
Cyber-Terrorism In The Skies


Prior to 9/11, plane hijackings were thought to be the stuff of Hollywood scriptwriters. Major movie plots frequently reflect current societal themes in character scenarios and, in some cases, technology. 

There are numerous cyber-crime-themed films that accurately predicted our future. If we stop and think about it, nearly everything around us is becoming more digitized than ever before, from car navigation and control systems to Wi-Fi-enabled temperature sensors in backyard grills. You can't avoid it, so it's no surprise to learn how much technology goes into a modern aircraft. Aside from in-flight entertainment, Wi-Fi, and LED lighting, there are intricate sensors, controls, and computing systems that work together to provide the safest, best flights possible.

Unfortunately, in today's world, the general public is well-informed about how terrifying hijacked planes can be. And, as time has passed, the threat of terror in the skies has evolved technologically.
For many years, the terrifying prospect of cyber-attacks on commercial flights has haunted the airline industry. One of the first incidents to garner public attention was when security researcher Chris Roberts was detained by the FBI after a domestic flight, having claimed to have briefly seized control of the plane.

At the Black Hat cybersecurity conference in Las Vegas, another cybersecurity researcher, Ruben Santamarta, claimed that, from the ground, he had hacked hundreds of aircraft while they were in flight. He said he used flaws in satellite communications equipment to reach the planes remotely.

We would be dealing with a very dangerous threat if a plane's technical systems were compromised by malicious hackers. And we've had some close calls. A malware infection, for example, prevented a Spanair flight from taking off several years ago. In that case, the detection occurred before the flight was even possible, but the entire scenario highlights a significant risk and an ever-present threat.

Protection in the air is important, as is protection from potentially malicious passengers-turned-hackers, but what about safeguarding at other points in the flight industry's technology chain? Is it possible that mission-critical IT systems will be as vulnerable as satellites and onboard computers have proven to be?

Consider it from the perspective of a hacker. Nobody attempts to enter a fort through the guarded front gates. They sneak in through an unguarded wall or disguise themselves as the gate maintenance team. In other words, hackers find ways to circumvent perceived barriers and all the costly fortifications or processes in order to find a vulnerable point of entry.

Bugs and malicious software, for example, can infiltrate a simple software update. Although updating software is a good practice, the possibility of something dangerous occurring during these specific times is always present.

These are like the vulnerable moments during a guard change, when vigilance dips. Conditions like these require us to validate versions, baseline systems, and know how to identify and isolate threats. They compel us to watch for indicators of compromise and the metrics that reveal them. As a result, the security challenges encountered are closely related to those of enterprise security.

The Real World vs Hollywood

Planes, like any other interconnected IT system, can and probably will be hacked at some point. At this point, the question is not if, but when. Using intelligent precautions, processes, and technologies, we can hopefully predict and prevent whatever that sober incident turns out to be. And, if this terrifying situation occurs, we hope that quick recovery is triggered in accordance with well-planned disaster plans. Even if we are not in the airline industry, we should have the same mindset when it comes to our mission-critical internal IT systems.

Throughout the service lifecycle of our own IT infrastructure, are we sufficiently monitoring and protecting our mission-critical systems from cyber threats? No enterprise IT system is safe if planes can be hacked. The same questions regarding vulnerability mitigation and disaster recovery planning should be directed toward every IT system in every organization.

It is critical to understand that when it comes to commercial flights, the stakes could not be higher because human lives are at stake. Fortunately, industry leaders and government task forces are committed to developing solutions that address cyber threats to the commercial flight industry in a proactive manner. Eventually, their awareness and diligence will ensure that this remains a plot line for Hollywood thrillers rather than a potential opportunity for another devastating terror attack that weaponizes commercial airliners.

Malware Authors Unknowingly Take Down Their Own Botnet


It is not often that malware authors go to the trouble of building a tool for assembling a botnet, only to find a way to sabotage it themselves. But that seems to be the case with "KmsdBot," a distributed denial-of-service (DDoS) and crypto mining botnet discovered by Akamai researchers last month infecting systems across multiple industries.

It has since gone mostly silent because of a single incorrectly formatted command sent by its own author. The malware, written in the Go programming language, infects systems over SSH connections protected by weak credentials and, in DDoS attacks, employs UDP, TCP, and HTTP POST and GET commands. According to Kaspersky, the malware is designed to target multiple architectures, including Windows, Arm64, and mips64 systems.

Luxury car manufacturers, gaming companies, and IT firms are among those affected by the malware. In every attack Akamai witnessed, the threat actors used KmsdBot to execute DDoS attacks, despite the malware's cryptomining functionality.

Following Akamai's initial disclosure in November, the company's researchers continued to monitor and analyse the threat. They modified a recent sample of KmsdBot as part of the exercise and decided to test various scenarios related to the malware's command and control (C2) functionality.

Akamai researchers located the place in the malware's code that contained the IP address and port of KmsdBot's C2 server and changed it so that the address pointed into Akamai's own IP space.

During the testing, Akamai researchers discovered that the bot abruptly stopped working after receiving a command to send a large amount of junk data to bitcoin.com, in an apparent attempt to DDoS the website. According to Akamai researcher Larry Cashdollar, the bot lacks error checking to ensure that the commands it receives are properly formatted. As a result, the Go binary crashes with the error message "index out of range."

He also says that Akamai was able to reproduce the problem by sending the bot an incorrectly formatted command of its own.

"This malformed command likely crashed all the botnet code that was running on infected machines and talking to the C2 — essentially, killing the botnet," Akamai noted in its update on the malware this week.

Notably, the bot does not support any kind of persistence mechanism. As a result, the malware authors' only option for rebuilding the KmsdBot botnet is to infect systems from scratch. Cashdollar asserts that almost all of the KmsdBot-related activity tracked by Akamai in recent weeks has ceased. However, there are indications that threat actors are attempting to infect systems again, he says.
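The crash described above comes from a familiar Go failure mode: indexing a slice of tokens without first checking how many tokens arrived. The following is an added example, not KmsdBot's code and not Akamai's analysis; the command format `<verb> <target> <count>` and the names `ParseNaive`, `RunNaive`, `ParseChecked` and `ErrMalformed` are assumptions made for the illustration. It puts the unchecked parser beside a validating one so the "index out of range" panic and its fix can be seen side by side.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Command is the parsed form of a space-separated text command shaped like
// "<verb> <target> <count>". This format is an assumption for the example;
// the page does not describe KmsdBot's real command syntax.
type Command struct {
	Verb   string
	Target string
	Count  int
}

// ParseNaive mirrors the defect the article describes: it indexes the token
// slice without checking its length, and it ignores the Atoi error. A line
// with fewer than three fields makes Go panic with "index out of range".
func ParseNaive(line string) Command {
	f := strings.Fields(line)
	n, _ := strconv.Atoi(f[2])
	return Command{Verb: f[0], Target: f[1], Count: n}
}

// RunNaive wraps ParseNaive in recover so the demonstration can report the
// panic text instead of letting the process die.
func RunNaive(line string) (cmd Command, panicMsg string) {
	defer func() {
		if r := recover(); r != nil {
			panicMsg = fmt.Sprint(r)
		}
	}()
	return ParseNaive(line), ""
}

// ErrMalformed is returned by ParseChecked for any command that fails validation.
var ErrMalformed = errors.New("malformed command")

// ParseChecked validates the field count and the numeric field before use,
// turning bad input into an error the caller can log and skip.
func ParseChecked(line string) (Command, error) {
	f := strings.Fields(line)
	if len(f) != 3 {
		return Command{}, fmt.Errorf("%w: expected 3 fields, got %d", ErrMalformed, len(f))
	}
	n, err := strconv.Atoi(f[2])
	if err != nil || n < 0 {
		return Command{}, fmt.Errorf("%w: count %q is not a non-negative integer", ErrMalformed, f[2])
	}
	return Command{Verb: f[0], Target: f[1], Count: n}, nil
}

func main() {
	// Constructed inputs: one well-formed command, one truncated, one empty.
	for _, line := range []string{"ping example.invalid 3", "ping", ""} {
		if _, msg := RunNaive(line); msg != "" {
			fmt.Printf("naive   %-24q -> panic: %s\n", line, msg)
		} else {
			fmt.Printf("naive   %-24q -> ok\n", line)
		}
		if _, err := ParseChecked(line); err != nil {
			fmt.Printf("checked %-24q -> error: %v\n", line, err)
		} else {
			fmt.Printf("checked %-24q -> ok\n", line)
		}
	}
}
```

The defensive lesson is the same one the article draws in reverse: a long-running process that reads commands from an untrusted source must treat a short or non-numeric line as data to reject, not as a precondition to assume. The same applies to any agent that consumes a network control channel, which is why a malformed message from a single operator was enough to take every running copy down at once.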

Health Insurer Accuro: 30K Customers’ Data Potentially Leaked in a Hack


Accuro, a New Zealand health insurer, says that a cyber hack has taken its systems offline and may have exposed the data of around 30,000 customers. According to the company, there is no proof at this time that personal health data has been compromised, but it cannot be ruled out.

"Our IT provider is working with their own forensic experts and Government agencies to understand the nature and extent of the impact. We have also notified the relevant regulatory authorities including the Office of the Privacy Commissioner," Accuro said. "At this stage, we have no evidence that any Accuro data has been compromised but we cannot rule out this possibility. Our current focus is working with our IT provider to investigate and understand the situation further."

The company stated once again that it takes its obligations to safeguard customer privacy "very seriously." 

"For the time being, our systems remain offline which will impact services and we request your patience as we work towards a solution," the statement said.

The Accuro hack came in the wake of a similar incident in Australia, where the country's largest health insurer, Medibank, was hit by a cybercrime that compromised the personal information of approximately 4 million customers.

Private patient data stolen in a cyber attack on New Zealand GP provider Pinnacle Health was also posted online in October.

Wipers Are Expanding: Here's Why That Matters


In the first half of this year, researchers observed a rise in the use of wiper malware in tandem with the Russia-Ukraine conflict. However, those wipers haven't stayed in one place; they're spreading worldwide, proving that cybercrime has no borders. 

Not only are the numbers increasing, but there is also an increase in variety and sophistication. These wiper variants are increasingly aimed at critical infrastructure. The war in Ukraine has undoubtedly fueled significant growth in the use of wiper malware; FortiGuard Labs' research identified at least seven new wiper variants used in campaigns targeting government, military, and private organizations in the first half of 2022.

That's nearly as many wiper variants as have been publicly detected since 2012, when bad actors used the Shamoon wiper to attack a Saudi oil company. These include:

• CaddyWiper: Bad actors used this variant to wipe data and partition information from drives on systems belonging to a select number of Ukrainian organizations shortly after the war began.
• WhisperGate: Discovered by Microsoft in mid-January being used to target organizations in Ukraine.
• HermeticWiper: Noted in February by SentinelLabs, this tool for triggering boot failures was also found targeting Ukrainian organizations.
• IsaacWiper: A malware tool for overwriting data on disk drives and attached storage to render them inoperable.

We also discovered three variants aimed at Ukrainian businesses and organizations: WhisperKill, Double Zero, and AcidRain.

Wipers without borders

The wiper campaign is not confined to Ukraine. Since the beginning of the conflict in February, we've detected more wiper malware outside Ukraine than inside it. Wiper activity has been detected in 24 countries other than Ukraine.

AcidRain, utilized to target a Ukrainian satellite broadband service provider, was also used in a March attack that knocked out several thousand German wind turbines. What does this mean? It demonstrates that such attacks can cross borders, whether they are between countries or between IT and OT.

Enterprise security teams must be prepared. While the number of detected wipers has been lower than for other types of cyberattacks thus far, the nature of wipers and how they are used make them extremely dangerous. Wiper malware is used by bad actors for a variety of purposes, including financial gain, sabotage, evidence destruction, and cyber war. Shamoon, the original wiper ware, demonstrated clearly how wipers can be used as cyber sabotage weapons - and how the same wiper can rear its ugly head years later.

Variants such as GermanWiper and NotPetya have demonstrated how wipers can be used to extort money from victims, for example by "pretending" to be ransomware. And, as you may recall, NotPetya began as a cyber-attack against Ukrainian organizations but quickly spread to become one of the most devastating cyber-attacks of all time.

When it comes to wipers, one factor to think about is whether or not they self-propagate. If a wiper is a worm, like NotPetya, it can spread to other machines once released. And once that occurs, it is uncontrollable.

CISA issued a warning about the direct threat wipers pose in February, recommending that "organizations increase vigilance and evaluate their capabilities encompassing wiper attack planning, preparation, detection, and response."

One of the most effective defensive measures against wiper malware is integrated, AI- and ML-driven, advanced detection and response capability, driven by actionable threat intelligence, that protects across all edges of hybrid networks.

It can, for example, keep the impact of an attack to a single segment of the network and limit lateral movement.
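Detection is only as good as the behavioural signal it keys on, and the signal a wiper gives off is a process overwriting or deleting many distinct files in a short burst. The following is an added example, not part of the original post and not any vendor's product logic: a small Go program that parses a constructed file-activity log (the five-field line format, the process names and the paths are all invented for the illustration) and flags any process that destroys at least a threshold number of distinct files inside a sliding time window, while leaving an editor that repeatedly saves one file alone.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// FileEvent is one line of a constructed file-activity log in the form
// "<unix_seconds> <pid> <image> <action> <path>". The format is an assumption
// made for this example, not the output format of any real sensor.
type FileEvent struct {
	TS     int64
	PID    int
	Image  string
	Action string
	Path   string
}

// SampleLog is constructed input: an editor saving the same file twice and a
// backup agent reading files, interleaved with one process overwriting and
// deleting many different files within a few seconds.
const SampleLog = `1700000000 4120 editor.exe overwrite C:\Users\alice\notes.txt
1700000005 2210 backup-agent.exe read C:\Users\alice\notes.txt
1700000030 4120 editor.exe overwrite C:\Users\alice\notes.txt
1700000100 7788 update-helper.exe overwrite C:\Users\alice\Documents\report.docx
1700000101 7788 update-helper.exe overwrite C:\Users\alice\Documents\budget.xlsx
1700000101 7788 update-helper.exe delete C:\Users\alice\Documents\report.docx
1700000102 7788 update-helper.exe overwrite C:\Users\alice\Pictures\holiday.jpg
1700000102 7788 update-helper.exe overwrite C:\Users\alice\Pictures\family.jpg
1700000103 7788 update-helper.exe delete C:\Users\alice\Pictures\holiday.jpg
1700000103 7788 update-helper.exe overwrite C:\Users\alice\Desktop\todo.txt
1700000104 7788 update-helper.exe overwrite C:\Users\alice\Desktop\keys.txt
1700000160 2210 backup-agent.exe read C:\Users\alice\Documents\budget.xlsx`

// ParseLog turns raw log text into events, rejecting any line that does not
// carry exactly five whitespace-separated fields or has a bad number.
func ParseLog(raw string) ([]FileEvent, error) {
	var events []FileEvent
	sc := bufio.NewScanner(strings.NewReader(raw))
	for n := 1; sc.Scan(); n++ {
		f := strings.Fields(sc.Text())
		if len(f) != 5 {
			return nil, fmt.Errorf("line %d: expected 5 fields, got %d", n, len(f))
		}
		ts, err := strconv.ParseInt(f[0], 10, 64)
		if err != nil {
			return nil, fmt.Errorf("line %d: bad timestamp: %w", n, err)
		}
		pid, err := strconv.Atoi(f[1])
		if err != nil {
			return nil, fmt.Errorf("line %d: bad pid: %w", n, err)
		}
		events = append(events, FileEvent{TS: ts, PID: pid, Image: f[2], Action: f[3], Path: f[4]})
	}
	return events, sc.Err()
}

// Alert describes one process whose destructive file activity crossed the threshold.
type Alert struct {
	PID        int
	Image      string
	Start, End int64
	Files      int
}

// DetectBurstDestruction flags every process that overwrote or deleted at
// least minFiles distinct paths inside some window of windowSec seconds. A
// sliding window over the process's time-ordered destructive events keeps a
// per-path count, so repeated saves of a single file never trip the rule.
func DetectBurstDestruction(events []FileEvent, windowSec int64, minFiles int) []Alert {
	byPID := map[int][]FileEvent{}
	for _, e := range events {
		if e.Action == "overwrite" || e.Action == "delete" {
			byPID[e.PID] = append(byPID[e.PID], e)
		}
	}
	var alerts []Alert
	for pid, evs := range byPID {
		sort.Slice(evs, func(a, b int) bool { return evs[a].TS < evs[b].TS })
		inWindow := map[string]int{}
		best := Alert{PID: pid, Image: evs[0].Image}
		i := 0
		for _, e := range evs {
			inWindow[e.Path]++
			for e.TS-evs[i].TS > windowSec { // drop events older than the window
				inWindow[evs[i].Path]--
				if inWindow[evs[i].Path] == 0 {
					delete(inWindow, evs[i].Path)
				}
				i++
			}
			if len(inWindow) > best.Files {
				best.Files, best.Start, best.End = len(inWindow), evs[i].TS, e.TS
			}
		}
		if best.Files >= minFiles {
			alerts = append(alerts, best)
		}
	}
	sort.Slice(alerts, func(a, b int) bool { return alerts[a].PID < alerts[b].PID })
	return alerts
}

func main() {
	events, err := ParseLog(SampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range DetectBurstDestruction(events, 10, 5) {
		fmt.Printf("ALERT pid=%d image=%s destroyed %d distinct files between %d and %d\n",
			a.PID, a.Image, a.Files, a.Start, a.End)
	}
}
```

With a 10-second window and a threshold of five files, only the `update-helper.exe` burst is reported; the thresholds are deliberately parameters, because the right values depend on what normal write activity looks like on a given host, and a rule like this belongs next to allow-lists for known bulk writers such as backup and indexing agents.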

Deception technology, a strategy in which attackers are diverted away from an enterprise's true assets and directed instead toward a decoy or a trap, should also be considered by organizations. The decoy imitates legitimate servers, applications, and data in order to fool the bad actor into thinking they have infiltrated the real thing.

Furthermore, services like a digital risk protection service (DRPS) can assist with external surface threat assessments, security remediation, and gaining contextual insights on imminent threats.

Don't skimp on incident response: If your company is infected with wiper malware, the speed and quality of incident response are critical. It could determine the outcome of the attack. The importance of incident response and planning cannot be overstated. This should include defined processes for business continuity without IT, as well as a plan for how to restore from backups and handle incident response.

In the future

Wiper malware can be, and is being, used to degrade and disrupt critical infrastructure, as evidenced by the attacks on Ukraine and others. This is done as part of larger cyber warfare operations. Another common technique witnessed is wiper malware samples "pretending" to be ransomware, employing many of the same tactics, techniques, and procedures as ransomware but without any ability to recover the files.

The bottom line is that wiper malware is being used for both financial gain and cyber sabotage, and the results can be disastrous.

Google TAG Alerts on Rising Heliconia Exploit Framework for RCE


The Threat Analysis Group (TAG) at Google has discovered Heliconia, a cyberattack framework designed to exploit zero-day and n-day security flaws in Chrome, Firefox, and Microsoft Defender. It is likely linked to Variston IT, a gray-market spyware broker, demonstrating how this shadowy sector is thriving. The Heliconia threat is made up of three modules:
  • Heliconia Noise for compromising the Chrome browser, escaping the sandbox, and installing malware;
  • Heliconia Soft, a Web framework that deploys a PDF containing a Windows Defender exploit for CVE-2021-42298 that allows privilege escalation to SYSTEM and remote code execution (RCE);
  • And the Heliconia Files package which contains a fully documented Firefox exploit chain for Windows and Linux, including CVE-2022-26485 for RCE.
The threat was discovered after TAG received an anonymous submission to the Chrome bug reporting program. Further investigation revealed that the Heliconia framework's source code includes a script that refers to Variston IT, a Barcelona-based company that claims to provide "custom security solutions."

Commercial spyware is frequently sold by organizations claiming to be legitimate businesses for "law enforcement use." According to a TAG posting on Wednesday, mounting evidence shows that too often these brokers don't vet their clients, "putting advanced surveillance capabilities in the hands of governments who use them to spy on journalists, human rights activists, political opposition, and dissidents."

Researchers noted that Variston IT is firmly in the middle of this rapidly expanding market, which has seen sanctioning by the US and others against organizations such as the infamous NSO Group, creators of the Pegasus spyware.

Vanuatu Officials Resort to Phone Books and Typewriters, One Month After Cyberattack


One month after a cyber-attack brought down Vanuatu's government servers and websites, frustrated officials were still using private Gmail accounts, personal laptops, pen and paper, and typewriters to run the government of Prime Minister Ishmael Kalsakau, who took office just a few days after the crash.

Malware attacks on state networks have slowed communication and coordination in the Pacific island nation of 314,000 people spread across 80 islands. To find government phone numbers, people turned to the online Yellow Pages or the hard copy phone directory. Some offices were operating solely through their Facebook and Twitter pages.

According to a financial analyst who works closely with the ministry's cybersecurity teams, the problems began about a month ago, when suspicious phishing activity was first detected in emails to the Ministry of Finance.

Almost all government email and website archives were destroyed by malware. Many departments were still storing data on local computer drives rather than web servers or the cloud. There has been no official word on whether or not the hackers demanded a ransom.

“It is taking longer for payments [from the Ministry of Finance] to get out, but … we are always on Vanuatu time anyway,” stated the financial analyst.

Government departments have struggled to stay connected, frustrating officials, and improvised solutions for communication between agencies and departments have been put in place. Many government offices on the outer islands are experiencing significant service delays.

“It was chaos during the first few days but the entire government made alternative Gmail accounts or used their private emails. We are all using telephones and mobile phones for communication. But we are resilient in Vanuatu as a small country and can manage this,” said Olivia Finau, a communications officer in the Ministry of Climate Change. “Our department is communicating with the public more now with Facebook and Twitter, and we are actually getting more followers.”

The attack did not cause any disruptions to civilian infrastructures, such as airline or hotel websites. The majority of tourism and business has continued as usual through the busy Christmas and New Year's seasons.

According to the analyst, the current system can be improved by upgrading software and storing files in the cloud for management. However, local officials lack the necessary expertise and "require outside assistance."

The government had previously reported that the attack took place on November 5, but a computer technician at the Office of the Government's Chief Information Officer and a foreign diplomat confirmed to the Guardian that the crash took place on October 30.

In the early days of the crisis, some Vanuatu authorities blamed the problem on bad weather, which damaged the internet infrastructure.

However, the diplomat said: “We noticed there was a problem right away … our team recognized this as having the hallmarks of a cyber-attack, and not being caused by weather.”

Internal communication breakdowns in the days following the attack exacerbated matters. On November 4, Prime Minister Kalsakau formally took office, and on November 5, the government formally acknowledged the problem. 

The Australian government has offered assistance. "We sent a team in to assist with that disgraceful cyber-attack and response, and we are working through the process of bringing the government IT systems back up to speed," Pat Conroy, Australia's minister for international development and the Pacific, told Vanuatu Daily.

Cyber-attacks have wreaked havoc around the world in recent years, and Vanuatu's attack will serve as a warning to small Pacific nations with even weaker cybersecurity than Port Vila. Requests for comment were not returned by the Vanuatu Office of the Government Chief Information Officer (OGCIO).

Cyber Black Market Selling Compromised ATO and MyGov Logins Illustrates Medibank & Optus Only Tip of Iceberg


Millions of Australians' highly sensitive data is being openly traded online, including logins for personal Australian Tax Office accounts, medical and personal data of thousands of NDIS recipients, and confidential information of an alleged assault on a Victorian school student by their teacher. 

An ABC investigation discovered large chunks of previously unreported confidential material widely available on the internet, ranging from sensitive legal contracts to individual MyGov account login details being sold for as little as $1 USD. The massive amount of newly discovered data confirms that the high-profile hacks of Medibank and Optus represent only a small portion of the confidential Australian records recently stolen by cybercriminals. 

In the last few months, hackers have exposed the personal information of at least 12 million Australians. It has also been revealed that many of those affected only discovered they had been victims of data theft after being contacted by the ABC.

They claimed that the organizations in charge of protecting their data either failed to notify them adequately or misled them about the severity of the breach. One of the main hubs where stolen data is published is a Google-searchable forum that only appeared eight months ago and has soared in popularity, much to the chagrin of global cyber intelligence experts.

Anonymous users on the forum and similar websites frequently sell stolen databases containing the personal information of millions of Australians. Others were seen offering generous rewards to those brave enough to go after specific targets, such as one post seeking classified intelligence on Australian submarine development. 

CyberCX director of cyber intelligence Katherine Mansted stated, "There's a criminal's cornucopia of information available on the clear web, which is the web that's indexed by Google, as well as in the dark web. There's a very low barrier of entry for criminals … and often what we see with foreign government espionage or cyber programs — they are not above buying tools or buying information from criminals either." 

In one case, law student Zac's medical information was stolen in one of Australia's most heinous cyber breaches and freely published by someone with no discernible motive. Zac suffers from a rare neuromuscular disorder that has rendered him unable to walk and prone to extreme weakness and fatigue. The ABC has agreed not to use his full name because he is concerned that the stolen information could be used to track him down.

His sensitive personal data was stolen in May during a cyber attack on CTARS, a company that provides a cloud-based client management system to providers under the National Disability Insurance Scheme (NDIS). The NDIA, which is in charge of the NDIS, told a Senate committee that it had confirmed with CTARS that all 9,800 affected participants had been notified.

However, ABC Investigations has determined that this is not the case. The ABC interviewed 20 victims of the breach, and all but one — who later discovered a notice in her junk mail — said they had not received a notification or had even heard of the hack. The ABC confirmed that the leaked CTARS database contained Medicare numbers, medical information, tax file numbers, prescription records, mental health diagnoses, welfare checks, and observations about high-risk behavior such as eating disorders, self-harm, and suicide attempts.

"It's really, really violating," said Zac, whose leaked data included severe allergy listings for common food and medicine. "I may not like to think of myself as vulnerable … but I guess I am quite vulnerable, particularly living alone. Allergy records, things that are really sensitive, [are kept] private between me and my doctor and no one else but the people who support me. That's not the sort of information that you want getting into the wrong hands, particularly when ... you don't have a lot of people around you to advocate for you."

The CTARS database is just one of many thousands being traded on the ever-expanding black market for cybercrime. These postings appear on both the clear web, which is accessible through standard web browsers, and the dark web, which requires special software to access. The low prices demanded for confidential data demonstrate the magnitude of the problem.

ABC Investigations discovered users selling personal information and log-in credentials to individual Australian accounts such as MyGov, the ATO, and Virgin Money for as little as $1 to $10 USD.
Two-factor authentication is built into MyGov and ATO services, which protects accounts whose usernames and passwords have been compromised, but the same login details could be reused against less-secure services.

A cyber intelligence expert demonstrated to the ABC a popular hackers forum where remote access to an Australian manufacturing company was auctioned off for up to $500. He refused to name the company. According to Ms. Mansted of CyberCX, the "black economy" in stolen data and hacking services is the world's third-largest economy, trailing only the US and Chinese GDP.

"The cost of buying a person's personal information or buying access to hack into a corporation, that's actually declining over time, because there is so much information and so much data out there," said Ms. Mansted. 

Cyber threat investigator Paul Nevin monitors online forums where hundreds of Australians' login data are traded each week.

"The volume of them was staggering to me," said Mr. Nevin, whose company Cybermerc runs surveillance on malicious actors and trains Australian defense officials.

"In the past, we'd see small scatterings of accounts but now, this whole marketplace has been commoditized and fully automated. The development of that capability has only been around for a few years but it shows you just how successful these actors are at what they do."

Private school information has been leaked

The cyber attack on Medibank last month by the Russian criminal group REvil demonstrated the devastation that cyber crime can cause.

After REvil obtained the data of 9.7 million current and former customers and published highly sensitive medical information online, the country's largest health insurer now faces a possible class action lawsuit. Russian and Eastern European criminal groups host sites on the dark web where they publish ransom threats and later leak databases if the ransom is not paid.

The groups conduct research on their targets in order to inflict the most damage. Victims include multinational corporations such as Thales and Accenture, as well as Australian schools.

The Kilvington Grammar School community in Melbourne is reeling after a prolific ransomware gang, Lockbit 3.0, leaked more than 1,000 current and former students' personal data in October. The private school notified parents via email, including one on November 2, which stated that an "unknown third party has published a limited amount of data taken from our systems."

According to correspondence sent to parents, this "sensitive information" included contact information for parents, Medicare details, health information such as allergies, and some credit card information. The cache of information actually published by Lockbit 3.0, on the other hand, was far more extensive than initially suggested.

According to ABC Investigations, the ransomware group published highly confidential documents containing parents' bank account numbers, legal and debt disputes between the school and families, report cards, and individual test results.

The publication of details about an investigation into a teacher accused of assaulting a child and privileged legal advice about a student's death was the most shocking. Kilvington Grammar has been at the center of a coronial inquest into the death of Lachlan Cook, 16, who died in 2019 after suffering complications from Type 1 diabetes while on a school trip to Vietnam.

Lachlan became critically ill and began vomiting, which was misdiagnosed as gastroenteritis rather than a rare diabetes complication. The coroner has indicated that the death was avoidable because neither the school nor the tour operator, World Challenge, provided specific diabetes care for the teenager.
Lachlan's parents declined to comment, but ABC Investigations understands that they were not notified by the school that sensitive legal documents concerning his death had been stolen and published online.

Other parents whose information was compromised told ABC that they were dissatisfied with the school's failure to explain the scope of the breach.

"That's distressing that this type of data has been accessed," said father of two, Paul Papadopoulos.

"It's absolutely more sensitive [than parents were told] and I think any person would want to have known about it." 

Kilvington Grammar did not respond to specific questions about the Cook family tragedy or whether a ransom was demanded or paid in a statement to ABC. Camilla Fiorini, the school's marketing director, admitted that the school's attempt to notify families about the specifics of what personal data was stolen was an "imperfect process."

"We have adopted a conservative approach and contacted all families that may have been impacted," she said.

"We listed — to the best of our abilities —  what data had been accessed ... we also suggested additional steps those individuals can consider taking to further protect their information. The school is deeply distressed by this incident and the impact it has had on our community." 

Lockbit 3.0 recently targeted a law firm, a wealth management firm for high-net-worth individuals and a major hospitality company in Australia. According to correspondence sent to parents, this "sensitive information" included contact information for parents, Medicare details, health information such as allergies, and some credit card information.

The cache of information actually published by Lockbit 3.0, on the other hand, was far more extensive than initially suggested. According to ABC Investigations, the ransomware group published highly confidential documents containing parents' bank account numbers, legal and debt disputes between the school and families, report cards, and individual test results.

The publication of details about an investigation into a teacher accused of assaulting a child and privileged legal advice about a student's death was the most shocking. Kilvington Grammar has been at the centre of a coronial inquest into the death of Lachlan Cook, 16, who died in 2019 after suffering complications from Type 1 diabetes while on a school trip to Vietnam.

Lachlan became critically ill and began vomiting, which was misdiagnosed as gastroenteritis rather than a rare diabetes complication. The coroner has indicated that the death was avoidable because neither the school nor the tour operator, World Challenge, provided specific diabetes care for the teenager. Lachlan's parents refused to comment, but ABC Investigations understands that they were not notified by the school that sensitive legal documents concerning his death had been stolen and published online.

Other parents whose information was affected told the ABC that they were dissatisfied with the school's failure to explain the scope of the breach.

"That's distressing that this type of data has been accessed," said father of two, Paul Papadopoulos. "It's absolutely more sensitive [than parents were told] and I think any person would want to have known about it." 

Kilvington Grammar did not respond to specific questions about the Cook family tragedy or whether a ransom was demanded or paid in a statement to the ABC. Camilla Fiorini, the school's marketing director, admitted that the school's attempt to notify families about the specifics of what personal data was stolen was a "imperfect process."

"We have adopted a conservative approach and contacted all families that may have been impacted," she said. "We listed — to the best of our abilities — what data had been accessed ... we also suggested additional steps those individuals can consider taking to further protect their information. The school is deeply distressed by this incident and the impact it has had on our community." 

Lockbit 3.0 recently targeted a law firm, a wealth management firm for high-net-worth individuals, and a major hospitality company in Australia.

Victims are left out in the cold as a result of the blame game

Kilvington Grammar's inability to properly notify victims of data theft is not an isolated incident, and its targeting by a ransomware group is representative of a growing apparatus commoditizing stolen personal information.

Personal data is becoming "increasingly valuable to cybercriminals who see it as the information they can exploit for financial gain," according to Australian Federal Police (AFP) Cybercrime Operations Commander Chris Goldsmid.

"Cybercriminals can now operate at all levels of technical ability and the tools they employ are easily accessible online," he warned.

"We suspect there are many more victims but they are too embarrassed to come forward, or they have not realized what has happened to them is a crime," Commander Goldsmid said.

While authorities and the Federal Government have warned Medibank customers to be on the lookout for identity thieves, many other Australians are completely unaware they are victims.

All government agencies, organizations that hold health information, and businesses with an annual revenue of more than $3 million are required by the Privacy Act to notify individuals when their data has been breached if it is deemed "likely to cause serious harm." 

After CTARS was hacked in May, the company issued a statement on its website about the breach but delegated responsibility for informing NDIS recipients to 67 individual service providers affected by the breach. When ABC Investigations asked CTARS why many of the impacted NDIS recipients had not been notified, it stated that the processes were best handled by each provider.

"The OAIC [Office of the Australian Information Commissioner] suggests that notifications are usually best received from the organization who has a relationship with impacted individuals — in this case, the service providers," a CTARS spokesperson said.

"CTARS worked extensively to support the service providers in being able to ... bring the notification to their clients' attention."

However, the NDIA told the ABC this responsibility lay not with those individual providers, but with CTARS.

"The Agency's engagement with CTARS following the breach indicated that CTARS was fulfilling all its obligations under the Privacy Act in relation to the breach," an NDIA spokesperson said.

"The Agency has reinforced with CTARS its obligation to inform users of their services."

This has provided little comfort to Zac and other CTARS victims whose personal information may never be erased from the internet.

"It's infuriating, it's shocking and it's disturbing," said Zac.

"It makes me really angry to know that multiple government agencies and these private support companies, who I would have thought would be duty bound to hold my best interests at heart … especially when my safety is at risk … that they at no level attempted to get in contact with me and assist me in protecting my information."

Zac's former service provider, Southern Cross Support Services, did not respond to the ABC's questions.

Karen Heath was a victim of another hack published on the same forum as the CTARS data.

In the last month, the Victorian woman has been the victim of two hacks, one of Optus customer data and the other of confidential information stored by MyDeal, which is owned by retail giant Woolworths Group. Woolworths told the ABC that since the MyDeal hack it has "enhanced" its security and privacy practices, and that it "unreservedly apologize[d] for the considerable concern the MyDeal breach has caused."

But Ms. Heath remains anxious. 

"You feel a bit helpless [and] you get worried about it," Ms. Heath said.

She further added, "I don't even know that I'll shop at Woolworths again ... they own MyDeal. They have insurance companies, they have all sorts of things. So where does it end?"

Hackers Construct Fraudulent Websites & Steal Data During 'Black Friday' Sales

 

According to a new report, threat actors are hosting websites for malicious campaigns built around the Black Friday theme, with e-commerce, cryptocurrency, and travel the top targets. 

Researchers found cybercrime forums in several languages buzzing with Black Friday talk: some actors advertise malicious services and ready-made campaigns while others look to buy them, according to CloudSEK researchers, who also uncovered an Ethereum giveaway scam website.

“Compromised personal identifiable information (PII) and banking credentials can be used to perform unauthorized transactions and social engineering attacks,” they warned.

CloudSEK's contextual AI digital risk platform, XVigil, found hundreds of registered and operational Black Friday-themed domains. The most common attack types were impersonation of legitimate websites, services offering Google and Facebook ad placement, and the distribution of malicious applications.

The discovery revealed that website cloning is a common technique used by hackers of all levels of sophistication to host bogus copies of legitimate websites.

"The iconic Black Friday sale has now become a global theme, with cybercriminals of all levels and expertise attempting to launch malicious campaigns. The majority of these campaigns misrepresent or impersonate popular brands and companies offering sales and services in order to defraud the public," Desai added.

The researchers cautioned against accepting freebies, attractive deals, or third-party solutions that appear suspicious.

New Windows Server Updates Cause Domain Controller Freezes, Restarts

 

Microsoft is looking into LSASS memory leaks (caused by Windows Server updates released during the November Patch Tuesday) that may result in domain controller freezes and restarts. LSASS (Local Security Authority Subsystem Service) is in charge of enforcing security policies on Windows systems and managing access tokens, password changes, and user logins. 

If this service fails, logged-in users lose access to their Windows accounts on the machine, see a system restart error, and the machine reboots. 

"LSASS might use more memory over time and the DC might become unresponsive and restart," Microsoft explains on the Windows Health dashboard.

"Depending on the workload of your DCs and the amount of time since the last restart of the server, LSASS might continually increase memory usage with the uptime of your server and the server might become unresponsive or automatically restart."

Redmond says the out-of-band updates it released to fix authentication issues on Windows domain controllers may also be affected by this known issue. Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 SP1, and Windows Server 2008 SP2 are all affected. Microsoft is working on a solution and promises an update in an upcoming release.

Workaround  Available:

Until a fix for the LSASS memory leak is available, the company offers a workaround for the domain controller instability: on each affected domain controller, set the KrbtgtFullPacSignature registry value (which gates the CVE-2022-37967 Kerberos PAC signature changes) to 0 with the following command:

    reg add "HKLM\System\CurrentControlSet\services\KDC" -v "KrbtgtFullPacSignature" -d 0 -t REG_DWORD

Note that 0 switches off the new PAC signature behaviour the November updates introduced, so the workaround trades the CVE-2022-37967 hardening for stability; record the value you replace so it can be restored once the fix ships.

"Once this known issue is resolved, you should set KrbtgtFullPacSignature to a higher setting depending on what your environment will allow," Microsoft added.

"It is recommended to enable Enforcement mode as soon as your environment is ready. For more information on this registry key, please see KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967."

Redmond addressed another known issue that caused Windows Server domain controller reboots due to LSASS crashes in March. Microsoft fixed domain controller sign-in failures and other authentication issues caused by November Patch Tuesday Windows updates earlier this month with emergency out-of-band (OOB) updates.

The Need for Identity Security: AI and Cybersecurity Hand in Hand

 

Automated processes powered by artificial intelligence (AI) are reshaping society in significant ways, from robotic assembly lines to self-driving cars. However, AI cannot do everything on its own; in fact, many organizations are realizing that automation works best when it collaborates with a human operator. Similarly, when well-trained AI assists them, humans can often operate more efficiently and effectively. Identity security, in particular, is an excellent example of a field where augmenting the human touch with AI has produced extremely positive results.

Consider the sheer number of identities that exist in today's world. Users, devices, applications, servers, cloud services, databases, DevOps containers, and a plethora of other entities (both real and virtual) now require identity management. Furthermore, in order to be productive in enterprise environments, modern employees use a wide range of technologies and data. Together, these two dynamics pose a challenge for identity security: at today's scale, determining which identities require access to which systems is well beyond human capacity.

This is significant because cybercriminals are increasingly targeting identities. According to the most recent "Verizon Data Breach Investigations Report" (DBIR), credential data is now used in nearly half of all breaches, and stolen credentials are one of the most common ways attackers compromise identities. Attackers use a variety of methods to obtain those credentials, the most common of which is social engineering. Hackers have gotten very adept at recognizing ways to trick people into making mistakes. This is a major reason why today's attackers are so difficult to stop: Humans are frequently the weak link, and they cannot be patched. It is simply not possible to create a preventative solution that will stop 100% of attacks.

This is not to say that preventative measures such as employee education, multifactor authentication, and frequent password changes aren't necessary; they are. They are, however, insufficient. A determined attacker will eventually find a vulnerable identity to compromise, and the organization will need to know what systems the attacker had access to and whether those privileges exceeded its actual needs. If an accountant's user identity is compromised, that is a problem — but it should be limited to the accounting department. However, in a company where overprovisioning is common, an attacker who compromises a single identity could gain access to a variety of systems.

This is a more frequent problem than you might think — when an organization has tens of thousands of identities to manage, it is tricky to ensure that each one has privileges that correspond to its essential functions.

It used to be, at least. When applied to identity security, AI-based technologies have enabled enterprises to not only manage identity permissions at scale but also to evolve identity security decisions over time to ensure that they match the changing needs and dynamics of the business. AI can be trained to recognize patterns that normal human users would miss. 

For example, such tools may look for permissions that are rarely used and recommend that they be revoked; after all, why risk allowing an attacker to exploit them if they aren't being used? These tools can also be trained to recognize when the same type of user repeatedly requests access to specific data. They can then report that pattern to an IT team member, who decides whether additional permissions are warranted.

By identifying these patterns, AI-based identity tools help develop more appropriate permissions for identities across the organization, while giving IT staff the information they need to make informed decisions as circumstances change. By removing extraneous, unnecessary permissions, they ensure that giving up a single identity does not grant an attacker broad control of the environment. They also mean that, rather than impeding productivity, the IT team can boost it: by quickly identifying when it is safe and appropriate to grant additional permissions, they can ensure that every identity under management has access to the technology and data it requires. None of this would be possible unless humans and AI collaborated.
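The two patterns described above (grants that sit unused, and access that people in one role keep requesting by hand) can be computed from an access log without any machine learning at all; the value of the tooling is in doing it continuously at scale. The following is an added example written for this page, not code from the original post or from any identity product. It assumes a constructed set of identities, roles and log rows, a 60-day review window and a three-request threshold, none of which come from the post.

```python
"""Entitlement right-sizing from an access log.

Added example; not code from the original post or from any identity product.
Given the permissions granted to each identity and a log of which permissions
were actually exercised, it (1) lists grants that went unused for the whole
review window, which are candidates for revocation, and (2) flags permissions
that people in one role keep requesting ad hoc, which a reviewer may decide
belong in the role itself. Identities, roles, permissions and log rows are
constructed sample data; the window and threshold are assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample data: identity -> (role, set of granted permissions)
IDENTITIES = {
    "alice": ("accounting", {"ledger:read", "ledger:write", "payroll:read", "crm:export"}),
    "bob":   ("accounting", {"ledger:read", "ledger:write", "hr:read"}),
    "carol": ("sales",      {"crm:read", "crm:export"}),
    "dave":  ("sales",      {"crm:read"}),
}

# Constructed access log rows: (ISO timestamp, identity, permission, outcome)
# "used"      = the identity exercised a permission it holds
# "requested" = the identity asked for a permission it does not hold
ACCESS_LOG = [
    ("2022-11-01T09:00:00", "alice", "ledger:read",  "used"),
    ("2022-11-02T09:10:00", "alice", "ledger:write", "used"),
    ("2022-08-01T09:00:00", "alice", "payroll:read", "used"),   # outside the window
    ("2022-11-03T11:00:00", "bob",   "ledger:read",  "used"),
    ("2022-11-03T11:05:00", "bob",   "ledger:write", "used"),
    ("2022-11-04T14:00:00", "carol", "crm:read",     "used"),
    ("2022-11-05T14:00:00", "carol", "crm:export",   "used"),
    ("2022-11-06T10:00:00", "dave",  "crm:read",     "used"),
    ("2022-11-07T10:00:00", "dave",  "crm:export",   "requested"),
    ("2022-11-08T10:00:00", "dave",  "crm:export",   "requested"),
    ("2022-11-09T10:00:00", "dave",  "crm:export",   "requested"),
]


def parse_log(rows):
    return [(datetime.fromisoformat(ts), ident, perm, outcome)
            for ts, ident, perm, outcome in rows]


def unused_grants(identities, log, now, window_days=60):
    """Map identity -> sorted granted permissions not exercised within the window."""
    cutoff = now - timedelta(days=window_days)
    used = defaultdict(set)
    for ts, ident, perm, outcome in parse_log(log):
        if outcome == "used" and ts >= cutoff:
            used[ident].add(perm)
    report = {}
    for ident, (_role, granted) in identities.items():
        stale = sorted(granted - used[ident])
        if stale:
            report[ident] = stale
    return report


def recurring_requests(identities, log, min_requests=3):
    """Map (role, permission) -> count of ad-hoc requests seen at least min_requests times."""
    counts = Counter()
    for _ts, ident, perm, outcome in parse_log(log):
        if outcome == "requested":
            counts[(identities[ident][0], perm)] += 1
    return {key: n for key, n in counts.items() if n >= min_requests}


def blast_radius(identities, report):
    """What each identity would still reach if compromised after the revocations."""
    return {ident: sorted(granted - set(report.get(ident, [])))
            for ident, (_role, granted) in identities.items()}


def review(now_iso):
    """Run both checks as of a review time given as an ISO 8601 string."""
    now = datetime.fromisoformat(now_iso)
    return (unused_grants(IDENTITIES, ACCESS_LOG, now),
            recurring_requests(IDENTITIES, ACCESS_LOG))


if __name__ == "__main__":
    stale, recurring = review("2022-11-15T00:00:00")
    for ident, perms in stale.items():
        print(f"revoke from {ident}: {', '.join(perms)}")
    for (role, perm), n in recurring.items():
        print(f"role {role} requested {perm} {n} times: consider adding it to the role")
    print("post-revocation access:", blast_radius(IDENTITIES, stale))
```

The output is a recommendation, not an action: alice's payroll:read looks stale only because the window is shorter than her quarterly payroll cycle, which is exactly the judgment call the article leaves with the human reviewer.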

Gone are the days when managing identities and their permissions could be done manually; today, ensuring that each identity has the appropriate level of access requires significant assistance from artificial intelligence-based technology. Organizations can merge the speed and accuracy of automation with the contextual judgment of human decision-making by augmenting the human touch with AI. Together, they can assist organizations to manage their identities and entitlements more effectively while significantly reducing the impact of any potential attack.

An Online Date Led to an Inquiry into 'Systemic' Failures at American Express

 

Last summer, John Smith* had just returned to Sydney after more than a decade abroad when he met someone online. He began chatting with a man named Tahn Daniel Lee on the dating app Grindr. Lee was undergoing treatment for COVID at the time, so they communicated online for a few weeks before meeting in Sydney's Surry Hills for their first date - a Japanese dinner followed by Messina ice cream. The date would be one of many in a relationship that progressed quickly before taking a dark turn when Smith began to suspect Lee was watching his bank accounts.

The Age and The Sydney Morning Herald can reveal that American Express, one of the world's largest financial companies, not only dismissed Smith's initial complaint without a proper investigation but also provided misleading information during an external inquiry. It comes after two major ASX-listed companies, Optus and Medibank, exposed sensitive identification and health data to criminals, igniting a national debate about how best to deal with emerging cyber threats.

The "insider threat," according to cybersecurity experts, is a major risk, and the Privacy Commissioner's inability to penalize companies that violate the law has created a culture of impunity among corporate Australia.

“Because, what is the recourse? Businesses just aren’t doing the risk management that’s required. The tone starts from the top, ” says former Australian Federal Police investigator turned cyber expert Nigel Phair.

Smith's first impression of Lee was his charming smile, and the relationship developed quickly. Lee worked as a relationship manager for American Express Centurion, an exclusive club for black cardholders who spend at least $500,000 per year.

Smith had a platinum American Express card from living in the United States, but Lee suggested he sign up in Australia so he could illustrate how to maximize the benefits. He consented and began using American Express as his primary banking card shortly thereafter. After a series of comments about items Smith had purchased, places he had been, or payments he had made, he became skeptical that Lee was watching his transactions.

“I asked him how he was able to do this without my consent or authority (one-time pin etc), and he replied, ‘because the system is completely open, I have god mode’,” Smith wrote in a complaint later filed with American Express.

Smith has autism, and while he is classified as "high functioning," he occasionally struggles to recognize inappropriate behavior. He noticed "warning signs" about Lee but ignored them while traveling to Hawaii and Hamilton Island with his new partner, he claims.

During one of these trips, Smith became uneasy with the manner in which Lee discussed his clients' affairs, including major food distributor Primo Foods, which he claimed siphoned millions of dollars to the Cayman Islands. Lee later texted, "FYI, everything I tell you about work is highly confidential." 

By April, he had attempted to end the relationship and had warned Lee that he would report his behavior to American Express. Lee reacted negatively to this. He begged Smith to continue the relationship and, at one point, called Smith's close friend out of the blue to persuade her not to file a complaint. This was the breaking point. He was hell-bent on reporting Lee.

Amex: ‘No inappropriate access’

At the same time, another American Express employee noticed unusual activity on Smith's account. Lee was subjected to an internal investigation, which swiftly cleared him of any wrongdoing. On May 26, the company wrote to Smith, claiming Lee was not in a position to access his account and, in any case, there was training and processes in place to protect customer data.

Unconvinced, Smith asked American Express to confirm that Lee's access to his account had been blocked and reported the Primo Foods discussions. Smith claims that the following week, during a phone call, he was told that if Lee had looked at his account, it was no big deal because they were partners, and discussing Centurion's clients was also no cause for concern.

Smith filed a complaint with the Privacy Commissioner, who directed it to the Australian Financial Complaints Authority. AFCA immediately requested a meeting with American Express to verify that Lee had lost the rights to Smith's account.

The company's response was quick, but it turned out to be incorrect.  “We confirm that the employee has no access to [Smith]’s account,” Amex responded.

In subsequent letters between AFCA, Smith, and American Express, the company continued to imply that there had been no inappropriate access or violation of privacy laws. Until the plot shifted. In August, three months after Lee's suspicious activity was discovered, Smith was notified by American Express that Lee had indeed accessed his personal information.  

Lee accessed Smith's private account nine times between February and April of this year, according to digital access logs. American Express then stated that while it was impossible to prevent Lee from accessing the account, he would be disciplined and the account would be monitored to ensure no further intrusions.

“American Express is unable to practically restrict American Express employees from being able to access any specific Card member data. We acknowledge that [Smith] feels uncomfortable with his previous partner access to his personal information and have made every effort to implement controls to further protect his data,” the company wrote in a letter.

In a final decision issued this month, AFCA determined that American Express violated privacy laws by allowing Lee to access Smith's accounts without authorization both before and after the relationship. It awarded Smith $2000 in damages but did not order an apology or absolve the company of any wrongdoing.

“I am satisfied the financial firm has investigated the matters raised by the complainant, and in the circumstances, it has responded appropriately,” AFCA found.

American Express declined to answer specific questions about how it investigated Smith's complaint or what action it took against Lee, but stated it maintains the "highest levels of integrity" and has cooperated with AFCA.

“Whilst they made a determination against us, they concluded that American Express had investigated and responded appropriately,” the company said. “We are satisfied that this matter poses no risk to the integrity of our systems. Protecting the privacy of our customers and the integrity of our systems remains our utmost priority.”

Current laws allow for fines of up to $2.2 million for each unauthorized access. The federal government is considering raising the penalty to $50 million per breach, which would mean that American Express could have faced penalties totaling $450 million for the nine breaches.

“Companies need to take this issue around unauthorized access to information more seriously because the penalties are significant,” CyberCX privacy law expert David Batch says. “But in reality, the Privacy Commissioner has historically not handed down those fines.”

Smith was informed in October that AFCA's systemic issues team had agreed to investigate American Express's handling of his case. This team investigates serious violations and systemic issues and can refer cases to other regulators, such as the Privacy Commissioner, but its findings are not very transparent. AFCA could not say whether the promised investigation would go ahead.

According to Nigel Phair, Professor of Cybersecurity at the University of New South Wales, the "insider threat" is a major concern for businesses, where the actions of rogue employees can jeopardize the security of the entire organization.

He claims that the government's failure to implement harsh penalties on companies that mishandle their customers' data fosters a culture of impunity among Australian corporations.

For Smith, American Express and the system designed to hold companies accountable have let him down. He now makes a point of only using the card in ways that do not reveal his location. Requests for comment from Lee and Primo Foods were not returned.

*Not his real name. He asked that his identity be kept confidential.

China-Based Sophisticated Phishing Campaign Utilizes 42K Domains

 

Thousands of people are at risk from a massive phishing campaign run by a Chinese hacking group known as "Fangxiao," which uses thousands of imposter domains to target victims. 

The campaign used 42,000 imposter domains to facilitate its phishing attacks; the bogus domains direct users to adware (advertising malware) apps, giveaways, and dating websites. The domains were discovered by Cyjax, a cybersecurity and threat solutions company. In a Cyjax blog post, Emily Dennison and Alana Witten described the scam as sophisticated, with the ability to "exploit the reputation of international, trusted brands in multiple verticals including retail, banking, travel, pharmaceuticals, travel, and energy".

The scam commences with a nefarious WhatsApp message impersonating a well-known brand. Emirates, Coca-Cola, McDonald's, and Unilever are examples of such brands. This message contains a link to a webpage that has been enticingly designed. The redirection site is determined by the target's IP address as well as their user agent.

For example, McDonald's may advertise a free giveaway. When the victim completes their registration for the giveaway, the Triada Trojan malware can be downloaded. Malware can also be installed through the download of a specific app, which victims are instructed to install in order to continue participating in the giveaway.

According to Cyjax's blog post on the campaign, most of Fangxiao's infrastructure sits behind Cloudflare, an American content delivery network (CDN). The imposter domains were registered through GoDaddy, Namecheap, and Wix, with their names rotated regularly.

Most of the phishing domains were registered under .top, with the rest mostly under .cn, .cyou, .xyz, .tech, and .work.

The Fangxiao Group Is Not a New Concept

The Fangxiao hacking collective has been active for some time. The domains used in this campaign were first observed by Cyjax in 2019 and have grown in number since then; Fangxiao added over 300 unique domains in a single day in October 2022.

Cyjax has not confirmed with certainty that the group is based in China, but it assesses this with high confidence; one indicator is the use of Mandarin in one of the group's exposed control panels. Cyjax also assessed that the campaign's goal is most likely monetary gain.
 
Phishing is one of the most common cybercrime tactics today, and it can take many different forms. Phishing attacks, especially those that are highly sophisticated, can be difficult to detect. Although spam filters and antivirus software can help to reduce phishing attacks, it's still important to trust your instincts and avoid any communications that don't seem quite right.
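Both the Black Friday campaign above and Fangxiao rely on the same trick: a trusted brand's name on a domain the brand does not own, often under a cheap TLD and with a lure word in the name. That combination is easy to hunt for in DNS or proxy logs. The following detector is an added example written for this page, not code from CloudSEK or Cyjax; the brand allow-list, proxy log lines and scoring weights are constructed assumptions, while the TLD list is the one the Cyjax write-up reports.

```python
"""Flag brand-impersonation domains in a proxy log.

Added example; not code from CloudSEK or Cyjax. Three heuristics shared by the
two campaigns: (1) a trusted brand's name embedded in a domain the brand does
not own, (2) registration under the TLDs the Fangxiao report lists, and
(3) lure words such as "giveaway" or "blackfriday". Brands, legitimate
domains, log lines and weights are constructed sample data / assumptions.
"""
import re

# Constructed allow-list: brand token -> registrable domains the brand actually uses
BRANDS = {
    "mcdonalds": {"mcdonalds.com"},
    "emirates":  {"emirates.com"},
    "cocacola":  {"coca-cola.com", "cocacola.com"},
    "unilever":  {"unilever.com"},
}
SUSPICIOUS_TLDS = {"top", "cn", "cyou", "xyz", "tech", "work"}   # from the Cyjax write-up
LURE_WORDS = {"giveaway", "blackfriday", "prize", "free", "bonus"}

# Constructed proxy log lines: "<timestamp> <client> <method> <url>"
LOG_LINES = """\
2022-11-18T10:01:02 10.0.0.5 GET https://www.mcdonalds.com/menu
2022-11-18T10:02:14 10.0.0.7 GET http://mcdonalds-giveaway.top/win
2022-11-18T10:03:55 10.0.0.9 GET https://emirates.com/booking
2022-11-18T10:04:30 10.0.0.9 GET http://emirates-blackfriday.cyou/claim
2022-11-18T10:05:12 10.0.0.4 GET https://coca-cola.com/
2022-11-18T10:06:45 10.0.0.4 GET http://free-cocacola-prize.xyz/app.apk
2022-11-18T10:07:01 10.0.0.8 GET https://example.org/
""".splitlines()

URL_RE = re.compile(r"^\S+ \S+ \S+ https?://([^/\s:]+)")


def host_of(line):
    m = URL_RE.match(line)
    return m.group(1).lower() if m else None


def registrable(host):
    """Naive registrable domain: the last two labels (good enough without a public-suffix list)."""
    return ".".join(host.split(".")[-2:])


def score_host(host):
    """Return (score, reasons) for one hostname; 0 means nothing matched."""
    reg = registrable(host)
    tld = reg.rsplit(".", 1)[-1]
    squashed = re.sub(r"[^a-z0-9]", "", host)      # "coca-cola" -> "cocacola"
    reasons = []
    brand_abuse = False
    for brand, owned in BRANDS.items():
        if brand in squashed and reg not in owned:
            reasons.append(f"brand '{brand}' on unowned domain {reg}")
            brand_abuse = True
            break
    if tld in SUSPICIOUS_TLDS:
        reasons.append(f"tld .{tld}")
    lure = sorted(w for w in LURE_WORDS if w in squashed)
    if lure:
        reasons.append("lure words " + ",".join(lure))
    # Assumed weighting: brand abuse alone is enough; TLD and lure words corroborate.
    score = (3 if brand_abuse else 0) + (1 if tld in SUSPICIOUS_TLDS else 0) + (1 if lure else 0)
    return score, reasons


def flag_lines(lines, threshold=3):
    """Return [(host, score, reasons)] for log lines whose host scores at or above threshold."""
    hits = []
    for line in lines:
        host = host_of(line)
        if host is None:
            continue
        score, reasons = score_host(host)
        if score >= threshold:
            hits.append((host, score, reasons))
    return hits


if __name__ == "__main__":
    for host, score, reasons in flag_lines(LOG_LINES):
        print(f"{score} {host}: {'; '.join(reasons)}")
```

Substring matching on the brand token is deliberately crude: it catches "mcdonalds-giveaway.top" but not homoglyph or typo-squat lookalikes, for which you would add an edit-distance comparison against the allow-list. In practice the hit list feeds a blocklist or a ticket, and the allow-list has to be maintained as brands add legitimate campaign domains.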

'Washing Checks' and 'Mailbox Phishing' Emerge as Popular Crimes

 

Fraudsters attempt to steal paper checks from mailboxes, "washing" them with nail polish remover and filling in new amounts and payees, causing victims and their banks, which usually foot the bill, to suffer indefinitely. The black market for "glass" — pilfered checks sold online with the assurance that they will clear at the bank — is becoming more widespread and sophisticated. 

Criminals are diversifying into the sale of stolen account numbers and identity theft, as well as the "arrow keys" used by mail carriers to open multiple boxes. Following the theft of the checks, a large amount of mail, including mail-in voter ballots, is dumped. Thieves either "fish" letters out of the mail slot or rob postal workers of their mail and arrow keys. 

"We see [sellers] offering $1,000 to $7,000 a key, depending on the number of mailboxes in the ZIP code," states David Maimon, a cybercrime expert at Georgia State University who has been tracking the surge.

As per Maimon, personal checks now "go up to $250" apiece, up from $125 to $175 previously this year. Washed business checks can now fetch up to $650, up from $250.
 
"It's gone berserk," says Frank McKenna, a banking fraud consultant who traces the phenomenon back to the pandemic-era surge in stolen stimulus checks and unemployment benefits.

Maimon's Evidence-Based Cybersecurity Research Group has been monitoring 60 black-market communication channels to study the online fraud ecosystem for more than two years. He claims that most illegal activity occurs on Telegram, though how-to videos on check-washing can also be found on YouTube.
 
While California, New York, New Jersey, and Florida are among the most affected, Maimon tells Axios that "we're seeing this spreading to distant states." And the data sold with a check has changed significantly: fraudsters now offer the check writer's Social Security number as well as account balances obtained from the dark web.

"We're talking about a very sophisticated supply chain at this point. It's just mind-boggling how things have evolved," he added. The United States Postal Service has placed warning signs on blue mailboxes, advising people to use online bill pay or bring their letters to a post office.

Because checks written in indelible ink cannot be washed, gel pens are marketed as "fraud prevention." Congress recently held a hearing on "rampant" mail theft, the scope of which is unknown. Banks are staffing up in check processing to combat fraud while blaming staffing cuts at the US Postal Inspection Service, the USPS' law enforcement arm.

"Check fraud has become so widespread due to brazen criminality and mail theft that many banks are struggling to collect on bad checks from other banks," American Banker reports. "Though fraud losses are skyrocketing at all banks, small banks appear to be bearing the brunt of check fraud," the news site said. 

"Banks typically reimburse their customers when a fraudulent or stolen check gets posted against their account, but getting repaid for a bad check has become a long, drawn-out affair."

The Postal Inspection Service is on the hot seat over the issue. The Postal Inspection Service, for its part, claims that it has made "significant security enhancements" to mailboxes and that postal inspectors made 1,511 arrests for mail theft in 2021, with 1,263 convictions.

"It's really frustrating that banks are being held liable because the Postal Service can't secure the mail," says Paul Benda, senior vice president for operational risk and cybersecurity at the American Bankers Association. "These numbers may seem impressive at first blush, but they are not," he said in congressional testimony.

The bottom line is that "much more systematic data on this type of fraud is needed to better understand how it works, crack down on the activity, and prevent it from occurring in the first place," according to Maimon.

Hackers Use These Five Common Ways to Hack Websites

 

Cybercriminals target websites of every kind. Data theft, remote access, and malware distribution can all occur through social media platforms, online retailers, file-sharing services, and other online services. Hackers employ a variety of techniques to infiltrate websites; the top five types of attack are discussed in this article. 

1. Brute force attacks 

Brute force attacks are trial and error: the attacker submits candidate passwords, login credentials, or decryption keys until one works. Online, that means hammering a login form or API with guesses, which is why rate limiting and account lockouts matter; offline, it means running a wordlist against a stolen database of password hashes, where the only thing slowing the attacker down is the cost of computing each hash. The same guessing technique is used to enumerate hidden pages and directories by trying likely names.
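The offline case is the one website owners control, because the hash function they chose sets the attacker's cost per guess. The following is an added example written for this page, not code from the original article: the same wordlist loop is run against an unsalted SHA-256 store and against a salted PBKDF2 store. The user records, wordlist and the (deliberately low) iteration count are constructed assumptions.

```python
"""Why brute force works against fast hashes and stalls against slow ones.

Added example; not from the original article. An attacker holding a stolen
password database runs the same guessing loop whatever the hash; only the cost
per guess changes. The unsalted SHA-256 store is cracked in microseconds; the
PBKDF2 store needs the same number of guesses but each costs ITERATIONS hash
computations, and the per-user salt stops one pass from testing every user at
once. Wordlist and iteration count are constructed demo values.
"""
import hashlib
import hmac
import os
import time

# Deliberately low for a quick demo; production tuning is far higher (assumption:
# OWASP's current PBKDF2-HMAC-SHA256 guidance is in the hundreds of thousands).
ITERATIONS = 100_000

# Constructed wordlist an attacker would try first
WORDLIST = ["123456", "qwerty", "letmein", "password123", "summer2022", "correcthorse"]


# --- weak scheme: unsalted, fast hash ---------------------------------------
def weak_store(password):
    """What not to do: one SHA-256 over the password, no salt, no work factor."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack_weak(stored_hex, wordlist):
    """Return (password, guesses_made) or (None, guesses_made)."""
    for i, guess in enumerate(wordlist, 1):
        if hmac.compare_digest(weak_store(guess), stored_hex):
            return guess, i
    return None, len(wordlist)


# --- hardened scheme: per-user salt + iterated PBKDF2-HMAC-SHA256 -----------
def strong_store(password, salt=None, iterations=ITERATIONS):
    """Return (salt, derived_key, iterations); the salt is random per user."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, dk, iterations


def crack_strong(record, wordlist):
    """Same loop as crack_weak, but every guess repeats the full PBKDF2 work."""
    salt, dk, iterations = record
    for i, guess in enumerate(wordlist, 1):
        cand = hashlib.pbkdf2_hmac("sha256", guess.encode(), salt, iterations)
        if hmac.compare_digest(cand, dk):
            return guess, i
    return None, len(wordlist)


def timed(fn, *args):
    """Run fn(*args) and return (result, elapsed_seconds)."""
    t0 = time.perf_counter()
    result = fn(*args)
    return result, time.perf_counter() - t0


if __name__ == "__main__":
    weak_rec = weak_store("password123")
    strong_rec = strong_store("password123")
    (pw, n), t_weak = timed(crack_weak, weak_rec, WORDLIST)
    print(f"sha256:  cracked {pw!r} in {n} guesses, {t_weak*1e6:.0f} us total")
    (pw, n), t_strong = timed(crack_strong, strong_rec, WORDLIST)
    print(f"pbkdf2:  cracked {pw!r} in {n} guesses, {t_strong:.2f} s total")
    print(f"slowdown per guess: about {t_strong / max(t_weak, 1e-9):.0f}x")
```

Both stores fall to the same four guesses because "password123" is in the wordlist; the hash choice cannot rescue a weak password, only make each guess expensive. A bcrypt, scrypt or Argon2 store behaves the same way with memory cost added on top, and the online side of the attack is handled separately by rate limiting, lockouts and MFA.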

2. Keyloggers and Spyware

An attacker can use a keylogger to record every keystroke made on an infected device or server. It is a type of monitoring software widely used in data theft. For example, if someone enters their payment card details while a keylogger is active, the malicious operator can spend that person's money without their knowledge. In the case of websites, an attacker who plants a keylogger on a website administrator's machine can capture the credentials needed to log in and take over the site. Keyloggers are a type of spyware, and spyware can take many forms, such as adware and Trojans.

3. Man-in-the-Middle Attacks

In a Man-in-the-Middle (MitM) attack, a malicious actor eavesdrops on private sessions. The attacker positions themselves between a user and an application in order to read valuable data passing between them, and, instead of merely listening, may impersonate one of the legitimate parties.

Because much of the intercepted traffic is protected by TLS (formerly SSL), the attacker must defeat that protection before the data can be read, for instance by SSL stripping, in which the attacker keeps the victim on a plain-HTTP connection while speaking HTTPS to the real site on their behalf. If the malicious actor succeeds in making the data readable, they can use it to hijack accounts, sessions, and applications.
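SSL stripping only works while the browser is willing to talk HTTP to the site, which is what the Strict-Transport-Security header takes away. The following is an added example written for this page, not code from the original article: one function does the attacker's rewrite on an intercepted page, and another checks a response's headers the way a browser would to decide whether the downgrade could succeed. The HTML, the header sets and the one-year minimum max-age are constructed assumptions.

```python
"""SSL stripping, and the response headers that defeat it.

Added example; not from the original article. strip_tls() is the attacker's
rewrite: every https:// reference in a page intercepted on a plain-HTTP
connection becomes http://, so the victim's next request stays in cleartext
(a simplified sslstrip). resists_stripping() is the defender's check: an HSTS
header with a long max-age makes the browser refuse HTTP for the host, and
Secure cookies are never sent over a stripped connection. All sample data is
constructed; the one-year threshold is an assumption.
"""
import re

# Constructed page as the real site serves it over HTTPS
SAMPLE_HTML = """<html><body>
<a href="https://bank.example/login">Log in</a>
<form action="https://bank.example/transfer" method="post"></form>
<img src="https://cdn.bank.example/logo.png">
</body></html>"""

# Constructed response headers for three configurations
HARDENED_HEADERS = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Set-Cookie: session=abc123; Secure; HttpOnly; SameSite=Lax
Content-Type: text/html"""

MIXED_HEADERS = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000
Set-Cookie: session=abc123; HttpOnly
Content-Type: text/html"""

WEAK_HEADERS = """HTTP/1.1 200 OK
Set-Cookie: session=abc123; HttpOnly
Content-Type: text/html"""


def strip_tls(html):
    """Attacker side: downgrade quoted https:// links, actions and sources.
    Returns (rewritten_html, number_of_rewrites)."""
    return re.subn(r"""(?<=["'])https://""", "http://", html)


def parse_headers(raw):
    """Parse a raw response head into {lowercase-name: [values]} (status line dropped)."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def hsts_policy(headers):
    """Return {'max_age': int, 'include_subdomains': bool}, or None if no HSTS header."""
    values = headers.get("strict-transport-security")
    if not values:
        return None
    directives = [d.strip().lower() for d in values[0].split(";")]
    max_age = 0
    for d in directives:
        if d.startswith("max-age="):
            try:
                max_age = int(d.split("=", 1)[1])
            except ValueError:
                pass
    return {"max_age": max_age, "include_subdomains": "includesubdomains" in directives}


def resists_stripping(headers, min_age=31536000):
    """Defender check: HSTS for at least min_age seconds and every cookie marked Secure."""
    policy = hsts_policy(headers)
    if policy is None or policy["max_age"] < min_age:
        return False
    cookies = headers.get("set-cookie", [])
    return all("secure" in [a.strip().lower() for a in c.split(";")] for c in cookies)


if __name__ == "__main__":
    stripped, n = strip_tls(SAMPLE_HTML)
    print(f"attacker rewrote {n} references:\n{stripped}")
    for name, raw in [("hardened", HARDENED_HEADERS), ("mixed", MIXED_HEADERS), ("weak", WEAK_HEADERS)]:
        print(f"{name}: resists stripping = {resists_stripping(parse_headers(raw))}")
```

HSTS is trust-on-first-use: the browser has to have seen the header over a genuine HTTPS connection once before it will refuse HTTP, which is what the preload list closes off. The mixed configuration shows the other gap: HSTS without Secure cookies still leaks the session if any subresource or redirect slips onto HTTP.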

4. Remote Code Execution 

Remote Code Execution (RCE) is a fairly self-explanatory term: an attacker uses a security flaw to run code of their choosing on a target from a remote location, over a local network or the internet. The attacker never needs physical access to the device; the vulnerability gives them a foothold on it.

An attacker can steal sensitive data and perform unauthorized functions on a victim's computer by exploiting an RCE vulnerability. Because this type of attack can have serious consequences, RCE vulnerabilities are (or should be) taken very seriously.
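The most common RCE bug in web applications is not exotic: user input spliced into a command line. The following is an added example written for this page, not code from the original article: a handler that "checks" a user-supplied host, first in its vulnerable form and then hardened. It runs echo instead of ping so it works offline, and the hostnames are constructed sample input.

```python
"""Command injection: a remote code execution bug beside its fix.

Added example; not from the original article. vulnerable_check() splices the
submitted host into a shell command, so a request for "example.org; id" runs
id on the server. hardened_check() validates the host against a strict
hostname pattern and passes it as its own argv element with no shell involved.
echo stands in for ping so the demo runs offline; the hostnames are constructed.
"""
import re
import subprocess

# RFC 1123-style hostname: labels of letters, digits and hyphens, no leading/trailing
# hyphen, 253 characters total. Rejects spaces, ';', '$', and anything starting with '-'.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


def vulnerable_check(host):
    """VULNERABLE: string concatenation plus shell=True is remote code execution.
    (echo stands in for the real 'ping -c 1' to keep the demo offline.)"""
    cmd = "echo checking " + host
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def is_valid_hostname(host):
    """Allow-list validation: True only for a syntactically valid hostname."""
    return bool(HOSTNAME_RE.match(host))


def hardened_check(host):
    """Validate first, then pass the value as a single argument; no shell parses it."""
    if not is_valid_hostname(host):
        raise ValueError(f"invalid hostname: {host!r}")
    return subprocess.run(["echo", "checking", host], capture_output=True, text=True).stdout


if __name__ == "__main__":
    payload = "example.org; echo INJECTED"
    print("vulnerable:", vulnerable_check(payload).strip().replace("\n", " | "))
    print("hardened  :", hardened_check("example.org").strip())
    try:
        hardened_check(payload)
    except ValueError as err:
        print("hardened  :", err)
```

The argv form alone is not enough: without the pattern check, a value such as "-c" or "--" would still reach the program as an option, which is argument injection rather than shell injection. The validator rejects a leading hyphen for that reason, and the same allow-list approach applies to any input that ends up in a command, a file path or a template.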

5. Third-Party Exploits

Thousands of businesses around the world rely on third-party vendors, particularly in the digital realm. Many applications act as third-party service providers for online businesses, whether they process payments, authenticate logins, or provide security tools. However, those same vendors can be used as a route into their clients' websites.

Attackers can take advantage of a security vulnerability, such as a bug, in a third-party vendor. Some third-party applications and services have lax security measures, making them vulnerable to hackers. This exposes sensitive data from a website to the attacker for retrieval. Even if the website has advanced security features, the use of third-party vendors can be a weakness.

Unfortunately, even when we use the proper security measures, websites and accounts are still vulnerable to attacks. As cybercriminals improve their methods, it becomes more difficult to detect red flags and stop an attack in its tracks. However, it is critical to be aware of the tactics used by cybercriminals and to employ the proper security practices to protect yourself as much as possible.


Thales Denies Getting Hacked as Ransomware Group Reveals Gigabytes of Information


Overnight, a 9.5-gigabyte archive of information pertaining to [the French company] Thales was published on the website of the cybercrime gang Lockbit. The archive houses information about Thales contracts and partnerships in Italy and Malaysia. When contacted by Le Monde, Thales confirmed that the data had been posted on the hackers' website, but claimed that "no intrusion" had occurred into the company's IT system. 

"Thales' security experts have narrowed down one of two possible sources of the information theft. It was a partner's account on a dedicated exchange portal that led to the disclosure of a limited amount of information," said a company spokesperson, adding that its teams are working to identify the second source. Thales also stated that the data leak has no impact on its business.

The documents published on Lockbit's website mention, among other items, a project announced in 2018 by Thales and Malaysia-based Novatis Resources to implement aerial surveillance tools for Malaysia's Kota Kinabalu airport. The documents, which are dated 2021, indicate the project and the company's monitoring. 

Other files discuss Thales' contracts in Italy, particularly in Florence, to support an automated ticket sales system for public transportation services. The archive appears to include no personal information about the company's employees.

Lockbit announced earlier this month that it had stolen data from Thales and threatened to publish it on its website. The cybercriminal group then announced a November 7 release date. On that day, the site posted a message stating that the data had been published but did not provide access to it, casting doubt on whether the attack had actually taken place. The stolen files were eventually discovered on the site during the night of November 10 to 11.

Lockbit has claimed an attack on Thales before: in January, the group announced that it had stolen data from the company. The data released at the time consisted primarily of code repositories from the company's external server, data deemed "not very sensitive" by the French company.

On Thursday, US authorities revealed the arrest of a Canadian citizen suspected of working for the Lockbit group. This citizen, who holds dual Russian and Canadian citizenship, is currently being held in detention awaiting extradition to the United States.

According to court documents, a search conducted by law enforcement agencies in August resulted in the seizure of the suspect's computer, which disclosed traces of logins to the control panel of Lockbit's ransomware, as well as messages exchanged with LockBitSupp, an account used by the cybercriminal group to provide support for its software. 

As per the US Attorney's Office, a file on the suspect's computer contained a list of past and future Lockbit group targets. During a second search, investigators discovered a cryptocurrency wallet belonging to the suspect, which contained 0.8 bitcoin (€13,482 at the time of publication). This bitcoin came from a ransom payment made by one of the Lockbit group's victims. The suspect faces a maximum sentence of five years in prison.

GitHub Introduces Private Flaw Reporting to Secure Software Supply Chain


GitHub, a Microsoft-owned code hosting platform, has announced the launch of a direct channel for security researchers to report vulnerabilities in public repositories that allow it. The new private vulnerability reporting capability allows repository administrators to enable security researchers to report any vulnerabilities found in their code to them. 

Some repositories include instructions on how to contact the maintainers for vulnerability reporting, but for those that do not, researchers frequently report issues publicly. Whether the researcher reports the vulnerability through social media or by creating a public issue, this approach can expose vulnerability details before the maintainers have had a chance to fix them.

To avoid such situations, GitHub has implemented private reporting, which allows researchers to contact the maintainers of repositories that have opted in directly. If the functionality is enabled, reporting security researchers are given a simple form to fill out with information about the identified problem.

According to GitHub, "anyone with admin access to a public repository can enable and disable private vulnerability reporting for the repository." When a vulnerability is reported, the repository maintainer is notified and can either accept or reject the report or ask additional questions about the issue.

According to GitHub, the benefits of the new capability include the ability to discuss vulnerability details privately, receiving reports directly on the same platform where the issue is discussed and addressed, initiating the advisory report, and a lower risk of being contacted publicly.

Private vulnerability reporting can be enabled from the repository's main page's 'Settings' section, in the 'Security' section of the sidebar, under 'Code security and analysis.' Once the functionality is enabled, security researchers can submit reports by clicking on a new 'Report a vulnerability' button on the repository's 'Advisories' page.

The private vulnerability reporting was announced at the GitHub Universe 2022 global developer event, along with the general availability of CodeQL support for Ruby, a new security risk and coverage view for GitHub Enterprise users, and funding for open-source developers.

The platform will provide a $20,000 incentive to 20 developers who maintain open-source repositories through the new GitHub Accelerator initiative, while the new $10 million M12 GitHub Fund will support future open-source companies.