Credit Suisse, a global investment bank and financial services firm, has reportedly fallen victim to a cyberattack. The Credit Suisse data breach was allegedly masterminded by a threat actor (TA), operating under the alias “888,” on the data hack site BreachForums. The TA claims to have accessed highly sensitive data of the bank and posted it on the dark web marketplace. According to the the threat actor, the data breach contains personal information of about 19,000 of the bank’s Indian employees.

Credit Suisse Data Breach Details

Credit Suisse was founded in 1856 and has approximately $15.21 Billion in revenue. It is one of the leading institutions in private banking and asset management, with strong expertise in investment banking. On June 25, 2024, the threat actor claimed to have carried out a cyberattack on the bank and exfiltrated details on 19,000 of its users. [caption id="attachment_79024" align="alignnone" width="1622"] Source: X[/caption] The breached data purportedly includes names of employees, 6,623 unique email addresses, their codes, date of birth, gender, policy name, relationships, dates of joining, effective dates, statuses, and entities. To substantiate the claim, the threat actor 888 provided a sample of the data breach, which contains details of Credit Suisse employees in India. [caption id="attachment_79025" align="alignnone" width="1362"] Source: X[/caption] The TA, however, did not provide a specific price for the sale of data and has requested potential buyers to quote a figure. The hacker commented that they are only accepting cryptocurrency as the mode of payment. More specifically, the hacker was open to payment on Monero (XMR), a digital currency renowned for its privacy and anonymity attributes. This method of payment is often utilized in illegal transactions to evade detection. Despite these claims by the threat actor, a closer inspection reveals that the bank’s website is currently functioning normally, showing no signs of a security breach. The Cyber Express has reached out to the bank to verify the alleged cyberattack. As of now, no official statements or responses have been received, leaving the claims unverified.

Not the First Credit Suisse Data Breach

This is not the first time that Credit Suisse has been involved in a security breach. According to a report published in The Economic Times, in 2023, the bank warned its staff that a former employee stole personal data of its employees, including salaries and bonuses. The information included salary and "variable compensation" for a period between 2013 and 2015. Another Bloomberg report said that a data breach in 2023 impacted numerous former Credit Suisse clients who collectively held a staggering $100 billion in accounts.

Credit Suisse Hacker Targeted Big Multinationals Recently

There are many concerns over the potential misuse of sensitive information found in the data breach, which includes customer names, dates of birth, and relationships. Credit Suisse should investigate the data breach claims considering the history of the threat actor. Earlier this month, the TA 888 claimed to have stolen data of over 32,000 current and former employees of Accenture. The company, however, denied the claims and said that the data set published by the hacker had only three employee names and email addresses. The hacker also claimed responsibility for leaking details about 8,174 employees of Heineken across several countries. Prior to this, 888 also staked claims for an attack on oil and gas multinational Shell.  The TA posted sample information sharing personal details of Australian customers. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.  

The infamous cybercrime marketplace BreachForums faced an awkward scenario on June 25, 2024, when a threat actor leaked unverified information about "Aegis”, one of the forum moderators. The doxxing incident of BreachForums moderator was first reported by a LinkedIn user on a cybersecurity forum named “CISO2CISO”.

BreachForums Moderator Doxxing Details

On Tuesday, Bhavesh Mohinani, an SOC analyst and a member of "CISO2CISO,"  shared screenshots of a BreachForums post by an anonymous threat actor that allegedly contained sensitive Personally Identifiable Information (PII) of BreachForums moderator "Aegis". [caption id="attachment_78802" align="alignnone" width="1069"] Source: LinkedIn[/caption] The threat actor claimed that he obtained “bits and pieces” information about Aegis through his friend. “One thing I was given was a first name and an IP. Looking into it, you find out his information is very much out there! So much OPSEC, am I right,” the TA wrote in his post. OPSEC or Operational Security, is a process that identifies seemingly innocuous actions that could inadvertently reveal critical or sensitive data to a cybercriminal. Elaborating the details of Aegis, the threat actor claimed, “Aegis is a 17-year-old Egyptian resident living with his mother. His father seems not to have been found. Aegis started off being a skid, stealing code, claiming to be harmful and so on...he is a loser. “Aegis will most likely deny this being his information but if this post gets taken down, you will know the truth/ love everyone! Expect this loser,” the TA wrote. The user also shared details claiming to be the moderator’s phone number, IP address, residential address and telegram account. [caption id="attachment_78803" align="alignnone" width="1091"] Source: LinkedIn[/caption] While there is no confirmation or credibility to the claims shared by the anonymous actor, the post was deleted as soon as it was shared. However, the post has raised concerns about the security and trustworthiness of online communities.

What is Doxxing?

Doxxing, or doxing for short, is when someone puts your personal information out there on the internet. This can include information like where you work, your home address, your credit card numbers, and other private details. Usually, the intention of the threat actor is to harass the victims. The word "doxxing" first came about in the 1990s, starting from the word "documents," which got shortened to "docs," and then finally became "dox." When people talk about "dropping dox," they mean cybercriminals revealing the true identities of their rivals, taking away their anonymity, and making them vulnerable to the authorities. A doxxing attack begins with the threat actor gathering extensive information about their target, searching online and checking social media for clues. Social media can reveal workplace details, which can be exploited for attacks. Skilled threat actors might also trace a target’s IP address to determine their location. The more data a threat actor collects, the more harm they can inflict. While some doxxing incidents are minor, like sending unwanted pizza deliveries, others can lead to severe consequences such as online harassment, swatting, identity theft, reputational damage, physical assault, job loss, or stalking. The alleged doxxing of the BreachForums moderator has raised questions about whether it would lead to the arrest of another threat actor and if it signals the decline of the forums. For example, in California, doxing is considered a serious offense, and individuals engaging in this activity could face legal consequences. Individuals arrested and charged with cyber harassment (doxing) under Penal Code §653.2 face up to one year in jail and a fine of up to $1,000. In April 2023, Hong Kong’s privacy watchdog, Office of the Privacy Commissioner for Personal Data, arrested a 27-year-old woman on suspicion of doxxing after she allegedly posted the personal details of her friend’s ex-boyfriend on social media.

Prevention Against Doxxing

To protect users against doxxing, one must use strong, unique passwords for each account and enable Multi-Factor Authentication (MFA). Cleaning the digital footprint by removing personal information from online sites, deactivating old accounts, and adjusting privacy settings is regarded as a healthy practice. Using a VPN is recommended to hide the user’s IP address and prevent location tracking. Users must also be vigilant against phishing scams by recognizing poor spelling, mismatched email addresses, and unsolicited links. Finally, avoiding oversharing personal information online and keeping social media profiles private is a healthy digital practice to enhance security. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Lindex Group, an international retail giant specializing in high-quality fashion, has reportedly fallen victim to a data breach. According to claims made by threat actor IntelBroker on dark web forums, the Lindex Group data breach allegedly occurred in June 2024, targeting Lindex Group's internal GitLab. The perpetrator allegedly exploited vulnerabilities stemming from developers storing credentials in their Jira workplace, thereby gaining access to a collection of source code belonging to the company. Lindex Group, which has been a part of the Finnish Stockmann Group since 2007, operates approximately 480 stores across 18 markets, including the Nordic countries, the Baltic states, Central Europe, and the Middle East. With a workforce of around 5,000 employees, the company holds a prominent position in the retail industry, focusing on an omnichannel approach to fashion retailing.

Decoding IntelBroker’s Claims of Lindex Group Data Breach

[caption id="attachment_78687" align="alignnone" width="1242"] Source: X[/caption] The claims made by IntelBroker on the dark web suggest that the compromised source code of Lindex Group is now accessible through undisclosed channels, although specific details such as the price for access or direct communication channels have not been publicly disclosed. The situation has prompted concerns about the potential impact on Lindex Group's operations and the security of its customers' data. Despite these reports, Lindex Group has yet to issue an official statement or response regarding the alleged breach. The Cyber Express has reached out to the organization to learn more about this the breach claims. However, at the time of this, no official statement or response has been received. Visitors to Lindex Group's website may find it operational without immediate signs of intrusion, suggesting that the attack may have targeted backend systems rather than initiating a more visible front-end assault like a Distributed Denial-of-Service (DDoS) attack or website defacements.

IntelBroker Hacking Spree

IntelBroker, the solo hacker claiming responsibility for the breach, has a history of similar actions, having previously claimed involvement in cybersecurity incidents affecting other major companies. One notable example includes an alleged data breach targeting Advanced Micro Devices (AMD), a leading semiconductor manufacturer, and Apple was another alleged victim. The incident, disclosed on platforms like BreachForums, involved the exposure of sensitive data, prompting AMD to initiate investigations in collaboration with law enforcement authorities and third-party cybersecurity experts. The situation highlights the persistent nature of hackers like IntelBroker, who continue to exploit vulnerabilities in digital infrastructure for financial gain or malicious intent. For organizations like Lindex Group, the fallout from such breaches can encompass not only financial losses but also reputational damage and regulatory scrutiny. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The Handala hacker group has claimed responsibility for breaching Zerto, an Israeli firm specializing in critical cybersecurity services. The Zerto cyberattack reportedly yielded a substantial 51 terabytes of data, potentially exposing sensitive information integral to Zerto's operations. Zerto is renowned for its pivotal role in disaster recovery synchronization and site recovery, providing essential services utilized by numerous global enterprises. The cyberattack on Zerto by Handala, a group sympathetic to Palestinian causes and named after a symbol of Palestinian resilience, highlights the increasing intersection of geopolitical tensions and cybersecurity threats.

Handala Hacker Group Claims Responsibility for Zerto Cyberattack

[caption id="attachment_78661" align="alignnone" width="1280"] Source: X[/caption] According to the threat actor's post, Handala hacker group claims that they have targeted Zerto and also shared multiple screenshots on dashboards associated with the cybersecurity company. The group, previously claimed cyberattack on Israel’s radars and allegedly took down Iron Dome missile defense systems. The Handala hacker group draws its inspiration from the iconic figure created by Palestinian cartoonist Naji al-Ali. The character, depicted as a ten-year-old with hands clasped behind his back, symbolizes defiance against imposed solutions and solidarity with the marginalized Palestinian population. Since al-Ali's tragic assassination in 1987, Handala has remained a potent symbol of Palestinian identity, prominently displayed across the West Bank, Gaza, and Palestinian refugee camps. The cyberattack on Zerto marks another chapter in Handala's campaign, aligning their actions with broader movements supporting Palestinian rights globally. The group's activities have resonated within these movements, akin to its adoption by the Boycott, Divestment, and Sanctions movement and the Iranian Green Movement. Despite the bold claims by the Handala hacker group, official confirmation from Israeli authorities regarding the extent and impact of the cyberattack is pending. However, security experts within Israel have expressed concerns over the plausibility of Iranian involvement in cyber operations targeting critical Israeli infrastructure.

The Implication of Cyberattack on Zerto

The Cyber Express reached out to Handala for further insights into their motives and objectives behind the Zerto cyberattack. As of the latest update, no formal response has been received, leaving the claims and motivations of the attack unverified. The incident highlights the ongoing cybersecurity challenges faced by firms operating in sensitive sectors, exacerbated by geopolitical tensions and sophisticated cyber threats. The implications of the Zerto breach are profound, highlighting vulnerabilities in cybersecurity defenses and the need for robust measures to protect critical infrastructure. As stakeholders await further developments, The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on the alleged Zerto cyberattack or any official confirmation from the organization.  Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Jollibee Foods Corporation (JFC), which is the largest fast-food chain operator in Philippines, has launched an investigation for an alleged data breach in its system that may have affected millions of its customers across the globe. The Jollibee probe was initiated after a threat actor claimed responsibility for breaching the systems of the Jollibee Foods Corporation. On June 21, The Cyber Express reported that a notorious attacker, operating under the alias “Sp1d3r”, claimed to have access to the sensitive data of 32 million customers of the fast food chain and offered to sell the database for $40,000 on the dark web. [caption id="attachment_78479" align="alignnone" width="1950"] Source: X[/caption]

Details of Jollibee Probe into Cyberattack

The Philippines National Privacy Commission (NPC) regulations make it mandatory for organizations in the country to report and inform stakeholders of cybersecurity incidents within 72 hours of discovery. A statement was released on June 22 by Richard Shin, Chief Financial Officer and Corporate Information Officer of JFC, which said that it was addressing “a cybersecurity incident” that reportedly affected the company, “in addition to other subsidiaries”. “The Company is addressing the incident and has implemented its response protocols and deployed enhanced security measures to further protect the Company’s and its subsidiaries’ data against threats. The Company has also launched its investigation on the matter to understand the scope of this incident, and is currently working with the relevant authorities and experts in its investigation,” the statement said. JFC, however, added that its e-commerce platforms and those of its subsidiaries’ brands remained unaffected by the cyberattack and continued to be operational. It added that the safety of data from stakeholders was paramount for the company. “JFC recognizes the value and importance of the confidentiality of personal information of its stakeholders. The Company assures the public of its commitment to prioritize the protection and confidentiality of such personal information, including customer data, by continuously fortifying its defenses against future threats,” the company said. “The Company further assures the public that it continues to monitor and update its security measurements as appropriate under the circumstances, and as may be required by the results of its investigation into this matter,” it added. The fast-food delivery group urged the public to be vigilant and exercise good information security practices, including keeping passwords secure and changing them often.

