Daily Brief
Find articles below, see 'DETAILS' for generated summaries
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-04-30 16:42:05 | bleepingcomputer | MALWARE | New 'Wpeeper' Android Malware Utilizes Compromised WordPress Sites | A novel Android backdoor named Wpeeper has been detected in unofficial app stores, posing as the Uptodown App Store. Wpeeper uses hacked WordPress sites as relays for its command and control (C2) servers, concealing its actual network infrastructure. Discovered by QAX's XLab on April 18, 2024, with no prior detections on VirusTotal, the malware ceased activity on April 22, likely to avoid detection. Analysis revealed thousands of devices were infected, but the full extent of the infection remains uncertain. Wpeeper's communications are encrypted, and it can dynamically update its C2 server addresses to maintain operational security. The malware's capabilities include stealing user data through 13 different commands, though the end use of this data is not clearly stated. Recommendations include downloading apps only from Google Play and using Android's Play Protect to defend against malware like Wpeeper. | Details |
| 2024-04-30 14:14:02 | bleepingcomputer | RANSOMWARE | Change Healthcare Suffers $872 Million Loss from Ransomware Attack | UnitedHealth's Change Healthcare was breached by the BlackCat ransomware gang using stolen credentials without multi-factor authentication (MFA). The breach, occurring in late February 2024, severely disrupted critical healthcare services across the U.S., impacting payment processing, prescriptions, and insurance claims. The BlackCat gang initially received a $22 million ransom, which was subsequently stolen by an affiliate in an exit scam; this led to another extortion attempt via data leakage. After public disclosure through the CEO's testimony, it was revealed the attackers had network access for about ten days prior to deploying ransomware, stealing corporate and patient data. Remedial actions included extensive system and network overhauls, with the replacement of thousands of laptops and rebuilding of core services in a few weeks, a task usually spanning several months. Despite heavy operational impacts, the essential services are nearly restored to full capacity, with payment processing at about 86% of its pre-incident level. The decision to pay the ransom was described by CEO Andrew Witty as one of his hardest, underscoring the intense predicament ransomware victims face. | Details |
| 2024-04-30 13:48:21 | thehackernews | MALWARE | Millions of 'Imageless' Malicious Containers Found on Docker Hub | Cybersecurity researchers have identified multiple malicious campaigns on Docker Hub involving over four million "imageless" containers over a span of five years. These containers lack actual content, featuring only documentation which leads users to phishing or malware-infested websites. Approximately 3.2 million of these repositories serve as redirection mechanisms to deceptive sites as part of three distinct campaigns. One reported campaign involves a downloader which contacts a command-and-control server to fetch links to cracked software, disguising the server's malicious intent. The exact purpose of another website cluster identified in the campaigns remains unknown, although it spreads across platforms with weak content moderation. JFrog's security experts highlight the difficulty in protecting users from such threats at the initial stages, recommending heightened vigilance as the primary defense. The situation underscores the broader risk of supply chain attacks in the open-source ecosystem, urging developers to be cautious with downloads from these sources. | Details |
| 2024-04-30 12:31:50 | theregister | NATION STATE ACTIVITY | European Commission Probes Meta Over Election Misinformation | The European Commission has initiated formal proceedings against Meta for inadequately monitoring political misinformation spread by foreign entities ahead of the European elections. Concerns center on Meta's advertising network being a potential target for Russian online attackers, violating the Digital Services Act (DSA). Meta could face penalties up to $8.5 billion under the DSA for failure in policies surrounding deceptive advertising and political content management. A particular issue raised was the deprecation of CrowdTangle, a tool previously used by journalists and researchers to monitor elections in real time, without providing a sufficient replacement. The investigation involves multiple aspects of election integrity, including Meta's content recommender systems and mechanisms for users to flag illegal content as non-compliant with the DSA. Meta has five working days to respond to the EC's inquiries and demonstrate the corrective measures it has implemented regarding its election-monitoring tools and overall compliance with the DSA. Ursula von der Leyen emphasized the importance of robust rules to protect EU citizens from targeted disinformation and the need for strict compliance by major digital platforms during election periods. | Details |
| 2024-04-30 10:39:32 | thehackernews | NATION STATE ACTIVITY | U.S. Issues AI Security Guidelines for Critical Infrastructure | The U.S. Government has introduced new AI security guidelines to protect critical infrastructure against AI-driven threats. These guidelines are a result of a comprehensive assessment of AI risks across all sixteen critical infrastructure sectors. The measures involve enhancing transparency and implementing secure-by-design practices to assess and mitigate AI risks effectively. Owners and operators are urged to evaluate their sector-specific AI uses and coordinate mitigation strategies, especially identifying dependencies on AI vendors. The initiative aligns with recent cybersecurity insights from the Five Eyes intelligence alliance on the secure deployment of AI technologies. Concerns include adversarial manipulation of AI systems, prompt injection attacks, and the potential for AI to be used in nation-state espionage and influence operations. Recent incidents highlighted include vulnerabilities in AI models like the Keras 2 neural network library that could allow attackers to trojanize AI systems. Best practices recommended include robust validation of AI systems, stringent supply chain security, and strict access and configuration controls to prevent malicious exploitation. | Details |
