An anonymous reader quotes a report from BleepingComputer: The Securities and Exchange Commission (SEC) has adopted amendments to Regulation S-P that require certain financial institutions to disclose data breach incidents to impacted individuals within 30 days of discovery. Regulation S-P was introduced in 2000 and controls how some financial entities must treat nonpublic personal information belonging to consumers. These rules include developing and implementing data protection policies, confidentiality and security assurances, and protecting against anticipated threats. The new amendments (PDF) adopted earlier this week impact financial firms, such as broker-dealers (funding portals included), investment firms, registered investment advisers, and transfer agents. The modifications were initially proposed in March of last year to modernize and improve the protection of individual financial information from data breaches and exposure to non-affiliated parties. Below is a summary of the introduced changes: - Notify affected individuals within 30 days if their sensitive information is, or is likely to be, accessed or used without authorization, detailing the incident, breached data, and protective measures taken. Exemption applies if the information isn't expected to cause substantial harm or inconvenience to the exposed individuals. - Develop, implement, and maintain written policies and procedures for an incident response program to detect, respond to, and recover from unauthorized access or use of customer information. This should include procedures to assess and contain security incidents, enforce policies, and oversee service providers. - Expand safeguards and disposal rules to cover all nonpublic personal information, including that received from other financial institutions. - Require documentation of compliance with safeguards and disposal rules, excluding funding portals. - Align annual privacy notice delivery with the FAST Act, exempting certain conditions. - Extend safeguards and disposal rules to transfer agents registered with the SEC or other regulatory agencies.

Read more of this story at Slashdot.

The FBI has seized the notorious BreachForums hacking forum that leaked and sold stolen corporate data to other cybercriminals. From a report: The seizure occurred on Wednesday morning, soon after the site was used last week to leak data stolen from a Europol law enforcement portal. The website is now displaying a message stating that the FBI has taken control over it and the backend data, indicating that law enforcement seized both the site's servers and domains. [...] The seizure message also shows the two forum profile pictures of the site's administrators, Baphomet and ShinyHunters, overlaid with prison bars.

Read more of this story at Slashdot.

The Russia-linked ransomware group Black Basta is responsible for Wednesday's cyberattack on St. Louis-based Ascension health system, according to sources reported by CNN. The attack disrupted access to electronic health records, some phone systems and "various systems utilized to order certain tests, procedures and medications," the company said in a statement. From a report: On Friday, the nonprofit group Health-ISAC (Information Sharing and Analysis Center) issued an alert about the group, saying that Black Basta has "recently accelerated attacks against the healthcare sector." HHS said that Black Basta was initially spotted in early 2022, known for its double extortion attack. The group not only executes ransomware but also exfiltrates sensitive data, operating a cybercrime marketplace to publicly release it should a victim fail to pay a ransom. "The level of sophistication by its proficient ransomware operators, and reluctance to recruit or advertise on Dark Web forums, supports why many suspect the nascent Black Basta may even be a rebrand of the Russian-speaking RaaS threat group Conti, or also linked to other Russian-speaking cyber threat groups," the alert from HHS said. According to one report from blockchain analytics firm Elliptic and cybersecurity risk-focused Corvus Insurance, Black Basta in less than two years has won itself more than $100 million via ransomware schemes from 329 organizations. Previous victims of its attacks include Dish Network, the American Dental Association, business process services firm Capita and tech firm ABB.

Read more of this story at Slashdot.

The U.S. FBI is working towards charging hackers from the aggressive Scattered Spider criminal gang who are largely based in the U.S. and western countries and have breached dozens of American organisations, a senior official said. From a report: The young hackers grabbed headlines last year when they broke into the systems of casino-operators MGM Resorts International and Caesars Entertainment locking up the companies' systems and demanding hefty ransom payments. From health and telecom companies to financial services, they have hacked a range of organisations over two years, piling pressure on law enforcement agencies to thwart them. "We are working towards charging individuals where we can with criminal conduct, in this case, largely around the Computer Fraud and Abuse Act," Brett Leatherman, the FBI's cyber deputy assistant director, told Reuters in an interview. The group was a rare alliance of hackers in Western countries with veteran cybercriminals from eastern Europe, he said on the sidelines of the RSA Conference in San Francisco Wednesday. "Often we don't see that mingling of geographical hackers working together outside the confines of like hacktivism, for example," he said. Security researchers have tracked Scattered Spider since at least 2022 and say the group is far more aggressive than other cybercrime gangs - skilled especially at hijacking the identities of IT helpdesk staff to penetrate into company networks. Caesars paid around $15 million to free its systems from the hackers.

