Oktacron logo
Cyber security aggregate rss news

Cyber security aggregator - feeds history
image for Biden Bans Kaspersky ...

 Cybersecurity News

The Department of Commerce's Bureau of Industry and Security (BIS) has announced a Final Determination prohibiting Kaspersky Lab, Inc., the U.S. subsidiary of the Russian cybersecurity firm, from providing any products or services in the United States. This historic decision of the US banning Kaspersky marks the   show more ...

first Final Determination by the Office of Information and Communications Technology and Services (OICTS). The BIS has set a deadline of September 29, 2024, giving U.S. consumers and businesses time to switch to alternative cybersecurity solutions. Kaspersky will no longer be able to sell its software within the United States or provide updates to software already in use. The prohibition also applies to Kaspersky Lab, Inc.’s affiliates, subsidiaries, and parent companies (together with Kaspersky Lab, Inc., “Kaspersky” The US banning Kaspersky incident highlights rising concerns over national security risks linked to foreign technology companies, especially those from adversarial states. Further, it reflects years of scrutiny and represents a significant escalation in U.S. efforts to safeguard its cyber infrastructure. “This action is the first of its kind and is the first Final Determination issued by BIS’s Office of Information and Communications Technology and Services (OICTS), whose mission is to investigate whether certain information and communications technology or services transactions in the United States pose an undue or unacceptable national security risk,” reads the official BIS announcement. Additionally, BIS has added three entities—AO Kaspersky Lab and OOO Kaspersky Group (Russia), and Kaspersky Labs Limited (United Kingdom)—to the Entity List for their cooperation with Russian military and intelligence authorities in support of the Russian Government’s cyber intelligence objectives. This article delves into the timeline and context of U.S. actions against Kaspersky, highlighting the shift from the Trump administration to the Biden administration. US vs Kaspersky: A Timeline of Cybersecurity Actions 2017 September- The Trump Administration’s heightened scrutiny of Kaspersky began. The Department of Homeland Security (DHS) issued a Binding Operational Directive (BOD 17-01) that mandated removing and discontinuing Kaspersky products from all federal information systems. This directive followed mounting evidence suggesting that the Russian government could use Kaspersky’s products to infiltrate U.S. networks. December- The National Defense Authorization Act (NDAA) for Fiscal Year 2018 cemented these concerns into law by prohibiting the use of Kaspersky software across all federal agencies. This legislative action reflected a bipartisan consensus on the potential risks posed by the Russian firm. 2022 March- The Federal Communications Commission (FCC) added Kaspersky to its “List of Communications Equipment and Services that Pose a Threat to National Security.” This action was part of a broader effort to secure the nation’s communications networks from foreign influence and control. 2024 June - Today’s Final Determination by the BIS represents the culmination of a thorough investigation by the Office of Information and Communications Technology and Services (OICTS). This office, established to assess whether certain information and communications technology (ICT) transactions pose unacceptable national security risks, has found Kaspersky’s operations in the U.S. untenable. US Banning Kaspersky: The Context and Implications of BIS’s Final Determination The BIS’s decision comes after a comprehensive investigation revealed that Kaspersky’s operations in the United States posed an undue or unacceptable national security risk. The key concerns highlighted include: Jurisdiction and Control by the Russian Government: Kaspersky is subject to Russian laws requiring cooperation with intelligence agencies. This legal framework gives the Russian government potential access to data managed by Kaspersky’s software. Therefore, Kaspersky is subject to Russian laws, requiring it to comply with requests for information that could compromise U.S. national security. Access to Sensitive Information: Kaspersky’s software has extensive administrative privileges over customer systems, creating opportunities for data exploitation. Potential for Malicious Activities: Kaspersky could theoretically introduce malware or withhold crucial security updates, compromising U.S. cybersecurity. Third-Party Integrations: Integrating Kaspersky products into third-party services further complicates the risk, as the source code might be obscured, increasing vulnerability in critical U.S. systems. Transition Period and Recommendations While users won’t face legal penalties for continued use of Kaspersky products during this period, they assume all associated cybersecurity risks. This grace period is crucial for minimizing disruptions and ensuring a smooth transition to secure alternatives. The Department of Commerce, along with DHS and DOJ, is actively working to inform and assist users in transitioning to alternative cybersecurity solutions. “The actions taken today are vital to our national security and will better protect the personal information and privacy of many Americans. We will continue to work with the Department of Commerce, state and local officials, and critical infrastructure operators to protect our nation’s most vital systems and assets,” said Secretary of Homeland Security Alejandro N. Mayorkas. Historical Background: From Trump to Biden The determination against Kaspersky is part of a broader U.S. strategy to safeguard its information and communications technology infrastructure. The roots of this policy can be traced back to Executive Order 13873, “Securing the Information and Communications Technology and Services Supply Chain,” which empowers the Commerce Department to evaluate and act against risks posed by foreign ICTS transactions. The scrutiny of Kaspersky began during the Trump administration, amid growing concerns about Russia's cyber capabilities and potential espionage activities. The Trump-era directives and legislative actions laid the groundwork for stricter controls, reflecting a bipartisan consensus on the threat posed by foreign cyber interference. Under the Biden administration, the approach has evolved into a more comprehensive and coordinated effort. The establishment of the OICTS within BIS and the issuance of the Final Determination represents a significant escalation in the U.S. government's efforts to protect its digital infrastructure. The Biden administration's emphasis on a “whole-of-government” strategy underscores the critical importance of cybersecurity in national defense. The U.S. government has taken a coordinated approach to implementing this determination. Commerce Secretary Gina Raimondo emphasized the commitment to national security and innovation, stating that this action is a clear message to adversaries. “Russia has shown time and again they have the capability and intent to exploit Russian companies, like Kaspersky Lab, to collect and weaponize sensitive U.S. information, and we will continue to use every tool at our disposal to safeguard U.S. national security and the American people. Today’s action, our first use of the Commerce Department’s ICTS authorities, demonstrates Commerce’s role in support of our national defense and shows our adversaries we will not hesitate to act when they use their technology poses a risk to the United States and its citizens,” said Raimondo. The Future of U.S. Cybersecurity Policy The inclusion of Kaspersky and related entities on the Entity List highlights the U.S. government’s proactive stance. This list, maintained under the Export Control Reform Act of 2018, identifies entities engaged in activities contrary to U.S. national security interests. Additions to this list involve rigorous interagency review, ensuring that actions are based on concrete, specific evidence of risk. “With today’s action, the American cyber ecosystem is safer and more secure than it was yesterday,” said Under Secretary for Industry and Security Alan Estevez. “We will not hesitate to protect U.S. individuals and businesses from Russia or other malign actors who seek to weaponize technology that is supposed to protect its users.” As the September deadline approaches, businesses and individuals alike must stay informed and take necessary steps to secure their digital environments. The U.S. government's decisive action against Kaspersky highlights the critical importance of vigilance and proactive measures in the ever-evolving landscape of cybersecurity.

