Oktacron logo
Cyber security aggregate rss news

Cyber security aggregator - feeds history
image for Vimal Mani on Managi ...

 Cybersecurity News

In the rapidly evolving world of cybersecurity, staying ahead of emerging threats and leveraging cutting-edge technologies is paramount. Vimal Mani, the Head of Information Security, Data Privacy & Protection, and IT GRC Programs (CISO/DPO/CPO) at one of the leading commercial banks in the UAE, exemplifies   show more ...

leadership and innovation in this critical field. With a wealth of experience in implementing robust cybersecurity frameworks and integrating advanced technologies, Vimal has been at the forefront of utilizing Artificial Intelligence (AI) to enhance the bank's security posture. In this exclusive interview with The Cyber Express, Vimal shares his insights on the transformative role of AI in cybersecurity, particularly within the banking sector. He discusses the effective deployment of AI-driven technologies for threat detection and response, the essential AI Governance, Risk, and Compliance (GRC) standards, and the significant challenges faced while incorporating AI into cybersecurity practices. Furthermore, Vimal delves into the ethical considerations, the balance between data privacy and security, and the future trends in AI that are set to impact the industry. His strategic approach and practical solutions offer a comprehensive understanding of how AI can be harnessed to create a secure banking environment. TCE: How do you see the role of AI evolving in cybersecurity, particularly in the banking sector?   The global banking sector is in transitional stage now which will be analytically and ultimately AI-fueled. The global banking sector has started using AI driven technologies such as advanced analytics, cognitive analytics in enhancing cyber security risk management, operational efficiency and in providing wealth management advice for their HNI clients.  TCE: What specific AI-driven technologies have you found most effective in enhancing threat detection and response?  Operational Cyber Threat Intelligence (CTI) is a relatively new AI driven technology helps organizations in effective cyber threat detection and prevention. Also, AI Technologies support digital forensic teams in digital data analysis, pattern recognition kind of complex cyber security engineering activities.   TCE: Can you elaborate on the AI Governance, Risk, and Compliance (GRC) standards that you consider essential for integrating AI into your cybersecurity framework? How do you ensure adherence to these standards?  AI like any other new age technologies, can be used for both good and bad purposes. Bias and prejudices in AI algorithms will add the woe. As more and more adoption of AI Technologies start happening, data privacy will become more and more of a concern for people and companies adopting the AI Technologies. In addition to this significant amount of legal issues are also possible. There are no specific GRC Frameworks in place now for regulating AI Technology driven systems which are being addressed through other GRC frameworks such as data or consumer protection. Now gradually global countries and developed nations such as U.S, China have started putting in new GRC Acts and regulations to ensure that AI Technology usage triggered risks are identified and mitigated appropriately.  TCE: What are some of the most significant challenges you have faced in incorporating AI into your cybersecurity practices? How have you mitigated these challenges to ensure successful implementation?  Challenges such as Algorithmic Bias and Fairness Concerns, Explainability Issues, Interpretability Issues, Accountability and Ethical Issues, Lack of transparency, False positives and false negatives in threat detection are some of the critical challenges faced while trying to incorporate AI technologies into our Cyber Defence mechanism.  To address these challenges the following techniques are being used as appropriate and as feasible:  1) Usage of diverse and representative training data to avoid biases  2) Usage of Fairness-aware model architectures and optimization  3) Continuous monitoring and auditing of bias  4) Developing inherently interpretable AI models (GenAI)  5) Usage of Post-hoc explanations and visualizations  6) Usage of Human-in-the-loop approaches for interpretability such as Interactive machine learning, Collaborative decision-making etc  7)  Defining roles and responsibilities for GenAI Models deployment  TCE: In your experience, how does AI contribute to balancing the stringent requirements of data privacy and cybersecurity within the banking industry? Can you provide specific examples of this balance?  Using AI Technologies in cybersecurity will help in shaping up the contemporary cybersecurity practices and policies though there are concerns of biases. AI Technology driven information systems can help the individuals in protecting their sensitive data activities from hacking attempts targeted on them. However, the following interventions need to be considered for striking a balance between the risks and rewards potential due to the usage of AI Technology driven systems:  Building adequate amount of awareness on risks & rewards of using AI Technologies  Developing robust GRC standards and supporting guidelines for the development and deployment of AI Technology in cyber security practice.  Promoting participation of the people in improving and shaping up the future of AI-powered cybersecurity through various innovative interventions  Continuously monitoring the impacts of deployment of AI Technologies in cybersecurity and ensuring that these AI technologies are fully aligned with the business objectives  TCE: How do you approach the task of regularly evaluating and auditing AI systems to ensure they remain impartial, transparent, and effective in threat detection and response?  Carrying out periodic audits to assess the performance, fairness of the AI Models deployed and challenging the decisions arrived with the help of these AI Models will help in shaping up the reliability and performance of these AI Models to come up with more precise accurate predictions and be impartial, transparent and effective in threat detection. Conducting bias and fairness audits such as disparate impact analysis, sensitivity analysis, and ethical matrix analysis could be useful in this.  TCE: What future trends in AI do you anticipate will impact cybersecurity in the banking sector the most? How are you preparing to integrate these emerging technologies into your current cybersecurity strategy?  I foresee the following as upcoming AI Driven Cybersecurity Trends in global Banking sector:   Real Time Fraud Detection  AI driven Endpoint Security  Predictive Cyber Security Analytics  Chatbots Security  Automated Incident Response (EDR/MDR)  Behavioral Biometrics  In ongoing basis, we keep revisiting the existing Cyber Security Architecture of our Bank by doing Proof of Concept Studies of various AI Driven Cyber Security Technologies.  TCE: Can you share specific benefits and use cases you've observed from implementing AI in your cybersecurity practices, particularly tasks or processes where AI has proven more effective? Additionally, could you provide an example of an incident where AI significantly improved threat detection and mitigation at your bank, and what were the key takeaways from that experience?   The following are the successful AI enabled Cyber Security use cases i can talk about which has the potential of improving the Cyber Resilience of Banking sector:  AI enabled Security Operations Center  AI enabled Expert Systems for enabling cyber security decisions  Deployment of an intelligent agent which is an independent entity which recognizes adversary movement through sensors and follows up  Deployment of AI enabled security expert system which will follow a set of predefined AI algorithms to battle cyber-attacks  Usage of Neural Networks which are known as deep learning AI algorithms  TCE: How do you ensure that your cybersecurity team is adequately trained and prepared to work with AI technologies? What steps do you take to address the human element in this integration?  We keep conducting focused security awareness & training programs for our teams with the objective of acquiring the complete insights of the latest usage of AI Technologies in Cyber Security. Also, we keep sending our team members to Technology Fairs and exhibitions where solution vendors demonstrate the new AI driven cyber security solutions that can be used by Banking sector.  TCE: What ethical considerations are crucial when implementing AI in cybersecurity, particularly regarding data privacy and protection? How do you ensure that your AI systems uphold these ethical standards?  We are mindful of the legal, ethical complications of deploying AI Models and the security & privacy risks it can trigger into our Cyber security operations. We are managing the same with the support of the AI GRC guidelines available for Banking sector and other AI GRC Best Practices. This will include periodic audits of these AI driven Cyber Security Technologies from legal, ethical perspectives.   TCE: For CISOs and DPOs in the banking sector looking to integrate AI into their cybersecurity frameworks, what key factors and best practices would you recommend to ensure a smooth and effective transition?  I recommend the following for budding and veteran CISOs and DPOs:  Understanding contemporary AI regulations, acts of developed nations  Investing in research on AI driven Cyber security operations  Understanding the attack surface and prioritizing AI driven mitigation strategies  Understanding how cybercriminals are using AI in designing their TTPs (Tools/Techniques/Processes)  Implementing Automated and augmented incident response driven by AI  Identifying and mitigating third party risks potential in AI Apps used  Continuous Training & learning around AI driven Cyber security Technologies 

image for New Android RAT Bing ...