Read more of this story at Slashdot.

An anonymous reader quotes a report from The Register: Ransomware infections have morphed into "a psychological attack against the victim organization," as criminals use increasingly personal and aggressive tactics to force victims to pay up, according to Google-owned Mandiant. "We saw situations where threat actors essentially SIM swap the phones of children of executives, and start making phone calls to executives, from the phone numbers of their children," Charles Carmakal, Mandiant's CTO, recounted during a Google Security Threat Intelligence Panel at this year's RSA Conference in San Francisco on Monday. "Think about the psychological dilemma that the executive goes through – seeing a phone call from the children, picking up the phone and hearing that it's somebody else's voice? Sometimes, it's caller ID spoofing. Other times, we see demonstrated SIM swapping family members." Either way, it's horrifying. It's the next step in the evolution of ransomware tactics, which have now moved far beyond simply encrypting victims' files and even stealing their data. "There are a few threat actors that really have no rules of engagement in terms of how far [they] try to coerce victims," Carmakal noted, recalling ransomware incidents in which the criminals have directly contacted executives, their family members, and board members at their homes. The criminals have moved from just staging an attack against a company, its customers and their data, and becomes "more against the people," he added. It changes the calculation involved in deciding whether to pay the extortion demand, Carmakal said. "It's less about 'do I need to protect my customers?' But more about 'how do I better protect my employees and protect the families of employees?' That's a pretty scary shift."

Read more of this story at Slashdot.

Google is streamlining the process of setting up two-factor authentication (2FA). From a report: Instead of entering your phone number first to enable 2FA, you can now add a "second step method" to your account such as an authenticator app or a hardware security key to get things set up. This should make it safer to turn on 2FA, as it lets you avoid using less secure SMS verification. You can choose to enter a time-based one-time passcode through apps like Google Authenticator, or you can follow the steps to link a hardware security key.

Read more of this story at Slashdot.

An international coalition of police agencies have resurrected the dark web site of the notorious LockBit ransomware gang, which they had seized earlier this year, teasing new revelations about the group. From a report: On Sunday, what was once LockBit's official darknet site reappeared online with new posts that suggest the authorities are planning to release new information about the hackers in the next 24 hours, as of this writing. The posts have titles such as "Who is LockBitSupp?," "What have we learnt," "More LB hackers exposed," and "What have we been doing?" In February, a law enforcement coalition that included the U.K.'s National Crime Agency, the U.S. Federal Bureau of Investigation, as well as forces from Germany, Finland, France, Japan and others announced that they had infiltrated LockBit's official site. The coalition seized the site and replaced information on it with their own press release and other information in a clear attempt to troll and warn the hackers that the authorities were on to them.

Read more of this story at Slashdot.

An anonymous reader shares a report: Relations between Russia and Germany were already tense, with Germany providing military support to Ukraine in its ongoing war with Russia. German Foreign Minister Annalena Baerbock said Russian state hackers were behind a cyberattack last year that targeted the Social Democrats, the leading party in the governing coalition. "Russian state hackers attacked Germany in cyberspace," she said at a news conference in the Australian city of Adelaide. "We can attribute this attack to the group called APT28, which is steered by the military intelligence service of Russia." "This is absolutely intolerable and unacceptable and will have consequences," she said. The Russian Embassy in Germany on Friday denied Moscow was involved in a 2023 cyberattack. In a statement the embassy said its envoy "categorically rejected the accusations that Russian state structures were involved in the given incident ... as unsubstantiated and groundless." The Council of the EU later said that Czechia's institutions have also been a target of the cyber campaign. In a statement by the EU's top diplomat, Josep Borrell, the bloc's nations said they "strongly condemn the malicious cyber campaign conducted by the Russia-controlled Advanced Persistent Threat Actor 28 (APT28) against Germany and Czechia." Further reading: EU and NATO Condemn Russian Cyber Attacks Against Germany and Czechia.

