Reading view
Russian Hackers Target Ukraine with XWorm RAT Malware Payload
Technical Overview of XWorm RAT Campaign
The campaign begins with a malicious LNK shortcut file, disguised as a legitimate Excel document, which executes a PowerShell script upon execution. The script downloads two files, "pkg.zip" and "NewCopy.xlsx", from a specified URL. The LNK shortcut file then executes "pythonw.exe" using the start command, which duplicates files and stores them in a new folder. The "pythonw.exe" loads a malicious DLL, "python310.dll", through DLL sideloading, injecting shellcode into the MSBuild process. [caption id="attachment_78917" align="alignnone" width="1529"]![Russia Ukraine XWorm Malware](https://thecyberexpress.com/wp-content/uploads/Russia-Ukraine-XWorm-Malware.webp)
![XWorm Malware Excel](https://thecyberexpress.com/wp-content/uploads/XWorm-Malware-Excel.webp)
Protecting Against XWorm RAT
The XWorm RAT malware employed in the campaign is designed to be easily accessible even to to threat actors lacking sophistication and technical expertise. The versatile malware offers several functionalities, including data theft, DDoS attacks, cryptocurrency address manipulation, ransomware deployment, and downloading additional malware onto compromised systems. Cyble researchers have recommended several measures to defend against this campaign:- Implement strong email filtering to block malicious attachments.
- Exercise caution with email attachments, especially from unknown senders.
- Limit execution of scripting languages where possible.
- Use application whitelisting to control which programs can run.
- Deploy robust antivirus and anti-malware solutions.
- Enforce strong, unique passwords and two-factor authentication.
- Monitor networks for unusual activity or data exfiltration attempts.
EU Issues New Sanctions Against Russia-Linked Threat Actors
Russian Military Intelligence and FSB Operative Sanctions
The sanctions will take effect following publication in the Official Journal of the European Union. The council document justified the new sanctions as measures in response to the ongoing war between Russia and Ukraine and its resulting cyber activities:The use of cyber operations that have enabled and accompanied Russia’s unprovoked and unjustified war of aggression against Ukraine affects global stability and security, represents an important risk of escalation, and adds to the already significant increase of malicious cyber activities outside the context of armed conflict over recent years. The growing cybersecurity risks and an overall complex cyber threat landscape, with a clear risk of rapid spill-over of cyber incidents from one Member State to others, and from third countries to the Union, further call for restrictive measures under Decision (CFSP) 2019/797.Among those sanctioned are Ruslan Aleksandrovich Peretyatko and Andrey Stanislavovich Korinets, both identified as members of the "Callisto group" linked to Russian military intelligence. The group, also known as "Seaborgium" or "Star Blizzard," is accused of conducting multi-year phishing campaigns to steal credentials and data, targeting individuals and critical state functions in defense and foreign relations. Two Ukrainian nationals, Oleksandr Sklianko and Mykola Chernykh, were sanctioned for their involvement in the "Armageddon" hacker group, allegedly supported by Russia's Federal Security Service (FSB). The group was found carrying out cyberattacks against the Ukrainian government and EU member states using phishing emails and malware campaigns.
Wizard Spider Threat Group Members Sanctioned
The EU also targeted two key players in the Russia-based threat group Wizard Spider: Mikhail Mikhailovich Tsarev and Maksim Sergeevich Galochkin. Both are implicated in deploying the "Conti" and "Trickbot" malware programs, which have caused substantial economic damage in the EU through ransomware campaigns targeting essential services such as healthcare, banking and defense. The EU Council has emphasized the need to protect these vital sectors from cyber threats, which can have devastating consequences for individuals, businesses, and societies as a whole. The Council said the sanctions imposed on these six individuals are a clear message that the EU will not tolerate malicious cyber activities that threaten its security, economy, and democracy. The Council document stated:"As part of the sustained, tailored and coordinated Union action against persistent cyber threat actors, six natural persons should be included in the list of natural and legal persons, entities and bodies subject to restrictive measures set out in the Annex to Decision (CFSP) 2019/797. Those persons are responsible for, or were involved in, cyberattacks with a significant effect, which constitute an external threat to the Union or its Member States."The sanctions demonstrate that the EU will continue to work closely with its Member States, international partners, and other stakeholders to address the growing cybersecurity threat landscape escalated by geopolitical tensions. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
Apple Fixes ‘Bug’ in Vision Pro That Allowed Hackers To Fill Room with Bugs And Spiders
Spatial Hack in Apple Vision Pro Devices
Apple designed the Vision Pro with strict privacy controls. This includes limiting device apps to a default 'Shared Space' and mandating explicit user consent for more engaging and immersive content. Websites must also obtain explicit user permission to generate 3D content within a user's physical environment. [caption id="attachment_78754" align="alignnone" width="720"]![Apple Vision Pro](https://thecyberexpress.com/wp-content/uploads/Apple-Vision-Pro-.webp)
![Apple Vision Pro Spiders](https://thecyberexpress.com/wp-content/uploads/Apple-Vision-Pro-Spiders.webp)
![Apple Vision Pro Bats](https://thecyberexpress.com/wp-content/uploads/Apple-Vision-Pro-Bats.webp)
Bug Reporting and Gaps in Vulnerability Assessment
After trying to disclose the flaw to Apple, the researcher felt the tech giant had downplayed its relation to spatial computing and the generation of 3D objects, instead focusing on the potential for system crashes and reboots. The CVE description claimed that the issue had been addressed by improving the file handling protocol, which the researcher believed was unrelated to the bug. This highlights the challenges of triaging and classifying bugs in emerging fields such as Spatial Computing. The researcher believes the bug's impact goes beyond simple system crashes or reboots, raising questions about the security and privacy of the technology and the need for reevaluating existing threat models. "Perhaps it's time for Apple to re-evaluate their Vision Pro threat model," Pickren suggested. "This is a deeply personal product and classic vulnerability triaging guidelines may not capture the full impact anymore." Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.Indonesia National Data Center Hack Disrupts Government Services, Affecting Over 200 Agencies
Authorities Have Detected Samples of LockBit 3.0 Ransomware
Samuel Abrijani Pangerapan, director general of informatics applications at the Communications and Informatics Ministry, confirmed that essential services like immigration checks at airports had been disrupted. Long lines were formed at affected airports after automated passport machines were rendered useless. While some of these services have been restored, including the government's immigration services, ongoing efforts are aimed at restoring other critical operations, such as investment licensing. Samuel stated, “We have tried our best to carry out recovery while the (National Cyber and Crypto Agency) is currently carrying out forensics.” The National Cyber and Crypto Agency has detected samples of LockBit 3.0 ransomware, a variant known for encrypting victims' data and demanding payment for its release. PT Telkom Indonesia, an Indonesian multinational telecommunications company, is working with domestic and international authorities and leading the efforts to efforts to break the encryption and restore access to the compromised data. Herlan Wijanarko, the company's director of network & IT solutions, confirmed that the attackers had offered a decryption key in exchange for an $8 million ransom.Experts Concerned About Indonesia Government Infrastructure Security
Cybersecurity experts warn that the severity of the attack highlights significant vulnerabilities in the government's digital infrastructure and incident response capabilities. Cybersecurity expert Teguh Aprianto described the latest attack as "severe" and notes that it highlights the need for improved infrastructure, manpower, and vendor management to prevent such attacks in the future. Teguh stated, "It shows that the government infrastructure, manpower handling this and the vendors are all problematic." In recent years, Indonesia has faced a series of high-profile cyber attacks, including a ransomware attack on its central bank and a data breach at its largest Islamic lender. The consequences of these attacks can be severe, with victims often forced to pay large sums to regain access to their data. Last year, the LockBit ransomware gang claimed responsibility for an attack on the Bank Syariah Indonesia. Sensitive information of over 15 million individuals had been stolen in the attack, affecting both customers and employees. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.ANY.RUN Malware Sandbox Provider’s Employee Email Compromised
ANY.RUN Employee Email Compromise
[caption id="attachment_78600" align="alignnone" width="531"]![ANY.RUN Phishing](https://thecyberexpress.com/wp-content/uploads/ANY.RUN-Phishing.webp)
ANY.RUN Response and Next Steps
Upon discovery of the incident, ANY.RUN took steps to minimize possible compromise and share details about the incident. An ongoing investigation is being done to determine the full impact of the breach and gather additional details. While the comprehensive report, the company has assured its customers that they are taking the matter seriously. In the coming days and weeks, ANY.RUN would work to: 1. Continue their investigation and analysis of the incident 2. Provide regular updates on their progress 3. Compile a detailed report of their findings The company acknowledges that many questions remain unanswered at this stage. However, they are committed to keeping all parties informed throughout the process. Customers appear to have viewed the effort at communication positively, highlighting it as an example of transparency around cybersecurity incident reporting and disclosure. The incident serves as a stark reminder that even companies working in the cybersecurity industry remain a potential target for attacks. Last year, Okta, a provider of identity and access management software, had suffered a security incident in which attackers had managed to access its support incident management through the use of stolen credentials. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.UK’s Sellafield Nuclear Waste Site Pleads Guilty To Cybersecurity Failings
Sellafield Nuclear Waste Site's Cybersecurity Failings
Concerns over the site's security implementations grew after a 2012 report warned of "critical security vulnerabilities" requiring urgent attention. Due to the extreme sensitivity of the issues, problems were referred to with the codename "Voldemort." While Sellafield stated there has never been a successful cyberattack, revelations of IT failures last year raised alarms. In an investigative report last year, the Guardian uncovered that the site had been attacked by threat actors affiliated with the Russian and Chinese governments. The report found out that the site's authorities were not aware of when Sellafield's systems began to be compromised, but breaches may have gone as far back as the year 2015. In 2015, security experts had realized that Sellafield's computer systems had been compromised by sleeper malware. Sellafield had been earlier forced into “special measures” for regular cybersecurity failings by the UK's Office for Nuclear Regulation (ONR) and security services. The status of the compromised systems are unknown, but may have possibly led to the theft of sensitive information regarding moving of radioactive waste, monitoring for leaks of dangerous material, and fire checks. Sellafield stated that current protections on critical systems are robust, with isolated networks preventing external IT breaches from penetrating operational controls. An ONR spokesperson stated to the Guardian: “We acknowledge that Sellafield Limited has pleaded guilty to all charges," but emphasized that there was no evidence the vulnerabilities led to compromise. A Sellafield spokesman stated in the report, “We have pleaded guilty to all charges and cooperated fully with ONR throughout this process. The charges relate to historic offences and there is no suggestion that public safety was compromised."Concerns of GMB Trade Union
With attention now focused on improving cyber resilience, officials are working to prevent sensitive materials or dangerous nuclear operations from potential disruption by hackers. Earlier the GMB trade union, which represents tens of thousands of workers across the energy industry, also expressed concerns over the security of Sellafield, with its national secretary Andy Prendergast noting a “lack of training and competence among staff, inadequate safety procedures and a culture of fear and intimidation.” Prendergast added, “GMB has repeatedly raised concerns over safety and staffing levels, which are mainly due to turnover and the age and demographic of the workforce.” Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.CDK Global Struck By Second Cyberattack While Investigating Incident
Incident Extends CDK Global Systems Outage
After the initial attack, CDK Global shut down most of its systems on Wednesday, while working to investigate the incident and restore systems. "We are actively investigating a cyber incident.," the company said. "Out of an abundance of caution and concern for our customers, we have shut down most of our systems and are working diligently to get everything up and running as quickly as possible.” Later on the same day, the software firm managed to restore systems involved with its core DMS and Digital Retailing activities. In a statement to the Cyber Express, a spokesman from CDK Global said:“As we’ve communicated previously, we are currently investigating a cyber incident. Erring on the side of caution, we proactively shut all systems down and executed extensive testing and consulted with external third-party experts. With the work done so far, our core DMS and Digital Retailing solutions have been restored. We are continuing to conduct extensive tests on all other applications, and we will provide updates as we bring those applications back online. Our first priority is always the security of our customers, and our actions reflect our obligation to them as a trusted partner.”However, this restoration was short-lived, as the firm experienced a subsequent cyberattack on the same day:
“Late in the evening of June 19, we experienced an additional cyber incident and proactively shut down most of our systems. In partnership with third party experts, we are assessing the impact and providing regular updates to our customers. We remain vigilant in our efforts to reinstate our services and get our dealers back to business as usual as quickly as possible.”According to CNN, sources appeared to confirm that the outage could last for several days in light of the second cyberattack. The CDK Global outage makes information related to sales deals, negotiations and customer appointments inaccessible by salespeople who work at affected dealerships.
