Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11823
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-06-14 04:34:44 | thehackernews | MISCELLANEOUS | Microsoft Delays Launch of AI Recall Feature Over Security Concerns | Microsoft announced a delay in releasing their AI-powered Recall feature for Copilot+ PCs due to security and privacy concerns.
The rollout will first undergo testing in the Windows Insider Program to gather feedback and ensure high standards for quality and security are met.
Originally scheduled for June 18, 2024, the broad release has been postponed after the feature drew criticism as a potential privacy threat and a target for cybercriminals.
The Recall function is designed to capture screenshots of user activity, creating a searchable database through an AI model on the device.
Due to backlash, Microsoft transformed Recall into an opt-in feature and introduced additional security measures, including authentication requirements via Windows Hello for accessing content.
Enhanced protection includes "just in time" decryption, allowing access to data only after authentication using biometrics or a PIN.
Microsoft's cautious approach reflects wider industry concerns about the safe and responsible usage of AI technology amidst innovation pressures.
The updates come shortly after Apple introduced a new AI processing method called Private Cloud Compute, emphasizing privacy in cloud-based computations. | Details |
| 2024-06-14 02:12:10 | bleepingcomputer | DATA BREACH | Microsoft Delays Launch of Windows Recall Over Security Concerns | Microsoft has postponed the public preview of its AI-powered Windows Recall feature, originally set for June 18, 2024, to address privacy and security issues.
The Windows Recall feature, which takes frequent screenshots for data retrieval, raised significant privacy concerns among advocates and cybersecurity experts.
Following criticism, Microsoft plans to initially release the feature to Windows Insiders for feedback before a broader roll-out to all Copilot+ AI PCs.
Concerns were heightened by a ProPublica report criticizing Microsoft for prioritizing revenue over security and a congressional discussion regarding Microsoft's security lapses.
The feature will now be opt-in and will encrypt its database using Windows Hello authentication for accessing the app, as part of additional security measures.
Cybersecurity expert Kevin Beaumont highlighted the vulnerability of the feature to malware, which could manipulate it to steal user data.
Microsoft acknowledges the need for further testing and securing of the Windows Recall feature in response to backlash and potential risks. | Details |
| 2024-06-14 00:45:18 | theregister | NATION STATE ACTIVITY | Microsoft Grilled in Congressional Hearing Over Security Lapses | Microsoft President Brad Smith testified before the US House Committee on Homeland Security regarding the company's security breaches and business operations in China.
The hearing addressed findings from a Homeland Security Cyber Safety Review Board report, which highlighted Microsoft's missteps that allowed Chinese spies to access sensitive US government emails.
Smith claimed responsibility for Microsoft's failures but suggested the detection of the intrusion by the US State Department, not Microsoft, indicated the system's efficacy, sparking criticism from lawmakers.
Lawmakers questioned the adequacy of Microsoft's security measures, given its significant role in providing software and cloud services to the US government.
Discussions also covered Microsoft’s compliance with Chinese national security laws, with Smith denying that the company conformed to such regulations despite operating in China.
The hearing explored potential vulnerabilities in Microsoft's dealings in China, where national laws could potentially compel the company to surrender user data or software code.
The Congressional hearing underscored ongoing concerns regarding the intertwining of national security, international cyberespionage, and the role of private tech companies in safeguarding sensitive information. | Details |
| 2024-06-13 23:18:28 | bleepingcomputer | DATA BREACH | Truist Bank Confirms Data Breach, Employee Info Sold Online | Truist Bank acknowledged a system breach after data appeared on a hacker forum.
The breach happened in October 2023; stolen data includes 65,000 employee records.
Data for sale includes sensitive bank transactions and internal bank source code.
The breach was contained swiftly, with further security measures and client notifications following.
Truist Bank seamlessly cooperated with law enforcement and cybersecurity experts to mitigate consequences.
The bank has found no evidence of fraud associated with the breach thus far.
The sale was facilitated by known hacker "Sp1d3r," also linked to data thefts from other major firms.
Truist Bank clearly stated that the breach is not related to the "Snowflake attacks." | Details |
| 2024-06-13 22:47:45 | theregister | NATION STATE ACTIVITY | Congress Denies Funding for Space Force's GPS Hardening Project | The US Space Force's request for $77 million to enhance GPS resilience through additional satellites has been declined by Congress.
The proposed R-GPS project aimed to mitigate spoofing attacks by expanding the GPS constellation with about 20 small satellites.
This funding request is part of a broader Department of Defense budget scrutiny for 2025 by the House Appropriations Committee.
Critics in the committee question the efficacy of adding more satellites in combating the primary GPS jamming threats.
Current concerns also focus on the M-code signals which are supposed to enhance resistance to jamming but have seen repeated delays in user equipment availability.
The total projected cost for the R-GPS initiative could reach approximately $1 billion over five years.
The appropriations report has tasked the Director of Cost Assessment and Program Evaluation to review and report on the viability of R-GPS as a solution for improved national security positioning and timing services within 180 days.