Read more of this story at Slashdot.

Dan Goodin reports via Ars Technica: A maximum severity vulnerability that allows hackers to hijack GitLab accounts with no user interaction required is now under active exploitation, federal government officials warned as data showed that thousands of users had yet to install a patch released in January. A change GitLab implemented in May 2023 made it possible for users to initiate password changes through links sent to secondary email addresses. The move was designed to permit resets when users didn't have access to the email address used to establish the account. In January, GitLab disclosed that the feature allowed attackers to send reset emails to accounts they controlled and from there click on the embedded link and take over the account. While exploits required no user interaction, hijackings worked only against accounts that weren't configured to use multi-factor authentication. Even with MFA, accounts remained vulnerable to password resets. The vulnerability, tracked as CVE-2023-7028, carries a severity rating of 10 out of a possible 10. The vulnerability, classified as an improper access control flaw, could pose a grave threat. GitLab software typically has access to multiple development environments belonging to users. With the ability to access them and surreptitiously introduce changes, attackers could sabotage projects or plant backdoors that could infect anyone using software built in the compromised environment. An example of a similar supply chain attack is the one that hit SolarWinds in 2021, infecting more than 18,000 of its customers. Other recent examples of supply chain attacks are here, here, and here. These sorts of attacks are powerful. By hacking a single, carefully selected target, attackers gain the means to infect thousands of downstream users, often without requiring them to take any action at all. According to Internet scans performed by security organization Shadowserver, more than 2,100 IP addresses showed they were hosting one or more vulnerable GitLab instances. In order to protect your system, you should enable MFA and install the latest patch. "GitLab users should also remember that patching does nothing to secure systems that have already been breached through exploits," notes Goodin.

Read more of this story at Slashdot.

An anonymous reader quotes a report from Bloomberg: Dropbox said its digital-signature product, Dropbox Sign, was breached by hackers, who accessed user information including emails, user names and phone numbers. The software company said it became aware of the cyberattack on April 24, sought to limit the incident and reported it to law enforcement and regulatory authorities. "We discovered that the threat actor had accessed data related to all users of Dropbox Sign, such as emails and user names, in addition to general account settings," Dropbox said Wednesday in a regulatory filing. "For subsets of users, the threat actor also accessed phone numbers, hashed passwords, and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication." Dropbox said there is no evidence hackers obtained user accounts or payment information. The company said it appears the attack was limited to Dropbox Sign and no other products were breached. The company didn't disclose how many customers were affected by the hack. The hack is unlikely to have a material impact on the company's finances, Dropbox said in the filing. The shares declined about 2.5% in extended trading after the cyberattack was disclosed and have fallen 20% this year through the close.

Read more of this story at Slashdot.

An anonymous reader quotes a report from TechCrunch: The ransomware gang that hacked into U.S. health tech giant Change Healthcare used a set of stolen credentials to remotely access the company's systems that weren't protected by multifactor authentication (MFA), according to the chief executive of its parent company, UnitedHealth Group (UHG). UnitedHealth CEO Andrew Witty provided the written testimony ahead of a House subcommittee hearing on Wednesday into the February ransomware attack that caused months of disruption across the U.S. healthcare system. This is the first time the health insurance giant has given an assessment of how hackers broke into Change Healthcare's systems, during which massive amounts of health data were exfiltrated from its systems. UnitedHealth said last week that the hackers stole health data on a "substantial proportion of people in America." According to Witty's testimony, the criminal hackers "used compromised credentials to remotely access a Change Healthcare Citrix portal." Organizations like Change use Citrix software to let employees access their work computers remotely on their internal networks. Witty did not elaborate on how the credentials were stolen. However, Witty did say the portal "did not have multifactor authentication," which is a basic security feature that prevents the misuse of stolen passwords by requiring a second code sent to an employee's trusted device, such as their phone. It's not known why Change did not set up multifactor authentication on this system, but this will likely become a focus for investigators trying to understand potential deficiencies in the insurer's systems. "Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data," said Witty. Witty said the hackers deployed ransomware nine days later on February 21, prompting the health giant to shut down its network to contain the breach. Last week, the medical firm admitted that it paid the ransomware hackers roughly $22 million via bitcoin. Meanwhile, UnitedHealth said the total costs associated with the ransomware attack amounted to $872 million. "The remediation efforts spent on the attack are ongoing, so the total costs related to business disruption and repairs are likely to exceed $1 billion over time, potentially including the reported $22 million payment made [to the hackers]," notes The Register.