Jollibee’s Cybersecurity Concerns  

The alleged data breach of the fast-food chain took place on popular data hack site BreachForums on June 20. The threat actor, “Sp1d3r”, claimed to have carried out a cyberattack and had gained access to the data of 32 million Jollibee customers, including their names, addresses, phone numbers, email addresses and hashed passwords. The hacker also allegedly exfiltrated 600 million rows of data related to food delivery, sales orders, transactions and service details. JFC, meanwhile, is investigating this alleged cyberattack on its brands and subsidiaries, including Greenwich, Red Ribbon, Burger King Philippines, and Highlands Coffee. This is not the first time that Jollibee has faced flak for its cybersecurity measures. In December 2017, JFC had informed of a data breach of its delivery website. The NPC had then warned that the data of 18 million customers was at “a very high risk” of being exposed. After an investigation, the NPC in May 2018 suspended Jollibee’s delivery website due to “serious vulnerabilities.” JFC also took down the delivery websites of its other brands. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Jollibee, the Philippines’ largest fast-food chain, has allegedly been hit by a massive data breach. The Jollibee cyberattack came to light on June 20, 2024, when a threat actor claimed responsibility for breaching the systems of Jollibee Foods Corporation. The notorious attacker, operating under the alias “Sp1d3r“, claimed to have access to the sensitive data of 32 million customers of the fast food chain and offered to sell the database for $40,000.

Details of Jollibee Cyberattack

The data breach of the fast-food chain was posted by the threat actor on popular data hack site BreachForums. The threat actor stated that “Jollibee is a Filipino chain of fast-food restaurants owned by Jollibee Foods Corporation. As of September 2023, there were over 1,500 Jollibee outlets worldwide, with restaurants in Southeast Asia, East Asia, the Middle East, North America, and Europe.” [caption id="attachment_78479" align="alignnone" width="1950"] Source: X[/caption] The threat actor claimed to have carried out a cyberattack and had gained access to the data of 32 million Jollibee customers, including their names, addresses, phone numbers, email addresses and hashed passwords. The hacker also allegedly exfiltrated 600 million rows of data related to food delivery, sales orders, transactions and service details. To support these claims, the TA included a sample in tabular data format accessible through spreadsheet programs like Microsoft Excel and Google Sheets. While the exact details of the alleged data breach remains unclear, the potential impact on millions of customers is cause for concern.

Jollibee Yet to React to Cyberattack Claims

The motive behind the Jollibee cyberattack remains unknown. So far, Jollibee Foods Corporation has not reacted or issued any official statement regarding the alleged data breach. The Cyber Express has reached out to the corporation to verify the claims. This article will be updated once the company responds to the allegations and shares any preventive measures in place to prevent critical data from being misused. The Philippines National Privacy Commission (NPC) has yet to receive any notification from Jollibee Foods Corporation regarding the breach. The NPC regulations require organizations to inform affected individuals and report such incidents within 72 hours of discovery.

Jollibee Cyberattack Threat Actor Responsible for Snowflake Breach

While Jollibee investigates the claims made by “Sp1d3r”, the threat actor has been responsible for several recent breaches, which includes many customers of third-party cloud data storage vendor Snowflake. On June 1, “Sp1d3r” posted on the cybercriminal platform BreachForums that they had stolen the sensitive information of over 190 million people from QuoteWizard. The alleged database included customer details, partial credit card numbers, insurance quotes, and other information. The same threat actor was responsible for the data breach at American automobile aftermarket component supplier Advance Auto Parts, Inc. The attacker “Sp1d3r” claimed to have stolen three terabytes of customer data from the company’s Snowflake cloud storage and was selling the data for US$1.5 million. In its report, the company stated that the cyberattack could create damages up to $3 million. The Jollibee Cyberattack is a stark reminder of the vulnerabilities of the digital world, where even the largest and most established companies could become victims of notorious data hackers. Customers should stay vigilant and follow any further guidance provided by Jollibee and cybersecurity professionals. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The Ticketmaster data breach update is distressing as the threat actors have now released records of 1 million customers for free. The Ticketmaster data leak, earlier confirmed by Live Nation, Ticketmaster's parent company, involves unauthorized access and potential leak of sensitive customer information. According to the threat actor responsible for the breach, the stolen data in this incident includes a vast trove of data belonging to 680 million Ticketmaster customers. Initially demanding $100,000 for the stolen data, the threat actors have since escalated their tactics by publicly releasing records on a popular dark web forum. 

The Fallout of Ticketmaster Data Breach

This move appears to be an attempt to pressure Ticketmaster into meeting their demands, underlining the severity of the breach and its potential repercussions. [caption id="attachment_78485" align="alignnone" width="1415"] Source: Dark Web[/caption] In its post, the threat actor claims that Ticketmaster is not responding to the request to buy data from the hacker collective. In response, the hackers assert that the organization does not care “for the privacy of 680 million customers, so give you the first 1 million users free.” The compromised data includes a wide array of personal details: names, addresses, IP addresses, emails, dates of birth, credit card types, last four digits of credit cards, and expiration dates. This extensive breach of sensitive information raises serious concerns about the privacy and security of Ticketmaster's user base. The Ticketmaster data breach, which reportedly occurred on May 20, involved a database hosted on Snowflake, a third-party cloud storage provider utilized by Ticketmaster. Live Nation has acknowledged unauthorized activity within this cloud environment but has not provided specific details regarding the breach's origins or the complete extent of data exfiltrated.

Live Nation Confirms the Ticketmaster Data Leak Incident

Live Nation confirmed the Ticketmaster data leak in a regulatory filing, stating the incident occurred on May 20. They reported that a cybercriminal had offered what appeared to be company user data for sale on the dark web. The affected personal information is believed to be related to customers. “As of the date of this filing, the incident has not had, and we do not believe it is reasonably likely to have, a material impact on our overall business operations or on our financial condition or results of operations. We continue to evaluate the risks and our remediation efforts are ongoing”, reads the official filing.  Ticketmaster and Live Nation are expected to collaborate closely with cybersecurity experts and regulatory authorities to investigate the incident thoroughly. They will likely focus on enhancing security measures to prevent future breaches and mitigate the impact on affected customers. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The U.S. Army Aviation and Missile Command (AMCOM), based at Redstone Arsenal, Alabama, has been spotlighted following an alleged data breach claimed by a prolific dark web hacker. The AMCOM data breach, announced by the threat actor on June 16, 2024, but occurring in August 2023, involved the unauthorized release of critical documents related to key military aircraft. The US Army Aviation and Missile Command (AMCOM) plays a pivotal role in supporting the U.S. Army by managing the development, acquisition, and sustainment of aviation and missile systems. It ensures the operational readiness of these systems, provides logistical support and maintains the supply chain critical for defense operations.

Decoding the AMCOM Data Breach Claims

The AMCOM data leak, disclosed on BreachForums by a user known as IntelBroker, exposed detailed technical documents and images about the Boeing CH-47F Chinook and Sikorsky H-60 Black Hawk helicopters. IntelBroker, a moderator on the platform, claimed responsibility for the leak, stating, "Today, I'm releasing the U.S. Army Aviation and Missile Command data breach." The Cyber Express reached out to the U.S. Army Aviation and Missile Command to learn more about the authenticity of the AMCOM data breach. However, at the time of writing this, no official statement or response has been received, leaving the claims for the AMCOM data leak unconfirmed right now.  Moreover, the AMCOM website appears operational, suggesting the breach may have targeted specific backend systems rather than impacting public-facing services like DDoS attacks or website defacements.

IntelBroker and the Recent Exploits 

IntelBroker, a notorious threat actor known for orchestrating multiple high-profile data breaches, recently claimed responsibility for infiltrating Apple's security infrastructure. This assertion follows their previous claims of breaching organizations like Advanced Micro Devices (AMD), where sensitive data such as customer databases and source code was compromised. The cybercriminal has a track record of targeting prominent entities such as government agencies like Europol and the U.S. State Department, as well as major corporations including Barclays Bank, Facebook Marketplace, and Home Depot. In the latest incident, IntelBroker purportedly accessed the source code of three internal tools utilized by Apple: AppleConnect-SSO, Apple-HWE-Confluence-Advanced, and AppleMacroPlugin. While Apple has not confirmed the breach, reports from tech news outlets detailed claims made on BreachForums suggesting a June 2024 data breach on Apple.com facilitated by IntelBroker. The threat actor's activities highlight the ongoing challenges in cybersecurity, highlighting vulnerabilities across diverse sectors and institutions globally. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Threat actor IntelBroker, notorious for a series of daring cyberattacks, has resurfaced with claims of orchestrating a data breach of Apple’s website. The TA allegedly has gained access to internal source code of three popular tools of Apple.com. This claim comes just a day after IntelBroker claimed to have orchestrated a data breach of another tech giant, Advanced Micro Devices (AMD).

Decoding Apple Data Breach Claims

Per the available information, IntelBroker allegedly breached Apple’s security in June 2024 and has managed to lay hands on the internal source code of three commonly used Apple tools, namely, AppleConnect-SSO, Apple-HWE-Confluence-Advanced and AppleMacroPlugin. The information was posted by the threat actor on BreachForums, a high-profile platform for trading stolen data and hacking tools. “I'm releasing the internal source code to three of Apple's commonly used tools for their internal site, thanks for reading and enjoy!” the TA posted. AppleConnect is the Apple-Specific Single Sign-On (SSO) and authentication system that allows a user to access certain applications inside Apple's network. Apple-HWE-Confluence-Advanced might be used for team projects or to share some information inside the company, and AppleMacroPlugin is presumably an application that facilitates certain processes in the company. Apple has not yet responded to the alleged data breach by IntelBroker or the leaked code. However, if the data breach occurred as claimed, it may lead to the exposure of important information that could be sensitive to the workings and operations of Apple. If legitimate, this breach could compromise Apple's internal operations and workflow. Leaked source code could expose vulnerabilities and inner workings of these tools. The Cyber Express has reached out to Apple to learn more about the potential data breach. However, at the time of publication, no official statement or response has been received, leaving the claims for the Apple data leak unconfirmed for now. The article will be updated as soon as we receive a response from the tech giant.

Previous Attacks by IntelBroker

The alleged data breach at Apple could prove significant considering the history of the threat actor. IntelBroker is believed to be a mature threat actor and is known to have been responsible for high-profile intrusions in the past. On June 18th, 2024, chipmaker AMD acknowledged that they were investigating a potential data breach by IntelBroker. The attacker claimed to be selling stolen AMD data, including employee information, financial documents, and confidential information. Last month, the threat actor is believed to have breached data of European Union’s law enforcement agency, Europol’s Platform for Experts (EPE). Some of the other organizations that the attacker is believed to have breached data include Panda Buy, Home Depot, and General Electric. The hacker also claimed to have targeted US Citizenship and Immigration Services (USCIS) and Facebook Marketplace.

Apple's Security Posture

Apple prides itself on its robust security measures and user privacy. However, the company has faced security threats in the past. In December 2023, Apple released security updates to address vulnerabilities in various Apple products, including iOS, iPadOS, macOS, tvOS, watchOS, and Safari. One critical vulnerability patched allowed attackers to potentially inject keystrokes by mimicking a keyboard. This incident highlights the importance of keeping software updated to mitigate security risks. In November 2023, there were reports of a state-sponsored attack targeting Apple iOS devices used in India. While details about this attack remain scarce, it serves as a reminder that even Apple devices are susceptible to cyberattacks.

Looking Ahead

The situation with IntelBroker's claims is ongoing. If the leak is verified, Apple will likely need to take steps to mitigate the potential damage. This could involve patching vulnerabilities in the leaked code and improving internal security measures. It is important to note that these are unconfirmed reports at this stage. However, they serve as a stark reminder of the ever-evolving cyber threat landscape. Apple, and all tech companies for that matter, must constantly work to stay ahead of determined attackers like IntelBroker. For users, it is a reminder to be vigilant about potential phishing attempts or malware that could exploit these alleged vulnerabilities. Keeping software updated and practicing good cyber hygiene are crucial steps for protecting yourself online.

AJE Group, a prominent company in the manufacture, distribution, and sale of alcoholic and nonalcoholic beverages, has allegedly fallen victim to a MEDUSA ransomware attack. Founded in 1988 and headquartered in Lima, Peru, AJE Group employs 2,896 people. The unconfirmed ransomware attack on AJE Group has allegedly resulted in a significant data breach, putting allegedly 646.4 GB of data at risk.

Ransomware Attack on AJE Group: Ransom Demand and Countdown

The ransomware group has set an ominous countdown of eight days, 21 hours, 20 minutes, and 30 seconds for the company to comply with their demands. The attackers have placed a hefty price tag of US$1,500,000 to prevent unauthorized distribution of the compromised data. Additionally, for every day that passes without payment, the ransom amount increases by US$100,000. However, these claims remain unconfirmed as AJE Group has yet to release an official statement regarding the incident. [caption id="attachment_77719" align="aligncenter" width="1024"] Source: X[/caption] A preliminary investigation into AJE Group’s official website revealed no apparent disruptions; the site was fully operational, casting doubt on the authenticity of the ransomware group’s claims. Nevertheless, without an official statement from AJE Group, it is premature to conclude whether the ransomware attack on AJE Group has genuinely occurred. If the ransomware attack on AJE Group is confirmed, the implications for the Group could be extensive and severe. Data breaches can lead to significant financial losses, reputational damage, and operational disruptions. The compromised data may include sensitive information that, if leaked, could affect the company's competitive standing and expose its employees and customers to further risks.

