Oktacron logo
Cyber security aggregate rss news

Cyber security aggregator - feeds history
image for Chinese Hackers Comp ...

 Cybersecurity News

Researchers that were called to investigate a cyberattack on a large organization in late 2023 have traced the activity to a sophisticated Chinese-linked threat actor group dubbed 'Velvet Ant,' based on tactics and infrastructure. The investigation found that Velvet Ant infiltrated the company’s network at   show more ...

least three years prior to the incident using the remote access trojan PlugX, which granted the threat actors access to sensitive systems across the enterprise environment. Velvet Ant Campaign Used Evasive Tactics Researchers from Sygnia disclosed that the attack began with the compromise of the organization's internet-facing F5 BIG-IP appliances, which were running on vulnerable OS versions. These appliances usually occupy a trusted position within network architecture, allowing potential attackers significant control over network traffic while evading most forms of detection. These appliances were used within the organization to manage its firewall, WAF (web application firewall), load balancing, and local traffic . [caption id="attachment_77649" align="alignnone" width="1802"] Source: sygnia.co[/caption] The attackers used known remote code execution flaws to install custom malware on the compromised F5 appliances. To obscure the execution chain, the attackers manipulated file-creation times and used three different files (‘iviewers.exe’, ‘iviewers.dll’ and ‘iviewers.dll.ui’) for deployment of the PlugX malware on affected systems. Once installed, PlugX harvested credentials and executed reconnaissance commands to map the internal network. The hackers then used the open-source tool Impacket for lateral movement across the network. [caption id="attachment_77647" align="alignnone" width="1872"] Source: sygnia.co[/caption] During the initial compromise, the threat actor compromised both modern workstations and legacy Windows Server 2003 systems. On modern endpoints, the hackers routinely tampered with the installed antivirus prior to deploying additional tools. This careful targeting of security controls demonstrates Velvet Ant’s operational maturity. However, the focus on legacy platforms ultimately assisted the hackers in evading detection. The researchers identified the placement of 4 additional malware programs on compromised F5 appliances: VELVETSTING - This program was configured to connect to a remote server located in China to check for encoded commands on an hourly basis. Once commands were received, the program would execute them via a Unix shell. VELVETTAP - Malware seems to have been monitoring and capturing data from the F5 internal network interface. SAMRID - This software has been identified as a publicly available tunneling program that had previously been utilized by Chinese state-sponsored groups. While dormant during the researcher's investigation, it may have provided the attackers remote access. ESRDE - This backdoor works similarly to VELVETSTING, running commands delivered from an external server. It was also inactive at the time of analysis. The VELVET programs were set up to restart upon reboot of compromised F5 appliances. These additional malware payloads were likely intended to provide attackers with multiple backdoors even after the discovery and removal of the initial malware. Each infection had been carefully established to resist removal various and facilitate additional infiltration. Organizations Systems Were Reinfected Upon Malware Removal After an extensive incident response operation apparently eliminated the threat actor’s access, researchers detected a PlugX reinfection on clean hosts again a few days later. Further analysis found that the new version of PlugX lacked an external command and control server. Instead, the malware was configured to use an internal file server for command and control. This adaptation blended malicious traffic with normal internal communications, helping Velvet Ant operate undetected. While the attack was eventually contained, its sophistication and persistence highlight the challenges defenders face against advanced persistent threats (APTs). The researchers stated that they could not rule out the possibility of the campaign being a ‘false-flag’ operation by a different APT group. However, the PlugX malware has previously been associated with other China-linked APTs. The researchers have shared several recommendations as well as indicators of compromise (IOCs) on their blog. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

image for Akira Ransomware Cla ...

 Firewall Daily

TETRA Technologies, Inc., a diversified oil and gas services company operating through divisions including Fluids, Production Testing, Compression, and Offshore, has reportedly fallen victim to the Akira ransomware group. This TETRA Technologies cyberattack has put crucial data at risk, including personal documents   show more ...

like passports, birth certificates, and driver’s licenses, as well as confidential agreements and NDAs. The threat actor responsible for the attack has indicated their intention to release approximately 40GB of sensitive data. Despite these claims, TETRA Technologies has not yet issued an official statement confirming or denying the breach. Decoding the TETRA Technologies Cyberattack Claim by Akira Ransomware [caption id="attachment_77529" align="alignnone" width="716"] Source: Dark Web[/caption] The Cyber Express has reached out to the organization to learn more about this TETRA Technologies cyberattack. However, at the time of writing this, no official statement or response has been received, leaving the claims for the TETRA Technologies cyberattack unconfirmed. While the company’s public-facing website appears to be operational, it is speculated that the attack may have targeted internal systems or backend infrastructure rather than causing a visible disruption like a DDoS attack or website defacement. The threat actor behind this attack, Akira ransomware, has emerged as a significant threat in cybersecurity, highlighted by the Cybersecurity and Infrastructure Security Agency (CISA) warning and its widespread impact across various industries worldwide. Known for a dual extortion tactic involving data exfiltration and encryption, Akira ransomware demands ransom payments to prevent data publication on their dark website and to receive decryption keys. The group's name references a 1988 anime film, and they use specific strings like "*.akira" and "akira_readme.txt" for detection.  TETRA Technologies Releases New Processes for Managing Cybersecurity Risks and Governance In their recent regulatory filings, specifically the 10-K filed on 2024-02-27, TETRA Technologies detailed their cybersecurity risk management and governance processes. These include ongoing risk assessments, incident response planning, and the implementation of cybersecurity training programs for employees. The company acknowledges the persistent evolution of cyber threats and emphasizes the importance of maintaining robust defenses against potential attacks. The Vice President of Information Technology leads TETRA Technologies’ cybersecurity initiatives, supported by a comprehensive framework to assess, identify, and manage cybersecurity risks across their operations. Regular updates and enhancements to their security protocols are integral to adapting to emerging threats and complying with regulatory standards. The Board of Directors and Audit Committee of TETRA Technologies provide oversight on cybersecurity matters, receiving periodic updates on the company’s cybersecurity risk profile and incident response capabilities. Management highlighted its commitment to safeguarding sensitive information and maintaining operational continuity despite the challenges posed by cyber threats. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

image for Cybersecurity Expert ...

 Firewall Daily

Cybersecurity researchers have uncovered a disturbing trend in malware delivery tactics involving sophisticated social engineering techniques. These methods exploit user trust and familiarity with PowerShell scripts to compromise systems.  Among these threat actors, the two highlighted, TA571 and ClearFake campaign,   show more ...

were seen leveraging social engineering for spreading malware. According to researchers, the threat actors associated with TA571 and the ClearFake cluster have been actively using a novel approach to infiltrate systems.  This technique involves manipulating users into copying and pasting malicious PowerShell scripts under the guise of resolving legitimate issues. Understanding the TA571 and ClearFake Campaign  [caption id="attachment_77553" align="alignnone" width="1402"] Example of a ClearFake attack chain. (Source: Proofpoint)[/caption] The TA571 campaign, first observed in March 2024, distributed emails containing HTML attachments that mimic legitimate Microsoft Word error messages. These messages coerce users to execute PowerShell scripts supposedly aimed at fixing document viewing issues.  Similarly, the ClearFake campaign, identified in April 2024, employs fake browser update prompts on compromised websites. These prompts instruct users to run PowerShell scripts to install what appears to be necessary security certificates, says Proofpoint. Upon interaction with the malicious prompts, users unwittingly copy PowerShell commands to their clipboard. Subsequent instructions guide them to paste and execute these commands in PowerShell terminals or via Windows Run dialog boxes. Once executed, these scripts initiate a chain of events leading to the download and execution of malware payloads such as DarkGate, Matanbuchus, and NetSupport RAT. The complexity of these attacks is compounded by their ability to evade traditional detection methods. Malicious scripts are often concealed within double-Base64 encoded HTML elements or obscured in JavaScript, making them challenging to identify and block preemptively. Attack Variants, Evolution, and Recommendations Since their initial observations, Proofpoint has noted the evolution of these techniques. TA571, for instance, has diversified its lures, sometimes directing victims to use the Windows Run dialog for script execution instead of PowerShell terminals. Meanwhile, Clearlake has incorporated blockchain-based techniques like "EtherHiding" to host malicious scripts, adding a layer of obfuscation. These developments highlight the critical importance of user education and better cybersecurity measures within organizations. Employees must be trained to recognize suspicious messages and actions that prompt the execution of PowerShell scripts from unknown sources. Organizations should also deploy advanced threat detection and blocking mechanisms capable of identifying malicious activities embedded within seemingly legitimate web pages or email attachments. While the TA571 and ClearFake campaigns represent distinct threat actors with varying objectives, their utilization of advanced social engineering and PowerShell exploitation techniques demands heightened vigilance from organizations worldwide. By staying informed and implementing better cybersecurity practices, businesses can better defend against these online threats.

image for NoName Carries Out R ...

