Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 11821

Checks for new stories every ~15 minutes

2024-04-24 19:47:33 theregister MISCELLANEOUS Proposed Bill Aims for Secure Federal Collaboration Tech
U.S. Senator Ron Wyden has proposed a bill to mandate interoperability and security among federal government collaboration software such as Microsoft Teams, Zoom, and Slack. The bill, named the Secure and Interoperable Government Collaboration Technology Act, requires end-to-end encryption and adherence to federal record-keeping standards. The General Services Administration (GSA) and the National Institute of Standards and Technology (NIST) would play key roles in setting interoperable standards and technologies. The legislation targets reducing government expenditure on software by breaking the monopoly of big tech companies and enhancing competition. The bill has not garnered significant bipartisan support yet, reducing its chances of passing in an election year. Homeland Security would be tasked with reviewing these collaboration tools, and standards would be updated biennially based on reviews conducted by a GSA and Office of Management and Budget working group. Despite the positive reception from digital rights groups and endorsements from figures like Cory Doctorow, it faces potential hurdles from major tech firms. The proposed standards do not apply to certain technologies such as email, voice services, and national security systems, maintaining certain exclusions in government tech security measures.
2024-04-24 17:19:40 theregister MISCELLANEOUS Microsoft Criticized for Charging for Essential Security Tools
Microsoft faces criticism for charging additional fees for security add-ons, despite frequent security incidents involving its products. The company's security strategies have been questioned following major compromises, including the Exchange Online attack attributed to a Chinese-linked group. Microsoft demands that customers purchase an E5 subscription for comprehensive security tools or add-ons on an E3 subscription, increasing costs significantly. Microsoft's profit-driven approach to security has led to frustrations among customers who feel forced to pay continually increasing rates for essential security measures. Analysts suggest that integrating more security features into basic subscriptions could alleviate customer burdens, though this might decrease Microsoft's security-related revenues and draw regulatory scrutiny. Recent concessions by Microsoft, like providing free access to cloud security logs, show a potential shift towards enhancing baseline security in response to customer needs and bad publicity. However, questions remain about how far Microsoft will go in making security a fundamental part of all cloud subscriptions.
2024-04-24 17:09:09 bleepingcomputer NATION STATE ACTIVITY State-Sponsored Hackers Exploit Cisco Zero-Days in Espionage
Cisco identified two zero-day vulnerabilities in its security products, leveraged by a state-backed hacking group to infiltrate government networks globally. The hacking campaign, dubbed ArcaneDoor, has been active since November 2023, utilizing sophisticated malware for cyber-espionage. Identified vulnerabilities, CVE-2024-20353 and CVE-2024-20359, allow persistent local code execution and denial of service on Cisco's ASA and FTD devices. The hackers, using aliases UAT4356 and STORM-1849, deployed malware implants 'Line Dancer' and 'Line Runner' to maintain persistence and execute malicious actions on compromised networks. Cisco’s security team detected the campaign in January 2024, noting the preparation phase for these attacks dated back to at least July 2023. Following the discovery, Cisco released patches for the vulnerabilities and strongly urged customers to update their systems and monitor for any signs of compromise. The company also emphasized the importance of strong security practices, including multi-factor authentication and centralized, secure logging.
2024-04-24 15:47:34 bleepingcomputer MISCELLANEOUS Google Meet Extends Encrypted Calls to External Users
Google has updated its client-side encryption on Google Meet to include external participants, even those without Google accounts. The feature is now available to Workspace users with Enterprise Plus, Education Standard, and Education Plus licenses. External participants can join encrypted meetings after verifying their identity through third-party identity providers. The update ensures that all data within the meeting is accessible only by the meeting participants, enhancing privacy and security. Activation of the new feature requires administrators to configure identity provider settings and update access controls. Supported identity verification methods include existing Google or Microsoft accounts, or a one-time password received via SMS or email. This change aims to facilitate secure collaborations with stakeholders outside the organization while maintaining strict data privacy.
2024-04-24 15:01:33 theregister MISCELLANEOUS Nuclear Weapons Plant Settles $18.4M for Timesheet Fraud
Consolidated Nuclear Security LLC (CNS), managing the Pantex Plant since 2014, agreed to pay $18.4 million in a settlement over falsified timesheets. CNS admitted that employees at the Amarillo, Texas nuclear facility recorded hours not worked, prompting reimbursement to the government. The false time recording involved a few production technicians at Pantex, a key U.S. nuclear weapons assembly and maintenance facility. CNS took responsibility, terminated the involved employees, and cooperated fully with the investigation, avoiding criminal liability. The U.S. Department of Justice emphasized the seriousness of the misconduct, highlighting the need for accurate billing on national security projects. The settlement is part of broader efforts to enforce accountability and protect public funds in government contracting, especially in sensitive sectors.
