Daily Brief
Total articles found: 12732
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-06-14 15:10:04 | bleepingcomputer | CYBERCRIME | Scattered Spider Targets Cloud Apps for Advanced Data Theft | Scattered Spider (also tracked as Octo Tempest, among other aliases) has shifted to stealing data from SaaS applications and establishing persistence by creating new virtual machines in victim cloud environments. The group relies on social engineering, including SMS phishing and account hijacking, aimed mainly at corporate help-desk staff, to get access controls changed in its favor. Mandiant's report describes the gang's move from ransomware to data extortion without encryption, across a broader range of industries and organizations. Compromised accounts are used to escalate privileges and abuse SaaS applications, with single sign-on through identity providers such as Okta extending the intruders' reach. For persistence and exfiltration they stand up new VMs with security tooling disabled and use cloud synchronization utilities to copy data out to storage on platforms such as AWS and GCP. They also run reconnaissance through the victim's SaaS applications and use Golden SAML attacks, in which SAML assertions are forged with a stolen identity-provider signing key, to keep access to cloud applications. Mandiant recommends stronger monitoring of SaaS platforms, a review of how virtual machine infrastructure is managed, and tighter MFA and VPN policies. | Details |
| 2024-06-14 13:27:55 | theregister | NATION STATE ACTIVITY | Ukraine Cracks Down on Spyware SIM Farms Targeting Soldiers | Ukraine's Security Service dismantled infrastructure, run by pro-Russia operatives, that compromised soldiers' devices to deploy spyware. The operators used SIM farms to send phishing SMS messages carrying the spyware, which gave them control over data and communications on infected devices. A woman in Zhytomyr managed over 600 mobile numbers under direct Russian instruction and was paid in cryptocurrency for espionage and spreading propaganda. Separately, a man in Dnipro ran around 15,000 social media accounts registered with Ukrainian SIM cards and sold access to them on dark web forums, mainly to Russian intelligence. The operations aimed to gather military intelligence, push propaganda, and run social engineering attacks through dating sites and social media. Only the Dnipro man has been detained so far; the woman has been served a notice of suspicion under Ukraine's computer-misuse law. Around the same time, Kyiv police detained a key member of several ransomware gangs, underscoring continued cybercrime activity in Ukraine with links to Russian operations. | Details |
| 2024-06-14 13:22:36 | thehackernews | DATA BREACH | Austrian Non-Profit Accuses Google of Misleading User Tracking | Google's Privacy Sandbox, intended to replace third-party tracking cookies, has been criticized by the Austrian privacy nonprofit noyb for still enabling user tracking. noyb's complaint to the Austrian data protection authority argues that Google presents tracking inside its own browser as a privacy improvement. Despite Google's claims of better privacy, noyb says the company uses deceptive tactics to obtain consent for first-party ad tracking. Privacy Sandbox limits third-party data sharing while still allowing ads tailored to individual users through Google's own tracking technology. Rollout has been delayed as Google responds to feedback from regulators and developers, with a full transition proposed for early next year. Google is accused of using dark patterns to increase acceptance of its tracking, leading users to believe they are opting into privacy-enhancing features. noyb contends that collecting data without full, informed consent violates regional data protection law even if the method is less invasive than third-party cookies. Google defends Privacy Sandbox as a significant privacy advance and says it will seek balanced solutions for all stakeholders. | Details |
| 2024-06-14 12:41:35 | bleepingcomputer | DATA BREACH | Globe Life Investigates Breach in Web Portal Security | Globe Life discovered a breach of one of its web portals that may have exposed consumer and policyholder data. The issue was identified during a review of access permissions and user identity management prompted by an inquiry from a state insurance regulator. The company immediately shut off external access to the affected portal to prevent further unauthorized access, activated its incident response plan, and engaged external security experts to remediate the breach and assess its nature, scope, and impact. Systems other than the affected portal remain operational, and the company currently considers the impact on its business not significant. The investigation is ongoing and the full implications of the incident are still being determined. | Details |
| 2024-06-14 12:31:12 | thehackernews | MISCELLANEOUS | Webinar on Securing Petabyte-Scale Data with Industry Experts | Industry leaders are convening in a webinar on the challenges of securing petabyte-scale data, focusing on strategies for protecting large and constantly changing data environments. As data growth accelerates, businesses of all sizes face the need for advanced data security. Participants will hear about continuous attack surface discovery, penetration testing, and red teaming. The session is aimed at CISOs, security engineers, IT professionals, and business leaders responsible for data security, and is pitched as a forum for real-world experiences and solutions from field experts. Registration is open for those looking to improve how they manage and secure large-scale data assets. | Details |