 Cybersecurity News

Several pro-Russia hacker groups have allegedly carried out a massive Distributed Denial-of-Service (DDoS) attack in Romania on June 18, 2024. The Romania Cyberattack has affected critical websites, including the official site of Romania and portals of the country’s stock exchange and financial institutions. The   show more ...

attack was allegedly conducted by NoName in collaboration with the Russian Cyber Army, HackNet, and CyberDragon and Terminus. The extent of the damage, however, remains unclear. Details About Romania Cyberattack According to NoName, the cyberattack was carried out on Romania for its pro-Ukraine stance in the Russia-Ukraine war. In its post on X, NoName claimed, “Together with colleagues shipped another batch of DDoS missiles to Romanian government websites.” The threat actor claimed to have attacked the following websites: The Government of Romania: This is not the first time that the country’s official site was hacked. In 2022, Pro-Russia hacker group Killnet claimed to have carried out cyberattacks on websites of the government and Defense Ministry. However, at that time, the Romania Government claimed that there was no compromise of data due to the attack and the websites were soon restored. National Bank of Romania: The National Bank of Romania is the central bank of Romania and was established in April 1880. Its headquarters are in the capital city of Bucharest. Aedificium Bank for Housing: A banking firm that provides residential lending, home loans, savings, and financing services. It was founded in 2004 and has branches in the European Union (EU), and Europe, Middle East, and Africa (EMEA). Bucharest Stock Exchange: The Bucharest Stock Exchange is the stock exchange of Romania located in Bucharest. As of 2023, there were 85 companies listed on the BVB. Despite the bold claims made by the NoName group, the extent of the Romania cyberattack, details of compromised data, or the motive behind the attack remain undisclosed. A visual examination of the affected organizations’ websites shows that all the listed websites are experiencing accessibility issues. These issues range from “403 Forbidden” errors to prolonged loading times, indicating a probable disruption or compromise. The situation is dynamic and continues to unravel. It is imperative to approach this information cautiously, as unverified claims in the cybersecurity world are not uncommon. The alleged NoName attack highlights the persistent threat of cyberattacks on critical entities, such as government organizations and financial institutions. However, official statements from the targeted organizations have yet to be released, leaving room for skepticism regarding the severity and authenticity of the Romania cyberattack claim. Until official communication is provided by the affected organizations, the true nature and impact of the alleged NoName attack remain uncertain. Romania Cyberattacks Are Not Uncommon This isn’t the first instance of NoName targeting organizations in Romania. In March this year, NoName attacked the Ministry of Internal Affairs, The Service of Special Communications, and the Central Government. In February, Over a hundred Romanian healthcare facilities were affected by a ransomware attack by an unknown hacker, with some doctors forced to resort to pen and paper. How to Mitigate NoName DDoS attacks Mitigation against NoName’s DDoS attacks require prolonged cloud protection tools and specialized software and filtering tools to detect the flow of traffic before it can hit the servers. In some cases, certain antivirus software can be successful in detecting threats that can be used by organizations to launch DDoS attacks. A robust and essential cyber hygiene practice to avoid threats includes patching vulnerabilities and not opening phishing emails that are specially crafted to look like urgent communications from legitimate government organizations and other spoofed entities. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

image for Chinese Citizens Tar ...

 Research

Researchers from Cyble Research and Intelligence Labs (CRIL) have discovered a QR code-based phishing campaign that uses malicious Word documents masquerading as official documents from the Ministry of Human Resources and Social Security of China. Users are tricked into providing bank card details and passwords under   show more ...

the guise of identity verification and authentication processes. QR Code-Based Phishing Campaign QR code phishing attacks have escalated significantly this year, with cybercriminals leveraging this technology to steal personal and financial information. Threat actors (TAs) are embedding QR codes in office documents and redirecting users to fraudulent websites designed to harvest sensitive data. In the ever-evolving cyber threat landscape, a new vector has emerged: QR code-based phishing campaign. Cybercriminals are increasingly embedding QR codes in malicious documents, which when scanned direct users to fraudulent websites. This tactic has seen a marked rise in 2024 following a trend that started during the COVID-19 pandemic, when QR codes became widely adopted for contactless transactions and information sharing. The Hoxhunt Challenge highlighted a 22% increase in QR code phishing during late 2023, and research by Abnormal Security indicates that 89.3% of these attacks aim to steal credentials. The growing familiarity with QR codes has created a false sense of security, making it easier for cybercriminals to exploit them. QR codes can mask destination URLs, preventing users from easily verifying the legitimacy of the site they are being redirected to. Recent QR Code Campaigns and Techniques Recently, Cyble Research and Intelligence Labs uncovered a sophisticated phishing campaign targeting individuals in China. This campaign saw the use of Microsoft Word documents embedded with QR codes, which are distributed via spam email attachments. The documents were designed to appear as official notices from the Ministry of Human Resources and Social Security of China, offering labor subsidies above 1000 RMB to lure victims. [caption id="attachment_77666" align="aligncenter" width="769"] MS Word file containing QR code (Source: Cyble)[/caption] The documents are meticulously crafted to look authentic, complete with official logos and language that mimics government communications. Once the QR code in the document is scanned, it redirects the user to a phishing site designed to collect sensitive information. This particular campaign stands out due to its use of a Domain Generation Algorithm (DGA), which generates a series of seemingly random domain names. DGA is a program that generates large numbers of new domain names. Cybercriminals and botnet operators generally use it to frequently change the domains used to launch malware attacks. This technique enables hackers to avoid malware-detection solutions that block specific domain names and static IP addresses. The latest campaign isn't an isolated incident. A similar phishing operation was documented in January 2023 by Fortinet, where cybercriminals impersonated another Chinese government agency. This resurgence in QR code phishing attacks indicates a persistent threat targeting Chinese citizens, with malicious actors continually refining their tactics to evade detection. The QR Code Phishing Process The phishing process begins with the user scanning the QR code from the malicious Word document. This action takes them to the phishing site, which initially displays a dialogue box promising a labor subsidy. The site is designed to appear official, complete with government logos and formal language to enhance credibility. The phishing site instructs the user to provide personal information, starting with their name and national ID. This step is presented as a necessary part of the application process for the subsidy. Once the user enters this information, they are directed to a second page that requests detailed bank card information, including the card number, phone number, and balance. This information is ostensibly required for identity verification and to process the subsidy. After collecting the bank card details, the phishing site asks the user to wait while their information is "verified." This waiting period is a tactic used to add a sense of legitimacy to the process. Following this, the site prompts the user to enter their bank card password, under the guise of further verification. This password is suspected to be the same as the payment password used for domestic credit card transactions. By obtaining this password along with the card details, the threat actors can perform unauthorized transactions, leading to significant financial losses for the victim. Phishing Activity Technical IoCs The phishing activity begins when the user scans the QR code embedded in the Word document. This action directs them to the link “hxxp://wj[.]zhvsp[.]com”. This initial URL then redirects to a subdomain, “tiozl[.]cn”, created using a DGA. The use of a DGA means the phishing URLs are constantly changing, making them harder to block preemptively. [caption id="attachment_77670" align="aligncenter" width="1024"] Landing page of phishing site (Source: Cyble)[/caption] The domain “tiozl[.]cn” is hosted on the IP address “20.2.161[.]134”. This IP address is associated with multiple other domains, suggesting a large-scale phishing operation. The domains linked to this campaign are: - 2wxlrl.tiozl[.]cn - op18bw[.]tiozl.cn - gzha31.tiozl[.]cn - i5xydb[.]tiozl.cn - hzrz7c.zcyyl[.]com Further investigation revealed that the SHA-256 fingerprint of an SSH server host key associated with the IP address “20.2.161[.]134” is linked to 18 other IPs, all within the same Autonomous System Number (ASN), AS8075, and located in Hong Kong. These IPs host URLs with similar patterns, indicating a coordinated effort to deploy numerous phishing sites. The rise in QR code phishing attacks underscores the increasing sophistication and adaptability of cybercriminals. By exploiting the widespread use of QR codes - especially in a post-pandemic world - these attacks effectively lure users into divulging sensitive financial information. The recent campaign targeting Chinese citizens highlights the severity of this threat, as malicious actors use seemingly official documents to gather card details and passwords, leading to significant financial losses. This trend emphasizes the need for heightened vigilance and robust security measures to protect against such evolving threats. Recommendations for Mitigation To mitigate the risk of QR code phishing attacks, CRIL said it is crucial to follow these cybersecurity best practices: 1. Scan QR codes from trusted sources only: Avoid scanning codes from unsolicited emails, messages, or documents, especially those offering financial incentives or urgent actions. 2. Verify URLs before proceeding: After scanning a QR code, carefully check the URL for legitimacy, such as official domains and secure connections (https://). 3. Install reputable antivirus and anti-phishing software: These tools can detect and block malicious websites and downloads. 4. Stay informed about phishing techniques: Educate yourself and others about the risks associated with QR codes to prevent successful phishing attacks. 5. Use two-factor authentication (2FA): This adds an extra layer of security, making it harder for attackers to gain unauthorized access. 6. Keep software up to date: Ensure your operating systems, browsers, and applications are updated with the latest security patches to protect against known vulnerabilities. 7. Use secure QR code scanner apps: Consider apps that check URLs against a database of known malicious sites before opening them. 8. Monitor financial statements regularly: Review your bank and credit card statements for unauthorized transactions and report any suspicious activity immediately.

