If the proposed rule is approved, organizations would need to disclose all data breaches, even one that does not cause any harm, to affected customers.

A proposed rule change at the Federal Communications Commission would expand the definition of a data breach for communications carriers. If approved by the agency, the rule would cover any incident that affects the confidentiality of customer information, even if no harm to customers results.

"This \[rule\] means \[communications\] carriers would be required to report any unauthorized access or disclosure of customer information, even if the breach was unintentional or not malicious," says Venkat Gupta, data estate modernization portfolio leader at Sogeti, part of the Capgemini group. "Everyone should care because data breaches can occur in many different ways, and even unintentional breaches can have profound consequences."

The FCC said the rule change aligns with recent developments in federal and state data breach laws covering other industry sectors.

"The law requires carriers to protect sensitive consumer information but, given the increase in frequency, sophistication, and scale of data leaks, we must update our rules to protect consumers and strengthen reporting requirements," said FCC Chairwoman Jessica Rosenworcel in a prepared statement. "This new proceeding will take a much-needed, fresh look at our data breach reporting rules to better protect consumers, increase security, and reduce the impact of future breaches."

**Reporting to the FCC and Consumers**

Under the current rule, Gupta says, telecommunications carriers must notify federal law enforcement — the US Secret Service and the FBI — within seven business days of all breaches that involve customer proprietary network information (CPNI), and the carriers may inform affected consumers of such breaches seven days after they notify those agencies.

The proposed rule update requires carriers to notify the FCC contemporaneously with the law enforcement agencies as soon as practicable after discovery of a breach, and it would eliminate the current seven-day waiting period between notifying law enforcement and notifying the consumer.

Part of the incentive of updating the regulation, noted Ali Jessani, a senior associate at the law firm Wilmer Cutler Pickering Hale and Dorr LLP (WilmerHale), is that if the FCC is going to make the definition of a breach broader, companies will reassess their cybersecurity policies and procedures to prevent the breaches in the first place.

When a data breach occurs, such as an individual attack on a cell phone account, the attackers could monetize that attack in a matter of hours or minutes. Such an attack "is exactly why the notification rule exists — to give the consumer the ability to limit potential damage to their personal information being compromised," Jessani says. He cautions, however, that while the carrier might report such breaches to the authorities right away, if law enforcement asks the carrier to not alert the customer at the same time in order to preserve evidence for the investigation, the updated rule still protects the company.

Gupta agrees, noting the delay allows carriers to assess the scope and impact of the breach, including the number of customers affected and the type of information that was compromised. "This information is important for determining the appropriate response to the breach and for assessing the potential harm to customers. The waiting period also enables carriers to take any necessary steps to mitigate the effects of the breach and prevent further damage," he says.

Having carriers notify the FCC, Secret Service, and FBI at the same time will minimize burdens on carriers, eliminate confusion regarding obligations, and streamline the reporting process, allowing carriers to free up resources that can be used to address the breach and prevent further harm, Gupta says.

**A Push to Improve Processes**

The proposed rule change could have a direct impact on the carriers' operations as they are forced to change their processes and procedures. "Carriers will need to implement new procedures for identifying and reporting breaches that affect the confidentiality of customer information. This may include changes to the carrier's incident response plan, which outlines the steps to be taken in the event of a data breach," Gupta notes.

Carriers might also need to invest in new technology or security measures to prevent breaches and detect unauthorized access to customer information. For example, some carriers might need to implement multifactor authentication, encryption, and other controls to protect sensitive customer data.

"Overall," Gupta says, "the proposed rule change will require carriers to take a more proactive approach to data security and breach reporting. This may result in additional costs and resources for carriers, but it is ultimately designed to better protect customer privacy and prevent future breaches in the telecommunications industry."

Public comments on the FCC data breach reporting requirements are due by March 24.

Proposed FCC Rule Redefines Data Breaches for Communications Carriers

New premium service provides all-in-one personal protection beyond device security to include identity restoration and unlimited 24/7 tech support.

**TEMPE, Ariz.** **and** **PRAGUE****,** **March 9, 2023** **/PRNewswire/ --** Avast, a leading digital security and privacy brand of Gen™ (NASDAQ: GEN), today launched Avast One Platinum, the new premium tier of the award-winning Cyber Safety service, Avast One. The new Platinum offering combines the full feature set from Avast One Family with identity monitoring and protection, identity theft resolution and reimbursement\*, and premium technical support, to give people more control and reassurance over their digital lives.

