The 2024 World CyberCon META Edition, a resounding success held at Al Habtoor Palace in Dubai, featured a prominent all-women panel discussion titled "Strategic Investments in Cybersecurity: Leveraging AI and ML for Enhanced Threat Detection." The panel, moderated by Jo Mikleus, Senior Vice President of Cyble Inc., featured contributions from an array of distinguished experts including Sithembile (Nkosi) Songo, Chief Information Security Officer at ESKOM; Dina Alsalamen, VP and Head of Cyber and Information Security at Bank ABC; Afra Mohammed Almansoori, Business Analyst at Digital Dubai; and Irene Corpuz, Co-Founder of Women in Cyber Security Middle East.

The session commenced by exploring how AI and machine learning (ML) are revolutionizing threat detection and response in cybersecurity. Afra Mohammed Almansoori highlighted the transformative impact of these technologies: "AI isn't just a substitute; it's a game-changer for cybersecurity. By harnessing AI and machine learning, we enhance threat detection capabilities, allowing us to focus on strategic security initiatives."

World CyberCon META Edition: Transforming Threat Detection and Response

AI and ML are redefining the landscape of cybersecurity through various applications. Behavioral analytics, anomaly detection, and automated incident response are now integral to modern cybersecurity strategies. AI's ability to analyze vast datasets and identify patterns that elude traditional methods enables organizations to preemptively address potential threats. Irene Corpuz reinforced this notion, stating, "AI isn't a replacement, it's a force multiplier for cybersecurity. Leveraging AI and machine learning strengthens our defenses by automating threat detection, freeing us to focus on strategic security initiatives."

[Image caption: L-R: Sithembile (Nkosi) Songo, Chief Information Security Officer, ESKOM; Afra Mohammed Almansoori, Business Analyst, Digital Dubai; Dina Alsalamen, VP, Head of Cyber and Information Security Department, Bank ABC; Irene Corpuz, Co-Founder, Women in Cyber Security Middle East; and Jo Mikleus, Senior Vice President, Cyble Inc.]

Enhanced Accuracy and Speed

The panel discussed notable use cases where AI and ML have significantly enhanced the accuracy and speed of threat detection. In one instance, Bank ABC utilized AI-driven analytics to thwart a sophisticated phishing attack that traditional security measures failed to detect. By rapidly identifying and responding to anomalies, AI systems have proven to be a vital asset in the fight against cybercrime.

However, the integration of AI and ML into cybersecurity is not without challenges. The panel emphasized the importance of adopting applicable policies and standards to mitigate risks associated with these technologies. Regulatory frameworks must evolve to address issues such as data privacy, ethical use of AI, and the potential for AI-generated threats.

Integration with Existing Infrastructure

Integrating AI and ML capabilities with existing security infrastructure is another critical consideration. Organizations must ensure seamless integration to maximize the benefits of AI without disrupting their current operations. This involves upgrading legacy systems, training staff on new technologies, and continually assessing the performance of AI tools.

Best practices in reorienting strategic investments were also discussed. Companies are increasingly allocating resources towards AI capabilities to stay ahead of emerging threats. By investing in AI and ML, businesses can enhance their threat detection and response mechanisms, thereby safeguarding their digital assets more effectively.

Overcoming Implementation Challenges

The panel acknowledged the challenges and limitations of implementing AI and ML in cybersecurity, especially for small and medium-sized enterprises (SMEs). Resource constraints, lack of expertise, and integration issues are common hurdles. To overcome these challenges, organizations should consider collaborative approaches, such as partnering with cybersecurity firms and leveraging cloud-based AI solutions.

A key theme was the envisioned collaboration between humans and machines in cybersecurity operations. AI and ML technologies can augment the capabilities of human analysts by handling routine activities, thus allowing experts to focus on more strategic tasks. This symbiotic relationship enhances overall security posture and operational efficiency.

The reception from key stakeholders, including Boards, CEOs, and CFOs, was noted as increasingly positive. As cyber threats become more sophisticated, there is growing recognition of the need for enhanced cybersecurity measures. Business leaders are supporting CISOs in making the necessary investments to protect their organizations.

Delivering ROI

Finally, the panel discussed how to position business cases for AI in cybersecurity to deliver ROI. Demonstrating the tangible benefits of AI investments, such as reduced incident response times and minimized breach impact, is crucial for securing buy-in from stakeholders.

[Image caption: Jo Mikleus, Senior Vice President at Cyble Inc.]

Jo Mikleus summed up the session by stating, "It was a privilege to moderate the World CyberCon panel, discussing AI as a critical strategic investment for cybersecurity and managing threat intelligence."

The Middle East's Cybersecurity Imperative

As digitalization surges across the Middle East, the importance of strong cybersecurity measures cannot be overstated. The region's rapid technological advancement necessitates a proactive approach to combat the escalating cyber threat landscape. Leveraging AI and ML to complement traditional cybersecurity defenses is advantageous, but proactive measures are essential to mitigate AI-related risks. Shadow AI in the workplace is growing, with an alarming 156% increase in employees inputting sensitive corporate data into chatbots like ChatGPT and Gemini.

The World CyberCon META Edition 2024 underlines the critical role of AI and ML in modern cybersecurity strategies. As cyber threats continue to evolve, strategic investments in these technologies will be pivotal in safeguarding the digital future.
A cybercriminal going by the alias "SpidermanData" has claimed to breach and advertise a massive database purportedly linked to Ticketmaster Entertainment, LLC. The claim of the Ticketmaster data breach, dated May 27, 2024, was posted on the cybercrime forum Exploit and shares threatening information about the organization, including a database of "560M Users + Card Details". The threat actor has also claimed to have access to 1.3TB of stolen data and is currently selling it for $500k.

The post, accompanied by sample data, suggests that the data indeed belongs to Ticketmaster Entertainment. However, the American ticket sales and distribution company has yet to share any information about this alleged Ticketmaster data breach.

Additionally, apart from the Ticketmaster data breach, the company is also facing a lawsuit from the Justice Department for anti-competitive practices, limiting venue options, and threatening financial consequences. The lawsuit follows public outcry, including ticketing issues during Taylor Swift's tour. High prices, fueled by post-pandemic demand, have intensified scrutiny. Live Nation denies monopolistic behavior, but the lawsuit contends their dominance drives up prices. The Ticketmaster data breach poses another threat to the organization, since databases of this caliber are usually hot-selling items on the dark web.

Ticketmaster Data Breach: The Worst Time to Have a Cybersecurity Incident

SpidermanData claims to have access to a staggering 560 million records brimming with personally identifiable information (PII) of customers, including sensitive payment card details. This breach couldn't have come at a worse time for Ticketmaster, coinciding with the onset of several major music festivals scheduled between May 2024 and January 2025.

Among these highly anticipated events is the FOREIGNER concert, featuring legendary rock acts led by Mick Jones and Kelly Hansen. The musical act will begin on June 11, 2024, in the United States and will conclude on November 9, 2024. Following suit is the iconic band HEART, set to perform across the United States from July to November 2024, culminating in an international concert in Calgary, AB, Canada. Meanwhile, Allison Russell and Hozier are primed to perform from May to August 2024. Adding to this list of bands performing this year, artists like Ian Munsick, Prateek Kuhad, and Kathleen Hanna will also go on tours across North America between 2024 and 2025.

However, the jubilant atmosphere surrounding these events is now overshadowed by the threat of one of the biggest data breaches, affecting millions of users globally. The purportedly compromised data, amounting to a staggering 1.3 terabytes, has been divided into 15 parts, with the hacker offering samples from two segments. One dataset, extracted from a 'PATRON' database, contains a plethora of personal information, including names, addresses, emails, and phone numbers. Meanwhile, the other dataset includes information about customer sales, encompassing crucial details like event IDs and payment methods.

The Aftermath and Industry Implications

SpidermanData has listed the entire dataset for sale, quoting a hefty price tag of USD 500,000, and restricting the sale to a single buyer. The gravity of this situation cannot be overstated, with the compromised data posing significant risks of identity theft, financial fraud, and other criminal activities - something we've already seen in previous data breaches like the MOVEit File Transfer incident.

Live Nation Entertainment, the parent company of Ticketmaster, stands as a global juggernaut in the live entertainment domain, organizing and promoting thousands of shows annually across more than 40 countries. Meanwhile, Ticketmaster's pivotal role in facilitating ticket sales for musical and non-musical events highlights its significance within the industry, making it a prime target for cybercriminals seeking to exploit vulnerabilities for personal gain.

The current Ticketmaster data breach is not the first time that the organization has faced a cyberattack. In November 2020, the company faced a hefty £1.25 million fine from the Information Commissioner's Office (ICO) following a payment data breach in 2018. The breach, stemming from a vulnerability in a third-party chatbot, compromised the personal and payment details of over nine million customers in Europe, triggering widespread fraud and financial losses.

Whether the current data breach represents a resurgence of previously compromised data or the acquisition of freshly stolen data, the precise origin of the information about the databases remains unclear. Nevertheless, The Cyber Express will be closely monitoring the situation and we'll update this post once we have more information on the Ticketmaster data leak or any official confirmation from the organization.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
The impact of the Cencora data breach is far more widespread than earlier thought, as more than a dozen pharmaceutical giants including Novartis and GlaxoSmithKline disclose personal and health information data leaks stemming from the February breach incident.

Cencora Inc., formerly recognized as AmerisourceBergen, and its Lash Group affiliate announced in a February filing with the Securities and Exchange Commission (SEC) that the company faced a cybersecurity incident where "data from its information systems had been exfiltrated." Cencora is a major pharmacy company with over 46,000 employees and approximately $262.2 billion in revenue in 2023. Based in Pennsylvania, it operates in around 50 countries globally.

The popular American drug wholesaler did not disclose the extent of the data breach in its February SEC filing but did confirm at the time that some of the data exfiltrated in the attack could contain personal information. Last week, however, Cencora and The Lash Group clients began notifying state Attorneys General about a data breach that stemmed from the February cybersecurity incident at Cencora. At least 15 pharmaceutical companies reported that the personal data of hundreds of thousands of individuals were compromised. Notifications identified the following affected companies:

AbbVie Inc.
Acadia Pharmaceuticals Inc.
Bayer Corporation
Bristol Myers Squibb Company and Bristol Myers Squibb Patient Assistance Foundation
Dendreon Pharmaceuticals LLC
Endo Pharmaceuticals Inc.
Genentech, Inc.
GlaxoSmithKline Group of Companies and the GlaxoSmithKline Patient Access Programs Foundation
Incyte Corporation
Marathon Pharmaceuticals, LLC/PTC Therapeutics, Inc.
Novartis Pharmaceuticals Corporation
Pharming Healthcare, Inc.
Regeneron Pharmaceuticals, Inc.
Sumitomo Pharma America, Inc. / Sunovion Pharmaceuticals Inc.
Tolmar

State Attorneys General often announce data breaches without specifying the number of affected people, but the AG's office in Texas does disclose the number of state residents impacted. Based on these partial numbers, at least 542,000 individuals seem to be impacted by the Cencora data breach to date. The Cyber Express reached out to Cencora to confirm the total number of individuals impacted and understand the full extent of the data breach, but did not receive any communication by the time of publishing this article.

Cyber Forensic Findings from the Cencora Data Breach

Cencora detected the cyberattack on February 21 and took immediate action to contain and prevent further unauthorized access. Based on the investigation, which likely concluded in April, Cencora said personal information including first name, last name, address, date of birth, health diagnosis, and medications and prescriptions was compromised in the attack.

AmerisourceBergen Specialty Group (ABSG), a unit of Cencora, said Friday the breach involved data of a prescription supply program run by the now defunct subsidiary, Medical Initiatives Inc. Further details on how the supply program was exploited remain unclear.

The U.S. has been rocked by a host of cybersecurity breaches linked to the healthcare industry in recent days. While the Change Healthcare cyberattack was one of the most notable, the Medstar and Ascension breaches have displayed the vulnerability of the healthcare sector to cyberattacks. The latest in the list of healthcare data breaches is the Sav-Rx data breach, which compromised the health data of more than 2.8 million people.

Cencora's investigation, however, found no connection with other major healthcare cyberattacks and, in its notifications, said it was unaware of any actual or attempted misuse of the stolen data. The company said it has not seen any public disclosure of the stolen data to date. The affected individuals have been offered 24 months of credit monitoring and identity theft remediation services at no cost, and steps have also been taken to harden defenses to prevent such security breaches in the future.
OpenAI announced a new safety and security committee as it begins training a new AI model intended to replace the GPT-4 system that currently powers its ChatGPT chatbot. The San Francisco-based startup announced the formation of the committee in a blog post on Tuesday, highlighting its role in advising the board on crucial safety and security decisions related to OpenAI's projects and operations.

The creation of the committee comes amid ongoing debates about AI safety at OpenAI. The company faced scrutiny after Jan Leike, a researcher, resigned, criticizing OpenAI for prioritizing product development over safety. Following this, co-founder and chief scientist Ilya Sutskever also resigned, leading to the disbandment of the "superalignment" team that he and Leike co-led, which was focused on addressing AI risks.

Despite these controversies, OpenAI emphasized that its AI models are industry leaders in both capability and safety. The company expressed openness to robust debate during this critical period.

OpenAI's Safety and Security Committee Composition and Responsibilities

The safety committee comprises company insiders, including OpenAI CEO Sam Altman, Chairman Bret Taylor, and four OpenAI technical and policy experts. It also features board members Adam D'Angelo, CEO of Quora, and Nicole Seligman, a former general counsel for Sony.

"A first task of the Safety and Security Committee will be to evaluate and further develop OpenAI's processes and safeguards over the next 90 days."

The committee's initial task is to evaluate and further develop OpenAI's existing processes and safeguards. They are expected to make recommendations to the board within 90 days. OpenAI has committed to publicly releasing the recommendations it adopts in a manner that aligns with safety and security considerations.

The establishment of the safety and security committee is a significant step by OpenAI to address concerns about AI safety and maintain its leadership in AI innovation. By integrating a diverse group of experts and stakeholders into the decision-making process, OpenAI aims to ensure that safety and security remain paramount as it continues to develop cutting-edge AI technologies.

Development of the New AI Model

OpenAI also announced that it has recently started training a new AI model, described as a "frontier model." These frontier models represent the most advanced AI systems, capable of generating text, images, video, and human-like conversations based on extensive datasets.

The company also recently launched its newest flagship model GPT-4o ('o' stands for omni), a multilingual, multimodal generative pre-trained transformer designed by OpenAI. It was announced by OpenAI CTO Mira Murati during a live-streamed demo on May 13 and released the same day. GPT-4o is free, but with a usage limit that is five times higher for ChatGPT Plus subscribers. GPT-4o has a context window supporting up to 128,000 tokens, which helps it maintain coherence over longer conversations or documents, making it suitable for detailed analysis.
Researchers have observed a significant increase in attempts to spread the Anatsa Banking Trojan under the veil of legitimate-looking PDF and QR code reader apps on the Google Play store. Also known as TeaBot, the malware employs dropper applications that appear harmless to users, deceiving them into unwittingly installing the malicious payload, said researchers at cybersecurity firm Zscaler.

Once installed, Anatsa extracts sensitive banking credentials and financial information from various global financial applications. It achieves this through overlay and accessibility techniques, allowing it to discreetly intercept and collect data.

Distribution and Impact of Anatsa Banking Trojan

Two malicious payloads linked to Anatsa were found in the Google Play store, distributed by threat actors. The campaign impersonated PDF reader and QR code reader applications to attract numerous installations. The high number of installations, which had surpassed 70,000 at the time of analysis, further convinced victims of the applications' legitimacy.

Anatsa employs remote payloads retrieved from Command and Control (C&C) servers to perform additional malicious activities. The dropper application contains encoded links to remote servers, from which the subsequent stage payload is downloaded. Along with the payload, the malware fetches a configuration file from the remote server to execute the next stage of the attack.

Anatsa Infection Steps

The Anatsa banking trojan works by employing a dropper application and executing a payload to launch its malicious activities.

Dropper Application: The fake QR code application downloads and loads the DEX file. The application uses reflection to invoke code from the loaded DEX file. Configuration for loading the DEX file is downloaded from the C&C server.

Payload Execution: After downloading the next stage payload, Anatsa performs checks on the device environment to detect analysis environments and malware sandboxes. Upon successful verification, it downloads the third and final stage payload from the remote server.

Malicious Activities: The malware injects uncompressed raw manifest data into the APK, deliberately corrupting the compression parameters in the manifest file to hinder analysis. Upon execution, the malware decodes all encoded strings, including those for C&C communication. It connects with the C&C server to register the infected device and retrieve a list of targeted applications for code injections.

Data Theft: After receiving a list of package names for financial applications, Anatsa scans the device for these applications. If a targeted application is found, Anatsa communicates this to the C&C server. The C&C server then supplies a counterfeit login page for the banking operation. This fake login page, displayed within a JavaScript Interface (JSI) enabled web view, tricks users into entering their banking credentials, which are then transmitted back to the C&C server.

[Image caption: Anatsa Banking Trojan Attack Chain (Source: Zscaler)]

The Anatsa banking trojan is increasing in prevalence and infiltrates the Google Play store disguised as benign applications. Using advanced techniques such as overlay and accessibility, it stealthily exfiltrates sensitive banking credentials and financial data. By injecting malicious payloads and employing deceptive login pages, Anatsa poses a significant threat to mobile banking security.

Best Practices to Stop the Anatsa Trojan

To protect against such threats, Cyble's Research and Intelligence Labs suggests following essential cybersecurity best practices:

Install Software from Official Sources: Only download software from official app stores like the Google Play Store or the iOS App Store.
Use Reputable Security Software: Ensure devices, including PCs, laptops, and mobile devices, use reputable antivirus and internet security software.
Strong Passwords and Multi-Factor Authentication: Use strong passwords and enable multi-factor authentication whenever possible.
Be Cautious with Links: Be careful when opening links received via SMS or emails.
Enable Google Play Protect: Always have Google Play Protect enabled on Android devices.
Monitor App Permissions: Be wary of permissions granted to applications.
Regular Updates: Keep devices, operating systems, and applications up to date.

By adhering to these practices, users can establish a robust first line of defense against malware and other cyber threats, Cyble researchers said.
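The "Malicious Activities" step above describes the dropper corrupting the compression parameters of the APK's manifest to hinder analysis. An APK is a zip archive, so one cheap triage check an analyst can run before handing a sample to a decompiler is to compare each entry's local file header with its central directory record: a well-formed archive records the same compression method and sizes in both places, and a deliberately tampered manifest often does not. The code below is an added example written for this article, not Zscaler's or Cyble's tooling, and it models one plausible form of such tampering (local header claims "stored" while the central directory says "deflated"); the real sample may differ. The function names and the constructed sample archive are this example's own assumptions, and the sample is not a real APK.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"
DATA_DESCRIPTOR_FLAG = 0x0008  # bit 3: CRC/sizes live in a trailing data descriptor


def build_sample_apk(corrupt_manifest: bool) -> bytes:
    """Constructed sample (not a real APK): a small zip holding an AndroidManifest.xml
    entry and a dummy classes.dex. With corrupt_manifest=True the manifest's *local*
    header is patched to claim 'stored' (method 0) while the central directory still
    says 'deflated' (method 8), modelling a header mismatch (assumed form of tampering)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='example'/>" * 4)
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
    data = bytearray(buf.getvalue())
    if corrupt_manifest:
        off = data.find(LOCAL_SIG)                 # first local header = manifest entry
        struct.pack_into("<H", data, off + 8, 0)   # method field sits at offset +8
    return bytes(data)


def parse_central_directory(data: bytes):
    """Yield (name, method, csize, usize, local_header_offset) per central directory
    record. Assumes no archive comment and no ZIP64 records (true for the sample)."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    cd_size, cd_off = struct.unpack_from("<II", data, eocd + 12)
    pos = cd_off
    while pos < cd_off + cd_size:
        f = struct.unpack_from("<4s6H3I5H2I", data, pos)   # 46-byte fixed header
        if f[0] != CENTRAL_SIG:
            raise ValueError("bad central directory signature at %d" % pos)
        method, csize, usize = f[4], f[8], f[9]
        nlen, elen, clen, local_off = f[10], f[11], f[12], f[16]
        name = data[pos + 46: pos + 46 + nlen].decode("utf-8", "replace")
        yield name, method, csize, usize, local_off
        pos += 46 + nlen + elen + clen


def check_header_consistency(data: bytes, names=("AndroidManifest.xml",)):
    """Compare the local header of each named entry with its central directory
    record. Returns a list of findings; an empty list means the headers agree."""
    findings = []
    for name, cd_method, cd_csize, cd_usize, loff in parse_central_directory(data):
        if name not in names:
            continue
        l = struct.unpack_from("<4s5H3I2H", data, loff)     # 30-byte local header
        if l[0] != LOCAL_SIG:
            findings.append({"name": name, "issue": "bad local header signature"})
            continue
        l_flags, l_method, l_csize, l_usize = l[2], l[3], l[7], l[8]
        issues = []
        if l_method != cd_method:
            issues.append("method local=%d central=%d" % (l_method, cd_method))
        # With bit 3 set the local sizes are legitimately zero, so only compare
        # sizes for entries that do not use a data descriptor.
        if not (l_flags & DATA_DESCRIPTOR_FLAG) and (l_csize, l_usize) != (cd_csize, cd_usize):
            issues.append("sizes local=%s central=%s"
                          % ((l_csize, l_usize), (cd_csize, cd_usize)))
        if issues:
            findings.append({"name": name, "issue": "; ".join(issues)})
    return findings


if __name__ == "__main__":
    for label, blob in (("clean", build_sample_apk(False)),
                        ("patched", build_sample_apk(True))):
        print(label, check_header_consistency(blob) or "headers consistent")
```

On the clean sample the check returns an empty list; on the patched one it reports the manifest entry with "method local=0 central=8". A mismatch is a triage signal, not proof of malice, but it is exactly the kind of inconsistency that makes standard unpackers and decompilers choke, so it is worth surfacing early in a pipeline.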
The grandeur of Al Habtoor Palace in Dubai set the stage for one of the most significant cybersecurity events in the Middle East: the World CyberCon 3.0 META Cybersecurity conference. This prestigious event brought together leading cybersecurity professionals and industry experts from around the world to discuss pressing issues and emerging trends in the field. Among the various World CyberCon META Edition sessions, a panel discussion on cyber risk scoring drew substantial attention, underlining its critical importance in today's digital landscape.

During the session, Waqas Haider, the CISO of HBL Microfinance Bank, served as the moderator and steered the conversation among the panelists, who included Beenu Arora, Co-founder and CEO of Cyble; Azhar Zahiruddin, Director of Data Protection and Group DPO at Chalhoub Group; Ankit Satsangi, Director at Beeah Group; and Suhaila Hareb, ISR Auditor at Dubai Electronic Security Center.

Understanding Cyber Risk Scoring at World CyberCon META Cybersecurity Conference

Beenu Arora, the CEO of Cyble, delivered a global perspective that resonated profoundly with the audience. He highlighted the staggering statistics regarding data breaches over the past few years. According to these statistics, over the past thousand days, more than 50,000 companies worldwide have fallen victim to data breaches.

"In the last two and a half years, let's say, the last thousand days. Can anybody guess how many companies have reportedly been breached? The number we have exactly at the moment is 50 thousand! So 50 thousand companies, globally, have been breached, in the last thousand days", said Beenu Arora at The Cyber Express META Cybersecurity Conference in Dubai.

Azhar Zahiruddin emphasized the importance of understanding the evolving nature of cyber threats and the necessity of robust data protection frameworks. He stressed that organizations must stay ahead of threat actors by continuously updating their security measures and protocols.

Suhaila Hareb provided insights into the regulatory landscape and the role of compliance in enhancing cybersecurity defenses. She highlighted the significance of adhering to international standards and the need for regular audits to ensure that security measures are effective and up-to-date.

Ankit Satsangi discussed practical strategies for improving cyber risk scoring mechanisms. He recommended a multi-layered approach to cybersecurity that integrates advanced technologies, employee training, and proactive threat intelligence.

The panelists collectively underlined the importance of cyber risk scoring as a tool for organizations to assess and manage their cybersecurity risks. Effective risk scoring enables companies to identify vulnerabilities, prioritize their security investments, and respond more swiftly to potential threats.

Moreover, throughout the discussion, a common theme emerged: the need for better defense mechanisms to fight against online threats. The experts agreed that while technological advancements are crucial, human factors such as employee awareness and training play an equally vital role in maintaining enhanced cybersecurity.

[Image caption: L-R: Suhaila Hareb, ISR Auditor, Dubai Electronic Security Center; Ankit Satsangi, Director, Beeah Group; Waqas Haider, CISO, HBL Microfinance Bank (Moderator); Azhar Zahiruddin, Director of Data Protection and Group DPO, Chalhoub Group; and Beenu Arora, Co-founder and CEO, Cyble]

A Call for Enhanced Defense Mechanisms

The World CyberCon 3.0 META Cybersecurity conference showcased the latest advancements and strategic insights in the field of cybersecurity. The panel on cyber risk scoring highlighted the critical role of this practice in helping organizations navigate the complex threat landscape. As cyber threats continue to evolve, the insights shared by these industry leaders provide valuable guidance for organizations seeking to bolster their cybersecurity defenses.

By adopting comprehensive risk scoring mechanisms and staying informed about emerging threats, businesses can better protect their digital assets and maintain resilience in an increasingly interconnected world. Apart from this, the META edition of World CyberCon held several interesting sessions on cybersecurity in the Middle East.
The Greek Personal Data Protection Authority (PDPA) has imposed significant fines on the Greek Ministry of Interior and New Democracy MEP Anna-Michelle Asimakopoulou for their roles in violating data protection regulations in the 'email-gate' scandal. The fines come after an investigation into the "email-gate" scandal, in which Asimakopoulou was accused of sending unsolicited emails to Greeks living abroad ahead of the European Parliament elections in June.

Ministry of Interior Violations and Consequences

The authority found that a file of 25,000 voters registered for the June 2023 elections had been leaked between June 8 and 23, 2023. The list, which included voter emails, was sent to New Democracy's then Secretary for Diaspora Affairs, Nikos Theodoropoulos, by an unknown individual. Theodoropoulos forwarded the file to MEP Asimakopoulou, who used it to send mass campaign emails in violation of data protection laws and basic principles of legality.

[Image caption: Source: Shutterstock (MEP Anna-Michelle Asimakopoulou)]

On receiving the unsolicited emails to their private accounts, several Greek diaspora voters living abroad expressed their surprise on social media and accused the New Democracy MEP of violating the European Union's General Data Protection Regulation (GDPR). The expats questioned how the addresses were obtained by the MEP for use in the email campaigns. Asimakopoulou earlier attempted to refute allegations of violating these data protection laws but was found to have provided contradictory explanations regarding the source from which these addresses were obtained for use in the mass email campaign.

As a result, the Ministry of Interior faces a 400,000-euro fine, while Asimakopoulou faces a 40,000-euro fine. The authority also postponed its verdict on Theodoropoulos and the New Democracy party to examine new claims related to the investigation.

The PDPA stated in its investigation that the use of the emails "was in violation of the basic principle of legality, objectivity and transparency of processing, as it was in violation of a series of provisions of the electoral legislation and furthermore could not reasonably be expected." The ministry said it will "thoroughly study" the authority's decision to consider further legal actions.

The "email-gate" scandal has led to significant consequences, including the resignation of the general secretary of the Interior Ministry, Michalis Stavrianoudakis, and the dismissal of Theodoropoulos by New Democracy. Asimakopoulou has announced she will not run in the European Parliament elections. Asimakopoulou is also facing 75 lawsuits by citizens and over 200 lawsuits from the Interior Ministry over the scandal.

Reaction of Opposition Parties to the Investigation Results

Opposition parties are now demanding the resignation of Interior Minister Niki Kerameos following the outcome of the investigation into the unsolicited emails.

[Image caption: Source: Shutterstock (Interior Minister Niki Kerameos)]

The main opposition party SYRIZA released a statement asserting that "private data were being passed around for months among the Interior Ministry, ND, and at least one election candidate," questioning whether the email list had been leaked to other New Democracy candidates by the Interior Ministry. While the Interior Minister might not have been directly involved, SYRIZA claimed that "Kerameos did not have the guts to show up at the Committee on Institutions and Transparency."

The Socialist PASOK Party also demanded Kerameos' resignation, adding that the violation demonstrates the government as "incapable of fulfilling the self-evident, as proven by the high fines."
A recent data breach has reportedly compromised the personal information of Decathlon employees in Spain. The threat actor known as 888 has claimed responsibility for the Decathlon data leak, which allegedly involves a database containing sensitive details of 6,644 employees of the sporting goods retailer.
This database reportedly includes employees' email addresses, headquarters information, and transportation activity. The claim was disseminated through multiple posts on the social media platform X (formerly Twitter), which suggested that not only employee information but also potentially sensitive customer data may have been exposed. The threat actor also provided a sample of the leaked Decathlon database.

Earlier this month, a significant data breach involving Decathlon in Spain was made public, with the compromised data published on a popular hacking forum and raising concerns about the security of employee information.

(Images: Source: X)

As of the time of this writing, Decathlon has not issued an official statement regarding the alleged data breach. The Cyber Express has contacted the retailer for verification and will provide updates as soon as a response is received.

Decathlon Could Face Repercussions if Breach is Confirmed

Large retailers have a critical need for strong security measures. Data protection regulations such as the European Union's General Data Protection Regulation (GDPR) impose strict penalties on companies that fail to protect personal data. A confirmed breach could erode customer trust in Decathlon, potentially affecting its sales and market position, and could also expose the company to significant legal and financial penalties.

Stakeholders to Take Precautions

Following the allegations of the Decathlon data leak, the company's stakeholders, including customers, should take immediate steps to safeguard their personal information. This includes changing passwords for Decathlon accounts and for any other accounts that reuse the same password.
Additionally, customers should monitor bank and credit card statements closely for suspicious transactions, and be cautious of emails or messages that appear to come from Decathlon but may be phishing attempts exploiting the situation. As the situation unfolds, it remains to be seen how Decathlon will address the allegations. The company needs to conduct a comprehensive investigation to determine the scope of any breach and implement stronger controls to prevent similar incidents. In the meantime, customers and stakeholders will be looking for updates and reassurance from Decathlon.

Second Major Decathlon Data Leak After 2021

This is not the first time Decathlon has been in the firing line over a data breach. A leak of data on around 8,000 Decathlon employees worldwide was first discovered and reported in 2021; the personal information of these employees was later shared on the dark web and reported again in October 2023. The revelation was made by the firm's research team, which found a forum post that surfaced on September 7, 2023. The poster uploaded a 61 MB database purportedly linked to Decathlon which, according to the post, contained personally identifiable information (PII) of approximately 8,000 Decathlon employees. The exposed data reportedly included full names, usernames, phone numbers, email addresses, countries and cities of residence, authentication tokens, and even photographs. The leak also included information from Bluenove, a technology and consulting firm.
The notorious ransomware gang RansomHub has claimed responsibility for a recent cyberattack on Christie's auction house that disrupted its website just days before its marquee spring sales, and has leaked data to back up its claims. The group posted a message on its dark web leak site claiming to have gained access to
compromised information about the world's wealthiest art collectors. Christie's officials downplayed the seriousness of the breach, however, and said that no financial or transactional data was compromised in the attack.

RansomHub Claims Cyberattack on Christie's Auction House

The attack, which occurred two weeks ago, brought down Christie's official website, forcing the auction house to switch to an alternative domain to reach potential buyers and sellers ahead of its highly anticipated spring sales, which the company announced would proceed despite the setback. The sales were scheduled across multiple locations including New York and Geneva and were estimated to fetch 850 million dollars.

The RansomHub ransomware gang has now claimed responsibility on its leak site, stating that it compromised about 2GB of data from the auction giant during its initial network intrusion. The details were said to include BirthPlace, MRZFull, DocumentNumber, BirthDate, ExpiryDate, FirstName, LastName, IssueDate, IssuingAuthority, DocumentCategory, DocumentType and NationalityName, field names consistent with scanned identity documents (the MRZ is the machine-readable zone of a passport).

(Image: Source: X.com, @AlvieriD)

The group said it had attempted to reach a "reasonable solution," but that Christie's had ceased communications midway and failed to pay the demanded ransom. The group shared an alleged sample of the stolen data.

(Image: Source: X.com, @AlvieriD)

The hackers warned that Christie's would face heavy fines under the EU's General Data Protection Regulation (GDPR) as well as reputational damage among its clients. GDPR requires organizations that handle EU residents' personal data to notify the supervisory authority of a breach, generally within 72 hours of becoming aware of it, and non-compliance can lead to fines of up to 20 million euros (roughly $22 million) or 4% of global annual turnover, whichever is higher.
Cybersecurity experts describe RansomHub as a powerful ransomware group with possible ties to ALPHV, a network of Russian-speaking extortionists.

Christie's Auction House Downplays Data Leak

Christie's acknowledged the cyberattack and unauthorized access, with spokesman Edward Lewine stating that the auction house is investigating the incident. Preliminary findings indicate that the hackers obtained a limited amount of personal client data but did not compromise financial or transactional records. Christie's CEO Guillaume Cerutti also stated in a recent interview with CNBC that there was no evidence any transaction or financial data had been impacted or leaked.

The company had earlier appeared to downplay the incident, describing it as a "technology security incident." Employees privately reported a sense of panic, however, with little information shared by top leadership. Several prominent buyers and sellers also told the New York Times that they were in the dark about the impact and were not alerted to the hack until a reporter reached out to them. Lewine stated that the auction house is now notifying privacy regulators and government agencies and will notify affected clients shortly.

Despite the attack, the spring sales concluded with $528 million in revenue, suggesting the incident did not significantly deter bidding. Following the sales, Christie's regained control of its website.
Check Point researchers have observed a surge in threat actor groups targeting remote-access VPN environments as an entry point into enterprise networks. In response, Check Point has been monitoring unauthorized access attempts on Check Point VPNs and has released a preventative
solution to address the issue. While the researchers suggested that the problem is broader than Check Point VPNs, the fix applies solely to Check Point environments.

Identification of Unauthorized Access Attempts to Check Point VPN

On May 24, Check Point identified a small number of login attempts using old VPN local accounts that relied on an unrecommended password-only authentication method. The company assembled special teams of Incident Response, Research, Technical Services, and Products professionals to investigate these attempts and any potentially related incidents. Within 24 hours, the teams identified several customers who had been subject to similar attempts and notified them.

The teams consider password-only authentication insecure and more susceptible to compromise of network infrastructure, and recommend against relying solely on it when logging into network infrastructure. They advised the following preventative measures:

- Review and disable unused local accounts.
- Add an additional layer of authentication, such as certificates, to password-only accounts.
- Deploy additional solutions on Security Gateways to automatically block unauthorized access.
- Contact the Check Point technical support team or a local representative for further guidance and assistance.

Where unauthorized access attempts are suspected, Check Point recommends that organizations analyze all remote access connections of local accounts with password-only authentication, review connection logs from the past three months, and verify that the user details, time, source IP address, client name, OS name, and application are consistent with the configured users and business needs. Check Point has also released a hotfix to prevent users with password-only authentication from connecting to Security Gateways.
After the hotfix is applied, local accounts with password-only authentication will be prevented from logging into the Check Point Remote Access VPN. If any connections or users cannot be validated, Check Point advises invoking the incident response playbook or contacting Check Point Support or a local Check Point representative. The company stated that it had witnessed the compromise of several VPN solutions, including those of various cybersecurity vendors.

Implementing Check Point VPN Hotfix

Check Point released a script to identify potential risk of compromise in its VPN environment. Enterprises can download the VPNcheck_v2.zip archive and follow the steps on the solution page. If the script identifies local accounts with password-only authentication, administrators can proceed with installation of the Security Gateway Hotfix, which is available via the Check Point Upgrade Service Engine (CPUSE) or by manual download.

The hotfix adds a new command, blockSFAInternalUsers, to the Security Gateway, allowing administrators to block or permit access for internal users with password-only authentication. The default setting blocks internal users from connecting with password-only authentication. After the hotfix is installed, any attempt to connect using password-only authentication is blocked and recorded in the security log as a failed attempt.

As remote work and online threats grow, organizations must prioritize stronger VPN authentication methods while monitoring for unauthorized access attempts. Failure to do so can lead to compromised network infrastructure or assets, data breaches, and significant financial and reputational damage.
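The Check Point advice above amounts to a triage procedure: pull three months of remote-access connections for local accounts, isolate the password-only logins, and check each against the users, source networks and clients the business actually expects. The script below is an added example of that procedure and is not Check Point's VPNcheck script; the CSV log layout, the field names, the sample records and the "business context" sets are all constructed for illustration, since the page does not reproduce Check Point's real log format.

```python
"""Triage remote-access VPN connection logs for password-only local accounts.

Added example for this page: it is not Check Point's VPNcheck script and does not use
Check Point's real log format. The CSV layout, field names, sample records and the
"business context" sets below are all constructed for illustration.
"""
import csv
import io
import ipaddress
from datetime import datetime, timedelta

# Constructed sample log: one record per connection of a gateway-defined local account.
SAMPLE_LOG = """\
time,user,auth,src_ip,client,os
2024-05-20T08:02:11Z,jsmith,certificate,203.0.113.10,Endpoint Security VPN,Windows 11
2024-05-22T23:41:07Z,backup_ro,password,198.51.100.7,OpenVPN-compat,Linux
2024-05-24T03:12:55Z,svc_legacy,password,192.0.2.44,Unknown,Unknown
2024-05-24T09:30:00Z,mlee,password,203.0.113.22,Endpoint Security VPN,macOS 14
2024-01-15T10:00:00Z,old_admin,password,192.0.2.9,Unknown,Unknown
"""

# Context the reviewer supplies from the configured users and business needs (constructed).
ACTIVE_USERS = {"jsmith", "mlee"}                        # local accounts still meant to be in use
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # where legitimate users connect from
KNOWN_CLIENTS = {"Endpoint Security VPN"}                # client names the organization deploys


def parse_log(text):
    """Parse the constructed CSV into dicts with a datetime 'time' field."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["time"] = datetime.strptime(row["time"], "%Y-%m-%dT%H:%M:%SZ")
    return rows


def in_trusted_net(ip_text):
    addr = ipaddress.ip_address(ip_text)
    return any(addr in net for net in TRUSTED_NETS)


def triage(rows, now_iso, lookback_days=90):
    """Apply the advisory's checks to password-only logins within the lookback window.

    Returns (findings, stale_accounts): findings is a list of (user, time, src_ip, reasons)
    for every password-only login in the window; stale_accounts lists password-only
    accounts that authenticated but are not in the active-user list, the first
    candidates for "review and disable unused local accounts".
    """
    now = datetime.strptime(now_iso, "%Y-%m-%dT%H:%M:%SZ")
    cutoff = now - timedelta(days=lookback_days)
    findings = []
    seen_password_users = set()
    for row in rows:
        if row["time"] < cutoff or row["auth"] != "password":
            continue  # outside the window, or certificate-backed: not in scope here
        seen_password_users.add(row["user"])
        reasons = ["password-only authentication"]
        if row["user"] not in ACTIVE_USERS:
            reasons.append("account not in active-user list")
        if not in_trusted_net(row["src_ip"]):
            reasons.append("source IP outside trusted networks")
        if row["client"] not in KNOWN_CLIENTS:
            reasons.append("unfamiliar client name")
        if row["os"] == "Unknown":
            reasons.append("OS not reported")
        findings.append((row["user"], row["time"].isoformat(), row["src_ip"], reasons))
    stale_accounts = sorted(seen_password_users - ACTIVE_USERS)
    return findings, stale_accounts


def needs_incident_response(findings):
    """Per the advisory, anything that cannot be validated goes to the IR playbook.
    Here "cannot be validated" means at least one reason beyond the weak auth method."""
    return [f for f in findings if len(f[3]) > 1]


if __name__ == "__main__":
    found, stale = triage(parse_log(SAMPLE_LOG), "2024-05-28T00:00:00Z")
    for user, when, ip, why in found:
        print(f"{when} {user:<11} {ip:<15} {'; '.join(why)}")
    print("stale password-only accounts to disable:", stale)
    print("escalate to IR:", [f[0] for f in needs_incident_response(found)])
```

Run against the constructed sample with a 90-day window, the mlee login is flagged only for its authentication method (the user, network and client all check out), while backup_ro and svc_legacy trip several checks and are the ones to hand to incident response. The old_admin record falls outside the window and is ignored; widening the window to 180 days brings it back, which is why the advisory's three-month figure should be treated as a minimum rather than a limit.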
In a recent disclosure by ONEKEY Research Lab, a critical vulnerability in the TP-Link Archer C5400X gaming router was exposed that leads to remote command execution. The Archer C5400X is a gaming router with integrated malware defense and compatibility with Alexa voice commands and IFTTT applets. This
TP-Link Archer C5400X vulnerability, tracked as CVE-2024-5035, was rooted in command injection, a format string vulnerability, and buffer overflows in components such as rftest and libshared. Known to affect firmware versions before 1_1.1.7, it posed a grave risk to users, potentially allowing malicious actors to execute arbitrary commands remotely with elevated privileges. While the format string vulnerability requires specific conditions to exploit, the disclosure centered on the rftest binary, which is integral to the device's wireless functionality. TP-Link fixed the vulnerability in firmware version 1_1.1.7.

The Timeline of TP-Link Archer C5400X Vulnerability Exposure

According to ONEKEY Research Lab, the vulnerability was initially reported on February 16, 2024, with a detailed report submitted to TP-Link's PSIRT. TP-Link opened a case on February 19.

(Image: Source: ONEKEY)

After collaborative validation, TP-Link shared a beta version of 1.1.7p1 on April 10 for further testing, and ONEKEY confirmed the fix and published its advisory on May 27, 2024.

The flaw left the router susceptible to remote command execution, granting unauthorized users the ability to run arbitrary commands on the device and posing a risk to users' data and network integrity. "It seems the need to provide a wireless device configuration API at TP-Link had to be answered either fast or cheap, which ended up with them exposing a supposedly limited shell over the network that clients within the router could use as a way to configure wireless devices," said ONEKEY in the advisory.
Understanding the TP-Link Archer C5400X Vulnerability

(Image: Source: TP-Link)

Central to the vulnerability is the rftest binary, launched during the device's initialization sequence. The binary, responsible for wireless interface self-test, inadvertently exposes a network service vulnerable to unauthenticated command injection. Attackers can leverage this to remotely execute commands with elevated privileges, potentially compromising the device and the network it serves.

To mitigate the risk, users are strongly advised to upgrade their devices to version 1_1.1.7. TP-Link's fix prevents command injection through shell meta-characters. Users should nonetheless stay vigilant and keep their devices up to date with the latest firmware releases to guard against emerging threats.

Exposing Recent Vulnerabilities in Routers

The Archer C5400X flaw is only the latest router vulnerability to draw attention. Previously, CISA flagged two end-of-life D-Link routers, adding the flaws to its Known Exploited Vulnerabilities catalog. The vulnerabilities, CVE-2014-100005 and CVE-2021-40655, affected three products, the DIR-600, DIR-605, and DIR-605L, and allowed unauthorized configuration changes and theft of usernames and passwords. The Cyber Security Agency of Singapore also highlighted the two vulnerabilities, stating that the mitigation strategy is to "retire and replace their devices with products that are supported by the manufacturer."
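The rftest weakness described above, a network-facing "limited shell" that pastes client input into a system command, and the fix the article attributes to TP-Link, blocking shell meta-characters, are a textbook pair. The block below is an added example of that pattern and its hardening; it is not the rftest code from the Archer C5400X firmware and reproduces no vendor detail. The verb names, the argument format and the use of `echo` as the program behind each verb are assumptions chosen so the injection is harmless and runs on any system with /bin/sh.

```python
"""Command injection through shell metacharacters: the vulnerable and the hardened pattern.

Added example for this page. It is not the rftest code from the Archer C5400X firmware
and reproduces no vendor detail: the verb names, the argument format, and the use of
`echo` as the program behind each verb are assumptions chosen so the demonstration is
harmless and runs on any system with /bin/sh.
"""
import re
import shlex
import subprocess

# Hypothetical wireless-configuration verbs the network service accepts (assumption),
# each mapped to the argv prefix that should run. `echo` stands in for the real tool.
VERBS = {
    "wl_status": ["echo", "wl_status"],
    "wl_set": ["echo", "wl_set"],
}

# Characters a POSIX shell interprets; any of them in an argument means the request
# is not plain data and must be refused.
SHELL_META = re.compile(r"[;&|`$<>(){}\\\n\r\"'*?~#!]")

# Interface-style tokens only: letters, digits, '.', '_', '-', '=' (assumption about the API).
SAFE_ARG = re.compile(r"^[A-Za-z0-9._=-]+$")


def vulnerable_dispatch(request: str) -> str:
    """The pattern the advisory describes: network input is pasted into a shell command.

    'wl_status wlan0; id' becomes 'echo wl_status wlan0; id' and the shell runs `id`.
    """
    verb, _, args = request.partition(" ")
    if verb not in VERBS:
        return "unknown verb"
    command_line = " ".join(VERBS[verb]) + " " + args
    result = subprocess.run(command_line, shell=True, capture_output=True, text=True)
    return result.stdout


def hardened_dispatch(request: str) -> str:
    """The fixed pattern: refuse shell metacharacters, allowlist the argument shape,
    and exec an argv list so no shell ever parses the request."""
    verb, _, args = request.partition(" ")
    if verb not in VERBS:
        return "unknown verb"
    if SHELL_META.search(args):
        return "rejected: shell metacharacter in argument"
    tokens = shlex.split(args)
    if not all(SAFE_ARG.match(tok) for tok in tokens):
        return "rejected: argument outside allowed character set"
    result = subprocess.run(VERBS[verb] + tokens, capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    payload = "wl_status wlan0; echo INJECTED"
    print("vulnerable:", repr(vulnerable_dispatch(payload)))
    print("hardened:  ", repr(hardened_dispatch(payload)))
    print("legitimate:", repr(hardened_dispatch("wl_set ssid=lab channel=6")))
```

The metacharacter check is the part the article says TP-Link added, and on its own it is a denylist that depends on nobody having missed a character. The change that actually removes the bug class is the last line of `hardened_dispatch`: the request is split into an argv list and executed without a shell, so even an argument that slips past both regexes is passed to the program as data rather than interpreted as a command.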
The notorious LockBit ransomware group has claimed an alleged cyberattack on Allied Telesis, Inc., a prominent American telecommunications equipment supplier. The purported Allied Telesis data breach involves the infiltration of the company's systems by the ransomware group, which is known for its sophisticated cyber operations.
The claimed breach, dated May 27, 2024, suggests that sensitive data about the organization was exposed. However, the claims have not been verified, and neither has the sample data posted by the threat actor.

Alleged Allied Telesis Data Breach Exposes Sensitive Information

The information supposedly exfiltrated includes confidential project details dating back to 2005, passport information, and various product specifications. As proof of intrusion, the threat actors purportedly disclosed blueprints, passport details, and confidential agreements, and set a deadline of June 3, 2024, for release of the full data set.

(Image: Source: Dark Web)

Despite the gravity of the allegations, Allied Telesis has yet to confirm or deny the purported cyberattack. The Cyber Express reached out to the company for clarification, but as of this writing no official statement has been issued, so the authenticity of the alleged breach remains unverified.

The timing of the allegations coincides with organizational changes at Allied Telesis. On May 27, 2024, the company reportedly relocated its China branch to a new address, and it recently re-appointed Jon Wilner as Vice President of Customer Success. Nothing currently ties these changes to the alleged breach.

Collaborative Ventures Amid Uncertainty

Amid the alleged breach, Allied Telesis has been actively engaged in strategic partnerships aimed at upgrading its security offerings. Just last month, the company announced a collaboration with Hanwha Vision America, integrating video surveillance technology with its networking infrastructure.
The alliance aims to deliver secure and scalable surveillance solutions to organizations seeking enhanced security measures. Key highlights of the partnership include interoperability, enhanced security features, scalability, and simplified management of surveillance systems. By combining Allied Telesis' expertise in secure networking with Hanwha Vision America's surveillance technology, customers can expect solutions tailored to their security needs.

While the motives behind the alleged attack on Allied Telesis remain unclear, previous law enforcement action against LockBit illustrates how seriously the group is regarded. Agencies have taken down servers associated with LockBit operations, seizing admin panel credentials, affiliate network information, and cryptocurrency transaction records.
At the recent I/O 2024 developer conference in California, Google presented the second beta version of its Android 15 operating system, codenamed Vanilla Ice Cream. The company also gave a closer look at the new security and privacy features coming with the update. While the final release of Android 15 is still
a few months away, slated for the third quarter of 2024, we can already explore the new security features the operating system has in store for Android users.

AI-powered smartphone theft protection

The most significant security upgrade (but by no means the only one) is a suite of features designed to protect against theft of the smartphone and the user data on it. Google plans to make some of these features available not only in Android 15 but also on older versions of the operating system (starting with Android 10) through service updates.

First up is factory reset protection. To stop thieves from wiping a stolen phone and quickly selling it, Android 15 will let you set up a lock that prevents resetting the device without the owner's password.

Android 15 will also introduce a so-called private space for apps. Apps such as banking apps or instant messengers can be hidden and protected with an additional PIN code, preventing thieves from accessing sensitive data.

(Image: Android 15 will feature a private space to hide and protect selected apps with a separate PIN code)

Google also plans to add protection for the most critical settings in case a thief gets hold of an unlocked smartphone. Disabling Find My Device or changing the screen lock timeout will require authentication with a PIN, password, or biometrics. And there will be protection against thieves who have snooped on or otherwise obtained the PIN code: accessing critical settings such as changing the PIN, disabling anti-theft, or using passkeys will require biometric authentication. According to Google, this settings protection will be available on some devices later this year.

Additional anti-theft features in Android

Now let's turn to the features that will be available not only in Android 15 but also in versions 10 and above. First, there's AI-powered, accelerometer-based automatic screen locking.
The screen will lock automatically if the system detects movements characteristic of someone snatching the phone and quickly running or driving away.

(Image: Android will automatically lock if it detects movement patterns indicative of smartphone theft)

Additionally, the smartphone will lock automatically if a thief keeps it disconnected from the internet for a long time. Automatic locking can also be set for other situations, for example after a significant number of unsuccessful authentication attempts. Finally, Android will offer remote locking, allowing you to lock the phone's screen from another device.

(Image: Smartphones can also be remotely locked)

Protection of personal data when screen sharing and recording

Android 15 also focuses on protecting user data from scams such as fake tech support. Attackers may ask the user to share their screen (or record their actions and send a video) and instruct them to perform dangerous actions such as logging in to an account. This way, scammers can obtain login credentials, financial data, and other valuable information.

First, screen sharing in Android 15 will by default share only the specific app the user is interacting with, not the system interface (such as the status bar and notifications, which may contain personal information). Switching to full-screen sharing will still be possible if needed.

(Image: Android 15 will hide notification content during screen sharing)

Second, regardless of the screen sharing mode, the system will only display notification content if the app developer has provided a special public version of it. Otherwise the content will be hidden.

Third, Android 15 will automatically detect and hide windows that contain one-time passwords. If a user opens an app window with a one-time password (for example, Messages) while sharing or recording their screen, the window contents won't be displayed.
Additionally, Android 15 will automatically hide login, password, and card data entered during screen sharing.

(Image: During screen sharing, Android 15 will automatically detect and hide windows containing one-time passwords)

These measures protect not only against attackers specifically targeting user data, but also against accidental disclosure of personal information during screen sharing or recording.

Enhanced Restricted Settings

We've already discussed the so-called Restricted Settings that Android has featured from version 13 onward. This is additional protection against misuse of two potentially dangerous capabilities: access to notifications and Accessibility services. You can read about the risks associated with these features in our earlier article on the subject. Briefly, the idea is that Restricted Settings prevent users from granting these permissions to apps not downloaded from the app store.

(Image: When a user tries to grant dangerous permissions to an app downloaded from outside the store, a window titled Restricted Settings appears)

Unfortunately, in both Android 13 and 14 this protective mechanism is easy to bypass. The problem is that the system decides whether an app came from the store by looking at the method used to install it. A malicious app downloaded from any source using a non-store install method can therefore install a second malicious app using the store-style method. As a result of this two-step process, the second app is no longer treated as risky, is not subject to the restrictions, and can both request and obtain access to notifications and Accessibility services.

In Android 15, Google plans to use a slightly different mechanism called Enhanced Confirmation Mode. From the user's perspective nothing changes; the interface works as before.
However, under the hood, instead of checking the app's installation method, the mechanism will consult an XML file built into the operating system that lists trusted installers. Simply put, Google is going to hardcode a list of safe sources for downloading apps. Apps downloaded from elsewhere will automatically be blocked from accessing notifications and Accessibility services. Whether this closes the loophole, we'll find out after the official release of Android 15.

Protecting one-time codes in notifications

In addition to the improved Restricted Settings, Android 15 will add protection against apps intercepting one-time passwords via access to other apps' notifications. Here's how it works: when an app requests access to a notification, the operating system analyzes the notification and removes the one-time password from its contents before passing it on. However, some app categories, for example wearable companion apps connected through the Companion Device Manager, will still receive the full content of notifications, so malware authors may be able to exploit this exception to keep intercepting one-time passwords.

Warnings about insecure cellular networks

Android 15 will also introduce features to protect against attackers who use malicious cellular base stations to intercept data or spy on smartphone owners. First, the operating system will warn users if their cellular connection is unencrypted, meaning their calls and text messages could be intercepted in plain text.

(Image: Android 15 will warn about insecure cellular connections)

Second, Android 15 will notify users if a malicious base station or specialized tracking device is recording their location using their device identifiers (IMSI or IMEI). To do this, the operating system will monitor requests from the cellular network for these identifiers. Note that both functions must be supported by the smartphone's hardware.
They are therefore unlikely to appear on older devices upgraded to Android 15, and even among new models shipping with Vanilla Ice Cream probably not all will support them; it will be up to the smartphone manufacturers whether to implement these functions.

New app protection features

Next up in the Android 15 security enhancements are improvements to the Play Integrity API. This service lets Android app developers identify fraudulent activity within their apps, as well as situations where the user is at risk, and apply additional security measures in such cases. In particular, in Android 15 app developers will be able to check whether another app is running simultaneously and recording the screen, displaying its windows on top of their app's interface, or controlling the device on behalf of the user. If such threats are detected, developers can, for example, hide certain information or warn the user.

(Image: Play Integrity API enables app developers to detect malicious activity and take steps to mitigate threats)

Developers will also be able to check whether Google Play Protect is running on the device and whether any known malware has been detected on it. Again, if a threat is detected, the app can restrict certain actions, request additional confirmation from the user, and so on.

On-device Google Play Protect

Finally, another security innovation in Android 15 is that Google Play Protect will operate not only within the official Google Play store but also directly on user devices. Google calls this live threat detection. The operating system, with the help of AI, will analyze app behavior, in particular the use of dangerous permissions and interaction with other apps and services. If potentially dangerous behavior is detected, the app will be sent to Google Cloud for review.

(Image: Unsafe app warning from Google Play Protect)

Does this mean you can now ditch your third-party antivirus for Android?
Not so fast, tiger. Ultimately, the effectiveness of anti-malware protection depends on how thoroughly a vendor can search for and study new threats. Automation is certainly important here, which is why we started using machine learning for threat research many years ago, long before it became trendy. But the work of human experts is equally crucial, and on this score, as numerous cases of malware infiltrating Google Play demonstrate, Google is still not doing so well, often lacking the resources to solve the problem.

Therefore, we recommend using a comprehensive security solution on all your Android devices, including those running Android 15. It will complement the new privacy and security features. Moreover, much of what will only be introduced in the upcoming update, for example theft protection, finding your device, or protecting individual apps with a PIN, we implemented long ago and support even on older versions of Android. Check out this detailed review of the most interesting features in Kaspersky: Antivirus & VPN. You can also set up your Android privacy and security settings using the Privacy Checker.
The U.S. Department of the Treasury today unveiled sanctions against three Chinese nationals for allegedly operating 911 S5, an online anonymity service that for many years was the easiest and cheapest way to route one's Web traffic through malware-infected computers around the globe. KrebsOnSecurity identified
one of the three men in a July 2022 investigation into 911 S5, which was massively hacked and then closed ten days later. The 911 S5 botnet-powered proxy service, circa July 2022. From 2015 to July 2022, 911 S5 sold access to hundreds of thousands of Microsoft Windows computers daily, as “proxies” that allowed customers to route their Internet traffic through PCs in virtually any country or city around the globe — but predominantly in the United States. 911 built its proxy network mainly by offering “free” virtual private networking (VPN) services. 911’s VPN performed largely as advertised for the user — allowing them to surf the web anonymously — but it also quietly turned the user’s computer into a traffic relay for paying 911 S5 customers. 911 S5’s reliability and extremely low prices quickly made it one of the most popular services among denizens of the cybercrime underground, and the service became almost shorthand for connecting to that “last mile” of cybercrime. Namely, the ability to route one’s malicious traffic through a computer that is geographically close to the consumer whose stolen credit card is about to be used, or whose bank account is about to be emptied. In July 2022, KrebsOnSecurity published a deep dive into 911 S5, which found the people operating this business had a history of encouraging the installation of their proxy malware by any means available. That included paying affiliates to distribute their proxy software by secretly bundling it with other software. A cached copy of flashupdate dot net, a pay-per-install affiliate program that incentivized the silent installation of 911’s proxy software. That story named Yunhe Wang from Beijing as the apparent owner or manager of the 911 S5 proxy service. In today’s Treasury action, Mr. Wang was named as the primary administrator of the botnet that powered 911 S5. 
“A review of records from network infrastructure service providers known to be utilized by 911 S5 and two Virtual Private Networks (VPNs) specific to the botnet operation (MaskVPN and DewVPN) showed Yunhe Wang as the registered subscriber to those providers’ services,” reads the Treasury announcement.

The sanctions say Jingping Liu was Yunhe Wang’s co-conspirator in the laundering of criminally derived proceeds generated from 911 S5, mainly virtual currency. The government alleges the virtual currencies paid by 911 S5 users were converted into U.S. dollars using over-the-counter vendors who wired and deposited funds into bank accounts held by Liu.

“Jingping Liu assisted Yunhe Wang by laundering criminally derived proceeds through bank accounts held in her name that were then utilized to purchase luxury real estate properties for Yunhe Wang,” the document continues. “These individuals leveraged their malicious botnet technology to compromise personal devices, enabling cybercriminals to fraudulently secure economic assistance intended for those in need and to terrorize our citizens with bomb threats.”

The third man sanctioned is Yanni Zheng, a Chinese national the U.S. Treasury says acted as an attorney for Wang and his firm — Spicy Code Company Limited — and helped to launder proceeds from the business into real estate holdings. Spicy Code Company was also sanctioned, as well as Wang-controlled properties Tulip Biz Pattaya Group Company Limited, and Lily Suites Company Limited.

Ten days after the July 2022 story here on 911 S5, the proxy network abruptly closed up shop, citing a data breach that destroyed key components of its business operations. In the months that followed, however, 911 S5 would resurrect itself under a different name: Cloud Router. That’s according to spur.us, a U.S.-based startup that tracks proxy and VPN services.
In February 2024, Spur published research showing the Cloud Router operators reused many of the same components from 911 S5, making it relatively simple to draw a connection between the two.

The Cloud Router homepage, which according to Spur has been unreachable since this past weekend.

Spur found that Cloud Router was being powered by a new VPN service called PaladinVPN, which made it much more explicit to users that their Internet connections were going to be used to relay traffic for others. At the time, Spur found Cloud Router had more than 140,000 Internet addresses for rent.

Spur co-founder Riley Kilmer said Cloud Router appears to have suspended or ceased operations sometime this past weekend. Kilmer said the number of proxies advertised by the service had been trending downwards quite recently before the website suddenly went offline. Cloud Router’s homepage is currently populated by a message from Cloudflare saying the site’s domain name servers are pointing to a “prohibited IP.”
The committee is being set up as the ChatGPT creator begins to train its latest large language model, GPT-5, which will reach "a new level of capabilities."
According to the new update, threat actors exploited zero-day flaws in Ivanti Connect Secure (ICS) and created rogue virtual machines (VMs) within the organization’s VMware environment.
The augmentations concern the Border Gateway Protocol, a backbone routing protocol that determines the path data packets take across networks, said National Cyber Director Harry Coker.
When DDNS is combined with automatic TLS certificate generation using ACME clients, the public Certificate Transparency logs can be abused by attackers to find vulnerable devices en masse.
While fears of cyberattacks continue to rise, CISOs demonstrate increasing confidence in their ability to defend against these threats, reflecting a significant shift in the cybersecurity landscape, according to Proofpoint.
One campaign uses HTML smuggling to hide the phishing content from network inspection. The other uses a method called transparent phishing, where the attacker uses Cloudflare Workers to act as a reverse proxy server for a legitimate login page.
The Ransomhub ransomware group’s modus operandi involves encrypting data and leveraging access to SCADA systems to disrupt essential functions, as evidenced in their recent breach.
SmokeLoader acts as a loader for other malware: once executed, it injects malicious code into the currently running Explorer process (explorer.exe) and downloads another payload to the system.
Security updates have been promptly released to address these critical vulnerabilities in multiple WordPress plugins. SingCERT reported 9 critical plugin vulnerabilities and shared mitigation strategies to avoid exploitation by threat actors.
As digital transformation accelerates, understanding how businesses are preparing for and implementing digital ID technologies is crucial for staying ahead in security and efficiency, according to Regula.
Eclipse ThreadX versions prior to 6.4.0 suffer from a missing array size check causing a memory overwrite, missing parameter checks leading to integer wraparound, under-allocations, heap buffer overflows, and more.
Ubuntu Security Notice 6793-1 - It was discovered that Git incorrectly handled certain submodules. An attacker could possibly use this issue to execute arbitrary code. This issue was fixed in Ubuntu 22.04 LTS, Ubuntu 23.10 and Ubuntu 24.04 LTS. It was discovered that Git incorrectly handled certain cloned repositories. An attacker could possibly use this issue to execute arbitrary code.
Ubuntu Security Notice 6791-1 - It was discovered that Unbound could take part in a denial of service amplification attack known as DNSBomb. This update introduces certain resource limits to make the impact from Unbound significantly lower.
Siemens CP-XXXX Series (CP-2014, CP-2016, CP-2017, CP-2019, CP-5014) expose serial shells on multiple PLCs. A serial interface can be accessed with physical access to the PCB. After connecting to the interface, access to a shell with various debug functions as well as a login prompt is possible. The hardware is no longer produced nor offered to the market.
Ubuntu Security Notice 6790-1 - It was discovered that amavisd-new incorrectly handled certain MIME email messages with multiple boundary parameters. A remote attacker could possibly use this issue to bypass checks for banned files or malware.
Ubuntu Security Notice 6789-1 - Amel Bouziane-Leblond discovered that LibreOffice incorrectly handled graphic on-click bindings. If a user were tricked into clicking a graphic in a specially crafted document, a remote attacker could possibly run arbitrary script.
Ubuntu Security Notice 6788-1 - Several security issues were discovered in the WebKitGTK Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.
Ubuntu Security Notice 6786-1 - It was discovered that Netatalk did not properly protect an SMB and AFP default configuration. A remote attacker could possibly use this issue to execute arbitrary code.
Ubuntu Security Notice 6673-3 - USN-6673-1 provided a security update for python-cryptography. This update provides the corresponding update for Ubuntu 24.04 LTS. It was discovered that python-cryptography incorrectly handled memory operations when processing mismatched PKCS#12 keys. A remote attacker could possibly use this issue to cause python-cryptography to crash, leading to a denial of service. This issue only affected Ubuntu 23.10.
Red Hat Security Advisory 2024-3369-03 - An update is now available for Red Hat OpenShift GitOps v1.10.6 to address CVE-2024-31989: an unprivileged pod in a different namespace on the same cluster could connect to the Redis server on port 6379. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link in the References section.
Red Hat Security Advisory 2024-3368-03 - An update is now available for Red Hat OpenShift GitOps v1.12.3 to address CVE-2024-31989: an unprivileged pod in a different namespace on the same cluster could connect to the Redis server on port 6379. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link in the References section.
Unknown threat actors are abusing lesser-known code snippet plugins for WordPress to insert malicious PHP code in victim sites that are capable of harvesting credit card data. The campaign, observed by Sucuri on May 11, 2024, entails the abuse of a WordPress plugin called Dessky Snippets, which allows users to add custom PHP code. It has over 200 active installations.
A maximum-severity security flaw has been disclosed in the TP-Link Archer C5400X gaming router that could lead to remote code execution on susceptible devices by sending specially crafted requests. The vulnerability, tracked as CVE-2024-5035, carries a CVSS score of 10.0. It impacts all versions of the router firmware including and prior to 1_1.1.6. It has 
An Indian national has pleaded guilty in the U.S. over charges of stealing more than $37 million by setting up a website that impersonated the Coinbase cryptocurrency exchange platform. Chirag Tomar, 30, pleaded guilty to wire fraud conspiracy, which carries a maximum sentence of 20 years in prison and a $250,000 fine. He was arrested on December 20, 2023, upon entering the country. "Tomar and
You’re probably familiar with the term “critical assets”. These are the technology assets within your company's IT infrastructure that are essential to the functioning of your organization. If anything happens to these assets, such as application servers, databases, or privileged identities, the ramifications to your security posture can be severe. But is every technology asset considered
The threat actors behind the CatDDoS malware botnet have exploited over 80 known security flaws in various software over the past three months to infiltrate vulnerable devices and co-opt them into a botnet for conducting distributed denial-of-service (DDoS) attacks. "CatDDoS-related gangs' samples have used a large number of known vulnerabilities to deliver samples," the QiAnXin XLab team
Source: www.bleepingcomputer.com – Author: Bill Toulas The TP-Link Archer C5400X gaming router is vulnerable to security flaws that could enable an unauthenticated, remote attacker to execute commands on the device. The TP-Link Archer C5400X is a high-end tri-band gaming router designed to provide robust performance and advanced features for gaming and other demanding applications, and […] The post TP-Link fixes critical RCE bug in popular C5400X gaming router – Source: www.bleepingcomputer.com first appeared on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.bleepingcomputer.com – Author: Sergiu Gatlan Threat actors are targeting Check Point Remote Access VPN devices in an ongoing campaign to breach enterprise networks, the company warned in a Monday advisory. Remote Access is integrated into all Check Point network firewalls. It can be configured as a client-to-site VPN for access to corporate networks via VPN clients […] The post Hackers target Check Point VPNs to breach enterprise networks – Source: www.bleepingcomputer.com first appeared on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.bleepingcomputer.com – Author: Sergiu Gatlan A hacker has defaced the website of the pcTattletale spyware application, found on the booking systems of several Wyndham hotels in the United States, and leaked over a dozen archives containing database and source code data. As Vice reported three years ago, this stalkerware app was also found leaking real-time screenshots from Android […] The post Hacker defaces spyware app’s site, dumps database and source code – Source: www.bleepingcomputer.com first appeared on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.bleepingcomputer.com – Author: Sergiu Gatlan Microsoft says the Cortana, Tips, and WordPad applications will be automatically removed on systems upgraded to the upcoming Windows 11 24H2 release. This was shared in a Thursday blog announcing that Windows 11, version 24H2 (Build 26100.712) is now available for Insiders in the Release Preview Channel. The company […] The post Microsoft: Windows 24H2 will remove Cortana and WordPad apps – Source: www.bleepingcomputer.com first appeared on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.bleepingcomputer.com – Author: Mayank Parmar After an outage of over 24 hours, Microsoft’s Bing, Copilot, and Copilot in Windows services are back online worldwide, with no information released as to what caused the problem. The massive outage began around 3 AM EST on Thursday and mainly affected users in Asia and Europe, making it impossible for many to […] The post Microsoft Copilot fixed worldwide after 24 hour outage – Source: www.bleepingcomputer.com first appeared on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.bleepingcomputer.com – Author: Bill Toulas Post updated on 5/25 to add three more pharmaceutical firms also impacted by the Cencora security breach. Some of the largest drug companies in the world have disclosed data breaches due to a February 2024 cyberattack at Cencora, whom they partner with for pharmaceutical and business services. Cencora, formerly […] The post Cencora data breach exposes US patient info from 11 drug companies – Source: www.bleepingcomputer.com first appeared on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.bleepingcomputer.com – Author: Ionut Ilascu A new ransomware strain called ShrinkLocker creates a new boot partition to encrypt corporate systems using Windows BitLocker. ShrinkLocker, so named because it creates the boot volume by shrinking available non-boot partitions, has been used to target a government entity and companies in the vaccine and manufacturing sectors. Creating […] The post New ShrinkLocker ransomware uses BitLocker to encrypt your files – Source: www.bleepingcomputer.com first appeared on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.darkreading.com – Author: Alex Botting Alex Botting, Senior Director of Global Security and Technology Strategy, Venable & Coordinator of the Coalition to Reduce Cyber Risk May 21, 2024 Source: Skorzewiak via Alamy Stock Photo COMMENTARY Over the past decade, the digital trade policy community has been consumed by battles over data […] The post Can Cybersecurity Be a Unifying Factor in Digital Trade Negotiations? – Source: www.darkreading.com first appeared on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.darkreading.com – Author: Dark Reading Staff Source: MaximP via Shutterstock The Open Source Security Foundation (OpenSSF) has launched Siren, an email mailing list to share threat intelligence about vulnerabilities in open source software. Siren aims to “aggregate and disseminate threat intelligence” to provide real-time security warning bulletins and deliver a community-driven […] The post OpenSSF Siren to Share Threat Intelligence for Open Source Software – Source: www.darkreading.com first appeared on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.darkreading.com – Author: Grant Gross, Contributing Writer Source: Panther Media GmbH via Alamy Stock Photo In an era when chief information security officers (CISOs) can potentially face fraud charges following a security incident, it’s more important than ever that they develop good relationships with C-suite executives and corporate boards. Strong relationships with CEOs, chief […] The post Transforming CISOs Into Storytellers – Source: www.darkreading.com first appeared on CISO2CISO.COM & CYBER SECURITY GROUP.