Daily Brief
Total articles found: 11813
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-05-03 17:09:00 | bleepingcomputer | MISCELLANEOUS | Google Reverts reCaptcha Update to Resolve Firefox Bug | Google recently withdrew a reCaptcha script update after it failed to function on Mozilla Firefox for Windows. The issue, uncovered by multiple user reports and confirmed via direct testing, manifested as an endlessly spinning circle within the reCaptcha module. The fault was traced to an incorrect dark mode detection routine that affected Firefox specifically, attempting to manipulate DOM elements before they were fully loaded. Users discovered a temporary fix by altering their browser’s user-agent to imitate that of Microsoft Edge or Google Chrome. Mozilla developers highlighted that the flaw originated from Google's script and not Firefox itself, and promptly informed Google. Following internal tests confirming a fix across various regions, Google decided to roll back to a previous version of the script, effectively resolving the problem. Despite some speculation, the error appears to have been unintentional and was quickly addressed by Google. |
| 2024-05-03 15:52:14 | bleepingcomputer | NATION STATE ACTIVITY | NATO, EU Condemn Russia's Cyber Espionage in Europe and Ukraine | NATO and the European Union, along with partners, condemned Russia’s cyber espionage led by APT28 targeting Germany, Czechia, and other countries. APT28 used a Microsoft Outlook zero-day exploit to compromise email accounts in the Social Democratic Party's Executive Committee in Germany. The cyber espionage included attacks on logistics, armaments, aerospace, and IT sectors, along with foundations and associations across multiple European nations and Ukraine. The Czech Ministry of Foreign Affairs announced that Czech institutions were also targeted in the 2023 Outlook campaign, highlighting repeated cyber attacks by Russian state actors. Condemnations of APT28’s actions were issued by the Council of the European Union and NATO, supported by the United Kingdom, citing threats to allied security. APT28, linked to Russia’s Military Unit 26165, has a history of significant cyberattacks, including the 2015 German Federal Parliament breach and interference in the 2016 U.S. Presidential Election. The EU sanctioned members of APT28 in October 2020 for their involvement in past significant cyber breaches. |
| 2024-05-03 15:21:29 | bleepingcomputer | MISCELLANEOUS | Microsoft Introduces Passkey Authentication for Enhanced Security | Microsoft has implemented passkey authentication for personal Microsoft accounts, enhancing user security by enabling password-less login options. Users can now utilize Windows Hello, FIDO2 security keys, biometrics, or device PINs for accessing services like Windows, Office 365, and Xbox Live. This development, announced on World Password Day, aims to combat phishing attacks and eventually phase out the use of passwords entirely. Passkeys work by pairing a private cryptographic key stored on the user's device with a public key held on Microsoft's server, so that identity can be verified securely and effortlessly. The introduction of passkeys eliminates common security risks associated with password use, such as interception, theft, and weak password practices. Passkeys are designed to be compatible across various devices and operating systems, reducing friction in the authentication process. Microsoft also ensures that passkeys are synchronized across a user’s devices for convenience, although this could pose potential security risks if an account is compromised. Users interested in leveraging this new feature can set up their passkey by following specific steps provided by Microsoft on their website. |
| 2024-05-03 14:04:50 | bleepingcomputer | MISCELLANEOUS | Why IAM Is Essential for Mid-Sized Business Security | Identity and Access Management (IAM) is crucial for medium-sized businesses to protect sensitive data and comply with regulations like HIPAA, SOX, and PCI DSS. IAM ensures only authorized users can access necessary resources, reducing risks of unauthorized access, data breaches, and insider threats. Implementing IAM can also streamline access management and reduce administrative overhead, potentially lowering data breach costs significantly. Medium-sized businesses often struggle with the implementation of large-scale IAM solutions designed for bigger corporations, facing challenges like understaffing and budget constraints. The market offers some no-code IAM solutions which provide out-of-the-box integrations and require no custom coding, easing the burden on IT staff. These no-code platforms can be deployed quickly, automating processes and ensuring efficient privilege management across both local and cloud-based systems. |
| 2024-05-03 12:58:30 | thehackernews | DDOS | Upcoming Webinar to Master Defenses Against DDoS Attacks | A new expert-led webinar will focus on tackling Distributed Denial of Service (DDoS) attacks. It features Andrey Slastenov, Head of Security at Gcore, who will share advanced defense tactics. The webinar aims to enhance understanding of contemporary DDoS threats and how they can impact businesses. It is intended for both newcomers and seasoned professionals in the field of cybersecurity. Participants will learn effective strategies to secure their online environments and improve resilience against attacks. It offers an opportunity for cybersecurity professionals to update their tactics and response plans. Registration is now open for those seeking to proactively safeguard their business’s digital infrastructure. |