 Cybersecurity News

A new Android Remote Access Tool (RAT) has been discovered by security researchers, who have named it 'BingoMod.' The BingoMod RAT is often disguised in the form of popular security tools, and the associated malware family has been identified as a significant threat to Android users. BingoMod utilizes   show more ...

On-Device Fraud (ODF) to initiate unauthorized money transfers from compromised devices, bypassing traditional banking security measures. BingoMod Exploits Android Accessibility Services BingoMod operates by gaining access to sensitive information such as credentials, SMS messages, and account balances. The Cleafy Threat Intelligence (TIR) team that initially identified the RAT tool in May said it achieves this by exploiting Accessibility Services and employing keylogging and SMS interception techniques on infected Android devices. [caption id="attachment_85017" align="alignnone" width="1674"] Source: www.cleafy.com/cleafy-labs[/caption] The malware's core function is facilitating ODF, allowing threat actors to take control of the infected device and execute fraudulent transactions in real-time. Once installed, BingoMod prompts the user to activate Accessibility Services, disguising the request as necessary for the app to function correctly. If the user grants the requested permissions, the malware begins to unpack itself, executing its malicious payload. BingoMod enables attackers to view and interact with the device remotely, utilizes overlay attacks and fake notifications for phishing purposes and can even allow attackers to send SMS messages from compromised devices, which could be used to distribute the the malware even further. To maintain persistence and hinder analysis on infected devices, BingoMod incorporates several counter-measures. It restricts access to system settings, blocks specific applications, and could even uninstall security apps. As a nuclear option, the malware can also allow the attackers to remotely wipe the device's storage, effectively erasing evidence of their activity. BingoMod establishes a socket-based connection with the command and control infrastructure (C2) to receive commands from the actors. This allows the malware to provide around 40 remote control functions, including real-time screen control, screen interaction, and overlay attacks. The malware uses two separate communication channels: a socket-based channel for command transmission and an HTTP-based channel for image transfer. Evolution and Obfuscation of BingoMod Since its discovery, BingoMod has undergone a notable evolution, focusing primarily on obfuscation techniques to evade detection by antivirus solutions. While the core functionality remains largely unchanged, developers have implemented code-flattening and string obfuscation, significantly lowering its detection rate. This suggests a focus on opportunistic attacks rather than developing more complex features. An interesting addition is an asynchronous callback mechanism in the PingUtil class, which sends "alive" signals to the command and control server, providing information about the bot's status. The developers of BingoMod are in an experimental phase, focusing on app obfuscation and packing processes to reduce detection against AV solutions. The researchers find evidence of this experimental nature in the changes observed between early and newer versions of the malware. While the overall structure and functionality remain the same, the obfuscation employed lowers the overall detection rate. BingoMod's self-destruction mechanism, which wipes the device remotely after a successful fraudulent transfer, is a relatively rare option in the Android device malware landscape, and the developers of BingoMod may be aware of similar methods used by other malware families, such as Brata. As the malware continues to evolve, it is essential for security researchers to monitor its development and adapt strategies to combat its threats.

image for McDowall Affleck Con ...

 Firewall Daily

McDowall Affleck, an Australian engineering firm, has acknowledged being the target of a "cyber incident." While the company has not identified a specific threat actor, the RansomHub ransomware group claimed responsibility for the McDowall Affleck cyberattack on August 1, 2024. The alleged perpetrator behind   show more ...

the attack, RansomHub, is a notorious ransomware group known for high-profile attacks. Details of the McDowall Affleck cyberattack were shared on a dark web site linked to the threat actor. According to RansomHub's own communication, the group claims to have accessed 470 GB of McDowall Affleck’s internal data. The leaked information reportedly includes critical documents, insurance records, tender and contract details, and personal information of both employees and clients.  RansomHub has threatened to release this data publicly within the next 4-5 days unless their demands are met. Decoding the McDowall Affleck Cyberattack by RansomHub A recent update on the RansomHub group's darknet site provided details about the cyberattack on McDowall Affleck. The entry noted the URL “mcdowallaffleck.com.au” and indicated that the data size is 470GB. It also recorded that the page had been visited 11 times, with the last view occurring on August 1, 2024, at 10:31:02. The countdown to potential data release was marked at 4 days, 13 hours, 9 minutes, and 57 seconds. [caption id="attachment_85073" align="alignnone" width="467"] Source: Dark Web[/caption] In an exclusive statement to The Cyber Express, a spokesperson for McDowall Affleck addressed the recent cyberattack, saying, “McDowall Affleck recently experienced a cyber incident. As soon as we detected the issue, we took immediate steps to secure our systems. We engaged forensic experts to investigate the breach and ensure our systems are operational and secure.” The spokesperson continued, “We are currently evaluating the legitimacy of the claims made online. Protecting our employees’ and clients’ information is our top priority. We have reached out to all affected parties and provided guidance on how to secure their information. We’ve reported the incident to the Australian Cyber Security Centre (ACSC) and WA Police and are cooperating fully with law enforcement and privacy regulators.” The Rise of RansomHub Ransomware Group RansomHub, the group behind the cyberattack on McDowall Affleck, is believed to be an evolved variant of the Knight ransomware and has affiliations with the ALPHV group. This ransomware operation utilizes a Ransomware-as-a-Service model, exploiting vulnerabilities like Zerologon to gain initial access. Once inside, they encrypt data and demand a ransom, threatening to release sensitive information if their demands are not met. RansomHub has previously made headlines with attacks on high-profile targets, including Christie’s, the world’s largest auction house. Previously, Christie’s reported taking their website offline due to a similar “technology security incident,” with RansomHub claiming responsibility and threatening to leak data from the auction house. [caption id="attachment_85076" align="alignnone" width="751"] Source: X[/caption] The attack on McDowall Affleck highlights the growing threat posed by sophisticated ransomware groups like RansomHub. As organizations continue to face these types of cyber threats, the importance of robust cybersecurity measures and prompt incident response cannot be overstated. McDowall Affleck’s proactive approach to securing their systems and cooperating with authorities is a crucial step in mitigating the impact of the cyberattack. The firm has assured its stakeholders that it is doing everything possible to address the situation and protect sensitive information.

image for Mastering Heap Explo ...

 Firewall Daily

The realm of heap exploitation has always intrigued security researchers due to its complexity and the potential for high-impact vulnerabilities. The HitconCTF Qualifiers 2024 presented a formidable challenge in this domain, featuring a heap pwn challenge dubbed “setjmp.” The HitconCTF Qualifiers 2024 has been   show more ...

