Daily Brief

2024-04-25 06:44:50 thehackernews MISCELLANEOUS Google Delays Cookie Phase-Out Amid UK Regulatory Review
Google has again postponed the deprecation of third-party cookies in Chrome, its third extension: the phase-out will no longer complete in the second half of 2024, and Google now envisions early 2025. The decision follows ongoing discussions with the U.K. Competition and Markets Authority (CMA) over competition concerns about Google's Privacy Sandbox, which is designed to offer privacy-preserving alternatives to third-party cookies and cross-app identifiers for ad targeting. Apple's Safari and Mozilla's Firefox, by contrast, have restricted third-party cookies by default since 2020. U.K. regulators, including the ICO, are scrutinizing the Privacy Sandbox to ensure it benefits consumers and does not unduly advantage Google's own advertising business. Problems have been identified in Google's proposed alternatives that could let advertisers bypass the intended privacy protections. Google continues to engage with stakeholders, and the CMA has asked it to gather further industry feedback and test results by the end of June. Separately, Google announced enhancements to Google Meet, including support for external participants in client-side encrypted calls.
2024-04-25 06:34:28 theregister MISCELLANEOUS Indian Bank Restricted from Adding New Online Customers
The Reserve Bank of India (RBI) has barred Kotak Mahindra Bank from onboarding new customers through its online and mobile channels, citing serious deficiencies in IT governance. The issues identified include poor management of IT inventory, inadequate patch and change management, flawed user access and vendor risk management, and weak data security controls. Kotak Mahindra Bank, which has over 41 million customers and $500 billion in assets, failed consecutive annual RBI assessments of IT risk and information security governance. Earlier corrective actions by the bank were judged inadequate, incorrect, or not sustained. The bank's rapid rollout of new products, including a credit card product that gained three million customers, raised concerns about operational resilience. RBI says the restriction is intended to protect customers and the wider digital banking ecosystem by forcing Kotak Mahindra to strengthen its technology infrastructure. The bank has pledged to adopt new technologies and resolve the remaining findings quickly, and does not expect a material impact on its overall business. Investor confidence appears stable: the stock rose 1.65 percent after the announcement.
2024-04-25 05:58:40 thehackernews NATION STATE ACTIVITY State-Sponsored Exploits Target Cisco Gear for Espionage
State-sponsored hackers used two zero-day vulnerabilities in Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software in an espionage campaign that Cisco Talos calls ArcaneDoor. Talos tracks the actor as UAT4356 (Microsoft: Storm-1849); it deployed two implants, Line Dancer, an in-memory shellcode loader, and Line Runner, a persistent backdoor, for actions such as data exfiltration and network traffic capture. One flaw (CVE-2024-20359) lets an attacker who already holds administrator privileges execute code as root, which is what allows Line Runner to survive reboots; the other (CVE-2024-20353) lets an unauthenticated remote attacker force the device to reload (denial of service). CISA has added both to its Known Exploited Vulnerabilities catalog and requires federal agencies to apply Cisco's fixes by May 1, 2024. The initial access vector remains unknown, although UAT4356's preparations trace back to July 2023. The attackers used advanced evasion and anti-forensic techniques, indicating deep knowledge of the appliances and of typical forensic procedures. Cisco Talos has not disclosed how many customers were affected; its emphasis is on keeping perimeter network devices patched, monitored, and securely configured.
2024-04-25 00:33:01 theregister NATION STATE ACTIVITY Australia's Intelligence Seeks Tech Help Against Encrypted Threats
Australia's top intelligence and police officials are pressing for "accountable encryption" so that law enforcement can access encrypted communications during investigations. The director-general of the Australian Security Intelligence Organisation (ASIO) described the difficult balance between the privacy that encryption protects and the safe spaces it creates for extremists. Officials say that, despite existing laws, current encryption makes it slow and difficult to intercept potential threats. They are not calling for an end to end-to-end encryption, but want technology companies to comply more effectively with lawful intercepts authorised by court warrants. The position mirrors that of other law enforcement bodies, including European police chiefs, who argue that encryption hampers investigations into serious crimes such as terrorism and child exploitation. Officials are also concerned about the dual-use nature of AI, which extremists are exploiting for attack planning and weapon building. ASIO already uses AI to enhance its data analysis but says encrypted data obstructs rapid threat assessment.
2024-04-24 23:16:40 theregister NATION STATE ACTIVITY Nation-State Cyber Group Targets Global VPN with Novel Malware
A sophisticated nation-state actor has been exploiting vulnerabilities in Cisco security appliances since November 2023 for espionage. The campaign, named "ArcaneDoor," was discovered in January and targeted VPN appliances used by governments and critical infrastructure worldwide. Cybersecurity agencies from Canada, Australia, and the UK issued joint advisories highlighting the espionage focus and the use of bespoke malware. Two vulnerabilities in Cisco devices, CVE-2024-20353 and CVE-2024-20359, were exploited; patches were released this week. The intruders deployed two custom implants, Line Dancer and Line Runner, which let them control the compromised appliances and extract data from them. The actor also showed interest in devices from other vendors, including Microsoft, signalling a broader threat to perimeter equipment. Cisco urged customers to update affected systems immediately and to check for signs of compromise using the indicators in the Cisco Talos blog post and security advisories.
2024-04-24 20:59:17 bleepingcomputer CYBERCRIME US Charges Samourai Mixer Founders for $100 Million Laundering
The U.S. DOJ has charged Keonne Rodriguez and William Lonergan Hill with laundering more than $100 million through their cryptocurrency mixer, Samourai. Samourai's Whirlpool and Ricochet services allegedly processed over $2 billion in unlawful transactions, obscuring the origins of funds linked to criminal activity. The founders are said to have earned roughly $4.5 million in fees from these services. The Samourai Wallet app, downloaded more than 100,000 times, was built for private, anonymous cryptocurrency transactions. Authorities seized Samourai's domains and its servers in Iceland, and Google Play removed the app following the legal action. Rodriguez was arrested in the U.S.; Hill was detained in Portugal, and the U.S. is seeking his extradition. Both face charges of conspiracy to commit money laundering, carrying up to 20 years, and conspiracy to operate an unlicensed money-transmitting business, carrying up to five years. The indictment describes extensive use of the mixer to launder proceeds from dark web markets, wire fraud, and schemes defrauding decentralized finance protocols.
2024-04-24 20:13:19 bleepingcomputer MALWARE Critical Security Flaw in Flowmon Urges Immediate Update
Proof-of-concept exploit code has been released for a critical vulnerability in Progress Flowmon, a network performance monitoring tool used by over 1,500 companies worldwide. The flaw, CVE-2024-2389, lets a remote, unauthenticated attacker execute arbitrary commands via a specially crafted API request. Progress Software, Flowmon's developer, has released fixed builds and urges customers to update to version 12.3.5 or 11.1.14 immediately. Researchers at Rhino Security Labs demonstrated the exploit, which lets an attacker plant a webshell and then escalate to root on the appliance. Roughly 500 Flowmon servers are exposed to the public internet, increasing the risk of exploitation. Italy's CSIRT had earlier warned that the exploit was circulating publicly. Although no in-the-wild exploitation has been reported, the availability of exploit code on public forums such as X makes prompt patching urgent.
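The practical follow-up to an advisory like this is finding which of your Flowmon hosts are still below the fixed build. The following is an added example, not code from the article, from Rhino Security Labs, or from Progress Software: it assesses each host in a constructed inventory against the fixed releases Progress published for CVE-2024-2389 (12.3.5 for the 12.x branch, 11.1.14 for the 11.x branch). The hostnames and version strings are invented for the example; the one point worth noticing is that a naive numeric comparison would rank a patched 11.1.14 below an unpatched 12.3.4, so the check is done per branch.

```python
"""Added example, not code from the article or from Progress Software.

Flag Flowmon hosts whose reported version is below the fixed release for
their major branch. Fixed releases are those Progress published for
CVE-2024-2389: 12.3.5 (12.x) and 11.1.14 (11.x). SAMPLE_INVENTORY is
constructed for the example.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Minimum safe release per major branch. A 12.0.x or 12.2.x install is also
# below 12.3.5 and needs the same upgrade, so keying on the major is enough.
FIXED_RELEASE: Dict[int, Version] = {
    12: (12, 3, 5),
    11: (11, 1, 14),
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Turn '12.3.4', 'v12.3.4' or '12.3.4-build7' into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Flowmon version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def assess(version_text: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown-branch' for one host.

    Comparing tuples across branches would be wrong: 11.1.14 is patched even
    though it sorts below an unpatched 12.3.4, so each host is compared only
    against the fixed release of its own branch.
    """
    version = parse_version(version_text)
    fixed = FIXED_RELEASE.get(version[0])
    if fixed is None:
        # Out-of-support or unlisted branch: needs a human decision, not a pass.
        return "unknown-branch"
    return "patched" if version >= fixed else "vulnerable"


def triage(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Assess every host; vulnerable ones first so they top the work queue."""
    rows = [(host, ver, assess(ver)) for host, ver in inventory.items()]
    order = {"vulnerable": 0, "unknown-branch": 1, "patched": 2}
    return sorted(rows, key=lambda r: (order[r[2]], r[0]))


# Constructed sample inventory, e.g. what a scan or CMDB export might return.
SAMPLE_INVENTORY = {
    "flowmon-dc1.example.internal": "12.3.4",
    "flowmon-dc2.example.internal": "v12.3.5",
    "flowmon-branch.example.internal": "11.1.13-build2",
    "flowmon-lab.example.internal": "11.1.14",
    "flowmon-legacy.example.internal": "10.2.1",
}

if __name__ == "__main__":
    for host, ver, status in triage(SAMPLE_INVENTORY):
        print(f"{status:15} {ver:16} {host}")
```

Feed `triage()` whatever your asset inventory reports for the Flowmon version; anything that comes back `unknown-branch` is a release the advisory does not list and should be treated as exposed until confirmed otherwise.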
2024-04-24 19:47:33 theregister MISCELLANEOUS Proposed Bill Aims for Secure Federal Collaboration Tech
U.S. Senator Ron Wyden has introduced a bill that would mandate interoperability and security for the collaboration software used by the federal government, such as Microsoft Teams, Zoom, and Slack. The Secure and Interoperable Government Collaboration Technology Act would require end-to-end encryption and compliance with federal record-keeping standards. The General Services Administration (GSA) and the National Institute of Standards and Technology (NIST) would be responsible for defining the interoperability standards and technologies. The legislation aims to cut government software spending by breaking vendor lock-in and increasing competition. It has not yet attracted significant bipartisan support, which lowers its chances of passing in an election year. The Department of Homeland Security would review these collaboration tools, and the standards would be updated every two years based on reviews by a GSA and Office of Management and Budget working group. Despite a positive reception from digital rights groups and endorsements from figures such as Cory Doctorow, it faces likely resistance from major technology firms. The proposed standards would not apply to email, voice services, or national security systems.
2024-04-24 17:19:40 theregister MISCELLANEOUS Microsoft Criticized for Charging for Essential Security Tools
Microsoft faces criticism for charging additional fees for security add-ons, despite frequent security incidents involving its products. The company's security strategies have been questioned following major compromises, including the Exchange Online attack attributed to a Chinese-linked group. Microsoft demands that customers purchase an E5 subscription for comprehensive security tools or add-ons on an E3 subscription, increasing costs significantly. Microsoft's profit-driven approach to security has led to frustrations among customers who feel forced to pay continually increasing rates for essential security measures. Analysts suggest that integrating more security features into basic subscriptions could alleviate customer burdens, though this might decrease Microsoft's security-related revenues and draw regulatory scrutiny. Recent concessions by Microsoft, like providing free access to cloud security logs, show a potential shift towards enhancing baseline security in response to customer needs and bad publicity. However, questions remain about how far Microsoft will go in making security a fundamental part of all cloud subscriptions.
2024-04-24 17:09:09 bleepingcomputer NATION STATE ACTIVITY State-Sponsored Hackers Exploit Cisco Zero-Days in Espionage
Cisco identified two zero-day vulnerabilities in its security products, leveraged by a state-backed hacking group to infiltrate government networks globally. The hacking campaign, dubbed ArcaneDoor, has been active since November 2023, utilizing sophisticated malware for cyber-espionage. Identified vulnerabilities, CVE-2024-20353 and CVE-2024-20359, allow persistent local code execution and denial of service on Cisco's ASA and FTD devices. The hackers, using aliases UAT4356 and STORM-1849, deployed malware implants 'Line Dancer' and 'Line Runner' to maintain persistence and execute malicious actions on compromised networks. Cisco’s security team detected the campaign in January 2024, noting the preparation phase for these attacks dated back to at least July 2023. Following the discovery, Cisco released patches for the vulnerabilities and strongly urged customers to update their systems and monitor for any signs of compromise. The company also emphasized the importance of strong security practices, including multi-factor authentication and centralized, secure logging.
2024-04-24 15:47:34 bleepingcomputer MISCELLANEOUS Google Meet Extends Encrypted Calls to External Users
Google has updated its client-side encryption on Google Meet to include external participants, even those without Google accounts. The feature is now available to Workspace users with Enterprise Plus, Education Standard, and Education Plus licenses. External participants can join encrypted meetings after verifying their identity through third-party identity providers. The update ensures that all data within the meeting is accessible only by the meeting participants, enhancing privacy and security. Activation of the new feature requires administrators to configure identity provider settings and update access controls. Supported identity verification methods include existing Google or Microsoft accounts, or a one-time password received via SMS or email. This change aims to facilitate secure collaborations with stakeholders outside the organization while maintaining strict data privacy.
2024-04-24 15:01:33 theregister MISCELLANEOUS Nuclear Weapons Plant Settles $18.4M for Timesheet Fraud
Consolidated Nuclear Security LLC (CNS), managing the Pantex Plant since 2014, agreed to pay $18.4 million in a settlement over falsified timesheets. CNS admitted that employees at the Amarillo, Texas nuclear facility recorded hours not worked, prompting reimbursement to the government. The false time recording involved a few production technicians at Pantex, a key U.S. nuclear weapons assembly and maintenance facility. CNS took responsibility, terminated the involved employees, and cooperated fully with the investigation, avoiding criminal liability. The U.S. Department of Justice emphasized the seriousness of the misconduct, highlighting the need for accurate billing on national security projects. The settlement is part of broader efforts to enforce accountability and protect public funds in government contracting, especially in sensitive sectors.
2024-04-24 14:35:31 theregister MISCELLANEOUS Google Delays Third-Party Cookie Phase-Out to 2025 Amid Regulatory Review
Google has postponed its plan to phase out third-party cookies in Chrome to 2025, citing ongoing discussions with UK regulators. The delay gives the UK's Competition and Markets Authority (CMA) and Information Commissioner's Office (ICO) more time to review the proposed changes. The phase-out had been scheduled for the second half of 2024 but ran into concerns over both competition and privacy. Google's Privacy Sandbox initiative aims to remove third-party cookies while curbing cross-site tracking and preserving the economic viability of ad-funded online content. The advertising industry has raised significant objections, arguing that the move favours Google's own solutions and undermines independent marketing strategies. Recent feedback and a leaked draft report have also questioned how much privacy the Privacy Sandbox actually delivers. Google has reaffirmed its commitment to working with the CMA and ICO on these concerns and now hopes to begin phasing out third-party cookies in early 2025, subject to their agreement.
2024-04-24 14:35:31 bleepingcomputer DATA BREACH FTC Refunds Ring Users $5.6M Over Privacy and Security Lapses
The FTC is issuing $5.6 million in refunds to affected Ring users following a significant privacy breach. Private video feeds of Ring users were accessed without proper authorization by Amazon employees and contractors. The refunds are part of a settlement from a complaint filed in May 2023, which claimed insufficient security measures by Ring. Affected devices included smart home security products like video doorbells and cameras. Allegations included unrestricted internal access to devices for employees and third-party contractors. Ring implemented multi-factor authentication only in 2019, prior to which user accounts were susceptible to hijacking. Over 117,000 consumers are eligible for the payouts, which will be processed via PayPal and need redemption within 30 days. The recipients were identified based on data provided by Ring concerning the vulnerabilities cited in the FTC complaint.
2024-04-24 14:04:44 theregister NATION STATE ACTIVITY US Indicts Iranians for Cyberattacks on Government and Businesses
The US has charged four Iranian nationals, linked to companies working for Iran's military, with cyberattacks on US entities. The accused worked for front companies, including Mehrsam Andisheh Saz Nik, operating on behalf of Iran's Islamic Revolutionary Guard Corps (IRGC). The attacks, carried out from 2016 to 2021, targeted more than a dozen US companies and government departments, including State and Treasury. Techniques included spearphishing, social engineering, and malware to compromise and manipulate victims' accounts. In one case the attackers compromised defense contractor email accounts to steal sensitive information and launch follow-on attacks. They impersonated real people, often women, to build trust before delivering malware. As with cybercriminals in other adversary countries, the US is unlikely to be able to arrest the defendants, since Iran does not extradite its nationals. The US Department of Justice says it will use a whole-of-government approach to counter and penalize such cyber threats.