Daily Brief


Total articles found: 11809


2024-04-02 18:09:50 bleepingcomputer CYBERCRIME Google to Thwart Cookie Theft with Chrome's New Security Feature
Google announced a new Chrome feature, Device Bound Session Credentials (DBSC), designed to prevent cookie theft by tying cookies to specific devices. DBSC uses public/private key pairs and the device's Trusted Platform Module (TPM) chip to secure authentication cookies, making them useless if stolen. The feature aims to render the cookie theft industry ineffective by eliminating the value of exfiltrated cookies, forcing attackers to deal with device-level security. DBSC is currently in the prototype phase; users can test it on Chromium-based browsers by enabling a dedicated flag on Windows, Linux, and macOS. The server-client session is initiated using a dedicated API, with each session having a unique key to ensure privacy, and users can delete the keys at any time. Google expects this feature to improve security for Google accounts, Workspace, and Cloud customers automatically upon full deployment. The initiative responds to recent abuse of Google's OAuth "MultiLogin" API by threat actors and contributes to Google's broader efforts to enhance Chrome's defense against phishing and malware.
2024-04-02 16:32:59 theregister DATA BREACH Pandabuy Ecommerce Platform Suffers Massive Data Breach
Ecommerce platform Pandabuy has confirmed a data breach exposing info of 1.3 million customers. Cybercriminals advertised the sale of Pandabuy customer data on an online forum, including sensitive personal details. Security expert Troy Hunt verified the breach with 1.3 million unique email addresses affected; 35% were already in the HIBP database. Pandabuy has identified the incident as a "data breach" by a "hacker organization," claiming that financial information was not compromised. The company responded to the breach by offering a 10% shipping discount to sellers for one month. User reactions on social media are negative, with criticism regarding Pandabuy's initial attempt to silence discussion of the breach. The breach and response tactics reflect China's broader issues with censorship and control of information.
2024-04-02 15:41:36 bleepingcomputer CYBERCRIME Russian Authorities Indict Six in Major Credit Card Skimming Operation
The Russian Prosecutor General's Office charged six individuals for their involvement in stealing credit card data from foreign online stores. Using malware for card skimming, the group infected e-commerce sites to harvest over 160,000 payment card details, which they sold on the dark web. The named suspects (Denis Priymachenko, Alexander Aseev, Alexander Basov, Dmitry Kolpakov, Vladislav Patyuk, Anton Tolmachev) began their operation around seven years ago. They face charges under the Russian Criminal Code for illegal turnover of payment means and the creation and distribution of malicious computer programs. The case represents a relatively uncommon instance of Russian law enforcement acting against cybercriminals within its jurisdiction. Consumers are urged to use digital payment solutions or one-time use cards, and to regularly check statements to detect any unauthorized activity.
2024-04-02 15:05:41 theregister MISCELLANEOUS Microsoft Alerts on Deepfake Risks to Global Election Integrity
Microsoft's Threat Analysis Center warns that trolls could use AI, including deepfakes, to influence elections worldwide. Simple deceptive tactics, such as adding legitimate news logos to images, are proving effective at spreading misinformation. The threat center has tracked the evolution of AI deception tactics from Russian trolls over the past decade, noting an increase in sophistication and a shift toward video. AI-generated content in private settings is identified as particularly concerning due to the lack of contextual clues for viewers to verify authenticity. AI-audio fakes are easier to produce and more difficult to discern compared to video, rendering them a potent medium for misinformation. Microsoft's team underscores the challenge of detecting subtle blends of real and artificial content, which can be a powerful tool for election interference.
2024-04-02 14:34:51 bleepingcomputer MALWARE New Scanner Reveals Backdoor in Linux’s XZ Utils Library
Binarly has launched a free online scanner to identify Linux executables affected by a compromise in XZ Utils, referenced as CVE-2024-3094. CVE-2024-3094 represents a supply chain attack within XZ Utils, a widely used data compression toolkit in Linux distributions. A Microsoft engineer discovered the backdoor in XZ Utils versions 5.6.0 and 5.6.1 while probing slow SSH logins on Debian Sid. The backdoor was inserted by an anonymous contributor, but only distributions with a "bleeding edge" update process were affected. CISA recommended downgrading XZ Utils to version 5.4.6 and investigating further malicious activity. Binarly's new scanner employs static analysis to detect manipulation of GNU Indirect Function (IFUNC) transitions, a technique used by the backdoor for code execution interception. The scanner offers an improvement over byte string matching and YARA rules, reducing the false positives and alert fatigue associated with other detection methods. Available at xz.fail, the tool allows users to upload binary files for high-confidence checks against this and potentially other similar backdoors.
