Daily Brief

Total articles found: 11761

2025-09-11 11:05:19 theregister MISCELLANEOUS EU Debates Controversial Encryption Backdoor Legislation Amid Privacy Concerns
The EU is considering legislation that mandates ISPs and messaging apps to scan user content or implement encryption backdoors, sparking significant privacy concerns. Over 600 security experts have opposed the proposal, arguing it is intrusive and technically unfeasible, with a high potential for false positives. Critics warn that the legislation could lead to a "national security disaster," potentially exposing data to adversarial nations and undermining privacy. The proposed rules aim to combat child sexual abuse material (CSAM) but lack clear guidance on implementation, relying on AI for detection. If passed, encrypted app providers like WhatsApp and Signal would be required to comply, despite technical and ethical challenges. Some EU member states, such as Germany, are expressing reservations, potentially delaying the legislation for further review. Companies like Signal and Tuta have pledged to resist compliance, citing EU constitutional privacy rights and potential legal challenges. Similar UK legislation has faced implementation hurdles, highlighting the complexity and contentious nature of such surveillance measures.
2025-09-11 10:41:13 thehackernews CYBERCRIME Akira Ransomware Exploits SonicWall SSL VPN Vulnerabilities
The Akira ransomware group is targeting SonicWall devices, exploiting a year-old SSL VPN flaw (CVE-2024-40766) and misconfigurations to gain unauthorized access. Rapid7 reports a surge in SonicWall intrusions, with Akira leveraging brute-force attacks on user credentials to breach networks. SonicWall advises enabling Botnet Filtering and Account Lockout policies, and reviewing LDAP SSL VPN Default User Groups to mitigate risks. Misconfigured LDAP settings can allow attackers to bypass Active Directory controls, granting unauthorized access to sensitive network services. The Australian Cyber Security Centre confirms Akira's targeting of vulnerable Australian organizations, emphasizing the global implications. Akira's recent tactics include SEO poisoning and using the Bumblebee malware loader to deploy ransomware and exfiltrate data. Organizations are urged to rotate passwords, remove inactive accounts, and restrict Virtual Office Portal access to bolster defenses against these attacks.
2025-09-11 10:24:32 theregister DATA BREACH LNER Customer Data Compromised in Third-Party Supplier Breach
London North Eastern Railway (LNER) confirmed a data breach involving customer contact details and travel information accessed through a third-party supplier. The breach did not affect sensitive financial data such as bank accounts, payment cards, or passwords, according to LNER's statement. Operational services, including ticketing and rail services, remain unaffected, ensuring continuity of LNER's inter-city operations across major UK hubs. Customers are advised to remain vigilant against phishing attempts and to maintain secure password practices as a precautionary measure. The breach's connection to recent Salesloft Drift attacks remains speculative, with no definitive attribution to the ongoing incidents. LNER has committed to providing further updates as more information becomes available, while the exact method of the breach remains unclear. The incident emphasizes the need for robust third-party risk management strategies to safeguard customer data from supplier-related vulnerabilities.
2025-09-11 09:33:11 theregister MISCELLANEOUS Experts Question Ofcom's Enforcement of the UK's Online Safety Act
The UK's Communications and Digital Committee reviewed Ofcom's enforcement of the Online Safety Act, with experts expressing concerns over its effectiveness and implications for civil liberties. Ofcom's suggestion that the Act could have prevented the 2024 Southport riots raised concerns about unrealistic expectations and political causality, according to legal academics. The Act's scope is limited to harmful or illegal content, excluding "awful but lawful" material, which restricts Ofcom's regulatory leverage. Critics noted that misinformation spread during the riots would not fall under the Act's regulations, as it was shared by individuals believing it to be true. Ofcom's proposals to reform recommender systems are seen as conflating content moderation with algorithmic changes, raising questions about enforcement feasibility. The rise in VPN use as a workaround to the Act's safeguards for children online has prompted calls for stricter age verification measures, though a ban on VPNs is unlikely. The committee plans to continue discussions with civil society organizations to address ongoing challenges with the Act's implementation and impact.
2025-09-11 09:08:49 thehackernews MALWARE Malicious Browser Extensions Target Meta Business Accounts for Hijacking
Cybersecurity researchers have identified two campaigns distributing fake browser extensions via malicious ads and websites, aiming to steal sensitive data from Meta Business accounts. The campaigns involve fake "Meta Verified" extensions, such as SocialMetrics Pro and Madgicx Plus, which falsely promise enhanced Facebook and Instagram features. Once installed, these extensions collect session cookies and IP addresses, sending them to a Telegram bot controlled by attackers, facilitating unauthorized access. The malicious extensions exploit the Facebook Graph API to gather additional account information, potentially leading to the sale of compromised accounts on underground forums. The campaigns are linked to Vietnamese-speaking threat actors, utilizing mass-generated links and tutorials to industrialize malvertising efforts. The extensions, still available on the Chrome Web Store, can intercept and modify network traffic, capture form inputs, and harvest sensitive data. Businesses are advised to scrutinize browser extensions and monitor for unauthorized access to prevent account hijacking and data theft.
