Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Europe. Show all posts

Is Google Spying on You? EU Investigates AI Data Privacy Concerns



Google is currently being investigated in Europe over privacy concerns raised about how the search giant has used personal data to train its generative AI tools. The subject of investigation is led by Ireland's Data Protection Commission, which ensures that the giant technical company adheres to strict data protection laws within the European Union. This paper will establish whether Google adhered to its legal process, such as obtaining a Data Protection Impact Assessment (DPIA), before using people's private information to develop its intelligent machine models.

Data Collection for AI Training Causes Concerns

Generative AI technologies similar to Google's brand Gemini have emerged into the headlines because these tend to create fake information and leak personal information. This raises the question of whether Google's AI training methods, necessarily involving tremendous amounts of data through which such training must pass, are GDPR-compliant-its measures to protect privacy and rights regarding individuals when such data is used for developing AI.

This issue at the heart of the probe is if Google should have carried out a DPIA, which is an acronym for Data Protection Impact Assessment-the view of any risks data processing activities may have on the rights to privacy of individuals. The reason for conducting a DPIA is to ensure that the rights of the individuals are protected simply because companies like Google process humongous personal data so as to create such AI models. The investigation, however, is specifically focused on how Google has been using its model called PaLM2 for running different forms of AI, such as chatbots and enhancements in the search mechanism.

Fines Over Privacy Breaches

But if the DPC finds that Google did not comply with the GDPR, then this could pose a very serious threat to the company because the fine may amount to more than 4% of the annual revenue generated globally. Such a company as Google can raise billions of dollars in revenue every year; hence such can result in a tremendous amount.

Other tech companies, including OpenAI and Meta, also received similar privacy-based questions relating to their data practices when developing AI.

Other general issues revolve around the processing of personal data in this fast-emerging sphere of artificial intelligence.

Google Response to Investigation

The firm has so far refused to answer questions over specific sources of data used to train its generative AI tools. A company spokesperson said Google remains dedicated to compliance with the GDPR and will continue cooperating with the DPC throughout the course of the investigation. The company maintains it has done nothing illegal. And just because a company is under investigation, that doesn't mean there's something wrong with it; the very act of inquiring itself forms part of a broader effort to ensure that companies using technology take account of how personal information is being used.

Data Protection in the AI Era

DPC questioning of Google is part of a broader effort by the EU regulators to ensure generative AI technologies adhere to the bloc's high data-privacy standards. As concerns over how personal information is used, more companies are injecting AI into their operations. The GDPR has been among the most important tools for ensuring citizens' protection against misuse of data, especially during cases involving sensitive or personal data.

In the last few years, other tech companies have been prosecuted with regard to their data-related activities in AI development. Recently, the developers of ChatGPT, OpenAI, and Elon Musk's X (formerly Twitter), faced investigations and complaints under the law of GDPR. This indicates the growing pressure technological advancement and the seriousness in the protection of privacy are under.

The Future of AI and Data Privacy

In developing AI technologies, firms developing relevant technology need to strike a balance between innovation and privacy. The more innovation has brought numerous benefits into the world-search capabilities and more efficient processes-the more it has opened risks to light by leaving personal data not so carefully dealt with in most cases.

Moving forward, the regulators, including the DPC, would be tracking the manner in which the companies like Google are dealing with the data. It is sure to make rules much more well-defined on what is permissible usage of personal information for developing the AI that would better protect individuals' rights and freedoms in this digital age.

Ultimately, the consequences of this study may eventually shape how AI technologies are designed and implemented in the European Union; it will certainly inform tech businesses around the world.


China-Backed Earth Baku Broadens Cyber Assaults to Europe, Middle East, and Africa

 

The China-backed threat actor Earth Baku has diversified its targeting footprint beyond the Indo-Pacific region to include Europe, the Middle East, and Africa starting in late 2022. Newly targeted countries include Italy, Germany, the U.A.E., and Qatar, with suspected attacks also detected in Georgia and Romania. Governments, media and communications, telecoms, technology, healthcare, and education sectors are among those singled out as part of the intrusion set.

Trend Micro researchers Ted Lee and Theo Chen, in an analysis published last week, noted that Earth Baku has updated its tools, tactics, and procedures (TTPs) in more recent campaigns. The group utilizes public-facing applications such as IIS servers as entry points for attacks, subsequently deploying sophisticated malware toolsets on the victim's environment. The findings build upon recent reports from Zscaler and Google-owned Mandiant, which also detailed the threat actor's use of malware families like DodgeBox (aka DUSTPAN) and MoonWalk (aka DUSTTRAP). Trend Micro has assigned them the monikers StealthReacher and SneakCross.

Earth Baku, a threat actor associated with APT41, has been known for its use of StealthVector as far back as October 2020. Their attack chains involve the exploitation of public-facing applications to drop the Godzilla web shell, which is then used to deliver follow-on payloads. StealthReacher has been classified as an enhanced version of the StealthVector backdoor loader, responsible for launching SneakCross, a modular implant and a likely successor to ScrambleCross that leverages Google services for its command-and-control (C2) communication.

The attacks are further characterized by the use of other post-exploitation tools such as iox, Rakshasa, and a Virtual Private Network (VPN) service known as Tailscale. Sensitive data exfiltration to the MEGA cloud storage service is accomplished by means of a command-line utility dubbed MEGAcmd. "The group has employed new loaders such as StealthVector and StealthReacher to stealthily launch backdoor components, and added SneakCross as their latest modular backdoor," the researchers stated.

"The persistence of Earth Baku is notable," said the researchers. "Their tactics show a sophisticated understanding of public-facing applications, allowing them to infiltrate various sectors with precision." They further explained that the group's post-exploitation tools are customized to fit specific operational needs, with iox and Rakshasa playing significant roles in maintaining prolonged access and stealth. Tailscale, the VPN service, ensures the attackers can manage their operations without detection, while MEGAcmd allows for efficient data exfiltration.