marked as one of the toughest capture the flag events (CTFs) of the year. Among a slew of kernel and VM escape challenges, the setjmp challenge stood out with its seemingly straightforward approach but complex underlying mechanisms. According to Quarkslab’s blog, this challenge involved classic heap exploitation techniques on a system running GLIBC 2.31, the GNU C library. The core difficulty lay in obtaining a libc pointer leak, which was ultimately resolved using scanf() to trigger a substantial memory allocation. Heap Exploitation Techniques Explained Before diving into the specific details of the setjmp challenge, it is crucial to grasp some foundational concepts about GLIBC's malloc internals. Resources such as Azeria Labs’ malloc internals primer and Shellphish’s “how2heap” provide valuable insights. Additionally, the "Malloc Des Malificarum" offers historical context on heap exploitation techniques. Understanding these concepts will lay the groundwork for comprehending how vulnerabilities are exploited in heap management. The heap is a critical component of a process's memory space, utilized for dynamic memory allocation. Managed through functions like malloc() and free(), the heap allows programs to allocate and deallocate memory blocks as needed. When a memory allocation request is made, the heap manager returns a pointer to a chunk of memory of the requested size. When memory is freed, it must be managed efficiently to avoid fragmentation and ensure quick reallocation. Heap management in GLIBC employs various types of bins to efficiently organize memory chunks: Small Bins are doubly linked lists for chunks up to 1024 bytes, while Large Bins handle chunks larger than 1024 bytes with their own doubly linked lists. The Unsorted Bin acts as a cache for chunks that don't fit into other bins immediately. Fast Bins consist of singly linked lists for small chunks expected to be reused soon, and Tcache Bins provide thread-local storage for frequently used chunks to speed up allocation. Each bin type has distinct characteristics and optimizations, which are vital for understanding heap exploitation techniques. For example, while fastbins and tcache bins facilitate rapid allocation and deallocation, they also present vulnerabilities that can be exploited. Heap Exploitation Techniques: Core Concepts Heap exploitation techniques frequently focus on manipulating free lists and bins within memory management systems. Key exploitation primitives include Heap Overflow, which takes advantage of buffer overflows to alter adjacent chunks or bin list pointers; Use After Free (UAF), where a freed chunk is still referenced, allowing attackers to leak or modify memory; and Double-Free, which involves freeing the same chunk twice to cause memory corruption or arbitrary write primitives. In the context of the Setjmp challenge, the use of setjmp and longjmp functions for non-local jumps highlights their role in managing execution contexts and complex control flows. This challenge required handling a doubly linked list of user structures in heap memory, involving operations to create, delete, and modify users. The challenge featured both Use After Free (UAF) and Double-Free vulnerabilities, which were central to the exploitation strategy. In the Use After Free scenario, deleting a user left its reference on the stack, creating a UAF vulnerability that allowed for manipulation of memory structures. The Double-Free vulnerability involved freeing the same user twice, enabling advanced memory manipulation. By exploiting a UAF vulnerability, attackers could circumvent double-free detection in the tcache and gain control over memory. The exploitation strategy involved triggering a double-free condition to perform arbitrary read and write operations within libc. By overwriting the __free_hook with the address of the system(), attackers could execute arbitrary commands. For instance, creating a user with the username /bin/sh and subsequently freeing it would activate the __free_hook, ultimately leading to the execution of a shell command. Practical Steps and Heap Exploitation Techniques The challenge at HitconCTF Qualifiers 2024 involved several critical steps in heap exploitation. The Heap Leak was achieved by deleting a user and then reading the contents of the freed chunk to extract the base address of the heap. This technique allowed the researchers to gain insight into the heap's layout and memory structure. To perform a Libc Leak, a large chunk was strategically forced into the unsorted bin using scanf() for large allocations. This process, which required careful management of chunk placements, revealed the libc base address and facilitated further exploitation. The Final Exploit focused on overwriting the __free_hook with the address of the system() function. This technique enabled the execution of arbitrary commands by leveraging both double-free conditions and heap leaks. By creating a user with the username /bin/sh and then freeing it, the __free_hook was triggered to execute the shell command, effectively demonstrating the exploit's success. In conclusion, the setjmp challenge exemplified the intricate nature of heap exploitation and the detailed understanding required of GLIBC malloc internals. It highlighted the importance of mastering heap structures, free lists, and exploitation primitives to develop sophisticated techniques for identifying and exploiting vulnerabilities. Resources such as Azeria Labs' malloc internals and various online guides are invaluable for gaining hands-on experience and enhancing one’s skills in navigating and overcoming modern security challenges.

image for Healthcare Sector Pr ...

 Firewall Daily

Recent cyberattacks on healthcare facilities in the U.S. have raised the stakes of healthcare cybersecurity — forcing cybersecurity specialists to be on red alert. The massive ransomware attack on UnitedHealth’s Change Healthcare subsidiary, expected to surpass $1 billion in total costs, including a $22 million   show more ...

ransom payment, exemplifying the sector's critical need for enhanced cybersecurity measures. As cybercriminals deploy increasingly sophisticated techniques, healthcare organizations must prioritize attack surface management (ASM) to protect patient data and maintain operational efficiency. Central to this effort is the role of Chief Technology Officers (CTOs), whose responsibilities have increased significantly in response to healthcare sector preparedness. Global Healthcare Cybersecurity Gets Average Ratings A recent report by SecurityScorecard, published on June 25, 2024, provides a snapshot of the healthcare sector’s cybersecurity posture. The report, titled “The Cyber Risk Landscape of the U.S. Healthcare Industry, 2024,” assigns the sector a “B+” security rating for the first half of 2024, reflecting moderate progress but also highlighting significant areas needing improvement. The average score for healthcare organizations stands at 88, indicating that while some progress has been made, there are still substantial gaps that need addressing in the realm of healthcare cybersecurity. The report reveals critical cybersecurity vulnerabilities in the healthcare sector, particularly focusing on supply chain risks. In 2023, healthcare organizations experienced 35% of all third-party breaches, highlighting the sector’s high susceptibility to ransomware targeting supply chains. Medical device companies are notably at higher risk, with a 16% higher breach rate compared to other healthcare sectors.  Application security is another major concern, with 48% of organizations scoring poorly, which can expose systems to significant threats by providing attackers access to sensitive processes and updates. Despite these threats, only 5% of healthcare organizations had publicly reported breaches in the past year, and 6% detected compromised machines on their networks recently. Ryan Sherstobitoff from SecurityScorecard emphasizes the critical need to address these supply chain vulnerabilities, warning that a single failure point, like Change Healthcare, could severely disrupt the entire healthcare ecosystem. He stresses that without vigilant monitoring and management of supply chain risks, similar issues are likely to recur, highlighting the need for a proactive approach to attack surface management in the healthcare industry. How CTOs are Safeguarding Healthcare Cybersecurity The role of the Chief Technology Officer (CTO) in healthcare has evolved dramatically to address modern and complex cyber threats. Traditionally focused on managing technology infrastructure, modern CTOs now play a critical role in strategic decision-making and innovation to bolster healthcare cybersecurity. Today's CTOs are tasked with defining technology roadmaps that align with organizational goals, including integrating new technologies and ensuring compatibility with existing systems. This strategic planning is essential for maintaining robust cybersecurity within the healthcare sector. As the industry moves towards more patient-centric models, CTOs must also ensure seamless interoperability between various systems and platforms to enhance patient and provider experiences while maintaining operational efficiency. Managing both cloud-based and on-premises technology infrastructure falls under the CTO's purview, ensuring that systems are secure, cost-effective, and capable of rapid deployment. This involves maintaining a robust infrastructure that can handle increased demands and potential cyber threats, thereby strengthening overall healthcare cybersecurity. CTOs are also responsible for driving innovation by exploring and implementing transformational technologies such as AI and machine learning. These advancements can significantly improve patient care and operational efficiency while contributing to more effective cybersecurity measures. Collaboration with hospital administration and clinical leaders is crucial for CTOs. They must understand and address the challenges faced by these stakeholders, anticipate future technological needs, and ensure that cybersecurity strategies are aligned with organizational objectives. In the face of rising cyber threats, CTOs play a pivotal role in managing the attack surface, implementing security measures, and ensuring compliance with regulations like HIPAA, which are fundamental to maintaining healthcare cybersecurity. Cybersecurity organizations like Cyble offer advance attack surface management with AI-driven solutions, offering real-time monitoring and vulnerability management. To fight against these healthcare adversaries, schedule a demo today to see how Cyble can strengthen your defenses against healthcare and other types of threats. Rise of Ransomware Groups Hampering Healthcare Cybersecurity Cybersecurity researchers has identified several key trends and threats impacting healthcare cybersecurity. The disruption of BlackCat/AlphV ransomware operations by the FBI in December 2023 highlighted the ongoing threat to healthcare providers. This ransomware group’s affiliate model, which explicitly targets healthcare facilities, underscores the critical need for robust cybersecurity measures in the sector. Similarly, the emergence of BlackSuit ransomware in May 2023, linked to the Royal ransomware family, poses significant risks. BlackSuit's double extortion tactics—encrypting data and threatening to leak it unless a ransom is paid—intensify the challenge of protecting patient confidentiality and ensuring operational continuity. Healthcare organizations should implement regular software updates to patch vulnerabilities and protect against new threats. Network segmentation is essential to limit the impact of breaches and contain potential threats, while incident response planning ensures swift and effective handling of breaches. Advanced security monitoring and anomaly detection tools are crucial for identifying and addressing suspicious activities. Data encryption and secure backups are vital for protecting sensitive information and mitigating the risks of ransomware attacks. Compliance with HIPAA regulations is also necessary to safeguard patient information and avoid penalties. These recommendations stress the need for a proactive, comprehensive cybersecurity strategy. By investing in advanced technologies and maintaining vigilant security practices, healthcare organizations can enhance their resilience and better protect their critical infrastructure from evolving cyber threats. With rising threats like BlackCat and BlackSuit targeting healthcare and other sectors, robust cybersecurity is essential. Cyble offers cutting-edge solutions, including Cyble Vision for real-time threat insights and Cyble Hawk for advanced investigative capabilities. Schedule a demo to see how Cyble’s AI-powered platforms can enhance your defenses. Secure your organization with Cyble today