"The new Avast One Platinum tier is a step-change improvement to the award-winning Avast One integrated solution," said Leena Elias, Chief Product Officer at Gen. "Platinum represents the best and most comprehensive Avast offer to date. It combines device protection, privacy, performance, and utilities capabilities and now adds identity theft protection and tech support. With greater protection from new and evolving threats and 24/7 premium technical support for IT issues around the home, every member of the family can have the confidence to embrace the digital world to the fullest."

Avast One Platinum provides a comprehensive protection and restoration service which includes the following key features:

*   **Premium Tech Support**: provides personalized help and remote support for any Avast product as well as all IT issues with phones, laptops, or printers with a dedicated hotline to Avast's tech experts 24/7.
*   **Dark Web Monitoring and Alerts:** monitors for personal and financial data, such as banking information, driver's licenses, IDs, passports, and social security numbers, and notifies if information is found.
*   **Identity Theft Reimbursement:** provides coverage of up to $2 million in reimbursement\* in the event of identity theft, including recovering certain lost wages, stolen funds, and certain out-of-pocket expenses.
*   **Social Media Monitoring:** monitors for bullying and violent, profane, or scam-related posts that indicate account compromise.
*   **3 Bureau Credit Report Monitoring:** monitors credit files from three leading credit bureaus, TransUnion, Equifax, and Experian, and notifies about key changes such as new account openings, credit inquiries, exceeding credit limits, and missed payments.
*   **Lost Wallet Protection:** provides the ability to quickly cancel and replace credit, debit, and ATM cards if a wallet is lost or stolen which helps avoid incurring fraudulent charges and time spent ordering replacement cards.
*   **Restoration Support:** provides access to certified protection experts for troubleshooting and resolving identity theft issues, with assistance also available to initiate a credit freeze or dispute fraudulent credit report activity.

Following its debut in 2021, Avast One has introduced major updates on iOS, Android, Mac, and Windows platforms for both free and paid versions. These updates include Scam Protection, which identifies malicious communications, a cloud-based Email Guardian which blocks malicious links and attachments wherever an email account is accessed, Network Inspector, a home network protection tool, and Online Safety Score, all of which are included in Avast One Platinum.

Avast One Platinum is available now in the US and compatible with iOS, Android, Mac, and Windows platforms, protecting up to six family members and a total of 30 devices. Subscriptions are available for $249.99 per year. To learn more, visit https://www.avast.com/en-us/avast-one.

**About Avast:**

Avast is a leader in digital security and privacy, and a brand of Gen™ (NASDAQ: GEN), a global company dedicated to powering Digital Freedom through a family of trusted consumer brands. Avast protects hundreds of millions of users from online threats with a threat detection network that is among the most advanced in the world, using machine learning and artificial intelligence technologies to detect and stop threats in real time. Avast digital security products for Mobile, PC or Mac are top-ranked and certified by VB100, AV-Comparatives, AV-Test, SE Labs and others. Avast is a member of the Coalition Against Stalkerware, No More Ransom and Internet Watch Foundation. Visit: www.avast.com.

Avast Introduces Avast One Platinum

Study underscores the clear and pressing need for real-time physical and cyber threat alerts for effective enterprise risk management and business resilience.

**NEW YORK****,** **March 9, 2023** **/PRNewswire/ --** Dataminr, one of the world's leading AI companies, today released a commissioned study conducted by Forrester Consulting to evaluate the state of enterprise risk management (ERM) at midsize to large enterprises across industries in the North America, Europe, and APAC regions.

Forrester surveyed 500 risk leaders to inform the commissioned study titled _Constant Disruption Is The New Status Quo_, and found that organizations encounter significant organizational, strategic, and technological barriers on their way to implementing an effective ERM strategy. The study also found that nearly 70% of respondents said their organizations experienced at least two separate critical risk events in the past year, while over 40% experienced at least three, and nearly 20% suffered six or more incidents.

