Oktacron logo
Cyber security aggregate rss news

Cyber security aggregator - feeds history
image for ONNX Store Phishing ...

 Cybersecurity News

Researchers have discovered a new phishing campaign that relies on a phishing-as-a-service platform called ONNX Store, available for purchase over Telegram. ONNX Store appears to be a rebranded version of an already existing phishing kit called Caffeine. The kits share infrastructure and are advertised on the same   show more ...

Telegram channels. The phishing campaign targets financial institutions with QR codes embedded in PDF attachments. When victims scan these codes with their phones, they are redirected to fake login pages designed to collect login credentials and two-factor authentication keys. ONNX Store Enables Theft of Credentials in Real Time [caption id="attachment_77987" align="alignnone" width="1179"] Source: blog.eclecticiq.com[/caption] ONNX Store offers a  variety of powerful phishing tools designed to support cybercriminals, including custom phishing pages, webmail servers, 2FA cookie stealers, and "fully undetectable" referral services that use trusted domains to direct victims to phishing landing pages. Researchers from EclecticIQ have noticed that threat actors using the ONNX Store phishing kit tend to distribute PDF files as attachments in phishing emails. Impersonating a reputable service, these documents contain a QR code that directs victims to malicious phishing landing pages. This tactic, known as "quishing," takes advantage of the lack of detection or prevention present on employee's personal mobile devices, which are usually left unprotected. The lack of protection on mobile devices also makes it challenging to monitor these threats. The phishing landing pages aim to steal sensitive credentials using the Adversary-in-The-Middle (AiTM) method, which allows for real-time capture and transmission of stolen data without the need for frequent HTTP requests. This makes the phishing operation more efficient and harder to detect. The ONNX Store Phishing Kit uses encrypted JavaScript code that decrypts itself upon page load and includes a basic anti-JavaScript debugger. This adds a layer of protection against phishing scanners and complicates detection. The decrypted JavaScript code then collects the victims' network metadata, including details such as browser name, IP address, and location. The decrypted JavaScript code is designed to steal 2FA tokens entered by the victims. This allows attackers to bypass typical 2FA protection and gain unauthorized access to the victim's account before it expires. Researchers identified similarities in domain registrant and SSL issuer across various infrastructures deployed by the ONNX Store phishing kit. These similarities indicated the use of bulletproof hosting services to host the campaign. Researchers Believe ONNX Store is Rebranding of Caffeine Kit Researchers have assessed that the ONNX Store phishing kit is likely a rebranding of the Caffeine phishing kit. This assessment is based on the significant overlaps in infrastructure and advertising on the same Telegram channels. This overlap includes the involvement of the Arabic-speaking threat actor MRxC0DER as the likely developer and maintainer behind the Caffeine kit. [caption id="attachment_77989" align="alignnone" width="1393"] Source: blog.eclecticiq.com[/caption] The rebranding of the platform appears to be focused on improving operational security for malicious actors. The ONNX Store service enables threat actors to control operations through Telegram bots with an additional support channel to assist clients rather than a single web server. This shift in infrastructure and management makes it more challenging to take down the platform's phishing domains. To further increase its resilience, ONNX Store uses Cloudflare services to delay the removal process of its phishing domains. This abuse of Cloudflare's CAPTCHA feature and IP proxy helps attackers avoid detection through the use of phishing web crawlers and URL sandboxes. This practice also hides the original host and makes it more difficult to take down phishing domains. Advertised with slogans like "Anything is allowed" and "Ignore all reports of abuse", these services are designed to support a wide range of illegal activities without the risk of being blocked, creating a safe haven for cybercriminals. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

image for Kraken vs Certik: A ...

 Bug Bounty & Rewards

In a high-stakes clash within the crypto verse, Kraken, a leading U.S. cryptocurrency exchange, has accused blockchain security firm Certik of illicitly siphoning $3 million from its treasury and attempting extortion. The dispute shows the significant tensions between ethical hacking practices and corporate responses   show more ...

and underscores the complexities and challenges within the bug bounty ecosystem. Accusations from Kraken Nick Percoco, Kraken's chief security officer, took to social media platform X (formerly known as Twitter) to accuse an unnamed security research firm of misconduct. According to Percoco, the firm - later revealed to be Certik - breached Kraken’s bug bounty program rules. Instead of adhering to the established protocol of promptly returning extracted funds and fully disclosing bug transaction details, Certik allegedly withheld the $3 million and sought additional compensation, Percoco claimed. Percoco claimed that "the ‘security researcher’ disclosed this bug to two other individuals who they work with who fraudulently generated much larger sums. They ultimately withdrew nearly $3 million from their Kraken accounts. This was from Kraken’s treasuries, not other client assets." He said that after contacting the researchers, instead of returning the funds they "demanded a call with their business development team (i.e. their sales reps) and have not agreed to return any funds until we provide a speculated $ amount that this bug could have caused if they had not disclosed it. This is not white-hat hacking, it is extortion!" Percoco said that in the decade-long history of Kraken’s bug bounty program, the company had never encountered researchers who refused to follow the rules. The program stipulates that any funds extracted during bug identification must be immediately returned and accompanied by a proof of concept. The researchers are also expected to avoid excessive exploitation of identified bugs. The dispute escalated as Certik reportedly failed to return the funds and accused Kraken of being “unreasonable” and unprofessional. Percoco responded that such actions by security researchers revoke their “license to hack” and classify them as criminals. “As a security researcher, your license to “hack” a company is enabled by following the simple rules of the bug bounty program you are participating in. Ignoring those rules and extorting the company revokes your “license to hack”. It makes you, and your company, criminals.” Certik's Response to Kraken Following Kraken’s public accusations, Certik disclosed its involvement and countered Kraken’s narrative by accusing the exchange of making unreasonable demands and threatening its employees. Certik claimed Kraken demanded the return of a “mismatched” amount of cryptocurrency within an unfeasible timeframe without providing necessary repayment addresses. The company provided an accounting of its test transactions to support its claims. Certik shared its intent to transfer the funds to an account accessible to Kraken despite the complications in the requested amount and lack of repayment addresses. “Since Kraken has not provided repayment addresses and the requested amount was mismatched, we are transferring the funds based on our records to an account that Kraken will be able to access.” - CertiK CertiK’s Take on Kraken’s Defense Systems Certik defended its actions and instead highlighted the inadequacy of Kraken’s defense systems. The firm pointed out that the continuous large withdrawals from different testing accounts, which were part of their testing process, should have been detected by Kraken’s security measures. Certik questioned why Kraken’s purportedly robust defense systems failed to identify such significant anomalies. “According to our testing result: The Kraken exchange failed all these tests, indicating that Kraken’s defense in-depth-system is compromised on multiple fronts. Millions of dollars can be deposited to ANY Kraken account. A huge amount of fabricated crypto (worth more than 1M+ USD) can be withdrawn from the account and converted into valid cryptos. Worse yet, no alerts were triggered during the multi-day testing period. Kraken only responded and locked the test accounts days after we officially reported the incident.” - CertiK The blockchain security firm said the fact behind their white hat operation is that “millions dollars of crypto were minted out of air, and no real Kraken user’s assets were directly involved” in these research activities. The firm also said that the dispute with the cryptocurrency exchange is actually shifting focus away from a more severe security issue at Kraken. “For several days, with many fabricated tokens generated and withdrawn to valid cryptos, no risk control or prevention mechanisms were triggered until reported by CertiK,” it said. “The real question should be why Kraken’s in-depth defense system failed to detect so many test transactions.” Regarding the money siphoned, Certik said, “Continuous large withdrawals from different testing accounts was a part of our testing.” With an aim of transparency, the security firm disclosed details of all testing deposit transactions and the timeline of how the bug bounty saga played out on X. [caption id="attachment_78192" align="aligncenter" width="698"] Timeline of the Kraken vs CertiK zero-day and bug bounty dispute (Source: CertiK on platform X)[/caption] Disclosure of Product Flaws Treads a Fine Line The news of the escalated dispute comes on the heels of another incident where a white hat hacker - after following bug bounty ethics - was threatened by the legal team of the company to “cease and desist.” Andrew Lemon, an offensive security expert, responsibly reported a critical vulnerability to an unnamed company that manufactured and sold a traffic control system. The vulnerability allowed a remote unauthenticated attacker to bypass security and gain full control of a traffic controller, giving them the ability to changing stoplights and modify traffic flow, Lemon explained in a LinkedIn post. But to Lemon’s surprise, instead of acknowledging and addressing the bug with the engineering team, its legal team threatened to sue him under the Computer Fraud and Abuse Act. “I Received a letter from a company's legal team instead of engineering after responsibly disclosing a critical vulnerability in a traffic control system I purchased from eBay,” he said. “The company's response? In order for them to acknowledge the vulnerability, hardware must be purchased directly from them or tested with explicit authorization from one of their customers, they threatened prosecution under the Computer Fraud and Abuse Act, and labeled disclosure as irresponsible, potentially causing more harm.” Security Engineer Jake Brodsky responded saying, “Legally they're not wrong for writing such a letter or even bringing a court case against the researcher. However, ethically, because it pits professional organizations against each other for no good reason, it is problematic.” Disclosure of product flaws treads a very fine line. On the one hand, nobody likes the publicity that follows. On the other hand, if nobody says anything, the only way we can improve is in the aftermath of an investigation where fortunes are lost and people get hurt. Implications for the Bug Bounty Ecosystem The Kraken-Certik dispute and the one highlighted by Andrew Lemon raises critical questions about the operational dynamics and ethical boundaries within bug bounty programs. These programs are designed to incentivize security researchers to identify and report vulnerabilities, offering financial rewards for their efforts. However, these cases reveal potential pitfalls when communication and mutual understanding between parties break down. The ethical framework of bug bounty programs relies on clear rules and mutual trust. Researchers must adhere to the program’s guidelines, including the immediate return of any extracted funds and full disclosure of their findings. On the other hand, companies must provide clear instructions and maintain professional interactions with researchers. There is a need for well-defined protocols and communication channels between companies and researchers. Ensuring transparency and clarity in expectations can prevent misunderstandings and conflicts, fostering a more cooperative environment for cybersecurity improvements.

