Juniper Networks has urgently released security updates to address a critical vulnerability affecting some of its routers, identified as CVE-2024-2973. This flaw, with a maximum CVSS severity score of 10.0, could potentially allow attackers to bypass authentication mechanisms and gain unauthorized control over affected devices. The router vulnerability specifically impacts Juniper Networks' Session Smart Router and Conductor products when deployed with redundant peers. In such configurations, a network-based attacker could exploit the flaw to circumvent authentication safeguards, thereby compromising the entire device.

Juniper Networks Issues Patches for Router Vulnerability

[caption id="attachment_79708" align="alignnone" width="1105"] Source: Juniper Networks[/caption] Juniper Networks issued an advisory, highlighting the severity of the vulnerabilities in routers: "An Authentication Bypass Using an Alternate Path or Channel vulnerability in Juniper Networks Session Smart Router or Conductor running with a redundant peer allows a network-based attacker to bypass authentication and take full control of the device." Affected products include Session Smart Router versions before 5.6.15, from 6.0 before 6.1.9-lts, and from 6.2 before 6.2.5-sts, as well as Session Smart Conductor versions before 5.6.15, from 6.0 before 6.1.9-lts, and 6.2 before 6.2.5-sts. Additionally, WAN Assurance Router versions 6.0 before 6.1.9-lts and 6.2 before 6.2.5-sts are impacted. Juniper Networks has moved swiftly to address this issue by releasing updated software versions that resolve the vulnerability. Users are strongly advised to upgrade affected systems to the following patched releases: SSR-5.6.15, SSR-6.1.9-lts, SSR-6.2.5-sts, and subsequent versions. For deployments managed by a Conductor, upgrading Conductor nodes will automatically apply the fix to connected routers, though direct router upgrades are still recommended for comprehensive protection.

No Threat Detected 

It is reassuring that Juniper Networks' Security Incident Response Team (SIRT) has not detected any instances of malicious exploitation of CVE-2024-2973 in the wild. The company discovered this vulnerability internally during routine security testing and promptly took action to mitigate the risk. For users of MIST-managed WAN Assurance routers connected to the Mist Cloud, the patch has been applied automatically to safeguard against potential exploitation. Importantly, applying this fix is designed to be non-disruptive to normal network operations, with minimal downtime expected during implementation. Juniper Networks emphasizes that no other products or platforms in its portfolio are affected by this specific vulnerability, limiting the scope of necessary updates to the identified router models. While the discovery of CVE-2024-2973 highlights the importance of cybersecurity practices, Juniper Networks' proactive response through prompt patching and clear mitigation guidance exemplifies industry best practices in safeguarding against router vulnerabilities. Users are encouraged to promptly update their systems to the latest recommended versions to ensure optimal security posture against emerging threats.

TeamViewer, a provider of remote access software, has confirmed that a recent cyberattack has been successfully contained within its internal corporate IT environment. Crucially, the company has reassured its customers and stakeholders that the breach did not affect its product environment, the TeamViewer connectivity platform, or any customer data. This announcement comes as the investigation into the TeamViewer data breach progresses, providing clarity and reassurance to the millions of users who rely on it's services.

TeamViewer Breach Overview and Immediate Response

The TeamViewer data breach was first detected on June 26, 2024, prompting an immediate response from TeamViewer’s security team. The company has attributed the breach to an advanced persistent threat group, tracked as APT29, also known as Midnight Blizzard or Cozy Bear. This group is renowned for its sophisticated cyberespionage capabilities and has a history of targeting high-profile entities, including Western diplomats and technology firms. In an initial statement posted on Thursday in the company’s Trust Center, TeamViewer explained that the breach was confined to its internal corporate IT environment. The company emphasized that this environment is distinct and separate from its product environment, where customer interactions occur. As such, there is no evidence to suggest that the product or customer data was compromised. "TeamViewer’s internal corporate IT environment is completely independent from the product environment. There is no evidence to suggest that the product environment or customer data is affected. Investigations are ongoing and our primary focus remains to ensure the integrity of our systems," reads the initial statement.

Details of the Data Compromise

According to TeamViewer, the threat actor leveraged a compromised employee account to gain access to the internal corporate IT environment. This access allowed the attacker to copy certain employee directory data, including names, corporate contact information, and encrypted employee passwords. Importantly, the compromised data was limited to internal corporate information, and no customer data was involved. The company has taken swift action to mitigate the risk associated with the encrypted passwords. "According to current findings, the threat actor leveraged a compromised employee account to copy employee directory data, i.e. names, corporate contact information, and encrypted employee passwords for our internal corporate IT environment. We have informed our employees and the relevant authorities. The risk associated with the encrypted passwords contained in the directory has been mitigated in collaboration with leading experts from our incident response partner Microsoft," reads the statement. In collaboration with leading experts from their incident response partner, Microsoft, TeamViewer has implemented enhanced authentication procedures and added further strong protection layers. These measures ensure that the authentication processes for employees are now at the maximum security level. "The risk associated with the encrypted passwords contained in the directory has been mitigated in collaboration with leading experts from our incident response partner Microsoft. We hardened authentication procedures for our employees to a maximum level and implemented further strong protection layers. Additionally, we have started to rebuild the internal corporate IT environment towards a fully trusted state," reads TeamViewer statement.

The Role of NCC Group

The cybersecurity firm NCC Group played a significant role in highlighting the TeamViewer data breach. NCC Group was alerted to the compromise of TeamViewer’s remote access and support platform by APT29. Their involvement underscores the importance of third-party cybersecurity firms in detecting and responding to advanced threats. For TeamViewer’s customers, the key takeaway from this incident is that their data and the functionality of the TeamViewer connectivity platform remain secure. The company has reiterated that its overall system architecture follows best practices, with a clear segmentation between the corporate IT environment, the production environment, and the TeamViewer connectivity platform. This segmentation is a critical factor in ensuring that breaches in one area do not affect others.

CISA, in collaboration with the Fauquier County Sheriff’s Office, the Fauquier County Fire Rescue System, and Fauquier County Public Schools, recently conducted a comprehensive K-12 active shooter exercise to strengthen the safety and security of schools in the region.  This exercise, held at Kettle Run High School and Greenville Elementary School on June 27, aimed to evaluate and enhance emergency response strategies in simulated active shooter scenarios. The joint effort involved various local stakeholders, including law enforcement, school administrators, teachers, and emergency medical services. These participants played pivotal roles in testing the effectiveness of current safety protocols, particularly in scenarios involving mock injuries, evacuations, and the reunification of students with their families.

CISA and Fauquier County’s K-12 Active Shooter Exercise

David Mussington, CISA’s Executive Assistant Director for Infrastructure Security, highlighted the importance of K-12 active shooter exercise in fostering collaboration among federal, state, and local entities to safeguard educational environments. He emphasized that such initiatives are crucial for preparing communities to respond effectively to potential threats. Sheriff Jeremy Falls further highlighted the exercise's role in improving preparedness for real-world incidents, stating, “Our primary goal is the safety and well-being of our community. This exercise provided invaluable insight into our readiness and identified areas for further strengthening our response capabilities.” Dr. Major Warner, superintendent of Fauquier County Public Schools, emphasized the partnership’s role in enhancing school safety, noting, “Testing our emergency protocols has significantly bolstered our readiness as a school division, ensuring a safer learning environment for our students and staff.”

Collaborative Training Exercises

The exercise also aimed to assess the speed and coordination of law enforcement responses, emergency medical operations, and communication between agencies during crises. Chief Kalvyn Smith of the Fauquier County Fire Rescue System stressed the importance of collaborative training exercises in preparing agencies to protect and serve the community effectively. Janelle Downes, Fauquier County Administrator, highlighted the necessity of involving various stakeholders in such exercises, stating, “Large-scale critical incidents demand a coordinated response. This exercise allowed us to plan and refine our coordination for potential future emergencies.” Bill Ryan, CISA’s Regional Director, emphasized the value of these exercises in identifying strengths and areas for improvement, ensuring continuous learning and adaptation to maintain readiness. CISA remains committed to supporting local communities through training and collaborative initiatives aimed at enhancing security measures. This exercise with Fauquier County represents a significant step in these ongoing efforts to safeguard schools and promote community resilience.

It’s been almost two weeks since the CDK Global cyberattack paralyzed the US automotive industry and many car sales outlets are still limping back to normalcy. The CDK Global cyberattack has reportedly raked up millions of dollars in losses for dealerships. According to a report by CNN, the cyber automobile, the cyberattack has made it difficult for dealers to track customer interactions, orders and sales.

Background of CDK Global Cyberattack

On June 19, 2024, CDK Global, a provider of software solutions to around 15,000 auto dealerships across the United States, experienced a cyberattack. On June 21, the company disclosed that it experienced twin cyberattacks in the same week. The cyberattacks, had a profound impact on major clients of CDK Global, including General Motors dealerships, Group 1 Automotive, Asbury Automotive Group, AutoNation, Lithia Motors, Penske, Sonic Automotive and Holman, which operates dealerships across the U.S. These dealerships rely heavily on CDK’s software to manage their daily operations, from sales transactions to inventory management. CNN reported that due to the outage, some dealers started fulfilling orders with pen and paper. Other services, such as state inspections, repairs and parts deliveries, came to a standstill in some parts of the country. After the initial attack, CDK Global shut down most of its systems to investigate the incident and restore systems. “We are actively investigating a cyber incident,” the company had said. “Out of an abundance of caution and concern for our customers, we have shut down most of our systems and are working diligently to get everything up and running as quickly as possible.”

How Victim Firms Responded to Cyberattacks

In response to the cyberattacks, Asbury, AutoNation, Lithia Motors, Sonic Automotive, and Group 1 Automotive activated their incident response plans and disconnected from CDK systems as a precaution. Sonic Automotive mentioned that as of June 24, the extent to which the attackers accessed customer data remains unknown. Lithia Motors highlighted the ongoing negative impact on its operations, indicating uncertainty over whether the incident will materially affect its financial condition. Penske Automotive reported that the ransomware attack primarily affected its Premier Truck Group, which sells heavy- and medium-duty trucks across 48 locations in the U.S. and Canada. The company has implemented business continuity plans and continues operations using manual and alternate processes designed for such incidents. Penske noted that the truck dealership business that serves business customers has lower unit volumes compared to automotive dealerships. Asbury said business operations are functioning but “slower than normal.” It added that the dealerships at Koons Automotive locations in Maryland and Virginia do not use CDK’s Dealer Management System or CDK’s Customer Relationship Management system and therefore continue to operate with minimal interruption, as does Clicklane, their online vehicle purchasing platform. Asbury operates 157 new vehicle dealerships, which includes 206 franchises representing 31 domestic and foreign vehicle brands.

Cyberattack Could Almost Cost a Billion in Losses: Report

An estimate study prepared by the Anderson Economic Group, reported that the cyberattacks on CDK could result in approximately $944 million in direct losses due to business interruptions for affected car dealers if the outage lasts a full three weeks. In an automated voice message to its clients on Friday, CDK company said it was making progress in bringing some dealerships back online  but it did not expect the issue to be entirely resolved until July. “We do feel it’s important to share that we do not believe that we will be able to get all dealers live prior to June 30,” the message said. The CNN report, quoting a CDK spokesperson, said, “We have successfully brought two small groups of dealers and one large publicly traded dealer group live on the Dealer Management System (DMS). We are also actively working to bring live additional applications — including our Customer Relationship Management (CRM) and Service solutions — and our Customer Care channels. “We understand and share the urgency for our customers to get back to business as usual, and we will continue providing updates as more information is available,” the CDK spokesperson added.

In a recent advisory, the Reserve Bank of India (RBI) has cautioned scheduled commercial banks about the increasing risk of cyberattacks. The RBI advisory, issued by the Department of Banking Supervision at the Central Office in Mumbai, highlights the critical importance of cybersecurity measures in today's digital banking domain. Central to the RBI advisory is the role of Corporate Governance in ensuring accountability within banks. It emphasizes that IT Governance forms an integral part of this framework, requiring strong leadership support, a well-defined organizational structure, and streamlined processes. Effective IT Governance, according to the RBI, is the responsibility of both the Board of Directors and Executive Management.

Technological Adoption in Banking

Highlighting the widespread adoption of technology across banking operations, the RBI cybersecurity advisory notes that nearly every commercial bank branch has embraced technology to some extent. This includes the implementation of core banking solutions (CBS) and various alternate delivery channels such as internet banking, mobile banking, phone banking, and ATMs. The RBI advisory provides clear guidance to banks on enhancing their IT Governance: Roles and Responsibilities: Clearly defining the roles and responsibilities of the Board and Senior Management is crucial for effective IT Governance. This ensures proper project control and accountability. Organizational Framework: Recommends establishing an IT Strategy Committee at the Board level, comprising technically competent members with substantial IT expertise. The committee's responsibilities include advising on strategic IT directions, reviewing IT investments, and ensuring alignment with business goals. IT Organizational Structure: Suggests structuring IT functions based on the bank’s size and business activities, with divisions such as technology and development, IT operations, IT assurance, and supplier management. Each division should be led by experienced senior officials to manage IT systems effectively.

Implementing IT Governance Practices

The RBI cybersecurity advisory stresses the implementation of robust IT Governance practices aligned with international standards such as COBIT (Control Objectives for Information and Related Technologies). These practices focus on value delivery, IT risk management, strategic alignment, resource management, and performance measurement.

Information Security Governance

Addressing the critical aspect of information security, the RBI advises banks to implement comprehensive security governance frameworks. This includes developing security policies, defining roles and responsibilities, conducting regular risk assessments, and ensuring compliance with regulatory requirements. The advisory recommends separating the information security function from IT operations to enhance oversight and mitigate risks effectively.

Risk Management and Compliance

Emphasizing the importance of risk management, the advisory highlights the need for banks to integrate IT risks into their overall risk management framework. This involves identifying threats, assessing vulnerabilities, and implementing appropriate controls to mitigate risks effectively. Regular monitoring and oversight through steering committees are essential to ensure compliance with policies and regulatory standards.

Conclusion

In conclusion, the RBI’s advisory highlights the importance of strengthening their cybersecurity posture amidst digital threats. By implementing IT Governance and information security frameworks, banks can enhance operational resilience, protect customer data, and safeguard financial stability. Adhering to these guidelines will not only ensure regulatory compliance but also bolster trust and confidence in the banking sector. The RBI continues to monitor cybersecurity developments closely and urges banks to remain vigilant against emerging threats. With technology playing an increasingly pivotal role in banking, proactive measures are essential to mitigate risks and maintain a secure banking environment. For further information and detailed guidelines on implementing RBI’s cybersecurity advisory, banks are encouraged to refer to the official communication from the Reserve Bank of India. Taking proactive steps today will safeguard the future of banking operations against cybersecurity challenges.

The need for cyber insurance has reduced drastically as businesses worldwide upgrade their defenses against rising cyber threats, according to a recent report by Howden. Despite an uptick in ransomware attacks, premiums for cyber insurance have declined globally. This shift comes as businesses enhance their cybersecurity measures, mitigating potential losses from cyber incidents. In the wake of the COVID-19 pandemic, cyber insurance premiums surged in 2021 and 2022 due to increased cybercrime activity. However, the latest annual report from Howden reveals a noteworthy decrease in premiums over the past year. The cyber insurance market experienced significant price reductions, reflecting improved security practices and technologies businesses adopt.

The Need for Cyber Insurance Declines

Sarah Neild, Head of UK Cyber Retail at Howden, emphasized the critical role of multifactor authentication (MFA) in safeguarding company data. "MFA is fundamental, akin to locking your door when leaving the house," Neild remarked. She highlighted the multi-layered nature of cybersecurity, noting increased investments in IT security and employee training which have collectively bolstered resilience against cyber threats. Despite the rising frequency of ransomware incidents, the report highlighted a drop in global ransomware attacks following geopolitical events. Nevertheless, recorded ransomware incidents spiked by 18% in the initial months of 2024 compared to the previous year. Ransomware typically involves encrypting data and demanding cryptocurrency payments in exchange for decryption keys. Business interruption remains a significant cost post-attacks; however, businesses are mitigating these costs with robust backup systems, including cloud-based solutions, as outlined in the report.

Firms are Less Likely to Invest in Cyber Insurance

While the United States dominates the cyber insurance market, Europe is expected to witness accelerated growth in the coming years, driven by increasing awareness and adoption among businesses. Smaller firms, despite facing heightened cyber risks, are less likely to invest in cyber insurance due to limited awareness and perceived complexities. Earlier in 2024, Howden introduced a new cyber insurance platform tailored for small and medium-sized enterprises (SMEs). This initiative aims to simplify the process of obtaining comprehensive cyber insurance coverage, crucial for protecting businesses from financial devastation following cyber incidents. The platform, designed for SMEs with revenues up to $250 million, offers streamlined access to up to $6 million in coverage, supported by leading global carriers. Jean Bayon de La Tour, International Head of Cyber at Howden, highlighted the platform's user-friendly interface and rapid quotation process, facilitated by open APIs. This approach ensures that SMEs receive high-quality cyber insurance without the traditional complexities associated with policy procurement. The platform also integrates advanced data analytics tools, including Cyberwrite, to empower businesses with actionable insights pre- and post-policy issuance. Shay Simkin, Global Head of Cyber at Howden, emphasized the platform's role in bridging the cyber insurance gap for SMEs, critical given the growing cyber threats faced by small businesses. Simkin stressed the platform's comprehensive coverage terms, including breach response and enhanced policy wording, aimed at fortifying businesses against cyber threats.

This week on TCE Cyberwatch we are seeing a rise of caution around cybersecurity, and rightfully so as vulnerabilities become more and more common.  There have been recalls to previous data breaches, with the true impacts being brought to light. But also, we are seeing the consequences faced by many organizations who do not have strong security. A devastating example of this is the 911 outage in Massachusetts for a whole two hours because of their weak Firewall. Keep reading to find out more news from this week.

UnitedHealth discloses the data stolen in Change Healthcare.

UnitedHealth has disclosed the types of medical and patient data stolen in a cyberattack on Change Healthcare (CHC). CHC plans to notify affected individuals by mail starting in late July, though not all may receive notifications due to insufficient addresses. The ransomware attack exposed a significant amount of data, potentially affecting a third of Americans. The stolen data includes contact information, health insurance details, medical records, billing information, and personal identifiers. The breach occurred between February 17 and February 20, 2024, and was confirmed on April 22, 2024. CHC has since taken steps to mitigate the impact, including shutting down systems, investigating with cybersecurity experts, and enhancing security measures. Notifications to customers began on June 20, 2024. Read More

UK’s nuclear waste site admits to cybersecurity failings from the last 4 years.

The UK’s Sellafield nuclear waste site has admitted to cybersecurity failings from 2019-2023, acknowledging inadequate protection of sensitive nuclear information. Home to the world’s largest plutonium store, Sellafield's cybersecurity issues have been a concern for over a decade. A 2012 report highlighted critical vulnerabilities, and recent revelations showed breaches dating back to 2015, with sleeper malware discovered. Despite claims of no successful cyberattacks, Russian and Chinese actors had compromised systems. The UK’s Office for Nuclear Regulation had placed Sellafield under special measures for recurring failings. While current protections are said to be robust, the GMB trade union has raised concerns over inadequate training, safety procedures, and a culture of fear among staff. Sellafield has pleaded guilty to all charges and is working to enhance cyber resilience. Read More

Kaspersky Lab banned from providing products or services in the U.S.

The Department of Commerce’s Bureau of Industry and Security (BIS) has banned Kaspersky Lab Inc., a Russian cybersecurity firm, from providing products or services in the U.S., effective September 29, 2024. This historic ban is the first Final Determination by the Office of Information and Communications Technology and Services (OICTS). Concerns over national security risks linked to foreign technology firms, especially from adversarial states, prompted this decision. Kaspersky's software has been linked to Russian military and intelligence activities. The ban reflects escalating U.S. efforts to protect its cyber infrastructure. Kaspersky must cease operations in the U.S., and users are advised to switch to alternative cybersecurity solutions. This move continues the scrutiny of Kaspersky that began during the Trump administration and has intensified under Biden. Read More

Ticketmaster data breach hackers release records of a million customers for free. 

The Ticketmaster data breach has worsened, with hackers releasing records of 1 million customers for free. Live Nation, Ticketmaster’s parent company, confirmed the breach involved unauthorized access to sensitive customer information. The hackers, initially demanding $100,000, escalated by publicly releasing data on a dark web forum, pressuring Ticketmaster to meet their demands. The breach affects 680 million customers and includes personal details such as names, addresses, IP addresses, emails, birthdates, and partial credit card information. The breach occurred on May 20, involving a database on Snowflake, a third-party cloud storage provider. Live Nation acknowledged the incident and is working with cybersecurity experts and authorities to investigate and enhance security measures. Despite the breach, Live Nation does not expect a significant impact on its operations. Read More

Firewall issues causes two-hour state-wide 911 outage in Massachusetts.

