Oktacron logo
Cyber security aggregate rss news

Cyber security aggregator - feeds history
image for TCE Cyberwatch: Brea ...

 Cybersecurity News

This week on TCE Cyberwatch, we report on significant breaches affecting both prominent companies and universities, with thousands of individuals impacted. In addition, TCE Cyberwatch explores the evolving landscape of cybersecurity legality, highlighting Australia's ongoing court case against X. TCE Cyberwatch   show more ...

also delves into advancements in corporate cybersecurity, such as Apple’s upcoming announcement of their very own password management app. Keep reading to find out more! Akira Ransomware Group Targets Panasonic Australia The Akira ransomware group has reportedly compromised Panasonic Australia's data, claiming to have exfiltrated sensitive project information and business agreements. The authenticity and full impact of this breach are still unverified. In response, Singapore's Cyber Security Agency (CSA) and Personal Data Protection Commission (PDPC) have advised organizations to report such attacks rather than paying ransoms. This recommendation follows confirmation by law firm Shook Lin & Bok that they paid Akira $1.4 million in Bitcoin. The CSA has warned that paying ransoms does not guarantee data recovery and could potentially encourage further attacks. They recommend implementing robust security measures, including strong password policies, multi-factor authentication, reputable antivirus software, regular vulnerability scans, network segregation, routine backups, incident response exercises, and minimizing data collection. Additionally, the FBI and CISA had previously included Akira in their #StopRansomware campaign, emphasizing the importance of these preventive measures. Read More Xbox One Kernel Exploit Discovered: Tinkering with Game Script App An individual known as carrot_c4k3 has discovered a kernel-level exploit for Xbox One consoles using an app called ‘Game Script’ from the Microsoft Store. This exploit is not a jailbreak but allows users to gain control over virtual machine (vm) homebrews without enabling pirated software. The method involves two components: initial code execution in UWP applications and a kernel exploit granting full read/write permissions. A proof of concept has been shared on GitHub, currently limited to UWP apps. The exploit bypasses developer mode fees and modifies game save data but does not alter actual games. It may also allow running simple emulators. However, Microsoft could potentially detect this exploit, so using an offline console is recommended. It is also possible that the exploit has already been patched in the latest firmware update, version 10.0.25398.4478. Read More Over 8,000 at VIT Bhopal University Potentially Exposed in Data Breach VIT Bhopal University in India has reportedly experienced a major data breach, impacting more than 8,000 students and faculty members. The breach, first revealed on June 10, 2024, on BreachForums, involves the alleged leak of sensitive information, including unique identification numbers, usernames, full names, email addresses, passwords, and user activation keys. This compromised data could potentially allow unauthorized access to personal and university accounts, raising significant concerns about phishing attacks and other malicious activities. VIT Bhopal, established in 2017 and ranked 65th in India by the National Institutional Ranking Framework, offers programs in engineering, technology, management, and architecture. As of now, the university has not commented on the breach or disclosed the full extent of the compromised data. Read More Energy Giant Potentially Breached: Hacker Selling Alleged SGCC Data A hacker named Desec0x claims to have breached the State Grid Corporation of China (SGCC) and is selling the stolen data on BreachForums for $1,000. The data reportedly includes user account information, employee details, and department roles in SQL and XLSX formats. SGCC, the world's largest utility company, serves over 1.1 billion people in China and owns assets in several countries. If confirmed, this breach could have serious implications for SGCC and its stakeholders. Cyberattacks on the energy sector are increasing, with notable incidents in 2023 and 2024 targeting companies like Consol Energy and Petro-Canada. SGCC has not yet confirmed the breach, and its website appears to be unaffected. Read More Deepfakes Target Australian Politicians in Investment Scams Australian politicians, including Finance Minister Katy Gallagher and Foreign Minister Penny Wong, have been targeted in AI-generated deepfake investment scam videos. The scam also used images of Nationals senator Bridget McKenzie and former Prime Minister Scott Morrison, among others. These videos, promoted via Facebook ads, falsely depict the politicians endorsing fraudulent investment schemes. Federal Minister Stephen Jones warned that AI could amplify fraud and proposed reforms to make social media companies more accountable. Gallagher stressed that neither she nor other politicians would promote products online, urging people to report such scams. The government is considering measures like mandatory AI image watermarking to combat misuse. Read More Get Ready to Switch? Apple Unveils Passwords Manager at WWDC At Apple's Worldwide Developer Conference next week, the company is expected to unveil its own standalone password manager, named Passwords, which will rival apps like 1Password and LastPass. According to Bloomberg News, Passwords will offer features surpassing those of iCloud and Mac Keychain, enabling users to save Wi-Fi passwords, store passkeys, and categorize login credentials. The app is also anticipated to be compatible with Windows machines, though its availability for Android users remains uncertain. Read More Monti Ransomware Targets West After Conti's Demise The Monti ransomware group, which bears similarities to the defunct Conti ransomware, has recently changed ownership and shifted its focus towards Western targets. The new owners are revamping its infrastructure for future operations. Recent attacks in the South of France disrupted the Pau-Pyrénées airport, the Pau business school, and a digital campus, compromising sensitive data and raising significant cybersecurity concerns. Monti exploits vulnerabilities like Log4Shell to infiltrate networks, encrypt desktops, and disrupt servers. Analysts believe the group leverages Conti’s leaked data for its operations. The cybersecurity community emphasizes the need for strengthened defenses and collaboration to combat such evolving threats. The Monti group’s activities highlight the critical need for robust cybersecurity measures to protect essential infrastructures.Read More TCE Cyberwatch: Wrap Up . Recent events have shown that even large, well-protected companies can fall victim to cyberattacks. Therefore, it's always wise to stay proactive and ensure your defenses are up-to-date. Stay safe, stay informed, and take steps to safeguard your digital security.

image for The Snowballing of t ...

