Plus: A cloud company says notorious Russian hacker group APT29 attacked it, Chinese hackers use ransomware to hide their espionage campaigns, and a bank popular with startups discloses a cyberattack.

WIRED learned this week that Amazon Web Services investigated claims that the AI search startup Perplexity may have violated the cloud company's rules by appearing to pull data from websites that have attempted to shield themselves from such scraping. The news comes after WIRED published findings last week about the AI search chatbot's indiscriminate data-scraping practices and questionable content generation. WIRED's inquiries to AWS about the matter spurred it to look at Perplexity's activities. A separate WIRED investigation into Quora's Poe AI platform found that it downloaded entire articles from a variety of publishers and shared the files with users, effectively circumventing paywalls.

The US Justice Department announced convictions earlier this week related to a series of violent home invasions in which more than a dozen men threatened, assaulted, tortured, or kidnapped 11 people as part of efforts to steal cryptocurrency.

On Wednesday, WikiLeaks founder Julian Assange agreed to plead guilty to one count of espionage in US court, finally concluding a protracted legal battle between the US government and the controversial, anonymity-focused publisher. The American Privacy Rights Act—the latest in an endless parade of “comprehensive” US privacy bills—got pulled from a congressional hearing and is now unlikely to receive a full vote. And a new tailor-built platform created by the firm SITU Research has been used for the first time in the International Criminal Court as a tool for prosecuting a war crimes case.

Concrete proof is finally starting to emerge from San Jose and New York City that AI gunshot detection systems operate substantially below their advertised accuracy rates. Deepfake creators are revictimizing individuals from the GirlsDoPorn sex trafficking operation by hosting altered versions of videos from that platform. And bureaucratic hurdles are making it even more difficult for health care providers like hospitals to recover and come back online after ransomware attacks.

But wait, there's more. Each week, we round up the security news we didn’t cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

**Google Is Piloting a Face-Recognition Office Security System**

At its campus in Kirkland, Washington, Google is rolling out a face recognition system to detect “unauthorized individuals” and block their access to its offices, according to a document about the plan viewed by CNBC. Security cameras inside Google spaces have already been collecting face data and comparing it to employee badge photos in an attempt to flag people who are not regular employees or part of the broader Google workforce. If the system identifies a person of interest, Google’s “Security and Resilience Services” team will work to identify would-be intruders “who may pose a security risk to Google’s people, products, or locations,” according to the document. People who work at or visit the Kirkland campus will not be able to opt out of having their face data collected by the system, but the document notes that data is collected “strictly for immediate use and not stored.” It adds that employees can opt out of having their badge images stored by Google and that this cache of images is only being used to test the system. The document says that the goal of the program is to “maintain safety and security of our people and spaces.”

**German Cloud Company Says It Was the Target of Russian “Cozy Bear” Hackers**

The German cloud company Teamviewer confirmed on Friday that it suffered a cyberattack earlier this week. The company accused the notorious Russian hacking group APT29—also called “Cozy Bear” and “Midnight Blizzard”—of carrying out the attack. “Current findings of the investigation point to an attack on Wednesday, June 26, tied to credentials of a standard employee account within our Corporate IT environment,” Teamviewer said in a statement. The company later confirmed that “the attack was contained within TeamViewer’s internal corporate IT environment and did not touch the product environment, our connectivity platform, or any customer data.”

**Chinese Hackers Have Been Using Ransomware Attacks to Mask Their Activities**

Suspected Chinese government-backed hackers, including the group known as “ChamelGang,” have deployed ransomware in dozens of high-profile attacks as a distraction while they conduct espionage operations on victims' networks. Researchers from the security firms SentinelOne, Recorded Future, and TeamT5 have found evidence, for example, that attackers used the tactic in hacks of a critical Indian health care platform and Brazil's presidential office. Espionage actors are participating in “an increasingly disturbing trend of using ransomware as a final stage in their operations for the purposes of financial gain, disruption, distraction, misattribution, or removal of evidence,” the researchers wrote.

