Daily Brief
| Timestamp | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-04-30 06:02:44 | thehackernews | CYBERCRIME | U.K. Introduces Law Banning Default Passwords on Smart Devices | Starting April 29, 2024, a new U.K. law will ban default passwords on smart devices to enhance cybersecurity.
The Product Security and Telecommunications Infrastructure (PSTI) Act requires device manufacturers to eliminate simple default passwords, provide a security contact, and inform consumers about the expected duration of security updates.
Manufacturers failing to comply with the PSTI Act face severe penalties, including recalls and fines up to £10 million or 4% of their annual global revenues.
This legislation is intended to prevent IoT devices from being exploited for DDoS attacks, addressing vulnerabilities like those exploited by the Mirai botnet.
The U.K. is the first nation globally to legislate against default usernames and passwords in IoT products.
Concurrently, a report highlights ongoing threats from Mirai-variant botnets, underscoring the persisting relevance of robust IoT security measures.
Separately, major U.S. telecoms were fined $196 million by the FCC for unauthorized sharing of customer location data, illustrating broader issues of data privacy and security. | Details |
| 2024-04-29 23:25:52 | theregister | DATA BREACH | Major U.S. Telecoms Fined $200M for Selling Location Data | The FCC fined AT&T, Verizon, Sprint, and T-Mobile US nearly $200 million for illegally selling location data to third-party brokers.
Fines are distributed as follows: AT&T $57 million, Verizon $47 million, Sprint $12 million, and T-Mobile $80 million.
These penalties arise from a 2018 investigation initiated by U.S. Senator Ron Wyden, spotlighting the unauthorized sale of real-time customer location data.
Carriers argue that data brokers and third parties responsible for obtaining proper customer consent should be blamed, not the telecom companies themselves.
Each carrier is planning to appeal against the FCC's decision, citing various reasons including the support of life-critical services like emergency medical alerts which required location data.
The FCC asserts that customer consent was not properly obtained and that carriers cannot shift their statutory privacy responsibilities to third parties.
This issue underscores broader concerns about privacy and national security, emphasizing the ease of accessing personal data through brokers.
Legislative efforts are underway to prevent government agencies from buying American citizens’ data from brokers, aiming to protect privacy in the post-Dobbs era. | Details |
| 2024-04-29 22:24:45 | theregister | CYBERCRIME | Google Stops 2.3 Million Apps to Boost Play Store Security | Google blocked 2.28 million Android apps from the Play Store in 2023 for violating security rules.
The initiative was part of enhanced security measures including machine learning and updated app review processes.
New policies were implemented to tackle AI apps, notifications, and privacy, including a rule allowing users to delete account data without app reinstallation.
The company also cracked down on 333,000 developer accounts and rejected an additional 200,000 apps for improper handling of sensitive permissions.
This marked a significant increase in app rejections from 1.43 million in 2022, attributed to better security tools and changes in counting methodology as per the EU’s Digital Services Act.
Despite these measures, loopholes remain, exemplified by a screen recording app undetected by Google until external notification.
Google's efforts reflect a growing commitment to safeguarding user privacy and enhancing app store security against malicious applications. | Details |
| 2024-04-29 20:27:19 | bleepingcomputer | NATION STATE ACTIVITY | Chinese State-Linked Hackers Manipulate Global DNS Records | The "Muddling Meerkat" activity linked to a Chinese state-sponsored group has been manipulating DNS since October 2019, with increased actions in September 2023.
This group specifically alters Mail Exchange (MX) records through China’s Great Firewall (GFW), a method not previously seen in the country’s censorship techniques.
The manipulation involves DNS query and response interference, where the GFW injects fake responses, potentially misdirecting communications.
Infoblox identifies this sophisticated DNS manipulation, which could be easily mistaken for normal internet traffic, highlighting the advanced capabilities of Muddling Meerkat.
The operations possibly aim to test network resilience or to mask other malicious activities by creating DNS "noise."
Targets are usually long-standing domain names registered before the year 2000, likely due to their absence on DNS blocklists.
Infoblox has listed indicators of compromise (IoCs) and techniques, tactics, and procedures (TTPs) for Muddling Meerkat, advising on domains that can be safely blocked. | Details |
| 2024-04-29 18:24:42 | theregister | CYBERCRIME | London Drugs Shutters Pharmacies Due to Cybersecurity Incident | Canadian pharmacy chain London Drugs has temporarily closed all its locations across four provinces due to a cybersecurity incident identified on April 28, 2024.
The incident prompted immediate network and data protection measures, including the engagement of third-party cybersecurity experts for containment and forensic analysis.
The company, operating over 80 stores in British Columbia, Alberta, Saskatchewan, and Manitoba, has not disclosed specifics about the nature of the cyberattack, such as whether ransomware was involved.
While there is currently no evidence suggesting that customer or employee data has been compromised, the investigation is ongoing.