The continued evolution of Earth Baku's methods, including the introduction of new malware like SneakCross, highlights the growing complexity and threat posed by this actor. The group’s ability to adapt and refine their TTPs makes them a formidable adversary in the cyber landscape.

Poland Pushes for Shorter Drug Data Protection in EU

 


At a recent EU meeting in Luxembourg, Poland supported a European Commission proposal to shorten the time new drugs are protected by data exclusivity rules. Health Minister Izabela Leszczyna said Poland prefers one year of market protection over longer periods of data protection.

In April 2023, the European Commission suggested reducing the data exclusivity period for drugs from eight to six years. Minister Leszczyna agreed, saying this would help people access new treatments more quickly without adding extra paperwork. She also proposed one year of market protection for new uses of existing drugs instead of extending data protection.

Balancing Incentives and Access

Minister Leszczyna emphasised that Poland supports measures to ensure all EU countries have access to modern treatments. She suggested that incentives should focus on market protection and not last longer than a year. For drugs treating rare diseases, extending protection could be considered, but for other drugs, different solutions should be found.

Challenges in Generic Drug Production 

Krzysztof Kopeć, President of the Polish Association of Pharmaceutical Industry Employers, highlighted issues with drug shortages, especially for generic drugs. He explained that producing drugs in Europe is becoming less profitable, leading to shortages. Although the European Commission wants to boost drug production in Europe, current regulations do not support this, and production costs are higher in Europe than in Asia.

Concerns from Innovative Drug Companies

Innovative drug companies argue that changing existing intellectual property rules is not the answer to drug access problems. They believe the current rules should continue to support innovation and ensure EU patients can access new treatments. Michał Byliniak, General Director of INFARMA, stressed the need for EU reforms to improve drug supply security, availability, and affordability while also supporting new drug development.

INFARMA is discussing potential risks of shorter protection periods with the Ministry of Health and other stakeholders. They warn that reducing protection could limit access to advanced treatments. INFARMA supports keeping current data protection levels and creating incentives to promote innovation, address unmet medical needs, and encourage research in the EU.

Poland's support for a shorter data exclusivity period shows its commitment to balancing access to new treatments, innovation, and economic realities in the EU drug industry. As discussions continue, the goal remains to create rules that ensure safe, effective, and affordable medicines are available to everyone in Europe.



Hackers Use Trojanized Minesweeper Clone to Phish Financial Organizations

 

Hackers are exploiting code from a Python clone of Microsoft's classic Minesweeper game to conceal malicious scripts in attacks targeting financial institutions in Europe and the US.

Ukraine's CSIRT-NBU and CERT-UA have identified the threat actor 'UAC-0188' as responsible for these attacks. They are using the legitimate game code to hide Python scripts that download and install the SuperOps RMM (Remote Monitoring and Management) software. SuperOps RMM, though legitimate, provides remote actors with direct access to compromised systems.

CERT-UA's investigation into the initial discovery has uncovered at least five breaches in financial and insurance sectors across Europe and the United States linked to these same files.

The attack initiates with an email from "support@patient-docs-mail.com," posing as a medical center with the subject "Personal Web Archive of Medical Documents." The email prompts recipients to download a 33MB .SCR file from a Dropbox link. This file includes harmless code from a Python clone of Minesweeper, alongside malicious Python code designed to download additional scripts from a remote source, "anotepad.com."

Incorporating Minesweeper code within the executable helps disguise the 28MB base64-encoded string containing the malicious code, making it seem benign to security software. The Minesweeper code features a function named "create_license_ver," repurposed to decode and execute the hidden malicious code, using legitimate software components to mask and facilitate the attack.

The base64 string decodes to a ZIP file containing an MSI installer for SuperOps RMM, which is extracted and executed using a static password. While SuperOps RMM is a legitimate tool, in this scenario, it grants attackers unauthorized access to the victim's computer.

CERT-UA advises organizations not using SuperOps RMM to treat its presence or related network activity, such as connections to "superops.com" or "superops.ai" domains, as indicators of a compromise.

The agency has also provided additional indicators of compromise (IoCs) associated with this attack at the end of their report.

Europe's Digital Markets Act Compels Tech Corporations to Adapt

 

Europeans now have the liberty to select their preferred online services, such as browsers, search engines, and iPhone apps, along with determining the usage of their personal online data. 

These changes stem from the implementation of the Digital Markets Act (DMA), a set of laws introduced by the European Union targeting major technology firms including Amazon, Apple, Microsoft, Google (under Alphabet), Meta (formerly Facebook), and ByteDance (owner of TikTok).

This legislation marks Europe's ongoing efforts to regulate large tech companies, requiring them to adapt their business practices. Notably, Apple has agreed to allow users to download smartphone apps from sources other than its App Store. The DMA applies to 22 services ranging from operating systems to messaging apps and social media platforms, affecting prominent offerings like Google Maps, YouTube, Amazon's Marketplace, Apple's Safari browser, Meta's Facebook, Instagram, WhatsApp, Microsoft Windows, and LinkedIn.

Companies found in violation of the DMA could face hefty fines, up to 20% of their global annual revenue, and even potential breakup for severe breaches. The impact of these rules is not limited to Europe, as other countries, including Japan, Britain, Mexico, South Korea, Australia, Brazil, and India, are considering similar legislation to curb tech giants' dominance in online markets.

One significant change resulting from the DMA is Apple's decision to allow European iPhone users to download apps from sources beyond its App Store, a move the company had previously resisted. However, Apple will introduce a 55-cent fee for each iOS app downloaded from external stores, raising concerns among critics about the viability of alternative app platforms.

Furthermore, the DMA grants users greater freedom to choose their preferred online services and restricts companies from favouring their own offerings in search results. 