image for Europe Union Tighten ...

 Cybersecurity News

The European Union has introduced two critical regulatory frameworks: the Network and Information Security (NIS) Directive and the Digital Operational Resilience Act (DORA). These measures aim to ensure that businesses of all sizes implement strong cybersecurity practices to protect sensitive information. However,   show more ...

industry experts suggest that the regulations’ full potential might only be realized with the involvement of third-party cybersecurity specialists. The Growing Cyber Threat Landscape As businesses increasingly depend on digital infrastructure to connect with clients, customize products, and enhance customer experiences, they simultaneously face heightened risks of cyberattacks. Cybercrime is projected to cost the global economy $9.5 trillion in 2024, escalating by 15% annually to reach $10.5 trillion by 2025, according to Cybersecurity Ventures. Even the most advanced cybersecurity systems can be compromised, as evidenced by a recent data breach of the United Kingdom’s Ministry of Defence payroll system, exposing the names and banking details of both current and former armed forces members. European Union's Response: NIS and DORA Recognizing the urgent need for stronger cybersecurity measures, the Europe Union has implemented the NIS Directive and DORA. These regulations aim to standardize and enhance cybersecurity practices across member states. NIS Directive: The NIS Directive focuses on establishing high-level, common cybersecurity best practices. It strengthens system security requirements, addresses supply chain vulnerabilities, streamlines reporting, and introduces stringent supervisory measures with potential sanctions for non-compliance. The directive was initiated in the fall of 2021 and formalized in May 2022, and businesses were given until October 2024 to comply with the new standards. DORA: DORA targets the financial sector, mandating periodic digital operational resilience testing and the implementation of management systems to monitor and report significant ICT-based incidents to relevant authorities. This regulation aims to ensure that financial entities like banks, insurance companies, and investment firms can maintain operational resilience during severe disruptions. The development of DORA involved three European Supervisory Authorities: the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA). They established mandatory incident reporting requirements and encouraged cooperation and information sharing among financial entities and regulators to respond effectively to cybersecurity threats. The Importance of Third-Party Assessments Darren Humphries, Group CISO & CTO-Partner at Acora, emphasizes the need for continuous measurement of cybersecurity practices. “Risk management is moving away from art to science,” Humphries explains, highlighting the importance of metrics and documentation in meeting regulatory guidelines. He criticizes the effectiveness of self-attestation, noting that the Ministry of Defence breach partly occurred due to reliance on self-service attestation from suppliers. Instead, Humphries advocates for third-party cybersecurity specialists to evaluate and verify processes, minimizing the risk of oversight. The evolving threat landscape demands that corporations, especially those in the financial sector, become proactive in addressing potential security vulnerabilities. The new EU regulations push businesses in this direction, but they also need to leverage third-party expertise to thoroughly examine and fortify their cybersecurity frameworks. By doing so, they can better protect network transactions and comply with regulatory requirements, reducing the likelihood of cyber incidents. Conclusion The new EU regulations, NIS and DORA, represent a significant step forward in enhancing cybersecurity practices across Europe. However, to maximize their impact and truly safeguard against evolving cyber threats, businesses must incorporate third-party assessments and expertise. By doing so, they can ensure robust protection of sensitive information and compliance with regulatory standards, ultimately reducing their cybersecurity risks in an increasingly digital world.

image for Beware! Deepfakes of ...

