Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label cyber attack. Show all posts
Smishing Scam
Automotive Industry Cyber cyber attack IRS phishing Ransomware Smishing Scam

IRS Warns Car Dealers of New Phishing and Smishing Threats


 

The Internal Revenue Service (IRS) has issued an urgent warning to car dealers and sellers across the United States, highlighting a surge in sophisticated phishing and smishing scams targeting the automotive industry. These cyber threats pose a significant risk to the daily operations of businesses, potentially leading to severe disruptions.

The warning follows a recent ransomware attack on CDK Global, a software provider for car dealerships. This cyberattack affected approximately 15,000 dealerships nationwide, crippling their scheduling, sales, and order systems. Some dealers were forced to revert to manual processes to continue their operations. In response to the attack, CDK Global reportedly paid a $25 million ransom to regain control of their systems.

According to the IRS, scammers are increasingly impersonating the agency to extract sensitive financial and personal information. These fraudulent communications often come in the form of emails or text messages, urging recipients to click on suspicious links, download malicious files, or provide confidential details. The IRS emphasised that such tactics are a "favourite" among cybercriminals.


Recommendations for Protection

To safeguard against these scams, the IRS provided several recommendations for both businesses and individuals:

1. Stay Alert to Fake Communications: Be cautious of unsolicited messages that appear to come from legitimate organisations, friends, or family. These messages may impersonate banks or other financial entities to deceive recipients into clicking harmful links.

2. Avoid Clicking Unsolicited Links: Never click on links in unsolicited emails or text messages, as they may lead to identity theft or malware installation.

3. Verify the Sender: If you receive a suspicious message, verify its authenticity by contacting the sender through a different communication method. Do not use contact information provided in the unsolicited message.

4. Do Not Open Attachments: Avoid opening attachments in unsolicited emails, as they can contain malicious code that can infect your computer or mobile device.

5. Delete Suspicious Emails: To prevent potential harm, delete any unsolicited emails immediately.


Vigilance is Key

The IRS stressed the importance of vigilance in the face of these evolving cyber threats. By following the recommended precautions, car dealers and sellers can reduce their risk of falling victim to phishing and smishing scams. As cybercriminals continue to refine their tactics, staying informed and cautious remains crucial for protecting sensitive information and maintaining business continuity.


Read more »
MediSecure
Australia cyber attack Data financial strain Hacking Healthcare MediSecure

Massive Cyber Attack Hits MediSecure, Impacting Millions of Australians

 



In a shocking revelation, MediSecure, an eprescription provider, has confirmed that approximately 12.9 million Australians have been affected by a cyberattack that occurred in April. This incident has surpassed previous notable breaches, including the Optus and Medibank data breaches in 2022, in terms of the number of individuals impacted.

The administrators of MediSecure, FTI Consulting, disclosed that the compromised data includes individuals' healthcare identifiers. However, due to the complexity and sheer volume of the data involved, identifying the specific individuals whose data was stolen is financially unfeasible for the company. This inability to pinpoint affected individuals prevents MediSecure from notifying them about the breach.

Data Complexity and Financial Constraints

The compromised server contained 6.5 terabytes of data, equivalent to billions of pages of text. This data was stored in a mix of semi-structured and unstructured formats, making it extremely difficult to analyse without incurring substantial costs. The encrypted nature of the server further complicates efforts to determine the exact information accessed by the malicious actors. MediSecure's financial limitations have left the company unable to afford the extensive resources needed to sift through the massive amount of data.

Notification Delays and Administrative Actions

Despite the hack occurring in April, MediSecure did not make the incident public until May. The delayed notification has raised concerns about the company's crisis management and communication strategies. Subsequently, the company entered administration in June, and its subsidiary, Operations MDS, went into liquidation. This subsidiary was identified as the main trading entity of the corporate group, highlighting the severe impact of the cyberattack on the company's operational capabilities.

Impact on Healthcare Services

MediSecure had provided a crucial service that allowed healthcare professionals, such as general practitioners, to send electronic prescriptions to patients. However, this service has not been used for new electronic prescriptions since November 15, following a decision by the federal Health Department to designate eRx as the sole e-script provider. This shift has left many healthcare providers scrambling to adapt to the new system, further complicating the ecosystem for electronic healthcare services in Australia.

The MediSecure cyberattack highlights the growing threat of data breaches and the challenges companies face in managing and mitigating such incidents. With 12.9 million Australians potentially affected and the company unable to notify them, the breach underscores the need for robust cybersecurity measures and the financial resilience to respond effectively to such crises. This incident serves as a stark reminder of the vulnerabilities that exist in the digital age and the critical importance of safeguarding sensitive information.


Read more »
US Healthcare
Ascensions Health System cyber attack Cyber Attacks Personal Data Sensitive data US Healthcare

Ascension Health System Hit by Cyberattack, Personal Data Likely Compromised

 



In a recent cybersecurity incident, Ascension, a major health system, has disclosed that cybercriminals stole files potentially containing personal information. This comes about a month after Ascension initially reported falling victim to a ransomware attack.

Ascension revealed that the attackers managed to extract files from seven of its 25,000 file servers. While the investigation is ongoing, preliminary findings suggest that these files may include protected health information and personally identifiable information. However, Ascension has yet to determine the exact data compromised or the specific patients affected.

Despite the breach, Ascension reported no evidence indicating that data from its electronic health records were stolen. The attack was traced back to an employee inadvertently downloading a malicious file, mistaking it for a legitimate document.

In response to the attack, Ascension is offering free credit monitoring and identity theft protection services to patients and employees. Those interested in these services can call 1-888-498-8066 to enrol. 

The attack, discovered on May 8, caused paradigm altering disruptions across Ascension’s network. Some elective surgeries and appointments were postponed, and one hospital in Illinois temporarily redirected ambulances to other facilities. Nurses at several hospitals faced challenges, such as difficulties in accessing doctors’ orders for medications and tests, and issues with their standard procedures for medication administration.

Ascension Illinois has recently restored its primary technology for electronic patient documentation, allowing hospitals and doctors' offices to resume electronic documentation, charting, and order sending. This restoration marks a crucial step in returning to normal operations.

