In a significant move to bolster data privacy protections, the California Privacy Protection Agency (CPPA) inked a new partnership with France’s Commission Nationale de l'Informatique et des Libertés (CNIL).
The collaboration aims to conduct joint research on data privacy issues and share investigative findings that will enhance the capabilities of both organizations in safeguarding personal data.
The partnership between CPPA and CNIL shows the growing emphasis on international collaboration in data privacy protection. Both California and France, along with the broader European Union (EU) through its General Data Protection Regulation (GDPR), recognize that effective data privacy measures require global cooperation.
France’s membership in the EU brings additional regulatory weight to this partnership and highlights the necessity of cross-border collaboration to tackle the complex challenges of data protection in an interconnected world.
What the CPPA-CNIL Data Privacy Protections Deal Means
The CPPA on Tuesday outlined the goals of the partnership, stating, “This declaration establishes a general framework of cooperation to facilitate joint internal research and education related to new technologies and data protection issues, share best practices, and convene periodic meetings.” The strengthened framework is designed to enable both agencies to stay ahead of emerging threats and innovations in data privacy.
Michael Macko, the deputy director of enforcement at the CPPA, said there were practical benefits of this collaboration. “Privacy rights are a commercial reality in our global economy,” Macko said. “We’re going to learn as much as we can from each other to advance our enforcement priorities.”
This mutual learning approach aims to enhance the enforcement capabilities of both agencies, ensuring they can better protect consumers’ data in an ever-evolving digital landscape.
CPPA’s Collaborative Approach
The partnership with CNIL is not the CPPA’s first foray into international cooperation. The California agency also collaborates with three other major international organizations: the Asia Pacific Privacy Authorities (APPA), the Global Privacy Assembly, and the Global Privacy Enforcement Network (GPEN). These collaborations help create a robust network of privacy regulators working together to uphold high standards of data protection worldwide.
The CPPA was established following the implementation of California's groundbreaking consumer privacy law, the California Consumer Privacy Act (CCPA). As the first comprehensive consumer privacy law in the United States, the CCPA set a precedent for other states and countries looking to enhance their data protection frameworks. The CPPA’s role as an independent data protection authority mirror that of the CNIL - France’s first independent data protection agency – which highlights the pioneering efforts of both regions in the field of data privacy.
By combining their resources and expertise, the CPPA and CNIL aim to tackle a range of data privacy issues, from the implications of new technologies to the enforcement of data protection laws. This partnership is expected to lead to the development of innovative solutions and best practices that can be shared with other regulatory bodies around the world.
As more organizations and governments recognize the importance of safeguarding personal data, the need for robust and cooperative frameworks becomes increasingly clear. The CPPA-CNIL partnership serves as a model for other regions looking to strengthen their data privacy measures through international collaboration.
Credit Suisse, a global investment bank and financial services firm, has reportedly fallen victim to a cyberattack. The Credit Suisse data breach was allegedly masterminded by a threat actor (TA), operating under the alias “888,” on the data hack site BreachForums.
The TA claims to have accessed highly sensitive data of the bank and posted it on the dark web marketplace. According to the the threat actor, the data breach contains personal information of about 19,000 of the bank’s Indian employees.
Credit Suisse Data Breach Details
Credit Suisse was founded in 1856 and has approximately $15.21 Billion in revenue. It is one of the leading institutions in private banking and asset management, with strong expertise in investment banking.
On June 25, 2024, the threat actor claimed to have carried out a cyberattack on the bank and exfiltrated details on 19,000 of its users.
[caption id="attachment_79024" align="alignnone" width="1622"] Source: X[/caption]
The breached data purportedly includes names of employees, 6,623 unique email addresses, their codes, date of birth, gender, policy name, relationships, dates of joining, effective dates, statuses, and entities.
To substantiate the claim, the threat actor 888 provided a sample of the data breach, which contains details of Credit Suisse employees in India.
[caption id="attachment_79025" align="alignnone" width="1362"] Source: X[/caption]
The TA, however, did not provide a specific price for the sale of data and has requested potential buyers to quote a figure. The hacker commented that they are only accepting cryptocurrency as the mode of payment. More specifically, the hacker was open to payment on Monero (XMR), a digital currency renowned for its privacy and anonymity attributes. This method of payment is often utilized in illegal transactions to evade detection.
Despite these claims by the threat actor, a closer inspection reveals that the bank’s website is currently functioning normally, showing no signs of a security breach. The Cyber Express has reached out to the bank to verify the alleged cyberattack. As of now, no official statements or responses have been received, leaving the claims unverified.
Not the First Credit Suisse Data Breach
This is not the first time that Credit Suisse has been involved in a security breach. According to a report published in The Economic Times, in 2023, the bank warned its staff that a former employee stole personal data of its employees, including salaries and bonuses. The information included salary and "variable compensation" for a period between 2013 and 2015.
