Cybersecurity Archives - TechInformed
https://techinformed.com/tag/cybersecurity/
The frontier of tech news

Chelsea Manning talks misinformation, X and Telegram at TechBBQ
https://techinformed.com/chelsea-manning-talks-misinformation-x-and-telegram-at-techbbq/
Wed, 11 Sep 2024 17:42:56 +0000

The post Chelsea Manning talks misinformation, X and Telegram at TechBBQ appeared first on TechInformed.

Spreading online misinformation is now easier than ever and poses the biggest threat to democracy around the world, American activist and whistleblower Chelsea Manning claims.

Speaking on stage at TechBBQ in Copenhagen the day after the first televised debate between Vice President Kamala Harris and former President Donald Trump, the former US Army intelligence analyst said the “normalisation of disinformation” is “ensuring participants in democracy become so jaded, confused and exhausted, they lose confidence in their institutions.”

Manning, who in 2013 was convicted of leaking classified military documents to Wikileaks, added that campaigns to mislead voters have been made easier because of the internet.

“I’m generally a technology optimist, but there is a concern for the potential for misuse,” she said. “The biggest issue we’ll face in the next 15 years is how we verify information.”

While AI-generated images and text are both a problem, the root issue lies in how information is verified and how easily users trust information.

“As these technologies improve, even sophisticated users may struggle to distinguish between AI-generated content and reality,” she said.

However, the activist reiterated her view that we should not blame the technology, calling this a “short-sighted view.”

“The same arguments could be made about photo doctoring, and then Photoshop.”

With her speech coming just hours after the first face-to-face confrontation between Democratic presidential candidate Harris and her Republican rival Trump, Manning said she is “cautiously optimistic about the state of American democracy”.

“It is shakier than it has ever been, but it is heading in a direction that leads me to believe this uncertain period may be coming to an end. But that could change,” she added.

Encryption and privacy

Manning delivered her keynote to a packed hall of tech entrepreneurs and experts in the Danish capital’s Lokomotivvaerkstedet venue, confronting the current dividing lines being drawn between regulators in some countries and social media platforms.

In Brazil, a Supreme Court judge last week ordered social media platform X to be blocked after the company refused to appoint a local legal representative, the latest step in a wider legal battle over the moderation of political content that allegedly incited violence and spread misinformation. X owner Elon Musk has used the platform, formerly Twitter, to deny any wrongdoing and to accuse the judge of breaching Brazil’s constitution.

Telegram’s chief executive, Pavel Durov, has meanwhile announced that the platform will improve moderation after he was arrested in France over allegations that it allowed criminal activity to run unchecked.

When asked for her opinion on privacy in the wake of these issues, Manning said: “I certainly take issue with Telegram not cracking down on very problematic information on its platform.”

However, she said that she is not sure where the line can be drawn on privacy and transparency in these instances.

“I tend to believe that an individual has a right to privacy, but I think large groups of people and the actions they do in an organised manner should be transparent.”

“When it comes to institutions, like Telegram, they still need to be held accountable, and there should be transparency over everything and everybody.”

Cyber secrecy

Manning went on to say that secrecy is “almost impossible” in 2024 because of “smartphones and the ability to capture information on the ground and share it quickly.”

“It’s very difficult to hide information,” she said. “I was shocked that in 2022, I had more information as a civilian about what was happening on the ground in Ukraine than I did as an intelligence analyst in 2010.”

Conflicts and the information around them, she said, are highly visible to anyone who knows where to look.

In the same vein, Manning said that cybercriminals are often ahead of cybersecurity professionals “due to a lack of experience on the part of those protecting against these threats.”

“Also, companies have little incentive to fully protect their information. When a data breach happens, it gets reported, but then the news is quickly buried among other stories.”

As a result, Manning claims companies aren’t held liable: “This lack of accountability is one of the reasons why we see so many data breaches without substantial consequences.”

US raises concerns over alleged Russian sabotage of subsea cables
https://techinformed.com/us-raises-concerns-over-alleged-russian-sabotage-of-subsea-cables/
Mon, 09 Sep 2024 18:02:43 +0000

The post US raises concerns over alleged Russian sabotage of subsea cables appeared first on TechInformed.

US officials say they have identified a rise in Russian military activity around key subsea cables and believe Russia may be preparing to sabotage them.

According to CNN, two officials from the US have raised concerns about the Russian military unit named the ‘General Staff Main Directorate for Deep Sea Research’ (GUGI).

