
Freaky Friday! #BlueScreenDay Trends on X After Major CrowdStrike-Related Windows Outage

CrowdStrike Outage

A significant number of Windows users around the globe have been grappling with a severe technical issue: the Blue Screen of Death (BSOD). The error, which has caused many Windows systems to crash, has been traced back to a file named “csagent.sys” associated with CrowdStrike’s Falcon Sensor. The outage has disrupted operations across various sectors and is generating widespread frustration among users. The issue first came to light when users began experiencing sudden system crashes upon startup or reboot. The problem quickly spread, with social media platforms becoming a hive of activity as users shared their distressing experiences. The BSOD error, linked to CrowdStrike’s Falcon Sensor, has affected users in numerous countries including the US, Germany, India, and Japan, among others.

Social Media in Uproar: CrowdStrike-Linked Windows BSOD Sparks Global Reaction

On Twitter, the reaction to the blue-screen chaos caused by CrowdStrike has been a mix of frustration, sarcasm, and humor. Many users turned to social media to express their annoyance and share humorous takes on the situation. Here's a glimpse of the social media reaction:
  1. @sxchopea lightened the mood with a tweet: “Happy International Blue Screen Day 😍.” The caption was paired with a picture of a meeting room, suggesting a global acknowledgment of the mishap.
  2. Another X user, Craig Campbell (@flappg), expressed frustration with a touch of sarcasm: “Well today’s a good day to come back to work. Cheers CloudStrike.”
  3. Wayne Jeffrey (@WayneJeffrey78) captured the predicament of IT professionals: “IT people realizing their quiet Friday just turned to sh1t!!! #Microsoft #CloudStrike.”
  4. Shaun Tremayne (@shauntremayne) expressed frustration with the lack of information available: “So who is having a bad day with @Azure, @Microsoft Active Directory & CloudStrike? Love the CloudStrike website’s lack of information but advertising scare tactics to buy in!”
  5. Zem (@Zemochcb) noted the broader implications of the incident: “This is what happens when so many organisations rely on a single system.”
  6. MistyVelo (@MistyVelo) provided a whimsical take: “Oh boy, this is gonna be a wild ride! Imagine you’re in a super cool underwater city called Bikini Bottom, and Cloudstrike helps with computer stuff. But uh-oh, they had a little hiccup!”
  7. Karmay (@Karmaycholera) reflected on the broader impact: “If you really think about it, you will realise how much of a blunder it creates when a single company runs every major thing. If that goes down, airports, servers, and even banks have to completely shut down. Also shows how widely used Microsoft systems are.”
  8. Ian Patterson (@ianpatterson99) provided a technical perspective: “So the worldwide IT outage is being blamed on Cloudstrike - some antivirus SW used on some Windows systems. Most Windows machines aren’t built by hand - the software on them is built centrally - so the fix isn’t quite as below to do it manually. But still.”

Crowdstrike and Future Implications

In response to the widespread Windows outage, CrowdStrike released a comprehensive statement addressing the BSOD issue, acknowledging its awareness of the problem along with its current action plan. The BSOD crisis also serves as a reminder of the complex interdependencies in modern IT ecosystems. With critical systems and services affected, the incident has far-reaching implications for businesses and organizations worldwide. As the situation evolves, users and companies alike will be closely watching for updates and solutions to this significant technical disruption.

Bassett Furniture Discloses Cyberattack Amidst Financial Slump

Bassett Furniture Data Breach

Bassett Furniture Industries has disclosed a major cyberattack that has severely disrupted its operations. The Virginia-based company revealed in a recent filing with the U.S. Securities and Exchange Commission (SEC) that it detected the breach on July 10, 2024. The Bassett Furniture data breach led to immediate shutdowns of several systems and halted manufacturing processes, posing serious challenges for the company’s business continuity. "On July 10, 2024, Bassett Furniture Industries, Incorporated (the “Company”) detected unauthorized occurrences on a portion of its information technology (IT) systems," reads the SEC filing.

Bassett Furniture Data Breach and Initial Response

Bassett detected unauthorized activity on its information technology (IT) systems on July 10, 2024. The company swiftly initiated its incident response plan, which involved taking immediate steps to contain the breach. This included shutting down affected systems to prevent further damage and initiating an investigation into the nature and scope of the attack. According to the initial filing, the cyberattack disrupted Bassett’s business operations by encrypting some of its data files. As a precautionary measure, the company temporarily halted its manufacturing processes. However, Bassett’s retail stores and e-commerce platform remained operational, allowing customers to place orders and purchase merchandise. Despite this, the company’s ability to fulfill orders was impacted due to the disruption of its manufacturing capabilities. "As a result of the Company’s containment measures, which included shutting down some systems, the Company has not been, and, as of the date of this Report is not operating its manufacturing facilities. The Company’s retail stores and e-commerce platform are open, and customers are able to place orders and purchase available merchandise; however, the Company’s ability to fulfill orders is currently impacted," the SEC filing reads further.

Ongoing Investigation and Business Impact

As the investigation into the Bassett Furniture cyberattack continues, Bassett stated that the full extent and impact of the attack are not yet known. The company has emphasized that, at this time, there is no evidence to suggest that personal information from consumers was compromised. Nonetheless, the incident has had a material impact on Bassett’s business operations, with potential ongoing effects as recovery efforts proceed. The company is actively working to restore its affected IT systems and implement workarounds to mitigate disruption. Despite these efforts, the cyberattack is expected to continue affecting the company’s operations until the recovery process is complete.

Financial Implications and Restructuring Efforts

On the same day that Bassett disclosed the cyberattack, the company also reported its second-quarter earnings. The financial results reflected the strain on the business, with revenues decreasing by 17% year-over-year to $83.4 million. Bassett reported an operating loss of $8.5 million for the quarter, a significant decline from the operating profit of $2.5 million recorded in the same period last year. In response to the financial pressures and operational challenges, Bassett announced a restructuring strategy aimed at realigning its business operations and addressing the issues exacerbated by the cyberattack. The company’s restructuring efforts are expected to play a crucial role in its recovery and long-term stability.

Cybersecurity Trends and Regulatory Changes

Bassett’s cyberattack highlights a growing trend in the design and manufacturing sectors, with high-profile companies like auction house Christie’s also falling victim to similar breaches. These incidents often come with ransom demands and represent a significant financial burden on affected businesses. The broader impact of such cyberattacks extends beyond immediate disruptions, costing American businesses billions annually. The increased transparency around cybersecurity incidents may be attributed to recent regulatory changes. Late last year, the SEC implemented a new rule requiring publicly traded companies to disclose cyberattacks that could be material to investors. This rule aims to enhance accountability and provide investors with critical information about potential risks. Companies such as Microsoft, Hewlett Packard, and now Bassett have adhered to this new disclosure requirement, bringing to light incidents that may have previously gone unreported. This shift towards greater transparency is crucial for stakeholders and investors, as it provides a clearer picture of the cybersecurity landscape and the risks companies face. For now, Bassett continues to address the repercussions of the cyberattack while embarking on a restructuring strategy to stabilize and strengthen its operations in the face of adversity.

R.R. Donnelley Settles $2.1 Million SEC Charges Over 2021 Cyberattack

R.R. Donnelley Data Breach

The U.S. Securities and Exchange Commission (SEC) has reached a settlement with R.R. Donnelley & Sons Company (RRD), a global provider of business communication and marketing services, for over $2.1 million. The settlement addresses allegations of failures in the company's cybersecurity disclosure and internal controls related to a significant R.R. Donnelley data breach in late 2021. “The Commission instituted this enforcement action because RRD’s controls for elevating cybersecurity incidents to its management and protecting company assets from cyberattacks were insufficient,” said Jorge G. Tenreiro, Acting Chief of the Crypto Assets and Cyber Unit. “RRD did, however, cooperate with our investigation in a meaningful way, and that is reflected in the terms of this settlement.”

Background of R.R. Donnelley Data Breach Case

The SEC's enforcement action, announced on July 18, stems from cybersecurity lapses experienced by RRD, which are said to have compromised critical data integrity and confidentiality. On November 29, 2021, RRD's third-party managed security services provider (MSSP) escalated three security alerts to the company's internal security team. However, the SEC contends that RRD failed to adequately address these alerts and did not conduct its own timely investigation into suspicious activities. The MSSP reportedly reviewed but did not escalate an additional 20 alerts related to the same threat. It wasn’t until December 23, 2021, that RRD began an active response to the cyberattack, following a warning from a company with shared access to RRD’s network. The investigation revealed that attackers had installed encryption software on RRD computers and exfiltrated 70 gigabytes of data from 29 of its 22,000 clients. This R.R. Donnelley data breach included sensitive personal and financial information. RRD made public disclosures about the incident beginning on December 27, 2021.

SEC Allegations and Settlement

The SEC's order accused RRD of violations of Section 13(b)(2)(B) of the Securities Exchange Act of 1934 and Exchange Act Rule 13a-15(a). The allegations centered on two main areas:
  1. Failure to Maintain Adequate Disclosure Controls: The SEC claimed that RRD’s controls for reporting cybersecurity incidents were insufficient. Specifically, the company did not have effective procedures for elevating cybersecurity information to management or for responding to and investigating alerts. The SEC also criticized RRD for lacking a prioritization scheme in its incident response plan and failing to oversee its MSSP’s alert management.
  2. Failure to Implement Internal Controls: The SEC found that RRD did not maintain adequate internal controls to ensure that access to its IT systems was authorized by management. This failure hindered the company's ability to investigate and remediate the incident effectively.
As part of the R.R. Donnelley data breach settlement, RRD agreed to pay a $2,125,000 civil penalty and to cease and desist from further violations of these provisions. The company did not admit or deny the SEC's findings but committed to adopting new cybersecurity technologies and controls. The SEC noted that RRD’s cooperation during the investigation, including its early reporting of the incident and voluntary enhancements to its cybersecurity measures, was a factor in the settlement terms. The SEC’s settlement with RRD highlights the importance of maintaining effective disclosure and internal controls related to cybersecurity. As regulatory scrutiny intensifies, companies must ensure that their cybersecurity measures are not only strong but also transparent to management and the public. The SEC’s investigation and the R.R. Donnelley data breach settlement send a clear message: inadequate handling and reporting of cybersecurity incidents can result in significant financial and reputational repercussions.

Federal Judge Dismisses Major Claims in SEC’s Lawsuit Against SolarWinds

SolarWinds Data Breach

A significant portion of the U.S. Securities and Exchange Commission’s (SEC) high-profile lawsuit against SolarWinds, the IT software company at the center of the 2020 cyberattack, was dismissed by a federal judge on Thursday. While the SolarWinds data breach compromised several major tech firms and government agencies, the number of customers affected is thought to be fewer than 100. The recent ruling marks a notable development closely watched by security chiefs and executives concerned about the SEC’s increasing scrutiny of breach management and cybersecurity disclosures to shareholders.

The Court’s Decision on SolarWinds Data Breach

U.S. District Judge Paul Engelmayer’s 107-page decision marked a notable victory for SolarWinds. He concluded that the SEC’s complaint failed to “plausibly plead actionable deficiencies in the company’s reporting of the cybersecurity hack” and criticized the claims for relying on “hindsight and speculation.” The case, filed in October 2023 in the Southern District of New York, targeted both SolarWinds and its Chief Information Security Officer (CISO) Tim Brown. The 98-page complaint accused SolarWinds and Brown of concealing the company’s poor cybersecurity practices and heightened risks leading up to the hack, widely believed to have been orchestrated by Russian intelligence. The hackers inserted malicious code into SolarWinds’ flagship Orion software, which then spread to customers through routine updates. Engelmayer’s ruling found that SolarWinds’ post-hack disclosures were accurate and “fairly captured known facts,” stating that they “read as a whole, captured the big picture: the severity of the SUNBURST attack.” He dismissed the SEC’s allegations that SolarWinds failed to maintain appropriate internal accounting controls, noting that cybersecurity controls do not fall within the scope of accounting. A spokesperson from SolarWinds shared the following statement with the Cyber Express Team:
“We are pleased that Judge Engelmayer has largely granted our motion to dismiss the SEC’s claims. We look forward to the next stage, where we will have the opportunity for the first time to present our own evidence and to demonstrate why the remaining claim is factually inaccurate. We are also grateful for the support we have received thus far across the industry, from our customers, from cybersecurity professionals, and from veteran government officials who echoed our concerns, with which the court agreed.”

Remaining Claims and Industry Concerns

However, the case is not entirely resolved. Judge Engelmayer allowed the SEC’s claims that SolarWinds and Brown made misleading statements about the company’s cybersecurity on its website to proceed. He found these representations materially misleading, particularly concerning access controls and password protection policies. These claims have alarmed chief security officers, who fear increased personal liability in such cases. The SEC’s lawsuit against SolarWinds, based in Austin, Texas, is notable for targeting a company victimized by a cyberattack without a simultaneous settlement. It is also rare for the SEC to sue public company executives not directly involved in financial statement preparation. The SEC alleged that SolarWinds hid the vulnerabilities in its products before the attack and downplayed its severity afterward. The complaint accused SolarWinds of filing a “boilerplate” disclosure that misrepresented real cyber threats as hypothetical. It also claimed SolarWinds misled the public about the breach’s magnitude once it became known. Judge Engelmayer disagreed, ruling that the anti-fraud laws do not require risk warnings to have “maximum specificity,” which could potentially provide cyberattackers with additional exploitable information. He noted that SolarWinds had disclosed the likelihood of cyberattacks as an inevitable aspect of business, with no obligation to detail individual incidents. The Sunburst attack, which targeted SolarWinds’ Orion software, infiltrated several U.S. government agencies, including the Departments of Commerce, Energy, Homeland Security, State, and Treasury. The full impact of the breach remains unknown, but U.S. officials have attributed the attack to Russia, which has denied responsibility. The ongoing legal battle highlights the complexities and challenges companies face in managing cybersecurity threats and regulatory scrutiny. As the case proceeds, it will continue to be a focal point for cybersecurity professionals and corporate executives alike.

CISA Appoints Jeff Greene and Trent Frazier to Key Leadership Roles

Jeff Greene

The Cybersecurity and Infrastructure Security Agency (CISA) has officially appointed Jeff Greene as Executive Assistant Director for Cybersecurity and Trent Frazier as Assistant Director for Stakeholder Engagement. Both had been serving in these roles in an acting capacity before their formal appointments. “I’m thrilled to welcome Jeff to Team CISA to lead our cybersecurity division and to elevate Trent as the leader of our stakeholder engagement efforts,” said CISA Director Jen Easterly. “Both Jeff and Trent bring a wealth of expertise and experience to these critical roles, and I’m grateful for their willingness to continue to serve our nation. As America’s Cyber Defense Agency and the National Coordinator for critical infrastructure security and resilience, CISA’s efforts to reduce risk to the nation have never been more important, and I’m proud of our ability to continue to attract top talent to lead our teams.”

Jeff Greene to Lead Cybersecurity Division at CISA

In his new role, Greene will spearhead CISA’s mission to protect and strengthen federal civilian agencies and the nation’s critical infrastructure against cyber threats. “CISA’s mission is more important than ever, and the Cybersecurity Division’s work to improve the cybersecurity of our nation – both what the public sees and what goes on behind the scenes – would not be possible without the dedicated and talented people who make up the Division. I’m honored to be part of this team,” Greene remarked. Before his appointment at CISA, Greene held the position of Senior Director at the Aspen Institute, leading the global cybersecurity policy program. His extensive experience also includes serving as Chief for Cyber Response & Policy in the National Security Council at the White House. Additionally, Greene was the Director of the National Cybersecurity Center of Excellence at the National Institute of Standards and Technology (NIST) and served as Vice President of Global Government Affairs and Policy at Symantec. His career also encompasses roles on the House and Senate Homeland Security Committees, as well as legal practice at a prominent Washington, D.C. law firm.

Trent Frazier to Enhance Stakeholder Engagement

Frazier, now the Assistant Director for Stakeholder Engagement, was previously the Deputy Assistant Director for Stakeholder Engagement at CISA. His career at the Department of Homeland Security has been marked by various leadership roles, focusing on protecting and building resiliency within the higher education community, developing cross-border transportation infrastructure, workforce acquisition, and program management. “I am excited to assume the role of Assistant Director and to continue the exceptional progress the Stakeholder Engagement Division has made in advancing CISA’s strategic collaboration across both government and industry over the past several years,” said Frazier. “I look forward to our next evolution, further solidifying meaningful engagement as a cornerstone to CISA’s success.” As the Assistant Director of the Stakeholder Engagement Division (SED) at CISA, Frazier will oversee the agency’s national and international partnerships and stakeholder outreach programs. His responsibilities include directing efforts for shared engagement information and coordination that supports CISA’s unified mission delivery. By leveraging the agency’s convening authorities, Frazier will facilitate the CISA Director’s national coordinator role, overseeing multiple sector and cross-sector functions, including those of Sector Risk Management Agency for eight of the nation’s 16 critical infrastructure sectors. He will also manage multiple partnership and advisory councils that provide advice to both the Director and the President, ensuring that CISA engages directly with subject matter experts to collaboratively identify and address high-priority issues.

Representing CISA Nationally and Internationally

Frazier's new role will see him regularly representing CISA to senior administration officials, engaging with congressional leaders, and participating in bilateral and multilateral exchanges with both domestic and international partners on a wide range of policy and operational concerns. His previous work at the Department of Homeland Security included roles that earned him the Secretary’s Award for Excellence and multiple leadership awards. Frazier holds a Juris Doctorate from Washington University School of Law and a Bachelor of Arts from the University of Missouri at Columbia. He began his federal career as a Presidential Management Fellow and has been a fellow in the Harvard Senior Executive Fellows Program. The appointments at CISA of Greene and Frazier will be instrumental in advancing CISA’s mission to safeguard the nation’s critical infrastructure and enhance collaboration across government and industry sectors.

Fractal ID Confirms Data Breach, Impacting User Security in Web3 Platforms

Fractal ID Data Breach

Blockchain identity platform Fractal ID experienced a data breach on July 14, which it publicly disclosed on its website and on X, formerly known as Twitter, on July 17. The Fractal ID data breach has raised concerns about the security of personal data within the Web3 ecosystem, particularly among Fractal ID's partners, which include prominent platforms like Gnosis Pay, Acala, Polygon ID, and Lukso. Fractal ID revealed that approximately 0.5% of its user base was affected by the breach. The company did not specify which of its partners, if any, were directly impacted. However, users on social media platform X reported receiving emails from the Gnosis Pay team, advising them to be wary of unsolicited communications.

Details of the Fractal ID Data Breach

According to Fractal's official notification, the data breach occurred on July 14, when a third party gained unauthorized access to an operator’s account and executed an API script to access user data. The Fractal ID cyberattack began at 05:14 AM UTC and was detected and contained by 07:29 AM UTC. Despite the quick response, the attacker accessed the personal data of approximately 0.5% of Fractal ID's user base, which includes names, email addresses, wallet addresses, phone numbers, physical addresses, and images of uploaded documents. "The attacker had access to data from approximately 0.5% of the Fractal ID user base. The potential compromised information includes information contained in Fractal ID user profiles. This data may include names, email addresses, wallet addresses, phone numbers, physical addresses, images and pictures of uploaded documents," reads the official statement of Fractal ID. Fractal ID emphasized its commitment to user security and privacy, stating, "We have taken immediate steps to mitigate the impact of this breach and have implemented additional security measures. We have also contacted the pertinent data protection authorities and the cybercrime police division." "The breach was contained within our environment and did not affect any of our clients' systems, or their products that use our services. Data breaches can result in the accessed data being shared with third parties or used for commercial purposes. We encourage affected users to be cautious of unsolicited communications requesting additional personal information," informed Fractal ID. [Image: Fractal ID data breach notice. Source: Fractal ID's X account] Fractal also warned users to be wary of unsolicited communications requesting additional personal information.

Reactions and Speculations

The breach has sparked significant concern among users and partners. A Twitter account named "ethereal" expressed frustration, questioning the trust placed in service providers with sensitive personal information. [Image: Fractal ID data breach reaction. Source: etherael's X account] Web3 developer Paulo Fonseca also shared an image of an email reportedly sent to some Gnosis Pay users, which stated, "At 7:30 PM CET on Monday, July 15, 2024, our KYC service provider Fractal ID notified the Gnosis Pay team of a data breach that occurred on Sunday, July 14, 2024." [Image: Paulo Fonseca's post. Source: Paulo Fonseca's X account] Adding to the complexity of the situation, on July 16, Gnosis Pay tweeted about a separate security incident involving an exploit on the Li.Fi/Jumper service. They disabled the widget in their web app and provided steps for users to revoke token approvals. This exploit reportedly led to a loss of nearly $10 million in cryptocurrency, as reported by The Cyber Express Team. The Li.Fi attack, which occurred on July 16, targeted a vulnerability in Li.Fi’s contract, allowing attackers to drain funds from users’ wallets. [Image: Fractal ID cyberattack. Source: Gnosis Pay's X account]

Potential Connections and Broader Implications

While there is no confirmed link between the Fractal ID breach and the Li.Fi exploit, the coincidence of timing raises questions. The Cyber Express Team reached out to Gnosis for comment but did not receive a response before publication. The Fractal ID data breach highlights the vulnerabilities inherent in systems that handle sensitive user data, particularly in the context of cryptocurrency and Web3 applications. Most jurisdictions require cryptocurrency exchanges or payment providers to collect and store Know Your Customer (KYC) information, which includes images of users' identity documents, names, physical addresses, emails, and other sensitive data. Supporters of KYC requirements argue that this practice is essential for preventing money laundering and other illicit activities. However, critics contend that the storage of such sensitive data poses significant risks, as evidenced by the Fractal ID breach.

Don’t Be Fooled: URL Protection Services Can Be a Phishing Trap

URL protection services

Cybercriminals are exploiting legitimate URL protection services to mask malicious URLs in phishing emails, as detailed in a recent Threat Spotlight by Barracuda Networks. From mid-May 2024 onwards, Barracuda researchers have detected phishing attacks utilizing three different URL protection services provided by trusted, well-established brands. These attacks have impacted hundreds of companies, potentially affecting even more.

How Attackers Are Exploiting URL Protection Services

URL protection services are designed to enhance email security by rewriting URL links found in emails. They copy the original URL, embed it within a rewritten link, and then scan the link for security threats when the recipient clicks on it. If the scan confirms the URL is safe, the user is redirected to the original site. However, in the observed attacks, users were instead redirected to phishing sites designed to steal sensitive information. Barracuda's analysis suggests that attackers first compromised the accounts of legitimate users to gain access to these URL protection services. Once inside a compromised account, attackers could impersonate the account owner and scrutinize their email communications, a tactic known as business email compromise (BEC) or conversation hijacking. By examining these emails, attackers could identify the specific URL protection service in use. Using the compromised account, attackers would send a phishing email to themselves containing their malicious link. This email would then be processed by the URL protection service, resulting in a rewritten link that attackers could use in their phishing campaigns. “This inventive tactic helps attackers to evade security detection, and the abuse of trusted, legitimate security brands means that recipients are more likely to feel safe and click on the malicious link,” said Saravanan Mohankumar, Manager, Threat Analyst at Barracuda. “The URL protection provider may not be able to validate whether the redirect URL is being used by a customer or by an intruder who has taken over the account. Phishing is a powerful and often successful threat, and cybercriminals will continue to evolve their tools and techniques to maintain this. Security teams need to be prepared.” In the documented cases, malicious URL links were included in emails from domains such as wanbf[.]com and clarelocke[.]com, which mimicked DocuSign and password reset reminders. These deceptive emails are designed to look legitimate, increasing the likelihood that recipients will click on the links.
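The rewrite mechanism and the self-addressed staging step described above lend themselves to mailbox-side triage. The following is an added example written for this page, not Barracuda's or any vendor's code: it unwraps a rewritten link to recover the embedded destination and flags the two patterns the report describes, a brand lure (DocuSign, password reset) whose real destination does not match the brand or sender, and a mailbox emailing itself a link. The rewrite-service host `urlprotect.example` and its `u=` parameter are a hypothetical format (real services each use their own), the DocuSign domain list is an assumption, and the sample emails are constructed, reusing only the sender domains named on the page.

```python
"""Triage of URL-protection-style rewritten links in email (added example)."""
from __future__ import annotations
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, unquote, urlparse

# ASSUMPTION: a hypothetical rewrite service that stores the original
# destination in the 'u' query parameter. Real services differ; adapt this.
REWRITE_HOSTS = {"urlprotect.example"}

# Brands the page says were mimicked, mapped to domains they legitimately use
# (the DocuSign domain list is an assumption made for this example).
BRAND_DOMAINS = {"docusign": {"docusign.com", "docusign.net"}}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


@dataclass
class Email:
    sender: str
    recipient: str
    subject: str
    body: str


def url_domain(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def addr_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def under(host: str, domain: str) -> bool:
    """True if host is domain or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def unwrap_rewritten_url(url: str, max_depth: int = 3) -> str:
    """Recover the original destination embedded in a rewritten link.

    Works offline (no click-through). Nested wrapping is unwound up to
    max_depth so a self-referential wrapper cannot loop forever.
    """
    for _ in range(max_depth):
        if url_domain(url) not in REWRITE_HOSTS:
            return url
        inner = parse_qs(urlparse(url).query).get("u")
        if not inner:
            return url  # wrapper without a recoverable destination
        url = unquote(inner[0])
    return url


def triage(email: Email) -> list[str]:
    """Return human-readable findings for one message (empty list = clean)."""
    findings: list[str] = []
    urls = URL_RE.findall(email.body)
    rewritten = [u for u in urls if url_domain(u) in REWRITE_HOSTS]
    text = (email.subject + " " + email.body).lower()

    # Pattern 1: the staging step. A mailbox mailing a link to itself is how
    # the report says attackers obtained a rewritten link to reuse.
    if urls and email.sender.lower() == email.recipient.lower():
        findings.append("self-addressed message carrying a link "
                        "(possible link staging from a compromised account)")

    for u in rewritten:
        dest = url_domain(unwrap_rewritten_url(u))
        if dest in REWRITE_HOSTS:
            findings.append(f"rewritten link could not be unwrapped: {u}")
            continue
        # Pattern 2a: brand lure whose real destination is not that brand.
        for brand, domains in BRAND_DOMAINS.items():
            if brand in text and not any(under(dest, d) for d in domains):
                findings.append(
                    f"rewritten link presents as {brand} but resolves to {dest}")
        # Pattern 2b: password-reset lure leaving the sender's own domain.
        if "password" in text and "reset" in text \
                and not under(dest, addr_domain(email.sender)):
            findings.append(f"password-reset link leaves sender domain: {dest}")
    return findings


# Constructed sample messages; sender domains are the ones the report names,
# destination domains use the reserved .invalid TLD.
SAMPLE_EMAILS = [
    Email("notice@wanbf.com", "finance@victim.example",
          "DocuSign: Completed document waiting for you",
          "Review and sign: https://urlprotect.example/v2?u="
          "https%3A%2F%2Fdocs-review-secure.invalid%2Fsign"),
    Email("it@clarelocke.com", "user@victim.example",
          "Password reset reminder",
          "Your password expires today: https://urlprotect.example/v2?u="
          "https%3A%2F%2Fportal-reset.invalid%2Flogin"),
    Email("owner@victim.example", "owner@victim.example", "test",
          "https://docs-review-secure.invalid/sign"),
    Email("noreply@docusign.net", "user@victim.example",
          "DocuSign: Please review",
          "https://urlprotect.example/v2?u="
          "https%3A%2F%2Fapp.docusign.net%2Fsigning%2F123"),
]

if __name__ == "__main__":
    for msg in SAMPLE_EMAILS:
        print(msg.sender, "->", msg.recipient, triage(msg) or "clean")
```

The legitimate DocuSign message in the sample set produces no findings, which is the check that the brand rule keys on the unwrapped destination rather than on the rewrite host.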

Implications and Challenges

This method of phishing is particularly insidious because it leverages the inherent trust recipients place in well-known security services. Traditional email security tools, which rely on detecting known malicious patterns or behaviors, may find it difficult to identify these attacks due to their use of legitimate URL protection services. The use of legitimate URL protection services provides a cloak of authenticity, making recipients more likely to trust and click on malicious links. Additionally, because the links have already been processed by a security service, there is a higher likelihood that they will bypass conventional security filters.

Defensive Strategies

Traditional email security tools may struggle to detect these sophisticated attacks. Barracuda advocates a multilayered, AI-powered approach to defense, combining several security layers so that unusual or unexpected activity can be detected and blocked no matter how complex it is. This includes leveraging machine learning to identify anomalies and potential threats at both the gateway level and after email delivery. Furthermore, continuous and comprehensive security awareness training for employees is crucial. Educating employees about the latest phishing tactics and how to identify suspicious emails can significantly reduce the risk of successful phishing attacks. As defenders improve their capabilities to detect and mitigate phishing attacks, adversaries continually adapt their methods. One common technique is URL obfuscation, where attackers use legitimate shortlink services to hide malicious URLs. This approach has now evolved into a more sophisticated strategy that exploits the reputation and trustworthiness of brand-name URL protection services.

How to Protect Financial Data in the Cloud: The US Department of Treasury and FSSCC Have the Answer

US Department of Treasury

The US Department of Treasury and the Financial Services Sector Coordinating Council (FSSCC) released a comprehensive suite of resources aimed at guiding financial institutions in their secure cloud adoption journey. These deliverables result from a year-long collaboration between the Financial and Banking Information Infrastructure Committee (FBIIC) and the FSSCC, under the leadership of the U.S. Department of the Treasury’s Cloud Executive Steering Group (CESG), established in May 2023. The CESG was created at the direction of the Financial Stability Oversight Council (FSOC) to address gaps identified in Treasury's landmark report on the Financial Services Sector’s Adoption of Cloud Services. This initiative aims to provide financial institutions with effective practices for secure cloud adoption and operations and to establish an ongoing effort to address identified gaps.

US Department of Treasury Key Deliverables and Objectives

The published documents target several key areas:
  1. Common Lexicon Development: Establishing a standardized set of terms for financial institutions and regulators to use in discussions regarding cloud services.
  2. Enhanced Information Sharing: Improving coordination for the examination of cloud service providers.
  3. Oversight Assessment: Evaluating existing authorities for overseeing cloud service providers (CSPs).
  4. Third-Party Risk Best Practices: Developing best practices for managing risks associated with CSPs, outsourcing, and due diligence processes.
  5. Cloud Adoption Roadmap: Providing a detailed roadmap for financial institutions considering comprehensive or hybrid cloud adoption strategies.
  6. Security by Design: Enhancing transparency and monitoring of cloud services to ensure better security practices from the outset.
“The completion of these two efforts is the culmination of nearly two years of collaboration to further protect our financial system,” said Deputy Secretary of the Treasury, Wally Adeyemo. “The CESG is now a proven model and a new way for the financial services sector to effectively address our most significant cybersecurity challenges.” “Our financial system is essential infrastructure for the entire economy, and it is deeply reliant on a handful of powerful Big Tech cloud service providers,” stated Consumer Financial Protection Bureau Director Rohit Chopra. “Our work will help protect the financial industry from outages and disruption by leveling the playing field between financial firms of all sizes and big cloud service providers.” “Banks and other financial services firms know they must adapt to new technologies, but many have been uncertain as to how to do so safely and soundly,” said Acting Comptroller of the Currency Michael J. Hsu. “Today’s publications mark a significant step forward by providing a roadmap and helpful resources for banks of all sizes. These documents also clarify cloud service providers’ responsibilities for ensuring a secure and resilient financial system.” “These documents are an important step forward in the CESG's effort to make the cloud safer and more resilient within and beyond the financial services industry,” remarked Bill Demchak, Chairman and CEO of PNC Financial Services Group. “The strong partnership between public- and private-sector leaders allows us to take a more holistic, collaborative approach to defending against evolving threats.”

Workstreams and Outputs

The CESG model represents an unprecedented level of public-private partnership between the US Department of Treasury, FBIIC, FSSCC, and CSPs. The following workstreams were led by the FSSCC:
  1. Cloud Profile 2.0: A cloud security implementation plan for financial institutions of all sizes, developed by the FSSCC Cloud Profile Workstream and the Cyber Risk Institute (CRI). This framework is based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
  2. Financial Sector Cloud Outsourcing Issues and Considerations: Addressing transparency, resource gaps, and operational risks, this document was co-authored by the FSSCC Cloud Outsourcing Issues and Considerations Workstream and the American Bankers Association (ABA), with support from the Securities Industry and Financial Markets Association (SIFMA).
  3. Transparency and Monitoring for Better “Secure-by-Design”: This document includes a service inter-dependency and resilience model and proposes baseline security outcomes and simplified cloud configurations for financial institutions, developed by the FSSCC Transparency and Monitoring Secure-by-Design Workstream and the Financial Services Information Sharing and Analysis Center (FS-ISAC).
Additionally, the FBIIC led the development of:
  1. Cloud Lexicon: A foundational document standardizing cloud terminology for financial institutions and CSPs, led by the Office of the Comptroller of the Currency (OCC).
  2. Coordinated Information Sharing and Examinations Initiative: Enhancing coordination between agencies for CSP examination and information sharing, led by the Consumer Financial Protection Bureau (CFPB).

Future Plans

Under the joint leadership of the FBIIC and FSSCC, the U.S. Treasury and FSSCC plan to publish additional resources related to cloud cyber incident response coordination and cloud concentration risk throughout the year. These efforts aim to integrate CESG deliverables into broader regulatory, oversight, and examination frameworks, thereby strengthening the shared responsibility model for cloud services in the financial sector.

Atturra Acquires Brisbane-Based Advisory Firm Exent in $8 Million Deal to Boost Growth

Atturra Acquisition

Atturra Limited, a prominent player in advisory and technology services, has announced its acquisition of Exent Holdings Pty Ltd, a Brisbane-based advisory and consulting firm specializing in business transformation. Atturra Limited is an ASX-listed technology business specializing in enterprise advisory, consulting, and IT services across various sectors including local government, utilities, education, defence, federal government, financial services, and manufacturing. Known for its partnerships with leading global providers, Atturra serves some of Australia's largest public and private sector organizations.

Strategic Atturra Acquisition for Expansion

The acquisition, facilitated through Atturra's subsidiary Atturra Advisory Pty Ltd, marks a strategic move aimed at enhancing Atturra's advisory capabilities beyond its traditional Canberra and Defence sectors, extending its footprint nationally. Under the terms of the agreement, Atturra will initially pay $6 million in cash for Exent, with an additional $2 million potentially payable post-completion, contingent on Exent achieving specified performance targets in the first half of FY25. The transaction, structured to leverage Exent's forecasted EBITDA contribution, values the acquisition at a multiple of 6.5 times, excluding integration costs projected to be under $400,000. Exent, known for its expertise in vendor-neutral business transformation advisory, specializes in guiding organizations through comprehensive technology, process, and people-centric transformations. With a strong presence in sectors such as aged care and health, Exent has earned recognition for its innovative approach and client-focused outcomes, ranking among Australia's fastest-growing firms. Stephen Kowal, CEO of Atturra, expressed enthusiasm about the acquisition, highlighting Exent's proven track record and strategic fit with Atturra's growth strategy. "As businesses increasingly seek comprehensive advisory services for technology change initiatives, the acquisition of Exent provides us with a strategic entry into new commercial sectors," Kowal stated. "We look forward to integrating Exent's capabilities and welcoming their talented team to Atturra." Founded with a mission to innovate the consulting landscape, Exent has built a reputation for delivering transformative outcomes across diverse sectors. Joe Fazzari, Founder of Exent, emphasized the alignment between the two firms in terms of culture and mission. "Atturra's scale and depth in technology services perfectly complement Exent's capabilities in complex technology advisory and implementation," Fazzari noted. 
"This acquisition propels our shared vision to lead in technology-enabled transformations across Australia."

Enhanced Service Offerings and Opportunities

Managing Partner of Exent, Phil Fowdar, echoed these sentiments, highlighting the acquisition's potential to enhance service offerings and career opportunities for Exent's team. "Joining forces with Atturra allows us to leverage their extensive resources and reputation to further our commitment to delivering impactful client outcomes," Fowdar remarked. "Together, we are well-positioned to establish a leading full-service advisory firm with a distinct competitive edge." The transaction is slated for completion by the end of July 2024, subject to customary closing conditions. Atturra's acquisition of Exent signifies a significant step in expanding its advisory and consulting portfolio, reinforcing its position as a key player in Australia's technology services sector.

Kaspersky Bids Farewell to US Customers, Offers Six Months Free Security

Kaspersky Goodbye Letter

In a heartfelt letter titled "To our Lovely you," Kaspersky Lab, the Russian cybersecurity firm, has announced its departure from the United States market. Addressing its American customers directly, Kaspersky expressed gratitude for their loyalty and trust over the years. The Kaspersky goodbye letter reflects the company's deep appreciation for the support received during these challenging times.

Kaspersky Goodbye Letter: Farewell Message and Gratitude

"Thank you for choosing and trusting Kaspersky throughout the years. We're deeply moved with all the kind words and supportive messages received in these difficult times," the Kaspersky goodbye letter begins. It continues, "We've always strived and remain committed to provide the best cybersecurity there is — independent, transparent, and expertly managed. Unfortunately, for now, you have one less choice in defending yourself against online threats." To show appreciation, Kaspersky is offering its American customers a selection of its security solutions for free for six months. These can be accessed through the "My Kaspersky" portal. However, this gesture is constrained by the Department of Commerce's Bureau of Industry and Security (BIS) ban on the sale and distribution of Kaspersky products, including updates, in the United States, effective September 29. Post-ban, U.S. users will not receive automatic updates or antivirus definitions, which they will need to manually download from Kaspersky's site, if available.

Kaspersky goodbye letter (Source: Kaspersky)

Kaspersky Operational Wind-Down and Layoffs

The company also confirmed the closure of its U.S. operations and the layoff of its entire American workforce, consisting of fewer than 50 employees. This move follows the U.S. government's decision to add Kaspersky to the Entity List, which includes foreign individuals, companies, and organizations deemed a national security concern. In a statement to The Cyber Express, Kaspersky said, "Starting from July 20, 2024, Kaspersky will gradually wind down its U.S. operations and eliminate U.S.-based positions. The decision and process follow the Final Determination by the U.S. Department of Commerce, prohibiting the sales and distribution of Kaspersky products in the U.S."

Impact and Future Prospects

The U.S. ban represents a significant blow to Kaspersky. While U.S. sales comprised roughly 10% of their global revenue and only about 3% of American antivirus users utilized Kaspersky software before the government ban in June, losing access to the U.S. market damages the company's brand reputation and may influence other nations to follow suit. Despite the setbacks, Kaspersky remains optimistic about its future. The company emphasized its resilience and commitment to customer protection worldwide. "Kaspersky’s business remains resilient, and our key priority remains the same – to protect our customers in any country from cyberthreats. Being a global cybersecurity vendor, the company will continue investing in strategic markets and remain committed to serving its customers and partners and ensuring their protection." Kaspersky aims to adapt its sales pipeline and maintain its global presence by focusing on markets with the most potential for business development, such as Asia and South America. "As a global company operating in more than 200 territories and countries, Kaspersky will be able to adapt its sales pipeline and maintain its global presence by focusing on the markets where it sees the most potential for its business development," the company told TCE.

Security Tips for Users

In the farewell letter, Kaspersky offered several security tips for users to follow:
  • Always back up your data.
  • Be cautious of links and verify their source before clicking.
  • Protect your identity online by changing passwords regularly and keeping them long and complex.

Ongoing Scrutiny and Vulnerability Market

While the U.S. has banned Kaspersky, the company's products remain widely used. Critical vulnerabilities in these products are in high demand. For instance, SSD Secure Disclosure, a vulnerability disclosure outfit headquartered in South Korea, has announced "BIG payouts" for pre-authentication remote code/command execution in Kaspersky Security Center, a security management solution for businesses. With the U.S. market now off-limits and pressure from the European Parliament to exclude the use of products from vendors in China and Russia in vital and sensitive sectors, Kaspersky is redirecting its focus to other regions. This strategic shift underscores the company's determination to sustain its global operations amidst increasing geopolitical challenges. Kaspersky Lab's farewell to its American customers marks the end of an era for the company in the U.S. market. As the firm navigates through these turbulent times, its commitment to cybersecurity and customer protection remains steadfast. The departure from the U.S. signifies not just a loss of a significant market but also a pivotal moment that will shape the future direction of Kaspersky's global operations.

Medius Names Fahmi Megdiche as New CISO Amid Global Expansion

Fahmi Megdiche

Medius, a global leader in AP automation and spend management solutions, has announced the appointment of Fahmi Megdiche as its new Chief Information Security Officer (CISO). This strategic move comes as Medius continues its rapid expansion across Europe and America, aiming to enhance its security posture and safeguard its cutting-edge, AI-powered solutions. In a recent LinkedIn post, Fahmi Megdiche expressed his excitement about joining Medius, stating, “I’m thrilled to announce that I've taken on the role of Chief Information Security Officer (CISO) at Medius. Medius is a global leader in AP automation and spend management with cutting-edge technology transforming business financial management. It continues its swift expansion across Europe and America with fantastic business goals and ambition.” He also extended his gratitude to Yosra Hidri, Ahmed Fessi, Kristin Widjer, Branden Jenkins, and Karim Jouini for their trust and support in his new role. “This is an exciting time to join the team, and I'm honored to lead our cybersecurity strategies to sustain and protect our innovative, top-tier AI-powered solutions delivered around the globe,” he added. Based in France, Megdiche will be at the helm of Medius’ cybersecurity strategy, focusing on fortifying key areas such as product development, IT, and security operations. His appointment coincides with Medius’ recent acquisition of Expensya, an employee spend management solution, further solidifying the company's foothold in Europe.

Fahmi Megdiche: A Wealth of Experience

Megdiche’s extensive background in cybersecurity positions him as a valuable asset for Medius. He brings 17 years of experience in building security products and offering security consulting services. His career has been marked by leadership roles in various prominent companies, including Telnet, AUSY, and most recently, WYND, one of France’s fastest-growing SaaS companies. At WYND, he served as both CISO and Data Protection Officer (DPO), where he developed and implemented the company’s security and privacy programs from the ground up. Ahmed Fessi, CTIO of Medius, expressed his enthusiasm for Megdiche’s arrival, stating, “Fahmi will provide strategic insights and product-specific security knowledge, which will allow us to strengthen our internal defenses and improve our offerings to customers. We’re excited to welcome Fahmi’s expertise as a significant security leader to Medius as we work against an external environment where criminals are getting increasingly innovative with how they target companies.”

Addressing Modern Business Challenges

In his new role, Megdiche will focus on addressing the multifaceted challenges faced by businesses today, from the rise of AI to increasing fraud and data protection issues. “Businesses are facing multiple challenges; from the rise of AI to increasing fraud and data protection issues, new technologies are creating new challenges for organizations globally. To prepare for these challenges, carefully considered strategies are needed. Helping Medius enhance their security and privacy plans, along with examining our offerings to customers, will be core parts of my role. I look forward to working on the Medius product suite, which is already an essential solution for financial leaders looking for secure and innovative AP and spend management solutions,” he stated. Medius is well-known for its autonomous, AI-driven AP and spend management solutions designed to eliminate fraud and inefficiencies in business financial management. As Medius expands its geographical frontiers and broadens its product offerings, the appointment of a seasoned cybersecurity leader like Megdiche highlights the company’s dedication to maintaining the highest standards of security and privacy. His leadership is expected to drive significant advancements in Medius’ security strategies, benefiting both the company and its customers in navigating the complex cybersecurity challenges of today’s digital world.

UAE E-commerce Ghayar Hit by Potential Data Breach: 7,100 Users at Risk?

Ghayar data breach

A threat actor has recently claimed to have leaked sensitive data from Ghayar, a UAE-based e-commerce platform specializing in spare parts. According to the allegations, the Ghayar data breach occurred in July 2024 and compromised the personal information of approximately 7,100 users. The potentially exposed data reportedly includes customer IDs, names, email addresses, country codes, mobile numbers, passwords, and customer statuses.

Extent of the Alleged Ghayar Data Breach

The threat actor's claim details the extent of the compromised data, highlighting significant risks for the affected users. The exposed information includes:
  • Customer IDs: Unique identifiers for users on the Ghayar platform.
  • Names: Full names of the customers.
  • Email Addresses: Personal email addresses used for account registration.
  • Country Codes: Codes indicating the customers' countries of residence.
  • Mobile Numbers: Contact numbers associated with the user accounts.
  • Passwords: Encrypted or possibly plaintext passwords.
  • Customer Statuses: Information regarding the customers' activity and status on the platform.
Despite these extensive details, the threat actor has not disclosed any specific motive behind the Ghayar cyberattack. This lack of clarity raises questions about whether the breach was driven by financial gain, a desire to damage Ghayar's reputation or another unknown reason. Ghayar e-Dealing, a limited liability company (L.L.C) registered in the Emirate of Dubai, UAE, owns and operates the website and the Ghayar App. The company specializes in providing spare parts for all types of vehicles, offering quick and safe delivery services. Ghayar is committed to global policies that guarantee the quality of spare parts and provide flexible return options to ensure total customer satisfaction. As of the time of writing, the Ghayar official website remains fully functional, with no visible signs of disruption or foul play. To verify the claim of the data breach, The Cyber Express Team reached out to Ghayar officials for comment. However, no response has been received, leaving the claim unverified at this moment. The Cyber Express will update the story as soon as more information becomes available.

Previous Incidents in the Sector

This alleged data breach at Ghayar follows another significant incident involving Advance Auto Parts, Inc., a major provider of automobile aftermarket components. In this case, a threat actor using the handle “Sp1d3r” claimed responsibility for stealing three terabytes of data from the company’s Snowflake cloud storage. The stolen information was allegedly being sold for $1.5 million. Advance Auto Parts reported the data breach to the US Securities and Exchange Commission (SEC) in June 2024. In their SEC filing, the company detailed the unauthorized access and subsequent investigation: "On May 23, 2024, Advance Auto Parts, Inc. identified unauthorized activity within a third-party cloud database environment containing Company data and launched an investigation with industry-leading experts. On June 4, 2024, a criminal threat actor offered what it alleged to be Company data for sale. The Company has notified law enforcement." The Advance Auto Parts incident underscores the vulnerability of cloud storage solutions and the critical need for robust cybersecurity measures.

Implications and Recommendations

For the customers potentially affected by the alleged Ghayar data breach, several precautionary measures are recommended to protect their information:
  1. Change Passwords: Users should change their passwords for Ghayar and any other accounts where they might have used the same password.
  2. Enable Two-Factor Authentication (2FA): Adding an extra layer of security to their accounts.
  3. Monitor Accounts: Keeping a close watch on financial accounts and email for any suspicious activity.
  4. Be Wary of Phishing Attempts: Users should be cautious of any unusual emails or messages, especially those asking for personal information.
  5. Update Security Software: Ensuring all devices have the latest security software installed to protect against potential threats.
The lack of response from Ghayar's officials leaves the situation unresolved, but the potential implications for affected customers are serious. The Cyber Express will continue to monitor the situation and provide updates as more information becomes available. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Cyber Insurance for Supply Chains: Is It Worth the Investment?

Cyber Insurance

Imagine waking up to discover that hackers have breached your company's defenses, accessed sensitive customer data and crippled your operations. This nightmare became a reality for Snowflake on May 31, 2024, when attackers infiltrated customer accounts using single-factor authentication. Leveraging credentials obtained through infostealing malware, these cybercriminals launched data breaches starting in April 2024. Snowflake initially downplayed the impact, calling it "limited," but a deeper investigation by Mandiant revealed a much graver scenario: 165 customers, including giants like Ticketmaster, Advance Auto Parts, and Santander, were affected. Snowflake's ordeal is far from an isolated incident. The infamous SolarWinds attack saw hackers inject a backdoor into a software update of this popular networking tool, granting them remote access to thousands of corporate and government servers worldwide. This massive breach led to numerous security incidents and exposed critical data. Similarly, British Airways found itself in hot water when a Magecart supply chain attack compromised its trading system, leaking sensitive customer information. These high-profile cyberattacks shine a spotlight on the escalating vulnerabilities within supply chains, underlining the dire need for robust cybersecurity measures. As these threats continue to grow, businesses are left pondering a critical question: Is investing in cyber insurance worth it? This article explores the potential benefits and challenges of cyber insurance, helping businesses determine if it's a worthy investment for safeguarding their operations against the ever-evolving cyber threat landscape.

Understanding Cyber Insurance

Cyber insurance, also known as cyber liability or cybersecurity insurance, is a specialized contract designed to mitigate the financial risks associated with online business operations. By paying a monthly or quarterly fee, businesses can transfer some of their cyber risk to an insurer. Unlike traditional insurance plans, cyber insurance policies are highly dynamic, often changing from month to month to keep pace with the evolving nature of cyber threats. This variability is due to the limited historical data available to underwriters, making it challenging to create stable risk models for determining coverage, rates, and premiums.

So, Where Did It Originate?

The origins of cyber insurance trace back to the late 1990s when the growing reliance on technology and the rise in cyber threats necessitated a new type of protection. Initially focused on data breaches and computer attacks, cyber insurance has since expanded to cover a wide range of cybercrimes, including ransomware, cyber extortion, social engineering attacks, system failures, and business interruptions resulting from cybersecurity incidents. The increasing popularity of cyber insurance is well-founded. The financial impact of cyberattacks on businesses can be devastating, encompassing direct financial losses, operational disruptions, and severe damage to reputation and customer trust. For instance, a cyberattack can lead to halted production lines, breached customer data, and a significant loss of market confidence. As the cyber insurance market rapidly grows—it was valued at approximately $13 billion in 2023, nearly double its size in 2020—forecasts suggest it will continue to expand, reaching an estimated $22.5 billion by 2025. This growth highlights the necessity of cyber insurance in today's digital landscape, where the true cost of cyberattacks can be staggering. With 70 percent of businesses experiencing a cyberattack, the importance of having cyber insurance cannot be overstated.

Components of Cyber Insurance Relevant to Supply Chains

Cyber insurance tailored for supply chains encompasses critical components designed to mitigate the multifaceted risks posed by cyber threats. Coverage details typically include protection against data breaches, crucial for safeguarding sensitive information compromised during cyber incidents. This coverage extends to forensic expenses, covering the costs of hiring external forensic teams to investigate and ascertain the extent of data breaches—a vital step in understanding and mitigating the damage. Business interruption coverage is equally pivotal, offering compensation for revenue losses incurred due to cyber incidents disrupting normal operations. This aspect of cyber insurance becomes indispensable, especially considering that supply chain disruptions last year led to an average annual loss of $82 million per company across key industries. Third-party liability coverage shields businesses from legal and financial repercussions arising from breaches affecting external stakeholders. This includes expenses for legal representation to navigate regulatory fines, penalties, and compliance requirements mandated by federal and state authorities. Additionally, cyber insurance often covers credit monitoring and identity theft repair services, not only to mitigate legal liability but also as a proactive measure to rebuild customer trust and uphold ethical business practices. Exclusions and limitations in cyber insurance policies are essential considerations. Common exclusions may include certain types of cyber incidents or inadequate coverage for specific losses, necessitating careful review and customization of policies to align with supply chain vulnerabilities and risk tolerance. Limitations and caps on coverage are also critical, outlining the maximum financial assistance available for various aspects of cyber incident response and recovery. 
The benefits of cyber insurance for supply chains extend beyond financial protection to encompass enhanced risk management strategies. Policies often include comprehensive support services such as incident response teams and legal assistance, pivotal in minimizing the impact of cyber incidents on business continuity and reputation. Moreover, investing in cyber insurance can confer a competitive advantage by demonstrating proactive risk management to customers, partners, and stakeholders—crucial in differentiating businesses in today's hyper-connected marketplace.

Challenges and Considerations

Cyber insurance presents a range of challenges that reflect the complex and evolving nature of cyber threats. One of the primary hurdles is the lack of mandatory reporting for breaches that do not directly affect consumer data, which leaves a significant number of attacks unreported. This data gap undermines insurers' ability to assess the full cost of cyber incidents and complicates the design of policies tailored to diverse risks.

A second challenge stems from organizations' varying levels of preparedness and awareness. Many businesses lack a clear picture of their own cybersecurity readiness, which makes it difficult for insurers to underwrite the risk accurately and to write policies that adequately cover the real exposures.

Public awareness and perception also matter. While a substantial share of U.S. adults are familiar with cyber insurance, understanding differs markedly between those who have experienced cybercrime and those who have not. Concerns about premium costs and the effort of evaluating policies deter many organizations from buying coverage, despite its growing necessity.

Defining and categorizing cyber threats accurately is an ongoing problem for insurers. The rapid evolution of technologies such as IoT complicates risk assessment and policy wording, since insurers must define and quantify the impact of risks that did not exist when the policy language was drafted. This ambiguity can leave gaps in coverage and expose organizations to significant financial and reputational damage after a major attack.

Geography complicates coverage as well. Traditional insurance defines risk largely by physical location, whereas cyberattacks originate and propagate globally with little regard for borders, so insurers must work out the scope and extent of coverage across diverse operating environments.

Finally, the "actuarial paradox" is peculiar to cyber insurance. In traditional lines, historical loss data reliably predicts future risk; in cyber, a well-handled breach can reduce future exposure. Insurers must therefore judge whether a company that has suffered a breach and responded effectively is in fact a lower risk deserving a reduced premium. Addressing these challenges requires collaboration between insurers, businesses, and security practitioners to develop solutions that mitigate cyber risk while making cyber insurance more accessible and effective at protecting organizations against the evolving threat landscape.

Making the Decision: Is It Worth The Investment?

Investing in cyber insurance tailored to supply chain attacks demands a careful cost-benefit analysis. As the cyber insurance market continues its rapid expansion, nearly tripling in size over the past five years, the threat landscape grows more complex. A thorough evaluation weighs the potential cost of incidents such as data breaches and operational disruptions against the premiums and the coverage a policy actually provides.

For businesses, particularly small and medium-sized enterprises (SMEs), the decision hinges on matching the policy to the specific supply chain risks the organization carries. That requires both an understanding of internal vulnerabilities and a comprehensive risk assessment to identify exposures, since a policy written without one will not reliably cover the losses that matter. While large companies dominate the cyber insurance market, SMEs often carry their cyber risk uninsured because of the perceived complexity and cost of coverage. Recent trends indicate growing commitment from reinsurers and emerging interest from capital markets in taking on cyber risk, but a significant share of that risk remains uninsured, which highlights the need for broader adoption and tailored solutions.

The decision to invest in cyber insurance for supply chain attacks is therefore not only about financial protection but also about strategic resilience: proactive risk management, operational continuity, and customer trust. By aligning insurance investments with specific risk profiles and using tailored policies, businesses can strengthen their defenses while positioning themselves for sustainable growth in an increasingly interconnected world.

AT&T Paid Hackers $370k to Delete Stolen Call Records


AT&T admitted on Friday that a significant security breach had compromised the call records of tens of millions of its customers. New reports have since surfaced that the telecom giant paid around $370,000 to the hacker responsible to delete the stolen data. According to Wired, the payment was made in cryptocurrency in May, and as part of the agreement the hacker provided a video showing the data being deleted.

AT&T Data Breach: Negotiations and Payment Details

Wired conducted its own investigation and confirmed that the payment transaction took place. The hacker, believed to be part of the ShinyHunters group, initially demanded $1 million but settled for around a third of that amount. The payment was facilitated through a security researcher known only as Reddington, who acted as an intermediary between AT&T and the hacker and also received a fee for his role in the negotiations. Reddington shared the deletion video with Wired, expressing confidence that it showed the complete erasure of the stolen dataset; the video was provided to AT&T as proof of deletion. A recording of files being deleted cannot, however, prove that no other copies exist. The hacker subsequently laundered the cryptocurrency received from AT&T through several exchanges and wallets.

Background of AT&T Data Breach

The data breach at AT&T first came to light in mid-April when Reddington was contacted by an American hacker living in Turkey, believed to be John Erin Binns. Binns claimed to have obtained AT&T call logs and shared samples with Reddington, who verified their authenticity. Binns indicated that he had also accessed the call and texting logs of millions of other AT&T customers through a poorly secured Snowflake cloud account. Reddington reported the breach to the security firm Mandiant, which then notified AT&T.

AT&T revealed in a regulatory filing to the Securities and Exchange Commission (SEC) that the stolen data included call and text messaging metadata, though not the content of the communications or the names of the phone owners. The stolen data encompassed telephone numbers of nearly all AT&T cellular customers and those who communicated with them between May 1, 2022, and October 31, 2022, as well as on January 2, 2023. The dataset also included dates and durations of calls and, for some records, cell site ID numbers that can reveal the general location of phone users.

The ShinyHunters group has been linked to a series of data thefts from unsecured Snowflake customer accounts. AT&T is one of more than 150 companies affected by this hacking spree, which included victims like Ticketmaster, Santander, LendingTree, and Advance Auto Parts. The hackers exploited the lack of multi-factor authentication on these accounts, logging in with stolen credentials and siphoning off data; without a second factor, a previously stolen password is all an attacker needs.

In its SEC filing, AT&T disclosed that it first learned of the breach in April but was granted exemptions by the Department of Justice to delay notification due to potential national security or public safety concerns. The FBI was informed shortly after AT&T discovered the hack and reviewed the data to assess the potential harm.
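The failure mode behind the Snowflake customer intrusions described above is simple to check for in a login history: a successful session opened with a password and nothing else, from an address the organisation does not control. The following Python is an added example written for this page; it is not AT&T's, Snowflake's or Mandiant's code, and the record layout, the field values (`PASSWORD`, `DUO_PUSH`, `SAML_SSO`), the corporate address ranges and the login records themselves are constructed assumptions, not any vendor's real schema or export. Federated SSO logins carry no second factor in these records because the identity provider enforces MFA, so the check keys on password-first logins rather than on a missing second factor alone.

```python
"""Flag password-only logins to a cloud data platform (added example; constructed data)."""
from ipaddress import ip_address, ip_network

# Assumed: address ranges the organisation controls (RFC 5737 documentation ranges here).
CORPORATE_RANGES = [ip_network("203.0.113.0/24"), ip_network("10.0.0.0/8")]

# Constructed login-history records; field names and values are assumptions.
LOGIN_HISTORY = [
    {"user": "analyst1", "ip": "203.0.113.20", "first_factor": "PASSWORD", "second_factor": "DUO_PUSH", "success": True},
    {"user": "etl_svc", "ip": "203.0.113.5", "first_factor": "PASSWORD", "second_factor": None, "success": True},
    {"user": "etl_svc", "ip": "198.51.100.77", "first_factor": "PASSWORD", "second_factor": None, "success": True},
    {"user": "analyst2", "ip": "198.51.100.77", "first_factor": "PASSWORD", "second_factor": None, "success": False},
    {"user": "admin_sso", "ip": "192.0.2.14", "first_factor": "SAML_SSO", "second_factor": None, "success": True},
]


def is_corporate(ip, ranges=CORPORATE_RANGES):
    """True when the address falls inside one of the organisation's ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in ranges)


def is_password_only(record):
    """True when the session was opened with a password and no second factor.

    SSO-federated logins show no second factor here because the identity
    provider enforces MFA, so they are deliberately not counted.
    """
    return record["first_factor"] == "PASSWORD" and record["second_factor"] is None


def password_only_users(records):
    """Users with at least one successful password-only login: the accounts to move to MFA first."""
    return sorted({r["user"] for r in records if r["success"] and is_password_only(r)})


def risky_logins(records, ranges=CORPORATE_RANGES):
    """Successful password-only logins from outside the organisation's ranges.

    A stolen password used from an attacker's machine produces exactly this record.
    """
    return [
        r for r in records
        if r["success"] and is_password_only(r) and not is_corporate(r["ip"], ranges)
    ]


if __name__ == "__main__":
    print("password-only users:", password_only_users(LOGIN_HISTORY))
    for r in risky_logins(LOGIN_HISTORY):
        print(f"ALERT {r['user']} logged in with password only from {r['ip']}")
```

On the constructed data the service account `etl_svc` is the only password-only user, and its login from `198.51.100.77` is the one that would have warranted investigation. Failed attempts are excluded because the point is to find sessions the attacker actually obtained, not password spraying, which deserves a separate rule.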
John Erin Binns, the hacker believed to be behind the AT&T breach, was arrested in Turkey in May for an unrelated data theft from T-Mobile in 2021. Binns has a history of legal issues and has accused U.S. authorities of various conspiracies against him. In 2022, Binns was indicted on 12 counts related to the T-Mobile hack, which involved the theft and sale of sensitive information on over 40 million people. Despite his legal troubles, Binns allegedly continued his hacking activities, including the AT&T breach.

Future Risks and Precautions

Despite the payment and the deletion of the stolen data, some AT&T customers may still be at risk if other copies exist. The hacker who allegedly received the payment claims that Binns had shared samples of the data with others, though it remains unclear how many people received these excerpts and what they did with them. The Cyber Express Team has reached out to AT&T officials for comment; as of writing, no official response had been received. AT&T's decision to pay the hacker highlights the difficult choices companies face when dealing with data breaches.

Google Parent Alphabet Eyes $23 Billion Acquisition of Cybersecurity Startup Wiz


Google's parent company, Alphabet, is reportedly in advanced negotiations to acquire the cybersecurity startup Wiz for approximately US$23 billion, according to Reuters. If the deal materializes, it would mark Alphabet's largest acquisition to date. The potential acquisition, which would be funded primarily in cash, could be finalized soon. Wiz, founded in Israel and now headquartered in New York, has rapidly emerged as one of the fastest-growing software startups globally. The company specializes in cloud security, offering real-time threat detection and response capabilities powered by artificial intelligence.

Wiz's Financial Performance and Clientele

In 2023, Wiz generated approximately $350 million in revenue and works with 40% of Fortune 100 companies, according to its website. The company recently raised $1 billion in a private funding round that valued it at $12 billion. Wiz works with multiple cloud service providers, including Microsoft and Amazon, and its client roster includes Morgan Stanley and DocuSign. With a workforce of 900 employees across the United States, Europe, Asia, and Israel, Wiz had previously announced plans to add 400 employees in 2024.

Should Alphabet proceed, the acquisition would be a notable move amid heightened regulatory scrutiny of major technology companies under President Joe Biden's administration; in recent years, U.S. regulators have shown increasing resistance to large tech companies expanding through significant acquisitions. Neither Alphabet nor Wiz had responded to The Cyber Express Team's requests for comment on the potential deal.

Strategic Decisions of Alphabet

Interestingly, Alphabet recently decided against pursuing a takeover of the online marketing software company HubSpot. The broader technology sector has seen an uptick in dealmaking activity this year. In January, design software company Synopsys (SNPS.O) agreed to acquire its smaller rival Ansys for around $35 billion. Additionally, Hewlett Packard Enterprise (HPE.N) struck a deal to purchase networking gear maker Juniper Networks (JNPR.N) for $14 billion. Technology has accounted for the largest share of mergers and acquisitions during the first half of the year, with activity surging over 42% year-on-year to reach $327.2 billion, based on data from Dealogic. Moreover, The New York Times reports that Google is pushing forward with the Wiz acquisition despite potential regulatory hurdles. The company appears willing to challenge any opposition to enhance its cloud-computing division, which currently trails behind Amazon Web Services and Microsoft Azure.
Google faces two antitrust lawsuits from the Justice Department, targeting its search engine dominance and digital advertising-technology business. A verdict in the search case is expected this summer. The Biden administration has taken a firm stance against major tech acquisitions, blocking several high-profile deals including Penguin Random House's $2.18 billion acquisition of Simon & Schuster and JetBlue's $3.8 billion purchase of Spirit Airlines. Amazon also abandoned its $1.7 billion acquisition of iRobot due to regulatory pushback. In recent years, Google has been striving to diversify its revenue sources beyond online advertising, with search, YouTube, and other platforms still accounting for 75% of its income. The acquisition of Wiz, while not an immediate game-changer, would enhance Google Cloud's capabilities and strengthen its ties with companies relying on Wiz for security across AWS, Azure, and other cloud services. Historically, Google has been cautious with large acquisitions. After buying Motorola for $12.5 billion, it sold the company to Lenovo at a loss less than two years later. More recently, in 2021, Google acquired Fitbit for $2.1 billion, a deal that faced regulatory scrutiny before approval. Google has made several strategic acquisitions to enhance its cloud computing offerings. In 2022, it purchased Mandiant, a cybersecurity firm, for $5.4 billion, and Siemplify, another cybersecurity company. Thomas Kurian, CEO of Google Cloud, has been a driving force behind the push to acquire Wiz, aiming to make cybersecurity a key strength of Google Cloud. Wiz's services would help corporate clients like BMW, Slack, and Morgan Stanley mitigate security risks associated with cloud computing. If the deal goes through, it would signify a bold step in Alphabet's growth strategy amidst a challenging regulatory landscape.

City of Philadelphia Data Breach: 35,881 Affected, Including Maine Residents


The City of Philadelphia has disclosed a data breach that occurred in May 2023 and affected the personal information of 35,881 individuals. The disclosure came through a filing with the Office of the Maine Attorney General. On July 8, 2024, the City sent written notifications to those potentially affected, including approximately 15 Maine residents. The City states that by providing this notice it does not waive any rights or defenses concerning the applicability of Maine law, the Maine data event notification statute, or personal jurisdiction.

City of Philadelphia Data Breach: What Exactly Happened?

On May 24, 2023, the City detected suspicious activity within its email environment and launched an investigation with third-party cybersecurity experts to determine the extent and nature of the breach. The investigation revealed that between May 26, 2023, and July 28, 2023, an unauthorized individual had access to specific City email accounts. On August 22, 2023, the City learned that these compromised accounts potentially contained protected health information (PHI). Although the investigation could not conclusively determine whether any information was accessed or acquired, the City opted to conduct a comprehensive review to identify what information was potentially exposed and who was affected.

To comply with regulations such as the Health Insurance Portability and Accountability Act (HIPAA), the City notified the U.S. Department of Health and Human Services (HHS) on October 20, 2023, posted substitute notices on its website, and informed the media through the Philadelphia Inquirer. Once the data review concluded, the City validated the findings and sought to obtain missing address information for those potentially affected. On May 16, 2024, the City mailed written notices to individuals whose PHI might have been compromised (excluding Maine residents), provided additional notice to HHS, updated its website, and informed the Philadelphia Inquirer once more. By June 12, 2024, the City had completed validation of the review results and located the necessary address information.

The personal information of Maine residents that was potentially accessible during the event included names, addresses, Social Security numbers, and financial account information.

Steps Taken and Future Actions

Upon learning of the data breach, the City of Philadelphia acted swiftly to investigate and respond to the event. They assessed the security of their network and email system and identified the individuals who might be affected. The City also notified federal law enforcement and is working to implement additional safeguards and provide employee training to prevent future incidents. Affected individuals, including Maine residents, were offered twelve months of credit monitoring services at no cost. The City has also provided guidance to potentially impacted individuals on protecting against identity theft and fraud. This includes advising them to report any suspected incidents to their bank, credit card company, or other relevant institutions. The City has also provided instructions on how to place fraud alerts and credit freezes on credit files, the contact details for national consumer reporting agencies, information on obtaining free credit reports, and reminders to stay vigilant by reviewing account statements and monitoring credit reports. Affected individuals are encouraged to contact the Federal Trade Commission, their state Attorney General, and law enforcement to report any attempts or actual instances of identity theft and fraud.

Air India Investigating Data Breach Claims Stemming from Arabian Travel Agency Hack


After a threat actor known as "ghostr" on the XSS forum claimed a data breach at the UAE-based Arabian Travel Agency that allegedly affects Air India customers travelling to and from the UAE, the airline said it is investigating the claims. The breach, which allegedly occurred in June 2024, is said to have exposed a substantial amount of sensitive information, including corporate, accounting, and sales data, as well as the personal information of 228,303 Air India customers and 1,081,733 visa applicants. The attacker also claims to have obtained personal documents and images belonging to the company's employees.

Air India Responds

An Air India spokesperson told The Cyber Express that a possible compromise of data has occurred from the systems of Arabian Travel Agency (ATA) - the General Sales Agent of Air India for the UAE region.

The Indian aviation giant said it had obtained a copy of the notification posted on Dark Web, along with some sample data. "Our analysis of the sample data suggests that it is related to the period around July-August 2020, which is before the privatisation of Air India, which occurred in January 2022," the spokesperson said.

The spokesperson added that it could not be ascertained whether the data exactly matched the personal details of Air India’s passengers. "We have reached out to ATA, and requested complete details of the incident," the spokesperson said.

Air India, as per the applicable regulatory requirements, has notified relevant Government authorities about this incident.

"Post privatization, Air India has invested heavily in technology and put in systems to ensure data protection. At Air India, data privacy and protection are of utmost priority,” the spokesperson assured.

Details of Arabian Travel Agency Data Breach

According to ghostr's post, the compromised data includes a wide range of sensitive information:
  • Corporate, Accounting, and Sales Information: Confidential business data from the Arabian Travel Agency, which serves as the official general sales agent for Air India in the UAE.
  • Customer Personal Information: Data from 228,303 Air India customers, potentially including names, contact details, travel itineraries, and more.
  • Visa Applicant Records: Information from 1,081,733 visa applicants, likely encompassing personal details submitted during the visa application process.
  • Employee Documents and Images: Copies of employee documents such as certificates, driving licenses, Emirates ID cards, labor cards, Ministry of Labour (MOL) contracts, passports, and residence visas.
To substantiate these claims, ghostr has reportedly provided sample records from the alleged database. The Cyber Express Team has attempted to verify the claims with both Arabian Travel Agency and Air India; as of this writing, Arabian Travel Agency had not responded, and the claims remain unverified.

Potential Implications of Data Breach at Arabian Travel Agency

If ghostr's claims are proven true, the consequences for both the Arabian Travel Agency and Air India could be severe. The alleged exposure of such extensive and sensitive information would not only compromise the privacy of millions of individuals but also pose significant risks to the affected organizations. The potential implications include:
  1. Privacy Violations: The personal information of customers and visa applicants, including potentially sensitive details, being exposed could lead to privacy violations and identity theft.
  2. Corporate Espionage: The breach of corporate, accounting, and sales information might expose the Arabian Travel Agency to corporate espionage, impacting its competitive standing and operational security.
  3. Regulatory Scrutiny and Legal Consequences: Both organizations could face intense regulatory scrutiny and potential legal actions due to the breach. Compliance with data protection regulations, such as the UAE's Personal Data Protection Law (PDPL), would be called into question.
  4. Reputational Damage: The loss of trust among customers and business partners could have long-term repercussions on the reputation and financial health of the affected companies.
  5. Operational Disruptions: Addressing the breach and mitigating its impact could lead to significant operational disruptions and financial costs for both the Arabian Travel Agency and Air India.
As the situation continues to unfold, The Cyber Express Team will seek further information and official comment from the targeted companies. Until then, the claims by ghostr remain unverified.

This is not the first incident involving Air India customer data. In 2021, Air India reported a cyberattack that affected over 4.5 million customers. In May of that year, it was revealed that the personal details of millions of customers worldwide had been compromised, including passports, credit card details, birth dates, names, and ticket information. The breach was first reported to Air India in February 2021 by its data processor, SITA, a Swiss technology company that provides passenger processing and reservation system services. It involved data registered in SITA's systems between August 26, 2011, and February 20, 2021, and the attackers had access to those systems for 22 days.

Conclusion

The alleged data breach at the Arabian Travel Agency, purportedly carried out by ghostr, illustrates the persistent threat posed by cybercriminals and, if confirmed, the exposure that follows when a third party such as a sales agent holds customer data on an airline's behalf. The Cyber Express Team will continue to monitor the situation and provide updates as new information becomes available.

*Update July 10, 11:05 a.m.: Added comments from the Air India spokesperson and changed the article title to reflect the same.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Fujitsu Data Breach: No Ransomware, But Advanced Attack Evades Detection


Fujitsu, the Japanese technology company, has confirmed a data breach that exposed personal and business information of some individuals and customers. The breach, discovered earlier this year, did not involve ransomware; the malware involved used techniques designed to evade detection while files were copied. "We would like to inform you of the results of our investigation into the possible leak of personal information, which we announced on March 15, 2024, and the measures that have already been implemented. Customers affected by this incident have already been notified individually," reads the company's official statement.

In March 2024, Fujitsu detected malware on several of its systems, raising concerns that sensitive customer information had been compromised. The company initiated an investigation in collaboration with an external specialist firm to identify the scope and cause of the breach, including analysis of log data and interviews with internal personnel. Here is what the investigation revealed:

Fujitsu Data Breach: Malware Behavior and Scope of Impact

The investigation found that the malware was installed on one of Fujitsu's business computers and then spread to other work computers on the company's internal network in Japan. Unlike ransomware, it relied on techniques to disguise itself and evade detection. The investigation confirmed that the number of infected computers, and of those on which file-copying commands were executed, did not exceed the 49 computers identified initially. "After malware was installed on one of our company's business computers, it was confirmed that the malware's behavior spread from that computer to other business computers. This malware was not ransomware, but rather a type of attack that used advanced techniques, such as disguising itself in various ways to make it difficult to detect, making it extremely difficult to detect," Fujitsu said. The compromised computers were not involved in managing Fujitsu's cloud services, and no traces of access to customer-provided services were found, so the impact was determined not to extend beyond the company's internal network into customer environments.

Scope of Information Leak in Fujitsu Data Breach

Further examination of Fujitsu's communication and operation logs revealed that the malware executed commands to copy certain files. These files contained personal information of some individuals and business-related information of customers. Although there have been no reports of misuse, Fujitsu has notified the affected customers and is taking measures to mitigate potential risks. "The files that were able to be copied contained personal information of some individuals and information related to the business of customers, and we have reported this to the affected customers individually and are taking the necessary measures. At this time, we have not received any reports that personal information or information related to customers' business has been misused," Fujitsu added.

What Measures Fujitsu Is Taking

Fujitsu has implemented several measures to address the breach and enhance its information security:
  1. Isolation and Initialization: Upon detecting suspicious behavior, all business PCs suspected of being affected were isolated from the company network and initialized to prevent further spread of the malware.
  2. Blocking External Connections: Connections to external servers used by the attackers as sources of intrusion were blocked to cut off the malware's communication channels.
  3. Enhanced Security Monitoring: The characteristics of the malware’s attack method were identified and incorporated into security monitoring rules for all business PCs within the company. Additionally, virus detection software was enhanced and updated to improve its effectiveness against such sophisticated threats.
Fujitsu has assured its customers that it is committed to further strengthening its information security measures to prevent similar incidents. "We would like to offer our deepest apologies to all those involved for the great concern and inconvenience caused," the company said. The breach shows how a single compromised workstation can spread across an internal network and copy data out without ransomware ever being deployed, and why monitoring rules need to cover evasive malware as well as the loud kind. Fujitsu's publication of its findings and its direct notification of affected customers are intended to maintain trust and accountability.

New Techniques, Same Threat: APT40 Adapts Tactics for Broader Attacks


The UK and its international allies have issued a new advisory on the evolving techniques of China state-sponsored cyber actors. The alert, published by the UK's National Cyber Security Centre (NCSC), a part of GCHQ, together with cybersecurity agencies from Australia, the US, Canada, New Zealand, Germany, the Republic of Korea, and Japan, focuses on the methods used by one China state-sponsored actor, APT40, in attacks against Australian networks.

APT40: Exploiting Vulnerable Devices

APT40 has notably adopted the tactic of exploiting vulnerable small-office and home-office (SoHo) devices. These devices often run outdated software or lack recent security updates, making them easy targets. Routing operations through them lets APT40 blend malicious traffic with ordinary residential and small-business traffic and launch broader attacks. The advisory includes two technical case studies to help network defenders identify and mitigate this activity. The techniques are not unique to APT40; other China state-sponsored actors use them globally.

Historical Context and Previous Attributions

The UK has previously attributed APT40 to the Chinese Ministry of State Security (MSS). The threat group, also tracked as Kryptonite Panda, GINGHAM TYPHOON, Leviathan, and Bronze Mohawk, has a history of targeting organizations in various countries, including Australia and the United States. APT40 is known for quickly adapting public vulnerability proofs of concept (PoCs) for reconnaissance and exploitation. It has exploited new vulnerabilities in widely used software such as Log4j, Atlassian Confluence, and Microsoft Exchange.

International Collaboration and Advisory Details

The advisory, titled "PRC MSS Tradecraft in Action," was co-released by the NCSC and its international partners. These include:
  • Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
  • US Cybersecurity and Infrastructure Security Agency (CISA)
  • US National Security Agency (NSA)
  • US Federal Bureau of Investigation (FBI)
  • Canadian Cyber Security Centre (CCCS)
  • New Zealand National Cyber Security Centre (NCSC-NZ)
  • German Federal Intelligence Service (BND) and Federal Office for the Protection of the Constitution (BfV)
  • Republic of Korea’s National Intelligence Service (NIS) and NIS’ National Cyber Security Center (NCSC)
  • Japan’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC) and National Police Agency (NPA)
The advisory is based on the shared understanding of APT40’s tactics, techniques, and procedures (TTPs) as well as current incident response investigations led by ASD’s ACSC.

Persistent and Adaptive Threats

APT40’s capability to rapidly exploit new public vulnerabilities makes it a persistent threat. They conduct regular reconnaissance on networks of interest, looking for vulnerable, end-of-life, or unpatched devices to exploit. The group prefers exploiting vulnerable, public-facing infrastructure over techniques requiring user interaction, such as phishing. They place a high priority on obtaining valid credentials to enable a range of follow-on activities. Once initial access is gained, APT40 focuses on establishing persistence to maintain access within the victim’s environment. This often involves using web shells for persistence early in the intrusion lifecycle.
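The web-shell stage described above leaves a recognisable trace in web server access logs even when the operator's source address is an unremarkable residential router: a server-side script that is only ever hit with POST requests, never arrives via a page on the site (no referrer), is not one of the site's known form handlers, and sits in a directory that should contain only static files. The following Python is an added example written for this page, not code from the advisory or from any of the agencies named. The log lines, the `KNOWN_POST_ENDPOINTS` set and the `STATIC_DIRS` list are constructed assumptions; a real deployment would build the baseline from the application's routes. The sample source addresses are deliberately ordinary, because if requests arrive through compromised SoHo devices, as the advisory describes, IP reputation alone is unlikely to flag them, so the check relies on request behaviour instead.

```python
"""Hunt access logs for web-shell traffic (added example; constructed data).

Heuristic: a server-side script that is only ever POSTed to, never reached
with a referrer, is not a known form handler, and lives in a directory meant
for static files is a strong web-shell candidate.
"""
import re
from collections import defaultdict
from datetime import datetime

# Combined Log Format: ip ident user [time] "method path proto" status size "referrer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [08/Jul/2024:09:12:01 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [08/Jul/2024:09:12:05 +0000] "POST /login.php HTTP/1.1" 302 0 "https://www.example.com/index.html" "Mozilla/5.0"
198.51.100.7 - - [08/Jul/2024:09:14:20 +0000] "POST /images/thumb.php HTTP/1.1" 200 312 "-" "python-requests/2.31"
198.51.100.7 - - [08/Jul/2024:09:14:33 +0000] "POST /images/thumb.php HTTP/1.1" 200 1840 "-" "python-requests/2.31"
198.51.100.9 - - [08/Jul/2024:09:20:33 +0000] "POST /images/thumb.php HTTP/1.1" 200 90 "-" "Mozilla/5.0"
203.0.113.11 - - [08/Jul/2024:10:01:00 +0000] "GET /images/logo.png HTTP/1.1" 200 4400 "https://www.example.com/" "Mozilla/5.0"
203.0.113.12 - - [08/Jul/2024:10:05:00 +0000] "POST /contact.php HTTP/1.1" 200 210 "https://www.example.com/contact.html" "Mozilla/5.0"
"""

# Assumed baseline: endpoints that legitimately accept POSTs, and directories
# that should hold only static content. Build these from the real application.
KNOWN_POST_ENDPOINTS = {"/login.php", "/contact.php"}
STATIC_DIRS = ("/images/", "/uploads/", "/static/", "/css/", "/js/")
SCRIPT_EXTENSIONS = (".php", ".asp", ".aspx", ".jsp", ".jspx", ".cgi")


def parse_log(text):
    """Parse Combined Log Format lines; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entry["path"] = entry["path"].split("?", 1)[0]  # drop query string
        entries.append(entry)
    return entries


def score_paths(entries, known=KNOWN_POST_ENDPOINTS):
    """Aggregate per script path and assign a 0-3 suspicion score."""
    stats = defaultdict(lambda: {"post": 0, "other": 0, "post_no_referrer": 0,
                                 "ips": set(), "first_seen": None, "score": 0})
    for e in entries:
        path = e["path"]
        if not path.lower().endswith(SCRIPT_EXTENSIONS) or path in known:
            continue
        s = stats[path]
        if e["method"] == "POST":
            s["post"] += 1
            if e["referrer"] == "-":
                s["post_no_referrer"] += 1
        else:
            s["other"] += 1
        s["ips"].add(e["ip"])
        if s["first_seen"] is None or e["ts"] < s["first_seen"]:
            s["first_seen"] = e["ts"]
    for path, s in stats.items():
        score = 0
        if s["post"] and s["other"] == 0:                      # only ever POSTed to
            score += 1
        if s["post"] and s["post_no_referrer"] == s["post"]:   # never reached from a page
            score += 1
        if path.startswith(STATIC_DIRS):                       # script where only static files belong
            score += 1
        s["score"] = score
    return dict(stats)


def find_webshell_candidates(entries, min_score=2, min_posts=2):
    """Return [(path, stats)] with score >= min_score and enough POSTs, most suspicious first."""
    return sorted(
        ((p, s) for p, s in score_paths(entries).items()
         if s["score"] >= min_score and s["post"] >= min_posts),
        key=lambda item: (-item[1]["score"], item[1]["first_seen"]),
    )


if __name__ == "__main__":
    for path, s in find_webshell_candidates(parse_log(SAMPLE_LOG)):
        print(f"{path}: score={s['score']} posts={s['post']} ips={sorted(s['ips'])} "
              f"first_seen={s['first_seen'].isoformat()}")
```

On the sample log only `/images/thumb.php` is flagged, with the full score of 3, three POSTs from two addresses and no referrer on any of them. The `first_seen` timestamp is the pivot for the next step: compare it against file creation times and earlier log lines on the host to find the request that dropped the file, and treat every address that has since POSTed to it as operator infrastructure regardless of how benign it looks.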

Evolution of Techniques

APT40 has evolved its techniques over time, moving from using compromised Australian websites as command and control (C2) hosts to leveraging compromised SoHo devices as operational infrastructure. These devices offer a launching point for attacks, blending in with legitimate traffic and presenting challenges to network defenders. This technique is also used by other PRC state-sponsored actors worldwide, underscoring a shared threat.

Tooling and Recommendations

The advisory includes details on some of the malicious files identified during investigations, which have been uploaded to VirusTotal. This enables the broader cybersecurity community to better understand the threats and enhance their defenses. The advisory urges all organizations and software manufacturers to review the provided guidance to identify, prevent, and remediate APT40 intrusions. It also emphasizes the importance of incorporating Secure by Design principles to strengthen the security posture of software products.

Broader Implications and Ongoing Threats

The publication of this advisory follows a warning made by the Director of GCHQ in May about the "genuine and increasing cyber risk to the UK" posed by China. The threat from APT40 and similar groups is ongoing, with potentially far-reaching implications. APT40's ability to rapidly exploit vulnerabilities and its preference for operating from compromised infrastructure make it a formidable adversary. The breadth of the collaboration behind this advisory underscores the global nature of the threat and the need for coordinated defence against state-sponsored cyber activity.

The Washington Times Allegedly Targeted in Cyberattack by SN Blackmeta

The Washington Times

The Washington Times has allegedly become the latest victim of a cyberattack, with the hacker group SN Blackmeta claiming responsibility. In a provocative post, the group announced, "A cyberattack has disrupted all services of The Washington Times. This is just the beginning or a warm-up exercise before moving to a larger target." SN Blackmeta's statement went beyond claiming responsibility for the cyberattack on The Washington Times. The group criticized the United States for what it perceives as selective freedom and expression, focusing on LGBTQ rights while neglecting other issues. "The United States, the so-called land of freedom and expression, seems to reserve its freedoms solely for the rights of the LGBTQ community. A nation built on lies and the illusion of perfection. Where is the media's voice on the rights of Palestinians and the situation in Gaza today?" the statement read. The Washington Times cyberattack appears to be motivated by a combination of political and ideological grievances, with the hackers using the incident to draw attention to their perspective on U.S. domestic and foreign policies. The Cyber Express Team has reached out to officials at The Washington Times to verify the cyberattack. However, as of the writing of this report, no official statement has been released, leaving SN Blackmeta's claims unverified. The Washington Times website was still accessible at the time of reporting, adding to the uncertainty surrounding the hacker group’s assertion. [Image: The Washington Times. Source: X]

Potential Implications of Cyberattack on The Washington Times

If the claim is confirmed, the implications could be far-reaching, affecting not only the operations of The Washington Times but also signaling potential threats to other media outlets and larger targets.
  1. Operational Disruption: If SN Blackmeta's claims are validated, The Washington Times could face significant operational challenges. Disruption of services might impact news delivery, advertising revenue, and overall trust in the outlet's digital security.
  2. Reputational Damage: Such an attack could damage the reputation of The Washington Times, raising questions about its cybersecurity measures and ability to protect sensitive information.
  3. Broader Threat Landscape: The statement from SN Blackmeta hints at future attacks on larger targets, potentially escalating the threat level for other media organizations and even critical infrastructure.
  4. Political and Ideological Fallout: The group's statements indicate a broader ideological battle, suggesting that their attacks are not merely technical but also deeply political, targeting institutions they perceive as symbolizing hypocrisy or oppression.

Background on SN Blackmeta

SN Blackmeta, a relatively new but formidable entity in the cyber threat landscape, has rapidly gained notoriety through its rhetoric and actions that leverage cyberattacks for political messaging. The group’s focus on U.S. policies and media representation indicates a strategic approach aimed at drawing maximum attention to their causes. The alleged cyberattack on The Washington Times by SN Blackmeta underscores the ongoing vulnerabilities faced by media organizations in the digital age. This incident follows a series of high-profile cyberattacks targeting media and digital companies globally. In early July 2024, The Cyber Express reported that the notorious Rhysida ransomware group had added MYC Media to its list of victims. MYC Media, a leading creative agency based in Canada specializing in comprehensive marketing solutions, was allegedly attacked on July 7, 2024. The Rhysida group demanded a ransom of 5 bitcoins, giving the company six days to respond and threatening to sell the stolen data if their demands were not met. In another significant incident in April 2024, Ukraine’s major media conglomerate, 1+1 Media, reported a debilitating cyberattack targeting its satellite TV channels. This attack rendered 39 channels, including some of its flagship networks, inaccessible, marking a significant blow to the country’s media infrastructure. The cyberattack coincided with heightened regional tensions and was described by officials as a “cynical attack” on peaceful Chernihiv, with deliberate attempts to disrupt satellite communications on the Astra 4A 11766 H transponder. These incidents, including the threat by SN Blackmeta to target larger entities, serve as a wake-up call for the entire media industry to enhance their cybersecurity defenses. The increasing frequency and sophistication of these cyberattacks highlight the urgent need for robust security protocols to protect sensitive information and maintain operational integrity. 
As the situation with SN Blackmeta and The Washington Times develops, The Cyber Express Team will continue to monitor and provide updates on any official statements from The Washington Times and further actions by SN Blackmeta. For continuous updates on this developing story, follow The Cyber Express Team and stay tuned to official announcements from The Washington Times. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

MONTI Ransomware Targets New York Orthopaedic Center Excelsior Orthopaedics

Monti ransomware

Excelsior Orthopaedics, a leading musculoskeletal healthcare center in New York, has been allegedly targeted by the notorious MONTI ransomware group. The group claims to have obtained critical data from the organization and has threatened to publish it on July 16, 2024. As of now, the extent of the Excelsior Orthopaedics data breach, the specific nature of the compromised information, and the motive behind the cyberattack remain undisclosed. The Cyber Express Team attempted to access the official website of Excelsior Orthopaedics, only to find it inaccessible. This raises serious concerns about the validity of the ransomware group's claims. However, the website's inaccessibility could also be due to a technical glitch. Confirmation of the cyberattack on Excelsior Orthopaedics and its details will be possible only after an official statement from the targeted firm.

Overview of MONTI Ransomware

MONTI ransomware, known for its capability to target both Windows and Linux systems, first captured the attention of cybersecurity experts in June 2022. Its notoriety stems not only from its name, reminiscent of the infamous Conti ransomware, but also from its deliberate adoption of similar tactics, techniques, and procedures (TTPs). The group has been noted for incorporating many of Conti's tools and exploiting Conti's leaked source code. Since its discovery, MONTI has consistently targeted companies, exfiltrating data and exposing it on their leak site. This aggressive approach has made them a formidable threat in the cybersecurity landscape.

Recent Developments in MONTI Ransomware

In June 2024, The Cyber Express Team reported a significant change in the ownership of the MONTI ransomware. The new owners, according to their latest updates, stated, “This project was bought. It was bought because it suited our goals perfectly and did not have a bad reputation.” This shift in ownership marks a strategic pivot, with the group now focusing more on Western countries. The new owners have expressed their intentions to revamp the ransomware's infrastructure, signaling a possible increase in the frequency and sophistication of future attacks. In a cryptic post, the group hinted at upcoming developments and called for a collaborative effort to “build the future of the USA and Europe together.”

Implications of Excelsior Orthopaedics Data Breach

If the cyberattack is proven true, the ramifications could be significant, affecting not only the organization but also its patients and partners. Data breaches in healthcare institutions can lead to severe privacy violations, financial loss, and a tarnished reputation.
  1. Patient Privacy: Sensitive patient information could be compromised, leading to potential identity theft and privacy violations.
  2. Financial Impact: The financial repercussions for the healthcare center could be substantial, including costs related to incident response, legal fees, and potential regulatory fines.
  3. Reputation Damage: The breach could severely damage the organization’s reputation, eroding trust among patients and partners.
  4. Operational Disruption: The attack could disrupt the center's operations, affecting patient care and administrative functions.
The Cyber Express Team is closely monitoring the situation and will provide updates as soon as new information is available from Excelsior Orthopaedics or other relevant authorities. The alleged cyberattack on Excelsior Orthopaedics by the MONTI ransomware group highlights the ongoing threat posed by ransomware operations. The healthcare sector, with its wealth of sensitive information, remains a lucrative target for cybercriminals. For continuous updates on this developing story, follow The Cyber Express Team and stay tuned to official announcements from Excelsior Orthopaedics.

Frankfurt University Faces Major Cyberattack, IT Systems Disabled

Cyberattack on Frankfurt University

Frankfurt University of Applied Sciences announced on Monday that it had fallen victim to a cyberattack, leading to a complete shutdown of its IT systems. The university revealed that the cyberattack on Frankfurt University occurred at approximately 8 p.m. on Saturday, July 6, 2024. "The Frankfurt University of Applied Sciences was the target of a serious hacker attack on July 6, 2024 at around 8 p.m.," reads the official statement. In a statement posted on their website, which now serves as a temporary homepage, the institution shared details of the incident and the steps being taken to mitigate the damage.

Details of the Cyberattack on Frankfurt University 

"Despite very high-security precautions, the criminals managed to gain access to parts of the university's IT infrastructure. As an immediate security measure, external access to our IT systems was blocked and some services were switched off. The communications infrastructure was also restricted. In addition, the police and the relevant authorities were called in," read the official statement from the university. The exact nature of the Frankfurt University cyberattack remains unconfirmed, and the university has yet to determine the full extent of the damage. Consequently, there is currently no timeline for when IT systems and services will return to normal. While on-site operations, including all courses, are continuing, several key services have been disrupted:
  • Elevators: For safety reasons, elevators in the university buildings are out of service.
  • Online Enrollment: Enrollment processes have been halted due to the unavailability of online systems.
  • Communication: The university is not reachable by email or telephone for external communication.
In urgent cases, individuals can contact the university via a temporary email address: kontakt@frankfurt-uas.de. Further, the university is directing students to their website, www.frankfurt-uas.de, for detailed information regarding examinations, CampUAS, colloquia, and which services from the internal campus network are currently operational. Frankfurt University of Applied Sciences has committed to providing continuous updates on its website, as well as through its LinkedIn and Facebook profiles, to keep the university community informed about the latest developments and any changes to the status of its IT systems and services. "We will continuously inform you about new developments on this website and on the university’s LinkedIn and Facebook profiles," reads the official post. Professors, employees, and lecturers have been advised to access critical information through Confluence within the university's LAN at https://confluence.frankfurt-university.de/x/TbP_DQ.

Communication and Updates

The university, home to around 15,000 students, is not currently able to enroll new students online nor communicate via external email or telephone. It remains unclear whether the summer holidays might mitigate the impact on the bulk of the student body. Despite these disruptions, on-site courses are still running.

Recent Cyberattacks in Germany

The cyberattack on Frankfurt University of Applied Sciences follows a spate of cyber incidents affecting universities of applied sciences (Hochschulen) in Germany, which specialize in engineering, technology, business, and architecture. Earlier this year, Hochschule Kempten announced it had been targeted by a criminal cyberattack. In June 2024, Germany’s Christian Democratic Union (CDU) also faced a large-scale cyber assault, forcing the prominent opposition party to temporarily shut down parts of its IT infrastructure. These incidents highlight the growing vulnerability of educational and political institutions in the digital age. The cyberattack on the Frankfurt University of Applied Sciences has disrupted its IT systems and services, but the institution remains committed to maintaining educational operations and supporting its community during this challenging time. Continuous updates will be provided as the situation develops and efforts to restore normalcy progress.

Did Russia Cyber Army Team Target Liechtenstein Telecom? Website Down, Cause Unclear

Liechtenstein Cyberattack

The Russian Cyber Army Team has claimed responsibility for targeting the website of Telecom Liechtenstein. This alleged Liechtenstein cyberattack was announced in a post where the group declared: "Good morning Cyber Army! Let's send a small and modest greeting to Liechtenstein from our team. Let's start with the provider." Upon accessing the official website of Telecom Liechtenstein, The Cyber Express Team encountered a 504 error, indicating that the site was down. This error typically suggests that the server did not receive a timely response from another server it was attempting to communicate with, causing the site to become unavailable. In an effort to verify the claim, The Cyber Express Team attempted to reach out to the targeted firm. However, they faced difficulties in finding a direct contact to communicate with Telecom Liechtenstein. Despite these challenges, the team is persistently trying to establish contact to gain clarity on the situation. [Image: Liechtenstein cyberattack. Source: X]

Liechtenstein Cyberattack: Potential Technical Issues

While the website's downtime could be due to a technical issue, the absence of any official communication from Telecom Liechtenstein makes it challenging to confirm the exact cause. Without a statement from the company, it remains speculative whether the downtime is the result of a cyberattack on Liechtenstein or an unrelated technical glitch. Should the Russian Cyber Army’s claim be substantiated, the implications could be significant. A successful cyberattack on a major telecom provider like Telecom Liechtenstein could disrupt essential services, compromise sensitive data, and highlight vulnerabilities within the country's digital infrastructure. Such an incident would not only affect Telecom Liechtenstein but could also have broader repercussions for other businesses and services reliant on their network. This alleged Liechtenstein cyberattack fits into a larger pattern of cyber-attacks attributed to Russian cyber groups. These groups have been increasingly active, targeting various entities across the globe. The motivations behind these cyberattacks often range from political to economic, and they serve to showcase the attackers' capabilities while instilling fear and uncertainty.

To Wrap up

As of now, the claim by the Russian Cyber Army remains unverified. The Cyber Express Team continues to monitor the situation closely and is actively trying to get in touch with Telecom Liechtenstein for an official response. This story is developing, and The Cyber Express Team is committed to providing updates to its readers as more information becomes available.

NHS ‘Highly Vulnerable’ to Cyberattacks After Major Ransomware Hit, Experts Warn

NHS

A leading cybersecurity expert has issued a warning that the National Health Service (NHS) remains highly vulnerable to cyberattacks unless significant updates are made to its computer systems. This comes in the wake of a major ransomware attack that has severely disrupted healthcare services across London. Professor Ciaran Martin, the founding CEO of the UK's National Cyber Security Centre (NCSC), shared his concerns in an interview with the BBC. "I was horrified, but not completely surprised. Ransomware attacks on healthcare are a major global problem," Prof. Martin stated. Despite NHS England’s investment of £338 million over the past seven years to enhance cybersecurity resilience, Prof. Martin’s warnings suggest that more urgent and extensive actions are necessary to protect the NHS from future threats. On June 3, 2024, a cyberattack targeted Synnovis, a pathology testing organization, severely affecting services at Guy's, St Thomas', King's College, and Evelina London Children's Hospitals. NHS England declared it a regional incident, resulting in the postponement of 4,913 acute outpatient appointments and 1,391 operations. The cyberattack raised significant data security concerns and has been described as one of the most severe cyber incidents in British history.

The Attackers and Their Demands

The Russian-based hacking group Qilin, believed to be part of a Kremlin-protected cyber army, claimed responsibility for the attack. They demanded a £40 million ransom, which the NHS refused to pay. Consequently, the group published stolen data on the dark web, reflecting a growing trend of Russian cyber criminals targeting global healthcare systems. Prof. Martin, now a professor at the University of Oxford, highlighted three critical issues facing NHS cybersecurity: outdated IT systems, the need to identify vulnerable points, and the importance of basic security practices. "In parts of the NHS estate, it's quite clear that some of the IT is out of date," he noted. He emphasized the necessity of identifying "single points of failure" in the system and implementing better backups. Improving basic security measures could significantly hinder attackers. "Those little things make the point of entry quite a lot harder for the thugs to get in," Prof. Martin added.

Front-line Staff Concerns

Concerns among front-line staff are mounting in the wake of the recent cyber-attacks. Many have pointed to outdated equipment and a lack of unified systems as major vulnerabilities. A senior intensive care doctor in London remarked, "The NHS is vulnerable. It's a patient safety issue, but there's no interest in addressing it." An A&E consultant in north London highlighted the use of "decade-old computers and Windows 7," noting that systems crash "every few months." A junior doctor expressed concerns over the risks posed by outdated equipment and the impact of privatization. "Old computers pose a security risk for patient data. The Synnovis incident shows how vulnerable we are," the doctor said. A senior orthopedic surgeon described the fragmented nature of NHS IT systems, where a patient’s X-ray in one hospital cannot be accessed in another. "It's shocking and worrying for cybersecurity," he said. Dr. Daniel Gardham from the Surrey Centre for Cyber Security echoed Prof. Martin’s concerns, emphasizing the link between outdated systems and cyber-attacks. "If you have old computers, then simply put, there's going to be unpatched vulnerabilities," Dr. Gardham explained. He stressed that while sophisticated attacks do occur, many breaches result from basic security oversights. "It could be something really, really, simple and actually most likely it is something very, very, simple. It would be one person, perhaps, that had a weak password or left their computer unattended in a cafe."

NHS England’s Response

An NHS England spokesperson told the BBC, "We are increasing cyber resilience across the NHS and over £338 million has been invested over the past seven years to help keep health and care organizations as safe as possible. Our ambitious Cyber Improvement Programme will support the NHS to respond to the changing cyber threats, expand protection, and reduce the risk of a successful attack." As cyber threats continue to evolve, the NHS must prioritize these updates to safeguard patient data and ensure the continuity of critical healthcare services. The collective insights from cybersecurity experts and front-line staff highlight the pressing need for immediate and sustained action to protect the NHS from future cyber threats.

Unconfirmed: NoName Targets Denmark & Finland in Retaliation for NATO Support

NoName Attack

The infamous ransomware group NoName has allegedly launched cyberattacks on MitID, the Finland Chamber of Commerce, and OP Financial Group. The NoName ransomware took to a dark web forum to announce their actions, framing them as retaliation against Denmark and Finland's recent military and infrastructural initiatives supportive of NATO. In a post filled with both defiance and threat, NoName stated: "Denmark has trained the first 50 Ukrainian specialists in servicing F-16 fighter jets, Commander of the Danish Air Force Jan Dam said in an interview with TV2. Most of the specialists have already returned to Ukraine to prepare for the reception of F-16s at local air bases. The training of the first group of Ukrainian pilots continues in Denmark." The message did not stop at Denmark. It continued with a pointed statement about Finland's recent activities: "Finland has begun repairing roads and bridges in Lapland to prepare for the deployment of NATO troops on its territory. ERR.EE reports on its change of stance on NATO forces and planned infrastructure work." NoName concluded with a chilling warning: "As you can see, the Russophobic authorities of these countries have not learned the lessons of the past. Therefore, we decided to clearly show what such initiatives lead to." [Image: NoName Attack. Source: X] [Image: NoName Attack. Source: X]

Background of the Allegedly Targeted Companies

MitID: MitID is Denmark's new digital identification system, replacing the NemID. It is an essential component of Denmark's digital infrastructure, allowing citizens and businesses to access various public and private services securely. An attack on this system could potentially disrupt countless services and erode trust in the nation's digital security. Finland Chamber of Commerce: The Finland Chamber of Commerce plays a critical role in supporting Finnish businesses, fostering economic growth, and promoting international trade. A cyberattack on the Finland Chamber of Commerce could aim to destabilize economic activities and undermine business confidence. OP Financial Group: As Finland's largest financial services group, OP Financial Group's services range from banking to insurance. A cyber attack here could have severe ramifications, potentially affecting millions of customers, disrupting financial transactions, and causing significant economic damage. When The Cyber Express Team accessed the official websites of the targeted companies, they appeared fully functional, showing no signs of foul play. To verify further, The Cyber Express Team reached out to the targeted companies. However, as of the time of writing this report, no official response has been received, leaving the claim unverified.

The Reason Behind NoName Attack

The timing and targets of these cyberattacks are no coincidence. They align closely with recent developments in Denmark and Finland's military and infrastructural commitments to NATO, particularly regarding support for Ukraine amidst its ongoing conflict with Russia. Denmark's training of Ukrainian specialists in F-16 fighter jet maintenance marks a significant step in bolstering Ukraine's military capabilities. This initiative underscores Denmark's commitment to supporting Ukraine, which has been under sustained aggression from Russia since the 2014 annexation of Crimea and the more recent 2022 invasion. Finland's decision to repair roads and bridges in Lapland for NATO troop deployment signals a notable shift in its defense strategy. Since joining NATO, Finland has taken several steps to align its infrastructure and military readiness with NATO standards, a move likely aimed at deterring Russian aggression in the region.

To Sum Up

NoName's actions exemplify the increasing use of cyber warfare as a tool for political and military coercion. These attacks are designed to cause immediate disruption and send a message of deterrence and retaliation. Targeting critical national infrastructure and prominent institutions highlights the vulnerabilities modern societies face in the digital age. The cyber attacks claimed by NoName against Danish and Finnish institutions remain unverified. The Cyber Express Team is closely monitoring the situation and will update its readers as more information or responses from the allegedly targeted companies become available.

Haylem, Un Museau Vaut Mille Mots, Lexibar Hit by Space Bears Ransomware: Patient Data, Financial Info Exposed?

data breach

The notorious Space Bears ransomware group has allegedly targeted three prominent Canadian entities, compromising substantial volumes of sensitive data. The victims—Haylem, Un Museau Vaut Mille Mots, and Lexibar—have had details about their breaches posted on a dark web forum by the ransomware group, heightening concerns over data privacy and security.

Details of Space Bears Ransomware Attack Victim

The first victim identified by the Space Bears ransomware is Haylem, a leading software development company based in Terrebonne, Canada. Haylem is well-known for its specialization in creating educational tools designed to assist individuals with learning disabilities. The ransomware group has threatened to release a trove of sensitive data, including financial reports, databases, and personal information of both employees and clients, within the next 5-6 days. [Image: Space Bears Ransomware Attack. Source: ransomlook.io] The second target of the Space Bears ransomware is Un Museau Vaut Mille Mots, a renowned orthophonics clinic in Terrebonne, Quebec. Developed by Haylem, this clinic is dedicated to providing exceptional orthophonics services using innovative technologies. The ransomware group has announced plans to disclose sensitive data from the clinic, including patient histories and personal information, within the same 5-6 day timeframe. [Image: Un Museau Vaut Mille Mots. Source: ransomlook.io] Lastly, Lexibar, another product developed by Haylem, has fallen prey to the Space Bears ransomware. Lexibar is widely used in French schools and specialized clinics for treating language disorders. The ransomware group claims that it will publish sensitive data from Lexibar, including financial reports, databases, and personal information of employees and clients, within 5-6 days. patients who depend on Lexibar for their learning and treatment. [Image: Lexibar. Source: ransomlook.io]

Verification Efforts and Current Status

In an attempt to verify the claims made by the Space Bears ransomware group, The Cyber Express Team accessed the official websites of the targeted companies. Upon inspection, the websites of Haylem, Un Museau Vaut Mille Mots, and Lexibar were found to be fully functional with no immediate signs of foul play detected. Despite the ransomware group’s threats, the digital presence of these companies remains intact as of now. The Cyber Express Team has also reached out to the officials of the targeted companies for comments on the alleged breaches. However, as of the writing of this news report, no official response has been received. This lack of communication leaves the claims unverified, adding to the uncertainty and anxiety surrounding the situation.

Potential Implications if Claims Are Verified

If the claims made by the Space Bears ransomware group are proven to be true, the implications could be far-reaching. The exposure of sensitive data from Haylem, Un Museau Vaut Mille Mots, and Lexibar could lead to significant financial losses, reputational damage, and legal ramifications for the affected companies. For Haylem, the breach could undermine its position as a trusted provider of educational tools, potentially affecting its client base and market share. For Un Museau Vaut Mille Mots, the release of patient data could lead to a loss of trust from patients and legal actions for violating privacy laws. Similarly, the breach of Lexibar’s data could disrupt educational and clinical services, impacting the progress and treatment of numerous individuals relying on the tool. The Space Bears ransomware attack serves as a reminder of the growing threat posed by cybercriminals in today’s digital age. The Cyber Express Team will continue to monitor the situation closely and provide updates as more information becomes available.

Free Tickets? Fraud Alert: Hackers Leak Taylor Swift’s ERAS Tour Barcodes Targeting Ticketmaster

Taylor Swift ERAS Tour Data Breach

A cybercriminal group known as Sp1d3rHunters has allegedly leaked 170,000 valid barcodes for Taylor Swift ERAS Tour events. These barcodes, which can be used for entry at upcoming concerts in Miami, New Orleans, and Indianapolis, were allegedly released for free online. The hackers, notorious for previous high-profile breaches, have demanded US$2 million from Ticketmaster, threatening to release more sensitive data if their demands are not met. The cybercriminals value the threatened leaks at a staggering $4.67 billion.

Taylor Swift ERAS Tour Barcodes Breach: Details and Implications

Sp1d3rHunters, a combination of two well-known threat actors, ShinyHunters and Sp1d3r, have claimed responsibility for the leak. They warn that the release of Taylor Swift's ERAS Tour barcodes is just the beginning. If their ransom demand is not fulfilled, they threaten to release 30 million more event barcodes and 680 million users' information. This includes tickets for events featuring artists like P!nk and Sting, as well as major sporting events such as F1 Formula Racing, MLB, and NFL games. The allegedly leaked barcodes could potentially allow unauthorized access for thousands of fans, leading to overcrowded venues, safety hazards, and financial losses for both fans and organizers. Additionally, Sp1d3rHunters has announced plans to release another celebrity-related leak next week, adding urgency to the situation. The Cyber Express Team has reached out to Ticketmaster to verify the claim, but as of now, no response has been received. This leaves the claim unverified, but the potential impact remains severe. [Image: Taylor Swift ERAS Tour Barcode Breach. Source: X]

Ticketmaster Previous Breaches and Ongoing Threats

The Ticketmaster data breach first came to light on May 27, 2024, when an individual using the alias “SpidermanData” claimed to have infiltrated Ticketmaster Entertainment, LLC, potentially exposing sensitive data of approximately 560 million users, including their card details. Shortly after, another hacker group, ShinyHunters, disclosed on May 29 that they had targeted Live Nation Entertainment, Inc., the parent company of Ticketmaster. ShinyHunters claimed to have obtained a substantial cache of data, including customer profiles, ticket sales details, and partial credit card information. They reportedly hold 1.3 terabytes of this stolen data, which they are offering for sale at a price of $500,000. This disclosure also mentioned a massive database breach involving "560M Users + Card Details," matching the earlier claim by “SpidermanData.” Live Nation later confirmed “unauthorized activity” on its database. In a filing to the U.S. Securities and Exchange Commission (SEC), Live Nation disclosed that a criminal actor had offered purported company user data for sale on the dark web. A spokesperson for Ticketmaster revealed that the stolen database was hosted with the cloud data platform company Snowflake. Snowflake stated that it had informed a “limited number of customers who we believe may have been impacted” by attacks “targeting some of our customers’ accounts.” However, Snowflake did not describe the nature of the cyberattacks or say whether data had been stolen from customer accounts.

To Wrap Up

The Sp1d3rHunters' leak of 170,000 Taylor Swift ERAS Tour barcodes marks a critical moment in the ongoing battle against cybercrime. The substantial ransom demand and the threat of further data exposure highlight the vulnerabilities in the digital infrastructure of the event ticketing industry. This continuous threat cycle poses a significant challenge for Ticketmaster and other event organizers, who must now operate under the constant threat of further breaches. Fans are advised to stay vigilant and monitor official channels for updates. Those who have already purchased tickets should verify their authenticity through Ticketmaster's official verification processes to avoid falling victim to fraudulent activities. The Cyber Express team will continue to monitor this developing story, providing updates as more information becomes available.

BianLian Ransomware Hits Major US Companies, Potentially Exposes Sensitive Data

BianLian ransomware

The BianLian ransomware group has allegedly launched a series of cyberattacks against three prominent US companies, compromising substantial volumes of sensitive data. The victims of the BianLian ransomware attack, Island Transportation Corp., Legend Properties Inc., and Transit Mutual Insurance Corporation of Wisconsin, have had details about their breaches posted on a dark web leak site by the ransomware group. This escalation highlights the growing threat posed by ransomware attacks to critical sectors across the United States.

Alleged Victims of BianLian Ransomware Attack

The first victim listed by the BianLian ransomware group is Island Transportation Corp., one of the largest bulk carriers in the United States specializing in servicing the petroleum industry. Founded in 1952, Island Transportation Corp. has built a long-standing reputation for reliability and efficiency in transporting petroleum products across the country. The BianLian ransomware attack reportedly resulted in the unauthorized access of 300 GB of organizational data. The compromised data includes vital business information, accounting records, project files, data from network users' folders, file server data, and personal data. The full extent of the alleged ransomware attack is still unknown.

Another significant target of the BianLian ransomware attack is Legend Properties Inc., a well-established full-service commercial real estate and brokerage firm. Founded in 1990, Legend Properties serves clients across eastern and central Pennsylvania, New Jersey, and Delaware. The BianLian ransomware attack on Legend Properties Inc. allegedly led to the unauthorized access of 400 GB of sensitive data. The stolen data encompasses critical business information, accounting data, project details, data from network users' folders, file server data, and personal information.

Transit Mutual Insurance Corporation of Wisconsin, a key provider of insurance services, is the third victim identified by the BianLian ransomware group. The BianLian ransomware attack on the corporation has reportedly resulted in the unauthorized access of 400 GB of organizational data. The compromised data includes business information, accounting records, project files, data from network users' folders, file server data, and personal data. [Image: BianLian ransomware attack listing. Source: X]

Verification and Company Responses

To verify the claims made by the BianLian ransomware group, The Cyber Express Team attempted to access the official websites of the targeted companies. While Island Transportation Corp.'s website was found to be fully functional, the websites of Legend Properties Inc. and Transit Mutual Insurance Corporation of Wisconsin were inaccessible, displaying a blocking message. [Image: BianLian ransomware hits US companies. Source: screenshot of the official website of Legend Properties Inc.] The Cyber Express Team has also reached out to the officials of the targeted companies for comments. However, no contact information was accessible at the time of writing. Efforts are ongoing to get in touch with the representatives of these companies, and any updates will be included in future reports.

What if the BianLian Ransomware Claim is Proven True?

The BianLian ransomware attacks on these three companies have significant implications if the claims of unauthorized access and potential exposure of vast amounts of data are proven true. The breached data could be used for various malicious purposes, including identity theft, financial fraud, and further cyberattacks. Moreover, the public disclosure of such breaches can severely damage the reputation of the affected companies and erode trust among clients and partners. The BianLian ransomware group's alleged attacks serve as a reminder of the persistent and evolving threat posed by cybercriminals. As businesses continue to rely on digital infrastructure, the need for comprehensive cybersecurity strategies has never been more critical. The Cyber Express Team will continue to monitor the situation and provide updates as more information becomes available. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Vintage Investment Partners Appoints Ilan Leiferman as Chief Value-Add Officer

Ilan Leiferman

Vintage Investment Partners, a global venture capital platform managing $4 billion in assets, has announced the appointment of Ilan Leiferman as Chief Value-Add Officer. Leiferman will lead Vintage's Value+ platform, bringing extensive experience from his nearly four-year tenure at Amazon Web Services (AWS), where he spearheaded business development for top-tier venture capitalists and startups and built AWS's global cybersecurity business practice for startups. Vintage's Value+ platform is a pivotal part of the firm's strategy to add value to the venture ecosystem. It leverages Vintage's extensive network, including over 4,000 venture funds and over 25,000 startups, to connect venture-backed technology startups with corporations seeking digital transformation support. The platform has facilitated over 280 purchase orders and paid proofs of concept for startups from global corporations, amounting to over $200 million in business.

Ilan Leiferman: Leadership Transition and Strategic Vision

Ilan Leiferman will be succeeding Orit Shilo, who will be relocating abroad after three impactful years at Vintage. Abe Finkelstein, Co-Managing Partner of Vintage, expressed enthusiasm about the leadership transition, stating, "Value+ is a critical component of Vintage's strategy of adding value to the ecosystem, and we are excited to have Ilan on board to enhance our focus on connecting startups and corporates as well as leveraging the power of Gen-AI to roll out new free services for funds and startups across the globe." Leiferman's expertise in fostering business development and his strategic vision for integrating advanced technologies like Gen-AI will be instrumental in expanding the Value+ platform's capabilities. This appointment is poised to enhance the platform's offerings, ensuring that it continues to be a vital resource for startups and corporations navigating their digital journeys. Leiferman's background at AWS, where he was responsible for developing business opportunities for leading VCs and startups, highlights his capability to drive innovation and growth within the venture ecosystem. His work in establishing AWS's global cybersecurity business practice for startups demonstrates his proficiency in addressing complex technological needs and creating impactful business solutions.

About Vintage Investment Partners

Vintage Investment Partners is a distinguished global venture platform that combines Secondary Funds, Growth-Stage Funds, and Fund-of-Funds. With $4 billion in assets under management across 15 active funds, Vintage has established itself as a significant player in the venture capital landscape. The firm's investments span leading venture funds and mid-to-late-stage startups, positioning it at the forefront of innovation and growth in the technology sector. As Orit Shilo transitions from her role at Vintage, the firm extends its gratitude for her contributions and wishes her success in her future endeavors. Her leadership over the past three years has been integral to the development and success of the Value+ platform. Looking ahead, Leiferman's appointment signals a new phase of growth and innovation for Vintage Investment Partners. The focus on leveraging Gen-AI and enhancing the platform's services reflects Vintage's dedication to staying at the cutting edge of technological advancement and providing unparalleled value to its stakeholders.

Australia Bets $2 Billion on ‘Top Secret’ AWS Cloud: Security Innovation or Dependence Dilemma?

AWS

Amazon Web Services (AWS) has announced a $2 billion strategic partnership with the Australian Government to create a "Top Secret" AWS Cloud (TS Cloud). This initiative is set to significantly enhance Australia's defence and intelligence capabilities. "The partnership leverages AWS's global experience, reliability, security, and performance, with local skilled personnel, the ability to dedicate thousands of engineers and experts to long-term government initiatives. It provides for continuous infrastructure investment and focus on enhancing cloud services to meet evolving needs," reads the AWS official release. While this may seem like a massive leap forward in terms of innovation and security, it also raises questions about dependency on a single corporation for critical national infrastructure. Here is a closer look at the AWS and Australian Government partnership.

AWS History of Investment and Innovation

AWS's commitment to Australia isn't new. Since establishing a local presence with the 2012 launch of the AWS Asia Pacific (Sydney) Region, the company has been a driving force behind digital transformation in both the public and private sectors. The 2023 launch of the AWS Asia Pacific (Melbourne) Region further solidified this relationship. AWS claims that these investments have already amounted to over $9.1 billion into the local economy, with plans to invest an additional $13.2 billion by 2027. While these numbers are staggering, they also highlight the immense influence AWS has accumulated over the past decade. The TS Cloud initiative, albeit promising, cements AWS's role as a critical player in Australia's digital infrastructure, raising concerns about monopolistic tendencies and the risks associated with single-provider dependencies.

AWS Partnership: Implications for Defence and Intelligence

The TS Cloud is purpose-built for Australia’s Defence and Intelligence agencies to securely host sensitive information and facilitate seamless data sharing between the National Intelligence Community and the Australian Defence Force. AWS touts that the cloud will unlock new Artificial Intelligence (AI) and Machine Learning (ML) capabilities, potentially revolutionizing how classified data is managed and analyzed. "With the TS Cloud, Australia’s Defence and Intelligence agencies will have the ability to select from AWS’s services across compute, storage, databases, analytics, AI and ML. Cloud technology is an important capability for agencies to accelerate innovation and agility whilst staying secure. By eliminating the basic, routine IT infrastructure tasks, agencies can focus on what’s most important to them: protecting and advancing Australia’s interests. The cloud eliminates the undifferentiated heavy lifting of sourcing and maintaining IT hardware, and enables a mission first focus," the AWS statement reads. However, while the potential benefits are significant, the security implications of entrusting such sensitive data to a cloud environment, even one designed to the highest security standards, cannot be overlooked. The success of this initiative will largely depend on AWS's ability to continually meet stringent security requirements and protect against increasingly sophisticated cyber threats.

Security and Compliance

AWS's certification as a Strategic Hosting Provider under the Australian Government’s Hosting Certification Framework and its ongoing assessment under the Information Security Registered Assessors Program (IRAP) for operating workloads at the PROTECTED level is reassuring. As of June 2024, AWS offers 151 cloud services in Australia, supporting a wide range of security standards and compliance certifications. The AWS-Australia partnership is not just about technology; it’s also about economic growth and workforce development. AWS claims that the TS Cloud initiative will generate local jobs in fields like cybersecurity, data analytics, and cloud computing. Additionally, AWS’s collaboration with educational institutions aims to prepare Australians for future roles, with over 400,000 individuals having already received cloud skills training since 2017. "We’re excited by the opportunities the TS Cloud initiative brings to Australia’s economy and communities. The government’s investment opens doors for creating new jobs, developing skills, and sparking innovation across multiple sectors. By enabling Australian businesses to design, build, and integrate cutting-edge cloud capabilities, this collaboration will generate new local jobs in fields like cybersecurity, data analytics, and cloud computing," reads the statement. While the creation of new jobs and skills development is a positive outcome, it also raises questions about the long-term impact on the local tech industry. As AWS continues to expand its footprint, there is a risk of creating a dependency on AWS-specific skills, potentially limiting the diversity and resilience of Australia's tech ecosystem.

AWS and Australian Government Partnership: Sustainability Efforts

AWS’s investment in sustainable cloud infrastructure, including renewable energy projects like the 125MW Amazon Solar Farm in Wandoan, Queensland, reflects a commitment to environmental responsibility. These projects are forecast to generate significant economic benefits and contribute to Australia’s GDP. However, it remains to be seen how these initiatives will balance with the overall environmental impact of large-scale data centers, which are known for their substantial energy consumption. The integration of sustainable practices within such a large operation will require continuous effort and innovation.

A Double-Edged Sword

The AWS-TS Cloud initiative represents a significant leap forward in enhancing Australia’s national security and digital capabilities. However, this partnership also exemplifies the complex interplay between innovation, security, and economic dependency. As Australia embraces this ambitious project, it must also navigate the inherent risks and ensure that the benefits do not come at the cost of sovereignty and independence in critical national infrastructure. As AWS and the Australian Government move forward with the TS Cloud initiative, ongoing scrutiny and transparent reporting will be essential to safeguard the interests of all stakeholders. The Cyber Express will continue to monitor developments and provide in-depth analysis on the implications of this strategic partnership.

Formula 1 Governing Body FIA Suffers Data Breach, Email Accounts Compromised

FIA Data Breach

The Fédération Internationale de l'Automobile (FIA), the governing body of world motor sport, has confirmed that attackers gained unauthorized access to personal data after compromising several FIA email accounts in a phishing attack. The FIA data breach has raised significant concerns within the motorsport community and beyond, as the organization manages sensitive information related to its various operations and members. In an official statement, the FIA described the extent of the breach: "Recent incidents pursuant to phishing attacks has led to the unauthorized access to personal data contained in two email accounts belonging to the FIA." The organization has acknowledged the seriousness of the incident and has taken immediate action to mitigate the impact. The Cyber Express reached out to an FIA spokesperson with additional questions about the incident. In a response to The Cyber Express, the spokesperson said, "I can confirm that the incidents were identified as part of a wider phishing attempt across the motor sport sphere, rather than a targeted attack on the FIA’s systems."

FIA Data Breach: Immediate Response and Regulatory Notification

Upon discovering the breach, the FIA cut off the illegitimate access and notified the relevant regulators, the Commission Nationale de l'Informatique et des Libertés (the French data protection regulator) and the Préposé Fédéral à la Protection des Données et à la Transparence (the Swiss data protection regulator). "The FIA took all actions to rectify the issues, notably in cutting the illegitimate accesses in a very short time, once it became aware of the incidents and notified the Commission Nationale de l'Informatique et des Libertés (the French data protection regulator), and the Préposé Fédéral à la Protection des Données et à la Transparence (the Swiss data protection regulator)," reads the official statement. The FIA has expressed regret for any concern caused to the affected individuals and emphasized its dedication to data protection. "We take our data protection and information security obligations very seriously and continuously review our systems to ensure they are robust, in the context of evolving cyber-criminality. The FIA has put additional security measures in place to protect against any future attacks," the FIA stated.

FIA's Legacy and Role

Founded in 1904 as the Association Internationale des Automobile Clubs Reconnus (AIACR), the FIA is a non-profit international association that coordinates numerous auto racing championships, including the prestigious Formula 1 and the World Rally Championship (WRC). The FIA brings together 242 member organizations from 147 countries across five continents and controls the FIA Foundation, which promotes and funds road safety research. Despite the swift response, the FIA has yet to disclose critical details about the cyberattack on FIA, including when it was detected, how many individuals' personal information was accessed, and what specific data was exposed or stolen. This lack of information has left many stakeholders eager for further updates to understand the full scope and potential implications of the incident. The Cyber Express will continue to monitor the situation and provide updates as more information becomes available. In the meantime, organizations across all sectors are urged to review and strengthen their cybersecurity protocols to safeguard against similar threats.

False Alarm: IntelBroker’s Cognizant Data Breach Claim Found to Involve Test Data

Cognizant data breach

Cognizant Technology Solutions, a leading American multinational specializing in IT services and consulting, has provided an update regarding the alleged Cognizant data breach claimed by IntelBroker, a prominent member of the notorious BreachForums. In response to inquiries by The Cyber Express, a spokesperson from Cognizant confirmed that their investigation revealed the incident involved a cloud-based testing environment with fictional test data.
"We have investigated the claim and found that the impact involved a cloud-based testing environment with fictional test data," the Cognizant spokesperson told The Cyber Express.
The organization further clarified that no clients or client data were impacted by this event.
"No clients or client data were impacted by this event," reads the official statement from Cognizant.
The company has not confirmed any other claims regarding the alleged data breach. In a prior statement to The Cyber Express, the spokesperson had stated,
"We are aware of the reports made by a cybercriminal organization, claiming it has targeted some of our services. We take this matter very seriously and we are investigating the validity and extent of this claim."

Initial Cognizant Data Breach Claims by IntelBroker

Earlier, The Cyber Express had reported that IntelBroker had allegedly leaked a substantial amount of data stolen from Cognizant Technology Solutions. According to IntelBroker, the leak included a document with 12 million lines from Cognizant’s internal website and user data from the company’s Oracle Insurance Policy Administration (OIPA) system, a policy administration platform for insurers. The purported leaked file reportedly contained approximately 40,000 user records with various sensitive data fields, such as policy number, role code, client name, company code, state code, role sequence number, arrangement number, arrangement status, start date, start year, end date, end year, draft day, modular amount, and next premium due date.

IntelBroker’s Notorious History

IntelBroker is well-known for high-profile cyber intrusions. The hacker has previously claimed responsibility for a massive data breach involving Advanced Micro Devices (AMD), a leading player in the semiconductor industry. This unverified breach, disclosed on BreachForums, included multiple data samples shared with the forum’s users, raising serious concerns about the security of AMD’s infrastructure. AMD officials have since stated that they are investigating the claims. IntelBroker's notoriety is rooted in a history of targeting diverse organizations, including critical infrastructure, major tech corporations, and government contractors, and the hacker has gained access to sensitive information on multiple occasions. Previous claims include breaches at Apple, Lindex Group, and Acuity, a U.S. federal technology consulting firm. Cognizant Technology Solutions' prompt response and investigation highlight its commitment to security and client data protection. By swiftly addressing the claims of a Cognizant cyberattack and confirming that client data was not affected, Cognizant has taken an essential step in maintaining trust and transparency with its stakeholders. The Cyber Express will continue to monitor the situation closely, providing updates as more information becomes available. As investigations continue, it is crucial for organizations to communicate clearly and promptly with stakeholders, providing accurate information about the nature and extent of any data breaches. By staying informed and prepared, organizations can better protect their digital assets and maintain the trust of their clients and partners.

Florida Department of Health Hit by Potential Cyberattack, Confirms Temporary Outages

Florida Department of Health

The Florida Department of Health, the first accredited public health system in the United States, has responded to a query by The Cyber Express regarding claims of a ransomware attack by the notorious RansomHub group. Reports initially suggested that the Florida Department of Health had fallen victim to a significant ransomware attack, potentially compromising critical systems and sensitive data.

Florida Department of Health Official Response

In an official statement to The Cyber Express, the Florida Department of Health acknowledged the occurrence of temporary outages within their online Vital Statistics system, which is believed to be linked to a potential cyber incident.
The statement read, "The Florida Department of Health (Department) can confirm that there have been temporary outages of the online Vital Statistics system following a potential cyber incident. As is standard practice, the Department is coordinating with law enforcement and all relevant stakeholders."
Despite these disruptions, the department reassured the public that the majority of its systems and services remain fully operational.
"Any affected parties will be notified as a comprehensive assessment of the situation is completed. The majority of Department systems and services remain operational with no disruptions," the statement shared with The Cyber Express team further noted.
However, the department has not disclosed any further details in regards to the Florida Department of Health cyberattack, the attacker group, or the extent of the data breach. This lack of specific information leaves many questions unanswered about the potential impact on the department’s data and operations.

RansomHub Group’s Claims

The initial reports, which emerged two days ago, claimed that the RansomHub group had accessed a staggering 100 GB of data from the Florida Department of Health. The group reportedly threatened to publish this stolen information within the next three to four days, escalating concerns about the potential repercussions of the breach. In a parallel development, the RansomHub group also claimed responsibility for targeting NTT DATA, a global leader in business and technology services. According to the group's statements, they have accessed 230 GB of data from the Romanian division of NTT DATA and plan to release it within the same three to four-day timeframe. As of now, NTT DATA has not confirmed these claims nor responded to inquiries by The Cyber Express. The lack of confirmation from NTT DATA adds another layer of uncertainty to the situation, as the potential exposure of such a significant volume of data could have widespread implications.

Public Health Organizations as Prime Targets

The Florida Department of Health's response highlights the ongoing challenges that public health organizations face in safeguarding their digital infrastructure against increasing cyber threats. Public health systems, in particular, are attractive targets for cybercriminals due to the vast amounts of sensitive personal and medical information they handle. The potential fallout from such breaches can be severe, impacting not only the affected organizations but also the individuals whose data is compromised. The department’s swift coordination with law enforcement and other stakeholders highlights the importance of a rapid and coordinated response in mitigating the impact of such incidents. The Cyber Express will continue to monitor the situation closely, providing updates as more information becomes available. In the meantime, this incident serves as a reminder of the critical need for enhanced cybersecurity measures and proactive incident response strategies to protect sensitive data and maintain the integrity of essential services.

FBI, DHS Warn of Insider Threats to 2024 US Elections, Issue New Guidance for Officials

2024 US Election

In a collaborative effort to safeguard the integrity of the 2024 US election cycle, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and other key partners have released new guidance for election officials. This comprehensive overview addresses the risks posed by insider threats to election infrastructure, potential scenarios, and actionable steps to mitigate these threats.

Strengthening 2024 US Election Security

The FBI, in coordination with the Department of Homeland Security’s (DHS) Office of Intelligence and Analysis (I&A), CISA, and the U.S. Election Assistance Commission (EAC), has prepared this guidance to assist election officials at all levels in defending against insider threat concerns. For years, federal, state, local, and private sector partners have worked closely to support state and local officials in safeguarding election infrastructure from cyber, physical, and insider threats. Due to these concerted efforts, there is no evidence that malicious actors have altered or deleted votes or impacted the outcome of elections. "While there is no evidence that malicious actors impacted election outcomes, it is important that election stakeholders at all levels are aware of the risks posed by insider threats and the steps that they can take to identify and mitigate these threats," reads the report.

Understanding Insider Threats

An insider threat is defined as an individual or group with authorized access or special knowledge who uses that access to cause harm to an organization or entity. This harm can include malicious acts that compromise the security and integrity of election systems and information. Insiders can be current or former employees, temporary workers, volunteers, contractors, or any individuals with privileged access to election systems.

Recent Examples of Insider Threats

  1. Unauthorized Data Extraction: A temporary election worker inserted a personal flash drive into an electronic poll book containing voter registration data, including confidential information. This worker extracted the data to compare it against documents they intended to acquire post-election via the Freedom of Information Act. The breached equipment was decommissioned following the incident.
  2. Unauthorized Access and Data Exposure: A state identified digital images of a voting system and confidential passwords that had been published online without authorization. Further investigation revealed that a county clerk and a subordinate had granted unauthorized access to the county’s voting machines, disabled security cameras, and provided false credentials to an unauthorized individual.
  3. Network Access Breach: During a state’s spring primary election, a county official reported an attempt to gain unauthorized access to the county’s election network. An unauthorized laptop was connected to the government network, and data from the election network was later presented at a public gathering discussing perceived election fraud.
  4. Compromised Election Systems: Two county officials allowed unauthorized users access to their election systems during an audit, leading to the state’s chief election official decertifying the machines and prohibiting their use in future elections.
While recent insider threats have been domestic, there is a growing concern about foreign adversaries exploiting insider access to interfere with the 2024 US elections. Foreign actors might attempt to manipulate individuals with privileged access through ideological, financial, or coercive means. Such attempts could potentially disrupt processes, spread false information, and undermine confidence in U.S. democratic institutions.

Indicators of Insider Threat Activity

Election officials should be vigilant for signs of insider threat activity, including:
  • Unauthorized access to systems or facilities.
  • Attempting to alter or destroy ballots or election materials.
  • Turning off security cameras or access control systems.
  • Removing sensitive material without authorization.
  • Accessing networks at odd times.
  • Ignoring cybersecurity policies.

Building an Insider Threat Mitigation Program

Effective insider threat mitigation involves several key components:
  1. Standard Operating Procedures (SOPs): Detailed steps for tasks, including access control measures and the buddy system for handling sensitive tasks.
  2. Physical and Digital Access Control: Restricting access to necessary systems and facilities, maintaining logs, and using surveillance.
  3. Chain of Custody Procedures: Documenting the movement and control of assets to prevent unauthorized access.
  4. Zero Trust Security: Verifying each access request, regardless of origin.
  5. Continuous Monitoring: Using human and digital tools to detect anomalies.
  6. Routine Audits: Validating the effectiveness of security measures.
  7. Cybersecurity Best Practices: Implementing multi-factor authentication, regular updates, and network segmentation.
As the 2024 US election cycle approaches, it is imperative for election stakeholders to be aware of the risks posed by insider threats and to implement comprehensive mitigation strategies. The guidance provided by the FBI, CISA, and partners serves as a crucial resource in these efforts. By establishing strong security measures, election officials can help ensure the integrity, reliability, and security of the election process, thereby reinforcing public confidence in the democratic system.

IT Security Expert Praveen Mishra Takes on CISO Role at Axis Finance

Praveen Mishra

Axis Finance Limited, a prominent non-banking financial company, has announced a strategic leadership appointment that is set to strengthen its information security and compliance framework. Praveen Mishra, a seasoned expert in IT risk management and security, has been named Chief Information Security Officer (CISO) and Senior Vice President (SVP). This appointment marks a significant step for Axis Finance Limited in its ongoing commitment to enhancing its cybersecurity measures and regulatory compliance.

[Image: Praveen Mishra. Source: Praveen Mishra's LinkedIn Post]

Praveen Mishra's Extensive Background in IT Security and Compliance

Praveen Mishra joins Axis Finance Limited with a distinguished career at Axis Bank, where he held various pivotal roles that honed his expertise in IT risk management, compliance, and security. His journey at Axis Bank began as an operations trainee, but his dedication and strategic acumen quickly propelled him through the ranks to become Vice President. In this capacity, he oversaw numerous regulatory compliance projects and provided critical advice on technological regulations. During his tenure at Axis Bank, Mishra spearheaded several key initiatives, including the development and implementation of IT risk frameworks and conducting thorough IT audits. His leadership in ensuring adherence to ISO standards was instrumental in maintaining high levels of security and compliance within the organization. Praveen's strategic approach to IT security involved not only the formulation of comprehensive security strategies but also the meticulous allocation of budgets to support these initiatives. His focus on risk mitigation measures was always balanced with a keen understanding of the importance of user experience, ensuring that security protocols did not hinder the efficiency and effectiveness of technological operations.

New Role and Responsibilities at Axis Finance Limited

In his new role as CISO and SVP at Axis Finance Limited, Praveen Mishra will leverage his experience to enhance the company’s information security posture. He will be responsible for ensuring regulatory compliance across all technological operations and driving initiatives that safeguard the company’s digital assets. His appointment is expected to bring a renewed focus on cybersecurity, aligning with the company's strategic goals of maintaining high standards of security and compliance. The appointment of Praveen Mishra as CISO and SVP represents a strategic move for Axis Finance Limited, reflecting the company’s dedication to strengthening its cybersecurity and compliance frameworks. Praveen's extensive background in IT risk management, his leadership in regulatory compliance, and his strategic vision for information security make him an ideal choice for this critical role. As Axis Finance Limited continues to grow and expand its operations, Praveen's expertise will be instrumental in navigating the challenges of the digital landscape. His proactive approach to security and compliance will help ensure that the company remains at the forefront of the financial industry, delivering secure and efficient services to its clients.

RCE, DoS Exploits Found in Rockwell PanelView Plus: Patch Now

Microsoft findings

Microsoft has discovered and disclosed two significant vulnerabilities in Rockwell Automation's PanelView Plus devices. These vulnerabilities could be remotely exploited by unauthenticated attackers, enabling them to execute remote code and initiate denial-of-service (DoS) attacks. The Microsoft findings highlight severe security gaps in the industrial space, where these human-machine interface (HMI) graphic terminals are widely used. This discovery by Microsoft highlights the critical need for robust security measures in industrial automation systems to protect against potential disruptions.

Technical Details of the RA PanelView Plus Devices Vulnerabilities

The Remote Code Execution (RCE) vulnerability, identified as CVE-2023-2071 with a CVSS score of 9.8, involves the exploitation of two custom classes within the device. Attackers can abuse these classes to upload and execute a malicious DLL, effectively gaining remote control of the device. The DoS vulnerability, labeled CVE-2023-29464 with a CVSS score of 8.2, exploits the same custom class to send a crafted buffer that the device cannot handle, leading to a system crash. "The RCE vulnerability in PanelView Plus involves two custom classes that can be abused to upload and load a malicious DLL into the device. The DoS vulnerability takes advantage of the same custom class to send a crafted buffer that the device is unable to handle properly, thus leading to a DoS," reads the Microsoft blog post.

Microsoft Discovery and Disclosure Process

Microsoft's Security Vulnerability Research (MSVR) team detected these vulnerabilities through diligent analysis and shared their findings with Rockwell Automation via Coordinated Vulnerability Disclosure (CVD) in May and July 2023. Rockwell Automation promptly responded, publishing advisories and releasing security patches in September and October 2023. "We shared these findings with Rockwell Automation through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR) in May and July 2023. Rockwell published two advisories and released security patches in September and October 2023," reads the blog post. PanelView Plus devices play a crucial role in industrial automation, making the discovered vulnerabilities particularly concerning. Exploiting these vulnerabilities could allow attackers to remotely execute code, potentially leading to operational disruptions and significant financial losses for affected organizations. Microsoft emphasizes the importance of applying the released security patches to mitigate these risks.

Microsoft Defender for IoT Research Team's Role

One of the key responsibilities of the Microsoft Defender for IoT research team is to ensure comprehensive analysis of operational technology (OT) and Internet of Things (IoT) protocols. During their investigation, the team observed a legitimate packet capture between two devices communicating via the Common Industrial Protocol (CIP). A suspicious remote registry query involving a path to a registry value named “ProductCode” raised concerns about potential vulnerabilities.

In-Depth Analysis of the Protocol

CIP is an object-oriented protocol designed for industrial automation applications. Messages are directed towards specific objects identified by their Class ID and Object Instance ID. The protocol includes a Service Code, which denotes the action to be performed on the object. Microsoft's analysis revealed that the communication observed involved vendor-specific Service ID and Class ID values, prompting further investigation into the HMI firmware.
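As an added illustration of the message structure just described (not code from the article, Microsoft or Rockwell), the following Python decodes the Service Code and request path of an unconnected CIP request and flags requests that use vendor-specific Service or Class ID ranges, which is what a defender watching an OT network would want to surface. The range boundaries are taken from the public ODVA CIP specification and the sample frames are constructed, not captured traffic.

```python
"""Parse and classify CIP requests by ODVA-defined Service Code and Class ID
ranges.  Added illustration, not code from the article, Microsoft or Rockwell.

A CIP Message Router request is: Service Code (1 byte), Request Path Size
(1 byte, in 16-bit words), Request Path (padded EPATH of logical segments
naming Class, Instance and optionally Attribute), then request data.
"""
from dataclasses import dataclass
from typing import Optional

# Range boundaries as defined by ODVA in the CIP specification (Volume 1,
# Appendix A).  Assumption: quoted from the public spec, not from the article.
VENDOR_SPECIFIC_SERVICES = range(0x32, 0x4B)    # 0x32-0x4A
OBJECT_SPECIFIC_SERVICES = range(0x4B, 0x64)    # 0x4B-0x63
VENDOR_SPECIFIC_CLASSES = (range(0x64, 0xC8), range(0x300, 0x500))

# Logical segment byte: bits 7-5 = 001 (logical segment), bits 4-2 = logical
# type, bits 1-0 = value format (0 = 8-bit, 1 = 16-bit, 2 = 32-bit).
LOGICAL_SEGMENT = 0x20
LOGICAL_CLASS, LOGICAL_INSTANCE, LOGICAL_ATTRIBUTE = 0, 1, 4
SEGMENT_SIZE = {0: 2, 1: 4, 2: 6}   # total bytes incl. segment byte and pad


@dataclass
class CipRequest:
    service: int
    class_id: Optional[int]
    instance_id: Optional[int]
    attribute_id: Optional[int]
    data: bytes


def parse_cip_request(frame: bytes) -> CipRequest:
    """Decode the header and request path of an unconnected CIP request."""
    if len(frame) < 2:
        raise ValueError("frame too short for service code and path size")
    service, path_words = frame[0], frame[1]
    path_end = 2 + 2 * path_words
    if len(frame) < path_end:
        raise ValueError("request path truncated")
    path, data = frame[2:path_end], frame[path_end:]

    ids = {LOGICAL_CLASS: None, LOGICAL_INSTANCE: None, LOGICAL_ATTRIBUTE: None}
    i = 0
    while i < len(path):
        seg = path[i]
        if (seg & 0xE0) != LOGICAL_SEGMENT:
            raise ValueError(f"unsupported segment type 0x{seg:02x} at offset {i}")
        logical_type, fmt = (seg >> 2) & 0x07, seg & 0x03
        size = SEGMENT_SIZE.get(fmt)
        if size is None or i + size > len(path):
            raise ValueError(f"malformed logical segment at offset {i}")
        # 8-bit values follow the segment byte directly; 16/32-bit values
        # are preceded by a pad byte in the padded EPATH format.
        raw = path[i + 1:i + 2] if fmt == 0 else path[i + 2:i + size]
        value = int.from_bytes(raw, "little")
        if logical_type in ids:
            ids[logical_type] = value      # member/connection-point types are skipped
        i += size
    return CipRequest(service, ids[LOGICAL_CLASS], ids[LOGICAL_INSTANCE],
                      ids[LOGICAL_ATTRIBUTE], data)


def classify(req: CipRequest) -> list:
    """Return the reasons a request deserves attention on an OT network."""
    reasons = []
    if req.service in VENDOR_SPECIFIC_SERVICES:
        reasons.append(f"vendor-specific service 0x{req.service:02X}")
    elif req.service in OBJECT_SPECIFIC_SERVICES:
        reasons.append(f"object-specific service 0x{req.service:02X}")
    if req.class_id is not None and any(req.class_id in r for r in VENDOR_SPECIFIC_CLASSES):
        reasons.append(f"vendor-specific class 0x{req.class_id:X}")
    return reasons


# Constructed sample frames for this illustration (not captures from the article).
# Get_Attribute_Single (0x0E) on the Identity object (class 0x01), instance 1,
# attribute 1: a routine request any CIP device answers.
IDENTITY_REQUEST = bytes([0x0E, 0x03, 0x20, 0x01, 0x24, 0x01, 0x30, 0x01])
# The first vendor-specific service code addressed, via a 16-bit class
# segment, to the first vendor-specific class above 0x2FF, with two data bytes.
VENDOR_REQUEST = bytes([0x32, 0x03, 0x21, 0x00, 0x00, 0x03, 0x24, 0x01]) + b"\x10\x00"

if __name__ == "__main__":
    for name, frame in (("identity", IDENTITY_REQUEST), ("vendor", VENDOR_REQUEST)):
        req = parse_cip_request(frame)
        print(name, req, classify(req) or "no findings")
```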

Firmware Analysis and Exploitation Approach

PanelView Plus HMIs run Windows 10 IoT (older models run Windows CE). Microsoft's team extracted relevant DLLs and executables from the firmware to understand how the device processes CIP requests. They discovered that certain DLLs manage custom CIP classes responsible for reading and writing registry keys. This discovery led to the identification of two custom classes that could be exploited for remote code execution.

Custom Classes and Exploitation

The first custom class accepts a DLL path, function name, and parameter, loading the DLL and executing the specified function. Despite a verification function limiting the function names to predefined values, Microsoft found a way to exploit this class. The second custom class allows reading and writing files on the device, with less stringent verification, providing an avenue for uploading a malicious DLL. Microsoft demonstrated an exploitation approach by compiling a malicious DLL compatible with Windows 10 IoT. They used the second custom class to upload the DLL and placed it in a specific folder. The DLL, named remotehelper.dll, was then executed using the first custom class, granting attackers remote control of the device. This proof-of-concept confirmed the severity of the vulnerability and the potential for exploitation.

Mitigation and Protection Measures

To mitigate the risks associated with these vulnerabilities, Microsoft recommends the following measures:
  • Apply Patches: Ensure that affected devices are updated with the latest security patches. Specifically, install patches PN1645 and PN1652 to address the identified vulnerabilities.
  • Network Segmentation: Disconnect critical devices such as PLCs, routers, and PCs from the internet and ensure proper network segmentation.
  • Access Control: Limit access to CIP devices to authorized components only.
  • Utilize Tools: Use Microsoft's tool for scanning and forensic investigation of Rockwell Rslogix devices, available on GitHub, to identify impacted devices and secure them accordingly.
Microsoft's findings and disclosure of these vulnerabilities highlight the importance of collaborative efforts in the cybersecurity community. By sharing detailed technical insights and mitigation strategies, Microsoft aims to strengthen the security posture of industrial automation systems.

SEC Cracks Down on Crypto Bank Silvergate: $50 Million Fine for Misleading Investors

Silvergate

The Securities and Exchange Commission (SEC) has charged Silvergate Capital Corporation, along with its former executives Alan Lane, Kathleen Fraher, and Antonio Martino, with misleading investors regarding the strength of its compliance programs and financial stability. From November 2022 to January 2023, Silvergate, along with its then-CEO Alan Lane and former Chief Risk Officer Kathleen Fraher, falsely assured investors of the robustness of its Bank Secrecy Act/Anti-Money Laundering (BSA/AML) compliance program.

Silvergate Misleading Investors About Compliance Programs

This was an attempt to allay concerns following the collapse of one of its largest clients, FTX. The reality, as the SEC alleges, was far bleaker. Silvergate’s automated transaction monitoring system failed to oversee more than $1 trillion worth of transactions on its payments platform, the Silvergate Exchange Network. This failure allegedly allowed nearly $9 billion in suspicious transfers among FTX and related entities to go undetected. “At all times, but especially during moments of crises, public companies and their officers must speak truthfully to the investing public. Here, we allege that Silvergate, Lane, and Fraher fell not only woefully, but also fraudulently, short in that regard,” stated Gurbir S. Grewal, Director of the SEC’s Division of Enforcement. Adding further, Grewal said, “Rather than coming clean to investors about serious deficiencies in its compliance programs in the wake of the collapse of FTX, one of Silvergate’s largest banking customers, they doubled down in a way that misled investors about the soundness of the programs. In fact, because of those deficiencies, Silvergate allegedly failed to detect nearly $9 billion in suspicious transfers among FTX and its related entities. Silvergate’s stock eventually cratered, wiping out billions in market value for investors.” The repercussions of this deception were severe. Silvergate’s stock plummeted, erasing billions in market value and leaving investors in the lurch.

SEC’s Legal Action and Settlements

Adding to the gravity of the situation, Silvergate and its former CFO Antonio Martino were accused of misrepresenting the company’s financial condition during the liquidity crisis and bank run that followed FTX’s collapse. They reportedly understated losses from expected securities sales and falsely claimed that Silvergate remained well-capitalized as of December 31, 2022. By March 2023, Silvergate announced it would wind down its banking operations, leading to a further nosedive in its stock value, which plummeted to near zero. The SEC’s complaint, filed in the U.S. District Court for the Southern District of New York, charges Silvergate, Lane, and Fraher with negligence-based fraud and violations of reporting, internal accounting controls, and books-and-records provisions. In a bid to settle the charges, Silvergate has agreed to a $50 million civil penalty and a permanent injunction. Lane and Fraher have also agreed to settlements, including permanent injunctions, five-year officer-and-director bars, and civil penalties of $1 million and $250,000, respectively. These settlements, however, are still subject to court approval, and Silvergate's payment might be offset by penalties from other regulatory bodies. Martino faces charges for violating certain antifraud and books-and-records provisions and for aiding and abetting some of Silvergate’s violations. The SEC’s litigation against Martino is ongoing, reflecting the seriousness of the allegations and the need for thorough judicial scrutiny. The broader implications of this case are significant. It highlights a troubling trend where financial institutions involved with high-risk clients, such as those in the cryptocurrency sector, may prioritize short-term gains over regulatory compliance and transparency. The SEC’s stringent actions serve as a reminder that such behavior will not go unchecked. 
In parallel actions, the Board of Governors of the Federal Reserve System (FRB) and the California Department of Financial Protection and Innovation (DFPI) have also announced settled charges against Silvergate. The SEC’s investigation was thorough and collaborative, involving numerous staff members and assistance from the FRB and DFPI.

To Wrap Up

This case exemplifies the critical role of regulatory bodies in safeguarding investor interests and maintaining the integrity of financial markets. The Silvergate saga should serve as a wake-up call for all financial institutions. In an era where the boundaries of traditional banking are increasingly blurred by emerging technologies and high-risk sectors like cryptocurrency, the importance of enhanced compliance programs and transparency cannot be overstated. Investors and regulators alike must remain vigilant to ensure that the pursuit of innovation does not come at the expense of ethical standards and financial stability.

RansomHub Double Threat: Florida Health Dept. & NTT DATA Romania Targeted

RansomHub Claims Data Breach at NTT Data

The Florida Department of Health, the first accredited public health system in the United States, has reportedly fallen victim to a ransomware attack by the notorious RansomHub group. The attackers claim to have accessed a staggering 100 GB of organizational data and have threatened to publish the stolen information within the next three to four days. The implications of such a breach are potentially devastating, given the sensitive nature of the data held by the Florida Department of Health. The organization is responsible for a wide range of public health services, from disease prevention and health promotion to emergency preparedness and response. A data leak of this magnitude could expose personal health information, disrupt health services, and undermine public trust in the state's health system.

UNCONFIRMED: NTT DATA Romania Data Breach

Simultaneously, NTT DATA, a global leader in business and technology services, has also been targeted by RansomHub. The group claims to have accessed 230 GB of data from the Romanian division of NTT DATA, with plans to publish it within the same timeframe of three to four days. NTT DATA Romania is a critical player in the IT and business solutions sector, providing services that include consulting, system integration, and IT infrastructure management. A breach of this scale could have severe repercussions, affecting not only the company's operations but also the clients it serves across various industries.

[Image: RansomHub claim. Source: X]

The Cyber Express Outreach and Unverified Claims

The Cyber Express Team has reached out to both the Florida Department of Health and NTT DATA Romania to verify the claims made by RansomHub. As of the writing of this report, no official responses have been received from either organization, leaving the claims unverified. However, if these claims are proven to be true, the ramifications could be extensive. Data breaches of this nature can lead to significant financial losses, legal consequences, and reputational damage for the affected organizations. Moreover, the compromised data could be used for malicious purposes, further endangering individuals and businesses.

Historical Context of RansomHub's Activities

This latest attack is part of a series of high-profile cyberattacks attributed to RansomHub and other ransomware groups in recent months. In June 2024, RansomHub, along with RansomHouse, allegedly carried out three major cyberattacks in Italy within 24 hours. The targeted entities included the websites of Cloud Europe and Mangimi Fusco, with RansomHouse claiming responsibility for a cyberattack on Francesco Parisi. In May 2024, RansomHub claimed responsibility for a cyberattack on Christie’s auction house. This attack disrupted Christie’s website just days before its marquee spring sales and led to the leaking of data that allegedly included information about some of the world’s wealthiest art collectors. Despite the severity of the claims, Christie’s officials downplayed the breach, stating that no financial or transactional data had been compromised. Additionally, in the same month, RansomHub was implicated in a cybersecurity incident involving United Health. This incident was part of the ALPHV ransomware group’s final breach and exit scam, which involved a significant payment of $22 million. As the situation unfolds, it is crucial for the affected organizations, the Florida Department of Health and NTT DATA Romania, to respond promptly and transparently. For now, the claims by RansomHub remain unverified. The Cyber Express Team will continue to monitor the situation and provide updates as more information becomes available.

‘We Are Investigating This,’ Says Cognizant Amid IntelBroker’s Data Leak Claim

Cognizant Data Leak

IntelBroker, a threat actor (TA) who is a prominent member of the notorious BreachForums, has allegedly leaked a trove of data stolen from Cognizant Technology Solutions, a leading American multinational specializing in IT services and consulting. The alleged Cognizant data leak reportedly includes a document with 12 million lines from Cognizant’s internal website and user data from the company’s Oracle Insurance Policy Admin System (OIPA), a cloud-based DevOps solution.

Cognizant Data Leak: What All it May Contain

According to IntelBroker, the leaked user file comprises approximately 40,000 user records containing a wide array of sensitive data fields. These fields include policy number, role code, client name, company code, state code, role sequence number, arrangement number, arrangement status, start date, start year, end date, end year, draft day, modular amount, and next premium due date. The Cyber Express Team contacted Cognizant officials to verify these claims. "We are aware of the reports made by a cybercriminal organization, claiming it has targeted some of our services. We take this matter very seriously and we are investigating the validity and extent of this claim," a Cognizant spokesperson told The Cyber Express. Notably, the spokesperson neither denied the claim nor confirmed the Cognizant data leak reports. Should these claims be substantiated, the implications could be far-reaching, posing significant risks to both the affected individuals and Cognizant's reputation. The alleged Cognizant data breach highlights the ongoing and evolving threats that corporations face from sophisticated cybercriminals.

IntelBroker Previous Claims

IntelBroker is no stranger to high-profile cyber intrusions. The hacker has previously claimed responsibility for a massive data breach involving Advanced Micro Devices (AMD), a leading player in the semiconductor industry. This unverified breach, disclosed on BreachForums, included multiple data samples shared with the forum’s users, raising serious concerns about the security of AMD’s infrastructure. AMD officials have since stated that they are investigating the claims. IntelBroker's notoriety stems from a history of targeting diverse organizations, including critical infrastructure, major tech corporations, and government contractors. The hacker’s sophisticated approach to exploiting vulnerabilities has enabled access to sensitive information on multiple occasions. Previous claims include breaches at institutions like Apple, Lindex Group, and Acuity, a U.S. federal technology consulting firm.

Prior Cognizant Data Breaches

This incident is not the first time Cognizant has faced cyber threats. On September 1, 2023, Cognizant filed a notice of data breach with the Attorney General of Texas after discovering that an unauthorized party had accessed confidential consumer data stored on the company’s computer network. This Cognizant data breach followed a significant ransomware incident in April 2020, which Cognizant estimated would result in losses between $50 million and $70 million. In the April 2020 incident, Cognizant confirmed on April 18 that a security event involving its internal systems was causing service disruptions. The attack bore the signature of the Maze ransomware group, which had previously targeted multiple high-profile organizations. Cognizant provided affected customers with indicators of compromise (IOCs) and other technical information to aid in defensive measures. The potential leak by IntelBroker highlights the continuous and escalating cyber threats faced by multinational corporations. These incidents not only jeopardize the security of sensitive data but also have significant financial and operational impacts on the affected companies. The Cyber Express Team will continue to monitor the situation and provide updates as more information becomes available. In the meantime, we urge all organizations to review their cybersecurity protocols and ensure they are adequately prepared to respond to potential threats.

Patch Your Cisco Switches Now! Zero-Day Vulnerability Enables Remote Takeover

Cisco Zero-Day Vulnerability

Cisco has patched a critical zero-day vulnerability in its NX-OS software. The patched Cisco zero-day vulnerability was exploited in April attacks to install previously unknown malware as root on vulnerable switches. The cybersecurity firm Sygnia, which reported the incidents to Cisco, attributed the attacks to a Chinese state-sponsored threat actor it tracks as Velvet Ant. "The vulnerability was identified as part of a larger forensic investigation performed by Sygnia of a China-nexus cyber espionage operation that was conducted by a threat actor Sygnia dubs as ‘Velvet Ant’," reads Sygnia's official statement.

Cisco Zero-Day Vulnerability Overview

The patched Cisco zero-day vulnerability, identified as CVE-2024-20399, is a command injection flaw in the Cisco NX-OS Software Command Line Interface (CLI). This vulnerability affects a wide range of Cisco Nexus devices. On July 1, Cisco published an advisory detailing the nature and scope of the vulnerability, which allows attackers with valid administrator credentials to execute arbitrary commands on the underlying Linux operating system of the affected devices. "Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability," reads Cisco's official statement. Sygnia discovered this vulnerability during a forensic investigation of a China-nexus cyber espionage operation conducted by Velvet Ant. The investigation revealed that the threat actor had exploited the zero-day vulnerability to execute malicious code on the underlying OS of the Nexus switches. Velvet Ant's exploitation of CVE-2024-20399 enabled the execution of custom malware on compromised Cisco Nexus devices. This malware facilitated remote connections to the devices, allowing the attackers to upload additional files and execute further code. Network appliances, particularly switches, often go unmonitored, and their logs are rarely forwarded to a centralized logging system, making it challenging to detect and investigate such malicious activities. "This exploitation led to the execution of a previously unknown custom malware that allowed the threat group to remotely connect to compromised Cisco Nexus devices, upload additional files, and execute code on the devices," informed Sygnia.

Background on Cisco NX-OS

Cisco NX-OS Software is a network operating system used for Cisco’s Nexus series of switches. Although NX-OS is based on a Linux kernel, it abstracts the underlying Linux environment and provides its own set of commands via the NX-OS CLI. To execute commands on the underlying Linux OS from the switch management console, an attacker would need a "jailbreak" type of vulnerability to escape the NX-OS CLI context. The newly identified vulnerability allows attackers with administrator-level access to the switch management console to escape the NX-OS CLI and execute arbitrary commands on the underlying Linux OS.

Impact and Risk Assessment

Cisco Nexus switches are widely deployed in enterprise environments, particularly in data centers. Exploiting the identified vulnerability requires the threat group to possess valid administrator-level credentials and have network access to the Nexus switch. Given that most Nexus switches are not directly exposed to the internet, attackers must first achieve initial access to an organization’s internal network to exploit this vulnerability. This reduces the overall risk to organizations, but the incident highlights the importance of monitoring and protecting network appliances.

Mitigation Strategies

Cisco has released software updates to address the vulnerability described in the advisory. Updating affected devices is the primary mitigation strategy. However, when software updates are not immediately available, it is crucial to adopt security best practices to prevent unauthorized access and mitigate potential exploitation. These practices include:
  1. Restrict Administrative Access: Utilize Privileged Access Management (PAM) solutions or dedicated, hardened jump servers with multi-factor authentication (MFA) to restrict access to network equipment. If these options are not feasible, restrict access to specific network addresses.
  2. Centralize Authentication, Authorization, and Accounting Management (AAA): Use TACACS+ and systems like Cisco ISE to streamline and enhance security. Centralized user management simplifies monitoring, password rotation, and access reviews, and allows for quick remediation in case of a compromise.
  3. Enforce Strong Password Policies: Ensure that administrative users have complex, securely stored passwords. Use Privileged Identity Management (PIM) solutions to auto-rotate administrative account passwords or employ a password vault with restricted access.
  4. Restrict Outbound Internet Access: Implement strict firewall rules and access control lists (ACLs) to prevent switches from initiating outbound connections to the internet.
  5. Implement Regular Patch and Vulnerability Management: Regularly review and apply patches to all network devices. Use automated tools to identify and prioritize vulnerabilities.
"When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers," urges Cisco.

Monitoring and Detection

Enhancing visibility and forwarding logs to a central logging solution are crucial steps in identifying malicious activities on network devices. Organizations should:
  • Enable Syslog on all switches to send log data to a centralized server.
  • Integrate switch logs with a Security Information and Event Management (SIEM) system to correlate events and detect anomalies.
  • Configure alerts to identify suspicious activities, such as unauthorized SSH connections.
  • Regularly analyze network traffic for anomalies associated with Cisco switches, focusing on management ports like SSH and Telnet.
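As an added illustration of the monitoring list above and of the jump-host recommendation in the mitigation section (not code from the article, Cisco or Sygnia), the following Python runs three checks over switch login events forwarded to a central log store: the source is not an approved jump host, the login falls outside the change window, or a cleartext management protocol was used. The syslog format, jump-host range and change window are assumptions for this example, and the log lines are constructed; the regex must be adapted to the messages your devices actually emit.

```python
"""Flag risky management-plane logins in switch syslog forwarded to a SIEM.
Added example, not from the article, Cisco or Sygnia.  The message format
below is constructed for this illustration; real NX-OS login messages differ,
so LOGIN_RE must be adapted to the devices' actual output.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed policy in the spirit of the recommendations above: management
# sessions only from hardened jump hosts, only over SSH, only in the window.
JUMP_HOSTS = [ip_network("10.10.50.0/29")]   # constructed jump-host subnet
ALLOWED_PROTOCOLS = {"ssh"}
CHANGE_WINDOW_UTC = range(6, 20)            # 06:00 .. 19:59 UTC

LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) %(?P<facility>[A-Z]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+): "
    r"session opened for user (?P<user>\S+) from (?P<src>[\d.]+) via (?P<proto>\w+)$"
)


@dataclass
class Alert:
    line: int
    host: str
    user: str
    source: str
    reasons: list = field(default_factory=list)


def check_login(ts: datetime, src: str, proto: str) -> list:
    """Apply the three policy checks to one login event; empty list = clean."""
    reasons = []
    if not any(ip_address(src) in net for net in JUMP_HOSTS):
        reasons.append(f"source {src} is not an approved jump host")
    if ts.hour not in CHANGE_WINDOW_UTC:
        reasons.append(f"login at {ts:%H:%M} UTC is outside the change window")
    if proto.lower() not in ALLOWED_PROTOCOLS:
        reasons.append(f"cleartext or unapproved management protocol: {proto}")
    return reasons


def analyze(log_text: str) -> list:
    """Return one Alert per login line that violates at least one check."""
    alerts = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOGIN_RE.match(line)
        if not m:
            continue                          # not a login event; ignored here
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        reasons = check_login(ts, m["src"], m["proto"])
        if reasons:
            alerts.append(Alert(n, m["host"], m["user"], m["src"], reasons))
    return alerts


# Constructed sample log lines (not real device output).
SAMPLE_LOGS = """\
2024-07-02T09:15:22Z nexus-core-01 %AUTHPRIV-6-SYSTEM_MSG: session opened for user netadmin from 10.10.50.5 via ssh
2024-07-02T23:41:07Z nexus-core-01 %AUTHPRIV-6-SYSTEM_MSG: session opened for user netadmin from 10.20.7.33 via ssh
2024-07-03T03:02:49Z nexus-core-02 %AUTHPRIV-6-SYSTEM_MSG: session opened for user svc-backup from 10.10.50.6 via ssh
2024-07-03T10:30:00Z nexus-core-02 %AUTHPRIV-6-SYSTEM_MSG: session opened for user netadmin from 10.10.50.5 via telnet
2024-07-03T10:31:12Z nexus-core-02 %ETHPORT-5-IF_UP: Interface Ethernet1/1 is up
"""

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS):
        print(f"line {alert.line} {alert.host} user={alert.user} src={alert.source}:")
        for reason in alert.reasons:
            print("   -", reason)
```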
The exploitation of CVE-2024-20399 by Velvet Ant highlights the persistent and evolving threats posed by state-sponsored cyber actors. Cisco’s timely patching of the vulnerability and Sygnia’s detailed forensic investigation provide crucial insights into mitigating such threats.

‘We Refused to Pay,’ Evolve Bank Says as LockBit Leaks Data, Affirm Card Users Impacted

Evolve Bank Data Breach

Affirm Holdings, a prominent U.S. financial technology firm, announced that the personal information of Affirm card users may have been compromised due to a cybersecurity incident at Arkansas-based Evolve Bank and Trust. This Evolve Bank data breach, which occurred last week, involved the illegal release of customer data on the dark web. Evolve Bank, a third-party issuer of Affirm cards, revealed it was the target of a significant cybersecurity attack. Affirm has reassured its customers that its systems remain secure, and Affirm cardholders can continue to use their cards without interruption. However, the company has acknowledged that the breach involved shared personal information used to facilitate card issuance and servicing. In a statement, Affirm's spokesperson highlighted, "Affirm is aware of a cybersecurity incident involving Evolve, a third party vendor that serves as an issuing partner on the Affirm Card. We are actively investigating the issue. We will communicate directly with any impacted consumers as we learn more."

LockBit Blamed for Evolve Bank Data Breach

Evolve Bank disclosed that the incident was a ransomware attack perpetrated by the criminal organization LockBit. "This was a ransomware attack by the criminal organization, LockBit," reads Evolve Bank's official statement. The ransomware attack involved unauthorized access to the bank’s systems, resulting in the download and subsequent leak of sensitive customer information. According to Evolve Bank, the attackers gained access after an employee inadvertently clicked on a malicious internet link, and customer data was accessed during two periods, in February and May. "They appear to have gained access to our systems when an employee inadvertently clicked on a malicious internet link. There is no evidence that the criminals accessed any customer funds, but it appears they did access and download customer information from our databases and a file share during periods in February and May," said Evolve Bank. Further, the bank disclosed that the threat actor also encrypted some data within its environment. However, the bank had backups available and experienced limited data loss and impact on its operations. Evolve Bank also confirmed that it refused to pay the ransom demand, after which LockBit leaked the data it had downloaded. "The threat actor also encrypted some data within our environment. However, we have backups available and experienced limited data loss and impact on our operations. We refused to pay the ransom demanded by the threat actor. As a result, they leaked the data they downloaded. They also mistakenly attributed the source of the data to the Federal Reserve Bank," said Evolve Bank.

Incident Details and Evolve Bank’s Response

Evolve Bank provided a comprehensive update on the data breach. The bank identified unusual system behavior in late May 2024, initially suspected to be a hardware failure but later confirmed as unauthorized activity. Cybersecurity specialists were engaged, and Evolve promptly initiated its incident response protocols, successfully halting the attack by May 31, 2024. The attack did not compromise customer funds, but sensitive data was accessed and downloaded from the bank’s databases. "At this time, we have evidence that files were downloaded from our systems," the bank said. This included names, Social Security numbers, bank account numbers, and contact information of personal banking customers and partners, including Affirm card users. Additionally, personal information related to Evolve employees was likely impacted. "We have now learned that personal information relating to our employees was also likely impacted. We are still investigating what other personal information was affected, including information regarding our Business, Trust, and Mortgage customers," reads the official statement of Evolve Bank. Evolve Bank has undertaken several measures to enhance security and prevent future incidents:
  • Global password resets.
  • Reconstructing critical Identity Access Management components, including Active Directory.
  • Hardening of firewall and dynamic security appliances.
  • Deploying endpoint detection and response tools.
The bank is also strengthening its security response protocols, policies, and procedures to improve detection and response to suspected incidents.

Impact on Affirm Card Users and Future Actions

Affirm cardholders whose data may have been compromised will be directly notified. "The incident may have compromised some data and personal information Evolve had on record. If you do not have an Affirm Card, the incident does not impact you. If you do have an Affirm Card, we’re still investigating and we will have your back," said Affirm's official statement. Evolve Bank is offering affected individuals two years of free credit monitoring and identity theft protection. Notifications will begin via email on July 8, 2024, including details about a dedicated call center for assistance and enrollment in credit monitoring services. Evolve Bank urges all affected customers to remain vigilant by monitoring their account activity and credit reports. The bank provided resources for setting up fraud alerts with nationwide credit bureaus (Equifax, Experian, and TransUnion) and obtaining free credit reports. Customers suspecting identity theft or fraud are encouraged to file reports with the Federal Trade Commission (FTC) or local law enforcement. Evolve Bank stated, "We appreciate your patience and understanding as we navigate this challenging situation. Your trust is of utmost importance to us, and we are committed to transparency."

TeamViewer Reassures Users: Data Breach Contained, Customer Information Safe

TeamViewer Data Breach

TeamViewer, a provider of remote access software, has confirmed that a recent cyberattack has been successfully contained within its internal corporate IT environment. Crucially, the company has reassured its customers and stakeholders that the breach did not affect its product environment, the TeamViewer connectivity platform, or any customer data. This announcement comes as the investigation into the TeamViewer data breach progresses, providing clarity and reassurance to the millions of users who rely on its services.

TeamViewer Breach Overview and Immediate Response

The TeamViewer data breach was first detected on June 26, 2024, prompting an immediate response from TeamViewer’s security team. The company has attributed the breach to an advanced persistent threat group, tracked as APT29, also known as Midnight Blizzard or Cozy Bear. This group is renowned for its sophisticated cyberespionage capabilities and has a history of targeting high-profile entities, including Western diplomats and technology firms. In an initial statement posted on Thursday in the company’s Trust Center, TeamViewer explained that the breach was confined to its internal corporate IT environment. The company emphasized that this environment is distinct and separate from its product environment, where customer interactions occur. As such, there is no evidence to suggest that the product or customer data was compromised. "TeamViewer’s internal corporate IT environment is completely independent from the product environment. There is no evidence to suggest that the product environment or customer data is affected. Investigations are ongoing and our primary focus remains to ensure the integrity of our systems," reads the initial statement.

Details of the Data Compromise

According to TeamViewer, the threat actor leveraged a compromised employee account to gain access to the internal corporate IT environment. This access allowed the attacker to copy certain employee directory data, including names, corporate contact information, and encrypted employee passwords. Importantly, the compromised data was limited to internal corporate information, and no customer data was involved. The company has taken swift action to mitigate the risk associated with the encrypted passwords. "According to current findings, the threat actor leveraged a compromised employee account to copy employee directory data, i.e. names, corporate contact information, and encrypted employee passwords for our internal corporate IT environment. We have informed our employees and the relevant authorities. The risk associated with the encrypted passwords contained in the directory has been mitigated in collaboration with leading experts from our incident response partner Microsoft," reads the statement. In collaboration with leading experts from their incident response partner, Microsoft, TeamViewer has implemented enhanced authentication procedures and added further strong protection layers. These measures ensure that the authentication processes for employees are now at the maximum security level. "The risk associated with the encrypted passwords contained in the directory has been mitigated in collaboration with leading experts from our incident response partner Microsoft. We hardened authentication procedures for our employees to a maximum level and implemented further strong protection layers. Additionally, we have started to rebuild the internal corporate IT environment towards a fully trusted state," reads the TeamViewer statement.

The Role of NCC Group

The cybersecurity firm NCC Group played a significant role in highlighting the TeamViewer data breach. NCC Group was alerted to the compromise of TeamViewer’s remote access and support platform by APT29. Their involvement underscores the importance of third-party cybersecurity firms in detecting and responding to advanced threats. For TeamViewer’s customers, the key takeaway from this incident is that their data and the functionality of the TeamViewer connectivity platform remain secure. The company has reiterated that its overall system architecture follows best practices, with a clear segmentation between the corporate IT environment, the production environment, and the TeamViewer connectivity platform. This segmentation is a critical factor in ensuring that breaches in one area do not affect others.

Niconico Confirms Cyberattack: Here is How the Breach Impacts Users, Business Partners

Niconico

Niconico, the Japanese video-sharing website, and its parent company KADOKAWA Inc. have provided crucial updates regarding the significant cyberattack they experienced earlier in June 2024. The Niconico cyberattack, identified as a ransomware assault, has raised substantial concerns about data security and user privacy. Here’s a comprehensive look at the current situation after the cyberattack on Niconico, including the steps taken by the companies, the nature of the leaked information, and recommendations for users.

Niconico Cyberattack: Incident Overview

Niconico and KADOKAWA Inc. discovered the ransomware attack on their data center servers and immediately initiated a response plan. A specialized task force, along with external cybersecurity experts, was deployed to investigate the Niconico cyberattack and assess the extent of the data compromise. The attackers claimed to have exfiltrated sensitive information, a claim which has been substantiated by the initial findings of the investigation. (Image: Niconico cyberattack. Source: Niconico X account) The data breach affected various types of information held by Niconico and KADOKAWA Inc. Notably, the Niconico data breach included:
  1. Business Partner Information: This includes contracts, quotations, and other documents related to business dealings.
  2. Personal Information of Creators: Creators using music monetization services (NRC) were impacted, with their personal details being leaked.
  3. Employee Information: Personal data of all employees, including contract employees, temporary workers, part-time staff, and even some retired employees of Dwango Inc., were compromised.
  4. Internal Documents: Various internal documents, potentially containing sensitive operational details, were also accessed.

Password Security and Credit Card Information

Niconico has assured its users that account passwords are not stored in plaintext but as cryptographic hashes, produced by cryptographically secure hashing methods. This measure significantly reduces the risk of passwords being immediately misused if they are leaked. However, Niconico advises users to change their passwords, especially if they use the same password across multiple services. Importantly, Niconico has confirmed that no credit card information was compromised during the attack. The company does not store such data within its systems, thus eliminating the risk of credit card information leakage.

Immediate Actions and Recommendations

In light of the breach, Niconico and KADOKAWA Inc. have taken several critical steps:
  1. Task Force Deployment: A specialized team was formed to handle the situation, investigate the breach, and mitigate further risks.
  2. External Investigation: External cybersecurity agencies have been engaged to conduct a thorough investigation, the results of which are expected by the end of July 2024.
  3. Law Enforcement Collaboration: The companies have reported the incident to the police and relevant authorities and are cooperating fully with ongoing investigations.
  4. User Notifications: Individual notices and apologies are being sent to all affected parties, including external creators, business partners, and former employees. For those who cannot be contacted individually, the public announcement serves as a notification.

Precautionary Measures for Users

Given the potential for personal information misuse, Niconico and KADOKAWA Inc. urge users to be vigilant against phishing attempts and other suspicious activities. Users are advised to:
  1. Change Passwords: Update passwords for their Niconico accounts and any other services where the same password might be used.
  2. Monitor Communications: Be cautious of unsolicited emails, especially those requesting personal information or directing to unfamiliar websites.
  3. Report Suspicious Activity: Utilize the dedicated contact point set up by Niconico for inquiries and to report any suspicious activities or potential breaches related to this incident.
Both Niconico and KADOKAWA Inc. have expressed deep regret over the inconvenience and distress caused by this incident. Niconico and KADOKAWA Inc. sincerely apologized for the inconvenience and concern resulting from the cyberattack on Niconico, and expressed gratitude for the patience and understanding shown by all those affected during that challenging period.

Evolve Bank Confirms Data Breach, Customer Information Exposed

Evolve Bank Data Breach

Evolve Bank & Trust disclosed that it has been the target of a cybersecurity incident. In a statement, the bank confirmed that customers' personal information had been illegally obtained and released on the dark web by cybercriminals. This Evolve Bank data breach affected both retail bank customers and the customers of Evolve’s financial technology partners. The Evolve Bank data breach involved a known cybercriminal organization that illegally obtained and published sensitive information. The stolen data includes Personal Identification Information (PII) such as names, Social Security Numbers, dates of birth, account details, and other personal information. "Evolve is currently investigating a cybersecurity incident involving a known cybercriminal organization that appears to have illegally obtained and released on the dark web the data and personal information of some Evolve retail bank customers and financial technology partners’ customers (end users)," reads the official statement. Evolve Bank & Trust has confirmed that its debit cards, and online, and digital banking credentials have not been compromised in the incident and remain secure. "Evolve has engaged the appropriate law enforcement authorities to aid in our investigation and response efforts. Based on what our investigation has found and what we know at this time, we are confident this incident has been contained and there is no ongoing threat," reads the official statement.

Details of the Evolve Bank Data Breach

There were reports that the Russian hacker group LockBit was responsible for the ransomware attack and data breach at Evolve Bank. LockBit had claimed to possess Federal Reserve data and, when their demands were not met, released approximately 33 terabytes of data from Evolve's systems. The group had allegedly touted their cache of Federal Reserve data, which was used to pressure the bank into meeting their demands. In response to the reports surfacing about the Evolve data breach, Evolve Bank & Trust is actively informing affected individuals about the breach. The bank has started reaching out to impacted customers and financial technology partners' customers through emails sent from notifications@getevolved.com. The communication includes detailed instructions on how to enroll in complimentary credit monitoring and identity theft detection services.

Steps Taken by Evolve Bank & Trust

The bank is undertaking a comprehensive response to this incident, which includes:
  1. Engagement with Law Enforcement: Evolve has involved appropriate law enforcement authorities to aid in the investigation and response efforts.
  2. Customer Communication: Direct communication with affected customers and financial technology partners' customers is ongoing to ensure they are informed and can take necessary protective measures.
  3. Credit Monitoring Services: Impacted individuals are being offered complimentary credit monitoring and identity theft detection services.
  4. Continuous Monitoring: Evolve is closely monitoring the situation and will provide updates as necessary to keep customers informed.

Recommendations for Affected Customers

Evolve Bank & Trust advises all retail banking customers and financial technology partners' customers to remain vigilant by:
  1. Monitoring Account Activity: Regularly check bank accounts and report any suspicious activity immediately.
  2. Credit Report Checks: Set up free fraud alerts with nationwide credit bureaus—Equifax, Experian, and TransUnion. Customers can also request and review their free credit report through Freecreditreport.com.
  3. Reporting Suspicious Activity: Contact the bank immediately if any fraudulent or suspicious activity is detected. Additionally, individuals can file a report with the Federal Trade Commission (FTC) or law enforcement authorities if they suspect identity theft or fraud.
Recently, Evolve received an enforcement action from its primary regulator, the Federal Reserve Board, highlighting deficiencies in the bank's IT practices and requiring a plan and timetable to correct these issues. This breach highlights the importance of addressing these security concerns promptly. Evolve Bank & Trust is known for its partnerships with several high-profile fintech companies, including Mercury, Stripe, Affirm, Airwallex, Alloy, Bond (now part of FIS), Branch, Dave, EarnIn, and TabaPay. The bank has also worked with Wise and Rho in the past, though both have since migrated to other banking partners.

Don’t Fall for Fake Recovery: FBI Warns of Cryptocurrency Scam

cryptocurrency Scam

The Federal Bureau of Investigation (FBI) has warned the public about a new wave of cybercriminal activity targeting victims of cryptocurrency scams. These fraudsters are posing as lawyers and law firms, offering bogus cryptocurrency recovery services to steal funds and personal information from those already defrauded. This latest cryptocurrency investment scam alert is an update to a previous warning from the FBI's Internet Crime Complaint Center (IC3), which had highlighted a surge in scams involving fake services for recovering digital assets. The updated Public Service Announcement (PSA), titled "Increase in Companies Falsely Claiming an Ability to Recover Funds Lost in Cryptocurrency Investment Scams," was originally published on August 11, 2023. Moreover, in April 2024, the FBI warned of financial risks tied to using unregistered cryptocurrency transfer services, highlighting potential law enforcement actions against these platforms. The announcement focused on crypto transfer services operating without registration as Money Services Businesses (MSBs) and non-compliance with U.S. anti-money laundering laws. These platforms are often targeted by law enforcement, especially when used by criminals to launder illegally obtained funds, such as ransomware payments.

Cryptocurrency Scam: Emerging Criminal Tactic

The FBI's announcement aims to inform the public about a new criminal tactic designed to exploit cryptocurrency scam victims further. Using social media and other messaging platforms, fraudsters posing as lawyers from fictitious law firms are contacting scam victims and offering their services. These "lawyers" claim they have the authority to investigate fund recovery cases and often assert that they are working with, or have received information from, the FBI, Consumer Financial Protection Bureau (CFPB), or other government agencies to validate their legitimacy. In some instances, victims have reached out to these scammers through fake websites that appear legitimate, hoping to recover their lost funds. The scammers use various methods to further the recovery scam, including:
  • Verification Requests: They ask victims to verify their identities by providing personal identifying information or banking details.
  • Judgment Amount Requests: They request that victims provide a judgment amount they are seeking from the initial fraudster.
  • Upfront Fees: They demand a portion of the fees upfront, with the balance due upon recovery of the funds.
  • Additional Payments: They direct victims to make payments for back taxes and other fees purportedly necessary to recover their funds.
  • Credibility Building: They reference actual financial institutions and money exchanges to build credibility and further their schemes.
Between February 2023 and February 2024, cryptocurrency scam victims who were further exploited by these fictitious law firms reported losses totaling over $9.9 million, according to the FBI Internet Crime Complaint Center (IC3).

Tips to Protect Yourself

The FBI offers several tips to help individuals protect themselves from falling victim to these scams:
  • Be Wary of Advertisements: Be cautious of advertisements for cryptocurrency recovery services. Research the advertised company thoroughly and be suspicious if the company uses vague language, has a minimal online presence, and makes unrealistic promises about its ability to recover funds.
  • Do Not Release Information: If an unknown individual contacts you claiming to be able to recover stolen cryptocurrency, do not release any financial or personal identifying information, and do not send money.
  • No Fees from Law Enforcement: Remember that law enforcement does not charge victims a fee for investigating crimes. If someone claims an affiliation with the FBI, contact your local FBI field office to confirm their legitimacy.

Victim Reporting

The FBI urges victims to file a report with the Internet Crime Complaint Center. When filing a report, try to include the following information:
  • Contact Information: Details about how the individual initially contacted you and how they identified themselves, including name, phone number, address, email address, and username.
  • Financial Transaction Information: Details such as the date, type of payment, amount, account numbers involved (including cryptocurrency addresses), name and address of the receiving financial institution, and receiving cryptocurrency addresses.
The FBI's announcement highlights the importance of vigilance and caution when dealing with unsolicited offers of assistance, particularly in the highly targeted and vulnerable area of cryptocurrency investments. By staying informed and following the FBI's guidelines, individuals can better protect themselves from becoming victims of these crypto scams.

From Childhood Challenges to Cybersecurity Excellence: Yana Li’s Inspiring Journey

Yana Li

Yana Li, Director of IT & Platform Security at WebBeds, embodies resilience, determination, and a passion for cybersecurity that has propelled her from a challenging childhood to a leadership role in one of the most critical sectors of IT. Recently honored for her contributions at the World CyberCon Meta Edition, Yana's path to cybersecurity wasn't straightforward. In a candid interview with The Cyber Express (TCE), Yana reflects on her journey, the challenges she faced, and her unwavering commitment to empowering women in cybersecurity.

Early Challenges and Discovering Passion

Yana's childhood was marked by financial hardship and the absence of familial support. Emerging from a modest upbringing in Russia, she navigated childhood challenges with an independent spirit and unwavering resolve. "Opportunities are to be seized," Yana reflects, recalling how she secured a full scholarship for Computer Science and Engineering studies in the United States, setting the stage for her remarkable journey through the realms of IT and cybersecurity. Her career trajectory initially flourished in technical support and project management, roles that equipped her with a profound understanding of IT infrastructures. However, it was a pivotal security project that ignited Yana's passion for cybersecurity. "It's not merely a project," she realized; "it opens doors to a whole new world." This revelation spurred her to further her education, including a transformative semester at Harvard focused on cybersecurity, where she engaged with industry leaders and broadened her expertise significantly.

Yana Li Breaking Barriers in a Male-Dominated Field

Entering the IT field in 2013, particularly in Russia, Yana confronted a stark reality of gender disparity. The industry was predominantly male, and discouragement was a constant companion. "They tried to tell you that you don't have it," Yana recalls, referring to the discouragement she faced early in her career. Despite these obstacles, Yana persevered, buoyed by a growing network of supportive communities and initiatives aimed at empowering women in cybersecurity. "There's so much support now," she emphasizes, citing numerous organizations and communities dedicated to mentoring and guiding aspiring female professionals.

Championing Diversity and Mentorship

Reflecting on her journey, Yana is keenly aware of the importance of mentorship and advocacy. As an ambassador for Google's Women Techmakers initiative, she actively champions diversity and inclusivity in tech fields. "I want to be the person I needed when I was younger," she affirms, emphasizing the need for aspiring professionals to believe in their capabilities and seek out mentors who can offer guidance and support. Her message resonates deeply: "If your dreams don't scare you, they're not big enough." Yana emphasizes the importance of seeking mentorship, leveraging community resources, and believing in the limitless potential within oneself. In addressing the persistent gender gap in cybersecurity, Yana stresses the abundance of resources available today. From women-focused cybersecurity councils to mentorship programs offered by tech giants like Amazon, Google, and Microsoft, opportunities for growth and support abound. "Don't be shy," she encourages, urging women to leverage these resources and reach out for assistance when needed. "We've all been there," she reassures, highlighting the collective experience and solidarity within the community. "Just ask for help and believe that anything is possible."

Advice for Aspiring Women in Cybersecurity

Looking ahead, Yana remains optimistic about the future of cybersecurity and the role women will play in shaping its landscape. With increasing awareness and concerted efforts to foster diversity, she believes the field is ripe for innovation and transformation. "Anything in this world is possible," she asserts, a testament to her own journey and the limitless potential she sees in aspiring cybersecurity professionals. In conclusion, Yana Li's story is not just one of personal triumph but a testament to the transformative power of passion and perseverance in cybersecurity. As women continue to carve out their place in this critical field, Yana stands as a role model, advocating for inclusivity, empowerment, and excellence. Her journey reminds us that with dedication and support, barriers can be overcome, and dreams can be realized. For those embarking on similar paths, Yana's story offers guidance, encouragement, and a steadfast belief in the limitless possibilities within cybersecurity.

Millions of Americans Affected: Change Healthcare Reveals Data Stolen in Cyberattack

CHC Cyberattack

UnitedHealth has, for the first time, detailed the types of medical and patient data stolen in the extensive cyberattack on Change Healthcare (CHC). The company announced that CHC cyberattack notifications will be mailed in July to affected individuals. "CHC plans to mail written letters at the conclusion of data review to affected individuals for whom CHC has a sufficient address. Please note, we may not have sufficient addresses for all affected individuals. The mailing process is expected to begin in late July as CHC completes quality assurance procedures," reads the official statement by Change Healthcare. UnitedHealth issued a data breach notification, revealing that the ransomware attack exposed a "substantial quantity of data" for a "substantial proportion of people in America." During a congressional hearing, UnitedHealth CEO Andrew Witty estimated that "maybe a third" of all Americans' health data was compromised in the attack.

Stolen Data Information in CHC Cyberattack

The Change Healthcare data breach notification provided a comprehensive overview of the types of information that may have been affected. Although CHC cannot confirm exactly what data was compromised for each individual, the exposed information may include:
  1. Contact Information: Names, addresses, dates of birth, phone numbers, and email addresses.
  2. Health Insurance Information: Details about primary, secondary, or other health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers.
  3. Health Information: Medical record numbers, providers, diagnoses, medicines, test results, images, and details of care and treatment.
  4. Billing, Claims, and Payment Information: Claim numbers, account numbers, billing codes, payment card details, financial and banking information, payments made, and balances due.
  5. Other Personal Information: Social Security numbers, driver’s license or state ID numbers, and passport numbers.
This information may vary for each impacted individual. To date, CHC has not seen full medical histories appear in their data review. "The information that may have been involved will not be the same for every impacted individual. To date, we have not yet seen full medical histories appear in the data review. Also, some of this information may have related to guarantors who paid bills for health care services. A guarantor is the person who paid the bill for health care services," the official statement reads further.

Cyberattack on Change Healthcare: What Exactly Happened?

The Change Healthcare cyberattack occurred when a cybercriminal gained unauthorized access to the CHC computer system on February 21, 2024. Upon discovering the ransomware deployment, CHC immediately took steps to halt the activity, disconnected and shut down systems to prevent further impact, and initiated an investigation. Law enforcement was contacted, and CHC's security team, along with several top cybersecurity experts, worked tirelessly to address the breach and understand its scope. The investigation revealed that a significant amount of data was exfiltrated from CHC’s environment between February 17, 2024, and February 20, 2024. By March 7, 2024, CHC confirmed the data exfiltration and began analyzing the compromised files. On April 22, 2024, CHC publicly confirmed that the impacted data could affect a substantial proportion of the American population. As of June 20, 2024, CHC began notifying customers whose data was identified as compromised. "When CHC learned about the activity, CHC immediately began an investigation with support from leading cybersecurity experts and law enforcement. In response to this incident, CHC immediately took action to shut down systems and sever connectivity to prevent further impact," reads Change Healthcare's official release. "CHC has also reinforced its policies and practices and implemented additional safeguards in an effort to prevent similar incidents from occurring in the future. CHC, along with leading external industry experts, continues to monitor the internet and dark web."

What Steps Affected Individuals Can Take

While the investigation continues, individuals who suspect their information may have been compromised can take several steps to protect themselves:
  1. Enroll in Credit Monitoring and Identity Protection: CHC is offering two years of complimentary credit monitoring and identity protection services.
  2. Monitor Statements and Reports: Regularly check explanations of benefits from health plans, statements from healthcare providers, bank and credit card statements, credit reports, and tax returns for any unfamiliar activity.
  3. Report Unfamiliar Health Services: If any unauthorized healthcare services appear on an explanation of benefits statement, contact the health plan or doctor.
  4. Alert Financial Institutions: Immediately contact financial institutions or credit card companies if suspicious activity is detected on bank or credit card statements or tax returns.
  5. File a Police Report: Contact local law enforcement if you believe you are a victim of a crime.
Individuals may also have additional rights depending on their state of residence and should refer to the provided Reference Guide for more information. The ransomware attack on CHC has highlighted significant vulnerabilities in the handling of sensitive health and personal information. As the investigation progresses, affected individuals are urged to stay vigilant and utilize the resources provided to mitigate potential risks.

Allcargo’s ECU Worldwide Appoints Rajneesh Garg as the Chief Information Officer

Rajneesh Garg

ECU Worldwide, a global player in Less than Container Load (LCL) consolidation, has appointed Rajneesh Garg as its new Chief Information Officer (CIO). In his new role, Garg will focus on managing and supporting software applications, leading technology transformation initiatives, and ensuring their successful implementation and adoption. He will work closely with the IT group shared services organization and report to Kapil Mahajan, Global CIO of Allcargo Group, from the company's Mumbai headquarters. "I am excited to be a part of ECU Worldwide known for its vision of a digital-first approach to build unmatched customer centricity at a global scale,” said newly appointed CIO, Garg. He added further, “The role gives me an opportunity to leverage my know-how to drive the growth journey of the company led under the leadership of Founder and Chairman Mr. Shashi Kiran Shetty, which is based on sustainability, superior customer experience, and futuristic approach. I look forward to working with the Allcargo Group to contribute to ECU Worldwide's growth journey.”

Rajneesh Garg’s Extensive Background

Garg brings over 20 years of leadership experience across various sectors, including banking, insurance, travel, hospitality, manufacturing, energy resources, and retail. Before joining ECU Worldwide, he was Vice President of Information Technology at Capgemini, overseeing regional delivery and growth for consumer products and retail accounts in the Nordic region. Garg holds a postgraduate degree in computer science from Moscow State University in Russia and has also held senior leadership roles at Tata Consultancy Services for over two decades. "With his extensive and diversified leadership experience in various sectors, Rajneesh will be instrumental in driving our technology transformation forward. His strategic vision aligns with our efforts to fortify ECU Worldwide's IT division as we pursue our ambitious growth and expansion strategies. We are confident that under Garg's leadership, our IT division will continue to break new ground in offering superior customer experience. We look forward to working with him as we embark on the next phase of growth,” said Kapil Mahajan, Global Chief Information Officer, Allcargo Group.

Way Forward

Founded in 1987, ECU Worldwide is a wholly-owned global subsidiary of Allcargo Logistics. The company is a major player in multi-modal transport and a leader in LCL consolidation. ECU Worldwide operates with a digital-first approach and is supported by leaders with expertise in logistics, data science, and technology. The appointment of Garg as CIO is a significant step for ECU Worldwide. His extensive experience and strategic approach are expected to drive the company’s technology initiatives and support its growth in the global LCL market. Garg's collaboration with the Allcargo Group leadership aims to bring technological advancements and improvements to ECU Worldwide's services and operations.

Biden Bans Kaspersky for Good: How It Started and What It Means for Cybersecurity Companies in US

US banning Kaspersky

The Department of Commerce's Bureau of Industry and Security (BIS) has announced a Final Determination prohibiting Kaspersky Lab, Inc., the U.S. subsidiary of the Russian cybersecurity firm, from providing any products or services in the United States. The decision is the first Final Determination ever issued by BIS's Office of Information and Communications Technology and Services (OICTS). The prohibition also applies to Kaspersky Lab, Inc.’s affiliates, subsidiaries, and parent companies (together with Kaspersky Lab, Inc., “Kaspersky”). Under the determination, Kaspersky may not enter into new agreements to sell or license its software to U.S. persons after July 20, 2024, and must stop providing updates, including antivirus signature updates, to software already in use by September 29, 2024. That later cutoff is intended to give U.S. consumers and businesses time to switch to alternative cybersecurity solutions. The ban highlights rising concerns over national security risks linked to technology companies from adversarial states, reflects years of scrutiny of Kaspersky, and represents a significant escalation in U.S. efforts to safeguard its cyber infrastructure. “This action is the first of its kind and is the first Final Determination issued by BIS’s Office of Information and Communications Technology and Services (OICTS), whose mission is to investigate whether certain information and communications technology or services transactions in the United States pose an undue or unacceptable national security risk,” reads the official BIS announcement. Additionally, BIS has added three entities—AO Kaspersky Lab and OOO Kaspersky Group (Russia), and Kaspersky Labs Limited (United Kingdom)—to the Entity List for their cooperation with Russian military and intelligence authorities in support of the Russian Government’s cyber intelligence objectives. This article delves into the timeline and context of U.S. actions against Kaspersky, highlighting the shift from the Trump administration to the Biden administration.

US vs Kaspersky: A Timeline of Cybersecurity Actions

US banning Kaspersky

2017

September: The Trump administration’s heightened scrutiny of Kaspersky began. The Department of Homeland Security (DHS) issued Binding Operational Directive 17-01, which mandated the removal and discontinuation of Kaspersky products from all federal information systems. The directive followed mounting evidence suggesting that the Russian government could use Kaspersky’s products to infiltrate U.S. networks.

December: The National Defense Authorization Act (NDAA) for Fiscal Year 2018 cemented these concerns into law by prohibiting the use of Kaspersky software across all federal agencies. This legislative action reflected a bipartisan consensus on the potential risks posed by the Russian firm.

2022

March- The Federal Communications Commission (FCC) added Kaspersky to its “List of Communications Equipment and Services that Pose a Threat to National Security.” This action was part of a broader effort to secure the nation’s communications networks from foreign influence and control.

2024

June: The Final Determination announced by BIS on June 20, 2024, represents the culmination of an investigation by the Office of Information and Communications Technology and Services (OICTS). This office, established to assess whether certain information and communications technology (ICT) transactions pose unacceptable national security risks, found that Kaspersky’s operations in the U.S. pose an undue or unacceptable risk.

US Banning Kaspersky: The Context and Implications of BIS’s Final Determination

The BIS’s decision comes after a comprehensive investigation revealed that Kaspersky’s operations in the United States posed an undue or unacceptable national security risk. The key concerns highlighted include:
  1. Jurisdiction and Control by the Russian Government: Kaspersky is subject to Russian laws that require cooperation with intelligence agencies, including compliance with requests for information. This legal framework gives the Russian government potential access to data handled by Kaspersky’s software, which could compromise U.S. national security.
  2. Access to Sensitive Information: Kaspersky’s software has extensive administrative privileges over customer systems, creating opportunities for data exploitation.
  3. Potential for Malicious Activities: Kaspersky could theoretically introduce malware or withhold crucial security updates, compromising U.S. cybersecurity.
  4. Third-Party Integrations: Integrating Kaspersky products into third-party products and services further complicates the risk, because customers of those products may not be aware that Kaspersky code is present, leaving it in critical U.S. systems unnoticed.

Transition Period and Recommendations

Users will not face legal penalties for continuing to use Kaspersky products during the transition period that runs until September 29, 2024, but they assume all associated cybersecurity risks. This grace period is intended to minimize disruption and allow an orderly migration to alternative products. The Department of Commerce, along with DHS and DOJ, is actively working to inform and assist users in transitioning to alternative cybersecurity solutions. “The actions taken today are vital to our national security and will better protect the personal information and privacy of many Americans. We will continue to work with the Department of Commerce, state and local officials, and critical infrastructure operators to protect our nation’s most vital systems and assets,” said Secretary of Homeland Security Alejandro N. Mayorkas. runZero, meanwhile, released detection tools that identify Kaspersky products on most Windows installations; the tools also work with the company's free community edition.
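As an added illustration of the kind of check an administrator can run before the September 29 cutoff (this is example code written for this page, not runZero's tooling and not part of the BIS announcement), the PowerShell script below inventories a Windows host for Kaspersky components. It walks the standard per-machine and per-user Uninstall registry keys, the Windows service list, and the installed kernel drivers, matching anything whose display name, publisher or file path contains "Kaspersky". The registry locations and the substring match are assumptions about how the products register themselves; a product whose display strings differ would need the patterns extended.

```powershell
# Added example: local inventory of Kaspersky components on a Windows host.
# Not runZero's tool. The registry paths, the "*Kaspersky*" name matching and
# the output shape are this script's own assumptions.

function Get-KasperskyFootprint {
    [CmdletBinding()]
    param()

    # Per-machine (64-bit and 32-bit views) and per-user Uninstall keys.
    $uninstallPaths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    # Installed applications as seen by Add/Remove Programs.
    $apps = Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Kaspersky*' -or $_.Publisher -like '*Kaspersky*' } |
        ForEach-Object {
            [PSCustomObject]@{
                Kind = 'Application'
                Name = $_.DisplayName
                Info = $_.DisplayVersion
                Path = $_.UninstallString
            }
        }

    # Services: the AV engine and management agent run as Windows services,
    # so a service can remain even when the Uninstall entry has been removed.
    $services = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.DisplayName -like '*Kaspersky*' -or $_.PathName -like '*Kaspersky*' } |
        ForEach-Object {
            [PSCustomObject]@{
                Kind = 'Service'
                Name = $_.Name
                Info = "$($_.State)/$($_.StartMode)"
                Path = $_.PathName
            }
        }

    # Kernel drivers: endpoint security products load filter drivers, which
    # are the component a partial uninstall most often leaves behind.
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.DisplayName -like '*Kaspersky*' -or $_.PathName -like '*Kaspersky*' } |
        ForEach-Object {
            [PSCustomObject]@{
                Kind = 'Driver'
                Name = $_.Name
                Info = "$($_.State)/$($_.StartMode)"
                Path = $_.PathName
            }
        }

    @($apps) + @($services) + @($drivers)
}

# Run locally; the exit code lets a fleet job flag hosts that still need work.
$findings = Get-KasperskyFootprint
if ($findings) {
    $findings | Format-Table -AutoSize
    exit 1
} else {
    Write-Output "No Kaspersky components found on $env:COMPUTERNAME"
    exit 0
}
```

Saved as a .ps1 file, the script can be pushed to many hosts with `Invoke-Command -ComputerName <list> -FilePath <script>` and the non-zero exit codes collected. Two caveats: it only covers Windows, and it matches on names and paths, so a third-party product that embeds a Kaspersky engine under its own branding (the fourth concern in the list above) will not be caught by this check and needs to be traced through the vendor's bill of materials instead.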

Historical Background: From Trump to Biden

The determination against Kaspersky is part of a broader U.S. strategy to safeguard its information and communications technology infrastructure. The roots of this policy can be traced back to Executive Order 13873, “Securing the Information and Communications Technology and Services Supply Chain,” which empowers the Commerce Department to evaluate and act against risks posed by foreign ICTS transactions. The scrutiny of Kaspersky began during the Trump administration, amid growing concerns about Russia's cyber capabilities and potential espionage activities. The Trump-era directives and legislative actions laid the groundwork for stricter controls, reflecting a bipartisan consensus on the threat posed by foreign cyber interference. Under the Biden administration, the approach has evolved into a more comprehensive and coordinated effort. The establishment of the OICTS within BIS and the issuance of the Final Determination represent a significant escalation in the U.S. government's efforts to protect its digital infrastructure. The Biden administration's emphasis on a “whole-of-government” strategy underscores the importance it places on cybersecurity in national defense. Commerce Secretary Gina Raimondo framed the action as a clear message to adversaries: “Russia has shown time and again they have the capability and intent to exploit Russian companies, like Kaspersky Lab, to collect and weaponize sensitive U.S. information, and we will continue to use every tool at our disposal to safeguard U.S. national security and the American people. Today’s action, our first use of the Commerce Department’s ICTS authorities, demonstrates Commerce’s role in support of our national defense and shows our adversaries we will not hesitate to act when their technology poses a risk to the United States and its citizens,” said Raimondo.

The Future of U.S. Cybersecurity Policy

The inclusion of Kaspersky and related entities on the Entity List highlights the U.S. government’s proactive stance. This list, maintained under the Export Control Reform Act of 2018, identifies entities engaged in activities contrary to U.S. national security interests. Additions to this list involve rigorous interagency review, ensuring that actions are based on concrete, specific evidence of risk. “With today’s action, the American cyber ecosystem is safer and more secure than it was yesterday,” said Under Secretary for Industry and Security Alan Estevez. “We will not hesitate to protect U.S. individuals and businesses from Russia or other malign actors who seek to weaponize technology that is supposed to protect its users.” As the September deadline approaches, businesses and individuals alike must stay informed and take necessary steps to secure their digital environments. The U.S. government's decisive action against Kaspersky highlights the critical importance of vigilance and proactive measures in the ever-evolving landscape of cybersecurity.