 Resources

With companies coming forward every day announcing impacts from their third-party cloud data storage vendor, the Snowflake data breach seems to be snowballing into one of the biggest data breaches of the digital age. Here's everything to know about the Snowflake breach; we'll update this page as new   show more ...

information becomes available. Why the Snowflake Breach Matters Snowflake is a prominent U.S.-based cloud data storage and analytics company, with over 9,800 global customers. Its customer base includes major corporations like Adobe, AT&T, Capital One, DoorDash, HP, JetBlue, Mastercard, Micron, NBC Universal, Nielsen, Novartis, Okta, PepsiCo, Siemens, US Foods, Western Union, and Yamaha, among others. Snowflake holds approximately a 20% share of the data warehouse market and was recently ranked #1 on the Fortune Future 50 List, it an attractive target for cybercriminals. However, it is crucial to note that the breaches are not necessarily due to failures by Snowflake. The correlation does not imply causation, as emphasized by Snowflake’s Chief Information Security Officer Brad Jones. The company, along with its forensic partners, found no evidence of vulnerabilities or breaches within Snowflake’s platform. Ongoing Investigation and Preliminary Results in Snowflake Breach On May 31, Snowflake revealed that attackers accessed customer accounts using single-factor authentication. According to preliminary results, these attackers leveraged credentials obtained through infostealing malware. Compromised Employee Account Snowflake confirmed that a threat actor obtained credentials from a single former employee, accessing demo accounts that were isolated from production and corporate systems. Snowflake’s core systems are protected by Okta and Multi-Factor Authentication (MFA) but the demo accounts lacked such safeguards. Test Environments Targeted Demo accounts are often overlooked as security risks. Despite assurances that these accounts do not contain sensitive data, they remain attractive targets due to their perceived value. Cybercriminals exploit the perception gap, knowing that a claimed breach of a high-profile company like Snowflake can generate significant media attention. Attack Path The initial access point for the attackers was almost certainly compromised credentials obtained through infostealing malware. Mandiant, who helped Snowflake in its investigation, confirmed that the compromised credentials were from customer instances and were traced back to infostealer malware logs. Several variants of infostealer malware were used, including VIDAR, RISEPRO, REDLINE, RACOON STEALER, LUMMA, and METASTEALER. Possible Reasons for the Breach Mandiant confirmed that there was no breach of Snowflake’s enterprise environment. They identified that most credentials used by the attackers originated from historical infostealer infections. The lack of MFA and failure to rotate credentials for up to four years were significant factors. Network allow lists were also not used to restrict access to trusted locations. Unconfirmed Threat Actor Claims The threat actor also claimed to have logged into Snowflake’s ServiceNow using the same credentials. This claim has neither been confirmed nor explicitly refuted by Snowflake. Other unknowns include whether similar methods compromised other Snowflake employees, and the definition of "sensitive" data used for determining the impact on demo accounts. The investigation is ongoing, but Snowflake stands by its initial findings. Affected Customers from Snowflake Breach The data breaches began in April 2024, and the company claimed it had impacted a “limited” number of Snowflake customers. Snowflake initially did not disclose the exact number or the names of all affected customers. However, a comprehensive report from Mandiant two weeks after the initial disclosure revealed that 165 customers were impacted in the Snowflake data breach. While some victims have been identified through attackers’ offers to sell stolen data, others were revealed via mandatory public disclosures. Most companies have yet to confirm the impact. Following is a list of all companies know to have been impacted in the Snowflake data breach: Santander Group: The company confirmed a compromise without mentioning Snowflake. Impact: Santander Bank staff and 30 million customers’ data has allegedly been breached. TicketMaster (Live Nation Entertainment subsidiary): Confirmed via an SEC 8-K report, with Snowflake identified as the third party involved. Impact: 560 Million TicketMaster user details and card info potentially at risk. LendingTree: Notified by Snowflake about a potential data impact involving QuoteWizard. Impact: On June 1, a hacker going by the name “Sp1d3r” posted on the cybercriminal platform BreachForums that they had stolen the sensitive information of over 190 million people from QuoteWizard. The alleged database included customer details, partial credit card numbers, insurance quotes and other information. Advance Auto Parts: Unconfirmed by the company, but a dark web listing claimed significant data theft. Impact: Same actor as LendingTree claimed leak of 380 million customers and 358,000 former and current employees. Pure Storage: The Pure Storage data breach involved a third party temporarily gaining access to the workspace, which housed data such as company names, LDAP usernames, email addresses, and the Purity software release version number. Impact: The same threat actor known as “Sp1d3r” claimed responsibility, alleging the theft of 3 terabytes of data from the company’s Snowflake cloud storage that was reportedly being sold for $1.5 million. Tech Crunch discovered over 500 login credentials and web addresses for Snowflake environments on a website used by attackers to search for stolen credentials. These included corporate email addresses found in a recent data dump from various Telegram channels. Security Measures and Customer Support Snowflake Chief Information Security Officer Brad Jones reiterated the company's findings, asserting that the breaches were not due to any vulnerabilities, misconfigurations, or breaches of Snowflake’s platform or personnel credentials. Snowflake is collaborating with customers to enhance security measures and plans to mandate advanced security controls such as multi-factor authentication (MFA) and network policies, especially for privileged accounts. The company acknowledges the friction in their MFA enrollment process and is working to streamline it. The shared responsibility model places MFA enforcement on customers, but Snowflake aims to make it a standard prerequisite due to the high sensitivity of the data stored in their cloud environments. Key Recommendations for Snowflake Customers: Enforce Multi-Factor Authentication: Make MFA mandatory for all accounts, particularly those with privileged access. Regularly Rotate Credentials: Ensure that all credentials are regularly updated to prevent long-term exposure from previous leaks. Implement Network Allow Lists: Restrict access to trusted IP addresses to minimize unauthorized access. Enhance Logging and Monitoring: Improve logging and monitoring capabilities to detect and respond to suspicious activities promptly. Snowflake has also published indicators of compromise and steps for detecting and preventing unauthorized user access here. Cloud security firm Permiso has developed an open-source tool dubbed "YetiHunter" to detect and hunt for suspicious activity in Snowflake environments based on the IoCs shared by Snowflake, Mandiant, DataDog, and its own intelligence. Editor's Note: This blog will be updated as additional breach information from Snowflake and its customers becomes available or is claimed by threat actors on underground forums for sale. Links and data to any additional IoCs related to the Snowflake breach will be published here too.