"Following the unprecedented events of the past three years, this research illustrates that now, more than ever, it is crucial for businesses to have a system in place to discover and manage major physical and cyber risk events," said Jason Edelboim, President and COO of Dataminr. "These findings have been incredibly valuable to help demonstrate the utility of Dataminr's real-time alerts—ultimately giving clients an earlier line of sight into high-impact events and emerging risks that could impact their organizations."

The survey found that 70% of respondents believed that optimized, real-time alerting would have helped them significantly or totally reduced the harm of the most serious or disruptive events their organization faced last year. At this time, 56% of respondents indicated they don't have real-time alerting solutions in place today, but 62% plan to implement or expand their use of such tools, and 54% plan to increase investment over the next 12 months.

In the research, Forrester Consulting identified four key findings:

*   **Many risk leaders are taking too narrow a view of the systemic risks their organizations face**. Business risk will become more, not less, complicated to manage in the future, and fewer than a third of risk leaders completely agree that risks to their business can come from anywhere.
*   **Risk strategies have significantly advanced over the past few years, but still have a long way to go.** Just 36% of respondents have a C-suite champion leading risk management today.
*   **Cybersecurity and real-time alerting capabilities will be a major area of focus going forward.** Respondents were most likely to cite cyber risk tools and real-time alerting capabilities as the most critical features their next risk management platform must include.
*   **Successful ERM implementations are driven by aligned leadership, vision and technology.** Organizations with highly effective ERM strategies were 27% more likely to have a C-suite leader for ERM, compared to those from lower-maturity organizations. C-suite champions are empowered to work across organizational silos and to coordinate with other business leaders within the organization.

In addition to the above key takeaways, the survey also found that only 18% of respondents reported that their current ERM strategies are effective or very effective across all five capabilities surveyed, including identifying, evaluating, monitoring, responding to, and communicating about risk.

Forrester completed the study in Q3 2022. Participants were decision makers in physical security and security operations, cyber/information security, business continuity, human resources and employee experience, corporate communications, and supply chain roles. Questions focused on how organizations navigate risk strategies, technologies and workflows.

To learn more about the study, _Constant Disruption is The New Status Quo,_ commissioned by Dataminr, visit here.

**ABOUT DATAMINR**

Dataminr delivers the earliest warnings on high impact events and critical information far in advance of other sources. Recognized as one of the world's leading AI businesses, Dataminr enables faster response, more effective risk mitigation and stronger crisis management for public and private sector organizations spanning global corporations, first responders, NGOs, and newsrooms. Most recently valued at $4.1B, Dataminr is one of New York's top private technology companies, with 800+ employees across seven global offices.

Since its founding, Dataminr has created the world's leading real-time information discovery platform, which detects digital patterns of emerging events and critical information from public data signals. Today, Dataminr's advanced AI platform performs trillions of daily computations across billions of public data inputs from over 500,000 unique public data sources. The Company has been recognized for its groundbreaking AI platform and rapid revenue growth by Forbes AI 50 and Deloitte Fast 500, and has been named to Forbes Cloud 100 for six consecutive years.

Alongside Dataminr's corporate product, Dataminr Pulse, the Company provides its First Alert product for first response to public sector organizations, including the United Nations, which relies on First Alert in over 100 countries. Dataminr for News is used by more than 650 newsrooms and over 30,000 journalists worldwide.

Forrester Study Reveals Businesses Are Insufficiently Prepared to Manage Enterprise Risks

**CHICAGO****,** **March 9, 2023** **/PRNewswire/ --** March is an exciting time for diehard and casual college basketball fans alike, but anyone planning to have fun around the tournament should stay vigilant to protect their personal and financial information from cyberthreats. The tournament is an opportune time for cybercriminals to send out phishing scams, steal sensitive information, and scam you out of money. To help fans avoid becoming victims of cybercrime, Keeper Security is providing the following cybersecurity tips.

**#1 Be on the lookout for phishing scams.** Cybercriminals use phishing scams to steal your personal information. During the tournament, cybercriminals may send phishing emails or text messages with malicious links or attachments disguised as updates on games or brackets. To avoid becoming a victim of a phishing attack, do not open attachments or click on links from unknown sources, verify that it's a trusted source requesting the information and check all links to make sure they're not leading you to a malicious site. Scammers also use social engineering to trick people into sending them money using any information they can find about you. They may impersonate a friend or family member claiming to be in urgent need of money to buy tickets or place bets on games. Scammers may even impersonate the athletes themselves or their family members with stories about needing money to get to the game. 

