Daily Brief

Find articles below, see 'DETAILS' for generated summaries

2024-03-15 07:53:16 thehackernews MISCELLANEOUS Google Strengthens Chrome's Safe Browsing with Real-Time Protection
Google announces enhanced Safe Browsing for Chrome, offering real-time URL checks to prevent users from visiting malicious sites. The new protection mode on Chrome desktop and iOS will compare sites against Google's updated list of known unsafe sites in real time, aiming to block 25% more phishing attempts. Previously, Chrome relied on a locally stored list of unsafe sites, updated every 30-60 minutes; now it will use a more dynamic, server-side check without disclosing users' browsing history. Phishing domains often have short lifespans, with 60% existing for less than 10 minutes, so URL blocklists need more agile and frequent updates. To perform checks, Chrome will send truncated, encrypted URL hashes to a privacy server that anonymizes user data before querying Google's Safe Browsing server. The privacy server, an Oblivious HTTP (OHTTP) relay, prevents any single party from seeing both the user's IP address and the URL hash prefixes, preserving user privacy. Google has confirmed that the privacy server's role is to prevent the Safe Browsing server from accessing users' IP addresses and associating URL checks with individual browsing histories.
2024-03-15 06:21:44 thehackernews MALWARE Malicious Fake Software Ads Infect Chinese Users with Geacon Trojan
Chinese internet users searching for Notepad++ and VNote are being targeted by trojanized versions of these applications, distributed through misleading ads on search engines like Baidu. The fake sites serving the infected software resemble legitimate product pages but include inconsistencies in website addresses and mismatched download offers. The Windows installer link on the fake Notepad++ site points to an official repository, while the Linux and macOS downloads lead to packages hosted on a suspicious server. The altered installers are designed to download an advanced backdoor similar to Geacon, capable of carrying out multiple malicious activities, including file operations and establishing SSH connections. HTTPS is used for communication between the infected systems and the command-and-control servers, allowing discreet data transmission. The malvertising campaign spreading these malicious installers is linked to other instances in which software masquerading as popular productivity tools was used to deliver malware.
2024-03-14 23:40:31 theregister NATION STATE ACTIVITY Senator Highlights National Security Risks in Chinese Safe Locks
US Senator Ron Wyden expresses concern over Chinese-manufactured electronic safe locks being a national security risk. Wyden's letter to the National Counterintelligence and Security Center (NCSC) raises alarms about potential espionage via backdoor codes in safe locks used by American businesses. Government agencies can access manufacturer reset codes, which could also be exploited by foreign adversaries to steal intellectual property. The Department of Defense is aware of the threat posed by these reset codes but has not informed the public to prevent the disclosure of this vulnerability. Wyden accuses federal agencies of silently protecting their interests while leaving American businesses vulnerable to foreign espionage. The senator urges the NCSC to educate businesses on using locks that meet US government security standards, which presumably do not include such backdoors. SECURAM Systems, a major seller of these electronic safe locks in the US, is obliged to obey Chinese law, including potential surveillance cooperation with the Chinese government.
2024-03-14 21:02:35 bleepingcomputer MALWARE StopCrypt Ransomware Evolves with Stealthier Multi-Stage Attack
A new, more advanced StopCrypt ransomware variant uses a multi-stage execution process and shellcode to avoid detection. Unlike major ransomware operations targeting businesses, STOP prefers numerous lower-value consumer ransoms and is largely distributed through shady websites. Distribution methods include malvertising and packaging with seemingly free adware bundles that also install other malware such as password stealers. The new version first runs a benign-looking file and loops through time delays, then moves to a process hollowing technique for stealth. The ransomware achieves persistence, alters ACLs to prevent file deletion, and encrypts files, appending ".msjd" or other extensions, before demanding a ransom payment. Although STOP ransomware focuses on consumer targets without data theft, its evolution into a difficult-to-detect strain risks widespread damage to individuals.
2024-03-14 20:26:50 theregister CYBERCRIME FTC Exposes Antivirus Scam, Secures $26 Million Settlement
Restoro and Reimage, two Cyprus-based tech support businesses, settled with the FTC for $26 million after being accused of running a Windows antivirus scam. The FTC claimed these firms strong-armed consumers into paying for unnecessary cleanup services and software by using scare tactics. FTC's undercover agents purchased services from the companies, revealing that the firms falsely claimed the agents' PCs needed extensive additional repairs. The scam particularly targeted older individuals, deceiving them into free performance checks that led to fabricated issues and high fees for remote services. The FTC charges included violations of deceptive representation under the FTC Act and deceptive calls under the Telemarketing Sales Rule. Although Restoro and Reimage have not admitted to any wrongdoing, they have ceased new transactions and renewals, according to a supposed FAQ on their websites, which are currently not accessible. The FTC's undercover investigation involved purchasing and testing the suspect services, verifying these allegations of fraud firsthand.