image for Strengthening the Sh ...

 Cybersecurity News

By: Abhilash R., Head of Cybersecurity at OQ Trading In a progressively digital world, small and medium sized enterprises (SMEs) are not immune to cyber threats. Despite their size, SMEs are prime targets for cyberattacks due to their limited resources and perceived vulnerability. Therefore, implementing robust   show more ...

cybersecurity strategies is imperative to safeguard sensitive data, maintain customer trust, and ensure business continuity. This article delves into five essential cybersecurity strategies tailored to SMEs, emphasizing their importance, and providing cost effective solutions. Employee Education and Training One of the most critical cybersecurity strategies for SMEs is ensuring that employees are educated and trained in cybersecurity best practices. Human error remains a significant factor in cyber incidents, making cybersecurity awareness training indispensable. Employees should be educated on recognizing phishing attempts, creating strong passwords, and understanding the importance of software updates. Importance: Employees serve as the first line of defence against cyber threats, they are also the weakest links in cybersecurity. By educating them, SMEs can significantly reduce the risk of successful cyberattacks. Solutions: Implement regular cybersecurity training sessions for all employees, covering topics such as identifying suspicious emails, safe internet browsing practices, and responding to security incidents. Utilize online training resources and simulations to reinforce learning effectively. You can develop internal cybersecurity awareness materials using free or low cost presentation tools such as Google Slides or Microsoft PowerPoint. Create engaging presentations covering topics like identifying phishing emails, password best practices, and responding to security incidents. Additionally, leverage free online resources such as cybersecurity blogs, webinars, and tutorials to supplement employee training efforts. Encourage participation in online courses offered by reputable cybersecurity organizations, some of which may be available at no cost. Implementing Multi-Factor Authentication (MFA) Multifactor authentication (MFA) adds an extra layer of security by requiring users to provide multiple forms of verification before accessing sensitive data or systems. This strategy helps mitigate the risk of unauthorized access, even if passwords are compromised. Importance: Passwords alone are no longer sufficient to protect against cyber threats. MFA significantly enhances security by requiring additional authentication factors, such as biometric data or one-time codes. Solutions: Implement MFA for all accounts with access to sensitive information or critical systems. Many cloud-based services and software applications offer built-in MFA capabilities, making implementation relatively straightforward and cost effective. Utilize built-in MFA features provided by cloud-based services and software applications, many of which offer MFA functionality at no additional cost. Implement open source MFA solutions that can be customized to fit the organization's specific needs without incurring licensing fees. Alternatively, explore low-cost MFA options offered by third-party providers, ensuring compatibility with existing systems and scalability as the business grows. Regular Data Backups Data loss can have devastating consequences for SMEs, ranging from financial losses to reputational damage. Regularly backing up data is essential for mitigating the impact of ransomware attacks, hardware failures, or accidental deletions. Importance: Data backups serve as a safety net, allowing SMEs to recover quickly in the event of a cyber incident. Without backups, businesses risk permanent loss of valuable information. Solutions: Automate regular backups of critical data to secure cloud storage or offline storage devices. Utilize backup solutions that offer versioning capabilities, allowing businesses to restore data to previous states if necessary. Utilize cloud based backup solutions that offer affordable storage options and automated backup scheduling. Leverage free or low cost backup software with basic features for backing up critical data to secure cloud storage or external hard drives. Implement a combination of full and incremental backups to optimize storage space and minimize backup times. Explore open source backup solutions that provide flexibility and customization options without the need for expensive proprietary software. Network Security Measures Securing the network infrastructure is crucial for protecting against external threats and unauthorized access. SMEs should implement robust network security measures, such as firewalls, intrusion detection systems (IDS), and virtual private networks (VPNs). Importance: Networks are prime targets for cyberattacks, making network security measures essential for preventing unauthorized access and data breaches. Solutions: Deploy firewalls to monitor and control incoming and outgoing network traffic. Implement IDS to detect and respond to suspicious activities within the network. Utilize VPNs to encrypt data transmissions and establish secure connections for remote workers. Implement open source firewall solutions that provide robust network protection without the high cost associated with commercial firewalls. Utilize free or low cost intrusion detection system (IDS) software that offers essential features such as real time monitoring and threat detection. Explore cost effective virtual private network (VPN) solutions tailored to SMEs' needs, such as subscription based services with affordable pricing plans and easy deployment for remote workers. Regular Security Assessments and Updates Cyber threats are constantly evolving, requiring SMEs to stay vigilant and proactive in their cybersecurity efforts. Regular security assessments and updates help identify vulnerabilities and ensure that systems and software are up to date with the latest security patches. Importance: Cyber threats are continuously evolving, making regular security assessments and updates essential for maintaining strong cybersecurity posture. Solutions: Conduct regular security assessments to identify potential vulnerabilities in systems, networks, and applications. Develop and implement a patch management strategy to ensure that software and firmware updates are applied promptly. Conduct internal security assessments using free or low cost vulnerability scanning tools to identify potential weaknesses in systems and networks. Utilize open source penetration testing frameworks to simulate cyberattacks and assess the effectiveness of existing security measures. Implement a systematic approach to applying security patches and updates, leveraging free tools provided by software vendors or community driven initiatives. Additionally, establish internal processes for monitoring security advisories and alerts issued by relevant authorities to stay informed about emerging threats and vulnerabilities. In conclusion, cybersecurity is a critical concern for SMEs in today's digital landscape. By implementing the strategies explained above, SMEs can significantly enhance their cybersecurity posture without breaking the bank. Investing in cybersecurity is not only essential for protecting sensitive data and maintaining business operations but also for safeguarding the long-term viability and reputation of SMEs in an increasingly interconnected world. About Author: Abhilash Radhadevi, a seasoned cybersecurity leader, serves as the Head of Cybersecurity at OQ Trading, bringing over two decades of comprehensive experience in the Banking, Financial, Oil and Energy sectors. Widely recognized for his adept leadership, Abhilash has effectively steered international organizations through intricate security challenges. His illustrious career includes spearheading pioneering cybersecurity strategies, resulting in prestigious awards and acclaim. Beyond his professional achievements, Abhilash maintains a global influence and demonstrates unwavering commitment to mentoring, showcasing his dedication to shaping the future landscape of cybersecurity. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

