Daily Brief

2024-02-21 07:34:02 theregister MISCELLANEOUS GDPR Impact Study Reveals Substantial Cost Increase for EU Firms
GDPR has led to significant reductions in data storage and processing for European companies due to increased management costs. The cost of GDPR compliance can range from $1.7 million for SMBs to $70 million for large organizations. European firms decreased data storage by 26% and data processing by 15% compared to US firms. GDPR has necessitated measures that, on average, represent a 20% increase in the cost of data for EU firms, with even higher impacts on data-intensive industries. GDPR compliance has also led to higher information production costs, but not as much as data storage or computation costs. The economic study did not assess the benefits of GDPR to consumers, though prior research indicates it generally provides positive privacy benefits.
2024-02-21 07:18:36 thehackernews MISCELLANEOUS Signal Enhances Privacy with Optional Usernames Feature
Signal, the encrypted messaging app, has introduced a feature for creating unique usernames, enhancing user privacy by allowing individuals to communicate without sharing their phone numbers. This measure is a response to privacy concerns, ensuring that a user's phone number will no longer be automatically visible to everyone they chat with. Contacts who already have a user's phone number saved will continue to see it, maintaining convenience for known connections. To further reduce the risk of impersonation, usernames require the inclusion of two or more digits at the end and can be changed multiple times if desired. Signal is making the visibility of phone numbers an opt-in feature, going a step further to conceal them by default from those not saved in a user's contacts list. Additionally, Signal has introduced a privacy setting that allows users to control who can find them by their phone number within the app, restricting unsolicited messages. These updates are part of Signal's ongoing efforts to provide secure, private communication options for its users in an increasingly security-conscious digital landscape.
2024-02-21 06:07:14 thehackernews CYBERCRIME Ukrainian Defense Targeted by Russian-Linked Disinformation Cyberattacks
Russian-aligned hackers have targeted Ukraine with disinformation and attempts to harvest Microsoft login credentials through spam emails and spear-phishing attacks. ESET, a Slovak cybersecurity firm, attributed the attacks to Russian threat actors and codenamed the campaign 'Operation Texonto.' The disinformation spread involved emails with PDF attachments about heating, drug, and food shortages in Ukraine, some pretending to be from Ukrainian ministries. The campaign intensified with a second wave of emails during the holiday season, some suggesting extreme measures to avoid military drafts, and targeted Ukrainian speakers in Europe. Attackers used a domain initially involved in phishing to send spam advertising a fake Canadian pharmacy, possibly as a financial ploy after the phishing campaign was uncovered. Though no specific Russian threat actors were identified, techniques used in Operation Texonto overlapped with those of COLDRIVER, known for credential phishing. The situation reflects the ongoing influence operations amidst the war, alongside the decline of Russian state media's reach on social media platforms due to Western blocks and a strategy shift towards domestic audiences.
2024-02-21 05:36:33 thehackernews CYBERCRIME VMware Advises Uninstalling Plugin to Counter Critical Security Flaw
VMware has issued an advisory to uninstall its Enhanced Authentication Plugin (EAP) due to a critical security vulnerability. The flaw, tracked as CVE-2024-22245 with a CVSS score of 9.6, could allow attackers to request and relay tickets for arbitrary Active Directory Service Principal Names (SPNs). EAP has been deprecated since March 2021 and was used for direct login to vSphere's management interfaces via web browsers. An additional session hijack flaw, CVE-2024-22250 with a CVSS score of 7.8, was also found, allowing potential privilege escalation on Windows systems. VMware will not release a fix; instead, it recommends complete removal of EAP from client systems to mitigate risk. The article also references a separate incident where SonarSource disclosed moderate-severity XSS vulnerabilities (CVE-2024-21726) in Joomla! CMS, which have been patched. Critical vulnerabilities and misconfigurations in Salesforce's Apex programming language were identified, potentially allowing data leakage, corruption, and business function compromise.
2024-02-21 04:35:25 theregister MISCELLANEOUS Inefficiencies in China's Complex Censorship Bureaucracy Revealed
China's censorship system is extensive but suffers from bureaucratic overlap, inconsistent development, and underfunding, a USCC-commissioned report by Exovera reveals. Key censorship agencies in China, like the Central Propaganda Department and Cyberspace Administration, have overlapping functions, leading to inefficiencies. Local censorship efforts are disorganized, with regional governments relying on ad hoc channels for information control, often criticized for being "careless" in their approach. The lack of skilled staff at local levels means censorship duties sometimes fall to part-time workers or volunteers, creating potential gaps in information control that may incite social unrest. Despite varying resources—some regional bodies operate with limited budgets and human resources—uniform results are expected in the implementation of censorship. Chinese internet service providers and technology giants contribute to the censorship efforts with dedicated in-house or outsourced teams. Recommendations for the US include promoting alternative views in China through methods like satellite broadband, and developing tools to defend against China's propaganda and botnet attacks. The think tank urges the US to study Chinese tactics in influencing foreign companies and to consider sanctions on technology that supports China's AI-powered censorship.
