
UK Teen Arrested for Alleged Role in Scattered Spider Gang that Targeted MGM Resorts


A 17-year-old from Walsall, England, has been apprehended in connection with the infamous Scattered Spider ransomware syndicate. The teen suspect was taken into custody on charges of blackmail and violation of the Computer Misuse Act.

The teen, whose identity remains undisclosed due to his age, allegedly played a key role in the Scattered Spider cybercrime group that wreaked havoc on numerous high-profile organizations worldwide, including MGM Resorts.

Officers from the West Midlands Regional Organized Crime Unit (ROCUWM), in tandem with the U.K.'s National Crime Agency and the FBI, executed a search warrant at the teen’s residence. Digital devices seized during the operation will undergo forensic analysis. While the suspect has been released on bail, the arrest marks a significant milestone in a global investigation targeting a cybercrime network responsible for extorting millions of dollars from victims worldwide.

Scattered Spider Investigation Spanned Continents

Detective Inspector Hinesh Mehta, who heads the ROCUWM Cyber Crime Unit, underscored the complexity of the investigation, which spanned continents. He warned potential cybercriminals that law enforcement possesses the capabilities to track them down, regardless of their location.

"These cyber groups have targeted well known organisations with ransomware and they have successfully targeted multiple victims around the world taking from them significant amounts of money. We want to send out a clear message that we will find you. It’s simply not worth it.” - DI Hinesh Mehta, Head of WM Cyber Resilience Centre

Echoing Mehta’s sentiments, Bryan Vorndran, Assistant Director of the FBI’s Cyber Division, praised the collaborative efforts between law enforcement agencies and private sector entities. “The FBI, in coordination with its partners, will continue to relentlessly pursue malicious actors who target American companies, no matter where they may be located or how sophisticated their techniques are,” Vorndran said.

Who is Scattered Spider and What was the MGM Resorts Attack?

Scattered Spider, a relatively new player on the ransomware scene, has rapidly ascended in notoriety. This loosely organized criminal collective is known for its audacious attacks on high-profile targets and has inflicted substantial financial losses on businesses worldwide.

Their modus operandi often involves a combination of social engineering, phishing, and exploiting vulnerabilities to infiltrate target networks. The group is suspected of collaborating with other cybercrime syndicates, including the notorious ALPHV ransomware gang, to enhance their capabilities.

The MGM Resorts attack, a high-profile incident attributed to Scattered Spider, caused significant disruption to the casino gaming giant’s operations. The hackers gained initial access through a social engineering attack, posing as a legitimate employee to bypass security measures. Once inside the network, they deployed ransomware, encrypting critical systems and demanding a hefty ransom. MGM Resorts, demonstrating resilience, opted not to pay the ransom and instead focused on restoring its systems with the assistance of law enforcement.

MGM Resorts expressed gratitude for the law enforcement’s efforts after the UK teen's arrest. “We’re proud to have assisted law enforcement in locating and arresting one of the alleged criminals responsible for the cyberattack against MGM Resorts and many others," MGM said.

“We know first-hand the damage these criminals can do and the importance of working with law enforcement to fight back. By voluntarily shutting down our systems, refusing to pay a ransom and working with law enforcement on their investigation and response, the message to criminals was clear: it’s not worth it," it added.

Microsoft, a technology giant often at the forefront of cybersecurity, applauded the arrest, viewing it as a deterrent to other cybercriminals. The company reiterated its dedication to combatting cyber threats through collaboration with both public and private sector partners.

The arrest of the 17-year-old marks a crucial step in dismantling Scattered Spider. However, the group’s decentralized structure and the involvement of potential international collaborators suggest the challenge of completely eradicating this threat is far from over.

CrowdStrike’s ‘BSOD’ Outage: ‘No evidence that this is a Cybersecurity Incident,’ Says Australian Government


With major banks, media companies, big tech firms and critical infrastructure including airports and airlines disrupted around the globe by a "Blue Screen of Death" (BSOD) error stemming from a little-known file named "csagent.sys" associated with CrowdStrike's Falcon Sensor, the Australian government said on Friday night that this was not a "cybersecurity incident" and that "there is no reason to panic." Australian Home Affairs and Cyber Security Minister Clare O'Neil said her government convened a National Coordination Mechanism meeting late Friday evening, which representatives of CrowdStrike, the cybersecurity company under scrutiny, also attended. After the meeting, O'Neil said, "We can confirm there is no evidence that this is a cyber-security incident." O'Neil explained that it is a technical issue caused by a CrowdStrike update that was shipped to its customers. "They have issued a fix for this, allowing affected companies and organizations to reboot their systems without the problem," she added.

"The company has informed us that most issues should be resolved through the fix they have provided, but given the size and nature of this incident it may take some time to resolve." - Clare O'Neil, Minister of Cyber Security

Australia's National Cyber Security Coordinator, Lieutenant General Michelle McGuinness, reiterated O'Neil's words and said, "There is no information to suggest it is a cyber security incident."

"I am aware of a large-scale technical outage affecting a number of companies and services across Australia this afternoon. Our current information is this outage relates to a technical issue with a third-party software platform [from CrowdStrike] employed by affected companies." - Michelle McGuinness, National Cyber Security Coordinator

The Blue Screen of Death Error Widespread But No Need to Panic

Since the early hours of Friday morning, several Australian entities across sectors reported outages. A screenshot shared by a platform X (formerly known as Twitter) user gave a gist of the number of entities that were impacted by the Blue Screen of Death or BSOD error.

[Image: Blue Screen of Death (BSOD). Source: Platform X user @RMXD]

Owing to the widespread impact and a general panic observed around the nation, Australian Prime Minister Anthony Albanese stepped in to address the issue at hand. He said, "I understand Australians are concerned about the outage that is unfolding globally and affecting a wide range of services. My Government is working closely with the National Cyber Security Coordinator." Albanese assured that, "There is no impact to critical infrastructure, government services or Triple-0 services at this stage." He added that the National Coordination Mechanism was activated and the response to the incident is currently an all-of-government approach.

After the conclusion of the National Coordination Mechanism meeting, Australian Deputy Secretary of the Home Affairs Ministry, Hamish Hansford, reassured the Australian people that "there is no reason to panic. CrowdStrike are on it. It is not a cybersecurity incident and we are working as fast as possible to resolve the situation."

Response from CrowdStrike

CrowdStrike said it is actively working with customers impacted by a defect found in a single content update for Windows hosts. "Mac and Linux hosts are not impacted. This is not a security incident or cyberattack," CrowdStrike said. CrowdStrike's engineers have identified, isolated and fixed the issue, according to the company's blog post. "We refer customers to the support portal for the latest updates and will continue to provide complete and continuous updates on our website. We further recommend organizations ensure they’re communicating with CrowdStrike representatives through official channels. Our team is fully mobilized to ensure the security and stability of CrowdStrike customers."

Proactive Cyber Defense: The Role of Dark Web Monitoring for CEOs in Banking


Dark web monitoring is essential for CEOs in the banking industry to combat the escalating threat of cybercrime.

In 2023, an estimated $3.1 trillion in illicit funds flowed through the global financial system. Of these, fraud scams and bank fraud schemes totaled $485.6 billion in projected losses globally, emphasizing the critical need for proactive cybersecurity measures. The dark web has become a breeding ground for cybercriminals targeting banks, making dark web monitoring an indispensable tool for protecting sensitive financial data.

Why the Banking and Finance Sector?

If there is one sector that has remained under the close watch of cyber crooks since the early days of Industry 4.0, it's the financial sector. The finance sector has been a prime target for fraud, cybercrime and the laundering of illicit funds. This alarming trend underscores the need for robust cybersecurity measures, particularly regarding the shadowy corners of the internet: the dark web.

The dark web refers to encrypted online spaces not indexed by search engines. This anonymity fosters criminal activity, with forums and marketplaces dedicated to selling stolen data, including login credentials, customer information, and intellectual property. Banks, brimming with valuable financial information, are a prime target for these cybercriminals.

The Dark Web Threat Landscape for Banks

Data breaches are a constant threat to banks. In 2022, Flagstar Bank in the U.S. notified 1.5 million customers of a data breach where hackers accessed their personal data, including Social Security numbers. Flagstar is a Michigan-based financial services provider and one of the largest banks in the United States, with total assets of over $30 billion.

In 2023, the U.S. bank faced another breach that stemmed from a MOVEit Transfer software vulnerability that was accessed using stolen contractor login credentials. This highlights the vulnerability of even well-established banking institutions.

Stolen banking data is a valuable commodity on the dark web. Cybercriminals can utilize this data for a range of nefarious purposes, including:

  • Account Takeover (ATO): Using stolen login credentials, criminals can hijack customer accounts and steal funds.
  • Identity Theft: Stolen personal information can be used to open fraudulent accounts or obtain credit cards.
  • Selling on Marketplaces: Criminals can sell stolen data in bulk to other cybercriminals for further exploitation.

The consequences of a data breach can be devastating for banks. Beyond the financial losses incurred from fraudulent transactions, banks face reputational damage, eroded customer trust, and potential regulatory fines.

How Dark Web Monitoring for CEOs in Banking Is Useful

Dark web monitoring is a proactive cybersecurity strategy that involves continuously scanning dark web forums, marketplaces, and other hidden corners of the internet for mentions of the bank's data. Here's how this can benefit CEOs and CISOs in the banking industry:

  • Proactive Defense: Early detection is crucial in mitigating the damage caused by a data breach. Dark web monitoring allows banks to identify potential leaks before they become full-blown crises.
  • Informed Decision-Making: Knowing what type of data is exposed empowers CEOs to prioritize security measures. This could involve tightening access controls, implementing stricter password policies, or focusing security awareness training on specific vulnerabilities.
  • Improved Customer Trust: Proactive data security measures demonstrate a commitment to safeguarding customer information, fostering trust and loyalty.

A study by IBM found that organizations that detected and contained a data breach within 30 days experienced an average cost of $3.8 million, compared to $4.35 million for those taking longer. This highlights the significant cost savings associated with early detection through dark web monitoring.

Third-Party Risk Management (TPRM) and Dark Web Monitoring

Banks rely heavily on third-party vendors for various services, from cloud computing to payment processing. These third parties may connect to bank networks and possess sensitive data, making them prime targets for cybercriminals. A successful attack on a third-party vendor can expose a bank's data as well. Integrating dark web monitoring into a comprehensive TPRM program strengthens a bank's overall cybersecurity posture. Here's how:

  • Vendor Due Diligence: During vendor selection, dark web monitoring can reveal potential red flags associated with a vendor's security practices. A history of data breaches or associations with suspicious online activity can be a cause for concern.
  • Ongoing Monitoring: Even after onboarding a vendor, continuous dark web monitoring can identify leaks or compromises within the vendor's systems that might indirectly expose the bank's data.
  • Contractual Obligations: Banks can leverage dark web monitoring capabilities as part of their vendor contracts, ensuring vendors maintain robust cybersecurity practices and promptly disclose any security incidents.

The Power of AI and Threat Intelligence in Dark Web Monitoring

The dark web is vast and complex, generating massive volumes of data. Manually analyzing this data is time-consuming and inefficient, if not impossible. This is where AI and threat intelligence come into play.

  • AI-Powered Analysis: Advanced AI algorithms can process vast amounts of dark web data, identifying patterns, anomalies, and potential threats with speed and accuracy far surpassing human capabilities.
  • Threat Intelligence Enrichment: Integrating threat intelligence feeds provides context to the detected threats. Understanding the tactics, techniques, and procedures (TTPs) of cybercriminals helps prioritize alerts and develop effective countermeasures.
  • Predictive Analytics: By analyzing historical threat data, AI can predict potential attack vectors, enabling proactive security measures.

Actionable Steps for Banking CEOs

Here are concrete steps CEOs in banking can take to leverage dark web monitoring:

  • Implement Dark Web Monitoring Services: Several reputable cybersecurity firms including Cyble offer dark web monitoring solutions tailored for the financial industry. These services typically involve continuous scanning, real-time alerts, and expert analysis of potential threats.
  • Employee Training: Educate employees on cybersecurity best practices, including strong password hygiene, phishing awareness, and the importance of reporting suspicious activity. Human error is a significant factor in data breaches, so a well-trained workforce is critical.
  • Develop a Data Breach Response Plan: Having a plan in place ensures a swift and coordinated response if a data breach occurs. This plan should outline communication protocols, customer notification procedures, and steps to contain the damage.
  • Invest in AI and Threat Intelligence: Incorporate AI-powered dark web monitoring solutions like Cyble's award-winning AI-Powered cyber threat intelligence platform and leverage threat intelligence feeds to enhance your organization's cybersecurity posture.

By combining dark web monitoring, third-party risk management, AI and threat intelligence, CEOs in the banking industry can significantly reduce the risk of data breaches, protect customer information, and maintain a strong reputation with customers.

12.9 Million Australians Impacted in MediSecure Data Breach


A cyberattack on MediSecure, a former Australian e-prescription delivery service, has resulted in a colossal data breach impacting nearly 13 million individuals. This staggering number makes the MediSecure data breach one of the largest healthcare data breaches in Australian history.

MediSecure disclosed on Thursday that a malicious actor breached its database and potentially exfiltrated 6.5 terabytes of data that contained 12.9 million records of Australians.

The findings are part of the investigation conducted with cyber and forensic experts from McGrathNicol Advisory in collaboration with the National Cyber Security Coordinator. The outside experts were engaged to confirm the extent of the data breach and all individuals impacted as early as possible.

According to the findings, the compromised data includes a treasure trove of highly sensitive personal and health information.

  • full name;
  • title;
  • date of birth;
  • gender;
  • email address;
  • address;
  • phone number;
  • individual healthcare identifier (IHI);
  • Medicare card number, including individual identifier, and expiry;
  • Pensioner Concession card number and expiry;
  • Commonwealth Seniors card number and expiry;
  • Healthcare Concession card number and expiry;
  • Department of Veterans’ Affairs (DVA) (Gold, White, Orange) card number and expiry;
  • prescription medication, including name of drug, strength, quantity and repeats; and
  • reason for prescription and instructions.

While MediSecure emphasizes that Medicare and other government-issued card numbers cannot be used solely for identity theft, the breach significantly increases the risk of phishing attacks and other online scams targeting the affected individuals.

Challenges in Identifying Victims and Questions of Financial Preparedness

While acknowledging the severity of the breach, MediSecure highlighted the difficulty in pinpointing every impacted individual. The company cites the sheer volume (6.5 terabytes) and complexity of the exposed data as hindrances. This lack of granular identification raises concerns about the timeliness of notifying victims and empowering them to take proactive security measures. MediSecure further explains that financial limitations prevented it from conducting a more in-depth analysis to identify specific victims, which raises questions about the company's preparedness for such large-scale cyber incidents and its commitment to user data security.

"The impacted server analyzed by McGrathNicol Advisory consisted of an extremely large volume of semi-structured and unstructured data stored across a variety of data sets. This made it not practicable to specifically identify all individuals and their information impacted by the Incident without incurring substantial cost that MediSecure was not in a financial position to meet." - MediSecure

The company also reveals that their request for financial assistance from the Commonwealth Government to aid in the response efforts was denied.

Addressing recent reports suggesting they requested government funding to cover operational costs unrelated to the cyberattack, the company clarified that the funding request was "limited and confined" to the specific costs associated with the cyberattack incident response.

This clarification comes amidst concerns regarding the financial viability of MediSecure after it filed for liquidation in June 2024.

Despite the funding denial, MediSecure maintains it has been working diligently with various government agencies, including the National Cyber Security Coordinator (ACSC), the Australian Federal Police (AFP), and the Australian Signals Directorate (ASD).

Dark Web Data Sale Claim Investigation Ongoing

According to MediSecure's statement, the company is also currently reviewing a data set recovered from a dark web forum to determine which individuals were affected by the breach. This process, however, appears to be taking longer than anticipated. The company is collaborating with the Commonwealth Government to notify all impacted individuals as soon as possible.

A week after the MediSecure data breach incident became public, a Russian hacking forum member claimed to have 6.5TB of data including personal information of thousands of Australians. The post on the forum read, “For sale: Database of an Australian medical prescriptions company MedSecure [sic].” The forum user detailed the leaked information available, which likely matches the data that MediSecure has now confirmed as compromised.

The Australian National Cyber Security Coordinator, however, warned people against hunting for any such leaked data sets. "No one should go looking for or access stolen sensitive or personal information from the dark web. This activity only feeds the business model of cyber criminals and can be a criminal offence," the Australian NCSC said.

MediSecure No Longer Part of National System, But Risk of Phishing and Scams Remains High

Both MediSecure and the Home Affairs Department said it's crucial to clarify that MediSecure is no longer involved in Australia's national prescription delivery service. This e-prescription service transitioned to eRx Script Exchange (eRx) in late 2023, and the new system remains unaffected by the current breach, the Home Affairs ministry said.

"The affected data relates to prescriptions distributed by MediSecure’s systems up until November 2023." - Australian Department of Home Affairs

However, while the specific individuals impacted remain unidentified, the exposed data significantly increases the risk of cyberattacks targeting them. Phishing scams, identity theft attempts, and other online fraud schemes are likely to exploit the stolen information, the Home Affairs department warned.

Recommendations for Impacted Australians and Lingering Concerns

  • Heightened Vigilance Advised: While the investigation unfolds, MediSecure advises potentially affected individuals to exercise heightened vigilance against phishing attempts, identity theft, and other cyber scams. Australians are encouraged to monitor their financial statements closely, be wary of unsolicited emails or calls, and use strong passwords across all online accounts. Additionally, the Australian Government's dedicated webpage provides resources and guidance on protecting personal information and online accounts.
  • Long-Term Impact and Importance of Robust Cybersecurity: This unprecedented data breach exposes critical vulnerabilities in data security practices and raises concerns about the long-term impact on affected individuals. The potential for misuse of sensitive health information is significant, and the lack of immediate identification hinders proactive measures. This incident serves as a stark reminder for organizations handling sensitive data to invest in robust cybersecurity measures and prioritize user privacy.

Gemini AI’s 6,000 Cybersecurity Prompts that Will Help Your Career in Cybersecurity


A new revolution in cybersecurity training is underway, driven by the fusion of artificial intelligence and the NIST NICE framework. Google Gemini AI now offers a comprehensive library of over 6,000 cybersecurity prompts, designed to enhance cybersecurity skills and knowledge.

The NIST NICE framework, developed by the U.S. National Institute of Standards and Technology, serves as the cornerstone of cybersecurity education. It maps specific tasks, knowledge, and skills (TKSs) required for various cybersecurity roles, helping individuals, employers, and training providers. The NICE framework helps in identifying career paths, defining job requirements and developing targeted curricula. Aligning one’s skillset with the NICE framework invests in career development and bolsters collective defense against cyber threats.

But the framework's vastness can be daunting. Here’s where AI steps in. Google Gemini AI's prompts are tailored to offer a dynamic, personalized learning experience, accelerating the journey to cybersecurity expertise.

Prompt Engineering: The Key to Unlocking LLM Potential

Large Language Models like Google Gemini and OpenAI's ChatGPT are powerful tools capable of understanding and generating human-like text. But how do we harness this power for cybersecurity learning? The answer lies in prompt engineering – the art of crafting the right questions and scenarios to guide the LLM's responses.

Well-crafted prompts tailored to the NICE Framework TKSs can:

  • Pinpoint Knowledge Gaps: Identify areas where you need to upskill by analyzing the TKSs for your target role.
  • Develop Specific Skills: Craft prompts that focus on specific TKSs, enabling deep dives into crucial cybersecurity skills.
  • Simulate Real-World Scenarios: Put yourself in the shoes of a security professional facing real-world challenges, applying TKSs in practical situations.
  • Create Personalized Learning Plans: LLMs can generate personalized learning paths based on your needs and goals, ensuring efficient progress.

There are several prompt types to consider:

  1. Conceptual prompts, which challenge understanding of fundamental concepts like encryption and risk management.
  2. Scenario-based prompts, which simulate real-world challenges, such as responding to data breaches.
  3. Knowledge-check prompts, which test understanding of specific TKSs.

Google Gemini AI's natural language processing capabilities make it well suited to crafting prompts aligned with the NICE Framework and help accelerate skill development.

The researchers behind this project created a comprehensive library of prompts by:

  1. TKS Identification: Extracting unique TKS statement IDs and descriptions from the NICE Framework.
  2. Prompt Generation with Gemini: Using Gemini within AI Studio to create three prompt types for each TKS: conceptual, scenario-based, and knowledge-check.
  3. Structured Organization: Utilizing AI Studio's table formatting to organize prompts with corresponding TKS IDs, descriptions, and outputs.

This streamlined process ensures each prompt precisely aligns with the corresponding NICE Framework competency.

The NICE framework aids in training security-specific LLMs, such as Google's SecLM. By aligning LLMs with specific TKSs, models proficient in cybersecurity tasks are created, enhancing threat detection, analysis and response.

AI-Powered Cybersecurity Toolkit

The meticulously crafted library of NIST NICE-aligned prompts is now freely available to the entire cybersecurity community.

Editor's Note: Clicking on the above link will directly download a ZIP file, which contains the cybersecurity prompts aligned with the NIST NICE framework in a spreadsheet format.

This treasure trove includes prompts for various TKSs, giving you a glimpse of what awaits. The format followed is:

  • TKS ID
  • TKS Description
  • Conceptual Prompt
  • Scenario-Based Prompt
  • Knowledge-Check Prompt

Elevate Your Expertise Taking these Actions

Here's how to effectively integrate these cybersecurity prompts into your daily routine:

  • Identify Your Goals: Define your learning objectives. Are you targeting a specific NICE category or certification exam? Choose relevant prompts to focus on.
  • Daily Integration: Dedicate time each day to engage with the prompts. Use them as warm-up exercises, knowledge checks, or creative sparks for brainstorming.
  • Experiment with Styles: The beauty of prompts lies in their versatility. Use them for solo study, group discussions, or even presentations.
  • Embrace the Interactive Nature: Ask follow-up questions, challenge the AI's responses, and delve deeper into the topics at hand.
  • Track Your Progress: Monitor your responses, insights, and questions as you work through the prompts. This helps measure progress and identify areas for improvement.

The release of the NIST NICE-aligned prompt library marks a significant step in empowering the cybersecurity community with AI. Future explorations will delve into advanced prompt engineering, real-world AI applications in cybersecurity, and innovative integration of AI into daily workflows.

Hackney Council Reprimanded for Catastrophic ‘Avoidable’ Data Breach


The Information Commissioner's Office (ICO) has issued a damning verdict on the London Borough of Hackney's (LBoH) cybersecurity practices following a 2020 ransomware attack that exposed the personal data of at least 280,000 residents. The privacy watchdog did not impose any fines, but the Hackney Council has been reprimanded for the catastrophic incident that was "avoidable."

The breach, attributed to the Pysa ransomware gang, highlights the devastating consequences of lax security protocols and underscores the importance of robust patch management and access controls.

The 2020 Hackney Council Ransomware Incident

The attack unfolded through a series of critical security lapses. A dormant account with a username and password – both set to "kiosk" – remained active for eight years, providing a backdoor for attackers. This vulnerability was compounded by a failure to apply a critical Microsoft security patch for a bug tracked as CVE-2020-0787 that had been readily available since March 2020. The attackers exploited this unpatched system to gain elevated privileges and access the council's network.

In October 2020, using the elevated privileges, the attacker accessed servers and devices within the LBoH network and encrypted its data. Encrypting the victim's data is the defining technique of ransomware attacks.

The attacker was able to encrypt LBoH's on-premises environment, which included 125 servers running Microsoft server operating systems and approximately 1,000 VDI desktop instances running Microsoft client operating systems. Overall, 440,000 files containing data on 280,000 Hackney residents and council staff were encrypted.

The breach wasn't limited to data encryption. The attacker also accessed the LBoH's backup and initiated a deletion process of the data. The deletion process was identified and stopped by the engineers responding to the attack but not before 10% of the data was lost.

The attackers also managed to exfiltrate a subset of the compromised data, further jeopardizing the privacy of 9,605 individuals. The ICO investigation revealed that this data included highly sensitive categories such as racial or ethnic origin, religious beliefs, sexual orientation, and health information.

While LBoH took steps to mitigate the damage and improve security posture post-breach, the ICO emphasized that these efforts came too late. Stephen Bonner, Deputy Commissioner of the ICO, stated, "This was a clear and avoidable error... This is entirely unacceptable and should not have happened."

"Whilst nefarious actors may always exist, the council failed to effectively implement sufficient measures that could have better protected their systems and data from cyber-attacks. Anyone responsible for protecting personal data should not make simple mistakes like having dormant accounts where the username and password are the same. Time and time again, we see breaches that would not have happened if such mistakes were avoided."

- Stephen Bonner, Deputy Commissioner of the ICO

Hackney Council Reprimanded, Not Fined; Why?

The ICO opted for a reprimand instead of a fine due to LBoH's remedial actions. Bonner said the council took swift and comprehensive action to mitigate the harm of the attack as soon as it became aware of the incident, engaged with the NCSC, the NCA and the Metropolitan Police, and has taken a number of remedial steps since the incident.

These steps included breach notifications to all residents, in-person notifications for those deemed at significant risk, and improved cybersecurity with a new "zero trust" model designed to provide resilience against future ransomware attacks. The council had also sought to replace its patch management system with a new state-of-the-art system to reduce vulnerabilities, but the ransomware attack took place before that replacement was in place.

"We commend the council's good governance structures, policies, improvement plans and training and development of staff, as well as acknowledging the impact that the Covid-19 pandemic has had on the resources of organisations like local authorities... the public sector approach has been applied and a reprimand has been issued instead for the established infringements of UK GDPR," the ICO said.

The incident serves as a reminder for local authorities and organizations handling sensitive data. Patch management, proper access control practices, and vigilant monitoring are fundamental to preventing such catastrophic breaches.
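One concrete check the ICO's remark about dormant accounts with username-equals-password points to, as an added example that is not Hackney Council's or the ICO's tooling: audit stored credential records for accounts whose password is their own username (or a trivial case variant of it) and flag accounts with no recent login. The record format, the PBKDF2 hashing, the 90-day dormancy threshold and the sample accounts are constructed assumptions for this example.

```python
"""
Added example (not the council's code): audit account records for two of the
failures named by the ICO, a password equal to the username and dormancy.

Constructed record format: each account stores a PBKDF2-SHA256 hash of its
password with a per-account salt, plus the date of its last login.
"""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

PBKDF2_ITERATIONS = 200_000          # assumed parameter of the constructed format
DORMANT_AFTER = timedelta(days=90)   # assumed policy threshold


@dataclass(frozen=True)
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    last_login: Optional[date]       # None means the account has never logged in


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_account(username: str, password: str, salt: bytes,
                 last_login: Optional[date]) -> Account:
    """Build a constructed record; used only to create the sample data below."""
    return Account(username, salt, hash_password(password, salt), last_login)


def password_equals_username(acct: Account) -> bool:
    """True if the stored hash matches the username, or a case variant of it,
    used as the password. Compares hashes, so the plaintext is never needed."""
    candidates = {acct.username, acct.username.lower(), acct.username.capitalize()}
    for candidate in candidates:
        if hmac.compare_digest(hash_password(candidate, acct.salt), acct.password_hash):
            return True
    return False


def is_dormant(acct: Account, today: date) -> bool:
    """An account that never logged in, or not within DORMANT_AFTER, is dormant."""
    return acct.last_login is None or today - acct.last_login > DORMANT_AFTER


def audit(accounts: List[Account], today: date) -> List[Tuple[str, List[str]]]:
    """Return (username, findings) for every account that breaks either rule.
    An account that is both weak and dormant is the case the ICO described."""
    results = []
    for acct in accounts:
        findings = []
        if password_equals_username(acct):
            findings.append("password equals username")
        if is_dormant(acct, today):
            findings.append("dormant")
        if findings:
            results.append((acct.username, findings))
    return results


# Constructed sample accounts (salts are fixed only to keep the example short).
SAMPLE_TODAY = date(2024, 7, 15)
SAMPLE_ACCOUNTS = [
    make_account("svc-backup", "svc-backup", b"\x01" * 16, date(2023, 11, 2)),   # weak and dormant
    make_account("jdoe", "Tr0ub4dor&3", b"\x02" * 16, date(2024, 7, 10)),        # clean
    make_account("Contractor7", "contractor7", b"\x03" * 16, date(2024, 7, 1)),  # weak, still active
    make_account("old-admin", "S3cure!Passw0rd", b"\x04" * 16, None),            # never used
]

if __name__ == "__main__":
    for user, findings in audit(SAMPLE_ACCOUNTS, SAMPLE_TODAY):
        print(f"{user}: {', '.join(findings)}")
```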

The ramifications of the Hackney breach extend beyond financial penalties. The potential for identity theft, discrimination, and reputational damage for affected individuals underscores the importance of prioritizing cybersecurity even at a local governance level. In light of the ransomware attack on local London hospitals last month that has led to the cancellation of more than 8,000 surgeries and appointments, this seems to be more important than ever.

EU and Ukraine Forge Stronger Cybersecurity Partnership in Face of Russian Aggression


With Ukraine embroiled in a brutal war and formally seeking EU membership, the recent EU-Ukraine Cyber Dialogue in Brussels signaled a critical shift – cybersecurity is no longer just a technical concern, it's a cornerstone of national security and geopolitical strategy.

The 3rd EU-Ukraine Cyber Dialogue that took place on Monday yielded a multi-pronged approach. Both parties reaffirmed their commitment to responsible state behavior in cyberspace, a crucial step in deterring future cyberattacks. Collaboration on cyber diplomacy in international forums will further amplify their voices and shape global norms.

Harmonizing EU and Ukraine Cybersecurity Frameworks, Information Sharing

Recognizing the evolving threat landscape, the EU and Ukraine will work together to harmonize their cybersecurity frameworks. Ukraine will align its legislation with the EU's Network and Information Security (NIS) 2 Directive, strengthening critical infrastructure and supply chain resilience. This harmonization, however, goes beyond technicalities. It fosters a unified approach to cyber defense, making it harder for attackers to exploit vulnerabilities across borders.

The dialogue wasn't merely theoretical. The EU and Ukraine agreed to enhance information sharing on cyber threats, risks, and crisis management. This improved situational awareness will aid in understanding the cyber landscape in real-time and be crucial in countering ongoing and future Russian cyberattacks.

The EU's commitment to Ukraine's cyber resilience is unwavering. The union has pledged continued support through initiatives like "CyberEast" and collaboration with member states through the Tallinn Mechanism, a platform for coordinating cyber defense efforts.

Image: Attendees of the 3rd EU-Ukraine Cyber Dialogue (Source: National Security and Defense Council of Ukraine)

Looking ahead, Ukraine may leverage the EU Cybersecurity Reserve, a pool of cybersecurity experts readily deployable in crisis situations. Additionally, the European Security and Defence College, EUAM Ukraine (European Union Advisory Mission), and EUMAM Ukraine (EU Military Assistance Mission) will provide targeted training for Ukrainian civilian and military personnel.

The existing working arrangement with ENISA, the EU's cybersecurity agency, and operational agreement with Europol will continue to facilitate close cooperation between relevant authorities. This structured collaboration ensures a swift and coordinated response to cyber threats.

U.S.-Ukraine Bilateral Cybersecurity Partnership

Last month, a similar extension of a cybersecurity partnership between Washington and Kyiv was announced. The 10-year bilateral security agreement provides a framework for continued U.S. support for Ukraine’s defense and deterrence capabilities, as well as for Ukraine’s economic recovery and reconstruction.

One of the key components of the Security Agreement signed by U.S. President Joe Biden and Ukrainian President Volodymyr Zelensky is cybersecurity and critical infrastructure protection. Biden committed to support Ukraine’s capacity to increase the cybersecurity and protection of its critical infrastructure and government information resources, including by strengthening its cyber defenses against malicious cyber activities by Russia and other hostile state and non-state actors.

"Both sides commit to work together to improve Ukraine’s ability to detect and remediate intrusions by malicious actors, including through technical assistance from the United States," the Security Agreement said. "The United States intends to assist Ukraine to improve the cyber resilience of its critical infrastructure, especially energy facilities, against aerial strikes, and to support the quick restoration of destroyed infrastructure, including by providing material and technical assistance."

Virginia Elections Department Dismisses Data Breach Claims


After multiple claims surfaced in the past few weeks that Virginia election candidates' data had been leaked, the Virginia Department of Elections has dismissed the allegations, saying the details were scraped from the department's official website. The Virginia Department of Elections is responsible for providing and overseeing open and secure elections for the citizens of the Commonwealth of Virginia. It is responsible for voter registration, absentee voting, ballot access for candidates, campaign finance disclosure and voting equipment certification, in coordination with about 133 local election offices.

Virginia Department of Elections Breach Claims

On June 29, a threat actor under the moniker IntelBroker claimed a breach of the Virginia Department of Elections, which resulted in the siphoning of 65,000 election candidate records. The compromised data allegedly included sensitive information such as timestamps, usernames, election data, candidate information, and voting method details.

Image: Virginia Department of Elections data breach claim on an underground hacker forum

"This breach was previously being sold on the forum, but as the data is still online, I decided to leak it to prevent new accounts scamming and gatekeeping this database," the threat actor said.

Prior to this, another threat actor on the same hacker forum under the moniker "pwns3c" claimed a breach of the Virginia Department of Elections, but said only 6,500 records were compromised. The hacker was selling the data set, which contained similar details to those advertised by IntelBroker, for just $30. "pwns3c" has also offered for sale access to a database purported to contain sensitive data and documents from a City of New York data breach.

On Monday, another threat actor known as "LoveBeauty" exposed detailed information about election candidates and results, raising concerns over the integrity of the state’s electoral data and processes. The data, easily understandable to anyone, consisted of a 16.6MB CSV file with 65,548 lines of detailed election-related information. This dataset includes candidate IDs, names, total votes received, party affiliations, write-in votes, locality codes, precinct details, district information, office titles, and specific election details. Covering local governmental roles and legislative positions from Virginia's 2023 November General and Special Elections, the data’s scope is extensive.

The allegedly leaked data includes unique identifiers and vote counts for candidates running for the House of Delegates, commissioners, senators, directors, and members of the board of supervisors. An independent media agency that claimed to have investigated the data’s legitimacy by cross-referencing a sample of the leaked information with actual candidates and parties from the 2023 elections confirmed the data's authenticity.

Data Likely Scraped: Virginia Department of Elections

However, a Virginia Department of Elections spokesperson told The Cyber Express that this is likely scraped data.

"No breaches or data compromises have been detected." - Virginia Department of Elections

"The Department of Elections (ELECT) is aware of the social media post from a user purporting to expose a data breach of Department of Elections data. The message posted on X, formerly known as Twitter, references data that is already publicly available on the Department of Elections’ website under Election Reports/Results," the spokesperson said.

Although election authorities dismissed the leak claims this time, the repercussions of such data breaches are potentially significant. Not only could they put the personal information of candidates at risk, but they could also undermine confidence in the electoral process. Public trust, already fragile in many places, could be further eroded by a significant breach. Election integrity is a cornerstone of democracy, and breach threats underscore the urgent need for enhanced cybersecurity measures to safeguard electoral processes.

The Virginia Department of Elections pledged vigilance around any potential threats to its election infrastructure. It continues to work with local, state and federal partners to ensure the safety and security of the electoral process. State officials are involved in the MS-ISAC pilot project. The Department of Homeland Security and the Virginia Information Technologies Agency continue to provide various cyber services to the department, and any identified issues will be addressed appropriately, the department said.

Kaspersky Exits U.S. Market After Commerce Department Ban


Kaspersky Lab, the embattled Russian cybersecurity firm, announced the closure of its U.S. operations this week, laying off its entire American workforce of fewer than 50 employees.

In a statement to The Cyber Express, Kaspersky said:

"Starting from July 20, 2024 Kaspersky will gradually wind down its U.S. operations and eliminate U.S.-based positions. The decision and process follows the Final Determination by the U.S. Department of Commerce, prohibiting the sales and distribution of Kaspersky products in the U.S."

The completion of its exit formalities, however, will still take time. "It's a long process that can take more than a year," Kaspersky said.

The antivirus provider has been operating in the U.S. for close to 20 years. But after last month's ban, the company "carefully examined and evaluated the impact of the U.S. legal requirements and made this sad and difficult decision as business opportunities in the country are no longer viable," Kaspersky told The Cyber Express.

According to Kaspersky, the move follows last month's U.S. Commerce Department ban on Kaspersky software sales and the U.S. Treasury Department's sanctioning of its top executives, both citing national security concerns.

The Treasury Department’s Office of Foreign Assets Control (OFAC) specifically targeted key individuals within Kaspersky Lab, including the chief operating officer, chief legal officer, chief of human resources, and chief business development and technology officers, among others.

The Department of Homeland Security (DHS) had previously banned Kaspersky from government systems in 2017, followed by a similar ban on its use within the U.S. military in 2018. However, the June 2024 Commerce Department ban effectively crippled Kaspersky's commercial business in the U.S.

The U.S. government has never provided concrete evidence that Kaspersky or the Russian government used its software for espionage. Kaspersky maintains its innocence, claiming the ban is based on "geopolitical climate and theoretical concerns" rather than a factual evaluation of their products.

Unanswered Questions and Potential Security Risks

Despite the lack of concrete evidence, the U.S. government expressed concern about Russia's potential to compel Kaspersky to cooperate with surveillance activities. Secretary of Commerce Gina Raimondo said last month, “Russia has shown time and again they have the capability and intent to exploit Russian companies, like Kaspersky Lab, to collect and weaponize sensitive U.S. information, and we will continue to use every tool at our disposal to safeguard U.S. national security and the American people."

Kaspersky software's deep access to system files, a necessity for antivirus functionality, raises potential security risks in the eyes of U.S. officials.

The recent ban prevents Kaspersky from not only selling new software but also providing security updates to existing users after September 29. This leaves millions of endpoints vulnerable as the software becomes increasingly ineffective against evolving threats.

Uncertain Future for Existing Users

While the U.S. government won't penalize those continuing to use Kaspersky software, they strongly advise switching to alternative solutions. Security professionals managing potentially vulnerable systems with Kaspersky software face a critical decision: replace Kaspersky entirely or find alternative mitigation strategies until a new solution can be implemented.

Fallout for Kaspersky

The U.S. ban is a significant blow to Kaspersky. While the U.S. sales only accounted for roughly 10% of their global revenue and only about 3% of antivirus users were running Kaspersky software in the country before the U.S. government banned sales in June, losing access to the U.S. market weakens their brand reputation and could potentially influence other countries to follow suit.

Kaspersky's future remains uncertain, particularly as it grapples with the closure of its U.S. operations and ongoing scrutiny from governments around the world. However, Kaspersky told The Cyber Express:

"Kaspersky's business remains resilient, and our key priority remains the same – to protect our customers in any country from cyberthreats. Being a global cybersecurity vendor, the company will continue investing in strategic markets and remain committed to serving its customers and partners and ensuring their protection."

"As a global company operating in more than 200 territories and countries, Kaspersky will be able to adapt its sales pipeline and maintain its global presence by focusing on the markets where it sees the most potential for its business development," the company told TCE.

Security professionals and network engineers should closely monitor this evolving situation and consider alternative antivirus solutions to ensure the security of their networks.

* Update July 15, 4:15 p.m.: Added Kaspersky's statement on how much time it will take for the company to completely exit the U.S.

Weekly Vulnerability Report: Cyble Urges Fixes in Rockwell Automation, Microsoft and Rejetto


Cyble Research & Intelligence Labs (CRIL) analyzed 21 vulnerabilities in its weekly vulnerability report for the second week of July, including high-severity flaws in products from Rockwell Automation, Microsoft and Johnson Controls. The report also emphasized critical-severity vulnerabilities in Gogs, Rejetto and the Open Source Geospatial Foundation, which pose a significant threat.

A recent study led by Microsoft found that more than 80% of successful cyberattacks could have easily been prevented through timely patches and software updates. And with an estimate that the average computer needs about 76 patches per year from 22 different vendors, The Cyber Express each week partners with Cyble’s highly efficient dark web and threat intelligence to highlight critical security vulnerabilities that warrant urgent attention.

The Week’s Top Vulnerabilities

These are the three most critical vulnerabilities Cyble researchers focused on this week:

CVE-2024-39930: Gogs

Impact Analysis: A critical vulnerability in the built-in SSH server of Gogs versions through 0.13.0 that allows argument injection in internal/ssh/ssh.go, leading to remote code execution. Successful exploitation could lead to unauthorized access, data breaches, and complete compromise of the Gogs server, potentially allowing attackers to run arbitrary commands, access or modify sensitive data, install malware, or use the server as a pivot point for further attacks on the network.

Internet Exposure? Yes
Patch? Yes

CVE-2023-2071: Rockwell Automation

Impact Analysis: This is a critical vulnerability in Rockwell Automation's FactoryTalk View Machine Edition on PanelView Plus that allows an unauthenticated attacker to achieve remote code execution. Successful exploitation could lead to complete system compromise, allowing attackers to gain unauthorized access, steal sensitive data, or use the compromised system as a foothold for further attacks on the network.

Internet Exposure? NA
Patch? Yes

CVE-2023-29464: Rockwell Automation

Impact Analysis: This is a vulnerability in Rockwell Automation's FactoryTalk Linx that allows an unauthorized attacker to achieve a denial-of-service (DoS) condition. The vulnerability stems from improper input validation, where the FactoryTalk Linx software fails to handle certain malformed packets properly. Exploitation of the vulnerability may lead to a DoS that could disrupt critical industrial control systems and processes that rely on FactoryTalk Linx for communication, potentially leading to operational downtime, production delays, and safety risks.

Internet Exposure? NA
Patch? Yes

CISA Adds 3 Vulnerabilities to KEV Catalog

Three of the vulnerabilities in the Cyble report were added to CISA’s Known Exploited Vulnerabilities (KEV) catalog:
  • CVE-2024-23692, Rejetto HTTP File Server vulnerability with a 9.8 CVSSv3 criticality score
  • CVE-2024-38080, a Microsoft Windows Hyper-V Elevation of Privilege vulnerability with a 7.8 criticality rating that gives an attacker SYSTEM privileges
  • CVE-2024-38112, a Windows MSHTML Platform Spoofing vulnerability with a 7.8 criticality rating
The researchers observed multiple threat actors, including notable groups like LemonDuck, actively exploiting the CVE-2024-23692 vulnerability to gain initial access to the infected system and deploy various malware.

The full report, available to CRIL subscribers, covers all these vulnerabilities and more, including five advisories covering eight vulnerabilities specific to Industrial Control Systems (ICS) assets, affecting the likes of Johnson Controls, Mitsubishi Electric and Delta Electronics.

EU’s Breton vs. X’s Musk: The Duo Spar after the Latter’s Platform was Found in Breach of the Digital Services Act


The European Commission's Thierry Breton and platform X (formerly known as Twitter) owner Elon Musk were seen sparring with each other - ironically - on the latter's platform after the commission found X in violation of the Digital Services Act. The war of words began when Breton tweeted in support of the commission's preliminary findings into X's non-compliance linked to dark patterns, advertising transparency and data access for researchers.

Breton said: "Back in the day, Blue Checks used to mean trustworthy sources of information. Now with X, our preliminary view is that they deceive users and infringe DSA. We also consider that X’s ads repository and conditions for data access by researchers are not in line with the DSA transparency requirements." Breton said that Musk and X now have the right to defense but warned that "if our view is confirmed we will impose fines and require significant changes."

Initially, Musk cheekily responded to the tweet saying "How we know you’re real?", possibly referring to the blue tick against Breton's name. However, a couple of hours later the social media platform owner blew the battle bugle by saying, "The European Commission offered 𝕏 an illegal secret deal: if we quietly censored speech without telling anyone, they would not fine us. The other platforms accepted that deal. 𝕏 did not." He then added: "We look forward to a very public battle in court, so that the people of Europe can know the truth."

Image (Source: X)

Breton responded by asking Musk to be his guest. "There has never been — and will never be — any “secret deal”. With anyone," Breton said. "The DSA provides X (and any large platform) with the possibility to offer commitments to settle a case. To be extra clear: it’s *YOUR* team who asked the Commission to explain the process for settlement and to clarify our concerns. We did it in line with established regulatory procedures. Up to you to decide whether to offer commitments or not. That is how rule of law procedures work."

The sparring seems to have stopped for the time being, but it will be interesting to see whether it continues or, as Breton put it: "See you (in court or not)."

Breton Says X in Violation with Dark Patterns, Ad Transparency and Researcher Data Access

The European Commission (EC) flexed its regulatory muscle today, sending a shot across the bow of social media giant X with preliminary findings of non-compliance with the Digital Services Act (DSA).

The DSA, a landmark piece of legislation enacted in November 2022, aims to create a safer and fairer online environment by holding large platforms accountable for content moderation and advertising practices.

The EC's investigation focused on three key areas:

  • Deceptive "Verified Accounts": The Commission alleges X employs misleading tactics with its "verified account" system, which awards a blue checkmark. They argue the current system, where users can potentially subscribe for verification, undermines users' ability to discern genuine accounts and the legitimacy of information. The EC points to instances of malicious actors exploiting this system to deceive users.

  • Opaque Advertising Practices: X is also accused of failing to provide a transparent and accessible advertising repository. According to the EC, the current system uses design elements and access barriers that hinder users and researchers from effectively scrutinizing online advertising practices. This lack of transparency hampers efforts to identify and mitigate emerging risks associated with online advertising.

  • Limited Researcher Data Access: The EC further found X's current approach to public data access for researchers falls short of DSA requirements. Specifically, X reportedly prohibits researchers from independently accessing public data through techniques like scraping, a practice explicitly permitted by the DSA's terms. The API access process for researchers is also criticized for being cumbersome and potentially dissuasive, with some researchers facing exorbitant fees.

These preliminary findings initiate a formal process where X can respond to the EC's concerns. They have the right to examine the investigation file and submit a written defense. The European Board for Digital Services will also be consulted.

If the EC's preliminary findings are upheld, X could face significant consequences. Potential sanctions include fines up to 6% of its global annual turnover and mandated corrective actions to address the identified violations. The EC may also impose enhanced supervision or even periodic penalty payments to ensure compliance.

"Today we issue for the first time preliminary findings under the Digital Services Act. In our view, X does not comply with the DSA in key transparency areas, by using dark patterns and thus misleading users, by failing to provide an adequate ad repository, and by blocking access to data for researchers. The DSA has transparency at its very core, and we are determined to ensure that all platforms, including X, comply with EU legislation." - Margrethe Vestager, Executive Vice-President for a Europe Fit for the Digital Age

This move by the EC signals a strong commitment to enforcing the DSA and holding Very Large Online Platforms (VLOPs) accountable. The investigation against X follows similar actions initiated against TikTok, AliExpress, and Meta earlier this year. Security professionals and researchers closely following the evolution of the online landscape will be keenly interested in the outcome of this case and its potential impact on the broader VLOP landscape.

Massive AT&T Data Breach: Call and Text Records of ‘Nearly All’ Customers Compromised


AT&T disclosed a massive data breach today that impacts "nearly all" its customers' call and text records. The hackers gained unauthorized access to a third-party cloud platform containing this data, which an AT&T spokesperson confirmed to The Cyber Express was Snowflake.

The incident, discovered in April, impacts a vast swathe of AT&T's mobile and landline customers, raising concerns about potential identity theft and targeted attacks. However, a spokesperson for AT&T told The Cyber Express:

"This was aggregated metadata, not the content of calls or texts, nor was it social security numbers or credit card information. This incident took place outside of our network. Our systems were not breached."

According to AT&T, the compromised data spans May 1 to October 31, 2022, for most customers, with a limited number affected from January 2nd, 2023. While the data doesn't include call and text content, Social Security numbers, or other personally identifiable information (PII), it does contain phone numbers and, for some records, cellular site location details.

"Based on our investigation, the compromised data includes files containing AT&T records of calls and texts of nearly all of AT&T's cellular customers, customers of mobile virtual network operators (MVNOs) using AT&T's wireless network, as well as AT&T's landline customers who interacted with those cellular numbers."

The phone numbers, coupled with publicly available online tools, can be used to identify individuals, AT&T warned. Though the telecom giant assures the data isn't publicly available currently, the potential for future exposure remains a significant risk.

AT&T Data Breach Tied to Larger Snowflake Breach

Details regarding the attackers or their motivations are not yet clear. However, an AT&T spokesperson told TCE that the entry point for the breach was the cloud platform Snowflake.

Snowflake is currently at the center of what is probably the biggest and most high-profile series of breaches, including Ticketmaster, Santander, Advance Auto Parts, Pure Storage, and Neiman Marcus, among others.

In June, cybersecurity company Mandiant said it had found the credentials of 165 Snowflake customers exposed by infostealer malware since 2020. Infostealers typically harvest credentials from infected machines, including usernames and passwords but also authentication tokens and cookies. Many of these credentials are then put up for sale on dark web forums for anywhere from a few tens to thousands of dollars.

Snowflake did not immediately respond to a request for comment, but in May the company’s CISO Brad Jones had said, “We have not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration, or breach of Snowflake’s platform,” attributing the breaches to poor credential hygiene in customer accounts instead.

Since then, Snowflake has taken several measures to refine its security posture, including the establishment of a Trust Center and enabling Snowflake admins to make multifactor authentication (MFA) mandatory.

One Arrested in Relation to the AT&T Data Breach

The telecom giant has enlisted cybersecurity experts to investigate the intrusion and partnered with law enforcement, the company confirmed in an 8-K filing with the U.S. Securities and Exchange Commission.

"AT&T is working with law enforcement in its efforts to arrest those involved in the incident. Based on information available to AT&T, it understands that at least one person has been apprehended."

AT&T plans to notify impacted customers and offer resources to safeguard their information. This incident underscores the critical need for robust cloud security measures and highlights the expanding threat landscape for the telecommunication industry.

The lack of call content or PII might be a saving grace, but the potential for identity theft and targeted attacks using phone numbers persists. Security professionals will be keenly interested in learning more about the attack methodology and the specific cloud platform vulnerability exploited.

U.S. Counties Reeling Through the Aftermath of Ransomware Attacks


Several counties in the United States are facing the wrath of ransomware, with one confirming that hundreds of thousands of people were impacted in a late 2023 attack and another declaring an attack from earlier this week a “local disaster.” Last year, 95 ransomware attacks on local governments were reported, according to Emsisoft. There have already been more than 50 reported attacks on cities and counties this year, the most prominent being Washington, Miami, Fulton, Kershaw, Hidalgo, Gallup-McKinley, and Los Angeles.

Dallas County October Ransomware Attack Exposed Data of 200,000 People

In October 2023, the Play ransomware gang claimed to have stolen data during an attack on Dallas County systems. The county publicly acknowledged the incident and assured the public that it had successfully contained the damage. “Due to our containment measures, Dallas County interrupted data exfiltration from its environment and effectively prevented any encryption of its files or systems,” the county said at the time. However, it also said that it was in the process of assessing the nature of the exposed information when Play published it.

As the review process was extensive, Dallas County provided details of the actual impact only on Wednesday, in a filing with the Maine Attorney General, and sent data breach notices to 201,404 impacted individuals. The types of data confirmed to have been exposed could include full name, Social Security number (SSN), date of birth, driver's license, state identification number, taxpayer identification number, medical information, and health insurance information.

There are several reasons why Dallas County might hold such sensitive information. It said, “You could be a resident, an employee, or you might have received services from or interacted with one of our agencies (e.g., Department of Health and Human Services). Additionally, the County participates in data sharing agreements with other organizations to enhance the services we offer to our residents and the public.”

Ransomware Attack Forced Indiana County to File a Local Disaster Declaration

Clay County, Indiana, a rural community of roughly 25,000 residents, declared a local disaster Thursday after a ransomware attack crippled critical government services.

The attack, discovered early Tuesday morning, rendered county data inaccessible and severed electronic connections with state partners, hindering essential operations at the Clay County Courthouse, Community Corrections, and Clay County Probation.

"We cannot access our data or electronically connect with some of the state partners we work with for many of our tasks," Clay County commissioners revealed in a local press conference.

County officials immediately contacted local and federal law enforcement to investigate the incident. The Clay County Courthouse and Health Department remained shuttered throughout Tuesday and Wednesday.

While the 911 system remained operational, non-emergency lines experienced temporary disruptions that have since been rectified. As of Thursday afternoon, the Clay County website is also unavailable.

This incident comes on the heels of a similar attack on neighboring Monroe County, Indiana. Earlier this week, Monroe County commissioners confirmed that the BlackSuit ransomware gang targeted their systems, potentially compromising personal information of its 140,000 residents.

Image: Monroe County (Source: Monroe County Board of Commissioners)

BlackSuit is a rebranded version of the Royal ransomware group also responsible for a crippling attack on the Dallas city government last year. The group recently targeted Cedar Falls, Iowa. However, city officials there were able to thwart the attack before significant damage occurred.

Cedar Falls officials reported the incident to the FBI and assured residents that city services remained unaffected. BlackSuit claimed to have stolen employee data and county business information during the attack.

This recent string of attacks underscores the growing threat posed by ransomware gangs, particularly to smaller municipalities with potentially less robust cybersecurity defenses.

The Clay County and Monroe County incidents highlight the critical need for local governments to prioritize cybersecurity preparedness and invest in robust incident response plans to minimize disruption and safeguard sensitive data.

Patch Now! Critical Flaw Found in Palo Alto Networks Expedition Migration Tool

Expedition Migration Tool, Palo Alto Networks, Palo Alto, critical vulnerability

Palo Alto Networks has issued security updates to address vulnerabilities impacting its products, including a critical vulnerability in its Expedition migration tool that could grant attackers complete administrator control.

This critical vulnerability, designated CVE-2024-5910, boasts a CVSS score of 9.3 and stems from a lack of authentication within the Expedition migration tool. This missing safeguard could allow malicious actors with network access to Expedition to seize administrative accounts.

All Expedition Versions Before 1.2.92 At Risk

The ramifications of a compromised Expedition migration tool admin account are significant. According to the Palo Alto Networks advisory, "configuration secrets, credentials, and other data imported into Expedition is at risk" and would be exposed to attackers who exploit this flaw.

The vulnerability affects all versions of Expedition prior to 1.2.92, which incorporates a fix. Thankfully, there's no evidence of this vulnerability being actively exploited. However, Palo Alto Networks strongly recommends updating Expedition to the latest version to mitigate potential threats.

As a temporary workaround, Palo Alto Networks advises restricting network access to Expedition solely to authorized users, devices and networks.

Palo Alto Firewalls Face Blast-RADIUS

In addition to the Expedition migration tool flaw, Palo Alto Networks also addressed a recently discovered vulnerability in the RADIUS protocol, dubbed Blast-RADIUS. This vulnerability, tracked as CVE-2024-3596, could enable attackers to bypass authentication procedures on Palo Alto Networks firewalls leveraging RADIUS servers.

Technically, Blast-RADIUS requires an attacker positioned between a Palo Alto Networks PAN-OS firewall and its RADIUS server, a so-called "man-in-the-middle" attack. From that position the attacker can potentially "escalate privileges to 'superuser' when RADIUS authentication is in use and either CHAP or PAP is selected in the RADIUS server profile," as outlined in the Palo Alto Networks advisory.

For those unfamiliar, CHAP (Challenge-Handshake Authentication Protocol) and PAP (Password Authentication Protocol) are two authentication protocols that, according to the advisory, "should not be used unless they are encapsulated by an encrypted tunnel," because neither provides Transport Layer Security (TLS) encryption of its own. Luckily, PAN-OS firewalls configured to use EAP-TTLS with PAP for RADIUS server authentication are not susceptible to this exploit.

"Palo Alto Networks is aware of proof of concept code demonstrating how to exploit this generic issue."

Palo Alto Networks has identified several PAN-OS versions impacted by Blast-RADIUS, with fixes already available for most.

The following PAN-OS versions are impacted:

  • PAN-OS 11.1 (fixed in versions >= 11.1.3)
  • PAN-OS 11.0 (fixed in versions >= 11.0.4-h4)
  • PAN-OS 10.2 (fixed in versions >= 10.2.10)
  • PAN-OS 10.1 (fixed in versions >= 10.1.14)
  • PAN-OS 9.1 (fixed in versions >= 9.1.19)

A fix for Prisma Access is anticipated by July 30.
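As an added example (not code from Palo Alto Networks or the advisory), the following Python check parses PAN-OS version strings, including the "-hN" hotfix suffix, compares them against the fixed releases listed above, and combines that with the advisory's PAP/CHAP versus EAP-TTLS distinction. It assumes the version format major.minor.patch[-hN] and uses plain method labels for the RADIUS profile setting.

```python
import re
from typing import NamedTuple, Optional

# First fixed PAN-OS release per branch for CVE-2024-3596 (Blast-RADIUS),
# taken from the list above. Branch key is "major.minor".
FIXED_VERSIONS = {
    "11.1": "11.1.3",
    "11.0": "11.0.4-h4",
    "10.2": "10.2.10",
    "10.1": "10.1.14",
    "9.1": "9.1.19",
}

# Assumed version format: major.minor.patch with an optional "-hN" hotfix suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> tuple[int, int, int, int]:
    """Turn '11.0.4-h4' into (11, 0, 4, 4). A plain release counts as hotfix 0,
    so '11.0.4' sorts below '11.0.4-h4', which is what the fix list needs."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


class BlastRadiusStatus(NamedTuple):
    version: str
    branch: str
    affected: Optional[bool]   # None when the branch is not in the list above
    fixed_in: Optional[str]


def check_blast_radius(version: str) -> BlastRadiusStatus:
    """Compare a running PAN-OS version against the fixed release for its branch."""
    parsed = parse_panos_version(version)
    branch = f"{parsed[0]}.{parsed[1]}"
    fixed_in = FIXED_VERSIONS.get(branch)
    if fixed_in is None:
        # Not in the list: do not guess, report unknown so a human checks the advisory.
        return BlastRadiusStatus(version, branch, None, None)
    return BlastRadiusStatus(version, branch, parsed < parse_panos_version(fixed_in), fixed_in)


def radius_profile_exposed(auth_method: str) -> bool:
    """Per the advisory text above, plain PAP or CHAP in the RADIUS server profile is
    exposed to the MITM; EAP-TTLS with PAP is not. Method labels are assumptions."""
    return auth_method.strip().upper() in {"PAP", "CHAP"}


def needs_action(version: str, auth_method: str) -> bool:
    """True when the firewall runs an affected build and uses an exposed RADIUS method.
    An unlisted branch is treated conservatively as needing review."""
    status = check_blast_radius(version)
    return status.affected is not False and radius_profile_exposed(auth_method)


if __name__ == "__main__":
    for v, method in [("11.0.4", "PAP"), ("11.0.4-h4", "PAP"),
                      ("10.2.10", "CHAP"), ("11.1.2", "EAP-TTLS/PAP")]:
        print(v, method, check_blast_radius(v), "action needed:", needs_action(v, method))
```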

Citrix, CISA and NCSC Warn of a Critical-Severity Bug in NetScaler Console

Citrix NetScaler Console, NetScaler, NetScaler Console

Security professionals and system administrators should prioritize patching a critical vulnerability in Citrix NetScaler Console, as recommended not only by the networking appliance manufacturer but also the U.S. Cybersecurity and Infrastructure Security Agency and the National Cyber Security Centre of Ireland.

The vulnerability, tracked as CVE-2024-6235, is found in the Citrix NetScaler Console, a cloud-based management tool for NetScaler appliances. Exploiting this flaw could grant attackers unauthorized access to sensitive data, posing a significant security risk.

The vulnerability scores 9.4 on the Common Vulnerability Scoring System (CVSS), placing it in the critical range. It stems from improper authentication controls within NetScaler Console, potentially allowing attackers with access to the console's IP address to bypass security measures and steal sensitive information.

Versions of NetScaler Console 14.1 before 14.1-25.53 are impacted.

Both CISA and NCSC issued advisories urging immediate patching. CISA’s alert warns, “A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system.”

Patching Beyond NetScaler Console: Addressing Denial-of-Service Threats

The security updates address not only the critical authentication bypass vulnerability but also a high-severity denial-of-service (DoS) flaw within NetScaler Console that is tracked as CVE-2024-6236. This DoS vulnerability exists similarly in the NetScaler Agent and NetScaler Service Virtual Machine (SVM). The flaw allows attackers with access to any of these components' IPs to launch DoS attacks, potentially disrupting critical services.

Citrix also addressed another high-severity DoS vulnerability (CVE-2024-5491) affecting NetScaler ADC and Gateway appliances.

Privilege Escalation Risk in Citrix Workspace App

The security updates encompass a high-severity vulnerability (CVE-2024-6286) within the Citrix Workspace app for Windows. This flaw could allow low-privileged attackers with local access to a system to escalate their privileges to SYSTEM level, granting them complete control over the system. This vulnerability impacts Citrix Workspace app versions before 2403.1 in the current release and versions before 2402 in the long-term service release.

NetScaler: A Repeated Target

This is not the first time NetScaler has been exploited by malicious actors. Last year, a critical-severity flaw, identified as CVE-2023-4966, in Citrix NetScaler ADC and Gateway appliances was leveraged to target professional services, technology, and government organizations. This previous flaw stemmed from an unauthenticated buffer overflow issue and could enable attackers to steal sensitive information.

Given NetScaler's history as a target and the severity of the newly patched vulnerabilities, applying the security updates is paramount to maintaining a secure environment. Security professionals and system administrators should prioritize patching all affected Citrix products immediately.

Global Crypto Exchange BitMEX Pleads Guilty to Money Laundering Violations

BitMEX, Cryptocurrency, Cryptocurrency Exchange

Global cryptocurrency derivatives exchange BitMEX (HDR Global Trading Limited) admitted guilt on Wednesday to violating the Bank Secrecy Act by "willfully" flouting U.S. anti-money laundering (AML) regulations. This admission, following previous actions against its founders, exposes significant vulnerabilities in cryptocurrency exchange oversight.

The Department of Justice (DoJ) accused BitMEX of operating from 2015 to 2020 as a "vehicle for large-scale money laundering and sanctions evasion schemes." The exchange allegedly failed to implement a "Know Your Customer" (KYC) program, a cornerstone of AML compliance that verifies user identities and helps prevent illicit activities.

"By only mandating lax service access credentials, BitMEX not only failed to comply with nationally required anti-money laundering procedures designed to protect the US financial markets from illicit actors and transactions, but knowingly did so to increase the business’s revenue," said FBI Assistant Director Christie M. Curtis, highlighting a deliberate effort to circumvent regulations. This raises concerns about the potential for other cryptocurrency exchanges to exploit similar loopholes.

The DoJ charges echo a 2022 guilty plea by Gregory Dwyer, BitMEX's first employee, for violating the Bank Secrecy Act. Prosecutors previously secured convictions against the exchange's founders for similar offenses. These actions demonstrate a coordinated effort to hold BitMEX and its leadership accountable.

BitMEX Founders Also Admitted Guilt and Received Sentences

In 2022, the three founders of BitMEX pleaded guilty to the same charges as Dwyer. Judge Koeltl took into account the exchange's belated efforts to implement AML and KYC controls during sentencing.

36-year-old Florida resident Hayes, the former CEO, received a six-month home detention sentence and two years of probation. 38-year-old Delo was sentenced to 30 months of probation and allowed to return to Hong Kong. The judge found Reed slightly less culpable than the other founders and sentenced the Massachusetts resident to 18 months of probation in July.

Both Hayes and Delo agreed at the time to pay a $10 million fine. All three founders – Hayes, Delo, and Reed – still own BitMEX.

The founders also reached a settlement agreement with the Department of Treasury. The agreement did not require them to admit or deny allegations that BitMEX "processed over $200 million in suspicious transactions and failed to report nearly 600 suspicious activities," according to the DOJ.

Cryptocurrency's Regulatory Struggles

The case also underscores the ongoing struggle to regulate the cryptocurrency space. While the Commodity Futures Trading Commission (CFTC) imposed a $100 million civil penalty on BitMEX in 2021 for related violations, the lack of a centralized authority creates challenges in enforcing AML and KYC requirements across the entire cryptocurrency ecosystem.

This incident serves as a wake-up call for regulatory bodies. It necessitates a collaborative effort to establish clear and comprehensive AML/KYC frameworks for cryptocurrency exchanges. Strengthening international cooperation and information sharing is also crucial to combatting money laundering and other illicit activities within the crypto sphere.

Recently, the FBI warned of the financial risks associated with using unregistered cryptocurrency transfer services, especially considering potential law enforcement actions against these platforms. The warning focused on crypto transfer platforms that operate without proper registration as Money Services Businesses (MSB) and fail to comply with anti-money laundering regulations mandated by U.S. federal law.

The future of BitMEX remains uncertain. The exchange faces potential financial penalties and could struggle to regain user trust. The DOJ had earlier noted that "due to the lack of KYC controls, the full extent of criminal activity on BitMEX may never be known."

This case sets a significant precedent and paves the way for stricter enforcement of AML regulations within the cryptocurrency industry.

7.64 Million Individuals Impacted in Evolve Bank Ransomware Attack

Evolve Bank ransomware

Evolve Bank & Trust, a financial institution with both traditional banking and open banking services, disclosed a data breach impacting a staggering 7.64 million individuals.

The Arkansas-based bank initially believed a "hardware failure" caused system disruptions in late May, but an investigation revealed a cyberattack with a much longer timeline.

Evolve confirmed hackers infiltrated their network as early as February, potentially compromising sensitive customer data. While the official notification letter filed with the Maine Attorney General avoids specifics, the bank has acknowledged stolen information, including names, Social Security numbers, bank account numbers, and contact details.

Affirm and Wise Customers Hit By Attack

This breach extends beyond Evolve's core clientele, impacting customers of its open banking platform (often referred to as Banking-as-a-Service) used by several fintech firms. "Buy now, pay later" provider Affirm and money transfer service Wise are among those notifying their customers of potential data exposure due to Evolve's security lapse.

The incident adds another layer of concern for Evolve, which faced a regulatory order from the Federal Reserve Board in June. The order mandated improvements to Evolve's anti-money laundering (AML) and risk management programs, citing the need for enhanced procedures in record keeping and consumer compliance. This regulatory action raises questions about whether vulnerabilities exploited in the cyberattack might have been linked to the bank's AML/compliance shortcomings.

LockBit Claims Evolve Bank Attack

LockBit, a Russian-speaking ransomware-as-a-service (RaaS) group, claimed responsibility for the attack. Interestingly, LockBit initially attributed the stolen data to the Federal Reserve, likely due to a stolen document referencing the central bank.

“The threat actor also encrypted some data within our environment. However, we have backups available and experienced limited data loss and impact on our operations. We refused to pay the ransom demanded by the threat actor. As a result, they leaked the data they downloaded. They also mistakenly attributed the source of the data to the Federal Reserve Bank,” Evolve Bank said at the time.

This error highlights the evolving tactics of RaaS groups, who often employ misinformation or disinformation campaigns alongside cyberattacks to create confusion and maximize impact.

The Evolve breach serves as a stark reminder for financial institutions of the critical need for robust cybersecurity measures. With the increasing adoption of open banking platforms and the ever-present threat of RaaS attacks, institutions must prioritize data security and implement strong access controls, encryption, and incident response protocols. Regulatory bodies are likely to intensify their scrutiny of financial institutions' cybersecurity posture in the wake of this incident.

Big Tech Retreats: Microsoft Exits OpenAI Board Amid Regulatory Pressure

Microsoft Exits OpenAI, OpenAI Announces Safety and Security Committee

In a move likely fueled by intensifying antitrust scrutiny, Microsoft is exiting OpenAI and stepping down from its non-voting observer seat on the AI company's board of directors. This comes just days after reports suggested Apple might take a similar observer role, but now the Cupertino giant has also opted out.

Microsoft's exit, communicated via a letter on Tuesday, cited "significant progress" made by OpenAI's newly formed board, according to Axios. This explanation rings somewhat hollow, considering Microsoft's role was established just last November following a period of upheaval at OpenAI that saw the ousting and reinstatement of CEO Sam Altman.

OpenAI announced a new safety and security committee at the end of May as it began training a new AI model intended to replace the GPT-4 chatbot. A month later, OpenAI pushed the rollout of its highly anticipated “Voice Mode” feature for ChatGPT to July, citing safety concerns. The company said it needed more time to ensure the model could “detect and refuse certain content.”

Microsoft Exits OpenAI, Caving to Regulatory Pressure?

The timing of these decisions coincides neatly with growing regulatory pressure on Big Tech's influence in the burgeoning field of artificial intelligence. Both the U.S. Federal Trade Commission (FTC) and the European Commission (EC) have expressed concerns that tech giants' investments in AI startups like OpenAI could stifle competition and create monopolies in key technological areas.

In June, the FTC launched an investigation into Big Tech investments in generative AI startups, including Microsoft, Amazon, and Google. The EC, meanwhile, explored the possibility of an antitrust probe into the Microsoft-OpenAI partnership after deciding against a merger control investigation.

AI Model Access Scrutinized

While both Microsoft and OpenAI maintain the company's independence despite the multi-billion dollar investment, the optics surrounding the close relationship are not lost on regulators. Microsoft's access to cutting-edge AI models through this partnership gives them a significant advantage, potentially hindering the growth of smaller competitors.

OpenAI seems to be taking a new approach to partner engagement. Moving forward, they plan to host regular meetings with key partners like Microsoft and Apple, alongside investors, to foster communication and collaboration. This strategy aims to maintain strong relationships without raising red flags for regulators.

The future trajectory of Big Tech's involvement in AI development remains to be seen. The recent retreat from board positions suggests a potential shift as companies navigate an increasingly complex regulatory landscape while striving to maintain a competitive edge in the race for AI dominance.

NATO Faces Escalating Cyberthreats: From Espionage to Disinformation

NATO

As NATO leaders convene in Washington, D.C. for the organization's 75th Anniversary summit, a hidden war rages on – a relentless campaign of cyberattacks targeting the Alliance and its members.

This threat landscape is not merely a static backdrop, but a dynamic battlefield where adversaries employ a growing arsenal of tactics, from stealthy espionage to disruptive cyberattacks and disinformation campaigns, a report from Google-owned cybersecurity firm Mandiant said.

Espionage Actors Set Their Sights on Alliance Secrets

Nation-state actors like APT29 (ICECAP), attributed to Russia's SVR intelligence service, are notorious for targeting NATO members. These actors excel at compromising networks, often through social engineering or exploiting zero-day vulnerabilities, to steal sensitive political, diplomatic, and military intelligence. Their ability to operate undetected within compromised environments makes them particularly troublesome adversaries, Mandiant said.

China's cyber espionage efforts have also become more sophisticated, transitioning from loud operations to stealthier techniques. These actors exploit network edges and leverage complex infrastructure like operational relay box networks to mask their activities and hinder detection. Additionally, they increasingly rely on "living off the land" techniques, using legitimate system tools for malicious purposes, further complicating defenders' ability to identify intrusions.

Beyond Espionage: Disruptive and Destructive Attacks

Disruptive and destructive cyberattacks pose a direct threat to NATO's operational capabilities. Iranian and Russian actors have demonstrated a willingness to launch such attacks, often masking their involvement behind hacktivist groups. For instance, the destructive 2022 attack on Albania, initially attributed to "HomeLand Justice" hacktivists, was later linked to Iranian state actors. These incidents highlight the growing risk of attacks targeting critical infrastructure that could cripple essential services for NATO members.

Hacktivists and criminal actors further complicate the threat landscape. The global resurgence of hacktivism, fueled by geopolitical flashpoints like the Ukraine war, has resulted in a surge of attacks against NATO members. While these operations often lack sophistication and lasting impact, they can garner significant media attention and sow discord. Additionally, some hacktivist groups, like the pro-Russian Cyber Army Russia Reborn (CARR), are experimenting with more disruptive tactics, targeting critical infrastructure such as water supplies.

Financially motivated cybercrime, particularly ransomware attacks, poses a significant threat to critical infrastructure across NATO states. Healthcare institutions have become prime targets, disrupting patient care and highlighting the potential for widespread societal consequences. The ability of cybercriminals to operate with impunity from lax jurisdictions and the lucrative nature of ransomware attacks suggest this threat will only escalate.

Disinformation: A Weapon to Sow Discord

Information operations, encompassing social media manipulation and complex network intrusions, have become a hallmark of modern cyberwarfare. Russian and Belarusian actors have heavily targeted NATO with disinformation campaigns aimed at undermining Alliance unity and objectives. These efforts range from social media manipulation by "troll farms" to the coordinated leaking of stolen information.

In fact, on the same day as Mandiant released this report, the U.S. Department of Justice disrupted a Russia-run AI-enabled Twitter disinformation bot farm. Almost 1,000 accounts were seized. These bots masqueraded as Americans and promoted Russian government narratives.

Countering such campaigns requires collaboration between governments and the private sector, with tech giants like Google actively removing malicious content and disrupting information operations.

A Collective Defense is Paramount

A senior NATO official on Tuesday during the NATO Summit said Russia can sustain its war economy for 3-4 more years. "Ultimately, we all have to be prepared to continue to support Ukraine well beyond 2025. This is certainly something that we all understand very well," the official added.

The cyber threat landscape facing NATO is vast and ever-evolving. Unlike traditional warfare, cyberattacks can persist irrespective of broader geopolitical tensions. The war in Ukraine has undoubtedly emboldened reckless cyber activity against NATO allies, highlighting the need for a collective defense strategy. To effectively counter these threats, NATO must leverage the technological expertise of the private sector and foster strong partnerships with its member states. Only through a united front can the Alliance seize the initiative in cyberspace and secure its future.

Alabama Education Department Breach Raises Concerns About Student Data Security

Alabama Education Department, Alabama, Ransomware

The Alabama State Department of Education (ALSDE) narrowly avoided a crippling ransomware attack on June 17, but not before hackers breached sensitive data, raising concerns about the security of student and employee information.

While ALSDE officials successfully prevented a complete system lockdown, they acknowledged in a statement earlier this week that the attackers gained access to some data before being stopped. The department is currently working with federal law enforcement to investigate the scope of the breach and determine what information was compromised.

Education Ransomware Attacks Soar

The incident comes amidst a wave of cyberattacks targeting educational institutions across the United States. In fact, 2023 was the worst ransomware year on record for the education sector, with a 92% spike.

Although the attacks were carried out by several ransomware gangs, LockBit and Rhysida (a rebrand of Vice Society) had the lion’s share of 2023 attacks, with half credited to them. While ransomware attacks against education are a global phenomenon, the U.S. education sector has faced 80% of known attacks.

Scope of Alabama Education Department Breach Unknown

The exact nature of the stolen data remains unclear. ALSDE has not confirmed the type of information compromised, but at a press conference, State Superintendent Eric Mackey warned that student and employee data, including "some personally identifiable information," may have been accessed. The department has set up a dedicated webpage, alabamaachieves.org/databreach, to provide updates on the investigation.

While ALSDE has taken steps to mitigate the damage, several questions remain unanswered. The investigation into the attack is ongoing, and the department has not responded to requests for further details about the compromised data. The potential impact on students, families, and school employees will depend on the nature and volume of the information accessed by the attackers.

The department reiterated its firm stance against negotiating with cybercriminals. “We have taken the position not to negotiate with foreign actors and extortionists," the department's statement said, reflecting growing law enforcement guidance against feeding the ransomware ecosystem.

Importance of Data Backups for Ransomware Protection

Despite the breach, ALSDE was able to restore its systems and data using clean backups, highlighting the importance of robust data backup and recovery strategies for organizations of all sizes.

The incident underscores the need for educational institutions to invest in cybersecurity measures to protect sensitive student and staff data, and serves as a stark reminder of the growing cybersecurity threats faced by educational institutions. As schools continue to collect and store sensitive student data, robust cybersecurity protocols and incident response plans are critical to safeguard this valuable information.

Third-Party Data Breach Exposes Video Gaming Giant Roblox Developers’ Data

American video game giant Roblox has reported a data breach stemming from a third-party service provider that helps host its annual Developer Conference. Result? Data related to its in-person and online attendees registered through the third-party's platform in the last two years leaked. Roblox Corp. is an American video game developer based in San Mateo, California. Founded in 2004 by David Baszucki and Erik Cassel, the company is the developer of Roblox, which was released in 2006. As of December 2023, the company employs over 2,400 people. The gaming company has an average monthly user base of 214 million players and makes around $7 million per day from a user base that is primarily youngsters below the age of 16 years. In fact, 21% of its users are aged between 9 and 12 years.

Roblox Developers Conference Data Leak

Roblox on Friday notified all developers who registered on its FNTech platform about a recent data breach. FNTech is advertised on its website as a one-stop shop for everything related to in-person, virtual and hybrid events.

Roblox said an "unauthorized" actor intruded into its third-party provider's systems and accessed a subset of user information from a Roblox Developer Conference registration list there. Roblox said the compromised details likely included Developer Conference users' full names, email addresses and IP addresses, the latter possibly collected for users attending the conference via the hybrid option.

Image: Roblox data breach notification (Source: X)

Roblox did not confirm if any other data or if its own systems were affected in a supply chain-type attack but said it has "made efforts to ensure this type of incident is avoided in the future." What measures were implemented remains unclear. The Roblox Developer Conference 2024 will be hosted in San Jose, California on September 6-7. 

Gamers often have valuable virtual assets and in-game purchases linked to their accounts. Hackers exploit vulnerabilities in servers and platforms to steal the data, which can be sold in the underground market.

Recently, two prominent online gaming platforms in India, Teenpatti.com and Mobile Premier League (MPL.live), allegedly experienced data breaches. Similarly, Fortnite and Insomniac games also experienced breaches from ransomware actors, which shows a steady interest by threat actors in the gaming sector that has largely been off the radar until now.

RockYou2024: Massive 10-Billion Password Leak Raises Credential Stuffing Concerns

RockYou2024, Password Leak, data breach,

Security researchers are scrambling to assess the fallout from a massive leak of stolen passwords, dubbed "RockYou2024." Uploaded to a notorious cybercrime forum, the database allegedly contains nearly 10 billion unique passwords – a staggering figure that dwarfs previous records.

Unprecedented Scale of RockYou2024 Password Leak

According to Cybernews researchers, the RockYou2024 compilation appears to be the largest collection of leaked credentials ever discovered. The data offered by a hacker using the alias "ObamaCare" reportedly consists of 9.948 billion unique passwords in plain text format. This builds upon the RockYou2021 database, which exposed 8.4 billion passwords, with an additional 1.5 billion entries added from 2021 to 2024. Researchers estimate the trove originates from at least 4,000 separate data breaches spanning two decades.

Credential Stuffing Bonanza

Security experts warn that RockYou2024 presents a significant risk for credential stuffing attacks. These automated assaults use stolen login credentials against multiple online services, often succeeding when users employ the same password across different accounts.

The researchers emphasize the danger that "revealing that many passwords for threat actors substantially heightens the risk of credential stuffing attacks." Attackers could potentially gain unauthorized access to a vast array of targets, including personal accounts, internet-connected devices, and even industrial control systems. Furthermore, when combined with other leaked data like email addresses – readily available on hacker forums – RockYou2024 could fuel a wave of data breaches, financial fraud, and identity theft.
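The automated, many-accounts-from-one-source pattern described above is visible in authentication logs. The following Python example is added here and is not from the Cybernews research or any vendor; it runs over a constructed log format (timestamp, src, user, result), flags sources that fail against many distinct accounts within a short window, and reports any account such a source then logged into, which is the reused-password hit a defender most wants to see.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple, Optional

# Constructed sample login log (not from any real system). One event per line:
# "<UTC timestamp> src=<ip> user=<account> result=<ok|fail>". IPs are documentation ranges.
SAMPLE_LOG = """\
2024-07-05T10:00:01Z src=203.0.113.7 user=alice result=fail
2024-07-05T10:00:02Z src=203.0.113.7 user=bob result=fail
2024-07-05T10:00:03Z src=203.0.113.7 user=carol result=fail
2024-07-05T10:00:04Z src=203.0.113.7 user=dave result=fail
2024-07-05T10:00:05Z src=203.0.113.7 user=erin result=fail
2024-07-05T10:00:06Z src=203.0.113.7 user=frank result=ok
2024-07-05T10:00:07Z src=203.0.113.7 user=grace result=fail
2024-07-05T10:01:00Z src=198.51.100.5 user=carol result=fail
2024-07-05T10:01:05Z src=198.51.100.5 user=carol result=fail
2024-07-05T10:01:09Z src=198.51.100.5 user=carol result=fail
2024-07-05T10:01:20Z src=198.51.100.5 user=carol result=ok
2024-07-05T10:00:00Z src=192.0.2.9 user=heidi result=fail
2024-07-05T10:08:00Z src=192.0.2.9 user=ivan result=fail
2024-07-05T10:16:00Z src=192.0.2.9 user=judy result=fail
2024-07-05T10:24:00Z src=192.0.2.9 user=ken result=fail
2024-07-05T10:32:00Z src=192.0.2.9 user=leo result=fail
"""

_LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")


class LoginEvent(NamedTuple):
    ts: datetime
    src_ip: str
    user: str
    result: str


class StuffingAlert(NamedTuple):
    src_ip: str
    distinct_failed_users: int     # most distinct accounts failed within one window
    successful_logins: tuple       # accounts this source logged into after the spray began


def parse_line(line: str) -> Optional[LoginEvent]:
    """Parse one log line in the assumed format; return None for lines that do not match."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return LoginEvent(ts, m["ip"], m["user"], m["result"])


def detect_credential_stuffing(log_text: str, window: timedelta = timedelta(minutes=5),
                               min_distinct_users: int = 5) -> list:
    """Flag sources whose failed logins hit at least min_distinct_users distinct accounts
    inside any time window of the given length. A single user mistyping their own
    password repeatedly (one account) is deliberately not flagged."""
    failures, successes = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        (successes if ev.result == "ok" else failures)[ev.src_ip].append((ev.ts, ev.user))

    alerts = []
    for ip, fails in failures.items():
        fails.sort()
        best, start = 0, 0
        for end in range(len(fails)):
            # Slide the window start forward until it spans at most `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            best = max(best, len({u for _, u in fails[start:end + 1]}))
        if best >= min_distinct_users:
            first_fail = fails[0][0]
            later_ok = tuple(sorted({u for ts, u in successes.get(ip, []) if ts >= first_fail}))
            alerts.append(StuffingAlert(ip, best, later_ok))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect_credential_stuffing(SAMPLE_LOG):
        print(alert)
```

With the default five-minute window only 203.0.113.7 is flagged, with "frank" reported as the account it got into; widening the window to an hour also catches the slow spray from 192.0.2.9.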

Mitigating the RockYou2024 Threat

Chris Bates, chief information security officer at SandboxAQ, said, “Companies should assume all passwords are compromised and build the correct mitigating controls. This includes phishing resistant MFA, passwordless authentication, and behaviour-based detection and response programs to detect malicious use.”

Adding to this advice, these are the steps users can take to mitigate the risks associated with RockYou2024. Services like the "AmIBreached" data leak checker from Cyble allow individuals to verify if their credentials have been compromised. More importantly, adopting strong, unique passwords for every online account is crucial.

Password managers like LastPass, 1Password and Enpass can be invaluable tools for generating and storing complex passwords, ensuring each account has a unique login.

Finally, identity theft protection services can provide an extra layer of security, assisting with recovery efforts in the event of fraud or identity theft.
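The credential-check and unique-password advice above can be put into code. The following is an added example, not code from the article, from Cyble or from any password manager named there; it implements the k-anonymity range-query design used by the public Pwned Passwords API (assumption: the article does not mention that service). The client hashes the password with SHA-1, sends only the first five hex characters, and compares the returned suffixes locally, so the password itself never leaves the machine. The server response below is constructed; the live lookup function is included but needs network access.

```python
"""Breached-password check with k-anonymity range queries.

Added example, not from the original article and not Cyble's AmIBreached
service. It follows the range-query design of the Pwned Passwords API
(https://api.pwnedpasswords.com/range/<first five hex digits of SHA-1>): the
client sends only a 5-character hash prefix and receives every known suffix in
that range with its breach count, so neither the password nor its full hash
leaves the machine. The server response used below is constructed for the
example; breach_count_live() performs the real lookup and is not run offline.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> tuple[str, str]:
    """Return (5-char prefix sent to the server, 35-char suffix kept locally)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF-separated in the real API)."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count_from_response(password: str, body: str) -> int:
    """How many times the password appears in the returned range (0 = not seen)."""
    _, suffix = split_for_range_query(password)
    return parse_range_response(body).get(suffix, 0)


def is_acceptable(password: str, body: str, min_length: int = 12) -> bool:
    """Signup/reset policy: long enough and never seen in a known breach."""
    return len(password) >= min_length and breach_count_from_response(password, body) == 0


def breach_count_live(password: str, timeout: float = 5.0) -> int:
    """Real lookup against the public API; requires network access."""
    prefix, _ = split_for_range_query(password)
    req = urllib.request.Request(RANGE_URL.format(prefix=prefix),
                                 headers={"User-Agent": "range-query-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return breach_count_from_response(password, resp.read().decode("utf-8"))


def constructed_response_for(password: str, count: int) -> str:
    """Fake range response (constructed data): two filler suffixes plus the real suffix of `password`."""
    _, suffix = split_for_range_query(password)
    filler = ["0" * 34 + "1:3", "0" * 34 + "2:17"]
    return "\r\n".join(filler + [f"{suffix}:{count}"]) + "\r\n"


if __name__ == "__main__":
    body = constructed_response_for("password123", 123456)
    print("password123 seen", breach_count_from_response("password123", body), "times")
    print("acceptable:", is_acceptable("password123", body))
```

The same `is_acceptable()` check belongs in a registration or password-change handler, where a rejected password is the cheapest possible mitigation against a compilation like RockYou2024: a password that already appears in the corpus is one an attacker will try first.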

The Road Ahead

The RockYou2024 leak serves as a stark reminder of the ever-evolving cyber threat landscape.

Marc Manzano, general manager at SandboxAQ, said, “It's imperative for organizations to implement and enforce stringent password policies, educate users about the risks of password reuse, and drive widespread adoption of multi-factor authentication.” He added, “Enhancing overall IT systems security by deploying modern cryptography management platforms will be crucial in defending against large-scale threats leveraging stolen passwords.”

Organizations and individuals alike must prioritize robust password security practices to stay ahead of malicious actors. As analysis of the leak continues, security professionals remain vigilant, anticipating the potential consequences of this colossal compilation.

Hackers Compromise Ethereum Mailing List to Send Phishing Emails Directing Subscribers to Crypto Drainers


The Ethereum Foundation (EF) this week disclosed a phishing campaign that targeted its email subscribers. The attack, which took place on June 23, saw a malicious email sent to 35,794 recipients from the Foundation's compromised sender address, updates@blog.ethereum.org.

Figure: Phishing mail sent on 23 June 2024 at 00:19 UTC to 35,794 email addresses from updates@blog.ethereum.org

The phishing email sent from this address relied on social engineering, luring users with the promise of a high annual percentage yield (APY) through a fake collaboration between Ethereum and Lido DAO. Clicking the embedded "Begin staking" button led victims to a well-disguised website designed to drain cryptocurrency from their wallets.

Dissecting the Ethereum Mailing List Attack

Investigators found the attacker had sent the email to a combined list: addresses the attacker already held, plus 3,759 addresses exported from the Ethereum blog's mailing list. Of those 3,759, only 81 were not already in the attacker's possession.

The phishing email advertised a lucrative 6.8% APY on staked Ethereum. Upon clicking the malicious link and attempting to connect their wallets, users would unknowingly initiate a transaction that would drain their crypto holdings straight into the attacker's wallet.

Figure: Fake staking website that hosted the crypto drainer

Swift Response and Ongoing Measures

The Ethereum Foundation's security team responded quickly. It identified and blocked the attacker from sending further emails and alerted the community via Twitter about the malicious campaign. The team also submitted the fraudulent link to various blocklists, so that popular Web3 wallet providers and Cloudflare would flag it for their users and limit its reach.

While on-chain analysis revealed no successful thefts during this specific campaign, the EF emphasizes the importance of vigilance. They have implemented additional security measures and are migrating some email services to mitigate future risks.

Similar Incidents

This incident highlights the evolving tactics of cybercriminals who exploit trust in reputable organizations to target cryptocurrency users. In February, crypto scammers devised a new tactic to deceive owners of Ethereum Name Service (ENS) domains, commonly recognized by their ".eth" extension. The ENS email phishing scam involved sending emails to ENS owners purportedly alerting them that their domains were about to expire. As in the latest campaign, victims were directed to fraudulent platforms designed to siphon their funds.

Nick Bax, a prominent figure in cryptocurrency analysis, first reported the scam, suggesting that attackers could be exploiting data leaked in previous breaches. Such leaks potentially give scammers genuine email addresses associated with .eth names, making it easy to target ENS owners.

Security professionals and crypto enthusiasts alike should remain vigilant against phishing attempts and prioritize verifying information before interacting with suspicious links or investment opportunities.

Apple Caves to Roskomnadzor Demands, Removes VPNs From Russia’s App Store


In a move that tightens Russia's grip on internet control, Apple has removed several Virtual Private Network (VPN) applications from the App Store in response to a request by Roskomnadzor, the country's federal media watchdog.

The removed apps, from ProtonVPN, Red Shield VPN, NordVPN, and Le VPN, were popular tools used by Russians to bypass government-imposed internet censorship. Red Shield VPN and Le VPN confirmed the removals, sharing messages from Apple stating the apps were deleted at the "demand from Roskomnadzor" for containing "content considered illegal in Russia."

A VPN carries a device's internet traffic through an encrypted tunnel to a server elsewhere, so the local network and ISP see only the tunnel endpoint and cannot see or block the sites and applications the user actually reaches. It does not, by itself, make the user anonymous.

Apple offered little explanation, suggesting developers contact Roskomnadzor directly. Red Shield VPN, in turn, advised users to switch their Apple ID country so they can keep receiving the app and its updates from another region's store. The company also had stern words for the Cupertino giant:

"Apple's actions, motivated by a desire to retain revenue from the Russian market, actively support an authoritarian regime. This is not just reckless but a crime against civil society. The fact that a corporation with a capitalization larger than Russia's GDP helps support authoritarianism says a lot about the moral principles of that corporation." - Red Shield VPN

Red Shield said its service aims to provide free access to information and to improve the world. In its notification, however, Apple refers to Roskomnadzor's request to remove the app and claims that the app "solicits, promotes, or encourages criminal or clearly reckless behavior," a characterization Red Shield strongly disputes.

A similar notice was sent to Le VPN, as seen in the image below:

Figure: Apple's notice to Le VPN (Source: Le VPN)

Banning and Removal of VPN Apps Not New

This is just the latest chapter in Russia's escalating efforts to control online information. The crackdown on VPN Apps and their services predates the Ukraine war but has intensified significantly since. Roskomnadzor executed large-scale blocks targeting VPN protocols like WireGuard, OpenVPN, and IPSec in August and September 2023.

According to Sergei Khutortsev, Director of Roskomnadzor's Public Communications Network Monitoring and Management Centre, 167 "malicious" VPN services and 84 applications have been blocked in just two years.

This aggressive censorship push extends beyond VPNs. Roskomnadzor is reportedly developing an AI-powered system to maintain a vast register of banned information, further solidifying its control over the Russian online landscape. Additionally, the agency compels telecom operators to block roughly 300,000 unregistered SIM cards weekly.

While Apple's compliance with Roskomnadzor's demands raises concerns about corporate responsibility in the face of authoritarian restrictions, it's a tactic with limited effectiveness. Tech-savvy users will undoubtedly explore alternative methods to access VPN services. The bigger worry lies with Roskomnadzor's growing arsenal of censorship tools and its potential to stifle free speech and the flow of information within Russia.

Australia Gives Online Industry Ultimatum to Protect Children from Age-Explicit Harmful Content


Australia’s eSafety Commissioner has given key online industry players six months to develop "enforceable codes" to shield children from exposure to pornography and other harmful content. The codes will aim to prevent young children from encountering explicit material that is deemed unsuitable for their age. They will also seek to empower Australian internet users with options to manage their exposure to various online materials.

While the primary focus is on pornography, the codes will also cover other high-impact content, including themes of suicide, self-harm, and disordered eating. The regulations will apply to app stores, apps, websites (including porn sites), search engines, social media, hosting services, ISPs, messaging platforms, multiplayer games, online dating services, and device providers. The European Union calls the largest of these digital platforms “gatekeepers.”

Why 'Enforceable Codes' are Important

eSafety Commissioner Julie Inman Grant noted the pervasive and invasive nature of online pornography. She said children often encounter explicit material accidentally and at younger ages than before.
“Our own research shows that while the average age when Australian children first encounter pornography is around 13, a third of these children are actually seeing this content younger and often by accident,”  - eSafety Commissioner Julie Inman Grant
She clarified that these measures focus on preventing young children’s unintentional exposure to explicit content on such a sensitive topic. Social media plays a significant role in unintentional exposure, with 60% of young people encountering pornography on platforms like TikTok, Instagram, and Snapchat, according to Inman Grant.

“The last thing anyone wants is children seeing violent or extreme pornography without guidance, context or the appropriate maturity levels because they may think that a video showing a man aggressively choking a woman during sex on a porn site is what consent, sex and healthy relationships should look like,” she added.

Parents and caregivers are crucial in protecting children, but the industry must also implement effective barriers, Inman Grant stressed. These could include age verification, default safety settings, parental controls, and tools to filter or blur unwanted sexual content. Such measures should apply across all technology layers, from connected devices to app stores, messaging services, social media platforms, and search engines, providing multi-layered protection, the eSafety Commissioner said.

Draft Due Oct. 3, Final Versions by Dec. 19

Industry bodies are required to submit a preliminary draft of the codes by October 3, with final versions due at the end of the year, on December 19. The eSafety Commissioner also requires public consultation while the codes are being defined. eSafety has released a Position Paper to help industry develop the codes and clarify expectations.
“We want industry to succeed here and we will work with them to help them come up with codes that provide meaningful protections for children.” - eSafety Commissioner Julie Inman Grant

eSafety Commissioner Can Set Rules if Efforts Fail

But if any code falls short, the eSafety Commissioner can set the rules instead, under the provisions of the Online Safety Act. eSafety has also published an Age Assurance Tech Trends Paper examining recent developments in age verification technology to provide additional context.

These new codes will complement existing protections under the Online Safety Act, including the Restricted Access System Declaration, the Basic Online Safety Expectations Determination, and the initial industry codes addressing illegal content such as online child sexual abuse material. The codes also align with broader initiatives such as the Government’s Age Assurance Trial, Privacy Act reforms, the statutory review of the Online Safety Act, and efforts under the National Plan to End Violence Against Women and Children 2022-2032.

Last year, the eSafety Commissioner also issued notices to online platforms including Twitter and Meta concerning their approaches to combatting online child abuse. This was followed by similar action from Inman Grant against online hate on social media platforms.

Law Enforcement and Private Sector Team Up to Disrupt Cobalt Strike Abuse


In a coordinated takedown, law enforcement and cybersecurity firms joined forces to cripple cybercriminals' misuse of a legitimate security tool – Cobalt Strike. The week-long operation, codenamed MORPHEUS and spearheaded by UK's National Crime Agency, targeted unlicensed versions of Cobalt Strike used to infiltrate victim networks.

Europol, which helped coordinate the operation involving authorities from six other countries, said a total of 690 IP addresses linked to criminal activity were flagged. By the end of the week, over 85% (593) of these addresses associated with unlicensed Cobalt Strike instances were disabled by internet service providers (ISPs) in 27 countries.

Cobalt Strike: Double-Edged Sword

Cobalt Strike, a commercially available tool by Fortra, is used by ethical hackers for penetration testing – simulating cyberattacks to identify vulnerabilities in a network's defenses. However, in the hands of malicious actors, unlicensed versions of Cobalt Strike transform into a powerful weapon.

"Since the mid 2010’s, pirated and unlicensed versions of the software downloaded by criminals from illegal marketplaces and the dark web have gained a reputation as the ‘go-to’ network intrusion tool for those seeking to build a cyberattack, allowing them to deploy ransomware at speed and at scale." - UK's NCA

Cybercriminals typically deploy Cobalt Strike through spear-phishing emails that trick victims into clicking malicious links or opening infected attachments. Once a victim does, a "Beacon" implant is installed, giving the attacker remote access to the compromised system. From there they can steal data, drop additional tooling such as infostealers, or move further into the network.

Criminals also use these cracked copies to establish backdoors on compromised systems and deploy malware. Notably, investigations into malware operations such as Ryuk, Trickbot, and Conti have linked them to unlicensed Cobalt Strike, Europol said.

Paul Foster, director of threat leadership at the National Crime Agency, said, “Although Cobalt Strike is a legitimate piece of software, sadly cybercriminals have exploited its use for nefarious purposes. Illegal versions of it have helped lower the barrier of entry into cybercrime, making it easier for online criminals to unleash damaging ransomware and malware attacks with little or no technical expertise." Foster warned that such attacks could cost companies millions in losses and recovery.

Public-Private Partnership: A Winning Formula

The success of Operation MORPHEUS hinges on the unprecedented cooperation between law enforcement and the private sector. Key industry partners like BAE Systems Digital Intelligence, Trellix, Spamhaus, and The Shadowserver Foundation provided crucial support. Their expertise in threat intelligence, network scanning, and data analysis proved instrumental in identifying malicious activities and pinpointing cybercriminal infrastructure.

This collaboration is a direct consequence of Europol's recent regulatory amendments, empowering the agency to work more effectively with private entities. This novel approach grants Europol access to real-time threat intelligence and a broader understanding of cybercriminal tactics. This translates to a more coordinated and comprehensive response, ultimately strengthening the overall cybersecurity posture across Europe.

Europol's European Cybercrime Centre (EC3) played a pivotal role throughout the investigation, offering analytical and forensic support and facilitating information exchange between all partners. The FBI, the Australian Federal Police, and other national agencies also provided critical support.

Over the past two and a half years, law enforcement utilized the Malware Information Sharing Platform (MISP) to facilitate real-time threat intelligence sharing with the private sector. Nearly 730 intelligence reports containing almost 1.2 million indicators of compromise (IOCs) were exchanged during the investigation. Additionally, EC3 organized over 40 coordination meetings to ensure smooth collaboration between law enforcement and private partners. Europol even established a virtual command post during the takedown week to coordinate global law enforcement activities.

The Fight Continues

While Operation MORPHEUS represents a significant victory, the fight against cybercrime is far from over. Law enforcement agencies say they remain prepared to conduct similar disruptive actions as long as criminals continue to abuse legitimate security tools.

Fortra, the developer of Cobalt Strike, has also released a new version with enhanced anti-abuse measures and says it is committed to working with law enforcement to remove older, cracked versions from circulation.

EU Flexes Muscles: Meta’s ‘Pay or Consent’ Model Faces DMA Challenge


The European Commission has found, on a preliminary basis, that Meta's "pay or consent" advertising model breaches the Digital Markets Act (DMA). The findings highlight concerns about user choice and data control within the social media landscape. The Commission said it will conclude its investigation within a year of opening it, after which a formal decision will be made.


DMA Compliance: A New Benchmark for User Privacy

The Digital Markets Act (DMA) was signed into law by the European Parliament and the Council presidency in September 2022. It became legally effective two months later and most of its regulations took effect on May 2, 2023.

The DMA is a European law that aims to prevent large online platforms from abusing their market power and to ensure fair competition in the digital economy. The law primarily targets "gatekeepers," which are large digital platforms that provide core services like search engines, messaging services, app stores and dominant online platforms like Meta.

Meta's Model Under Fire: Limited Options, Privacy Concerns

Online platforms collect a lot of personal data to power online advertising. Their dominant position allows them to set user agreements that enable vast data collection, giving them a big advantage over competitors.

New EU regulations - DMA Article 5(2) - aim to empower users by requiring platforms to get explicit consent before combining their data across different services. Even if users refuse consent, they must still have access to a basic version of the service, even if it's less personalized. This stops platforms from forcing users to give up their data to use the service entirely.

Meta's "pay or consent" model, launched in response to the DMA, presents EU users with a binary choice, the Commission argued: pay a subscription for an ad-free version, or accept personalized ads in the free version. The Commission said this approach fails to comply with the DMA on two key points:

  • Lack of a "Less Personalized" Option: Users are not offered a service with reduced data collection and ad personalization, violating their right to control their data footprint.
  • Consent Coercion: The model allegedly coerces consent by making access to certain functionalities conditional on agreeing to data combination.

The Commission asserted that users who choose not to consent should still have access to an equivalent service with less data collection for advertising purposes.

Next Steps: Dialog and Potential Penalties

Meta now has the opportunity to respond to the preliminary findings and defend its practices. The Commission will conclude its investigation within a year, potentially leading to a formal decision against Meta if the concerns are confirmed.


Potential consequences for non-compliance include hefty fines – up to 20% of global turnover for repeated offenses. More drastic measures like forced business divestments are also on the table.

The Commission remains open to discussions with Meta to find a solution that complies with the DMA. This case sets a crucial precedent for how dominant platforms handle user data and privacy in the age of stricter regulations.

French Authorities Seized Nearly $6M in Child Sexual Abuse and Drug Dealing Platform Takedown


French authorities seized servers and proceeds worth millions belonging to the "Coco" chat website, a free-for-all online platform that facilitated child sexual abuse and drug dealing, among other illegal activities.

In a major international cooperative effort, the French authorities, alongside Bulgaria, Germany, Lithuania, Netherlands, and Hungary, dismantled a notorious online platform that facilitated a range of criminal activities.

Under investigation since December 2023, the website called "Coco" has facilitated child pornography, sexual exploitation, drug dealing and violent acts including homicides, said Eurojust, the European Union Agency for Criminal Justice Cooperation.

The details of the seizure were revealed on Monday, a week after the initial announcement from the Paris prosecutor's office that the website was no longer available and only displayed a seizure notice from the French national police.

Platform Served as Hub for Organized Crime

For years, the platform served as a virtual meeting ground for criminals, enabling them to communicate, plan operations, and conduct transactions, said Eurojust. Over 23,000 judicial procedures linked to this platform have been initiated since 2021, with at least 480 victims identified to date.

French authorities launched the investigation in December last year after receiving numerous allegations of abuse carried out through the platform. The investigation uncovered the platform's role in facilitating activities such as human trafficking and child exploitation for organized crime groups, after which the authorities moved to shut it down.

Coordinated Takedown Nets Servers and Millions

A synchronized operation supported by Eurojust led to the seizure of servers located in Germany, effectively shutting down the platform and displaying a splash page. Lithuanian and Hungarian authorities swiftly executed freezing orders, securing over €5.6 million in suspected criminal funds.

Furthermore, a European Investigation Order (EIO) issued by France was successfully executed in Bulgaria. French magistrates and law enforcement officials, authorized by Bulgarian authorities, conducted bank statement reviews, searches, seizures, and witness interviews.

Coco Chat Site's Links to Violence

Coco was a chat website with a notorious lack of moderation. Rights groups in France have labeled it a "predator's den" due to its alleged links to violence. SOS Homophobie, for instance, called for its closure after a brutal attack on a gay man allegedly planned by Coco users. Child protection groups have also campaigned against Coco since 2013, citing its easy access for criminals. The website, owned by a Bulgarian company and operating outside French jurisdiction with a [.]gg domain, boasted over 850,000 users in France as of 2023. Paris prosecutors connect Coco's anonymity to its appeal for criminals, highlighting a recent murder allegedly set up on the platform.

Prudential Data Breach Grows Nearly 70-Fold: Over 2.5 Million Affected


A data breach at insurance giant Prudential has ballooned far beyond initial estimates, with regulators informed that over 2.5 million individuals may have had personal information compromised. This significant update comes after Prudential downplayed the incident in March, stating only 36,545 customers were affected. Prudential is the second largest life insurance company in the United States, with 40,000 employees worldwide and revenue of $50 billion in 2023.

Initial Claims vs. Updated Numbers

In March 2024, following a February network intrusion, Prudential reported to regulators that hackers accessed a limited dataset, including names, addresses, and driver's license/ID numbers, for 36,545 individuals. However, updated data breach filings submitted to Maine regulators on June 30th paint a much bleaker picture. The revised figures show a staggering 2,556,210 customers potentially impacted by the data leak.

A Prudential spokesperson clarified that the leaked information may vary for each affected individual. While the full scope of the breach is under investigation, the significant increase in reported victims raises concerns about the initial assessment and potential notification delays.

Prudential's Response and Next Steps

Prudential maintains that it has completed a "complex analysis" of the affected data and began a rolling notification process in March. The vast increase in impacted individuals, however, raises the question of whether those notifications were comprehensive and timely. The company says it is offering all affected individuals 24 months of complimentary credit monitoring.

ALPHV Ransomware Gang Claimed Prudential Data Breach

Prudential has yet to disclose details about the attackers behind the February intrusion. However, the ALPHV/BlackCat ransomware gang claimed responsibility on February 13. The gang has since disappeared, but not before collecting a $22 million ransom in the Change Healthcare attack and running an exit scam on its own affiliates. The FBI tied ALPHV to over 60 breaches in its first four months of operation, and by September 2023 the group had netted at least $300 million from more than 1,000 victims.

Notably, this is not Prudential's first major data breach. In 2023, a separate attack involving a compromised file transfer tool exposed the Social Security numbers and other sensitive data of over 320,000 customers.

Prudential's revised data breach figures raise critical questions about incident response protocols, data forensics capabilities, and the potential impact on millions of customers. Regulatory bodies could scrutinize Prudential's handling of the situation as the situation evolves.

Synnovis Ransomware Attack: Slow Recovery and Potential Patient Data Breach


The ransomware attack that crippled Synnovis, a key pathology provider for southeast London's NHS Trusts, continues to disrupt critical services nearly a month after the initial attack. While some progress has been made, the slow recovery highlights the fragility of healthcare infrastructure and the potential for wider patient data breaches.

Technical Hurdles Plague Restoration Efforts

The attack that took place on June 3 knocked out most of Synnovis' IT systems, impacting everything from lab analysis equipment to results transmission. With electronic workflows crippled, the lab reverted to manual processes, significantly hindering processing capacity and turnaround times.

The daily blood sampling count in major London hospitals plunged from 10,000 to merely 400 per day after the cyberattack. The biggest challenge that Synnovis is facing is that all its automated end-to-end laboratory processes are offline, since all IT systems have been locked down in response to the ransomware attack.

The ongoing recovery prioritizes critical systems first. New middleware deployed at partner hospitals aims to streamline result reporting, but full restoration remains a distant prospect. Synnovis is collaborating with its parent company, SYNLAB, and the NHS to ensure a secure and phased recovery.

Mutual Aid Boosts Capacity, But Data Breach Looms Large

To address the backlog of critical tests, Synnovis implemented a "Mutual Aid" program across southeast London boroughs, leveraging partner labs within the NHS network. Additionally, SYNLAB is diverting resources from its wider UK and international network to bolster processing capacity.

However, a more concerning development emerged on June 20. The Russia-linked ransomware group Qilin claimed responsibility for the attack and leaked data online. Synnovis later confirmed the published data was stolen from one of its administrative drives.

"This drive held information which supported our corporate and business support activities. Synnovis personnel files and payroll information were not published, but more needs to be done to review other data that has been published relating to our employees." - Synnovis

While a full analysis is ongoing, initial findings suggest the data may contain patient information like full names, NHS numbers, and test codes.

Uncertainties for Synnovis Remain as Investigation Continues

The stolen data appears partial and in a complex format, making analysis and identification of impacted individuals challenging. Synnovis, with assistance from the NCSC and NHS cybersecurity specialists, is investigating the attack's scope and potential data breach. Law enforcement and the Information Commissioner are also kept informed.

Mark Dollar, CEO of Synnovis, acknowledged the disruption and expressed regret for the inconvenience caused.

“We are very aware of the impact and upset this incident is causing to patients, service users and frontline NHS colleagues, and for that I am truly sorry. While progress has been made, there is much yet to do, both on the forensic IT investigation and the technical recovery. We are working as fast as we can and will keep our service users, employees and partners updated.” - Mark Dollar, CEO of Synnovis

However, the timeline for full system restoration and the extent of the potential data breach remain unclear.

The Synnovis attack highlights a broader trend within healthcare IT systems and the potential consequences of third-party cyberattacks. SYNLAB, the parent company of Synnovis, has been targeted by cybercriminals multiple times in the last year. Similar attacks hit their subsidiaries in Italy in April 2024 and a year earlier in France. These incidents underline a concerning rise in third-party vulnerabilities within the healthcare industry.

As Synnovis grapples with recovery, the cybersecurity community awaits further details on the data breach and its potential impact on patients.

Chrome to ‘Distrust’ Entrust Certificates: Major Shakeup for Website Security


Google's Chrome browser is making a significant security move by distrusting certificates issued by Entrust, a prominent Certificate Authority (CA), beginning late 2024. This decision throws a wrench into the operations of numerous websites, including those of major organizations such as Bank of America, ESPN, and IRS.gov.

Digital certificates (SSL/TLS) play a vital role in securing connections between users and websites. A certificate issued by a trusted CA binds a domain name to a public key, so the browser can verify it is talking to the genuine site and negotiate an encrypted connection that protects data in transit. It does not vouch for the legitimacy of the business behind the site, only for control of the domain (and, for Extended Validation certificates, a vetted organization identity).

However, Chrome is removing Entrust from its list of trusted CAs due to a concerning pattern of "compliance failures, unmet improvement commitments, and the absence of tangible, measurable progress" over the past six years. Entrust's repeated shortcomings in upholding security standards have led Google to lose confidence in their ability to act as a reliable CA.

"It is our opinion that Chrome’s continued trust in Entrust is no longer justified." - Google Chrome

This move also extends to AffirmTrust, a lesser-known CA acquired by Entrust. Certificates from the two account for only a small fraction of the web (0.1%, compared with 49.7% for Let's Encrypt), but the impact is still significant: high-traffic sites such as Bank of America, BookMyShow and ESPN, and government sites such as IRS.gov, use Entrust-issued certificates.

Figure: Bank of America and IRS.gov certificates as displayed in the Chrome Certificate Viewer, showing Entrust as the issuer

What This Means for Users and Website Owners

Starting November 1, 2024, Chrome users encountering websites with distrusted Entrust certificates will be met with a full-page warning proclaiming the site as "not secure."

Sample of how Chrome will display the warning for websites with a certificate from Entrust or AffirmTrust (Source: Google).

This warning applies only to certificates issued after October 31, 2024, which gives websites with existing Entrust certificates a grace period. Because certificates have limited lifespans, however, website owners must move to a different CA before their current certificates expire. Given its market share, Let's Encrypt, a free and trusted option, comes highly recommended.

This shift is crucial for maintaining a secure web environment. When a CA fails to meet expectations, it jeopardizes the entire internet ecosystem. Chrome's decision prioritizes user protection by eliminating trust in potentially compromised certificates.

Website owners using impacted Entrust certificates should act swiftly to switch to a different CA. The Chrome Certificate Viewer can be used to identify certificates issued by Entrust. While this may seem inconvenient, it's necessary to ensure continued user access without security warnings.

Potential Workaround Only on Internal Networks

Large organizations managing internal networks have some leeway. Chrome allows enterprises to bypass these changes by installing the affected certificates as trusted on their local networks. This ensures internal websites using these certificates function normally.
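The rules laid out above (distrusted roots, an issuance cutoff of October 31, 2024, a grace period until expiry for earlier certificates, and a local-trust override for enterprises) can be turned into an inventory check. The following is an added example, not code from the article, from Google or from Entrust: it pulls the organizationName out of a DER-encoded X.509 issuer Name, which is what the Chrome Certificate Viewer shows, and classifies each certificate in a constructed inventory. Matching on the issuer's O= string, using notBefore as the cutoff test, and the hosts, dates and issuer names in the sample data are all assumptions made here for illustration.

```python
"""Triage TLS certificates against the Chrome/Entrust distrust policy.

Added example, not code from the article or from Google/Entrust. Matching
on the issuer O= attribute, the notBefore cutoff test and the sample
inventory are assumptions or constructed data.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# CAs named in the announcement. Matching on O= is a simplification assumed
# here; Chrome keys its decision off the root certificate in the chain.
DISTRUSTED_ORGS = ("Entrust", "AffirmTrust")

# Leaf certificates issued on or before this date keep working until they expire.
CUTOFF = date(2024, 10, 31)

OID_ORGANIZATION_NAME = (2, 5, 4, 10)   # id-at-organizationName


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Read one DER tag-length-value element at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                   # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(payload: bytes) -> tuple[int, ...]:
    """Turn an OBJECT IDENTIFIER payload into its integer arcs."""
    arcs = [payload[0] // 40, payload[0] % 40]
    acc = 0
    for b in payload[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                # last byte of a base-128 arc
            arcs.append(acc)
            acc = 0
    return tuple(arcs)


def issuer_organization(name_der: bytes) -> str | None:
    """Extract organizationName from a DER X.509 Name.

    Name ::= SEQUENCE OF RelativeDistinguishedName
    RDN  ::= SET OF AttributeTypeAndValue (SEQUENCE { type OID, value })
    """
    tag, rdns, _ = _read_tlv(name_der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    pos = 0
    while pos < len(rdns):
        set_tag, rdn, pos = _read_tlv(rdns, pos)
        if set_tag != 0x31:
            raise ValueError("RDN must be a SET")
        inner = 0
        while inner < len(rdn):
            _, atv, inner = _read_tlv(rdn, inner)
            _, oid, p = _read_tlv(atv, 0)
            _, value, _ = _read_tlv(atv, p)
            if _decode_oid(oid) == OID_ORGANIZATION_NAME:
                return value.decode("utf-8")  # UTF8String/PrintableString carry plain text
    return None


def _der(tag: int, payload: bytes) -> bytes:
    """Short-form DER encoder (payload < 128 bytes), used only to build sample data."""
    assert len(payload) < 128
    return bytes([tag, len(payload)]) + payload


def sample_issuer(org: str, cn: str) -> bytes:
    """Constructed DER Name with O= and CN=, standing in for a certificate's issuer field."""
    def rdn(oid: bytes, text: str) -> bytes:
        return _der(0x31, _der(0x30, _der(0x06, oid) + _der(0x0C, text.encode("utf-8"))))
    return _der(0x30, rdn(b"\x55\x04\x0a", org) + rdn(b"\x55\x04\x03", cn))


@dataclass(frozen=True)
class CertRecord:
    host: str
    issuer_der: bytes   # DER Name taken from the certificate's issuer field
    not_before: date
    not_after: date


def chrome_verdict(cert: CertRecord, today: date) -> str:
    """Classify one certificate: trusted, blocked, expired, or in the grace period."""
    org = issuer_organization(cert.issuer_der) or ""
    if not any(d in org for d in DISTRUSTED_ORGS):
        return "trusted"
    if cert.not_before > CUTOFF:
        return "blocked"                # Chrome shows the full-page "not secure" warning
    if cert.not_after <= today:
        return "expired"
    return f"grace-until-{cert.not_after.isoformat()}"   # works today; replace before expiry


def sample_inventory() -> list[CertRecord]:
    """Constructed inventory; hosts, issuers and dates are made up for illustration."""
    return [
        CertRecord("intranet.example", sample_issuer("Entrust, Inc.", "Example Intermediate"),
                   date(2024, 10, 1), date(2025, 10, 1)),
        CertRecord("shop.example", sample_issuer("AffirmTrust", "Example Intermediate"),
                   date(2024, 11, 5), date(2025, 11, 5)),
        CertRecord("blog.example", sample_issuer("Let's Encrypt", "Example Intermediate"),
                   date(2024, 11, 5), date(2025, 2, 3)),
    ]


def triage(records: list[CertRecord], today_iso: str) -> dict[str, str]:
    """Map each host to its verdict as of the given ISO date."""
    today = date.fromisoformat(today_iso)
    return {r.host: chrome_verdict(r, today) for r in records}


if __name__ == "__main__":
    for host, verdict in triage(sample_inventory(), "2024-11-06").items():
        print(f"{host}: {verdict}")
```

A "grace-until" verdict is the case the article warns about: the site works today but the replacement has to land before that date. The enterprise workaround from the paragraph above does not change these verdicts; it only means a locally installed trust anchor would let internal hosts keep serving a "blocked" certificate, so an internal-only inventory would need a separate column for that.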

The Entrust Controversy: A Deeper Look

Further context emerges from discussions on Mozilla's Bug Tracker (Bug 1890685). It reveals a critical issue – Entrust's failure to revoke a specific set of Extended Validation (EV) TLS certificates issued between March 18 and 21, 2024. This violated their own Certification Practice Statement (CPS).

Entrust opted against revoking the certificates, citing potential customer confusion and denying any security risks. However, this decision sparked outrage. Critics emphasized the importance of proper revocation procedures to uphold trust in the CA system. Entrust's prioritization of customer convenience over security raised concerns about their commitment to strict adherence to security best practices.

A detailed post on Google Groups by Mike Shaver sheds further light on the situation. Shaver expresses doubt in Entrust's ability to comply with WebPKI and Mozilla Root Store Program (MRSP) requirements. Despite attempts to address these concerns, Entrust's handling of certificate revocation, operational accountability, and transparency remain under scrutiny.

Shaver points out Entrust's tendency to prioritize customer convenience over strict adherence to security standards. He also criticizes the lack of detailed information regarding organizational changes and Entrust's failure to meet Mozilla's incident response requirements. Until Entrust demonstrates substantial improvements and transparency, continued trust in their certificates poses a significant risk to the overall web PKI and the security of internet users.

But this is not the end of it. In fact, it is just the tip of the iceberg. Shaver's comments in the forum respond to a host of compliance incidents related to Entrust between March and May. Ben Wilson summarized these recent incidents on a dedicated wiki page.

"In brief, these incidents arose out of certificate mis-issuance due to a misunderstanding of the EV Guidelines, followed by numerous mistakes in incident handling including a deliberate decision to continue mis-issuance," Wilson said.

This is a very serious shortcoming on Entrust's part, considering the stringent norms and root store requirements, he added.

However, Chrome's decision to distrust Entrust certificates sends a strong message – prioritizing user safety requires holding CAs accountable for upholding the highest security standards.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Crypto Scammers Hijack Channel 7 News Australia’s YouTube Account, Use Elon Musk Deepfake to Ask for Crypto Investment


Crypto scammers hijacked Channel 7 News Australia's YouTube account to run a live stream of an Elon Musk deepfake on loop. The AI-generated version of the business tycoon was seen luring users to scan a QR code and invest in a money-doubling scheme through cryptocurrency. The news and media company is investigating claims even as traces of account takeover persist at the time this article was published.

Crypto Scammers Shift to Deepfake Deployment

Crypto scammers hijacking social media accounts of popular brands and celebrities on platforms like YouTube and X is not a novel thing. But what transpired on Thursday could very well be a snippet of things to come as we move towards the Age of AI.

Crypto scammers first took over the YouTube account of Channel 7 News and modified it to masquerade as the official Tesla channel.

Screenshot of Channel 7 News' hijacked YouTube account (Source: Reddit).

After making aesthetic changes to the YouTube account, the crypto scammers replaced the videos in the channel with a deepfake live stream of Tesla chief Elon Musk. The AI-generated Musk was seen encouraging viewers to scan a QR code and invest in cryptocurrency.

Musk's deepfake asking users to scan or regret (Source: Reddit).

As per local media, the Musk deepfake said, "All you need to do is scan the QR code on the screen, go to the website and watch your cryptocurrency double. Today's event is a chance for all crypto enthusiasts and users to double their assets."

"This is an opportunity that cannot be missed." - Elon Musk Deepfake

The deepfake video was made so that the AI version of Musk even interacted with the audience, repeating that twice as much would return to investors' wallets.

Channel 7 News has several region- and programming-specific YouTube channels, and most of them appeared to be hijacked at the time of writing, all running the same deepfake live stream on loop. The page is no longer accessible via direct links from the company website, but as pointed out by a Reddit user, if you reach the YouTube channel via the platform's search, it still displays the changes made by the crypto scammers, namely the Tesla logo seen in the images above.

Experts, Leaders Press for Deep Fake Regulations

Owing to the menace of deepfakes, nearly 1,500 AI and tech experts in February urged global regulation of deepfakes to curb risks like fraud and political disinformation. An open letter recommends that lawmakers criminalize deepfake child pornography, penalize creators and facilitators of harmful deepfakes, and hold software developers accountable.

"The whole deepfake supply chain should be held accountable, just as they are for malware and child pornography." - The Open Letter

Legal experts and technologists have also previously urged the U.S. Congress to regulate the use of deepfake technologies and provide new protections particularly for women and minority communities against the use of digitally manipulated media. Experts warned that the deceptive content is already affecting national security, personal privacy and public trust.

More than $250M Seized in Global Online Scam Crackdown


A coordinated international police operation led by Interpol has resulted in the disruption of global online scam networks that carried out phishing, investment fraud, romance and impersonation scams and operated fake online shopping sites. The global operation, codenamed “First Light,” led to the seizure of assets amounting to $257 million and froze more than 6,700 bank accounts linked to the online scam syndicates. Under the banner of Operation First Light 2024, the police also arrested a total of 3,950 suspects and identified another 14,643 as likely members of the global online scam syndicates.

“By confiscating such large amounts of money, and disrupting the networks behind them, we not only safeguard our communities but also deal a significant blow to the transnational organized crime groups that pose such a serious threat to global security.” - Director of Interpol’s Financial Crime and Anti-Corruption Centre (IFCACC), Dr Isaac Kehinde Oginni

Global Online Scam Crackdown Impact

The impact of this police operation against global online scams is “more than just numbers – they represent lives protected, crimes prevented, and a healthier global economy worldwide,” Oginni said. Interpol’s Global Rapid Intervention of Payments (I-GRIP) mechanism traced and intercepted the illicit proceeds from online scams across borders, in both fiat currency ($135 million) and cryptocurrency ($2 million).

An example of this interception was a business email compromise fraud in which a Spanish citizen unwittingly transferred $331,000 to Hong Kong, China, Interpol said. In another case, the Australian authorities recovered AU$5.5 million (approximately $3.7 million) for an impersonation scam victim after the online scammers had fraudulently transferred the funds to bank accounts in Malaysia and Hong Kong.

The global nature of online scams was underscored by the operation’s diverse participants. From rescuing 88 young people forced to work in a Namibian scam ring to preventing a tech support scam targeting a senior citizen in Singapore, Operation First Light 2024 showcased the importance of international cooperation.

First Light operations have been coordinated since 2014 and are designed to fight social engineering and telecom fraud. The operation is funded by China’s Ministry of Public Security and coordinated by Interpol.

Operation First Light conclusion meeting in Tianjin, China (Source: Interpol).

In 2022, First Light saw a coordinated effort between law enforcement agencies of 76 countries that resulted in the seizure of $50 million worth of illicit funds defrauded from more than 24,000 victims.

“The world is grappling with the severe challenges of social engineering fraud, and organized crime groups are operating from Southeast Asia to the Middle East and Africa, with victims on every continent,” Oginni said.

“No country is immune to this type of crime, and combating it requires very strong international cooperation.” - Dr Isaac Kehinde Oginni

Investment and Phishing Scams Top Threats to U.S.

According to the FBI's Internet Crime Complaint Center (IC3) report, investment scams led to the highest reported losses in the United States last year. Totaling $4.57 billion, investment scams saw a 38% increase from 2022. Crypto-investment fraud also rose 53% to $3.94 billion. Scammers mainly targeted individuals aged 30-49 in these scam types. Phishing schemes, on the other hand, were the most reported crime in 2023, with over 298,000 complaints, comprising 34% of all complaints received. In the FBI San Francisco division, there were 364 complaints with nearly $1.5 million in losses. Santa Clara County had the most complaints, while Alameda County had the highest losses at $500,000.

OpenAI’s ChatGPT ‘Voice Mode’ Doesn’t Meet Safety Standards; Rollout Pushed to July


Experts are raising eyebrows after OpenAI announced a one-month delay in the rollout of its highly anticipated “Voice Mode” feature for ChatGPT, citing safety concerns. The company said it needs more time to ensure the model can “detect and refuse certain content.”

“We’re improving the model’s ability to detect and refuse certain content. We’re also working on enhancing the user experience and scaling our infrastructure to support millions of users while maintaining real-time responses.” - OpenAI

The stalling of the rollout comes a month after OpenAI announced a new safety and security committee that would oversee issues related to the company’s future projects and operations. It is unclear if this postponement was suggested by the committee or by internal stakeholders.

Features of ChatGPT’s ‘Voice Mode’

OpenAI unveiled its GPT-4o system in May, boasting significant advancements in human-computer interaction. “GPT-4o (‘o’ for ‘omni’) is a step towards much more natural human-computer interaction,” OpenAI said at the time. The omni model can respond to audio inputs in an average of 320 milliseconds, which is similar to the response time of humans.

Other salient features of the “Voice Mode” promise real-time conversations with human-like emotional responses, but this also raises concerns about potential manipulation and the spread of misinformation. The May announcement gave a glimpse of the model’s ability to understand nuances like tone, non-verbal cues and background noise, further blurring the lines between human and machine interaction.

While OpenAI plans an alpha release for a limited group of paid subscribers in July, the broader rollout remains uncertain. The company emphasizes its commitment to a “high safety and reliability” standard, but the exact timeline for wider access hinges on user feedback.

The ‘Sky’ of Controversy Surrounding ‘Voice Mode’

The rollout delay of the “Voice Mode” feature of ChatGPT follows the controversy sparked by actress Scarlett Johansson, who accused OpenAI of using her voice without permission in demonstrations of the technology. OpenAI refuted the claim, stating that the controversial voice of “Sky” - one of the five voices that Voice Mode offers for responses – belonged to a voice artist and not Johansson. The company said an internal team reviewed the voices it received from over 400 artists, from a product and research perspective, and after careful consideration zeroed in on five of them, namely Breeze, Cove, Ember, Juniper and Sky. OpenAI, however, did confirm that its top boss Sam Altman reached out to Johansson to integrate her voice.

“On September 11, 2023, Sam spoke with Ms. Johansson and her team to discuss her potential involvement as a sixth voice actor for ChatGPT, along with the other five voices, including Sky. She politely declined the opportunity one week later through her agent.” - OpenAI

Altman made a last attempt to onboard the Hollywood star this May, when he again contacted her team to inform them of the launch of GPT-4o and asked if she might reconsider joining as a future additional voice in ChatGPT. Instead, with the demo version of Sky having aired, Johansson threatened to sue the company for “stealing” her voice. Owing to the pressure from her lawyers, OpenAI has withheld the Sky voice since May 19.

“The voice of Sky is not Scarlett Johansson's, and it was never intended to resemble hers. We cast the voice actor behind Sky’s voice before any outreach to Ms. Johansson. Out of respect for Ms. Johansson, we have paused using Sky’s voice in our products. We are sorry to Ms. Johansson that we didn’t communicate better.” – Sam Altman

Although the issue seems to have been resolved for the time being, this duel between Johansson and Altman brought to the fore the ethical considerations surrounding deepfakes and synthetic media.

Likely Delays in Apple AI and OpenAI Partnership Too

If the technical issues and the Sky voice mode controversy weren’t enough, Apple’s recent brush with EU regulators adds another layer of complication to OpenAI’s woes and casts a shadow over the future of ChatGPT integration into Apple devices. Announced earlier this month, the partnership aimed to leverage OpenAI's technology in the Cupertino tech giant’s “Apple Intelligence” system. However, with Apple facing potential regulatory roadblocks under the EU’s Digital Markets Act (DMA), the integration’s fate remains unclear.

This confluence of factors – safety concerns, potential for misuse, and regulatory hurdles – paints a complex picture for OpenAI's “Voice Mode.” The cybersecurity and regulatory industry will undoubtedly be watching closely as the technology evolves, with a keen eye on potential security vulnerabilities and the implications for responsible AI development.

Russian Man Indicted for Cyberattacks Targeting Ukraine with WhisperGate Malware Ahead of 2022 Invasion


A U.S. grand jury has indicted a Russian citizen, Amin Timovich Stigal, for allegedly conspiring with Russia's military intelligence agency (GRU) to launch cyberattacks crippling Ukrainian government systems and data ahead of Russia's full-scale invasion in February 2022.

The indictment, unsealed yesterday in Maryland, sheds light on a coordinated effort to disrupt critical Ukrainian infrastructure and sow panic among the population.

“As alleged, the defendant conspired with Russian military intelligence on the eve of Russia’s unjust and unprovoked invasion of Ukraine to launch cyberattacks targeting the Ukrainian government and later targeting its allies, including the United States.” - Attorney General Merrick B. Garland

Attacker Aimed for 'Complete Destruction' in Cyberattacks Targeting Ukraine

Stigal, 22, who remains at large, was charged for his alleged role in using a deceptive malware strain called "WhisperGate" to infiltrate dozens of Ukrainian government networks, including ministries, state services, and critical infrastructure entities. Disguised as ransomware, WhisperGate reportedly went beyond data encryption, aiming for complete destruction of targeted systems and data.

The attacks coincided with the defacement of Ukrainian websites displaying threatening messages designed to intimidate the public. Sensitive data, including patient health records, was exfiltrated and offered for sale online, further amplifying the chaos.

U.S. Critical Infrastructure Targeted Too

But the malicious campaign wasn't limited to cyberattacks targeting Ukraine. The indictment broadens the scope beyond Ukraine, revealing attempts to probe U.S. government networks in Maryland using similar tactics.

“These GRU actors are known to have targeted U.S. critical infrastructure. During these malicious cyber activities, GRU actors launched efforts to scan for vulnerabilities, map networks, and identify potential website vulnerabilities in U.S.-based critical infrastructure – particularly the energy, government, and aerospace sectors.” - Rewards for Justice

The scope of the malicious campaign highlights the potential wide-ranging objectives of the GRU cyber campaign and the ongoing threat posed by nation-state actors.

Reward Offered for Info Leading to Capture

The Justice Department emphasized its commitment to holding accountable those responsible for Russia's malicious cyber activity. The indictment carries a maximum sentence of five years, but international cooperation remains crucial to apprehend Stigal.

The U.S. Department of State's Rewards for Justice program is offering a significant reward – up to $10 million – for information leading to Stigal's capture or the disruption of his cyber operations. This substantial reward underscores the seriousness of the charges and the international effort to dismantle Russia's cyber warfare apparatus.

This case serves as a stark reminder of the evolving cyber threat landscape. The destructive capabilities of malware like WhisperGate, coupled with the targeting of critical infrastructure, necessitate vigilance and collaboration between governments and security professionals to defend against nation-state cyberattacks.

“Malicious cyber actors who attack our allies should know that we will pursue them to the full extent of the law,” said Erek L. Barron, U.S. Attorney for the District of Maryland. “Cyber intrusion schemes such as the one alleged threaten our national security, and we will use all the technologies and investigative measures at our disposal to disrupt and track down these cybercriminals.”

Who is Amin Stigal?

The U.S. linked 22-year-old Amin Stigal to the Russian GRU and named him for his involvement in the WhisperGate malware operations. But who is Amin Stigal, and what is the extent of his involvement?

Amin Stigal (Source: Rewards for Justice).

The U.S. authorities, along with the $10 million bounty, released scarce but very important details on Stigal's cyber trail - his aliases, or the threat group names with which he is affiliated. The Cyber Express did an open-source intelligence (OSINT) study on these aliases and found the following details on Amin Stigal's cyber activities:

DEV-0586/Cadet Blizzard

Microsoft first tracked this threat actor as DEV-0586 and observed its destructive malware targeting Ukrainian organizations in January 2022. The tech giant later in April 2023 shifted to a new threat actor-naming taxonomy and thus named the TA "Cadet Blizzard." Cadet Blizzard has been operational since at least 2020 and has initiated a wave of destructive wiper attacks against Ukraine in the lead up to Russia's February 2022 invasion of Ukraine. Specifically, it created and developed WhisperGate, a wiper that deletes the master boot record, Microsoft said.

EMBER BEAR

CrowdStrike tracked this threat actor as EMBER BEAR (aka Lorec Bear, Bleeding Bear, Saint Bear) and linked it to an adversary group that has operated against government and military organizations in eastern Europe since early 2021. The likely motive of this TA is to collect intelligence from target networks, the cybersecurity firm said. EMBER BEAR primarily weaponized the access and data obtained during their intrusions to support information operations (IO), according to CrowdStrike. Their aim in employing this tactic was to create public mistrust in targeted institutions and degrade the respective governments' ability to counter Russian cyber operations.

UAC-0056

The Computer Emergency Response Team of Ukraine tracked this Russian-linked threat actor/group as UAC-0056 and observed its malicious campaigns targeting Ukraine through phishing campaigns in July 2022. In the discovered attack, threat actors sought to disrupt the integrity and availability of government websites by exploiting several backdoors and deploying Cobalt Strike Beacon malware. The threat actors communicated with the web shell using IP addresses, including those belonging to neighboring devices of other hacked organizations due to their previous account abuse and additional VPN connection to the corresponding organizations. The hackers also applied other malware samples in this campaign including the GOST (Go Simple Tunnel) and Ngrok utilities, to deploy the HoaxPen backdoor.

What is WhisperGate Malware?

WhisperGate is a destructive malware that is designed to look like ransomware, but it is not. Unlike ransomware, which encrypts data and demands a ransom for decryption, WhisperGate aimed to completely destroy data, rendering the infected systems inoperable. It first targeted Ukrainian organizations in January 2022 and has since remained on the list of top malware variants used to target Kyiv.

Key Points on WhisperGate:

  • Multi-stage Attack: It operated in stages, with the first stage overwriting the Master Boot Record (MBR) to prevent the system from booting normally and displaying a fake ransom note.
  • Data Wiping: The MBR overwrite made data recovery nearly impossible.
  • Motive: Experts believe the goal was data destruction, not financial gain, due to the lack of a real decryption method.
  • Deployment: The malware resided in common directories like C:\PerfLogs and used a publicly available tool called Impacket to spread laterally within networks.
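The deployment detail in the last bullet (payload staged in C:\PerfLogs, lateral movement with Impacket) is the kind of thing a defender can hunt for in process-creation telemetry. The following is an added detection example, not code from the article, from any vendor or from the indictment: it runs two rules over constructed Sysmon-style log lines. The log format, field names, hostnames and sample events are made up for illustration; the C:\PerfLogs directory comes from the article, and the Impacket wmiexec command-line shape (cmd.exe output redirected to the ADMIN$ share of 127.0.0.1) is a widely documented artifact assumed here rather than something the article states.

```python
"""Flag process-creation events consistent with the WhisperGate deployment described above.

Added defensive example, not code from the article or any vendor. The log
format, field names and sample events are constructed; C:\\PerfLogs comes from
the article, the wmiexec command-line shape is a documented Impacket artifact
assumed here.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Directories that normally hold no executables; the article names C:\PerfLogs
# as the malware's staging location.
SUSPICIOUS_EXEC_DIRS = ("c:\\perflogs\\",)

# Impacket's wmiexec runs commands through cmd.exe and redirects their output to
# the ADMIN$ share of the loopback address so it can collect the result over SMB.
WMIEXEC_PATTERN = re.compile(
    r"cmd\.exe\s+/Q\s+/c\s+.*?1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+", re.IGNORECASE
)


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    image: str          # full path of the created process
    command_line: str
    parent_image: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed 'key=value|key=value' process-creation log line."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ProcessEvent(fields["host"], fields["user"], fields["image"],
                        fields["cmd"], fields["parent"])


def findings_for(event: ProcessEvent) -> list[str]:
    """Return the rule names that fire for one event (empty list means nothing fired)."""
    hits: list[str] = []
    if any(event.image.lower().startswith(d) for d in SUSPICIOUS_EXEC_DIRS):
        hits.append("exec-from-perflogs")
    if WMIEXEC_PATTERN.search(event.command_line):
        hits.append("impacket-wmiexec-cmdline")
        # wmiexec's command is spawned by the WMI provider host; the redirect
        # plus this parent is a stronger signal than either observation alone.
        if "wmiprvse.exe" in event.parent_image.lower():
            hits.append("lateral-movement-via-wmi")
    return hits


# Constructed sample telemetry (not real incident data).
SAMPLE_LOG = """\
host=fs01|user=CORP\\svc_backup|image=C:\\Windows\\System32\\cmd.exe|cmd=cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1642123456.12 2>&1|parent=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe
host=fs01|user=CORP\\svc_backup|image=C:\\PerfLogs\\stage1.exe|cmd=C:\\PerfLogs\\stage1.exe|parent=C:\\Windows\\System32\\cmd.exe
host=ws22|user=CORP\\alice|image=C:\\Program Files\\Mozilla Firefox\\firefox.exe|cmd="C:\\Program Files\\Mozilla Firefox\\firefox.exe"|parent=C:\\Windows\\explorer.exe
"""


def triage(log_text: str) -> list[tuple[str, list[str]]]:
    """Return (image, rules) for every event that triggered at least one rule."""
    results: list[tuple[str, list[str]]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        hits = findings_for(event)
        if hits:
            results.append((event.image, hits))
    return results


if __name__ == "__main__":
    for image, rules in triage(SAMPLE_LOG):
        print(f"{image}: {', '.join(rules)}")
```

The first rule is deliberately narrow: executables launching from a log directory should be rare enough on a managed host to be worth a ticket on their own, and the second rule pairs the command-line artifact with its expected parent so that a lone match on a redirect does not page anyone.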

California Privacy Watchdog Inks Deal with French Counterpart to Strengthen Data Privacy Protections


In a significant move to bolster data privacy protections, the California Privacy Protection Agency (CPPA) inked a new partnership with France’s Commission Nationale de l'Informatique et des Libertés (CNIL). The collaboration aims to conduct joint research on data privacy issues and share investigative findings that will enhance the capabilities of both organizations in safeguarding personal data.

The partnership between CPPA and CNIL shows the growing emphasis on international collaboration in data privacy protection. Both California and France, along with the broader European Union (EU) through its General Data Protection Regulation (GDPR), recognize that effective data privacy measures require global cooperation. France’s membership in the EU brings additional regulatory weight to this partnership and highlights the necessity of cross-border collaboration to tackle the complex challenges of data protection in an interconnected world.

What the CPPA-CNIL Data Privacy Protections Deal Means

The CPPA on Tuesday outlined the goals of the partnership, stating, “This declaration establishes a general framework of cooperation to facilitate joint internal research and education related to new technologies and data protection issues, share best practices, and convene periodic meetings.” The strengthened framework is designed to enable both agencies to stay ahead of emerging threats and innovations in data privacy.

Michael Macko, the deputy director of enforcement at the CPPA, said there were practical benefits of this collaboration. “Privacy rights are a commercial reality in our global economy,” Macko said. “We’re going to learn as much as we can from each other to advance our enforcement priorities.” This mutual learning approach aims to enhance the enforcement capabilities of both agencies, ensuring they can better protect consumers’ data in an ever-evolving digital landscape.

CPPA’s Collaborative Approach

The partnership with CNIL is not the CPPA’s first foray into international cooperation. The California agency also collaborates with three other major international organizations: the Asia Pacific Privacy Authorities (APPA), the Global Privacy Assembly, and the Global Privacy Enforcement Network (GPEN). These collaborations help create a robust network of privacy regulators working together to uphold high standards of data protection worldwide.

The CPPA was established following the implementation of California's groundbreaking consumer privacy law, the California Consumer Privacy Act (CCPA). As the first comprehensive consumer privacy law in the United States, the CCPA set a precedent for other states and countries looking to enhance their data protection frameworks. The CPPA’s role as an independent data protection authority mirrors that of the CNIL - France’s first independent data protection agency – which highlights the pioneering efforts of both regions in the field of data privacy.

By combining their resources and expertise, the CPPA and CNIL aim to tackle a range of data privacy issues, from the implications of new technologies to the enforcement of data protection laws. This partnership is expected to lead to the development of innovative solutions and best practices that can be shared with other regulatory bodies around the world. As more organizations and governments recognize the importance of safeguarding personal data, the need for robust and cooperative frameworks becomes increasingly clear. The CPPA-CNIL partnership serves as a model for other regions looking to strengthen their data privacy measures through international collaboration.

CISA: Hackers Breached Chemical Facilities’ Data in January


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed on Monday that a cyberattack in January may have compromised sensitive information related to the nation's chemical facilities. Initially reported in March, the attack exploited a vulnerability in Ivanti products, leading to the temporary shutdown of two systems.

In an advisory this week, CISA detailed that the Chemical Security Assessment Tool (CSAT) was specifically targeted by the cyber intrusion, which occurred between January 23 and 26. CSAT contains highly sensitive industrial data, and while all information was encrypted, CISA warned affected participants of the potential for unauthorized access.

Potential Data Compromised in Chemical Facilities' Targeting

CISA's investigation found no direct evidence of data exfiltration but indicated that the hackers might have accessed critical information such as site security plans, security vulnerability assessments (SVAs), and user accounts within CSAT. Additionally, "Top-Screen surveys," which detail the types and quantities of chemicals, their properties, and storage methods at facilities, might have been exposed. High-risk chemical facilities are mandated to submit SVAs outlining their critical assets, cyber and physical security policies, and an analysis of potential vulnerabilities. Other compromised documents could include details on cybersecurity measures, alarms and physical barriers in place at these facilities.

CISA's Response and Recommendations

CISA has informed participants in the Chemical Facility Anti-Terrorism Standards (CFATS) program about the potential data exposure. Although no credentials were confirmed to be stolen, CISA advises those with CSAT accounts to reset any identical business or personal passwords. It also recommends that organizations using Ivanti products review a February advisory about recent vulnerabilities. The agency cannot directly notify individuals submitted for terrorist vetting under the CFATS Personnel Surety Program because it did not collect their contact information. However, identity protection services will be offered to those affected, specifically those vetted between December 2015 and July 2023.

Investigation Findings

The breach was detected on January 26, when CISA discovered hackers installing tools on an Ivanti device. Further investigation revealed multiple accesses to the system over two days. Various departments within CISA and the Department of Homeland Security (DHS) were involved in the investigation, which confirmed no hacker access beyond the initial Ivanti device. Despite the absence of evidence for data exfiltration, the potential risk to numerous individuals and organizations categorized this intrusion as a "major incident" under the Federal Information Security Modernization Act (FISMA).

CISA is setting up a call center to assist impacted individuals, although it is not yet operational. The agency did not comment on the perpetrators of the attack, but since 2020, CISA has cautioned organizations about state-sponsored hackers, including those linked to China, exploiting vulnerabilities in Ivanti products.

Experts Say More Transparency Required

Roger Grimes, a data-driven defense evangelist at KnowBe4, lauded CISA's intent and the fact that it publicly accepted the hack but said a bit more transparency would have done no harm.

"I'm a big fan of CISA. I think they do wonderful work. Still, it would be useful to have better, full transparency," Grimes told The Cyber Express. "Was their Ivanti device exploited by an unpatched, but known vulnerability, or exploited by a 0-day? If they were exploited by a known vulnerability where a patch was available, which is more likely, why wasn't the patch installed? Was it simply due to the fact that the exploit happened faster than the patch could be applied? Was the patch missed? If the patch was missed, why? Or was it a 0-day, misconfiguration, or credential compromise?"

"This is not to embarrass CISA, but to learn why one of the best, most aggressive patch-pushing, cyber-defending organizations in the world got compromised," Grimes added. "Sharing what happened and why can help other organizations facing similar problems and challenges learn lessons.

"CISA is always pushing for other industries and vendors to be more transparent about their compromises so that we can all learn from the lessons and mistakes. I expect CISA to do the same and even lead by example when it's their infrastructure involved."

With U.S. Plea Deal, WikiLeaks Founder Assange is Free after 14-Year Legal Battle

After a 14-year legal battle, WikiLeaks founder Julian Assange walked out of the United Kingdom’s Belmarsh prison Monday morning, where he agreed to a plea deal with the United States. According to court documents, Assange agreed to plead guilty to a single charge of conspiracy to obtain and disclose national defense information, which violates espionage law in the United States. The sole charge carries a sentence of 62 months in prison, but under the plea deal the time he has already served in the UK prison — a little over 62 months — will be counted as time served. Thus, Assange will not be required to spend any more time behind bars in the U.S., the UK or anywhere else.

WikiLeaks and Human Rights Groups Celebrate Assange's Release

In a statement on platform X, WikiLeaks wrote, “Julian Assange is free.”
“He left Belmarsh maximum security prison on the morning of 24 June, after having spent 1901 days there. He was granted bail by the High Court in London and was released at Stansted airport during the afternoon, where he boarded a plane and departed the UK.” – WikiLeaks
Assange is being flown to Saipan, the capital of the Northern Mariana Islands and a U.S. commonwealth in the Western Pacific Ocean. The formal hearing and sentencing are set to take place in the U.S. District Court for the Northern Mariana Islands at 9 a.m. local time Wednesday. Assange was reluctant to fly to the mainland U.S., prosecutors said, so Saipan was chosen as an alternative because of its proximity to Australia. If the guilty plea is approved by the judge – as is expected – the WikiLeaks founder will head to Australia after the sentencing. Human rights organization Amnesty International’s Secretary General, Agnès Callamard, welcomed the “positive news.”
“We firmly believe that Julian Assange should never have been imprisoned in the first place and have continuously called for charges to be dropped.” - Amnesty International’s Secretary General, Agnès Callamard
“The years-long global spectacle of the US authorities hell-bent on violating press freedom and freedom of expression by making an example of Assange for exposing alleged war crimes committed by the USA has undoubtedly done historic damage,” Callamard said. “Amnesty International salutes the work of Julian Assange’s family, campaigners, lawyers, press freedom organizations and many within the media community and beyond who have stood by him and the fundamental principles that should govern society’s right and access to information and justice.” The Mexican President, Andrés Manuel, expressed a similar sentiment and said:
“I celebrate the release of Julian Assange from prison. At least in this case, the Statue of Liberty did not remain an empty symbol; She is alive and happy like millions in the world.”

Brief Timeline of Julian Assange Espionage Case

Julian Assange, the founder and Editor-in-Chief of WikiLeaks, gained prominence after the site published more than 90,000 classified U.S. military documents on the Afghanistan war and about 400,000 classified U.S. documents on the Iraq war. After the release of these documents via WikiLeaks, Assange was indicted by the U.S. on 18 counts, including 17 espionage charges under the 1917 Espionage Act and one for computer misuse, where he allegedly gained unauthorized access to a government computer system of a NATO country. In 2012, Assange communicated directly with a leader of the hacking group LulzSec (who by then was cooperating with the FBI), and provided a list of targets for LulzSec to hack, the indictment said. With respect to one target, Assange asked the LulzSec leader to look for (and provide to WikiLeaks) mail and documents, databases and PDFs. In another communication, Assange told the LulzSec leader that the most impactful release of hacked materials would be from the CIA, NSA, or the New York Times. WikiLeaks obtained and published emails from a data breach committed against an American intelligence consulting company by an “Anonymous” and LulzSec-affiliated hacker. According to that hacker, Assange indirectly asked him to spam that victim company again. An August 2010 arrest warrant for sexual assault allegations in Sweden was initially dropped but later reopened, leading to an international arrest warrant against him. Assange then sought refuge in the Ecuadorian embassy in London. In 2019, Ecuador revoked his asylum, and he was arrested by London police and sentenced to 50 weeks in prison for breaching bail conditions. Swedish prosecutors dropped their case in 2019 because the passage of time had weakened evidence, but they said they retained confidence in the complainant.

Assange’s Freedom Starts ‘a New Chapter’

Stella Assange, the WikiLeaks founder’s wife, was elated and thanked everyone who stood by her husband. “Throughout the years of Julian’s imprisonment and persecution, an incredible movement has been formed. People from all walks of life from around the world who support not just Julian ... but what Julian stands for: truth and justice,” Stella Assange said. “What starts now with Julian’s freedom is a new chapter.” It remains to be seen whether Assange will return to the helm of WikiLeaks and continue his fight against human rights abuses, but for now he appears eager to reunite with his wife Stella Assange and his children, “who have only known their father from behind bars.” Update* (June 25 1:30 p.m. ET): Added comments from Amnesty International’s Secretary General, Agnès Callamard and President of Mexico, Andrés Manuel.

Synnovis Confirms Data Published by Qilin Ransomware Gang as Legitimate

After the Qilin ransomware gang last week published a subset of data on its leak site as proof of hacking Synnovis’ systems, the London-based pathology services provider has now confirmed the data is legitimate, saying it came from a storage drive used for administrative work and contains fragments of patient-identifiable data. Hackers linked to the Russia-linked Qilin ransomware gang published on Friday around 400 gigabytes of sensitive patient data, which they claimed included names, dates of birth, NHS numbers and descriptions of blood tests stolen from Synnovis’ systems. Following the data leak on the dark web, Synnovis confirmed on Monday that the published data was legitimate but noted it was too early to determine the full extent of the compromised information.
“Last week a group claiming responsibility for the cyberattack published data online. We have now been able to confirm that this data was stolen from Synnovis’ systems.” - Synnovis
An initial review by Synnovis over the weekend found no evidence that the Laboratory Information Management Systems (LIMS) - the primary databases for patient test requests and results - were posted. However, fragments of patient-identifiable data from an administrative working drive have been published, Synnovis said. The payroll information storage area remains unaffected, but a further review of employee-related data that appeared in the dataset published on the dark web is underway. Synnovis emphasized that understanding the compromised administrative working drive is its priority. The company is working alongside technical experts to ascertain more details and address the concerns of service users, employees and partners. The Information Commissioner’s Office (ICO) is investigating the breach, acknowledging the sensitivity of the leaked data and the anxiety it may cause. “While we are continuing to make enquiries into this matter, we recognize the sensitivity of some of the information in question and the worry this may have caused,” the ICO said. The ICO advises concerned individuals to visit its website and NHS England’s site for guidance and support. NHS England continues to collaborate with Synnovis and the National Crime Agency to address the ransomware attack. NHS England acknowledged Synnovis’ initial analysis confirming that the published data originated from its systems. The complex nature of such investigations means it could take weeks to identify all impacted individuals, it said. As the investigation proceeds, NHS England and Synnovis will provide updates and have established a helpline for those affected. Local health systems are working together to manage the impact on patients and have deployed additional resources to ensure urgent blood samples are processed. Laboratories can now also access historical patient records, which aids continuity of care, NHS England said.
The cyberattack has significantly delayed blood tests, with some media reports stating that NHS patients could wait up to six months for sample collection. Earlier, Synnovis said the ransomware attack had cut the daily blood sampling count in major London hospitals from 10,000 to merely 400 per day. The Guardian cited a letter from the impacted hospital telling one patient:
“Sadly it appears it may be three to six months before bloods can be taken again. You will be put on a waiting list and our secretaries will contact you when bloods can be taken again. If you haven’t heard anything in the next four months please feel free to contact us on the details above. I want to apologise for this inconvenience and appreciate this will be frustrating.”
The pathology service provider was processing only “clinically critical” blood samples flagged by clinicians. These delays have prompted some patients to seek faster testing and analysis at private clinics, at significant cost. The impact of the Synnovis ransomware attack is also being felt by NHS Blood and Transplant (NHSBT), which appealed to the public earlier this month to urgently donate O-type blood (positive and negative) across England. The attack significantly disrupted hospitals’ ability to match patients’ blood types, increasing demand for O-positive and O-negative blood donations, which are medically considered safe for all patients.

CDK Global Cyberattack Ripple Effect: Several Car Dealers Report Disruptions

Last week's ransomware attack on software as a service (SaaS) provider CDK Global has had a ripple effect on its customers, as multiple car dealerships serving thousands of locations report disruptions in their filings with the U.S. Securities and Exchange Commission. The CDK ransomware attack has paralyzed thousands of car dealerships across North America, disrupting operations for some of the largest automotive retailers. The attack that began last Tuesday has impacted operations of major players such as Asbury Automotive Group, AutoNation, Group 1 Automotive, Lithia Motors, Penske, Sonic Automotive, and the number is expected to swell even more in coming days.

Systems Shut Down After Attack

CDK Global, a crucial provider of SaaS platforms for dealerships, was forced last week to shut down its systems in response to the cyberattack. "With the work done so far, our core DMS and Digital Retailing solutions have been restored," a spokesperson for CDK Global told The Cyber Express at the time. "We are currently investigating a cyber incident. Erring on the side of caution, we proactively shut all systems down and executed extensive testing." This shutdown has hindered dealerships' ability to manage customer relationships, sales, financing, service, inventory, and back-office operations. CDK Global's systems are vital to over 15,000 car dealerships in North America. They facilitate various operations, including car sales, repairs and registrations. There are only a handful of DMS companies for dealers to choose from. Thus, thousands of dealerships are heavily reliant on CDK’s services to line up financing and insurance, manage inventory of vehicles and parts, and complete sales and repairs.

How CDK Global Cyberattack Impacts Customers

Asbury, AutoNation, Lithia Motors, Sonic Automotive, and Group 1 Automotive have activated their incident response plans and disconnected from CDK systems as a precaution, although no evidence of compromise within their own networks was found. Sonic Automotive mentioned that as of Friday, the extent to which the attackers accessed customer data remains unknown. Lithia Motors highlighted the ongoing negative impact on its operations, indicating uncertainty over whether the incident will materially affect its financial condition. Group 1 Automotive noted that CDK aims to restore the dealer management system within "several days and not weeks," but the financial impact depends on the system's downtime duration. Group 1 owns and operates 202 automotive dealerships, 264 franchises, and 42 collision centers in the United States and the United Kingdom that offer 35 brands of automobiles.

CDK Customers Move to Manual Methods

Penske Automotive reported that the ransomware attack primarily affected its Premier Truck Group, which sells heavy- and medium-duty trucks across 48 locations in the U.S. and Canada. The company has implemented business continuity plans and continues operations using manual and alternate processes designed for such incidents. Penske noted that the truck dealership business that serves business customers has lower unit volumes compared to automotive dealerships. Asbury said business operations are functioning but "slower than normal." It added that the dealerships at Koons Automotive locations in Maryland and Virginia do not use CDK’s Dealer Management System or CDK’s Customer Relationship Management system and therefore continue to operate with minimal interruption, as does Clicklane, their online vehicle purchasing platform. Asbury operates 157 new vehicle dealerships, which includes 206 franchises representing 31 domestic and foreign vehicle brands.

CDK May Pay Ransom

Late on Friday, Bloomberg reported that CDK Global is negotiating with a ransomware gang, which BleepingComputer later confirmed to be BlackSuit, a rebrand of the Royal ransomware group known for last year's attack on the city government of Dallas. Although the ransom amount remains undisclosed, CDK Global reportedly plans to pay, Bloomberg said. CDK Global has issued prerecorded messages to warn customers about hackers posing as CDK staff to gain unauthorized access. Despite making recovery progress last week, CDK faced a second cyber incident that led to a complete shutdown of its systems. The company is working with third-party experts to assess the impact and update its customers regularly. This attack exposes critical vulnerabilities in the automotive industry's supply chain and its reliance on centralized digital platforms.

After Banning Sales of Kaspersky Products, U.S. Sanctions its Top Executives

A day after the Biden administration announced a U.S. ban on the sale of Kaspersky Lab products, the U.S. Treasury Department on Friday sanctioned a dozen top executives and senior leaders at the Russian cybersecurity company. Kaspersky took issue with the Biden administration's moves and said, "The decision does not affect the company’s ability to sell and promote cyber threat intelligence offerings and/or trainings in the U.S." The company said the action will instead benefit cybercriminals by restricting international cooperation between cybersecurity experts. The decision to ban Kaspersky is "based on the present geopolitical climate and theoretical concerns," the company said in a scathing response to the Commerce Department's ban. The sanctions represent the latest in a series of punitive measures against the Russian antivirus company, underscoring growing concerns about cybersecurity and national security risks associated with the firm's operations.

Details of the Kaspersky Sanctions

The Treasury Department’s Office of Foreign Assets Control (OFAC) specifically targeted key individuals within Kaspersky Lab, including the chief operating officer, chief legal officer, chief of human resources, and chief business development and technology officers, among others. (Image: Kaspersky top executives sanctioned. Source: U.S. Department of the Treasury.) The Treasury added all the above individuals to its Specially Designated Nationals (SDN) list, a list maintained by OFAC that publicly identifies persons determined by the U.S. government to be involved in activities that threaten or undermine U.S. foreign policy or national security objectives. Notably, the sanctions did not extend to Kaspersky Lab itself, its parent or subsidiary companies, or its CEO Eugene Kaspersky. The sanctions came just a day after the U.S. Commerce Department issued a final determination to ban Kaspersky Lab from operating in the United States. This ban is rooted in longstanding concerns over national security and the potential risks to critical infrastructure. The Commerce Department also added three Kaspersky divisions to its entity list due to their cooperation with the Russian government in cyber intelligence activities. The U.S. government has been wary of Kaspersky Lab's ties to the Russian government, fearing that its software could be used to facilitate cyber espionage. Bloomberg in 2017 first reported it had seen emails between chief executive Eugene Kaspersky and senior Kaspersky staff outlining a secret cybersecurity project apparently requested by the Russian intelligence service FSB. Kaspersky refuted these claims, calling the allegations "false" and "inaccurate." However, these concerns have led to a broader push to restrict the company's operations within the U.S. and to mitigate any potential threats to national security.

Kaspersky Lab’s Response

Kaspersky Lab has consistently denied any allegations of being influenced or controlled by any government. The company has pledged to explore all legal options in response to the Commerce Department’s ban and the recent sanctions imposed by the Treasury. In a statement, Kaspersky Lab reiterated its commitment to transparency and maintaining the trust of its users worldwide, emphasizing it has never assisted any government in cyber espionage activities. "Kaspersky does not engage in activities which threaten U.S. national security and, in fact, has made significant contributions with its reporting and protection from a variety of threat actors that targeted U.S. interests and allies," it said.
"Kaspersky provides industry-leading products and services to customers around the world to protect them from all types of cyber threats, and has repeatedly demonstrated its independence from any government." - Kaspersky Lab
The antivirus company claimed it has also implemented significant transparency measures that demonstrate its commitment to integrity and trustworthiness. But "the Department of Commerce’s decision unfairly ignores the evidence," Kaspersky said. The company said it also proposed a system in which the security of Kaspersky products could have been independently verified by a trusted third party.
"Kaspersky believes that the Department of Commerce made its decision based on the present geopolitical climate and theoretical concerns, rather than on a comprehensive evaluation of the integrity of Kaspersky’s products and services."
However, Brian Nelson, Treasury’s Undersecretary for Terrorism and Financial Intelligence, stated, “Today’s action against the leadership of Kaspersky Lab underscores our commitment to ensure the integrity of our cyber domain and to protect our citizens against malicious cyber threats. The U.S. will take action where necessary to hold accountable those who would seek to facilitate or otherwise enable these activities.”

Implications and Future Actions

The sanctions against Kaspersky Lab’s leadership signal a broader strategy by the U.S. government to address cybersecurity threats posed by foreign entities. This approach is part of a larger effort to strengthen national security and protect critical infrastructure from potential cyberattacks.

Legal and Business Repercussions

Kaspersky Lab’s legal battles and its efforts to counteract these sanctions will be closely watched. The company's ability to operate in the international market could be significantly affected by these measures, impacting its business operations and customer trust.

Global Cybersecurity Landscape

This development also highlights the ongoing tensions in the global cybersecurity landscape, where national security concerns often intersect with business interests. The actions taken by the U.S. government may set a precedent for how other nations address similar concerns with foreign technology firms. The U.S. Treasury Department's decision to sanction senior leaders at Kaspersky Lab marks a pivotal moment in the ongoing scrutiny of the Russian cybersecurity firm. While Kaspersky Lab denies any wrongdoing and prepares to contest the sanctions legally, the actions taken by the U.S. government underscore a determined effort to mitigate potential cyber threats and protect national security. As the situation unfolds, it will have significant implications for both Kaspersky and the broader cybersecurity environment.

2022 Optus Data Breach Could Have Been Averted Four Years Prior, Says Australian Telecom Watchdog

Optus, one of Australia’s largest telecommunications companies, could have averted the massive 2022 data breach that leaked nearly 9.5 million individuals’ sensitive personal information, the Australian telecom watchdog said. The Australian Communications and Media Authority (ACMA) said in a filing with the Federal Court, “[Optus] cyberattack was not highly sophisticated or one that required advanced skills.” Its investigation attributed the 2022 Optus data breach to an access control coding error that left an API open to abuse. ACMA's investigation details come weeks after the telecom watchdog took legal action against Optus, in the same court, for allegedly failing to protect customer data adequately.

Coding Error and API Mismanagement Led to Optus Data Breach

The ACMA claimed that Optus had access controls in place for the API, but a coding error inadvertently weakened these controls, allowing them to be bypassed. This error left the API vulnerable, especially since it was internet-facing and dormant for an extended period. The vulnerability was reportedly introduced through a coding error in September 2018 and was first noticed in August 2021. But this issue was only fixed for the main site – www.optus.com.au – and not for the subdomain (likely api.www.optus.com.au) where the vulnerable API endpoint was hosted.
“The coding error was not identified by Optus until after the cyberattack had occurred in mid-September 2022. Optus had the opportunity to identify the coding error at several stages in the preceding four years including: when the coding change was released into a production environment in September 2018; when the Target Domain (and the Main Domain) became internet-facing through the production environment in June 2020; and when the coding error was detected for the main domain in August 2021.” – ACMA
But the company failed to do so causing alleged harm to more than one-third (approximately 36%) of the Australian population. The telco watchdog alleged that Optus’ failure to protect customer data constitutes a breach of its obligations under Australian law.

Optus’ Response to ACMA’s Allegations

Optus, in a statement to The Cyber Express, confirmed the vulnerability and provided details on the cyberattack. “The cyberattack resulted from the cyber attacker being able to exploit a previously unknown vulnerability in our defenses that arose from a historical coding error,” said Interim CEO of Optus Michael Venter.
“This vulnerability was exploited by a motivated and determined criminal as they probed our defenses, and then exploited and evaded these defenses by taking steps to bypass various authentication and detection controls that were in place to protect our customers’ data. The criminal did this by mimicking usual customer activity and rotating through tens of thousands of different IP addresses to evade detection.” – Michael Venter, Interim CEO of Optus
Venter said following the 2022 Optus data breach, the company has reviewed and updated its systems and processes. It has invested in heightened cyber defenses to address the increased global cyber risk environment. The company expressed regret over the incident and emphasized its commitment to protecting customer data. “Our customers expected their information would remain safe. We accept that this did not happen, and the cyber attacker gained unauthorised access to some of their information,” Venter said. Optus suffered a major customer data breach in 2022 that gave malicious actors access to about 9.5 million former and current customers' sensitive information including names, birth dates, phone numbers, email addresses and, for a subset of customers (2,470,036), addresses and ID document numbers such as driver’s license or passport numbers. Of these, the hacker also released the personally identifiable information (PII) of 10,200 Optus customers on the dark web.

Deloitte Report Handed to the Federal Court

After the hack, while the privacy commissioner and ACMA held detailed investigations, Optus itself commissioned an independent external review of the cyberattack. Despite attempts to keep the document confidential, the Australian federal court ordered Optus last month to file this report with the court, which is expected to provide crucial insights into the breach. “Optus is working with the ACMA and separately Slater and Gordon with the intention of providing them with a confidential version of the Deloitte Report that appropriately protects our customer data and systems from cybercriminals,” Venter told The Cyber Express. The forensic report prepared by Deloitte detailing the technical aspects of the breach was finally handed over to the federal court on Friday. The details revealed in this report will also be used in a separate class action against Optus.

“Much to do to Fully Regain our Customers’ Trust”

Optus has acknowledged the breach’s impact on customer trust, with Venter expressing deep regret for the incident. Optus has reimbursed 20,071 current and former customers for the cost of replacing identity documents. The company is also covering costs incurred by government agencies related to the breach. Optus has pledged to cooperate with the ACMA’s investigation and defend its actions in court, aiming to correct any misconceptions and improve its cybersecurity measures.
“Optus recognizes that we still have much to do to fully regain our customers’ trust and we will continue to work tirelessly towards this goal.” – Michael Venter
The Optus data breach highlights the critical importance of robust access controls and diligent monitoring of cybersecurity vulnerabilities. The incident serves as a cautionary tale for organizations worldwide to ensure comprehensive protection of sensitive data and maintain customer trust through proactive and transparent security practices. As the case progresses, it will provide further insights into the complexities of cybersecurity in the telecommunications sector and the measures necessary to prevent similar breaches in the future.