 Firewall Daily

A new deepfake investment scam has emerged on the internet, misusing prominent Indian figures like Asia's richest person, Mukesh Ambani, and former captain of the Indian national cricket team, Virat Kohli. These deepfake scam videos falsely depict the billionaire and cricket star endorsing betting apps, leading   show more ...

unsuspecting viewers into potential scams. Using advanced deepfake techniques, the video manipulates their appearances and voices to make it seem like they are endorsing the app. This deceptive tactic exploits the trust and influence these figures hold. The Strange Case of Deepfake Scams This deepfake investment scam also targets well-known TV journalists, manipulating footage to create a false impression of authenticity. These altered videos imply endorsements from reputable sources, exploiting public trust for illicit gains. In the video, which is widely being circulated online, Ambani is falsely quoted as saying, “Our honest app has already helped thousands of people in India earn money. There is a 95% chance of winning here.” https://www.facebook.com/watch/?v=2401849440205008 Meanwhile, Kohli is shown endorsing the app, stating, "Aviator is an investment game where you can make huge profits. For example, if you have 500 Rupees, that will be enough because when the airplane flies your stake will automatically multiply by the number that the airplane reaches. Your investment can multiply 10 times. I personally recommended this app.” Both individuals seem to be discussing the game and promising high returns, claiming minimal investments can lead to significant profits. Such false promises prey on the aspirations of viewers seeking easy financial gains, ultimately leading to financial losses for many who fall victim to these deepfake investment scams. The Cyber Express has investigated these Aviator game scams and found out most of these apps have been banned on platforms like Google Play Store and Apple App Store due to their deceptive practices. Despite this, scammers continue to circulate these apps through alternate channels, using deepfake investment scams to lend a spirit of legitimacy. The Aviator Game Scams Leveraging Deepfake Technology  Similar incidents involving other public figures have also come to light, including cricket legend Sachin Tendulkar. Fake videos were created to deceive the public, and Tendulkar himself spoke out against such misuse of technology. In one deepfake video, Tendulkar is depicted talking about his daughter Sara playing a particular game, falsely quoting him as saying, “I am surprised how easy it is to earn well these days." [caption id="attachment_78100" align="alignnone" width="720"] Sachin Tendulkar Deepfake Scam (Source: X)[/caption] Following this, Sachin Tendulkar himself posted a tweet explaining the deepfake investment scam behind the deepfake videos. Tendulkar tweeted, “These videos are fake. It is disturbing to see rampant misuse of technology. Request everyone to report videos, ads & apps like these in large numbers. Social Media platforms need to be alert and responsive to complaints. Swift action from their end is crucial to stopping the spread of misinformation and deepfakes.” Previously, the Indian media company The Quint decoded another instance of deepfake videos involving Mukesh Ambani's son, Anant Ambani, and Virat Kohli promoting gaming apps in viral clips circulating on social media. Concerns arose about Ambani's video due to discrepancies in lip-sync and mechanical movements, suggesting a potential deepfake. [caption id="attachment_78102" align="alignnone" width="720"] Anant Ambani Deepfake (Source: The Quint)[/caption] Investigation revealed the original context of Ambani's video related to an animal rescue program launch. Similarly, Kohli's video was traced back to a different context involving discussions on religious harmony, debunking claims of both videos promoting gaming applications as false. In all the cases combined, a single app that was heavily promoted by social media pages and deepfake videos was the Aviator game. Aviator, an online casino game developed by Spribe, has become the most controversial game on the internet. The game’s unique, “easy to make money” has been tried and tested to be too good to be true. Inside the game, players engage by flying planes to earn money, influencing outcomes through their actions—a unique feature in online gaming. The game includes bonus rounds and mini-games, accessible on desktop, mobile, and tablet platforms to reach a broad audience. However, despite its popularity, the Aviator game has garnered notoriety for its misleading promises and unfair practices. Users have reported massive financial losses after investing in what turned out to be a fraudulent scheme. Reviews and user experiences highlight consistent patterns of manipulation and rigged outcomes designed to benefit the operators at the expense of trusting players. To top it all off, these fake deepfake videos of celebrities endorsing the app adds more questions about the authenticity of the app and the intent behind this aggressive marketing strategy.  The proliferation of deepfake videos exploiting the reputations of public figures like Mukesh Ambani and Virat Kohli highlights the urgent need for stringent measures against digital deception. As consumers, vigilance and skepticism are essential in understanding an increasingly complex technological era with potential scams and misinformation.

image for Apparent Ransomware ...

 Ransomware News

Crown Equipment, a global top five forklift manufacturer, was hit by a cyberattack that has disrupted its manufacturing operations for nearly two weeks. The company yesterday attributed the attack to an "international cybercriminal organization," raising speculation of a ransomware gang's involvement. The   show more ...

cyberattack has affected Crown's IT systems, employee workflows and overall business continuity for the second week running. Crown Equipment Cyberattack Overview Since approximately June 8th, Crown's employees reported a breach in the company's IT systems. This breach led to a complete shutdown of systems, preventing employees from clocking in their hours, accessing service manuals, and in some cases delivering machinery. In an internal email sent to employees, the heavy machinery manufacturer confirmed the cyberattack and advised employees to ignore multifactor authentication (MFA) requests and to be cautious of phishing emails. "I currently work there. Everyone is scrambling, can't order parts except for TVH and that's strictly for emergencies. The company hasn't officially announced that it's been hacked but they keep pushing the importance of MFA. We can read between the lines." - Reddit User (Williams2242) The company in its press release revealed that the breach necessitated the shutdown of their operating systems to investigate and resolve the issue without giving details on the hackers and their ransom demand, if any. Crown Equipment Attack Details Crown disclosed that many of their security measures were effective in limiting data access by the criminals. However, the breach likely occurred due to an employee not adhering to data security policies that resulted in unauthorized access to their device, according to a Reddit post. "I heard someone got a call from a hacker pretending to be IT. They installed a fake VPN on their computer and got access to everything. They created a privileged account on the network that gave them access all the systems. The network went down Sunday and it's been down since with no ETA." - Reddit User (DragonflyJust2223) This speculation suggests a social engineering attack where the threat actor installed remote access software on the employee's computer. BornCity, a website maintained by a German-speaking digital observer, first reported the possibility of a hack nearly a week ago. Citing a distant source who used to work at the manufacturing plant of Crown, BornCity said the problems were likely due to a 'coding bug.' "This had sent the Crown 360 (a service likely based on the Microsoft Cloud and Office 365) solution downhill – but I take that information not as reliable." Crown Equipment, however, did not confirm the speculation and thus the claims remain unverified. Impact on Crown Equipment's Employees Initially, Crown told employees they would need to file for unemployment or use their paid time off (PTO) and vacation days to receive pay for missed days. Last weekend, this directive was updated and the employees were asked to file for unemployment, after which several took to Reddit to vent their discontent. "The fact that their not paying people for their mistake is straight bu****it. Crown pretends to be a family company but as soon as they need to support their "family" they shaft them. People need this money to live, while the owner can just sit back and chill with his multi-millions in the bank. Crown needs to take the hit and do the right thing." - Reddit User Another said: [caption id="attachment_78309" align="aligncenter" width="1024"] Source: Reddit[/caption] However, Crown later decided to provide regular pay as an advance, allowing employees to compensate for the lost hours later. Despite this adjustment, employees expressed frustration over the lack of transparency and communication from the company during the incident. Crown Equipment has reportedly engaged some of the world’s top cybersecurity experts and the FBI to analyze the affected data and manage the aftermath of the attack. The company emphasized that there were no indications that employee personal information or data that could facilitate identity theft was targeted. The company is now in the process of restoring systems and transitioning back to normal business operations. They are also working closely with customers to minimize the disruption's impact on their operations. Although Crown did not specify the type of cyberattack, their description suggests a ransomware attack by an international cybercriminal organization. If confirmed, this implies that corporate data was likely stolen and could be leaked if the ransom demands are not met. As Crown continues to recover from this significant disruption, the incident serves as a reminder for companies worldwide to strengthen their cybersecurity protocols, including isolating critical workloads, invest in employee training to prevent social engineering attacks, and establish effective communication strategies for managing cyber incidents.

image for CISA Releases 2024 S ...