Pharmacists are available to assist with urgent needs despite store closures; customers must contact pharmacy departments directly.
This cybersecurity incident at London Drugs resembles recent cyberattacks on healthcare and pharmaceutical providers globally, highlighting a trend of increasing focus on these sectors by cybercriminals.
Comparatively, the recent cyberattack on TransForm, impacting several hospitals in Ontario, was confirmed as a ransomware attack by the Daixin Team, who also claimed responsibility for data theft.
London Drugs has apologized for any disruptions caused and prioritized resolving the incident swiftly to resume normal operations. | Details |
| 2024-04-29 17:17:54 | thehackernews | MALWARE | Google Blocks Millions of Malicious Apps in 2023 Security Efforts | In 2023, Google prevented 2.28 million policy-violating apps from being published on the Play Store, a significant increase from 1.43 million in 2022.
Google rejected or remediated nearly 200,000 app submissions due to improper access to sensitive user data like location and SMS messages.
The company blocked 333,000 accounts for attempting to distribute malware or for repeated policy violations.
Enhanced developer onboarding and review processes now require more extensive identity verification to better screen and manage the developer community.
Google strengthened Android's privacy and security through partnerships with SDK providers, addressing issues in over 790,000 apps across more than 31 SDKs.
The company removed approximately 1.5 million outdated apps from the Play Store to maintain a high security and functionality standard.
These efforts are part of broader initiatives, including real-time malware scanning and the implementation of security badges for apps, to secure the Android ecosystem against fraud and malicious software. | Details |
| 2024-04-29 17:17:54 | bleepingcomputer | CYBERCRIME | London Drugs Shuts All Stores Following Major Cyberattack | Canadian pharmacy chain London Drugs closed all locations due to a cybersecurity incident detected on April 28, 2024.
The cyberattack prompted the shutdown of stores across Western Canada, with no specified date for reopening.
Immediate measures included hiring third-party cybersecurity experts to assist in containment, remediation, and a forensic investigation.
Despite the cyberattack, there is currently no evidence that customer or employee data has been compromised.
London Drugs has not yet notified authorities, citing the absence of compromised personal or health information.
Customers with urgent needs are advised to contact their local pharmacy directly for assistance.
London Drugs operates with over 9,000 employees across more than 80 stores in Alberta, Saskatchewan, Manitoba, and British Columbia. | Details |
| 2024-04-29 17:02:12 | bleepingcomputer | CYBERCRIME | FBI Highlights Rising Verification Scams on Dating Apps | The FBI has issued a warning about fraudulent verification schemes on dating apps which cause recurrent subscription charges.
These schemes feature fraudsters pretending to provide safety measures by verifying users are not sexual predators, only to steal personal and financial data.
Victims are tricked into providing their name, phone number, email address, and credit card details, thinking they are undergoing a legitimate safety process.
Once the verification is completed, victims discover unauthorized monthly charges from obscure companies on their credit card statements.
Personal information collected during the fake verification process is often used for identity theft or sold in cybercrime markets.
Investigations reveal multiple domains involved in these scams, with payment processing often routed through companies in Cyprus.
The FBI advises the public to be cautious, verify the authenticity of such verification links, and report suspicious activities to the IC3 website.
These scams are not isolated but part of a larger trend of using fake security measures to exploit unsuspecting users on dating platforms. | Details |
| 2024-04-29 16:11:04 | bleepingcomputer | MALWARE | Google Enhances Security by Rejecting 2.28 Million Risky Apps in 2023 | Google blocked 2.28 million Android apps from the Play store in 2023 due to policy violations and security threats.
The company also suspended 333,000 Google Play accounts linked to malware distribution, fraudulent apps, or severe policy breaches.
This marks an increase from 1.5 million apps blocked and 173,000 accounts suspended in the previous year.
Google's enforcement is part of its commitment to the 'SAFE' principles: Safeguard Users, Advocate for Developer Protection, Foster Responsible Innovation, and Evolve Platform Defenses.
The firm rejected or remedied 200,000 app submissions that requested risky permissions without legitimate reasons.
Google collaborated with 31 SDK providers to reduce sensitive data collection and sharing through apps.
790,000 apps have been impacted by this initiative, potentially affecting tens of millions of users.
Google warns Android users to download apps only from Google Play and to ensure active Play Protect and regular permission reviews on their devices. | Details |
| 2024-04-29 16:00:32 | bleepingcomputer | CYBERCRIME | Google Blocks Over 2.2 Million Apps to Protect Users | Google eliminated 2.28 million apps from the Play Store in 2023 due to policy violations threatening user security.
The company also suspended 333,000 Google Play accounts involved in uploading malware or engaging in fraud.
Enhanced review processes and security measures have been key to identifying and removing harmful app submissions.
Additionally, Google restricted 200,000 apps from unjustifiably accessing sensitive permissions like SMS and location data.
Collaborations with 31 SDK providers aim to minimize sensitive data collection, affecting 790,000 apps.