**#2 Create strong, unique passwords for all of your accounts.** When creating accounts to follow the games, create a bracket or take part in the fun of the tournament any other way, it may be tempting to reuse passwords. Make sure you have different, high-strength passwords for all of your accounts. This way, if one account is breached, a cybercriminal does not gain access to all of them. Passwords should be at least 12 characters with a mix of uppercase and lowercase letters, a variety of special characters and a random assortment of numbers. Also, consider using a passphrase rather than a single word. Avoid using easily guessable information such as familiar names, birthdates and addresses. A password manager can generate and securely store strong passwords, which can be especially useful for accounts that are infrequently used. Consider implementing multi-factor authentication for your accounts as an additional layer of security. 

**#3 Be wary of free sports streams.** Cord cutters and fans trying to get around regional blackouts often turn to the internet in search of free streams to watch their favorite teams, but they may end up paying the price with their security. While there are legitimate websites and apps that will stream certain games for free, the websites that host illegal streams may also host ads for questionable content or products and malicious links that could install malware that will harm your system. 

**#4 Don't fall for fake ticket sales or fake brackets.** Fake tickets are abundant during any major sporting event, but if the deal seems too good to be true, it probably is. Only buy tickets from reputable sellers that offer a secure payment system and recourse if the tickets don't come through. The tournament is also a time when more fans are trying to win money on the games, and scammers are ready to take advantage. They may create fake bracket contests promising large prizes to the winners. Once they collect your entry fee or personal information, though, they disappear and the winners never receive their prizes. 

**#5 Be cautious when using public WiFi.** If you're going to watch the tournament at a venue offering WiFi, think twice before connecting. Public WiFi is a key battleground for cybercriminals. Thus, without proper protections, you may be vulnerable to both a cyberattack and eavesdropping. Open public WiFi should not be used to send any personal or financial information. The use of public computers should be avoided for the same reason. Use a trusted network with a strong WiFi password, a VPN when possible, and ensure your home router's software is up to date.

To avoid falling victim to sports-related scams, always be cautious of unsolicited messages or offers, double-check the authenticity of the sender or the website, and never provide personal information or payment without verifying the legitimacy of a transaction. By following these simple tips, fans will be far less likely to fall victim to cybercrime this March.

**About Keeper** 

Keeper Security is transforming how people secure their passwords and confidential information against growing online threats. Forgot your password? That'll never happen again with Keeper's easy-to-use password manager that saves you time, increases your security and streamlines your online experience. Built to the highest zero-trust and zero-knowledge standards, Keeper protects you and your family on every device. Keeper is trusted by millions of people globally with more than 230,000 5-star reviews in the app stores, and is recognized by publications including PCMag and U.S. News & World Report as the leader for password storage, secure sharing and encrypted messaging. Learn more at KeeperSecurity.com.

Keeper Security Issues Top 5 Cybersecurity Tips for 2023 College Basketball Tournament

This strategic partnership highlights the importance of breach prevention and creating a proactive security culture.

Today, ThreatBlockr, the autonomous cyber intelligence and active threat defense platform, and Engaged Security Partners, a firm specializing in human error prevention, have announced a partnership focusing on “left of boom” protection to bring enhanced breach prevention to customers. Engaged Security Partners uses ThreatBlockr’s platform for threat intelligence management and integration into the network. Together, Engaged Security Partners’ customers will benefit from blocking malicious traffic and reducing human error, turning employees into threat hunters and creating a strong first and last line of defense.

“We have been seeking a partner who prioritizes breach prevention, and since ThreatBlockr is the only solution that makes threat intelligence actionable with its patented technology and sits ‘left of boom,’ this is a natural partnership,” said Chad Earwood, CEO of Engaged Security Partners. “With over 95% of breaches caused by human error, which threat actors rely on to carry out attacks, it’s essential to stop threats before they hit the network. We are thrilled to partner with ThreatBlockr and leverage their innovative solution to create a proactive security environment.”

“The best way to eliminate human error is to eliminate bad traffic,” said Brian McMahon, CEO of ThreatBlockr. “We are excited to work with Engaged Security Partners to provide our proactive solution to their customers and continue to monitor, manage and block every threat.”