 Firewall Daily

CISA has released the new version of the SAFECOM Guidelines. This exclusive guideline talks about the Emergency Communications Grants in cooperation with SAFECOM and NCSWIC. The new version aims to give the correct information to businesses globally. The National Council of Statewide Interoperability Coordinators   show more ...

(NCSWIC) and the Cybersecurity and Infrastructure Security Agency (CISA) work closely together to develop and maintain the SAFECOM Guidelines. According to the guidelines, the collaboration between the agencies goes into great detail about financial requirements, eligibility requirements, and technical requirements. The New CISA SAFECOM Guidelines The new SAFECOM guidelines help state, local, tribal, and territory governments secure federal money for crucial emergency communications projects is its main goal. Billy Bob Brown, Jr., Executive Assistant Director for Emergency Communications at CISA, stated: "The SAFECOM Guidance on Emergency Communications Grants is an essential resource that supports our collective efforts to strengthen the resilience and interoperability of emergency communications nationwide."  The guidance aims to provide a seamless experience to governments and agencies while also receiving new updates every year. These updates include new developments in technology and online risk management. It guarantees that grantees have access to the most recent guidelines and specifications required to construct reliable, safe, and compatible communication networks. By adhering to these standards, recipients can maximize government funding by ensuring that investments align with both national and community interests. "Incorporating SAFECOM Guidance into project planning not only enhances funding prospects but also strengthens the overall emergency response capabilities of our communities," Brown said. The document encourages stakeholders to adopt best practices in the planning, organizing, and execution of emergency communications projects to foster a uniform strategy across all governmental levels and public safety groups. SAFECOM and Federal Agencies Federal organizations such as the Office of Management and Budget and the Department of Homeland Security have acknowledged the SAFECOM Guidance as a vital resource since its establishment.  Grant candidates are encouraged to utilize the SAFECOM Guidance to ensure that their projects are in line with state, local, tribal, or territorial emergency communications strategies. To address the diverse needs of public safety organizations and communities, the research places a strong emphasis on the integration of new technologies, cybersecurity measures, and interoperable communication systems. Through the SAFECOM website, CISA offers resources and information on comprehending federal grant criteria to further assist stakeholders. The team is still dedicated to helping applicants create thorough plans that both satisfy funding requirements and improve emergency infrastructure's overall resilience.

image for Chris Pashley Joins ...

 Appointments

The Advanced Research Projects Agency for Health (ARPA-H) has appointed Chris Pashley as its Chief Information Security Officer (CISO). Pashley, formerly the Deputy Chief Information Security Officer at the Cybersecurity and Infrastructure Security Agency (CISA), announced his new role through a LinkedIn post. ARPA-H,   show more ...

part of the U.S. Department of Health and Human Services, is dedicated to tackling the most challenging problems in health through innovative research programs grounded in urgency, excellence, and honesty. The agency aims to accelerate breakthroughs that enable every American to realize their full health potential, transforming the seemingly impossible into the possible and the actual. [caption id="attachment_78081" align="aligncenter" width="838"] Source: Chris Pashley's LinkedIn Post[/caption] Pashley’s appointment comes at a crucial time for ARPA-H as it seeks to develop and launch an agency-wide initiative to implement strong cybersecurity measures. His extensive experience and proven track record in cybersecurity make him an ideal fit for this pivotal role. Chris Pashley's Background and Experience Before joining ARPA-H, Pashley played a key role at CISA, where he supported efforts to strengthen the agency’s internal cybersecurity program. He worked closely with CISA’s CISO and Chief Information Officer to enhance the agency’s cybersecurity posture, ensuring that its systems and data were well-protected against the ever-evolving landscape of cyber threats. Prior to his tenure at CISA, Pashley led the Cyber Threat Intelligence (CTI) team within the Security Operations Division at U.S. Customs and Border Protection (CBP). In this capacity, he focused on establishing the foundational elements of the CTI team, including its vision, mission, structure, and performance management. He also improved the team’s integration with and support to CBP’s Security Operations Center (SOC), providing senior leadership with critical updates on cyber threat activity. Pashley’s move to the government sector in 2017 was preceded by a nearly seven-year stint at Booz Allen Hamilton, where he served as an associate. His work there laid the groundwork for his subsequent roles in government cybersecurity, equipping him with the skills and experience needed to navigate the complex and high-stakes environment of federal cybersecurity operations. Pashley’s expertise will be instrumental in developing and implementing comprehensive cybersecurity measures across ARPA-H. His approach will likely involve a combination of proactive threat intelligence, rigorous security protocols, and continuous monitoring to protect the agency’s digital assets. .With his extensive background in cybersecurity and proven leadership, Pashley is well-equipped to guide ARPA-H in protecting its vital research and operations. As the agency continues to push the boundaries of health innovation, robust strong cybersecurity measures will be crucial in ensuring the success and integrity of its groundbreaking work.

image for Several Chinese APTs ...

 Firewall Daily

Researchers have discovered that various threat actors groups associated with Chinese state-linked espionage have been conducting a sustained hacking campaign targeting telecommunications operators in an unnamed Asian country since at least 2021. The attackers relied on custom malware and tactics tied to several   show more ...

China-linked espionage groups, suggesting Chinese state sponsorship. Malware Variants Used in Chinese Espionage Campaign Researchers from Symantec observed the use of several custom malware linked to China-based threat actors, including: Coolclient: A backdoor used by the Fireant group that logs keystrokes and communicates with command servers. The campaign utilized a version delivered via a trojanized VLC media player. It is linked to the Fireant group, also known as Mustang Panda or Earth Preta. Quickheal: A backdoor associated with the Needleminer group, also known as RedFoxtrot or Nomad Panda. The variant used in the campaign was nearly identical to those documented in 2021. It communicated with a command server at swiftandfast[.]net. Rainyday: A backdoor tied to the Firefly group, also known as Naikon. Multiple variants were deployed using trojanized executables to sideload malicious loaders and decrypt payloads. At least one loader variant matched those linked to Firefly in 2021. The attackers also used a variety of tactics, techniques, and procedures (TTPs) to compromise targets. These included keylogging malware that were possibly custom-developed, and port scanning tools to identify vulnerable systems. They also employed credential theft through the dumping of registry hives and exploited the Remote Desktop Protocol (RDP). Additionally, they used a publicly available tool, Responder, to act as a Link-Local Multicast Name Resolution (LLMNR), NetBIOS Name Service (NBT-NS) and multicast DNS (mDNS) poisoner. Nearly all victims in the campaign were telecoms operators, along with a services company that caters to the telecoms sector and a university in a different country in Asia. The researchers suggested that the campaign may even date as far back as the year 2020. Campaign Motives and Attribution The custom malware exclusively used by Fireant, Needleminer and Firefly provides strong evidence that this campaign involves Chinese state-sponsored groups. Firefly has been linked to a Chinese military intelligence unit by the U.S.-China Commission. The level of coordination between the groups involved is unclear but possibilities include independent action, personnel/tool sharing, or active collaboration. The ultimate motives behind the hacking campaign remain uncertain. Potential objectives include intelligence gathering on the telecommunications sector, eavesdropping on voice and data communications, or developing disruptive capabilities against critical infrastructure. To protect against these threats, telecom operators and other organizations should ensure they have the latest protection updates and implement robust security measures to detect and block malicious files. The researchers shared several Indicators of compromise and file hashes to help defenders detect against the campaign. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

image for CDK Global Hit by Cy ...

