Researchers from Austria's Graz University of Technology have uncovered a novel side-channel attack called SnailLoad that exploits network latency to infer user activity. SnailLoad is a non-invasive attack technique that could allow attackers to gather information about websites visited or videos watched by victims without needing direct access to their network traffic.

How The SnailLoad Exploit Works

SnailLoad takes advantage of the bandwidth bottleneck present in most internet connections. When a user's device communicates with a server, the last mile of the connection is typically slower than the server's connection. An attacker can measure delays in their own packets sent to the victim to deduce when the victim's connection is busy. [caption id="attachment_79548" align="alignnone" width="1287"] Source: snailload.com[/caption] The attack masquerades as a download of a file or any website component (like a style sheet, a font, an image or an advertisement). The attacking server sends out the file at a snail's pace, to monitor the connection latency over an extended period of time. The researchers decided to name the technique 'SnailLoad' as "apart from being slow, SnailLoad, just like a snail, leaves traces and is a little bit creepy." The attack requires no JavaScript or code execution on the victim's system. It simply involves the victim loading content from an attacker-controlled server that sends data at an extremely slow rate. By monitoring latency over time, the attacker can correlate patterns with specific online activities. The researchers have shared the conditions required to recreate the SnailLoad attack:

• Victim communicates with the attack server.
• Communicated server has a faster Internet connection than the victim's last mile connection.
• Attacker's packets sent to victim are delayed if the last mile is busy.
• Attacker infers website visited or video watched by victim through side-channel attack.

In the related user study detailed in the SnailLoad research paper, the researchers approached local undergraduate and graduate students who volunteered to run a measurement script that employs the SnailLoad attack technique. The researchers took steps to ensure that no personal information had been exposed to information leakage at any point. Furthermore, the researchers had planned to destroy collected traces after the paper had been published and offer students the option to directly request the deletion of traces or exclusion of their traces in the paper's results at any point. The researchers reported the attack technique to Google on March 9 under the responsible disclosure section of their paper, with Google acknowledging the severity of the issue. The tech giant also stated that it was investigating possible server-side mitigations for YouTube.  The researchers shared working proof of concept on GitHub along with instructions and an online demo.

SnailLoad Implications and Mitigation

In testing, SnailLoad was able to achieve up to 98% accuracy in identifying YouTube videos watched by victims. It also showed 62.8% accuracy in fingerprinting websites from the top 100 most visited list. While not currently observed in the wild, SnailLoad could potentially affect most internet connections. Mitigation is challenging, as the root cause stems from fundamental bandwidth differences in network infrastructure. The researchers stated that while adding random noise to the network can reduce the accuracy of the attack, it could impact performance and cause inconvenience to users. As online privacy concerns grow, SnailLoad highlights how even encrypted traffic could potentially be exploited to leak information through subtle timing differences. Further research could be required to develop effective countermeasures against this new class of remote side-channel attacks.

Security experts have identified multiple vulnerabilities in widely used industrial gas chromatographs manufactured by Emerson Rosemount. These flaws could potentially allow malicious actors to access sensitive information, disrupt operations and execute unauthorized commands. Gas chromatographs are critical instruments used for analyzing chemical compounds across a range of industries, including environmental facilities, hospitals, and food processing companies. These devices are critical for ensuring the accuracy of gas measurements and the safety of the environment, patients, and consumers.

Flaws in Emerson Rosemount Gas Chromatographs

Operational technology security firm Claroty discovered the vulnerabilities, which include two command injection flaws and two authentication bypass issues. If exploited, these flaws could enable unauthenticated attackers to run arbitrary commands, access sensitive data and gain administrative control. [caption id="attachment_79530" align="alignnone" width="649"] Source: Wikipedia[/caption] [caption id="attachment_79525" align="alignnone" width="1476"] Emulated system (Source: claroty.com)[/caption] To study the Emerson Rosemount 370XA gas chromatograph, commonly used in industrial settings for gas analysis, the researchers took efforts to emulate the systems. This complex process was undertaken because the physical device could cost over $100,000 while the research was limited to a six-week project. The emulation process involved download and extraction of the device firmware from the official Emerson Rosemount website, and a search for an application that could implements its proprietary protocols. The researchers used the QEMU emulator to emulate the PowerPC architecture used by the gas chromatograph and run the extracted firmware. Upon investigation, the researchers were able to uncover four key vulnerabilities:

• CVE-2023-46687: Allows remote execution of root-level commands without authentication (CVSS score: 9.8)
• CVE-2023-49716: Enables authenticated users to run arbitrary commands remotely (CVSS score: 6.9)
• CVE-2023-51761: Permits unauthenticated users to bypass authentication and gain admin access by resetting passwords (CVSS score: 8.3)
• CVE-2023-43609: Allows unauthenticated users to access sensitive information or cause denial-of-service (CVSS score: 6.9)

The U.S. Cybersecurity and Infrastructure Security Agency issued an advisory in January warning that successful attacks could lead to "denial-of-service conditions" and unauthorized system access. The affected models include GC370XA, GC700XA and GC1500XA running firmware versions 4.1.5 and earlier.

Industry Impact and Mitigation

Gas chromatographs play a crucial role in various sectors, from environmental monitoring to medical diagnostics. Compromised devices could have far-reaching consequences. In food processing, attacks on chromatographs might prevent accurate bacteria detection, halting production. In healthcare settings, disrupted blood sample analysis could impact patient care. Emerson has released updated firmware addressing these vulnerabilities. The Claroty researchers said they "appreciate Emerson for its swift response and cooperation, which demonstrates their dedication to our shared goal." Emerson advises customers to apply the patches and implement best practices in the cybersecurity industry according to current standards. The firm stated, "In addition, Emerson recommends end users continue to utilize current cybersecurity industry best practices and in the event such infrastructure is not implemented within an end user’s network, action should be taken to ensure the Affected Product is connected to a well-protected network and not connected to the Internet. In its advisory CISA shared the following recommendations for securing these systems:

• Minimize network exposure: Ensure that control system devices and/or systems,  are not publicly accessible from the internet.
• Locate control system networks:  Place remote devices behind firewalls and isolate them from business networks
• Secure Remote Access: Use Virtual Private Networks (VPNs) to secure remote access. However, the agency also warned of potential inherent risks in VPNs, asking organizations and businesses to be aware of them.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures," the advisory stated.

A convincing live stream featuring a seemingly-legitimate Donald Trump YouTube channel quickly gained massive traction before the U.S. Presidential debate Thursday, reaching nearly half the number of subscribers as the official Donald Trump YouTube channel before it was taken down. The channel and Trump deepfake urged viewers to donate in cryptocurrency, with promises of substantial rewards in exchange. The video was titled with keywords related to the official Presidential debate between Trump and Biden while sharing a fake promotional website and QR code for donations through Bitcoin, Ethereum, Doge and Tether cryptocurrencies.

Fake Trump Cryptocurrency Promotion Scam Streamed Ahead of Presidential Debate

The timing of the fake live stream coincided with the scheduled debate this week between current U.S. President Joe Biden and former President and challenger Donald J. Trump. Scammers behind the campaign appeared to be taking advantage of actual statements made by Trump supporting cryptocurrency in the past, coupled with a repeated AI-generated video where he sits alongside popular YouTuber Logan Paul to speak about promoting cryptocurrency within the United States if elected. [caption id="attachment_79454" align="alignnone" width="1351"] Screenshot taken from the livestream.[/caption] The fake video appears to stem from an edit of a podcast video where Trump joined the YouTuber to speak on various issues, including the election, U.S. politics, his personal life and his opponent. The edited fake video shared a QR code and website (donaldtrump[.]gives) where viewers could be tricked into making donations. The website incorporates official Trump campaign branding for the 2024 presidential election, sharing instructions for participation in the "unique event," a multiplier to lure visitors with calculations on how much cryptocurrency they would receive in return for their donation, and a "live" feed of ongoing donations made to the shared cryptocurrency addresses. [caption id="attachment_79477" align="alignnone" width="690"] Cryptocurrency addresses involved with the scam[/caption] "During this unique event, you have the opportunity to take a share of 2,000 BTC & 50,000 ETH & 500,000,000 DOGE & 50,000,000 USDT. Have a look at the rules and don't miss out on this. You can only participate once!" the scam website stated. According to details from a WhoIs lookup, the website appears to have been registered on June 27th, the same day as the Presidential debate, using a Russian registrant.

YouTube Channel Connected To Scam Taken Down

The YouTube channel behind this promotion was taken down shortly after a report to YouTube, but the website promoted during the stream still appears to be up and running. The channel was noted to have about 1.38 million subscribers before its takedown, nearly half the subscriber count (2.9 million) for the official Donald J Trump YouTube channel. [caption id="attachment_79462" align="alignnone" width="606"] Email confirmation of Channel takedown[/caption] It is unknown if the live transaction feed featured on the scam website reflects actual real-time transactions. The full extent and the victim count from this cryptocurrency scam is unknown; details of the campaign have been sent to CRIL (Cyble Research and Intelligence Labs) researchers for further investigation. [caption id="attachment_79474" align="alignnone" width="2604"] Screenshot of alleged transactions[/caption] The campaign highlights the threat of Artificial Intelligence content to election-related processes, legitimate campaign donations and impersonation of candidates or well-known figures. In a recent incident, crypto scammers had taken over the YouTube channel of Channel 7 News Australia to use a deepfake Elon Musk to promote dubious crypto investments.

💾

A data security officer from the Manila Bulletin has admitted to hacking 93 websites, including government and private company sites, as well as servers abroad. The hacker, known by the alias "Kangkong," was arrested along with two others by the National Bureau of Investigation (NBI) Cybercrime Division on June 19 following reports of multiple unauthorized access attempts and breaches. Kangkong issued a public apology to President Marcos, the general public, and especially the military community for his actions.

Implications for Philippines National Security

Kangkong's hacking spree exposed significant vulnerabilities in the cybersecurity measures of various organizations. Among the high-profile targets were the peacekeeping operations center website of the Armed Forces of the Philippines, the mail server of the National Security Council, and the Join the PH Army website. The hacker along with two others individuals were arrested by the National Bureau of Investigation (NBI) Cybercrime Division on June 19 after reports of multiple unauthorized access attempts and breaches on websites. [caption id="attachment_79338" align="alignnone" width="1200"] Arrested data officer Kangkong (Source: www.onenews.ph)[/caption] The hacker acknowledged the serious consequences of his actions, including the potential exposure of sensitive data of soldiers to foreign entities. "That's when I realized that we have many enemies and we should not be going against each other," Kangkong stated. The officer revealed in an interview with ABS-CBN that he had left specific pictures on compromised websites as proof of his involvement.

Senior Technology Officer May Be Implicated

In his extrajudicial confession, Kangkong initially implicated Art Samaniego, Manila Bulletin's senior technology officer, as the person who ordered the hacking of several websites. However, he later expressed regret for this claim. Samaniego has denied allegations that he ordered the hacking to boost his social media reach. The NBI Cybercrime Division has issued a subpoena for Samaniego to explain his side to the authorities. Meanwhile, the Manila Bulletin has suspended Samaniego pending an internal investigation. Kangkong also highlighted the inadequate cybersecurity measures in place for government and private companies' websites, stating that this was a key factor in his ability to hack them. He urged organizations to invest in security measures to prevent similar breaches in the future. Kangkong's confession highlights the urgent need for improved cybersecurity measures in the Philippines. He emphasized that inadequate security was a key factor in his ability to breach these websites. "Cybersecurity is not really a priority in the Philippines," he stated, urging organizations to invest in better security measures despite the associated costs.

A newly disclosed vulnerability in Progress MOVEit Transfer has sparked concern among cybersecurity experts due to the lingering memory of high-profile attacks by ransomware gangs using a different vulnerability last year that hit organizations such as the BBC and FBI. The new authentication bypass flaw, officially designated CVE-2024-5806, could potentially allow unauthorized access to sensitive data. MOVEit Transfer, designed for large-scale enterprise use, boasts features compliant with regulations like PCI and HIPAA. It offers various file transfer methods, including SFTP and HTTPS, making it a critical component in many organizations' data management infrastructure. Progress initially kept details of CVE-2024-5806 under wraps, advising customers to patch systems before its disclosure. On June 25th, 2024, Progress officially un-embargoed the vulnerability, revealing that it affects both MOVEit Transfer version 2023.0 and newer, as well as MOVEit Gateway version 2024.0 and newer.

Progress MOVEit Vulnerability Details

WatchTowr Labs was sent details of the vulnerability by a user who identified as 'dav1d_bl41ne' on its IRC channel, an unusual method of vulnerability sharing, the researchers noted. The researchers decided to investigate further, setting up a test environment to replicate the vulnerability. [caption id="attachment_79318" align="alignnone" width="471"] Source: labs.watchtowr.com[/caption] The debugger output from the test environment showed that the server was throwing exceptions and attempting to access files in unexpected ways. Upon further investigation, the researchers discovered that the vulnerability could be exploited by providing a valid file path instead of the SSH public key during authentication. This led to the server attempting to access the file, giving the attacker unauthorized access to the system. The researchers shared the following steps on exploiting the vulnerability:

• Upload a public key to the File Transfer server.
• Rather than supplying a legitimate public key, send a file path to the public key, signing the authentication request with the same public key.
• The key will be accepted by the server with successful login, allowing for the access of target files.

The flaw affects MOVEit Transfer versions 2023.0 and newer, as well as MOVEit Gateway 2024.0 and later. Progress describes it as an "Improper Authentication vulnerability" in the SFTP module that could lead to "Authentication Bypass in limited scenarios." In limited scenarios, CVE-2024-5806 allows for authentication bypass, potentially giving attackers unauthorized access to sensitive files. The vulnerability is particularly concerning because the software is widely used among enterprises, making it a prime target for APT groups, ransomware gangs, and other malicious actors. Progress has shared the following recommendations to prevent exploitation of the flaw:

• Block public inbound RDP access to MOVEit Transfer server(s).
• Limit outbound access on MOVEit Transfer server(s) to only trusted endpoints.

According to a post on X from The Shadowserver Foundation, the foundation has already observed active exploitation attempts using the vulnerability soon after its disclosure. [caption id="attachment_79326" align="alignnone" width="1170"] Source: X.com[/caption]

Implications of the MOVEit Vulnerability

The discovery of this vulnerability soon after major exploitation last year has reignited discussions about the security of file transfer solutions in enterprise environments. The potential for unauthorized access to sensitive files could have far-reaching consequences for the large number of enterprises that rely on MOVEit Transfer. While the full extent of the vulnerability's impact is still being assessed, the incident has sparked more debate about responsible disclosure practices in the cybersecurity community. Some argue that early, private notifications to affected parties are crucial, while others advocate for more transparent, public disclosures to ensure widespread awareness and prompt action. As the situation develops, IT administrators and security professionals are advised to stay vigilant, monitor for any signs of exploitation, and implement recommended security measures to protect their MOVEit Transfer deployments.  