image for CISA Appoints Lisa E ...

 Firewall Daily

In a move to responsibly incorporating artificial intelligence (AI) into cybersecurity, the Cybersecurity and Infrastructure Security Agency (CISA) has announced the appointment of Lisa Einstein as its first Chief Artificial Intelligence Officer. Lisa Einstein, who has been leading CISA’s AI initiatives since 2023   show more ...

as the Senior Advisor for AI, brings a wealth of experience to her new position. Since 2022, she has also served as the Executive Director of the CISA Cybersecurity Advisory Committee, playing a pivotal role in shaping the agency’s AI strategy. CISA's Appoints First Chief Artificial Intelligence Officer “I am proud of how our team at CISA has come together in the last two years to understand and respond to rapid advancements in AI—many of which have significant implications for our core missions of cyber defense and critical infrastructure security,” said CISA Director Jen Easterly. “Lisa Einstein has been central to that effort. Beyond her technical expertise, she’s an inspirational leader who has brought together colleagues across the agency around a clear and impactful vision. I could not be more thrilled to have her take on this important new role, which will help us continue to build AI expertise into the fabric of our agency and ensure we are equipped to effectively leverage the power of AI well into the future.” The appointment of Einstein signals CISA’s ongoing commitment to ensuring that AI is used safely and securely, both within the agency and among its critical infrastructure partners. The agency aims to institutionalize responsible AI governance to enhance the security and reliability of systems critical to the daily lives of Americans. Einstein's New Role Signals CISA's Commitment to AI-Driven Cyber Defense “I care deeply about CISA’s mission – if we succeed, the critical systems that Americans rely on every day will become safer, more reliable, and more capable. AI tools could accelerate our progress. But we will only reap their benefits and avoid harms from their misapplication or abuse if we all work together to prioritize safety, security, and trustworthiness in the development and deployment of AI tools,” said Einstein. “It has been a privilege to work with the dedicated and talented CISA team and with our partners across the United States and around the world over the last two years. I am honored to serve in this new role to help CISA tackle this important challenge.” This newly established role shows CISA’s ongoing efforts to incorporate AI into its cyber defense mission and support critical infrastructure owners and operators across the United States. Einstein’s appointment marks a step forward as CISA works to enhance its AI capabilities and integrate them into its broader mission of protecting the nation’s critical infrastructure.

image for Germany Attributes 2 ...

 Cybersecurity News

The Federal Office for Cartography and Geodesy, known as the Bundesamt für Kartographie und Geodäsie (BKG) in Germany, suffered a serious cyberattack in late 2021, which has now been attributed to Chinese state actors. The German government condemned the attack, saying it was likely related to espionage activities.   show more ...

Federal Minister of the Interior Nancy Faeser strongly condemned the attack and told China to refrain from such attacks in the future. Federal Office for Cartography and Geodesy Attack Investigation The Federal Office for the Protection of the Constitution (BfV) and the Federal Office for Information Security (BSI) supported the BKG in investigating the cyberattack. Their investigation revealed that part of the BKG network had been compromised, though no additional malware was found on the agency's systems. Following the attack, the BKG implemented comprehensive security measures, including improved logging and detection of security-relevant events, enhanced IT risk management, and increased employee awareness of information security. The agency also rebuilt its network in accordance with the BSI's recommendations, ensuring that the attacker was successfully excluded from the BKG networks. Faeser emphasized the severity of the situation and its threat to the digital sovereignty of Germany and Europe as a region in the following statement: This serious cyberattack on a federal authority shows how great the danger is from Chinese cyberattacks and espionage. The Federal Government condemns this cyberattack by state-controlled Chinese actors in the strongest possible terms. We call on China to refrain from and stop such cyberattacks. These cyberattacks threaten the digital sovereignty of Germany and Europe. We are therefore resolutely opposing these threats and have significantly increased protection. Just last week, we in the Federal Cabinet introduced another law to further increase cybersecurity and to better arm ourselves against state and criminal cyberattacks. The investigation into this cyber attack is the result of the excellent, closely networked work of our security authorities. I would like to thank all the authorities involved, especially the Federal Office for the Protection of the Constitution. Ongoing Threat from Chinese Cyber Activities German security authorities report that suspected Chinese state actors continued to target companies, government agencies, and political institutions throughout 2023. These attacks appeared to be aimed at gathering information on political decision-making processes and German foreign policy positions that could impact China. The security agencies note a significant qualitative and quantitative development in Chinese cyber espionage tactics, achieving unprecedented reach and effectiveness. They anticipate China will further intensify its state-run espionage and influence activities as part of an offensive cyber strategy aligned with the country's industrial and geopolitical goals.

image for Exodus Marketplace R ...

 Firewall Daily

The Exodus Marketplace has recently resurfaced, positioning itself as a notable player in the illicit online economy. Cyble Research & Intelligence Labs (CRIL) has been closely monitoring the evolution of this marketplace, revealing its efforts to secure a strong foothold among dark web communities and its   show more ...

