RansomHub ransomware group leaks alleged 487 GB of sensitive data stolen from Kawasaki Motors Europe (KME), following a…

RansomHub ransomware group leaks alleged 487 GB of sensitive data stolen from Kawasaki Motors Europe (KME), following a cyberattack. The breach includes business documents and financial data, raising cybersecurity concerns for global firms.

The notorious RansomHub ransomware group has leaked 487 gigabytes of data it allegedly stole from Kawasaki Motors Europe (KME). This cyberattack was publicly **disclosed** by Kawasaki last week, though the company emphasized that the attack had not been successful in its aims.

As a preventive measure, Kawasaki temporarily isolated its servers and initiated a thorough “cleansing process” to detect any potential infections. However, despite Kawasaki’s recovery efforts, RansomHub went ahead with the data release. On September 5, 2024, the group listed the stolen information on the dark web, utilizing its official dark web leak sites to dump the data.

As seen by the Hackread.com research team, among the exposed files are critical business documents, including financial information, banking records, dealership details, and internal communications.

A partial list of the leaked data includes directories titled “Dealer Lists,” “Financing Kawasaki,” “COVID,” “Trading Terms,” and more, with timestamps showing activity as recent as early September.

Screenshot from the dark web leak site of the RansomHub Ransomware Group (Screenshot credit: Hackread.com)

**Kawasaki’s Response and Cybersecurity Strategy**

While Kawasaki Motors Europe disclosed the breach to its customers, it appears that the company opted not to engage with the ransom demands. **Jason Soroko**, Senior Fellow at Sectigo, speculated that Kawasaki may have prioritized system restoration over paying the ransom.

He suggested that this decision reflects Kawasaki’s readiness to deal with the potential fallout of a data breach, emphasizing the importance of having strong cybersecurity systems in place to avoid financial damage through ransom payments.

_“_Kawasaki Motors Europe’s official statement claimed they could take the hit with the data versus the financial hit of paying the ransom, however, the RansomHub group released 487 GB of allegedly stolen data. This suggests, but does not prove, Kawasaki chose not to negotiate with the attackers, prioritizing system restoration and data cleansing._“_

Soroko added that Kawasaki’s stance might serve as a model for other companies: instead of negotiating with cybercriminals, businesses should focus on recovery and work to fortify their systems against future attacks.

He also pointed out the need for organizations, especially in the United States, to enhance their cybersecurity infrastructure, prepare for such incidents, and collaborate with government authorities to better handle ransomware threats.

_“_Given RansomHub’s increased activity, US companies should bolster cybersecurity measures, prepare robust incident response plans, and avoid paying ransoms, aligning with government advisories. Staying informed about such threats and collaborating with authorities can mitigate risks and protect sensitive data,_“_ he explained.

**The Role of RansomHub**

RansomHub is a notorious player in cybercrime especially ransomware attacks, having made headlines recently for its involvement in other major breaches. Earlier this month, the group claimed responsibility for **hacking Planned Parenthood** and stealing 93 gigabytes of sensitive data.

This trend of increased activity exposes the growing threat posed by ransomware groups, which often target high-profile organizations in sectors ranging from healthcare to manufacturing.

1.  **PythonAnywhere Cloud Platform Abused for Hosting Ransomware**
2.  **Qilin Ransomware Upgrade: Now Steals Google Chrome Credentials**
3.  **Russian Hackers Hit Mail Servers in Europe for Political, Military Intel**
4.  **Xplain Hack: Play Ransomware Leaks Sensitive Swiss Government Data**
5.  **Hackers hit Europe’s largest healthcare provider with Snake ransomware**

RansomHub Ransomware Gang Leaks 487GB of Alleged Kawasaki Europe Data

While the 2024 election may see various cyber threats, existing security measures and coordination across all levels of government aim to minimize their impact.

Mike Kosak, Senior Principal Intelligence Analyst, LastPass

September 16, 2024

4 Min Read

Source: Saphiens via Alamy Stock Photo

COMMENTARY

As the 2024 US presidential election approaches, cybersecurity is a frequent topic of conversation. From my time in the intelligence community supporting the Department of Defense, I'm familiar with government planning around elections. While the most discussed threats for 2024 are nation-state misinformation and disinformation, this election season, I'm also following cybersecurity threats to municipal election systems. 

The good news is the threat of an actual impactful disruption is low. As the US has funneled significant resources into securing elections over the past decade, US Cybersecurity and Infrastructure Security Agency (CISA) lead Jen Easterly said election infrastructure "has never been more secure." However, that doesn't mean threat actors aren't likely to attempt some sort of attacks, such as website defacements or distributed denial of service (DDoS) attacks against municipal election websites.

Here are the four threats against local election systems we will most likely hear about in 2024:

**Voting Machine Hacking**

The most high-profile threat to US elections is voting machine hacking. However, voting machines are rarely connected directly to the Internet, which aligns with current cybersecurity guidelines. This means the most realistic threat vector would require physical access to the machines, according to F5 Labs, a concern addressed through anti-tampering and physical security guidelines around the country. While cyber vulnerabilities within voting machines exist — as demonstrated annually at the DEFCON Voting Village hacking event — to date, there have been no reports of cyberattacks taking voting machines offline or changing votes, despite the clear value of such a capability to US adversaries.

**DDoS Attacks**

DDoS attacks are a less disruptive but more frequent threat to US elections. Election monitoring and information websites leveraging Google's Project Shield DDoS protection services experienced a 400% increase in weekly attacks during the 2022 midterms. While several companies like Cloudflare offer free DDoS protection services to election-related websites, some sites are still going down. Mississippi's election websites were briefly taken offline in 2022 by a DDoS attack claimed by a pro-Russia hacking group. However, the attack did not impact voting results or availability.

Given the increased profile of the presidential election, we can expect to see DDoS on a larger scale in 2024. However, as CISA and the FBI stated in a July 31 alert, these attacks would not prevent voters from casting their ballots.

