Daily Brief


Total articles found: 12806

Checks for new stories every ~15 minutes

2024-09-30 19:26:59 bleepingcomputer DATA BREACH T-Mobile Settles for $31.5 Million Over Multiple Data Breaches
T-Mobile agreed to a $31.5 million settlement with the FCC due to multiple data breaches that exposed personal information of millions of consumers. The settlement includes a $15.75 million investment in cybersecurity upgrades and an equal civil penalty to the U.S. Treasury. Breaches occurred across 2021, 2022, and 2023, including incidents involving API vulnerabilities and sales application breaches. T-Mobile commits to advanced security measures such as zero-trust architecture and multi-factor authentication to enhance data security. FCC Chairwoman Jessica Rosenworcel emphasized the importance of top-notch cybersecurity to protect sensitive consumer data. The FCC’s Privacy and Data Protection Task Force, a newly formed entity in 2023, played a crucial role in the investigation and settlement process. Recent FCC actions reflect ongoing efforts to enforce stricter data security standards among major U.S. telecom providers.
2024-09-30 19:26:59 bleepingcomputer MALWARE JPCERT Tips for Detecting Ransomware Using Windows Logs
JPCERT/CC has developed techniques to detect ransomware attacks through analysis of Windows Event Logs. The detection revolves around identifying specific log entries that indicate ransomware activity, which can aid in quick response to mitigate threats. The suggested logs to monitor include Application, Security, System, and Setup, which might reveal ransomware entry points and tactics. Common ransomware traces in Event Logs include errors like Event IDs 13 and 10016, indicating access issues related to ransomware activity. Monitoring logs is not foolproof but is essential for timely detection of ransomware before it spreads across a network. JPCERT/CC’s approach contrasts with older ransomware strains like WannaCry and Petya, which did not leave evident traces in Windows logs. This methodology is increasingly relevant given the evolution and sophistication of modern ransomware threats.
2024-09-30 14:25:12 bleepingcomputer CYBERCRIME AFP Experiences Disruptive Cyberattack Affecting Client Services
Global news agency AFP suffered a significant cyberattack that disrupted its IT and content delivery systems. The attack occurred on Friday and did not affect global news coverage but impacted services to AFP's clients. France's ANSSI and AFP's technical teams are collaboratively working to manage and mitigate the cyberattack's effects. Specific details on the nature of the cyberattack and the identity of the perpetrators remain undisclosed. Client-specific services like real-time news feeds and content archives may be currently compromised. AFP warned other media about potential compromises of FTP credentials, advising immediate password changes. This cyberattack is part of a series of recent high-impact cyber incidents across various sectors in France. No ransomware groups or other cybercriminals have yet claimed responsibility for the attack.
2024-09-30 13:45:04 theregister NATION STATE ACTIVITY Iran's Persistent Spearphishing Threats Target Global Elections
US and UK national security agencies warn of ongoing Iranian spearphishing campaigns targeting high-value individuals across various sectors. The Islamic Revolutionary Guard Corps (IRGC) is actively seeking access to sensitive data through social engineering and credential harvesting techniques. Government officials, journalists, activists, and senior researchers are identified as primary targets, vulnerable to impersonation attacks and deceitful tactics urging document access via malicious links. Spearphishing strategies by the IRGC include building rapport, impersonating trusted contacts, and manipulating two-factor authentication processes to gain unauthorized access. An advisory highlights the indicators of compromise and lists known malicious domains utilized by the IRGC, providing guidance on enhancing defensive measures. Individuals linked to Iranian and Middle Eastern affairs are especially urged to stay vigilant against suspicious activities and adopt robust cyber defense tools. The advisory coincides with the DoJ's indictment of three Iranian nationals for their roles in cyber breaches related to Donald Trump's 2024 re-election campaign, underscoring the severe implications of such infiltration. These incidents symbolize the broader strategic cyber threats posed by Iran, aligning with global intelligence concerns about election security in over 50 countries this year.