Scammers are exploiting the buzz around the 2024 Paris Olympics to lure victims into investing in initial coin offerings (ICOs). These scams tend to promise big returns on "Olympic" tokens. The campaigns manufacture hype around such offerings through the use of use fake websites, AI-generated images, and social media campaigns to entice investors.

 Olympics Initial Coin Offerings (ICO) Fraud

Researchers from Trend Micro uncovered a recent scheme that claimed to offer an official "Olympics Games Token" for sale. The Olympic Games Token ICO website, theolympictoken[.]com, was registered on March 30, 2024, and its website went live a day later.  The website also links to a legitimate Olympics 2024 logo and a countdown to the event, making it seem like a legitimate project. [caption id="attachment_79264" align="alignnone" width="395"] Source: trendmicro.com[/caption] It linked to a "whitepaper" – a document explaining the project's tech and goals. But that link led nowhere useful. Instead of details, it dumped visitors on the official Olympics website. Red flag number one. A Twitter account and Telegram channel pushed followers to buy tokens ASAP. When the original site got shut down, a near-identical one (olympictokensolana[.]com) popped up under a new name. The researchers spotted at least ten other websites using 2024 Olympics-associated branding to lure victims into ICO scams; some of them were shut down shortly after their discovery.

Use of AI-Generated Images Olympics in ICO Scams

[caption id="attachment_79257" align="alignnone" width="1263"] Source: trendmicro.com[/caption] The researchers remarked that AI-generated images are becoming increasingly common in such ICO scams, as they offer a cost-effective and time-efficient way to create convincing lures. Cybercriminals can use AI to generate text, correct spelling and grammatical errors, and even create sentences in languages they do not speak. [caption id="attachment_79256" align="alignnone" width="384"] Source: trendmicro.com[/caption] The researchers spotted at least three other ICO Olympics scam websites employing the usage of AI-generated imagery for promotion.

Spotting Fake ICO Campaigns

ICOs have gained significant attention as cryptocurrency continues to be adopted in various industries. While most new tokens lack utility and are simply memecoins, it does not always mean they are scams. Investors should be vigilant and look out for potential scams and rug-pulls. A legitimate ICO should have a proper website and social media presence, a transparent team, an active community, a comprehensive whitepaper, legitimacy of claims, token distribution, smart contract audit, and liquidity management. The researchers have shared the following guidelines to help identify such scams:

• Proper website and social media presence: The researchers stated that scam sites are often poorly designed or lack active presence on social media.
• Transparent team: Cross-check the identities and credentials of the teams behind the offering. Anonymity is a red flag.
• Active community: Genuine projects have engaged followers on platforms like Discord, Twitter or Telegram, which suggests genuine interest and support.
• Comprehensive whitepaper: A whitepaper that outlines the project's goals, utility, and technical aspects, which demonstrates a thorough understanding of the project's concept and planning.
• Legitimacy of claims: Claims backed by verifiable evidence, such as partnerships, use cases, and endorsements.
• Token distribution: Avoid projects with highly concentrated token ownership which might increase the chances of exit scams.
• Smart contract audit: Audit by reputable third-parties, which identify vulnerabilities.
• Liquidity management: Liquidity is locked to prevent premature withdrawals and is decentralized among the community, which secures investors' funds.

In the case of the Olympic Games Token, the website raised several red flags such as a very low number of token holders and an invalid whitepaper link. Investors and those interested in cryptocurrency should follow adequate precautions to avoid falling victim to such scams. Experts have been monitoring Olympics-related search engine results and social media activity to counter fraudulent ticketing scams and coordinated disinformation campaigns.

South Korean telecommunications giant KT is under investigation for allegedly hacking the systems of customers who used torrent services such as web hard drives (Webhard), a popular file-sharing service in the country. The scandal, which has been ongoing for nearly five months, has affected an estimated 600,000 customers, with the police investigation revealing that KT may have operated a dedicated malware team.

Malware Infiltrated Systems of Torrenting Subscribers

The incident came to light in May 2020 when numerous web hard drives suddenly stopped working. Users flooded company forums with complaints about unexplained errors. An investigation revealed that malware had infiltrated the "Grid Program," software that enables direct data exchange between users. [caption id="attachment_79121" align="alignnone" width="2800"] Source: mnews.jtbc.co.kr[/caption] The malware, which was designed to interfere with BitTorrent traffic, was allegedly used to monitor and control the internet activities of KT subscribers. The police believe that the motive behind this hacking was to reduce network-related costs, as torrent transfers can be costly for internet service providers. KT, however, claims that it was merely trying to manage traffic on its network to ensure a smooth user experience. KT instead stated that the Webhard services were malicious, however after the the Gyeonggi Southern District Office conducted raids on KT facilities, they believe the ISP may have violated communications and network laws. A police follow-up investigation stated that KT operated a dedicated team responsible for developing, distributing, and operating the malware program. The hacking was traced to  KT's Bundang IDC Center, one of its data centers. Over five months, an estimated 20,000 PCs were infected daily. The malware reportedly created strange folders, made files invisible, and disabled web hard programs.

Legal and Ethical Implications

KT and Webhard companies have a history of conflict, including lawsuits. While a previous court ruled in KT's favor regarding traffic blocking of grid services, the current situation differs significantly. KT was alleged to have planted malicious code on individual users' PCs without consent or explanation. South Korean legal experts question KT's methods, suggesting the company could have pursued formal procedures through its legal team instead of resorting to hacking. The incident raises serious concerns about privacy, corporate responsibility, and the extent to which internet service providers can control network traffic. The scandal has also raised concerns about the security of KT's customers' data, with many wondering what other sensitive information may have been compromised. The company's CEO has since resigned, and the company's reputation has taken a significant hit. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A widespread supply chain attack has hit more than 100,000 websites, including notable platforms like JSTOR, Intuit, and the World Economic Forum. The attack stems from a fake domain impersonating the popular open-source library Polyfill.js, which supports older browsers. In February, the Chinese company Funnull had acquired the domain and GitHub account associated with the project, leading to the injection of malware into sites that embed cdn.polyfill.io. The malicious code is designed to redirect mobile users to sports betting sites or pornographic sites using a fake Google Analytics domain.

Malicious Polyfill Injection and Its Impact

Researchers stated that the injected malware is dynamically generated based on HTTP headers, making it difficult to detect. The Polyfill injection attack is a classic example of a supply chain attack against a widely used library. [caption id="attachment_79097" align="alignnone" width="2454"] At least 104183 websites might be affected. (Source: publicwww.com)[/caption] The compromised Polyfill code dynamically generates malware based on HTTP headers, potentially utilizing multiple attack vectors. Researchers from Sansec decoded one variant that redirects mobile users to a sports betting site using a fake Google Analytics domain. The malware employs sophisticated techniques and defenses against reverse engineering to evade detection, including:

•  Activating only on specific mobile devices at certain hours
•  Avoiding execution when an admin user is detected
•  Delaying activation when web analytics services are present

The attack's scope is significant, with Google already blocking Google Ads for e-commerce sites using polyfill.io. Researchers later reported that their infrastructure had been subjected to DDoS attacks after reporting on the campaign.

Mitigation and Recommendations

Andrew Betts, the original Polyfill author, took to X to advise against the usage of Polyfill altogether, stating that modern browsers no longer require it. He added that he had no influence over the sale of the project and was never in possession of the new domain, and cautioned that websites that serve third-party scripts are a huge security concern. [caption id="attachment_79101" align="alignnone" width="623"] Source: X.com(@triblondon)[/caption] [caption id="attachment_79102" align="alignnone" width="634"] Source: X.com(@triblondon)[/caption] Experts have set up a domain (polykill.io) to warn against the compromise of the project and have recommend the following steps for website owners:

• Immediately and remove usage of cdn.polyfill.io from websites and projects.
• Replace with a secure alternative such as those being offered by Fastly and CloudFlare. Fastly has saved and hosted an earlier version(https://polyfill-fastly.io/) of the project's codebase before its sale to Funnull.

The website cautioned of the risks associated with the takeover of the project:

"There are many risks associated with allowing an unknown foreign entity to manage and serve JavaScript within your web application. They can quietly observe user traffic, and if malicious intent were taken, they can potentially steal usernames, passwords and credit card information directly as users enter the information in the web browser."

CloudFlare had also published its findings and recommendations in response to concerns over the compromise of domains. The company stated in a blog article:

The concerns are that any website embedding a link to the original polyfill.io domain, will now be relying on Funnull to maintain and secure the underlying project to avoid the risk of a supply chain attack. Such an attack would occur if the underlying third party is compromised or alters the code being served to end users in nefarious ways, causing, by consequence, all websites using the tool to be compromised."

This incident serves as a stark reminder of the security implications of relying on external code libraries/third-party scripts and the importance of vigilance in maintaining website integrity, plus the potential malicious takeover of massively deployed projects. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A Microsoft software engineer accidentally published internal PlayReady DRM source code on a publicly accessible developer forum. The 4GB data leak contains sufficient information to compile the required DLL from the source code, potentially opening the door for reverse engineering or cracking of the DRM protection technology. PlayReady, introduced in 2007, is Microsoft's platform-independent digital rights management (DRM) system used for protecting media files. It includes encryption, output protection, and digital rights management features. The leak could have significant implications for the security of this widely-used technology.

PlayReady DRM Internal Code Leak

In early June, a Microsoft engineer had published information about an Apple TV service crash on a Surface Pro 9 device in a public forum. The shared data included a 771MB file attachment that revealed 4GB of internal code related to Microsoft PlayReady upon extraction. [caption id="attachment_79066" align="alignnone" width="1920"] Original Post Before Deletion (Source: security-explorations.com)[/caption] The leaked PlayReady data is said to include: 1. WarBird configurations for creating the PlayReady library 2. WarBird libraries for code obfuscation functions 3. Libraries with symbolic information related to PlayReady [caption id="attachment_79063" align="alignnone" width="1428"] Partial Directory View of Leaked Data (Source: security-explorations.com)[/caption]

HD Keys Could Be Decrypted

Researchers from cybersecurity company AG Security Research Lab managed to successfully build the required Windows PlayReady DLL library from the leaked internal code, aided by step-by-step instructions provided by another user on the same forum. Their investigation uncovered several deficiencies in Protected Media Path (PMP) components of PlayReady, which could be exploited to access plaintext content keys secured by the system on Windows 10 and 11 systems. The researchers demonstrated that these extracted keys could successfully decrypt high-definition movies protected by PlayReady. Notably, the vulnerability persists even on systems with hardware DRM capabilities, as this feature can be easily disabled. The root cause appears to lie in the software DRM implementation used by default on Windows 10 systems without hardware DRM capability. Given that Windows 10 still holds a 69% market share worldwide, this vulnerability could potentially affect a significant number of users until the operating system's retirement in October 2025. The team also demonstrated that the technique used to extract plaintext values of content keys could work for other platforms relying on SW Microsoft PlayReady technology in a Windows OS environment.

Implications and Microsoft's Response

The researchers had notified Microsoft about the leak on June 12, 2024. While Microsoft removed the forum post within 12 hours, the download link reportedly remained active. On June 26, MSRC stated to the researchers that it had conducted an investigation and determined that the incident was not a vulnerability to service as the post had already been taken down. The researchers confirmed that the download link no longer remains active. The incident highlights the ongoing challenges in maintaining the security and secrecy of DRM implementations. It also underscores the importance of adhering to guidelines for handling sensitive information in public forums, as the leak violated Microsoft's own guidelines for posting link reproduction information publicly. These guidelines specify:

• All information in reports and any comments and replies are publicly visible by default.
• Don't put anything you want to keep private in the title or content of the initial report, which is public.
• To maintain your privacy and keep your sensitive information out of public view, exercise caution.

Major Streaming Services Potentially Affected

The same research team had earlier tested Microsoft's Protected Media Path and had discovered several streaming platforms were affected by vulnerabilities within the environment: Canal+ Online, Netflix, HBO Max, Amazon Prime Video, Sky Showtime, and others. DRM protection is crucial to the video streaming industry, which is valued at $544 billion, making this security breach a matter of serious concern. Microsoft reportedly demonstrated interest in a full disclosure of the stated vulnerabilities and technical details along with Proof of Concept over its MSRC channel, offering potential rewards for the disclosure. However, the researchers declined, as they felt a full disclosure would have to include a commercial agreement, would jeopardize their own confidential technology and tools along with future research on the Windows operating system. The researchers also believed that Microsoft should focus on conducting a more comprehensive review of its Protected Media Path environment, which could result in the discovery and fixing of additional issues rather than focusing on a single exploit.   Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The National Health Laboratory Service (NHLS), South Africa's primary diagnostic pathology service for public healthcare facilities, has fallen victim to a cyber attack. The incident, which occurred over the weekend, has forced the organization to shut down its IT systems, including emails, website, and patient lab test results storage and retrieval systems. NHLS CEO Prof Koleka Mlisana confirmed the breach in a memo to staff, describing it as a "suspected incident" that compromised the security of their IT infrastructure. The attack comes amidst an Mpox outbreak that has already overwhelmed the country's healthcare services. However, the extent of the cyberattack has yet to be determined, even as restoration efforts are underway.

Impact on South Africa's National Health Laboratory Service

NHLS Chief Executive Officer Prof Koleka Mlisana informed staff of the incident in a memo, stating that the breach had caused damage and that the organization was treating the matter with extreme urgency and concern. Milsana stated, “I regret to inform you that our IT systems are unavailable due to a suspected incident that occurred over the weekend.” Mlisana assured staff that the organization's Incident Response Team was working around the clock to determine the scope of the intrusion and deploy the necessary safeguards to secure systems and data. The NHLS has implemented its "Downtime Protocol" to minimize disruption to services, prioritizing patients' samples and processing, with results communicated directly to clinicians whenever urgent. The cyber attack comes at a critical time for South Africa's healthcare system. The country is currently grappling with a Mpox outbreak, and the NHLS was already facing a significant backlog in toxicology tests as of March. The shutdown of IT systems is likely to exacerbate these challenges. Mzi Gcukumana, the NHLS Communication, Marketing, and PR officer, disclosed: “Preliminary investigation suggests that our Enterprise Resource Planning (Oracle) environment, Laboratory Information System (LIS) (TrakCare) database, and CDW are not affected. Therefore, no patient data has been lost or compromised. All patient data is safe."