Incident Comes Ahead of Summer Sales Season
The incident has caused concerns among dealers who anticipate business during the summer months. “This is where we need systems functioning,” stated Jeff Ramsey, an executive with Ourisman Auto Group which operates various dealerships. This had led to dealers switching to alternative methods to handle sales such as hand-written notes of buyer's orders. Brian Benstock, general manager of Paragon Honda and Paragon Acura, stated, “My selling team can hand-write a buyer’s order.” Companies such as Kia, Toyota and Stellantis and Ford have also been working on alternate ways to handle customer services due to the CDK outage. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.Cyberattack on Ascension Hospitals Led to Lapses in Patient Care Such As Wrongful Administration of Narcotics
Ascension Hospitals Cyberattack Places Strain on Staff
"I had no training for this," said Marvin Ruckle, a neonatal ICU nurse at Ascension Via Christi St. Joseph in Wichita, Kansas, who nearly gave a baby the wrong dose of medication. Lisa Watson, a critical care nurse who works at the same hospital, says she almost administered the wrong drug to a critically ill patient because she couldn't scan it electronically. "My patient probably would have passed away," she said. Doctors and nurses across Ascension report relying on paper records, handwritten notes, faxes and basic spreadsheets to deliver care - many cobbled together in real time. An ER doctor in Detroit said a mix-up due to paperwork issues led a patient to receive the wrong narcotic and end up on a ventilator. In Baltimore, ICU nurse Melissa LaRue described narrowly avoiding giving an incorrect blood pressure medication dosage due to confusion from paperwork. Several clinicians said errors could threaten their licenses, but patient privacy laws prevented verifying their accounts. Ascension declined to address specific claims but said in a statement it is "confident that our care providers...continue to provide quality medical care."Ascension Hospitals' Staff Urge Changes
While federal regulations require safeguarding patient data, hospitals currently face no cyberattack preparation or prevention mandates. Experts regard health care as the top target for ransomware attacks, which are rising exponentially. Proposed regulations are pending, but timelines and requirements remain unclear. Nurses and doctors urging reforms at Ascension say cyberattacks should be treated similarly to natural disasters, with contingency plans that account for outages lasting weeks or longer. Many also echoed a plea for more staff support to shoulder the additional workload. "We implore Ascension," one Michigan clinician wrote, "to recognize the internal problems that continue to plague its hospitals, both publicly and privately, and take earnest steps toward improving working conditions for all of its staff." While the Biden administration has pushed for stronger cybersecurity standards in health care, the new requirements are still in development. Meanwhile, hospital industry lobbyists argue mandates could divert resources from cybersecurity efforts. These incidents prove that patients may ultimately pay the price when hospitals fall victim to cybercrime, while staff experience additional burden affecting routine practice and judgement. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.Association of Texas Professional Educators Reports Data Breach Affecting Over 414,000 Members
Association of Texas Professional Educators Data Breach
On February 12, 2024, ATPE detected abnormal activity on its network, which led to a comprehensive forensic investigation. The investigation concluded on March 20, 2024, and found evidence that some of ATPE's systems had been accessed by an unauthorized user. Based on this finding, ATPE reviewed the affected systems to identify the specific individuals and types of information that may have been compromised. The accessed information varied depending on when members joined:- For those who became members before May 15, 2021, the breach may have exposed names, addresses, dates of birth, Social Security numbers and medical records. Tax Identification Numbers could also possibly have been accessed if employers used them as identifiers.
- For members who received payments from ATPE via ACH transactions, financial account information could also have been accessed.
Response to Breach Incident and Credit Offering
Since discovery of the breach, ATPE stated that it has taken several steps to secure its systems, including:- Disconnecting all access to its network.
- Change of administrative credentials.
- Installation of enhanced security safeguards on ATPE's environment and endpoints.
- Restoration of ATPE's website in a Microsoft Azure hosted environment.
Several Chinese APTs Have Been Targeting Telecommunications of Asian Country Since 2021
Malware Variants Used in Chinese Espionage Campaign
Researchers from Symantec observed the use of several custom malware linked to China-based threat actors, including:- Coolclient: A backdoor used by the Fireant group that logs keystrokes and communicates with command servers. The campaign utilized a version delivered via a trojanized VLC media player. It is linked to the Fireant group, also known as Mustang Panda or Earth Preta.
- Quickheal: A backdoor associated with the Needleminer group, also known as RedFoxtrot or Nomad Panda. The variant used in the campaign was nearly identical to those documented in 2021. It communicated with a command server at swiftandfast[.]net.
- Rainyday: A backdoor tied to the Firefly group, also known as Naikon. Multiple variants were deployed using trojanized executables to sideload malicious loaders and decrypt payloads. At least one loader variant matched those linked to Firefly in 2021.
Campaign Motives and Attribution
The custom malware exclusively used by Fireant, Needleminer and Firefly provides strong evidence that this campaign involves Chinese state-sponsored groups. Firefly has been linked to a Chinese military intelligence unit by the U.S.-China Commission. The level of coordination between the groups involved is unclear but possibilities include independent action, personnel/tool sharing, or active collaboration. The ultimate motives behind the hacking campaign remain uncertain. Potential objectives include intelligence gathering on the telecommunications sector, eavesdropping on voice and data communications, or developing disruptive capabilities against critical infrastructure. To protect against these threats, telecom operators and other organizations should ensure they have the latest protection updates and implement robust security measures to detect and block malicious files. The researchers shared several Indicators of compromise and file hashes to help defenders detect against the campaign. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.ONNX Store Phishing Kit Leverages QR Codes To Target Financial Sector
ONNX Store Enables Theft of Credentials in Real Time
[caption id="attachment_77987" align="alignnone" width="1179"]![ONNX Store Phishing Kit 2](https://thecyberexpress.com/wp-content/uploads/ONNX-Store-Phishing-Kit-2.webp)
Researchers Believe ONNX Store is Rebranding of Caffeine Kit
Researchers have assessed that the ONNX Store phishing kit is likely a rebranding of the Caffeine phishing kit. This assessment is based on the significant overlaps in infrastructure and advertising on the same Telegram channels. This overlap includes the involvement of the Arabic-speaking threat actor MRxC0DER as the likely developer and maintainer behind the Caffeine kit. [caption id="attachment_77989" align="alignnone" width="1393"]![ONNX Store](https://thecyberexpress.com/wp-content/uploads/ONNX-Kit.webp)
New Threat Group Void Arachne Targets Chinese-Speaking Audience; Promotes AI Deepfake and Misuse
Void Arachne Tactics
Researchers from Trend Micro discovered that the Void Arachne group employs multiple techniques to distribute malicious installers, including search engine optimization (SEO) poisoning and posting links on Chinese-language Telegram channels.- SEO Poisoning: The group set up websites posing as legitimate software download sites. Through SEO poisoning, they pushed these sites to rank highly on search engines for common Chinese software keywords. The sites host MSI installer files containing Winos malware bundled with software like Chrome, language packs, and VPNs. Victims unintentionally infect themselves with Winos, while believing that they are only installing intended software.
- Targeting VPNs: Void Arachne frequently targets Chinese VPN software in their installers and Telegram posts. Exploiting interest in VPNs is an effective infection tactic, as VPN usage is high among Chinese internet users due to government censorship.
[caption id="attachment_77950" align="alignnone" width="917"]
Source: trendmicro.com[/caption]
- Telegram Channels: In addition to SEO poisoning, Void Arachne shared malicious installers in Telegram channels focused on Chinese language and VPN topics. Channels with tens of thousands of users pinned posts with infected language packs and AI software installers, increasing exposure.
- Deepfake Pornography: A concerning discovery was the group promoting nudifier apps generating nonconsensual deepfake pornography. They advertised the ability to undress photos of classmates and colleagues, encouraging harassment and sextortion. Infected nudifier installers were pinned prominently in their Telegram channels.
- Face/Voice Swapping Apps: Void Arachne also advertised voice changing and face swapping apps enabling deception campaigns like virtual kidnappings. Attackers can use these apps to impersonate victims and pressure their families for ransom. As with nudifiers, infected voice/face swapper installers were shared widely on Telegram.