**Ransomware**

The FBI and CISA released a similar alert on Aug. 15 related to ransomware disruptions, reassuring the public that any attack along these lines would not compromise the security or accuracy of voting. Ransomware groups will likely target municipalities — already a common target — in the run-up to the elections. 

For instance, a ransomware attack in April forced a Georgia county to temporarily disconnect from the state's voter registration system as a precautionary measure — highlighting disruptions that could occur around access to voter data or other election information. However, the FBI and CISA noted, "Any successful ransomware attack on election infrastructure tracked by FBI and CISA has remained localized and successfully managed with minimal disruption to election operations and no impact on the security and accuracy of ballot casting or tabulation processes or systems." Similar to DDoS attacks, no reporting suggests ransomware attacks have ever prevented a vote from being cast.

**Website Defacement and Email Access**

Website defacements are another common threat, where attackers take over election-related sites to alter data or images. These attacks can either aim to embarrass the site owner or subtly manipulate information, such as polling results or polling station hours.

In 2020, a threat actor briefly took over the campaign website for then President Trump, posting a derogatory message and seeking payment in return for not releasing data they claimed to have stolen. While these attacks may occur and could cause local disruptions, they would not impact the ability to vote or tally votes.

Hybrid cyber-physical threats, such as the increasing use of emails or spoofed phone numbers to deliver fake bomb threats or conduct swatting attacks, also present a concern, where false scenarios are reported to provoke a large police response. In 2018, a months-long campaign targeting US schools and businesses caused evacuations, police responses, and major disruptions. Similar attacks on election day could target polling stations, election offices, or ballot-counting sites.

Finally, threat actors (particularly nation-states) will continue to target email accounts of political operatives and organizations. The US intelligence community has already attributed social engineering attacks targeting both major US political parties to Iran. These attacks aimed to access sensitive or embarrassing information to influence the US election, highlighting the frequency of politically motivated social engineering attacks and the importance of secure, unique passwords and multifactor authentication. 

**Safeguarding the Vote**

While cyberattacks will undoubtedly target US election infrastructure over the next few months, it's important to place these events in the context of the protections put in place. Federal, state, local, and tribal governments, as well as international allies, have all been tracking these threats and implementing mitigations and contingencies to help ensure a secure and smooth election. 

While the 2024 election may see various cyber threats, existing security measures and coordination across all levels of government aim to minimize their impact. Voters should stay informed and rely on official sources to ensure their participation is not disrupted.

**About the Author**

Senior Principal Intelligence Analyst, LastPass

Mike Kosak is a former US Department of Defense (DoD) counterterrorism intelligence officer with more than 20 years of experience as a threat intelligence analyst. While with the DoD, he served in several senior intelligence officer roles, including leading the Pentagon office responsible for providing intelligence updates to the chairman of the Joint Chiefs of Staff, and was deployed to Iraq three times in support of Operation Iraqi Freedom. He also served as the acting senior command representative to the Joint Special Operations Command for the Defense Intelligence Agency. During his deployments, he led intelligence teams in support of both conventional and special forces. Following his government service, Kosak held private sector cyber intelligence positions at Bank of America, where he led the Strategic Cyber Intelligence and Threat Evaluation teams, and TIAA, where he led the Cyber Threat Intelligence team. He currently serves as the senior principal intelligence analyst at LastPass.

Cybersecurity &amp; the 2024 US Elections

A hacker known as IntelBroker claims to have breached the UK-based company Experience Engine, allegedly exposing sensitive data.…

A hacker known as IntelBroker claims to have breached the UK-based company Experience Engine, allegedly exposing sensitive data. The hacker is selling the data on an online forum, raising concerns about data security for affected clients and businesses.

The notorious IntelBroker hacker has claimed responsibility for breaching Experience Engine, a UK-based company that provides experiential marketing and promotional staffing services. The hacker, who was previously linked to several high-profile data breaches, is now selling the allegedly stolen data on Breach Forums, demanding payment in **Monero** (XML) cryptocurrency to remain anonymous and untraceable.

****Who is Experience Engine?****

Experience Engine, founded over 20 years ago, specializes in creating experiential marketing and promotional staffing solutions. With a global reach and a client base that includes major corporations; they work across sectors such as tech, public sectors, and fast-moving consumer goods (FMCG) brands, offering a network of over 1,200 “Experience Engineers™.”

These professionals are tech-trained to help businesses engage with customers through activations, events, and brand ambassador roles. The company claims to offer access to over 200,000 properties worldwide, focusing on integrating campaigns and humanizing complex technological messages for brands.

Screenshot from Experience Engine’s website highlighting its portfolio

****The Alleged Breach****

According to IntelBroker, the breach occurred in September and involves a trove of sensitive data. The hacker is also offering to sell entire .bak database files, which contain a large amount of client and transactional information. IntelBroker has even provided sample data, which includes details from tables such as dbo.invoice and dbo.booking_backup, containing thousands of rows of sensitive records.

One of the notable tables, dbo.invoice, includes 31,000 rows of data, with fields such as InvoiceID, InvoiceNumber, and InvoiceDate, alongside client-specific information such as contact details and invoice amounts. For instance, one invoice dated October 3, 2006, references Thomas Cook, a now-defunct global travel group, headquartered in the United Kingdom with payment details and banking information related to a booking at the now permanently closed Thirty Thirty New York City Hotel.

InterBorken hacker on Breach Forums (Screenshot: Hackread.com)

Another table, dbo.booking_backup, contains 784,000 rows of data, featuring sensitive customer information such as names, addresses, emails, booking histories, and revenue data. Among the entries are details of clients from the UK, United States, and Saint Lucia, with personal information, email addresses, and booking records all included.

