Daily Brief

Articles are listed below, each with a generated summary

Total articles found: 11823

Checks for new stories every ~15 minutes

2024-06-14 20:22:18 bleepingcomputer MISCELLANEOUS Firefox Enhances Security for Stored Passwords with Device Login
Mozilla Firefox 127 adds a feature that requires the device's own credentials before stored passwords in the browser's password manager can be viewed. The prompt accepts biometrics, the system password or a PIN, and is meant to stop someone with local or remote access to an unlocked device from reading saved credentials. It brings Firefox in line with Google Chrome and Microsoft Edge, which already require similar authentication before revealing saved logins. The check only guards against unauthorized physical or remote access to the signed-in session; it does not protect against information-stealing malware, which can decrypt the stored credential database directly. Mozilla recommends setting a Primary Password as an added layer, which encrypts the password database with a secret known only to the user. Even a Primary Password can be brute-forced offline, so it should be long and hard to guess. The result balances convenience with stronger protection for web credentials.
2024-06-14 20:16:57 theregister CYBERCRIME Nigerian National Convicted in $1.5 Million Phishing Scam
Ebuka Raphael Umeti, a Nigerian national, was convicted in a U.S. federal court for his role in a $1.5 million business email compromise (BEC) scheme, the Department of Justice announced. With two alleged co-conspirators, Umeti combined social engineering with malicious software to defraud companies through emails impersonating legitimate business partners. The scheme extracted $571,000 from a New York wholesaler and $400,000 from a Texas metal supplier. From 2020 the group added malware supplied by a new participant, Saudi national Mohammed Naji Mohammedali Butaish. Umeti and fellow Nigerian Franklin Ifeanyichukwu Okwonna were arrested in January 2023 and found guilty; Butaish remains at large because the United States has no extradition treaty with Saudi Arabia. Umeti faces a statutory maximum of 102 years in prison, though the actual sentence is likely to be far shorter; sentencing is scheduled for late August.
2024-06-14 18:09:20 bleepingcomputer CYBERCRIME London Hospitals Delay 800 Operations Due to Ransomware Attack
A ransomware attack on Synnovis, the pathology services provider used by several London hospitals, has forced the cancellation of more than 800 operations and 700 outpatient appointments. The attack, attributed to the Qilin ransomware operation, struck on June 3 and severely disrupted pathology services at the affected hospitals. Emergency departments stayed open, but many procedures that depend on pathology results had to be postponed. NHS England warns that the disruption could last for months as Synnovis restores its IT systems gradually. The attack has also caused a shortage of blood supplies, particularly O-positive and O-negative, which are essential for urgent procedures. The recent rise in Qilin attacks underscores the ongoing threat to healthcare infrastructure and the need for stronger defences. Qilin's leak site went offline after the attack but is back online; the gang has not yet claimed responsibility for the breach.
2024-06-14 16:42:36 bleepingcomputer MALWARE CISA Alerts on Windows Vulnerability Used in Ransomware Attacks
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has flagged CVE-2024-26169, an elevation-of-privilege flaw in the Windows Error Reporting service, as exploited in ransomware attacks. The bug lets a local attacker gain SYSTEM privileges without user interaction. Microsoft patched it on March 12, 2024, without marking it as exploited in the advisory; Symantec has since attributed the exploitation to the Black Basta ransomware group and found exploit tools whose compile timestamps date back to December 2023, suggesting the flaw was abused as a zero-day before the patch shipped. Under Binding Operational Directive 22-01, Federal Civilian Executive Branch (FCEB) agencies must patch by July 4, and CISA urges all organizations to do the same given the flaw's use in ransomware intrusions. Black Basta has breached more than 500 organizations and extorted at least $100 million in ransom payments.
2024-06-14 16:32:11 bleepingcomputer CYBERCRIME Former IT Employee Sentenced for Sabotaging Employer's Servers
Nagaraju Kandula, a former employee of Singapore IT firm NCS (National Computer Systems), was sentenced to two years and eight months in prison for deleting 180 virtual servers. Kandula pleaded guilty; he acted out of spite after being fired for poor performance. The deletions cost NCS approximately $678,000. He still had working credentials because NCS had not revoked them after his termination. Over several months he logged into NCS systems repeatedly, tested a script, and finally ran it to wipe the servers. The servers were part of a quality assurance environment used for software testing, so no sensitive information was compromised. The case underscores the need to revoke a departing employee's access and rotate any shared credentials immediately on termination.
2024-06-14 15:56:17 bleepingcomputer CYBERCRIME Former IT Staff Member Sentenced for Sabotaging Company Servers
Nagaraju Kandula, a former quality assurance employee at Singapore IT firm NCS (National Computer Systems), was sentenced to two years and eight months in prison for deleting 180 virtual servers. Angered by his dismissal for poor performance, he used company credentials that were still active to sabotage the firm. Between January and March 2023 he logged in repeatedly, tested his script, and executed it on March 18 and 19, causing an estimated $678,000 in damage. The deleted servers belonged to a software testing environment and no sensitive information was reportedly leaked, limiting the wider impact. Police traced the activity to Kandula through the IP address used; his laptop and the script were seized on arrest. The case shows the cost of leaving administrative credentials active after an employee is terminated, and the need to revoke access and rotate passwords immediately.
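The two NCS entries above describe the same failure: a fired employee's credentials stayed valid for months and were used repeatedly before the wipe. The script below is an added example of the audit that would have caught it, not code from NCS, the court record or the article. It cross-checks an identity export against HR's leaver list (both constructed here, with hypothetical usernames and dates) and flags enabled accounts belonging to people who have left, orphaned accounts with no owner on the roster, and logins recorded after a termination date.

```python
"""Audit for credentials that outlive their owner's employment.

Added example, not code from NCS or the article. The account list stands in
for an identity-provider or AD export, the roster for HR's leaver list.
All names and dates below are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    last_login: Optional[date]
    privileged: bool = False


@dataclass(frozen=True)
class Leaver:
    username: str
    terminated_on: Optional[date]  # None: still employed


# Constructed sample data (hypothetical users and service account).
AS_OF = date(2023, 3, 19)
ACCOUNTS: List[Account] = [
    Account("jdoe", enabled=True, last_login=date(2023, 3, 18), privileged=True),
    Account("asmith", enabled=True, last_login=date(2023, 3, 20)),
    Account("svc_qa_deploy", enabled=True, last_login=date(2023, 3, 1), privileged=True),
    Account("bwong", enabled=False, last_login=date(2022, 6, 1)),
]
ROSTER: List[Leaver] = [
    Leaver("jdoe", date(2022, 11, 30)),   # left, account never disabled
    Leaver("asmith", None),               # current employee
    Leaver("bwong", date(2022, 6, 1)),    # left, account correctly disabled
]                                          # svc_qa_deploy: nobody owns it


def _termination_dates(roster: List[Leaver]) -> Dict[str, Optional[date]]:
    return {r.username: r.terminated_on for r in roster}


def stale_accounts(accounts: List[Account], roster: List[Leaver],
                   as_of: date, grace_days: int = 0) -> List[Tuple[Account, Optional[int]]]:
    """Enabled accounts whose owner left at least `grace_days` ago, returned as
    (account, days_since_termination). Accounts absent from the roster are
    reported with None: orphaned identities are the ones nobody revokes."""
    terms = _termination_dates(roster)
    findings: List[Tuple[Account, Optional[int]]] = []
    for acct in accounts:
        if not acct.enabled:
            continue
        if acct.username not in terms:
            findings.append((acct, None))
            continue
        left = terms[acct.username]
        if left is None:
            continue
        overdue = (as_of - left).days
        if overdue >= grace_days:
            findings.append((acct, overdue))
    return findings


def post_termination_logins(accounts: List[Account], roster: List[Leaver]) -> List[Account]:
    """Any login recorded after the termination date, whether or not the
    account is still enabled. This signal was available for months before
    the wipe in the case above."""
    terms = _termination_dates(roster)
    return [a for a in accounts
            if a.last_login is not None
            and terms.get(a.username) is not None
            and a.last_login > terms[a.username]]


def report(as_of: date = AS_OF, grace_days: int = 0) -> Dict[str, list]:
    """Summarise both checks by username so the result is easy to act on."""
    return {
        "stale": [(a.username, d)
                  for a, d in stale_accounts(ACCOUNTS, ROSTER, as_of, grace_days)],
        "post_termination_logins": [a.username
                                    for a in post_termination_logins(ACCOUNTS, ROSTER)],
    }


if __name__ == "__main__":
    result = report()
    for username, days in result["stale"]:
        owner = "no roster entry" if days is None else f"owner left {days} days ago"
        print(f"STALE  {username:15s} {owner}")
    for username in result["post_termination_logins"]:
        print(f"LOGIN  {username:15s} logged in after termination date")
```

Run it on a nightly schedule against the real exports and treat any privileged hit as an incident, not a ticket: in the case above, the gap between termination and the wipe was months, which is exactly the window this check closes.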
2024-06-14 15:10:04 bleepingcomputer CYBERCRIME Scattered Spider Targets Cloud Apps for Advanced Data Theft
Scattered Spider, also tracked as Octo Tempest among other names, has shifted to stealing data from SaaS applications and establishing persistence by creating new virtual machines in victim environments. The group relies on social engineering, including SMS phishing and account hijacking, and frequently targets corporate help desk agents to get access controls changed in its favour and to extract sensitive information. Mandiant's report describes the gang's move from ransomware to data extortion without encryption, and its expansion into a wider range of industries and organizations. With a compromised account, the attackers escalate privileges and pivot through single sign-on providers such as Okta into the victim's SaaS applications. For persistence and exfiltration they create virtual machines and disable security tooling inside them, and they use cloud sync tools across platforms including AWS and GCP to move data out. They also perform reconnaissance inside the victim's own SaaS applications and use Golden SAML attacks to keep persistent access to cloud applications. Mandiant advises tighter monitoring of SaaS platforms, a review of how virtual machine infrastructure is managed, and stronger MFA and VPN policies.
2024-06-14 13:27:55 theregister NATION STATE ACTIVITY Ukraine Cracks Down on Spyware SIM Farms Targeting Soldiers
Ukraine's Security Service (SBU) dismantled infrastructure used by pro-Russia operatives to compromise soldiers' devices and deploy spyware. The operators ran SIM farms to send phishing SMS messages and distribute spyware that gave them control over data and communications on infected devices. A woman in Zhytomyr managed more than 600 mobile numbers on direct Russian instructions, paid in cryptocurrency for spying and spreading propaganda. Separately, a man in Dnipro ran around 15,000 social media accounts registered with Ukrainian SIM cards and sold access on dark web forums, mainly to Russian intelligence. The operations aimed to collect military intelligence, push propaganda, and run social engineering lures, including through dating sites and social media. So far only the Dnipro man has been detained; the woman has been served a notice of suspicion under Ukraine's computer misuse laws. In a separate case, Kyiv police detained a key member of ransomware gangs, a sign of continued cybercrime with links to Russian operations in Ukraine.
2024-06-14 13:22:36 thehackernews DATA BREACH Austrian Non-Profit Accuses Google of Misleading User Tracking
Google's Privacy Sandbox initiative, meant to replace third-party tracking cookies, still enables user tracking, according to a complaint filed by Austrian privacy nonprofit noyb with the Austrian data protection authority. noyb argues that Google presents tracking as a privacy improvement inside its own browser and uses deceptive consent flows to obtain agreement to first-party ad tracking. Privacy Sandbox limits data sharing with third parties while still allowing ads tailored to individual users through Google's own tracking technology. Google has delayed the rollout in response to feedback from regulators and developers, with a full transition now proposed for early next year. noyb accuses Google of using dark patterns to raise acceptance, misleading users into thinking they are opting into a privacy feature rather than into tracking, and says that collecting data without fully informed consent still violates regional data protection law even if it is less invasive than third-party cookies. Google defends Privacy Sandbox as a significant privacy advance and says it will seek a balanced solution for all stakeholders.
2024-06-14 12:41:35 bleepingcomputer DATA BREACH Globe Life Investigates Breach in Web Portal Security
Globe Life has discovered a breach of one of its web portals that may have exposed consumer and policyholder data. The issue came to light during a review of access permissions and user identity management prompted by an inquiry from a state insurance regulator. The company cut off external access to the portal to stop further unauthorized access, activated its incident response plan, and engaged outside security experts to remediate the breach and assess its nature, scope and impact. Other systems remain operational, and Globe Life currently considers the impact on its business insignificant. The investigation is ongoing and the full implications are still being determined.
2024-06-14 12:31:12 thehackernews MISCELLANEOUS Webinar on Securing Petabyte-Scale Data with Industry Experts
A webinar brings together industry leaders on the challenge of securing petabyte-scale data and the strategies that work for large, constantly changing data environments. As data growth accelerates, organizations of every size need more advanced data security. Topics include continuous attack surface discovery, penetration testing, and red teaming. The session is aimed at CISOs, security engineers, IT professionals, and business leaders responsible for data security, and promises real-world experience and solutions from practitioners in the field. Registration is open.
2024-06-14 11:34:57 theregister NATION STATE ACTIVITY French Government Proposes €700M Bid for Atos Tech Assets
The French government has offered €700 million for key technology assets of the struggling IT company Atos. The bid covers Atos's Big Data & Security division, comprising its Advanced Computing, Mission-Critical Systems, and Cybersecurity activities, which support IT projects for the French military and other government bodies. Atos has recently accepted a rescue package from its largest shareholder, Onepoint, to restructure its debt and stabilise the company. The talks will be overseen by conciliator Maître Hélène Bourbouloux, with no guarantee of an agreement. Atos is also negotiating the sale of its Worldgrid unit to Alten SA for €270 million, a deal expected to close by the end of 2024. Its shares rose more than 16% on the acquisition news, after a drop of over 20% earlier in the year.
2024-06-14 11:03:48 thehackernews MISCELLANEOUS Why Industries Adopt Military-Grade Cybersecurity Measures
Regulated industries such as finance, healthcare, and government must meet stringent standards for cybersecurity or face severe penalties and reputational damage. As these sectors see a sharp rise in cyber threats, they are moving from traditional security measures to what the article calls military-grade cyber defenses: real-time data analytics, machine learning, and Content Disarm and Reconstruction (CDR) used to neutralise threats before they land. Collaboration between the military and the private sector gives industry access to cutting-edge technology and best practices. Insider risk programs are a core part of such a strategy, protecting sensitive data from threats inside the organization. Military-inspired strategies emphasise proactive threat prevention, rapid response, and layered security, an approach the article credits with defending critical national and corporate assets. Adopting these strategies, technologies, and partnerships is presented as essential for regulated industries to improve resilience, meet compliance requirements, and protect critical infrastructure.
2024-06-14 08:19:14 thehackernews CYBERCRIME Critical Vulnerabilities Identified in ZKTeco Biometric Systems
Security researchers have found 24 vulnerabilities in ZKTeco's biometric access terminals: six SQL injections, seven stack-based buffer overflows, five command injections, four arbitrary file writes, and two arbitrary file reads. Exploiting them could let attackers bypass authentication, steal stored biometric data, and take remote control of the devices. Stolen biometric data could be sold on the dark web, raising the risk of identity theft and of deepfake and social engineering attacks; attackers could also enter restricted areas or plant backdoors on the network for espionage or disruption. The flaws were found by reverse engineering the device firmware and its communication protocols, and there is no confirmation yet that they have been fixed. Recommended mitigations include isolating the biometric devices on a separate network segment, using strong passwords, and keeping systems updated. Left unpatched, these flaws undermine the security benefit that biometric authentication is supposed to provide and make affected systems easy targets for unauthorized access.
2024-06-14 06:47:27 thehackernews NATION STATE ACTIVITY North Korean Hackers Escalate Phishing Attacks on Brazilian Fintech
North Korean hackers account for roughly one-third of state-sponsored phishing activity targeting Brazil since 2020, focusing on the government and on sectors such as aerospace, technology, and finance. They pay particular attention to cryptocurrency and fintech companies; the actor tracked as UNC4899 approaches targets over social media with fake job offers and delivers trojanized applications through seemingly benign documents and trojanized GitHub projects. Other North Korean groups, PAEKTUSAN and PRONTO, have run campaigns posing as recruiters or targeting diplomats for credential theft and espionage. Microsoft and Google have observed similar lures, including malware distributed through fake npm packages, a significant risk given the trust placed in open-source registries. The use of LinkedIn and freelance platforms to spread malware shows how the threat continues to evolve.