Daily Brief
Find articles below; see 'DETAILS' for generated summaries
Total articles found: 11823
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-05-13 08:35:31 | theregister | MISCELLANEOUS | Debunking Encryption Myths and Addressing Youth Online Safety | Europol criticized Meta for its use of end-to-end encryption (E2EE), claiming it hides child sexual abuse material (CSAM), yet no statistical evidence supports this assertion. Critics argue against weakening E2EE, saying that doing so would be detrimental and that no viable secure alternative exists. A report from Dublin City University discusses how social platforms like TikTok and YouTube Shorts target teens with harmful content through their algorithms. Public discourse includes propositions such as banning mobile phones for under-16s and imposing strict usage limits similar to measures in China, despite their practical and ethical implications. These discussions are part of a broader concern about a supposed crisis in youth mental health, attributed by some to increased screen time, though such claims are contested by various professionals. The narrative that urgent action is needed to safeguard youth often overlooks the potential negative impacts of suggested interventions. Experts suggest improving the situation by fixing harmful algorithms and enhancing parental controls on devices rather than imposing restrictive measures. | Details |
| 2024-05-13 06:22:50 | thehackernews | MALWARE | Malicious Python Package Uses Steganography to Conceal C2 Malware | Cybersecurity experts discovered a malicious Python package named requests-darwin-lite imitating the popular requests library and embedding a Golang version of the Sliver C2 malware. The malware is ingeniously hidden within a PNG image of the library's logo, using a steganographic method. The fake package had been downloaded 417 times before its removal from the Python Package Index (PyPI). It targets specific systems by proceeding with the infection chain only if a pre-set Universally Unique Identifier (UUID) matches, hinting at either a highly targeted attack or a preparatory step for a broader campaign. The deceptive package modifies the setup.py file to decode and execute a Base64-encoded command that collects the system's UUID. Unlike the original requests library logo file, which is 300 kB, the malicious PNG image in the compromised package is about 17 MB, containing hidden binary data. This incident underscores the ongoing vulnerabilities within open-source ecosystems and emphasizes the need for systematic security strategies to protect against such malware infiltration. | Details |
| 2024-05-13 02:49:13 | theregister | CYBERCRIME | ASEAN Faces Rising Cyber Threats; Cloudflare Enhances Security | ASEAN organizations are experiencing an increase in cyber threats across various industries. A July 2023 Cloudflare whitepaper highlights that 78% of surveyed cybersecurity professionals faced at least one incident over the past year. The majority (76%) noted a rise in the frequency of these security incidents, with many reporting multiple events. The complexity of cybersecurity is growing due to the hybrid working model and distributed IT infrastructure. Cloudflare's comprehensive solution, "Everywhere Security," offers unified threat management across cloud-native platforms. The company's platform aims to simplify cybersecurity, integrating services such as Zero Trust, application protection, and email security. Cloudflare's extensive network helps apply real-time threat intelligence, enhancing threat visibility and reducing alert redundancies. The initiative aligns with the ASEAN Digital Masterplan 2025, promoting secure, transformative digital services across the region. | Details |
| 2024-05-13 02:23:22 | theregister | DATA BREACH | Proton Mail Shares User Data with Law Enforcement Again | Encrypted email provider Proton Mail handed over personal identifying information of users to law enforcement. After revealing IP addresses in 2021, Proton Mail has attracted criticism for not fully upholding its privacy claims. Recently, Proton provided a user's recovery email to Spanish police, aiding in tracking activities related to Catalan separatism. The US Patent and Trademark Office admitted a second data leak in two years, exposing 14,000 patent applicants' private addresses. Google addressed an exploited vulnerability in Chrome, highlighting the need for users to update their browsers. LockBit ransomware continues to pose a threat by disrupting critical services in Wichita, Kansas, despite law enforcement pressures. Proton clarifies that while it offers privacy by default, it does not guarantee anonymity; user details can be disclosed if legally compelled. | Details |
| 2024-05-12 20:07:39 | theregister | CYBERCRIME | Ransomware Negotiator Reveals New Criminal Tactics and Challenges | Ransomware activities reached peak levels last year, with over 4,500 victims identified across 60 criminal gangs. Drew Schmitt, a professional ransomware negotiator, discussed evolving ransomware tactics and the complexities of incident response. Schmitt emphasizes that his team focuses on threat actor communication and risk advisement, not solely on facilitating ransom payments. Debate continues regarding whether ransom payments should be banned, amidst growing use of coercive tactics by ransomware gangs. Law enforcement efforts to combat ransomware gangs have shown some success, indicating that no group is entirely immune to takedowns. Some ransomware entities, like ALPHV, experience significant disruptions, while others like LockBit might only be temporarily impacted. Schmitt advocates for a multifaceted approach to combat ransomware, including incentives for improved security measures rather than just a payment ban. There's discussion about potentially regulating ransomware negotiators and broader legal strategies in managing ransomware incidents. | Details |
