
Ukraine Suspends Cyber Chief Amid Reports of Corruption, Journalist Intimidation

Open Azure server spilled Bing internal information, Microsoft reports record number of Patch Tuesday fixes, LG smart TV vulnerabilities disclosed, Ransomware gang stole sensitive info on 500K from Wisconsin healthcare provider, Congress races to save Sec. 702, EPA was not breached, much more

The head of the Security Service of Ukraine (SBU), Vasyl Malyuk, suspended the head of the SBU Cyber Security Department, Ilya Vityuk, from performing his duties pending the verification of the circumstances disclosed by Slidstvo-info journalists.

The SBU press office said that "During the verification of the circumstances disclosed by Slidstvo-info journalists, the head of the Service, Vasyl Malyuk, suspended the head of the Department of Counterintelligence Protection of the State's Interests in the Field of Information Security (DKIB), Vityuk, from the performance of his official duties."

Slidstvo alleged that Vityuk and his family are making a “fortune” from real estate investments. According to a Slidstvo.Info report, Vityuk’s wife bought an apartment in a premium residential complex in Kyiv and earns more than a million hryvnia a month (over $25,600) while on maternity leave, while his mother, who is a doctor, owns two apartments in Kyiv. In government documents, Vityuk’s wife is listed as a “private entrepreneur in the judicial industry,” the report said.

Two days after the publication, Slidstvo.info said that an SBU employee appeared to have instructed representatives of the Ukrainian military enlistment office to draft the journalist behind the investigation into the armed services in retaliation.

The press office clarified that Vityuk will serve in the combat unit of the Security Service of Ukraine during the inspections. This unit performs defensive tasks and destroys the enemy and his equipment directly at the front together with TsSO "A." "He is currently assigned to this unit, and today he left for the area of combat missions," the press office said. (Interfax-Ukraine and Daryna Antoniuk / The Record)

Security researchers Can Yoleri, Murat Özfidan, and Egemen Koçhisarlı with SOCRadar discovered an open and public storage server hosted on Microsoft’s Azure cloud service that was storing internal information relating to Microsoft’s Bing search engine.

The Azure storage server housed code, scripts, and configuration files containing passwords, keys, and credentials used by Microsoft employees for accessing other internal databases and systems.

However, the storage server itself was not protected with a password and could be accessed by anyone on the internet.

The researchers notified Microsoft of the security lapse on February 6, and Microsoft secured the exposed files on March 5. (Zack Whittaker and Carly Page / TechCrunch)

Microsoft reported a record 147 flaws in Windows and related software in this month’s Patch Tuesday update.

Two of the vulnerabilities were zero-days, although the company initially failed to tag them as such. The first, tracked as CVE-2024-26234 and described as a proxy driver spoofing vulnerability, was issued to track a malicious driver signed using a valid Microsoft Hardware Publisher Certificate that was found by Sophos X-Ops in December 2023 and reported by team lead Christopher Budd.

This malicious file was labeled as "Catalog Authentication Client Service" by "Catalog Thales," likely an attempt to impersonate Thales Group. However, further investigation revealed that it was previously bundled with a marketing software called LaiXi Android Screen Mirroring.

The second zero-day silently patched today by Microsoft is tracked as CVE-2024-29988 and described as a SmartScreen prompt security feature bypass vulnerability caused by a protection mechanism failure weakness.

Three of April’s vulnerabilities earned Microsoft’s “critical” rating, meaning they can be abused by malware or malcontents to take remote control over unpatched systems without users' help.

Most of the flaws that Microsoft deems “more likely to be exploited” this month are marked as “important.” These usually involve bugs that require a bit more user interaction (social engineering) but can nevertheless result in system security bypass, compromise, and the theft of critical assets.

Ben McCarthy, lead cyber security engineer at Immersive Labs, called attention to CVE-2024-20670, an Outlook for Windows spoofing vulnerability described as being easy to exploit. It involves convincing a user to click on a malicious link in an email, which can then steal the user’s password hash and authenticate as the user in another Microsoft service.

Another interesting bug McCarthy pointed to is CVE-2024-29063, which involves hard-coded credentials in Azure’s search backend infrastructure that could be gleaned by taking advantage of Azure AI search. (Brian Krebs / Krebs on Security and Sergiu Gatlan / Bleeping Computer)

Security researchers at Bitdefender have discovered four vulnerabilities impacting multiple versions of WebOS, the operating system used in LG smart TVs, that enable varying degrees of unauthorized access and control over affected models, including authorization bypasses, privilege escalation, and command injection.

The potential attacks hinge on the ability to create arbitrary accounts on the device through a service listening on ports 3000/3001, which is intended for PIN-based smartphone connectivity.

Bitdefender says that although the vulnerable LG WebOS service is supposed to be used only in local area networks (LAN) settings, Shodan internet scans show 91,000 exposed devices that are potentially vulnerable to the flaws.

The vulnerabilities impact webOS 4.9.7 – 5.30.40 on LG43UM7000PLA, webOS 04.50.51 – 5.5.0 on OLED55CXPUA, webOS 0.36.50 – 6.3.3-442 on OLED48C1PUB, and webOS 03.33.85 – 7.3.1-43 on OLED55A23LA.

Bitdefender reported its findings to LG on November 1, 2023, but the vendor did not release the related security updates until March 22, 2024.

Though LG TVs alert users when important WebOS updates are available, those can be postponed indefinitely. Therefore, impacted users should apply the update by going to the TV's Settings > Support > Software Update and selecting "Check for Update." (Bill Toulas / Bleeping Computer)

Non-profit healthcare service provider Group Health Cooperative of South Central Wisconsin (GHC-SCW) disclosed that a ransomware gang breached its network in January and stole documents containing the personal and medical information of over 500,000 individuals.

However, the attackers couldn't encrypt the compromised devices, which allowed GHC-SCW to secure its systems with the help of external cyber incident response experts and bring them back online after they were isolated to contain the breach.

Health data stolen during the January ransomware attack includes affected individuals' names, addresses, telephone numbers, e-mail addresses, dates of birth and deaths, social security numbers, member numbers, and Medicare and/or Medicaid numbers.

Although it didn't provide the exact number of affected people, additional information shared with the U.S. Department of Health and Human Services shows that the data breach impacted 533,809 individuals.

While the Wisconsin-based healthcare non-profit didn't reveal the name of the threat group behind the January breach, the BlackSuit ransomware gang claimed the attack in March.

According to the attackers' claims, the stolen files also contain affected patients' financial information, employees' data, business contracts, and e-mail correspondence.

GHC-SCW has yet to find evidence of the stolen information being used for malicious purposes. (Sergiu Gatlan / Bleeping Computer)

The new hacking group Ransomhub, which claims to have access to a massive stash of data stolen from UnitedHealth Group’s subsidiary Change Healthcare, could be bluffing.

Ransomhub refused to provide any backing for their claim or identify the affiliate. "We will not disclose any information," the hackers said in a chat.

Analyst Brett Callow of cybersecurity company Emsisoft said he suspected Ransomhub's claim was valid, but he cautioned that he was making "a very low confidence guess" and that the group could be trying out a scam.

UnitedHealth said it was aware of the claim and was continuing to work with authorities. The FBI did not immediately return a message. (Raphael Satter / Reuters)

Related: Cyberscoop

The US Congress is racing to vote this week on a measure reauthorizing the controversial Section 702 of the Foreign Intelligence Surveillance Act (FISA), which is officially set to expire on April 19.

Section 702 governs how federal agencies may collect and use data collected from overseas targets.

Congressional sources say that a vote to salvage the program could come as early as Thursday, following a series of scheduled briefings on Tuesday and Wednesday between lawmakers and intelligence officials. There will also be several smaller votes that may significantly modify the program's terms for years to come.

The focus of privacy advocates has turned almost entirely to an amendment that aims to force the FBI and other agencies to apply for a warrant before accessing the communications of Americans incidentally captured by the US under the 702 program. (Dell Cameron / Wired)

The US Environmental Protection Agency (EPA) said there has been no breach of data from the agency following claims made by threat actors operating under the alias USDoD.

The EPA said that the Cybersecurity and Infrastructure Security Agency (CISA) and FBI confirmed that the data was already publicly available. “Additionally, the hacker confirmed they never breached the EPA and that the data was publicly available” on Facility Registry Service (FRS), a portal allowing anyone to search all the facilities from which the EPA collects information. (Jonathan Greig / The Record)

Researchers at Varonis Threat Labs discovered two techniques that could enable attackers to bypass audit logs or generate less severe entries when downloading files from Microsoft SharePoint.

Due to the sensitivity of SharePoint data, many companies audit sensitive events, like data downloading, to trigger alerts in cloud access security tools, data loss prevention tools, and security information and event management platforms (SIEMs).

The Varonis researchers devised two simple techniques that enable users to bypass audit logs or generate less sensitive events by downloading data a certain way or disguising it as data syncing actions.

Varonis disclosed these bugs in November 2023, and Microsoft added the flaws to a patch backlog for future fixing.

However, the issues were rated as moderate severity, so they won't receive immediate fixes. Therefore, SharePoint admins should be aware of these risks and learn to identify and mitigate them until patches become available.

Varonis recommends monitoring for high volumes of access activity within a short timeframe and the introduction of new devices from unusual locations, which could be signs of unauthorized data exfiltration. (Bill Toulas / Bleeping Computer)
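The monitoring Varonis recommends above can be expressed as two simple detections over SharePoint audit records. The following is an added example written for this note, not code from Varonis or Microsoft. It assumes a constructed pipe-delimited export (time, user, operation, object, client IP, user agent); the operation names mirror the SharePoint audit schema, and the sample records, user names, and IPs are made up. The burst detector deliberately counts sync and open events alongside plain downloads, since the page notes that downloads can be made to surface as those lower-severity entries.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Access-like SharePoint operations. FileDownloaded is what most alert rules
# key on; FileAccessed and FileSyncDownloadedFull are the lower-severity
# entries a download can be made to appear as, so a burst rule must count all three.
EXFIL_OPERATIONS = {"FileDownloaded", "FileAccessed", "FileSyncDownloadedFull"}


def parse_record(line):
    """Parse one constructed 'time|user|operation|object|ip|user_agent' line."""
    time, user, op, obj, ip, ua = line.strip().split("|")
    return {"time": datetime.fromisoformat(time), "user": user, "op": op,
            "object": obj, "ip": ip, "ua": ua}


def detect_bursts(records, threshold=20, window=timedelta(minutes=5)):
    """Return [(user, window_start, count)] for users whose access-like
    events reach `threshold` inside any sliding `window`."""
    recent = defaultdict(deque)  # user -> event times still inside the window
    alerts, alerted = [], set()
    for r in sorted(records, key=lambda r: r["time"]):
        if r["op"] not in EXFIL_OPERATIONS:
            continue
        q = recent[r["user"]]
        q.append(r["time"])
        while r["time"] - q[0] > window:  # q holds r["time"], so it never empties
            q.popleft()
        if len(q) >= threshold and r["user"] not in alerted:
            alerted.add(r["user"])  # one alert per user per run
            alerts.append((r["user"], q[0], len(q)))
    return alerts


def detect_new_devices(records, baseline):
    """Return sorted (user, ip, user_agent) triples for access-like events
    from a client the user's historical baseline has never seen."""
    hits = set()
    for r in records:
        if r["op"] not in EXFIL_OPERATIONS:
            continue
        key = (r["ip"], r["ua"])
        if key not in baseline.get(r["user"], set()):
            hits.add((r["user"],) + key)
    return sorted(hits)


def sample_log():
    """Constructed audit lines: one benign user and one bulk sync from a new host."""
    start = datetime(2024, 4, 9, 9, 0, 0)
    lines = []
    for i in range(3):  # bob: three downloads an hour apart from his usual laptop
        t = start + timedelta(hours=i)
        lines.append(f"{t.isoformat()}|bob@example.com|FileDownloaded|"
                     f"/sites/hr/doc{i}.docx|10.1.1.5|OneDrive-Win")
    for i in range(25):  # alice: 25 sync pulls in under three minutes, unknown IP
        t = start + timedelta(seconds=7 * i)
        lines.append(f"{t.isoformat()}|alice@example.com|FileSyncDownloadedFull|"
                     f"/sites/finance/q1-{i}.xlsx|203.0.113.77|OneDrive-Win")
    return lines


# Constructed baseline: the (ip, user_agent) pairs each user normally works from.
BASELINE = {"bob@example.com": {("10.1.1.5", "OneDrive-Win")},
            "alice@example.com": {("10.1.1.9", "OneDrive-Win")}}


def run_detection(lines=None, baseline=BASELINE):
    records = [parse_record(l) for l in (lines if lines is not None else sample_log())]
    return {"bursts": detect_bursts(records),
            "new_devices": detect_new_devices(records, baseline)}


if __name__ == "__main__":
    for name, result in run_detection().items():
        print(name, result)
```

In a real deployment the threshold and window would be tuned per tenant, and the baseline would be built from several weeks of prior audit data rather than hard-coded; the two rules are complementary, since a slow trickle from a new device trips the second without the first.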

Related: Varonis

GBI Genios, a database company used by numerous media organizations in Germany, announced its servers were unavailable “due to a massive hacker attack.”

Genios said the incident was a ransomware attack and cautioned, “unfortunately we have to assume an outage for several days.”

“Our communication options are also limited. We will inform you as soon as we can foresee when access will be possible again. We apologize for the inconvenience and hope for your understanding,” the statement added.

The Munich-based company is a subsidiary of the Frankfurter Allgemeine Zeitung and the Handelsblatt Media Group. In addition to media entities, the company’s databases are widely used by universities and libraries. (Alexander Martin / The Record)

The government of Palau denied several new claims by the DragonForce ransomware gang that the two sides were in contact following an attack last month.

The DragonForce ransomware gang officially posted Palau to its leak site, threatening to publish data stolen from the island nation’s government within three days.

The government found letters from both the LockBit and DragonForce ransomware gangs but was never contacted by either.

The communication links provided in both ransom notes did not work, according to Palau officials, leading many to believe there may be geopolitical motives behind the incident. The gang denied that the attack on Palau was for any reason other than financial gain.

“We have nothing to do with political issues. Representatives of this state came to us, but for some reason they did not clarify the information about the leak. In three days, all the data from Palau will be available on our blog. You can find interesting information there,” the gang said, adding that it stole more than 21 GB of data. (Jonathan Greig / The Record)

Related: SC Media

Paris Saint-Germain (PSG), the Qatari-owned titan of French football, has informed its supporters that a cyberattack targeted the club’s online ticketing service.

The warning was shared with fans on Monday, although the incident was detected last week on April 3, according to the letter first published by Le Parisien newspaper.

The letter PSG sent to fans informs them that the club’s IT department “was challenged by unusual access attempts to the club's ticketing system.

“Our teams detected a vulnerability which they resolved in less than 24 hours. To this end, additional security measures were immediately implemented.” The club informed the country’s data protection regulator, the Commission Nationale Informatique et Libertés (CNIL), on April 5.

The club said there is no evidence “data has been extracted or exploited by a malicious third party” but warned fans that the system held a range of personal data, including names, email and postal addresses, mobile numbers, and dates of birth. (Alexander Martin / The Record)

The Medusa ransomware group says it is responsible for an attack on the Tarrant County Appraisal District in Texas, threatening to leak nearly 218 gigabytes of data in six days if a $100,000 ransom is not paid.

On April 3, the county warned that about 300 people's data had been accessed by hackers. Officials say they’re “working diligently” to restore operations. (Jonathan Greig / The Record)

Related: Cybernews

A recording of a phone call between a hacker, who claims to represent the ransomware gang DragonForce, and an employee of the victim company was posted by the gang on its dark website in an apparent attempt to pressure the company into paying a ransom demand.

The recording shows a somewhat hilarious and failed attempt to extort and intimidate a company’s rank-and-file employee. It also shows how ransomware gangs are always looking for different ways to intimidate the companies they hack.

After asking to speak to management, the hacker is futilely transferred to “Beth” from HR. After the hacker struggles to state his demands, Beth says, “I would never negotiate with a terrorist or a hacker as you call yourself,” and asks the hacker for a phone number at which to call them back.

When the hacker says they “got no phone number,” Beth has had enough.

“Alright, well then I’m just gonna go ahead and end this phone call now,” she says. “I think we spent enough time and energy on this.” (Lorenzo Franceschi-Bicchierai / TechCrunch)

Related: Tech Times

The self-described gay furry hackers in SiegedSec relaunched a hacktivism campaign aimed at targeting those critical of transgender rights.

The effort, dubbed #OpTransRights, initially began last year when the group targeted government websites in five states with policies against matters such as gender-confirming healthcare.

Now, instead of focusing on government entities, SiegedSec plans to target “churches, media sources, and other organizations.” The campaign’s first action took place on April 1, when SiegedSec announced that it had hacked the River Valley Church in Burnsville, Minnesota, due to the pastor’s views towards transgender people.

The hack saw SiegedSec not only leak roughly 15,000 user accounts from the ministry’s website, including detailed prayer requests, but also use the church’s Amazon account to purchase thousands of dollars worth of inflatable sea lions.

In their announcement regarding the new campaign, SiegedSec revealed that they had taken actions against the church once again. Yet this time, the group chose to dox the church’s pastor Rob Ketterling, which included the release of his personal cell phone number.

“We encourage our viewers to send over a text to Rob,” the hackers wrote in their release. “Go tell him what you think about his transphobia!” (Mikael Thalen / DailyDot)

AI-based data security company Cyera announced it had raised $300 million in a Series C venture funding round.

Coatue led the round, which included participation from new investors Spark Capital, Georgian, and AT&T Ventures, as well as investment from all existing investors Sequoia, Accel, Redpoint, and Cyberstarts. (Ingrid Lunden / TechCrunch)

AI-powered social media monitoring platform Alethea Group announced it had raised $20 million in a Series B venture funding round.

Google Ventures led the round with participation from Ballistic Ventures and Hakluyt Capital. (Sam Sabin / Axios)

Related: Alethea

Best Thing of the Day: Hacking Phones Never Pays Off

Murdoch-owned tabloid The Sun lost £66 million (around $83 million) last year, and its online audience dropped by 4 million readers as the newspaper continued to grapple with the fallout from the phone-hacking scandal.

Worst Thing of the Day: So What If We’re Selling Our Tech to Hideous Regimes?

Israeli security analytics company Cognyte did not receive a license from the state to sell cyber-intelligence systems to the repressive regime in Myanmar, but that was apparently not sufficient grounds to open an investigation.

Bonus Worst Thing of the Day: But We Like Tracking Cookies

Of 85,000 European websites examined by the University of Amsterdam (UvA) and ETH Zürich, 90% violated at least one privacy regulation, and 65% of those that offered a cookie consent choice continued to set tracking cookies even when users rejected them.

Closing Thought