| 2024-06-14 11:34:57 | theregister | NATION STATE ACTIVITY | French Government Proposes €700M Bid for Atos Tech Assets | The French government has offered €700 million for key technology assets of the struggling IT company Atos. The bid covers Atos' Big Data & Security division, which includes its Advanced Computing, Mission-Critical Systems, and Cybersecurity activities. These assets are considered strategic because they support IT projects for the French military and other government bodies. Atos recently accepted a bailout from its largest shareholder, Onepoint, to restructure its debt and stabilize the business. Talks on the acquisition will be overseen by the conciliator, Maître Hélène Bourbouloux, and no outcome is guaranteed. Atos is also negotiating the sale of its Worldgrid unit to Alten SA for €270 million, a deal expected to close by the end of 2024. The company's shares rose more than 16% on the acquisition news, after a drop of around 20% earlier in the year. | Details |
| 2024-06-14 11:03:48 | thehackernews | MISCELLANEOUS | Why Industries Adopt Military-Grade Cybersecurity Measures | Regulated industries such as finance, healthcare, and government face strict regulatory standards that demand robust cybersecurity to avoid severe penalties and reputational damage. With cyber threats against these sectors rising sharply, the article argues for a shift from traditional security measures to military-grade defenses. These incorporate technologies such as real-time data analytics, machine learning, and Content Disarm and Reconstruction (CDR) to neutralize threats before they land. Collaboration between the military and the private sector gives industry access to advanced technologies and best practices. Insider risk programs are presented as a core part of a comprehensive strategy for protecting sensitive data from threats inside the organization. Military-inspired strategies emphasize proactive threat prevention, rapid response, and layered security, and are described as proven in defending critical national and corporate assets. The article concludes that adopting military cyber strategies, technology, and partnerships helps regulated industries build resilience, meet compliance requirements, and protect critical infrastructure. | Details |
| 2024-06-14 08:19:14 | thehackernews | CYBERCRIME | Critical Vulnerabilities Identified in ZKTeco Biometric Systems | Security researchers have disclosed 24 vulnerabilities in ZKTeco biometric access-control terminals: six SQL injections, seven stack-based buffer overflows, five command injections, four arbitrary file writes, and two arbitrary file reads. The flaws could let attackers bypass authentication, steal stored biometric data, and remotely control the devices. Stolen biometric data may be sold on the dark web, raising the risk of identity theft and of attacks such as deepfakes and social engineering; an attacker could also enter restricted areas or plant a backdoor on the network for espionage or disruption. The issues were found by reverse engineering the devices' firmware and communication protocols, and at the time of publication there was no confirmation that fixes had been released. Recommended mitigations are to isolate the devices on a separate network segment, use strong administrator passwords, and apply vendor updates as they become available. The flaws undermine the security benefits of biometric authentication and leave affected systems exposed to unauthorized access. | Details |
| 2024-06-14 06:47:27 | thehackernews | NATION STATE ACTIVITY | North Korean Hackers Escalate Phishing Attacks on Brazilian Fintech | North Korean actors are reported to account for about one-third of the government-backed phishing activity targeting Brazil since 2020, with particular focus on the government and on sectors such as aerospace, technology, and finance. The groups use sophisticated phishing against cryptocurrency and fintech targets; UNC4899, for instance, deploys trojanized applications to steal data. UNC4899 approaches targets on social media with fake job offers and delivers malware through seemingly benign documents and trojanized GitHub projects. Other North Korean groups, PAEKTUSAN and PRONTO, have run campaigns impersonating recruiters or targeting diplomats for credential theft and espionage. Microsoft and Google have seen similar deception, including malware distributed through fake npm packages, a notable risk given the trust placed in open-source registries. The spread of these methods to LinkedIn and freelance platforms shows how the threat landscape keeps evolving. | Details |
| 2024-06-14 04:34:44 | thehackernews | MISCELLANEOUS | Microsoft Delays Launch of AI Recall Feature Over Security Concerns | Microsoft has delayed the release of its AI-powered Recall feature for Copilot+ PCs over security and privacy concerns. The feature will first go to the Windows Insider Program to gather feedback and to meet Microsoft's standards for quality and security. The broad release, originally scheduled for June 18, 2024, was postponed after criticism that Recall posed privacy risks and would be an attractive target for criminals. Recall captures screenshots of user activity and indexes them into a searchable database using an on-device AI model. In response to the backlash Microsoft made Recall opt-in and added safeguards, including Windows Hello authentication before content can be viewed and "just in time" decryption, so data is decrypted only after the user authenticates with biometrics or a PIN. Microsoft's caution reflects wider industry concern about safe and responsible use of AI under pressure to innovate. The change comes shortly after Apple announced Private Cloud Compute, an approach to AI processing in the cloud that emphasizes privacy. | Details |