MEDUSA Ransomware: A Rising Threat

Earlier, The Cyber Express (TCE) reported that Threat Actors (TAs) associated with the notorious MEDUSA ransomware have escalated their activities, allegedly targeting two institutions in the USA. The first target is Tri-Cities Preparatory High School, a public charter middle and high school located in Prescott, Arizona. The threat actors claim to have access to 1.2 GB of the school’s data and have threatened to publish it within seven to eight days. The second target is Fitzgerald, DePietro & Wojnas CPAs, P.C., an accounting firm based in Utica, New York. The attackers claim to have access to 92.5 GB of the firm’s data and have threatened to release it within eight to nine days.

History and Modus Operandi of MEDUSA

MEDUSA first emerged in June 2021 and has since launched attacks on organizations across various countries and industries, including healthcare, education, manufacturing, and retail. Despite its global reach, most victims have been based in the United States. MEDUSA operates as a Ransomware-as-a-Service (RaaS) platform, offering malicious software and infrastructure to would-be attackers. This model enables less technically skilled criminals to launch sophisticated ransomware attacks. MEDUSA's TAs often utilize a public Telegram channel to post stolen data, leveraging public exposure as an extortion tactic to pressure organizations into paying the ransom.

The Broader Impact of Ransomware Attacks

The reported MEDUSA ransomware attack on AJE Group highlights the growing threat posed by ransomware groups. Ransomware attacks have become increasingly prevalent, targeting critical sectors and causing widespread disruption. The healthcare industry, for instance, has seen hospitals forced to shut down operations, delaying critical medical procedures and compromising patient care. Educational institutions have faced similar disruptions, with students' data at risk and academic schedules thrown into disarray. The manufacturing and retail sectors, too, have not been spared. Companies in these industries have experienced production halts, supply chain disruptions, and significant financial losses due to ransomware attacks. These incidents highlight the importance of enhanced cybersecurity measures and prompt incident response protocols to mitigate the impact of such attacks. Additionally, organizations must prioritize cybersecurity awareness and preparedness to defend against ransomware attacks. Regular employee training, stringent access controls, and up-to-date security software are essential components of a robust cybersecurity strategy. Further, organizations should have a well-defined incident response plan to quickly address and contain any breaches.

Conclusion

While the authenticity of the ransomware attack on AJE Group remains unconfirmed, the potential consequences are significant. TCE will continue to monitor this ongoing situation and provide updates as more information becomes available. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The notorious threat actor known as Intelbroker claims to have orchestrated a massive data breach of Advanced Micro Devices (AMD), a top player in the semiconductor industry. The unconfirmed AMD data breach, disclosed on the notorious BreachForums site, shared details of the intrusion, with multiple data samples shared to the dark web forum users.  Between these speculations, AMD officials released a statement that it is investigating claims of a data breach by a cybercriminal organization. "We are working closely with law enforcement officials and a third-party hosting partner to investigate the claim and the significance of the data," the chipmaker told Reuters.

Decoding the AMD Data Breach Claims by Intelbroker

Intelbroker claims the AMD data leak encompasses a vast array of sensitive information from AMD's databases. This includes detailed data on future AMD products, specification sheets, customer databases, property files, ROMs, source code, firmware, financial records, and comprehensive employee data such as user IDs, full names, job functions, phone numbers, and email addresses. [caption id="attachment_77588" align="alignnone" width="926"] Source: Dark Web[/caption] Samples of the stolen data shared by Intelbroker highlight the potential severity of the AMD data leak. Screenshots and snippets from AMD's internal systems, allegedly obtained by the threat actor, provide a glimpse into the breadth and depth of the compromised information. Such disclosures not only highlight the possible extent of the intrusion but also highlight potential vulnerabilities within AMD's cybersecurity infrastructure. The incident is not the first time AMD has faced a cybersecurity challenge. In 2022, the company was reportedly targeted by the RansomHouse hacking group, which claimed responsibility for extracting data from AMD's networks. The 2022 breach, similar to the current incident, prompted AMD to launch an extensive investigation to assess the breach's impact and fortify its defenses against cyber threats.

Intelbroker's Modus Operandi

Intelbroker, the alleged perpetrator behind the new AMD data breach, has gained notoriety for a series of high-profile cyber intrusions targeting diverse organizations. Operating as a lone actor, Intelbroker has a documented history of penetrating critical infrastructure, major tech corporations, and government contractors. The hacker's actions suggest a sophisticated approach to exploiting vulnerabilities and accessing sensitive information. In previous instances, the hacker has claimed responsibility for breaches at institutions like the Los Angeles International Airport and Acuity, a U.S. federal technology consulting firm.

Data Samples and Technical Details

The data shared by Intelbroker includes technical specifications, product details, and internal communications purportedly from AMD's secure servers. These samples, posted on breach forums, reportedly reveal intricate details about AMD's upcoming products, financial documents, and proprietary software codes. Such disclosures not only could compromise AMD's competitive advantage but also raise concerns about intellectual property theft and corporate espionage. Technical codes and alphanumeric sequences, allegedly extracted from AMD's databases, have been posted alongside screenshots on BreachForums. These snippets, though cryptic to the untrained eye, contain critical information about AMD's internal systems and operational protocols. The exposure of such technical data could pose significant risks to AMD's reputation and operational integrity.

Response and Investigation

The Cyber Express has reached out to AMD to learn more about the potential data breach. However, at the time of publication, no official statement or response has been received, leaving the claims for the AMD data leak unconfirmed for now. Moreover, the official AMD website seems to be operational at the moment and doesn’t show any immediate sign of a cyberattack. The hacker could possibly have targeted the backend of the website or the databases instead of launching a front-end assault like a DDoS or a website defacement. AMD's response strategy will likely involve comprehensive forensic analysis, collaboration with cybersecurity agencies, and the implementation of enhanced security measures to mitigate future risks.

Previous Cyber Incidents Linked to Intelbroker

Intelbroker has demonstrated massive cyber operations beyond the alleged AMD data breach, targeting multinational corporations, government entities, and prominent tech firms globally. Notable breaches attributed to Intelbroker include infiltrations at Los Angeles International Airport (LAX), compromising millions of records encompassing personal and flight details. The hacker also accessed sensitive data from U.S. federal agencies via Acuity, exposing vulnerabilities in government IT systems. Furthermore, Intelbroker claimed responsibility for a cyberattack on Shoprite, Africa's largest retailer, highlighting their widespread impact. These incidents highlight Intelbroker's skill at exploiting security vulnerabilities to extract valuable data, posing significant challenges to affected organizations and cybersecurity professionals. The motivations driving Intelbroker's cyber activities range from financial gain through selling stolen data on dark web platforms to potential geopolitical agendas aimed at disrupting critical infrastructure and corporate operations. The Cyber Express will update readers as we get more information. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Several pro-Russia hacker groups have allegedly carried out a massive Distributed Denial-of-Service (DDoS) attack in Romania on June 18, 2024. The Romania Cyberattack has affected critical websites, including the official site of Romania and portals of the country’s stock exchange and financial institutions. The attack was allegedly conducted by NoName in collaboration with the Russian Cyber Army, HackNet, and CyberDragon and Terminus. The extent of the damage, however, remains unclear.

Details About Romania Cyberattack

According to NoName, the cyberattack was carried out on Romania for its pro-Ukraine stance in the Russia-Ukraine war. In its post on X, NoName claimed, “Together with colleagues shipped another batch of DDoS missiles to Romanian government websites.” The threat actor claimed to have attacked the following websites:

• The Government of Romania: This is not the first time that the country’s official site was hacked. In 2022, Pro-Russia hacker group Killnet claimed to have carried out cyberattacks on websites of the government and Defense Ministry. However, at that time, the Romania Government claimed that there was no compromise of data due to the attack and the websites were soon restored.
• National Bank of Romania: The National Bank of Romania is the central bank of Romania and was established in April 1880. Its headquarters are in the capital city of Bucharest.
• Aedificium Bank for Housing: A banking firm that provides residential lending, home loans, savings, and financing services. It was founded in 2004 and has branches in the European Union (EU), and Europe, Middle East, and Africa (EMEA).
• Bucharest Stock Exchange: The Bucharest Stock Exchange is the stock exchange of Romania located in Bucharest. As of 2023, there were 85 companies listed on the BVB.

Despite the bold claims made by the NoName group, the extent of the Romania cyberattack, details of compromised data, or the motive behind the attack remain undisclosed. A visual examination of the affected organizations’ websites shows that all the listed websites are experiencing accessibility issues. These issues range from “403 Forbidden” errors to prolonged loading times, indicating a probable disruption or compromise. The situation is dynamic and continues to unravel. It is imperative to approach this information cautiously, as unverified claims in the cybersecurity world are not uncommon. The alleged NoName attack highlights the persistent threat of cyberattacks on critical entities, such as government organizations and financial institutions. However, official statements from the targeted organizations have yet to be released, leaving room for skepticism regarding the severity and authenticity of the Romania cyberattack claim. Until official communication is provided by the affected organizations, the true nature and impact of the alleged NoName attack remain uncertain.

Romania Cyberattacks Are Not Uncommon

This isn’t the first instance of NoName targeting organizations in Romania. In March this year, NoName attacked the Ministry of Internal Affairs, The Service of Special Communications, and the Central Government. In February, Over a hundred Romanian healthcare facilities were affected by a ransomware attack by an unknown hacker, with some doctors forced to resort to pen and paper.

How to Mitigate NoName DDoS attacks

Mitigation against NoName’s DDoS attacks require prolonged cloud protection tools and specialized software and filtering tools to detect the flow of traffic before it can hit the servers. In some cases, certain antivirus software can be successful in detecting threats that can be used by organizations to launch DDoS attacks. A robust and essential cyber hygiene practice to avoid threats includes patching vulnerabilities and not opening phishing emails that are specially crafted to look like urgent communications from legitimate government organizations and other spoofed entities. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

TETRA Technologies, Inc., a diversified oil and gas services company operating through divisions including Fluids, Production Testing, Compression, and Offshore, has reportedly fallen victim to the Akira ransomware group. This TETRA Technologies cyberattack has put crucial data at risk, including personal documents like passports, birth certificates, and driver’s licenses, as well as confidential agreements and NDAs. The threat actor responsible for the attack has indicated their intention to release approximately 40GB of sensitive data. Despite these claims, TETRA Technologies has not yet issued an official statement confirming or denying the breach.

Decoding the TETRA Technologies Cyberattack Claim by Akira Ransomware

[caption id="attachment_77529" align="alignnone" width="716"] Source: Dark Web[/caption] The Cyber Express has reached out to the organization to learn more about this TETRA Technologies cyberattack. However, at the time of writing this, no official statement or response has been received, leaving the claims for the TETRA Technologies cyberattack unconfirmed. While the company’s public-facing website appears to be operational, it is speculated that the attack may have targeted internal systems or backend infrastructure rather than causing a visible disruption like a DDoS attack or website defacement. The threat actor behind this attack, Akira ransomware, has emerged as a significant threat in cybersecurity, highlighted by the Cybersecurity and Infrastructure Security Agency (CISA) warning and its widespread impact across various industries worldwide. Known for a dual extortion tactic involving data exfiltration and encryption, Akira ransomware demands ransom payments to prevent data publication on their dark website and to receive decryption keys. The group's name references a 1988 anime film, and they use specific strings like "*.akira" and "akira_readme.txt" for detection. 

TETRA Technologies Releases New Processes for Managing Cybersecurity Risks and Governance

In their recent regulatory filings, specifically the 10-K filed on 2024-02-27, TETRA Technologies detailed their cybersecurity risk management and governance processes. These include ongoing risk assessments, incident response planning, and the implementation of cybersecurity training programs for employees. The company acknowledges the persistent evolution of cyber threats and emphasizes the importance of maintaining robust defenses against potential attacks. The Vice President of Information Technology leads TETRA Technologies’ cybersecurity initiatives, supported by a comprehensive framework to assess, identify, and manage cybersecurity risks across their operations. Regular updates and enhancements to their security protocols are integral to adapting to emerging threats and complying with regulatory standards. The Board of Directors and Audit Committee of TETRA Technologies provide oversight on cybersecurity matters, receiving periodic updates on the company’s cybersecurity risk profile and incident response capabilities. Management highlighted its commitment to safeguarding sensitive information and maintaining operational continuity despite the challenges posed by cyber threats. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The Chinese University of Hong Kong (CUHK) has been confronted by a massive data breach that has compromised personal information of precisely 20,870 students, staff and past graduates. The CUHK data breach was initially identified on June 3, 2024, prompting swift action by the institution. An investigation is currently underway to trace the culprits and to take corrective measures.