A firewall issue caused a two-hour state-wide 911 outage in Massachusetts, preventing emergency calls from reaching dispatch centres on Tuesday. The Massachusetts Executive Office of Public Safety and Security reported that the firewall, intended to protect against cyberattacks, blocked calls due to a technical issue with its vendor, Comtech. An initial review confirmed that the outage was not caused by a cyberattack, but the exact cause remains under investigation. Although some calls failed, dispatch centres could identify and return missed calls. No emergencies were reported as impacted during the interruption. The outage began around 1:15 pm and was resolved by 3:15 pm. Comtech has since applied a technical solution to prevent future incidents. Read More

Netflix has paid over $1 million since launching its bug bounty program.

Since launching its bug bounty program in 2016, Netflix has paid over $1 million for vulnerabilities found in its systems and products. More than 5,600 researchers have submitted nearly 8,000 unique vulnerability reports, with rewards given for 845 vulnerabilities, including many rated as critical or high severity. Initially hosted by Bugcrowd, Netflix's program moved to the HackerOne platform, offering enhanced triage, increased bounties, expanded scope, and researcher feedback. Rewards range from $300 to $5,000 for content authorization issues and up to $20,000 for critical vulnerabilities on Netflix.com. A recent vulnerability in Microsoft’s PlayReady technology was exploited to download movies illegally from Netflix, though it's unclear if this qualifies for Netflix’s bug bounty program. Read More

Car dealers face cyberattacks which disrupt operations.

Thousands of auto dealers in the U.S. and Canada face operational disruptions due to cyberattacks on CDK Global, a key software and data services provider. CDK Global, which serves over 15,000 retail locations, experienced two attacks on June 19, leading the company to shut down systems to protect customer data and restore services. The outage has slowed sales, forcing dealers to use alternative methods for essential paperwork such as titles, contracts, and registrations. Despite the challenges, dealers like Brian Benstock of Paragon Honda in New York remain open and continue selling cars. CDK Global is actively working to reinstate services and regularly updating its customers on progress. Read More

Bug found which means attackers can impersonate Microsoft corporate email accounts.

A researcher, Vsevolod Kokorin, discovered a flaw that allows attackers to impersonate Microsoft corporate email accounts, enabling phishing attacks. Despite demonstrating the bug to TechCrunch and reporting it to Microsoft, the company stated it couldn't reproduce the issue. Kokorin disclosed the flaw on X. The vulnerability is triggered when an attacker sends an email to Outlook accounts. Microsoft did not respond to TechCrunch's request for comment. The technical details of the bug are withheld to prevent exploitation by malicious hackers. The issue remains unaddressed, and it is unclear if it has been used in attacks. Kokorin expressed surprise at Microsoft's reaction, noting his intention was to assist the company. The situation is ongoing, and updates will follow. Read More

China-linked state-sponsored group to have conducted a cyber espionage campaign targeting various organizations in Taiwan.

A likely China-linked state-sponsored group, RedJuliett, has been conducting a cyber espionage campaign targeting various organizations in Taiwan from November 2023 to April 2024. Recorded Future's Insikt Group reports that the group operates from Fuzhou, China, to support Beijing's intelligence collection. RedJuliett has also targeted organizations in Djibouti, Hong Kong, Kenya, Laos, Malaysia, the Philippines, Rwanda, South Korea, and the U.S. The group has exploited internet-facing devices and used techniques such as SQL injection for initial access. RedJuliett employs tools like SoftEther to exfiltrate data and maintain persistence using web shells like China Chopper. The group focuses on Taiwan's economic policies and international relations. China's Ministry of Foreign Affairs has dismissed the allegations as disinformation. Read More

Organizations in different sectors are adopting military-grade cyber defences.

As cyber threats grow, organizations in highly regulated sectors like finance, healthcare, and government are increasingly adopting military-grade cyber defences to protect sensitive information and comply with strict regulations. These defences, which leverage advanced technologies such as real-time data analytics, machine learning, and predictive modelling, help identify and neutralize threats before breaches occur. Content Disarm and Reconstruction (CDR) is one such technology that ensures only safe data is transmitted, enhancing protection against advanced attacks. Additionally, insider risk programs are crucial for addressing internal threats. Collaboration with military and private-sector experts provides access to cutting-edge technologies and threat intelligence. Adopting military-inspired strategies, such as proactive threat prevention and layered security, is essential for safeguarding critical assets and maintaining regulatory compliance. This approach enhances resilience and mitigates risks in an era of escalating cyber threats. Read More

Apple releases firmware update for AirPods which allows unauthorized access.

Apple has released a firmware update for AirPods to fix a vulnerability (CVE-2024-27867) that allows unauthorized access to the headphones. This issue affects various models, including AirPods (2nd generation and later), AirPods Pro, AirPods Max, Powerbeats Pro, and Beats Fit Pro. An attacker within Bluetooth range could exploit this flaw to eavesdrop on conversations by spoofing a previously paired device. Apple addressed the issue with improved state management in Firmware Updates 6A326 and 6F8. The flaw was discovered by Jonas Dreßler. Additionally, Apple patched 21 issues in visionOS, including a logic flaw (CVE-2024-27812) reported by Ryan Pickren. This flaw allowed a denial-of-service (DoS) attack and enabled the injection of arbitrary 3D objects into a user's environment without interaction, due to a permissions oversight in the ARKit Quick Look feature. Read More

A Microsoft software engineer accidentally exposes 4GB of crucial data.

A Microsoft software engineer inadvertently posted internal PlayReady DRM source code on a public developer forum, exposing 4GB of data crucial for compiling the DLL and potentially compromising the DRM technology. PlayReady, a widely-used DRM system, protects media files via encryption and other features. The leak, occurring in early June, included configurations and obfuscation libraries essential to PlayReady. Cybersecurity firm AG Security Research Lab built the PlayReady DLL from the leaked code, revealing vulnerabilities in the Protected Media Path (PMP) that could decrypt high-definition content on Windows 10 and 11 systems. Despite the post's removal within 12 hours, the download link remained active. Microsoft downplayed the issue, but the incident underscores the need for stringent data handling protocols. The breach could impact major streaming services reliant on PlayReady DRM, posing a significant security risk given the $544 billion valuation of the video streaming industry. Read More

Wrap Up

This week we have seen many reasons to be afraid about the impacts of cyberattacks. However, it’s important to know the mitigations and security measures that can be taken to prevent you from falling victim to it. Kaspersky Lab Inc. is just one of many to be banned but it is nothing to worry about as cybersecurity companies are on the rise as attacks on huge corporations like Netflix, Microsoft, and even the 911 emergency call lines, are constantly vulnerable to falling under attack. Remember to stay vigilant and updated on cybersecurity measures.

By Lakshmi Mitra

As Artificial Intelligence (AI) continues to transform industries worldwide, tech enthusiasts must equip themselves with the right skillsets to stay relevant and competitive. The swift evolution of AI technologies is altering job roles, opening up new career opportunities, and establishing benchmarks for the future of employment. Whether you're a budding developer or an experienced IT professional, mastering these key skills will enable you to excel in an AI-dominated environment.

Skills to Master in the Era of Artificial Intelligence

1. Understanding the fundamentals of AI/ML - AI and ML are at the core of today’s technological innovations. From automating routine tasks to enabling sophisticated data analysis, these technologies are driving the next wave of digital transformation. A deep understanding of AI principles and machine learning techniques is crucial for anyone looking to future-proof their career. Aspirants must learn the basics of AI and its implementation in real-world scenarios.
2. Building proficiency in Data Analysis - In the AI era, data is often referred to as the new black gold. The ability to analyse and interpret data is invaluable, as it forms the foundation for AI and machine learning models. Data science skills enable tech enthusiasts to derive actionable insights from vast datasets, driving informed decision-making. Hence, aspirants must focus on understanding key statistical methods for analysing data, including regression, hypothesis testing, and probability, and build proficiency in data visualization tools such as Tableau, Matplotlib, and Seaborn.
3. Learn advanced programming skills - Programming remains a fundamental skill in the tech world. As AI continues to evolve, the demand for advanced programming skillsets is rising exponentially. Tech enthusiasts need to be proficient in writing efficient, scalable code to develop complex AI systems and applications. Aspirants should try to gain expertise in languages like Python, which is widely used in AI and ML. They must also gain a good understanding of languages such as Java, C++, and JavaScript. They should also try to become proficient in algorithms, data structures, and their applications in problem-solving.
4. Cloud Computing and AI Integration - Cloud computing has revolutionized the way we build and deploy AI solutions. Understanding how to leverage cloud platforms is crucial for developing scalable AI applications and managing big data.
5. Cybersecurity Awareness and Skills - As AI systems become more integrated into our daily lives, the need for robust cybersecurity measures becomes increasingly important. Cybersecurity skills are essential for protecting data, ensuring the integrity of AI systems, and mitigating risks associated with cyber threats. Aspirants keen on building skillsets in these, must begin by understanding the basics of cybersecurity in terms of threat modelling, encryption, and network security. They should also learn about the unique security challenges posed by AI systems, such as adversarial attacks and data poisoning.

Conclusion

The AI era presents both challenges and opportunities for tech enthusiasts. By developing these essential skills, you can future-proof your career. Embrace the continuous learning journey, stay curious, and keep adapting to the advancements in AI and related technologies.

By Emily Newton Data center liquid cooling systems are increasingly common due to their superior efficiency in managing heat compared to traditional air cooling methods. However, this technological advancement brings new security threats, including cybersecurity and physical risks. These concerns are critical for industry experts as they can lead to data breaches, system disruptions and significant operational downtime. Understanding and mitigating these risks ensures a data center’s reliability and security. This approach highlights the importance of a comprehensive approach to digital and physical security in the evolving landscape of data center cooling technologies.

Cybersecurity Risks of Data Center Liquid Cooling Systems

Liquid cooling systems — while enhancing efficiency in data centers — introduce cybersecurity challenges demanding attention from industry experts. These systems present new vulnerabilities malicious actors can exploit.

Data Breaches

Attackers can intercept and manipulate sensor data in liquid cooling systems by exploiting vulnerabilities in the interconnected IoT devices that monitor and control these systems. By gaining unauthorized access, they can alter critical sensor readings, cause disruptions in temperature regulation and lead to hardware damage or system shutdowns. According to a recent survey, 36% of respondents reported that their worst breach in the past three years cost $1 million or more. This number underscores the severe financial implications of such attacks. These systems’ interconnectedness amplifies the risks because compromised sensors can provide a gateway to broader network infiltration. This can lead to widespread operational and security consequences for data centers.

Network Vulnerabilities

IoT devices in data center liquid cooling systems can be entry points for cyberattacks due to their connectivity and often insufficient security measures. Attackers can exploit these devices — integral to monitoring and managing cooling processes — to access the broader network. Alarmingly, 93% of external cyberattacks successfully breach organizational networks and access information within IoT systems, illustrating the prevalent risks. These cooling systems' remote access and control features also present significant vulnerabilities. Unauthorized individuals can manipulate system settings, disrupt operations and cause physical damage. These factors compromise the data center's overall security and functionality.

Malware and Ransomware

Malware can significantly disrupt cooling operations in data centers by targeting the control systems that regulate temperature and manage liquid flow. By infecting these systems, malware can alter operational parameters and cause overheating or shutdowns, leading to critical system failures. In 2023, organizations worldwide detected over 317 million ransomware attempts, highlighting the persistent threat landscape. Ransomware attacks on data center liquid cooling systems are particularly concerning because attackers can turn off these systems and demand ransom payments to restore functionality. Such disruptions threaten the data center's physical integrity and pose severe financial and operational risks. That makes it imperative for organizations to enhance their cybersecurity defenses against these sophisticated threats.

Physical Risks of Data Center Liquid Cooling Systems

While cybersecurity threats are a significant concern, the physical risks associated with liquid cooling systems are equally critical. Here are examples that can severely impact data center operations.

Environmental Threats

Cooling system failures in data centers can lead to rapid temperature increases, jeopardizing the integrity of sensitive hardware components. Excessive heat can also cause servers and other critical equipment to malfunction or fail, which can result in data loss and significant operational downtime. Additionally, contaminants entering the liquid cooling system — such as particulate matter or chemical impurities — can clog or corrode essential parts, further exacerbating the risk of hardware damage. These issues threaten the data center infrastructure’s physical health and necessitate costly repairs and replacements. They underscore the importance of maintaining robust and clean cooling systems to ensure optimal performance and reliability.

Hardware Failures

Liquid leaks in data centers pose significant risks of hardware damage and data loss. For instance, an incident at Global Switch’s data center in Paris — where a leak in the battery room sparked a fire — caused Google services throughout Europe to go down. Such leaks can result in short circuits, corrosion and other physical damage to critical components, leading to substantial downtime and financial losses. Maintaining data center liquid cooling systems involves complex procedures, including regular inspections, leak detection and fluid replacement, each of which presents a set of risks. Improper maintenance or undetected leaks can escalate into severe problems. This highlights the need for rigorous protocols and advanced monitoring solutions to safeguard against these threats and ensure data center reliability.

Physical Security

Physical tampering with data center liquid cooling systems presents significant security risks, as unauthorized alterations can disrupt operations and compromise system integrity. Malicious insiders — such as disgruntled employees or contractors with access to these systems — can exploit their physical access to manipulate settings, introduce contaminants or turn off cooling mechanisms. Such actions can lead to overheating, hardware failures and extended downtime, severely impacting data center performance and security. The potential for insider threats underscores the necessity for strict access controls, thorough background checks and continuous monitoring of personnel activities. These factors prevent and quickly respond to attempts at physical sabotage.

Mitigation Strategies

Addressing the security threats of data center liquid cooling systems requires a multifaceted approach. Here’s how organizations can significantly reduce the risks and ensure system integrity.

Physical Security Measures

Design improvements are crucial to minimize leakage and damage risks in liquid cooling systems. For example, investing in linear movement solutions can precisely position components within the system. It enhances efficiency and productivity while reducing the likelihood of leaks. Additionally, robust sealing technologies and materials can further mitigate the risk of fluid escape. Advanced environmental monitoring systems are also advisable because they provide real time temperature, humidity and potential contaminants data. This information allows prompt detection and response to anomalies. These proactive measures ensure cooling operations' reliability and safety, safeguarding critical data center infrastructure.

Cybersecurity Measures

Securing IoT devices and network endpoints in liquid cooling systems involves implementing best practices such as robust encryption, regular firmware updates and strong authentication mechanisms. Network segmentation can also help isolate critical systems from potential threats. Likewise, continuous monitoring and auditing of cooling systems are essential to promptly detect and respond to security incidents. Organizations can maintain vigilance over their network by employing real time analytics and intrusion detection systems to identify and address anomalies. Regular audits further reinforce security by identifying vulnerabilities and ensuring compliance with security protocols.

Prioritizing the Security of Data Center Liquid Cooling Systems

Industry experts must prioritize robust security measures and remain vigilant about evolving threats to ensure the resilience of liquid cooling systems. Future advancements in AI-driven monitoring and smart materials promise to enhance these systems’ safety and efficiency, further mitigating security risks

There are numerous movies that envision futuristic scenarios, often portraying advanced technology within utopian or dystopian settings. While these films captivate audiences with their imaginative takes on the future, they often fall short of accurately depicting the intricate world of cybersecurity. The real-life nuances of hacking and cybercrimes are frequently overlooked or sensationalized. In this article, we aim to spotlight films that delve deeply into the realm of hacking and cybersecurity. These movies go beyond mere futuristic speculation to explore the complexities of cybercrimes, showcasing the skills, challenges, and ethical dilemmas faced by hackers. From intense cyber heists to battles against digital espionage, these films provide a more authentic portrayal of the hacking landscape. Join us as we uncover a selection of movies that bring the gritty reality of cybersecurity to the forefront, offering a compelling and realistic glimpse into the digital underworld.

Top 7 Hacking Movies Highlighting Cybersecurity and Cybercrimes

7. Firewall 

FireWall is a 2006 action thriller directed by Richard Loncraine. The film centers on a security expert for a Seattle-based bank named Jack, played by the famous Harrison Ford, whose life takes a perilous turn when he is manipulated into helping a team steal millions from his bank. They threaten Jack's family to ensure his cooperation and Jack struggles to outwit the thieves while protecting them.  This is one of those hacking movies that represents cybersecurity threats greatly as the main character is someone who works in the cybersecurity industry. Although filled with action and dramatic tension, this movie is an insight into how hackings can occur and why cybercrime threats are on the rise with how profitable they can be.  

6. Ghost in the Shell 

Ghost in the Shell is a 1995 Japanese animated cyberpunk film directed by Mamoru Oshii, and originally based on the manga. The movie takes place in a futuristic world where cybernetic enhancements are the norm and follows Major Motoko Kusanagi, a cyborg agent of Section 9, a government agency that specializes in cybercrime. She and her team go after the Puppet Master, an infamous hacker capable of infiltrating and manipulating human minds.   This film is a staple in the cyberpunk genre and has influenced many others after it. It can tackle how the advancement of technology can be something detrimental as we lose the idea of where human beings end and machines begin. We are also given insight into how hacking may become a much more prevalent issue in the future if we lose this divide, and how it may be harmful to people on a different level.  

5. Skyfall 

Skyfall is an action movie part of the James Bond film series and directed by Sam Mendes. The film follows the 6th iteration of James Bond, portrayed by Daniel Craig, who is presumed dead after a failed mission. However, Bond resurfaces when MI6 comes under attack by a cyberterrorist. As Bond returns to duty, he faces both physical and psychological challenges while trying to track down and stop the cyberterrorist.   Skyfall shows us cybersecurity threats on a national level. With cyberwars occurring more and more in the real world, this movie is a fun and attention-catching depiction of how these hackings may be dealt with by security intelligence agents and agencies. While it may not be accurate as other hacking movies, it gives the public some insight as these national occurrences are usually shielded from the public eye.  

4. Hackers 

Hackers is a 1995 film directed by Iain Softley, also in the cyberpunk genre. The film follows a group of young hackers led by Dade Murphy who goes by the alias "Zero Cool." After being banned from computers for crashing 1,507 systems at a young age, Dade returns to hacking as a teenager. Alongside his friends, they uncover a conspiracy involving a powerful corporation and a malicious hacker known as "The Plague".  This film introduces ideas surrounding hacking culture and internet security, but also the ethics of hacking as it shows the clash between rebellious youth and corporate interests. The film is sure to feature stylized depictions of hacking techniques and virtual reality sequences as the hackers in it are presented as countercultural heroes navigating the digital landscape. 

3. Untraceable 

Untraceable is a 2008 thriller directed by Gregory Hoblit that follows FBI agent Jennifer Marsh who specializes in cybercrime. Marsh and her team investigate a website called "KillWithMe.com," where victims are tortured and killed live on camera. On this site, the more viewers the site attracts, the faster the victims die. As Marsh races against time to track down the tech-savvy killer.  The film explores themes of online voyeurism as the killers exploit the public's morbid curiosity for their profit and gain. Along with this, it tackles the dangers of internet anonymity along with the responsibility of internet platforms in facilitating harmful content. The movie serves as a cautionary tale about the dark side of technology and the lack of cybersecurity not only in the cyber world but also its fallout into the real world because of how hyper-connected everything is. 

2. The Beekeeper 

The Beekeeper (2024), directed by David Ayer, follows Adam Clay, portrayed by Jason Statham, who is a beekeeper in the country who raises and sells honey. He lives next to an older woman who rents his place out to him and takes care of him. However, one day she responds to a phishing scam from a data mining company which then steals everything in not only her bank account but also the account of a non-profit she helped found, causing her to kill herself. Adam then works to get back on thieving tech bros that use the latest technology to take advantage of people online.   This hacking movie depicts immensely well the detrimental impacts and fallout cybercrime can have. Phishing scams are the most common way for cybercriminals to steal data and money. So, this movie hits even closer to the heart as viewers realize this could happen to any of them. The main character acts as an enforcer of justice as he goes after cybercriminals that are good at hiding their steps and so usually don’t face the consequences for their crimes by law enforcement.  

1. The Imitation Game 

The Imitation Game is a biographical drama directed by Morten Tyldum, based on the life of Alan Turing, a renowned mathematician and cryptanalyst during World War II. The movie follows the real-life events of Turing as he is recruited by the British government to join a team tasked with deciphering the Enigma code used by Nazi Germany. Turing uses unorthodox methods to work tirelessly to break the code, a task vital to Allied victory.  This movie is different from the other ones on the list due to its mostly “non-fiction” nature. This movie depicts a very real-life issue where coding, a part of hacking, was essential to the survival of millions of people. The Imitation Game highlights Turing's pivotal role in history while shedding light on the complexities of his life and legacy. At the same time, it documents the impact of the team put together to figure out this essential code against the Nazis.  

