Daily Brief


Total articles found: 11823


2024-06-08 07:02:49 thehackernews MISCELLANEOUS Microsoft Modifies Recall Feature After Privacy Backlash
Microsoft announced changes to its AI-powered Recall feature, making it opt-in instead of default due to privacy concerns. Recall captures and analyzes screenshots every five seconds to create a visual timeline, but faced criticism for inadequate privacy safeguards. Significant security updates include biometric authentication via Windows Hello for accessing Recall data, and encryption of stored snapshots. Microsoft highlighted that Recall snapshots are processed locally, not shared externally, and can be managed or deleted by the user at any time. IT administrators in enterprise environments can disable the Recall feature on managed devices, though user consent is required to enable it. Critics like Kevin Beaumont and Andy Greenberg have expressed concerns about privacy and likened the initial implementation to spyware. Microsoft's decision to alter Recall aligns with efforts to prioritize security, influenced by previous security challenges from nation-state actors.
2024-06-07 23:41:05 theregister DATA BREACH Massive Leak of New York Times Internal Data Hits 4chan
A 4chan user has reportedly leaked 270GB of New York Times data, including its source code, on peer-to-peer networks. The leaked data supposedly contains around 5,000 repositories and 3.6 million files from The New York Times Company. Files in the leak may include a range of proprietary information, from software blueprints to email marketing campaigns. Of the leaked files, fewer than 30 are reportedly encrypted, leaving most of the content exposed to potential misuse. The authenticity of the leak has not yet been confirmed, and The New York Times has not commented on the matter. The New York Times and other media organizations have been targeted in previous cyberattacks, including efforts by the Syrian Electronic Army and suspected Russian operatives. The situation underscores the ongoing security challenges faced by major news organizations.
2024-06-07 22:34:42 theregister NATION STATE ACTIVITY FCC Proposes Stricter BGP Security Rules to Combat Routing Threats
The FCC has voted unanimously to issue a notice of proposed rulemaking requiring U.S. internet service providers (ISPs) to create, and annually revise, a confidential security plan addressing Border Gateway Protocol (BGP) risks. This regulatory action aims to prevent BGP hijacking, in which rogue entities misdirect internet traffic, enabling surveillance or data tampering. Providers, especially the top nine U.S. broadband companies, would also be required to file quarterly public reports on their BGP security measures. The initiative aligns with national cybersecurity efforts under Initiative 4.1.5 of the National Cybersecurity Strategy Implementation Plan, which focuses on secure Internet routing practices. The proposal involves adopting Resource Public Key Infrastructure (RPKI) to reinforce BGP security, although it is noted that even RPKI is not foolproof against every attack method. Smaller ISPs would not be required to submit BGP security plans regularly, but must provide them if the FCC requests. Public comments are invited before the proposal is finalized, allowing stakeholders to voice their perspectives or concerns.
2024-06-07 22:04:04 bleepingcomputer MISCELLANEOUS LastPass Suffers 12-Hour Outage Due to Faulty Chrome Extension Update
LastPass experienced a nearly 12-hour outage caused by a problematic update to its Chrome extension. The outage began at around 1 PM ET, with users unable to access their password vaults and receiving "404 Not Found" errors. Users voiced their frustration on social platforms such as Reddit and Twitter, highlighting problems accessing saved credentials. LastPass identified the cause as an update that inadvertently overloaded its backend infrastructure. The company confirmed the issue was resolved around 8 PM ET but continued to receive login and functionality complaints from users. Performance and operations were reportedly restored, yet some users still faced login problems and non-functional features. The problematic update is believed to have sent excessive requests to LastPass servers, with an effect resembling a DDoS attack.
2024-06-07 19:51:47 bleepingcomputer MISCELLANEOUS Apple Set to Launch 'Passwords' App at Developers Conference
Apple plans to introduce a new standalone password manager app, 'Passwords', during its next Worldwide Developers Conference. The app will be integrated into iOS 18, iPadOS 18, and macOS 15, leveraging the existing iCloud Keychain infrastructure to store and manage user passwords. iCloud Keychain, while already functioning as a password manager, is currently embedded within device settings and may not be easily accessible or widely used. The 'Passwords' app is designed to encourage the use of strong, unique passwords to enhance security and aid in protecting users against data breaches. With features for importing credentials from other password managers and categorizing passwords, the app aims to attract users from competitors such as Bitwarden, LastPass, and 1Password. Apple's inclusion of multi-factor authentication capabilities directly within the app positions it as a replacement for other authenticator apps like Google Authenticator and Authy. LastPass criticizes Apple's approach, suggesting that relying on a single vendor's system can restrict user freedom and flexibility across different devices and operating systems.
