Google released a new Chrome update on Thursday to fix the fourth zero-day vulnerability in two weeks and the eighth overall in 2024. The high-severity flaw, tracked as CVE-2024-5274, is rooted in a type confusion weakness in the Chrome V8 JavaScript and WebAssembly engine. "Google is aware that an exploit for CVE-2024-5274 exists in the wild," the company said in an advisory.

Google did not provide details on the bug or the exploitation but credited Clement Lecigne of Google's Threat Analysis Group (TAG) and Brendon Tiszka of Chrome Security for reporting the flaw. No bug bounty reward has been disclosed for this discovery.

"Successful exploitation of this vulnerability could allow for arbitrary code execution in the context of the logged on user," the Center for Internet Security explained. "Depending on the privileges associated with the logged on user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have less rights on the system could be less impacted than those who operate with administrative user rights."

Chrome vulnerabilities are often targeted by commercial spyware vendors. Google TAG researchers have previously reported several zero-days exploited by spyware vendors, including security defects in Google's browser.

CVE-2024-5274 is the fourth zero-day patched in the last 15 days, following CVE-2024-4671 (use-after-free in Visuals), CVE-2024-4761 (out-of-bounds write in V8), and CVE-2024-4947 (type confusion in V8). So far this year, Google has resolved a total of eight Chrome zero-days. Three of these, CVE-2024-2886, CVE-2024-2887, and CVE-2024-3159, were demonstrated at the Pwn2Own Vancouver 2024 hacking contest in March.

Complete list of Chrome zero-days published in 2024:
CVE-2024-0519: Out-of-bounds memory access in V8
CVE-2024-2886: Use-after-free in WebCodecs (presented at Pwn2Own 2024)
CVE-2024-2887: Type confusion in WebAssembly (presented at Pwn2Own 2024)
CVE-2024-3159: Out-of-bounds memory access in V8 (presented at Pwn2Own 2024)
CVE-2024-4671: Use-after-free in Visuals
CVE-2024-4761: Out-of-bounds write in V8
CVE-2024-4947: Type confusion in V8
CVE-2024-5274: Type confusion in V8

The latest Chrome version has now been rolled out as 125.0.6422.112 for Linux and 125.0.6422.112/.113 for Windows and macOS. Google also released Chrome for Android versions 125.0.6422.112/.113 with the same security fixes.

Opera Rolled Out Update to Fix Chrome Zero-Day

The current version of the Opera browser is based on Chromium, the same engine that Google Chrome uses. Opera released a subsequent patch on Friday to fix the same bug. Opera's release notice read: "Dear Opera Users! The latest stable release of Opera – 110.0.5130.39, incorporates a crucial 0-day fix for CVE-2024-5274, enhancing user security. This update ensures safer browsing for everyone." Opera is available on Windows, macOS, Linux, Android and iOS.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
Australia's cyber chief announced Friday an "unwelcome development" in the recently disclosed MediSecure data breach. A hacker claimed to possess the patient data likely siphoned during the ransomware attack and listed it for sale on a Russian hacking forum for $50,000.

"We are aware a dataset purporting to be from the MediSecure breach has been advertised for sale on a dark web marketplace, along with a sample of the data," said Australia's National Cyber Security Coordinator, Lieutenant General Michelle McGuinness. She said that all federal agencies involved in the response to the data breach incident "are aware of the advertisement" and "are working with MediSecure to verify the data that has been posted online."

MediSecure, one of only two providers of electronic prescription services to healthcare professionals in Australia, announced last week that it had fallen victim to a large-scale ransomware attack. Preliminary investigation over the weekend revealed that it was an "isolated" attack and no impact on current e-Prescriptions was observed. However, personal and health data of its customers and providers up to November 2023 was likely accessed, the company confirmed. The Australian Federal Police and Australian Signals Directorate are now investigating and responding to the incident under the joint standing arrangements of Operation Aquila.

The Hacker Claim and Attempted Sale

A week after the MediSecure data breach incident became public, a Russian hacking forum member claimed to have 6.5 terabytes of data, including personal information of thousands of Australians, available for sale. The post on the forum read, "For sale: Database of an Australian medical prescriptions company MedSecure [sic]." It detailed the information available, including citizens' insurance numbers, phone numbers, addresses, full names, supplier and contractor information, emails, usernames and passwords for the MediSecure website, prescription details and IP addresses of site visitors. The forum member stated they would sell the information to only one buyer.

The hacktivist-tracking group CyberKnow indicated that its research suggested the forum post was likely legitimate. It noted the threat actor created this Russian hacker forum account on May 15, likely for the sole purpose of selling the stolen MediSecure data. CyberKnow said the actor's pivot to the new forum could also be due to the recent seizure of BreachForums. The threat actor has not posted anything else to the forum.

"It appears from the limited information that this is not a traditional ransomware extortion shakedown and it begs to wonder if there was any negotiation or extorting attempt between the threat actor and Medisecure," CyberKnow said. "Australians should recognize that the cyberthreat landscape is diverse, and groups and actors can impact businesses regardless of their capability, organization, or structure," it added.

Cyber chief McGuinness warned Australians against searching for the alleged MediSecure data set. "Accessing stolen sensitive or personal information on the dark web only feeds the business model of cybercriminals," she said. "While this is an unwelcome development, I want to again assure Australians that if individuals are at risk of serious harm through the publication of their information, then we will work with MediSecure to make sure that individuals are appropriately informed, so they may take steps to protect themselves from any further risk to their personal information."

Hack Calls for Stricter Legislative Reforms

Earlier this week, Australian Privacy Commissioner Carly Kind accepted there are ongoing challenges in how organizations collect and protect customer data. She said, "any major data breach reinforces the reality of today's world: there are increasing cyber threats and continual challenges to digital defenses." Kind advised organizations to prioritize protecting individuals' personal information, review and improve their practices and only collect necessary information. She urged, "Know what information you hold. And if that information is not necessary to your business, delete it."

She also called for urgent legislative reforms to ensure all Australian organizations build the highest levels of security into their operations. "The coverage of Australia's privacy legislation lags behind the advancing skills of malicious cyber actors. Reform of the Privacy Act is urgent, to ensure all Australian organizations build the highest levels of security into their operations and the community's personal information is protected to the maximum extent possible," Kind said. The OAIC is additionally investigating whether MediSecure complied with federal laws requiring companies to notify authorities of a data breach.
Hackers compromised a popular courtroom recording platform used across jails and prisons around the globe, gaining full control of systems through a backdoor implanted in a software update. Justice AV Solutions (JAVS) software records events such as lectures, court hearings and council meetings, with over 10,000 installations worldwide. Users can download it from the vendor's website as a Windows-based installer package.

This week, the company announced it had identified a security issue with a previous version of its JAVS Viewer software. The company stated on Thursday, "Through ongoing monitoring and collaboration with cyber authorities, we identified attempts to replace our Viewer 8.3.7 software with a compromised file." JAVS removed all versions of Viewer 8.3.7 from its website, reset all passwords and conducted a full internal audit of its systems. The company confirmed that all currently available files on the JAVS website are genuine and malware-free. It also verified that no JAVS source code, certificates, systems, or other software releases were compromised. The malicious file did not originate from JAVS or any associated third party.

As a precautionary measure, the company urged users to verify that any JAVS software they install is digitally signed by the company. "Manually check for file 'fffmeg.exe': If the malicious file is found or detected, we recommend a full re-image of the PC and a reset of any credentials used by the user on that computer." If Viewer 8.3.7.250 is the version currently installed but no malicious files are found, JAVS advised uninstalling the Viewer software and performing a full anti-virus/malware scan. "Please reset any passwords used on the affected system before upgrading to a newer version of Viewer 8," the company recommended.

Cybersecurity firm Rapid7 analyzed the issue and found that the corrupted JAVS Viewer software, which opens media and log files, included a backdoored installer that gives attackers full access to affected systems. Based on open-source intelligence, Rapid7 determined that the binary fffmpeg.exe is associated with the GateDoor and RustDoor malware family. This malware performs actions such as collecting information, downloading additional files, and executing commands. RustDoor focuses on backdoor functions, while GateDoor has many loader functions. "The infrastructure used by the two malware appears to be related to a RaaS affiliate called ShadowSyndicate, and the possibility that they are cybercrime collaborators who specialize in providing infrastructure cannot be ruled out," said S2W, the company that first observed the backdoors in February.

Rapid7 tracked the issue as CVE-2024-4978 and coordinated the disclosure with the U.S. Cybersecurity and Infrastructure Security Agency (CISA). Rapid7 noted that the malicious versions of the software were signed by "Vanguard Tech Limited," allegedly based in London. In its advisory, Rapid7 urged users to reimage all endpoints where the software was installed and reset credentials in web browsers and for any accounts logged into affected endpoints, both local and remote. "Simply uninstalling the software is insufficient, as attackers may have implanted additional backdoors or malware. Re-imaging provides a clean slate," Rapid7 advised.

The issue first surfaced on platform X (formerly Twitter) in April, when a threat intelligence researcher claimed that "malware is being hosted on the official website of JAVS." On May 10, Rapid7 responded to an alert on a client's system and traced an infection back to an installer downloaded from the JAVS website. The malicious file downloaded by the victim was no longer available on the website, and it is unclear who removed it. A few days later, researchers found a different installer file containing malware on the JAVS website, confirming the vendor site as the source of the initial infection. JAVS did not comment on the discrepancy between its findings and Rapid7's analysis.
An independent researcher claims that the commercial-grade spyware tool PCTattletale leaks live screen recordings/screenshots to the internet, making them accessible to anyone and not just the app's intended users. The PCTattletale stalkerware sees wide usage and has been discovered on hotel guest check-in computers, corporate systems and computers used by law firms across the United States. The app promotes itself to parents, spouses/partners and enterprises with the promise of discreet, instant, real-time monitoring and easy installation.

PCTattletale Stalkerware Reportedly Leaks Screen Recordings

The PCTattletale spyware tool primarily advertises itself to parents concerned about their children's social media usage and to businesses aiming to monitor employees, claiming to offer a window into the online world of children and into disruptions to the daily workflow of employees. The tool is available for installation on both Windows and Android. While the site claims this tracking is safe, independent security researcher Eric Daigle claims to have discovered a flaw in the spyware's API that allows attackers to obtain the most recent screen capture from devices with the tool installed.

Reached by The Cyber Express, Daigle shared some additional details on the purported vulnerability. The researcher said the tool allows users to sign up on the website, after which they are given custom .exe or .apk files to install on the target's device. The customized file is hardcoded with the user's credentials, Daigle said, simplifying the installation process to essentially two clicks, with the only other real input being the acceptance of the permission requests required to capture the screen. After installation, the spyware's user can log into their account on the website to trigger or access screen captures. However, Daigle said the recordings he observed were not a video file but static screenshots taken a few seconds apart, which are stitched together and played as a .GIF file to produce the desired recording of the target.

Daigle said many U.S. hotels, corporate computers and at least two law firms appeared to be compromised and vulnerable to the flaw. However, the researcher expressed his desire to keep further details about victims anonymous for privacy reasons, along with details on exploiting the flaw, to prevent potential attackers from taking advantage. The researcher was also unclear whether the software had been installed by the corporate owners, as advertised as a use case on the PCTattletale website, or by other actors. He highlighted the serious consequences and potential impact of leaking live screen recordings, such as the exposure of sensitive personal information, financial information, or passwords. The researcher said he had contacted the spyware vendor about the vulnerability but was ignored. He indicated that he would be ready to publish a full write-up of the flaw once it had been patched. The PCTattletale site appeared to be down at the time of publishing this article.

Spyware/Stalkerware Tools Remain a Major Concern

Spyware tools pose serious inherent risks beyond their intended purposes, as they can be exploited to violate the privacy of all kinds of individuals or groups. In 2023, researchers observed a Spanish spyware vendor's tools employing multiple zero-days and n-days in its exploit chain and delivering the spyware module through one-time links in SMS messages. These tools were used against targets in the United Arab Emirates (UAE). Last month, Apple issued notifications to users in 92 countries to alert them of mercenary spyware attacks. In the same month, the United States government issued visa restrictions on individuals identified as being connected to or profiting from the use or proliferation of commercial spyware. In its notice, the U.S. government cited its concerns over the use of these apps to facilitate human rights abuses or counter-intelligence efforts as justification for the restrictions.

Several of these concerns are also shared by privacy advocates, groups such as the Coalition Against Stalkerware and non-profit organizations such as the U.S. National Cybersecurity Alliance. The National Cybersecurity Alliance defines the use of these tools against targets as a form of abuse on its Stay Safe Online website.
Australian telco Optus faces a legal battle with the country's communications and media watchdog over its 2022 data breach. The Optus data breach resulted in the theft of personal information of over 10 million current and former customers, about 40% of the population. The Australian Communications and Media Authority (ACMA) has taken action against the country's second-largest telecommunications company, alleging negligence in safeguarding customer data as mandated by the Telecommunications (Interception and Access) Act 1979 (Cth).

Parent Company Singtel Faces Legal Action Following the Optus Data Breach

The Cyber Express reached out to Optus to learn more about this legal action by the ACMA. In response, an Optus spokesperson stated that the company is aware of the proceedings in the Federal Court of Australia in relation to the cyberattack in September 2022. "At this stage, Optus Mobile is not able to determine the quantum of penalties, if any, that could arise. Optus has previously apologised to its customers and has taken significant steps, including working with the police and other authorities, to protect them. It also reimbursed customers for the cost of replacing identity documents. Optus intends to defend these proceedings. As the matter is now before the courts, Optus is unable to make any further comment," the Optus spokesperson said.

In the Optus cyberattack, which occurred between September 17 and 20, 2022, hackers infiltrated Optus's security measures, gaining unauthorized access to sensitive customer information. ACMA's move to file Federal Court proceedings is a significant step in holding Optus accountable for the breach, highlighting the regulatory emphasis on data protection and privacy. "The ACMA has filed proceedings in the Federal Court against Optus Mobile Pty Ltd (Optus). We allege that during a data breach that occurred between 17 to 20 September 2022, Optus failed to protect the confidentiality of its customers' personal information from unauthorized interference or unauthorized access as required under the Telecommunications (Interception and Access) Act 1979 (Cth)," ACMA's statement read.

Optus, owned by Singaporean company Singtel, has expressed its intention to defend itself against the allegations while acknowledging the severity of the incident. "At this stage, Optus Mobile is not able to determine the quantum of penalties, if any, that could arise," a spokesperson told local media. The company has previously apologised to affected customers and taken proactive measures, including collaboration with law enforcement agencies, to mitigate further risks. Optus has also reimbursed customers for expenses incurred in replacing compromised identity documents.

Optus on the Road to Recovery but Legal Headache Ensues

Following the cyberattack, Optus disclosed that approximately 2.1 million Australians had their identification numbers compromised, including details from driver's licenses and passports. Additionally, around 10,000 customers had their information exposed on the dark web, exacerbating concerns about the extent of the breach's impact on individuals' privacy and security. Financially, the repercussions of the cyberattack have been substantial for Optus and its parent company, Singtel. The latter reported cyberattack-related costs of 142 million Singapore dollars ($159 million) for the fiscal year ending March 31, 2023. These costs encompass various expenses, including regulatory investigations and potential litigation.

Despite the challenges faced after the cyberattack, the telecommunications company reported stable earnings and mobile growth in FY24. Optus added 116,000 subscribers to its mobile customer base, including 108,000 prepaid customers. Interim CEO and CFO Michael Venter said the results demonstrated a solid performance in a difficult environment, as Optus remained focussed on enhancing customer experience. "Optus is working hard to rebuild the trust of customers after a challenging 18 months and these results demonstrate we are on the right track," Venter said. "We're listening to our customers and in the year ahead we'll be continuing to prioritise what we know is important to them – a resilient network that delivers seamless connectivity, great value products and services, and simple, efficient customer service."

This strong performance, however, does not lessen the legal woes for Optus. Legal proceedings have intensified further with the commencement of class action proceedings by law firm Slater and Gordon on behalf of affected individuals. The lawsuit alleges that Optus violated privacy, telecommunications and consumer laws, signaling a broader legal battle over accountability and corporate responsibility in safeguarding customer data. In response to escalating cyber threats, the Australian government has ramped up investments in cybersecurity initiatives, imposing stricter penalties for companies that fail to address privacy breaches adequately. The Office of the Australian Information Commissioner (OAIC) has been given enhanced authority to expedite breach resolutions and notify affected individuals promptly, signaling a concerted effort to strengthen data protection measures nationwide.
FIRST Heritage Co-operative Credit Union (FHC) will update its customers regarding any irregular financial activities in the coming weeks, following a recent cyberattack that disrupted its database. The credit union disclosed in a member advisory issued on Wednesday that it had been grappling with a system disruption since April 3, 2024. The cyberattack had hampered FHC's access to certain information, causing delays in processing members' financial requests.

Understanding the FHC Cyberattack

According to FHC, personal data such as member contact details and other documents submitted to facilitate transactions may have been affected by the attack. Despite this, investigations suggest that the credit union's IT security measures effectively mitigated the risk of unauthorized access to its core systems, and assessments have shown no compromise to the integrity of members' financial accounts or those of affiliated organizations. FHC acted swiftly upon detecting the breach, collaborating with technology partners to investigate and contain the threat. Subsequent steps included activating data backup and recovery protocols and implementing additional security measures. "However, our investigations so far indicate that our IT security mechanisms were helpful in significantly minimising the risk of access to data on our core systems," reads the statement by FHC, as reported by the Jamaica Observer.

Mitigation Against Fraudulent Activities

As part of its ongoing efforts to upgrade its security practices, FHC has initiated a password reset prompt for users of its iTransact banking platform. Additionally, automated tools are being employed to detect and prevent suspicious activity across accounts and IT infrastructure. The credit union is cooperating with cybersecurity and law enforcement authorities in response to the incident. Members are advised to remain vigilant for any suspicious financial activity and are encouraged to regularly update their iTransact banking passwords. FHC highlighted the importance of using unique passwords for online services and urged caution against phishing emails or unsolicited communications that may follow a data breach.

The cyberattack on FHC coincided with a report by global cybersecurity firm Fortinet, which highlighted Jamaica's exposure to 43 million attempted cyberattacks in 2023. The Latin American and Caribbean region collectively faced 200 billion attempted attacks, with Mexico, Brazil, and Colombia topping the list. The Cyber Express has reached out to FIRST Heritage Co-operative Credit Union to learn more about the FHC cyberattack. However, at the time of writing, no official statement or response has been shared, leaving additional information about the incident pending verification.
An unknown ransomware actor has compromised the personally identifiable data of more than 50,000 Californian school administrators, their association told Maine's Attorney General in a breach notice. The Association of California School Administrators (ACSA), the largest association for school leaders in the United States, said it spotted the data breach in September 2023, when an unauthorized actor accessed and potentially exfiltrated sensitive data.

Association of California School Administrators Ransomware Attack Investigation

The association's notice to the Maine Attorney General revealed that it had first detected "encryption activity" indicative of a ransomware attack in its computer environment on September 24 last year. No threat group has yet claimed responsibility for the attack. The detection was followed by an investigation, aided by third-party cybersecurity experts, which confirmed unauthorized access to various ACSA systems over the two days after the initial access. The threat actor was found to have potentially accessed and stolen sensitive data from the compromised systems. The association also worked to validate the results of the investigation and locate missing address information. After ACSA completed the process of validating and identifying affected individuals on May 3, 2024, it began notifying all potentially affected individuals on May 22.

ACSA informed the Maine Attorney General that approximately 54,600 individuals were impacted by the incident, including 14 Maine residents. Individuals impacted by the breach were provided with specific details about the incident and the steps they could take to protect their personal information. The compromised files were found to contain sensitive data such as names, addresses, dates of birth, Social Security numbers, driver's license numbers, payment card information, medical information, health insurance details, tax IDs, student records (report cards and test scores), employer-assigned identification numbers, and online account credentials.

Recommendations and Additional Resources for Affected Individuals

In response to the breach, ACSA notified federal law enforcement, implemented additional security measures such as employee training, and provided guidance to the affected individuals on protecting themselves from associated risks such as identity theft and fraud. The association stated that there was no evidence of identity theft or fraud resulting from the event. However, as a precautionary measure, it is offering 12 months of credit monitoring services to the affected individuals at no cost. These services include credit and CyberScan monitoring, a million-dollar insurance reimbursement policy, and fully managed identity theft recovery services. ACSA encouraged affected individuals to enrol in these services before the deadline of August 22, 2024.

ACSA advises all affected individuals to monitor their accounts and credit reports for any unauthorized activity, stating that it takes the privacy and security of sensitive information within its care seriously and regrets any inconvenience the incident has caused. The guidance also includes instructions on reporting suspicious activity to banks and credit card companies, placing fraud alerts and credit freezes on credit files, and obtaining the free credit reports available under U.S. law. ACSA is also encouraging individuals to contact the Federal Trade Commission, state attorneys general, and law enforcement to report any incidents of identity theft.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added a four-year-old security flaw affecting Apache Flink to its Known Exploited Vulnerabilities (KEV) catalog, following evidence of active exploitation. The flaw, tracked as CVE-2020-17519, poses significant risks due to improper access show more ...
control, allowing unauthorized access to sensitive information. Researchers Observed Active Exploitation of Apache Flink Vulnerability CISA describes vulnerabilities such as the Apache Flink Vulnerability which have been added to its Known Exploited Vulnerabilities catalog as "frequent attack vectors for malicious cyber actors" and as posing significant risks to the federal enterprise. The catalog serves as a critical resource for identifying and mitigating vulnerabilities actively in use. CVE-2020-17519 is a critical vulnerability in Apache Flink, an open-source framework for stream-processing and batch-processing. The flaw arises from improper access control in versions 1.11.0, 1.11.1, and 1.11.2 of the framework, potentially enabling remote attackers to access files specific to the local JobManager filesystem through the use of specially crafted directory traversal requests, leading to unauthorized access. While precise details of ongoing campaigns exploiting the Apache Flink Vulnerability remain unclear, the bug has existed for at least four years and has been acknowledged by a project maintainer. The project Apache Flink thread states: A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is restricted to files accessible by the JobManager process. The discovery of the vulnerability was credited to "0rich1" from Ant Security FG Lab, with working exploit code of the vulnerability available on the public web. In the same year, researchers from Palo Alto Networks had observed the vulnerability among the most commonly exploited vulnerabilities during the Winter 2020 period using information collected between November 2020 and January 2021. 
Mitigation Measures and Binding Directives

The Apache Software Foundation addressed this issue in January 2021 with the release of Flink versions 1.11.3 and 1.12.0 to the master branch of the project. Users running affected versions are strongly urged to upgrade to these versions to secure their systems.

CISA has mandated federal agencies to apply necessary patches by June 13, 2024. This directive operates under the Binding Operational Directive (BOD), which requires Federal Civilian Executive Branch (FCEB) agencies to implement fixes for listings in the Known Exploited Vulnerabilities Catalog to protect agency networks against active threats. Although the directive only applies to FCEB agencies, CISA has urged all organizations to reduce their exposure to cyberattacks by applying the mitigations in the catalog as per vendor instructions, or to discontinue the use of affected products if mitigations are unavailable.

In 2022, a critical vulnerability discovered in Apache Commons Text potentially granted threat actors access to remote servers. While fixes were soon released for both vulnerabilities, these incidents highlight the importance of timely updates and patches for vulnerabilities present in widely deployed open-source projects, frameworks and components.
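As an added defensive example (not code from the article or from the Apache Flink project), the Python below does the two checks a defender would want after reading the advisory: it compares a reported Flink version against the releases named as affected (1.11.0, 1.11.1, 1.11.2), and it scans access-log lines for the kind of URL-encoded directory-traversal request the maintainer's note describes, decoding repeatedly so double-encoded paths are caught. The combined-style log format, the REST path prefix /api/logs/ and the sample log lines are all constructed assumptions, not Flink's real routes or real traffic.

```python
"""Defender-side checks for CVE-2020-17519 (Apache Flink JobManager REST
directory traversal). Added example; not code from the article or from Flink.
Assumptions: the JobManager's REST traffic is logged in a combined-log style
line (for instance by a reverse proxy in front of it), and the route prefix
/api/logs/ is a hypothetical stand-in, not Flink's real REST route."""
import re
from urllib.parse import unquote

# Releases the advisory names as vulnerable; 1.11.3 and 1.12.0 are the fixes.
AFFECTED_VERSIONS = {"1.11.0", "1.11.1", "1.11.2"}


def is_affected_version(version: str) -> bool:
    """True only for the exact releases the advisory lists as affected."""
    return version.strip() in AFFECTED_VERSIONS


def decode_fully(path: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly: traversal requests are often double-encoded
    so that a single decode by a front-end proxy still leaves '..' hidden."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal(raw_path: str) -> bool:
    """Flag a request path that contains a '..' segment once fully decoded,
    treating backslashes as separators too. A '..' inside a file name
    (e.g. 'file..name.log') is not a segment and is not flagged."""
    path = raw_path.split("?", 1)[0]          # ignore the query string
    decoded = decode_fully(path).replace("\\", "/")
    return ".." in decoded.split("/")


# Combined-log style line: client, identity, user, timestamp, request, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)


def scan_log(lines):
    """Return (client_ip, raw_path, status) for every traversal attempt found.
    Failed attempts (non-2xx) are kept: a 404 is still a probe worth seeing."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue                           # skip lines in another format
        if is_traversal(m["path"]):
            hits.append((m["ip"], m["path"], int(m["status"])))
    return hits


# Constructed sample lines (addresses from the RFC 5737 documentation ranges).
SAMPLE_LOG = [
    '192.0.2.5 - - [24/May/2024:10:00:01 +0000] "GET /overview HTTP/1.1" 200 812',
    '203.0.113.7 - - [24/May/2024:10:01:02 +0000] "GET /api/logs/jobmanager.log HTTP/1.1" 200 5120',
    '203.0.113.7 - - [24/May/2024:10:01:05 +0000] "GET /api/logs/..%252f..%252fetc%252fhosts HTTP/1.1" 200 410',
    '198.51.100.9 - - [24/May/2024:10:02:11 +0000] "GET /api/logs/%2e%2e/%2e%2e/etc/hostname HTTP/1.1" 404 0',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for version in ("1.11.2", "1.11.3"):
        print(version, "affected" if is_affected_version(version) else "not affected")
    for ip, path, status in scan_log(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {path} (HTTP {status})")
```

Two design points: the version check is an exact set rather than a range comparison because the maintainer's note says the change was introduced in 1.11.0, so earlier branches are not affected and a "less than 1.11.3" test would misreport them; and the log scanner keeps 404s, since a probe that missed is still evidence that the JobManager REST port is reachable by someone looking for it.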
The homepage of Stark Industries Solutions.

Two weeks before Russia invaded Ukraine in February 2022, a large, mysterious new Internet hosting firm called Stark Industries Solutions materialized and quickly became the epicenter of massive distributed denial-of-service (DDoS) attacks on government and commercial targets in Ukraine and Europe. An investigation into Stark Industries reveals it is being used as a global proxy network that conceals the true source of cyberattacks and disinformation campaigns against enemies of Russia.

At least a dozen patriotic Russian hacking groups have been launching DDoS attacks since the start of the war at a variety of targets seen as opposed to Moscow. But by all accounts, few attacks from those gangs have come close to the amount of firepower wielded by a pro-Russia group calling itself “NoName057(16).”

This graphic comes from a recent report from Arbor NETSCOUT about DDoS attacks from Russian hacktivist groups.

As detailed by researchers at Radware, NoName has effectively gamified DDoS attacks, recruiting hacktivists via its Telegram channel and offering to pay people who agree to install a piece of software called DDoSia. That program allows NoName to commandeer the host computers and their Internet connections in coordinated DDoS campaigns, and DDoSia users with the most attacks can win cash prizes.

The NoName DDoS group advertising on Telegram. Image: SentinelOne.com.

A report from the security firm Team Cymru found the DDoS attack infrastructure used in NoName campaigns is assigned to two interlinked hosting providers: MIRhosting and Stark Industries. MIRhosting is a hosting provider founded in The Netherlands in 2004. But Stark Industries Solutions Ltd was incorporated on February 10, 2022, just two weeks before the Russian invasion of Ukraine.

PROXY WARS

Security experts say that not long after the war started, Stark began hosting dozens of proxy services and free virtual private networking (VPN) services, which are designed to help users shield their Internet usage and location from prying eyes. Proxy providers allow users to route their Internet and Web browsing traffic through someone else’s computer.
From a website’s perspective, the traffic from a proxy network user appears to originate from the rented IP address, not from the proxy service customer. These services can be used in a legitimate manner for several business purposes — such as price comparisons or sales intelligence — but they are also massively abused for hiding cybercrime activity because they can make it difficult to trace malicious traffic to its original source.

What’s more, many proxy services do not disclose how they obtain access to the proxies they are renting out, and in many cases the access is obtained through the dissemination of malicious software that turns the infected system into a traffic relay — usually unbeknownst to the legitimate owner of the Internet connection. Other proxy services will allow users to make money by renting out their Internet connection to anyone.

Spur.us is a company that tracks VPNs and proxy services worldwide. Spur finds that Stark Industries (AS44477) currently is home to at least 74 VPN services, and 40 different proxy services. As we’ll see in the final section of this story, just one of those proxy networks has over a million Internet addresses available for rent across the globe.

Raymond Dijkxhoorn operates a hosting firm in The Netherlands called Prolocation. He also co-runs SURBL, an anti-abuse service that flags domains and Internet address ranges that are strongly associated with spam and cybercrime activity, including DDoS. Dijkxhoorn said last year SURBL heard from multiple people who said they operated VPN services whose web resources were included in SURBL’s block lists.

“We had people doing delistings at SURBL for domain names that were suspended by the registrars,” Dijkxhoorn told KrebsOnSecurity. “And at least two of them explained that Stark offered them free VPN services that they were reselling.”

Dijkxhoorn added that Stark Industries also sponsored activist groups from Ukraine.
“How valuable would it be for Russia to know the real IPs from Ukraine’s tech warriors?” he observed.

CLOUDY WITH A CHANCE OF BULLETS

Richard Hummel is threat intelligence lead at Arbor NETSCOUT. Hummel said when he considers the worst of all the hosting providers out there today, Stark Industries is consistently near or at the top of that list.

“The reason is we’ve had at least a dozen service providers come to us saying, ‘There’s this network out there inundating us with traffic,’” Hummel said. “And it wasn’t even DDoS attacks. [The systems] on Stark were just scanning these providers so fast it was crashing some of their services.”

Hummel said NoName will typically launch their attacks using a mix of resources rented from major, legitimate cloud services, and those from so-called “bulletproof” hosting providers like Stark. Bulletproof providers are so named when they earn or cultivate a reputation for ignoring any abuse complaints or police reports about activity on their networks.

Combining bulletproof providers with legitimate cloud hosting, Hummel said, likely makes NoName’s DDoS campaigns more resilient because many network operators will hesitate to be too aggressive in blocking Internet addresses associated with the major cloud services.

“What we typically see here is a distribution of cloud hosting providers and bulletproof hosting providers in DDoS attacks,” he said. “They’re using public cloud hosting providers because a lot of times that’s your first layer of network defense, and because [many companies are wary of] over-blocking access to legitimate cloud resources.”

But even if the cloud provider detects abuse coming from the customer, the provider is probably not going to shut the customer down immediately, Hummel said.

“There is usually a grace period, and even if that’s only an hour or two, you can still launch a large number of attacks in that time,” he said.
“And then they just keep coming back and opening new cloud accounts.”

MERCENARIES TEAM

Stark Industries is incorporated at a mail drop address in the United Kingdom. UK business records list an Ivan Vladimirovich Neculiti as the company’s secretary. Mr. Neculiti also is named as the CEO and founder of PQ Hosting Plus S.R.L. (aka Perfect Quality Hosting), a Moldovan company formed in 2019 that lists the same UK mail drop address as Stark Industries.

Ivan Neculiti, as pictured on LinkedIn.

Reached via LinkedIn, Mr. Neculiti said PQ Hosting established Stark Industries as a “white label” of its brand so that “resellers could distribute our services using our IP addresses and their clients would not have any affairs with PQ Hosting.”

“PQ Hosting is a company with over 1,000+ of [our] own physical servers in 38 countries and we have over 100,000 clients,” he said. “Though we are not as large as Hetzner, Amazon and OVH, nevertheless we are a fast growing company that provides services to tens of thousands of private customers and legal entities.”

Asked about the constant stream of DDoS attacks whose origins have traced back to Stark Industries over the past two years, Neculiti maintained Stark hasn’t received any official abuse reports about attacks coming from its networks.

“It was probably some kind of clever attack that we did not see, I do not rule out this fact, because we have a very large number of clients and our Internet channels are quite large,” he said. “But, in this situation, unfortunately, no one contacted us to report that there was an attack from our addresses; if someone had contacted us, we would have definitely blocked the network data.”

DomainTools.com finds Ivan V. Neculiti was the owner of war[.]md, a website launched in 2008 that chronicled the history of a 1990 armed conflict in Moldova known as the Transnistria War and the Moldo-Russian war.

An ad for war.md, circa 2009.
Transnistria is a breakaway pro-Russian region that declared itself a state in 1990, although it is not internationally recognized. The copyright on that website credits the “MercenarieS TeaM,” which was at one time a Moldovan IT firm. Mr. Neculiti confirmed personally registering this domain.

DON CHICHO & DFYZ

The data breach tracking service Constella Intelligence reports that an Ivan V. Neculiti registered multiple online accounts under the email address dfyz_bk@bk.ru. Cyber intelligence firm Intel 471 shows this email address is tied to the username “dfyz” on more than a half-dozen Russian language cybercrime forums since 2008.

The user dfyz on Searchengines[.]ru in 2008 asked other forum members to review war.md, and said they were part of the MercenarieS TeaM. Back then, dfyz was selling “bulletproof servers for any purpose,” meaning the hosting company would willfully ignore abuse complaints or police inquiries about the activity of its customers.

DomainTools reports there are at least 33 domain names registered to dfyz_bk@bk.ru. Several of these domains have Ivan Neculiti in their registration records, including tracker-free[.]cn, which was registered to an Ivan Neculiti at dfyz_bk@bk.ru and referenced the MercenarieS TeaM in its original registration records.

Dfyz also used the nickname DonChicho, who likewise sold bulletproof hosting services and access to hacked Internet servers. In 2014, a prominent member of the Russian language cybercrime community Antichat filed a complaint against DonChicho, saying this user scammed them and had used the email address dfyz_bk@bk.ru.

The complaint said DonChicho registered on Antichat from the Transnistria Internet address 84.234.55[.]29. Searching this address in Constella reveals it has been used to register just five accounts online that have been created over the years, including one at ask.ru, where the user registered with the email address neculitzy1@yandex.ru.
Constella also returns for that email address a user by the name “Ivan” at memoraleak.com and 000webhost.com.

Constella finds that the password most frequently used by the email address dfyz_bk@bk.ru was “filecast,” and that there are more than 90 email addresses associated with this password. Among them are roughly two dozen addresses with the name “Neculiti” in them, as well as the address support@donservers[.]ru.

Intel 471 says DonChicho posted to several Russian cybercrime forums that support@donservers[.]ru was his address, and that he logged into cybercrime forums almost exclusively from Internet addresses in Tiraspol, the capital of Transnistria. A review of DonChicho’s posts shows this person was banned from several forums in 2014 for scamming other users.

Cached copies of DonChicho’s vanity domain (donchicho[.]ru) show that in 2009 he was a spammer who peddled knockoff prescription drugs via Rx-Promotion, once one of the largest pharmacy spam moneymaking programs for Russian-speaking affiliates.

Mr. Neculiti told KrebsOnSecurity he has never used the nickname DonChicho.

“I may assure you that I have no relation to DonChicho nor to his bulletproof servers,” he said.

Below is a mind map that shows the connections between the accounts mentioned above.

A mind map tracing the history of the user Dfyz.

Earlier this year, NoName began massively hitting government and industry websites in Moldova. A new report from Arbor Networks says the attacks began around March 6, when NoName alleged the government of Moldova was “craving for Russophobia.”

“Since early March, more than 50 websites have been targeted, according to posted ‘proof’ by the groups involved in attacking the country,” Arbor’s ASERT Team wrote.
“While NoName seemingly initiated the ramp of attacks, a host of other DDoS hacktivists have joined the fray in claiming credit for attacks across more than 15 industries.”

CORRECTIV ACTION

The German independent news outlet Correctiv.org last week published a scathing investigative report on Stark Industries and MIRhosting, which notes that Ivan Neculiti operates his hosting companies with the help of his brother, Yuri.

Image credit: correctiv.org.

The report points out that Stark Industries continues to host a Russian disinformation news outlet called “Recent Reliable News” (RRN) that was sanctioned by the European Union in 2023 for spreading links to propaganda blogs and fake European media and government websites.

“The website was not running on computers in Moscow or St. Petersburg until recently, but in the middle of the EU, in the Netherlands, on the computers of the Neculiti brothers,” Correctiv reporters wrote.

“After a request from this editorial team, a well-known service was installed that hides the actual web host,” the report continues. “Ivan Neculiti announced that he had blocked the associated access and server following internal investigations. “We very much regret that we are only now finding out that one of our customers is a sanctioned portal,” said the company boss. However, RRN is still accessible via its servers.”

Correctiv also points to a January 2023 report from the Ukrainian government, which found servers from Stark Industries Solutions were used as part of a cyber attack on the Ukrainian news agency “Ukrinform”. Correctiv notes the notorious hacker group Sandworm — an advanced persistent threat (APT) group operated by a cyberwarfare unit of Russia’s military intelligence service — was identified by Ukrainian government authorities as responsible for that attack.

PEACE HOSTING?
Public records indicate MIRhosting is based in The Netherlands and is operated by 37-year old Andrey Nesterenko, whose personal website says he is an accomplished concert pianist who began performing publicly at a young age.

DomainTools says mirhosting[.]com is registered to Mr. Nesterenko and to Innovation IT Solutions Corp, which lists addresses in London and in Nesterenko’s stated hometown of Nizhny Novgorod, Russia.

This is interesting because according to the book Inside Cyber Warfare by Jeffrey Carr, Innovation IT Solutions Corp. was responsible for hosting StopGeorgia[.]ru, a hacktivist website for organizing cyberattacks against Georgia that appeared at the same time Russian forces invaded the former Soviet nation in 2008. That conflict was thought to be the first war ever fought in which a notable cyberattack and an actual military engagement happened simultaneously.

Responding to questions from KrebsOnSecurity, Mr. Nesterenko said he couldn’t say whether his network had ever hosted the StopGeorgia website back in 2008 because his company didn’t keep records going back that far. But he said Stark Industries Solutions is indeed one of MIRhosting’s colocation customers.

“Our relationship is purely provider-customer,” Nesterenko said. “They also utilize multiple providers and data centers globally, so connecting them directly to MIRhosting overlooks their broader network.”

“We take any report of malicious activity seriously and are always open to information that can help us identify and prevent misuse of our infrastructure, whether involving Stark Industries or any other customer,” Nesterenko continued. “In cases where our services are exploited for malicious purposes, we collaborate fully with Dutch cyber police and other relevant authorities to investigate and take appropriate measures.
However, we have yet to receive any actionable information beyond the article itself, which has not provided us with sufficient detail to identify or block malicious actors.”

In December 2022, security firm Recorded Future profiled the phishing and credential harvesting infrastructure used for Russia-aligned espionage operations by a group dubbed Blue Charlie (aka TAG-53), which has targeted email accounts of nongovernmental organizations and think tanks, journalists, and government and defense officials.

Recorded Future found that virtually all the Blue Charlie domains existed in just ten different ISPs, with a significant concentration located in two networks, one of which was MIRhosting. Both Microsoft and the UK government assess that Blue Charlie is linked to the Russian threat activity groups variously known as Callisto Group, COLDRIVER, and SEABORGIUM.

Mr. Nesterenko took exception to Recorded Future’s report.

“We’ve discussed its contents with our customer, Stark Industries,” he said. “We understand that they have initiated legal proceedings against the website in question, as they firmly believe that the claims made are inaccurate.”

Recorded Future said they updated their story with comments from Mr. Nesterenko, but that they stand by their reporting.

Mr. Nesterenko’s LinkedIn profile says he was previously the foreign region sales manager at Serverius-as, a hosting company in The Netherlands that remains in the same data center as MIRhosting.

In February, the Dutch police took 13 servers offline that were used by the infamous LockBit ransomware group, which had originally bragged on its darknet website that its home base was in The Netherlands. Sources tell KrebsOnSecurity the servers seized by the Dutch police were located in Serverius’ data center in Dronten, which is also shared by MIRhosting.

Serverius-as did not respond to requests for comment.
Nesterenko said MIRhosting does use one of Serverius’s data centers for its operations in the Netherlands, alongside two other data centers, but that the recent incident involving the seizure of servers has no connection to MIRhosting.

“We are legally prohibited by Dutch law and police regulations from sharing information with third parties regarding any communications we may have had,” he said.

A February 2024 report from security firm ESET found Serverius-as systems were involved in a series of targeted phishing attacks by Russia-aligned groups against Ukrainian entities throughout 2023. ESET observed that after the spearphishing domains were no longer active, they were converted to promoting rogue Internet pharmacy websites.

PEERING INTO THE VOID

A review of the Internet address ranges recently added to the network operated by Stark Industries Solutions offers some insight into its customer base, usage, and maybe even true origins.

Here is a snapshot (PDF) of all Internet address ranges announced by Stark Industries so far in the month of May 2024 (this information was graciously collated by the network observability platform Kentik.com).

Those records indicate that the largest portion of the IP space used by Stark is in The Netherlands, followed by Germany and the United States. Stark says it is connected to roughly 4,600 Internet addresses that currently list their ownership as Comcast Cable Communications.

A review of those address ranges at spur.us shows all of them are connected to an entity called Proxyline, which is a sprawling proxy service based in Russia that currently says it has more than 1.6 million proxies globally that are available for rent.

Proxyline dot net.

Reached for comment, Comcast said the Internet address ranges never did belong to Comcast, so it is likely that Stark has been fudging the real location of its routing announcements in some cases.
Stark reports that it has more than 67,000 Internet addresses at Santa Clara, Calif.-based EGIhosting. Spur says the Stark addresses involving EGIhosting all map to Proxyline as well. EGIhosting did not respond to requests for comment.

EGIhosting manages Internet addresses for the Cyprus-based hosting firm ITHOSTLINE LTD (aka HOSTLINE-LTD), which is represented throughout Stark’s announced Internet ranges. Stark says it has more than 21,000 Internet addresses with HOSTLINE. Spur.us finds Proxyline addresses are especially concentrated in the Stark ranges labeled ITHOSTLINE LTD, HOSTLINE-LTD, and Proline IT.

Stark’s network list includes approximately 21,000 Internet addresses at Hockessin, Del.-based DediPath, which abruptly ceased operations without warning in August 2023. According to a phishing report released last year by Interisle Consulting, DediPath was the fourth most common source of phishing attacks in the year ending Oct. 2022. Spur.us likewise finds that virtually all of the Stark address ranges marked “DediPath LLC” are tied to Proxyline.

Image: Interisle Consulting.

A large number of the Internet address ranges announced by Stark in May originate in India, and the names that are self-assigned to many of these networks indicate they were previously used to send large volumes of spam for herbal medicinal products, with names like HerbalFarm, AdsChrome, Nutravo, Herbzoot and Herbalve.

The anti-spam organization SpamHaus reports that many of the Indian IP address ranges are associated with known “snowshoe spam,” a form of abuse that involves mass email campaigns spread across several domains and IP addresses to weaken reputation metrics and avoid spam filters.

It’s not clear how much of Stark’s network address space traces its origins to Russia, but big chunks of it recently belonged to some of the oldest entities on the Russian Internet (a.k.a. “Runet”).
For example, many Stark address ranges were most recently assigned to a Russian government entity whose full name is the “Federal State Autonomous Educational Establishment of Additional Professional Education Center of Realization of State Educational Policy and Informational Technologies.”

A review of Internet address ranges adjacent to this entity reveals a long list of Russian government organizations that are part of the Federal Guard Service of the Russian Federation. Wikipedia says the Federal Guard Service is a Russian federal government agency concerned with tasks related to protection of several high-ranking state officials, including the President of Russia, as well as certain federal properties. The agency traces its origins to the USSR’s Ninth Directorate of the KGB, and later the presidential security service.

Stark recently announced the address range 213.159.64.0/20 from April 27 to May 1, and this range was previously assigned to an ancient ISP in St. Petersburg, RU called the Computer Technologies Institute Ltd. According to a post on the Russian language webmaster forum searchengines[.]ru, the domain for Computer Technologies Institute — ctinet[.]ru — is the seventh-oldest domain in the entire history of the Runet.

Curiously, Stark also lists large tracts of Internet addresses (close to 48,000 in total) assigned to a small ISP in Kharkiv, Ukraine called NetAssist. Reached via email, the CEO of NetAssist Max Tulyev confirmed his company provides a number of services to PQ Hosting.

“We colocate their equipment in Warsaw, Madrid, Sofia and Thessaloniki, provide them IP transit and IPv4 addresses,” Tulyev said. “For their size, we receive a relatively low number of complaints about their networks. I have never seen anything about their pro-Russian activity or support of Russian hackers.
It is very interesting for me to see proofs of your accusations.”

Spur.us mapped the entire infrastructure of Proxyline, and found more than one million proxies across multiple providers, but by far the biggest concentration was at Stark Industries Solutions. The full list of Proxyline address ranges (.CSV) shows two other ISPs appear repeatedly throughout the list. One is Kharkiv, Ukraine based ITL LLC, also known as Information Technology Laboratories Group, and Integrated Technologies Laboratory. The second is a related hosting company in Miami, called Green Floid LLC.

Green Floid featured in a 2017 scoop by CNN, which profiled the company’s owner and quizzed him about Russian troll farms using proxy networks on Green Floid and its parent firm ITL to mask disinformation efforts tied to the Kremlin’s Internet Research Agency (IRA). At the time, the IRA was using Facebook and other social media networks to spread videos showing police brutality against African Americans in an effort to encourage protests across the United States.

Doug Madory, director of Internet analysis at Kentik, was able to see at a high level the top sources and destinations for traffic traversing Stark’s network.

“Based on our aggregate NetFlow, we see Iran as the top destination (35.1%) for traffic emanating from Stark (AS44477),” Madory said. “Specifically, the top destination is MTN Irancell, while the top source is Facebook. This data supports the theory that AS44477 houses proxy services as Facebook is blocked in Iran.”
The SEC's lawsuit may take years to resolve through litigation, but here are five things CISOs should do now to protect both themselves as individuals as well as their organizations.
Development teams need to plan ahead and create shareable SBOMs that are standardized in a format that's readily consumable while also establishing scalable systems for attestation, access management, and data verification, among other factors.
The research program will be led by researcher Shahar Avin at the government’s AI Safety Institute and delivered in partnership with UK Research and Innovation and The Alan Turing Institute.
A politically motivated hacking group aligned with Pakistani interests is matching the Indian military's shift away from the Windows operating system with a heavy focus on malware encoded for Linux.
Security experts from SlashNext have reported a 341% increase in malicious phishing links, business email compromise (BEC), QR code, and attachment-based threats in the past six months.
Hacktivist operations are using leaked ransomware builders to launch attacks on critical infrastructure in the Philippines — part of a trend among politically motivated groups who are increasingly trying to disrupt life in the Southeast Asian nation.
A top Microsoft executive will testify next month before the House Committee on Homeland Security on recent cyberattacks that impacted the company and its customers, and Microsoft’s revitalized security strategy.
SOCRadar announced the successful completion of its Series B funding round, raising $25.2 million. The round was led by PeakSpan Capital, with participation from Oxx, reflecting investor confidence in SOCRadar’s innovative approach to cybersecurity.
The Police Service of Northern Ireland (PSNI) is bracing for a hefty £750,000 (~$952k) fine following last year’s data breach. The PSNI data breach saw the exposure of the personal information of approximately 10,000 officers and staff.
One of them, called ORB3/SPACEHOP, is described as “a very active network leveraged by multiple China-nexus threat actors, including APT5 and APT15” for reconnaissance and vulnerability exploitation.
The KeyPlug backdoor has been developed to target both Windows and Linux operating systems and uses different communication protocols depending on the configuration of the malware sample itself.
Bolster, an AI startup, has raised $14 million in funding led by Microsoft's M12 to combat malicious phishing emails. Their flagship product, CheckPhish, offers brand and URL verification services to businesses.
The cybersecurity business is booming, and cyberattacks are fueling its growth. Global spending on security and risk management is on pace to reach $215 billion this year, up 30% from almost $165 billion in 2022, according to Gartner.
Georgia resident Malachi Mullings received a decade-long sentence for laundering money scored in scams against healthcare providers, private companies, and individuals to the tune of $4.5 million.
Bugcrowd CEO Dave Gerry said their acquisition of Brighton, England-based Informer will fuel the adoption of Bugcrowd's penetration testing technology and prompt clients to expand the scope of their bug bounty programs.
An improper access control bug in Apache Flink that was fixed in January 2021 has been added to the US government's Known Exploited Vulnerabilities Catalog, meaning criminals are right now abusing the flaw in the wild to compromise targets.
The security flaw (tracked as CVE-2024-4835) is an XSS weakness in the VS code editor (Web IDE) that lets threat actors steal restricted information using maliciously crafted pages.
A requirement for the Pentagon to commission an independent study on the creation of a U.S. Cyber Force was added late Wednesday to the House version of the defense policy bill.
The security issue was discovered internally by Google's Clément Lecigne and is tracked as CVE-2024-5274. It is a high-severity 'type confusion' in V8, Chrome's JavaScript engine responsible for executing JS code.
Siloed approaches to securing human and machine identities are driving identity-based attacks across enterprises and their ecosystems, according to a new report by CyberArk.
“Through ongoing monitoring and collaboration with cyber authorities, we identified attempts to replace our Viewer 8.3.7 software with a compromised file,” the company said in a statement on Thursday.
National Cyber Director Harry Coker Jr. said the administration is taking actions to strengthen key critical infrastructure sectors, including healthcare and water utilities, and will pursue additional steps to fight ransomware and boost resilience.
The threat actor searches for sensitive information related to diplomatic and economic missions, embassies, military operations, political meetings, ministries of targeted countries, and high-ranking officials.
Effective, updated policies are foundational to an organization's cybersecurity strategy in this new era of AI-driven attacks. CISOs must proactively adapt their email security approach to protect against the latest social engineering threats.
BLOODALCHEMY is an updated version of Deed RAT, which is believed to be a successor to ShadowPad malware. It has been used in attacks targeting government organizations in Southern and Southeastern Asia.
“Rather than scam or phish everyday people directly for gift card-based payments, Storm-0539 infiltrates large retailers and fraudulently issues gift card codes to themselves, virtually printing their own money,” Microsoft’s Vasu Jakkal explained.
Faraday is a tool that introduces a new concept called IPE, or Integrated Penetration-Test Environment. It is a multiuser penetration test IDE designed for distribution, indexation and analysis of the generated data during the process of a security audit. The main purpose of Faraday is to re-use the available tools in the community to take advantage of them in a multiuser way.
Ubuntu Security Notice 6785-1 - Matthias Gerstner discovered that GNOME Remote Desktop incorrectly performed certain user validation checks. A local attacker could possibly use this issue to obtain sensitive information, or take control of remote desktop connections.
Debian Linux Security Advisory 5696-1 - Security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.
Ubuntu Security Notice 6784-1 - It was discovered that cJSON incorrectly handled certain input. An attacker could possibly use this issue to cause cJSON to crash, resulting in a denial of service. This issue only affected Ubuntu 22.04 LTS and Ubuntu 23.10. Luo Jin discovered that cJSON incorrectly handled certain input. An attacker could possibly use this issue to cause cJSON to crash, resulting in a denial of service.
Debian Linux Security Advisory 5695-1 - Manfred Paul discovered that an attacker with arbitrary read and write capability may be able to bypass Pointer Authentication in the WebKitGTK web engine.
Red Hat Security Advisory 2024-3354-03 - Red Hat Fuse 7.13.0 release is now available. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Issues addressed include HTTP request smuggling, bypass, denial of service, deserialization, and traversal vulnerabilities.
Red Hat Security Advisory 2024-3352-03 - An update for etcd is now available for Red Hat OpenStack Platform 16.2. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2024-3347-03 - An update for python3 is now available for Red Hat Enterprise Linux 8. Issues addressed include denial of service and traversal vulnerabilities.
Red Hat Security Advisory 2024-3346-03 - An update for git-lfs is now available for Red Hat Enterprise Linux 8. Issues addressed include denial of service and memory exhaustion vulnerabilities.
Red Hat Security Advisory 2024-3345-03 - An update for .NET 8.0 is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2024-3344-03 - An update for glibc is now available for Red Hat Enterprise Linux 8. Issues addressed include buffer overflow and null pointer vulnerabilities.
Red Hat Security Advisory 2024-3343-03 - An update for xorg-x11-server-Xwayland is now available for Red Hat Enterprise Linux 8. Issues addressed include a use-after-free vulnerability.
Red Hat Security Advisory 2024-3340-03 - An update for .NET 7.0 is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2024-3339-03 - An update for glibc is now available for Red Hat Enterprise Linux 9. Issues addressed include buffer overflow, null pointer, and out of bounds write vulnerabilities.
Red Hat Security Advisory 2024-3338-03 - An update for thunderbird is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support. Issues addressed include bypass and use-after-free vulnerabilities.
Red Hat Security Advisory 2024-3323-03 - An update for pcp is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.
Malicious actors have backdoored the installer associated with courtroom video recording software developed by Justice AV Solutions (JAVS) to deliver malware that's associated with a known backdoor called RustDoor. The software supply chain attack, tracked as CVE-2024-4978, impacts JAVS Viewer v8.3.7, a component of the JAVS Suite 8 that allows users to create, manage, publish,
Cybersecurity researchers have discovered that the malware known as BLOODALCHEMY used in attacks targeting government organizations in Southern and Southeastern Asia is in fact an updated version of Deed RAT, which is believed to be a successor to ShadowPad. "The origin of BLOODALCHEMY and Deed RAT is ShadowPad and given the history of ShadowPad being utilized in numerous APT
Threat actors have been observed making use of fake websites masquerading as legitimate antivirus solutions from Avast, Bitdefender, and Malwarebytes to propagate malware capable of stealing sensitive information from Android and Windows devices. "Hosting malicious software through sites which look legitimate is predatory to general consumers, especially those who look to protect their devices
Don't be fooled into thinking that cyber threats are only a problem for large organizations. The truth is that cybercriminals are increasingly targeting smaller businesses, and they're getting smarter every day. Join our FREE webinar "Navigating the SMB Threat Landscape: Key Insights from Huntress' Threat Report," in which Jamie Levy — Director of Adversary Tactics at Huntress, a renowned
Introduction The infamous Colonial pipeline ransomware attack (2021) and SolarWinds supply chain attack (2020) were more than data leaks; they were seismic shifts in cybersecurity. These attacks exposed a critical challenge for Chief Information Security Officers (CISOs): holding their ground while maintaining control over cloud security in the accelerating world of DevOps.
Google on Thursday rolled out fixes to address a high-severity security flaw in its Chrome browser that it said has been exploited in the wild. Assigned the CVE identifier CVE-2024-5274, the vulnerability relates to a type confusion bug in the V8 JavaScript and WebAssembly engine. It was reported by Clément Lecigne of Google's Threat Analysis Group and Brendon Tiszka of
The MITRE Corporation has revealed that the cyber attack targeting the not-for-profit company towards late December 2023 by exploiting zero-day flaws in Ivanti Connect Secure (ICS) involved the actor creating rogue virtual machines (VMs) within its VMware environment. "The adversary created their own rogue VMs within the VMware environment, leveraging compromised vCenter Server access," MITRE
A data breach involving the Dutch city of Eindhoven left the personal information related to almost all of its citizens exposed. And then they chose not to tell the affected 221,511 people about it. Read more in my article on the Hot for Security blog.
As the UK mulls new rules for ransomware disclosure, what would be the wider implications of such a move, how would cyber-insurance come into play, and how might cybercriminals respond?
Source: krebsonsecurity.com – Author: Brian Krebs The homepage of Stark Industries Solutions. Two weeks before Russia invaded Ukraine in February 2022, a large, mysterious new Internet hosting firm called Stark Industries Solutions materialized and quickly became the epicenter of massive distributed denial-of-service (DDoS) attacks on government and commercial targets in Ukraine and Europe. An investigation into […] The entry Stark Industries Solutions: An Iron Hammer in the Cloud – Source: krebsonsecurity.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.techrepublic.com – Author: Megan Crouse Because large language models operate using neuron-like structures that may link many different concepts and modalities together, it can be difficult for AI developers to adjust their models to change the models' behavior. If you don't know which neurons connect which concepts, you won't know which neurons to change. […] The entry Anthropic's Generative AI Research Reveals More About How LLMs Affect Security and Bias – Source: www.techrepublic.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.techrepublic.com – Author: Cedric Pernet A new report from IBM X-Force exposes changes in the Grandoreiro malware landscape. The banking trojan is now capable of targeting more than 1,500 global banks in more than 60 countries, and it has been updated with new features. Also, Grandoreiro's targeting has become wider, as it initially only […] The entry IBM X-Force Report: Grandoreiro Malware Targets More Than 1,500 Banks in 60 Countries – Source: www.techrepublic.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.techrepublic.com – Author: The European Union's General Data Protection Regulation requires every business enterprise and public authority that collects personal data from EU customers and clients to protect that data from unauthorized access. Finding ideal candidates for the GDPR data protection compliance officer position will require thorough vetting, and potential candidates may be difficult […] The entry Hiring Kit: GDPR Data Protection Compliance Officer – Source: www.techrepublic.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.schneier.com – Author: Bruce Schneier Microsoft is trying to create a personal digital assistant: At a Build conference event on Monday, Microsoft revealed a new AI-powered feature called "Recall" for Copilot+ PCs that will allow Windows 11 users to search and retrieve their past activities on their PC. To make it work, Recall records […] The entry Personal AI Assistants and Privacy – Source: www.schneier.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: go.theregister.com – Author: Team Register An improper access control bug in Apache Flink that was fixed in January 2021 has been added to the US government's Known Exploited Vulnerabilities Catalog, meaning criminals are right now abusing the flaw in the wild to compromise targets. Plus, its inclusion in the catalog means federal agencies need […] The entry Three-year-old Apache Flink flaw under active attack – Source: go.theregister.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: go.theregister.com – Author: Team Register Yet more ransomware is using Microsoft BitLocker to encrypt corporate files, steal the decryption key, and then extort a payment from victim organizations, according to Kaspersky. The antivirus maker's Global Emergency Response team spotted the malware, dubbed ShrinkLocker, in Mexico, Indonesia, and Jordan, and said the code's unnamed operators […] The entry Here's yet more ransomware using BitLocker against Microsoft's own users – Source: go.theregister.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
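The ShrinkLocker item above describes the pattern in one sentence: the attacker lets BitLocker do the encryption and simply keeps the key. The practical check is therefore not "is malware present" but "is BitLocker on this host in a state that only an attacker could unlock". The script below is an added example, not code from The Register, Kaspersky, or the ShrinkLocker report. It uses the built-in BitLocker PowerShell module (Get-BitLockerVolume, Get-WinEvent and the real protector-type names) on Windows 8 / Server 2012 or later from an elevated session; the list of "expected" protector types and the findings it raises are this example's own choices, not a vendor baseline, and you should tune them to your fleet.

```powershell
<#
Added example (not from the page, The Register, or Kaspersky): audit the BitLocker
state of every local volume and flag the conditions an attacker who turns BitLocker
against the host would leave behind. Assumptions: built-in BitLocker module,
elevated session, and the $ExpectedProtectorTypes list below, which is this
example's own choice rather than a Microsoft recommendation.
#>

# Protector types a managed fleet normally carries. A bare Password protector on a
# data volume, or a recovery password that was never escrowed, is worth a look.
$ExpectedProtectorTypes = @('Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey',
                            'RecoveryPassword', 'ExternalKey', 'AdAccountOrGroup')

function Get-BitLockerAuditFinding {
    # Returns one object per volume that is encrypted (or being encrypted) and
    # shows at least one suspicious property. Pipe the output to your SIEM.
    foreach ($vol in Get-BitLockerVolume) {
        $encrypting = $vol.VolumeStatus -in @('FullyEncrypted', 'EncryptionInProgress', 'EncryptionPaused')
        if (-not $encrypting) { continue }

        $types  = @($vol.KeyProtector | ForEach-Object { [string] $_.KeyProtectorType })
        $issues = New-Object System.Collections.Generic.List[string]

        # Without a RecoveryPassword protector there is nothing to escrow to AD or
        # Entra ID, so whoever set the remaining protector holds the only key.
        if ($types -notcontains 'RecoveryPassword') {
            $issues.Add('no RecoveryPassword protector: nothing escrowed, only the holder of the other protector can unlock')
        }

        $unexpected = @($types | Where-Object { $ExpectedProtectorTypes -notcontains $_ })
        if ($unexpected.Count -gt 0) {
            $issues.Add("unexpected protector type(s): $($unexpected -join ', ')")
        }

        # An OS volume bound only to a password (no TPM) is how a remote attacker
        # would set it up; a managed build binds boot to the TPM.
        $tpmBound = @($types | Where-Object { $_ -like 'Tpm*' })
        if ($vol.VolumeType -eq 'OperatingSystem' -and $tpmBound.Count -eq 0) {
            $issues.Add('OS volume is not TPM-bound: password-only boot protector')
        }

        if ($vol.VolumeStatus -eq 'EncryptionInProgress') {
            $issues.Add("encryption in progress ($($vol.EncryptionPercentage)%): confirm a change record exists")
        }

        if ($issues.Count -gt 0) {
            [pscustomobject]@{
                ComputerName     = $env:COMPUTERNAME
                MountPoint       = $vol.MountPoint
                VolumeType       = [string] $vol.VolumeType
                VolumeStatus     = [string] $vol.VolumeStatus
                ProtectionStatus = [string] $vol.ProtectionStatus
                Protectors       = ($types -join ',')
                Issues           = ($issues -join '; ')
            }
        }
    }
}

function Get-BitLockerRecentEvent {
    # Timeline context: who added or removed protectors, and when. The log name is
    # real; event IDs are deliberately not hard-coded so nothing is guessed here.
    param([int] $LookbackHours = 24)

    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
}

Get-BitLockerAuditFinding | Format-Table -AutoSize
Get-BitLockerRecentEvent  | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind. First, this is a detective control: an attacker with local administrator rights can remove protectors and clear the event log before you look, so the findings are most useful when collected centrally and compared against yesterday's snapshot. Second, the preventive side is policy, not scripting: require recovery-key escrow (Backup-BitLockerKeyProtector against AD DS or Entra ID) before encryption may start, so that a volume encrypted by anyone on the host still has a key the organisation holds.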
Source: go.theregister.com – Author: Team Register Interview The cyberattacks against Las Vegas casinos over the summer put a big target on the backs of prime suspects Scattered Spider, according to Mandiant CTO Charles Carmakal. The Google-owned security biz has been tracking the loosely knit crew – believed to be teens and twenty-somethings located in the […] The entry Casino cyberattacks put a bullseye on Scattered Spider – and the FBI is closing in – Source: go.theregister.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: go.theregister.com – Author: Team Register A Google security bigwig has had enough of federally mandated phishing tests, saying they make colleagues hate IT teams for no added benefit. Matt Linton leads Google's security response and incident management division. Tasked with rolling out phishing exercises every year, he believes tests should be replaced by the […] The entry Google guru roasts useless phishing tests, calls for fire drill-style overhaul – Source: go.theregister.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: go.theregister.com – Author: Team Register Veeam says the recent critical vulnerability in its Backup Enterprise Manager (VBEM) can't be used by cybercriminals to delete an organization's backups. Rated 9.8 out of a possible 10, CVE-2024-29849 could allow attackers to log into the VBEM web interface without authentication. The […] The entry Veeam says critical flaw can't be abused to trash backups – Source: go.theregister.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.darkreading.com – Author: PRESS RELEASE SAN MATEO, Calif., May 23, 2024 — Concentric AI, a leading vendor of intelligent AI-based solutions for autonomous data security posture management (DSPM), announced today it will demonstrate the latest in autonomous data security at Infosecurity Europe 2024 at its stand No. B130 in the Discovery Zone, including showcasing its new remediation and compliance […] The entry Concentric AI to Unveil Data Security Remediation and Compliance Reporting Capabilities at Infosecurity Europe 2024 – Source: www.darkreading.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.darkreading.com – Author: Michael Bargury The image of a cockpit always struck me as overwhelming. So many knobs and whistles of different shapes and sizes. Do pilots really need all those options at arm's length? On every flight? And how do they verify that they're […] The entry Seizing Control of the Cloud Security Cockpit – Source: www.darkreading.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.darkreading.com – Author: PRESS RELEASE NEWARK, Del., May 22, 2024 /PRNewswire/ — SOCRadar, a leading provider of enterprise-grade, end-to-end threat intelligence and brand protection, today announced the successful completion of its Series B funding round, raising $25.2 million. The round was led by PeakSpan Capital, with participation from Oxx, reflecting investor confidence in SOCRadar's innovative approach to cybersecurity. External cybersecurity […] The entry SOCRadar Secures $25.2M in Funding to Combat Multibillion-Dollar Cybersecurity Threats – Source: www.darkreading.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.darkreading.com – Author: PRESS RELEASE SAN FRANCISCO, May 23, 2024 — Bugcrowd, a leading provider of crowdsourced security, today announced it has acquired Informer, a leading provider of external attack surface management (ASM) and continuous penetration testing. This acquisition widens Bugcrowd's innovation lead in providing crowdsourced security to customers of all sizes, and in all industries, […] The entry Bugcrowd Acquires Informer to Enhance Attack Surface Management, Penetration Testing – Source: www.darkreading.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.darkreading.com – Author: Becky Bracken, Senior Editor, Dark Reading A Windows version of the RustDoor installer is spreading via a compromised audiovisual software package hosted and distributed by an audio-visual recording platform used in courtrooms, jails, prisons, council chambers, hearing rooms, and lecture halls nationwide. […] The entry Courtroom Recording Platform JAVS Hijacked in Supply Chain Attack – Source: www.darkreading.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.darkreading.com – Author: Robert Lemos, Contributing Writer Many cryptocurrency traders play fast and loose with the systems in place to empower decentralized finance (DeFi), using a variety of hacks to gain an advantage in their trades — from sandwich attacks to rug pull scams — and losses typically run into […] The entry MIT Brothers Charged With Exploiting Ethereum to Steal $25 Million – Source: www.darkreading.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.darkreading.com – Author: Dark Reading Staff A spyware app called pcTattletale was recently discovered tapping into the systems of several Wyndham hotels in the US. The app is described as "simple stalkerware" by Eric Daigle, who discovered it in the hotel chain's check-in systems […] The entry Stalkerware App With Security Bug Discovered on Hotel Systems – Source: www.darkreading.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.darkreading.com – Author: Nate Nelson, Contributing Writer A Moroccan threat group has upgraded the classic gift card scam by targeting not retail customers but the systems that register the cards, allowing them to "print" money at will. Scammers have been using social engineering tactics to convince regular […] The entry New Gift Card Scam Targets Retailers, Not Buyers, to Print Endless $$$ – Source: www.darkreading.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.cyberdefensemagazine.com – Author: News team By Stephen de Vries, CEO, IriusRisk In 2023, we saw governments and global cybersecurity agencies begin to put the building blocks in place for secure design and take cyber defense to the software and system vendors. The US took significant strides in developing legislation and guidance for software manufacturers, […] The entry 2024: The Year of Secure Design – Source: www.cyberdefensemagazine.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.cyberdefensemagazine.com – Author: News team Don’t Settle for Less | Make an Informed Decision By Krunal Mendapara, Chief Technology Officer, Sattrix Group In today’s world, cyber threats are more rampant than ever before. It’s no wonder that organizations are looking for ways to monitor show more ...
their network activity for any signs of malicious activity. And […] La entrada 6 Factors to Consider When Choosing a SIEM Solution – Source: www.cyberdefensemagazine.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.