Conclusion 

We hope at least some of these hacking movies may have piqued your interest. Whether you’re a fan of older movies from the 90s or a newer one from just this year, whether a fictional storyline or nonfiction one, at least one of these should have piqued your interest. I hope we cybersecurity enthusiasts will have more of these movies coming out around the corner.

A new survey, "Cyber Insurance and Cyber Defenses 2024: Lessons from IT and Cybersecurity Leaders," highlights the impact of cyber insurance on security investments. According to the report, 97% of organizations with a cyber policy enhanced their defenses to comply with insurance requirements. Among these, 76% stated that the improvements helped them qualify for coverage, 67% achieved better pricing, and 30% obtained improved policy terms. The survey, conducted by security company Sophos, also revealed that recovery costs from cyberattacks are outpacing insurance coverage. Only one percent of those that made a claim said that their carrier funded 100% of the costs incurred while remediating the incident.

Cyber Insurance and Cyber Defenses 2024

The most common reason for the policy not paying for the costs in full was because the total bill exceeded the policy limit. According to The State of Ransomware 2024 survey, recovery costs following a ransomware incident increased by 50% over the last year, reaching $2.73 million on average.  “The Sophos Active Adversary report has repeatedly shown that many of the cyber incidents companies face are the result of a failure to implement basic cybersecurity best practices, such as patching in a timely manner. In our most recent report, for example, compromised credentials were the number one root cause of attacks, yet 43% of companies didn’t have multi-factor authentication enabled,” said Chester Wisniewski, director, global Field CTO.   “The fact that 76% of companies invested in cyber defenses to qualify for cyber insurance shows that insurance is forcing organizations to implement some of these essential security measures. It’s making a difference, and it’s having a broader, more positive impact on companies overall. However, while cyber insurance is beneficial for companies, it is just one part of an effective risk mitigation strategy. Companies still need to work on hardening their defenses. A cyberattack can have profound impacts for a company from both an operational and a reputational standpoint, and having cyber insurance doesn’t change that.”  Across the 5,000 IT and cybersecurity leaders surveyed, 99% of companies that improved their defenses for insurance purposes said they had also gained broader security benefits beyond insurance coverage due to their investments, including improved protection, freed IT resources and fewer alerts.  “Investments in cyber defenses appear to have a ripple effect in terms of benefits, unlocking insurance savings that organizations can be diverted into other defenses to more broadly improve their security posture. As cyber insurance adoption continues, hopefully, companies’ security will continue to improve. Cyber insurance won’t make ransomware attacks disappear, but it could very well be part of the solution,” said Wisniewski.  Data for the Cyber Insurance and Cyber Defenses 2024: Lessons from IT and Cybersecurity Leaders report comes from a vendor-agnostic survey of 5,000 cybersecurity/IT leaders conducted between January and February 2024. Respondents were based in 14 countries across the Americas, EMEA and Asia Pacific. Organizations surveyed had between 100 and 5,000 employees, and revenue ranged from less than $10 million to more than $5 billion.

Netflix is renowned for its diverse and engaging lineup of drama-filled shows that cater to a wide array of audiences. Among its extensive catalog, Netflix has also produced and curated a significant number of series that delve into the complex and often thrilling world of technology and cybersecurity. These shows not only entertain but also shed light on the intricate issues and challenges that define the digital age. In this article, we highlight some of the best cybersecurity-themed shows available on Netflix. These selections range from riveting docuseries that explore real-life cybercrimes and the people behind them, to fictional dramas that imagine high-stakes scenarios involving hacking, data breaches, and digital espionage. Whether you are a tech enthusiast, a cybersecurity professional, or simply someone who enjoys a good thriller, these shows offer a fascinating look at the digital world's darker side. Join us as we explore these top-notch series that bring the exciting and often perilous world of cybersecurity to your screen.

Best Cybersecurity Shows on Netflix

 7. The Great Hack 

The Great Hack is a 2019 Netflix documentary that explores the Cambridge Analytica scandal and its impact on privacy and democracy. The film discloses how the political consulting firm used personal data derived from Facebook to influence voter behaviors in various elections like the 2016 U.S. presidential election and the Brexit referendum. There are key figures from the actual events like data scientists and former Cambridge Analytica employees who share their thoughts on the ethical implications and societal impact of data exploitation.   This is one of those cybersecurity shows on Netflix that is a particularly great watch as it aims to share with the public the extent to which personal data can be manipulated to sway public opinion.  It also helps the audience critically evaluate the security and political climate of the world they’re living in as it raises questions about data privacy, corporate power, and the role of democracy in a digital world. 

6. The Billion Dollar Code 

The Billion Dollar Code is a 2021 German Netflix drama series that follows two young German computer enthusiasts who develop TerraVision in the 1990s. TerraVision was an innovative software that allowed users to virtually navigate the globe using satellite images, which is similar to what Google Earth does today. These initial idea and development phases lead to their eventual legal battle against Google, who accuse them of infringing on their creation of Google Earth.   This show consists of courtroom drama and flashbacks that cover the steps of innovation and the battles surrounding intellectual property in the tech industry. The movie provides insight into the moral dilemmas faced by inventors when working with or against powerful corporations. 

5. Connected 

Connected is a 2020 Netflix docuseries hosted by science journalist Latif Nasser, who explores the different ways in which aspects of our world are interconnected. Each episode dives into a different subject, ranging from surveillance to the human microbiome, and how they could be linked through hidden patterns and systems. Nasser meets with experts all over the globe and uncovers stories that reveal the science and history behind these connections. This is one of those cybersecurity shows that has a very broad concept, but there are specific episodes that explore technology-based matters. Weather forecasting devices, surveillance technology, and nuclear weapons are some of the topics they explore. It is a great educational show to look at how the cyberworld is intertwined with the physical world.

4. Cyber Hell: Exposing an Internet Horror 

Cyber Hell: Exposing an Internet Horror is a 2022 Netflix documentary that investigates the dark underbelly of the Internet. It focuses on a terrible case of digital exploitation in South Korea dubbed the "Nth Room" case. This case followed a network of online chat rooms where anonymous users exploited and blackmailed young women and minors into producing explicit content. These crimes utilised encrypted messaging apps which made it difficult for law enforcement to track down the perpetrators. This documentary follows victims’ advocates, journalists, and most notably, cybercrime experts, as they break down the web of digital abuse and try to successfully apprehend the offenders. It highlights the challenges of combating cybercrime in an age of increasing digital anonymity and highlights the dangerous need for stronger online protections. The film acts as a reminder of the real-world consequences of unchecked digital behavior. 

3. The Future Of 

The Future Of is a 2022 Netflix docuseries that explores how cutting-edge innovations and technologies might shape various aspects of our lives in the near future. Each episode focuses on a different topic, such as gaming, food, fashion, space exploration, and love. Through interviews with experts, futurists, and industry leaders, the series presents a blend of scientific predictions and creative speculation of where these topics may go.  It uses current advancements to create possible scenarios, highlighting the many possibilities but also the ethical dilemmas that come with extensive technological progress. This show inspires curiosity about what's to come but also probes viewers to think critically about the implications of technology on society. 

2. Love, Death + Robots. 

Love, Death + Robots is a Netflix animated anthology series that features a collection of short stories surrounding science fiction, fantasy, horror, and comedy. This show is known for its mix of animation styles, ranging from photorealistic CGI to traditional 2D animation. Each episode offers its own unique narratives that explore themes such as AI, dystopian futures, and extra-terrestrials. Love, Death + Robots differs from the other shows due to its fictional nature sports mature themes, and provides fresh and innovative takes on the development of technology through an animated form of storytelling.

1. Black Mirror 

"Black Mirror" is one of Netflix’s most popular series, it follows an anthology format where every episode explores a different dark and often dystopian side of technological advancements. Each standalone episode presents a story set in a near-future or alternate present, delving into the consequences of human beings’ relationship with technology. The series tackles themes like surveillance, virtual reality, social media, AI, and human consciousness.  Black Mirror forces viewers to confront the darker aspects of technological progress and its impact on human behavior and societal norms as it highlights the potential for misuse and ethical dilemmas. This show has garnered critical acclaim for its ability to provoke reflection on the potential future of humanity in an extensive digital world, even having an episode that criticizes its very own streaming service, Netflix.  We hope at least one of these may have triggered your interest. Especially as there’s a show in there for everybody. Whether you’re interested in learning about real-life cybersecurity events that have occurred, or curious about predictive storylines that address the dangers of advanced technology.  

Microsoft and Proximus Group have formally signed a 5-year strategic partnership, allowing both companies to strengthen their digital lead and accelerate their innovative offerings to business and residential customers in Belgium and abroad. Both Proximus and Microsoft will reinforce their leadership positions thanks to this partnership.  Microsoft will strengthen its use of the best-in-class products of Proximus' international affiliates BICS, Telesign and Route Mobile, while Proximus will benefit from Microsoft's Azure Cloud, leveraging all innovative AI & Data evolutions. The newly formed strategic partnership between Microsoft and Proximus, will allow both parties to leverage their respective expertise and product leadership, accelerated by the power and potential of AI-applications and solutions. It focuses on three key areas: 

• Communication Platform as a Service (CPaaS) and Digital Identity (DI) Collaboration: The partnership will focus on advancing communication platform services, enabling seamless customer engagement across multiple channels. Proximus Group's expertise in CPaaS and DI, with Telesign and Route Mobile enabled by BICS global networks and coverage will drive innovation in customer communication and security services even further thanks to this partnership. Both organizations will increase their collaboration to make the digital world a safer place, by ensuring trusted communication through Digital Identity and anti-fraud solutions. 

• Proximus joining forces with Microsoft for a strategic cloud transformation: Key platforms will be migrated to Azure cloud services, ensuring enhanced scalability, quicker market delivery, and strengthened security. The transformation will accelerate the integration of the newest generative AI technologies in customer service and operations. Additionally, it will provide Proximus engineers with a best-in-class development environment to build innovative products and experiences. 

• Enhanced Go-to-Market for Proximus: Microsoft will work closely with Proximus to optimize its go-to-market strategy, empowering Proximus to optimize its reseller role for Microsoft products and services in Belgium. This collaboration will strengthen Proximus' position as a top-tier Microsoft reseller in the region and will benefit all Proximus customers who are also users of Microsoft products and services. Another concrete example of this collaboration: the two partners are already working hand in hand to bring some particularly innovative sovereign cloud solutions to market. 

Microsoft and Proximus: Advancing Technology

The collaboration between Microsoft and Proximus underscores their shared commitment to drive technological advancement and deliver unparalleled value to customers across Belgium and abroad. Both companies are enthusiastic about the future possibilities and are eager to shape the technological landscape together. Marijke Schroos, General Manager of Microsoft Belux, stated, “This strategic partnership is a confirmation of the shared vision of Microsoft and Proximus when it comes to leveraging the power of innovation through cloud applications and AI innovation. Our combined strengths will create a true powerhouse of technological innovation to the benefit of our partners, customers and society as a whole.” Guillaume Boutin, CEO of Proximus, shared his excitement: “I'm particularly enthusiastic about this partnership, because when two leading companies join forces, the results are bound to be positive. Our international expansion strategy is bearing fruit, as it now puts us in the right position to sign relevant partnerships with the biggest players in the IT and digital sector, such as Microsoft. This strategic partnership represents excellent news for our business and residential customers, which will continue to benefit from cutting-edge technology and seamless connectivity.” Boutin also emphasized the benefits for Proximus: “It’s also good news for Proximus as a group, because it will lead Microsoft to strengthen its use of our best-in-class products suites of CPaaS & DI. This new strategic partnership with Microsoft, which will open up new frontiers in communication services, shows how Proximus Group is on track to further redefine customer experiences in Belgium and abroad thanks to the combined efforts of our international affiliates BICS, Telesign and Route Mobile.”

Internet of Things (IoT) devices—ranging from everyday sensors and smart gadgets to sophisticated appliances—have seamlessly integrated into our lives, enhancing convenience at the cost of increasing cybersecurity risks. IoT devices constantly communicate over the internet, making them potential gateways for unauthorized access and cyber threats. As the fabric of connectivity expands, the urgency to safeguard these devices becomes paramount. In this feature, we explore effective strategies to fortify your IoT devices against potential breaches and cyberattacks, ensuring that convenience does not compromise security.

IoT devices: Use of Insecure or Outdated Components 

Using insecure or outdated components in IoT devices poses cybersecurity risks as whether they’re hardware, firmware, or software, they’re able to contain vulnerabilities that can be exploited by attackers. Manufacturers may not take initiative in updating older components to address newly discovered security flaws, which mean devices can be left exposed and can result in unauthorized access and data breaches.   Ensuring that all devices have regular updates and patches, is essential to mitigate vulnerabilities and enhance the overall security of IoT devices against cyber threats. Using components with built-in security features would further help in safeguarding against potential attacks. By avoiding insecure or outdated components, organizations can make it more challenging for cybercriminals to exploit weaknesses in their IoT infrastructure. 

Lack of Physical Barriers 

A lack of physical barriers in IoT devices can mean attackers can tamper with hardware to extract sensitive data or deploy malicious firmware. This is cause for concern in devices located in public or unmonitored locations. Implementing physical security measures is essential to protect IoT devices from such threats. This includes using tamper-evident seals, secure enclosures, and access controls to restrict physical access.   Additionally, devices with the ability to detect and respond to physical tampering by triggering alarms or disabling functionality would be helpful. Ensuring that physical security is integrated into the overall security strategy helps protect devices from things like hardware manipulation and data extraction. 

Installation of Insecure Network Services 

Installing insecure network service such as web interfaces, communication protocols, or management APIs, may be essential for device functionality, but can become entry points for attackers if not properly secured. Insecure network services may expose devices to risks such as unauthorized access, data breaches, and remote code execution. To mitigate these risks, it is crucial to implement secure configurations, disable unnecessary services, and use strong authentication mechanisms.   Regular security assessments and vulnerability scans can help identify and address potential weaknesses in network services. Using secure communication protocols like TLS/SSL, and ensuring proper access controls, can further enhance the security of network services. By securing network services, organizations can protect IoT devices from exploitation, safeguard sensitive data, and maintain the integrity and availability of their IoT systems. 

Lack of Secure Update System 

A lack of a secure update system in IoT devices can leave them vulnerable to exploitation and compromise. Regular updates are essential for patching security vulnerabilities, adding new features, and improving overall device performance. Without a secure update mechanism, devices may remain exposed to known vulnerabilities, increasing the risk of cyber-attacks.   Implementing a secure update system involves using encrypted and authenticated update packages, ensuring that only legitimate updates are applied. Devices should be able to support over-the-air (OTA) updates to allow for timely and efficient patching. Regularly updating device firmware and software is crucial for maintaining the security and functionality of IoT devices.  

Insufficient Privacy Protection 

Insufficient privacy protection in IoT devices can lead to risks including unauthorized access and data breaches. IoT devices often collect and transmit vast amounts of personal data, making them attractive targets for cybercriminals. Without the proper privacy measures, this data can be intercepted, accessed, or misused, compromising user confidentiality and trust. Ensuring privacy protection involves implementing strong encryption protocols, secure data storage, and strict access controls.   These measures help protect data both in transit and at rest, reducing the risk of exposure. Additionally, adhering to privacy-by-design principles during the development of IoT devices ensures that privacy considerations are integrated from the outset. This includes conducting regular privacy impact assessments and adopting transparency practices, such as clear user consent mechanisms and data anonymization techniques. By prioritizing privacy protection, organizations can enhance user trust, comply with regulatory requirements, and safeguard sensitive information from potential cyber threats. 

Google's Chrome browser is making a significant security move by distrusting certificates issued by Entrust, a prominent Certificate Authority (CA), beginning late 2024. This decision throws a wrench into the operations of numerous websites including those of major organizations like Bank of America, ESPN, and IRS.GOV, among others.

Digital certificates (SSL/TLS) play a vital role in ensuring secure connections between users and websites. These certificates issued by trusted CAs act as a security seal - more like a blue tick for websites - and helps users gauge the legitimacy of the website. It also ensures an encrypted communication to prevent data breaches.

However, Chrome is removing Entrust from its list of trusted CAs due to a concerning pattern of "compliance failures, unmet improvement commitments, and the absence of tangible, measurable progress" over the past six years. Entrust's repeated shortcomings in upholding security standards have led Google to lose confidence in their ability to act as a reliable CA.

"It is our opinion that Chrome’s continued trust in Entrust is no longer justified." - Google Chrome

This move also extends to AffirmTrust, a lesser-known provider acquired by Entrust. While these certificates account for only a small fraction (0.1%) compared to Let's Encrypt (49.7%), the impact is still significant considering organizations like Bank of America, BookMyShow, ESPN and even government websites like IRS.gov, which have high internet traffic volumes, are also certified by Entrust.

[caption id="attachment_79569" align="aligncenter" width="1024"] Bank of America and IRS.gov certificates as displayed on Chrome Certificate Viewer[/caption]

What This Means for Users and Website Owners

Starting November 1, 2024, Chrome users encountering websites with distrusted Entrust certificates will be met with a full-page warning proclaiming the site as "not secure."

[caption id="attachment_79563" align="aligncenter" width="1024"] Sample of how Chrome will display warning for websites having a certificate from Entrust or AffirmTrust (Source: Google)[/caption]

This warning only applies to certificates issued after October 31, 2024, providing a grace period for websites with existing Entrust certificates. However, as certificates have lifespans, website owners must transition to a different CA before expiration. Considering its market share Let's Encrypt, a free and trusted option, comes highly recommended.

This shift is crucial for maintaining a secure web environment. When a CA fails to meet expectations, it jeopardizes the entire internet ecosystem. Chrome's decision prioritizes user protection by eliminating trust in potentially compromised certificates.

Website owners using impacted Entrust certificates should act swiftly to switch to a different CA. The Chrome Certificate Viewer can be used to identify certificates issued by Entrust. While this may seem inconvenient, it's necessary to ensure continued user access without security warnings.

Potential Workaround Only on Internal Networks

Large organizations managing internal networks have some leeway. Chrome allows enterprises to bypass these changes by installing the affected certificates as trusted on their local networks. This ensures internal websites using these certificates function normally.

The Entrust Controversy: A Deeper Look

Further context emerges from discussions on Mozilla's Bug Tracker (Bug 1890685). It reveals a critical issue – Entrust's failure to revoke a specific set of Extended Validation (EV) TLS certificates issued between March 18 and 21, 2024. This violated their own Certification Practice Statement (CPS).

Entrust opted against revoking the certificates, citing potential customer confusion and denying any security risks. However, this decision sparked outrage. Critics emphasized the importance of proper revocation procedures to uphold trust in the CA system. Entrust's prioritization of customer convenience over security raised concerns about their commitment to strict adherence to security best practices.

A detailed post on Google Groups by Mike Shaver sheds further light on the situation. Shaver expresses doubt in Entrust's ability to comply with WebPKI and Mozilla Root Store Program (MRSP) requirements. Despite attempts to address these concerns, Entrust's handling of certificate revocation, operational accountability, and transparency remain under scrutiny.

Shaver points out Entrust's tendency to prioritize customer convenience over strict adherence to security standards. He also criticizes the lack of detailed information regarding organizational changes and Entrust's failure to meet Mozilla's incident response requirements. Until Entrust demonstrates substantial improvements and transparency, continued trust in their certificates poses a significant risk to the overall web PKI and the security of internet users.

But this is not the end of it. In fact it is just the tip of the ice berg. Shaver's comments in the forum are in response to a host of compliance incidents between March and May related to Entrust. Ben Wilson summarized these recent incidents in a dedicated wiki page.

"In brief, these incidents arose out of certificate mis-issuance due to a misunderstanding of the EV Guidelines, followed by numerous mistakes in incident handling including a deliberate decision to continue mis-issuance," Wilson said.

This is a very serious shortcoming on Entrust's behalf considering the stringent norms and root store requirements, he added.

However, Chrome's decision to distrust Entrust certificates sends a strong message – prioritizing user safety requires holding CAs accountable for upholding the highest security standards.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Researchers from Austria's Graz University of Technology have uncovered a novel side-channel attack called SnailLoad that exploits network latency to infer user activity. SnailLoad is a non-invasive attack technique that could allow attackers to gather information about websites visited or videos watched by victims without needing direct access to their network traffic.

