Hirsh Industries, a leading manufacturer and supplier of metal filing, storage, and organizational products, has been targeted by the RansomHouse ransomware group. The cyberattack on Hirsh Industries, disclosed by the ransomware group, has raised concerns about the safety of sensitive data and the potential impact on the company's operations.

Hirsh Industries, LLC, known for its metal filing and storage solutions, caters to both personal and commercial needs. With a revenue of $162.1 million, the company holds a significant position in the industry.

Unverified: Cyberattack on Hirsh Industries

While the RansomHouse ransomware group has made the claim, no further details have been disclosed regarding the extent of the data breach or the motives behind the cyberattack. Upon accessing the official website, no signs of foul play were detected, as the website appeared to be fully functional. To validate the Hirsh Industries cyberattack claim, The Cyber Express Team reached out to company officials, but as of writing this report, no official response has been received.

The attack on Hirsh Industries marks yet another addition to the growing list of attacks attributed to the RansomHouse ransomware group.

RansomHouse Previous Attacks

In April 2024, the group targeted Bank Pembangunan Daerah Banten Tbk, a regional development bank in Indonesia. While the full extent of the cyberattack on the bank remains undisclosed, the implications could be significant, given its focus on micro-enterprises and SMEs. Earlier in the same month, Lopesan Hotels fell victim to a RansomHouse attack, with the group claiming to have obtained 650GB of sensitive data, including hotel revenue and employee information. In February, Webber International University and GCA Nederland were targeted by the RansomHouse group, adding to its list of victims on the dark web portal.

The alleged attack on Hirsh Industries by the RansomHouse ransomware group highlights the increasing threat posed by such groups to organizations worldwide. While the authenticity of the claim remains unverified, the incident serves as a wake-up call for businesses to bolster their cybersecurity defenses.

With Hirsh Industries being a significant player in the industry, the implications of the cyberattack, if proven true, could be far-reaching. The compromise of sensitive data could not only affect the company's operations but also raise concerns among its clients and partners. Additionally, the potential financial losses and reputational damage could be substantial. As investigations into the Hirsh Industries cyberattack continue, stakeholders await an official response from the company regarding the breach and its impact. Meanwhile, businesses are urged to prioritize cybersecurity measures to mitigate the risk of falling victim to ransomware attacks.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
The founders and CEO of Samourai Wallet, Keonne Rodriguez and William Lonergan Hill, have been apprehended and charged with serious offenses related to money laundering and unlicensed money transmitting. The money laundering charges stem from the alleged operation of Samourai Wallet as an unlicensed money-transmitting business, facilitating over $2 billion in illicit transactions and laundering more than $100 million in criminal proceeds.

Previously, Samourai Wallet was a prominent mobile Bitcoin wallet prioritizing user privacy and security. The app was a popular choice among crypto users for its alignment with Bitcoin's core principles of decentralization, financial privacy, transparency, security, and fungibility.

Samourai Wallet Operator Arrest and Assets Seized

[Image: Source: justice.gov]

The announcement of the Samourai Wallet operator arrest was made jointly by Damian Williams, the United States Attorney for the Southern District of New York; Thomas Fattorusso, the Special Agent in Charge of the New York Field Office of the Internal Revenue Service, Criminal Investigation (IRS-CI); and James Smith, the Assistant Director in Charge of the New York Field Office of the Federal Bureau of Investigation (FBI).

According to the indictment, Rodriguez and Hill were actively involved in developing, marketing, and operating the Samourai Wallet, which served as a conduit for illegal financial activities, including transactions originating from notorious dark web markets like Silk Road and Hydra Market. Rodriguez was arrested in Pennsylvania, while Hill was apprehended in Portugal based on the charges filed in the United States. Efforts are underway to extradite Hill to face trial in the U.S. District Court. The case has been assigned to U.S. District Judge Richard M. Berman.

Rodriguez, 35, of Harmony, Pennsylvania, and Hill, 65, were charged with conspiracy to commit money laundering and conspiracy to operate an unlicensed money-transmitting business, carrying maximum sentences of 20 years and five years in prison, respectively.

The Crackdown on Samourai Wallet Operators

The crackdown on Samourai Wallet extends beyond the arrests of its operators. In collaboration with authorities in Iceland, the web servers and domain associated with Samourai Wallet were seized, along with a seizure warrant served on the Google Play Store, preventing further downloads of the Samourai mobile application in the United States.

U.S. Attorney Damian Williams emphasized the gravity of the allegations, stating that Rodriguez and Hill knowingly facilitated large-scale money laundering through Samourai Wallet, providing criminals with a platform to conceal the origins of illicit funds. "Rodriguez and Hill allegedly knowingly facilitated the laundering of over $100 million of criminal proceeds from the Silk Road, Hydra Market, and a host of other computer hacking and fraud campaigns. Together with our law enforcement partners, we will continue to relentlessly pursue and dismantle criminal organizations that use cryptocurrency to hide illicit conduct," said Williams.

According to the indictment, Rodriguez and Hill began developing the Samourai Wallet around 2015, offering users a mobile application for managing their cryptocurrency assets. The application, downloaded over 100,000 times, allowed users to store their private keys while employing centralized servers to facilitate transactions. Samourai Wallet offered features such as "Whirlpool," a cryptocurrency mixing service, and "Ricochet," which added unnecessary intermediate transactions to obscure the source of funds.

The indictment further alleges that Rodriguez and Hill actively promoted the Samourai Wallet as a tool for criminals to evade detection and launder money. Social media posts and marketing materials indicated their awareness of the illicit use of their platform, with references to servicing individuals engaged in criminal activities.
The South Korean National Police Agency warned on Tuesday of a targeted campaign by North Korean hacker groups aimed at stealing the country's defense technology. The announcement disclosed multiple successful breaches by the hacking groups Lazarus, Andariel, and Kimsuky, all of which are linked to Pyongyang's stealthy hacking cartel. Exploiting vulnerabilities in both primary targets and their subcontractors, these groups planted malware capable of siphoning off valuable technological data.

North Korean hacker groups directly infiltrated defense industry companies, hacked their partners with relatively weak security, stole the companies' server account information, and then infiltrated major servers with malware, the police announcement said.

The findings came from a joint operation by the National Police Agency and the Defense Acquisition Program Administration, which unearthed a series of compromises dating back to late 2022. Many affected companies were unaware of the breaches until authorities intervened.

North Korean hackers have a common goal of stealing defense technology and are conducting an all-out attack by deploying multiple hacking groups in this campaign, making their attack methods more elaborate and diverse, the police agency said.

North Korean Hacker Groups Use Diverse Tactics

The police report delineates three distinct cases, each illustrating the diverse tactics employed by the hacking groups to pilfer defense-related technology.

In one instance, the Lazarus hackers breached a defense company's networks in November 2022 by exploiting loopholes in its network management. They targeted an external network server, infected it with malware, and leveraged an open port meant for testing to infiltrate the internal network. This allowed them access to sensitive data stored on employee computers, which they then exfiltrated to an overseas cloud server. The breach affected six computers, and evidence of the data leak was identified through analysis of both the victim company's systems and the overseas servers.

[Image: Lazarus hacker group's attack chain. Credit: National Police Agency of South Korea]

In the second case, the Andariel hacker group gained access to defense industry data by compromising an employee account, which maintained servers for a defense industry partner. By injecting malicious code into the partner's servers around October 2022, they were able to extract and leak stored defense technology data. This breach exploited a loophole in how employees used their personal and professional email accounts for official system access.

[Image: Andariel hacker group attack chain. Credit: National Police Agency of South Korea]

Lastly, Kimsuky seized upon a vulnerability in a defense subcontractor's email server between April and July 2023. Over several months, they stole technical data by exploiting a flaw that allowed the download of large files sent via email from external sources without requiring login credentials. This method bypassed security measures, enabling the hackers to access and extract sensitive information undetected.

[Image: Kimsuky hacker group's attack chain. Credit: National Police Agency of South Korea]

The National Police Agency said, "It is expected that North Korea's hacking attempts targeting defense technology will continue, so not only defense companies but also partner companies must separate internal and external networks, change email passwords periodically, and set up account authentication such as two-step authentication."
Cyble Research & Intelligence Labs (CRIL) recently discovered evidence suggesting that the threat actors behind the DragonForce ransomware group might have leveraged a leaked LockBit 3.0 (Black) builder to craft their own ransomware builder. Detailed analysis revealed striking similarities between the binaries generated by the leaked LockBit 3.0 builder and DragonForce's own ransomware builder.

The findings come as part of a larger trend in which newer threat actor groups are observed relying on previously existing malware to form their own operational tools for deployment in campaigns.

DragonForce Ransomware Binary Likely Based on LockBit 3.0 Build

[Image: Source: Cyble]

The DragonForce ransomware group began its operations in November 2023, employing double extortion tactics to target victims. The group is potentially linked to the Malaysian hacktivist group 'DragonForce', known for conducting campaigns against various government agencies and organizations in the Middle East and Asia during 2021 and 2022. While the group is known to have announced its intention to launch ransomware operations in 2022, proper attribution remains difficult due to limited information.

CRIL researchers recently came across a DragonForce ransomware binary based on a LockBit Black (the third known LockBit variant) binary. The LockBit ransomware builder was known to have been shared on X (Twitter) in September 2022. Ransomware builders give ransomware operators specific options and customizability while generating ransomware payloads. The builder included a "config.json" file to customize payloads for functionalities such as encryption, filename encryption, impersonation, file/folder exclusion, exclusion based on languages spoken in CIS (Commonwealth of Independent States) countries, and ransom note templates.

[Image: Source: Cyble]

A comparison of a LockBit builder-generated ransomware binary with a DragonForce builder-generated ransomware binary revealed several similarities in code structure, functions, and process termination. These similarities suggest a strong likelihood that the DragonForce ransomware binary was developed through the utilisation of the leaked LockBit binary file.

DragonForce Ransomware Operations

[Image: Source: Cyble]

Earlier this year, in February 2024, DragonForce listed two American companies, 'Westward360' and 'Compression Leasing Services', as victims on its leak site. Earlier, in December 2023, the group claimed responsibility for an attack in which over 600 GB of data was stolen from the Ohio Lottery. The stolen data consisted of both player and employee records with sensitive information such as names, addresses, winnings, dates of birth, and social security numbers. The Ohio Lottery confirmed the cyber-incident and stated that it involved significant data theft.

In the same month, Yakult Australia fell victim to the DragonForce ransomware gang's operations, impacting its Australia and New Zealand divisions, with over 95GB of data stolen in the attack. The Yakult Australia data breach is believed to contain business documents, spreadsheets, credit applications, employee records, and copies of identity documents, including passports. The company later acknowledged the incident and disclosed details relating to it to relevant authorities such as the Australian Cyber Security Centre and the New Zealand National Cyber Security Centre.

It is notable that in both attacks, the impacted systems continued to operate normally, suggesting the group employs stealthy techniques.

The discovery of DragonForce's use of a leaked LockBit builder underscores the general conduct of newer ransomware groups employing existing ransomware tools and the interconnected nature of cybercriminal operations. Last year, in July 2023, researchers from VMware discovered similarities between the 8Base ransomware and earlier ransomware groups such as RansomHouse and Phobos.
The Qiulong ransomware group has taken responsibility for a cyberattack on renowned Brazilian plastic surgeon Dr. Willian Segalin. The Dr Willian Segalin cyberattack claim was posted on April 23, 2024, on the group's data leak website, where the threat actor claimed to have compromised the website associated with Dr. Segalin.

The group, known for its sophisticated ransomware tactics, shared its motivations for the attack, describing Dr Willian Segalin as an "outlaw plastic surgeon" who "does not protect patients' privacy safely". The cyberattack on Dr Willian Segalin, while not immediately visible on the website's front end, suggests a potential breach in the backend systems.

Dr Willian Segalin Cyberattack Claims Surface on Dark Web

The ransomware group's post on the dark web revealed sensitive information allegedly extracted from Dr Willian Segalin's website, including images of nude patients, confidential personal data, and financial information. The group's message admonished Dr Willian for purportedly neglecting patient privacy and urged him to take action to safeguard sensitive information.

[Image: Source: chum1ng0 on X]

"Dr. Willian, if you care about your patients' data and privacy, stop driving your Mustang around like a negligent doctor and avoid remaining silent", reads the threat actor's post.

[Image: Source: chum1ng0 on X]

The cyberattack on Dr Willian Segalin is not an isolated incident. Within the same timeframe, the Qiulong ransomware group targeted three other Brazilian organizations, including two related to plastic surgery and one car dealership. The Cyber Express has reached out to the plastic surgeon's office to learn more about the authenticity of the cyberattack on Dr Willian Segalin. However, at the time of writing, no official statement or response has been received.

Qiulong Ransomware Group Targets Multiple Victims in Brazil

The Qiulong ransomware group's recent cyberattacks extend beyond Dr. Willian Segalin, affecting three other Brazilian entities. The group's posts on the dark web highlight its grievances against these victims, accusing them of neglecting patient privacy and data protection.

[Image: Source: chum1ng0 on X]

One victim, Dr. Andrea Rechia, a plastic surgeon, faced criticism for allegedly disregarding patient privacy despite numerous attempts to reach out. The group's post includes sensitive information about the clinic's operations and contact details. Similarly, Dr. Lincoln Graça Neto, another plastic surgeon, was targeted by the ransomware group. The post exposes the clinic's location and amenities but condemns Dr. Lincoln for purportedly neglecting patient data security. The final victim, Rosalvo Automóveis, a car dealership, faced data exposure threats, indicating potential repercussions from the cyberattack. While specific details about the data breach are not provided, the post suggests imminent data exposure.
TRUE Solicitors LLP, a prominent UK law firm specializing in personal injury claims and employment law, has fallen victim to an alleged cyberattack by the notorious BlackBasta ransomware group. The ransomware group announced the cyberattack on TRUE Solicitors but provided no further details regarding the extent of the breach or the compromised data.

TRUE Solicitors LLP is renowned for its dedicated team of solicitors who provide high-quality legal representation to clients seeking compensation for personal injuries and assistance with various legal matters.

Cyberattack on TRUE Solicitors: Unverified

To verify the claim made by the BlackBasta ransomware group, The Cyber Express Team attempted to access the official website of TRUE Solicitors LLP. However, the website was found to be fully operational, casting uncertainty on the authenticity of the ransomware group's announcement. Until an official statement is released by the firm, the truth behind the TRUE Solicitors cyberattack claim remains elusive.

This is not the first time the BlackBasta ransomware group has made headlines. In 2024, the group targeted Leonard's Syrups, a cherished family-owned beverage company in Michigan. The cyberattack on Leonard's Syrups, announced on a dark web forum, left many questions unanswered, with crucial details about the breach, compromised data, and motives withheld by the cybercriminals. In another incident, the BlackBasta ransomware group claimed two new victims: Southern Water and Asahi Glass Co. While details about the extent of the attacks, compromised data, and motives remain undisclosed, the urgency of the situation is highlighted by the ransomware group's ominous deadline for data exposure.

Implications of the TRUE Solicitors Cyberattack

If the claim made by the BlackBasta ransomware group regarding the cyberattack is proven true, the implications could be significant. The compromise of sensitive legal information and client data could have far-reaching consequences, not only for the firm but also for its clients and partners. As investigations into the cyberattack on TRUE Solicitors LLP continue, stakeholders await an official statement from the firm regarding the breach and its impact. Until then, the industry remains on high alert, bracing for potential fallout from yet another audacious move by the BlackBasta ransomware group. Only time will tell whether the claim is true or whether it is another attempt by cybercriminals to sow fear and uncertainty.
Central Power Systems & Services, a major distributor of industrial and power generation products in Kansas, Western Missouri, and Northern Oklahoma, has fallen victim to the notorious Hunters Ransomware Group. The cyberattack on Central Power Systems & Services, disclosed by the ransomware group, has raised concerns about the safety of sensitive data and the integrity of critical infrastructure.

Central Power Systems & Services, the sole authorized distributor for Allison Transmissions, Detroit Diesel, MTU, Doosan, and Liebherr in the region, has been a stalwart in serving commercial equipment needs since 1954. However, the recent alleged cyberattack may have halted its official website, as it displayed a disconcerting message: "Sorry you have been blocked. You are unable to access cpower.com."

Uncertainty About the Cyberattack on Central Power Systems & Services

The claim by the Hunters Ransomware Group has yet to be officially confirmed, leaving both the company and its clients in a state of uncertainty. While attempts to access the website raise suspicions, the possibility of a technical glitch cannot be ruled out until an official statement is released.

If proven true, the implications of this Central Power Systems & Services cyberattack could be significant. The potential compromise of sensitive data poses a serious threat not only to the company but also to its clients and partners. With no details provided by the ransomware group regarding the extent of the breach or the nature of the compromised data, the situation remains tense.

Previous Incidents

This is not the first time the Hunters Ransomware Group has made headlines. Before this, the group targeted various organizations across different sectors and countries. In 2024 alone, the group claimed responsibility for cyberattacks on the Dalmahoy Hotel & Country Club in the UK, Double Eagle Energy Holdings IV, LLC in the US, and Gallup-McKinley County Schools in New Mexico, among others.

The modus operandi of the Hunters Ransomware Group involves encrypting files and appending the ".LOCKED" extension, followed by demands for ransom in exchange for decryption keys. Additionally, the group often leaves instructions for negotiation in files named "Contact Us.txt" within compromised directories.

The cyberattack on Central Power Systems & Services highlights the growing threat posed by ransomware groups to organizations worldwide. With cybercriminals continuously evolving their tactics and targeting critical infrastructure, businesses must remain vigilant and prioritize cybersecurity measures. As the investigation into this cyberattack continues, stakeholders await an official statement from the company regarding the breach and its impact. Until then, the industry remains on high alert, bracing for potential fallout from yet another audacious move by the Hunters Ransomware Group.
Networking giant Cisco warned that a group of state-sponsored hackers exploited zero-days in its firewall appliances to spy on government networks over the last several months. In a warning issued on Wednesday, Cisco said that two zero-day vulnerabilities in its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls have been exploited by a state-backed hacking group since November 2023 to infiltrate government networks globally.

Identified as UAT4356 by Cisco Talos and STORM-1849 by Microsoft, the hackers initiated their cyber-espionage campaign, dubbed "ArcaneDoor," by targeting vulnerable edge devices in early November 2023. "This actor utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted, hallmarks of a sophisticated state-sponsored actor," Cisco Talos said.

Discovery and Details of the Two Cisco Zero-Days

Despite the absence of an identified initial attack vector, Cisco detected and rectified two security flaws, CVE-2024-20353, a denial-of-service bug, and CVE-2024-20359, a persistent local code execution bug, which the threat actors used as zero-days. Cisco became aware of the ArcaneDoor campaign earlier this year but said the attackers had been testing and developing exploits for the two zero-days since at least July 2023. "The investigation that followed identified additional victims, all of which involved government networks globally," Cisco Talos added.

[Image: Cisco Zero-Days Exploitation Timeline. Credit: Cisco Talos]

The exploited vulnerabilities facilitated the deployment of previously unknown malware, allowing the threat actors to establish persistence on compromised ASA and FTD devices. One such malware implant, dubbed "Line Dancer," acted as an in-memory shellcode loader, enabling the execution of arbitrary shellcode payloads to disable logging, provide remote access, and exfiltrate captured packets. The second implant, a persistent backdoor known as "Line Runner," included various defense evasion mechanisms to evade detection and enable the execution of arbitrary Lua code on compromised systems.

Perimeter network devices like the ASA and FTD firewall appliances "are the perfect intrusion point for espionage-focused campaigns," Cisco said. "Gaining a foothold on these devices allows an actor to directly pivot into an organization, reroute or modify traffic and monitor network communications." The networking and security giant said it had observed a "dramatic and sustained" increase in the targeting of these devices in the past two years, especially those deployed in the telecommunications and energy sectors, as "critical infrastructure entities are likely strategic targets of interest for many foreign governments," Cisco explained.

What Cybersecurity Agencies Said

A joint advisory published today by the UK's National Cyber Security Centre (NCSC), the Canadian Centre for Cyber Security (Cyber Centre), and the Australian Cyber Security Centre outlined additional activity undertaken by the threat actors:

- They generated text versions of the device's configuration file for exfiltration through web requests.
- They controlled the enabling and disabling of the device's syslog service to obfuscate additional commands.
- They modified the authentication, authorization, and accounting (AAA) configuration to provide access to specific actor-controlled devices within the impacted environment.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also added the zero-day bugs to its Known Exploited Vulnerabilities Catalog and encouraged users to apply the necessary updates, hunt for malicious activity, and report any positive findings to the agency.

Cisco released security updates on Wednesday to address the two zero-days and recommended that all customers upgrade their devices to the fixed software version to mitigate potential attacks. Cisco asked administrators to monitor system logs for signs of unscheduled reboots, unauthorized configuration changes, or suspicious credential activity.
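The monitoring Cisco recommends (unscheduled reboots, unauthorized configuration changes, suspicious credential activity) and the agencies' observed actions (configuration dumps, syslog toggling, AAA changes) can be turned into a simple log triage. The script below is an added example, not Cisco's or the advisory's own tooling; it assumes standard ASA syslog message IDs (199002 for startup, 111008/111010 for executed commands, 605005 for permitted logins), a constructed management allowlist, and constructed sample log lines.

```python
import re
from ipaddress import ip_address, ip_network

# Management networks from which interactive logins are expected (constructed
# allowlist for this example; substitute your own management subnets).
MGMT_NETWORKS = ["10.0.0.0/8"]

# Constructed sample lines written in Cisco ASA syslog style; they are not
# captured device output. IDs 199002 (startup), 111008/111010 (command
# executed) and 605005 (login permitted) are standard ASA message IDs.
SAMPLE_LOGS = """\
Apr 24 2024 03:11:40 %ASA-6-199002: Startup completed. Beginning operation.
Apr 24 2024 03:12:05 %ASA-6-605005: Login permitted from 203.0.113.7/40212 to outside:198.51.100.1/https for user "admin"
Apr 24 2024 03:12:31 %ASA-5-111010: User 'admin', running 'CLI' from IP 203.0.113.7, executed 'no logging enable'
Apr 24 2024 03:12:48 %ASA-5-111010: User 'admin', running 'CLI' from IP 203.0.113.7, executed 'aaa authentication ssh console LOCAL'
Apr 24 2024 03:13:02 %ASA-5-111010: User 'admin', running 'CLI' from IP 203.0.113.7, executed 'show running-config'
Apr 24 2024 09:00:14 %ASA-6-605005: Login permitted from 10.0.0.5/51234 to inside:10.0.0.1/ssh for user "netops"
Apr 24 2024 09:00:30 %ASA-5-111008: User 'netops' executed the 'show version' command.
"""

MSG_ID_RE = re.compile(r"%ASA-\d-(?P<id>\d{6}):")
CMD_RE = re.compile(r"executed (?:the )?'(?P<cmd>[^']+)'")
LOGIN_RE = re.compile(r'Login permitted from (?P<ip>[\d.]+)/\d+ .* for user "(?P<user>[^"]+)"')

# Command patterns mirroring the advisory's observed actions: toggling the
# syslog service, editing AAA, and producing a text copy of the configuration.
SUSPICIOUS_COMMANDS = [
    ("logging_toggled", re.compile(r"^(no\s+)?logging\b")),
    ("aaa_modified", re.compile(r"^(no\s+)?aaa\b")),
    ("config_dumped", re.compile(r"^(show running-config|more system:running-config|write terminal)\b")),
]


def triage_asa_logs(text, mgmt_networks):
    """Return (label, line) findings for lines matching the indicators above:
    device restarts, syslog/AAA changes, configuration dumps, and interactive
    logins from outside the management allowlist."""
    nets = [ip_network(n) for n in mgmt_networks]
    findings = []
    for line in text.splitlines():
        m = MSG_ID_RE.search(line)
        if not m:
            continue
        msg_id = m.group("id")
        if msg_id == "199002":
            # Any startup message outside a planned maintenance window deserves a look.
            findings.append(("device_restart", line))
        elif msg_id in ("111008", "111010"):
            cmd = CMD_RE.search(line)
            if cmd:
                for label, pattern in SUSPICIOUS_COMMANDS:
                    if pattern.match(cmd.group("cmd")):
                        findings.append((label, line))
        elif msg_id == "605005":
            login = LOGIN_RE.search(line)
            if login and not any(ip_address(login.group("ip")) in net for net in nets):
                findings.append(("login_from_unexpected_source", line))
    return findings


def summarize(findings):
    """Count findings per label so a reviewer can see the shape of the activity."""
    counts = {}
    for label, _ in findings:
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage_asa_logs(SAMPLE_LOGS, MGMT_NETWORKS)
    for label, line in hits:
        print(f"[{label}] {line}")
    print(summarize(hits))
```

The sample run flags the restart, the login from outside the management subnet, and the three commands from that session, while the routine "show version" from an allowed address produces no finding.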
The company also provided instructions in the advisory on verifying the integrity of ASA or FTD devices.

Espionage Actors Increasingly Using Edge Device Zero-Days

Although no attribution was made for the ArcaneDoor campaign, a recent trends report from Google security firm Mandiant fingered Chinese hackers for increasingly targeting edge devices like VPN appliances, firewalls, routers, and IoT tools in espionage attacks. Mandiant observed more than 50% growth in zero-day usage compared to 2022, both by espionage groups and by financially motivated hackers.

"China-nexus attackers have gained access to edge devices via exploitation of vulnerabilities, particularly zero-days, and subsequently deployed custom malware ecosystems," Mandiant said. The security firm added that it is likely to see continued deployment of custom malware ecosystems from Chinese espionage groups that are tailored to the device and operation at hand. "This approach provides several advantages such as the increased ability to remain undetected, reduced complexity and increased reliability, and a reduced malware footprint."
In late 2023, concerns surfaced regarding a potential data breach at Bharat Sanchar Nigam Limited (BSNL), a major telecommunications provider owned by the Indian government. However, BSNL did not confirm these reports at the time. Recently, the issue has resurfaced after data purportedly from the unconfirmed BSNL data breach again appeared on the dark web.

On April 24, 2024, a known threat actor named 'Perell', who was previously linked to the alleged 2023 BSNL data breach, released a database that reportedly belongs to BSNL. This database contains more than 2.9 million records and was originally part of an extortion scheme. In December last year, Perell claimed to have obtained sensitive BSNL data and threatened to use it against the company on the now-defunct BreachForums.

Despite the time elapsed, the threat to user privacy remains significant, as Perell has made the supposedly stolen data publicly available, intensifying worries about the security of the information and the potential implications for BSNL's customers.

The 2024 BSNL Data Breach Claims Surface on BreachForums

[Image: Source: Dark Web]

The leaked data, according to Perell's post on the forum, includes sensitive information from BSNL, a major player in India's telecommunications sector. While the exact reason for the resurfacing of data from 2023 is unknown, Perell shared a link on BreachForums to the stolen data, stating that the "following list of databases would be exfiltrated."

Discussions on BreachForums suggest that the recently leaked data, claimed to be from BSNL in 2024, actually dates back to 2023. Despite its age, the data remains a significant concern due to its large volume and sensitive nature. The decision to leak the same data again in 2024 is puzzling and raises questions about the motives behind this move.

[Image: The earlier post shared by the threat actor in December 2023.]

The seriousness of the situation is highlighted by the fact that the compromised data from 2023 was posted on the same forum without any clear evidence of communication between the hacker and Bharat Sanchar Nigam Limited (BSNL), and it is uncertain whether a ransom was demanded or paid. Like the current incident, the original post focused solely on revealing the data of 2.9 million users, indicating a deliberate effort to exploit and profit from the breach.

The Cyber Express has reached out to the Indian telecommunications giant to learn more about the authenticity of the data being shared by the threat actor. However, at the time of writing, no official statement or response has been shared, leaving the claims made by the threat actor unverified.

The Far-reaching Consequences of the BSNL Database Leak

Following initial reports of the BSNL data leak in December last year, experts expressed concerns about the implications of the incident. Saket Modi, CEO of the cyber risk management startup Safe Security, commented to the Economic Times that the nature of the hack suggested it was likely carried out by an individual rather than an organization. Modi pointed out that the claim of approximately 2.9 million records being compromised suggested that the breach might involve a single website. Additionally, Kanishk Gaur, founder of India Future Foundation, spoke to the Indian media about the wider consequences of the breach, emphasizing its significant impact on both BSNL and its customers.

The reappearance of data from last year's BSNL data breach raises serious concerns. This leak threatens the personal and financial security of millions, potentially leading to identity theft and fraud. Notably, despite the breach first surfacing last year and reemerging now, BSNL has yet to confirm the incident, leaving the claims unverified. The Cyber Express has contacted BSNL for comment and is currently awaiting a response. Updates to this story will be provided as more information becomes available.
Many companies have long since moved from the traditional workstation model to virtual desktop infrastructure (VDI). VDI provides a number of advantages — one being better cybersecurity (not least because work data doesn't leave corporate servers; it always lives in a virtual machine). However, despite a popular misconception, VDI alone doesn't guarantee security. It always matters how secure the endpoint device that connects to the virtual workplace is.

By and large, there are two options for using VDI. The first is to employ traditional workstations; the second is to use thin clients. Common advantages of a thin client include the following: no moving parts (they don't have active cooling systems or mechanical hard drives, which significantly increases the service life of the thin client, up to 7-10 years); low energy consumption, which leads to direct savings; lower price and cost of ownership (in comparison with desktops and laptops for office work); and ease of maintenance and operation.

However, from our point of view, this isn't the main advantage of using a thin client. Any workstation, be it a desktop PC or a laptop, must be provided with additional layers of protection. A thin client, by contrast, can be secure as-is if its operating system is built on the secure-by-design principle. It's precisely such an operating system — Kaspersky Thin Client 2.0 — that we propose to use in thin clients connected to virtual desktop infrastructure.

What is Kaspersky Thin Client, and what's new in version 2.0?

Essentially, Kaspersky Thin Client 2.0 is an updated operating system for thin clients, created in accordance with our Cyber Immune approach; as such, it doesn't require additional security measures. Kaspersky Thin Client is based on our KasperskyOS system, which minimizes the risk of compromise even in the event of complex targeted attacks. The updated Kaspersky Thin Client version 2.0 can connect to remote environments deployed on the Citrix Workspace platform and VMware Horizon infrastructure using HTML5 technology. Kaspersky Thin Client 2.0 also supports connection to individual business applications deployed on Microsoft Remote Desktop Services infrastructure, Windows Server, and terminal servers running Windows 10/11.

Another key change in KTC 2.0 is the increase in performance. We managed to increase both the speed of application delivery and the speed of system updates (thanks to the compact size of the OS image). Deploying a thin client under KTC 2.0 via automatic connection now takes about two minutes. You can learn more about the updated operating system for thin clients on the Kaspersky Thin Client page.
Get updated advice on how, when, and where we should disclose cybersecurity incidents under the SEC's four-day rule after SolarWinds, and join the call to revamp the rule to remediate first.
Recent trends in breaches and attack methods offer a valuable road map to cybersecurity professionals tasked with detecting and preventing the next big thing.
Eight out of nine apps that people use to input Chinese characters into mobile devices have weaknesses that allow a passive eavesdropper to collect keystroke data.
Attacks by a previously unknown threat actor leveraged two bugs in firewall devices to install custom backdoors on several government networks globally.
Google announced it is updating the client-side encryption mechanism for Google Meet to allow external participants, including those without Google accounts, to join encrypted calls.
Chinese and Russian hackers have turned their focus to edge devices — like VPN appliances, firewalls, routers and Internet of Things (IoT) tools — amid a startling increase in espionage attacks, according to Google security firm Mandiant.
The hackers, identified as UAT4356 by Cisco Talos and STORM-1849 by Microsoft, began infiltrating vulnerable edge devices in early November 2023 in a cyber-espionage campaign tracked as ArcaneDoor.
Most businesses are concerned about AI-enabled cyber-threats, with 93% of security leaders expecting to face daily AI-driven attacks by the end of 2024, according to a new report by Netacea.
The two founders of a cryptocurrency mixing service that allegedly obfuscated the origins of at least $100 million in criminal proceeds have been arrested, the Department of Justice announced Wednesday.
Flowmon developer Progress Software first warned of the flaw on April 4, stating that it impacts versions v12.x and v11.x of the product. The company urged system admins to upgrade to the latest releases, v12.3.4 and v11.1.14.
On Wednesday, the Cybersecurity and Infrastructure Security Agency (CISA) added two Cisco product vulnerabilities — CVE-2024-20353 and CVE-2024-20359 — as well as one vulnerability affecting popular file transfer tool CrushFTP.
Threat actors utilize fraudulent websites hosted on popular legitimate platforms to spread malware and steal data. To evade detection, attackers employ obfuscation methods and checks on referral URLs.
The FTC is sending $5.6 million in refunds to Ring users whose private video feeds were accessed without consent by Amazon employees and contractors, or had their accounts and devices hacked because of insufficient security protections.
The research identified deficiencies in various PMP components that could be exploited to gain access to plaintext content keys guarded by PlayReady DRM in Windows 10/11 environments.
Ubuntu Security Notice 6750-1 - Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass security restrictions, perform cross-site tracing, or execute arbitrary code. Bartek Nowotarski discovered that Thunderbird did not properly limit HTTP/2 CONTINUATION frames. An attacker could potentially exploit this issue to cause a denial of service.
Ubuntu Security Notice 6743-3 - Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.
Ubuntu Security Notice 6657-2 - USN-6657-1 fixed several vulnerabilities in Dnsmasq. This update provides the corresponding update for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. Elias Heftrig, Haya Schulmann, Niklas Vogel, and Michael Waidner discovered that Dnsmasq incorrectly handled validating DNSSEC messages. A remote attacker could possibly use this issue to cause Dnsmasq to consume resources, leading to a denial of service. It was discovered that Dnsmasq incorrectly handled preparing an NSEC3 closest encloser proof. A remote attacker could possibly use this issue to cause Dnsmasq to consume resources, leading to a denial of service. It was discovered that Dnsmasq incorrectly set the maximum EDNS.0 UDP packet size as required by DNS Flag Day 2020. This issue only affected Ubuntu 23.10.
Ubuntu Security Notice 6749-1 - It was discovered that FreeRDP incorrectly handled certain context resets. If a user were tricked into connecting to a malicious server, a remote attacker could use this issue to cause FreeRDP to crash, resulting in a denial of service, or possibly execute arbitrary code. Evgeny Legerov discovered that FreeRDP incorrectly handled certain memory operations. If a user were tricked into connecting to a malicious server, a remote attacker could use this issue to cause FreeRDP to crash, resulting in a denial of service, or possibly execute arbitrary code.
Red Hat Security Advisory 2024-2060-03 - Red Hat OpenShift Virtualization release 4.14.5 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2024-2044-03 - An update for gnutls is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include an information leakage vulnerability.
Red Hat Security Advisory 2024-2042-03 - An update for tigervnc is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.
Red Hat Security Advisory 2024-2041-03 - An update for tigervnc is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions.
Google has once again pushed back its plans to deprecate third-party tracking cookies in its Chrome web browser as it works to address outstanding competition concerns from U.K. regulators over its Privacy Sandbox initiative. The tech giant said it's working closely with the U.K. Competition and Markets Authority (CMA) and hopes to achieve an agreement by the end of the year. As part of the
A new malware campaign leveraged two zero-day flaws in Cisco networking gear to deliver custom malware and facilitate covert data collection on target environments. Cisco Talos, which dubbed the activity ArcaneDoor, attributed it to a previously undocumented, sophisticated state-sponsored actor it tracks under the name UAT4356 (aka Storm-1849 by Microsoft). "
Follow this real-life network attack simulation, covering 6 steps from Initial Access to Data Exfiltration. See how attackers remain undetected with the simplest tools and why you need multiple choke points in your defense strategy. Surprisingly, most network attacks are not exceptionally sophisticated, technologically advanced, or reliant on zero-day tools that exploit
The U.S. Department of Justice (DoJ) on Wednesday announced the arrest of two co-founders of a cryptocurrency mixer called Samourai and seized the service for allegedly facilitating over $2 billion in illegal transactions and for laundering more than $100 million in criminal proceeds. To that end, Keonne Rodriguez, 35, and William Lonergan Hill, 65, have been charged
The North Korea-linked threat actor known as Lazarus Group employed its time-tested fabricated job lures to deliver a new remote access trojan called Kaolin RAT. The malware could, "aside from standard RAT functionality, change the last write timestamp of a selected file and load any received DLL binary from [command-and-control] server," Avast security researcher Luigino
Leicester City Council suffers a crippling ransomware attack and a massive data breach, but is it out of the dark yet? And as election fever hits India, we take a close look at deepfakery. All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault.
Czech news agency ČTK announced on Tuesday that a hacker had managed to break into its systems and published fake news reports of a plot to murder the president of a neighbouring country. Read more in my article on the Hot for Security blog.
A wave of cheap, crude, amateurish ransomware has been spotted on the dark web - and although it may not make as many headlines as LockBit, Rhysida, and BlackSuit, it still presents a serious threat to organizations. Read more in my article on the Tripwire State of Security blog.