image for Phoenix SecureCore U ...

 Firewall Daily

A newly discovered vulnerability, CVE-2024-0762, dubbed "UEFIcanhazbufferoverflow," has recently come to light in the Phoenix SecureCore UEFI firmware, impacting various Intel Core desktop and mobile processors. The UEFIcanhazbufferoverflow vulnerability, disclosed by cybersecurity researchers, exposes a   show more ...

critical buffer overflow issue within the Trusted Platform Module (TPM) configuration, potentially allowing malicious actors to execute unauthorized code. Eclypsium, a firm specializing in supply chain security, identified the vulnerability through its automated binary analysis system, Eclypsium Automata. They reported that the flaw could be exploited locally to escalate privileges and gain control over the UEFI firmware during runtime. This exploitation bypasses higher-level security measures, making it particularly concerning for affected devices. Decoding the UEFIcanhazbufferoverflow Vulnerability and its Impact The affected Phoenix SecureCore UEFI firmware is utilized across multiple generations of Intel Core processors, including AlderLake, CoffeeLake, CometLake, IceLake, JasperLake, KabyLake, MeteorLake, RaptorLake, RocketLake, and TigerLake. Given the widespread adoption of these processors by various OEMs, the UEFIcanhazbufferoverflow vulnerability has the potential to impact a broad array of PC products in the market. According to Eclypsium researchers, the vulnerability arises due to an insecure variable handling within the TPM configuration, specifically related to the TCG2_CONFIGURATION variable. This oversight could lead to a scenario where a buffer overflow occurs, facilitating the execution of arbitrary code by an attacker. Phoenix Technologies, in response to the disclosure, promptly assigned CVE-2024-0762 to the UEFIcanhazbufferoverflow vulnerability and released patches on May 14, 2024, to mitigate the issue. The severity of the vulnerability is reflected in its CVSS score of 7.5, indicating a high-risk threat. The Importance of UEFI Architecture Security  In practical terms, the exploitation of UEFI firmware vulnerabilities like "UEFIcanhazbufferoverflow" highlights the critical role of firmware in device security. The UEFI architecture serves as the foundational software that initializes hardware and manages system runtime operations, making it a prime target for attackers seeking persistent access and control. This incident also highlights the challenges associated with supply chain security, where vulnerabilities in upstream components can have cascading effects across multiple vendors and products. As such, organizations are advised to leverage comprehensive scanning tools to identify affected devices and promptly apply vendor-supplied firmware updates. For enterprises relying on devices with potentially impacted firmware, proactive measures include deploying solutions to continuously monitor and assess device integrity. This approach helps mitigate risks associated with older devices and ensures ongoing protection against active exploitation of firmware-based vulnerabilities.

image for Ticketmaster Data Br ...

 Firewall Daily

The Ticketmaster data breach update is distressing as the threat actors have now released records of 1 million customers for free. The Ticketmaster data leak, earlier confirmed by Live Nation, Ticketmaster's parent company, involves unauthorized access and potential leak of sensitive customer information.   show more ...

According to the threat actor responsible for the breach, the stolen data in this incident includes a vast trove of data belonging to 680 million Ticketmaster customers. Initially demanding $100,000 for the stolen data, the threat actors have since escalated their tactics by publicly releasing records on a popular dark web forum.  The Fallout of Ticketmaster Data Breach This move appears to be an attempt to pressure Ticketmaster into meeting their demands, underlining the severity of the breach and its potential repercussions. [caption id="attachment_78485" align="alignnone" width="1415"] Source: Dark Web[/caption] In its post, the threat actor claims that Ticketmaster is not responding to the request to buy data from the hacker collective. In response, the hackers assert that the organization does not care “for the privacy of 680 million customers, so give you the first 1 million users free.” The compromised data includes a wide array of personal details: names, addresses, IP addresses, emails, dates of birth, credit card types, last four digits of credit cards, and expiration dates. This extensive breach of sensitive information raises serious concerns about the privacy and security of Ticketmaster's user base. The Ticketmaster data breach, which reportedly occurred on May 20, involved a database hosted on Snowflake, a third-party cloud storage provider utilized by Ticketmaster. Live Nation has acknowledged unauthorized activity within this cloud environment but has not provided specific details regarding the breach's origins or the complete extent of data exfiltrated. Live Nation Confirms the Ticketmaster Data Leak Incident Live Nation confirmed the Ticketmaster data leak in a regulatory filing, stating the incident occurred on May 20. They reported that a cybercriminal had offered what appeared to be company user data for sale on the dark web. The affected personal information is believed to be related to customers. “As of the date of this filing, the incident has not had, and we do not believe it is reasonably likely to have, a material impact on our overall business operations or on our financial condition or results of operations. We continue to evaluate the risks and our remediation efforts are ongoing”, reads the official filing.  Ticketmaster and Live Nation are expected to collaborate closely with cybersecurity experts and regulatory authorities to investigate the incident thoroughly. They will likely focus on enhancing security measures to prevent future breaches and mitigate the impact on affected customers. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

image for Enhancing Security M ...

