While the new-generation Xbox One consoles have been out for a while, until recently there weren't any softmods (software modifications that make a system behave differently) available to users. That has seemingly changed, as an individual has revealed the existence of a kernel-level exploit along with a limited proof of concept. The method uses an easily available app called 'Game Script' present on the Microsoft Store.

'Game Script' Xbox Console Kernel-Level Exploit

carrot_c4k3, the individual behind the discovery, disclosed on X that the exploit, which is not a jailbreak, works against the System OS software that exists on newer Xbox consoles such as the Xbox One. System OS exists to enable developers to run a wide variety of applications on these consoles through the use of virtualization technology; applications downloaded from the Microsoft Store run on this layer. Xbox users can typically gain access to this environment by enabling developer mode on their consoles. However, carrot_c4k3 stated that while the exploit allows full control over VM homebrews on a retail Xbox, it does not enable the use of pirated software.

The method currently relies on the Game Script UWA application available on the Microsoft Store, which allows users to run and execute custom languages on the devices. The exploit consists of two components:

- User mode: the initial steps, in which the user gains native code execution in the context of UWP (Microsoft Store) applications.
- Kernel exploit: in this step the user exploits a kernel vulnerability on these devices to gain full read/write permissions, which would then enable them to elevate the privileges of a particular running process.

The proof-of-concept exploit shared on GitHub is currently limited to the context of UWP apps, which are more 'locked down.' However, carrot_c4k3 shared their intent to release another exploit for Xbox One/Series X consoles by next month that would allow full kernel-level read/write access within the System OS environment. The full exploit is stated to rely on leaks from the 'NtQuerySystemInformation' component, which are not available to UWP apps. Hence, the user is developing an alternative exploit that does not rely on UWP apps.

The exploit allows users to bypass the fees required to enable developer mode on Xbox consoles, and grants them the ability to modify game save data on the devices, but does not allow for modding of the games themselves. The modder also discussed the possibility of using the exploit to run 'simple emulators' for games intended for older devices. carrot_c4k3 admitted that the exploit could potentially be detected by Microsoft, and recommended performing it on a dedicated offline console instead.

Exploit Might Have Been Patched In Newer Xbox Firmware Versions

A set of steps to be performed for the hack was shared on the Xbox One Research GitHub page:

1. Ensure your Xbox Live account Login-Type is configured as "No barriers", aka. auto-login with no password prompt.
2. Set your console as "Home Console" for this account.
3. Download the app Game Script.
4. Start the app (to ensure the license is downloaded/cached).
5. Take your console offline! To make extra sure it cannot reach the internet, set a manual primary DNS address of 127.0.0.1.
6. Get a device/microcontroller that can simulate a keyboard (rubber ducky or similar); otherwise you have to type a lot manually :D

The page states that the exploit is "likely to be patched soon (in next System Update)." A thread on GBAtemp.net, a forum for discussing various video game platforms, stated that the latest firmware update for the Xbox One console has reportedly already patched the exploit, making firmware 10.0.25398.4478 the last exploitable version.

While the full consequences of this exploit and the one still to be shared are unknown, it highlights the interest that console players have in bypassing manufacturer-intended device limits.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
ValleyRAT, a notorious remote access trojan (RAT) with origins traced back to early 2023, has resurfaced with a vengeance. Designed with the malicious intent to infiltrate and seize control of systems, this Chinese threat actor-backed malware continues to evolve, presenting new challenges to cybersecurity experts worldwide.

According to Zscaler ThreatLabz's research, a new campaign orchestrated by a China-based threat actor unleashed the latest iteration of ValleyRAT. This threat campaign, characterized by its multi-stage approach, utilizes various tactics to ensnare unsuspecting victims.

ValleyRAT and the Intricate Attack Chain

[Image] Source: ValleyRAT Infection Chain

At the heart of this campaign lies ValleyRAT's intricate attack chain. It begins with an initial-stage downloader leveraging an HTTP File Server (HFS) to procure essential files for subsequent stages. Employing anti-virus checks, DLL sideloading, and process injection techniques, the downloader and loader navigate through defenses to ensure execution.

The campaign's technical analysis unveils the mechanisms employed by ValleyRAT. From XOR and RC4 decryption to dynamic API resolving, every step is crafted to obfuscate its malicious intentions. The malicious DLLs and shellcodes deployed in subsequent stages further attest to the threat actor's ingenuity.

Persistence is key to ValleyRAT's longevity on compromised systems. By manipulating autorun keys and concealing file attributes, the malware ensures its survival, ready to execute its operations at a moment's notice.

Evolution of ValleyRAT

The latest variant of ValleyRAT boasts significant enhancements. From refined device fingerprinting capabilities to a revamped bot ID generation process, the malware is more adept at blending into its environment and evading detection. Moreover, the introduction of new commands expands its arsenal, giving threat actors greater control over infected systems.

Mitigating ValleyRAT's threat requires a multi-faceted approach. Leveraging advanced threat detection mechanisms like Zscaler Cloud Sandbox is essential. Additionally, staying vigilant and leveraging threat intelligence to identify and thwart emerging threats is paramount in safeguarding against ValleyRAT's onslaught.

As ValleyRAT continues to evolve, so must our defenses. With each iteration, online threats become more complex, necessitating proactive measures to counter emerging threats effectively. By staying informed and leveraging cutting-edge cybersecurity solutions, organizations can fortify their defenses and mitigate the risks posed by ValleyRAT and similar threats.
Switzerland has seen a notable increase in cyberattacks and disinformation campaigns as it prepares to host a crucial summit aimed at creating a pathway for peace in Ukraine. On Monday, the government reported these developments in a press conference, highlighting the challenges of convening a high-stakes international dialogue amidst rising digital threats.

The summit, the Summit on Peace in Ukraine, is scheduled at a resort near Lucerne from June 15-16, and will gather representatives from 90 states and organizations. About half of the participants come from South America, Asia, Africa, and the Middle East. Notably absent from the attendee list is Russia, which was not invited due to its lack of interest in participating. However, the Swiss government emphasized that the summit's goal is to "jointly define a roadmap" to eventually include both Russia and Ukraine in a future peace process.

Swiss President Viola Amherd addressed the media, acknowledging the uptick in cyberattacks and disinformation efforts leading up to the event. These cyberattacks have targeted various facets of the summit, including personal attacks on President Amherd herself, particularly in Russian media outlets publicized within Switzerland. "We haven't summoned the ambassador," Amherd stated in response to these attacks. "That's how I wanted it because the disinformation campaign is so extreme that one can see that little of it reflects reality."

Switzerland Disruption Efforts and Cybersecurity

Foreign Minister Ignazio Cassis also spoke at the press conference, noting a clear "interest" in disrupting the talks. However, he refrained from directly accusing any particular entity, including Russia, when questioned about the source of the cyberattacks. This restraint highlights the delicate diplomatic balancing act Switzerland is attempting as host.

Switzerland agreed to host the summit at the behest of Ukrainian President Volodymyr Zelenskyy and has been actively seeking support from countries with more neutral or favorable relations with Moscow compared to leading Western powers. This strategic outreach aims to broaden the coalition backing the peace efforts and mitigate the polarized dynamics that have characterized the conflict thus far.

Agenda and Key Issues

The summit will address several critical areas of international concern, including nuclear and food security, freedom of navigation, and humanitarian issues such as prisoner of war exchanges. These topics are integral to the broader context of the Ukraine conflict and resonate with the international community's strategic and humanitarian interests.

Turkey and India are confirmed participants, though their representation level remains unspecified. There is still uncertainty regarding the participation of Brazil and South Africa. Switzerland noted that roughly half of the participating countries would be represented by heads of state or government, highlighting the summit's high profile and potential impact.

The summit aims to conclude with a final declaration, which ideally would receive unanimous backing. This declaration is expected to outline the next steps in the peace process. When asked about potential successors to Switzerland in leading the next phase, Foreign Minister Cassis indicated ongoing efforts to engage regions beyond the Western sphere, particularly the Global South and Arabian countries. Such inclusion could foster a more comprehensive and globally supported peace initiative.

To Wrap Up

The summit represents a significant diplomatic effort to address the Ukraine conflict. However, the surge in cyberattacks on Switzerland and disinformation campaigns highlights the complexities of such high-stakes international dialogue. In March 2024, Switzerland's district court in the German-speaking district of March, home to around 45,000 residents, fell victim to a cyberattack. While details are scarce, the court's website suggests it could potentially be a ransomware attack. As Switzerland navigates these challenges, the outcomes of this summit could set important precedents for future peace efforts and international cooperation.
Cisco, a global leader in networking and cybersecurity solutions, has announced the appointment of Sean Duca as its new Chief Information Security Officer (CISO) & Practice Leader for the Asia Pacific, Japan, and China (APJC) region.

Sean, in his LinkedIn post, expressed his excitement about joining Cisco after taking a six-month break to focus on his health and recharge. He shared his enthusiasm for the new challenge ahead, working within Cisco's Customer Experience (CX) Team for APJC and eventually relocating to Singapore. "After an amazing 6-month break to recharge and focus on my health, I'm thrilled to embark on a new and exciting challenge at Cisco, working in the CX Team for APJC, and will eventually be based in Singapore," reads the LinkedIn post.

On his first day at Cisco, Sean expressed his eagerness to collaborate with Jacqueline Guichelaar and the broader CX team, as well as reconnecting with former colleagues, including Peter M. Sean's decision to join Cisco was influenced by the opportunity to work with remarkable individuals, such as Jeetu Patel, and to contribute to innovative solutions like Cisco's Hypershield. "Day 1 is done, and loving it! I am excited to work with Jacqueline Guichelaar and the wider CX team and to reconnect and work alongside Peter M. again," reads the post.

[Image] Source: Sean Duca's LinkedIn Post

Sean Duca's Vast Experience

Sean brings over 20 years of experience in cybersecurity to his new role, with a proven track record of driving visionary strategies and practical solutions to enhance digital security. Sean's extensive background includes nearly nine years at Palo Alto Networks, where he served as Vice President and Regional Chief Security Officer (CSO) for the APJ region. Before that, he spent over 15 years at Intel Security, serving as the Chief Technology Officer (CTO) for the Asia Pacific region. His leadership in technology and security has made a significant impact in the industry.

Reflecting on his new role at Cisco, Sean emphasized his commitment to helping customers achieve their security and business goals while extracting value from their Cisco investments. He expressed his eagerness to reconnect with partners and contacts in his soon-to-be new country, Singapore, highlighting his dedication to driving cybersecurity excellence across the region. "What drew me to Cisco? I've met incredible people, Jeetu Patel's visionary strategy, and the innovation behind solutions like Cisco's Hypershield. I can't wait to reconnect with partners, new and old, and many contacts in my soon-to-be new country when I move up next month. Most importantly, I'm eager to help our customers achieve their security and business goals, proving our value and extracting value from their Cisco investment," reads the post further.

With his renewed focus and energy, Sean's appointment is poised to lead Cisco's efforts to elevate performance in the cybersecurity world across APJC.
Researchers have discovered a new phishing campaign in which threat actors distribute the Remcos RAT malware within UUEncoding (UUE) file attachments in emails purporting to be about importing or exporting shipments. The UUEncoding (UUE) file attachments are compressed with Power Archiver, a proprietary, cross-platform archive utility that supports both Windows and macOS.

Use of UUEncoding (UUE) Files to Distribute Remcos RAT Malware

Researchers from AhnLab discovered that the threat actors behind the campaign use UUEncoding files with a .UUE extension, which are designed to encode binary data in plain text format. These files are suitable for attachment to e-mail or Usenet messages. The malicious .UUE files encode a VBS script attached to the phishing emails. The threat actors seem to have leveraged the file format and encoding technique in an attempt to bypass detection.

[Image] Source: asec.ahnlab.com

When decoded, the VBS script is obfuscated, making it difficult for researchers to analyze. The script saves a PowerShell script into the %Temp% directory and executes it. The running script then downloads the Haartoppens.Eft file, which executes an additional PowerShell script. This script is also obfuscated and is designed to load a shellcode into the wab.exe process.

[Image] Source: asec.ahnlab.com

The shellcode maintains persistence by adding a registry key to the infected system, and then accesses a remote C&C server to load additional instructions. The instructions ultimately download the Remcos RAT malware for execution on the infected system.

Remcos RAT Malware

The Remcos RAT collects system information from infected systems and stores keylogging data in the %AppData% directory. The malware then sends this data to the remote command-and-control (C&C) server, which is hosted through a DuckDNS domain.

[Image] Source: asec.ahnlab.com

Remcos is a commercial remote access tool (RAT) that is advertised as a legitimate tool, but has been observed in numerous threat actor campaigns. Successful loading of Remcos opens a backdoor on targeted systems, allowing for complete control.

The researchers have shared the following indicators to help detect and stop this campaign:

IOCs (Indicators of Compromise)
- b066e5f4a0f2809924becfffa62ddd3b (Invoice_order_new.uue)
- 7e6ca4b3c4d1158f5e92f55fa9742601 (Invoice_order_new.vbs)
- fd14369743f0ccd3feaacca94d29a2b1 (Talehmmedes.txt)
- eaec85388bfaa2cffbfeae5a497124f0 (mtzDpHLetMLypaaA173.bin)

File Detection
- Downloader/VBS.Agent (2024.05.17.01)
- Data/BIN.Encoded (2024.05.24.00)

C&C (Command & Control) Servers
- frabyst44habvous1.duckdns[.]org:2980:0
- frabyst44habvous1.duckdns[.]org:2981:1
- frabyst44habvous2.duckdns[.]org:2980:0

The researchers also shared the following general recommendations to avoid similar phishing campaigns:
- Refrain from accessing emails from unknown sources.
- Refrain from running or enabling macro commands when accessing downloaded attachment files. Users can set programs to the highest levels of security, as lower levels may automatically execute macro commands without displaying any notification.
- Update anti-malware engines to their latest versions.

The UUE file format has previously been used in several malicious campaigns due to its ability to evade detection by security tools, with a researcher previously discovering a UUEncode vulnerability in the main Python program.
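Two checks a defender can run against this campaign follow directly from the report above: decode the UUE container to see what the attachment really carries, and match resolver logs and file hashes against the published C&C hosts and MD5 values. The Python below is an added example written for this article; it is not code from AhnLab or The Cyber Express. It implements the UUE framing itself (a `begin mode name` line, 45-byte groups decoded with `binascii.a2b_uu`, an `end` line), flags script extensions and script markers in the decoded body, and matches constructed DNS log lines and hashes against the IOCs quoted in the article. The sample VBScript body, the file name `sample_invoice.vbs`, the log lines and the client addresses are all constructed for the example; only the hashes, file names and C&C host names come from the IOC list.

```python
import binascii
import hashlib
import re

# Constructed sample attachment body: a harmless VBScript, not the campaign's script.
SAMPLE_VBS = (
    b'Set sh = CreateObject("WScript.Shell")\r\n'
    b'WScript.Echo "sample only"\r\n'
)


def uuencode(name: str, data: bytes, mode: str = "644") -> str:
    """Wrap raw bytes in a UUE container: begin line, 45-byte groups, '`' terminator, end."""
    lines = [f"begin {mode} {name}"]
    for off in range(0, len(data), 45):
        lines.append(binascii.b2a_uu(data[off:off + 45]).decode("ascii").rstrip("\n"))
    lines += ["`", "end"]
    return "\n".join(lines) + "\n"


def uudecode(text: str) -> tuple[str, bytes]:
    """Return (declared file name, decoded bytes) from a UUE container."""
    lines = text.splitlines()
    start = next((i for i, ln in enumerate(lines) if ln.startswith("begin ")), None)
    if start is None:
        raise ValueError("no 'begin' line: not a UUE container")
    header = lines[start].split(" ", 2)
    name = header[2] if len(header) == 3 else ""
    out = bytearray()
    for line in lines[start + 1:]:
        if line == "end":
            break
        if line.strip():
            out += binascii.a2b_uu(line)  # first character of each line carries the group length
    return name, bytes(out)


# Extensions and body markers that a mail gateway should treat as executable content.
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".ps1", ".bat", ".cmd", ".hta", ".exe", ".scr")
SCRIPT_MARKERS = (b"createobject(", b"wscript.shell", b"powershell", b"<script")


def inspect_uue_attachment(text: str) -> dict:
    """Decode a UUE attachment and report why it should be held for review."""
    name, data = uudecode(text)
    findings = []
    if name.lower().endswith(SCRIPT_EXTENSIONS):
        findings.append(f"scriptable extension: {name}")
    hits = [m.decode() for m in SCRIPT_MARKERS if m in data.lower()]
    if hits:
        findings.append("script markers: " + ", ".join(hits))
    return {"name": name, "size": len(data),
            "md5": hashlib.md5(data).hexdigest(), "findings": findings}


# IOCs as quoted in the article (MD5 -> file name; C&C hosts kept defanged as published).
KNOWN_MD5 = {
    "b066e5f4a0f2809924becfffa62ddd3b": "Invoice_order_new.uue",
    "7e6ca4b3c4d1158f5e92f55fa9742601": "Invoice_order_new.vbs",
    "fd14369743f0ccd3feaacca94d29a2b1": "Talehmmedes.txt",
    "eaec85388bfaa2cffbfeae5a497124f0": "mtzDpHLetMLypaaA173.bin",
}
C2_HOSTS_DEFANGED = ("frabyst44habvous1.duckdns[.]org", "frabyst44habvous2.duckdns[.]org")


def refang(host: str) -> str:
    """Turn a defanged indicator back into a comparable lower-case host name."""
    return host.replace("[.]", ".").lower()


C2_HOSTS = {refang(h) for h in C2_HOSTS_DEFANGED}

# Constructed resolver log lines (not real telemetry); one benign query in the middle.
DNS_LOG = [
    "2024-06-11T10:01:02Z client=10.0.0.21 query=FRABYST44HABVOUS1.duckdns.org type=A",
    "2024-06-11T10:01:05Z client=10.0.0.21 query=update.example.net type=A",
    "2024-06-11T10:02:17Z client=10.0.0.33 query=frabyst44habvous2.duckdns.org type=A",
]
QUERY_RE = re.compile(r"query=(\S+)")
CLIENT_RE = re.compile(r"client=(\S+)")


def match_c2_queries(log_lines) -> list:
    """Return (client, host) pairs whose DNS query names a listed C&C host."""
    hits = []
    for line in log_lines:
        q = QUERY_RE.search(line)
        c = CLIENT_RE.search(line)
        if q and refang(q.group(1)) in C2_HOSTS:
            hits.append((c.group(1) if c else "?", refang(q.group(1))))
    return hits


def match_hash(md5: str):
    """Return the IOC file name for a known MD5, or None."""
    return KNOWN_MD5.get(md5.lower())


if __name__ == "__main__":
    container = uuencode("sample_invoice.vbs", SAMPLE_VBS)
    print(inspect_uue_attachment(container))
    print(match_c2_queries(DNS_LOG))
    print(match_hash("b066e5f4a0f2809924becfffa62ddd3b"))
```

The decoder deliberately reads the file name from the `begin` line rather than trusting the outer attachment name, since the container's declared name is what a client will write to disk; the marker scan is case-insensitive because the article notes the real script is obfuscated, so extension and marker checks are a triage signal, not a verdict.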
The NoName ransomware group has claimed responsibility for yet another cyberattack targeting government websites in Germany. The proclamation of the attack comes just 11 days after the group is said to have targeted German entities such as Energie Baden-Württemberg AG, Leistritz AG, and Aareal Bank AG. In this latest attack, the group allegedly targeted the Federal Office for Logistics and Mobility and the Federal Ministry of the Interior and Community.

NoName allegedly carried out a DDoS (Distributed Denial-of-Service) attack, preventing other users from accessing the websites. In the message posted on a dark web forum on Tuesday, NoName claimed that the attack on German websites was to condemn the visit of Ukrainian President Volodymyr Zelenskyy to the country to participate in a conference on Ukraine's post-war recovery.

"Ukrainian President Volodymyr Zelenskyy arrived in Germany late in the evening on Monday, June 10, to take part in an international conference on Ukraine's reconstruction. In his message in Telegram, Zelenskyy said that during his visit he had meetings with German Federal President Frank-Walter Steinmeier, Chancellor Olaf Scholz and Bundestag chairwoman Berbel Bas," NoName said. "We decided to visit the conference too, and crush some websites," it added.

Despite the hack, NoName has not provided elaborate evidence or context for the cyberattack, nor has it provided any details of how the German websites would be affected. While many experts had previously warned people not to underestimate threat actors who carry out DDoS attacks, their effectiveness remains a big question, as most of the targets suffer only a few hours of downtime before returning to normal operations. As of the writing of this report, there has been no response from officials of the alleged target websites, leaving the claims unverified.

Previous Instances of NoName Ransomware Attacks

Since first emerging on the dark web in March 2022, shortly after Russia's invasion of Ukraine, the pro-Russian hacker group NoName has been increasingly active. The group has taken responsibility for a series of cyberattacks targeting government agencies, media outlets, and private companies across Ukraine, the United States, and Europe.

Before making the claim of targeting German websites, NoName had a history of targeting prominent organizations in other countries. In April 2024, the group allegedly launched a cyberattack on Moldova, affecting key government websites such as the Presidency, Ministry of Foreign Affairs, Ministry of Internal Affairs, and the State Registry. These websites were rendered inaccessible, displaying the message, "This Site Can't be Reached." The attack hinted at a politically motivated agenda, though NoName did not explicitly disclose their motives.

In March 2024, NoName targeted multiple websites in Denmark, including significant entities like Movia, Din Offentlige Transport, the Ministry of Transport, Copenhagen Airports, and Danish Shipping. Similarly, in January 2024, the group attacked high-profile websites in the Netherlands, including OV-chipkaart, the Municipality of Vlaardingen, the Dutch Tax Office (Belastingdienst), and GVB.

More recently, NoName's cyber onslaught on Finland raised further alarms. Finnish government organizations, including Traficom, the National Cyber Security Centre Finland (NCSC-FI), The Railways, and the Agency for Regulation and Development of Transport and Communications Infrastructure, faced temporary inaccessibility due to DDoS attacks.

The ongoing cyberattacks by NoName across several countries serve as a reminder of the perils of the digital landscape. The operations of NoName ransomware, combined with their alleged political motives, highlight the urgent need for enhanced cybersecurity measures and international cooperation. The cybersecurity community must remain vigilant and proactive in protecting digital infrastructure from such malicious actors.
Recent cyber espionage activities have illuminated the pervasive threat posed by the China-linked hacking group Mustang Panda, as it strategically targets Vietnamese entities. Analysis by Cyble Research and Intelligence Labs (CRIL) reveals the sophisticated tactics employed by the Mustang Panda Advanced Persistent Threat (APT) in infiltrating government bodies, nonprofits, and educational institutions, among others.

Mustang Panda, with its roots in China, operates with alarming precision, potentially indicating state-affiliated cyberespionage efforts. The group's reach extends beyond Vietnam, targeting organizations across the U.S., Europe, and various Asian regions, including Mongolia, Myanmar, Pakistan, and more.

Researchers Unravel Mustang Panda Campaign

CRIL's scrutiny of recent attacks in Vietnam uncovers a pattern of deception, with Mustang Panda employing lures centered around tax compliance and the education sector. The campaigns exhibit a multi-layered approach, leveraging legitimate tools like forfiles.exe to execute malicious files hosted remotely. Furthermore, the group harnesses PowerShell, VBScript, and batch files to advance its operations, demonstrating a nuanced understanding of cybersecurity evasion tactics.

One notable aspect of Mustang Panda's modus operandi is the ingenious embedding of partial lure documents within malicious LNK files, aimed at thwarting detection measures. By blending elements of the lure directly into the files, the hackers increase their payload's size while evading traditional security protocols.

The intricacy of Mustang Panda's attacks is exemplified by its use of DLL sideloading techniques to execute malicious code on victim systems. By exploiting vulnerabilities in legitimate executables, the group establishes persistence and opens pathways for further infiltration.

Recent findings also shed light on Mustang Panda's persistent activities since at least 2014, with documented engagements ranging from governmental targets to NGOs. Notably, a campaign in April 2017 targeting a U.S.-based think tank revealed distinctive tactics indicative of the group's extensive reach and operational longevity.

Mustang Panda Targets Vietnamese Organizations

In the most recent campaign observed in May 2024, Mustang Panda set its sights on Vietnamese entities with lures related to tax compliance, following a similar approach in April 2024, which targeted the education sector. Both campaigns were initiated with spam emails containing malicious attachments, showcasing the group's adaptability in exploiting topical themes to maximize success rates.

Technical analysis of the May 2024 campaign unveils the group's sophisticated maneuvering, including the use of double extensions in malicious files to mask their true nature. This campaign's payload, disguised as a PDF document, conceals a series of PowerShell commands aimed at downloading and executing further malicious scripts from remote servers.

DLL sideloading emerges as a recurrent theme, with Mustang Panda leveraging legitimate executables to cloak their malicious activities. By camouflaging their actions within routine system processes, the hackers minimize the risk of detection while maintaining access to compromised systems.

The Mustang Panda campaigns highlight the growing threat of cybercriminals, characterized by increasingly sophisticated methodologies. By exploiting vulnerabilities in common software and leveraging social engineering techniques, the group demonstrates a formidable capacity to infiltrate and persist within targeted networks.
In a massive breakthrough, an exclusive news report published by The Cyber Express has led to the arrest of a hacker who threatened to sell sensitive data of 200,000 citizens of Telangana State in India. The Hawk Eye app data breach was reported by The Cyber Express on May 31, 2024, in a story that described how a hacker claimed to reveal personal information of users of Hawk Eye, a popular citizen-friendly app of the Telangana State police.

[Image] Source: Hawk Eye App on Android

The Telangana Police further acknowledged that the news report on The Cyber Express gave them crucial leads that led to the arrest of the hacker. In the First Information Report (FIR), a written document prepared by the police in India to detail a cognizable offence, the Telangana Police revealed that it was based exclusively on this report by The Cyber Express that they were also able to verify the data breach on the Hawk Eye app.

Background of Hawk Eye App Data Breach

The Hawk Eye app was launched by the Telangana Police in December 2014 for both Android and iPhone users as part of its initiative to become a citizen-friendly and responsive police force. Denizens were encouraged to use the app to report on a wide range of activities, including traffic violations, passing on information about criminals, violations by police, and crime against women, and also to pass on suggestions to the lawmen for improved policing and to credit the good work done by them. A key feature of the app is the SOS button for accessing help in case of emergencies.

On May 29, 2024, a threat actor who goes by the name "Adm1nFr1end" revealed that he had breached the Hawk Eye app. He shared that the stolen database had sensitive data of over 200,000 citizens, including their Personally Identifiable Information (PII): names, email addresses, phone numbers, physical addresses, IMEI numbers, and location coordinates. The threat actor had posted samples of the data breach on the hacking website BreachForums and was selling this compromised data for USD 150.

[Image] Source: X

Arrest of Hawk Eye App Data Breach Hacker

In the aftermath of the news report published on this website, the Telangana Police registered a suo moto case on June 4. "We have registered a case and are investigating the hacking allegations and suspected data breach," said Telangana Cyber Security Bureau (TGCSB) Director Shikha Goel.

On June 9, the Telangana Police reported that its Cyber Security Bureau had apprehended a hacker involved in the Hawk Eye app data breach. "Acting swiftly, the TGCSB investigators travelled to Delhi, where they identified and arrested the hacker, who had claimed to have posted the compromised data on a public platform for a price," the police said in a statement.

Sharing details of the arrest, Director General of Police of Telangana Police, Ravi Gupta, who is the top cop of the state, said that the police had used advanced tools to successfully unveil the hacker's identity. He, however, refrained from elaborating on the techniques used to arrest the hacker to ensure secrecy. "The hacker had posted details of the breach on databreachforum.st, offering the compromised data for sale at $150 USD. He provided the Telegram IDs "Adm1nfr1end" and "Adm1nfr1ends" for interested buyers to contact him regarding the Hawk Eye data," Ravi said.

The alleged hacker was identified as Jatin Kumar, a 20-year-old student and a resident of Greater Noida, a prominent suburb in Delhi's National Capital Region. The police also shared that he was arrested earlier in a case for cybersecurity fraud.

(This is Part 1 of the article. Click here to learn more about the hacker, why he was selling the data and how the police tracked him down)
In the first part of our series, we disclosed how an exclusive report by The Cyber Express played a pivotal role in the arrest of the hacker responsible for the Hawk Eye app data breach in India. In this second article, we highlight the methods employed by the police to track down the hacker, explore his motives, and discuss the future direction of the investigation.

Hawk Eye App Data Breach: Who is the hacker?

The breach of the Hawk Eye app, a crime reporting forum for citizens in the Indian state of Telangana, was unearthed after a threat actor who goes by the name "Adm1nFr1end" offered the personal data of over 200,000 citizens for sale on the BreachForums online hacker site. The hacker shared sample data containing names, email addresses, phone numbers, physical addresses, and location coordinates.

Soon after The Cyber Express reported the incident on May 31, the Telangana Police registered a suo moto case just days later on June 4. In its First Information Report (FIR), a written document prepared by the police in India to detail a cognizable offense, the police in Telangana acknowledged The Cyber Express report and confirmed that the app had been breached.

Meanwhile, the hacker "Adm1nFr1end" continued his spree of cyberattacks and on June 5 breached another app of the Telangana Police called TSCOP, which held data on police officers, criminals and gun license holders. The police quickly got into the act, and a team of investigators from the Telangana Cyber Security Bureau (TG-CSB) tracked down the accused hacker in Greater Noida, a prominent suburb close to the nation's capital, New Delhi. The accused was identified as Jatin Kumar, a 20-year-old undergraduate student pursuing a BCA (Bachelor of Computer Applications).

Hacker Planned Cyberattacks on More Indian Cities

An investigating officer from the Telangana Police, who did not wish to be named, told The Cyber Express that, "Accused Jatin had initiated comprehensive monitoring and vulnerability assessment & penetration testing (VAPT) not only from the Telangana Police but also gained access to police data in the external and internal storage networks and mobile apps in Delhi, Mumbai and other metro cities. He planned to carry out cyberattacks on those cities as well.

"As far as Telangana police data is concerned, prima facie, it looks like the accused gained access to certain data on Hawk Eye app due to weak or compromised password. Despite his best efforts to mask his identity, we tracked him down," the police source stated.

Without revealing much, the source in the Telangana Police said that the TG-CSB traced him by "running a parallel operation using advanced software and social engineering techniques." The police added that Jatin used a fake identity and conducted transactions in cryptocurrency using multiple addresses. Investigation revealed that the accused had reportedly been into hacking since 2019 and had saved the breached data on his system.

Jatin had a history of alleged cybercrimes and was previously arrested in 2023 in New Delhi for leaking data on Aadhaar (a biometric identity card for Indian citizens) and sensitive data related to other agencies. However, a chargesheet has yet to be filed against him.

Hawk Eye App Data Breach: A Larger Network of Hackers?

Despite the arrest of Jatin, the police are now investigating the possible involvement of a larger network of hackers. "Jatin had posted the breached data on BreachForums and was selling it for $150 USD. He then asked interested buyers to contact him through Telegram IDs 'Adm1nfr1end' and 'Adm1nfr1ends' to purchase the data for HawkEye and TSCOP apps. But we are not sure if he is the only culprit. We are now probing if the app data was sold and if so, are tracking down the purchasers through data from crypto wallets," the police official told The Cyber Express.

The Telangana Police are still currently in New Delhi and are completing the paperwork to bring the accused on a transit remand to Hyderabad (the capital of Telangana) for custody and further investigation.
Recent high-profile data leaks, including incidents involving Santander and Ticketmaster, have highlighted the ongoing issue of data breaches affecting a wide array of industries, from banking and logistics to online stores and entertainment. While companies typically take steps to protect their affected clients, individuals can also enhance their own digital security. Kaspersky experts offer advice on what to do if your data has been leaked.

Data leaks often involve logins, passwords, addresses, and phone numbers. In some cases, they may include passport details and bank card information. While any data leak is concerning, it’s crucial not to panic. Instead, pause and consider the necessary steps to secure your information.

Data Leak? Immediate Actions to Take

1. Change Compromised Account Details: If you suspect your account details have been compromised, immediately change your password and enable two-factor authentication. If cybercriminals have already accessed your account, contact technical support to restore access and determine what other information might have been compromised.

2. Address and Phone Number Leaks: If sensitive data such as your address or phone number is leaked, it is usually not critical but still concerning. A leaked address typically doesn’t pose a threat unless it leads to targeted attacks like stalking. In such rare cases, contact the police promptly. For a leaked phone number, ensure accounts using that number as a login have two-factor authentication, change your password, and remain vigilant for potential fraud calls.

3. Passport or ID Leaks: If your passport or ID details are leaked, stay alert for potential social engineering attacks. Scammers might use your passport details to appear more credible. However, there is usually no need to obtain a new document. Using leaked passport data for fraud, such as taking out a loan, requires additional personal information and substantial criminal expertise. To mitigate future risks, avoid giving away your passport details unnecessarily—they are primarily needed for banking and e-government apps, and occasionally logistics services.

4. Bank Card Details: Act promptly if your bank card details are leaked: monitor bank notifications, reissue the card, and change your bank app or website password. Enable two-factor authentication and other verification methods. Some banks allow setting spending limits for added protection. If account and balance details are leaked, be extra vigilant against phishing emails, SMS, and calls, as cybercriminals might target you based on this information. In unclear situations, contact your bank directly.

5. Organizational Security Measures: Various types of leaked employee data can be used for OSINT (open-source intelligence) to gain further access to internal systems. To counter these threats, organizations are advised to use advanced security solutions, implement strong cybersecurity policies, and conduct employee training.

6. Educating and Protecting Against Social Engineering: Amin Hasbini, Director of the META Research Center, Global Research and Analysis Team (GReAT) at Kaspersky, emphasizes the importance of being aware of data leakage risks and avoiding oversharing. He advises educating relatives, especially children and the elderly, about the dangers of social engineering attacks. "A crucial thing also is to educate your relatives, especially kids and elderly people. For example, explain that if someone refers to personal information, such as full name and even passport details, by telephone, messengers, social networks or e-mail, it’s not necessarily the bank or social service representatives, but might be scammers. In personal issues it’s advised to have a code word or question that only relatives know, while with organizations if some actions are required it’s better to use official contact information for double checking,” says Hasbini.

As data breaches continue to affect various industries, individuals need to take proactive steps to secure their personal information. By following this expert advice, you can mitigate the risks associated with data leaks and protect yourself from potential cyber threats.
The INC Ransom group has allegedly targeted the building technology solutions provider ControlNET LLC. The ControlNET cyberattack on June 10, 2024, allegedly targeted the organization’s supply chain, and the group also asserted an intrusion at Rockford Public Schools. ControlNET, renowned for its expertise in HVAC, lighting, video surveillance, access control, and power solutions, is now facing an alleged attack by a hacker group. In its post, the group claims not only to have infiltrated ControlNET’s systems but also to have exposed sensitive information, including invoice details, building floor plans, email communications, and sample folders belonging to ControlNET and its clientele.

Understanding the ControlNET Cyberattack

If the claims hold, the ramifications of this breach extend beyond ControlNET, with operations disrupted and data compromised for the organization. However, the claims for this cyberattack on ControlNET have not been verified. The hacker group’s post on the dark web sheds light on its motives, citing ControlNET’s alleged negligence in safeguarding customer data.

(Image source: Dark Web)

“This company has taken very poor care of the data entrusted to them by its customers. In the course of a successful attack, we stole a huge amount of data. We also attacked the clients of this company ROCKFORD SCHOOL. Which we have access to thanks to CONTROL NET”, reads the threat actor post.

The leaked information highlights the urgent need for enhanced cybersecurity measures, particularly in industries like construction and education, where sensitive data is at stake.

Who is the INC Ransom Hacker Group?

The Cyber Express has reached out to the organization to learn more about this ControlNET cyberattack and the authenticity of the claims made by the threat actor. However, at the time of writing, no official statement or response has been received, leaving the claims for the cyberattack on ControlNET unverified. Moreover, the company’s website appears to be operational, suggesting that the attack may have targeted backend infrastructure rather than the front-end interface. The threat actor in this attack, INC Ransom, is a ransomware group that emerged in August 2023, employing double and triple extortion tactics on victims and leaking data on its blog. Victims, mainly from Western countries, face threats and coercion during negotiations, with evidence packs published to pressure payment. The group’s leak blog includes light and dark UI options, a feedback box, and a Twitter link. While similar to LockBit 3.0’s blog, INC Ransom does not charge for leaked data. Victims, spanning private sector businesses, a government organization, and a charity association, hail mostly from the United States and Europe, emphasizing the widespread impact of this cyber threat.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
The City of Cleveland, Ohio, has been hit by a cyberattack that has closed City Hall and other offices, but the city says essential services remain operational. The city hasn’t revealed the nature of the incident, but the Cleveland cyberattack is one of the highest-profile ones to date affecting a major U.S. municipality. In a recent update on X, the city said it is “still investigating the nature and scope of the incident. The City is collaborating with several key partners who provide expert knowledge and deep experience in this work.”

Cleveland Essential Services Functioning

City Hall and offices at Erieview Plaza are closed to the public and non-essential employees, but the city sought to reassure residents that key services and data remain safe. Emergency services such as 911, Police, Fire, and EMS are operational, along with other essential services such as water, pollution control, power services, ports and airports. The update said that “certain City data is confirmed to be unaffected, including: - Taxpayer information held by the CCA. - Customer information held by Public Utilities.” That still leaves other data sources that could be affected, however, such as city employees’ personal data. In its initial announcement on X, the city said, “We have shut down affected systems to secure and restore services. Emergency services and utilities are not affected. Updates will be provided as available.” The city hasn’t said whether the incident is ransomware or another type of cyberattack, but that will presumably be revealed in later updates. Cleveland itself is home to 362,000 residents, while the surrounding metropolitan area has a population of more than 2 million.

Cleveland Cyberattack Follows Wichita Ransomware; Healthcare Network Hit

Cleveland isn’t the biggest U.S. city to be hobbled by a cyberattack, as at least a few bigger cities have been hit by cyber incidents. The 394,000-resident city of Wichita, Kansas was hit last month by a ransomware attack linked to the LockBit ransomware group, but Baltimore was perhaps the biggest U.S. city hit by a cyberattack, in a crippling 2019 incident that closely followed an Atlanta cyberattack. All of that pales in comparison to the U.S. government, which was hit by more than 32,000 cybersecurity incidents in fiscal 2023, up 10% from fiscal 2022, according to a new White House report on federal cybersecurity readiness. Threat actors seemingly have no end of targets, as a healthcare network in Texas, Arkansas and Florida is also reporting recent cyber troubles for which the BlackSuit ransomware group is claiming responsibility. The Special Health Resources network posted a notice on its website (shown below) that states, “We are currently experiencing a network incident that has caused a temporary disruption to our phones and computer systems. During this time, we are STILL OPEN and ready to serve our patients and community!”

(Image: Special Health Resources website notice)

If Special Health’s troubles are linked to a cyberattack, it seems to have fared better than NHS London, which recently sustained far greater damage as cyber attackers seemingly abandoned long-standing pledges to avoid attacking healthcare systems.
The Underground Team ransomware group has allegedly claimed a cyberattack on Central Securities Corporation, asserting that it compromised a staggering 42.8 GB of sensitive data spanning decades of company history and containing a trove of confidential information. The scope of the Central Securities Corporation cyberattack reportedly encompasses a range of data from historical reports to personal correspondence and even passports of employees and their relatives. Such a comprehensive breach not only threatens the integrity of Central Securities Corporation but also poses a significant risk to the privacy and security of its employees and stakeholders.

Underground Team Ransomware Claims Central Securities Corporation Cyberattack

(Image source: Dark Web)

The aftermath of the Central Securities Corporation cyberattack is evident as the company’s website remains inaccessible, leaving concerned parties in the dark about the extent of the damage and the company’s response. Efforts to reach out to Central Securities Corporation have been impeded by the website’s downtime, exacerbating the sense of urgency surrounding the situation. The cybercriminals behind the Central Securities Corporation cyberattack have brazenly demanded nearly $3 million in ransom, further compounding the company’s woes. This incident highlights how ransomware strains like Underground Team leverage novel approaches to extort money and exploit sensitive data.

Researchers Highlight Underground Team Ransomware Group

Security experts from Cyble have previously warned of the growing prevalence of targeted attacks, where hackers tailor their strategies to infiltrate specific targets with devastating consequences. The emergence of new ransomware variants highlights the constant battle organizations face in safeguarding their digital assets against evolving threats. One such variant, the Underground Team ransomware, has caught the attention of researchers for its unique ransom note and sophisticated techniques. Offering more than just decryption services, the ransom note promises insights into network vulnerabilities and data recovery assistance, signaling a new level of sophistication in ransomware operations. Technical analysis of the ransomware reveals intricate mechanisms employed to identify and encrypt system files, demonstrating the attackers’ proficiency in exploiting vulnerabilities. By selectively targeting files and directories while bypassing certain extensions and folders, the ransomware achieves its malicious objectives with alarming efficiency.

As for the cyberattack on Central Securities Corporation, this is an ongoing story and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on the alleged Central Securities Corporation cyberattack or any official confirmation from the organization.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
Both the clearnet domain and the onion darkweb domain of the infamous BreachForums appear to be down, in a move that has confused both security researchers and cybercriminals. Attempting to visit these sites leads to a '502 Bad Gateway' error. While the site has suffered several disruptions due to law enforcement attempts to take it down, no direct connection to law enforcement activity has been made so far.

BreachForums Down with '502 Bad Gateway' Error

BreachForums had earlier faced an official domain seizure by the FBI in a coordinated effort with various law enforcement agencies. However, shortly after, 'ShinyHunters' managed to recover the seized domains, with allegedly leaked FBI communications revealing that the agency had lost control over the domain, while the BreachForums staff claimed that it had been transferred to a different host. The site now appears to be down again, but with no seizure notice present, leading to speculation over what has struck the site and its admin ShinyHunters. On X and LinkedIn, security researcher Vinny Troia claimed that ShinyHunters had sent a direct message through Telegram indicating that he was retiring from the forums, as it was 'too much heat', and had shut it down.

(Image source: X.com)

Both the researcher's X and LinkedIn posts attribute this incident to the FBI 'nabbing' ShinyHunters, even congratulating the agency.

BreachForums Telegram Channels Deleted

Shortly after the official domains went down, several official Telegram accounts associated with BreachForums, including the main announcement channel and the Jacuzzi 2.0 account, were deleted. Forum moderator Aegis stated in a PGP-signed message that ShinyHunters had been banned from Telegram.

(Image source: Telegram)

(Image source: Telegram)

In a new 'Jacuzzi' Telegram channel created shortly afterwards, a pinned message appears to confirm that the administrator ShinyHunters had quit, no longer wishing to maintain the forum. The message affirms that Shiny had not been arrested but had quit, and that the forum has not been officially seized but taken down.

(Image source: Telegram)

A while later, a database allegedly containing data from the 'breachforums.is' domain (the previous official domain associated with BreachForums before it shifted to the .st domain) was circulating among Telegram data leak and sharing channels. Another threat actor stated that the circulating leaks were likely an attempt to gain attention and subscribers in light of recent events, noting that the data is unverified and password-protected.

(Image source: Telegram)

Several threat actors have attempted to use these disruptions to promote their own alternatives, such as Secretforums and Breach Nation. However, the administrator Astounded, who owned Secretforums, had himself recently announced his retirement from forum activity.

(Image source: Telegram)

The threat actor USDoD still appears to be promoting Breach Nation as an alternative to BreachForums, even welcoming the move as a takedown of 'competitors.'

(Image source: X.com)

These incidents, along with ShinyHunters' disappearance, the deletion or unavailability of official channels, and the arrests and disruptions associated with the forums, raise uncertainty over the community's future prospects as well as larger implications for data leak sharing. This article will be updated as we gather more information on events surrounding BreachForums.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
A month after a cyberattack, Ascension, one of the largest nonprofit healthcare systems in the United States, continues to work expeditiously with industry cybersecurity experts to safely restore systems across its network. Ascension Via Christi has announced an update on the Ascension cyberattack that it expects to improve efficiencies and reduce wait times for patients. "Please know our hospitals and facilities remain open and are providing patient care. Ascension continues to make progress in our efforts to safely restore systems across our network. Restoring our Electronic Health Record (EHR) system remains a top priority," stated an official Ascension announcement.

Ascension Cyberattack: What Has Been Restored?

According to the latest update on the Ascension cyberattack, officials have successfully restored EHR access in the Florida, Alabama, Tennessee, Maryland, Central Texas (Ascension Seton and Dell Children's hospitals), and Oklahoma markets. Ascension Via Christi further informed that its hospitals, including St. Francis and St. Joseph hospitals, and Ascension Medical Group clinics in Wichita have restored the primary technology used for electronic patient documentation in care settings. "This will allow most hospital departments, physician offices, and clinics to use electronic documentation and charting. Patients should see improved efficiencies and shorter wait times. Our team continues to work tirelessly to restore other ancillary technology systems," Ascension Via Christi explained on its website, which provides cybersecurity updates for its Kansas facilities.

(Image source: Ascension Via Christi website)

The update for Ascension Via Christi St. Francis followed a national update from Ascension, which reported continued progress in restoring systems across its network. The company aims to have systems fully restored across its ministry by Friday, June 14.

Ascension Cyberattack: What Happened?

On May 10, The Cyber Express reported that Ascension faced disruptions in clinical operations due to a cyberattack that prompted the organization to take some of its systems offline. Operating in 19 states and the District of Columbia, Ascension oversees 140 hospitals and 40 senior care facilities. It also boasts a significant workforce of 8,500 providers, 35,000 affiliated providers, and 134,000 associates. In 2023, Ascension’s total revenue amounted to $28.3 billion. Given its substantial revenue and widespread operations, the impact of this cyberattack was significant.

The organization detected unusual activity on select technology network systems, prompting an immediate response, the initiation of an investigation, and the activation of remediation efforts. Consequently, access to certain systems has been interrupted during the ongoing investigation. Due to the massive cyberattack, Ascension advised its business partners to temporarily sever connections to its systems as a precautionary measure and stated it would notify partners when it is safe to reconnect. The cyberattack on Ascension disrupted clinical operations, prompting an investigation into the extent and duration of the disruption.
Cybercriminals in the password theft business are constantly coming up with new ways to deliver phishing emails. Now they’ve learned to use a legitimate Facebook mechanism to send fake notifications threatening to block Facebook business accounts. We explore how the scheme works, what to pay attention to, and what measures to take to protect business accounts on social networks.

Anatomy of the phishing attack on Facebook business accounts

It all starts with a message sent by the social network itself to the email address linked to the victim’s Facebook business account. Inside is a menacing icon with an exclamation mark, and an even more menacing text: 24 Hours Left To Request Review. See Why.

(Image: Email with a fake warning about account problems, sent by Facebook itself)

Added to this are other words which, combined with the above text, look odd. But a manager responsible for Facebook may, in haste or in panic, fail to spot these irregularities and follow the link by clicking the button in the email, or manually open Facebook in a browser and check for notifications. Either way, they’ll end up on Facebook. After all, the email is real, so the buttons really do point to the social network’s site. A notification is waiting there — with the now-familiar orange icon and the same threatening words: 24 Hours Left To Request Review. See Why.

(Image: Phishing notification informing the victim their account will be blocked for non-compliance with the terms of service)

The notification contains more details, alleging that the account and page are to be blocked because someone complained about their non-compliance with the terms of service. The victim is then prompted to follow a link to dispute the decision to block their account. If they do, a website opens (this time bearing the Meta logo, not Facebook’s) with roughly the same message as in the notification, but the time granted to resolve the issue has been halved to 12 hours. We suspect that scammers use the Meta logo this time because they try similar schemes on other Meta platforms — we found at least one location on Instagram with the same name: 24 Hours Left To Request Review. See Why.

(Image: On a phishing page outside Facebook, the victim is prompted to appeal the block)

After clicking the Start button, through a series of redirects the visitor lands on a page with a form asking initially for relatively innocent data: page name, first and last names, phone number, date of birth.

(Image: The second screen asks the victim to enter certain personal data)

It’s the next screen where things get juicy: here you need to enter the email address or phone number linked to your Facebook account, and your password. As you might guess, it’s this data that the attackers are after.

(Image: The attackers don’t waste any time in requesting your Facebook account credentials)

How the phishing scheme exploits real Facebook infrastructure

Now let’s see how threat actors get Facebook to send phishing notifications on their behalf. They do so by using hijacked Facebook accounts. The account name is changed straight away to the most troubling title: 24 Hours Left To Request Review. See Why. They also change the profile picture so that the preview shows an orange icon with the exclamation mark already familiar to us from the email and notification.

(Image: Attackers change the name and profile picture of the hijacked Facebook account)

That done, the message about the account block is posted from the account. At the bottom of this message, a mention of the victim’s page appears after a few dozen empty lines. By default it’s hidden, but on clicking the See more link in the phishing post, the mention becomes visible.

(Image: The trick is the hard-to-spot mention of the targeted Facebook business account at the bottom of the post)

Threat actors post such messages from the hijacked account in bulk, all at once, each of which mentions one of the target Facebook business accounts.

(Image: Hijacked accounts generate a slew of posts, each of which mentions the account of a targeted organization)

As a result, Facebook diligently sends notifications to all accounts mentioned in these posts, both within the social network itself and to the email addresses linked to these accounts. And because delivery is via the actual Facebook infrastructure, these notifications are guaranteed to reach their intended recipients.

How to protect business social media accounts from hijacking

We should note that phishing isn’t the only threat to business accounts. There exists an entire class of malware specially created for password theft; such programs are known as password stealers. For this same purpose, attackers can also use browser extensions — see our recent post about their use in hijacking Facebook business accounts. Here’s what we recommend for protecting the social media accounts of your business:

- Always use two-factor authentication wherever possible.
- Pay close attention to notifications about suspicious login attempts.
- Make sure all your passwords are both strong and unique. To generate and store them, it’s best to use a password manager.
- Carefully check the addresses of pages asking for account credentials: if there’s even the slightest suspicion that a site is fake, do not enter your password.
- Equip all work devices with reliable protection that will warn of danger ahead of time and block the actions of both malware and browser extensions.
The US government launched a self-attestation form asking software developers to affirm their software was developed securely. Compliance starts today for software used in critical infrastructure.
If CEOs want to avoid being the target of government enforcement actions, they need to take a personal interest in ensuring that their corporation invests in cybersecurity.
The fresh-baked malware is being widely distributed, but still specifically targets individuals with tailored lures. It's poised to evolve into a bigger threat, researchers warn.
It was discovered that the ATA over Ethernet (AoE) driver in the Linux kernel contained a race condition, leading to a use-after-free vulnerability. An attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that a race condition existed in the AppleTalk networking subsystem of the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. Various other issues were also addressed.
VSCode bypasses its trust model when opening a Jupyter notebook (.ipynb) file. On versions v1.4.0 through v1.71.1, it's possible for the Jupyter notebook to embed HTML and JavaScript, which can then open new terminal windows within VSCode. Each of these new windows can then execute arbitrary code at startup. During testing, the first open of the Jupyter notebook resulted in pop-ups displaying errors that the payload exe file could not be found. The second attempt at opening the Jupyter notebook resulted in successful execution. Successfully tested against VSCode 1.70.2 on Windows 10.
Ubuntu Security Notice 6822-1 - It was discovered that Node.js incorrectly handled certain inputs when it is using the policy mechanism. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to bypass the policy mechanism. It was discovered that Node.js incorrectly handled certain inputs when it is using the policy mechanism. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to perform a privilege escalation.
Ubuntu Security Notice 6817-2 - Ziming Zhang discovered that the DRM driver for VMware Virtual GPU did not properly handle certain error conditions, leading to a NULL pointer dereference. A local attacker could possibly trigger this vulnerability to cause a denial of service. Zheng Wang discovered that the Broadcom FullMAC WLAN driver in the Linux kernel contained a race condition during device removal, leading to a use-after-free vulnerability. A physically proximate attacker could possibly use this to cause a denial of service.
Ubuntu Security Notice 6827-1 - It was discovered that LibTIFF incorrectly handled memory when performing certain cropping operations, leading to a heap buffer overflow. An attacker could possibly use this issue to cause a denial of service.
Ubuntu Security Notice 6825-1 - It was discovered that the PDO driver in ADOdb was incorrectly handling string quotes. A remote attacker could possibly use this issue to perform SQL injection attacks. This issue only affected Ubuntu 16.04 LTS. It was discovered that ADOdb was incorrectly handling GET parameters in test.php. A remote attacker could possibly use this issue to execute cross-site scripting attacks. This issue only affected Ubuntu 16.04 LTS.
Ubuntu Security Notice 6821-2 - It was discovered that the ATA over Ethernet driver in the Linux kernel contained a race condition, leading to a use-after-free vulnerability. An attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that the Atheros 802.11ac wireless driver did not properly validate certain data structures, leading to a NULL pointer dereference. An attacker could possibly use this to cause a denial of service.
Ubuntu Security Notice 6818-2 - Alon Zahavi discovered that the NVMe-oF/TCP subsystem in the Linux kernel did not properly validate H2C PDU data, leading to a null pointer dereference vulnerability. A remote attacker could use this to cause a denial of service. It was discovered that the Intel Data Streaming and Intel Analytics Accelerator drivers in the Linux kernel allowed direct access to the devices for unprivileged users and virtual machines. A local attacker could use this to cause a denial of service.
Ubuntu Security Notice 6824-1 - It was discovered that GIFLIB incorrectly handled certain GIF files. An attacker could possibly use this issue to cause a denial of service.
Red Hat Security Advisory 2024-3790-03 - OpenShift API for Data Protection 1.3.2 is now available. Issues addressed include a memory exhaustion vulnerability.
Red Hat Security Advisory 2024-3784-03 - An update for thunderbird is now available for Red Hat Enterprise Linux 8.10. Issues addressed include bypass and use-after-free vulnerabilities.
Red Hat Security Advisory 2024-3783-03 - An update for firefox is now available for Red Hat Enterprise Linux 8.10. Issues addressed include bypass and use-after-free vulnerabilities.
Red Hat Security Advisory 2024-3781-03 - An update is now available for Red Hat Ansible Automation Platform 2.4. Issues addressed include HTTP request smuggling, buffer overflow, code execution, cross site scripting, denial of service, memory exhaustion, null pointer, and password leak vulnerabilities.
Red Hat Security Advisory 2024-3763-03 - An update for nghttp2 is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2024-3756-03 - An update for the idm:DL1 module is now available for Red Hat Enterprise Linux 8.4 Advanced Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.
Cybersecurity researchers have uncovered an updated version of malware called ValleyRAT that's being distributed as part of a new campaign. "In the latest version, ValleyRAT introduced new commands, such as capturing screenshots, process filtering, forced shutdown, and clearing Windows event logs," Zscaler ThreatLabz researchers Muhammed Irfan V A and Manisha Ramcharan Prajapati said. ValleyRAT
As many as 165 customers of Snowflake are said to have had their information potentially exposed as part of an ongoing campaign designed to facilitate data theft and extortion, indicating the operation has broader implications than previously thought. Google-owned Mandiant, which is assisting the cloud data warehousing platform in its incident response efforts, is tracking the
Arm is warning of a security vulnerability impacting Mali GPU Kernel Driver that it said has been actively exploited in the wild. Tracked as CVE-2024-4610, the use-after-free issue impacts the following products - Bifrost GPU Kernel Driver (all versions from r34p0 to r40p0) Valhall GPU Kernel Driver (all versions from r34p0 to r40p0) "A local non-privileged user can make improper GPU memory
One of the most effective ways for information technology (IT) professionals to uncover a company's weaknesses before the bad guys do is penetration testing. By simulating real-world cyberattacks, penetration testing, sometimes called a pentest, provides invaluable insights into an organization's security posture, revealing weaknesses that could potentially lead to data breaches or other security
Apple has announced the launch of a "groundbreaking cloud intelligence system" called Private Cloud Compute (PCC) that's designed for processing artificial intelligence (AI) tasks in a privacy-preserving manner in the cloud. The tech giant described PCC as the "most advanced security architecture ever deployed for cloud AI compute at scale." PCC coincides with the arrival of new generative AI (
Managed service providers (MSPs) are on the front lines of soaring demand for cybersecurity services as cyberattacks increase in volume and sophistication. Cynet has emerged as the security vendor of choice for MSPs to capitalize on existing relationships with SMB clients and profitably expand their client base. By unifying a full suite of cybersecurity capabilities in a simple, cost-effective
Cybersecurity researchers have shed more light on a Chinese actor codenamed SecShow that has been observed conducting Domain Name System (DNS) on a global scale since at least June 2023. The adversary, according to Infoblox security researchers Dr. Renée Burton and Dave Mitchell, operates from the China Education and Research Network (CERNET), a project funded by the Chinese government. "These