This partnership comes on the heels of a series of updates to the ThreatBlockr platform, including list consolidation, simplified policy configuration, easier protection of networks and ports, improvements to management systems and simplified access controls. These new enhancements, combined with Engaged Security Partners' innovative Security Intel Filtering (SIFT) service, will provide customers with a unique opportunity to take control of their security and understand the risks their company is facing.

**About ThreatBlockr**

ThreatBlockr is the only active defense cybersecurity platform that fully automates the enforcement, deployment, and analysis of cyber intelligence at a massive scale. As the foundational layer of an active defense strategy, ThreatBlockr’s patented solution blocks known threats from ever reaching customers’ networks. ThreatBlockr utilizes immense volumes of cyber intelligence from over 50 renowned security vendors to provide unparalleled visibility over the threat landscape resulting in a more efficient and effective security posture. Security teams at companies of all sizes use ThreatBlockr to deploy active security, gain real-time network visibility into threats and policy violations, ensure their network is protected, and reduce manual work. Block. Every.Threat. at threatblockr.com.

**About Engaged Security Partners**

Engaged Security Partners is an MSSP focused specifically on preventing human errors in cybersecurity, both technical and non-technical. ESP’s fully-managed solutions reduce noise for technical teams and transform security behavior of all employees to significantly reduce the risk of human errors. ESP serves as a first line of defense and the foundational layer of a proactive security culture for end-customers and partners.

ThreatBlockr Announces Partnership With Engaged Security Partners

IceFire has changed up its OS target in recent cyberattacks, emblematic of ransomware actors increasingly targeting Linux enterprise networks, despite the extra work involved.

In recent weeks, hackers have been deploying the "IceFire" ransomware against Linux enterprise networks, a noted shift for what was once a Windows-only malware.

A report from SentinelOne published today suggests that this may represent a budding trend. Ransomware actors have been targeting Linux systems more than ever in cyberattacks in recent weeks and months, notable not least because "in comparison to Windows, Linux is more difficult to deploy ransomware against, particularly at scale," Alex Delamotte, security researcher at SentinelOne, tells Dark Reading.

But why, if Linux makes their job more difficult, would ransomware actors be moving increasingly toward it?

**The IceFire M.O.**

IceFire, first discovered last March, is standard-fare ransomware aligned with other "'big-game hunting' (BGH) ransomware families," Delamotte wrote. BGH ransomware is characterized by "double extortion, targeting large enterprises, using numerous persistence mechanisms, and evading analysis by deleting log files."

But where IceFire was once an exclusively Windows-based malware, its recent attacks have taken place against Linux-based enterprise networks.

The attack flow is straightforward. Having breached a target network, the IceFire attackers steal copies of any valuable or otherwise interesting data on target machines. Only then comes the encryption. What IceFire primarily looks for are user and shared directories, as these are important yet "unprotected parts of the file system that do not require elevated privileges to write or modify," Delamotte explained.

The attackers are careful, though. "IceFire ransomware doesn't encrypt all files on Linux: It avoids encrypting certain paths, so that critical parts of the system are not encrypted and remain operational."

IceFire tags encrypted files with an ".ifire" extension, as many IT admin have since discovered for themselves. It also automatically drops a no-frills ransom note — "All your important files have been encrypted. Any attempts to restore your files...." The note includes a unique hardcoded username and password the victim can use to log into the attackers' Tor-based ransom payment portal. Once the job is complete, IceFire deletes itself.

Source: SentinelOne

**How IceFire Is Changing**

Most of these details have remained consistent since IceFire's first entry onto the scene. However, some important details have changed in recent weeks, including the victimology.

Where IceFire was once primarily used in campaigns against the healthcare, education, and technology sectors, recent attacks have focused around entertainment and media organizations, primarily in Middle Eastern countries — Iran, Pakistan, Turkey, the United Arab Emirates, and so on.

Other changes to IceFire's M.O. derive from its operating system shift towards Linux. For example, SentinelOne has noted in the past that cyberattackers would distribute IceFire via phishing and spear-phishing emails, then use third-party, pen-test tools like Metasploit and Cobalt Strike to help it spread.

But "many Linux systems are servers," Delamotte points out, "so typical infection vectors like phishing or drive-by download are less effective." So instead, recent IceFire attacks have exploited CVE-2022-47986 — a critical remote code execution (RCE) vulnerability in the IBM Aspera data transfer service, with a CVSS rating of 9.8.

