Data Breaches

Cost of Data Breach in 2024: $4.88 Million, Says Latest IBM Study

Posted on August 4, 2024 - August 4, 2024 by Maq Verma

The bald figure of $4.88 million tells us little about the state of security. But the detail contained within the latest IBM Cost of Data Breach Report highlights areas we are winning, areas we are losing, and the areas we could and should do better.

“The real benefit to industry,” explains Sam Hector, IBM’s cybersecurity global strategy leader, “is that we’ve been doing this consistently over many years. It allows the industry to build up a picture over time of the changes that are happening in the threat landscape and the most effective ways to prepare for the inevitable breach.”

IBM goes to considerable lengths to ensure the statistical accuracy of its report (PDF). More than 600 companies were queried across 17 industry sectors in 16 countries. The individual companies change year on year, but the size of the survey remains consistent (the major change this year is that ‘Scandinavia’ was dropped and ‘Benelux’ added). The details help us understand where security is winning, and where it is losing. Overall, this year’s report leads toward the inevitable assumption that we are currently losing: the cost of a breach has increased by approximately 10% over last year.

While this generality may be true, it is incumbent on each reader to effectively interpret the devil hidden within the detail of statistics – and this may not be as simple as it seems. We’ll highlight this by looking at just three of the many areas covered in the report: AI, staff, and ransomware.

AI is given detailed discussion, but it is a complex area that is still only nascent. AI currently comes in two basic flavors: machine learning built into detection systems, and the use of proprietary and third party gen-AI systems. The first is the simplest, most easy to implement, and most easily measurable. According to the report, companies that use ML in detection and prevention incurred an average $2.2 million less in breach costs compared to those who did not use ML.

The second flavor – gen-AI – is more difficult to assess. Gen-AI systems can be built in house or acquired from third parties. They can also be used by attackers and attacked by attackers – but it is still primarily a future rather than current threat (excluding the growing use of deepfake voice attacks that are relatively easy to detect).

Nevertheless, IBM is concerned. “As generative AI rapidly permeates businesses, expanding the attack surface, these expenses will soon become unsustainable, compelling business to reassess security measures and response strategies. To get ahead, businesses should invest in new AI-driven defenses and develop the skills needed to address the emerging risks and opportunities presented by generative AI,” comments Kevin Skapinetz, VP of strategy and product design at IBM Security.

But we don’t yet understand the risks (although nobody doubts, they will increase). “Yes, generative AI-assisted phishing has increased, and it’s become more targeted as well – but fundamentally it remains the same problem we’ve been dealing with for the last 20 years,” said Hector.

Part of the problem for in-house use of gen-AI is that accuracy of output is based on a combination of the algorithms and the training data employed. And there is still a long way to go before we can achieve consistent, believable accuracy. Anyone can check this by asking Google Gemini and Microsoft Co-pilot the same question at the same time. The frequency of contradictory responses is disturbing.

The report calls itself “a benchmark report that business and security leaders can use to strengthen their security defenses and drive innovation, particularly around the adoption of AI in security and security for their generative AI (gen AI) initiatives.” This may be an acceptable conclusion, but how it is achieved will need considerable care.

Our second ‘case-study’ is around staffing. Two items stand out: the need for (and lack of) adequate security staff levels, and the constant need for user security awareness training. Both are long term problems, and neither are solvable. “Cybersecurity teams are consistently understaffed. This year’s study found more than half of breached organizations faced severe security staffing shortages, a skills gap that increased by double digits from the previous year,” notes the report.

Security leaders can do nothing about this. Staff levels are imposed by business leaders based on the current financial state of the business and the wider economy. The ‘skills’ part of the skills gap continually changes. Today there is a greater need for data scientists with an understanding of artificial intelligence – and there are very few such people available.

User awareness training is another intractable problem. It is undoubtedly necessary – and the report quotes ‘employee training’ as the #1 factor in decreasing the average cost of a beach, “specifically for detecting and stopping phishing attacks”. The problem is that training always lags the types of threat, which change faster than we can train employees to detect them. Right now, users might need additional training in how to detect the greater number of more compelling gen-AI phishing attacks.

Our third case study revolves around ransomware. IBM says there are three types: destructive (costing $5.68 million); data exfiltration ($5.21 million), and ransomware ($4.91 million). Notably, all three are above the overall mean figure of $4.88 million.

The biggest increase in cost has been in destructive attacks. It is tempting to link destructive attacks to global geopolitics since criminals focus on money while nation states focus on disruption (and also theft of IP, which incidentally has also increased). Nation state attackers can be hard to detect and prevent, and the threat will probably continue to expand for as long as geopolitical tensions remain high.

But there is one potential ray of hope found by IBM for encryption ransomware: “Costs dropped dramatically when law enforcement investigators were involved.” Without law enforcement involvement, the cost of such a ransomware breach is $5.37 million, while with law enforcement involvement it drops to $4.38 million.

These costs do not include any ransom payment. However, 52% of encryption victims reported the incident to law enforcement, and 63% of those did not pay a ransom. The argument in favor of involving law enforcement in a ransomware attack is compelling by IBM’s figures. “That’s because law enforcement has developed advanced decryption tools that help victims recover their encrypted files, while it also has access to expertise and resources in the recovery process to help victims perform disaster recovery,” commented Hector.

Our analysis of aspects of the IBM study is not intended as any form of criticism of the report. It is a valuable and detailed study on the cost of a breach. Rather we hope to highlight the complexity of finding specific, pertinent, and actionable insights within such a mountain of data. It is worth reading and finding pointers on where individual infrastructure might benefit from the experience of recent breaches. The simple fact that the cost of a breach has increased by 10% this year suggests that this should be urgent.

DuckDuckGo blocked in Indonesia over porn, gambling search results

Posted on August 4, 2024 - August 4, 2024 by Maq Verma

Privacy-focused search engine DuckDuckGo has been blocked in Indonesia by its government after citizens reportedly complained about pornographic and online gambling content in its search results.