“We are concerned about heightened Russian naval activity worldwide and that Russia’s decision calculus for damaging US and allied undersea critical infrastructure may be changing,” a US official said.

“Russia is continuing to develop naval capabilities for undersea sabotage mainly through GUGI, a closely guarded unit that operates surface vessels, submarines and naval drones.”

Subsea cables are a critical piece of the world’s internet infrastructure, carrying more than 95% of international data traffic.

The US routinely tracks Russian ships that patrol close to critical maritime infrastructure and undersea cables, often far from Russian shores, the officials said.

Since the start of the war in Ukraine, Russia has been accused of sabotaging a cable connecting Estonia and Sweden in the Baltic Sea, an accusation Putin denied. The damage has since been blamed on a pro-Ukrainian group, although President Zelensky has not confirmed any knowledge of the operation.

Separately, increased naval activity off the Irish coast raised alarm in 2023, as many of the cables connecting North America to Europe run through the region.

TechInformed investigated earlier this year what the threat to subsea cables means, how they are protected, and how easily damaged cables can be repaired.

Planned Parenthood: cyber attackers threaten to leak data
https://techinformed.com/planned-parenthood-cyber-attackers-threaten-to-leak-data/
Mon, 09 Sep 2024 17:09:40 +0000

The post Planned Parenthood: cyber attackers threaten to leak data appeared first on TechInformed.

New York-based nonprofit Planned Parenthood has become the latest healthcare provider to fall victim to a cyberattack, forcing the organisation to take parts of its IT infrastructure offline to limit damage.

The RansomHub group has claimed responsibility for the attack and says it will leak 93GB of data allegedly stolen from the organisation’s systems within six days unless its demands are met.

This relatively new ransomware-as-a-service (RaaS) operator extorts victims in exchange for not leaking stolen files and sells the documents to the highest bidder if negotiations fail.

Considering the wide range of reproductive and sexual healthcare services offered by Planned Parenthood, including access to contraception, abortion care, and hormone therapy, a data breach within the organisation could have significant privacy, legal and safety concerns for patients.

The criminals have published sample documents on their dark-web extortion portal to support their claims, but Planned Parenthood has not confirmed their authenticity.

According to law enforcement agencies, RansomHub and its affiliates have breached more than 200 victims across a wide range of US critical infrastructure sectors since the group surfaced in February this year.

Last month, the FBI, CISA, the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Department of Health and Human Services (HHS) issued a joint advisory about RansomHub’s trend of targeting healthcare organisations.

Earlier this month TechInformed published a report on a healthcare tabletop simulation, which focused on preparing the sector to manage and mitigate cyber-attacks.

Unhealthy attention

Healthcare has become a key target for ransomware criminals this year. Following an attack in February by ALPHV/BlackCat, Change Healthcare’s payment system was shut down, leading to a reported $22 million ransom payout.

In the UK, meanwhile, a cyber-attack in June on pathology service Synnovis disrupted several London hospitals and led to an unprecedentedly low level of blood stocks across England.

According to Greg Day, vice president and global field CISO at Cybereason, these attacks highlight how reliant the industry has become on digital technology for managing patient medical data and supporting numerous treatment processes.

He added that his firm’s annual ransomware report found that more than half of affected organisations took between three and 12 months even to detect that they had been compromised.

“This delay often leaves many feeling compelled to pay the ransom. However, less than half of those who paid were able to recover their data and services without corruption.”

He urged every business to test its response capabilities and strengthen its resilience. “As the complexity of attacks and the digitisation of medical systems continue to grow, we must develop faster, more effective ways to detect and mitigate these malicious operations,” he added.

TI:TALKS: Brazil bans X, plus finding cybersecurity talent with Tom Alcock
https://techinformed.com/brazil-bans-x-plus-finding-cybersecurity-talent-recruitment-with-tom-alcock/
Fri, 06 Sep 2024 11:07:03 +0000

The post TI:TALKS: Brazil bans X, plus finding cybersecurity talent with Tom Alcock appeared first on TechInformed.

In this episode of TI:TALKS, Ricki and TI’s editor, James, discuss cybersecurity talent and the recent ban of X (formerly Twitter) in Brazil, imposed after the country’s presidential election over the spread of misinformation and disinformation on the platform.

They explore the difficulties governments face in regulating social media platforms while protecting free speech, and Elon Musk’s controversial free speech absolutism.

