Daily Brief

Articles are listed below, each followed by a generated summary

Total articles found: 11824

Checks for new stories every ~15 minutes

2024-06-27 13:50:31 | theregister | NATION STATE ACTIVITY | US Lawmakers Highlight Risks of Chinese Dominance in Drone Technology
U.S. Congress members underlined the risks of Chinese dominance in the drone industry, describing it as a serious strategic vulnerability. Congressman John Moolenaar referred to a systematic strategy by Beijing, dubbed "the Huawei Playbook," aimed at controlling crucial technologies through national champions and aggressive market tactics. The dominance of Chinese companies, particularly DJI, which controls 80% of the U.S. drone market, was flagged as a significant concern with potential national security impact. Adam Bry, CEO of Skydio, emphasized the severe implications of Chinese strategies for the drone sector, especially given the critical role of AI and autonomy in future drone technology. Testimonies during the hearing highlighted the necessity of ensuring competition and reducing dependency on Chinese-made drones through sanctions and market access barriers. Previous warnings from organizations such as CISA, the FBI, and DHS about the espionage risks associated with Chinese drones were reiterated. New laws such as the American Security Drone Act of 2023 have begun to address these concerns, but limited domestic manufacturing capacity remains an issue.
2024-06-27 11:42:22 | thehackernews | MISCELLANEOUS | Risks of AI Training on Business Data in SaaS Applications
99.7% of organizations use SaaS applications with embedded AI functionality, which is essential for efficient workflows yet poses data security risks. 70% of popular AI applications may use organizational data for AI model training, potentially exposing sensitive business information and intellectual property. AI model training entails risky practices including data retraining, human reviews, and sharing information with third parties, all buried deep in service terms and privacy policies. Significant risks include IP and data leaks, misalignment of interests due to shared competitive intelligence, non-compliant third-party collaborations, and complex compliance issues with global data protection regulations. A lack of transparency in SaaS applications about which data is used for AI training increases the risk of inadvertent proprietary data exposure. Differences in data opt-out processes across platforms complicate security management, requiring robust SaaS Security Posture Management to ensure data privacy and compliance.
2024-06-27 11:01:25 | bleepingcomputer | MALWARE | Polyfill Service Accused of Malicious Code Distribution on 100,000 Sites
Polyfill.io was shut down after researchers found it delivering malicious code via its CDN, affecting over 100,000 websites. Polyfill has denied the allegations, calling the reports defamation and claiming its service is safe because of static caching via Cloudflare. Despite these claims, the service relaunched on a new domain, polyfill.com, under the same registrar. Sansec and Cloudflare have confirmed the security risks associated with the original polyfill.io CDN, which led to unwanted redirects and misuse of Cloudflare's name. The original creator of the Polyfill open source project clarified that they had never owned the polyfill.io domain and warned users against using it. The malicious CDN used a misleading domain name resembling Google Analytics to redirect visitors to sports betting sites. Experts advise users to stop using both polyfill.io and the new polyfill.com domain and to switch to verified alternatives provided by reliable companies such as Cloudflare and Fastly.
2024-06-27 09:34:20 | thehackernews | MISCELLANEOUS | Building Secure Blockchain Applications using Python and AlgoKit
AlgoKit enables developers to build decentralized blockchain applications (dApps) using native Python, simplifying the entry for developers familiar with Python. Python's readability, maintainability, and integration capabilities with other technologies make it ideal for developing complex blockchain applications. The AlgoKit toolkit facilitates the setup of development environments and allows the deployment of secure, production-ready dApps on the Algorand blockchain. Developers can start a local Algorand blockchain network, create new projects, and write smart contracts all through command-line instructions provided by AlgoKit. The production template within AlgoKit includes features for testing, continuous integration/continuous delivery (CI/CD), and deployment, streamlining the development process. Through the use of ARC4Contract and the ARC4 ABI method, Python developers can ensure their contracts interact smoothly with the Algorand ecosystem. AlgoKit also supports the compilation of Python-written contracts into TEAL, the bytecode for the Algorand Virtual Machine, and provides automated tools for contract interaction and testing.
