Oktacron logo
Cyber security aggregate rss news

Cyber security aggregator - feeds history
image for Toshiba America Data ...

 Cybersecurity News

Toshiba America Business Solutions has reached out to customers to inform them of a potential data security incident that may have compromised some personal information. The company, an American subsidiary of the Toshiba TEC Corporation, also shared details of the attack with regulatory authorities. The company said   show more ...

it is committed to protecting the confidentiality and security of personal data, and offered credit monitoring services to affected individuals. Toshiba America Data Breach Toshiba's preliminary investigation revealed that an attacker may have compromised its email environment and obtained unauthorized access to sensitive personally identifiable information, including names and Social Security numbers. The breach impacted numerous individuals, prompting Toshiba to notify those affected by the incident. The company has urged customers to remain vigilant and regularly review their credit reports, financial account statements, and payment card statements for any unauthorized activity. Upon detection of unauthorized charges or activity, customers are advised to contact those providers immediately. Toshiba apologized for any inconvenience or concern that may stem from the incident and said additional measures have been implemented to enhance the security of its email environment to prevent similar occurrences in the future. To assist affected individuals in safeguarding their personal information, Toshiba has arranged for a complimentary, two-year membership of identity monitoring services through Kroll. The membership offer includes triple bureau credit monitoring, fraud consultation, and identity theft restoration. The fraud consultation option offers affected individuals unlimited access to a Kroll fraud specialist for advice and assistance in protecting their identity, understanding their legal rights, and investigating suspicious activity. The identity theft restoration option would provide individuals with the services of a licensed Kroll investigator working on the customer's behalf to resolve issues if they become a victim of identity theft. The services would be provided free to the affected individuals and would not negatively impact their credit scores. Affected individuals were encouraged to use the services as well as to contact Toshiba or Kroll for additional assistance. Law Firm Announces Investigation Strauss Borrelli PLLC, a data breach law firm, announced on its website that it would be investigating Toshiba American Business Solutions, Inc. with regard to the recent data breach that exposed sensitive personally identifiable information. While the full extent of the data breach is unknown, the Toshiba America Business Solutions division operates offices across the U.S. and Latin America. The law firm encouraged customers who received a breach notification letter from Toshiba American Business Solutions to contact Strauss Borrelli PLLC to discuss their rights and potential legal remedies in response to the incident. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

image for New ‘SpiderX’ Ra ...

 Firewall Daily

A threat actor known as "phant0m" is promoting a new Ransomware-as-a-Service (RaaS) on OnniForums, a notorious dark web forum. The new ransomware, named "SpiderX," is designed for Windows systems and boasts a suite of advanced features that make it a formidable successor to the previously infamous   show more ...

Diablo ransomware. Phant0m introduced SpiderX in a detailed post titled "Introduction to the SpiderX Ransomware," claiming that after months of development, this new ransomware is ready to take the place of Diablo. The post highlighted SpiderX's ransomware-enhanced capabilities and the improvements over its predecessor. Phant0m described SpiderX as incorporating all the features of Diablo, with additional functionalities designed to make it more effective and harder to detect and remove. After a few months of hard work, | would like to announce the release of my brand new Spiderx Ransomware. It will be the successor of my Diablo which served its purpose really well but itis finally time to upgrade things to a whole new level," reads the threat actor post. Key Features and Capabilities of SpiderX Ransomware SpiderX is written in C++, a choice that phant0m claims offers faster execution compared to other languages like C# and Python. This language choice, combined with the ransomware's small payload size (500-600 KB, including an embedded custom wallpaper), ensures quick and efficient deployment. ChaCha20-256 Encryption Algorithm: One of the standout features of SpiderX is its use of the ChaCha20-256 encryption algorithm. Known for its speed, this algorithm allows SpiderX to encrypt files much faster than the commonly used AES-256, thereby reducing the time it takes for the ransomware to render a victim's files inaccessible. Offline Functionality: Like Diablo, SpiderX does not require an internet connection to execute its primary functions. Once initiated, it can encrypt files on the victim’s computer and connect external devices (such as USB drives) without needing to communicate with a remote server. This makes SpiderX particularly stealthy and difficult to detect during its initial attack phase. Comprehensive Targeting: SpiderX extends its reach beyond the main user folders on the Windows drive. It targets all external partitions and drives connected to the system, ensuring comprehensive encryption. This includes USB drives and other external storage devices that may be connected post-attack, which will also be encrypted, amplifying the attack's impact. Built-in Information Stealer: A new feature in SpiderX is its built-in information stealer. Once the ransomware is executed, this component exfiltrates data from the target system, compresses it into a zip file, and uploads it to MegaNz, a file transfer and cloud storage platform. This stolen data can include sensitive information, which the attacker can then exploit or sell. The process is designed to leave no traces, covering its tracks to avoid detection. Persistence and Silent Operation: SpiderX is designed to be fully persistent, running silently in the background to continue encrypting any new files added to the system. This persistence ensures that the ransomware remains active even if the victim tries to use the system normally after the initial attack. [caption id="attachment_72924" align="aligncenter" width="1263"] Source: Dark Web[/caption] Marketed to Cybercriminals Phant0m is marketing SpiderX to other cybercriminals at a price of US$150, accepting payments in Bitcoin and Monero, which are favored for their anonymity. The affordable price and powerful features make SpiderX an attractive tool for malicious actors looking to carry out ransomware attacks with minimal effort. Implications and Threat Assessment The introduction of SpiderX on the dark web marks a significant escalation in the capabilities of ransomware available as a service. Its advanced features, such as the ChaCha20-256 encryption algorithm and built-in information stealer, coupled with its ability to operate offline, make it a highly effective and dangerous tool. The persistent nature of the ransomware and its comprehensive targeting of connected devices further increase its potential impact. As ransomware continues to evolve, tools like SpiderX represent a growing threat to cybersecurity. What is most concerning is the potential widespread use of SpiderX due to its low cost and high efficiency. The capabilities and ease of deployment of SpiderX ransomware highlight the need for vigilance and advanced security measures to protect against increasingly sophisticated cyber threats. Organizations and individuals are advised to enhance their cybersecurity measures, including regular data backups, updating software and systems, and employing enhanced security protocols to mitigate the risk of such attacks. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

image for Seattle Public Libra ...

 Firewall Daily

Amid the setbacks from the SPL cyberattack, the Seattle Public Library has managed to restore some digital services. Patrons can now access the event calendar and online versions of major newspapers like the New York Times, Wall Street Journal, and Washington Post. Additionally, Hoopla, a digital media borrowing   show more ...