The conversation then moves to an insightful interview with Tom Alcock, founder of Code Red Partners, who shares his expertise in cybersecurity recruitment. He discusses the need to recruit beyond traditional methods, emphasising practical experience and diverse backgrounds.

Alcock also highlights the challenges of retaining cybersecurity talent, especially the importance of creating inclusive environments that foster engagement and prevent attrition to illicit opportunities. Diversity, he explains, plays a crucial role in bringing new perspectives and enhancing the overall effectiveness of cybersecurity recruitment.

Transport for London hit by major cyber-attack; no customer data breached
https://techinformed.com/major-transport-for-london-cyber-attack-no-disruption-to-service/
Tue, 03 Sep 2024 15:52:31 +0000

The post Transport for London hit by major cyber-attack; no customer data breached appeared first on TechInformed.

Transport for London (TfL), which runs the English capital’s public transport network, has been hit by a significant cybersecurity incident.

Though specific details remain sparse, Shashi Verma, TfL’s chief technology officer, has assured the public that there is currently no evidence of customer data compromise.

“We have introduced a number of measures to our internal systems to deal with an ongoing cyber security incident. The security of our systems and customer data is very important to us, and we will continue to assess the situation throughout and after the incident.

“There is currently no impact to TfL services, and we are working closely with the National Crime Agency and the National Cyber Security Centre to respond to the incident,” he said.

The organisation’s corporate headquarters at Palestra House, Southwark, is thought to be the main site affected, and as part of the mitigations applied there, employees have been advised to work from home.

The organisation has been transparent in its communication, aiming to prevent misinformation and reassure the public, particularly given the ongoing nature of the attack.

Image caption: A passenger using an Oyster Card on the London Underground

Javvad Malik, lead security awareness advocate at KnowBe4, emphasised the need for ongoing vigilance, particularly for organisations managing public infrastructure.

“We also need to bear in mind that the main root causes which allow criminals to penetrate organisations are social engineering, unpatched software, or poor credentials. While it’s not certain how the breach at TfL occurred, it is quite likely one of these avenues would be the culprit,” he said.

Mayur Upadhyaya, CEO and co-founder of APIContext, noted that the attack on TfL underscores the importance of securing all parts of an organisation’s IT infrastructure, not just those directly exposed to the public.

He added: “TfL’s response, including the work-from-home directive and enhanced security measures, underscores the need for preparedness and contingency planning to minimise the impact of cyber incidents. Such proactive steps are crucial for maintaining operational resilience and mitigating potential damage.

“In today’s interconnected world, APIs are the lifeblood of digital operations. Securing these gateways is paramount to preventing unauthorised access and data breaches. Regular security assessments, vulnerability management, and incident response planning are essential components of a robust cybersecurity strategy.”

The cyber-attack comes after a string of attacks on public services in recent months, including the June attack by the Russian ransomware gang Qilin on NHS pathology provider Synnovis.

William Wright, chief executive of cybersecurity company Closed Door Security, added: “The big question people will also want to know is who carried out the attack and if it can be attributed to another country, like Russia. TfL was also attacked by Russia last year, so it definitely isn’t out of the realm of possibility.”

In last year’s incident, personal information was stolen by a Russian ransomware group.

Wright said: “Given Russia’s recent uptick in attacks on the West, it wouldn’t be surprising, but it is far too early to speculate.”

A coffee with…Erich Kron, security awareness advocate, KnowBe4
https://techinformed.com/a-coffee-with-erich-kron-security-awareness-advocate-knowbe4/
Fri, 30 Aug 2024 11:07:05 +0000

The post A coffee with…Erich Kron, security awareness advocate, KnowBe4 appeared first on TechInformed.

A well-known speaker on the cybersecurity circuit, Erich Kron educates IT administrators, security professionals and users on ways to protect themselves and their firms from cyber-threats, which include ransomware, phishing and other social engineering attacks.

After holding IT roles in the US military and aerospace industries, Kron moved into a senior cybersecurity role at the US Army’s Regional Cyber Center, joining Florida-based KnowBe4 eight years ago as a security awareness advocate.

KnowBe4 is a security awareness training and simulated phishing platform that helps organisations address the human element of cybersecurity. It has more than 65,000 customers, ranging from small businesses to large enterprises.

Earlier this month the company acquired UK-based AI-powered email security firm Egress, which it says will help it build an advanced AI-powered cybersecurity platform. KnowBe4 also hit the headlines recently for unwittingly hiring a North Korean hacker.