How The SnailLoad Exploit Works

SnailLoad takes advantage of the bandwidth bottleneck present in most internet connections. When a user's device communicates with a server, the last mile of the connection is typically slower than the server's connection. An attacker can measure delays in their own packets sent to the victim to deduce when the victim's connection is busy. [caption id="attachment_79548" align="alignnone" width="1287"] Source: snailload.com[/caption] The attack masquerades as a download of a file or any website component (like a style sheet, a font, an image or an advertisement). The attacking server sends out the file at a snail's pace, to monitor the connection latency over an extended period of time. The researchers decided to name the technique 'SnailLoad' as "apart from being slow, SnailLoad, just like a snail, leaves traces and is a little bit creepy." The attack requires no JavaScript or code execution on the victim's system. It simply involves the victim loading content from an attacker-controlled server that sends data at an extremely slow rate. By monitoring latency over time, the attacker can correlate patterns with specific online activities. The researchers have shared the conditions required to recreate the SnailLoad attack:

• Victim communicates with the attack server.
• Communicated server has a faster Internet connection than the victim's last mile connection.
• Attacker's packets sent to victim are delayed if the last mile is busy.
• Attacker infers website visited or video watched by victim through side-channel attack.

In the related user study detailed in the SnailLoad research paper, the researchers approached local undergraduate and graduate students who volunteered to run a measurement script that employs the SnailLoad attack technique. The researchers took steps to ensure that no personal information had been exposed to information leakage at any point. Furthermore, the researchers had planned to destroy collected traces after the paper had been published and offer students the option to directly request the deletion of traces or exclusion of their traces in the paper's results at any point. The researchers reported the attack technique to Google on March 9 under the responsible disclosure section of their paper, with Google acknowledging the severity of the issue. The tech giant also stated that it was investigating possible server-side mitigations for YouTube.  The researchers shared working proof of concept on GitHub along with instructions and an online demo.

SnailLoad Implications and Mitigation

In testing, SnailLoad was able to achieve up to 98% accuracy in identifying YouTube videos watched by victims. It also showed 62.8% accuracy in fingerprinting websites from the top 100 most visited list. While not currently observed in the wild, SnailLoad could potentially affect most internet connections. Mitigation is challenging, as the root cause stems from fundamental bandwidth differences in network infrastructure. The researchers stated that while adding random noise to the network can reduce the accuracy of the attack, it could impact performance and cause inconvenience to users. As online privacy concerns grow, SnailLoad highlights how even encrypted traffic could potentially be exploited to leak information through subtle timing differences. Further research could be required to develop effective countermeasures against this new class of remote side-channel attacks.

Cyble Research & Intelligence Labs (CRIL) analyzed 23 vulnerabilities in its weekly vulnerability report for June 19-25, including critical flaws in products from the likes of Microsoft, Adobe, MOVEit and more. The report focuses on 10 vulnerabilities in particular: Three in Microsoft products – including a 7-year-old Office flaw facing new exploits – and one each in products from Adobe, MOVEit, VMware, Fortra, Phoenix Technologies, SolarWinds, and Themify. Thousands of new security vulnerabilities are discovered each year, yet only a small percentage of those are actively exploited by threat actors. To help security teams focus on the most important vulnerabilities and threats, The Cyber Express each week partners with Cyble’s highly skilled dark web and threat intelligence researchers to highlight security vulnerabilities that warrant particularly close attention.

The Week’s Top Vulnerabilities

These are the 10 high-severity and critical vulnerabilities Cyble researchers focused on this week.

CVE-2024-5276

Impact Analysis: This critical SQL Injection vulnerability in Fortra FileCatalyst Workflow, a web-based file transfer platform accelerating large file exchanges, allows an attacker to modify application data, with likely impacts including the creation of administrative users and deletion or modification of data in the application database. It is worth noting that data exfiltration via SQL injection is not possible by leveraging the vulnerability; further successful unauthenticated exploitation requires a Workflow system with anonymous access enabled; otherwise, an authenticated user is required. Internet Exposure? No Patch Available? Yes

CVE-2024-5806

Impact Analysis: This critical improper authentication vulnerability impacts Progress MOVEit Transfer (SFTP module), which can lead to authentication bypass in the secure managed file transfer application. With successful exploitation, an attacker could access sensitive data stored on the MOVEit Transfer server; upload, download, delete, or modify files; and intercept or tamper with file transfers. Within a day of the vendor disclosing the vulnerability, security researchers started to observe exploitation attempts targeting it due to its vast exposure and impact, Cyble researchers noted. Patch Available? Yes

CVE-2024-0762

Impact Analysis: This high-severity buffer overflow vulnerability impacts unsafe UEFI variable handling in Phoenix SecureCore, an advanced UEFI firmware solution developed for client PCs, notebooks, and IoT/embedded devices. The vulnerability could be exploited to execute code on vulnerable devices. Furthermore, given the enormous number of Intel CPUs that use this firmware, the vulnerability might affect hundreds of models from vendors, including Lenovo, Dell, Acer, and HP, Cyble researchers noted. Internet Exposure? No Patch Available? Yes

CVE-2024-34102

Impact Analysis: This critical improper restriction of XML external entity reference ('XXE') vulnerability impacts Adobe Commerce, a leading digital commerce solution for merchants and brands. An attacker could exploit this vulnerability by sending a crafted XML document that references external entities, leading to arbitrary code execution. Patch Available? Yes

CVE-2024-28995

Impact Analysis: The high severity directory transversal vulnerability impacts SolarWinds Serv-U, a secure managed file transfer (MFT) solution. Successful exploitation of the vulnerability could allow threat actors access to read sensitive files on the host machine. Recently researchers have observed active exploitation of vulnerability leveraging publicly available proof-of-concept (PoC) exploits. Patch Available? Yes

CVE-2017-11882

Impact Analysis: The high-severity vulnerability impacts Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016. It could allow an attacker to run arbitrary code in the context of the current user by failing to handle objects in memory properly. Recently, researchers uncovered that this 7-year-old vulnerability was leveraged in cyberespionage campaigns orchestrated by alleged state-sponsored groups. Internet Exposure? No Patch Available? Yes

CVE-2024-6027

Impact Analysis: The high-severity vulnerability impacts the Themify WooCommerce Product Filter plugin for WordPress, which could lead to time-based SQL Injection via the ‘conditions’ parameter. Exploiting the vulnerability makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Internet Exposure? Yes Patch Available? Yes – upgrade to version 1.5.0

CVE-2024-37079

Impact Analysis: Cyble also addressed this vulnerability in last week’s vulnerability report. The critical severity heap-overflow vulnerability impacts the VMware vCenter Server, a central management platform for VMware vSphere that enables the management of virtual machines and ESXi hosts. Given the global usage of the impacted product and the history of leveraging the flaws impacting vCenter, Cyble said there are possibilities that threat actors (TAs) could also leverage this critical vulnerability. Internet Exposure? Yes Patch Available? Yes

CVE-2024-30103

Impact Analysis: This high-severity remote code execution (RCE) vulnerability impacts Microsoft Outlook. Since the RCE flaw can be exploited simply by opening and previewing an email that contains a malicious payload in the body, requiring no further interaction from the user, there are high possibilities for TAs to weaponize the vulnerability in targeting government and private entities. Internet Exposure? No Patch Available? Yes

CVE-2024-30078

Impact Analysis: This high severity remote code execution (RCE) vulnerability impacts Windows Wi-Fi Driver. With the wide usage of Windows devices around the world and the ability to exploit without the need for any user interaction, TAs can leverage the flaw to gain initial access to the devices and later install malware and exfiltrate user data. Internet Exposure? No Patch Available? Yes

Dark Web Exploits

Cyble’s scans of customer environments found nearly a million exposed assets for just 7 vulnerabilities this week. Nearly 200,000 assets were exposed to the the VMware vCenter Server vulnerability, while a PHP vulnerability (CVE-2024-4577) reported two weeks ago continues to dominate, affecting nearly 600,000 exposed assets. Cyble researchers also observed five instances of alleged zero-day vulnerabilities being offered on sale on underground forums, plus a number of exploits/proof of concepts/custom scripts observed over underground forums. The full report available for clients covers all these vulnerabilities, along with details and discussion around exploits found on the dark web, industrial control system (ICS) vulnerability intelligence, and cybersecurity defenses.

Security experts have identified multiple vulnerabilities in widely used industrial gas chromatographs manufactured by Emerson Rosemount. These flaws could potentially allow malicious actors to access sensitive information, disrupt operations and execute unauthorized commands. Gas chromatographs are critical instruments used for analyzing chemical compounds across a range of industries, including environmental facilities, hospitals, and food processing companies. These devices are critical for ensuring the accuracy of gas measurements and the safety of the environment, patients, and consumers.

Flaws in Emerson Rosemount Gas Chromatographs

Operational technology security firm Claroty discovered the vulnerabilities, which include two command injection flaws and two authentication bypass issues. If exploited, these flaws could enable unauthenticated attackers to run arbitrary commands, access sensitive data and gain administrative control. [caption id="attachment_79530" align="alignnone" width="649"] Source: Wikipedia[/caption] [caption id="attachment_79525" align="alignnone" width="1476"] Emulated system (Source: claroty.com)[/caption] To study the Emerson Rosemount 370XA gas chromatograph, commonly used in industrial settings for gas analysis, the researchers took efforts to emulate the systems. This complex process was undertaken because the physical device could cost over $100,000 while the research was limited to a six-week project. The emulation process involved download and extraction of the device firmware from the official Emerson Rosemount website, and a search for an application that could implements its proprietary protocols. The researchers used the QEMU emulator to emulate the PowerPC architecture used by the gas chromatograph and run the extracted firmware. Upon investigation, the researchers were able to uncover four key vulnerabilities:

• CVE-2023-46687: Allows remote execution of root-level commands without authentication (CVSS score: 9.8)
• CVE-2023-49716: Enables authenticated users to run arbitrary commands remotely (CVSS score: 6.9)
• CVE-2023-51761: Permits unauthenticated users to bypass authentication and gain admin access by resetting passwords (CVSS score: 8.3)
• CVE-2023-43609: Allows unauthenticated users to access sensitive information or cause denial-of-service (CVSS score: 6.9)

The U.S. Cybersecurity and Infrastructure Security Agency issued an advisory in January warning that successful attacks could lead to "denial-of-service conditions" and unauthorized system access. The affected models include GC370XA, GC700XA and GC1500XA running firmware versions 4.1.5 and earlier.

Industry Impact and Mitigation

Gas chromatographs play a crucial role in various sectors, from environmental monitoring to medical diagnostics. Compromised devices could have far-reaching consequences. In food processing, attacks on chromatographs might prevent accurate bacteria detection, halting production. In healthcare settings, disrupted blood sample analysis could impact patient care. Emerson has released updated firmware addressing these vulnerabilities. The Claroty researchers said they "appreciate Emerson for its swift response and cooperation, which demonstrates their dedication to our shared goal." Emerson advises customers to apply the patches and implement best practices in the cybersecurity industry according to current standards. The firm stated, "In addition, Emerson recommends end users continue to utilize current cybersecurity industry best practices and in the event such infrastructure is not implemented within an end user’s network, action should be taken to ensure the Affected Product is connected to a well-protected network and not connected to the Internet. In its advisory CISA shared the following recommendations for securing these systems:

• Minimize network exposure: Ensure that control system devices and/or systems,  are not publicly accessible from the internet.
• Locate control system networks:  Place remote devices behind firewalls and isolate them from business networks
• Secure Remote Access: Use Virtual Private Networks (VPNs) to secure remote access. However, the agency also warned of potential inherent risks in VPNs, asking organizations and businesses to be aware of them.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures," the advisory stated.

Hackers have claimed three prominent cyberattacks in Italy in the last 24 hours. The Italy ransomware attacks were allegedly carried out by the RansomHub and RansomHouse groups. RansomHub targeted the websites of the Cloud Europe and Mangimi Fusco firms, while RansomHouse took credit for orchestrating a cyberattack on Francesco Parisi.

Details of Italy ransomware attacks

Cloud Europe is a Tier IV certified carrier-neutral data center located in Rome’s Tecnopolo Tiburtino. According to details on the company website, it specializes in the design and management of data centers, with particular attention to the problems of security and service continuity. The company builds, hosts and manages modular infrastructure for customer data centers in the private and public sectors. [caption id="attachment_79490" align="alignnone" width="1173"] Source: X[/caption] The threat actor RansomHub claimed to have encrypted the servers of Cloud Europe, exfiltrating more than 70 TB of its data. “In addition, we have stolen over 541.41 GB of your sensitive data, obtained access to another company from your sensitive transformations,” RansomHub stated on its site. The other company targeted by RansomHub is Mangimi Fusco, which is an animal food manufacturer. It also supplies farm products and raw materials to wholesale merchants. According to the ransomware group, it has stolen 490 GB of “Private and confidential data, client documents, budget, payroll, accounting, contracts, taxes, IDs, finance information, etc…we give you three days to come for negotiations.” [caption id="attachment_79491" align="alignnone" width="1189"] Source: X[/caption] Meanwhile, RansomHouse has allegedly breached the website of Francesco Parisi, which is a group of freight forwarding and shipping agents. It was established by Francesco Parisi in Trieste and has been operating in Central Europe since 1807. The group has around 100 employees and has a revenue of $13.7 million. The ransomware group claims that it stole 150 GB of the company’s data on May 29. [caption id="attachment_79492" align="alignnone" width="1491"] Source: X[/caption] Despite these claims, a closer inspection reveals that that the websites of Cloud Europe and Mangimi Fusco seem to be functioning normally, showing no signs of the ransomware attack as alleged by the threat actor. However, Francesco Parisi has put up a disclaimer on its home site which reads, “Important notice: Hacker Attack. We are aware that our infrastructure was subjected to a hacker attack. We want to reassure our users, customers and suppliers that we have immediately taken the necessary measures to restore operations and protect their data. Safety is a top priority. We are working hard to investigate the incident and implement additional security measures to prevent future attacks. We apologize for any inconvenience this event may have caused. We will keep you informed of developments in the situation and will let you know as soon as we have further information. In the meantime, if you have any questions or concerns, please feel free to contact us. Thank you for understanding.” [caption id="attachment_79494" align="alignnone" width="1196"] Source: X[/caption] Meanwhile, The Cyber Express has reached out to both Cloud Europe and Mangimi Fusco regarding the purported cyberattack orchestrated by the RansomHub group. However, at the time of publication, no official statements or responses have been received, leaving the claims of the ransomware cyberattack on these entities unverified.

Inglorious Past of RansomHub, RansomHouse

The origins of RansomHub trace back to February 2024, when it emerged as a Ransomware-as-a-Service (RaaS) on cybercrime forums. They employ sophisticated encryption techniques and target organizations predominantly in the IT & ITES sector. RansomHub has hackers from various global locations united by a common goal of financial gain. The gang openly mentions prohibiting attacks on non-profit organizations. RansomHouse emerged in March 2022 and is labelled as a multi-pronged extortion threat. In the words of RansomHouse representatives, the group claims to not encrypt data and that they are ‘extortion only,’ claiming itself as a ‘force for good’ that intends ‘shine a light’ on companies with poor security practices. The group has been observed accepting only Bitcoin payments.  Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A convincing live stream featuring a seemingly-legitimate Donald Trump YouTube channel quickly gained massive traction before the U.S. Presidential debate Thursday, reaching nearly half the number of subscribers as the official Donald Trump YouTube channel before it was taken down. The channel and Trump deepfake urged viewers to donate in cryptocurrency, with promises of substantial rewards in exchange. The video was titled with keywords related to the official Presidential debate between Trump and Biden while sharing a fake promotional website and QR code for donations through Bitcoin, Ethereum, Doge and Tether cryptocurrencies.

Fake Trump Cryptocurrency Promotion Scam Streamed Ahead of Presidential Debate

The timing of the fake live stream coincided with the scheduled debate this week between current U.S. President Joe Biden and former President and challenger Donald J. Trump. Scammers behind the campaign appeared to be taking advantage of actual statements made by Trump supporting cryptocurrency in the past, coupled with a repeated AI-generated video where he sits alongside popular YouTuber Logan Paul to speak about promoting cryptocurrency within the United States if elected. [caption id="attachment_79454" align="alignnone" width="1351"] Screenshot taken from the livestream.[/caption] The fake video appears to stem from an edit of a podcast video where Trump joined the YouTuber to speak on various issues, including the election, U.S. politics, his personal life and his opponent. The edited fake video shared a QR code and website (donaldtrump[.]gives) where viewers could be tricked into making donations. The website incorporates official Trump campaign branding for the 2024 presidential election, sharing instructions for participation in the "unique event," a multiplier to lure visitors with calculations on how much cryptocurrency they would receive in return for their donation, and a "live" feed of ongoing donations made to the shared cryptocurrency addresses. [caption id="attachment_79477" align="alignnone" width="690"] Cryptocurrency addresses involved with the scam[/caption] "During this unique event, you have the opportunity to take a share of 2,000 BTC & 50,000 ETH & 500,000,000 DOGE & 50,000,000 USDT. Have a look at the rules and don't miss out on this. You can only participate once!" the scam website stated. According to details from a WhoIs lookup, the website appears to have been registered on June 27th, the same day as the Presidential debate, using a Russian registrant.

YouTube Channel Connected To Scam Taken Down

The YouTube channel behind this promotion was taken down shortly after a report to YouTube, but the website promoted during the stream still appears to be up and running. The channel was noted to have about 1.38 million subscribers before its takedown, nearly half the subscriber count (2.9 million) for the official Donald J Trump YouTube channel. [caption id="attachment_79462" align="alignnone" width="606"] Email confirmation of Channel takedown[/caption] It is unknown if the live transaction feed featured on the scam website reflects actual real-time transactions. The full extent and the victim count from this cryptocurrency scam is unknown; details of the campaign have been sent to CRIL (Cyble Research and Intelligence Labs) researchers for further investigation. [caption id="attachment_79474" align="alignnone" width="2604"] Screenshot of alleged transactions[/caption] The campaign highlights the threat of Artificial Intelligence content to election-related processes, legitimate campaign donations and impersonation of candidates or well-known figures. In a recent incident, crypto scammers had taken over the YouTube channel of Channel 7 News Australia to use a deepfake Elon Musk to promote dubious crypto investments.

💾

Indonesia’s civil aviation authority has alleged suffered a massive security breach where a threat actor has claimed to have accessed critical data related to handling of air traffic in the country. The Indonesian civil aviation data breached was allegedly orchestrated by a threat actor, operating under the alias, “Hacker Mail”. The threat actor has alleged exfiltrated more than 3GB of database which includes all employees and passwords for all applications, website user data, ID card photo data for all employees, drone pilot certificate participants, and flight data related to aircraft, pilot’s personal data, as well as all other activities in Indonesian airports.

Decoding Indonesian Civil Aviation Data Breach

The threat actor’s post on hacking site Breachforums, stated that the exfiltration of data occurred on June 27,2024. In his post, the hacker stated, “The Directorate General of Civil Aviation (DGCA) is an element that implements some of the duties and functions of the Indonesian Ministry of Transportation, which is under and responsible to the Minister of Transportation. The Directorate General of Civil Aviation is led by the Director General. The Directorate General of Civil Aviation has the task of formulating and implementing policies and technical standardization in the field of air transportation. The Directorate General of Civil Aviation handles the administration and management of civil aviation within the Unitary State of the Republic of Indonesia.” To substantiate the data breach claim, the threat actor attached the following sample records.

• User log for small, unmanned aircraft certificates, remote pilot certificate and unmanned aircraft operation approval.

In this sample of data leak, the cyberattacker has claimed to  expose sensitive personal information of pilots, IP address used to login and date and time of login. The data is for users who logged in to one of the applications of the DGCA on 08/15/2022 and 08/16/2022.

• Sample chats which probably refer to communication of DGCA employees with pilots on 04/13/2022
• ID card photo data for all employees
• Userrname and password of employees who logged on to a DGCA application

Despite these high-profile declarations, a closer inspection reveals that Indonesia’s DGCA website is currently functioning normally, showing no signs of a security breach. The Cyber Express has reached out to the DGCA officials to verify the alleged cyberattack. The authorities too are yet to release an official statement or response regarding the reported data breach, leaving the claims unverified as of now. The article too would be updated if any information is provided by the officials.