service, is operational, though users may need to log out and back in or reinstall the app if they encounter issues. However, access to e-books remains disrupted. Patrons can choose to delay the delivery of their Libby holds, which offers a workaround to maintain access to held items when the service resumes fully. The Seattle Public Library (SPL) faced a ransomware attack that crippled its computer systems this week. On May 28, libraries across South Seattle were noticeably quiet, with signs informing patrons that all computer services were down. This included not only the physical computer terminals and printing services but also the in-building Wi-Fi, crucial for many library users. The SPL Cyberattack and Immediate Response The ransomware attack was detected early in the morning of Saturday, May 25, just one day before planned maintenance on a server over the Memorial Day weekend. The SPL cyberattack impacted several critical services, including staff and public computers, the online catalog and loaning system, e-books and e-audiobooks, and the library’s website. Upon discovering the attack, SPL quickly engaged third-party forensic specialists and contacted law enforcement. The library took all its systems offline to prevent further damage and assess the situation. “We are working as quickly and diligently as we can to confirm the extent of the impacts and restore full functionality to our systems,” library officials said. Ensuring the privacy and security of patron and employee information remains a top priority, and systems will stay offline until their security can be guaranteed. SPL officials have been transparent about the ongoing nature of the investigation and restoration efforts. Although they have not provided an estimated time for when all services will be fully restored, they have promised regular updates. “Securing and restoring our systems is where we are focused,” they emphasized, expressing regret for the inconvenience and thanking the community for its patience and understanding. The Broader Impact of Library Cyberattacks Ransomware attacks on public libraries have become increasingly common, posing severe operational challenges. The London Public Library's December attack forced the closure of three branches—Carpenter, Lambeth, and Glanworth—until January 2. This incident highlighted the vulnerability of public institutions to cyber threats and the significant disruption such attacks can cause to community services. Similarly, the National British Library faced a major outage in October 2023 that initially seemed like a technical glitch but rapidly escalated into a widespread disruption. This affected online systems, including the website and onsite services such as public Wi-Fi and phone lines. The library’s operational challenges were compounded by the extent of the services impacted, which underscored the critical nature of cybersecurity for public knowledge institutions. Moving Forward As SPL works to recover from the ransomware attack, the incident highlights the importance of enhanced cybersecurity measures for public libraries. These institutions are pivotal in providing access to information and services to the community, and disruptions can have far-reaching consequences. Library officials continue to prioritize restoring full functionality and ensuring the security of their systems. The community awaits further updates, hopeful for a swift resolution to regain full access to the valuable resources the Seattle Public Library offers. In the meantime, patrons are encouraged to use the limited digital services available and to stay informed through the library’s updates on their website and social media channels.

image for Malicious Firmware U ...

 Firewall Daily

In one of the largest mass bricking events in history, at least 600,000 routers belonging to subscribers of the same ISP service were essentially destroyed last October. The incident has been dubbed "Pumpkin Eclipse," with researchers still unclear on how the routers became infected. The affected devices   show more ...

displayed a steady red light and were unresponsive to troubleshooting attempts, and had to be replaced. Now new research is shedding light on the attack, which involved unusually sophisticated and stealthy attack methods. 'Pumpkin Eclipse' Router Attack The attack began on October 25, 2023, as the ISP's subscribers began reporting their ActionTec T3200 and Sagemcom routers had suddenly stopped working. Users described the devices as unresponsive, with a steady red light on the front panel. Many blamed the ISP for the mass "bricking" of the routers, alleging the company had pushed faulty firmware updates. However, according to new research by Black Lotus Labs, the incident was in fact the result of a deliberate, malicious act. The researchers reported that over a 72-hour period, a malware known as "Chalubo" had infected over 600,000 routers connected to a single autonomous system number (ASN) belonging to an unnamed ISP. While the researchers avoided naming the ISP affected in the attack, the description of the attack matches frustrations expressed months ago by subscribers of the Windstream ISP, such as the router affected and its resulting behavior. The Chalubo malware, a commodity remote access trojan (RAT) first identified in 2018, employed sophisticated tactics to cover its tracks. It removed all files from the infected devices' disks, ran entirely in memory, and assumed random process names already present on the routers. The researchers believe the malware downloaded and ran code that permanently overwrote the router's default device firmware, rendering them permanently inoperable. The researchers state that while the motives behind the attack are unknown, its implications are troubling. Researchers Unsure Over Initial Attack Vector but Theorize Possibilities Although the researchers identified the malware's multi-chain attack process and its spread across the ISP's network, they have been unable to determine the initial infection vector employed by the threat actor. They theorize that it could have possibly resulted from the exploit of an inherent vulnerability, exploit of weak credentials, or compromise of the routers' administrative panels. The researchers said the attack is highly concerning, as it represents a new precedent for malware capable of mass-bricking consumer networking devices. The researchers could only recall one prior similar event - the 2022 discovery of the AcidRain malware, which knocked out over 10,000 satellite internet modems in Ukraine and Europe during the start of the Russian invasion. The researchers said the impact of "Pumpkin Eclipse" attack was particularly severe, as the affected ISP's service area covers many rural and underserved communities. Residents may have lost access to emergency services, farmers could have been cut off from remote crop monitoring, and healthcare providers may have been unable to access patient records or provide telehealth services. "At this time, we do not assess this to be the work of a nation-state or state-sponsored entity," the Lumen researchers wrote. In fact, we have not observed any overlap with known destructive activity clusters; particularly those prone to destructive events such as Volt Typhoon, or SeaShell Blizzard. Nonetheless, they speculated that usage of a commodity malware family may have been a deliberate move to obscure the perpetrator's potential identity. Recovery from such a supply chain disruption is always more challenging in isolated or vulnerable regions, the researchers added. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

image for 7 New Pegasus Infect ...

 Espionage

Seven Russian and Belarusian-speaking independent journalists and opposition activists based in Europe were targeted or infected with NSO Group’s proprietary Pegasus spyware. A joint investigation by Citizen Lab and Access Now detailed incidents from August 2020 to January 2023 and concluded that a single NSO Group   show more ...

customer might be responsible for at least five of these cases. Threats Against Critics of Russian and Belarusian Regimes In September 2023, Citizen Lab and Access Now reported the hacking of exiled Russian journalist Galina Timchenko, CEO and publisher of Meduza, with Pegasus spyware. Building on these findings, the investigation, in collaboration with digital security expert Nikolai Kvantiliani, now reveals the targeting of seven additional Russian and Belarusian-speaking civil society members and journalists. Many of these individuals, living in exile, have vocally criticized the Russian government, including its invasion of Ukraine, and have faced severe threats from Russian and Belarusian state security services. Critics of the Russian and Belarusian governments typically face intense retaliation, including surveillance, detention, violence, and hacking. The repression has escalated following Russia’s 2022 invasion of Ukraine, with laws severely curtailing the operations of media and civil society organizations. An example of this is the Russian government designating the Munk School of Global Affairs & Public Policy at the University of Toronto, home to the Citizen Lab, as an “Undesirable Organization,” in March 2024. Many opposition activists and independent media groups have relocated abroad to continue their work. Despite the geographic distance, these exiled communities face ongoing threats, including violent attacks, surveillance, and digital risks. For instance, Meduza reported a significant Distributed Denial of Service (DDoS) attack on their website during Russia’s 2024 presidential elections. Investigation Confirmed Pegasus Spyware Targeting The investigation confirmed that the following individuals were targeted or infected with Pegasus spyware. Their names are published with their consent. [caption id="attachment_73182" align="aligncenter" width="1532"] Table Showing Individuals Identified in the Latest Pegasus Spyware Infections (Credit: Citizen Lab)[/caption] Access Now and Citizen Lab confirmed that five victims' phones had Apple IDs used by Pegasus operators in hacking attempts. Exploits leveraging bugs in HomeKit can leave the attacker's Apple ID email address on the victim's device. Citizen Lab believes each Apple ID is tied to a single Pegasus operator, although one operator may use multiple IDs. The same Apple ID was found on the phones of Pavlov, Radzina, and a second anonymous victim. A different email account targeted both Erlikh and Pavlov’s phones on November 28, 2022. Artifacts from Andrei Sannikov and Natallia Radzina’s phones contained another identical email. This indicates that a single Pegasus spyware operator may have targeted at least three of the victims, possibly all five. [caption id="attachment_73184" align="aligncenter" width="1024"] Credit: Citizen Lab[/caption] The investigators could not attribute the attacks to a specific operator but certain trends pointed to Estonia’s involvement. Based on previous investigation, Poland, Russia, Belarus, Lithuania, and Latvia are all known to be customers of the NSO Group’s spyware, but the likeliness of their involvement is low as they do not target victims outside their borders, the investigators said. Estonia, however, is known to use Pegasus extensively beyond its borders, including in multiple European countries. Concerns Over Digital Transnational Repression This pattern of targeting raises serious concerns about the legality and proportionality of such actions under international human rights law. The attacks occurred in Europe, where the targeted individuals sought safety, prompting questions about host states’ obligations to prevent and respond to these human rights violations. The ongoing investigation highlights the persistent threats faced by exiled Russian and Belarusian journalists and activists. As digital transnational repression continues, it underscores the urgent need for robust international measures to protect freedom of expression and privacy for these vulnerable groups. “Access Now [urged] governments to establish an immediate moratorium on the export, sale, transfer, servicing, and use of targeted digital surveillance technologies until rigorous human rights safeguards are put in place to regulate such practices, and to ban the use of spyware technologies such as Pegasus that have a history of enabling human rights abuses.” Apple recently issued notifications to users in more than 90 countries alerting them of possible mercenary spyware attacks. The tech giant replaced the term "state-sponsored" in its alerts with "mercenary spyware attacks," drawing global attention. Previously, Apple used "state-sponsored" for malware threats, but now it highlights threats from hacker groups. Apple noted that while these attacks were historically linked to state actors and private entities like the NSO Group’s Pegasus, the new term covers a broader range of threats.

