Reading view
Chrome to ‘Distrust’ Entrust Certificates: Major Shakeup for Website Security
Google's Chrome browser is making a significant security move by distrusting certificates issued by Entrust, a prominent Certificate Authority (CA), beginning late 2024. This decision throws a wrench into the operations of numerous websites including those of major organizations like Bank of America, ESPN, and IRS.GOV, among others.
Digital certificates (SSL/TLS) play a vital role in ensuring secure connections between users and websites. These certificates issued by trusted CAs act as a security seal - more like a blue tick for websites - and helps users gauge the legitimacy of the website. It also ensures an encrypted communication to prevent data breaches.
However, Chrome is removing Entrust from its list of trusted CAs due to a concerning pattern of "compliance failures, unmet improvement commitments, and the absence of tangible, measurable progress" over the past six years. Entrust's repeated shortcomings in upholding security standards have led Google to lose confidence in their ability to act as a reliable CA.
"It is our opinion that Chrome’s continued trust in Entrust is no longer justified." - Google Chrome
This move also extends to AffirmTrust, a lesser-known provider acquired by Entrust. While these certificates account for only a small fraction (0.1%) compared to Let's Encrypt (49.7%), the impact is still significant considering organizations like Bank of America, BookMyShow, ESPN and even government websites like IRS.gov, which have high internet traffic volumes, are also certified by Entrust.
[caption id="attachment_79569" align="aligncenter" width="1024"] Bank of America and IRS.gov certificates as displayed on Chrome Certificate Viewer[/caption]What This Means for Users and Website Owners
Starting November 1, 2024, Chrome users encountering websites with distrusted Entrust certificates will be met with a full-page warning proclaiming the site as "not secure."
[caption id="attachment_79563" align="aligncenter" width="1024"] Sample of how Chrome will display warning for websites having a certificate from Entrust or AffirmTrust (Source: Google)[/caption]This warning only applies to certificates issued after October 31, 2024, providing a grace period for websites with existing Entrust certificates. However, as certificates have lifespans, website owners must transition to a different CA before expiration. Considering its market share Let's Encrypt, a free and trusted option, comes highly recommended.
This shift is crucial for maintaining a secure web environment. When a CA fails to meet expectations, it jeopardizes the entire internet ecosystem. Chrome's decision prioritizes user protection by eliminating trust in potentially compromised certificates.
Website owners using impacted Entrust certificates should act swiftly to switch to a different CA. The Chrome Certificate Viewer can be used to identify certificates issued by Entrust. While this may seem inconvenient, it's necessary to ensure continued user access without security warnings.
Potential Workaround Only on Internal Networks
Large organizations managing internal networks have some leeway. Chrome allows enterprises to bypass these changes by installing the affected certificates as trusted on their local networks. This ensures internal websites using these certificates function normally.
The Entrust Controversy: A Deeper Look
Further context emerges from discussions on Mozilla's Bug Tracker (Bug 1890685). It reveals a critical issue – Entrust's failure to revoke a specific set of Extended Validation (EV) TLS certificates issued between March 18 and 21, 2024. This violated their own Certification Practice Statement (CPS).
Entrust opted against revoking the certificates, citing potential customer confusion and denying any security risks. However, this decision sparked outrage. Critics emphasized the importance of proper revocation procedures to uphold trust in the CA system. Entrust's prioritization of customer convenience over security raised concerns about their commitment to strict adherence to security best practices.
A detailed post on Google Groups by Mike Shaver sheds further light on the situation. Shaver expresses doubt in Entrust's ability to comply with WebPKI and Mozilla Root Store Program (MRSP) requirements. Despite attempts to address these concerns, Entrust's handling of certificate revocation, operational accountability, and transparency remain under scrutiny.
Shaver points out Entrust's tendency to prioritize customer convenience over strict adherence to security standards. He also criticizes the lack of detailed information regarding organizational changes and Entrust's failure to meet Mozilla's incident response requirements. Until Entrust demonstrates substantial improvements and transparency, continued trust in their certificates poses a significant risk to the overall web PKI and the security of internet users.
But this is not the end of it. In fact it is just the tip of the ice berg. Shaver's comments in the forum are in response to a host of compliance incidents between March and May related to Entrust. Ben Wilson summarized these recent incidents in a dedicated wiki page.
"In brief, these incidents arose out of certificate mis-issuance due to a misunderstanding of the EV Guidelines, followed by numerous mistakes in incident handling including a deliberate decision to continue mis-issuance," Wilson said.
This is a very serious shortcoming on Entrust's behalf considering the stringent norms and root store requirements, he added.
However, Chrome's decision to distrust Entrust certificates sends a strong message – prioritizing user safety requires holding CAs accountable for upholding the highest security standards.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
SnailLoad Allows Attackers to Trace Visited Websites By Measuring Network Latency
How The SnailLoad Exploit Works
SnailLoad takes advantage of the bandwidth bottleneck present in most internet connections. When a user's device communicates with a server, the last mile of the connection is typically slower than the server's connection. An attacker can measure delays in their own packets sent to the victim to deduce when the victim's connection is busy. [caption id="attachment_79548" align="alignnone" width="1287"] Source: snailload.com[/caption] The attack masquerades as a download of a file or any website component (like a style sheet, a font, an image or an advertisement). The attacking server sends out the file at a snail's pace, to monitor the connection latency over an extended period of time. The researchers decided to name the technique 'SnailLoad' as "apart from being slow, SnailLoad, just like a snail, leaves traces and is a little bit creepy." The attack requires no JavaScript or code execution on the victim's system. It simply involves the victim loading content from an attacker-controlled server that sends data at an extremely slow rate. By monitoring latency over time, the attacker can correlate patterns with specific online activities. The researchers have shared the conditions required to recreate the SnailLoad attack:- Victim communicates with the attack server.
- Communicated server has a faster Internet connection than the victim's last mile connection.
- Attacker's packets sent to victim are delayed if the last mile is busy.
- Attacker infers website visited or video watched by victim through side-channel attack.
SnailLoad Implications and Mitigation
In testing, SnailLoad was able to achieve up to 98% accuracy in identifying YouTube videos watched by victims. It also showed 62.8% accuracy in fingerprinting websites from the top 100 most visited list. While not currently observed in the wild, SnailLoad could potentially affect most internet connections. Mitigation is challenging, as the root cause stems from fundamental bandwidth differences in network infrastructure. The researchers stated that while adding random noise to the network can reduce the accuracy of the attack, it could impact performance and cause inconvenience to users. As online privacy concerns grow, SnailLoad highlights how even encrypted traffic could potentially be exploited to leak information through subtle timing differences. Further research could be required to develop effective countermeasures against this new class of remote side-channel attacks.Weekly Vulnerability Report: Critical Flaws Identified by Cyble in Microsoft, Adobe, MOVEit & More
The Week’s Top Vulnerabilities
These are the 10 high-severity and critical vulnerabilities Cyble researchers focused on this week.CVE-2024-5276
Impact Analysis: This critical SQL Injection vulnerability in Fortra FileCatalyst Workflow, a web-based file transfer platform accelerating large file exchanges, allows an attacker to modify application data, with likely impacts including the creation of administrative users and deletion or modification of data in the application database. It is worth noting that data exfiltration via SQL injection is not possible by leveraging the vulnerability; further successful unauthenticated exploitation requires a Workflow system with anonymous access enabled; otherwise, an authenticated user is required. Internet Exposure? No Patch Available? YesCVE-2024-5806
Impact Analysis: This critical improper authentication vulnerability impacts Progress MOVEit Transfer (SFTP module), which can lead to authentication bypass in the secure managed file transfer application. With successful exploitation, an attacker could access sensitive data stored on the MOVEit Transfer server; upload, download, delete, or modify files; and intercept or tamper with file transfers. Within a day of the vendor disclosing the vulnerability, security researchers started to observe exploitation attempts targeting it due to its vast exposure and impact, Cyble researchers noted. Patch Available? YesCVE-2024-0762
Impact Analysis: This high-severity buffer overflow vulnerability impacts unsafe UEFI variable handling in Phoenix SecureCore, an advanced UEFI firmware solution developed for client PCs, notebooks, and IoT/embedded devices. The vulnerability could be exploited to execute code on vulnerable devices. Furthermore, given the enormous number of Intel CPUs that use this firmware, the vulnerability might affect hundreds of models from vendors, including Lenovo, Dell, Acer, and HP, Cyble researchers noted. Internet Exposure? No Patch Available? YesCVE-2024-34102
Impact Analysis: This critical improper restriction of XML external entity reference ('XXE') vulnerability impacts Adobe Commerce, a leading digital commerce solution for merchants and brands. An attacker could exploit this vulnerability by sending a crafted XML document that references external entities, leading to arbitrary code execution. Patch Available? YesCVE-2024-28995
Impact Analysis: The high severity directory transversal vulnerability impacts SolarWinds Serv-U, a secure managed file transfer (MFT) solution. Successful exploitation of the vulnerability could allow threat actors access to read sensitive files on the host machine. Recently researchers have observed active exploitation of vulnerability leveraging publicly available proof-of-concept (PoC) exploits. Patch Available? YesCVE-2017-11882
Impact Analysis: The high-severity vulnerability impacts Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016. It could allow an attacker to run arbitrary code in the context of the current user by failing to handle objects in memory properly. Recently, researchers uncovered that this 7-year-old vulnerability was leveraged in cyberespionage campaigns orchestrated by alleged state-sponsored groups. Internet Exposure? No Patch Available? YesCVE-2024-6027
Impact Analysis: The high-severity vulnerability impacts the Themify WooCommerce Product Filter plugin for WordPress, which could lead to time-based SQL Injection via the ‘conditions’ parameter. Exploiting the vulnerability makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Internet Exposure? Yes Patch Available? Yes – upgrade to version 1.5.0CVE-2024-37079
Impact Analysis: Cyble also addressed this vulnerability in last week’s vulnerability report. The critical severity heap-overflow vulnerability impacts the VMware vCenter Server, a central management platform for VMware vSphere that enables the management of virtual machines and ESXi hosts. Given the global usage of the impacted product and the history of leveraging the flaws impacting vCenter, Cyble said there are possibilities that threat actors (TAs) could also leverage this critical vulnerability. Internet Exposure? Yes Patch Available? YesCVE-2024-30103
Impact Analysis: This high-severity remote code execution (RCE) vulnerability impacts Microsoft Outlook. Since the RCE flaw can be exploited simply by opening and previewing an email that contains a malicious payload in the body, requiring no further interaction from the user, there are high possibilities for TAs to weaponize the vulnerability in targeting government and private entities. Internet Exposure? No Patch Available? YesCVE-2024-30078
Impact Analysis: This high severity remote code execution (RCE) vulnerability impacts Windows Wi-Fi Driver. With the wide usage of Windows devices around the world and the ability to exploit without the need for any user interaction, TAs can leverage the flaw to gain initial access to the devices and later install malware and exfiltrate user data. Internet Exposure? No Patch Available? YesDark Web Exploits
Cyble’s scans of customer environments found nearly a million exposed assets for just 7 vulnerabilities this week. Nearly 200,000 assets were exposed to the the VMware vCenter Server vulnerability, while a PHP vulnerability (CVE-2024-4577) reported two weeks ago continues to dominate, affecting nearly 600,000 exposed assets. Cyble researchers also observed five instances of alleged zero-day vulnerabilities being offered on sale on underground forums, plus a number of exploits/proof of concepts/custom scripts observed over underground forums. The full report available for clients covers all these vulnerabilities, along with details and discussion around exploits found on the dark web, industrial control system (ICS) vulnerability intelligence, and cybersecurity defenses.Researchers Uncover Flaws in Widely Used Emerson Rosemount Industrial Gas Chromatographs
Flaws in Emerson Rosemount Gas Chromatographs
Operational technology security firm Claroty discovered the vulnerabilities, which include two command injection flaws and two authentication bypass issues. If exploited, these flaws could enable unauthenticated attackers to run arbitrary commands, access sensitive data and gain administrative control. [caption id="attachment_79530" align="alignnone" width="649"] Source: Wikipedia[/caption] [caption id="attachment_79525" align="alignnone" width="1476"] Emulated system (Source: claroty.com)[/caption] To study the Emerson Rosemount 370XA gas chromatograph, commonly used in industrial settings for gas analysis, the researchers took efforts to emulate the systems. This complex process was undertaken because the physical device could cost over $100,000 while the research was limited to a six-week project. The emulation process involved download and extraction of the device firmware from the official Emerson Rosemount website, and a search for an application that could implements its proprietary protocols. The researchers used the QEMU emulator to emulate the PowerPC architecture used by the gas chromatograph and run the extracted firmware. Upon investigation, the researchers were able to uncover four key vulnerabilities:- CVE-2023-46687: Allows remote execution of root-level commands without authentication (CVSS score: 9.8)
- CVE-2023-49716: Enables authenticated users to run arbitrary commands remotely (CVSS score: 6.9)
- CVE-2023-51761: Permits unauthenticated users to bypass authentication and gain admin access by resetting passwords (CVSS score: 8.3)
- CVE-2023-43609: Allows unauthenticated users to access sensitive information or cause denial-of-service (CVSS score: 6.9)
Industry Impact and Mitigation
Gas chromatographs play a crucial role in various sectors, from environmental monitoring to medical diagnostics. Compromised devices could have far-reaching consequences. In food processing, attacks on chromatographs might prevent accurate bacteria detection, halting production. In healthcare settings, disrupted blood sample analysis could impact patient care. Emerson has released updated firmware addressing these vulnerabilities. The Claroty researchers said they "appreciate Emerson for its swift response and cooperation, which demonstrates their dedication to our shared goal." Emerson advises customers to apply the patches and implement best practices in the cybersecurity industry according to current standards. The firm stated, "In addition, Emerson recommends end users continue to utilize current cybersecurity industry best practices and in the event such infrastructure is not implemented within an end user’s network, action should be taken to ensure the Affected Product is connected to a well-protected network and not connected to the Internet. In its advisory CISA shared the following recommendations for securing these systems:- Minimize network exposure: Ensure that control system devices and/or systems, are not publicly accessible from the internet.
- Locate control system networks: Place remote devices behind firewalls and isolate them from business networks
- Secure Remote Access: Use Virtual Private Networks (VPNs) to secure remote access. However, the agency also warned of potential inherent risks in VPNs, asking organizations and businesses to be aware of them.