This incident at Ascension is part of a troubling trend of cyberattacks targeting healthcare institutions. Earlier this year, Lurie Children’s Hospital in Chicago and the University of Chicago Medical Center also faced cyber incidents. Healthcare systems are prime targets for cybercriminals due to their size, reliance on technology, and the vast amounts of sensitive data they handle, according to the U.S. Department of Health and Human Services.

As cyber threats expand their territory, healthcare systems must remain vigilant and enhance their cybersecurity measures to protect sensitive patient information. The Ascension attack underscores the critical need for robust security protocols and employee awareness to prevent future breaches.


Read more »
Ransomware
cyber attack Cyber Attacks Digital Security Finland NATO Ransomware

NoName Ransomware Group Allegedly Targets Denmark and Finland Over NATO Support


 

The ransomware group NoName has reportedly launched cyberattacks against key institutions in Denmark and Finland, citing their support for NATO as the provocation. The alleged attacks targeted Denmark’s digital identification system MitID, the Finland Chamber of Commerce, and Finland’s largest financial services provider, OP Financial Group.

On a dark web forum, NoName announced these attacks, positioning them as a reaction to Denmark and Finland's recent military and infrastructural actions favouring NATO. The group specifically called out Denmark for training Ukrainian specialists in F-16 fighter jet maintenance:

"Denmark has trained the first 50 Ukrainian specialists in servicing F-16 fighter jets. Most of the specialists have already returned to Ukraine to prepare for the reception of F-16s at local air bases. The training of the first group of Ukrainian pilots continues in Denmark.”

They also criticised Finland for infrastructure upgrades intended to support NATO troops:

“Finland has begun repairing roads and bridges in Lapland to prepare for the deployment of NATO troops on its territory. ERR.EE reports on its change of stance on NATO forces and planned infrastructure work.”

NoName concluded their message with a warning, suggesting that Denmark and Finland's governments had not learned from past mistakes and threatened further actions.

Potential Impact on Targeted Entities

MitID: Denmark's MitID is a crucial component of the country's digital infrastructure, enabling secure access to various public and private services. An attack on this system could disrupt numerous services and damage public trust in digital security.

Finland Chamber of Commerce: The Chamber plays a vital role in supporting Finnish businesses, promoting economic growth, and facilitating international trade. A cyberattack could destabilise economic activities and harm business confidence.

OP Financial Group: As the largest financial services group in Finland, OP Financial Group provides a range of services from banking to insurance. A successful cyberattack could affect millions of customers, disrupt financial transactions, and cause significant economic damage.

Despite the claims, the official websites of MitID, the Finland Chamber of Commerce, and OP Financial Group showed no immediate signs of being compromised. The Cyber Express Team has reached out to these institutions for confirmation but has not received any official responses as of the time of writing, leaving the allegations unconfirmed.

The timing of these alleged cyberattacks aligns with recent military and infrastructural developments in Denmark and Finland. Denmark's initiative to train Ukrainian specialists in F-16 maintenance is a significant support measure for Ukraine amidst its ongoing conflict with Russia. Similarly, Finland's infrastructure enhancements in Lapland for NATO troops reflect its strategic alignment with NATO standards following its membership.

The NoName ransomware group's alleged cyberattacks on Danish and Finnish institutions highlight the increasing use of cyber warfare for political and military leverage. These attacks aim to disrupt critical infrastructure and send a strong message of deterrence and retaliation. The situation remains under close scrutiny, with further updates expected as more information or official responses become available.


Read more »
Patient Data
American Hospital Association Ascension Ascensions Health System cyber attack Healthcare Patient Data

Cyberattacks Threaten US Hospitals: Patient Care at Risk


 

A severe cyberattack on Ascension, one of the largest healthcare systems in the United States, has disrupted patient care significantly. The ransomware attack, which began on May 8, has locked medical providers out of critical systems that coordinate patient care, including electronic health records and medication ordering systems. This disruption has led to alarming lapses in patient safety, as reported by health care professionals across the nation.

Marvin Ruckle, a nurse at Ascension Via Christi St. Joseph in Wichita, Kansas, highlighted the chaos, recounting an incident where he almost administered the wrong dose of a narcotic to a baby due to confusing paperwork. Such errors were unheard of when the hospital’s computer systems were operational. Similarly, Lisa Watson, an ICU nurse at Ascension Via Christi St. Francis, narrowly avoided giving a critically ill patient the wrong medication, emphasising the risks posed by the shift from digital to manual systems.

The attack has forced hospitals to revert to outdated paper methods, creating inefficiencies and increasing the potential for dangerous mistakes. Watson explained that, unlike in the past, current systems for timely communication and order processing have disappeared, exacerbating the risk of errors. Melissa LaRue, another ICU nurse, echoed these concerns, citing a close call with a blood pressure medication dosage error that was fortunately caught in time.

Health care workers at Ascension hospitals in Michigan reported similar issues. A Detroit ER doctor shared a case where a patient received the wrong medication due to paperwork confusion, necessitating emergency intervention. Another nurse recounted a fatal delay in receiving lab results for a patient with low blood sugar. These incidents highlight the dire consequences of prolonged system outages.

Justin Neisser, a travel nurse at an Indiana Ascension hospital, chose to quit, warning of potential delays and errors in patient care. Many nurses and doctors fear that these systemic failures could jeopardise their professional licences, drawing parallels to the high-profile case of RaDonda Vaught, a nurse convicted of criminally negligent homicide for a fatal drug error.

The health sector has become a prime target for ransomware attacks. According to the FBI, health care experienced the highest share of ransomware incidents among 16 critical infrastructure sectors in 2023. Despite this, many hospitals are ill-prepared for prolonged cyberattacks. John Clark, an associate chief pharmacy officer at the University of Michigan, noted that most emergency plans cover only short-term downtimes.

Ascension's response to the attack included restoring access to electronic health records by mid-June, but patient information from the outage period remains temporarily inaccessible. Ascension has asserted that its care teams are trained for such disruptions, though many staff members, like Ruckle, reported receiving no specific training for cyberattacks.

Federal efforts to enhance health care cybersecurity are ongoing. The Department of Health and Human Services (HHS) has encouraged improvements in email security, multifactor authentication, and cybersecurity training. However, these measures are currently voluntary. The Centers for Medicare & Medicaid Services (CMS) are expected to release new cybersecurity requirements, though details remain unclear.

