Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11813
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-04-02 09:32:34 | theregister | MISCELLANEOUS | Gmail's 20th Anniversary Ushers in Tougher Anti-Spam Rules | Google celebrates Gmail's 20th birthday by implementing stricter rules to reduce spam.
New measures are now in effect targeting bulk senders of over 5,000 messages per day.
Google has made email authentication mandatory for bulk senders and introduced a lower spam rate threshold.
Unauthenticated messages have decreased by 75 percent since initial implementation of these requirements.
The requirements include email authentication, one-click unsubscribe options, and adherence to spam thresholds.
Bulk senders who fail to comply will receive temporary errors with specific error codes to help them identify non-compliant emails.
Scammers and attackers often use bulk sending as a disguise, prompting Google to crack down on unsecured systems.
These changes currently apply only to personal Gmail accounts, not Google Workspace business accounts. | Details |
| 2024-04-02 07:35:19 | theregister | MISCELLANEOUS | Apple's GoFetch Flaw Exposes Speed-Security Tradeoff Dilemma | Apple Silicon processors have been found to contain a significant security vulnerability called GoFetch, a problem known to the industry even before these processors were launched.
The GoFetch vulnerability is related to a fundamental issue with modern processor design that balances the need for speed against cryptographic security.
Processor designers use high-speed caches to keep essential data close to the processor to boost performance, but this compromises cryptographic operations that require constant execution time to prevent timing attacks.
The specific vulnerability with Apple’s Data Memory Prefetcher (DMP) feature allows an attacker to indirectly glean cryptographic keys by observing the timing of cache hits and misses, even when crypto code attempts to avoid such leaks.
The preference of chipmakers to prioritize speed in their processors, fueled by market competition and benchmarking, may have led to a lack of rigor in searching for such subtle security flaws.
The secretive nature of chip design and the lack of detailed public information make it difficult for external parties to identify and address vulnerabilities quickly, potentially exacerbating security risks.
There's a call for chipmakers to reconsider their approach towards secrecy and speed, advocating for more openness which could lead to earlier detection of security flaws and better-informed coding practices for optimized performance. | Details |
| 2024-04-02 07:14:36 | thehackernews | DATA BREACH | Google to Delete User Data in 'Incognito' Privacy Lawsuit Settlement | Google settles a class action lawsuit by agreeing to erase billions of records of users' browsing activities while in 'Incognito' mode.
The lawsuit accused Google of misleading users by tracking internet browsing even in private browsing modes across web browsers like Chrome.
U.S. District Judge Yvonne Gonzalez Rogers has yet to approve the settlement, which mandates comprehensive data deletion and anonymization.
Google must remove information that identifies private browsing data, including IP addresses, detailed URLs, and the X-Client-Data header field.
The tech giant has committed to blocking third-party cookies in Chrome's Incognito Mode for five years and plans to eliminate tracking cookies by the end of the year.
Internal Google communications revealed during the lawsuit process described Incognito Mode as a "confusing mess" and "effectively a lie."
In response to the settlement terms, Google updated the description of Incognito Mode to clarify the limitations of privacy protection it offers.
Additional measures introduced include new guidelines for bulk email senders to Gmail, aimed at reducing spam and phishing, with mandatory unsubscribe options. | Details |
| 2024-04-02 05:02:11 | thehackernews | CYBERCRIME | Wide-Scale Phishing Attacks Deploy Venom RAT in Latin America | TA558, an established threat actor, launches a large-scale phishing campaign to distribute Venom RAT across various sectors in Latin America.
Targeted sectors include hospitality, finance, manufacturing, and government agencies across Spain, Mexico, the US, Portugal, Brazil, and more.
The campaign employs phishing emails for initial access, leading to sensitive data theft and system control via the Venom RAT malware.
Venom RAT is an offshoot of Quasar RAT known for its data harvesting and remote system command capabilities.
The campaign follows increased use of DarkGate malware loader and various malvertising campaigns post-QakBot takedown, targeting financial institutions in the US and Europe.
Notorious malvertising group ScamClub has pivoted to video advertisement attacks, exploiting VAST tags for redirecting users to scams, with most victims in the US.
Security experts emphasize the importance of enhancing cloud security measures and updating security processes in the face of evolving cyber threats. | Details |
| 2024-04-02 01:08:08 | bleepingcomputer | CYBERCRIME | India Repatriates 250 Forced into Cybercrime by Cambodian Gang | The Indian government successfully rescued 250 citizens coerced into cybercrime activities by a Cambodian gang.
Victims were lured by the promise of lucrative job opportunities in Cambodia but were instead forced into illegal online activities.
The rescue operation involved collaboration between the Indian Embassy in Cambodia and local authorities.
India Today highlights that around 5,000 Indians may still be held and forced into scam operations, generating approximately $60 million over six months.
Rescued individuals report harsh living conditions and violent enforcement of financial targets by the criminal syndicate.
The scammers primarily created fake social media profiles and defrauded people by impersonating law enforcement officers.