Understanding the CUHK Data Breach

The CUHK is one of the premier institutes in China which was established in 1963 and is the first research university in Hong Kong. The cyberattack on CUHK reportedly took place on June 1 at its School of Continuing and Professional Studies (CUSCS). In a statement put out by the school on June 13, CUSCS said that it had undertaken an investigation into the breach on June 3. An information technology security consultant was appointed by the college to assess the breach. The investigation revealed that the school’s “Moodle learning management system” was hacked. Moodle is an open-source learning management system designed. It allows educators, administrators and learners to create personalized learning environments for online projects in schools, colleges and workplaces. Moodle can be used to create custom websites with online courses and allows for community-sourced plugins. [caption id="attachment_77266" align="alignnone" width="1196"] Source: CUSCS Website[/caption] According to the CUSCS, the leaked data included the names, email addresses, and student numbers of 20,870 Moodle accounts of tutors, students, graduates, and visitors. This personal data was reportedly stolen after a server at one of the institution’s schools was hacked. Despite the university management stating that the sensitive data was not leaked on any public platforms, the breached information was found to be readily available on the dark web domain BreachForums. A Threat Actor (TA), who goes by the alias “Valerie”, put up a post on dark web stating that the hacker was willing to sell the data. The TA noted that, “75 per cent of the stolen data was sold to a private party, which financed the breach.  The rest of the data was not shared. So upon multiple offers, we decided to make a public sell.” To claim that the data was credible, the TA provided samples, which included the username, first name, last name, institution, department, mobile number and city of the victims of the data breach.

Investigation Status of CUHK Data Breach

The CUSCS stated that as soon as its investigation revealed a massive data breach, it had deactivated the relevant account and reset the password. It added that, apart from the relevant server, the online learning platform has been moved, and security measures have been strengthened to block any account after three unsuccessful login attempts. “CUHK has also been notified of the incident. The college has also established a crisis management team composed of the dean, deputy dean, information technology services director, administrative director and communications and public relations director to assess the risks,” CUSCS said. The college also had filed a complaint over the data breach to the local police. The university, too, has notified the city’s privacy watchdog-Office of the Privacy Commissioner for Personal Data (PCPD), in accordance with established procedures. The PCPD acknowledged receipt of the complaint on June 13.

CUHK Data Breach: Institutions in Hong Kong Under Scanner

In what is becoming a trend, CUHK has become the third educational institute in Hong Kong this year to fall victim to cyberattacks. In May, the Hong Kong Institute of Contemporary Culture, Lee Shau Kee School of Creativity, fell victim to a ransomware attack where the data of over 600 people was leaked. Similarly, in April, a private medical facility, Union Hospital, suffered a ransomware attack affecting its servers, which allegedly resulted in operational paralysis. The Hong Kong College of Technology too suffered a ransomware attack in February, which led to the data of around 8,100 students being breached.

Hacktivist group 177 Members Team has claimed a cyberattack on Malaysia's leading internet service provider, Unifi TV. The Unifi TV cyberattack was posted on a dark web leak site, highlighting crucial details about the organization with links shared to confirm the intrusion. Unifi TV, a subsidiary of Telekom Malaysia Berhad, offers a range of services including internet access, VoIP, and IPTV. The threat actor claimed this attack on June 12, 2024, and took responsibility for compromising Unifi TV's systems and launching multiple Distributed Denial of Service (DDoS) attacks against the company.

177 Members Team Claims Unifi TV Cyberattack

[caption id="attachment_77209" align="alignnone" width="525"] Source: Dark Web[/caption] The cyberattack on Unifi TV was aimed at disrupting the operation of the organization and highlighted the importance of robust cybersecurity measures in safeguarding critical digital infrastructure. Despite claims by the threat actor that the Unifi TV website was down, the web pages seem to be operational at the moment and don’t show any immediate sign of the cyberattack. The impact of the cyberattack extends beyond Unifi TV, affecting not only the telecommunications industry but also posing a threat to Malaysia's digital ecosystem as a whole. With the country witnessing over 3,000 cyber attacks daily, according to Defence Minister Datuk Seri Mohamed Khaled Nordin, the cyberattacks on Malaysia highlights the growing nature of ransomware groups and hacktivist collectives targeting the nation. 

Previous Cybersecurity Incidents

While Unifi TV has yet to release an official statement regarding the cyberattack, concerns about data breaches have been previously raised. In July 2023, Telekom Malaysia issued a data breach alert to Unifi users, stating that personal information, including names, identification numbers, and contact details, may have been compromised. The company assured users that measures had been taken to contain the breach and protect customer data. In light of these incidents, cybersecurity experts emphasize the need for proactive measures to mitigate future threats. Collaborative efforts between government agencies, law enforcement, and private sector entities are crucial in addressing online threats that target Asian nations. As for the current Unifi TV cyberattack claims, this is an ongoing story and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on the alleged attack or any official confirmation from the organization.  Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Dordt University, a distinguished private Christian liberal arts college renowned for its reformed Christian perspective on education, has encountered a cybersecurity incident carried out by the BianLian ransomware group. The Dordt University data breach has listed a substantial amount of sensitive information online, leaving both the institution and its stakeholders in a state of vulnerability. The ramifications of this Dordt University data leak are profound, with a staggering revenue of $36.2 million and a data cache of approximately 3 terabytes compromised. Among the trove of exposed data are intricate financial records, personnel files, vital databases, internal and external email correspondences, incident logs, as well as comprehensive student profiles encompassing both local and international enrollees. 

Unverified Claims of Dordt University Data Breach

[caption id="attachment_77186" align="alignnone" width="1240"] Source: Dark Web[/caption] According to the threat actors, even minors' data has reportedly fallen prey to this Dordt University breach, alongside personally identifiable information (PII) and protected health records (PHI). Despite the gravity of the situation, official responses from Dordt University have yet to materialize, leaving the authenticity of the claims surrounding the Dordt University data leak in a precarious limbo.  Notably, the BianLian ransomware group seems to have targeted the database infrastructure rather than executing a frontal assault on the university's website, suggesting a meticulously orchestrated campaign targeting the institution's digital backbone.

The Rise of BianLian Ransomware Group

The BianLian ransomware group has carried out similar cyberattacks in the past and this Dordt University data leak has prompted a collaborative effort from cybersecurity agencies, including the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Australian Cyber Security Centre (ACSC), to disseminate crucial intelligence on the modus operandi of the BianLian ransomware and data extortion group. Originating in June 2022, BianLian has brazenly targeted critical infrastructure sectors in both the United States and Australia, leveraging tactics such as exploiting valid Remote Desktop Protocol (RDP) credentials and employing open-source tools for reconnaissance and credential harvesting. The evolution of BianLian's extortion tactics, transitioning from double-extortion encryption schemes to data exfiltration-based coercion since January 2023, highlights the escalating sophistication of cyber threats faced by modern organizations. In response, FBI, CISA, and ACSC have issued a joint cybersecurity advisory, urging critical infrastructure entities and small- to medium-sized organizations to fortify their defenses against ransomware groups by implementing robust mitigation strategies outlined in the advisory. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A threat actor on a dark web forum has listed data from Truist Bank for sale following a cyberattack on the banking institution. Meanwhile, Kulicke and Soffa Industries, Inc. (K&S) is also dealing with a data breach. Reports indicate that Truist Bank client data, including sensitive information such as employee details and bank transactions, has been put up for sale on the dark web. The alleged Truist Bank data leak is attributed to a threat actor known as Sp1d3r. The data, reportedly obtained via the Snowflake breach, raises questions about the security measures in place at Truist Bank.

Truist Bank Data Breach Allegedly Goes on Sale on Dark Web

According to the threat actor’s post, the Truist Bank data breach is now selling for $1 million. The compromised data includes details of 65,000 employees, bank transactions containing names, account numbers, balances, and the source code for IVR funds transfers. [caption id="attachment_77051" align="alignnone" width="595"] Source: Dark Web[/caption] The post by the threat actor provides specific information about the data for sale and contact details for purchase. Additionally, the post includes various usernames, threads, reputation points, and contact information such as XMPP handles and email addresses associated with the threat actor. Meanwhile, Kulicke and Soffa Industries, a renowned semiconductor and electronics manufacturing company, disclosed a breach compromising millions of files. Initially detected on May 12, 2024, the breach exposed critical data, including source codes, engineering information, and personally identifiable information.

Two Cybersecurity Incidents at Once

In response to the Kulicke and Soffa data breach, K&S swiftly initiated containment measures in collaboration with cybersecurity experts and law enforcement agencies. The company's cybersecurity team worked diligently to isolate affected servers and prevent further intrusion. Despite the breach, K&S remains committed to safeguarding its systems and data integrity. In a filing with the U.S. Securities and Exchange Commission (SEC), K&S detailed its efforts to mitigate the impact of the breach. The company assured stakeholders that, as of the filing date, the incident had not materially disrupted its operations. However, investigations are ongoing to ascertain the full extent of the breach and increase the cybersecurity measures in place. The Truist Bank data breach and the Kulicke and Soffa cyber incident highlight the persistent threat of cyberattacks faced by organizations worldwide. While both entities are actively addressing the breaches, the incidents highlight a broader case of cybersecurity measures and their impact in safeguarding sensitive information and maintaining trust in the digital age. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The city of Dubai, known for its affluence and wealthy residents, has allegedly been hit by a ransomware attack claimed by the cybercriminal group Daixin Team. The group announced the city of Dubai ransomware attack on its dark web leak site on Wednesday, claiming to have stolen between 60-80GB of data from the Government of Dubai’s network systems. According to the Daixin Team's post, the stolen data includes ID cards, passports, and other personally identifiable information (PII). Although the group noted that the 33,712 files have not been fully analyzed or dumped on the leak site, the potential exposure of such sensitive information is concerning. Dubai, a city with over three million residents and the highest concentration of millionaires globally, presents a rich target for cybercriminals. [caption id="attachment_77008" align="aligncenter" width="504"] Source: Dark Web[/caption]

Potential Impact City of Dubai Ransomware Attack

The stolen data reportedly contains extensive personal information, such as full names, dates of birth, nationalities, marital statuses, job descriptions, supervisor names, housing statuses, phone numbers, addresses, vehicle information, primary contacts, and language preferences. Additionally, the databases appear to include business records, hotel records, land ownership details, HR records, and corporate contacts. [caption id="attachment_77010" align="aligncenter" width="1024"] Source: Dark Web[/caption] Given that over 75% of Dubai's residents are expatriates, the stolen data provides a treasure of information that could be used for targeted spear phishing attacks, vishing attacks, identity theft, and other malicious activities. The city's status as a playground for the wealthy, including 212 centi-millionaires and 15 billionaires, further heightens the risk of targeted attacks.

Daixin Team: A Persistent Threat

The Daixin Team, a Russian-speaking ransomware and data extortion group, has been active since at least June 2022. Known primarily for its cyberattacks on the healthcare sector, Daixin has recently expanded its operations to other industries, employing sophisticated hacking techniques. A 2022 report by the US Cybersecurity and Infrastructure Security Agency (CISA) highlights Daixin Team's focus on the healthcare sector in the United States. However, the group has also targeted other sectors, including the hospitality industry. Recently, Daixin claimed responsibility for a cyberattack on Omni Hotels & Resorts, exfiltrating sensitive data, including records of all visitors dating back to 2017. In another notable case, Bluewater Health, a prominent hospital network in Ontario, Canada, fell victim to a cyberattack attributed to Daixin Team. The attack affected several hospitals, including Windsor Regional Hospital, Erie Shores Healthcare, Chatham-Kent Health, and Hôtel-Dieu Grace Healthcare. The Government of Dubai has yet to release an official statement regarding the ransomware attack. However, on accessing the official website of the Dubai government, no foul play was sensed as the websites were fully functional. This leaves the alleged ransomware attack unverified. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A notorious Chinese hacking group has reportedly gone on a cyber offensive against South Korea and targeted most of the country’s Government and financial sites. The CyberDragon hacking group has a mixture of Chinese and Russian ties and has been critically targeting countries that have been condemning Russia for the ongoing war in Ukraine. South Korea President Yoon Suk Yeol had recently confirmed his country's participation in a Ukraine peace summit in Switzerland this weekend to rally support for the country ending its war with Russia. Last year, Seoul had increased its Ukraine Aid package to $394 Million For 2024.

Government, Financial Sites Attacked by CyberDragon Hacking Group

Irked by its support being garnered against Russia, CyberDragon launched an extensive cyberattack on key South Korean sites and criticized the country for its alleged promotion of Russophobia. In its post on darkweb, CyberDragon said, “We are joining the “South Korean Company”. This is a country that has long been promoting Russophobia by supporting the Kyiv regime.” The list of websites reportedly targetted by CyberDragon include: Shinhan Financial Group: It was founded in September 2001 and is one of South Korea's big five financial groups. Its subsidiaries provide a full range of financial services, including banking, securities, life insurance, and investment banking. State Korean Import-Export Bank KEXIM:  The Export-Import Bank of Korea, also commonly known as the Korea Eximbank (KEXIM), is the official export credit agency of South Korea. The bank was first established in 1976. Its primary purpose is to support South Korea's export-led economy by providing loans, financing mega projects and thereby facilitating economic cooperation with other countries. [caption id="attachment_77014" align="alignnone" width="1600"] Home Page of Korea Eximbank[/caption] Korea Customs Service: The Korea Customs Service was established in 1970 and is one of tax organizations in South Korea and is run under the Ministry of Economy and Finance. The headquarters is in Seo District, Daejeon. Korean National Police: The Korean National Police Agency (KNPA), also known as the Korean National Police (KNP), is one of the national police organizations in South Korea. It is run under the Ministry of the Interior and Safety and is headquartered in Seodaemun, Seoul. National Tax Service: It is the tax organization in South Korea and is run under the Ministry of Economy and Finance. Its headquarters is in Sejong City. Like many of the previous attacks carried out by the Cyberdragon hacking group, it is unclear if sensitive data of the organisations listed above was compromised. Prima Facie, it looks like the group carried out a DDoS attack meant to disrupt the platform’s services. None of the organizations have publicly responded to the alleged breach. Most of the organizations too seem to have restored the functioning of its websites, hours after the group claimed to have carried out a cyberattack.