Read more of this story at Slashdot.

"South Korea is considering prohibiting the use of iPhones and smart wearable devices inside military buildings," reports the Defense Post, "due to increasing security concerns." But the blog Apple Insider argues the move "has less to do with security and more to do with a poorly crafted mobile device management suite coupled with nationalism..." A report on Tuesday morning claims that the ban is on all devices capable of voice recording and do not allow third-party apps to lock this down — with iPhone specifically named... According to sources familiar with the matter cited by Tuesday's report, the iPhone is explicitly banned. Android-based devices, like Samsung's, are exempt from the ban... The issue appears to be that the South Korean National Defense Mobile Security mobile device management app doesn't seem to be able to block the use of the microphone. This particular MDM was rolled out in 2013, with use enforced across all military members in 2021. The report talks about user complaints about the software, and inconsistent limitations depending on make, model, and operating system. A military official speaking to the publication says that deficiencies on Android would be addressed in a software update. Discussions are apparently underway to extend the total ban downwards to the entire military. The Army is said to have tried the ban as well... Seven in 10 South Korean military members are Samsung users. So, the ban appears to be mostly symbolic. Thanks to Slashdot reader Kitkoan for sharing the news.

Read more of this story at Slashdot.

A now-abandoned USB worm that backdoors connected devices has continued to self-replicate for years since its creators lost control of it and remains active on thousands, possibly millions, of machines, researchers said Thursday. ArsTechnica: The worm -- which first came to light in a 2023 post published by security firm Sophos -- became active in 2019 when a variant of malware known as PlugX added functionality that allowed it to infect USB drives automatically. In turn, those drives would infect any new machine they connected to, a capability that allowed the malware to spread without requiring any end-user interaction. Researchers who have tracked PlugX since at least 2008 have said that the malware has origins in China and has been used by various groups tied to the country's Ministry of State Security. For reasons that aren't clear, the worm creator abandoned the one and only IP address that was designated as its command-and-control channel. With no one controlling the infected machines anymore, the PlugX worm was effectively dead, or at least one might have presumed so. The worm, it turns out, has continued to live on in an undetermined number of machines that possibly reaches into the millions, researchers from security firm Sekoia reported. The researchers purchased the IP address and connected their own server infrastructure to "sinkhole" traffic connecting to it, meaning intercepting the traffic to prevent it from being used maliciously. Since then, their server continues to receive PlugX traffic from 90,000 to 100,000 unique IP addresses every day.

Read more of this story at Slashdot.