 Firewall Daily

In the latest update of "Secure by Design”, the Cybersecurity and Infrastructure Security Agency (CISA) highlighted the critical importance of integrating security practices into basic services for software manufacturers. The paper highlights a notable concern: the imposition of an "SSO tax" where   show more ...

essential security features like Single Sign-On (SSO) are bundled as premium services, potentially hindering their adoption among Small and Medium-sized Businesses (SMBs). Implementing Single Sign-On (SSO) into Small and Medium-sized Businesses (SMBs) SSO simplifies access management by allowing users to authenticate once and gain access to multiple applications—a crucial feature for enhancing security postures across organizations. However, its adoption faces significant hurdles, primarily due to cost implications and perceived operational complexities. One of the primary challenges identified by CISA is pricing SSO capabilities as add-ons rather than including them in the base service. This "SSO tax" not only inflates costs but also creates a barrier for SMBs looking to bolster their security frameworks without incurring substantial expenses. By advocating for SSO to be a fundamental component of software packages, CISA aims to democratize access to essential security measures, positioning them as a customer right rather than a premium feature. Beyond financial considerations, the adoption of SSO is also influenced by varying perceptions among SMBs. While some view it as a critical enhancement to their security infrastructure, others question its cost-effectiveness and operational benefits. Addressing these concerns requires clearer communication on how SSO can streamline operations and improve overall security posture, thereby aligning perceived expenses with tangible returns on investment. Improving User Experience and Support Technical proficiency poses another hurdle. Despite vendors providing training materials, SMBs often face challenges in effectively deploying and maintaining SSO solutions. The complexity involved in integrating SSO into existing systems and the adequacy of support resources provided by vendors are critical factors influencing adoption rates. Streamlining deployment processes and enhancing support mechanisms can mitigate these challenges, making SSO more accessible and manageable for SMBs with limited technical resources. Moreover, the user experience with SSO implementation plays a pivotal role. Feedback from SMBs indicates discrepancies in the accuracy and comprehensiveness of support materials, necessitating multiple interactions with customer support—a time-consuming process for resource-constrained businesses. Simplifying user interfaces, refining support documentation, and offering responsive customer service are essential to improving the adoption experience and reducing operational friction. In light of these updates, there is a clear call to action for software manufacturers. Aligning with the principles of Secure by Design, manufacturers should integrate SSO into their core service offerings, thereby enhancing accessibility and affordability for SMBs. By addressing economic barriers, improving user interfaces, and providing robust technical support, manufacturers can foster a more conducive environment for SSO adoption among SMBs.

image for UK’s Sellafield Nu ...

 Cybersecurity News

The UK's Sellafield nuclear waste site has pleaded guilty to criminal charges related to various cybersecurity failings in the period spanning 2019-2023. Sellafield admitted it had failed "to ensure adequate protection of sensitive nuclear information on its information technology network." The Sellafield   show more ...

nuclear site has the word's largest store of plutonium and has been used to dispose of waste generated from decades of weapons programs and atomic power generation. Concerns over the nuclear site's cyber defenses have existed for well over a decade. Sellafield Nuclear Waste Site's Cybersecurity Failings Concerns over the site's security implementations grew after a 2012 report warned of "critical security vulnerabilities" requiring urgent attention. Due to the extreme sensitivity of the issues, problems were referred to with the codename "Voldemort." While Sellafield stated there has never been a successful cyberattack, revelations of IT failures last year raised alarms. In an investigative report last year, the Guardian uncovered that the site had been attacked by threat actors affiliated with the Russian and Chinese governments. The report found out that the site's authorities were not aware of when Sellafield's systems began to be compromised, but breaches may have gone as far back as the year 2015. In 2015, security experts had realized that Sellafield's computer systems had been compromised by sleeper malware. Sellafield had been earlier forced into “special measures” for regular cybersecurity failings by the UK's Office for Nuclear Regulation (ONR) and security services. The status of the compromised systems are unknown, but may have possibly led to the theft of sensitive information regarding moving of radioactive waste, monitoring for leaks of dangerous material, and fire checks. Sellafield stated that current protections on critical systems are robust, with isolated networks preventing external IT breaches from penetrating operational controls. An ONR spokesperson stated to the Guardian: “We acknowledge that Sellafield Limited has pleaded guilty to all charges," but emphasized that there was no evidence the vulnerabilities led to compromise. A Sellafield spokesman stated in the report, “We have pleaded guilty to all charges and cooperated fully with ONR throughout this process. The charges relate to historic offences and there is no suggestion that public safety was compromised." Concerns of GMB Trade Union With attention now focused on improving cyber resilience, officials are working to prevent sensitive materials or dangerous nuclear operations from potential disruption by hackers. Earlier the GMB trade union, which represents tens of thousands of workers across the energy industry, also expressed concerns over the security of Sellafield, with its national secretary Andy Prendergast noting a “lack of training and competence among staff, inadequate safety procedures and a culture of fear and intimidation.” Prendergast added, “GMB has repeatedly raised concerns over safety and staffing levels, which are mainly due to turnover and the age and demographic of the workforce.” Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

image for 2022 Optus Data Brea ...