Previous Operations by CyberDragon Hacking Group

The CyberDragon group gained popularity after it took down the website and app for almost 24 hours after a massive data breach in March 2024. CyberDragon had then posted evidence of the attack on its TOR platform but LinkedIn didn’t comment on the attack. The peculiar hacking actor has both Chinese and Russian ties. It carries out cyberattacks with many pro-Russian hackers and most of its statements are posted in Russian. Both China and Russia are global allies and the targets of CyberDragon indicate their ideological and political affiliations. This scenario is, however, not new in the cybercrime world. Organizations around the world must deal with the fallout of cyberattacks by groups like CyberDragon. Their attacks indicate why it is crucial to remain vigilant and implement stringent security measures against cyberattacks.

The St. Petersburg International Economic Forum (SPIEF 2024) was reportedly targeted by a siege from a prolonged cyberattack. The SPIEF 2024 cyberattack, orchestrated by the IT Army of Ukraine, unfolded over a four-day period, commencing on June 5 and culminating on June 8, 2024. This brazen act of digital aggression targeted not only the SPIEF but also its cybersecurity guardian, Solar SC, a state-owned enterprise specializing in safeguarding information assets. The modus operandi of the cyberattack on SPIEF 2024 primarily involved a barrage of Distributed Denial of Service (DDoS) assaults, with the intensity reaching a staggering 200,000 malicious requests per second. 

IT Army of Ukraine Claims SPIEF 2024 Cyberattack

[caption id="attachment_76981" align="alignnone" width="1000"] Source: Dark Web[/caption] The claim of responsibility was boldly asserted by the IT Army of Ukraine through their Telegram channel. Their message, accompanied by a tone of defiance, boasted of rattling the nerves of their adversaries, even if the anticipated "big bang" did not materialize. Meanwhile, amidst the chaos, there emerged reports of Samara students joining the ranks of cyber vigilantes, highlighting the growing complexity of cybersecurity challenges faced by nations worldwide. The impact of this SPIEF 2024 cyberattack beyond the St. Petersburg International Economic Forum itself, affecting Solar SC and its crucial role in fortifying the forum's digital infrastructure. The ramifications reverberated not only across the Russian Federation but also rippled through Europe and the UK, highlighting the interconnected nature of contemporary cyber warfare.

More Cyberattacks to Counter

In response to inquiries regarding the authenticity of these claims, Solar SC's General Director, Igor Lyapunov, reassured the public that despite the relentless onslaught, the forum's infrastructure remained resilient. The collaborative efforts of cybersecurity experts successfully repelled all attacks, safeguarding the integrity and functionality of SPIEF's digital ecosystem. However, concerns linger as to the broader implications of such cyber incursions, particularly in an era where economic forums serve as pivotal platforms for global cooperation and exchange. The sophistication and audacity demonstrated by threat actors underscore the pressing need for better cybersecurity measures and international collaboration to mitigate future risks. The Cyber Express reached out to SPIEF organizers for further insights into the incident and the authenticity of the IT Army of Ukraine's claims. As of the time of reporting, no official statement has been issued, leaving the allegations surrounding the SPIEF 2024 cyberattack unconfirmed. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A dark web hacker that goes by the name “Tombstone” has claimed and advertised multiple vulnerabilities affecting a subdomain affiliated with Google LLC. The hacker claimed these flaws on the Russian-language cybercrime forum Exploit and stressed the susceptibility of the domain to XSS-DOM and prototype pollution vulnerabilities. Screenshots shared by threat actor Tombstone showcased 'edu.google.com' as one of the allegedly impacted domains, raising concerns about potential exploits. Tombstone's post on Exploit lacked a specified price for the vulnerabilities, urging interested parties to initiate private communications for further details. The disclosed vulnerabilities pose significant risks to Google and its associated services, warranting immediate attention to mitigate potential cyber threats. "These vulnerabilities are in the software, not the source code Note that I only sell bugs with POC and full proof not exploits With a great price for long-term cooperation in other projects Exchange of Apple, FB, Meta, Microsoft banks", reads the threat actor post.

Dark Web Hacker Claims Prototype Pollution and XSS-DOM Vulnerability

[caption id="attachment_76830" align="alignnone" width="1108"] Source: Dark Web[/caption] The vulnerabilities advertised by Tombstone have direct implications for Google LLC, a prominent entity within the IT & ITES industry. Notably, domains such as google.com and edu.google.com have been identified as being at risk, primarily affecting users currently using the Google services.  The vulnerabilities disclosed by Tombstone encompass XSS-DOM and prototype pollution, both of which can serve as entry points for malicious cyber activities. XSS-DOM vulnerabilities, in particular, enable threat actors to inject client-side scripts into web pages viewed by other users, potentially leading to session hijacking, phishing attacks, malware distribution, and data theft. Prototype pollution vulnerabilities, however, involve manipulating a JavaScript object's prototype to achieve unintended behavior, often resulting in unauthorized data manipulation or code execution. The combination of these vulnerabilities within Google's subdomain highlights the critical need for robust cybersecurity measures to safeguard against potential cyberattacks.

Previous Incidents and Security Research

Prior to Tombstone's disclosure, security researcher Henry N. Caga had identified the XSS vulnerability within a Google subdomain, further emphasizing the susceptibility of Google's infrastructure to such exploits. Caga's research revealed the presence of a vulnerability within the URL associated with 'https://aihub.cloud.google.com,' prompting an in-depth investigation. Despite initial challenges in replicating the XSS pop-up, Caga's persistence ultimately led to the discovery of a double-encoded payload that triggered the vulnerability. Subsequent testing unveiled the widespread nature of the vulnerability across all URLs within the aihub.cloud.google.com domain, accentuating the severity of the issue. Following responsible disclosure protocols, Caga promptly reported the findings to Google's security team, accompanied by comprehensive documentation and proof of concept scripts. Google's swift response included an upgrade in the issue's priority and severity levels, acknowledging Caga's contributions with a reward of $4,133.70, along with a $1,000 bonus for the thoroughness of the report and proof of concept scripts. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The notorious hacker group SN Blackmeta has allegedly claimed responsibility for a cyberattack on Snapchat's infrastructure. The Snapchat cyberattack has reportedly led to disruptions in service in specific regions and the disabling of login and account creation features within the app.  In a post attributed to SN Blackmeta, the threat actor outlined their motives for the cyberattack on Snapchat, citing reasons such as their opposition to the content promoted by the social media platform, which they claim includes pornography and undermines moral values.  Additionally, the group accuses the application of supporting Israel while opposing efforts in support of Palestine. These grievances, according to SN Blackmeta, prompted them to target Snapchat as a means to "test their strength."

Decoding the Snapchat Cyberattack by SN Blackmeta 

[caption id="attachment_76796" align="alignnone" width="379"] Source: X[/caption] The claimed Snapchat cyberattack has allegedly resulted in service disruptions in certain countries and the temporary incapacitation of key features within the Snapchat application. Despite SN Blackmeta's claims, Snapchat has not yet released an official statement about the incident, leaving the details of the cyberattack unconfirmed. The Cyber Express has reached out to the company, and we are currently awaiting their response.  [caption id="attachment_76798" align="alignnone" width="372"] Source: X[/caption] Interestingly, this isn't the first time SN Blackmeta has made headlines for their cyber activities. In the past few days alone, the group has launched attacks on various targets, including the Social Security Administration (SSA) website and Microsoft's OneDrive. These attacks aim to disrupt services and hinder user access, demonstrating the group's proficiency in executing cyber warfare. The recent surge in cyberattacks by SN Blackmeta comes amidst a backdrop of escalating tensions in the digital world. Other hacktivist groups have also been active, targeting prominent organizations and government entities with coordinated attacks.

Previous Cybersecurity Challenges

The current Snapchat cyberattack is not the first time that the Snap INC-owned platform has faced cybersecurity challenges. The most recent controversy with Snapchat was reported by Vice in May 2019 wherein researchers discovered that Snapchat employees were misusing their access privileges to spy on users. This breach of trust raised concerns about user privacy and data security within the platform. Between January 2014 and February 2018, Snapchat faced a series of cybersecurity challenges. In July 2017, a phishing attack compromised over 55,000 accounts by luring users to a fake login page. The attackers then published stolen credentials, granting unauthorized access.  In February 2016, a phishing scam targeted Snapchat employees, resulting in the disclosure of payroll information. The October 2014 incident involved a third-party app hack, leaking 200,000 explicit images. Though Snapchat denied system compromise, blame was placed on the app providers.  In January 2014, a security vulnerability led to the exposure of 4.6 million user details, despite Snapchat's claim of addressing the issue promptly. As for the current Snapchat cyberattack claim, this is an ongoing story and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on the alleged cyberattack on the social media platform or any official confirmation from Snap INC.  Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The NoName ransomware group has claimed responsibility for yet another cyberattack targeting government websites in Germany. The proclamation of the attack comes just 11 days after the group is said to have targeted German entities such as Energie Baden-Württemberg AG, Leistritz AG, and Aareal Bank AG. In this latest attack, the group allegedly targeted the Federal Office for Logistics and Mobility and the Federal Ministry of the Interior and Community. NoName allegedly carried out a DDos (Distributed Denial-of-Service) attack, preventing other users from accessing the websites. In the message posted on a dark web forum on Tuesday, NoName claimed that the attack on German websites was to condemn the visit of Ukrainian President Volodymyr Zelenskiy to the country to participate in a conference on Ukraine’s post-war recovery. “Ukrainian President Volodymyr Zelenskyy arrived in Germany late in the evening on Monday, June 10, to take part in an international conference on Ukraine's reconstruction. In his message in Telegram, Zelenskyy said that during his visit he had meetings with German Federal President Frank-Walter Steinmeier, Chancellor Olaf Scholz and Bundestag chairwoman Berbel Bas,” NoName said. “We decided to visit the conference too, and crush some websites,” it added. Despite the hack, NoName has not provided elaborate evidence or context of the cyberattack nor has it provided any details of how the German websites would be affected. While many experts had previously warned people not to underestimate thread actors who take out DDoS attacks, their effectiveness remains a big question, as most of the targets suffer only a few hours of downtime before returning to normal operations. As of the writing of this report, there has been no response from officials of the alleged target websites, leaving the claims unverified.

Previous Instances of NoName Ransomware Attacks

Since first emerging on dark web in March 2022, the pro-Russian hacker group NoName has been increasingly active, shortly after Russia’s invasion of Ukraine. The group has taken responsibility for a series of cyberattacks targeting government agencies, media outlets, and private companies across Ukraine, the United States, and Europe. Before making the claim of targeting German websites, NoName had a history of targeting prominent organizations in other countries. In April 2024, the group allegedly launched a cyberattack on Moldova, affecting key government websites such as the Presidency, Ministry of Foreign Affairs, Ministry of Internal Affairs, and the State Registry. These websites were rendered inaccessible, displaying the message, “This Site Can’t be Reached.” The attack hinted at a politically motivated agenda, though NoName did not explicitly disclose their motives. In March 2024, NoName targeted multiple websites in Denmark, including significant entities like Movia, Din Offentlige Transport, the Ministry of Transport, Copenhagen Airports, and Danish Shipping. Similarly, in January 2024, the group attacked high-profile websites in the Netherlands, including OV-chipkaart, the Municipality of Vlaardingen, the Dutch Tax Office (Belastingdienst), and GVB. More recently, NoName’s cyber onslaught on Finland raised further alarms. Finnish government organizations, including Traficom, the National Cyber Security Centre Finland (NCSC-FI), The Railways, and the Agency for Regulation and Development of Transport and Communications Infrastructure, faced temporary inaccessibility due to DDoS attacks. The ongoing cyberattacks by NoName across several countries serve as a reminder of the perils of the digital landscape. The operations of NoName ransomware, combined with their alleged political motives, highlight the urgent need for enhanced cybersecurity measures and international cooperation. The cybersecurity community must remain vigilant and proactive in protecting digital infrastructure from such malicious actors. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The Underground Team ransomware group has allegedly claimed a cyberattack on Central Securities Corporation, asserting access to a staggering 42.8 GB of sensitive data compromised, spanning decades of company history and containing a trove of confidential information. The scope of the Central Securities Corporation cyberattack is staggering, reportedly encompassing a range of data from historical reports to personal correspondence and even passports of employees and their relatives. Such a comprehensive breach not only threatens the integrity of Central Securities Corporation but also poses a significant risk to the privacy and security of its employees and stakeholders.

Underground Team Ransomware Claims Central Securities Corporation Cyberattack

[caption id="attachment_76481" align="alignnone" width="1319"] Source: Dark Web[/caption] The aftermath of the Central Securities Corporation cyberattack is evident as the company's website remains inaccessible, leaving concerned parties in the dark about the extent of the damage and the company's response. Efforts to reach out to Central Securities Corporation have been impeded by the website's downtime, exacerbating the sense of urgency surrounding the situation. The cybercriminals behind the Central Securities Corporation cyberattack have brazenly demanded nearly $3 million in ransom, further compounding the company's woes. This incident highlights the ransomware strain like the Underground Team leverages novel approaches to extort money and exploit sensitive data.