Italy Cyberattacks: Three Companies Targeted in 24 Hours by RansomHub, RansomHouse
Details of Italy ransomware attacks
Cloud Europe is a Tier IV certified carrier-neutral data center located in Rome’s Tecnopolo Tiburtino. According to details on the company website, it specializes in the design and management of data centers, with particular attention to the problems of security and service continuity. The company builds, hosts and manages modular infrastructure for customer data centers in the private and public sectors. [caption id="attachment_79490" align="alignnone" width="1173"] Source: X[/caption] The threat actor RansomHub claimed to have encrypted the servers of Cloud Europe, exfiltrating more than 70 TB of its data. “In addition, we have stolen over 541.41 GB of your sensitive data, obtained access to another company from your sensitive transformations,” RansomHub stated on its site. The other company targeted by RansomHub is Mangimi Fusco, which is an animal food manufacturer. It also supplies farm products and raw materials to wholesale merchants. According to the ransomware group, it has stolen 490 GB of “Private and confidential data, client documents, budget, payroll, accounting, contracts, taxes, IDs, finance information, etc…we give you three days to come for negotiations.” [caption id="attachment_79491" align="alignnone" width="1189"] Source: X[/caption] Meanwhile, RansomHouse has allegedly breached the website of Francesco Parisi, which is a group of freight forwarding and shipping agents. It was established by Francesco Parisi in Trieste and has been operating in Central Europe since 1807. The group has around 100 employees and has a revenue of $13.7 million. The ransomware group claims that it stole 150 GB of the company’s data on May 29. [caption id="attachment_79492" align="alignnone" width="1491"] Source: X[/caption] Despite these claims, a closer inspection reveals that that the websites of Cloud Europe and Mangimi Fusco seem to be functioning normally, showing no signs of the ransomware attack as alleged by the threat actor. However, Francesco Parisi has put up a disclaimer on its home site which reads, “Important notice: Hacker Attack. We are aware that our infrastructure was subjected to a hacker attack. We want to reassure our users, customers and suppliers that we have immediately taken the necessary measures to restore operations and protect their data. Safety is a top priority. We are working hard to investigate the incident and implement additional security measures to prevent future attacks. We apologize for any inconvenience this event may have caused. We will keep you informed of developments in the situation and will let you know as soon as we have further information. In the meantime, if you have any questions or concerns, please feel free to contact us. Thank you for understanding.” [caption id="attachment_79494" align="alignnone" width="1196"] Source: X[/caption] Meanwhile, The Cyber Express has reached out to both Cloud Europe and Mangimi Fusco regarding the purported cyberattack orchestrated by the RansomHub group. However, at the time of publication, no official statements or responses have been received, leaving the claims of the ransomware cyberattack on these entities unverified.Inglorious Past of RansomHub, RansomHouse
The origins of RansomHub trace back to February 2024, when it emerged as a Ransomware-as-a-Service (RaaS) on cybercrime forums. They employ sophisticated encryption techniques and target organizations predominantly in the IT & ITES sector. RansomHub has hackers from various global locations united by a common goal of financial gain. The gang openly mentions prohibiting attacks on non-profit organizations. RansomHouse emerged in March 2022 and is labelled as a multi-pronged extortion threat. In the words of RansomHouse representatives, the group claims to not encrypt data and that they are ‘extortion only,’ claiming itself as a ‘force for good’ that intends ‘shine a light’ on companies with poor security practices. The group has been observed accepting only Bitcoin payments. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.Scammers Promoted Fake Donald Trump Live Stream Urging Cryptocurrency Donations During Presidential Debate
Fake Trump Cryptocurrency Promotion Scam Streamed Ahead of Presidential Debate
The timing of the fake live stream coincided with the scheduled debate this week between current U.S. President Joe Biden and former President and challenger Donald J. Trump. Scammers behind the campaign appeared to be taking advantage of actual statements made by Trump supporting cryptocurrency in the past, coupled with a repeated AI-generated video where he sits alongside popular YouTuber Logan Paul to speak about promoting cryptocurrency within the United States if elected. [caption id="attachment_79454" align="alignnone" width="1351"] Screenshot taken from the livestream.[/caption] The fake video appears to stem from an edit of a podcast video where Trump joined the YouTuber to speak on various issues, including the election, U.S. politics, his personal life and his opponent. The edited fake video shared a QR code and website (donaldtrump[.]gives) where viewers could be tricked into making donations. The website incorporates official Trump campaign branding for the 2024 presidential election, sharing instructions for participation in the "unique event," a multiplier to lure visitors with calculations on how much cryptocurrency they would receive in return for their donation, and a "live" feed of ongoing donations made to the shared cryptocurrency addresses. [caption id="attachment_79477" align="alignnone" width="690"] Cryptocurrency addresses involved with the scam[/caption] "During this unique event, you have the opportunity to take a share of 2,000 BTC & 50,000 ETH & 500,000,000 DOGE & 50,000,000 USDT. Have a look at the rules and don't miss out on this. You can only participate once!" the scam website stated. According to details from a WhoIs lookup, the website appears to have been registered on June 27th, the same day as the Presidential debate, using a Russian registrant.YouTube Channel Connected To Scam Taken Down
The YouTube channel behind this promotion was taken down shortly after a report to YouTube, but the website promoted during the stream still appears to be up and running. The channel was noted to have about 1.38 million subscribers before its takedown, nearly half the subscriber count (2.9 million) for the official Donald J Trump YouTube channel. [caption id="attachment_79462" align="alignnone" width="606"] Email confirmation of Channel takedown[/caption] It is unknown if the live transaction feed featured on the scam website reflects actual real-time transactions. The full extent and the victim count from this cryptocurrency scam is unknown; details of the campaign have been sent to CRIL (Cyble Research and Intelligence Labs) researchers for further investigation. [caption id="attachment_79474" align="alignnone" width="2604"] Screenshot of alleged transactions[/caption] The campaign highlights the threat of Artificial Intelligence content to election-related processes, legitimate campaign donations and impersonation of candidates or well-known figures. In a recent incident, crypto scammers had taken over the YouTube channel of Channel 7 News Australia to use a deepfake Elon Musk to promote dubious crypto investments.Indonesia’s Civil Aviation Data Breached? Hacker Claims Access to Employees, Flight Data
Decoding Indonesian Civil Aviation Data Breach
The threat actor’s post on hacking site Breachforums, stated that the exfiltration of data occurred on June 27,2024. In his post, the hacker stated, “The Directorate General of Civil Aviation (DGCA) is an element that implements some of the duties and functions of the Indonesian Ministry of Transportation, which is under and responsible to the Minister of Transportation. The Directorate General of Civil Aviation is led by the Director General. The Directorate General of Civil Aviation has the task of formulating and implementing policies and technical standardization in the field of air transportation. The Directorate General of Civil Aviation handles the administration and management of civil aviation within the Unitary State of the Republic of Indonesia.” To substantiate the data breach claim, the threat actor attached the following sample records.- User log for small, unmanned aircraft certificates, remote pilot certificate and unmanned aircraft operation approval.
- Sample chats which probably refer to communication of DGCA employees with pilots on 04/13/2022
- ID card photo data for all employees
- Userrname and password of employees who logged on to a DGCA application
Indonesia Battles Three Major Cyberattack Claims in One Week
Hackers have recently carried out allegedly three major cyberattacks on key Indonesian establishments. Last week, a ransomware attack on Indonesia’s national data center has disrupted official government services including immigration services at airports. The attack has reportedly affected more than 200 government agencies at national and regional levels. The attack was carried out by LockBit 3.0 ransomware, a variant known for encrypting victims’ data and demanding payment for its release. The attackers had offered a decryption key in exchange for an $8 million ransom. The AFP however reported that the Indonesian government though refused to pay the ransom but admitted that the cyberattack would have been rendered useless if there was a backup to the main server. Earlier this week, a hacker “MoonzHaxor” had claimed to have breached Indonesian Military's (TNI) Strategic Intelligence Agency (Bais) and offered to sell this data for $1,000 USD. The same hacker had announced breaching Indonesia's Automatic Finger Identification System (Inafis) owned by the National Police (Polri). The data reportedly includes fingerprint images, email addresses, and SpringBoot application configurations. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.Vanna AI Vulnerability Exposes SQL Databases to Remote Code Execution
Vanna AI Vulnerability Leads to Remote Code Execution (RCE)
The Vanna AI vulnerability was first identified by cybersecurity researchers at JFrog. They found that by injecting malicious prompts into the "ask" function, attackers could bypass security controls and force the library to execute unintended SQL commands. This technique, known as prompt injection, exploits the inherent flexibility of LLMs in interpreting user inputs. According to JFrog, "Prompt injection vulnerabilities like CVE-2024-5565 highlight the risks associated with integrating LLMs into user-facing applications, particularly those involving sensitive data or backend systems. In this case, the flaw in Vanna.AI allows attackers to subvert intended query behavior and potentially gain unauthorized access to databases." The issue was also independently discovered and reported by Tong Liu through the Huntr bug bounty platform, highlighting its significance and widespread impact potential.Understanding Prompt Injection and Its Implications
Prompt injection exploits the design of LLMs, which are trained on diverse datasets and thus susceptible to misinterpreting prompts that deviate from expected norms. While developers often implement pre-prompting safeguards to guide LLM responses, these measures can be circumvented by carefully crafted malicious inputs. "In the context of Vanna.AI," explains JFrog, "prompt injection occurs when a user-supplied prompt manipulates the SQL query generation process, leading to unintended and potentially malicious database operations. This represents a critical security concern, particularly in applications where SQL queries directly influence backend operations."Technical Details and Exploitation
The Vanna AI vulnerability arises primarily from how Vanna.AI handles user prompts within its ask function. By injecting specially crafted prompts containing executable code, attackers can influence the generation of SQL queries. This manipulation can extend to executing arbitrary Python code, as demonstrated in scenarios where the library dynamically generates Plotly visualizations based on user queries. "In our analysis," notes JFrog, "we observed that prompt injection in Vanna.AI allows for direct code execution within the context of generated SQL queries. This includes scenarios where the generated code inadvertently includes malicious commands, posing a significant risk to database security." Upon discovery, Vanna.AI developers were promptly notified and have since released mitigation measures to address the CVE-2024-5565 vulnerability. These include updated guidelines on prompt handling and additional security best practices to safeguard against future prompt injection attacks. "In response to CVE-2024-5565," assures JFrog, "Vanna.AI has reinforced its prompt validation mechanisms and introduced stricter input sanitization procedures. These measures are crucial in preventing similar vulnerabilities and ensuring the continued security of applications leveraging LLM technologies."Data Security Officer from Philippines Admits to Hacking 93 Different Websites
Implications for Philippines National Security
Kangkong's hacking spree exposed significant vulnerabilities in the cybersecurity measures of various organizations. Among the high-profile targets were the peacekeeping operations center website of the Armed Forces of the Philippines, the mail server of the National Security Council, and the Join the PH Army website. The hacker along with two others individuals were arrested by the National Bureau of Investigation (NBI) Cybercrime Division on June 19 after reports of multiple unauthorized access attempts and breaches on websites. [caption id="attachment_79338" align="alignnone" width="1200"] Arrested data officer Kangkong (Source: www.onenews.ph)[/caption] The hacker acknowledged the serious consequences of his actions, including the potential exposure of sensitive data of soldiers to foreign entities. "That's when I realized that we have many enemies and we should not be going against each other," Kangkong stated. The officer revealed in an interview with ABS-CBN that he had left specific pictures on compromised websites as proof of his involvement.Senior Technology Officer May Be Implicated
In his extrajudicial confession, Kangkong initially implicated Art Samaniego, Manila Bulletin's senior technology officer, as the person who ordered the hacking of several websites. However, he later expressed regret for this claim. Samaniego has denied allegations that he ordered the hacking to boost his social media reach. The NBI Cybercrime Division has issued a subpoena for Samaniego to explain his side to the authorities. Meanwhile, the Manila Bulletin has suspended Samaniego pending an internal investigation. Kangkong also highlighted the inadequate cybersecurity measures in place for government and private companies' websites, stating that this was a key factor in his ability to hack them. He urged organizations to invest in security measures to prevent similar breaches in the future. Kangkong's confession highlights the urgent need for improved cybersecurity measures in the Philippines. He emphasized that inadequate security was a key factor in his ability to breach these websites. "Cybersecurity is not really a priority in the Philippines," he stated, urging organizations to invest in better security measures despite the associated costs.Recently Disclosed Progress MOVEit Transfer Flaw Observed Being Actively Exploited
Progress MOVEit Vulnerability Details
WatchTowr Labs was sent details of the vulnerability by a user who identified as 'dav1d_bl41ne' on its IRC channel, an unusual method of vulnerability sharing, the researchers noted. The researchers decided to investigate further, setting up a test environment to replicate the vulnerability. [caption id="attachment_79318" align="alignnone" width="471"] Source: labs.watchtowr.com[/caption] The debugger output from the test environment showed that the server was throwing exceptions and attempting to access files in unexpected ways. Upon further investigation, the researchers discovered that the vulnerability could be exploited by providing a valid file path instead of the SSH public key during authentication. This led to the server attempting to access the file, giving the attacker unauthorized access to the system. The researchers shared the following steps on exploiting the vulnerability:- Upload a public key to the File Transfer server.
- Rather than supplying a legitimate public key, send a file path to the public key, signing the authentication request with the same public key.
- The key will be accepted by the server with successful login, allowing for the access of target files.
- Block public inbound RDP access to MOVEit Transfer server(s).
- Limit outbound access on MOVEit Transfer server(s) to only trusted endpoints.
Implications of the MOVEit Vulnerability
The discovery of this vulnerability soon after major exploitation last year has reignited discussions about the security of file transfer solutions in enterprise environments. The potential for unauthorized access to sensitive files could have far-reaching consequences for the large number of enterprises that rely on MOVEit Transfer. While the full extent of the vulnerability's impact is still being assessed, the incident has sparked more debate about responsible disclosure practices in the cybersecurity community. Some argue that early, private notifications to affected parties are crucial, while others advocate for more transparent, public disclosures to ensure widespread awareness and prompt action. As the situation develops, IT administrators and security professionals are advised to stay vigilant, monitor for any signs of exploitation, and implement recommended security measures to protect their MOVEit Transfer deployments.Crypto Scammers Hijack Channel 7 News Australia’s YouTube Account, Use Elon Musk Deepfake to Ask for Crypto Investment
Crypto Scammers Shift to Deepfake Deployment
Crypto scammers hijacking social media accounts of popular brands and celebrities on platforms like YouTube and X is not a novel thing. But what transpired on Thursday could very well be a snippet of things to come as we move towards the Age of AI.
Crypto scammers first took over the YouTube account of Channel 7 News and modified it in a way that it masqueraded the official Tesla channel.
[caption id="attachment_79292" align="aligncenter" width="300"] Hijacked Channel 7 News' YouTube Account Screenshot (Source: Reddit)[/caption]After making aesthetic changes to the YouTube account, the crypto scammers replaced the videos in the channel with a deepfake live stream of Tesla chief Elon Musk. The AI-generated Musk was seen encouraging viewers to scan a QR code and invest in cryptocurrency.
[caption id="attachment_79296" align="aligncenter" width="600"] Musk's Deepfake Asking Users to Scan or Regret (Source: Reddit)[/caption] As per local media, the Musk deepfake said, "All you need to do is scan the QR code on the screen, go to the website and watch your cryptocurrency double. Today's event is a chance for all crypto enthusiasts and users to double their assets.""This is an opportunity that cannot be missed." - Elon Musk Deepfake
The deepfake video was made in a way that Musk's AI version even interacted with the audience, where he continued to say that twice as much would return to investors' wallets.
The Channel 7 News has several region- and programming-specific YouTube channels, and most of them seemed to be hijacked at present, with all of them running the same deepfake live stream on loop. The page is no longer accessible via direct links from the company website, but as pointed by a Reddit user, if you go to the YouTube channel via the platform's search, it still displays the changes made by crypto scammers, which is a Tesla logo as seen in the images above.Experts, Leaders Press for Deep Fake Regulations
Owing to the menace of deepfakes, nearly 1,500 AI and tech experts in February urged global regulation of deepfakes to curb risks like fraud and political disinformation. An open letter recommends that lawmakers criminalize deepfake child pornography, penalize creators and facilitators of harmful deepfakes, and hold software developers accountable."The whole deepfake supply chain should be held accountable, just as they are for malware and child pornography." - The Open LetterLegal experts and technologists have also previously urged the U.S. Congress to regulate the use of deepfake technologies and provide new protections particularly for women and minority communities against the use of digitally manipulated media. Experts warned that the deceptive content is already affecting national security, personal privacy and public trust.