2024-09-30 13:24:58 thehackernews MISCELLANEOUS Key Cybersecurity Developments and Risks Highlighted Last Week
Discovered vulnerabilities in the Common Unix Printing System (CUPS) could potentially allow remote command execution on Linux systems. Google’s adoption of the Rust programming language has significantly reduced memory-related vulnerabilities in Android. Kaspersky's forced withdrawal from the U.S. market raises concerns and unanswered questions among its users. Security flaws were highlighted that could allow hijacking of Kia vehicles through exploitation of license plate data. Red Hat classified the CUPS vulnerabilities as Important, noting a low real-world impact due to the complexity of exploitation. Advice given to prevent data leaks includes enforcing policies against sharing with external AI services and employing DLP tools. The roundup stressed the importance of continuous vigilance and adaptation to counter evolving cybersecurity threats effectively, and emphasized cooperative efforts to forge a secure digital future by staying informed and prepared.
2024-09-30 12:44:39 theregister MISCELLANEOUS Study Reveals Bias and Inefficiency in Remote ID Verification Tech
The US General Services Administration (GSA) found significant reliability and bias issues in five tested remote identity verification (RiDV) technologies. Only two of the tested products demonstrated equitable performance across all demographic groups; others had notably higher error rates for certain demographics, including Black participants and individuals with darker skin tones. The worst-performing technology had a 50% false negative rate, while the best still failed 10% of the time, indicating a significant challenge in the effectiveness of current RiDV solutions. The study extends beyond previous research by evaluating the complete end-to-end process of RiDV, including user interface and document verification checks. None of the vendors were explicitly named in the GSA study; however, the associated privacy impact assessment listed companies like TransUnion and LexisNexis. LexisNexis acknowledged the study, emphasizing the need for a multi-layered identification approach rather than relying solely on visual identification. The final peer-reviewed results of the study are expected in 2025, which will provide further insights into the causes of errors and product performance. The GSA plans to use these study findings to enhance equity in technology deployment and improve public service delivery.
2024-09-30 12:04:29 thehackernews CYBERCRIME Critical Vulnerabilities in Tank Gauges Risk Global Infrastructure
Critical security flaws in Automatic Tank Gauge (ATG) systems could expose gas stations, airports, and military bases to severe risks of remote attacks, including physical and environmental damage. Six different ATG models from five manufacturers are affected by 11 new vulnerabilities, with eight classified as critical, allowing attackers full administrative and operating system access. Thousands of these ATGs are connected to the internet without adequate security, making these systems highly vulnerable to cyber threats. Additional vulnerabilities have been discovered in OpenPLC systems and the Riello NetMan 204 network card used in UPS systems, with some remaining unpatched. The AJCloud IP camera management platform also exhibited critical vulnerabilities that could compromise sensitive user data and camera control. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned of increasing threats to operational technology and industrial control systems that are accessible via the internet. New tools have been released by Claroty to aid in the forensic analysis of compromised programmable logic controllers (PLCs), which are frequently targeted in cyber-attacks. The exposure of operational technology (OT) systems to the internet is a significant risk, with many organizations employing multiple remote access tools that further complicate and extend attack surfaces.
2024-09-30 11:44:25 theregister CYBERCRIME Cloud Security Tops Executive Concerns, PwC Report Reveals
PwC's cybersecurity report identifies cloud threats as the primary security concern for 42% of business leaders. Other major concerns include hack and leak operations (38%), third-party breaches (35%), attacks on connected products (33%), and ransomware (27%), with ransomware concern rising to 42% among CISOs. Despite high levels of concern, companies feel underprepared to tackle these threats, with cloud attacks ranking highest in terms of unpreparedness at 34%. The use of generative AI is expanding the attack surface, with 67% of leaders indicating it increases vulnerability to cyberattacks. Regulatory pressures are driving improvements in cybersecurity practices, with 96% of leaders acknowledging that regulatory demands have enhanced their security measures. Investment in cybersecurity is on the rise, with 32% of organizations reporting a significant increase in the past year. The report emphasizes the need for an agile, enterprise-wide approach to resilience to maintain security and business continuity amidst evolving cybersecurity threats.