Researchers Highlight Underground Team Ransomware Group

Security experts from Cyble have previously warned of the growing prevalence of targeted attacks, where hackers tailor their strategies to infiltrate specific targets with devastating consequences. The emergence of new ransomware variants highlights the constant battle organizations face in safeguarding their digital assets against evolving threats. One such variant, the Underground Team ransomware, has caught the attention of researchers for its unique ransom note and sophisticated techniques. Offering more than just decryption services, the ransom note promises insights into network vulnerabilities and data recovery assistance, signaling a new level of sophistication in ransomware operations. Technical analysis of the ransomware reveals intricate mechanisms employed to identify and encrypt system files, demonstrating the attackers' proficiency in exploiting vulnerabilities. By selectively targeting files and directories while bypassing certain extensions and folders, the ransomware achieves its malicious objectives with alarming efficiency. As for the cyberattack on Central Securities Corporation, this is an ongoing story and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on the alleged Central Securities Corporation cyberattack or any official confirmation from the organization.  Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

INC Ransom group has targeted the building technology solutions provider, ControlNET LLC. The ControlNET cyberattack on June 10, 2024, allegedly targeted the supply chain factor of the organization and also asserted intrusion on Rockford Public Schools. ControlNET, renowned for its expertise in HVAC, lighting, video surveillance, access control, and power solutions, is now facing an alleged attack by a hacker group. In its post, the group not only infiltrated ControlNET's systems but also exposed sensitive information, including invoice details, building floor plans, email communications, and sample folders of ControlNET and their clientele.

Understanding the ControlNET Cyberattack

The ramifications of this breach extend beyond ControlNET with operations disrupted and data compromised for the organization. However, the claims for this cyberattack on ControlNET have not been verified. The hacker group’s post on the dark web shed light on their motives, citing ControlNET's alleged negligence in safeguarding customer data.  [caption id="attachment_76431" align="alignnone" width="1357"] Source: Dark Web[/caption] “This company has taken very poor care of the data entrusted to them by its customers. In the course of a successful attack, we stole a huge amount of data. We also attacked the clients of this company ROCKFORD SCHOOL. Which we have access to thanks to CONTROL NET”, reads the threat actor post.  The leaked information highlights the urgent need for enhanced cybersecurity measures, particularly in industries like construction and education, where sensitive data is at stake.

Who is the INC Ransom Hacker Group?

The Cyber Express has reached out to the organization to learn more about this ControlNET cyberattack and the authenticity of the claims made by the threat actor. However, at the time of writing this, no official statement or response has been received, leaving the claims for the cyberattack on ControlNET unverified.  Moreover, the company's website appears to be operational, suggesting that the attack may have targeted the backend infrastructure rather than the front-end interface. The threat actor in this attack, INC Ransom, is a ransomware group that emerged in August 2023, employing double and triple extortion tactics on victims, leaking data on their blog. Victims, mainly from Western countries, face threats and coercion during negotiations, with evidence packs published to pressure payment. The group's leaked blog includes light and dark UI options, a feedback box, and a Twitter link. While similar to LockBit 3.0's blog, INC Ransom does not charge for leaked data. Victims, spanning private sector businesses, a government organization, and a charity association, hail mostly from the United States and Europe, emphasizing the widespread impact of this cyber threat. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A dark web actor named "komarod” is claiming credit for a June 8 Shadow PC data breach, allegedly stealing data from the UK-based cloud service provider. The Shadow PC cybersecurity incident has raised concerns about the security of Shadow's systems and the safety of user data. The leaked database shared on an English-language cybercrime forum called Leakbase contains a staggering 545,014 records. These records encompass a range of data fields such as ID, email, first name, last name, user creation date, and billing address, all encapsulated in a JSON format.

Understanding the Shadow PC Data Breach Claims

[caption id="attachment_76271" align="alignnone" width="988"] Source: Dark Web[/caption] Shadow.tech, a cloud computing service developed by the French company Blade, has been at the forefront of innovative cloud technology, offering users the capability to run video games and other Windows software applications remotely on Windows 10 servers. This service, acquired by OVHcloud founder Octave Klaba in 2021, has garnered significant attention in the IT & ITES industry. The impact of the Shadow PC data breach extends to both Shadow.tech and its parent company, Blade. With the leak affecting users primarily in the United Kingdom and across Europe, concerns about the safety of personally identifiable information (PII) have heightened. While the cyberattack has yet to be officially confirmed by Shadow.tech or Blade, the threat actor's post on the cybercrime forum indicates a breach in the system's security defenses. The lack of an official statement or response from the organization has left the claims regarding the Shadow data breach unverified.

Previous Shadow.tech Cybersecurity Incidents

Interestingly, despite the Shadow PC data leak, the website remains operational, showing no immediate signs of a cyberattack. This suggests that the hacker group may have targeted the backend of the website, focusing on data extraction rather than launching a front-end assault such as a DDoS attack or website defacement. However, this is not the first time Shadow.tech has faced cybersecurity challenges. In a previous incident in 2023, the company experienced a similar breach where customer data was compromised due to a social engineering attack against one of its employees. Over half a million customers were potentially impacted by the breach, raising concerns about the security measures in place at Shadow. CEO Eric Sele, while acknowledging that breach, refrained from disclosing the exact number of individuals affected. Despite claims from the threat actor regarding the sale of stolen data on a cybercrime forum, the company remained tight-lipped about the specifics of the breach and its implications for customers. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

VIT Bhopal University, a leading academic institution in India, has allegedly been hit by a significant data breach, raising concerns among 8,000+ students and faculty alike. The alleged VIT Bhopal Data Breach was first reported on June 10, 2024, on the notorious data hacking website BreachForums.The Threat Actor (TA) has claimed to have leaked valuable data, raising concerns about the security of sensitive student and faculty information.

VIT Bhopal Data Breach Decoded

VIT Bhopal was established in 2017 and is a deemed university located on the outskirts of Bhopal, the capital city of the state of Madhya Pradesh. The institution is authorized by the University Grants Commission (UGC), which is a statutory organization of the Government of India for the maintenance of standards of teaching, examination, and research in university education. VIT Bhopal ranks among the top universities in India. As per the National Institutional Ranking Framework (NIRF) Ranking, it stands in 65th position amongst all the universities in India. It offers specialized programs across various disciplines, including engineering, technology, management, and architecture. Streams like mechanical engineering, computer science and engineering, artificial intelligence and robotics are particularly popular among students pursuing higher education here. [caption id="attachment_76218" align="alignnone" width="792"] Source: FalconFeedsio on X[/caption] According to a post on BreachForums, the threat actor has shared screenshots of the hack and claims to possess the following information:. ID: Unique Identification number assigned to each student and faculty member of the university Username: Login credentials of all the stakeholders used to access university portals, maintain and share records, post newsletters, and research materials confined to the institution. Full name: First and last name of the students and faculty of VIT Bhopal. Email: This contains email addresses of stakeholders, which is the official mode of communication for announcements, course materials and student-faculty interactions. Password: If this data is compromised, it poses significant risk as it could grant unauthorized access to personal accounts and university resources. User Activation Key: This could be a unique code required for initial account activation or password resets.

VIT Bhopal Data Breach Leaves Students Anxious

The news of the alleged data breach has understandably caused anxiety among the current batch of students. They are worried over the threat of stolen passwords, emails, and information, including research material, being used for malicious purposes. The students are worried of being vulnerable to targeted phishing attacks, where hackers use stolen email addresses to send data that appears to be from legitimate sources, such as the university administration. These emails might trick students into revealing their personal data or clicking on malicious links that could infect their devices with malware. The university has yet to react to the alleged data breach. There is no clarity yet on the extent of the breach, the extent of the information compromised, or the steps taken by the university to address the situation. The article will be updated once there is any public information shared by the university. While the university investigates the situation, students and staff can take a few healthy steps to protect themselves. This includes being wary of phishing attempts by hackers, monitoring suspicious links, and keeping an eye out for any unusual activity on their accounts, such as unauthorized login attempts or changes to their profile information. They can also enhance their security measures by enabling Two-Factor Authentication (2FA) and change their passwords regularly. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A threat actor known as spr1ngtr4p has purportedly advertised a Remote Code Execution (RCE) vulnerability affecting a subdomain of Italy's Ministry of Defence website. This RCE vulnerability was posted on June 7, 2024, on a Russian-language cybercrime forum called XSS and sheds light on the malicious intent of the threat actor.  RCE vulnerabilities, such as the one claimed by spr1ngtr4p, pose significant risks as they allow malicious actors to execute code remotely on targeted systems. The implications of such an exploit can be severe, ranging from the deployment of malware to the complete compromise of affected machines.

The RCE Vulnerability and Possible Cyberattack on the Italian Ministry of Defence

[caption id="attachment_76184" align="alignnone" width="1240"] Source: Dark Web[/caption] The affected organization, as claimed by the threat actor, is the Ministry of Defence of Italy, Ministero Difesa, highlighting the gravity of the situation. The website in question, difesa.it, falls under the purview of this governmental body, making it a matter of national security concern. With Italy being the impacted country, the ramifications extend to the wider European and UK regions, emphasizing the potential for geopolitical implications. The post by the threat actor, shared on the cybercrime forum, offers insights into the nature of the RCE vulnerability. However, it lacks substantial evidence to validate the claims made. The absence of proof raises doubts about the credibility of the assertions and necessitates a thorough investigation into the matter.

No Confirmation of Intrusion

Efforts to ascertain the authenticity of the alleged cyberattack on the Italian Ministry have been initiated, with inquiries directed towards the Ministry of Defence of Italy. As of the time of this report, official confirmation or denial from the ministry is pending, leaving the status of the Italian Ministry of Defence cyberattack unresolved. Despite the alarming nature of the disclosure, there are indications that the Ministry of Defence website remains operational and unaffected by any apparent cyber intrusion. This suggests that either the threat actor has refrained from exploiting the vulnerability or that the website's security measures have effectively thwarted any attempted attacks. Nevertheless, the potential threat posed by the RCE vulnerability cannot be understated, warranting proactive measures to mitigate risks and fortify cyber defenses. Organizations, especially those in the government and law enforcement sectors, must remain vigilant and employ robust security protocols to safeguard against emerging cyber threats. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A threat actor known as Desec0x has claimed to possess a database allegedly stolen from the State Grid Corporation of China (SGCC), offering it for sale on the nuovo BreachForums. In the post, Desec0x claimed a cyberattack on SGCC and stated to have gained access through a third-party network, allowing them to exfiltrate sensitive data. The threat actor claimed that multiple databases containing user account information, user details, department information, and roles were accessed. The employee information allegedly includes headers such as eID, username, phone number, email, employee number, username, and password. The database is allegedly available in SQL and XLSX formats for US$1,000.

Potential Implications of Cyberattack on SGCC

Established on December 29, 2002, SGCC is the largest utility company in the world and consistently ranks second on the Fortune Global 500 list. SGCC operates as a group with RMB 536.3 billion in registered capital and employs 1.72 million people. It provides power to over 1.1 billion people across 26 provinces, autonomous regions, and municipalities, covering 88% of China's national territory. Additionally, SGCC owns and operates overseas assets in countries such as the Philippines, Brazil, Portugal, Australia, and Italy. If the claims of the cyberattack on SGCC made by Desec0x are proven to be true, the implications could be far-reaching. The sensitive nature of the data allegedly stolen, including personal and departmental information of SGCC employees, could have serious consequences for the company and its stakeholders. However, upon accessing the official SGCC website, no signs of foul play were detected, and the website appeared to be functioning normally.

Global Context of Cyberattacks in the Energy Sector

The energy sector has been increasingly targeted by cyberattacks, often involving third-party data breaches. According to Security Intelligence, 90% of the world’s top energy companies suffered from third-party data breaches in 2023. Additionally, nearly 60% of cyberattacks in the energy sector are attributed to state-affiliated actors. In late 2023, 22 energy firms were targeted in a large-scale coordinated attack on Danish infrastructure. In April 2024, a group called Cyber Army Russia claimed responsibility for a cyberattack on Consol Energy, a prominent American energy company headquartered in Cecil Township, Pennsylvania. This cyberattack reportedly disrupted the company's website accessibility, causing issues for users outside the United States. In March 2024, a dark web actor was reportedly selling access to an Indonesian energy company, believed to be the same threat actor who targeted an American manufacturer. In 2023, a suspected cyberattack on Petro-Canada was officially confirmed. Suncor Energy, the holding company of Petro-Canada, acknowledged that an IT outage over the weekend was indeed a cyberattack. The company stated that it took immediate action upon discovering the attack, collaborating with third-party experts to investigate and address the situation. This incident caused significant disruptions to Petro-Canada's operations, affecting gas stations and preventing customers from accessing the Petro-Canada app and website. In the case of the State Grid Corporation of China, the claims made by Desec0x remain unverified until an official statement is released by SGCC. Without confirmation from the company, the alleged cyberattack on SGCC and data breach cannot be substantiated. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Absolute Telecom Pte Ltd, a prominent telecommunications company based in Singapore, has fallen victim to an alleged cyberattack.  The Absolute Telecom data breach, allegedly on May 15, 2024, has been attributed to a hacker known as "GHOSTR," who claims to have infiltrated and compromised the company's server networks.  This Absolute Telecom data leak has resulted in the exposure of sensitive data totaling over 34GB, including internal information such as login credentials, passwords, and subscriber details.