 Cybersecurity News

CDK Global, a provider of software solutions to auto dealerships across the United States, has fallen victim to a significant cyberattack. This CDK Global cyberattack has forced the company to temporarily shut down most of its systems, effectively bringing sales operations at approximately 15,000 car dealerships to a   show more ...

standstill. The cyberattack on CDK Global has had a profound impact on major clients of CDK Global, including General Motors dealerships, Group 1 Automotive, and Holman, which operates dealerships across eight U.S. states. These dealerships rely heavily on CDK's software to manage their daily operations, from sales transactions to inventory management. "We are actively investigating a cyber incident. Out of an abundance of caution and concern for our customers, we have shut down most of our systems and are working diligently to get everything up and running as quickly as possible", a CDK spokesperson told CBS News. According to the news reports, CDK reported that they had restored some of their systems after conducting extensive tests and consulting with third-party experts. "With the work done so far, our core dealer management system and Digital Retailing solutions have been restored. We are continuing to conduct extensive tests on all other applications and will provide updates as we bring those applications back online," CDK stated in a communication to CBS MoneyWatch. CDK Global’s dealer management system (DMS) serves as a central hub that allows dealerships to monitor their operations from a single interface. Their retail tools enable dealerships to conduct transactions both online and in showrooms. These tools are essential for managing payroll, inventory, and various office operations. CDK also prides itself on offering robust cybersecurity solutions, as stated on its website: "CDK Cybersecurity Solutions provide a three-tiered cybersecurity strategy to prevent, protect, and respond to cyberattacks so you can defend your dealership. Dealerships' Response to the CDK Global Cyberattack The sudden outage has caused widespread disruption among car dealerships. Many have been forced to find creative solutions to continue their operations. Dealership employees took to Reddit to discuss the challenges they were facing. They reported relying on spreadsheets and sticky notes to handle small parts sales and repairs, while larger transactions were effectively halted. One employee questioned others on Reddit, asking, "How many of you are standing around because your whole shop runs on CDK?" Responses from users in Wisconsin and Colorado confirmed that their dealership systems were offline, causing significant operational delays. The CDK Global Cyberattack has left many employees with little to do, with some dealerships sending staff home due to the inability to conduct normal business operations. "We are almost to that point… no parts, no ROs, no times… just dead vehicles with nothing to show for them or parts to fix them," lamented one dealership employee on Reddit. Another employee shared, "Excel spreadsheets and post-it notes for any parts we're handing out. Any big jobs are not happening," highlighting the extent to which the disruption has impacted their workflow. Potential Ransomware Attack While CDK Global has not released an official statement on the nature of the cyberattack, rumors and reports suggest that the company may have suffered a ransomware attack that also impacted its backups.  If it indeed was a ransomware attack, the outages could persist for several days, potentially stretching into the next week or longer. The Cyber Express Team tried to reach out to CDK Global to get an official statement and know more details about the cyberattack, however, as of writing this news report no response has been received.

image for Association of Texas ...

 Firewall Daily

The Association of Texas Professional Educators (ATPE) is notifying more than 414,000 of its members that their personal information may have been compromised in a data breach incident that occurred earlier this year. ATPE is largest community of educators in Texas, and aims to elevate public education in the state.   show more ...

The association advocates for Texas educators and provides affordable, high-quality products and services, including legal and educational services. The professional organization for educators said in a recent letter that it detected suspicious activity on its network on Feb. 12 and launched an investigation with the help of a cybersecurity firm. Association of Texas Professional Educators Data Breach On February 12, 2024, ATPE detected abnormal activity on its network, which led to a comprehensive forensic investigation. The investigation concluded on March 20, 2024, and found evidence that some of ATPE's systems had been accessed by an unauthorized user. Based on this finding, ATPE reviewed the affected systems to identify the specific individuals and types of information that may have been compromised. The accessed information varied depending on when members joined: For those who became members before May 15, 2021, the breach may have exposed names, addresses, dates of birth, Social Security numbers and medical records. Tax Identification Numbers could also possibly have been accessed if employers used them as identifiers. For members who received payments from ATPE via ACH transactions, financial account information could also have been accessed. ATPE said that while it has no evidence that anyone's information has been misused, it is notifying members "out of an abundance of caution and for purposes of full transparency." Response to Breach Incident and Credit Offering Since discovery of the breach, ATPE stated that it has taken several steps to secure its systems, including: Disconnecting all access to its network. Change of administrative credentials. Installation of enhanced security safeguards on ATPE's environment and endpoints. Restoration of ATPE's website in a Microsoft Azure hosted environment. The organization said it will continue efforts to mitigate potential harm in the future. ATPE is providing affected members with free credit monitoring and identity protection services for one year through Cyberscout, a company specializing in fraud assistance. Members must enroll by Sept. 15, 2024. Details on how to activate the free services are included in the notification letters sent to members' homes. The association has also advised individuals to remain vigilant for possible incidents of identity theft and fraud, review account statements, and monitor credit reports for suspicious or unauthorized activity. ATPE said it sincerely regrets any concern or inconvenience caused by the incident but remains committed to safeguarding users' personal information. Law firm Federman & Sherwood has announced that it would conduct a separate investigation into the Association of Texas Professional Educators data breach. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

image for Alleged AMCOM Data B ...

 Firewall Daily

The U.S. Army Aviation and Missile Command (AMCOM), based at Redstone Arsenal, Alabama, has been spotlighted following an alleged data breach claimed by a prolific dark web hacker. The AMCOM data breach, announced by the threat actor on June 16, 2024, but occurring in August 2023, involved the unauthorized release of   show more ...

critical documents related to key military aircraft. The US Army Aviation and Missile Command (AMCOM) plays a pivotal role in supporting the U.S. Army by managing the development, acquisition, and sustainment of aviation and missile systems. It ensures the operational readiness of these systems, provides logistical support and maintains the supply chain critical for defense operations. Decoding the AMCOM Data Breach Claims The AMCOM data leak, disclosed on BreachForums by a user known as IntelBroker, exposed detailed technical documents and images about the Boeing CH-47F Chinook and Sikorsky H-60 Black Hawk helicopters. IntelBroker, a moderator on the platform, claimed responsibility for the leak, stating, "Today, I'm releasing the U.S. Army Aviation and Missile Command data breach." The Cyber Express reached out to the U.S. Army Aviation and Missile Command to learn more about the authenticity of the AMCOM data breach. However, at the time of writing this, no official statement or response has been received, leaving the claims for the AMCOM data leak unconfirmed right now.  Moreover, the AMCOM website appears operational, suggesting the breach may have targeted specific backend systems rather than impacting public-facing services like DDoS attacks or website defacements. IntelBroker and the Recent Exploits  IntelBroker, a notorious threat actor known for orchestrating multiple high-profile data breaches, recently claimed responsibility for infiltrating Apple's security infrastructure. This assertion follows their previous claims of breaching organizations like Advanced Micro Devices (AMD), where sensitive data such as customer databases and source code was compromised. The cybercriminal has a track record of targeting prominent entities such as government agencies like Europol and the U.S. State Department, as well as major corporations including Barclays Bank, Facebook Marketplace, and Home Depot. In the latest incident, IntelBroker purportedly accessed the source code of three internal tools utilized by Apple: AppleConnect-SSO, Apple-HWE-Confluence-Advanced, and AppleMacroPlugin. While Apple has not confirmed the breach, reports from tech news outlets detailed claims made on BreachForums suggesting a June 2024 data breach on Apple.com facilitated by IntelBroker. The threat actor's activities highlight the ongoing challenges in cybersecurity, highlighting vulnerabilities across diverse sectors and institutions globally. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

image for Advance Auto Parts C ...

