Daily Brief

Articles are listed below, each followed by its generated summary

Total articles found: 12756

Checks for new stories every ~15 minutes

2024-07-23 00:10:51 theregister MISCELLANEOUS Google Reverses Plan to Phase Out Third-Party Cookies
Google has decided not to phase out third-party cookie support in Chrome, reversing earlier plans that were framed as a privacy improvement. Anthony Chavez, VP of Google's Privacy Sandbox, cited the significant work involved and the implications for online advertisers as reasons for keeping third-party cookie support. The newly proposed approach instead gives Chrome users a choice between engaging with the Privacy Sandbox and continuing to allow third-party cookies and the tracking that comes with them. The announcement follows criticism and regulatory pressure, including an investigation by the UK's Competition and Markets Authority (CMA). Critics such as the Electronic Frontier Foundation argue that the decision favors advertising profit over privacy and point to ongoing concerns about user surveillance through advertising. The CMA is reevaluating its stance and has invited public comments on Google's revised approach in order to understand its potential market and consumer impacts. Privacy advocates urge users to adopt tools such as the Privacy Badger browser extension to better control online tracking.
2024-07-22 22:49:20 bleepingcomputer DATA BREACH Greece Land Registry Hit by 400 Cyberattacks, Data Breached
Greece's Land Registry experienced a data breach after facing 400 cyberattacks targeting its IT infrastructure over the past week. Hackers compromised employee terminals and stole 1.2 GB of data, which is approximately 0.0006% of the total data managed by the agency. The stolen data consisted of administrative documents and did not include any personal information of citizens. Attempts by attackers to create a malicious user and access the central database were thwarted, though one backup was accessed. No ransomware was detected on the systems according to the internal investigation supported by the Cybersecurity Directorate of the General Staff of National Defense. Emergency measures included terminating all VPN access and resetting passwords, with mandatory two-factor authentication for employee accounts. All attacks, including the last recorded attempt on July 19, 2024, were successfully repelled; normal operations and secure public transactions remain unaffected. These incidents follow major cyberattacks on other Greek state-owned entities in previous years, including ransomware attacks on the postal service and the country's largest natural gas distributor.
2024-07-22 22:23:42 bleepingcomputer MISCELLANEOUS Google Reconsiders Plan to Phase Out Third-Party Cookies
Google has reversed its decision to phase out third-party cookies in Chrome by early 2025, and instead will roll out a new feature that lets users control cookie settings. Third-party cookies are widely used for tracking users' online activities, raising privacy concerns addressed by regulations like the GDPR. Competitors Mozilla Firefox and Apple Safari have blocked these cookies by default since 2020, putting pressure on Google to follow suit. Google's proposed alternative, the Privacy Sandbox, aims for a less intrusive way to gather user data but has seen slow adoption and remains in beta testing. The new Chrome experience outlined by Google will offer users enhanced choices regarding third-party cookie use, with adjustable settings at any time. Privacy advocacy groups like the EFF criticize Google's decision, highlighting the continued prioritization of advertising revenue over user privacy. This development may impact publishers and advertisers who rely heavily on cookie-related data for targeted advertising campaigns and user tracking.
2024-07-22 20:21:15 theregister DDOS Global Crackdown Shuts Down Major DDoS-for-Hire Website
Global law enforcement agencies, including the UK's National Crime Agency (NCA), the Police Service of Northern Ireland (PSNI) and the FBI, collaborated under Operation Power Off to shut down the DDoS-for-hire service digitalstress.su. The operation led to the arrest of the site's suspected administrator on July 2; the suspect's identity has not been disclosed. Digitalstress.su was implicated in tens of thousands of DDoS attacks per week and marketed itself as an accessible tool for aspiring cybercriminals. The takedown used familiar tactics such as a splash page announcing police control of the domain and targeted messages to the site's users warning them off further illicit activity. Law enforcement also took control of the communication channels used by digitalstress.su, which may lead to broader investigations and further arrests. The operation shows that criminal services are not beyond reach even on top-level domains such as .su (the legacy Soviet Union TLD) that operators assume are insulated from takedowns, and that online criminals should not expect anonymity or impunity. It coincides with action in Spain against the hacktivist group NoName057(16), reflecting a sustained and coordinated international effort against cybercrime, particularly DDoS attacks.
2024-07-22 18:18:44 bleepingcomputer NATION STATE ACTIVITY US Sanctions Russian Hacktivists for Critical Infrastructure Attacks
The US has imposed sanctions on Yuliya Vladimirovna Pankratova and Denis Olegovich Degtyarenko, members of the hacktivist group Cyber Army of Russia Reborn (CARR). CARR has escalated its cyberattacks since 2022, initially focusing on DDoS attacks and later targeting critical infrastructure in the US and Europe. In a recent operation, CARR compromised the SCADA systems of a US energy firm and manipulated a water storage unit in Texas, publishing a video to demonstrate its capabilities. Although the attacks caused no major damage, they posed a significant risk to US critical infrastructure, prompting the sanctions. The sanctions bar US-based financial interactions with the named individuals and aim to isolate them and curtail their activities. The US has applied similar sanctions to other international cybercriminals as part of its stance on combating global cyber threats and securing critical infrastructure. Treasury officials emphasized that such actions are necessary to protect national security and prevent potential catastrophes from cyber intrusions.
2024-07-22 17:17:34 theregister CYBERCRIME LA County Superior Court Shuts Following Major Ransomware Attack
Los Angeles County Superior Court, the largest trial court in the U.S., temporarily shut all 36 courthouses due to a significant ransomware attack. The malware attack, reported on Friday, compromised every electronic platform used by the court, including internal systems, external communications, and internet-connected devices. Court officials and IT professionals have been working intensively to reconfigure and restore servers and databases since the attack. As of Sunday evening, many critical systems were still offline, leading to the closure of court services on Monday with plans to reopen by Tuesday. Presiding Judge Samantha P. Jessner emphasized the unprecedented nature of the attack and the ongoing efforts to protect data integrity and secure the network. Recovery efforts have faced multiple obstacles, making it impossible for legal proceedings to occur as scheduled. The cyberattack is noted to be unrelated to the simultaneous CrowdStrike incident affecting Windows systems globally.
2024-07-22 17:02:04 bleepingcomputer MALWARE New Ransomware Variant Targets VMware ESXi Linux Systems
A new Linux variant of Play ransomware specifically targets VMware ESXi environments, expanding the group's reach beyond Windows. Trend Micro reported that the sample checks that it is running in an ESXi environment before executing its payload, and that at the time of analysis it went undetected by security vendors on Linux. This follows a broader trend of ransomware groups targeting the virtualized environments enterprises rely on for efficient resource management, where encrypting VMs and their backups causes major operational outages and leaves few recovery options. The variant uses tools linked to a threat actor tracked as Prolific Puma, powers off all running VMs before encryption, and drops a ransom note that appears in the ESXi client and console. High-profile victims of Play ransomware include Rackspace, the City of Oakland, Arnold Clark, the City of Antwerp, and Dallas County. The FBI and CISA recommend enforcing multi-factor authentication, maintaining updated offline backups, and implementing robust recovery plans to mitigate the risk.
2024-07-22 16:36:18 theregister CYBERCRIME Shift in Ransomware Landscape: Criminals Move to Solo Operations
Europol reports that the disruption of major ransomware-as-a-service groups has fragmented the threat landscape. Individual operations are on the rise, with cybercriminals using modified tools independently because trust in large groups has diminished. The takedowns of ALPHV/BlackCat and LockBit have pushed skilled affiliates to develop their own malware and operate solo. Affiliates are moving away from group membership to reduce their exposure, especially after recent law enforcement successes. Attribution is becoming harder as cybercrime grows less centralized and more populated by independent actors. AI tools are helping solo operators quickly create and refine malicious code without extensive resources. Targeting is shifting from large enterprises to small and medium-sized businesses, whose weaker defenses make payouts easier to obtain. Multi-layered extortion remains the norm, underlining the importance of robust security practices and backup systems.
2024-07-22 15:54:44 bleepingcomputer DDOS DigitalStress DDoS-for-Hire Service Shutdown by UK Police
The UK's National Crime Agency (NCA) led a joint operation to dismantle the DDoS-for-hire service DigitalStress. The service's owner, known by the alias Skiop, was arrested earlier in the month by the Police Service of Northern Ireland. NCA agents infiltrated DigitalStress's communication channels to gather intelligence on its users and plan follow-up actions, and the agency intends to share that data with police worldwide to target the marketplace's users and administrators. Individuals in the UK who used the platform will be contacted by law enforcement. Associates of the service confirmed on its channels that the owner was unavailable and cautioned others against accessing a related site, suspecting it to be a law enforcement trap. The DigitalStress disruption is part of the broader Operation PowerOFF, which has targeted DDoS-for-hire platforms since December 2018 and reflects ongoing international efforts against the use of DDoS attacks by criminal actors.
2024-07-22 14:48:06 bleepingcomputer MALWARE Telegram Patch Fixes Malware Disguised as Video Files Exploit
A zero-day vulnerability dubbed 'EvilVideo' in Telegram for Android allowed malicious APKs to be disguised as video files. The exploit, discovered by ESET researchers, involved sending specially crafted APK files that appeared as videos through manipulation of the Telegram API. Despite being marketed as "one-click" by the seller, infection requires multiple user interactions, which lowers the likelihood of success. Telegram patched the flaw in version 10.14.5 after being alerted by ESET, which also found command and control servers linked to the malware. The malicious APKs masquerade as legitimate applications such as Avast Antivirus or an xHamster Premium Mod. ESET's tests confirmed that the exploit does not affect the Telegram desktop or web clients, where the payload is treated as an ordinary MP4 video file. Users who, before the patch, opened a video in Telegram that prompted for an external player are advised to check their devices for signs of infection.
2024-07-22 14:42:32 bleepingcomputer CYBERCRIME Los Angeles Superior Court Closed After Ransomware Disruption
The Superior Court of Los Angeles County suffered a significant ransomware attack early Friday, forcing the closure of all 36 courthouses. All court network systems, including the MyJuryDuty Portal and the case management systems, were shut down to contain the attack. Public and internal court services were disrupted, and restoration work pushed the expected reopening to the following Tuesday. No evidence of a data breach has been found, and the incident is under investigation with assistance from state and federal authorities. Presiding Judge Samantha P. Jessner emphasized the unprecedented nature of the attack and the ongoing efforts to restore and secure court operations. A previous incident in July 2017, which led to the conviction of Texas man Oriyomi Sadiq Aloba for hacking LASC systems, underscores the court's ongoing security challenges.
2024-07-22 14:42:32 bleepingcomputer MALWARE Telegram Exploit EvilVideo Hides Malware in Fake Videos
A Telegram for Android zero-day dubbed 'EvilVideo' disguised malicious Android APKs as video files inside the app. The exploit was sold on a Russian hacking forum by a user named 'Ancryno' and affects Telegram versions up to v10.14.4. ESET identified and analyzed the flaw after a proof of concept was publicly demonstrated. Telegram patched it in version 10.14.5, released on July 11, 2024, following ESET's disclosure. The exploit leveraged Telegram's API to get users to download and run the malicious APK believing it to be a video. Actual exploitation required several user interactions, including allowing installation of apps from unknown sources, which reduced the risk of widespread impact. Two malicious APKs using this exploit were identified, posing as legitimate applications such as Avast Antivirus. Users are advised to scan their devices for suspicious applications installed via Telegram.
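The two EvilVideo entries above describe an APK delivered under a video's name and type. The Python example below is added here for illustration and is not code from ESET, Telegram, or the original articles. It shows the basic content check a client or gateway can apply: decide the real file type from the bytes (the ZIP local-header magic that every APK starts with, or the 'ftyp' box of an MP4) rather than from the declared name or MIME type, and for a ZIP look inside for AndroidManifest.xml or a .dex entry. The check_attachment helper and the in-memory sample files are constructed assumptions for this example; they are not Telegram API calls and the sample is not real malware.

```python
import io
import zipfile


def build_fake_apk() -> bytes:
    """Constructed sample: a ZIP with the entries an APK carries (not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")  # placeholder content
        zf.writestr("classes.dex", b"dex\n035\x00")        # dex magic, placeholder body
    return buf.getvalue()


def build_fake_mp4() -> bytes:
    """Constructed sample: a minimal ISO BMFF header (box size, 'ftyp', brands)."""
    ftyp_box = (0x18).to_bytes(4, "big") + b"ftyp" + b"isom" + b"\x00\x00\x02\x00" + b"isomiso2mp41"
    return ftyp_box + b"\x00" * 32


def sniff(data: bytes) -> str:
    """Classify a blob by its leading bytes, not by any name or MIME type it arrived with."""
    if data[4:8] == b"ftyp":          # MP4/MOV family: second box field is 'ftyp'
        return "mp4"
    if data[:4] == b"PK\x03\x04":      # ZIP local file header; every APK is a ZIP
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "zip-damaged"
        if "AndroidManifest.xml" in names or any(n.endswith(".dex") for n in names):
            return "apk"
        return "zip"
    return "unknown"


def check_attachment(declared_name: str, declared_mime: str, data: bytes) -> dict:
    """Hypothetical gateway check: flag content whose real type contradicts its video claim.

    declared_name / declared_mime are attacker-controlled metadata; only `data` is trusted.
    """
    actual = sniff(data)
    claims_video = declared_name.lower().endswith((".mp4", ".mov", ".mkv")) or declared_mime.startswith("video/")
    return {
        "declared": declared_mime,
        "actual": actual,
        "suspicious": claims_video and actual != "mp4",
    }


if __name__ == "__main__":
    # Constructed inputs: the same "video.mp4" label over an APK and over a real MP4 header.
    for blob in (build_fake_apk(), build_fake_mp4()):
        print(check_attachment("video.mp4", "video/mp4", blob))
```

The order of checks is the point: the declared MIME type and filename are whatever the sender put in the message, while the first bytes are what the receiving app will actually hand to an installer or a video player. A production check would go further (full APK parsing, signature verification, sandboxed rendering), but this is enough to catch the name/content mismatch that the EvilVideo lure depended on.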
2024-07-22 14:06:39 bleepingcomputer DATA BREACH High Cost of Employee-Caused Data Breaches and Prevention Strategies
Around 95% of cybersecurity incidents are linked to human error, emphasizing the risk posed by well-meaning employees. The average global cost of a data breach in 2023 was approximately USD 4.45 million, underscoring the financial damage these incidents cause. Common user mistakes include unauthorized device use, misdelivery of sensitive emails, password reuse, exposing remote access interfaces, and misusing privileged accounts. Measures such as strong password policies, two-factor authentication, and continuous security education are crucial to mitigating these risks. Data loss prevention, enforced encryption of sensitive communications, and least-privilege policies are recommended to safeguard company data, along with regular audits and the revocation of unnecessary user permissions. Comprehensive, ongoing training can turn employees from potential security risks into valuable assets in preventing cyberattacks.
2024-07-22 13:51:10 theregister DATA BREACH Oracle Settles Privacy Lawsuit for $115 Million, Enhances Audits
Oracle has agreed to pay $115 million to settle a class action lawsuit accusing the company of improperly using user data. The settlement, reached after two years of litigation, includes a commitment by Oracle not to capture specific types of electronic communications and to conduct audits ensuring that its customers comply with privacy standards. Approximately 220 million individuals were represented in the class action, reflecting the scale of the alleged privacy violations. As part of a broader strategy shift, Oracle announced in June that it would exit its ad tech business, whose revenue had fallen to about $300 million from $2 billion in 2022. The plaintiff group began its investigation in 2020 with extensive analysis of public records, complaints from various entities, and Oracle's technical documentation. Forensic research by computer science experts and consultations with a privacy law scholar formed the basis of the lawsuit filed in 2022. The settlement provides financial compensation and marks a change in how Oracle handles consumer data and privacy.
2024-07-22 13:20:20 bleepingcomputer DDOS Spain Arrests Trio for DDoS Attacks via Hacktivist Platform DDoSia
Spanish police have arrested three individuals in Seville, Huelva, and Manacor for conducting DDoS attacks using DDoSia, a platform developed by the pro-Russian hacktivist group NoName057(16). DDoSia lets volunteers contribute their bandwidth to attacks against organizations in NATO-aligned countries, with payments offered to the top contributors. Equipment and documents were seized during the raids and may aid the ongoing investigation. Despite the arrests, the group continued to launch DDoS attacks, targeting EU organizations as recently as the following Monday. The DDoSia project has grown significantly since its inception in August 2022, with a 2,400% increase in participants and more than 13,000 users in its Telegram channel. Targets have included key government organizations in Poland, Switzerland, Lithuania, Ukraine, and Italy, causing significant service disruptions. Spanish authorities are working to identify and apprehend more individuals involved in the DDoSia attacks.