Indonesia Battles Three Major Cyberattack Claims in One Week

Hackers have recently carried out allegedly three major cyberattacks on key Indonesian establishments. Last week, a ransomware attack on Indonesia’s national data center has disrupted official government services including immigration services at airports. The attack has reportedly affected more than 200 government agencies at national and regional levels. The attack was carried out by LockBit 3.0 ransomware, a variant known for encrypting victims’ data and demanding payment for its release. The attackers had offered a decryption key in exchange for an $8 million ransom. The AFP however reported that the Indonesian government though refused to pay the ransom but admitted that the cyberattack would have been rendered useless if there was a backup to the main server. Earlier this week, a hacker “MoonzHaxor” had claimed to have breached Indonesian Military's (TNI) Strategic Intelligence Agency (Bais) and offered to sell this data for $1,000 USD. The same hacker had announced breaching Indonesia's Automatic Finger Identification System (Inafis) owned by the National Police (Polri). The data reportedly includes fingerprint images, email addresses, and SpringBoot application configurations. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A critical security flaw has been uncovered in the Vanna.AI library, exposing SQL databases to potential remote code execution (RCE) attacks through prompt injection techniques. Tracked as CVE-2024-5565 with a CVSS score of 8.1, this Vanna AI vulnerability allows malicious actors to manipulate prompts in Vanna.AI's "ask" function of Vanna.AI, leveraging large language models (LLMs) to execute arbitrary commands. Vanna.AI is a Python-based machine learning library designed to simplify interaction with SQL databases by converting natural language prompts into SQL queries. This functionality, facilitated by LLMs, enables users to query databases simply by asking questions.

Vanna AI Vulnerability Leads to Remote Code Execution (RCE)

The Vanna AI vulnerability was first identified by cybersecurity researchers at JFrog. They found that by injecting malicious prompts into the "ask" function, attackers could bypass security controls and force the library to execute unintended SQL commands. This technique, known as prompt injection, exploits the inherent flexibility of LLMs in interpreting user inputs. According to JFrog, "Prompt injection vulnerabilities like CVE-2024-5565 highlight the risks associated with integrating LLMs into user-facing applications, particularly those involving sensitive data or backend systems. In this case, the flaw in Vanna.AI allows attackers to subvert intended query behavior and potentially gain unauthorized access to databases." The issue was also independently discovered and reported by Tong Liu through the Huntr bug bounty platform, highlighting its significance and widespread impact potential.

Understanding Prompt Injection and Its Implications

Prompt injection exploits the design of LLMs, which are trained on diverse datasets and thus susceptible to misinterpreting prompts that deviate from expected norms. While developers often implement pre-prompting safeguards to guide LLM responses, these measures can be circumvented by carefully crafted malicious inputs. "In the context of Vanna.AI," explains JFrog, "prompt injection occurs when a user-supplied prompt manipulates the SQL query generation process, leading to unintended and potentially malicious database operations. This represents a critical security concern, particularly in applications where SQL queries directly influence backend operations."

Technical Details and Exploitation

The Vanna AI vulnerability arises primarily from how Vanna.AI handles user prompts within its ask function. By injecting specially crafted prompts containing executable code, attackers can influence the generation of SQL queries. This manipulation can extend to executing arbitrary Python code, as demonstrated in scenarios where the library dynamically generates Plotly visualizations based on user queries. "In our analysis," notes JFrog, "we observed that prompt injection in Vanna.AI allows for direct code execution within the context of generated SQL queries. This includes scenarios where the generated code inadvertently includes malicious commands, posing a significant risk to database security." Upon discovery, Vanna.AI developers were promptly notified and have since released mitigation measures to address the CVE-2024-5565 vulnerability. These include updated guidelines on prompt handling and additional security best practices to safeguard against future prompt injection attacks. "In response to CVE-2024-5565," assures JFrog, "Vanna.AI has reinforced its prompt validation mechanisms and introduced stricter input sanitization procedures. These measures are crucial in preventing similar vulnerabilities and ensuring the continued security of applications leveraging LLM technologies."

Geisinger Healthcare, a leading provider in Pennsylvania's healthcare sector, has recently disclosed a data breach involving the unauthorized access of patient information by a former employee of Nuance, an IT services contractor. This Geisinger Healthcare data breach has impacted over one million patients across its extensive network of care facilities. Founded in 1915, Geisinger operates 134 care sites and ten hospitals, serving 1.2 million individuals across urban and rural Pennsylvania. The non-profit organization is renowned for its commitment to delivering value-based care and employs 26,000 staff, including 1,600 physicians.

Geisinger Data Breach Links to Former Employee

The Geisinger data breach was first identified in November 2023 when the organization detected unauthorized access to its patient database by a former Nuance employee, shortly after their termination. Geisinger promptly notified Nuance, which took immediate steps to sever the employee's access to their systems containing patient records. According to Geisinger's Chief Privacy Officer, Jonathan Friesen, "Our patients' and members' privacy is a top priority, and we take protecting it very seriously." Nuance, in collaboration with law enforcement authorities, launched an investigation resulting in the arrest of the former employee, who now faces federal charges. The investigation revealed that the compromised information included patient names along with various details such as date of birth, addresses, medical record numbers, and contact information. Importantly, sensitive financial information such as credit card numbers or Social Security numbers remained unaffected.

Geisinger has Notified the Customers About the Data Leak

Geisinger has taken proactive measures to notify affected patients and has provided a dedicated helpline (855-575-8722) for assistance. Patients are advised to review any communications from their health insurer and report any discrepancies promptly. This incident underscores the critical importance of robust data security measures within healthcare systems, especially when handling sensitive patient information," said Friesen. Geisinger continues to cooperate closely with authorities as the investigation progresses, aiming to mitigate any further risks to patient privacy and security. Geisinger urges recipients of the notification to carefully review the details provided and reach out with any questions or concerns. The organization has shared customer service numbers where affected individuals can contact from Monday through Friday, Eastern Time, excluding major U.S. holidays, and reference engagement number B124651. In light of the breach, Geisinger emphasizes its commitment to transparency and patient care, ensuring affected individuals receive the support and resources necessary to safeguard their personal information and mitigate potential risks associated with the Geisinger data leak.

TeamViewer, a leading provider of remote access software, has attributed a security breach in its corporate network to an advanced persistent threat group, tracked as APT29. The TeamViewer data breach incident was first detected on June 26, 2024, prompting immediate action from TeamViewer's security team. In an initial statement posted on Thursday in the the company's Trust Center, TeamViewer reassured users that the breach occurred solely within their internal corporate IT environment, which is separate from their product environment. They emphasized that there is currently no evidence suggesting that customer data or the product itself has been compromised. In a Friday update the company reiterated the same and tied the compromise to employee account credentials that gave the threat actor access to Team Viewer's corporate IT environment.

"Current findings of the investigation point to an attack on Wednesday, June 26, tied to credentials of a standard employee account within our Corporate IT environment. Together with our external incident response support, we currently attribute this activity to the threat actor known as APT29 / Midnight Blizzard. Based on current findings of the investigation, the attack was contained within the Corporate IT environment and there is no evidence that the threat actor gained access to our product environment or customer data." - TeamViewer

The company that provides enterprise solutions for remote access, reassured its customers that it follows best-practices in its overall system architecture and thus, has segmented the Corporate IT, the production environment, and the TeamViewer connectivity platform.

"This means we keep all servers, networks, and accounts strictly separate to help prevent unauthorized access and lateral movement between the different environments. This segregation is one of multiple layers of protection in our ‘defense in-depth’ approach." - TeamViewer

Despite ongoing investigations, the company remains focused on safeguarding system integrity and ensuring transparency in its communication regarding the incident.

TeamViewer Data Breach Confirmed 

The TeamViewer data breach was highlighted by cybersecurity firm NCC Group, which was alerted about the compromise of TeamViewer's remote access and support platform by an APT group. This group, identified as APT29, aka Midnight Blizzard or Cozy Bear, is known for its cyberespionage capabilities and has previously been linked to cyberattacks targeting various global entities, including Western diplomats and technology firms. “On Wednesday, 26 June 2024, our security team detected an irregularity in TeamViewer’s internal corporate IT environment. We immediately activated our response team and procedures, started investigations together with a team of globally renowned cyber security experts, and implemented necessary remediation measures”, reads the official statement. Coinciding with TeamViewer's disclosure, alerts from the Dutch Digital Trust Center and Health-ISAC highlighted the severity of the situation. The Health-ISAC alert specifically warned of active exploitation of TeamViewer by APT29, advising organizations to monitor remote desktop traffic for any suspicious activity.

Mitigation Against the TeamViewer Data Leak

TeamViewer, known for its widespread adoption with thousands of customers globally and installed on billions of devices, continues to update stakeholders through its IT security update page. However, concerns have been raised about transparency practices, as the page currently includes a directive preventing indexing by search engines. “There is no evidence to suggest that the product environment or customer data is affected. Investigations are ongoing and our primary focus remains to ensure the integrity of our systems. Security is of utmost importance for us, it is deeply rooted in our DNA. Therefore, we value transparent communication and will continuously update the status of our investigations as new information becomes available” concludes the statement.  For users and organizations relying on remote access solutions like TeamViewer, vigilance and proactive monitoring are recommended to mitigate risks posed by sophisticated cyber adversaries.  *Update (Friday, June 28 - 8:10 A.M. ET): The headline and text through the article was updated to reflect TeamViewer's Friday update and attribution of the cyberattack to APT29 or Midnight Blizzard. 

A data security officer from the Manila Bulletin has admitted to hacking 93 websites, including government and private company sites, as well as servers abroad. The hacker, known by the alias "Kangkong," was arrested along with two others by the National Bureau of Investigation (NBI) Cybercrime Division on June 19 following reports of multiple unauthorized access attempts and breaches. Kangkong issued a public apology to President Marcos, the general public, and especially the military community for his actions.

Implications for Philippines National Security

Kangkong's hacking spree exposed significant vulnerabilities in the cybersecurity measures of various organizations. Among the high-profile targets were the peacekeeping operations center website of the Armed Forces of the Philippines, the mail server of the National Security Council, and the Join the PH Army website. The hacker along with two others individuals were arrested by the National Bureau of Investigation (NBI) Cybercrime Division on June 19 after reports of multiple unauthorized access attempts and breaches on websites. [caption id="attachment_79338" align="alignnone" width="1200"] Arrested data officer Kangkong (Source: www.onenews.ph)[/caption] The hacker acknowledged the serious consequences of his actions, including the potential exposure of sensitive data of soldiers to foreign entities. "That's when I realized that we have many enemies and we should not be going against each other," Kangkong stated. The officer revealed in an interview with ABS-CBN that he had left specific pictures on compromised websites as proof of his involvement.

Senior Technology Officer May Be Implicated

In his extrajudicial confession, Kangkong initially implicated Art Samaniego, Manila Bulletin's senior technology officer, as the person who ordered the hacking of several websites. However, he later expressed regret for this claim. Samaniego has denied allegations that he ordered the hacking to boost his social media reach. The NBI Cybercrime Division has issued a subpoena for Samaniego to explain his side to the authorities. Meanwhile, the Manila Bulletin has suspended Samaniego pending an internal investigation. Kangkong also highlighted the inadequate cybersecurity measures in place for government and private companies' websites, stating that this was a key factor in his ability to hack them. He urged organizations to invest in security measures to prevent similar breaches in the future. Kangkong's confession highlights the urgent need for improved cybersecurity measures in the Philippines. He emphasized that inadequate security was a key factor in his ability to breach these websites. "Cybersecurity is not really a priority in the Philippines," he stated, urging organizations to invest in better security measures despite the associated costs.

A newly disclosed vulnerability in Progress MOVEit Transfer has sparked concern among cybersecurity experts due to the lingering memory of high-profile attacks by ransomware gangs using a different vulnerability last year that hit organizations such as the BBC and FBI. The new authentication bypass flaw, officially designated CVE-2024-5806, could potentially allow unauthorized access to sensitive data. MOVEit Transfer, designed for large-scale enterprise use, boasts features compliant with regulations like PCI and HIPAA. It offers various file transfer methods, including SFTP and HTTPS, making it a critical component in many organizations' data management infrastructure. Progress initially kept details of CVE-2024-5806 under wraps, advising customers to patch systems before its disclosure. On June 25th, 2024, Progress officially un-embargoed the vulnerability, revealing that it affects both MOVEit Transfer version 2023.0 and newer, as well as MOVEit Gateway version 2024.0 and newer.

Progress MOVEit Vulnerability Details

WatchTowr Labs was sent details of the vulnerability by a user who identified as 'dav1d_bl41ne' on its IRC channel, an unusual method of vulnerability sharing, the researchers noted. The researchers decided to investigate further, setting up a test environment to replicate the vulnerability. [caption id="attachment_79318" align="alignnone" width="471"] Source: labs.watchtowr.com[/caption] The debugger output from the test environment showed that the server was throwing exceptions and attempting to access files in unexpected ways. Upon further investigation, the researchers discovered that the vulnerability could be exploited by providing a valid file path instead of the SSH public key during authentication. This led to the server attempting to access the file, giving the attacker unauthorized access to the system. The researchers shared the following steps on exploiting the vulnerability:

• Upload a public key to the File Transfer server.
• Rather than supplying a legitimate public key, send a file path to the public key, signing the authentication request with the same public key.
• The key will be accepted by the server with successful login, allowing for the access of target files.

The flaw affects MOVEit Transfer versions 2023.0 and newer, as well as MOVEit Gateway 2024.0 and later. Progress describes it as an "Improper Authentication vulnerability" in the SFTP module that could lead to "Authentication Bypass in limited scenarios." In limited scenarios, CVE-2024-5806 allows for authentication bypass, potentially giving attackers unauthorized access to sensitive files. The vulnerability is particularly concerning because the software is widely used among enterprises, making it a prime target for APT groups, ransomware gangs, and other malicious actors. Progress has shared the following recommendations to prevent exploitation of the flaw:

• Block public inbound RDP access to MOVEit Transfer server(s).
• Limit outbound access on MOVEit Transfer server(s) to only trusted endpoints.

According to a post on X from The Shadowserver Foundation, the foundation has already observed active exploitation attempts using the vulnerability soon after its disclosure. [caption id="attachment_79326" align="alignnone" width="1170"] Source: X.com[/caption]

Implications of the MOVEit Vulnerability

The discovery of this vulnerability soon after major exploitation last year has reignited discussions about the security of file transfer solutions in enterprise environments. The potential for unauthorized access to sensitive files could have far-reaching consequences for the large number of enterprises that rely on MOVEit Transfer. While the full extent of the vulnerability's impact is still being assessed, the incident has sparked more debate about responsible disclosure practices in the cybersecurity community. Some argue that early, private notifications to affected parties are crucial, while others advocate for more transparent, public disclosures to ensure widespread awareness and prompt action. As the situation develops, IT administrators and security professionals are advised to stay vigilant, monitor for any signs of exploitation, and implement recommended security measures to protect their MOVEit Transfer deployments.  

Crypto scammers hijacked Channel 7 News Australia's YouTube account to run a live stream of an Elon Musk deepfake on loop. The AI-generated version of the business tycoon was seen luring users to scan a QR code and invest in a money-doubling scheme through cryptocurrency. The news and media company is investigating claims even as traces of account takeover persist at the time this article was published.

Crypto Scammers Shift to Deepfake Deployment

Crypto scammers hijacking social media accounts of popular brands and celebrities on platforms like YouTube and X is not a novel thing. But what transpired on Thursday could very well be a snippet of things to come as we move towards the Age of AI.

Crypto scammers first took over the YouTube account of Channel 7 News and modified it in a way that it masqueraded the official Tesla channel.

[caption id="attachment_79292" align="aligncenter" width="300"] Hijacked Channel 7 News' YouTube Account Screenshot (Source: Reddit)[/caption]

After making aesthetic changes to the YouTube account, the crypto scammers replaced the videos in the channel with a deepfake live stream of Tesla chief Elon Musk. The AI-generated Musk was seen encouraging viewers to scan a QR code and invest in cryptocurrency.

[caption id="attachment_79296" align="aligncenter" width="600"] Musk's Deepfake Asking Users to Scan or Regret (Source: Reddit)[/caption] As per local media, the Musk deepfake said, "All you need to do is scan the QR code on the screen, go to the website and watch your cryptocurrency double. Today's event is a chance for all crypto enthusiasts and users to double their assets."

"This is an opportunity that cannot be missed." - Elon Musk Deepfake

The deepfake video was made in a way that Musk's AI version even interacted with the audience, where he continued to say that twice as much would return to investors' wallets.

The Channel 7 News has several region- and programming-specific YouTube channels, and most of them seemed to be hijacked at present, with all of them running the same deepfake live stream on loop. The page is no longer accessible via direct links from the company website, but as pointed by a Reddit user, if you go to the YouTube channel via the platform's search, it still displays the changes made by crypto scammers, which is a Tesla logo as seen in the images above.

Experts, Leaders Press for Deep Fake Regulations

Owing to the menace of deepfakes, nearly 1,500 AI and tech experts in February urged global regulation of deepfakes to curb risks like fraud and political disinformation. An open letter recommends that lawmakers criminalize deepfake child pornography, penalize creators and facilitators of harmful deepfakes, and hold software developers accountable.

"The whole deepfake supply chain should be held accountable, just as they are for malware and child pornography." - The Open Letter

Legal experts and technologists have also previously urged the U.S. Congress to regulate the use of deepfake technologies and provide new protections particularly for women and minority communities against the use of digitally manipulated media. Experts warned that the deceptive content is already affecting national security, personal privacy and public trust.

Claims, counterclaims, website shutdowns, redirections and DDoS attacks were among the highlights (or lowlights) as news of the Polyfill supply chain attack entered its second day. After Polyfill(.)io was shut down by registrar Namecheap, the allegedly compromised JavaScript CDN service relaunched at Polyfill(.)com, and claimed it had been “maliciously defamed.” Meanwhile, the researchers who first reported the supply chain compromise were hit by a DDoS attack, while many security researchers wondered how such a widely used web component could have been sold to a Chinese company in the first place. Here are the latest developments in the attack, which is potentially the largest-ever digital supply chain attack. While the full extent of malware distributed through the CDN remains unknown, initial estimates were that more than 100,000 websites were using the service. However, in a post on X, Cloudflare CEO Matthew Prince said “Tens of millions of websites (4% of the web) uses Polyfill(.)io. Extremely concerning malware has been discovered impacting any site using Polyfill.” He also said Cloudflare was automatically replacing Polyfill links with its own mirror. [caption id="attachment_79279" align="alignnone" width="400"] Extent of website exposure to Polyfill(.)io (source: X)[/caption]

Extent of Polyfill Supply Chain Attack Unknown, But Big Names Among Users

Some of the biggest names turning up in a search for cdn(.)polyfill(.)io include Intuit, JSTOR, the World Economic Forum, a Coldwell Banker real estate site, major educational sites like Brandeis University, the technical standards organization ASTM, the Bank of Ireland, Live Nation sites for Spain and the UK, the RAINN anti-sexual violence organization, data management vendor AvePoint, investment company MSCI, industrial network company Moxa, the Environmental Defense Fund, and the Dubai Airports Company. The extent of the Polyfill supply chain attack may be unknown for some time. In February, a Chinese company bought the Polyfill domain and the Github account, and concern about the deal surfaced almost immediately. The Sansec researchers who initially publicly disclosed the threat two days ago noted that since the acquisition, “this domain was caught injecting malware on mobile devices via any site that embeds cdn.polyfill.io. Any complaints were quickly removed from the Github repository.” The researchers said that the polyfill code is dynamically generated based on the HTTP headers, “so multiple attack vectors are likely.” Sansec decoded one particular malware strain that redirects mobile users to a sports betting site using a fake Google analytics domain (googie-anaiytics(.)com). The researchers said they were subsequently hit by a DDoS attack after publishing their initial report. [caption id="attachment_79278" align="alignnone" width="400"] Researchers hit by DDoS attack (source: X)[/caption]

Google Started Blocking Ads in Mid-June

It’s not clear how long the threat has been known – it is standard practice for threat researchers to wait to reveal their findings until affected parties have had a chance to fix vulnerabilities – but Google has apparently been rejecting ads that link to the googie-anaiytics domain since at least mid-June. In a letter to advertisers this week (reprinted below), Google cited redirects coming from “a few different third-party web resource providers including Polyfill.io, Bootcss.com, Bootcdn.net, or Staticfile.org” for the rejected ads. [caption id="attachment_79305" align="alignleft" width="260"] Google Ads Polyfill letter[/caption] In addition to those four domains, Sansec researchers added an additional five malicious domains to their original report: staticfile(.)net, unionadjs(.)com, xhsbpza(.)com, union(.)macoms(.)la, and newcrbpc(.)com. That gives website owners a total of nine services and domains to monitor and remove from their sites. The connection between the sites apparently came from a secrets leak on the Polyfill site. Some of the domains have been used for malicious activity since at least June 2023.