Tell us more about KnowBe4’s training platform and how the acquisition of Egress will enhance it.

What our platform really tackles is the human element involved in cybersecurity, which means a lot of training, a lot of education and simulations of phishing attacks. These give you a chance to practise what you have learned during training. If people make a mistake, it’s not a problem, it’s a fail-safe environment – it’s not the end of the world if you make a misstep.

Egress is going to help us to expand our platform even more so we can do things with the emails – put more warning banners on things that say ‘Hey this looks like a phishing email because of this’…It gives them an idea to be more careful of that email.

Do you cover newer threats such as deepfakes?

We teach people about deepfakes; we educate people on the dangers of deepfakes, but we don’t generally generate deepfakes. We have an AI component within our platform that is very cool. It looks at what people are trained on, and it will choose the templates relevant to individuals. AI does a really good job with personalising training packages.

Is email still considered the main vector for phishing attacks?

It’s interesting the attackers are starting to pivot. They are trying to get people out of email and onto other platforms such as WhatsApp or Teams. So, we have filters that look at email traffic but if you go on WhatsApp that’s going to be a whole lot harder to see. It’s a clever way of doing it – another evolution of tech in general and then exploiting it for bad.

Are you noticing an increase in attacks on targeted individuals?

Most phishing attacks have always been targeted spear-phishing attacks. I don’t know that I’ve noticed an increase in it. But I have noticed that the way they carry out attacks is more advanced. For example, in the old days, you’d get an email from the CEO saying I need you to email $250K right away – there’s always a sense of urgency… But when it’s followed up by a text message, people let their guard down; there’s an inherent trust. So, for the higher value targets, that kind of effort is being put in to make it successful.

With GenAI, phishing appears to be getting more sophisticated – gone are the days of the badly spelt Nigerian Prince scam…

It seems like this when there are 6.4bn fake emails sent out every single day. A lot of these are caught by filters now. But the ones that make it through to people’s desktops are the higher quality ones. Because the bad ones are being caught, a side effect from filters is that people are being exposed to the higher quality ones. Which means the average person is going to be exposed to the more difficult-to-spot attacks.

And now AI is being used to increase the efficiency and the amount of people being attacked. It used to be you’d read one of these scams and the grammar and spelling were awful – what we’re finding now, is that the responses feel authentic. An English-speaking scammer can now turn something into German or American English. AI allows attackers to scale further.

Are we losing the battle?

I wouldn’t say that. But it’s still a tough thing to face. The technology is changing but the tactics remain the same. They still know that if they get you in a highly emotional state, you don’t think things through, and that part hasn’t changed.

Frauds can fool the best of us. How did KnowBe4 accidentally end up hiring a North Korean hacker?

I can’t talk about everything because it’s still an open investigation, but we want to be very upfront because we want other firms to understand that this is a threat and we’ve written a blog about it.

We were looking for someone who was an AI developer, and we received over 1,000 responses, which we got down to 30-40 candidates, and went through this whole hiring process. After four Zoom calls we ended up hiring someone with a great resume, and they went through a background check, the whole nine yards. We hired them and sent over the equipment, but then we sensed immediately, upon letting them into the network, that they were downloading hacking tools.

Were they able to breach you?

When we hire new employees, their user account only grants limited permissions that allow them to proceed through our new hire onboarding process and training. And the way we do it, the only thing he had access to to start with was his training modules.

We’re a very security conscious company – so when we confronted him, he said he was trying to fix something with his router for Wi-Fi. That didn’t add up – so within 25 minutes he was shut off the network.

What was their modus operandi?

This guy was part of a North Korean gang. They used AI-generated, modified photos as his picture, along with the stolen identity of a US citizen, and because it was backed by the North Korean state he had a lot of documents and ID matches.

The guy really knew what he was doing. They use VPNs to access the workstation from their physical location, which is usually in North Korea or China. From there it is picked up by a new person who takes it to an apartment building, where it is operated by North Koreans working at an IT mule laptop farm.

The scam is that they are actually doing the work for us, acting as our employees and getting very well paid, and they give a large amount of these earnings to the North Korean government to fund their illegal programs.

On a lighter note, how do you take your coffee?

With cream and sugar.

What was the last piece of tech you bought for yourself?

A high-end video card so that I can play around with some of my own AI stuff at home. I’m working with LLMs to test them out and to see what’s going on behind the curtain.