The American Hospital Association (AHA) argues that cybersecurity mandates could divert resources needed to combat attacks. They contend that many data breaches originate from third-party associates rather than hospitals themselves. Nevertheless, experts like Jim Bagian believe that health systems should face consequences for failing to implement basic cybersecurity protections.

The cyberattack on Ascension calls for robust cybersecurity measures in health care. As hospitals consolidate into larger systems, they become more vulnerable to data breaches and ransomware attacks. Health care professionals and patients alike are calling for transparency and improvements to ensure safety and quality care. The situation at Ascension highlights the critical nature of cybersecurity preparedness in protecting patient lives.


Read more »
Scotland
cyber attack Cyber Attacks FBI Ransomware Scattered Spider Scotland

Young Hacker Linked to Scattered Spider Group Detained


 

Spanish police, aided by the FBI, have made a major breakthrough in combating cybercrime by arresting a 22-year-old man in Palma de Mallorca. The suspect, Tyler Buchanan from Dundee, Scotland, is believed to be a leading figure in the notorious hacking group Scattered Spider. Authorities apprehended Buchanan on June 15 while he was trying to board a flight to Italy. At the time of his arrest, he reportedly controlled $27 million in bitcoin.

Scattered Spider has been responsible for several major cyberattacks over the past two years. These include a significant attack on MGM Resorts in 2023 and breaches affecting companies like Twilio, LastPass, GitLab, Apple, and Walmart. Buchanan is suspected to have played a crucial role in these incidents. He is listed among the top SIM swappers, which is a technique used to take over phone numbers and access sensitive information.

This arrest follows the detention of another key Scattered Spider member, Michael Noah Urban, earlier this year. Urban was charged with stealing over $800,000 in cryptocurrency from multiple victims between 2022 and 2023. Both Buchanan and Urban are part of a broader group of young hackers, usually between 19 and 22 years old, known as 'the Community' or 'the Com'. This global network of hackers often shares their techniques and boasts about their exploits.

In May 2024, the FBI announced a crackdown on Scattered Spider, which had been targeting insurance companies since April. The arrests of Buchanan and Urban show that these efforts are making an impact. However, experts believe that the group's activities are unlikely to stop completely. Cybersecurity specialist Javvad Malik from KnowBe4 explained that cybercriminal groups are often decentralised, meaning they can quickly replace arrested members and continue their operations.

Malik pointed out that groups like Scattered Spider are resilient due to their decentralised nature. The knowledge and tools they use, such as SIM swapping, are widely shared within the cybercrime community. Online tutorials, forums, and dark web marketplaces ensure that these methods continue to spread, even when key individuals are arrested. This means that the group can persist and even grow despite law enforcement efforts.

Although the recent arrests may temporarily disrupt Scattered Spider's activities, experts predict the group will soon resume its operations with new leaders. The capture of Tyler Buchanan is a victory for law enforcement but also a reminder of the ongoing and evolving threat posed by cybercriminal organisations.


Read more »
Sandworm
cyber attack ICC Legal Implications Russia Sandworm

ICC Investigates Russian Cyberattacks on Ukraine as War Crimes

 



The International Criminal Court (ICC) is conducting an unprecedented investigation into alleged Russian cyberattacks on Ukrainian civilian infrastructure, considering them possible war crimes. This marks the first time international prosecutors have delved into cyber warfare, potentially leading to arrest warrants if sufficient evidence is gathered.

Prosecutors are examining cyberattacks on infrastructure that jeopardised lives by disrupting power and water supplies, cutting connections to emergency responders, or knocking out mobile data services that transmit air raid warnings. An official familiar with the case, who requested anonymity, confirmed the ICC's focus on cyberattacks since the onset of Russia’s full-scale invasion in February 2022. Additionally, sources close to the ICC prosecutor's office indicated that the investigation might extend back to 2015, following Russia's annexation of Crimea.

Ukraine is actively collaborating with ICC prosecutors, collecting evidence to support the investigation. While the ICC prosecutor's office has declined to comment on ongoing investigations, it has previously stated its jurisdiction to probe cybercrimes. The investigation could set a significant legal precedent, clarifying the application of international humanitarian law to cyber warfare.

Among the cyberattacks being investigated, at least four major attacks on energy infrastructure stand out. Sources identified the hacker group "Sandworm," believed to be linked to Russian military intelligence, as a primary suspect. Sandworm has been implicated in several high-profile cyberattacks, including a 2015 attack on Ukraine's power grid. Additionally, the activist hacker group "Solntsepyok," allegedly a front for Sandworm, claimed responsibility for a December 2022 attack on the Ukrainian mobile provider Kyivstar.

The investigation raises questions about whether cyberattacks can constitute war crimes under international law. The Geneva Conventions prohibit attacks on civilian objects, but there is no universally accepted definition of cyber war crimes. Legal scholars, through the Tallinn Manual, have attempted to outline the application of international law to cyber operations. Experts argue that the foreseeable consequences of cyberattacks, such as endangering civilian lives, could meet the criteria for war crimes.

If the ICC prosecutes these cyberattacks as war crimes, it would provide much-needed clarity on the legal status of cyber warfare. Professor Michael Schmitt of the University of Reading, a key figure in the Tallinn Manual process, believes that attacks like the one on Kyivstar meet the criteria for war crimes due to their foreseeable impact on human lives. Ukraine’s intelligence agency, the SBU, has provided detailed information about the incident to ICC investigators.

Russia, which is not an ICC member, has dismissed accusations of cyberattacks as attempts to incite anti-Russian sentiment. Despite this, the ICC has issued four arrest warrants against senior Russian figures since the invasion began, including President Vladimir Putin. Ukraine, while not an ICC member, has granted the court jurisdiction to prosecute crimes on its territory.

The ICC's probe into Russian cyberattacks on Ukrainian infrastructure could redefine the boundaries of international law in cyberspace. As the investigation unfolds, it may establish a precedent for holding perpetrators of cyber warfare accountable under international humanitarian law.


Read more »
Repository
cyber attack Cyber Attacks Data Extortion GitHub Gitloker Repository

New Extortion Scheme Targets GitHub Repositories


 

A new wave of cyberattacks is targeting GitHub repositories, wiping their contents, and demanding ransom from victims. This alarming campaign, first identified on Wednesday by Germán Fernández, a security researcher at Chilean cybersecurity firm CronUp, is being orchestrated by a threat actor using the handle "Gitloker" on Telegram.

