Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12823
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-01-20 05:29:10 | theregister | DATA BREACH | Scholastic Data Breach Exposes Millions of Customer Records | Scholastic, a major publisher of children's books, including the U.S. editions of the Harry Potter series, was recently added to the Have I Been Pwned database after a data breach.
A hacker identified as "Parasocial" accessed Scholastic's employee portal using stolen credentials from an employee infected with malware.
Approximately 8 million data items were exfiltrated, including over 4 million unique email addresses, names, phone numbers, and addresses, primarily from U.S.-based customers.
The breach prominently affected educational contacts such as teachers and administrators, with more than one million records compromised.
The hacker stated they were motivated by boredom and claimed to have no intention of selling or misusing the stolen data.
Scholastic has initiated an investigation with third-party cybersecurity experts to ascertain the extent of the breach and implement stronger security measures.
The incident underscores the critical need for robust security practices, including the use of multifactor authentication (MFA) to prevent similar breaches in the future. | Details |
| 2025-01-20 03:32:54 | theregister | MISCELLANEOUS | Food Delivery Apps Impacting Health in Indonesia: Study Finds | A University of Bonn study indicates food delivery apps in Indonesia significantly increased BMI, especially among wealthier, employed individuals from 2015 to 2018.
The increase in BMI was most notable in cities and among those with higher incomes and more education.
Despite negative impacts on obesity, usage of these "superapps" like Grab and Gojek also correlated with reduced underweight populations and boosted consumption of healthier food options such as fruits and meats.
Alibaba Cloud expanded its Kubernetes Cloud Container Compute Service globally, aiming to decrease Kubernetes operational costs by up to 55%.
The U.S. Treasury sanctioned entities and individuals from China and North Korea for alleged cyber-crimes, including a campaign known as Salt Typhoon.
U.S. and India signed a Memorandum of Understanding to enhance cybercrime cooperation and broaden their investigative capabilities against various crimes.
Vietnam implemented tax collection measures targeting transactions by international tech companies like PayPal and Airbnb to improve tax authority efficiency.
Amazon has acquired Indian BNPL service Axio, which powers its local ecommerce operations, indicating a strategic expansion into consumer credit services in India. | Details |
| 2025-01-20 00:20:59 | theregister | NATION STATE ACTIVITY | Trump Proposes U.S. Government Own Half of TikTok to Secure Operations | U.S. president-elect Donald Trump has suggested the U.S. government should acquire 50% of TikTok's operations in the U.S. as part of a national security strategy.
TikTok, a social media service owned by Chinese company ByteDance, was set to shut down in the U.S. due to the Protecting Americans from Foreign Adversary Controlled Applications Act, which cited national security risks.
The Supreme Court upheld the law, rejecting TikTok's appeal that it infringed on free speech rights.
Trump has promised, upon inauguration, to issue an executive order allowing TikTok to operate for an additional 90 days to facilitate a deal ensuring U.S. ownership.
Trump's plan includes forming a joint venture with U.S. investors to manage TikTok's U.S. operations, asserting this solution would benefit national security and the platform’s valuation.
TikTok expressed gratitude towards Trump's intervention, which temporarily restored its services and provided assurance to service providers regarding legal penalties.
The future of TikTok’s operations and ownership remains uncertain with no evident interested buyers and unclear financial viability due to ByteDance's opaque registrations and financial disclosures. | Details |
| 2025-01-19 19:05:53 | theregister | DDOS | OpenAI's ChatGPT Misused for Potentially Unintended DDoS Attacks | OpenAI's ChatGPT API has been found vulnerable to DDoS attacks where it can be tricked into flooding a targeted website with excessive network requests.
Security researcher Benjamin Flesch reported that manipulating the "urls" parameter in an HTTP POST request can cause ChatGPT’s crawler to overload a site with repeated hits.
The crawler, named ChatGPT-User, does not deduplicate URLs or limit the number of hyperlinks in a request, enabling thousands of requests to be sent within seconds to a single site.
Victims of such attacks would see these requests as coming from multiple IP addresses, making it difficult to defend against using traditional IP blocking methods.