For instance, Google search results will now include listings from competing services like Expedia for searches related to hotels. Additionally, users can opt out of targeted advertising based on their online data, while messaging systems are required to be interoperable, forcing Meta to propose solutions for seamless communication between its platforms, Facebook Messenger and WhatsApp.

Europe's Shipping Industry Grapples with Widespread Cyberattack

 

A significant cyberattack has impacted shipping companies across Europe, commencing on Thursday afternoon. The attack, believed to be a Distributed Denial of Service (DDoS) incident, has led to the widespread unavailability of numerous websites. IT teams are currently hard at work, actively addressing and resolving the situation.

Johanna Boijer-Svahnström, the Senior Vice President of Viking Line, discussed the extensive cyberattack that occurred on Thursday. In a statement to HBL, she emphasized that the cyber assault had a notable impact on major shipping companies operating throughout Europe.

"It appears to be a DDOS cyber attack targeting shipping companies across Europe. Our webpages are currently inaccessible, and our IT department is actively working to resolve the issue," Johanna conveyed to HBL.

The Cyber Express reached out to the company to verify the security incident and gather additional information following the cyberattack. Regrettably, at the time of preparing this report, no confirmation has been received from Viking Line.

According to media reports, the Viking Line cyberattack appears to have been a DDoS attack stemming from an overload on the company's website. This cyber assault had a widespread impact, affecting nearly all major shipping companies in the region.

About Viking Line

Viking Line, established in 1959, is a prominent shipping company specializing in cruise, cargo, and passenger services primarily within the Baltic Sea region. The company maintains a fleet of more than 50 vessels offering services in all three categories, with a current workforce of over 2,000 employees.

A recent report citing research conducted by the law firm HFW suggests that the shipping industry is considered an "easy target" for cybercriminals. The same report indicates a notable increase in ransomware attacks, with ransom demands rising by an astounding 350% over the past year.

"Our findings reveal that despite improvements in maritime cybersecurity, the industry remains vulnerable. Shipping organizations are facing a surge in cyberattacks, along with a substantial increase in ransom payment demands. As technology continues to play a larger role across all aspects of shipping, encompassing ship networks, offshore installations, and onshore control centers, the potential for cybersecurity breaches also escalates," reported Heavylift PFI, quoting Tom Walters, a partner at Hollman Fenwick Willan, a global law firm.

Incidents like the Viking Line Cyberattack underscore the critical importance of robust cybersecurity measures within the shipping industry. It serves as a reminder that a proactive approach to cybersecurity across various sectors is imperative to prevent escalating challenges.

Consumer Finance Group Supports Enhanced Privacy in the Use of Digital Euro

Privacy and security in financial transactions are becoming increasingly important in our digital age. The Consumer Finance Group's recent call for stricter privacy protections for the digital Euro is a proactive step to ensure that people's financial information is protected.

The Consumer Finance Group, a prominent advocate for consumer rights, has raised concerns about the potential privacy vulnerabilities associated with the digital Euro, which is currently under development by the European Central Bank. As reported by ThePrint and Reuters, the group emphasizes the need for robust privacy protections.

One of the key concerns highlighted by the Consumer Finance Group is the risk of digital Euro transactions being traced and monitored without adequate safeguards. This could lead to an invasion of financial privacy, as every transaction could potentially be linked to an individual, raising concerns about surveillance and misuse of data.

To address these concerns, the group has proposed several measures:

  • Enhanced Encryption: They suggest implementing advanced encryption protocols to protect the privacy of digital Euro users. This would make it exceedingly difficult for unauthorized parties to access transaction details.
  • Anonymous Transactions: The group advocates for the option of anonymous transactions, allowing users to make payments without revealing their identities. While this could raise concerns about potential illicit activities, it also protects the privacy of law-abiding citizens.
  • Clear Data Retention Policies: Consumer Finance Group also calls for transparent data retention policies, ensuring that personal financial data is not stored longer than necessary and is subject to strict regulations.
  • User Consent: They propose that users should have clear and informed consent regarding the collection and use of their financial data, empowering individuals to make choices about their privacy.

While these measures are essential for safeguarding privacy, it's essential to strike a balance between privacy and security. Implementing stringent privacy measures must also consider the need to combat financial crimes such as money laundering and terrorism financing.

The European Central Bank and policymakers should carefully consider the recommendations put forth by the Consumer Finance Group. Finding the right balance between privacy and security in the digital Euro's design will be crucial in gaining public trust and ensuring the widespread adoption of this digital currency.

The need for stronger privacy protections in the digital Euro is a reminder of the importance of safeguarding personal financial data in our increasingly digitalized society. Regulators and financial institutions must prioritize addressing these privacy issues as digital currencies become more widely used.

Is Italy's ChatGPT Ban Setting a New Standard for the Rest of Europe?

 

After Italy became the first Western country to block advanced chatbot ChatGPT on Friday due to a lack of transparency in its data use, Europe is wondering who will follow. Several neighboring countries have already expressed interest in the decision.

“In the space of a few days, specialists from all over the world and a country, Italy, are trying to slow down the meteoric progression of this technology, which is as prodigious as it is worrying,” writes the French daily Le Parisien.


Many cities in France have already begun with their own research “to assess the changes brought about by ChatGPT and the consequences of its use in the context of local action,” reports Ouest-France.


The city of Montpellier wants to ban ChatGPT for municipal staff, as a precaution," the paper reports. “The ChatGPT software should be banned within municipal teams considering that its use could be detrimental.”


According to the BBC, the Irish data protection commission is following up with the Italian regulator to understand the basis for its action and "will coordinate with all E.U. (European Union) data protection authorities" in relation to the ban.


The Information Commissioner's Office, the United Kingdom's independent data regulator, also told the BBC that it would "support" AI developments while also "challenging non-compliance" with data protection laws.