 Cybersecurity News

Advance Auto Parts, Inc., one of the big suppliers of automobile aftermarket components in America, has reported a data breach to the US Securities and Exchange Commission (SEC).  Advance Auto Parts data breach was first reported by The Cyber Express on June 6, 2024. In its report to the SEC, the company said that a   show more ...

data breach from its third-party cloud storage had resulted in unauthorized access to consumer and policyholder information. In a June 14 filing to the SEC, the company said, “On May 23, 2024, Advance Auto Parts, Inc. identified unauthorized activity within a third-party cloud database environment containing Company data and launched an investigation with industry-leading experts. On June 4, 2024, a criminal threat actor offered what it alleged to be Company data for sale. The Company has notified law enforcement.” A threat actor going by the handle “Sp1d3r” had claimed to have stolen three terabytes of data from the company’s Snowflake cloud storage. The stolen information was allegedly being sold for US$1.5 million on dark web. [caption id="attachment_78143" align="alignnone" width="815"] (Source: X)[/caption] According to the threat actor, the stolen data included 380 million customer profiles, containing names, emails, mobile numbers, phone numbers, addresses; information on 358,000 employees, 44 million Loyalty/Gas card numbers, the company’s sales history, among other details. Details of Advance Auto Parts SEC Filing In its declaration to the SEC, auto parts seller said that “There has been no material interruption to the Company's business operations due to the incident. “Based on the review of files determined to have been impacted, the Company believes that some files contain personal information, including but not limited to social security numbers or other government identification numbers of current and former job applicants and employees of the Company,” the filing said. Advance Auto Parts said that the company would share information about the data breach and would offer free credit monitoring and identity restoration services to the impact parties. The company noted that though it was covered by insurance, the cyberattack could cost damages up to $3 million. “The Company has insurance for cyber incidents and currently expects its costs related to response and remediation to be generally limited to its retention under such policy. The Company currently plans to record an expense of approximately $3 million for the quarter ending July 13, 2024, for such costs,” it said to the SEC. Advance Auto Parts currently operates 4,777 stores and 320 Worldpac branches primarily within the United States, with added locations in Canada, Puerto Rico, and the U.S. Virgin Islands. The Advance Auto Parts data breach is part of a recent series of attacks targeting customers of the cloud storage company Snowflake. These attacks have been taking place since at least mid-April 2024. Snowflake acknowledged the issue in a statement, informing a limited number of customers who they believe may have been impacted by the attacks. Snowflake is a prominent U.S.-based cloud data storage and analytics company, with over 9,800 global customers.  Many of Snowlflakes’ clients had reportedly taken down their databases after the series of cyberattacks. Infact, a comprehensive report revealed that 165 customers were impacted by the Snowflake data breach. It was on July 26, 2023 that the US Securities and Exchange Commission directed companies to mandatorily declare material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance.

image for KrebsOnSecurity Thre ...

 A Little Sunshine

On March 8, 2024, KrebsOnSecurity published a deep dive on the consumer data broker Radaris, showing how the original owners are two men in Massachusetts who operated multiple Russian language dating services and affiliate programs, in addition to a dizzying array of people-search websites. The subjects of that piece   show more ...