This setback comes despite ongoing investments in anti-jamming technology, equipment upgrades, and cybersecurity enhancements for GPS systems. | Details |
| 2024-06-13 21:56:19 | bleepingcomputer | MALWARE | Ascension Healthcare System Crippled by Ransomware Attack | Ascension, a major U.S. healthcare provider, experienced a significant ransomware attack in May 2024, initiated by an employee inadvertently downloading a malicious file.
The attack severely disrupted the MyChart electronic health records system, phone services, and crucial systems for ordering tests, procedures, and medications.
In response to the attack, Ascension was compelled to take multiple systems offline to mitigate damage, resorting to manual documentation of medical services.
A few non-urgent elective procedures, tests, and appointments were postponed, and certain emergency services were redirected to alternative healthcare facilities.
While restoration efforts are ongoing, Ascension has confirmed the breach affected only seven of their approximately 25,000 network servers, mainly impacting non-clinical administrative data.
Preliminary investigations revealed that the stolen data may include Protected Health Information (PHI) and Personally Identifiable Information (PII), but no evidence suggests that complete Electronic Health Record (EHR) systems were compromised.
The breach has tentatively been linked to the Black Basta ransomware group by external sources; however, Ascension has not confirmed this association officially. | Details |
| 2024-06-13 19:58:50 | theregister | MISCELLANEOUS | Oracle Shuts Down $2 Billion Advertising Business Amid Privacy Shifts | Oracle Advertising is closing due to a steep decline in revenue, down from $2 billion in 2022 to $300 million in 2024.
This decision was announced in Oracle’s fiscal 2024 Q4 earnings call, highlighting a broader strategic shift away from advertising.
The shutdown is a culmination of over a decade of acquisitions aimed at building Oracle's ad capabilities, now made obsolete by increasing privacy regulations and market changes.
Key external pressures include enhanced privacy laws like GDPR, changes in tech company policies reducing data access, and a shift in market demands toward more privacy-focused approaches.
The closure will likely result in layoffs, affecting between 1,001 and 5,000 employees listed under Oracle Advertising on LinkedIn.
Despite the advertising business shutdown, Oracle recorded $53 billion in sales and a profit of $10 billion, reflecting overall business growth.
Industry experts suggest this move reflects broader market trends where reliance on third-party data for advertising is becoming less viable and profitable.
This closure marks an industry shift towards less invasive advertising practices and a potential increase in data privacy. | Details |
| 2024-06-13 19:53:15 | bleepingcomputer | DATA BREACH | New York Times GitHub Repo Breach Exposes Freelancer Data | The New York Times experienced a data breach in January 2024 involving their GitHub repositories, affecting numerous freelancers.
Sensitive personal information was accessed, including names, contact details, and additional personal and professional data.
The compromised data amounts to about 273GB and includes source code and internal documentation, which was leaked on 4chan.
Affected data was primarily for freelance visual contributors; full-time staff was reportedly not impacted.
The breach originated from exposed credentials that permitted unauthorized access to the GitHub repos.
The Times has informed affected individuals and advised precautions to secure personal information and strengthen account security.
This incident has raised concerns regarding the safeguarding of sensitive information within external development platforms like GitHub. | Details |
| 2024-06-13 18:46:47 | bleepingcomputer | RANSOMWARE | Toronto District School Board Hit by Ransomware Attack | The Toronto District School Board (TDSB) experienced a ransomware attack on its technology testing environment, affecting Canada's largest school board.
TDSB is investigating potential exposure of sensitive information following the unauthorized access by a third party.
The attack was contained in the testing environment with no disruption to the board's operational systems or daily activities.
TDSB, serving roughly 247,000 students and employing 40,000 staff, is working with law enforcement and cybersecurity experts to assess the breach's scope.
All individuals potentially impacted by the data breach will be notified as the investigation progresses.
No major ransomware groups have claimed responsibility for the incident so far.
The incident has been reported to both the Toronto Police Service and the Information and Privacy Commissioner of Ontario. | Details |
| 2024-06-13 18:36:17 | bleepingcomputer | DATA BREACH | Panera Bread Notifies Employees of Data Breach Post-Ransomware Attack | Panera Bread experienced a ransomware attack in March, compromising sensitive employee data.
The breach was detected by Panera, which then engaged external cybersecurity experts for investigation and containment.
Notification letters were sent to affected employees, disclosing potential exposure of names, Social Security numbers, and other employment-related information.
No evidence currently suggests that the stolen data has been publicly disclosed or misused.
Impacted employees are offered a one-year subscription to identity and credit monitoring services.
The attack caused significant disruptions to Panera’s operations, including a week-long IT systems outage affecting sales, employee scheduling, and customer rewards services.
Details about the number of affected employees, the specific ransomware involved, and confirmation of a ransom payment remain undisclosed. | Details |
| 2024-06-13 17:34:48 | bleepingcomputer | MALWARE | Google Patches Zero-Day Exploit Across Pixel Devices | Google has issued patches for 50 security issues affecting its Pixel smartphones, including a high-severity zero-day being actively exploited.
