Daily Brief
Find articles below; see 'Details' for the generated summaries
Total articles found: 11822
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-05-04 18:04:16 | theregister | DATA BREACH | Privacy Risks and Poor Data Handling in Popular Dating Apps | The Mozilla Foundation's recent study found that 22 out of 25 top dating apps fail to properly protect user privacy. Researchers highlighted that dating apps harvest extensive personal details, including sensitive information such as sexual preferences and HIV status. Many of these apps share or sell extensive user data to third parties, including advertisers, without robust privacy safeguards. One disturbing incident noted involved user data from certain apps being sold to a Catholic organization, which then used the information to publicly out a priest. The research revealed significant concerns over the use of AI in dating apps, with plans for further AI integration posing additional privacy risks. Only one app, Lex (a queer dating app), received a positive privacy evaluation from the Mozilla team. The findings raise serious questions about the privacy measures of major dating platforms, including those owned by Match Group, and their interactions with AI companies like OpenAI. | Details |
| 2024-05-04 16:17:18 | bleepingcomputer | MISCELLANEOUS | Android VPN Bug Permits DNS Queries Leak Amid Privacy Concerns | An Android bug allows DNS queries to leak even when the VPN kill switch is enabled, threatening user privacy. Discovered by Mullvad VPN, the issue arises when switching VPN servers or reconfiguring them, and affects all Android versions, including Android 14. The Android "Always-on VPN" feature with a kill switch is supposed to prevent any data from bypassing the VPN, but the bug circumvents this by leaking DNS data during certain configurations and network changes. Apps using the C function getaddrinfo for hostname resolution leak DNS queries, while those using Android APIs like DnsResolver do not. To mitigate the leak when switching servers, users can configure a bogus DNS server while the VPN is active. However, no solution has yet been found for leaks occurring during VPN reconnections. Previous issues found in October 2022 showed Android leaking DNS queries during WiFi connections, highlighting recurrent privacy risks. Google has acknowledged the issue and expressed a commitment to investigating and resolving it to safeguard Android user privacy. | Details |
| 2024-05-04 14:20:26 | bleepingcomputer | NATION STATE ACTIVITY | Iranian State Hackers Use Journalist Guise to Deploy Malware | Iranian hackers linked to the state-backed APT42 group are impersonating journalists to infiltrate networks in the West and Middle East. Mandiant first identified APT42 in 2022, revealing that their activities have spanned since 2015 across 14 countries. Targets include NGOs, media, educational bodies, and legal entities; attacks often begin with spear-phishing emails. Malware used includes the "Nicecurl" and "Tamecat" backdoors, facilitating data theft, command execution, and system manipulation. Phishing tactics involve building trust through communication before directing victims to malicious sites that mimic reputable services to steal credentials and MFA tokens. APT42 meticulously avoids detection by using built-in cloud tool features, regularly clearing browser histories, and masking malicious activities within legitimate operations. Use of VPNs, Cloudflare domains, and temporary servers complicates attributing the attacks directly to APT42. Indicators of Compromise (IoCs) and detection tools are detailed in Google's comprehensive report on the APT42 campaign. | Details |
| 2024-05-04 08:45:27 | thehackernews | NATION STATE ACTIVITY | Russia's APT28 Linked to Espionage Attacks in Czechia, Germany | Czechia and Germany reported being targeted by Russia's APT28 through a Microsoft Outlook vulnerability. The attacks are part of an espionage campaign affecting political, state, and infrastructure entities. The exploited Outlook bug, CVE-2023-23397, allowed unauthorized access to Net-NTLMv2 hashes. The German Federal Government identified a long-term breach affecting the Social Democratic Party's emails. The EU, NATO, UK, and US condemned the actions, citing threats to democratic processes and security. A parallel Microsoft report linked APT28 to other cyberattacks via a Microsoft Windows Print Spooler component. Recent coordinated law enforcement action disrupted a related botnet used by APT28 to mask their activities. Ongoing attacks by pro-Russia hacktivists pose risks to critical infrastructure in North America and Europe. | Details |
| 2024-05-03 22:41:07 | theregister | NATION STATE ACTIVITY | Kaspersky Accused of Assisting in Russian Military Drone Development | InformNapalm, a volunteer intelligence group, has accused Kaspersky of aiding Russia in the development of military drones used in Ukraine. The allegations stem from a 100 GB data breach from Albatross, a Russian company allegedly involved in drone manufacturing with Iranian collaboration. Kaspersky allegedly contributed neural network technologies essential for Albatross drones, said to be vital for their operational capabilities. Some Kaspersky employees purportedly engaged heavily in the development of these drones, and even held leadership roles within Albatross. Albatross presentations highlighted the critical role of Kaspersky's neural network solutions in making the drones functional. Despite claims of non-commercial, humanitarian collaboration with Albatross, Kaspersky faces scrutiny and potential U.S. sanctions for its involvement. Kaspersky denies the accusations, framing the allegations as based on misinterpretations and disinformation. | Details |