Response and Recovery Efforts

“Please rest assured that our priority focus is on data security. We are determined to solve this issue swiftly and transparently,” Milsana stated to patients. In response to the breach, the NHLS has deployed its Incident Response Team to assess the scope of the intrusion and implement necessary safeguards. Mlisana assured staff that the team is working around the clock to secure systems and data. “I want to take this opportunity to thank you in advance as we all put in our efforts to ensure that disruption to our services is minimised,” Milsana added. The NHLS had determined that that certain sections of its systems, including its backup server were deleted, requiring the rebuilding of affected systems. Gcukumana stated, “All users will be aware that the NHLS networked laboratory system is heavily reliant on these information technology systems that have been disrupted.” He added, “Unfortunately, this will take time, and investigations thus far have not advanced enough for us to give a timeframe for the restoration of our systems and full service. All stakeholders and the public will be informed as soon as more information becomes available.” The National Department of Health, which oversees the NHLS, has been informed of the incident. A spokesperson for the department called for patience as efforts to resolve the issue continue. As the investigation unfolds, the NHLS has promised regular updates on the compromise and ongoing response activities. The organization emphasizes its commitment to data security and swift, transparent resolution of the issue. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Cyble Research and Intelligence Labs (CRIL) researchers have observed the Russia-linked threat actor group UAC-0184 targeting Ukraine with the XWorm remote access trojan (RAT) through the use of Python-related files.

Technical Overview of XWorm RAT Campaign

The campaign begins with a malicious LNK shortcut file, disguised as a legitimate Excel document, which executes a PowerShell script upon execution. The script downloads two files, "pkg.zip" and "NewCopy.xlsx", from a specified URL. The LNK shortcut file then executes "pythonw.exe" using the start command, which duplicates files and stores them in a new folder. The "pythonw.exe" loads a malicious DLL, "python310.dll", through DLL sideloading, injecting shellcode into the MSBuild process. [caption id="attachment_78917" align="alignnone" width="1529"] Source: Cyble[/caption] The hackers use a technique called DLL sideloading, where a malicious library file masquerades as a legitimate one. This allows the attackers to run their code under the guise of trusted software. Additionally, they employ a tool called Shadowloader to inject the XWorm RAT into a running process, further obscuring its presence. The XWorm RAT is then executed, offering a range of capabilities, including data theft, DDoS attacks, and cryptocurrency address manipulation. The malware attempts to connect to a Command-and-Control (C&C) server, but at the time of analysis, the server was inactive, resulting in no observed malicious activities. [caption id="attachment_78919" align="alignnone" width="537"] Source: Cyble[/caption] While the initial infection vector remains unclear, researchers suspect phishing emails may play a role. The intended victim could not be ascertained from accessing the the Excel lure used in the campaign. CRIL researchers had previously observed the UAC-0184 threat actor group employing lures tailored to appeal to Ukrainian targets, often mimicking official government or utility communications.

Protecting Against XWorm RAT

The XWorm RAT malware employed in the campaign is designed to be easily accessible even to to threat actors lacking sophistication and technical expertise. The versatile malware offers several functionalities, including data theft, DDoS attacks, cryptocurrency address manipulation, ransomware deployment, and downloading additional malware onto compromised systems. Cyble researchers have recommended several measures to defend against this campaign:

• Implement strong email filtering to block malicious attachments.
• Exercise caution with email attachments, especially from unknown senders.
• Limit execution of scripting languages where possible.
• Use application whitelisting to control which programs can run.
• Deploy robust antivirus and anti-malware solutions.
• Enforce strong, unique passwords and two-factor authentication.
• Monitor networks for unusual activity or data exfiltration attempts.

The campaign demonstrates UAC-0184's relentless efforts at attacking Ukraine with evasive techniques. The use of the XWorm RAT as the final payload indicates the intent to establish remote access over compromised systems for strategic purposes. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The European Union has extended its sanctions against threat actors after adding six Russian and Ukrainian nationals to its restrictive measures list. These latest sanctions come as part of the EU's ongoing efforts to combat malicious campaigns that threaten its member states and global security. The Council of the European Union adopted the decision to expand sanctions on June 24, 2024, citing the increasing frequency and sophistication of cyberattacks against critical infrastructure and essential services. These attacks, including ransomware, supply chain targeting, and cyberespionage, pose a systemic threat to the EU's security, economy, and society. The sanctions are aimed at preventing, deterring, and discouraging such activities, and are considered a vital instrument in the EU's framework for a joint diplomatic response to malicious cyber activities.

Russian Military Intelligence and FSB Operative Sanctions

The sanctions will take effect following publication in the Official Journal of the European Union. The council document justified the new sanctions as measures in response to the ongoing war between Russia and Ukraine and its resulting cyber activities:

The use of cyber operations that have enabled and accompanied Russia’s unprovoked and unjustified war of aggression against Ukraine affects global stability and security, represents an important risk of escalation, and adds to the already significant increase of malicious cyber activities outside the context of armed conflict over recent years. The growing cybersecurity risks and an overall complex cyber threat landscape, with a clear risk of rapid spill-over of cyber incidents from one Member State to others, and from third countries to the Union, further call for restrictive measures under Decision (CFSP) 2019/797.

Among those sanctioned are Ruslan Aleksandrovich Peretyatko and Andrey Stanislavovich Korinets, both identified as members of the "Callisto group" linked to Russian military intelligence. The group, also known as "Seaborgium" or "Star Blizzard," is accused of conducting multi-year phishing campaigns to steal credentials and data, targeting individuals and critical state functions in defense and foreign relations. Two Ukrainian nationals, Oleksandr Sklianko and Mykola Chernykh, were sanctioned for their involvement in the "Armageddon" hacker group, allegedly supported by Russia's Federal Security Service (FSB). The group was found carrying out cyberattacks against the Ukrainian government and EU member states using phishing emails and malware campaigns.

Wizard Spider Threat Group Members Sanctioned

The EU also targeted two key players in the Russia-based threat group Wizard Spider: Mikhail Mikhailovich Tsarev and Maksim Sergeevich Galochkin. Both are implicated in deploying the "Conti" and "Trickbot" malware programs, which have caused substantial economic damage in the EU through ransomware campaigns targeting essential services such as healthcare, banking and defense. The EU Council has emphasized the need to protect these vital sectors from cyber threats, which can have devastating consequences for individuals, businesses, and societies as a whole. The Council said the sanctions imposed on these six individuals are a clear message that the EU will not tolerate malicious cyber activities that threaten its security, economy, and democracy. The Council document stated:

 "As part of the sustained, tailored and coordinated Union action against persistent cyber threat actors, six natural persons should be included in the list of natural and legal persons, entities and bodies subject to restrictive measures set out in the Annex to Decision (CFSP) 2019/797. Those persons are responsible for, or were involved in, cyberattacks with a significant effect, which constitute an external threat to the Union or its Member States."

The sanctions demonstrate that the EU will continue to work closely with its Member States, international partners, and other stakeholders to address the growing cybersecurity threat landscape escalated by geopolitical tensions. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A recently discovered vulnerability (CVE-2024-27812) in the Apple Vision Pro headset allowed hackers to bypass device security mechanisms and flood user's environments with animated 3D objects – such as spiders and bugs – through a Safari exploit. These objects persisted even after exiting Safari, making for a uniquely unsettling environment. Apple addressed the vulnerability this month after security researcher Ryan Pickren had disclosed the flaw in February, awarding the researcher a bounty. The bug highlights the challenges in securing 'spatial computing' devices.

Spatial Hack in Apple Vision Pro Devices

Apple designed the Vision Pro with strict privacy controls. This includes limiting device apps to a default 'Shared Space' and mandating explicit user consent for more engaging and immersive content. Websites must also obtain explicit user permission to generate 3D content within a user's physical environment. [caption id="attachment_78754" align="alignnone" width="720"] Source: ryanpickren.com[/caption] However, Pickren discovered that the AR Quick Look feature that had been introduced in 2018 for iOS remained active in the visionOS without the implementation of proper safeguards. This oversight allowed websites to manipulate HTML anchor tags to spawn unlimited 3D objects coupled with animations and spatial audio. By adding specific anchor tags to webpages, malicious websites can instruct Safari to render a 3D model, surprisingly without any form of user interaction. "If the victim just views our website in Vision Pro, we can instantly fill their room with hundreds of crawling spiders and screeching bats," Pickren explained. "Freaky stuff," he exclaimed. [caption id="attachment_78758" align="alignnone" width="1168"] Source: ryanpickren.com[/caption] [caption id="attachment_78756" align="alignnone" width="1186"] Source: ryanpickren.com[/caption] The researcher stated that the exploit code is straightforward and that closing Safari doesn't get rid of the 3D objects, as they are handled by a separate application. "To make things even freakier – since these animated files are being handled by a separate application (Quick Look), closing Safari does not get rid of them," Pickren noted. He added, "There is no obvious way to get rid of them besides manually running around the room to physically tap each one."

Bug Reporting and Gaps in Vulnerability Assessment

After trying to disclose the flaw to Apple, the researcher felt the tech giant had downplayed its relation to spatial computing and the generation of 3D objects, instead focusing on the potential for system crashes and reboots. The CVE description claimed that the issue had been addressed by improving the file handling protocol, which the researcher believed was unrelated to the bug. This highlights the challenges of triaging and classifying bugs in emerging fields such as Spatial Computing. The researcher believes the bug's impact goes beyond simple system crashes or reboots, raising questions about the security and privacy of the technology and the need for reevaluating existing threat models. "Perhaps it's time for Apple to re-evaluate their Vision Pro threat model," Pickren suggested. "This is a deeply personal product and classic vulnerability triaging guidelines may not capture the full impact anymore." Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A ransomware attack on Indonesia's national data center has disrupted official government services. The attack has reportedly affected more than 200 government agencies at national and regional levels, and the threat actors claiming responsibility have demanded a ransom of $8 million for a restoration of these systems. A senior official has reported that the government has refused to pay the ransom, instead focusing on restoring services and trying to identify the attackers.

Authorities Have Detected Samples of LockBit 3.0 Ransomware

Samuel Abrijani Pangerapan, director general of informatics applications at the Communications and Informatics Ministry, confirmed that essential services like immigration checks at airports had been disrupted. Long lines were formed at affected airports after automated passport machines were rendered useless. While some of these services have been restored, including the government's immigration services, ongoing efforts are aimed at restoring other critical operations, such as investment licensing. Samuel stated, “We have tried our best to carry out recovery while the (National Cyber and Crypto Agency) is currently carrying out forensics.” The National Cyber and Crypto Agency has detected samples of LockBit 3.0 ransomware, a variant known for encrypting victims' data and demanding payment for its release. PT Telkom Indonesia, an Indonesian multinational telecommunications company, is working with domestic and international authorities and leading the efforts to efforts to break the encryption and restore access to the compromised data. Herlan Wijanarko, the company's director of network & IT solutions, confirmed that the attackers had offered a decryption key in exchange for an $8 million ransom.

Experts Concerned About Indonesia Government Infrastructure Security

Cybersecurity experts warn that the severity of the attack highlights significant vulnerabilities in the government's digital infrastructure and incident response capabilities. Cybersecurity expert Teguh Aprianto described the latest attack as "severe" and notes that it highlights the need for improved infrastructure, manpower, and vendor management to prevent such attacks in the future. Teguh stated, "It shows that the government infrastructure, manpower handling this and the vendors are all problematic." In recent years, Indonesia has faced a series of high-profile cyber attacks, including a ransomware attack on its central bank and a data breach at its largest Islamic lender. The consequences of these attacks can be severe, with victims often forced to pay large sums to regain access to their data. Last year, the LockBit ransomware gang claimed responsibility for an attack on the Bank Syariah Indonesia. Sensitive information of over 15 million individuals had been stolen in the attack, affecting both customers and employees. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

ANY.RUN has disclosed a recent cybersecurity incident in which one of its employees fell victim to a sophisticated phishing attack, potentially compromising sensitive information. ANY.RUN is an online malware analysis environment that helps researchers study and simulate the creation of malware and threat processes in real time. While the full extent of the breach is still under investigation, ANY.RUN affirmed its commitment to transparency and stated that it would provide regular updates on the incident as they work to mitigate potential damage.

ANY.RUN Employee Email Compromise

[caption id="attachment_78600" align="alignnone" width="531"] Source: X.com (@anyrun_app)[/caption] According to a post on X from the company's official handle, the attack originated from a compromised customer account, which had been used to send a convincing phishing email to a staff member. This led to unauthorized access to the employee's email account. Subsequently, the attacker forwarded a phishing message to contacts within the compromised email address book. ANY.RUN stated that it had already notified data controllers of affected individuals and is working closely with them to address any concerns. They emphasized that the compromised employee did not have access to the production environment or any code base, which limits the potential scope of the breach.

ANY.RUN Response and Next Steps

Upon discovery of the incident, ANY.RUN took steps to minimize possible compromise and share details about the incident. An ongoing investigation is being done to determine the full impact of the breach and gather additional details. While the comprehensive report, the company has assured its customers that they are taking the matter seriously. In the coming days and weeks, ANY.RUN would work to: 1. Continue their investigation and analysis of the incident 2. Provide regular updates on their progress 3. Compile a detailed report of their findings The company acknowledges that many questions remain unanswered at this stage. However, they are committed to keeping all parties informed throughout the process. Customers appear to have viewed the effort at communication positively, highlighting it as an example of transparency around cybersecurity incident reporting and disclosure. The incident serves as a stark reminder that even companies working in the cybersecurity industry remain a potential target for attacks. Last year, Okta, a provider of identity and access management software, had suffered a security incident in which attackers had managed to access its support incident management through the use of stolen credentials. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The UK's Sellafield nuclear waste site has pleaded guilty to criminal charges related to various cybersecurity failings in the period spanning 2019-2023. Sellafield admitted it had failed "to ensure adequate protection of sensitive nuclear information on its information technology network." The Sellafield nuclear site has the word's largest store of plutonium and has been used to dispose of waste generated from decades of weapons programs and atomic power generation. Concerns over the nuclear site's cyber defenses have existed for well over a decade.