The attackers are reportedly compromising GitHub accounts using stolen credentials. Once they gain access, they delete the contents of the repositories and create a backup of the data, which they claim can restore the deleted information. The compromised repositories are then renamed, and a single README.me file is added, instructing victims to contact the attackers via Telegram for further details.

Victims receive a ransom note that reads, "I hope this message finds you well. This is an urgent notice to inform you that your data has been compromised, and we have secured a backup." This message is intended to coerce the victims into engaging with the attackers in hopes of recovering their lost data.

GitHub has yet to release an official statement regarding the Gitloker extortion campaign. However, the platform has previously advised users to take several precautionary measures to secure their accounts. These include changing passwords, enabling two-factor authentication, adding a passkey for secure, passwordless login, and reviewing account security logs to track any changes in the repositories.

Security Recommendations

To protect against such malicious activities, GitHub users are encouraged to:

Enable Two-Factor Authentication: This adds an extra layer of security to prevent unauthorised access.

Review and Revoke Unauthorised Access: Regularly check for and remove any unauthorised SSH keys, deploy keys, and integrations.

Verify Email Addresses: Ensure all email addresses associated with the account are verified.

Monitor Security Logs: Keep an eye on account security logs to detect any suspicious activities.

Manage Webhooks and Deploy Keys: Regularly review and manage webhooks and deploy keys on repositories.

Review Recent Commits and Collaborators: Continuously check recent commits and collaborators for each repository to identify any unauthorised changes.

Previous Attacks on GitHub

This is not the first time GitHub users have faced such threats. In March 2020, hackers compromised Microsoft's GitHub account, stealing over 500GB of files from private repositories. While the stolen data primarily consisted of code samples and test projects, there was concern that private API keys or passwords might have been exposed.

Phishing Campaigns

In September 2020, GitHub users were targeted by a phishing campaign that used fake CircleCI notifications to steal GitHub credentials and two-factor authentication codes. Once compromised, attackers quickly exfiltrated data from private repositories and added new user accounts to maintain access.




Read more »
Ransomware
Arctic Wolf cyber attack Cyber Attacks Data Theft Fog Ransomware Ransomware

New Ransomware Variant "Fog" Targets U.S. Education and Recreation Sectors

Arctic Wolf Labs has identified a new, sophisticated ransomware variant named "Fog," which has been aggressively targeting organizations in the United States, particularly within the education and recreation sectors. This variant came to light following several incident response cases in May and was publicly disclosed in June, raising considerable concerns due to the intricate nature of the attacks. 

Fog ransomware typically infiltrates victim networks using compromised VPN credentials, exploiting vulnerabilities in remote access systems from two different VPN gateway vendors. The attackers gain unauthorized access by leveraging stolen VPN credentials. 

Once inside the network, the attackers employ various techniques, including: Pass-the-hash activity, Credential stuffing, and Deployment of PsExec across multiple systems. The group also utilizes RDP/SMB protocols to reach targeted hosts and disable Windows Defender on Windows Servers to maintain their foothold. Working of Fog Ransomware Fog ransomware operates using a JSON-based configuration block that orchestrates activities both pre- and post-encryption. They deploy PsExec, disable Windows Defender, and systematically query system files, volumes, and network resources before commencing the encryption. 

Additionally, Fog ransomware targets VMDK files in Virtual Machine storage, deletes backups from Veeam object storage, and Windows volume shadow copies. It employs an embedded public key for encryption and appends unique extensions (.FOG and .FLOCKED) to the encrypted files. Unlike many other ransomware types, Fog does not engage in data exfiltration; instead, it focuses on quickly encrypting VM storage data, demanding ransoms for decryption. 

The encryptor binary of the Fog ransomware employs several well-known techniques. First, it creates a log file named DbgLog.sys in the %AppData% directory. Next, it utilizes the NT API to gather system information via the NtQuerySystemInformation function, such as the number of logical processors, to enhance its encryption efficiency. The encryption itself uses outdated Windows APIs like CryptImportKey and CryptEncrypt. After the encryption process is completed, the attackers leave a ransom note, typically called 'readme.txt,' providing instructions for contacting them to obtain decryption keys. 

An analysis of these ransom notes shows that the Fog ransomware group demands ransom payments that can reach hundreds of thousands of dollars, offering decryption keys and assurances of data deletion in return.Organizations, particularly in the education and recreation sectors, should prioritize enhancing their cybersecurity defenses by implementing robust security measures, ensuring the protection and proper management of VPN credentials, and maintaining up-to-date and secure backups to mitigate the potential impact of ransomware attacks.
Read more »
Sensitive data
cyber attack Cyber Attacks Labrador NTV Station Ransomware Sensitive data

Newfoundland TV Station Hit by Ransomware Attack


 


ST. JOHN’S – The Newfoundland Broadcasting Company Limited, owner of a popular independent TV station in Newfoundland and Labrador, has been targeted by a ransomware attack.

Attack Details and Immediate Impact

The cyberattack, claimed by the Play ransomware group, has breached some of the company's systems. However, the incident has not disrupted the on-air operations of NTV or its radio counterpart, OZFM. The attackers are now threatening to leak sensitive company data online.

Data Compromised

According to Play's site on the dark web, the stolen data includes budget details, payroll information, and client documents from NTV. Play typically encrypts victims' data, rendering it inaccessible, and demands payment to release and delete the stolen information.

Expert Advice on Ransom Demands

Brett Callow, a cybersecurity analyst based in British Columbia, advises against paying the ransom. He emphasises that payment does not guarantee the data's destruction. “Paying the demand in these cases simply elicits a pinky promise from the criminals that the stolen data will be destroyed, and there is ample evidence that gangs don’t always do that,” Callow explained. He added that some organisations have been extorted multiple times with the same data.

Recent Targets of Play Group

The Play ransomware group has recently targeted other organisations, including U.S.-based loan and tax agency Credit Central and the Anchorage Daily News in Alaska.

Company Response and Investigation

In response to the breach, the Newfoundland Broadcasting Company has informed the police and enlisted the help of cybersecurity experts to investigate. Lindsey Andrews, the company’s chief operating officer, assured that they are working hard to understand the extent of the data breach and how it occurred. “We have a dedicated internal and external team, but this process will take some time,” Andrews said.