2024-09-30 11:24:19 thehackernews CYBERCRIME Modern Techniques in Session Hijacking and Bypassing MFA
Attackers are increasingly adopting session hijacking to circumvent multi-factor authentication (MFA) due to its effectiveness over traditional methods. Modern session hijacking targets cloud-based apps over the public internet, shifting from old Man-in-the-Middle (MitM) attacks that focused on local network traffic. This technique steals valid session elements like cookies and IDs to continue the session from an attacker-controlled device, effectively bypassing standard security controls such as encrypted traffic and VPNs. Attack motives include the ability to bypass authentication controls, navigate sprawling identities across multiple cloud apps, and utilize compromised sessions to access critical data or perform actions invisibly. Current phishing tools, Adversary-in-the-Middle (AitM) and Browser-in-the-Middle (BitM), and modern infostealers are popular in executing session hijacks, targeting both credentials and session cookies. The effectiveness of Endpoint Detection and Response (EDR) systems against infostealers varies, with many attackers managing to bypass these defenses, especially in BYOD scenarios. Organizations have limited capability to detect unauthorized session use due to variable app-level controls, making session hijacking a challenging issue for IT security. New defensive tactics, such as using unique browser markers for session identification, are being developed to better detect and mitigate unauthorized session hijacking.
2024-09-30 10:44:08 thehackernews CYBERCRIME Protecting Microsoft 365 from Ransomware and Cyber Threats
Microsoft 365 (M365) is crucial for productivity and collaboration, used by over 400 million users globally. M365's widespread adoption makes it a prime target for cyber threats such as ransomware, prompting the need for robust security measures. Cybercriminals exploit M365 via phishing, brute force attacks, and vulnerability exploitation, often targeting user accounts, including administrators, for greater access. To defend against these threats, organizations are recommended to implement multilayered security strategies, including Multi-Factor Authentication (MFA), role-based access controls, regular vulnerability assessments, and penetration testing. User awareness training is essential to equip employees with knowledge of the latest threats and prevention techniques. Real-time monitoring, activity logging, and the adoption of Zero Trust principles are suggested to enhance detection and prevention capabilities. Advanced phishing detection tools and automated backup and recovery solutions are crucial to mitigate and recover from ransomware attacks effectively. Backupify offers Microsoft 365 backup solutions, featuring daily automated backups and immutable storage, helping organizations ensure data integrity and swift recovery after cyberattacks.
2024-09-30 06:22:41 thehackernews DATA BREACH Meta Fined €91 Million for Mishandling User Passwords
The Irish Data Protection Commission (DPC) has fined Meta €91 million for violating GDPR rules by improperly storing user passwords in plaintext. The security lapse occurred in March 2019, and Meta disclosed it had stored user passwords in plaintext which were accessible to internal systems. The probe revealed Meta failed to notify the DPC promptly, did not document the data breach properly, and lacked sufficient technical measures to protect user data. Initial reports claimed Facebook passwords were exposed, but it was later revealed that Instagram passwords were also affected, impacting millions of users. Krebs on Security reported that about 2,000 Meta employees made nine million queries containing plaintext passwords, dating back to 2012. Meta responded by taking immediate corrective actions and claimed to have proactively communicated the issue to the DPC. The DPC emphasized the extreme sensitivity of passwords as they provide direct access to user accounts, highlighting the severe privacy implications of the breach.