According to Flesch, OpenAI has not responded to reports sent through various official channels including BugCrowd and HackerOne.
The API also exhibits vulnerabilities to prompt injection, allowing unintended interactions beyond its primary purpose of fetching website data.
Flesch criticizes the lack of simple, effective security measures well-established in software development to prevent such abuses, questioning the capabilities of the AI agent handling requests. | Details |
| 2025-01-19 16:59:26 | bleepingcomputer | NATION STATE ACTIVITY | Trump Intervenes to Temporarily Save TikTok Amid U.S. Shutdown | TikTok was shut down in the U.S. following a Supreme Court ruling that upheld a law banning the app due to national security concerns.
The shutdown may be temporary as President Trump announced he would issue an executive order to extend the deadline for TikTok to secure a U.S. buyer by 90 days.
Trump's proposed order also aims to eliminate liability for any company that assisted TikTok in operating before the order takes effect.
The president suggested a plan where the U.S. government, together with another buyer, would take over more than 50% of TikTok to allow it to continue operations in the U.S.
TikTok and other related apps by ByteDance were removed from the Google and Apple app stores.
Trump's intervention offers a potential lifeline, hinting at continued efforts to negotiate a deal that addresses security concerns while keeping the app available in the U.S.
Despite the app's inoperability, the TikTok website remains active, allowing U.S. users to download data and view content. | Details |
| 2025-01-19 15:28:22 | bleepingcomputer | NATION STATE ACTIVITY | Russian Hackers Target Diplomats via WhatsApp Phishing Scam | Russian nation-state hackers, identified as Star Blizzard, are impersonating U.S. officials in a spear-phishing campaign targeting diplomats.
The hackers use a fraudulent WhatsApp group invitation to breach the accounts of officials in government, defense, and aid organizations.
The phishing emails contain a defective QR code intended to provoke a response; the hackers then send a malicious link disguised as a legitimate WhatsApp invite.
Responding and scanning the QR code from the link allows hackers to link their device to the victim's WhatsApp, gaining access to messages and data.
Microsoft highlights the campaign's reliance on social engineering, which skirts typical antivirus detections.
This activity follows a disruption in October 2024, when Microsoft and the U.S. DOJ temporarily hampered Star Blizzard's operations.
Users are advised to verify suspicious communications and regularly check for unknown devices linked to their WhatsApp accounts. | Details |
| 2025-01-19 05:30:33 | thehackernews | NATION STATE ACTIVITY | U.S. Implements TikTok Ban Following Supreme Court Ruling | The U.S. government enforced a ban on TikTok starting January 19, 2025, following a Supreme Court decision.
The ruling required ByteDance to divest TikTok due to national security concerns about potential data manipulation by the Chinese government.
Existing TikTok users in the U.S. cannot access the app, and no new downloads are allowed from official app stores.
The Supreme Court cited risks of foreign adversary control and substantial personal data collection by TikTok as reasons for the ban.
The U.S. White House insisted that TikTok can only remain operational in the U.S. under American ownership or an entity that can mitigate national security threats.
Despite the ban, indications suggest a potential 90-day reprieve once the new U.S. presidency begins.
The TikTok ban has driven American users towards other Chinese social media platforms, potentially counteracting the intended effects of the legislation.
The Electronic Frontier Foundation criticized the decision, arguing that only comprehensive consumer privacy legislation can effectively protect data privacy. | Details |
| 2025-01-18 06:11:03 | thehackernews | NATION STATE ACTIVITY | U.S. Imposes Sanctions on Chinese Firms for Treasury Cyberattack | The U.S. Treasury has sanctioned a Chinese cybersecurity company and a Shanghai-based cyber actor for their alleged roles in hacking Treasury systems.
These sanctions are in response to intrusions attributed to the Silk Typhoon group, which has links to China's Ministry of State Security (MSS).
Silk Typhoon is accused of exploiting security vulnerabilities in Microsoft Exchange Server, an attack affecting over 400 Treasury computers and resulting in the theft of highly sensitive data.