Another Bloomberg report said that a data breach in 2023 impacted numerous former Credit Suisse clients who collectively held a staggering $100 billion in accounts.
Credit Suisse Hacker Targeted Big Multinationals Recently
There are many concerns over the potential misuse of sensitive information found in the data breach, which includes customer names, dates of birth, and relationships. Credit Suisse should investigate the data breach claims considering the history of the threat actor.
Earlier this month, the TA 888 claimed to have stolen data of over 32,000 current and former employees of Accenture. The company, however, denied the claims and said that the data set published by the hacker had only three employee names and email addresses.
The hacker also claimed responsibility for leaking details about 8,174 employees of Heineken across several countries.
Prior to this, 888 also staked claims for an attack on oil and gas multinational Shell. The TA posted sample information sharing personal details of Australian customers.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
On June 23rd, LockBit announced breaching the US Federal Reserve System, while security experts remained skeptical. The Russian threat group claimed to exfiltrate 33 terabytes of banking information from the USA’s central bank servers. They also threatened to publish the data in the following 48 hours unless the victims would pay ransom. Source – Cybernews.com […]
A shockwave went through the financial world when ransomware group LockBit claimed to have breached the US Federal Reserve, the central banking system of the United States.
On LockBit’s dark web leak site, the group threatened to release over 30 TB of banking information containing Americans’ banking data if a ransom wasn’t paid by June 25:
LockBit leak site
“Federal banking is the term for the way the Federal Bank of America distributes its money. The Reserve operates twelve banking districts around the country which oversee money distribution within their respective districts. The twelve cities which are home to the Reserve Banks are Boston, New York City, Philadelphia, Richmond, Atlanta, Dallas, Saint Louis, Cleveland, Chicago, Minneapolis, Kansas City and San Francisco.
33 terabytes of juicy banking information containing American’s banking secrets.”
The statement ends expressing the group’s disappointment about a negotiator who apparently offered to pay $50,000.
So, you can imagine that everyone was anticipating the end of the countdown that signalled the release of the stolen data with bated breath.
However, when that deadline passed and the data was released, people who looked at the data found it did not, in fact, belong to the Federal Reserve but instead to a particular financial organization: Evolve Bank & Trust.
Overview of the available data
All the links lead to directories containing data that seems to belong to Evolve.
There hasn’t been enough time to do a full analysis of the huge amount of data, but it appears it is only remotely tied to the Federal Reserve by some included links to a Federal Reserve press link from mid-June.
At that time, the US Federal Reserve Board penalized Evolve Bancorp and its subsidiary, Evolve Bank & Trust, for multiple “deficiencies” in the bank’s risk management, anti-money laundering (AML) and compliance practices.
According to the Federal Reserve statement released at the time:
“In addition, Evolve did not maintain an effective risk management program or controls sufficient to comply with anti-money laundering laws and laws protecting consumers.”
So, as expected, LockBit drew a lot of attention under false pretences.
“While LockBit is technically still alive, it’s fair to say the group is not what it was: Not only are its attacks dwindling, but in early May law enforcement also revealed the identity of alleged LockBit leader Dmitry Khoroshev, aka LockBitSupp. LockBitSupp, who is now subjected to a series of asset freezes and travel bans, also has a reward of up to $10 million over his head for information that leads to his arrest.”
And recently the FBI announced it had over 7,000 LockBit decryption keys in its possession, allowing it to help victims to recover data encrypted by the gang in past attacks. LockBit ransomware has impacted over 1,800 US victims, according to FBI stats.
Back to the data, it’s good news it appears not to be from the Federal Reserve. However, it’s not good news for customers of Evolve Bank & Trust and their data may well have been stolen and published. And it’s a lot of data.
A lot of data
We’ll keep you updated on this developing story. For now, there’s no official statement from Evolve, but there are general things to know if you think you have been involved in a data breach.
Protecting yourself after a data breach
There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.
Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
Set up identity monitoring.Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.
Check your digital footprint
Malwarebytes has a new free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.
New GrimResource technique exploits a 2018-old, unpatched, Windows XSS flaw and crafted MSC files to deploy malware via the Microsoft Management Console (MMC). Researchers detected the new exploitation technique in the wild on June 6th, 2024. Exploiting the Microsoft Management Console could enable hackers to evade security measures and gain initial access. Although researchers reported […]
Hacktivist group KillSec has revealed a new weapon in their digital arsenal: a Ransomware as a Service (RaaS) program designed to empower aspiring cybercriminals with hacking capabilities. The threat actor revealed the RaaS program on June 24, 2024, sharing its features for those looking to deploy ransomware attacks on their targets. The centerpiece of KillSec RaaS is its advanced locker, meticulously crafted in C++ for optimal performance and efficiency. This encryption tool is engineered to lock down files on victims' computers, rendering them inaccessible until a ransom is paid and a decryption key is provided. Operating through a user-friendly dashboard accessible via the Tor network, known for its anonymity features, KillSec ensures that its clients can operate discreetly.