 Data Breach News

One of Australia’s largest telecommunications companies Optus could have averted the massive 2022 data breach that leaked nearly 9.5 million individuals’ sensitive personal information, the Australian telecom watchdog said. The Australian Communications and Media Authority in a filing with the Federal Court said,   show more ...

“[Optus] cyberattack was not highly sophisticated or one that required advanced skills.” Its investigation attributed the 2022 Optus data breach to an access control coding error that left an API open to abuse. The investigation details of ACMA comes weeks after the telecom watchdog took legal action against Optus, in the same court, for allegedly failing to protect customer data adequately. Coding Error and API Mismanagement Led to Optus Data Breach The ACMA claimed that Optus had access controls in place for the API but a coding error inadvertently weakened these controls allowing them to be bypassed. This error left the API vulnerable, especially since it was internet-facing and dormant for an extended period. The vulnerability was reportedly introduced through a coding error in September 2018 and was first noticed in August 2021. But this issue was only fixed for the main site – www.optus.com.au – and not the subdomain (likely api.www.optus.com.au) where the vulnerable API endpoint was hosted. “The coding error was not identified by Optus until after the cyberattack had occurred in mid-September 2022. Optus had the opportunity to identify the coding error at several stages in the preceding four years including: when the coding change was released into a production environment in September 2018; when the Target Domain (and the Main Domain) became internet-facing through the production environment in June 2020; and when the coding error was detected for the main domain in August 2021.” – ACMA But the company failed to do so causing alleged harm to more than one-third (approximately 36%) of the Australian population. The telco watchdog alleged that Optus’ failure to protect customer data constitutes a breach of its obligations under Australian law. Optus’ Response to ACMA’s Allegations Optus, in a statement to The Cyber Express, confirmed the vulnerability and provided details on the cyberattack. “The cyberattack resulted from the cyber attacker being able to exploit a previously unknown vulnerability in our defenses that arose from a historical coding error,” said Interim CEO of Optus Michael Venter. “This vulnerability was exploited by a motivated and determined criminal as they probed our defenses, and then exploited and evaded these defenses by taking steps to bypass various authentication and detection controls that were in place to protect our customers’ data. The criminal did this by mimicking usual customer activity and rotating through tens of thousands of different IP addresses to evade detection.” – Michael Venter, Interim CEO of Optus Venter said following the 2022 Optus data breach, the company has reviewed and updated its systems and processes. It has invested in heightened cyber defenses to address the increased global cyber risk environment. The company expressed regret over the incident and emphasized its commitment to protecting customer data. “Our customers expected their information would remain safe. We accept that this did not happen, and the cyber attacker gained unauthorised access to some of their information,” Venter said. Optus suffered a major customer data breach in 2022 that gave malicious actors access to about 9.5 million former and current customers' sensitive information including names, birth dates, phone numbers, email addresses and, for a subset of customers (2,470,036), addresses and ID document numbers such as driver’s license or passport numbers. Of these, the hacker also released the personally identifiable information (PII) of 10,200 Optus customers on the dark web. Deloitte Report Handed to the Federal Court Post the hack, although the privacy commissioner and ACMC held detailed investigations, Optus itself commissioned an independent external review of the cyberattack. Despite attempts to keep the document confidential, the Australian federal court ordered Optus last month to file this report with the court, which is expected to provide crucial insights into the breach. “Optus is working with the ACMA and separately Slater and Gordon with the intention of providing them with a confidential version of the Deloitte Report that appropriately protects our customer data and systems from cybercriminals,” Venter told The Cyber Express. The forensic report prepared by Deloitte detailing the technical aspects of the breach was finally handed over to the federal court on Friday. The details revealed in this report will also be used in a separate class action against Optus. “Much to do to Fully Regain our Customers’ Trust” Optus has acknowledged the breach’s impact on customer trust, with Venter expressing deep regret for the incident. Optus has reimbursed 20,071 current and former customers for the cost of replacing identity documents. The company is also covering costs incurred by government agencies related to the breach. Optus has pledged to cooperate with the ACMA’s investigation and defend its actions in court, aiming to correct any misconceptions and improve its cybersecurity measures. “Optus recognizes that we still have much to do to fully regain our customers’ trust and we will continue to work tirelessly towards this goal,” – Michael Venter The Optus data breach highlights the critical importance of robust access controls and diligent monitoring of cybersecurity vulnerabilities. The incident serves as a cautionary tale for organizations worldwide to ensure comprehensive protection of sensitive data and maintain customer trust through proactive and transparent security practices. As the case progresses, it will provide further insights into the complexities of cybersecurity in the telecommunications sector and the measures necessary to prevent similar breaches in the future.

image for After Banning Sales ...

