Daily Brief

The articles below are listed with generated summaries.

2024-11-25 05:34:29 theregister NATION STATE ACTIVITY China Cracks Down on Manipulative Internet Algorithms
The Cyberspace Administration of China (CAC) has initiated a campaign against manipulative internet practices, including echo chambers and discriminatory pricing algorithms. The CAC aims to eliminate "information cocoons" by banning recommendation algorithms that push highly similar content and limit user choice. The directive also demands greater transparency in how platforms use algorithms to rank and recommend content, to combat misuse and prevent internet addiction. Discriminatory pricing based on user demographics like age, occupation, and consumption habits is prohibited, with a call for fairness in e-commerce. Platforms must ensure personal data collection is limited to what is necessary for content recommendations and prohibit the use of illegal or harmful information in user profiling. The Chinese government requires online platforms to adjust their practices by the end of the year, with government assessments to follow early next year. Significant reforms have been made since March 2022, including requirements for platforms to allow users to opt out of targeted advertising and to make their algorithms public. Violations of the new regulations will be met with penalties, the severity of which will match the degree of the violation.
2024-11-25 01:32:24 theregister NATION STATE ACTIVITY Novel 'Nearest Neighbor Attack' Targets Wi-Fi Networks
Russian-backed APT28 has been implicated in an innovative cyber espionage technique that uses neighboring organizations to breach target networks. The exploited Wi-Fi networks lacked multifactor authentication, enabling access via geographical proximity and stolen credentials. Once in the target network, the attackers moved laterally and used the neighbors' networks for data exfiltration. Volexity's investigation highlights the creative lengths to which motivated nation-state actors will go for espionage. Guest Wi-Fi networks were also compromised, indicating a need for isolation between sensitive and less sensitive network resources. Additional cybersecurity news includes Microsoft's seizure of phisher domains and vulnerabilities in Cisco's Firepower Management Center software. The emergence of Helldown ransomware targeting Linux and VMware ESX systems was noted; the ransomware is considered unsophisticated yet effective because it exploits an unknown vulnerability. Misconfigured Jupyter Notebooks were exploited for illegal livestreaming, underscoring the need for robust security configurations in data analysis environments.
2024-11-24 16:22:52 bleepingcomputer CYBERCRIME Meta Takes Down 2 Million Accounts Linked to Global Scams
Meta removed over 2 million accounts involved in 'pig butchering' scams, predominantly originating from Southeast Asia and the UAE. These accounts used manipulative tactics to lure users into fraudulent investment platforms, showing falsified returns. Many victims were recruited through deceptive job postings and forced to work as online scammers under life-threatening conditions. Meta has been collaborating with law enforcement agencies in affected countries to dismantle these criminal networks. The company has adopted various security measures across its platforms, including two-factor authentication and selfie verification to protect users. The FBI highlighted a significant increase in investment fraud leading to substantial financial losses, emphasizing the severity of the scam.
2024-11-24 15:32:15 theregister NATION STATE ACTIVITY Volunteer Hackers Begin Securing U.S. Water Infrastructure
The Franklin project, launched at DEF CON, aims to fortify U.S. critical infrastructure against cyber threats by engaging skilled volunteer hackers. Six American water companies across Utah, Vermont, Indiana, and Oregon have initially partnered in the project to allow cybersecurity evaluations and fixes on their systems. The initiative is supported by the University of Chicago’s Cyber Policy Initiative and the National Rural Water Association, focusing on bolstering cybersecurity in the water sector. DEF CON founder Jeff Moss highlighted the project's goal to enhance national resilience and to create a "Hacker's Almanack" for sharing learned cybersecurity tactics. Despite the diverse IT systems among the U.S.'s roughly 50,000 water suppliers, the project aims to collectively harden these systems against potential foreign cyberattacks. Recent cybersecurity concerns have noted unauthorized probing into U.S. infrastructure by nations like China, Russia, and Iran, marking water systems as potential targets in conflicts. The project seeks not only to improve security but also to increase public awareness and policy support for defending essential services like water systems from cyber threats. Volunteers involved range from students to experienced professionals, all united by a commitment to enhance cybersecurity in the water sector.
2024-11-24 15:11:52 bleepingcomputer CYBERCRIME Major SMS Phishing Operation Halted in Bangkok by Police
Thai police arrested a 35-year-old Chinese national who was operating an SMS blaster from a van in Bangkok, capable of sending over 100,000 phishing texts per hour. Over the course of three days, nearly one million fraudulent SMS messages were sent, misleading recipients with fake notifications about expiring points from AIS, Thailand's largest mobile operator. The messages included a phishing link, purporting to be from AIS, which led users to a malicious website designed to steal credit card information. The scammers, part of an international fraud ring, used private Telegram channels for coordination and decision-making regarding the content of the messages. AIS supported the police operation by helping to pinpoint the location of the SMS blaster, although the specific methods were not disclosed to prevent future evasion by spammers. Despite the general public's growing awareness and the typically low success rates of such phishing attempts, the large volume of messages and the high density of potential victims in Bangkok allowed for substantial illegal earnings.