image for Operation Endgame ...

 Cybersecurity News

In a joint international law enforcement action dubbed “Operation Endgame,” the agencies and judicial authorities dismantled major botnet infrastructure, targeting notorious malware droppers like IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee and TrickBot. In a Thursday announcement Europol said that between   show more ...

May 27 and 29, Operation Endgame led to four arrests and the takedown of over 100 servers worldwide. “This is the largest ever operation against botnets, which play a major role in the deployment of ransomware,” Europol said. Botnets are used for different types of cybercrime including ransomware, identity theft, credit card scams, and several other financial crimes. “The dismantled botnets consisted of millions of infected computer systems,” a joint press statement from the Operation Endgame team said. Led by France, Germany, and the Netherlands, and supported by Eurojust, the operation involved countries including Denmark, the United Kingdom, the United States, Armenia, Bulgaria, Lithuania, Portugal, Romania, Switzerland, and Ukraine. Operation Endgame resulted in: 4 arrests - 1 in Armenia and 3 in Ukraine. 16 location searches - 1 in Armenia, 1 in the Netherlands, 3 in Portugal, and 11 in Ukraine. Over 100 servers dismantled or disrupted in countries such as Bulgaria, Canada, Germany, Lithuania, the Netherlands, Romania, Switzerland, the UK, the US, and Ukraine. Over 2,000 domains seized and brought under law enforcement control. 8 summons were also served against other suspects. Targeting the Cybercrime Infrastructure Operation Endgame focused on high-value targets, their criminal infrastructure behind various malware and the freezing of illicit proceeds. “The malware, whose infrastructure was taken down during the action days, facilitated attacks with ransomware and other malicious software,” according to Europol. One primary suspect, the Europol said, earned at least €69 million in cryptocurrency by renting out sites for ransomware deployment. Authorities are closely monitoring these transactions and have secured permissions to seize the assets. The infrastructure and financial seizures had a global impact on the dropper ecosystem, the authorities believe. Key Dropper Malware Dismantled in Operation Endgame - SystemBC: Facilitated anonymous communication between infected systems and command-and-control servers. - Bumblebee: Delivered via phishing campaigns or compromised websites, enabling further payload execution. - Smokeloader: Used primarily to download and install additional malicious software. - IcedID (BokBot): Evolved from a banking trojan to a multi-purpose tool for various cybercrimes. - Pikabot: Enabled ransomware deployment, remote takeovers, and data theft through initial system access. “All of them are now being used to deploy ransomware and are seen as the main threat in the infection chain,” Europol said. [caption id="attachment_72953" align="aligncenter" width="1920"] Operation Endgame seizure notice (Credit: Europol)[/caption] The Role of Dropper Malware in Cyberattacks Droppers are essential tools in cyberattacks, acting as the initial vector to bypass security and install harmful software such as ransomware and spyware. They facilitate further malicious activities by enabling the deployment of additional malware on compromised systems. How Droppers Operate Infiltration: Enter systems through email attachments, compromised websites, or bundled with legitimate software. Execution: Install additional malware on the victim's computer without the user's knowledge. Evasion: Avoid detection by security software through methods like code obfuscation and running in memory. Payload Delivery: Deploy additional malware, potentially becoming inactive or removing itself to evade detection. The success of the operation was bolstered by private partners such as Bitdefender, Sekoia, Shadowserver, Proofpoint, and Fox-IT, among others. Their support was crucial in disrupting the criminal networks and infrastructure, the authorities said. Wait for Operation Endgame Season 2 Operation Endgame signifies a major victory, but this is not really the end of it. Taking cue from the Marvel cinematic movie ‘Avengers – Endgame,’ the law enforcement is set to to release a part two of this operation in a few hours from now as they said their efforts continue. “This is Season 1 of operation Endgame. Stay tuned. It sure will be exciting. Maybe not for everyone though. Some results can be found here, others will come to you in different and unexpected ways,” the authorities said. “Feel free to get in touch, you might need us. Surely, we could both benefit from an openhearted dialogue. You would not be the first one, nor will you be the last. Think about (y)our next move.” Future actions will be announced on the Operation Endgame website, possibly targeting suspects and users, and ensuring accountability. The news of this massive botnet takedown operation comes a day after the announcement of the dismantling of “likely the world’s largest botnet ever” – the 911 S5 botnet. The botnet’s alleged administrator Yunhe Wang, was arrested last week and a subsequent seizure of infrastructure and assets was announced by the FBI. The recent law enforcement actions represent a historic milestone in combating cybercrime, dealing a significant blow to the dropper malware ecosystem that supports ransomware and other malicious activities. The operation's success underscores the importance of international cooperation and the need for robust cybersecurity measures to tackle evolving threats.

image for Klein ISD Student Fa ...

 DDoS Attacks News

An 18-year-old high school student from Texas has found himself at the center of a significant cybercrime investigation. Keontra Kenemore is facing a third-degree felony charge of electronic access interference, accused of launching a Klein ISD cyberattack that disrupted state-mandated testing for thousands of   show more ...

students. The implications of this digital cyberattack have rippled across the Klein Independent School District (Klein ISD), affecting more than 24,000 students and raising serious concerns about cybersecurity in educational institutions. Klein ISD Cyberattack: Disruption During Critical Testing Period The cyberattack, known as a Distributed Denial of Service (DDoS) attack, was carried out using Kenemore’s school-issued Chromebook. According to court documents, Kenemore allegedly accessed websites that initiated the DDoS attack, overwhelming the district's network services during the crucial STARR testing period in April. The impact was immediate and widespread, with students at all campuses within the district experiencing significant disruptions. On the first day of testing, about 3,000 students attempting the English Language Arts test were locked out of the system, forced to stop and restart their exams. The chaos continued the following day, affecting another 700 students. Investigation reveals that Kenemore admitted to using websites to launch DDoS attacks on multiple occasions. The district’s IT department discovered the DDoS attack when the testing coordinator at Kenemore’s high school reported internet issues during the testing period. The disruptions not only interrupted the testing process but also posed a threat to the district’s accountability rating with the Texas Education Agency, potentially impacting future funding and evaluations. When questioned by school administrators, Kenemore reportedly admitted to accessing the websites used to send the DDoS attacks. However, a family member told Houston NBC affiliate KPRC 2 that Kenemore claimed it was an accident, asserting that he was expelled and unable to graduate as a result of the incident. District's Response and Future Implications Despite Kenemore’s expulsion and the ongoing legal proceedings, Klein ISD has remained tight-lipped about the incident. The silence from Klein ISD leaves many questions unanswered, particularly concerning their cybersecurity measures and how they plan to prevent similar incidents in the future. The case against Kenemore highlights the growing vulnerabilities in school district networks and the ease with which they can be exploited. As the investigation continues, the full extent of the damage caused by the DDoS attack remains to be seen. For the students affected, the disruption to their testing period has been a significant setback, one that may have lasting consequences on their academic records. For Keontra Kenemore, the legal ramifications of his actions will likely shape his future in profound ways. This Klein ISD cyberattack serves as a reminder of the potential dangers posed by cyber assault in our increasingly connected world. It calls for heightened awareness and more robust cybersecurity protocols within educational institutions to protect against such disruptive and damaging actions. As the case unfolds, it will undoubtedly contribute to the broader dialogue on digital security and the measures necessary to protect vulnerable systems from malicious interference. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

image for Johnson & Johnson Re ...