KillSec Announces New RaaS Program for Hackers
[caption id="attachment_79012" align="alignnone" width="532"] Source: Dark Web[/caption]
The dashboard boasts several essential features designed to streamline the ransomware deployment process. Users can track the success of their campaigns with detailed statistics, manage communications via an integrated chat function, and customize ransomware configurations using the built-in builder tool.In addition to its current capabilities, KillSec has announced forthcoming enhancements to its RaaS program. These include a stresser tool for launching distributed denial-of-service (DDoS) attacks, automated phone call capabilities to pressure victims into paying ransoms, and an advanced stealer for harvesting sensitive data such as passwords and financial information.Access to KillSec's RaaS program is available for a fee of $250, aimed at "trusted individuals," with KillSec taking a 12% commission from any ransom payments collected. This pricing model highlights the group's commitment to making advanced cyber weaponry accessible while maintaining a profitable partnership with their clients.
Who is the KillSec Hacktivist Group?
Founded in 2021, KillSec has emerged as a prominent force in the hacktivist community, often aligning itself with the ethos of the Anonymous movement. Their activities have included high-profile website defacements, data breaches, and ransomware attacks, including recent breaches affecting traffic police websites in Delhi and Kerala.Ransomware as a Service (RaaS) programs, similar to what KillSec has announced, represent an evolution in cybercrime tactics, democratizing access to powerful malicious software for a global audience. The RaaS program model allows less technically skilled individuals to engage in cyber extortion with relative ease, leveraging customizable ransomware variants to target businesses and individuals worldwide. The proliferation of RaaS platforms has contributed to the escalating frequency and severity of ransomware attacks, posing substantial challenges to law enforcement agencies worldwide.Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
Choosing an IT management software is one of the most important decisions you make as an IT team. There are a few well-known platforms on the market, one being NinjaOne. Considering the feedback from review sites, NinjaOne customers are switching to alternatives mainly because of a poor user experience, slow customer support, complex configuration, and […]
A newly disclosed critical security flaw impacting Progress Software MOVEit Transfer is already seeing exploitation attempts in the wild shortly after details of the bug were publicly disclosed.
The vulnerability, tracked as CVE-2024-5806 (CVSS score: 9.1), concerns an authentication bypass that impacts the following versions -
From 2023.0.0 before 2023.0.11
From 2023.1.0 before 2023.1.6, and&
In the first quarter of 2024, nearly half of all security incidents our team responded to involved multi-factor authentication (MFA) issues, according to the latest Cisco Talos report.
As cybersecurity's cat-and-mouse game starts to look more like Tom and Jerry, attackers develop a method for undermining Android app security with no obvious fix.
Organizations face an overwhelming number of vulnerabilities and threats. The traditional approach has been to prioritize exposures—identifying and addressing the most critical vulnerabilities first. However, this method, while logical on the surface, has significant limitations. At Veriti, we advocate for a different strategy: prioritizing actions. By focusing on remediations rather than merely cataloging exposures, we believe […]
Today, CISA, in partnership with the Federal Bureau of Investigation, Australian Signals Directorate’s Australian Cyber Security Centre, and Canadian Cyber Security Center, released Exploring Memory Safety in Critical Open Source Projects. This guidance was crafted to provide organizations with findings on the scale of memory safety risk in selected open source software (OSS).
This joint guidance builds on the guide The Case for Memory Safe Roadmaps by providing a starting point for software manufacturers to create memory safe roadmaps, including plans to address memory safety in external dependencies which commonly include OSS. Exploring Memory Safety in Critical Open Source Projects also aligns with the 2023 National Cybersecurity Strategy and corresponding implementation plan, which discusses investing in memory safety and collaborating with the open source community—including the establishment of the interagency Open Source Software Security Initiative (OS3I) and investment in memory-safe programming languages.
CISA encourages all organizations and software manufacturers to review the methodology and results found in the guidance to:
Reduce memory safety vulnerabilities;
Make secure and informed choices;
Understand the memory-unsafety risk in OSS;
Evaluate approaches to reducing this risk; and
Continue efforts to drive risk-reducing action by software manufacturers.
To learn more about taking a top-down approach to developing secure products, visit CISA’s Secure by Design webpage.
These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See theBOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
Rate limiting is a well-known technique for limiting network traffic to web servers, APIs, or other online services. It is also one of the methods available to you for blocking DDoS attackers from flooding your system with requests and exhausting network capacity, storage, and memory. You typically define rate-limiting rules in your Web Application Firewall […]
The tragedy of the commons is a concept in economics and ecology that describes a situation where individuals, acting in their own self-interest, collectively deplete a shared resource. In simpler terms, it's the idea that when a resource is available to everyone without restriction, some individuals tend to overuse it, leading to its eventual depletion and harming everyone in the long run. In the case of Maven Central, we are experiencing an unwitting tyranny by the few.