Mitigations Set Up By Cloudflare, Fastly

To mitigate supply chain risk, Cloudflare released an automatic JavaScript URL rewriting service that will rewrite any link to polyfill(.)io found in a website proxied by Cloudflare to a link to the company’s mirror under cdnjs. Cloudflare also charged that Polyfill was falsely misusing the Cloudflare name and logo on its website. Fastly – which hosted the CDN for free before it was sold – had also set up an alternative service based on the Polyfill open source project. Developer Andrew Betts, who had created the Polyfill service project, said in an X post at the time of the sale in February that "No website today requires any of the polyfills in the http://polyfill.io library. Most features added to the web platform are quickly adopted by all major browsers, with some exceptions that generally can't be polyfilled anyway, like Web Serial and Web Bluetooth."

Polyfill Owner Responds

The Polyfill(.)io owners took to X to respond to the malware charges. “Someone has maliciously defamed us,” said a post to the Polyfill_Global account. “We have no supply chain risks because all content is statically cached. Any involvement of third parties could introduce potential risks to your website, but no one would do this as it would be jeopardize  (sic) our own reputation.” [caption id="attachment_79275" align="alignnone" width="400"] Polyfill response (source: X)[/caption] The Cyber Express will continue to update readers as this story evolves. Note: This article was updated on June 28 to report that 9 malicious domains relating to the Polyfill supply chain attack have now been identified.

Scammers are exploiting the buzz around the 2024 Paris Olympics to lure victims into investing in initial coin offerings (ICOs). These scams tend to promise big returns on "Olympic" tokens. The campaigns manufacture hype around such offerings through the use of use fake websites, AI-generated images, and social media campaigns to entice investors.

 Olympics Initial Coin Offerings (ICO) Fraud

Researchers from Trend Micro uncovered a recent scheme that claimed to offer an official "Olympics Games Token" for sale. The Olympic Games Token ICO website, theolympictoken[.]com, was registered on March 30, 2024, and its website went live a day later.  The website also links to a legitimate Olympics 2024 logo and a countdown to the event, making it seem like a legitimate project. [caption id="attachment_79264" align="alignnone" width="395"] Source: trendmicro.com[/caption] It linked to a "whitepaper" – a document explaining the project's tech and goals. But that link led nowhere useful. Instead of details, it dumped visitors on the official Olympics website. Red flag number one. A Twitter account and Telegram channel pushed followers to buy tokens ASAP. When the original site got shut down, a near-identical one (olympictokensolana[.]com) popped up under a new name. The researchers spotted at least ten other websites using 2024 Olympics-associated branding to lure victims into ICO scams; some of them were shut down shortly after their discovery.

Use of AI-Generated Images Olympics in ICO Scams

[caption id="attachment_79257" align="alignnone" width="1263"] Source: trendmicro.com[/caption] The researchers remarked that AI-generated images are becoming increasingly common in such ICO scams, as they offer a cost-effective and time-efficient way to create convincing lures. Cybercriminals can use AI to generate text, correct spelling and grammatical errors, and even create sentences in languages they do not speak. [caption id="attachment_79256" align="alignnone" width="384"] Source: trendmicro.com[/caption] The researchers spotted at least three other ICO Olympics scam websites employing the usage of AI-generated imagery for promotion.

Spotting Fake ICO Campaigns

ICOs have gained significant attention as cryptocurrency continues to be adopted in various industries. While most new tokens lack utility and are simply memecoins, it does not always mean they are scams. Investors should be vigilant and look out for potential scams and rug-pulls. A legitimate ICO should have a proper website and social media presence, a transparent team, an active community, a comprehensive whitepaper, legitimacy of claims, token distribution, smart contract audit, and liquidity management. The researchers have shared the following guidelines to help identify such scams:

• Proper website and social media presence: The researchers stated that scam sites are often poorly designed or lack active presence on social media.
• Transparent team: Cross-check the identities and credentials of the teams behind the offering. Anonymity is a red flag.
• Active community: Genuine projects have engaged followers on platforms like Discord, Twitter or Telegram, which suggests genuine interest and support.
• Comprehensive whitepaper: A whitepaper that outlines the project's goals, utility, and technical aspects, which demonstrates a thorough understanding of the project's concept and planning.
• Legitimacy of claims: Claims backed by verifiable evidence, such as partnerships, use cases, and endorsements.
• Token distribution: Avoid projects with highly concentrated token ownership which might increase the chances of exit scams.
• Smart contract audit: Audit by reputable third-parties, which identify vulnerabilities.
• Liquidity management: Liquidity is locked to prevent premature withdrawals and is decentralized among the community, which secures investors' funds.

In the case of the Olympic Games Token, the website raised several red flags such as a very low number of token holders and an invalid whitepaper link. Investors and those interested in cryptocurrency should follow adequate precautions to avoid falling victim to such scams. Experts have been monitoring Olympics-related search engine results and social media activity to counter fraudulent ticketing scams and coordinated disinformation campaigns.

A coordinated international police operation led by Interpol has resulted in the disruption of global online scam networks that carried out phishing, investment fraud, romance and impersonation scams and operated fake online shopping sites. The global operation, codenamed “First Light,” led to the seizure of assets amounting to $257 million and froze more than 6,700 bank accounts linked to the online scam syndicates. Under the banner of Operation First Light 2024, the police also arrested a total of 3,950 suspects and identified another 14,643 as likely members of the global online scam syndicates.

“By confiscating such large amounts of money, and disrupting the networks behind them, we not only safeguard our communities but also deal a significant blow to the transnational organized crime groups that pose such a serious threat to global security.” - Director of Interpol’s Financial Crime and Anti-Corruption Centre (IFCACC), Dr Isaac Kehinde Oginni

Global Online Scam Crackdown Impact

The impact of this police operation against global online scam is “more than just numbers – they represent lives protected, crimes prevented, and a healthier global economy worldwide,” Oginni said. Interpol’s Global Rapid Intervention of Payments (I-GRIP) mechanism traced and intercepted the illicit proceeds from online scams across borders in both, fiat currency cash ($135 million) and cryptocurrency ($2 million). An example of this interception was a business email compromise fraud that involved a Spanish citizen who unwittingly transferred $331,000 to Hong Kong, China, the Interpol said. In another case, the Australian authorities successfully recovered AU$ 5.5 million (approximately $3.7 million) for an impersonation scam victim, after the online scammers fraudulently transferred the funds to Malaysia and Hong Kong-based bank accounts. The global nature of online scams was underscored by the operation’s diverse participants. From rescuing 88 young people forced to work in a Namibian scam ring to preventing a tech support scam targeting a senior citizen in Singapore, Operation First Light 2024 showcased the importance of international cooperation. Operations of First Light have been coordinated since 2014 and are designed to fight social engineering and telecom fraud. The operation is funded by China’s Ministry of Public Security and coordinated by Interpol. [caption id="attachment_79238" align="aligncenter" width="1024"] Operation First Light conclusion meeting in Tianjin, China (Source: Interpol)[/caption] In 2022, First Light saw a coordinated effort between law enforcement of 76 countries that resulted in the seizure of $50 million worth of illicit funds that was defrauded from more than 24,000 victims. “The world is grappling with the severe challenges of social engineering fraud, and organized crime groups are operating from Southeast Asia to the Middle East and Africa, with victims on every continent,” Oginni said.

“No country is immune to this type of crime, and combating it requires very strong international cooperation.” - Dr Isaac Kehinde Oginni

Investment and Phishing Scams Top Threats to U.S.

According to FBI's Internet Crime report (IC3), Investment scams led to the highest reported losses in the United Stated last year. Totaling $4.57 billion, investment scams saw a 38% increase from 2022. Crypto-investment fraud also rose 53% to $3.94 billion. Scammers mainly targeted individuals aged 30-49 in these scam types. Phishing schemes, on the other hand, were the most reported crime in 2023, with over 298,000 complaints, comprising 34% of all complaints received. In the FBI San Francisco division, there were 364 complaints with nearly $1.5 million in losses. Santa Clara County had the most complaints, while Alameda County had the highest losses at $500,000.

A threat actor claims to have carried out a cyberattack on India’s National Disaster Management Authority (NDMA). The NDMA is the top statutory body for disaster management in India, with the Prime Minister as its chairperson. The threat actor, operating under the alias “infamous,” has allegedly gained access to personal data of 93,000 volunteers, including their names, age, mobile numbers and other critical records. The hacker is currently selling the data on the dark web for $1,000.

Exploring Data Leak Claims of NDMA Volunteers

The NDMA was created in 2006. Its primary responsibility is to coordinate response to natural or man-made disasters and for capacity-building in disaster resiliency and crisis response. It is also the apex body for setting policies, plans and guidelines for disaster management to ensure a timely and effective response to disasters. The allegation that NDMA data had been hacked emerged on June 25 on the data leak site BreachForums. The threat actor “infamous” claimed to be in possession of a stolen database, consisting of the Personally Identifiable Information (PII) of NDMA volunteers, including their personal details such as name, title, gender, blood group, date of birth, email, mobile number, ID number, marital status, family contact number, education qualifications, skills, cadre, address, postal code, and the current state of residence. [caption id="attachment_79228" align="alignnone" width="1596"] Source: X[/caption] To substantiate the data breach claim, the threat actor attached sample records, with the latest timestamp of June 2024, while disclosing that the database includes records of 93,000 volunteers. The cyberattacker is asking $1,000 for the entire data set on BreachForums. Despite these claims by the threat actor, a closer inspection reveals that NDMA’s website is currently functioning normally, showing no signs of a security breach. The threat actor has also not provided clarity on the time period when the services of volunteers occurred. The Cyber Express has reached out to NDMA to verify the alleged cyberattack. As of now, no official statements or responses have been received, leaving the claims unverified.

NDMA Volunteers Must Stay Vigilant

While authorities investigate the data breach claim, NDMA volunteers must be vigilant and take steps to prevent any malicious activities. Cybercriminals usually employ a range of tactics to misuse personal information, perpetuating identity theft and financial fraud. Some prominent techniques include phishing, where hackers trick individuals into revealing their PII by mimicking legitimate entities through fraudulent emails or phone calls. Individuals are also susceptible to identity theft and fraud, where fraudsters use psychological tactics to divulge sensitive information, such as passwords or credit card details. Since the email addresses have also been allegedly leaked, individuals must be vigilant of suspicious messages requesting sensitive information, as well as any unusual activity involving new or existing accounts.

Hackers Target 373 Indian Govt Websites in Five Years: Report

According to data published by the Indian Government, hackers have repeatedly targeted key websites run by the administration. An article in The Hindustan Times, quoting data from the Ministry of Electronics and Information Technology, said that, “As per the information reported to and tracked by CERT-In (Indian Computer Emergency Response Team), a total number of 110, 54, 59, 42, 50 and 58 website hacking incidents of Central Ministries/Departments and State Government organizations were observed during the years 2018, 2019, 2020, 2021, 2022 and 2023 (up to September).” The report added that some government offices were still using outdated Windows versions in their official computers and laptops, making them vulnerable to cyber threats. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Apple has taken steps to enhance the security of its popular AirPods lineup by addressing a critical Bluetooth vulnerability through a new firmware update. This AirPods firmware update,  identified as Firmware 6A326 and 6F8, is aimed at several models including AirPods, AirPods Pro, AirPods Max, Powerbeats Pro, and Beats Fit Pro. The AirPods vulnerability tracked as CVE-2024-27867 and discovered by Jonas Dreßler, posed a potential risk where attackers within Bluetooth range could spoof a user's device and gain unauthorized access to their AirPods. This issue highlights the importance of timely updates to protect Apple devices from cyberattacks. 

AirPods Firmware Update Fixes Major Bluetooth Vulnerability

Initially, Apple's AirPods firmware update patch notes appeared routine, mentioning "bug fixes and other improvements." However, further details on Apple's security website revealed the update's critical nature, specifically addressing an authentication issue with improved state management related to Bluetooth connections. For affected users, the AirPods firmware update will be applied automatically when AirPods are paired with an iPhone or another compatible device. To verify the update, users can check the firmware version by navigating to Settings > Bluetooth on iOS devices or System Settings > Bluetooth on Macs. This proactive approach highlights the regular updates required by devices regardless of operation systems. By promptly addressing vulnerabilities such as the AirPods vulnerability, Apple aims to create a safer digital environment for its users worldwide.

Fixing Several Apple Product Vulnerabilities

Beyond addressing the AirPods vulnerability, the firmware update also includes general bug fixes and performance improvements. This comprehensive approach ensures not only enhanced security but also a smoother user experience across the AirPods ecosystem. Users are encouraged to stay vigilant and keep their devices updated to the latest firmware version. This practice is crucial for safeguarding against potential security risks and maintaining the integrity of personal data. Apple's dedication to security is further demonstrated through its adherence to industry-standard practices, including not disclosing specific security issues until patches or releases are available and thoroughly tested. This approach ensures that users can trust Apple products to protect their privacy and security effectively. For more detailed information about the update and additional security-related matters, users can visit Apple's official security updates page and review the comprehensive product security documentation available.

Experts are raising eyebrows after OpenAI announced a one-month delay in the rollout of its highly anticipated “Voice Mode” feature for ChatGPT, citing safety concerns. The company said it needs more time to ensure the model can “detect and refuse certain content.”

“We’re improving the model’s ability to detect and refuse certain content. We’re also working on enhancing the user experience and scaling our infrastructure to support millions of users while maintaining real-time responses.” - OpenAI

The stalling of the rollout comes a month after OpenAI announced a new safety and security committee that would oversee issues related to the company’s future projects and operations. It is unclear if this postponement was suggested by the committee or by internal stakeholders.

Features of ChatGPT’s ‘Voice Mode’

OpenAI unveiled its GPT-4o system in May, boasting significant advancements in human-computer interaction. “GPT-4o (‘o’ for ‘omni’) is a step towards much more natural human-computer interaction,” OpenAI said at the time. The omni model can respond to audio inputs at an average of 320 milliseconds, which is similar to the response time of humans. Other salient features of the “Voice Mode” promise real-time conversations with human-like emotional responses, but this also raises concerns about potential manipulation and the spread of misinformation. The May announcement gave a snippet at the model’s ability to understand nuances like tone, non-verbal cues and background noise, further blurring the lines between human and machine interaction. While OpenAI plans an alpha release for a limited group of paid subscribers in July, the broader rollout remains uncertain. The company emphasizes its commitment to a “high safety and reliability” standard but the exact timeline for wider access hinges on user feedback.

The ‘Sky’ of Controversy Surrounding ‘Voice Mode’

The rollout delay of “voice mode” feature of ChatGPT follows the controversy sparked by actress Scarlett Johansson, who accused OpenAI of using her voice without permission in demonstrations of the technology. OpenAI refuted the claim stating the controversial voice of “Sky” - one of the five voice modulation that the Voice Mode offers for responses – belonged to a voice artist and not Johansson. The company said an internal team reviewed the voices it received from over 400 artists, from a product and research perspective, and after careful consideration zeroed on five of them, namely Breeze, Cove, Ember, Juniper and Sky. OpenAI, however, did confirm that its top boss Sam Altman reached out to Johannson to integrate her voice.

“On September 11, 2023, Sam spoke with Ms. Johansson and her team to discuss her potential involvement as a sixth voice actor for ChatGPT, along with the other five voices, including Sky. She politely declined the opportunity one week later through her agent.” - OpenAI

Altman took a last chance of onboarding the Hollywood star this May, when he again contacted her team to inform the launch of GPT-4o and asked if she might reconsider joining as a future additional voice in ChatGPT. But instead, with the demo version of Sky airing through, Johannson threatened to sue the company for “stealing” her voice. Owing to the pressure from her lawyers, OpenAI removed the Sky voice sample since May 19.

“The voice of Sky is not Scarlett Johansson's, and it was never intended to resemble hers. We cast the voice actor behind Sky’s voice before any outreach to Ms. Johansson. Out of respect for Ms. Johansson, we have paused using Sky’s voice in our products. We are sorry to Ms. Johansson that we didn’t communicate better.” – Sam Altman

Although the issue seems to have resolved for the time being, this duel between Johannson and Altman brought to the fore the ethical considerations surrounding deepfakes and synthetic media.

Likely Delays in Apple AI and OpenAI Partnership Too

If the technical issues and the Sky voice mode controversy weren’t enough, adding another layer of complication to OpenAI’s woes is Apple’s recent brush with EU regulators that now casts a shadow over the future of ChatGPT integration into Apple devices. Announced earlier this month, the partnership aimed to leverage OpenAI's technology in Cupertino tech giant’s “Apple Intelligence” system. However, with Apple facing potential regulatory roadblocks under the EU’s Digital Markets Act (DMA), the integration’s fate remains unclear. This confluence of factors – safety concerns, potential for misuse, and regulatory hurdles – paints a complex picture for OpenAI's “Voice Mode.” The cybersecurity and regulatory industry will undoubtedly be watching closely as the technology evolves, with a keen eye on potential security vulnerabilities and the implications for responsible AI development.

A critical security flaw has been reported in Fortra FileCatalyst Workflow, a widely used platform designed for efficient file exchange and collaboration within private cloud environments. This vulnerability, identified as CVE-2024-5276, allows remote attackers to exploit SQL injection to potentially create unauthorized administrative accounts and manipulate the application's database. Fortra FileCatalyst Workflow serves as a pivotal tool for organizations requiring rapid and secure data transfers across large file sizes. It facilitates seamless collaboration in secure, private cloud spaces, making it indispensable for many businesses globally.

Understanding Fortra FileCatalyst Workflow Vulnerability 

[caption id="attachment_79207" align="alignnone" width="1382"] Source: Fortra[/caption] Tenable researchers discovered Fortra FileCatalyst Workflow vulnerability or CVE-2024-5276 on June 18, 2024, marking it as a critical vulnerability due to its potential impact. This flaw affects versions up to and including FileCatalyst Workflow 5.1.6 Build 135. The vulnerability arises from improper input validation within the application's handling of SQL queries, specifically through the 'jobID' parameter in various URL endpoints. Exploitation of this flaw can allow attackers to inject malicious SQL code, thereby gaining unauthorized access to the system. Fortra promptly addressed the issue following Tenable's responsible disclosure. In their security bulletin, Fortra clarified that while the vulnerability allows for the creation of admin users and manipulation of data, it does not facilitate data theft directly. They have released a fix in FileCatalyst Workflow version 5.1.6 Build 139, which patches the vulnerability and is strongly recommended for all users.

Mitigation and Upgrade Steps

Users of affected versions (up to Build 135) are advised to upgrade immediately to the patched version (Build 139) to mitigate the risk of exploitation. For those unable to upgrade immediately, disabling anonymous access on the Workflow system can reduce exposure to potential attacks leveraging CVE-2024-5276. As of the latest reports, there have been no documented cases of CVE-2024-5276 being actively exploited. However, given the severity of the vulnerability and the availability of exploit details, organizations are urged to prioritize updates to safeguard their systems against potential threats. The identification and swift response to CVE-2024-5276 highlight the critical importance of proactive security measures in maintaining the integrity and confidentiality of organizational data. Fortra's proactive approach in releasing a patch highlights the rise of vulnerabilities within internet devices and the security of user data. For more information on CVE-2024-5276 and to download the latest patched version of FileCatalyst Workflow, visit the official Fortra FileCatalyst Workflow website.

Amidst the ongoing Russo-Ukrainian war, hackers from Italy have decided to join forces with an infamous cyber attacker group in Russia. Azzasec is an Italian hacktivist group who has been involved in anti-Israel campaigns and has teamed up with the infamous pro-Russian hacktivists Noname057(16). Azzasec has a large network of partner groups, whereas Noname05716 is selective in their allies. The alliance between these two nefarious groups signifies a potential increase in the scale and sophistication of cyberattacks on Ukraine and its allies.

Understanding the AzzaSec Ransomware

On June 26, 2024, NoName formally announced on its social media channels about the alliance. “Today we have formed an alliance with the Italian hacker group AzzaSec, which is one of the TOP 3 coolest hack teams in Italy! We are always open to cooperation with various trance around the world!” the post read. [caption id="attachment_79189" align="alignnone" width="837"] Source: X[/caption] AzzaSec is an infamous actor that infects computers and encrypts files. It later demands a ransom for its decryption. Once a computer is infected, AzzaSec assigns the '.AzzaSec' extension to the filenames. It alters files such as '1.png' to '1.png.AzzaSec' and '2.pdf' to '2.pdf.AzzaSec.' Additionally, it changes the desktop wallpaper and provides a ransom note via a pop-up window like the screenshot below. [caption id="attachment_79190" align="alignnone" width="1828"] Source: X[/caption] The group demands ransom through Bitcoin. AzzaSec’s sophisticated encryption techniques and the secrecy of cryptocurrency transactions make it increasingly difficult for authorities to crackdown and defuse the cybercriminals. AzzaSec recently announced the release of a Windows ransomware builder. The group claimed that their ransomware could bypass major antivirus solutions such as Windows 10 / 11 Defender, Avast, Kaspersky, and AVG. AzzaSec’s emergence into the ransomware scene signals a reminder for organizations and individuals alike to upgrade their cybersecurity measures and remain vigilant against online threats.

