Daily Brief

Microsoft President Brad Smith testified before Congress, acknowledging the company's security shortcomings and defending its operations in China. The U.S. government, including the White House and Congress, are urged to take action to prevent further security breaches linked to Microsoft, leveraging tools from executive orders to revised federal spending. A Homeland Security report criticized Microsoft for "avoidable errors" that allowed Chinese-backed cyberspies to access sensitive U.S. government emails via Microsoft's Exchange Online. Despite the risks, Smith claimed Microsoft is not compelled by Chinese law to hand over data or provide governmental snooping services, a statement met with skepticism by some members of Congress. Discussions highlighted the potential national security threats due to the U.S. government's heavy reliance on Microsoft for cloud infrastructure, operating systems, and security products. There are calls for an independent evaluation of security tools offered by Microsoft and potentially exploring other vendor options to enhance cybersecurity diversity and effectiveness. Senators have questioned the Pentagon's continued investment in Microsoft products despite these security issues, suggesting a reassessment of contractual decisions with the company. The ongoing debate emphasizes the need for a robust government strategy to ensure software accountability and secure procurement practices at the federal level.

Stanford Internet Observatory (SIO), known for highlighting social media disinformation, is undergoing management changes and staff reductions. The restructuring follows the departure of research director Renee DiResta and amidst legal pressures from conservative groups critiquing the organization's role in online speech moderation. Despite these changes, a Stanford spokesperson affirmed that SIO will not disband but will continue its mission, focusing areas such as child safety but reducing its focus on election misinformation. The changes occur during crucial political periods in both the US and UK, raising questions about the timing and impact on election integrity research. Last year, SIO faced significant pressure from the Subcommittee on the Weaponization of the Federal Government, which demanded documents related to their moderation activities. SIO's involvement in the Election Integrity Partnership and the Virality Project targeted it for lawsuits and legal scrutiny, alleging violation of First Amendment rights due to perceived government collaboration in censorship. These legal and political challenges have led to substantial legal costs for Stanford, as well as concerns over the chilling effects on freedom of inquiry and academic research integrity.

Keytronic, a large PCBA manufacturer, confirmed a data breach following a ransomware attack by the Black Basta group. The cyberattack occurred on May 6, disrupting operations and causing Keytronic to shut down facilities in the U.S. and Mexico for two weeks. The attack led to the theft of 530GB of sensitive data, including HR, finance, and engineering information, as well as personal details such as employees' passports and social security cards. Keytronic disclosed in an SEC filing that the breach will materially impact their financial condition in the fourth quarter of 2024, with already $600,000 spent on external cybersecurity responses. The company is in the process of notifying affected parties and regulatory agencies as required, following the new SEC guidelines. The Black Basta ransomware operation, believed to include former members of the Conti group, has claimed responsibility for this and several other significant breaches in various sectors.

Meta has paused its AI training plans using European user data following concerns from European data protection agencies, particularly led by Ireland. The decision prevents Meta from utilizing Facebook and Instagram posts from EU citizens to train its large language models (LLMs), claiming this will delay AI advancements and offerings in Europe. Meta expressed disappointment, stating this move contradicts their efforts to incorporate regulatory feedback and could hinder European technological innovation. However, European Data Protection Commissioner and privacy advocates have welcomed this decision, with continued engagement planned to address data usage and privacy concerns. Meta intended to use only public posts for AI training and had included options for European users to opt out, which were not made available to non-EU users. Without EU data, Meta argues its AI won't effectively understand regional languages or cultural contexts, resulting in a compromised service quality for European users. Meta has committed to ongoing collaboration with European regulators, including resolving specific issues raised by the UK's Information Commissioner’s Office. The decision has broader implications for AI development policies, emphasizing the need for privacy assurance in the early stages of technological development.

Mozilla Firefox has introduced a feature in version 127 that requires device credentials to access stored passwords in its browser's password manager. This security update necessitates the use of biometrics, system passwords, or pins, preventing unauthorized access to credentials during local or remote device access. The security feature aligns Firefox with other browsers like Google Chrome and Microsoft Edge, which already employ similar authentication measures for accessing saved login details. Although this update secures the password manager from unauthorized physical access, it does not protect against information-stealing malware that can decrypt stored credentials. Mozilla recommends setting a Primary Password as an added layer of security, which encrypts the password database and is solely known to the user. Despite enhanced protections, the Primary Password can still be brute-forced, making it crucial to use a long and complicated password to enhance security. Firefox's implementation helps in balancing user convenience with increased security measures for managing web credentials.

