Dark Storm group claims credit for DDoS attack on X that Musk blames on Ukraine
NY sues Allstate for data breach reporting failure, 24-hour cyber incident reporting window set in Switzerland, AI voice cloning apps allow nonconsensual impersonation, CA AG launches location data industry probe, KS healthcare provider attack exposed PII for hundreds of thousands, much more


Don't miss my latest CSO piece, which walks through how to build a security operations center.
Elon Musk blamed widespread disruptions on X (formerly Twitter) on a “massive cyberattack,” which he claimed was orchestrated by a “large, coordinated group” or country, even as "hacktivist" threat group Dark Storm claimed credit for a DDoS attack on the right-wing platform.
Tens of thousands of users globally reported intermittent outages on X on Monday, according to the monitoring website Downdetector. New posts failed to load for users in countries including the US, UK, France, and India at various points throughout the day. The service disruptions lasted a few minutes each.
Musk later acknowledged that the platform had experienced a site-wide disruption. “We get attacked every day, but this was done with a lot of resources,” he wrote in a post on X. In an interview on Fox Business, he said the cyberattack was intended to take down X “with IP addresses originating in the Ukraine area.”
Dark Storm, a pro-Palestinian “hacktivist” group that also collaborates with pro-Russian hackers, took credit for the attack via its Telegram page but has not provided proof that it was behind the disruptions. A representative for Dark Storm said that the attack was part of a broader hacktivist effort against Israel.
A spokesperson for X did not respond to multiple requests for comment. Quickly determining the source of a cyber incident is difficult, as attackers routinely mask their location.
That caveat applies with particular force to distributed denial-of-service (DDoS) attacks: the traffic is generated by compromised devices (a botnet) under the operator's control, so the source IP addresses seen by the target reflect where those devices sit, not where the operator is. (Charles Capel and Jeff Stone / Bloomberg and Emily Forlini / PCMag)
Related: Associated Press, Decrypt, Cybernews, BBC News, Irish Star, The Desk, Verge, Variety, Newsweek, The Hill, Le Monde, The Guardian, Malwarebytes, Inc, ZDNET, Sky News, MobileSyrup, The Daily Beast, Daily Mail, SiliconANGLE, The Gateway Pundit, Android Central, The National Pulse, The Post Millennial, CircleID, Mediaite, Al Jazeera, Interesting Engineering, Politico, GB News, Türkiye Today, New York Times, Financial Express, Moneycontrol, israelhayom.com, Crypto Briefing, Newser, Cyber Security News, The Indian Express, NewsNation, Benzinga, The Independent, Cointelegraph, Latestly.com, Japan Today, SBS, Silicon UK, The West Australian, Mashable, Tech Xplore, Futurism, CNBC Technology, CBSNews.com, Raw Story, Engadget, Daily Kos, Over Security, Business Insider, TechNadu, Metro.co.uk, Cyber Kendra, Protos, Decripto.org, Techradar, The Tech Portal, Finance Magnates, Fast Company, Washington Examiner, Insider Paper, Technology | The Hill, Ukrainska Pravda, The Daily Dot, eSecurityPlanet, Ars Technica, Euro Weekly News, The Crypto Times, Bleeping Computer, The Record, The Jerusalem Post, ABC.net.au


New York Attorney General Letitia James filed a lawsuit against Allstate, accusing the insurer's National General unit of failing to report a data breach that exposed drivers' license numbers and lacked reasonable safeguards to protect drivers' private information.
James said National General's poor data security led to back-to-back breaches in 2020 and 2021 when hackers targeting its online auto insurance quoting tools accessed the license numbers of more than 165,000 New Yorkers and 199,000 people overall.
National General allegedly did not notify drivers or New York state agencies about the first breach, which occurred between August and November 2020, and took three months to uncover the much larger second breach that began in January 2021.
James said National General violated the state's Stop Hacks and Improve Electronic Data Security Act by failing to protect customer information and by misleading customers about its data security practices.
The lawsuit seeks civil fines of $5,000 per violation, plus other remedies. (Jonathan Stempel / Reuters)
Related: Letitia James, PYMNTS, Teiss, Life Insurance International, Coverager, FingerLakes.com, USA Today, The Insurer, The Register, SC Media
Switzerland's National Cybersecurity Centre (NCSC) announced a new reporting obligation for critical infrastructure organizations in the country, requiring them to report cyberattacks to the agency within 24 hours of their discovery.
According to the NCSC announcement, this new requirement is introduced in response to the increasing number of cybersecurity incidents and their impact on the country.
The mandate is introduced via an amendment to the Information Security Act (ISA), which will go into effect on April 1, 2025. The law applies to critical service providers such as utilities, local government, and transportation organizations. (Bill Toulas / Bleeping Computer)
Related: NCSC, Fedlex, Industrial Cyber, Infosecurity Magazine, Cyber Daily, Cybernews
A Consumer Reports investigation discovered that most leading artificial intelligence voice cloning programs have no meaningful barriers to stop people from nonconsensually impersonating others.
The survey of the six leading publicly available AI voice cloning tools found that five have easily bypassable safeguards, making it simple to clone a person’s voice without their consent. Deepfake audio detection software, meanwhile, often struggles to distinguish real voices from synthetic ones.
Four of the services—ElevenLabs, Speechify, PlayHT, and Lovo—require checking a box indicating that the person whose voice is being cloned has given authorization.
Another service, Resemble AI, requires the voice sample to be recorded in real time rather than uploaded. Consumer Reports circumvented that restriction simply by playing an existing recording from a computer into the microphone.
Only the sixth service, Descript, had a somewhat adequate safeguard: a would-be cloner must record a specific consent statement, which is difficult to falsify except by first cloning the voice with another service.
All six services are available to the public via their websites. Only ElevenLabs and Resemble AI charge for a custom voice clone ($5 and $1, respectively); the others are free. (Kevin Collier / NBC News)
Related: Consumer Reports, Consumer Reports, The Register, ZDNet, Computerworld, TechCrunch
California Attorney General Rob Bonta initiated an investigative sweep into the location data industry, targeting advertising networks, mobile app providers, and data brokers that may be violating the California Consumer Privacy Act (CCPA).
The investigation addresses concerns about how businesses manage consumers' rights to stop selling and sharing personal information, including sensitive geolocation data.
Bonta highlighted the risks associated with location data collection. "Every day, we give off a steady stream of data that broadcasts not only who we are, but where we go," he said. He emphasized the potential for misuse of this data in light of federal threats to immigrant communities and healthcare services.
The CCPA grants Californians increased privacy rights, allowing them to know how their personal information is collected and shared. Under this law, consumers can exercise their right to "opt out" from having their personal information sold or shared. Businesses must comply with these requests unless they receive further authorization from consumers. (Legal Newsline)
Related: OAG.ca.gov
Sunflower Medical Group, a Kansas healthcare provider with multiple urgent care facilities, said a cyberattack in December exposed sensitive information from hundreds of thousands of people.
Leaked information could potentially include the names, addresses, dates of birth, Social Security numbers, driver’s license numbers, medical information, and health insurance information of those affected.
The company said it first detected the breach on January 7 and hired a cybersecurity firm to investigate. The investigation later determined that the hackers had been inside its systems since mid-December and had made copies of Sunflower’s files.
Sunflower said it sent letters to all victims it had valid addresses for and offered one year of credit monitoring services. (Jonathan Greig / The Record)
Related: Sunflower Medical Group, Attorney General of Maine, Attorney General of Vermont, Attorney General of California, Security Week, The Register, Bank Info Security, JD Supra, The HIPAA Journal
Security firm Fortra said the number of unauthorized copies of its red-team tool Cobalt Strike observed in the wild is down 80% over the last two years following the launch of a global crackdown.
Microsoft, the Health Information Sharing and Analysis Center (Health-ISAC), and Fortra, which bought Cobalt Strike in 2020, have worked since 2023 to address the longstanding issue of pirated and unlicensed versions of the software being downloaded by criminals from illegal marketplaces and used in cyberattacks.
Fortra said that a three-year operation named “Morpheus” culminated in July 2024 with the coordinated global takedown of known IP addresses and domain names associated with criminal activity related to unauthorized versions of Cobalt Strike.
That effort, headed by the UK's National Crime Agency, flagged 690 IP addresses to online service providers in 27 countries, 593 of which have been taken down to date. Law enforcement agencies in Australia, the U.S., Canada, Germany, the Netherlands, and Poland assisted the operation.
The 80% decrease in unauthorized copies has helped “drastically reduce availability to cybercriminals,” Fortra said. (Jonathan Greig / The Record)
Related: Fortra, gbhackers, IT Pro, SC World, Security Week, Dark Reading
The government of Mission, Texas, filed a state of emergency declaration after a cyberattack exposed all of the data held on city systems.
The city government notified residents of the incident on Wednesday, telling them cybercriminals targeted portions of their network. The attack required them to take systems offline, but officials said emergency services were still operational.
A local news outlet disputed this assessment, writing that police officers have lost the ability to run license plates and driver’s licenses through state databases. City leaders sent a memo to government workers on Tuesday warning that much of the IT system was shut down due to the incident.
Located on the border with Mexico, the city of more than 87,000 is one of the largest in Hidalgo County.
Mayor Norie Gonzalez Garza sent a letter to Texas Governor Greg Abbott on Tuesday urging him to declare a more expansive state of emergency for the city while she filed a local state of disaster declaration herself. (Jonathan Greig / The Record)
Related: City of Mission, ValleyCentral, SC Media, Texas Border Business
Researchers at Palo Alto Networks' Unit 42 report that a popular SCADA software suite made by ICONICS and used in critical infrastructure worldwide suffered from at least five known vulnerabilities that could have allowed privilege escalation, DLL hijacking, and modification of critical files.
ICONICS says its SCADA software is embedded in “hundreds of thousands of installations running in over 100 countries worldwide and running in over 70 percent of Global 500 companies.”
The flaws, which are known to affect versions 10.97.2 and 10.97.3 and possibly earlier versions, were discovered by Palo Alto Networks last year and have since been patched. However, public internet scans have identified “several dozen” vulnerable ICONICS servers that remain publicly connected to the internet. (Derek B. Johnson / Cyberscoop)
Related: Unit 42, Security Week

Researchers at Kaspersky warn that SideWinder, a likely India-based cyber-espionage group active since at least 2012, recently ramped up attacks on organizations in the maritime and logistics sectors in Africa and Asia.
In many attacks, the threat group has used variously themed phishing emails to lure targets into clicking on a malicious document. The document contains an exploit for CVE-2017-11882, a memory corruption vulnerability in Microsoft Office that SideWinder has used for years in its campaigns, to drop a post-exploitation toolkit called StealerBot on vulnerable systems.
The malware can perform a wide range of malicious actions, including installing additional malware, capturing screenshots and logging keystrokes on compromised systems, stealing passwords, grabbing remote desktop login information, exfiltrating files, and escalating privileges.
SideWinder has targeted maritime and logistics organizations in Egypt, Djibouti, United Arab Emirates, Bangladesh, Cambodia, and Vietnam, according to researchers from Kaspersky, who have been tracking the attacks since early 2024. Researchers also observed attacks against entities in the nuclear energy sector. (Jai Vijayan / Dark Reading)
Related: Securelist, Security Affairs, The Register
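SideWinder's lure documents still rely on the Equation Editor bug (CVE-2017-11882), so a practitioner triaging inbound attachments wants a fast first-pass check for an embedded Equation Editor object before a sandbox detonation. The script below is an added example written for this page; it is not Kaspersky's, SideWinder's, or any vendor's code. It looks for the Equation Editor COM class identifier {0002CE02-0000-0000-C000-000000000046}, the RTF `\objclass Equation.3` and `\objupdate` control words, and the `Equation Native` OLE stream name. The sample documents are constructed stubs that carry only those markers (not real exploit files, and the OLE stub is not a valid compound file), and the indicator names and verdict strings are this example's own.

```python
"""Heuristic triage for documents embedding an Equation Editor object
(the vehicle for CVE-2017-11882). Added example for this page: a
marker-based first pass, not an OLE/RTF parser or a detection engine."""
import re

# Equation Editor COM CLSID {0002CE02-0000-0000-C000-000000000046} as laid
# out on disk: Data1-Data3 little-endian, Data4 in byte order.
EQNEDT_CLSID = bytes.fromhex("02ce020000000000c000000000000046")

# RTF control words: the embedded object's class, and the \objupdate switch
# that forces the object to load (and the exploit to fire) on open.
RTF_OBJCLASS_EQUATION = re.compile(rb"\\objclass\s+Equation\.\d", re.I)
RTF_OBJUPDATE = re.compile(rb"\\objupdate\b", re.I)

# Name of the OLE stream that holds the MTEF equation data, as it appears
# in a compound-file directory entry (UTF-16LE).
EQUATION_NATIVE_STREAM = "Equation Native".encode("utf-16-le")


def scan(data: bytes) -> dict:
    """Return the Equation Editor indicators found in `data` and a verdict."""
    found = []
    if RTF_OBJCLASS_EQUATION.search(data):
        found.append("rtf_objclass_equation")
    if RTF_OBJUPDATE.search(data):
        found.append("rtf_objupdate")
    # RTF \objdata payloads are hex text that may be wrapped across lines,
    # so strip whitespace before looking for the hex-encoded CLSID.
    compact = re.sub(rb"\s+", b"", data).lower()
    if EQNEDT_CLSID.hex().encode() in compact:
        found.append("rtf_hex_eqnedt_clsid")
    # Binary OLE containers carry the CLSID and stream name as raw bytes.
    if EQNEDT_CLSID in data:
        found.append("ole_eqnedt_clsid")
    if EQUATION_NATIVE_STREAM in data:
        found.append("ole_equation_native_stream")
    # \objupdate alone is just an auto-load switch used by benign files too;
    # require an actual Equation Editor object marker before flagging.
    strong = [f for f in found if f != "rtf_objupdate"]
    verdict = "suspicious" if strong else "no_indicator"
    return {"verdict": verdict, "indicators": found}


# Constructed samples (hypothetical, not real malware). The RTF stub embeds
# an Equation.3 object whose hex data contains the CLSID; the OLE stub is a
# compound-file magic followed by the stream name and CLSID bytes.
SAMPLE_RTF = (
    rb"{\rtf1\ansi{\object\objemb\objupdate{\*\objclass Equation.3}"
    rb"{\*\objdata 01050000020000000b0000004571756174696f6e2e3300000000"
    rb"02ce020000000000c000000000000046}}}"
)
SAMPLE_OLE = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
    + EQUATION_NATIVE_STREAM + b"\x00\x00" + EQNEDT_CLSID
)
BENIGN_RTF = rb"{\rtf1\ansi Quarterly shipping report: no embedded objects.}"


if __name__ == "__main__":
    for name, blob in [("rtf", SAMPLE_RTF), ("ole", SAMPLE_OLE), ("benign", BENIGN_RTF)]:
        print(name, scan(blob))
```

Treat a "suspicious" verdict as a reason to detonate or block, not as proof of exploitation: legitimate documents with real equations carry the same markers, and modern lures also wrap the object in other container formats this pass does not unpack.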

The US Federal Trade Commission (FTC) said that Americans lost a record $12.5 billion to fraud last year, a 25% increase over the previous year.
Consumers reported that investment scams resulted in the highest losses, totaling around $5.7 billion with a median loss of over $9,000 and exceeding all other fraud categories. The second largest reported loss was linked with imposter scams, amounting to $2.95 billion in 2024.
Younger people also reported losing money to fraud more often than older people: 44% of fraud reports filed last year by consumers aged 20 to 29 involved a monetary loss, a higher share than among people over 70.
Job scams and fake employment agency losses have also jumped significantly in recent years, with the number of reports nearly tripling and losses growing from $90 million to $501 million within just four years between 2020 and 2024.
In 2024, the FTC added 6.5 million consumer reports to the Consumer Sentinel Network (Sentinel) secure online database, including 118,960 reports of investment fraud schemes and 845,806 reports of imposter scams. (Sergiu Gatlan / Bleeping Computer)
Related: Federal Trade Commission, PC Mag, Insurance Journal, PYMNTS, Detroit Free Press, CNET, TechSpot

Bank of America informed clients that their names, account details, addresses, contact information, dates of birth, Social Security numbers, and other government IDs were exposed when documents were left outside in an unsealed container.
Bank of America said a third-party 'data destruction vendor' was to blame for the breach.
According to bank officials, this company was hired to pick up documents from an unnamed financial center on December 30, 2024, and take them to be shredded for security purposes.
'Some documents were found outside of the secure containers on the exterior of the financial center,' the bank said in a statement. (Chris Melore / Daily Mail)
Related: Benzinga, The Daily Hodl
According to people familiar with the matter, venture capital firm Kleiner Perkins is in talks to lead a $350 million funding round for cybersecurity startup Chainguard Inc., which would raise Chainguard's valuation to $3.5 billion.
The deal would roughly triple the company’s value from a financing deal last year, underscoring the growing need for secure tools for software development. (Katie Roof / Bloomberg)
Related: Verdict
Albuquerque, NM-based cybersecurity risk management company Crogl announced it had raised $25M in a Series A venture funding round.
Menlo Ventures’ Tim Tully led the round. (Ingrid Lunden / TechCrunch)
Related: SiliconANGLE, FinSMEs, Globe Newswire, citybiz, MSSP Alert
Self-serve cybersecurity platform provider Sola Security announced it had launched from stealth with a $30 million venture funding seed round.
S Capital and Mike Moritz led the round with participation from S32, Glilot Capital Partners, and several angel investors. (Ingrid Lunden / TechCrunch)
Related: FinSMEs, Tech Funding News, Security Week, CTech
Best Thing of the Day: No More Justice Delayed in Cleveland
Cleveland Municipal Court said it will reopen to the public on Wednesday after being largely shut down since Feb. 23 due to a cyberattack.
Worst Thing of the Day: You Should Come Up With a Better Handle for This Group
UK defense forces say Britain must develop a "four eyes" alliance in the wake of Donald Trump's disastrous denial of funding for Ukraine's military defense.
Closing Thought