are threatening to sue KrebsOnSecurity for defamation unless the story is retracted. Meanwhile, their attorney has admitted that the person Radaris named as the CEO from its inception is a fabricated identity. Radaris is just one cog in a sprawling network of people-search properties online that sell highly detailed background reports on U.S. consumers and businesses. Those reports typically include the subject’s current and previous addresses, partial Social Security numbers, any known licenses, email addresses and phone numbers, as well as the same information for any of their immediate relatives. Radaris has a less-than-stellar reputation when it comes to responding to consumers seeking to have their reports removed from its various people-search services. That poor reputation, combined with indications that the true founders of Radaris have gone to extraordinary lengths to conceal their stewardship of the company, was what prompted KrebsOnSecurity to investigate the origins of Radaris in the first place. On April 18, KrebsOnSecurity received a certified letter (PDF) from Valentin “Val” Gurvits, an attorney with the Boston Law Group, stating that KrebsOnSecurity would face a withering defamation lawsuit unless the Radaris story was immediately retracted and an apology issued to the two brothers named in the story as co-founders. That March story worked backwards from the email address used to register radaris.com, and charted an impressive array of data broker companies created over the past 15 years by Massachusetts residents Dmitry and Igor Lubarsky (also sometimes spelled Lybarsky or Lubarski). Dmitry goes by “Dan,” and Igor uses the name “Gary.” Those businesses included numerous websites marketed to Russian-speaking people who are new to the United States, such as russianamerica.com, newyork.ru, russiancleveland.com, russianla.com, russianmiami.com, etc. Other domains connected to the Lubarskys included Russian-language dating and adult websites, as well as affiliate programs for their international calling card businesses. A mind map of various entities apparently tied to Radaris and the company’s co-founders. Click to enlarge. The story on Radaris noted that the Lubarsky brothers registered most of their businesses using a made-up name — “Gary Norden,” sometimes called Gary Nord or Gary Nard. Mr. Gurvits’ letter stated emphatically that my reporting was lazy, mean-spirited, and obviously intended to smear the reputation of his clients. By way of example, Mr. Gurvits said the Lubarskys were actually Ukrainian, and that the story painted his clients in a negative light by insinuating that they were somehow associated with Radaris and with vaguely nefarious elements in Russia. But more to the point, Mr. Gurvits said, neither of his clients were Gary Norden, and neither had ever held any leadership positions at Radaris, nor were they financial beneficiaries of the company in any way. “Neither of my clients is a founder of Radaris, and neither of my clients is the CEOs of Radaris,” Gurvits wrote. “Additionally, presently and going back at least the past 10 years, neither of my clients are (or were) officers or employees of Radaris. Indeed, neither of them even owns (or ever owned) any equity in Radaris. In intentional disregard of these facts, the Article implies that my clients are personally responsible for Radaris’ actions. Therefore, you intentionally caused all negative allegations in the Article made with respect to Radaris to be imputed against my clients personally.” Dan Lubarsky’s Facebook page, just prior to the March 8 story about Radaris, said he was from Moscow. We took Mr. Gurvits’ word on the ethnicity of his clients, and adjusted the story to remove a single mention that they were Russian. We did so even though Dan Lubarsky’s own Facebook page said (until recently) that he was from Moscow, Russia. KrebsOnSecurity asked Mr. Gurvits to explain precisely which other details in the story were incorrect, and replied that we would be happy to update the story with a correction if they could demonstrate any errors of fact or omission. We also requested specifics about several aspects of the story, such as the identity of the current Radaris CEO — listed on the Radaris website as “Victor K.” Mr. Gurvits replied that Radaris is and always has been based in Ukraine, and that the company’s true founder “Eugene L” is based there. While Radaris has claimed to have offices in Massachusetts, Cyprus and Latvia, its website has never mentioned Ukraine. Mr. Gurvits has not responded to requests for more information about the identities of “Eugene L” or “Victor K.” Gurvits said he had no intention of doing anyone’s reporting for them, and that the Lubarskys were going to sue KrebsOnSecurity for defamation unless the story was retracted in full. KrebsOnSecurity replied that journalists often face challenges to things that they report, but it is more than rare for one who makes a challenge to take umbrage at being asked for supporting information. On June 13, Mr. Gurvits sent another letter (PDF) that continued to claim KrebsOnSecurity was defaming his clients, only this time Gurvits said his clients would be satisfied if KrebsOnSecurity just removed their names from the story. “Ultimately, my clients don’t care what you say about any of the websites or corporate entities in your Article, as long as you completely remove my clients’ names from the Article and cooperate with my clients to have copies of the Article where my clients’ names appear removed from the Internet,” Mr. Gurvits wrote. MEET THE FAKE RADARIS CEO The June 13 letter explained that the name Gary Norden was a pseudonym invented by the Radaris marketing division, but that neither of the Lubarsky brothers were Norden. This was a startling admission, given that Radaris has quoted the fictitious Gary Norden in press releases published and paid for by Radaris, and in news media stories where the company is explicitly seeking money from investors. In other words, Radaris has been misrepresenting itself to investors from the beginning. Here’s a press release from Radaris that was published on PR Newswire in April 2011: A press release published by Radaris in 2011 names the CEO of Radaris as Gary Norden, which was a fake name made up by Radaris’ marketing department. In April 2014, the Boston Business Journal published a story (PDF) about Radaris that extolled the company’s rapid growth and considerable customer base. The story noted that, “to date, the company has raised less than $1 million from Cyprus-based investment company Difive.” “We live in a world where information becomes much more broad and much more available every single day,” the Boston Business Journal quoted Radaris’ fake CEO Gary Norden, who by then had somehow been demoted from CEO to vice president of business development. A Boston Business Journal story from April 2014 quotes the fictitious Radaris CEO Gary Norden. “We decided there needs to be a service that allows for ease of monitoring of information about people,” the fake CEO said. The story went on to say Radaris was seeking to raise between $5 million and $7 million from investors in the ensuing months. THE BIG LUBARSKY In his most recent demand letter, Mr. Gurvits helpfully included resumes for both of the Lubarsky brothers. Gary/Dmitry Lubarsky’s resume states he is the owner of Difive.com, a startup incubator for IT companies. Recall that Difive is the same company mentioned by the fake Radaris CEO in the 2014 Boston Business Journal story, which said Difive was the company’s initial and sole investor. Difive’s website in 2016 said it had offices in Boston, New York, San Francisco, Riga (Latvia) and Moscow (nothing in Ukraine). Meanwhile, DomainTools.com reports difive.com was originally registered in 2007 to the fictitious Gary Norden from Massachusetts. Archived copies of the Difive website from 2017 include a “Portfolio” page indexing all of the companies in which Difive has invested. That list, available here, includes virtually every “Gary Norden” domain name mentioned in my original report, plus a few that escaped notice earlier. Dan Lubarsky’s resume says he was CEO of a people search company called HumanBook. The Wayback machine at archive.org shows the Humanbook domain (humanbook.com) came online around April 2008, when the company was still in “beta” mode. By August 2008, however, humanbook.com had changed the name advertised on its homepage to Radaris Beta. Eventually, Humanbook simply redirected to radaris.com. Archive.org’s record of humanbook.com from 2008, just after its homepage changed to Radaris Beta. Astute readers may notice that the domain radaris.com is not among the companies listed as Difive investments. However, passive domain name system (DNS) records from DomainTools show that between October 2023 and March 2024 radaris.com was hosted alongside all of the other Gary Norden domains at the Internet address range 38.111.228.x. That address range simultaneously hosted every domain mentioned in this story and in the original March 2024 report as connected to email addresses used by Gary Norden, including radaris.com, radaris.ru, radaris.de, difive.com, privet.ru, blog.ru, comfi.com, phoneowner.com, russianamerica.com, eprofit.com, rehold.com, homeflock.com, humanbook.com and dozens more. A spreadsheet of those historical DNS entries for radaris.com is available here (.csv). Image: DomainTools.com The breach tracking service Constella Intelligence finds just two email addresses ending in difive.com have been exposed in data breaches over the years: dan@difive.com, and gn@difive.com. Presumably, “gn” stands for Gary Norden. A search on the email address gn@difive.com via the breach tracking service osint.industries reveals this address was used to create an account at Airbnb under the name Gary, with the last four digits of the account’s phone number ending in “0001.” Constella Intelligence finds gn@difive.com was associated with the Massachusetts number 617-794-0001, which was used to register accounts for “Igor Lybarsky” from Wellesley or Sherborn, Ma. at multiple online businesses, including audiusa.com and the designer eyewear store luxottica.com. The phone number 617-794-0001 also appears for a “Gary Nard” user at russianamerica.com. Igor Lubarsky’s resume says he was the manager of russianamerica.com. DomainTools finds 617-794-0001 is connected to registration records for three domains, including paytone.com, a domain that Dan Lubarsky’s resume says he managed. DomainTools also found that number on the registration records for trustoria.com, another major consumer data broker that has an atrocious reputation, according to the Better Business Bureau. Dan Lubarsky’s resume says he was responsible for several international telecommunications services, including the website comfi.com. DomainTools says the phone number connected to that domain — 617-952-4234 — was also used on the registration records for humanbook.net/biz/info/mobi/us, as well as for radaris.me, radaris.in, and radaris.tel. Two other key domains are connected to that phone number. The first is barsky.com, which is the website for Barsky Estate Realty Trust (PDF), a real estate holding company controlled by the Lubarskys. Naturally, DomainTools finds barsky.com also was registered to a Gary Norden from Massachusetts. But the organization listed in the barsky.com registration records is Comfi Inc., a VOIP communications firm that Igor Lubarsky’s resume says he managed. The other domain of note is unipointtechnologies.com. Dan Lubarsky’s resume says he was the CEO of Wellesley Hills, Mass-based Unipoint Technology Inc. In 2012, Unipoint was fined $179,000 by the U.S. Federal Communications Commission, which said the company had failed to apply for a license to provide international telecommunications services. PATENTLY REMARKABLE The 2011 Radaris press release quoting their fake CEO Gary Norden said the company had four patents pending from a team of computer science PhDs. According to the resume shared by Mr. Gurvits, Dan Lubarsky has a PhD in computer science. The U.S. Patent and Trademark Office (PTO) says Dan Lubarsky/Lubarski has at least nine technology patents to his name. The fake CEO press release from Radaris mentioning its four patents was published in April 2011. By that time, the PTO says Dan Lubarsky had applied for exactly four patents, including, “System and Method for a Web-Based People Directory.” The first of those patents, published in 2009, is tied to Humanbook.com, the company Dan Lubarsky founded that later changed its name to Radaris. If the Lubarskys were never involved in Radaris, how do they or their attorney know the inside information that Gary Norden is a fiction of Radaris’ marketing department? KrebsOnSecurity has learned that Mr. Gurvits is the same attorney responding on behalf of Radaris in a lawsuit against the data broker filed earlier this year by Atlas Data Privacy. Mr. Gurvits also stepped forward as Radaris’ attorney in a class action lawsuit the company lost in 2017 because it never contested the claim in court. When the plaintiffs told the judge they couldn’t collect on the $7.5 million default judgment, the judge ordered the domain registry Verisign to transfer the radaris.com domain name to the plaintiffs. Mr. Gurvits appealed the verdict, arguing that the lawsuit hadn’t named the actual owners of the Radaris domain name — a Cyprus company called Bitseller Expert Limited — and thus taking the domain away would be a violation of their due process rights. The judge ruled in Radaris’ favor — halting the domain transfer — and told the plaintiffs they could refile their complaint. Soon after, the operator of Radaris changed from Bitseller to Andtop Company, an entity formed (PDF) in the Marshall Islands in Oct. 2020. Andtop also operates the aforementioned people-search service Trustoria. Mr. Gurvits’ most-publicized defamation case was a client named Aleksej Gubarev, a Russian technology executive whose name appeared in the Steele Dossier. That document included a collection of salacious, unverified information gathered by the former British intelligence officer Christopher Steele during the 2016 U.S. presidential campaign at the direction of former president Donald Trump’s political rivals. Gubarev, the head of the IT services company XBT Holding and the Florida web hosting firm Webzilla, sued BuzzFeed for publishing the Steele dossier. One of the items in the dossier alleged that XBT/Webzilla and affiliated companies played a key role in the hack of Democratic Party computers in the spring of 2016. The memo alleged Gubarev had been coerced into providing services to Russia’s main domestic security agency, known as the FSB. In December 2018, a federal judge in Miami ruled in favor of BuzzFeed, saying the publication was protected by the fair report privilege, which gives news organizations latitude in reporting on official government proceedings. Radaris was originally operated by Bitseller Expert Limited. Who owns Bitseller Expert Limited? A report (PDF) obtained from the Cyprus business registry shows this company lists its director as Pavel Kaydash from Moscow. Mr. Kaydash could not be reached for comment.