2024-06-07 19:46:27 theregister MISCELLANEOUS Microsoft Modifies Recall Feature Amid Security Concerns
Microsoft has decided to make its controversial Recall feature on Copilot+ Windows PCs opt-in following significant backlash and criticism regarding security. Recall was initially designed to automatically capture and store screenshots and user activity on the local device to make past activity searchable. Security experts raised alarms that sensitive data could be accessed easily because it was stored in unencrypted databases. Following the criticism, the enhancements include a mandatory opt-in during setup, integration with Windows Hello for authentication, and improved data encryption. Critics, including former Microsoft threat analyst Kevin Beaumont, expressed serious concerns about the fundamental security risks posed by Recall. Recall's intended functionality includes capturing nearly all user activity, including screen content and app usage, to create a searchable archive of past actions. Microsoft plans to implement additional security measures such as just-in-time decryption, which decrypts the data only at the moment an authenticated user accesses it. The company emphasizes its commitment to evolving its products based on consumer and enterprise feedback in order to uphold privacy, security, and trust.
2024-06-07 19:05:28 bleepingcomputer DATA BREACH Christie's Auction House Hit by RansomHub Data Breach
Christie's, a British auction house, experienced a security breach in which the RansomHub ransomware gang stole customer data. The data theft occurred between May 8 and May 9, 2024, and was discovered by Christie's on May 9. External cybersecurity experts were hired, and law enforcement was notified to assist in the investigation and response. Customer information, including names, addresses, and ID details, was extracted, affecting at least 500,000 clients. Christie's completed a review of the affected data and notified potential victims, offering them a free year of identity theft protection and fraud monitoring. No attempts to misuse the stolen information have been reported, despite RansomHub's claims to have sold the data on its own platform. The company has taken additional security measures to prevent future incidents and continues to evaluate and enhance its cybersecurity framework.
2024-06-07 18:49:53 bleepingcomputer DATA BREACH Frontier Communications Reports Large-Scale Data Breach Affecting 750,000 Customers
Frontier Communications suffered a cyberattack in mid-April 2024 that led to unauthorized access to its IT systems. Personal data of approximately 750,000 customers, including full names and Social Security numbers, was exposed in the breach. The RansomHub ransomware group claimed responsibility for the attack, threatening to sell or leak the information unless its demands were met. Frontier has notified the affected customers and offered one year of free credit monitoring and identity theft protection services through Kroll to mitigate potential damage. According to Frontier, no customer financial information was compromised in the breach. The company took immediate action by shutting down some systems to contain the attack and has since enhanced its network security. Customers experienced connectivity issues during the attack, illustrating the operational impact beyond data exposure. Frontier continues to investigate the full impact of the incident while advising customers to stay vigilant against unsolicited communications and to monitor their accounts closely.
2024-06-07 18:13:58 theregister DATA BREACH Frontier Communications Confirms Data Breach Affecting 750K
Frontier Communications acknowledged a data breach affecting 751,895 individuals, as reported in a regulatory filing. Compromised information includes names and Social Security numbers; no financial data was reportedly affected. The breach was first detected on April 14, prompting immediate activation of Frontier's incident response plans. Following detection, Frontier engaged cybersecurity experts and implemented enhanced security measures to contain the breach. The company has also notified law enforcement and the relevant regulatory authorities about the incident. Contrary to claims by the cybercriminal group RansomHub, Frontier maintains that financial data and additional personal information were not compromised. RansomHub, which has previously targeted other high-profile entities, falsely claimed to have stolen extensive data and at one point attempted to sell it via its blog. Frontier remains vigilant, reinforcing network security after the incident to prevent further unauthorized access.
2024-06-07 16:42:23 bleepingcomputer MISCELLANEOUS Microsoft Enhances Security for Windows Recall with Opt-In and Encryption
Microsoft has updated its Windows Recall feature for Copilot+ PCs to be opt-in, bolstering user privacy following substantial customer feedback. The enhanced Recall requires users to authenticate via Windows Hello before enabling or accessing the feature, ensuring that data is only accessible to verified users. Data within Recall remains encrypted at all times and is only decrypted 'just in time' when a user authenticates, providing an additional layer of security against unauthorized access. The feature takes screenshots periodically to create a searchable index of computer activity, aimed at improving productivity by allowing users to search through past activities using natural language. Despite improvements, Microsoft has not confirmed whether these privacy settings will also apply by default in corporate environments, a significant concern highlighted by enterprise customers. The updated security measures, including proof of presence and encryption, respond to initial criticism that the feature compromised user privacy and security.