I’m really fascinated by AI graphics – some of those GenAI tools are amazing. I’ve been looking at an AI video generator called Kling AI – which has just opened to the public. It’s hosted in China – which sometimes gives people reservations – but you can generate an image from a text prompt, a video from a text prompt or from taking the image in there and then prompting it to move and look around. It can generate some incredible stuff from just that 2D image. To me that’s fascinating.

Ransomware gangs of 2024: The rise of the affiliates
https://techinformed.com/ransomware-gangs-of-2024-the-rise-of-the-affiliates/
Fri, 30 Aug 2024 09:07:10 +0000

The post Ransomware gangs of 2024: The rise of the affiliates appeared first on TechInformed.

The last 12 months have brought big news on the ransomware front, with law enforcement announcing the takedowns of major ransomware gangs including LockBit and ALPHV/BlackCat.

But despite the success of the FBI and its allies in tackling some of the biggest threat actors, businesses find themselves no safer from cyber-attacks than in previous years.

Security firm WithSecure says the frequency of attacks and ransom payments collected in the first half of 2024 was still higher than over the same periods in 2022 and 2023.

So, has the disbandment of two of the most dominant and well-known ransomware gangs done nothing to make enterprises more secure? Or is something else going on?

Emerging data from reports such as WithSecure’s indicates a shifting trend: affiliates once aligned with LockBit and ALPHV are now avoiding the big-name gangs. Trust in the larger groups has waned, and many affiliates are opting for smaller, more nimble operations.

A shift in the landscape

Since the takedown of LockBit in February, cybersecurity experts have been evaluating the long-term impact on the ransomware ecosystem; the prevailing consensus, however, is that affiliates are adopting a more “nomadic” approach.

Affiliates are smaller criminal crews that lease a ransomware operator’s malware, techniques and sometimes stolen credentials, paying a monthly fee and handing over a percentage of any ransom payments in return.

“Through the data, the FBI identified 190 affiliates using LockBit’s service in February,” says Tim Mitchell, a security researcher at Secureworks.

“By May, following sanctions and indictments against LockBit’s admin, only about 60 affiliates remained active,” a reduction of roughly two-thirds following the initial action.

With new sanctions in place, it has become illegal for companies in the US and the UK to pay ransoms to the gang, cutting off its primary revenue stream and pushing affiliates toward other gangs.

“It’s surprising that they’re still active, albeit at a much lower rate,” says Mitchell. “March saw a significant surge in victim names, around 170 in one month (though many were possibly rehashed victims from earlier), but by June or July, the number had plummeted to about 12-15 victims.”

Before its admin was exposed, LockBit’s leader, Dmitry Khoroshev, had declared the gang “eternal”. Mitchell, however, believes that without a rebrand LockBit is unlikely to remain as disruptive as before.

For ALPHV, while the FBI disrupted its site in December 2023, the gang continued operating until early this year, when it claimed responsibility for the Change Healthcare attack that crippled pharmacies across the US, including those in hospitals.

Allegedly, although not publicly confirmed by Change Healthcare, the gang received a $22 million ransom payment. In this case, however, the affiliate that executed the attack never received its share, and ALPHV then ceased operations entirely, suggesting an exit scam.

The incident eroded trust on both sides of the attack: despite the large payment, Change Healthcare did not get the stolen data back, and affiliates left without a platform may have lost confidence in the well-known groups.

Fragmentation

Following LockBit’s takedown, the number of ransomware groups listing victims has risen from 43 to 68, according to Secureworks data.

“For affiliates, it’s becoming clear that they might not get what they promised from larger groups, which may be driving them towards smaller, more reliable groups,” says Mitchell.

“After BlackCat’s impact on the marketplace, affiliates were left without a platform, and no obvious successor emerged,” he added.

According to cybersecurity firm Mandiant, some threat actors claim to use multiple ransomware families simultaneously, providing them with some level of stability to weather possible disruptions to ransomware-as-a-service (RaaS) offerings.

It expects that “the threat actors impacted will likely in time be able to recover and continue to engage in ransomware and extortion activity.”

Going underground

“While government efforts slowed down well-known operators, other groups like Blacksuit, Medusa, and PLAY have filled the void LockBit left,” says Tyler Reese, director of product management at Netwrix.

Image caption: Tyler Reese, director of product management, Netwrix

For instance, according to a report from researchers at GuidePoint Security, Medusa is offering generous profit-sharing terms, with up to 90% of the ransom going to the affiliate, a much better deal than in the past, when affiliates had to hand up to 40% of ransom proceeds to the gang.