image for NHS Dumfries and Gal ...

 Cybersecurity News

NHS Dumfries and Galloway health authorities have warned that confidential patient data from its systems had been accessed and copied by cybercriminals in February before being published online in early May. The cybercriminals attempted to force the health authorities of the Scottish region to cede to their demands,   show more ...

sharing sensitive details online after failing to extort money. NHS Dumfries and Galloway Breach NHS Dumfries and Galloway’s computer systems were breached by hackers in February 2024. The threat actors had accessed and copied confidential patient data including X-rays, test results and communications between health care providers and patients. However, the stolen data had not been deleted or altered on NHS systems and patient care has not been impacted. [caption id="attachment_77683" align="alignnone" width="1084"] Source: nhsdg.co.uk[/caption] On May 6, the criminals made good on threats to publish the data online after NHS Dumfries and Galloway did not meet undisclosed demands. The leaked data includes millions of small, individual files on NHS patients. Authorities said they are prioritizing notifications to vulnerable patient groups that may be at higher risk due to the breach. The NHS Dumfries and Galloway has been working alongside national agencies like Police Scotland, The National Crime Agency, The National Cyber Security Centre and The Scottish Government for advice and direction in investigating the incident. "On behalf of NHS Dumfries and Galloway, I would like to apologise for the anxiety which may have been caused to you due to this situation. We have sought to be as open as possible while adhering to the very explicit guidance we have received from Police Scotland and partner agencies," stated Julie White, Chief Executive of NHS Dumfries and Galloway. Risks and Recommendations The Chief Executive of NHS Dumfries and Galloway stated that patients should assume some personal data was likely copied and published. The health authority identified potential risks including identity theft, extortion attempts and anxiety stemming from the data breach. Patients are advised to remain vigilant. NHS recommends patients refrain from opening suspicious emails, clicking unknown links or providing personal information over the phone to unverified parties. Suspicious communications should be reported to Police Scotland immediately. The health authority also advises patients to frequently update passwords and to make them as strong as possible. A helpline and website have been set up to provide information and support relating to the cyber attack. Psychological services are available for those experiencing anxiety regarding stolen personal data. The criminal investigation remains ongoing alongside technology partners to secure NHS systems against future attacks. Patients with additional questions can visit www.nhsdg.co.uk/cyberattack or call the helpline at 01387 216 777, open 9 a.m. to 6 p.m. weekdays and 9 a.m. to 1 p.m. Saturdays. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

image for META Stealer Enhance ...

 Firewall Daily

META stealer v5.0 has recently launched, heralding a new phase of advanced and heightened features for the infostealer. This latest version introduces TLS encryption between the build and the C2 panel, a significant enhancement similar to recent updates in other leading stealers like Lumma and Vidar. The update   show more ...

announcement (screenshot below) emphasizes several key improvements aimed at enhancing functionality and security. This includes integration with TLS encryption, ensuring secure communication channels between the build and the control panel. This upgrade highlights the malware developer's commitment to enhance the stealer's capabilities and reach. [caption id="attachment_77605" align="alignnone" width="450"] META stealer 5.0 details (source: X)[/caption] Decoding the New META Stealer v5.0: Features and Capabilities The new META Stealer v5.0 update introduces a new build system allowing users to generate unique builds tailored to their specific requirements. This system is supported by the introduction of "Stub token" currency, enabling users to create new Runtime stubs directly from the panel. This feature enhances flexibility and customization options for users. Another notable addition is the "Crypt build" option, enhancing security by encrypting builds to avoid detection during scans. This feature ensures that builds remain undetected at scan time, reinforcing the stealer's stealth capabilities, thus creating the perfect hindering plan for the information stealer. Additionally, the update includes improvements to the panel's security and licensing systems. The redesigned panel incorporates enhanced protection measures, while the revamped licensing system aims to reduce operational disruptions for users. Previous META Stealer Promises and Upgrades  The makers of META Stealer released the new update on June 17th, 2024 with a special focus on implementing a new system for generating unique stubs per user. This approach enhances individualized security and also highlights the stealer's commitment to continuous improvement and user satisfaction. Previously, in February 2023, META Stealer underwent significant updates with version 4.3. This update introduced features such as enhanced detection cleaning, the ability to create builds in multiple formats (including *.vbs and *.js), and integration with Telegram for build creation. These enhancements demonstrate META stealer's commitment to target unsuspecting victims.  META stealer continues to evolve with each update, reinforcing its position as a versatile and robust information stealer designed to meet the diverse needs of its user base while continuing targeting victims globally. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

image for MEDUSA Ransomware Gr ...

 Cybersecurity News

Threat Actors (TAs) associated with the notorious MEDUSA ransomware have escalated their activities and have allegedly targeted two institutions in the USA. In a scenario mirroring all of its previous attacks, the group has not divulged critical information, such as the type of compromised data. It has, however,   show more ...