2025-09-11 09:01:38 thehackernews MISCELLANEOUS Bridging the Communication Gap Between CISOs and Boardrooms
A new educational initiative, "Risk Reporting to the Board for Modern CISOs," aims to enhance communication between CISOs and board members by translating technical risks into business-relevant insights. The course addresses the disconnect where 84% of directors see cybersecurity as a business risk, yet only half feel confident in their understanding for effective oversight. Boards are increasingly accountable for cyber risk, with regulations like SEC rules and EU's NIS2 mandating disclosure and oversight, highlighting the need for clear communication. The program teaches CISOs to present risk in terms of governance, finance, and strategy, moving beyond technical metrics to actionable insights that align with business objectives. Dr. Gerald Auger, with extensive industry and teaching experience, leads the course, providing practical tools and templates for effective board communication. By improving CISO-board alignment, organizations can expect stronger support for security initiatives and a more integrated role for cybersecurity in strategic planning. The initiative reflects a growing recognition that cybersecurity is central to business oversight and long-term growth, necessitating clear and actionable insights from security leaders.
2025-09-11 08:54:01 theregister MISCELLANEOUS BAE Systems Advances Autonomous Submarine Technology for Military Use
BAE Systems is developing the Herne, an extra-large autonomous underwater vehicle designed for military applications, with a focus on protecting underwater infrastructure from potential sabotage threats. The Herne submarine, capable of pre-programmed intelligence and surveillance missions, has completed trials and is set for further development with Cellula Robotics under a 10-year agreement. This uncrewed submarine can travel up to 3,100 miles and operate for 45 days at depths of 16,400 feet, with a flexible cargo space for various mission payloads. The Herne is currently battery-powered, and BAE is exploring hydrogen fuel cells as a future power source to extend its operational capabilities. The Royal Navy's ASW Spearhead program complements these efforts by improving sonar systems for detecting and tracking hostile submarines, enhancing maritime defense capabilities. The Herne's development signifies a shift towards autonomous maritime defense solutions, offering increased endurance and safety by reducing human involvement in potentially hazardous missions. BAE's rapid development strategy aims to provide cost-effective, scalable autonomous capabilities, positioning the Herne as a significant advancement in underwater military technology.
2025-09-11 06:08:43 thehackernews MALWARE AsyncRAT Campaign Exploits ConnectWise to Steal Credentials and Cryptocurrency
Cybersecurity researchers revealed a campaign using ConnectWise ScreenConnect to deploy AsyncRAT, a remote access trojan, targeting sensitive data on compromised systems. Attackers leverage the legitimate RMM software to gain remote access, employing VBScript and PowerShell loaders to execute obfuscated components from external sources. The infection chain involves trojanized installers masquerading as business documents, distributed via phishing emails, to initiate the malware deployment. Persistence is achieved through a fake "Skype Updater" scheduled task, allowing the payload to execute after each login, evading detection. AsyncRAT capabilities include keystroke logging, credential theft, and scanning for cryptocurrency wallets across multiple web browsers. Exfiltrated data is sent to a command-and-control server, facilitating further payload execution and post-exploitation commands. The use of fileless malware tactics complicates detection and eradication, posing significant challenges to cybersecurity defenses.
2025-09-11 05:36:25 theregister NATION STATE ACTIVITY NASA Imposes Strict Restrictions on Chinese Nationals Amid Espionage Concerns
NASA has prohibited Chinese nationals from accessing its facilities and networks, including virtual platforms, to safeguard sensitive information and operations. This decision follows the admission of espionage activities by Chenguang Gong, who accessed critical US aerospace data. The espionage involved downloading information on missile-confusing sensors and radiation-hardened cameras used for early warnings. NASA's actions reflect heightened security measures due to its collaboration with the US military and the strategic importance of its projects. The ban aligns with US law, which restricts NASA from engaging with China's space program without Congressional approval. NASA aims to maintain American leadership in space exploration, with plans for lunar and future Mars missions. The move underscores the broader geopolitical competition between the US and China in the space domain.
2025-09-11 03:37:31 theregister NATION STATE ACTIVITY EggStreme Malware Targets Philippines Military Amidst South China Sea Tensions
Bitdefender researchers identified the EggStreme malware, believed to be linked to Chinese APTs, targeting a military company in the Philippines. The EggStreme Framework uses a sophisticated, multi-stage approach to maintain persistent access on compromised systems. Key components include EggStremeFuel and EggStremeLoader, which establish persistence, and EggStremeAgent, a backdoor with extensive capabilities. The malware operates filelessly, executing malicious code in memory, enhancing its stealth and making detection challenging. The attack aligns with China's strategic interests in the South China Sea, where territorial disputes with the Philippines are ongoing. The nature of the targeted entity remains unclear, potentially involving either the Philippine armed forces or a defense contractor. This incident underscores the persistent cyber threats faced by organizations involved in geopolitical conflicts.