Another smaller gang, Cloak, is offering an 85% profit share with no initial payment needed to become an affiliate. Generous terms appear to have worked for Medusa, whose victim numbers have surged since February, according to WithSecure.

Similarly, Mitchell adds, Qilin – responsible for recently publishing NHS data it obtained, and also observed harvesting credentials stored in Google Chrome – has stepped up, though not to the same scale as LockBit.

RansomHub, which provides the infrastructure for its affiliates and topped Bitdefender’s ranking of ransomware groups by number of victims in August this year, is meanwhile trying to recruit affiliates displaced by recent shutdowns or exit scams.

“RansomHub became a bit of a place for homeless ransomware operators,” says Mitchell.

According to WithSecure, RansomHub attracts new recruits by letting them collect payment from victims directly and then forward the group’s share, which WithSecure reads as an attempt to reassure affiliates spooked by ALPHV’s exit scam, a scam that was only possible because ALPHV controlled the payments.

“In terms of top groups, there’s no clear leader, but there are a lot more schemes operating than ever before,” says Mitchell.

To gain access, “it’s still largely through old vulnerabilities in internet-facing services, and reusing stolen credentials,” he adds.

Ransom-where?

Working out where in the world an affiliate is located is also harder when they act alone: most use the same tools, and they typically route through a Virtual Private Server (VPS) so that their activity appears to come from another country.

“These groups are focused on making as much money as possible, focusing on critical infrastructure like hospitals and government agencies to cause major disruption,” says Kevin Curran, senior member of IEEE and professor of cybersecurity at Ulster University.

Kevin Curran, a senior member of IEEE and professor of cybersecurity at Ulster University

“AI-enhanced cyber-attacks are a serious concern for the near future. Authorities like the UK’s National Cyber Security Centre (NCSC) are focusing on ensuring AI systems are secure-by-design and continue to urge organisations to adopt robust cybersecurity,” he adds.

Ransomware remains a significant and costly threat. According to Netwrix's 2024 research, 45% of organisations that experienced a cyberattack had to cover unplanned expenses to fix security gaps.

Alongside this, 16% saw a fall in company valuation, and 13% had to deal with lawsuits, compared with only 3% a year earlier.

“There is no single solution or ‘magic bullet’ to eradicate ransomware entirely,” says Reese.

“Regular data backups, timely software and system patching, robust endpoint and network protection, and strong identity protections with multi-factor authentication are significant steps toward cyber resilience in the era of inevitable attacks.”

The post Ransomware gangs of 2024: The rise of the affiliates appeared first on TechInformed.

Operation 911: Anatomy of an Attack (Part 1) https://techinformed.com/operation-911-anatomy-of-a-healthcare-ransomware-attack/ Thu, 29 Aug 2024 17:37:27 +0000

The post Operation 911: Anatomy of an Attack (Part 1) appeared first on TechInformed.

Looking out the window of a top-floor suite in the Mandalay Bay Hotel, across the Las Vegas skyline, a helicopter full of tourists sets off towards the Grand Canyon.

But inside this room full of cybersecurity experts, TechInformed is prepping for a different kind of sightseeing.

More than 20,000 cybersecurity professionals have gathered in the Nevada city in the August heat for Black Hat — a weeklong event that offers security consulting, training, and briefings to hackers, corporations, and government agencies.

We were invited to join several of those experts in this suite for an immersive tabletop exercise demonstrating a ransomware attack on a medical facility from both the offensive and defensive sides.

Tabletops are like the war games used to prepare military forces across the globe during times of peace.

The healthcare sector is a prime target for cyber criminals, and a surge in ransomware attacks on hospitals threatens patients’ safety and data.

 

Cyber firm Semperis’ temporary Vegas residence

 

High-profile attacks have included the Change Healthcare ransomware attack in February, which shut down the largest healthcare payment system in the US and led to a reported $22 million ransom payout.

When lives are at risk, the stakes are high: In May, an attack on Ascension Health, the operators of over 140 hospitals in the US, put patients’ lives at risk and crippled revenue flow in the healthcare industry for weeks.

In the UK, meanwhile, a cyber-attack in June on pathology service Synnovis impacted several London hospitals and led to an unprecedentedly low level of blood stocks across England.

Tabletop scenario

And so, a dozen or so people have gathered for this tabletop, Operation 911.

Participants include several hospital executives, the FBI, software developers, security professionals, hackers who have worked for various military organisations and local law enforcement officers from the Las Vegas Metropolitan Police Department.