Winos 4.0 C&C Framework
The threat actors behind the campaign ultimately aim to install the Winos backdoor on compromised systems. Winos is a sophisticated Windows backdoor written in C++ that can fully take over infected machines. The initial infection begins with a stager module that decrypts malware configurations and downloads the main Winos payload. Campaign operations involve encrypted C&C communications that use generated session keys and a rolling XOR algorithm. The stager module then stores the full Winos module in the Windows registry and executes shellcode to launch it on affected systems. [caption id="attachment_77949" align="alignnone" width="699"]![Void Arachne Winos](https://thecyberexpress.com/wp-content/uploads/Void-Arachne-Winos.webp)
Concerning Trend of AI Misuse and Deepfakes
Void Arachne demonstrates technical sophistication and knowledge of effective infection tactics through their usage of SEO poisoning, Telegram channels, AI deepfakes, and voice/face swapping apps. One particularly concerning trend observed in the Void Arachne campaign is the mass proliferation of nudifier applications that use AI to create nonconsensual deepfake pornography. These images and videos are often used in sextortion schemes for further abuse, victim harassment, and financial gain. An English translation of a message advertising the usage of the nudifier AI uses the word "classmate," suggesting that one target market is minors:Just have appropriate entertainment and satisfy your own lustful desires. Do not send it to the other party or harass the other party. Once you call the police, you will be in constant trouble! AI takes off clothes, you give me photos and I will make pictures for you. Do you want to see the female classmate you yearn for, the female colleague you have a crush on, the relatives and friends you eat and live with at home? Do you want to see them naked? Now you can realize your dream, you can see them naked and lustful for a pack of cigarette money.[caption id="attachment_77953" align="alignnone" width="437"]
![](https://thecyberexpress.com/wp-content/uploads/Void-Arachne-Deepfake.webp)
CISA Releases Guide on Modern Approaches to Network Access Security
Vulnerabilities in Traditional VPN Systems
CISA has identified several different vulnerabilities in legacy VPN systems can enable broad network compromise if exploited, given their typical lack of granular access controls. While VPNs provide ease of access for employees to connect to remote company applications and external data servers, they also make organizations more susceptible to compromise through various vulnerabilities inherent to typical network design. Recent examples of successful exploitation of VPNs include:- Vulnerabilities affecting Ivanti Connect Secure gateways (CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893) allowed threat actors to reverse tunnel from the VPN device, hijack sessions, and move laterally across victim networks while evading detection.
- The Citrix Bleed vulnerability (CVE-2023-4966) enabled bypassing of multifactor authentication, allowing threat actors to impersonate legitimate users, harvest credentials, and conduct ransomware attacks.
Modern Solutions to Network Access Security
Modern alternatives to VPN-based network access control includes zero trust architecture, SSE, SASE and identity-based adaptive access policies. These solutions provide access to applications and services based on continuous, granular validation of user identity and authorization - rejecting those not explicitly authenticated for specific resources. Zero Trust is a collection of different concepts and ideas that help organizations enforce accurate per-request access decisions based on the principles of least privilege. SSE is a comprehensive approach that combines networking, security practices, policies and services within a single platform. Key capabilities like multi-factor authentication, endpoint security validation, and activity monitoring better secure data in network transit while reducing attack surfaces. Tighter access controls also help secure data at rest by limiting exposure of internal applications. Effectiveness relies heavily on aligning network and infrastructure with zero trust principles like least privilege. Implementing zero trust even partially can greatly enhance protections against threats and data loss. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.ViLe: Two Men Plead Guilty For Hacking Into Law Enforcement Portal and Threatening Victim
Breach and Abuse of Federal Law Enforcement Portal
According to the press release, on May 7, 2022, Singh used a stolen password belonging to a police officer to access a non-public, password-protected federal law enforcement portal. The portal, maintained by the U.S. Drug Enforcement Administration (DEA), holds detailed records on narcotics and currency seizures as well as law enforcement intelligence reports with respective state and local agencies. [caption id="attachment_77700" align="alignnone" width="1954"]![](https://thecyberexpress.com/wp-content/uploads/Vile-Hacking-Group.webp)
![ViLe EPIC HACKING](https://thecyberexpress.com/wp-content/uploads/ViLe-EPIC-HACKING.webp)
Guilty Pleas Over Actions
Singh and Ceraolo were charged in March 2023 with computer intrusion conspiracy and aggravated identity theft. Singh pleaded guilty to both counts on June 17, while Ceraolo had done so May 30, the U.S. Attorney’s Office in the Eastern District of New York announced. U.S. Attorney Breon Peace condemned the men’s actions as “ViLe,” a reference to the hacking group’s disturbing logo depicting a hanging girl. He stated, “They hacked into a law enforcement database and had access to sensitive personal information, then threatened to harm a victim’s family and publicly release that information unless the defendants were ultimately paid money. Our Office is relentless in protecting victims from having their sensitive information stolen and used to extort them by cybercriminals.” He thanked the HSI's El Dorado Task Force, the Federal Bureau of Investigation and the New York Police Department for assistance in the case. HSI New York Special Agent in Charge Ivan J. Arvelo stated, “The defendants, along with their co-conspirators, exploited vulnerabilities within government databases for their own personal gain. These guilty pleas send a strong message to those that would seek illicit access to protected computer systems." He added, "HSI New York's El Dorado Task Force will continue to work with law enforcement partners to uncover evidence until every member of the ViLe group and similar criminal organizations are brought to justice.” The defendants face two to seven years in federal prison upon sentencing for the case in charges related to conspiring to commit computer intrusion and aggravated identify theft. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.NHS Dumfries and Galloway Warns Affected Individuals of Data Breach After Refusing to Pay Ransom to Cybercriminals
NHS Dumfries and Galloway Breach
NHS Dumfries and Galloway’s computer systems were breached by hackers in February 2024. The threat actors had accessed and copied confidential patient data including X-rays, test results and communications between health care providers and patients. However, the stolen data had not been deleted or altered on NHS systems and patient care has not been impacted. [caption id="attachment_77683" align="alignnone" width="1084"]![NHS Dumfries and Galloway](https://thecyberexpress.com/wp-content/uploads/NHS-Dumfries-and-Galloway.webp)
Risks and Recommendations
The Chief Executive of NHS Dumfries and Galloway stated that patients should assume some personal data was likely copied and published. The health authority identified potential risks including identity theft, extortion attempts and anxiety stemming from the data breach. Patients are advised to remain vigilant. NHS recommends patients refrain from opening suspicious emails, clicking unknown links or providing personal information over the phone to unverified parties. Suspicious communications should be reported to Police Scotland immediately. The health authority also advises patients to frequently update passwords and to make them as strong as possible. A helpline and website have been set up to provide information and support relating to the cyber attack. Psychological services are available for those experiencing anxiety regarding stolen personal data. The criminal investigation remains ongoing alongside technology partners to secure NHS systems against future attacks. Patients with additional questions can visit www.nhsdg.co.uk/cyberattack or call the helpline at 01387 216 777, open 9 a.m. to 6 p.m. weekdays and 9 a.m. to 1 p.m. Saturdays. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.Chinese Hackers Compromised Large Organization’s F5 BIG-IP Systems for 3 Years
Velvet Ant Campaign Used Evasive Tactics
Researchers from Sygnia disclosed that the attack began with the compromise of the organization's internet-facing F5 BIG-IP appliances, which were running on vulnerable OS versions. These appliances usually occupy a trusted position within network architecture, allowing potential attackers significant control over network traffic while evading most forms of detection. These appliances were used within the organization to manage its firewall, WAF (web application firewall), load balancing, and local traffic . [caption id="attachment_77649" align="alignnone" width="1802"]![Velvet Ant China F5](https://thecyberexpress.com/wp-content/uploads/Velvet-Ant-China-F5.webp)
![Velvet Ant Chinese Hackers](https://thecyberexpress.com/wp-content/uploads/Velvet-Ant-Chinese-Hackers.webp)
- VELVETSTING - This program was configured to connect to a remote server located in China to check for encoded commands on an hourly basis. Once commands were received, the program would execute them via a Unix shell.
- VELVETTAP - Malware seems to have been monitoring and capturing data from the F5 internal network interface.
- SAMRID - This software has been identified as a publicly available tunneling program that had previously been utilized by Chinese state-sponsored groups. While dormant during the researcher's investigation, it may have provided the attackers remote access.
- ESRDE - This backdoor works similarly to VELVETSTING, running commands delivered from an external server. It was also inactive at the time of analysis.
Organizations Systems Were Reinfected Upon Malware Removal
After an extensive incident response operation apparently eliminated the threat actor’s access, researchers detected a PlugX reinfection on clean hosts again a few days later. Further analysis found that the new version of PlugX lacked an external command and control server. Instead, the malware was configured to use an internal file server for command and control. This adaptation blended malicious traffic with normal internal communications, helping Velvet Ant operate undetected. While the attack was eventually contained, its sophistication and persistence highlight the challenges defenders face against advanced persistent threats (APTs). The researchers stated that they could not rule out the possibility of the campaign being a ‘false-flag’ operation by a different APT group. However, the PlugX malware has previously been associated with other China-linked APTs. The researchers have shared several recommendations as well as indicators of compromise (IOCs) on their blog. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.Globe Life Discloses Breach Amid Accusations of Fraud and Shady Business Tactics
Globe Life Breach Discovery and Containment
According to Globe Life's filing with the SEC, the company had conducted a security review on one of its web portals to discover potential vulnerabilities that may have affected its access permissions and user identity management. The investigation was prompted by a legal inquiry from a state insurance regulator on June 13, 2024. The review revealed that an unauthorized party may have accessed the company's web portal, compromising sensitive customer and policyholder data. The company stated that it had immediately revoked external access to the affected portal upon breach discovery. Globe Life said that at this stage, it believes the security issue is isolated to the one web portal. All other company systems remain fully operational. Globe Life added that it expected minimal impact to its business operations after the take down of the affected web portal. The company has activated its cybersecurity incident response plan and engaged external forensics experts to investigate the breach's scope. In its SEC filing, Globe Life disclosed that the investigation remains ongoing. The full impact and nature of the incident are unclear at the moment.Incident Comes After Scrutiny Over Business Tactics
The company said it has yet to determine if the breach qualifies as a reportable cybersecurity incident under the SEC's disclosure rules. The disclosure comes amidst increasing scrutiny and financial setbacks suffered by the company. The Texas-based insurer has faced allegations of fraudulent sales tactics and other business and workplace improprieties. The short sellers Fuzzy Panda Research and Viceroy Research had made these allegations public in April 2024. While the company has continued to deny these claims, its share price has dropped by 24% since the publication of the Fuzzy Panda report. The reports claimed that Globe Life and its biggest subsidiary, American Income Life (AIL), had engaged in insurance fraud, framing of policies for dead and fictitious individuals, withdrawal of consumer funds without approval, unfair dismissal, misleading sales tactics and illegal kickbacks. They also alleged that some of AIL's most profitable agents had faced accusations of kidnapping, assault and child grooming from defendants, witnesses and plaintiffs. It remains unclear if the state insurance regulator contact that led to the breach discovery is related to these allegations. Insurers like Globe Life are regulated at the state level rather than federal level. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.UK, US and Canada Accuse Russia of Plot to Interfere With Elections in Moldova
Kremlin Actors Seeking to Discredit Moldova's Leaders
According to a statement from the U.S. Embassy in Russia, Russian threat actors are aggressively distributing propaganda to “foment negative public perceptions” of President Sandu. This involves fabricating electoral irregularities while also aiming to incite protests if the incumbent president is re-elected. The plot dates back years, with the Kremlin providing support to fugitive Moldovan businessman Ilan Shor. Shor had previously been sentenced to 15 years in prison in connection with the disappearance of $1 billion from Moldovan banks in 2014. All three countries had issued sanctions on Shor for his connection to the incident. The statement singled out Russian state-television channel RT for providing several years of support to Shor. The UK, US and Canada claim they have already shared detailed evidence with Moldovan authorities to enable further investigation and disruption. They also state they will continue backing Moldova with a range of support measures as it deals with Russian interference and fallout from the Ukraine war.All Three Countries Announce Support at G7 Summit
The three nations expressed confidence in Moldova's ability to manage these threats linked to Russian interference. They have taken several measures to support Moldova's efforts, including:- The sharing of detailed information with Moldovan partners to investigate, thwart, and put a stop to the Kremlin's plans.