The data sample provided by IntelBroker reveals alarming details of the alleged breach. The exposed data includes highly sensitive information, including financial transactions, customer contact details, and bank account numbers.

For instance, a sample from the dbo.invoice table analyzed by the Hackread.com research team shows details of an invoice amounting to $4699.36, with full banking details for the recipient. The booking records reveal customer names, addresses, and even room revenue from bookings, which can put individuals’ privacy and financial security at risk.

Moreover, the nature of the alleged data breach suggests that Experience Engine’s security protocols may have been insufficient to prevent this large-scale leak. Given that the company manages promotional staffing and experiential campaigns for global brands, the impact on their reputation could be severe.

****IntelBroker’s Dark History****

IntelBroker is no stranger to the hacking world. The hacker has been linked to several high-profile breaches, including the following organisations:

*   **Europol**
*   **Tech in Asia**
*   **Space-Eyes**
*   **Home Depot**
*   **Facebook Marketplace**
*   **U.S. contractor Acuity Inc.**
*   **Staffing giant Robert Half**
*   **Los Angeles International Airport**
*   **Alleged breaches of HSBC and Barclays Bank**

Although the hacker’s origins and affiliates are unknown, according to the United States government, IntelBroker is alleged to be the perpetrator behind one of the **T-Mobile data breaches**.

(Screenshot: Hackread.com)

The alleged breach of Experience Engine adds another company to IntelBroker’s cybercrime portfolio. With millions of sensitive records potentially exposed, the fallout from this breach could have long-lasting consequences.

Hackread.com has reached out to Experience Engine for comment. If and when the company responds the article will be updated accordingly. Stay tuned!

1.  **UK’s Freecycle Data Breach Impacts 7 Million Users**
2.  **Exposed ICS in the US, and UK Threaten Water Supplies**
3.  **NCA Arrests Teenager in Walsall Over TfL Cyber Attack**
4.  **IntelBroker Apple Breach: Steals Source Code for Internal Tools**
5.  **UK Criminal Records Office Down in Potential Ransomware Attack**

Hacker Claims Breach of UK’s Experience Engine, Data Sold Online

Apple has filed a motion to "voluntarily" dismiss its lawsuit against commercial spyware vendor NSO Group, citing a shifting risk landscape that could lead to exposure of critical "threat intelligence" information.
The development was first reported by The Washington Post on Friday.
The iPhone maker said its efforts, coupled with those of others in the industry and national governments to tackle

Spyware / Threat Intelligence

Apple has filed a motion to "voluntarily" dismiss its lawsuit against commercial spyware vendor NSO Group, citing a shifting risk landscape that could lead to exposure of critical "threat intelligence" information.

The development was first reported by The Washington Post on Friday.

The iPhone maker said its efforts, coupled with those of others in the industry and national governments to tackle the rise of commercial spyware, have "substantially weakened" the defendants.

"At the same time, unfortunately, other malicious actors have arisen in the commercial spyware industry," the company said. "It is because of this combination of factors that Apple now seeks voluntary dismissal of this case."

"While Apple continues to believe in the merits of its claims, it has also determined that proceeding further with this case has the potential to put vital security information at risk."

Apple originally filed the lawsuit against the Israeli company in November 2021 in an attempt to hold it accountable for illegally targeting users with its Pegasus surveillance tool.

It described NSO Group, a subsidiary of Q Cyber Technologies Limited, as "amoral 21st century mercenaries who have created highly sophisticated cyber-surveillance machinery that invites routine and flagrant abuse."

Earlier this January, a federal judge denied a motion from NSO Group to dismiss the lawsuit under the grounds that the company is "based in Israel and Apple should have sued them there," with the court stating that "the anti-hacking purpose of the CFAA fits Apple's allegations to a T, and NSO has not shown otherwise."

In its motion for voluntary dismissal, Apple said three major developments have been a contributing factor: The risk that the threat intelligence information it has developed to protect users against spyware attacks could be exposed, pointing to a July 25, 2024, report from The Guardian.

The British newspaper revealed that Israeli officials had seized documents from NSO Group in July 2020 in an apparent effort to stop the handover of information about the notorious hacking tool as part of the company's ongoing legal tussle with Meta-owned WhatsApp, which filed a similar lawsuit in 2019.

"The seizures were part of an unusual legal maneuver created by Israel to block the disclosure of information about Pegasus, which the government believed would cause 'serious diplomatic and security damage' to the country," The Guardian noted at the time.

Apple also cited as reasons for changing dynamics in the commercial spyware industry and the proliferation of different spyware companies, as well as the possibility of revealing to third-parties "the information Apple uses to defeat spyware while defendants and others create significant obstacles to obtaining an effective remedy."

The development comes as the Atlantic Council divulged that the individuals behind some of the spyware vendors in Israel, Italy, and India that have come under the scanner for enabling authoritarian regimes to spy on human rights advocates, opposition leaders, and journalists have sought to rename them, start new ones, or undertake strategic jurisdiction hopping.

Case in point, Intellexa, the now-sanctioned company behind the Predator spyware, has resurfaced with new infrastructure in connection with its ongoing use by likely customers in countries such as Angola, the Democratic Republic of the Congo (DRC), and Saudi Arabia.

"Predator's operators have significantly enhanced their infrastructure, adding layers of complexity to evade detection," the cybersecurity company's Insikt Group said.

"The new infrastructure includes an additional tier in its multi-tiered delivery system, which anonymizes customer operations, making it even harder to identify which countries are using the spyware."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Apple Drops Spyware Case Against NSO Group, Citing Risk of Threat Intelligence Exposure

PRESS RELEASE

Burlingame, Sept. 13, 2024 (GLOBE NEWSWIRE) -- CoherentMI published a report, titled, South Korea Digital Forensics Market is estimated to value at US$ 1.64 Billion in the year 2024 and is anticipated to reach US$ 3.52 Billion by 2031, at a CAGR of 11.5% during forecast period 2024-2031. With rising digitalization across various industry verticals in South Korea, incidents of cybercrimes have also increased exponentially over the years. Organizations across banking, finance, healthcare and other sectors are increasingly focusing on protecting sensitive data and investigating cyber threats. This has propelled the demand for professional digital forensics services that can retrieve hidden electronic data from computers, mobiles and other devices to solve cybercrime cases.

