Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11813
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-04-29 16:00:32 | bleepingcomputer | CYBERCRIME | Google Blocks Over 2.2 Million Apps to Protect Users | Google blocked 2.28 million policy-violating apps from being published on Google Play in 2023 on the grounds that they endangered user security and privacy.
The company also banned 333,000 developer accounts for confirmed malware or repeated severe policy violations such as fraud.
Enhanced review processes and security measures have been key to identifying and blocking harmful app submissions before they reach users.
Google additionally rejected or remediated around 200,000 app submissions that requested sensitive permissions, such as SMS access or background location, without justification.
Collaborations with 31 SDK providers aim to limit the collection and sharing of sensitive data, affecting more than 790,000 apps.
Separately, researchers recently found 17 free VPN apps on the store that bundled an SDK turning the device into a residential proxy for illicit traffic.
Despite these efforts, risks remain; users are advised to install apps only from Google Play, review the permissions an app requests, and watch for unexpected behaviour such as background network activity.
Google's SAFE principles guide these initiatives, focusing on user safety, developer support, innovation, and evolving defenses. | Details |
| 2024-04-29 14:28:32 | bleepingcomputer | DATA BREACH | FBCS Data Breach Affects Nearly Two Million Individuals | Financial Business and Consumer Solutions (FBCS) experienced a data breach affecting 1,955,385 people.
Unauthorized access to FBCS networks was detected on February 26, 2024, with the breach beginning on February 14, 2024.
The exposed data gives attackers material for phishing, identity fraud, and social engineering against the affected individuals.
FBCS is offering all impacted individuals 12 months of free credit monitoring through CyEx.
The company has implemented enhanced security measures within a newly constructed environment to prevent future breaches.
No ransomware groups have claimed responsibility for the incident as of the latest updates.
Victims are advised to stay vigilant, monitor their account statements, and check their credit reports for suspicious activities. | Details |
| 2024-04-29 14:02:52 | bleepingcomputer | CYBERCRIME | Rising Threats: Protecting Against Identity-Based Cyber Attacks | Identity-based attacks built on compromised credentials are now the leading initial-access vector for cybercrime; the article cites a 71% year-over-year increase in attacks that use valid credentials.
Attackers obtain and abuse credentials through broad phishing, spear-phishing, credential stuffing, password spraying, pass-the-hash, and man-in-the-middle (adversary-in-the-middle) attacks.
Password reuse is a primary enabler: the article reports 73% of individuals reusing passwords across personal and work accounts, so one breached site unlocks others.
Pass-the-hash, which the article says 95% of businesses have experienced, lets an attacker authenticate with a stolen NTLM password hash without ever cracking the password.
Organizations should enforce strong password policies, screen new passwords against breached-password lists, require multi-factor authentication (ideally phishing-resistant), and audit authentication regularly.
Service desks need protection against social engineering, since a convincing caller who gets a password or MFA device reset bypasses every control above.
The article, sponsored by Specops Software, positions its Password Policy and Secure Service Desk products as defenses against these attacks. | Details |
| 2024-04-29 13:52:29 | thehackernews | NATION STATE ACTIVITY | 'Muddling Meerkat' Chinese DNS Hijacking to Map Global Internet | Muddling Meerkat is a China-linked actor that has been manipulating DNS for large-scale reconnaissance since at least October 2019, according to Infoblox.
It is assessed to be a Chinese state actor, and the false records it elicits come from the Great Firewall, which Infoblox reads as an ability to control, or at least deliberately trigger, the Firewall's DNS injection.
It routes queries through open DNS resolvers, hiding its own infrastructure, and the queries are observed originating from Chinese IP space.
The queries ask for MX and other record types on short, long-established domains under many TLDs; such "super-aged" domains (more than 20 are implicated) appear on no blocklists, so the traffic blends into ordinary DNS noise.
The actor also queries random subdomains of target domains it does not own, a pattern that resembles Slow Drip DDoS traffic but at volumes far too low to disrupt anything.
Unlike ordinary Great Firewall behaviour, which injects fake A records, this activity produces false MX responses sourced from Chinese IP addresses.
The motive is unknown; Infoblox suggests it may be mapping the global DNS for reconnaissance or research. | Details |
| 2024-04-29 13:16:35 | thehackernews | CYBERCRIME | Critical Vulnerability Found in R Programming Language | A serious vulnerability, CVE-2024-27322, has been identified in the R programming language's data serialization mechanism.
The flaw allows arbitrary code execution when a maliciously crafted RDS (R Data Serialization) file is deserialized, for instance with readRDS(), which makes it a software supply chain concern.
Because R packages store their objects in this serialized form and deserialize them when the package is loaded, an attacker can plant the payload in a package and have it run on every machine that loads it.
The root cause is that the serialization format can carry a promise object, R's lazily evaluated expression: deserialization recreates the promise with its expression intact, and R evaluates that expression, which can be any code, the first time the object is touched.
The R core team fixed the issue in R 4.4.0, released on April 24, 2024.
Until every R installation is updated, RDS files and packages from untrusted sources should be treated like untrusted Python pickles: deserializing attacker-controlled data is code execution.
The discovery is another reminder that serialization formats in widely used languages are trust boundaries, not inert data. | Details |
| 2024-04-29 13:06:04 | theregister | NATION STATE ACTIVITY | France Moves to Secure Key Atos Assets Amid Financial Woes | The French government has proposed acquiring strategic assets from Atos, focusing on Advanced Computing, Mission-Critical Systems, and Cybersecurity Products, amid the firm's financial turmoil.
The assets, vital for national security and sovereign operations, are valued between €700 million and €1 billion.
France aims to ensure these assets do not fall into foreign hands, given Atos's roles in supercomputing for the military and AI initiatives.
The decision is a reaction to increased financial instability at Atos, which now estimates a funding need of €1.1 billion for 2024-25, almost double the previous forecast.
Potential stakeholders and participants mentioned include Dassault Aviation and Thales, with Airbus having initially shown interest but later withdrawing.
The non-binding letter of intent allows for an exchange of information until July 31 as part of Atos's broader financial restructuring efforts.
The strategic intervention underscores the importance of maintaining control over technologies critical to national security and energy independence in France. | Details |
| 2024-04-29 12:18:34 | theregister | MISCELLANEOUS | Addressing Digital Security Gaps with SSH's Zero Trust Suite | Traditional security measures struggle to protect the expanding digital estates of modern businesses, leading to frequent breaches.
The article attributes recent incidents, naming Okta and MOVEit, to continued reliance on static passwords and standing privileged access (a caveat: the 2023 MOVEit Transfer compromise was a SQL injection zero-day, CVE-2023-34362, not a credential failure).
SSH Communications Security introduces the PrivX Zero Trust Suite, integrating multiple security functions to manage complex digital environments effectively.
The suite shifts from static passwords to just-in-time certificates and adds strong multifactor authentication to enhance control over privileged accounts.
For industrial environments, the system supports access via common OT protocols, enhancing security without disrupting existing operations.
The Universal SSH Key Manager within the suite helps manage and secure SSH keys, with capabilities for future transition to post-quantum cryptography.
SSH Secure Collaboration tools safeguard communications in regulated industries by enforcing encryption and maintaining clear audit trails.
The comprehensive approach of SSH's Zero Trust Suite aims to replace numerous disjointed tools with a unified, scalable, and secure platform. | Details |
| 2024-04-29 12:18:34 | theregister | DATA BREACH | UK Regulators Highlight Privacy Concerns in Google's Privacy Sandbox | The UK's Competition and Markets Authority (CMA) expresses ongoing concerns regarding Google's Privacy Sandbox, a technology intended to replace web cookies for ad targeting.
Despite Google's intentions, the Privacy Sandbox faces criticism for not adequately addressing privacy and competition issues, and Google has pushed the deprecation of third-party cookies in Chrome back to 2025.
Privacy concerns center around the Topics API, which categorizes user interests for targeted ads based on browser activity without sufficiently informing users of data usage.
Additional worries include potential misuse of Topics data for non-advertising purposes, which could contravene data protection laws.
Google has received feedback from regulators, including a draft assessment from the UK Information Commissioner's Office (ICO), indicating that the technology fails to meet privacy standards.
The ICO's evaluation and public comments reflect a growing list of nearly 80 unaddressed issues with Google's Privacy Sandbox, highlighting the complexity and potential risks of the new ad technology.
Competitors and regulatory bodies are wary of Google's new ad mechanisms, fearing increased gatekeeping powers and a lack of transparency in data handling.
Google continues to collaborate with global privacy and competition regulators to refine and improve the Privacy Sandbox amidst increasing scrutiny and regulatory pressure. | Details |
| 2024-04-29 12:18:34 | theregister | CYBERCRIME | UK Enacts Stringent Cybersecurity Laws for Smart Devices | The UK's consumer connectable product regime under the Product Security and Telecommunications Infrastructure Act 2022 (PSTI Act) came into force on 29 April 2024, adding legal requirements for the cybersecurity of smart devices.
Manufacturers may no longer ship devices with universal default passwords or passwords that are easily guessable, with fines of up to £10 million or 4% of global revenue, whichever is higher, for non-compliance.
The legislation mandates that vendors provide a contact point for security issues and disclose the minimum duration for security updates on devices.
The PSTI Act is applicable to a wide range of consumer smart devices including smartphones, home appliances, and wearables.
The National Cyber Security Centre (NCSC) issued guidelines to assist consumers in strengthening device security, recommending the use of passwords composed of three random words.
Critics argue that the regime mandates only three of the 13 provisions of ETSI's consumer IoT standard EN 303 645, which is not enough for robust security.
There is concern among experts about the government's commitment to enforcing these rules, despite the potential for severe financial penalties for violations.
Overall, the new laws are seen as a positive initial step towards securing smart devices, but some believe stronger measures are necessary. | Details |
| 2024-04-29 12:18:33 | thehackernews | MALWARE | Critical Flaws in Judge0 Allow Complete System Takeover | Tanto Security disclosed three critical vulnerabilities in Judge0, an open source online code-execution system used by learning platforms and coding competitions.
Two of them (CVE-2024-28185 and its patch bypass CVE-2024-28189) let a submitted job escape the sandbox and gain root on the host.
Both stem from a Ruby script that copies and chowns files in the job's sandbox directory without checking for symbolic links, so a job can point a filename at any file outside the sandbox.
By overwriting scripts that the service later runs with elevated privileges, an attacker breaks out of the Docker container and escalates to root.
A successful compromise yields complete control over the Judge0 instance, its database, and any application that relies on it for code execution.
The third flaw, CVE-2024-29021, is an SSRF in the default configuration that reaches the backing PostgreSQL database, where altering Judge0's stored configuration leads to command injection.
All three were patched in Judge0 version 1.13.1, released on April 18, 2024, following coordinated disclosure.
Operators should update immediately and, as defense in depth, run job sandboxes as an unprivileged user and never follow symlinks when handling files that a job controls. | Details |
| 2024-04-29 12:18:33 | thehackernews | MISCELLANEOUS | Comprehensive Guide to Enhancing Cybersecurity Through Exposure Management | Exposure Management is a holistic strategy for identifying, assessing, and mitigating security vulnerabilities across an organization's entire digital presence, extending beyond mere software flaws to include misconfigurations and credential issues.
This approach sees organizations continuously and proactively improving their cybersecurity posture by considering how attackers might exploit each identified vulnerability.
Exposure Management is aligned with Gartner’s Continuous Threat Exposure Management (CTEM), providing a structured framework for actionable security improvements.
Traditional pentesting and red teaming can be integrated with Exposure Management to create a robust defense by simulating attacks and identifying pre-emptive corrections.
Unlike traditional vulnerability assessments, Exposure Management offers a broader perspective by including all possible security weaknesses, whereas Risk-Based Vulnerability Management (RBVM) prioritizes vulnerabilities based on explicit risk factors.
The collaboration of Exposure Management with Red Teaming, Penetration Testing, Breach and Attack Simulation (BAS), and RBVM enables a comprehensive understanding and prioritization of cybersecurity efforts.
Implementing Exposure Management allows organizations to allocate resources efficiently and optimize their response to the most critical and likely security threats. | Details |
| 2024-04-28 15:32:21 | bleepingcomputer | CYBERCRIME | Surge in Phishing Sites Rivaling Genuine USPS Traffic | Security investigations reveal phishing sites impersonating the U.S. Postal Service (USPS) generate traffic levels comparable to the legitimate USPS website, particularly peaking during the holiday season.
Akamai's investigation began with a smishing text a researcher received in October 2023, whose landing page served malicious JavaScript; pivoting from that site, Akamai's DNS telemetry showed substantial query volume to "combosquatting" domains, lookalikes that combine the USPS brand string with extra words (a delivery-related keyword, for example) to mimic the real site.
Analysis highlighted that the most engaged malicious domains, primarily during the October 2023 to February 2024 period, amassed nearly half a million queries, with two sites exceeding 150,000 each.
Phishing tactics involved creating highly convincing replicas of the official USPS website, complete with accurate parcel tracking capabilities, encouraging users to input sensitive data.
One specific scam included a fake postage item shop that gained traffic around November, exploiting consumer activity during the holiday gift-buying season.
The total query count for all identified malicious USPS-themed websites reached over 1.128 million, only slightly less than the queries to the authentic USPS site during the same timeframe.
Consumers are advised to verify package shipment communications directly through the official USPS website, avoiding links in unsolicited emails or SMS. | Details |
| 2024-04-28 14:20:57 | bleepingcomputer | MISCELLANEOUS | Google Chrome's Quantum Upgrade Causes TLS Connection Issues | Google Chrome 124 enables X25519Kyber768, a hybrid post-quantum key agreement (classical X25519 combined with Kyber768) for TLS 1.3, by default, and the change is breaking connections through some servers, firewalls and other middleboxes.
Users and administrators report dropped connections after the update: the Kyber768 key share adds well over 1 KB to the ClientHello, which therefore no longer fits in a single TCP packet, and devices that assume a ClientHello always arrives in one packet fail on the split handshake instead of ignoring the unknown group.
Affected products reportedly include appliances and services from Fortinet, SonicWall, Palo Alto Networks, and AWS, among others.
The hybrid key agreement protects session keys against "store now, decrypt later" attacks, in which traffic captured today is decrypted once a sufficiently capable quantum computer exists; pairing Kyber with X25519 preserves classical security even if Kyber itself turns out to be flawed.
Apple (iMessage PQ3) and Signal (PQXDH) have likewise begun deploying post-quantum key agreement.
As a temporary workaround, administrators can turn Kyber off with the chrome://flags/#enable-tls13-kyber flag or the PostQuantumKeyAgreementEnabled enterprise policy, or wait for fixes from the affected vendors; the real fix belongs on the server or middlebox side, since a TLS implementation must tolerate a ClientHello that spans several packets.
Google says post-quantum key agreement is here to stay and that the option to disable it in Chrome will eventually be removed. | Details |
| 2024-04-28 14:00:19 | thehackernews | CYBERCRIME | Okta Reports Sharp Increase in Proxy-Based Credential Attacks | Okta has observed a significant rise in credential stuffing attacks, leveraging residential proxy services, stolen credential lists, and scripting tools.
The attempts are routed through anonymizing services such as Tor and a range of residential proxy providers, which makes source-based detection and blocking much harder.
Cisco’s Talos intelligence also highlighted a global increase in brute-force attacks since March 18, 2024, targeting VPNs, web interfaces, and SSH services.
Credential stuffing involves using stolen credentials from one breach to access accounts on other platforms, often utilizing information from phishing or malware.
Okta's Identity Threat Research team noticed this uptick particularly between April 19 and April 26, 2024, using similar anonymizing infrastructures as noted by Talos.
Residential proxy networks route traffic through ordinary consumer devices, many enrolled without their owners' knowledge, so each attempt arrives from a clean-looking home IP and per-IP rate limits and reputation blocks rarely trigger.
Okta advises organizations to enforce strong passwords and multi-factor authentication, deny requests from anonymizing proxies and other high-risk networks, and move users to passkeys, which a leaked credential list cannot replay.
Recent discoveries include malicious Android VPN apps that convert devices into proxies without owners' knowledge, intensifying the credential stuffing threat landscape. | Details |
| 2024-04-27 17:11:39 | bleepingcomputer | MISCELLANEOUS | Japanese Police Use Fake Cards to Alert Scam Victims | Japanese police introduced decoy payment cards in convenience stores to alert elderly individuals about tech support scams.
The cards, labeled as “Virus Trojan Horse Removal Payment Card” and “Unpaid Bill Late Fee Payment Card,” are part of an initiative by the Echizen Police in Fukui prefecture.
This measure is in response to $7.5 million lost in various online frauds last year in Fukui, including $700,000 from investment scams in January alone.
The initiative involves local store employees who inform customers attempting to buy these cards that they are being scammed.
The police reward store employees aiding in this preventive measure, which also helps identify victims and investigate the scams.
The program has successfully prevented scams for at least two elderly men deceived into paying for fake malware removal.
The conspicuous labels on the cards make them easily identifiable to victims who believe they are purchasing a legitimate solution to their supposed problem. | Details |
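For the R serialization item above (CVE-2024-27322, 2024-04-29 13:16:35): the following is an added example written by the editor, not code from R, the researchers, or the article. It builds a minimal RDS stream whose top-level object is a promise for `print(...)`, the mechanism the summary describes, and then scans RDS bytes for promise objects so an untrusted .rds file can be checked before `readRDS()` touches it. The format constants and wire layout are taken from R's serialize.c as the editor reads them and should be verified against your R version; the scanner handles a small SEXP subset and refuses anything else rather than guess.

```python
"""Editor's constructed example, not R's code: build a minimal RDS stream (XDR, format
version 2) whose top-level object is a promise, and scan RDS bytes for promise objects
before readRDS()/unserialize() sees them. Layout follows R's serialize.c as the editor
reads it; the SEXP subset handled is small and anything else raises."""
import gzip
import io
import struct

SYMSXP, LISTSXP, CLOSXP, PROMSXP, LANGSXP, CHARSXP = 1, 2, 3, 5, 6, 9
LGLSXP, INTSXP, REALSXP, STRSXP, DOTSXP, VECSXP = 10, 13, 14, 16, 17, 19
REFSXP, NILVALUE_SXP, GLOBALENV_SXP, UNBOUNDVALUE_SXP = 255, 254, 253, 252
SINGLETONS = {GLOBALENV_SXP, UNBOUNDVALUE_SXP, 251, 250, 242, 241}  # envs, missing arg
HAS_ATTR, HAS_TAG = 1 << 9, 1 << 10
ASCII_LEVELS = 64 << 12  # gp bits R sets on an ASCII CHARSXP
VEC_FMT = {LGLSXP: ("i", 4), INTSXP: ("i", 4), REALSXP: ("d", 8)}

def _i(v):
    return struct.pack(">i", v)
def _charsxp(s):
    b = s.encode("ascii")
    return _i(CHARSXP | ASCII_LEVELS) + _i(len(b)) + b
def _string(s):
    return _i(STRSXP) + _i(1) + _charsxp(s)
def _call(fn, arg):  # LANGSXP: CAR = function symbol, CDR = LISTSXP of args ending in NIL
    return _i(LANGSXP) + _i(SYMSXP) + _charsxp(fn) + _i(LISTSXP) + arg + _i(NILVALUE_SXP)

def _promise(code):
    # Pairlist node on the wire: [ATTRIB] [TAG=env] CAR=value CDR=expression. The value is
    # left unbound, so R evaluates `code` the first time the deserialized object is used.
    return _i(PROMSXP | HAS_TAG) + _i(GLOBALENV_SXP) + _i(UNBOUNDVALUE_SXP) + code

HEADER = b"X\n" + _i(2) + _i(0x040300) + _i(0x020300)  # format 2, writer 4.3.0, needs >= 2.3.0

def build_rds(with_promise=True, compressed=False):
    # Constructed sample: an RDS carrying a promise for print(...), or a plain string.
    payload = _promise(_call("print", _string("promise forced on first use")))
    body = HEADER + (payload if with_promise else _string("just a string"))
    return gzip.compress(body) if compressed else body  # saveRDS() output is gzip'd by default

def _int(r):
    return struct.unpack(">i", r.read(4))[0]

def _item(r, refs, promises):
    flags = _int(r)
    t = flags & 0xFF
    if t == NILVALUE_SXP:
        return None
    if t in SINGLETONS:
        return ("special", t)
    if t == REFSXP:  # 1-based back-reference to a symbol/environment read earlier
        return refs[((flags >> 8) or _int(r)) - 1]
    if t == CHARSXP:
        n = _int(r)
        return None if n == -1 else r.read(n).decode("utf-8", "replace")
    if t == SYMSXP:
        refs.append(("sym", _item(r, refs, promises)))
        return refs[-1]
    if t in (LISTSXP, LANGSXP, CLOSXP, PROMSXP, DOTSXP):
        if flags & HAS_ATTR:
            _item(r, refs, promises)
        tag = _item(r, refs, promises) if flags & HAS_TAG else None
        car = _item(r, refs, promises)
        cdr = _item(r, refs, promises)
        if t == PROMSXP:
            promises.append(cdr)  # a promise's CDR is its unevaluated expression
        return (t, tag, car, cdr)
    if t in (STRSXP, VECSXP):
        v = [_item(r, refs, promises) for _ in range(_int(r))]
    elif t in VEC_FMT:
        (fmt, size), n = VEC_FMT[t], _int(r)
        v = list(struct.unpack(">%d%s" % (n, fmt), r.read(size * n)))
    else:
        raise ValueError(f"SEXP type {t} not handled; do not treat this file as clean")
    if flags & HAS_ATTR:  # vectors carry their attributes after the payload
        _item(r, refs, promises)
    return v

def deparse(node):
    if isinstance(node, tuple) and node[0] == "sym":
        return node[1]
    if isinstance(node, tuple) and node[0] == LANGSXP:  # f(arg, ...)
        args, cur = [], node[3]
        while cur is not None:
            args.append(deparse(cur[2]))
            cur = cur[3]
        return f"{deparse(node[2])}({', '.join(args)})"
    if isinstance(node, list):
        return ", ".join(f'"{x}"' if isinstance(x, str) else str(x) for x in node)
    return "NULL" if node is None else f"<{node}>"

def find_promises(data):
    # Deparsed expression of every promise in an RDS blob (gzip-compressed or plain XDR).
    if data[:2] == b"\x1f\x8b":
        data = gzip.decompress(data)
    if data[:2] != b"X\n":
        raise ValueError("only the XDR ('X\\n') serialization format is handled")
    r = io.BytesIO(data[2:])
    version, _writer, _minimum = _int(r), _int(r), _int(r)
    if version == 3:
        r.read(_int(r))  # native encoding name
    refs, promises = [], []
    _item(r, refs, promises)
    return [deparse(p) for p in promises]
```

Under an R release before 4.4.0, `x <- readRDS(path); x` would force the promise (here a harmless `print`) the first time `x` is evaluated; the scanner lets you flag such a file before that happens, and package .rdb files use the same node layout. A clean report only means no promise was found among the handled types; the actual fix is still to upgrade R and to never deserialize data you do not trust.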
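For the Judge0 item above (2024-04-29 12:18:33): an added example in the editor's own Python, not Judge0's Ruby, showing the class of mistake the summary describes and the check that prevents it. A file named by a sandboxed job is opened with no regard for symlinks, so the job can point the name at any file the service can read (or, in the write case, overwrite). `demo()` constructs a throwaway sandbox with a planted symlink and returns what each reader does; the file names and layout are assumptions for the demonstration.

```python
"""Editor's constructed example, not Judge0's code: reading a file out of a per-job
sandbox directory. The naive reader follows a symlink planted by the job; the hardened
one rejects symlinks, traversal and non-regular files. Paths are created in a temp dir."""
import errno
import os
import stat
import tempfile

def read_output_naive(sandbox, name):
    # Joins the name under the sandbox and trusts the result. open() follows symlinks, so
    # a job that plants output.txt -> /some/host/file reads it with the service's privileges.
    with open(os.path.join(sandbox, name), "rb") as f:
        return f.read()

def read_output_safe(sandbox, name):
    root = os.path.realpath(sandbox)
    path = os.path.join(root, name)
    # 1. The resolved path must stay inside the sandbox (catches ../ and symlinked parents).
    if os.path.commonpath([root, os.path.realpath(path)]) != root:
        raise PermissionError(f"{name!r} resolves outside the sandbox")
    # 2. O_NOFOLLOW makes the kernel refuse a symlink as the final component at open time,
    #    so a link swapped in after step 1 still fails (ELOOP) instead of being followed.
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    except OSError as e:
        if e.errno == errno.ELOOP:
            raise PermissionError(f"{name!r} is a symlink") from e
        raise
    with os.fdopen(fd, "rb") as f:
        # 3. Regular files only: no FIFOs or device nodes planted to stall or hijack the reader.
        if not stat.S_ISREG(os.fstat(f.fileno()).st_mode):
            raise PermissionError(f"{name!r} is not a regular file")
        return f.read()

def demo():
    """Constructed scenario: a job's sandbox holds a symlink to a file outside it."""
    with tempfile.TemporaryDirectory() as top:
        secret = os.path.join(top, "host-secret.txt")
        with open(secret, "w") as f:
            f.write("SECRET")
        sandbox = os.path.join(top, "box")
        os.mkdir(sandbox)
        with open(os.path.join(sandbox, "stdout.txt"), "w") as f:
            f.write("ok")
        os.symlink(secret, os.path.join(sandbox, "output.txt"))      # planted by the job
        os.symlink("stdout.txt", os.path.join(sandbox, "alias.txt"))  # in-sandbox link: still refused
        result = {"naive": read_output_naive(sandbox, "output.txt"),
                  "legit": read_output_safe(sandbox, "stdout.txt")}
        for name in ("output.txt", "alias.txt", "../host-secret.txt"):
            try:
                read_output_safe(sandbox, name)
                result[name] = "allowed"
            except PermissionError:
                result[name] = "blocked"
        return result
```

The same rules apply to writes and ownership changes, which is where Judge0 was hit: open with O_NOFOLLOW and O_CREAT|O_EXCL, then use fchown/fchmod on the descriptor rather than chown on a path the job controls. On Linux, openat2 with RESOLVE_BENEATH or RESOLVE_NO_SYMLINKS is the stronger primitive; Python's os module does not wrap it, so this version relies on realpath containment plus O_NOFOLLOW on the final component, which still leaves intermediate directories to be trusted.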
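For the Muddling Meerkat item (2024-04-29 13:52:29) and the USPS combosquatting item (2024-04-28 15:32:21) above: one added example, the editor's own code rather than Infoblox's or Akamai's, with two detections over the same constructed DNS query log. `random_subdomain_floods()` groups queries by registrable domain and flags many unique high-entropy labels that mostly return NXDOMAIN, the random-subdomain pattern described for Muddling Meerkat; `combosquats()` scores lookalike domains that embed a brand token at a label boundary, the USPS pattern, and compares their query volume to the genuine site's. The log format, the tiny public-suffix stand-in and the thresholds are all assumptions.

```python
"""Editor's constructed example (not Akamai's or Infoblox's code): two triage passes over
a DNS query log. random_subdomain_floods() looks for the pattern described for Muddling
Meerkat (many unique random-looking labels under one base domain, mostly NXDOMAIN, many
MX queries); combosquats() looks for USPS-style lookalike domains that wrap a brand token.
The log lines, field layout and thresholds are all the editor's assumptions."""
import math
import re
from collections import Counter, defaultdict

# constructed sample: <timestamp> <client> <qname> <qtype> <rcode>
LOG = """\
2024-02-01T10:00:00Z 192.0.2.10 www.example.com A NOERROR
2024-02-01T10:00:01Z 192.0.2.11 mail.example.com MX NOERROR
2024-02-01T10:00:02Z 192.0.2.12 tools.usps.com A NOERROR
2024-02-01T10:00:03Z 192.0.2.12 usps.com A NOERROR
2024-02-01T10:00:04Z 192.0.2.13 usps-tracking-help.com A NOERROR
2024-02-01T10:00:05Z 192.0.2.13 usps-tracking-help.com A NOERROR
2024-02-01T10:00:06Z 192.0.2.14 uspspackage-redelivery.net A NOERROR
2024-02-01T10:00:07Z 192.0.2.15 campuspsych.com A NOERROR
2024-02-01T10:00:08Z 198.51.100.7 q7xk2mz9wb.oldname.net MX NXDOMAIN
2024-02-01T10:00:09Z 198.51.100.8 hd4vq8zx1n.oldname.net MX NXDOMAIN
2024-02-01T10:00:10Z 198.51.100.9 zp3rk9wm6t.oldname.net MX NXDOMAIN
2024-02-01T10:00:11Z 198.51.100.7 b2jnx7yg5c.oldname.net MX NXDOMAIN
2024-02-01T10:00:12Z 198.51.100.8 m9ldk3w2vs.oldname.net MX NXDOMAIN
2024-02-01T10:00:13Z 198.51.100.9 t6fcj4qv8e.oldname.net A NXDOMAIN
"""
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
MULTI_PART_SUFFIXES = {"co.uk", "com.au", "co.jp"}  # stand-in for the public suffix list

def parse(log):
    return [dict(zip(("ts", "client", "qname", "qtype", "rcode"), m.groups()))
            for m in map(LINE.match, log.splitlines()) if m]

def registrable(qname):
    """Split 'a.b.example.co.uk' into ('example.co.uk', ['a', 'b'])."""
    labels = qname.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_PART_SUFFIXES else 2
    return ".".join(labels[-n:]), labels[:-n]

def entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def random_subdomain_floods(records, min_labels=5, min_entropy=2.5, min_nx=0.8):
    per = defaultdict(lambda: {"labels": set(), "clients": set(), "n": 0, "nx": 0, "mx": 0})
    for rec in records:
        base, sub = registrable(rec["qname"])
        if not sub:
            continue
        s = per[base]
        s["labels"].add(sub[0])
        s["clients"].add(rec["client"])
        s["n"] += 1
        s["nx"] += rec["rcode"] == "NXDOMAIN"
        s["mx"] += rec["qtype"] == "MX"
    hits = {}
    for base, s in per.items():
        ent = sum(map(entropy, s["labels"])) / len(s["labels"])
        if len(s["labels"]) >= min_labels and ent >= min_entropy and s["nx"] / s["n"] >= min_nx:
            hits[base] = {"unique_labels": len(s["labels"]), "mean_entropy": round(ent, 2),
                          "nxdomain_ratio": round(s["nx"] / s["n"], 2),
                          "mx_share": round(s["mx"] / s["n"], 2), "sources": len(s["clients"])}
    return hits

def combosquats(records, brand, legit):
    # The brand token must start or end the label or sit next to a hyphen/digit, so
    # "uspspackage-..." and "usps-tracking-..." match but "campuspsych" does not.
    pat = re.compile(rf"(?:^|[-\d]){re.escape(brand)}|{re.escape(brand)}(?:[-\d]|$)")
    legit_queries, hits = 0, Counter()
    for rec in records:
        base, _ = registrable(rec["qname"])
        if base in legit:
            legit_queries += 1
        elif pat.search(base.split(".")[0]):
            hits[base] += 1
    ratio = round(sum(hits.values()) / legit_queries, 2) if legit_queries else None
    return {"legit_queries": legit_queries, "suspect": dict(hits.most_common()),
            "suspect_to_legit_ratio": ratio}
```

Entropy alone is a weak signal (a dictionary label like `tracking` scores as high as a random string), which is why the flood rule also requires a label count and an NXDOMAIN ratio; tune all three on your own resolver logs. For brand matching at scale, replace the suffix set with the real public suffix list and extend the token rule with the homoglyph and typo variants you care about.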
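For the identity-attack item (2024-04-29 14:02:52) and the Okta credential-stuffing item (2024-04-28 14:00:19) above: one added example, the editor's own code rather than Okta's or Specops', run over constructed authentication log lines. It implements the two detections those summaries imply: a per-source rule for a single IP working through many accounts (stuffing and spraying look alike in a log that does not record the password), and a distributed rule for the residential-proxy case, where each source IP appears once or twice and the only tell is a burst of failures across many accounts from many never-seen sources, with any success inside that burst listed for review. The log format and thresholds are assumptions.

```python
"""Editor's constructed example (not Okta's or Specops' code): find credential-stuffing
and password-spraying activity in authentication logs, including the residential-proxy
case where every source IP makes only one or two attempts and per-IP rate limits never
fire. Log lines, field layout and thresholds are the editor's assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timezone

LOG = """\
2024-04-20T10:00:01Z user=alice src=10.0.0.5 result=OK
2024-04-20T10:00:05Z user=bob src=10.0.0.6 result=OK
2024-04-20T10:01:00Z user=alice src=203.0.113.7 result=FAIL
2024-04-20T10:01:01Z user=bob src=203.0.113.7 result=FAIL
2024-04-20T10:01:02Z user=carol src=203.0.113.7 result=FAIL
2024-04-20T10:01:03Z user=dave src=203.0.113.7 result=FAIL
2024-04-20T10:01:04Z user=erin src=203.0.113.7 result=FAIL
2024-04-20T10:01:05Z user=frank src=203.0.113.7 result=FAIL
2024-04-20T10:05:00Z user=gina src=198.51.100.21 result=FAIL
2024-04-20T10:05:07Z user=hank src=198.51.100.34 result=FAIL
2024-04-20T10:05:13Z user=ivy src=198.51.100.58 result=FAIL
2024-04-20T10:05:20Z user=jack src=198.51.100.77 result=FAIL
2024-04-20T10:05:26Z user=kim src=198.51.100.90 result=FAIL
2024-04-20T10:05:33Z user=leo src=198.51.100.102 result=OK
2024-04-20T10:05:40Z user=mia src=198.51.100.119 result=FAIL
2024-04-20T10:05:47Z user=ned src=198.51.100.140 result=FAIL
2024-04-20T10:30:00Z user=carol src=10.0.0.7 result=FAIL
2024-04-20T10:30:10Z user=carol src=10.0.0.7 result=OK
"""
LINE = re.compile(r"^(\S+) user=(\S+) src=(\S+) result=(OK|FAIL)$")
WINDOW = 300  # seconds

def parse(log):
    events = []
    for m in filter(None, map(LINE.match, log.splitlines())):
        ts = datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"t": ts.timestamp(), "user": m[2], "src": m[3], "ok": m[4] == "OK"})
    return sorted(events, key=lambda e: e["t"])

def single_source_attacks(events, window=WINDOW, min_users=5, min_fail_ratio=0.8):
    """One IP trying many accounts with mostly failures: classic stuffing or spraying."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = []
    for src, es in by_src.items():
        for i, first in enumerate(es):
            win = [e for e in es[i:] if e["t"] - first["t"] <= window]
            users = {e["user"] for e in win}
            fails = sum(not e["ok"] for e in win)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                alerts.append({"type": "single_source", "src": src, "users": len(users),
                               "attempts": len(win)})
                break
    return alerts

def distributed_attacks(events, window=WINDOW, min_fails=6, min_users=5, max_per_src=2.0):
    """Many failures across many accounts where each source appears only once or twice:
    the residential-proxy signature. Successes in the same window from sources never seen
    before are the likely takeovers and are listed for review."""
    fails = [e for e in events if not e["ok"]]
    alerts, i = [], 0
    while i < len(fails):
        start = fails[i]["t"]
        win = [e for e in fails[i:] if e["t"] - start <= window]
        srcs = {e["src"] for e in win}
        users = {e["user"] for e in win}
        if len(win) >= min_fails and len(users) >= min_users and len(win) / len(srcs) <= max_per_src:
            known = {e["src"] for e in events if e["t"] < start}
            review = sorted((e["user"], e["src"]) for e in events
                            if e["ok"] and start <= e["t"] <= start + window and e["src"] not in known)
            alerts.append({"type": "distributed", "fails": len(win), "sources": len(srcs),
                           "users": len(users), "review_logins": review})
            i += len(win)  # move past this cluster
        else:
            i += 1
    return alerts

def analyze(log):
    events = parse(log)
    single = single_source_attacks(events)
    noisy = {a["src"] for a in single}
    # Sources already caught by the per-IP rule are removed so they do not dominate the
    # distributed pass, which is meant to surface low-and-slow proxy traffic.
    return single + distributed_attacks([e for e in events if e["src"] not in noisy])
```

The per-source rule is what most rate limiters implement and is exactly what proxy rotation defeats; the distributed rule needs a global view (a SIEM or the identity provider's own logs), and in practice you would also pivot on user agent, TLS fingerprint or ASN to tie the fresh sources together. A "review" login is a candidate account takeover, not a verdict: confirm with the user and with what the session did next.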