image for Don’t Be a Sitting ...

 Features

A cybersecurity checklist is essential for strengthening the security of both personal devices and corporate networks in today's digital landscape. While primarily geared towards businesses ensuring cyber safety for their employees and workplaces, these measures are equally crucial for individual device security.   show more ...

This checklist outlines fundamental practices to safeguard against evolving cyber threats, ensuring proactive defense strategies are in place. Must-have Cybersecurity Checklist 1. Data Encryption Data encryption converts sensitive information into a coded format, rendering it unreadable to unauthorized users. This security measure ensures confidentiality and compliance with privacy regulations. Even if attackers gain access to encrypted data, they cannot decipher it without the correct decryption key, thereby maintaining data integrity. 2. Disaster Recovery Policy A disaster recovery policy is vital for organizations to respond to and recover from cyberattacks or system failures swiftly. It includes procedures for data restoration, minimizing downtime, and ensuring business continuity. Regular updates and drills ensure readiness to handle emergencies effectively. 3. External Hard Drive Backup Maintaining backups on an external hard drive provides an offline data redundancy solution. This practice safeguards critical data independently from primary systems. In scenarios like ransomware attacks or network failures, offline backups facilitate quick data restoration, complementing cloud-based backups. 4. Updated Software Regularly updating software is critical to patch known vulnerabilities that cybercriminals exploit. Updates not only enhance security but also improve software functionality and performance. Neglecting updates leaves systems vulnerable to cyber threats and compromises overall system integrity. 5. Cybersecurity Insurance Cybersecurity insurance offers financial protection against losses resulting from cyber incidents. It covers expenses such as investigation costs, legal fees, and mitigation efforts. This insurance serves as a safety net, ensuring businesses can recover and resume operations following significant cybersecurity events. 6. Antivirus Updates Frequent updates to antivirus software are essential to defend against emerging malware threats. Updated antivirus solutions detect and block malicious activities, enhancing overall system security. Continuous updates ensure systems are protected against evolving cyber threats. 7. Principle of Least Privilege Implementing the principle of least privilege limits user access rights to only what is necessary for their roles. This mitigates the risk of insider threats and unauthorized access, maintaining control over system configurations and enhancing overall security posture. 8. Secure Connections Secure connections, often facilitated by VPNs (Virtual Private Networks), encrypt data during transmission over public or unsecured networks. This practice prevents interception and unauthorized access to sensitive information, ensuring data confidentiality and integrity. 9. Robust Firewall A robust firewall acts as a barrier between trusted internal networks and external networks, filtering incoming and outgoing traffic. It blocks malicious traffic and unauthorized access attempts, safeguarding network infrastructure and sensitive data from cyber threats. 10. Cybersafety Policies Establishing comprehensive cybersafety policies is crucial for promoting cybersecurity awareness and best practices among employees. These policies cover password guidelines, internet usage protocols, and email security measures. Regular training reinforces these policies, reducing vulnerabilities to phishing attacks and unauthorized access attempts. Conclusion This cybersecurity checklist encompasses essential measures to prepare against potential cyber threats. It emphasizes proactive strategies both online and physically, including the use of external hard drives for backups and the implementation of robust cybersecurity policies. By adopting these practices, individuals and organizations can enhance their resilience against the evolving landscape of cyber threats. In a world where cybersecurity threats are increasingly prevalent, implementing these checklist points is crucial. We at The Cyber Express hope this guide has been informative and encourages widespread adoption of these cybersecurity best practices for a safer digital environment.