| 2024-05-03 21:34:45 | theregister | NATION STATE ACTIVITY | Kaspersky Accused of Assisting in Russian Military Drone Development | Kaspersky has been implicated in assisting the development of military drones used by Russia in the Ukrainian conflict, according to volunteer group InformNapalm. Data from a hacked 100 GB archive from the Russian company Albatross reveals connections with Kaspersky employees contributing to drone technology since 2018. Albatross, in collaboration with Kaspersky, reportedly developed technology crucial for operational UAVs, which are currently in use for scouting against Ukraine. InformNapalm argues that, due to these activities, Kaspersky should face U.S. sanctions similar to those imposed on the Russian technology sector. U.S. sanctions could impact Kaspersky's ability to acquire equipment and create products that might support Russian military efforts. Kaspersky denies involvement, claiming the cooperation with Albatross was humanitarian and non-commercial, and stressing its transparency and dedication to its mission against malware. Despite Kaspersky's denials, InformNapalm suggests their findings warrant further investigation and possible action due to the strategic use of drones based on Kaspersky-developed technologies. | Details |
| 2024-05-03 21:04:01 | bleepingcomputer | MISCELLANEOUS | Android Bug Leaks DNS Queries Despite VPN Security Features | A Mullvad VPN user discovered a bug in Android devices that leaks DNS queries during VPN server switches, even with "Always-on VPN" enabled. The issue persists across all VPN apps on Android and occurs with direct calls to the getaddrinfo C function in certain situations, such as VPN reconfiguration, crashes, or stops. Mullvad revealed that this leakage happens even with "Block Connections Without VPN" (the VPN kill switch) activated, contrary to the expected secure behavior. Proposed mitigation includes using a bogus DNS server while the VPN is active, although no fix has been found for the reconnect leakage scenarios. Mullvad had previously noted similar DNS leakage on Android due to connectivity checks when Wi-Fi is engaged, highlighting ongoing privacy risks. This problem presents substantial privacy concerns, potentially exposing users' locations and the websites they visit, and persists on the latest Android version. Mullvad urges a fix at the operating system level to protect all Android users, regardless of the apps they use, highlighting ongoing vulnerabilities. | Details |
| 2024-05-03 19:17:03 | bleepingcomputer | NATION STATE ACTIVITY | North Korean Hackers Exploit DMARC Flaws in Spearphishing Attacks | The NSA and FBI reported that North Korean APT43 hackers are exploiting weak DMARC email policies to conduct spear-phishing campaigns. These attacks mimic credible entities like journalists and academics to gain access to sensitive geopolitical and policy-related data. North Korea's Reconnaissance General Bureau, involved in multiple espionage activities, manages APT43, which operates under various aliases including Kimsuky and Black Banshee. The hacking group targets think tanks, research centers, and academic institutions primarily in the US, Europe, Japan, and South Korea. Compromises achieved via these phishing scams are used to enhance the credibility and success of future attacks and to gather intelligence beneficial to North Korea's regime. APT43's activities aim to thwart any perceived political, military, or economic threats to North Korea by staying abreast of adversarial strategies and events. To counter these threats, the agencies recommend strengthening DMARC policies by configuring them to quarantine or reject emails that fail DMARC checks, and setting the other DMARC record fields to improve email server reporting and security. | Details |
| 2024-05-03 17:34:39 | theregister | CYBERCRIME | SSC Security Challenges Demand a Decade of Strategic Overhaul | Software supply chain vulnerabilities are increasingly prevalent, forming a significant cybersecurity frontier. Varun Badhwar, CEO of Endor Labs, predicts that 95-99% of enterprise code could soon derive from untrusted, unvetted sources. The surge in open-source software usage heightens these risks, necessitating improved management and security practices. Recommended measures include detailed documentation, reliable software bills of materials, and better vetting of open-source libraries. Automation is viewed as a crucial tool for improving software supply chain management, yet it is not the only solution needed. Enterprises must re-evaluate and retool their approaches to software procurement and management to mitigate emerging risks. The full maturity of software supply chain security could take up to a decade, indicating that this cybersecurity field is still in its beginning stages. | Details |
| 2024-05-03 17:09:00 | bleepingcomputer | MISCELLANEOUS | Google Reverts reCAPTCHA Update to Resolve Firefox Bug | Google recently withdrew a reCAPTCHA script update after it failed to function on Mozilla Firefox for Windows. The issue, uncovered by multiple user reports and confirmed through direct testing, manifested as an endlessly spinning circle within the reCAPTCHA widget. The fault was traced to an incorrect dark mode detection routine that affected Firefox specifically, attempting to manipulate DOM elements before they were fully loaded. Users discovered a temporary workaround by changing their browser's user-agent to imitate that of Microsoft Edge or Google Chrome. Mozilla developers highlighted that the flaw originated in Google's script and not in Firefox itself, and promptly informed Google. Following internal tests confirming a fix across various regions, Google decided to roll back to a previous version of the script, effectively resolving the problem. Despite some speculation, the error appears to have been unintentional and was quickly addressed by Google. | Details |
