Travel on the Cyber Express

The Cyber Express is a handbook for all stakeholders of the internet that provides information security professionals with the latest news, updates and knowledge they need to combat cyber threats.

The Cyber Express Trending Cybersecurity News, Updates, Magazine and More.

  • Hacktivists Claim Breach of Belarusian Intelligence Agency
    by Mihir Bagwe on 29 April 2024 at 14:15

    Hacktivists claimed to have breached the network of the Belarusian intelligence agency and leaked its data in response to the intelligence chief’s recent public remarks accusing the group of plotting attacks on the country’s critical infrastructure, including a nuclear power plant. The group, known as the Belarusian Cyber-Partisans, purportedly accessed personnel files of over 8,600 employees of the Belarusian Committee for State Security, also known as the Belarus KGB. To substantiate the claim, the Cyber-Partisans published a list of the website’s administrators, alongside its database and server logs, on their Telegram channel.

    Yuliana Shemetovets, the group’s New York-based spokesperson, said the attack on the KGB network was prompted by agency chief Ivan Tertel’s recent public accusation that the Cyber-Partisans were plotting attacks on a nuclear power plant. “We do not. We never have. Because we are working to save the lives of Belarusians, not to destroy them unlike the Lukashenko regime,” the Cyber-Partisans said.

    More Details on the Belarusian Intelligence Agency Hack

    Shemetovets told the Associated Press the group had gained access to the KGB network “several years ago” and had been attempting to breach its website and database ever since. In a Sunday Telegram post the hacktivists shared more details, publishing excerpts from the 40,000 contact forms filled in by informants and whistle-blowers on the Belarus KGB website over the last nine years. The informants’ data came from several countries, including Poland, Germany, Azerbaijan, Lithuania and Ukraine, the hacktivists said. In one instance a Ukrainian citizen said he had “information about the concept and some technical details of a fundamentally new rifle complex … and the possibility of using a similar system as a modernization of tanks of the T-64, T-72, T-80, T-90 family.”

    Using the data exfiltrated in the hack, the Cyber-Partisans launched a Telegram chat bot called “facement_bot” that purports to identify KGB operatives. “Send a good quality photo with single face to the bot, and if there is a KGB officer in the image, the bot will return information on them,” the Cyber-Partisans said. Shemetovets said the group’s objective is to unveil the truth about political repressions and hold those responsible accountable. Authorities have not issued any official statement on the claims; at the time of writing the Belarusian KGB website displayed the message “THE SITE IS UNDER CONSTRUCTION.”

    Last week the Cyber-Partisans claimed to have infiltrated computers at Belarus’ largest fertilizer plant, Grodno Azot, as part of an effort to pressure the government into releasing political prisoners. The state-run plant has not commented on the claim, but its website has been inaccessible since April 17. The group said it deliberately disrupted only the plant’s boiler unit, since backup power-generation sources were available. “We had a good understanding of the internal processes of the plant and knew that this would not lead to dangerous consequences for people. But at the same time, we demonstrated our capabilities that we could really manage [with] the operation on Grodno Azot,” the Cyber-Partisans said.

    The Cyber-Partisans have previously targeted Belarusian state media and, in 2022, attacked Belarusian Railways, disrupting transit routes for Russian military equipment destined for Ukraine. Belarus is a close ally of the Kremlin and has supported its eastern neighbour in the Russian invasion of Ukraine: before the offensive began, Belarus allowed the Russian Armed Forces to hold weeks-long military drills on its territory and permitted Russian missile launchers to be stationed there, drawing criticism from its own people and from Ukraine’s allies. “We’re sending a clear message to the Belarusian authorities,” Shemetovets said. “If they continue political repressions, the consequences will escalate. We will persist with our attacks to undermine the Lukashenko regime.”

    Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

  • ‘Unprecedented Scale’ of Credential Stuffing Attacks Observed: Okta
    by Mihir Bagwe on 29 April 2024 at 11:08

    Okta reported an “unprecedented scale” of credential stuffing attacks targeting its identity and access management solutions, resulting in the compromise of some customer accounts. In credential stuffing, attackers replay username and password pairs leaked from other breaches against a login endpoint in an automated fashion. It is distinct from password spraying (one common password tried across many accounts) and from brute-forcing (many passwords tried against one account), although all three are often run from the same tooling and infrastructure. The credential lists are obtained from earlier data leaks, phishing and infostealer campaigns, or bought on underground forums for anywhere from a few tens to thousands of dollars.

    “Over the last month, Okta has observed an increase in the frequency and scale of credential stuffing attacks targeting online services, facilitated by the broad availability of residential proxy services, lists of previously stolen credentials (“combo lists”), and scripting tools,” Okta said in a Saturday advisory. The attacks appear to stem from the same infrastructure used in the brute-force and password-spraying attacks against VPNs and SSH services recently reported by Cisco Talos.

    Use of Tor in Credential Stuffing Attacks

    Okta noted that in all observed attacks the requests originated from the Tor anonymization network and from residential proxy services such as NSOCKS, Luminati and DataImpulse. Residential proxies route traffic through IP addresses belonging to ordinary home users, and are marketed for anonymous browsing, bypassing geo-restrictions and reaching websites that block datacenter ranges. Providers rent access to real users’ devices to disguise the traffic’s origin and rarely disclose how they build these networks; users are enrolled sometimes knowingly, sometimes via malware, “what we would typically describe as a botnet,” Okta said. The result is traffic that appears to come from everyday users’ devices rather than from VPS providers, so reputation blocking of hosting ranges does not catch it. The FBI had earlier warned of a rising trend of cybercriminals using residential proxies to conduct large-scale credential stuffing attacks.

    Okta observed that the attacks were notably effective against organizations using the Okta Classic Engine with ThreatInsight configured in Audit-only mode rather than Log and Enforce mode. Organizations that did not block access from anonymizing proxies also saw a higher attacker success rate. The attacks nonetheless succeeded against only a small percentage of Okta’s customers, the company said. To counter these threats, Okta recommended:

    - Enabling ThreatInsight in Log and Enforce mode, so that IP addresses associated with credential stuffing are blocked before authentication is attempted (Audit-only mode records the same signal but lets the request through).
    - Denying access from anonymizing proxies, to drop requests originating from known anonymizing services before they reach the login flow.
    - Moving to stronger sign-in controls such as CAPTCHA challenges for risky sign-ins and passwordless authentication, which removes the reusable password the attack depends on.
    - Implementing Dynamic Zones to manage access on criteria such as geolocation and to selectively block or allow specific IPs.

    Why Credential Stuffing Attacks Are Still Effective

    Credential stuffing has a very low success rate, estimated at around 0.1% according to Cloudflare. It remains profitable because of the sheer volume of credentials attackers hold: combo lists contain millions or billions of pairs, so even a tiny hit rate yields a worthwhile number of accounts. Password reuse, observed in up to 85% of users, is what makes a password leaked from one site valid on another, and advances in bot tooling let attackers route around rate limits, time delays and IP bans. Credential stuffing accounted for 24.3% of all login attempts in 2023, per Okta. Retail and e-commerce companies saw more than half (51.3%) of all credential stuffing incidents, which Okta attributes to the value of accounts in that industry. Geographically, the Americas had the highest rate of credential stuffing at 28%, consistent with earlier findings, since some of the largest retail and media companies are based in the United States.
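    The distinction drawn above between credential stuffing and password spraying is what a detection rule has to key on: many distinct usernames from one source with a very low success rate, rather than one password across many accounts. The script below is an added example, not Okta’s code or anything from the advisory. It runs over a constructed authentication log; the log format, the thresholds and the anonymizer/residential-proxy range list are all assumptions made for the demonstration (a real deployment would consume the identity provider’s system log and a maintained proxy/Tor exit feed).

```python
"""Credential-stuffing triage over authentication logs (added example).

Not Okta's code. Log format, thresholds and the anonymizer range list below
are assumptions for this demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed sample log: timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2024-04-27T01:00:01Z 203.0.113.10 alice@example.com FAILURE
2024-04-27T01:00:02Z 203.0.113.10 bob@example.com FAILURE
2024-04-27T01:00:02Z 203.0.113.10 carol@example.com FAILURE
2024-04-27T01:00:03Z 203.0.113.10 dave@example.com FAILURE
2024-04-27T01:00:03Z 203.0.113.10 erin@example.com SUCCESS
2024-04-27T01:00:04Z 203.0.113.10 frank@example.com FAILURE
2024-04-27T01:00:05Z 203.0.113.10 grace@example.com FAILURE
2024-04-27T01:00:05Z 203.0.113.10 heidi@example.com FAILURE
2024-04-27T01:00:06Z 203.0.113.10 ivan@example.com FAILURE
2024-04-27T01:00:06Z 203.0.113.10 judy@example.com FAILURE
2024-04-27T01:00:06Z 203.0.113.10 ken@example.com FAILURE
2024-04-27T01:00:07Z 203.0.113.10 liz@example.com FAILURE
2024-04-27T01:03:00Z 198.51.100.7 alice@example.com FAILURE
2024-04-27T01:03:09Z 198.51.100.7 alice@example.com SUCCESS
2024-04-27T01:04:00Z 192.0.2.44 bob@example.com SUCCESS
"""

# Assumed feed of Tor exit / residential-proxy ranges (constructed).
ANONYMIZER_NETS = [ip_network("203.0.113.0/24")]


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    successes: list = field(default_factory=list)  # usernames that got in


def parse_log(text):
    for line in text.splitlines():
        ts, ip, user, outcome = line.split()
        yield ts, ip, user, outcome


def is_anonymizer(ip):
    addr = ip_address(ip)
    return any(addr in net for net in ANONYMIZER_NETS)


def triage(text, min_users=10, max_hit_rate=0.10):
    """Flag source IPs that look like credential-stuffing infrastructure.

    Signature: many distinct usernames from one source with a low success
    rate. A spray (one password, many users) also shows many users, so the
    low hit rate is what separates stuffing from legitimate shared egress
    such as a corporate NAT. Thresholds are assumptions for this demo.
    """
    stats = defaultdict(SourceStats)
    for _, ip, user, outcome in parse_log(text):
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if outcome == "SUCCESS":
            s.successes.append(user)
        else:
            s.failures += 1

    findings = []
    for ip, s in stats.items():
        hit_rate = len(s.successes) / s.attempts
        stuffing = len(s.users) >= min_users and hit_rate <= max_hit_rate
        if stuffing or is_anonymizer(ip):
            findings.append({
                "ip": ip,
                "distinct_users": len(s.users),
                "attempts": s.attempts,
                "hit_rate": round(hit_rate, 3),
                "anonymizer": is_anonymizer(ip),
                # Accounts that authenticated from a stuffing source need
                # session revocation and a forced credential reset.
                "compromised_accounts": sorted(s.successes),
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

    The two single-user sources (198.51.100.7, 192.0.2.44) are not flagged even though one of them failed once before succeeding; only the source that tried twelve different usernames and landed one of them is reported, along with the account it got into. In production the anonymizer list would be the same feed used to enforce a deny rule at the identity provider, which is the "Log and Enforce" posture the advisory recommends.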

  • USDoD Resurfaces with Alleged China Data Leak After Building New CDN Site
    by Alan J on 29 April 2024 at 09:55

    The threat actor USDoD claimed to have published the personally identifiable information (PII) of about 2 million members of the Communist Party of China on a newly built content delivery network (CDN). If the threat actor’s claims are true, the alleged China data leak could carry significant consequences for the party, which is known for being highly secretive and restrictive about the flow of information to the outside world. The Chinese Communist Party (CCP) is the political party that has led modern-day China, officially the People’s Republic of China, since 1949. The leak is said to include sensitive, identifiable data that could be used for identity theft, social engineering or targeted attacks on individuals. The leak remains unconfirmed, however, and the veracity of the claims is difficult to assess; there have been no official statements or responses regarding it.

    USDoD Creates New CDN to Publish Alleged China Data Leak

    The alleged publication of the data on the CDN site was accompanied by related posts on X (Twitter) and BreachForums. In the BreachForums post, USDoD claimed to have held the data for several months and described the database as the first to be hosted on their new CDN. The threat actor further stated that they do not support any government, framing the release as a wider message and as a gesture of good faith. In an X post the actor said the CDN was “ready and operational” and had been built with the help of a “secret friend”; upload rights would be private and solely for their own use, with a stated upload limit of 500GB per file. In a later post on X, however, they claimed the CDN was down after they had messed with the files. While the actor’s goals remain unclear, the CDN will likely be used to host leaked files linked from BreachForums posts, as this incident suggests.

    Although the breach remains unconfirmed, a Cyble researcher stated, “Our preliminary analysis indicates that this data has 2 million records from 2020 with the following data fields: ID, Name, Sex, Ethnicity, Hometown, Organization, ID card number, Address, Mobile number, Phone number and Education.”

    USDoD Recently Announced Retirement on BreachForums

    The alleged leak comes abruptly: just last week the threat actor announced their retirement on BreachForums in a post about an alleged attack on Bureau van Dijk, claiming to have stolen confidential company and consumer data from the firm. When The Cyber Express reached out for confirmation, a spokesman for the parent company (Moody’s) seemingly refuted that earlier claim. It is unknown what persuaded the actor to remain active and continue posting on BreachForums despite the stated intent to retire and suspend activities.

  • Central Bank Argentina Data Breach: Hackers Allegedly Offer Customer Info for Sale
    by Samiksha Jain on 29 April 2024 at 09:53

    A threat actor purports to be selling a database of the Central Bank of Argentina on a hacking forum. If the claim proves true, a Central Bank of Argentina data breach would have serious implications for the financial security and privacy of a large number of individuals. According to the dark web post, the database contains full customer names, CUIL/DNI (national ID) numbers, cities and phone numbers; such data could expose individuals to identity theft, financial fraud and other malicious activity.

    Crucial details remain unclear, however. The threat actor has disclosed neither the extent of the alleged attack on the Central Bank of Argentina nor the motive behind it, so the true nature and severity of the claimed breach remain uncertain. Adding to the uncertainty, the Central Bank of Argentina’s official website remains fully operational, which casts some doubt on the claim and illustrates how hard it is to separate genuine cyber threats from disinformation. A functioning website is not evidence against a data theft, though: exfiltration of a database rarely causes any visible disruption.

    Potential Ramifications of a Central Bank of Argentina Data Breach

    If the claim is verified, the ramifications could be far-reaching. Beyond the immediate financial and reputational damage to the bank, the fallout may extend to the broader economy and society. Personal and financial data of this kind can be exploited for identity theft, fraudulent transactions, targeted phishing and extortion. Moreover, the integrity and trustworthiness of financial institutions, and of central banks in particular, are essential to stability and confidence in the banking system; any breach or perceived vulnerability could undermine public trust, erode investor confidence and unsettle financial markets. The absence of concrete evidence and corroborating details complicates both assessing the threat actor’s claims and formulating a response.

    Other Cyberattack Claims on Argentina

    This claim follows a series of cyber threats targeting Argentina’s institutions. In April 2024, a dark web actor offered access to Telecom Argentina for $100 on a hacking forum. According to the post, buyers could query personal information tied to individuals in Argentina, including details of services registered under their names, such as routers, with access to data like public and private IP addresses. In February 2024, the Córdoba Judiciary fell victim to the Play ransomware, which impacted its websites and databases in one of the worst computer attacks on public institutions in the Argentine Republic. The websites were left inaccessible, and to date the compromised systems have not been restored. Police and cybersecurity specialists are assisting the investigation to identify the perpetrators. Local sources attribute the infection to the ransomware strain “Play”, a well-known operation whose malware encrypts user data and demands a ransom payment for the decryption key.

    Understanding Argentina’s Vulnerability

    Argentina’s exposure to cyber threats stems from several factors. The country’s heavy reliance on digital infrastructure for financial and administrative operations makes it an attractive target, and institutions like the Central Bank, with vast databases of sensitive customer information, are particularly attractive to threat actors. The growth of dark web forums and marketplaces has also made it easier to sell and exchange stolen data. The recent claims regarding the Central Bank’s database and Telecom Argentina access underscore the growing sophistication of threats facing the country. In the absence of definitive information, vigilance is warranted: heightened monitoring, threat detection and incident response capabilities are essential for mitigating risk to critical infrastructure and sensitive data, and collaboration and information sharing within the cybersecurity community, domestically and internationally, are vital for tracking emerging threats and coordinating responses.

  • Hunters Ransomware Claims Two: Rocky Mountain Sales, SSS Australia Targeted
    by Samiksha Jain on 29 April 2024 at 08:28

    The Hunters International ransomware group has allegedly added two new victims to its dark web leak site: Rocky Mountain Sales in the United States and SSS Australia. The group has not disclosed the extent of the attacks, what data was taken, or its motive, but the implications for the two organizations could be far-reaching. Rocky Mountain Sales, Inc., with revenue of US$5 million, is an outsourced sales and service organization that provides customer service, sales and support to its strategic partners. SSS Australia, with revenue of US$17 million, has supplied medical products for over 45 years. If the claimed attacks on Rocky Mountain Sales and SSS Australia are proven true, the consequences could be severe: beyond operational disruption, they could mean substantial financial loss, reputational damage and loss of customer trust, and the compromise of customer information, financial records and proprietary business data could have long-lasting repercussions for both organizations. As of now, however, the official websites of both organizations were fully functional and showed no sign of disruption. To verify the claim, The Cyber Express reached out to officials at both companies; no response had been received at the time of writing, leaving the claim unverified.

    Hunters International Ransomware Group’s Previous Claims

    This incident follows a string of attacks claimed by Hunters International. In April, SpaceX, the aerospace manufacturer and space transport company founded by Elon Musk, allegedly suffered a data breach at the hands of the group, which reportedly posted samples of the stolen data. Before that, Central Power Systems & Services, a major distributor of industrial and power generation products in Kansas, Western Missouri and Northern Oklahoma, was listed by the group. In 2024 alone, Hunters International has also claimed attacks on the Dalmahoy Hotel & Country Club in the UK, Double Eagle Energy Holdings IV, LLC in the US, and Gallup-McKinley County Schools in New Mexico, among others. These incidents highlight the need for organizations to prioritize cybersecurity measures and invest in strong defenses, and for international cooperation and information sharing among cybersecurity agencies.

    Unverified Hunters Group Claims

    While Hunters International has claimed responsibility for the attacks on Rocky Mountain Sales and SSS Australia, the lack of verified information about their extent shows how hard responding to such incidents is. Without official confirmation or details from the targeted organizations, the full impact remains uncertain. As ransomware operations continue to evolve, organizations must remain vigilant and proactive in protecting their networks and data; the Hunters International listings are a reminder of the consequences of inadequate security.

  • Moldova Government Hit by NoName DDoS Attacks: Websites Down
    by Samiksha Jain on 29 April 2024 at 06:15

    The pro-Russian hacktivist group NoName, known for DDoS campaigns against European public-sector websites rather than for ransomware, has allegedly turned its attention to Moldova, targeting key government websites in what appears to be a politically motivated attack. The alleged attack on Moldova’s digital infrastructure has raised concerns over cybersecurity and geopolitical tensions in the region. The entities reportedly affected include the Presidency, the Ministry of Foreign Affairs, the Ministry of Internal Affairs and the State Registry, among others. The attack left these websites inaccessible, with visitors seeing the browser error “This Site Can’t be Reached.”

    Political Motives Behind the Cyberattack on Moldova

    Although NoName has not spelled out the extent of the attack or its motive, the message it left points to a political agenda. “We continue to send DDoS greetings to the State website of Moldova in order to discourage the local government from craving for Russophobia,” the message reads. This suggests an attempt to pressure Moldova’s foreign policy by degrading its government’s online services. The implications of such attacks could extend beyond disrupted government operations to the country’s stability and security, and the ongoing tension between Moldova and Russia raises questions about possible state-sponsored involvement behind the assault.

    NoName’s Track Record

    This is not the first time NoName has launched such attacks. In March 2024, the group claimed responsibility for targeting multiple websites in Denmark, including Movia, Din Offentlige Transport, the Ministry of Transport, Copenhagen Airports and Danish Shipping. In January of the same year, NoName targeted high-profile websites in the Netherlands, including OV-chipkaart, the Municipality of Vlaardingen, the Dutch Tax Office (Belastingdienst) and GVB. NoName’s recent onslaught on Finland escalated concerns further: Finnish government organizations including Traficom, the National Cyber Security Centre Finland (NCSC-FI), the railways, the Agency for Regulation and Development of Transport and Communications Infrastructure of Finland, and several subdomains of the Finnish Road Agency were temporarily inaccessible due to DDoS attacks.

    The scale of NoName’s operations and their overt political motives highlight the need for stronger DDoS resilience at government web properties and for international cooperation. The rising frequency of attacks on governmental institutions across Europe demands a coordinated response from national and international cybersecurity agencies, and these incidents are a reminder that governments must invest in defenses that keep public-facing services available under volumetric and application-layer floods. As the investigation into the Moldova attack unfolds, the international community will be watching its implications for regional security and the broader cybersecurity landscape; in a domain without borders, collective action is essential to counter politically motivated DDoS campaigns.

  • Researchers Discover New Android Banking Trojan ‘Brokewell’ Disguised as Chrome Update
    by Alan J on 28 April 2024 at 05:51

    Researchers at Cyble Research and Intelligence Labs (CRIL) observed a new Android banking trojan, ‘Brokewell,’ being distributed through a phishing site disguised as the official Chrome update page. The trojan ships with screen recording, keylogging and over 50 remote commands. Further investigation traced it to a developer who describes it as able to bypass permission restrictions on the latest versions of the Android operating system.

    Developer Behind Android Banking Trojan Found Distributing Other Spyware Tools

    CRIL identified the trojan being distributed through the domain “hxxp://makingitorut[.]com”, which imitates the official Chrome update site closely. The site tells the user that an update is required “to secure your browser and fix important vulnerabilities.” A download button delivers the malicious APK file “Chrome.apk” to the device. On examination the APK turned out to be a new banking trojan with over 50 remote commands, including collecting telephony data and call history, waking the device screen, gathering location, managing calls, and recording screen and audio. It communicates with a command and control (C&C) server at the domain “mi6[.]operationanonrecoil[.]ru”, hosted on the IP address “91.92.247[.]182”.

    The malware was further linked to a Git repository describing it as capable of circumventing permission-based restrictions on Android versions 13, 14 and 15. The repository linked to profiles on underground forums, a Tor page and a Telegram channel. The Tor page led to the developer’s personal page, which introduces them and links to a site listing other projects they have built, such as checkers, validators, stealers and ransomware. Since CRIL saw no mention of the banking trojan on that site, it is assumed to be a very recent development that may be listed in the coming days.

    Technical Capabilities of Android Banking Trojan “Brokewell”

    Researchers note that Brokewell is likely in an early stage of development and so has limited functionality for now. Its current techniques are screen overlay attacks, screen and audio capture, and keylogging; future versions may add more. The malware first checks whether the device is rooted by looking for the package names of a root-check application, a network traffic analysis tool and an APK parsing tool, a simple evasion aimed at avoiding analysts’ devices. If the device is not rooted it proceeds with normal execution, first prompting the victim for accessibility permissions. The accessibility service is then abused to grant the app further permissions such as “Display over other apps” and “Installation from unknown sources”. After obtaining permissions, the app asks the user for the device PIN through a fake PIN screen with German localization and stores the PIN in a text file for later use. The German localization, together with several samples uploaded to VirusTotal from Germany, leads researchers to believe Germany is the primary target. Strings in Chinese, French, Finnish, Arabic, Indonesian, Swedish, Portuguese and English were also found, suggesting the malware could expand its targeting in later iterations. Researchers anticipate increased promotion of the tool on underground forums and through the developer’s product portal, underscoring the need for continuous monitoring of such developments.

  • Hackers Exploit WP-Automatic Plugin Vulnerability, Threatening WordPress Site Security
    by Ashish Khaitan on 28 April 2024 at 05:50

    Hackers have homed in on a critical WP-Automatic plugin vulnerability, aiming to infiltrate WordPress websites by creating unauthorized admin accounts, according to recent reports. The flaw, identified in versions preceding 3.9.2.0 of the WP Automatic plugin, has prompted cybersecurity experts to issue urgent warnings to website owners and administrators. The vulnerability, flagged under the identifier “CVE-2024-27956,” has been characterized as a high-severity issue with a CVSS score of 9.8. It pertains to a SQL injection flaw within the plugin’s user authentication mechanism, which essentially enables threat actors to circumvent security measures and gain administrative privileges.

Decoding WP-Automatic Plugin Vulnerability

Exploiting this vulnerability grants hackers the ability to implant backdoors within websites, ensuring prolonged unauthorized access. Reports indicate that hackers have been actively exploiting this vulnerability, capitalizing on the widespread use of the WP Automatic plugin across more than 30,000 websites. The exploit allows them to execute various malicious activities, including the creation of admin accounts, uploading of corrupted files, and executing SQL injection attacks. Cybersecurity researchers have observed a surge in exploit attempts, with over 5.5 million recorded attacks since the vulnerability was publicly disclosed. The threat landscape escalated rapidly, peaking on March 31st, underscoring the urgency for website owners to take immediate action to secure their online assets.

The Technical Side of the WP-Automatic Plugin Vulnerabilities

The Automatic Plugin, developed by ValvePress, faces a challenge beyond comprehension, since the vulnerability affects thousands of users who downloaded the plugin through WordPress and other WP plugin markets. The vulnerability stemmed from the inc/csv.php file, which allowed unauthenticated users to supply and execute arbitrary SQL queries. Despite initial checks using the wp_automatic_trim() function, bypassing them was feasible by providing an empty string as the authentication parameter ($auth) and crafting the MD5 hash of the SQL query to subvert the integrity check. A further vulnerability lay within the downloader.php file, where unauthenticated users could provide arbitrary URLs or even local files via the $_GET['link'] parameter for fetching through cURL. This flaw facilitated server-side request forgery (SSRF) attacks. To mitigate the vulnerabilities, the vendor enacted several measures. For the SQL execution vulnerability, the entire inc/csv.php file was removed. For the file download and SSRF vulnerability, a nonce check was implemented, coupled with validation checks on the $link variable.

Mitigation Against the WP-Automatic Plugin Vulnerability

To safeguard against potential compromises, cybersecurity analysts recommend the following measures. Regularly updating the WP-Automatic plugin to its latest version is crucial to patch known vulnerabilities and bolster security. Regular audits of WordPress user accounts help identify and remove unauthorized or suspicious admin users, reducing the risk of unauthorized access. Employing robust security monitoring tools aids in detecting and responding promptly to malicious activities, improving threat detection capabilities. It’s essential to maintain up-to-date backups of website data to enable swift restoration in case of compromise, minimizing downtime and data loss. Website administrators should watch out for indicators of compromise, including admin accounts with names starting with “xtw,” renamed vulnerable file paths, and dropped SHA1-hashed files in the site’s filesystem. The exploitation of WP-Automatic plugin vulnerabilities highlights the ongoing cybersecurity threats within WordPress ecosystems. By promptly implementing suggested mitigations and staying alert for potential indicators of compromise, website owners can strengthen their defenses against malicious actors aiming to exploit these vulnerabilities.
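As an added example that is not part of the article or of the plugin vendor's own code, the following Python script runs the indicators of compromise listed above over constructed sample data: the plugin path, the shape of the user export and every sample value are assumptions.

```python
"""Added audit script, not code from the article or from the plugin's vendor.
It checks constructed sample data for the CVE-2024-27956 indicators the report
lists: a WP-Automatic version before 3.9.2.0, administrator accounts whose
login starts with "xtw", dropped files named with a bare SHA1 hex digest, and
the removed inc/csv.php still present on an install that reports a patched
version. Exporting the user list and file list from a real site is left to you."""
import re

PATCHED_VERSION = (3, 9, 2, 0)   # first WP-Automatic release without the flaw
REMOVED_FILE = "wp-content/plugins/wp-automatic/inc/csv.php"   # assumed plugin path
SHA1_NAME = re.compile(r"^[0-9a-f]{40}(\.[a-z0-9]+)?$", re.IGNORECASE)

# Constructed sample input: a user export and a file listing, not real site data.
SAMPLE_VERSION = "3.9.1.0"
SAMPLE_USERS = [
    {"login": "siteowner", "roles": ["administrator"]},
    {"login": "xtw18387", "roles": ["administrator"]},   # matches the "xtw" IoC
    {"login": "xtwriter", "roles": ["editor"]},          # not an admin: ignored
]
SAMPLE_FILES = [
    REMOVED_FILE,
    "wp-content/uploads/2024/04/3f786850e387550fdab836ed7e6dc881de23001b.php",
    "wp-content/uploads/2024/04/banner.png",
]

def parse_version(text):
    """Turn '3.9.2' into a 4-tuple, padding with zeros so 3.9.2 == 3.9.2.0."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (len(PATCHED_VERSION) - len(parts))

def is_vulnerable_version(installed):
    """True when the installed version predates the 3.9.2.0 fix."""
    return parse_version(installed) < PATCHED_VERSION

def suspicious_admins(users):
    """Administrator logins beginning with 'xtw', the naming pattern the report cites."""
    return [u["login"] for u in users
            if "administrator" in u["roles"] and u["login"].lower().startswith("xtw")]

def sha1_named_files(paths):
    """Files whose basename is a 40-hex-digit digest, optionally with an extension."""
    return [p for p in paths if SHA1_NAME.match(p.rsplit("/", 1)[-1])]

def audit(version, users, paths):
    """Return (code, detail) findings; an empty list means no indicator was seen."""
    findings = []
    if is_vulnerable_version(version):
        findings.append(("VULNERABLE_VERSION", version))
    elif REMOVED_FILE in paths:
        # the vendor's fix deleted this file, so its presence on an install that
        # reports a patched version suggests the update did not fully apply
        findings.append(("REMOVED_FILE_PRESENT", REMOVED_FILE))
    findings += [("SUSPICIOUS_ADMIN", login) for login in suspicious_admins(users)]
    findings += [("SHA1_NAMED_FILE", path) for path in sha1_named_files(paths)]
    return findings

if __name__ == "__main__":
    for code, detail in audit(SAMPLE_VERSION, SAMPLE_USERS, SAMPLE_FILES):
        print(f"{code}: {detail}")
```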

  • Future-Proofing the Workforce: How Skilling is Cultivating Next-gen Tech Talent
    by Editorial on 27 April 2024 at 13:27

    By Lakshmi Mittra, SVP and Head, Clover Academy

In the rapidly changing and dynamic tech environment of today, future-proofing the workforce is more essential than ever. With industries constantly innovating and adapting to new technologies, the demand for next-gen tech talent, professionals capable of leading change and driving innovation, is on the rise. This is where skilling steps in, acting as a key player in nurturing the next generation of tech talent. The concept of future-proofing the workforce revolves around equipping employees with the necessary skills and knowledge to adapt to new technologies and industry trends. With rapid advancements in technology, traditional job roles are evolving, and new roles are emerging. Therefore, it is essential for organizations to invest in continuous learning and development to ensure their workforce remains relevant and competitive.

The Role of Skilling in Cultivating Next-gen Tech Talent

Skilling plays a pivotal role in nurturing the next-gen tech talent through its tailored learning paths and hands-on experience. It offers industry-relevant courses and collaborates with experts to ensure up-to-date and practical training. Here’s how skilling equips learners to meet the demands of the evolving tech landscape and drive innovation:

Tailored Learning Paths

One of the key strengths of skilling is its ability to offer tailored learning paths that cater to the unique needs and aspirations of each learner. Whether it’s data science, artificial intelligence, cybersecurity, or software development, skilling provides a range of courses and programs designed to develop the specific skills required in today’s tech-driven world.

Hands-on Experience

Skilling emphasizes hands-on learning, allowing learners to gain practical experience and apply their skills in real-world scenarios. Through projects, case studies, and practical assignments, learners not only acquire theoretical knowledge but also develop problem-solving and critical thinking skills essential for success in the tech industry.

Industry Collaboration

Skilling collaborates with industry leaders and experts to develop up-to-date and relevant content that is aligned with industry standards and practices.

Fostering Innovation and Growth

By empowering learners with hands-on and industry-relevant training, skilling promotes a culture of continuous learning. It provides learners with the tools and resources to explore and develop creative solutions, cultivating a workforce capable of driving innovation and sustainable growth.

Enhanced Employability

Skilling enhances the employability of learners by equipping them with industry-relevant skillsets and knowledge. This increased employability not only benefits the learners by opening up new career opportunities but also provides organizations with access to a pool of skilled and qualified talent.

Conclusion

Future-proofing your workforce is essential in today’s rapidly evolving tech landscape. It benefits not only the employees but also provides organizations with a competitive edge by ensuring they have a skilled and adaptable workforce capable of driving innovation and growth. In this digital age, skilling is not just about acquiring new skills, but fostering a culture of continuous learning, adaptability, and achieving sustainable growth. Disclaimer: The views and opinions expressed in this guest post are solely those of the author(s) and do not necessarily reflect the official policy or position of The Cyber Express. Any content provided by the author is of their opinion and is not intended to malign any religion, ethnic group, club, organization, company, individual, or anyone or anything.

  • 2024 Is The Year of Elections… And Disinformation
    by Editorial on 27 April 2024 at 13:27

    By Roman Faithfull, Cyber Intelligence Lead, Cyjax

2024 will see more elections than any other year in history: the UK, the US, Russia, India, Taiwan and more. According to AP, at least 40 countries will go to the polls this year, and some of these contests will have ramifications way beyond their national borders. This will also make 2024 a year of misinformation, as groups both within and outside these countries look to exert their influence on the democratic process. As the US presidential election draws near, specialists caution that a combination of factors domestically and internationally, across conventional and digital media platforms, and amidst a backdrop of increasing authoritarianism, profound mistrust, and political and social turbulence, heightens the severity of the threats posed by propaganda, disinformation, and conspiracy theories. There are two terms that are frequently conflated. Disinformation is deliberately false content crafted to inflict harm, whereas misinformation is inaccurate or deceptive content shared by individuals who genuinely believe it to be true. It can be difficult to establish if people are acting in good faith or not, so the terms are often used interchangeably—and misinformation often starts out as carefully crafted disinformation. The overall outlook appears bleak, with governments already experiencing the effects of misinformation. The groundwork has been laid, evidenced by past initiatives that aimed to influence elections in favor of certain parties. In 2022, the BBC launched an investigative project, creating fake accounts to follow the spread of misinformation on platforms such as Facebook, Twitter, and TikTok, and its potential political impact. Despite attempts by social media platforms to tackle this problem, it was found that false information, particularly from far-right viewpoints, remains prevalent. Today, just two years on, the techniques and tools to manipulate information are even more advanced.

The Deceptive Side of Tech

AI is dominating every discussion of technology right now, as its uses are explored for good and ill. Spreading fake news and disinformation is one of those uses. In its 2024 Global Risks report, the World Economic Forum noted that the increasing worry regarding misinformation and disinformation primarily stems from the fear that AI, wielded by malicious individuals, could flood worldwide information networks with deceptive stories. And last year, the UK’s Cyber Security Center released a report exploring the potential for nations like China and Russia to employ AI for voter manipulation and meddling in electoral processes. Deepfakes have grabbed a lot of attention, but could they disrupt future elections? It’s not a future problem—we’re already here. Deepfake audio recordings mimicking Keir Starmer, the leader of the Labour Party, and Sadiq Khan, the mayor of London, have surfaced online. The latter of these was designed to inflame tensions ahead of a day of protest in London. One of those responsible for sharing the clip apologized but added that they believed the mayor held beliefs similar to the fake audio. Even when proven false, deepfakes can remain effective in getting their message across. Many would argue that the responsibility now falls on governments to implement measures ensuring the integrity of elections. It’s a cat and mouse game—and unfortunately, the cat is not exactly known for its swiftness. There are myriad ways to exploit technology for electoral manipulation, and stopping all of it could simply be impossible. Regulation is out-of-date (the Computer Misuse Act was passed in 1990, though it has been updated a few times) and the wheels of government turn slowly. Creating and passing new laws is a long process involving consultation, amendment processes, and more. But is it solely the responsibility of governments, or do others need to step up?

Is There a Solution?

Combating technology with technology is essential: there is simply too much misinformation out there for people to sift through. Some of the biggest tech companies are taking steps: two weeks ago, a coalition of 20 tech firms including Microsoft, Meta, Google, Amazon, IBM, Adobe and chip designer Arm announced a collective pledge to tackle AI-generated disinformation during this year’s elections, with a focus on combating deepfakes. Is this reassuring? It’s good to know that big tech firms have this problem on their radar, but tough to know how effective their efforts can be. Right now, they are just agreeing on technical standards and detection mechanisms—starting the work of detecting deepfakes is some way away. Also, while deepfakes are perhaps uniquely disturbing, they are just one method among many and represent just a fraction of effective disinformation strategies. Sophistication is not always needed for fake news to spread—rumors can be spread on social media or apps like Telegram, real photos can be put into new contexts and spread disinformation without clever editing, and even video game footage has been used to make claims about ongoing wars.

Fighting Misinformation During Elections

Fighting against misinformation is extremely difficult, but it is possible. And the coalition of 20 big tech firms has the right idea—collaboration is vital.

Be proactive

A lie can travel halfway around the world while the truth is putting on its shoes, said… someone (it’s a quote attributed to many different people). By the time we react to disinformation, it’s already out there and debunking efforts are not always effective. As Brandolini’s Law states, the amount of energy needed to refute bullshit is an order of magnitude bigger than that needed to produce it. And often, when people read both the misinformation and the debunking, they only remember the lies. Warning people about what to look for in misinformation can help. Where did it originate? If it claims to be from an authoritative source, can you find the original? Is there a source at all?

Inoculate

Sander van der Linden, a professor of psychology and an expert on misinformation, recommends a similar approach to vaccinations—a weak dose of fake news to head off the incoming virus. By getting people to think about misinformation and evaluate it, and teaching people the tactics behind its creation, they can better deal with fake news stories they later encounter. Could we create a vaccine program for fake news? Perhaps, but it requires a big effort and a lot of collaboration between different groups.

Monitor

It’s not only governments and public figures that are attacked by fake news; corporations and businesses can find themselves the target or unwitting bystanders. Telecom companies have been the subject of 5G conspiracy theories, and pharmaceutical companies accused of being part of, rather than helping solve, the pandemic. But the problem can get weirder. A pizza restaurant in Washington DC and a furniture retailer have both had to react to being accused of child trafficking thanks to bizarre rumors circulating online. What are people saying about your business? Can you react before things get out of hand? Misinformation works for a number of reasons—people want to know “the story behind the story”, and it gives people a feeling of control when they have access to “facts” others do not—which is why misinformation spreads so fast during a pandemic that took away that feeling of control from so many of us. Those spreading misinformation know how to tap into these fears. In cybersecurity terms, they know the vulnerabilities and how to exploit them. We can’t distribute software patches to stop these attacks, but we can make them less effective by understanding them.