- Increasing accountability and punishment for individuals and entities involved in covertly financing political activities in Moldova through sanctions and potential further actions.
- Strongly supporting Moldova's democratic, economic, security, and anti-corruption reforms, as well as its deepening European integration.
Russia Is a Threat to Election Security: Researchers
An earlier report from Mandiant in April suggested that Russia presented the biggest threat to election security in the United States, United Kingdom and European Union. “Multiple Russian groups have targeted past elections in the U.S., France, and Ukraine, and these groups have continued to demonstrate the capability and intent to target elections both directly and indirectly,” the report stated. Experts also fear Russian attempts at spreading disinformation or influencing public opinion on non-election events such as the upcoming 2024 Summer Olympics in Paris. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.Fraudsters Have Been Creating Websites Impersonating the Official Olympics Ticketing Website
Website Incorporates Official Paris 2024 Summer Olympic Games Branding
The 'paris24tickets[.]com' website appeared professional and legitimate at first glance. The site advertised itself as a “secondary marketplace for sports and live events tickets,” and was displayed as the second result among sponsored Google search results for 'paris 2024 tickets.' It allowed visitors to navigate through upcoming Olympic events, select event specific tickets, and enter payment information. Its polished design resembled that of trusted ticketing platforms, along with the official Olympics ticket purchase site. Proofpoint researchers warned that the website was entirely fraudulent despite its authentic look and feel. The site was likely collecting users’ financial and personal information rather than actually processing ticket orders. The researchers acted swiftly to suspend the misleading domain upon its discovery. [caption id="attachment_77366" align="alignnone" width="2800"]![Official Olympics Paris 2024 Summer Olympic Games 3](https://thecyberexpress.com/wp-content/uploads/Official-Olympics-Paris-2024-Summer-Olympic-Games-3-scaled.webp)
![Official Olympics Paris 2024 Summer Olympic Games 5](https://thecyberexpress.com/wp-content/uploads/Official-Olympics-Paris-2024-Summer-Olympic-Games-5-scaled.webp)
French Gendarmerie Nationale Reported the Discovery of 338 Scam Sites
The 'paris24tickets[.]com' website represents just a tiny fraction of a much broader network of fraudulent Olympics domains. The French Gendarmerie Nationale had identified approximately 338 such websites since March 2023, and made subsequent efforts to shut them down; 51 of these sites were stated to have been closed while 140 of them were put on notice. The fraudsters behind these scams likely rely on sponsored search engine ads and targeted emails to drive traffic to impersonating websites. Offers of special deals and discounts are further lures to draw-in potential victims. [caption id="attachment_77367" align="alignnone" width="1000"]![French Gendarmerie Nationale Official Paris 2024 Summer Olympic Games](https://thecyberexpress.com/wp-content/uploads/French-Gendarmerie-Nationale-Official-Paris-2024-Summer-Olympic-Games.webp)
Baw Baw Shire Residents Impacted By OracleCMS Breach That Hit Several Major Cities in Australia
Over 1,200 Baw Baw Shire Residents Affected
The exposed information includes customer contact details and call notes—dates from June 2014 to January 2016 when customers rang the council hotline during evenings, weekends and holidays. Calls made during the specified period had been automatically forwarded to OracleCMS call agents. It remains unclear precisely how the contractor failed to protect confidential constituent information or when the company first discovered the breach. Upon learning of the breach earlier this month, Baw Baw officials urgently contacted every affected resident—over 1,250 in total—through SMS messages and personal calls to vulnerable groups like the elderly. While the breach did not infiltrate Baw Baw's systems directly with the council's own systems, it represents a alarming security gap by a third-party vendor given access to constituents' sensitive information.OracleCMS Provider Implicated in Other Breaches
Authorities are currently investigating the incident, which may have also impacted other clients of the Australia-based company. OracleCMS provides outsourced contact center services for an array of local governments and organizations. OracleCMS had previously been implicated in a long list of data breaches affecting several different cities in Australia. According to some official press release statements, OracleCMS appeared to initially downplay the incident. An earlier release from Merri-bek City Council stated:OracleCMS informed Council in April that there had been a cyber security incident where identifiable information of customers had been compromised. Until last week we were informed that Council’s customer data was not involved. Council has now been informed that the OracleCMS data breach does include records of calls handled by OracleCMS on Council’s behalf. We take the privacy of our customers very seriously and we are taking urgent action to address this issue.The OracleCMS data breach also affected some businesses such as several entities belonging to Nissan in the Australia and New Zealand region, such as Nissan Financial Services Australia Pty Ltd, Nissan Motor Co. Pty Ltd, Nissan Financial Services, New Zealand Pty Ltd and Nissan New Zealand Ltd.
OracleCMS subsequently suffered a data breach, which it was alerted to on 15 April 2024. This separate incident resulted in certain data which was held by OracleCMS, including the summary information Nissan provided to OracleCMS, being compromised and published on the dark web.As cyberattacks surge, some have questioned whether outsourcing critical customer service channels renders individuals and businesses more vulnerable to data theft. The incident serves as reminder for governments and organizations to lock down vulnerabilities present in third-party vendors or tools while conducting regular security audits. Residents with concerns regarding the breach may contact Baw Baw Shire Council’s customer service line at +61 3 5624 2411. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
Canada’s Largest District School Board Investigates Ransomware Incident
Toronto District School Board's Investigation Underway
The school board stated that the incident had affected its testing environment, which had been used to evaluate new technology and programs before being deployed on systems. The board's cybersecurity team had taken immediate action upon discovering the incident, securing systems and preserving data. The Toronto District School Board had notified details of the incident to the Toronto police and the Information and Privacy Commissioner of Ontario. [caption id="attachment_77136" align="alignnone" width="2800"]![Toronto District School Board Ransomware Attack cyberattack 2](https://thecyberexpress.com/wp-content/uploads/Toronto-District-School-Board-Ransomware-Attack-cyberattack-2-scaled.webp)
![Toronto District School Board Ransomware Attack cyberattack](https://thecyberexpress.com/wp-content/uploads/Toronto-District-School-Board-Ransomware-Attack-cyberattack.webp)
Impact Unknown; More Details Expected Soon
Despite the attack, the district school board's systems remained fully operational and functional. While only the school's testing environment had been affected, Humber College cybersecurity expert Francis Syms remained concerned over the incident, as personal information is sometimes used on test environments. He added that test environments are usually not secured by multifactor authentication, potentially making data easier to access. However, he admitted that he was not aware of the testing system being used, as he was not part of the investigation team. The Toronto District School Board did not clarify whether the testing environment or its data contained any personal information. Ryan Bird, a spokesperson from the school district board, disclosed to CityNews Toronto that the full extent of the breach was unknown, or if any personal data had been compromised in the attack, but further details would be revealed by the end of the day. The Cyber Express team has reached out to the Toronto District School Board for further details and investigation results, but no responses have been received as of yet. Toronto's cybersecurity defenders have observed an uptick in cyberattacks in recent years, from both financially-motivated hackers and 'hacktivists' disrupting public systems. Some attacks occur during sensitive times such as elections, global conflicts, or visits by foreign leaders. However, ransomware attacks remain the most common form of attacks. City officials have been working with several agencies to rebuild trust in the safety of public systems and services. Charles Finlay, Toronto resident and executive director at Rogers Cybersecure Catalyst, had earlier stated to the Toronto Star, “I think the city has to be more forthcoming about what it is doing to ensure that those services are secure from cyber-attacks.” The City had witnessed several attacks on its public institutions such a Cl0p ransomware intrusion into the City of Toronto's computer systems as well as an attack last year on the Toronto Public Library's computer systems. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.CISA Warns of Phone Scammers Impersonating Its Employees
CISA Impersonation Scam
The spammers behind the campaign make phone calls to victims in which they claim to be contacting targets on behalf of CISA; they then ask victims to share personal information or money under the guise of protecting their accounts from unauthorized activity. Fraudsters may also direct victims to download additional software or click on links to "verify" their identity. However, CISA confirmed that it would never make such demands. "CISA staff will never contact you with a request to wire money, cash, cryptocurrency, or use gift cards and will never instruct you to keep the discussion secret," CISA warned. Possible red flags to watch out for:- Unsolicited phone calls that claim to be from CISA.
- Callers requesting personal information, such as passwords, social security numbers, or financial information.
- Callers demanding payment or transfer of money to "protect" your account.
- Callers creating a sense of urgency or pressuring you to take immediate action.
- Do not pay the caller.
- Take record of the numbers used.
- Hang up the phone immediately while ignoring further calls from suspicious numbers.
- Report the scam to CISA by calling (844) SAY-CISA (844-729-2472).
FTC Observes Uptick in Impersonation Scams
The CISA impersonation scam is a recent example of the rise in impersonation fraud targeting both businesses and government agencies. According to the latest data from the Federal Trade Commission (FTC), the number of such scams has increased dramatically in recent years, and cost consumers more than $1.1 billion in 2023 alone. The FTC report showed that in 2023, the agency received more than 330,000 reports of fraud posing as a business and almost 160,000 reports of fraud posing as a government. Collectively, these incidents account for almost half of all fraud cases reported directly to the FTC. "The financial injury is breath-taking – and cash-taking," the FTC quipped in its Spotlight. It further added, "Reported losses to impersonation scams topped $1.1 billion in 2023, more than three times what consumers reported in 2020." While fraudsters employ various types of scams, the FTC noted that the below types accounted for nearly half of the reported/observed scams in 2023:- Copycat account security alerts: Scams that pretend to impersonate legitimate services such as Amazon while purporting to be about unauthorized activity or charges to their account.