2024-04-02 13:33:33 theregister MISCELLANEOUS Rubrik Targets $700 Million IPO Boosted by Microsoft Alliance
Cloud security provider Rubrik has filed to go public on the New York Stock Exchange, aiming to raise up to $700 million. Subscription revenues were reported at $784 million, with a 47% annual growth rate and a client base of around 6,100. Despite growth, Rubrik experienced a net loss of $277.7 million in the last financial year. CEO Bipul Sinha highlights a unique architecture that integrates data with AI to enhance cyber resilience. Rubrik's product, Ruby, leverages Microsoft Azure OpenAI Service for AI-driven data defense and recovery. A strategic partnership formed with Microsoft in 2021 includes equity investment and joint development of integrated data protection solutions. Under the alliance, Rubrik committed $220 million over a decade to Azure usage and to prioritizing Azure's public cloud functionality for customers. Rubrik recently suffered a cyberattack due to the GoAnywhere vulnerability but continues to progress with its public offering plans.
2024-04-02 13:23:03 thehackernews CYBERCRIME Covert Supply Chain Attack Targets Linux with Remote Access Backdoor
A severe vulnerability, CVE-2024-3094 (CVSS score: 10.0), was disclosed in the XZ Utils library, a compression tool prevalent in Linux distributions, enabling remote code execution. The issue was discovered by a Microsoft engineer who noticed a backdoor within the utility allowing remote attackers to bypass secure shell authentication. The backdoor was systematically inserted by a project maintainer named Jia Tan over a multi-year period, culminating in the compromised release versions 5.6.0 and 5.6.1 of XZ Utils. Malicious updates introduced by Tan were partly facilitated by sockpuppet accounts that pressured the initial maintainer to expand the project's maintainership roles. Expert analysis from both Akamai and an open-source cryptographer indicated that the backdoor allowed remote attackers to execute arbitrary payloads, effectively compromising the system. The incident underscores the vulnerabilities associated with open-source software supply chains and the lengths to which state-sponsored actors may go to embed stealthy backdoors into critical infrastructure. Calls for more robust processes and tools to detect tampering and malicious components in software are highlighted as a response to prevent future supply chain attacks.
2024-04-02 12:01:23 theregister NATION STATE ACTIVITY Polish Probe into Pegasus Misuse Could Lead to Criminal Charges
Polish officials are under investigation for potentially misusing Pegasus spyware to surveil political opponents. A parliamentary probe initiated in February is examining the previous government's deployment of Pegasus. Victims of Pegasus spyware in Poland are to be informed that they were targets of surveillance. NSO Group's Pegasus allows for extensive access to a victim's communication and data, drawing global scrutiny. Reports have linked Pegasus to the surveillance of political figures and activists, challenging NSO's claim of legitimate use. Former Polish PM Kaczyński acknowledged the purchase of Pegasus but claimed ignorance of its specific deployment targets, asserting its use was legal and mainly against criminals. International organizations have documented the use of Pegasus in EU countries, including Poland, Spain, Hungary, Belgium, and the Netherlands.
2024-04-02 11:40:42 thehackernews MALWARE Covert Espionage: APT41 Deploys UNAPIMON Malware
Earth Freybug, a covert activity cluster within APT41, a known China-linked cyber espionage group, utilizes new malware named UNAPIMON to conduct stealthy operations. UNAPIMON employs advanced tactics such as DLL hijacking and API unhooking to evade detection and enable remote command execution via compromised systems. The initial attack vector involves the manipulation of a legitimate VMware Tools executable to create a scheduled task and deploy additional malicious scripts. The UNAPIMON malware operates by injecting a malicious DLL into the Windows command interpreter, effectively turning it into a backdoor, while avoiding sandbox detection. Trend Micro researchers commend the malware authors' use of simplistic but effective techniques and an open-source Microsoft library to achieve stealth and facilitate attacks. The report indicates Earth Freybug's history of evolving methods, reinforcing the need for continuous vigilance and security process updates in the face of such adaptive threats.
2024-04-02 11:30:12 thehackernews MISCELLANEOUS Enhancing Cloud Security Through Continuous Threat Exposure Management
Cloud environments, including public, private, and hybrid, accounted for 82% of the data breaches in 2023, highlighting the critical vulnerabilities present in these systems. Limited visibility and inconsistent vendor permission management systems are major hurdles in cloud security, leading to accidental misconfigurations and blurred lines of responsibility among IT teams. The complexity of cloud security is exacerbated by stretched resources, making it difficult for teams to prioritize and remediate the wide array of exposures effectively. Continuous Threat Exposure Management (CTEM) is proposed as a necessary framework to prevent high-impact attacks by focusing on the most serious vulnerabilities and streamlining remediation workflows. CTEM's strategy includes mapping attack paths to identify and prioritize the resolution of the most critical exposures and choke points in cloud environments. Tools analyzing hybrid attack paths offer detailed insights into potential breaches and assist in preemptive security measures, covering both on-prem and multi-cloud environments. Adopting the CTEM approach supports organizations in transitioning from reactive security measures to a proactive defense, ensuring more secure operations in cloud-based infrastructure.