2024-06-27 09:23:48 | bleepingcomputer | MALWARE | Cloudflare Denies Endorsement of Polyfill.io Amid Malware Injection Scandal
Cloudflare has officially declared that it never authorized Polyfill.io to use its brand name or logo, countering misleading claims on the Polyfill.io website. Over 100,000 websites were compromised by a supply chain attack launched via malicious code embedded in Polyfill.io’s CDN, which had been taken over by the Chinese entity 'Funnull'. Cloudflare has launched an automatic JavaScript URL rewriting service that substitutes safe links for Polyfill.io links, mitigating the risk while keeping websites functional without disruption. This free service is activated automatically for Cloudflare users on the free plan, with a manual activation option available for paid plans. Cloudflare strongly advises all website owners to stop using Polyfill.io and switch to secure alternatives, recommending its own secure mirror CDN for a non-disruptive transition. The Polyfill.io domain is currently offline, following the disclosure and remedial action by Cloudflare and ongoing investigations into the DNS changes that briefly pointed to Cloudflare servers.
2024-06-27 09:08:19 | thehackernews | CYBERCRIME | High-Severity Prompt Injection Vulnerability Exposed in Vanna AI
Cybersecurity researchers at JFrog have revealed a critical flaw in the Vanna.AI library, identified as CVE-2024-5565 with a CVSS score of 8.1, which poses a significant remote code execution risk. The flaw arises from a prompt injection vulnerability in Vanna’s "ask" function, which allows execution of arbitrary commands by manipulating input prompts. Vanna.AI, a Python-based machine learning library, lets users interact with SQL databases by converting natural language questions into SQL queries. Attackers exploit this vulnerability through "prompt injections," misleading the AI’s language model into bypassing built-in safety protocols and performing unintended actions. Techniques such as the Skeleton Key and Crescendo exploits, which involve multi-turn dialogues that gradually alter the AI’s behavior, have become increasingly concerning because they allow evasion of AI safeguards. In response to the discovery, Vanna has released a hardening guide recommending that users run potentially vulnerable functions in a sandboxed environment to prevent exploitation. The incident underscores the necessity of robust security measures when integrating generative AI models with critical systems, highlighting that reliance on built-in AI safeguards alone is insufficient.
2024-06-27 07:44:34 | thehackernews | NATION STATE ACTIVITY | Russian National Indicted for Cyber Attacks Amid Ukraine Invasion
A 22-year-old Russian, Amin Timovich Stigal, has been indicted by the U.S. for launching cyber attacks against Ukraine and its allies just before the 2022 military invasion. Stigal is allegedly linked with the Russian military's GRU and remains at large, with the U.S. offering a $10 million reward for information leading to his capture. These pre-invasion cyberattacks employed a destructive malware known as WhisperGate, intended to disrupt Ukrainian government and IT systems. The malware, while masquerading as ransomware, was primarily designed to disable computer systems completely upon activation. Microsoft, which tracks the group under the alias Cadet Blizzard, reported the initial use of this malware in mid-January 2022. The attacks not only targeted Ukraine but extended to probing U.S. federal government systems, using the same malicious infrastructure. Stigal and co-conspirators also engaged in data theft and defacement, selling sensitive information online to undermine confidence in Ukrainian security among the populace and allied nations.
2024-06-27 06:48:29 | thehackernews | MALWARE | Critical SQL Vulnerability in Fortra FileCatalyst Poses Severe Risk
Fortra FileCatalyst Workflow has been found to contain a high-risk SQL injection flaw, CVE-2024-5276, with a CVSS score of 9.8. Affected versions include 5.1.6 Build 135 and earlier; a patched version is available in 5.1.6 build 139. The vulnerability allows potential unauthorized creation, deletion, or modification of data within the application’s database. Attack vectors include unauthenticated access if anonymous access is enabled, or exploitation by an authenticated user. Temporary mitigation can be achieved by disabling certain servlets in the application's "web.xml" file. Tenable reported the flaw and released a proof-of-concept exploit, highlighting the urgency and potential for misuse. Organizations using Fortra FileCatalyst Workflow are urged to apply updates or mitigations promptly to prevent potential breaches.