They are split evenly into two teams. The red team, ‘The Red Raccoons,’ is charged with launching a high-stakes ransomware attack against Sunshine Healthcare, a fictitious hospital located in Las Vegas renowned for its patient care, innovations, and recent acquisitions.

They are led by Semperis security researcher Tomer Nahum, who has recently achieved Microsoft Most Valuable Researcher (MVR) status.

From L to R: Jeff Wichman, Marty Momdjian & Tomer Nahum

The Purple Knights, meanwhile, take on the role of the hospital incident response and crisis management team. They are guided by Jeff Wichman, a former ransomware negotiator who is now Semperis director of incident response.

Both teams are shepherded through each step by Marty Momdjian, Semperis EVP of services, who has over 20 years’ experience in healthcare cyber protection.

High profile

Momdjian explains that the tabletop is based on a real-life scenario that lasted around 30 days from the start of the event to the recovery.

Profiling Sunshine Healthcare, he adds that the company turned over $9bn in revenue last year and has a total of 2,500 licensed beds in its five Vegas locations. The company owns the only trauma centre in the region and has 50 in-state clinics. For simplicity, all patient records are kept on a single electronic medical record (EMR) system.

“One of the reasons we wanted to feature an expanding facility is that healthcare facilities go through a lot of M&A, and they become vulnerable targets for hackers,” explains Momdjian.

Tabletop objectives for hackers and defenders

He adds that the trauma centre raises the stakes: it must be kept up and running, so shutting all systems down is not an option.

“This is a real scenario that’s occurred in major metropolitan areas where there are always Level 1 and 2 trauma centres. When those go offline, it becomes extremely chaotic. And it’s very, very painful,” Momdjian adds.

According to the health sector cyber expert, every healthcare company has been striving towards a single EMR for the last decade, but having one centralised point for medical records also makes the organisation more exposed to attack.

“If the EMR goes down, all your sites will go down. All physical locations, units, departments, patient care workflows, ADT (patient tracking), and anything that goes through the EMR are on a single platform,” Momdjian points out.

“The Purple Knights especially need to think about that when they are going through the exercise and the steps and what the impact is with any decision you are making.

“On the red team, that’s your target – to get to the EMR, get the data, exfiltrate and then extortion, disrupting patient services to the extent that the hospital has no other option but to pay the ransom.”

Attack framework

For the Purple Knights, Momdjian suggests following the latest guidelines from the US Department of Health and Human Services’ HC3 framework, which he has contributed to, as well as the standard NIST framework.

Frameworks like these can help frequently attacked organisations see the wood for the trees. He explains: “There are alerts coming out every single day — it’s complete overload. So the focus for us is working through what really matters when a major ransomware attack occurs—because the faster you respond, the faster you can recover.”

The red team, meanwhile, is instructed to follow the kill chain (the phases or steps involved in a cyber-attack), which, Momdjian adds, is well documented in attacks on healthcare.

In terms of finding a way into the hospital group’s systems, the red team decides to target VIP executives attached to the company in some capacity. “We’re looking for names of executives that have been in the news a lot and have active social media accounts,” explains one red team member.

“We’ll look at what systems they’re using and who their admins are so that we can come up with some kind of social engineering strategy to gain access to the network,” he adds.

The weakest link

As Sunshine Health also has a university relationship and a research department, the red team are also sniffing around this to find a way in.

“Universities are notorious for having weak security,” adds another red team member. “We’re using that connection between the university and the main hospital system as an access point so that we can look for weaknesses and external apps.”

Red team target hospital exec via LinkedIn page and dark web password dump

The targeting of a prestigious university researcher rings true with one member of the Purple Knights, who asks Momdjian for advice. The expert says he’s encountered this type before.

“They want to be published and are posting a lot. They tend to use the same password for their healthcare system as they do for social media and LinkedIn. And they make it easy for hackers to find because they tend to use their work email address to sign up for other accounts,” he says.

He advises that if these high-profile medics/researchers don’t cooperate, protective measures need to be applied to them. “Limit their access. If an incident is escalated to a specific level, remove their access because you know they are an easy target. Tell them that it is part of your policy.”

He adds that it’s standard for hackers to find a way in by buying a password dump from the dark web. “So incident response (IR) should start by making a list of their VIP execs — doing dark web checks on execs and VIPs.”