2024-04-24 14:35:31 theregister MISCELLANEOUS Google Delays Third-Party Cookie Phase-Out to 2025 Amid Regulatory Review
Google has postponed its plan to phase out third-party cookies in Chrome to 2025, due to ongoing discussions with UK regulators. The delay allows the UK's Competition and Markets Authority (CMA) and Information Commissioner's Office (ICO) more time to review proposed changes. The phased elimination was initially scheduled for the end of 2024 but faced setbacks over concerns regarding competition and privacy. Google's Privacy Sandbox initiative aims to eliminate third-party cookies while reducing cross-site tracking and maintaining the economic viability of online content. The advertising industry has expressed significant concerns, suggesting that the move favors Google's own solutions and impedes independent marketing strategies. Recent feedback and a leaked draft report have brought up questions about the true privacy efficacy of the Privacy Sandbox. Google has reaffirmed its commitment to work with the CMA and ICO to address these concerns and hopes to begin phasing out third-party cookies in early 2024, pending agreement.
2024-04-24 14:35:31 bleepingcomputer DATA BREACH FTC Refunds Ring Users $5.6M Over Privacy and Security Lapses
The FTC is issuing $5.6 million in refunds to affected Ring users following a significant privacy breach. Private video feeds of Ring users were accessed without proper authorization by Amazon employees and contractors. The refunds are part of a settlement from a complaint filed in May 2023, which claimed insufficient security measures by Ring. Affected devices included smart home security products like video doorbells and cameras. Allegations included unrestricted internal access to devices for employees and third-party contractors. Ring implemented multi-factor authentication only in 2019, prior to which user accounts were susceptible to hijacking. Over 117,000 consumers are eligible for the payouts, which will be processed via PayPal and need redemption within 30 days. The recipients were identified based on data provided by Ring concerning the vulnerabilities cited in the FTC complaint.
2024-04-24 14:04:44 theregister NATION STATE ACTIVITY US Indicts Iranians for Cyberattacks on Government and Businesses
The US has charged four Iranian nationals, linked to military-connected companies, with cyberattacks on US entities. The accused worked for front companies, including Mehrsam Andisheh Saz Nik, operating on behalf of Iran's Islamic Revolutionary Guard Corps (IRGC). The attacks, occurring from 2016 to 2021, targeted over a dozen US firms and departments, including State and Treasury. Techniques used included spearphishing, social engineering, and malware to infiltrate and manipulate victims' accounts. Specific incidents included breaching defense contractors' emails to steal classified information and launching further attacks. The attackers impersonated individuals, often women, to build trust and deploy malware. The US struggles to arrest these nationals, as they are unlikely to be extradited by Iran, much like cybercriminals in other adversary countries. The US Department of Justice vows to use a whole-of-government approach to counter and penalize such cyber threats.
2024-04-24 13:49:17 thehackernews NATION STATE ACTIVITY U.S. Imposes Sanctions on Iranian Firms for Cyber Attacks
The U.S. Treasury Department has sanctioned two Iranian firms and four nationals for cyber-attacks on behalf of the Iranian Revolutionary Guard Corps. These entities targeted U.S. companies and governmental bodies through spear-phishing and malware from 2016 to 2021. An indictment was unsealed by the DOJ, charging the four individuals with orchestrating the attacks and offering a $10 million reward for information leading to their apprehension. The targeted Iranian firms, known under aliases like Tortoiseshell, acted as fronts for the IRGC’s cyber operations. These cyber attacks compromised over 200,000 employee accounts across defense and government sectors. Charges against the individuals include conspiracy to commit computer and wire fraud, identity theft, and damaging protected computers. This action highlights ongoing U.S.-Iran tensions, such as recent military exchanges following an Israeli airstrike on Iran’s embassy in Syria.
2024-04-24 13:43:50 thehackernews MALWARE Researchers Uncover SSLoad Malware in Global Phishing Campaign
Cybersecurity experts have identified an active attack strategy using phishing to deploy SSLoad malware, alongside tools like Cobalt Strike and ConnectWise ScreenConnect. The malware operation, dubbed FROZEN#SHADOW by Securonix, utilizes deceitful emails targeting entities across Asia, Europe, and the Americas to initiate the infection using a malicious JavaScript file. Once the malware infiltrates a system, it deploys multiple backdoors and payloads to not only maintain persistence but also to facilitate stealth operations and avoid detection. Attack vectors include delivering malware via macro-enabled Word documents and booby-trapped URLs through website contact forms. Upon infection, the malware conducts initial system reconnaissance, followed by downloading Cobalt Strike which subsequently installs the ScreenConnect software, allowing further remote control by threat actors. The threat actors expand their control within the network, gaining access to domain controllers and creating domain administrator accounts, significantly escalating their level of access. Remediation and recovery from such an infiltration are noted as particularly challenging, time-consuming, and costly for affected organizations.