Inglorious Past of NoName

NoName057(16) , on the other hand,  first emerged in March 2022 and is known for its cyber-attacks on Ukrainian, American, and European government agencies, media, and private companies. The group is considered one of the biggest unorganised and free pro-Russian activist group. Renowned for its widespread cyber operations, NoName057(16) has garnered notoriety for developing and distributing custom malware, notably the DDoS attack tool, the successor to the Bobik DDoS botnet. [caption id="attachment_79192" align="alignnone" width="1280"] Source: X[/caption] According to a report by Google-owned Mandiant, NoName057(16), along with other Russian state hackers, pose the biggest cyber threat to elections in regions with Russian interest. “Mandiant is tracking multiple self-proclaimed hacktivist groups primarily conducting DDoS attacks and leaking compromised data in support of Russian interests. These groups claim to have targeted organizations spanning the government, financial services, telecommunications, transportation, and energy sectors in Europe, North America, and Asia; however, target selection and messaging suggests that the activity is primarily focused on the conflict in Ukraine. Relevant groups include KillNet, Anonymous Sudan, NoName057(16), JokerDNR/DPR, Beregini, FRwL_Team (aka "From Russia with Love"), and Moldova Leaks,” Google stated in its threat intelligence report in April. The alliance between AzzaSec and NoName057(16) raises serious concerns about the evolving cyber threat landscape. With a combined skillset for ransomware deployment and large-scale attacks, these groups pose a significant risk to organizations and governments aligned with Ukraine. As the Russo-Ukrainian war rages on, the digital front is likely to see further escalation in cyberattacks.  It is crucial for targeted nations and organizations to bolster their cybersecurity defenses, implement robust incident response plans, and collaborate on international efforts to counter these cyber threats. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A dark web actor is advertising a zero-day exploit targeting Google Chrome. The exploit specifically targets versions 126.0.6478.126 and 126.0.6478.127 of Google Chrome for Windows, specifically the 21H1 and 21H2 versions. This exploit, which allows for Sandbox escape, was put up for sale by a threat actor identified as 'ctf' on the XSS forum. The threat actor's post on the forum detailed the nature of the exploit, highlighting its capability to execute remote code on affected systems potentially. The asking price for this exploit was set at an exorbitant $1 million, payable in cryptocurrencies like Monero or Bitcoin. Notably, the threat actor did not provide a proof-of-concept demonstration but insisted on dealing through a mutually agreed-upon guarantor or middleman.

Dark Web Actor Selling Sandbox Escape Exploit

[caption id="attachment_79184" align="alignnone" width="1352"] Source: Dark Web[/caption] Sandbox escape vulnerabilities like these pose a significant risk by allowing malicious actors to break out of the confinement typically imposed by security measures such as sandboxes. Such exploits can enable attackers to execute arbitrary code on a system beyond the restricted environment, thereby potentially compromising sensitive data or even gaining full control over the affected machine. In a separate incident earlier this year, vulnerabilities in the sandboxing mechanism of Judge0, an online code execution system, were also reported. These vulnerabilities, described as critical, could similarly enable attackers to perform sandbox escapes and gain root permissions on the host machine. Tanto Security, an Australian cybersecurity firm, highlighted the severity of these flaws, which could be exploited to achieve a complete system takeover.

The Threat of Sandbox Escape Vulnerabilities

Judge0, known for facilitating online code execution for various applications including e-learning platforms and code editors, experienced these vulnerabilities due to issues in its sandbox setup scripts. Specifically, flaws in the isolation mechanism allowed attackers to manipulate symbolic links and execute arbitrary code outside the designated sandbox environment. The ongoing emergence of such sandbox escape vulnerabilities highlights the importance of cybersecurity practices and prompt patch management. Organizations and individuals are advised to remain vigilant, apply security updates promptly, and employ defense-in-depth strategies to mitigate the risks posed by such exploits. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

In collaboration with the Federal Bureau of Investigation (FBI), Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), and Canadian Cyber Security Center (CCCS), the Cybersecurity and Infrastructure Security Agency (CISA) have released comprehensive guidance aimed at tackling memory safety vulnerabilities within critical open source software (OSS) projects. This initiative highlights the importance of mitigating risks associated with memory safety, as outlined in "The Case for Memory Safe Roadmaps".

Understanding Memory Safety Vulnerabilities with The Case for Memory Safe Roadmaps

Memory safety vulnerabilities pose threats to software integrity and security, leading to costly consequences such as frequent patching and incident responses. Recognizing these challenges, CISA advocates for the adoption of memory-safe roadmaps by software manufacturers. These roadmaps are designed to address memory safety concerns, particularly in external dependencies, which often include OSS components. The joint report by CISA, FBI, ACSC, and CCCS analyzed 172 critical OSS projects to assess their vulnerability to memory safety risks. The findings reveal that a substantial proportion of these projects are written in memory-unsafe languages, with 52% of projects containing such code. Even more strikingly, memory-unsafe languages account for 55% of the total lines of code across all projects studied. The report highlights that many of the largest OSS projects, critical to global digital infrastructure, rely heavily on memory-unsafe languages. For instance, among the ten largest projects analyzed, the median proportion of memory-unsafe code is 62.5%, highligheting the pervasive nature of this issue even in prominent software initiatives.

Implications and Industry Response

Despite efforts to promote memory-safe programming languages like Rust, the analysis found that projects purportedly written in memory-safe languages often incorporate dependencies that are still coded in memory-unsafe languages. This interdependence highlights the complexity of achieving comprehensive memory safety across complex software ecosystems. In response to these findings, CISA is urging organizations and software manufacturers to take several proactive steps. One key recommendation is to prioritize efforts aimed at mitigating memory safety vulnerabilities in open-source software (OSS). By addressing these vulnerabilities, organizations can bolster the overall security posture of their software environments. Additionally, CISA emphasizes the importance of informed decision-making when it comes to software dependencies. Organizations are encouraged to carefully evaluate and select software based on considerations of memory safety. This strategic approach can help mitigate risks associated with potential vulnerabilities in OSS. Furthermore, CISA calls for collaboration with the OSS community to advance the adoption of memory-safe practices and languages. By working together, industry stakeholders can contribute to the development and implementation of more secure software solutions.

Evolve Bank & Trust disclosed that it has been the target of a cybersecurity incident. In a statement, the bank confirmed that customers' personal information had been illegally obtained and released on the dark web by cybercriminals. This Evolve Bank data breach affected both retail bank customers and the customers of Evolve’s financial technology partners. The Evolve Bank data breach involved a known cybercriminal organization that illegally obtained and published sensitive information. The stolen data includes Personal Identification Information (PII) such as names, Social Security Numbers, dates of birth, account details, and other personal information. "Evolve is currently investigating a cybersecurity incident involving a known cybercriminal organization that appears to have illegally obtained and released on the dark web the data and personal information of some Evolve retail bank customers and financial technology partners’ customers (end users)," reads the official statement. Evolve Bank & Trust has confirmed that its debit cards, and online, and digital banking credentials have not been compromised in the incident and remain secure. "Evolve has engaged the appropriate law enforcement authorities to aid in our investigation and response efforts. Based on what our investigation has found and what we know at this time, we are confident this incident has been contained and there is no ongoing threat," reads the official statement.

Details of the Evolve Bank Data Breach

There were reports that the Russian hacker group LockBit was responsible for the ransomware attack and data breach at Evolve Bank. LockBit had claimed to possess Federal Reserve data and, when their demands were not met, released approximately 33 terabytes of data from Evolve's systems. The group had allegedly touted their cache of Federal Reserve data, which was used to pressure the bank into meeting their demands. In response to the reports surfacing about the Evolve data breach, Evolve Bank & Trust is actively informing affected individuals about the breach. The bank has started reaching out to impacted customers and financial technology partners' customers through emails sent from notifications@getevolved.com. The communication includes detailed instructions on how to enroll in complimentary credit monitoring and identity theft detection services.

Steps Taken by Evolve Bank & Trust

The bank is undertaking a comprehensive response to this incident, which includes:

1. Engagement with Law Enforcement: Evolve has involved appropriate law enforcement authorities to aid in the investigation and response efforts.
2. Customer Communication: Direct communication with affected customers and financial technology partners' customers is ongoing to ensure they are informed and can take necessary protective measures.
3. Credit Monitoring Services: Impacted individuals are being offered complimentary credit monitoring and identity theft detection services.
4. Continuous Monitoring: Evolve is closely monitoring the situation and will provide updates as necessary to keep customers informed.

Recommendations for Affected Customers

Evolve Bank & Trust advises all retail banking customers and financial technology partners' customers to remain vigilant by:

1. Monitoring Account Activity: Regularly check bank accounts and report any suspicious activity immediately.
2. Credit Report Checks: Set up free fraud alerts with nationwide credit bureaus—Equifax, Experian, and TransUnion. Customers can also request and review their free credit report through Freecreditreport.com.
3. Reporting Suspicious Activity: Contact the bank immediately if any fraudulent or suspicious activity is detected. Additionally, individuals can file a report with the Federal Trade Commission (FTC) or law enforcement authorities if they suspect identity theft or fraud.

Recently, Evolve received an enforcement action from its primary regulator, the Federal Reserve Board, highlighting deficiencies in the bank's IT practices and requiring a plan and timetable to correct these issues. This breach highlights the importance of addressing these security concerns promptly. Evolve Bank & Trust is known for its partnerships with several high-profile fintech companies, including Mercury, Stripe, Affirm, Airwallex, Alloy, Bond (now part of FIS), Branch, Dave, EarnIn, and TabaPay. The bank has also worked with Wise and Rho in the past, though both have since migrated to other banking partners.

South Korean telecommunications giant KT is under investigation for allegedly hacking the systems of customers who used torrent services such as web hard drives (Webhard), a popular file-sharing service in the country. The scandal, which has been ongoing for nearly five months, has affected an estimated 600,000 customers, with the police investigation revealing that KT may have operated a dedicated malware team.

Malware Infiltrated Systems of Torrenting Subscribers

The incident came to light in May 2020 when numerous web hard drives suddenly stopped working. Users flooded company forums with complaints about unexplained errors. An investigation revealed that malware had infiltrated the "Grid Program," software that enables direct data exchange between users. [caption id="attachment_79121" align="alignnone" width="2800"] Source: mnews.jtbc.co.kr[/caption] The malware, which was designed to interfere with BitTorrent traffic, was allegedly used to monitor and control the internet activities of KT subscribers. The police believe that the motive behind this hacking was to reduce network-related costs, as torrent transfers can be costly for internet service providers. KT, however, claims that it was merely trying to manage traffic on its network to ensure a smooth user experience. KT instead stated that the Webhard services were malicious, however after the the Gyeonggi Southern District Office conducted raids on KT facilities, they believe the ISP may have violated communications and network laws. A police follow-up investigation stated that KT operated a dedicated team responsible for developing, distributing, and operating the malware program. The hacking was traced to  KT's Bundang IDC Center, one of its data centers. Over five months, an estimated 20,000 PCs were infected daily. The malware reportedly created strange folders, made files invisible, and disabled web hard programs.

Legal and Ethical Implications

KT and Webhard companies have a history of conflict, including lawsuits. While a previous court ruled in KT's favor regarding traffic blocking of grid services, the current situation differs significantly. KT was alleged to have planted malicious code on individual users' PCs without consent or explanation. South Korean legal experts question KT's methods, suggesting the company could have pursued formal procedures through its legal team instead of resorting to hacking. The incident raises serious concerns about privacy, corporate responsibility, and the extent to which internet service providers can control network traffic. The scandal has also raised concerns about the security of KT's customers' data, with many wondering what other sensitive information may have been compromised. The company's CEO has since resigned, and the company's reputation has taken a significant hit. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A widespread supply chain attack has hit more than 100,000 websites, including notable platforms like JSTOR, Intuit, and the World Economic Forum. The attack stems from a fake domain impersonating the popular open-source library Polyfill.js, which supports older browsers. In February, the Chinese company Funnull had acquired the domain and GitHub account associated with the project, leading to the injection of malware into sites that embed cdn.polyfill.io. The malicious code is designed to redirect mobile users to sports betting sites or pornographic sites using a fake Google Analytics domain.

Malicious Polyfill Injection and Its Impact

Researchers stated that the injected malware is dynamically generated based on HTTP headers, making it difficult to detect. The Polyfill injection attack is a classic example of a supply chain attack against a widely used library. [caption id="attachment_79097" align="alignnone" width="2454"] At least 104183 websites might be affected. (Source: publicwww.com)[/caption] The compromised Polyfill code dynamically generates malware based on HTTP headers, potentially utilizing multiple attack vectors. Researchers from Sansec decoded one variant that redirects mobile users to a sports betting site using a fake Google Analytics domain. The malware employs sophisticated techniques and defenses against reverse engineering to evade detection, including:

•  Activating only on specific mobile devices at certain hours
•  Avoiding execution when an admin user is detected
•  Delaying activation when web analytics services are present

The attack's scope is significant, with Google already blocking Google Ads for e-commerce sites using polyfill.io. Researchers later reported that their infrastructure had been subjected to DDoS attacks after reporting on the campaign.

Mitigation and Recommendations

Andrew Betts, the original Polyfill author, took to X to advise against the usage of Polyfill altogether, stating that modern browsers no longer require it. He added that he had no influence over the sale of the project and was never in possession of the new domain, and cautioned that websites that serve third-party scripts are a huge security concern. [caption id="attachment_79101" align="alignnone" width="623"] Source: X.com(@triblondon)[/caption] [caption id="attachment_79102" align="alignnone" width="634"] Source: X.com(@triblondon)[/caption] Experts have set up a domain (polykill.io) to warn against the compromise of the project and have recommend the following steps for website owners:

• Immediately and remove usage of cdn.polyfill.io from websites and projects.
• Replace with a secure alternative such as those being offered by Fastly and CloudFlare. Fastly has saved and hosted an earlier version(https://polyfill-fastly.io/) of the project's codebase before its sale to Funnull.

The website cautioned of the risks associated with the takeover of the project:

"There are many risks associated with allowing an unknown foreign entity to manage and serve JavaScript within your web application. They can quietly observe user traffic, and if malicious intent were taken, they can potentially steal usernames, passwords and credit card information directly as users enter the information in the web browser."

CloudFlare had also published its findings and recommendations in response to concerns over the compromise of domains. The company stated in a blog article:

The concerns are that any website embedding a link to the original polyfill.io domain, will now be relying on Funnull to maintain and secure the underlying project to avoid the risk of a supply chain attack. Such an attack would occur if the underlying third party is compromised or alters the code being served to end users in nefarious ways, causing, by consequence, all websites using the tool to be compromised."

This incident serves as a stark reminder of the security implications of relying on external code libraries/third-party scripts and the importance of vigilance in maintaining website integrity, plus the potential malicious takeover of massively deployed projects. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A Microsoft software engineer accidentally published internal PlayReady DRM source code on a publicly accessible developer forum. The 4GB data leak contains sufficient information to compile the required DLL from the source code, potentially opening the door for reverse engineering or cracking of the DRM protection technology. PlayReady, introduced in 2007, is Microsoft's platform-independent digital rights management (DRM) system used for protecting media files. It includes encryption, output protection, and digital rights management features. The leak could have significant implications for the security of this widely-used technology.

PlayReady DRM Internal Code Leak

In early June, a Microsoft engineer had published information about an Apple TV service crash on a Surface Pro 9 device in a public forum. The shared data included a 771MB file attachment that revealed 4GB of internal code related to Microsoft PlayReady upon extraction. [caption id="attachment_79066" align="alignnone" width="1920"] Original Post Before Deletion (Source: security-explorations.com)[/caption] The leaked PlayReady data is said to include: 1. WarBird configurations for creating the PlayReady library 2. WarBird libraries for code obfuscation functions 3. Libraries with symbolic information related to PlayReady [caption id="attachment_79063" align="alignnone" width="1428"] Partial Directory View of Leaked Data (Source: security-explorations.com)[/caption]

HD Keys Could Be Decrypted

Researchers from cybersecurity company AG Security Research Lab managed to successfully build the required Windows PlayReady DLL library from the leaked internal code, aided by step-by-step instructions provided by another user on the same forum. Their investigation uncovered several deficiencies in Protected Media Path (PMP) components of PlayReady, which could be exploited to access plaintext content keys secured by the system on Windows 10 and 11 systems. The researchers demonstrated that these extracted keys could successfully decrypt high-definition movies protected by PlayReady. Notably, the vulnerability persists even on systems with hardware DRM capabilities, as this feature can be easily disabled. The root cause appears to lie in the software DRM implementation used by default on Windows 10 systems without hardware DRM capability. Given that Windows 10 still holds a 69% market share worldwide, this vulnerability could potentially affect a significant number of users until the operating system's retirement in October 2025. The team also demonstrated that the technique used to extract plaintext values of content keys could work for other platforms relying on SW Microsoft PlayReady technology in a Windows OS environment.

Implications and Microsoft's Response

The researchers had notified Microsoft about the leak on June 12, 2024. While Microsoft removed the forum post within 12 hours, the download link reportedly remained active. On June 26, MSRC stated to the researchers that it had conducted an investigation and determined that the incident was not a vulnerability to service as the post had already been taken down. The researchers confirmed that the download link no longer remains active. The incident highlights the ongoing challenges in maintaining the security and secrecy of DRM implementations. It also underscores the importance of adhering to guidelines for handling sensitive information in public forums, as the leak violated Microsoft's own guidelines for posting link reproduction information publicly. These guidelines specify:

• All information in reports and any comments and replies are publicly visible by default.
• Don't put anything you want to keep private in the title or content of the initial report, which is public.
• To maintain your privacy and keep your sensitive information out of public view, exercise caution.

Major Streaming Services Potentially Affected

The same research team had earlier tested Microsoft's Protected Media Path and had discovered several streaming platforms were affected by vulnerabilities within the environment: Canal+ Online, Netflix, HBO Max, Amazon Prime Video, Sky Showtime, and others. DRM protection is crucial to the video streaming industry, which is valued at $544 billion, making this security breach a matter of serious concern. Microsoft reportedly demonstrated interest in a full disclosure of the stated vulnerabilities and technical details along with Proof of Concept over its MSRC channel, offering potential rewards for the disclosure. However, the researchers declined, as they felt a full disclosure would have to include a commercial agreement, would jeopardize their own confidential technology and tools along with future research on the Windows operating system. The researchers also believed that Microsoft should focus on conducting a more comprehensive review of its Protected Media Path environment, which could result in the discovery and fixing of additional issues rather than focusing on a single exploit.   Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A U.S. grand jury has indicted a Russian citizen, Amin Timovich Stigal, for allegedly conspiring with Russia's military intelligence agency (GRU) to launch cyberattacks crippling Ukrainian government systems and data ahead of Russia's full-scale invasion in February 2022.

The indictment, unsealed yesterday in Maryland, sheds light on a coordinated effort to disrupt critical Ukrainian infrastructure and sow panic among the population.

“As alleged, the defendant conspired with Russian military intelligence on the eve of Russia’s unjust and unprovoked invasion of Ukraine to launch cyberattacks targeting the Ukrainian government and later targeting its allies, including the United States.” - Attorney General Merrick B. Garland

Attacker Aimed for 'Complete Destruction' in Cyberattacks Targeting Ukraine

Stigal, 22, who remains at large, was charged for his alleged role in using a deceptive malware strain called "WhisperGate" to infiltrate dozens of Ukrainian government networks, including ministries, state services, and critical infrastructure entities. Disguised as ransomware, WhisperGate reportedly went beyond data encryption, aiming for complete destruction of targeted systems and data.

The attacks coincided with the defacement of Ukrainian websites displaying threatening messages designed to intimidate the public. Sensitive data, including patient health records, was exfiltrated and offered for sale online, further amplifying the chaos.

U.S. Critical Infrastructure Targeted Too

But the malicious campaign wasn't limited to cyberattacks targeting Ukraine. The indictment broadens the scope beyond Ukraine, revealing attempts to probe U.S. government networks in Maryland using similar tactics.

“These GRU actors are known to have targeted U.S. critical infrastructure. During these malicious cyber activities, GRU actors launched efforts to scan for vulnerabilities, map networks, and identify potential website vulnerabilities in U.S.-based critical infrastructure – particularly the energy, government, and aerospace sectors.” - Rewards for Justice

The scope of the malicious campaign highlights the potential wide-ranging objectives of the GRU cyber campaign and the ongoing threat posed by nation-state actors.

Reward Offered for Info Leading to Capture

The Justice Department emphasized its commitment to holding accountable those responsible for Russia's malicious cyber activity. The indictment carries a maximum sentence of five years, but international cooperation remains crucial to apprehend Stigal.