On other defensive measures, another member of the Purple Knights says a lot has already been done to set up the tech stack and put defences in place. “The main threats we identified were any types of social engineering and phishing emails – user training is useful here,” the member suggests.

The team is also working with Sunshine Health’s chief security officer to develop a disaster recovery (DR) plan and an Incident Response (IR) plan.

However, there’s trouble ahead: the social engineering exercise used by the red team has worked, and they’ve gained access to the network. It’s time for them to start collecting information and living off the land (using the network’s own legitimate tools rather than bringing in malware). What steps can the Purple Knights take to mitigate an attack and protect Sunshine Healthcare from these criminals?

Continued in Anatomy of a healthcare attack, part 2: Going for the jugular.

NPD data breach: Legal and technical perspectives with Lisa Sotto & Matt Berzinski https://techinformed.com/npd-data-breach-legal-and-technical-perspectives-with-lisa-sotto-matt-berzinski/ Wed, 28 Aug 2024 22:31:03 +0000

The post NPD data breach: Legal and technical perspectives with Lisa Sotto & Matt Berzinski appeared first on TechInformed.

In this episode of TI:TALKS, host Ricki is joined by Deputy Editor Anne-Marie Corvin to explore the critical issues surrounding the recent National Public Data breach. They’re joined by two guest experts, Lisa Sotto and Matt Berzinski, who delve into cybersecurity’s legal and technological dimensions.

Lisa Sotto, a partner at Hunton Andrews Kurth and chair of the firm’s global privacy and cybersecurity practice, offers an in-depth analysis of a lawyer’s role during a cyber-attack. Known as the “Queen of Breach,” Lisa explains how legal professionals manage confidentiality, coordinate forensic investigations, and handle ransomware negotiations.

She also outlines the essential steps companies should take immediately after a breach and discusses the complexities of ransom decisions and regulatory notification obligations.

Next, the conversation shifts to the tech side with Matt Berzinski, senior director at Ping Identity. He discusses the transformative impact of AI on cybersecurity, particularly in relation to the data breach. He warns about cybercriminals’ increasing use of AI for account takeovers and phishing attacks and envisions a future with passwordless authentication powered by technologies like passkeys and FIDO2 standards, which promise enhanced security and a smoother user experience.

This episode comprehensively examines the evolving cybersecurity landscape, blending expert legal advice with forward-looking insights into AI-driven security innovations. Don’t miss it!

Pavel Durov, Telegram founder, arrested in France amid cyber-crime probe https://techinformed.com/pavel-durov-telegram-founder-arrested-in-france-amid-cyber-crime-probe/ Tue, 27 Aug 2024 17:11:00 +0000

The post Pavel Durov, Telegram founder, arrested in France amid cyber-crime probe appeared first on TechInformed.

Pavel Durov, founder of messaging app Telegram, was arrested in France over the weekend. French authorities said that his arrest was in relation to an investigation into online child sexual abuse, drug sales, fraud, and other criminal activity on the platform.

The prosecutors stated that Durov is being held in custody as part of a cyber-crime investigation assessing twelve different offences linked to organised crime.

Telegram has said in a statement, “It is absurd to claim that a platform or its owner is responsible for abuse of that platform.”

Before founding Telegram in 2013, Durov founded a social media company called VKontakte in 2006 in Russia.

In 2014, the founder exiled himself after refusing to comply with the Russian government’s demands to shut down opposition communities on VKontakte.

Durov is now based in Dubai, from where he runs the platform.

Telegram joins Facebook, WhatsApp, Instagram, and TikTok as one of the world’s largest social media platforms, with 950 million active users monthly.

The platform offers end-to-end encryption, which means messages cannot be read by anyone other than the sending and receiving devices, although, unlike on WhatsApp, this is not enabled by default.

Telegram has previously faced criticism over the ability of users to spread disinformation on the app easily.

The app was cited as one of the platforms used by far-right groups to spread disinformation about refugees that led to rioting in Southport and other UK cities last month.

According to one report, fireworks and flares were being advertised for sale on a Telegram messenger group aimed at UK rioters last month.

Telegram groups can hold up to 200,000 members, while WhatsApp groups, for instance, are capped at 1,000. However, the app, reported to employ fewer than one hundred staff, said that its moderation “is within industry standards and constantly improving,” and that it abides by European Union laws.

“Almost a billion users globally use Telegram as a means of communication and as a source of vital information,” the app’s statement said. “We’re awaiting a prompt resolution of this situation. Telegram is with you all.”