ChatGPT is already restricted in several countries, including China, Iran, North Korea, and Russia. The E.U. is in the process of preparing the Artificial Intelligence Act, legislation “to define which AIs are likely to have societal consequences,” explains Le Parisien. “This future law should in particular make it possible to fight against the racist or misogynistic biases of generative artificial intelligence algorithms and software (such as ChatGPT). 


The Artificial Intelligence Act also proposes appointing one regulator in charge of artificial intelligence in each country.


The Italian situation

The Italian data protection authority explained that it was banning and investigating ChatGPT due to privacy concerns about the model, which was developed by a U.S. start-up called OpenAI, which is backed by billions of dollars in investment from Microsoft.


The decision "with immediate effect" announced by the Italian National Authority for the Protection of Personal data was taken because “the ChatGPT robot is not respecting the legislation on personal data and does not have a system to verify the age of minor users,” Le Point reported. 


“The move by the agency, which is independent from the government, made Italy the first Western country to take action against a chatbot powered by artificial intelligence,” wrote Reuters. 


The Italian data protection authority stated that it would not only block OpenAI's chatbot, but would also investigate whether it complied with the EU's General Data Protection Regulation.

Protecting minors

It goes on to say that the new technology "exposes minors to completely inappropriate answers in comparison to their level of development and awareness."


According to the press release from the Italian Authority, on March 20, ChatGPT "suffered a loss of data ('data breach') concerning user conversations and information relating to the payment of subscribers to the paid service."


It also mentions the "lack of a legal basis justifying the mass collection and storage of personal data for the purpose of 'training' the algorithms underlying the platform's operation."


ChatGPT was released to the public in November and was quickly adopted by millions of users who were impressed by its ability to answer difficult questions clearly, mimic writing styles, write sonnets and papers, and even pass exams. ChatGPT can also be used without any technical knowledge to write computer code.


“Since its release last year, ChatGPT has set off a tech craze, prompting rivals to launch similar products and companies to integrate it or similar technologies into their apps and products,” writes Reuters.


"On Friday, OpenAI, which disabled ChatGPT for users in Italy in response to the agency's request, said it is actively working to reduce the use of personal data in training its AI systems like ChatGPT."


According to Euronews, the Italian watchdog has now asked OpenAI to "communicate within 20 days the measures undertaken" to remedy the situation, or face a fine of €20 million ($21.7 million) or up to 4% of annual worldwide turnover.


The announcement comes after Europol, the European police agency, warned on Monday that criminals were ready to use AI chatbots like ChatGPT to commit fraud and other cybercrimes. The rapidly evolving capabilities of chatbots, from phishing to misinformation and malware, are likely to be quickly exploited by those with malicious intent, Europol warned in a report.


Police Hacked Thousands of Phones. Was it Legal?


In October 2020, Christian Lödden’s potential clients sought to discuss just one thing, which carried on for a week. Every individual whom the German criminal defense lawyer has contacted had apparently been utilizing the encrypted phone network EncroChat. This information raised concerns about their devices being hacked, potentially exposing the crimes they may have been a part of. “I had 20 meetings like this. Then I realized—oh my gosh—the flood is coming.” Lödden says. 

Authorities in Europe, led by French and Dutch forces disclosed how the EncroChar network had been compromised several months earlier. More than 100 million messages were siphoned out by malware the police covertly inserted into the encrypted system, exposing the inner workings of the criminal underworld. People openly discussed drug deals, coordinated kidnappings, premeditated killings, and worse. 

The hack, considered one of the largest ever being conducted by the police, was an intelligence gold mine. It led to hundreds of arrests, home raids, and thousands of kilograms of drugs being seized. Following this, thousands of EncroChat members are now imprisoned in Europe, including the UK, Germany, France, and the Netherlands, after two years have passed. 

Hacking EncroChat 

The EncroChat phone network, which was established in 2016, had about 60,000 users when it was uncovered by law enforcement. According to EncroChat's company website, subscribers paid hundreds of dollars to use a customized Android phone that could "guarantee anonymity." The phone's security features included the ability to "panic wipe" everything on the device, live customer assistance, and encrypted conversations, notes, and phone calls using a version of the Signal protocol. Its GPS chip, microphone, and camera may all be taken out. 

Instead of decrypting the phone network, it appears that the police who hacked it compromised the EncroChat servers in Roubaix, France, and then distributed malware to devices. 

According to court filings, 32,477 of EncroChat's 66,134 users in 122 countries were affected, despite the little-known fact on how the breach occurred or the kind of malware deployed. 

The Documents obtained by Motherboard indicated that the investigators might potentially collect all of the data on the phones. The participating law enforcement agencies in the inquiry exchanged this information. (EncroChat claimed to be a legitimate business before shutting down as a result of the breach.) 

Legal Challenged Building Up 

In regard to the hack, Europe is facing several legal challenges. 

While in many countries the court has ruled that the hacked EncroChat messages can be utilized as legal shreds of evidence, these decisions have now been disputed. 

According to a report by Computer Weekly, many of the reported cases possess complexity: Every country has a unique legal system with distinct guidelines about the kinds of evidence that may be utilized and the procedures prosecutors must adhere to. For instance, Germany places strict restrictions on the installation of malware on mobile devices, while the UK generally forbids the use of "intercepted" evidence in court. 

The most well-known objection to date comes from German attorneys. One of the top courts on the continent, the Court of Justice of the European Union (CJEU), received an EncroChat appeal from a regional court in Berlin in October. 

The judge asked the court to rule on 14 issues relating to the use of the data in criminal cases and how it was moved across Europe. The Berlin court emphasized how covert the investigation was. The court decision's machine translation states that "technical specifics on the operation of the trojan software and the storage, assignment, and filtering of the data by the French authorities and Europol are not known." "French military secrecy inherently affects how the trojan software functions." 