attempts to attract customers away from established platforms. The Exodus Marketplace made its initial debut on the Cracked forum on February 10, 2024, when the user "ExodusMarket" announced its launch, which had begun at the end of January 2024. Since then, the marketplace has experienced several significant domain changes. The initial domain was updated twice, first in March 2024 and then again on July 16, 2024, highlighting the platform’s ongoing attempts to solidify its presence and address security concerns. The Resurgence of Exodus Marketplace On July 23, 2024, the threat actor behind Exodus Marketplace promoted a new domain to attract fresh users. To incentivize new registrations, they offered free access through a referral code. This promotional push highlights the platform’s strategic shift to differentiate itself from other dark-web marketplaces, particularly in the wake of users migrating from the now-defunct Genesis Marketplace. [caption id="attachment_85085" align="alignnone" width="981"] advertisement of Exodus Market (Source: Cyble)[/caption] According to CRIL, the frequent domain changes could be attributed to a couple of factors. Firstly, intensified law enforcement actions against botnet infrastructures and dark web forums might have forced the Exodus Marketplace to seek more secure hosting solutions. Alternatively, the changes could signal an attempt to execute an exit scam, a tactic sometimes used by dark web operators to avoid reputation damage while transitioning to a new setup.  Despite these concerns, recent observations in dark web forums and Telegram channels show no significant red flags concerning the platform’s integrity. A July 16 post indicated that users with accounts on the old platform needed to raise support tickets to recover their funds on the new site. A Glimpse into Exodus Market Operations Analysis of Exodus Marketplace operations on the Cracked forum reveals intriguing insights into its origin. The platform is believed to be created by a user known as "Kira3301," who has been active since 2020. Kira3301 is known for its high reputation in web development circles, and its previous projects display similarities to the Exodus Marketplace in terms of design and functionality. [caption id="attachment_85088" align="alignnone" width="1024"] Bots section of Exodus Marketplace (Source: Cyble)[/caption] The Exodus Marketplace itself is relatively straightforward, mirroring features found on other dark web log marketplaces. It claims to manage over 7,000 bots across 192 countries, with bot prices ranging between $3 and $10 each. Transactions are conducted via cryptocurrencies such as Bitcoin, Monero, and Litecoin, which users deposit into the platform’s designated deposit box. The marketplace provides detailed information on its bot listings, including resources accessed, addition dates, data collection timestamps, prices, countries, operating systems, and partial IP addresses. Additionally, Exodus Marketplace offers a ticketing system for customer support and a wiki section intended for general information, although the latter remains incomplete at present. Exodus Marketplace Features to Attract Visitors The Exodus Marketplace has highlighted several features to attract users, including daily updates of over 10,000 new logs, enhanced privacy with increased moderation, and advanced filtering options for better log searches.  [caption id="attachment_85087" align="alignnone" width="1024"] Genesis Marketplace Wiki section (Source: Cyble)[/caption] The platform also plans to introduce new features like a multi-commerce, multi-vendor system, and an antidetect browser for direct log injection. However, despite these enhancements, the Exodus Marketplace’s Telegram channel, which is used for official communications, has low engagement and a modest number of subscribers. Historical data indicates frequent domain changes and past offerings of InfoStealers and Remote Access Trojans (RATs), along with mentoring sessions. Exodus Marketplace is part of a broader history of infostealer platforms that have influenced the dark web. Notable predecessors include Genesis Market, which dominated the scene from February 2018 until its seizure by law enforcement in April 2023. The Russian Market, active since February 2019, continues to operate, offering illicit products including logs at varying prices. 2Easy, which launched in January 2020, saw rapid growth following the takedown of Genesis Market.  Amigos Market, operational from October 2020 to December 2021, sourced logs from RedLine infostealer and competed with the Russian Market before its closure. Additionally, CRIL has noted the rise of decentralized, Russian-speaking markets on Telegram, though these often face issues with reliability and short lifespans. Conclusion and Recommendations Law enforcement operations, such as Operation Endgame, have made significant strides in disrupting cybercriminal networks by targeting major botnets like Bumblebee, IcedID, and Trickbot. These actions not only dismantle illegal operations but also create opportunities for investigators to gather valuable leads through the operational errors of these networks. To protect against infostealers, both individuals and organizations should follow several best practices. It is crucial to avoid downloading pirated software and suspicious files. Ensuring that software is downloaded only from trusted sources can prevent many security issues. Organizations should also restrict access to corporate systems from personal devices and educate employees about their security responsibilities.  Implementing proactive threat intelligence solutions and monitoring dark-web activities for potential threats can provide early warnings of malware campaigns. Additionally, having a robust incident response plan and securing the supply chain by ensuring that vendors and partners follow strong security practices are essential measures. Practicing the principle of least privilege, where access to sensitive information is restricted to necessary personnel, further enhances security.

image for The Dumbest Thing in ...

 Cybersecurity News

The CrowdStrike outage saga managed to turn even uglier this week, and lawyers may be the only ones who are benefiting. Also, we look at security product effectiveness and cybersecurity's dirty secret: information asymmetry. First, the truly petty. CrowdStrike is reportedly trying to take down parodies on Etsy and   show more ...

a parody website. In addition to drawing more attention to the parodies, it’s a bad look for a company that should be more focused on security and availability than anything else right now. CrowdStrike shares (CRWD) have plunged 38% since the July 19 outage that brought down 8.5 million Windows machines around the globe, erasing $28 billion in market cap as investors reassess the company’s growth trajectory in the wake of what may be the biggest-ever cyber incident. Not surprisingly, shareholder lawsuits have begun to appear. CrowdStrike seems to be doing the opposite of what it should be doing – showing humility and reassuring customers that the company is a reliable partner. Delta May Sue CrowdStrike for Outage Damages Delta Airlines – which struggled to recover from the outage to the point that the U.S. Department of Transportation opened an investigation into the matter – estimates its losses from the outage at $500 million and told CNBC that it plans to seek damages. The company has hired prominent attorney David Boies to pursue the case. “If you’re going to be having access, priority access to the Delta ecosystem in terms of technology, you’ve got to test the stuff. You can’t come into a mission critical 24/7 operation and tell us we have a bug,” Bastian told CNBC. CrowdStrike has attributed the outage to a bug in its validation software that allowed a faulty update to slip through. However, Delta took far longer than competitors to recover from the outage, raising the possibility that its recovery processes may have been inadequate. Our prediction: We’ll never know the truth here, because even though software vendors have historically been free from liability for bugs, CrowdStrike and Delta will likely settle the case to avoid publicity and disclosures. Lawyers, Marketers and Shareholders, Oh My! Part of the problem in general here may be the “shareholder first” mentality that has dominated U.S. companies since the Reagan era – the doctrine that companies exist primarily to reward shareholders. That practice has gone into overdrive with the rise of AI, and there's a good chance it won’t end well – how well are shareholders going to be rewarded if customers are unhappy? The ”shareholder first” doctrine means that companies try to get by with minimal investment while pushing employees and productivity as much as possible. That creates fragile systems, and an incident like CrowdStrike-Microsoft-Delta shows just how fragile that chain is, when inadequate testing, a rushed update, a fragile operating system and inadequate recovery processes come together to create a $500 million loss. And that’s just one customer; total outage losses have been estimated at $15 billion by cyber insurer Parametrix, and only 10-20% of that may be covered by cyber insurance. With the “shareholder first” focus on maximum profitability, marketing gets ahead of the technology and companies overpromise and underdeliver, and lawyers are brought in to make sure the company can retain every advantage. So you get onerous terms and conditions like CrowdStrike’s, where damages are limited to refunds and you get curious language like the following that seems incongruent with a company that has carefully built a reputation as a supplier to organizations with high security needs (the caps are CrowdStrike’s): “THE OFFERINGS AND CROWDSTRIKE TOOLS ARE NOT FAULT-TOLERANT AND ARE NOT DESIGNED OR INTENDED FOR USE IN ANY HAZARDOUS ENVIRONMENT REQUIRING FAIL-SAFE PERFORMANCE OR OPERATION. NEITHER THE OFFERINGS NOR CROWDSTRIKE TOOLS ARE FOR USE IN THE OPERATION OF AIRCRAFT NAVIGATION, NUCLEAR FACILITIES, COMMUNICATION SYSTEMS, WEAPONS SYSTEMS, DIRECT OR INDIRECT LIFE-SUPPORT SYSTEMS, AIR TRAFFIC CONTROL, OR ANY APPLICATION OR INSTALLATION WHERE FAILURE COULD RESULT IN DEATH, SEVERE PHYSICAL INJURY, OR PROPERTY DAMAGE. Customer agrees that it is Customer’s responsibility to ensure safe use of an Offering and the CrowdStrike Tools in such applications and installations.” CrowdStrike is hardly the only security vendor with terms like that, but it sure doesn’t give you confidence in the security of our critical infrastructure. One top industry official – Alex Stamos, SentinelOne’s new CISO – essentially accused CrowdStrike of negligence in a podcast earlier this week, and competitors like Fortinet and Sophos have been revealing how they handle kernel updates to reassure customers. But it’s fair to ask: How secure are our security tools? The answer is murky, in part because there are few industries that suffer from greater “information asymmetry” than cybersecurity, where sellers know much more than buyers about how well these products actually work and there are no standards for efficacy. Information Asymmetry: Cybersecurity’s Big Problem Endpoint detection and response (EDR) products at the heart of CrowdStrike Falcon are some of the better tested security products – the annual MITRE ATT&CK evaluations are some of the toughest tests the industry faces – but even there, EDR tools are subject to missed detections, bypass attacks, and a general murky uncertainty about how well they work in real-world conditions. A Picus Security report published this week found that security tools miss an alarming number of attacks. While prevention effectiveness rose from 59% in the 2023 report to 69% in 2024, detection effectiveness - and alert scores in particular - dropped from 16% to 12%. “This means we are better at preventing some attacks, we are still struggling to detect them promptly,” Picus said. “Real-world data shows that even best-of-breed products that score 100% in controlled settings can exhibit a wide range of prevention and detection effectiveness once deployed,” the report said. Part of the problem is variations in implementation and environments. Another part is the cat-and-mouse game of cybersecurity, where attackers and defenders must continually respond and adapt, leading to occasional advantages for one side or the other. And even tools based on behavior, machine learning and AI must continually adapt to new information. Security products aren’t perfect, which is why organizations have been preaching defense-in-depth and resilience: The more obstacles an attacker faces, the more likely they are to give up and move on to an easier target. But we can still expect – nay, demand – better. Any industry we depend on, be it cybersecurity, airlines, healthcare, food and agriculture, or any other critical sector, must invest adequately in protecting those resources, shareholders notwithstanding. And insisting on adequate protection is a job for lawmakers, regulators, consumers, and sometimes, if the share price falls far enough, shareholders too.