 Cybersecurity News

Pharmaceutical giant Johnson & Johnson recently announced a data breach that may stem from a larger data breach affecting Lash Group, a division of Cencora. In February, Cencora reported a data breach incident to the U.S. Securities and Exchange Commission (SEC) after learning that data had been exfiltrated from   show more ...

its information systems, some of which contained personal information. The breach may have compromised some sensitive information of patients registered with Johnson & Johnson Patient Assistance Foundation, Inc. Johnson & Johnson Data Breach Notice On May 29, Johnson & Johnson filed a notice of data breach with the Attorney General of Texas, indicating that an unauthorized party accessed confidential patient information. The breach affected approximately 175,000 Texans, but the total number of victims nationwide could be much higher. The breach affects two Johnson & Johnson entities: Johnson & Johnson Patient Assistance Foundation, Inc., and Johnson & Johnson Services, Inc. The following data was compromised in the attack: Name of individual, Address, Medical Information, and Date of Birth. Data breach notification letters have been sent to all the affected individuals, while limited information is available on the Texas Attorney General's data breach reports page. The incident is potentially linked to a much larger breach involving Cencora, which has affected over a dozen major pharmaceutical companies so far. Link to Cencora Data Breach The Johnson & Johnson data breach bears several similarities to other large third-party pharmaceutical company data breaches affected by the Cencora/Lash Group data breach, which was first discovered on February 21. Cencora’s Lash Group division aids pharmaceutical companies in running patient support programs that try to ensure that costly medication is available to disadvantaged patients, regardless of their ability to pay for them. At least 15 clients of Cencora/Lash Group have notified state authorities of data breach incidents, with databreaches.net listing the following victims: AbbVie: 54,344 Texans affected Acadia Pharmaceuticals: 753 Texans affected Bayer: 8,822 Texans affected Bristol Myers Squibb and/or the Bristol Myers Squibb Patient Assistance Foundation: 256,237 Texans and 11,503 New Hampshire residents affected Dendreon: 2,923 Texans affected Endo: no numbers provided Genentech: 5,805 Texans affected GlaxoSmithKline Group of Companies and/or the GlaxoSmithKline Patient Access Programs Foundation: no numbers provided Incyte Corporation: 2,592 Texans affected Marathon Pharmaceuticals, LLC/PTC Therapeutics, Inc.: 466 Texans and 27 New Hampshire residents affected Novartis Pharmaceuticals: 12,134 Texans affected Pharming Healthcare, Inc.: 314 Texans and 9 New Hampshire residents affected Regeneron Pharmaceuticals: 91,514 Texans affected Sumitomo Pharma America, Inc.: 24,102 Texans affected Tolmar: 1 New Hampshire resident Data breach notices have also been filed with California officials too. While the full extent of the damage has yet to be determined, it has affected over 540,000 patients so far. Cencora stated in its notification to the Securities and Exchange Commission that it had not yet been able to determine if the incident had a material impact on its operations. In in a notice on its website, the Leash Group indicated that personal information as well as personal health information had been potentially affected, including first name, last name, date of birth, health diagnosis, and/or medications and prescriptions. The Leash Group said in a statement that no personal data appears to have been exposed because of the incident: “There is no evidence that any of this information has been or will be publicly disclosed, or that any information was or will be misused for fraudulent purposes as a result of this incident, but we are communicating this so that affected individuals can take the steps outlined below to protect yourself.” The Leash Group is offering free credit monitoring and remediation services to affected individuals, and additional guidance on dealing with suspected breaches of personal information. No perpetrator has been identified or named as being responsible for the attack, and the potential impact of the breach is still being assessed. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

image for Internet Archive Def ...

 Firewall Daily

Internet Archive, one of the oldest online directories of websites, movies, books, software and more, is facing a cyberattack that has disrupted its services for over three days. The Internet Archive cyberattack, identified as a distributed denial-of-service (DDoS) assault, has besieged the service and inundated its   show more ...

servers with repeated requests. While the organization is reassuring users that its collections remain secure, the accessibility of its Wayback Machine, a tool allowing users to explore historical web pages, has been compromised. Internet Archive Cyberattack Targets Multiple Systems According to a blog post shared by Internet Archive on May 28, intermittent service disruptions have been reported over the past few days, confirmed by updates shared by Archive officials on social media platforms. Despite efforts to mitigate the attack, the exact source remains undisclosed. In response to the DDoS attack, Brewster Kahle, the founder and digital librarian of the Internet Archive, expressed gratitude for the outpouring of support while reaffirming the organization's commitment to fortify its defenses. Kahle characterized the attack as "sustained, impactful, targeted, adaptive, and importantly, mean" in the blog post. Mitigation Against the Internet Archive DDoS Attack The Internet Archive serves as a valuable resource for users seeking access to a diverse range of media content, both historical and contemporary, free of charge. However, its mission to democratize access to knowledge has encountered legal challenges, with the organization facing lawsuits from the U.S. book publishing and recording industry associations in the last year. The legal actions alleged copyright infringement and sought significant damages, casting a shadow over the future operations of libraries worldwide. The cyberattack on the Internet Archive echoes a troubling trend of attacks targeting libraries and knowledge institutions globally. Recent victims include the British Library, the Solano County Public Library in California, the Berlin Natural History Museum, Ontario’s London Public Library, and just this week, the Seattle Public Library. In light of the ongoing cyberattack and legal battles, Kahle emphasized the broader implications for libraries everywhere. He warned that the actions of publishing and recording industries threaten to undermine the very existence of libraries, posing a grave concern for patrons worldwide. This is an ongoing story and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on the Internet Archive cyberattack or any further communication from the organization. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

image for LockBit Ransomware G ...

 Firewall Daily

The LockBit ransomware group has targeted Heras UK, a prominent European provider of end-to-end perimeter protection solutions. The threat actor claimed the Heras cyberattack and shared a website status displaying the downtime alongside a countdown, ticking away the time until the data breach is potentially exploited.   show more ...