2024-06-07 16:01:27 thehackernews MISCELLANEOUS Webinar Aims to Enhance Cybersecurity with Simple Strategies
The year 2023 saw a surge in cyberattacks, including ransomware, DDoS, and data breaches. Many incidents could have been prevented with improved cyber hygiene practices. An upcoming webinar will guide participants on optimizing their cybersecurity efforts. Key focus areas include defense, deterrence, and cost-effective compliance in cyber hygiene. Attendees will learn essential strategies to protect against various types of cyber threats. The webinar includes sessions on Attack Surface Discovery, Penetration Testing, and Red Teaming. Registration is open for those looking to enhance their organization's security preparedness.
2024-06-07 15:50:57 thehackernews MALWARE Advanced LightSpy macOS Spyware Discovered with Broad Surveillance Features
Cybersecurity researchers have identified an advanced macOS variant of the previously known LightSpy spyware, now targeting Apple computers. The malware exploits CVE-2018-4233 and CVE-2018-4404, using exploit code partly borrowed from the Metasploit framework, to target macOS version 10. LightSpy is sophisticated malware with a plugin-based architecture capable of capturing a wide range of data, including microphone audio, camera snapshots, screen activity, and sensitive information from browsers and iCloud Keychain. The intrusion begins with exploitation of a WebKit flaw, which delivers a disguised Mach-O binary; this in turn downloads and executes further payloads that establish persistence and root access for the malware. The spyware connects to a command-and-control server to fetch commands and can dynamically download plugins to extend its capabilities. ThreatFabric's analysis traced the active deployment of this macOS variant of LightSpy to about 20 devices since January 2024, primarily test devices. Researchers were able to access the command-and-control panel due to a misconfiguration, revealing further insight into the operations and targets of the malware. This discovery is part of broader, global security concerns involving malware and targeted cyber-espionage affecting various operating systems and devices.
2024-06-07 15:09:58 theregister DATA BREACH Cisco Patches WebEx Bug Exposing Sensitive Government Meetings
Cisco addressed several bugs in WebEx that potentially exposed sensitive information from government meetings. The security flaws enabled unauthorized access to 10,000 meetings involving Dutch officials, revealing details such as meeting times, participant identities, and agendas. German officials could also have been affected, as some government meetings did not use password protection for WebEx sessions. The investigation was triggered by a German news report in May 2024, which disclosed that the WebEx flaws had been exploited to access detailed meeting information. Dutch and German authorities are assessing the impact of the breach, with investigations ongoing to determine the full extent of the unauthorized access. While there is no direct evidence of exploitation by hostile external entities, the possibility has prompted a review of security protocols for video conferencing services. Cisco had fully implemented fixes for these vulnerabilities as of May 28, 2024, and has informed affected customers based on the available logs. The company continues to monitor for further unauthorized activity.
2024-06-07 15:09:58 theregister MISCELLANEOUS Managing Cyber-Physical System Risks Under NIS2 Regulations
Cyber-physical systems (CPS) are particularly vulnerable because they were typically not designed with security as a primary concern. The Network and Information Security 2 Directive (NIS2) has broadened regulatory requirements, affecting sectors such as energy, transport, water management, and healthcare. Understanding and applying the NIS2 requirements to CPS risk management, which involves proprietary protocols and legacy systems, is crucial for businesses in the affected sectors. Claroty highlights the importance of exposure management over vulnerability management in addressing weaknesses within the Extended Internet of Things (XIoT). A webinar hosted by The Register featuring experts from Claroty will discuss how to apply the NIS2 regulations and effectively manage CPS risks using Claroty xDome. Professionals interested in improving their organization's risk management for cyber-physical systems can join the webinar on June 10, 2024.
2024-06-07 14:34:04 bleepingcomputer MALWARE Critical PHP RCE Vulnerability Affects All Windows Versions
A critical remote code execution vulnerability in PHP for Windows, identified as CVE-2024-4577, affects all versions since 5.x. The vulnerability was discovered by security researcher Orange Tsai and has been patched by the PHP project maintainers. The flaw arises from mishandled character encoding conversions when PHP is used in CGI mode on Windows, particularly through the 'Best-Fit' feature. Exploitation can allow unauthenticated attackers to execute arbitrary code on remote PHP servers. The vulnerability is notably severe on systems running Windows XAMPP with default configurations, and it affects various PHP versions including the end-of-life (EoL) PHP 8.0, 7.x, and 5.x branches. Recommended mitigations include upgrading to patched PHP versions or applying specific mod_rewrite rules to block attacks. The vulnerability has led to active scanning by threat actors and researchers looking to exploit affected systems. DEVCORE suggests transitioning from CGI to more secure server APIs such as FastCGI, PHP-FPM, and mod_php to improve security.