 Feed

Ubuntu Security Notice 6842-1 - It was discovered that gdb incorrectly handled certain memory operations when parsing an ELF file. An attacker could possibly use this issue to cause a denial of service. This issue is the result of an incomplete fix for CVE-2020-16599. This issue only affected Ubuntu 22.04 LTS. It was   show more ...

discovered that gdb incorrectly handled memory leading to a heap based buffer overflow. An attacker could use this issue to cause a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 22.04 LTS.

 Feed

Debian Linux Security Advisory 5716-1 - Security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

 Feed

Ubuntu Security Notice 6841-1 - It was discovered that PHP could early return in the filter_var function resulting in invalid user information being treated as valid user information. An attacker could possibly use this issue to expose raw user input information.

 Feed

Red Hat Security Advisory 2024-4015-03 - An update for thunderbird is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions. Issues addressed include bypass and use-after-free vulnerabilities.

 Feed

Red Hat Security Advisory 2024-4014-03 - An update for ghostscript is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions. Issues addressed include a code execution vulnerability.

 Feed

Red Hat Security Advisory 2024-4004-03 - An update for thunderbird is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include bypass and use-after-free vulnerabilities.

 Feed

Red Hat Security Advisory 2024-4003-03 - An update for thunderbird is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.4 Telecommunications Update Service. Issues addressed include bypass and use-after-free vulnerabilities.

 Feed

Red Hat Security Advisory 2024-4001-03 - An update for thunderbird is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support. Issues addressed include bypass and use-after-free vulnerabilities.

 Feed

CVE-2024-27815 is a buffer overflow in the XNU kernel that was reported in sbconcat_mbufs. It was publicly fixed in xnu-10063.121.3, released with macOS 14.5, iOS 17.5, and visionOS 1.2. This bug was introduced in xnu-10002.1.13 (macOS 14.0/ iOS 17.0) and was fixed in xnu-10063.121.3 (macOS 14.5/ iOS 17.5). The bug affects kernels compiled with CONFIG_MBUF_MCACHE.

 Feed

Cybersecurity researchers have uncovered a new evasive malware loader named SquidLoader that spreads via phishing campaigns targeting Chinese organizations. AT&T LevelBlue Labs, which first observed the malware in late April 2024, said it incorporates features that are designed to thwart static and dynamic analysis and ultimately evade detection. Attack chains leverage phishing emails that

 Feed

A new Rust-based information stealer malware called Fickle Stealer has been observed being delivered via multiple attack chains with the goal of harvesting sensitive information from compromised hosts. Fortinet FortiGuard Labs said it's aware of four different distribution methods -- namely VBA dropper, VBA downloader, link downloader, and executable downloader -- with some of them using a

 Feed

Highlights Complex Tool Landscape: Explore the wide array of cybersecurity tools used by MSPs, highlighting the common challenge of managing multiple systems that may overlap in functionality but lack integration.Top Cybersecurity Challenges: Discuss the main challenges MSPs face, including integration issues, limited visibility across systems, and the high cost and complexity of maintaining

 Feed

Cyber espionage groups associated with China have been linked to a long-running campaign that has infiltrated several telecom operators located in a single Asian country at least since 2021. "The attackers placed backdoors on the networks of targeted companies and also attempted to steal credentials," the Symantec Threat Hunter Team, part of Broadcom, said in a report shared with The Hacker News

 Feed

Cybersecurity researchers have disclosed details of a now-patched security flaw in Phoenix SecureCore UEFI firmware that affects multiple families of Intel Core desktop and mobile processors. Tracked as CVE-2024-0762 (CVSS score: 7.5), the "UEFIcanhazbufferoverflow" vulnerability has been described as a case of a buffer overflow stemming from the use of an unsafe variable in the Trusted Platform

 Feed

State-sponsored actors with ties to Russia have been linked to targeted cyber attacks aimed at French diplomatic entities, the country's information security agency ANSSI said in an advisory. The attacks have been attributed to a cluster tracked by Microsoft under the name Midnight Blizzard (formerly Nobelium), which overlaps with activity tracked as APT29, BlueBravo, Cloaked Ursa, Cozy Bear,

 Apple

There's a wee data breach with unhealthy implications in Scotland, privacy has gone off the rails in the UK, and a cheater blames Apple for his expensive divorce. All this and much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole   show more ...

Theriault, joined this week by Lianne Potter of the "Compromising Positions" podcast. Plus don't miss our featured interview with Abhishek Agrawal, CEO of Material Security.

 Data loss

Newly-released research indicates that ransomware attacks reached a record high in May, with the surge primarily fueled by a massive increase in the number of attacks perpetrated by the LockBit ransomware group and its affiliates. Read more in my article on the Exponential-e blog.

 Guest blog

Qilin (also known as Agenda) is a ransomware-as-a-service criminal operation that works with affiliates, encrypting and exfiltrating the data of hacked organisations and then demanding a ransom be paid. Read more in my article on the Tripwire State of Security blog.

2024-06
Aggregator history
Thursday, June 20
SAT
SUN
MON
TUE
WED
THU
FRI
JuneJulyAugust