Decoding the Absolute Telecom Data Breach Claims

[caption id="attachment_76122" align="alignnone" width="1280"] Source: Dark Web[/caption] The compromised data in this Absolute Telecom data breach encompasses a range of crucial information, including corporate records, accounting data, sales statistics, customer particulars, full credit card details, and call records. GHOSTR, in a post on a hacker forum, boasted about the successful breach and the acquisition of the extensive database belonging to Absolute Telecom Pte Ltd. Attempts to reach out to Absolute Telecom for clarification on the extent and impact of the breach have been impeded by the unavailability of their website, which is currently offline and unresponsive. This outage has hindered communication with the organization, leaving many questions unanswered regarding the security implications and measures being taken to address the breach. After the alleged cyberattack on Absolute Telecom's website, users attempting to access the site may encounter a 'took too long to respond' error message. This service disruption indicates the impact of the breach on the company's digital infrastructure, highlighting the severity of the situation and the challenges faced in restoring normalcy to their online operations.

Who is the GHOSTR Hacker Group?

GhostR, a financially driven threat actor, gained notoriety for pilfering a confidential database of 5.3 million records from World-Check. They also leaked approximately 186GB of data from a stock trading platform. GhostR's activities on Breachforums include exposing extensive data breaches affecting Thai users, and revealing personal information like full names, phone numbers, email addresses, and ID card numbers. As of now, there are no associated families linked with this actor. The cyberattack on Absolute Telecom underscores the persistent threat posed by malicious actors seeking to exploit vulnerabilities in digital infrastructure. As organizations continue to rely heavily on technology to conduct their operations, safeguarding against cyber threats remains paramount to protect sensitive data and maintain the trust of customers and stakeholders alike. This is an ongoing story and The Cyber Express will be closely monitoring the situation. We'll update this post once we have more information on the alleged Absolute Telecom data breach or any official confirmation from the organization. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A major French telecommunications company, Corse GSM, has allegedly been hit by a massive data breach. It could have a potential impact on millions of its customers. The Corse GSM data breach claims was made by a threat actor, using the alias "ssh_xyz," on popular data hack site BreachForums. In the post, the threat actor claimed to have stolen a massive amount of data containing information on 200,000 users of the telecom company. The hacker claimed that the data was exfiltrated between May 3 and May 25, 2024. To support these claims, the TA included a sample of the data in JSON format, a common method for storing and transmitting data between servers and web applications.

Exploring the Corse GSM Data Breach

The threat actor provided a detailed sample dataset that provided a look into the kind of information that may have been compromised in the breach. The leaked data consists of: User Identification: This covers fields like ID and possibly other unique markers used by Corse GSM for tracking purposes. Personal Details: The breach reportedly involves customer information such as name, last name and phone number. Contact Info: It is said that hackers have also accessed customer email addresses. This raises concerns about targeted phishing attempts. Subscription Information: This may encompass subscription plans, internet packages, and other services subscribed to by customers of Corse GSM. Financial Information: The TA had shared details about the presence of fields like BIC (Business Identifier Code), IBAN (International Bank Account Number), and KYC (Know Your Customer) data. If the above information is true, then it could possibly leverage the risk of financial fraud or identity theft. Blacklist Status: If this data field is included in the leak, it might expose details of a customer who could be blacklisted by Corse GSM for reasons like missed payments or service violations.

Corse GSM Hacker Claims Possession of Financial Details of Customers

If the sample above seems like a precarious scenario for the privacy of customers, the hacker further alleged that the entire leaked database contains a much broader range of information, including: National Identity Card (CNI) Details: CNI or France’s National Identity Card details allegedly leaked by the threat actor could put citizens at huge security risk. The CNI contains fingerprint details, which is a major security breach if the corresponding data is compromised. SEPA Information: Single Euro Payments Area or SEPA data could include bank account details critical for financial transactions. The threat actor is seeking substantial sums for the database on the dark web, suggesting that the hacker believes the information holds significant value for malicious actors.

Corse GSM Yet to React to Data Breach Claims

Corse GSM has not reacted or issued any official statement regarding the alleged data breach. This article will be updated once the company responds to the allegations and takes action to prevent crucial data from being misused. Meanwhile, customers can take preventive steps like changing passwords and login credentials of accounts linked to Corse GSM. They should also be wary and not fall victim to phishing attempts. Fraudsters could use the leaked email addresses to send fraudulent links. They should also monitor their bank accounts linked to the subscription of Corse GSM mobile plans. They should also relay information of any suspicious activity to law enforcement authorities. The potential data breach at Corse GSM highlights the ever-present threat of cyberattacks and the importance of robust data security practices. Telecommunications companies handle a vast amount of sensitive customer information, making them prime targets for hackers. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A threat actor has come forward, asserting responsibility for a significant breach in the security infrastructure of HopSkipDrive, a well-known rideshare service connecting families with reliable drivers. This HopSkipDrive data breach, allegedly occurring in June 2023, has led to the unauthorized access of sensitive data belonging to the company's drivers. According to the claims made by the hackers, HopSkipDrive's network and cloud infrastructure fell victim to this breach, resulting in the exposure of detailed personal information stored within its database. This compromised data reportedly includes a trove of 60,000 folders, each containing comprehensive details about individual users, ranging from driving licenses and insurance documents to vehicle inspection records and more.

Decoding the HopSkipDrive Data Breach Claims

The threat actor has purportedly made public a staggering 500GB of sensitive information, encompassing various personal identifiers such as first and last names, email addresses, Social Security Numbers (SSNs), home addresses, zip codes, and even countries of residence.  Additionally, the leaked data from this data leak HopSkipDriveallegedly includes source code snippets, including private admin panel information, alongside driving licenses, insurance particulars, vehicle inspection records, selfie photographs, and even criminal records. In a dark web post, the threat actor claimed responsibility, stating, "We disclose all HopSkipDrive data publicly. Indeed, in June 2023, we compromised the company's network and cloud infrastructure of HopSkipDrive." The HopSkipDrive data leak post further details the nature of the compromised data, providing evidence of the breach's magnitude and the extent of information exposed.

HopSkipDrive Data Leak Investigation

Efforts to verify these claims have been met with silence from HopSkipDrive, as the organization has yet to issue an official statement or response regarding the alleged data breach. Despite this lack of confirmation, the severity of the situation cannot be overstated, with the potential implications for affected drivers and their privacy remaining a cause for concern. Interestingly, despite the reported breach, the HopSkipDrive website appears to be operational, showing no immediate signs of an attack. This suggests that the threat actor may have gained access to the data without launching a visible front-end assault, such as a Distributed Denial of Service (DDoS) attack or website defacement. As the investigation into the HopSkipDrive data breach continues, the priority lies in addressing the security vulnerabilities that allowed such unauthorized access to occur. Additionally, affected individuals must remain vigilant and take necessary precautions to safeguard their personal information against potential misuse or exploitation in the aftermath of this breach. This is an ongoing story and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on the alleged HopSkipDrive data leak or any official confirmation from the organization. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A threat actor (TA) has posted databases belonging to two prominent companies utilizing blockchain technology, The DFINITY Foundation and Cryptonary, on the Russian-language forum Exploit. The databases, if genuine, contain sensitive information of hundreds of thousands of users, allegedly exposing them to significant security risks. The threat actor's post on Exploit detailed the alleged data breaches at DFINITY and Cryptonary.

Details of Alleged Data Breaches at DFINITY and Cryptonary

For The DFINITY Foundation, the threat actor claimed to have over 246,000 user records with information fields including:

• Email Address
• First Name
• Last Name
• Birthday
• Member Rating
• Opt-in Time and IP
• Confirm Time and IP
• Latitude and Longitude
• Timezone, GMT offset, DST offset
• Country Code, Region
• Last Changed Date
• Leid, EUID
• Notes

For Cryptonary, the post advertised 103,000 user records containing:

• Email
• First Name
• Last Name
• Organization
• Title
• Phone Number
• Address
• City, State/Region, Country, Zip Code
• Historic Number of Orders
• Average Order Value
• User Topics

The prices quoted for these datasets were $9,500 for DFINITY's data and $3,500 for Cryptonary's data. The DFINITY Foundation is a Swiss-based not-for-profit organization known for its innovative approach to blockchain technology. It operates a web-speed, internet-scale public platform that enables smart contracts to serve interactive web content directly into browsers. This platform supports the development of decentralized applications (dapps), decentralized finance (DeFi) projects, open internet services, and enterprise systems capable of operating at hyper-scale. On the other hand, Cryptonary is a leading platform in the crypto tools and research space. It provides essential insights and analysis to help users navigate the complexities of the cryptocurrency market and capitalize on emerging opportunities. When The Cyber Express Team accessed the official website of The DFINITY Foundation, they found a message warning visitors about phishing scams on third-party job boards. The message read: “Recently, we've seen a marked increase in phishing scams on third-party job boards — where an individual impersonating a DFINITY team member persuades job-seekers to send confidential information and/or payment. As good practice, please continue to be vigilant regarding fraudulent messages or fake accounts impersonating DFINITY employees. If you need to confirm the legitimacy of a position, please reach out to recruiting@dfinity.org.” [caption id="attachment_75612" align="aligncenter" width="1024"] Source: Offical Website of The DFINITY Foundation[/caption] While this message serves as a caution regarding phishing scams, it is unclear whether it hints at a broader security issue or is merely a general warning. The DFINITY website and the Cryptonary website both appeared fully functional with no evident signs of compromise. The Cyber Express Team reached out to the officials of both companies for verification of the breach claims. However, as of the time of writing, no official response had been received, leaving the authenticity of the threat actor's claims unverified. Now whether this message is a hint that they are being attacked by a criminal or it's just a caution message, we can come to the conclusion they release any official statement regarding the same.

Implication of Cyberattack on Blockchain Technology

However, if the claims of the data breaches are proven true, the implications could be far-reaching for both The DFINITY Foundation and Cryptonary. The exposure of sensitive user data could lead to: Identity Theft and Fraud: Users whose personal information has been compromised could become victims of identity theft and fraud, leading to financial and personal repercussions. Reputational Damage: Both companies could suffer significant reputational harm. Trust is a critical component in the blockchain and cryptocurrency sectors, and a data breach could erode user confidence in their platforms. Legal and Regulatory Consequences: Depending on the jurisdictions affected, both companies might face legal actions and regulatory fines for failing to protect user data adequately. Operational Disruptions: Addressing the breach and enhancing security measures could divert resources and attention from other business operations, impacting overall performance and growth. While the claims remain unverified, the potential consequences highlight the importance of vigilance and proactive security strategies. The Cyber Express Team will continue to monitor the situation and provide updates as more information becomes available. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

First Priority Restoration (FPR), a prominent company in the disaster restoration industry, has reportedly been targeted by a ransomware attack claimed by the Cactus Ransomware group. Headquartered in Odessa, Florida, First Priority Restoration has been a leader in disaster restoration for decades. The company provides comprehensive restoration services following natural and man-made disasters, ensuring swift recovery and mitigation of damage for affected properties. While the ransomware group has not disclosed the specific details of the compromised data, the alleged cyberattack on First Priority Restoration could have significant implications for the company and its clients if proven true. [caption id="attachment_75588" align="aligncenter" width="1024"] Source: X[/caption]

What Will be The Implication of the FPR Cyberattack

Ransomware attacks typically involve the encryption of critical data, rendering it inaccessible to the affected organization. The cybercriminals then demand a ransom, usually in a cryptocurrency, in exchange for the decryption key. Failure to pay the ransom often leads to the publication or destruction of the stolen data. In this case, the ransomware attack on FPR could lead to substantial operational disruptions, financial losses, reputational damage, and potential legal and regulatory repercussions. Critical data may become inaccessible, hindering the company's ability to provide timely disaster restoration services. Additionally, the exposure of sensitive client information could result in identity theft and fraud. However, upon accessing the official website, no signs of foul play were detected, and the website was fully functional. To verify the claim further, The Cyber Express Team (TCE) reached out to FPR officials. However, as of this writing, no response or statement has been received, leaving the Cactus Ransomware claim about the FPR cyberattack unverified.

Cactus Ransomware Previous Cyberattacks Claims

The Cactus Ransomware group is a notorious cybercriminal organization known for its complex and targeted ransomware campaigns. Previously, the group claimed responsibility for the cyberattack on Petersen Health Care, which compromised the company’s digital infrastructure and exposed sensitive information. Petersen Health Care subsequently filed for bankruptcy, burdened by a staggering $295 million in debt. Another example is the Schneider Electric data breach, where the Cactus group claimed to have stolen 1.5 TB of personal documents, confidential agreements, and non-disclosure agreements. Ransomware attacks have become increasingly predominant, with cybercriminals continuously evolving their tactics to exploit vulnerabilities in organizations. In the first quarter of 2024 alone, 1,075 ransomware victims were posted on leak sites, despite the disruption of major ransomware groups like LockBit and ALPHV/BlackCat, which accounted for 22% and 8% of the activity, respectively. As cybercriminals continue to refine their tactics, organizations must remain vigilant and proactive in safeguarding their data and operations. For First Priority Restoration, TCE is closely monitoring the situation and will provide updates as soon as a response is received regarding the alleged FPR cyberattack. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A massive data breach has allegedly been reported in the Indian state of Tamil Nadu, where apparently data of over 600,000 migrant employees has been leaked on dark web. A thread actor, who identified himself as Pills, claimed to have allegedly leaked the data. In a post on June 4, 2024, on the popular hacking site BreachForums, the threat actor claimed to be selling the complete database of migrant workers in Tamil Nadu.