An anonymous reader quotes a report from Wired: Network security appliances like firewalls are meant to keep hackers out. Instead, digital intruders are increasingly targeting them as the weak link that lets them pillage the very systems those devices are meant to protect. In the case of one hacking campaign over recent months, Cisco is now revealing that its firewalls served as beachheads for sophisticated hackers penetrating multiple government networks around the world. On Wednesday, Cisco warned that its so-called Adaptive Security Appliances -- devices that integrate a firewall and VPN with other security features -- had been targeted by state-sponsored spies who exploited two zero-day vulnerabilities in the networking giant's gear to compromise government targets globally in a hacking campaign it's calling ArcaneDoor. The hackers behind the intrusions, which Cisco's security division Talos is calling UAT4356 and which Microsoft researchers who contributed to the investigation have named STORM-1849, couldn't be clearly tied to any previous intrusion incidents the companies had tracked. Based on the group's espionage focus and sophistication, however, Cisco says the hacking appeared to be state-sponsored. "This actor utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted, hallmarks of a sophisticated state-sponsored actor," a blog post from Cisco's Talos researchers reads. Cisco declined to say which country it believed to be responsible for the intrusions, but sources familiar with the investigation tell WIRED the campaign appears to be aligned with China's state interests. Cisco says the hacking campaign began as early as November 2023, with the majority of intrusions taking place between December and early January of this year, when it learned of the first victim. "The investigation that followed identified additional victims, all of which involved government networks globally," the company's report reads. In those intrusions, the hackers exploited two newly discovered vulnerabilities in Cisco's ASA products. One, which it's calling Line Dancer, let the hackers run their own malicious code in the memory of the network appliances, allowing them to issue commands to the devices, including the ability to spy on network traffic and steal data. A second vulnerability, which Cisco is calling Line Runner, would allow the hackers' malware to maintain its access to the target devices even when they were rebooted or updated. It's not yet clear if the vulnerabilities served as the initial access points to the victim networks, or how the hackers might have otherwise gained access before exploiting the Cisco appliances. Cisco advises that customers apply its new software updates to patch both vulnerabilities. A separate advisory (PDF) from the UK's National Cybersecurity Center notes that physically unplugging an ASA device does disrupt the hackers' access. "A hard reboot by pulling the power plug from the Cisco ASA has been confirmed to prevent Line Runner from re-installing itself," the advisory reads.

Read more of this story at Slashdot.

Andy Greenberg reports via Wired: More than two months after the start of a ransomware debacle whose impact ranks among the worst in the history of cybersecurity, the medical firm Change Healthcare finally confirmed what cybercriminals, security researchers, and Bitcoin's blockchain had already made all too clear: that it did indeed pay a ransom to the hackers who targeted the company in February. And yet, it still faces the risk of losing vast amounts of customers' sensitive medical data. In a statement sent to WIRED and other news outlets on Monday evening, Change Healthcare wrote that it paid a ransom to a cybercriminal group extorting the company, a hacker gang known as AlphV or BlackCat. "A ransom was paid as part of the company's commitment to do all it could to protect patient data from disclosure," the statement reads. The company's belated admission of that payment accompanied a new post on its website where it warns that the hackers may have stolen health-related data that would "cover a substantial proportion of people in America." Cybersecurity and cryptocurrency researchers told WIRED last month that Change Healthcare appeared to have paid that ransom on March 1, pointing to a transaction of 350 bitcoins or roughly $22 million sent into a crypto wallet associated with the AlphV hackers. That transaction was first highlighted in a message on a Russian cybercriminal forum known as RAMP, where one of AlphV's allegedly jilted partners complained that they hadn't received their cut of Change Healthcare's payment. However, for weeks following that transaction, which was publicly visible on Bitcoin's blockchain and which both security firm Recorded Future and blockchain analysis firm TRM Labs told WIRED had been received by AlphV, Change Healthcare repeatedly declined to confirm that it had paid the ransom. Change Healthcare's confirmation of that extortion payment puts new weight behind the cybersecurity industry's fears that the attack -- and the profit AlphV extracted from it -- will lead ransomware gangs to further target health care companies. "It 100 percent encourages other actors to target health care organizations," Jon DiMaggio, a researcher with cybersecurity firm Analyst1 who focuses on ransomware, told WIRED at the time the transaction was first spotted in March. "And it's one of the industries we don't want ransomware actors to target -- especially when it affects hospitals." Compounding the situation, a conflict between hackers in the ransomware ecosystem has led to a second ransomware group claiming to possess Change Healthcare's stolen data and threatening to sell it to the highest bidder on the dark web. Earlier this month that second group, known as RansomHub, sent WIRED alleged samples of the stolen data that appeared to come from Change Healthcare's network, including patient records and a contract with another health care company.

Read more of this story at Slashdot.

