Cyber security aggregate rss news

Cyber security aggregator - feeds history

New Threat Group Voi ...

 Cybersecurity News

A new threat actor group called Void Arachne is conducting a malware campaign targeting Chinese-speaking users. The group is distributing malicious MSI installer files bundled with legitimate software such as AI tools, Chinese language packs, and virtual private network (VPN) clients. During installation, these files also covertly install the Winos 4.0 backdoor, which can fully compromise the system.

Void Arachne Tactics

Researchers from Trend Micro discovered that the Void Arachne group employs multiple techniques to distribute its malicious installers, including search engine optimization (SEO) poisoning and posting links on Chinese-language Telegram channels.

SEO Poisoning: The group set up websites posing as legitimate software download sites. Through SEO poisoning, it pushed these sites to rank highly on search engines for common Chinese software keywords. The sites host MSI installer files containing Winos bundled with software like Chrome, language packs, and VPNs. Victims infect themselves with Winos while believing they are only installing the intended software.

Targeting VPNs: Void Arachne frequently targets Chinese VPN software in its installers and Telegram posts. Exploiting interest in VPNs is an effective infection tactic, as VPN usage is high among Chinese internet users because of government censorship.

[Image source: trendmicro.com]

Telegram Channels: In addition to SEO poisoning, Void Arachne shared malicious installers in Telegram channels focused on Chinese language and VPN topics. Channels with tens of thousands of users pinned posts with infected language packs and AI software installers, increasing exposure.

Deepfake Pornography: A concerning discovery was the group promoting nudifier apps that generate nonconsensual deepfake pornography. They advertised the ability to undress photos of classmates and colleagues, encouraging harassment and sextortion. Infected nudifier installers were pinned prominently in their Telegram channels.

Face/Voice Swapping Apps: Void Arachne also advertised voice-changing and face-swapping apps that enable deception campaigns such as virtual kidnappings, in which attackers impersonate victims and pressure their families for ransom. As with the nudifiers, infected voice/face swapper installers were shared widely on Telegram.

Winos 4.0 C&C Framework

The threat actors behind the campaign ultimately aim to install the Winos backdoor on compromised systems. Winos is a sophisticated Windows backdoor written in C++ that can fully take over infected machines. The initial infection begins with a stager module that decrypts the malware configuration and downloads the main Winos payload. C&C traffic is encrypted using generated session keys and a rolling XOR algorithm. The stager then stores the full Winos module in the Windows registry and executes shellcode to launch it.

[Image source: trendmicro.com]

Winos provides remote access, keylogging, webcam control, microphone recording, and distributed denial of service (DDoS) capabilities. It also performs system reconnaissance such as registry checks and file searches, and can inject into processes. The malware connects to a command and control server to receive further modules/plugins that expand its functionality. Several of these external plugins were observed collecting saved passwords from programs like Chrome and QQ, deleting antivirus software, and adding themselves to startup folders.

Concerning Trend of AI Misuse and Deepfakes

Void Arachne demonstrates technical sophistication and knowledge of effective infection tactics through its use of SEO poisoning, Telegram channels, AI deepfakes, and voice/face swapping apps. One particularly concerning trend observed in the Void Arachne campaign is the mass proliferation of nudifier applications that use AI to create nonconsensual deepfake pornography. These images and videos are often used in sextortion schemes for further abuse, victim harassment, and financial gain.

An English translation of a message advertising the nudifier AI uses the word "classmate," suggesting that one target market is minors:

"Just have appropriate entertainment and satisfy your own lustful desires. Do not send it to the other party or harass the other party. Once you call the police, you will be in constant trouble! AI takes off clothes, you give me photos and I will make pictures for you. Do you want to see the female classmate you yearn for, the female colleague you have a crush on, the relatives and friends you eat and live with at home? Do you want to see them naked? Now you can realize your dream, you can see them naked and lustful for a pack of cigarette money."

[Image source: trendmicro.com]

Additionally, the threat actors have advertised AI technologies that could be used for virtual kidnapping, a novel deception campaign that leverages AI voice-altering technology to pressure victims into paying a ransom. The promotion of this technology for deepfake nudes and virtual kidnapping is the latest example of the danger of AI misuse.

Researchers Deep Div ...

 Espionage

After unearthing a malware campaign targeting ESXi hypervisors two years ago, researchers have now revealed extensive details of their investigation into UNC3886, a suspected China-nexus cyberespionage group targeting strategic organizations worldwide. In January 2023, Google-owned cybersecurity firm Mandiant identified that UNC3886 had exploited a now-patched FortiOS vulnerability. In March 2023, further analysis revealed a custom malware ecosystem affecting Fortinet devices, with compromised VMware technologies facilitating access to guest virtual machines.

Persistent and Evasive Techniques of UNC3886 Group

UNC3886 demonstrated sophisticated and cautious tradecraft, employing multiple layers of persistence across network devices, hypervisors and virtual machines to maintain long-term access, Mandiant said in its detailed analysis. The threat group's strategies include:
- Using publicly available rootkits like REPTILE and MEDUSA for long-term persistence.
- Deploying malware that leverages trusted third-party services for command and control (C2) communications.
- Installing Secure Shell (SSH) backdoors to subvert access and collect credentials.
- Extracting credentials from TACACS+ authentication using custom malware.

[Image: UNC3886 Attack Lifecycle (Source: Mandiant)]

Initial Access through Zero-Days

Mandiant's earlier findings detailed UNC3886's exploitation of CVE-2023-34048, an out-of-bounds write vulnerability in the implementation of the DCERPC protocol in VMware's vCenter Server. This critical-rated flaw allowed an unauthenticated attacker to execute commands remotely on vCenter servers. Additional zero-day vulnerabilities exploited included:
- CVE-2022-41328 in FortiOS, used to install backdoors on FortiGate devices.
- CVE-2022-22948 in VMware vCenter, used to access encrypted credentials in vCenter's postgres database.
- CVE-2023-20867 in VMware Tools, allowing unauthenticated guest operations from an ESXi host to its virtual machines.

Rootkits and Malware

The deeper investigation into UNC3886's operations also revealed an expansive malware arsenal that includes customized open-source variants.

REPTILE Rootkit

REPTILE, an open-source Linux rootkit, was heavily utilized by UNC3886 for its backdoor and stealth functionality, enabling the threat actor to maintain undetected access to compromised systems. Key components include:
- REPTILE.CMD: a user-mode component for hiding files, processes, and network connections.
- REPTILE.SHELL: a reverse shell backdoor activated by specific network packets.
- Kernel-level component: a loadable kernel module (LKM) that provides the rootkit functionality.
- LKM launcher: a custom launcher for loading the kernel module into memory.
UNC3886 modified REPTILE for persistence and stealth, using unique keywords and customized scripts to evade detection.

MEDUSA Rootkit

MEDUSA employs dynamic linker hijacking to log user credentials and command executions, which complements UNC3886's strategy of using valid credentials for lateral movement. Deployment of MEDUSA involved a customized installer called "SEAELF" and modified configuration files.

Malware Leveraging Trusted Third-Party Services

MOPSLED is a modular backdoor that communicates over HTTP or a custom binary protocol, retrieving plugins from its C2 server. It has been shared among Chinese cyberespionage groups and was used by UNC3886 primarily on vCenter servers. RIFLESPINE is a backdoor that uses Google Drive for command and control communication and executes commands from encrypted files. It relied on systemd for persistence but was less favored because that persistence is comparatively easy to detect.

Network Reconnaissance and Lateral Movement

UNC3886 has employed internal reconnaissance and lateral movement techniques using custom tools like LOOKOVER to capture TACACS+ credentials. Backdoored TACACS+ binaries further facilitated unauthorized access and credential logging.

VMCI Backdoors

UNC3886 also used VMCI backdoors for communication between guest and host systems, enhancing its control over compromised environments. Notable VMCI backdoors included:
- VIRTUALSHINE: provided access to a bash shell via VMCI sockets.
- VIRTUALPIE: a Python-based backdoor supporting file transfer, command execution and reverse shell capabilities.
Mandiant observed UNC3886 using valid credentials for lateral movement between guest VMs on compromised VMware ESXi hosts. The threat actor deployed backdoored SSH clients and daemons to intercept and collect credentials, which were stored in XOR-encrypted files.

Backdoored SSH Executables

The threat group modified the SSH client (/usr/bin/ssh) and daemon (/usr/sbin/sshd) to harvest and store credentials. The SSH client stored credentials in "/var/log/ldapd<unique_keyword>.2.gz", while the SSH daemon stored them in "/var/log/ldapd<unique_keyword>.1.gz". To persist the malicious SSH components, the threat actor used yum-versionlock to prevent OpenSSH package upgrades from replacing them.

Custom SSH Server

UNC3886 also used the MEDUSA rootkit to deploy a custom SSH server. They employed executables (/usr/sbin/libvird and /usr/bin/NetworkManage, named to resemble the legitimate libvirtd and NetworkManager binaries) to hijack SSH connections and redirect them to a Unix socket for credential collection. SELinux contexts ensured the socket remained accessible. Additional tools (sentry and sshdng-venter-7.0) were used on another endpoint for similar injection and redirection operations.

Indicators of Compromise (IOCs)

Mandiant has published IOCs to aid in detecting UNC3886 activity. These IOCs, along with detection and hardening guidelines, help organizations protect against the sophisticated threats posed by UNC3886.

ViLe: Two Men Plead ...

 Firewall Daily

Two Rhode Island men pleaded guilty to hacking into a confidential federal law enforcement database and using the sensitive information to threaten and extort a victim. Sagar Steven Singh, 20, and Nicholas Ceraolo, 26, were members of a hacking group called "ViLe" that collected victims' personal data to harass, threaten or extort them in a practice known as "doxxing," prosecutors said. Victims could pay to have their information removed from or kept off ViLe's public website.

Breach and Abuse of Federal Law Enforcement Portal

According to the press release, on May 7, 2022, Singh used a stolen password belonging to a police officer to access a non-public, password-protected federal law enforcement portal. The portal, maintained by the U.S. Drug Enforcement Administration (DEA), holds detailed records on narcotics and currency seizures as well as law enforcement intelligence reports shared with state and local agencies.

[Image source: archive.org]

The next day, Singh told Ceraolo in an online chat that he shouldn't have accessed the portal and was "no gov official." Ceraolo then shared the stolen login credentials with others in the ViLe hacking group. Shortly after, Singh used the database to obtain personal information on an individual. He messaged the victim, referred to in court documents as Victim-1, threatening to harm their family if they did not provide login credentials to their Instagram accounts. To prove he had access to sensitive information, Singh included Victim-1's Social Security number, driver's license number and home address. He told Victim-1 that through the database portal, "i can request information on anyone in the US doesn't matter who, nobody is safe." Singh instructed Victim-1 to sell access to the Instagram accounts and give him the money. His messages implied he would use the information to harm Victim-1's parents if the demands were not met.

[Image source: dea.gov]

While the court documents focus on the case of Victim-1, the duo also threatened other individuals whose information they had access to for financial gain. According to an earlier report from Vice, the portal used by the duo is the EPIC (El Paso Intelligence Center) Portal.

Guilty Pleas Over Actions

Singh and Ceraolo were charged in March 2023 with computer intrusion conspiracy and aggravated identity theft. Singh pleaded guilty to both counts on June 17, while Ceraolo had done so on May 30, the U.S. Attorney's Office in the Eastern District of New York announced. U.S. Attorney Breon Peace condemned the men's actions as "ViLe," a reference to the hacking group's disturbing logo depicting a hanging girl. He stated, "They hacked into a law enforcement database and had access to sensitive personal information, then threatened to harm a victim's family and publicly release that information unless the defendants were ultimately paid money. Our Office is relentless in protecting victims from having their sensitive information stolen and used to extort them by cybercriminals." He thanked the Homeland Security Investigations (HSI) El Dorado Task Force, the Federal Bureau of Investigation and the New York Police Department for their assistance in the case.

HSI New York Special Agent in Charge Ivan J. Arvelo stated, "The defendants, along with their co-conspirators, exploited vulnerabilities within government databases for their own personal gain. These guilty pleas send a strong message to those that would seek illicit access to protected computer systems." He added, "HSI New York's El Dorado Task Force will continue to work with law enforcement partners to uncover evidence until every member of the ViLe group and similar criminal organizations are brought to justice."

The defendants face two to seven years in federal prison when sentenced on the charges of conspiring to commit computer intrusion and aggravated identity theft.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Over 70% of Business ...

 Cybersecurity News

Titania, specialists in continuous network security and compliance assurance solutions, announced the release of new research that highlights a significant shift in cybersecurity spending towards proactive security measures. The report, "Emerging Best Practice in the Use of Proactive Security Solutions," indicates a marked increase in investments aimed at preemptively mitigating cyber threats. According to the study, over 70% of businesses reported increased spending on proactive security solutions, such as attack surface management and risk-based vulnerability management, over the past year. This growth notably outpaces investment in both preventative and reactive measures.

Strategic Implementation and Cybersecurity Industry Trends

Conducted in partnership with Omdia, a global analyst and advisory firm, the study surveyed over 400 security decision-makers across North America, the UK, France, and Germany. The findings highlight a rapid adoption of proactive security measures driven by three key objectives:
- Reducing the opportunity for cyber threats
- Reducing the mean time to remediate known vulnerabilities
- Minimizing the attack surface
These proactive solutions are becoming an essential layer of protection, providing a comprehensive understanding of the threat landscape and attack surface to enhance organizational resilience and readiness.

Geographic and Sectoral Insights

The trend towards proactive security is particularly pronounced in the EMEA region, where 74% of respondents increased their budgets, compared to 67% in North America. The financial services sector (54%) and critical infrastructure organizations, including energy and utilities companies (53%), show a strong inclination towards these investments. Nearly half (47%) of the respondents reported that their top cybersecurity goals for the next 12-24 months include reducing the opportunity for threats through proactive security. In contrast, only 27% of organizations plan to focus on improving tactical outcomes such as better threat prevention, detection, and response.

Enhancing Security Posture

Organizations are increasingly recognizing the need to improve their security posture through proactive security tools, which enhance attack surface management and security control optimization. Many organizations reported limited visibility into the security posture of their network assets, such as firewalls, switches, and routers. Approximately half of the surveyed organizations check their network devices at most monthly, and some only monitor devices in critical segments or a sample of devices across their networks. Critical infrastructure organizations reported lower confidence than other industries in their ability to maintain adequate network segmentation and prevent unauthorized network access.

Anticipated Organizational Impact

Almost half (48%) of all respondents anticipate a high level of organizational disruption due to the broader adoption of proactive security solutions, highlighting the transformative impact these measures are expected to have.

"This research vividly illustrates a widespread and rapid shift towards proactive security to improve operational readiness and resilience," said Tom Beese, Executive Chairman of Titania. "Organizations recognize the critical need to stay ahead of known threats and shut down attacks by investing in solutions that offer real-time visibility of their security posture and remediation actions that continuously minimize their exposure."

Businesses emphasized the importance of consolidating proactive security tools, with 65% highlighting better visibility and management of the attack surface, 60% focusing on improved security control optimization, and 54% noting manpower productivity improvements.

Critical Proactive Security Capabilities

The survey identified several critical proactive security capabilities:
- The ability to view risks through different attack frameworks (61%).
- Full asset context (60%).
- Integration with the existing security fabric to implement temporary mitigations (57%).

Andrew Braunberg, Principal Analyst at Omdia, explained, "While the cybersecurity industry has clung to the 'assume breach' mantra with its preventative and reactive solutions, organizations are awakening to a smarter strategy: proactively understanding attack surfaces, mapping attack paths, and plugging vulnerabilities to prevent breaches. Network device configurations are crucial to security posture management, and the adoption of proactive security solutions that automate configuration assessments could have a transformative impact."

The report highlights a gap in industry guidance on best practices for building a proactive security strategy. It notes that the US Defense Department's Cyber Operational Readiness Assessment (CORA) program, the successor to the Command Cyber Readiness Inspection (CCRI), and the EU's Digital Operational Resilience Act (DORA) requirements align well with the need for proactive security solutions.

Irish Hacker Avoids ...

 Cybersecurity News

An Irish hacker who was involved in cyberattacks from the age of 13 has walked free from court after his sentence was suspended. Aaron Sterritt, now 24, of Brookfield Gardens in Ahoghill, was part of an international computer hacking gang in 2016 and became notorious for attacking multinational companies. Sterritt walked free on Tuesday after Antrim Crown Court suspended his 26-month jail sentence for three years.

Why Was the Irish Hacker Arrested?

Sterritt was charged with carrying out Distributed Denial of Service (DDoS) attacks between December 2, 2016 and December 21, 2016. He was part of a gang known as "starpatrol" whose DDoS attacks targeted Flowplay Incorporated, Microsoft Corporation (Xbox Live), Ottawa Catholic School Board, Rockstar Games Incorporated and Tumblr Incorporated. He used the pseudonyms 'Victor' and 'Vamp' while part of the gang.

[Image: Aaron Sterritt walks out of court. Source: Belfast Telegraph]

The first company targeted by the gang was Flowplay Inc., which had 75 million online gamers across the world in 2016, according to a report by the Northern Ireland World. The attack by the "starpatrol" gang between December 3 and 11 of that year caused Flowplay's servers to "lock up" for the entire duration of the attack. Customers were unable to access their accounts or play online, and Flowplay had to refund tens of thousands of dollars in purchases and subscription fees. The company was also forced to spend "hundreds of thousands of dollars" migrating its services to a new server. There was a similar series of attacks on Microsoft's Xbox Live and Rockstar Games between December 3 and 21, while in the offences relating to the Ottawa Catholic School Board, a school in Ontario experienced many DDoS attacks between 2015 and 2016. While suspending the sentence, Judge Roseanne McCormick KC warned Sterritt that any repeat of such acts would attract imprisonment.

Irish Hacker's Cyberattacks Cost Millions

According to a BBC report, Sterritt was also charged with failing to disclose the passwords for his laptop, hard drives and iPhone between December 2017 and June 2020. He was tied to the charges through association, communication and device activity, and by a forensic speech investigator who could connect him to YouTube videos. The self-confessed criminal, now a reformed computer expert, was sentenced by Judge Roseanne McCormick KC. She observed that most of the offences were committed while Sterritt was on bail for a similar offence in 2015 that targeted the telecom giant TalkTalk, costing £77m. In preparing a pre-sentencing report, the court noted that Sterritt had been diagnosed with ADHD, had required assessment for autism as a child, and had faced problems at home. Hearing that he is at low risk of reoffending and has completed a cyber-awareness programme, the court decided to suspend his sentence. Judge McCormick KC said that these factors, the length of the proceedings and his attempts to change for the better allowed her to suspend the sentence, even given the gravity of the offences.

After the trial, the Police Service of Northern Ireland (PSNI) said the case had warranted two investigations, one by the PSNI and the other by the National Crime Agency. Detective Chief Inspector Paul Woods said that the 2016 cyberattacks involving Sterritt were massive and affected websites and services in the US. "Aaron was 16 years old during the incident and was one of the suspects, being the only individual from Northern Ireland in the group." The PSNI's investigation focused on Sterritt's role in the creation of malicious software for global network attacks and Ethereum cryptocurrency mining. Steve Laval of the National Cyber Crime Unit underlined the grave consequences of DDoS attacks, which are easy to conduct and require only a basic degree of technical skill.

Lack of MFA Implemen ...

 Compliance

Two weeks after the Australian privacy watchdog filed a lawsuit against Medibank for failing to protect the personal information of millions of Australians in a 2022 data breach, the Information Commissioner's office this week made public a comprehensive analysis of the security failures that led to the incident. Medibank, a prominent Australian health insurance provider, suffered a devastating cyberattack in October 2022 that compromised the personal data of 9.7 million current and former customers. According to the report from the Office of the Australian Information Commissioner (OAIC), the attack was likely enabled by a lack of basic cybersecurity measures, such as requiring its workers to use multi-factor authentication to log on to its VPN.

The Sequence of Events in the Medibank Breach

The attack on Medibank began when an IT service desk operator at a third-party contractor used his personal browser profile on a work computer and inadvertently synced his Medibank credentials to his home computer. This home device was infected with information-stealing malware, which allowed the attackers to obtain these credentials, including ones with elevated access permissions. The attackers first breached Medibank's Microsoft Exchange server using these credentials on August 12, 2022, before logging into Medibank's Palo Alto Networks GlobalProtect VPN. Critically, the VPN did not require multi-factor authentication (MFA), so the stolen username and password alone were enough to gain access. It was only in mid-October, when Medibank brought in a threat intelligence firm to investigate a Microsoft Exchange ProxyNotShell incident, that it discovered data had already been stolen in a cyberattack.

"During the Relevant Period, the Admin Account had access to most (if not all) of Medibank's systems, including network drives, management consoles, and remote desktop access to jump box servers (used to access certain Medibank directories and databases)." - the OAIC report.

Security Failures and Missed Alerts

Lack of Multi-Factor Authentication (MFA): One of the critical failures in the Medibank breach was the health insurer's failure to implement MFA for VPN access. The OAIC report said that during the relevant period, the VPN was configured to allow access with just a device certificate or a username and password. It did not require the additional layer of protection provided by MFA. This oversight significantly lowered the barrier to unauthorized access.

Operational and Alert Management Failures: Medibank's Endpoint Detection and Response (EDR) software raised several alerts about suspicious activity on August 24 and 25, but these alerts were not appropriately triaged or escalated. This delay allowed the attackers to continue operating undetected for an extended period, which ultimately led to the exfiltration of approximately 520 gigabytes of sensitive data from the company's MARS Database and MPLFiler systems.

Data Compromised and Consequences

The stolen data included highly sensitive information such as customers' names, dates of birth, addresses, phone numbers, email addresses, Medicare numbers, passport numbers and extensive health-related data. The exposure of such information has severe implications for the affected individuals, ranging from identity theft to potential misuse of medical data in frauds and scams. The attackers, linked to the ransomware gang BlogXX, which is believed to be an offshoot of the notorious REvil group, leaked the data on the dark web. This incident not only caused significant distress to millions of Australians but also highlighted the grave consequences of inadequate cybersecurity measures.

Legal and Regulatory Actions Follow

The OAIC said that Medibank was aware "of serious deficiencies in its cybersecurity and information security" prior to the hack. For example, citing an Active Directory Risk Assessment report from Datacom in June 2020, the OAIC said Medibank had an excessive number of individuals with access to Active Directory (the Microsoft directory service used for management of all Medibank users, group policies and domains).

"A number of individuals had been given excessive privileges to perform simple daily routines, and that MFA had not been enabled for privileged and nonprivileged users which was described as a 'critical' defect."

Given the nature and the volume of the data Medibank stores and collects, "it was reasonable" for the company to adopt the security measures recommended by Australia's privacy regulator, but "these measures were not implemented, or, alternatively, not properly implemented or enforced, by Medibank," the OAIC said. In response to the breach and the negligence that led to it, the OAIC announced legal action against Medibank for failing to protect personal information. The company faces potential fines exceeding AU$2 million. A spokesperson for the health insurer did not detail its plan of action against the lawsuit but earlier told The Cyber Express that "Medibank intends to defend the proceedings."

Medibank Hacker Sanctioned and Arrested

Earlier this year, the U.S., Australia, and the U.K. sanctioned Aleksandr Gennadievich Ermakov, believed to be behind the 2022 Medibank hack. Ermakov, also known by aliases such as AlexanderErmakov and JimJones, was subsequently arrested by Russian police along with two others for violating Article 273 of the Russian Criminal Code, which prohibits creating or spreading harmful computer code. Extradition of Ermakov is unlikely given the current political climate.

Lessons and Recommendations

The Medibank breach underscores several critical lessons for organizations regarding cybersecurity:
1. Implementation of Multi-Factor Authentication: Using MFA for all access points, especially VPNs, is essential. MFA adds an additional layer of security, making it significantly harder for attackers to exploit stolen credentials.
2. Proper Alert Management: Organizations must ensure that security alerts are promptly and effectively managed. Robust procedures for triaging and escalating suspicious activity can prevent prolonged unauthorized access.
3. Regular Security Audits: Conducting regular security audits to identify and rectify vulnerabilities is crucial. These audits should include evaluating the effectiveness of existing security measures and compliance with best practices.
4. Employee Training: Continuous training for employees on cybersecurity best practices, including safe browsing habits and the importance of using corporate credentials responsibly, is vital to minimize the risk of breaches originating from human error.

Maxicare Confirms Da ...

 Cybersecurity News

Maxicare, one of the leading health maintenance organizations in the Philippines, has reported a security incident involving unauthorized access to personal information. The Maxicare data breach affects approximately 13,000 members, less than 1% of Maxicare's total member population. The compromised information pertains to booking requests made through Lab@Home, a third-party home care provider. Maxicare assures its members that no sensitive medical information has been exposed.

According to Maxicare, the breach has not impacted its business operations, network, or customer data. Lab@Home's booking platform, where the breach occurred, operates on a separate database that is not integrated with Maxicare's main systems. "At this point, what we can confirm is that the business operations, network, and customer data of Maxicare have not been impacted in any way. Lab@Home maintains a separate database for booking requests, which is not integrated with Maxicare's system," reads Maxicare's official statement.

Maxicare Data Breach: Immediate Response and Investigation

Upon learning of the potential security breach, Maxicare promptly initiated emergency measures to safeguard the privacy and security of the affected members. The company has launched an investigation in collaboration with data security professionals and an external cybersecurity firm. "We launched an investigation together with a team of data security professionals and in partnership with an industry-leading cybersecurity firm," said a spokesperson from Maxicare. "Our team is fully adhering to all regulatory requirements by the National Privacy Commission. We will continue to communicate with our valued members on this matter."

Background on the Maxicare Security Breach

The security breach specifically involved the booking platform of Lab@Home, which facilitates home care services for Maxicare members. The information compromised includes details used for booking requests. According to Maxicare, no sensitive medical records were accessed or compromised during this incident, and because Lab@Home's database is entirely separate from Maxicare's primary systems, the breach was contained and did not spread to other parts of Maxicare's infrastructure.

Maxicare says it is taking proactive steps to address the incident and, through immediate action, investigation and ongoing communication, aims to maintain the trust and safety of its members. TCE will provide further updates as the situation evolves and more information becomes available.

image for FBI Investigates Cyb ...

 Cybersecurity News

The FBI's Baltimore Field Office is actively seeking to identify potential victims of Richard Michael Roe, who has recently been indicted on federal cyberstalking charges. The charges allege that Roe conducted a campaign of harassment through phone calls, text messages, and emails, targeting multiple victims over the course of a year. The FBI's investigation found that Roe used spoofed phone numbers and email accounts to carry out the harassment.

The indictment against Richard Michael Roe is a significant step in addressing the cyberstalking activities that allegedly took place from December 2019 until January 2021. It is important to note that an indictment is merely an allegation, and Roe is presumed innocent until proven guilty beyond a reasonable doubt. According to the charges, Roe's cyberstalking involved making numerous phone calls and sending multiple text messages daily to his victims. The FBI believes that approximately six individuals and two businesses were targeted during this period.

FBI's Call for Public Assistance

The FBI is asking the public to help identify additional victims who may have been harassed by Roe. "If you and/or anyone you know were victimized by Roe, or if you have information relevant to this investigation, please fill out this short form," reads the FBI release. The agency has set up a dedicated email, RoeVictims@fbi.gov, and a short form for individuals to provide information. Responses are voluntary but could be crucial in furthering the federal investigation and identifying additional victims.

The FBI is legally required to identify victims of the federal crimes it investigates. Victims of such crimes may be eligible for various services, restitution, and rights under federal and/or state law. Identifying victims is not only a legal mandate but also an essential part of ensuring that those affected by Roe's alleged cyberstalking receive the support and justice they deserve. The FBI assures that all identities of victims will be kept confidential. "Based on the responses provided, you may be contacted by the FBI and asked to provide additional information. All identities of victims will be kept confidential."

The Impact of Cyberstalking

Cyberstalking is a serious offense that can have profound effects on the lives of victims. It involves the use of digital means to harass, intimidate, and threaten individuals, leading to emotional distress, fear, and disruption of daily life. The use of spoofed phone numbers and email accounts, as alleged in Roe's case, makes it harder for victims to trace the source of the harassment, adding to their anxiety and sense of vulnerability.

How to Recognize Cyberstalking

Victims of cyberstalking often experience repeated, unwanted contact through digital communication methods. This can include:
- Frequent and persistent phone calls, often from unknown or spoofed numbers.
- Harassing text messages that may contain threats or abusive language.
- Unwanted emails that may be difficult to trace back to the sender.

If you have experienced such behavior, it is crucial to report it to the authorities. The FBI's current effort to identify victims of Roe underlines the importance of addressing and combating cyberstalking.

image for CISA Releases Guide  ...

 Cybersecurity News

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has identified numerous vulnerabilities in traditional virtual private network (VPN) solutions that have been exploited in recent high-profile cyber attacks, leading the agency to recommend that organizations adopt new approaches to network access security. CISA has urged businesses to move to modern approaches such as Secure Access Service Edge (SASE) and Secure Service Edge (SSE), which integrate enhanced identity verification, adaptive access controls, and cloud-delivered security, and in doing so advance their zero trust journey.

Vulnerabilities in Traditional VPN Systems

CISA notes that vulnerabilities in legacy VPN systems can enable broad network compromise if exploited, because such systems typically lack granular access controls. While VPNs make it easy for employees to reach remote company applications and external data servers, they also make organizations more susceptible to compromise through weaknesses inherent in the typical network design. Recent examples of successful exploitation of VPNs include:
- Vulnerabilities affecting Ivanti Connect Secure gateways (CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893) allowed threat actors to reverse tunnel from the VPN device, hijack sessions, and move laterally across victim networks while evading detection.
- The Citrix Bleed vulnerability (CVE-2023-4966) enabled bypassing of multifactor authentication, allowing threat actors to impersonate legitimate users, harvest credentials, and conduct ransomware attacks.

Compromised user devices connected via VPN also introduce risks from poor cyber hygiene, and third-party vendors granted VPN access may lack sufficient network segmentation controls and least privilege protections. While some VPNs can enforce firewall policies, not all provide the identity-based adaptive access controls central to zero trust. Software-based VPNs also carry inherent vulnerabilities that hardware-based solutions lack.

Modern Solutions to Network Access Security

Modern alternatives to VPN-based network access control include zero trust architecture, SSE, SASE and identity-based adaptive access policies. These solutions grant access to applications and services based on continuous, granular validation of user identity and authorization, rejecting any request that is not explicitly authenticated and authorized for the specific resource. Zero trust is a collection of concepts that help organizations make accurate per-request access decisions based on the principle of least privilege. SSE is a comprehensive approach that combines networking, security practices, policies and services within a single platform. Key capabilities such as multi-factor authentication, endpoint security validation, and activity monitoring better secure data in transit while reducing the attack surface. Tighter access controls also help secure data at rest by limiting the exposure of internal applications. Effectiveness relies heavily on aligning network and infrastructure with zero trust principles such as least privilege; even a partial zero trust implementation can greatly enhance protection against threats and data loss.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
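The difference between "on the VPN means on the network" and the per-request decisions CISA's guidance describes is easiest to see in a tiny policy engine. The following is an added example, not code from CISA or from the article: the users, groups, resources and rule shape (resource, action, group, MFA, device posture) are constructed for illustration and do not correspond to any vendor's policy language.

```python
"""Network-level VPN access versus per-request zero trust decisions.

Added example, not from CISA's guidance or the article above. The users,
groups, resources and rules are constructed; the Rule shape is an assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset          # group memberships asserted by the identity provider
    mfa: bool                  # this session completed MFA
    device_compliant: bool     # endpoint passed its posture check (patched, EDR running, ...)
    resource: str
    action: str


def vpn_allows(req: Request, tunnel_up: bool) -> bool:
    """Legacy model: once the tunnel is up, every internal host is reachable.
    Resource, action and device posture play no part in the decision."""
    return tunnel_up


@dataclass(frozen=True)
class Rule:
    resource: str
    actions: frozenset
    groups: frozenset              # any one of these groups satisfies the rule
    require_mfa: bool = True
    require_compliant_device: bool = True


# Constructed least-privilege policy. Anything not listed is denied.
POLICY = (
    Rule("hr-portal", frozenset({"read"}), frozenset({"employees"})),
    Rule("hr-portal", frozenset({"read", "write"}), frozenset({"hr"})),
    Rule("finance-db", frozenset({"read"}), frozenset({"finance"})),
    # Contractors may read the wiki from unmanaged devices, but MFA is still required.
    Rule("wiki", frozenset({"read"}), frozenset({"employees", "contractors"}),
         require_compliant_device=False),
)


def zero_trust_decision(req: Request, policy=POLICY) -> tuple[bool, str]:
    """Evaluate one request against the policy and return (allowed, reason).

    Each request stands on its own: a valid session for one resource says
    nothing about any other, so a hijacked session or a compromised laptop
    only reaches what that identity was explicitly granted."""
    reason = "no rule grants this access (default deny)"
    for rule in policy:
        if rule.resource != req.resource or req.action not in rule.actions:
            continue
        if not (req.groups & rule.groups):
            continue
        if rule.require_mfa and not req.mfa:
            reason = f"{req.resource} requires MFA"
            continue
        if rule.require_compliant_device and not req.device_compliant:
            reason = f"{req.resource} requires a compliant device"
            continue
        return True, f"allowed by rule for {sorted(rule.groups)}"
    return False, reason


if __name__ == "__main__":
    # Scenario from the article: a session hijacked at the VPN gateway. "alice" is
    # an ordinary employee; the attacker reuses her session to reach the finance DB.
    hijacked = Request("alice", frozenset({"employees"}), mfa=True,
                       device_compliant=False, resource="finance-db", action="read")
    print("VPN       :", vpn_allows(hijacked, tunnel_up=True))
    print("Zero trust:", zero_trust_decision(hijacked))
```

The VPN model answers "yes" to the hijacked session because the only question it asks is whether the tunnel exists; the per-request model denies it because "alice" was never granted finance-db, and would also deny her own laptop if it failed the posture check.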

image for IntelBroker Claims A ...

 Cybersecurity News

Threat actor IntelBroker, notorious for a series of daring cyberattacks, has resurfaced with claims of a data breach of Apple's website. The threat actor (TA) claims to have obtained the internal source code of three tools used on Apple.com. This claim comes just a day after IntelBroker claimed to have breached another tech giant, Advanced Micro Devices (AMD).

Decoding Apple Data Breach Claims

Per the available information, IntelBroker allegedly breached Apple's security in June 2024 and obtained the internal source code of three commonly used Apple tools, namely AppleConnect-SSO, Apple-HWE-Confluence-Advanced and AppleMacroPlugin. The information was posted by the threat actor on BreachForums, a high-profile platform for trading stolen data and hacking tools. "I'm releasing the internal source code to three of Apple's commonly used tools for their internal site, thanks for reading and enjoy!" the TA posted.

AppleConnect is Apple's internal single sign-on (SSO) and authentication system, which allows a user to access certain applications inside Apple's network. Apple-HWE-Confluence-Advanced might be used for team projects or for sharing information inside the company, and AppleMacroPlugin is presumably an application that facilitates certain internal processes.

Apple has not yet responded to the alleged breach or the leaked code. If the breach occurred as claimed, it may expose information that is sensitive to Apple's internal workings and operations, and leaked source code could reveal vulnerabilities in these tools. The Cyber Express has reached out to Apple to learn more about the potential data breach. At the time of publication, no official statement or response had been received, leaving the claims unconfirmed for now. The article will be updated as soon as we receive a response from the tech giant.

Previous Attacks by IntelBroker

The alleged data breach at Apple could prove significant considering the history of the threat actor. IntelBroker is believed to be a mature threat actor and is known to have been responsible for high-profile intrusions in the past. On June 18th, 2024, chipmaker AMD acknowledged that it was investigating a potential data breach by IntelBroker. The attacker claimed to be selling stolen AMD data, including employee information, financial documents, and confidential information. Last month, the threat actor is believed to have breached the European Union law enforcement agency Europol's Platform for Experts (EPE). Other organizations the attacker is believed to have breached include Panda Buy, Home Depot, and General Electric. The hacker also claimed to have targeted US Citizenship and Immigration Services (USCIS) and Facebook Marketplace.

Apple's Security Posture

Apple prides itself on its robust security measures and user privacy. However, the company has faced security threats in the past. In December 2023, Apple released security updates to address vulnerabilities in various Apple products, including iOS, iPadOS, macOS, tvOS, watchOS, and Safari. One critical vulnerability patched allowed attackers to potentially inject keystrokes by mimicking a keyboard. This incident highlights the importance of keeping software updated to mitigate security risks. In November 2023, there were reports of a state-sponsored attack targeting Apple iOS devices used in India. While details about this attack remain scarce, it serves as a reminder that even Apple devices are susceptible to cyberattacks.

Looking Ahead

The situation with IntelBroker's claims is ongoing. If the leak is verified, Apple will likely need to take steps to mitigate the potential damage, which could involve patching vulnerabilities in the leaked code and improving internal security measures. It is important to note that these are unconfirmed reports at this stage. However, they serve as a stark reminder of the ever-evolving cyber threat landscape. Apple, and all tech companies for that matter, must constantly work to stay ahead of determined attackers like IntelBroker. For users, it is a reminder to be vigilant about potential phishing attempts or malware that could exploit these alleged vulnerabilities. Keeping software updated and practicing good cyber hygiene are crucial steps for protecting yourself online.

image for MEDUSA Ransomware Ta ...

 Cybersecurity News

AJE Group, a prominent company in the manufacture, distribution, and sale of alcoholic and nonalcoholic beverages, has allegedly fallen victim to a MEDUSA ransomware attack. Founded in 1988 and headquartered in Lima, Peru, AJE Group employs 2,896 people. The unconfirmed attack has allegedly resulted in a significant data breach, putting 646.4 GB of data at risk.

Ransomware Attack on AJE Group: Ransom Demand and Countdown

The ransomware group has set a countdown of eight days, 21 hours, 20 minutes, and 30 seconds for the company to comply with its demands. The attackers have set a price of US$1,500,000 to prevent distribution of the compromised data, and for every day that passes without payment the ransom increases by US$100,000. These claims remain unconfirmed, as AJE Group has yet to release an official statement regarding the incident.

A preliminary check of AJE Group's official website revealed no apparent disruption; the site was fully operational, casting doubt on the authenticity of the ransomware group's claims. Nevertheless, without an official statement from AJE Group, it is premature to conclude whether the attack has genuinely occurred. If it is confirmed, the implications for the Group could be extensive and severe. Data breaches can lead to significant financial losses, reputational damage, and operational disruption. The compromised data may include sensitive information that, if leaked, could affect the company's competitive standing and expose its employees and customers to further risks.

MEDUSA Ransomware: A Rising Threat

Earlier, The Cyber Express (TCE) reported that threat actors (TAs) associated with the notorious MEDUSA ransomware had escalated their activities, allegedly targeting two institutions in the USA. The first target is Tri-Cities Preparatory High School, a public charter middle and high school located in Prescott, Arizona. The threat actors claim to have 1.2 GB of the school's data and have threatened to publish it within seven to eight days. The second target is Fitzgerald, DePietro & Wojnas CPAs, P.C., an accounting firm based in Utica, New York. The attackers claim to have 92.5 GB of the firm's data and have threatened to release it within eight to nine days.

History and Modus Operandi of MEDUSA

MEDUSA first emerged in June 2021 and has since attacked organizations across many countries and industries, including healthcare, education, manufacturing, and retail. Despite its global reach, most victims have been based in the United States. MEDUSA operates as a Ransomware-as-a-Service (RaaS) platform, offering malicious software and infrastructure to would-be attackers. This model enables less technically skilled criminals to launch sophisticated ransomware attacks. MEDUSA's operators often use a public Telegram channel to post stolen data, leveraging public exposure as an extortion tactic to pressure organizations into paying.

The Broader Impact of Ransomware Attacks

The reported MEDUSA ransomware attack on AJE Group highlights the growing threat posed by ransomware groups. Ransomware attacks have become increasingly prevalent, targeting critical sectors and causing widespread disruption. The healthcare industry, for instance, has seen hospitals forced to shut down operations, delaying critical medical procedures and compromising patient care. Educational institutions have faced similar disruptions, with students' data at risk and academic schedules thrown into disarray. The manufacturing and retail sectors have not been spared either: companies in these industries have experienced production halts, supply chain disruptions, and significant financial losses. These incidents highlight the importance of strong cybersecurity measures and prompt incident response to limit the impact of such attacks. Organizations must prioritize cybersecurity awareness and preparedness to defend against ransomware: regular employee training, stringent access controls, and up-to-date security software are essential components of a robust cybersecurity strategy, and a well-defined incident response plan is needed to quickly address and contain any breach.

Conclusion

While the authenticity of the ransomware attack on AJE Group remains unconfirmed, the potential consequences are significant. TCE will continue to monitor this ongoing situation and provide updates as more information becomes available.

image for FTC Sues Adobe for  ...

 Cybersecurity News

The Federal Trade Commission (FTC) has launched legal action against software giant Adobe and two of its top executives, Maninder Sawhney and David Wadhwani, for allegedly deceiving consumers about early termination fees and making it difficult to cancel subscriptions. The Department of Justice (DOJ), following a referral from the FTC, has filed a complaint in federal court charging Adobe with pushing consumers toward its "annual paid monthly" subscription plan without adequately disclosing the costly cancellation fees associated with it.

"Adobe trapped customers into year-long subscriptions through hidden early termination fees and numerous cancellation hurdles," said Samuel Levine, Director of the FTC's Bureau of Consumer Protection. "Americans are tired of companies hiding the ball during subscription signup and then putting up roadblocks when they try to cancel. The FTC will continue working to protect Americans from these illegal business practices."

Details of the FTC Complaint Against Adobe

According to the complaint, Adobe has been steering consumers towards its "annual paid monthly" subscription plan by pre-selecting it as the default option on its website. While the monthly cost is prominently displayed, the early termination fee (ETF) is not. The ETF, which amounts to 50 percent of the remaining monthly payments if the subscription is canceled within the first year, is buried in small print or hidden behind small icons on the website. Consumers have complained to the FTC and the Better Business Bureau that they were unaware of the ETF or that the plan required a year-long commitment.

Adobe's Practices

Adobe shifted primarily to a subscription model in 2012, and subscriptions now account for most of its revenue. The complaint alleges that despite knowing about consumer confusion regarding the ETF, Adobe continues to obscure the fee and make it difficult to cancel subscriptions. Consumers who try to cancel through Adobe's website must navigate numerous pages, and those who seek help from customer service face resistance, delays, and additional obstacles such as dropped calls and chats and multiple transfers. Some consumers who believed they had canceled their subscriptions later found that Adobe continued to charge them.

The FTC charges that Adobe's practices violate the Restore Online Shoppers' Confidence Act. The Commission voted unanimously (3-0) to refer the civil penalty complaint to the DOJ, which then filed it in the U.S. District Court for the Northern District of California.

Adobe's Response to FTC Complaint

In response to the FTC's complaint, Adobe released a statement through Dana Rao, General Counsel and Chief Trust Officer: "Subscription services are convenient, flexible, and cost-effective to allow users to choose the plan that best fits their needs, timeline, and budget. Our priority is to always ensure our customers have a positive experience. We are transparent with the terms and conditions of our subscription agreements and have a simple cancellation process. We will refute the FTC's claims in court."

Adobe Shift to the Subscription Model

Adobe's transition to a subscription model over a decade ago was driven by the digital and cloud-based evolution of the industry. The model was designed to deliver continuous innovation, including cloud-based features and services, more affordably to customers. Subscription-based software and services have become integral to the digital economy, offering benefits such as:
- Continuous innovation: subscriptions allow Adobe to deliver ongoing improvements and new features, including those that require cloud computation, without additional cost to customers, for example Photoshop's Generative Fill feature.
- Multi-device usage: products can be used on multiple devices and across groups of collaborators, with automatic updates and enhanced security.
- Access to cloud-only services: subscribers gain access to services such as artificial intelligence (AI) tools and other cloud-based functionality.
- Consumer choice: Adobe offers various plans, giving consumers the flexibility to choose between lower upfront costs and maximum flexibility.

The FTC's complaint against Adobe brings to light the critical issue of transparency in subscription services. As digital subscriptions become more prevalent, it is essential for companies to be upfront about fees and provide straightforward cancellation processes. This case serves as a reminder that consumer protection agencies will continue to hold companies accountable for deceptive practices, ensuring that consumers are treated fairly in the marketplace. The ongoing legal battle will be closely watched, with significant implications for both Adobe and the wider industry.

image for How phishing using p ...

 Threats

A security researcher known as mr.d0x has published a post detailing a new technique that can be used for phishing and potentially other malicious activities. The technique exploits so-called progressive web apps (PWAs). In this post, we discuss what these applications are, why they can be dangerous, how attackers can use them for their own purposes, and how to protect yourself against this threat.

What are progressive web apps?

PWAs are applications developed using web technologies. Essentially, they're websites that look and function just like native applications installed on your operating system. The general idea is similar to applications built on the Electron framework, with one key difference. Electron apps are like a sandwich of a website (the filling) and a browser (the bread) dedicated to running that site; that is, each Electron application has a built-in browser. In contrast, PWAs use the engine of the browser already installed on the user's system to display the same website, like a sandwich without the bread. All modern browsers support PWAs, with Google Chrome and Chromium-based browsers (including the Microsoft Edge browser that comes with Windows) offering the most complete implementation.

Installing a PWA (if the website supports it) is very simple. Just click an inconspicuous button in the browser's address bar and confirm the installation. Here's how it's done, using the Google Drive PWA as an example:

(Screenshot: installing PWAs only takes two clicks.)

After that, the PWA appears on your system almost instantly, looking just like a real application, with an icon, its own window, and all the other attributes of a fully-fledged program. It's not easy to tell from the PWA window that it's actually a browser displaying a website.

(Screenshot: the Google Drive PWA looks just like a real native application.)

PWA-based phishing

One crucial difference between a PWA and the same website opened in a browser is evident in the screenshot above: the PWA window lacks an address bar. This very feature forms the foundation of the phishing method discussed in this post. With no address bar in the window, attackers can simply draw their own, displaying a URL that serves their phishing goals. For example, this one:

(Screenshot: with a PWA, you can convincingly mimic any site, for example the Microsoft account login page.)

Attackers can further enhance the deception by giving the PWA a familiar icon. The only remaining hurdle is convincing the victim to install the PWA, which can be achieved with persuasive language and cleverly designed interface elements. It's important to note that in the PWA installation dialog, the displayed app name can be anything the attacker desires. The true origin is only revealed by the website address on the second line, which is less noticeable:

(Screenshot: the malicious PWA installation dialog displays a name that aids the attacker's goals.)

The process of stealing a password using a PWA generally unfolds as follows:
1. The victim opens a malicious website.
2. The website convinces the victim to install the PWA.
3. Installation occurs almost instantly, and the PWA window opens.
4. A phishing page with a fake address bar displaying a legitimate-looking URL opens in the PWA window.
5. The victim enters their login credentials into the form, handing them directly to the attackers.

(Screenshot: what phishing using a malicious PWA looks like.)

Of course, convincing a victim to install a native application is just as straightforward, but there are a couple of nuances. PWAs install significantly faster and require much less user interaction than traditional app installations. Additionally, developing PWAs is simpler, as they're essentially phishing websites with minor enhancements. These factors make malicious PWAs a powerful tool for cybercriminals.

How to protect yourself from PWA phishing

Incidentally, the same mr.d0x previously gained recognition for devising the browser-in-the-browser phishing technique, which we wrote about a couple of years ago. Since then there have been several reported instances of attackers employing that technique not only for stealing account passwords but also for spreading ransomware. Given this precedent, it's highly probable that cybercriminals will adopt malicious PWAs and devise novel ways to exploit this technique beyond phishing. What can you do to protect against this threat?
- Exercise caution when encountering PWAs, and refrain from installing them from suspicious websites.
- Periodically review the list of PWAs installed on your system. For instance, in Google Chrome, type chrome://apps into the address bar to view and manage installed PWAs.
- Use a reliable security solution with protection against phishing and fraudulent sites, which will promptly warn you of potential dangers.
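The two properties the post relies on, a window with no address bar and an install dialog that shows whatever name the site chooses, both come from the site's web app manifest (the `display` and `name`/`short_name` fields). A proxy or endpoint agent that sees a manifest.json can therefore flag the combination before the install prompt ever appears. The following is an added example, not code from mr.d0x's post or from Kaspersky; the two manifests, the look-alike host and the brand-to-domain table are constructed for illustration.

```python
"""Heuristic check for web app manifests that could back a phishing PWA.

Added example, not code from mr.d0x's post or from Kaspersky. The two manifests
and the brand-to-domain table are constructed; a real deployment would maintain
the brand list centrally and it would be far larger.
"""
import json
from urllib.parse import urlparse

# Display modes that open the installed app in its own window with no address bar.
# ("minimal-ui" keeps a reduced toolbar that still shows the URL, so it is excluded.)
CHROMELESS_DISPLAY = {"standalone", "fullscreen"}

# Assumption: brand keywords mapped to the domains allowed to use them.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "live.com", "office.com"},
    "google": {"google.com"},
}


def host_owned_by(host: str, domains: set[str]) -> bool:
    """True if host is one of domains or a subdomain of one of them."""
    return any(host == d or host.endswith("." + d) for d in domains)


def manifest_findings(manifest_json: str, manifest_url: str) -> dict[str, str]:
    """Return {finding_code: explanation} for one manifest fetched from manifest_url."""
    m = json.loads(manifest_json)
    origin_host = (urlparse(manifest_url).hostname or "").lower()
    findings: dict[str, str] = {}

    # 1. Will the installed window hide the browser chrome (and with it the real URL)?
    display = m.get("display", "browser")
    if display in CHROMELESS_DISPLAY:
        findings["CHROMELESS"] = f"display={display}: the PWA window will have no address bar"

    # 2. The install dialog shows `name` (or `short_name`) prominently and the
    #    origin in smaller text. Flag a brand in the name that the origin does not own.
    shown_name = (m.get("name") or m.get("short_name") or "").lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in shown_name and not host_owned_by(origin_host, domains):
            findings["BRAND_MISMATCH"] = (
                f"install dialog will show '{shown_name}' but the origin is {origin_host}"
            )
    return findings


def is_suspicious(manifest_json: str, manifest_url: str) -> bool:
    """Suspicious = chromeless window AND a brand name the origin does not own.
    Either alone is normal: legitimate PWAs use standalone, and a site may mention
    a brand in browser mode, where the real URL stays visible."""
    f = manifest_findings(manifest_json, manifest_url)
    return "CHROMELESS" in f and "BRAND_MISMATCH" in f


# Constructed sample: a legitimate standalone PWA served from the brand's own domain.
BENIGN_URL = "https://drive.google.com/manifest.json"
BENIGN_MANIFEST = json.dumps({
    "name": "Google Drive", "short_name": "Drive",
    "start_url": "/drive/", "display": "standalone",
})

# Constructed sample: a phishing PWA that names Microsoft but lives on a look-alike host.
PHISH_URL = "https://account-verify.example/manifest.json"
PHISH_MANIFEST = json.dumps({
    "name": "Microsoft Account", "short_name": "Microsoft",
    "start_url": "/login", "display": "standalone",
})

if __name__ == "__main__":
    for url, manifest in ((BENIGN_URL, BENIGN_MANIFEST), (PHISH_URL, PHISH_MANIFEST)):
        print(url, "->", "SUSPICIOUS" if is_suspicious(manifest, url) else "ok")
        for code, why in manifest_findings(manifest, url).items():
            print("   ", code, "-", why)
```

The check deliberately does not treat `display: standalone` on its own as a problem, since that is exactly how the legitimate Google Drive PWA in the post is configured; it is the pairing of a hidden address bar with a name the origin has no claim to that matches the technique described above.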

 Feed

Sysdig Falco is a behavioral activity monitoring agent that is open source and comes with native support for containers. Falco lets you define highly granular rules to check for activities involving file and network activity, process execution, IPC, and much more, using a flexible syntax. Falco will notify you when these rules are violated. You can think about Falco as a mix between snort, ossec and strace.

 Feed

Debian Linux Security Advisory 5715-1 - Two vulnerabilities have been discovered in Composer, a dependency manager for PHP, which could result in arbitrary command execution by operating on malicious git/hg repositories.

 Feed

Ubuntu Security Notice 6840-1 - Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass security restrictions, perform cross-site tracing, or execute arbitrary code. Luan Herrera discovered that Thunderbird did not properly validate the X-Frame-Options header inside a sandboxed iframe. An attacker could potentially exploit this issue to bypass sandbox restrictions and open a new window.

 Feed

Ubuntu Security Notice 6839-1 - A security issue was discovered in MariaDB and this update includes new upstream MariaDB versions to fix the issue. MariaDB has been updated to 10.6.18 in Ubuntu 22.04 LTS and to 10.11.8 in Ubuntu 23.10 and Ubuntu 24.04 LTS. In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes.

 Feed

CrowdStrike discovered that roundcube, a skinnable AJAX-based webmail solution for IMAP servers, did not correctly process and sanitize requests. This would allow an attacker to perform Cross-Site Scripting (XSS) attacks.

 Feed

Ubuntu Security Notice 6818-4 - Alon Zahavi discovered that the NVMe-oF/TCP subsystem in the Linux kernel did not properly validate H2C PDU data, leading to a null pointer dereference vulnerability. A remote attacker could use this to cause a denial of service. It was discovered that the Intel Data Streaming and Intel Analytics Accelerator drivers in the Linux kernel allowed direct access to the devices for unprivileged users and virtual machines. A local attacker could use this to cause a denial of service.

 Feed

Ubuntu Security Notice 6793-2 - USN-6793-1 fixed vulnerabilities in Git. The CVE-2024-32002 was pending further investigation. This update fixes the problem. It was discovered that Git incorrectly handled certain submodules. An attacker could possibly use this issue to execute arbitrary code. This issue was fixed in Ubuntu 22.04 LTS, Ubuntu 23.10 and Ubuntu 24.04 LTS.

 Feed

Red Hat Security Advisory 2024-3889-03 - Red Hat OpenShift Container Platform release 4.15.18 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.

 Feed

Red Hat Security Advisory 2024-3885-03 - Red Hat OpenShift Container Platform release 4.13.44 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.

 Feed

Two security vulnerabilities have been disclosed in the Mailcow open-source mail server suite that could be exploited by malicious actors to achieve arbitrary code execution on susceptible instances. Both shortcomings impact all versions of the software prior to version 2024-04, which was released on April 4, 2024. The issues were responsibly disclosed by SonarSource on March 22, 2024. The flaws

 Feed

Are your tags really safe with Google Tag Manager? If you've been thinking that using GTM means that your tracking tags and pixels are safely managed, then it might be time to think again. In this article we look at how a big-ticket seller that does business on every continent came unstuck when it forgot that you can’t afford to allow tags to go unmanaged or become misconfigured.  Read the

 Feed

Chinese-speaking users are the target of a never-before-seen threat activity cluster codenamed Void Arachne that employs malicious Windows Installer (MSI) files for virtual private networks (VPNs) to deliver a command-and-control (C&C) framework called Winos 4.0. "The campaign also promotes compromised MSI files embedded with nudifiers and deepfake pornography-generating software, as well as

 Feed

A threat actor who goes by alias markopolo has been identified as behind a large-scale cross-platform scam that targets digital currency users on social media with information stealer malware and carries out cryptocurrency theft. The attack chains involve the use of a purported virtual meeting software named Vortax (and 23 other apps) that are used as a conduit to deliver Rhadamanthys, StealC,

 Feed

Crypto exchange Kraken revealed that an unnamed security researcher exploited an "extremely critical" zero-day flaw in its platform to steal $3 million in digital assets and refused to return them. Details of the incident were shared by Kraken's Chief Security Officer, Nick Percoco, on X (formerly Twitter), stating it received a Bug Bounty program alert about a bug that "allowed them to

 Feed

The China-nexus cyber espionage actor linked to the zero-day exploitation of security flaws in Fortinet, Ivanti, and VMware devices has been observed utilizing multiple persistence mechanisms in order to maintain unfettered access to compromised environments. "Persistence mechanisms encompassed network devices, hypervisors, and virtual machines, ensuring alternative channels remain available

Aggregator history: 2024-06, Wednesday, June 19