- Phony subscription renewals: Usually email notices that alert targets of auto-renew charges to various online services.
- Fake giveaways, discounts, or money to claim: Fake rewards or winnings that claim to originate from legitimate providers such as internet providers or large retailers.
- Bogus problems with the law: Scammers try to deceive targets into believing that their identity had been used to commit heinous crimes such as money laundering or the smuggling of drugs.
- Made-up package delivery problems: Messages that alert you of fake delivery problems with legitimate delivery services such as the U.S. Postal Service, UPS, or FedEx.
Researchers Discovered 24 Vulnerabilities in ZKTeco Biometric Terminals Used In Nuclear Plants
Vulnerabilities in ZKTeco Biometric Terminals
Biometric terminals see multiple uses aside from their primary purpose of acquiring biometric data such as fingerprints, voices, facial features, or irises. They can be connected to other scanners to support alternative authentication methods, or be deployed as a means of ensuring employee productivity or to reduce fraud. These devices see increasing usage in confidential facilities such as power plants, executive suites or server rooms. ZKTeco biometric terminals support facial recognition(with the ability to store thousands of face templates), password entry, electronic pass, and QR codes. Researchers conducted several tests to assess the security and reliability of these devices, finding 24 different vulnerabilities that may be exploited by threat actors in real attack scenarios on confidential facilities:- 6 SQL injection vulnerabilities
- 7 buffer stack overflow vulnerabilities
- 5 command injection vulnerabilities
- 4 arbitrary file write vulnerabilities
- 2 arbitrary file read vulnerabilities
- Physical Bypass via Fake QR Codes CVE-2023-3938 allows cybercriminals to perform a SQL injection attack by injecting malicious code into access strings. This could allow them to gain unauthorized entry to restricted areas.
- Biometric Data Theft and Backdoor Deployment The CVE-2023-3940 and CVE-2023-3942 vulnerabilities could give attackers access to sensitive user data and password hashes stored on the device. Additionally, CVE-2023-3941 could allow them to remotely alter device databases, allowing them to potentially add unauthorized individuals into systems or create a backdoor.
- Remote Code Execution The CVE-2023-3939 and CVE-2023-3943 flaws enable the execution of arbitrary commands or code on the device, effectively giving attackers full control and the ability to launch further attacks on the wider network.
“The impact of the discovered vulnerabilities is alarmingly diverse. To begin with, attackers can sell stolen biometric data on the dark web, subjecting affected individuals to increased risks of deepfake and sophisticated social engineering attacks. Furthermore, the ability to alter the database weaponizes the original purpose of the access control devices, potentially granting access to restricted areas for nefarious actors. Lastly, some vulnerabilities enable the placement of a backdoor to covertly infiltrate other enterprise networks, facilitating the development of sophisticated attacks, including cyberespionage or sabotage. All these factors underscore the urgency of patching these vulnerabilities and thoroughly auditing the device's security settings for those using the devices in corporate areas.”
Mitigating Risks to Biometric Terminals
The researchers stated that they had disclosed all information about the discovered vulnerabilities to ZKTeco, but lacked accessible data on whether these vulnerabilities had been patched. The researchers have shared the following recommendations to protect these biometric terminals from attacks in the meanwhile:- Isolate biometric reader usage into a separate network segment.
- Employ robust administrator passwords and change default ones.
- Audit and fortify the device's security settings, including enabling temperature detection.
- If feasible, minimize the use of QR code functionality.
- Regularly update the device's firmware.
City of Moreton Bay Investigates Data Breach After Resident Discovered Leak of Private Information
Data Breach Discovered By Local Resident
City of Moreton Bay resident Piper Lalonde, who works as a data analyst, had discovered the breach along with her husband. They were shocked to learn that their personal information was freely available on the council's customer request online portal. The couple had discovered that the information included their phone numbers, complaints, and requests that they had made for new bins, along with the GPS coordinates of where the requests had been filed. A further investigation into the breach had revealed that the personal information of some of their friends and neighbors who were fellow ratepayers were also available in the records after they conducted a search. Piper reported this information to the council, with the website being taken down the next day. However, she was still unsatisfied with the lack of notification about the incident to impacted residents. Piper stated, "I would expect they'd have to send out some formal communication letting people know their information was publicly accessible, but there was no indication they were going to do that." She expressed concern about the possibility of people stumbling upon complaints made about them by other residents. She added, "If this gets in the wrong hands — it just takes one person to see a complaint about them, and who knows what they'll do."City of Moreton Bay Responses to Data Breach
After Piper's report, the website was said to be taken down. The site appears to be functional as of now, with some functions still limited. The website includes an official notice in response to the incident. [caption id="attachment_76878" align="alignnone" width="2204"]![City of Moreton Bay Council Data Breach](https://thecyberexpress.com/wp-content/uploads/City-of-Moreton-Bay-Council-Data-Breach.webp)
We are experiencing system difficulties with our customer request portal. Our third-party provider is investigating a possible information breach. The cause is yet to be determined but there is no indication this is a cyber attack. We will never contact you via unsolicited calls to request sensitive information. No action is required from you at this stage. We will continue to keep you informed.The notice appears to indicate that the breach stemmed from a third-party provider. The Cyber Express team has reached out to the Moreton Bay Council's Privacy Officer for further information on the breach, however no response has been received as of publication time. The potential scale of the data breach, as well as its impact on residents, is currently unknown. It is also unclear on how many individuals may have accessed the available data before the website had been temporarily taken down and subsequently limited. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
Apple Launches ‘Private Cloud Compute’ Along with Apple Intelligence AI
Private Cloud Compute Aims to Secure Cloud AI Processing
Apple has stated that its new Private Cloud Compute (PCC) is designed to enforce privacy and security standards over AI processing of private information. For the first time ever, Private Cloud Compute brings the same level of security and privacy that our users expect from their Apple devices to the cloud," said an Apple spokesperson. [caption id="attachment_76690" align="alignnone" width="1492"]![Private Cloud Compute Apple Intelligence](https://thecyberexpress.com/wp-content/uploads/Private-Cloud-Compute-Apple-Intelligence.webp)
- Stateless computation: PCC processes user data only for the purpose of fulfilling the user's request, and then erases the data.
- Enforceable guarantees: PCC is designed to provide technical enforcement for the privacy of user data during processing.
- No privileged access: PCC does not allow Apple or any third party to access user data without the user's consent.
- Non-targetability: PCC is designed to prevent targeted attacks on specific users.
- Verifiable transparency: PCC provides transparency and accountability, allowing users to verify that their data is being processed securely and privately.
Apple Invites Experts to Test Standards; Online Reactions Mixed
At this week's Apple Annual Developer Conference, Apple's CEO Tim Cook described Apple Intelligence as a "personal intelligence system" that could understand and contextualize personal data to deliver results that are "incredibly useful and relevant," making "devices even more useful and delightful." Apple Intelligence mines and processes data across apps, software and services across Apple devices. This mined data includes emails, images, messages, texts, messages, documents, audio files, videos, contacts, calendars, Siri conversations, online preferences and past search history. The new PCC system attempts to ease consumer privacy and safety concerns. In its description of 'Verifiable transparency,' Apple stated:"Security researchers need to be able to verify, with a high degree of confidence, that our privacy and security guarantees for Private Cloud Compute match our public promises. We already have an earlier requirement for our guarantees to be enforceable. Hypothetically, then, if security researchers had sufficient access to the system, they would be able to verify the guarantees."However, despite Apple's assurances, the announcement of Apple Intelligence drew mixed reactions online, with some already likening it to Microsoft's Recall. In reaction to Apple's announcement, Elon Musk took to X to announce that Apple devices may be banned from his companies, citing the integration of OpenAI as an 'unacceptable security violation.' Others have also raised questions about the information that might be sent to OpenAI. [caption id="attachment_76692" align="alignnone" width="596"]
![Private Cloud Compute Apple Intelligence 1](https://thecyberexpress.com/wp-content/uploads/Private-Cloud-Compute-Apple-Intelligence-1.webp)
![Private Cloud Compute Apple Intelligence 2](https://thecyberexpress.com/wp-content/uploads/Private-Cloud-Compute-Apple-Intelligence-2.webp)
![Private Cloud Compute Apple Intelligence 3](https://thecyberexpress.com/wp-content/uploads/Private-Cloud-Compute-Apple-Intelligence-3.webp)
South Korean Researchers Observe Remcos RAT Distributed Through Fake Shipping Lures
Use of UUEncoding (UUE) Files to Distribute Remcos RAT Malware
Researchers from AhnLab discovered that the threat actors behind the campaign, use UUEncoding files with a .UUE extension, which are designed to encode binary data in plain text format. These file formats are suitable for attachment in e-mail or Usenet messages. The malicious .UUE files encode a VBS script attached in phishing emails. The threat actors seem to have leveraged the file format and encoding technique as an attempt to bypass detection. [caption id="attachment_76665" align="alignnone" width="1024"]![AhnLab Remcos RAT UUEncoding (UUE) .UUE](https://thecyberexpress.com/wp-content/uploads/AhnLab-Remcos-RAT-UUEncoding-UUE-.UUE-1.webp)
![](https://thecyberexpress.com/wp-content/uploads/AhnLab-Remcos-RAT-UUEncoding-UUE-.UUE-2.webp)
Remcos RAT malware
The Remcos RAT collects system information from infected systems and stores keylogging data in the %AppData% directory. The malware then sends this data to the remote command-and-control (C&C) server, which is hosted through a DuckDNS domain. [caption id="attachment_76667" align="alignnone" width="894"]![AhnLab Remcos RAT UUEncoding (UUE) .UUE 3](https://thecyberexpress.com/wp-content/uploads/AhnLab-Remcos-RAT-UUEncoding-UUE-.UUE-3.webp)
- b066e5f4a0f2809924becfffa62ddd3b (Invoice_order_new.uue)
- 7e6ca4b3c4d1158f5e92f55fa9742601 (Invoice_order_new.vbs)
- fd14369743f0ccd3feaacca94d29a2b1 (Talehmmedes.txt)
- eaec85388bfaa2cffbfeae5a497124f0 (mtzDpHLetMLypaaA173.bin)
- Downloader/VBS.Agent (2024.05.17.01)
- Data/BIN.Encoded (2024.05.24.00)
- frabyst44habvous1.duckdns[.]org:2980:0
- frabyst44habvous1.duckdns[.]org:2981:1
- frabyst44habvous2.duckdns[.]org:2980:0
- Refrain from accessing emails from unknown sources.