| 2024-05-03 15:52:14 | bleepingcomputer | NATION STATE ACTIVITY | NATO, EU Condemn Russia's Cyber Espionage in Europe and Ukraine | NATO and the European Union, along with partners, condemned Russia's cyber espionage led by APT28 targeting Germany, Czechia, and other countries. APT28 used a Microsoft Outlook zero-day exploit to compromise email accounts in the Social Democratic Party's Executive Committee in Germany. The cyber espionage included attacks on the logistics, armaments, aerospace, and IT sectors, along with foundations and associations across multiple European nations and Ukraine. The Czech Ministry of Foreign Affairs announced that Czech institutions were also targeted in the 2023 Outlook campaign, highlighting repeated cyber attacks by Russian state actors. Condemnations of APT28's actions were issued by the Council of the European Union and NATO, supported by the United Kingdom, citing threats to allied security. APT28, linked to Russia's Military Unit 26165, has a history of significant cyberattacks, including the 2015 German Federal Parliament breach and interference in the 2016 U.S. Presidential Election. The EU sanctioned members of APT28 in October 2020 for their involvement in past significant cyber breaches. | Details |
| 2024-05-03 15:21:29 | bleepingcomputer | MISCELLANEOUS | Microsoft Introduces Passkey Authentication for Enhanced Security | Microsoft has implemented passkey authentication for personal Microsoft accounts, enhancing user security by enabling password-less login options. Users can now use Windows Hello, FIDO2 security keys, biometrics, or device PINs to access services like Windows, Office 365, and Xbox Live. This development, announced on World Password Day, aims to combat phishing attacks and eventually phase out the use of passwords entirely. Passkeys work by matching a private cryptographic key stored on the user's device against a public key held on Microsoft's server to verify identity securely and effortlessly. The introduction of passkeys eliminates common security risks associated with password use, such as interception, theft, and weak password practices. Passkeys are designed to be compatible across various devices and operating systems, reducing friction in the authentication process. Microsoft also synchronizes passkeys across a user's devices for convenience, although this could pose a security risk if an account is compromised. Users interested in this new feature can set up their passkey by following the steps provided by Microsoft on its website. | Details |
| 2024-05-03 14:04:50 | bleepingcomputer | MISCELLANEOUS | Why IAM Is Essential for Mid-Sized Business Security | Identity and Access Management (IAM) is crucial for medium-sized businesses to protect sensitive data and comply with regulations like HIPAA, SOX, and PCI DSS. IAM ensures that only authorized users can access the resources they need, reducing the risks of unauthorized access, data breaches, and insider threats. Implementing IAM can also streamline access management and reduce administrative overhead, potentially lowering data breach costs significantly. Medium-sized businesses often struggle with the implementation of large-scale IAM solutions designed for bigger corporations, facing challenges like understaffing and budget constraints. The market offers some no-code IAM solutions that provide out-of-the-box integrations and require no custom coding, easing the burden on IT staff. These no-code platforms can be deployed quickly, automating processes and ensuring efficient privilege management across both local and cloud-based systems. | Details |
| 2024-05-03 12:58:30 | thehackernews | DDOS | Upcoming Webinar to Master Defenses Against DDoS Attacks | Announcing a new expert-led webinar focused on tackling Distributed Denial of Service (DDoS) attacks. Featuring Andrey Slastenov, Head of Security at Gcore, who will share advanced defense tactics. The webinar aims to improve understanding of contemporary DDoS threats and how they can impact businesses. It is intended for both newcomers and seasoned professionals in the field of cybersecurity. Participants will learn effective strategies to secure their online environments and improve resilience against attacks. It offers an opportunity for cybersecurity professionals to update their tactics and response plans. Registration is now open for those seeking to proactively safeguard their business's digital infrastructure. | Details |
| 2024-05-03 12:37:55 | thehackernews | NATION STATE ACTIVITY | Increasing Use of Microsoft Graph API in State-Sponsored Hacking | Threat actors are increasingly weaponizing the Microsoft Graph API to facilitate stealthy communications with their command-and-control (C&C) servers hosted on Microsoft's cloud. The Symantec Threat Hunter Team has observed multiple state-aligned hacking groups, such as APT28 and OilRig, adopting this method since January 2022. Abuse of the Microsoft Graph API allows attackers to evade detection, as traffic to well-known cloud services does not raise immediate suspicion. Instances of these techniques date back to June 2021, with the Harvester cluster using a custom implant called Graphon for communication via the API. Recently detected malware, BirdyClient, uses Microsoft's OneDrive as a C&C server through the Graph API, illustrating an evolution in attack techniques. The exact distribution method and the objectives of the attackers using the Microsoft Graph API remain unclear, indicating ongoing and sophisticated threat activity. This tactic is cost-effective for attackers, as basic accounts for services like OneDrive are free, adding to the appeal of misusing legitimate infrastructure. | Details |