Cyber security aggregate rss news

Cyber security aggregator - feeds history

image for Multi-Year Cyberatta ...

 Cybersecurity News

Volkswagen, the automotive giant, finds itself at the center of a large-scale cyber operation, with suspicions pointing toward hackers operating from China. The Volkswagen cyberattack, which began more than a decade ago but continues to reverberate today, sheds light on Chinese hackers and their espionage activities.

The stolen data from the multi-year Volkswagen cyberattack, described as "explosive," includes sensitive information on Volkswagen's internal workings, ranging from development plans for gasoline engines to crucial details about e-mobility initiatives. Investigations led by ZDF frontal and "Der Spiegel" unveiled more than 40 internal documents implicating Chinese hackers in the sophisticated operation.

Multi-year Volkswagen Cyberattack by Chinese Hackers

The timeline of the cyberattacks on Volkswagen, spanning from 2010 to 2015, highlights the careful planning and execution by the perpetrators. Reports suggest that the hackers thoroughly analyzed Volkswagen's IT infrastructure before breaching its networks, leading to the exfiltration of approximately 19,000 documents. Among the stolen intellectual property were coveted insights into emerging technologies like electric and hydrogen cars, areas crucial for Volkswagen's competitiveness in the global market.

While China is not directly accused, evidence points to its involvement: IP addresses were traced back to Beijing, and the timing of the attacks aligned with the Chinese workday. Moreover, the hacking tools employed, including the well-known "China Chopper" web shell, further suggest Chinese origins, though conclusive proof remains elusive.

The Implications of Volkswagen Data Breaches

The implications of these Volkswagen data breaches extend beyond corporate espionage, raising concerns about the integrity of fair competition in the automotive industry. Professor Helena Wisbert of Ostfalia University emphasizes the strategic advantage gained by those privy to competitors' plans, highlighting the significance of stolen data in shaping market dynamics. Volkswagen's acknowledgment of the incident underscores the gravity of the situation, with reassurances of bolstered IT security measures.
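The "Chinese workday" evidence cited above is a routine attribution heuristic: shift the UTC timestamps of attacker activity by each candidate time-zone offset and see which shift lands the most activity inside a Monday-to-Friday working day. The following added example (not code from the investigation, from The Cyber Express, or from Volkswagen) implements that scoring over constructed timestamps; the working-hours window (09:00 to 17:59) and the sample data are assumptions.

```python
"""Score candidate UTC offsets by how well attacker activity fits a local
Mon-Fri working day. Added example; the timestamps are constructed, not
data from the Volkswagen investigation."""
from collections import Counter
from datetime import datetime, timedelta, timezone

WORK_START, WORK_END = 9, 18   # assumed local working hours, 09:00-17:59


def build_sample():
    """Constructed attacker-side timestamps (UTC), e.g. web shell requests.
    Most fall on weekdays between 01:00 and 10:00 UTC; one is on a Saturday
    and one is late in the evening for anyone on UTC+8."""
    stamps = []
    for day in range(4, 9):                 # 2013-03-04 (Mon) .. 2013-03-08 (Fri)
        for hour in (1, 2, 3, 5, 6, 8, 9):
            stamps.append(datetime(2013, 3, day, hour, 15, tzinfo=timezone.utc))
    stamps.append(datetime(2013, 3, 9, 3, 0, tzinfo=timezone.utc))    # Saturday
    stamps.append(datetime(2013, 3, 5, 16, 40, tzinfo=timezone.utc))  # 00:40 next day at UTC+8
    return stamps


SAMPLE_UTC = build_sample()


def workday_fit(stamps, offset_hours):
    """Fraction of events that land Mon-Fri inside working hours once the
    clock is shifted by offset_hours."""
    if not stamps:
        return 0.0
    tz = timezone(timedelta(hours=offset_hours))
    hits = 0
    for t in stamps:
        local = t.astimezone(tz)
        if local.weekday() < 5 and WORK_START <= local.hour < WORK_END:
            hits += 1
    return hits / len(stamps)


def rank_offsets(stamps, offsets=range(-12, 15)):
    """Candidate offsets as (offset, fit), best fit first."""
    scored = [(o, workday_fit(stamps, o)) for o in offsets]
    return sorted(scored, key=lambda p: (-p[1], p[0]))


def hour_histogram(stamps, offset_hours):
    """Local-hour histogram for eyeballing the shape of the working day."""
    tz = timezone(timedelta(hours=offset_hours))
    return Counter(t.astimezone(tz).hour for t in stamps)


if __name__ == "__main__":
    for offset, fit in rank_offsets(SAMPLE_UTC)[:5]:
        print(f"UTC{offset:+d}: {fit:.2f}")
    print(sorted(hour_histogram(SAMPLE_UTC, 8).items()))
```

Beijing is UTC+8 year-round, so a clean fit there is at least consistent with the claim, but a working-hour pattern is weak evidence on its own: operators work shifts, route through infrastructure in other regions, or schedule activity deliberately. That is why the article's other indicators (source addresses, tooling) matter alongside it.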
However, the Federal Office for Information Security (BSI) warns of ongoing threats, stressing the attractiveness of German expertise as a target for espionage. As German companies gear up for the "Auto China" trade fair, the cyberattack on Volkswagen raises questions about the intent of Chinese hackers and their targets in the automobile industry. The Cyber Express will be closely monitoring the situation and will update this post once more information on the alleged attacks, or any update from Volkswagen, becomes available.

Cyberattacks on the Automotive Industry

As automotive technology advances, vehicles are increasingly vulnerable to cyberattacks, particularly with the rise of electronics, software, and internet connectivity. Experts warn that electric vehicles (EVs) in particular are at heightened risk due to their intricate electronic systems. Ransomware attacks could target critical functions like steering and braking systems, posing significant safety concerns. The volume of software in modern vehicles creates ample opportunities for cyber threats, affecting not only the cars themselves but also their entire ecosystem. While cybersecurity defenses are improving, the automotive industry faces challenges in managing software lifecycles and ensuring end-to-end risk management.

Collaboration between industry stakeholders, government, and private players is essential to address these challenges. As the global automotive cybersecurity market grows, the need for robust cybersecurity measures becomes increasingly critical, prompting software solution providers to offer localized and cost-effective solutions.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

image for Avoid Using Unregist ...

 Cybersecurity News

The FBI in a Thursday warning emphasized the financial risks associated with using unregistered cryptocurrency transfer services, especially considering potential law enforcement actions against these platforms. The focus of this public service announcement is on crypto transfer platforms that operate without proper

registration as Money Services Businesses (MSBs) and fail to comply with the anti-money laundering regulations mandated by U.S. federal law. Such platforms are frequent targets of law enforcement operations, particularly when criminals exploit them to transfer or launder unlawfully acquired funds, as in the case of ransomware payments.

The FBI's PSA, released through its Internet Crime Complaint Center (IC3), cautioned Americans that "using a service that does not comply with its legal obligations may put you at risk of losing access to funds after law enforcement operations target those businesses." The FBI said it had recently conducted law enforcement operations against unregistered cryptocurrency transfer services "that purposely break the law or knowingly facilitate illegal transactions," and added that such services will continue to be investigated.

Steps to Avoid Using Unregistered Cryptocurrency Transfer Services

For individuals considering the use of cryptocurrency transfer services, "a few simple steps can prevent unintentional use of non-compliant services," the FBI said. The agency advised the following:

Check the service's registration status as an MSB with the U.S. Treasury Department's Financial Crimes Enforcement Network (FinCEN).
Exercise caution with financial services that do not request KYC information (such as name, date of birth, address, and ID) before facilitating money or cryptocurrency transfers.
Understand that the presence of an app in an app store does not necessarily signify its legality or compliance with federal requirements.
Refrain from using services that openly advertise themselves for illegal purposes.
Exercise vigilance when using cryptocurrency services known to be utilized by criminals for money laundering.

Samourai Wallet's Unlicensed Money Transmitting Business Busted

The FBI's warning comes in the wake of the recent crackdown on Samourai Wallet, a cryptocurrency wallet service whose mixing features, prosecutors allege, facilitated the laundering of funds obtained through criminal activities. Icelandic law enforcement authorities, acting with U.S. authorities, seized Samourai's domains (samourai[.]io and samouraiwallet[.]com) and web servers. The Google Play Store also removed the Samourai Wallet Android app, which had been downloaded over 100,000 times, before the seizure took place.

The U.S. Department of Justice charged Keonne Rodriguez and William Lonergan Hill, the platform's founders and operators, with laundering over $100 million from various criminal enterprises through Samourai's crypto mixing services, collecting approximately $4.5 million in fees. According to the superseding indictment, "Since the start of the Whirlpool service in or about 2019 and of the Ricochet service in or about 2017, over 80,000 BTC (worth over $2 billion applying the BTC-USD conversion rates at the time of each transaction) has passed through these two services operated by Samourai." The DOJ stated, "While offering Samourai as a 'privacy' service, the defendants knew that it was a haven for criminals to engage in large-scale money laundering and sanctions evasion." "Indeed, as the defendants intended and well knew, a substantial portion of the funds that Samourai processed were criminal proceeds passed through Samourai for purposes of concealment," the unsealed indictment said.

image for Thoma Bravo Acquires ...

 Cybersecurity News

American private equity firm Thoma Bravo has inked an agreement to acquire British cybersecurity company Darktrace for $4.6bn. The all-cash transaction between Thoma Bravo and Darktrace, valued at $5.3bn, marks a pivotal moment for both companies and the cybersecurity sector at large. The Darktrace acquisition, though

pending shareholder approval, has already received the green light from the boards of both Darktrace and Thoma Bravo, signaling a strong vote of confidence in the deal's potential. Immediately following the announcement, Darktrace's shares surged by over 19%, showcasing investor enthusiasm for the partnership.

Tech Titans Thoma Bravo and Darktrace Seal $4.6 Billion Cybersecurity Deal

Under the terms of the Darktrace acquisition, Darktrace shareholders stand to benefit substantially, receiving $7.75 (620p) for each share they hold, a 44.3% premium over Darktrace's recent stock performance. Darktrace's board has expressed its belief that the company's operational and financial successes have not been adequately reflected in its valuation; the acquisition offer therefore presents shareholders with an opportunity to realize fair value in cash.

Gordon Hurst, Chair of Darktrace, emphasized the attractiveness of the proposed offer, stating that it provides shareholders with certainty and fair value. He also highlighted the potential benefits of partnering with Thoma Bravo, a financial powerhouse with deep expertise in the software sector. "The proposed acquisition will provide Darktrace access to a strong financial partner in Thoma Bravo, with deep software sector expertise, who can enhance the Company's position as a best-in-class cyber AI business headquartered in the UK," says Gordon Hurst.

Darktrace, known for its artificial intelligence-driven cybersecurity products, has experienced a surge in demand for its services, leading to an upgrade in its revenue forecast for fiscal year 2024.

Accelerating Cybersecurity Preparedness in the UK

The potential takeover of Darktrace by Thoma Bravo has drawn attention to the state of the UK's tech industry. Analysts suggest that such acquisitions highlight the need for governmental action to retain tech companies within the UK market.

If the deal is approved by shareholders, the acquisition is slated to be finalized in the third or fourth quarter of 2024. Andrew Almeida, Partner at Thoma Bravo, expressed enthusiasm for the deal, highlighting Darktrace's cybersecurity technology and emphasizing the firm's commitment to supporting Darktrace's growth and development as a global leader in the field. "Darktrace is driven by a culture of innovation and we are excited by the opportunity to work alongside Darktrace's team and accelerate its development into a scaled, global leader, further strengthening its capability and offer to customers. Thoma Bravo has been investing exclusively in software for over twenty years and we will bring to bear the full range of our platform, operational expertise and deep experience of cybersecurity in supporting Darktrace's growth," says Almeida.

Thoma Bravo's extensive experience in software investment, coupled with its substantial financial resources, positions Darktrace for accelerated expansion and innovation in the cybersecurity domain. With Thoma Bravo's backing, Darktrace aims to reinforce its position as a pioneering cybersecurity firm while contributing to the UK's technological advancement. Thoma Bravo's acquisition of Darktrace represents not only a strategic move for both entities but also a significant development in the cybersecurity sector.

image for SpaceX Data Breach B ...

 Dark Web News

SpaceX, the aerospace manufacturer and space transport services company founded by Elon Musk, has allegedly been hit by a cybersecurity incident: the Hunters International hacking group has reportedly posted samples of what it claims is SpaceX data. The SpaceX data breach seems to involve

relatively old data from SpaceX, with Hunters International using name-dropping tactics to exert extortion pressure. Interestingly, these same samples were involved in an earlier data breach that SpaceX faced in early 2023, attributed to the LockBit ransomware group.

Hunters International shared samples and databases supposedly linked to SpaceX, including access to 149.9 GB of data. This database, originally associated with the initial SpaceX data breach linked to LockBit, was traced back to a third-party supplier within SpaceX's supply chain, specifically a manufacturing contractor based in Texas. Through infiltration of the vendor's systems, LockBit allegedly gained control of 3,000 drawings or schematics verified by SpaceX engineers.

SpaceX Data Breach Resurfaces on the Dark Web

(Image source: X)

Interestingly, the threat actor also claims the infiltration extended to an undisclosed GoPro development environment. Adding another layer to the intrigue, events in April 2024 revealed the Cactus ransomware group's purported targeting of Aero Dynamic Machining, Inc., a US-based aerospace equipment manufacturer. The group alleges to have extracted 1.1 TB of data, encompassing confidential, employee, and customer information from industry giants like Boeing, SpaceX, and Airbus. Subsequently, the group leaked 5.8 MB of compressed data containing agreements, passports, shipping orders, and engineering drawings.

The Cyber Express has reached out to SpaceX to learn more about the data breach claims made by Hunters International. At the time of writing, no official statement or response has been received, leaving the claims unverified.

Moreover, SpaceX's website appears to be operating normally and shows no immediate sign of an attack or data breach, which is consistent with the data shared by Hunters International stemming from the 2023 breach rather than a new intrusion (a functioning public website is, of course, no guarantee that internal systems are untouched).

How the LockBit Ransomware Group Breached SpaceX

In March 2023, the LockBit ransomware group infiltrated a third-party manufacturing contractor in Texas, part of SpaceX's supply chain, seizing 3,000 certified drawings and schematics created by SpaceX engineers. LockBit directly addressed SpaceX CEO Elon Musk, demanding a ransom payment within a week under the threat of selling the stolen blueprints. The gang's move aimed to profit from the sensitive data regardless of the vendor's response. Despite concerns over compromised national security, SpaceX has not confirmed the breach, leaving the claims unresolved.

This breach, along with the reappearance of leaked data from previous incidents, highlights the persistent threat of cyberattacks on critical infrastructure and the supply chains behind it, and the need for robust cybersecurity measures, as the ramifications extend beyond financial loss to broader security implications.

The reappearance of data from last year's SpaceX data breach is raising concerns, since recycled leaks keep proprietary engineering material, and any personal information contained in the files, in circulation. Notably, despite the breach being initially reported last year and now resurfacing, SpaceX has yet to confirm the incident, leaving the claims unverified.

image for CISA Launches Ransom ...

 Cybersecurity News

In response to the growing ransomware threat, the Cybersecurity and Infrastructure Security Agency (CISA) has launched the Ransomware Vulnerability Warning Pilot (RVWP). This initiative focuses on proactive risk reduction through direct communication with federal government, state, local, tribal, territorial (SLTT)

government, and critical infrastructure entities. The goal is to prevent threat actors from accessing their networks and deploying ransomware.

Ransomware, a persistent threat to critical services, businesses, and communities worldwide, continues to evolve, causing costly and disruptive incidents. Recent industry reports estimate that businesses spend an average of $1.85 million to recover from a ransomware attack. Moreover, 80% of victims who paid a ransom were targeted again by these criminals. The economic, technical, and reputational impacts of ransomware incidents pose significant challenges for organizations large and small.

CISA's Ransomware Vulnerability Warning Pilot

Aligned with the Joint Ransomware Task Force, RVWP provides timely notifications to critical infrastructure organizations, allowing them to mitigate vulnerabilities and protect their networks and systems. By leveraging existing services, data sources, technologies, and authorities, CISA aims to reduce the attack surface and impact of ransomware attacks.

A key component of the pilot is the Cyber Hygiene Vulnerability Scanning service, which monitors internet-connected devices for known vulnerabilities. This service, available to any organization, has proven highly effective in reducing risk and exposure. Organizations typically see a 40% reduction in risk within the first 12 months, with most experiencing improvements within the first 90 days. By identifying exposed assets and vulnerabilities, Cyber Hygiene Vulnerability Scanning helps organizations manage risks that would otherwise go unnoticed. Specifically for the pilot, this service notifies organizations of vulnerabilities commonly associated with ransomware exploitation.

The Success of RVWP in 2023

In Calendar Year (CY) 2023, RVWP completed 1,754 notifications to entities operating vulnerable internet-connected devices. Following these notifications, CISA conducted regular vulnerability scans to assess mitigation efforts. Of the 1,754 notifications, 49% of the vulnerable devices were patched, covered by compensating controls, or taken offline after CISA's intervention. CISA's regional teams collaborate closely with notified entities to ensure timely mitigation, enhancing the overall effectiveness of the pilot.

RVWP enables organizations across critical infrastructure sectors to harden their networks against known ransomware vulnerabilities. By reducing the effectiveness of ransomware tools and procedures, the pilot increases operational costs for ransomware gangs and contributes to deterrence by denial.

Taking Action to #StopRansomware

CISA urges organizations to take proactive measures against ransomware, including:

Enroll in CISA Cyber Hygiene Vulnerability Scanning: this no-cost service helps organizations raise their cybersecurity posture and reduce business risk by identifying and mitigating vulnerabilities.
Review the #StopRansomware Guide: use its checklist on how to respond to a ransomware incident and protect your organization.
Report ransomware activity: always report observed ransomware activity, including indicators of compromise and tactics, techniques, and procedures (TTPs), to CISA and federal law enforcement partners.

By partnering with CISA and implementing these measures, organizations can combat ransomware more effectively and safeguard their digital assets.
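CISA's Known Exploited Vulnerabilities (KEV) catalog carries a knownRansomwareCampaignUse field on each entry, which is exactly the kind of data source a notification program like RVWP can build on. The following added example (not CISA's code, and not the Cyber Hygiene service itself) shows the join a notifier performs: scanner findings matched against a KEV-shaped catalog, filtered to ransomware-linked CVEs, plus a rescan-based mitigation rate of the kind behind the 49% figure. The catalog excerpt, the CVE-2099-xxxx placeholder identifiers, the findings and the organizations are all constructed.

```python
"""Join scanner findings with a KEV-shaped catalog and emit ransomware-focused
notifications. Added example; not CISA's code. All data below is constructed."""
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed. The CVE IDs are
# CVE-2099-xxxx placeholders, not real catalog entries.
KEV_JSON = """
{
  "title": "constructed sample catalog",
  "vulnerabilities": [
    {"cveID": "CVE-2099-0001", "vendorProject": "ExampleCo", "product": "EdgeGateway",
     "dateAdded": "2024-01-10", "dueDate": "2024-01-31",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2099-0002", "vendorProject": "ExampleCo", "product": "MailRelay",
     "dateAdded": "2024-02-01", "dueDate": "2024-02-22",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2099-0003", "vendorProject": "OtherCorp", "product": "VPNBox",
     "dateAdded": "2024-03-15", "dueDate": "2024-04-05",
     "knownRansomwareCampaignUse": "Known"}
  ]
}
"""

# Constructed scanner output: internet-facing hosts and the CVEs detected on them.
SCAN_FINDINGS = [
    {"org": "City Water Utility", "host": "203.0.113.10", "cves": ["CVE-2099-0001", "CVE-2099-0002"]},
    {"org": "County Hospital", "host": "203.0.113.20", "cves": ["CVE-2099-0002"]},
    {"org": "Regional Transit", "host": "203.0.113.30", "cves": ["CVE-2099-0003", "CVE-2099-9999"]},
]


def load_kev(text):
    """Index the catalog by CVE ID."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def ransomware_cves(kev):
    """CVE IDs the catalog marks as used in known ransomware campaigns."""
    return {cid for cid, v in kev.items() if v.get("knownRansomwareCampaignUse") == "Known"}


def build_notifications(findings, kev, today):
    """One notification per host exposing a ransomware-linked KEV entry.
    `today` is an ISO date string used to flag entries past their due date."""
    today_d = date.fromisoformat(today)
    hot = ransomware_cves(kev)
    notes = []
    for f in findings:
        hits = sorted(set(f["cves"]) & hot)
        if not hits:
            continue  # nothing ransomware-linked; leave to routine patching
        items = []
        for cid in hits:
            v = kev[cid]
            items.append({
                "cve": cid,
                "product": f"{v['vendorProject']} {v['product']}",
                "overdue": today_d > date.fromisoformat(v["dueDate"]),
            })
        notes.append({"org": f["org"], "host": f["host"], "items": items})
    return notes


def mitigation_rate(notified_hosts, rescan_findings, kev):
    """Share of notified hosts that no longer expose a ransomware-linked CVE on
    rescan (patched, compensating control, or taken offline all count)."""
    if not notified_hosts:
        return 0.0
    hot = ransomware_cves(kev)
    still_exposed = {f["host"] for f in rescan_findings if set(f["cves"]) & hot}
    fixed = [h for h in notified_hosts if h not in still_exposed]
    return len(fixed) / len(notified_hosts)


if __name__ == "__main__":
    catalog = load_kev(KEV_JSON)
    for n in build_notifications(SCAN_FINDINGS, catalog, "2024-03-20"):
        print(n)
```

In practice the scanner side is the hard part (accurate product and version fingerprinting from the outside); the join itself is simple, and the "overdue" flag is useful because KEV due dates are binding on federal agencies and a sensible prioritization cue for everyone else.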

image for CISA Warns of High-R ...

 Cybersecurity News

CISA (Cybersecurity & Infrastructure Security Agency) has shared an ICS (Industrial Control Systems) advisory regarding several vulnerabilities in Honeywell products, including Experion PKS, Experion LX, PlantCruise by Experion, Safety Manager, and Safety Manager SC. The advisory outlines multiple

vulnerabilities that could lead to remote code execution, privilege escalation, and sensitive information disclosure. The affected products are deployed in the chemical, critical manufacturing, energy, and water and wastewater systems sectors worldwide. Honeywell has released updates addressing these vulnerabilities, and CISA advises users to upgrade to the recommended versions to mitigate risk.

CISA-Listed Honeywell Product Vulnerabilities of High Severity

The ICS advisory lists vulnerabilities of several types, with CVSS v4 base scores ranging from medium to critical:

Exposed Dangerous Method or Function (CWE-749): CVE-2023-5389 (CVSS v4 base score: 8.8) could be exploited to modify files on Experion controllers or SMSC S300, potentially leading to unexpected behavior or execution of malicious applications.
Absolute Path Traversal (CWE-36): CVE-2023-5390 (CVSS v4 base score: 6.9) allows attackers to read files from Experion controllers or SMSC S300, exposing limited information from the device.
Stack-based Buffer Overflow (CWE-121): CVE-2023-5407 (CVSS v4 base score: 8.3) could enable attackers to cause denial of service or achieve remote code execution on Experion controllers, ControlEdge PLC, Safety Manager, or SMSC S300 through crafted messages. CVE-2023-5395, CVE-2023-5401 and CVE-2023-5403 (CVSS v4 base score: 9.2) could be used for similar attacks on Experion Servers and Stations.
Binding to an Unrestricted IP Address (CWE-1327): CVE-2023-5398 (CVSS v4 base score: 8.7) in Experion Servers or Stations could allow an attacker to induce a denial-of-service condition using specially crafted messages over the host network.
Debug Messages Revealing Unnecessary Information (CWE-1295): CVE-2023-5392 (CVSS v4 base score: 8.7) could be exploited to extract more information than required from memory over the network.
Out-of-bounds Write (CWE-787): CVE-2023-5406 (CVSS v4 base score: 8.2) could allow attacker-controlled manipulation of messages from controllers, leading to denial of service or remote code execution over host networks. CVE-2023-5405 (CVSS v4 base score: 6.9) in Experion Servers or Stations could result in information leaks during error generation.
Heap-based Buffer Overflow (CWE-122): CVE-2023-5400 and CVE-2023-5404 (CVSS v4 base score: 9.2), both in Experion Servers or Stations, could allow denial of service or remote code execution via crafted messages.
Improper Input Validation (CWE-20): CVE-2023-5397 (CVSS v4 base score: 9.2) enables denial of service or remote code execution via specially crafted messages.
Buffer Access with Incorrect Length Value (CWE-805): CVE-2023-5396 (CVSS v4 base score: 8.3) enables denial of service or remote code execution via specially crafted messages.
Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119): CVE-2023-5394 (CVSS v4 base score: 8.3) in Experion Servers or Stations enables denial of service or remote code execution via specially crafted messages.
Improper Handling of Length Parameter Inconsistency (CWE-130): CVE-2023-5393 (CVSS v4 base score: 9.2) in Experion Servers or Stations allows denial of service or remote code execution via specially crafted messages.

CISA Shares Mitigations for Honeywell Product Vulnerabilities

CISA has advised affected Honeywell customers to upgrade immediately to the fixed versions of the software referenced in Honeywell's Security Notice. CISA additionally recommends that users reduce the risk of exploitation by enforcing proper user privilege restrictions, minimizing network exposure of control system devices, and segmenting networks so that control systems and remote devices sit behind firewalls, isolated from enterprise networks.
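Several of the entries above (CWE-130, CWE-805, CWE-121, CWE-122) are the classic consequences of a message parser trusting attacker-supplied length fields. The following added example is not Honeywell's code or protocol; it assumes a hypothetical framed format (a 7-byte header of total length, message type and payload length, followed by the payload) and contrasts a parser that trusts the lengths with one that cross-checks them against the header size, a fixed buffer bound and the bytes actually received. In Python the naive parser "only" misframes and leaks the next frame's bytes; the same trust in a C implementation with a fixed receive buffer is the overflow the advisory describes.

```python
"""Length-field cross-checks in a framed message parser. Added example for a
hypothetical protocol; it is not Honeywell's code or message format."""
import struct

# Hypothetical frame: total_len (u32 LE, includes the header), msg_type (u8),
# payload_len (u16 LE), then payload bytes.
HEADER = struct.Struct("<IBH")
MAX_FRAME = 4096  # assumed bound a fixed-size receive buffer would impose


class FrameError(ValueError):
    """Raised by the checked parser when a frame's length fields disagree."""


def frame(msg_type, payload):
    """Build a well-formed frame."""
    return HEADER.pack(HEADER.size + len(payload), msg_type, len(payload)) + payload


def parse_frames_unchecked(buf):
    """Trusts both length fields (the CWE-130 / CWE-805 pattern). A frame whose
    payload_len exceeds total_len - header makes this parser read the next
    frame's bytes as payload and then resynchronise in the wrong place. Shown
    for contrast only; never feed it untrusted input (total_len == 0 never
    advances, so the loop spins forever)."""
    out, off = [], 0
    while off + HEADER.size <= len(buf):
        total_len, msg_type, payload_len = HEADER.unpack_from(buf, off)
        start = off + HEADER.size
        out.append((msg_type, bytes(buf[start:start + payload_len])))
        off += total_len  # attacker-controlled stride
    return out


def parse_frames_checked(buf):
    """Validate every length against the header size, the buffer bound and the
    bytes actually present before using it."""
    out, off, n = [], 0, len(buf)
    while off < n:
        if n - off < HEADER.size:
            raise FrameError(f"truncated header at offset {off}")
        total_len, msg_type, payload_len = HEADER.unpack_from(buf, off)
        if total_len < HEADER.size:
            raise FrameError(f"total_len {total_len} smaller than header")
        if total_len > MAX_FRAME:
            raise FrameError(f"total_len {total_len} exceeds MAX_FRAME")
        if total_len > n - off:
            raise FrameError(f"total_len {total_len} exceeds {n - off} bytes available")
        if payload_len != total_len - HEADER.size:
            raise FrameError(f"payload_len {payload_len} disagrees with total_len {total_len}")
        start = off + HEADER.size
        out.append((msg_type, bytes(buf[start:start + payload_len])))
        off += total_len
    return out


def is_valid_stream(buf):
    """True if the checked parser accepts the whole stream."""
    try:
        parse_frames_checked(buf)
        return True
    except FrameError:
        return False


# Constructed inputs: a clean stream, and one whose second frame claims a
# five-byte payload while its total_len says there is none.
GOOD_STREAM = frame(1, b"abc") + frame(3, b"zz")
EVIL_STREAM = frame(1, b"abc") + HEADER.pack(HEADER.size, 2, 5) + frame(3, b"zz")

if __name__ == "__main__":
    print(parse_frames_checked(GOOD_STREAM))
    print(parse_frames_unchecked(EVIL_STREAM))  # frame 2's "payload" is frame 3's header
    print(is_valid_stream(EVIL_STREAM))
```

The order of the checks matters: the minimum-size test guards the stride, the MAX_FRAME test guards the destination buffer, the remaining-bytes test guards the source buffer, and the consistency test catches the two fields disagreeing with each other. Dropping any one of them reintroduces one of the CWE classes listed in the advisory.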

image for St-Jerome Company Ta ...

 Firewall Daily

The infamous Everest ransomware group has struck again, this time targeting Les Miroirs St-Antoine Inc., a long-standing company based in the St-Jérôme region. As of now, the extent of the data breach, the level of data compromise, and the motive behind the cyberattack on Les Miroirs St-Antoine remain undisclosed by

the ransomware group.

Founded in 1956, Les Miroirs St-Antoine is a family-owned business specializing in the design, manufacturing, installation, and repair of glazing and aluminum products for the commercial, industrial, and institutional sectors. The company now allegedly faces the daunting challenge of navigating the aftermath of this cyberattack.

Cyberattack on Les Miroirs St-Antoine Remains Unverified

The Everest ransomware group has issued an ultimatum, stating that Les Miroirs St-Antoine Inc. has 24 hours to contact them using the provided instructions, and that failure to comply will result in the publication of all stolen data. "Company has the last 24 hours to contact us using the instructions left. In case of silence, all data will be published here," reads the post by the Everest ransomware group. This tactic, known as double extortion, is characteristic of the group's modus operandi.

(Image source: X)

To investigate further, The Cyber Express Team (TCE) attempted to access Les Miroirs St-Antoine's official website and found it fully functional, indicating no immediate visible signs of compromise. However, this does not discount the possibility of covert access to sensitive company data. TCE has reached out to company officials for clarification but has yet to receive an official response.

The Everest ransomware group has been a prominent threat since December 2020. Operating primarily in Russian-speaking circles, the group targets organizations across various industries and regions, with high-profile victims including NASA and the Brazilian government.

The Persistent Threat of Everest Ransomware

Known for its data exfiltration techniques, Everest often demands a ransom not only for decrypting the victim's files but also for refraining from releasing stolen information to the public. This approach maximizes pressure on victims to pay, as the consequences of data exposure can be severe. Experts have linked Everest ransomware to other cyber threats, such as the Everbe 2.0 and BlackByte families. The group's tactics include leveraging compromised user accounts and exploiting the Remote Desktop Protocol (RDP) for lateral movement within targeted networks.

Everest's reach extends beyond private corporations: the group has also targeted government offices in various countries, including Argentina, Peru, and Brazil, demonstrating its willingness to target entities regardless of their size or prominence.

The cyberattack on Les Miroirs St-Antoine Inc. highlights the need for organizations to strengthen their defenses, including strong security controls, regular vulnerability assessments, and comprehensive employee training to reduce the risk of human error. Proactive monitoring and threat intelligence sharing among organizations can help identify and respond to threats more effectively, and collaboration between the public and private sectors is essential in combating groups like Everest. The attack on Les Miroirs St-Antoine Inc. serves as a reminder of the ever-present threat posed by cybercriminals.
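The RDP lateral-movement tradecraft attributed to Everest above leaves a recognisable trail: each host reached records a Windows Security event 4624 with logon type 10 (RemoteInteractive). The following added example (not Everest tooling, and not code from the original article) runs a simple fan-out detection over constructed JSON-lines events: an account that logs on over RDP to three or more distinct hosts within 30 minutes is flagged, together with the source addresses it came from. Field names follow the Windows event schema; the users, hosts, addresses and thresholds are assumptions.

```python
"""Flag accounts fanning out over RDP across many hosts in a short window.
Added example of a detection a SOC might run over Windows Security events;
it is not Everest tooling or code from the original article."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed JSON-lines sample. Field names mirror the Windows Security log:
# EventID 4624 = successful logon, LogonType 10 = RemoteInteractive (RDP).
# Users, hosts and addresses are made up.
SAMPLE_LOG = """\
{"TimeCreated":"2024-04-25T01:02:10Z","EventID":4624,"LogonType":10,"TargetUserName":"svc_backup","IpAddress":"10.0.5.23","Computer":"FS01"}
{"TimeCreated":"2024-04-25T01:06:44Z","EventID":4624,"LogonType":10,"TargetUserName":"svc_backup","IpAddress":"10.0.5.23","Computer":"SQL02"}
{"TimeCreated":"2024-04-25T01:11:05Z","EventID":4624,"LogonType":10,"TargetUserName":"svc_backup","IpAddress":"10.0.5.23","Computer":"DC01"}
{"TimeCreated":"2024-04-25T01:15:30Z","EventID":4624,"LogonType":10,"TargetUserName":"svc_backup","IpAddress":"10.0.5.23","Computer":"APP03"}
{"TimeCreated":"2024-04-25T08:30:00Z","EventID":4624,"LogonType":10,"TargetUserName":"jdoe","IpAddress":"10.0.7.14","Computer":"WS-JDOE"}
{"TimeCreated":"2024-04-25T09:10:00Z","EventID":4624,"LogonType":2,"TargetUserName":"jdoe","IpAddress":"-","Computer":"WS-JDOE"}
{"TimeCreated":"2024-04-25T10:00:00Z","EventID":4624,"LogonType":10,"TargetUserName":"admin_it","IpAddress":"10.0.7.99","Computer":"FS01"}
{"TimeCreated":"2024-04-25T16:00:00Z","EventID":4624,"LogonType":10,"TargetUserName":"admin_it","IpAddress":"10.0.7.99","Computer":"SQL02"}
{"TimeCreated":"2024-04-25T22:00:00Z","EventID":4624,"LogonType":10,"TargetUserName":"admin_it","IpAddress":"10.0.7.99","Computer":"DC01"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with TimeCreated as a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["TimeCreated"] = datetime.strptime(e["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def rdp_logons(events):
    """Successful RemoteInteractive logons only."""
    return [e for e in events if e["EventID"] == 4624 and e["LogonType"] == 10]


def detect_rdp_fanout(events, window_minutes=30, min_hosts=3):
    """Alert when one account logs on over RDP to >= min_hosts distinct hosts
    within any sliding window of window_minutes."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for e in rdp_logons(events):
        by_user[e["TargetUserName"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["TimeCreated"])
        best, start = set(), 0
        for end in range(len(evs)):
            # advance the window start until the span fits
            while evs[end]["TimeCreated"] - evs[start]["TimeCreated"] > window:
                start += 1
            hosts = {e["Computer"] for e in evs[start:end + 1]}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_hosts:
            alerts.append({
                "user": user,
                "hosts": sorted(best),
                "sources": sorted({e["IpAddress"] for e in evs}),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_rdp_fanout(parse_events(SAMPLE_LOG)):
        print(f"RDP fan-out: {a['user']} -> {', '.join(a['hosts'])} from {a['sources']}")
```

In the sample, the service account reaching four servers in thirteen minutes at 01:00 is flagged, while the administrator who touches three servers across a whole working day is not. Tune the window and host count to your environment, exclude known jump hosts, and treat the alert as a pivot point for looking at the same account's failed logons (4625) and first-seen source addresses rather than as proof of compromise on its own.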

image for Russian State Hacker ...

 Cyber Essentials

With more than 2 billion voters ready to cast a vote this year across more than 60 nations, including the U.S., U.K. and India, Russian state hackers pose the biggest cyber threat to election security, researchers said. Google-owned Mandiant in a detailed report stated with "high confidence" that Russian

state-sponsored cyber threat activity poses the greatest risk to elections in regions with Russian interest. "Multiple Russian groups have targeted past elections in the U.S., France, and Ukraine, and these groups have continued to demonstrate the capability and intent to target elections both directly and indirectly," Mandiant said.

Why Russia is the Biggest Cyber Threat to Election Security

Russia's approach to election interference is multifaceted, blending cyber intrusion activities with information operations aimed at influencing public perceptions and sowing discord. State-sponsored cyber threat actors such as APT44, better known as the cyber sabotage unit Sandworm, and APT28 have a history of targeting elections in the U.S. and Europe. These actors employ hybrid operations, combining cyber espionage with hack-and-leak tactics to achieve their objectives.

The 2016 U.S. presidential election is a prime example of Russia's cyber interference capabilities, as per Mandiant. APT28, linked to Russia's military intelligence agency, the GRU, compromised Democratic Party organizations and orchestrated a leak campaign to influence the election's outcome. Similarly, in Ukraine, APT44 conducted disruptive cyber operations during the 2014 presidential election, aiming to undermine trust in the electoral process.

Jamie Collier, Mandiant senior threat intelligence advisor, said, "One group to watch out for is UNC5101 that has conducted notable hybrid operations in the past." Mandiant reports UNC5101 engaging in cyber espionage against political targets across Europe, the Palestinian Territories, and the U.S. The actor has also used spoofed Ukrainian government domains to spread false narratives directly to government employees' inboxes. Before Russia's 2023 and 2024 elections, UNC5101 registered domains related to opposition figures like Alexei Navalny and likely conducted information operations to deceive voters.

Russian state-aligned cyber threat actors target election-related infrastructure for various reasons, including applying pressure on foreign governments, amplifying issues aligned with Russia's national interests, and retaliating against perceived adversaries. Groups like APT28 and UNC4057 conduct cyber espionage and information operations to achieve these objectives, Mandiant said.

Beijing's Interest in Information Operations

Collier noted that state threats to elections are far more than just a Russia problem. "For instance, we have seen pro-China information operations campaigns carry out election-related activity in the US, Taiwan, and Hong Kong," Collier said. China's approach to election cybersecurity focuses on intelligence collection and influence operations that promote narratives favorable to the Chinese Communist Party (CCP). State-sponsored actors like TEMP.Hex have targeted elections in Taiwan, using cyber espionage to gather critical information and information operations to shape public discourse, Mandiant's analysis found. In the lead-up to Taiwan's 2024 presidential election, Chinese threat actors intensified cyber espionage activities, targeting government, technology, and media organizations. Concurrently, pro-PRC information operations sought to discredit candidates perceived as unfriendly to China, using fabricated leaks and disinformation campaigns to sway public opinion, which the Taiwanese government itself confirmed.

Watch Out for Iran's Espionage and Influence Campaigns

Iranian state hackers are another group of threat actors to watch for their cyber espionage and influence campaigns, Mandiant noted. "[Iran's] campaigns will rise as elections approach in key nations of interest to the Islamic Republic, such as counterparts in the currently stalled nuclear negotiations, and countries offering support to Israel during current fighting in Gaza," Mandiant said. During the 2020 U.S. presidential election, Iran attempted to compromise state voter registration websites and disseminate false information. The U.S. Department of Justice charged two Iranian nationals in 2021 for their involvement in this campaign. Pro-Iranian influence campaigns, including Liberty Front Press and Roaming Mayfly, target global audiences with anti-U.S. and anti-Israeli propaganda, amplifying partisan divisions and fostering distrust in democracies, Mandiant said.

Diverse Targets, Multiple Vectors

Securing elections requires protecting not only voting machines and voter registries but also the wide range of entities involved in the electoral process. Political parties, news media, and social media platforms are frequent targets of cyber operations and form part of the election attack surface.

(Image credit: Mandiant)

Cyber threat actors are increasingly employing hybrid operations, combining multiple tactics to amplify their impact. Examples from past elections, such as the Ukrainian presidential election in 2014, illustrate the use of a combination of cyber intrusions, data leaks, and DDoS attacks to disrupt electoral processes. Accordingly, Mandiant detailed the threat vectors likely to be used in the upcoming election season:

(Image credit: Mandiant)

The threats posed by Russian, Chinese, and Iranian state actors to election cybersecurity are complex and multifaceted. By understanding the tactics and objectives of these actors, election organizations can develop effective mitigation strategies to safeguard democratic processes. Addressing these threats, however, requires a concerted effort involving international cooperation and a commitment to upholding the integrity of democratic elections worldwide. In line with this, U.S. agencies recently released guidance on defending the integrity of democratic processes.
The guidance extensively details common tactics seen in foreign malign influence operations, offering real-world instances and suggesting possible countermeasures for stakeholders in election infrastructure. Though many of these tactics aren't new, the widespread use of generative artificial intelligence (AI) has notably amplified adversaries' ability to produce and spread persuasive malicious content, the guidance said. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.


 Business

You've probably received more than a few spam or phishing emails from addresses belonging to seemingly reputable organizations. This may have left you wondering how attackers manage this feat, and perhaps even concerned whether anyone out there sends malicious emails under your own company's name. The good news is that several technologies exist to combat emails sent on someone else's behalf: Sender Policy Framework (SPF); DomainKeys Identified Mail (DKIM); and Domain-based Message Authentication, Reporting, and Conformance (DMARC). The not-so-good news is that attackers occasionally discover ways to bypass these safeguards. This post looks at one such technique that spammers use to send emails from the addresses of real organizations: domain hijacking.

SubdoMailing campaign and corporate domain hijacking

Researchers at Guardio Labs have uncovered a large-scale spam campaign that they've dubbed SubdoMailing. This campaign, ongoing since at least 2022, involves over 8,000 domains and 13,000 subdomains previously owned by legitimate companies, along with nearly 22,000 unique IP addresses. The researchers estimate the average volume of spam at around five million emails daily. The SubdoMailing operators are constantly on the lookout for suitable expired corporate domains, and once they find some they re-register them — typically capturing several dozen legitimate domains daily. The record stands at 72 hijacked domains in a single day — back in June 2023. To avoid landing on spam lists, the attackers rotate them constantly. Each domain is used for spam distribution for 1–2 days before going dormant for an extended period while the spammers switch to the next. After a couple of days, this one too is temporarily retired, and another takes its place.

Hijacking domains with a custom CNAME

So, how exactly do threat actors go about exploiting hijacked domains? One method involves targeting domains with a custom canonical name (CNAME) record. A CNAME is a type of DNS record used to redirect one domain name to another. The simplest example of a CNAME record is the www subdomain, which usually redirects to the main domain, like this:

www.company.com -> company.com

However, more complex scenarios exist where a CNAME record redirects a subdomain to a completely separate domain. For example, this could be a promotional website hosted on a different domain but integrated into the company's overall web resource structure with a CNAME record:

promo.company.com -> company2020promo.com

Large companies with extensive web resources may have multiple CNAME records and corresponding domains. The problem is that administrators cannot always keep track of them all. As such, a situation can arise where a domain has expired but its CNAME record lives on. These are the kind of domains that the cybercriminals behind the SubdoMailing campaign are eager to harvest. They hunt for abandoned domains that still have active CNAME records referencing the large companies that once owned them.

Let's take company2020promo.com from our example. Say the company abandoned this domain after a promotional campaign several years ago, but the administrators forgot to remove the CNAME record. This allows threat actors to register the domain to themselves and automatically gain control over the promo.company.com subdomain. That done, they gain the ability to authorize mail servers located at IP addresses they own to send emails from the promo.company.com subdomain — effectively inheriting the reputation of the primary domain, company.com.

Exploiting SPF records

The second tactic employed by the SubdoMailing attackers involves exploiting SPF records. SPF (Sender Policy Framework — an extension of the SMTP protocol) records list the IP addresses and domains authorized to send emails from a particular domain. Again, it's perfectly normal for large organizations to include a multitude of addresses and domains in this list for various purposes. This may include external domains that either do not belong to the company at all, or are used for some specific purpose: temporary projects, mass mailing tools, user survey platforms, and the like. Similar to the CNAME scenario, it may happen that the domain registration has expired, but someone forgot to remove the said domain from the SPF record. Domains like these are also prized by threat actors.

For our example company.com, let's say the SPF record also includes some external domain like customersurveytool.com, belonging to a user-survey service. Now, imagine this service no longer exists, the domain registration has expired, and the administrators forgot to update the SPF record. By registering the abandoned customersurveytool.com domain, attackers gain the ability to send emails not just from a subdomain, but from the company's primary domain, company.com.

Examples of domain hijacking in the SubdoMailing campaign

How such problems can arise can be illustrated by the case of msnmarthastewartsweeps.com. The Microsoft Network (MSN) portal once collaborated with celebrity chef Martha Stewart on a project promoting MSN Messenger (remember that?) through prize giveaways. The project's website used the subdomain marthastewart.msn.com, which redirected to the external domain msnmarthastewartsweeps.com through a CNAME record. Here's what marthastewart.msn.com looked like when it was live.

[Image: marthastewart.msn.com while it was live. Source]

As you might guess, the msnmarthastewartsweeps.com domain registration eventually expired, but the MSN administrators failed to remove the corresponding CNAME record. In 2022, attackers discovered this domain, registered it, and gained the ability to send emails from marthastewart.msn.com, leveraging the reputation of none other than the Microsoft Network for their own purposes.

How to guard against SubdoMailing

To prevent domain hijacking and spamming in your company's name, we recommend the following:
- Implement SPF, DKIM, and DMARC.
- Regularly inventory your company's web resources, including domains.
- Ensure timely renewal of active domain registrations.
- Remove outdated DNS records.
- Update SPF records by removing unused addresses and domains authorized to send emails on your company's behalf.
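An added example (not code from the Kaspersky post or from Guardio Labs) that audits the two weak points described above from the domain owner's side: it walks a domain's SPF delegations (include:, redirect=, a:, mx:) and its CNAME targets and reports every referenced domain that no longer resolves. The zone data, the .example vendor name and the resolver stub are constructed so the script runs offline; in production, pass a resolver backed by a real DNS client.

```python
import re
from typing import Callable, Dict, List, Optional, Set

# resolve(name, rrtype) -> record values, or None when the name has no data.
Resolver = Callable[[str, str], Optional[List[str]]]

# Constructed zone data for company.com (not real DNS). customersurveytool.com
# and company2020promo.com are deliberately absent: their registrations expired.
SAMPLE_ZONE: Dict[tuple, List[str]] = {
    ("company.com", "A"): ["203.0.113.10"],
    ("company.com", "TXT"): ["v=spf1 ip4:203.0.113.0/24 "
                             "include:_spf.mailvendor.example "
                             "include:customersurveytool.com -all"],
    ("_spf.mailvendor.example", "TXT"): ["v=spf1 ip4:198.51.100.0/24 -all"],
    ("www.company.com", "CNAME"): ["company.com"],
    ("promo.company.com", "CNAME"): ["company2020promo.com"],
}

def sample_resolver(name: str, rrtype: str) -> Optional[List[str]]:
    """Offline stand-in for a DNS client; swap in a real one in production."""
    return SAMPLE_ZONE.get((name.lower().rstrip("."), rrtype))

def is_live(name: str, resolve: Resolver) -> bool:
    """Treat a name as still registered if any common record type has data."""
    return any(resolve(name, t) for t in ("A", "AAAA", "CNAME", "MX", "TXT"))

# SPF terms that hand sending authority to another domain: include:, redirect=,
# a:<domain>, mx:<domain>. ip4/ip6/all/exists/ptr are skipped; CIDR suffixes dropped.
DELEGATING = re.compile(r"^[+\-~?]?(include|redirect|a|mx)[:=]([^/]+)")

def spf_delegations(domain: str, resolve: Resolver,
                    seen: Optional[Set[str]] = None) -> Dict[str, str]:
    """Map each domain trusted by `domain`'s SPF policy to the mechanism that
    trusts it, following include: and redirect= recursively."""
    seen = set() if seen is None else seen
    found: Dict[str, str] = {}
    for txt in resolve(domain, "TXT") or []:
        if not txt.lower().startswith("v=spf1"):
            continue
        for term in txt.split()[1:]:
            match = DELEGATING.match(term)
            if not match:
                continue
            mech, target = match.group(1), match.group(2).lower()
            if target in seen:
                continue  # loop guard; real SPF evaluation also caps lookups at 10
            seen.add(target)
            found[target] = mech
            if mech in ("include", "redirect"):
                found.update(spf_delegations(target, resolve, seen))
    return found

def dangling_spf_targets(domain: str, resolve: Resolver) -> List[str]:
    """SPF-trusted domains nobody holds any more: whoever re-registers one can
    publish its own SPF record and pass SPF checks while sending as `domain`."""
    return sorted(t for t in spf_delegations(domain, resolve)
                  if not is_live(t, resolve))

def dangling_cnames(names: List[str], resolve: Resolver) -> Dict[str, str]:
    """CNAMEs whose target no longer resolves; re-registering the target takes
    over the subdomain, and with it the mail reputation it inherits."""
    return {n: t for n in names for t in (resolve(n, "CNAME") or [])
            if not is_live(t, resolve)}

if __name__ == "__main__":
    print("dangling SPF targets:", dangling_spf_targets("company.com", sample_resolver))
    print("dangling CNAMEs:", dangling_cnames(
        ["www.company.com", "promo.company.com"], sample_resolver))
```

Feed the inventory of your own zones into `dangling_cnames` and each mail-sending domain into `dangling_spf_targets`; every hit is a record to remove or a registration to renew.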


 News

Episode 344 of the Transatlantic Cable podcast kicks off with news that Grindr is being sued for sharing sensitive user data with third parties. From there, the team talk about news from the U.K., which shows that a third of 5-7-year-old children already have their own mobile phones. To wrap up, the team talk about news that Meta AI is now inserting itself into Facebook group chats, but it doesn't always go to plan. If you like what you heard, please consider subscribing.

Grindr sued for allegedly revealing users' HIV status
Ofcom: Almost a quarter of kids aged 5-7 have smartphones
Meta's AI tells Facebook user it has disabled, gifted child in response to parent asking for advice

 Malware and Vulnerabilities

First discovered in 2022, Godfather — which can record screens and keystrokes, intercept 2FA calls and texts, initiate bank transfers, and more — has quickly become one of the most widespread malware-as-a-service offerings in cybercrime.

 Companies to Watch

The round was led by existing investor General Atlantic, with participation from other major investors StepStone Group and the D. E. Shaw group. The company intends to use the funds to drive product innovation and accelerate its global expansion.

 Malware and Vulnerabilities

The malware is delivered through a fake Google Chrome update that is shown while using the web browser. Brokewell is under active development and features a mix of extensive device takeover and remote control capabilities.

 Feed

Ubuntu Security Notice 6754-1 - It was discovered that nghttp2 incorrectly handled the HTTP/2 implementation. A remote attacker could possibly use this issue to cause nghttp2 to consume resources, leading to a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. It was discovered that nghttp2 incorrectly handled request cancellation. A remote attacker could possibly use this issue to cause nghttp2 to consume resources, leading to a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.

 Feed

Ubuntu Security Notice 6753-1 - Thomas Neil James Shadwell discovered that CryptoJS was using an insecure cryptographic default configuration. A remote attacker could possibly use this issue to expose sensitive information.

 Feed

Debian Linux Security Advisory 5674-1 - It was discovered that PDNS Recursor, a resolving name server, was susceptible to denial of service if recursive forwarding is configured.

 Feed

Ubuntu Security Notice 6751-1 - It was discovered that Zabbix incorrectly handled input data in the discovery and graphs pages. A remote authenticated attacker could possibly use this issue to perform reflected cross-site scripting attacks.

 Feed

Ubuntu Security Notice 6752-1 - It was discovered that FreeRDP incorrectly handled certain memory operations. If a user were tricked into connecting to a malicious server, a remote attacker could possibly use this issue to cause FreeRDP to crash, resulting in a denial of service.

 Feed

Red Hat Security Advisory 2024-2063-03 - An update for yajl is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include buffer overflow, integer overflow, and memory leak vulnerabilities.

 Feed

Red Hat Security Advisory 2024-1899-03 - Red Hat OpenShift Container Platform release 4.12.56 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.

 Feed

Red Hat Security Advisory 2024-1896-03 - Red Hat OpenShift Container Platform release 4.12.56 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include denial of service and traversal vulnerabilities.

 Feed

Red Hat Security Advisory 2024-1892-03 - Red Hat OpenShift Container Platform release 4.15.10 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.

 Feed

Red Hat Security Advisory 2024-1887-03 - Red Hat OpenShift Container Platform release 4.15.10 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.

 Feed

Threat actors are attempting to actively exploit a critical security flaw in the WP‑Automatic plugin for WordPress that could allow site takeovers. The shortcoming, tracked as CVE-2024-27956, carries a CVSS score of 9.9 out of a maximum of 10. It impacts all versions of the plugin prior to 3.9.2.0. "This vulnerability, a SQL injection (SQLi) flaw, poses a severe threat as

 Feed

In today's digital world, where connectivity rules all, endpoints serve as the gateway to a business's digital kingdom. And because of this, endpoints are one of hackers' favorite targets. According to the IDC, 70% of successful breaches start at the endpoint. Unprotected endpoints provide vulnerable entry points to launch devastating cyberattacks. With IT

 Feed

Fake browser updates are being used to push a previously undocumented Android malware called Brokewell. "Brokewell is a typical modern banking malware equipped with both data-stealing and remote-control capabilities built into the malware," Dutch security firm ThreatFabric said in an analysis published Thursday. The malware is said to be in active development,

 Feed

Palo Alto Networks has shared remediation guidance for a recently disclosed critical security flaw impacting PAN-OS that has come under active exploitation. The vulnerability, tracked as CVE-2024-3400 (CVSS score: 10.0), could be weaponized to obtain unauthenticated remote shell command execution on susceptible devices. It has been addressed in

 Feed

Several security vulnerabilities disclosed in Brocade SANnav storage area network (SAN) management application could be exploited to compromise susceptible appliances. The 18 flaws impact all versions up to and including 2.3.0, according to independent security researcher Pierre Barre, who discovered and reported them. The issues range from incorrect firewall rules,

 Cyber Security News

Source: thehackernews.com – Author: . Apr 25, 2024 | Newsroom | Malware / Cyber Threat. The North Korea-linked threat actor known as Lazarus Group employed its time-tested fabricated job lures to deliver a new remote access trojan called Kaolin RAT as part of attacks targeting specific individuals in the Asia region in summer 2023. The malware could, “aside from […] The post North Korea’s Lazarus Group Deploys New Kaolin RAT via Fake Job Lures – Source: thehackernews.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 Cyber Security News

Source: thehackernews.com – Author: . Follow this real-life network attack simulation, covering 6 steps from Initial Access to Data Exfiltration. See how attackers remain undetected with the simplest tools and why you need multiple choke points in your defense strategy. Surprisingly, most network attacks are not exceptionally sophisticated, technologically advanced, or reliant on zero-day tools […] The post Network Threats: A Step-by-Step Attack Demonstration – Source: thehackernews.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 Arrests

Source: thehackernews.com – Author: . Apr 25, 2024 | Newsroom | Cryptocurrency / Cybercrime. The U.S. Department of Justice (DoJ) on Wednesday announced the arrest of two co-founders of a cryptocurrency mixer called Samourai and seized the service for allegedly facilitating over $2 billion in illegal transactions and for laundering more than $100 million in criminal proceeds. To that […] The post DOJ Arrests Founders of Crypto Mixer Samourai for $2 Billion in Illegal Transactions – Source: thehackernews.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 Cyber Security News

Source: thehackernews.com – Author: . Apr 25, 2024 | Newsroom | Technology / Privacy. Google has once again pushed back its plans to deprecate third-party tracking cookies in its Chrome web browser as it works to address outstanding competition concerns from U.K. regulators over its Privacy Sandbox initiative. The tech giant said it’s working closely with the U.K. Competition and […] The post Google Postpones Third-Party Cookie Deprecation Amid U.K. Regulatory Scrutiny – Source: thehackernews.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 Cyber Security News

Source: thehackernews.com – Author: . Apr 25, 2024 | Newsroom | Vulnerability / Zero-Day. A new malware campaign leveraged two zero-day flaws in Cisco networking gear to deliver custom malware and facilitate covert data collection on target environments. Cisco Talos, which dubbed the activity ArcaneDoor, attributed it as the handiwork of a previously undocumented sophisticated state-sponsored actor it tracks […] The post State-Sponsored Hackers Exploit Two Cisco Zero-Day Vulnerabilities for Espionage – Source: thehackernews.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 Cyber Security News

Source: thehackernews.com – Author: . Apr 24, 2024 | Newsroom | Cyber Attack / Cyber Espionage. The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) on Monday sanctioned two firms and four individuals for their involvement in malicious cyber activities on behalf of the Iranian Islamic Revolutionary Guard Corps Cyber Electronic Command (IRGC-CEC) from at least 2016 to […] The post U.S. Treasury Sanctions Iranian Firms and Individuals Tied to Cyber Attacks – Source: thehackernews.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 Cyber Security News

Source: thehackernews.com – Author: . Apr 24, 2024 | Newsroom | Malware / Endpoint Security. Cybersecurity researchers have discovered an ongoing attack campaign that’s leveraging phishing emails to deliver a malware called SSLoad. The campaign, codenamed FROZEN#SHADOW by Securonix, also involves the deployment of Cobalt Strike and the ConnectWise ScreenConnect remote desktop software. “SSLoad is designed to stealthily infiltrate […] The post Researchers Detail Multistage Attack Hijacking Systems with SSLoad, Cobalt Strike – Source: thehackernews.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 A Little Sunshine

Source: krebsonsecurity.com – Author: BrianKrebs. The head of counterintelligence for a division of the Russian Federal Security Service (FSB) was sentenced last week to nine years in a penal colony for accepting a USD 1.7 million bribe to ignore the activities of a prolific Russian cybercrime group that hacked thousands of e-commerce websites. The protection […] The post Russian FSB Counterintelligence Chief Gets 9 Years in Cybercrime Bribery Scheme – Source: krebsonsecurity.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
