
EU Parliament Faces Scrutiny Over Massive Data Breach
- Written by Kiara Fabbri Former Tech News Writer
- Fact-Checked by Justyn Newman Former Lead Cybersecurity Editor
The European Parliament is facing scrutiny after a significant data breach exposed the personal information of over 8,000 of its staff members. The breach, which affected the institution’s recruitment platform, compromised sensitive data such as ID cards, passports, marriage certificates, and criminal records.
Noyb states that in early May, the European Parliament informed its staff about a massive data breach in its recruitment platform. The Parliament only discovered the breach months after it occurred and has yet to determine the exact cause.
The data breach has raised serious concerns about the European Parliament’s cybersecurity practices, particularly given that the institution was already aware of vulnerabilities.
This breach follows a series of cybersecurity incidents involving EU institutions. These include attacks by Russian hacking groups and the discovery of spyware on devices belonging to members of the Parliament’s security and defense subcommittee.
The implications of the breach extend beyond the immediate harm to those affected. As Max Schrems, Chairman of noyb, pointed out, “It is worrying that EU institutions are still so vulnerable to attacks. Having such information floating around is not only frightening for the individuals affected, but it can also be used to influence democratic decisions.”

North Korea’s Cyber Threat Evolves With MoonPeak Malware
- Written by Kiara Fabbri Former Tech News Writer
- Fact-Checked by Justyn Newman Former Lead Cybersecurity Editor
Cisco Talos has identified a North Korean hacking group, “UAT-5394,” using various servers to test and control its malware. They’re working with a new version of malware called “MoonPeak,” which is based on an earlier malware called XenoRAT.
In their report, published yesterday, the researchers state that MoonPeak is based on the publicly available source code for XenoRAT, which was released on GitHub around October 2023.
Although MoonPeak retains many of the original XenoRAT’s functionalities, Cisco Talos’ analysis has identified consistent changes across its variants, indicating that the threat actors are independently modifying and evolving the code beyond the open-source version.
While MoonPeak shares some similarities with malware used by a known North Korean group called “Kimsuky,” Cisco Talos states they don’t have enough evidence to confirm a direct link between them.
The researchers suggest that the new malware raises two main possibilities. First, UAT-5394 might be Kimsuky or a subgroup of Kimsuky that is replacing its old malware with MoonPeak.
Alternatively, UAT-5394 could be a different North Korean group that is using similar techniques and infrastructure to Kimsuky.
For now, Cisco Talos has decided to treat UAT-5394 as a separate group until they have more evidence to connect them to Kimsuky or confirm them as a unique group within North Korea’s hacking operations.
Cisco Talos’ researchers also revealed that the group is using special servers to test and update MoonPeak. Cisco Talos suggests that the group uses these servers to download and control the malware, and often accesses them through VPNs to manage and update it.
Furthermore, Cybersecurity News reports that the XenoRAT malware has undergone several modifications by its creators, including changes to the client namespace, communication protocol, and obfuscation techniques.
These updates are designed to enhance evasion tactics and prevent unwanted clients from interacting with the command and control (C2) infrastructure.
According to The Cyber Express, the researchers noted a significant change in the actor’s tactics in June 2024. The group shifted from using legitimate cloud storage providers to hosting malicious payloads on systems and servers that it now owns and controls.
TCE suggests that this move was likely aimed at protecting their operations from potential shutdowns by cloud service providers.
Finally, Cybersecurity News points out that the rapid pace of these changes reflects the group’s efforts to expand its campaign quickly while setting up more drop points and C2 servers.