demanded a bounty of US $120,000 from Fitzgerald, DePietro & Wojnas CPAs, P.C and $100,000 from Tri-City College Prep High School to stop leaking internal data of the concerned organizations. Understanding the MEDUSA Ransomware Attack One of the two institutions targeted by MEDUSA is Tri-Cities Preparatory High School, a public charter middle and high school located in Prescott, Arizona, USA. The threat actor claimed to have access to 1.2 GB of the school's data and has threatened to publish it within 7-8 days. The other organization that the group has claimed to have targeted is Fitzgerald, DePietro & Wojnas CPAs, P.C. It is an accounting firm based in Utica, New York, USA. The group claims to have access to 92.5 GB of the firm's data and has threatened to publish it within 8–9 days. Despite the tall claims made by the ransomware group, the official websites of the targeted companies seem to be fully functional, with no signs of any foul activity. The organizations, however, have not yet reacted to the alleged cyberattack, leaving the claims made by the ransomware group unverified.  The article would be updated once the respective organizations respond to the claims. The absence of confirmation raises the question of the authenticity of the ransomware claim. It remains to be seen if the tactic employed by MEDUSA group is to garner attention or if there are any ulterior motives attached to their actions. Only an official statement by the affected organizations can reveal the true nature of the situation. However, if the claims made by the MEDUSA ransomware group do turn out to be true, then the consequences could be sweeping. The potential leak of sensitive data could pose a significant threat to the affected organizations and their staff, students and employees. Who is the MEDUSA Ransomware Group? MEDUSA first came into limelight in June 2021 and has since launched attacks on organizations in many countries targeting multiple industries, including healthcare, education, manufacturing, and retail. Most of the victims, though, have established their base in the United States of America. MEDUSA carries out its attacks as a Ransomware-as-a-Service (RaaS) platform. It provides would-be target organizations with malicious software and infrastructure required to carry out disrupting ransomware attacks. The ransomware group also runs a public Telegram channel that TAs utilize to post data that might be stolen, which could be an attempt to extort organizations and demand ransom. History of MEDUSA Ransomware Attacks Last week, the Medusa group took ownership of the cyberattack on Australia’s Victoria Racing Club (VRC). To provide authenticity, Medusa shared thirty documents from the club and demanded a ransom of US$700,000 from anyone who wanted to either delete the data or else download it. The leaked data included financial details of gaming machines, prizes won by VRC members, customer invoices, marketing details, names, email addresses, and mobile phone numbers. The VRC confirmed the breach, with its chief executive Steve Rosich releasing a statement: "We are currently communicating with our employees, members, partners, and sponsors to inform them that the VRC recently experienced a cyber incident.” In 2024, MEDUSA had targeted four organizations across different countries, including France, Italy, and Spain. The group’s modus operandi remains constant, with announcements being made on their dark web forum accompanied by deadlines and ransom demands. As organizations grapple with the fallout of cyberattacks by groups like MEDUSA, it becomes critical to remain cautious and implement strategic security measures. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

image for Phishing Attack at L ...

 Cybersecurity News

The Los Angeles County Department of Public Health (DPH) has disclosed a significant data breach impacting more than 200,000 individuals. The data breach at Los Angeles County DPH, occurring between February 19 and 20, 2024, involved the theft of sensitive personal, medical, and financial information. The data breach   show more ...

was initiated through a phishing attack, where an external threat actor obtained the login credentials of 53 DPH employees. “Between February 19, 2024, and February 20, 2024, DPH experienced a phishing attack,” reads the official notice. Data Breach at Los Angeles County DPH: What Happened The phishing email, designed to appear legitimate, tricked employees into divulging their credentials by clicking on a malicious link. This unauthorized access led to a wide-ranging compromise of data, affecting various individuals associated with DPH, including clients, employees, and others. The compromised email accounts contained a wealth of sensitive data. The potentially exposed information includes: First and last names Dates of birth Diagnosis and prescription details Medical record numbers/patient IDs Medicare/Med-Cal numbers Health insurance information Social Security numbers Other financial information It is important to note that not all of the above data elements were present for every affected individual. Each individual may have been impacted differently based on the specific information contained in the compromised accounts. “Affected individuals may have been impacted differently and not all of the elements listed were present for each individual,” Los Angeles County DPH informed.  Data Breach at Los Angeles County DPH Notification  DPH is taking extensive steps to notify all potentially affected individuals. Notifications are being sent via post to those whose mailing addresses are available. For individuals without a mailing address, DPH also posts a notice on its website to provide necessary information and resources. The department has advised impacted individuals to review the content and accuracy of their medical records with their healthcare providers. However, on delay in notification, Los Angeles County DPH said, “Due to an investigation by law enforcement, we were advised to delay notification of this incident, as public notice may have hindered their investigation.” To assist in protecting against potential misuse of their information, DPH is offering one year of free identity monitoring services through Kroll, a global leader in risk mitigation and response. “To help relieve concerns and restore confidence following this incident, we have secured the services of Kroll, a global leader in risk mitigation and response, to provide identity monitoring for one year at no cost to affected clients,” reads the notice. Response and Preventive Measures Upon discovering the Los Angeles County DPH data breach, DPH took immediate action to mitigate further risks. The department disabled the affected email accounts, reset and re-imaged the users’ devices, blocked the websites involved in the phishing campaign, and quarantined all suspicious incoming emails. Additionally, DPH has implemented numerous security enhancements to prevent similar incidents in the future. Awareness notifications have been distributed to all workforce members, reminding them to be vigilant when reviewing emails, especially those containing links or attachments. These measures aim to bolster the department’s defense against phishing attacks and other cyber threats. The incident was promptly reported to law enforcement authorities, who investigated the breach. The US Department of Health and Human Services’ Office for Civil Rights and other relevant agencies are also notified, as required by law and contractual obligations. Steps for Individuals to Protect Themselves While DPH cannot confirm whether any information has been accessed or misused, affected individuals are encouraged to take proactive steps to protect their personal information. These steps include: Reviewing Medical Records: Individuals should review their medical records and Explanation of Benefits statements for any discrepancies or unauthorized services. Any irregularities should be reported to their healthcare provider or health plan. Requesting Credit Reports: Individuals should remain vigilant against identity theft and fraud by regularly reviewing their financial statements and credit reports. Under US law, individuals are entitled to one free credit report annually from each of the three major credit reporting bureaus: Equifax, Experian, and TransUnion. Free credit reports can be requested at www.annualcreditreport.com or by calling 1-877-322-8228. Placing Fraud Alerts: Individuals can place a fraud alert on their credit files, which notifies creditors to take additional steps to verify identity before granting credit. Fraud alerts can be set up by contacting any of the major credit bureaus. Security Freezes: A security freeze can also be placed on credit reports, which prevents credit bureaus from releasing any information without written authorization. This measure can help prevent unauthorized credit activity but may delay the approval of new credit requests. The Los Angeles County Department of Public Health continues to cooperate with law enforcement and other agencies to protect the privacy and security of its clients, employees, and other stakeholders.

image for Duo Charged with Ope ...

 Cybersecurity News

Two suspected administrators of a $430 million dark web marketplace are facing the possibility of life sentences in the United States. The U.S. Department of Justice (DOJ) has charged Thomas Pavey, 38, and Raheim Hamilton, 28, with managing "Empire Market" from 2018 to 2020, and for previously selling   show more ...

counterfeit U.S. currency on AlphaBay, a now-defunct criminal market. The Justice Department alleges that Pavey and Hamilton facilitated nearly four million transactions on Empire Market, which involved drugs such as heroin, methamphetamine and cocaine, as well as counterfeit currency and stolen credit card information. Pavey is from Ormond Beach, Florida, and Hamilton is from Suffolk, Virginia. The indictment claims that they initially collaborated on selling counterfeit U.S. currency on AlphaBay. After AlphaBay was shut down in a global law enforcement operation in July 2017, Hamilton and Pavey launched Empire Market on February 1, 2018. Operation of Empire Market Empire Market featured categories such as Fraud, Drugs & Chemicals, Counterfeit Items, and Software & Malware. The indictment mentions at least one instance where counterfeit U.S. currency was sold to an undercover law enforcement agent on the platform. Transactions were conducted using cryptocurrency and the platform allowed users to even rate the sellers. Hamilton and Pavey allegedly managed Empire Market until August 22, 2020. During the investigation, the DOJ seized $75 million worth of cryptocurrency, along with cash and precious metals, though it remains unclear if these were obtained through raids on the suspects' properties. New Dark Web Marketplaces Spring Up This case is part of a broader trend where former users of one dark web marketplace create new platforms following law enforcement crackdowns. For example, after AlphaBay's closure, some vendors moved to create new marketplaces or tools like Skynet Market. Another notable cybercriminal forum - BreachForums - has encountered issues recently while attempting to resume operations after law enforcement actions. ShinyHunters – who had reportedly retired after tiring of the pressure of running a notorious hacker forum – returned on June 14 to announce that the forum is now under the ownership of a threat actor operating under the new handle name “Anastasia.” It’s not yet clear if the move will quell concerns that the forum has been taken over by law enforcement after a May 15 FBI-led takeover, but for now, BreachForums is up and running under its .st domain. The arrests of Pavey and Hamilton underscore the ongoing efforts by law enforcement to dismantle dark web marketplaces that facilitate illegal activities and highlight the significant legal consequences for those involved in such operations. Pavey and Hamilton are currently in custody, awaiting arraignment in a federal court in Chicago. They face numerous charges, including drug trafficking, computer fraud, counterfeiting and money laundering. Each charge carries a potential life sentence in federal prison.

image for CISA & EAC Release G ...