 Cybersecurity News

A day after the Biden administration announced a U.S. ban on the sale of Kaspersky Lab products, the U.S. Treasury Department on Friday sanctioned a dozen top executives and senior leaders at the Russian cybersecurity company. Kaspersky took issue with the Biden administration's moves and said, "The decision   show more ...

does not affect the company’s ability to sell and promote cyber threat intelligence offerings and/or trainings in the U.S." The company said the action will instead benefit cybercriminals by restricting international cooperation between cybersecurity experts. The decision to ban Kaspersky is "based on the present geopolitical climate and theoretical concerns," the company said in a scathing response to the Commerce Department's ban. The sanctions represent the latest in a series of punitive measures against the Russian antivirus company, underscoring growing concerns about cybersecurity and national security risks associated with the firm's operations. Details of the Kaspersky Sanctions The Treasury Department’s Office of Foreign Assets Control (OFAC) specifically targeted key individuals within Kaspersky Lab, including the chief operating officer, chief legal officer, chief of human resources, and chief business development and technology officers, among others. [caption id="attachment_78565" align="aligncenter" width="588"] Source: U.S. Department of the Treasury[/caption] The Treasury added all the above individuals to its Specially Designated Nationals list. SDN is a list maintained by OFAC that publicly identifies persons determined by the U.S. government to be involved in activities that threaten or undermine U.S. foreign policy or national security objectives. Notably, the sanctions did not extend to Kaspersky Lab itself, its parent or subsidiary companies nor to its CEO Eugene Kaspersky. The sanctions came just a day after the U.S. Commerce Department issued a final determination to ban Kaspersky Lab from operating in the United States. This ban is rooted in longstanding concerns over national security and the potential risks to critical infrastructure. The Commerce Department also added three Kaspersky divisions to its entity list due to their cooperation with the Russian government in cyber intelligence activities. The U.S. government has been wary of Kaspersky Lab's ties to the Russian government, fearing that its software could be used to facilitate cyber espionage. Bloomberg in 2017 first reported it had seen emails between chief executive Eugene Kaspersky and senior Kaspersky staff outlining a secret cybersecurity project apparently requested by the Russian intelligence service FSB. Kaspersky refuted these claims, calling the allegations "false"  and "inaccurate." However, these concerns have led to a broader push to restrict the company's operations within the U.S. and to mitigate any potential threats to national security. Kaspersky Lab’s Response Kaspersky Lab has consistently denied any allegations of being influenced or controlled by any government. The company has pledged to explore all legal options in response to the Commerce Department’s ban and the recent sanctions imposed by the Treasury. In a statement, Kaspersky Lab reiterated its commitment to transparency and maintaining the trust of its users worldwide, emphasizing it has never assisted any government in cyber espionage activities. "Kaspersky does not engage in activities which threaten U.S. national security and, in fact, has made significant contributions with its reporting and protection from a variety of threat actors that targeted U.S. interests and allies," it said. "Kaspersky provides industry-leading products and services to customers around the world to protect them from all types of cyber threats, and has repeatedly demonstrated its independence from any government." - Kaspersky Lab The antivirus company claimed it has also implemented significant transparency measures that demonstrate its commitment to integrity and trustworthiness. But "the Department of Commerce’s decision unfairly ignores the evidence," Kaspersky said. The company said it also proposed a system in which the security of Kaspersky products could have been independently verified by a trusted third party. "Kaspersky believes that the Department of Commerce made its decision based on the present geopolitical climate and theoretical concerns, rather than on a comprehensive evaluation of the integrity of Kaspersky’s products and services." However, Brian Nelson, Treasury’s Undersecretary for Terrorism and Financial Intelligence, stated, “Today’s action against the leadership of Kaspersky Lab underscores our commitment to ensure the integrity of our cyber domain and to protect our citizens against malicious cyber threats. The U.S. will take action where necessary to hold accountable those who would seek to facilitate or otherwise enable these activities.” Implications and Future Actions The sanctions against Kaspersky Lab’s leadership signal a broader strategy by the U.S. government to address cybersecurity threats posed by foreign entities. This approach is part of a larger effort to strengthen national security and protect critical infrastructure from potential cyberattacks. Legal and Business Repercussions Kaspersky Lab’s legal battles and its efforts to counteract these sanctions will be closely watched. The company's ability to operate in the international market could be significantly affected by these measures, impacting its business operations and customer trust. Global Cybersecurity Landscape This development also highlights the ongoing tensions in the global cybersecurity landscape, where national security concerns often intersect with business interests. The actions taken by the U.S. government may set a precedent for how other nations address similar concerns with foreign technology firms. The U.S. Treasury Department's decision to sanction senior leaders at Kaspersky Lab marks a pivotal moment in the ongoing scrutiny of the Russian cybersecurity firm. While Kaspersky Lab denies any wrongdoing and prepares to contest the sanctions legally, the actions taken by the U.S. government underscore a determined effort to mitigate potential cyber threats and protect national security. As the situation unfolds, it will have significant implications for both Kaspersky and the broader cybersecurity environment.

image for Jollibee Cyberattack ...

 Cybersecurity News

Jollibee, the Philippines’ largest fast-food chain, has allegedly been hit by a massive data breach. The Jollibee cyberattack came to light on June 20, 2024, when a threat actor claimed responsibility for breaching the systems of Jollibee Foods Corporation. The notorious attacker, operating under the alias   show more ...