| 2024-06-14 02:12:10 | bleepingcomputer | DATA BREACH | Microsoft Delays Launch of Windows Recall Over Security Concerns | Microsoft has postponed the public preview of its AI-powered Windows Recall feature, originally set for June 18, 2024, to address privacy and security issues. Recall, which takes frequent screenshots for later retrieval, drew strong privacy objections from advocates and security researchers. After the criticism, Microsoft will first release the feature to Windows Insiders for feedback before a broader rollout to Copilot+ PCs. Concerns were amplified by a ProPublica report accusing Microsoft of prioritizing revenue over security and by a congressional hearing on the company's security lapses. The feature will now be opt-in, and its database will be encrypted, with Windows Hello authentication required to access the app. Security researcher Kevin Beaumont highlighted that malware running on the device could read Recall's stored data and use it to steal user information. Microsoft acknowledges that Recall needs further testing and hardening in light of the backlash and the risks identified. | Details |
| 2024-06-14 00:45:18 | theregister | NATION STATE ACTIVITY | Microsoft Grilled in Congressional Hearing Over Security Lapses | Microsoft President Brad Smith testified before the US House Committee on Homeland Security about the company's security breaches and its business operations in China. The hearing drew on a Cyber Safety Review Board report that detailed the missteps which allowed Chinese state actors to access sensitive US government email. Smith accepted responsibility for Microsoft's failures, but his suggestion that the intrusion being detected by the US State Department rather than Microsoft showed the system working drew criticism from lawmakers. Members questioned whether Microsoft's security measures are adequate given its outsized role supplying software and cloud services to the US government. The hearing also covered Microsoft's exposure to Chinese national security laws, which could compel the company to hand over user data or source code; Smith denied that the company complies with such demands despite operating in China. The session underscored continuing concerns about the intersection of national security, cyberespionage, and the role of private technology companies in protecting sensitive information. | Details |
| 2024-06-13 23:18:28 | bleepingcomputer | DATA BREACH | Truist Bank Confirms Data Breach, Employee Info Sold Online | Truist Bank acknowledged a system breach after stolen data appeared for sale on a hacker forum. The breach occurred in October 2023; the stolen data includes records of 65,000 employees, and the seller also claims to have sensitive bank transaction data and internal source code. Truist says the breach was contained quickly, that it added security measures and notified affected clients, and that it cooperated with law enforcement and cybersecurity experts to limit the consequences. The bank has found no evidence of fraud linked to the breach so far. The data is being sold by a threat actor using the handle "Sp1d3r", who has also been linked to data thefts from other major companies. Truist stated that the breach is not related to the recent Snowflake attacks. | Details |
| 2024-06-13 22:47:45 | theregister | NATION STATE ACTIVITY | Congress Denies Funding for Space Force's GPS Hardening Project | The US Space Force's request for $77 million to improve GPS resilience with additional satellites has been declined by the House Appropriations Committee. The proposed Resilient GPS (R-GPS) program would add about 20 small satellites to the constellation to counter jamming and spoofing. The request was part of the committee's scrutiny of the Department of Defense budget for 2025. Committee members question whether more satellites address the main jamming threats, and also point to M-code, the military signal meant to resist jamming, whose user equipment has been repeatedly delayed. R-GPS is projected to cost about $1 billion over five years. The appropriations report directs the Director of Cost Assessment and Program Evaluation to report within 180 days on whether R-GPS is a viable way to improve positioning, navigation, and timing for national security. The setback comes despite continued investment in anti-jamming technology, equipment upgrades, and cybersecurity improvements for GPS. | Details |
| 2024-06-13 21:56:19 | bleepingcomputer | MALWARE | Ascension Healthcare System Crippled by Ransomware Attack | Ascension, a major US healthcare provider, suffered a significant ransomware attack in May 2024 that began when an employee inadvertently downloaded a malicious file. The attack disrupted the MyChart electronic health records system, phone services, and the systems used to order tests, procedures, and medications. Ascension took multiple systems offline to contain the damage and fell back to manual documentation of medical services; some non-urgent elective procedures, tests, and appointments were postponed, and some emergency services were diverted to other facilities. With restoration still under way, Ascension says the attackers reached only seven of its roughly 25,000 servers, mainly affecting non-clinical administrative data. Preliminary findings indicate the stolen data may include protected health information (PHI) and personally identifiable information (PII), but there is no evidence that complete electronic health record (EHR) systems were compromised. External sources have tentatively linked the attack to the Black Basta ransomware group, which Ascension has not confirmed. | Details |