Sellafield Nuclear Waste Site's Cybersecurity Failings

Concerns over the site's security implementations grew after a 2012 report warned of "critical security vulnerabilities" requiring urgent attention. Due to the extreme sensitivity of the issues, problems were referred to with the codename "Voldemort." While Sellafield stated there has never been a successful cyberattack, revelations of IT failures last year raised alarms. In an investigative report last year, the Guardian uncovered that the site had been attacked by threat actors affiliated with the Russian and Chinese governments. The report found out that the site's authorities were not aware of when Sellafield's systems began to be compromised, but breaches may have gone as far back as the year 2015. In 2015, security experts had realized that Sellafield's computer systems had been compromised by sleeper malware. Sellafield had been earlier forced into “special measures” for regular cybersecurity failings by the UK's Office for Nuclear Regulation (ONR) and security services. The status of the compromised systems are unknown, but may have possibly led to the theft of sensitive information regarding moving of radioactive waste, monitoring for leaks of dangerous material, and fire checks. Sellafield stated that current protections on critical systems are robust, with isolated networks preventing external IT breaches from penetrating operational controls. An ONR spokesperson stated to the Guardian: “We acknowledge that Sellafield Limited has pleaded guilty to all charges," but emphasized that there was no evidence the vulnerabilities led to compromise. A Sellafield spokesman stated in the report, “We have pleaded guilty to all charges and cooperated fully with ONR throughout this process. The charges relate to historic offences and there is no suggestion that public safety was compromised."

Concerns of GMB Trade Union

With attention now focused on improving cyber resilience, officials are working to prevent sensitive materials or dangerous nuclear operations from potential disruption by hackers. Earlier the GMB trade union, which represents tens of thousands of workers across the energy industry, also expressed concerns over the security of Sellafield, with its national secretary Andy Prendergast noting a “lack of training and competence among staff, inadequate safety procedures and a culture of fear and intimidation.” Prendergast added, “GMB has repeatedly raised concerns over safety and staffing levels, which are mainly due to turnover and the age and demographic of the workforce.” Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

CDK Global has disclosed that it experienced an additional cyberattack in the course of its investigation into a cyberattack that occurred earlier in the same week. While limited details are known about the new incident, it may place additional strain on the firm's investigations and its efforts to return to usual operations. The second incident forced several auto dealerships in the U.S. and Canada to come to a near-standstill, with staff stating that the outage could last for days. CDK Global is a multinational corporation that provides software to auto dealerships, with at least 15,000 dealers relying on its offering.

Incident Extends CDK Global Systems Outage

After the initial attack, CDK Global shut down most of its systems on Wednesday, while working to investigate the incident and restore systems. "We are actively investigating a cyber incident.," the company said. "Out of an abundance of caution and concern for our customers, we have shut down most of our systems and are working diligently to get everything up and running as quickly as possible.” Later on the same day, the software firm managed to restore systems involved with its core DMS and Digital Retailing activities. In a statement to the Cyber Express, a spokesman from CDK Global said:

“As we’ve communicated previously, we are currently investigating a cyber incident. Erring on the side of caution, we proactively shut all systems down and executed extensive testing and consulted with external third-party experts. With the work done so far, our core DMS and Digital Retailing solutions have been restored. We are continuing to conduct extensive tests on all other applications, and we will provide updates as we bring those applications back online. Our first priority is always the security of our customers, and our actions reflect our obligation to them as a trusted partner.”

However, this restoration was short-lived, as the firm experienced a subsequent cyberattack on the same day:

“Late in the evening of June 19, we experienced an additional cyber incident and proactively shut down most of our systems. In partnership with third party experts, we are assessing the impact and providing regular updates to our customers. We remain vigilant in our efforts to reinstate our services and get our dealers back to business as usual as quickly as possible.”

According to CNN, sources appeared to confirm that the outage could last for several days in light of the second cyberattack. The CDK Global outage makes information related to sales deals, negotiations and customer appointments inaccessible by salespeople who work at affected dealerships.

Incident Comes Ahead of Summer Sales Season

The incident has caused concerns among dealers who anticipate business during the summer months. “This is where we need systems functioning,” stated Jeff Ramsey, an executive with Ourisman Auto Group which operates various dealerships. This had led to dealers switching to alternative methods to handle sales such as hand-written notes of buyer's orders. Brian Benstock, general manager of Paragon Honda and Paragon Acura, stated, “My selling team can hand-write a buyer’s order.” Companies such as Kia, Toyota and Stellantis and Ford have also been working on alternate ways to handle customer services due to the CDK outage. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A ransomware attack in May against Ascension, one of America's largest hospital chains, has severely disrupted operations and patient care at its more than 140 hospitals across at least 10 states. Doctors, nurses and other clinicians have reported weeks-long outages of key technology systems, medication errors, delays in lab results, and a lack of routine safeguards - lapses they say have put the health of patients at risk. The May 8 cyberattack locked Ascension out of electronic medical records systems, some phones, test and medication ordering platforms, and other tools essential for the coordination of patient care. While Ascension said its clinicians are "trained for these kinds of disruptions," many on the frontlines feel unprepared.

Ascension Hospitals Cyberattack Places Strain on Staff

"I had no training for this," said Marvin Ruckle, a neonatal ICU nurse at Ascension Via Christi St. Joseph in Wichita, Kansas, who nearly gave a baby the wrong dose of medication. Lisa Watson, a critical care nurse who works at the same hospital, says she almost administered the wrong drug to a critically ill patient because she couldn't scan it electronically. "My patient probably would have passed away," she said. Doctors and nurses across Ascension report relying on paper records, handwritten notes, faxes and basic spreadsheets to deliver care - many cobbled together in real time. An ER doctor in Detroit said a mix-up due to paperwork issues led a patient to receive the wrong narcotic and end up on a ventilator. In Baltimore, ICU nurse Melissa LaRue described narrowly avoiding giving an incorrect blood pressure medication dosage due to confusion from paperwork. Several clinicians said errors could threaten their licenses, but patient privacy laws prevented verifying their accounts. Ascension declined to address specific claims but said in a statement it is "confident that our care providers...continue to provide quality medical care."

Ascension Hospitals' Staff Urge Changes

While federal regulations require safeguarding patient data, hospitals currently face no cyberattack preparation or prevention mandates. Experts regard health care as the top target for ransomware attacks, which are rising exponentially. Proposed regulations are pending, but timelines and requirements remain unclear. Nurses and doctors urging reforms at Ascension say cyberattacks should be treated similarly to natural disasters, with contingency plans that account for outages lasting weeks or longer. Many also echoed a plea for more staff support to shoulder the additional workload. "We implore Ascension," one Michigan clinician wrote, "to recognize the internal problems that continue to plague its hospitals, both publicly and privately, and take earnest steps toward improving working conditions for all of its staff." While the Biden administration has pushed for stronger cybersecurity standards in health care, the new requirements are still in development. Meanwhile, hospital industry lobbyists argue mandates could divert resources from cybersecurity efforts. These incidents prove that patients may ultimately pay the price when hospitals fall victim to cybercrime, while staff experience additional burden affecting routine practice and judgement. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The Association of Texas Professional Educators (ATPE) is notifying more than 414,000 of its members that their personal information may have been compromised in a data breach incident that occurred earlier this year. ATPE is largest community of educators in Texas, and aims to elevate public education in the state. The association advocates for Texas educators and provides affordable, high-quality products and services, including legal and educational services. The professional organization for educators said in a recent letter that it detected suspicious activity on its network on Feb. 12 and launched an investigation with the help of a cybersecurity firm.

Association of Texas Professional Educators Data Breach

On February 12, 2024, ATPE detected abnormal activity on its network, which led to a comprehensive forensic investigation. The investigation concluded on March 20, 2024, and found evidence that some of ATPE's systems had been accessed by an unauthorized user. Based on this finding, ATPE reviewed the affected systems to identify the specific individuals and types of information that may have been compromised. The accessed information varied depending on when members joined:

• For those who became members before May 15, 2021, the breach may have exposed names, addresses, dates of birth, Social Security numbers and medical records. Tax Identification Numbers could also possibly have been accessed if employers used them as identifiers.
• For members who received payments from ATPE via ACH transactions, financial account information could also have been accessed.

ATPE said that while it has no evidence that anyone's information has been misused, it is notifying members "out of an abundance of caution and for purposes of full transparency."

Response to Breach Incident and Credit Offering

Since discovery of the breach, ATPE stated that it has taken several steps to secure its systems, including:

• Disconnecting all access to its network.
• Change of administrative credentials.
• Installation of enhanced security safeguards on ATPE's environment and endpoints.
• Restoration of ATPE's website in a Microsoft Azure hosted environment.

The organization said it will continue efforts to mitigate potential harm in the future. ATPE is providing affected members with free credit monitoring and identity protection services for one year through Cyberscout, a company specializing in fraud assistance. Members must enroll by Sept. 15, 2024. Details on how to activate the free services are included in the notification letters sent to members' homes. The association has also advised individuals to remain vigilant for possible incidents of identity theft and fraud, review account statements, and monitor credit reports for suspicious or unauthorized activity. ATPE said it sincerely regrets any concern or inconvenience caused by the incident but remains committed to safeguarding users' personal information. Law firm Federman & Sherwood has announced that it would conduct a separate investigation into the Association of Texas Professional Educators data breach. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Researchers have discovered that various threat actors groups associated with Chinese state-linked espionage have been conducting a sustained hacking campaign targeting telecommunications operators in an unnamed Asian country since at least 2021. The attackers relied on custom malware and tactics tied to several China-linked espionage groups, suggesting Chinese state sponsorship.

Malware Variants Used in Chinese Espionage Campaign

Researchers from Symantec observed the use of several custom malware linked to China-based threat actors, including:

• Coolclient: A backdoor used by the Fireant group that logs keystrokes and communicates with command servers. The campaign utilized a version delivered via a trojanized VLC media player. It is linked to the Fireant group, also known as Mustang Panda or Earth Preta.
• Quickheal: A backdoor associated with the Needleminer group, also known as RedFoxtrot or Nomad Panda. The variant used in the campaign was nearly identical to those documented in 2021. It communicated with a command server at swiftandfast[.]net.
• Rainyday: A backdoor tied to the Firefly group, also known as Naikon. Multiple variants were deployed using trojanized executables to sideload malicious loaders and decrypt payloads. At least one loader variant matched those linked to Firefly in 2021.

The attackers also used a variety of tactics, techniques, and procedures (TTPs) to compromise targets. These included keylogging malware that were possibly custom-developed, and port scanning tools to identify vulnerable systems. They also employed credential theft through the dumping of registry hives and exploited the Remote Desktop Protocol (RDP). Additionally, they used a publicly available tool, Responder, to act as a Link-Local Multicast Name Resolution (LLMNR), NetBIOS Name Service (NBT-NS) and multicast DNS (mDNS) poisoner. Nearly all victims in the campaign were telecoms operators, along with a services company that caters to the telecoms sector and a university in a different country in Asia. The researchers suggested that the campaign may even date as far back as the year 2020.

Campaign Motives and Attribution

The custom malware exclusively used by Fireant, Needleminer and Firefly provides strong evidence that this campaign involves Chinese state-sponsored groups. Firefly has been linked to a Chinese military intelligence unit by the U.S.-China Commission. The level of coordination between the groups involved is unclear but possibilities include independent action, personnel/tool sharing, or active collaboration. The ultimate motives behind the hacking campaign remain uncertain. Potential objectives include intelligence gathering on the telecommunications sector, eavesdropping on voice and data communications, or developing disruptive capabilities against critical infrastructure. To protect against these threats, telecom operators and other organizations should ensure they have the latest protection updates and implement robust security measures to detect and block malicious files. The researchers shared several Indicators of compromise and file hashes to help defenders detect against the campaign. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Researchers have discovered a new phishing campaign that relies on a phishing-as-a-service platform called ONNX Store, available for purchase over Telegram. ONNX Store appears to be a rebranded version of an already existing phishing kit called Caffeine. The kits share infrastructure and are advertised on the same Telegram channels. The phishing campaign targets financial institutions with QR codes embedded in PDF attachments. When victims scan these codes with their phones, they are redirected to fake login pages designed to collect login credentials and two-factor authentication keys.

ONNX Store Enables Theft of Credentials in Real Time

[caption id="attachment_77987" align="alignnone" width="1179"] Source: blog.eclecticiq.com[/caption] ONNX Store offers a  variety of powerful phishing tools designed to support cybercriminals, including custom phishing pages, webmail servers, 2FA cookie stealers, and "fully undetectable" referral services that use trusted domains to direct victims to phishing landing pages. Researchers from EclecticIQ have noticed that threat actors using the ONNX Store phishing kit tend to distribute PDF files as attachments in phishing emails. Impersonating a reputable service, these documents contain a QR code that directs victims to malicious phishing landing pages. This tactic, known as "quishing," takes advantage of the lack of detection or prevention present on employee's personal mobile devices, which are usually left unprotected. The lack of protection on mobile devices also makes it challenging to monitor these threats. The phishing landing pages aim to steal sensitive credentials using the Adversary-in-The-Middle (AiTM) method, which allows for real-time capture and transmission of stolen data without the need for frequent HTTP requests. This makes the phishing operation more efficient and harder to detect. The ONNX Store Phishing Kit uses encrypted JavaScript code that decrypts itself upon page load and includes a basic anti-JavaScript debugger. This adds a layer of protection against phishing scanners and complicates detection. The decrypted JavaScript code then collects the victims' network metadata, including details such as browser name, IP address, and location. The decrypted JavaScript code is designed to steal 2FA tokens entered by the victims. This allows attackers to bypass typical 2FA protection and gain unauthorized access to the victim's account before it expires. Researchers identified similarities in domain registrant and SSL issuer across various infrastructures deployed by the ONNX Store phishing kit. These similarities indicated the use of bulletproof hosting services to host the campaign.

Researchers Believe ONNX Store is Rebranding of Caffeine Kit

Researchers have assessed that the ONNX Store phishing kit is likely a rebranding of the Caffeine phishing kit. This assessment is based on the significant overlaps in infrastructure and advertising on the same Telegram channels. This overlap includes the involvement of the Arabic-speaking threat actor MRxC0DER as the likely developer and maintainer behind the Caffeine kit. [caption id="attachment_77989" align="alignnone" width="1393"] Source: blog.eclecticiq.com[/caption] The rebranding of the platform appears to be focused on improving operational security for malicious actors. The ONNX Store service enables threat actors to control operations through Telegram bots with an additional support channel to assist clients rather than a single web server. This shift in infrastructure and management makes it more challenging to take down the platform's phishing domains. To further increase its resilience, ONNX Store uses Cloudflare services to delay the removal process of its phishing domains. This abuse of Cloudflare's CAPTCHA feature and IP proxy helps attackers avoid detection through the use of phishing web crawlers and URL sandboxes. This practice also hides the original host and makes it more difficult to take down phishing domains. Advertised with slogans like "Anything is allowed" and "Ignore all reports of abuse", these services are designed to support a wide range of illegal activities without the risk of being blocked, creating a safe haven for cybercriminals. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A new threat actor group called Void Arachne is conducting a malware campaign targeting Chinese-speaking users. The group is distributing malicious MSI installer files bundled with legitimate software like AI tools, Chinese language packs, and virtual private network (VPN) clients. During installation, these files also covertly install the Winos 4.0 backdoor, which can fully compromise systems.