Police Being Praised 

Despite the legal issues, police departments all around Europe have praised the EncroChat breach and how it has assisted in locking up criminals. In massive coordinated policing operations that began as soon as the hack was revealed in June 2020, hundreds of people were imprisoned. In the Netherlands, police found criminals using shipping containers as "torture chambers." 

Since then, a steady stream of EncroChat cases has been brought before courts, and individuals have been imprisoned for some of the most severe crimes. The data from EncroChat has been a tremendous help to law enforcement; as a result of the police raids, organized crime arrests in Germany increased by 17%, and at least 2,800 persons have been detained in the UK. 

But is it Legal? 

Despite the police being lauded for capturing the criminals, according to the lawyers, this method of investigation is flawed and should not be presented as evidence in court. They emphasized how the secrecy of the hacking indicates that suspects have not received fair trials. A lawsuit from Germany was then sent to Europe's top court toward the end of 2022. 

If successful, the appeal could jeopardize criminals' convictions across Europe. Additionally, analysts claim that the consequences have an impact on end-to-end encryption globally. 

“Even bad people have rights in our jurisdictions because we are so proud of our rule of law […] We’re not defending criminals or defending crimes. We are defending the rights of accused people,” says Lödden.  

Manchester Arena's Weapon Detecting


Evolv claims it can detect all weapons

US-based company "Evolv" known for selling artificial intelligence (AI) scanners, claims it detects all weapons.

However, the research firm IPVM says Evolv might fail in detecting various types of knives and some components and bombs. 

Evolv says it has told venues of all "capabilities and limitations." Marion Oswald, from Government Centre for Data Ethics and Innovation said there should be more public knowledge as well as independent evaluation of the systems before they are launched in the UK. 

Because these technologies will replace methods of metal detection and physical searches that have been tried and tested. 

Raised Concerns

AI and machine learning allow scanners to make unique "signatures" of weapons that distinguish them from items like computers or keys, lessening the need for preventing long queues in manual checks. 

"Metallic composition, shape, fragmentation - we have tens of thousands of these signatures, for all the weapons that are out there. All the guns, all the bombs, and all the large tactical knives," said Peter George, chief executive, in 2021. For years, independent security experts have raised concerns over some of Evolv's claims. 

The company in the past didn't allow IPVM to test its technology named Evolv Express. However, last year, Evolve allowed the National Center for Spectator Sports Safety and Security (NCS4). 

NCS4's public report, released last year, gave a score of 2.84 out of 3 to Evolv- most of the guns were detected 100% of the time. 

IPVM's private report shows loopholes

However, it also produced a separate report (private), received via a Freedom of Information request by IPVM. The report gave Evolv's ability to identify large knives 42% of the time. The report said that the system failed to detect every knife on the sensitivity level noticed during the exercise. 

The report recommended full transparency to potential customers, on the basis of the data collected. ASM Global, owner of Manchester arena said its use of Evolv Express is the "first such deployment at the arena in Europe," it is also planning to introduce technology to other venues. 

In an unfortunate incident in 2017, a man detonated a bomb at an Ariana Grande concert in the arena, which kille22 people and injured more than hundreds, primarily children. 

Evolv's Response

Evolv didn't debate IPVM's private report findings. It says that the company believes in communicating sensitive security information, which includes capabilities and limitations of Evolv's systems, allowing security experts to make informed decisions for their specific venues. 

We should pay attention to NCS4's report as there isn't much public information as to how Evolv technology works. 



Ransomware Hit European Pipeline & Energy Supplier Encevo Linked to BlackCat

 

BlackCat ransomware gang claimed responsibility for the attack that occurred last week on Creos Luxembourg S.A., a company that owns and provides electricity networks and natural gas pipelines in the Grand Duchy of Luxembourg. 

In the wake of the news, cyber security researchers reported that they are currently investigating the extent of the damage done. 

Encevo, the parent company of Creos and energy that facilitates five EU countries confirmed on July 25 that the firm suffered a cyberattack over the weekend of July 22–23. The cyberattack had rendered Encevo and Creos’ customer portals inaccessible however, the services themselves remained unaffected. 

According to the reports, the BlackCat ransomware group uploaded 150GB of data on its exaction site stolen from Encevo, including contracts, bills, passports, and emails. The gang is now threatening to release and sell the data within hours if the ransom isn't paid. 

The attack majorly affected the natural gas pipeline and the energy supplier Enovos, however, Encevo assured its users that the supply would not be disrupted. The firm recommended its users update their login credentials as soon as possible, alongside, customers should also change their passwords on other websites if they are the same. 

"For now, the Encevo Group does not yet have all the information necessary to inform personally each potentially affected person. This is why we ask our customers not to contact us at the moment. Once again we apologize to our customers for the inconvenience and we do our best to restore full service as soon as possible. Creos and Enovos emphasize once again that the supply of electricity and gas are not affected and that the breakdown service is guaranteed’’, the company added. 

Reportedly, Creos has been contacted by many cyber news portals enquiring about more technical details and the consequences of the cyberattack, however, the representatives of the company did not share any information on the matter.

European Organizations Targeted by 'Mustang Panda’ Hacking Group

 

Cybersecurity researchers have unearthed a new campaign by advanced persistent threat (APT) group Mustang Panda targeting European and Russian organizations using topical spear-phishing lures linked to the war in Ukraine. 

Mustang Panda, also known as RedDelta, Bronze President, or TA416 has been active since at least 2012 and over the years has targeted entities in EU member states, the United States and Asian countries where China has interests. The targets have included diplomatic organizations, non-governmental organizations (NGOs), religious organizations, telecommunication firms, and political activists.

"Mustang Panda is a highly motivated APT group relying primarily on the use of topical lures and social engineering to trick victims into infecting themselves," Cisco Talos said in a new report published this week. 