Heras, operating across 24 countries with a workforce of over 1100 skilled professionals, reportedly faces a data breach.  The Cyber Express, in pursuit of clarity on the attack, reached out to the organization for comments. However, at the time of writing this, no official statement has been issued, leaving the alleged Heras data breach unconfirmed. Despite the claims, Heras' website remains functional, showing no immediate signs of the cyber attack. It's plausible that the attackers targeted the website's backend, opting for stealth over a frontal assault like DDoS or defacement. Alleged Heras Cyberattack Surfaces on Dark Web [caption id="attachment_72935" align="alignnone" width="422"] Source: Dark Web[/caption] The cyberattack on Heras comes amidst a spree of cyber attacks orchestrated by the LockBit ransomware group. Notably, the group targeted Allied Telesis, Inc., a leading American telecommunication equipment supplier. While the Heras data breach purportedly occurred on May 27, 2024, the authenticity of the claims and the leaked data remains unverified.  In a bold move earlier this year, the United States imposed sanctions on affiliates of the Russia-based LockBit ransomware group. This decisive action, led by the U.S. Department of Justice and the Federal Bureau of Investigation, signals a unified stance against cyber threats. LockBit, notorious for its Ransomware-as-a-Service (RaaS) model, employs double extortion tactics to extort hefty ransoms from its victims. Who is the LockBit Ransomware Group? The LockBit ransomware group is a sophisticated cybercrime organization that targets enterprises and government organizations. Formerly known as "ABCD" ransomware, LockBit operates as a crypto-virus, demanding financial payment in exchange for the decryption of encrypted files. Unlike some ransomware that targets individuals, LockBit primarily focuses on large entities, seeking hefty sums from viable targets. Since its inception in September 2019, LockBit has targeted organizations globally, including those in the United States, China, India, Indonesia, Ukraine, France, the UK, and Germany. It strategically selects targets likely to have both the financial means and the urgency to resolve the disruption caused by the attack. Notably, LockBit avoids attacking systems within Russia and the Commonwealth of Independent States, possibly to evade prosecution. As for the Heras data breach, this is an ongoing story and The Cyber Express will be closely monitoring the situation and we'll update this post once we have more information on the attack or any official confirmation from the organization.  Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

image for Fortinet FortiSIEM V ...

 Firewall Daily

Multiple vulnerabilities have recently been discovered in Fortinet FortiSIEM, raising concerns over potential remote code execution exploits. FortiSIEM, renowned for its real-time infrastructure and user awareness capabilities facilitating precise threat detection, analysis, and reporting, faces significant risks due   show more ...

to this FortiSIEM vulnerability. The identified vulnerabilities, if successfully exploited, could grant remote attackers the ability to execute code within the context of the affected service account. This could lead to a range of malicious activities, including the installation of unauthorized programs, manipulation of data, or even the creation of new accounts with extensive user rights.  Understanding the Fortinet FortiSIEM Vulnerability The severity of the Fortinet FortiSIEM vulnerability varies based on the privileges associated with the compromised service account, with administrative accounts posing the highest risk. According to SingCERT, proof of concept exploits are already available for CVE-2024-23108 and CVE-2023-34992, indicating an immediate threat to vulnerable systems. Fortinet FortiSIEM versions 7.1.0 through 7.1.1, 7.0.0 through 7.0.2, 6.7.0 through 6.7.8, 6.6.0 through 6.6.3, 6.5.0 through 6.5.2, and 6.4.0 through 6.4.2 are all affected by the vulnerabilities.  The risks associated with these vulnerabilities vary across different sectors, with large and medium government entities and businesses facing high risks, while small government entities and businesses face a medium level of risk. Home users, however, are considered to have a low-risk exposure. Technical Analysis of FortiSIEM Vulnerability Technical analysis of these FortiSIEM vulnerabilities reveals that the flaw primarily exploits the execution tactic, specifically targeting the Command and Scripting Interpreter technique. Multiple instances of improper neutralization of special elements used in OS Command have been identified in the FortiSIEM supervisor. These vulnerabilities could be exploited by remote, unauthenticated attackers via specially crafted API requests. To mitigate the risks associated with these FortiSIEM vulnerabilities, it is recommended to promptly apply patches provided by FortiNet after thorough testing. Other measures, include establishing and maintaining a documented vulnerability management process for enterprise assets, performing regular automated application updates, enforcing network-based URL filters to limit access to potentially malicious websites, implementing the Principle of Least Privilege for privileged account management, blocking unauthorized code execution through application control, and script blocking, establishing and maintaining a secure configuration process for enterprise assets and software, and address penetration test findings according to the enterprise's remediation policy. By adhering to these recommendations, organizations can effectively mitigate the vulnerabilities in Fortinet FortiSIEM, safeguarding their systems against potential remote code execution exploits. Stakeholders must prioritize these actions to ensure the security and integrity of their IT infrastructure. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

image for BBC Data Breach: Ove ...

 Firewall Daily

The British Broadcasting Corporation (BBC) is investigating a data breach that exposed sensitive information belonging to over 25,000 present and past employees. The BBC data breach, which occurred within the corporation's pension scheme, has triggered a reaction from authorities regarding cybersecurity protocols.   show more ...

The pension scheme, in an email dispatched to its members, highlighted the gravity of the BBC employee data breach, emphasizing that the incident is being treated with the utmost seriousness. Approximately 25,290 individuals have been impacted by this breach, according to statements made by scheme representatives. Talking about this cybersecurity incident and its legal repercussions with The Cyber Express, Lauren Wills-Dixon, data privacy expert at law firm Gordons, stated that data breaches that lead to "unauthorised access to personal data is classed as a personal data breach under data protection laws". BBC Data Breach Impacts Current and Former Employees According to Birmingham Live, the security incident is being taken "extremely seriously” by the BBC and there is “no evidence of a ransomware attack.” Despite speculation of a possible ransomware attack, the British public service broadcaster has dispelled any conjecture, asserting that there is currently no evidence supporting this theory. The BBC clarified that the breach stemmed from private records being illicitly accessed from an online data storage service. Catherine Claydon, Chair of the BBC Pension Trust, assured employees that swift action had been taken to address the breach and secure the affected data source, The Guardian reported.  In an email sent to the staff, Claydon reassured the employees that “BBC have taken immediate steps to assess and contain the incident.” Talking about the mitigation strategies, the organization stated “We are working at pace with specialist teams internally and externally to understand how this happened and take appropriate action. As a precaution, we have also put in place additional security measures and continue to monitor the situation.”  The legal obligation of this data breach are far reaching and in cases where the incident impacts individual rights and freedoms, "this comes with a regulatory obligation to notify the Information Commissioner, and where people are at "high risk" the affected organisation must notify those individuals too without undue delay", said Lauren. BBC Employee Data Breach and Ongoing Investigation Despite assurances from the BBC, concerns linger regarding the potential misuse of the compromised information. Employees have been advised to remain vigilant and report any suspicious activity promptly. The breach, though attributed to a third party cloud storage provider, threatens the security of the impacted individuals, and "BBC - and any ‘data controller’ under data protection laws - remains primarily responsible for the security measures it adopts and external providers it engages to store and protect its personal data", added Lauren. Moreover, no passwords or bank details "appear to have been compromised, but the advice for those individuals involved is to be vigilant of any unusual activity or requests". Acknowledging the severity of the breach, a spokesperson for the BBC pension scheme issued a sincere apology to affected members. Reassurances were offered regarding the swift response and containment of the breach, coupled with ongoing efforts to upgrade security measures and monitor the situation closely. Inquiries into the incident are ongoing, with external cybersecurity experts collaborating with internal teams to dissect the breach and its implications thoroughly. However, as of now, no official statement has been issued regarding the involvement of ransomware groups in the breach. This is an ongoing story and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on the BBC employee data breach or any official response from the organization.

image for TRAM Barcelona Hit b ...

 Firewall Daily

The website of Barcelona tram services, a central component of Spain's transportation network, was reportedly the target of a Distributed Denial-of-Service (DDoS) cyberattack. The TRAM Barcelona cyberattack has been claimed by the pro-Russian hacker group called "NoName," in collaboration with the Cyber   show more ...