The Newfoundland Broadcasting Company continues to address the fallout from this attack, focusing on safeguarding their systems and data. This incident underscores the growing risk of ransomware attacks on media organisations and the critical need for robust cybersecurity measures. Readers are encouraged to stay alert and protect their own data from similar threats. The company’s efforts to mitigate the impact of this cyberattack will be ongoing.



Read more »
unauthorized disclosures
China cyber attack Cyber Security cyber threat Data Breach data incidents government data breaches MoD data breaches Russia UK national security unauthorized disclosures

400% Increase in MoD Data Breaches Sparks Fears of Cyber Threats from Russia and China

 

Data breaches within the Ministry of Defence (MoD) have surged nearly fivefold over the past five years, raising concerns about the UK's resilience against cyber threats from nations like Russia and China. MoD figures reveal 550 data incidents last year, up from 117 in 2017-18.

Ministers also disclosed that the Information Commissioner’s Office (ICO) is currently investigating three personal data incidents at the MoD. Both the Conservative and Labour parties have prioritized national security in their election campaigns amid global instability and threats from Russia, China, North Korea, and Iran.

Recent warnings suggest the upcoming UK general election could be targeted by cyber attacks and AI deep fakes from hostile states. Many breaches involve unauthorized disclosures by MoD staff, exacerbating concerns about security in a department recently hit by a suspected Chinese cyber attack.

Labour criticized the Conservative government for its “lax approach to cyber security,” promising that a Keir Starmer administration would prioritize the UK's security. However, Prime Minister Rishi Sunak countered by questioning Labour’s national security stance, highlighting Starmer’s past support for Jeremy Corbyn as a potential risk.

Earlier this month, it was revealed that the MoD’s payroll system, managed by contractor SSCL, suffered a major hack attributed to China. Deputy Prime Minister Oliver Dowden, in a letter to shadow Cabinet Office minister Pat McFadden, stated that the Government has enhanced security measures in its procurement processes following this breach.

In 2017-18, the MoD reported 117 data breaches, including unauthorized disclosures, lost equipment or documents, and insecure document disposal. By 2022-23, breaches had risen to 550, with unauthorized disclosures making up the majority. In 2023, the ICO fined the MoD £350,000 after 265 individuals' details were compromised in email breaches following the Taliban’s takeover of Afghanistan.

Defence Minister Andrew Murrison recently confirmed that the ICO has three ongoing investigations into personal data incidents at the MoD. Shadow Defence Secretary John Healey criticized the MoD’s worsening data security record, noting that breaches have tripled over five years, and vowed that a Labour government would enhance the UK’s cyber-security.

Defence Secretary Grant Shapps announced an urgent investigation into the recent MoD payroll cyber attack and a broader review of SSCL’s contracts with the MoD and other Whitehall departments. Dowden emphasized the importance of strengthening domestic cyber resilience to achieve national and international security goals. The Cabinet Office has implemented measures to ensure robust data security requirements in procurement contracts with third-party contractors across Whitehall.
Read more »
Ransomware
cyber attack Cyber Attacks LockBit London Drugs Pharmacy Ransomware

LockBit Ransomware Gang Claims Responsibility for London Drugs Cyberattack






In a recent turn of events, the LockBit ransomware gang has claimed responsibility for the cyberattack on Canadian pharmacy chain London Drugs, which occurred in April. The cybercriminals are now threatening to release sensitive data online after reportedly unsuccessful negotiations with the company.

London Drugs, which employs over 9,000 people across 80 stores in Alberta, Saskatchewan, Manitoba, and British Columbia, was forced to shut down all its retail locations following the April 28 cyberattack. At the time, the company assured the public that there was no evidence indicating that customer or employee data had been compromised.

Despite these reassurances, the LockBit gang has now listed London Drugs on its extortion portal, threatening to publish stolen data unless a $25 million ransom is paid. London Drugs, however, has stated that they are both unwilling and unable to meet this ransom demand.

On May 9, Clint Mahlman, London Drugs' President and Chief Operating Officer, reiterated that a forensic investigation conducted by third-party cybersecurity experts found no evidence of compromised customer databases, including health data. Nevertheless, as a precautionary measure, the company has notified all current employees and offered 24 months of complimentary credit monitoring and identity theft protection services.

The company’s website remains down, displaying an error message indicating an internal server issue. London Drugs has acknowledged that the ransomware gang's claims about stealing files from its corporate head office could potentially include employee information, although they have not provided specifics on the nature or extent of the data possibly impacted.

LockBit, a ransomware-as-a-service operation that surfaced in September 2019, has a notorious history of targeting high-profile organisations worldwide. Despite a significant law enforcement operation in February 2024 that dismantled part of their infrastructure and seized numerous decryption keys, the gang continues to be active. They have moved to new servers and dark web domains, continuing to launch attacks and release stolen data.

The ransomware group has stated that negotiations with London Drugs initially involved an offer of $8 million from the company, a claim for which they provided no evidence. London Drugs maintains that they did not offer any ransom and continues to take all available steps to mitigate the impact of the cyberattack.

Shawnigan Lake-based threat analyst Brett Callow noted that his cybersecurity company, Emsisoft, was immediately aware of LockBit's listing due to their dark net tracking tools. He emphasised the real risk that LockBit might follow through on their threat to release the stolen data.

Authorities have highlighted that LockBit, dominated by Russian-speaking individuals, has no known connections to state-sponsored activities. The ransomware group has previously been linked to several high-profile attacks, including those on Boeing, the Continental automotive giant, and the UK Royal Mail.

London Drugs continues to investigate the extent of the breach and is in contact with relevant authorities. The company has also reassured that it will notify affected individuals in compliance with privacy laws should any customer or employee data be found compromised.

The ongoing saga of LockBit's attacks is a telling marker of the persistent threat of ransomware, stressing upon the importance of robust cybersecurity measures and proactive responses to such incidents.


Read more »
Toronto
City of Hamilton Computers cyber attack Library Ransomware Toronto

Hamilton Library Struggles to Restore Services After Cyberattack

 




Hamilton Public Library's services have been severely disrupted for three months following a ransomware attack on the City of Hamilton's computer systems. Public computers remain offline at all 23 library branches, and there's no clear timeline for when these services will be restored.