2025-09-10 22:47:18 theregister CYBERCRIME Akira Ransomware Exploits SonicWall Vulnerabilities for Global Extortion
Akira ransomware affiliates are exploiting SonicWall vulnerabilities, including CVE-2024-40766, to conduct widespread extortion attacks, impacting numerous organizations globally. The vulnerability, with a CVSS score of 9.8, was initially disclosed in August 2024, yet remains unpatched in many systems, offering a significant attack surface. Over 438,000 SonicWall devices are still publicly accessible, increasing the risk of ransomware attacks due to inadequate patching and security configurations. Rapid7 has responded to multiple incidents involving SonicWall appliances, indicating a potential for widespread industry impact if mitigations are not implemented. SonicWall advises upgrading to SonicOS 7.3.0 and enabling multi-factor authentication to mitigate risks associated with legacy credential use and misconfigurations. Threat intelligence firms have observed an increase in Akira activity since July 2024, exploiting default LDAP configurations and misconfigured VPNs for unauthorized access. Organizations are urged to apply patches, enforce MFA, and limit access to trusted networks to protect against these evolving ransomware threats.
2025-09-10 22:14:30 bleepingcomputer DDOS Massive 1.5 Billion PPS DDoS Attack Targets European Mitigation Service
A European DDoS mitigation provider faced a significant attack reaching 1.5 billion packets per second, marking one of the largest packet-rate floods publicly disclosed. The attack was launched from compromised IoT devices and MikroTik routers across over 11,000 networks globally, primarily using UDP flood techniques. FastNetMon, a defense company specializing in DDoS protection, successfully mitigated the threat using real-time detection and the customer's scrubbing facility. Mitigation strategies included deploying access control lists on edge routers to filter out malicious traffic and prevent service disruptions. This incident follows a recent record-breaking DDoS attack blocked by Cloudflare, emphasizing the growing threat of volumetric attacks. FastNetMon's founder stressed the need for ISP-level intervention to prevent the weaponization of consumer hardware in large-scale attacks. The case underscores the importance of proactive measures and industry collaboration to safeguard against escalating DDoS threats.
2025-09-10 19:13:58 theregister MALWARE ChillyHell macOS Malware Evades Detection for Four Years
ChillyHell, a modular macOS backdoor, has been active for four years, evading detection despite being notarized by Apple. Initially reported by Mandiant in 2023, ChillyHell was linked to UNC4487, a cybercrime group targeting a Ukrainian auto insurance website. The malware's persistence mechanisms include installation as a LaunchAgent, a system LaunchDaemon, or through shell profile alterations. ChillyHell employs advanced evasion tactics such as timestomping and shifting between multiple command-and-control protocols. The malware's modular design enables it to execute various malicious commands, including brute-force attacks and payload deployment. Apple has revoked the developer certificates associated with ChillyHell, but the extent of its deployment remains unclear. This incident underscores the importance of vigilance, as even notarized software can harbor malicious code.
2025-09-10 17:59:50 bleepingcomputer CYBERCRIME Massive NPM Supply-Chain Attack Impacts Cloud Environments Globally
A significant supply-chain attack on the NPM ecosystem affected approximately 10% of cloud environments, exploiting popular packages like Chalk and Debug-js. Attackers gained access through a phishing attack on maintainer Josh Junon, injecting malicious code aimed at cryptocurrency theft. The open-source community swiftly responded, removing malicious packages within two hours, limiting the potential damage. Despite the attack's scale, financial gains for the attackers were minimal, totaling less than $1,000 in diverted cryptocurrency. The attack highlighted the rapid propagation potential of malicious code in supply-chain vulnerabilities, posing a significant operational risk. Technical analysis revealed the attack targeted browser environments, swapping cryptocurrency wallet addresses to redirect transactions. The incident underscores the critical need for robust security measures in managing open-source software dependencies.
2025-09-10 17:15:25 theregister DATA BREACH Jaguar Land Rover Faces Data Breach Amid System Disruptions
Jaguar Land Rover confirmed a data breach following a cyberattack, affecting some company data, though the extent remains under investigation. The attack led to significant operational disruptions, impacting both retail and production activities, with systems taken offline as a precaution. JLR has engaged third-party cybersecurity experts to assist in a forensic investigation, working to restore global applications securely. The company is informing relevant regulators and will notify affected individuals if personal data is confirmed compromised. Employees have been instructed to work from home, with service disruptions reported, including issues with parts ordering and diagnostics. Scattered Spider, a ransomware group linked to previous attacks on Marks & Spencer, is suspected of orchestrating the attack, potentially collaborating with ShinyHunters and Lapsus$. The incident underscores the persistent threat of ransomware to large enterprises, emphasizing the need for robust cybersecurity measures.