Polyfill Supply Chain Attack Could Affect 4% of the Web; Shutdowns, DDoS Attacks Among Spillover
Extent of Polyfill Supply Chain Attack Unknown, But Big Names Among Users
Some of the biggest names turning up in a search for cdn(.)polyfill(.)io include Intuit, JSTOR, the World Economic Forum, a Coldwell Banker real estate site, major educational sites like Brandeis University, the technical standards organization ASTM, the Bank of Ireland, Live Nation sites for Spain and the UK, the RAINN anti-sexual violence organization, data management vendor AvePoint, investment company MSCI, industrial network company Moxa, the Environmental Defense Fund, and the Dubai Airports Company. The extent of the Polyfill supply chain attack may be unknown for some time. In February, a Chinese company bought the Polyfill domain and the Github account, and concern about the deal surfaced almost immediately. The Sansec researchers who initially publicly disclosed the threat two days ago noted that since the acquisition, “this domain was caught injecting malware on mobile devices via any site that embeds cdn.polyfill.io. Any complaints were quickly removed from the Github repository.” The researchers said that the polyfill code is dynamically generated based on the HTTP headers, “so multiple attack vectors are likely.” Sansec decoded one particular malware strain that redirects mobile users to a sports betting site using a fake Google analytics domain (googie-anaiytics(.)com). The researchers said they were subsequently hit by a DDoS attack after publishing their initial report. [caption id="attachment_79278" align="alignnone" width="400"] Researchers hit by DDoS attack (source: X)[/caption]Google Started Blocking Ads in Mid-June
It’s not clear how long the threat has been known – it is standard practice for threat researchers to wait to reveal their findings until affected parties have had a chance to fix vulnerabilities – but Google has apparently been rejecting ads that link to the googie-anaiytics domain since at least mid-June. In a letter to advertisers this week (reprinted below), Google cited redirects coming from “a few different third-party web resource providers including Polyfill.io, Bootcss.com, Bootcdn.net, or Staticfile.org” for the rejected ads. [caption id="attachment_79305" align="alignleft" width="260"] Google Ads Polyfill letter[/caption] In addition to those four domains, Sansec researchers added an additional five malicious domains to their original report: staticfile(.)net, unionadjs(.)com, xhsbpza(.)com, union(.)macoms(.)la, and newcrbpc(.)com. That gives website owners a total of nine services and domains to monitor and remove from their sites. The connection between the sites apparently came from a secrets leak on the Polyfill site. Some of the domains have been used for malicious activity since at least June 2023.Mitigations Set Up By Cloudflare, Fastly
To mitigate supply chain risk, Cloudflare released an automatic JavaScript URL rewriting service that will rewrite any link to polyfill(.)io found in a website proxied by Cloudflare to a link to the company’s mirror under cdnjs. Cloudflare also charged that Polyfill was falsely misusing the Cloudflare name and logo on its website. Fastly – which hosted the CDN for free before it was sold – had also set up an alternative service based on the Polyfill open source project. Developer Andrew Betts, who had created the Polyfill service project, said in an X post at the time of the sale in February that "No website today requires any of the polyfills in the polyfill.io library. Most features added to the web platform are quickly adopted by all major browsers, with some exceptions that generally can't be polyfilled anyway, like Web Serial and Web Bluetooth."Polyfill Owner Responds
The Polyfill(.)io owners took to X to respond to the malware charges. “Someone has maliciously defamed us,” said a post to the Polyfill_Global account. “We have no supply chain risks because all content is statically cached. Any involvement of third parties could introduce potential risks to your website, but no one would do this as it would be jeopardize (sic) our own reputation.” [caption id="attachment_79275" align="alignnone" width="400"] Polyfill response (source: X)[/caption] The Cyber Express will continue to update readers as this story evolves. Note: This article was updated on June 28 to report that 9 malicious domains relating to the Polyfill supply chain attack have now been identified.Scammers Spotted Promoting Fake Olympics Cryptocurrency With AI Generated Imagery
Olympics Initial Coin Offerings (ICO) Fraud
Researchers from Trend Micro uncovered a recent scheme that claimed to offer an official "Olympics Games Token" for sale. The Olympic Games Token ICO website, theolympictoken[.]com, was registered on March 30, 2024, and its website went live a day later. The website also links to a legitimate Olympics 2024 logo and a countdown to the event, making it seem like a legitimate project. [caption id="attachment_79264" align="alignnone" width="395"] Source: trendmicro.com[/caption] It linked to a "whitepaper" – a document explaining the project's tech and goals. But that link led nowhere useful. Instead of details, it dumped visitors on the official Olympics website. Red flag number one. A Twitter account and Telegram channel pushed followers to buy tokens ASAP. When the original site got shut down, a near-identical one (olympictokensolana[.]com) popped up under a new name. The researchers spotted at least ten other websites using 2024 Olympics-associated branding to lure victims into ICO scams; some of them were shut down shortly after their discovery.Use of AI-Generated Images Olympics in ICO Scams
[caption id="attachment_79257" align="alignnone" width="1263"] Source: trendmicro.com[/caption] The researchers remarked that AI-generated images are becoming increasingly common in such ICO scams, as they offer a cost-effective and time-efficient way to create convincing lures. Cybercriminals can use AI to generate text, correct spelling and grammatical errors, and even create sentences in languages they do not speak. [caption id="attachment_79256" align="alignnone" width="384"] Source: trendmicro.com[/caption] The researchers spotted at least three other ICO Olympics scam websites employing the usage of AI-generated imagery for promotion.Spotting Fake ICO Campaigns
ICOs have gained significant attention as cryptocurrency continues to be adopted in various industries. While most new tokens lack utility and are simply memecoins, it does not always mean they are scams. Investors should be vigilant and look out for potential scams and rug-pulls. A legitimate ICO should have a proper website and social media presence, a transparent team, an active community, a comprehensive whitepaper, legitimacy of claims, token distribution, smart contract audit, and liquidity management. The researchers have shared the following guidelines to help identify such scams:- Proper website and social media presence: The researchers stated that scam sites are often poorly designed or lack active presence on social media.
- Transparent team: Cross-check the identities and credentials of the teams behind the offering. Anonymity is a red flag.
- Active community: Genuine projects have engaged followers on platforms like Discord, Twitter or Telegram, which suggests genuine interest and support.
- Comprehensive whitepaper: A whitepaper that outlines the project's goals, utility, and technical aspects, which demonstrates a thorough understanding of the project's concept and planning.
- Legitimacy of claims: Claims backed by verifiable evidence, such as partnerships, use cases, and endorsements.
- Token distribution: Avoid projects with highly concentrated token ownership which might increase the chances of exit scams.
- Smart contract audit: Audit by reputable third-parties, which identify vulnerabilities.
- Liquidity management: Liquidity is locked to prevent premature withdrawals and is decentralized among the community, which secures investors' funds.
More than $250M Seized in Global Online Scam Crackdown
“By confiscating such large amounts of money, and disrupting the networks behind them, we not only safeguard our communities but also deal a significant blow to the transnational organized crime groups that pose such a serious threat to global security.” - Director of Interpol’s Financial Crime and Anti-Corruption Centre (IFCACC), Dr Isaac Kehinde Oginni
Global Online Scam Crackdown Impact
The impact of this police operation against global online scam is “more than just numbers – they represent lives protected, crimes prevented, and a healthier global economy worldwide,” Oginni said. Interpol’s Global Rapid Intervention of Payments (I-GRIP) mechanism traced and intercepted the illicit proceeds from online scams across borders in both, fiat currency cash ($135 million) and cryptocurrency ($2 million). An example of this interception was a business email compromise fraud that involved a Spanish citizen who unwittingly transferred $331,000 to Hong Kong, China, the Interpol said. In another case, the Australian authorities successfully recovered AU$ 5.5 million (approximately $3.7 million) for an impersonation scam victim, after the online scammers fraudulently transferred the funds to Malaysia and Hong Kong-based bank accounts. The global nature of online scams was underscored by the operation’s diverse participants. From rescuing 88 young people forced to work in a Namibian scam ring to preventing a tech support scam targeting a senior citizen in Singapore, Operation First Light 2024 showcased the importance of international cooperation. Operations of First Light have been coordinated since 2014 and are designed to fight social engineering and telecom fraud. The operation is funded by China’s Ministry of Public Security and coordinated by Interpol. [caption id="attachment_79238" align="aligncenter" width="1024"] Operation First Light conclusion meeting in Tianjin, China (Source: Interpol)[/caption] In 2022, First Light saw a coordinated effort between law enforcement of 76 countries that resulted in the seizure of $50 million worth of illicit funds that was defrauded from more than 24,000 victims. “The world is grappling with the severe challenges of social engineering fraud, and organized crime groups are operating from Southeast Asia to the Middle East and Africa, with victims on every continent,” Oginni said.“No country is immune to this type of crime, and combating it requires very strong international cooperation.” - Dr Isaac Kehinde Oginni
Investment and Phishing Scams Top Threats to U.S.
According to FBI's Internet Crime report (IC3), Investment scams led to the highest reported losses in the United Stated last year. Totaling $4.57 billion, investment scams saw a 38% increase from 2022. Crypto-investment fraud also rose 53% to $3.94 billion. Scammers mainly targeted individuals aged 30-49 in these scam types. Phishing schemes, on the other hand, were the most reported crime in 2023, with over 298,000 complaints, comprising 34% of all complaints received. In the FBI San Francisco division, there were 364 complaints with nearly $1.5 million in losses. Santa Clara County had the most complaints, while Alameda County had the highest losses at $500,000.Data of 93,000 Volunteers of India’s NDMA Allegedly Put Up for Sale
Exploring Data Leak Claims of NDMA Volunteers
The NDMA was created in 2006. Its primary responsibility is to coordinate response to natural or man-made disasters and for capacity-building in disaster resiliency and crisis response. It is also the apex body for setting policies, plans and guidelines for disaster management to ensure a timely and effective response to disasters. The allegation that NDMA data had been hacked emerged on June 25 on the data leak site BreachForums. The threat actor “infamous” claimed to be in possession of a stolen database, consisting of the Personally Identifiable Information (PII) of NDMA volunteers, including their personal details such as name, title, gender, blood group, date of birth, email, mobile number, ID number, marital status, family contact number, education qualifications, skills, cadre, address, postal code, and the current state of residence. [caption id="attachment_79228" align="alignnone" width="1596"] Source: X[/caption] To substantiate the data breach claim, the threat actor attached sample records, with the latest timestamp of June 2024, while disclosing that the database includes records of 93,000 volunteers. The cyberattacker is asking $1,000 for the entire data set on BreachForums. Despite these claims by the threat actor, a closer inspection reveals that NDMA’s website is currently functioning normally, showing no signs of a security breach. The threat actor has also not provided clarity on the time period when the services of volunteers occurred. The Cyber Express has reached out to NDMA to verify the alleged cyberattack. As of now, no official statements or responses have been received, leaving the claims unverified.NDMA Volunteers Must Stay Vigilant
While authorities investigate the data breach claim, NDMA volunteers must be vigilant and take steps to prevent any malicious activities. Cybercriminals usually employ a range of tactics to misuse personal information, perpetuating identity theft and financial fraud. Some prominent techniques include phishing, where hackers trick individuals into revealing their PII by mimicking legitimate entities through fraudulent emails or phone calls. Individuals are also susceptible to identity theft and fraud, where fraudsters use psychological tactics to divulge sensitive information, such as passwords or credit card details. Since the email addresses have also been allegedly leaked, individuals must be vigilant of suspicious messages requesting sensitive information, as well as any unusual activity involving new or existing accounts.Hackers Target 373 Indian Govt Websites in Five Years: Report
According to data published by the Indian Government, hackers have repeatedly targeted key websites run by the administration. An article in The Hindustan Times, quoting data from the Ministry of Electronics and Information Technology, said that, “As per the information reported to and tracked by CERT-In (Indian Computer Emergency Response Team), a total number of 110, 54, 59, 42, 50 and 58 website hacking incidents of Central Ministries/Departments and State Government organizations were observed during the years 2018, 2019, 2020, 2021, 2022 and 2023 (up to September).” The report added that some government offices were still using outdated Windows versions in their official computers and laptops, making them vulnerable to cyber threats. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.Apple Rolls Out Critical AirPods Firmware Update to Fix Bluetooth Security Flaw
AirPods Firmware Update Fixes Major Bluetooth Vulnerability
Initially, Apple's AirPods firmware update patch notes appeared routine, mentioning "bug fixes and other improvements." However, further details on Apple's security website revealed the update's critical nature, specifically addressing an authentication issue with improved state management related to Bluetooth connections. For affected users, the AirPods firmware update will be applied automatically when AirPods are paired with an iPhone or another compatible device. To verify the update, users can check the firmware version by navigating to Settings > Bluetooth on iOS devices or System Settings > Bluetooth on Macs. This proactive approach highlights the regular updates required by devices regardless of operation systems. By promptly addressing vulnerabilities such as the AirPods vulnerability, Apple aims to create a safer digital environment for its users worldwide.Fixing Several Apple Product Vulnerabilities
Beyond addressing the AirPods vulnerability, the firmware update also includes general bug fixes and performance improvements. This comprehensive approach ensures not only enhanced security but also a smoother user experience across the AirPods ecosystem. Users are encouraged to stay vigilant and keep their devices updated to the latest firmware version. This practice is crucial for safeguarding against potential security risks and maintaining the integrity of personal data. Apple's dedication to security is further demonstrated through its adherence to industry-standard practices, including not disclosing specific security issues until patches or releases are available and thoroughly tested. This approach ensures that users can trust Apple products to protect their privacy and security effectively. For more detailed information about the update and additional security-related matters, users can visit Apple's official security updates page and review the comprehensive product security documentation available.AzzaSec, NoName Cyberattackers Join Hands to Potentially Target Pro-Ukriane Allies
Understanding the AzzaSec Ransomware
On June 26, 2024, NoName formally announced on its social media channels about the alliance. “Today we have formed an alliance with the Italian hacker group AzzaSec, which is one of the TOP 3 coolest hack teams in Italy! We are always open to cooperation with various trance around the world!” the post read. [caption id="attachment_79189" align="alignnone" width="837"] Source: X[/caption] AzzaSec is an infamous actor that infects computers and encrypts files. It later demands a ransom for its decryption. Once a computer is infected, AzzaSec assigns the '.AzzaSec' extension to the filenames. It alters files such as '1.png' to '1.png.AzzaSec' and '2.pdf' to '2.pdf.AzzaSec.' Additionally, it changes the desktop wallpaper and provides a ransom note via a pop-up window like the screenshot below. [caption id="attachment_79190" align="alignnone" width="1828"] Source: X[/caption] The group demands ransom through Bitcoin. AzzaSec’s sophisticated encryption techniques and the secrecy of cryptocurrency transactions make it increasingly difficult for authorities to crackdown and defuse the cybercriminals. AzzaSec recently announced the release of a Windows ransomware builder. The group claimed that their ransomware could bypass major antivirus solutions such as Windows 10 / 11 Defender, Avast, Kaspersky, and AVG. AzzaSec’s emergence into the ransomware scene signals a reminder for organizations and individuals alike to upgrade their cybersecurity measures and remain vigilant against online threats.Inglorious Past of NoName
NoName057(16) , on the other hand, first emerged in March 2022 and is known for its cyber-attacks on Ukrainian, American, and European government agencies, media, and private companies. The group is considered one of the biggest unorganised and free pro-Russian activist group. Renowned for its widespread cyber operations, NoName057(16) has garnered notoriety for developing and distributing custom malware, notably the DDoS attack tool, the successor to the Bobik DDoS botnet. [caption id="attachment_79192" align="alignnone" width="1280"] Source: X[/caption] According to a report by Google-owned Mandiant, NoName057(16), along with other Russian state hackers, pose the biggest cyber threat to elections in regions with Russian interest. “Mandiant is tracking multiple self-proclaimed hacktivist groups primarily conducting DDoS attacks and leaking compromised data in support of Russian interests. These groups claim to have targeted organizations spanning the government, financial services, telecommunications, transportation, and energy sectors in Europe, North America, and Asia; however, target selection and messaging suggests that the activity is primarily focused on the conflict in Ukraine. Relevant groups include KillNet, Anonymous Sudan, NoName057(16), JokerDNR/DPR, Beregini, FRwL_Team (aka "From Russia with Love"), and Moldova Leaks,” Google stated in its threat intelligence report in April. The alliance between AzzaSec and NoName057(16) raises serious concerns about the evolving cyber threat landscape. With a combined skillset for ransomware deployment and large-scale attacks, these groups pose a significant risk to organizations and governments aligned with Ukraine. As the Russo-Ukrainian war rages on, the digital front is likely to see further escalation in cyberattacks. It is crucial for targeted nations and organizations to bolster their cybersecurity defenses, implement robust incident response plans, and collaborate on international efforts to counter these cyber threats. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.Exploring Memory Safety in Critical Open Source Projects: A Guide by CISA and Partners
Understanding Memory Safety Vulnerabilities with The Case for Memory Safe Roadmaps
Memory safety vulnerabilities pose threats to software integrity and security, leading to costly consequences such as frequent patching and incident responses. Recognizing these challenges, CISA advocates for the adoption of memory-safe roadmaps by software manufacturers. These roadmaps are designed to address memory safety concerns, particularly in external dependencies, which often include OSS components. The joint report by CISA, FBI, ACSC, and CCCS analyzed 172 critical OSS projects to assess their vulnerability to memory safety risks. The findings reveal that a substantial proportion of these projects are written in memory-unsafe languages, with 52% of projects containing such code. Even more strikingly, memory-unsafe languages account for 55% of the total lines of code across all projects studied. The report highlights that many of the largest OSS projects, critical to global digital infrastructure, rely heavily on memory-unsafe languages. For instance, among the ten largest projects analyzed, the median proportion of memory-unsafe code is 62.5%, highligheting the pervasive nature of this issue even in prominent software initiatives.Implications and Industry Response
Despite efforts to promote memory-safe programming languages like Rust, the analysis found that projects purportedly written in memory-safe languages often incorporate dependencies that are still coded in memory-unsafe languages. This interdependence highlights the complexity of achieving comprehensive memory safety across complex software ecosystems. In response to these findings, CISA is urging organizations and software manufacturers to take several proactive steps. One key recommendation is to prioritize efforts aimed at mitigating memory safety vulnerabilities in open-source software (OSS). By addressing these vulnerabilities, organizations can bolster the overall security posture of their software environments. Additionally, CISA emphasizes the importance of informed decision-making when it comes to software dependencies. Organizations are encouraged to carefully evaluate and select software based on considerations of memory safety. This strategic approach can help mitigate risks associated with potential vulnerabilities in OSS. Furthermore, CISA calls for collaboration with the OSS community to advance the adoption of memory-safe practices and languages. By working together, industry stakeholders can contribute to the development and implementation of more secure software solutions.Evolve Bank Confirms Data Breach, Customer Information Exposed
Details of the Evolve Bank Data Breach
There were reports that the Russian hacker group LockBit was responsible for the ransomware attack and data breach at Evolve Bank. LockBit had claimed to possess Federal Reserve data and, when their demands were not met, released approximately 33 terabytes of data from Evolve's systems. The group had allegedly touted their cache of Federal Reserve data, which was used to pressure the bank into meeting their demands. In response to the reports surfacing about the Evolve data breach, Evolve Bank & Trust is actively informing affected individuals about the breach. The bank has started reaching out to impacted customers and financial technology partners' customers through emails sent from notifications@getevolved.com. The communication includes detailed instructions on how to enroll in complimentary credit monitoring and identity theft detection services.Steps Taken by Evolve Bank & Trust
The bank is undertaking a comprehensive response to this incident, which includes:- Engagement with Law Enforcement: Evolve has involved appropriate law enforcement authorities to aid in the investigation and response efforts.
