Daily Brief

Articles are listed below, each followed by a generated summary

Total articles found: 12820

Checks for new stories every ~15 minutes

2024-11-06 06:59:30 thehackernews DATA BREACH South Korea Fines Meta $15.67M for Sharing User Data
South Korea's Personal Information Protection Commission (PIPC) fined Meta 21.6 billion won (about $15.67 million) for unlawfully collecting and sharing sensitive personal data. Meta profiled roughly 980,000 South Korean Facebook users without their consent, using signals such as the pages they liked and the ads they clicked to infer religious beliefs, political views and sexual orientation, and made those categories available to about 4,000 advertisers for targeted advertising. The commission also faulted Meta's identity-verification process, which it said was weak enough to let malicious actors gain access to inactive accounts and the personal data behind them. The PIPC said it will monitor Meta's compliance with its corrective orders; Meta said it would review the decision carefully.
2024-11-06 05:37:53 thehackernews CYBERCRIME Google Cloud to Mandate Multi-Factor Authentication by 2025
Google Cloud will require multi-factor authentication (MFA) for every Google Cloud account by the end of 2025. The rollout is phased and is being communicated to enterprises in advance so they can plan deployments: users who still sign in with a password alone first receive reminders and guidance, password sign-ins then require MFA, and finally federated users must also present MFA, either at their identity provider or as an additional factor on their Google account. Google says the change targets phishing and credential theft, which remain the most common route to unauthorized access. Amazon Web Services and Microsoft Azure have announced similar MFA mandates. The move also follows Snowflake's push to enforce MFA after a 2024 campaign in which attackers used stolen credentials to log in to customer accounts that had no second factor; a suspect in that campaign has since been arrested.
2024-11-06 02:34:23 theregister NATION STATE ACTIVITY China's Volt Typhoon Suspected in Prelude to US Telecom Attacks
Chinese state-backed hackers tracked as Volt Typhoon reportedly breached Singapore Telecommunications (Singtel). The intrusion, detected in June, is assessed to have been a rehearsal for attacks on U.S. telecommunications networks. Volt Typhoon is known for pre-positioning inside critical infrastructure, including communications, energy, transport and water systems, and the Five Eyes agencies (U.S., Canada, UK, Australia and New Zealand) have assessed that its goal is disruptive or destructive access rather than traditional espionage. A separate Chinese group, Salt Typhoon, has been linked to recent intrusions at major U.S. carriers including Verizon, AT&T and Lumen Technologies, and reportedly targeted phones associated with figures in the U.S. presidential race. Beijing denies that Volt Typhoon exists and rejects the Western governments' accusations. Singtel said it maintains robust cybersecurity practices and responds to threats as they arise.
2024-11-06 00:06:46 theregister CYBERCRIME Nokia Source Code and Credentials Reportedly Stolen and Sold
IntelBroker, a prolific seller of stolen data, claims to have taken source code and other sensitive material from Nokia by compromising a third-party contractor working with the company. The haul is said to include source code, SSH keys, RSA keys, Bitbucket credentials and SMTP account details, and the theft was reportedly a joint effort with another actor, EnergyWeaponUser. IntelBroker listed the data for sale on BreachForums, asking for serious buyers only. Nokia says it is investigating to establish whether, and how far, the claim is true. If accurate, the incident shows how a supplier's access can expose a customer's software supply chain without the customer's own network being breached. It is the second such claim by the pair, following a similar one involving Cisco. BreachForums remains active despite repeated law-enforcement takedowns.
2024-11-05 21:53:59 theregister CYBERCRIME Schneider Electric Hit by Ransomware; $125K in Baguettes Demanded
Schneider Electric is investigating a breach in which the ransomware group Hellcat says it stole more than 40 GB of data. The attackers got into Schneider's internal Atlassian Jira instance, the platform it uses to track project execution, and took data including projects, issues and plugins. Hellcat demanded $125,000, facetiously denominated in baguettes rather than cryptocurrency, and threatened to leak customer and operational data if unpaid. Schneider says its products and services are unaffected because the Jira platform is hosted in an isolated environment. This is the company's third breach in under two years, after earlier incidents attributed to other ransomware crews, and it lands in the first days of new CEO Olivier Blum's tenure.
2024-11-05 20:31:55 theregister CYBERCRIME Kansas Bank CEO Sentenced for $47 Million Cryptocurrency Scam
Shan Hanes, former CEO of Heartland Tri-State Bank in Elkhart, Kansas, was sentenced to 24 years in prison for embezzling $47 million, a sum that exceeded the bank's total capital and caused it to fail. Hanes was himself drawn into a "pig butchering" cryptocurrency scam and fed it by wiring funds out of the bank and by taking money from the Elkhart Church of Christ and the Santa Fe Investment Club. Kansas regulators stepped in after a tip from the bank's chief financial officer; investigators found that Hanes's standing in the bank and the community had discouraged employees from reporting the suspicious transfers. The FBI has recovered about $8 million, which is being returned to local investors, and the U.S. Attorney's Office credited the bureau for uncovering the fraud and securing that partial restitution.
2024-11-05 20:11:11 bleepingcomputer MISCELLANEOUS Google Cloud Enforces Mandatory Multi-Factor Authentication by 2025
Google will make multi-factor authentication (MFA) mandatory for all Google Cloud accounts by the end of 2025. The requirement rolls out in phases through 2025 and covers administrators and anyone else with access to Google Cloud services; it applies to Google Cloud only, not to consumer Google accounts. Roughly 30% of Google Cloud users do not yet use MFA. They will first receive reminders, then be required to enable MFA when signing in with a password in early 2025, and by the end of 2025 federated users will also need MFA, either at their identity provider or as an extra Google-side factor. Google cites research that accounts with MFA are 99% less likely to be compromised, and points to options such as passkeys, which use device biometrics or a PIN, to keep the change from disrupting users.
2024-11-05 18:59:16 bleepingcomputer CYBERCRIME Interpol Arrests 41 in Global Cybercrime Crackdown Operation
Interpol's Operation Synergia II, run from April to August 2024 with law enforcement from 95 countries, led to 41 arrests and took down 1,037 servers used for ransomware, phishing and information-stealing operations. Investigators identified roughly 22,000 malicious IP addresses and took about 76% of them offline; 59 servers and 43 electronic devices were also seized for forensic analysis. Private-sector partners including Group-IB and Kaspersky contributed intelligence that helped identify more than 30,000 suspicious IPs. Investigations continue into another 65 suspects. Interpol noted a rise in generative AI being used to craft phishing lures and a roughly 70% increase in the use of infostealer malware, which frequently provides the initial access for ransomware, and stressed that only coordinated international action can keep pace with cross-border cybercrime.
2024-11-05 18:38:34 theregister CYBERCRIME Increasing BEC Scams via DocuSign API Exploitation
Business email compromise (BEC) scammers are using DocuSign's Envelope API to generate and send fraudulent signature requests at scale. They register legitimate DocuSign accounts, modify templates to imitate e-sign requests from well-known brands, and send the envelopes through DocuSign itself, so the messages originate from DocuSign's own infrastructure and pass the sender-reputation and spam checks that would catch a spoofed email. Once a victim signs, the scammer uses the same API to push invoices and payment requests to many targets. The FBI's 2023 figures put BEC losses for U.S. businesses at about $2.9 billion, likely an undercount because embarrassed victims do not report. Wallarm, which reported the abuse, says it has grown over recent months and that DocuSign's response suggests no quick fix. DocuSign has published an incident-reporting guide and advises verifying the sender's email address and any payment details before acting.
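Because these envelopes arrive from DocuSign's real infrastructure, sender-domain authentication does not help; what a mail gateway or SOC can still check is whether the DocuSign account that sent the envelope plausibly belongs to the brand the document claims to be from. The triage below is an added example, not code from the Register article, Wallarm or DocuSign: the vendor-to-domain allowlist, the keyword lists, the scoring weights and the three sample envelopes are all constructed for illustration and would need tuning to an organisation's own vendor list.

```python
"""Heuristic triage of e-signature requests for brand-impersonation BEC.

Added example; the vendor list, keyword lists and weights are assumptions.
"""
import re
from dataclasses import dataclass, field

# Brands the organisation actually does business with, mapped to the sender
# domains that legitimately issue envelopes on their behalf (assumed list).
KNOWN_VENDORS = {
    "paypal": {"paypal.com"},
    "norton": {"norton.com", "nortonlifelock.com"},
    "acme supplies": {"acmesupplies.example"},
}
FREEMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "proton.me"}
PAYMENT_RE = re.compile(
    r"\b(wire|ach|routing|iban|swift|remit(?:tance)?|bank account)\b", re.I)
URGENCY_RE = re.compile(
    r"\b(urgent|immediately|within 24 hours|final notice|suspend(?:ed|sion)?)\b", re.I)


@dataclass
class Envelope:
    sender_name: str    # display name of the DocuSign account that sent it
    sender_email: str   # email address of that DocuSign account
    subject: str
    body: str


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def action(self) -> str:
        if self.score >= 50:
            return "quarantine"
        if self.score >= 20:
            return "review"
        return "deliver"


def sender_domain(email: str) -> str:
    return email.rsplit("@", 1)[-1].strip().lower()


def triage(env: Envelope) -> Verdict:
    v = Verdict()
    text = f"{env.sender_name}\n{env.subject}\n{env.body}"
    domain = sender_domain(env.sender_email)
    # Core signal of this scam: a known brand is named, but the account that
    # sent the envelope is on a domain that brand never uses.
    for brand, domains in KNOWN_VENDORS.items():
        if re.search(rf"\b{re.escape(brand)}\b", text, re.I) and domain not in domains:
            v.score += 50
            v.reasons.append(f"mentions '{brand}' but sent from {domain}")
    if domain in FREEMAIL:
        v.score += 15
        v.reasons.append(f"sender account on free webmail domain {domain}")
    if PAYMENT_RE.search(text):
        v.score += 20
        v.reasons.append("contains payment or banking instructions")
    if URGENCY_RE.search(text):
        v.score += 10
        v.reasons.append("uses urgency language")
    return v


# Constructed sample envelopes (not real messages).
SPOOF = Envelope("PayPal Billing Dept", "paypal.billing.desk@gmail.com",
                 "Action required: invoice 44921",
                 "Your account will be suspended. Wire the balance immediately "
                 "to the routing number below.")
LEGIT = Envelope("Acme Supplies AR", "ar@acmesupplies.example", "Q4 invoice",
                 "Please sign the attached invoice. Remittance to the account on file.")
NEUTRAL = Envelope("Jane Doe", "jane@partner.example", "NDA for signature",
                   "Please review and sign the NDA.")

if __name__ == "__main__":
    for env in (SPOOF, LEGIT, NEUTRAL):
        v = triage(env)
        print(f"{env.sender_email:35} score={v.score:3} action={v.action:10} {v.reasons}")
```

A genuine invoice from a known vendor still lands in "review" because it carries payment language; that is deliberate, since the out-of-band verification of payment details that DocuSign recommends is the control that actually stops the fraud, and the score only decides who has to do it.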
2024-11-05 17:16:35 thehackernews NATION STATE ACTIVITY FBI Calls for Public Aid to Identify Hackers in Global Cyber Espionage
The FBI is asking the public for information on Chinese hackers behind years of intrusions into edge devices and the networks behind them. The activity, which Sophos documents under the name "Pacific Rim", began with broad exploitation of Sophos firewalls and, from 2021, narrowed to targeted attacks on government, military and critical-infrastructure organisations, chiefly in South and Southeast Asia, including nuclear energy facilities and airports. The intrusions are attributed to groups including APT31, APT41 and Volt Typhoon and linked to Chinese educational and research institutions, with the attackers deploying custom malware and exploiting zero-day vulnerabilities to exfiltrate data. Later tooling includes Asnarök, Gh0st RAT and the Pygmy Goat backdoor, which give the attackers persistent, hard-to-detect control of compromised devices; the UK's National Cyber Security Centre published an analysis of Pygmy Goat noting its sophistication and its capacity for further modification. Sophos says it countered the intrusions with defensive measures on affected devices and has published detailed analyses of the exploits used.
2024-11-05 16:30:42 theregister CYBERCRIME Typosquatting Attack Targets Developers via Popular npm Packages
An ongoing campaign is publishing typosquatted npm packages whose names are a character or two away from popular JavaScript libraries such as puppeteer and husky, to trick developers into installing them. The packages carry information-stealing malware and, unusually, retrieve their command-and-control address from an Ethereum smart contract rather than from a hard-coded domain, so taking down a server or sinkholing a domain does not cut the malware off. Phylum and Socket counted roughly 287 typosquatted packages impersonating libraries with millions of weekly downloads; the campaign dates to October. Checkmarx found packages built to run on Windows, Linux and macOS and aimed at developer workstations, and advises strict controls over package installation and verification of testing utilities before they are added to a project.
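The two signals in the story that can be checked before a package ever runs are its name, which sits one or two edits from a library the developer meant to type, and its install-time behaviour: lifecycle hooks, and a blockchain client library showing up in something that claims to be a dev or test utility. The gate below is an added example, not code from the Register article or from Phylum, Socket or Checkmarx. The popular-package list, the sample manifests, the library names treated as anomalous and the edit-distance thresholds are assumptions chosen for illustration; it goes beyond the article by also catching a popular name reused under an npm scope.

```python
"""Pre-install gate for npm manifests: near-miss names and install hooks.

Added example; the popular list, thresholds and sample manifests are assumptions.
"""
import re

POPULAR = {"puppeteer", "husky", "jest", "lodash", "express", "react", "axios", "chalk"}
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Commands that fetch or evaluate code while npm install is running.
FETCH_EXEC_RE = re.compile(r"\b(curl|wget|node\s+-e|eval|Invoke-WebRequest)\b", re.I)
# Blockchain client libraries are a strong anomaly in a test/dev utility; the
# campaign used one to resolve its C2 address from a smart contract.
CHAIN_LIBS = {"ethers", "web3", "viem"}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def unscoped(name: str) -> str:
    """'@scope/pkg' -> 'pkg'; unscoped names are returned unchanged."""
    return name.split("/", 1)[1] if name.startswith("@") and "/" in name else name


def typosquat_candidates(name: str, popular=POPULAR):
    """Popular packages this name could be mistaken for, as (target, distance).

    Distance 0 means the popular name is reused verbatim under a scope.
    """
    base = unscoped(name).lower()
    if base in popular:
        return [] if base == name else [(base, 0)]
    hits = []
    for target in popular:
        max_d = 1 if len(target) <= 5 else 2   # one edit already covers a lot on short names
        d = levenshtein(base, target)
        if 0 < d <= max_d:
            hits.append((target, d))
    return sorted(hits, key=lambda t: (t[1], t[0]))


def audit_manifest(manifest: dict) -> list:
    """Return human-readable findings for one package.json dict."""
    name = manifest.get("name", "")
    findings = []
    for target, d in typosquat_candidates(name):
        if d == 0:
            findings.append(f"{name}: reuses popular package name '{target}' under a scope")
        else:
            findings.append(f"{name}: name is {d} edit(s) from popular package '{target}'")
    scripts = manifest.get("scripts") or {}
    deps = set(manifest.get("dependencies") or {}) | set(manifest.get("devDependencies") or {})
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if cmd is None:
            continue
        findings.append(f"{name}: runs '{hook}' at install time: {cmd}")
        if FETCH_EXEC_RE.search(cmd):
            findings.append(f"{name}: '{hook}' fetches or evaluates code")
    chain = deps & CHAIN_LIBS
    if chain and any(h in scripts for h in LIFECYCLE_HOOKS):
        findings.append(f"{name}: install hook combined with blockchain client {sorted(chain)}")
    return findings


# Constructed sample manifests (not real packages).
SUSPICIOUS = {
    "name": "pupeteer",
    "version": "1.0.3",
    "scripts": {"postinstall": "node setup.js"},
    "dependencies": {"ethers": "^6.0.0"},
}
CLEAN = {"name": "lodash", "version": "4.17.21"}

if __name__ == "__main__":
    for m in (SUSPICIOUS, CLEAN):
        print(m["name"], audit_manifest(m) or "no findings")
```

Run this over every `node_modules/*/package.json` after a dry-run install (`npm install --ignore-scripts`) and fail the build on any finding; the `--ignore-scripts` flag is what keeps the hook from running before the check does.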
2024-11-05 16:24:58 bleepingcomputer NATION STATE ACTIVITY U.S. Warns of Russian and Iranian Election Influence Operations
In a joint statement, ODNI, the FBI and CISA warn that Russian and Iranian actors are running influence operations aimed at the upcoming U.S. presidential election. Russian operations concentrate on swing states and push false claims of election fraud to undermine confidence in the result, using fabricated articles and videos designed to stoke fear and suggest the country is on the edge of political violence. Iran's efforts are smaller in scale but use similar tactics, spreading false stories to suppress turnout and encourage violence. The FBI cited videos in which threat actors misused the bureau's insignia to spread false claims about voter safety and rigged voting. The agencies also note Iran's continued interest in retaliating against U.S. officials it holds responsible for the killing of a senior Iranian military commander. CISA and the FBI say election infrastructure remains secure and that contingency plans cover operational disruptions such as power outages.
2024-11-05 15:23:02 bleepingcomputer DATA BREACH Arrest Made in Massive Snowflake Customer Data Theft Case
Canadian authorities have arrested Alexander "Connor" Moucka at the request of the United States over the theft of data from Snowflake customer accounts; he has appeared in court and proceedings continue. The investigation by Snowflake, Mandiant and CrowdStrike found that the attackers logged in with customer credentials harvested by infostealer malware, some of them years old, and that none of the compromised accounts had multi-factor authentication enabled. The campaign began in April 2024 and hit AT&T, Ticketmaster and others, exposing records on hundreds of millions of people; Mastercard, NBC Universal and Capital One are also named among the victims. Snowflake has since moved to enforce MFA and a longer minimum password length, with MFA on by default for new accounts from October 2024.
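The pattern behind this campaign, a valid password presented with no second factor from an address the organisation does not own, is visible after the fact in Snowflake's login history. The audit below is an added example, not code from the BleepingComputer article or from Snowflake, Mandiant or CrowdStrike. The CSV is constructed sample data whose column names follow Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view (FIRST_AUTHENTICATION_FACTOR, SECOND_AUTHENTICATION_FACTOR, IS_SUCCESS, CLIENT_IP and so on); the corporate egress range is an assumption.

```python
"""Audit a LOGIN_HISTORY export for password-only logins and users who never
present a second factor.

Added example; the CSV is constructed and the egress allowlist is an assumption.
"""
import csv
import io
from ipaddress import ip_address, ip_network

# Constructed sample export (not real data). Columns mirror
# SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY.
SAMPLE_LOGIN_HISTORY = """\
EVENT_TIMESTAMP,USER_NAME,CLIENT_IP,REPORTED_CLIENT_TYPE,FIRST_AUTHENTICATION_FACTOR,SECOND_AUTHENTICATION_FACTOR,IS_SUCCESS
2024-04-14T02:11:09Z,ETL_SVC,203.0.113.7,PYTHON_DRIVER,PASSWORD,,YES
2024-04-14T02:12:40Z,ETL_SVC,203.0.113.7,PYTHON_DRIVER,PASSWORD,,YES
2024-04-15T23:02:55Z,ALICE,203.0.113.7,OTHER,PASSWORD,,YES
2024-04-16T09:30:01Z,ALICE,198.51.100.20,SNOWFLAKE_UI,PASSWORD,DUO,YES
2024-04-16T11:45:12Z,BOB,198.51.100.21,SNOWFLAKE_UI,SAML2,,YES
2024-04-16T11:50:00Z,MALLORY,203.0.113.7,OTHER,PASSWORD,,NO
"""

# Assumed corporate egress range; logins from elsewhere are "external".
CORPORATE_EGRESS = [ip_network("198.51.100.0/24")]


def from_allowlisted_ip(ip: str, allowlist=CORPORATE_EGRESS) -> bool:
    try:
        addr = ip_address(ip)
    except ValueError:
        return False          # unparseable address is treated as external
    return any(addr in net for net in allowlist)


def audit_login_history(csv_text: str, allowlist=CORPORATE_EGRESS) -> dict:
    password_only = set()     # users seen logging in with a password and nothing else
    used_mfa = set()          # users who presented a second factor at least once
    external_password_logins = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["IS_SUCCESS"] != "YES":
            continue          # failed attempts are a different (brute-force) question
        user = row["USER_NAME"]
        first = row["FIRST_AUTHENTICATION_FACTOR"]
        second = row["SECOND_AUTHENTICATION_FACTOR"]
        if second:
            used_mfa.add(user)
            continue
        # SAML2 and key-pair logins carry no second factor in this view; the
        # IdP or the private key is the control, so only PASSWORD is flagged.
        if first != "PASSWORD":
            continue
        password_only.add(user)
        if not from_allowlisted_ip(row["CLIENT_IP"], allowlist):
            external_password_logins.append({
                "time": row["EVENT_TIMESTAMP"],
                "user": user,
                "ip": row["CLIENT_IP"],
                "client": row["REPORTED_CLIENT_TYPE"],
            })
    return {
        "external_password_only_logins": external_password_logins,
        "users_never_using_mfa": sorted(password_only - used_mfa),
    }


if __name__ == "__main__":
    report = audit_login_history(SAMPLE_LOGIN_HISTORY)
    for hit in report["external_password_only_logins"]:
        print("password-only login from outside corp:", hit)
    print("users never using MFA:", report["users_never_using_mfa"])
```

In the sample, the service account ETL_SVC never uses MFA and logs in with a password from an unknown address; that is the profile of the accounts hit in this campaign, and the fix for service accounts is key-pair authentication rather than a password, while human users get MFA enforced through an authentication policy.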
2024-11-05 14:31:04 theregister CYBERCRIME Washington State Courts Hit by Statewide IT Outage Due to Unauthorized Activity
A statewide IT outage caused by "unauthorized activity" has disrupted services at courts across Washington. The Washington State Administrative Office of the Courts (AOC) took systems offline as a precaution, says it has secured them, and is working to restore service, warning of intermittent impacts while it does. The AOC has not formally called the incident a cyberattack. Superior and municipal courts are affected to varying degrees, with some operating at minimal capacity; case management, online payments and court record searches are among the services down. Outside specialists are assisting, but there is no timeline for full restoration. Courts in California have reported cybersecurity-related disruptions in the same period, though no connection between the incidents has been established.
2024-11-05 14:31:03 bleepingcomputer NATION STATE ACTIVITY Google Patches Two Zero-Days in Targeted Android Exploits
Google's November 2024 Android security update fixes two vulnerabilities that were under limited, targeted exploitation: CVE-2024-43047, a use-after-free in Qualcomm's DSP service that allows privilege escalation and was disclosed by Qualcomm, and CVE-2024-43093, a privilege-escalation flaw in the Android Framework's Documents UI component whose fix is also delivered through Google Play system updates. Google has not said who discovered the exploitation of the Framework bug. The bulletin addresses 51 vulnerabilities in total; the only one rated critical is another flaw in Qualcomm's closed-source components. Fixes are split across two patch levels, one for core Android and one for vendor components, and ship for Android 12 through 15. Users should install the update from system settings; Android 11 and earlier no longer receive regular security patches, though some fixes may still arrive through Google Play system updates.
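The split into two patch levels matters for anyone checking a fleet: the November bulletin places Framework fixes, including the Documents UI bug, under the 2024-11-01 level and Qualcomm and other vendor fixes, including the DSP bug, under 2024-11-05, so a device reporting 2024-11-01 has only one of the two exploited bugs fixed. The check below is an added example, not code from the BleepingComputer article or from Google; it reads the two properties a device exposes (`ro.build.version.release` and `ro.build.version.security_patch`, as returned by `adb shell getprop`) from constructed records, and the device list is invented.

```python
"""Classify devices against the November 2024 Android patch levels.

Added example; the device records are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

FRAMEWORK_LEVEL = date(2024, 11, 1)   # includes the CVE-2024-43093 (Documents UI) fix
VENDOR_LEVEL = date(2024, 11, 5)      # includes the CVE-2024-43047 (Qualcomm DSP) fix
SUPPORTED_MAJORS = {12, 13, 14, 15}   # versions the bulletin ships fixes for


@dataclass
class Device:
    device_id: str
    android_version: str   # ro.build.version.release, e.g. "14" or "12L"
    security_patch: str    # ro.build.version.security_patch, "YYYY-MM-DD"


def parse_patch_level(value: str) -> Optional[date]:
    try:
        return date.fromisoformat(value.strip())
    except ValueError:
        return None


def major_version(release: str) -> Optional[int]:
    """'14' -> 14, '12L' -> 12, '10.0' -> 10; None if unparseable."""
    digits = "".join(ch for ch in release.split(".")[0] if ch.isdigit())
    return int(digits) if digits else None


def assess(dev: Device) -> str:
    major = major_version(dev.android_version)
    if major is None or major not in SUPPORTED_MAJORS:
        return "unsupported"     # no bulletin fixes for this release at all
    level = parse_patch_level(dev.security_patch)
    if level is None:
        return "unknown"
    if level >= VENDOR_LEVEL:
        return "patched"
    if level >= FRAMEWORK_LEVEL:
        return "partial"         # Framework zero-day fixed, Qualcomm DSP one not
    return "vulnerable"


def audit(devices) -> dict:
    return {d.device_id: assess(d) for d in devices}


# Constructed fleet export (not real devices).
FLEET = [
    Device("pixel-01", "15", "2024-11-05"),
    Device("tab-07", "13", "2024-11-01"),
    Device("kiosk-12", "12L", "2024-10-05"),
    Device("legacy-03", "11", "2024-11-05"),
    Device("bad-data", "14", "n/a"),
]

if __name__ == "__main__":
    for device_id, status in audit(FLEET).items():
        print(f"{device_id:10} {status}")
```

The "unsupported" bucket is the one that tends to be forgotten: a device on Android 11 reporting a recent-looking patch date has not received these fixes, because the bulletin does not cover that release.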