image for Understanding Cyberc ...

 Cybersecurity News

By Hoda Alkhzaimi The technological prowess of small nations is increasingly recognized as a significant driver of global economic power. This is because technology is a great equalizer; it can enable small nations to leapfrog development stages and compete on a global scale. For instance, the UNCTAD Technology and   show more ...

Innovation Report 2021 highlights that frontier technologies like AI, robotics, and biotechnology have the potential to significantly boost sustainable development, while also posing the risk of widening the digital divide. Small nations, by embracing these technologies, can foster innovation, improve productivity, and create high-value industries that contribute to global trade and economic growth. Moreover, the digital transformation allows for the democratization of information and resources, enabling smaller economies to participate in markets traditionally dominated by larger countries. The OECD also emphasizes the role of SMEs in adapting to a more open and digitalized environment, which is essential for inclusive globalization. Therefore, the technological development of small nations is not just about national progress; it's about contributing to and shaping the global economic landscape. By investing in technology and innovation, small nations can assert their presence on the world stage, influencing global trends and economic policies. Cyber conflicts have emerged as a significant factor in international relations, influencing the dynamics of power in the digital age. The Atlantic Council's Cyber Statecraft Initiative highlights the shift from traditional deterrence strategies to more proactive measures like Defend Forward and Persistent Engagement, reflecting the evolving nature of cyber threats. Research published in Armed Forces & Society suggests that cyber conflicts, termed 'cool wars', are reshaping interactions between states, with denial-of-service attacks and behaviour-changing tactics significantly affecting state relations. Moreover, the ICRC has raised concerns about the protection of civilians from cyber threats during armed conflicts, emphasizing the need for legal and policy frameworks to address the digital risks in warfare. The CyberPeace Institute's analysis of cyberattacks in the context of the Ukraine conflict provides valuable data on the harm to civilians and the evolution of cyber threats. Additionally, the European Repository of Cyber Incidents offers an extensive database of cyber incidents, which can serve as a resource for understanding the scope and impact of cyber warfare. These insights underscore the importance of cyber capabilities in asserting influence and the need for robust cyber defence mechanisms to safeguard national security and civilian welfare in the face of digital threats. The interplay between cyber operations and political power is complex, and as technology continues to advance, the implications for international stability and power hierarchies will likely become even more pronounced The Role of Misinformation and Disinformation in Cyberconflict Misinformation and disinformation play a critical role in the landscape of cyberconflict, shaping public perception and influencing the dynamics of geopolitical tensions. A report by Full Fact highlights the detrimental impact of false information on democratic societies, emphasizing the need for informed citizenship to combat the spread of such information. Similarly, data from UNESCO underscores the pervasive risk of encountering disinformation across various media platforms, with statistics indicating a significant trust deficit in media and an increase in the manipulation of news consumption. The cybersecurity sector also recognizes disinformation as a substantial threat, with a study by the Institute for Public Relations revealing that 63% of Americans view disinformation as a major societal issue, and nearly half of cybersecurity professionals consider it a significant threat to security. These concerns are echoed globally, as a survey found that over 85% of people worry about the impact of online disinformation on their country's politics. The intertwining of misinformation, disinformation, and cyberconflict presents a complex challenge that requires a multifaceted approach, including media literacy, regulatory frameworks, and international cooperation to mitigate its effects and safeguard information integrity. The Role of Big Tech in Cyberconflict Interplay The role of big tech companies in cyber conflict is a complex and evolving issue. These companies often find themselves at the forefront of cyber conflict, whether as targets, mediators, or sometimes even participants. For instance, during civil conflicts, digital technologies have been used to recruit followers, finance activities, and control narratives, posing additional challenges for peacemakers. The explosive growth of digital technologies has also opened new potential domains for conflict, with state and non-state actors capable of carrying out attacks across international borders, affecting critical infrastructure and diminishing trust among states. In response to the invasion of Ukraine, big tech companies played crucial roles in addressing information warfare and cyber-attacks, showcasing their significant influence during times of conflict. Moreover, the technological competition between major powers like the United States and China further highlights the geopolitical dimension of big tech's involvement in cyber conflict. These instances underscore the need for a robust framework to manage the participation of big tech in cyber conflict, ensuring that their capabilities are harnessed for peace and security rather than exacerbating tensions. Hedging the Risks of Using AI and Emerging Tech To Scaleup Misinformation and Global Cyberconflicts In response to the growing threat of election misinformation, various initiatives have been undertaken globally. The World Economic Forum has identified misinformation as a top societal threat and emphasized the need for a concerted effort to combat it, especially in an election year with a significant global population going to the polls. The European Union has implemented a voluntary code of practice for online platforms to take proactive measures against disinformation, including the establishment of a Rapid Alert System and the promotion of fact-checking and media literacy programs. In the United States, the Brennan Center for Justice advocates for active monitoring of false election information and collaboration with internet companies to curb digital disinformation. Additionally, the North Carolina State Board of Elections (NCSBE) provides guidelines for the public to critically assess the credibility of election news sources and encourages the use of reputable outlets. These initiatives represent a multifaceted approach to safeguarding the integrity of elections by enhancing public awareness, improving digital literacy, and fostering collaboration between governments, tech companies, and civil society. In the ongoing battle against election misinformation, several key alliances and actions have been formed. Notably, the AI Elections Accord was proposed for public signature at the Munich Security Conference on February 16, 2024. This accord represents a commitment by technology companies to combat deceptive AI content in elections. In a similar vein, Meta established a dedicated team on February 26, 2024, to address disinformation and the misuse of AI leading up to the European Parliament elections. Furthermore, the Federal Communications Commission (FCC) in the United States took a decisive step by making AI-generated voices in robocalls illegal on February 8, 2024, to prevent their use in misleading voters. These measures reflect a growing recognition of the need for collaborative efforts to safeguard the integrity of elections in the digital age. The alliances and regulations are pivotal in ensuring that the democratic process remains transparent and trustworthy amidst the challenges posed by advanced technologies. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