Void Arachne Tactics

Researchers from Trend Micro discovered that the Void Arachne group employs multiple techniques to distribute malicious installers, including search engine optimization (SEO) poisoning and posting links on Chinese-language Telegram channels.

• SEO Poisoning: The group set up websites posing as legitimate software download sites. Through SEO poisoning, they pushed these sites to rank highly on search engines for common Chinese software keywords. The sites host MSI installer files containing Winos malware bundled with software like Chrome, language packs, and VPNs. Victims unintentionally infect themselves with Winos, while believing that they are only installing intended software.
• Targeting VPNs: Void Arachne frequently targets Chinese VPN software in their installers and Telegram posts. Exploiting interest in VPNs is an effective infection tactic, as VPN usage is high among Chinese internet users due to government censorship. [caption id="attachment_77950" align="alignnone" width="917"] Source: trendmicro.com[/caption]
• Telegram Channels: In addition to SEO poisoning, Void Arachne shared malicious installers in Telegram channels focused on Chinese language and VPN topics. Channels with tens of thousands of users pinned posts with infected language packs and AI software installers, increasing exposure.
• Deepfake Pornography: A concerning discovery was the group promoting nudifier apps generating nonconsensual deepfake pornography. They advertised the ability to undress photos of classmates and colleagues, encouraging harassment and sextortion. Infected nudifier installers were pinned prominently in their Telegram channels.
• Face/Voice Swapping Apps: Void Arachne also advertised voice changing and face swapping apps enabling deception campaigns like virtual kidnappings. Attackers can use these apps to impersonate victims and pressure their families for ransom. As with nudifiers, infected voice/face swapper installers were shared widely on Telegram.

Winos 4.0 C&C Framework

The threat actors behind the campaign ultimately aim to install the Winos backdoor on compromised systems. Winos is a sophisticated Windows backdoor written in C++ that can fully take over infected machines. The initial infection begins with a stager module that decrypts malware configurations and downloads the main Winos payload. Campaign operations involve encrypted C&C communications that use generated session keys and a rolling XOR algorithm. The stager module then stores the full Winos module in the Windows registry and executes shellcode to launch it on affected systems. [caption id="attachment_77949" align="alignnone" width="699"] Source: trendmicro.com[/caption] Winos grants remote access, keylogging, webcam control, microphone recording, and distributed denial of service (DDoS) capabilities. It also performs system reconnaissance like registry checks, file searches, and process injection. The malware connects to a command and control server to receive further modules/plugins that expand functionality. Several of these external plugins were observed providing functions such as collecting saved passwords from programs like Chrome and QQ, deleting antivirus software and attaching themselves to startup folders.

Concerning Trend of AI Misuse and Deepfakes

Void Arachne demonstrates technical sophistication and knowledge of effective infection tactics through their usage of SEO poisoning, Telegram channels, AI deepfakes, and voice/face swapping apps. One particularly concerning trend observed in the Void Arachne campaign is the mass proliferation of nudifier applications that use AI to create nonconsensual deepfake pornography. These images and videos are often used in sextortion schemes for further abuse, victim harassment, and financial gain. An English translation of a message advertising the usage of the nudifier AI uses the word "classmate," suggesting that one target market is minors:

Just have appropriate entertainment and satisfy your own lustful desires. Do not send it to the other party or harass the other party. Once you call the police, you will be in constant trouble! AI takes off clothes, you give me photos and I will make pictures for you. Do you want to see the female classmate you yearn for, the female colleague you have a crush on, the relatives and friends you eat and live with at home? Do you want to see them naked? Now you can realize your dream, you can see them naked and lustful for a pack of cigarette money.

[caption id="attachment_77953" align="alignnone" width="437"] Source: trendmicro.com[/caption] Additionally, the threat actors have advertised AI technologies that could be used for virtual kidnapping, a novel deception campaign that leverages AI voice-alternating technology to pressure victims into paying ransom. The promotion of this technology for deepfake nudes and virtual kidnapping is the latest example of the danger of AI misuse.  

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has identified numerous vulnerabilities in traditional virtual private network (VPN) solutions that have been exploited in recent high-profile cyber attacks, leading the agency to recommend that organizations adopt new approaches to network access security. CISA has urged businesses to switch to modern approaches like Secure Access Service Edge (SASE) and Secure Service Edge (SSE) to integrate enhanced identity verification, adaptive access controls, and cloud-delivered security. This move would help advance their way on their zero trust journey.

Vulnerabilities in Traditional VPN Systems

CISA has identified several different vulnerabilities in legacy VPN systems can enable broad network compromise if exploited, given their typical lack of granular access controls. While VPNs provide ease of access for employees to connect to remote company applications and external data servers, they also make organizations more susceptible to compromise through various vulnerabilities inherent to typical network design. Recent examples of successful exploitation of VPNs include:

• Vulnerabilities affecting Ivanti Connect Secure gateways (CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893) allowed threat actors to reverse tunnel from the VPN device, hijack sessions, and move laterally across victim networks while evading detection.
• The Citrix Bleed vulnerability (CVE-2023-4966) enabled bypassing of multifactor authentication, allowing threat actors to impersonate legitimate users, harvest credentials, and conduct ransomware attacks.

Compromised user devices connected via VPNs also introduce risks from poor cyber hygiene. And third-party vendors granted VPN access may lack sufficient network segmentation controls and least privilege protections. While some VPNs can enforce firewall policies, not all provide the identity-based adaptive access controls central to zero trust. Software-based VPNs also carry inherent vulnerabilities lacking in hardware-based solutions.

Modern Solutions to Network Access Security

Modern alternatives to VPN-based network access control includes zero trust architecture, SSE, SASE and identity-based adaptive access policies. These solutions provide access to applications and services based on continuous, granular validation of user identity and authorization - rejecting those not explicitly authenticated for specific resources. Zero Trust is a collection of different concepts and ideas that help organizations enforce accurate per-request access decisions based on the principles of least privilege. SSE is a comprehensive approach that combines networking, security practices, policies and services within a single platform. Key capabilities like multi-factor authentication, endpoint security validation, and activity monitoring better secure data in network transit while reducing attack surfaces. Tighter access controls also help secure data at rest by limiting exposure of internal applications. Effectiveness relies heavily on aligning network and infrastructure with zero trust principles like least privilege. Implementing zero trust even partially can greatly enhance protections against threats and data loss. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Two Rhode Island men pleaded guilty to hacking into a confidential federal law enforcement database and using the sensitive information to threaten and extort a victim. Sagar Steven Singh, 20, and Nicholas Ceraolo, 26, were members of a hacking group called “ViLe” that collected victims’ personal data to harass, threaten or extort them in a practice known as “doxxing,” prosecutors said. Victims could pay to have their information removed from or kept off ViLe’s public website.

Breach and Abuse of Federal Law Enforcement Portal

According to the press release, on May 7, 2022, Singh used a stolen password belonging to a police officer to access a non-public, password-protected federal law enforcement portal. The portal, maintained by the U.S. Drug Enforcement Administration (DEA), holds detailed records on narcotics and currency seizures as well as law enforcement intelligence reports with respective state and local agencies. [caption id="attachment_77700" align="alignnone" width="1954"] Source:archive.org[/caption] The next day, Singh told Ceraolo in an online chat that he shouldn’t have accessed the portal and was “no gov official.” Ceraolo then shared the stolen login credentials with others in the ViLe hacking group. Shortly after, Singh used the database to obtain personal information on an individual. He messaged the victim, referred to in court documents as Victim-1, threatening to harm their family if they did not provide login credentials to their Instagram accounts. To prove he had access to sensitive information, Singh included Victim-1’s Social Security number, driver’s license number and home address. He told Victim-1 that through the database portal, “i can request information on anyone in the US doesn’t matter who, nobody is safe.” Singh instructed Victim-1 to sell access to the Instagram accounts and give him the money. His messages implied he would use the information to harm Victim-1’s parents if demands were not met. [caption id="attachment_77699" align="alignnone" width="2186"] Source: dea.gov[/caption] While the court documents focus on the case of Victim-1, the duo also threatened other individuals whose information they had access to for financial gains. According to an earlier report from Vice, the portal that was used by the duo is the EPIC(El Paso Intelligence Center) Portal.

Guilty Pleas Over Actions

Singh and Ceraolo were charged in March 2023 with computer intrusion conspiracy and aggravated identity theft. Singh pleaded guilty to both counts on June 17, while Ceraolo had done so May 30, the U.S. Attorney’s Office in the Eastern District of New York announced. U.S. Attorney Breon Peace condemned the men’s actions as “ViLe,” a reference to the hacking group’s disturbing logo depicting a hanging girl. He stated, “They hacked into a law enforcement database and had access to sensitive personal information, then threatened to harm a victim’s family and publicly release that information unless the defendants were ultimately paid money. Our Office is relentless in protecting victims from having their sensitive information stolen and used to extort them by cybercriminals.” He thanked the HSI's El Dorado Task Force, the Federal Bureau of Investigation and the New York Police Department for assistance in the case. HSI New York Special Agent in Charge Ivan J. Arvelo stated, “The defendants, along with their co-conspirators, exploited vulnerabilities within government databases for their own personal gain. These guilty pleas send a strong message to those that would seek illicit access to protected computer systems." He added, "HSI New York's El Dorado Task Force will continue to work with law enforcement partners to uncover evidence until every member of the ViLe group and similar criminal organizations are brought to justice.” The defendants face two to seven years in federal prison upon sentencing for the case in charges related to conspiring to commit computer intrusion and aggravated identify theft. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

NHS Dumfries and Galloway health authorities have warned that confidential patient data from its systems had been accessed and copied by cybercriminals in February before being published online in early May. The cybercriminals attempted to force the health authorities of the Scottish region to cede to their demands, sharing sensitive details online after failing to extort money.

NHS Dumfries and Galloway Breach

NHS Dumfries and Galloway’s computer systems were breached by hackers in February 2024. The threat actors had accessed and copied confidential patient data including X-rays, test results and communications between health care providers and patients. However, the stolen data had not been deleted or altered on NHS systems and patient care has not been impacted. [caption id="attachment_77683" align="alignnone" width="1084"] Source: nhsdg.co.uk[/caption] On May 6, the criminals made good on threats to publish the data online after NHS Dumfries and Galloway did not meet undisclosed demands. The leaked data includes millions of small, individual files on NHS patients. Authorities said they are prioritizing notifications to vulnerable patient groups that may be at higher risk due to the breach. The NHS Dumfries and Galloway has been working alongside national agencies like Police Scotland, The National Crime Agency, The National Cyber Security Centre and The Scottish Government for advice and direction in investigating the incident. "On behalf of NHS Dumfries and Galloway, I would like to apologise for the anxiety which may have been caused to you due to this situation. We have sought to be as open as possible while adhering to the very explicit guidance we have received from Police Scotland and partner agencies," stated Julie White, Chief Executive of NHS Dumfries and Galloway.

Risks and Recommendations

The Chief Executive of NHS Dumfries and Galloway stated that patients should assume some personal data was likely copied and published. The health authority identified potential risks including identity theft, extortion attempts and anxiety stemming from the data breach. Patients are advised to remain vigilant. NHS recommends patients refrain from opening suspicious emails, clicking unknown links or providing personal information over the phone to unverified parties. Suspicious communications should be reported to Police Scotland immediately. The health authority also advises patients to frequently update passwords and to make them as strong as possible. A helpline and website have been set up to provide information and support relating to the cyber attack. Psychological services are available for those experiencing anxiety regarding stolen personal data. The criminal investigation remains ongoing alongside technology partners to secure NHS systems against future attacks. Patients with additional questions can visit www.nhsdg.co.uk/cyberattack or call the helpline at 01387 216 777, open 9 a.m. to 6 p.m. weekdays and 9 a.m. to 1 p.m. Saturdays. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Researchers that were called to investigate a cyberattack on a large organization in late 2023 have traced the activity to a sophisticated Chinese-linked threat actor group dubbed 'Velvet Ant,' based on tactics and infrastructure. The investigation found that Velvet Ant infiltrated the company’s network at least three years prior to the incident using the remote access trojan PlugX, which granted the threat actors access to sensitive systems across the enterprise environment.

Velvet Ant Campaign Used Evasive Tactics

Researchers from Sygnia disclosed that the attack began with the compromise of the organization's internet-facing F5 BIG-IP appliances, which were running on vulnerable OS versions. These appliances usually occupy a trusted position within network architecture, allowing potential attackers significant control over network traffic while evading most forms of detection. These appliances were used within the organization to manage its firewall, WAF (web application firewall), load balancing, and local traffic . [caption id="attachment_77649" align="alignnone" width="1802"] Source: sygnia.co[/caption] The attackers used known remote code execution flaws to install custom malware on the compromised F5 appliances. To obscure the execution chain, the attackers manipulated file-creation times and used three different files (‘iviewers.exe’, ‘iviewers.dll’ and ‘iviewers.dll.ui’) for deployment of the PlugX malware on affected systems. Once installed, PlugX harvested credentials and executed reconnaissance commands to map the internal network. The hackers then used the open-source tool Impacket for lateral movement across the network. [caption id="attachment_77647" align="alignnone" width="1872"] Source: sygnia.co[/caption] During the initial compromise, the threat actor compromised both modern workstations and legacy Windows Server 2003 systems. On modern endpoints, the hackers routinely tampered with the installed antivirus prior to deploying additional tools. This careful targeting of security controls demonstrates Velvet Ant’s operational maturity. However, the focus on legacy platforms ultimately assisted the hackers in evading detection. The researchers identified the placement of 4 additional malware programs on compromised F5 appliances:

• VELVETSTING - This program was configured to connect to a remote server located in China to check for encoded commands on an hourly basis. Once commands were received, the program would execute them via a Unix shell.
• VELVETTAP - Malware seems to have been monitoring and capturing data from the F5 internal network interface.
• SAMRID - This software has been identified as a publicly available tunneling program that had previously been utilized by Chinese state-sponsored groups. While dormant during the researcher's investigation, it may have provided the attackers remote access.
• ESRDE - This backdoor works similarly to VELVETSTING, running commands delivered from an external server. It was also inactive at the time of analysis.