The exploited vulnerability, identified as CVE-2024-32896, allowed for elevation of privilege on Pixel firmware and was used in targeted attacks.
GrapheneOS reported the vulnerability, originally tagged as CVE-2024-29748, was actively exploited by forensic companies to defeat security features like duress PIN/password systems.
The flaw has been rectified in the June 2024 update for devices running Android 14, but older versions may not receive this critical fix unless upgraded to Android 15.
Google emphasized the urgency of installing the latest update to prevent potential misuse of this and other critical vulnerabilities in their devices.
To enhance security, Pixel users are advised to manually install the June security updates through their device settings.
In related news, another significant vulnerability in Arm's GPU drivers, also exploited in the wild, has been identified and publicized earlier in the month. | Details |
| 2024-06-13 17:24:21 | bleepingcomputer | CYBERCRIME | Exploit Released for Critical Veeam Orchestrator Flaw, Users Urged to Patch | A PoC exploit for CVE-2024-29855, a critical authentication bypass flaw in Veeam Recovery Orchestrator, has been published.
The vulnerability allows unauthenticated attackers to gain administrative access via a hardcoded JWT secret used across installations.
CVE-2024-29855 is critical with a CVSS v3.1 rating of 9.0, affecting versions 7.0.0.337 and 7.1.0.205 and earlier.
Attackers can generate valid JWT tokens by deducing usernames from the SSL certificate’s CN field and iterating through a finite list of roles.
The security researcher demonstrated that additional supposedly required conditions for exploitation could be bypassed or simplified.
Veeam has released patched versions of the software and recommends immediate updates to mitigate the risk.
The public availability of the exploit increases the urgency for affected organizations to patch vulnerable systems promptly. | Details |
| 2024-06-13 16:33:13 | theregister | CYBERCRIME | Ukrainian Police Arrest Key Ransomware Programmer in Kyiv | Ukrainian police have arrested a 28-year-old Kyiv programmer linked to major Conti and LockBit ransomware attacks across Europe.
The suspect, whose identity remains confidential, is accused of developing encryption tools that concealed viruses as harmless files, aiding in the evasion of popular antivirus software.
If convicted under the Criminal Code of Ukraine for abusing computer systems, the individual could face up to 15 years in prison.
The arrest is part of Operation Endgame, a broader Europol-led initiative aimed at dismantling cybercriminal networks and infrastructure such as malware loaders and botnets.
Dutch authorities identified the programmer's involvement in specific ransomware attacks on a multinational corporation in 2021.
The arrest occurred on April 18, but details were only recently publicized, highlighting ongoing international efforts to combat ransomware.
Ukrainian and other international law enforcement agencies continue to target LockBit affiliates, with recent activities affecting the gang's operations although not completely disabling it. | Details |
| 2024-06-13 14:10:16 | thehackernews | CYBERCRIME | 'Sleepy Pickle' Exploits Machine Learning with Pickle Files | A new attack named "Sleepy Pickle" has been identified, targeting machine learning (ML) models through the Pickle serialization format.
Sleepy Pickle injects malicious payloads into ML model files to manipulate model behavior, such as tampering with model weights or modifying input and output data.
The attack utilizes techniques including adversary-in-the-middle attacks, phishing, supply chain vulnerabilities, and exploiting system weaknesses to deliver the payload.
Once the malicious pickle file is deserialized, it can change the ML model in real-time, enabling backdoors or data tampering that can generate dangerous or misleading outputs.
This represents a significant supply chain threat as the compromised ML model can affect downstream users unknowingly.
Trail of Bits warns that such attacks can maintain access and control over ML systems without being detected, as the models are altered when the pickle files are loaded.
Recommendations include only loading ML models from trusted sources, using signed commits, or relying on safer serialization formats like TensorFlow or Jax with enhanced security measures. | Details |
| 2024-06-13 14:04:52 | bleepingcomputer | MISCELLANEOUS | Enhancing Security: The Evolving Landscape of Multi-Factor Authentication | Multi-factor authentication (MFA) significantly increases security, protecting businesses and individuals from cyber threats.
MFA, including two-factor authentication, involves multiple security steps beyond just passwords, such as biometric verification.
Authorities like the US Cybersecurity & Infrastructure Agency support MFA, emphasizing its role in preventing unauthorized access even if a password is compromised.
The global MFA market is expanding rapidly, projected to double by 2027, with strong adoption due to increasing regulatory requirements.
New regulations like PCI-DSS 4.0 and PSD2 in the EU mandate MFA to enhance security in financial transactions and protect sensitive data environments.
Despite its strengths, MFA can be compromised through tactics like prompt bombing, exploiting user fatigue from repeated login prompts.
Regulatory bodies and organizations are pushing for phishing-resistant MFA to counteract sophisticated cyberattack techniques.
Proper implementation and ongoing adaptation of MFA practices are essential for organizations to protect against evolving cyber threats and comply with tightening regulations. | Details |