| 2024-04-30 07:29:26 | theregister | DATA BREACH | Apple's Safari Privacy Concerns in EU with Third-party App Stores | Researchers discovered that Safari on iOS 17.4 exposes users to potential web tracking due to the way Apple implemented third-party app store installations under EU antitrust rules. Implemented with "catastrophic security and privacy flaws," Safari allows third-party app stores to receive a unique per-user identifier when users visit various websites, compromising their privacy. The MarketplaceKit process utilized in these installations does not adequately check origin or validate incoming requests, which could lead to further security vulnerabilities. Only a few approved marketplaces currently exist, but these could potentially exploit the flawed Safari implementation to track user behavior across sites. The researchers advise using alternative browsers like Brave, which checks website origins against URLs to prevent cross-site tracking. Apple's required modifications under the Digital Markets Act (DMA) have led to security oversights, making previously cited concerns over privacy and security ironically valid. The flaw stems from Apple's attempt to oversee and track the usage between third-party marketplaces and their users, ostensibly for calculating fees. | Details |
| 2024-04-30 06:02:44 | thehackernews | CYBERCRIME | U.K. Introduces Law Banning Default Passwords on Smart Devices | Starting April 29, 2024, a new U.K. law will ban default passwords on smart devices to enhance cybersecurity. The Product Security and Telecommunications Infrastructure (PSTI) Act requires device manufacturers to eliminate simple default passwords, provide a security contact, and inform consumers about the expected duration of security updates. Manufacturers failing to comply with the PSTI Act face severe penalties, including recalls and fines up to £10 million or 4% of their annual global revenues. This legislation is intended to prevent IoT devices from being exploited for DDoS attacks, addressing vulnerabilities like those exploited by the Mirai botnet. The U.K. is the first nation globally to legislate against default usernames and passwords in IoT products. Concurrently, a report highlights ongoing threats from Mirai-variant botnets, underscoring the persisting relevance of robust IoT security measures. Separately, major U.S. telecoms were fined $196 million by the FCC for unauthorized sharing of customer location data, illustrating broader issues of data privacy and security. | Details |
| 2024-04-29 23:25:52 | theregister | DATA BREACH | Major U.S. Telecoms Fined $200M for Selling Location Data | The FCC fined AT&T, Verizon, Sprint, and T-Mobile US nearly $200 million for illegally selling location data to third-party brokers. Fines are distributed as follows: AT&T $57 million, Verizon $47 million, Sprint $12 million, and T-Mobile $80 million. These penalties arise from a 2018 investigation initiated by U.S. Senator Ron Wyden, spotlighting the unauthorized sale of real-time customer location data. Carriers argue that data brokers and third parties responsible for obtaining proper customer consent should be blamed, not the telecom companies themselves. Each carrier is planning to appeal against the FCC's decision, citing various reasons including the support of life-critical services like emergency medical alerts which required location data. The FCC asserts that customer consent was not properly obtained and that carriers cannot shift their statutory privacy responsibilities to third parties. This issue underscores broader concerns about privacy and national security, emphasizing the ease of accessing personal data through brokers. Legislative efforts are underway to prevent government agencies from buying American citizens' data from brokers, aiming to protect privacy in the post-Dobbs era. | Details |
| 2024-04-29 22:24:45 | theregister | CYBERCRIME | Google Stops 2.3 Million Apps to Boost Play Store Security | Google blocked 2.28 million Android apps from the Play Store in 2023 for violating security rules. The initiative was part of enhanced security measures including machine learning and updated app review processes. New policies were implemented to tackle AI apps, notifications, and privacy, including a rule allowing users to delete account data without app reinstallation. The company also cracked down on 333,000 developer accounts and rejected an additional 200,000 apps for improper handling of sensitive permissions. This marked a significant increase in app rejections from 1.43 million in 2022, attributed to better security tools and changes in counting methodology as per the EU's Digital Services Act. Despite these measures, loopholes remain, exemplified by a screen recording app undetected by Google until external notification. Google's efforts reflect a growing commitment to safeguarding user privacy and enhancing app store security against malicious applications. | Details |
| 2024-04-29 20:27:19 | bleepingcomputer | NATION STATE ACTIVITY | Chinese State-Linked Hackers Manipulate Global DNS Records | The "Muddling Meerkat" activity linked to a Chinese state-sponsored group has been manipulating DNS since October 2019, with increased actions in September 2023. This group specifically alters Mail Exchange (MX) records through China's Great Firewall (GFW), a method not previously seen in the country's censorship techniques. The manipulation involves DNS query and response interference, where the GFW injects fake responses, potentially misdirecting communications. Infoblox identifies this sophisticated DNS manipulation, which could be easily mistaken for normal internet traffic, highlighting the advanced capabilities of Muddling Meerkat. The operations possibly aim to test network resilience or mask other malicious activities by creating DNS "noise." Targets are usually long-standing domain names registered before the year 2000, likely due to their absence on DNS blocklists. Infoblox has listed indicators of compromise (IoCs) and tactics, techniques, and procedures (TTPs) for Muddling Meerkat, advising on domains that can be safely blocked. | Details |
