
Lockbit Leaks Files for Evolve Bank & Trust in Its Alleged ‘Federal Reserve’ Data Dump, Company Tells Customers It Is Investigating the Matter With Law Enforcement

Hackers exploit new high-severity flaw in MOVEit hours after it was made public, FBI warns crypto thieves are posing as lawyers, Probllama found in AI project Ollama, Medusa Android banking trojan reemerges, Neiman Marcus says data breach impacted 65K, S. Africa health lab service coping with ransomware attack, Hacker claims 278GB breach of Indian telecom giant Bharat Sanchar Nigam, much more

Source: Google Maps.

After an apparent negotiation breakdown, the LockBit ransomware gang published a massive cache of files it claims to have stolen from the US Federal Reserve central banking system.

The Russian-linked gang posted 21 separate links containing files of what appear to be parent directories, torrents, and compressed archive files belonging to another US financial institution, Evolve Bank and Trust.

The Feds recently singled out the bank and its parent company, Evolve Bancorp Inc., for engaging in unsafe and unsound banking practices.

Over the weekend, LockBit named the Federal Reserve on its dark web victim blog, threatening to publish the purported stolen data on June 25th if a ransom demand was not paid by the deadline.

Claiming to have lifted “33 terabytes of juicy banking information containing Americans' banking secrets,” the group also insinuated that negotiations had broken down over an unacceptable ransom offer by the US central bank.

“You better hire another negotiator within 48 hours, and fire this clinical idiot who values Americans' bank secrecy at $50,000,” LockBit posted on its dark blog.

Cybersecurity experts are skeptical of LockBit’s claims, maintaining that it is seeking attention because its reputation is in tatters after the international law enforcement Operation Cronos obliterated its operations in February. The posting of Evolve’s files appears to validate that skepticism.

However, the Federal Reserve Board served Evolve Bank and Trust with a cease-and-desist order this month, citing multiple “deficiencies” in the bank's anti-money laundering, risk management, and consumer compliance programs.

It’s not inconceivable that the Federal Reserve collected some of the information that LockBit posted. The Federal Reserve has declined to address LockBit’s claims.

Headquartered in Memphis, Tennessee, the independent consumer Banking-as-a-Service and mortgage lender serves individuals and small businesses in at least 17 states nationwide, listing assets of $1.3 billion in 2022, according to its website.

Evolve is known for its open banking partnerships with Fintech platforms such as Mastercard, Visa, Affirm, Melio, Stripe, and Airwallex.

According to FinTech Weekly newsletter publisher Jason Mikula, Evolve Bank & Trust acknowledges the reports and is actively investigating the situation. It also said it is working with law enforcement authorities and will issue more detailed communications as it validates its findings. (Stefanie Schappert / Cybernews and tweet from Jason Mikula)

Source: Jason Mikula on X.

A high-severity improper authentication vulnerability in Progress Software's MOVEit Transfer software (CVE-2024-5806, CVSS: 7.4) could allow cyberattackers to bypass the platform's authentication mechanisms, and it was exploited in the wild just hours after it was made public.

The bug is an improper authentication vulnerability in MOVEit's SFTP module that "can lead to authentication bypass in limited scenarios," according to Progress' security advisory on the issue today, which includes patching information. It affects MOVEit Transfer versions from 2023.0.0 before 2023.0.11, 2023.1.0 before 2023.1.6, and 2024.0.0 before 2024.0.2.

The nonprofit Shadowserver Foundation said that "very shortly after vulnerability details were published today we started observing Progress MOVEit Transfer CVE-2024-5806 POST /guestaccess.aspx exploit attempts." It also reported that there are at least 1,800 exposed instances online (though not all of them are vulnerable).

Progress didn't provide any details on the bug, but researchers at watchTowr, who called the vulnerability "truly bizarre," have determined two attack scenarios. In one case, an attacker could perform "forced authentication" using a malicious SMB server and a valid username (enabled by a dictionary-attack approach).

In another, more dangerous attack, a threat actor could impersonate any user on the system. "[We can] upload our SSH public key to the server without even logging in, and then use that key material to allow us to authenticate as anyone we want," according to watchTowr's post. "From here, we can do anything the user can do — including reading, modifying, and deleting previously protected and likely sensitive data." (Tara Seals / Dark Reading)

The FBI is warning of cybercriminals posing as law firms and lawyers that offer cryptocurrency recovery services to victims of investment scams and steal funds and personal information.

The FBI says that fraudsters trick victims into thinking the service is legitimate by claiming a collaboration with government agencies like the FBI and the Consumer Financial Protection Bureau (CFPB).

They also build credibility by referencing real financial institutions and money exchanges when communicating with the victims. This tactic gives a false sense of authorization and capability to trace and recover lost funds.

Any scam victims are advised to file a report at the IC3 portal, including as many details as possible about the scammer and financial transaction information. (Bill Toulas / Bleeping Computer)

Researchers at cloud security company Wiz discovered a remote code execution vulnerability (CVE-2024-37032) in Ollama, the open-source infrastructure project designed to simplify the packaging and deployment of AI models.

Dubbed Probllama, the vulnerability allows an attacker to send specially crafted HTTP requests to an Ollama application programming interface server.

Probllama operates through a mechanism known as path traversal, which exploits insufficient input validation in the API endpoint “/api/pull.” By crafting a malicious file containing a path traversal payload in the digest field, an attacker can manipulate the server to overwrite arbitrary files on the system.

In Docker deployments, where the server runs with root privileges, the vulnerability can be exploited to gain full remote code execution. By corrupting crucial system files, such as “/etc/ld.so.preload,” attackers can place malicious code that gets executed whenever a new process starts, giving them control over the server and the ability to compromise the AI models and applications hosted on it.
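The kind of check that closes a digest-field traversal like the one described above, as an added illustration rather than Ollama's own code or its actual fix: a digest taken from an untrusted manifest is accepted only in canonical "sha256:&lt;hex&gt;" form, and the resulting path is verified to stay inside the blob directory. The blob directory and the "sha256-&lt;hex&gt;" file naming are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// digestRe accepts only the canonical "sha256:<64 hex chars>" form of a
// content-addressed blob identifier. Slashes, "..", and absolute paths never
// match, so they cannot influence a filesystem path later on.
var digestRe = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)

var ErrBadDigest = errors.New("invalid digest")

// BlobPath maps an untrusted digest to a file under blobDir. It fails unless
// the digest is well-formed AND the joined path still resolves inside blobDir.
func BlobPath(blobDir, digest string) (string, error) {
	if !digestRe.MatchString(digest) {
		return "", ErrBadDigest
	}
	// Assumed on-disk naming: "sha256-<hex>", which contains no separator.
	name := strings.Replace(digest, ":", "-", 1)
	base := filepath.Clean(blobDir)
	p := filepath.Join(base, name)
	// Defence in depth: reject anything whose relative path escapes base.
	rel, err := filepath.Rel(base, p)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrBadDigest
	}
	return p, nil
}

func main() {
	// Constructed inputs: one valid digest, then traversal payloads of the
	// shape a malicious manifest would put in the digest field.
	inputs := []string{
		"sha256:" + strings.Repeat("ab", 32),
		"sha256:../../../../etc/ld.so.preload",
		"../../etc/ld.so.preload",
	}
	for _, d := range inputs {
		p, err := BlobPath("/var/lib/ollama/blobs", d)
		fmt.Printf("%-45q -> path=%q err=%v\n", d, p, err)
	}
}
```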

Wiz’s researchers found that many Ollama instances with the vulnerability were exposed to the internet, posing a significant security risk.

Ollama responded around four hours after Wiz informed it of the vulnerability on May 4 and immediately committed to creating a fix. The fix was released three days later, on May 8. (Duncan Riley / The Register)

In a data breach notification, luxury retailer Neiman Marcus confirmed it suffered a data breach after hackers attempted to sell the company's database, which was stolen in recent Snowflake data theft attacks.

The company says that the breach impacted 64,472 people.

"In May 2024, we learned that, between April and May 2024, an unauthorized third party gained access to a database platform used by Neiman Marcus Group. Based on our investigation, the unauthorized third party obtained certain personal information stored in the database platform," warns Neiman Marcus in a data breach notification.

"The types of personal information affected varied by individual, and included information such as name, contact information, date of birth, and Neiman Marcus or Bergdorf Goodman gift card number(s) (without gift card PINs)."

Neiman Marcus said they disabled access to the database platform when the breach was detected, investigated with cybersecurity experts, and notified law enforcement. (Lawrence Abrams / Bleeping Computer)

South Africa’s National Health Laboratory Service (NHLS) confirmed that it is dealing with a ransomware attack that significantly affects the dissemination of lab results as the country responds to an outbreak of mpox.

The NHLS runs 265 laboratories across South Africa that provide testing services for public healthcare facilities in nine provinces. An NHLS spokesperson declined to say which ransomware group was behind the incident or whether a ransom would be paid.

The spokesperson said that the ransomware attack began Saturday morning and that hackers deleted sections of the service's systems, including backup servers, meaning many of the affected parts will have to be rebuilt.

CEO Koleka Mlisana said that officials do not know when systems will be restored. Preliminary investigation results have shown that patient information databases were not lost or compromised.

An unidentified strain of ransomware was used to target specific parts of the agency’s IT systems, “rendering them inaccessible and blocking communication” from databases to and from users.

Officials have shut down certain systems to repair the damage, and an incident response team has been convened to address the attack. External cybersecurity firms have also been brought in to assist with the attack.

All the service's laboratories are still functional and continue to receive and process clinical samples. Under normal circumstances, however, lab reports are automatically generated and sent to clinicians or made available through the web, and it is that reporting which the attack has disrupted. (Jonathan Greig / The Record)

Indian telecom giant Bharat Sanchar Nigam suffered a data breach, with a threat actor claiming to have accessed sensitive information, including international mobile subscriber identity (IMSI) numbers, SIM card details, home location register data, and critical security keys.

Digital risk management firm Athenian Tech said the breach claimed by the threat actor, who goes by the name "kiberphant0m", involved more than 278 GB of data from BSNL's telecom operations, including server snapshots, which can be misused for SIM cloning and potentially more severe criminal activities like extortion.

The threat actor has publicly priced this data at $5,000. (The Economic Times)

Researchers at Cleafy report that the Medusa banking trojan for Android, also known as Tanglebot, has re-emerged after almost a year of keeping a lower profile in campaigns targeting France, Italy, the United States, Canada, Spain, the United Kingdom, and Turkey.

In late May 2024, Cleafy's Threat Intelligence team observed a surge in installations of a previously unknown app called "4K Sports", whose characteristics didn't perfectly align with known malware families.

Initial investigations suggested a possible connection between the behavior of the "4K Sports" app and the Medusa family. However, a more in-depth analysis revealed discrepancies between the app and previously documented variants. These differences highlighted an evolution in the Medusa malware, with significant changes in its command structure and overall capabilities.

The researchers discovered 24 campaigns using the malware and attributed them to five separate botnets (UNKN, AFETZEDE, ANAKONDA, PEMBE, and TONY) that delivered malicious apps. The UNKN botnet is operated by a distinct cluster of threat actors, which target European countries, particularly France, Italy, Spain, and the UK.

The new activity has been tracked since May and relies on more compact variants that require fewer permissions and come with fresh features in an attempt to initiate transactions directly from the compromised device. (Bill Toulas / Bleeping Computer and Cleafy)

Source: Cleafy.

The official X account for heavy metal band Metallica was hacked, with the attackers using the breach to promote a Solana token with the ticker METAL.

Metallica’s team appears to have regained control of the account and has deleted all posts mentioning the token.

Metallica’s X account first posted about the token on June 26, claiming it was made in partnership with Ticketmaster. It was launched on the Solana-based token deployer pump.fun.

Ticketmaster did not announce the partnership or immediately respond to a request for comment.

Posts from Metallica’s account claimed fintech firm MoonPay was involved with the token, which MoonPay president Keith Grossman dismissed in an X post.

A series of subsequent posts in an apparent attempt to drum up buyers claimed users could cash in their METAL tokens to redeem exclusive items, including “free concert tickets,” custom gaming consoles, and merchandise. (Tom Mitchelhill / Cointelegraph)

Best Thing of the Day: Can’t Have Too Many Cybersecurity Newsletters

Computer and security researcher Marcus Hutchins, who saved the world from WannaCry, has launched a smart cybersecurity newsletter, the inaugural issue of which offers a compelling analysis of why the US government has come down so hard on Kaspersky Lab.

Worst Thing of the Day: Those Who Served Are Not Getting Served

The US Department of Veterans Affairs is still struggling to fill veterans' prescriptions four months after the Change Healthcare attack.

Closing Thought