2024-09-30 04:02:12 theregister MISCELLANEOUS AI Code Generators Often Create Nonexistent Software Packages
Recent studies highlight that AI models, particularly large language models (LLMs) used for generating code, often invent names for software packages that do not actually exist. This issue presents significant risks, as malicious actors could exploit these "hallucinated" package names by publishing packages under those names laden with malware. The research involved generating 576,000 code samples from 16 popular LLMs, which indicated an average hallucination rate of 5.2% in commercial models and 21.7% in open-source models. A concerning finding was that, out of 2.23 million packages analyzed, about 440,445 were determined to be hallucinations, illustrating the extent of the problem across different AI platforms. Mitigation strategies like Retrieval Augmented Generation and Supervised Fine-Tuning have been shown to reduce the rate of hallucinations, but at the cost of degrading overall code quality. Another study noted that as LLMs increase in size, they tend to provide more plausible but incorrect answers, suggesting a trade-off between model reliability and accuracy. The findings from these studies suggest a critical need to redesign AI systems to minimize errors, particularly in applications where accuracy and reliability are crucial.
2024-09-30 03:21:59 theregister MISCELLANEOUS Remote Car Hijacking Exploit Exposed by Security Researcher
Sam Curry uncovered a remote exploitation vulnerability affecting Kias, allowing hijackers to control aspects of the car using just a smartphone and the owner's license plate number. The exploit enabled attackers to track vehicles, start engines, unlock doors, and access onboard cameras remotely by registering as secondary, invisible users through a dealer web portal. Kia has since fixed the vulnerability, as confirmed by Curry, making the exploit inoperative with its latest updates. Separate incidents included a UK citizen charged by the SEC for hacking into companies to steal financial secrets, accumulating around $3.75 million. A ransomware attack on Monaco-based domain registrar Namebay disrupted mail and web hosting services. An unattributed cyberattack targeting a Kansas water treatment facility temporarily disrupted operations but failed to compromise the safety of the drinking water or steal customer data. TikTok and Meta responded to allegations of Russian influence in the upcoming U.S. elections by banning accounts linked to Russian government media outlets. The articles highlight multiple facets of cyber threats, from car hijackings to ransomware and nation-state interventions in infrastructure and social media.
2024-09-30 01:41:36 theregister CYBERCRIME Binance Assists in Dismantling Chinese Crypto Scam in India
Binance, a global cryptocurrency exchange, contributed to an investigation led by India's Enforcement Directorate, which resulted in the arrest of individuals involved in a crypto-related scam. The scam involved a gaming app named Fiewin, promoted as a legitimate platform for gamers to win real money but was primarily used for money laundering. The perpetrators, including one named Joseph Stalin, utilized Binance accounts to obscure the origins and movements of illicit funds by deploying numerous complex transactions. Binance's "deep cooperation" was pivotal in revealing the app's role within a broader cross-border criminal network. In related global tech news, SpaceX disclosed plans for a substantial investment in Vietnam totaling $1.5 billion, aiming to overcome previous regulatory challenges. Singapore introduced new Invincible-class submarines tasked with safeguarding its waters and protecting essential submarine communication cables connecting the island to the global network.
2024-09-29 16:59:20 theregister MISCELLANEOUS Red Team Hacker Shares Insight on Physical Security Breaches
Alethe Denis, senior security consultant at Bishop Fox, specializes in physical security assessments by impersonating various characters to reveal vulnerabilities. Denis successfully infiltrated a corporate building, utilizing credentials found from dumpster diving to install a device and exfiltrate data over the corporate Wi-Fi network for over a week undiscovered. Her role involves extensive social engineering, mainly through in-person interactions, taking advantage of lax physical security measures. Red team operations highlight the effectiveness of human-based social engineering over AI-assisted methods in current scenarios. Denis employs tactics like email phishing disguised as company policies or surveys which lead to credential harvesting sites. Despite preparation, Denis and her team occasionally face setbacks, as illustrated by an encounter with an experienced security manager who foiled their plan. Denis emphasizes the importance of questioning and verification in preventing voice-phishing and other social engineering attacks. The red team's goal, according to Denis, is not only to test system vulnerabilities but also to improve awareness and defense against actual malicious attacks.