- Refrain from running or enabling macro commands when accessing downloaded attachment files. Users can set programs to highest levels of security, as lower levels may automatically execute macro commands without displaying any notification.
- Update anti-malware engines to their latest versions.
BreachForums Down, Official Telegram Channels Deleted and Database Potentially Leaked
BreachForums Down with '502- Bad Gateway' Error
BreachForums had earlier faced an official domain seizure by the FBI in a coordinated effort with various law enforcement agencies. However, shortly after, 'ShinyHunters' managed to recover the seized domains, with allegedly leaked FBI communications revealing they had lost control over the domain while the BreachForums staff claimed that it had been transferred to a different host. However, the site appears to be down again, but with no seizure notice present, leading to speculation over what has struck the site as well as its admin ShinyHunters. On X and LinkedIn, security researcher Vinny Troia claimed that ShinyHunters had made a direct message through Telegram indicating that he was retiring from the forums, as it was 'too much heat' and has shut it down. [caption id="attachment_76597" align="alignnone" width="1164"]![ShinyHunters BreachForums](https://thecyberexpress.com/wp-content/uploads/ShinyHunters-BreachForums-.webp)
BreachForums Telegram Channels Deleted
Shortly after the official domains went down, several official Telegram accounts that were associated with Breach Forums, including the main announcement channel and the Jacuzzi 2.0 account, were deleted. Forum moderator Aegis stated in a PGP signed message that Shiny Hunters had been banned from Telegram. [caption id="attachment_76580" align="alignnone" width="349"]![BreachForums Telegram Channels BreachForums.st](https://thecyberexpress.com/wp-content/uploads/BreachForums-Telegram-Channels-BreachForums.st_.webp)
![BreachForums Telegram Channels Baph](https://thecyberexpress.com/wp-content/uploads/BreachForums-Telegram-Channels-Baph.webp)
![BreachForums ShinyHunters Jacuzi Telegram](https://thecyberexpress.com/wp-content/uploads/BreachForums-ShinyHunters-Jacuzi-Telegram.webp)
![BreachForums Telegram Channels Deleted Database leak](https://thecyberexpress.com/wp-content/uploads/BreachForums-Telegram-Channels-Deleted-Database-leak.webp)
![Astounding BreachForums Retirement](https://thecyberexpress.com/wp-content/uploads/Astounding-BreachForums-Retirement.webp)
![USDoD BreachForums Breach Nation](https://thecyberexpress.com/wp-content/uploads/USDoD-BreachForums-Breach-Nation.png)
Modder Discovered Kernel-Level Exploit in Xbox One Consoles
'Game Script' Xbox Console Kernel-Level Exploit
carrot_c4k3, the individual behind the discovery, disclosed on X that the exploit, which is not a jailbreak, works against the System OS software that exists on newer Xbox consoles such as the Xbox One. System OS exists to enable developers to run a wide variety of applications on these consoles through the use of virtualization technology. Applications downloaded from the Microsoft Store run on this layer. Xbox users can typically gain access to this environment by enabling developer mode on their consoles. However, carrot_c4k3 stated that while the exploit allows full control over vm homebrews on retail Xbox, it did not enable the use of pirated software upon usage. The method currently relies on the Game Script UWA application available on the Microsoft Store, which allows users to run and execute custom languages on the devices. The exploit consists of two components:- User mode: Initial steps where the user gains native code execution in the context of UWP (Microsoft Store) applications.
- Kernel exploit: In this step the user exploits a Kernel vulnerability on these devices to gain full read/write permissions, which would then enable them to elevate the privileges of a particular running process.
Exploit Might Have Been Patched In Newer Xbox Firmware Versions
A set of steps to be performed for the hack was shared on the Xbox One Research Github page:The page states that the exploit is "likely to be patched soon (in next System Update)." A thread on GBAtemp.net, a forum for discussing various video game platforms, stated that the latest firmware update for the Xbox One console has reportedly already patched the exploit, making the firmware 10.0.25398.4478 the last exploitable version. While the full consequences of this exploit and the one that will be shared are unknown, it highlights the interest that console players have in bypassing manufacturer-intended device limits. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
- Ensure your Xbox Live account Login-Type is configured as “No barriers” aka. auto-login with no password prompt
- Set your console as “Home Console” for this account
- Download the App Game Script
- Start the app (to ensure license is downloaded/cached)
- Take your console offline! To make extra sure it cannot reach the internet, set a manual primary DNS address of 127.0.0.1
- Get a device/microcontroller that can simulate a Keyboard (rubber ducky or similar) - otherwise you have to type a lot manually :D
Microsoft and Google Announce Plans to Help Rural U.S. Hospitals Defend Against Cyberattacks
Microsoft and Google Cybersecurity Plans for Rural Hospitals
Microsoft has launched a full-fledged cybersecurity program to meet the needs of rural hospitals, which are often more vulnerable to cyberattacks due to more limited IT security resources, staff and training than their urban peers. The program will deliver free and low-cost technology services, including:- Nonprofit pricing and discounts of up to 75% on Microsoft's security products for independent Critical Access Hospitals and Rural Emergency Hospitals.
- Larger rural hospitals already equipped with eligible Microsoft solutions will receive free advanced security suites for free.
- Free Windows 10 security updates for participating rural hospitals for at least one year.
- Cybersecurity assessments and training are being made free to hospital employees to help them better manage system security.
“Cyber-attacks against the U.S. healthcare systems rose 130% in 2023, forcing hospitals to cancel procedures and impacting Americans’ access to critical care. Rural hospitals are particularly hard hit as they are often the sole source of care for the communities they serve and lack trained cyber staff and modern cyber defenses. President Biden is committed to every American having access to the care they need, and effective cybersecurity is a part of that. So, we’re excited to work with Microsoft to launch cybersecurity programs that will provide training, advice and technology to help America’s rural hospitals be safe online.”Alongside Microsoft's efforts, Google also announced that it will provide free cybersecurity advice to rural hospitals and non-profit organizations while also launching a pilot program to match its cybersecurity services with the specific needs of rural healthcare facilities.
Plans Are Part of Broader National Effort
Rural hospitals remain one of the most common targets for cyberattacks, according to data from the National Rural Health Association. Rural hospitals in the U.S. serve over 60 million people living in rural areas, who sometimes have to travel considerable distance for care even without the inconvenience of a cyberattack. Neuberger stated, “We’re in new territory as we see ... this wave of attacks against hospitals.” Rick Pollack, president of the American Hospital Association, said, “Rural hospitals are often the primary source of healthcare in their communities, so keeping them open and safe from cyberattacks is critical. We appreciate Microsoft stepping forward to offer its expertise and resources to help secure part of America’s healthcare safety net.” The plans are a part of a broader effort by the United States government to direct private partners and tech giants such as Microsoft and Google to use their expertise to plug significant gaps in the defense of the healthcare sector. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.NHS Makes Urgent Request for Blood Donations After Ransomware Attack Interrupts Blood Transfusions
NHS Blood and Transplant's Urgent Appeal for Blood Donations
The recent cyberattack on the pathology firm Synnovis, believed to have been orchestrated by the Russian cybercriminal group Qilin, caused significant disruption to several London hospitals. As a result, affected hospitals have been unable to match patients' blood at the usual rates, leading to the declaration of a critical incident and the cancellation of scheduled blood transfusions. Gail Miflin, chief medical officer at NHS Blood and Transplant, emphasized the importance of O blood-type donations during this critical time. She called on existing O blood donors to book urgent appointments and encouraged potential new donors to find out their blood type and contribute to solving the shortage. During NHS National Blood Week, it was revealed that hospitals require three blood donations every minute. With around 13,000 appointments available nationwide this week, and 3,400 specifically in London, there are many opportunity for donors to come forward and contribute to blood availability. Stephen Powis, the medical director for NHS England, praised the resilience of NHS staff amid the cyberattack and urged eligible donors to come forward to one of the 13,000 available appointments in NHS blood donor centers across the country. To learn more and find details on how to donate, interested individuals are encouraged to search 'GiveBlood' online and on social media or visit Blood.co.uk. [caption id="attachment_76310" align="alignnone" width="2562"]![NHS Blood and Transplant (NHSBT) Ransomware Blood Donations](https://thecyberexpress.com/wp-content/uploads/NHS-Blood-and-Transplant-NHSBT-Ransomware-Blood-Donations.webp)
Impact of the Cyberattack on London Hospitals
Several prominent London hospitals, including the King's College Hospital, Guy's and St Thomas', the Royal Brompton, and the Evelina London Children's Hospital, declared a critical incident following the cyberattack on the pathology firm Synnovis, which provides blood-testing facilities to these hospitals and several others in southeast London. The attack forced hospital staff to cancel health procedures such as cancer surgeries and transplants due to the unavailability of blood transfusion services after facing severe disruption. In a statement on its official website, an NHS London spokesperson stressed the importance of pathology services to health treatment procedures:“NHS staff are working around the clock to minimise the significant disruption to patient care following the ransomware cyber-attack and we are sorry to all those who have been impacted. Pathology services are integral to a wide range of treatments and we know that a number of operations and appointments have been cancelled due to this attack. We are still working with hospitals and local GP services to fully assess the disruption, and ensure the data is accurate. In the meantime our advice to patients remains, if you have not been contacted please do continue to attend your appointments.”A senior NHS manager disclosed to the Health Service Journal (HSJ) that the incident was “everyone’s worst nightmare.” As blood has a limited shelf life of 35 days, it is critical that these hospital stocks are continually replenished. More units of O-negative and O-positive blood will be required over the coming weeks to accommodate an anticipated increase in surgeries and procedures due to earlier delays. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
‘Commando Cat’ Cryptojacking Campaign Exploits Remote Docker API Servers
Commando Cat Initial Access and Attack Sequence
The Commando Cat campaign identified by researchers from Trend Micro has been active since early 2024. The attack begins with a probe to the Docker Remote API server. If the server responds positively, the attackers create a container using the "cmd.cat/chattr" image. Once a suitable target is located, the attacker deploys a docker image named cmd.cat/chattr, which appears harmless at first glance but serves as a stepping stone for the subsequent stages of the attack. The "cmd.cat/chattr" image allows the attackers to employ techniques like chroot and volume binding to escape the docker container and bind the host system's root directory to the container's own/hs
directory, thereby gaining unrestricted access to the host file system.
