Today — 21 July 2024

Spanish Police Arrest Three Suspects Linked to NoName057(16) Attacks


Spanish Police arrested three individuals on July 20, 2024, who are suspected of participating in a series of cyberattacks targeting critical infrastructure and government institutions in Spain and other NATO countries. The detainees are believed to be affiliated with the hacktivist group NoName057(16), known for its pro-Russian ideology and launching DDoS attacks against entities supporting Ukraine in the ongoing conflict. The arrests come amidst heightened concerns about cyberwarfare as tensions escalate between Russia and the West. An article in Reuters quoted a statement by the Spanish Civil Guard which said that the attacks orchestrated by NoName057(16) specifically targeted public institutions and companies in strategic sectors within NATO countries that have offered aid to Ukraine.

Details of NoName Hackers’ Arrest

The operation, led by the Spanish Civil Guard, apprehended the suspects in Mallorca, Huelva, and Seville. Searches conducted at their residences yielded computer equipment and documents potentially linked to the cyberattacks. Notably, Spanish police released a video on the social media platform X of a raid at the home of one of the suspects, in which a Soviet-era hammer-and-sickle flag was mounted on a wall, further hinting at their alleged pro-Russian affiliation.

[Image: Spanish Police NoName raid. Source: X]

Investigations suggest that NoName057(16) primarily employs Distributed Denial-of-Service (DDoS) attacks. DDoS attacks aim to overwhelm websites or online services with a flood of junk traffic, rendering them inaccessible to legitimate users. While the specific impact of these attacks remains under investigation, they likely caused disruptions to targeted institutions and potentially hampered their operations. The group's manifesto, referenced by Spanish authorities, reportedly outlines their objective of retaliating against "hostile and openly anti-Russian actions by Western Russophobes."

Inglorious Past of NoName057(16)

NoName057(16) emerged shortly after Russia's invasion of Ukraine and has since been linked to cyberattacks against various NATO members, including Poland. In January 2024, NoName057(16) claimed responsibility for a wave of DDoS attacks targeting Swiss government websites on the eve of a summit aimed at facilitating peace talks between Russia and Ukraine. The targeted websites included those belonging to the federal government and organizations involved in the peace process.

[Image: One of the organizations targeted by NoName in Spain. Source: X]

Polish cybersecurity firms have also documented a surge in cyberattacks originating from suspected pro-Russian actors. A recent report by Check Point Software Technologies revealed that Polish entities face an average of nearly 1,430 cyberattacks per week. The study further identified NoName057(16) as the most prolific pro-Russian group targeting Polish infrastructure, with past attacks directed at Polish Radio, Gdynia Port, and government websites.

The arrests in Spain mark a significant development in efforts to counter cyberattacks potentially linked to the ongoing conflict in Ukraine. The investigation into the activities of NoName057(16) is ongoing, with Spanish authorities collaborating with a specialized prosecutor's office to uncover the full extent of the group's operations and identify additional individuals involved.

The full extent of the damage caused by NoName057(16) remains under investigation. However, the disruption of essential services, even for a short period, can have significant consequences. Hospitals, power grids, and communication networks rely heavily on functioning IT infrastructure. DDoS attacks can disrupt healthcare services, hinder emergency response efforts, and cause economic losses.

The use of a homemade DDoS program called DDoSia by NoName057(16) raises concerns about the potential for these attacks to become more accessible to non-state actors. Cybersecurity experts urge governments and businesses to invest in robust cybersecurity measures to defend against such threats. The Spanish authorities' crackdown on NoName057(16) is a positive development in the fight against cyberwarfare. However, it also serves as a stark reminder of the evolving nature of cyber threats and the need for continued vigilance in the face of a constantly adapting digital landscape.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Southwest Airlines Dodges Global CrowdStrike Meltdown with Outdated Windows 3.1, Sparks Memes Fest


A critical software update gone wrong triggered a domino effect on July 19, 2024, causing a global Microsoft-CrowdStrike outage that crippled critical infrastructure, businesses, and organizations worldwide, especially the airline industry. However, amidst the pandemonium, Southwest Airlines in the United States seemed to have weathered the storm with surprising grace. While competitor airlines grounded their fleets and scrambled for solutions, Southwest continued operating with minimal disruptions. The reason: the airline is still using Windows 3.1, a 32-year-old operating system, and Windows 95.

How Did Southwest Survive BSOD?

The faulty update from cybersecurity giant CrowdStrike last Friday sent millions of Windows systems into a tailspin, causing widespread chaos and leading to the dreaded Blue Screen of Death (BSOD). Airports became battlegrounds of long lines and cancelled flights, hospitals struggled with limited access to patient records, and financial institutions experienced service outages.

The airlines affected by the CrowdStrike update had to ground their fleets because many of their background systems refused to operate. These systems could include pilot and fleet scheduling, maintenance records, ticketing, etc. According to this article on Forbes.com, in the United States alone, airlines cancelled 3,675 flights, or 14 per cent of the total fleets. Another 56 per cent of all flights were late by 15 minutes or more. By 6 pm Friday, Delta Airlines had cancelled 1,326 flights, United had cancelled 562 and American had cancelled 466.

Southwest, however, stood tall during the crisis. It cancelled just three of its 4,390 departures. Also, 94 per cent of Southwest flights departed within an hour of the scheduled time.

So how did Southwest survive the CrowdStrike outage? Explaining the scenario, a website named govtech says, “That’s because major portions of the airline’s computer systems are still using Windows 3.1, a 32-year-old version of Microsoft’s computer operating software. It’s so old that the CrowdStrike issue doesn’t affect it so Southwest is still operating as normal. It’s typically not a good idea to wait so long to update, but in this one instance Southwest has done itself a favor.”

Windows 3.1, launched in 1992, doesn’t get any updates. So, when CrowdStrike pushed the faulty update to all its customers, Southwest wasn’t affected as it didn’t receive an update. Apart from Windows 3.1, Southwest also uses Windows 95 for its staff scheduling system. It is a newer operating system — about three years younger than Windows 3.1 — but it’s ancient compared to today’s tech.

Many of the

[Image: Southwest Airlines CrowdStrike. Source: X]

Memes Galore After Southwest Dodges the Bullet

This unexpected resilience of Southwest Airlines sparked online jokes and memes, with some netizens poking fun at the airline's supposedly "outdated" technology. Users on social media platform X took this opportunity to create memes and poke fun at the airline and its alleged attitude of "If it ain't broke, don't fix it."

[Image: Southwest Airlines CrowdStrike meme. Source: X]

[Image: Southwest Airlines CrowdStrike meme. Source: X]

[Image: Southwest Airlines CrowdStrike meme. Source: X]

Southwest Grappling with ‘Modern’ Issues

While Southwest's outdated systems were a saving grace in this instance, the episode highlights the potential risks associated with such dated technology. The airline previously faced significant disruptions due to these very systems, resulting in hefty fines and a commitment to modernization efforts. During the holiday season in 2022, Southwest had to cancel 16,900 flights, leaving around two million passengers stranded. This resulted in a $35 million fine as part of a $140 million settlement. The airline also committed to spending $1.3 billion to update its technology. Southwest will likely need to navigate a path that prioritizes both robust cybersecurity and the gradual integration of modern, reliable systems to avoid future outages and maintain passenger trust.
Yesterday — 20 July 2024

Safety Gear Giant Cadre Holdings Reports Cybersecurity Breach


Cadre Holdings, a leading provider of safety and survivability products, has disclosed a significant cybersecurity incident through a Form 8-K filed with the U.S. Securities and Exchange Commission (SEC). The incident, which was detected on July 15, 2024, involved an unauthorized third-party gaining access to certain technology systems of the company. Upon detection of the breach using its security tools, Cadre Holdings stated that it promptly activated its standard response protocols. These included an immediate containment effort, an ongoing assessment, and remediation of the incident. The company has also engaged external cybersecurity experts to aid in the investigation, activated its incident response plan, notified federal law enforcement, and preemptively took certain systems offline as a precautionary measure.

Cadre Holdings Security Breach in Detail

According to the company’s profile on LinkedIn, Cadre Holdings was founded in 2021 and is headquartered in Jacksonville, Florida. The company describes itself as a global provider of safety & survivability products designed for first responders, federal agencies, outdoor recreation, and personal protection markets.

[Image: Cadre Holdings Data Breach. Source: Cadre Holdings Website]

The company’s core products include body armor, explosive ordnance disposal equipment and duty gear. The highly engineered products are utilized in over 100 countries by federal, state and local law enforcement, fire and rescue professionals, explosive ordnance disposal teams, and emergency medical technicians. Key brands include Safariland and Med-Eng, amongst others. The company has around 5,000 employees including two associate members.

In its SEC filing, the company said, “On July 15, 2024, Cadre Holdings, Inc determined that the Company had experienced a cybersecurity incident in which an unauthorized third party gained access to certain technology systems of the Company.”

“Following detection of the incident with its security tools, the company immediately initiated its standard response protocols to contain, assess and remediate the incident, including beginning an investigation with outside experts, activating its incident response plan, notifying federal law enforcement, and taking certain systems offline in an abundance of caution,” it said.

Despite these immediate actions, Cadre Holdings mentioned that it was still in the preliminary stages of its investigation. Consequently, the full scope, nature, and potential impact of the cybersecurity breach remained undetermined. While the company said that certain operations have been affected, it is currently unclear whether the incident will have a material impact on the company's financial condition or operational results.

The company has emphasized that it is working diligently to understand the breadth of the incident and to restore normal operations as swiftly as possible. The Form 8-K filing states, "The Company’s investigation and response remains ongoing." It further notes that "the Company is unable to determine at this time whether the incident has had or is reasonably likely to have a material impact on the company’s financial condition or results of operations."

In the Form 8-K filing, Cadre Holdings included a cautionary note regarding forward-looking statements. The company acknowledged that these statements are based on its current beliefs and expectations but could be subject to change as the investigation progresses. Factors that may influence the actual outcomes include the ongoing assessment of the cybersecurity incident and its potential legal, reputational, and financial repercussions. While the nature of the accessed data remains unknown, the potential for compromised information regarding product design or vulnerabilities could have serious consequences.

Cadre Holdings has assured its stakeholders of its commitment to transparency and will provide updates as the investigation unfolds. Cadre Holdings' commitment to resolving the situation and minimizing any adverse impacts on its stakeholders is evident in its swift and comprehensive response. As the investigation continues, the company aims to enhance its cybersecurity measures to prevent future incidents.

US Cyberattacks on the Rise; Businesses in Colorado, California Face Greater Threat: Report


Global cybercrime costs are projected to soar from $9.22 trillion in 2024 to $13.82 trillion by 2028, according to a report by Stocklytics.com. Cyberattacks in the United States alone are forecast to exceed $452 billion in 2024. Alarmingly, a survey among Chief Information Security Officers (CISOs) in the United States showed that three in four organizations were at risk of a material cyberattack in 2023. With this in mind, cybersecurity and compliance expert Kiteworks sought to identify the U.S. states where businesses are most at risk of cyberattacks. To do so, the company created a points-based index which analyzed a variety of factors such as annual victim counts, financial losses from cyberattacks, increases in both victims and losses, and the types of cyberattacks experienced.

Key Findings of Cyberattacks in US Report

  • Colorado is the state where businesses are most at risk of cyberattacks, with a risk score of 7.96. Colorado has seen a 58.7 per cent increase in victim losses since 2017
  • With the highest population of 38 million, California’s annual cyberattack losses amount to over $656 million (656,847,391)
  • The state of Missouri has the biggest four-year moving increase in financial losses attributed to cyberattacks, with a 136 per cent increase since 2017
  • Virginia is the only state to see a decrease in cyberattack victims since 2017, with a decrease of 10.8 per cent
Colorado is Most at Risk Due to Cyberattacks

Colorado is the state where businesses are most at risk of cyberattacks, with a risk score of 7.96 out of 10. Despite its mid-sized population of 5,877,610, Colorado experienced the highest rate of cyberattacks since 2017 and has reported 10,776 annual victims from 2020. Despite Colorado only seeing a moving increase of 3.8 per cent in victims since 2017, the state has faced significant financial losses due to cyberattacks, with a 58.7 per cent increase in losses since 2017, amounting to $104,476,603. This is 65 per cent higher than in the neighbouring state of Utah ($53,047,234). This could be due to Colorado’s aging population, as reports show people over the age of 75 are most likely to report repeat cybercrime victimization.

New York is in second place, with a risk score of 7.84 out of 10. As the fourth most populous state with 19,571,216 residents, New York reported 27,205 annual victims between 2020-2023. By contrast, Massachusetts reported one third the number of victims (8,749) over the same period as New York. New York has seen a 14.4 per cent increase in victims over four years, with reports showing cyberattack complaints up 53 per cent since 2022. The financial losses from cyberattacks in the state have also surged by 75.7 per cent, totalling a staggering $440,673,485 lost.

Nevada ranks third with a risk score of 7.62 out of 10, reflecting the state's growing vulnerability to cyberattacks. With a population of 3,194,176, Nevada reported 10,551 annual victims from 2020 to 2023. The state has experienced a significant 27.6 per cent increase in victim counts over four years, indicating a rapid rise in cybercrime incidents. Just earlier this year, the state's Gaming Control Board’s website was hit with a cyberattack, resulting in the site being offline for several days. The financial losses from cyberattacks in Nevada have risen by 25.2 per cent since 2017, totalling $44,994,168, 72 per cent more than the neighbouring state of Idaho ($12,427,049).

The Most Costly Cyberattacks 

Business Email Compromise (BEC) is the cyberattack in the United States with the highest financial impact, with losses exceeding $1 billion ($1,747,924,931) since 2020 and an average loss of $88,350 per incident. BEC attacks involve fraudsters impersonating business executives or employees to deceive victims into transferring funds or revealing sensitive information. Credit card and check fraud rank second, causing $516,046,155 in total losses and an average loss of $27,039 per incident. This fraud typically involves unauthorized use of payment information. Malware attacks, in third place, have resulted in losses of $237,469,021 with an average loss of $83,235 per incident.

Most Common Cyberattacks

Non-payment/non-delivery attacks are the most common US cyber threat since 2020 with 60,113 incidents; they involve fraudsters tricking victims into paying for undelivered goods or services. The second most prevalent is personal data breaches, with 40,523 incidents, which can involve unauthorized access to sensitive information, often leading to identity theft and fraud.

Patrick Spencer, spokesperson at Kiteworks, commented on the results: “Our study reveals a concerning trend: cyberattacks are on the rise, both in frequency and financial impact. As cyber threats continue to evolve, proactive investment in advanced security technologies and employee training can significantly enhance a company's resilience against cybercrime, as well as a greater focus on data security.”

“Businesses should adopt a content-defined zero trust approach to secure their sensitive communications. By consolidating email, file sharing, SFTP, managed file transfer, and web forms into a private content network protected by a hardened virtual appliance, organizations can ensure that sensitive content is only accessed by authorized users. This approach provides advanced security, comprehensive governance, and regulatory compliance, ensuring the protection of sensitive content,” he concluded.

Beware: Cybercriminals Cash in on BSOD Outage with Phony CrowdStrike Fixes


A routine software update by CrowdStrike on July 19, 2024, unintentionally stirred a major disruption across various infrastructures and organizations. The update triggered the notorious Blue Screen of Death (BSOD), rendering many systems unusable. While initially not deemed a cybersecurity incident, the situation underscores the fragility of digital security and the potential for such disruptions to become serious security threats. 

Initial Fallout of BSOD 

Problems arose soon after users installed CrowdStrike's latest update. System crashes and the feared BSOD became widespread, leading to significant operational disruptions. Even though it wasn't a direct cybersecurity breach, keeping systems operational is vital for security.

[Image: Statement of CrowdStrike’s President and CEO, George Kurtz. Source: X]

CrowdStrike's CEO, George Kurtz, emphasized that the incident wasn't a cyberattack. However, he acknowledged the severity of the disruption and assured customers a fix was underway. His statement highlighted the importance of robust incident response measures even in non-malicious disruption scenarios.

How Are Cybercriminals Trying to Exploit BSOD 

The disruption caused by CrowdStrike has unfortunately created openings for opportunistic threat actors. Cybercriminals have been quick to capitalize on the situation through social engineering attacks. They've set up scam domains and phishing pages disguised as solutions to the BSOD issue. For instance, one malicious domain redirected users to payment pages requesting cryptocurrencies like Bitcoin and Ethereum under the pretense of offering a fix.

[Image: One of the fake domains. Source: X]

Another domain has surfaced, claiming to offer support services to companies affected by the issue. Caution is advised as these claims are potentially misleading and could pose additional security risks.

What Are the Indicators of Compromise (IoCs)? 

Be on the lookout for indicators of compromise (IoCs) that might signal malicious activity. Here's a list of suspicious domains that threat actors might use: 
  • hxxp://crowdstrikestore[.]com[.]br/ 
  • hxxp://crowdstrike-bsod[.]com/ 
  • hxxp://crowdstrike[.]buzz/ 
  • hxxp://crowdstrike[.]life/ 
  • hxxp://crowdstrike[.]live/ 
  • hxxp://crowdstrike[.]site/ 
  • hxxp://crowdstrike[.]technology/ 
  • hxxp://crowdstrike[.]us[.]org/ 
  • hxxp://crowdstrike0day[.]com/ 
  • hxxp://crowdstrikebluescreen[.]com/ 
  • hxxp://crowdstrikebsod[.]com/ 
  • hxxp://crowdstrikeconnectingevents[.]com/ 
  • hxxp://crowdstrikeconnects[.]com/ 
  • hxxp://crowdstrikedoomsday[.]com/ 
  • hxxp://crowdstrikedown[.]site/ 
  • hxxp://crowdstrikeevents[.]com/ 
  • hxxp://crowdstrikeeventshub[.]com/ 
  • hxxp://crowdstrikeeventsplatform[.]com/ 
  • hxxp://crowdstrikeeventsplus[.]com/ 
  • hxxp://crowdstrikefix[.]com/ 
  • hxxp://crowdstrikeoptimizer[.]com/ 
  • hxxp://crowdstrikeredbird[.]com/ 
  • hxxp://crowdstriketoken[.]com/ 
  • hxxp://crowdstrikewhisper[.]com/ 
  • hxxp://crowdstrikexdr[.]in/ 
  • hxxp://fix-crowdstrike-apocalypse[.]com/ 
  • hxxp://fix-crowdstrike-bsod[.]com/ 
  • hxxp://microsoftcrowdstrike[.]com/ 
  • hxxp://okta-crowdstrike[.]com/ 
  • hxxp://whatiscrowdstrike[.]com 
  • www[.]crowdstrike-falcon[.]online 
  • www[.]crowdstrike-helpdesk[.]com 
  • crowdstrikereport[.]com 
  • crowdstrikefix[.]zip 
  • crowdstrike[.]mightywind[.]com 
  • crowdstrikeclaim[.]com 
  • crowdstrikeoutage[.]com 
  • www[.]crowdstrikeoutage[.]com 
  • crowdstrikeupdate[.]com 
  • crowdstrikerecovery1[.]blob[.]core[.]windows[.]net 
  • crowdstrike[.]woccpa[.]com 
  • crowdstrike[.]es 
  • www[.]crowdstrokeme[.]me 
  • 1512178658959801095[.]crowdstriek[.]com 
  • www[.]crowdstrikeclaim[.]com 
  • lab-crowdstrike-manage[.]stashaway[.]co 
  • crowdstrokeme[.]me 
  • crowdstrike-bsod[.]com 
  • crowdstrike0day[.]com 
  • crowdstrikebluescreen[.]com 
  • crowdstrikedoomsday[.]com 
  • crowdstrikedown[.]site 
  • crowdstrikefix[.]com 
  • crowdstriketoken[.]com 
  • crowdstuck[.]org 
  • fix-crowdstrike-apocalypse[.]com 
  • fix-crowdstrike-bsod[.]com 
  • microsoftcrowdstrike[.]com 
  • whatiscrowdstrike[.]com 
  • crowdfalcon-immed-update[.]com 
  • crowdstrikebsod[.]com 
  • crowdstrikeoutage[.]info  

Falcon Sensor Issue Used to Target CrowdStrike Customers 

CrowdStrike Intelligence recommends that organizations ensure they are communicating with CrowdStrike representatives through official channels and that they adhere to the technical guidance the CrowdStrike support teams have provided. CrowdStrike has also published a Falcon LogScale query that hunts for the domains listed above.

[Image: Falcon LogScale query hunting for the domains above. Source: CrowdStrike blog]
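The same hunt can be run offline against exported DNS logs. The Python below is an added example, not CrowdStrike's LogScale query and not code from the article: it refangs a subset of the indicators listed above and flags any DNS query whose name is one of those domains or a subdomain of one (so a lookup of a host under a listed domain is still caught). The log line format and client addresses are constructed for the example.

```python
"""Hunt DNS query logs for the defanged CrowdStrike-themed domains above.

Added example. The indicator subset is copied from the article's list; the
log format and the sample lines are constructed, not real telemetry.
"""
import re
from urllib.parse import urlparse

# Subset of the article's indicators, kept in their defanged form.
DEFANGED_IOCS = """
hxxp://crowdstrike-bsod[.]com/
hxxp://crowdstrikefix[.]com/
hxxp://crowdstrike[.]us[.]org/
www[.]crowdstrike-helpdesk[.]com
crowdstrikefix[.]zip
crowdstrikerecovery1[.]blob[.]core[.]windows[.]net
1512178658959801095[.]crowdstriek[.]com
crowdstrokeme[.]me
"""


def refang(indicator):
    """Turn a defanged indicator back into a bare, lowercase hostname."""
    s = indicator.strip().replace("[.]", ".")
    s = s.replace("hxxps://", "https://").replace("hxxp://", "http://")
    if "://" in s:
        s = urlparse(s).hostname or ""
    return s.rstrip("/").lower()


def build_ioc_set(text):
    """One refanged hostname per non-empty line."""
    return {refang(line) for line in text.splitlines() if line.strip()}


def is_hit(queried_name, ioc_set):
    """True if the queried name equals an indicator or is a subdomain of one.

    Suffix matching is done label by label, so 'blob.core.windows.net' on its
    own does not match the longer indicator that merely ends with it.
    """
    labels = queried_name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in ioc_set for i in range(len(labels)))


# Constructed DNS resolver log: timestamp, client IP, queried name, record type.
SAMPLE_DNS_LOG = """\
2024-07-19T14:02:11Z client=10.0.0.5 query=www.crowdstrike.com type=A
2024-07-19T14:02:12Z client=10.0.0.7 query=crowdstrikefix.com type=A
2024-07-19T14:02:13Z client=10.0.0.7 query=download.crowdstrikefix.com type=A
2024-07-19T14:02:14Z client=10.0.0.9 query=falcon.crowdstrike.com type=A
2024-07-19T14:02:15Z client=10.0.0.9 query=crowdstrikerecovery1.blob.core.windows.net type=A
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<qname>\S+)")


def hunt(log_text, ioc_set):
    """Return (timestamp, client, queried_name) for every line that hits an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_hit(m["qname"], ioc_set):
            hits.append((m["ts"], m["client"], m["qname"].lower()))
    return hits


if __name__ == "__main__":
    for ts, client, qname in hunt(SAMPLE_DNS_LOG, build_ioc_set(DEFANGED_IOCS)):
        print(f"{ts} {client} -> {qname}")
```

Paste the full list from the article into `DEFANGED_IOCS` to hunt all of it; entries with or without the `hxxp://` prefix are normalised to the same hostname form. Legitimate `crowdstrike.com` lookups are not flagged because the real domain is not an indicator, and the suffix check never matches a shorter parent of a listed name.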

CISA Warns Organizations to Remain Vigilant of Malicious Actors

Meanwhile, US cybersecurity agency CISA has warned that hackers are trying to take advantage of the Microsoft outage.

“CISA is aware of the widespread outage affecting Microsoft Windows hosts due to an issue with a recent CrowdStrike update and is working closely with CrowdStrike and federal, state, local, tribal and territorial (SLTT) partners, as well as critical infrastructure and international partners to assess impacts and support remediation efforts,” it said in a statement.

“Threat actors continue to use the widespread IT outage for phishing and other malicious activity. CISA urges organizations to ensure they have robust cybersecurity measures to protect their users, assets, and data against this activity,” CISA added.

This incident serves as a stark reminder of our dependence on technology and the potential consequences of software malfunctions. The global scale of the outage caused significant disruptions to businesses, governments, and individuals alike. While CrowdStrike is working on a fix, it's crucial for organizations to stay vigilant and implement robust cybersecurity measures to protect themselves from future threats.
Before yesterday

CERT-In Issues Critical Advisory on CrowdStrike Update Causing Windows BSOD Outages


Amidst the global outage affecting Microsoft Windows systems, the Indian Computer Emergency Response Team (CERT-In) has issued a critical advisory (CIAD-2024-0035) to address the issue. This outage seems to have stemmed from a recent update to the CrowdStrike Falcon Sensor, a popular endpoint detection and response (EDR) solution. Dubbed the Blue Screen of Death (BSOD), the outage has disrupted operations across airports, hospitals, software firms and other sectors globally and is generating widespread frustration among users.

Flawed Update Led to BSOD: CERT-In

According to the CERT-In advisory, Windows hosts equipped with the CrowdStrike Falcon Sensor experienced crashes and the infamous BSOD following a recent update to the agent. This critical error typically indicates a system halt due to a hardware or software failure, rendering the affected device inoperable. The exact cause of the BSOD remains undisclosed, but the swift action taken by CrowdStrike suggests a flaw within the update itself. The CrowdStrike team promptly reverted the changes, potentially mitigating further disruptions.

Resolving the Issue: Workarounds and Updates

While the update has been rolled back, some Windows systems might still be experiencing issues. CERT-In has provided a workaround for these cases, involving booting into Safe Mode or the Windows Recovery Environment and manually deleting a specific file associated with the faulty update.
  • Navigate to the directory C:\Windows\System32\drivers\CrowdStrike and locate the file matching the pattern "C-00000291*.sys".
  • Delete the identified file and reboot the host normally.
Additionally, users have been advised to check the CrowdStrike support portal for the latest updates and recommendations.
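The advisory's steps are carried out by hand from Safe Mode or the Windows Recovery Environment. As an added example (not tooling from CERT-In or CrowdStrike), the Python helper below mirrors those two steps for a scripted or dry-run pass, assuming an environment where Python is available: it only considers regular files directly under the advisory's directory whose name matches the advisory's pattern, compares case-insensitively as NTFS does, and lists what it would remove before anything is deleted.

```python
"""Dry-run helper for the CERT-In workaround above.

Added example, not CERT-In's or CrowdStrike's tooling. The directory and the
file pattern are the ones quoted in the advisory; everything else is assumed.
"""
import fnmatch
from pathlib import Path

# Directory and pattern quoted in the CERT-In advisory.
DEFAULT_DIR = Path(r"C:\Windows\System32\drivers\CrowdStrike")
PATTERN = "C-00000291*.sys"


def find_faulty_channel_files(directory=DEFAULT_DIR):
    """Regular files directly in `directory` whose name matches PATTERN.

    Matching is case-insensitive because NTFS is; subdirectories and
    non-regular entries are ignored so nothing outside the advisory's
    description is ever touched.
    """
    directory = Path(directory)
    if not directory.is_dir():
        return []
    return sorted(
        p for p in directory.iterdir()
        if p.is_file() and fnmatch.fnmatch(p.name.lower(), PATTERN.lower())
    )


def apply_workaround(directory=DEFAULT_DIR, dry_run=True):
    """List (dry_run=True) or delete (dry_run=False) the matching files.

    Returns the list of paths acted on so a caller can log them; the reboot
    from the advisory's second step is left to the operator.
    """
    targets = find_faulty_channel_files(directory)
    for path in targets:
        if dry_run:
            print(f"[dry-run] would delete {path}")
        else:
            path.unlink()
            print(f"deleted {path}")
    return targets


if __name__ == "__main__":
    # Default is a dry run; pass dry_run=False only after reviewing the output.
    apply_workaround()
```

Run it once as-is to see exactly which file would go, then with `dry_run=False`; if the directory is absent or nothing matches, the function returns an empty list rather than failing.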

Microsoft Statement on BSOD

While CERT-In's advisory primarily focuses on the technical aspects of the issue, news reports suggest a broader collaborative effort between Microsoft and CrowdStrike. Earlier on Friday, Microsoft acknowledged that an outage in its online services had affected customers worldwide. In its latest update in a post on social media platform X, Microsoft stated, "Our services are still seeing continuous improvements while we continue to take mitigation actions. Multiple services are continuing to see improvements in availability as our mitigation actions progress."

A recent surge in BSOD reports across various Microsoft Windows versions coincided with the timeframe of the CrowdStrike update. Though details remain unconfirmed, this potentially points towards a wider impact beyond the systems specifically mentioned in the CERT-In advisory.

How Was $230 Million Stolen in the WazirX Hack?


The cyberattack on India’s biggest cryptocurrency exchange WazirX has sent shockwaves through the crypto community. The WazirX hack on July 19, 2024, highlights the constant vigilance required in the face of evolving cyber threats. With stolen funds exceeding $230 million, WazirX released a preliminary report detailing their findings on the compromised Safe Multisig wallet, the suspected attack method, and their ongoing efforts to recover the stolen funds.

Layers of Safe Multisig Wallet’s Security Bypassed: Report

The security breach of WazirX was first reported by Web3 security firm Cyvers Alerts, which detected multiple suspicious transactions involving WazirX’s Safe Multisig wallet on the ETH network.

[Image: WazirX Hack. Source: X]

Cyvers Alerts also mentioned that around $234.9 million of funds in the Safe Multisig wallet had been moved to a new address, with each transaction’s caller funded by Tornado Cash, the decentralized protocol for private transactions. Tornado Cash is a crypto mixing service that allows users to obfuscate the origin and destination of their cryptocurrency transactions, essentially adding a layer of anonymity.

WazirX’s preliminary investigation report reveals that the attackers targeted its Safe Multisig wallet, which usually requires multiple approvals for any transactions. This particular wallet, operational since February 2023, leveraged Liminal's digital asset custody and wallet infrastructure for added security.

Wallet Configuration and Breach Mechanics

The report dives into the security measures employed by the compromised wallet. It functioned with a multisig configuration involving six signatories – five from the WazirX team and one from Liminal. To ensure additional security, transactions typically required approval from at least three WazirX signatories, each utilizing Ledger Hardware Wallets, a recognized security measure in the cryptocurrency space. Finally, a whitelisting policy restricted transactions to pre-approved addresses managed by Liminal's interface.

Suspected Chink in the Armor: Discrepancy in Liminal's Interface

Despite these seemingly robust security protocols, WazirX suspects a critical vulnerability within Liminal's interface. The report highlights a potential discrepancy between the information displayed on the interface during transactions and the actual content of the signed transactions. WazirX suggests that attackers may have exploited this gap. The report theorizes that the attackers might have replaced the transaction payload, essentially tricking the signatories into authorizing a malicious transaction that transferred control of the wallet to the attackers. This aligns with details from The Cyber Express article, which mentioned attackers bypassing the multisig approvals.
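To make the wallet configuration and the suspected mechanism concrete, here is an added Python model (not WazirX, Liminal or Safe code, and not taken from the report): a 3-of-6 policy with five exchange signers, one custodian signer and a destination whitelist, in which each signer recomputes the hash of the transaction the interface displayed before signing the hash it is handed. Running the same signers with that check disabled shows why a displayed/signed discrepancy is enough to pass a substituted payload through a multisig. Signer names, addresses, secrets and both transactions are constructed, and an HMAC stands in for the hardware wallet's signature.

```python
"""3-of-6 multisig with a "what you see is what you sign" check.

Added example modelling the policy described in the report; it is not the
code of WazirX, Liminal or Safe. Keys, addresses and payloads are constructed,
and HMAC-SHA256 stands in for the hardware wallet's ECDSA signature.
"""
import hashlib
import hmac
import json

THRESHOLD = 3                                    # exchange approvals required, as reported
WHITELIST = {"0xCOLDWALLET01", "0xHOTWALLET02"}  # constructed pre-approved destinations


def canonical_hash(payload):
    """Hash of the exact transaction the wallet would execute (key order irrelevant)."""
    encoded = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()


class HardwareSigner:
    """Stand-in for a hardware wallet.

    With verify_display=True the device recomputes the hash of what the
    interface showed the user and refuses to sign anything else. With it off,
    the device blindly signs whatever hash the interface hands it.
    """

    def __init__(self, name, secret, verify_display=True):
        self.name = name
        self._secret = secret              # constructed; a real device holds an ECDSA key
        self.verify_display = verify_display

    def sign(self, displayed, hash_to_sign):
        if self.verify_display:
            if canonical_hash(displayed) != hash_to_sign:
                return None                # displayed payload is not the one being signed
            if displayed["to"] not in WHITELIST:
                return None                # destination policy, checked on the verified payload
        return hmac.new(self._secret, hash_to_sign.encode(), hashlib.sha256).hexdigest()

    def verify(self, hash_value, signature):
        # HMAC is symmetric, so the wallet side reuses the secret here; a real
        # contract would instead recover the signer address from an ECDSA signature.
        expected = hmac.new(self._secret, hash_value.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, signature)


def make_signers(verify_display=True):
    """Five exchange signers plus one custodian signer, as described in the report."""
    names = ["wazirx-1", "wazirx-2", "wazirx-3", "wazirx-4", "wazirx-5", "liminal-1"]
    return [HardwareSigner(n, f"secret-for-{n}".encode(), verify_display) for n in names]


def execute(signers, displayed, actual):
    """Wallet side: every signer is shown `displayed` but asked to sign the hash
    of `actual`. Execute only if at least THRESHOLD exchange signers produced a
    valid signature over the hash of `actual`. Returns (executed, approvers)."""
    h = canonical_hash(actual)
    approvers = []
    for s in signers:
        sig = s.sign(displayed, h)
        if sig is not None and s.verify(h, sig):
            approvers.append(s.name)
    exchange_approvals = sum(1 for n in approvers if n.startswith("wazirx-"))
    return exchange_approvals >= THRESHOLD, approvers


# Constructed transactions: the whitelisted transfer the interface shows, and a
# substituted payload of the kind the report theorizes (control moved elsewhere).
HONEST = {"to": "0xCOLDWALLET01", "value": 1000, "data": ""}
SUBSTITUTED = {"to": "0xATTACKER00", "value": 0, "data": "changeOwner"}

if __name__ == "__main__":
    print("honest payload, checking signers:   ", execute(make_signers(), HONEST, HONEST))
    print("substituted payload, checking signers:", execute(make_signers(), HONEST, SUBSTITUTED))
    print("substituted payload, blind signers:   ", execute(make_signers(False), HONEST, SUBSTITUTED))
```

The whitelist alone does not help once signers sign blindly: it is enforced on the payload the interface displays, so a substituted payload whose hash the device never cross-checks sails through with a full set of approvals. The independent recomputation inside the device is the control that turns the discrepancy into a refusal.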

WazirX's Response: A Race Against Time to Recover Funds

While acknowledging the attack, WazirX maintains that they implemented necessary steps to safeguard user assets. However, the attackers managed to exploit the suspected vulnerability. In response, WazirX claims to have taken swift action to mitigate further damage. They have blocked suspicious deposits and are actively reaching out to potentially affected wallets to initiate recovery procedures. Additionally, they are collaborating with security experts to trace the stolen funds and apprehend the perpetrators.

Importance of Robust Security

While the preliminary report sheds light on the incident, several critical questions remain unanswered. A more comprehensive investigation is needed to determine the exact nature of the vulnerability in Liminal's interface and how the attackers were able to exploit it. Additionally, it's vital to assess whether any internal security gaps within WazirX might have contributed to the breach. Furthermore, the effectiveness of WazirX's recovery efforts will be a crucial factor in regaining user confidence. The WazirX hack serves as a stark reminder of the ever-evolving cyber threats plaguing the cryptocurrency industry. It highlights the importance of multi-layered security measures, not only within cryptocurrency exchanges but also with third-party service providers like Liminal. As investigations progress and more details emerge, we can expect to learn valuable lessons about the importance of robust cybersecurity protocols and the need for constant vigilance in the face of sophisticated cyberattacks.

WazirX Hacked: $230 Million Lost as Indian Crypto Exchange Suspends Withdrawals


Indian cryptocurrency exchange platform WazirX has reported a major security breach involving Safe Multisig, one of its wallets on the Ethereum blockchain. The WazirX hack has reportedly caused a severe financial loss, estimated by analysts at over $230 million. In response to the cybersecurity incident, WazirX said it would temporarily suspend Indian Rupee (INR) and crypto withdrawals to protect user funds. The company also said that it is investigating the incident.

WazirX Hack in Detail: Funds Disappear into the Ether

The security breach of WazirX was first reported by Web3 security firm Cyvers Alerts on July 18, 2024 on its X (formerly Twitter) handle. In its post, Cyvers Alerts warned, “ALERT🚨Hey @WazirXIndia, our system has detected multiple suspicious transactions involving your Safe Multisig wallet on the ETH network.” A Safe Multisig wallet is designed to require multiple approvals for any transaction, aiming to add an extra layer of security. However, in this instance, the attackers managed to bypass the security measures and siphon off a massive amount of cryptocurrency. Cyvers Alerts also mentioned that around $234.9 million of funds in the Safe Multisig wallet had been moved to a new address, with each transaction’s caller funded by Tornado Cash, the decentralized protocol for private transactions. Tornado Cash is a crypto mixing service that allows users to obfuscate the origin and destination of their cryptocurrency transactions, essentially adding a layer of anonymity. While some users value the privacy aspects of such services, law enforcement agencies and regulators have raised concerns about their potential use in money laundering and other illicit activities. “The suspicious address has already swapped $PEPE, $GALA, and $USDT to $ETH and continues to swap other digital assets,” Cyvers Alerts posted. “We attempted to contact you 30 minutes ago, but received no response. It appears that your Safe wallet has been compromised by a malicious actor!” (sic).

Over $200 Million Yet to be Offloaded: Report

Crypto sleuth ZachXBT claimed that the suspected primary attacker address still has over $104 million to dump. “Attacker still has $100M+ worth of SHIB (Shiba Inu) and $4.7M+ FLOKI to sell,” the sleuth wrote on its Telegram channel ‘Investigations by ZachXBT’.

WazirX Suspends Withdrawals in India

Following the discovery of the breach, WazirX took swift action to mitigate further damage. The Indian exchange temporarily paused the withdrawal of cryptocurrencies and Indian rupees on the platform. Making the announcement on its official X handle, WazirX posted, “We're aware that one of our multisig wallets has experienced a security breach. Our team is actively investigating the incident. To ensure the safety of your assets, INR and crypto withdrawals will be temporarily paused. Thank you for your patience and understanding. We'll keep you posted with further updates.”

Unanswered Questions Over WazirX Hack

As the investigation into the security breach continues, WazirX will have to address several questions, such as how the attackers managed to bypass the security protocols of the Safe Multisig wallet. The investigators should also identify whether any internal vulnerabilities were exploited or whether the attackers employed sophisticated hacking techniques. The WazirX hack serves as a stark reminder of the ever-evolving cyber threats plaguing the cryptocurrency industry. As the industry continues to grow, exchanges like WazirX will need to prioritize robust security measures to regain user trust. Investing in cutting-edge security solutions, fostering transparency, and collaborating with industry stakeholders will be crucial in preventing similar incidents from happening again. Furthermore, discussions surrounding cryptocurrency anonymity and its potential misuse warrant serious consideration by regulators and industry leaders.

NATO to Bolster Cybersecurity Measures to Combat Threats for Alliance Countries


NATO, the North Atlantic Treaty Organization, has identified that it faces a complex and ever-evolving cyberthreat landscape. While its history is rooted in deterring conventional military attacks, cyberspace has emerged as its new battleground. The alliance says that malicious actors are constantly probing NATO's defenses, employing cyberattacks to disrupt operations, steal sensitive information, and sow discord. In response, NATO has undertaken a significant effort to bolster its cyber defenses, safeguarding its networks and the security of its member states.

NATO Identifies Russia, China as Source of Cyber Threats

NATO has identified Russia, China, and other malicious actors as major threats, employing a range of cyber tactics. These include infiltrating networks to steal classified data, launching denial-of-service attacks to cripple critical infrastructure, and manipulating information to undermine public trust. According to a news release by NATO, “Russia's war of aggression against Ukraine has highlighted the extent to which cyber activities are a feature of modern conflict.”

NATO's Comprehensive Approach to Cyber Defense

Recognizing the gravity of the situation, NATO has adopted a multi-pronged approach to cyber defense. This strategy integrates political, military, and technical measures to achieve a holistic defense posture.
  • Policy and Strategy: At the 2021 Summit, NATO introduced a Comprehensive Cyber Defence Policy. It emphasizes deterring, defending against, and countering cyber threats across all domains – peacetime, crisis, and conflict. The policy acknowledges that under specific circumstances, a large-scale cyberattack could be considered an armed attack, potentially triggering a collective response from member states under Article 5 of the NATO treaty.
  • Network Protection and Situational Awareness: The NATO Cyber Security Centre (NCSC) serves as the central hub for safeguarding NATO's own networks. It provides 24x7 protection and works tirelessly to keep pace with the ever-changing threat landscape. Additionally, the Cyberspace Operations Centre, established in Mons, Belgium in 2018, enhances situational awareness by monitoring cyber threats and coordinating NATO's operational activities in cyberspace. This center plays a critical role in ensuring that NATO commanders have a clear understanding of the cyber landscape and can make informed decisions to protect the Alliance. Now, in the 2024 NATO Summit in Washington, D.C., allies have agreed to establish the NATO Integrated Cyber Defence Centre to enhance network protection, situational awareness and the implementation of cyberspace as an operational domain.
  • Education, Training, and Exercises: NATO regards building a skilled workforce as paramount. To this end, the organization conducts regular exercises like the annual Cyber Coalition Exercise to test and refine cyber defense capabilities. The Alliance also emphasizes education and training through initiatives like the NATO Cyber Range, fostering expertise among member states.
  • International Cooperation: NATO says that it actively engages with partner countries, international organizations, industry leaders, and academia. “Collaboration fosters information sharing, facilitates joint exercises, and promotes best practices for cyber defense. A key partnership is with the European Union, with both organizations working together to counter hybrid threats and bolster cyber resilience,” NATO said.

Strengthening National Defenses: A Shared Responsibility

While NATO provides a collective framework, it emphasized that the primary responsibility for robust cyber defenses lies with individual member states. The NATO Defence Planning Process sets timely targets for national cyber defense capabilities, ensuring a standardized approach across the Alliance. NATO also facilitates information sharing, best practice exchanges, and offers assistance to Allies seeking to bolster their national defenses. Additionally, the newly established Virtual Cyber Incident Support Capability (VCISC) provides support to member states facing large-scale cyberattacks.

The Road Ahead: Continuous Improvement

The cyber threat landscape is constantly evolving, demanding continuous adaptation from NATO and its member states. Looking ahead, the organization has identified several key areas:
  • Enhancing Cyber Resilience: Critical infrastructure, such as power grids and communication networks, needs robust defenses against cyberattacks. This requires collaboration between governments, industry leaders, and the public to identify vulnerabilities and implement preventative measures.
  • Developing New Technologies: Staying ahead of the curve necessitates ongoing investment in research and development. NATO is actively exploring new technologies to enhance cyber detection, prevention, and response capabilities.
  • Promoting International Norms: Establishing clear international norms for responsible state behavior in cyberspace is crucial. This would help to deter malicious activities and foster a more stable digital environment.
By adopting a comprehensive approach that combines strong policy frameworks, cutting-edge technologies, and international cooperation, NATO is working to safeguard its member states from the ever-present threat of cyberattacks. As the digital age continues to evolve, so too will NATO's cyber defense capabilities, ensuring a secure and stable future for the Alliance.

Li.Fi Hacked Again: DeFi Protocol Loses $10 Million in Second Exploit


Just two years after patching a similar exploit, cross-chain Decentralized Finance (DeFi) protocol Li.Fi has been hit again by hackers, this time losing nearly $10 million in cryptocurrency. The Li.Fi attack, which took place on July 16, 2024, targeted a vulnerability in Li.Fi's contract, allowing attackers to drain funds from unsuspecting users' wallets. This isn't the first time Li.Fi has faced security issues. Back in March 2022, the protocol fell victim to a similar exploit, raising concerns about the robustness of its security measures. The recent attack highlights the ongoing challenges faced by DeFi protocols in securing user funds and the importance of staying vigilant in a rapidly evolving threat landscape.

Understanding the Attack: How Hackers Exploited Li.Fi

According to a post on X by a user named Nick L. Franklin, the attack leveraged a vulnerability known as a "call injection." This vulnerability arises when a function within a smart contract doesn't properly validate user input. In the case of Li.Fi, attackers were able to inject a malicious function call that essentially tricked the contract into transferring users' funds to a hacker-controlled address. The Li.Fi team identified a specific contract address (0x1231deb6f5749ef6ce6943a275a1d3e7486f4eae) used by the attackers and urged users to revoke approvals for this address to prevent further loss. The team also provided a list of additional addresses to revoke for those who had manually set infinite approvals:
  • 0x341e94069f53234fE6DabeF707aD424830525715
  • 0xDE1E598b81620773454588B85D6b5D4eEC32573e
  • 0x24ca98fB6972F5eE05f0dB00595c7f68D9FaFd68
This essentially revokes the permission granted by users to Li.Fi to access their funds. While the exact details of the exploit haven't been fully disclosed, comments on social media suggest that the bad actors targeted users who had previously granted Li.Fi "infinite approval" for their tokens. This essentially gives the protocol unlimited access to a user's funds, a practice generally discouraged due to the inherent security risks.

Impact of the Attack: Millions Lost and DeFi's Reputation Tarnished

The attack resulted in the loss of nearly $10 million worth of cryptocurrency across various chains, including Ethereum (ETH), USD Coin (USDC), and Tether (USDT). While the exact number of affected users remains unclear, the incident has undoubtedly shaken confidence in Li.Fi and the broader DeFi ecosystem. This latest exploit comes at a critical time for DeFi, which is already grappling with regulatory uncertainty and concerns about its overall security. The incident underscores the need for stricter development practices, rigorous audits, and a more proactive approach to security from DeFi protocols.

Lessons Learned: How to Stay Safe in the DeFi Space

The Li.Fi hack serves as a stark reminder of the inherent risks associated with DeFi. Here are some key takeaways for users:
  • Be Wary of Infinite Approvals: Avoid granting DeFi protocols "infinite approval" for your tokens. Opt for more granular permissions whenever possible.
  • Research Before You Invest: Always conduct thorough research on any DeFi protocol before investing your funds. Look for projects with a proven track record, strong security audits, and a transparent development team.
  • Stay Updated: Keep yourself informed about the latest security threats and vulnerabilities in the DeFi space.

What's Next for Li.Fi?

The Li.Fi team is currently investigating the attack and working to implement security measures to prevent similar incidents in the future. They have advised users to revoke approvals for the malicious contract address and refrain from interacting with Li.Fi powered applications until further notice. In a post on X on July 17, Li.Fi wrote that the protocol was fully operational again. The future of Li.Fi remains uncertain. Rebuilding user trust will be a significant challenge, and the protocol will likely face heightened scrutiny from regulators and security experts. Whether Li.Fi can recover from this setback depends on its ability to demonstrably improve its security posture and regain the confidence of the DeFi community.

The Evolving Threat Landscape in DeFi

The Li.Fi hack is a stark reminder that DeFi protocols are prime targets for cybercriminals. As the value locked in DeFi continues to grow, so too will the sophistication of attacks. DeFi developers need to prioritize security by employing rigorous code audits, implementing best practices, and working with security researchers to identify and address potential vulnerabilities. Users, on the other hand, need to exercise caution, conduct thorough research, and understand the inherent risks involved before investing in DeFi protocols. The Li.Fi incident serves as a wake-up call for the entire DeFi ecosystem. Only through a collaborative effort that prioritizes security and user protection can DeFi mature into a truly viable and trustworthy financial alternative.

CERT-In Highlights Critical Vulnerabilities in Adobe, IBM WebSphere, and Joomla


The Indian Computer Emergency Response Team (CERT-In), a cybersecurity agency operating under the Ministry of Electronics and Information Technology, has sounded the alarm for Adobe users and issued a high-risk warning. Its latest Vulnerability Note (CIVN-2024-0213) details multiple critical security weaknesses discovered in several Adobe software versions. These vulnerabilities expose users of Adobe Premiere Pro, Adobe InDesign, and Adobe Bridge to significant security risks. CERT-In classifies the identified vulnerabilities as "HIGH" severity and urges users to act swiftly to safeguard their systems, which includes updating their Adobe software immediately. If left unaddressed, these vulnerabilities can be exploited by attackers to trigger memory leaks and run unauthorized code on targeted systems. Such attacks can have severe consequences, including stolen data, system crashes, and unauthorized access to sensitive information. Apart from Adobe products, CERT-In has also issued critical vulnerability warnings for IBM WebSphere Application Server and the Joomla Content Management System.

Understanding the Vulnerabilities

According to CERT-In, several underlying issues are responsible for the vulnerabilities found in Adobe products:
  • Integer Overflow or Wraparound: This vulnerability occurs when an arithmetic operation surpasses the maximum capacity of the integer data type used to store the value, leading to unexpected behavior or crashes.
  • Heap-based Buffer Overflow: This arises when data surpasses the designated buffer capacity in the heap memory, potentially allowing attackers to execute unauthorized code.
  • Out-of-bounds Write and Read: These vulnerabilities occur when software reads or writes data beyond the allocated memory boundaries, leading to data corruption, crashes, or code execution.
  • Untrusted Search Path: This vulnerability arises when software searches for resources in untrusted directories, which attackers can exploit to execute malicious code.
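As an added illustration (not from CERT-In's note or from Adobe's code) of how the first three weakness classes above combine in a file parser, the following C program shows a chunk-length calculation that wraps in 32-bit arithmetic beside a hardened parser that rejects the wrap and bounds-checks every read. The chunk format, the 64 MiB cap and the sample inputs are assumptions constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed chunk format (an assumption for this example, not any Adobe format):
 *   bytes 0-3 : element count (little-endian uint32)
 *   bytes 4-7 : element size  (little-endian uint32)
 *   bytes 8.. : payload, count * element size bytes long
 */
#define CHUNK_HEADER_LEN 8
#define MAX_PAYLOAD (64u * 1024u * 1024u)   /* assumed sanity cap: 64 MiB */

static uint32_t read_le32(const uint8_t *b) {
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
           ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

/* VULNERABLE (Integer Overflow or Wraparound): the product is computed in 32
 * bits, so a hostile header such as count = 0x40000000, size = 8 wraps to 0.
 * A parser that mallocs this many bytes and then copies count * size bytes
 * writes far past the end of the heap buffer (Heap-based Buffer Overflow). */
uint32_t wrapped_payload_size(uint32_t count, uint32_t elem_size) {
    return count * elem_size;              /* wraps modulo 2^32 */
}

/* HARDENED: widen to 64 bits and reject anything that wrapped or is absurd. */
bool checked_payload_size(uint32_t count, uint32_t elem_size, size_t *out) {
    uint64_t total = (uint64_t)count * (uint64_t)elem_size;
    if (total > MAX_PAYLOAD)               /* also catches every 32-bit wrap */
        return false;
    *out = (size_t)total;
    return true;
}

/* Return codes for parse_chunk. */
enum { CHUNK_OK = 0, CHUNK_ERR_TRUNCATED = -1, CHUNK_ERR_OVERFLOW = -2,
       CHUNK_ERR_OUT_OF_BOUNDS = -3, CHUNK_ERR_NOMEM = -4 };

/* Parse one chunk from buf, copying its payload into a malloc'd buffer the
 * caller frees. Every read is checked against buf_len, so a header that
 * claims more payload than is present is rejected instead of causing an
 * Out-of-bounds Read. */
int parse_chunk(const uint8_t *buf, size_t buf_len,
                uint8_t **payload_out, size_t *payload_len_out) {
    if (buf_len < CHUNK_HEADER_LEN)
        return CHUNK_ERR_TRUNCATED;
    uint32_t count = read_le32(buf);
    uint32_t elem_size = read_le32(buf + 4);

    size_t need;
    if (!checked_payload_size(count, elem_size, &need))
        return CHUNK_ERR_OVERFLOW;
    if (need > buf_len - CHUNK_HEADER_LEN)  /* declared payload exceeds input */
        return CHUNK_ERR_OUT_OF_BOUNDS;

    uint8_t *payload = malloc(need ? need : 1);
    if (!payload)
        return CHUNK_ERR_NOMEM;
    memcpy(payload, buf + CHUNK_HEADER_LEN, need);  /* provably in bounds */
    *payload_out = payload;
    *payload_len_out = need;
    return CHUNK_OK;
}

/* Convenience wrapper that returns only the status code. */
int parse_chunk_status(const uint8_t *buf, size_t buf_len) {
    uint8_t *p = NULL;
    size_t n = 0;
    int rc = parse_chunk(buf, buf_len, &p, &n);
    free(p);
    return rc;
}

/* Constructed sample inputs. */
const uint8_t GOOD_CHUNK[]  = { 4,0,0,0,  2,0,0,0,  1,2,3,4,5,6,7,8 };
/* Header claims 4 * 2 = 8 payload bytes but only 4 follow. */
const uint8_t SHORT_CHUNK[] = { 4,0,0,0,  2,0,0,0,  1,2,3,4 };
/* count = 0x40000000, size = 8: the product wraps to 0 in 32-bit arithmetic. */
const uint8_t WRAP_CHUNK[]  = { 0,0,0,0x40,  8,0,0,0,  0xAA,0xBB };

int main(void) {
    printf("wrapped size for 0x40000000 x 8 = %u\n",
           wrapped_payload_size(0x40000000u, 8u));
    printf("good=%d short=%d wrap=%d\n",
           parse_chunk_status(GOOD_CHUNK, sizeof GOOD_CHUNK),
           parse_chunk_status(SHORT_CHUNK, sizeof SHORT_CHUNK),
           parse_chunk_status(WRAP_CHUNK, sizeof WRAP_CHUNK));
    return 0;
}
```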

Affected Adobe Software

The following Adobe software versions are susceptible to these vulnerabilities:
  • Adobe Premiere Pro:
    • All versions before 24.4.1 for Windows and macOS
    • All versions before 23.6.5 for Windows and macOS
  • Adobe InDesign:
    • All versions before ID19.3 for Windows and macOS
    • All versions before ID18.5.2 for Windows and macOS
  • Adobe Bridge:
    • All versions before 13.0.7 for Windows and macOS
    • All versions before 14.1 for Windows and macOS

Security Patch

CERT-In recommends the following actions to mitigate the risks associated with these vulnerabilities:
  • Apply the Latest Updates: Install the most recent updates provided by Adobe for the affected software as soon as possible. Keeping software up-to-date is essential to shield systems from known vulnerabilities.
  • Regular Update Checks: Enable automatic updates for your Adobe software if available. Otherwise, routinely check for updates and install them promptly.
  • Download from Official Sources: Only download software and updates from the official Adobe website or trusted app stores. Avoid downloading from untrusted sources, as they might distribute malicious versions.
  • Layered Security: Consider using additional security measures like firewalls, antivirus software, and intrusion detection systems to add an extra layer of protection against potential attacks.
  • Regular Backups: Regularly back up important data to minimize the impact of a potential security breach or system failure.
By following these recommendations, users of the affected Adobe software can significantly reduce their risk of falling victim to cyberattacks.

IBM WebSphere Application Server Under Fire

CERT-In has also reported a vulnerability in IBM WebSphere Application Server (CVE-2024-0215) that could allow Remote Code Execution (RCE) attacks. This means attackers could potentially exploit this flaw to execute malicious code on the server, granting them complete control of the system. According to IBM, "a remote attacker could exploit this vulnerability to execute arbitrary code on the system with a specially crafted sequence of serialized objects." The bulletin applies to:
  • IBM WebSphere Application Server Traditional V9.0 or earlier versions
  • IBM WebSphere Application Server Network Deployment V8.5 or earlier versions
IBM has recommended updating to the following versions to address the vulnerability, or applying a fix pack that contains APAR PH61489.
  • For V9.0.0.0 through 9.0.5.20: upgrade to the minimal fix pack level required by the interim fix and then apply Interim Fix PH61489, or apply Fix Pack 9.0.5.21 or later (targeted availability 3Q2024).
  • For V8.5.0.0 through 8.5.5.25: upgrade to the minimal fix pack level required by the interim fix and then apply Interim Fix PH61489, or apply Fix Pack 8.5.5.26 or later (targeted availability 3Q2024).
Users can find detailed information and download the updates from the official IBM Security Bulletin.

Cross-Site Scripting (XSS) Vulnerabilities in Joomla

A high-risk warning for users of the Joomla Content Management System (CMS) has also been issued by CERT-In. Multiple vulnerabilities classified as "HIGH" severity have been identified in advisory CIVN-2024-0214, allowing attackers to inject malicious scripts into websites. These vulnerabilities exist in various components and functions of Joomla (Custom Fields, wrapper extensions, StringHelper::truncate, the fancyselect list field layout, and accessiblemedia) due to improper input validation. They fall under the category of Cross-Site Scripting (XSS), which can be exploited to steal user data, deface websites, or redirect users to phishing sites. Successful exploitation of these vulnerabilities could allow an attacker to conduct cross-site scripting attacks on the targeted system. CERT-In has advised users to upgrade to Joomla CMS versions 3.10.16-elts, 4.4.6, or 5.1.2. More details have been provided by Joomla on its Security Announcements page.

Multiple Cryptocurrency Firms Fall Victim to Squarespace Domain Hijacking


Multiple firms managing their domain names through domain registrar Squarespace have reported instances of hijacking in the last week. The Squarespace domain hijacking was a result of security flaws following Squarespace's acquisition of Google Domains assets last year. Former customers of Google domains became victims of the hijack after they failed to open an account on the platform.

Squarespace Domain Hijacking in Detail

In June 2023, Squarespace, based in New York City, secured nearly 10 million domain names from Google Domains and has been gradually transferring these domains to its own service. The domain hijacking primarily took place from July 9-12. The attackers primarily targeted Bitcoin companies such as Celer Network, Compound Finance, Pendle Finance, and Unstoppable Domains. According to an article by KrebsOnSecurity, the attackers were able to take control of Squarespace accounts that had migrated without Google registration and instead used an email address linked to the domain. In a few cases, criminals redirected the hijacked domains to phishing websites designed to steal cryptocurrency funds from unsuspecting individuals. As of publication time, Squarespace has not responded to the hijack or issued a public statement on the matter.

Security Experts Explain Loophole by Squarespace

A study conducted by researchers at Metamask and Paradigm speculates that the main reason for the hijacks could be that Squarespace assumed that all users would migrate from Google Domains and then select social login options such as "Continue with Google" or "Continue with Apple" instead of the "Continue with email" selection. Metamask's leading product manager, Taylor Monahan, emphasized that Squarespace did not consider the possibility that a threat actor could register an account with an email address connected to a recently-migrated domain before the real holder could access the account themselves. "As a result, there's nothing stopping them from attempting to log in with an email address," Monahan told KrebsOnSecurity. "Since there's no password set on the account, it simply redirects them to the 'create password for your new account' process. And because the account is partially initialized on the backend, they now have control over the domain in question." Moreover, Monahan disclosed that the registration of new accounts with emails did not require the emails to be verified either. The transfers of domains from Google to Squarespace are public records, Monahan said. "It's either public or readily obtainable knowledge regarding which email addresses have administrative control over a domain. If the email address has never been used to pull out a Squarespace account, it's possible that anyone who enters that email@domain combination in the Squarespace form now has full control over the domain.” A breach is possible when attackers manage to get the email addresses of lower-privilege accounts that are currently active users of the domain, such as the "domain manager," who, for example, is among the few people who can either transfer control of the domain or redirect it to another internet location.
Users have few options for monitoring account activity, Monahan added. "You basically have no control over the access different folks have. You don’t have any audit logs. You don’t get email notifications for some actions. The owner doesn’t get email notification for actions taken by a ‘domain manager.’ This is absolutely insane if you’re used to and expecting the controls Google provides."

Recommendations for Squarespace Users

The researchers identified that some migrated Squarespace domains were also vulnerable to hijacking if attackers discovered email addresses for lower-privileged user accounts connected to the domain, such as "domain manager," which also has the capability to transfer a domain or redirect it to a different internet address. Monahan expressed concerns that the migration process has left domain owners with limited options to secure and monitor their accounts. "One of the first steps to complete is to carry out a test to see which people can access your new account on Squarespace," he advises. "The teams, in most cases, do not even know about the accounts' existence." The researchers' study includes a detailed guide on securing Squarespace user accounts, urging Squarespace users to enable multi-factor authentication, which was disabled during the migration process. The guide also mentions deleting the Squarespace user accounts that are no longer needed as well as removing reseller access in Google Workspace. "If it was Google Domains you took Google Workspace from, Squarespace might also be your authorized reseller," the help document explains. "That means anyone with your Squarespace account can also access your Google Workspace through the backdoor unless you explicitly disable it following the instructions provided here, which are highly recommended. It's safer to protect one account rather than two."

Strengthening Australia’s Digital Backbone: Critical Infrastructure Report Filing Begins


The Cyber & Infrastructure Security Centre (CISC) of Australia has recently announced that the Critical Infrastructure Risk Management Program (CIRMP) Annual Report filing period will run from July 1 to September 28, 2024. Organizations must submit their cybersecurity reports using the designated form by August 17, 2024. They will be required to develop, implement, and maintain a cybersecurity framework under the Security of Critical Infrastructure (SOCI) CIRMP Rules. This project is part of the Australian Government's effort to promote confidence in digital products and services, not only by ensuring their security and integrity but also by demonstrating the government's commitment to trustworthiness. In this way, the country aims both to strengthen the privacy of its citizens and to improve the standing of such products in the eyes of the public.

Australia’s Global Collaboration Plan for Cybersecurity

While technology evolves, some of the most problematic digital products are still deficient in data protection. Many digital products still lack basic security features, so both the individuals and the companies that use them become easy targets for cybercriminals. The incursion of Advanced Persistent Threats (APTs) into industry, as well as technology obsolescence, makes cooperation with other countries necessary. For this reason, the Australian government is pushing for sustainable cooperation to address the problems of cybercrime by adhering to common standards. This includes measures like information sharing, exchanging best practices in cybersecurity, and employing innovation across countries. However, questions remain as to how international treaties among nations can counter possible cyberattacks through public-private cooperation, and how quickly nations can react to restore stability in cyberspace. Australia has several complementary mechanisms to ensure digital products are secure by design, such as the Protective Security Policy Framework (PSPF) and the Security of Critical Infrastructure Act 2013. With these mechanisms, Australia aims to secure its digital products from the beginning. Work is currently being pursued under component three of the 2023-2030 National Security Strategy to address technology resilience and security not only in IT (Information Technology) but also in OT (Operational Technology) and ICS (Industrial Control Systems).

Advantages of Learning & International Collaboration for Cybersecurity

The Australian government is acquiring knowledge from the approaches of international partners and is using them to the fullest extent. "Australia and our international partners share a common goal: securing all technologies, including those employed in OT and ICS environments," said a representative from the Australian Department of Home Affairs to Industrial Cyber.

Public and Private Sector Collaboration for Cybersecurity

The next generation of public-private partnership (PPP) is crucial for boosting Australia's cybersecurity posture. Sharing information, developing best practices, and responding to cyber incidents in a coordinated manner are all parts of the collaborative process that keeps the defenders of Australia's digital infrastructure aligned. Australia gains additional benefits from cooperation with foreign partners: beyond the sharing of cases and strategies, it strengthens each respective partnership. "Cybersecurity goes beyond borders," the Department of Home Affairs spokesperson explained in layman's terms. "Australia depends not only on the operational part of the agency but on the strong relationships with our foreign partners to deliver timely and necessary information to improve the responses to and mitigate cyber threats. The close international collaboration observed in aviation safety activities has served as a successful model for our efforts.” The spokesperson insisted that the trend of coordinated regulations and policies is intensifying, and that it therefore requires a more comprehensive and inclusive approach. "Previously, the legislators had the freedom to modify the boundaries of the policy set up in a specific area since policy making was done according to the forms of each jurisdiction at that time. However, now we are observing cybersecurity go global through various technologies that are running a cross-border environment, largely avoiding the specific cases of the jurisdiction's law, economy, and cultural factors. Hence, the countries all around the world not only recognize new and unique problems but are also willing to find different ways of policy issues to bring about international agreement and transparency," the spokesperson concluded.

Disney Data Breach Fears: Hackers Threaten Leak of Unreleased Projects


A hacktivist group claims to have hacked into renowned entertainment company Disney's internal Slack channels and stolen more than a terabyte of data. The Disney data breach was allegedly orchestrated by a group that identifies itself as "NullBulge." According to the threat actor, it exfiltrated 1.1 TB of files and chat messages from 10,000 Slack channels, including those used by the company's developers. "Anything we could get our hands on, we downloaded and packaged up. Want to see what goes on behind the doors? Go grab it," the group wrote in a post on X (formerly Twitter). (Image source: X)

Disney Data Breach in Detail

On July 12, 2024, threat actor "NullBulge" wrote a post on the data leak marketplace BreachForums claiming that the group had obtained details of Disney's unannounced projects, raw images and code, some login credentials, links to internal APIs and web pages, and other miscellaneous data. The leak purportedly contains contents from Slack chats, such as various files belonging to employees, screenshots, pictures of employees' pets, and phone numbers, among other details posted on Slack. In their blog post, the attackers stated that they had a mole inside Disney, an employee who assisted them in the malicious data leak. However, they claimed that this collaborator subsequently refused to supply them with more data. "We tried to hold off until we got deeper in, but our inside man got cold feet and kicked us out!" read the blog post.

Disney Yet to React to Data Breach Claims

Disclosure of internal chats is dangerous not just for Disney but for every other firm: it gives hackers access to sensitive information, lets them potentially exploit vital communication resources, and enables threats to release damaging information. The Cyber Express has reached out to Disney to learn more about this cyberattack and the authenticity of the claims made by the threat actor. However, at publication time, no official statement or response had been received, leaving the Disney data breach claims unverified. Even though Disney hasn't reacted to the leak yet, if the attackers' statements are to be believed, the stolen information would be highly valuable to fraudsters. For example, hackers often look for victims that offer the most potential for supply chain attacks, and leaked company information would let a malicious actor more easily enter the company's network. Hackers also love to showcase their prowess by sending crude messages to organizations through internal channels such as Slack. According to a report making the rounds online, the Disney data breach has revealed that the company could release a sequel to the 2021 game Aliens: Fireteam Elite. The sequel was codenamed Project Macondo and is scheduled for Q3 2025, although that plan might have changed. The documents describe a new mode called Annihilation, which is a "new spin on Horde Mode with a variety of objectives and encounters." The project's scope is also outlined, suggesting the documents are a pitch or date from early in development. It describes an "ideal scope" of 12 hours of gameplay in the Campaign mode, and one map for Annihilation.

Disney Hack Not the First Instance of Slack Access Breach

This is not the first instance of hackers gaining access to a company's Slack channels. Last year, a threat actor initiated a chat to carry out a malware attack on renowned global casino and resort powerhouse MGM Resorts. The bad actors spied on employees and obtained more data. In December 2022, video game publisher Activision was also hacked, with the attackers getting into the corporate Slack and the game release schedule. In 2022, a culprit managed to penetrate Uber's cybersecurity and proceeded to leave a message on the company's Slack forums, apparently in protest of the company's payout policy for drivers. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

French Telecom Giant SFR’s Data Breached? Hacker Claims 1.4 Million Users Affected


Societe Francaise Du Radiotelephone, popularly known as SFR, a prominent telecommunications company based in France, has allegedly fallen victim to a cyberattack. The SFR data breach, which was allegedly orchestrated on July 12, 2024, has been attributed to a hacker known as "KevAdams," who claims to have infiltrated the company and compromised the data of over 1.4 million landline users. SFR is France's third-largest telecom provider.

Decoding SFR Data Breach Claims

According to the company's profile, SFR was founded in 1987 and its head office is located in Paris. In 2021, it was categorized as a large company with over 5,000 employees. In his post on the dark web marketplace BreachForums, threat actor "KevAdams" claimed that the exfiltrated database contained 1,445,683 records that allegedly compromised sensitive Personally Identifiable Information (PII) of customers. To substantiate the data breach claim, the threat actor attached sample records, with the latest timestamp of July 2024, which included the "first name, last name, phone number, address, latitude, longitude, subscribed, and redlist [sic]" data of customers. The threat actor offered to sell the entire database for $300 and also offered to sell the data exclusively to a single buyer for $850. He asked for payment to be made in XMR (Monero) or LTC (Litecoin) cryptocurrency, and noted that he would delete the sale thread once the exclusivity price was paid.

Potential Impact of SFR Data Breach

If proven, the potential consequences of this cyberattack could be critical, as the personal details of customers could be leaked. SFR should take appropriate measures to protect the privacy and security of the stakeholders involved. Data breaches of this kind can lead to identity theft, financial fraud, and a loss of trust among clients, potentially jeopardizing the company's standing in the industry. Currently, details regarding the extent of the data breach, the amount of data compromised, and the motive behind the cyber assault remain undisclosed. Despite the claims made by the threat actor, the official website of the targeted company remains fully functional. This discrepancy has raised doubts about the authenticity of the cyber criminal's assertion. To ascertain the veracity of the claims, The Cyber Express has reached out to SFR Telecom officials. As of the writing of this news report, no response has been received, leaving the data breach claim unverified. Meanwhile, customers can take preventive steps such as changing the passwords and login credentials of accounts linked to Corse GSM. They should also be wary of phishing attempts, since fraudsters could use leaked email addresses to send fraudulent links, monitor the bank accounts linked to their Corse GSM mobile plan subscriptions, and report any suspicious activity to law enforcement authorities. The cyberattack on Societe Francaise Du Radiotelephone underscores the persistent threat posed by malicious actors seeking to exploit vulnerabilities in digital infrastructure. As organizations continue to rely heavily on technology to conduct their operations, safeguarding against cyber threats remains paramount to protect sensitive data and maintain the trust of customers and stakeholders alike. This is an ongoing story and The Cyber Express will be closely monitoring the situation. We'll update this post once we have more information on the alleged SFR Telecom data breach or any official confirmation from the organization.

American Golf Corporation Hit by MEDUSA Ransomware, 155GB of Data Claimed Stolen


American Golf Corporation, an experienced and innovative operator in the golf industry in the United States, has allegedly fallen victim to a cyberattack from the notorious MEDUSA ransomware group. The hackers allegedly exfiltrated 154.9 GB of data, including email correspondence, members’ data, orders, full access account credentials (User ID, Passwords, Secret Keys), reports, licenses, passports, and financial data.

Details of the American Golf Corporation Ransomware Attack

According to its LinkedIn profile, American Golf, over its 50-year history, "has been involved with more than 325 golf courses for various private entities or public agencies." Currently, American Golf manages over 70 facilities across the United States. The MEDUSA group has shared details of the data breach on its dark web channel, "MEDUSA BLOG", including a countdown timer that adds pressure to the situation. (Image source: X) The bad actor has set an ominous deadline of 8 days for the corporation to meet its demands. MEDUSA has demanded a ransom of $2,000,000, and for every day that passes without payment, the ransom amount increases by $100,000. MEDUSA is also willing to delete all the data for a ransom of $2,000,000. As of now, the American Golf Corporation has not issued an official response or statement regarding the data breach. The Cyber Express has reached out to the organization to gather insights into the incident, but no information had been provided at the time of writing.

Previous Cyberattacks on Golfing Industry

The golfing industry saw a high-profile cyberattack in 2018 when the Professional Golfers' Association (PGA) of America was hit by a ransomware attack. According to this article by NBC News, files associated with the PGA Championship and the Ryder Cup in France were locked in the attack. The hackers were able to encrypt some of the PGA's files and then directed the association to an email address and a Bitcoin wallet. Last year, golf club maker Callaway reported a data breach of its website that affected more than one million people. The compromised information included account passwords and answers to security questions, as well as names, mailing addresses, email addresses, phone numbers and order histories.

MEDUSA Ransomware: Rising Number of Attacks

This cyberattack on the American Golf Corporation is not an isolated incident. In the last month, MEDUSA ransomware intensified its attacks. It targeted the Harry Perkins Institute in Australia, allegedly exfiltrated 4.6 TB of the institute's internal building camera recordings, and demanded a ransom of $500,000. AJE Group, a prominent company in the manufacture, distribution, and sale of alcoholic and nonalcoholic beverages in Peru, also became a victim of MEDUSA, with the group exfiltrating 646.4 GB of the company's data. MEDUSA first emerged in June 2021 and has since launched attacks on organizations across various countries and industries, including healthcare, education, manufacturing, and retail. Despite its global reach, most victims have been based in the United States. MEDUSA operates as a Ransomware-as-a-Service (RaaS) platform, offering malicious software and infrastructure to would-be attackers. This model enables less technically skilled criminals to launch sophisticated ransomware attacks. MEDUSA's threat actors often utilize a public Telegram channel to post stolen data, leveraging public exposure as an extortion tactic to pressure organizations into paying the ransom. While the authenticity of the ransomware attack on the American Golf Corporation remains unconfirmed, the potential consequences are significant. The Cyber Express will continue to monitor this ongoing situation and provide updates as more information becomes available.

US Health Insurance Website HealthCare.gov Hacked Again? 7,500 Users Potentially Affected


HealthCare.gov, the health insurance exchange website operated by the United States federal government, has reportedly suffered a data breach. A threat actor has reportedly orchestrated the HealthCare.gov data breach and claims to have leaked a database from the website on the dark web containing sensitive information on approximately 7,500 users. The claim that HealthCare.gov had been compromised surfaced on July 11 on the data leak site BreachForums. The threat actor claimed to be releasing a stolen database of 83,000 lines, consisting of the Personally Identifiable Information (PII) of 7,500 users, including their full names, phone numbers, email addresses, mailing addresses, cities, states and zip codes. To substantiate the data breach claim, the threat actor, operating under the alias "HealthDontCare", attached sample records in zip format. In its claim, the bad actor wrote in the post, "Today we are uploading healthcare.gov database breached today. We have exploited several vulnerabilities to gain access to this data. N***ers from United States failed to pay our extortion fee, so f**k off and enjoy."

Potential Impact of HealthCare.gov Data Breach

If proven, the potential consequences of this cyberattack could be critical, as personal information about citizens could be exposed. The organization should take appropriate measures to protect the privacy and security of the stakeholders involved. Data breaches of this nature can lead to identity theft, potential financial fraud, and a loss of trust among citizens. Currently, details regarding the scale of the HealthCare.gov data breach, the amount of data compromised, and the motive behind the cyber assault remain undisclosed. Despite the claims made by the threat actor, the official HealthCare.gov website remains fully functional. This discrepancy has raised doubts about the authenticity of the threat actor's assertion. To ascertain the veracity of the claims, The Cyber Express has reached out to officials at the Centers for Medicare & Medicaid Services (CMS). As of the writing of this news report, no response has been received, leaving the cyberattack claim unverified.

HealthCare.gov Suffered Two Cyberattacks Previously

This is not the first time that HealthCare.gov has been under the scanner for data breaches. The CMS reported that sensitive data of 93,689 people was compromised during an October 16, 2018 data breach of HealthCare.gov that targeted the Direct Enrollment pathway used by insurance agents and brokers. The number of victims was initially estimated at 75,000. According to an article by CNBC, the 2018 data breach exposed personal details of victims including the last four digits of their Social Security number, immigration status and employer name. The exposed data consisted of information provided on insurance applications, as well as information from other federal agencies used to confirm the application details. The breach forced CMS to shut down the Direct Enrollment pathway for a week while it investigated the suspicious activity it had noticed on the portal. Owing to the breach, the CMS reached out to all affected consumers by phone and mailed notification letters offering free credit protection and additional services to prevent and remediate issues arising from unauthorized use of the exposed data, including identity monitoring services, identity theft insurance, and identity restoration services. In 2014, too, hackers uploaded malware to a HealthCare.gov test server. However, the CMS then put out a statement saying, "Our review indicates that the server did not contain consumer personal information; data was not transmitted outside the agency, and the website was not specifically targeted. We have taken measures to further strengthen security."

ARRL Confirms Data Breach: 150 Employees Affected, Offers 24 Months of Free Identity Monitoring


The American Radio Relay League (ARRL), the amateur radio community organization that reported being the target of a significant ransomware attack in May 2024, has now confirmed that the data of a few of its employees was stolen in the cyberattack. The ARRL data breach notification recently shared with impacted individuals mentioned that a "sophisticated ransomware incident" was detected after the attackers breached and encrypted its computer systems on May 14.

ARRL Data Breach: What Was Affected?

ARRL is the preeminent national association for amateur radio enthusiasts in the United States. In its data breach notification on May 20, ARRL mentioned that the attackers compromised data from the "Logbook of The World" (LoTW) internet database. This platform is crucial for amateur radio operators, allowing them to record and verify successful contacts (QSOs) with fellow operators globally. The LoTW's functionality as a digital logbook and a user confirmation system is central to the operations of many enthusiasts who rely on its integrity for maintaining accurate records. Following this attack, ARRL said, "We immediately took the affected systems offline, secured our network environment and engaged independent third-party forensic specialists to assist us with investigating the extent of any unauthorized activity. Our investigation has determined that the unauthorized third party may have acquired your personal information during this incident. Please know that we have taken all reasonable steps to prevent your data from being further published or distributed, have notified and are working with federal law enforcement to investigate."

ARRL Data Breach Only Affected 150 Members: SEC Filing

ARRL, in its SEC filing with the Office of Maine's Attorney General this week, claimed that the data breach in May only affected 150 employees. In its recent notice to impacted individuals, ARRL wrote, "While we have no evidence that your information has been misused, we are notifying you of this incident and are offering you the resources provided in this letter, in an abundance of caution and so that you can take precautionary steps to help protect yourself, should you wish to do so. ARRL recommends you proceed with caution and take advantage of the resources provided in this letter." The organization decided to provide those impacted by this data breach with 24 months of free identity monitoring. "We value the safety of your personal information and want to make sure you have the information you need so that you can take steps to further protect yourself, should you feel it appropriate to do so. We encourage you to remain vigilant and to regularly review and monitor relevant account statements and credit reports and report suspected incidents of identity theft to local law enforcement, your state's Attorney General or the Federal Trade Commission (the "FTC"). To help relieve concerns and restore confidence following this incident, we have secured the services of Kroll to provide identity monitoring at no cost to you for 24 months. Kroll is a global leader in risk mitigation and response, and their team has extensive experience helping people who have sustained unintentional exposure of confidential data. Your identity monitoring services include Credit Monitoring, $1 Million Identity Fraud Loss Reimbursement, Fraud Consultation, and Identity Theft Restoration," the organization said in a statement. Even though ARRL has so far released two public statements regarding the data breach, it has not linked the ransomware attack to a specific threat actor. This incident also serves as a reminder of the vulnerabilities inherent in digital transformation. As organizations increasingly rely on online platforms for critical services, enhanced cybersecurity measures become indispensable. The ARRL's experience could prompt other associations and similar entities to re-evaluate their cybersecurity postures and adopt more stringent safeguards.

‘Gay Furry Hackers’ Claim Responsibility for Heritage Foundation Data Leak, Then Disband


SiegedSec, who describe themselves as "gay furry hackers," claimed responsibility for a cyberattack on The Heritage Foundation before the hacktivist group promptly disbanded. The Heritage Foundation cyberattack surfaced on July 2, 2024, when SiegedSec allegedly released two gigabytes of the conservative think tank’s internal data. The Heritage Foundation was specifically targeted because of its "Project 2025" plans, which SiegedSec views as a blueprint for Donald Trump to implement sweeping far-right reforms should he win another term as president. According to the hacktivist group, these plans align with anti-trans and anti-abortion policies they are actively opposing through their cyber campaign.

SiegedSec’s Cyberattack on The Heritage Foundation Explained

On July 2, SiegedSec released an alleged leak from The Heritage Foundation's blogs and material related to "The Daily Signal", a right-wing media site affiliated with Heritage. The data was created between 2007 and November 2022. (Image source: SiegedSec's Telegram post) The leak exposed sensitive information, including full names, email addresses, passwords, and usernames of individuals associated with The Heritage Foundation, including users with U.S. government email addresses. In its Telegram channel, SiegedSec explained its motives, saying, "Project 2025 threatens the rights of abortion healthcare and LGBTQ+ communities in particular. So of course, we won't stand for that!" However, according to an article in Fudzilla, a Heritage spokesperson refuted the claims, stating that "an organized group stumbled upon a two-year-old archive of The Daily Signal website available on a public-facing website owned by a contractor." The spokesperson said no Heritage systems were breached at any time, dismissing the hack as "a false exaggeration by a group of criminal trolls seeking attention."

SiegedSec Announces Retirement, Exposes Chats with The Heritage Foundation

Following the alleged data breach, SiegedSec surprisingly announced the group's disbanding on July 11. (Image: SiegedSec's post on Telegram) "Yes, this is a sudden announcement. We planned to disband later today or tomorrow, but given the circumstances, I believe it's best we do so now. I've been considering quitting cybercrime lately, and the other members have agreed it's time to let SiegedSec rest for good," the group posted on its Telegram account. The group then invited The Heritage Foundation to contact them over the leak, which is when Mike Howell, an investigative columnist for the Daily Signal, contacted SiegedSec over the messaging app Signal. In a conversation with Vio, a spokesperson for SiegedSec, Howell said that The Heritage Foundation was "in the process of identifying and outting [sic] members of your group" and working with the FBI. In its Telegram post on July 11, SiegedSec said, "Mike Howell reached out to us, at first to ask questions to understand our motives and why we breached his organization. Then, he proceeded to throw insults, threats, and claimed our existence was against nature. We tried answering things in a way to hopefully help him understand. But as his insults grew, so did our impatience. So we are releasing all of our chat logs with Mike Howell."

Chat Logs of SiegedSec vs Heritage Foundation Response

(Image source: X) The chat logs appear to support the claims made by SiegedSec. The chat transcript showed Mike Howell using offensive language to describe SiegedSec members. Howell also threatened to expose the identities of the hackers, using a homophobic slur in the process. Following an exchange in which Howell issued a violent threat, SiegedSec member Vio asked whether Howell would object to the conversation being made public. "Please share widely," Howell responded, "I hope the word spreads as fast as the STDs do in your degenerate furry community." Howell reposted this information on Twitter, quoting the lyrics of the song "The Way I Am" by Eminem. Howell's retweet essentially confirmed the authenticity of the chat logs. SiegedSec, however, maintained that its decision to disband was pre-planned. "While this announcement may seem abrupt," SiegedSec explained, "we had already planned to disband within the next day or two. Given the recent developments, including the intense media attention and the potential for FBI involvement, we believe disbanding now is the best course of action for our mental wellbeing." The group elaborated that it had been contemplating ending its cybercrime activities for some time, and the other members agreed it was time to permanently shut down SiegedSec's operations.

History of SiegedSec’s Cyberattacks

SiegedSec, a hacktivist collective led by "YourAnonWolf," gained prominence shortly before the Russian invasion of Ukraine. The group, humorously labeling themselves as "gay furry hackers," quickly amassed a following and claimed responsibility for various cyberattacks. Operating with affiliations to groups like GhostSec, SiegedSec is known for its witty slogans and profane communication style. The collective predominantly comprises members in the 18-26 age bracket, showcasing a youthful and dynamic approach to their hacking activities. Some of the organizations associated with SiegedSec's cyberattacks include NATO, River Valley Church in the U.S. (for its alleged anti-trans stance), AirAsia Berhad, Murphy Oil Corporation and Telerad Bangladesh Ltd.

Change Healthcare Data Breach: Over 110 Million Potentially Affected, Free Credit Monitoring Offered


UnitedHealth Group's Change Healthcare unit has uploaded a substitute data breach notice to its website about its February 2024 cyberattack and stated that affected individuals will start receiving notification letters from July 20, 2024. Change Healthcare, in its notice published this week, said the data review is in its late stages; however, it is possible that further individuals may still be identified as having been affected.

Change Healthcare Data Breach: Background and Context

The company has provided a detailed timeline of the data leak events in its substitute notice. Change Healthcare explains that the intrusion was discovered on February 21, 2024. Hackers were able to access internal systems between February 17 and 20. By March 7, Change Healthcare confirmed that a significant amount of data had been stolen from its network. Analysis of the stolen data was delayed until March 13, 2024, when Change Healthcare was able to secure a soft copy for review. Initial investigations revealed that a substantial number of individuals in the United States were impacted. The total number affected has not been officially released, but estimates suggest it could be as high as 1 in 3 Americans, potentially exceeding 110 million people. The type of information exposed or stolen varies depending on the individual and may include some or all of the following:
  • Health insurance details (like primary, secondary, or other health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers)
  • Health information (including medical record numbers, providers, diagnoses, medications, test results, images, care and treatment details)
  • Billing, claims, and payment information (such as claim numbers, account numbers, billing codes, payment cards, financial and banking information, payments made, and balance due)
  • Additional personal information such as Social Security numbers, driver's licenses or state ID numbers, or passport numbers
In certain instances, guarantor information was also compromised. The notice outlines steps affected individuals can take to safeguard themselves from potential misuse of their information.

Change Healthcare Offers Mandatory Mitigation Services

Change Healthcare is providing complimentary credit monitoring and identity theft protection services to affected individuals for a two-year period. The stolen data was obtained by an affiliate of the BlackCat ransomware group, who remain in possession of a copy. Additionally, the operators of the now-defunct BlackCat ransomware group may also have a copy, and the RansomHub ransomware group has claimed to have acquired the data. Since credit monitoring services are now available, and considering the possibility that 1 in 3 Americans may be affected, it is highly recommended that all US citizens sign up for these services immediately if they believe they may have been impacted. To register, visit http://changecybersupport.com or call (888) 846-4705.

Response to Change Healthcare Cyberattack

While the Change Healthcare cyberattack did leave a notable dent in UnitedHealth Group's earnings from operations, which included $872 million in adverse effects, the company's adjusted earnings from operations remained resilient, excluding direct response costs attributed to the cyberattack. As per the press release in April, in light of the cyberattack's potential implications for the timing of claims receipt, UnitedHealth Group exercised prudence by allocating an additional $800 million towards claims reserves in the first quarter, reflecting a proactive approach to managing potential future impacts on its financial stability. Looking beyond the immediate financial repercussions, UnitedHealth Group remains focused on maintaining consistent care patterns and supporting its care providers through accommodations necessitated by the cyberattack, as evidenced by a medical care ratio of 84.3% in the first quarter of 2024. Despite the turbulence induced by the cyberattack on Change Healthcare, UnitedHealth Group reaffirmed its commitment to shareholder value by returning $4.8 billion through dividends and share repurchases in the first quarter.

Fresh Neiman Marcus Data Breach Claims: Threat Actor Targets Celebrities, Demands $1M Ransom


A threat actor has claimed responsibility for orchestrating a cyberattack on Neiman Marcus, the U.S. luxury retailer. The Neiman Marcus data breach claims come just days after the company issued a notification to its customers regarding a massive leak that occurred in May 2024, potentially exposing sensitive personal information. In its notification filed with the Attorney General of Maine on June 24, the company stated that the breach affected an estimated 64,472 victims. However, the threat actor, operating under the pseudonym "Sp1d3rHunters," claimed that the company was downplaying the breach and alleged that they had illegal access to a database of 40 million customers, which included high-profile celebrities.

Fresh Claims of Neiman Marcus Data Breach

In a July 10 post on the dark web marketplace BreachForums, the threat actor wrote, “Neiman Marcus had chance to stop sale of data from 40 million customers, but they said only 60,000 people are affected. We give Neiman last chance to buy back data and show how important it is, but now price is higher.” The anonymous hacking group then shared an alleged sample of the 40 million customers, which included names, email addresses, phone numbers, credit card details and addresses of high-profile individuals like Melania Trump, Ivanka Trump, Tiffany Trump, Jill Biden, Halie Biden, Sara Biden, Barbara Bush, Kylie Jenner, Kim Kardashian, Khloe Kardashian, Kanye West, Melinda Gates and Bill Gates. Sharing the sensitive data of celebrities, the malicious actor threatened, “Here are some famous people from your database we will leak if you don't pay. You decide if this info is important or not. To Neiman: We give you one more chance to secure your data and protect your customers. We partially blocking the phone numbers of these high-profile individuals and if you don't want us to sell or release the private details of these and 40+ million other customers, our price is $1 million.” “Do the right thing. Do not let this data get out,” the post added. The celebrities and politicians in the stolen database highlight the importance of the alleged breach, the group wrote in a footnote to its post: “Now is this data worth something now that you see how many celebrities, politicians, and their children are in this database? What about shopping habits? is it important to know that President Bill Clinton was in Honolulu in April 2023 and what was at your store and what did he purchase using his debit card?...Or more Celebrity shopping like what did Jennifer Lopez buy from your stores?...what about details on Megan Fox and Courtney Cox. $1 million is nothing to protect this information. Do the right thing and we will keep your data safe.”

Neiman Marcus Yet to Respond

The above claims have raised serious questions over the security checks in place at Neiman Marcus and the potential impact on its high-profile customers if the data leak happens to be validated. To ascertain the veracity of the claims, The Cyber Express has reached out to officials of the luxury retail chain. As of publication time, no response has been received, leaving the data breach claim unverified. Neiman Marcus Group, Inc., based in Dallas, Texas, is a popular luxury retailer that oversees brands such as Neiman Marcus, Bergdorf Goodman, Horchow, and Last Call. Since September 2021, it has been under the ownership of a consortium of investment firms led by Davidson Kempner Capital Management, Sixth Street Partners, and Pacific Investment Management. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Threat Actor Claims Data Breach at Microsoft Exposing Records of 2,073 Employees


A Threat Actor (TA) has claimed to have orchestrated a data breach at Microsoft which allegedly compromises the sensitive data of over 2,000 employees. The notorious TA, operating under the pseudonym 888, shared that the data was allegedly compromised in an undisclosed third-party breach in July 2024, but the most recent date in the data is from 2022.

Details of Alleged Microsoft Data Breach

According to the TA’s post on the dark web marketplace BreachForums, the hacked data included 2,073 personally identifiable information (PII) records of Microsoft employees, including first name, last name, job title, email, LinkedIn profile URL, city and country. To substantiate the data breach claim, the threat actor shared a sample of the data, which included sensitive PII of users mostly from New Zealand and one user from Greece. The TA, however, did not elaborate on which third-party app of Microsoft was hacked to initiate the leak.

Potential Impact on Microsoft Employees

If proven, the potential consequences of this data breach could be critical as the sensitive PII records could be leaked. The organization should take appropriate measures to protect the privacy and security of the stakeholders involved. A leak of personal information can lead to identity theft, financial fraud, and a loss of trust among clients, potentially jeopardizing the company’s standing in the industry. Currently, details regarding the extent of the compromised Microsoft data and the motive behind the cyber assault remain undisclosed. Despite the claims made by the TA “888”, there is no public information of a leak from any of Microsoft’s assets, which remain fully functional. This discrepancy has raised doubts about the authenticity of the bad actor’s assertion. The hacker, 888, has previously been linked to several high-profile data breaches, including those of Credit Suisse, Accenture India, Shell, Heineken, and UNICEF. To ascertain the veracity of the claims, The Cyber Express has reached out to Microsoft officials. As of the writing of this news report, no response has been received, leaving the data breach claim unverified.

Microsoft Criticized for Poor Security Measures

Microsoft has come under severe scrutiny over its security failures in the recent past. In April 2024, a significant data leak exposed sensitive employee credentials and internal company files to the internet, raising serious concerns about data security protocols within the organization. The data leak was identified through an open and public storage server hosted on Microsoft’s Azure cloud service. According to a report by TechCrunch, the data leak was not highlighted or detected by Microsoft’s internal security systems, raising questions about the efficacy of their monitoring mechanisms. The report further highlighted that the data accessible online included a myriad of sensitive information such as code, scripts, and configuration files containing passwords, keys, and credentials utilized by Microsoft employees for accessing internal databases and systems. In February, ‘Three high-risk vulnerabilities’ were reported in the Azure components of Microsoft’s cloud software solutions along with a critical IoT device vulnerability that potentially allowed for remote code execution (RCE) attacks. Last month, Microsoft pushed ahead with the new Windows Recall screen recording feature despite the concerns of security and privacy advocates that the company belatedly tried to address. After criticism, the company then announced that it will delay the Recall feature for further testing. Microsoft President Brad Smith, in a hearing by the House Committee on Homeland Security in June, said that to strengthen cybersecurity measures, the company has added 1,600 more security engineers this fiscal year and would add another 800 new security positions in the next fiscal year.

Microsoft China Bans Employees from Using Android Phones; Shift to iPhones Over Security Concerns


In a significant move to thwart cyberattacks, Microsoft China has mandated that its employees transition from using Android smartphones to iPhones. This decision highlights the increasing importance of cybersecurity and data protection in corporate operations, especially in regions where geopolitical dynamics can complicate technological reliance and security protocols.

Security and Authentication Concerns in Microsoft China

According to a report by Bloomberg, Microsoft's directive comes in response to heightened concerns over security and authentication issues associated with Android devices. Android, being an open-source operating system, is often perceived as more vulnerable to security breaches compared to Apple's iOS. The company's internal security teams have reportedly identified several vulnerabilities in Android devices that could potentially be exploited for unauthorized data access or cyberattacks. The decision reflects a broader strategy by Microsoft to mitigate risks associated with the use of Android devices in a country where cybersecurity threats are a growing concern. By switching to iPhones, Microsoft aims to leverage the advanced security features and robust encryption protocols that Apple devices offer, thereby enhancing the overall security framework for its Chinese operations.

Implications for Microsoft China Employees

Microsoft’s latest switch is part of its new Secure Future Initiative. As the Google Play Store is unavailable in China, Android users download apps directly or through device manufacturers like Huawei and Xiaomi. This increases the risk of potential malware attacks due to the lack of security features. Microsoft has assured that it will provide the necessary support and resources to ensure a smooth transition for its workforce. According to the Bloomberg report, Microsoft plans to distribute the iPhone 15, as a one-time purchase, to its employees in China who currently use Android devices, including those from Xiaomi or Huawei. These phones will be distributed through various hubs throughout the country, including Hong Kong. The shift to iPhones is expected to streamline security protocols and enhance the protection of corporate data. Apple's ecosystem, known for its stringent security measures and closed-loop system, offers a more controlled environment, which is less susceptible to the kind of threats that Android's open system faces. A memo sent out to Microsoft China employees stated that, due to the lack of Google services, the company proposed a ban on Android devices. The move also intends to increase the use of the Microsoft Authenticator and Identity Pass apps. Microsoft’s decision underscores the serious nature of cybersecurity threats and the lengths to which companies are willing to go to protect their data. This move could potentially influence other multinational corporations operating in China to re-evaluate their own security protocols and consider similar shifts to more secure platforms.

Microsoft’s Security Controls Under Scanner

Microsoft security controls came under scrutiny in April with the release of a U.S. Cyber Safety Review Board (CSRB) report that detailed “a cascade of security failures at Microsoft” that allowed threat actors linked to China to access “the official email accounts of many of the most senior U.S. government officials managing our country’s relationship with the People’s Republic of China” in a July 2023 attack. In March, US Senator Ron Wyden launched a scathing attack on Microsoft, urging the U.S. government to hold the tech giant responsible for what he claims are “negligent cybersecurity practices” that facilitated a successful Chinese espionage campaign against the United States government. Microsoft's decision to ban the use of Android phones by its employees in China and mandate a shift to iPhones underscores the critical importance of cybersecurity in today’s corporate landscape. By prioritizing security and data protection, Microsoft is taking proactive steps to safeguard its operations in a region marked by complex geopolitical and cybersecurity challenges. As the tech landscape continues to evolve, decisions like these highlight the intricate balance between technology, security, and geopolitics that global companies must navigate.

Rhysida Ransomware Group Claims Attack on MYC Media, Demands Bitcoins


The notorious Rhysida ransomware group has added MYC Media to its long list of high-profile victims. MYC Media is a leading creative agency based out of Canada that specializes in providing comprehensive marketing solutions to businesses online. The Rhysida ransomware group allegedly carried out a cyberattack on the digital company on July 7, 2024 and has given the company six days to respond. The threat actor has also set a price of 5 bitcoins for the sale of the data.

Understanding the MYC Media Ransomware Attack

According to its LinkedIn page, “MYC Media is your national creative agency providing full-service marketing to businesses looking to expand their brand’s reach and make an impact. Over the past decade, we have evolved into a company which excels in many areas – from online marketing and website development to all types of printing and manufacturing services. We are well positioned to service any variety or size of business, from startups to multi-national corporations.” The company was founded in 2008 in Mississauga, Ontario and has 11-50 employees along with 34 associate members. It has six divisions including MYC Graphics, which takes care of printing, manufacturing and installation; Market Your Car - Vehicle Wraps and Graphics; MYC Interactive - Website Design, Development and Online Marketing; Pixter Studio - Online Wall Art, Canvas and Print Studio; and FoodTruckWraps.ca - Food Truck Wraps and Graphics Specialists. Though the threat actor did not share details of the alleged ransomware attack, the group, in its dark web post, appealed to its buyers, “With just seven days on the clock, seize the opportunity to bid on exclusive, unique and impressive data. Open your wallets and be ready to buy exclusive Data. We sell only to one hand, no reselling, you will be the only owner!”

Potential Impact of MYC Media Ransomware Attack

If proven, the potential consequences of this ransomware attack could be critical. The media organization should take appropriate measures to protect the privacy and security of the stakeholders involved. Ransomware attacks can lead to identity theft, financial fraud, and a loss of trust among clients, potentially jeopardizing the company’s standing in the industry. Currently, details regarding the extent of the Rhysida ransomware attack, data compromise, and the motive behind the cyber assault remain undisclosed. Despite the claims made by Rhysida, the official website of MYC Media remains fully functional. This discrepancy has raised doubts about the authenticity of the Rhysida group’s assertion. To ascertain the veracity of the claims, The Cyber Express has reached out to the officials of the affected organizations. As of writing this news report, no response has been received, leaving the ransomware attack claim unverified.

Rhysida Group Targeted Big Names Previously

Rhysida is a notorious group that encrypts data on victims' systems and threatens to make it publicly available unless a ransom is paid. The group operates its eponymous ransomware under a ransomware-as-a-service model, targets large organizations rather than making random attacks on individuals, and demands large sums of money to restore data. The group orchestrated the notable 2023 British Library cyberattack and Insomniac Games data breach. It has also targeted many organizations, including some in the US healthcare sector, and the Chilean army. In November 2023, the US agencies Cybersecurity and Infrastructure Security Agency (CISA), FBI and MS-ISAC published an alert about the Rhysida ransomware and the actors behind it, with information about the techniques the ransomware uses to infiltrate targets and its mode of operation. The US CISA report states, “Threat actors leveraging Rhysida ransomware are known to impact “targets of opportunity,” including victims in the education, healthcare, manufacturing, information technology, and government sectors.”

Shopify Denies Data Breach, Points Finger at Third-Party App


E-commerce supplier Shopify has confirmed that it did not experience a cyber security incident but stated that a data loss was caused by a third-party app. The Shopify data breach was reportedly carried out by a known threat actor, operating under the alias ‘888’, who posted it on the dark web marketplace BreachForums. Shopify Inc. is a Canada-based multinational business that offers a proprietary e-commerce platform along with integrations to allow individuals, retailers and other businesses to set up their own online stores or retail point-of-sale websites. Denying that a data breach took place from its own systems, Shopify released a statement to multiple media outlets which read, “Shopify systems have not experienced a security incident. The data loss reported was caused by a third-party app. The app developer intends to notify affected customers.” The company, however, did not give details of the cybersecurity incident that it was referring to, the name of the third-party app, or the number of impacted individuals.

Recent Claim of Shopify Data Breach

While Shopify did not elaborate on the cybersecurity incident, the statement could be referring to the recent data breach which allegedly took place on July 4, 2024. Threat actor ‘888’ has allegedly shared stolen data from Shopify on BreachForums which consisted of personal details, email subscriptions and order-related information of its users. The threat actor claimed to have carried out a data breach containing 179,873 rows of user information. These records apparently include Shopify ID, First Name, Last Name, Email, Mobile, Orders Count, Total spent, Email subscriptions, Email subscription dates, SMS subscription, and SMS subscription dates. The hacker, 888, had previously been linked to multiple high-profile data breaches including Credit Suisse, Accenture India, Shell, Heineken, and UNICEF. The breach could possibly have stemmed from a recent data breach incident impacting Evolve Bank and Trust. Evolve Bank and Trust is a supporting partner of Shopify Balance, a money management integration built into the admin pages of Shopify stores. The bank is also a third-party issuer of Affirm debit cards.

Evolve Bank and Trust Data Breach Linked to Shopify?

Towards the end of June, Evolve Bank confirmed that it had been impacted by a cybersecurity incident claimed by LockBit. The bank disclosed that the stolen data included sensitive personal information such as names, social security numbers (SSNs), dates of birth, and account details, among other data. In an official statement on the alleged Evolve data breach, the bank said, “Evolve is currently investigating a cybersecurity incident involving a known cybercriminal organization that appears to have illegally obtained and released on the dark web the data and personal information of some Evolve retail bank customers and financial technology partners’ customers (end users).” Later, the financial firm Affirm Holdings confirmed that it had also been affected by the Evolve Bank and Trust data breach. The firm stated in a security notice on its website, “Affirm is aware of a cybersecurity incident involving Evolve, a third party vendor that serves as an issuing partner on the Affirm Card. We are actively investigating the issue. We will communicate directly with any impacted consumers as we learn more.” Given the severity of the data breach, Shopify customers must be vigilant and guard against phishing attempts and identity theft. They should adopt healthy cyber practices including monitoring their accounts for unusual activity, changing passwords, enabling two-factor authentication and being wary of phishing emails and messages requesting personal information.

Indian Government Issues Serious Warning on Phishing Scams Alleging Sexual Offenses


The Indian government has issued a high alert to the public over several fake and fraudulent emails that are being circulated by fraudsters to defraud people. A phishing scam is currently underway in India, warned a statement by the country’s finance ministry. According to the ministry, fraudsters are sending emails that contain a letter as an attachment which makes allegations of child pornography, pedophilia, cyber pornography, sexually explicit exhibits, grooming etc. against the recipients of the said emails.

Beware of Phishing Scam: Indian Govt Alerts Citizens

The letter in circulation bears the names, signatures and seals of various authorities that accuse the recipient of sexual offences. The names of high-profile authorities mentioned in the letter include Sandeep Khirwar, ADG, Cyber Crime and Economic Offence, Delhi Police Headquarters, Delhi and that of Anupam Prakash, Joint Secretary (Conservation of Foreign Exchange and Prevention of Smuggling Activities Act), Central Economic Intelligence Bureau (CEIB), together with stamps and logos of CEIB, Intelligence Bureau and Cyber Cell, Delhi. Sharing an attachment of the email, the ministry said, “The fraudsters have used different e-mail addresses for sending the aforementioned fake e-mails with attachment. Police authorities have been alerted for taking necessary action in the matter.” In the attachment, the fake email makes a reference to section 14 of the POCSO Act 2012, Section 292, Section 67A and Section 67B of the IT Act 2000. The letter asks the recipient to respond to the letter and “provide justification for further review” or sanctions may be imposed within 24 hours. The Government has asked citizens not to respond to such emails and to report such cases to the nearest police station/cyber police station. “Receiver of any such email should be aware about this fraudulent attempt. It is informed to the general public that any such e-mails with the attachment should not be responded to and such cases may be reported to the nearest police station/cyber police station,” the communication said.

India Third on List Globally for Reported Phishing Scams: Report

According to a cybersecurity report prepared by Zscaler, India ranked as the third leading country worldwide for the number of phishing attempts encountered in 2023. The report says that about 79.1 million phishing attempts were recorded. A United Nations Ad Hoc Committee discussing cybercrime called for specific attention to be given to the problem of phishing, calling it the “predominant cybercrime globally”. To tackle the problem of phishing, India proposed using a ‘24×7 global communication channel’ between countries. According to this report by The Economic Times, India’s proposal stated that the current measures against cybercrime were “inadequate.” To tackle the problem, the country proposed facilitating information exchange among the law enforcement agencies of different countries to “swiftly render phishing links inaccessible and identify the abused IT resources and the malicious actor.”

How to Protect Yourself Against Phishing Scams?

With the right knowledge and tools, you can arm yourself against these phishing attacks. Here are a few of the practical steps you can take to safeguard your digital identity and assets.
  • Get Educated: Learn how phishing works and common tricks attackers use.
  • Think Before You Click: Don't rush! Check email addresses and hover over links to see real URLs before clicking. Verify suspicious emails with the sender through a trusted channel.
  • Use Multi-Factor Authentication (MFA): Even if your password is stolen, MFA adds an extra step (like a code to your phone) to block unauthorized access.
  • Update Software Regularly: Outdated software has security holes. Update your operating system, web browser, and antivirus software to patch vulnerabilities. Consider real-time antivirus scanning for extra protection.
  • Trust Your Gut: If something feels off, it probably is! Don't let pressure or fear cloud your judgment. Verify everything before sharing sensitive information or making financial transactions.
  • Report Phishing Attempts: Help protect others. Report suspicious emails to your email provider, bank, or cybersecurity agencies.

US-Based Homeland Vinyl Faces Potential Data Breach as LockBit Claims Cyberattack


The LockBit ransomware group, infamous for its disruptive cyberattacks, is once again in the spotlight for allegedly carrying out a ransomware attack on Homeland Vinyl. The US-based Homeland Vinyl manufactures a diverse portfolio of vinyl profiles, including its proprietary decking and railing systems. The LockBit group alleges that it has exfiltrated sales, inventory and financial transaction data along with other company records, setting a deadline of July 19, 2024 to publish the compromised information.

Unverified Homeland Vinyl Cyberattack Claims

According to its website, “Homeland Vinyl Products, Inc. creates a wide range of high quality residential and commercial vinyl products including vinyl fence, vinyl deck, vinyl railing, and specialty products.” The company has six plants across the US in Birmingham, AL; Millville, NJ; Surgoinsville, TN; Ogden, UT; Winter Park, FL and Corsicana, TX. In its LinkedIn profile, the company says it has 501-1,000 employees and 120 associated members. In its post on July 4, LockBit claims to have breached a host of sensitive company information. To authenticate its claims, the ransomware group has provided sample screenshots of the data breach on its dark web portal. These include sales records from March 1, 2023 to February 29, 2024, Homeland Vinyl’s federal tax returns, inventory records as of May 31, 2024 and a sample of the firm’s bank account transactions for the entire month of February 2024. The group claims it will publish the organization's data on July 19, 2024. The Cyber Express team attempted to reach Homeland Vinyl officials for comment, but as of now, there has been no response. The company’s website also appears to be functioning normally, casting doubt over the legitimacy of the Homeland Vinyl cyberattack claim. However, considering LockBit’s past activities, complete dismissal would be premature.

History of LockBit’s Ransomware Attacks

LockBit Ransomware Group emerged as a significant cyber threat in September 2019. This group operates a ransomware-as-a-service (RaaS) model, attracting affiliates who launch attacks under their banner. LockBit automates the targeting and encryption processes, spreading within organizations without manual oversight and using common system tools to remain undetected. Their significant attacks have targeted a range of sectors from healthcare to financial institutions, primarily in the United States, China, India, and across Europe, exploiting organizations’ vulnerabilities to extort hefty ransoms. LockBit’s notoriety skyrocketed in 2022, earning them the title of the world’s most prolific ransomware by various government agencies. In May 2024, the NCA, FBI, and other global partners collaborated in an international operation to arrest Dmitry Khoroshev, an anonymous leader behind the notorious LockBit ransomware gang. A month later, the FBI retrieved almost 7,000 decryption keys related to the LockBit operation, which affected thousands of businesses. The agency underlined the significance of thorough cybersecurity procedures and cooperative partnerships in protecting against malevolent activities given the ongoing evolution of cyber threats. Despite the arrest, LockBit has shown an ability to continually regroup and reestablish threat activities, recently launching high-profile ransomware attacks such as the one on Monday. In the beginning of July, LockBit targeted KBC Zagreb, which is the largest and most advanced Croatian hospital. The cyber attacker claimed to have accessed sensitive data of the hospital which includes medical records, patient exams and studies, research papers of doctors, and surgery, organ and donor data. The group also allegedly exfiltrated internal and external audit documents of Indonesian tin manufacturer PT. Pelat Timah Nusantara (Latinusa), Tbk.

Aftermarket Software Firm eViridis, Clients Face Unverified Data Breach Claims


Enterprise Resource Planning (ERP) system vendor eViridis has reportedly suffered a significant data breach, potentially impacting its clients as well. A Threat Actor (TA) has claimed responsibility for the eViridis data breach, stating they have compromised and exfiltrated the company's entire data set, including email logs and client information. eViridis is owned and operated by the US-based investment and advisory services firm Aveniras LLC. The TA is allegedly selling the stolen database on the dark web, with prices starting at US $500.

Details of eViridis Data Breach

eViridis was established in 2010 to develop business-to-business software solutions for the emerging aftermarket electronics industry, including aftermarket resale, part harvesting, and electronics recycling. The company offers consulting services to assist recyclers and corporations. On its website, the company states, “For more than 10 years eViridis has been helping some of the largest Manufacturing, Media, Financial Services and Healthcare companies in the world transform labor intensive, manual ways of working into streamlined digital processes and workflows.” According to the company's profile on the internet, the firm has around 200 employees and revenue of $31.1 million. The eViridis data breach was allegedly carried out by a threat actor operating under the alias “jewwu”. In his post on the dark web marketplace BreachForums, the TA shared that the stolen data impacts not just the company but also its clients. The TA apparently compromised email logs, client data, and other company information. The bad actor also shared a few screenshots to support the assertions of a data breach. These include data like user login IDs and passwords, server login credentials, and documents like asset counts, audit evaluation results and a load acknowledgment report. The screenshots of the alleged data breach also contained data of eViridis clients such as evTerra Recycling, Jabil and Estrella TV. Explaining further details of the data breach, the TA wrote, “The full size of this breach is around 2.1TB. Granted I only have about 61GB of this archived, I still have access to the other 1.61TB of information but I currently do not have the space to download it all, so there is a chance I may lose access once this thread gains traction. 61GB is definitely safe and available though.” The bad actor was willing to negotiate and sell the stolen data for US $500 and up.

Potential Impact of eViridis Data Breach

If the claims are proven, the consequences could be serious: sensitive data, including financial details of the firm and of its clients, could be exposed. The organizations involved should take appropriate measures to protect the privacy and security of the affected stakeholders. Breaches of financial data can lead to identity theft, financial fraud and a loss of trust among clients, which could damage the company’s standing in the industry. At present, the extent of the breach, the data compromised and the motive behind the attack remain undisclosed. Despite the threat actor’s claims, the official websites of the targeted companies remain fully functional, which has raised doubts about the authenticity of the assertion. A working public website, however, says nothing either way about whether data was copied from internal systems, so availability alone neither confirms nor refutes a data theft claim. To ascertain the veracity of the claims, The Cyber Express has reached out to eViridis and its parent company Aveniras LLC. As of writing this report, no response has been received, leaving the data breach claims unverified.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

HealthEquity Blames Business Partner for Third-Party Data Breach in SEC Filing


HealthEquity Inc., the largest health savings account (HSA) administrator in the U.S., has disclosed a cybersecurity incident in a recent filing with the U.S. Securities and Exchange Commission (SEC). In the filing, the company said that although personally identifiable information (PII) was compromised, the incident did not affect its operations or finances.

Details of HealthEquity SEC Filing

According to the health management firm, a business partner’s account was compromised by attackers, who used it to access and exfiltrate PII and protected health information. “Earlier this year, HealthEquity, Inc. became aware, through routine monitoring, of anomalous behavior by a personal use device belonging to a business partner. The Company promptly took steps to isolate and triage the issue and began an investigation into the nature and scope of the issue,” the company said in a Form 8-K filed on July 2, 2024.

[Image: HealthEquity Form 8-K. Source: SEC.gov]

“The investigation concluded that the Partner’s user account had been compromised by an unauthorized third party, who used that account to access information. The accessed information included some personally identifiable information, which in some cases is considered protected health information, pertaining to certain of our members. The investigation further concluded that some information was subsequently transferred off the Partner’s systems,” the report said.

The SEC filing did not give the date of the intrusion or describe the threat actor. HealthEquity may be referring to an incident involving the company that came to light on May 14. In a media release issued by the Kentucky Personnel Cabinet on June 21, Governor Andy Beshear said, “On May 14, the Kentucky Personnel Cabinet was informed of unauthorized updates to members’ HealthEquity accounts. HealthEquity is a third-party vendor that administers Flexible Spending Accounts (FSA) and Health Reimbursement Arrangements (HRA) on behalf of the Kentucky Employees’ Health Plan (KEHP).

“After investigating this incident, HealthEquity determined that this potential fraud event impacted 449 KEHP member accounts. It is presumed that the bad actors who accessed the accounts were aiming to receive money from claim reimbursements.

“Immediately upon becoming aware of this potential fraud event, HealthEquity locked all affected member accounts, removed any unauthorized profile changes and suspended the ability to edit account login information. HealthEquity also implemented additional measures to ensure further security for members. Communications regarding the security incident were distributed to all affected members. HealthEquity is currently investigating whether any claim reimbursements were fraudulently submitted or redirected. HealthEquity has committed to restoring any member accounts to the prior balance if they conclude that any HRA or FSA member funds were impacted,” the Governor’s release said.

Data Breach Caused No Interruption to Company’s Systems: HealthEquity

In the SEC filing, HealthEquity said the incident did not disrupt its own systems. “The investigation did not find placement of malicious code on any company systems. There has been no interruption to the Company’s systems, services, or business operations,” the report said. HealthEquity said it is in the process of notifying its partners and clients, and of identifying and notifying individual members whose information may have been involved. “The Company expects to offer complimentary credit monitoring and identity restoration services. The Company does not currently believe the incident will have a material adverse effect on its business, operations, or financial results. The Company is continuing to evaluate the impact of this incident, including remediation expenses and other potential liabilities. The Company believes it holds adequate cybersecurity insurance for this incident and will also be seeking recourse from the Partner,” HealthEquity concluded in its SEC filing.

Australian Mining Software Firm Opaxe Faces Unconfirmed Data Breach


Opaxe Pty Ltd, an Australian software and information services company serving the mining and minerals industry, has allegedly suffered a cyberattack. A threat actor (TA) operating under the alias “Tanaka” claims to have stolen sensitive data from the firm, including the personally identifiable information (PII) of 16,000 users.

Unconfirmed: Opaxe Data Breach

Opaxe describes itself as an intelligent software platform that restructures and redistributes information and generates business insights to help mining professionals and investors make better decisions. "We collect, collate and republish listed mining company announcements so that you can access them quickly and easily, all in one place. We have more than 40,000 mining company announcements and 3 million data points extracted from these announcements," the company says in its profile.

[Image: Opaxe website. Source: Opaxe website]

According to the company’s website, “Opaxe was founded in May 2019 and is headquartered in West Perth, Australia with an operational office in Dunedin, New Zealand. Our development team is based in Kathmandu, Nepal.”

The threat actor Tanaka posted the claim on the dark web marketplace BreachForums, stating that the database was exfiltrated on June 26, 2024, and is in SQL format.

[Image: Threat actor's BreachForums post. Source: X]

According to the TA, the SQL database contains over 5.5 million rows, including 16,000 user records with the fields ID, first name, last name, email, hashed password, industry, company and job title. The post does not say which hashing algorithm was used, which is what determines how much protection the password hashes actually provide if the dump is genuine.

No Official Confirmation of Data Breach Yet

Despite the threat actor’s claims, the firm’s website is currently functioning normally and shows no outward sign of a security breach; a normally functioning website, however, is not evidence either way about whether a database was copied. The Cyber Express has reached out to Opaxe to verify the alleged cyberattack. As of now, no official statement or response has been received, leaving the claims unverified. The implications of such a breach, if proven, could be serious given the nature of the data Opaxe holds. The organization is responsible for the personal data of its users, and a leak of this size could expose sensitive personal information as well as business secrets. Mining professionals and investors who rely on Opaxe for critical business insights could be at risk of having their confidential information accessed and misused by threat actors. The breach, if confirmed, could pose several risks, including unlawful access to proprietary business insights and personal user information, which could in turn lead to identity theft, data manipulation and a loss of trust among Opaxe’s user base.

Mining Industry Exposed to Higher Cybersecurity Risks: Report

According to AustralianMining.com, which reports on the latest news and trends in the industry, a data breach in the mining sector could be devastating because of the highly sensitive nature of the information involved, such as geological surveys and operational plans. The article suggests that mining organizations should consider establishing “Private AI”, meaning artificial intelligence systems deployed within an organization's own infrastructure rather than relying on external, cloud-based services. This keeps sensitive data such as financial information, merger and acquisition targets, site surveys and employee details on-premises, improving security and compliance with local regulations. While the authenticity of the data breach at Opaxe Pty Ltd remains unconfirmed, the potential consequences are significant. The Cyber Express will continue to monitor this ongoing situation and provide updates as more information becomes available.

MEDUSA Claims Access to Harry Perkins Institute’s Video Feed, Demands $500,000 Ransom


The Harry Perkins Institute of Medical Research, one of Australia’s leading medical research institutes, has reportedly suffered a cyberattack carried out by the notorious MEDUSA ransomware group. The hackers allegedly exfiltrated 4.6 TB of internal building camera recordings of the institute and demanded a ransom of $500,000.

Harry Perkins Institute Ransomware Attack Explained

The Harry Perkins Institute was established in 1998. It operates from two hospital campuses in Perth, one at the QEII Medical Centre in Nedlands and the other at the Fiona Stanley Hospital campus in Murdoch. According to the institute’s website, its aim was “to unify Western Australian scientists in a collaborative research powerhouse. In the years since, we have grown to become one of the nation’s leading medical research centres, where a close-knit team of more than 250 research and trial staff work together to defeat the major diseases that impact our community – diseases like cancer, heart disease, diabetes and rare genetic diseases.”

At the time of the post, the MEDUSA leak site showed a countdown of 9 days, 18 hours, 6 minutes and 35 seconds, ending on July 12, for the institute to comply with its demands. For every day that passes without payment, the ransom increases by USD 10,000. MEDUSA is also offering to sell the data to anyone, or to delete it, for $500,000.

[Image: MEDUSA leak site entry for the Harry Perkins Institute. Source: X]

The Harry Perkins Institute has yet to respond to the ransomware group’s claims. Without an official statement from the institute, it would be premature to conclude that the attack genuinely took place. The Cyber Express has reached out to the institute seeking confirmation of the cyberattack, and this article will be updated once there is an official response. If the attack is confirmed, the implications for the institute could be extensive. Video surveillance systems are no exception to the need for cybersecurity: a compromised surveillance system can give an attacker unauthorized access to sensitive footage and raises serious privacy concerns for the individuals recorded.

MEDUSA Ransomware: Rising Number of Attacks

Last month, the MEDUSA ransomware group escalated its activities. It first targeted AJE Group, a prominent manufacturer, distributor and seller of alcoholic and non-alcoholic beverages in Peru, exfiltrating 646.4 GB of the company’s data. The group then allegedly breached two institutions in the USA: Tri-Cities Preparatory High School, a public charter middle and high school in Prescott, Arizona, and Fitzgerald, DePietro & Wojnas CPAs, P.C., an accounting firm in Utica, New York. MEDUSA first emerged in June 2021 and has since attacked organizations across many countries and industries, including healthcare, education, manufacturing and retail. Despite its global reach, most victims have been based in the United States. MEDUSA operates as a Ransomware-as-a-Service (RaaS) platform, supplying the malware and infrastructure to affiliates, a model that lets less technically skilled criminals launch sophisticated ransomware attacks. MEDUSA’s operators often use a public Telegram channel to post stolen data, using the threat of public exposure to pressure organizations into paying. While the authenticity of the attack on the Harry Perkins Institute remains unconfirmed, the potential consequences are significant. The Cyber Express will continue to monitor this ongoing situation and provide updates as more information becomes available.

Atlantic Marine Fisheries Commission Confirms Data Breach: Nearly 10,000 Affected


The U.S. Atlantic States Marine Fisheries Commission (ASMFC) has acknowledged a data breach and begun notifying the individuals affected by it. The ASMFC discovered the breach on April 6, 2024, stating that “it was the victim of a cybersecurity incident” affecting the organization’s electronic systems. The breach notification was filed with the Office of the Maine Attorney General on June 28 through the commission’s legal counsel. In the notification, the ASMFC said that around 9,895 people, including 3,823 Maine residents, could be affected. The attackers allegedly stole a database containing sensitive personally identifiable information (PII) along with financial records of the commission. The cause of the breach was reported as “external system breach (hacking).”

Understanding ASMFC Data Breach

ASMFC plays a key role in overseeing fisheries along the Atlantic seaboard. Established more than 80 years ago, the commission states on its site that its mission is "to promote the better utilization of the fisheries, marine, shell and anadromous, of the Atlantic seaboard by the development of a joint program for the promotion and protection of such fisheries, and by the prevention of physical waste of the fisheries from any cause."

The 8Base ransomware group claimed the organization as a victim on its leak site on April 15, asserting that it had obtained personal data, invoices, receipts, accounting documents and certificates. The group gave the organization four days to pay, warning that it would release the data if the ransom was not paid by April 19.

[Image: ASMFC notice. Source: Archived copy of the official site (asmfc.org) displaying an earlier notice]

According to the commission, “On April 6, 2024, ASMFC learned it was the victim of a cybersecurity incident that affected our organization’s electronic systems. ASMFC promptly notified law enforcement. With assistance from third-party experts, we took immediate steps to secure our systems, restore operations, and investigate the nature and scope of the Incident. Based on our investigation, the Incident appears to have begun on or about March 14, 2024 and ended on April 6, 2024.”

ASMFC concluded that sensitive PII may have been exposed: “As part of our extensive forensic investigation, we have worked diligently to determine whether any personally identifiable information may have been impacted. We concluded that some or all the following information may have been subject to unauthorized access and acquisition during the Incident: name, mailing address, email address, phone number, Social Security number, bank account and routing number, copies of ID cards (driver's license, Social Security cards, birth certificate and/or passport),” the organization said in its notification.

The breach was discovered during routine security monitoring, but the specific methods used by the attackers remain unclear. In response, ASMFC has taken steps to secure personal information and is offering identity theft protection services to those affected. “As an added precaution, we are also offering you a chance to enroll in complimentary identity theft protection services through IDX, A ZeroFox Company. IDX identity protection services include 24 months of Credit and CyberScan monitoring, a $1,000,000 insurance reimbursement policy, and fully managed ID theft recovery services,” the commission told its stakeholders. “Please note that at this time, we have no evidence that your information has been misused. However, we encourage you to take full advantage of this offered service,” ASMFC said in its letter.

LockBit 3.0 Hits Croatia’s hospital KBC Zagreb, Indonesia’s Tin Manufacturer PT Latinusa


The LockBit 3.0 ransomware group has claimed two new victims in its latest wave of attacks: KBC Zagreb in Croatia and PT Latinusa Tbk in Indonesia. The authenticity of LockBit’s claims against both organizations remains unverified.

Latest Victims of LockBit 3.0 Cyberattack

On July 1, 2024, LockBit claimed to have attacked KBC Zagreb, which describes itself as the largest and most advanced hospital in Croatia. According to its website, the hospital was established in 1942 in the capital, Zagreb, and serves around 10,000 people every day across two main campuses and three other locations in the city.

[Image: LockBit leak site entry for KBC Zagreb. Source: X]

On Monday, LockBit named KBC Zagreb as its latest victim on its dark web leak site. In its post, LockBit said, “KBC Zagreb is a company that operates in the hospital and healthcare industry. It employs 2,001-5,000 people and has $500M- $1B of revenue.”

[Image: LockBit leak site post. Source: X]

The group claimed to have accessed sensitive hospital data including “medical records, patient exams and studies, research papers of doctors, surgery, organ and donor data, organ and tissue banks, employee data, addresses, phone numbers, employee legal documents, data on donations and relationships with private companies, donation book; medication reserve data; personal data breach reports and much more.” To substantiate the claim, the group uploaded 12 documents that allegedly contain sensitive information taken from the hospital. LockBit set the ransom deadline as July 18.

The ransomware claim comes barely a week after the hospital was hit by a cyberattack attributed to the pro-Russian hacktivist group NoName057(16). That attack, on the night of June 24 to 25, forced the hospital to shut down its entire IT infrastructure and caused a temporary rollback to manual processes. According to news reports, Milivoj Novak, assistant director of health care, quality and supervision at KBC Zagreb, said the shutdown took the hospital back 50 years, to paper and pencil. The hospital also confirmed significant delays and said that some patients were redirected to other hospitals.

The other victim claimed by LockBit 3.0 is PT Pelat Timah Nusantara (Latinusa) Tbk, which was founded in 1982 and is Indonesia’s first and only tinplate producer.

[Image: LockBit leak site post for PT Latinusa. Source: X]

The attackers allegedly exfiltrated the company’s internal and external audit documents along with claims, budgets, analyses and confidential financial information. LockBit’s ransom deadline for Latinusa is July 3.

Despite the assertions of successful infiltration and data theft, the official websites of both organizations appear to be fully operational, which raises doubts about the veracity of LockBit’s claims. A functioning public website is not strong evidence either way, though: ransomware data theft typically involves internal systems rather than the public web server. The Cyber Express reached out to KBC Zagreb and PT Pelat Timah Nusantara officials for clarification. As of the time of this report, there has been no official response or public statement from either organization, leaving the LockBit 3.0 claims unverified.

LockBit 3.0 Continues Cyberattacks Despite Developer's Arrest

Recently, the Ukrainian National Police arrested a 28-year-old cryptor developer who they said worked with the LockBit and Conti ransomware groups. Despite the arrest, LockBit has repeatedly regrouped and resumed operations, and continues to post high-profile claims such as Monday’s.

VIT Bhopal Hacker Lied? Indian University Says Attacker Did So to Gain Attention


Did a threat actor lie about a data breach supposedly exposing sensitive data on 8,000 students and faculty of a university in India? VIT Bhopal, the university in question, says so and has shared evidence with The Cyber Express rebutting the hacker’s claims. The university also believes the failed attempt was made only to "garner attention and notoriety."

What Was VIT Bhopal Data Breach Claim?

VIT Bhopal was established in 2017 and is a deemed university located on the outskirts of Bhopal, the capital of the state of Madhya Pradesh. It is recognized by the University Grants Commission (UGC), the statutory body of the Government of India responsible for standards of teaching, examination and research in university education. VIT Bhopal ranks among the top universities in India; in the National Institutional Ranking Framework (NIRF) it stands in 65th position among Indian universities. On June 10, 2024, a threat actor operating under the name “lucifer001” claimed on the data breach forum BreachForums to have carried out a cyberattack on the university’s website.

[Image: Threat actor's BreachForums post. Source: X]

The threat actor shared screenshots and claimed to possess the following information:
  • ID: Unique Identification number assigned to each student and faculty member of the university.
  • Username: Login credentials of all the stakeholders used to access university portals, maintain and share records, post newsletters, and research materials confined to the institution.
  • Full name: First and last name of the students and faculty of VIT Bhopal.
  • Email: Email addresses of stakeholders, which is the official mode of communication for announcements, course materials and student-faculty interactions.
  • Password: To access personal accounts and university resources.
  • User Activation Key: A unique code allegedly required for initial account activation or password resets.

VIT Bhopal Refutes Data Breach Claim

The university responded to the data breach claims, saying the attacker was trying to "gain attention and notoriety through dubious and illegal methods.” Offering a point-by-point rebuttal, Dr G Vishnuvarthanan, Assistant Director, Centre for Technical Support, VIT Bhopal University, said, “I would like to provide some invaluable findings and suggestions from our end, which need to be treated as a rebuttal." After an internal investigation, the university found that the hacker had only “leaked insignificant” information from an unprotected dummy Application Programming Interface (API). “It is crucial to clarify that the alleged breach involved a dummy API endpoint, intentionally open for various third-party integrations with the university's website. This endpoint contains only dummy data, designed explicitly for testing and integration purposes, and does not include any real or sensitive information,” Vishnuvarthanan explained. He added that the investigation found the hacker had accessed only eight rows of dummy data, none of it significant. “VIT Bhopal University takes data security very seriously. Upon learning of the alleged breach, the university immediately conducted a thorough review and investigation. Despite our confidence in our security measures, we verified that only 8 rows of dummy data from the dummy API were accessed. This data has no significance and was part of the publicly available integration tools,” he said. Whether or not the rows were dummy data, an endpoint deliberately left open to the internet is part of the attack surface, and from the outside neither an attacker nor a journalist can tell test data from production data, which is why such endpoints are worth inventorying and labelling. The university stated that it follows industry-standard data security practices and tools to protect student and faculty data, and he affirmed the university's commitment to data security based on four core practices:
  1. Regular Security Audits: Conducting periodic security audits to identify and address potential vulnerabilities.
  2. Advanced Encryption: Utilizing advanced encryption techniques to protect data at rest and in transit.
  3. Access Controls: Implementing strict access controls to ensure that only authorized personnel can access sensitive information.
  4. Incident Response Plan: Maintaining a comprehensive incident response plan to swiftly address any security incidents.

Cyber Attack Threat: A Challenge to Digital Assets

While the VIT Bhopal data breach claim turned out to be a hoax, cyber threats around the globe remain a matter of concern and continue to evolve in sophistication and scale. Not just organizations but consumers too face an ever-growing challenge in safeguarding their digital assets. To help meet this challenge, Cyble, a leading force in AI-based cybersecurity, recently unveiled AmIBreached 3.0, its dark web engine.

What is AmIBreached?

AmIBreached 3.0, developed by Cyble offers advanced tools to identify, prioritize, and mitigate dark web risks. This comprehensive platform accesses over 150 billion records from breaches, hacking forums, and discussions, providing organizations with critical insights into hidden threats. With real-time monitoring and actionable intelligence, AmIBreached 3.0 helps organizations and individuals proactively address and manage emerging cyber threats efficiently.

Telangana Police Restore Access to Website a Month After The Cyber Express Exposed Data Breach


Nearly a month after The Cyber Express exposed a data breach in the digital assets of India’s Telangana State Police, the police have restored public services on their official website. The Telangana Police data breach came to light in June, when the Hawk Eye app, a popular citizen crime reporting app, and the TSCOP app, an internal crime detection app used by the state police, were reportedly compromised. In the wake of the twin breaches, the Telangana Police shut down public access to the department website, citing maintenance. The police also arrested a 20-year-old hacker held responsible for the breaches, and in their report acknowledged that The Cyber Express’s coverage gave them crucial leads that led to the arrest.

Telangana Police Website Access Restored

The Telangana State Police website offers a variety of services to citizens, such as checking the status of complaints and traffic tickets, making payments online, obtaining a police verification certificate for a job or passport application, reporting stolen or lost mobile phones, reporting cybercrimes, and finding contact information for emergency services in the state. All of these services were suspended for almost the entire month of June because of the data breach. On June 30, 2024, the Telangana Police posted on X that services had been restored.

[Image: Telangana Police post on X. Source: X]

“Access the Telangana Police services online! Visit http://tspolice.gov.in to report complaints, grievances, or concerns,” the police wrote. The post added that citizens could now download FIRs directly from the website. An FIR, or First Information Report, is the written document prepared by police in India to record a cognizable offence.

Improved Security Checks on Telangana Police Website

When the Hawk Eye app was breached on May 31, the hacker threatened to leak sensitive data on over 200,000 citizens, including personally identifiable information (PII) such as names, email addresses, phone numbers, physical addresses, IMEI numbers and location coordinates. Days later, the same hacker breached the TSCOP app, which held sensitive data on police officers, criminals and gun license holders in Telangana. Cybersecurity experts also warned the police of multiple vulnerabilities that could be exploited.

[Image: Researcher's post on the Telangana Police apps. Source: X]

“It is easy to hack into their system as they used basic authentication and encoding,” said Srinivas Kodali, a well-known Indian data security researcher. He criticized the state police for not hiring proper developers and for putting the privacy of several thousand users at risk.

Following the data breaches, the Telangana Police shut off public access to the website and initiated a Vulnerability Assessment and Penetration Testing (VAPT) exercise "across all police internal and external networks, web and mobile applications, as well as cloud and endpoints." The police said the checks were being carried out to identify and address any weaknesses and to prevent future breaches.

As an added layer of security, the website now sends a One-Time Password (OTP) to the user’s registered mobile number after the login credentials have been entered.

Despite the police officially declaring that website services had been restored, many users reported that the services remained inaccessible; most complaints concerned 404 error pages.

[Image: User complaints on X. Source: X]

Sources told The Cyber Express, however, that the other digital assets of the Telangana Police were still undergoing maintenance and that access would be restored in phases once mandatory security checks were completed.

CDK Global Cyberattack Cripples US Auto Sales: Back to Normalcy Weeks Away


It’s been almost two weeks since the CDK Global cyberattack paralyzed the US automotive industry, and many car sales outlets are still limping back to normalcy. The CDK Global cyberattack has reportedly run up millions of dollars in losses for dealerships. According to a report by CNN, the cyberattack has made it difficult for dealers to track customer interactions, orders and sales.

Background of CDK Global Cyberattack

On June 19, 2024, CDK Global, a provider of software solutions to around 15,000 auto dealerships across the United States, experienced a cyberattack. On June 21, the company disclosed that it had experienced twin cyberattacks in the same week. The cyberattacks had a profound impact on major clients of CDK Global, including General Motors dealerships, Group 1 Automotive, Asbury Automotive Group, AutoNation, Lithia Motors, Penske, Sonic Automotive and Holman, which operates dealerships across the U.S. These dealerships rely heavily on CDK’s software to manage their daily operations, from sales transactions to inventory management. CNN reported that due to the outage, some dealers started fulfilling orders with pen and paper. Other services, such as state inspections, repairs and parts deliveries, came to a standstill in some parts of the country. After the initial attack, CDK Global shut down most of its systems to investigate the incident and restore systems. “We are actively investigating a cyber incident,” the company had said. “Out of an abundance of caution and concern for our customers, we have shut down most of our systems and are working diligently to get everything up and running as quickly as possible.”

How Victim Firms Responded to Cyberattacks

In response to the cyberattacks, Asbury, AutoNation, Lithia Motors, Sonic Automotive, and Group 1 Automotive activated their incident response plans and disconnected from CDK systems as a precaution. Sonic Automotive mentioned that as of June 24, the extent to which the attackers accessed customer data remains unknown. Lithia Motors highlighted the ongoing negative impact on its operations, indicating uncertainty over whether the incident will materially affect its financial condition. Penske Automotive reported that the ransomware attack primarily affected its Premier Truck Group, which sells heavy- and medium-duty trucks across 48 locations in the U.S. and Canada. The company has implemented business continuity plans and continues operations using manual and alternate processes designed for such incidents. Penske noted that the truck dealership business that serves business customers has lower unit volumes compared to automotive dealerships. Asbury said business operations are functioning but “slower than normal.” It added that the dealerships at Koons Automotive locations in Maryland and Virginia do not use CDK’s Dealer Management System or CDK’s Customer Relationship Management system and therefore continue to operate with minimal interruption, as does Clicklane, their online vehicle purchasing platform. Asbury operates 157 new vehicle dealerships, which includes 206 franchises representing 31 domestic and foreign vehicle brands.

Cyberattack Could Almost Cost a Billion in Losses: Report

An estimate prepared by the Anderson Economic Group projected that the cyberattacks on CDK could result in approximately $944 million in direct losses due to business interruptions for affected car dealers if the outage lasts a full three weeks. In an automated voice message to its clients on Friday, CDK said it was making progress in bringing some dealerships back online but did not expect the issue to be entirely resolved until July. “We do feel it’s important to share that we do not believe that we will be able to get all dealers live prior to June 30,” the message said. The CNN report, quoting a CDK spokesperson, said, “We have successfully brought two small groups of dealers and one large publicly traded dealer group live on the Dealer Management System (DMS). We are also actively working to bring live additional applications — including our Customer Relationship Management (CRM) and Service solutions — and our Customer Care channels. “We understand and share the urgency for our customers to get back to business as usual, and we will continue providing updates as more information is available,” the CDK spokesperson added.

Italy Cyberattacks: Three Companies Targeted in 24 Hours by RansomHub, RansomHouse


Hackers have claimed three prominent cyberattacks in Italy in the last 24 hours. The Italy ransomware attacks were allegedly carried out by the RansomHub and RansomHouse groups. RansomHub targeted the websites of the Cloud Europe and Mangimi Fusco firms, while RansomHouse took credit for orchestrating a cyberattack on Francesco Parisi.

Details of Italy ransomware attacks

Cloud Europe is a Tier IV certified carrier-neutral data center located in Rome’s Tecnopolo Tiburtino. According to details on the company website, it specializes in the design and management of data centers, with particular attention to security and service continuity. The company builds, hosts and manages modular infrastructure for customer data centers in the private and public sectors. The threat actor RansomHub claimed to have encrypted the servers of Cloud Europe, exfiltrating more than 70 TB of its data. “In addition, we have stolen over 541.41 GB of your sensitive data, obtained access to another company from your sensitive transformations,” RansomHub stated on its site. The other company targeted by RansomHub is Mangimi Fusco, an animal feed manufacturer that also supplies farm products and raw materials to wholesale merchants. According to the ransomware group, it has stolen 490 GB of “Private and confidential data, client documents, budget, payroll, accounting, contracts, taxes, IDs, finance information, etc…we give you three days to come for negotiations.” Meanwhile, RansomHouse has allegedly breached the website of Francesco Parisi, a group of freight forwarding and shipping agents. It was established by Francesco Parisi in Trieste and has been operating in Central Europe since 1807. The group has around 100 employees and a revenue of $13.7 million. The ransomware group claims that it stole 150 GB of the company’s data on May 29.
Despite these claims, a closer inspection reveals that the websites of Cloud Europe and Mangimi Fusco seem to be functioning normally, showing no signs of the ransomware attack alleged by the threat actor. However, Francesco Parisi has put up a notice on its home page which reads, “Important notice: Hacker Attack. We are aware that our infrastructure was subjected to a hacker attack. We want to reassure our users, customers and suppliers that we have immediately taken the necessary measures to restore operations and protect their data. Safety is a top priority. We are working hard to investigate the incident and implement additional security measures to prevent future attacks. We apologize for any inconvenience this event may have caused. We will keep you informed of developments in the situation and will let you know as soon as we have further information. In the meantime, if you have any questions or concerns, please feel free to contact us. Thank you for understanding.” Meanwhile, The Cyber Express has reached out to both Cloud Europe and Mangimi Fusco regarding the purported cyberattack orchestrated by the RansomHub group. However, at the time of publication, no official statements or responses have been received, leaving the claims of the ransomware cyberattack on these entities unverified.

Inglorious Past of RansomHub, RansomHouse

The origins of RansomHub trace back to February 2024, when it emerged as a Ransomware-as-a-Service (RaaS) operation on cybercrime forums. The group employs sophisticated encryption techniques and targets organizations predominantly in the IT & ITES sector. RansomHub has hackers from various global locations united by a common goal of financial gain. The gang openly states that it prohibits attacks on non-profit organizations. RansomHouse emerged in March 2022 and is labelled a multi-pronged extortion threat. In the words of RansomHouse representatives, the group claims not to encrypt data and to be ‘extortion only,’ describing itself as a ‘force for good’ that intends to ‘shine a light’ on companies with poor security practices. The group has been observed accepting only Bitcoin payments. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Indonesia’s Civil Aviation Data Breached? Hacker Claims Access to Employees, Flight Data


Indonesia’s civil aviation authority has allegedly suffered a massive security breach in which a threat actor claims to have accessed critical data related to the handling of air traffic in the country. The Indonesian civil aviation data breach was allegedly orchestrated by a threat actor operating under the alias “Hacker Mail”. The threat actor has allegedly exfiltrated more than 3 GB of database contents, which include all employees and passwords for all applications, website user data, ID card photo data for all employees, drone pilot certificate participants, flight data related to aircraft, pilots’ personal data, and all other activities in Indonesian airports.

Decoding Indonesian Civil Aviation Data Breach

The threat actor’s post on the hacking site BreachForums stated that the exfiltration of data occurred on June 27, 2024. In his post, the hacker stated, “The Directorate General of Civil Aviation (DGCA) is an element that implements some of the duties and functions of the Indonesian Ministry of Transportation, which is under and responsible to the Minister of Transportation. The Directorate General of Civil Aviation is led by the Director General. The Directorate General of Civil Aviation has the task of formulating and implementing policies and technical standardization in the field of air transportation. The Directorate General of Civil Aviation handles the administration and management of civil aviation within the Unitary State of the Republic of Indonesia.” To substantiate the data breach claim, the threat actor attached the following sample records.
  • User log for small unmanned aircraft certificates, remote pilot certificates and unmanned aircraft operation approvals.
In this sample of the data leak, the cyberattacker claims to expose sensitive personal information of pilots, the IP address used to log in, and the date and time of login. The data covers users who logged in to one of the DGCA’s applications on 08/15/2022 and 08/16/2022.
  • Sample chats which probably refer to communication of DGCA employees with pilots on 04/13/2022
  • ID card photo data for all employees
  • Username and password of employees who logged on to a DGCA application
Despite these high-profile declarations, a closer inspection reveals that Indonesia’s DGCA website is currently functioning normally, showing no signs of a security breach. The Cyber Express has reached out to DGCA officials to verify the alleged cyberattack. The authorities are yet to release an official statement or response regarding the reported data breach, leaving the claims unverified as of now. This article will be updated if any information is provided by the officials.

Indonesia Battles Three Major Cyberattack Claims in One Week

Hackers have allegedly carried out three major cyberattacks on key Indonesian establishments in recent days. Last week, a ransomware attack on Indonesia’s national data center disrupted official government services, including immigration services at airports. The attack has reportedly affected more than 200 government agencies at national and regional levels. The attack was carried out with LockBit 3.0 ransomware, a variant known for encrypting victims’ data and demanding payment for its release. The attackers had offered a decryption key in exchange for an $8 million ransom. AFP reported that the Indonesian government refused to pay the ransom but admitted that the cyberattack would have been rendered useless had there been a backup of the main server. Earlier this week, a hacker “MoonzHaxor” claimed to have breached the Indonesian Military's (TNI) Strategic Intelligence Agency (Bais) and offered to sell this data for $1,000 USD. The same hacker had announced breaching Indonesia's Automatic Finger Identification System (Inafis), owned by the National Police (Polri). The data reportedly includes fingerprint images, email addresses, and Spring Boot application configurations.

Data of 93,000 Volunteers of India’s NDMA Allegedly Put Up for Sale


A threat actor claims to have carried out a cyberattack on India’s National Disaster Management Authority (NDMA). The NDMA is the top statutory body for disaster management in India, with the Prime Minister as its chairperson. The threat actor, operating under the alias “infamous,” has allegedly gained access to personal data of 93,000 volunteers, including their names, age, mobile numbers and other critical records. The hacker is currently selling the data on the dark web for $1,000.

Exploring Data Leak Claims of NDMA Volunteers

The NDMA was created in 2006. Its primary responsibility is to coordinate the response to natural or man-made disasters and to build capacity in disaster resiliency and crisis response. It is also the apex body for setting policies, plans and guidelines for disaster management to ensure a timely and effective response to disasters. The allegation that NDMA data had been hacked emerged on June 25 on the data leak site BreachForums. The threat actor “infamous” claimed to be in possession of a stolen database consisting of the Personally Identifiable Information (PII) of NDMA volunteers, including personal details such as name, title, gender, blood group, date of birth, email, mobile number, ID number, marital status, family contact number, education qualifications, skills, cadre, address, postal code, and current state of residence. To substantiate the data breach claim, the threat actor attached sample records with a latest timestamp of June 2024, while disclosing that the database includes records of 93,000 volunteers. The cyberattacker is asking $1,000 for the entire data set on BreachForums. Despite these claims by the threat actor, a closer inspection reveals that NDMA’s website is currently functioning normally, showing no signs of a security breach. The threat actor has also not provided clarity on the time period during which the volunteers served. The Cyber Express has reached out to NDMA to verify the alleged cyberattack. As of now, no official statements or responses have been received, leaving the claims unverified.

NDMA Volunteers Must Stay Vigilant

While authorities investigate the data breach claim, NDMA volunteers must be vigilant and take steps to prevent any malicious activity. Cybercriminals usually employ a range of tactics to misuse personal information, perpetrating identity theft and financial fraud. Some prominent techniques include phishing, where hackers trick individuals into revealing their PII by mimicking legitimate entities through fraudulent emails or phone calls. Individuals are also susceptible to fraud in which fraudsters use psychological tactics to persuade them to divulge sensitive information, such as passwords or credit card details. Since the email addresses have also allegedly been leaked, individuals must be wary of suspicious messages requesting sensitive information, as well as any unusual activity involving new or existing accounts.

Hackers Target 373 Indian Govt Websites in Five Years: Report

According to data published by the Indian Government, hackers have repeatedly targeted key websites run by the administration. An article in The Hindustan Times, quoting data from the Ministry of Electronics and Information Technology, said that, “As per the information reported to and tracked by CERT-In (Indian Computer Emergency Response Team), a total number of 110, 54, 59, 42, 50 and 58 website hacking incidents of Central Ministries/Departments and State Government organizations were observed during the years 2018, 2019, 2020, 2021, 2022 and 2023 (up to September).” The report added that some government offices were still using outdated Windows versions on their official computers and laptops, making them vulnerable to cyber threats.

AzzaSec, NoName Cyberattackers Join Hands to Potentially Target Pro-Ukraine Allies


Amidst the ongoing Russo-Ukrainian war, hackers from Italy have decided to join forces with an infamous cyberattacker group in Russia. AzzaSec is an Italian hacktivist group that has been involved in anti-Israel campaigns and has now teamed up with the infamous pro-Russian hacktivists NoName057(16). AzzaSec has a large network of partner groups, whereas NoName057(16) is selective in its allies. The alliance between these two nefarious groups signals a potential increase in the scale and sophistication of cyberattacks on Ukraine and its allies.

Understanding the AzzaSec Ransomware

On June 26, 2024, NoName formally announced the alliance on its social media channels. “Today we have formed an alliance with the Italian hacker group AzzaSec, which is one of the TOP 3 coolest hack teams in Italy! We are always open to cooperation with various trance around the world!” the post read. AzzaSec is an infamous actor that infects computers and encrypts files, later demanding a ransom for their decryption. Once a computer is infected, AzzaSec appends the '.AzzaSec' extension to filenames: it alters files such as '1.png' to '1.png.AzzaSec' and '2.pdf' to '2.pdf.AzzaSec'. Additionally, it changes the desktop wallpaper and displays a ransom note in a pop-up window. The group demands ransom in Bitcoin. AzzaSec’s sophisticated encryption techniques and the secrecy of cryptocurrency transactions make it increasingly difficult for authorities to crack down on and defuse the cybercriminals. AzzaSec recently announced the release of a Windows ransomware builder. The group claimed that its ransomware could bypass major antivirus solutions such as Windows 10 / 11 Defender, Avast, Kaspersky, and AVG. AzzaSec’s emergence onto the ransomware scene is a reminder for organizations and individuals alike to upgrade their cybersecurity measures and remain vigilant against online threats.

Inglorious Past of NoName

NoName057(16), on the other hand, first emerged in March 2022 and is known for its cyberattacks on Ukrainian, American, and European government agencies, media, and private companies. The group is considered one of the biggest unorganised and free pro-Russian activist groups. Renowned for its widespread cyber operations, NoName057(16) has garnered notoriety for developing and distributing custom malware, notably a DDoS attack tool that succeeded the Bobik DDoS botnet. According to a report by Google-owned Mandiant, NoName057(16), along with other Russian state hackers, poses the biggest cyber threat to elections in regions of Russian interest. “Mandiant is tracking multiple self-proclaimed hacktivist groups primarily conducting DDoS attacks and leaking compromised data in support of Russian interests. These groups claim to have targeted organizations spanning the government, financial services, telecommunications, transportation, and energy sectors in Europe, North America, and Asia; however, target selection and messaging suggests that the activity is primarily focused on the conflict in Ukraine. Relevant groups include KillNet, Anonymous Sudan, NoName057(16), JokerDNR/DPR, Beregini, FRwL_Team (aka "From Russia with Love"), and Moldova Leaks,” Google stated in its threat intelligence report in April. The alliance between AzzaSec and NoName057(16) raises serious concerns about the evolving cyber threat landscape. With a combined skillset for ransomware deployment and large-scale attacks, these groups pose a significant risk to organizations and governments aligned with Ukraine. As the Russo-Ukrainian war rages on, the digital front is likely to see further escalation in cyberattacks.
It is crucial for targeted nations and organizations to bolster their cybersecurity defenses, implement robust incident response plans, and collaborate on international efforts to counter these cyber threats.

Credit Suisse Data Breach Allegedly Exposes Info of 19,000 Indian Employees


Credit Suisse, a global investment bank and financial services firm, has reportedly fallen victim to a cyberattack. The Credit Suisse data breach was allegedly masterminded by a threat actor (TA) operating under the alias “888” on the data hack site BreachForums. The TA claims to have accessed highly sensitive data of the bank and posted it on the dark web marketplace. According to the threat actor, the data breach contains personal information of about 19,000 of the bank’s Indian employees.

Credit Suisse Data Breach Details

Credit Suisse was founded in 1856 and has approximately $15.21 billion in revenue. It is one of the leading institutions in private banking and asset management, with strong expertise in investment banking. On June 25, 2024, the threat actor claimed to have carried out a cyberattack on the bank and exfiltrated details on 19,000 of its users. The breached data purportedly includes names of employees, 6,623 unique email addresses, their codes, dates of birth, gender, policy name, relationships, dates of joining, effective dates, statuses, and entities. To substantiate the claim, the threat actor 888 provided a sample of the data breach, which contains details of Credit Suisse employees in India. The TA, however, did not provide a specific price for the sale of the data and has asked potential buyers to quote a figure. The hacker commented that they are only accepting cryptocurrency as the mode of payment. More specifically, the hacker was open to payment in Monero (XMR), a digital currency renowned for its privacy and anonymity attributes. This method of payment is often utilized in illegal transactions to evade detection. Despite these claims by the threat actor, a closer inspection reveals that the bank’s website is currently functioning normally, showing no signs of a security breach. The Cyber Express has reached out to the bank to verify the alleged cyberattack. As of now, no official statements or responses have been received, leaving the claims unverified.

Not the First Credit Suisse Data Breach

This is not the first time that Credit Suisse has been involved in a security breach. According to a report published in The Economic Times, in 2023, the bank warned its staff that a former employee stole personal data of its employees, including salaries and bonuses. The information included salary and "variable compensation" for a period between 2013 and 2015. Another Bloomberg report said that a data breach in 2023 impacted numerous former Credit Suisse clients who collectively held a staggering $100 billion in accounts.

Credit Suisse Hacker Targeted Big Multinationals Recently

There are many concerns over the potential misuse of sensitive information found in the data breach, which includes customer names, dates of birth, and relationships. Credit Suisse should investigate the data breach claims considering the history of the threat actor. Earlier this month, the TA 888 claimed to have stolen data of over 32,000 current and former employees of Accenture. The company, however, denied the claims and said that the data set published by the hacker contained only three employee names and email addresses. The hacker also claimed responsibility for leaking details of 8,174 employees of Heineken across several countries. Prior to this, 888 also staked a claim for an attack on oil and gas multinational Shell. The TA posted sample information sharing personal details of Australian customers.

BianLian Ransomware Targets Better Business Bureau, US Dermatology Partners


Notorious ransomware group BianLian has claimed two new organizations as its latest cyberattack victims. The BianLian ransomware attack was allegedly carried out on two US-based firms, namely Better Business Bureau Inc and U.S. Dermatology Partners. The infamous actor claims to have accessed sensitive data including financial records, contracts, and employee profiles from both of its victims.

BianLian Ransomware Attack: Critical Details

The first organization targeted by the hackers was the Better Business Bureau (BBB), a private, nonprofit organization founded in 1912 in Arlington, Virginia. The firm maintains a massive database of accredited and non-accredited businesses, providing ratings based on several factors. The Better Business Bureau has a revenue of $430.6 million. The threat actor claims to have accessed 1.2 TB of organization data, including accounting, budget, and financial data; contract data and NDAs; files from the CFO's computer; operational and business files; and email and PST archives. The group has also disclosed sensitive information such as the names, personal email addresses, and phone numbers of BBB’s CEO, vice president, chief accreditation officer, and chief activation officer. The other organization that has allegedly fallen victim to the ransomware group is US Dermatology Partners. The organization, with a revenue of $213.7 million, is one of the premier dermatology practices in the USA, caring for over two million patients annually. The hackers claimed to have accessed 300 GB of organization data, including personal data, accounting and budget information, financial data, contract data and NDAs, and employee profiles.

Potential Impact of BianLian Ransomware Attack

If proven, the consequences of this ransomware attack could be critical, as the accounting and financial details of both firms could be leaked. The organizations should take appropriate measures to protect the privacy and security of the stakeholders involved. Financial data breaches can lead to identity theft, financial fraud, and a loss of trust among clients, potentially jeopardizing a company’s standing in the industry. Currently, details regarding the extent of the BianLian ransomware attack, the data compromised, and the motive behind the cyber assault remain undisclosed. Despite the claims made by BianLian, the official websites of the targeted companies remain fully functional. This discrepancy has raised doubts about the authenticity of the BianLian group’s assertion. To ascertain the veracity of the claims, The Cyber Express has reached out to the officials of the affected organizations. As of the writing of this news report, no response has been received, leaving the ransomware attack claim unverified.

History of BianLian Ransomware Group Attacks

BianLian, a ransomware group, has been targeting critical infrastructure sectors in the U.S. and Australia since June 2022. The group exploits RDP credentials, uses open-source tools for discovery, and exfiltrates data via FTP or Rclone before extorting victims. The FBI, CISA, and ACSC advise implementing mitigation strategies to prevent ransomware attacks. Initially employing a double-extortion model, the group shifted to exfiltration-based extortion by 2023. According to a report by BlackBerry, BianLian ransomware showcases exceptional encryption speed and is coded in the Go programming language (Golang). This sophisticated approach has enabled the group to strike multiple organizations, leaving a trail of unverified claims in its wake. Earlier in 2024, the group targeted companies such as North Star Tax and Accounting, KC Pharmaceuticals, and Martinaire. In its attack on MOOver, the group claimed to have accessed a staggering 1.1 terabytes of the firm’s data. Subsequently, Northeast Spine and Sports Medicine also found themselves on the list of victims. All these claims, like the recent attack, remain unverified.

BSNL Data Breached Yet Again? Millions of Users Face Risk of SIM Card Cloning, Financial Fraud

BSNL Data Breach

India’s largest government-owned telecommunications service provider, Bharat Sanchar Nigam Ltd (BSNL), has allegedly suffered a massive data breach, the second such instance in less than six months. The BSNL data breach reportedly involves critical data including International Mobile Subscriber Identity (IMSI) numbers, SIM card information, Home Location Register (HLR) specifics, DP Card Data, and even snapshots of BSNL's SOLARIS servers, which can be misused for SIM cloning.

Exploring Claims of BSNL Data Breach

The BSNL data leak was first disclosed by an Indian firm, Athenian Tech, in its threat intelligence report. According to the report, a threat actor operating under the alias “kiberphant0m” leaked a significant amount of sensitive data affecting millions of users. The threat actor posted this information on the data hack site BreachForums and shared samples of the breach to legitimize the claim. Overall, around 278GB of sensitive information could be compromised.

The hacker also posted call log samples which leaked sensitive information like users' mobile numbers, the date and duration of calls, and the amount charged for the call in Indian Rupees. The call log samples were leaked in two sets: one for the month of May 2024 and another from 2020. This indicates that the data breach was a recent attack, raising questions over the security checks in place at BSNL.

The threat actor was selling the alleged stolen data for $5,000. The steep price tag could indicate the significant value of the sensitive stolen data. The Cyber Express has yet to verify the authenticity of the recent BSNL data breach and has contacted the organization for an official response. This article will be updated based on their response.

Potential Implications of BSNL Data Breach

  1. SIM Cloning and Identity Theft: Cloning a SIM involves creating a duplicate card that has the same IMSI and authentication keys, thus making it easy for the attackers to intercept messages/ calls, gain access to people’s bank accounts, and embezzle their finances.
  2. Privacy Violations: With a cloned identity, an attacker can gain unauthorized access to individuals’ communications and personal data.
  3. Financial and Identity Theft: Illegal operations can defeat the protective procedures around victims’ financial accounts, leading to substantial monetary losses and cases of identity theft.
  4. Targeted Attacks and Scams: The user could be exposed to major security risks and could be vulnerable to phishing schemes and other social engineering attacks, exploiting their trust in BSNL.
The threat is not limited to consumers; it also extends to BSNL’s operations and security. Illegal access to servers can result in service disruptions, slow performance, and unauthorized access to telecom operations. Leaking such information poses a severe threat to critical infrastructure and paves the way for future attacks on the complex, interconnected systems that depend on it. BSNL users should remain vigilant, monitor any unusual activity on their phones and bank accounts, and enable two-factor authentication (2FA) for added security on all accounts. BSNL, too, should take immediate action if the breach is confirmed, secure network endpoints, and audit access logs. It should enhance security measures, conduct frequent security audits, and adopt advanced threat detection technologies.
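The SIM-cloning risk described above has a well-known operator-side signature: a cloned SIM carries the same IMSI as the genuine card, so when both are in use the network sees one IMSI attach in two places within a window too short for physical travel. The following is an added illustration, not code from The Cyber Express article or from BSNL, of the velocity check an operator can run over its own HLR/VLR location-update logs. The log format, IMSIs, cell ids and coordinates are all constructed for the example, and 900 km/h is an assumed plausibility ceiling.

```python
# Added example (not from the article): a minimal velocity check over constructed
# location-update records to flag IMSIs that appear to move faster than is
# physically plausible, one indicator of a cloned SIM being active alongside
# the genuine one. Everything below (log format, IMSIs, cells, coordinates)
# is constructed for illustration.
import math
from datetime import datetime

# Constructed records: ISO timestamp, IMSI, serving cell id, latitude, longitude
CONSTRUCTED_LOG = """\
2024-05-02T09:00:00 404001234567890 CELL-DEL-01 28.6139 77.2090
2024-05-02T09:05:00 404001234567890 CELL-DEL-02 28.6200 77.2100
2024-05-02T09:20:00 404001234567890 CELL-MUM-07 19.0760 72.8777
2024-05-02T09:00:00 404009876543210 CELL-CHN-03 13.0827 80.2707
2024-05-02T15:00:00 404009876543210 CELL-BLR-11 12.9716 77.5946
"""

# Assumed ceiling: anything faster than an airliner between two attaches is suspect.
MAX_PLAUSIBLE_KMH = 900.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS84 points."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def parse_log(text):
    """Parse whitespace-separated records into (timestamp, imsi, cell, lat, lon) tuples,
    sorted by time so consecutive attaches of one IMSI are compared in order."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, imsi, cell, lat, lon = line.split()
        records.append((datetime.fromisoformat(ts), imsi, cell, float(lat), float(lon)))
    return sorted(records)


def find_velocity_anomalies(records, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (imsi, previous_cell, current_cell, implied_kmh) for each pair of
    consecutive attaches by the same IMSI that would require implausible travel.
    Two attaches at the same instant from different places are reported as inf."""
    last_seen = {}
    anomalies = []
    for ts, imsi, cell, lat, lon in records:
        if imsi in last_seen:
            prev_ts, prev_cell, prev_lat, prev_lon = last_seen[imsi]
            dist_km = haversine_km(prev_lat, prev_lon, lat, lon)
            hours = (ts - prev_ts).total_seconds() / 3600.0
            if hours <= 0:
                if dist_km > 0:
                    anomalies.append((imsi, prev_cell, cell, float("inf")))
            elif dist_km / hours > max_kmh:
                anomalies.append((imsi, prev_cell, cell, round(dist_km / hours, 1)))
        last_seen[imsi] = (ts, cell, lat, lon)
    return anomalies


if __name__ == "__main__":
    for imsi, prev_cell, cell, kmh in find_velocity_anomalies(parse_log(CONSTRUCTED_LOG)):
        print(f"possible SIM clone: IMSI {imsi} moved {prev_cell} -> {cell} at {kmh} km/h")
```

In the constructed log the first IMSI attaches in two Delhi cells five minutes apart (a few km/h, normal) and then in Mumbai fifteen minutes later (thousands of km/h, flagged), while the second IMSI travels Chennai to Bangalore over six hours and is left alone. A real deployment would add the operator's own cell-to-coordinate mapping and tune the threshold to its network, but the shape of the check is the same.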

Second BSNL Data Breach in Less Than Six Months

If the data theft claims are proven, it would be the second instance of a cyberattack on BSNL in less than six months. In December 2023, a threat actor known as “Perell” claimed access to critical information about fiber and landline users of BSNL. The dataset contained about 32,000 lines of data allegedly impacting over 2.9 million users. However, BSNL did not validate the claims back then.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

BlackBasta Ransomware Gang Claims Cyberattack on Key Benefit Administrators, Scrubs & Beyond

BlackBasta Ransomware

The notorious BlackBasta ransomware group is claiming credit for carrying out cyberattacks on major multinationals in the U.S. The ransomware gang claims it has access to sensitive data of financial services firm Key Benefit Administrators and healthcare apparel retailer Scrubs & Beyond. BlackBasta was recently suspected to have exploited a Microsoft zero-day prior to Microsoft’s release of a patch for the vulnerability back in March.

Decoding BlackBasta Ransomware's Alleged Attack

The first organization targeted by BlackBasta is Key Benefit Administrators, Inc., which offers financial services. The company provides employment benefit services that manage pension, retirement, health, and welfare funds. BlackBasta claims to have access to 2.5TB of the firm’s sensitive data, including client, executive, and employee information.

[Image: BlackBasta Ransomware. Source: Ransomware.live]

The other organization targeted by the ransomware group is Scrubs & Beyond, the largest retailer of healthcare apparel and accessories in the U.S. The ransomware crew claims to have accessed 600GB of the organization’s sensitive data, including HR, employee, and departmental files.

[Image: BlackBasta Ransomware. Source: Ransomware.live]

Until an official statement is released by the two firms, the facts behind the BlackBasta ransomware attack claim will likely remain elusive. If BlackBasta's claims are proven true, the implications could be significant. The compromise of sensitive legal information and client data could have broad consequences, not only for the firms concerned but also for their clients and partners.

How Does BlackBasta Group Operate?

BlackBasta is a highly active ransomware group that has quickly gained a reputation for targeting high-value organizations across various industries. BlackBasta typically uses sophisticated phishing campaigns and exploits known vulnerabilities in software to obtain access to its targets' systems. After gaining access, the group encrypts critical data and demands hefty ransoms for its release.

Previous Attacks By BlackBasta

A recent joint security advisory from the U.S. Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC) stated that Black Basta has, through its affiliates, compromised more than 500 organizations all over the world. The victims include organizations that span 12 of 16 critical infrastructure sectors, including the Healthcare and Public Health (HPH) sector. A few of BlackBasta’s victims include Microsoft, Hyundai Europe, Capita, The American Dental Association, Yellow Pages Canada, and Dish, among others.

How to Protect Against Ransomware

The ever-present threat of ransomware requires vigilant cybersecurity practices by consumers and organizations alike.

  1. Keeping software and operating systems up-to-date: Many ransomware attacks exploit vulnerabilities in outdated software and operating systems. By keeping software and operating systems up-to-date, you can minimize the possibility of a ransomware attack.
  2. Backing up important data: If your files are encrypted by ransomware, you may be able to restore them from a backup. By regularly backing up important data, you can increase the chances that you can recover your files if they are encrypted by ransomware. However, those backups should be immutable and ransomware-resistant; a good backup service provider may be your surest bet.
  3. Using antivirus software: Antivirus software can detect and remove various types of malware, including ransomware. By using antivirus or endpoint security software, you can reduce the risk of a ransomware attack.
  4. Being cautious of suspicious emails: Many ransomware attacks are spread via phishing emails. You can lower the risk of a ransomware attack by being wary of suspicious emails and refraining from clicking on links or opening attachments from unknown sources.
  5. Educating employees about cybersecurity: Employees play a critical role in defending against cyberattacks. It is of utmost importance that they understand the best practices and know how to identify and report suspicious activities.
  6. Isolating critical workloads and data: Isolating your most important data and applications with technologies such as microsegmentation, VLANs, firewalls and strict access and permission controls will create an extra layer of security that will make it that much harder for ransomware to infect your most critical systems.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Doxxing on BreachForums Allegedly Exposes Moderator’s Personal Information

Doxxing BreachForums

The infamous cybercrime marketplace BreachForums faced an awkward scenario on June 25, 2024, when a threat actor leaked unverified information about “Aegis”, one of the forum moderators. The doxxing of the BreachForums moderator was first reported by a LinkedIn user in a cybersecurity group named “CISO2CISO”.

BreachForums Moderator Doxxing Details

On Tuesday, Bhavesh Mohinani, a SOC analyst and a member of "CISO2CISO," shared screenshots of a BreachForums post by an anonymous threat actor that allegedly contained sensitive Personally Identifiable Information (PII) of BreachForums moderator "Aegis".

[Image: Doxxing BreachForums. Source: LinkedIn]

The threat actor claimed that he obtained “bits and pieces” of information about Aegis through his friend. “One thing I was given was a first name and an IP. Looking into it, you find out his information is very much out there! So much OPSEC, am I right,” the TA wrote in his post. OPSEC, or Operational Security, is a process that identifies seemingly innocuous actions that could inadvertently reveal critical or sensitive data to a cybercriminal.

Elaborating on the details of Aegis, the threat actor claimed, “Aegis is a 17-year-old Egyptian resident living with his mother. His father seems not to have been found. Aegis started off being a skid, stealing code, claiming to be harmful and so on...he is a loser. “Aegis will most likely deny this being his information but if this post gets taken down, you will know the truth/ love everyone! Expect this loser,” the TA wrote. The user also shared details claiming to be the moderator’s phone number, IP address, residential address and Telegram account.

[Image: Doxxing BreachForums Moderator. Source: LinkedIn]

While there is no confirmation of or credibility to the claims shared by the anonymous actor, the post was deleted as soon as it was shared. However, the post has raised concerns about the security and trustworthiness of online communities.

What is Doxxing?

Doxxing, or doxing for short, is when someone puts your personal information out there on the internet. This can include information like where you work, your home address, your credit card numbers, and other private details. Usually, the intention of the threat actor is to harass the victims. The word "doxxing" first came about in the 1990s, starting from the word "documents," which got shortened to "docs," and then finally became "dox." When people talk about "dropping dox," they mean cybercriminals revealing the true identities of their rivals, taking away their anonymity, and making them vulnerable to the authorities.

A doxxing attack begins with the threat actor gathering extensive information about their target, searching online and checking social media for clues. Social media can reveal workplace details, which can be exploited for attacks. Skilled threat actors might also trace a target’s IP address to determine their location. The more data a threat actor collects, the more harm they can inflict. While some doxxing incidents are minor, like sending unwanted pizza deliveries, others can lead to severe consequences such as online harassment, swatting, identity theft, reputational damage, physical assault, job loss, or stalking.

The alleged doxxing of the BreachForums moderator has raised questions about whether it would lead to the arrest of another threat actor and whether it signals the decline of the forums. In California, for example, doxing is considered a serious offense, and individuals engaging in this activity could face legal consequences. Individuals arrested and charged with cyber harassment (doxing) under Penal Code §653.2 face up to one year in jail and a fine of up to $1,000. In April 2023, Hong Kong’s privacy watchdog, the Office of the Privacy Commissioner for Personal Data, arrested a 27-year-old woman on suspicion of doxxing after she allegedly posted the personal details of her friend’s ex-boyfriend on social media.

Prevention Against Doxxing

To protect against doxxing, users should use strong, unique passwords for each account and enable Multi-Factor Authentication (MFA). Cleaning up the digital footprint by removing personal information from online sites, deactivating old accounts, and adjusting privacy settings is regarded as a healthy practice. Using a VPN is recommended to hide the user’s IP address and prevent location tracking. Users must also be vigilant against phishing scams by recognizing poor spelling, mismatched email addresses, and unsolicited links. Finally, avoiding oversharing personal information online and keeping social media profiles private is a healthy digital practice that enhances security.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Jollibee Probes Alleged Data Breach Affecting 32 Million Customers, Asks Public to Remain Vigilant

Jollibee Data Breach

Jollibee Foods Corporation (JFC), the largest fast-food chain operator in the Philippines, has launched an investigation into an alleged data breach of its systems that may have affected millions of its customers across the globe. The Jollibee probe was initiated after a threat actor claimed responsibility for breaching the systems of Jollibee Foods Corporation. On June 21, The Cyber Express reported that a notorious attacker, operating under the alias “Sp1d3r”, claimed to have access to the sensitive data of 32 million customers of the fast food chain and offered to sell the database for $40,000 on the dark web.

[Image: Jollibee Cyberattack. Source: X]

Details of Jollibee Probe into Cyberattack

The Philippines National Privacy Commission (NPC) regulations make it mandatory for organizations in the country to report and inform stakeholders of cybersecurity incidents within 72 hours of discovery. A statement was released on June 22 by Richard Shin, Chief Financial Officer and Corporate Information Officer of JFC, which said that it was addressing “a cybersecurity incident” that reportedly affected the company, “in addition to other subsidiaries”.

“The Company is addressing the incident and has implemented its response protocols and deployed enhanced security measures to further protect the Company’s and its subsidiaries’ data against threats. The Company has also launched its investigation on the matter to understand the scope of this incident, and is currently working with the relevant authorities and experts in its investigation,” the statement said.

JFC, however, added that its e-commerce platforms and those of its subsidiaries’ brands remained unaffected by the cyberattack and continued to be operational. It added that the safety of stakeholders' data was paramount for the company. “JFC recognizes the value and importance of the confidentiality of personal information of its stakeholders. The Company assures the public of its commitment to prioritize the protection and confidentiality of such personal information, including customer data, by continuously fortifying its defenses against future threats,” the company said. “The Company further assures the public that it continues to monitor and update its security measurements as appropriate under the circumstances, and as may be required by the results of its investigation into this matter,” it added.

The fast-food delivery group urged the public to be vigilant and exercise good information security practices, including keeping passwords secure and changing them often.

Jollibee’s Cybersecurity Concerns

The alleged data breach of the fast-food chain was posted on the popular data hack site BreachForums on June 20. The threat actor, “Sp1d3r”, claimed to have carried out a cyberattack and gained access to the data of 32 million Jollibee customers, including their names, addresses, phone numbers, email addresses and hashed passwords. The hacker also allegedly exfiltrated 600 million rows of data related to food delivery, sales orders, transactions and service details. JFC, meanwhile, is investigating this alleged cyberattack on its brands and subsidiaries, including Greenwich, Red Ribbon, Burger King Philippines, and Highlands Coffee.

This is not the first time that Jollibee has faced flak for its cybersecurity measures. In December 2017, JFC disclosed a data breach of its delivery website. The NPC had then warned that the data of 18 million customers was at “a very high risk” of being exposed. After an investigation, the NPC in May 2018 suspended Jollibee’s delivery website due to “serious vulnerabilities.” JFC also took down the delivery websites of its other brands.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Jollibee Cyberattack: Data of 32 Million Customers of Fast Food Chain Allegedly Compromised

Jollibee

Jollibee, the Philippines’ largest fast-food chain, has allegedly been hit by a massive data breach. The Jollibee cyberattack came to light on June 20, 2024, when a threat actor claimed responsibility for breaching the systems of Jollibee Foods Corporation. The notorious attacker, operating under the alias “Sp1d3r”, claimed to have access to the sensitive data of 32 million customers of the fast food chain and offered to sell the database for $40,000.

Details of Jollibee Cyberattack

The data breach of the fast-food chain was posted by the threat actor on the popular data hack site BreachForums. The threat actor stated that “Jollibee is a Filipino chain of fast-food restaurants owned by Jollibee Foods Corporation. As of September 2023, there were over 1,500 Jollibee outlets worldwide, with restaurants in Southeast Asia, East Asia, the Middle East, North America, and Europe.”

[Image: Jollibee Cyberattack. Source: X]

The threat actor claimed to have carried out a cyberattack and gained access to the data of 32 million Jollibee customers, including their names, addresses, phone numbers, email addresses and hashed passwords. The hacker also allegedly exfiltrated 600 million rows of data related to food delivery, sales orders, transactions and service details. To support these claims, the TA included a sample in tabular data format accessible through spreadsheet programs like Microsoft Excel and Google Sheets. While the exact details of the alleged data breach remain unclear, the potential impact on millions of customers is cause for concern.

Jollibee Yet to React to Cyberattack Claims

The motive behind the Jollibee cyberattack remains unknown. So far, Jollibee Foods Corporation has not reacted or issued any official statement regarding the alleged data breach. The Cyber Express has reached out to the corporation to verify the claims. This article will be updated once the company responds to the allegations and shares any preventive measures in place to prevent critical data from being misused. The Philippines National Privacy Commission (NPC) has yet to receive any notification from Jollibee Foods Corporation regarding the breach. The NPC regulations require organizations to inform affected individuals and report such incidents within 72 hours of discovery.

Jollibee Cyberattack Threat Actor Responsible for Snowflake Breach

While Jollibee investigates the claims made by “Sp1d3r”, the threat actor has been responsible for several recent breaches, including many affecting customers of third-party cloud data storage vendor Snowflake. On June 1, “Sp1d3r” posted on the cybercriminal platform BreachForums that they had stolen the sensitive information of over 190 million people from QuoteWizard. The alleged database included customer details, partial credit card numbers, insurance quotes, and other information. The same threat actor was responsible for the data breach at American automobile aftermarket component supplier Advance Auto Parts, Inc. The attacker “Sp1d3r” claimed to have stolen three terabytes of customer data from the company’s Snowflake cloud storage and was selling the data for US$1.5 million. In its report, the company stated that the cyberattack could create damages of up to $3 million.

The Jollibee cyberattack is a stark reminder of the vulnerabilities of the digital world, where even the largest and most established companies can become victims of notorious data hackers. Customers should stay vigilant and follow any further guidance provided by Jollibee and cybersecurity professionals.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.