**Why Hackers Are Targeting Linux**

Delamotte posits a few reasons for why more ransomware actors are choosing Linux as of late. For one thing, she says, "Linux-based systems are frequently utilized in enterprise settings to perform crucial tasks such as hosting databases, Web servers, and other mission-critical applications. Consequently, these systems are often more valuable targets for ransomware actors due to the possibility of a larger payout resulting from a successful attack, compared to a typical Windows user."

A second factor, she guesses, "is that some ransomware actors may perceive Linux as an unexploited market that could yield a higher return on investment."

Finally, "the prevalence of containerization and virtualization technologies in enterprise environments has expanded the potential attack surface for ransomware actors," she says. Many of these technologies are Linux-based, so "as ransomware groups exhaust the supply of 'low-hanging fruit,' they will likely prioritize these higher effort targets."

Whatever the primary motive, if more threat actors follow in this same path, enterprises running Linux-based systems need to be ready.

Defending against ransomware requires "a multi-faceted approach," Delamotte says, prioritizing visibility, education, insurance, multi-layered security, and patching, all at once.

"By taking a proactive approach to cybersecurity," she says, "enterprises can increase their chances of successfully defending against ransomware attacks."

IceFire Ransomware Portends a Broader Shift From Windows to Linux

AT&T is notifying customers of a Customer Proprietary Network Information compromise, exposing years-old upgrade details.

A compromise of an unnamed marketing vendor used by AT&T has exposed data associated with nearly 9 million wireless telecom accounts.

The breached data did not contain payment information, account passwords, Social Security numbers, or other personally identifiable information, AT&T said in a statement provided to Dark Reading. Instead, the cyberattack allowed unauthorized access to information used to determine eligibility it said, characterizing the data as years old. 

The mobile carrier is notifying affected customers, it said. According to notification letter in an AT&T Community forum.

"We recently determined that an unauthorized person breached a vendor's system and gained access to your Customer Proprietary Network Information (CPNI)," the data breach notification letter in the AT&T community forum read. "In our industry, CPNI is information related to the telecommunications services you purchase from us, such as the number of lines on your account or the wireless plan to which you are subscribed."

It added, "​We have notified federal law enforcement about the unauthorized access of your CPNI as required by the Federal Communications Commission. Our report to law enforcement does not contain specific information about your account, only that the unauthorized access occurred.​"

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

AT&T Vendor Breach Exposes Data on 9M Wireless Accounts

The threat actor who posted the data for sale has claimed credit for multiple other breaches, including one at grocery platform Weee! that exposed data on more than 1.1 million customers.

Hundreds of US lawmakers and their families are at risk of identity theft, financial scams, and potentially even physical threats after a known info-theft threat actor called IntelBroker made House of Representatives members' personally identifiable information (PII) available for sale on the "Breached" criminal forum.

The information, confirmed as being obtained via a breach at health insurance marketplace DC Health Link, includes names, Social Security numbers, birth dates, addresses, and other sensitive identifying information. The data on the House members was part of a larger data set of PII belonging to more than 170,000 individuals enrolled with DC Health Link that the threat actor put up for sale this week.

**DC Health Link: A Significant Breach**

In a March 8 email to members of the House and their staff, US House Chief Administrative Officer Catherine Szpindor said the attack on DC Health Link does not appear to have specifically targeted US lawmakers. But the breach was significant and potentially exposed PII on thousands of people enrolled with DC Health Link.

"The FBI also informed us that they were able to purchase this PII, along with other enrollee information, on the Dark Web," Speaker of the House Kevin McCarthy (R-Calif.) and House Minority Leader Hakeem Jeffries (D-N.Y.) said in a joint letter to the executive director at DC Health Link on March 8. The letter sought specifics from the health exchange on the breach, including details on the full scope of the attack and DC Health Link's plans to notify affected individuals and offer credit monitoring services for them.

Despite the letter, details of the intrusion at DC Health Link are not yet available. The organization, governed by an executive board appointed by the DC mayor, did not immediately respond to a request for comment on the incident.