The VELVET programs were set up to restart upon reboot of compromised F5 appliances. These additional malware payloads were likely intended to provide attackers with multiple backdoors even after the discovery and removal of the initial malware. Each infection had been carefully established to resist removal various and facilitate additional infiltration.

Organizations Systems Were Reinfected Upon Malware Removal

After an extensive incident response operation apparently eliminated the threat actor’s access, researchers detected a PlugX reinfection on clean hosts again a few days later. Further analysis found that the new version of PlugX lacked an external command and control server. Instead, the malware was configured to use an internal file server for command and control. This adaptation blended malicious traffic with normal internal communications, helping Velvet Ant operate undetected. While the attack was eventually contained, its sophistication and persistence highlight the challenges defenders face against advanced persistent threats (APTs). The researchers stated that they could not rule out the possibility of the campaign being a ‘false-flag’ operation by a different APT group. However, the PlugX malware has previously been associated with other China-linked APTs. The researchers have shared several recommendations as well as indicators of compromise (IOCs) on their blog. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Globe Life disclosed a recent cybersecurity incident that may have resulted in unauthorized access to its consumer and policyholder information. Globe Life is a Texas-based insurance holding company. It offers life, health, and worksite insurance products and services to consumers nationwide through its subsidiaries. The company has over 3,600 employees and also owns several insurance providers like Liberty National, United American and Family Heritage Life. The company had also been accused of shady financial tactics and business operations by short sellers Fuzzy Panda Research and Viceroy Research, allegations the company has denied.

Globe Life Breach Discovery and Containment

According to Globe Life's filing with the SEC, the company had conducted a security review on one of its web portals to discover potential vulnerabilities that may have affected its access permissions and user identity management. The investigation was prompted by a legal inquiry from a state insurance regulator on June 13, 2024. The review revealed that an unauthorized party may have accessed the company's web portal, compromising sensitive customer and policyholder data. The company stated that it had immediately revoked external access to the affected portal upon breach discovery. Globe Life said that at this stage, it believes the security issue is isolated to the one web portal. All other company systems remain fully operational. Globe Life added that it expected minimal impact to its business operations after the take down of the affected web portal. The company has activated its cybersecurity incident response plan and engaged external forensics experts to investigate the breach's scope. In its SEC filing, Globe Life disclosed that the investigation remains ongoing. The full impact and nature of the incident are unclear at the moment.

Incident Comes After Scrutiny Over Business Tactics

The company said it has yet to determine if the breach qualifies as a reportable cybersecurity incident under the SEC's disclosure rules. The disclosure comes amidst increasing scrutiny and financial setbacks suffered by the company. The Texas-based insurer has faced allegations of fraudulent sales tactics and other business and workplace improprieties. The short sellers Fuzzy Panda Research and Viceroy Research had made these allegations public in April 2024. While the company has continued to deny these claims, its share price has dropped by 24% since the publication of the Fuzzy Panda report. The reports claimed that Globe Life and its biggest subsidiary, American Income Life (AIL), had engaged in insurance fraud, framing of policies for dead and fictitious individuals, withdrawal of consumer funds without approval, unfair dismissal, misleading sales tactics and illegal kickbacks. They also alleged that some of AIL's most profitable agents had faced accusations of kidnapping, assault and child grooming from defendants, witnesses and plaintiffs. It remains unclear if the state insurance regulator contact that led to the breach discovery is related to these allegations. Insurers like Globe Life are regulated at the state level rather than federal level. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The UK, US and Canada have accused Russia of an elaborate plot to interfere in Moldova’s upcoming presidential election and referendum on EU membership. The allegations came in a joint statement released on the opening day of the G7 summit, pointing to a far-reaching campaign of political meddling by Moscow. The three nations claim Russia is actively spreading disinformation to 'undermine Moldovan democratic institutions' and 'degrade public confidence' in the government ahead of the votes on October 20th. Specific targets include President Maia Sandu and her pro-Western administration, which has strongly backed Ukraine in the Russia-Ukraine conflict.

Kremlin Actors Seeking to Discredit Moldova's Leaders

According to a statement from the U.S. Embassy in Russia, Russian threat actors are aggressively distributing propaganda to “foment negative public perceptions” of President Sandu. This involves fabricating electoral irregularities while also aiming to incite protests if the incumbent president is re-elected. The plot dates back years, with the Kremlin providing support to fugitive Moldovan businessman Ilan Shor. Shor had previously been sentenced to 15 years in prison in connection with the disappearance of $1 billion from Moldovan banks in 2014. All three countries had issued sanctions on Shor for his connection to the incident. The statement singled out Russian state-television channel RT for providing several years of support to Shor. The UK, US and Canada claim they have already shared detailed evidence with Moldovan authorities to enable further investigation and disruption. They also state they will continue backing Moldova with a range of support measures as it deals with Russian interference and fallout from the Ukraine war.

All Three Countries Announce Support at G7 Summit

The three nations expressed confidence in Moldova's ability to manage these threats linked to Russian interference. They have taken several measures to support Moldova's efforts, including:

• The sharing of detailed information with Moldovan partners to investigate, thwart, and put a stop to the Kremlin's plans.
• Increasing accountability and punishment for individuals and entities involved in covertly financing political activities in Moldova through sanctions and potential further actions.
• Strongly supporting Moldova's democratic, economic, security, and anti-corruption reforms, as well as its deepening European integration.

The three nations affirmed their support deepening ties between Moldova and the EU. President Sandu is widely perceived as a firmly pro-Ukranian and pro-Western leader since her election in 2020. In reaction, the Kremlin appears intent on preventing her re-election in order to install a more Russia-friendly president. By publicizing the interference plot, the Western allies hope to deter Moscow while urging respect for Moldovan sovereignty and free, fair elections. However, with under five months until the votes, concerns remain high over Russia's determination to influence election results. "We will continue to stand with all of our friends, partners, and Allies in defense of our shared democratic values and freedoms," the statement read. The U.S. embassy's statement also highlighted the surrounding threat to elections in 2024, a year in which "hundreds of millions of people across Europe and North America go to the polls to select their leaders in European, national, regional, and local elections."

Russia Is a Threat to Election Security: Researchers

An earlier report from Mandiant in April suggested that Russia presented the biggest threat to election security in the United States, United Kingdom and European Union. “Multiple Russian groups have targeted past elections in the U.S., France, and Ukraine, and these groups have continued to demonstrate the capability and intent to target elections both directly and indirectly,” the report stated. Experts also fear Russian attempts at spreading disinformation or influencing public opinion on non-election events such as the upcoming 2024 Summer Olympics in Paris. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

As anticipation builds for the upcoming Paris 2024 Summer Olympic Games, security researchers and officials have observed an uptick in scams abusing legitimate Olympics branding. French Gendarmerie officials discovered over 300 bogus ticketing sites aiming to steal money and personal information by deceiving individuals who are in a hurry to book tickets for the events. Recent research investigates a prominent example (paris24tickets[.]com) from these websites. The site appears among the top paid results in Google searches and promotes itself as a secondary marketplace for sports and live events tickets.

Website Incorporates Official Paris 2024 Summer Olympic Games Branding

The 'paris24tickets[.]com' website appeared professional and legitimate at first glance. The site advertised itself as a “secondary marketplace for sports and live events tickets,” and was displayed as the second result among sponsored Google search results for 'paris 2024 tickets.' It allowed visitors to navigate through upcoming Olympic events, select event specific tickets, and enter payment information. Its polished design resembled that of trusted ticketing platforms, along with the official Olympics ticket purchase site. Proofpoint researchers warned that the website was entirely fraudulent despite its authentic look and feel. The site was likely collecting users’ financial and personal information rather than actually processing ticket orders. The researchers acted swiftly to suspend the misleading domain upon its discovery. [caption id="attachment_77366" align="alignnone" width="2800"] Impersonating domain 'paris24tickets[.]com' (Source: archive.org)[/caption] [caption id="attachment_77365" align="alignnone" width="2800"] Official Olympics Ticketing Site (Source: https://tickets.paris2024.org)[/caption] The researchers noticed that in some cases, the scammers even sent emails promising "discounts" on coveted tickets to victims. This tactic was likely done to lure unsuspecting individuals, who may have been desperate to secure tickets at lower costs. Victims who have provided their personal or financial information on the fraudulent website risk having their identities and money stolen. The scammers behind these websites may also collect important personal data, such as names, contact information, and credit card details, for sale or further malicious campaigns.

French Gendarmerie Nationale Reported the Discovery of 338 Scam Sites

The 'paris24tickets[.]com' website represents just a tiny fraction of a much broader network of fraudulent Olympics domains. The French Gendarmerie Nationale had identified approximately 338 such websites since March 2023, and made subsequent efforts to shut them down; 51 of these sites were stated to have been closed while 140 of them were put on notice. The fraudsters behind these scams likely rely on sponsored search engine ads and targeted emails to drive traffic to impersonating websites. Offers of special deals and discounts are further lures to draw-in potential victims. [caption id="attachment_77367" align="alignnone" width="1000"] Source: Shutterstock[/caption] 200 French gendarmes had been mobilized as a distinct unit to monitor the internet and various different social networks for Olympics ticketing-related fraud and mass resales, under the direction of the Europol. These units work along with the DGCCRF (Directorate General for Consumer Affairs, Competition and Fraud Prevention) in France. Captain Etienne Lestrelin, director of operations at the unit, told France Info radio that social media such as Facebook, Leboncoin, Telegram and Instagram were often “the primary source of resale attempts.” He added, “This is an exchange from individual to individual. Except that the buyer does not know if the person really owns the tickets, since they are virtual tickets, not tickets paper. So people are selling you wind, we don't know what they're selling." Lestrelin advised that tickets sold at too low of a price can alert potential buyers: "You will never have a ticket below its original cost. The goal of people who were able to buy tickets in volume and with the intention of reselling them, it is to make a profit So it is an alert if you find a much cheaper ticket. The sentence to remember is that there is no. very good deals on the internet, it's not possible." He instructed that it was also not possible to own a ticket before the event begins and QR Codes are generated. Anyone who claims to be currently in possession of a ticket, or owns tickets that seem visually legitimate, is still a fraud. He warned buyers to be vigilant about buying such tickets outside of official sources because it can also be an offense. "You are associating yourself with the offense that the seller commits when he resells without going through the official website. This is a criminal offense," he stated. To validate purchases, buyers can cross-check provided references with the official Paris 2024 Summer Olympic Games application. Buyers who suspect that they may have been duped can report to a police station, a gendarmerie or the DGCCRF. Legitimate ticket purchases can be made through the official ticketing website or official sub-distributor network.

A significant data breach has exposed the private information of more than 1,200 Baw Baw Shire residents who contacted customer service after-hours over a nearly two-year period, the Baw Baw Shire council revealed. The breach occurred at OracleCMS, a third-party call center contracted by the council to field inquiries outside normal business hours. It reportedly does not impact the council's own systems and databases.

Over 1,200 Baw Baw Shire Residents Affected

The exposed information includes customer contact details and call notes—dates from June 2014 to January 2016 when customers rang the council hotline during evenings, weekends and holidays. Calls made during the specified period had been automatically forwarded to OracleCMS call agents. It remains unclear precisely how the contractor failed to protect confidential constituent information or when the company first discovered the breach. Upon learning of the breach earlier this month, Baw Baw officials urgently contacted every affected resident—over 1,250 in total—through SMS messages and personal calls to vulnerable groups like the elderly. While the breach did not infiltrate Baw Baw's systems directly with the council's own systems, it represents a alarming security gap by a third-party vendor given access to constituents' sensitive information.

OracleCMS Provider Implicated in Other Breaches

Authorities are currently investigating the incident, which may have also impacted other clients of the Australia-based company. OracleCMS provides outsourced contact center services for an array of local governments and organizations. OracleCMS had previously been implicated in a long list of data breaches affecting several different cities in Australia. According to some official press release statements, OracleCMS appeared to initially downplay the incident. An earlier release from Merri-bek City Council stated:

OracleCMS informed Council in April that there had been a cyber security incident where identifiable information of customers had been compromised. Until last week we were informed that Council’s customer data was not involved. Council has now been informed that the OracleCMS data breach does include records of calls handled by OracleCMS on Council’s behalf. We take the privacy of our customers very seriously and we are taking urgent action to address this issue.

The OracleCMS data breach also affected some businesses such as several entities belonging to Nissan in the Australia and New Zealand region, such as Nissan Financial Services Australia Pty Ltd, Nissan Motor Co. Pty Ltd, Nissan Financial Services, New Zealand Pty Ltd and Nissan New Zealand Ltd.

OracleCMS subsequently suffered a data breach, which it was alerted to on 15 April 2024. This separate incident resulted in certain data which was held by OracleCMS, including the summary information Nissan provided to OracleCMS, being compromised and published on the dark web.

As cyberattacks surge, some have questioned whether outsourcing critical customer service channels renders individuals and businesses more vulnerable to data theft. The incident serves as reminder for governments and organizations to lock down vulnerabilities present in third-party vendors or tools while conducting regular security audits. Residents with concerns regarding the breach may contact Baw Baw Shire Council’s customer service line at +61 3 5624 2411. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The Toronto District School Board is investigating a recent ransomware attack that affected its testing environment. The Toronto board is Canada's largest school board, serving approximately 238,000 students across 600 schools in the city of Toronto. The board stated that it had taken immediate action and launched an investigation upon becoming aware of possible intrusion.

Toronto District School Board's Investigation Underway

The school board stated that the incident had affected its testing environment, which had been used to evaluate new technology and programs before being deployed on systems. The board's cybersecurity team had taken immediate action upon discovering the incident, securing systems and preserving data. The Toronto District School Board had notified details of the incident to the Toronto police and the Information and Privacy Commissioner of Ontario. [caption id="attachment_77136" align="alignnone" width="2800"] Source: www.tdsb.on.ca[/caption] In its letter of notification sent to parents and guardians, the Toronto District School Board stated that it had launched an investigation with the aid of third-party experts to fully assess the nature and scope of the incident. This includes potential compromise of its networks or breach of sensitive personal information. [caption id="attachment_77137" align="alignnone" width="1770"] Source: www.tdsb.on.ca[/caption] The letter added, "If it is determined that any personal information has been impacted, we will provide notice to all affected individuals. We understand that news of a cyber incident is concerning, but please know that we are doing everything possible to learn more about what occurred and address this situation.