The government’s choice to block DuckDuckGo isn’t surprising considering the cultural and religious context, with Indonesia being a Muslim country where gambling is prohibited and porn is viewed as morally unacceptable.

In January 2024, Indonesia announced it blocked nearly 600,000 online gambling portals and took action against 5,000 bank accounts that engaged with them.

The government has previously blocked numerous pornography sites, Reddit, and Vimeo, and imposed temporary or partial restrictions on Tumblr, Telegram, TikTok, Netflix, and Badoo.

DuckDuckGo has now confirmed to BleepingComputer that Indonesia blocked its search engine in the country and that it has no means to respond to it.

“We can confirm that DuckDuckGo has been blocked in Indonesia due to their censorship policies. Unfortunately, there is no current path to being unblocked, similar to how we’ve been blocked in China for about a decade now,” DuckDuckGo told BleepingComputer.

At the same time, Google Search remains accessible in Indonesia, which suggests that either the tech giant has implemented effective self-censorship mechanisms for its local search engine or its size makes blocking too disruptive for internet usage in the country.

Indonesians have resorted to using VPN software to bypass the government’s restrictions. However, the Indonesian government plans to block free VPNs, making gaining access to blocked sites costly.

Free VPNs next

Virtual Private Network (VPN) tools are commonly used to bypass censorship imposed by governments and internet service providers.

When using VPNs, users can make connections from other countries to once again access DuckDuckGo, but free offerings may soon be removed.

Minister of Communication and Information Budi Arie Setiadi stated that the government intends to restrict access to free VPN tools, as they know these are used to access blocked online gambling portals.

“Yesterday, Mr. Hokky (Ministry’s Director General of Informatics Applications) had a meeting with Mr. Wayan (Ministry’s Director General of Postal and Information Technology Operations), and we will shut down free VPNs to reduce access to networks for the general public to curb the spread of online gambling,” stated Setiadi on June 31, 2024.

“I specifically have to include the issue of online gambling to make it clear that this is the darkest side of digitalization.”

The same ministry announcement highlighted the risks of free VPN services, underlining personal data theft, malware infections, and making internet connectivity slow or unreliable.

CrowdStrike sued by investors over massive global IT outage

Posted on August 4, 2024 - August 4, 2024 by Maq Verma

Cybersecurity company CrowdStrike has been sued by investors who say it provided false claims about its Falcon platform after a bad security update led to a massive global IT outage causing the stock price to tumble almost 38%.

The plaintiffs claim that the massive IT outage that occurred on July 19, 2024, proves CrowdStrike’s claims that their cybersecurity platform is thoroughly tested and validated are false.

As a result of this incident and its aftermath, CrowdStrike’s stock price has tumbled almost 38% from $343 on July 18 to $214, causing significant financial losses to investors.

The class action lawsuit submitted by the Plymouth County Retirement Association in the U.S. District Court of Austin, Texas, seeks compensatory damages for these losses.

A bad update causes a global IT outage

On July 19, Crowdstrike pushed out a faulty Falcon sensor update to Windows devices running the security software. The update slipped past Crowdstrike’s internal tests due to a bug in its content validator and inadequate testing procedures.

The update was received by 8,500,000 Windows devices, if not more, causing an out-of-bounds memory read when processed by Falcon, leading to the operating system crashing with Blue Screen of Death (BSOD).

CrowdStrike is widely used in enterprises, including airports, hospitals, government organizations, the media, and financial firms, causing catastrophic, costly, and even dangerous IT outages.

As restoring systems required staff to remove the faulty update manually, it took days for some companies to resume normal operations, leading to extended outages and delays.

While most have returned to normal operations, the fallout from the incident continues to unfold on multiple levels, including elevated cybercrime activity, loss of trust, and litigation threats.

According to the plaintiffs, the faulty Falcon update proved that contrary to CrowdStrike’s assurances around the diligence in its procedures and the efficacy and reliability of the Falcon platform, updates were inadequately tested and controlled, and the risk of outages is high.

The class action alleges that stockholders were defrauded by CrowdStrike’s knowingly false statements about the quality of its products and procedures.

“Because of their positions and access to material, nonpublic information, the Individual Defendants knew or recklessly disregarded that the adverse facts specified herein had not been disclosed to and were being concealed from the investing public and that the positive representations that were being made were false and misleading.” – Class action document.

To reflect the extent of the losses, the lawsuit mentions that the CrowdStrike stock price fell by 11% on the day of the incident, then another 13.5% on July 22, when Congress called CEO George Kurtz for a testimony, and another 10% on July 29 following news that Delta Airlines, one of the impacted entities, hire an attorney to seek damages.

The plaintiff alleges violations of Sections 10(b) and 20(a) of the Exchange Act and seeks compensation.

Financial impact

The IT outage caused by the CrowdStrike Falcon update has caused massive financial losses to impacted organizations, with many of them exploring litigation pathways to get some of it back.

Delta Airlines CEO Ed Bastian previously stated that the outage forced the cancellation of 2,200 flights for the company, resulting in losses estimated at $500,000,000.

The firm has already hired a law firm that will seek compensation from CrowdStrike and Microsoft, which is now in the crosshairs despite not being responsible for the incident.

Market analysts estimate that the outage has caused big enterprises $5.4 billion in losses.

A report by Guy Carpenter projects the estimated insured losses resulting from the bad Falcon update to be between $300 million and $1 billion, while CyberCube have raised the figure to $1.5 billion.

Google Chrome bug breaks drag and drop from Downloads bubble

Posted on August 4, 2024 - August 4, 2024 by Maq Verma

A recent Google Chrome update has broken the drag-and-drop feature in the Downloads bubble that previously allowed you to drag and drop downloaded files onto any website or tab in the browser.

Google Chrome’s downloads menu originally appeared in a bar at the bottom of the browser, but this changed last year when it was replaced with a downloads bubble, which appears within the toolbar.