| 2024-05-03 12:37:55 | thehackernews | NATION STATE ACTIVITY | Increasing Use of Microsoft Graph API in State-Sponsored Hacking | Threat actors are increasingly weaponizing the Microsoft Graph API to facilitate stealthy communications with their command-and-control (C&C) servers using Microsoft's cloud. The Symantec Threat Hunter Team has observed multiple state-aligned hacking groups like APT28 and OilRig adopting this method since January 2022. The abuse of the Microsoft Graph API allows attackers to evade detection, as traffic to well-known cloud services does not raise immediate suspicion. Instances of these techniques date back to June 2021 with the Harvester cluster using a custom implant called Graphon for communication via the API. Recently detected malware, BirdyClient, uses Microsoft’s OneDrive as a C&C server through the Graph API, illustrating an evolution in attack techniques. The exact distribution method and the objectives of the attackers using the Microsoft Graph API remain unclear, indicating ongoing and sophisticated threat activities. This tactic is cost-effective for attackers, as basic accounts for services like OneDrive are free, adding a layer of appeal to the misuse of legitimate infrastructure. |
| 2024-05-03 10:45:45 | thehackernews | MISCELLANEOUS | Guide Released on Managing Risks of Unauthorized SaaS Usage | SaaS applications are increasingly prevalent in businesses, pushing technological and operational boundaries. A new guide by LayerX, titled "Let There Be Light: Eliminating the Risk of Shadow SaaS," addresses the security risks associated with unauthorized SaaS app usage, commonly known as shadow SaaS. Approximately 65% of SaaS apps are unapproved by IT departments, and 80% of employees admit to using such apps, creating significant data exposure risks. The guide offers a three-pronged strategy for mitigating shadow SaaS risks including App Discovery, User Monitoring, and Active Enforcement. It evaluates different security controls like CASB, SASE, and Secure Browser Extensions, providing detailed comparisons on their effectiveness. Secure Browser Extensions are highlighted as particularly effective for controlling shadow SaaS by enhancing visibility and governance while maintaining user flexibility. This guide is positioned as essential reading for security leaders aiming to secure their corporate environments without hindering operational flexibility. |
| 2024-05-03 09:44:30 | thehackernews | NATION STATE ACTIVITY | North Korean Hackers Spoof Emails to Gather Intelligence | The U.S. NSA, FBI, and Department of State issued a cybersecurity alert concerning North Korean hackers impersonating trusted email sources. This group, identified as Kimsuky, exploits weak DMARC policies to send spoofed emails, making them seem legitimate. Kimsuky targets geopolitical experts to gather information on topics like nuclear disarmament and U.S.-South Korea relations. The hackers engage in prolonged, seemingly innocuous conversations to gain the trust of their targets before asking for sensitive information. Proofpoint's analysis shows that Kimsuky rarely uses malware but focuses on credential harvesting and social engineering. Many targeted entities have inadequate or unenforced DMARC policies, enabling these phishing attempts to bypass standard security checks. The U.S. government advises organizations to strengthen DMARC settings to quarantine or reject suspicious emails and to improve overall email security monitoring. |
| 2024-05-03 06:46:32 | thehackernews | MISCELLANEOUS | Over 400 Million Google Accounts Now Use Passkeys | Google announced that passkeys are being used by over 400 million accounts, providing authentication over 1 billion times in the past two years. Passkeys allow authentication via fingerprint, face scan, or a PIN, proving quicker and more secure than traditional passwords. Google has surpassed traditional two-factor authentication methods, with passkeys used more frequently than SMS and app-based OTPs combined. The Advanced Protection Program, safeguarding high-risk users, will now support passkeys alongside or instead of hardware security keys. Google has incorporated passkeys in Chrome and across all its platforms by default since December 2022. Major companies including Apple, Amazon, and Microsoft have also adopted the passkey standard. Concerns persist regarding the potential for passkeys to lock users into specific platforms, impacting user freedom and experience. |
| 2024-05-03 05:40:09 | theregister | CYBERCRIME | Europol's "Operation Pandora" Dismantles International Phone Scam Ring | A Europol-led initiative, Operation Pandora, successfully shut down 12 phone scam centers across Albania, Bosnia-Herzegovina, Kosovo, and Lebanon, and arrested 21 suspects involved in the operations. The criminal network made thousands of scam calls daily, including fake police alerts, investment fraud, and romance scams, potentially defrauding victims of over €10 million. The operation was triggered when a bank teller in Freiburg, Germany, became suspicious of a customer wanting to withdraw €100,000, uncovering that the customer was a victim of a fake police scam. German investigators traced over 28,000 scam calls linked to the criminal network in just 48 hours, leading to an extensive investigation and eventual raids. More than 1.3 million nefarious conversations were intercepted during the course of the operation, helping to prevent further victimization and loss of funds. The different call centers specialized in various types of scams, with geographical specialization such as debt-collection fraud in Bosnia-Herzegovina, banking fraud in Kosovo, investment scams in Albania, and prepaid card fraud in Lebanon. The crackdown involved coordinated raids across multiple countries on April 18, seizing significant amounts of documents, data carriers, cash, and other assets totaling approximately €1 million. |