A report in BleepingComputer this week first identified the threat actor as the appropriately named IntelBroker, after the cybercriminals put the stolen data up for sale on March 6. According to the underground forum ad, the data set is available for "an undisclosed amount in Monero cryptocurrency." Interested parties are asked to contact the sellers via a middleman for details.

**IntelBroker's Resume of Previous Breaches**

This is not the first big heist for the group: A threat actor, using the same moniker in February, had claimed credit for a breach at Weee!, an Asian and Hispanic food delivery service. IntelBroker later leaked some 1.1 million unique email addresses and detailed information on over 11.3 million orders placed via the service. 

Security vendor BitDefender, which covered the incident in its blog at the time, published an ad that IntelBroker placed on BreachedForums that showed the attacker boasting about obtaining full names, email addresses, phone number, and even order notes which included apartment and building access codes.

Meanwhile, Chris Strand, chief risk and compliance officer at Cybersixgill says his company has been tracking IntelBroker since 2022 and is about to release a report on the actor. "IntelBroker is a highly active Breached member with an 9/10 reputation score, who claimed in the past to be the developer of Endurance ransomware," Strand says.

IntelBroker's use of Breached to sell the health exchange PII, instead of a dedicated leak site or a Telegram channel, is consistent with the threat actor's previous tactics. It suggests either a lack of resources or inexperience on the individual's part, Strand says. 

"In addition to IntelBroker's presence on Breached, the threat actor has maintained a public GitHub repository titled Endurance-Wiper," he tells Dark Reading.

In November, IntelBroker claimed that it used Endurance to steal data from high level US government agencies, Strand notes. The threat actor has in total made some 13 claims about breaching top US government agencies, likely to attract customers to a ransomware-as-a-service (RaaS) program. Other organizations that IntelBroker claims to have broken into include Volvo, cult footwear maker Dr. Martens, and an Indonesian subsidiary of The Body Shop.

"Our intelligence analysts have been tracking IntelBroker since 2022, and we have been collecting intel attributed to that threat actor since then, as well as associated threats that have been related or attributed to IntelBroker," Strand says.

**Is House Members' PII a National Security Threat?**

Justin Fier, senior vice president of red team operations at Darktrace, says the threat actor's reason for putting the data up for sale appears to be purely financially motivated rather than political. And given the high profile of the victims, IntelBroker may find that the attention the breach is garnering will increase the value of the stolen data (or bring more heat than it would like).

The buyers might be another story. Given the availability of physical addresses and electronic contact information, the kinds of potential follow-on attacks are myriad, ranging from social engineering for identity theft or espionage, to physical targeting, meaning that interested parties could run the gamut in terms of motivation.

"The amount tells you a great deal about who they may be thinking of in terms of buyers," he says. If all that the threat actor ends up asking is a couple of thousand dollars, they are likely to be a smaller criminal enterprise. But "you start talking millions, they are clearly then catering to nation-state buyers," he says.

Fier assesses that the data that the threat actor stole on US House members as potentially posing a national security issue. "We shouldn't only think external nation-states that might want to purchase this," Fier says. "Who is to say that other political parties and/or activists couldn't weaponize it?"

US Lawmakers Face Cyberattacks, Potential Physical Harm After DC Health Link Breach

Much like a hostage's proof-of-life video, the ransomware gang offers the film as verification that it has the goods, and asks $1 million for the data.

A ransomware gang, dubbed Medusa, has publicly released a roughly one-hour-long video containing stolen data from the Minneapolis Public School (MPS) District — with a demand of $1 million in payment in exchange for the data's deletion.

The video, shared on the American video-sharing platform Vimeo, came after Medusa listed the school district as one of its victims on its proprietary Tor data leak site. The ransomware gang provided a deadline of March 17 for the payment to be made, though it said it was willing to accept equal amounts of payment for the same data from additional buyers in the meantime. 

The video was first brought to the world's attention by Brett Callow, threat analyst at Emisoft, who, back in September, also shared screen captures of threats from the Vice ransomware gang threatening to leak data from the Los Angeles Unified School District (LAUSD).

"Medusa has uploaded a ~51 minute video to Vimeo which shows screenshots of the data they claim to have stolen from #MPS. It's the first time recall seeing this particular tactic. #ransomware," Callow posted in a tweet, alongside a screen capture of the Vimeo leak.

