Daily Brief

2024-02-23 01:02:27 theregister DATA BREACH Avast Settles FTC Charges for $16.5 Million Over User Data Sales
Avast has agreed to pay $16.5 million to settle Federal Trade Commission (FTC) accusations of selling customer browsing data through its subsidiary Jumpshot. The FTC complaint alleged Avast misrepresented data practices, selling data that could reveal sensitive user information to third parties. Data sold included details on users' web searches, visits, and personal interests, potentially exposing confidential information such as religious beliefs and political leanings. Avast’s efforts to anonymize the data were inadequate, making it possible for data buyers to re-identify the browsing data with individual users. Jumpshot, closed in 2020 following the data sales allegations, had accumulated over eight petabytes of browsing data. As part of the settlement, Avast is prohibited from selling browser data moving forward, must destroy all web browsing data and derived algorithms, and must secure explicit user consent for any future data licensing. Avast denies wrongdoing but has agreed to the settlement to resolve the investigation, emphasizing its commitment to its user base.
2024-02-22 21:18:42 theregister CYBERCRIME Cyberattack Impacts Pharmacists Across US Amid IT Shutdown
A major cyberattack led Change Healthcare to shut down its systems, disrupting pharmacy operations nationwide. The IT outage affected prescription order processing and insurance eligibility checks, forcing some patients to pay full cash prices. Change Healthcare, owned by UnitedHealth, handles 15 billion healthcare transactions and is a crucial technology provider. The cybersecurity issue began on Wednesday, and Change Healthcare confirmed it was caused by an outside threat. The disruption is expected to extend into Friday, with the company working to resolve the issue and provide updates. Pharmacies such as CVS, along with users of Athenahealth, experienced outages, and CVS enacted business continuity plans to minimize service disruption. Although CVS Health's own systems were not compromised, it remains unable to process insurance claims for some customers. Other pharmacies, including Michigan's Scheurer Health and reportedly Publix, were also unable to process prescriptions because of the outage.
2024-02-22 19:46:54 theregister CYBERCRIME LockBit Ransomware Group Disrupted Amid Development of New Variant
Law enforcement has disrupted the LockBit ransomware operation while the group was developing a new variant intended to resolve past problems. Unlike its rivals, LockBit chose .NET and CoreRT for the new variant, intending to target more platforms and possibly evade static file detection. A leak of LockBit's builder in September 2022 led to copycat attacks, which the new variant attempted to counter by giving each build an expiry date. The under-development LockBit-NG-Dev has a completely rewritten codebase with multiple encryption methods; it lacks some earlier capabilities but remains powerful. Although three major arrests mark real progress, LockBit could return under a new name, since nearly 200 affiliates remain at large. Trend Micro speculates that the disrupted .NET variant might shape the future of LockBit or be adopted by other ransomware groups.
2024-02-22 19:16:05 bleepingcomputer MISCELLANEOUS Bitwarden Enhances Password Auto-Fill to Thwart Phishing Attacks
Bitwarden has rolled out a new inline auto-fill menu to bolster security against credential theft via malicious form fields. The update is a response to the potential for attackers to leverage rogue iframes on compromised legitimate sites to capture user credentials. During the initial concern, Bitwarden had disabled iframe auto-fill by default but allowed users to re-enable it with a clear warning of the risks. The password manager has since integrated additional precautions that permit iframe auto-fill solely on recognized sites and subdomains linked to the origin domain. The updated auto-fill system aims to provide a secure and convenient user experience, maintaining visibility on the screen and offering keyboard navigation. While this feature is not enabled by default, users can activate it via Bitwarden settings, with recommendations to disable any similar browser auto-fill services to prevent conflict. Bitwarden offers various auto-fill methods, including shortcuts and context menus, and allows users to specify trusted URLs for the auto-fill feature.
2024-02-22 18:35:02 bleepingcomputer CYBERCRIME ScreenConnect Vulnerabilities Lead to LockBit Ransomware Attacks
ScreenConnect servers have been compromised using a severe auth bypass vulnerability, leading to LockBit ransomware deployment on affected networks. ConnectWise quickly addressed the vulnerability with security updates, right after the flaw was exposed and proof-of-concept exploits were shared by cybersecurity firms. ConnectWise released an unrestricted software update allowing all clients, including those with expired licenses, to upgrade and protect their systems. The Cybersecurity and Infrastructure Security Agency (CISA) responded by adding the vulnerability to its Known Exploited Vulnerabilities Catalog, implementing a one-week compliance deadline for U.S. federal agencies. A relatively small number of ScreenConnect servers have been patched, leaving many potential targets for LockBit ransomware attacks. Sophos X-Ops observed several LockBit attacks following exploitation of ScreenConnect vulnerabilities, indicating some LockBit affiliates remain active post law enforcement crackdown. LockBit infrastructure and dark web operations were recently dismantled in an international law enforcement effort, yet affiliates and splinter groups continue to pose threats. The U.S. State Department is offering rewards for information leading to LockBit associates, reflecting the significance of the threat the group poses to organizations globally.