**Evolve Bank, Used by Startups, Confirms LockBit Ransomware Attack**

On Wednesday, Evolve Bank and Trust, a financial firm popular with fintech startups, confirmed that it was the victim of a ransomware attack and data breach that may impact customers. “Evolve is currently investigating a cybersecurity incident involving a known cybercriminal organization that appears to have illegally obtained and released on the dark web the data and personal information of some Evolve retail bank customers and financial technology partners’ customers,” the bank said in a statement on Wednesday. The prolific and aggressive ransomware gang known as LockBit recently posted data on its dark-web leak site that it claimed had been stolen from Evolve.

Google Is Piloting Face Recognition for Office Security

PRESS RELEASE

BROWNWOOD, Texas, June 26, 2024 /PRNewswire/ -- Landmark Admin, LLC ("Landmark"), is providing notice of a recent data security incident. Landmark is a third-party administrator for life insurance carriers and may have received certain personal information from producers, insureds, policy owners or policy beneficiaries for insurance policies which Landmark administered.

What Happened?

On or about May 13, 2024, Landmark detected suspicious activity on its system and later learned that an unauthorized third party accessed its network. Upon discovery of this incident, Landmark immediately disconnected indicated systems and remote access to the network and promptly engaged a specialized third-party cybersecurity firm and IT personnel to assist with securing the environment, as well as to conduct a comprehensive forensic investigation to determine the nature and scope of the incident. While the forensic investigation remains ongoing, Landmark found evidence to suggest some of its files may have been compromised by an unauthorized third-party.

Based on these findings, Landmark began reviewing the affected systems to identify the specific individuals and the types of information that may have been compromised.

What Information Was Impacted? 

The following information may have been subject to unauthorized access: first name/initial and last name; address; Social Security number; tax identification number; driver's license number/state-issued identification card; passport number; financial account number; medical information; date of birth; health insurance policy number; and life and annuity policy information.

The information varies by individual. Affected individuals will be notified by mail of information that was impacted.

What Remediation Measures Were Taken?

Landmark takes the privacy and security of personal information seriously. Since the discovery, Landmark moved quickly to investigate and secure its systems. Landmark has taken steps to further enhance its network security, and took steps, and will continue to take steps, to mitigate the risk of future harm.

What Steps Can Individuals Take?

Landmark encourages everyone to remain vigilant against incidents of identity theft by reviewing their account statements and monitoring their credit reports for any suspicious activity. Individuals can obtain free copies of their credit reports by going to the following website: www.annualcreditreport.com or by calling them toll-free at 1-877-322-8228. (Hearing impaired consumers can access their TDD service at 1-877-730-4204.)

You can also obtain more information from the Federal Trade Commission (FTC) about identity theft and ways to protect yourself. The FTC has an identity theft hotline: 877-438-4338; TTY: 1-866-653-4261. They also provide information on-line at www.ftc.gov/idtheft.

Other Important Information: 

If you have questions about the Incident not addressed in this notice please call the help line at 1-844-428-5109 and representatives are available for 90 days from the date of this letter to assist you between the hours of 8:00 a.m. to 8:00 p.m. Eastern time, Monday through Friday excluding U.S. holidays.

Landmark sincerely regrets any concern or inconvenience this matter may cause and remains dedicated to ensuring the privacy and security of all information in our control.

Landmark Admin, LLC Provides Notice of Data Privacy Incident

WIRED was able to download stories from publishers like The New York Times and The Atlantic using Poe’s Assistant bot. One expert calls it “prima facie copyright infringement,” which Quora disputes.

Poe, an AI chatbot platform owned by the question-and-answer site Quora and backed by a $75 million Andreessen Horowitz investment, is providing users with downloadable HTML files of articles published by paywalled journalistic outlets.

Prompting the service’s Assistant bot with the URL of this WIRED story about the AI-powered search service Perplexity plagiarizing one of our stories, for example, yields a detailed, 235-word summary and a 1-MB file containing an HTML capture of the entire article, which users can download from Poe’s servers directly from the chatbot.

WIRED was similarly able to retrieve articles from paywalled sites including The New York Times, Bloomberg Businessweek, The Atlantic, Forbes, Defector, and 404 Media in downloadable format simply by entering URLs into the Assistant bot’s interface. This appears to be just the latest example of the AI industry’s cavalier approach to intellectual property law, which is rapidly undermining existing business models in fields like journalism and music.