Multiple vulnerabilities have been addressed in ADOdb, a PHP database abstraction layer library. These vulnerabilities could cause severe security issues, such as SQL injection attacks, cross-site scripting (XSS) attacks, and authentication bypasses. The Ubuntu security team has released updates to address them in various versions of Ubuntu, including Ubuntu 22.04 LTS, Ubuntu 20.04 LTS, Ubuntu […]
Containerized applications offer several advantages over traditional deployment methods, making them a powerful tool for modern application development and deployment. Understanding the security complexities of containers and implementing targeted security measures is crucial for organizations to protect their applications and data. Adopting specialized security practices, such as Linux live kernel patching, is essential in maintaining […]
Notorious ransomware group BianLian has claimed to have added two new organizations as its latest cyberattack victims. The BianLian ransomware attack was allegedly carried out on two US-based firms, namely, Better Business Bureau Inc and U.S. Dermatology Partners. The infamous actor has claimed to have accessed sensitive data including financial, contract, and employee profiles from both its victims.
BianLian Ransomware Attack: Critical Details
The first organization targeted by hackers was Better Business Bureau (BBB), which is a private, nonprofit organization founded in 1912 in Arlington, Virginia. The firm maintains a massive database of accredited and non-accredited businesses, providing ratings based on several factors. The Better Business Bureau has a revenue of $430.6 Million.
[caption id="attachment_79001" align="alignnone" width="1259"] Source: X[/caption]
The threat actor claims to have accessed 1.2 TB of organization data, including accounting, budget, and financial data; contract data and NDAs; files from the CFO's computer; operational and business files; and email and PST archives. The group has also disclosed sensitive information such as the names, personal email addresses, and phone numbers of BBB’s CEO, vice president, chief accreditation officer, and chief activation officer.
The other organization that has allegedly fallen victim to the ransomware group is US Dermatology Partners. The organization, with a revenue of $213.7 Million, is one of the premier dermatology practitioners in the USA, caring for over two million patients annually.
[caption id="attachment_79002" align="alignnone" width="1259"] Source: X[/caption]
The hackers claimed to have accessed 300 GB of organization data, including personal data, accounting and budget information, financial data, contract data and NDAs, and employee profiles.
Potential Impact of BianLian Ransomware Attack
If proven, the potential consequences of this ransomware attack could be critical as the accounting and financial details of both these firms could be leaked. The organizations should take appropriate measures to protect the privacy and security of the stakeholders involved. Financial data breaches can lead to identity theft, financial fraud, and a loss of trust among clients, potentially jeopardizing the company’s standing in the industry.
Currently, details regarding the extent of the BianLian ransomware attack, data compromise, and the motive behind the cyber assault remain undisclosed.
Despite the claims made by BianLian, the official websites of the targeted companies remain fully functional. This discrepancy has raised doubts about the authenticity of the BianLian group’s assertion. To ascertain the veracity of the claims, The Cyber Express has reached out to the officials of the affected organizations. As of the writing of this news report, no response has been received, leaving the ransomware attack claim unverified.
History of BianLian Ransomware Group Attacks
BianLian, a ransomware group, has been targeting critical infrastructure sectors in the U.S. and Australia since June 2022. They exploit RDP credentials, use open-source tools for discovery, and extort data via FTP or Rclone. FBI, CISA, and ACSC advise implementing mitigation strategies to prevent ransomware attacks.
Initially employing a double-extortion model, they shifted to exfiltration-based extortion by 2023. According to a report by BlackBerry, BianLian ransomware showcases exceptional encryption speed and is coded in the Go programming language (Golang). This sophisticated approach has enabled the group to strike multiple organizations, leaving a trail of unverified claims in its wake.