 Cybersecurity News

In a joint effort to enhance election security and public confidence, the Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Election Assistance Commission (EAC) have released a comprehensive guide titled “Enhancing Election Security Through Public Communications.” This guide on election security   show more ...

is designed for state, local, tribal, and territorial election officials who play a critical role as the primary sources of official election information. Why Communication is Important in Election Security Open and transparent communication with the American public is essential to maintaining trust in the electoral process. State and local election officials are on the front lines, engaging with the public and the media on numerous election-related topics. These range from election dates and deadlines to voter registration, candidate filings, voting locations, election worker recruitment, security measures, and the publication of results. The new guide aims to provide these officials with a strong framework and practical tools to develop and implement an effective, year-round communications plan. “The ability for election officials to be transparent about the elections process and communicate quickly and effectively with the American people is crucial for building and maintaining their trust in the security and integrity of our elections process,” stated CISA Senior Advisor Cait Conley. The election security guide offers practical advice on how to tailor communication plans to the specific needs and resources of different jurisdictions. It includes worksheets to help officials develop core components of their communication strategies. This approach recognizes the diverse nature of election administration across the United States, where varying local contexts require customized solutions. EAC Chairman Ben Hovland, Vice Chair Donald Palmer, Commissioner Thomas Hicks, and Commissioner Christy McCormick collectively emphasized the critical role of election officials as trusted sources of information. “This resource supports election officials to successfully deliver accurate communication to voters with the critical information they need before and after Election Day,” they said. Effective and transparent communication not only aids voters in casting their ballots but also helps instill confidence in the security and accuracy of the election results. How Tailored Communication Enhances Election Security The release of this guide on election security comes at a crucial time when trust in the electoral process is increasingly under scrutiny. In recent years, the rise of misinformation and cyber threats has posed significant challenges to the integrity of elections worldwide. By equipping election officials with the tools to communicate effectively and transparently, CISA and the EAC are taking proactive steps to safeguard the democratic process. One of the strengths of this guide is its emphasis on tailoring communication strategies to the unique needs of different jurisdictions. This is a pragmatic approach that acknowledges the diverse landscape of election administration in the U.S. It recognizes that a one-size-fits-all solution is not feasible and that local context matters significantly in how information is disseminated and received. Furthermore, the guide’s focus on year-round communication is a noteworthy aspect. Election security is not just a concern during election cycles but is a continuous process that requires ongoing vigilance and engagement with the public. By encouraging a year-round communication plan, the guide promotes sustained efforts to build and maintain public trust. However, while the guide is a step in the right direction, its effectiveness will largely depend on the implementation by election officials at all levels. Adequate training and resources must be provided to ensure that officials can effectively utilize the tools and strategies outlined in the guide. Additionally, there needs to be a concerted effort to address potential barriers to effective communication, such as limited funding or technological challenges in certain jurisdictions. To Wrap UP The “Enhancing Election Security Through Public Communications” guide by CISA and the EAC is a timely and necessary resource for election officials across the United States. As election officials begin to implement the strategies outlined in the guide, it is imperative that they receive the support and resources needed to overcome any challenges. Ultimately, the success of this initiative will hinge on the ability of election officials to engage with the public in a clear, accurate, and transparent manner, thereby reinforcing the security and integrity of the election process.

image for Linux Malware Campai ...

 Cybersecurity News

Cybersecurity researchers are tracking a novel Linux malware campaign that makes use of Discord emojis for command and control (C2) communication with attackers. The campaign’s unusual combination of Linux malware and phishing lures suggests an attack aimed at Linux desktop users, the researchers from Volexity said.   show more ...

“Volexity assesses it is highly likely this campaign, and the malware used, is targeted specifically towards government entities in India, who use a custom Linux distribution named BOSS as their daily desktop,” they wrote. Threat Actor ‘UTA0137’ Linked to Campaign Volexity researchers connected the campaign to a Pakistan-based threat actor they call UTA0137. The researchers said they have “high confidence that UTA0137 has espionage-related objectives and a remit to target government entities in India. Based on Volexity’s analysis, UTA0137’s campaigns appear to have been successful.” The researchers say they have “moderate confidence” that UTA0137 is a Pakistan-based threat actor because of the group’s targets and a few other reasons: The Pakistani time zone was hardcoded in one malware sample. There are weak infrastructure links to SideCopy, a known Pakistan-based threat actor. The Punjabi language was used in the malware. The malware used by the threat group uses a modified version of the discord-c2 GitHub project for its Discord command and control (C2) communication. The malware, dubbed DISGOMOJI by the researchers, is written in Golang and compiled for Linux systems. The threat actors also use the DirtyPipe (CVE-2022-0847) privilege escalation exploit against “BOSS 9” systems, which remain vulnerable to the exploit. Attack Starts With DSOP PDF The malware is delivered via a DSOP.pdf lure, which claims to be a beneficiary document of India’s Defence Service Officer Provident Fund (screenshot below). [caption id="attachment_77503" align="alignnone" width="750"] The DSOP lure that downloads the malware[/caption] The malware then downloads the next-stage payload, named vmcoreinfo, from a remote server, clawsindia[.]in. The payload is an instance of the DISGOMOJI malware and is dropped in a hidden folder named .x86_64-linux-gnu in the user’s home directory. DISGOMOJI, a UPX-packed ELF written in Golang, uses Discord for C2. “An authentication token and server ID are hardcoded inside the ELF, which are used to access the Discord server,”  they wrote. “The malware creates a dedicated channel for itself in the Discord server, meaning each channel in the server represents an individual victim. The attacker can then interact with every victim individually using these channels.” On startup, DISGOMOJI sends a check-in message in the channel that contains information like the internal IP, the user name, host name, OS and current working directory. The malware can survive reboots through the addition of a @reboot entry to the crontab, and it also downloads a script named uevent_seqnum.sh to copy files from any attached USB devices. Discord Emojis Used for C2 Communication C2 communication uses an emoji-based protocol, “where the attacker sends commands to the malware by sending emojis to the command channel, with additional parameters following the emoji where applicable.” A Clock emoji in the command message lets the attacker know a command is being processed, while a Check Mark emoji confirms that the command was executed. The researchers summarized the emoji commands in a table: [caption id="attachment_77505" align="alignnone" width="750"] The Discord emojis used to communicate with attackers (source: Volexity)[/caption] Post-exploitation activities include use of the Zenity utility to display malicious dialog boxes to socially engineer users into giving up their passwords. Open source tools such as Nmap, Chisel and Ligolo are also used, and the DirtyPipe exploit suggests increasing sophistication of the atacker's methods, the researchers said. Indicators of compromise (IoCs) can be downloaded from the Volexity GitHub page: YARA rules Single value indicators

image for Guidehouse and Nan M ...