2024-04-24 09:39:26 thehackernews DATA BREACH Major Flaws in Chinese Keyboard Apps Risk User Data
Security vulnerabilities have been found in several popular Chinese keyboard applications, potentially exposing the keystrokes of over 1 billion users. Researchers from Citizen Lab identified that keyboard apps from companies such as Baidu, Honor, iFlytek, and Tencent lacked adequate encryption, making it possible for malicious actors to intercept user data. Huawei's keyboard app was the only one among the examined apps with no reported security flaws. The researchers estimate that the vulnerabilities could affect almost one billion users, with the compromised apps being widely used across various mobile devices. Following responsible disclosure of the findings, all affected companies except Honor and Tencent (QQ Pinyin) had patched the identified security issues as of April 1, 2024. Users are advised to update their keyboard apps and operating systems, or to switch to keyboard apps that process input locally, to protect their data privacy. Citizen Lab recommended that app developers use standardized and rigorously tested encryption protocols to prevent such security lapses. Concerns were raised about the reluctance of Chinese app developers to adopt Western cryptographic standards due to fears of embedded backdoors, leading them to create their own encryption schemes, which may be less secure.
2024-04-24 07:32:20 theregister MISCELLANEOUS UK and US Government Sites Under Scrutiny for Ad Practices
Security firm Silent Push reports that 18 UK and US public-sector sites use ad tech, including from a Chinese company previously accused of ad fraud. US government rules prohibit ads on .gov websites, whereas the UK allows limited advertising on .gov.uk domains. The investigation reveals that advertising exchanges are listed in the public-sector websites' ads.txt files, allowing real-time trading of visitor data. Concerns are raised about online privacy and regulatory compliance given the presence of ad tech on such government portals. The Chinese ad-tech vendor Yeahmobi, involved in these findings, was removed from Google Play for alleged ad fraud in 2018. Industry experts express unease that the unregulated nature of ad tech could expose citizen data to foreign entities. Silent Push advocates a policy change to forbid advertisements on government websites to protect visitor privacy and data.
2024-04-24 07:06:30 thehackernews MALWARE Exploitation of eScan Update Mechanism Spreads Malware
A malware campaign has been targeting the update mechanism of eScan antivirus software, distributing backdoors and cryptocurrency miners through a threat termed GuptiMiner. Cybersecurity experts at Avast report that the threat actor, with potential links to the North Korean group Kimsuky, employs sophisticated techniques including DNS manipulation, payload sideloading, and malicious DNS servers. The attack exploits the lack of HTTPS protection on eScan's update downloads by substituting updates with malicious versions, a vulnerability that was present for over five years and has been patched as of July 31, 2023. The intrusion process involves multiple stages, starting with execution of a rogue DLL that leads to the deployment of a PNG file loader, which contacts a command-and-control server. In the later stages, it deploys a third-stage malware named Puppeteer, which controls the deployment of an XMRig cryptocurrency miner and additional backdoors that enable lateral movement and further infections on the network. The research highlighted the dual use of backdoors: one aids in network scanning and lateral attacks, while another focuses on scanning local systems for private keys and crypto wallets. The comprehensive nature of the GuptiMiner operation and the unexpected inclusion of a cryptocurrency miner suggest the miner may be a diversion to mask deeper network compromises.
2024-04-24 04:54:00 thehackernews MALWARE CoralRaider Malware Campaign Exploits CDN to Spread Stealthy Info-Stealers
A new malware campaign, dubbed CoralRaider, is distributing info-stealing malware through Content Delivery Network (CDN) caches. The threat actor, suspected to be of Vietnamese origin, uses three stealers, CryptBot, LummaC2, and Rhadamanthys, with operations observed from at least February 2024. Cisco Talos researchers identified tactics including the use of Windows shortcut files, PowerShell scripts, and the FoDHelper technique for UAC bypass. The campaign impacts diverse business sectors across multiple countries, including the U.S., the U.K., Germany, and Japan. Attack vectors include deceptive downloads of purported movie files that actually contain malicious software, pointing to a broad targeting approach. The malware uses sophisticated methods, such as updated CryptBot versions with advanced anti-analysis capabilities, to target data like credentials and financial information. Initial compromise is often achieved via phishing emails that lead victims to download malicious ZIP files containing dangerous LNK files.
2024-04-23 21:31:46 bleepingcomputer MALWARE Threat Actor CoralRaider Utilizes CDN Caches to Deploy Malware
CoralRaider, a financially driven cybercrime group, has been exploiting content delivery network caches to distribute info-stealing malware across the U.S., the U.K., Germany, and Japan. Malware deployed includes LummaC2, Rhadamanthys, and Cryptbot info stealers, sourced from malware-as-a-service platforms on underground marketplaces. The campaign operates by tricking users into opening malicious Windows shortcut files that download and execute obfuscated malicious scripts from a CDN. Techniques used involve PowerShell for decryption and payload delivery, modification of Windows Defender settings, and registry editing to bypass UAC. Cisco Talos, which analyzed the attacks, suggests a moderate level of confidence that these activities are linked to CoralRaider due to similarities in methods and procedures seen in past campaigns. This recent operation is not regionally confined, showing a significant expansion in target locations, including several countries across continents. The malware variants used display enhanced obfuscation and capabilities, focusing on stealing credentials, social media account details, and financial information including cryptocurrency wallets.