Daily Brief

Total articles found: 12821

2025-01-30 21:02:32 | bleepingcomputer | MALWARE | Google Enhanced Android Security By Blocking 2.36 Million Risky Apps
Google blocked 2.36 million risky Android app submissions in 2024, showing a significant increase from previous years due to improved AI-assisted review processes. The tech giant banned 158,000 developer accounts for attempting to circulate malware and spyware through the Play Store. Google Play Protect was upgraded to bolster real-time protection and scanned over 200 billion apps daily, identifying 13 million new malware threats. The enhancements included the prevention of 1.3 million apps from accessing excessive user permissions and the addition of 80 trusted SDKs to the Google Play SDK index. The Play Integrity API contributed to an 80% reduction in app abuse from untrusted sources, with security features in Android 13 aiding in 91% of app installs. Google expanded its untrusted APK installation blocking system to multiple countries, successfully thwarting 36 million malicious installation attempts. Despite these advances, the ongoing sophistication of cyberthreats requires users to remain cautious and proactive in managing app permissions and security settings.
2025-01-30 18:21:08 | theregister | NATION STATE ACTIVITY | Former Navy Admiral Criticizes Trump's Cybersecurity Decisions
Rear Admiral Mark Montgomery criticized the Trump administration's termination of U.S. cyber advisory boards, highlighting national security risks. Testimony before the U.S. House Homeland Security Committee revealed concerns about heightened vulnerabilities to cyberattacks from China. The Cyber Safety Review Board's investigation into the Salt Typhoon espionage case was halted, an act Montgomery deemed detrimental to U.S. cyber defenses. Trump's initial actions also included freezes on foreign aid impacting cyber defenses for U.S. allies and halts on domestic cybersecurity funding, although some freezes were later rescinded. Montgomery supported taking aggressive offensive cyber measures against China to demonstrate U.S. cyber capabilities. The handling of Volt Typhoon, a Chinese espionage operation, was used as a specific example to advocate for offensive cyber actions to dismantle adversarial infrastructure. Despite criticism, Montgomery expressed cautious optimism about current strategies under National Security Advisor Mike Waltz, emphasizing the need for proactive measures against cyber threats.
2025-01-30 17:58:34 | bleepingcomputer | RANSOMWARE | Ransomware Attack Disrupts Operations at New York Blood Center
The New York Blood Center (NYBC) experienced a ransomware attack that caused disruptions and forced the rescheduling of donor appointments. NYBC is a crucial blood collection agency, serving over 75 million people and providing blood products and medical services to over 500 hospitals nationwide. The cybersecurity breach was detected on January 26 after NYBC noticed suspicious activity on its IT systems. Immediate actions included engaging cybersecurity experts for investigation and taking affected systems offline to contain the threat. Despite the attack, NYBC continues to accept donations but has had to cancel some appointments and blood drives due to ongoing operational disruptions. The ransomware attack came shortly after NYBC declared a blood emergency due to a significant drop in donations. The identity of the attackers and whether donor personal and health information was compromised remains undisclosed. NYBC emphasized its commitment to restoring services as swiftly and safely as possible, maintaining direct communication with hospital partners to manage the crisis.
2025-01-30 16:26:47 | thehackernews | NATION STATE ACTIVITY | Global Nation-State Threat Actors Leverage Google AI in Cyber Ops
Google has identified 57 distinct nation-state threat actors using AI for cyber and information operations. These actors are associated with China, Iran, North Korea, and Russia, primarily using AI to automate research, code troubleshooting, and content creation. Iranian APT group APT42 extensively uses Google's AI for phishing campaigns and reconnaissance on defense entities, making them the heaviest users. North Korean entities employ AI to draft employment-related documents, which likely aids in placing IT workers clandestinely in Western firms. Russian APT actors focus AI use on translating and encrypting malware, while Chinese groups use it for network reconnaissance and advanced hacking techniques. Google has observed the misuse of AI in creating uncensored content for phishing and BEC attacks, alongside counterfeit websites. Google stresses the importance of prompt injection defenses and advocates for stronger public-private partnerships to enhance cybersecurity measures.
2025-01-30 16:26:47 | bleepingcomputer | DATA BREACH | Chinese AI Firm Exposes Over a Million User Chats and Data
DeepSeek, a Chinese AI startup, inadvertently exposed two databases containing over a million plaintext user chats and sensitive operational information. The unsecured databases were found on subdomains that allowed unauthorized SQL queries without authentication, posing a severe security risk. Discovered by Wiz Research, the data exposure included chat logs, API keys, backend details, operational metadata, and potentially plaintext passwords. This exposure was critical as it left DeepSeek vulnerable to data theft and unauthorized access, which could lead to further system intrusions and data breaches. Despite the swift response from DeepSeek in securing the databases after being alerted by Wiz, concerns persist about the company's overall security posture. The incident raises additional privacy concerns, especially given DeepSeek's obligation to adhere to stringent government data access requests in China. DeepSeek had faced persistent cyberattacks earlier in the week, which even led to a temporary suspension of new user registrations.