| 2024-05-12 14:17:03 | bleepingcomputer | DATA BREACH | Firstmac Warns of Major Data Breach by New Cyber-Extortion Group | Firstmac Limited, a key Australian non-bank financial firm, reported a significant data breach, with over 500GB of customer data potentially compromised. The breach announcement came a day after the Embargo cyber-extortion group claimed responsibility and leaked the data online. Firstmac is a prominent mortgage lender in Australia that manages $15 billion in mortgages and has served over 100,000 home loans. The breached data includes potentially sensitive information, although Firstmac reassured customers that their accounts and funds remain secure. Enhanced security measures, including two-factor authentication for account changes, have been implemented following the incident. Firstmac is offering free identity theft protection services to affected customers and advises vigilance against unsolicited communication. The exact nature of the Embargo group is still unclear, with no prior ransomware activity confirmed and uncertainty about their operations in data breaches. | Details |
| 2024-05-11 17:18:01 | theregister | CYBERCRIME | Rising Cybersecurity Threats Against Global Critical Infrastructure | Almost 75% of critical infrastructure companies faced a ransomware attack last year. Claroty CEO Yaniv Vardi emphasizes the increasing trend of both physical and digital attacks on crucial networks. Critical infrastructure includes essential systems like power lines, internet cables, and water control technologies. The threats are escalating due to the rapid pace of connectivity outstripping security measures. Vardi advocates for stronger public-private cooperation and stricter governmental regulations. He highlights that suppliers of software and hardware must be held more accountable to enhance security. The need for comprehensive defense strategies is urgent as the vulnerability of critical infrastructures heightens. | Details |
| 2024-05-11 15:21:00 | bleepingcomputer | DATA BREACH | Massive Data Leak Affects 26 Million From News Site Hack | The Post Millennial, a conservative Canadian news magazine, was hacked, leading to data leaks impacting nearly 27 million people. Hackers defaced the website, posting false messages attributed to editor Andy Ngo and sharing links to the stolen data, which included personal information of writers, editors, and subscribers. The leaked data includes highly sensitive details such as IP addresses, physical addresses, emails, phone numbers, and plaintext passwords. The information was reportedly sourced from The Post Millennial and various mailing lists used in different campaigns, some not directly managed by the news site. Cybersecurity expert Troy Hunt added the data to the Have I Been Pwned service to help notify affected individuals, though the exact source of the data remains unconfirmed. The Post Millennial has yet to release an official statement about the breach, and efforts to obtain comments from them and associated media groups have been unsuccessful. Individuals potentially impacted are advised to reset passwords, monitor account activities, and be cautious of unsolicited communications in any form. | Details |
| 2024-05-11 14:09:45 | bleepingcomputer | MALWARE | Black Basta Ransomware Impacts Over 500 Global Organizations | Black Basta ransomware affiliates have compromised over 500 organizations globally, including sectors critical to infrastructure. The attacks targeted entities across North America, Europe, and Australia, encrypting and exfiltrating data. Notable victims include high-profile companies such as Rheinmetall, Hyundai Europe, and Capita, as well as institutions like the Toronto Public Library. After the Conti group's disbandment in 2022, Black Basta is speculated to be a spin-off or rebrand, possibly linked to other Russian cybercrime groups. This gang has amassed at least $100 million in ransoms from more than 90 victims as of late 2023. CISA and FBI provided tactical recommendations for organizations to defend against such ransomware attacks, emphasizing the need for updated systems, secure remote access, and phishing-resistant MFA. Specific advisories were issued to healthcare organizations, highlighting their vulnerability due to operational dependence on technology and sensitive data access. Recent suspected Black Basta involvement in a ransomware attack on Ascension's systems underscored the accelerating threat against the healthcare sector. | Details |
| 2024-05-11 12:48:25 | bleepingcomputer | DATA BREACH | Europol Investigates Data Breach, No Operational Impact Reported | Europol confirmed a breach in its Europol Platform for Experts (EPE), following claims by threat actor IntelBroker. The breach reportedly involves stolen For Official Use Only (FOUO) documents; however, Europol states no operational data was jeopardized. The EPE portal, used for sharing non-personal crime data, was offline for maintenance following the incident. IntelBroker claims access to sensitive data from various Europol communities, including personal information from the EC3 SPACE database containing 9,128 records. The hacker markets the stolen data exclusively in exchange for the cryptocurrency Monero (XMR), emphasizing a sale to only reputable members. IntelBroker's previous attacks include breaches at U.S. government agencies and large corporations, demonstrating a pattern of targeting significant entities. Europol has initiated an investigation into the extent of the breach and taken preliminary measures to further secure its systems. | Details |