“Sp1d3r“, claimed to have access to the sensitive data of 32 million customers of the fast food chain and offered to sell the database for $40,000. Details of Jollibee Cyberattack The data breach of the fast-food chain was posted by the threat actor on popular data hack site BreachForums. The threat actor stated that “Jollibee is a Filipino chain of fast-food restaurants owned by Jollibee Foods Corporation. As of September 2023, there were over 1,500 Jollibee outlets worldwide, with restaurants in Southeast Asia, East Asia, the Middle East, North America, and Europe.” [caption id="attachment_78479" align="alignnone" width="1950"] Source: X[/caption] The threat actor claimed to have carried out a cyberattack and had gained access to the data of 32 million Jollibee customers, including their names, addresses, phone numbers, email addresses and hashed passwords. The hacker also allegedly exfiltrated 600 million rows of data related to food delivery, sales orders, transactions and service details. To support these claims, the TA included a sample in tabular data format accessible through spreadsheet programs like Microsoft Excel and Google Sheets. While the exact details of the alleged data breach remains unclear, the potential impact on millions of customers is cause for concern. Jollibee Yet to React to Cyberattack Claims The motive behind the Jollibee cyberattack remains unknown. So far, Jollibee Foods Corporation has not reacted or issued any official statement regarding the alleged data breach. The Cyber Express has reached out to the corporation to verify the claims. This article will be updated once the company responds to the allegations and shares any preventive measures in place to prevent critical data from being misused. The Philippines National Privacy Commission (NPC) has yet to receive any notification from Jollibee Foods Corporation regarding the breach. The NPC regulations require organizations to inform affected individuals and report such incidents within 72 hours of discovery. Jollibee Cyberattack Threat Actor Responsible for Snowflake Breach While Jollibee investigates the claims made by “Sp1d3r”, the threat actor has been responsible for several recent breaches, which includes many customers of third-party cloud data storage vendor Snowflake. On June 1, “Sp1d3r” posted on the cybercriminal platform BreachForums that they had stolen the sensitive information of over 190 million people from QuoteWizard. The alleged database included customer details, partial credit card numbers, insurance quotes, and other information. The same threat actor was responsible for the data breach at American automobile aftermarket component supplier Advance Auto Parts, Inc. The attacker “Sp1d3r” claimed to have stolen three terabytes of customer data from the company’s Snowflake cloud storage and was selling the data for US$1.5 million. In its report, the company stated that the cyberattack could create damages up to $3 million. The Jollibee Cyberattack is a stark reminder of the vulnerabilities of the digital world, where even the largest and most established companies could become victims of notorious data hackers. Customers should stay vigilant and follow any further guidance provided by Jollibee and cybersecurity professionals. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

image for CDK Global Struck By ...

 Cybersecurity News

CDK Global has disclosed that it experienced an additional cyberattack in the course of its investigation into a cyberattack that occurred earlier in the same week. While limited details are known about the new incident, it may place additional strain on the firm's investigations and its efforts to return to usual   show more ...

operations. The second incident forced several auto dealerships in the U.S. and Canada to come to a near-standstill, with staff stating that the outage could last for days. CDK Global is a multinational corporation that provides software to auto dealerships, with at least 15,000 dealers relying on its offering. Incident Extends CDK Global Systems Outage After the initial attack, CDK Global shut down most of its systems on Wednesday, while working to investigate the incident and restore systems. "We are actively investigating a cyber incident.," the company said. "Out of an abundance of caution and concern for our customers, we have shut down most of our systems and are working diligently to get everything up and running as quickly as possible.” Later on the same day, the software firm managed to restore systems involved with its core DMS and Digital Retailing activities. In a statement to the Cyber Express, a spokesman from CDK Global said: “As we’ve communicated previously, we are currently investigating a cyber incident. Erring on the side of caution, we proactively shut all systems down and executed extensive testing and consulted with external third-party experts. With the work done so far, our core DMS and Digital Retailing solutions have been restored. We are continuing to conduct extensive tests on all other applications, and we will provide updates as we bring those applications back online. Our first priority is always the security of our customers, and our actions reflect our obligation to them as a trusted partner.” However, this restoration was short-lived, as the firm experienced a subsequent cyberattack on the same day: “Late in the evening of June 19, we experienced an additional cyber incident and proactively shut down most of our systems. In partnership with third party experts, we are assessing the impact and providing regular updates to our customers. We remain vigilant in our efforts to reinstate our services and get our dealers back to business as usual as quickly as possible.” According to CNN, sources appeared to confirm that the outage could last for several days in light of the second cyberattack. The CDK Global outage makes information related to sales deals, negotiations and customer appointments inaccessible by salespeople who work at affected dealerships. Incident Comes Ahead of Summer Sales Season The incident has caused concerns among dealers who anticipate business during the summer months. “This is where we need systems functioning,” stated Jeff Ramsey, an executive with Ourisman Auto Group which operates various dealerships. This had led to dealers switching to alternative methods to handle sales such as hand-written notes of buyer's orders. Brian Benstock, general manager of Paragon Honda and Paragon Acura, stated, “My selling team can hand-write a buyer’s order.” Companies such as Kia, Toyota and Stellantis and Ford have also been working on alternate ways to handle customer services due to the CDK outage. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

image for Cyberattack on Ascen ...

 Firewall Daily

A ransomware attack in May against Ascension, one of America's largest hospital chains, has severely disrupted operations and patient care at its more than 140 hospitals across at least 10 states. Doctors, nurses and other clinicians have reported weeks-long outages of key technology systems, medication errors,   show more ...

