ConnectOnCall breach exposes health data of over 910,000 patients

Healthcare software as a service (SaaS) company Phreesia is notifying over 910,000 people that their personal and health data was exposed in a May breach of its subsidiary ConnectOnCall, acquired in October 2023.

ConnectOnCall is a telehealth platform and after-hours on-call answering service with automated patient call tracking for healthcare providers.

“On May 12, 2024, ConnectOnCall learned of an issue impacting ConnectOnCall and immediately began an investigation and took steps to secure the product and ensure the overall security of its environment,” the company revealed.

“ConnectOnCall’s investigation revealed that between February 16, 2024, and May 12, 2024, an unknown third party had access to ConnectOnCall and certain data within the application, including certain information in provider-patient communications.”

After discovering the breach, Phreesia notified federal law enforcement of the incident and hired external cybersecurity specialists to investigate its nature and impact.

Phreesia also took ConnectOnCall offline and has since been working to restore the systems within a new and more secure environment.

While the statement doesn’t include the total number of people impacted, ConnectOnCall told the U.S. Department of Health and Human Services that the breach affected the protected health information of 914,138 patients.

ConnectOnCall HHS disclosure (BleepingComputer)

The personal information exposed during the almost three-month-long breach includes information shared in communications between patients and their healthcare providers, such as names and phone numbers.

This may have also included medical record numbers, dates of birth, as well as information related to health conditions, treatments, or prescriptions, and, in a small number of cases, the affected individuals’ Social Security Numbers.

“The ConnectOnCall service is separate from Phreesia’s other services, including our patient intake platform. Based on our investigation to date, there is no evidence that our other services have been affected,” Phreesia said in a separate statement on its official website.

“We understand the importance of this service to our clients’ business, and we are working to restore the ConnectOnCall service as quickly as possible.”

Phreesia also advised potentially impacted individuals to report suspected identity theft or fraud to their insurer, health plan, or financial institution, even though the company has no evidence that the exposed personal information has been misused.



Ukrainian Minors Recruited for Cyber Ops and Reconnaissance in Russian Airstrikes

Dec 16, 2024 | Ravie Lakshmanan | Cyber Attack / Cyber Espionage

The Security Service of Ukraine (SBU or SSU) has exposed a novel espionage campaign suspected to be orchestrated by Russia’s Federal Security Service (FSB) that involves recruiting Ukrainian minors for criminal activities under the guise of “quest games.”

The agency said it detained two FSB agent groups following a special operation in Kharkiv. Both groups, per the SSU, consisted exclusively of children aged 15 and 16.

“The minors carried out hostile tasks of conducting reconnaissance, correcting strikes, and arson,” the SSU said in a statement released Friday. “To mask subversive activities, both enemy cells operated separately from each other.”

As per the quest game rules set by the FSB, the children were given geographic coordinates, after which they were instructed to get to the location, take photos and videos of targets, and provide a general description of the surrounding area.

The results of these reconnaissance missions were subsequently shared to the Russian intelligence agency via anonymous chats. The SSU said the information gathered from these activities was used to carry out airstrikes in Kharkiv.

Ukraine’s principal security arm also revealed that it has detained “all members of the enemy groups” who were found taking photos of air defense facilities in the country. One of the organizers has been taken into custody and faces life imprisonment.

Also charged in connection with the efforts is a “liaison” of the FSB agent groups, a police officer from the Krasnodar region of Russia. He has been charged in absentia under Part 2 of Article 113 of the Criminal Code of Ukraine, which relates to acts of sabotage committed under martial law.

The development comes as the Computer Emergency Response Team of Ukraine (CERT-UA) warned of a new set of cyber attacks that it said were aimed at defense companies in the country as well as its security and defense forces. The intrusions have been attributed to a Russia-linked actor tracked as UAC-0185.



An Interview With the Target & Home Depot Hacker – Krebs on Security

In December 2023, KrebsOnSecurity revealed the real-life identity of Rescator, the nickname used by a Russian cybercriminal who sold more than 100 million payment cards stolen from Target and Home Depot between 2013 and 2014. Moscow resident Mikhail Shefel, who confirmed using the Rescator identity in a recent interview, also admitted reaching out because he is broke and seeking publicity for several new money-making schemes.

Mikhail “Mike” Shefel’s former Facebook profile. Shefel has since legally changed his last name to Lenin.

Mr. Shefel, who recently changed his legal surname to Lenin, was the star of last year’s story, Ten Years Later, New Clues in the Target Breach. That investigation detailed how the 38-year-old Shefel adopted the nickname Rescator while working as vice president of payments at ChronoPay, a Russian financial company that paid spammers to advertise fake antivirus scams, male enhancement drugs and knockoff pharmaceuticals.

Mr. Shefel did not respond to requests for comment in advance of that December 2023 profile. Nor did he respond to reporting here in January 2024 that he ran an IT company with a 34-year-old Russian man named Aleksandr Ermakov, who was sanctioned by authorities in Australia, the U.K. and U.S. for stealing data on nearly 10 million customers of the Australian health insurance giant Medibank.

But not long after KrebsOnSecurity reported in April that Shefel/Rescator also was behind the theft of Social Security and tax information from a majority of South Carolina residents in 2012, Mr. Shefel began contacting this author with the pretense of setting the record straight on his alleged criminal hacking activities.

In a series of live video chats and text messages, Mr. Shefel confirmed he indeed went by the Rescator identity for several years, and that he did operate a slew of websites between 2013 and 2015 that sold payment card data stolen from Target, Home Depot and a number of other nationwide retail chains.

Shefel claims the true mastermind behind the Target and other retail breaches was Dmitri Golubov, an infamous Ukrainian hacker known as the co-founder of Carderplanet, among the earliest Russian-language cybercrime forums focused on payment card fraud. Mr. Golubov could not be reached for comment, and Shefel says he no longer has the laptop containing evidence to support that claim.

Shefel asserts he and his team were responsible for developing the card-stealing malware that Golubov’s hackers installed on Target and Home Depot payment terminals, and that at the time he was technical director of a long-running Russian cybercrime community called Lampeduza.

“My nickname was MikeMike, and I worked with Dmitri Golubov and made technologies for him,” Shefel said. “I’m also godfather of his second son.”

Dmitri Golubov, circa 2005. Image: U.S. Postal Investigative Service.

A week after breaking the story about the 2013 data breach at Target, KrebsOnSecurity published Who’s Selling Cards from Target?, which identified a Ukrainian man who went by the nickname Helkern as Rescator’s original identity. But Shefel claims Helkern was subordinate to Golubov, and that he was responsible for introducing the two men more than a decade ago.

“Helkern was my friend, I [set up a] meeting with Golubov and him in 2013,” Shefel said. “That was in Odessa, Ukraine. I was often in that city, and [it’s where] I met my second wife.”

Shefel claims he made several hundred thousand dollars selling cards stolen by Golubov’s Ukraine-based hacking crew, but that not long after Russia annexed Crimea in 2014 Golubov cut him out of the business and replaced Shefel’s malware coding team with programmers in Ukraine.

Golubov was arrested in Ukraine in 2005 as part of a joint investigation with multiple U.S. federal law enforcement agencies, but his political connections in the country ensured his case went nowhere. Golubov later earned immunity from prosecution by becoming an elected politician and founding the Internet Party of Ukraine, which called for free internet for all, the creation of country-wide “hacker schools” and the “computerization of the entire economy.”

Mr. Shefel says he stopped selling stolen payment cards after being pushed out of the business, and invested his earnings in a now-defunct Russian search engine called tf[.]org. He also apparently ran a business called click2dad[.]net that paid people to click on ads for Russian government employment opportunities.

When those enterprises fizzled out, Shefel reverted to selling malware coding services for hire under the nickname “Getsend”; this claim checks out, as Getsend for many years advertised the same Telegram handle that Shefel used in our recent chats and video calls.

Shefel acknowledged that his outreach was motivated by a desire to publicize several new business ventures. None of those will be mentioned here because Shefel is already using my December 2023 profile of him to advertise what appears to be a pyramid scheme, and to remind others within the Russian hacker community of his skills and accomplishments.

Shefel says he is now flat broke, and that he currently has little to show for a storied hacking career. The Moscow native said he recently heard from his ex-wife, who had read last year’s story about him and was suddenly wondering where he’d hidden all of his earnings.

More urgently, Shefel needs money to stay out of prison. In February, he and Ermakov were arrested on charges of operating a short-lived ransomware affiliate program in 2021 called Sugar (a.k.a. Sugar Locker), which targeted single computers and end-users instead of corporations. Shefel is due to face those charges in a Moscow court on Friday, Nov. 15, 2024. Ermakov was recently found guilty and given two years probation.

Shefel claims his Sugar ransomware affiliate program was a bust, and never generated any profits. Russia is known for not prosecuting criminal hackers within its borders who scrupulously avoid attacking Russian businesses and consumers. When asked why he now faces prosecution over Sugar, Shefel said he’s certain the investigation was instigated by Pyotr “Peter” Vrublevsky — the son of his former boss at ChronoPay.

ChronoPay founder and CEO Pavel Vrublevsky was the key subject of my 2014 book Spam Nation, which described his role as head of one of Russia’s most notorious criminal spam operations.

Vrublevsky Sr. recently declared bankruptcy, and is currently in prison on fraud charges. Russian authorities allege Vrublevsky operated several fraudulent SMS-based payment schemes. They also accused Vrublevsky of facilitating money laundering for Hydra, the largest Russian darknet market at the time. Hydra trafficked in illegal drugs and financial services, including cryptocurrency tumbling for money laundering, exchange services between cryptocurrency and Russian rubles, and the sale of falsified documents and hacking services.

However, in 2022 KrebsOnSecurity reported on a more likely reason for Vrublevsky’s latest criminal charges: He’d been extensively documenting the nicknames, real names and criminal exploits of Russian hackers who worked with the protection of corrupt officials in the Russian Federal Security Service (FSB), and operating a Telegram channel that threatened to expose alleged nefarious dealings by Russian financial executives.

Shefel believes Vrublevsky’s son Peter paid corrupt cops to levy criminal charges against him after reporting the youth to Moscow police, allegedly for walking around in public with a loaded firearm. Shefel says the Russian authorities told the younger Vrublevsky that he had lodged the firearms complaint.

In July 2024, the Russian news outlet Izvestia published a lengthy investigation into Peter Vrublevsky, alleging that the younger son took up his father’s mantle and was responsible for advertising Sprut, a Russian-language narcotics bazaar that sprang to life after the Hydra darknet market was shut down by international law enforcement agencies in 2022.

Izvestia reports that Peter Vrublevsky was the advertising mastermind behind this 3D ad campaign and others promoting the Russian online narcotics bazaar Sprut.

Izvestia reports that Peter Vrublevsky is currently living in Switzerland, where he reportedly fled in 2022 after being “arrested in absentia” in Russia on charges of running a violent group that could be hired via Telegram to conduct a range of physical attacks in real life, including firebombings and muggings.

Shefel claims his former partner Golubov was involved in the development and dissemination of early ransomware strains, including Cryptolocker, and that Golubov remains active in the cybercrime community.

Meanwhile, Mr. Shefel portrays himself as someone who is barely scraping by with the few odd coding jobs that come his way each month. Incredibly, the day after our initial interview via Telegram, Shefel proposed going into business together.

By way of example, he suggested maybe a company centered around recovering lost passwords for cryptocurrency accounts, or perhaps a series of online retail stores that sold cheap Chinese goods at a steep markup in the United States.

“Hi, how are you?” he inquired. “Maybe we can open business?”



Cheat codes for faster LLMs • The Register

Hands on: When it comes to AI inferencing, the faster you can generate a response, the better – and over the past few weeks, we’ve seen a number of announcements from chip upstarts claiming mind-bogglingly high numbers.

Most recently, Cerebras claimed it had achieved an inference milestone, generating 969 tokens/sec in Meta’s 405 billion parameter behemoth – 539 tokens/sec at the model’s full 128K context window.

In the smaller Llama 3.1 70B model, Cerebras reported even higher performance, topping 2,100 tokens/sec. Not far behind, at 1,665 tokens/sec, is AI chip startup Groq.

These numbers far exceed anything that’s possible with GPUs alone. Artificial Analysis’s Llama 3.1 70B API leaderboard shows even the fastest GPU-based offerings top out at around 120 tokens/sec, with conventional IaaS providers closer to 30.

Some of this is down to the fact that neither Cerebras’s nor Groq’s chips are GPUs. They’re purpose-built AI accelerators that use large banks of SRAM to overcome the memory-bandwidth bottlenecks normally associated with inference.

However, that doesn’t account for such a large jump. Cerebras and Groq have previously shown Llama 3.1 70B performance of around 450 and 250 tokens/sec, respectively.

Instead, the leap in performance is possible thanks to a technique called speculative decoding.

A cheat code for performance

If you’re not familiar with the concept of speculative decoding, don’t worry. The technique is actually quite simple and involves using a smaller draft model – say Llama 3.1 8B – to generate the initial output, while a larger model – like Llama 3.1 70B or 405B – acts as a fact checker in order to preserve accuracy.

When successful, research suggests the technique can speed up token generation by anywhere from 2x to 3x while real-world applications have shown upwards of a 6x improvement. 

You can think of this draft model a bit like a personal assistant who’s an expert typist. They can respond to emails a lot faster, and so long as their prediction is accurate, all you – in this analogy the big model – have to do is click send. If they don’t get it right on the odd email, you can step in and correct it.

The result of using speculative decoding is, at least on average, higher throughputs because the draft model requires fewer resources – both in terms of TOPS or FLOPS and memory bandwidth. What’s more, because the big model is still checking the results, the benchmarkers at Artificial Analysis claim there’s effectively no loss in accuracy compared to just running the full model.

Try it for yourself

With all of that out of the way, we can move on to testing speculative decoding for ourselves. Speculative decoding is supported in a number of popular model runners, but for the purposes of this hands on we’ll be using Llama.cpp.

This is not intended to be a guide for installing and configuring Llama.cpp. The good news is getting it running is relatively straightforward and there are even some prebuilt packages available for macOS, Windows, and Linux – which you can find here.

That said, for best performance with your specific hardware, we always recommend compiling the latest release manually. You can find more information on compiling Llama.cpp here.

Once you’ve got Llama.cpp deployed, we can spin up a new server using speculative decoding. Start by locating the llama-server executable in your preferred terminal emulator.

Next we’ll pull down our models. We’ll be using a pair of 8-bit quantized GGUF models from Hugging Face to keep things simple. For our draft model, we’ll use Llama 3.2 1B and for our main model, we’ll use Llama 3.1 8B – which will require a little under 12GB of vRAM or system memory to run.

If you’re on macOS or Linux you can use wget to pull down the models.

wget https://huggingface.co/bartowski/Meta-Llama-3.1-8B-Instruct-GGUF/resolve/main/Meta-Llama-3.1-8B-Instruct-Q8_0.gguf

wget https://huggingface.co/bartowski/Llama-3.2-1B-Instruct-GGUF/resolve/main/Llama-3.2-1B-Instruct-Q8_0.gguf

Next, we can test out speculative decoding by running the following command. Don’t worry, we’ll go over each parameter in detail in a minute.

./llama-speculative -m Meta-Llama-3.1-8B-Instruct-Q8_0.gguf -md Llama-3.2-1B-Instruct-Q8_0.gguf -c 4096 -cd 4096 -ngl 99 -ngld 99 --draft-max 16 --draft-min 4 -n 128 -p "Who was the first prime minister of Britain?"

Note: Windows users will want to replace ./llama-speculative with llama-speculative.exe. If you aren’t using GPU acceleration, you’ll also want to remove -ngl 99 and -ngld 99.

A few seconds after entering our prompt, our answer will appear, along with a readout showing the generation rate and how many tokens were drafted by the small model versus how many were accepted by the big one. 

encoded    9 tokens in    0.033 seconds, speed:  269.574 t/s
decoded  139 tokens in    0.762 seconds, speed:  182.501 t/s
...
n_draft   = 16
n_predict = 139
n_drafted = 208
n_accept  = 125
accept    = 60.096%

The higher the acceptance rate, the higher the generation rate will be. In this case, we’re using fairly low parameter count models – particularly for the draft model – which may explain why the accept rate is so low.

However, even with an acceptance rate of 60 percent, we’re still seeing a pretty sizable uplift in performance at 182 tokens/sec. Using Llama 3.1 8B without speculative decoding enabled, we saw performance closer to 90–100 tokens/sec.
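To make the draft/verify loop and the n_drafted/n_accept readout above concrete, here is a toy implementation added for this article; it is not llama.cpp code. Both "models" are constructed deterministic bigram predictors: the target is the ground truth and the draft is a copy with a few deliberate disagreements (DRAFT_ERRORS), so the acceptance statistics are exact. The names BigramModel, speculative_generate, greedy_generate and accept_rate are this example's own.

```python
"""Toy greedy speculative decoding (constructed example, not llama.cpp code).

A cheap draft model proposes up to draft_max tokens, the expensive target
model verifies them, the matching prefix is kept and the target's own token
at the first mismatch (or a bonus token if everything matched) is appended.
"""

# Constructed reference sequence: every token is unique, so a bigram table
# predicts the continuation deterministically.
TARGET_TEXT = ("sir robert walpole is generally regarded as the first prime "
               "minister of britain and held office from 1721 to 1742 under "
               "two kings").split()

# Constructed places where the cheap draft model disagrees with the target:
# previous token -> (wrong) next token proposed by the draft.
DRAFT_ERRORS = {"robert": "peel", "from": "1730", "under": "three"}


class BigramModel:
    """Greedy toy LM: the next token depends only on the previous one."""

    def __init__(self, table):
        self.table = table

    def next_token(self, ctx):
        # None means the model has nothing more to say (end of sequence).
        return self.table.get(ctx[-1]) if ctx else None


def build_models():
    """Return (target, draft); the draft is the target plus DRAFT_ERRORS."""
    target_table = {a: b for a, b in zip(TARGET_TEXT, TARGET_TEXT[1:])}
    draft_table = dict(target_table)
    draft_table.update(DRAFT_ERRORS)
    return BigramModel(target_table), BigramModel(draft_table)


def greedy_generate(target, prompt, n_predict):
    """Baseline: one expensive target call per generated token."""
    out, calls = list(prompt), 0
    while len(out) - len(prompt) < n_predict:
        calls += 1
        tok = target.next_token(out)
        if tok is None:
            break
        out.append(tok)
    return out[len(prompt):], {"target_calls": calls}


def speculative_generate(target, draft, prompt, n_predict, draft_max):
    """Draft cheaply, verify with the target, commit prefix + correction."""
    out = list(prompt)
    stats = {"n_draft": draft_max, "n_drafted": 0, "n_accept": 0, "target_calls": 0}
    while len(out) - len(prompt) < n_predict:
        # 1. Draft phase: cheap autoregressive proposals, at most draft_max.
        proposed, ctx = [], list(out)
        while len(proposed) < draft_max:
            tok = draft.next_token(ctx)
            if tok is None:
                break
            proposed.append(tok)
            ctx.append(tok)
        stats["n_drafted"] += len(proposed)

        # 2. Verify phase: a real target model scores every proposed position
        #    in ONE forward pass; the loop below is that single pass unrolled.
        stats["target_calls"] += 1
        accepted, correction = 0, None
        for i, tok in enumerate(proposed):
            expected = target.next_token(out + proposed[:i])
            if expected != tok:
                correction = expected  # target's token at the first mismatch
                break
            accepted += 1
        if accepted == len(proposed):
            # Everything matched (or nothing was drafted): the same pass also
            # yields the target's next token for free.
            correction = target.next_token(out + proposed)
        stats["n_accept"] += accepted

        # 3. Commit: the accepted prefix plus the target's own token. The
        #    rejected tail of the draft is thrown away, which is why a bad
        #    draft makes per-step throughput swing.
        out.extend(proposed[:accepted])
        if correction is None:
            break
        out.append(correction)

    generated = out[len(prompt):][:n_predict]
    stats["n_predict"] = len(generated)
    return generated, stats


def accept_rate(stats):
    """The ratio llama-speculative prints as 'accept': n_accept / n_drafted."""
    return 100.0 * stats["n_accept"] / stats["n_drafted"] if stats["n_drafted"] else 0.0


if __name__ == "__main__":
    target, draft = build_models()
    toks, stats = speculative_generate(target, draft, ["sir"], 128, 16)
    _, base = greedy_generate(target, ["sir"], 128)
    print(" ".join(toks))
    for key in ("n_draft", "n_predict", "n_drafted", "n_accept", "target_calls"):
        print(f"{key:12} = {stats[key]}")
    print(f"accept       = {accept_rate(stats):.3f}%")
    print(f"plain greedy target calls = {base['target_calls']}")
```

Running it prints the same counters llama-speculative reports. Because the target checks every drafted token, the output is identical to plain greedy decoding from the target alone (the lossless property the article relies on), but the target is consulted 4 times instead of 23. The draft going wrong right after "robert" shows the cost of a mispredict: the rest of that draft is discarded and the step yields only two tokens, while the next step yields fifteen, which is the latency swing the article describes.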

So what’s going on in this command?  

  • ./llama-speculative specifies that we want to use speculative decoding.
  • -m and -md set the path to the main (big) and draft (small) models, respectively.
  • -c and -cd set the context window for the main and draft models, respectively.
  • -ngl 99 and -ngld 99 tell Llama.cpp to offload all the layers of our main and draft models to the GPU.
  • --draft-max and --draft-min set the maximum and minimum number of tokens the draft model should generate at a time.
  • --draft-p-min sets the minimum draft-token probability required for speculative decoding to take place.
  • -n sets the maximum number of tokens to output.
  • -p is where we enter our prompt in quotes.

You can find a full breakdown of available parameters by running:

./llama-speculative --help

If you’d like to use speculative decoding in a project, you can also spin up an OpenAI-compatible API server using the following:

./llama-server -m Meta-Llama-3.1-8B-Instruct-Q8_0.gguf -md Llama-3.2-1B-Instruct-Q8_0.gguf -c 4096 -cd 4096 -ngl 99 -ngld 99 --draft-max 8 --draft-min 4 --draft-p-min 0.9 --host 0.0.0.0 --port 8087

This will expose your API server on port 8087, where you can interact with it just like any other OpenAI-compatible API server. This example is provided as a proof of concept: --host 0.0.0.0 binds the server on every network interface. In a production setting you’ll want to set an API key and limit access via your firewall.

As a side note here, we also saw a modest performance uplift when including --sampling-seq k to prioritize Top-K sampling, but your mileage may vary.

A full list of llama-server parameters can be found by running:

./llama-server --help

With the server up and running, you can now point your application or a front-end like Open WebUI to interact with the server. For more information on setting up the latter, check out our guide on retrieval augmented generation here.

Why speculate?

Speculative decoding is by no means new. The technique was discussed at least as far back as November 2022 – not long after ChatGPT triggered the AI arms race.

However, with monolithic models growing ever larger, speculative decode offers a means to run large monolithic models like Llama 3.1 405B more efficiently without compromising on accuracy.

While Meta’s 405B foundation model might be tiny compared to OpenAI’s GPT4 – which is said to be roughly 1.7 trillion parameters in size – it’s still an incredibly difficult model to run at high throughputs.

At full resolution, achieving a generation rate of 25 tokens a second would require in excess of 810GB of vRAM and more than 20 TB/sec of memory bandwidth. Achieving higher performance would require additional levels of parallelism, which means more GPUs or accelerators.

Using speculative decoding with something like Llama 3.1 70B as the draft model, you’d need another 140GB of memory on top of the 810, but, in theory could achieve generation rates well over 100 tokens/sec – until a mispredict happens, at which point your throughput will crater.

And this is one of the challenges associated with speculative decoding: It’s tremendously effective at bolstering throughput, but in our testing, latency can be sporadic and inconsistent.

We can actually see this in Cerebras’s previously published results for Llama 3.1 70B when using speculative decode. We don’t know what the draft model is, but we’re fairly certain it’s the 8B variant based on previous benchmarks. As you can see, there’s a huge spike in performance when speculative decode is implemented, but the variation in latency is still huge – jumping up and down by 400 or more tokens/sec.

To be perfectly clear, at 1,665 to 2,100 tokens/sec for 70B and up to 969 tokens/sec for 405B, there’s a good chance the output will finish generating before you ever notice the hiccup.

As for why you’d need an inference engine capable of generating hundreds or thousands of tokens in the blink of an eye, Cerebras actually does a nice job of illustrating the problem.

In this slide, Cerebras makes its case for why faster inference and lower latency are important for supporting CoT and agentic AI applications going forward.

If you’ve tried out OpenAI’s o1, you may have noticed it’s a lot slower than previous models. This is because the model employs a chain of thought (CoT) tree to break down the task into individual steps, evaluate the responses, identify mistakes or gaps in logic, and correct them before presenting an answer to the user.

Using CoT as part of the generative AI process is thought to improve the accuracy and reliability of answers and mitigate errant behavior or hallucinations. However, the consequence of the approach is it’s a lot slower.

The next evolution of this is to combine CoT methods with multiple domain-specific models in an agentic workflow. According to Cerebras, such approaches require on the order of 100x as many steps and computational power. So, the faster you can churn out tokens, the better you can hide the added latency – or that’s the idea anyway. ®

Editor’s Note: The Register was provided an RTX 6000 Ada Generation graphics card by Nvidia, an Arc A770 GPU by Intel, and a Radeon Pro W7900 DS by AMD to support stories like this. None of these vendors had any input as to the content of this or other articles.



Arizona man arrested for alleged involvement in violent online terror networks

Baron Martin, a 20-year-old resident of Tucson, Arizona, was arrested Wednesday on charges of producing child sexual abuse material and cyberstalking. His arrest is connected to his involvement in online terror networks, specifically 764 and CVLT, which are known for violent extremist activities.

Martin, also known under the alias “Convict,” is charged with significant involvement in these networks since 2021. He allegedly boasted about being a leader within 764 and CVLT and provided guidance on victim extortion. The Department of Justice’s criminal complaint details his use of popular communication platforms to form and execute his plans, notably involving two minors in September 2022 to engage in self-harming acts.

U.S. Assistant Attorney General for National Security Matthew G. Olsen has described the 764 network as a dangerous organization of violent extremists. The network is said to systematically target children, utilizing child sexual abuse material in an agenda aimed at societal collapse and governmental destabilization. Olsen reaffirmed the Justice Department’s commitment to combating such acts of terrorism and dismantling these networks.

The unsealed complaint provides a grim overview of the 764 network’s operations. It describes the group’s targeting of underage populations to share extreme and violent media, desensitizing youth to violence and normalizing the dissemination of child sexual abuse material (CSAM). The network is noted for its use of cybercriminal tactics and manipulation of societal norms to exploit minors, guided by a broader agenda of societal chaos.

If convicted, Martin could face up to 30 years in prison for producing child sexual abuse material, alongside a potential 10-year term for the cyberstalking offense. Both charges also include fines and the possibility of lifetime supervised release.

CyberScoop reported earlier this month that groups like 764 and the global collective of loosely associated groups known as “The Com” are using tools and techniques normally reserved for financially motivated cybercrime tactics — such as SIM swapping, IP grabbing and social engineering — to commit violent crimes.

The reports offer insight into the underbelly of the global network, showing how they are using traditional cybercriminal tools to identify, target, groom, extort, and cause physical and psychological harm to victims as young as 10. They were shared with police nationwide and in some cases, with foreign-allied governments.

Gary Restaino, U.S. Attorney for the District of Arizona, emphasized in a release the importance of vigilance among parents and children in online environments. He noted that Project Safe Childhood, a Justice Department initiative, aims to protect youth from individual and organized threats online.

Written by Greg Otto

Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University.



Zerto Introduces Cloud Vault Solution for Enhanced Cyber Resilience Through MSPs

PRESS RELEASE

BOSTON — December 12, 2024 — Zerto, a Hewlett Packard Enterprise company, today announced the launch of the Zerto Cloud Vault, which delivers Zerto’s best-in-class cyber resilience capabilities as a service through managed service providers (MSPs). Zerto’s security-focused MSP partners at launch include Assurestor, Converge, LincolnIT, and Verinext. Built on the capabilities of the Zerto Cyber Resilience Vault, the Zerto Cloud Vault is a cloud-based, fully managed solution that offers logical air-gapping, immutability, and clean room recovery.

Ransomware attacks remain a harsh fact of life for most businesses with collective ransomware losses totaling over $1 billion in 2023 alone. This financial toll is exacerbated by the resulting data loss and downtime, with some estimates suggesting upwards of $1 million in losses per hour of downtime for larger businesses.

With Zerto Cloud Vault, customers can leverage MSPs that deliver tailored cyber resilience strategies to meet the specific requirements of their organizations. Cloud Vault is the latest offering in HPE’s comprehensive cyber resilience portfolio and complements the existing Zerto Cyber Resilience Vault, which is deployed as a self-hosted, on-premises stack.

Zerto Cloud Vault capabilities include:

  • Managed Cyber Services: Take advantage of MSP experts who know how to prevent and mitigate attacks and have built their services on top of Zerto’s award-winning technology.

  • Real-Time Encryption Detection: Detect encryption anomalies in real-time and be alerted within seconds to potential issues through integration with cybersecurity dashboards.

  • Immutable Data Copies: Retain data for up to 12 months and protect against ransomware attacks through immutable copies, all without impacting production workloads, without any agents or snapshots.

  • Clean Room Recovery: Leverage the elasticity of the cloud to create clean environments on demand with isolated networks that are protected from attackers. Use it to validate data, scrub malware, and perform forensics before recovering back into production.

  • Non-Disruptive Testing: With Zerto’s non-disruptive solutions, businesses can test more frequently and comprehensively, including conducting cyber recovery tests at any time on entire sites, multiple sites, or individual VMs. These tests can be used to validate recovery plans and train incident response teams.

  • Fully Isolated from Production Environments: Ability to run different security postures within production and vault environments.

“Zerto’s disaster recovery and cyber resilience solutions offer peace of mind to businesses struggling to combat ransomware attacks,” said Jim O’Dorisio, senior vice president and general manager, HPE Storage. “Leveraging our cyber resilience capabilities, MSPs will be able to bring fully managed Cloud Vault services to even more organizations, helping them thwart the plans of attackers and keep precious business assets safe.”

Coupled with the expertise of Zerto’s vetted MSP partners, the hosted Zerto Cloud Vault mitigates the most devastating ransomware scenarios while keeping businesses in compliance with state and federal regulations — reducing the risk of substantial fines or prosecution. Where other solutions offer detrimental lengthy recovery point objectives (RPOs) and recovery time objectives (RTOs), Zerto Cloud Vault slashes both, minimizing the risks of disruption and allowing businesses to get back on their feet as fast as possible after the inevitable happens. Zerto is a part of HPE’s hybrid cloud business, helping HPE customers protect workloads and data across hybrid IT environments.

Partner Quotes

“Our Gold Standard for cyber recovery considers a product’s recoverability readiness, non-disruptive testing capability, and speed of data recovery; we found that Zerto substantially delivered on all these points. Combined with Cloud Vault, the protection provided from ransomware attacks was robust and allowed pinpoint recovery faster than any other products evaluated,” said Stephen Young, executive director, Assurestor.

“Ransomware attacks are a real threat to the data and operations of organizations of all sizes. Having the ability to offer a cloud vault with Zerto technology gives our clients added protection against ransomware and peace of mind that they can recover successfully,” said John Antimisiaris, executive vice president, LincolnIT.

“Some of our clients’ infrastructure protection needs to be kept with a very tight RPO, but they still need some deeper recovery options than simple replication can provide. A cyberattack is seldom clearly understood, even when recovery efforts have begun. Zerto Cloud Vault provides immutable protection history that can be leveraged to find the latest clean point in time for replicated hosts,” said Jeremy Brovage, product engineer and solutions architect, Converge Enterprise Cloud.

“Cyberattacks that encrypt data are one of the primary disruptors requiring data recovery. Zerto provides the best tools to recover quickly and with the least data loss in a cloud vault,” said Nick Martino, product manager, managed services, Verinext.

Explore the Zerto Cloud Vault and discover how it empowers businesses to safeguard their data and operations: Learn More. 

About Zerto

Zerto, a Hewlett Packard Enterprise company, empowers customers to run an always-on business by simplifying the protection, recovery, and mobility of on-premises and cloud applications. Zerto eliminates the risk and complexity of modernization and cloud adoption across private, public, and hybrid deployments. The simple, software-only solution uses continuous data protection at scale to solve for ransomware resilience, disaster recovery, and multi-cloud mobility. Zerto is trusted by over 9,500 customers globally, and is powering offerings for Microsoft Azure, IBM Cloud, Google Cloud, Oracle Cloud, and more than 350 managed service providers.


Auto parts giant LKQ says cyberattack disrupted Canadian business unit

Automobile parts giant LKQ Corporation disclosed that one of its business units in Canada was hacked, allowing threat actors to steal data from the company.

LKQ is a public American company specializing in automotive replacement parts, components, and services to repair and maintain vehicles. The company has 45,000 employees in 25 countries and operates numerous brands, including Keystone, Tri Star, and ADL.

In a Form 8-K filed with the SEC on Friday evening, the company says one of its business units in Canada was breached on November 13, disrupting business operations.

“On November 13, 2024, LKQ Corporation (the “Company” or “we”) detected unauthorized access to information technology (IT) systems of a single business unit in Canada (“Business Unit”). The attack disrupted the Business Unit’s operations,” reads the LKQ Form 8-K filing.

“Upon discovery, we immediately began taking steps to investigate, contain, and recover from the incident, including activating our security incident response and recovery plans, partnering with industry leading forensic investigators, and initiating containment measures for affected systems. We also promptly notified law enforcement authorities. We are analyzing data impacted by the incident and will be notifying affected parties as appropriate.”

“As a result of the incident, the Company’s operations within this Business Unit were adversely impacted for a few weeks while affected systems were recovered; however, the Company believes that it has effectively contained the threat and that none of its other businesses were impacted by the threat, and the Business Unit is now operating near full capacity.”

The company says it does not believe the incident will have any material impact on its financials or operations for the remainder of the fiscal year. LKQ says it will seek reimbursement for costs and expenses stemming from the cyberattack from its cyber insurer.

LKQ notes that its containment measures caused some disruption within the breached business unit for a few weeks, but operations have since been restored.

No ransomware gangs or other threat actors have claimed responsibility for the attack.


390,000+ WordPress Credentials Stolen via Malicious GitHub Repository Hosting PoC Exploits

Dec 13, 2024 | Ravie Lakshmanan | Cyber Attack / Malware

A now-removed GitHub repository that advertised a WordPress tool to publish posts to the online content management system (CMS) is estimated to have enabled the exfiltration of over 390,000 credentials.

The malicious activity is part of a broader attack campaign undertaken by a threat actor, dubbed MUT-1244 (where MUT refers to “mysterious unattributed threat”) by Datadog Security Labs, that involves phishing and several trojanized GitHub repositories hosting proof-of-concept (PoC) code for exploiting known security flaws.

“Victims are believed to be offensive actors – including pentesters and security researchers, as well as malicious threat actors – and had sensitive data such as SSH private keys and AWS access keys exfiltrated,” researchers Christophe Tafani-Dereeper, Matt Muir, and Adrian Korn said in an analysis shared with The Hacker News.

It’s no surprise that security researchers have been an attractive target for threat actors, including nation-state groups from North Korea, as compromising their systems could yield information about possible exploits related to undisclosed security flaws they may be working on, which could then be leveraged to stage further attacks.

In recent years, there has emerged a trend where attackers attempt to capitalize on vulnerability disclosures to create GitHub repositories using phony profiles that claim to host PoCs for the flaws but actually are engineered to conduct data theft and even demand payment in exchange for the exploit.

The campaigns undertaken by MUT-1244 not only involve making use of trojanized GitHub repositories but also phishing emails, both of which act as a conduit to deliver a second-stage payload capable of dropping a cryptocurrency miner, as well as stealing system information, private SSH keys, environment variables, and contents associated with specific folders (e.g., ~/.aws) to File.io.

One such repository was “github[.]com/hpc20235/yawpp,” which claimed to be “Yet Another WordPress Poster.” Prior to its takedown by GitHub, it contained two scripts: One to validate WordPress credentials and another to create posts using the XML-RPC API.

But the tool also harbored malicious code in the form of a rogue npm dependency, a package named @0xengine/xmlrpc that deployed the same malware. It was originally published to npm in October 2023 as a JavaScript-based XML-RPC server and client for Node.js. The library is no longer available for download.

It’s worth noting that cybersecurity firm Checkmarx revealed last month that the npm package remained active for over a year, attracting about 1,790 downloads.

The yawpp GitHub project is said to have enabled the exfiltration of over 390,000 credentials, likely for WordPress accounts, to an attacker-controlled Dropbox account by compromising unrelated threat actors who had access to these credentials through illicit means.

Another method used to deliver the payload entails sending phishing emails to academics in which they are tricked into visiting links that instruct them to launch the terminal and copy-paste a shell command to perform a supposed kernel upgrade. The discovery marks the first time a ClickFix-style attack has been documented against Linux systems.

“The second initial access vector that MUT-1244 utilizes is a set of malicious GitHub users publishing fake proof-of-concepts for CVEs,” the researchers explained. “Most of them were created in October or November [2024], have no legitimate activity, and have an AI-generated profile picture.”

Some of these bogus PoC repositories were previously highlighted by Alex Kaganovich, Colgate-Palmolive’s global head of offensive security red team, in mid-October 2024. But in an interesting twist, the second-stage malware is delivered in four different ways:

  • Backdoored configure compilation file
  • Malicious payload embedded in a PDF file
  • Using a Python dropper
  • Inclusion of a malicious npm package “0xengine/meow”

“MUT-1244 was able to compromise the system of dozens of victims, mostly red teamers, security researchers, and anyone with an interest in downloading PoC exploit code,” the researchers said. “This allowed MUT-1244 to gain access to sensitive information, including private SSH keys, AWS credentials, and command history.”


Fintech Giant Finastra Investigating Data Breach – Krebs on Security

The financial technology firm Finastra is investigating the alleged large-scale theft of information from its internal file transfer platform, KrebsOnSecurity has learned. Finastra, which provides software and services to 45 of the world’s top 50 banks, notified customers of the security incident after a cybercriminal began selling more than 400 gigabytes of data purportedly stolen from the company.

London-based Finastra has offices in 42 countries and reported $1.9 billion in revenues last year. The company employs more than 7,000 people and serves approximately 8,100 financial institutions around the world. A major part of Finastra’s day-to-day business involves processing huge volumes of digital files containing instructions for wire and bank transfers on behalf of its clients.

On November 8, 2024, Finastra notified financial institution customers that on Nov. 7 its security team detected suspicious activity on Finastra’s internally hosted file transfer platform. Finastra also told customers that someone had begun selling large volumes of files allegedly stolen from its systems.

“On November 8, a threat actor communicated on the dark web claiming to have data exfiltrated from this platform,” reads Finastra’s disclosure, a copy of which was shared by a source at one of the customer firms.

“There is no direct impact on customer operations, our customers’ systems, or Finastra’s ability to serve our customers currently,” the notice continued. “We have implemented an alternative secure file sharing platform to ensure continuity, and investigations are ongoing.”

But its notice to customers does indicate the intruder managed to extract or “exfiltrate” an unspecified volume of customer data.

“The threat actor did not deploy malware or tamper with any customer files within the environment,” the notice reads. “Furthermore, no files other than the exfiltrated files were viewed or accessed. We remain focused on determining the scope and nature of the data contained within the exfiltrated files.”

In a written statement in response to questions about the incident, Finastra said it has been “actively and transparently responding to our customers’ questions and keeping them informed about what we do and do not yet know about the data that was posted.” The company also shared an updated communication to its clients, which said while it was still investigating the root cause, “initial evidence points to credentials that were compromised.”

“Additionally, we have been sharing Indicators of Compromise (IOCs) and our CISO has been speaking directly with our customers’ security teams to provide updates on the investigation and our eDiscovery process,” the statement continues. Here is the rest of what they shared:

“In terms of eDiscovery, we are analyzing the data to determine what specific customers were affected, while simultaneously assessing and communicating which of our products are not dependent on the specific version of the SFTP platform that was compromised. The impacted SFTP platform is not used by all customers and is not the default platform used by Finastra or its customers to exchange data files associated with a broad suite of our products, so we are working as quickly as possible to rule out affected customers. However, as you can imagine, this is a time-intensive process because we have many large customers that leverage different Finastra products in different parts of their business. We are prioritizing accuracy and transparency in our communications.

Importantly, for any customers who are deemed to be affected, we will be reaching out and working with them directly.”

On Nov. 8, a cybercriminal using the nickname “abyss0” posted on the English-language cybercrime community BreachForums that they’d stolen files belonging to some of Finastra’s largest banking clients. The data auction did not specify a starting or “buy it now” price, but said interested buyers should reach out to them on Telegram.

abyss0’s Nov. 7 sales thread on BreachForums included many screenshots showing the file directory listings for various Finastra customers. Image: Ke-la.com.

According to screenshots collected by the cyber intelligence platform Ke-la.com, abyss0 first attempted to sell the data allegedly stolen from Finastra on October 31, but that earlier sales thread did not name the victim company. However, it did reference many of the same banks called out as Finastra customers in the Nov. 8 post on BreachForums.

The original October 31 post from abyss0, where they advertise the sale of data from several large banks that are customers of a large financial software company. Image: Ke-la.com.

The October sales thread also included a starting price: $20,000. By Nov. 3, that price had been reduced to $10,000. A review of abyss0’s posts to BreachForums reveals this user has offered to sell databases stolen in several dozen other breaches advertised over the past six months.

The apparent timeline of this breach suggests abyss0 gained access to Finastra’s file sharing system at least a week before the company says it first detected suspicious activity, and that the Nov. 7 activity cited by Finastra may have been the intruder returning to exfiltrate more data.

Maybe abyss0 found a buyer who paid for their early retirement. We may never know, because this person has effectively vanished. The Telegram account that abyss0 listed in their sales thread appears to have been suspended or deleted. Likewise, abyss0’s account on BreachForums no longer exists, and all of their sales threads have since disappeared.

It seems improbable that both Telegram and BreachForums would have given this user the boot at the same time. The simplest explanation is that something spooked abyss0 enough for them to abandon a number of pending sales opportunities, in addition to a well-manicured cybercrime persona.

In March 2020, Finastra suffered a ransomware attack that sidelined a number of the company’s core businesses for days. According to reporting from Bloomberg, Finastra was able to recover from that incident without paying a ransom.

This is a developing story. Updates will be noted with timestamps. If you have any additional information about this incident, please reach out to krebsonsecurity @ gmail.com or at protonmail.com.


Android beefs up Bluetooth tag stalker protections • The Register

Google is rolling out two new features to help Android users evade stalkers who abuse Bluetooth tags to surreptitiously track them.

The Temporarily Pause Location feature lets users halt location updates sent to Bluetooth trackers via their phone for up to 24 hours. In Google’s view, this will allow users to quickly take action against a tag without having to stop and search for a hidden device, which may compromise safety.

When users feel safe enough to search for the device, the Find Nearby feature is introduced to help locate it. Android users could already activate a sound on a tracker placed on them, but the feature employs a visual aid – a shape that fills as the user nears the tracker – to simplify locating it. A text prompt will also describe the status of the connection to the tag.

Both features build on the existing protections Google has made available to users for years, more of which it said will continue to be rolled out over time.

However, these features work exclusively with trackers compatible with Android’s Find My Device Network, which launched earlier this year after much anticipation and was met with its fair share of naysayers.

Critics’ main gripe was that the network defaulted to activation only in high-traffic areas, although this can be manually changed to enable it everywhere. It meant tracker locating performance was limited in low-density areas.

Another issue lies in the limited number of devices compatible with the network. Only Pebblebee tags and Chipolo ONE Point and Chipolo CARD Point devices are fully compatible, benefiting from the bonus features that come with it.

Apple’s AirTags, among the most popular devices of their kind, are compatible but with limitations. Android users will be alerted if an AirTag is being used to track them, but the Find My Device Network features announced this week, for example, won’t work.

Other network features include gathering additional data about the tracker device itself. Once located, users can hold the tag near the back of their Android phone to retrieve data like the device identifier and the owner’s hidden email address. The data can be saved via screenshots and forwarded to law enforcement in extreme cases.

Both Apple and Google have been working for well over a year on a common device specification to allow trackers from all manufacturers to benefit from the advanced features on their respective networks.

Detecting Unwanted Location Trackers – the proposed specification name – was rolled out in May 2024 and Apple said that devices made by major players such as Chipolo, eufy, Jio, Motorola, and Pebblebee will adopt it in the future.

Serious and ongoing concerns

Consumer-grade Bluetooth trackers have been on the market for over a decade, but it was the release of Apple’s AirTags in 2021 that renewed concerns about people’s safety.

It took just over a year before the very worst offenses were carried out with the assistance of the tags, which were designed to help locate lost keys and pets.

Andre Smith was killed by his ex-girlfriend who tracked him using an AirTag concealed within his car’s bodywork. She would go on to be sentenced to 18 years in prison for manslaughter.

Numerous other grisly cases have been reported over the years, from women stalked after separating from their partners, to celebrities tracked while on holiday. Charities such as Refuge and the Suzy Lamplugh Trust have reported an uptick in reports of AirTag and other Bluetooth tracker abuse since.

Apple has routinely and vehemently condemned abuse of AirTags. It said in a 2022 statement: “Based on our knowledge and on discussions with law enforcement, incidents of AirTag misuse are rare; however, each instance is one too many.”

Apple’s anti-tracking features mirror Android’s in that not all tags work with its Find My network. Tags adhering to the Detecting Unwanted Location Trackers standard but not compatible with Find My will also trigger unwanted tracking notifications on iOS 17.5 or newer. ®