Earlier in 2024, the group targeted companies such as North Star Tax and Accounting, KC Pharmaceuticals, Martinaire. In its attack on MOOver, the group claimed to have accessed a staggering 1.1 terabytes of the firm’s data. Subsequently, Northeast Spine and Sports Medicine also found themselves on the list of victims. All these claims, similar to the recent attack, remain unverified.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
Source: www.databreachtoday.com – Author: 1 Artificial Intelligence & Machine Learning , Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime New Report Urges Public-Private Collaboration to Reduce Chemical, Nuclear AI Risks Chris Riotta (@chrisriotta) • June 25, 2024 The U.S. federal government warned that artificial intelligence lowers the barriers to conceptualizing and conducting […]
Source: www.databreachtoday.com – Author: 1 Artificial Intelligence & Machine Learning , Governance & Risk Management , Next-Generation Technologies & Secure Development Companies Eager for Tools Are Putting AI’s Transformative Power Ahead of Security Rashmi Ramesh (rashmiramesh_) • June 25, 2024 Oh, no – not all Ollama administrators have patched against the “Probllama” flaw. […]
Source: www.databreachtoday.com – Author: 1 Healthcare , Industry Specific , Standards, Regulations & Compliance John Riggi of the American Hospital Association on HHS’ Upcoming Cyber Regulations Marianne Kolbasuk McGee (HealthInfoSec) • June 25, 2024 John Riggi, national cybersecurity and risk adviser, American Hospital Association White House efforts to ratchet up healthcare sector cybersecurity […]
Source: www.databreachtoday.com – Author: 1 3rd Party Risk Management , Cybercrime , Fraud Management & Cybercrime More Victims of Campaign Against Data Warehousing Platform Snowflake Come to Light Mathew J. Schwartz (euroinfosec) • June 25, 2024 Attention Neiman Marcus shoppers: Your contact information may be for sale on a criminal forum. (Image: Shutterstock) […]
Source: www.databreachtoday.com – Author: 1 Immutable backups are essential in the fight against ransomware, and businesses should put protections in place to ensure attackers can’t alter or delete them. Acronis President Gaidar Magdanurov said data protection firms must address the threat of ransomware by implementing immutable storage and exposing APIs for seamless integration with security […]
Malwarebytes Premium Security has maintained its long-running, perfect record in protecting users against online threats by blocking 100% of the malware samples deployed in the AV Lab Cybersecurity Foundation’s “Advanced In-The-Wild Malware Test.”
For its performance in the May 2024 evaluation, Malwarebytes Premium Security also received a certificate of “Excellence.”
According to AV Lab, such certificates “are granted to solutions that are characterized by a high level of security, with a rating of at least 99% of blocked threats in the Advanced In-The-Wild Malware Test.”
Every two months, the cybersecurity and information security experts at AV Lab construct a series of tests to compare cybersecurity vendors against the latest malware that is currently being used by adversaries and threat actors.
For the May evaluation, AV Lab tested 521 unique malware samples against 13 cybersecurity products. Malwarebytes Premium Security detected 521/521 malware samples, with a remediation time of 44 seconds—well below the 52-second average determined by AV Lab in its most recent testing.
Three cybersecurity vendors failed to block 100% of malware tested: ESET, F-Secure, and Panda.
To ensure that AV Lab’s evaluations reflect current cyberthreats, each round of testing follows three steps:
Collecting and verifying in-the-wild malware: AVLab regularly collects malware samples from malicious and active URLs, testing the malware samples to understand their impact to networks and endpoints.
Simulating a real-world scenario in testing: To recreate how a real-life cyberattack would occur, AVLab uses the Firefox web browser to engage with the known, malicious URLs collected in the step prior. In the most recent test, AVLab emphasized the potential for these URLs to be sent over instant messaging platforms, including Discord and Telegram.
Incident recovery time assessment: With the various cybersecurity products installed, AVLab measures whether the evaluated product detects a malware sample, when it detects a sample, and how long it took to detect that sample. The last metric is referred to as “Remediation Time.”
Malwarebytes is proud to once again achieve a 100% score with AVLab’s Advanced In-The-Wild Malware Test, a trusted resource that proves our commitment to user safety.
A newly surfaced banking trojan named "Sniffthem," also known as Tnaket has emerged on the dark web forums. This Sniffthem trojan, introduced by threat actor oliver909 on the XSS Russian language forum, targets a wide spectrum of Windows operating systems ranging from Windows 7 to the latest Windows 11.Oliver909's forum post on June 24, 2024, detailed the capabilities of the banking trojan Sniffthem, highlighting its advanced functionalities designed for financial fraud. Among its notable features, Sniffthem possesses the ability to perform HTML injection, enabling it to compromise websites—even those secured with SSL certificates—by injecting malicious HTML code. This tactic undermines the integrity of supposedly secure web pages, facilitating the theft of sensitive information.
Dark Web Actors Reveals Banking Trojan Sniffthem
[caption id="attachment_78990" align="alignnone" width="1906"] Source: Dark Web[/caption]
Another key feature of Sniffthem is its credit card grabber capability, allowing it to stealthily capture credit card details through the injection of fake web pages. This method operates covertly, ensuring that the theft of financial data goes unnoticed by users and security measures alike. Moreover, the trojan supports a wide range of web browsers including Firefox, Google Chrome, Edge, and Yandex, ensuring compatibility across various user environments.To evade detection, the banking trojan Sniffthem employs crypters, enhancing its stealth and persistence on infected systems. These crypters cloak the trojan's code, making it difficult for antivirus programs and security defenses to detect and remove the malware effectively. Oliver909 demonstrated the trojan's functionalities through a video shared on the forum, showcasing its management panel and user interface designed for seamless control over malicious activities.In terms of pricing, oliver909 offers Sniffthem on a subscription basis, setting a monthly rate of USD 600. This pricing strategy positions Sniffthem as a lucrative option within the cybercriminal marketplace, appealing to threat actors looking to capitalize on financial fraud opportunities.