Market Dynamics: 

The South Korea digital forensics market is expected to witness significant growth, owing to increasing number of cybercrimes in the country. According to statistics, the number of cybercrimes reported in South Korea increased from 78,385 cases in 2018 to 95,172 cases in 2019. With rapid digitalization and increasing internet penetration, the cases of cyberbullying, hacking, data theft, and financial fraud have increased sharply. As a result, the demand for digital forensics solutions to collect, examine, and analyze digital evidence from computing devices such as smartphones, laptops, and servers is growing significantly. Moreover, increasing investments by law enforcement agencies to strengthen their digital investigation capabilities is also fueling the market growth.

Key Market Takeaways:

*   On the basis of forensic type, the computer forensics segment is expected to hold a dominant position, owing to a large volume of electronic evidence involving computers in cybercrime investigations.
    
*   On the basis of component, the services segment is expected to hold the largest share due to increasing demand for forensic consulting, investigation, training and education from law enforcement agencies and enterprises. 
    
*   On the basis of verticals, the government and defense segment is expected to hold the major market share due to initiatives towards strengthening cybersecurity and increasing reliance on digital forensics solutions.
    
*   Regionally, South Korea is expected to hold a dominant position over the forecast period due to stringent cyber regulations, robust law enforcement agencies and digital infrastructure in the country.
    
*   Key players operating in the South Korea digital forensics market include AhnLab, FireEye, IBM Corporation., Guidance Software, Inc., OpenTextCorp. These players are focusing on developing innovative forensic solutions and adopting organic and inorganic growth strategies to strengthen their market presence.
    

Market Trends:

Mobile device forensics and cloud forensics are the major trends witnessed in the South Korea digital forensics market. With increasing usage of smartphones and tablets, mobile device forensics solutions that can extract, recover, analyze and preserve deleted data from mobile devices are gaining more importance. Additionally, as more data is being stored on cloud systems, cloud forensics solutions are being increasingly used to investigate data breach incidents involving cloud applications and services. Major players in the market are focusing on developing advanced mobile and cloud forensics solutions to leverage lucrative business opportunities.

Recent Developments:

*   On April 22 2021, Plainbit Co., Ltd., has signed a memorandum of understanding with FRONTEO Inc. FRONTEO Inc. is an overseas subsidiary of FRONTEO Korea, Inc., based in Minato-ku, Tokyo. The partnership aims to strengthen digital forensic services through collaborative business initiatives, facilitating mutual exchange and cooperation between the two companies. FRONTEO specializes in digital forensic services, while Plainbit focuses on enhancing digital forensic capabilities through collaborative business initiatives.
    

Get a detailed analysis on regions, market segments, and companies: https://www.coherentmi.com/industry-reports/south-korea-digital-forensics-market

South Korea Digital Forensics Market Opportunities:

Computer Forensics: The computer forensics segment held the largest market share in 2024 owing to increasing cases of cybercrimes involving computers. Computer forensics aids in investigating computer related crimes by analyzing data stored on computers and recovering digital evidence. It allows examination of digital media in a forensically sound manner and law enforcement agencies heavily rely on computer forensics for examining digital devices seized from crime scenes.

Network Forensics: Network forensics is anticipated to witness substantial growth during the forecast period due to rising network intrusions and data breaches. It involves monitoring and analyzing network traffic for potential security issues and policy violations. Network forensics provides insights into network security incidents, data leakage and helps identify compromised accounts. The technology assists in conducting post-intrusion analysis and network traffic reconstruction to gather digital evidence from network infrastructure.

South Korea Digital Forensics Market Segmentation:

*   By Verticals:
    
    *   Banking, Financial Services, and Insurance (BFSI)
        
    

The research provides answers to the following key questions:

1.  What is the estimated growth rate of the market for the forecast period 2024-2031?
    
2.  What will be the market size during the estimated period?
    
3.  What are the key driving forces responsible for shaping the fate of the South Korea Digital Forensics market during the forecast period?
    
4.  Who are the major market vendors and what are the winning strategies that have helped them occupy a strong foothold in the South Korea Digital Forensics market?
    
5.  What are the prominent market trends influencing the development of the South Korea Digital Forensics market across different regions?
    
6.  What are the major threats and challenges likely to act as a barrier in the growth of the South Korea Digital Forensics market?
    
7.  What are the major opportunities the market leaders can rely on to gain success and profitability?
    

Purchase Latest Edition of this Research Report @ https://www.coherentmi.com/industry-reports/south-korea-digital-forensics-market/buynow

Key insights provided by the report that could help you take critical strategic decisions?

*   Regional report analysis highlighting the consumption of products/services in a region also shows the factors that influence the market in each region.
    
*   Reports provide opportunities and threats faced by suppliers in the South Korea Digital Forensics industry around the world.
    
*   The report shows regions and sectors with the fastest growth potential.
    
*   A competitive environment that includes market rankings of major companies, along with new product launches, partnerships, business expansions, and acquisitions.
    
*   The report provides an extensive corporate profile consisting of company overviews, company insights, product benchmarks, and SWOT analysis for key market participants.
    
*   This report provides the industry's current and future market outlook on the recent development, growth opportunities, drivers, challenges, and two regional constraints emerging in advanced regions.
    

Browse Related Reports:

United States Racing Drones Market: The United States Racing Drones Market is estimated to be valued at USD 353.01 Mn in 2024 and is expected to reach USD 1,333.19 Mn by 2031, growing at a CAGR of 18.1% from 2024 to 2031.