A Nigerian, Ebuka Raphael Umeti, was convicted by the U.S. Department of Justice for his role in a $1.5 million business email compromise (BEC) scam. Alongside two alleged co-conspirators, Umeti utilized social engineering and malicious software to defraud companies through deceptive emails. The scammers successfully extracted $571,000 from a New York wholesaler and $400,000 from a Texan metal supplier by impersonating legitimate business entities. Starting in 2020, the group expanded their operations to include malware developed by a new participant, Saudi national Mohammed Naji Mohammedali Butaish. Umeti and his Nigerian accomplice, Franklin Ifeanyichukwu Okwonna, were arrested in January 2023 and found guilty, while the third accomplice remains at large due to lack of extradition treaty with Saudi Arabia. Umeti faces up to 102 years in prison, though actual sentencing might be less severe; sentencing is scheduled for late August 2023.

Last week, a ransomware attack by Synnovis, affecting multiple London hospitals, forced over 800 operations and 700 outpatient appointments to be cancelled. The attack, attributed to the Qilin ransomware operation, occurred on June 3, severely disrupting the affected hospitals' pathology services. While emergency departments remained operational, many procedures dependent on pathology services had to be postponed. NHS England warns that the disruption could persist for months, with Synnovis focusing on recovery efforts to restore IT functionality gradually. The attack has exacerbated existing challenges in the healthcare system, leading to a shortage of blood supplies, particularly types O-positive and O-negative, essential for urgent medical procedures. The rise in ransomware activities, including the recent increase in Qilin attacks, underscores ongoing threats to global healthcare infrastructure and the need for enhanced cybersecurity measures. Despite the initial downtime of Qilin's leak site post-attack, it is now back online, with the gang yet to officially claim responsibility for the breach.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has flagged a severe Windows flaw, CVE-2024-26169, as being exploited in ransomware attacks. This vulnerability in the Windows Error Reporting service allows attackers to gain SYSTEM permissions without user interaction, classified as a zero-day due to its active exploitation. Microsoft issued a fix for this issue on March 12, 2024, though not initially labeled as exploited in the security advisory. Investigations by Symantec attribute the exploitation of this vulnerability to the Black Basta ransomware group, noting the use of exploit tools dating back to December 2023. The Cybersecurity agency has given Federal Civilian Executive Branch Agencies (FCEB) a July 4 deadline to secure their systems against this vulnerability, under directive BOD 22-01. Beyond federal agencies, all organizations are strongly encouraged to patch this flaw due to its potential to facilitate widespread ransomware attacks. Black Basta, identified as a significant threat, has been responsible for over 500 organizational breaches and extorted at least $100 million in ransoms.

Nagaraju Kandula, a former employee of National Computer Systems (NCS), was sentenced to two years and eight months in prison for deleting 180 virtual servers. Kandula pleaded guilty to the act, which was driven by spite after being terminated from his job due to poor performance. The malicious activity caused significant financial damage to NCS, amounting to approximately $678,000. Kandula had retained access to the company’s systems due to NCS’s oversight in not invalidating his credentials post-termination. Over several months, he accessed the NCS system multiple times, testing and eventually executing a script that wiped the servers. The servers involved were primarily used for quality assurance within software testing, preventing a compromise of sensitive information. This incident underscores the critical need for companies to secure their systems against former employees by immediately revoking access and changing passwords.

Nagaraju Kandula, a former quality assurance employee at National Computer Systems (NCS), was sentenced to 2.5 years in prison for deleting 180 virtual servers. Kandula, angered by his termination due to poor performance, took revenge by using his still-active company credentials to sabotage the Singapore-based IT firm. His unauthorized access between January and March 2023 enabled him to test and execute a script that wiped the servers on March 18-19, causing an estimated $678,000 in damages. The deleted servers belonged to a software testing environment, and the incident reportedly resulted in no leakage of sensitive information, minimizing the potential additional risks. The incident underscores the importance of revoking access rights and updating passwords immediately after an employee is dismissed to prevent potential security breaches. Police tracked down Kandula through the IP address associated with the sabotaging activities; his laptop and the malicious script were seized upon his arrest. This case highlights the catastrophic consequences of not adequately securing administrative credentials post-employee termination.