Technical Insights into Sniffthem Banking Trojan
Sniffthem's technical specifications highlight its sophistication and potential impact on cybersecurity. The Sniffthem banking trojan operates persistently as a hidden process, evading detection and maintaining a covert presence on infected systems. Its integration with a web-based management panel allows threat actors to efficiently control compromised devices and orchestrate malicious activities remotely.Furthermore, Sniffthem's compatibility with a wide array of browsers—64 in total—highlights its versatility and ability to infiltrate diverse user environments. This capability extends its reach across various sectors, with a particular focus on the BFSI (Banking, Financial Services, and Insurance) industry where financial transactions and sensitive data are prime targets.The emergence of Sniffthem signifies a heightened threat to organizations and individuals alike, particularly within the financial sector. To mitigate risks associated with banking trojans like Sniffthem, cybersecurity best practices are essential. Organizations should prioritize regular software updates, endpoint protection, and employee training to recognize and respond to phishing attempts effectively.Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
India’s largest government-owned-telecommunications service provider, Bharat Sanchar Nigam Ltd (BSNL), has allegedly suffered a massive data breach, the second such instance in less than six months. The BSNL data breach reportedly involves critical data including international Mobile Subscriber Identity (IMSI) numbers, SIM card information, Home Location Register (HLR) specifics, DP Card Data, and even snapshots of BSNL's SOLARIS servers which can be misused for SIM cloning.
Exploring Claims of BSNL Data Breach
The BSNL data leak was first disclosed by an Indian firm, Athenian Tech, in its threat intelligence report. According to the report, a threat actor, operating under the alias “kiberphant0m”, leaked a significant amount of sensitive data affecting millions of users.
The threat actor posted this information on the data hack site BreachForums and shared samples of the breach to legitimize the claim. Overall, around 278GB of sensitive information could be compromised.
The hacker also posted details of call log samples which leaked sensitive information like mobile numbers of users, the date and duration of calls, and the amount charged for the call in Indian Rupees. The call log samples were being leaked in two sets: one for the month of May 2024 and another from 2020. This indicates that the data breach was a recent attack raising questions over the security checks in place at BSNL.
The threat actor was selling the alleged stolen data for $5,000. The steep price tag could indicate the significant value of the stolen data which is sensitive. The Cyber Express has yet to verify the authenticity of the recent BSNL data breach and has contacted the organization for an official response. This article will be updated based on their response.
Potential Implications of BSNL Data Breach
SIM Cloning and Identity Theft: Cloning a SIM involves creating a duplicate card that has the same IMSI and authentication keys, thus making it easy for the attackers to intercept messages/ calls, gain access to people’s bank accounts, and embezzle their finances.
Privacy Violations: Identity theft means that one can gain unauthorized access to the individuals’ communication and breaches.
Financial and Identity Theft: Illegal operations can defeat protective procedures in the financial portfolios, which entail substantial monetary losses and cases of identity theft.
Targeted Attacks and Scams: The user could be exposed to major security risks and could be vulnerable to phishing schemes and other social engineering attacks, exploiting their trust in BSNL.
The threat is not just limited to the consumers, but also to BSNL’s operations and security. Illegal access to servers can result in service disruptions, slow performance, and unauthorized access to telecom operations. Leaking of such information poses a severe threat to critical infrastructures and paves the way for future attacks on complex systems interconnectivity.
BSNL users should remain vigilant and monitor any unusual activity on their phones and bank accounts and enable two-factor authentication (2FA) for added security on all accounts. BSNL too should take immediate action if the breach is confirmed, secure network endpoints, and audit access logs. They should enhance security measures, conduct frequent security audits, and adopt advanced threat detection technologies.
Second BSNL Data Breach in Less Than Six Months
If the data theft claims are proven, it would be the second instance of a cyberattack on BSNL in less than six months. In December 2023, a threat actor known as “Perell” claimed access to critical information about fiber and landline users of BSNL. The dataset contained about 32,000 lines of data allegedly impacting over 2.9 million users. However, BSNL did not validate the claims back then.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
The Biden administration on Thursday said it’s banning the company from selling its products to new US-based customers starting on July 20, with the company only allowed to provide software updates to existing customers through September 29. The ban—the first such action under authorities given to the Commerce Department in 2019—follows years of warnings from the US intelligence community about Kaspersky being a national security threat because Moscow could allegedly commandeer its all-seeing antivirus software to spy on its customers.
Red Teaming security assessments aim to demonstrate to clients how attackers in the real world might link together various exploits and attack methods to reach their objectives.
By introducing a mobile device management (MDM) platform into the existing infrastructure, administrators gain the ability to restrict sideloading on managed devices.