The attackers also bind the Docker socket to the container, allowing them to manipulate Docker as if they were on the host machine itself. If the "cmd.cat/chattr" image isn't found, the attackers pull it from the cmd.cat repository.
Once the image is in place, they create a Docker container, executing a base64-encoded script that downloads and executes a malicious binary from their command-and-control (C&C) server. The researchers identified the downloaded binary file as ZiggyStarTux, an open-source IRC botnet based on the Kaiten malware.
Commando Cat Detection and Mitigation
While the researchers noted that the campaign's C&C server was down during analysis, they noted several technical specifics from attack operations. Researchers have advised that potential misuse of DropBear SSH on TCP port 3022, along with use of the 1219 port for its C&C server, can help detect the presence of the malware. Unauthorized IRC communications along with these specific User-Agent strings are other indicators:- HackZilla/1.67 [en] (X11; U; Linux 2.2.16-3 x64)
- Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686)
- Properly configuring Docker containers and APIs.
- Utilizing only official or certified Docker images.
- Running containers with non-root privileges.
- Limiting container access to trusted sources.
- Regularly performing security audits and scanning for suspicious docker containers.
Akira Ransomware Group Claims Attack on Panasonic Australia; Singapore Tells Victims to Not Pay Ransom
Akira Ransomware Group Attack on Panasonic Australia
The ransomware group alleged that it had exfiltrated sensitive project information and business agreements from the electronics manufacturer Panasonic Australia. No sample documents were posted to verify the authenticity of the breach claims. The potential impact of the breach on Panasonic Australia is unknown but could present a serious liability for the confidentiality of the company's stolen documents.Cyber Security Agency of Singapore Issues Advisory
Singapore's Cyber Security Agency (CSA) along with the country's Personal Data Protection Commission (PDPC) issued an advisory to organizations instructing them to report Akira ransomware attacks to respective authorities rather than paying ransom demands. The advisory was released shortly after an Akira ransomware group attack on the Shook Lin & Bok law firm. While the firm still continued to operate as normal, it had reportedly paid a ransom of US$1.4 million in Bitcoin to the group. The Akira ransomware group had demanded a ransom of US$2 million from the law firm earlier, which was then negotiated down after a week, according to the SuspectFile article. The Cyber Security Agency of Singapore (CSA) stated that it was aware of the incident and offered assistance to the law firm. However, it cautioned against similar payments from other affected victims. "Paying the ransom does not guarantee that the data will be decrypted or that threat actors will not publish your data," the agency stated. "Furthermore, threat actors may see your organisation as a soft target and strike again in the future. This may also encourage them to continue their criminal activities and target more victims." The Singaporean authorities offered a number of recommendations to organizations:- Enforce strong password policies with at least 12 characters, using a mix of upper and lower case letters, numbers, and special characters.
- Implement multi-factor authentication for all internet-facing services, such as VPNs and critical system accounts.
- Use reputable antivirus or anti-malware software to detect ransomware through real-time monitoring of system processes, network traffic, and file activity. Configure the software to block suspicious files, prevent unauthorized remote connections, and restrict access to sensitive files.
- Periodically scan systems and networks for vulnerabilities and apply the latest security patches promptly, especially for critical functions.
- Migrate from unsupported applications to newer alternatives.
- Segregate networks to control traffic flow between sub-networks to limit ransomware spread. Monitor logs for suspicious activities and carry out remediation measures as needed.
- Conduct routine backups following the 3-2-1 rule: keep three copies of backups, store them in two different media formats, and store one set off-site.
- Conduct incident response exercises and develop business continuity plans to improve readiness for ransomware attacks.
- Retain only essential data and minimize the collection of personal data to reduce the impact of data breaches.
University of Arkansas Leads Initiative to Improve Security of Solar Inverters
University of Arkansas Solar Inverter Cybersecurity Initiative
The new project led by the University of Arkansas is funded by the U.S. Department of Energy's Solar Energy Technologies Office (SETO) and aims to strengthen the cybersecurity measures of solar inverters. Solar inverters are used to convert direct current (DC) generated from solar panels into alternating current (AC) that can be used in households and within the energy grid. This effort involves collaboration among multiple universities, laboratories, and industry partners to develop custom-designed controls infused with multiple layers of cybersecurity protocols. [caption id="attachment_75768" align="alignnone" width="800"]![University of Arkansas Solar Inverter Cybersecurity Initiative](https://thecyberexpress.com/wp-content/uploads/University-of-Arkansas-Solar-Inverter-Cybersecurity-Initiative.webp)
Securing Renewable Energy and Electric Grids
As electric grids become increasingly digitized and connected, securing these grids becomes a top priority for the U.S. Department of Energy (DOE). The department has stated that while some cyberattacks target information technology (IT) systems, attacks on operating technology (OT) devices such as solar photovoltaic inverters could have potential physical impact, such as loss of power and creation of fires. The department cited an incident in March 2019 in which hackers managed to breach through a utility’s web portal firewall. The attack caused random interruptions to the visibility of segments of the grid from its operators for a period of 10 hours. The DOE's Solar Energy Technologies Office (SETO) is working to ensure that the electric grid is secure and capable of integrating more solar power systems and other distributed energy resources. The agency developed a roadmap for Photovoltaic Cybersecurity, supports ongoing efforts in Distributed Energy Resources (DER) cybersecurity standards, and participates in the Office of Energy Efficiency and Renewable Energy's Cybersecurity Multiyear Program Plan, along with the Department of Energy's broader cybersecurity research activities. The Solar Energy Technologies Office has recommended the use of dynamic survival strategy based on defense-in-depth measures that functional as additional layers of security to secure individual components as well as entire systems. These layers include installing anti-virus software on DER systems (solar inverters and battery controllers) and maintaining virus protection and detection mechanisms on the firewalls and servers integrating these individual systems to the broader system of grid operation. The Office admits that implementation of this strategy into DER technologies can be complex, with different owners, operators, and systems typically involved, but maintains the strategy's importance in reducing potential cyberattacks. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.Patch Now! Center for Cybersecurity Belgium Warns About Critical Vulnerabilities in Telerik Report Server
Progress Telerik Vulnerabilities Overview
The CCB detailed all four vulnerabilities, associated risks and working exploits, and provided links that contain additional details about each vulnerability.Insecure Deserialization Vulnerabilities
The first two vulnerabilities (CVE-2024-1801 and CVE-2024-1856) are insecure deserialization vulnerabilities in Progress Telerik Reporting. Attackers could exploit these vulnerabilities to run arbitrary code. An attacker with local access could potentially exploit CVE-2024-1801, while CVE-2024-1856 may be exploited remotely if specific web application misconfigurations are in place.Remote Code Execution Vulnerability
The third vulnerability (CVE-2024-1800) is an insecure deserialization vulnerability in the Progress Telerik Report Server. Successfully exploitation of the vulnerability could allow for remote execution of arbitrary code on affected systems. Progress Telerik Report Server versions prior to 2024 Q1 (10.0.24.130) are vulnerable to this issue.Authentication Bypass Vulnerability
An additional vulnerability, CVE-2024-4358, that was disclosed later affects the Telerik Report Server. This is an authentication bypass vulnerability that could allow an unauthenticated attacker to gain access to restricted functionality within the Progress Telerik Report Server. The issue affects Progress Telerik Report Server versions up to 2024 Q1 (10.0.24.305).Recommended Actions for Telerik Vulnerabilities
The Centre for Cybersecurity Belgium strongly recommends applying, after thorough testing, the latest available software updates of Progress Telerik on vulnerable devices. Progress Telerik has explicitly stated that the only way to remediate the earlier three reported vulnerabilities was by updating to the latest available version (10.1.24.514). For the authentication bypass vulnerability (CVE-2024-4358), Progress Telerik has published a temporary mitigation. This mitigation involves applying a URL Rewrite rule in IIS to deny access to the vulnerable "startup/register" path. The Centre for Cybersecurity Belgium urges organizations to bolster their monitoring and detection capabilities to be alert for any malicious activities associated with these vulnerabilities. Organizations are further advised to check the list of users within the Progress Telerik Report Server to ensure that there is no addition of unauthorized accounts while responding quickly to detected intrusions. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.Researchers Warn About Phishing Emails That Trick Users Into Pasting Malicious Commands
'Paste and Run' Phishing Technique
The attackers behind the campaign send emails to potential victims purporting to be from legitimate businesses or organizations. Researchers from AhnLab stated that these emails often involve topics such as fee processing or operational instructions to entice recipients into opening attached files. The emails contain a file attachment with disguised intent, as in the examples below. [caption id="attachment_75497" align="alignnone" width="1200"]![Phishing Ctrl+V Email cybersecurity_3 (Phishing Ctrl+V Email cybersecurity)](https://thecyberexpress.com/wp-content/uploads/Phishing-CtrlV-Email-cybersecurity_3-Phishing-CtrlV-Email-cybersecurity.webp)
![Phishing Cybersecurity](https://thecyberexpress.com/wp-content/uploads/Phishing-Cybersecurity.webp)
Phishing Scheme Installs DarkGate Malware
The PowerShell script downloaded and executed by the scheme is a component of the DarkGate malware family. Once the script is run, it downloads and executes an HTA (HTML Application) file from a remote command-and-control server. The HTA file then executes additional instructions to launch an AutoIt3.exe file while passing a malicious AutoIt script (script.a3x) as an argument. The script appears to load the DarkGate malware to infect the system while also clearing the user's clipboard to conceal the execution of malicious commands. "The overall operation flow from the reception of the email to the infection is quite complex, making it difficult for users to detect and prevent," the researchers noted. [caption id="attachment_75496" align="alignnone" width="1200"]![Email Phishing Ctrl+ V](https://thecyberexpress.com/wp-content/uploads/Email-Phishing-Ctrl-V.webp)
Protecting Against the Phishing Campaign
The researchers advised email recipients to remain cautious when handling unsolicited emails, even if they appear to be from legitimate sources, to avoid falling victim to the phishing campaign. Recipients should refrain from opening attachment files or clicking on links until they can verify the email sender and its content. "Users must take extra caution when handling files from unknown sources, especially the URLs and attachments of emails," the researchers emphasized. Additionally, recipients should also be wary of any messages that prompt them to execute commands, as it is a common tactic used by attackers to compromise systems. Upon receiving such requests, it is recommended to either ignore the email or report it to your organization's IT security team. The researchers also shared various indicators of compromise (IOCs) such as Base64-encoded PowerShell commands, HTA files, and Autoit scripts, download URLs, file signatures and behavioral indicators associated with the campaign. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.Researchers Accidentally Discover Bypass in Self-Service Check-In System of Hotel
Kiosk Mode Bypass Grants Access To Hotel's Windows Desktop
The hotel, which had no check-in staff, relied solely on the self-service check-in terminal running the Ariane Allegro Scenario Player in kiosk mode. Visiting researchers from Pentagrid discovered that the check-in terminal crashed when a single quote character was inserted into its guest search feature. Upon trying to interact with the terminal screen after the crash, the Windows operating system asks the user if it should wait longer or stop the running task. Selecting the second option halts the kiosk mode application entirely, unexpectedly allowing the team to access the underlying Windows Desktop. The researchers attributed the flaw as an accidental discovery by Martin "O'YOLO" Schobert. The researchers state that this bypass poses significant risks as attackers with access to the Windows desktop could potentially target a hotel's entire network, access stored data (including PII, reservations, and invoices), or create room keys for other hotel rooms by exploiting its RFID room-provisioning functionality. The kiosk mode bypass vulnerability has been rated with a CVSS score of 6.8 (medium). The researchers specified the following preconditions as necessary for successful exploitation of the vulnerability:- Physical access to the check-in terminal along with time, depending upon the attack's preparation.