 Cybersecurity News

Guidehouse Inc., based in McLean, Virginia, and Nan McKay and Associates, headquartered in El Cajon, California, have agreed to pay settlements totaling $11.3 million to resolve allegations under the False Claims Act. The settlements came from their failure to meet cybersecurity requirements in contracts aimed at   show more ...

providing secure online access for low-income New Yorkers applying for federal rental assistance during the COVID-19 pandemic. What Exactly Happened? In response to the economic hardships brought on by the pandemic, Congress enacted the Emergency Rental Assistance Program (ERAP) in early 2021. This initiative was designed to offer financial support to eligible low-income households in covering rent, rental arrears, utilities, and other housing-related expenses. Participating state agencies, such as New York's Office of Temporary and Disability Assistance (OTDA), were tasked with distributing federal funding to qualified tenants and landlords. Guidehouse assumed a pivotal role as the prime contractor for New York's ERAP, responsible for overseeing the ERAP technology and services. Nan McKay acted as Guidehouse's subcontractor, entrusted with delivering and maintaining the ERAP technology used by New Yorkers to submit online applications for rental assistance. Admission of Violations and Settlement Critical to the allegations were breaches in cybersecurity protocols. Both Guidehouse and Nan McKay admitted to failing their obligation to conduct required pre-production cybersecurity testing on the ERAP Application. Consequently, the ERAP system went live on June 1, 2021, only to be shut down twelve hours later by OTDA due to a cybersecurity breach. This data breach exposed the personally identifiable information (PII) of applicants, which was found accessible on the Internet. Guidehouse and Nan McKay acknowledged that proper cybersecurity testing could have detected and potentially prevented such breaches. Additionally, Guidehouse admitted to using a third-party data cloud software program to store PII without obtaining OTDA’s permission, violating their contractual obligations. Government Response and Accountability Principal Deputy Assistant Attorney General Brian M. Boynton of the Justice Department’s Civil Division emphasized the importance of adhering to cybersecurity commitments associated with federal funding. "Federal funding frequently comes with cybersecurity obligations, and contractors and grantees must honor these commitments,” said Boynton. “The Justice Department will continue to pursue knowing violations of material cybersecurity requirements aimed at protecting sensitive personal information.” U.S. Attorney Carla B. Freedman for the Northern District of New York echoed these sentiments, highlighting the necessity for federal contractors to prioritize cybersecurity obligations. “Contractors who receive federal funding must take their cybersecurity obligations seriously,” said Freedman. “We will continue to hold entities and individuals accountable when they knowingly fail to implement and follow cybersecurity requirements essential to protect sensitive information.” Acting Inspector General Richard K. Delmar of the Department of the Treasury emphasized the severe impact of these breaches on a program crucial to the government’s pandemic recovery efforts. He expressed gratitude for the partnership with the DOJ in addressing this breach and ensuring accountability. “These vendors failed to meet their data integrity obligations in a program on which so many eligible citizens depend for rental security, which jeopardized the effectiveness of a vital part of the government’s pandemic recovery effort,” said Delmar. “Treasury OIG is grateful for DOJ’s support of its oversight work to accomplish this recovery.” New York State Comptroller Thomas P. DiNapoli emphasized the critical role of protecting the integrity of programs like ERAP, vital to economic recovery. He thanked federal partners for their collaborative efforts in holding these contractors accountable. “This settlement sends a strong message to New York State contractors that there will be consequences if they fail to safeguard the personal information entrusted to them or meet the terms of their contracts,” said DiNapoli. “Rental assistance has been vital to our economic recovery, and the integrity of the program needs to be protected. I thank the United States Department of Justice, United States Attorney for the Northern District of New York Freedman and the United States Department of Treasury Office of the Inspector General for their partnership in exposing this breach and holding these vendors accountable.” Initiative to Address Cybersecurity Risks In response to such breaches, the Deputy Attorney General announced the Civil Cyber-Fraud Initiative on October 6, 2021. This initiative aims to hold accountable entities or individuals who knowingly endanger sensitive information through inadequate cybersecurity practices or misrepresentations. The investigation into these breaches was initiated following a whistleblower lawsuit under the False Claims Act. As part of the settlement, whistleblower Elevation 33 LLC, owned by a former Guidehouse employee, will receive approximately $1.95 million. Trial Attorney J. Jennifer Koh from the Civil Division's Commercial Litigation Branch, Fraud Section, and Assistant U.S. Attorney Adam J. Katz from the Northern District of New York led the case, with support from the Department of the Treasury OIG and the Office of the New York State Comptroller. These settlements highlight the imperative for rigorous cybersecurity measures in federal contracts, particularly in safeguarding sensitive personal information critical to public assistance programs. As the government continues to navigate evolving cybersecurity threats, it remains steadfast in enforcing accountability among contractors entrusted with protecting essential public resources.

image for EU Chat Control Prop ...

 Regulations

Experts slammed the latest European Union proposals for chat control to prevent child sexual abuse, calling the proposals a front for mass surveillance that will undermine encryption standards. Meredith Whittaker, president of the Signal foundation that operates the end-to-end encrypted (E2EE) messaging application,   show more ...

criticized the latest European Union proposals for chat control to prevent child sexual abuse, calling it “an old wine repackaged in new bottle.” “For decades, experts have been clear: there is no way to both preserve the integrity of end-to-end encryption and expose encrypted contents to surveillance. But proposals to do just this emerge repeatedly,” Whittaker said. “Either end-to-end encryption protects everyone, and enshrines security and privacy, or it’s broken for everyone.” – Meredith Whittaker The Chat Control Proposal Her statement comes in response to the European Council’s proposal for chat control, which lays down rules to monitor E2EE under the veil of preventing and combating child sexual abuse. “While end-to-end encryption is a necessary means of protecting fundamental rights and the digital security of governments, industry and society, the European Union needs to ensure the effective prevention of and fight against serious crime such as child sexual abuse,” the proposal says. “It is crucial that services employing end-to-end encryption do not inadvertently become secure zones where child sexual abuse material can be shared or disseminated. Therefore, child sexual abuse material should remain detectable in all interpersonal communications services through the application of vetted technologies.” The proposal suggests that chat control could work in way that when any visual content is uploaded, the users be required to give explicit consent for a detection mechanism to be applied to that particular service. “Users not giving their consent should still be able to use that part of the service that does not involve the sending of visual content and URLs,” it said. “This ensures that the detection mechanism can access the data in its unencrypted form for effective analysis and action, without compromising the protection provided by end-to-end encryption once the data is transmitted.” What Experts Say However, Whittaker said that what the EU is proposing isn't possible without fundamentally undermining encryption and creating “a dangerous vulnerability in core infrastructure” that can have global implications beyond Europe. She called the proposal a “rhetorical game” of some European countries that have come up with the same idea under a new banner. Whittaker was referring to previous proposals under the name of “client-side scanning,” which is now being called “upload moderation.” “Some are claiming that ‘upload moderation’ does not undermine encryption because it happens before your message or video is encrypted. This is untrue. We can call it a backdoor, a front door, or “upload moderation.” But whatever we call it, each one of these approaches creates a vulnerability that can be exploited by hackers and hostile nation states, removing the protection of unbreakable math and putting in its place a high-value vulnerability." Whittaker reiterated that mandating mass scanning of private communications fundamentally undermines encryption, “Full stop.” Chaos Computer Club, German MP Also Opposed The Chaos Computer Club (CCC) and Patrick Dreyer, Member of European Parliament for the German and the European Pirate Party, argued along similar lines. The proposal stipulates that users must actively agree to chat control, but the refusal to do so comes with a punishment: Those who do not agree are no longer allowed to send any pictures or videos at all, a severe restriction of the service. “There can be no talk of voluntary participation here,” commented Linus Neumann, spokesman for the Chaos Computer Club. [caption id="attachment_77633" align="aligncenter" width="1024"] Source: Patrick Dreyer[/caption] Dreyer urged Europeans to take immediate action against the Chat Control proposal and said the EU countries pushing the proposal are exploiting the short period after the European Elections during which there is less public attention and the new European Parliament is not yet formed. “If Chat Control is endorsed by Council now, experience shows there is a great risk it will be adopted at the end of the political process,” he said. Dreyer said the silver lining in the current situation is the fact that many EU governments have not yet decided whether to go along with this final Belgian push for Chat Control mass surveillance. The countries still considering the proposal are Italy, Finland, Czech Republic, Sweden, Slovenia, Estonia, Greece and Portugal. Only Germany, Luxembourg, the Netherlands, Austria and Poland are relatively clear that they will not support the proposal, but this is not sufficient for a “blocking minority,” Dreyer said. The proposal for chat control searches of private communications could be greenlighted by EU governments as early as Wednesday, June 19. Dreyer urged Europeans to press their governments to vote against this. “Demand a firm ‘No.’ Time is pressing. This may be our last chance to stop Chat Control!” Dreyer said.

image for Intelbroker Advertis ...