Many organizations today use a jump server (also known as jump box or jump host) as the intermediary device to access a remote network securely. It is the go-to solution for remote administration of servers and devices and for development and testing environments. It is also commonly used to control vendor access to an organization’s internal systems and to meet compliance in certain industries.
While this is definitely a step up in security from using VPNs, jump server can sometimes create a false sense of security because there still exists security risks and loopholes.
In this blog post, we will first explore the security benefits and risks of a jump server. Finally, we will unveil strategies to mitigate those security risks.
When access is centralized, it is easy monitor and manage who access their network, ensuring all access to protected networks are authorized. Centralized access also simplifies managing permissions and security policies. while also making it easier to monitor and log activities.
2. Easy Monitoring and Session Management
With centralized access, monitoring traffic and logging activities are simplified. Jump servers also allow session recording, session timeout, and the ability terminate sessions to enhance control and security.
3. Reduce Attack Surface from external threats
Jump servers should be isolated from the internet and shouldn’t be able to browse the intranet. This reduces the attack surface and adds a layer of defense against external threats.
4. Reduced Exposure
By limiting direct access to critical systems and databases, jump servers minimize the risk of unauthorized access from any unauthorized sources.
5. Simplifying Audit and Compliance
User activity and traffic passing through the controlled central access point can be logged and recorded, which helps meet regulatory.
Top 5 Security Risks of Jump Server
1. Single Point of Failure
A compromised jump server can jeopardize the entire network. Also, a compromised user account, a privileged user, or an infected device can jeopardize the entire system and database the jump server protects.
2. Setup Complications
A simple jump server contains a Windows Server with RDP and user accounts from Active Directory. Additional setup and tools can be used to create more secure policies. In some cases, coding and debugging is required, which makes it difficult to add additional security policies.
3. Misconfigured Architecture and Database Security
A misconfigured architecture can completely bypass the jump server and access privileged resources, as indicated in the image below with the non-privileged resource. If the non-privileged resource is compromised, then the privileged resource can be accessed, bypassing the jump server. Because privileged resources are usually databases, many mistakenly think that jump server protects the database. Although jump servers do protect database access (in a way), it is NOT database security, as you’ll see later in this article.
Above: Workstation can circumvent access to privileged resources when the security architecture is misconfigured. Image source: Improsec.
4. Outdated Software and Credentials Management
Running outdated software on the jump server is known to expose the jump server to vulnerabilities. Default and weak passwords should be changed, and strong authentication policies should be enforced.
5. Insider Threats and Incident Response
Disgruntled or malicious employees who have access can cause data loss and data breaches. Although all traffic can be monitored, jump servers by default lack the ability immediately respond to insiders who are mass downloading or deleting data.
How to Mitigate Jump Server Security Risks Using Best Practices
Simply put, the easiest and simplest way to mitigate jump server security risks is to implement security best practices on your jump server. However, that is easily said than done.
Mamori’s Approach: Mamori.io uses a zero-trust approach that assumes your password has already been compromised. Every access is secured by MFA, from accessing the network using Zero Trust Network Access (ZTNA) to accessing the database using our Database Privileged User Access (DB PAM) via SSO. Even certain operations within the database, such as mass deleting data, can be authorized to certain individuals and secured using 2FA.
2. Regular Updates and Patch
Regularly patching and updating the software and operating system on the jump server is the quickest and easiest way to close security gaps against known vulnerabilities and exploits.
Security Risk Mitigated: Outdated Software
Mamori’s Approach: Even if an external threat uses a known vulnerability to compromise your jump server, your critical resources and database can still be protected by database privileged access controls secured by 2FA.
3. Enforce Role-Based Access
Only grant access to those who need access. Enforce role-based access so users have the minimal necessary permissions (least-privileged access). This limits the number of potential attack vectors and reduces insider threats.
Mamori’s Approach: Mamori provides Privileged Access Management (PAM) to limit jump server access to only those who need access. Once the user connects to the database or privileged resource, Mamori provides Database Privileged Access Management (DB PAM) to limit the user’s access to resource, his visibility (eg. data masking) and the types of operations (eg. read, write, delete, etc.) the user can perform onto those resources.
4. Ensure Comprehensive Logging and Monitoring
Comprehensive logging and monitoring allow for the detection of suspicious activities and help with IT audits and compliance. Logging and monitoring also facilitates forensic analysis post-incident, enhancing the overall security posture.
Mamori’s Approach: At Mamori, we believe logging and monitoring is NOT comprehensive if users are able to share accounts. That is why we use a zero-trust approach, where the user, device, location, (and more) needs to be authenticated for access and for certain database operations. Thus, when each session is monitored, logged, and recorded, we ensure that each session can easily be traced back and be used as forensics or incident response.
5. Enforce Strong Password Policies
Strong password policies, such as password complexity, regular changes, and restricting reuse, make it harder for attackers to guess or crack passwords. This strengthens the first line of defense against unauthorized access.