Why Migrant Workers Flock to Tamil Nadu for Employment?

Tamil Nadu is one of the most industrialized states in India and is the country’s major hub for automobile manufacturing, textiles, agritech, and electronics parts and equipment. Owing to huge demand for workers in these sectors, which offer better salaries and continuous employment, laborers from other states tend to migrate to Tamil Nadu. Though the exact number of migrant workers currently working in the State is unknown, the number of workers registered on the Labor Department’s portal as of March 2023 is 600,000.

Portal to Track Migrant Workers in Tamil Nadu Allegedly Hacked

To keep track of the influx of migrant workers into the state and to ensure that they are provided with proper facilities, the Tamil Nadu Government launched a portal, http://labour.tn.gov.in/ism, in June 2023. Local entrepreneurs who employed these workers in shops, commercial establishments, hotels, restaurants, agriculture, schools, colleges, local bodies, and motor establishments were asked to create a login ID, submit details like a registration certificate, license number issued by the Labor Department, and fill in details about the migrant workers, such as their name, mobile number, date of birth, bank account details, address, and educational qualifications. [caption id="attachment_75460" align="alignnone" width="1920"] Source: Tamil Nadu Labor Department Website[/caption] Additionally, migrant workers in the construction sector were asked to furnish their employment certificate, age proof (to ensure no minors below the age of 18 were employed),  bank passbook, and documents for legal heir or nominee as a legal heir were to be submitted so that the kin of workers would be eligible for a claim of INR (Indian Rupees) 500,000 in case of death to the worker. Additionally, the workers were eligible for insurance coverage of up to INR 200,000.

Decoding Tamil Nadu Migrant Workers Data Breach

Thread Actor Pills on BreachForums has allegedly carried out a data breach on the above portal, which, at the time of writing this article, continues to remain inactive. According to the information posted by the threat actor, Pills is selling the full database of laborers, that includes a list of registered users and applications. The price quoted by the TA for selling the database is, however, not clear. A closer inspection on the sample data shared by the threat actor revealed that there are 2,356,430 rows of applications, 101,446 rows of contractors and 66,917 rows of registered users. The Tamil Nadu government officials are yet to react to this alleged data breach. The article would be updated based on further input. This is not the first time that a key website of the Tamil Nadu Government has been breached. In May 2024, miscreants hacked the Facial Recognition Software (FRS) portal of Tamil Nadu police.  The portal contained more than 60 lakh records of individuals, including pictures, names, FIR numbers, and details of police officers. It was being used by more than 46,000 people in the department across the state to identify and track suspects, missing people, and others through facial recognition. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

On June 6, 2024, a cyberattack on UAE Ministry of Education's website was claimed by a dark web actor. The threat actor, called DarkStormTeam, is a hacktivist group that supports Palestine and is infamous for carrying out similar attacks. As per the threat actor's post, the UAE Ministry of Education website allegedly targeted in a Distributed Denial of Service (DDoS) attack. The UAE Ministry of Education cyberattack, which lasted for approximately three hours on their official website, allegedly caused disruptions in online services. The DarkStormTeam published a message outlining their plan to target important government services and Emirati infrastructure. This is because UAE's allegedly support Israel, in the ongoing cyberware. The cyberattack on the Ministry of Education's website is believed to be part of their bigger campaign against groups affiliated with countries that support Israel. The Cyber Express has reached out to the UAE Ministry of Education in an attempt to obtain more information about the cyberattack. However, at the time of writing this news report, no official response was received, leaving the claims unverified.

Understanding UAE Ministry of Education Cyberattack

The UAE Ministry of Education is a crucial federal government organization that oversees all matters pertaining to education within the country. The Ministry is crucial to the growth and management of the UAE's educational system. It was established in accordance with Sheikh Zayed's Federal Law No. of 1972. This is not an isolated incident; DarkStormTeam has been aggressively launching cyberattacks against a various governmental and commercial sector institutions worldwide. In March 2024, the group turned its attention to organizations, focusing on the US, Brazil, Denmark, Egypt, France, Israel, and the United Arab Emirates, among other countries. Although their precise intentions are still unknown, they might be anything from anti-Israel bigotry to political grievances.

The Rise of DarkStormTeam Hacker Group

It's worth noting that DarkStormTeam's activities often include promoting hacking services for hire, suggesting potential financial motivations alongside their ideological objectives. This blend of ideological and potentially profit-driven motives adds complexity to their operations and highlights the challenges in addressing cyber threats posed by hacktivist groups. This is an ongoing story and The Cyber Express will be closely monitoring the situation. TCE will update this post once it receive more information on the alleged UAE Ministry of Education cyberattack or any official confirmation from the ministry. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The Akira ransomware group allegedly targeted E-T-A Elektrotechnische Apparate GmbH, an organization located in Germany. The ransomware group claims to have stolen 24 gigabytes of sensitive material, including customer information, non-disclosure agreements (NDAs), financial records, and employee personal information. To substantiate these claims, the threat actor has attached a screenshot with all this information. E-T-A Elektrotechnische Apparate GmbH operates six production facilities and has a presence in 60 countries worldwide. The company’s product range includes a variety of electrical protection solutions essential to numerous industries. The company is renowned for manufacturing circuit breakers, electronic circuit protectors, and various other electronic components. Despite the ransomware group's claims, the company's official website appeared to be fully functional, and there were no signs of foul play. Further to verify Akira's cyberattack on E-T-A claims, The Cyber Express Team reached out to E-T-A Elektrotechnische Apparate GmbH for an official statement. As of the time of writing, no response has been received from the company. This leaves the ransomware claims unverified, with no confirmation or denial from E-T-A's officials.

Akira Ransomware: Previous Track Record

The Akira ransomware gang has arisen as a danger to small and medium-sized organizations (SMBs), mostly in Europe, North America, and Australia. The group uses advanced tactics to infiltrate systems, frequently acquiring illegal access to a company's virtual private networks (VPNs). Sophos X-Ops research shows that Akira often uses compromised login credentials or exploits weaknesses in VPN technologies such as Cisco ASA SSL VPN or Cisco AnyConnect. Recently, in May 2024, Akira targeted Western Dovetail, a well-known woodworking shop. In April 2024, Akira was identified as the gang responsible for a series of cyberattacks against businesses and key infrastructure in North America, Europe, and Australia. According to the US Federal Bureau of Investigation (FBI), Akira has hacked over 250 firms since March 2023, collecting roughly $42 million in ransom payments. Initially, Akira's attacks targeted Windows systems. However, the gang has since broadened its tactics to include Linux computers, causing anxiety among international cybersecurity agencies. These cyberattacks show Akira's strategy of targeting a wide range of industries and businesses of all sizes, frequently resulting in major operational interruptions and financial losses. As it stands, the Akira ransomware group's claims against E-T-A Cyberattack are unsubstantiated. The lack of an official response from the company creates a vacuum in the confirmation of these claims. While the company's website is still operational, signaling no immediate disruption, a data breach might have serious consequences, compromising client confidentiality, financial integrity, and employee privacy. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Advance Auto Parts, Inc., a significant provider of automobile aftermarket components, has allegedly suffered a massive data breach. A threat actor going by the handle "Sp1d3r" claimed Advance Auto Parts data breach. The threat actor further claims to have stolen three terabytes of data from the company's Snowflake cloud storage. The stolen information is allegedly being sold for US$1.5 million. According to the threat actor, Sp1d3r, post the stolen data includes:

• 380 million customer profiles, containing names, emails, mobile numbers, phone numbers, addresses, and more.
• 44 million Loyalty/Gas card numbers, along with customer details.
• Information on 358,000 employees, though the company currently employs around 68,000 people. This discrepancy suggests the data might include records of former employees.
• Auto parts and part numbers.
• 140 million customer orders.
• Sales history
• Employment candidate information, including Social Security numbers, driver's license numbers, and demographic details.
• Transaction tender details.
• Over 200 tables of various data.

The threat actor has specified that a middleman is required to facilitate the sale of the stolen data, and no dealings will be conducted via Telegram. Furthermore, what’s worth noting is that in its post, the threat actor claimed to sell the stolen information of 358,000 employees, despite the fact that the organization now employs approximately 68,000 people. The disparity could be due to old data from former employees and associates. [caption id="attachment_75319" align="aligncenter" width="815"] Source: X[/caption] [caption id="attachment_75320" align="aligncenter" width="346"] Source: X[/caption] To find answers to these doubts and verify the threat actor's claims, The Cyber Express Team reached out to the officials to verify the breach, however, as of writing this news report no response has been received. Therefore, the confirmation or denial of these claims has yet to be verified. Advance Auto Parts operates 4,777 stores and 320 Worldpac branches primarily within the United States, with additional locations in Canada, Puerto Rico, and the U.S. Virgin Islands. The company also serves 1,152 independently owned Carquest branded stores across these locations, as well as in Mexico and various Caribbean islands.

Advance Auto Parts Data Breach: Linked to Snowflake Cyberattacks

The Advance Auto Parts data breach is part of a recent series of attacks targeting customers of Snowflake, a cloud storage company. These attacks have been ongoing since at least mid-April 2024. Snowflake acknowledged the issue in a statement, informing a limited number of customers who they believe may have been impacted by the attacks. However, Snowflake did not provide specific details about the nature of the cyberattacks or confirm if data had been stolen from customer accounts. This incident follows another significant breach involving Live Nation, the parent company of Ticketmaster. Hackers claimed to have stolen personal details of 560 million customers, and the stolen data was hosted on Snowflake's cloud storage. Live Nation disclosed this breach in a filing to the U.S. Securities and Exchange Commission (SEC), revealing that a criminal actor had offered the company's user data for sale on the dark web. In response to the breach, Snowflake and third-party cybersecurity experts, CrowdStrike and Mandiant, issued a joint statement regarding their ongoing investigation into the targeted threat campaign against some Snowflake customer accounts. They are working diligently to understand the extent of the breach and mitigate its impact. Screenshots shared by the threat actor indicate that the leaked data contains numerous references to 'SNOWFLAKE,' supporting the claim that it was stolen during the recent Snowflake data theft attacks. The full extent of the data breach and its implications for Advance Auto Parts and other companies using Snowflake remains to be seen. With Snowflake's large client base and the significant volume of data they manage, the repercussions could be widespread. Only time will tell how many more companies will disclose their data breaches linked to the recent Snowflake attacks. In the meantime, affected customers and employees are advised to monitor their personal information closely and take necessary precautions to protect their data. Companies utilizing Snowflake's services should stay vigilant and follow cybersecurity best practices to safeguard their data against potential threats. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A hack on Malaysia's Railway Assets Corporation (RAC) has been reported by a dark web actor. The key entity under Malaysia's Ministry of Transport was the target of the RAC data hack. The threat actor "billy100" carried out this breach and posted its allegations on the BreachForums platform.  The RAC data breach, which was made public on a dark web forum, refers to personnel records that have been allegedly leaked and connected to the Railway Assets Corporation (RAC). There are 481 lines of documents in the compromised database, according to billy100. As evidence, the threat actor provided samples from the CSV files "users_id" and "detail," which included hashed passwords, email addresses, and usernames.

RAC Data Breach Allegedly Exposes Sensitive Information

[caption id="attachment_75309" align="alignnone" width="1445"] Source: Dark Web[/caption] Established under the Railways Act of 1991, the Railway Assets Corporation (RAC) is a federal statutory entity tasked with supporting Malaysia's railway infrastructure. Since its founding in 1992, RAC has played a significant role in bringing the nation's railway industry up to par with other leading nations. Since the corporation is in charge of managing and growing railway assets, it is very important. Sensitive employee data is purportedly hidden in the RAC data breach exposed database. Information about several aspects of personnel records is one of the disclosed details. The two main files that make up the stolen data are users_id.csv, which contains vital user information like IDs, names, emails, passwords, and more, and detail.csv, which offers additional in-depth employee information such as personal identifiers, department information, salary, and dates of birth.

Investigation and Cyberattacks on the Railway Sector

Inquiries on the RAC data loss and potential ransomware gang involvement have been made to the organization by The Cyber Express. However, as of the time of this writing, no formal response or statement had been made, so the allegations regarding the RAC data leak remain unsubstantiated.  Railroads, being essential infrastructure in the digital age, are increasingly vulnerable to cyber threats that endanger both their daily operations and public safety. Attacks on international railway networks in recent times have brought attention to the need for stronger cybersecurity protections. Vulnerabilities brought on by outdated systems, unsecured networking, and IoT devices raise the risks.  Rail operators need to prioritize asset visibility, implement strong authentication, encrypt communication networks, and keep a stockpile of up-to-date patches and upgrades to strengthen security. Ensuring that staff members receive comprehensive cybersecurity training is also essential. If transportation is to continue being reliable and secure in the future, cybersecurity must be fully integrated into railway operations. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.