New Zealand Power Tool Market: New Zealand Power Tool Market is estimated to be valued at US$ 167.2 million in 2024 and is expected to reach US$ 286.1 million by 2031, exhibiting a compound annual growth rate (CAGR) of 8% from 2024 to 2031.

Philippines Robot as a Service Market: Philippines robot as a service market is estimated to be valued at US$ 298.9 Million in 2024, and is expected to reach US$ 918.8 Million by 2031, growing at a compound annual growth rate (CAGR) of 17.4% from 2024 to 2031.

UAE Dark Kitchens/Ghost Kitchens/Cloud Kitchens Market: The UAE Dark Kitchens/Ghost Kitchens/Cloud Kitchens market size was valued at US$ 330.3 million in 2023 and is expected to reach US$ 821.5 million by 2030, grow at a compound annual growth rate (CAGR) of 13.9% from 2023 to 2030.

Author of this marketing PR:

Ravina Pandya, PR Writer, has a strong foothold in the market research industry. She specializes in writing well-researched articles from different industries, including food and beverages, information and technology, healthcare, chemical and materials, etc. With an MBA in E-commerce, she has an expertise in SEO-optimized content that resonates with industry professionals.

About Us:

At CoherentMI, we are a leading global market intelligence company dedicated to providing comprehensive insights, analysis, and strategic solutions to empower businesses and organizations worldwide. Moreover, CoherentMI is a subsidiary of Coherent Market Insights Pvt Ltd., which is a market intelligence and consulting organization that helps businesses in critical business decisions. With our cutting-edge technology and experienced team of industry experts, we deliver actionable intelligence that helps our clients make informed decisions and stay ahead in today's rapidly changing business landscape.

South Korea Digital Forensics Market to Hit US $3.52B by 2031

Plus: New evidence emerges about who may have helped 9/11 hijackers, UK police arrest a teen in connection with an attack on London’s transit system, and Poland’s spyware scandal enters a new phase.

After Apple's product launch event this week, WIRED did a deep dive on the company's new secure server environment, known as Private Cloud Compute, which attempts to replicate in the cloud the security and privacy of processing data locally on users' individual devices. The goal is to minimize possible exposure of data processed for Apple Intelligence, the company's new AI platform. In addition to hearing about PCC from Apple's senior vice president of software engineering, Craig Federighi, WIRED readers also received a first look at content generated by Apple Intelligence's “Image Playground” feature as part of crucial updates on the recent birthday of Federighi's dog Bailey.

Turning to privacy protection of a very different kind in another new AI service, WIRED looked at how users of the social media platform X can keep their data from being slurped up by the “unhinged” generative AI tool from xAI known as Grok AI. And in other news about Apple products, researchers developed a technique for using eye tracking to discern passwords and PINs people typed using 3D Apple Vision Pro avatars—a sort of keylogger for mixed reality. (The flaw that made the technique possible has since been patched.)

On the national security front, the US this week indicted two people accused to spreading propaganda meant to inspire “lone wolf” terrorist attacks. The case, against alleged members of the far-right network known as the Terrorgram Collective, marks a turn in how the US cracks down on neofascist extremists.

And there's more. Each week, we round up the privacy and security news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**ChatGPT Tricked Into Revealing Instructions for Making Fertilizer Bombs After Being Led Deep Into Fantasy Storytelling**

OpenAI's generative AI platform ChatGPT is designed with strict guardrails that keep the service from offering advice on dangerous and illegal topics like tips on laundering money or a how-to guide for disposing of a body. But an artist and hacker who goes by “Amadon” figured out a way to trick or “jailbreak” the chatbot by telling it to “play a game” and then guiding it into a science-fiction fantasy story in which the system's restrictions didn't apply. Amadon then got ChatGPT to spit out instructions for making dangerous fertilizer bombs. An OpenAI spokesperson did not respond to TechCrunch's inquiries about the research.

“It’s about weaving narratives and crafting contexts that play within the system’s rules, pushing boundaries without crossing them. The goal isn’t to hack in a conventional sense but to engage in a strategic dance with the AI, figuring out how to get the right response by understanding how it ‘thinks,’” Amadon told TechCrunch. “The sci-fi scenario takes the AI out of a context where it’s looking for censored content … There really is no limit to what you can ask it once you get around the guardrails.”

**New Evidence Indicates That at Least Two Saudi Officials May Have Helped 9/11 Hijackers**

In the fervent investigations following the September 11, 2001, terrorist attacks in the United States, the FBI and CIA both concluded that it was coincidental that a Saudi Arabian official had helped two of the hijackers in California and that there had not been high-level Saudi involvement in the attacks. The 9/11 commission incorporated that determination, but some findings indicated subsequently that the conclusions might not be sound. With the 23-year anniversary of the attacks this week, ProPublica published new evidence “suggest\[ing\] more strongly than ever that at least two Saudi officials deliberately assisted the first Qaida hijackers when they arrived in the United States in January 2000.”

The evidence comes primarily from a federal lawsuit against the Saudi government brought by survivors of the 9/11 attacks and relatives of victims. A judge in New York will soon make a decision in that case about a Saudi motion to dismiss. But evidence that has already emerged in the case, including videos and documents such as telephone records, points to possible connections between the Saudi government and the hijackers.

“Why is this information coming out now?” said retired FBI agent Daniel Gonzalez, who pursued the Saudi connections for almost 15 years. “We should have had all of this three or four weeks after 9/11.”

**British Teenager Arrested in Investigation of Cyberattack on London Transportation Agency**

The United Kingdom's National Crime Agency said on Thursday that it arrested a teenager on September 5 as part of the investigation into a cyberattack on September 1 on the London transportation agency Transport for London (TfL). The suspect is a 17-year-old male and was not named. He was “detained on suspicion of Computer Misuse Act offenses” and has since been released on bail. In a statement on Thursday, TfL wrote, “Our investigations have identified that certain customer data has been accessed. This includes some customer names and contact details, including email addresses and home addresses where provided.” Some data related to the London transit payment cards known as Oyster cards may have been accessed for about 5,000 customers, including bank account numbers. TfL is reportedly requiring roughly 30,000 users to appear in person to reset their account credentials.