Security Risk Mitigated: Credentials Management and weak passwords
Mamori’s Approach: We encourage the use of strong password policies, but we emphasize on Two Factor Authentication (2FA). That’s because we use a zero-trust approach, where we assume every password is already compromised or will be compromised one day.
6. Segmenting the Network
Jump servers should only have access to select servers. One practice is to isolate the jump server from other parts of the network, which limits the potential damage of the jump server is compromised. Segmenting a network prevents attacks from moving laterally across the network to access other critical systems.
Mamori’s Approach: Mamori uses Zero Trust Network Access (ZTNA) to microsegment a network. The microsegmented network can then be used for the jump server to ensure an isolated, secure environment.
Mamori Adds Two Additional Layers of Security to Your Jump Host
Layer 1: Securing Access to the Jump Server
Mamori ensures that only the right user with the right permission has access to the jump server using the following modules and features:
Zero Trust Network Access (ZTNA) – Before a user gets connects to the network, the user’s device and identity is verified using 2FA. Other security policies, such as access restrictions by IP address, can also be enforced.
Privileged Access Management (PAM) – Once a user connects onto the network, policies set forth in the PAM module will restrict or allow that user’s access to the jump server.
Layer 2: Securing Access from the Jump Server to Your Databases
After a person connects onto a jump server, the following Mamori modules and features ensure that the person can only view, access, and perform operations that is needed to do his job:
Database Privileged Access Management (DB PAM) – Once a user connects onto a database via a jump server, DB PAM will determine what resources the user has access to and what database operations the user can execute.
SQL Firewall – DB PAM can create rules and privileges on what SQL commands a user can run. You can choose to block all SQL commands or allow specific types of SQL commands.
Data Privacy Policies – You can easily create policies such as data masking policies, who has access to which tables, rows, or columns, and how users can work with those data.
Bonus Layer: Controlling Uploads and Downloads from Jump Server
By default, jump servers do not allow you to control uploads and downloads to and from the jump server. When someone needs to upload or download, admins might choose to share passwords, or create a new account with excess privileges that is to be a forgotten account – both of which introduce considerable security risks.
With Mamori’s PAM features, you can set permissions that allow what user(s) is able to upload, download, or do both from the jump server. Permission include having the user request access on-demand, limit access by IP address, or setting a time frame where the user account is granted access. This is another form of securing access that improves both security and workflow efficiency.
Deploy Both Layers Using a Simple Dashboard with No Coding Required
Unlike the configuring a jump server, using Mamori requires no coding. We offer a simple dashboard and user interface that even the most non-technical users can create security policies that can mitigate the security risks of your jump server.
By understanding the benefits and addressing the risks associated with jump servers, you can enhance the security of your network while maintaining efficient, controlled, and secure access to critical systems. If you have further questions or need assistance in securing your jump server, feel free to reach out for a detailed consultation.
SANTA CLARA, Calif., June 26, 2024 — At the 16th Information Security Forum and 2024 RSAC Hot Topics Seminar held on June 7, 2024, Richard Zhao, Chief Operating Officer of International Business at NSFOCUS, presented the new picture of cybersecurity in the post-cloud era with his professional insights. Key Highlights Richard’s speech focused on three […]
Login
By combining their resources and expertise, the CPPA and CNIL aim to tackle a range of data privacy issues, from the implications of new technologies to the enforcement of data protection laws. This partnership is expected to lead to the development of innovative solutions and best practices that can be shared with other regulatory bodies around the world.
As more organizations and governments recognize the importance of safeguarding personal data, the need for robust and cooperative frameworks becomes increasingly clear. The CPPA-CNIL partnership serves as a model for other regions looking to strengthen their data privacy measures through international collaboration. 
Source: X[/caption]
The breached data purportedly includes names of employees, 6,623 unique email addresses, their codes, date of birth, gender, policy name, relationships, dates of joining, effective dates, statuses, and entities.
To substantiate the claim, the threat actor 888 provided a sample of the data breach, which contains details of Credit Suisse employees in India.
[caption id="attachment_79025" align="alignnone" width="1362"]
Source: X[/caption]
The TA, however, did not provide a specific price for the sale of data and has requested potential buyers to quote a figure. The 
Source: 
_Kjetil_Kolbj%C3%B8rnsrud_Alamy.jpg)
_Frank_Herholdt_alamy.jpg)
Source: X[/caption]
The threat actor claims to have accessed 1.2 TB of organization 
Source: X[/caption]
The hackers claimed to have accessed 300 GB of organization data, including personal data, accounting and budget information, financial data, contract data and NDAs, and employee profiles.
Source: Dark Web[/caption]
The 
The threat actor was selling the alleged stolen data for $5,000. The steep price tag could indicate the significant value of the stolen data which is sensitive. _Herr_Loeffler_shutterstock.jpg)