Impact Unknown; More Details Expected Soon

Despite the attack, the district school board's systems remained fully operational and functional. While only the school's testing environment had been affected, Humber College cybersecurity expert Francis Syms remained concerned over the incident, as personal information is sometimes used on test environments. He added that test environments are usually not secured by multifactor authentication, potentially making data easier to access. However, he admitted that he was not aware of the testing system being used, as he was not part of the investigation team. The Toronto District School Board did not clarify whether the testing environment or its data contained any personal information. Ryan Bird, a spokesperson from the school district board, disclosed to CityNews Toronto that the full extent of the breach was unknown, or if any personal data had been compromised in the attack, but further details would be revealed by the end of the day. The Cyber Express team has reached out to the Toronto District School Board for further details and investigation results, but no responses have been received as of yet. Toronto's cybersecurity defenders have observed an uptick in cyberattacks in recent years, from both financially-motivated hackers and 'hacktivists' disrupting public systems. Some attacks occur during sensitive times such as elections, global conflicts, or visits by foreign leaders. However, ransomware attacks remain the most common form of attacks. City officials have been working with several agencies to rebuild trust in the safety of public systems and services. Charles Finlay, Toronto resident and executive director at Rogers Cybersecure Catalyst, had earlier stated to the Toronto Star, “I think the city has to be more forthcoming about what it is doing to ensure that those services are secure from cyber-attacks.” The City had witnessed several attacks on its public institutions such a Cl0p ransomware intrusion into the  City of Toronto's computer systems as well as an attack last year on the Toronto Public Library's computer systems. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert about a recent impersonation scam in which scammers posed as its representatives and employees. Fraudsters in the campaign may extort money in various ways, such as bank transfers, gift cards or cryptocurrency payments.

CISA Impersonation Scam

The spammers behind the campaign make phone calls to victims in which they claim to be contacting targets on behalf of CISA; they then ask victims to share personal information or money under the guise of protecting their accounts from unauthorized activity. Fraudsters may also direct victims to download additional software or click on links to "verify" their identity. However, CISA confirmed that it would never make such demands. "CISA staff will never contact you with a request to wire money, cash, cryptocurrency, or use gift cards and will never instruct you to keep the discussion secret," CISA warned. Possible red flags to watch out for:

• Unsolicited phone calls that claim to be from CISA.
• Callers requesting personal information, such as passwords, social security numbers, or financial information.
• Callers demanding payment or transfer of money to "protect" your account.
• Callers creating a sense of urgency or pressuring you to take immediate action.

If you're targeted by a CISA impersonation scam, here's what you should do:

• Do not pay the caller.
• Take record of  the numbers used.
• Hang up the phone immediately while ignoring further calls from suspicious numbers.
• Report the scam to CISA by calling (844) SAY-CISA (844-729-2472).

FTC Observes Uptick in Impersonation Scams

The CISA impersonation scam is a recent example of the rise in impersonation fraud targeting both businesses and government agencies. According to the latest data from the Federal Trade Commission (FTC), the number of such scams has increased dramatically in recent years, and cost consumers more than $1.1 billion in 2023 alone. The FTC report showed that in 2023, the agency received more than 330,000 reports of fraud posing as a business and almost 160,000 reports of fraud posing as a government. Collectively, these incidents account for almost half of all fraud cases reported directly to the FTC. "The financial injury is breath-taking – and cash-taking," the FTC quipped in its Spotlight. It further added, "Reported losses to impersonation scams topped $1.1 billion in 2023, more than three times what consumers reported in 2020." While fraudsters employ various types of scams, the FTC noted that the below types accounted for nearly half of the reported/observed scams in 2023:

1. Copycat account security alerts: Scams that pretend to impersonate legitimate services such as Amazon while purporting to be about unauthorized activity or charges to their account.
2. Phony subscription renewals: Usually email notices that alert targets of auto-renew charges to various online services.
3. Fake giveaways, discounts, or money to claim: Fake rewards or winnings that claim to originate from legitimate providers such as internet providers or large retailers.
4. Bogus problems with the law: Scammers try to deceive targets into believing that their identity had been used to commit heinous crimes such as money laundering or the smuggling of drugs.
5. Made-up package delivery problems: Messages that alert you of fake delivery problems with legitimate delivery services such as the U.S. Postal Service, UPS, or FedEx.

To avoid such scams, the FTC has advised consumers to not click on unexpected links or messages, avoid scenarios where gift cards are offered as an option to fix problems, and scrutinize urgent offers and claims. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Kaspersky researchers discovered widespread vulnerabilities in biometric terminals developed by ZKTeco, which are known to be deployed internationally. These flaws could be exploited by threat actors to bypass authentication, steal sensitive data, and even gain full control over affected terminals. The vulnerabilities pose a major risk, as these biometric terminals are often white-labeled to be sold under various brand names by multiple distributors. They are also widely used in high-security/sensitive environments, such as nuclear power plants, chemical plants or hospitals while storing thousands of facial templates.

Vulnerabilities in ZKTeco Biometric Terminals

Biometric terminals see multiple uses aside from their primary purpose of acquiring biometric data such as fingerprints, voices, facial features, or irises. They can be connected to other scanners to support alternative authentication methods, or be deployed as a means of ensuring employee productivity or to reduce fraud. These devices see increasing usage in confidential facilities such as power plants, executive suites or server rooms. ZKTeco biometric terminals support facial recognition(with the ability to store thousands of face templates), password entry, electronic pass, and QR codes. Researchers conducted several tests to assess the security and reliability of these devices, finding 24 different vulnerabilities that may be exploited by threat actors in real attack scenarios on confidential facilities:

• 6 SQL injection vulnerabilities
• 7 buffer stack overflow vulnerabilities
• 5 command injection vulnerabilities
• 4 arbitrary file write vulnerabilities
• 2 arbitrary file read vulnerabilities

The researchers grouped some of the more critical vulnerabilities present in these devices by their attack type:

• Physical Bypass via Fake QR Codes CVE-2023-3938 allows cybercriminals to perform a SQL injection attack by injecting malicious code into access strings. This could allow them to gain unauthorized entry to restricted areas.
• Biometric Data Theft and Backdoor Deployment The CVE-2023-3940 and CVE-2023-3942 vulnerabilities could give attackers access to sensitive user data and password hashes stored on the device. Additionally, CVE-2023-3941 could allow them to remotely alter device databases, allowing them to potentially add unauthorized individuals into systems or create a backdoor.
• Remote Code Execution The CVE-2023-3939 and CVE-2023-3943 flaws enable the execution of arbitrary commands or code on the device, effectively giving attackers full control and the ability to launch further attacks on the wider network.

Georgy Kiguradze, Senior Application Security Specialist at the cybersecurity firm, expressed concern over the risks posed by these vulnerabilities in real scenarios, risks posed by deepfake and social engineering tactics, and the urgency of immediately patching these vulnerabilities. He stated:

“The impact of the discovered vulnerabilities is alarmingly diverse. To begin with, attackers can sell stolen biometric data on the dark web, subjecting affected individuals to increased risks of deepfake and sophisticated social engineering attacks. Furthermore, the ability to alter the database weaponizes the original purpose of the access control devices, potentially granting access to restricted areas for nefarious actors. Lastly, some vulnerabilities enable the placement of a backdoor to covertly infiltrate other enterprise networks, facilitating the development of sophisticated attacks, including cyberespionage or sabotage. All these factors underscore the urgency of patching these vulnerabilities and thoroughly auditing the device's security settings for those using the devices in corporate areas.”

Mitigating Risks to Biometric Terminals

The researchers stated that they had disclosed all information about the discovered vulnerabilities to ZKTeco, but lacked accessible data on whether these vulnerabilities had been patched. The researchers have shared the following recommendations to protect these biometric terminals from attacks in the meanwhile:

• Isolate biometric reader usage into a separate network segment.
• Employ robust administrator passwords and change default ones.
• Audit and fortify the device's security settings, including enabling temperature detection.
• If feasible, minimize the use of QR code functionality.
• Regularly update the device's firmware.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A resident of Moreton Bay, Australia was shocked to discover that the private information of several resident ratepayers in the region, including their friends and neighbors, had been accidentally published on the Moreton Bay council's official website. The leaked information included names, residential addresses, email addresses, and phone numbers, as well as resident complaints to the council and details about council investigations.

Data Breach Discovered By Local Resident

City of Moreton Bay resident Piper Lalonde, who works as a data analyst, had discovered the breach along with her husband. They were shocked to learn that their personal information was freely available on the council's customer request online portal. The couple had discovered that the information included their phone numbers,  complaints, and requests that they had made for new bins, along with the GPS coordinates of where the requests had been filed. A further investigation into the breach had revealed that the personal information of some of their friends and neighbors who were fellow ratepayers were also available in the records after they conducted a search. Piper reported this information to the council, with the website being taken down the next day. However, she was still unsatisfied with the lack of notification about the incident to impacted residents. Piper stated, "I would expect they'd have to send out some formal communication letting people know their information was publicly accessible, but there was no indication they were going to do that." She expressed concern about the possibility of people stumbling upon complaints made about them by other residents. She added, "If this gets in the wrong hands — it just takes one person to see a complaint about them, and who knows what they'll do."

City of Moreton Bay Responses to Data Breach

After Piper's report, the website was said to be taken down. The site appears to be functional as of now, with some functions still limited. The website includes an official notice in response to the incident. [caption id="attachment_76878" align="alignnone" width="2204"] Source: moretonbay.qld.gov.au[/caption]

We are experiencing system difficulties with our customer request portal. Our third-party provider is investigating a possible information breach. The cause is yet to be determined but there is no indication this is a cyber attack. We will never contact you via unsolicited calls to request sensitive information. No action is required from you at this stage. We will continue to keep you informed.

The notice appears to indicate that the breach stemmed from a third-party provider. The Cyber Express team has reached out to the Moreton Bay Council's Privacy Officer for further information on the breach, however no response has been received as of publication time. The potential scale of the data breach, as well as its impact on residents, is currently unknown. It is also unclear on how many individuals may have accessed the available data before the website had been temporarily taken down and subsequently limited. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

In a bold attempt to redefine cloud security and privacy standards, Apple has unveiled Private Cloud Compute (PCC), a groundbreaking cloud intelligence system designed to back its new Apple Intelligence with safety and transparency while integrating Apple devices into the cloud. The move comes after recognition of the widespread concerns surrounding the combination of artificial intelligence and cloud technology.

Private Cloud Compute Aims to Secure Cloud AI Processing

Apple has stated that its new Private Cloud Compute (PCC) is designed to enforce privacy and security standards over AI processing of private information. For the first time ever, Private Cloud Compute brings the same level of security and privacy that our users expect from their Apple devices to the cloud," said an Apple spokesperson. [caption id="attachment_76690" align="alignnone" width="1492"] Source: security.apple.com[/caption] At the heart of PCC is Apple's stated commitment to on-device processing. When Apple is responsible for user data in the cloud, we protect it with state-of-the-art security in our services," the spokesperson explained. "But for the most sensitive data, we believe end-to-end encryption is our most powerful defense." Despite this commitment, Apple has stated that for more sophisticated AI requests, Apple Intelligence needs to leverage larger, more complex models in the cloud. This presented a challenge to the company, as traditional cloud AI security models were found lacking in meeting privacy expectations. Apple stated that PCC is designed with several key features to ensure the security and privacy of user data, claiming the following implementations:

• Stateless computation: PCC processes user data only for the purpose of fulfilling the user's request, and then erases the data.
• Enforceable guarantees: PCC is designed to provide technical enforcement for the privacy of user data during processing.
• No privileged access: PCC does not allow Apple or any third party to access user data without the user's consent.
• Non-targetability: PCC is designed to prevent targeted attacks on specific users.
• Verifiable transparency: PCC provides transparency and accountability, allowing users to verify that their data is being processed securely and privately.

Apple Invites Experts to Test Standards; Online Reactions Mixed

At this week's Apple Annual Developer Conference, Apple's CEO Tim Cook described Apple Intelligence as a "personal intelligence system" that could understand and contextualize personal data to deliver results that are "incredibly useful and relevant," making "devices even more useful and delightful." Apple Intelligence mines and processes data across apps, software and services across Apple devices. This mined data includes emails, images, messages, texts, messages, documents, audio files, videos, contacts, calendars, Siri conversations, online preferences and past search history. The new PCC system attempts to ease consumer privacy and safety concerns. In its description of 'Verifiable transparency,' Apple stated:

"Security researchers need to be able to verify, with a high degree of confidence, that our privacy and security guarantees for Private Cloud Compute match our public promises. We already have an earlier requirement for our guarantees to be enforceable. Hypothetically, then, if security researchers had sufficient access to the system, they would be able to verify the guarantees."

However, despite Apple's assurances, the announcement of Apple Intelligence drew mixed reactions online, with some already likening it to Microsoft's Recall. In reaction to Apple's announcement, Elon Musk took to X to announce that Apple devices may be banned from his companies, citing the integration of OpenAI as an 'unacceptable security violation.' Others have also raised questions about the information that might be sent to OpenAI. [caption id="attachment_76692" align="alignnone" width="596"] Source: X.com[/caption] [caption id="attachment_76693" align="alignnone" width="418"] Source: X.com[/caption] [caption id="attachment_76695" align="alignnone" width="462"] Source: X.com[/caption] According to Apple's statements, requests made on its devices are not stored by OpenAI, and users’ IP addresses are obscured. Apple stated that it would also add “support for other AI models in the future.” Andy Wu, an associate professor at Harvard Business School, who researches the usage of AI by tech companies, highlighted the challenges of running powerful generative AI models while limiting their tendency to fabricate information. “Deploying the technology today requires incurring those risks, and doing so would be at odds with Apple’s traditional inclination toward offering polished products that it has full control over.”   Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Researchers have discovered a new phishing campaign in which threat actors distribute the Remcos RAT malware within UUEncoding (UUE) file attachments in emails purporting to be about importing or exporting shipments. The UUEncoding (UUE) file attachments are compressed with Power Archiver, a proprietary and cross-platform archive utility that supports both Windows and MacOS.

Use of UUEncoding (UUE) Files to Distribute Remcos RAT Malware

Researchers from AhnLab discovered that the threat actors behind the campaign, use UUEncoding files with a .UUE extension, which are designed to encode binary data in plain text format. These file formats are suitable for attachment in e-mail or Usenet messages. The malicious .UUE files encode a VBS script attached in phishing emails. The threat actors seem to have leveraged the file format and encoding technique as an attempt to bypass detection. [caption id="attachment_76665" align="alignnone" width="1024"] Source: asec.ahnlab.com[/caption] When decoded, the VBS script is obfuscated, making it difficult for researchers to analyze. The script saves a PowerShell script into the %Temp% directory and executes it. The running script then downloads the Haartoppens.Eft file, which executes an additional PowerShell script. This script is also obfuscated and is designed to load a shellcode to the wab.exe process. [caption id="attachment_76666" align="alignnone" width="638"] Source: asec.ahnlab.com[/caption] The shellcode maintains its persistence by adding a registry key to the infected system, and then accesses a remote C&C server to load additional instructions. The instructions ultimately download the Remcos RAT malware for execution on infected systems.