2024-02-22 16:52:54 bleepingcomputer DATA BREACH FTC Imposes $16.5M Fine on Avast for Selling User Data
The FTC ordered Avast to pay $16.5 million for unlawfully selling user browsing data. Avast is banned from selling or licensing browsing data for advertising purposes, a practice the FTC says violated user privacy. The FTC alleges Avast gathered and sold detailed user browsing data without consent since at least 2014. Avast misled customers, claiming to safeguard their privacy while profiting from their data through Jumpshot. Avast must now obtain clear consent before selling data from non-Avast products and must delete all data shared with third parties. Users whose data was sold without consent will be notified of the FTC's enforcement actions. The FTC condemned Avast's practices, describing them as bait-and-switch tactics that compromised consumer privacy.
2024-02-22 16:26:56 thehackernews NATION STATE ACTIVITY Apple Enhances iMessage Security with Post-Quantum Cryptography Protocol
Apple introduces PQ3, a new post-quantum cryptographic (PQC) protocol, to elevate iMessage security against future quantum computing threats. PQ3 is considered the first messaging protocol with Level 3 security, surpassing current protections offered by widely-used messaging applications. Apple's PQ3 merges techniques from Kyber and Elliptic Curve cryptography (ECC) to provide enhanced encryption and mitigate the risks associated with quantum attacks. The protocol is designed to combat harvest now, decrypt later (HNDL) attacks, where encrypted data could potentially be decrypted by quantum computers in the future. PQ3 includes an automatic key rotation feature, limiting exposure to past and future message decryption in case of a key compromise; keys rotate every 50 messages or at least once every seven days. Support for Apple's PQ3 protocol is planned for rollout in upcoming iOS 17.4, iPadOS 17.4, macOS 14.4, and watchOS 10.4 releases. Apple's announcement comes as other tech companies like AWS, Cloudflare, Google, and Signal have been moving towards quantum-resistant encryption to safeguard against evolving threats.
2024-02-22 15:35:31 theregister CYBERCRIME Father-Son Duo Arrested for LockBit Ransomware Affiliation
Ukrainian police have apprehended a father and son suspected of being affiliates of the LockBit ransomware group, which has launched over 3,000 attacks in more than four years. The arrests were part of an international effort, with coordination from French authorities and Europol, to dismantle the cybercrime network. LockBit leaders still evade capture, with recent indictments issued for Russian nationals unlikely to lead to immediate arrests due to extradition challenges. The United States has put forth a reward of up to $15 million for information leading to the identification or capture of LockBit members, as part of a broader strategy to combat ransomware. Despite significant geopolitical and operational challenges, particularly due to the conflict in Ukraine, authorities continue their relentless pursuit of cybercriminals involved in ransomware attacks. The recent arrests and reward announcements indicate a strengthening international resolve to confront ransomware syndicates and hold their operators accountable.
2024-02-22 13:53:10 bleepingcomputer MALWARE LockBit Ransomware Prepares for 4.0 Upgrade Amid Law Enforcement Takedown
Law enforcement agencies have disrupted the infrastructure of the LockBit ransomware group. Trend Micro analyzed a new version of the LockBit malware that was under development and may evolve into LockBit 4.0. The next-generation variant, while still under development, is written in .NET and is likely to support multiple operating systems. It lacks some capabilities of previous versions, such as propagating through networks, but offers most of the expected functionality, including various encryption modes and self-deletion features. The malware uses AES+RSA encryption and includes features such as file and directory exclusion and random file renaming to hinder restoration. Trend Micro's technical analysis documents the full capabilities of the new variant, which may aid future defense strategies. The discovery of LockBit-NG-Dev poses a significant challenge to the group's continued operations, especially now that security researchers are aware of its source code.
2024-02-22 10:53:35 thehackernews NATION STATE ACTIVITY North Korean Actors Backdoor Russian Government Software
A software installer from the Russian Consular Department was compromised to distribute the Konni RAT malware, in an operation attributed to suspected North Korean actors. German cybersecurity firm DCSO linked the cyberespionage operation to North Korea's historical pattern of targeting Russian entities. The backdoored software, named 'Statistika KZU', was intended for internal use by the Russian Ministry of Foreign Affairs. The MSI file initiates contact with a C2 server, allowing the remote access trojan to transfer files and execute commands. A similar backdooring incident occurred in October 2023, involving Russian tax filing software. It is unclear how the threat actors obtained the installer, which hints at extensive North Korean espionage efforts against Russia. Despite strengthening geopolitical ties between North Korea and Russia, espionage activity continues in order to assess and verify Russian foreign policy. The report emphasizes that the threat landscape persists even as international relations evolve.