“This is a significant copyright issue,” James Grimmelmann, professor of digital and information law at Cornell University, wrote in an email. “Because they made a copy on their own server, that's prima facie copyright infringement.” (Quora disputes this, comparing Poe to a cloud storage service.)

When asked to summarize the content of a test website controlled by my colleague Dhruv Mehrotra, the bot did not return a summary but did return an HTML file. According to the website’s server logs, immediately after the Assistant bot was prompted to summarize the site, a server identifying itself as “Quora Bot” visited the site. It did not attempt to visit the site’s robots.txt page, suggesting that Poe and Quora ignore the Robots Exclusion Protocol, a widely accepted though not legally binding web standard.

A prominent media executive, whom WIRED granted anonymity to candidly discuss a legally sensitive matter his company is actively investigating, says that his publication also observed servers identifying themselves as Quora bots accessing its site immediately after giving Poe’s chatbot prompts about specific articles; these prompts, he says, yielded much or all of the text of these articles.

“Poe is a platform that lets users ask questions and have back-and-forth dialog with a variety of AI-powered bots provided by third parties,” Quora spokesperson Autumn Besselman wrote in an email. “We do not have or train our own AI models. Poe has a feature that enables a user to show the contents of a URL to a bot, but the bot will only see content that it is served by the domain. We would be happy to connect with your technical team to help them make sure your paywalled content isn’t served to people using Poe.”

“The file attachments on Poe are created at the direction of users and operate similarly to cloud storage services, ‘read it later’ services, and ‘web clipper’ products, which we believe are all consistent with copyright law,” Besselman wrote in response to an email asking follow-up questions. Andreessen Horowitz did not respond to a request for comment.

Quora cofounder Adam D’Angelo is a former Facebook CTO as well as an OpenAI board member. (D’Angelo was among the board members who voted to fire OpenAI CEO Sam Altman last year and was the only member who subsequently joined a new board formed after Altman’s return.) In March, nearly three months after Andreessen Horowitz announced that it had led a funding round for Quora, he sat for an interview with David George, a general partner at the venture firm who asked about the relationship between Quora and Poe.

“We’d love to have all of this as integrated as possible,” said D’Angelo. “If you think about the relationship between Facebook and Facebook Messenger, these are two products built by the same company, but they share a lot. I think that Poe and Quora might evolve to a similar kind of relationship. We’d love to get more of the human aspects of Quora into Poe. We’d also love to get the whole Quora dataset into the Poe bots and we’re also working—we’ve launched some of this already—to get some of the Poe AI to generate answers that are available on Quora.”

A user who goes to Poe’s website is prompted to start a chat with one of a number of chatbots. These range from bots offering direct access to various large language models and specialized bots like Mrstherapist (“Your very own therapist with relationship, trauma, stress etc.”) to the Assistant bot, the default option.

The Assistant bot is designated on the site as “by Poe” and as powered by AI firm Anthropic. This doesn’t mean that the bot is Anthropic’s; as the company points out, customers with access to its API can implement its models in their own products however they see fit. Claude, the Anthropic model on which the Assistant bot is apparently built, does not have access to the internet but can work with text provided to it—in this case, seemingly, by Quora crawlers that scrape websites in response to prompts. The HTML file the Assistant bot offers for download after being prompted with an article’s URL re-creates the article when opened in a browser, making it functionally equivalent to a PDF file.

Journalism companies have threatened and carried out legal action over claims that AI companies are infringing on their copyrights. The New York Times, for example, is suing OpenAI and Microsoft alleging infringement, and Forbes reportedly recently sent Perplexity a letter accusing it of “willful infringement.” (OpenAI, Microsoft, and Perplexity have denied wrongdoing.) Publishers whose articles WIRED was able to download were furious when apprised of the situation.

“As the law and The Times’ terms of service make clear,” wrote Charlie Stadtlander, a spokesperson for The New York Times, in an email, “scraping or reproducing The Times' content is prohibited without our prior written permission.”

“These stupid chatbots drive me fucking crazy,” wrote Defector co-owner and editor in chief Tom Ley in a text message. “Defector does not condone having its precious blogs stolen by a dumb chatbot backed by egghead-ass Andreessen Horowitz.”