Army of Russia. In a post, the group, which claims to be "NoName057(16)", made the announcement which read, "Supporting the attack by our friends from the People's Cyber Army, we are taking down one of Spain's transport websites." Since first emerging in March 2022, the pro-Russian hacker group NoName has been increasingly active, taking responsibility for a series of cyberattacks targeting government agencies, media outlets, and private companies across Ukraine, the United States, and Europe. Decoding the Tram Barcelona Cyberattack [caption id="attachment_72970" align="aligncenter" width="530"] Source: X[/caption] TRAM Barcelona, with its origins dating back to 1872, was one of Europe's earlier tram systems. After services were discontinued in 1971, the tram was reintroduced in 2004 with the new Trambaix and Trambesòs lines, which have since become a popular mode of transportation throughout Spain’s Catalonia region. [caption id="attachment_73002" align="alignnone" width="1642"] The hacker group declared the attack on May 29, 2024, and as of the time of this report, the website remains offline.[/caption] The specifics of the cyberattack on Tram Barcelona, including potential data breaches and the attackers' motives, have not been fully disclosed. The hacker group announced the attack on May 29, 2024, and as of this report, the website is still down. The company has not yet acknowledged the incident or issued any official statement about the status of the website and its services. The claimed cyberattack on Tram Barcelona highlights the persistent threat of security incidents on crucial entities, such as banks and government organizations. However, the absence of an official statement raises questions about the severity and credibility of the NoName cyberattack claim. TRAM Barcelona Cyberattack: Latest in Series of Assaults This isn’t the first instance of NoName targeting organizations. In January 2024, the group claimed responsibility for a series of cyberattacks across the Netherlands, Ukraine, Finland, and the USA. NoName has previously targeted a range of organizations, including OV-chipkaart, the Municipality of Vlaardingen, the Dutch Tax Office (Belastingdienst), PrivatBank 24, Credit Agricole Bank, MTB BANK, Accordbank, Matek Systems in China, Pixhawk in Switzerland, SpetsInTech, and Kvertus. Incidentally, just like Tram Barcelona, OV-chipkaart too is involved in the public transportation system offering a contactless smart card system widely used in for public transportation in the Netherlands. Until an official statement is released by the affected organization, the full scope and impact of the alleged NoName cyberattack remain unclear. As the cybersecurity landscape continues to evolve, these incidents highlight the importance of bolstering security protocols and adopting proactive measures to mitigate the increasing threat of cyberattacks. This is an ongoing story, and we will provide updates as more information becomes available. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

image for Family-Owned Woodwor ...

 Firewall Daily

The notorious Akira ransomware group has added another victim to its growing list of targeted organizations, striking at Western Dovetail, a prominent woodworking company founded in 1993 by Maxfield Hunter, its president, and CEO, along with support from his father, George Hunter, and brother, Josh Hunter. The   show more ...

family-owned business, known for its dedication to woodworking craftsmanship, has become the latest casualty of cybercrime. The Akira ransomware group took to online forums to announce their latest Western Dovetail data breach, proclaiming the availability of "a few GB of their data" for public access. The compromised data reportedly includes sensitive employee information such as addresses, emails, phone numbers, and even details of relatives, along with tax and payment information, and a snippet of medical records. Western Dovetail Cyberattack: Verification Efforts and Official Response Despite this disclosure, Akira has remained tight-lipped about their motives behind targeting Western Dovetail. Upon investigating Western Dovetail's official website, no signs of foul play were immediately evident, as the website appeared to be fully functional. To corroborate further, The Cyber Express Team reached out to Western Dovetail officials for comment. However, at the time of compiling this report, no official response had been received, leaving the claim of the Western Dovetail data breach unverified. [caption id="attachment_72947" align="aligncenter" width="850"] Source: X[/caption] Akira Ransomware Trail of Cyber Destruction The latest cyberattack on Western Dovetail adds to a growing list of cyber onslaughts orchestrated by the Akira ransomware group. In April 2024, the group was identified as the mastermind behind a series of devastating cyberattacks targeting businesses and critical infrastructure entities across North America, Europe, and Australia. According to the U.S. Federal Bureau of Investigation (FBI), Akira has breached over 250 organizations since March 2023, raking in a staggering $42 million in ransom payments. Initially focusing on Windows systems, Akira has expanded its tactics to include Linux variants, raising alarm bells among global cybersecurity agencies. Before targeting Western Dovetail, the ransomware group had set its sights on prominent entities such as DENHAM the Jeanmaker, a renowned denim brand based in Amsterdam, and TeraGo, a Canada-based provider of secure cloud services and business-grade internet solutions. Conclusion and Awaited Response In the wake of the Western Dovetail cyberattack, the cybersecurity landscape remains fraught with uncertainty. While the company's official response is eagerly awaited, the incident serves as a reminder of the ever-present threat posed by cybercriminals. As organizations strive to protect themselves against such cyberattacks, collaboration between cybersecurity experts, law enforcement agencies, and affected entities becomes increasingly crucial in combating the pervasive menace of ransomware. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

image for Japanese Man Arreste ...

 Cybersecurity News

A 25-year-old man from Kawasaki, Japan was arrested this week for allegedly using generative AI tools to create ransomware in an AI jailbreaking case that may be the first of its kind in Japan. The arrest of Ryuki Hayashi, widely reported in Japan, is the latest example of an attacker defeating AI guardrails, which   show more ...

has become something of an obsession for hackers and cybersecurity researchers alike. Just this week, researchers from Germany’s CISPA Helmholtz Center for Information Security reported on their efforts to jailbreak GPT-4o, the latest multimodal large language model (MLLM) released by OpenAI a little more than two weeks ago. Concerns raised by those researchers and others led OpenAI to establish a safety and security committee this week to try to address AI risks. AI Jailbreak Tools and Methods Unclear News reports on Hayashi’s arrest have been lacking in details on the tools and methods he used to create the ransomware. The Japan Times reported that Hayashi, a former factory worker, “is not an expert on malware. He allegedly learned online how to ask AI tools questions that would elicit information on how to create malware.” Hayashi came under suspicion after police arrested him in March “for allegedly using fake identification to obtain a SIM card registered under someone else's name,” the paper reported. The Japan News, which reported that Hayashi is unemployed, said police found “a homemade virus on a computer” following the March arrest. The News said police suspect he “used his home computer and smartphone to combine information about creating malware programs obtained after giving instructions to several generative AI systems in March last year.” Hayashi “allegedly gave instructions to the AI systems while concealing his purpose of creating the virus to obtain design information necessary for encrypting files and demanding ransom,” the News reported. “He is said to have searched online for ways to illegally obtain information.” Hayashi reportedly admitted to charges during questioning, and told police, “I wanted to make money through ransomware. I thought I could do anything if I asked AI.” There have been no reports of damage from the ransomware he created, the News said. LLM Jailbreak Research Heats Up The news comes as research on AI jailbreaking and attack techniques has grown, with a number of recent reports on risks and possible solutions. In a paper posted to arXiv this week, the CISPA researchers said they were able to more than double their attack success rate (ASR) on GPT-4o’s voice mode with an attack they dubbed VOICEJAILBREAK, “a novel voice jailbreak attack that humanizes GPT-4o and attempts to persuade it through fictional storytelling (setting, character, and plot).” Another arXiv paper, posted in February by researchers at the University of California at Berkeley, looked at a range of risks associated with GenAI tools such as Microsoft Copilot and ChatGPT, along with possible solutions, such as development of an “AI firewall” to monitor and change LLM inputs and outputs if necessary. And earlier this month, OT and IoT security company SCADAfence outlined a wide range of AI tools, threat actors and attack techniques. In addition to general use case chatbots like ChatGPT and Google Gemini, the report looked at “dark LLMs” created for malicious purposes, such as WormGPT, FraudGPT, DarkBERT and DarkBART. SCADAfence recommended that OT and SCADA organizations follow best practices such as limiting network exposure for control systems, patching, access control and up to date offline backups. GenAI uses and misuses is also expected to be the topic of a number of presentations at Gartner’s Security and Risk Management Summit next week in National Harbor, Maryland, just outside the U.S. capital.

image for KVRT for Linux: malw ...