**Google Chrome download bubble**
*Source: BleepingComputer*

As first reported by BleepingComputer, hundreds of users are now saying that the drag-and-drop feature no longer works after recent Google Chrome updates.

“Specifically files can’t be dragged into another chrome window, or be used to open a new chrome window (opening the file with chrome),” reads a post in the Google support forums.

“Dragging onto local desktop or into other programs seems to work fine. The downloads page, also works fine. Only the downloads bubble. I was able to recreate the issue by updating chrome, my current version is: 127.0.6533.73 (Official Build) (64-bit).”

In a Chromium issue found by BleepingComputer, Google Chrome engineers say reports about this bug began on July 29th and affect versions 127.0.6533.73 and 126.0.6478.185.

Google determined it was caused by a new performance-enhancing feature, ‘UIPumpImprovementsWin,’ which was rolled out to 50% of the Chrome Stable users on Sunday night.

A fix has been created by rolling back the UIPumpImprovementsWin change, which should be rolled out to users soon.

Get Certified in Platform Engineering, Starting Aug. 6

Posted on August 3, 2024 - August 3, 2024 by Maq Verma

As platform engineering continues to grow in popularity inside enterprises, an all-new training curriculum is being launched that will provide one of the first platform engineering certifications in the industry.

The training and certification, offered by the global platform engineering developer’s community PlatformEngineering.org, will begin on Aug. 6 and include two courses and a certification exam that will help IT administrators gain new skills in this burgeoning field.

The courses include an eight-week Platform Engineering Fundamentals class and an MVP (Minimum Viable Platform) to IDP (Internal Development Platform) course, followed by a certification exam combining platform engineering theory with hands-on tasks. Each of the courses will be held for eight to 10 weeks with live, interactive, online meetup sessions taught by platform engineering experts and some of the top platform architects in the industry, according to the group. The live nature of the courses will provide instant feedback, back-and-forth Q&As and an up-to-the-minute feel for the instruction. The live sessions are expected to run for up to 2.5 hours per class module.

IT admins can still sign up for the certification courses through Monday, Aug. 5, on the organization’s website.

“The number-one question from the community is ‘How do I become a platform engineer?’” Luca Galante, the lead instructor and vice president of product and growth for platform engineering vendor, Humanitec, told The New Stack. “So, we wanted to create a resource for IT admins [based on] the three or four years of really good content we have under our belt.”

ngrok is a secure unified ingress platform for developers. It combines reverse proxy, firewall, API gateway and global load balancing to deliver apps and APIs. Over 5 million developers use ngrok for testing webhooks and previewing apps, including the world’s top technology brands.

Learn More

The latest from ngrok

MicroK8s and ngrok: Easy ingress at the edge

25 July 2024
It’s about time: Format timestamps and time zones in the ngrok dashboard
24 July 2024
How to build connectors to on-premise services for workflow automation
24 July 2024

The certification course will be a combination of theory and hands-on internal developer platform building. The first course, the fundamentals instruction, is ready to go for the students and includes eight weekly modules on topics from an introduction to platform engineering to how to build an internal developer platform. Other modules include getting started with reference architectures, designing golden paths for developers, finding the right abstractions, infrastructure platform engineering, how to build minimum viable platforms and selling your minimum viable platforms to key stakeholders inside enterprises.

The second course is still being developed, but it will go beyond the basics to teach full rollout strategies and adoption paths across multiple workflows and teams, according to the group.

The fundamentals course is priced at $2,149, but registrants can use the code EARLYBIRD20 when registering to drop the price by 20% to $1,720. Once the development of the second course is completed, Galante said he expects that a special bundle price will be available for the combined courses and the exam for the students in the program.

The curriculum is being built to ensure that students who successfully complete the courses and exam will be able to demonstrate an elevated level of understanding and knowledge of platform engineering, from its theory to firsthand skills and expertise.

At least one other platform engineering course is also available today in the tech marketplace, from training vendor Pluralsight.

What Is Platform Engineering?

Platform engineering is becoming more common as more companies find that it empowers their software developers and accelerates their operational efficiencies. Platform engineering allows IT systems administrators to choose and assemble proven, curated and regularly maintained development applications, and then deliver them to a company’s developers via an all-in-one self-service portal.

By using one of these custom, standardized internal developer platforms (IDPs) and tools inside a company, developers are freed to do their core work activities, rather than spending valuable time searching for applications they need to create and test their code. These IDPs provide developers with the best code-building tools in an easy-to-use environment built to provide automation, standardization and flexibility for busy application developers.

Who Is Interested in Platform Engineering?

Many of the first students coming into the new certification program are individuals who want to learn the skills and fundamentals for their own edification, said Galante. “They are DevOps engineers or some junior engineers that want to have these skills. But we are already seeing teams purchasing the course. And we are getting applicants from large companies where they have systems administrators or IT admins who they want to upskill to become platform engineers or upskill their existing platform team to educate them around best practices.”

The guest lecturers who will participate in the courses include experts like Manuel Pais, co-author of the book, Team Topologies, and Ajay Chankramath, former head of platform engineering at the technology consultancy Thoughtworks.

An Enrollee Shares Why He Is Taking the Certification Course

Giovanny Velez, a platform engineering technical lead for a cloud-based applications vendor in Colombia, told The New Stack that he is taking the certification coursework to gain more experience and understanding of this still-emerging technology from a reliable and knowledgeable source.

“This platform engineering course and certification will significantly boost my professional growth and career prospects and will validate my expertise, increasing my credibility and making me a stronger candidate for advanced roles,” Velez wrote in an email. “It will open new career opportunities and potentially accelerate my path to senior positions.”

Velez said the courses will also teach him industry best practices and innovative tools that will improve his problem-solving abilities and help him stay current with the latest trends in platform engineering. “This knowledge is essential in our team as we are starting to implement the practice, and it helps us to streamline the process,” he said.