image for Chinese Hackers Targ ...

 Cybersecurity News

Researchers have uncovered a cyber espionage campaign targeting a Taiwanese government-affiliated research institute specializing in computing and related technologies. The researchers assessed with medium confidence that the tactics, techniques, and procedures (TTPs) are associated with the Chinese state-sponsored   show more ...

hacking group known as APT41, which has been listed among the FBI's most wanted in connection with intrusion campaigns against more than 100 victims globally. The campaign, which began as early as July 2023, utilized the notorious ShadowPad malware, Cobalt Strike, and other custom tools for post-compromise activities. Espionage Campaign Evidence Points to APT41 The attack began with the exploitation of an outdated vulnerable version of Microsoft Office IME binary, which served as a loader to launch the second-stage loader for the payload. The ShadowPad malware, known for its remote access trojan (RAT) capabilities, was used to gain access to the system. Additionally, the researchers from Talos observed that APT41 had created a tailored loader to inject a proof-of-concept for CVE-2018-0824 directly into memory, utilizing the Microsoft remote code execution vulnerability to achieve local privilege escalation. The attackers also employed Cobalt Strike, a penetration testing tool, to evade detection by Windows Defender. A unique version of the commonly deployed Cobalt Strike loader, written in GoLang, was used to sideload the malware into the system. [caption id="attachment_85038" align="alignnone" width="1112"] Source: https://blog.talosintelligence.com/[/caption] This loader version was based on an anti-AV loader named CS-Avoid-Killing, hosted on GitHub and written in Simplified Chinese. The repository, promoted in Chinese hacking forums and technical tutorials, indicates that the threat actors were well-versed in the language. The use of Simplified Chinese in the loader's code further strengthens the link to Chinese actors. The attackers compromised three hosts in the targeted environment and exfiltrated some documents from the network. They gained a foothold by executing malicious code and binaries on the machine, installing a webshell to enable discovery and execution, and dropping malware payloads through various approaches such as webshell, RDP access, and reverse shell. Once inside the network, the attackers employed tools like Mimikatz and WebBrowserPassView to steal credentials and exfiltrated sensitive documents using 7zip for compression and encryption. Several key indicators link this attack to APT41 beyond the use of Chinese-language in code and development of a custom loader based on one known in Chinese forums. One indicator is the deployment of ShadowPad by the attackers, a sophisticated modular RAT predominantly used by similar Chinese hacking groups. While the researchers could not retrieve the final ShadowPad payload, the loaders used match those previously attributed to the APT41 group. Also, significant infrastructure overlap exists, including the use of a command-and-control (C2) server previously linked to APT41 in a 2022 report. Finally, the attackers employed a specific side-loading technique leveraging an outdated Bitdefender executable, a tactic repeatedly observed in past APT41 campaigns. Sophisticated Tools and Techniques The attackers demonstrated a high degree of technical proficiency, using a variety of methods to establish a foothold and maintain persistence. They deployed webshells, leveraged RDP access, and established reverse shells to drop malware, including a unique Cobalt Strike loader written in GoLang, likely designed to evade Windows Defender. Chinese APT groups pose special risk to Taiwanese sovereignty and integrity as tensions and disputes between the two states grow.

image for Dark Web Actor Claim ...

 Firewall Daily

A dark web actor has taken responsibility for a data breach involving ADT, the American security firm renowned for its residential and business alarm monitoring services. On August 1, 2024, an individual or group operating under the alias "netnsher" publicly announced their involvement in this significant   show more ...

breach. According to the threat actor post, the ADT data leak has compromised over 30,812 records, including approximately 30,400 unique email addresses. The leaked information encompasses a range of personal details such as customer emails, physical addresses, user IDs, and purchase history. The threat actor "netnsher" not only released these records but also provided a sample as proof of the ADT breach. Decoding the ADT Data Breach Claims [caption id="attachment_85049" align="alignnone" width="1716"] Source: Dark Web[/caption] The ADT data leak was initially reported on July 31, 2024, and became public the following day. Notably, another data leak involving ADT occurred earlier on July 8, 2024, when the threat actor known as "Abu_Al_Sahrif" disclosed internal documents from ADT spanning from 2020 to 2023. It remains unclear whether the recent breach by "netnsher" involved data from this earlier leak or was obtained through a different method. The impact of this ADT data breach is considerable, given that ADT Inc. is a major player in the security industry with a revenue of approximately $5 billion. The exposed records contain sensitive information that could potentially lead to identity theft or phishing attacks if misused. The Cyber Express has contacted ADT Inc. for comments on this incident. In their response, ADT confirmed their awareness of the incident and stated, "ADT is aware of this claim, and it is under investigation." The company is currently evaluating the full extent of the breach and its implications for affected customers. Previous Cyberattacks Linked to netnsher This ADT breach follows a series of similar incidents involving the threat actor "netnsher." On April 26, 2024, this TA was linked to another data breach claim involving Kernel Finance, an Indian GST billing solution, which allegedly exposed over 7,000 bank account numbers and other sensitive data. On the same day, "netnsher" also leaked critical access tokens and files from the Law Firm Banking Trustnota, further highlighting their capabilities and the potential risks posed by their activities, reported by Constella Intelligence.  The threat actor also claimed a cyberattack on RestoreCord last month, selling 840k lines of RestoreCord database, including DiscordID, Discord Name, IP address, and dates. As for the ADT data breach, this is an ongoing story and The Cyber Express will provide updates and further details as they become available. The situation remains fluid, and both ADT and affected customers should remain vigilant in the face of potential misuse of the exposed information. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

image for What is an adversary ...