- Customer Communication: Direct communication with affected customers and financial technology partners' customers is ongoing to ensure they are informed and can take necessary protective measures.
- Credit Monitoring Services: Impacted individuals are being offered complimentary credit monitoring and identity theft detection services.
- Continuous Monitoring: Evolve is closely monitoring the situation and will provide updates as necessary to keep customers informed.
Recommendations for Affected Customers
Evolve Bank & Trust advises all retail banking customers and financial technology partners' customers to remain vigilant by:- Monitoring Account Activity: Regularly check bank accounts and report any suspicious activity immediately.
- Credit Report Checks: Set up free fraud alerts with nationwide credit bureaus—Equifax, Experian, and TransUnion. Customers can also request and review their free credit report through Freecreditreport.com.
- Reporting Suspicious Activity: Contact the bank immediately if any fraudulent or suspicious activity is detected. Additionally, individuals can file a report with the Federal Trade Commission (FTC) or law enforcement authorities if they suspect identity theft or fraud.
South Korean ISP Accused of Installing Malware on Devices of 600,000 Who Used Torrenting Services
Malware Infiltrated Systems of Torrenting Subscribers
The incident came to light in May 2020 when numerous web hard drives suddenly stopped working. Users flooded company forums with complaints about unexplained errors. An investigation revealed that malware had infiltrated the "Grid Program," software that enables direct data exchange between users. [caption id="attachment_79121" align="alignnone" width="2800"] Source: mnews.jtbc.co.kr[/caption] The malware, which was designed to interfere with BitTorrent traffic, was allegedly used to monitor and control the internet activities of KT subscribers. The police believe that the motive behind this hacking was to reduce network-related costs, as torrent transfers can be costly for internet service providers. KT, however, claims that it was merely trying to manage traffic on its network to ensure a smooth user experience. KT instead stated that the Webhard services were malicious, however after the the Gyeonggi Southern District Office conducted raids on KT facilities, they believe the ISP may have violated communications and network laws. A police follow-up investigation stated that KT operated a dedicated team responsible for developing, distributing, and operating the malware program. The hacking was traced to KT's Bundang IDC Center, one of its data centers. Over five months, an estimated 20,000 PCs were infected daily. The malware reportedly created strange folders, made files invisible, and disabled web hard programs.Legal and Ethical Implications
KT and Webhard companies have a history of conflict, including lawsuits. While a previous court ruled in KT's favor regarding traffic blocking of grid services, the current situation differs significantly. KT was alleged to have planted malicious code on individual users' PCs without consent or explanation. South Korean legal experts question KT's methods, suggesting the company could have pursued formal procedures through its legal team instead of resorting to hacking. The incident raises serious concerns about privacy, corporate responsibility, and the extent to which internet service providers can control network traffic. The scandal has also raised concerns about the security of KT's customers' data, with many wondering what other sensitive information may have been compromised. The company's CEO has since resigned, and the company's reputation has taken a significant hit. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.Polyfill Supply Chain Attack Compromises Over 100,000 Websites
Malicious Polyfill Injection and Its Impact
Researchers stated that the injected malware is dynamically generated based on HTTP headers, making it difficult to detect. The Polyfill injection attack is a classic example of a supply chain attack against a widely used library. [caption id="attachment_79097" align="alignnone" width="2454"] At least 104183 websites might be affected. (Source: publicwww.com)[/caption] The compromised Polyfill code dynamically generates malware based on HTTP headers, potentially utilizing multiple attack vectors. Researchers from Sansec decoded one variant that redirects mobile users to a sports betting site using a fake Google Analytics domain. The malware employs sophisticated techniques and defenses against reverse engineering to evade detection, including:- Activating only on specific mobile devices at certain hours
- Avoiding execution when an admin user is detected
- Delaying activation when web analytics services are present
Mitigation and Recommendations
Andrew Betts, the original Polyfill author, took to X to advise against the usage of Polyfill altogether, stating that modern browsers no longer require it. He added that he had no influence over the sale of the project and was never in possession of the new domain, and cautioned that websites that serve third-party scripts are a huge security concern. [caption id="attachment_79101" align="alignnone" width="623"] Source: X.com(@triblondon)[/caption] [caption id="attachment_79102" align="alignnone" width="634"] Source: X.com(@triblondon)[/caption] Experts have set up a domain (polykill.io) to warn against the compromise of the project and have recommend the following steps for website owners:- Immediately and remove usage of cdn.polyfill.io from websites and projects.
- Replace with a secure alternative such as those being offered by Fastly and CloudFlare. Fastly has saved and hosted an earlier version(https://polyfill-fastly.io/) of the project's codebase before its sale to Funnull.
"There are many risks associated with allowing an unknown foreign entity to manage and serve JavaScript within your web application. They can quietly observe user traffic, and if malicious intent were taken, they can potentially steal usernames, passwords and credit card information directly as users enter the information in the web browser."CloudFlare had also published its findings and recommendations in response to concerns over the compromise of domains. The company stated in a blog article:
The concerns are that any website embedding a link to the original polyfill.io domain, will now be relying on Funnull to maintain and secure the underlying project to avoid the risk of a supply chain attack. Such an attack would occur if the underlying third party is compromised or alters the code being served to end users in nefarious ways, causing, by consequence, all websites using the tool to be compromised."This incident serves as a stark reminder of the security implications of relying on external code libraries/third-party scripts and the importance of vigilance in maintaining website integrity, plus the potential malicious takeover of massively deployed projects. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
Microsoft Engineer Accidentally Leaked 4GB of PlayReady DRM Internal Code Used To Protect Streaming Services
PlayReady DRM Internal Code Leak
In early June, a Microsoft engineer had published information about an Apple TV service crash on a Surface Pro 9 device in a public forum. The shared data included a 771MB file attachment that revealed 4GB of internal code related to Microsoft PlayReady upon extraction. [caption id="attachment_79066" align="alignnone" width="1920"] Original Post Before Deletion (Source: security-explorations.com)[/caption] The leaked PlayReady data is said to include: 1. WarBird configurations for creating the PlayReady library 2. WarBird libraries for code obfuscation functions 3. Libraries with symbolic information related to PlayReady [caption id="attachment_79063" align="alignnone" width="1428"] Partial Directory View of Leaked Data (Source: security-explorations.com)[/caption]HD Keys Could Be Decrypted
Researchers from cybersecurity company AG Security Research Lab managed to successfully build the required Windows PlayReady DLL library from the leaked internal code, aided by step-by-step instructions provided by another user on the same forum. Their investigation uncovered several deficiencies in Protected Media Path (PMP) components of PlayReady, which could be exploited to access plaintext content keys secured by the system on Windows 10 and 11 systems. The researchers demonstrated that these extracted keys could successfully decrypt high-definition movies protected by PlayReady. Notably, the vulnerability persists even on systems with hardware DRM capabilities, as this feature can be easily disabled. The root cause appears to lie in the software DRM implementation used by default on Windows 10 systems without hardware DRM capability. Given that Windows 10 still holds a 69% market share worldwide, this vulnerability could potentially affect a significant number of users until the operating system's retirement in October 2025. The team also demonstrated that the technique used to extract plaintext values of content keys could work for other platforms relying on SW Microsoft PlayReady technology in a Windows OS environment.Implications and Microsoft's Response
The researchers had notified Microsoft about the leak on June 12, 2024. While Microsoft removed the forum post within 12 hours, the download link reportedly remained active. On June 26, MSRC stated to the researchers that it had conducted an investigation and determined that the incident was not a vulnerability to service as the post had already been taken down. The researchers confirmed that the download link no longer remains active. The incident highlights the ongoing challenges in maintaining the security and secrecy of DRM implementations. It also underscores the importance of adhering to guidelines for handling sensitive information in public forums, as the leak violated Microsoft's own guidelines for posting link reproduction information publicly. These guidelines specify:- All information in reports and any comments and replies are publicly visible by default.
- Don't put anything you want to keep private in the title or content of the initial report, which is public.
- To maintain your privacy and keep your sensitive information out of public view, exercise caution.
Major Streaming Services Potentially Affected
The same research team had earlier tested Microsoft's Protected Media Path and had discovered several streaming platforms were affected by vulnerabilities within the environment: Canal+ Online, Netflix, HBO Max, Amazon Prime Video, Sky Showtime, and others. DRM protection is crucial to the video streaming industry, which is valued at $544 billion, making this security breach a matter of serious concern. Microsoft reportedly demonstrated interest in a full disclosure of the stated vulnerabilities and technical details along with Proof of Concept over its MSRC channel, offering potential rewards for the disclosure. However, the researchers declined, as they felt a full disclosure would have to include a commercial agreement, would jeopardize their own confidential technology and tools along with future research on the Windows operating system. The researchers also believed that Microsoft should focus on conducting a more comprehensive review of its Protected Media Path environment, which could result in the discovery and fixing of additional issues rather than focusing on a single exploit. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.Russian Man Indicted for Cyberattacks Targeting Ukraine with WhisperGate Malware Ahead of 2022 Invasion
A U.S. grand jury has indicted a Russian citizen, Amin Timovich Stigal, for allegedly conspiring with Russia's military intelligence agency (GRU) to launch cyberattacks crippling Ukrainian government systems and data ahead of Russia's full-scale invasion in February 2022.
The indictment, unsealed yesterday in Maryland, sheds light on a coordinated effort to disrupt critical Ukrainian infrastructure and sow panic among the population.
“As alleged, the defendant conspired with Russian military intelligence on the eve of Russia’s unjust and unprovoked invasion of Ukraine to launch cyberattacks targeting the Ukrainian government and later targeting its allies, including the United States.” - Attorney General Merrick B. Garland
Attacker Aimed for 'Complete Destruction' in Cyberattacks Targeting Ukraine
Stigal, 22, who remains at large, was charged for his alleged role in using a deceptive malware strain called "WhisperGate" to infiltrate dozens of Ukrainian government networks, including ministries, state services, and critical infrastructure entities. Disguised as ransomware, WhisperGate reportedly went beyond data encryption, aiming for complete destruction of targeted systems and data.
The attacks coincided with the defacement of Ukrainian websites displaying threatening messages designed to intimidate the public. Sensitive data, including patient health records, was exfiltrated and offered for sale online, further amplifying the chaos.
U.S. Critical Infrastructure Targeted Too
But the malicious campaign wasn't limited to cyberattacks targeting Ukraine. The indictment broadens the scope beyond Ukraine, revealing attempts to probe U.S. government networks in Maryland using similar tactics.
“These GRU actors are known to have targeted U.S. critical infrastructure. During these malicious cyber activities, GRU actors launched efforts to scan for vulnerabilities, map networks, and identify potential website vulnerabilities in U.S.-based critical infrastructure – particularly the energy, government, and aerospace sectors.” - Rewards for Justice
The scope of the malicious campaign highlights the potential wide-ranging objectives of the GRU cyber campaign and the ongoing threat posed by nation-state actors.
Reward Offered for Info Leading to Capture
The Justice Department emphasized its commitment to holding accountable those responsible for Russia's malicious cyber activity. The indictment carries a maximum sentence of five years, but international cooperation remains crucial to apprehend Stigal.
The U.S. Department of State's Rewards for Justice program is offering a significant reward – up to $10 million – for information leading to Stigal's capture or the disruption of his cyber operations. This substantial reward underscores the seriousness of the charges and the international effort to dismantle Russia's cyber warfare apparatus.
This case serves as a stark reminder of the evolving cyber threat landscape. The destructive capabilities of malware like WhisperGate, coupled with the targeting of critical infrastructure necessitates vigilance and collaboration between governments and security professionals to defend against nation-state cyberattacks.
“Malicious cyber actors who attack our allies should know that we will pursue them to the full extent of the law,” said Erek L. Barron, U.S. Attorney for the District of Maryland. “Cyber intrusion schemes such as the one alleged threaten our national security, and we will use all the technologies and investigative measures at our disposal to disrupt and track down these cybercriminals.”
Who is Amin Stigal?
The U.S. linked 22-year-old Amin Stigal to the Russian GRU and labelled him for his involvement in the WhisperGate malware operations. But who is Amin Stigal and what is the extent of his involvement? [caption id="attachment_79079" align="aligncenter" width="947"] Source: Rewards for Justice[/caption] The U.S. authorities, along with the $10 million bounty, released scarce but very important details on Stigal's cyber trail - his aliases or the threat group names with whom he is affiliated. The Cyber Express did an open-source intelligence (OSINT) study on these aliases and found the following details on Amin Stigal's cyber activities:DEV-0586/Cadet Blizzard
Microsoft first tracked this threat actor as DEV-0586 and observed its destructive malware targeting Ukrainian organizations in January 2022. The tech giant later in April 2023 shifted to a new threat actor-naming taxonomy and thus named the TA "Cadet Blizzard." Cadet Blizzard has been operational since at least 2020 and has initiated a wave of destructive wiper attacks against Ukraine in the lead up to Russia's February 2022 invasion of Ukraine. Specifically, it created and developed WhisperGate, a wiper that deletes the master boot record, Microsoft said.EMBER BEAR
Crowd Strike tracked this threat actor as EMBER BEAR (aka Lorec Bear, Bleeding Bear, Saint Bear) and linked it to an adversary group that has operated against government and military organizations in eastern Europe since early 2021. The likely motive of this TA is to collect intelligence from target networks, the cybersecurity firm said. EMBER BEAR primarily weaponized the access and data obtained during their intrusions to support information operations (IO), according to CrowdStrike. Their aim in employing this tactic was to create public mistrust in targeted institutions and degrade respective government's ability to counter Russian cyber operations.UAC-0056
The Computer Emergency Response Team of Ukraine tracked this Russian-linked threat actor/group as UAC-0056 and observed its malicious campaigns targeting Ukraine through phishing campaigns in July 2022. In the discovered attack, threat actors sought to disrupt the integrity and availability of government websites by exploiting several backdoors and deploying Cobalt Strike Beacon malware. The threat actors communicated with the web shell using IP addresses, including those belonging to neighboring devices of other hacked organizations due to their previous account abuse and additional VPN connection to the corresponding organizations. The hackers also applied other malware samples in this campaign including the GOST (Go Simple Tunnel) and Ngrok utilities, to deploy the HoaxPen backdoor.What is WhisperGate Malware?
