Daily Brief

Find articles below; the summaries are machine-generated.

2023-10-31 16:18:42 theregister DATA BREACH FTC Introduces Mandatory 30-Day Data Breach Reporting Deadline for Non-Banking Financial Organisations
The U.S. Federal Trade Commission (FTC) has approved amendments to its Safeguards Rule that require non-banking financial institutions to report data breaches within 30 days. The rule applies to businesses such as insurance firms, mortgage brokers, payday lenders, and car dealerships. Covered entities, those responsible for safeguarding customers' financial information, must notify the FTC of any breach affecting 500 or more consumers as soon as possible and no later than 30 days after discovery. The amendment mirrors breach-notification laws already adopted by U.S. states; California, for instance, requires businesses to disclose breaches affecting 500 or more state residents. The mandatory disclosure is estimated to affect a further 155 firms. The rule takes effect 180 days after publication in the Federal Register, so most likely in 2024. It aligns with the Securities and Exchange Commission (SEC) rules adopted in July, which give public companies an even tighter window of four business days from determining that an incident is material, and with Department of Homeland Security (DHS) work on streamlining federal incident reporting, including a proposed single reporting portal.
2023-10-31 15:27:13 bleepingcomputer CYBERCRIME Prolific Puma: Unmasking the Massive URL Shortening Service for Cybercriminals
Researchers at Infoblox have uncovered a large link-shortening service for cybercriminals run by an actor they call Prolific Puma. Operating undetected for at least four years, the actor has registered thousands of domains, mostly under the U.S. top-level domain (.us), to deliver phishing, scams, and malware. The shortened links typically pass through several redirects before reaching the landing page, and some present a CAPTCHA challenge first, most likely to block automated scanners. The variety of destinations suggests the service is sold to multiple customers; the links are distributed by text message, social media, and advertisements. Since April 2022 the operator has registered up to 75,000 unique domain names across 13 TLDs, the majority in .us. To evade detection and scrutiny, Prolific Puma "ages" its domains, leaving them inactive for a few weeks before moving them to a bulletproof hosting provider. Infoblox believes Prolific Puma provides only the link shortening, with the landing pages controlled by other actors, but does not rule out the possibility that it runs the entire operation.
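Unwrapping the redirect chain is the first triage step for a shortened link like the ones described above. The block below is an added example, not Infoblox's tooling or anything from the report: it follows 3xx hops one at a time with automatic redirects disabled (so nothing beyond the final page is fetched, and no page is rendered), caps the hop count, detects loops, and reports the traits the report associates with Prolific Puma: several hops, .us domains in the chain, and a CAPTCHA gate on the landing page. The hosts, paths and page bodies in CANNED_CHAIN are constructed for the offline demonstration; http_fetch is the equivalent live fetcher and is only used when a URL is passed on the command line.

```python
"""Follow a shortener's redirect chain hop by hop and flag triage signals.

Added example (not from the Infoblox report).  resolve_chain() takes an
injectable fetch(url) -> (status, location, body_head) callable, so the same
logic runs against the constructed CANNED_CHAIN below and, via http_fetch(),
against a live link.  Redirects are never auto-followed, no page is rendered,
and only the first 4 KB of each body is read.
"""
import http.client
from dataclasses import dataclass
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
MAX_HOPS = 10
# TLD the report says the actor favours; a triage signal, not proof of malice.
WATCH_TLDS = {"us"}


@dataclass
class Chain:
    hops: list          # every URL visited, starting with the input
    final_status: int   # status of the last response, or None if the hop cap was hit
    final_body: bytes   # first bytes of the last body
    truncated: bool     # True if we stopped on a loop or the hop cap


def resolve_chain(url, fetch, max_hops=MAX_HOPS):
    """Walk 3xx Location headers manually until a non-redirect, a loop or the cap."""
    hops, seen = [url], {url}
    for _ in range(max_hops):
        status, location, body = fetch(url)
        if status not in REDIRECT_STATUSES or not location:
            return Chain(hops, status, body, False)
        url = urljoin(url, location)      # Location may be relative
        if url in seen:                   # redirect loop
            return Chain(hops, status, body, True)
        seen.add(url)
        hops.append(url)
    return Chain(hops, None, b"", True)   # still redirecting at the cap


def tld(host):
    return host.rsplit(".", 1)[-1].lower() if host else ""


def triage(chain):
    """Summarise the chain and flag the traits described in the report."""
    hosts = [urlsplit(u).hostname or "" for u in chain.hops]
    head = chain.final_body.lower()
    return {
        "redirects": len(chain.hops) - 1,
        "distinct_hosts": len(set(hosts)),
        "tlds": sorted({tld(h) for h in hosts}),
        "multi_hop": len(chain.hops) - 1 >= 2,
        "watch_tld": any(tld(h) in WATCH_TLDS for h in hosts),
        "captcha_gate": chain.final_status == 200 and b"captcha" in head,
        "truncated": chain.truncated,
    }


def http_fetch(url, timeout=10):
    """Live fetcher: one request, redirects not followed, body capped at 4 KB."""
    p = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(p.hostname, p.port, timeout=timeout)
    path = (p.path or "/") + ("?" + p.query if p.query else "")
    conn.request("GET", path, headers={"User-Agent": "Mozilla/5.0"})
    resp = conn.getresponse()
    body = resp.read(4096)
    conn.close()
    return resp.status, resp.getheader("Location"), body


# Constructed chain for the offline demonstration: two .us hops (one with a
# relative Location), then a landing page that gates on a CAPTCHA.
CANNED_CHAIN = {
    "https://short.example.us/a1b2": (302, "https://hop.example.us/r?id=7", b""),
    "https://hop.example.us/r?id=7": (302, "/claim", b""),
    "https://hop.example.us/claim": (307, "https://landing.example/offer", b""),
    "https://landing.example/offer": (200, None, b"<html>Please solve the CAPTCHA to continue</html>"),
}


def canned_fetch(url):
    return CANNED_CHAIN.get(url, (404, None, b""))


if __name__ == "__main__":
    import json
    import sys
    live = len(sys.argv) > 1
    start = sys.argv[1] if live else "https://short.example.us/a1b2"
    chain = resolve_chain(start, http_fetch if live else canned_fetch)
    print(" -> ".join(chain.hops))
    print(json.dumps(triage(chain), indent=2))
```

Domain "aging" cannot be seen from the chain itself; checking registration age needs a WHOIS or RDAP lookup on each host, which this example deliberately leaves out so that it runs offline.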
2023-10-31 15:06:15 bleepingcomputer NATION STATE ACTIVITY Canada Prohibits Use of WeChat and Kaspersky Products on Government Devices
Canada's Treasury Board President, Anita Anand, has announced a ban on Tencent's WeChat app and Kaspersky's security products on government-issued mobile devices, citing privacy and security risks. The government fears the companies could covertly pass sensitive information to Chinese and Russian intelligence agencies. Although no compromise of government data has been confirmed, the risk posed by the apps' data-collection practices, especially on mobile devices, is judged unacceptable. The ban took effect on October 30, 2023, by which date the software had to be removed from devices; downloads are blocked from then on. The government says individuals are free to choose their own apps but points them to the guidance of the Canadian Centre for Cyber Security. Kaspersky says the decision was not based on a technical evaluation of its products, calls it politically motivated and a response to the geopolitical climate, and rejects the allegations as groundless. The U.S., Germany, Italy, and the U.K. have previously voiced concerns about, or imposed restrictions on, Kaspersky products over the risk of Russian espionage.
2023-10-31 14:24:45 bleepingcomputer MALWARE New NuGet Typosquatting Campaign Abuses MSBuild to Install Malware Stealthily
Threat actors are targeting the NuGet package repository in a new typosquatting campaign that abuses NuGet's MSBuild integration to execute code and install malware. ReversingLabs spotted the packages on October 15, 2023. Rather than the usual approach of placing a downloader in an install script, they rely on MSBuild integration: a package can ship .props and .targets files in its build directory, and NuGet automatically imports those files into every project that consumes the package, so whatever they contain runs when that project is built. This automatic execution has long raised security concerns, and the malicious code found by ReversingLabs was hidden in exactly such a build directory. A security researcher demonstrated the technique in 2019 as a way to run code through NuGet package installation, but this is the first recorded use by threat actors. The packages belong to a campaign that began in August 2023 and switched to MSBuild abuse only in mid-October. The attackers have refined their tooling over time, initially using PowerShell scripts to fetch malware from a GitHub repository, and uploaded new packages immediately after the earlier ones were removed, signalling an intent to continue the campaign.
2023-10-31 14:18:34 theregister CYBERCRIME British Library Suffers Major IT Outage In "Cyber Incident"
The British Library is grappling with an unresponsive website, Wi-Fi, phone lines, and other services after a "cyber incident" caused a major IT outage. The outage began on the morning of October 28 and is still being felt at both the St Pancras site in London and the library's sites in Yorkshire. The incident is serious enough that the National Cyber Security Centre (NCSC) is working alongside the library's own specialists on the investigation and response. Despite the outage the library has kept its sites open, using social media to tell visitors which services remain available and to warn of limitations; cash payments are being accepted as a workaround, while ordering and collection of items remain restricted. The library has not yet confirmed the nature of the incident and has not commented on reports of problems with its VMware ESXi servers, which have been blamed for worsening the situation.
2023-10-31 14:18:33 thehackernews CYBERCRIME Arid Viper Group Targets Arabic Android Users with Spyware Disguised as Dating App
The cyber espionage group Arid Viper is behind an Android spyware campaign that targets Arabic-speaking users with a fake dating app. Arid Viper, also tracked as APT-C-23, Desert Falcon, and TAG-63, is reportedly aligned with Hamas, the Islamist militant movement that governs the Gaza Strip, although no evidence links this campaign to the ongoing Israel-Hamas conflict. The malicious app closely mimics a legitimate online dating application called Skipped, in keeping with the group's practice of using social lures to trick its targets. Cisco Talos, which analysed the campaign, notes an extensive network of similar dating-themed apps in official app stores and suggests Arid Viper may use them in future campaigns. Once installed, the spyware can record audio and video, read contacts and call logs, intercept messages, change Wi-Fi settings, close background apps, take photos, and create system alerts. It can also download additional malware disguised as popular apps such as Facebook Messenger, Instagram, and WhatsApp. Recorded Future found indications that may tie Arid Viper to Hamas through infrastructure shared with an Android application named Al Qassam, which was distributed in a Telegram channel affiliated with the Izz ad-Din al-Qassam Brigades, Hamas's military wing.
2023-10-31 12:36:10 theregister MISCELLANEOUS UK Policing Minister Advocates Increased Use of Facial Recognition Technology
Chris Philp MP, the UK's Minister of State for Crime, Policing and Fire, has called on police forces to make greater use of algorithm-assisted facial recognition. The call accompanies a government commitment to spend £17.5m ($21.3m) on a "resilient and highly accurate system" to search every image database accessible to police. Two types of facial recognition are in use: retrospective (RFR), which searches police databases for a match to an image from a crime scene, and live (LFR), which compares real-time camera footage against a predefined watchlist of known criminals or suspects. Philp claims the technology could identify suspects in otherwise intractable or lengthy cases, citing murder, sexual offences, domestic burglary, assault, car theft, and shoplifting. The Metropolitan Police has already used LFR, with a recent deployment at an Arsenal v Tottenham match resulting in three arrests for unrelated offences. However, Dr Tony Mansfield, principal research scientist at the National Physical Laboratory, has raised concerns that the system shows bias against black people when operated at low match thresholds. Civil liberties groups including Big Brother Watch, Liberty, and Privacy International have long criticised police use of facial recognition, notably its planned deployment at the 2017 Notting Hill Carnival.
2023-10-31 12:05:02 thehackernews MALWARE Malicious NuGet Packages Found Distributing SeroXen RAT Malware
Cybersecurity researchers have found malicious packages on the NuGet package manager tied to a coordinated campaign that has been distributing the SeroXen RAT since August 1, 2023. The attackers have been publishing new malicious packages to the repository continuously. The packages imitate popular libraries, span several versions, and abuse NuGet's MSBuild integration, using inline tasks to execute the malicious code; this is regarded as the first known malware to use NuGet inline tasks for code execution. The malicious lines are padded with spaces and tabs so that they sit off-screen in a default editor view, and download counts were artificially inflated to make the packages look legitimate. The packages serve as a conduit for fetching a second-stage .NET payload hosted on throwaway GitHub repositories.
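Both NuGet items above describe the same hook: a package can ship `build/<id>.props` or `build/<id>.targets` (and the buildTransitive and buildMultiTargeting variants), NuGet imports those files into every consuming project, and an inline code task or an Exec command in them runs when that project is built. The block below is an added example, not ReversingLabs' tooling or anything from the reports, showing how a CI gate can triage a .nupkg (which is just a zip archive) for that pattern: it reads only the MSBuild files in the build directories and flags inline code tasks, Exec commands, downloader or launcher keywords, and the long whitespace runs used to push code off-screen. The two packages it scans are constructed inline; the package IDs Example.Lib and Examp1e.Lib, the targets content and the "block/review/clean" policy in verdict() are all made up for the demonstration.

```python
"""Triage a .nupkg for MSBuild hooks that would run code in a consuming build.

Added example, not from ReversingLabs.  NuGet auto-imports build/<id>.props
and build/<id>.targets (also buildTransitive/, buildMultiTargeting/) into
consuming projects, so those files are where a package can run code at build
time.  Findings are triage signals: analyzers and SDK packages ship such
files legitimately, so a hit means "read this file", not "malware".
"""
import io
import re
import sys
import zipfile
from dataclasses import dataclass

HOOK_DIRS = ("build/", "buildtransitive/", "buildmultitargeting/")
HOOK_EXTS = (".props", ".targets")

# One (pattern, reason) per signal, checked per line so the report can point
# at the exact line.  CodeTaskFactory / RoslynCodeTaskFactory are the MSBuild
# inline-task factories; Exec runs an arbitrary shell command.
SIGNALS = (
    (re.compile(r'<UsingTask[^>]*TaskFactory\s*=\s*"(?:Roslyn)?CodeTaskFactory"', re.I),
     "inline code task"),
    (re.compile(r"<Exec\b[^>]*\bCommand\s*=", re.I), "Exec command"),
    (re.compile(r"Invoke-WebRequest|DownloadString|DownloadFile|WebClient|"
                r"Invoke-Expression|\biex\b|powershell|Process\.Start", re.I),
     "downloader/launcher keyword"),
    (re.compile(r"[ \t]{40,}\S"), "whitespace padding (code pushed off-screen)"),
)


@dataclass
class Finding:
    member: str   # path inside the archive
    line: int     # 1-based line number within that member
    reason: str


def is_hook_file(name):
    low = name.lower()
    return low.startswith(HOOK_DIRS) and low.endswith(HOOK_EXTS)


def scan_nupkg(data):
    """Return a Finding for every signal hit in the package's MSBuild hook files."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not is_hook_file(name):
                continue
            text = zf.read(name).decode("utf-8", errors="replace")
            for lineno, line in enumerate(text.splitlines(), 1):
                for pattern, reason in SIGNALS:
                    if pattern.search(line):
                        findings.append(Finding(name, lineno, reason))
    return findings


def verdict(data):
    """Assumed gate policy: a code hook plus any other signal blocks, a lone signal gets review."""
    reasons = {f.reason for f in scan_nupkg(data)}
    if not reasons:
        return "clean"
    code_hook = bool(reasons & {"inline code task", "Exec command"})
    return "block" if code_hook and len(reasons) > 1 else "review"


def build_nupkg(files):
    """Constructed package: a .nupkg is a zip with these members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Benign package (constructed): a nuspec and a library, no build hooks.
BENIGN = build_nupkg({
    "Example.Lib.nuspec": "<package><metadata><id>Example.Lib</id></metadata></package>",
    "lib/netstandard2.0/Example.Lib.dll": "MZ placeholder",
})

# Typosquat (constructed, "1" for "l"): an inline task launching PowerShell
# from a target that runs before Build; the launch line is padded 60 spaces
# to the right so it is off-screen in a default editor view.
PAD = " " * 60
TYPOSQUAT = build_nupkg({
    "Examp1e.Lib.nuspec": "<package><metadata><id>Examp1e.Lib</id></metadata></package>",
    "build/Examp1e.Lib.targets": r"""<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <UsingTask TaskName="Warmup" TaskFactory="RoslynCodeTaskFactory"
             AssemblyFile="$(MSBuildToolsPath)\Microsoft.Build.Tasks.Core.dll">
    <Task>
      <Code Type="Fragment" Language="cs"><![CDATA[
        // stand-in for the second-stage launcher (constructed)
""" + PAD + r"""System.Diagnostics.Process.Start("powershell", "-enc PLACEHOLDER");
      ]]></Code>
    </Task>
  </UsingTask>
  <Target Name="Warmup" BeforeTargets="Build"><Warmup /></Target>
</Project>
""",
})


if __name__ == "__main__":
    samples = [("Example.Lib (constructed)", BENIGN), ("Examp1e.Lib (constructed)", TYPOSQUAT)]
    for path in sys.argv[1:]:          # real .nupkg files to scan, if given
        with open(path, "rb") as fh:
            samples.append((path, fh.read()))
    for label, data in samples:
        print(f"{label}: {verdict(data)}")
        for f in scan_nupkg(data):
            print(f"  {f.member}:{f.line}: {f.reason}")
```

The scanner deliberately ignores install scripts and the library DLLs; it answers only the question the two reports raise, which is whether the package can run code at build time. Any hit should be read in the targets file itself, since legitimate packages use the same mechanism.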
2023-10-31 11:23:54 thehackernews MISCELLANEOUS Introducing PentestPad: A Platform Revolutionizing Performance for Pentest Teams
PentestPad is a platform intended to improve collaboration and speed up delivery for penetration testing teams. It offers automated report generation, real-time collaboration, and integration with common pentesting tools. Project management features let teams control scope and track progress, and a dashboard shows how many projects each person is working on, their findings, and the average criticality per finding. The platform logs activity and, according to the vendor, can detect behaviours such as brute-force attacks and show what led to a successful exploit. Automated reporting is meant to remove formatting work and the back-and-forth over vulnerability descriptions, and a retesting feature uses AI to check whether a previously reported vulnerability is still present. Reports can be white-labelled, the product can be deployed in the cloud or on premises, and it integrates with Slack, Jira, and Active Directory (LDAP).
2023-10-31 11:18:18 thehackernews CYBERCRIME Atlassian Warns of Critical Security Flaw in Confluence Data Center and Server Posing Data Loss Risk
Atlassian has disclosed a critical vulnerability (CVE-2023-22518) in Confluence Data Center and Server that could let an unauthenticated attacker cause significant data loss. The bug is rated 9.1 out of 10 on the CVSS scale and is classed as an improper authorization vulnerability. All versions of Confluence Data Center and Server are affected; Atlassian has released fixes in several versions. According to Atlassian the flaw does not affect confidentiality, as an attacker cannot exfiltrate instance data, and technical details are being withheld to avoid aiding attackers. Customers are urged to upgrade immediately, to take any instance exposed to the public internet offline until it is patched, and, if on an unsupported version, to move to a fixed version. There is no evidence of exploitation in the wild so far, but earlier Confluence flaws such as CVE-2023-22515 have been weaponised by threat actors. Atlassian Cloud sites are not affected.
2023-10-31 10:57:36 thehackernews MALWARE Malvertising Campaign Exploits Google Dynamic Search Ads to Distribute Infected PyCharm Software
A new malvertising campaign uses a compromised website to promote bogus versions of the PyCharm IDE for Python developers in Google search results. Unbeknownst to the site's owners, the ads point to a page on their site that offers a download link for the software, which installs several strains of malware. The campaign exploits Google's Dynamic Search Ads, which generate ads programmatically from a site's own content to match users' search terms: by altering the content of the compromised site, the attackers cause Google to serve search users ads that lead to the malicious download. The site in question is an unnamed wedding-planning portal. Separately, Akamai has detailed a global phishing campaign targeting hospitality sites, with the heaviest DNS traffic observed in Switzerland, Hong Kong, and Canada. The campaign dates back to at least June 2023.
2023-10-31 09:35:44 theregister DATA BREACH Meta Introduces Paid Subscription Service for Ad-Free Experience and Data Privacy in EU, EEA, and Switzerland
From November, Meta will offer Facebook and Instagram users in the EU, EEA, and Switzerland an ad-free subscription; paying means their data is not used for targeted advertising. The service costs €9.99/month on the web and €12.99/month on iOS and Android, with an additional fee for each extra account from March 1, 2024. The move comes amid growing pressure from European regulators over how social media platforms use personal data: recent rulings require explicit consent for targeted ads, and the subscription model is Meta's answer. Meta relies on a Court of Justice of the European Union (CJEU) ruling that it reads as accepting a paid alternative as a valid basis for consent to an ad-funded service, so that users who do not subscribe are treated as consenting to personalised advertising. Privacy campaigner Max Schrems argues that a fee is not what the CJEU meant by an "appropriate" alternative; he says the court's remark was obiter dictum, a passing comment outside the core issues of the case, and has promised to fight Meta's approach. Meta also faces a challenge over users under 18: the subscription is only available to adults, so it must shape its ad experience for teenagers in line with evolving regulation. As a designated gatekeeper under the European Commission's Digital Markets Act, Meta is also likely to face scrutiny under the Digital Services Act over its handling of children's data for advertising.
2023-10-31 08:24:12 thehackernews NATION STATE ACTIVITY Canada Bans Tencent's WeChat and Kaspersky Apps on Government Devices Due to Security Risks
The Canadian government has banned apps from Tencent and Kaspersky on government mobile devices, citing an "unacceptable level of risk to privacy and security". The applications concerned, Tencent's WeChat and Kaspersky's suite, were removed from all government-issued mobile devices when the ban took effect on October 30, 2023, and users of those devices are now blocked from downloading them; the government describes the decision as the outcome of a risk-based approach to cybersecurity. Treasury Board President Anita Anand pointed to the considerable access these apps have to a device's contents as the reason for the ban. Kaspersky, the Russian security vendor, called the decision political, unsupported by evidence, and a reaction to the current geopolitical climate. The move follows the February 2023 ban on TikTok from government devices on similar grounds, and the U.S. FCC's March 2022 listing of Kaspersky among companies that pose an "unacceptable risk to the national security".
2023-10-31 06:32:09 thehackernews MISCELLANEOUS Meta Introduces Paid Ad-Free Subscription in Europe to Comply with Privacy Laws
Meta will launch a paid ad-free subscription for Facebook and Instagram users in the EU, EEA, and Switzerland next month, citing "evolving" data protection regulations. The subscription costs €9.99/month on the web and €12.99/month on iOS and Android and covers all accounts linked in a user's Accounts Center; from March 1, 2024, each additional account will cost a further €6/month on the web or €8/month on iOS and Android. The move follows a €390 million fine in January for breaches of the EU's General Data Protection Regulation, imposed because Meta forced users to accept targeted advertising; in August 2023 the company said it would move to a consent-based approach for its advertising. Meta will also temporarily pause ads for users under 18 in the regions where the subscription is available, effective November 6, 2023.
2023-10-31 05:10:20 theregister CYBERCRIME Atlassian Calls for Immediate Patching of Critical Confluence Flaw
Atlassian has urged customers to patch a critical flaw in its Confluence collaboration tool immediately, warning of a risk of "significant data loss". The Australian vendor's October 31 advisory describes an "improper authorization vulnerability" in Confluence Data Center and Server rated 9.1/10 on the Common Vulnerability Scoring System. Atlassian has not yet given specifics on the nature of the flaw but says all versions of Confluence could be affected. Users are advised to upgrade to a patched version immediately and to disconnect their Confluence instances from the public internet until they have done so. Confluence Cloud is not affected; only the on-premises products are. The disclosure follows an earlier critical flaw in October that let attackers create and abuse Confluence admin accounts. Atlassian's shift to a "cloud-first" company has left some users worried about the attention given to on-premises products, especially with Confluence Server support ending in February 2024, and two critical flaws in a month add to concerns about the maintenance of self-hosted Confluence.