The U.S. Department of State's Rewards for Justice program is offering a significant reward – up to $10 million – for information leading to Stigal's capture or the disruption of his cyber operations. This substantial reward underscores the seriousness of the charges and the international effort to dismantle Russia's cyber warfare apparatus.

This case serves as a stark reminder of the evolving cyber threat landscape. The destructive capabilities of malware like WhisperGate, coupled with the targeting of critical infrastructure necessitates vigilance and collaboration between governments and security professionals to defend against nation-state cyberattacks.

“Malicious cyber actors who attack our allies should know that we will pursue them to the full extent of the law,” said Erek L. Barron, U.S. Attorney for the District of Maryland. “Cyber intrusion schemes such as the one alleged threaten our national security, and we will use all the technologies and investigative measures at our disposal to disrupt and track down these cybercriminals.”

Who is Amin Stigal?

The U.S. linked 22-year-old Amin Stigal to the Russian GRU and labelled him for his involvement in the WhisperGate malware operations. But who is Amin Stigal and what is the extent of his involvement? [caption id="attachment_79079" align="aligncenter" width="947"] Source: Rewards for Justice[/caption] The U.S. authorities, along with the $10 million bounty, released scarce but very important details on Stigal's cyber trail - his aliases or the threat group names with whom he is affiliated. The Cyber Express did an open-source intelligence (OSINT) study on these aliases and found the following details on Amin Stigal's cyber activities:

DEV-0586/Cadet Blizzard

Microsoft first tracked this threat actor as DEV-0586 and observed its destructive malware targeting Ukrainian organizations in January 2022. The tech giant later in April 2023 shifted to a new threat actor-naming taxonomy and thus named the TA "Cadet Blizzard." Cadet Blizzard has been operational since at least 2020 and has initiated a wave of destructive wiper attacks against Ukraine in the lead up to Russia's February 2022 invasion of Ukraine. Specifically, it created and developed WhisperGate, a wiper that deletes the master boot record, Microsoft said.

EMBER BEAR

Crowd Strike tracked this threat actor as EMBER BEAR (aka Lorec Bear, Bleeding Bear, Saint Bear) and linked it to an adversary group that has operated against government and military organizations in eastern Europe since early 2021. The likely motive of this TA is to collect intelligence from target networks, the cybersecurity firm said. EMBER BEAR primarily weaponized the access and data obtained during their intrusions to support information operations (IO), according to CrowdStrike. Their aim in employing this tactic was to create public mistrust in targeted institutions and degrade respective government's ability to counter Russian cyber operations.

UAC-0056

The Computer Emergency Response Team of Ukraine tracked this Russian-linked threat actor/group as UAC-0056 and observed its malicious campaigns targeting Ukraine through phishing campaigns in July 2022. In the discovered attack, threat actors sought to disrupt the integrity and availability of government websites by exploiting several backdoors and deploying Cobalt Strike Beacon malware. The threat actors communicated with the web shell using IP addresses, including those belonging to neighboring devices of other hacked organizations due to their previous account abuse and additional VPN connection to the corresponding organizations. The hackers also applied other malware samples in this campaign including the GOST (Go Simple Tunnel) and Ngrok utilities, to deploy the HoaxPen backdoor.

What is WhisperGate Malware?

WhisperGate is a destructive malware that is seemingly designed like a ransomware, but it is not. Unlike ransomware, which encrypts data and demands a ransom for decryption, WhisperGate aimed to completely destroy data, rendering the infected systems inoperable. It first targeted Ukrainian organizations in January 2022 and ever since continues to remain on the list of top malware variants used to target Kyiv.

Key Points on WhisperGate:

• Multi-stage Attack: It operated in stages, with the first stage overwriting the Master Boot Record (MBR) to prevent the system from booting normally and displaying a fake ransom note.
• Data Wiping: The MBR overwrite made data recovery nearly impossible.
• Motive: Experts believe the goal was data destruction, not financial gain, due to the lack of a real decryption method.
• Deployment: The malware resided in common directories like C:\PerfLogs and used a publicly available tool called Impacket to spread laterally within networks.

In a significant move to bolster data privacy protections, the California Privacy Protection Agency (CPPA) inked a new partnership with France’s Commission Nationale de l'Informatique et des Libertés (CNIL). The collaboration aims to conduct joint research on data privacy issues and share investigative findings that will enhance the capabilities of both organizations in safeguarding personal data. The partnership between CPPA and CNIL shows the growing emphasis on international collaboration in data privacy protection. Both California and France, along with the broader European Union (EU) through its General Data Protection Regulation (GDPR), recognize that effective data privacy measures require global cooperation. France’s membership in the EU brings additional regulatory weight to this partnership and highlights the necessity of cross-border collaboration to tackle the complex challenges of data protection in an interconnected world.

What the CPPA-CNIL Data Privacy Protections Deal Means

The CPPA on Tuesday outlined the goals of the partnership, stating, “This declaration establishes a general framework of cooperation to facilitate joint internal research and education related to new technologies and data protection issues, share best practices, and convene periodic meetings.” The strengthened framework is designed to enable both agencies to stay ahead of emerging threats and innovations in data privacy. Michael Macko, the deputy director of enforcement at the CPPA, said there were practical benefits of this collaboration. “Privacy rights are a commercial reality in our global economy,” Macko said. “We’re going to learn as much as we can from each other to advance our enforcement priorities.” This mutual learning approach aims to enhance the enforcement capabilities of both agencies, ensuring they can better protect consumers’ data in an ever-evolving digital landscape.

CPPA’s Collaborative Approach

The partnership with CNIL is not the CPPA’s first foray into international cooperation. The California agency also collaborates with three other major international organizations: the Asia Pacific Privacy Authorities (APPA), the Global Privacy Assembly, and the Global Privacy Enforcement Network (GPEN). These collaborations help create a robust network of privacy regulators working together to uphold high standards of data protection worldwide. The CPPA was established following the implementation of California's groundbreaking consumer privacy law, the California Consumer Privacy Act (CCPA). As the first comprehensive consumer privacy law in the United States, the CCPA set a precedent for other states and countries looking to enhance their data protection frameworks. The CPPA’s role as an independent data protection authority mirror that of the CNIL - France’s first independent data protection agency – which highlights the pioneering efforts of both regions in the field of data privacy. By combining their resources and expertise, the CPPA and CNIL aim to tackle a range of data privacy issues, from the implications of new technologies to the enforcement of data protection laws. This partnership is expected to lead to the development of innovative solutions and best practices that can be shared with other regulatory bodies around the world. As more organizations and governments recognize the importance of safeguarding personal data, the need for robust and cooperative frameworks becomes increasingly clear. The CPPA-CNIL partnership serves as a model for other regions looking to strengthen their data privacy measures through international collaboration.

Credit Suisse, a global investment bank and financial services firm, has reportedly fallen victim to a cyberattack. The Credit Suisse data breach was allegedly masterminded by a threat actor (TA), operating under the alias “888,” on the data hack site BreachForums. The TA claims to have accessed highly sensitive data of the bank and posted it on the dark web marketplace. According to the the threat actor, the data breach contains personal information of about 19,000 of the bank’s Indian employees.

Credit Suisse Data Breach Details

Credit Suisse was founded in 1856 and has approximately $15.21 Billion in revenue. It is one of the leading institutions in private banking and asset management, with strong expertise in investment banking. On June 25, 2024, the threat actor claimed to have carried out a cyberattack on the bank and exfiltrated details on 19,000 of its users. [caption id="attachment_79024" align="alignnone" width="1622"] Source: X[/caption] The breached data purportedly includes names of employees, 6,623 unique email addresses, their codes, date of birth, gender, policy name, relationships, dates of joining, effective dates, statuses, and entities. To substantiate the claim, the threat actor 888 provided a sample of the data breach, which contains details of Credit Suisse employees in India. [caption id="attachment_79025" align="alignnone" width="1362"] Source: X[/caption] The TA, however, did not provide a specific price for the sale of data and has requested potential buyers to quote a figure. The hacker commented that they are only accepting cryptocurrency as the mode of payment. More specifically, the hacker was open to payment on Monero (XMR), a digital currency renowned for its privacy and anonymity attributes. This method of payment is often utilized in illegal transactions to evade detection. Despite these claims by the threat actor, a closer inspection reveals that the bank’s website is currently functioning normally, showing no signs of a security breach. The Cyber Express has reached out to the bank to verify the alleged cyberattack. As of now, no official statements or responses have been received, leaving the claims unverified.

Not the First Credit Suisse Data Breach

This is not the first time that Credit Suisse has been involved in a security breach. According to a report published in The Economic Times, in 2023, the bank warned its staff that a former employee stole personal data of its employees, including salaries and bonuses. The information included salary and "variable compensation" for a period between 2013 and 2015. Another Bloomberg report said that a data breach in 2023 impacted numerous former Credit Suisse clients who collectively held a staggering $100 billion in accounts.

Credit Suisse Hacker Targeted Big Multinationals Recently

There are many concerns over the potential misuse of sensitive information found in the data breach, which includes customer names, dates of birth, and relationships. Credit Suisse should investigate the data breach claims considering the history of the threat actor. Earlier this month, the TA 888 claimed to have stolen data of over 32,000 current and former employees of Accenture. The company, however, denied the claims and said that the data set published by the hacker had only three employee names and email addresses. The hacker also claimed responsibility for leaking details about 8,174 employees of Heineken across several countries. Prior to this, 888 also staked claims for an attack on oil and gas multinational Shell.  The TA posted sample information sharing personal details of Australian customers. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.  

Hacktivist group KillSec has revealed a new weapon in their digital arsenal: a Ransomware as a Service (RaaS) program designed to empower aspiring cybercriminals with hacking capabilities. The threat actor revealed the RaaS program on June 24, 2024, sharing its features for those looking to deploy ransomware attacks on their targets.  The centerpiece of KillSec RaaS is its advanced locker, meticulously crafted in C++ for optimal performance and efficiency. This encryption tool is engineered to lock down files on victims' computers, rendering them inaccessible until a ransom is paid and a decryption key is provided. Operating through a user-friendly dashboard accessible via the Tor network, known for its anonymity features, KillSec ensures that its clients can operate discreetly.

KillSec Announces New RaaS Program for Hackers

[caption id="attachment_79012" align="alignnone" width="532"] Source: Dark Web[/caption] The dashboard boasts several essential features designed to streamline the ransomware deployment process. Users can track the success of their campaigns with detailed statistics, manage communications via an integrated chat function, and customize ransomware configurations using the built-in builder tool. In addition to its current capabilities, KillSec has announced forthcoming enhancements to its RaaS program. These include a stresser tool for launching distributed denial-of-service (DDoS) attacks, automated phone call capabilities to pressure victims into paying ransoms, and an advanced stealer for harvesting sensitive data such as passwords and financial information. Access to KillSec's RaaS program is available for a fee of $250, aimed at "trusted individuals," with KillSec taking a 12% commission from any ransom payments collected. This pricing model highlights the group's commitment to making advanced cyber weaponry accessible while maintaining a profitable partnership with their clients.

Who is the KillSec Hacktivist Group?

Founded in 2021, KillSec has emerged as a prominent force in the hacktivist community, often aligning itself with the ethos of the Anonymous movement. Their activities have included high-profile website defacements, data breaches, and ransomware attacks, including recent breaches affecting traffic police websites in Delhi and Kerala. Ransomware as a Service (RaaS) programs, similar to what KillSec has announced, represent an evolution in cybercrime tactics, democratizing access to powerful malicious software for a global audience.  The RaaS program model allows less technically skilled individuals to engage in cyber extortion with relative ease, leveraging customizable ransomware variants to target businesses and individuals worldwide. The proliferation of RaaS platforms has contributed to the escalating frequency and severity of ransomware attacks, posing substantial challenges to law enforcement agencies worldwide. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Notorious ransomware group BianLian has claimed to have added two new organizations as its latest cyberattack victims. The BianLian ransomware attack was allegedly carried out on two US-based firms, namely, Better Business Bureau Inc and U.S. Dermatology Partners. The infamous actor has claimed to have accessed sensitive data including financial, contract, and employee profiles from both its victims.

BianLian Ransomware Attack: Critical Details  

The first organization targeted by hackers was Better Business Bureau (BBB), which is a private, nonprofit organization founded in 1912 in Arlington, Virginia. The firm maintains a massive database of accredited and non-accredited businesses, providing ratings based on several factors. The Better Business Bureau has a revenue of $430.6 Million. [caption id="attachment_79001" align="alignnone" width="1259"] Source: X[/caption] The threat actor claims to have accessed 1.2 TB of organization data, including accounting, budget, and financial data; contract data and NDAs; files from the CFO's computer; operational and business files; and email and PST archives. The group has also disclosed sensitive information such as the names, personal email addresses, and phone numbers of BBB’s CEO, vice president, chief accreditation officer, and chief activation officer. The other organization that has allegedly fallen victim to the ransomware group is US Dermatology Partners. The organization, with a revenue of $213.7 Million, is one of the premier dermatology practitioners in the USA, caring for over two million patients annually. [caption id="attachment_79002" align="alignnone" width="1259"] Source: X[/caption] The hackers claimed to have accessed 300 GB of organization data, including personal data, accounting and budget information, financial data, contract data and NDAs, and employee profiles.

Potential Impact of BianLian Ransomware Attack

If proven, the potential consequences of this ransomware attack could be critical as the accounting and financial details of both these firms could be leaked. The organizations should take appropriate measures to protect the privacy and security of the stakeholders involved. Financial data breaches can lead to identity theft, financial fraud, and a loss of trust among clients, potentially jeopardizing the company’s standing in the industry. Currently, details regarding the extent of the BianLian ransomware attack, data compromise, and the motive behind the cyber assault remain undisclosed. Despite the claims made by BianLian, the official websites of the targeted companies remain fully functional. This discrepancy has raised doubts about the authenticity of the BianLian group’s assertion. To ascertain the veracity of the claims, The Cyber Express has reached out to the officials of the affected organizations. As of the writing of this news report, no response has been received, leaving the ransomware attack claim unverified.

History of BianLian Ransomware Group Attacks

BianLian, a ransomware group, has been targeting critical infrastructure sectors in the U.S. and Australia since June 2022. They exploit RDP credentials, use open-source tools for discovery, and extort data via FTP or Rclone. FBI, CISA, and ACSC advise implementing mitigation strategies to prevent ransomware attacks. Initially employing a double-extortion model, they shifted to exfiltration-based extortion by 2023. According to a report by  BlackBerry, BianLian ransomware showcases exceptional encryption speed and is coded in the Go programming language (Golang). This sophisticated approach has enabled the group to strike multiple organizations, leaving a trail of unverified claims in its wake. Earlier in 2024, the group targeted companies such as North Star Tax and Accounting, KC Pharmaceuticals, Martinaire. In its attack on MOOver, the group claimed to have accessed a staggering 1.1 terabytes of the firm’s data. Subsequently, Northeast Spine and Sports Medicine also found themselves on the list of victims. All these claims, similar to the recent attack, remain unverified. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A newly surfaced banking trojan named "Sniffthem," also known as Tnaket has emerged on the dark web forums. This Sniffthem trojan, introduced by threat actor oliver909 on the XSS Russian language forum, targets a wide spectrum of Windows operating systems ranging from Windows 7 to the latest Windows 11. Oliver909's forum post on June 24, 2024, detailed the capabilities of the banking trojan Sniffthem, highlighting its advanced functionalities designed for financial fraud. Among its notable features, Sniffthem possesses the ability to perform HTML injection, enabling it to compromise websites—even those secured with SSL certificates—by injecting malicious HTML code. This tactic undermines the integrity of supposedly secure web pages, facilitating the theft of sensitive information.

Dark Web Actors Reveals Banking Trojan Sniffthem

[caption id="attachment_78990" align="alignnone" width="1906"] Source: Dark Web[/caption] Another key feature of Sniffthem is its credit card grabber capability, allowing it to stealthily capture credit card details through the injection of fake web pages. This method operates covertly, ensuring that the theft of financial data goes unnoticed by users and security measures alike. Moreover, the trojan supports a wide range of web browsers including Firefox, Google Chrome, Edge, and Yandex, ensuring compatibility across various user environments. To evade detection, the banking trojan Sniffthem employs crypters, enhancing its stealth and persistence on infected systems. These crypters cloak the trojan's code, making it difficult for antivirus programs and security defenses to detect and remove the malware effectively. Oliver909 demonstrated the trojan's functionalities through a video shared on the forum, showcasing its management panel and user interface designed for seamless control over malicious activities. In terms of pricing, oliver909 offers Sniffthem on a subscription basis, setting a monthly rate of USD 600. This pricing strategy positions Sniffthem as a lucrative option within the cybercriminal marketplace, appealing to threat actors looking to capitalize on financial fraud opportunities.

Technical Insights into Sniffthem Banking Trojan

Sniffthem's technical specifications highlight its sophistication and potential impact on cybersecurity. The Sniffthem banking trojan operates persistently as a hidden process, evading detection and maintaining a covert presence on infected systems. Its integration with a web-based management panel allows threat actors to efficiently control compromised devices and orchestrate malicious activities remotely. Furthermore, Sniffthem's compatibility with a wide array of browsers—64 in total—highlights its versatility and ability to infiltrate diverse user environments. This capability extends its reach across various sectors, with a particular focus on the BFSI (Banking, Financial Services, and Insurance) industry where financial transactions and sensitive data are prime targets. The emergence of Sniffthem signifies a heightened threat to organizations and individuals alike, particularly within the financial sector. To mitigate risks associated with banking trojans like Sniffthem, cybersecurity best practices are essential. Organizations should prioritize regular software updates, endpoint protection, and employee training to recognize and respond to phishing attempts effectively. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

India’s largest government-owned-telecommunications service provider, Bharat Sanchar Nigam Ltd (BSNL), has allegedly suffered a massive data breach, the second such instance in less than six months. The BSNL data breach reportedly involves critical data including international Mobile Subscriber Identity (IMSI) numbers, SIM card information, Home Location Register (HLR) specifics, DP Card Data, and even snapshots of BSNL's SOLARIS servers which can be misused for SIM cloning.

Exploring Claims of BSNL Data Breach

The BSNL data leak was first disclosed by an Indian firm, Athenian Tech, in its threat intelligence report. According to the report, a threat actor, operating under the alias “kiberphant0m”, leaked a significant amount of sensitive data affecting millions of users. The threat actor posted this information on the data hack site BreachForums and shared samples of the breach to legitimize the claim. Overall, around 278GB of sensitive information could be compromised. The hacker also posted details of call log samples which leaked sensitive information like mobile numbers of users, the date and duration of calls, and the amount charged for the call in Indian Rupees. The call log samples were being leaked in two sets: one for the month of May 2024 and another from 2020. This indicates that the data breach was a recent attack raising questions over the security checks in place at BSNL. The threat actor was selling the alleged stolen data for $5,000. The steep price tag could indicate the significant value of the stolen data which is sensitive. The Cyber Express has yet to verify the authenticity of the recent BSNL data breach and has contacted the organization for an official response.  This article will be updated based on their response.

Potential Implications of BSNL Data Breach

1. SIM Cloning and Identity Theft: Cloning a SIM involves creating a duplicate card that has the same IMSI and authentication keys, thus making it easy for the attackers to intercept messages/ calls, gain access to people’s bank accounts, and embezzle their finances.
2. Privacy Violations: Identity theft means that one can gain unauthorized access to the individuals’ communication and breaches.
3. Financial and Identity Theft: Illegal operations can defeat protective procedures in the financial portfolios, which entail substantial monetary losses and cases of identity theft.
4. Targeted Attacks and Scams: The user could be exposed to major security risks and could be vulnerable to phishing schemes and other social engineering attacks, exploiting their trust in BSNL.

The threat is not just limited to the consumers, but also to BSNL’s operations and security. Illegal access to servers can result in service disruptions, slow performance, and unauthorized access to telecom operations. Leaking of such information poses a severe threat to critical infrastructures and paves the way for future attacks on complex systems interconnectivity. BSNL users should remain vigilant and monitor any unusual activity on their phones and bank accounts and enable two-factor authentication (2FA) for added security on all accounts. BSNL too should take immediate action if the breach is confirmed, secure network endpoints, and audit access logs. They should enhance security measures, conduct frequent security audits, and adopt advanced threat detection technologies.

Second BSNL Data Breach in Less Than Six Months

If the data theft claims are proven, it would be the second instance of a cyberattack on BSNL in less than six months. In December 2023, a threat actor known as “Perell” claimed access to critical information about fiber and landline users of BSNL. The dataset contained about 32,000 lines of data allegedly impacting over 2.9 million users. However, BSNL did not validate the claims back then. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.