Though an MPS systems notice stated that the ransom has not yet been paid, and that there's no "evidence that any data accessed has been used to commit fraud," concerns about the level of cybersecurity regarding personal identifiable information (PII) of students in K-12 school districts abound, as attacks on student data continue to be ongoing. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Medusa Gang Video Shows Minneapolis School District's Ransomed Data

Unmanaged devices pose a significant challenge and risk for many organizations. Here are the five reasons you should care about unmanaged devices and assets.

Unmanaged devices pose a significant challenge for many organizations. These devices can be anything connected to a network but not actively managed by IT or security. These assets usually aren't captured in an asset inventory and can take many forms, such as shadow IT, rogue assets, and orphaned assets. Because security teams struggle to discover them, these devices fly under the radar and create potential footholds into a network.

What could happen if these devices are left unmanaged? Let's take a look at five reasons why you should care about unmanaged devices.

**Reason 1: Unmanaged devices are often the first foothold for attackers.**

Attackers often scan the network for any outliers: machines that have lower patch levels, unusual services running on ports, and unique pieces of software not found on the rest of the network. These outliers are great entry points for an attack because they tend to be more easily exploitable, are less likely to have security controls, and if orphaned, don't have anybody managing them. Identifying unmanaged devices to either update or decommission them is a great way to reduce your attack surface and mitigate risk.

**Reason 2: Unmanaged devices hinder incident investigations.**

Analysts in a security operations center (SOC) need to quickly and efficiently work through alerts. There was a case where an analyst received an alert that an internal IP address was communicating with a known-bad IP, notably the command-and-control (C2) server. However, the SIEM and CMDB didn't have any record of the IP on the network, nor did the vulnerability management or endpoint detection and response (EDR) consoles. The device turned out to be an IP camera that had been compromised by malware because it was using default credentials. With an asset inventory that tracks Internet of Things (IoT) devices, the analyst would have quickly resolved this incident. They could have also found other devices that share the same make and model to see if they were using default credentials.

**Reason 3: Accidental network bridges bypass firewalls.**

In another case, a critical manufacturing line was shut down due to ransomware. Investigations showed that a rogue device had bridged from the IT to the OT network, enabling attackers to bypass a firewall that had been put in place to segment the networks. The security team lacked visibility into network bridges of unmanaged devices, which is why the issue wasn't identified ahead of time.

**Reason 4: Rogue devices complicate governance of security controls.**

Proper governance dictates that every device has security controls. It's impossible to figure out coverage gaps without knowing all of the devices on the network. To zero in on your gaps, you need to start with a full asset inventory. Then, you can overlay data from security controls and look for gaps in the inventory. Some common things to look for are Windows machines missing CrowdStrike (or EDR agents).

**Reason 5: End-of-life devices are potentially vulnerable.**

Manufacturers often no longer provide functional and security fixes for these end-of-life (EOL) devices, making them much riskier and more difficult to secure if something goes wrong. If unmanaged devices are not inventoried, security teams are unable to get ahead of potential risks and issues. In addition, finance teams benefit from knowing which devices are fully depreciated and when a new budget is required to replace them.

**Solving for Unmanaged Devices**

Solving for unmanaged devices starts with a full asset inventory that delivers in-depth details about every asset on your network, including managed and unmanaged ones. Full asset inventory requires active, unauthenticated discovery, which doesn't assume any prior knowledge of network-connected devices, such as credentials to authenticate into devices and endpoints. Instead, it focuses on discovery capabilities that are research-driven to find and surface every network-connected asset, whether managed or unmanaged. This approach can be complemented through integrations with cloud, virtualization, and security infrastructure to provide full visibility into IT, OT, cloud, and remote devices.

Getting a handle on unmanaged assets is critical for any security program, and with a solution built around active, unauthenticated discovery, finding your unmanaged assets will finally be possible.

    

**About the Author**

Chris Kirsch started his career at an InfoSec startup in Germany and has since worked for PGP, nCipher, Rapid7, and Veracode. He has a passion for OSINT and social engineering. In 2017, he earned the Black Badge for winning the Social Engineering Capture the Flag competition at DEF CON, the world's largest hacker conference. Currently, Chris is the CEO of runZero (www.runzero.com), a cyber-asset management company he co-founded with Metasploit creator HD Moore.

Source

DARKReading