 Business

Modern-day cybercriminals arent ignoring Linux-based operating systems. Recently, we published a series of posts about malicious code in the open source set of utilities XZ Utils, which managed to find its way into several popular Linux builds; wrote about a Linux implant for the DinodasRAT malware — also known as   show more ...

XDealer; and warned about a backdoor in the Trojanized version of Free Download Manager. Despite all this, the myth that Linux is mostly immune to cyberthreats persists: companies rarely devote funds to protecting machines running this operating system. Therefore, weve released a dedicated free product that allows you to check Linux computers for modern threats — Kaspersky Virus Removal Tool (KVRT) for Linux. What is Kaspersky Virus Removal Tool for Linux and what does it do? KVRT for Linux cant monitor attacks on your computer or server in real time — its a free application for scanning computers running a Linux-based OS and cleaning them of detected threats. It can detect both malware and adware, as well as legitimate programs that can be used for attacks. Using KVRT for Linux you can scan 64-bit operating systems for x86_64 architecture. The list of distributions on which the application is guaranteed to work is listed here; however, if the system youre using isnt on the list, its still worth trying — theres still a good chance it will work. Our application can scan system memory, startup objects, boot sectors, and all files in the operating system for known malware. It scans files of all formats — including archived ones. How to use KVRT for Linux Lets start with the fact that KVRT for Linux doesnt have an automated antivirus-database updating mechanism. If you want our product to be able to recognize the latest threats, youd need to download the fresh version of the program from our website each time. The package hosted there is updated several times a day. The application can be run via graphical interface or via a command line. But you can only run it manually — its impossible to set up a scheduled scan. The distribution is provided as a portable application, so it doesnt require installation. However, it must be granted execute permission before use. To ensure that the application has access rights to system memory, boot sectors and other important areas, and can also cure or remove detected threats, its recommended to run it under a superuser account (root). However, KVRT for Linux can also work under a regular user account, but in this case its functionality may be limited. You can read more about how to launch the application and give it the necessary rights on our technical support website. In general, there you can find all the information you may need to use KVRT.

image for Transatlantic Cable ...

 News

Episode 349 of the Transatlantic Cable podcast kicks off with a discussion on Microsofts newly announced Copilot+ feature for personal computers. This feature, touted to give PCs a photographic memory, raises significant privacy concerns as it can log everything a user does by taking screenshots every few seconds.   show more ...

Privacy advocates fear the potential for exploitation by hackers and the implications of such extensive data collection. Next, the podcast discusses the recent floods in Rio Grande do Sul, Brazil, and the rise of AI-generated misinformation during the disaster. The team highlights how false images and videos have been spreading on social media, complicating rescue efforts and public awareness. The episode then delves into the vulnerabilities of high-end car keyless entry systems. Despite advancements like ultra-wideband communications, a recent demonstration by Chinese researchers showed that the latest Tesla Model 3 is still susceptible to relay attacks, allowing thieves to unlock and steal the vehicle with minimal equipment. To wrap up, the team discusses the arrest of Lin Rui-siang, who was living a double life as an IT specialist and a dark web drug market operator. Lin, under the alias Pharoah, ran the Incognito Market, which facilitated over $100 million in narcotics sales before executing an exit scam and attempting to extort users. His arrest at JFK airport by the FBI brought an end to his criminal activities. If you liked what you heard, please consider subscribing. Microsofts AI screenshot function is being called a privacy nightmare. Brazils flood disaster set off a torrent of AI misinformation. Teslas can still be stolen with a cheap radio hack despite new keyless tech. He Trained Cops to Fight Crypto Crime—and Allegedly Ran a $100M Dark-Web Drug Market.

image for ‘Operation Endgame ...

 Ne'er-Do-Well News

Law enforcement agencies in the United States and Europe today announced Operation Endgame, a coordinated action against some of the most popular cybercrime platforms for delivering ransomware and data-stealing malware. Dubbed “the largest ever operation against botnets,” the international effort is being   show more ...

billed as the opening salvo in an ongoing campaign targeting advanced malware “droppers” or “loaders” like IcedID, Smokeloader and Trickbot. A frame from one of three animated videos released today in connection with Operation Endgame. Operation Endgame targets the cybercrime ecosystem supporting droppers/loaders, slang terms used to describe tiny, custom-made programs designed to surreptitiously install malware onto a target system. Droppers are typically used in the initial stages of a breach, and they allow cybercriminals to bypass security measures and deploy additional harmful programs, including viruses, ransomware, or spyware. Droppers like IcedID are most often deployed through email attachments, hacked websites, or bundled with legitimate software. For example, cybercriminals have long used paid ads on Google to trick people into installing malware disguised as popular free software, such as Microsoft Teams, Adobe Reader and Discord. In those cases, the dropper is the hidden component bundled with the legitimate software that quietly loads malware onto the user’s system. Droppers remain such a critical, human-intensive component of nearly all major cybercrime enterprises that the most popular have turned into full-fledged cybercrime services of their own. By targeting the individuals who develop and maintain dropper services and their supporting infrastructure, authorities are hoping to disrupt multiple cybercriminal operations simultaneously. According to a statement from the European police agency Europol, between May 27 and May 29, 2024 authorities arrested four suspects (one in Armenia and three in Ukraine), and disrupted or took down more than 100 Internet servers in Bulgaria, Canada, Germany, Lithuania, the Netherlands, Romania, Switzerland, the United Kingdom, United States and Ukraine. Authorities say they also seized more than 2,000 domain names that supported dropper infrastructure online. In addition, Europol released information on eight fugitives suspected of involvement in dropper services and who are wanted by Germany; their names and photos were added to Europol’s “Most Wanted” list on 30 May 2024. A “wanted” poster including the names and photos of eight suspects wanted by Germany and now on Europol’s “Most Wanted” list. “It has been discovered through the investigations so far that one of the main suspects has earned at least EUR 69 million in cryptocurrency by renting out criminal infrastructure sites to deploy ransomware,” Europol wrote. “The suspect’s transactions are constantly being monitored and legal permission to seize these assets upon future actions has already been obtained.” There have been numerous such coordinated malware takedown efforts in the past, and yet often the substantial amount of coordination required between law enforcement agencies and cybersecurity firms involved is not sustained after the initial disruption and/or arrests. But a new website erected to detail today’s action — operation-endgame.com — makes the case that this time is different, and that more takedowns and arrests are coming. “Operation Endgame does not end today,” the site promises. “New actions will be announced on this website.” A message on operation-endgame.com promises more law enforcement and disruption actions. Perhaps in recognition that many of today’s top cybercriminals reside in countries that are effectively beyond the reach of international law enforcement, actions like Operation Endgame seem increasingly focused on mind games — i.e., trolling the hackers. Writing in this month’s issue of Wired, Matt Burgess makes the case that Western law enforcement officials have turned to psychological measures as an added way to slow down Russian hackers and cut to the heart of the sweeping cybercrime ecosystem. “These nascent psyops include efforts to erode the limited trust the criminals have in each other, driving subtle wedges between fragile hacker egos, and sending offenders personalized messages showing they’re being watched,” Burgess wrote. When authorities in the U.S. and U.K. announced in February 2024 that they’d infiltrated and seized the infrastructure used by the infamous LockBit ransomware gang, they borrowed the existing design of LockBit’s victim shaming website to link instead to press releases about the takedown, and included a countdown timer that was eventually replaced with the personal details of LockBit’s alleged leader. The feds used the existing design on LockBit’s victim shaming website to feature press releases and free decryption tools. The Operation Endgame website also includes a countdown timer, which serves to tease the release of several animated videos that mimic the same sort of flashy, short advertisements that established cybercriminals often produce to promote their services online. At least two of the videos include a substantial amount of text written in Russian. The coordinated takedown comes on the heels of another law enforcement action this week against what the director of the FBI called “likely the world’s largest botnet ever.” On Wednesday U.S. Department of Justice (DOJ) announced the arrest of YunHe Wang, the alleged operator of the ten-year-old online anonymity service 911 S5. The government also seized 911 S5’s domains and online infrastructure, which allegedly turned computers running various “free VPN” products into Internet traffic relays that facilitated billions of dollars in online fraud and cybercrime.