Velez, who is paying for the course himself, said he learned of the program after seeing announcements on the PlatformEngineering.org webpage and in its Slack channel.

“The program will also provide valuable networking opportunities, connecting me with other professionals in the field,” he said. “These connections can lead to knowledge sharing and future collaborations. Overall, I think that I will be more prepared to tackle the challenges of modern, cloud native environments and deliver increased value in my role. I see this field growing constantly and I see more job offers in the market.”

As lead for his company’s recently formed platform engineering team, Velez said the company is working to establish communication channels and that he will share his experiences with the course at his company “so the rest of the teams know what we will be doing and how.”

Analyst Reactions to Platform Engineering Training

Two analysts contacted by The New Stack said they believe that platform engineering training and certifications are a smart move for enterprises.

“Training is always smart, particularly if it is done by a company that offers related products and services because they will be up to date on the kind of unique, new and changing problems that IT is dealing with,” said Rob Enderle, principal analyst with the Enderle Group.

Enderle said he often hears from IT managers that employees are learning on the job rather than getting advanced training, which is creating huge deployment and operational problems.

“They need training like this to reduce those problems,” he added. “Learning on the job or from some obsolete lesson plan continues to be problematic. I recommend training from current practitioners so that those learning can hit the ground running and become immediately able to do the job right. It makes for better implementations, and it makes employees more valuable and less likely to get laid off.”

Another analyst, Dan Olds, CEO of Olds Research, agrees.

“The concept of platform engineering is what the hyperscale organizations — think Amazon, Google, and Meta — pioneered to allow them to efficiently operate at vast scale,” said Olds. “The idea behind it is to have a specific set of development tools — and only that set — which pays dividends when it comes to scalability, reliability, support and troubleshooting, to name a few. This is something that is catching on with other large organizations that have lots of applications in flight all the time as it simplifies the development, deployment and support functions.”

Such an approach simplifies the overall application development/deployment and life-cycle management processes for companies, said Olds. “In many organizations today, developers are able to pick and choose from a huge slate of development tools, which can lead to problems down the road when it comes to deployment, troubleshooting and the inevitable changes — unless those functions are performed by the engineer or engineers who actually developed the app. Standardizing development tools ensures that everyone is using the same size building blocks and understands how they fit together.”

Olds said he recommends that enterprise IT shops should investigate platform engineering, along with their counterparts in a company’s business units.

“I can see where this approach would increase the speed of application development and result in smoother deployments,” he said. But at the same time, while this holistic platform engineering approach can be beneficial for organizations, a potential problem could be getting all developers on board with it.

“I think that it might be a hard sell to some developers,” said Olds. “They are experts at the set of tools they use and have reasons why they do not use alternatives. It might take some work to get them out of their comfort zones and get them on board with this new approach.”

AWS Discontinues Git-Hosting Service CodeCommit

Posted on August 3, 2024 - August 3, 2024 by Maq Verma

As part of an apparent effort to clean house, Amazon Web Services will pull the plug on its git-based source control service, AWS CodeCommit.

“After giving it a lot of thought, we made the decision to discontinue new access to a small number of services, including AWS CodeCommit,” AWS Chief Evangelist Jeff Barr wrote, sharing a prepared message on the X social media service Tuesday.

Although existing customers can continue to use CodeCommit for the time being, AWS has stopped accepting new customers. And it has not given a date on when the service would be shuttered.

“While we are no longer onboarding new customers to these services, there are no plans to change the features or experience you get today, including keeping them secure and reliable,” Barr wrote in an extended Tweet. “We also support migrations to other AWS or third-party solutions better aligned with your evolving needs.”

The company has posted instructions on how to migrate a codebase from AWS to Microsoft’s GitHub, GitLab and other code repositories.

How to delete a CodeCommit repository — after migrating to another service (AWS)

“After migration, you have the option to continue to use your current AWS CodeCommit repository, but doing so will likely require a regular sync operation between AWS CodeCommit and the new repository provider,” the cloud giant provider advised.

Market Impact of CodeCommit

Launched in 2015, AWS CodeCommit provided a managed revision control service to host git repositories. It was designed to work with Git-based tools as well as with other AWS tools such as the CloudGuru code analysis software.

Nonetheless, the service had trouble gaining a foothold in the competitive code repository market, despite the natural appeal for AWS shops to stick with AWS for additional services.

TNS Analyst Lawrence Hecht noted that, in last year’s JetBrains survey, 3.2% of the developers surveyed used CodeCommit. Even among developers whose company primarily uses AWS for the cloud, only 9% used AWS CodeCommit.

Those same AWS-centric accounts were much more likely to say their company was using BitBucket (39%), GitLab (45%) and GitHub (63%)

“That is not a large user base, but it will be interesting to see where those people will migrate to,” noted Hecht in a Slack message.

https://datawrapper.dwcdn.net/p0BfG/1

One place where AWS CodeCommit has a strong userbase was Japan. In the JetBrains survey, 11% of developers said their company uses it, a larger user base than BitBucket in that market.

Despite the marginal use of CodeCommit, many observers still had feelings about the matter.

“Given AWS is a competitor to Azure, it’s so odd to see AWS making a business case for their customers to move” to Microsoft, wrote Gergely Orosz, author of the Pragmatic Engineer newsletter, in an X thread.

“To me, this is a clear sign to not adopt any dev-related tooling from AWS. It’s not the business they want to be in,” replied Acorn Labs chief architect and co-founder Darren Shepherd.

For GitLab, AWS shuttering CodeCommit is a sign that the market for code hosting has matured.

“The market has moved from point solutions to platforms that address the entire software development lifecycle,” wrote Emilio Salvador, GitLab vice president for strategy and developer relations, in a statement. “Buyers are now looking to platforms that provide one workflow that unifies developer, security, and operations teams with integrated native security.”

GitLab has set up two options for migrations from CodeCommit, using either self-managed GitLab or through the GitLab.com hosted service.