The cyberattack occurred on February 25, forcing the library to shut down various services to prevent further damage. Chief librarian and CEO Paul Takala explained that this was a necessary precaution to ensure the safety of the library's systems. Although some services, like free WiFi, have been restored, the process of building a more secure network to safely reintroduce public computer access is still ongoing.


The uncertainty surrounding the timeline for full restoration is a major concern. "Speculating isn't helpful," said Takala. "We hope it will be soon, but we must be careful and can't make any commitments."


The prolonged outage has had a significant impact on library patrons like Deepthi Jayatunge, who relies on the library's computers for various tasks. Jayatunge, who is studying for a certificate at McMaster University, typically prints lecture materials and uses the library's reliable internet to connect with family in Sri Lanka. The absence of these services has created difficulties, especially for those who do not have alternative access.


Jayatunge, who also works at a Salvation Army emergency shelter, has observed the struggles faced by homeless individuals who depend on the library's computers to search for housing and employment. "Their lives are on hold," he noted.


Prior to the attack, the public heavily relied on library computers, averaging over 750 hours of use per day across all branches in early 2024. This heavy reliance underlines the critical role these services play in the community.


Currently, the library is unable to offer several key services, including public computers, printing, scanning, online holds, self-check kiosks, virtual programming, some Makerspace services, extended access at rural branches, and technical help with devices. However, patrons can still check out books in person, browse the library's website, and access e-books and audiobooks. WiFi remains available at all branches except Ancaster.


The Hamilton library's approach mirrors that of the Toronto Public Library, which experienced a similar cyberattack last year. Toronto faced over four months of disrupted services and chose to rebuild its system rather than pay the ransom demanded by the attackers. Hamilton is taking a similar path, gradually restoring services while enhancing the security of its systems.


Hamilton Mayor Andrea Horwath confirmed that the city did not pay the ransom demanded by the hackers, although she did not disclose the amount. Efforts to restore and rebuild the city's systems are ongoing, but officials have not provided a specific timeline for when normal operations will resume.


As the library works to rebuild, it aims to create a more resilient system that can continue to serve the community during future emergencies, such as power outages or severe weather events. "The library is not only a shelter for people, but also a place where they can contact family to say, 'I'm OK,'" said Takala.


The ongoing disruption of library services surfaces the immense need for secure and resilient public infrastructure to support community needs, especially for those who rely heavily on these services, for studying and otherwise. 



Read more »
Networks
Active Directory Cloud Computing Credential Theft cyber attack Cyber Attacks Networks

Why Active Directory Is A Big Deal?

 


In a cutting-edge study by XM Cyber and the Cyentia Institute, a comprehensive analysis has unveiled a startling reality: a staggering 80% of cybersecurity vulnerabilities within organisations stem from issues related to Active Directory. This might sound like tech jargon, but basically, it's a crucial part of how computers in a company talk to each other.

Active Directory functions as the central nervous system of an organisation's digital environment. Its vulnerabilities, often stemming from misconfigurations and attempts to compromise user credentials, pose significant risks. Tools like Mimikatz further exacerbate these vulnerabilities, enabling malicious actors to exploit weaknesses and gain unauthorised access.

Cloud Computing: New Risks, Same Problems

Even though we talk a lot about keeping things safe in the cloud, it turns out that's not always the case. More than half of the problems affecting important assets in companies come from cloud services. This means attackers can jump between regular computer networks and the cloud, making it harder to keep things safe.

Different Industries, Different Worries

When it comes to who's facing the most trouble, it depends on the industry. Some, like energy and manufacturing, have more issues with things being exposed on the internet. Others, like healthcare, deal with way more problems overall, which makes sense since they have a lot of sensitive data. Tailored strategies are essential, emphasising the importance of proactive measures to mitigate risks effectively.

What We Need to Do

Zur Ulianitzky, Vice President of Security Research at XM Cyber, emphasises the need for a holistic approach to exposure management. With a mere 2% of vulnerabilities residing in critical 'choke points,' organisations must broaden their focus beyond traditional vulnerability patching. Prioritising identity management, Active Directory security, and cloud hygiene is vital in making sure our cloud services are safe.

We need to be smarter about how we protect our computer systems. We can't just focus on fixing things after they've gone wrong. We need to be proactive and think about all the ways someone could try to break in. By doing this, we can make sure our businesses stay safe from cyber threats. Only through concerted efforts and strategic investments in cybersecurity can organisations stay ahead of the curve and protect against the ever-present spectre of cyber threats.



Read more »
USA
cyber attack Email Attacks email spam Fake Emails FBI USA

FBI Investigates Thousands of Fake Emails Warning of Cyber Threat You Must Do 1 Thing

 

Over the weekend, an alarming incident unfolded as thousands of fake emails flooded in, purportedly from the US Department of Homeland Security. The messages, titled "Urgent: Threat actor in systems," raised concerns about a cyber threat allegedly posed by a group called the Dark Overlord. According to reports, recipients were warned of a sophisticated chain attack targeting them, adding to the sense of urgency and anxiety. 

What made matters worse was the apparent authenticity of these emails, originating from FBI infrastructure. The scale of the operation was staggering, with over 100,000 of these deceptive emails sent out, causing widespread disruption and confusion among recipients. 

Additionally, it was discovered that the North Korean military intelligence agency, along with a hacking group called APT43 or Kimsuky, carried out a sophisticated cyber attack. They tricked people into giving away important information by pretending to be journalists, researchers, or academics through fake emails. To protect against this, experts suggest updating email security settings, like DMARC, which can help prevent such attacks. 

Let’s Understand Everything About DMARC

DMARC, DKIM, and SPF are like a triple defense system for emails. They work together to stop bad guys from pretending to send emails from places they should not. It is like having three guards at the gate, making sure only the right people get through. Picture your email as a package you are sending out into the world. DKIM and SPF are like seals of approval on the package, showing it is genuine and not tampered with. 

Now, DMARC is your extra security measure. It is like a set of instructions you attach to your package, telling the delivery person what to do if something seems fishy. "If the seal is broken, handle with care!" If you do not have DKIM, SPF, and DMARC set up properly, it is like sending out your package without those stamps and instructions. It might get lost, or worse, someone might try to copy your package and send out fake ones. 