image for BreachForums Returns ...

 Cybersecurity News

The on-again, off-again saga of BreachForums took another twist in recent days with the news that the data leak forum apparently has a new owner. ShinyHunters – who had reportedly retired after tiring of the pressure of running a notorious hacker forum – returned on June 14 to announce that the forum is now under   show more ...

the ownership of a threat actor operating under the new handle name “Anastasia.” It’s not yet clear if the move will quell concerns that the forum has been taken over by law enforcement after a May 15 FBI-led takeover, but for now, BreachForums is up and running under its .st domain. ShinyHunters Alludes to BreachForums Issues ShinyHunters alluded to those issues in a post announcing the forum’s new owner (screenshot below). “It's hard to maintain motivation when you're constantly getting accused of being a honeypot and at this point I'm burned out, hollow is burned out and we just want to move on to bigger things rather than the constant onslaught of users complaining about how we ran our forum,” ShinyHunters wrote. “Baphomet has done an incredible job of building new features for everyone, keeping everything together and maintaining the forum. Couldn't have done it without him. We hope the forum can live on without us for a long time. Thank you all for your support. Goodbye.” [caption id="attachment_77484" align="alignnone" width="750"] The announcement of a new BreachForums owner[/caption] While “User-Anastasia” is a new account, ShinyHunters referred to the new owner as “an OG some of you may remember.” Cyble threat researchers reported that Anastasia also goes by “Anastasia Belshaw.” BreachForums Returns, Hackers Raise Suspicions BreachForums was seized by the FBI and the U.S. Department of Justice in mid-May, with help from international law enforcement agencies, and Baphomet was allegedly arrested in that action. However, just two weeks later, the forum returned, leading to suspicion among some threat actors that the site was operating as a “honeypot” or a sting operation under the control of the FBI. To further complicate matters, the site went down again last week, possibly due to technical issues, and its associated Telegram channels disappeared too amid reports that ShinyHunters was retiring. A few days later came the announcement that Anastasia would take over the forum. It remains to be seen what direction the forum will take under new ownership, but given the site’s volatile history, whatever is in store is certain to be eventful.

image for AridSpy Malware Targ ...

 Firewall Daily

A new wave of cyberattacks targeting Android users in the Middle East has surfaced, with a focus on both Palestine and Egypt. Dubbed AridSpy, this multistage Android malware is allegedly orchestrated by the notorious Arid Viper APT group, a name synonymous with cyber espionage in the region. The malicious software,   show more ...