2024-04-02 11:19:47 theregister CYBERCRIME UK Leicester City Council Struck by Ransomware Group
INC Ransom claims responsibility for the cybersecurity incident at Leicester City Council with 3TB of data purportedly stolen. The tactic of "flashing" a victim's name on a leak blog and swiftly removing it suggests an attempt to pressure the council in ongoing ransom negotiations. Despite a system shutdown on March 7, the council has restored most services, including waste management, schooling, and public library systems. The council is progressing in addressing service backlogs and refrains from commenting on data breaches due to criminal investigations. INC Ransom also claimed an attack on NHS Dumfries and Galloway, with another 3TB of sensitive healthcare data allegedly stolen. The group's history suggests a double extortion model, threatening the exposure of sensitive data which could lead to targeted phishing attacks against residents.
2024-04-02 09:32:34 theregister MISCELLANEOUS Gmail's 20th Anniversary Ushers in Tougher Anti-Spam Rules
Google celebrates Gmail's 20th birthday by implementing stricter rules to reduce spam. New measures are now in effect targeting bulk senders of over 5,000 messages per day. Google has made email authentication mandatory for bulk senders and introduced a lower spam rate threshold. Unauthenticated messages have decreased by 75 percent since initial implementation of these requirements. The requirements include email authentication, one-click unsubscribe options, and adherence to spam thresholds. Bulk senders who fail to comply will receive temporary errors with specific error codes to help them identify non-compliant emails. Scammers and attackers often use bulk sending as a disguise, prompting Google to crack down on unsecured systems. These changes currently apply only to personal Gmail accounts, not Google Workspace business accounts.
2024-04-02 07:35:19 theregister MISCELLANEOUS Apple's GoFetch Flaw Exposes Speed-Security Tradeoff Dilemma
Apple Silicon processors have been found to contain a significant security vulnerability called GoFetch, a problem known to the industry even before these processors were launched. The GoFetch vulnerability is related to a fundamental issue with modern processor design that balances the need for speed against cryptographic security. Processor designers use high-speed caches to keep essential data close to the processor to boost performance, but this compromises cryptographic operations that require constant execution time to prevent timing attacks. The specific vulnerability with Apple’s Data Memory Prefetcher (DMP) feature allows an attacker to indirectly glean cryptographic keys by observing the timing of cache hits and misses, even when crypto code attempts to avoid such leaks. The preference of chipmakers to prioritize speed in their processors, fueled by market competition and benchmarking, may have led to a lack of rigor in searching for such subtle security flaws. The secretive nature of chip design and the lack of detailed public information make it difficult for external parties to identify and address vulnerabilities quickly, potentially exacerbating security risks. There's a call for chipmakers to reconsider their approach towards secrecy and speed, advocating for more openness which could lead to earlier detection of security flaws and better-informed coding practices for optimized performance.
2024-04-02 07:14:36 thehackernews DATA BREACH Google to Delete User Data in 'Incognito' Privacy Lawsuit Settlement
Google settles a class action lawsuit by agreeing to erase billions of records of users' browsing activities while in 'Incognito' mode. The lawsuit accused Google of misleading users by tracking internet browsing even in private browsing modes across web browsers like Chrome. U.S. District Judge Yvonne Gonzalez Rogers has yet to approve the settlement, which mandates comprehensive data deletion and anonymization. Google must remove information that identifies private browsing data, including IP addresses, detailed URLs, and the X-Client-Data header field. The tech giant has committed to blocking third-party cookies in Chrome's Incognito Mode for five years and plans to eliminate tracking cookies by the end of the year. Internal Google communications revealed during the lawsuit process described Incognito Mode as a "confusing mess" and "effectively a lie." In response to the settlement terms, Google updated the description of Incognito Mode to clarify the limitations of privacy protection it offers. Additional measures introduced include new guidelines for bulk email senders to Gmail, aimed at reducing spam and phishing, with mandatory unsubscribe options.
2024-04-02 05:02:11 thehackernews CYBERCRIME Wide-Scale Phishing Attacks Deploy Venom RAT in Latin America
TA558, an established threat actor, launches a large-scale phishing campaign to distribute Venom RAT across various sectors in Latin America. Targeted sectors include hospitality, finance, manufacturing, and government agencies across Spain, Mexico, the US, Portugal, Brazil, and more. The campaign employs phishing emails for initial access, leading to sensitive data theft and system control via the Venom RAT malware. Venom RAT is an offshoot of Quasar RAT known for its data harvesting and remote system command capabilities. The campaign follows increased use of DarkGate malware loader and various malvertising campaigns post-QakBot takedown, targeting financial institutions in the US and Europe. Notorious malvertising group ScamClub has pivoted to video advertisement attacks, exploiting VAST tags for redirecting users to scams, with most victims in the US. Security experts emphasize the importance of enhancing cloud security measures and updating security processes in the face of evolving cyber threats.