2024-03-14 18:55:02 bleepingcomputer CYBERCRIME SIM Swappers Exploit eSIM Technology to Hijack Phone Numbers
SIM swappers are now targeting eSIMs to port victims' phone numbers to devices under their control. eSIMs (Embedded Subscriber Identity Modules) are digital, can be reprogrammed remotely, and are becoming prevalent in modern smartphones and wearables. Cybersecurity firm F.A.C.C.T. observed over a hundred attempts at one financial organization to gain access to personal accounts through eSIM hijacking. Attackers gain control of a user's service provider account, generate a QR code for a new eSIM, and scan it to transfer the victim's phone number to their device. Once attackers hijack the phone number, they can receive access codes and two-factor authentication tokens, allowing them to access bank accounts and other secure services. Cybercriminals also exploit the hijacked number for scams in messenger apps by impersonating the victim. Traditional SIM swapping involved social engineering or insider assistance but is now shifting towards exploiting newer technologies like eSIMs. Experts recommend strong, unique passwords and two-factor authentication for service provider accounts, and suggest using physical keys or authenticator apps for critical accounts.
2024-03-14 18:29:14 theregister CYBERCRIME LockBit Ransomware Administrator Sentenced to Four Years
Mikhail Vasiliev, a Canadian-Russian dual national and key figure within the LockBit ransomware group, has been sentenced to nearly four years in prison by a Canadian court. Vasiliev has been ordered to pay restitution exceeding CA$860,000 to some victims and faces extradition to the United States for additional charges. He pleaded guilty to cyber-extortion, mischief, and weapons charges related to attacks on Canadian businesses. The LockBit ransomware group has extorted over $120 million since 2020, targeting over 2,000 victims. Despite takedowns of LockBit's infrastructure earlier this year, the group remains active, with new victim listings appearing shortly after the law enforcement actions. Few LockBit members have been apprehended; Vasiliev is one of just three individuals named, with only one other arrested. Law enforcement found evidence at Vasiliev's home linking him to LockBit's operations, including a target list and communications with the group's leader. Vasiliev's transition to cybercrime was purportedly influenced by the isolation during the pandemic, according to his defense lawyer.
2024-03-14 18:13:47 bleepingcomputer CYBERCRIME Cybercriminals Exploit eSIMs to Hijack Phone Numbers and Access Accounts
Hackers have updated their techniques to execute SIM swap attacks using eSIM technology. eSIMs are digital SIM cards embedded in mobile devices, offering the same functionalities as traditional SIMs but with the ability to be reprogrammed remotely. Cybersecurity firm F.A.C.C.T. reports numerous attempts by fraudsters to take over online service accounts, particularly targeting a financial organization. Attackers gain control of a user's service provider account to port the victim's phone number to a device with an eSIM, thereafter gaining access to the victim's calls and messages. Once in possession of the phone number, criminals can intercept access codes and two-factor authentication tokens, compromising bank accounts and other sensitive services. Fraudsters can also access and manipulate the victim's messaging accounts, further spreading scams and requesting money from contacts. Security experts advise using complex passwords, enabling two-factor authentication for provider accounts, and considering additional protective measures like physical security keys for critical accounts like e-banking and crypto wallets.
2024-03-14 18:03:22 theregister CYBERCRIME Google Boosts Chrome's Safe Browsing with Enhanced Privacy
Google has upgraded its Safe Browsing service, providing real-time online threat protection while maintaining user privacy. The enhanced service prevents Chrome users from leaking browsing history to Google, addressing privacy concerns. Standard Safe Browsing now offers more comprehensive, real-time checks, similar to those previously available only in the Enhanced Protection mode. The system uses hash-based checks and the Oblivious HTTP (OHTTP) protocol to anonymously verify site safety without revealing user identity. Fastly's privacy servers strip identifiable information before forwarding data to Google's Safe Browsing server. This update is significant because of the increasing number of unsafe sites that appear and disappear within minutes, outpacing static lists. The Password Checkup feature on iOS will also warn about weak and reused passwords, further improving user security.
2024-03-14 16:41:45 bleepingcomputer MISCELLANEOUS Restoro and Reimage Settle for $26M Over Deceptive Practices
Tech support companies Restoro and Reimage have agreed to pay $26 million to settle FTC charges of deceptive marketing and scare tactics. The two firms misled customers with false computer threat alerts to sell unnecessary repair services, particularly exploiting older consumers. The Federal Trade Commission (FTC) found that online ads and pop-ups from these companies fraudulently impersonated Microsoft system warnings. FTC investigations revealed that the companies' diagnostics software claimed non-existent issues, prompting unnecessary purchases of repair plans. After gaining remote access to consumers' computers, telemarketers would then claim serious computer issues and upsell more expensive repair plans. The proposed FTC order, awaiting court approval, prohibits the companies from continuing their deceptive marketing and scare tactics. The FTC's recent actions also include banning Avast from selling browsing data and imposing restrictions on other companies for misleading practices.