WhisperGate is a destructive malware that is seemingly designed like a ransomware, but it is not. Unlike ransomware, which encrypts data and demands a ransom for decryption, WhisperGate aimed to completely destroy data, rendering the infected systems inoperable. It first targeted Ukrainian organizations in January 2022 and ever since continues to remain on the list of top malware variants used to target Kyiv.
Key Points on WhisperGate:
- Multi-stage Attack: It operated in stages, with the first stage overwriting the Master Boot Record (MBR) to prevent the system from booting normally and displaying a fake ransom note.
- Data Wiping: The MBR overwrite made data recovery nearly impossible.
- Motive: Experts believe the goal was data destruction, not financial gain, due to the lack of a real decryption method.
- Deployment: The malware resided in common directories like C:\PerfLogs and used a publicly available tool called Impacket to spread laterally within networks.
California Privacy Watchdog Inks Deal with French Counterpart to Strengthen Data Privacy Protections
What the CPPA-CNIL Data Privacy Protections Deal Means
The CPPA on Tuesday outlined the goals of the partnership, stating, “This declaration establishes a general framework of cooperation to facilitate joint internal research and education related to new technologies and data protection issues, share best practices, and convene periodic meetings.” The strengthened framework is designed to enable both agencies to stay ahead of emerging threats and innovations in data privacy. Michael Macko, the deputy director of enforcement at the CPPA, said there were practical benefits of this collaboration. “Privacy rights are a commercial reality in our global economy,” Macko said. “We’re going to learn as much as we can from each other to advance our enforcement priorities.” This mutual learning approach aims to enhance the enforcement capabilities of both agencies, ensuring they can better protect consumers’ data in an ever-evolving digital landscape.CPPA’s Collaborative Approach
The partnership with CNIL is not the CPPA’s first foray into international cooperation. The California agency also collaborates with three other major international organizations: the Asia Pacific Privacy Authorities (APPA), the Global Privacy Assembly, and the Global Privacy Enforcement Network (GPEN). These collaborations help create a robust network of privacy regulators working together to uphold high standards of data protection worldwide. The CPPA was established following the implementation of California's groundbreaking consumer privacy law, the California Consumer Privacy Act (CCPA). As the first comprehensive consumer privacy law in the United States, the CCPA set a precedent for other states and countries looking to enhance their data protection frameworks. The CPPA’s role as an independent data protection authority mirror that of the CNIL - France’s first independent data protection agency – which highlights the pioneering efforts of both regions in the field of data privacy. By combining their resources and expertise, the CPPA and CNIL aim to tackle a range of data privacy issues, from the implications of new technologies to the enforcement of data protection laws. This partnership is expected to lead to the development of innovative solutions and best practices that can be shared with other regulatory bodies around the world. As more organizations and governments recognize the importance of safeguarding personal data, the need for robust and cooperative frameworks becomes increasingly clear. The CPPA-CNIL partnership serves as a model for other regions looking to strengthen their data privacy measures through international collaboration.Credit Suisse Data Breach Allegedly Exposes Info of 19,000 Indian Employees
Credit Suisse Data Breach Details
Credit Suisse was founded in 1856 and has approximately $15.21 Billion in revenue. It is one of the leading institutions in private banking and asset management, with strong expertise in investment banking. On June 25, 2024, the threat actor claimed to have carried out a cyberattack on the bank and exfiltrated details on 19,000 of its users. [caption id="attachment_79024" align="alignnone" width="1622"] Source: X[/caption] The breached data purportedly includes names of employees, 6,623 unique email addresses, their codes, date of birth, gender, policy name, relationships, dates of joining, effective dates, statuses, and entities. To substantiate the claim, the threat actor 888 provided a sample of the data breach, which contains details of Credit Suisse employees in India. [caption id="attachment_79025" align="alignnone" width="1362"] Source: X[/caption] The TA, however, did not provide a specific price for the sale of data and has requested potential buyers to quote a figure. The hacker commented that they are only accepting cryptocurrency as the mode of payment. More specifically, the hacker was open to payment on Monero (XMR), a digital currency renowned for its privacy and anonymity attributes. This method of payment is often utilized in illegal transactions to evade detection. Despite these claims by the threat actor, a closer inspection reveals that the bank’s website is currently functioning normally, showing no signs of a security breach. The Cyber Express has reached out to the bank to verify the alleged cyberattack. As of now, no official statements or responses have been received, leaving the claims unverified.Not the First Credit Suisse Data Breach
This is not the first time that Credit Suisse has been involved in a security breach. According to a report published in The Economic Times, in 2023, the bank warned its staff that a former employee stole personal data of its employees, including salaries and bonuses. The information included salary and "variable compensation" for a period between 2013 and 2015. Another Bloomberg report said that a data breach in 2023 impacted numerous former Credit Suisse clients who collectively held a staggering $100 billion in accounts.Credit Suisse Hacker Targeted Big Multinationals Recently
There are many concerns over the potential misuse of sensitive information found in the data breach, which includes customer names, dates of birth, and relationships. Credit Suisse should investigate the data breach claims considering the history of the threat actor. Earlier this month, the TA 888 claimed to have stolen data of over 32,000 current and former employees of Accenture. The company, however, denied the claims and said that the data set published by the hacker had only three employee names and email addresses. The hacker also claimed responsibility for leaking details about 8,174 employees of Heineken across several countries. Prior to this, 888 also staked claims for an attack on oil and gas multinational Shell. The TA posted sample information sharing personal details of Australian customers. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.BianLian Ransomware Targets Better Business Bureau, US Dermatology Partners
BianLian Ransomware Attack: Critical Details
The first organization targeted by hackers was Better Business Bureau (BBB), which is a private, nonprofit organization founded in 1912 in Arlington, Virginia. The firm maintains a massive database of accredited and non-accredited businesses, providing ratings based on several factors. The Better Business Bureau has a revenue of $430.6 Million. [caption id="attachment_79001" align="alignnone" width="1259"] Source: X[/caption] The threat actor claims to have accessed 1.2 TB of organization data, including accounting, budget, and financial data; contract data and NDAs; files from the CFO's computer; operational and business files; and email and PST archives. The group has also disclosed sensitive information such as the names, personal email addresses, and phone numbers of BBB’s CEO, vice president, chief accreditation officer, and chief activation officer. The other organization that has allegedly fallen victim to the ransomware group is US Dermatology Partners. The organization, with a revenue of $213.7 Million, is one of the premier dermatology practitioners in the USA, caring for over two million patients annually. [caption id="attachment_79002" align="alignnone" width="1259"] Source: X[/caption] The hackers claimed to have accessed 300 GB of organization data, including personal data, accounting and budget information, financial data, contract data and NDAs, and employee profiles.Potential Impact of BianLian Ransomware Attack
If proven, the potential consequences of this ransomware attack could be critical as the accounting and financial details of both these firms could be leaked. The organizations should take appropriate measures to protect the privacy and security of the stakeholders involved. Financial data breaches can lead to identity theft, financial fraud, and a loss of trust among clients, potentially jeopardizing the company’s standing in the industry. Currently, details regarding the extent of the BianLian ransomware attack, data compromise, and the motive behind the cyber assault remain undisclosed. Despite the claims made by BianLian, the official websites of the targeted companies remain fully functional. This discrepancy has raised doubts about the authenticity of the BianLian group’s assertion. To ascertain the veracity of the claims, The Cyber Express has reached out to the officials of the affected organizations. As of the writing of this news report, no response has been received, leaving the ransomware attack claim unverified.History of BianLian Ransomware Group Attacks
BianLian, a ransomware group, has been targeting critical infrastructure sectors in the U.S. and Australia since June 2022. They exploit RDP credentials, use open-source tools for discovery, and extort data via FTP or Rclone. FBI, CISA, and ACSC advise implementing mitigation strategies to prevent ransomware attacks. Initially employing a double-extortion model, they shifted to exfiltration-based extortion by 2023. According to a report by BlackBerry, BianLian ransomware showcases exceptional encryption speed and is coded in the Go programming language (Golang). This sophisticated approach has enabled the group to strike multiple organizations, leaving a trail of unverified claims in its wake. Earlier in 2024, the group targeted companies such as North Star Tax and Accounting, KC Pharmaceuticals, Martinaire. In its attack on MOOver, the group claimed to have accessed a staggering 1.1 terabytes of the firm’s data. Subsequently, Northeast Spine and Sports Medicine also found themselves on the list of victims. All these claims, similar to the recent attack, remain unverified. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.BSNL Data Breached Yet Again? Millions of Users Face Risk of SIM Card Cloning, Financial Fraud
Exploring Claims of BSNL Data Breach
The BSNL data leak was first disclosed by an Indian firm, Athenian Tech, in its threat intelligence report. According to the report, a threat actor, operating under the alias “kiberphant0m”, leaked a significant amount of sensitive data affecting millions of users. The threat actor posted this information on the data hack site BreachForums and shared samples of the breach to legitimize the claim. Overall, around 278GB of sensitive information could be compromised. The hacker also posted details of call log samples which leaked sensitive information like mobile numbers of users, the date and duration of calls, and the amount charged for the call in Indian Rupees. The call log samples were being leaked in two sets: one for the month of May 2024 and another from 2020. This indicates that the data breach was a recent attack raising questions over the security checks in place at BSNL. The threat actor was selling the alleged stolen data for $5,000. The steep price tag could indicate the significant value of the stolen data which is sensitive. The Cyber Express has yet to verify the authenticity of the recent BSNL data breach and has contacted the organization for an official response. This article will be updated based on their response.Potential Implications of BSNL Data Breach
- SIM Cloning and Identity Theft: Cloning a SIM involves creating a duplicate card that has the same IMSI and authentication keys, thus making it easy for the attackers to intercept messages/ calls, gain access to people’s bank accounts, and embezzle their finances.
- Privacy Violations: Identity theft means that one can gain unauthorized access to the individuals’ communication and breaches.
- Financial and Identity Theft: Illegal operations can defeat protective procedures in the financial portfolios, which entail substantial monetary losses and cases of identity theft.
- Targeted Attacks and Scams: The user could be exposed to major security risks and could be vulnerable to phishing schemes and other social engineering attacks, exploiting their trust in BSNL.
Second BSNL Data Breach in Less Than Six Months
If the data theft claims are proven, it would be the second instance of a cyberattack on BSNL in less than six months. In December 2023, a threat actor known as “Perell” claimed access to critical information about fiber and landline users of BSNL. The dataset contained about 32,000 lines of data allegedly impacting over 2.9 million users. However, BSNL did not validate the claims back then. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.Don’t Fall for Fake Recovery: FBI Warns of Cryptocurrency Scam
Cryptocurrency Scam: Emerging Criminal Tactic
The FBI's announcement aims to inform the public about a new criminal tactic designed to exploit cryptocurrency scam victims further. Using social media and other messaging platforms, fraudsters posing as lawyers from fictitious law firms are contacting scam victims and offering their services. These "lawyers" claim they have the authority to investigate fund recovery cases and often assert that they are working with, or have received information from, the FBI, Consumer Financial Protection Bureau (CFPB), or other government agencies to validate their legitimacy. In some instances, victims have reached out to these scammers through fake websites that appear legitimate, hoping to recover their lost funds. The scammers use various methods to further the recovery scam, including:- Verification Requests: They ask victims to verify their identities by providing personal identifying information or banking details.
- Judgment Amount Requests: They request that victims provide a judgment amount they are seeking from the initial fraudster.
- Upfront Fees: They demand a portion of the fees upfront, with the balance due upon recovery of the funds.
- Additional Payments: They direct victims to make payments for back taxes and other fees purportedly necessary to recover their funds.
- Credibility Building: They reference actual financial institutions and money exchanges to build credibility and further their schemes.
Tips to Protect Yourself
The FBI offers several tips to help individuals protect themselves from falling victim to these scams:- Be Wary of Advertisements: Be cautious of advertisements for cryptocurrency recovery services. Research the advertised company thoroughly and be suspicious if the company uses vague language, has a minimal online presence, and makes unrealistic promises about its ability to recover funds.
- Do Not Release Information: If an unknown individual contacts you claiming to be able to recover stolen cryptocurrency, do not release any financial or personal identifying information, and do not send money.
- No Fees from Law Enforcement: Remember that law enforcement does not charge victims a fee for investigating crimes. If someone claims an affiliation with the FBI, contact your local FBI field office to confirm their legitimacy.
Victim Reporting
The FBI urges victims to file a report with the Internet Crime Complaint Center. When filing a report, try to include the following information:- Contact Information: Details about how the individual initially contacted you and how they identified themselves, including name, phone number, address, email address, and username.
- Financial Transaction Information: Details such as the date, type of payment, amount, account numbers involved (including cryptocurrency addresses), name and address of the receiving financial institution, and receiving cryptocurrency addresses.
Cyble Recognized in Attack Surface Management Solutions Landscape Report
Key Capabilities of Cyble Vision X include:
- Attack Surface Management: Ensures digital security by identifying and mitigating threats.
- Brand Intelligence: Comprehensive protection against online brand abuse, including brand impersonation, phishing, and fraudulent domains.
- Cyber Threat Intelligence: Helps organizations gain insights and enhance their defense with AI-driven analysis and continuous threat monitoring.
- Dark Web and Cyber Crime Monitoring: Helps organizations stay vigilant and ahead of cybercriminals
- Third-Party Risk Management (TPRM): Helps organizations identify, assess, and mitigate risks that may arise from a business's interactions with third parties.
Cyber Attack Forces South Africa’s National Health Laboratory Service To Shut Down Systems
Impact on South Africa's National Health Laboratory Service
NHLS Chief Executive Officer Prof Koleka Mlisana informed staff of the incident in a memo, stating that the breach had caused damage and that the organization was treating the matter with extreme urgency and concern. Milsana stated, “I regret to inform you that our IT systems are unavailable due to a suspected incident that occurred over the weekend.” Mlisana assured staff that the organization's Incident Response Team was working around the clock to determine the scope of the intrusion and deploy the necessary safeguards to secure systems and data. The NHLS has implemented its "Downtime Protocol" to minimize disruption to services, prioritizing patients' samples and processing, with results communicated directly to clinicians whenever urgent. The cyber attack comes at a critical time for South Africa's healthcare system. The country is currently grappling with a Mpox outbreak, and the NHLS was already facing a significant backlog in toxicology tests as of March. The shutdown of IT systems is likely to exacerbate these challenges. Mzi Gcukumana, the NHLS Communication, Marketing, and PR officer, disclosed: “Preliminary investigation suggests that our Enterprise Resource Planning (Oracle) environment, Laboratory Information System (LIS) (TrakCare) database, and CDW are not affected. Therefore, no patient data has been lost or compromised. All patient data is safe."Response and Recovery Efforts
“Please rest assured that our priority focus is on data security. We are determined to solve this issue swiftly and transparently,” Milsana stated to patients. In response to the breach, the NHLS has deployed its Incident Response Team to assess the scope of the intrusion and implement necessary safeguards. Mlisana assured staff that the team is working around the clock to secure systems and data. “I want to take this opportunity to thank you in advance as we all put in our efforts to ensure that disruption to our services is minimised,” Milsana added. The NHLS had determined that that certain sections of its systems, including its backup server were deleted, requiring the rebuilding of affected systems. Gcukumana stated, “All users will be aware that the NHLS networked laboratory system is heavily reliant on these information technology systems that have been disrupted.” He added, “Unfortunately, this will take time, and investigations thus far have not advanced enough for us to give a timeframe for the restoration of our systems and full service. All stakeholders and the public will be informed as soon as more information becomes available.” The National Department of Health, which oversees the NHLS, has been informed of the incident. A spokesperson for the department called for patience as efforts to resolve the issue continue. As the investigation unfolds, the NHLS has promised regular updates on the compromise and ongoing response activities. The organization emphasizes its commitment to data security and swift, transparent resolution of the issue. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.Russian Hackers Target Ukraine with XWorm RAT Malware Payload
Technical Overview of XWorm RAT Campaign
The campaign begins with a malicious LNK shortcut file, disguised as a legitimate Excel document, which executes a PowerShell script upon execution. The script downloads two files, "pkg.zip" and "NewCopy.xlsx", from a specified URL. The LNK shortcut file then executes "pythonw.exe" using the start command, which duplicates files and stores them in a new folder. The "pythonw.exe" loads a malicious DLL, "python310.dll", through DLL sideloading, injecting shellcode into the MSBuild process. [caption id="attachment_78917" align="alignnone" width="1529"] Source: Cyble[/caption] The hackers use a technique called DLL sideloading, where a malicious library file masquerades as a legitimate one. This allows the attackers to run their code under the guise of trusted software. Additionally, they employ a tool called Shadowloader to inject the XWorm RAT into a running process, further obscuring its presence. The XWorm RAT is then executed, offering a range of capabilities, including data theft, DDoS attacks, and cryptocurrency address manipulation. The malware attempts to connect to a Command-and-Control (C&C) server, but at the time of analysis, the server was inactive, resulting in no observed malicious activities. [caption id="attachment_78919" align="alignnone" width="537"] Source: Cyble[/caption] While the initial infection vector remains unclear, researchers suspect phishing emails may play a role. The intended victim could not be ascertained from accessing the the Excel lure used in the campaign. CRIL researchers had previously observed the UAC-0184 threat actor group employing lures tailored to appeal to Ukrainian targets, often mimicking official government or utility communications.Protecting Against XWorm RAT
The XWorm RAT malware employed in the campaign is designed to be easily accessible even to to threat actors lacking sophistication and technical expertise. The versatile malware offers several functionalities, including data theft, DDoS attacks, cryptocurrency address manipulation, ransomware deployment, and downloading additional malware onto compromised systems. Cyble researchers have recommended several measures to defend against this campaign:- Implement strong email filtering to block malicious attachments.