“Self-managed customers can install, administer, and maintain their GitLab instance on bare metal, VMs, or containers. GitLab.com requires no installation,” Salvador explained.

Other companies in the space are focusing on how their products can help in the transition.

“Migration to a new source code management tool is always challenging, The right considerations and migration strategies can significantly help with the process,” wrote Patrick Wolf, principal product manager at Harness, a DevOps software provider, in an e-mail to TNS. “Some important considerations for selecting a new Source Code Manager are integration with a DevOps platform, security and governance features, and developer productivity features.”

Other AWS services being discontinued are S3 Select, CloudSearch, Cloud9, SimpleDB, Forecast, and Data Pipeline. Earlier this month, the company also gave the axe to its Quantum Ledger Database.

Fortune 50 Co. Pays Record-Breaking $75M Ransomware Demand

Posted on August 3, 2024 - August 3, 2024 by Maq Verma

A Fortune 50 company paid $75 million to its cyberattackers earlier this year, greatly exceeding any other confirmed ransom payment in history. The beneficiary of the payout is an outfit called Dark Angels. And Dark Angels isn’t just effective — in some ways, the gang turns so much of what we thought we knew about ransomware on its head.

Sure, there have been other big amounts forked over in the past: In 2021, Illinois-based CNA Financial was reported to have paid a then unprecedented $40 million ransom in order to restore its systems after a ransomware attack (the company never confirmed that figure). Later that year, the meat manufacturer JBS admitted to paying $11 million to end a disruption affecting its factories. Caesars Palace last year paid $15 million to make its ransomware disruption problems go away.

But those figures pale in comparison against the $75 million in equivalent Bitcoin paid by the aforementioned large organization, which Zscaler chose to keep anonymous in its 2024 annual ransomware report, where the payout was first recorded. The dollar amount has also been corroborated by Chainalysis.

Meet the Dark Angels

Dark Angels first appeared in the wild in May 2022. Ever since, its specialty has been defeating fewer but higher-value targets than its ransomware brethren. Past victims have included multiple S&P 500 companies spread across varied industries: healthcare, government, finance, education, manufacturing, telecommunications, and more.

For example, there was its headline-grabbing attack on the megalith Johnson Controls International (JCI) last year. It breached the company’s VMware ESXi hypervisors, freezing them with Ragnar Locker and stealing a reported 27 terabytes worth of data. The ransom demand: $51 million. It’s unclear how Johnson Controls responded but, considering its $27 million-plus cleanup effort, it’s likely that the company did not cave.

$27 million would have been the second-largest ransom payment in recorded history at the time (after the reported CNA payment). But there’s evidence to suggest that this wasn’t just some outlandish negotiating tactic — that Dark Angels has good reason to think it can pull off that kind of haul.

Dark Angels Does Ransomware Differently

Forget everything you know about ransomware, and you’ll start to understand Dark Angels.

Against the grain, the group does not operate a ransomware-as-a-service business. Nor does it have its own malware strain — it prefers to borrow encryptors like Ragnar Locker and Babuk.

Its success instead comes down to three primary factors. First: the extra care it can take by attacking fewer, higher-yielding targets.

Second is its ability to exfiltrate gobs of sensitive data. As Brett Stone-Gross, senior director of threat intelligence at Zscaler explains, “If you look at a lot of these other ransomware groups, their affiliates are stealing maybe a few hundred gigabytes of data. Sometimes even less than 100 gigabytes of data. They usually top out around, maybe, one terabyte or so. In contrast, Dark Angels are stealing tens of terabytes of data.”

In that, Dark Angels differs only in degree, not in kind. Where it really separates itself from other groups is in its subtlety. Its leak site isn’t flashy. It doesn’t make grand pronouncements about its latest victims. Besides the obvious operational security benefits to stealth (it’s largely escaped media scrutiny in recent years, despite pulling off major breaches), its aversion to the limelight also helps it earn larger returns on investment.

For example, the group often avoids encrypting victims’ data, with the express purpose of allowing them to continue to operate without disruption. This seems to defy common wisdom. Surely the threat of downtime and media scrutiny are effective tools to get victims to pay up?

“You would think that, but the results say otherwise,” Stone-Gross suggests.

Dark Angels makes paying one’s ransom easy and quiet — an attractive prospect for companies that just want to put their breaches behind them. And avoiding business disruption is mutually beneficial: Without the steep bills associated with downtime, companies have more money to pay Dark Angels.

Can Dark Angels’ Wings Be Clipped?

In its report, Zscaler predicted “that other ransomware groups will take note of Dark Angels’ success and may adopt similar tactics, focusing on high value targets and increasing the significance of data theft to maximize their financial gains.”

If that should come to pass, companies will face much steeper, yet more compelling ransom demands. Luckily, Dark Angels’ approach has an Achilles’ heel.

“If it’s a terabyte of data, [a hacker] can probably complete that transfer in several days. But when you’re talking terabytes — you know, tens of terabytes of data — now you’re talking weeks,” Stone-Gross notes. So, companies that can catch Dark Angels in the act may be able to stop them before it’s too late.

DOJ and FTC Sue TikTok for Violating Children’s Privacy Laws

Posted on August 3, 2024 - August 3, 2024 by Maq Verma

The U.S. Department of Justice (DoJ), along with the Federal Trade Commission (FTC), filed a lawsuit against popular video-sharing platform TikTok for “flagrantly violating” children’s privacy laws in the country.

The agencies claimed the company knowingly permitted children to create TikTok accounts and to view and share short-form videos and messages with adults and others on the service.

They also accused it of illegally collecting and retaining a wide variety of personal information from these children without notifying or obtaining consent from their parents, in contravention of the Children’s Online Privacy Protection Act (COPPA).

TikTok’s practices also infringed a 2019 consent order between the company and the government in which it pledged to notify parents before collecting children’s data and remove videos from users under 13 years old, they added.