Remcos RAT malware

The Remcos RAT collects system information from infected systems and stores keylogging data in the %AppData% directory. The malware then sends this data to the remote command-and-control (C&C) server, which is hosted through a DuckDNS domain. [caption id="attachment_76667" align="alignnone" width="894"] Source: asec.ahnlab.com[/caption] Remcos is a commercial remote access tool (RAT) that is advertised as a legitimate tool, but has been observed in numerous threat actor campaigns. Successful loading of Remcos opens a backdoor on targeted systems, allowing for complete control. The researchers have shared the following indicators to help detect and stop this campaign: IOCs (Indicators of Compromise)

• b066e5f4a0f2809924becfffa62ddd3b (Invoice_order_new.uue)
• 7e6ca4b3c4d1158f5e92f55fa9742601 (Invoice_order_new.vbs)
• fd14369743f0ccd3feaacca94d29a2b1 (Talehmmedes.txt)
• eaec85388bfaa2cffbfeae5a497124f0 (mtzDpHLetMLypaaA173.bin)

File Detection

• Downloader/VBS.Agent (2024.05.17.01)
• Data/BIN.Encoded (2024.05.24.00)

C&C (Command & Control) Servers

• frabyst44habvous1.duckdns[.]org:2980:0
• frabyst44habvous1.duckdns[.]org:2981:1
• frabyst44habvous2.duckdns[.]org:2980:0

The researchers also shared the following general recommendations to avoid similar phishing campaigns:

• Refrain from accessing emails from unknown sources.
• Refrain from running or enabling macro commands when accessing downloaded attachment files. Users can set programs to highest levels of security, as lower levels may automatically execute macro commands without displaying any notification.
•  Update anti-malware engines to their latest versions.

The UUE file format has previously been used in several malicious campaigns due to its ability to easily evade detection from security tools, with a researcher previously discovering a UUEncode vulnerability in the main Python program. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Both the clearnet domain as well as the onion darkweb domain of the infamous BreachForums appear to be down in a move that has confused both security researchers and cybercriminals. Attempting to visit these sites leads to a '502- Bad Gateway' error. While the site has suffered several disruptions due to law enforcement attempts to take down the site, no direct connection has been made to law enforcement activities so far.

BreachForums Down with '502- Bad Gateway' Error

BreachForums had earlier faced an official domain seizure by the FBI in a coordinated effort with various law enforcement agencies. However, shortly after, 'ShinyHunters' managed to recover the seized domains, with allegedly leaked FBI communications revealing they had lost control over the domain while the BreachForums staff claimed that it had been transferred to a different host. However, the site appears to be down again, but with no seizure notice present, leading to speculation over what has struck the site as well as its admin ShinyHunters. On X and LinkedIn, security researcher Vinny Troia claimed that ShinyHunters had made a direct message through Telegram indicating that he was retiring from the forums, as it was 'too much heat' and has shut it down. [caption id="attachment_76597" align="alignnone" width="1164"] Source: X.com[/caption] Both the researcher's X and LinkedIn post attribute this incident to the FBI 'nabbing' ShinyHunters, even congratulating the agency.

BreachForums Telegram Channels Deleted

Shortly after the official domains went down, several official Telegram accounts that were associated with Breach Forums, including the main announcement channel and the Jacuzzi 2.0 account, were deleted. Forum moderator Aegis stated in a PGP signed message that Shiny Hunters had been banned from Telegram. [caption id="attachment_76580" align="alignnone" width="349"] Source: Telegram[/caption] [caption id="attachment_76582" align="alignnone" width="525"] Source: Telegram[/caption] In a new 'Jacuzzi' Telegram channel created shortly afterwards, a pinned message appears to confirm that the administrator ShinyHunters had quit after wishing to no longer maintain the forum. The message affirms that Shiny had not been arrested, but rather quit, while the forum has not been officially seized but taken down. [caption id="attachment_76604" align="alignnone" width="799"] Source: Telegram[/caption] A while later, a database allegedly containing data from the 'breachforums.is' domain (the previous official domain associated with BreachForums before it shifted to the .st domain) had been circulating among Telegram data leak and sharing channels. Another threat actor stated that the circulating leaks were likely an attempt to gain attention and subscribers in light of recent events, stating that the info is unverified and password-protected. [caption id="attachment_76578" align="alignnone" width="670"] Source: Telegram[/caption] Several threat actors had attempted to use these disruptions to promote their own alternatives such as Secretforums and Breach Nation. However, the administrator Astounded, who owned Secretforums, had himself announced his retirement from involvement from forum activity recently. [caption id="attachment_76590" align="alignnone" width="388"] Source: Telegram[/caption] The threat actor USDoD still appears to be promoting their Breach Nation as an alternative to BreachForums, even appreciating the move as a take down of 'competitors.' [caption id="attachment_76593" align="alignnone" width="1150"] Source: X.com[/caption] These incidents, along with ShinyHunter's disappearance, the deletion/unavailability of official channels as well as the arrests and disruptions associated with the forums, raise uncertainty over the community's future prospects as well as larger implications for data leak sharing. This article will be updated as we gather more information on events surrounding BreachForums. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

While the new-generation Xbox One consoles have been out for a while, until recently there weren't any softmods (software modifications to make a system behave differently) for users. That has seemingly changed, as an individual has revealed the existence of a Kernel-level exploit along with a limited proof of concept. The method uses an easily-available app called 'Game Script' present on the Microsoft store.

'Game Script' Xbox Console Kernel-Level Exploit

carrot_c4k3, the individual behind the discovery, disclosed on X that the exploit, which is not a jailbreak, works against the System OS software that exists on newer Xbox consoles such as the Xbox One. System OS exists to enable developers to run a wide variety of applications on these consoles through the use of virtualization technology. Applications downloaded from the Microsoft Store run on this layer. Xbox users can typically gain access to this environment by enabling developer mode on their consoles. However, carrot_c4k3 stated that while the exploit allows full control over vm homebrews on retail Xbox, it did not enable the use of pirated software upon usage. The method currently relies on the Game Script UWA application available on the Microsoft Store, which allows users to run and execute custom languages on the devices. The exploit consists of two components:

1. User mode: Initial steps where the user gains native code execution in the context of UWP (Microsoft Store) applications.
2. Kernel exploit: In this step the user exploits a Kernel vulnerability on these devices to gain full read/write permissions, which would then enable them to elevate the privileges of a particular running process.

The proof of concept exploit shared on Github is currently limited within the context of UWP apps, which are more 'locked down.' However, carrot_c4k3 shared their intent to release another exploit for Xbox one/X series consoles by next month that would allow for full Kernel-level access over read/write permissions within the System OS environment. The full exploit is stated to rely on leaks within the 'NtQuerySystemInformation' component, which are not available on UWP apps. Hence, the user is developing an alternative exploit that does not rely on UWP apps. The exploit allows users to bypass the fees required to enable the developer mode on Xbox consoles, as well as grant them the ability to modify game save data on the devices, but does not allow for the modding of the actual games themselves. The modder also discussed the possibility of using the exploit to allow the usage of 'simple emulators' meant to emulate games intended for older devices. carrot_c4k3 admitted that the exploit could potentially be detected by Microsoft, recommending to perform it on a dedicated offline console instead.

Exploit Might Have Been Patched In Newer Xbox Firmware Versions

A set of steps to be performed for the hack was shared on the Xbox One Research Github page:

• Ensure your Xbox Live account Login-Type is configured as “No barriers” aka. auto-login with no password prompt
• Set your console as “Home Console” for this account
• Download the App Game Script
• Start the app (to ensure license is downloaded/cached)
• Take your console offline! To make extra sure it cannot reach the internet, set a manual primary DNS address of 127.0.0.1
• Get a device/microcontroller that can simulate a Keyboard (rubber ducky or similar) - otherwise you have to type a lot manually :D

The page states that the exploit is "likely to be patched soon (in next System Update)." A thread on GBAtemp.net, a forum for discussing various video game platforms, stated that the latest firmware update for the Xbox One console has reportedly already patched the exploit, making the firmware 10.0.25398.4478 the last exploitable version. While the full consequences of this exploit and the one that will be shared are unknown, it highlights the interest that console players have in bypassing manufacturer-intended device limits. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Microsoft and Google have announced plans to offer free or highly discounted cybersecurity services to rural hospitals across the United States. These initiatives come as the U.S. healthcare sector faces a surge in ransomware attacks that more than doubled last year, posing a serious threat to patient care and hospital operations. The program - developed in collaboration with the White House, the American Hospital Association, and the National Rural Health Association - aims to make rural hospitals less defenseless by providing them with free security updates, security assessments, and training for hospital staff.

Microsoft and Google Cybersecurity Plans for Rural Hospitals

Microsoft has launched a full-fledged cybersecurity program to meet the needs of rural hospitals, which are often more vulnerable to cyberattacks due to more limited IT security resources, staff and training than their urban peers. The program will deliver free and low-cost technology services, including:

• Nonprofit pricing and discounts of up to 75% on Microsoft's security products for independent Critical Access Hospitals and Rural Emergency Hospitals.
• Larger rural hospitals already equipped with eligible Microsoft solutions will receive free advanced security suites for free.
• Free Windows 10 security updates for participating rural hospitals for at least one year.
• Cybersecurity assessments and training are being made free to hospital employees to help them better manage system security.

Justin Spelhaug, corporate vice president of Microsoft Philanthropies, said in a statement, “Healthcare should be available no matter where you call home, and the rise in cyberattacks threatens the viability of rural hospitals and impact communities across the U.S. “Microsoft is committed to delivering vital technology security and support at a time when these rural hospitals need them most.” Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technologies, said in a statement:

“Cyber-attacks against the U.S. healthcare systems rose 130% in 2023, forcing hospitals to cancel procedures and impacting Americans’ access to critical care. Rural hospitals are particularly hard hit as they are often the sole source of care for the communities they serve and lack trained cyber staff and modern cyber defenses. President Biden is committed to every American having access to the care they need, and effective cybersecurity is a part of that. So, we’re excited to work with Microsoft to launch cybersecurity programs that will provide training, advice and technology to help America’s rural hospitals be safe online.”

Alongside Microsoft's efforts, Google also announced that it will provide free cybersecurity advice to rural hospitals and non-profit organizations while also launching a pilot program to match its cybersecurity services with the specific needs of rural healthcare facilities.

Plans Are Part of Broader National Effort

Rural hospitals remain one of the most common targets for cyberattacks, according to data from the National Rural Health Association. Rural hospitals in the U.S. serve over 60 million people living in rural areas, who sometimes have to travel considerable distance for care even without the inconvenience of a cyberattack. Neuberger stated, “We’re in new territory as we see ... this wave of attacks against hospitals.” Rick Pollack, president of the American Hospital Association, said, “Rural hospitals are often the primary source of healthcare in their communities, so keeping them open and safe from cyberattacks is critical. We appreciate Microsoft stepping forward to offer its expertise and resources to help secure part of America’s healthcare safety net.” The plans are a part of a broader effort by the United States government to direct private partners and tech giants such as Microsoft and Google to use their expertise to plug significant gaps in the defense of the healthcare sector. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

NHS Blood and Transplant (NHSBT) is urgently appealing for O blood-type donors across England after a ransomware attack affected several major London hospitals. The cyberattack caused significant disruption on the hospitals' ability to match patients' blood types, leading to an increased demand for O-positive and O-negative blood donations, which are safe for all patients. The public health institution is asking donors of these blood types to book appointments at any of the 25 NHS blood donor centers in England in order to boost limited stocks and ensure the availability of essential blood supplies to patients.

NHS Blood and Transplant's Urgent Appeal for Blood Donations

The recent cyberattack on the pathology firm Synnovis, believed to have been orchestrated by the Russian cybercriminal group Qilin, caused significant disruption to several London hospitals. As a result, affected hospitals have been unable to match patients' blood at the usual rates, leading to the declaration of a critical incident and the cancellation of scheduled blood transfusions. Gail Miflin, chief medical officer at NHS Blood and Transplant, emphasized the importance of O blood-type donations during this critical time. She called on existing O blood donors to book urgent appointments and encouraged potential new donors to find out their blood type and contribute to solving the shortage. During NHS National Blood Week, it was revealed that hospitals require three blood donations every minute. With around 13,000 appointments available nationwide this week, and 3,400 specifically in London, there are many opportunity for donors to come forward and contribute to blood availability. Stephen Powis, the medical director for NHS England, praised the resilience of NHS staff amid the cyberattack and urged eligible donors to come forward to one of the 13,000 available appointments in NHS blood donor centers across the country. To learn more and find details on how to donate, interested individuals are encouraged to search 'GiveBlood' online and on social media or visit Blood.co.uk. [caption id="attachment_76310" align="alignnone" width="2562"] Source: www.blood.co.uk[/caption]

Impact of the Cyberattack on London Hospitals

Several prominent London hospitals, including the King's College Hospital, Guy's and St Thomas', the Royal Brompton, and the Evelina London Children's Hospital, declared a critical incident following the cyberattack on the pathology firm Synnovis, which provides blood-testing facilities to these hospitals and several others in southeast London. The attack forced hospital staff to cancel health procedures such as cancer surgeries and transplants due to the unavailability of blood transfusion services after facing severe disruption. In a statement on its official website, an NHS London spokesperson stressed the importance of pathology services to health treatment procedures:

“NHS staff are working around the clock to minimise the significant disruption to patient care following the ransomware cyber-attack and we are sorry to all those who have been impacted. Pathology services are integral to a wide range of treatments and we know that a number of operations and appointments have been cancelled due to this attack. We are still working with hospitals and local GP services to fully assess the disruption, and ensure the data is accurate. In the meantime our advice to patients remains, if you have not been contacted please do continue to attend your appointments.”

A senior NHS manager disclosed to the Health Service Journal (HSJ) that the incident was “everyone’s worst nightmare.” As blood has a limited shelf life of 35 days, it is critical that these hospital stocks are continually replenished. More units of O-negative and O-positive blood will be required over the coming weeks to accommodate an anticipated increase in surgeries and procedures due to earlier delays. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.