2024-02-21 01:01:51 theregister CYBERCRIME Singapore Central Bank Urges Financial Sector to Prep for Quantum Threats
The Monetary Authority of Singapore (MAS) has recommended that financial institutions prepare for quantum computing threats, suggesting the adoption of post-quantum cryptography (PQC) and quantum key distribution (QKD). MAS highlights that quantum computing could compromise current encryption and digital signature algorithms, posing significant cybersecurity risks within the coming decade. Financial institutions should monitor quantum computing advancements and ensure they can update cryptographic measures without disrupting current systems. MAS emphasizes the importance of awareness within institutions, especially among third-party providers and management, in understanding and mitigating quantum risks. Upgrading systems to be quantum-resistant is advised, along with implementing personnel training, setting standards, and preparing contingency plans. The advisory is likely to influence financial services across Asia, given Singapore's growing status as a regional financial hub. Industry experts support MAS's advisory, noting recent developments that show cryptographically relevant quantum computers may be nearer than expected. Cybersecurity professionals recommend early action to guard against potential "capture now decrypt later" attacks, highlighting the longevity of sensitive data's relevance.
2024-02-20 21:02:45 bleepingcomputer CYBERCRIME VMware Advises Removal of Outdated Plugin to Thwart Attacks
VMware has warned admins to remove the vulnerable Enhanced Authentication Plug-in (EAP). Two unpatched security vulnerabilities, CVE-2024-22245 and CVE-2024-22250, enable authentication relay and session hijack attacks in Windows domain environments. The deprecated EAP allows seamless logins to VMware's management interfaces but has been outmoded since vCenter Server 7.0 Update 2 in March 2021. There are no current indications that the vulnerabilities have been exploited in the wild; however, VMware provides guidelines for removing or disabling the plugin. The deprecated plugin must be manually installed, and VMware recommends using alternative authentication methods like Active Directory over LDAPS or ADFS. VMware disclosed that a critical vCenter Server vulnerability patched in October was actively exploited by the UNC3886 Chinese cyber espionage group for over two years.
2024-02-20 20:42:09 bleepingcomputer CYBERCRIME Researchers Uncover Wireless Charging Exploit That Damages Phones
A new set of attacks, named 'VoltSchemer,' can manipulate a smartphone's voice assistant and cause physical damage through wireless chargers. Academic researchers from the University of Florida and CertiK demonstrate that the magnetic field from wireless chargers can be interfered with to induce harmful effects on smartphones. Electromagnetic interference is used to manipulate the charger’s behavior without physically altering the charging station or smartphone. Attack methods include overheating the phone to dangerous levels, bypassing safety standards to transfer energy to unintended items, and injecting voice commands. Experiments reveal that a smartphone can overheat to the point of emergency shutdown, while nearby metallic objects can reach temperatures high enough to cause fires or damage. In one scenario, voice commands were covertly transmitted to a phone's voice assistant, including initiating calls or launching apps. The risks exposed underscore the need for improved security designs in wireless charging technology to prevent potential misuse. The research team has informed wireless charger manufacturers of their findings to discuss potential countermeasures against such attacks.
2024-02-20 19:40:56 bleepingcomputer MALWARE New Migo Malware Targets Redis Servers for Cryptojacking
Security researchers have uncovered a malware campaign targeting Redis servers for cryptocurrency mining using a malware called 'Migo'. Attackers exploit unprotected Redis servers on Linux hosts, deploying system-weakening commands to disable security features and facilitate prolonged cryptojacking activities. The campaign was identified by Cado Security through their honeypots, revealing the use of command-line instructions to deactivate protective configurations and exploit the server's resources. Once the Redis server is compromised, attackers establish a cron job to download and execute the primary payload, a UPX-packed ELF binary compiled in Go named Migo, from a file-sharing service. Migo’s primary purpose is to download, install, and execute a modified version of the XMRig Monero miner, establishing persistence through a systemd service. The malware includes a user-mode rootkit that hides its processes and files by intercepting system tools, complicating detection and removal. Attackers conclude the campaign by setting up firewall rules, disabling SELinux, neutralizing competing miners, and manipulating '/etc/hosts' to obstruct communications with cloud services. While the cryptojacking does not pose an immediate threat of data disruption or corruption, the access gained could potentially be leveraged to deploy more harmful payloads.
2024-02-20 16:53:00 bleepingcomputer MALWARE ConnectWise Patches Critical RCE Vulnerability in ScreenConnect
ConnectWise issued an immediate patch advisory for a critical authentication bypass flaw in ScreenConnect servers, leading to potential remote code execution (RCE). The vulnerability can be exploited without user interaction in low-complexity attacks, posing a serious risk of unauthorized data access or code execution on affected systems. High-privilege actors could also exploit a separate patched path traversal defect in ScreenConnect's remote desktop software. Security researchers at Huntress have developed a proof-of-concept (PoC) exploit, highlighting that thousands of servers are still vulnerable according to searches on Censys and Shodan platforms. On-premise ScreenConnect servers running versions older than 23.9.7 are at risk, while cloud servers on screenconnect.com have been secured. Industry advisories have previously noted that legitimate remote desktop tools like ScreenConnect are increasingly repurposed by attackers for unauthorized network access and as a means for persistent threats.