2024-06-27 04:20:47 | bleepingcomputer | NATION STATE ACTIVITY | Chinese Cyberspies Use Ransomware to Obfuscate Espionage Efforts
Chinese cyberespionage groups, specifically ChamelGang, have been leveraging ransomware such as CatB to complicate attack attribution, distract defenders, and occasionally serve as a secondary revenue source, while primarily focusing on data theft. ChamelGang, also known by names such as CamoFei, targeted government entities and critical infrastructure sectors from 2021 through 2023, using sophisticated initial access, reconnaissance, lateral movement, and data exfiltration techniques. Notable attacks include the breach of Brazil’s Presidential computers in November 2022, involving 192 compromised devices and subsequent deployment of CatB ransomware with ransom notes indicating contact and payment methods. Another significant ChamelGang operation was an attack on the All India Institute Of Medical Sciences, disrupting healthcare services with the deployment of CatB ransomware. Separate activity clusters, not conclusively attributed, employed BestCrypt and Microsoft BitLocker in cyberattacks targeting mostly North American organizations, with some victims in South America and Europe. These attacks typically lasted about nine days, indicating the attackers' familiarity with the targeted environments, and involved automated, serial encryption of server endpoints and individualized attacks on workstations. Cross-analysis with other cybersecurity firms suggests some overlap between these activities and previous intrusions associated with Chinese and North Korean APTs. The strategic incorporation of ransomware into espionage activities aims to blur the distinction between cybercrime and state-sponsored actions, potentially leading to misattribution and obscuring the primarily espionage-oriented nature of the intrusions.
2024-06-27 01:48:06 | theregister | MALWARE | South Korean Telco KT Accused of Infecting Users with Malware
A South Korean media outlet accuses KT, a local telecom company, of deliberately infecting users' P2P systems with malware. Allegedly, 600,000 users were affected by malware designed to hide files within the P2P service, leading to service disruptions. The malicious activity started in May 2020 and was conducted internally from KT's datacenter for nearly five months. Police have raided KT's headquarters and datacenter, seizing evidence under potential violations of local communication and information network laws. The investigation reveals a specialized KT team responsible for interfering with file transfers, with roles covering malware development, distribution, and wiretapping. Thirteen employees from KT and its partners have been identified and referred for possible prosecution. KT defends its actions by labeling the web hard drive P2P service itself as malicious, necessitating control measures. The actions are part of broader disputes over network usage in South Korea, highlighted by conflicts over network operation costs with major streaming services such as Netflix.
2024-06-27 00:36:35 | theregister | NATION STATE ACTIVITY | U.S. Indicts Russian National, Offers $10M Reward in Cyber Espionage Case
The U.S. Department of Justice has indicted Amin Timovich Stigal, a 22-year-old Russian, for cyberattacks targeting Ukrainian government systems. Stigal is alleged to have collaborated with Russian military intelligence (GRU) to deploy the WhisperGate malware, targeting critical Ukrainian infrastructure just before Russia's invasion. In January 2022, the attacks affected vital sectors including government, military, and emergency services among others, using malware designed to mimic ransomware but actually intended to delete data. The U.S. State Department is offering a $10 million reward for information leading to Stigal's capture, emphasizing the severity of the cyber espionage activities. The indictment accuses the attackers of defacing websites, stealing personal data, and sowing distrust among Ukrainian citizens regarding the security of their personal and governmental data. The WhisperGate attacks were later attributed to Russian military by the U.S. and allies, with Microsoft’s intelligence unit linking the group to Cadet Blizzard, associated with the GRU. Additional activities by the group include attacks on infrastructure in a Central European country and probing of U.S. government systems, with efforts to conceal their Russian affiliation using fake identities and U.S.-based infrastructure.