2025-01-30 16:19:24 | bleepingcomputer | DATA BREACH | DeepSeek AI Exposes Sensitive Data, Endangering User Privacy
Chinese AI startup DeepSeek inadvertently made two databases public, revealing sensitive user history and operational data. Over a million log entries, including plaintext user interactions and API keys, were accessible without proper security measures. Security firm Wiz Research identified these unsecured databases, which allowed unrestricted SQL queries through two different web portals. The lack of security could have permitted attackers to fetch plaintext passwords, chat messages, and even proprietary information directly from DeepSeek's servers. It is unclear whether malicious actors accessed the databases before Wiz Research's notification. Following notification, DeepSeek swiftly restricted database access, though any exposure that occurred before access was restricted remains a concern. The incident underlines ongoing security issues for DeepSeek, compounded by its being based in China, where the government mandates strict data controls. Earlier in the week, DeepSeek experienced a series of cyberattacks, which led to the temporary suspension of new user registrations.
2025-01-30 15:17:50 | bleepingcomputer | MISCELLANEOUS | Comparing Cloud-Based RDP and VPN for Remote Work Security
Cloud-based Remote Desktop Protocol (RDP) solutions are emerging as superior alternatives to VPNs for secure remote access, minimizing organizational attack surfaces. Researchers revealed a significant unpatchable flaw in VPNs called TunnelVision, which could allow attackers to siphon off data undetected across all major OS platforms. VPNs increase risk by requiring open firewall ports and providing broad network access, potentially leading to extensive organizational damage if one account is compromised. Cloud-based RDP services, such as TruGrid SecureRDP, offer enhanced security features like multi-factor authentication and role-based access control without requiring inbound firewall exposure. The shift towards Zero Trust models and the inherent security weaknesses in VPNs, such as vulnerability to brute-force and ransomware attacks, make cloud-based RDP more appealing. Performance issues with VPNs, such as traffic congestion and latency, can be mitigated by using cloud-based RDP, which offers a more scalable and efficient solution. Cloud-based RDP services operate on a pay-as-you-go model, reducing upfront costs and resource requirements compared to traditional VPN solutions, which often require significant infrastructure investments.
2025-01-30 14:42:25 | bleepingcomputer | CYBERCRIME | New 'Syncjacking' Attack Uses Chrome Extensions to Hijack Devices
Researchers at SquareX have uncovered a new cyberattack method termed 'Browser Syncjacking,' which exploits Chrome extensions to gain control over devices. The attack begins by tricking victims into installing a malicious Chrome extension, purportedly useful, from the Chrome Web Store. Once installed, this extension manipulates the victim's browser to log into a managed attacker-created Google Workspace profile, prompting the user to enable Chrome's sync feature. When synchronization is enabled, the attacker gains access to all stored data on the browser, including passwords and browsing history. The attacker further escalates the attack by taking over the browser through a fake Zoom update that installs malware, giving full control over the victim's browser. This allows the attacker to execute various malicious activities, such as installing additional malware, redirecting to phishing sites, and accessing sensitive personal data and system resources like webcams. SquareX emphasizes the sophisticated nature of these attacks, highlighting their stealth and the minimal permissions and user interaction required to execute them, which makes them hard for an average user to detect.
2025-01-30 14:19:00 | theregister | RANSOMWARE | Ransomware Disruption at NYBCe Amid Critical Blood Shortage
New York Blood Center Enterprises (NYBCe) is currently grappling with a ransomware attack that began five days ago, disrupting their operations. Over 400 hospitals and healthcare facilities across 15 states depend on NYBCe for over a million blood products annually. The cyber breach was detected on January 26, leading NYBCe to engage external cybersecurity experts and notify law enforcement to address and contain the situation. NYBCe's response includes implementing alternative procedures to continue delivering essential services while working to safely restore their systems. The situation is compounded by a previously declared "blood emergency" due to a significant drop in blood donations and the ongoing national need for blood donors. The cyber incident has forced the cancellation of numerous blood drives and appointments, which are planned to be rescheduled. NYBCe continues to accept blood donations, though they advise of potential delays at collection points.
2025-01-30 13:49:35 | bleepingcomputer | CYBERCRIME | Major Cybercrime Forums Cracked and Nulled Taken Down in Police Raid
Europol and German law enforcement arrested two suspects and seized 17 servers under Operation Talent, targeting the Cracked and Nulled hacking forums. The operation led to the takedown of 12 domains associated with over 10 million users involved in cybercrime discussions and illicit activities such as password theft and cracking. Authorities also shut down services linked to these forums, including a financial processor and a hosting service. Over 50 electronic devices and roughly €300,000 in cash and cryptocurrency were seized during property searches. Seized data, including email addresses, IP addresses, and communication channels, will drive further international investigations into the criminal users of these platforms. The FBI changed the name servers of the seized domains to ns1.fbi.seized.gov and ns2.fbi.seized.gov as part of the domain seizures. Europol described the forums as one-stop shops that functioned both as discussion spaces and marketplaces for illegal goods, including stolen data and hacking tools. The seizure extends to multiple related services, impacting the broader network of illegal activities associated with these platforms.