COPPA requires online platforms to gather, use, or disclose personal information from children under the age of 13, unless they have obtained consent from their parents. It also mandates companies to delete all the collected information at the parents’ request.

“Even for accounts that were created in ‘Kids Mode‘ (a pared-back version of TikTok intended for children under 13), the defendants unlawfully collected and retained children’s email addresses and other types of personal information,” the DoJ said.

“Further, when parents discovered their children’s accounts and asked the defendants to delete the accounts and information in them, the defendants frequently failed to honor those requests.”

The complaint further alleged the ByteDance-owned company subjected millions of children under 13 to extensive data collection that enabled targeted advertising and allowed them to interact with adults and access adult content.

It also faulted TikTok for not exercising adequate due diligence during the account creation process by building backdoors that made it possible for children to bypass the age gate aimed at screening those under 13 by letting them sign in using third-party services like Google and Instagram and classifying such accounts as “age unknown” accounts.

“TikTok human reviewers allegedly spent an average of only five to seven seconds reviewing each account to make their determination of whether the account belonged to a child,” the FTC said, adding it will take steps to protect children’s privacy from firms that deploy “sophisticated digital tools to surveil kids and profit from their data.”

TikTok has more than 170 million active users in the U.S. While the company has disputed the allegations, it’s the latest setback for the video platform, which is already the subject of a law that would force a sale or a ban of the app by early 2025 because of national security concerns. It has filed a petition in federal court seeking to overturn the ban.

“We disagree with these allegations, many of which relate to past events and practices that are factually inaccurate or have been addressed,” TikTok said. “We offer age-appropriate experiences with stringent safeguards, proactively remove suspected underage users, and have voluntarily launched features such as default screen time limits, Family Pairing, and additional privacy protections for minors.”

The social media platform has also faced scrutiny globally over child protection. European Union regulators handed TikTok a €345 million fine in September 2023 for violating data protection laws in relation to its handling of children’s data. In April 2023, it was fined £12.7 million by the ICO for illegally processing the data of 1.4 million children under 13 who were using its platform without parental consent.

The lawsuit comes as the U.K. Information Commissioner’s Office (ICO) revealed it asked 11 media and video-sharing platforms to improve their children’s privacy practices or risk facing enforcement action. The names of the offending services were not disclosed.

“Eleven out of the 34 platforms are being asked about issues relating to default privacy settings, geolocation or age assurance, and to explain how their approach conforms with the [Children’s Code],” it said. “We are also speaking to some of the platforms about targeted advertising to set out expectations for changes to ensure practices are in line with both the law and the code.”

Cybercriminals Are Selling Access to Chinese Surveillance Cameras

Posted on July 31, 2024 - July 31, 2024 by Maq Verma

Tens of thousands of cameras have failed to patch a critical, 11-month-old CVE, leaving thousands of organizations exposed.

New research indicates that over 80,000 Hikvision surveillance cameras in the world today are vulnerable to an 11 month-old command injection flaw.

Hikvision – short for Hangzhou Hikvision Digital Technology – is a Chinese state-owned manufacturer of video surveillance equipment. Their customers span over 100 countries (including the United States, despite the FCC labeling Hikvision “an unacceptable risk to U.S. national security” in 2019).

Last Fall, a command injection flaw in Hikvision cameras was revealed to the world as CVE-2021-36260. The exploit was given a “critical” 9.8 out of 10 rating by NIST.

Despite the severity of the vulnerability, and nearly a year into this story, over 80,000 affected devices remain unpatched. In the time since, the researchers have discovered “multiple instances of hackers looking to collaborate on exploiting Hikvision cameras using the command injection vulnerability,” specifically in Russian dark web forums, where leaked credentials have been put up for sale.

The extent of the damage done already is unclear. The authors of the report could only speculate that “Chinese threat groups such as MISSION2025/APT41, APT10 and its affiliates, as well as unknown Russian threat actor groups could potentially exploit vulnerabilities in these devices to fulfill their motives (which may include specific geo-political considerations).”

The Risk in IoT Devices

With stories like this, it’s easy to ascribe laziness to individuals and organizations that leave their software unpatched. But the story isn’t always so simple.

According to David Maynor, senior director of threat intelligence at Cybrary, Hikvision cameras have been vulnerable for many reasons, and for a while. “Their product contains easy to exploit systemic vulnerabilities or worse, uses default credentials. There is no good way to perform forensics or verify that an attacker has been excised. Furthermore, we have not observed any change in Hikvision’s posture to signal an increase in security within their development cycle.”

A lot of the problem is endemic to the industry, not just Hikvision. “IoT devices like cameras aren’t always as easy or straightforward to secure as an app on your phone,” Paul Bischoff, privacy advocate with Comparitech, wrote in a statement via email. “Updates are not automatic; users need to manually download and install them, and many users might never get the message. Furthermore, IoT devices might not give users any indication that they’re unsecured or out of date. Whereas your phone will alert you when an update is available and likely install it automatically the next time you reboot, IoT devices do not offer such conveniences.”

While users are none the wiser, cybercriminals can scan for their vulnerable devices with search engines like Shodan or Censys. The problem can certainly be compounded with laziness, as Bischoff noted, “by the fact that Hikvision cameras come with one of a few predetermined passwords out of the box, and many users don’t change these default passwords.”

Between weak security, insufficient visibility and oversight, it’s unclear when or if these tens of thousands of cameras will ever be secured.

RockYou2024: 10 billion passwords leaked in the largest compilation of all time

Posted on July 31, 2024 by Maq Verma

The largest password compilation with nearly ten billion unique passwords was leaked on a popular hacking forum. The Cybernews research team believes the leak poses severe dangers to users prone to reusing passwords.

The king is dead. Long live the king. Cybernews researchers discovered what appears to be the largest password compilation with a staggering 9,948,575,739 unique plaintext passwords. The file with the data, titled rockyou2024.txt, was posted on July 4th by forum user ObamaCare.