| 2024-05-11 12:38:02 | bleepingcomputer | DATA BREACH | Europol's Expert Platform Hacked, Classified Data Allegedly Stolen | Europol confirmed a breach of its Europol Platform for Experts (EPE), with no operational data compromised. Threat actor IntelBroker claims to have stolen For Official Use Only (FOUO) documents and personal data from the platform. The breach affected non-operational platforms, including EPE and EC3 SPACE, used by global law enforcement experts. IntelBroker is known for previous government and private sector breaches and is now selling stolen EPE data on hacking forums. At publication time, EPE's website was offline for maintenance following the breach reveal. IntelBroker's claims include access to communities with sensitive cybercrime data and over 6,000 member profiles. The leaked data reportedly includes personal details of law enforcement agents and information used in cross-border criminal investigations. Europol is currently assessing the situation and conducting an ongoing investigation into the extent of the data breach. | Details |
| 2024-05-11 07:38:05 | thehackernews | MALWARE | FIN7 Exploits Google Ads to Deliver Malware and RATs | FIN7, a financially motivated cybercrime group, has been deploying NetSupport RAT by spoofing Google advertisements to mimic reputable brands. Microsoft observed that the malicious MSIX files used in these ads can bypass defenses like Defender SmartScreen, prompting Microsoft to disable the MSIX protocol handler. eSentire reported that these attacks involve showing fake browser extension pop-ups that deceive users into downloading malicious MSIX packages, which deploy PowerShell scripts for malware. The PowerShell scripts executed are designed to gather system information, contact remote servers, and subsequently install the NetSupport RAT and additional malware. These tactics mark a significant shift for FIN7, which originally targeted point-of-sale systems and has since diversified to ransomware and now malvertising attacks. Other malware identified in the cyberattack chain includes DICELOADER, which is executed via a Python script. There is a noticeable shift toward targeting corporate users and exploiting business relations through deceptive malvertising and credential theft. | Details |
| 2024-05-10 22:04:06 | bleepingcomputer | RANSOMWARE | Law Enforcement Reveals Identity of LockBit Ransomware Operator | The FBI, NCA, and Europol identified and publicized the principal operator behind LockBit ransomware as Dmitry Yuryevich Khoroshev, a 31-year-old Russian national. Operation Cronos significantly disrupted the LockBit operation by seizing its infrastructure and transforming its data leak site into a law enforcement announcement platform. Despite major setbacks, LockBit returned online, promising to continue its activities and releasing details of 119 entities purportedly compromised by its ransomware. LockBit is speculated to potentially shut down and morph into a new entity amidst ongoing law enforcement pressure. Separately, the healthcare provider Ascension faced considerable operational disruptions attributed to a ransomware attack by Black Basta, affecting emergency services and patient care. Other entities including the City of Wichita and Brandywine Realty Trust also suffered from ransomware attacks, leading to significant data breaches and operational challenges. | Details |
| 2024-05-10 21:03:00 | theregister | NATION STATE ACTIVITY | Ex-Analyst Predicts Iran Likely to Launch US Cyber-Attack | Iran is considered the most likely nation to initiate a destructive cyber-attack against the US, according to former Air Force intelligence analyst Crystal Morin. Despite Iran's capabilities, China remains the greatest cyber threat to the US, influencing critical infrastructures and government networks. The intelligence community views China's technological prowess in cyber capabilities as superior, having infiltrated various US sectors. Russia continues its focus on intelligence collection rather than direct destructive cyber warfare, avoiding mutually assured destruction. Morin's analysis as a cybersecurity strategist at Sysdig emphasizes the evolving landscape of global cyber threats faced by the US. US intelligence agencies concur on the significant cyber threat posed by both China and, to a slightly lesser extent, Russia. | Details |
| 2024-05-10 19:31:08 | bleepingcomputer | DATA BREACH | Dell Data Breach Exposes 49 Million Customer Records | Dell recently notified customers of a data breach that compromised 49 million customer records. The breach was initiated by a threat actor, known as Menelik, who exploited an API used by a partner portal. Menelik registered fake companies to gain unauthorized access to the portal and used it to scrape customer information without rate limiting. The scraped data included customer names, order details, service tags, and warranty information. Menelik originally notified Dell about the vulnerability in April, but claimed that Dell did not respond until the issue was made public. After the breach was disclosed, Dell engaged a third-party forensics firm and confirmed the incident was under investigation by law enforcement. APIs have become a significant security weak point, with several notable data breaches in recent years exploiting poorly secured APIs. | Details |