2025-01-30 13:21:14 | thehackernews | CYBERCRIME | International Crackdown Disables Major Cybercrime Forum Domains
An international collaboration involving authorities from several countries, including Australia, France, Greece, Italy, Romania, Spain, the United States, and Europol, has seized multiple cybercrime forum domains. The operation, named Operation Talent, targeted popular online platforms like Cracked, Nulled, Sellix, and StarkRDP. Those attempting to access these forums are now met with a seizure banner, indicating that the domains and related information have been confiscated by law enforcement. Websites like Cracked and Nulled were known for providing hack tools and malware, including ScrubCrypt, which has been linked to the distribution of stealer malware. The maintainers of the Cracked forum confirmed the seizure on their Telegram channel and remarked that it was "a sad day" for their community. Seizing these domains is part of ongoing efforts to dismantle cybercrime networks and mitigate the distribution of illegal hacking tools and malware. Official announcements from the involved agencies regarding the details of the seizures are still pending.
2025-01-30 12:37:58 | thehackernews | CYBERCRIME | Critical Security Flaw in Lightning AI Studio Permits RCE
A critical vulnerability in Lightning AI Studio allowed remote code execution through a hidden URL parameter. Rated a CVSS score of 9.4, the flaw could enable attackers to execute commands with root privileges, posing a significant security risk. Researchers found a hidden "command" parameter that could pass Base64-encoded commands to be executed on the server. Potentially, attackers could exfiltrate sensitive information such as user tokens and personal data to an attacker-controlled server. Exploitation required knowledge of a profile username and associated studio details, which were publicly accessible. This vulnerability could lead to unauthorized data manipulation or deletion by threat actors. The Lightning AI team resolved the issue promptly following responsible disclosure procedures, patching the vulnerability by October 25, 2024. The incident highlighted the need for robust security practices in tools used for developing and deploying AI models.
2025-01-30 12:14:05 | theregister | DATA BREACH | UK Political Party Apps Criticized for Security and Privacy Flaws
The Open Rights Group (ORG) identified multiple security and privacy issues in canvassing apps developed for the UK's three major political parties. Labour's apps, including Reach, Doorstep, and Contact Creator, are linked to Experian, raising concerns about the transparency of data sharing. The Conservatives' Share2Win app stores sensitive credentials and lacks adequate privacy controls, increasing the risk of data breaches and unauthorized tracking. The Liberal Democrats' MiniVan app utilizes Google Firebase SDKs, potentially exposing sensitive data due to common misconfigurations. Findings highlighted in the report suggest that dependency confusion attacks and insecure data storage are prevalent across the applications analyzed. None of the political parties responded to inquiries about the findings, nor did they engage with ORG to address the potential vulnerabilities. The report was sent to the Information Commissioner's Office (ICO) for further review, pointing to a broader issue of data misuse and inadequate controls in political canvassing tools.
2025-01-30 12:07:15 | bleepingcomputer | CYBERCRIME | "Time Bandit" Exploit Bypasses AI Safeguards on Sensitive Topics
David Kuszmar discovered a flaw in ChatGPT, named "Time Bandit," which bypasses safety features to access restricted content. The exploit is based on causing "temporal confusion" in ChatGPT, tricking it into providing detailed instructions on creating weapons, malware, and other sensitive topics. Kuszmar faced significant challenges in reporting the vulnerability, with initial non-responsiveness from OpenAI leading him to escalate his concerns to BugCrowd, CISA, and the FBI. Despite Kuszmar's report and widespread verification attempts, OpenAI struggled to fully mitigate the flaw, acknowledging ongoing efforts to enhance model security. The "Time Bandit" exploit works by manipulating ChatGPT into a confused state about time, making it present sensitive information from a modern context as if it pertains to the past. OpenAI acknowledged the vulnerability and the researcher's effort in a statement, emphasizing their commitment to model safety and continuous improvement. Additionally, similar attempts to exploit Google's Gemini AI with "Time Bandit" were less successful, indicating varying levels of susceptibility among AI models.
2025-01-30 10:36:49 | thehackernews | MISCELLANEOUS | Enhancing SOC Efficiency with AI: Reducing Analyst Burnout
SOC analyst roles are increasingly strained, confronting a high volume of security alerts, many of which are false positives, leading to severe stress and turnover. AI is being leveraged by cyber adversaries to craft more sophisticated attacks, posing greater challenges for traditional SOC operations. New AI tools in SOCs are helping automate the triage process, significantly reducing the burden on human analysts and enabling them to focus on genuine threats. Features like natural language data querying and anomaly detection are streamlining the tasks of SOC teams, making it quicker and easier to identify and respond to threats. AI-powered SOC platforms also assist in maintaining full transparency and control over automated triage and remediation processes, ensuring a human-in-the-loop for final decision-making. The use of advanced AI tools like ChatGPT helps SOC analysts keep up-to-date with emerging threats, attack methods, and preventive measures. Implementing AI in SOC operations is leading to faster, more efficient, and more effective security management, which is crucial in an era of escalating cyber threats and sophisticated attack methodologies. New technologies allow for affordable storage solutions such as AWS S3, enabling rapid data querying without prohibitive costs, enhancing data availability for AI-driven analysis.