A senior government employee's complaint led to the unveiling of some Indian links to the scam, underscoring the scam's reach and sophistication.
Ongoing investigations aim to repatriate more victims and highlight the need for international cooperation in the fight against cybercrime. | Details |
| 2024-04-02 01:02:48 | theregister | NATION STATE ACTIVITY | Six Banks and Singapore Authority Collaborate Against Money Laundering | Singapore's Monetary Authority launched an application named COSMIC, in collaboration with six major commercial banks, to tackle money laundering and terrorism financing.
Banks can share customer information based on predefined red flags that indicate potential criminal behavior, with protections in place for legitimate customers.
Customers are encouraged to provide clarifications on their risk profiles or transactions to aid financial institutions in informed risk assessments.
Chinese advanced persistent threat groups have targeted ASEAN countries for cyber espionage, focusing on sensitive information about diplomatic relations and economic decisions.
Japan plans to introduce a domestic passenger jet by 2035 to recover from the SpaceJet program's termination.
Alister Dias, Google Cloud's vice president for Australia and New Zealand, announced his departure to prioritize family and personal projects.
Recent alliances in the APAC region include partnerships and tech deployments across various industries, enhancing capabilities like data analytics, weather forecasting, cyber defenses, payment solutions, and satellite remote sensing.
The Chinese Commerce Minister met with the Dutch Trade Minister to discuss the impact of export sanctions on the semiconductor industry and seek ways to strengthen cooperation. | Details |
| 2024-04-01 22:40:18 | theregister | MISCELLANEOUS | U.S. House Prohibits Use of Microsoft Copilot Amid Security Concerns | The US House of Representatives staff are prohibited from using Microsoft's Copilot AI tools until a government edition is released.
Microsoft Copilot, which includes AI services for various applications, is considered a risk due to the potential leakage of sensitive data to unauthorized cloud services.
The House's Office of Cybersecurity deemed the use of Copilot a threat, leading to its removal from, and blocking on, all devices.
The ban aligns with previous restrictions on ChatGPT, reflecting growing concerns about data privacy and the need for "sovereign AI" tailored to national security needs.
Microsoft is preparing a government edition of Copilot with enhanced security, which the House will review upon release later in the year.
The caution is based on recent incidents, such as Samsung's accidental leak of secrets via ChatGPT and a bug in OpenAI's software that exposed parts of user conversations. | Details |
| 2024-04-01 21:18:36 | theregister | CYBERCRIME | Sophisticated Backdoor Discovered in Open Source Compression Library | A backdoor was found in the open source compression library xz, specifically within liblzma, which is part of the package widely used in Linux distributions and macOS.
The malicious code enabled remote code execution by altering the SSH daemon operation via systemd, and was discovered by a Microsoft engineer due to unusual latency issues.
The affected versions of the xz package were used in several bleeding-edge Linux distributions, exposing SSH to potential remote exploitation.
The sophisticated supply chain attack came close to being an unprecedented intrusion enabler, potentially more impactful than the SolarWinds incident.
Malicious commits were made by an individual called "Jia Tan," who spent nearly two years building trust before introducing the backdoor, in what is assumed to be a long con.
The incident highlights concerns regarding the security of open-source projects, especially those maintained by volunteers with limited resources and recognition.
No conclusive evidence ties the attack to a nation-state, but the level of sophistication suggests the possibility of a well-funded adversary. | Details |
| 2024-04-01 20:32:28 | bleepingcomputer | CYBERCRIME | Google Enhances Email Security to Shield Against Phishing | Google has implemented stricter spam filters that automatically block emails from bulk senders not adhering to enhanced authentication standards.
Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) authentication are now mandatory for bulk senders targeting Gmail users.
New measures require less than 0.3% spam rate, an easy unsubscribe process, quick unsubscription response, and accurate "From" headers, preventing Gmail impersonation.
Non-compliant bulk senders will initially encounter temporary errors starting in April 2023, escalating to outright rejection of non-compliant traffic by April 2024.
Bulk senders have been advised to adjust their practices during the temporary error phase before stricter enforcement begins.
Google's AI-powered defenses claim to block nearly 15 billion unwanted emails daily, keeping spam, phishing, and malware at bay with a 99.9% success rate.
The security update aims to simplify trust in email sources for users and eliminate vulnerabilities leveraged by cyber attackers. | Details |
| 2024-04-01 19:26:01 | bleepingcomputer | DATA BREACH | OWASP Reports Data Breach Due to Wiki Configuration Error | OWASP disclosed a data breach that exposed resumes containing personal information due to a MediaWiki server misconfiguration.
The breach affected members from 2006 to 2014 who had submitted resumes during the earlier membership application process.
Exposed data included names, email addresses, phone numbers, physical addresses, and other personal information.
The breach was discovered after OWASP received several support requests in late February.
OWASP has contacted affected individuals, assuring that outdated information poses a limited risk and advising caution if details are current.
As a response, OWASP disabled directory browsing, reviewed server configurations, removed resumes, purged caches, and requested Web Archive to delete exposed data.
