The Ministry of Education (MOE) of Singapore announced on August 5 the removal of the Mobile Guardian app from all personal learning devices of students. The decision follows a Mobile Guardian data breach that affected 13,000 students across 26 secondary schools in Singapore. The breach, which occurred on August 4, involved unauthorized access to Mobile Guardian's platform and resulted in the remote wiping of affected students' devices. The Mobile Guardian app, used primarily by parents to manage and restrict their children's screen time and access to specific websites and applications, had its security compromised on a global scale.

Mobile Guardian Data Breach: An Overview

Late on the night of August 4, schools alerted MOE Singapore that students using iPads or Chromebooks as personal learning devices were experiencing significant disruptions. Students reported being unable to access applications and information stored on their devices. Immediate investigations by Mobile Guardian revealed unauthorized access to its platform, affecting customers worldwide, including those in Singapore. Preliminary checks, however, indicated that the perpetrator did not access user files.

This data breach is distinct from a technical glitch that affected over 1,000 students from at least five secondary schools at the end of July. "Mobile Guardian's investigations have revealed that the July incident, which led to some students across numerous schools experiencing issues connecting to the Internet and/or receiving error messages, was due to a human error in configuration by Mobile Guardian," MOE said. That issue, which began around July 30, saw students encountering problems such as being unable to turn their iPads on or off or to connect to Wi-Fi, or receiving error messages stating "Guided Access app unavailable".

MOE's Response

In response to the breach, MOE has decided to remove the Mobile Guardian app from all iPads and Chromebooks as a precautionary measure. "As a precautionary measure, MOE will remove the Mobile Guardian Device Management Application from all iPads and Chromebooks," reads MOE's official release. Efforts are currently underway to safely restore these devices for normal use.

The Ministry is also exploring other measures to regulate device usage to ensure continuous support for students' learning needs during this period. "We understand that students are naturally concerned and anxious about the incident," MOE stated. To address these concerns, the Ministry is collaborating with schools to support affected students by deploying additional IT roving teams and providing supplementary learning resources. The Cyber Express team has reached out to both MOE and Mobile Guardian for further updates on the situation but has not yet received a response. Meanwhile, MOE continues to prioritize the restoration of normalcy for the affected students. By removing the compromised app and enhancing support measures, the Ministry aims to mitigate the impact of the Mobile Guardian data breach and prevent future incidents.
Electronics manufacturing services firm Keytronic has revealed that a recent ransomware attack resulted in additional expenses and lost revenue totaling over $15 million. The financial impact of the Keytronic cyberattack was disclosed in a preliminary U.S. Securities and Exchange Commission (SEC) financial report for the fourth quarter of fiscal 2024.

"Due to this event, the Company incurred approximately $2.3 million of additional expenses and believes that it lost approximately $15 million of revenue during the fourth quarter. Most of these orders are recoverable and are expected to be fulfilled in fiscal year 2025. Partially offsetting these additional expenses was an insurance gain in the amount of $0.7 million that was also recorded during the quarter," reads the SEC financial report.

Financial Impact of the Keytronic Cyberattack

The ransomware attack, detected on May 6, 2024, significantly disrupted Keytronic's operations at its Mexico and U.S. sites. The company's financial report details the impact on its bottom line:

- Additional Expenses: Keytronic incurred approximately $2.3 million in additional expenses due to the attack. These costs included deploying new IT infrastructure and engaging cybersecurity experts to mitigate the incident.
- Lost Revenue: The company estimates a loss of around $15 million in revenue during the fourth quarter. Despite this setback, most of these orders are expected to be recoverable and fulfilled in fiscal year 2025.
- Insurance Gain: Partially offsetting these expenses was an insurance gain of $0.7 million recorded during the quarter.

As a result of these disruptions, Keytronic anticipates reporting approximately $125 million in revenue for the fourth quarter of fiscal 2024, with a net loss of around $0.00 per share, both falling short of previous guidance.

Operational Resumption and Future Outlook

Keytronic remains optimistic about its recovery and future performance. Production has resumed across its facilities, and the company is beginning to see operational efficiencies from headcount reductions announced in the third quarter of fiscal 2024. Additionally, a weakening of the Mexican peso against the US dollar by approximately 10% in June is expected to have a favorable effect on the company's financial performance.

For the first quarter of fiscal year 2025, Keytronic projects:

- Revenue: Between $140 million and $150 million.
- Earnings: Between $0.10 and $0.20 per diluted share.

"For the first quarter of 2025, the Company expects to report revenue in the range of $140 million to $150 million and earnings in the range of $0.10 to $0.20 per diluted share," reads the filing. These estimates reflect a positive outlook as the company recovers from the ransomware attack and capitalizes on new programs while aligning inventories with current revenue levels.

Keytronic Cyber Incident Details and Response

The Keytronic cybersecurity incident on May 6, 2024, caused substantial disruptions, limiting access to business applications essential for operations and corporate functions, including financial and operating reporting systems.

Keytronic is a leading contract manufacturer providing value-added design and manufacturing services from its facilities in the United States, Mexico, China, and Vietnam. The company offers a comprehensive range of services, including full engineering support, materials management, manufacturing, assembly, in-house testing, and worldwide distribution. Keytronic's clientele includes some of the world's leading original equipment manufacturers.

Despite these challenges, Keytronic ensured continued wage payments in accordance with statutory requirements. The company swiftly deployed new IT infrastructure and engaged cybersecurity experts to remediate the incident.

Looking Ahead

The revenue and earnings estimates for the fourth quarter of fiscal 2024 and the first quarter of fiscal 2025, along with the finalization of financial results for the fourth quarter of 2024, are subject to the completion of the company's ongoing quarterly close and review procedures. Keytronic plans to report its complete results and host its earnings conference call for the fourth quarter of fiscal 2024 on August 13, 2024.

While the financial impact has been significant, Keytronic's swift response and strategic adjustments position the company for a strong recovery.
The Apache InLong project, a widely used data integration framework designed for managing large-scale data streams, has issued an urgent security advisory regarding a critical vulnerability in its TubeMQ component. The flaw, tracked as CVE-2024-36268, allows remote attackers to execute arbitrary code on affected systems, potentially compromising the entire InLong infrastructure.

Understanding the Vulnerability: CVE-2024-36268

The vulnerability is located in the TubeMQ Client, the part of the InLong framework that enables communication with the TubeMQ message queue system. This component is essential for the smooth and secure transmission of data within the framework. The identified flaw permits code injection, which could be exploited by malicious actors to gain unauthorized control over the system. This could lead to severe breaches of data integrity and confidentiality, impacting the sensitive information processed through InLong.

While the InLong development team has labeled CVE-2024-36268 as "Important," a more alarming assessment comes from GitHub's Common Vulnerability Scoring System (CVSSv3.1) entry, which assigns it a base score of 9.8. This rating categorizes the flaw as "Critical," emphasizing the urgent need for remediation. The high CVSS score reflects the potential for widespread exploitation and the severe consequences that could follow.

The widespread deployment of Apache InLong across diverse sectors, including finance, healthcare, and e-commerce, means that the impact of this vulnerability could be extensive. These industries rely on the robust handling of data streams provided by InLong, and any compromise could disrupt operations, lead to data breaches, and erode trust in data security measures.

Mitigation Measures and Recommendations

In response to this critical vulnerability, the InLong team has released version 1.13.0 of the framework, which addresses the identified security flaw. Users of Apache InLong are strongly urged to upgrade to this version without delay to protect their systems from potential exploitation.

The upgrade process involves replacing the current installation with version 1.13.0, ensuring that all components are updated to incorporate the security fixes. For users who are unable to upgrade immediately, the InLong project has also provided a patch that can be applied directly to the source code. This interim measure allows organizations to mitigate the risk while planning and executing the full upgrade to version 1.13.0.

Steps to Upgrade or Patch

1. Backup Current Installation: Before making any changes, ensure that you have a complete backup of your current InLong installation to prevent data loss or service disruption.
2. Download Version 1.13.0: Access the official Apache InLong repository to download the latest version.
3. Apply the Patch (if needed): For those who cannot upgrade immediately, follow the provided instructions to apply the patch directly to your current source code.
4. Test the Update: After upgrading or patching, thoroughly test your InLong setup to ensure that all functionality works as expected and that the vulnerability has been addressed.
5. Monitor for Updates: Stay informed about any further updates or advisories from the Apache InLong team.

Industry-Wide Implications

Given the critical nature of CVE-2024-36268 and the reliance on Apache InLong across various industries, the urgency for immediate action cannot be overstated. Organizations in sectors such as finance, healthcare, and e-commerce, where data integrity and confidentiality are paramount, must prioritize patching efforts. The potential for remote code execution attacks poses a substantial threat, and mitigating this risk is essential for maintaining secure data operations.
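The first practical question after an advisory like this is whether any deployment or build still pins the affected component. The Python below, an added example that is not part of the advisory or the Apache InLong project, audits a Maven pom.xml for InLong dependencies and flags any pinned below 1.13.0, resolving ${property} versions from the POM's properties block. The fix threshold of 1.13.0 comes from the advisory; the Maven groupId org.apache.inlong is assumed from the project's published artifacts, and the artifactIds in the constructed sample POM are illustrative rather than an exact inventory of InLong modules. Versions are compared numerically, because a string comparison would wrongly rank 1.9.x above 1.13.0.

```python
import re
import xml.etree.ElementTree as ET

# First InLong release that addresses CVE-2024-36268, per the advisory.
FIXED_VERSION = (1, 13, 0)
# Maven groupId of the Apache InLong artifacts (assumption: not stated on the page).
INLONG_GROUP_ID = "org.apache.inlong"


def local_name(tag):
    """Strip the XML namespace a Maven POM declares, so tags compare by local name."""
    return tag.rsplit("}", 1)[-1]


def parse_version(text):
    """Turn '1.12.0' or '1.13.0-SNAPSHOT' into a comparable (major, minor, patch) tuple.
    Qualifiers after '-' are dropped, so a 1.13.0 snapshot counts as 1.13.0."""
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    nums = [int(p) for p in parts] + [0, 0, 0]
    return tuple(nums[:3])


def is_vulnerable(version):
    """True when the version predates the 1.13.0 fix."""
    return parse_version(version) < FIXED_VERSION


def child_text(element, name):
    """Text of the first direct child whose local tag name matches, or None."""
    for child in element:
        if local_name(child.tag) == name:
            return (child.text or "").strip()
    return None


def find_inlong_dependencies(pom_xml):
    """Return (artifactId, resolved version) for every org.apache.inlong dependency.
    Versions written as ${property} are resolved from the POM's <properties> block."""
    root = ET.fromstring(pom_xml)
    properties = {}
    for element in root.iter():
        if local_name(element.tag) == "properties":
            for prop in element:
                properties[local_name(prop.tag)] = (prop.text or "").strip()
    found = []
    for element in root.iter():
        if local_name(element.tag) != "dependency":
            continue
        if child_text(element, "groupId") != INLONG_GROUP_ID:
            continue
        artifact = child_text(element, "artifactId")
        version = child_text(element, "version") or ""
        match = re.fullmatch(r"\$\{([^}]+)\}", version)
        if match:
            version = properties.get(match.group(1), version)
        found.append((artifact, version))
    return found


def audit_pom(pom_xml):
    """List InLong dependencies that still need the 1.13.0 upgrade (or the interim patch).
    A version that is missing or still unresolved is reported too, so it gets checked by hand."""
    flagged = []
    for artifact, version in find_inlong_dependencies(pom_xml):
        if not version or version.startswith("${"):
            flagged.append((artifact, f"unresolved: {version or 'missing'}"))
        elif is_vulnerable(version):
            flagged.append((artifact, version))
    return flagged


# Constructed sample POM (not from any real project); artifactIds are illustrative.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <inlong.version>1.13.0</inlong.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.inlong</groupId>
      <artifactId>tubemq-client</artifactId>
      <version>1.12.0</version>
    </dependency>
    <dependency>
      <groupId>org.apache.inlong</groupId>
      <artifactId>inlong-sdk</artifactId>
      <version>${inlong.version}</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>unrelated</artifactId>
      <version>0.1.0</version>
    </dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for artifact, version in audit_pom(SAMPLE_POM):
        print(f"UPGRADE NEEDED: {artifact} {version}")
```

Run it against each service's POM as step 4 of the procedure above, before and after the upgrade: a clean run after the change confirms that no module was left on an older line. Versions inherited from a parent POM or a BOM show up as "missing" and have to be resolved from that parent.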
British regulators are demanding that 11 social media and video-sharing platforms bolster their protections for children's privacy. The move follows a comprehensive review of 34 platforms that revealed widespread shortcomings in safeguarding young users. The Information Commissioner's Office (ICO) in the UK is stepping up enforcement against companies that fail to comply with the Children's Code, a regulatory framework designed to protect minors online. Eleven platforms are facing scrutiny over default privacy settings, geolocation data, and age verification measures.

Children's Privacy Paramount

"Online services catering to children must prioritize privacy," said Deputy Commissioner Emily Keaney. "We won't tolerate companies that put young people at risk of harm."

"There is no excuse for online services likely to be accessed by children to have poor privacy practices. Where organisations fail to protect children's personal information, we will step in and take action." - Emily Keaney, deputy information commissioner

The regulator is also investigating targeted advertising practices aimed at children, seeking to align industry behavior with both the Children's Code and broader data protection laws.

In a bid to gain deeper insights into how social media affects children's privacy, the office is launching a call for evidence. It focuses on two areas:

- How children's personal information is currently being used in recommender systems (algorithms that use people's details to learn their interests and preferences in order to deliver content to them); and
- Recent developments in the use of age assurance to identify children under 13 years old.

Researchers, industry stakeholders, and civil society organizations are encouraged to contribute their expertise on recommender systems and age assurance technologies. The findings from this research will inform future regulatory actions to strengthen child protections.

The tech industry has undergone significant changes in response to the Children's Code, but the regulator emphasizes the ongoing need for vigilance. "Our world-leading Children's Code has made a tangible difference in protecting children from targeted advertising," Keaney added. "But we must continue to push for improvements to ensure a safer online environment for young people."

The ICO did not immediately respond to The Cyber Express' questions about which 11 platforms are involved, how much time they have to respond to the notice, and whether they would be fined if repeatedly found guilty of breaches.

The latest warning to social media and video-streaming platforms follows the ICO's £12.7 million fine against TikTok last year for multiple breaches of data protection laws, including allowing over one million children under 13 to use its platform without parental consent in 2020, contrary to its own terms of service at the time. The U.S. has also taken children's privacy seriously and reprimanded Meta for misleading parents about its children's data privacy practices. However, Meta vowed to fight the allegations "vigorously," deeming them a "political stunt."
The first week of August may be a slow time for much of the world, but for cybersecurity researchers it means that vulnerability news is about to ramp up thanks to the annual Black Hat USA security conference. This year will be no exception. The Black Hat USA 2024 briefings and keynotes that begin on Wednesday will discuss (and in many cases reveal) vulnerabilities across the IT and technology spectrum, with sessions focusing on bugs and exploits in cloud services, hardware, security tools, quantum computing, AI and LLMs, software, firmware, virtualization, programming languages, developer tools, EV chargers, 5G, browsers, Apple and Android mobile devices, and, of course, lots of research into Microsoft Windows vulnerabilities. The good news is that there are also a handful of sessions on promising cybersecurity defenses, so it's not all doom and gloom. Here are 15 Black Hat sessions that IT security pros will want to keep an eye on.

Cloud Service Providers Under Scrutiny at Black Hat

Cloud service providers have a reputation for having some of the best security available (provided users follow proper configuration procedures when connecting to the services). A good cloud security reputation is important for attracting business, of course, and so the biggest providers typically have security controls that a smaller organization might not be able to match; Google, for example, has said it patches as much as 10 times a day in a near-continuous process of plugging security holes. But part of that reputation for good security may also come from the services' willingness to work with security researchers in bug bounty programs.

AWS, Google Cloud Platform (GCP) and Azure will all get some attention at this year's Black Hat conference, and a common theme is that the vulnerabilities have largely been fixed. Aqua Security researchers will detail six critical vulnerabilities in AWS, "all promptly acknowledged and fixed by AWS," that could have led to full account takeover, sensitive data exposure, denial of service and privilege escalation. The researchers will detail how they discovered the vulnerabilities, identified commonalities among them, and "how we developed a method to uncover more vulnerabilities and enhance the impact by using common techniques leading to privilege escalation." They also plan to release an open-source tool to research service internal API calls.

Nick Frichette of Datadog will also detail AWS vulnerabilities that have been fixed in access control and authentication, a common source of cloud breaches.

Liv Matan of Tenable will discuss GCP vulnerabilities, and how "Cloud security is so complex that even cloud providers get it wrong sometimes." Matan's abstract notes that "one simple faulty command argument by Google Cloud Platform (GCP) was enough to enable us to find a critical RCE vulnerability (dubbed 'CloudImposer') in GCP customers' workloads and Google's internal production servers, affecting millions of cloud servers." He'll also reveal a GCP privilege escalation vulnerability, discuss cloud supply chain vulnerabilities, and unveil a tool "to find the hidden APIs that are called by the cloud provider when performing an action."

Azure and Microsoft 365 will get some attention from security researchers too. Eric Woodruff of Semperis will discuss "a novel discovery that resulted in privilege escalation to Global Administrator in Entra ID (Azure AD)."

Other intriguing sessions will look at security weaknesses in deep reinforcement learning agents and quantum computers, OpenVPN vulnerabilities, Microsoft Copilot exploits, a Chrome V8 Sandbox escape technique, a web application firewall evasion technique, immutable backup attacks, and a Windows downgrade attack using Windows Update.

Security Defenses Get Attention at Black Hat Too

Fortunately, Black Hat won't be all bad news; cybersecurity defenses will get some attention too. In the most intriguing defensive security session, 29 researchers will discuss their successes in applying reinforcement learning to automate cyber defenses. Other promising defensive sessions include a technique for detecting and stopping zero-day exploits in the Linux kernel, Microsoft researchers discussing ways security teams can use LLMs, and NVIDIA Principal Security Architect for AI and ML Richard Harang presenting AI security lessons learned from NVIDIA's AI Red Team.

We've presented 15 intriguing Black Hat sessions here, but there are many more than that, and you may find others that better fit your own needs and interests.
Popular two-factor authentication (2FA) app Authy has discontinued its desktop application and will now be available exclusively on mobile devices. In January 2024, Authy's parent company Twilio announced that the Authy desktop apps for Windows, macOS, and Linux would be shut down on March 19, 2024, and would ultimately be discontinued in August.

Two-factor authentication (2FA) has become an essential security measure for online accounts, adding an extra layer of protection against unauthorized access. While Twilio didn't publicly disclose the specific reasons behind the decision to shut down its Authy desktop app, its update suggested that its mobile apps "offer similar or better features for securely storing your authenticator account tokens, and are fully supported and regularly updated."

Cyberattacks Behind Discontinuation of Authy Desktop App Service?

Twilio's decision to shut down its Authy desktop app could have followed a series of cyberattacks on Authy. Last month, a threat actor leaked sensitive information on 33 million phone numbers registered with Authy. Twilio then warned that cybercriminals could misuse the stolen phone numbers to carry out phishing attacks and other scams. In 2022, too, Twilio became the target of a sophisticated social-engineering phishing attack that compromised the accounts of several of its Authy users.

Impact on Users of Authy Desktop App

Despite the warning in March, users who continued to use Authy for desktop found that their 2FA accounts became unusable unless they had earlier synced them with a mobile device. Several users in the last two weeks complained that their tokens did not synchronize properly, making their associated accounts inaccessible. Twilio also forcibly logged users out of their Authy desktop accounts and did not allow them to log back in with their phone numbers.

Since users are facing synchronization issues, it is possible that they did not have the backup feature enabled, which ensures that a user's tokens automatically sync between devices. Twilio has also released a set of instructions for Android, iOS and Windows users, specifically on "Decrypt a 2FA account takeover". "Your 2FA secured account tokens can be deleted from Authy at any time. Once marked for deletion, a token will be completely removed from Authy in 48 hours. Users can undelete or recover this token before the 48 hours have elapsed, but afterwards it will be gone for good," Twilio warned its users.

Alternatives to Authy Desktop App

Users can look into several options when it comes to replacing the Authy desktop app:

- Mobile App: The most obvious alternative is Twilio's own Authy mobile app, available on iOS and Android. This option offers portability and convenience, allowing users to access their 2FA codes anywhere they have their phone.
- Authenticator Apps: Several other popular authenticator apps offer similar functionality to Authy. Some well-regarded options include Google Authenticator, Microsoft Authenticator, and LastPass Authenticator.
- Security Keys: For users seeking the highest level of security, hardware security keys offer a non-phone-based option. These physical devices require physical possession to generate 2FA codes, adding an extra layer of protection against unauthorized access, even if a phone is compromised.

Way Forward for 2FA Security Measures

The security landscape is constantly evolving, and developers may need to discontinue outdated or vulnerable applications. It's essential to stay informed about updates and be prepared to adapt. While the Authy mobile app offers a convenient alternative, users can explore other options or consider using a combination of methods to achieve the desired level of protection against cyberattacks.
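What the synchronization failures above come down to is that a TOTP "token" is nothing more than a shared secret plus the current time: any device holding the same secret produces the same codes, and a user whose secret exists only inside a retired app is locked out. The Python below is an added example, not code from Twilio or the Authy app, implementing RFC 4226 HOTP and RFC 6238 TOTP with the standard library, the base32 secret format that authenticator apps and security keys exchange, and the server-side check with a small drift window and constant-time comparison. The secret is the RFC 6238 reference value, used here as constructed demonstration data; the two-device comparison is a constructed illustration of why a backed-up secret survives an app being discontinued.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation, modulo 10^digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, digestmod).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret, at_time=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time in 30-second steps."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time // step), digits)


def secret_from_base32(encoded):
    """Decode the base32 secret an authenticator app carries (the otpauth:// URI 'secret' parameter),
    tolerating the spaces and missing '=' padding that setup screens commonly show."""
    cleaned = encoded.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def verify_code(secret, candidate, at_time=None, window=1, step=30, digits=6):
    """Server-side check: accept the code for the current step or up to `window` steps either side
    (clock drift), comparing in constant time so timing does not reveal how many digits matched."""
    if at_time is None:
        at_time = time.time()
    counter = int(at_time // step)
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return True
    return False


# Constructed demonstration secret: the RFC 6238 reference key, base32 of b"12345678901234567890".
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def same_secret_same_codes(at_time):
    """Two devices provisioned with the same secret produce identical codes. That is all 'syncing'
    a token between devices amounts to, and why an exported secret outlives any one app."""
    phone = secret_from_base32(RFC_SECRET_B32)
    desktop = secret_from_base32(RFC_SECRET_B32)
    return totp(phone, at_time) == totp(desktop, at_time)


if __name__ == "__main__":
    secret = secret_from_base32(RFC_SECRET_B32)
    print("code at t=59:", totp(secret, 59))  # RFC 6238 vector: 94287082, so 287082 at 6 digits
    print("accepted:", verify_code(secret, "287082", 59))
    print("devices agree:", same_secret_same_codes(59))
```

The practical takeaway for anyone migrating off a discontinued authenticator: keep the base32 secret (or the otpauth:// URI) for each account in an encrypted backup at enrolment time, because re-enrolling later requires access to the account itself. On the verifying side, keep the drift window small; every extra step widens the set of codes an attacker could guess.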
Spyware is a dangerous tool that can be used to selectively monitor specific victims. Often the victims are employees in a single company, or residents in a single country. The new mobile spyware, which we discovered and dubbed LianSpy, targets (for now) users of Android smartphones in Russia, but the unconventional approaches it employs could potentially be applied in other regions as well. How it works and how to guard against this new threat is the topic of this post.

What is LianSpy?

We discovered LianSpy in March 2024. However, our data indicates it's been active for at least three years, dating back to July 2021. How did LianSpy remain in the shadows for so long? The attackers meticulously cover their tracks. Upon launch, the malware hides its icon on the home screen and operates in the background using root privileges. This allows it to bypass Android status bar notifications, which would typically alert the victim that the smartphone is actively using the camera or microphone.

LianSpy disguises itself as system applications and financial services. Interestingly, the attackers aren't interested in the victim's banking data. This spyware silently and discreetly monitors user activity by intercepting call logs, sending a list of installed applications to the attackers' server, and recording the smartphone's screen, mainly during messenger activity.

How does LianSpy work?

Unlike other spyware that exploits zero-click vulnerabilities, LianSpy requires some actions on the part of the victim. Upon launching, the malware checks if it has the necessary permissions to read contacts and call logs, and to use overlays. If not, it requests them. That done, it registers an Android Broadcast Receiver to get information about system events, enabling it to start or stop various malicious tasks.

LianSpy uses root privileges in a rather unconventional way. Typically, they're used to gain complete control over the device. However, in the case of LianSpy, the attackers make use of only a small part of the functionality available to superusers. Interestingly, root privileges are used so as to prevent their detection by security solutions.

LianSpy is a post-exploitation Trojan, meaning that the attackers either exploited vulnerabilities to root Android devices, or modified the firmware by gaining physical access to victims' devices. It remains unclear which vulnerability the attackers might have exploited in the former scenario.

Another feature of LianSpy is its combined use of symmetric (one key for both encrypting and decrypting information) and asymmetric (separate public and private keys) encryption. Before being stolen, the data is encrypted with a symmetric algorithm, the key for which is encrypted asymmetrically. Only the attacker possesses the private key. For more details about LianSpy functionality, see our Securelist post.

Who's behind LianSpy?

Good question. The attackers only utilize public services, not private infrastructure, which makes it difficult to definitively determine which hacker group is behind these attacks on Android smartphone users in Russia. The paymaster's identity is also not known, but, as global practice shows, such sophisticated cyberespionage campaigns are often instigated by groups affiliated with a nation-state actor.

How to guard against spyware surveillance?

- Download apps only from official stores and catalogs, but keep in mind that spyware can infiltrate even those.
- Update your operating system regularly; not all malware can adapt to new security features.
- Use well-known apps from trusted developers. Avoid alternative clients for instant messengers and other services, as they may contain malicious code (read more about spyware mods for WhatsApp, Telegram and Signal).
- Use Kaspersky: Antivirus & VPN to detect spyware such as LianSpy in a timely manner. If you still don't have reliable protection, use TinyCheck, a spyware detection tool.
- Only grant applications the permissions they need to function.
A ransomware group called Dark Angels made headlines this past week when it was revealed the crime group recently received a record $75 million data ransom payment from a Fortune 50 company. Security experts say the Dark Angels have been around since 2021, but the group doesn't get much press because they work alone and maintain a low profile, picking one target at a time and favoring mass data theft over disrupting the victim's operations.

Security firm Zscaler ThreatLabz this month ranked Dark Angels as the top ransomware threat for 2024, noting that in early 2024 a victim paid the ransomware group $75 million, higher than any previously recorded ransom payment. ThreatLabz found Dark Angels has conducted some of the largest ransomware attacks to date, and yet little is known about the group.

Brett Stone-Gross, senior director of threat intelligence at ThreatLabz, said Dark Angels operate using an entirely different playbook than most other ransomware groups. For starters, he said, Dark Angels does not employ the typical ransomware affiliate model, which relies on hackers-for-hire to install malicious software that locks up infected systems.

"They really don't want to be in the headlines or cause business disruptions," Stone-Gross said. "They're about making money and attracting as little attention as possible."

Most ransomware groups maintain flashy victim leak sites which threaten to publish the target's stolen data unless a ransom demand is paid. But the Dark Angels didn't even have a victim shaming site until April 2023. And the leak site isn't particularly well branded; it's called Dunghill Leak.

[Image: The Dark Angels victim shaming site, Dunghill Leak.]

"Nothing about them is flashy," Stone-Gross said. "For the longest time, they didn't even want to cause a big headline, but they probably felt compelled to create that leaks site because they wanted to show they were serious and that they were going to post victim data and make it accessible."

Dark Angels is thought to be a Russia-based cybercrime syndicate whose distinguishing characteristic is stealing truly staggering amounts of data from major companies across multiple sectors, including healthcare, finance, government and education. For large businesses, the group has exfiltrated between 10 and 100 terabytes of data, which can take days or weeks to transfer, ThreatLabz found.

Like most ransom gangs, Dark Angels will publish data stolen from victims who do not pay. Some of the more notable victims listed on Dunghill Leak include the global food distribution firm Sysco, which disclosed a ransomware attack in May 2023; and the travel booking giant Sabre, which was hit by the Dark Angels in September 2023.

Stone-Gross said Dark Angels is often reluctant to deploy ransomware malware because such attacks work by locking up the target's IT infrastructure, which typically causes the victim's business to grind to a halt for days, weeks or even months on end. And those types of breaches tend to make headlines quickly.

"They selectively choose whether they want to deploy ransomware or not," he said. "If they deem they can encrypt some files that won't cause major disruptions — but will give them a ton of data — that's what they'll do. But really, what separates them from the rest is the volume of data they're stealing. It's a whole order of magnitude greater with Dark Angels. Companies losing vast amounts of data will pay these high ransoms."

So who paid the record $75 million ransom? Bleeping Computer posited on July 30 that the victim was the pharmaceutical giant Cencora (formerly AmeriSourceBergen Corporation), which reported a data security incident to the U.S. Securities and Exchange Commission (SEC) on February 21, 2024. The SEC requires publicly-traded companies to disclose a potentially material cybersecurity event within four days of the incident. Cencora is currently #10 on the Fortune 500 list, generating more than $262 billion in revenue last year.

Cencora did not respond to questions about whether it had made a ransom payment in connection with the February cybersecurity incident, and referred KrebsOnSecurity to expenses listed under "Other" in the restructuring section of its latest quarterly financial report (PDF). That report states that the majority of the $30 million cost in "Other" was associated with the breach. Cencora's quarterly statement said the incident affected a standalone legacy information technology platform in one country and the foreign business unit's ability to operate in that country for approximately two weeks.

[Image: Cencora's 2024 1st quarter report documents a $30 million cost associated with a data exfiltration event in mid-February 2024.]

In its most recent State of Ransomware report (PDF), security firm Sophos found the average ransomware payment had increased fivefold in the past year, from $400,000 in 2023 to $2 million. Sophos says that in more than four-fifths (82%) of cases funding for the ransom came from multiple sources. Overall, 40% of total ransom funding came from the organizations themselves and 23% from insurance providers.

Further reading: ThreatLabz ransomware report (PDF).
Adopting a military mindset toward cybersecurity means the industry moves beyond the current network protection strategies and toward a data-centric security approach.
Ultimately, a more cyber-secure world requires a global governing body to regulate and campaign for cybersecurity, with consistent regulatory requirements in the various regions around the world.
Cybersecurity startup LeakSignal, a finalist in this year's Black Hat USA Startup Spotlight competition, helps organizations see where data is leaking within their environment.
The enterprise resource planning platform bug CVE-2024-38856 has a vulnerability-severity score of 9.8 out of 10 on the CVSS scale and offers a wide avenue into enterprise applications for cyberattackers.
Cybersecurity startup Knostic, a finalist in this year's Black Hat USA Startup Spotlight competition, adds guardrails to how AI uses enterprise data to ensure sensitive data does not get leaked.
The scheme, from the group also known as APT28, involves targeting Eastern European diplomats in need of personal transportation and tempting them with a purported good deal on an Audi Q7 Quattro SUV.
Germany has summoned the Chinese ambassador over a cyberattack by a Beijing-backed threat actor on a cartography agency. The attack, aimed at espionage, was carried out at the end of 2021.
The Streamlining Federal Cybersecurity Regulations Act, led by senators Gary Peters and James Lankford, would create an interagency group to synchronize U.S. cyber regulatory regimes and establish a pilot program for testing new frameworks.
Hackers are targeting misconfigured Jupyter Notebooks using a repurposed Minecraft DDoS tool known as mineping. The attack, dubbed Panamorfi, involves utilizing a Java tool to launch a TCP flood DDoS attack against vulnerable Jupyter Notebooks.
Australian companies will soon be required to report ransom payments, in line with the upcoming Cyber Security Act in the country. The legislation aims to enhance the response to cyber incidents, similar to CIRCIA in the US.
BlankBot, which is still in development, has advanced features like screen recording, keylogging, and remote control, posing a significant threat due to its evasion techniques.
The United States, along with Germany and Slovenia, participated in a historic prisoner exchange with Russia, releasing hackers, spies, and an assassin. The swap took place at an airport in Ankara, Turkey.
A vulnerability in Rockwell Automation's Logix controllers, CVE-2024-6242, poses a security risk to industrial automation systems worldwide by allowing unauthorized access to PLCs.
A tech support fraud leader was sentenced to seven years in prison for scamming over 6,500 victims and making $6 million. The operation targeted elderly victims in the U.S. and Canada by showing fake malware infections on their computers.
Airlines are facing challenges with third-party risks in their supply chain. Recent revelations regarding risks in Boeing's supply chain have emphasized the importance of measuring and mitigating these risks, according to SecurityScorecard.
These fraudsters contact victims through phone calls or messages, posing as representatives of legitimate crypto exchanges, and create a sense of urgency by claiming security issues or hack attempts on the victims' accounts.
A new Windows backdoor named BITSLOTH has been discovered by cybersecurity researchers. This malware exploits the Background Intelligent Transfer Service (BITS) for stealthy communication, making it difficult to detect.
APT28, a Russia-linked threat actor (also known as Fighting Ursa, Fancy Bear, and Sofacy), has been identified in a campaign using a car sale phishing lure to deliver the HeadLace Windows backdoor to target diplomats since March 2024.
The open-source ERP framework OFBiz is being targeted by the Mirai botnet due to a critical directory traversal vulnerability that allows for remote command execution. This vulnerability was patched in May for versions before 18.12.13.
The Center for Federal Civilian Executive Branch Resilience, launched by the Institute for Critical Infrastructure Technology, aims to enhance standards and procedures for protecting government agencies from cybercriminals and nation-state hackers.
Hackers are exploiting the free TryCloudflare service to distribute remote access trojans (RATs) like AsyncRAT, GuLoader, and Remcos RAT. This activity was first detected in February and has been linked to campaigns targeting various industries.
The Autonomous Penetration Testing platform would replace much of the laborious, manual process of such testing, where organizations use vulnerability scanning tools and other methods to measure the robustness of their cyberdefenses against hackers.
The CISA is working to comply with the Cyber Incident Reporting for Critical Infrastructure Act of 2022, requiring critical infrastructure providers to report cybersecurity incidents and ransomware attacks within specific timeframes.
Cisco Investments has invested in Halcyon, an anti-ransomware company, to enhance its platform and reduce ransomware risks to zero. The investment amount remains undisclosed, but Halcyon has raised a total of $90 million so far.
Representatives from various countries and the European Union participated in the meeting, addressing cybersecurity and data risks in connected vehicles. The meeting highlighted the importance of connected cars as a critical part of infrastructure.
A new Linux Kernel attack called SLUBStick has a 99% success rate in turning a limited heap vulnerability into a powerful memory read-and-write capability, allowing for privilege escalation and container escape.
Mozilla has joined Google in no longer trusting Entrust as a root certificate authority due to compliance failures and inadequate responses. Google was the first to make this decision, citing concerning behaviors from Entrust.
The U.S. and German law enforcement have seized the domain of the Cryptonator crypto wallet platform, indicting its operator, Roman Boss, for money laundering and running an unlicensed money service business.
Protect AI, a Seattle-based AI and ML security company, raised $60M in Series B funding led by Evolution Equity Partners, with participation from 01 Advisors, StepStone Group, Samsung, and existing investors.
The sensitive nature of legal data makes law firms lucrative targets for hackers, who aim to access valuable information for specific purposes. Despite the costly demands, firms face the dilemma of paying the ransom or risking backlash from clients.
According to Picus Security, organizations are failing to detect 44% of cyberattacks, revealing major exposure gaps. 40% of environments tested allowed for attack paths leading to domain admin access.
WeRedEvils announced their intention to target Iranian systems on Telegram, claiming their attack was successful in infiltrating Iran's computer systems, stealing data, and causing the outage.
The lawsuit alleges that TikTok collected personal information from children under 13 without parental consent, failed to delete children-created accounts, and misled parents about data collection.
Unlike other ransomware groups targeting businesses, Magniber focuses on individuals. Victims report their devices getting infected after running software cracks. Ransom demands start at $1,000 and escalate to $5,000 if not paid within three days.
Federal officials have raised concerns about the software supply chain and memory safety vulnerabilities following a global IT outage caused by a faulty CrowdStrike software update.
The group used DNS poisoning to redirect software update queries to attacker-controlled servers, infecting victims with malware. Volexity detected one attack in Hong Kong, which ceased when the ISP took action.
The Senate has confirmed Michael Sulmeyer as the first cyber policy chief at the Defense Department, where he will serve as the assistant secretary of Defense for cyber policy.
Debian Linux Security Advisory 5737-1 - If LibreOffice failed to validate a signed macro, it displayed a warning but still allowed execution of the script. Going forward, in high macro security mode such macros are now disabled.
Ubuntu Security Notice 6944-1 - Dov Murik discovered that curl incorrectly handled parsing ASN.1 Generalized Time fields. A remote attacker could use this issue to cause curl to crash, resulting in a denial of service, or possibly obtain sensitive memory contents.
Debian Linux Security Advisory 5736-1 - Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in denial of service, information disclosure or bypass of Java sandbox restrictions.
Ubuntu Security Notice 6895-4 - It was discovered that the ATA over Ethernet driver in the Linux kernel contained a race condition, leading to a use-after-free vulnerability. An attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that the HugeTLB file system component of the Linux kernel contained a NULL pointer dereference vulnerability. A privileged attacker could possibly use this to cause a denial of service.
A high-severity security bypass vulnerability has been disclosed in Rockwell Automation ControlLogix 1756 devices that could be exploited to execute Common Industrial Protocol (CIP) programming and configuration commands. The flaw, which is assigned the CVE identifier CVE-2024-6242, carries a CVSS v3.1 score of 8.4. "A vulnerability exists in the affected products that allows a threat actor to
Cybersecurity researchers have discovered a new Android banking trojan called BlankBot targeting Turkish users with an aim to steal financial information. "BlankBot features a range of malicious capabilities, which include customer injections, keylogging, screen recording and it communicates with a control server over a WebSocket connection," Intel 471 said in an analysis published last week.
The China-linked threat actor known as Evasive Panda compromised an unnamed internet service provider (ISP) to push malicious software updates to target companies in mid-2023, highlighting a new level of sophistication associated with the group. Evasive Panda, also known by the names Bronze Highland, Daggerfly, and StormBamboo, is a cyber espionage group that's been active since at least 2012,
Cybersecurity researchers have uncovered design weaknesses in Microsoft's Windows Smart App Control and SmartScreen that could enable threat actors to gain initial access to target environments without raising any warnings. Smart App Control (SAC) is a cloud-powered security feature introduced by Microsoft in Windows 11 to block malicious, untrusted, and potentially unwanted apps from being run
Organizations in Kazakhstan are the target of a threat activity cluster dubbed Bloody Wolf that delivers a commodity malware called STRRAT (aka Strigoi Master). "The program selling for as little as $80 on underground resources allows the adversaries to take control of corporate computers and hijack restricted data," cybersecurity vendor BI.ZONE said in a new analysis. The cyber attacks employ
The Loper Bright decision has yielded impactful results: the Supreme Court has overturned forty years of administrative law, leading to potential litigation over the interpretation of ambiguous laws previously decided by federal agencies. This article explores key questions for cybersecurity professionals and leaders as we enter a more contentious period of cybersecurity law. Background What is
Incident response is a structured approach to managing and addressing security breaches or cyber-attacks. Security teams must overcome challenges such as timely detection, comprehensive data collection, and coordinated actions to enhance readiness. Improving these areas ensures a swift and effective response, minimizing damage and restoring normal operations quickly. Challenges in incident