 Business

The increasing use of both multi-factor authentication (MFA) and cloud services in organizations has forced cybercriminals to update their tools and tactics. On the one hand, they no longer need to penetrate a companys internal network or use malware to steal information and conduct fraudulent schemes. Its enough to   show more ...

gain access to cloud services — such as Microsoft 365 email or MOVEit file storage — through legitimate accounts. On the other hand, stolen or brute-forced credentials are no longer sufficient — MFA must be somehow bypassed. A recent large-scale series of cyberattacks on major organizations, which affected over 40,000 victims, shows that attackers have adapted to the new reality. Theyre using targeted phishing techniques and adversary-in-the-middle tools on a broad scale to target companies. What is adversary-in-the-middle An adversary-in-the-middle (AitM) attack is a variation of the well-known man-in-the-middle attack: the attacker gets access to the communications between legitimate parties (client and server), intercepts client requests, forwards them to the server, and then intercepts the server responses and forwards those to the client. What makes an AitM special is that the attacker doesnt just eavesdrop on communications, but actively interferes with them — modifying the messages to their advantage. Advanced AitM attacks may involve compromising the organizations ISP or Wi-Fi network. Attackers then manipulate network protocols (ARP poisoning, DNS spoofing) and display fake web pages or files when the user accesses legitimate resources. But in the case of spearphishing, such tricks are unnecessary. Its enough to lure the user to a malicious web server, which will simultaneously communicate with both the victim and the legitimate cloud-service servers using a reverse proxy. The attack generally goes like this: The user receives a phishing message and clicks the link. Through a chain of masking redirects, the users browser opens a page of a malicious site that looks like the cloud services login portal. To display this page, the attackers reverse-proxy contacts the legitimate server and transfers the entire login-page content to the users browser, making any changes necessary for the attackers. The user sees the familiar interface and enters their username and password. The malicious server relays the username and password to the legitimate server, imitating the users login. The username and password are also stored in the attackers database. The legitimate server verifies the password and, if correct, requests a one-time code, which is sent to the user or generated in their app, as per the usual MFA procedure. The malicious server displays a page prompting the user to enter the one-time code. The user enters the one-time code from the authenticator app or text message. The malicious server sends the code to the legitimate server, which verifies it and, if correct, lets the user into the system. The legitimate server sends session cookies needed for normal system operation to the browser (which is actually the malicious server). The malicious server forwards the cookies to the attackers, who can then use them to imitate the browser of a user already logged into the system. The attackers dont need to enter passwords or MFA codes anymore — its all been done already! The malicious server redirects the user to another site or to the regular login page of the legitimate service. Additional features of modern AitM attacks Attackers have streamlined the basic attack scenario described above. There are ready-made phishing kits available — usually including reverse proxies like Evilginx or Muraena, which enable out-of-the-box attacks with templates for modifying login pages of popular cloud services and well-oiled MFA-code theft scripts. However, to successfully compromise large organizations, off-the-shelf attacks need to be tailored. Well-resourced attackers can target many organizations at once. In the attack mentioned above, about 500 large companies — all law firms — were targeted within three months. Each received a custom domain within the attackers infrastructure, so the victims (executives of these organizations) were directed to domains with familiar and correct names in the initial part of the URL. The arms race continues. For example, many companies and cloud services are transitioning to phishing-resistant MFA methods such as hardware USB tokens and passwordless logins (passkeys). These authentication methods are generally resistant to AitM attacks, but most cloud systems allow a backup-plan login using older verification methods such as paper envelope one-time codes or one-time codes delivered in text messages. This is intended for cases where the user loses or breaks the second factor physical device. Attackers can exploit this feature: the malicious server shows the victim modified authentication pages of the legitimate server, erasing the more reliable authentication methods. This type of attack has been named Passkey Redaction. How to protect against AitM attacks Protection against spearphishing attacks aimed at gaining access to cloud accounts requires coordinated measures from corporate security services, cloud providers, and the users themselves: Use phishing-resistant MFA tools such as hardware USB tokens. Ideally, these should be used by all employees, but at the very least by management and those responsible for critical business operations and IT. Work with SSO solution providers and cloud services to disable backup-plan authentication methods and take technical measures to make it difficult to steal authentication-token cookies. Educate employees to pay attention to changes in login pages and avoid entering credentials if authentication disappears unexpectedly, or the site name seems unfamiliar. Regularly conduct cybersecurity training tailored to employees responsibilities and experience. Explore and properly configure the cloud providers security tools. Ensure that employee activity logging is sufficiently detailed and that the security team receives these logs promptly. Ideally, they should go directly to the SIEM system. Ensure that all computers and smartphones used to access corporate accounts have an EDR agent Install a reliable protective solution with antiphishing capabilities on the corporate email server.

image for Transatlantic Cable ...

 News

Episode 358 of the Transatlantic Cable Podcast kicks off with news of American Cybersecurity firm KnowBe4 getting duped by a North Korean hacker who successfully when through their HR checks and secured employment!  Deepfake bullying being used by children on Snapchat.  X/Twitters AI bot Grok is now reading your   show more ...

tweets, however there is a fix and we show you how to protect yourself.  We close out the episode with news of a data breach at HealthEquity affecting 4.3 million people. If you liked what you heard, please consider subscribing. North Korean hacker gets employed at US Cybersecurity firm Deepfake bullying Grok AI reading public tweets HealthEquity data breach

image for U.S. Trades Cybercri ...

 Ne'er-Do-Well News

Twenty-four prisoners were freed today in an international prisoner swap between Russia and Western countries. Among the eight Russians repatriated were several convicted cybercriminals. In return, Russia has reportedly released 16 prisoners, including Wall Street Journal reporter Evan Gershkovich and ex-U.S. Marine   show more ...

Paul Whelan. AMong those in the prisoner swap is Roman Seleznev, 40, who was sentenced in 2017 to 27 years in prison for racketeering convictions tied to a lengthy career in stealing and selling payment card data. Seleznev earned this then-record sentence by operating some of the underground’s most bustling marketplaces for stolen card data. Roman Seleznev, pictured with bundles of cash. Image: US DOJ. Once known by the hacker handles “Track2,” “Bulba” and “nCux,” Seleznev is the son of Valery Seleznev, a prominent member of the Russian parliament who is considered an ally of Vladimir Putin. U.S. prosecutors showed that for years Seleznev stayed a step ahead of the law by tapping into contacts at the Russian FSB, the successor agency to the Soviet KGB, and by periodically changing hacker handles. But in 2014 Seleznev was captured by U.S. Secret Service agents, who had zeroed in on Seleznev’s posh vacation spot in The Maldives. At the time, the South Asian island country was a popular destination for Eastern Europe-based cybercriminals, who viewed it as beyond the reach of U.S. law enforcement. In addition to receiving a record prison sentence, Seleznev was ordered to pay more than $50 million in restitution to his victims. That loss amount equaled the total losses inflicted by Seleznev’s various carding stores, and other thefts attributed to members of the hacking forum carder[.]su, a bustling cybercrime community of which Seleznev was a leading organizer. Also released in the prisoner swap was Vladislav Klyushin, a 42-year-old Muscovite sentenced in September 2023 to nine years in prison for what U.S. prosecutors called a “$93 million hack-to-trade conspiracy.” Klyushin and his crew hacked into companies and used information stolen in those intrusions to make illegal stock trades. Klyushin likewise was arrested while vacationing abroad: The Associated Press reported that Klyushin was captured in Switzerland after arriving on a private jet, and just before he and his party were about to board a helicopter to whisk them to a nearby ski resort. A passport photo of Klyushin. Image: USDOJ. Klyushin is the owner of M-13, a Russian technology company that contracts with the Russian government. According to prosecutors, M-13 offered penetration testing and “advanced persistent threat (APT) emulation.” As part of his guilty plea, Klyushin was also ordered to forfeit $34 million, and to pay restitution in an amount that was to be determined. The U.S. government says four of Klyushin’s alleged co-conspirators remain at large, including Ivan Ermakov, who was among 12 Russians charged in 2018 with hacking into key Democratic Party email accounts. Among the Americans freed by Russia were Wall Street Journal reporter Evan Gershkovich, 32, who has spent the last 16 months in a Russian prison on spying charges. Also released was Alsu Kurmasheva, 47, a Russian American editor for Radio Free Europe/Radio Liberty who was arrested last year; and Paul Whelan, 54, a former U.S. Marine arrested in 2018 and accused of spying. The New York Times reports several others freed by Russia were German nationals, including German Moyzhes, a lawyer who was helping Russians obtain residence permits in Germany and other E.U. countries. The Times says Slovenia, Norway and Poland released four people accused of being Russian spies. Reuters reports that Germany released Vadim Krasikov, an FSB colonel serving a life sentence there for murdering an exiled Chechen-Georgian dissident in a Berlin park. Update, 8:47 p.m. ET:An earlier version of this story incorrectly reported that one of the Russian hackers released was the BTC-e co-founder Alexander Vinnik. KrebsOnSecurity was unable to confirm his release. The above story has been edited to reflect that change.