2024-06-26 22:03:47 | theregister | CYBERCRIME | US Offers $5 Million for Capture of 'CryptoQueen' Ruja Ignatova
The U.S. government has announced a $5 million bounty for information leading to the arrest or conviction of Ruja Ignatova, also known as "CryptoQueen." Ignatova co-founded OneCoin in 2014, which was promoted as a major digital currency but was later revealed to be a $4 billion Ponzi scheme. She was indicted on multiple charges including wire fraud and money laundering in 2017, and additional charges of securities fraud were added in 2018. Ignatova evaded capture by fleeing from Bulgaria to Greece in October 2017 and may be living under a new identity following possible plastic surgery. OneCoin was falsely advertised with lavish global events and celebrity-endorsed parties to attract investors. Ignatova's current whereabouts are unknown, with the FBI seeking tips via various communication channels and through U.S. Embassies worldwide. Her brother, Konstantin, and co-founder Karl Sebastian Greenwood have been arrested and charged, with Greenwood pleading guilty in 2022.
2024-06-26 18:50:06 | theregister | CYBERCRIME | Gang Leader Convicted for Violent Crypto-Related Kidnappings
Remy St Felix led a gang involved in violent home invasions across the U.S., targeting wealthy cryptocurrency investors. The criminal activities occurred between September 2022 and July 2023, including assaults, kidnappings, and robberies. Victims were often physically restrained and threatened with further violence to coerce access to their crypto wallets. The gang successfully stole hundreds of millions in cryptocurrency, utilizing tech-savvy methods and remote software for account access. In one instance, over $150,000 was stolen from a single couple in North Carolina through remote exploitation of their crypto accounts. St Felix was arrested in July 2023 and has been convicted of multiple charges including conspiracy, kidnapping, and wire fraud. The criminals attempted to launder the illicit gains using privacy-focused cryptocurrencies and platforms lacking rigorous compliance checks. St Felix faces a sentencing range from seven years to life in prison; his case highlights the intersection of physical violence and cybercrime in crypto theft.
2024-06-26 18:39:39 | theregister | NATION STATE ACTIVITY | Julian Assange Pleads Guilty, Released After Long Legal Battle
Julian Assange, founder of WikiLeaks, pleaded guilty to a single charge of conspiracy to obtain and disclose national defense information in the US District Court for the Northern Mariana Islands. Assange's plea was part of a deal that allowed him to admit guilt to one charge instead of the original 18, leading to his release as he had already served the sentence's duration in the UK. The court session marked the close of years of complex legal battles, including potential extradition from Sweden and later from the UK after refuge in the Ecuadorian embassy. Australian Prime Minister Anthony Albanese highlighted ongoing diplomatic efforts to resolve Assange's case, stressing it had been too prolonged and unproductive to continue. Assange left the court free and headed back to Australia on a privately chartered jet funded by a crowdfunding campaign initiated by his wife. His case has raised numerous discussions about journalism's limits, espionage, and legal ethics, particularly concerning the use of the US Espionage Act against journalists. The resolution of Assange's case suggests a potential new era of increased secrecy and challenges in journalistic freedom, setting a significant legal precedent.
2024-06-26 18:24:01 | bleepingcomputer | CYBERCRIME | LockBit Ransomware Falsely Claims Attack on U.S. Federal Reserve
The LockBit ransomware group claimed to have attacked the U.S. Federal Reserve, stealing 33 terabytes of sensitive data. It was later revealed that the actual target was Evolve Bank & Trust, not the Federal Reserve. LockBit's initial claim mentioned ongoing negotiations and threatened to release the data unless better ransom terms were negotiated. Evolve Bank & Trust confirmed a cybersecurity incident in which its data was illegally obtained and released on the dark web. In response, Evolve is offering affected customers credit monitoring and identity theft protection, and it has engaged law enforcement to address the situation. Recent examinations by the Federal Reserve identified significant deficiencies in Evolve’s risk management and compliance, leading to demands for improvement. This incident highlights LockBit's strategy of making exaggerated claims to maintain relevance within the cybercriminal community.