 Feed

Aquatronica Control System version 5.1.6 has a tcp.php endpoint on the controller that is exposed to unauthenticated attackers over the network. This vulnerability allows remote attackers to send a POST request which can reveal sensitive configuration information, including plaintext passwords. This can lead to   show more ...

unauthorized access and control over the aquarium controller, compromising its security and potentially allowing attackers to manipulate its settings.

 Feed

This Metasploit module abuses a feature of the sudo command on Progress Flowmon. Certain binary files are allowed to automatically elevate with the sudo command. This is based off of the file name. This includes executing a PHP command with a specific file name. If the file is overwritten with PHP code it can be used to elevate privileges to root. Progress Flowmon up to at least version 12.3.5 is vulnerable.

 Feed

Sysdig Falco is a behavioral activity monitoring agent that is open source and comes with native support for containers. Falco lets you define highly granular rules to check for activities involving file and network activity, process execution, IPC, and much more, using a flexible syntax. Falco will notify you when these rules are violated. You can think about Falco as a mix between snort, ossec and strace.

 Feed

Ubuntu Security Notice 6798-1 - It was discovered that GStreamer Base Plugins incorrectly handled certain EXIF metadata. An attacker could possibly use this issue to execute arbitrary code or cause a crash.

 Feed

Ubuntu Security Notice 6796-1 - Fergus Dall discovered that TPM2 Software Stack did not properly handle layer arrays. An attacker could possibly use this issue to cause TPM2 Software Stack to crash, resulting in a denial of service, or possibly execute arbitrary code. Jurgen Repp and Andreas Fuchs discovered that TPM2   show more ...

Software Stack did not validate the quote data after deserialization. An attacker could generate an arbitrary quote and cause TPM2 Software Stack to have unknown behavior.

 Feed

Ubuntu Security Notice 6799-1 - It was discovered that the debugger in Werkzeug was not restricted to trusted hosts. A remote attacker could possibly use this issue to execute code on the host under certain circumstances.

 Feed

Red Hat Security Advisory 2024-3479-03 - Updated container images are now available for director Operator for Red Hat OpenStack Platform 16.2 for RHEL 8.4. Issues addressed include a denial of service vulnerability.

 Feed

Red Hat Security Advisory 2024-3475-03 - An update is now available for Red Hat OpenShift GitOps v1.11.5 to address the CVE-2024-31989, Unprivileged pod in a different namespace on the same cluster could connect to the Redis server on port 6379. Red Hat Product Security has rated this update as having a security   show more ...

impact of Important. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link in the References section.

 Feed

Red Hat Security Advisory 2024-3467-03 - An update for etcd is now available for Red Hat OpenStack Platform 16.1 on Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.

 Feed

Red Hat Security Advisory 2024-3466-03 - An update for the python39:3.9 and python39-devel:3.9 modules is now available for Red Hat Enterprise Linux 8. Issues addressed include denial of service and traversal vulnerabilities.

 Feed

Red Hat Security Advisory 2024-3331-03 - Red Hat OpenShift Container Platform release 4.14.27 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include HTTP request smuggling and denial of service vulnerabilities.

 Feed

Red Hat Security Advisory 2024-3327-03 - Red Hat OpenShift Container Platform release 4.15.15 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include HTTP request smuggling and denial of service vulnerabilities.

 Feed

Red Hat Security Advisory 2024-2728-03 - Updated container images are now available for director Operator for Red Hat OpenStack Platform 17.1 for RHEL 9.2. Issues addressed include a denial of service vulnerability.

 Feed

The U.S. Department of Justice (DoJ) on Wednesday said it dismantled what it described as "likely the world's largest botnet ever," which consisted of an army of 19 million infected devices that was leased to other threat actors to commit a wide array of offenses. The botnet, which has a global footprint spanning more than 190 countries, functioned as a residential proxy service known as 911 S5.

 Feed

Okta is warning that a cross-origin authentication feature in Customer Identity Cloud (CIC) is susceptible to credential stuffing attacks orchestrated by threat actors. "We observed that the endpoints used to support the cross-origin authentication feature being attacked via credential stuffing for a number of our customers," the Identity and access management (IAM) services provider said. The

 Feed

Security leaders are in a tricky position trying to discern how much new AI-driven cybersecurity tools could actually benefit a security operations center (SOC). The hype about generative AI is still everywhere, but security teams have to live in reality. They face constantly incoming alerts from endpoint security platforms, SIEM tools, and phishing emails reported by internal users. Security

 Feed

Europol on Thursday said it shut down the infrastructure associated with several malware loader operations such as IcedID, SystemBC, PikaBot, SmokeLoader, Bumblebee, and TrickBot as part of a coordinated law enforcement effort codenamed Operation Endgame. "The actions focused on disrupting criminal services through arresting High Value Targets, taking down the criminal infrastructures and

 Feed

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a security flaw impacting the Linux kernel to the Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. Tracked as CVE-2024-1086 (CVSS score: 7.8), the high-severity issue relates to a use-after-free bug in the netfilter component that permits a local attacker to elevate privileges

 Feed

Cloudflare on Thursday said it took steps to disrupt a month-long phishing campaign orchestrated by a Russia-aligned threat actor called FlyingYeti targeting Ukraine. "The FlyingYeti campaign capitalized on anxiety over the potential loss of access to housing and utilities by enticing targets to open malicious files via debt-themed lures," Cloudflare's threat intelligence team Cloudforce One

 Feed

A previously undocumented cyber espionage-focused threat actor named LilacSquid has been linked to targeted attacks spanning various sectors in the United States (U.S.), Europe, and Asia as part of a data theft campaign since at least 2021. "The campaign is geared toward establishing long-term access to compromised victim organizations to enable LilacSquid to siphon data of interest to

 Feed

The threat actors behind the RedTail cryptocurrency mining malware have added a recently disclosed security flaw impacting Palo Alto Networks firewalls to its exploit arsenal. The addition of the PAN-OS vulnerability to its toolkit has been complemented by updates to the malware, which now incorporates new anti-analysis techniques, according to findings from web infrastructure and security

 Feed

Cybersecurity researchers have warned that multiple high-severity security vulnerabilities in WordPress plugins are being actively exploited by threat actors to create rogue administrator accounts for follow-on exploitation. "These vulnerabilities are found in various WordPress plugins and are prone to unauthenticated stored cross-site scripting (XSS) attacks due to inadequate input sanitization

 Data loss

Microsoft gets itself into a pickle with a privacy-popping new feature on its CoPilot+ PCs, the FTC warns of impersonated companies, and is your company hiring North Korean IT workers? All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by author, journalist, and podcaster Geoff White.

2024-05
Aggregator history
Thursday, May 30
WED
THU
FRI
SAT
SUN
MON
TUE
MayJuneJuly