| 2024-04-29 18:24:42 | theregister | CYBERCRIME | London Drugs Shutters Pharmacies Due to Cybersecurity Incident | Canadian pharmacy chain London Drugs has temporarily closed all its locations across four provinces due to a cybersecurity incident identified on April 28, 2024. The incident prompted immediate network and data protection measures, including the engagement of third-party cybersecurity experts for containment and forensic analysis. The company, operating over 80 stores in British Columbia, Alberta, Saskatchewan, and Manitoba, has not disclosed specifics about the nature of the cyberattack, such as whether ransomware was involved. While there is currently no evidence suggesting that customer or employee data has been compromised, the investigation is ongoing. Pharmacists are available to assist with urgent needs despite store closures; customers must contact pharmacy departments directly. This cybersecurity incident at London Drugs resembles recent cyberattacks on healthcare and pharmaceutical providers globally, highlighting a trend of increasing focus on these sectors by cybercriminals. Comparatively, the recent cyberattack on TransForm, impacting several hospitals in Ontario, was confirmed as a ransomware attack by the Daixin Team, who also claimed responsibility for data theft. London Drugs has apologized for any disruptions caused and prioritized resolving the incident swiftly to resume normal operations. | Details |
| 2024-04-29 17:17:54 | thehackernews | MALWARE | Google Blocks Millions of Malicious Apps in 2023 Security Efforts | In 2023, Google prevented 2.28 million policy-violating apps from being published on the Play Store, a significant increase from 1.43 million in 2022. Google rejected or remediated nearly 200,000 app submissions due to improper access to sensitive user data like location and SMS messages. The company blocked 333,000 accounts for attempting to distribute malware or for repeated policy violations. Enhanced developer onboarding and review processes now require more extensive identity verification to better screen and manage the developer community. Google strengthened Android's privacy and security through partnerships with SDK providers, addressing issues in over 790,000 apps across more than 31 SDKs. The company removed approximately 1.5 million outdated apps from the Play Store to maintain a high security and functionality standard. These efforts are part of broader initiatives, including real-time malware scanning and the implementation of security badges for apps, to secure the Android ecosystem against fraud and malicious software. | Details |
| 2024-04-29 17:17:54 | bleepingcomputer | CYBERCRIME | London Drugs Shuts All Stores Following Major Cyberattack | Canadian pharmacy chain London Drugs closed all locations due to a cybersecurity incident detected on April 28, 2024. The cyberattack prompted the shutdown of stores across Western Canada, with no specified date for reopening. Immediate measures included hiring third-party cybersecurity experts to assist in containment, remediation, and a forensic investigation. Despite the cyberattack, there is currently no evidence that customer or employee data has been compromised. London Drugs has not yet notified authorities, citing the absence of compromised personal or health information. Customers with urgent needs are advised to contact their local pharmacy directly for assistance. London Drugs operates with over 9,000 employees across more than 80 stores in Alberta, Saskatchewan, Manitoba, and British Columbia. | Details |
| 2024-04-29 17:02:12 | bleepingcomputer | CYBERCRIME | FBI Highlights Rising Verification Scams on Dating Apps | The FBI has issued a warning about fraudulent verification schemes on dating apps which cause recurrent subscription charges. These schemes feature fraudsters pretending to provide safety measures by verifying users are not sexual predators, only to steal personal and financial data. Victims are tricked into providing their name, phone number, email address, and credit card details, thinking they are undergoing a legitimate safety process. Once the verification is completed, victims discover unauthorized monthly charges from obscure companies on their credit card statements. Personal information collected during the fake verification process is often used for identity theft or sold in cybercrime markets. Investigations reveal multiple domains involved in these scams, with payment processing often routed through companies in Cyprus. The FBI advises the public to be cautious, verify the authenticity of such verification links, and report suspicious activities to the IC3 website. These scams are not isolated but part of a larger trend of using fake security measures to exploit unsuspecting users on dating platforms. | Details |
| 2024-04-29 16:11:04 | bleepingcomputer | MALWARE | Google Enhances Security by Rejecting 2.28 Million Risky Apps in 2023 | Google blocked 2.28 million Android apps from the Play Store in 2023 due to policy violations and security threats. The company also suspended 333,000 Google Play accounts linked to malware distribution, fraudulent apps, or severe policy breaches. This marks an increase from 1.5 million apps blocked and 173,000 accounts suspended in the previous year. Google's enforcement is part of its commitment to the 'SAFE' principles: Safeguard Users, Advocate for Developer Protection, Foster Responsible Innovation, and Evolve Platform Defenses. The firm rejected or remedied 200,000 app submissions that requested risky permissions without legitimate reasons. Google collaborated with 31 SDK providers to reduce sensitive data collection and sharing through apps. 790,000 apps have been impacted by this initiative, potentially affecting tens of millions of users. Google warns Android users to download apps only from Google Play and to ensure active Play Protect and regular permission reviews on their devices. | Details |