Quora’s Chatbot Platform Poe Allows Users to Download Paywalled Articles on Demand

Though the Chicago-area hospital did not pay a ransom, a host of sensitive medical information is now at risk.

Source: Helen Sessions via Alamy Stock Photo

A full 791,000 of patients have had their personal information compromised in a cyberattack that resulted in Lurie Children's Hospital in Chicago taking its systems offline.

Cybercriminals accessed the children's hospital's systems, disrupting its patient portal, communications, and ability to access medical records.

In a data breach notification this week, the hospital cited the investigation as ongoing and said that the threat actors accessed the systems between Jan. 26 and 31, 2024.

Once the hospital went offline, it implemented standard response procedures, including its downtime procedures, though it has remained open throughout the duration of the investigation thus far.

While still determining the nature and scope of the attack, the hospital said, information "relating to certain individuals, such as name, address, date of birth, dates of service, driver's license number, email address, health claims information, health plan, health plan beneficiary number, medical condition or diagnosis, medical record number, medical treatment, prescription information, Social Security number, and telephone number, was impacted," though it varies depending on the individual.

The hospital's notice did not specifically say that it was the victim of a ransomware attack, but it noted that the hospital did not pay a ransom of any kind.

"Experts have advised that making a payment to cybercriminals does not guarantee the deletion or retrieval of data that has been taken," according to the hospital.

The cybercriminals in question are in the Rhysida ransomware gang, which has claimed responsibility of the attack, listing the hospital on its website and the apparent 600GB it claims to have stolen as "sold."

The hospital is in the process of informing affected individuals and is providing 24 months to Experian Identity Works. A call center is available to address questions and concerns about the information released on the cyberattack as well.

Hundreds of Thousands Impacted in Children's Hospital Cyberattack

Red Hat Security Advisory 2024-0045-03 - Red Hat OpenShift Container Platform release 4.16.0 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include denial of service, memory exhaustion, and resource exhaustion vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0045.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.16.0 security update  
Advisory ID:        RHSA-2024:0045-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0045  
Issue date:         2024-06-27  
Revision:           03  
CVE Names:          CVE-2023-29483  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.16.0 is now available with  
updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container  
Platform 4.16.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution designed for on-premise or private  
cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container  
Platform 4.16.0. See the following advisory for the container images for  
this release:

https://access.redhat.com/errata/RHSA-2024:0041

Security Fix(es):

* dnspython: denial of service in stub resolver (CVE-2023-29483)  
* golang: net/http/cookiejar: incorrect forwarding of sensitive headers and  
cookies on HTTP redirect (CVE-2023-45289)  
* golang: net/http: memory exhaustion in Request.ParseMultipartForm  
(CVE-2023-45290)  
* containers/image: digest type does not guarantee valid type  
(CVE-2024-3727)  
* golang: crypto/x509: Verify panics on certificates with an unknown public  
key algorithm (CVE-2024-24783)  
* golang: net/mail: comments in display names are incorrectly handled  
(CVE-2024-24784)  
* golang: html/template: errors returned from MarshalJSON methods may break  
template escaping (CVE-2024-24785)  
* golang-protobuf: encoding/protojson, internal/encoding/json: infinite  
loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON  
(CVE-2024-24786)  
* jose: resource exhaustion (CVE-2024-28176)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

All OpenShift Container Platform 4.16 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift CLI (oc)  
or web console. Instructions for upgrading a cluster are available at   
https://docs.openshift.com/container-platform/4.16/updating/updating_a_cluster/updating-cluster-cli.html

Solution:

https://docs.openshift.com/container-platform/4.16/updating/updating_a_cluster/updating-cluster-cli.html

CVEs:

CVE-2023-29483

References:

https://access.redhat.com/security/updates/classification/#important  
https://docs.openshift.com/container-platform/4.16/release_notes/ocp-4-16-release-notes.html  
https://bugzilla.redhat.com/show_bug.cgi?id=2262921  
https://bugzilla.redhat.com/show_bug.cgi?id=2268017  
https://bugzilla.redhat.com/show_bug.cgi?id=2268018  
https://bugzilla.redhat.com/show_bug.cgi?id=2268019  
https://bugzilla.redhat.com/show_bug.cgi?id=2268021  
https://bugzilla.redhat.com/show_bug.cgi?id=2268022  
https://bugzilla.redhat.com/show_bug.cgi?id=2268046  
https://bugzilla.redhat.com/show_bug.cgi?id=2268820  
https://bugzilla.redhat.com/show_bug.cgi?id=2274520  
https://bugzilla.redhat.com/show_bug.cgi?id=2274767

Red Hat Security Advisory 2024-0045-03

Red Hat Security Advisory 2024-0041-03 - Red Hat OpenShift Container Platform release 4.16.0 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include denial of service, memory exhaustion, password leak, and resource exhaustion vulnerabilities.

Red Hat Security Advisory 2024-0041-03

Ubuntu Security Notice 6857-1 - Joshua Rogers discovered that Squid incorrectly handled requests with the urn: scheme. A remote attacker could possibly use this issue to cause Squid to consume resources, leading to a denial of service. This issue only affected Ubuntu 16.04 LTS. It was discovered that Squid incorrectly handled SSPI and SMB authentication. A remote attacker could use this issue to cause Squid to crash, resulting in a denial of service, or possibly obtain sensitive information. This issue only affected Ubuntu 16.04 LTS.

    ==========================================================================Ubuntu Security Notice USN-6857-1June 27, 2024squid3 vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 18.04 LTS- Ubuntu 16.04 LTSSummary:Several security issues were fixed in Squid.Software Description:- squid3: Web proxy cache serverDetails:Joshua Rogers discovered that Squid incorrectly handled requests with theurn: scheme. A remote attacker could possibly use this issue to causeSquid to consume resources, leading to a denial of service. This issueonly affected Ubuntu 16.04 LTS. (CVE-2021-28651)It was discovered that Squid incorrectly handled SSPI and SMBauthentication. A remote attacker could use this issue to cause Squid tocrash, resulting in a denial of service, or possibly obtain sensitiveinformation. This issue only affected Ubuntu 16.04 LTS. (CVE-2022-41318)Joshua Rogers discovered that Squid incorrectly handled HTTP messageprocessing. A remote attacker could possibly use this issue to causeSquid to crash, resulting in a denial of service. (CVE-2023-49285)Joshua Rogers discovered that Squid incorrectly handled Helper processmanagement. A remote attacker could possibly use this issue to causeSquid to crash, resulting in a denial of service. (CVE-2023-49286)Joshua Rogers discovered that Squid incorrectly handled HTTP requestparsing. A remote attacker could possibly use this issue to causeSquid to crash, resulting in a denial of service.(CVE-2023-50269, CVE-2024-25617)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 18.04 LTS   squid                           3.5.27-1ubuntu1.14+esm2                                   Available with Ubuntu Pro   squid3                          3.5.27-1ubuntu1.14+esm2                                   Available with Ubuntu ProUbuntu 16.04 LTS   squid                           3.5.12-1ubuntu7.16+esm3                                   Available with Ubuntu Pro   squid3                          3.5.12-1ubuntu7.16+esm3                                   Available with Ubuntu ProIn general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-6857-1   CVE-2021-28651, CVE-2022-41318, CVE-2023-49285, CVE-2023-49286,   CVE-2023-50269, CVE-2024-25617

Ubuntu Security Notice USN-6857-1

The Arkansas Attorney General filed a lawsuit against webshop Temu for allegedly being dangerous malware which is after personal data.

Chinese online shopping giant Temu is facing a lawsuit filed by State of Arkansas Attorney General Tim Griffin, alleging that the retailer’s mobile app spies on users.

> “Temu purports to be an online shopping platform, but it is dangerous malware, surreptitiously granting itself access to virtually all data on a user’s cellphone.”

Temu quickly denied the allegations.

In speaking with the outlet Ars Technica, a Temu spokesperson said “the allegations in the lawsuit are based on misinformation circulated online, primarily from a short-seller, and are totally unfounded.”

According to Baclinko statistics, Temu was the most downloaded shopping app worldwide in 2023, with 337.2 million downloads, 1.8x more than Amazon Shopping, and according to TechCrunch, Temu was the most downloaded free iPhone app in the US for 2023.