- Exercise caution with email attachments, especially from unknown senders.
- Limit execution of scripting languages where possible.
- Use application whitelisting to control which programs can run.
- Deploy robust antivirus and anti-malware solutions.
- Enforce strong, unique passwords and two-factor authentication.
- Monitor networks for unusual activity or data exfiltration attempts.
GrimResource: New Microsoft Management Console Attack Found in Wild
GrimResource Attack Uses Old XSS Flaw
GrimResource is a “a novel, in-the-wild code execution technique leveraging specially crafted MSC files,” the researchers wrote. “GrimResource allows attackers to execute arbitrary code in Microsoft Management Console (mmc.exe) with minimal security warnings, ideal for gaining initial access and evading defenses.” The key to the attack technique is an old XSS flaw present in the apds.dll library. “By adding a reference to the vulnerable APDS resource in the appropriate StringTable section of a crafted MSC file, attackers can execute arbitrary javascript in the context of mmc.exe,” they said. Attackers can combine the technique with DotNetToJScript to gain arbitrary code execution. The sample begins with a TransformNode obfuscation technique, which was recently reported by open source tool developer Philippe Lagadec in unrelated macro samples. The obfuscation technique helps evade ActiveX security warnings and leads to an obfuscated embedded VBScript, which sets the target payload in a series of environment variables before leveraging the DotNetToJs technique to execute an embedded .NET loader. The researchers named that component PASTALOADER. PASTALOADER retrieves the payload from environment variables set by the VBScript and “spawns a new instance of dllhost.exe and injects the payload into it. This is done in a deliberately stealthy manner using the DirtyCLR technique, function unhooking, and indirect syscalls. In this sample, the final payload is Cobalt Strike.” Using the DotNetToJScript technique triggers another detection looking for RWX memory allocation from .NET on behalf of a Windows Script Host (WSH) script engine. The researchers created a rule in Elastic’s Event Query Language (EQL) to detect execution via the .NET loader.GrimResource Detection Rules Provided
Those detections can be bypassed with stealthier methods, the researchers noted: Using apds.dll to execute Jscript via XSS, which can create detectable artifacts in the mmc.exe Procmon output as a CreateFile operation (apds.dll is not loaded as a library), and the creation of a temporary HTML file in the INetCache folder, named redirect[*] as a result of the APDS XSS redirection. In addition to EQL rules, the researchers also provided a YARA detection rule: [caption id="attachment_78894" align="alignnone" width="500"] GrimResource YARA detection rule (source: Elastic Security Labs)[/caption] “Defenders should leverage our detection guidance to protect themselves and their customers from this technique before it proliferates into commodity threat groups,” the researchers warned.CISA: Hackers Breached Chemical Facilities’ Data in January
Potential Data Compromised in Chemical Facilities' Targeting
CISA's investigation found no direct evidence of data exfiltration but indicated that the hackers might have accessed critical information such as site security plans, security vulnerability assessments (SVAs), and user accounts within CSAT. Additionally, "Top-Screen surveys," which detail the types and quantities of chemicals, their properties, and storage methods at facilities, might have been exposed. High-risk chemical facilities are mandated to submit SVAs outlining their critical assets, cyber and physical security policies, and an analysis of potential vulnerabilities. Other compromised documents could include details on cybersecurity measures, alarms and physical barriers in place at these facilities.CISA's Response and Recommendations
CISA has informed participants in the Chemical Facility Anti-Terrorism Standards (CFATS) program about the potential data exposure. Although no credentials were confirmed to be stolen, CISA advises those with CSAT accounts reset any identical business or personal passwords. They also recommend organizations using Ivanti products review a February advisory about recent vulnerabilities. The agency cannot directly notify individuals submitted for terrorist vetting under the CFATS Personnel Surety Program because it did not collect their contact information. However, identity protection services will be offered to those affected, specifically those vetted between December 2015 and July 2023.Investigation Findings
The breach was detected on January 26, when CISA discovered hackers installing tools on an Ivanti device. Further investigation revealed multiple accesses to the system over two days. Various departments within CISA and the Department of Homeland Security (DHS) were involved in the investigation, which confirmed no hacker access beyond the initial Ivanti device. Despite the absence of evidence for data exfiltration, the potential risk to numerous individuals and organizations categorized this intrusion as a "major incident" under the Federal Information Security Modernization Act (FISMA). CISA is setting up a call center to assist impacted individuals, although it is not yet operational. The agency did not comment on the perpetrators of the attack, but since 2020, CISA has cautioned organizations about state-sponsored hackers, including those linked to China, exploiting vulnerabilities in Ivanti products.Experts Say More Transparency Required
Roger Grimes, a data-driven defense evangelist at KnowBe4, lauded CISA's intent and the fact that it publicly accepted the hack but said a bit more transparency would have done no harm.
"I'm a big fan of CISA. I think they do wonderful work. Still, it would be useful to have better, full transparency," Grimes told The Cyber Express. "Was their Ivanti device exploited by an unpatched, but known vulnerability, or exploited by a 0-day? If they were exploited by a known vulnerability where a patch was available, which is more likely, why wasn't the patch installed? Was it simply due to the fact that the exploit happened faster than the patch could be applied? Was the patch missed? If the patch was missed, why? Or was it a 0-day, misconfiguration, or credential compromise?"
"This is not to embarrass CISA, but to learn why one of the best, most aggressive patch-pushing, cyber-defending organizations in the world got compromised," Grimes added. "Sharing what happened and why can help other organizations facing similar problems and challenges learn lessons.
"CISA is always pushing for other industries and vendors to be more transparent about their compromises so that we can all learn from the lessons and mistakes. I expect CISA to do the same and even lead by example when it's their infrastructure involved."
EU Issues New Sanctions Against Russia-Linked Threat Actors
Russian Military Intelligence and FSB Operative Sanctions
The sanctions will take effect following publication in the Official Journal of the European Union. The council document justified the new sanctions as measures in response to the ongoing war between Russia and Ukraine and its resulting cyber activities:The use of cyber operations that have enabled and accompanied Russia’s unprovoked and unjustified war of aggression against Ukraine affects global stability and security, represents an important risk of escalation, and adds to the already significant increase of malicious cyber activities outside the context of armed conflict over recent years. The growing cybersecurity risks and an overall complex cyber threat landscape, with a clear risk of rapid spill-over of cyber incidents from one Member State to others, and from third countries to the Union, further call for restrictive measures under Decision (CFSP) 2019/797.Among those sanctioned are Ruslan Aleksandrovich Peretyatko and Andrey Stanislavovich Korinets, both identified as members of the "Callisto group" linked to Russian military intelligence. The group, also known as "Seaborgium" or "Star Blizzard," is accused of conducting multi-year phishing campaigns to steal credentials and data, targeting individuals and critical state functions in defense and foreign relations. Two Ukrainian nationals, Oleksandr Sklianko and Mykola Chernykh, were sanctioned for their involvement in the "Armageddon" hacker group, allegedly supported by Russia's Federal Security Service (FSB). The group was found carrying out cyberattacks against the Ukrainian government and EU member states using phishing emails and malware campaigns.
Wizard Spider Threat Group Members Sanctioned
The EU also targeted two key players in the Russia-based threat group Wizard Spider: Mikhail Mikhailovich Tsarev and Maksim Sergeevich Galochkin. Both are implicated in deploying the "Conti" and "Trickbot" malware programs, which have caused substantial economic damage in the EU through ransomware campaigns targeting essential services such as healthcare, banking and defense. The EU Council has emphasized the need to protect these vital sectors from cyber threats, which can have devastating consequences for individuals, businesses, and societies as a whole. The Council said the sanctions imposed on these six individuals are a clear message that the EU will not tolerate malicious cyber activities that threaten its security, economy, and democracy. The Council document stated:"As part of the sustained, tailored and coordinated Union action against persistent cyber threat actors, six natural persons should be included in the list of natural and legal persons, entities and bodies subject to restrictive measures set out in the Annex to Decision (CFSP) 2019/797. Those persons are responsible for, or were involved in, cyberattacks with a significant effect, which constitute an external threat to the Union or its Member States."The sanctions demonstrate that the EU will continue to work closely with its Member States, international partners, and other stakeholders to address the growing cybersecurity threat landscape escalated by geopolitical tensions. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
BlackBasta Ransomware Gang Claims Cyberattack on Key Benefit Administrators, Scrubs & Beyond
Decoding BlackBasta Ransomware's Alleged Attack
The first organization targeted by BlackBasta is Key Benefit Administrators, Inc., which offers financial services. The company provides employment benefit services that manages pension, retirement, health, and welfare funds. BlackBasta claims to have access to 2.5TB of sensitive data of the firm, including client, executive, and employee info. [caption id="attachment_78852" align="alignnone" width="1247"] Source: Ransomware.live[/caption] The other organization targeted by the ransomware group is Scrubs & Beyond, which is the largest retailer of healthcare apparel and accessories in the U.S. The ransomware crew claims to have accessed 600GB of the organization’s sensitive data, including HR, employee, and departmental files. [caption id="attachment_78853" align="alignnone" width="1238"] Source: Ransomware.live[/caption] Until an official statement is released by the two firms, the facts behind the BlackBasta ransomware attack claim will likely remain elusive. If BlackBasta's claims are proven true, the implications could be significant. The compromise of sensitive legal information and client data could have broad consequences, not only for the firms concerned but also for its clients and partners.How Does BlackBasta Group Operate?
BlackBasta is a highly active ransomware group that has quickly gained a reputation for targeting high-value organizations across various industries. BlackBasta typically uses sophisticated phishing campaigns, and exploits known vulnerabilities in software to obtain access to their targets' systems. After gaining access, the group encrypts critical data and demands hefty ransoms for its release.Previous Attacks By BlackBasta
A recent joint security advisory from the U.S. Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC) stated that Black Basta has, through its affiliates, compromised more than 500 organizations all over the world. The victims include organizations that span 12 of 16 critical infrastructure sectors, including the Healthcare and Public Health (HPH) sector. A few of BlackBasta’s victims include Microsoft, Hyundai Europe, Capita, The American Dental Association, Yellow Pages Canada, and Dish, among others.How to Protect Against Ransomware
The ever-present threat of ransomware requires vigilant cybersecurity practices by consumers and organizations alike. Keeping software and operating systems up-to-date: Many ransomware attacks exploit vulnerabilities in outdated software and operating systems. By keeping software and operating systems up-to-date, you can minimize the possibility of a ransomware attack. Backing up important data: If your files are encrypted by ransomware, you may be able to restore them from a backup. By regularly backing up important data, you can increase the chances that you can recover your files if they are encrypted by ransomware. However, those backups should be immutable and ransomware-resistant - a good backup service provider may be your surest bet. Using antivirus software: Antivirus software can detect and remove various types of malware, including ransomware. By using antivirus or endpoint security software, you can reduce the risk of a ransomware attack. Being cautious of suspicious emails: Many ransomware attacks are spread via phishing emails. You can lower the risk of a ransomware attack by being wary of suspicious emails and refraining from clicking on links or opening attachments from unknown sources. Educating employees about cybersecurity: Employees play a critical role in defending against cyberattacks. It is of utmost importance that they understand the best practices and know how to identify and report suspicious activities. Isolating critical workloads and data: Isolating your most important data and applications with technologies such as microsegmentation, VLANs, firewalls and strict access and permission controls will create an extra layer of security that will make it that much harder for ransomware to infect your most critical systems. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.With U.S. Plea Deal, WikiLeaks Founder Assange is Free after 14-Year Legal Battle
WikiLeaks and Human Rights Groups Celebrate Assange's Release
In a statement on platform X, WikiLeaks wrote, “Julian Assange is free.”“He left Belmarsh maximum security prison on the morning of 24 June, after having spent 1901 days there. He was granted bail by the High Court in London and was released at Stansted airport during the afternoon, where he boarded a plane and departed the UK.” – WikiLeaksAssange is being flown to Saipan, the capital of the Northern Mariana Islands and a U.S. commonwealth in the Western Pacific Ocean. The formal hearing and sentencing is set to take place in the U.S. District Court for the Northern Mariana Islands at 9 a.m. local time Wednesday. Assange was reluctant to fly to the mainland U.S., his prosecutors said, and thus Saipan was decided as an alternative due to its proximity with Australia. If the guilty plea is approved by the judge – as is expected – the WikiLeaks founder will head to Australia after the sentencing. Human rights organization Amnesty International’s Secretary General, Agnès Callamard welcomed the “positive news.”
“We firmly believe that Julian Assange should never have been imprisoned in the first place and have continuously called for charges to be dropped.” - Amnesty International’s Secretary General, Agnès Callamard“The years-long global spectacle of the US authorities hell-bent on violating press freedom and freedom of expression by making an example of Assange for exposing alleged war crimes committed by the USA has undoubtedly done historic damage,” Callamard said. “Amnesty International salutes the work of Julian Assange’s family, campaigners, lawyers, press freedom organizations and many within the media community and beyond who have stood by him and the fundamental principles that should govern society’s right and access to information and justice.” The Mexican President Andrés Manuel, sounded a similar sentiment and said:
“I celebrate the release of Julian Assange from prison. At least in this case, the Statue of Liberty did not remain an empty symbol; She is alive and happy like millions in the world.”