**Polish Court Blocks Investigation Into Apparent Spyware Abuses by Previous Government Administration**

In a decision on Tuesday, Poland’s Constitutional Tribunal blocked an effort by Poland's lower house of parliament, known as the Sejm, to launch an investigation into the country's apparent use of the notorious hacking tool known as Pegasus while the Law and Justice (PiS) party was in power from 2015 to 2023. Three judges who had been appointed by PiS were responsible for blocking the inquiry. The decision cannot be appealed. The decision is controversial, with some, like Polish parliament member Magdalena Sroka, saying that it was “dictated by the fear of liability.”

Security News This Week: A Creative Trick Makes ChatGPT Spit Out Bomb-Making Instructions

Ivanti has revealed that a newly patched security flaw in its Cloud Service Appliance (CSA) has come under active exploitation in the wild.
The high-severity vulnerability in question is CVE-2024-8190 (CVSS score: 7.2), which allows remote code execution under certain circumstances.
"An OS command injection vulnerability in Ivanti Cloud Services Appliance versions 4.6 Patch 518 and before allows

Enterprise Security / Threat Intelligence

Ivanti has revealed that a newly patched security flaw in its Cloud Service Appliance (CSA) has come under active exploitation in the wild.

The high-severity vulnerability in question is CVE-2024-8190 (CVSS score: 7.2), which allows remote code execution under certain circumstances.

"An OS command injection vulnerability in Ivanti Cloud Services Appliance versions 4.6 Patch 518 and before allows a remote authenticated attacker to obtain remote code execution," Ivanti noted in an advisory released earlier this week. "The attacker must have admin level privileges to exploit this vulnerability."

The flaw impacts Ivanti CSA 4.6, which has currently reached end-of-life status, requiring that customers upgrade to a supported version going forward. That said, it has been addressed in CSA 4.6 Patch 519.

"With the end-of-life status this is the last fix that Ivanti will backport for this version," the Utah-based IT software company added. "Customers must upgrade to Ivanti CSA 5.0 for continued support."

"CSA 5.0 is the only supported version and does not contain this vulnerability. Customers already running Ivanti CSA 5.0 do not need to take any additional action."

On Friday, Ivanti updated its advisory to note that it observed confirmed exploitation of the flaw in the wild targeting a "limited number of customers."

It did not reveal additional specifics related to the attacks or the identity of the threat actors weaponizing it, however, a number of other vulnerabilities in Ivanti products have been exploited as a zero-day by China-nexus cyberespionage groups.

The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the shortcoming to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the fixes by October 4, 2024.

The disclosure also comes as cybersecurity company Horizon3.ai posted a detailed technical analysis of a critical deserialization vulnerability (CVE-2024-29847, CVSS score: 10.0) impacting Endpoint Manager (EPM) that results in remote code execution.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Ivanti Warns of Active Exploitation of Newly Patched Cloud Appliance Vulnerability

The incident is a reminder why organizations need to pay attention to how they store and secure data in SaaS and cloud environments.

Source: JHVEPhoto via Shutterstock

Fortinet has confirmed the compromise of data belonging to a "small number" of its customers, after a hacker using the somewhat colorful moniker "Fortibitch" leaked 440GB of the information via BreachForums this week.

The hacker claimed to have obtained the data from an Azure SharePoint site and alleges they leaked it after the company refused to negotiate with the individual on a ransom demand. The situation once again highlights the responsibility that companies have to secure data held in third-party cloud repositories, researchers say.

Fortinet itself has not specifically identified the source of the breach. But in a Sept. 12 advisory, the company said someone had gained "unauthorized access to a limited number of files stored on Fortinet’s instance of a third-party, cloud-based shared file drive."

The security vendor, one of the largest in the world by market cap, identified the issue as impacting less than 0.3% of its more than 775,000 customers worldwide, which would place the number of affected organizations at around 2,325.

Fortinet said it had seen no signs of malicious activity around the compromised data. "Fortinet immediately executed on a plan to protect customers and communicated directly with customers as appropriate and supported their risk mitigation plans," the security vendor noted in the advisory. "The incident did not involve any data encryption, deployment of ransomware, or access to Fortinet’s corporate network." Fortinet said it does not expect the incident to have any material impact on its operations or finances.

In a threat intelligence report shared with Dark Reading, CloudSEK said it had observed a threat actor using the Fortibitch handle leaking what appeared to include not just customer data, but also financial and marketing documents, product information, HR data from India, and some employee data.

"The actor attempted to extort the company but, after unsuccessful negotiations, released the data," CloudSEK said.  The company surmised that the hacker would have attempted to sell the data first, if it had been of any true value.

Fortinet did not confirm or deny if the hacker had attempted to engage with the company on the stolen data.

The hacker's post on BreachForums included somewhat context-free references to Fortinet's acquisitions of Lacework and NextDLP. It also referenced a few other threat actors, the most interesting of whom is a Ukrainian outfit tracked as DC8044. "There are no direct links between Fortibitch and DC8044, but the tone suggests a history between the two," according to CloudSEK. "Based on the available information, we can ascertain with medium confidence that the threat actor is based out of Ukraine."

**Breach a Reminder of Cloud Data Exposure Risks**

The Fortinet compromise — though apparently not too major — is a reminder of the heightened data exposure risks to enterprise organizations when using software-as-a-service (SaaS) and other cloud services without the appropriate guardrails. A recent scan by Metomic of some 6.5 million Google Drive files showed more than 40% of them containing sensitive data, including employee data and spreadsheets containing passwords.