delays in lab results, and a lack of routine safeguards - lapses they say have put the health of patients at risk. The May 8 cyberattack locked Ascension out of electronic medical records systems, some phones, test and medication ordering platforms, and other tools essential for the coordination of patient care. While Ascension said its clinicians are "trained for these kinds of disruptions," many on the frontlines feel unprepared. Ascension Hospitals Cyberattack Places Strain on Staff "I had no training for this," said Marvin Ruckle, a neonatal ICU nurse at Ascension Via Christi St. Joseph in Wichita, Kansas, who nearly gave a baby the wrong dose of medication. Lisa Watson, a critical care nurse who works at the same hospital, says she almost administered the wrong drug to a critically ill patient because she couldn't scan it electronically. "My patient probably would have passed away," she said. Doctors and nurses across Ascension report relying on paper records, handwritten notes, faxes and basic spreadsheets to deliver care - many cobbled together in real time. An ER doctor in Detroit said a mix-up due to paperwork issues led a patient to receive the wrong narcotic and end up on a ventilator. In Baltimore, ICU nurse Melissa LaRue described narrowly avoiding giving an incorrect blood pressure medication dosage due to confusion from paperwork. Several clinicians said errors could threaten their licenses, but patient privacy laws prevented verifying their accounts. Ascension declined to address specific claims but said in a statement it is "confident that our care providers...continue to provide quality medical care." Ascension Hospitals' Staff Urge Changes While federal regulations require safeguarding patient data, hospitals currently face no cyberattack preparation or prevention mandates. Experts regard health care as the top target for ransomware attacks, which are rising exponentially. Proposed regulations are pending, but timelines and requirements remain unclear. Nurses and doctors urging reforms at Ascension say cyberattacks should be treated similarly to natural disasters, with contingency plans that account for outages lasting weeks or longer. Many also echoed a plea for more staff support to shoulder the additional workload. "We implore Ascension," one Michigan clinician wrote, "to recognize the internal problems that continue to plague its hospitals, both publicly and privately, and take earnest steps toward improving working conditions for all of its staff." While the Biden administration has pushed for stronger cybersecurity standards in health care, the new requirements are still in development. Meanwhile, hospital industry lobbyists argue mandates could divert resources from cybersecurity efforts. These incidents prove that patients may ultimately pay the price when hospitals fall victim to cybercrime, while staff experience additional burden affecting routine practice and judgement. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

image for From Espionage to Ra ...

 Firewall Daily

Among the diverse array of Android malware available on the dark web markets, Rafel RAT stands out as a particularly potent tool for malicious actors. Rafel RAT, an open-source remote administration tool, enables remote access and control over infected Android devices. Its capabilities include surveillance, data   show more ...

exfiltration, persistence mechanisms, and manipulation of device functionalities. The Relation Between APT-C-35 and Rafel RAT Recent research by Check Point has uncovered instances of APT-C-35, also known as DoNot Team, leveraging Rafel RAT in their espionage operations. This discovery highlights the tool's versatility and effectiveness across different threat actor profiles and operational objectives. The group has been observed using Rafel RAT to conduct extensive espionage campaigns and targeting high-profile organizations, including those in the military sector. Analysis reveals approximately 120 distinct malicious campaigns associated with Rafel RAT, some of which have successfully targeted prominent organizations globally. Victims primarily hail from the United States, China, and Indonesia, with Samsung, Xiaomi, Vivo, and Huawei being the most affected device brands. Notably, a portion of targeted devices runs on unsupported Android versions, exacerbating security vulnerabilities due to the lack of essential security patches. Technical Insights and Modus Operandi Rafel RAT employs sophisticated techniques to evade detection and execute malicious operations discreetly. Upon infiltration, the malware initiates communication with a command-and-control (C&C) server, facilitating remote data exfiltration, surveillance, and device manipulation. Its command set includes capabilities for accessing phone books, SMS messages, call logs, location tracking, and even initiating ransomware operations. Threat actors utilizing Rafel RAT operate through a PHP-based C&C panel, leveraging JSON files for data storage. This streamlined infrastructure enables attackers to monitor infected devices comprehensively, accessing crucial information such as device models, Android versions, geographical locations, and network operator details. Such insights empower threat actors to tailor their malicious activities and campaigns effectively. Emerging Threats and Mitigation Strategies As Rafel RAT continues to evolve and proliferate, robust cybersecurity measures become imperative for Android users and enterprises alike. Effective strategies to mitigate risks include deploying comprehensive endpoint protection, staying updated with security patches, educating users about phishing and malware threats, and fostering collaboration across cybersecurity stakeholders. Rafel RAT exemplifies the nature of Android malware, characterized by its open-source nature, extensive feature set, and widespread adoption in illicit activities. Vigilance and proactive security measures are essential to safeguard against its threats, ensuring continued protection of user privacy, data integrity, and organizational security in an increasingly interconnected digital world.

image for How to exclude your ...

 Technology

Every time someone with a smartphone with GPS enabled passes by near your Wi-Fi access point, the approximate geographic coordinates of your router are uploaded to the databases of Apple, Google and other tech giants. This is an integral part of the Wi-Fi Positioning System (WPS). For your router to end up in this   show more ...