While the user registered in late May 2024, they have previously shared an employee database from the law firm Simmons & Simmons, a lead from an online casino AskGamblers, and student applications for Rowan College at Burlington County.

The team cross-referenced the passwords included in the RockYou2024 leak with data from Cybernews’ Leaked Password Checker, which revealed that these passwords came from a mix of old and new data breaches.

“In its essence, the RockYou2024 leak is a compilation of real-world passwords used by individuals all over the world. Revealing that many passwords for threat actors substantially heightens the risk of credential stuffing attacks,” researchers said.

Password leak checker

Has your password been leaked online? Find out with our password leak checker tool in seconds and take action to protect your data today.Check if your password has been leaked

Credential stuffing attacks can be severely damaging for users and businesses. For example, a recent wave of attacks targeting Santander, Ticketmaster, Advance Auto Parts, QuoteWizard, and others was a direct result of credential stuffing attacks against the victims’ cloud service provider, Snowflake.

“Threat actors could exploit the RockYou2024 password compilation to conduct brute-force attacks and gain unauthorized access to various online accounts used by individuals who employ passwords included in the dataset,” the team explained.

RockYou2024 post — Post announcing the leak on a hacker forum. Image by Cybernews.

Not the first rodeo

The RockYou2024 compilation did not just fall from the sky. Three years ago, Cybernews published a story about the RockYou2021 password compilation, the largest at the time, with 8.4 billion plain text passwords.

According to the team’s analysis of RockYou2024, attackers developed the dataset by scouring the internet for data leaks, adding another 1.5 billion passwords from 2021 through to 2024 and increasing the dataset by 15 percent.

The RockYou2021 compilation, an expansion of a data breach from 2009, included tens of millions of user passwords for social media accounts. Since then, however, the compilation has ballooned exponentially. Most likely, the latest RockYou iteration contains information collected from over 4,000 databases over more than two decades.

The Cybernews team believes that attackers can utilize the ten-billion-strong RockYou2024 compilation to target any system that isn’t protected against brute-force attacks. This includes everything from online and offline services to internet-facing cameras and industrial hardware.

“Moreover, combined with other leaked databases on hacker forums and marketplaces, which, for example, contain user email addresses and other credentials, RockYou2024 can contribute to a cascade of data breaches, financial frauds, and identity thefts,” the team said.

RockYou2024 leak — Attackers’ user profile. Image by Cybernews.

How to protect against RockYou2024?

While there is no silver bullet to protect users who had their passwords exposed, impacted individuals and organizations should take up mitigation strategies. The Cybernews research team advises to:

Immediately reset the passwords for all accounts associated with the leaked passwords. It is strongly recommended to select strong, unique passwords that are not reused across multiple platforms
Enable multi-factor authentication (MFA) wherever possible. This enhances security by requiring additional verification beyond a password
Utilize password manager software to securely generate and store complex passwords. Password managers mitigate the risk of password reuse across different accounts

Cybernews will include data from RockYou2024 in the Leaked Password Checker, allowing anyone to check if their credentials were exposed via the latest record-holding exposed password compilation.

With RockYou2024, we witnessed a second record-breaking compilation leaked online in 2024. Earlier this year, Cybernews discovered the Mother of all breaches (MOAB), comprising an astounding 12 terabytes of information, spanning over a mind-boggling 26 billion records.

Exit Scam: BlackCat Ransomware Group Vanishes After $22 Million Payout

Posted on July 31, 2024 - July 31, 2024 by Maq Verma

The threat actors behind the BlackCat ransomware have shut down their darknet website and likely pulled an exit scam after uploading a bogus law enforcement seizure banner.

“ALPHV/BlackCat did not get seized. They are exit scamming their affiliates,” security researcher Fabian Wosar said. “It is blatantly obvious when you check the source code of the new takedown notice.”

“There is absolutely zero reason why law enforcement would just put a saved version of the takedown notice up during a seizure instead of the original takedown notice.”

The U.K.’s National Crime Agency (NCA) told Reuters that it had no connection to any disruptions to the BlackCat infrastructure.

Recorded Future security researcher Dmitry Smilyanets posted screenshots on the social media platform X in which the BlackCat actors claimed that the “feds screwed us over” and that they intended to sell the ransomware’s source code for $5 million.

The disappearing act comes after it allegedly received a $22 million ransom payment from UnitedHealth’s Change Healthcare unit (Optum) and refused to share the proceeds with an affiliate that had carried out the attack.

The company has not commented on the alleged ransom payment, instead stating it’s only focused on investigation and recovery aspects of the incident.

According to DataBreaches, the disgruntled affiliate – who had their account suspended by the administrative staff – made the allegations on the RAMP cybercrime forum. “They emptied the wallet and took all the money,” they said.

This has raised speculations that BlackCat has staged an exit scam to evade scrutiny and resurface in the future under a new brand. “A re-branding is pending,” a now-former admin of the ransomware group was quoted as saying.

Menlo Security, citing HUMINT sources with direct contact to the affiliate, described them as likely associated with Chinese nation-state groups. The affiliate, who goes by the name Notchy, is said to have engaged on ransomware-related topics in the RAMP forum as early as 2021.

BlackCat had its infrastructure seized by law enforcement in December 2023, but the e-crime gang managed to wrest control of their servers and restart its operations without any major consequences. The group previously operated under the monikers DarkSide and BlackMatter.

“Internally, BlackCat may be worried about moles within their group, and closing up shop preemptively could stop a takedown before it occurs,” Malachi Walker, a security advisor with DomainTools, said.

“On the other hand, this exit scam might simply be an opportunity for BlackCat to take the cash and run. Since crypto is once again at an all-time high, the gang can get away with selling their product ‘high.’ In the cybercrime world, reputation is everything, and BlackCat seems to be burning bridges with its affiliates with these actions.”

The group’s apparent demise and the abandonment of its infrastructure come as malware research group VX-Underground reported that the LockBit ransomware operation no longer supports Lockbit Red (aka Lockbit 2.0) and StealBit, a custom tool used by the threat actor for data exfiltration.