2024-02-22 10:53:35 thehackernews NATION STATE ACTIVITY Hacktivism Surge Amid Geopolitical Conflicts and Cyber Warfare
There has been a significant increase in hacktivism, often linked with ongoing geopolitical conflicts, such as the war in Ukraine. Hacktivist groups have used platforms like Telegram to coordinate attacks and disseminate information, even as platforms attempt to curtail malicious activity. Notable hacktivist groups such as NoName057(16) and Anonymous Sudan engage in cyberattacks as a form of political activism, with varying levels of consistency and impact. Pro-Russian hacktivist groups, for example, have targeted countries that are seen as opposing Russian interests or providing support to Ukraine. Hacktivist attacks foster Fear, Uncertainty, and Doubt (FUD), impacting societal perception more than the direct effect of the cyber operations. NoName057(16) appears to target countries proportionate to their level of support to Ukraine, as tracked by the Ukraine Support Tracker, though geographical proximity also plays a role in victim selection. The distinction between proportional and disproportional responses is observed in the divergence between the level of support promised and the frequency of attacks experienced by various countries.
2024-02-22 10:53:35 thehackernews MALWARE Open-Source SSH-Snake Tool Weaponized by Cybercriminals for Network Infiltration
Cybercriminals are exploiting SSH-Snake, an open-source network mapping tool, for malicious network attacks. SSH-Snake operates as a self-replicating worm that finds SSH credentials to propagate across networks, making it more reliable for threat actors. The tool assists hackers in harvesting credentials, IP addresses, and bash command histories, offering stealth and lateral movement capabilities. Threat actors are taking advantage of recommended SSH key practices and exploiting tools intended for legitimate security assessments. The tool's developer, Joshua Rogers, emphasizes the importance of proactive security and infrastructure design to mitigate such threats. In related news, Aqua has detected a new botnet campaign, "Lucifer," targeting vulnerabilities in Apache Hadoop and Apache Druid for cryptojacking and DDoS attacks. Security specialists are urged to re-architect systems to prevent the wide-reaching impact of bots and scripts like SSH-Snake when exploited by attackers.
2024-02-22 06:37:25 theregister NATION STATE ACTIVITY Leak Exposes I-Soon as Chinese Government-Linked Hacker-for-Hire
A leak on GitHub has exposed Chinese infosec vendor I-Soon as a contractor involved in government-sponsored cyber-attacks. The leaked documents indicate I-Soon has developed Remote Access Trojans (RATs) for major operating systems, including Linux, Windows, macOS, iOS, and Android. The Android malware I-Soon created is reportedly capable of extracting extensive messaging histories from various chat applications, including Telegram. I-Soon is said to have successfully targeted government departments in several Asian countries and even infiltrated a NATO system. Hardware hacking devices utilized by I-Soon, such as a 'poisoned' power bank that can upload data from victims' devices, are part of their espionage toolkit. The leak suggests a competitive industry in China where multiple agencies provide lists of foreign government systems as targets, with rewards for successful breaches. This leak provides a rare insight into the outsourcing of Beijing's cyber operations, though it reveals no unprecedented capabilities. The Register anticipates that further insights may emerge from the leaked documents once they undergo accurate translation and analysis.
2024-02-22 05:31:19 thehackernews CYBERCRIME U.S. Announces $15 Million Reward for Information on LockBit Ransomware
The U.S. State Department is offering up to $15 million for information on the LockBit ransomware group's leaders and participants. LockBit has executed over 2,000 attacks worldwide since January 2020, with victims paying more than $144 million in ransoms. A U.K. National Crime Agency-led operation has recently disrupted the LockBit group, linked to Russia and operating for over four years. LockBit operates as Ransomware-as-a-Service (RaaS), using affiliates to execute cyberattacks and sharing proceeds of the ransom payments. The group is known for its high frequency of attacks and willingness to target any type of infrastructure, making it highly destructive. Following an investigation starting from April 2022, arrests were made and servers seized, potentially allowing victims to recover data without payment. Despite LockBit experiencing disruptions, cybersecurity experts warn that the group could quickly regroup and resume operations under a different name.
2024-02-22 01:57:44 bleepingcomputer DATA BREACH Microsoft Enhances Federal Agencies' Logging after Exchange Breach
Microsoft has expanded free logging features for Purview Audit standard customers, following a May breach involving Chinese hackers. Enhanced logging capabilities will help detect similar cyberattacks and comply with U.S. federal logging requirements. Expansion includes an automatic increase in log retention from 90 to 180 days, with no additional costs or configurations. The changes align with CISA’s Secure by Design guidance and respond to criticisms of Microsoft's previous logging license policies. Microsoft's actions follow the exposure of an Exchange Online breach where 60,000 emails from U.S. State Department officials were compromised. Senator Ron Wyden criticizes Microsoft for profiting from cybersecurity vulnerabilities and suggests holding software companies accountable for negligence.