discovered being distributed through five dedicated websites, is ingeniously disguised within seemingly legitimate applications, marking a dangerous evolution in cyber threats. The modus operandi of these campaigns, initiated as early as 2022 and persisting to this day, revolves around the deployment of trojanized apps designed to infiltrate unsuspecting users' devices. These applications, ranging from messaging platforms to job opportunity portals, harbor the insidious AridSpy spyware within their code, allowing the attackers to remotely control the infected devices and extract sensitive information with alarming efficiency. Arid Viper APT group Leveraging AridSpy to Target Victims A key element of AridSpy's strategy lies in its ability to camouflage itself within genuine apps, thus bypassing traditional security measures. By leveraging existing applications and injecting them with malicious code, the perpetrators exploit the trust users place in familiar software, amplifying the reach and impact of their cyber offensive. ESET's investigation into these activities uncovered various instances of AridSpy infiltration, with the majority of cases centered around the distribution of the malicious Palestinian Civil Registry app. This tactic, coupled with the impersonation of reputable messaging platforms like StealthChat and Voxer Walkie Talkie Messenger, underscores the group's sophisticated approach to cyber warfare. Lukáš Štefanko, a researcher at ESET, sheds light on the mechanics of AridSpy's infiltration, detailing how unsuspecting users are lured into installing the tainted applications. “In order to gain initial access to the device, the threat actors try to convince their potential victim to install a fake, but functional, app. Once the target clicks the site’s download button, myScript.js, hosted on the same server, is executed to generate the correct download path for the malicious file,” explains Štefanko. Through deceptive download buttons and carefully crafted scripts, the attackers exploit vulnerabilities in users' trust and familiarity with popular apps, paving the way for the silent installation of AridSpy on their devices. Reverse-Engineering Apps  Moreover, Arid Viper's ingenuity extends beyond mere app impersonation, as evidenced by their manipulation of legitimate app servers to facilitate data exfiltration. By reverse-engineering existing apps and utilizing their infrastructure, the group orchestrates a seamless data extraction process, further complicating detection and mitigation efforts. AridSpy's capabilities are not limited to data espionage alone; the spyware boasts a sophisticated feature set aimed at evading detection and maximizing information extraction. Through a combination of network evasion tactics and event-triggered data exfiltration mechanisms, AridSpy operates stealthily, siphoning off a plethora of sensitive data including call logs, text messages, media files, and even location information. As the online threats continue to target victims globally, users and organizations alike must remain vigilant against hackers groups and ransomware gangs. By staying informed and adopting robust security measures, individuals can mitigate the risks posed by malicious actors such as the Arid Viper group, safeguarding their digital assets and personal information from exploitation.

image for Vulnerabilities of Z ...

 Business

Organizations are adopting biometric authentication to optimize access control and to add a primary or auxiliary authentication factor for accessing corporate information systems. Biometrics are perfect for the job: such data cant be forgotten like a password, or lost like a keypass, and is very hard to forge.   show more ...

Security no longer has to deal with lost or forgotten cards, and the IT security team doesnt need to come up with OTP systems. However, there are a number of buts to consider when evaluating such implementations: Risks associated with storing and processing biometric information (regulated by law in many countries); Practical difficulties related to false positives and negatives (strongly dependent on the type of biometrics and means of verification); Risks of authentication bypass; Risks of cyberattacks through vulnerabilities in the biometric terminal. The first two points are usually covered by security personnel, but the rest are often underestimated. Yet, as our in-depth study of popular ZKTeco biometric terminals shows, by no means are they far-fetched. These terminals were found to harbor 24 vulnerabilities that allow threat actors to effortlessly bypass authentication, hijack the device, read or modify the list of users, download their photos and other data, and exploit access to the device to develop an attack on the corporate network. Heres how attackers can use these vulnerabilities. ZKTeco terminal QR code instead of a face The biometric terminal model studied by our experts can store a database of users locally and authenticate them in one of several ways: password, QR code, face photo biometrics, or electronic pass. As it turned out, simply scanning a QR code containing the trivial SQL injection is enough to validate authentication on the device and open the doors. And if too much data is embedded in the QR code, the terminal reboots. To carry out these attacks, an attacker only needs to approach the device with a phone or even a paper card. Insecure network access The terminal can be managed either locally or over the network using SSH or a proprietary network protocol using the TCP port 4370. The protocol requires authentication, but the procedures implementation contains serious errors. The password is an integer from 0 to 999999, which is easy to brute-force, and its default value is, of course, zero. The message authentication code (MAC) uses reversible operations, making it easy to analyze network traffic and, if necessary, recover the password through it. SSH access is available to root and zkteco users whose passwords could be recovered through accessing the device memory. Device hijacking The manufacturer provides the ability to access user data remotely, download photos, upload new users, and so on. Given the insecure implementation of the proprietary protocol, this creates a risk of personal data leakage, including biometrics. Threat actors can also add third parties to the database and exclude legitimate employees. On top of that, errors in processing protocol commands give attackers even more options, such as injecting Unix shell system commands into image processing commands and reading arbitrary system files on the terminal, right down to the password-containing /etc/shadow. Whats more, buffer overflow vulnerabilities in the firmware update command allow arbitrary code execution on the device. This creates attractive opportunities for attackers to expand their presence in the network. Since the biometric terminal will have no EDR agent or other security tools, its well suited for reconnaissance operations and routing traffic between compromised devices — if, of course, the terminal itself is connected to the internal network without additional restrictions. How to reduce the risks of attacks through biometric terminals ZKTeco devices are used worldwide under different brand names. If the devices in the illustration look like those in your office, its worth updating the firmware and scrutinizing the settings to make them more secure. Either way, various flaws in biometric terminals need to be taken into account regardless of the specific manufacturer. We recommend the following measures: Choose a biometric terminal supplier carefully. Conduct preliminary analysis of previously known vulnerabilities in its equipment and the time taken to eliminate them. Request information about the suppliers software engineering practices, giving preference to manufacturers that use a secure development lifecycle (SDL). Also request a detailed description of how information is stored, including biometrics. Master the equipment settings and use the most secure configuration. We recommend disabling unnecessary and insecure authentication methods as well as unused services and features. Change all default credentials to strong and unique passwords for all biometric terminal administrators and users. Physically block unnecessary connectors and interfaces on the terminal to eliminate certain attack vectors. Include terminals in update and vulnerability management processes. Isolate the network. If terminals are connected to the local network and linked to a management server, we recommend moving them to a separate physical or virtual subnet (VLAN) to rule out access to terminals from regular computers and servers, and vice versa. To configure access, we advise using a privileged access workstation isolated from regular network activity. Consider telemetry from terminals as a source of information for the SIEM system and other deployed monitoring tools.

image for Space: The Final Fro ...