2024-11-23 17:41:44 theregister NATION STATE ACTIVITY Kristi Noem's DHS Appointment: Cybersecurity Implications
President-elect Donald Trump has nominated South Dakota Governor Kristi Noem as Secretary of Homeland Security. Noem is known for her strong stance on border control and has actively participated in cyber initiatives at the state level. Concerns have been raised about her potential impact on federal cybersecurity policies, including a shift away from CISA's role in countering mis/disinformation. CISA Director Jen Easterly will resign before Trump's inauguration, raising questions about the future of the agency under Noem's leadership. Noem's past refusal of federal cybersecurity grants suggests she may prioritize state-level over federal approaches. Her tenure in South Dakota saw growth in cybersecurity jobs and academic programs, highlighting an emphasis on local cyber initiatives. The incoming administration's position on issues like TikTok and broader cybersecurity challenges remains uncertain. The Trump administration plans to limit CISA's role to protecting civil government networks and coordinating critical infrastructure security.
2024-11-23 16:25:49 bleepingcomputer MISCELLANEOUS Microsoft Enhances Windows 11 with Third-Party Passkey Support
Microsoft is currently testing updates to the WebAuthn API to enable support for third-party passkey providers on Windows 11, enhancing passwordless authentication. This development allows users to employ biometrics like fingerprints and facial recognition through third-party providers such as 1Password and Bitwarden, alongside native Windows options. The integration aims to streamline authentication by maintaining the Windows Hello user experience while adding the flexibility to use passkeys created on mobile devices. These features are available to Windows Insiders in the Beta Channel as of Preview Build 22635.4515 (KB5046756), inviting users to provide feedback on the enhancements. Microsoft is contributing to the broader adoption of passkey technology by releasing source code for developers, facilitating the creation of compatible plugins. This initiative is part of Microsoft’s commitment to the FIDO Alliance standards for passwordless sign-ins, reflecting a significant shift towards more secure and user-friendly authentication methods. In addition to passkey updates, Microsoft announced new features for Windows 11 PCs and an optimized web browser for PC gaming, enhancing overall user interaction and multitasking capabilities.
2024-11-23 15:09:58 bleepingcomputer MALWARE Hackers Exploit Old Avast Driver to Disable Security Software
Hackers are utilizing an outdated Avast Anti-Rootkit driver to bypass security and gain control over systems by terminating security processes. This malicious approach, known as BYOVD (Bring-Your-Own-Vulnerable-Driver), leverages kernel-level access granted by the driver to manipulate OS operations and halt various security tools. The malware involved, recognized by the filename "kill-floor.exe," deploys the vulnerable driver and systematically deactivates 142 identified security processes from multiple vendors including McAfee, Symantec, and Microsoft Defender. Researchers from Trellix uncovered this technique which enables attackers to execute malicious activities without detection by neutralizing threat alerts and prevention mechanisms. Similar exploitation of this driver was linked to AvosLocker and Cuba ransomware attacks back in 2021, indicating ongoing abuse of these vulnerabilities. Avast addressed related security flaws (CVE-2022-26522 and CVE-2022-26523) discovered in 2016 and reported in December 2021, highlighting systemic issues with maintaining driver security. To mitigate such threats, security experts recommend employing defensive solutions like Microsoft's vulnerable driver blocklist and Trellix's signature or hash-based identification rules.
2024-11-23 12:13:25 thehackernews NATION STATE ACTIVITY Pro-China GLASSBRIDGE Network Uses Fake News Sites for Influence
Microsoft identified a China-based cyber threat actor named Storm-2077, active since January 2024, targeting U.S. government and global sectors. The adversary employs phishing and malware, including Cobalt Strike and Spark RAT, to infiltrate systems and gather intelligence. Storm-2077 has operated sophisticated attacks on cloud environments, manipulating administrative access to extract sensitive email data. Google's Threat Intelligence Group exposed GLASSBRIDGE, a pro-China influence operation using fake news sites to spread favorable narratives. Over 1000 inauthentic GLASSBRIDGE-operated websites have been blocked by Google from appearing in its News and Discover features since 2022. GLASSBRIDGE operations are linked to multiple PR firms like Shanghai Haixun Technology and Times Newswire/Shenzhen Haimai Yunxiang Media. These inauthentic sites republish content from PRC state media and other PR-generated materials, posing as independent news outlets.
2024-11-23 11:58:07 thehackernews CYBERCRIME North Korean Hackers Use LinkedIn for $10M Crypto Theft
North Korea-linked hackers, identified as Sapphire Sleet, have stolen over $10 million in cryptocurrency via LinkedIn social engineering scams. These operations involve posing as recruiters or job seekers, using fake profiles to deceive targets into downloading malware. The hackers leverage AI tools like Faceswap and possibly voice-changing software to create and manipulate identities and interact with potential victims. The primary scam technique includes fake online meetings where error messages prompt victims to download malicious scripts that compromise their devices. Microsoft has traced this activity back to Sapphire Sleet, which has connections with other known groups like APT38 and BlueNoroff, active since at least 2020. The stolen digital assets mainly include cryptocurrencies, accessed by obtaining credentials and wallet details through malware installations. North Korean IT workers are sent abroad to not only do legitimate work but also secretly participate in intellectual property theft and ransom activities. Microsoft reports that these workers have collectively earned approximately $370,000 through such illicit means, while using sophisticated methods to obscure their identities and actions online.