Brief Timeline of Julian Assange Espionage Case
Julian Assange, the founder and Editor-in-Chief of WikiLeaks, gained prominence after the site published more than 90,000 classified U.S. military documents on the Afghanistan war and about 400,000 classified U.S. documents on the Iraq war. After the release of these documents via WikiLeaks, Assange was indicted by the U.S. on 18 counts, including 17 espionage charges under the 1917 Espionage Act and one for computer misuse, where he allegedly gained unauthorized access to a government computer system of a NATO country. In 2012, Assange communicated directly with a leader of the hacking group LulzSec (who by then was cooperating with the FBI), and provided a list of targets for LulzSec to hack, the indictment said. With respect to one target, Assange asked the LulzSec leader to look for (and provide to WikiLeaks) mail and documents, databases and PDFs. In another communication, Assange told the LulzSec leader that the most impactful release of hacked materials would be from the CIA, NSA, or the New York Times. WikiLeaks obtained and published emails from a data breach committed against an American intelligence consulting company by an “Anonymous” and LulzSec-affiliated hacker. According to that hacker, Assange indirectly asked him to spam that victim company again. An August 2010 arrest warrant for sexual assault allegations in Sweden was initially dropped but later reopened, leading to an international arrest warrant against him. Assange then sought refuge in the Ecuadorian embassy in London. In 2019, Ecuador revoked his asylum, and he was arrested by London police and sentenced to 50 weeks in prison for breaching bail conditions. Swedish prosecutors dropped their case in 2019 because the passage of time had weakened evidence, but they said they retained confidence in the complainant.Assange’s Freedom Starts ‘a New Chapter’
Stella Assange, the WikiLeaks founder’s wife, was elated and thanked everyone who stood by her husband. “Throughout the years of Julian’s imprisonment and persecution, an incredible movement has been formed. People from all walks of life from around the world who support not just Julian ... but what Julian stands for: truth and justice,” Stella Assange said. “What starts now with Julian’s freedom is a new chapter.” It will be interesting to see if Assange will be back at the helm of WikiLeaks and if he will keep his fight on against human right exploitations but for now it seems like he would be eager to reunite with his wife Stella Assange, and his children, “who have only known their father from behind bars.” Update* (June 25 1:30 p.m. ET): Added comments from Amnesty International’s Secretary General, Agnès Callamard and President of Mexico, Andrés Manuel.Synnovis Confirms Data Published by Qilin Ransomware Gang as Legitimate
“Last week a group claiming responsibility for the cyberattack published data online. We have now been able to confirm that this data was stolen from Synnovis’ systems.” - SynnovisAn initial review from Synnovis over the weekend revealed no evidence that the Laboratory Information Management Systems (LIMS) - the primary databases for patient test requests and results - were posted. However, fragments of patient-identifiable data from an administrative working drive have been published, Synnovis said. The payroll information storage area remains unaffected but further review of employee-related data that appeared in the dataset published on the dark web is underway. Synnovis emphasized the priority of understanding the compromised administrative working drive. The company is working alongside technical experts to ascertain more details and mitigate concerns among service users, employees and partners. The Information Commissioner’s Office (ICO) is investigating the breach, acknowledging the sensitivity of the leaked data and the anxiety it may cause. “While we are continuing to make enquiries into this matter, we recognize the sensitivity of some of the information in question and the worry this may have caused,” the ICO said. The ICO advises concerned individuals to visit its website and NHS England’s site for guidance and support. NHS England continues collaborating with Synnovis and the National Crime Agency to address the ransomware attack. NHS England acknowledged Synnovis’ initial analysis that confirmed the published data originated from their systems. The complex nature of such investigations means it could take weeks to identify all impacted individuals, it said. As the investigation proceeds, NHS England and Synnovis will provide updates and have established a helpline for those affected. Local health systems are working together to manage the impact on patients and have deployed additional resources to ensure urgent blood samples are processed. Laboratories can now also access historical patient records, which aids continuity of care, NHS England said. The cyberattack has significantly delayed blood tests, with some media reports stating NHS patients potentially waiting up to six months for sample collection. Earlier, Synnovis said the ransomware attack had significantly brought down the daily blood sampling count in major London hospitals from 10,000 to merely 400 per day. The Guardian cited a letter to one of the patients from the impacted hospital being told:
“Sadly it appears it may be three to six months before bloods can be taken again. You will be put on a waiting list and our secretaries will contact you when bloods can be taken again. If you haven’t heard anything in the next four months please feel free to contact us on the details above. I want to apologise for this inconvenience and appreciate this will be frustrating.”The pathology service provider was processing only “clinically critical” blood samples flagged by clinicians. These delays have prompted some patients to seek private clinics for faster testing and analysis that cost significantly high. The impact of the Synnovis ransomware attack is also felt on NHS Blood and Transplant (NHSBT), as it appealed to the public earlier this month to urgently donate O blood-type (+ve and -ve) across England. The attack caused significant disruption on the hospitals’ ability to match patients’ blood types, leading to an increased demand for O-positive and O-negative blood donations that are medically considered safe for all patients.
Doxxing on BreachForums Allegedly Exposes Moderator’s Personal Information
BreachForums Moderator Doxxing Details
On Tuesday, Bhavesh Mohinani, an SOC analyst and a member of "CISO2CISO," shared screenshots of a BreachForums post by an anonymous threat actor that allegedly contained sensitive Personally Identifiable Information (PII) of BreachForums moderator "Aegis". [caption id="attachment_78802" align="alignnone" width="1069"] Source: LinkedIn[/caption] The threat actor claimed that he obtained “bits and pieces” information about Aegis through his friend. “One thing I was given was a first name and an IP. Looking into it, you find out his information is very much out there! So much OPSEC, am I right,” the TA wrote in his post. OPSEC or Operational Security, is a process that identifies seemingly innocuous actions that could inadvertently reveal critical or sensitive data to a cybercriminal. Elaborating the details of Aegis, the threat actor claimed, “Aegis is a 17-year-old Egyptian resident living with his mother. His father seems not to have been found. Aegis started off being a skid, stealing code, claiming to be harmful and so on...he is a loser. “Aegis will most likely deny this being his information but if this post gets taken down, you will know the truth/ love everyone! Expect this loser,” the TA wrote. The user also shared details claiming to be the moderator’s phone number, IP address, residential address and telegram account. [caption id="attachment_78803" align="alignnone" width="1091"] Source: LinkedIn[/caption] While there is no confirmation or credibility to the claims shared by the anonymous actor, the post was deleted as soon as it was shared. However, the post has raised concerns about the security and trustworthiness of online communities.What is Doxxing?
Doxxing, or doxing for short, is when someone puts your personal information out there on the internet. This can include information like where you work, your home address, your credit card numbers, and other private details. Usually, the intention of the threat actor is to harass the victims. The word "doxxing" first came about in the 1990s, starting from the word "documents," which got shortened to "docs," and then finally became "dox." When people talk about "dropping dox," they mean cybercriminals revealing the true identities of their rivals, taking away their anonymity, and making them vulnerable to the authorities. A doxxing attack begins with the threat actor gathering extensive information about their target, searching online and checking social media for clues. Social media can reveal workplace details, which can be exploited for attacks. Skilled threat actors might also trace a target’s IP address to determine their location. The more data a threat actor collects, the more harm they can inflict. While some doxxing incidents are minor, like sending unwanted pizza deliveries, others can lead to severe consequences such as online harassment, swatting, identity theft, reputational damage, physical assault, job loss, or stalking. The alleged doxxing of the BreachForums moderator has raised questions about whether it would lead to the arrest of another threat actor and if it signals the decline of the forums. For example, in California, doxing is considered a serious offense, and individuals engaging in this activity could face legal consequences. Individuals arrested and charged with cyber harassment (doxing) under Penal Code §653.2 face up to one year in jail and a fine of up to $1,000. In April 2023, Hong Kong’s privacy watchdog, Office of the Privacy Commissioner for Personal Data, arrested a 27-year-old woman on suspicion of doxxing after she allegedly posted the personal details of her friend’s ex-boyfriend on social media.Prevention Against Doxxing
To protect users against doxxing, one must use strong, unique passwords for each account and enable Multi-Factor Authentication (MFA). Cleaning the digital footprint by removing personal information from online sites, deactivating old accounts, and adjusting privacy settings is regarded as a healthy practice. Using a VPN is recommended to hide the user’s IP address and prevent location tracking. Users must also be vigilant against phishing scams by recognizing poor spelling, mismatched email addresses, and unsolicited links. Finally, avoiding oversharing personal information online and keeping social media profiles private is a healthy digital practice to enhance security. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.Apple Fixes ‘Bug’ in Vision Pro That Allowed Hackers To Fill Room with Bugs And Spiders
Spatial Hack in Apple Vision Pro Devices
Apple designed the Vision Pro with strict privacy controls. This includes limiting device apps to a default 'Shared Space' and mandating explicit user consent for more engaging and immersive content. Websites must also obtain explicit user permission to generate 3D content within a user's physical environment. [caption id="attachment_78754" align="alignnone" width="720"] Source: ryanpickren.com[/caption] However, Pickren discovered that the AR Quick Look feature that had been introduced in 2018 for iOS remained active in the visionOS without the implementation of proper safeguards. This oversight allowed websites to manipulate HTML anchor tags to spawn unlimited 3D objects coupled with animations and spatial audio. By adding specific anchor tags to webpages, malicious websites can instruct Safari to render a 3D model, surprisingly without any form of user interaction. "If the victim just views our website in Vision Pro, we can instantly fill their room with hundreds of crawling spiders and screeching bats," Pickren explained. "Freaky stuff," he exclaimed. [caption id="attachment_78758" align="alignnone" width="1168"] Source: ryanpickren.com[/caption] [caption id="attachment_78756" align="alignnone" width="1186"] Source: ryanpickren.com[/caption] The researcher stated that the exploit code is straightforward and that closing Safari doesn't get rid of the 3D objects, as they are handled by a separate application. "To make things even freakier – since these animated files are being handled by a separate application (Quick Look), closing Safari does not get rid of them," Pickren noted. He added, "There is no obvious way to get rid of them besides manually running around the room to physically tap each one."Bug Reporting and Gaps in Vulnerability Assessment
After trying to disclose the flaw to Apple, the researcher felt the tech giant had downplayed its relation to spatial computing and the generation of 3D objects, instead focusing on the potential for system crashes and reboots. The CVE description claimed that the issue had been addressed by improving the file handling protocol, which the researcher believed was unrelated to the bug. This highlights the challenges of triaging and classifying bugs in emerging fields such as Spatial Computing. The researcher believes the bug's impact goes beyond simple system crashes or reboots, raising questions about the security and privacy of the technology and the need for reevaluating existing threat models. "Perhaps it's time for Apple to re-evaluate their Vision Pro threat model," Pickren suggested. "This is a deeply personal product and classic vulnerability triaging guidelines may not capture the full impact anymore." Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.CDK Global Cyberattack Ripple Effect: Several Car Dealers Report Disruptions
Systems Shut Down After Attack
CDK Global, a crucial provider of SaaS platforms for dealerships, was forced last week to shut down its systems in response to the cyberattack. With the work done so far, our core DMS and Digital Retailing solutions have been restored," a spokesperson for CDK Global told The Cyber Express at the time. "We are currently investigating a cyber incident. Erring on the side of caution, we proactively shut all systems down and executed extensive testing." This shutdown has hindered dealerships' abilities to manage customer relationships, sales, financing, service, inventory, and back-office operations. CDK Global's systems are vital to over 15,000 car dealerships in North America. It facilitates various operations, including car sales, repairs and registrations. There are only a handful of DMS companies for dealers to choose from. Thus, thousands of dealerships are hugely reliant on CDK’s services to line up financing and insurance, manage inventory of vehicles and parts, and complete sales and repairs.How CDK Global Cyberattack Impacts Customers
Asbury, AutoNation, Lithia Motors, Sonic Automotive, and Group 1 Automotive have activated their incident response plans and disconnected from CDK systems as a precaution, although no evidence of compromise within their own networks was found. Sonic Automotive mentioned that as of Friday, the extent to which the attackers accessed customer data remains unknown. Lithia Motors highlighted the ongoing negative impact on its operations, indicating uncertainty over whether the incident will materially affect its financial condition. Group 1 Automotive noted that CDK aims to restore the dealer management system within "several days and not weeks," but the financial impact depends on the system's downtime duration. Group 1 owns and operates 202 automotive dealerships, 264 franchises, and 42 collision centers in the United States and the United Kingdom that offer 35 brands of automobiles.CDK Customers Move to Manual Methods
Penske Automotive reported that the ransomware attack primarily affected its Premier Truck Group, which sells heavy- and medium-duty trucks across 48 locations in the U.S. and Canada. The company has implemented business continuity plans and continues operations using manual and alternate processes designed for such incidents. Penske noted that the truck dealership business that serves business customers has lower unit volumes compared to automotive dealerships. Asbury said business operations are functioning but "slower than normal." It added that the dealerships at Koons Automotive locations in Maryland and Virginia do not use CDK’s Dealer Management System or CDK’s Customer Relationship Management system and therefore continue to operate with minimal interruption, as does Clicklane, their online vehicle purchasing platform. Asbury operates 157 new vehicle dealerships, which includes 206 franchises representing 31 domestic and foreign vehicle brands.CDK May Pay Ransom
Late on Friday, Bloomberg reported that CDK Global is negotiating with the a ransomware gang, which Bleeping later confirmed to be BlackSuit, a rebrand of the Royal ransomware group known for last year's attack on the city government of Dallas. Although the ransom amount remains undisclosed, CDK Global reportedly plans to pay, Bloomberg said. CDK Global has issued prerecorded messages to warn customers about hackers posing as CDK staff to gain unauthorized access. Despite making recovery progress last week, CDK faced a second cyber incident that led to a complete shutdown of its systems. The company is working with third-party experts to assess the impact and update its customers regularly. This attack exposes the critical vulnerabilities in the supply chain of the automotive industry and its reliance on centralized digital platforms.Indonesia National Data Center Hack Disrupts Government Services, Affecting Over 200 Agencies
Authorities Have Detected Samples of LockBit 3.0 Ransomware
Samuel Abrijani Pangerapan, director general of informatics applications at the Communications and Informatics Ministry, confirmed that essential services like immigration checks at airports had been disrupted. Long lines were formed at affected airports after automated passport machines were rendered useless. While some of these services have been restored, including the government's immigration services, ongoing efforts are aimed at restoring other critical operations, such as investment licensing. Samuel stated, “We have tried our best to carry out recovery while the (National Cyber and Crypto Agency) is currently carrying out forensics.” The National Cyber and Crypto Agency has detected samples of LockBit 3.0 ransomware, a variant known for encrypting victims' data and demanding payment for its release. PT Telkom Indonesia, an Indonesian multinational telecommunications company, is working with domestic and international authorities and leading the efforts to efforts to break the encryption and restore access to the compromised data. Herlan Wijanarko, the company's director of network & IT solutions, confirmed that the attackers had offered a decryption key in exchange for an $8 million ransom.Experts Concerned About Indonesia Government Infrastructure Security
Cybersecurity experts warn that the severity of the attack highlights significant vulnerabilities in the government's digital infrastructure and incident response capabilities. Cybersecurity expert Teguh Aprianto described the latest attack as "severe" and notes that it highlights the need for improved infrastructure, manpower, and vendor management to prevent such attacks in the future. Teguh stated, "It shows that the government infrastructure, manpower handling this and the vendors are all problematic." In recent years, Indonesia has faced a series of high-profile cyber attacks, including a ransomware attack on its central bank and a data breach at its largest Islamic lender. The consequences of these attacks can be severe, with victims often forced to pay large sums to regain access to their data. Last year, the LockBit ransomware gang claimed responsibility for an attack on the Bank Syariah Indonesia. Sensitive information of over 15 million individuals had been stolen in the attack, affecting both customers and employees. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.Weekly Vulnerability Report: Critical Security Flaws Identified by Cyble in Microsoft, VMware, Veeam, ASUS Products
The Week’s Top Vulnerabilities
Cyble’s weekly report focused on 9 of the vulnerabilities in particular; they are:CVE-2024-37079, CVE-2024-37080 and CVE-2024-37081: VMware
Impact Analysis: These critical and high severity heap-overflow and privilege escalation vulnerabilities impact the VMware vCenter Server, a central management platform for VMware vSphere, enabling the management of virtual machines and ESXi hosts. With the global usage of the impacted product and the history of leveraging flaws impacting vCenter, there is strong potential for threat actors (Tas) to leverage these critical vulnerabilities also. Internet Exposure: Yes Available Patch? YesCVE-2024-3080: ASUS Router Bypass
Impact Analysis: This critical authentication bypass vulnerability impacts certain ASUS router models, allowing unauthenticated remote attackers to log in to the device. Recently, the Taiwan Computer Emergency Response Team informed users about the vulnerability and released an advisory with fixes to patch the flaw. Internet Exposure: Yes Patch Available? YesCVE-2024-3912: ASUS Arbitrary Firmware Upload Vulnerability