database, you dont even need to have a smartphone yourself — its enough for a neighbor or passer-by to have one. WPS is what enables you to see your location almost immediately when you open a map app. Relying on pure GPS data from satellites would take a few minutes. Your smartphone checks which Wi-Fi access points are nearby, sends the list to Google or Apple, and receives either its calculated coordinates (from Google) or a list of router coordinates (from Apple) to calculate its own position. Even devices without GPS, such as laptops, can also use this type of geolocation. As discovered by researchers at MIT, Apple places minimal restrictions on requests for access point coordinates, making it possible to create your own worldwide router map and use it to find interesting phenomena and patterns, or even track individuals. What are the risks inherent in router surveillance? While the approximate physical location of a router might not seem like particularly confidential data, especially for those living in your area, there are several cases when its best to keep this information hidden. Here are a just a few examples: When using satellite internet terminals, such as Starlink. These provide internet access via Wi-Fi, and tracking the terminal equals tracking the users location. This is particularly sensitive when terminals are used in military conflict or emergency zones. When using mobile hotspots for business and travel. If you find it convenient to share internet from a mobile router to your laptop and other devices, your pocket hotspot likely accompanies you on business trips. This creates opportunities to monitor your travel schedule, frequency and directions. The same applies to hotspots installed in RVs and yachts. When people have moved. Often, a router moves with its owner, revealing their new address to anyone whos previously connected to their Wi-Fi — even just once before. While this is usually harmless, it can be problematic for those relocating to escape harassment, domestic violence or other serious issues. The limitations of WPS tracking These are all valid concerns, but theres good news: WPS tracking is less accurate and slower than other surveillance methods. First of all, for a router to be added to the WPS database, it must be consistently detected in the same area over some time. MIT researchers found that a new router took between two and seven days to appear in the WPS database. If you go somewhere with a mobile router for a short period, this movement is unlikely to be recorded in the database. Secondly, a router must be scanned by several smartphones with activated geolocation services to be included in the WPS database. Therefore, a router installed in an isolated or unpopulated area may never appear on the map. Thirdly, the identification and further tracking of routers relies on a BSSID — an identifier broadcast by the access point. Wi-Fi standards allow for BSSID randomization, and if this feature is enabled, the identifier automatically changes at certain time intervals. This doesnt interfere with the normal operation of devices connected to the access point, but it does make it more difficult to re-identify the router. Just like the private MAC address setting in Android, iOS and Windows reduces the risk of tracking client devices, BSSID randomization makes it much more difficult to track access points. How to protect your router from WPS tracking Both Apple and Google have a little-known tool that allows you to exclude an access point from WPS databases. To do this, add the suffix _nomap to the end of the access point name. For example, the access point MyHomeWifi should be renamed MyHomeWifi_nomap. For home and office routers, an additional security measure is to rent a device from the provider rather than buying your own. Then, whenever you move, you can simply return it and rent a new router at the new location. A more technologically advanced solution, though more complicated to implement, would be to use a router that supports BSSID randomization — such as those from Supernetworks with open-source firmware. The popular alternative firmware for routers, DD-WRT, also allows for BSSID randomization if supported by the hardware. For those using a smartphone as an access point, we recommend reviewing the device settings. On Apple devices, enabling BSSID randomization for your hotspot is not very straightforward — theres no such switch directly in the Personal Hotspot settings. However, if the Private Wi-Fi Address feature is enabled for at least some Wi-Fi networks (Settings -> Wi-Fi -> tap the name of the connected Wi-Fi network -> enable Private Wi-Fi Address), then your hotspot will start randomizing the BSSID of the access point. This feature can also occasionally be found on Android smartphones, although the activation process varies by manufacturer. According to Starlink, their terminals have also gradually been receiving a software update since early 2023 that automatically activates BSSID randomization.

image for Transatlantic Cable ...

 News

Episode 352 of the Transatlantic Cable podcast kicks off with a story concerning generative AI and hackers, with the hackers taking the side of artists (or so it would seem.)  From there discussion turns to the US surgeon general calling for warning labels on social media, mainly in part due to the worrying rise in   show more ...

young peoples mental health. To wrap up, the team look at two stories – the first concerning           ransomware and hospitals, and the second looking at a recent NHS data breach and black binbags. If you liked what you heard, please consider subscribing. Hackers Target AI Users With Malicious Stable Diffusion Tool on GitHub to Protest Art Theft US surgeon general wants social media warning labels Medical-Targeted Ransomware Is Breaking Records After Change Healthcares $22M Payout Students flimsy bin bags blamed for latest NHS data breach

 Feed

Red Hat Security Advisory 2024-4018-03 - An update for thunderbird is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include bypass and use-after-free vulnerabilities.

 Feed

In recent months, North Korean based threat actors have been ramping up attack campaigns in order to achieve a myriad of their objectives, whether it be financial gain or with espionage purposes in mind. The North Korean cluster of attack groups is peculiar seeing there is quite some overlap with one another, and it   show more ...

is not always straightforward to attribute a specific campaign to a specific threat actor. This is no different in what the authors are presenting in this paper today, where they analyze a new threat campaign, initially discovered in late May, featuring multiple layers and which ultimately delivers a seemingly new and previously undocumented backdoor. These actions appear tied to Kimsuky and is specifically focused on Aerospace and Defense companies.

 Feed

The U.S. Department of Commerce's Bureau of Industry and Security (BIS) on Thursday announced a "first of its kind" ban that prohibits Kaspersky Lab's U.S. subsidiary from directly or indirectly offering its security software in the country. The blockade also extends to the cybersecurity company's affiliates, subsidiaries and parent companies, the department said, adding the action is based on

 Feed

A recently patched high-severity flaw impacting SolarWinds Serv-U file transfer software is being actively exploited by malicious actors in the wild. The vulnerability, tracked as CVE-2024-28995 (CVSS score: 8.6), concerns a directory transversal bug that could allow attackers to read sensitive files on the host machine. Affecting all versions of the software prior to and including Serv-U 15.4.2

 Feed

Cybersecurity researchers have shed light on a new phishing campaign that has been identified as targeting people in Pakistan using a custom backdoor. Dubbed PHANTOM#SPIKE by Securonix, the unknown threat actors behind the activity have leveraged military-related phishing documents to activate the infection sequence. "While there are many methods used today to deploy malware, the threat actors

 Feed

A malvertising campaign is leveraging trojanized installers for popular software such as Google Chrome and Microsoft Teams to drop a backdoor called Oyster (aka Broomstick and CleanUpLoader). That's according to findings from Rapid7, which identified lookalike websites hosting the malicious payloads that users are redirected to after searching for them on search engines like Google and Bing. The

 Feed

A previously undocumented Chinese-speaking threat actor codenamed SneakyChef has been linked to an espionage campaign primarily targeting government entities across Asia and EMEA (Europe, Middle East, and Africa) with SugarGh0st malware since at least August 2023. "SneakyChef uses lures that are scanned documents of government agencies, most of which are related to various countries' Ministries

2024-06
Aggregator history
Friday, June 21
SAT
SUN
MON
TUE
WED
THU
FRI
JuneJulyAugust