Scattered Spider, also known as Octo Tempest and other aliases, has shifted focus to stealing data from SaaS applications and setting up persistent access through the creation of new virtual machines. The group utilizes advanced social engineering, including SMS phishing and account hijacking, predominantly targeting corporate help desk agents to manipulate access controls and gain sensitive information. Mandiant’s report highlights the gang's transition from ransomware to data extortion without system encryption, expanding their operations to a broader range in industries and organizations. The hackers escalate privileges using compromised accounts to abuse SaaS applications, leveraging tools like Okta for single sign-on to deepen their access within victim environments. Scattered Spider uses innovative tactics for persistence and data extraction, such as configuring new virtual machines to disable security features and utilizing cloud syncing tools across platforms like AWS and GCP. They also engage in reconnaissance using client SaaS applications and launching attacks such as the Golden SAML to maintain persistent cloud-based application access. Mandiant advises strengthening monitoring of SaaS platforms, re-evaluating virtual machine infrastructure management, and improving MFA and VPN policies to protect against similar sophisticated cyber-attacks.

Ukraine's Security Service dismantled infrastructure that broke into soldiers' devices to deploy spyware, controlled by pro-Russia operatives. Operatives used SIM farms to send phishing SMS and spread spyware, allowing control over data and communications from infected devices. A woman in Zhytomyr managed over 600 mobile numbers under direct Russian instructions, paid in cryptocurrency for spying and spreading propaganda. A separate man in Dnipro handled around 15,000 social media accounts using Ukrainian SIM cards, selling access on dark web forums primarily to Russian intelligence. These cyber operations aimed to gather military intelligence, control narrative through propaganda, and instigate social engineering attacks including the use of dating sites and social media. Only the Dnipro man has been detained so far, while the woman has been notified of suspicion under Ukraine’s laws correlating to misuse of computers. Simultaneously, Kyiv police detained a key member of ransomware gangs, indicating ongoing intense cybercrime and links to Russian operations in Ukraine.

Google's Privacy Sandbox initiative, intended to replace third-party tracking cookies, has been criticized by Austrian privacy nonprofit noyb for still enabling user tracking. Noyb's complaint to the Austrian data protection authority asserts that Google disguises tracking as a privacy improvement within its own browsers. Despite Google’s claims of enhancing user privacy, noyb argues Google uses deceptive tactics to gain user consent for first-party ad tracking. Privacy Sandbox aims to limit third-party data sharing while still permitting advertisements tailored to individual users through Google’s own tracking technology. Delays in the implementation of Privacy Sandbox have occurred as Google adjusts to feedback from regulators and developers, with a full transition proposed for early next year. Google faces accusations of utilizing dark patterns to increase acceptance of its tracking methods, thereby misleading users into thinking they are opting into privacy-enhancing features. Noyb challenges Google’s right to collect data without full, informed consent, claiming this practice still violates regional data protection laws despite being less invasive than third-party cookies. Google defends Privacy' Sandbox as a significant advancement in privacy, promising to seek balanced solutions for all stakeholders involved.

Globe Life discovered a breach in one of its web portals potentially exposing consumer and policyholder data. The breach was identified during a review of access permissions and user identity management, prompted by an inquiry from a state insurance regulator. Immediate actions included shutting down external access to the compromised portal to mitigate further unauthorized access. Globe Life has engaged external security experts to remedy the breach and fully assess its nature, scope, and impact. The company has activated its incident response plan in response to the discovery of the breach. Operations other than the affected portal remain functional, and the overall impact on Globe Life’s business operations is currently deemed insignificant. Ongoing investigation efforts are underway, with the complete implications of the incident still being determined.

Industry leaders are convening in a webinar to address the challenges of securing petabyte-scale data. The webinar focuses on strategies for protecting vast and constantly changing data environments. As data growth accelerates, businesses of all sizes face the necessity of advanced data security. Participants will learn about continuous attack surface discovery, penetration testing, and red teaming. The discussion is tailored for CISOs, security engineers, IT professionals, and business leaders responsible for data security. The event is a platform for sharing real-world experiences and solutions from top field experts. Registration is open for those seeking to enhance their strategies in managing and securing large-scale data assets.