
FTC: Health App and Device Makers Should Comply With Health Breach Notification Rule


On 15th September the Federal Trade Commission approved a policy statement reminding makers of health applications and connected devices that collect health-related data that they must follow a ten-year-old data breach notification rule. The statement is part of the agency's push toward more robust technology enforcement under Chair Lina Khan, who hinted that more scrutiny of the data-driven ecosystems around such apps and devices could be on the way.

In written remarks, Chair Lina Khan stated, "The Commission will enforce this Rule with vigour." According to the FTC, the rule applies to a range of vendors, as well as their third-party service providers, that are not covered by the HIPAA breach notification rule but are nonetheless held liable when clients' sensitive health data is breached.

After being charged with studying and establishing strategies to protect health information as part of the American Recovery and Reinvestment Act in 2009, the FTC created the Health Breach Notification Rule. 

The rule requires suppliers of personal health records and PHR-related companies to notify U.S. consumers and the FTC when unsecured identifiable health information is breached, or risk civil penalties, according to the FTC. "In practical terms, this means that entities covered by the Rule who have experienced breaches cannot conceal this fact from those who have entrusted them with sensitive health information," the FTC says. 

Since the rule's inception, there has been a proliferation of apps for tracking anything from fertility and menstruation to mental health, as well as linked gadgets that collect health-related data, such as fitness trackers. 

The FTC's warning comes after the agency and fertility mobile app maker Flo Health reached an agreement in June over data-sharing privacy concerns. According to the FTC, the start-up company misled millions of women about how it shared their sensitive health data with third-party analytics firms like Facebook and Google, in violation of the FTC Act. 

According to privacy attorney Kirk Nahra of the law firm WilmerHale, the FTC's actions on the Health Breach Notification Rule "are an interesting endeavour to widen how that rule has been understood since it was implemented."

"It is focusing attention on a much larger group of health-related companies, and changing how the FTC has looked at that rule and how the industry has perceived it. I expect meaningful challenges to this 'clarification' if it is put into play," he notes. 

Failure to comply might result in "monetary penalties of up to $43,792 per violation per day," according to the new policy statement.

Pakistani Scammer Sentenced to 12 Years in $200 Million Phone-Fraud Scheme


AT&T, the world’s largest telecommunications firm, lost over $200 million after a Pakistani scammer and his partners coordinated a seven-year scheme that led to the fraudulent unlocking of nearly 2 million phones. 

Muhammad Fahd, 35, of Karachi, has been sentenced to 12 years in prison after he bribed several AT&T employees to do his bidding, including unlocking phones, giving him access to their credentials, and installing malware that gave him remote access to the mobile carrier’s servers, the Department of Justice (DOJ) said. 

How it all started

It all began in the summer of 2012 when Fahd recruited an AT&T employee via Facebook using the false name “Frank Zhang”. He bribed the employee and his co-workers with “significant sums of money” to remove the carrier’s protection that locked cellular phones to its network. 

In April 2013, after AT&T launched a new unlocking system that prevented the corrupt employees from continuing to unlock phones on his behalf, the scammer was forced to recruit a malware developer to build malicious tools.

“At Fahd’s request, the employees provided confidential information to Fahd about AT&T’s computer system and unlocking procedures to assist in this process. Fahd also had the employees install malware on AT&T’s computers that captured information about AT&T’s computer system and the network access credentials of other AT&T employees. Fahd provided the information to his malware developer, so the developer could tailor the malware to work on AT&T’s computers,” according to the sentencing documents. 

Fahd and his co-conspirators also used multiple shell companies to cover up their illegal activity, including Swift Unlocks Inc, Endless Trading FZE (aka Endless Trading FZC), Endless Connections Inc, and iDevelopment Co, according to the indictment. 

Millions Lost 

AT&T forensic analysis discovered that 1,900,033 cellular phones were unlocked unlawfully by the scammers behind this scheme, resulting in $201,497,430.94 of losses due to lost payments. 

The company also sued former employees after discovering that they had been bribed into illegally unlocking phones and planting malware and malicious tools on its network. “We’re seeking damages and injunctive relief from several people who engaged in a scheme a couple of years ago to illegally unlock wireless telephones used on our network,” AT&T said in a statement to a local media outlet.

“It’s important to note that this did not involve any improper access of customer information or any adverse effect on our customers.” Fahd was arrested in Hong Kong in 2018 and extradited to the US in 2019. He remained in jail until he was sentenced earlier this week to 12 years in prison, having pleaded guilty to conspiracy to commit wire fraud in September 2020.

At the sentencing hearing, U.S. District Judge Robert S. Lasnik for the Western District of Washington noted that Fahd had executed a terrible cybercrime over a long period even after he was aware that law enforcement was investigating.

City of Yonkers Refuses to Pay Ransom After Attackers Demand $10 million


The City of Yonkers has refused to pay after ransomware attackers demanded a ransom of $10 million to restore the various systems that serve the city's different departments.

Earlier this month, government employees at the City of Yonkers were unable to access their laptops or computers after the city suffered an intrusion by ransomware attackers. In the meantime, employees were told to restore as much data as possible manually from backups, which often means keeping pen-and-paper records that are later transferred into databases.

The ransomware outbreak 

Ransomware attacks against local governments are on the rise. Last year, at least 2,354 governments, healthcare facilities, and schools were targeted by ransomware attackers. Local governments are attractive targets because they have fewer resources and capabilities to defend themselves.

A 2020 survey of state chief information security officers found that 70 percent listed ransomware as a top concern, citing funding hurdles and a lack of confidence in localities’ ability to guard state information assets. And after a ransomware event occurs, only 45 percent of local law enforcement agencies felt that they “had access to the resources” to analyze digital evidence linked to the crime. This allows attackers to operate with more confidence: Third Way found that only 3 out of every 1,000 cybercrimes reported to the FBI result in an arrest.

In 2019, the City of Baltimore was crippled for more than two weeks before the government’s systems were restored, in a delay that cost the city more than $18 million. Although Baltimore followed the instructions given by cyber security experts and the FBI to not pay the ransom, many people questioned the city’s strategy, given the extent of the damage.

“If we paid the ransom, there is no guarantee [the attackers] can or will unlock our system. There’s no way of tracking the payment or even being able to confirm who we are paying the money to. Because of the way they requested payment, there’s no way of knowing if they are leaving other malware on our system to hold us for ransom again in the future,” Mayor Bernard C. Jack Young said while responding to the critics.

“Ultimately, we would still have to take all the steps we have taken to ensure a safe and secure environment. I’m confident we have taken the best course of action,” he added. 

No more ransom payments

When three more local governments were attacked within a few months, it prompted a meeting of the United States Conference of Mayors, which resulted in a unanimous resolution to stop paying ransom demands.

“Paying ransomware attackers encourages continued attacks on other government systems, as perpetrators financially benefit. The United States Conference of Mayors has a vested interest in de-incentivizing these attacks to prevent further harm,” the mayors wrote.

In the case of the City of Yonkers, the city confirmed that the virus was quarantined on the network, no ransom was paid and the Department of Homeland Security was notified.

Cyber-Attack on Dotty’s Exposed Personal Data of Customers


Customers' personal data was exposed as a result of a cyber-attack on Dotty's, a fast food and gaming franchise in the United States, according to the company. Dotty's has around 300,000 players in its database and runs 120 gambling locations in Nevada. Nevada Restaurant Services (NRS) owns and operates Dotty's, a fast-food franchise with 175 locations that offers gaming services. On January 16, 2021, malware was detected on "some computer systems."

The investigation found that “an unauthorized person accessed certain systems” on the NRS network, according to the firm. Furthermore, the company admitted that an unauthorized person copied data from those systems on or before January 16 of this year. The NRS discovered that certain users' data may have been impacted after further examination and analysis. 

NRS examined the impacted data thoroughly to establish what sorts of information were implicated and to whom it was linked. Individuals' names, dates of birth, Social Security numbers, driver's license numbers or state ID numbers, passport numbers, financial account and/or routing numbers, health insurance information, treatment information, biometric data, medical records, and taxpayer identification numbers are just some of the data elements that could be involved. 

NRS sent notice letters to those who had been identified as possibly affected and for whom it had valid mailing addresses. Users have told Vital Vegas that they received a letter from Dotty's regarding the breach, but that they only learned about it recently, months after the alleged attack.

NRS has put in place security measures to secure its systems and the information it holds, and it has worked to improve its environment's technical protections. Following the event, NRS took urgent steps to protect its systems and undertake a thorough investigation into the issue's entire nature and scope. In addition, the firm provided free access to its “credit monitoring and identity theft restoration services, through IDX.” 

According to NRS, this will give an additional layer of protection to consumers who want to use it. The NRS emphasized that customers who wish to enroll must do so themselves, since the business is unable to enroll them on their behalf. Finally, the NRS expressed regret for any inconvenience or worry that the data breach may have caused.

Boston Public Library Affected by Cyberattack


The Boston Public Library (BPL) announced on 27th August that its network was compromised on Wednesday, resulting in a system-wide technical outage. BPL stated that the current technical disruption was triggered by a cyberattack on its servers on Wednesday. 

BPL serves nearly 4 million visitors each year through its central library and twenty-five branches, as well as millions more online. By total number of items, it is the third-largest public library in the United States, after the federal Library of Congress and the New York Public Library.

"The library is currently experiencing a significant system outage and online library services that require login are unavailable," a notice on the library's site currently reads. 

The library stated, "On Wednesday morning, 8/25, the Boston Public Library experienced a systemwide technical outage due to a cybersecurity attack, pausing public computer and public printing services, as well as some online resources." 

"Affected systems were taken offline immediately, and proactive steps were taken to isolate the problem and shut down network communication." 

An ongoing investigation, conducted jointly with law enforcement and the Mayor's IT specialists, has so far found no evidence that employee or patron data was stolen from the compromised systems.

IT staff now restoring impacted systems and services

BPL's IT staff is actively restoring all affected devices and services, with some physical locations and online services still operational. 

Kurt Mansperger, Chief Technology Officer of the BPL, stated, "We apologize for any inconvenience this outage may have caused patrons. Thank you for your patience as our team and law enforcement officials work to restore our digital services and protect the library from future attacks." 

In an email to employees, Boston Public Library President David Leonard stated that it does not appear that the incident was caused by staff misconduct or error. He noted that some data may be permanently destroyed due to the intrusion and will have to be recreated. 

"The extent of this is still being assessed," he stated. "The attack was indeed that bad."

The FBI has Issued a Warning About the Hive Ransomware Gang


The Federal Bureau of Investigation (FBI) has issued a security alert regarding the Hive ransomware attacks, which provides technical data and indicators of compromise related to the gang's operations. The gang recently targeted Memorial Health System, which was compelled to shut down some of its activities.   

The new Hive ransomware, according to John Riggi, senior advisor for cybersecurity at the American Hospital Association, is of particular concern to healthcare organizations. Hive has targeted at least 28 companies so far, including Memorial Health System, which was infected by ransomware on August 15. Across Ohio and West Virginia, the non-profit operates a number of hospitals, clinics, and healthcare facilities.

The attack led Memorial, which is based in Ohio, to suspend user access to IT applications. All urgent surgery cases and radiology exams were canceled for August 16th, but all general care visits went ahead as planned. While systems were being restored, staff at Memorial's hospitals (Marietta Memorial, Selby, and Sistersville General Hospital) had to rely on paper records.

Hive ransomware has been active since June 2021, and it uses a Ransomware-as-a-Service model with a wide range of tactics, techniques, and procedures (TTPs). According to government experts, the gang uses a variety of methods to infiltrate victims' networks, including phishing emails with malicious attachments to acquire access and Remote Desktop Protocol (RDP) to move around once on the network. 

"After compromising a victim network, Hive ransomware actors exfiltrate data and encrypt files on the network. The actors leave a ransom note in each affected directory within a victim's system, which provides instructions on how to purchase the decryption software. The ransom note also threatens to leak exfiltrated victim data on the Tor site, 'HiveLeaks,'" the FBI explained. "Hive ransomware seeks processes related to backups, anti-virus/anti-spyware, and file copying and terminates them to facilitate file encryption. The encrypted files commonly end with a .hive extension."

The alert explains how the ransomware corrupts systems and backups before directing victims to a link to the group's "sales department," which is reachable through a Tor browser. The link connects victims to a live chat with the perpetrators, but the FBI reports that some victims have also been phoned by the attackers demanding ransom. Most victims are given a payment deadline of two to six days; however, some have been able to extend their deadlines through negotiation.
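As an added example (not code from the blog post or the FBI alert), a small Python triage helper that applies the file-level indicators quoted above, the ".hive" extension on encrypted files and a ransom note in each affected directory, to a constructed file listing. The ransom note filename, the paths and the thresholds are assumptions, since the page does not give them.

```python
"""
Added triage helper: group a list of file paths from a suspect host by
directory and flag directories that show the file-level signs the FBI alert
attributes to Hive ransomware (files renamed with a ".hive" suffix and a
ransom note dropped in each affected directory). The note's filename is not
given on the page, so the caller passes it in as an assumption.
"""
from collections import defaultdict
from pathlib import PurePosixPath

HIVE_SUFFIX = ".hive"


def summarize_directories(paths, note_name=None):
    """Return {directory: {"total", "encrypted", "note", "orig_types"}}.

    "orig_types" records the extension that sat under ".hive" (for example
    "report.docx.hive" -> ".docx"), which helps scope what kind of data was hit.
    """
    stats = defaultdict(lambda: {"total": 0, "encrypted": 0,
                                 "note": False, "orig_types": set()})
    for raw in paths:
        path = PurePosixPath(raw)
        entry = stats[str(path.parent)]
        entry["total"] += 1
        if path.suffix.lower() == HIVE_SUFFIX:
            entry["encrypted"] += 1
            inner = PurePosixPath(path.stem).suffix.lower()  # extension before .hive
            if inner:
                entry["orig_types"].add(inner)
        elif note_name is not None and path.name.lower() == note_name.lower():
            entry["note"] = True
    return dict(stats)


def flag_directories(paths, note_name=None, min_encrypted=3, min_ratio=0.5):
    """Directories worth an analyst's attention, most-affected first.

    A directory is flagged when at least ``min_encrypted`` files carry the
    .hive suffix and they make up ``min_ratio`` of its files, or when a ransom
    note sits beside at least one encrypted file (one encrypted file plus a
    note is already a strong signal, so the bulk threshold is waived).
    """
    flagged = []
    for directory, s in summarize_directories(paths, note_name).items():
        ratio = s["encrypted"] / s["total"]
        bulk = s["encrypted"] >= min_encrypted and ratio >= min_ratio
        noted = s["note"] and s["encrypted"] >= 1
        if bulk or noted:
            flagged.append((directory, s["encrypted"], sorted(s["orig_types"])))
    flagged.sort(key=lambda item: (-item[1], item[0]))
    return flagged


# Constructed sample listing (not real incident data); note name is hypothetical.
SAMPLE_PATHS = [
    "/srv/share/finance/q2-report.xlsx.hive",
    "/srv/share/finance/budget.docx.hive",
    "/srv/share/finance/notes.txt.hive",
    "/srv/share/finance/HOW_TO_DECRYPT.txt",
    "/srv/share/hr/contract.pdf.hive",
    "/srv/share/hr/HOW_TO_DECRYPT.txt",
    "/srv/share/hr/handbook.pdf",
    "/srv/share/public/logo.png",
    "/srv/share/public/index.html",
    "/srv/share/public/archive.hive",  # single stray file, no note: not flagged
]

if __name__ == "__main__":
    for directory, count, types in flag_directories(SAMPLE_PATHS, "HOW_TO_DECRYPT.txt"):
        print(f"{directory}: {count} encrypted file(s), original types {types}")
```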

The US State Department was Recently Hit by a Cyber Attack


According to a Fox News correspondent, the US State Department was hit by a cyberattack, and the Department of Defense Cyber Command was notified of a potentially significant breach. The date of the breach is unknown, but it is thought to have occurred a few weeks ago, according to the Fox News reporter's Twitter thread. The current mission of the State Department to withdraw Americans and allies from Afghanistan has "not been harmed," according to the reporter. 

Without confirming any incident, a reliable source told Reuters that the State Department has not encountered any substantial disruptions and that its operations have not been hampered in any manner. On Saturday, a State Department official told CNBC that the agency "takes seriously its responsibility to safeguard its information and takes constant steps to ensure it is protected."

“For security reasons, we are not in a position to discuss the nature or scope of any alleged cybersecurity incidents at this time,” the spokesperson said. 

The Senate Committee on Homeland Security and Government Affairs gave the State Department's information security programme a D grade earlier this month, the lowest possible rating given by the government model. The panel found the department to be "ineffective in four of five function areas." 

“Auditors identified weaknesses related to State’s protection of sensitive information and noted the Department did not have an effective data protection and privacy program in place,” it added. The Senate committee also found that the department was unable to demonstrate that it had data security measures in place for data in transit and at rest.

According to a cybersecurity report by the Senate Committee, the agency was unable to provide documentation for 60% of the sample employees evaluated who had access to its classified network. On its classified and unclassified networks, the State Department left thousands of employee accounts active even after they had left the agency for significant periods of time—in some cases as long as 152 days after employees quit, retired, or were dismissed. 

“Former employees or hackers could use those unexpired credentials to gain access to State’s sensitive and classified information, while appearing to be an authorized user,” the report stated.

T-Mobile Acknowledged Breach of 100 Million Customers


T-Mobile announced a data breach on Monday after a hacking organization claimed to have gotten records of 100 million T-Mobile customers in the United States and sold some of the information on the dark web. The US wireless carrier said it couldn't say how many users were affected, but that it has started a "deep technical review of the situation across our systems to identify the nature of any data that was illegally accessed."

T-Mobile is the brand name for the mobile communications companies of Deutsche Telekom AG, a German telecommunications firm, in the Czech Republic (T-Mobile Czech Republic), the Netherlands (T-Mobile Netherlands), Poland (T-Mobile Polska), and the United States (T-Mobile US).

T-Mobile initially stated that it was investigating the hacker group's claim, but eventually admitted that at least some data had been acquired by the hackers. "We have determined that unauthorized access to some T-Mobile data occurred, however, we have not yet determined that there is any personal customer data involved," a company statement said. "We are confident that the entry point used to gain access has been closed."

T-Mobile said it was conducting its own investigation into the incident with the help of digital forensic experts and was collaborating with law enforcement. According to media sources citing postings on dark web forums, the enormous breach allegedly includes sensitive personal information such as social security and driver's license numbers. 

Motherboard was given access to some of the data, and the publication confirmed that it contained correct information on T-Mobile subscribers. The seller told Motherboard that they had hacked into various T-Mobile servers. A subset of the data, containing around 30 million social security numbers and driver's licenses, is being sold on the forum for six bitcoin, while the rest is being sold privately. At current exchange rates, six bitcoins are worth about $280,000. 

The seller told Motherboard, “I think they already found out because we lost access to the backdoored servers,” referring to T-Mobile’s apparent response to the breach. T-Mobile appears to have locked them out of the hacked systems, according to the seller, but they had already downloaded the data locally. They stated, "It's backed up in multiple places."

The firm has also stated that once the situation is more understood, it would “proactively communicate” with customers and stakeholders, but that the investigation will “take some time.”

FBI Told Congress That Ransomware Payments Shouldn't be Prohibited


After meeting with the business sector and cybersecurity experts, the Biden administration backed away from the concept of barring ransomware payments, according to a top cybersecurity official on Wednesday. At an Aspen Security Forum event, Anne Neuberger, deputy national security adviser for cyber and new technology, said, "Initially, I thought that was a good approach. We know that ransom payments are at the heart of this ecosystem.”

A top FBI official told US lawmakers in July that making ransom payments to cybercriminals illegal is not the best way to combat the danger of ransomware. According to Bryan Vorndran, assistant director of the FBI's cyber division, banning ransom payments could unwittingly open the door to more extortion by ransomware gangs. 

"If we ban ransom payments now, you're putting US companies in a position to face yet another extortion, which is being blackmailed for paying the ransom and not sharing that with authorities," Vorndran said at a Senate Judiciary Committee hearing on ransomware. 

The debate over whether or not ransomware payments should be illegal exemplifies the larger issue that policymakers have in trying to combat a crime that takes advantage of a victim's financial incentives. According to cybersecurity experts, paying in the hopes of rapidly fixing an issue is often more appealing than refusing to negotiate, having to recover data from backups, and risking the publishing of sensitive information online. 

“We heard loud and clear from many that the state of resilience is inadequate, and as such, if we banned ransom payments we would essentially drive even more of that activity underground and lose insight into it that will enable us to disrupt it,” Neuberger said.

One of those disruption efforts is work to gain transparency into cryptocurrency networks, which have become a popular payment method for cybercriminals. The National Security Council, according to Neuberger, is working with other members of an interagency task force to review regulations and safeguards that would allow for improved payment monitoring.

“Our driving goal is rapid tracing and really the strengthening of domestic and international virtual currency regulatory environments to enable that,” she said. “One big part of it is also building in those types of protections in the design of new virtual currencies and addressing that in a way that we can both have the innovation, and not have a broad illicit use that’s driving criminal activity.”

FTC Issued a Warning About Phishing Scams Involving Unemployment Benefits


Americans should be skeptical of text messages appearing to be from their state workforce agency, according to the Federal Trade Commission. Following the discovery of an SMS-based phishing effort targeting users of unemployment insurance benefits, the FTC has raised a red flag. In one year, consumers lost $57 million to phishing schemes, according to the FBI's Internet Crime Complaint Center.

"Identity thieves are targeting millions of people nationwide with scam phishing texts aimed at stealing personal information, unemployment benefits, or both," said Seena Gressin, attorney at the division of consumer and business education at the FTC. As part of the effort, several fraudulent texts are being sent out. One advises the receiver that their unemployment insurance (UI) claim requires "necessary corrections." Another instructs the target to double-check their personal details.

A targeted user who clicks on a link in one of these messages will be directed to a fake website impersonating their state workforce agency, which Gressin described as "looking very real." Instructions on the site ask the user to enter a slew of personal information, including their login credentials and Social Security number. "Fraudsters can use the information to file fraudulent UI benefits claims or for other identity theft," warned Gressin.

Scammers love to target people when they are most vulnerable, knowing that they will be more likely to fall for the trap. That is especially true for people who are unemployed and rely on unemployment benefits to get by. 

The Federal Trade Commission (FTC) published the text of seven different phishing messages that are now circulating. One reads "RI-DLT Labor: This is to notify you that your Rhode Island insurance claim account is currently on hold for verification. Please complete your verification by following the instruction link below to activate your account."

"As we continue to work our way through the pandemic and associated issues, unemployment insurance has become more and more important to people unable to work when jobs that match their skills are not available," said KnowBe4 security awareness advocate Erich Kron. "With the recent rise in cases, due to the Delta variant and other factors, stress levels continue to rise for people impacted. This makes them prime candidates for attacks such as this, which threaten their only source of income."

CISA Partners with Leading Technology Providers for New Cybersecurity Initiative


As part of a new campaign aimed at improving the country's cyber defences, the US government has announced partnerships with Amazon, Microsoft, Google, and other major corporations. According to CISA Director Jen Easterly, the Joint Cyber Defense Collaborative, or JCDC, would strive to take a proactive approach to cyber defense in the wake of multiple high-profile breaches that damaged the federal government and the general public. 

The JCDC would initially focus on battling ransomware and other cyberattacks against cloud computing providers, according to a Wall Street Journal report, in order to avoid situations like the recent Kaseya supply-chain ransomware incident that occurred earlier this summer. 

“The industry partners that have agreed to work side-by-side with CISA and our interagency teammates share the same commitment to defending our country’s national critical functions from cyber intrusions, and the imagination to spark new solutions,” Easterly said in the statement. 

Through the establishment of the JCDC, CISA will be able to integrate unique cyber capabilities across numerous federal departments, state and local governments, and private sector firms to achieve shared objectives. The new programme will also enable the public and commercial sectors to share information, coordinate defensive cyber operations, and participate in joint exercises to improve cyber defense operations in the United States.

Aside from AWS, Microsoft, and Google Cloud, the JCDC will collaborate with AT&T, Crowdstrike, FireEye Mandiant, Lumen, Palo Alto Networks, and Verizon. Meanwhile, the Department of Defense (DoD), US Cyber Command, the National Security Agency (NSA), the Department of Justice (DoJ), the FBI, and the Office of the Director of National Intelligence are among the government's partners.

Rep. Jim Langevin, D-RI, a member of the Cyberspace Solarium Commission and a senior member of the House Committee on Homeland Security, said the JCDC is “exactly the kind of aggressive, forward-thinking we need to combat the ever-growing cyber threats that face our nation.” In a statement, Langevin said the JCDC “brings together our [Cyberspace Solarium Commission] recommendations about planning, intelligence fusion and cybersecurity operations in a visionary way.”

According to a Langevin aide, the Joint Cyber Defense Collaborative will house the Joint Planning Office, which Congress has authorised, as well as the Joint Collaborative Environment, if passed this year as politicians like Langevin hope.

Widespread Cyber Espionage Attacks Use New Chinese Spyware


According to new research, a threat actor believed to be of Chinese origin was linked to a series of ten attacks from January to July 2021 that involved the deployment of a remote access trojan (RAT) on infected computers and targeted Mongolia, Russia, Belarus, Canada, and the United States. The breaches have been linked to APT31 (FireEye), an advanced persistent threat that has been dubbed Zirconium (Microsoft), Judgement Panda (CrowdStrike), and Bronze Vinewood (Secureworks) by the cybersecurity community. 

BRONZE VINEWOOD has hidden malicious activity within legitimate network traffic by using prominent social media and code repository sites. Previous BRONZE VINEWOOD campaigns leveraging DLL search-order hijacking to distribute the HanaLoader downloader malware and other malicious payloads have also been uncovered by Secureworks Counter Threat Unit (CTU) researchers.

According to researchers, the group is thought to be a Chinese state-sponsored cyberespionage actor attempting to acquire intelligence to aid the Chinese government and state-owned firms. 

In the attacks, a new malware dropper was used; it included a downloader that fetches encrypted next-stage payloads from a remote command-and-control server and is able to decrypt and execute them. The malicious code can download further malware, further increasing the risk to victims, as well as perform file operations, exfiltrate sensitive data, and even remove itself from the compromised machine.

Positive Technologies researchers Denis Kuvshinov and Daniil Koloskov found the self-delete command notable because it uses a .bat file to remove all of the registry keys and files created as a result of running the malware.

The malware's similarities to a trojan known as DropboxAES RAT, which was used by the same threat group last year and relied on Dropbox for command-and-control (C2) communications, are also worth noting, with numerous overlaps found in the techniques and mechanisms used to inject the attack code, achieve persistence, and delete the espionage tool.

Although BRONZE VINEWOOD calls the software DropboxAES RAT, CTU researchers discovered that it does not use the Advanced Encryption Standard (AES). Instead, it uses the ChaCha20 stream cipher to encrypt and decrypt data. Older versions of the malware may have used AES encryption.

"The revealed similarities with earlier versions of malicious samples described by researchers, such as in 2020, suggest that the group is expanding the geography of its interests to countries where its growing activity can be detected, Russia in particular," the researchers concluded.

Russia's 'Cozy Bear' Breached the Systems of the Republican National Committee


According to two people familiar with the situation, Russian government hackers broke into the Republican National Committee's computer systems last week, at the same time a Russia-linked criminal group launched a huge ransomware attack. According to the sources, the government hackers were members of a group known as APT 29 or Cozy Bear. 

That organization has previously been linked to Russia's foreign intelligence service and has been suspected of hacking the Democratic National Committee in 2016 and a supply-chain cyberattack involving SolarWinds Corp., which infiltrated nine US federal organizations and was revealed in December. It is unclear what data the hackers accessed or took, if any. The RNC has denied being hacked on many occasions. “There is no indication the RNC was hacked or any RNC information was stolen,” spokesman Mike Reed said. 

Chief of Staff Richard Walters claimed in a statement released after this story was posted that the RNC learned over the weekend that a third-party provider, Synnex Corp., had been breached. “We immediately blocked all access from Synnex accounts to our cloud environment,” he said. “Our team worked with Microsoft to conduct a review of our systems and after a thorough investigation, no RNC data was accessed. We will continue to work with Microsoft, as well as federal law enforcement officials, on this matter.”

Microsoft declined to disclose any additional information in a statement. A company spokeswoman responded, “We can’t talk about the specifics of any particular case without customer permission. We continue to track malicious activity from nation-state threat actors -- as we do routinely -- and notify impacted customers.” Dmitry Peskov, a spokesman for the Kremlin, denied that the Russian government was involved. “We can only repeat that whatever happened, and we don’t know specifically what took place here, this had no connection to official Moscow,” he said on a conference call. 

The RNC attack, combined with the recent ransomware incident, is a big provocation to President Joe Biden, who warned Russian President Vladimir Putin about cyberattacks at a summit on June 16. As agreed at the meeting, the two countries have been holding "some contacts" about cybersecurity, according to Peskov, who declined to disclose specifics or comment on whether the recent incident was discussed. 

It is unclear whether the RNC hack is linked to the ransomware strikes, which used a number of previously discovered flaws in software from Miami-based Kaseya Ltd.

Presidential Press Secretary Said Moscow Not Involved in The Cyber Attacks on the Republican National Committee of US

On Wednesday, the press secretary of the President of the Russian Federation Dmitry Peskov told reporters that the cyber attack on the cloud networks of the US Republican National Committee had nothing to do with Moscow.

"We don't know what exactly was there, but it has nothing to do with Moscow," a Kremlin spokesman told reporters.

He stressed that the Russian side "does not have any detailed information on this matter." At the same time, Peskov noted that recently there have been a lot of publications, which appear literally every day, concerning various cyberattacks and their alleged connection to Russia.

On Tuesday, Bloomberg reported that the cloud networks of the National Committee of the Republican Party of the United States, maintained by Microsoft, were subjected to a cyber attack. As noted by journalists, it was hackers from a cybercriminal group known as APT 29 or Cozy Bear.

On July 6, it became known that expert contacts between Moscow and Washington on cybersecurity were continuing after a meeting between Vladimir Putin and Joe Biden. According to White House spokeswoman Jen Psaki, the U.S. side expects a new meeting of experts next week.

During the summit in Geneva on June 16, Putin and Biden agreed to start consultations on cybersecurity. The Russian leader drew attention to the fact that, even according to American sources, the majority of cyberattacks in the world are committed from the United States, as well as from Canada and the United Kingdom.

Putin stressed that Moscow and Washington can agree on rules of conduct in the areas of strategic stability, cybersecurity and regional conflicts. Biden, on the other hand, said that he gave his Russian colleague a list of 16 types of infrastructure facilities, attacks on which should be stopped immediately in the most effective way.

Microsoft said an Attacker had Gained Access to One of its Customer-Service Agents


On Friday, Microsoft revealed that an attacker gained access to one of its customer-service agents and then used the data to begin hacking attempts against customers. The company claimed it discovered the breach while responding to hacks by a group it blames for previous significant breaches at SolarWinds and Microsoft. 

Microsoft stated that the impacted consumers had been notified. According to a copy of one warning seen by Reuters, the attacker belonged to the Microsoft-designated Nobelium group and had access in the second half of May. "A sophisticated Nation-State associated actor that Microsoft identifies as NOBELLIUM accessed Microsoft customer support tools to review information regarding your Microsoft Services subscriptions," according to the warning. The US government has officially blamed the Russian government for the earlier assaults, which it denies. 

Microsoft claimed it had discovered a breach of its own agent, who it said had limited powers, after commenting on a larger phishing attack it said had affected a small number of businesses. Among other things, the agent might access billing contact information and the services that consumers pay for. "The actor used this information in some cases to launch highly-targeted attacks as part of their broader campaign," Microsoft said.

Microsoft advised concerned consumers to be cautious when communicating with their billing contacts and to consider changing their usernames and email addresses, as well as preventing users from logging in with outdated usernames. Three entities have been compromised in the phishing attempt, according to Microsoft. It was unclear whether any of those whose data was viewed through the support agent were among those whose data was viewed through the broader campaign, or if the agent had been duped by the broader campaign. 

Nobelium's recent breach, according to a spokeswoman, was not part of the threat actor's prior successful attempt on Microsoft, in which it stole some source code. In the SolarWinds hack, the organization changed code at the company to get access to SolarWinds clients, which included nine federal agencies in the United States. 

According to the Department of Homeland Security, the attackers took advantage of flaws in the way Microsoft programmes were configured at SolarWinds customers and others. Microsoft eventually revealed that the hackers had hacked into its own employee accounts and taken software instructions that regulate how the company verifies user identities.

Russian Foreign Ministry accused the United States of trying to walk back the summit agreements on cybersecurity

According to the Russian Foreign Ministry, the words of White House spokesman Jen Psaki that the United States does not intend to warn Moscow about retaliatory cyber attacks are perplexing.

On Monday Psaki said that at the summit in Geneva, the US president Joe Biden mentioned hacking attacks on American facilities, which are blamed on Russia.

As Russian Foreign Ministry spokeswoman Maria Zakharova noted, Psaki's statement is surprising in the context of the Geneva talks, after which the sides announced their intention to begin consultations on cybersecurity.

"It seems that the United States is still trying to retain the right to launch cyber attacks based on fake Russian accusations of cyber attacks," Zakharova stressed at the briefing.

According to her, if Washington carries out a cyber attack without warning, it will itself be the first to launch an unannounced attack.

"We really want Washington to take these words seriously," the Foreign Ministry representative added.

Zakharova recalled that before the meeting in Geneva, the United States had made it clear that the topic of international information security had become strategic for them.

"In this context, we hope that the understanding of the need for a direct, professional and responsible conversation with Russia will prevail. We expect Washington to take appropriate steps," the diplomat concluded.

The Russia-US summit was held in Geneva on June 16. Summing up the negotiations, Vladimir Putin said that the sides will start consultations on cybersecurity. The president recalled that Moscow had previously provided all the information on the U.S. requests about cyberattacks, but had received nothing in response from the U.S. intelligence agencies. Putin noted that most of the cyber attacks in the world come from the U.S. and that anti-Russian insinuations must be stopped.

Maryland Officials Found 508,000 “Potentially Fraudulent” Unemployment Claims


Over the last six weeks, more than half a million "potentially fraudulent" jobless claims have been made in Maryland, according to state labour officials. Officials say about 508,000 unemployment claims have been flagged as Maryland Governor Larry Hogan joins a group of 25 other GOP governors who have decided to discontinue federal unemployment payments. According to The Washington Post, approximately 1.3 million bogus claims have been made in Maryland since the beginning of the pandemic.

“As the economy recovers and states across the country continue to opt out of the federal benefits program, bad actors are becoming more brazen and aggressive in their attempts to exploit unemployment insurance programs than ever before,” Maryland Labor Secretary Tiffany Robinson told the Post in a statement. 

Fallon Pearre, a spokeswoman for the Labor Department, declined to say how many of the "potentially fraudulent" claims have been proven to be false or whether any will result in legal action, but she did tell the Washington Post that the claims had been submitted to federal law enforcement. 

Marylanders will lose an additional $300 per week in benefits under Hogan's decision, which comes two months ahead of the Biden administration's original deadline, and gig workers will be without benefits entirely, according to the Post. 

According to the Washington Post, Robinson recently stated that the Labor Department had hired LexisNexis Risk Solutions to assist in the identification of possibly false claims. Over 64% of the nearly 200,000 transactions examined were detected as fraudulent, according to the company. 

According to the Washington Post, Robinson told the Maryland state House Economic Matters Committee, "Fraud is rampant, so we have to remain on top of it." When pressed by a state senator about the types of fraud that had been discovered, Robinson stated that the bulk of the cases involved stolen identities. “We know there are foreign actors across the country and across the world that are using the identities that they have obtained,” she said. 

Maryland officials identified an unemployment fraud operation last year that resulted in $501 million in bogus claims, with over 47,000 phoney claims filed using stolen identities and information obtained from earlier data breaches.

Audi And Volkswagen's Data Breach Affected 3.3 Million Customers


Volkswagen announced that a massive data breach exposed the personal information of over 3.3 million customers after one of its vendors left a cache of customer data unencrypted on the internet. In a letter to customers, Volkswagen said that the vendor utilized by Volkswagen, its subsidiary Audi, and authorized dealers in the United States and Canada had left customer data from 2014 to 2019 unsecured for two years between August 2019 and May 2021. 

Personal information about customers and potential buyers was included in the data, which was collected for sales and marketing purposes. Volkswagen Group of America, Inc. (VWGoA) is the German Volkswagen Group's North American subsidiary, responsible for Volkswagen, Audi, Bentley, Bugatti, Lamborghini, and VW Credit, Inc. operations in the United States and Canada. 

Between August 2019 and May 2021, a vendor left insecure data accessible on the Internet, according to data breach notices submitted with the California and Maine Attorney General's offices. This specific vendor informed the VWGoA in March that an unauthorized person had gained access to the data and may have accessed customer information for Audi, Volkswagen, and some authorized dealers. 

According to VWGoA authorities, the hack affected 3.3 million customers, with almost 97% of those affected being Audi customers or potential buyers. The data breach appears to have exposed information ranging from contact information to more sensitive data including social security numbers and loan numbers. 

"The data included some or all of the following contact information about you: first and last name, personal or business mailing address, email address, or phone number. In some instances, the data also included information about a vehicle purchased, leased, or inquired about, such as the Vehicle Identification Number (VIN), make, model, year, color, and trim packages," disclosed VWGoA in a data breach notification. 

"The data also included more sensitive information relating to eligibility for purchase, loan, or lease. More than 95% of the sensitive data included was driver’s license numbers. There were also a very small number of dates of birth, Social Security or social insurance numbers, account or loan numbers, and tax identification numbers." 

The hackers are demanding between $4,000 and $5,000 for all of the records, claiming that the database contains no social security numbers. The threat actors earlier stated that the database for a VPN service provider with various Android apps on the Google Play Store was on sale for $1,000. 

Volkswagen is offering free credit protection and monitoring services to the 90,000 customers whose personal information was exposed, as well as $1 million in identity theft insurance.

Putin called the accusations of launching a cyber war against the United States unsubstantiated

Russian President Vladimir Putin said that the US accusations against Russia, including cyber attacks and election interference, are groundless, as the US side has never provided any evidence.

"We are accused of a variety of things: interference in elections, cyber attacks, and so on. And they [the accusers] did not bother to provide any evidence. Just baseless accusations," he said, calling statements about Russia's involvement in cyber attacks in the United States a farce.

"The issue of cybersecurity is one of the most important today because all sorts of shutdowns of entire systems lead to very serious consequences, and this is possible," the Russian leader said in an interview with the program "Moscow. The Kremlin. Putin" of the Russia-1 TV channel.

According to Putin, the Russian Federation will be ready to extradite cybercriminals to the United States if the American side also extradites criminals to Russia.

He stressed that such agreements are expressed in the relevant interstate agreements, where the parties undertake certain obligations.

"And they are in the vast majority of cases equivalent. Both sides assume the same obligations," Putin explained.

On June 4, Putin called the accusations of cyber attacks on American companies made against Moscow ridiculous and suggested that the situation could have been provoked to increase disagreements in connection with the upcoming meeting with US President Joe Biden. The press secretary of the Russian leader Dmitry Peskov assured that Moscow will promptly consider the appeals of the American side in connection with the hacker attack on the JBS enterprises if such requests are received. He also stressed that Russia does not have data on the organizers of cyber attacks on JBS.

Putin did not rule out that Western intelligence services, including American ones, may conduct activities against Russia in the cyber sphere.

"I am not afraid of this, but I do not rule out that it may be so," the Russian leader said.

“What the US is afraid of may pose a threat to us. NATO has declared cyberspace a war zone. They are planning something, and this cannot but worry us," the Russian president added.

Suspects Linked to the Clop Ransomware Gang Detained in Ukraine


Following a joint operation by law enforcement agencies from Ukraine, South Korea, and the United States, multiple persons alleged to be affiliated with the Clop ransomware gang have been arrested in Ukraine. Six arrests were made during searches at 21 locations in Kyiv and the surrounding regions, according to the National Police of Ukraine's Cyber Police Department. 

While it's unclear if the defendants are ransomware affiliates or core developers, they're accused of a "double extortion" technique in which victims who fail to pay the ransom are threatened with the leak of data stolen from their networks before their files are encrypted. “It was established that six defendants carried out attacks of malicious software such as ‘ransomware’ on the servers of American and [South] Korean companies,” alleged Ukraine’s national police force in a statement. 

The police also seized equipment from the alleged Clop ransomware gang, which is accused of causing $500 million in financial losses. This includes computer equipment, a Tesla and a Mercedes, as well as 5 million Ukrainian Hryvnia (about $185,000) in cash. 

Authorities also claim to have successfully shut down the server infrastructure used by gang members to launch prior operations. “Together, law enforcement has managed to shut down the infrastructure from which the virus spreads and block channels for legalizing criminally acquired cryptocurrencies,” the statement added. 

“The Cl0p operation has been used to disrupt and extort organizations globally in a variety of sectors including telecommunications, pharmaceuticals, oil and gas, aerospace, and technology,” said John Hultquist, vice president of analysis at Mandiant’s threat intelligence unit. 

In February 2019, the gang launched an attack on four Korean organizations, encrypting 810 internal services and personal PCs. Clop has since been connected to a slew of high-profile ransomware attacks. These include the attack on ExecuPharm, a US pharmaceutical company, in April 2020, and the attack on E-Land, a South Korean e-commerce company, in November, which prompted the retailer to close over half of its outlets.

Clop is also related to the Accellion ransomware attack and data theft, in which hackers exploited flaws in the IT firm's File Transfer Appliance (FTA) software to steal data from dozens of its clients. Singaporean telecom Singtel, law firm Jones Day, supermarket retail chain Kroger, and cybersecurity firm Qualys are among the victims of this breach.