LockBit has also tried to save face by moving some of its activities to a new dark web portal after a coordinated law enforcement operation took down its infrastructure last month following a months-long investigation.

It also comes as Trend Micro revealed that the ransomware family known as RA World (formerly RA Group) has successfully infiltrated healthcare, finance, and insurance companies in the U.S., Germany, India, Taiwan, and other countries since emerging in April 2023.

Attacks mounted by the group “involve multi-stage components designed to ensure maximum impact and success in the group’s operations,” the cybersecurity firm noted.

‘Stargazer Goblin’ Creates 3,000 Fake GitHub Accounts for Malware Spread

Posted on July 29, 2024 - July 29, 2024 by Maq Verma

A threat actor known as Stargazer Goblin has set up a network of inauthentic GitHub accounts to fuel a Distribution-as-a-Service (DaaS) that propagates a variety of information-stealing malware and netting them $100,000 in illicit profits over the past year.

The network, which comprises over 3,000 accounts on the cloud-based code hosting platform, spans thousands of repositories that are used to share malicious links or malware, per Check Point, which has dubbed it “Stargazers Ghost Network.”

Some of the malware families propagated using this method include Atlantida Stealer, Rhadamanthys, RisePro, Lumma Stealer, and RedLine, with the bogus accounts also engaged in starring, forking, watching, and subscribing to malicious repositories to give them a veneer of legitimacy.

The network is believed to have been active since August 2022 in some preliminary form, although an advertisement for the DaaS wasn’t spotted in the dark until early July 2023.

“Threat actors now operate a network of ‘Ghost’ accounts that distribute malware via malicious links on their repositories and encrypted archives as releases,” security researcher Antonis Terefos explained in an analysis published last week.

“This network not only distributes malware but also provides various other activities that make these ‘Ghost’ accounts appear as normal users, lending fake legitimacy to their actions and the associated repositories.”

Different categories of GitHub accounts are responsible for distinct aspects of the scheme in an attempt to make their infrastructure more resilient to takedown efforts by GitHub when malicious payloads are flagged on the platform.

These include accounts that serve the phishing repository template, accounts providing the image for the phishing template, and accounts that push malware to the repositories in the form of a password-protected archive masquerading as cracked software and game cheats.

Should the third set of accounts be detected and banned by GitHub, Stargazer Goblin moves to update the first account’s phishing repository with a new link to a new active malicious release, thereby allowing the operators to move forward with minimal disruption.

Besides liking new releases from multiple repositories and committing changes to the README.md files to modify the download links, there is evidence to suggest that some accounts part of the network have been previously compromised, with the credentials likely obtained via stealer malware.

“Most of the time, we observe that Repository and Stargazer accounts remain unaffected by bans and repository takedowns, whereas Commit and Release accounts are typically banned once their malicious repositories are detected,” Terefos said.

“It’s common to find Link-Repositories containing links to banned Release-Repositories. When this occurs, the Commit account associated with the Link-Repository updates the malicious link with a new one.”

One of the campaigns discovered by Check Point involves the use of a malicious link to a GitHub repository that, in turn, points to a PHP script hosted on a WordPress site and delivers an HTML Application (HTA) file to ultimately execute Atlantida Stealer by means of a PowerShell script.

Other malware families propagated via the DaaS are Lumma Stealer, RedLine Stealer, Rhadamanthys, and RisePro. Check Point further noted that the GitHub accounts are part of a larger DaaS solution that operates similar ghost accounts on other platforms such as Discord, Facebook, Instagram, X, and YouTube.

“Stargazer Goblin created an extremely sophisticated malware distribution operation that avoids detection as GitHub is considered a legitimate website, bypasses suspicions of malicious activities, and minimizes and recovers any damage when GitHub disrupts their network,” Terefos said.

“Utilizing multiple accounts and profiles performing different activities from starring to hosting the repository, committing the phishing template, and hosting malicious releases, enables the Stargazers Ghost Network to minimize their losses when GitHub performs any actions to disturb their operations as usually only one part of the whole operation is disrupted instead of all the involved accounts.”

The development comes as unknown threat actors are targeting GitHub repositories, wiping their contents, and asking the victims to reach out to a user named Gitloker on Telegram as part of a new extortion operation that has been ongoing since February 2024.

The social engineering attack targets developers with phishing emails sent from “notifications@github.com,” aiming to trick them into clicking on bogus links under the guise of a job opportunity at GitHub, following which they are prompted to authorize a new OAuth app that erases all the repositories and demands a payment in exchange for restoring access.

It also follows an advisory from Truffle Security that it’s possible to access sensitive data from deleted forks, deleted repositories, and even private repositories on GitHub, urging organizations to take steps to secure against what it’s calling a Cross Fork Object Reference (CFOR) vulnerability.

“A CFOR vulnerability occurs when one repository fork can access sensitive data from another fork (including data from private and deleted forks),” Joe Leon said. “Similar to an Insecure Direct Object Reference, in CFOR users supply commit hashes to directly access commit data that otherwise would not be visible to them.”

In other words, a piece of code committed to a public repository may be accessible forever as long as there exists at least one fork of that repository. On top of that, it could also be used to access code committed between the time an internal fork is created and the repository is made public.

It’s however worth noting that these are intentional design decisions taken by GitHub, as noted by the company in its own documentation –

Commits to any repository in a fork network can be accessed from any repository in the same fork network, including the upstream repository
When you change a private repository to public, all the commits in that repository, including any commits made in the repositories it was forked into, will be visible to everyone.

“The average user views the separation of private and public repositories as a security boundary, and understandably believes that any data located in a private repository cannot be accessed by public users,” Leon said.

“Unfortunately, […] that is not always true. What’s more, the act of deletion implies the destruction of data. As we saw above, deleting a repository or fork does not mean your commit data is actually deleted.”