- The check-in terminal must be in a self-service state, as hotels might enable this option only during specific times or during staff shortage.
Disclosure Process and Vendor Response
The vulnerability's discovery led the team to investigate further, finding that a hotel chain from Liechtenstein and Switzerland use the check-in terminal for smaller hotel locations. The vulnerability could potentially affect several hotels that rely on Ariane's Allegro Scenario Player check-in system. The researchers first discovered the vulnerability on March 5, 2024, and immediately attempted to disclose it to the vendor through multiple channels, such as LinkedIn, contact numbers and official email addresses. The researchers also attempted to reach out to the company's technical leader and chief product officer, finding a delayed response on March 18 in which Ariane Systems claimed that the reported systems were legacy software models, and that no personally identifiable information (PII) or exploitable data could be retrieved from the kiosk machine. However, the researchers dispute the vendor's claim, stating that the kiosk was designed to produce and keep accessible invoice files. In a later call with Ariane Systems on April 11, further vulnerability details were shared, with the researchers awaiting a response. They state that as of June 5, 2024, there have been no updates from the vendor. They cite the initial delays and lack of additional updates as reasons for publicly disclosing the vulnerability after a waiting period of 90 days. To mitigate potential risks stemming from the vulnerability, the researchers recommended that hotels using the Ariane Allegro Scenario Player check to make sure they have the most recent version of the software installed, as the issue was reportedly fixed by the vendor. Additionally, they advised hotels to isolate check-in terminals to prevent potential bypasses that could allow attackers to compromise hotel networks or underlying Windows systems. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.Researcher Develops ‘TotalRecall’ Tool That Can Extract Data From Microsoft Recall
TotalRecall Tool Demonstrates Recall's Inherent Vulnerabilities
Recall is a new Windows AI tool planned for Copilot+ PCs that captures screenshots from user devices every five seconds, then storing the data in a local database. The tool's announcement, however, led many to fear that this process would make sensitive information on devices susceptible to unauthorized access. TotalRecall, a new tool developed by Alex Hagenah and named after the 1990 sci-fi film, highlights the potential compromise of this stored information. Hagenah states that the the local database is unencrypted and stores data in plain text format. The researcher likened Recall to spyware, calling it a "Trojan 2.0." TotalRecall was designed to extract and display all the information stored in the Recall database, pulling out screenshots, text data, and other sensitive information, highlighting the potential for abuse by criminal hackers or domestic abusers who may gain physical access to a device. Hagenah's concerns are echoed by others in the cybersecurity community, who have also compared Recall to spyware or stalkerware. Recall captures screenshots of everything displayed on a user's desktop, including messages from encrypted apps like Signal and WhatsApp, websites visited, and all text shown on the PC. TotalRecall can locate and copy the Recall database, parse its data, and generate summaries of the captured information, with features for date range filtering and term searches. Hagenah stated that by releasing the tool on GitHub, he aims to push Microsoft to fully address these security issues before Recall's launch on June 18.Microsoft Recall Privacy and Security Concerns
Cybersecurity researcher Kevin Beaumont has also developed a website for searching Recall databases, though he has withheld its release to give Microsoft time to make changes. Microsoft's privacy documentation for Recall mentions the ability to disable screenshot saving, pause Recall on the system, filter out applications, and delete data. Nonetheless, the company acknowledges that Recall does not moderate the captured content, which could include sensitive information like passwords, financial details and more. The risks extend beyond individual users, as employees under "bring your own device" policies could leave with significant amounts of company data saved on their laptops. The UK's data protection regulator has requested more information from Microsoft regarding Recall and its privacy implications. Amid criticism over recent hacks affecting US government data, Microsoft CEO Satya Nadella has emphasized its need to prioritize security. However, the issues surrounding Recall demonstrate that security concerns were not given sufficient attention, and necessitate inspection of its data collection practices before its official release. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.U.S. Navy Punishes Senior Enlisted Leader for Operating Wi-Fi Network On Ship
U.S. Navy Chief Attempted to Cover Up Illicit Network
The U.S. Navy began investigating the ship's network installation in June 2023 when a crew member attempted to report the network to the ship's commanding officer. However, Marrero intercepted the tip from being sent and avoided sharing information about the deployment of the Wi-Fi network. The installation was eventually uncovered in August after Marrero edited an image of the ship's Starlink data usage to conceal the Wi-Fi network's activity. Prosecutors believe Marrero attempted this operation to impede pending disciplinary action against another sailor. It is unclear if the sailor was involved with the operation of the Wi-Fi network. Marrero, who had a background in Navy intelligence, was relieved of her leadership position aboard the Manchester in September 2023 due to a "loss of confidence," the Navy's Surface Force Pacific (SURFPAC) command said in a statement. The phrase “loss of confidence” is commonly used as a euphemism among military branches to announce that that enlisted officers and senior leaders have been relieved of their duty and while avoiding specific details or behavior behind the decision such as performance or misconduct. Marrero later faced a court-martial, where she pleaded guilty to willful dereliction of duty and making false statements to her superiors. She was also demoted from the E-8 level rank to E-7 as punishment.Other U.S. Sailors Implicated in the Wi-Fi Scandal
The Navy has also disciplined other sailors in connection with the illegal Wi-Fi network. While details of their involvement are scarce, a spokesperson for the Navy confirmed that other sailors were also punished for their role in the operation of the illicit network. The extent of their punishments is not yet clear, as the spokesman declined to provide further details. The Manchester's gold crew has faced significant changes in the past year, with Marrero and the ship's second-in-command, Cmdr. Matthew Yokeley, both being relieved of their duties. The Manchester, which was in or around San Diego, Hawaii and Guam during Marrero's alleged deeds, is a littoral combat ship assigned to SURFPAC, part of the U.S. Pacific Fleet. The reasons for Yokeley's ouster are unclear, and SURFPAC officials have declined to provide further details. In previous official press releases relating to the dismissal of Navy officers for unspecified reasons, such as the relieving of commodore Richard A. Zaszewski in March 2024, and commodore James Harne from duty in December 2023, the navy often made the following statement:Navy leaders are held to high standards of personal and professional conduct. They are expected to uphold the highest standards of responsibility, reliability, and leadership, and the Navy holds them accountable when they fall short of those standards.This incident serves as a reminder of the security concerns stemming from the use of unauthorized networks or digital communications while operating in official military or Navy duty. An official press release from the Navy, along with further information on other punishments involved with the unauthorized network, is expected in the coming months. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
Google Announces Investment in 15 New Cybersecurity Clinics Across the U.S.
Cybersecurity Clinics Aim At Building Resilient Workforce
The cybersecurity clinic initiative, launched in collaboration with the Consortium of Cybersecurity Clinics, invites higher education institutions to apply for funding to establish new clinics. Approved clinics will receive $1 million in cybersecurity funding, mentorship, Titan Security Keys (phishing-resistant 2FA keys), and scholarships for Google's Cybersecurity Certification. Mentorship from these clinics attempts to serve as a bridge between academic knowledge and real-world application by allowing students to gain important hands-on experience. The clinics will also help regional organizations protect themselves from potential cyber threats. For example, Indiana University cybersecurity clinic students have been helping the local fire department in devising contingency plans for online communications compromise scenarios. At the Rochester Institute of Technology, students helped their local water authority review and improve their IT security configurations across operating sites. Google's collaboration page mentions the list of institutions through which the new cybersecurity clinics will be set up, marking them as 'New Grantees':- Tougaloo College
- Turtle Mountain Community College
- University of Hawai’i Maui College
- Cyber Center of Excellence (CCOE), San Diego State University (SDSU), California State University San Marcos (CSUSM) and National University
- West Virginia State University
- Dakota State University
- University of North Carolina Greensboro
- University of Arizona
- Franklin Cummings Tech
- Spelman College
- NSI CTC - HUSB
- Northeastern State University in Oklahoma
- Trident Technical College
- Eastern Washington University
- The University of Texas at El Paso
![Consortium of Cybersecurity Clinics Google Active](https://thecyberexpress.com/wp-content/uploads/Consortium-of-Cybersecurity-Clinics-Google-Active.webp)
- University of Texas at San Antonio
- UC Berkeley
- Rochester Institute of Technology
- Massachusetts Institute of Technology
- Stillman College
- Indiana University
- University of Nevada, Las Vegas
- The University of Alabama
- University of Georgia
- University of Texas at Austin
Clinics Attempt to Focus on Diversity and Inclusivity
In the announcement, Google also affirmed its commitment to foster diversity and inclusivity within the cybersecurity industry. In recognition of these values, Google has has extended its cybersecurity funding support to organizations such as the Computing Alliance of Hispanic-Serving Institutions (CAHSI), Stillman College, and the American Indian Science and Engineering Society (AISES). These institutions aid colleges and universities that served large populations of minorities such as black, Hispanic, indigenous or tribal students. "Cyber attacks are a threat to everyone's security, so it's essential that cyber education is accessible," said a Google spokesperson. "With these newest 15 clinics, we're supporting institutions that serve a variety of students and communities: traditional colleges and universities as well as community and technical colleges in both rural and urban communities." [caption id="attachment_75162" align="alignnone" width="588"]![Cybersecurity Diversity Cybersecurity Clinics](https://thecyberexpress.com/wp-content/uploads/Cybersecurity-Diversity-Cybersecurity-Clinics.webp)