The hacking group is known for designing its phishing lures based on current scenarios that might be of interest to its targets. These have included the COVID-19 pandemic, international summits, and political topics. The attacks observed this year by researchers from Cisco Talos and several other security firms used reports from EU institutions regarding the security situation in Europe both before and after Russia's invasion of Ukraine. 

Mustang Panda modus operandi 

The PlugX RAT, also known as KorPlug, continues to remain the Mustang Panda's preferred spying tool. is Mustang Panda’s malware of choice. The threat actor has used multiple variants of it for several years, together with other threat actors originating from China. 

Recent attack campaigns spotted this year have primarily phishing messages containing malicious lures masquerading as official European Union reports on the ongoing conflict in Ukraine or Ukrainian government reports, both of which download malware onto infected devices. 

A similar technique is also used to target various entities in the U.S. and several Asian countries like Myanmar, Hong Kong, Japan, and Taiwan. 

The researchers also spotted Mustang Panda distributing a malicious file containing PlugX with a Russian name referencing the Blagoveshchensk Border Guard Detachment. But similar attacks identified towards the end of March 2022 show that the actors are upgrading their tactics by minimizing the remote URLs used to obtain different components of the infection chain. 

Other than PlugX, infection chains utilized by the APT group have involved the deployment of custom stagers, reverse shells, Meterpreter-based shellcode, and Cobalt Strike, all of which are used to establish remote access to their targets with the intention of conducting espionage and information theft. 

"By using summit- and conference-themed lures in Asia and Europe, this attacker aims to gain as much long-term access as possible to conduct espionage and information theft," Talos researchers added.

Spanish FA Reported a Cyber Attack, Private Texts Seized

 

Police have been informed that the Royal Spanish Football Federation (RFEF) has witnessed a cyber attack. In recent months, top leaders of the union, particularly president Luis Rubiales, have had documents and information from private email accounts, private texts, and audio calls taken.

Headquartered in Las Rozas, La Ciudad del Ftbol, a community near Madrid, the Royal Spanish Football Federation is Spain's football regulating organization. The Spanish FA won the 2010 FIFA World Cup and two European Championships in a row as a result of these events. 

"It's likely this personally identifiable information, taken unlawfully and with clear criminal purpose, was provided to numerous media," the RFEF added. 

Before the publishing of the information, an unnamed journalist informed the RFEF claiming its media outlet had been provided access to illegally acquired material from an unknown source who communicated over an encrypted voice. 

"Through third parties, the media outlet in issue claimed to have obtained confidential contracts, private WhatsApp conversations, emails, and a variety of documents involving the RFEF management," the journalist told. "If accurate, it would be a crime of secret revelation and a breach of the people attacked's fundamental rights." 

The Spanish FA has condemned such "criminal and mafia" acts to all relevant organizations, as well as appointed a private firm to improve security and prevent future attacks.

Cyberattacks, like hacktivists, can be linked to cyber warfare or cyberterrorism. To put it another way, motivations can differ. And there are three basic types of motivations: criminal, political, and personal. Money theft, data theft, and company disruption are all options for criminally minded attackers.

Toddler Android Banking Malware Spreads Across Europe

 

Cybersecurity researchers have unearthed a new Android banking Trojan dubbed ‘Toddler’, which is infecting users across Europe. According to the team at the PRODAFT Threat Intelligence (PTI), Toddler, also known as TeaBot / Anatsa, is part of an increasing trend of mobile banking malware attacking countries such as Spain, Germany, Switzerland, and the Netherlands. 

The malware was first identified in January by a cybersecurity firm Cleafy. Threat actors have used the malware to attack users of 60 banks in Europe. In June, Bitdefender discovered Spain and Italy as two countries where users were most likely to get infected.

According to PTI, Spain has secured the top spot in cyberattacks in this year’s malware analysis. To date, at least 7,632 mobile devices have been infected. After breaking into the Command and Control (C2) server used by Trojan horse operators, the researchers also discovered over 1000 sets of stolen banking credentials.

Cybersecurity researchers have spotted numerous legitimate websites “serving” the Toddler malware through malicious .APK files and Android apps. However, there is no evidence of the malware on the Google Play Store. 

Toddler is pre-configured to target the users of “dozens” of banks across Europe, yet all of the known infections so far relate to just 18 different financial organizations, five of which comprise 90% of attacks. The Trojan works by utilizing overlay attacks to trick victims into submitting banking credentials on fraudulent login screens. Once installed, the malware monitors what legitimate apps are being opened -- and once target software is launched, the overlay attack begins. 

"Toddler downloads the specially-crafted login page for the opened target application from its C2. The downloaded webview phishing page is then laid over the target application. The user suspects nothing because this event happens almost instantaneously when the legitimate application is opened,” PRODAFT noted.

The malware also attempts to steal other account records, such as those used to access cryptocurrency wallets. The C2 command list includes the activation of an infected device’s screen, prompting users to grant permissions, uninstalling apps, and trying accessing Google Authenticator via accessibility. 

The level of permanence that this Trojan can sustain is unusual. Toddler includes multiple persistence mechanisms. Most notably, it exploits accessibility features to prevent infected devices from rebooting. "Toddler sets a new precedent for persistence module implementation. Removal of the malware from the device requires huge technical expertise, and it looks like the process will not get easier in the future,” researchers stated.

NATO's Cloud Platform Hacked

 

The SOA & IdM platform is utilized by NATO and is classified as secret. It was used to conduct various critical functions inside the Polaris programme. The North Atlantic Treaty Organization (NATO), commonly known as the North Atlantic Alliance, is an intergovernmental military alliance made up of 30 European and North American countries. 

The organization is responsible for carrying out the North Atlantic Treaty, which was signed on April 04, 1949. NATO is a collective defense organization in which NATO's independent member states commit to defending each other in the event of an external attack. NATO's headquarters are in Haren, Brussels, Belgium, and Allied Command Operations' headquarters is near Mons, Belgium. 