 Firewall Daily

The notorious threat actor known as Intelbroker claims to have orchestrated a massive data breach of AMD, a top player in the semiconductor industry. The unconfirmed AMD data breach, disclosed on the notorious BreachForums site, shared details into the intrusion, with multiple data samples shared to the dark web   show more ...

forum users.  Intelbroker claims the AMD data leak encompasses a vast array of sensitive information from AMD's databases. This includes detailed data on future AMD products, specification sheets, customer databases, property files, ROMs, source code, firmware, financial records, and comprehensive employee data such as user IDs, full names, job functions, phone numbers, and email addresses. Decoding the AMD Data Breach Claims by Intelbroker [caption id="attachment_77588" align="alignnone" width="926"] Source: Dark Web[/caption] Samples of the stolen data shared by Intelbroker highlight the potential severity of the AMD data leak. Screenshots and snippets from AMD's internal systems, allegedly obtained by the threat actor, provide a glimpse into the breadth and depth of the compromised information. Such disclosures not only highlight the possible extent of the intrusion but also highlight potential vulnerabilities within AMD's cybersecurity infrastructure. The incident is not the first time AMD has faced a cybersecurity challenge. In 2022, the company was reportedly targeted by the RansomHouse hacking group, which claimed responsibility for extracting data from AMD's networks. The 2022 breach, similar to the current incident, prompted AMD to launch an extensive investigation to assess the breach's impact and fortify its defenses against cyber threats. Intelbroker's Modus Operandi Intelbroker, the alleged perpetrator behind the new AMD data breach, has gained notoriety for a series of high-profile cyber intrusions targeting diverse organizations. Operating as a lone actor, Intelbroker has a documented history of penetrating critical infrastructure, major tech corporations, and government contractors. The hacker's actions suggest a sophisticated approach to exploiting vulnerabilities and accessing sensitive information. In previous instances, the hacker has claimed responsibility for breaches at institutions like the Los Angeles International Airport and Acuity, a U.S. federal technology consulting firm. Data Samples and Technical Details The data shared by Intelbroker includes technical specifications, product details, and internal communications purportedly from AMD's secure servers. These samples, posted on breach forums, reportedly reveal intricate details about AMD's upcoming products, financial documents, and proprietary software codes. Such disclosures not only could compromise AMD's competitive advantage but also raise concerns about intellectual property theft and corporate espionage. Technical codes and alphanumeric sequences, allegedly extracted from AMD's databases, have been posted alongside screenshots on BreachForums. These snippets, though cryptic to the untrained eye, contain critical information about AMD's internal systems and operational protocols. The exposure of such technical data could pose significant risks to AMD's reputation and operational integrity. Response and Investigation The Cyber Express has reached out to AMD to learn more about the potential data breach. However, at the time of publication, no official statement or response has been received, leaving the claims for the AMD data leak unconfirmed for now. Moreover, the official AMD website seems to be operational at the moment and doesn’t show any immediate sign of a cyberattack. The hacker could possibly have targeted the backend of the website or the databases instead of launching a front-end assault like a DDoS or a website defacement. AMD's response strategy will likely involve comprehensive forensic analysis, collaboration with cybersecurity agencies, and the implementation of enhanced security measures to mitigate future risks. Previous Cyber Incidents Linked to Intelbroker Intelbroker has demonstrated massive cyber operations beyond the alleged AMD data breach, targeting multinational corporations, government entities, and prominent tech firms globally. Notable breaches attributed to Intelbroker include infiltrations at Los Angeles International Airport (LAX), compromising millions of records encompassing personal and flight details. The hacker also accessed sensitive data from U.S. federal agencies via Acuity, exposing vulnerabilities in government IT systems. Furthermore, Intelbroker claimed responsibility for a cyberattack on Shoprite, Africa's largest retailer, highlighting their widespread impact. These incidents highlight Intelbroker's skill at exploiting security vulnerabilities to extract valuable data, posing significant challenges to affected organizations and cybersecurity professionals. The motivations driving Intelbroker's cyber activities range from financial gain through selling stolen data on dark web platforms to potential geopolitical agendas aimed at disrupting critical infrastructure and corporate operations. The Cyber Express will update readers as we get more information. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

image for Hackers can crack 59 ...

 Privacy

Although World Password Day, held annually on the first Thursday in May, has passed, our — and we hope your — fascination with password security continues. Instead of analyzing artificial test-tube passwords created for lab studies, we stayed in the real world — examining actual passwords leaked on the dark web.   show more ...

The results were alarming: 59% of these passwords could be cracked in less than an hour — and all it takes is a modern graphics card and a bit of know-how. Todays post explains how hackers crack passwords and how to counter it (spoiler alert: use reliable protection and automatically check your passwords for leaks). The usual way to crack passwords First, lets clarify what we mean by cracking a password. Were talking about cracking the passwords hash — a unique sequence of characters representing the password. Companies typically store user passwords in one of three ways: This is the simplest and clearest way: if a users password is, say, qwerty12345, then its stored on the company server as qwerty12345. If a data breach occurs, the hacker needs only enter the password with the corresponding username to log in. That is, of course, if theres no two-factor authentication (2FA), but even then, cybercriminals can sometimes intercept one-time passwords. This method utilizes hashing algorithms like MD5 and SHA-1 to transform each password into a unique hash value in the form of a fixed-length string of characters, which is stored on the server. When the user enters their password, the system converts the input sequence of characters into a hash, and compares it to the one stored on the server. If they match, the password is correct. Heres an example: if your password is that same qwerty12345, then translated into SHA-1, it looks like this: 4e17a448e043206801b95de317e07c839770c8b8. Hackers obtaining this hash would need to decrypt it back to qwerty12345 (this is the password cracking part), for example, by using rainbow tables. A cracked password can then be used to access not only the compromised service but potentially other accounts where the password was reused. Hashed with salt. Nothing to do with a tasty dish from a takeaway, this method adds a random sequence of data, known as a salt, to each password before hashing. A salt can be static or generated dynamically. A password+salt sequence is fed into the algorithm, which results in a different hash. Thus, pre-computed rainbow tables become useless to hackers. Using this method of storing passwords makes them much more difficult to crack. For our study, we formed a database of 193 million leaked passwords in plaintext. Where did we get them all from? You have to know where to look. We found them on the dark web, where such treasures are often freely available. We used this database to check user passwords for possible leaks — but rest assured we dont store or even see any passwords. You can read more about the internal structure of the password vault in our Kaspersky Password Manager and how, without knowing your passwords, we match them against leaked ones. The cost of password cracking Modern GPUs are the best tool for analyzing a passwords strength. For example, the RTX 4090 paired with the password recovery tool hashcat achieves a rate of 164 billion hashes per second (GH/s) for salted MD5 hashes. Lets imagine an 8-character password using both Latin letters (either all lowercase or all uppercase) and digits (36 possible characters per position). The number of possible unique combinations is 2.8 trillion (calculated by raising 36 to the power of eight). A powerful CPU boasting processing power of 6.7 GigaHashes per second (GH/s), could brute-force such a password in seven minutes. But the aforementioned RTX 4090 manages it in just 17 seconds. While such a hi-end GPU costs slightly south of US$2,000, even attackers unable to get hold of one can easily rent computing power for just a few dollars per hour. But what if they rent a dozen RTX 4090s all at once? That would pack enough power to process massive hash database leaks with ease. 59% of passwords crackable in under an hour We tested password strength using both brute-force and smart-guessing algorithms. While brute force iterates through all possible combinations of characters in order until it finds a match, smart guessing algorithms are trained on a passwords data-set to calculate the frequency of various character combinations and make selections first from the most common combinations and down to the rarest ones. You can read more about used algorithms in the full version of our research on Securelist. The results were unnerving: a staggering 45% of the 193 million real-world passwords we analyzed (that is, 87 million passwords!) could be cracked by the smart algorithm in less than a minute, 59% within an hour, 67% within a month, and a mere 23% of passwords could be considered truly strong — needing more than a year to crack. Cracking time Percentage of passwords crackable using the given method Brute force Smart guessing Under a minute 10% 45% 1 minute to 1 hour +10% (20%) +14% (59%) 1 hour to 1 day +6% (26%) +8% (67%) 1 day to 1 month +9% (35%) +6% (73%) 1 month to 1 year +10% (45%) +4% (77%) Over 1 year +55% (100%) +23% (100%) Its important to note that cracking all passwords in the database doesnt take much more time than cracking just one (!). At each iteration, having calculated the hash for the next combination of characters, the attacker checks whether the same one exists in the general database. If it does, the password in question is marked as cracked, after which the algorithm continues to guess other passwords. Why smart guessing algorithms are so effective Humans are predictable. We rarely choose truly random passwords, and our attempts at generating them pale in comparison to machines. We rely on common phrases, dates, names, and patterns – precisely what smart cracking algorithms are designed to exploit. Moreover, the human brain is such that if you ask a sample of folks to pick a number between one and a hundred, most will choose the same numbers! The YouTube channel Veritasium surveyed more than 200,000 people and found the most popular numbers to be 7, 37, 42, 69, 73, and 77. Results of the Veritasium survey. Source Even when attempting random character strings, we tend to favor keys in the middle of the keyboard. Around 57% of all the passwords we analyzed were found to contain a dictionary word or frequent symbol combination. Worryingly, 51% of these passwords could be cracked in less than a minute, 67% in under an hour, and only 12% took more than a year. However, at least just a few passwords consisted of a dictionary word only (which could be cracked within a minute). See the Securelist post for more about the password patterns we encountered. Smart algorithms make short work of most passwords that contain dictionary sequences. And they even catch character substitutions — so writing pa$$word instead of password or @dmin instead of admin wont make the password much stronger. Using popular words and number sequences is equally risky. In 4% of the passwords we examined, the following cropped up somewhere: 12345 123456 love 12345678 123456789 admin team qwer 54321 password Recommendations The takeaways from our hands-on study: Many user passwords arent strong enough; 59% of them can be cracked in an hour. Using meaningful words, names, and standard character sequences in your password significantly reduces password guessing time. The least secure password is one that consists entirely of numbers or only words. To keep your accounts safe, consider the following simple recommendations: Generate strong passwords using Kaspersky Password Manager. If you decide to create a password yourself, use mnemonic passphrases rather than meaningful word combinations, names, or dictionary sequences. Never reuse passwords across different sites, because not all companies store user data securely. Never save passwords in browsers. Keep your passwords safely stored in a password manager and create a crack-proof primary password for it. Check how crack-resistant your password is with Password Checker or directly in your Kaspersky Password Manager. It will identify weak and duplicate passwords, check all your passwords against compromised databases, and alert you if a match is found. Utilize Kaspersky Premium to continually monitor in the background all accounts linked to your and family members phones or email addresses for data leaks. Enable 2FA wherever possible. Incidentally, Kaspersky Password Manager also lets you save 2FA tokens and generate one-time codes.