2024-03-14 16:11:00 theregister DATA BREACH France Travail Suffers Massive Data Breach Impacting 43 Million Citizens
France's unemployment department, France Travail, reported a significant data breach affecting data dating back 20 years and up to 43 million individuals. Exposed information includes names, birth dates, social security numbers, and contact details, while passwords and banking details remain secure. The breach occurred between February 6 and March 5, and French citizens are advised to be vigilant against phishing attacks. The Cybercrime Brigade of the Paris Judicial Police is investigating the incident, believed to involve a combination of social engineering and technical attack vectors. France Travail is working to notify affected individuals and has promised to strengthen its cybersecurity measures in response to increasing threats. This breach comes on the heels of other significant French data breaches and DDoS attacks on government departments, suggesting a rise in cyber threats against France. France Travail's breach is now considered the largest in the country's history, eclipsing the previous record set by breaches at Viamedis and Almerys.
2024-03-14 16:00:37 bleepingcomputer CYBERCRIME Google Chrome Enhances Privacy-Focused Phishing Protection
Google is set to update its Safe Browsing feature in Chrome, providing real-time phishing and malware protection. The protection will be available without compromising user privacy, utilizing encryption and privacy-enhancing techniques. The updated Safe Browsing will counter transient malicious websites by checking against server-side lists in real-time, aiming to block 25% more phishing attempts. This feature will also extend to Android devices, ensuring widespread security across different platforms. An "Enhanced Protection" mode is available for users seeking proactive defense, leveraging AI for deeper scans of downloads. User privacy is maintained through Fastly Oblivious HTTP (OHTTP) relays, which hide IP addresses and mix user requests to prevent identity matching. Google ensures that no single entity, including themselves or Fastly, can decrypt both the URL hash prefixes and the originating IP addresses, reinforcing user privacy.
2024-03-14 15:04:22 theregister CYBERCRIME Global Initiative Targets Disruption of Cybercrime Networks
The Cybercrime Atlas initiative has moved into its operational phase in 2024 with aims to map and disrupt global cybercriminal activities. Launched by the World Economic Forum (WEF) in 2023, the project involves public-private collaboration, including major players like Banco Santander, Fortinet, Microsoft, and PayPal. The initiative now counts over 20 law enforcement agencies, security firms, financial institutions, NGOs, and academics among its members. The group aims to target the infrastructure of cybercriminal groups, facilitate arrests, and attribute attacks, thus hindering their operations and profitability. Despite previous takedowns, cybercrime persists, with recent ransomware attacks on America's healthcare system and the British Library emphasizing the urgency of this initiative. The Cybercrime Atlas seeks to create actionable intelligence to challenge cybercriminals and has placed cyber threats on the agenda for CEOs and boards. The WEF is also addressing the cybersecurity skills gap and engaging non-cybersecurity audiences in discussions on combating ransomware and improving organizational cybersecurity resilience.
2024-03-14 14:08:19 theregister DATA BREACH Investigation Into Change Healthcare's Massive Data Theft Underway
The US Department of Health and Human Services is starting an investigation into Change Healthcare after a reported 6 TB data theft by the ALPHV ransomware group. Change Healthcare's recovery from the cyberattack is underway, with critical services including prescription processing and insurance claims slowly coming back online. ALPHV claimed responsibility for the attack and the theft of sensitive data, which may include health information of US military personnel and payment details. The actual contents of the stolen data have not been confirmed by Change Healthcare, and security experts have detected a $22 million Bitcoin transaction possibly linked to the ransomware payment. Multiple class action lawsuits have been filed against Change Healthcare, and there is a move to consolidate these cases to streamline litigation processes. The cybersecurity measures of Change Healthcare are under scrutiny to check compliance with HIPAA data protection and privacy rules, following the breach.
2024-03-14 13:52:50 thehackernews CYBERCRIME LockBit Ransomware Affiliate Sentenced and Ordered to Pay Restitution
A Russian-Canadian man, Mikhail Vasiliev, has been sentenced to nearly four years in prison in Canada for participating in the LockBit ransomware operation. Vasiliev was arrested in November 2022, following a search of his home where authorities found evidence of his involvement in cyber extortion. He pleaded guilty to multiple charges, including cyber extortion, and has been ordered to pay more than $860,000 in restitution to victims. Vasiliev was labeled a "cyber terrorist" by Justice Michelle Fuerst, who highlighted that he was motivated by greed during the pandemic. LockBit's operations were severely impacted in February 2024 when law enforcement seized its infrastructure and arrested three affiliates. Meanwhile, a federal jury in Washington D.C. convicted Roman Sterlingov of laundering money through Bitcoin Fog, a service used to launder profits from various crimes including computer-related offenses and theft.