Polaris was developed as part of NATO's IT modernization effort and uses the SOA & IdM platform to provide centralized security, integration, and hosting information management. The military alliance classified the platform as a secret because it performs multiple key roles. 

According to the hackers, they used a backdoor to make copies of the data on this platform and attempted to blackmail Everis. They went even further, making jokes about handing over the stolen material to Russian intelligence. 

Paul Howland, Polaris Program Officer explained the benefits of the program: “This project has the potential to be a game-changer in how NATO will develop and deploy its operational services in the future. It will drive innovation and reduce costs. Operational by ensuring a much greater reuse of deployed capacities". 

The hackers who carried out the attack said they had no idea they could take advantage of a flaw in the NATO platform at first. Furthermore, they concentrated solely on Everis' corporate data in Latin America, despite NATO's announcement that it was ready to respond to a cyber-attack. One of the secure NATO systems was among Everis' subsidiaries, much to their astonishment. 

After analyzing the company and discovering documents connected to drones and military defense systems, the hackers continued stealing more data from Everis networks. They justified their actions by claiming that they were not "for peace on earth and in the cyber world" when they slowed the development of the Polaris programme. The hackers sought a ransom of XMR 14,500 from Everis in exchange for not linking the company's identity to the LATAM Airlines data breach. They've also demanded this money in exchange for not revealing any NATO data.

Malware Sload Aiming Europe Again

 

Sload (also termed as Starslord loader) has proven to be one of the most destructive malware variants in recent years. It usually acts as a downloader, which is a computer virus that accumulates and exfiltrates data from an infected system in order to analyze the target and drop a more significant payload if the target is profitable. 

Sload has been active in Europe since at least 2018, with numerous vendors reporting assaults on targets in the United Kingdom and Italy. Instead of employing an executable or a malicious document to invade devices, the malware's developers have chosen to use scripts that are intrinsic to Windows operating systems such as VBS and PowerShell as an initial foothold, tricking users into executing them using spear phishing. 

The downloader is undergoing development and has gone through several iterations; the creator is continuously changing the first stage script but the main module remains basically unchanged. 

According to early reports, this virus downloads a PowerShell script, which then downloads and executes Sload, using a rogue LNK file (Windows shortcut). Later editions start with obfuscated WSF/VBS scripts that are frequently mutated to avoid detection by anti-virus software. The initial script used in attacks has a low VirusTotal score and is meant to get beyond complex security technologies like EDRs. 

This year, Minerva Labs has noticed Sload infections arriving from Italian endpoints. The script they found is an obfuscated WSF script that decodes a sequence of malicious commands and then secretly downloads and runs a remote payload in memory after being executed. 

The script does this by renaming legal Windows binaries, which is a straightforward evasion method. Both "bitsadmin.exe" and "Powershell.exe" are copied and renamed, with the former being used to download a malicious PowerShell script and the latter loading it into memory and executing it. 

The downloader's final payload varies, but it has been known to drop the Ramnit and Trickbot banking trojans, both of which are extremely dangerous malware that can lead to ransomware attacks. 

APT: China-Based Threat Group Attacks Pulse Secure VPNs

 

Several hacker groups that are supposed to support Chinese long-term economic goals continue in the defense, high-tech, public, transportation, and financial services industry networks in the US and Europe. 

Many breaches have taken place wherein attacks by Chinese threat actors penetrated Pulse Secure VPN devices to break into an organization's network and steal confidential material. 

Whereas in several other incidents the attackers took full advantage of the Pulse Connect Secure (PCS) (CVE-2021-22893) authentication bypass vulnerability to enter into the victim's network. The intruders also gained control of the combination of previously known vulnerabilities. Meanwhile, last month, a failure in the bypass authentication was detected and rectified. 

Mandiant issued a warning this week – on China's advanced persistent threat (APT) activity for U.S. and European organizations. In the alert, Mandiant had focused on a battery of malware tools used to address vulnerabilities in Pulse Secure VPN devices on two Chinese-based organizations: UNC2630 and UNC2717. Mandiant said that UNC2630 had targeted US military industry groups and UNC2717 had attacked an EU entity. 

"The exploitation activity we have observed is a mix of targeting unpatched systems with CVEs from 2019 and 2020, as well as a previously unpatched 2021 CVE (CVE-2021-22893)," says Stephen Eckels, a reverse engineer at Mandiant. "Since our original report, Pulse Secure and Mandiant have worked together, and the zero-day has since been patched." 

"At this time, Pulse Secure has patched all known vulnerabilities," Eckels added. 

In certain cases, the attackers had set up their local admin accounts on critical Windows servers to operate freely on the target network. Instead of depending on internal endpoints of the security vulnerabilities, they used exclusivity of Pulse Secure web-shells and malware. 

The UNC2630 and UNC2717, according to Mandiant, are just two of the various groups which threaten Pulse Secure VPNs that seem to work for the interest of the Chinese administration. Many of the groups use the same number of instruments, but their strategies and tactics are different. 

There has been no confirmation so far that the threat actors had acquired American data that would provide economic advantages for Chinese enterprises. In particular, a 2012 agreement between President Barack Obama and a Chinese counterpart Xi prohibits cyber espionage of such data. 

"Right now we're not able to say that they haven't, just that we don't have direct evidence that they have violated [the agreement]," Mandiant says. "Some of the affected entities are private companies that would have commercial intellectual property, the theft of which would violate the agreement. We just have not seen direct evidence of that type of data being staged or exfiltrated." 

Mandiant's assessment of the Chinese ferocious ATP activities is coinciding with this week's alert from Microsoft for Nobellum, the Russian menace actor behind the SolarWinds attack and an extensive e-mail campaign. In both cases, cyber espionage seems to be the major motif in support of national strategic objectives.