Temu is most popular today likely for its exceedingly low prices (a brief scan of its website shows a shoulder-sling backpack being sold for $2.97, and a broom-and-dust–pan combo for $12.47). How those low prices are achieved has been a mystery for some onlookers, but current theories include:

*   Temu relies on the de minimis exception to ship goods directly to U.S. customers for a low price. A shipment below the de minimis value of $800 isn’t inspected or taxed by US Customs.
*   The online webshop pressures manufacturers to lower their prices even further to appease discount-seeking customers, leaving those manufacturers with little to no profit in return.
*   Most items sold on Temu are unbranded and manufactured en masse by manufacturers in China. Almost every tech product on Temu is a knockoff or “dupe” of a real, brand-name product.

But according to reporting last year from Wired, Temu’s low prices are easy to decipher—Temu itself is losing millions of dollars to break into the US market.

“An analysis of the company’s supply chain costs by WIRED—confirmed by a company insider—shows that Temu is losing an average of $30 per order as it throws money at trying to break into the American market.”

Attorney General Griffin seems determined that Temu baits users with misleading promises of discounted, quality goods and adds addictive features like wheels of fortune to keep users engaged to the app.

He called Temu “functionally malware and spyware,” adding that the app was “purposefully designed to gain unrestricted access to a user’s phone operating system.”

The lawsuit claims that Temu’s app can sneakily access “a user’s camera, specific location, contacts, text messages, documents, and other applications.” Further, the lawsuit alleges that Temu is capable of recompiling itself, changing properties, and overriding the data privacy settings set by the user. If true, this would make it almost impossible to detect, even by “sophisticated” users, the lawsuit said.

Some may suspect that this is another attempt to ban an app hailing from a “foreign adversarial country” like TikTok, but Attorney General Griffin is very clear about his reasons.

“Temu is not an online marketplace like Amazon or Walmart. It is a data-theft business that sells goods online as a means to an end.”

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 TEMU sued for being &#8220;dangerous malware&#8221; by Arkansas Attorney General 

The ransomware group claimed it had breached the Federal Reserve, but the target now appears to have been an Arkansas-based bank, Evolve.

Source: Anthony Pierce via Alamy Stock Photo

Evolve Bank, a financial institution headquartered in Arkansas, was the victim of an attack by the LockBit ransomware group which resulted in a data leak onto the Dark Web this week.

LockBit had drawn attention to itself earlier this week after claiming to have hacked the US Federal Reserve.

The announcement was seen by some within the IT security community as a bold — some used the word "desperate"­ — comeback attempt following the recent, high-profile law enforcement takedown of the ransomware giant. 

After publishing a post on its data leak site threatening to release "33 terabytes of juicy banking information containing Americans' banking secrets" if a ransom was not paid, LockBit then released some of the data, which was actually stolen from Evolve.

"It appears these bad actors have released illegally obtained data, including personal identification information (PII), on the Dark Web," according to an Evolve statement. "The data varies by individual, but may include your name, Social Security number, date of birth, account information and/or other personal information."

The statement noted the company had contacted law enforcement authorities as part of the bank's investigation and response efforts.

"Based on what our investigation has found and what we know at this time, we are confident this incident has been contained and there is no ongoing threat," the statement said.

The company added that retail banking customers’ debit cards, online, and digital banking credentials did not seem to be affected by the breach.

"Those credentials appear to be secure," a statement said.

**Evolve Already Target of Fed Action**

Earlier this month, the Federal Reserve Board issued an enforcement action against Evolve Bancorp and Evolve Bank & Trust, accusing the company of deficiencies in their anti-money laundering, risk management, and consumer compliance programs.

"Examinations conducted in 2023 found Evolve did not maintain an effective risk-management program or controls sufficient to comply with anti-money laundering laws and laws protecting consumers," the Fed statement read.

Stephen Gates, principal security SME for Horizon3.ai, said in an emailed statement that once an organization experiences a breach, and the smoke begins to clear, the biggest decision is what to do next.

"Everything in the networking environment is now suspect, possibly riddled with other exploitable vulnerabilities and weaknesses that likely remain hidden," he said.