The nonprofit, focusing on software security, no longer collects resumes as part of the membership process, which reduces the risk of such exposure in the future. | Details |
| 2024-04-01 18:39:58 | bleepingcomputer | DATA BREACH | MarineMax Suffers Customer and Employee Data Theft Post Cyberattack | MarineMax, a leading boat and yacht retailer, experienced a data breach following a cyberattack in March.
Despite claiming no sensitive data storage in the affected systems, personal information of customers and employees was stolen.
Cybercrime organization Rhysida, operating a Ransomware-as-a-Service, claimed responsibility and is demanding 15 BTC for the stolen data.
Exfiltrated data, including personal identification documents and financial records, was posted on the dark web by Rhysida.
The revenue reported by MarineMax in the previous year was $2.39 billion, highlighting the scale of the affected organization.
Rhysida is known for high-profile breaches, such as those against the British Library and Chilean Army, as well as a recent incident involving Sony's Insomniac Games. | Details |
| 2024-04-01 16:06:53 | bleepingcomputer | CYBERCRIME | FTC Reports Over $1 Billion Lost to Impersonation Scams in 2023 | Americans reported over $1.1 billion in losses due to impersonation scams in 2023, tripling the losses from 2020.
The Federal Trade Commission (FTC) released data indicating 490,000 scams, with the majority involving business and government impersonations.
Scammers commonly use phone calls, but email and text message schemes are increasing annually.
The FTC's report indicates a trend of scammers impersonating multiple entities in a single fraud attempt, such as fake employees from popular brands transferring victims to fraudulent banks or government agencies.
The top five scam types include both business and government impersonation, with scammers often using advanced techniques to deceive victims.
The FTC emphasizes consumer education on scam prevention methods, like scrutinizing unsolicited messages and verifying the legitimacy of requests for money transfers.
New rules will empower the FTC to pursue civil penalties and restitution in federal courts against scammers fraudulently using government or business identifiers. | Details |
| 2024-04-01 15:05:34 | bleepingcomputer | DATA BREACH | Over 1.3 Million Users Affected in PandaBuy Data Leak Incident | Over 1.3 million PandaBuy customers' data has been leaked after a breach by two threat actors exploiting multiple vulnerabilities.
PandaBuy, a platform for international shopping from Chinese e-commerce sites, has suffered a significant compromise of user data.
Threat actors 'Sanggiero' and 'IntelBroker' claimed credit for the breach, indicating they used critical API vulnerabilities for access.
The leaked data includes user IDs, names, contact details, order information, and addresses, partially available for purchase on a forum with cryptocurrency.
Have I Been Pwned has confirmed the exposure of 1,348,407 accounts, although the actual number of unique affected users is somewhat lower than the 3 million claimed by the threat actors.
There has been no official statement from PandaBuy, and there are allegations of the company attempting to censor discussions about the breach on social media platforms.
PandaBuy advised customers to change their passwords and remain alert for scams resulting from the breach.
The affected users' data has been added to Have I Been Pwned for notification purposes. | Details |
| 2024-04-01 14:50:00 | theregister | DATA BREACH | Harvard Pilgrim Health’s Data Breach Affects 2.9 Million Individuals | Nearly 2.9 million people were affected by a data theft incident at Harvard Pilgrim healthcare that was discovered a year ago.
The breach occurred during a March ransomware attack on systems related to the health service company’s commercial and Medicare Advantage plans.
Sensitive personal information including names, addresses, phone numbers, social security numbers, and clinical data was compromised.
Harvard Pilgrim has sent notification letters to the victims and has been updating the number of people affected over the months.
The company is offering credit monitoring and identity protection services, although there is no indication that the stolen data has been misused as of yet.
The investigation is still ongoing, and Harvard Pilgrim will continue to notify additional affected individuals as more information is uncovered.
In parallel, Sellafield Ltd faces prosecution for cybersecurity failures, and TheMoon botnet targets end-of-life SOHO routers, with more than 40,000 systems compromised worldwide. | Details |
| 2024-04-01 13:58:45 | thehackernews | CYBERCRIME | Indian Nationals Rescued from Forced Cybercrime Operations in Cambodia | The Indian government successfully repatriated around 250 citizens from Cambodia who were coerced into conducting cyber scams.
These individuals were deceived by job offers but ended up trapped in illegal cyber activities and cyber slavery.
Efforts are ongoing with Cambodian authorities to dismantle the recruitment networks accountable for this fraud.
Investigations reveal the alarming scale of human trafficking-fueled fraud, with thousands of Indians exploited.
Scammers, particularly in pig butchering scams, create romantic illusions to swindle victims out of funds through phony cryptocurrency investments.
Some victims were freed after their families paid ransoms; scammers garner significant crypto inflows, often through sophisticated techniques to bypass security measures.
Recent research has highlighted the exploitation of cryptographic functions in Ethereum called CREATE2, allowing scammers to evade detection and steal cryptocurrencies. | Details |