Zeppelin Ransomware have Resumed their Operations After a Temporary Pause

 

According to BleepingComputer, the operators behind the Zeppelin ransomware-as-a-service (RaaS), aka Buran, have resumed operations following a brief outage. Zeppelin's operators, unlike other ransomware, do not steal data from victims or maintain a leak site. 

Experts from BlackBerry Cylance discovered a new version of the Vega RaaS, called Zeppelin, and it first appeared on the threat landscape in November 2019. In Europe, the United States, and Canada, the latest version was used in attacks against technology and healthcare firms. Zeppelin was discovered in November and was spread via a watering hole attack in which the PowerShell payloads were hosted on the Pastebin website. 

The Zeppelin ransomware does not infect users in Russia or other ex-USSR countries like Ukraine, Belorussia, or Kazakhstan, unlike other Vega ransomware variants. The ransomware enumerates files on all drives and network shares and attempts to encrypt them after being executed. Experts found that the encryption algorithm used is the same as that used by other Vega variants. 

“This is in contrast with the classic RaaS operations, where developers typically look for partners to breach into a victim network, to steal data, and deploy the file-encrypting malware. The two parties then split paid ransoms, with developers getting the smaller piece (up to 30%),” reported BleepingComputer. 

Advanced Intel (AdvIntel), threat detection and loss avoidance firm, discovered that the Zeppelin ransomware developers revised their operation in March. They announced a "big software upgrade" as well as a new round of sales. According to an intelligence survey, the new Zeppelin version costs $2,300 per core build, as per AdvIntel head of research Yelisey Boguslavskiy. 

Following the major update, Zeppelin's developers released a new version of the malware on April 27 that had few new features but improved the encryption's stability. They also promised that development on the malware would continue and that long-term users, known as "subscribers," would receive special care. 

“We continue to work. We provide individual conditions and a loyal approach for each subscriber, the conditions are negotiable. Write to us, and we will be able to agree on a mutually beneficial term of cooperation”, said Zeppelin ransomware. 

Zeppelin is one of the few ransomware operations on the market that does not use a pure RaaS model, and it is also one of the most common, with high-profile members of the cybercrime community recommending it.

New FiveHands Ransomware Deploy Into SonicWall Internal System

 

Earlier this year, money-oriented cybercriminals leveraged a zero-day vulnerability that has been introduced by SonicWall in its Secure Mobile Access (SMA) 100 Series VPN appliances to install advanced ransomware studied as FiveHands, victims are reported to be North American and European networks. 

The operation was traced by FireEye’s Mandiant cyber analysts as “UNC2447’’. Analysts unit has informed that the group took advantage of the CVE-2021-20016 SonicWall bug to breach networks and further install FiveHands ransomware payloads before the vendor released patches in late February 2021. Further, the report also reads that the threat actor poses advanced skills in exploiting networks. 

Additionally, over the past half a year, a brand new cyber hacker group has been noticed to be exploiting a wide range of malware and creating pressure on ransomware victims into making payments. 

Previously in similar contexts, FireEye reported that the cyber attackers have been deploying ransomware families and malware such as FiveHands (a variant of the DeathRansom ransomware), Sombrat, the Cobalt Strike beacon, the Warprism PowerShell dropper, and FoxGrabber, additionally the new ransomware's actions also demonstrated signs of RagnarLocker and HelloKitty ransomware affiliation. 

“When affiliate-based ransomware is observed by Mandiant, uncategorized clusters are assigned based on the infrastructure used, and in the case of UNC2447 were based on the Sombrat and Cobalt Strike Beacon infrastructure used across 5 intrusions between November 2020 and February 2021,” FireEye reported. 

The group deployed a critical SQL injection flaw in SonicWall SMA100 series devices, which will give remote access to attackers and further, access to login credentials, session information, and other vulnerable appliances. 

The existence of the vulnerability was first observed in January 2021, when SonicWall warned its customers that the company's internal system has been attacked in a cyber operation that may have targeted zero-day vulnerabilities in the company’s secure remote access devices. CVE-2021-20016 was patched in February 2021 by SonicWall, however, FireEye reported that UNC2447 had exploited it before the patch was released. 

"UNC2447 monetizes intrusions by extorting their victims first with FIVEHANDS ransomware followed by aggressively applying pressure through threats of media attention and offering victim data for sale on hacker forums," Mandiant further added in a report published today.

Facebook Dating Service available in 20 countries


Facebook has launched one of its most awaiting features; Facebook dating service in the United States and other 19 countries for its users who are above 18 years or older.

Currently, dating feature would be available in countries including US, Bolivia, Canada, Brazil, Argentina, Singapore, Suriname, Thailand, Laos, Guyana, Ecuador, Chile, Bolivia, Philippines, Mexico, Paraguay, Peru, Columbia,  Vietnam, and Malaysia.

Facebook said that they would launch a dating service in Europe in early 2020. While there is no word when they would launch the service in South East Asia.

"Today people are asked to make a decision as to whether or not they like someone immediately based on a static profile. To help you show, rather than tell, who you are, we're bringing Stories to Dating," Facebook blog post.

The user can create a dating profile, which will be entirely different and separate from the main profile.  People can integrate their Instagram posts in a dating profile, by the end of the year, and they would be able to add Instagram followers to their Secret Crush lists, in addition of their Facebook friends.

"By the end of the year, we'll make it possible to add Facebook and Instagram Stories to your Dating profile too,"  Facebook wrote in a blog post.

The dating service won't match you with your  Facebook friend until you choose to use Secret Crush and your crush too should have added you to their crush list.

"All of your Dating activity will stay in Facebook Dating. It won't be shared to the rest of Facebook," said the company.

"Finding a romantic partner is deeply personal, which is why we built Dating to be safe, inclusive and opt-in. Safety, security and privacy are at the forefront of this product," blog post.