 Feed

This Metasploit module exploits a PHP CGI argument injection vulnerability affecting PHP in certain configurations on a Windows target. A vulnerable configuration is locale dependant (such as Chinese or Japanese), such that the Unicode best-fit conversion scheme will unexpectedly convert a soft hyphen (0xAD) into a   show more ...

dash (0x2D) character. Additionally a target web server must be configured to run PHP under CGI mode, or directly expose the PHP binary. This issue has been fixed in PHP 8.3.8 (for the 8.3.x branch), 8.2.20 (for the 8.2.x branch), and 8.1.29 (for the 8.1.x branch). PHP 8.0.x and below are end of life and have note received patches. XAMPP is vulnerable in a default configuration, and we can target the /php-cgi/php-cgi.exe endpoint. To target an explicit .php endpoint (e.g. /index.php), the server must be configured to run PHP scripts in CGI mode.

 Feed

jSQL Injection is a lightweight application used to find database information from a distant server. jSQL Injection is also part of the official penetration testing distribution Kali Linux and is included in various other distributions like Pentest Box, Parrot Security OS, ArchStrike and BlackArch Linux. This is the source code release.

 Feed

Apache OFBiz versions prior to 18.12.13 are vulnerable to a path traversal vulnerability. The vulnerable endpoint /webtools/control/forgotPassword allows an attacker to access the ProgramExport endpoint which in turn allows for remote code execution in the context of the user running the application.

 Feed

Ubuntu Security Notice 6835-1 - It was discovered that Ghostscript did not properly restrict eexec seeds to those specified by the Type 1 Font Format standard when SAFER mode is used. An attacker could use this issue to bypass SAFER restrictions and cause unspecified impact. This issue only affected Ubuntu 20.04 LTS,   show more ...

Ubuntu 22.04 LTS, and Ubuntu 23.10. Thomas Rinsma discovered that Ghostscript did not prevent changes to uniprint device argument strings after SAFER is activated, resulting in a format-string vulnerability. An attacker could possibly use this to execute arbitrary code.

 Feed

Red Hat Security Advisory 2024-3972-03 - An update for firefox is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service. Issues addressed include bypass and use-after-free vulnerabilities.

 Feed

Red Hat Security Advisory 2024-3963-03 - An update for flatpak is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.

 Feed

Red Hat Security Advisory 2024-3958-03 - An update for Firefox is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions. Issues addressed include bypass and use-after-free vulnerabilities.

 Feed

Red Hat Security Advisory 2024-3953-03 - An update for firefox is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Issues addressed include bypass and use-after-free vulnerabilities.

 Feed

Red Hat Security Advisory 2024-3952-03 - An update for firefox is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support. Issues addressed include bypass and use-after-free vulnerabilities.

 Feed

Red Hat Security Advisory 2024-3950-03 - An update for firefox is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include bypass and use-after-free vulnerabilities.

 Feed

Red Hat Security Advisory 2024-3949-03 - An update for firefox is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include bypass and use-after-free vulnerabilities.

 Feed

VMware has released updates to address critical flaws impacting Cloud Foundation, vCenter Server, and vSphere ESXi that could be exploited to achieve privilege escalation and remote code execution. The list of vulnerabilities is as follows - CVE-2024-37079 & CVE-2024-37080 (CVSS scores: 9.8) - Multiple heap-overflow vulnerabilities in the implementation of the DCE/RPC protocol that could

 Feed

The Singapore Police Force (SPF) has announced the extradition of two men from Malaysia for their alleged involvement in a mobile malware campaign targeting citizens in the country since June 2023. The unnamed individuals, aged 26 and 47, engaged in scams that tricked unsuspecting users into downloading malicious apps onto their Android devices via phishing campaigns with the aim of stealing

 Feed

Threat actors are luring unsuspecting users with free or pirated versions of commercial software to deliver a malware loader called Hijack Loader, which then deploys an information stealer known as Vidar Stealer. "Adversaries had managed to trick users into downloading password-protected archive files containing trojanized copies of a Cisco Webex Meetings App (ptService.exe)," Trellix security

 Feed

Seventy percent of enterprises are prioritizing investment in SaaS security by establishing dedicated teams to secure SaaS applications, as part of a growing trend of maturity in this field of cybersecurity, according to a new survey released this month by the Cloud Security Alliance (CSA). Despite economic instability and major job cuts in 2023, organizations drastically increased investment in

 Feed

Cybersecurity researchers have uncovered a new malware campaign that targets publicly exposed Docket API endpoints with the aim of delivering cryptocurrency miners and other payloads. Included among the tools deployed is a remote access tool that's capable of downloading and executing more malicious programs as well as a utility to propagate the malware via SSH, cloud analytics platform Datadog

 Feed

A controversial proposal put forth by the European Union to scan users' private messages for detection child sexual abuse material (CSAM) poses severe risks to end-to-end encryption (E2EE), warned Meredith Whittaker, president of the Signal Foundation, which maintains the privacy-focused messaging service of the same name. "Mandating mass scanning of private communications fundamentally

 Business email compromise

A US court has found a Nigerian national guilty of charges related to a US $1.5 million business email compromise (BEC) scam and could face the rest of his life in prison as a consequence. Read more in my article on the Hot for Security blog.

2024-06
Aggregator history
Tuesday, June 18
SAT
SUN
MON
TUE
WED
THU
FRI
JuneJulyAugust