Often, organizations stored the data on Google Drive files with little protection. More than one-third (34.2%) of the scanned files were shared with external email addresses, and more than 350,000 files had been shared publicly.

Rich Vibert, CEO and founder of Metomic, says there are three fundamental mistakes organizations make when it comes to protecting data in cloud environments: not using multifactor authentication (MFA) to control access to SaaS apps; giving employees too much access to folders and sensitive assets within the app itself; and storing sensitive data for too long.

It's unclear yet how the hacker might have accessed the data from Fortinet's SharePoint environment. But one likely scenario is that the attacker gained access to valid login credentials, via phishing for instance, and then logged in and exfiltrated data from SharePoint and similar environments, says Koushik Pal, threat intelligence reporter at CloudSEK. Information stealers are also a "really common" attack vector, Pal notes.

**Rethinking Cloud Security**

"Typically, developers should use environment variables, vaults, or encrypted storage for sensitive information, and avoid hardcoding credentials in source code," Pal says. Often developers hardcode access credentials like API keys, username and password into the source code and inadvertently push the code into a public or unsecured private repository from where they can be accessed relatively easily.

"Organizations should make MFA mandatory for accessing SharePoint and other critical systems to prevent unauthorized access even if credentials are compromised," Pal explains. "Monitor repositories on a regular basis for exposed credentials, sensitive data, or misconfigurations, and enforce security best practices across all teams."

Akhil Mittal, senior manager of cybersecurity at Synopsys Software Integrity Group, says incidents like the one Fortinet experienced show why it's a mistake for organizations to leave security around their cloud assets entirely to cloud service providers. "Organizations should rethink how they store customer data in shared drives, ensuring critical information is kept separate from less sensitive files," he says.

It's a good idea too to encrypt sensitive data both in transit and at rest, to mitigate damage even if attackers gain access. Mittal perceives continuous monitoring of cloud assets as fundamental to protecting them. "Applying zero-trust principles to third-party platforms also ensures no external service is trusted automatically, reducing the risk of unauthorized access," he adds.

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa, and forced to spend the night in jail — just for doing their pen-testing jobs. Listen now!

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Fortinet Confirms Customer Data Breach via Third Party

PRESS RELEASE

CLEARWATER, Fla., Sept. 11, 2024 /PRNewswire/ --  Concerns about the trustworthiness of internal data exist in nearly all organizations globally according to "The Real Value of Technology Connectivity" report released today by TeamViewer, a leading global provider of remote connectivity and workplace digitalization solutions. Ninety-nine percent of business leaders pointed to factors undermining trust in internal data, citing multiple versions of the truth (38%), conflicting data management practices (32%) and too many instances of poor hardware reliability (31%) as top reasons for mistrust.

Interestingly this mistrust of internal data varies across company size. It is more likely to be driven by lack of data literacy in smaller organizations. Forty percent of respondents working for companies generating US $10 million - US $49.99 million in yearly revenue report a lack of data literacy among employees, compared to 21% of companies generating US $10 billion and above.

The global research study also found that only 5% of business leaders believe they have seamless technology connectivity across their organizations, identifying a huge opportunity to close the connectivity gap to not only gain internal trust in data, but to also enhance nearly all areas of the business from innovation to HR.

When asked how seamless technology connectivity could help their organization:

*   80% of respondents state is allows for better customer interactions and increases customer satisfaction
    
*   81% say it enables better innovation
    
*   82% believe it allows more time for considered decision making
    
*   86% consider it an important aspect of working at their company increasing talent retention
    

Technology Connectivity = Industry Leadership & Cyber Defense 

The research also uncovered a correlation between excellent connectivity and industry leadership, with 33% of business leaders at organizations with excellent technology connectivity saying their financial performance is among the leaders in their industry. Just 16% of business leaders with good connectivity say the same. In addition, 61% say that excellent technology connectivity gives them a competitive edge.

Further, 34% of businesses with excellent connectivity say their operational performance is on par with industry leaders but only 19% with good connectivity say this is the case. Seamless technology connectivity, the extent to which staff can operate and connect without interruptions, and what all businesses should be aiming for, also increases resilience and supports risk management. In particular, better connectivity helps organizations to withstand the growing threat of cyberattacks. 38% of those with excellent connectivity, those one step below achieving seamless connectivity, are among the leaders in their sector for cybersecurity performance, compared to 22% of those with good connectivity.

"It's clear from the research that connectivity isn't just about driving workforce productivity and efficiencies. The approach of shifting connectivity from a supporting role and cost centre to one that empowers the business has an impact on growth, and ultimately revenue. Fragmented systems blunt competitive advantage so just being good is not good enough when it comes to connectivity. Businesses need seamless integration and harmonization of data to fully realise the opportunities that technologies like augmented reality (AR) and artificial intelligence (AI) bring," said Mei Dent, chief product and technology officer, TeamViewer.   

What is holding organizations back?

Organizations with gaps in connectivity (those who say they have good connectivity but not excellent or seamless) are more likely to be held back by differences between departments within their organization (30%) and the inability to show the ROI of tech connectivity (27%). Whereas those who say they have excellent connectivity are most likely to be held back by concerns about cybersecurity (24%). So, cybersecurity is both a benefit and a hindrance to better connectivity.

A company's ability to connect to any device, application and system in its infrastructure, and to make use of existing data, has an outsized influence on performance. Whether it is smarter logistics operations or remote technical guidance, access to knowledge from any device, at any time, helps people work smarter and reduces the mistrust that there are multiple versions of truth in data.

Dent continued, "There is a long way to go for companies to achieve seamless connectivity, but the benefits far outweigh the initial investment of time and resources. Doing nothing also has a cost. With many struggling with increased competition and a lack of skilled labour available, organizations need to do all they can to attract and retain the best talent. And one way to do this is to offer a working environment with integrated systems and connectivity that makes it a great place to work and thrive in their careers."