So, by having these protections in place, you ensure your emails are delivered safely and are not mistaken for spam. This warning is a way to stop APT43 from stealing more data and giving it to North Korea. It is important for everyone to act fast and secure their email systems. These steps are crucial because cyber threats like this are always changing and can be really damaging. So, it is essential to stay alert and protect yourself from these kinds of attacks. 

Despite the gravity of the situation, the FBI has remained tight-lipped about further details, leaving many questions unanswered. As investigations unfold, concerns persist about the potential ramifications of such a large-scale deception. The incident serves as a stark reminder of the ever-present threat of cyber attacks and the importance of remaining vigilant in the face of such challenges. Stay tuned for updates as the investigation progresses.
Read more »
Outabox
Australia cyber attack Cyber Attacks Facial Recognition System Outabox

Facial Recognition System Breach Sparks Privacy Concerns in Australia

A significant privacy breach has shaken up the club scene in Australia, as a facial recognition system deployed across multiple nightlife venues became the target of a cyberattack. Outabox, the Australian firm responsible for the technology, is facing intense scrutiny in the aftermath of the breach, sparking widespread concerns regarding personal data security in the era of advanced surveillance. Reports indicate that sensitive personal information, including facial images and biometric data, has been exposed, raising alarms among patrons and authorities. 

As regulators rush to assess the situation and ensure accountability, doubts arise about the effectiveness of existing safeguards against such breaches. Outabox has promised full cooperation with investigations but is under increasing pressure to address the breach's repercussions promptly and decisively. Initially introduced as a safety measure to monitor visitors' temperatures during the COVID-19 pandemic, Outabox's facial recognition kiosks evolved to include identifying individuals in self-exclusion programs for gambling, showcasing the company's innovative use of technology. 

However, recent developments have revealed a troubling scenario with the emergence of a website called "Have I Been Outaboxed." Claiming to be created by former Outabox employees based in the Philippines, the site alleges mishandling of over a million records, including facial biometrics, driver's licenses, and various personal identifiers. This revelation highlights serious concerns regarding Outabox's security and privacy practices, emphasizing the need for robust data protection measures and transparent communication with both employees and the public. 

Allegations on the "Have I Been Outaboxed" website suggest that the leaked data includes a trove of personal information such as facial recognition biometrics, driver's licenses, club memberships, addresses, and more. The severity of this breach is underscored by claims that extensive membership data from IGT, a major supplier of gaming machines, was also compromised, although IGT representatives have denied this assertion. 

This breach has triggered a robust reaction from privacy advocates and regulators, who are deeply concerned about the significant implications of exposing such extensive personal data. Beyond the immediate impact on affected individuals, the incident serves as a stark reminder of the ethical considerations surrounding the deployment of surveillance technologies. It underscores the delicate balance between security imperatives and the protection of individual privacy rights.
Read more »
USB Tactics
cyber attack Cyber Attacks Honeywell Report Industrial Cyberattack USB Tactics

Industrial Cyberattackers Reverting to USB Tactics, Says Honeywell Report

 

In a surprising turn of events, the use of removable media, particularly USB devices, has resurged as a favoured tactic among industrial cyber attackers. Honeywell's recently released "2024 USB Threat Report" sheds light on this concerning trend, emphasizing its prevalence within Operational Technology (OT) networks. 

The report reveals a clear shift in the strategies employed by threat actors, who are now bypassing sophisticated exploitation techniques and zero-day vulnerabilities in favour of leveraging old tools and bugs. Rather than relying on novel malware, attackers are exploiting the inherent capabilities of OT control systems to gain a foothold in industrial networks. 

This resurgence of USB-based attacks underscores the critical importance of robust cybersecurity measures within industrial environments. With threat actors exploiting vulnerabilities that may have been overlooked or underestimated, organizations must remain vigilant and implement comprehensive defense strategies to safeguard their OT infrastructure. 

Let's Understand Why USBs?

USBs possess a unique advantage that sets them apart from even the most cutting-edge attack methods: the ability to breach air gaps. In high-risk industries like nuclear, military, and finance, air gaps act as physical barriers between Operational Technology (OT) and Information Technology (IT) networks, ensuring no malicious activity can cross over. 

Matt Wiseman, director of OT product marketing at OPSWAT, elaborates, "Many operational facilities maintain strict air gaps. Traditional network-based attacks, such as those via email, are ineffective when OT systems are isolated from the internet. To breach such defenses, you need unconventional tactics. USBs and removable media are particularly intriguing because they're the only threat that can be carried across the air gap in your pocket." 

Additionally, in a recent report released by Mandiant, alarming details have emerged regarding two separate USB-delivered malware campaigns observed in the current year. The first campaign, dubbed 'Sogu,' has been attributed to the Chinese espionage threat group 'TEMP.HEX.' 

Meanwhile, the second campaign, named 'Snowydrive,' has been linked to UNC4698 and specifically targets oil and gas firms in Asia. Notably, Mandiant's report also references a prior incident in November 2022, where a China-nexus campaign utilized USB devices to infect entities in the Philippines with four distinct malware families. This earlier discovery serves as a precedent, highlighting the recurrence of similar tactics by cyber threat groups with geopolitical motivations.
Read more »
North Korea Hackers
cyber attack Financial Exploit Laundering Lazarus Group Linkedin North Korea Hackers

North Korean Hackers Exploit LinkedIn in Targeted Attacks

 


The North Korean hacker group Lazarus has once again made headlines, this time for exploiting LinkedIn in their cyber operations. According to a report by blockchain security analytics firm SlowMist, Lazarus hackers are leveraging the professional networking platform to target unsuspecting users and pilfer their assets through malware attacks.


LinkedIn Used as a Trojan Horse

This involves Lazarus members masquerading as blockchain developers seeking employment opportunities in the cryptocurrency industry. By posing as job seekers, they lure in vulnerable targets, enticing them to share access to their code repositories under the guise of collaborative work. However, the innocuous-seeming code snippets provided by the hackers contain malicious elements designed to syphon off confidential information and assets from the victims' systems.


History of Innovation in Cybercrime

This tactic isn't new for Lazarus, as they previously employed a similar strategy in December 2023, posing as recruiters from Meta. Back then, they convinced victims to download malware-infected coding challenges, which, when executed, granted remote access to their computers.