The compromised data included sensitive policy documents, organizational charts, and material related to U.S. sanctions and foreign investments.
High-profile U.S. officials, including the Secretary of the Treasury, were among those whose computers were accessed.
The sanctions also target Sichuan Juxinhe Network Technology Co., implicated in cyber attacks against major U.S. telecom and internet service providers.
This move is part of a broader U.S. effort to combat cyber threats, which includes potential rewards for information leading to the identification of foreign state-sponsored cyber actors. | Details |
| 2025-01-17 22:10:23 | theregister | NATION STATE ACTIVITY | FCC Enforces Security Measures Against Foreign Espionage in Telcos | The FCC has issued a ruling under CALEA section 105, mandating telecom carriers to secure their networks against unlawful interceptions, effective immediately.
This move is a response to recent breaches by Chinese espionage operations named Salt Typhoon, which compromised major U.S. telcos like AT&T and Verizon.
Salt Typhoon exploits involved accessing subscriber locations, monitoring internet traffic, and recording phone communications using surveillance systems originally intended for U.S. law enforcement.
The FCC's action includes proposals requiring communication providers to develop, implement, and annually certify comprehensive cybersecurity and risk management plans.
The U.S. Treasury Department has imposed sanctions on individuals and a company involved in the Salt Typhoon intrusions, highlighting a direct governmental response to these breaches.
FCC Chair Jessica Rosenworcel emphasized the need for updated rules reflecting current threats and ensuring stronger protections against state-sponsored cyberattacks.
CISA Director Jen Easterly remarked on the significance of the FCC's measures in bolstering national telecommunications infrastructure security against ongoing cyber threats. | Details |
| 2025-01-17 20:29:13 | theregister | NATION STATE ACTIVITY | Biden Issues Comprehensive Cybersecurity Order as Presidency Ends | In his final days as U.S. President, Joe Biden signed a wide-ranging cybersecurity executive order addressing topics like secure software development, AI-enhanced cyber defense, and stringent sanctions on ransomware criminals.
The directive comes in response to a year marked by increased cyber threats from nation-states such as China and Russia, as well as significant disruptions caused by ransomware attacks on U.S. healthcare facilities.
Key focuses of the order include enhancing the security of federal communications networks, requiring software providers to adhere to higher security standards, and using AI to bolster national cyber defenses.
Enforcing stricter procurement policies, the order mandates that software vendors supplying to the government prove their adherence to secure development practices, potentially clashing with Trump's deregulatory stance.
The executive order also emphasizes the need for more robust federal network security, advocating for phishing-resistant authentication methods and quicker threat sharing among agencies.
However, several industry experts express concerns about both the timeline and the content of the executive order, particularly around the insufficient emphasis on continuous monitoring for zero-day vulnerabilities and end-to-end encryption for data privacy.
The implementation of digital ID documents to counter fraud raised privacy concerns and doubts about the government's capability to stay ahead of evolving cyber threats. | Details |
| 2025-01-17 20:18:52 | bleepingcomputer | DATA BREACH | Otelier Data Breach Compromises Millions of Hotel Guest Records | Otelier, a cloud-based hotel management platform, confirmed a data breach involving unauthorized access to its Amazon S3 cloud storage.
Personal information and reservation details of guests from major hotel brands like Marriott, Hilton, and Hyatt were stolen, amounting to approximately 7 TB of data.
The breach, initiated in July 2024 through stolen employee credentials from an Atlassian server, allowed continued data access until October.
Marriott confirmed the impact of the breach on its operations, prompting suspension of automated services interacting with Otelier.
Threat actors attempted to extort Marriott by demanding cryptocurrency, exploiting the belief that the compromised S3 buckets were owned by Marriott.
Otelier has engaged cybersecurity experts for a comprehensive forensic analysis and has taken measures to enhance security and prevent future breaches.
The exposed data includes names, addresses, emails, and phone numbers, but crucially, billing information and passwords were reportedly not compromised.