North Korean animators have been secretly working on major international TV shows, including an Amazon superhero series and an upcoming HBO Max children's anime, according to a report by cybersecurity researchers. The findings, detailed in a report by the Stimson Center think tank's 38 North Project and Google-owned security firm Mandiant, provide a glimpse into how North Korea can use skilled IT workers to raise funds for its heavily sanctioned regime. Researcher Nick Roy discovered a misconfigured cloud server on a North Korean IP address in December, containing thousands of animation files, including cells, videos, and notes discussing ongoing projects. Some images appeared to be from Amazon's "Invincible" and HBO Max's "Iyanu: Child of Wonder." The server, which mysteriously stopped being used at the end of February, likely allowed work to be sent to and from North Korean animators, according to Martyn Williams, a senior fellow on the 38 North Project. U.S. sanctions prohibit companies from working with North Korean entities, but the researchers say it is unlikely that the companies involved were aware of the animators' origins. The report suggests the contracting arrangement was several steps removed from the major producers.

Read more of this story at Slashdot.

U.S. telecom provider Frontier Communications shut down its systems after a cybercrime group breached some of its IT systems in a recent cyberattack. BleepingComputer reports: Frontier is a leading U.S. communications provider that provides gigabit Internet speeds over a fiber-optic network to millions of consumers and businesses across 25 states. After discovering the incident, the company was forced to partially shut down some systems to prevent the threat actors from laterally moving through the network, which also led to some operational disruptions. Despite this, Frontier says the attackers could access some PII data, although it didn't disclose if it belonged to customers, employees, or both. "On April 14, 2024, Frontier Communications Parent, Inc. [..] detected that a third party had gained unauthorized access to portions of its information technology environment," the company revealed in a filing with the U.S. Securities and Exchange Commission on Thursday. "Based on the Company's investigation, it has determined that the third party was likely a cybercrime group, which gained access to, among other information, personally identifiable information." Frontier now believes that it has contained the breach, has since restored its core IT systems affected during the incident, and is working on restoring normal business operations.

Read more of this story at Slashdot.

An anonymous reader quotes a report from Futurism: In a new blog post from LastPass, the password management firm used by countless personal and corporate clients to help protect their login information, the company explains that someone used AI voice-cloning tech to spoof the voice of its CEO in an attempt to trick one of its employees. As the company writes in the post, one of its employees earlier this week received several WhatsApp communications -- including calls, texts, and a voice message -- from someone claiming to be its CEO, Karim Toubba. Luckily, the LastPass worker didn't fall for it because the whole thing set off so many red flags. "As the attempted communication was outside of normal business communication channels and due to the employee's suspicion regarding the presence of many of the hallmarks of a social engineering attempt (such as forced urgency)," the post reads, "our employee rightly ignored the messages and reported the incident to our internal security team so that we could take steps to both mitigate the threat and raise awareness of the tactic both internally and externally." While this LastPass scam attempt failed, those who follow these sorts of things may recall that the company has been subject to successful hacks before. In August 2022, as a timeline of the event compiled by the Cybersecurity Dive blog detailed, a hacker compromised a LastPass engineer's laptop and used it to steal source code and company secrets, eventually getting access to its customer database -- including encrypted passwords and unencrypted user data like email addresses. According to that timeline, the clearly-resourceful bad actor remained active in the company's servers for months, and it took more than two months for LastPass to admit that it had been breached. More than six months after the initial breach, Toubba, the CEO, provided a blow-by-blow timeline of the months-long attack and said he took "full responsibility" for the way things went down in a February 2023 blog post.

Read more of this story at Slashdot.

404 Media: An online service is scraping Discord servers en masse, archiving and tracking users' messages and activity across servers including what voice channels they join, and then selling access to that data for as little as $5. Called Spy Pet, the service's creator says it scrapes more than ten thousand Discord servers, and besides selling access to anyone with cryptocurrency, is also offering the data for training AI models or to assist law enforcement agencies, according to its website. The news is not only a brazen abuse of Discord's platform, but also highlights that Discord messages may be more susceptible to monitoring than ordinary users assume. Typically, a Discord user's activity is spread across disparate servers, with no one entity, except Discord itself, able to see what messages someone has sent across the platform more broadly. With Spy Pet, third-parties including stalkers or potentially police can look up specific users and see what messages they've posted on various servers at once. "Have you ever wondered where your friend hangs out on Discord? Tired of basic search tools like Discord.id? Look no further!" Spy Pet's website reads. It claims to be tracking more than 14,000 servers, 600 million users, and includes a database of more than 3 billion messages.

Read more of this story at Slashdot.