UK Criminal Records Office Attributes Portal Issues to Cyber Incident
- Written by Ari Denial, Cybersecurity & Tech Writer
After weeks of delaying its statement, the UK’s Criminal Records Office (ACRO) has confirmed that the online portal issues that began in January were caused by a “cyber security incident.”
ACRO has been investigating a cyber security incident that forced it to temporarily shut down its customer portal.
ACRO manages criminal record information and shares it with other countries through an information sharing agreement with the Cabinet Office. The data is used for background checks on potential hires by employers and visa processing by embassies.
When providing data for a background check, it’s standard practice to include various pieces of information. This includes name and address history, which typically spans a decade, as well as extended family details, in case any familial connections could potentially impact the individual’s criminal history.
The person’s new foreign address, if applicable, is also included, as well as information on any legal representation they may have had. Additionally, passport information, a photograph, data regarding PIN cautions, reprimands, arrests, and charges or convictions are typically required.
ACRO has informed users that their personal data may have been affected by a cyber security incident that led to the temporary shutdown of its customer portal.
They have confirmed that personal data of users who used its services as a direct applicant, a nominated endorser or a professional administering an application for an applicant may have been affected by a recent cyber security incident. The agency has stated that payment information and dispatched certificates were not at risk.
The compromised personal data could include identification information and criminal conviction data of the applicants, as well as the names, relationship, occupation, phone numbers, email addresses, and case reference numbers of any nominated endorsers or third-party professionals.
ACRO has acknowledged that the manual processing of applications and website issues have resulted in a backlog. However, it stated that it is increasing resources and working to address the issue as quickly as possible.
- Written by Ari Denial, Cybersecurity & Tech Writer
ALPHV has gained notoriety for targeting critical infrastructure and health entities, in contrast to some other ransomware operators who have avoided such targets. This attack is detailed in a blog post by Mandiant, which includes information on detection and indicators.
According to Mandiant, a commercial scanning service has revealed the existence of over 8,500 IP addresses publicly advertising the “Symantec/Veritas Backup Exec ndmp” service on ports 10000, 9000, and 10001.
Mandiant’s findings reveal that the UNC4466 threat actor group compromised a Windows server running Veritas Backup Exec using a Metasploit module and maintained access to the host.
They used tools like Advanced IP Scanner and ADRecon to gather information about the victim’s environment and downloaded additional tools, including the ALPHV ransomware encryptor. The group used SOCKS5 tunneling for C2 communication and employed BITS transfers to download tools and deploy the ransomware payload.
To escalate privileges, the group used Mimikatz, LaZagne, and Nanodump to steal user credentials; it evaded detection by clearing event logs and disabling Microsoft Defender’s real-time monitoring.
Defenders can use the guidance provided in Mandiant’s report to detect UNC4466 attacks promptly and take necessary measures to prevent the execution of the ALPHV payload on their systems.
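The defensive side of the chain described above (BITS-staged tooling, cleared event logs, Defender real-time protection switched off) lends itself to simple log correlation. The script below is an added illustration written for this article; it is not Mandiant's detection content and not taken from their report. The event records are constructed samples, and the allow-list of BITS origins is a hypothetical placeholder. The event IDs it matches are standard Windows ones: Security 1102 (audit log cleared), System 104 (log cleared), Microsoft-Windows-Windows Defender 5001 (real-time protection disabled) and Microsoft-Windows-Bits-Client 59 (transfer job started).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set
from urllib.parse import urlparse


@dataclass(frozen=True)
class Event:
    """One normalised Windows event record (host, channel, id, message text)."""
    host: str
    channel: str
    event_id: int
    message: str = ""


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


# Hypothetical allow-list of origins BITS is expected to pull from. A real
# deployment would populate this from its own update/distribution servers.
BITS_ALLOWED_HOSTS: Set[str] = {"download.windowsupdate.com", "sccm.corp.example"}

_URL_RE = re.compile(r'https?://[^\s"]+')


def bits_url(message: str) -> Optional[str]:
    """Pull the transfer URL out of a Bits-Client 59 message, if present."""
    m = _URL_RE.search(message)
    return m.group(0).rstrip(".,;)") if m else None


def triage(events: List[Event]) -> List[Finding]:
    """Flag log clearing, Defender RTP being disabled, and BITS downloads
    from origins outside the allow-list."""
    findings: List[Finding] = []
    for ev in events:
        if (ev.channel, ev.event_id) in {("Security", 1102), ("System", 104)}:
            findings.append(Finding(ev.host, "log_cleared",
                                    f"{ev.channel} event {ev.event_id}"))
        elif "Windows Defender" in ev.channel and ev.event_id == 5001:
            findings.append(Finding(ev.host, "defender_rtp_disabled",
                                    "Defender event 5001"))
        elif "Bits-Client" in ev.channel and ev.event_id == 59:
            url = bits_url(ev.message)
            origin = urlparse(url).hostname if url else None
            if origin not in BITS_ALLOWED_HOSTS:
                findings.append(Finding(ev.host, "bits_download_unexpected_origin",
                                        url or "<no url in message>"))
    return findings


def hosts_with_evasion_and_staging(findings: List[Finding]) -> List[str]:
    """Hosts where tool staging over BITS co-occurs with defence evasion;
    the combination is a much stronger signal than either event alone."""
    by_host: Dict[str, Set[str]] = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    evasion = {"log_cleared", "defender_rtp_disabled"}
    return sorted(h for h, rules in by_host.items()
                  if rules & evasion and "bits_download_unexpected_origin" in rules)


# Constructed sample records; 198.51.100.0/24 is a documentation range.
SAMPLE_EVENTS = [
    Event("srv-backup-01", "Microsoft-Windows-Bits-Client/Operational", 59,
          "BITS started the job1 transfer job that is associated with the "
          "http://198.51.100.23/svc.exe URL."),
    Event("srv-backup-01", "Microsoft-Windows-Windows Defender/Operational", 5001,
          "Real-time protection is disabled."),
    Event("srv-backup-01", "Security", 1102, "The audit log was cleared."),
    Event("ws-042", "Microsoft-Windows-Bits-Client/Operational", 59,
          "BITS started the WU transfer job that is associated with the "
          "https://download.windowsupdate.com/c/patch.cab URL."),
]

if __name__ == "__main__":
    results = triage(SAMPLE_EVENTS)
    for r in results:
        print(f"{r.host:14} {r.rule:32} {r.detail}")
    print("escalate:", hosts_with_evasion_and_staging(results))
```

Run as-is, the script flags three findings on `srv-backup-01` and none on `ws-042`, and the correlation step names only the backup server, which is the host a responder would want to look at first.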