Users are advised to remain vigilant for phishing attacks, as personal information is now susceptible to such exploitation. | Details |
| 2025-01-17 19:17:59 | bleepingcomputer | MALWARE | Malicious PyPi Package Targets Discord Developers, Steals Tokens | A rogue Python package named 'pycord-self' on PyPI was designed to steal Discord developers' auth tokens and implant a backdoor.
The malicious package mimics the popular 'discord.py-self' library but adds hostile functions.
Analysis by Socket revealed the package was added in June of the previous year and has been downloaded 885 times.
The malevolent package sends stolen Discord tokens to an attacker-controlled URL, compromising account security.
It also sets up a backdoor, enabling attackers to control the infected machine through a remote server configured on port 6969.
Socket advises software developers to verify package sources thoroughly and scrutinize code to avoid such security threats.
Despite being malicious, 'pycord-self' is still listed on PyPI, highlighting issues with platform verification processes. | Details |
| 2025-01-17 18:37:23 | theregister | DATA BREACH | Fortinet Confirms Legitimacy of Leaked FortiGate Configs by Belsen Group | Fortinet acknowledged that the FortiGate configuration data leaked by the Belsen Group was stolen during a 2022 zero-day attack.
The data includes IP addresses, firewall rules, and some plaintext passwords, covering approximately 15,000 devices.
The leaked files were organized by country, but notably excluded any configurations from Iran, with minimal representation from Russia.
Most of the exposed entities were small and medium-sized businesses, with a few larger corporations and some unidentified government entities also affected.
Belsen Group, only registered this month on a cybercrime forum, misrepresented the leak as a recent event, despite the data being stolen years prior.
Fortinet advises that devices running updated firmware versions or patched post-October 2022 have a reduced risk, but still urges all users to reassess their security measures.
Newly mentioned zero-day vulnerabilities towards the end of 2024 indicate an ongoing security challenge for Fortinet, emphasizing the importance of vigilant cybersecurity practices. | Details |
| 2025-01-17 17:21:27 | theregister | NATION STATE ACTIVITY | Supreme Court Upholds TikTok Ban, Major Implications for U.S. Users | The U.S. Supreme Court has affirmed a law demanding TikTok detach from its Chinese parent company ByteDance or face a ban.
The unanimous decision reflects national security concerns regarding Chinese data collection rather than freedom of speech issues.
Scheduled enforcement of the ban is set for January 19th, following a rapid and unanimous verdict by the Supreme Court.
Although the ban's enforcement mechanism is in place, confusion remains as incoming President Trump may not support the immediate enforcement.
President Trump, who had previously attempted to ban TikTok, is reportedly exploring options to allow TikTok to continue operating in the U.S. through American ownership.
Free speech advocates expressed disappointment, arguing that the ban imposes a significant limitation on free speech with minimal substantiation on security threats.
The possibility remains open for a last-minute deal or a directive that could potentially keep TikTok operational in the U.S., pending negotiation of ownership changes approved by Beijing. | Details |
| 2025-01-17 17:00:55 | bleepingcomputer | NATION STATE ACTIVITY | U.S. Sanctions Chinese Entities for Hacking Telecom and Treasury | The U.S. Treasury has sanctioned Yin Kecheng, a Shanghai-based hacker linked to China's MSS, for his involvement in hacking the Treasury's network.
Yin, with a decade-long career in cyber activities, played a role in compromising the Department of Treasury’s Departmental Offices network through a zero-day vulnerability.
Sichuan Juxinhe Network Technology Co., a Chinese cybersecurity firm, is also sanctioned due to direct ties with the state-backed Salt Typhoon hacker group.
Salt Typhoon has been implicated in breaches of major U.S. telecom and internet providers to snoop on high-profile communications.
These entities, linked to the MSS, used sophisticated methods including exploiting zero-day vulnerabilities and received strong national backing.
The sanctions block all U.S. property and financial assets of the implicated parties and prohibit any transactions with them without OFAC's approval.
This move follows similar actions against other Chinese firms and is part of ongoing efforts to counter state-sponsored cyber activities targeting U.S. interests. | Details |