That means that teams must find the attack path that allowed the breach to happen, and they need to uncover other attack paths that could enable it to happen again.

"Now is the time to thoroughly assess the entire networking environment, both on-premises and cloud, but that could take months if not longer," Gates said.

**Financial Sector Defenses Must Evolve**

Piyush Pandey, CEO at Pathlock, says the recent enforcement action against Evolve Bancorp underscores the critical importance of robust sensitive data and application access controls within financial institutions.

"As traditional banking continues to intersect with innovative fintech solutions, maintaining stringent identity and access controls is a must," he says.

He also points out that the interconnectedness and complexity of supply chains in the financial sector increases the difficulty of managing and securing third-party access.

"Given how highly regulated the financial sector is with regards to data protection and privacy, ensuring that third-party vendors comply with these regulations is crucial, yet challenging," Pandey explains.

He adds that by focusing on rigorous controls testing and enforcement, including stringent management of third-party identities and access, financial institutions can significantly strengthen their security posture, protect sensitive data, and ensure compliance with regulatory requirements.

"This proactive approach not only safeguards customer data — and trust — but also enhances the institution's overall resilience against these types of attacks," Pandey says.

Narayana Pappu, CEO at Zendata, notes that financial and medical institutions store significant amount highly sensitive data with significant monetary impact for exposed organizations.

"Therefore, it makes sense that organizations like LockBit are going after this information," he says.

From his perspective, data minimization — not capturing or storing data that is not needed — would help these institutions significantly.

"The trend to date has been to capture, store and make multiple copies of information that is not really needed to run the business," Pappu says. "Just 5% of data collected is properly labeled and governed, for example."

**About the Author(s)**

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.

LockBit Attack Targets Evolve Bank, Not Federal Reserve

Security researchers have shed more light on the cryptocurrency mining operation conducted by the 8220 Gang by exploiting known security flaws in the Oracle WebLogic Server.
"The threat actor employs fileless execution techniques, using DLL reflective and process injection, allowing the malware code to run solely in memory and avoid disk-based detection mechanisms," Trend Micro researchers Ahmed

Security researchers have shed more light on the cryptocurrency mining operation conducted by the **8220 Gang** by exploiting known security flaws in the Oracle WebLogic Server.

"The threat actor employs fileless execution techniques, using DLL reflective and process injection, allowing the malware code to run solely in memory and avoid disk-based detection mechanisms," Trend Micro researchers Ahmed Mohamed Ibrahim, Shubham Singh, and Sunil Bharti said in a new analysis published today.

The cybersecurity firm is tracking the financially motivated actor under the name Water Sigbin, which is known to weaponize vulnerabilities in Oracle WebLogic Server such as CVE-2017-3506, CVE- 2017-10271, and CVE-2023-21839 for initial access and drop the miner payload via multi-stage loading technique.

A successful foothold is followed by the deployment of PowerShell script that's responsible for dropping a first-stage loader ("wireguard2-3.exe") that mimics the legitimate WireGuard VPN application, but, in reality, launches another binary ("cvtres.exe") in memory by means of a DLL ("Zxpus.dll").

The injected executable serves as a conduit to load the PureCrypter loader ("Tixrgtluffu.dll") that, in turn, exfiltrates hardware information to a remote server and creates scheduled tasks to run the miner as well as excludes the malicious files from Microsoft Defender Antivirus.

In response, the command-and-control (C2) server responds with an encrypted message containing the XMRig configuration details, following which the loader retrieves and executes the miner from an attacker-controlled domain by masquerading it as "AddinProcess.exe," a legitimate Microsoft binary.

The development comes as the QiAnXin XLab team detailed a new installer tool used by the 8220 Gang called k4spreader since at least February 2024 to deliver the Tsunami DDoS botnet and the PwnRig mining program.

The malware, which is currently under development and has a shell version, has been leveraging security flaws such as Apache Hadoop YARN, JBoss, and Oracle WebLogic Server to infiltrate susceptible targets.

"k4spreader is written in cgo, including system persistence, downloading and updating itself, and releasing other malware for execution," the company said, adding it's also designed to disable the firewall, terminate rival botnets (e.g., kinsing), and printing operational status.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#web