2024-11-22 22:40:49 theregister CYBERCRIME Andrew Tate's Website Hacked, Subscriber Data Leaked
Andrew Tate's website, Real World, was hacked, compromising the personal data of its subscribers. Hackers accessed 113,000 active user accounts and stole usernames, email addresses, and chat server contents. Security flaws allowed the hackers to manipulate site features, spamming chat rooms with LGBTQ+ symbols and messages. The compromised data was reportedly shared with breach notification and leak publication platforms such as Have I Been Pwned and DDoSecrets. The cyberattack occurred while Tate was under house arrest in Romania, facing serious charges including rape and human trafficking. An unsecured MongoDB database on the site exposed additional sensitive user information, including encrypted passwords and account recovery codes. Real World has yet to issue a response or a statement addressing the security breach and data theft.
2024-11-22 21:29:52 theregister CYBERCRIME Thousands of Firewalls Breached Using Critical Vulnerabilities
Thousands of Palo Alto Networks firewalls were compromised by exploiting two newly patched security bugs. Attackers used these vulnerabilities to deploy web backdoors, crypto miners, and other malware. Initial hijackings included roughly 2,000 devices, a number that diminished to about 800 after patches were installed. The exploited vulnerabilities include a critical authentication bypass and a medium-severity privilege escalation. By chaining the two, attackers could gain admin access and execute arbitrary code. Exploitation and the resulting attacks increased significantly after a proof-of-concept demo was released. Some attackers have used compromised devices to host and stage further malware attacks, indicating organized malicious activity.
2024-11-22 19:38:29 bleepingcomputer NATION STATE ACTIVITY Russian Hackers Execute Remote WiFi Breach on US Firm
Russian state hackers APT28 compromised a U.S. company's WiFi network remotely using a "nearest neighbor attack". The attack involved an initial compromise of nearby organizations to gain indirect access to the target's enterprise WiFi network. The operation was detected by cybersecurity firm Volexity on February 4, 2022, during an investigation at a Washington, DC site. The hackers leveraged stolen credentials and, because they had direct WiFi access, bypassed the multi-factor authentication protections that guarded other entry points. APT28 exploited corporate WiFi weaknesses, demonstrating the limitations of MFA in protecting against sophisticated network intrusions. Through skillful use of daisy-chained connections and compromised dual-homed devices, the attackers maintained a minimal digital footprint. The attack led to lateral movement within the network and exfiltration of sensitive data using native Windows tools and methods. This incident highlights the evolving techniques of nation-state actors and underscores the need for enhanced security measures for corporate WiFi networks.
2024-11-22 18:02:15 bleepingcomputer MISCELLANEOUS Microsoft Launches AI-Powered Recall Feature for Windows Insiders
Microsoft announced the rollout of its AI-driven Recall feature exclusively for Windows Insiders using Snapdragon-powered Copilot+ PCs on the Dev Channel. The feature, delayed multiple times, captures and analyzes screenshots every few seconds using on-device AI, storing data locally in an SQLite database. Recall is an opt-in feature that enhances privacy by requiring Windows Hello for user verification and allows exclusion of specific apps from snapshot capture. Microsoft has incorporated safety measures in Recall, including anti-hammering and rate-limiting, to protect users from potential malware attacks. Recall has faced significant criticism from cybersecurity experts and privacy advocates warning of potential data theft by malicious entities. In response to privacy concerns, Microsoft ensured that no user data from Recall would be sent to Microsoft or third parties, nor used for training AI models. The company also introduced a related feature, Click to Do, which analyzes screen content to help users complete tasks efficiently, available within the Recall experience. Future updates will allow users to back up their encryption keys for data restoration in case of PC resets or device changes.
2024-11-22 17:01:28 thehackernews NATION STATE ACTIVITY South Asian APT Uses Hajj Themes to Deploy Malware
Mysterious Elephant, a South Asian threat actor also known as APT-K-47, targets Pakistani entities using Hajj-themed phishing lures. The group uses a sophisticated spear-phishing campaign to distribute Asyncshell malware hidden in a CHM file masquerading as a document about future Hajj policies. The malware establishes a command shell to a remote server, allowing execution of commands and control over the infected system. Asyncshell has evolved to feature different versions with enhanced capabilities like HTTPS communication for command-and-control operations. Recent modifications in the malware show adaptability, such as using variable command-and-control servers and employing Visual Basic Scripts for more stealthy operations. The threat uses a WinRAR vulnerability (CVE-2023-38831) as an entry point to compromise systems. Knownsec 404's analysis highlights the ongoing and advanced nature of APT-K-47's cyber espionage activities focused on regional geopolitical interests.