 Malware and Vulnerabilities

The FortiGuard Labs team has discovered a malicious PyPI package that poses a significant risk to individuals and institutions by potentially leaking credentials and sensitive information.

 Malware and Vulnerabilities

A security audit sponsored by the Open Tech Fund in August 2023 revealed 25 vulnerabilities in Homebrew. The audit found issues that could have allowed attackers to execute code, modify builds, control CI/CD workflows, and access sensitive data.

 Expert Blogs and Opinion

Access to timely and accurate threat intelligence is essential for organizations, but it can be overwhelming to navigate the vast amount of available data and feeds. Balancing comprehensive information with relevance is crucial.

 Security Products & Services

Google Chrome has implemented app-bound encryption to enhance cookie protection on Windows and defend against infostealer malware. This new feature encrypts data tied to app identity, similar to macOS's Keychain, to prevent unauthorized access.

 Feed

Zeek is a powerful network analysis framework that is much different from the typical IDS you may know. While focusing on network security monitoring, Zeek provides a comprehensive platform for more general network traffic analysis as well. Well grounded in more than 15 years of research, Zeek has successfully bridged   show more ...

the traditional gap between academia and operations since its inception. Today, it is relied upon operationally in particular by many scientific environments for securing their cyber-infrastructure. Zeek's user community includes major universities, research labs, supercomputing centers, and open-science communities. This is the source code release.

 Feed

Ubuntu Security Notice 6942-1 - It was discovered that Gross incorrectly handled memory when composing log entries. An attacker could possibly use this issue to cause Gross to crash, resulting in a denial of service, or possibly execute arbitrary code.

 Feed

Ubuntu Security Notice 6943-1 - It was discovered that Tomcat incorrectly handled certain uncommon PersistenceManager with FileStore configurations. A remote attacker could possibly use this issue to execute arbitrary code. This issue only affected tomcat8 for Ubuntu 18.04 LTS It was discovered that Tomcat incorrectly   show more ...

handled certain HTTP/2 connection requests. A remote attacker could use this issue to obtain wrong responses possibly containing sensitive information. This issue only affected tomcat8 for Ubuntu 18.04 LTS

 Feed

This is the official vulnerability disclosure report for CVEs CVE-2024-38881 through CVE-2024-38891 by jTag Labs. This report details critical security vulnerabilities found within Caterease Software, a product of Horizon Business Services Inc. These vulnerabilities have significant implications for the   show more ...

confidentiality, integrity, and availability of the software and the sensitive data it handles. The issues include problems like remote SQL injection, command injection, authentication bypass, hard-coded credentials, and more.

 Feed

Ubuntu Security Notice 6909-2 - USN-6909-1 fixed several vulnerabilities in Bind. This update provides the corresponding update for Ubuntu 18.04 LTS. Toshifumi Sakaguchi discovered that Bind incorrectly handled having a very large number of RRs existing at the same time. A remote attacker could possibly use this issue to cause Bind to consume resources, leading to a denial of service.

 Feed

Ubuntu Security Notice 6926-2 - 黄思聪 discovered that the NFC Controller Interface implementation in the Linux kernel did not properly handle certain memory allocation failure conditions, leading to a null pointer dereference vulnerability. A local attacker could use this to cause a denial of service. It was   show more ...

discovered that a race condition existed in the Bluetooth subsystem in the Linux kernel when modifying certain settings values through debugfs. A privileged local attacker could use this to cause a denial of service.

 Feed

Red Hat Security Advisory 2024-4972-03 - An update is now available for Red Hat OpenShift GitOps v1.11.7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available for each   show more ...

vulnerability from the CVE link in the References section. Issues addressed include a denial of service vulnerability.

 Feed

Red Hat Security Advisory 2024-4971-03 - An update for emacs is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.

 Feed

Red Hat Security Advisory 2024-4970-03 - An update for kpatch-patch-4_18_0-305_120_1 is now available for Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Issues addressed include a privilege escalation vulnerability.

 Feed

Red Hat Security Advisory 2024-4858-03 - Red Hat OpenShift Container Platform release 4.16.5 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include deserialization and memory exhaustion vulnerabilities.

 Feed

Red Hat Security Advisory 2024-4848-03 - Red Hat OpenShift Container Platform release 4.13.46 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include deserialization and memory exhaustion vulnerabilities.

 Feed

Red Hat Security Advisory 2024-4846-03 - Red Hat OpenShift Container Platform release 4.13.46 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.

 Feed

Ubuntu Security Notice 6922-2 - It was discovered that a race condition existed in the Bluetooth subsystem in the Linux kernel when modifying certain settings values through debugfs. A privileged local attacker could use this to cause a denial of service. Chenyuan Yang discovered that the Unsorted Block Images flash   show more ...

device volume management subsystem did not properly validate logical eraseblock sizes in certain situations. An attacker could possibly use this to cause a denial of service.

 Feed

In a historic prisoner exchange between Belarus, Germany, Norway, Russia, Slovenia, and the U.S., two Russian nationals serving time for cybercrime activities have been freed and repatriated to their country. This includes Roman Valerevich Seleznev and Vladislav Klyushin, who are part of a group of eight people who have been swapped back to Russia in exchange for the release of 16 people who

 Feed

Cybersecurity companies are warning about an uptick in the abuse of Clouflare's TryCloudflare free service for malware delivery. The activity, documented by both eSentire and Proofpoint, entails the use of TryCloudflare to create a one-time tunnel that acts as a conduit to relay traffic from an attacker-controlled server to a local machine through Cloudflare's infrastructure. Attack chains

 Feed

In today's digital battlefield, small and medium businesses (SMBs) face the same cyber threats as large corporations, but with fewer resources. Managed service providers (MSPs) are struggling to keep up with the demand for protection. If your current cybersecurity strategy feels like a house of cards – a complex, costly mess of different vendors and tools – it's time for a change. Introducing

 Feed

Enterprise Resource Planning (ERP) Software is at the heart of many enterprising supporting human resources, accounting, shipping, and manufacturing. These systems can become very complex and difficult to maintain. They are often highly customized, which can make patching difficult. However, critical vulnerabilities keep affecting these systems and put critical business data at risk.  The

 Feed

Cybersecurity researchers have discovered a previously undocumented Windows backdoor that leverages a built-in feature called Background Intelligent Transfer Service (BITS) as a command-and-control (C2) mechanism. The newly identified malware strain has been codenamed BITSLOTH by Elastic Security Labs, which made the discovery on June 25, 2024, in connection with a cyber attack targeting an

 Feed

A Taiwanese government-affiliated research institute that specializes in computing and associated technologies was breached by nation-state threat actors with ties to China, according to new findings from Cisco Talos. The unnamed organization was targeted as early as mid-July 2023 to deliver a variety of backdoors and post-compromise tools like ShadowPad and Cobalt Strike. It has been attributed

 Feed

A Russia-linked threat actor has been linked to a new campaign that employed a car for sale as a phishing lure to deliver a modular Windows backdoor called HeadLace. "The campaign likely targeted diplomats and began as early as March 2024," Palo Alto Networks Unit 42 said in a report published today, attributing it with medium to high level of confidence to APT28, which is also referred to as

2024-08
Aggregator history
Friday, August 02
THU
FRI
SAT
SUN
MON
TUE
WED
AugustSeptemberOctober