 Feed

A failure to imagine — and prepare for — threats to outer-space related assets could be a huge mistake at a time when nation-states and private companies are rushing to deploy devices in a frantic new space race.

 Feed

Ubuntu Security Notice 6838-1 - It was discovered that Ruby RDoc incorrectly parsed certain YAML files. If a user or automated system were tricked into parsing a specially crafted .rdoc_options file, a remote attacker could possibly use this issue to execute arbitrary code. It was discovered that the Ruby regex   show more ...

compiler incorrectly handled certain memory operations. A remote attacker could possibly use this issue to obtain sensitive memory contents.

 Feed

Debian Linux Security Advisory 5713-1 - A buffer overflow was discovered in libndp, a library implementing the IPv6 Neighbor Discovery Protocol (NDP), which could result in denial of service or potentially the execution of arbitrary code if malformed IPv6 router advertisements are processed.

 Feed

Ubuntu Security Notice 6836-1 - It was discovered that SSSD did not always correctly apply the GPO policy for authenticated users, contrary to expectations. This could result in improper authorization or improper access to resources.

 Feed

Debian Linux Security Advisory 5712-1 - Several vulnerabilities have been discovered in the FFmpeg multimedia framework, which could result in denial of service or potentially the execution of arbitrary code if malformed files/streams are processed.

 Feed

Ubuntu Security Notice 6837-1 - It was discovered that Rack incorrectly handled Multipart MIME parsing. A remote attacker could possibly use this issue to cause Rack to consume resources, leading to a denial of service. This issue only affected Ubuntu 23.10. It was discovered that Rack incorrectly parsed certain media   show more ...

types. A remote attacker could possibly use this issue to cause Rack to consume resources, leading to a denial of service.

 Feed

Debian Linux Security Advisory 5710-1 - Security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

 Feed

Ubuntu Security Notice 6821-4 - It was discovered that the ATA over Ethernet driver in the Linux kernel contained a race condition, leading to a use-after-free vulnerability. An attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that the Atheros 802.11ac wireless   show more ...

driver did not properly validate certain data structures, leading to a NULL pointer dereference. An attacker could possibly use this to cause a denial of service.

 Feed

Ubuntu Security Notice 6818-3 - Alon Zahavi discovered that the NVMe-oF/TCP subsystem in the Linux kernel did not properly validate H2C PDU data, leading to a null pointer dereference vulnerability. A remote attacker could use this to cause a denial of service. It was discovered that the Intel Data Streaming and Intel   show more ...

Analytics Accelerator drivers in the Linux kernel allowed direct access to the devices for unprivileged users and virtual machines. A local attacker could use this to cause a denial of service.

 Feed

Ubuntu Security Notice 6817-3 - Ziming Zhang discovered that the DRM driver for VMware Virtual GPU did not properly handle certain error conditions, leading to a NULL pointer dereference. A local attacker could possibly trigger this vulnerability to cause a denial of service. Zheng Wang discovered that the Broadcom   show more ...

FullMAC WLAN driver in the Linux kernel contained a race condition during device removal, leading to a use- after-free vulnerability. A physically proximate attacker could possibly use this to cause a denial of service.

 Feed

Red Hat Security Advisory 2024-3868-03 - Network Observability 1.6 for Red Hat OpenShift. Issues addressed include code execution, denial of service, memory exhaustion, and password leak vulnerabilities.

 Feed

Legitimate-but-compromised websites are being used as a conduit to deliver a Windows backdoor dubbed BadSpace under the guise of fake browser updates. "The threat actor employs a multi-stage attack chain involving an infected website, a command-and-control (C2) server, in some cases a fake browser update, and a JScript downloader to deploy a backdoor into the victim's system," German

 Feed

Threat actors have been observed deploying a malware called NiceRAT to co-opt infected devices into a botnet. The attacks, which target South Korean users, are designed to propagate the malware under the guise of cracked software, such as Microsoft Windows, or tools that purport to offer license verification for Microsoft Office. "Due to the nature of crack programs, information sharing amongst

 Feed

A suspected China-nexus cyber espionage actor has been attributed as behind a prolonged attack against an unnamed organization located in East Asia for a period of about three years, with the adversary establishing persistence using legacy F5 BIG-IP appliances and using it as an internal command-and-control (C&C) for defense evasion purposes. Cybersecurity company Sygnia, which responded to

 Feed

Traditional application security practices are not effective in the modern DevOps world. When security scans are run only at the end of the software delivery lifecycle (either right before or after a service is deployed), the ensuing process of compiling and fixing vulnerabilities creates massive overhead for developers. The overhead that degrades velocity and puts production deadlines at risk.

 Feed

ASUS has shipped software updates to address a critical security flaw impacting its routers that could be exploited by malicious actors to bypass authentication. Tracked as CVE-2024-3080, the vulnerability carries a CVSS score of 9.8 out of a maximum of 10.0. "Certain ASUS router models have authentication bypass vulnerability, allowing unauthenticated remote attackers to log in the device,"

2024-06
Aggregator history
Monday, June 17
SAT
SUN
MON
TUE
WED
THU
FRI
JuneJulyAugust