Lazarus: A Cyber Threat

Lazarus has earned a notorious reputation in the cybersecurity realm since its emergence in 2009. The group is infamous for orchestrating some of the largest cryptocurrency heists, including the 2022 Ronin Bridge hack, which saw a staggering $625 million being stolen.


Laundering Techniques

Once they've plundered their ill-gotten gains, Lazarus employs sophisticated techniques, such as crypto mixing services, to launder the funds back to North Korea. Reports suggest these funds are funnelled into financing the country's military endeavors.


Industry Response and Countermeasures

In response to persistent cyber threats, crypto companies are advocating for heightened security measures and conducting awareness seminars to educate employees about potential risks. The industry's proactive stance has led to the implementation of robust security protocols and increased investment in cybersecurity to safeguard against data breaches and financial theft.


The recent exploits by Lazarus serve as a stark reminder of the ever-present dangers lurking in the digital realm. As cyber threats continue to expand, it's imperative for individuals and organisations alike to remain careful and adopt proactive measures to mitigate risks and be digitally secured.


By staying informed and proactive, investors, traders, and social media users can collectively work towards thwarting cyber threats and safeguarding digital assets in an increasingly interconnected world.


Read more »
Identity Theft
Customer Information cyber attack Data Breach Data Leak data security Experian Identity Theft

Wells Fargo Data Breach: Safeguarding Customer Information in a Digital Age

 

In a digital age where data breaches have become all too common, the recent disclosure of a data breach at Wells Fargo, a prominent multinational financial services corporation, has once again brought cybersecurity concerns to the forefront. The breach, impacting the personal information of two clients, underscores the challenges faced by financial institutions in safeguarding sensitive data and maintaining customer trust. 

The breach exposed clients' names and mortgage account numbers, raising significant concerns about the security of personal information within the financial services sector. According to Wells Fargo, the breach was not the result of a cyberattack but rather an employee breaching company policy by transferring information to a personal account. While the exact timeline and duration of unauthorized access remain unclear, Wells Fargo has taken swift action to address the situation and mitigate risks to affected individuals. 

In response to the breach, Wells Fargo has prioritized the welfare of its customers and has taken proactive steps to assist those impacted. The company has offered complimentary two-year subscriptions to Experian IdentityWorks5M, a comprehensive identity theft detection service. This includes daily monitoring of credit reports, internet surveillance to monitor identity-related activity, and full-service identity restoration in the event of theft. Affected individuals are encouraged to activate their subscriptions within 60 days from the date printed on the notification letter, either online or by phone. The team is available via phone during specified hours and offers language assistance services for non-English speakers, as well as support for individuals with hearing or speech difficulties. 

While the specifics of the data breach are still under investigation, Wells Fargo remains committed to enhancing security measures and preventing similar incidents in the future. The breach serves as a stark reminder of the evolving nature of cyber threats and the importance of remaining vigilant in protecting sensitive information. This incident also highlights a recurring issue within the banking industry, as Wells Fargo is not the only financial institution to experience a data breach in recent months. 

In February 2024, Bank of America, another one of the Big Four Banks in North America, announced a data breach affecting its customers. The Bank of America data breach was attributed to a cyberattack targeting one of its service providers, Infosys McCamish Systems. 

As investigations into the breach continue, Wells Fargo reassures its customers of its unwavering commitment to security and vows to implement additional measures to safeguard customer information. Despite the challenges posed by cyber threats, Wells Fargo remains dedicated to maintaining customer trust and protecting sensitive data in an increasingly interconnected world.
Read more »
Retail Industry
Carpetright cyber attack Cyber Attacks Essex Hacking Retail Industry

Cyber Attack Hits UK's Carpetright, Affecting Customer Orders

 



Carpetright, an eminent flooring retailer in the UK, has fallen victim to a cyber attack, causing disruption to its operations and affecting hundreds of customer orders. Last week, hackers targeted the flooring specialist’s head office in Purfleet, Essex, by sending malware to gain unauthorised access. As a result, customers have been unable to place orders on the company's website or in any of its 400 shops since last Thursday, when systems were taken offline. A spokesperson for the retailer expressed regret for any inconvenience caused, stating, “We are not aware of any customer or colleague data being impacted by this incident and are currently conducting tests and resetting systems, with investigations ongoing.”

The malware infiltration prompted a response from Carpetright's IT security team, who took the drastic measure of taking the entire network offline to contain the threat and prevent further spread. As a result, essential systems crucial for day-to-day operations, including payroll information and employee booking portals, became inaccessible.

The consequences of the attack extended beyond the company's internal operations, as phone lines remained down, leaving customers unable to reach support. Despite the disruption, company officials assured stakeholders that no customer or colleague data had been compromised.


Rising Threat of Cyber Attacks

The cyber attack on Carpetright comes amidst a concerning trend, with recent surveys indicating a sharp increase in cyber attacks targeting British businesses. According to the findings, half of British businesses reported experiencing a cyber attack within the past year, marking a terrific uptick from previous years.


NHS Dumfries and Galloway and British Library Targeted

The incident at Carpetright follows similar cyber attacks on critical institutions, including NHS Dumfries and Galloway and the British Library. Last month, NHS Dumfries and Galloway fell victim to a ransomware attack orchestrated by the INC Ransom group, resulting in the unauthorised access of patient data. The breach raised concerns about patient confidentiality and highlighted the vulnerability of healthcare infrastructure to cyber threats.


In a separate incident, the British Library suffered a major technology outage following a cyber attack by the Rhysida ransomware group. The attack disrupted operations at the renowned research library and underlined the institution of cyber criminals targeting high-profile institutions.


Challenges Faced by Carpetright

The cyber attack compounds the challenges faced by Carpetright in contemporary times, as the company navigates a downturn in demand and heightened competition. Founded in 1988 by Philip Harris, Carpetright has weathered various storms over the years, including its delisting from the London Stock Exchange in 2019 following its acquisition by Meditor, a British hedge fund.


As Carpetright seeks to recover from the cyber attack and adapt to the unfolding market dynamics, its resilience and ability to innovate will be critical in ensuring its long-term viability amidst ongoing uncertainties, including the cost of living crisis impacting consumer behaviour.


Read more »
Subscribe to: Posts (Atom)