Research Methodology 

The research was conducted by FT Longitude between March and April 2024. 500 business leaders across six countries took part: Australia, Canada, Japan, Germany, United Kingdom and the United States. Business leaders represented enterprises from the automotive, industrial manufacturing, IT, logistics, transport & distribution, financial services, retail, public sector and utilities industries.

About TeamViewer

TeamViewer is a leading global technology company that provides a connectivity platform to remotely access, control, manage, monitor, and repair devices of any kind – from laptops and mobile phones to industrial machines and robots. Although TeamViewer is free of charge for private use, it has around 640,000 subscribers and enables companies of all sizes and from all industries to digitalize their business-critical processes through seamless connectivity. Against the backdrop of global megatrends like device proliferation, automation and new work, TeamViewer proactively shapes digital transformation and continuously innovates in the fields of Augmented Reality, Internet of Things and Artificial Intelligence. Since the company's foundation in 2005, TeamViewer's software has been installed on more than 2.5 billion devices around the world. The company is headquartered in Goppingen, Germany, and employs more than 1,500 people globally. In 2023, TeamViewer achieved a revenue of around EUR 627 million. TeamViewer SE (TMV) is listed at Frankfurt Stock Exchange and belongs to the MDAX. Further information can be found at  https://www.teamviewer.com/.

99% of Business Leaders Have Concerns About the Trustworthiness of Internal Data

As the 104th season of the National Football League kicks off, expect cyberattacks aimed at its customers, players, and arenas.

Source: Illus\_man via Shutterstock

This past weekend, the National Football League kicked off its 2024 season, and while the sport itself has remained the same, mainly — hello, new kicking rules — the technological operations around games and players is constantly evolving, and face increasing cyber threats.

While all companies have a mix of digital and physical assets, sports teams have a unique cocktail of critical assets, especially as data has become increasingly the lifeblood of sports franchises in the NFL. Pervasive Wi-Fi in every stadium and cellular systems that allow, say, concessions to more easily handle demand means there's data to be collected on every aspect of venue operations. Technology also allows connections with fans that extend online, at home, and at stadiums through loyalty programs, biometric checks at venues, and experiences customized by QR codes on every stadium seat.

In addition to information on their fans, NFL teams have real-time data on players, brands that need protecting, and critical infrastructure relied on by arena operations and video broadcasters.

In all, it's a challenging logistical puzzle that requires continuous risk assessment, threat intelligence, and an agile IT team, says Brandon Covert, vice president of IT for the Cleveland Browns (and the area's professional soccer team, the Columbus Crew).

Related:Dark Reading Confidential: Pen Test Arrests, Five Years Later

"I started here 20 years ago, and there wasn't a whole lot of tech in our stadiums — they were all-cash, concrete buildings without a lot of technology," he says. "And now you see there's pervasive Wi-Fi ... and biometric payments and identification. All of these systems are inherently at risk, and we have to manage and mitigate that risk. The challenges \[that come along with\] tech just continue to grow, and get introduced to all areas of our business."

**A Game of Data**

The Cleveland Browns kicked off their game opener at their home stadium, the Huntington Bank Field, on Sept. 8. While the fans were focused on game day, the Browns' information-technology and security groups have been working year-round to ensure that the season remains free of technological glitches and safe from cyberattacks.

One of the thorniest issues is the need to secure increasing volumes of data, be that player data, broadcast feeds, transactional data, or customer information. Every iota of that information has value to cyberattackers, says Covert.

"Our charge being a sports organization — we have a really good bond with our fans and we get a lot of trust from our fans, probably elevated beyond what other industries see with their customers — so we want to be responsible and not be involved in any of those data breaches or loss of fan information, just from a brand and reputation standpoint for us," he says.

And indeed, stolen data on fans and players can appear on the Dark Web; plus, the rapid legalization of sports gambling has added potential monetary losses to the mix, ratcheting up the emotional rollercoaster ride for many fans, says Jake Aurand, counterintelligence lead for Binary Defense, a cyberthreat intelligence firm that counts the Cleveland Browns among its customers.

"Teams have a lot of customer information — whether it's biometric or credit card data from people purchasing game tickets — so we're constantly out there on the darknet looking to see if any of that data has been stolen and is being reposted somewhere on a forum," he says. "But what we're also doing is looking for \[potential threats on the\] physical side."

For instance, among the most major of concerns to operations continues to be ransomware, says Brad Garnett, director and general manager of the Talos Incident Response team at Cisco, which has a partnership with the NFL.

"Ransomware is not going anywhere," he says. "Anything that would impact the integrity of the game — whether that's football, baseball, basketball, or footy — anything that would attack the game's integrity or around infrastructure availability" is a concern for cyber defenders.

Cyberattacks on the operational systems of an arena or stadium could cause a broadcast outage or take an approach as simple as posting a bomb threat on a scoreboard, National Football League CISO Tomás Maldonado said in an interview in June.

"I think a lot of people don't fully appreciate the convergence between cyber physical and the ... ramifications of a cyber event ... they don't usually make that connection right off the bat," said Maldonaldo, who is securing his sixth season with the organization.

**A Game of 1s and 0s**

About half of the threats detected by the company have some cyber-physical component, but the other half are purely about data, Binary Defense's Aurand says. Using the Browns' branding to fool fans into purchasing fake merchandise or just giving up their payment card details are common scams, he says.

Teams should take an active approach to defense, he adds. There are tools for doing just that: CISA and the NFL conduct annual tabletop exercises to workshop incident response, for instance.

"You need a first line of defense put in place, ... looking for those attacks immediately, in real time and throwing them off or identifying them extremely quickly," Aurand says. "And two, you need to stop the attacker from being able to move any further in their attacks."

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa and forced to spend the night in jail — just for doing their pen-testing jobs. Listen now!

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Tag

#intel