| 2024-05-03 04:54:05 | thehackernews | MALWARE | Critical Flaws in HPE Aruba Enable Remote Code Execution | HPE Aruba has issued updates for severe vulnerabilities in ArubaOS, potentially enabling remote code execution. Four out of ten security flaws have been identified as critical, allowing arbitrary code execution by a remote attacker. Attack vectors include exploiting buffer overflow vulnerabilities by sending malicious packets to the PAPI UDP port. Affected products are Mobility Conductor, Mobility Controllers, and WLAN and SD-WAN Gateways under Aruba Central management. The vulnerable software versions include ArubaOS and SD-WAN releases that are no longer maintained. Security researcher Chancen reported seven of the issues, highlighting the critical nature of the four buffer overflow flaws. HPE Aruba recommends installing the latest patches and, as an interim solution, enabling Enhanced PAPI Security on ArubaOS 8.x with a non-default key. |
| 2024-05-03 04:38:35 | theregister | NATION STATE ACTIVITY | Indonesia's Covert Acquisition of Spyware Exposed by Amnesty | Amnesty International reports that Indonesia acquired spyware via a complex network involving Israel, Greece, Singapore, and Malaysia. The investigation used open-source intelligence to track spyware purchases by Indonesian authorities from 2017 to 2023. Key buyers included the Indonesian National Police and the National Cyber and Crypto Agency. Major suppliers identified were Q Cyber Technologies, the Intellexa consortium, Saito Tech, FinFisher, and Wintego Systems. Transactions frequently involved intermediary companies in Singapore that obscured the actual buyers and hindered supply chain transparency. Some spyware platforms were linked to malicious domains mimicking opposition and media websites, particularly in regions documenting human rights abuses. Amnesty criticized the lack of regulatory oversight in Indonesia, which fosters a permissive environment for spyware misuse and potential human rights violations. The report highlights the difficulty in tracing spyware use due to the secretive nature of the technologies, which potentially facilitates impunity for abuses. |
| 2024-05-03 02:36:13 | theregister | NATION STATE ACTIVITY | Study Reveals Significant Security Flaws in Chinese Government Websites | Chinese researchers uncovered critical security vulnerabilities across nearly 14,000 government websites in China, revealing significant cybersecurity concerns. The study highlights poor domain name configurations, outdated third-party libraries (like vulnerable jQuery versions), and inadequate server redundancy among key issues. Analysis shows over 25% of these government websites may suffer from ineffective DNS configurations, potentially leading to accessibility and reliability issues. The research identifies a dangerous reliance on a limited number of DNS service providers, posing risks of network failures or mass service outages if these providers face cyber attacks or technical problems. Despite the presence of DNSSEC signatures, issues persist with unsigned or improperly documented signatures, indicating potential inaccuracies in public WHOIS records and a lack of comprehensive domain coverage. The team used Zed Attack Proxy (ZAP) for analysis but noted that practical and immediate solutions to enhance security remain elusive, emphasizing the need for continuous monitoring and updates. The findings may conflict with the Chinese government's directive to upgrade cybersecurity measures across its digital services, as the country has been pushing for enhanced security protocols and improvements in government-operated digital platforms. |
| 2024-05-02 23:07:42 | theregister | MISCELLANEOUS | Microsoft and Google Advance Toward a Password-Free Future | Microsoft extends passkey technology to consumer accounts, allowing login via face, fingerprint, or PIN across various platforms. In celebration of World Password Day, Microsoft announces that passkeys now function across desktop and mobile browsers, with app support upcoming. Google confirms that its passkey system has authenticated over 1 billion logins across more than 400 million accounts. Passkeys, based on FIDO Alliance standards supported by Apple, Microsoft, and Google, use cryptographic key pairs for secure authentication. Passkeys eliminate the need for traditional passwords, aiming to simplify user access and enhance security against password attacks. Microsoft reports a dramatic spike in password attacks, highlighting the urgency for more robust security measures like passkey technology. Passkeys are described as phishing-resistant, offering unique authentication that prevents misuse on fraudulent sites. Microsoft and Google predict that passkeys will significantly reduce the complications associated with managing passwords. |
| 2024-05-02 22:06:19 | bleepingcomputer | CYBERCRIME | CEO Sentenced for Selling Counterfeit Cisco Gear to U.S. Military | Onur Aksoy, a Florida-based CEO, was sentenced to 6.5 years for trafficking counterfeit Cisco devices. Aksoy’s operation involved over $100 million in fake network equipment sold to entities including the U.S. military, government, and healthcare sectors. The counterfeit products were sourced from China and Hong Kong and appeared to be new, genuine Cisco products, but were in fact modified outdated models. U.S. Customs intercepted 180 shipments related to Aksoy’s companies between 2014 and 2022, which led to alterations in shipping strategies to avoid detection. Performance and functionality issues in these counterfeit devices caused significant disruptions in customer operations. Cisco had repeatedly contacted Aksoy from 2014 to 2019 to stop the illegal operations, receiving forged documents in response. A 2021 raid on Aksoy’s warehouse resulted in the seizure of over 1,156 counterfeit Cisco devices, leading to his eventual arrest and sentencing. Apart from prison, Aksoy is required to pay $100 million in restitution to Cisco and allow the destruction of seized counterfeit products. |