Recent investigations discovered 17 malicious VPN apps using an SDK to turn devices into proxies for illicit activities.
Despite efforts, risks remain; users are advised to download apps only from Google Play and monitor app permissions and activities.
Google's SAFE principles guide these initiatives, focusing on user safety, developer support, innovation, and evolving defenses. | Details |
| 2024-04-29 14:28:32 | bleepingcomputer | DATA BREACH | FBCS Data Breach Affects Nearly Two Million Individuals | Financial Business and Consumer Solutions (FBCS) experienced a data breach affecting 1,955,385 people.
Unauthorized access to FBCS networks was detected on February 26, 2024, with the breach beginning on February 14, 2024.
Potentially accessed data could expose affected individuals to phishing, fraud, and social engineering attacks.
FBCS has offered 12 months of free credit monitoring through Cyex to all impacted individuals.
The company has implemented enhanced security measures within a newly constructed environment to prevent future breaches.
No ransomware groups have claimed responsibility for the incident as of the latest updates.
Victims are advised to stay vigilant, monitor their account statements, and check their credit reports for suspicious activities. | Details |
| 2024-04-29 14:02:52 | bleepingcomputer | CYBERCRIME | Rising Threats: Protecting Against Identity-Based Cyber Attacks | Identity-based attacks, involving compromised credentials, are becoming the main vectors for global cybercrime, with an annual increase of 71%.
Various methods are employed by attackers, including broad-based phishing, spear-phishing, credential stuffing, password spraying, pass-the-hash, and Man-in-the-Middle attacks.
A primary concern is password reuse, with 73% of individuals duplicating passwords across personal and professional accounts.
Pass-the-hash attacks affect 95% of businesses, allowing attackers to authenticate into systems using stolen hashed passwords.
Organizations must implement strong password policies, enforce multi-factor authentication, and conduct regular security audits to mitigate threats.
Protecting service desks from social engineering is crucial as they are key points for attackers to gain unauthorized access.
Specops Software’s tools, such as Specops Password Policy and Secure Service Desk, can provide significant defenses against identity-based attacks. | Details |
| 2024-04-29 13:52:29 | thehackernews | NATION STATE ACTIVITY | 'Muddling Meerkat' Chinese DNS Hijacking to Map Global Internet | Muddling Meerkat, linked to China, has manipulated DNS for global reconnaissance since October 2019.
Likely affiliated with China's government, utilizing DNS to avoid detection by the Great Firewall.
Employs DNS open resolvers extensively, making queries appear from Chinese IP addresses.
DNS queries include mail exchange and other records from top-level domains to evade DNS blocklists.
Over 20 super-aged domains implicated, aiding in blending these activities with normal DNS traffic.
Efforts observed in using Chinese servers to query for random subdomains, indicating DNS spoofing practices.
Distinct from regular Great Firewall activities, Muddling Meerkat sources false MX record responses.
The motives are uncertain, with hints that they potentially involve extensive internet mapping or research projects. | Details |
| 2024-04-29 13:16:35 | thehackernews | CYBERCRIME | Critical Vulnerability Found in R Programming Language | A significant security vulnerability, CVE-2024-27322, has been identified in the R programming language, particularly affecting its data serialization methods.
This flaw allows execution of arbitrary code when a malicious RDS (R Data Serialization) file is loaded, posing a threat particularly in supply chain attacks.
Attackers can exploit this vulnerability by embedding malicious code in R packages, which gets executed when the packages are loaded by unsuspecting users.
The security issue stems from the use of promise objects and lazy evaluation mechanisms in R, which can trigger automatic code execution upon package decompression and deserialization.
The vulnerability has been patched in the latest R software release, version 4.4.0, as of April 24, 2024.
Users are exposed to potential risks if they load untrusted R packages, which may contain override files crafted to exploit this vulnerability.
The discovery highlights ongoing concerns regarding the security of serialization and deserialization processes in widely used programming languages. | Details |
| 2024-04-29 13:06:04 | theregister | NATION STATE ACTIVITY | France Moves to Secure Key Atos Assets Amid Financial Woes | The French government has proposed acquiring strategic assets from Atos, focusing on Advanced Computing, Mission-Critical Systems, and Cybersecurity Products, amid the firm's financial turmoil.
The assets, vital for national security and sovereign operations, are valued between €700 million and €1 billion.
France aims to ensure these assets do not fall into foreign hands, given Atos's roles in supercomputing for the military and AI initiatives.
The decision is a reaction to increased financial instability at Atos, which now estimates a funding need of €1.1 billion for 2024-25, almost double the previous forecast.
Potential stakeholders and participants mentioned include Dassault Aviation and Thales, with Airbus having initially shown interest but later withdrawing.
The non-binding letter of intent allows for an exchange of information until July 31 as part of Atos's broader financial restructuring efforts.
The strategic intervention underscores the importance of maintaining control over technologies critical to national security and energy independence in France. | Details |