2024-02-20 16:32:17 bleepingcomputer CYBERCRIME Knight Ransomware Source Code Up for Sale on Hacker Forum
The alleged source code for Knight ransomware version 3.0 is being offered for sale by the operation's representative on a cybercriminal forum. Knight ransomware, a re-brand of Cyclops, targets a variety of systems and offers a 'lite' version for smaller-scale affiliates. Cyber-intelligence firm KELA observed the sale announcement on the RAMP forums by a user known to represent the Knight group. The advertisement promises exclusive sale of the source code, including the encryption panel and locker, to maintain its value. The seller, using the alias Cyclops, has not mentioned a specific price but insists on a deposit from reputable buyers with the transaction guaranteed through RAMP or XSS forums. Contact details for the potential transaction have been provided by the seller, adding legitimacy to the offer. Activity from Knight ransomware representatives has ceased on various forums since December 2023, and the victim extortion portal went offline in February 2024. KELA suggests that the inactivity of the Knight ransomware operation might indicate a move to exit the criminal business by selling off their assets.
2024-02-20 16:06:07 theregister CYBERCRIME International Law Enforcement Successfully Dismantles LockBit Ransomware Operation
Western authorities dismantled LockBit ransomware infrastructure in a coordinated effort named "Operation Cronos." The takedown included the seizure of the group's leak site, once used to publish victim information, now repurposed to reveal LockBit's secrets. The UK's National Crime Agency (NCA) controls the leak site, with countdown timers indicating when new information will be released, including the identity of LockBit's leader. Arrests have been made in Ukraine and Poland, building on previous arrests in the US and Canada. Additional indictments have been issued against Russian nationals alleged to have deployed LockBit ransomware in the US. The NCA acquired LockBit's source code and intelligence data, revealing that ransom-paying victims' data was not always deleted as promised by the criminals. Over 200 cryptocurrency accounts associated with LockBit have been frozen, and victim decryptors are being made available through the FBI and Europol's "No More Ransom" portal. Further disclosures are planned throughout the week, culminating in the unveiling of LockBitSupp's identity and insights into the gang's cryptocurrency transactions before the leak site is closed permanently.
2024-02-20 15:25:07 thehackernews MALWARE Novel 'Migo' Malware Attacks Redis Servers for Crypto Mining
A new malware campaign targeting Redis servers is facilitating cryptojacking by compromising Linux hosts for cryptocurrency mining. The campaign uses the Migo malware, a Golang ELF binary with obfuscation features that maintains persistence on infected machines. Migo works by disabling specific Redis server configurations to weaken security defenses and set up future attacks. It establishes persistence, removes competing miners, and deploys an XMRig installer for mining operations. Migo also disables SELinux and uses a modified version of the libprocesshider rootkit to conceal malicious activities. The campaign was discovered when unusual commands targeted honeypot instances of Redis servers, commonly used in cloud environments. While the operations resemble those of established cryptojacking groups, the exact intentions and targets remain partially unclear, demonstrating persistent evolution in cloud-focused attack strategies.
2024-02-20 15:19:45 theregister DATA BREACH Wyze Camera Snafu Exposes Users' Feeds to Strangers
Wyze, a smart home security camera company, experienced a cybersecurity incident affecting around 13,000 users. Due to a third-party caching client library error, some Wyze customers had access to other users' camera feeds. The issue occurred following a system outage and the subsequent restoration of service, causing device ID and user ID mappings to be confused. Wyze took immediate action by revoking access to the Events tab and is implementing additional measures to prevent future incidents. Despite having a security team and undergoing multiple audits, Wyze acknowledged the incident as disappointing and contrary to its commitment to customer protection. The company is exploring new client libraries and has added extra verification layers to safeguard user-device relationships. Some Wyze users have reported feeling violated by the privacy breach; online discussion has been largely negative, with some users calling for review bombing across various platforms.
2024-02-20 15:04:05 bleepingcomputer CYBERCRIME The Evolution of Ransomware: Targeting and the Cybercrime Supply Chain
Ransomware groups largely rely on the cybercrime supply chain, where access to targets is purchased rather than independently discovered. Infostealer malware, which steals sensitive data like credentials and self-terminates, has seen significant growth and often results in ransomware attacks. Threat actors monetize stolen data via Telegram channels. Flare has tracked over 46 million stealer logs, with many containing corporate credentials. Initial access brokers specialize in gaining and selling access to company networks to ransomware groups and affiliates, with more than 500 entities breached in 2023. The ransomware ecosystem is expanding, with over 50 active groups and a complex network of affiliates who execute attacks and share profits. The competition among ransomware groups for skilled affiliates is intense, as demonstrated by public accusations and disputes on dark web forums. Building a Continuous Threat Exposure Management (CTEM) program is presented as essential for companies to disrupt the cybercrime supply chain and mitigate threats. Flare offers a Continuous Threat Exposure Management (TEM) solution for organizations to detect, assess, and mitigate cyber threats, integrating with security programs to enhance defenses.