Impact Analysis: This critical arbitrary firmware upload vulnerability impacts certain ASUS router models, allowing unauthenticated remote attackers to execute arbitrary system commands on the device. The Taiwan Computer Emergency Response Team also informed users about this vulnerability and released an advisory with fixes to patch the flaw. Internet Exposure: Yes Patch Available? YesCVE-2024-29855: Veeam Recovery Orchestrator
Impact Analysis: This critical authentication bypass vulnerability impacts the Veeam Recovery Orchestrator. The recovery solution extends the capabilities of the Veeam Data Platform by automating recovery processes and providing comprehensive reporting and testing features. The availability of a recent publicly available proof-of-concept (PoC) exploit for this vulnerability elevates the risk of exploitation in attacks by TAs. Internet Exposure: No Patch Available? YesCVE-2024-30103: Microsoft Outlook RCE Vulnerability
Impact Analysis: This high-severity remote code execution (RCE) vulnerability impacts Microsoft Outlook. Since the zero-click RCE flaw can be exploited simply by opening and previewing an email that contains a malicious payload in the body of the email, requiring no further interaction from the user, there are high possibilities for the weaponization of the vulnerability by TAs in targeting government and private entities. Internet Exposure: No Patch Available? YesCVE-2024-30078: Windows Wi-Fi Driver RCE Vulnerability
Impact Analysis: This high severity remote code execution (RCE) vulnerability impacts Windows Wi-Fi Driver. With the wide usage of Windows devices around the world and the ability to exploit without the need for any user interaction, TAs can leverage the flaw to gain initial access to the devices and later install malware and exfiltrate user data. Internet Exposure: No Patch Available? YesCVE-2024-37051: JetBrains GitHub Plugin Vulnerability
Impact Analysis: This critical vulnerability in the JetBrains GitHub plugin on the IntelliJ open-source platform affects all IntelliJ-based IDEs, leading to the exposure of GitHub access tokens. TAs can leverage the vulnerability by using exposed tokens to gain unauthorized access to user GitHub accounts and repositories and possibly deploy malicious code or delete the repositories. Internet Exposure: No Patch Available? YesCISA Adds 5 Vulnerabilities to KEV Catalog
Five of the vulnerabilities in the Cyble report were added to CISA’s Known Exploited Vulnerabilities (KEV) catalog:- CVE-2024-32896, an Android Pixel vulnerability with a 7.8 CVSSv3 criticality score
- CVE-2024-26169, a Microsoft Windows error reporting service elevation of privilege vulnerability with a 7.8 criticality rating
- CVE-2024-4358, a Progress Telerik Report Server vulnerability with a 9.8 rating
- CVE-2024-4610, an Arm Mali GPU Kernel Driver vulnerability with a 5.5 rating
- CVE-2024-4577, a PHP remote code execution flaw, a 9.8 vulnerability that Cyble addressed in last week’s report
Lindex Group Faces Alleged Source Code Leak by Hacker IntelBroker
Decoding IntelBroker’s Claims of Lindex Group Data Breach
[caption id="attachment_78687" align="alignnone" width="1242"] Source: X[/caption] The claims made by IntelBroker on the dark web suggest that the compromised source code of Lindex Group is now accessible through undisclosed channels, although specific details such as the price for access or direct communication channels have not been publicly disclosed. The situation has prompted concerns about the potential impact on Lindex Group's operations and the security of its customers' data. Despite these reports, Lindex Group has yet to issue an official statement or response regarding the alleged breach. The Cyber Express has reached out to the organization to learn more about this the breach claims. However, at the time of this, no official statement or response has been received. Visitors to Lindex Group's website may find it operational without immediate signs of intrusion, suggesting that the attack may have targeted backend systems rather than initiating a more visible front-end assault like a Distributed Denial-of-Service (DDoS) attack or website defacements.IntelBroker Hacking Spree
IntelBroker, the solo hacker claiming responsibility for the breach, has a history of similar actions, having previously claimed involvement in cybersecurity incidents affecting other major companies. One notable example includes an alleged data breach targeting Advanced Micro Devices (AMD), a leading semiconductor manufacturer, and Apple was another alleged victim. The incident, disclosed on platforms like BreachForums, involved the exposure of sensitive data, prompting AMD to initiate investigations in collaboration with law enforcement authorities and third-party cybersecurity experts. The situation highlights the persistent nature of hackers like IntelBroker, who continue to exploit vulnerabilities in digital infrastructure for financial gain or malicious intent. For organizations like Lindex Group, the fallout from such breaches can encompass not only financial losses but also reputational damage and regulatory scrutiny. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.Crypto Investors Alarmed as Coinstats Breach Impacts 1,590 Wallets
Understanding the Coinstats Data Breach
[caption id="attachment_78679" align="alignnone" width="733"] Source: Coinstats on X[/caption] In a public statement addressing the breach, Coinstats reassured its user base that the incident has been mitigated, and immediate steps have been taken to secure the platform. Users whose wallet addresses were compromised were advised to take action by transferring their funds using exported private keys. A spreadsheet link was provided for users to check if their wallets were among those affected. CEO Narek Gevorgyan highlighted the seriousness of the situation, acknowledging the challenges posed by the Coinstats cyberattack while emphasizing Coinstats' commitment to restoring normal operations swiftly and securely. Gevorgyan outlined that comprehensive security measures were being implemented during the restoration process to fortify the platform against future vulnerabilities. "We're actively working to bring the app back online as quickly as possible. Thank you for your patience," stated Gevorgyan in an update shared via Coinstats' official channels.North Korea-linked Hackers Behind the Data Breach at Coinstats
The revelation of North Korea-linked hackers being behind the breach adds a geopolitical dimension to the Coinstats data breach incident, highlighting the global reach and sophisticated tactics employed by cyber threat actors targeting digital assets and platforms. This aspect of the breach highlights the need for heightened cybersecurity measures across the cryptocurrency sector. In a similar case, another crypto firm, BtcTurk faced a cyberattack on its hot wallets on June 22, 2024. Binance Binance CEO Richard Teng confirmed this attack, pledging ongoing support for BtcTurk's investigation. Cryptocurrency investigator ZachXBT hinted at a possible link between the breach and a $54 million Avalanche transfer. Coinstats users have been urged to remain vigilant and monitor their accounts closely for any unauthorized transactions or suspicious activities. The company assured its users that it is actively investigating the extent of funds moved during the breach and pledged to provide updates as new information becomes available. In response to the breach, regulatory bodies and industry stakeholders may scrutinize Coinstats' security practices and response protocols. The outcome of such scrutiny could influence future cybersecurity standards within the cryptocurrency industry, potentially leading to more stringent requirements for platform security and user protection.TCE Cyberwatch: Your Weekly Cybersecurity Roundup
TCE Cyberwatch: A Weekly Round Up
CISA Issues Urgent Advisories to Patch Critical Flaws in Industrial Control Systems
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued 20 advisories to address vulnerabilities in Industrial Control Systems (ICS). These advisories offer detailed technical information and mitigation strategies for various ICS components. Key vulnerabilities include CVE-2024-33500 in Siemens Mendix Applications, which poses remote exploitation risks due to improper privilege management, and issues in Siemens SIMATIC S7-200 SMART devices that can lead to denial-of-service attacks. Additional affected systems include Siemens TIA Administrator, SCALANCE devices, Fuji Electric’s Tellus Lite, and Rockwell Automation’s FactoryTalk View SE. CISA stresses the importance of timely updates, network access restrictions, and strict adherence to security protocols. Although no public exploits have been identified, CISA recommends proactive measures such as network segmentation and secure remote access to bolster ICS resilience against cyber threats. Read MoreMicrosoft Vows Security Overhaul After U.S. Report
Microsoft has faced severe criticism over its cybersecurity measures, highlighted by a U.S. Cyber Safety Review Board (CSRB) report detailing multiple security failures. These failures include a July 2023 attack by Chinese actors on senior U.S. officials' email accounts. Despite pledges to prioritize security, issues have been compounded by the flawed rollout of the Windows Recall feature. In a House Committee hearing, Microsoft President Brad Smith acknowledged these failings, accepted responsibility, and outlined plans for improvement. These measures include integrating security into executive bonuses and employee reviews, adding 1,600 security engineers, and expanding senior-level oversight. Microsoft is also addressing all CSRB recommendations and enhancing identity protection, network security, and threat detection. Smith emphasized the ongoing battle against cyberattacks, noting that Microsoft detects nearly 4,000 password-based attacks per second. Read MoreOver 300 Fake Paris 2024 Sites Target Olympic Ticket Buyers
As the Paris 2024 Summer Olympics approach, security researchers and officials have identified over 300 fraudulent ticketing sites exploiting legitimate Olympics branding to scam users. One notable site, paris24tickets[.]com, appeared professional and ranked highly in Google search results, misleading users into providing personal and financial information. Proofpoint researchers exposed this site as entirely fraudulent, collecting sensitive data instead of processing ticket orders. The French Gendarmerie Nationale has identified 338 scam sites since March 2023, shutting down 51 and putting 140 on notice. Scammers use ads and targeted emails to attract victims, often offering fake discounts. Captain Etienne Lestrelin advises against buying tickets outside official sources, warning that excessively cheap tickets are likely scams and could involve buyers in criminal activities. Read MoreTesla's $45 Billion Payout: Court Battle Looms Over Coercion Claims
Tesla's efforts to reinstate Elon Musk's $45 billion pay package continue to face legal challenges despite shareholder support. The package was nullified by a Delaware judge due to concerns over board independence. Tesla's chair plans to resubmit the deal to the court, but plaintiffs argue the vote was coerced and legally flawed. Richard Tornetta's lawyer, representing the plaintiffs, claims the new vote does not address the initial issues. Legal experts predict ongoing court battles in Delaware, with possible appeals to the state’s supreme court. They also highlight potential coercion by Musk, who threatened to develop AI and robotics outside Tesla if the vote failed. Future pay deals will be governed by Texas law following Tesla's incorporation move, but existing litigation remains in Delaware. Read MoreMFA Failure Exposes Millions: Medibank Fined for Massive Data Breach
A lack of multi-factor authentication (MFA) likely caused the Medibank data breach, exposing the personal data of 9.7 million customers in October 2022. The Australian Information Commissioner’s report revealed that hackers stole an IT service desk operator’s credentials via malware on a home device. The compromised VPN lacked MFA, allowing unauthorized access. Ignored security alerts further enabled the attackers to extract 520GB of sensitive data. Medibank's inadequate cybersecurity measures, highlighted in a 2020 risk assessment, included excessive access privileges and the absence of MFA. This negligence led to legal action by Australia's privacy regulator, with potential fines exceeding AU$2 million. Sanctions and arrests followed for the hackers involved. The breach underscores the critical need for MFA, proper alert management, regular security audits, and employee training. Read MoreMETA Stealer Ups the Ante: Encrypted Builds, Custom Stubs in v5.0 Update
META Stealer v5.0 has launched, introducing advanced features and heightened security for this information-stealing malware. Key improvements include TLS encryption for secure communication between the build and the control panel, similar to updates seen in other top stealers like Lumma and Vidar. The update also offers a new build system for generating unique builds, supported by a "Stub token" currency for creating Runtime stubs, enhancing customization. The "Crypt build" option encrypts builds to evade detection during scans, significantly boosting stealth capabilities. Additionally, the panel's security and licensing systems have been upgraded to minimize disruptions. While previous updates, such as version 4.3 in February 2023, introduced features like enhanced detection cleaning and Telegram integration for build creation, version 5.0 focuses on individualized security and continuous improvement. Read More In this week's edition of TCE Cyberwatch, we've covered critical cybersecurity updates, from CISA's advisories on industrial control systems to Microsoft's pledges for security improvements and the exposure of fraudulent Olympic ticketing sites. As cyber threats continue to evolve, staying informed and proactive is essential. By keeping abreast of the latest news and trends, you can better protect your digital assets and stay ahead in the ongoing battle against cyberattacks. Stay vigilant and informed with TCE Cyberwatch.Jollibee Probes Alleged Data Breach Affecting 32 Million Customers, Asks Public to Remain Vigilant
Details of Jollibee Probe into Cyberattack
The Philippines National Privacy Commission (NPC) regulations make it mandatory for organizations in the country to report and inform stakeholders of cybersecurity incidents within 72 hours of discovery. A statement was released on June 22 by Richard Shin, Chief Financial Officer and Corporate Information Officer of JFC, which said that it was addressing “a cybersecurity incident” that reportedly affected the company, “in addition to other subsidiaries”. “The Company is addressing the incident and has implemented its response protocols and deployed enhanced security measures to further protect the Company’s and its subsidiaries’ data against threats. The Company has also launched its investigation on the matter to understand the scope of this incident, and is currently working with the relevant authorities and experts in its investigation,” the statement said. JFC, however, added that its e-commerce platforms and those of its subsidiaries’ brands remained unaffected by the cyberattack and continued to be operational. It added that the safety of data from stakeholders was paramount for the company. “JFC recognizes the value and importance of the confidentiality of personal information of its stakeholders. The Company assures the public of its commitment to prioritize the protection and confidentiality of such personal information, including customer data, by continuously fortifying its defenses against future threats,” the company said. “The Company further assures the public that it continues to monitor and update its security measurements as appropriate under the circumstances, and as may be required by the results of its investigation into this matter,” it added. The fast-food delivery group urged the public to be vigilant and exercise good information security practices, including keeping passwords secure and changing them often.Jollibee’s Cybersecurity Concerns
The alleged data breach of the fast-food chain took place on popular data hack site BreachForums on June 20. The threat actor, “Sp1d3r”, claimed to have carried out a cyberattack and had gained access to the data of 32 million Jollibee customers, including their names, addresses, phone numbers, email addresses and hashed passwords. The hacker also allegedly exfiltrated 600 million rows of data related to food delivery, sales orders, transactions and service details. JFC, meanwhile, is investigating this alleged cyberattack on its brands and subsidiaries, including Greenwich, Red Ribbon, Burger King Philippines, and Highlands Coffee. This is not the first time that Jollibee has faced flak for its cybersecurity measures. In December 2017, JFC had informed of a data breach of its delivery website. The NPC had then warned that the data of 18 million customers was at “a very high risk” of being exposed. After an investigation, the NPC in May 2018 suspended Jollibee’s delivery website due to “serious vulnerabilities.” JFC also took down the delivery websites of its other brands. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.Millions of Americans Affected: Change Healthcare Reveals Data Stolen in Cyberattack
Stolen Data Information in CHC Cyberattack
The Change Healthcare data breach notification provided a comprehensive overview of the types of information that may have been affected. Although CHC cannot confirm exactly what data was compromised for each individual, the exposed information may include:- Contact Information: Names, addresses, dates of birth, phone numbers, and email addresses.
- Health Insurance Information: Details about primary, secondary, or other health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers.
- Health Information: Medical record numbers, providers, diagnoses, medicines, test results, images, and details of care and treatment.
- Billing, Claims, and Payment Information: Claim numbers, account numbers, billing codes, payment card details, financial and banking information, payments made, and balances due.
- Other Personal Information: Social Security numbers, driver’s license or state ID numbers, and passport numbers.
Cyberattack on Change Healthcare: What Exactly Happen?
The Change Healthcare cyberattack occurred when a cybercriminal gained unauthorized access to the CHC computer system on February 21, 2024. Upon discovering the ransomware deployment, CHC immediately took steps to halt the activity, disconnected and shut down systems to prevent further impact and initiated an investigation. Law enforcement was contacted, and CHC's security team, along with several top cybersecurity experts, worked tirelessly to address the breach and understand its scope. The investigation revealed that a significant amount of data was exfiltrated from CHC’s environment between February 17, 2024, and February 20, 2024. By March 7, 2024, CHC confirmed the data exfiltration and began analyzing the compromised files. On April 22, 2024, CHC publicly confirmed that the impacted data could affect a substantial proportion of the American population. As of June 20, 2024, CHC began notifying customers whose data was identified as compromised. When CHC learned about the activity, CHC immediately began an investigation with support from leading cybersecurity experts and law enforcement. In response to this incident, CHC immediately took action to shut down systems and sever connectivity to prevent further impact," informed Change Healthcare official release "CHC has also reinforced its policies and practices and implemented additional safeguards in an effort to prevent similar incidents from occurring in the future. CHC, along with leading external industry experts, continues to monitor the internet and dark web.What Steps Affected Individuals Can Take
While the investigation continues, individuals who suspect their information may have been compromised can take several steps to protect themselves:- Enroll in Credit Monitoring and Identity Protection: CHC is offering two years of complimentary credit monitoring and identity protection services.
- Monitor Statements and Reports: Regularly check explanations of benefits from health plans, statements from healthcare providers, bank and credit card statements, credit reports, and tax returns for any unfamiliar activity.
- Report Unfamiliar Health Services: If any unauthorized healthcare services are found on an explanation of the benefits statement, contact the health plan or doctor.
- Alert Financial Institutions: Immediately contact financial institutions or credit card companies if suspicious activity is detected on bank or credit card statements or tax returns.
- File a Police Report: Contact local law enforcement if you believe you are a victim of a crime.