Surveillance capitalism faces a reckoning
Meta and Apple face fines in the E.U. for breach of user consent
Meta has been handed a $414 million fine by Irish data protection authorities for lumping user consent into its apps’ terms of service, essentially forcing users to agree to its data collection practices for targeted ads or risk losing all access to the platforms.
While the ruling invalidates the contract legal basis, the social media giant pointed out that it does not “mandate the use of consent,” adding it’s “assessing a variety of options that will allow us to continue offering a fully personalized service to our users.”
It’s not just Meta. In what’s a rare privacy penalty for Apple, France’s data protection watchdog, the CNIL, has imposed a sanction of €8 million for not seeking users’ consent before tracking iPhone users running iOS 14.6 to serve personalized ads on the App Store, thereby violating the ePrivacy Directive.
The company has faced criticism in recent years for tracking iPhone users’ app activity to serve its own ‘personalized ads’ while enforcing a recently introduced privacy requirement that obliges third-party apps to obtain consent from users for cross-app tracking. What’s more, a 2021 study of App Tracking Transparency found that third-party apps are continuing to track users, albeit in an anonymized and aggregated fashion similar to Google’s Privacy Sandbox.
Indeed, Lockdown Privacy, an app that blocks ad trackers and badware, called Apple’s policy “functionally useless in stopping third-party tracking,” saying it “made no difference in the total number of active third-party trackers.” The company has also come under the lens for collecting analytics data from iPhones and iPads regardless of whether or not the setting is on.
The developments point to a broader need for an opt-in approach (rather than opt-out) that puts users in the driving seat, and for a pivot away from the unregulated data collection frameworks that exist today.
What’s trending in security?
📃 In what’s the latest cybersecurity debacle to affect Twitter, data from 235 million users, including email addresses, has been gathered and put up for free on an underground hacking forum. The tranche is likely a refined version of another data dump comprising 400 million user details that was advertised for sale late last month. The data is said to have been collected in 2021 by exploiting a Twitter API vulnerability that was fixed in January 2022. While it’s evident that multiple threat actors got their hands on the API flaw, Twitter has not publicly acknowledged the latest incidents. There are no clues to the identity or location of the hacker or hackers behind the breach. [Ars Technica / BBC / Bleeping Computer / Privacy Affairs / The Verge / The Washington Post]
🔐 The cybercriminals behind the Dridex banking trojan have adopted a new tactic in recent attacks targeting macOS devices, overwriting the victim’s document files to deliver their malicious code. The idea is to disguise the malicious Microsoft Word document used for malware delivery without having to rely on phishing emails. [The Hacker News]
🖥️ A new attack campaign has leveraged the legitimate Windows Error Reporting tool (WerFault.exe) to execute an open source remote access trojan called Pupy RAT on victims’ machines. The infection is triggered from an ISO disc image file that includes the executable as well as a shortcut file masquerading as an inventory document. [K7 Labs]
💵 An open source post-exploitation framework called Empire is being leveraged by threat actors, including Vice Society, for lateral movement and for retrieving other payloads from an attacker-controlled domain. [Qualys]
⏬ A malicious campaign called PURPLEURCHIN created over 130,000 free trial and premium accounts on cloud platforms like GitHub and Heroku to mine cryptocurrency by leveraging DevOps and continuous integration/continuous deployment (CI/CD) practices in an automated manner. The threat actor, of South African origin, is being tracked under the name Automated Libra. The development comes as cryptomining attacks, where an adversary stealthily uses an organization’s computing resources to mine for cryptocurrencies, have become an extremely common occurrence in recent years. [The Hacker News]
🪙 Phishing pages spoofing Cisco and Grammarly have been used by threat actors to distribute a malware called DarkTortilla and maintain remote access to compromised systems. In a related development, the malware author behind PureCrypter has been observed advertising a new information stealer dubbed PureLogs for $99 a year, a cryptocurrency miner named PureMiner, and a botnet called BlueLoader for the same price, underscoring a major expansion. [Cyble]
🤖 An unknown threat actor has been using Nitol DDoS Bot to install Amadey, a downloader malware that’s used to deliver additional payloads, including ransomware. Nitol, besides being capable of carrying out DDoS attacks, can wipe the Master Boot Record (MBR) to incapacitate the system after a reboot. [ASEC]
🏦 A cybercrime group known as Bluebottle has French-speaking African banks in its crosshairs as part of a recent campaign that demonstrates an evolution in tools and tactics. While it’s not known if the group was able to capitalize financially on the activity, the attacks targeted three different entities in Africa between mid-July and September 2022. The threat actor also likely shares overlaps with an adversary tracked by Group-IB as OPERA1ER because of similar tooling and the absence of custom malware. [The Hacker News]
🪱 The Raspberry Robin worm, which acts as a loader for other malware, has been linked to a new wave of attacks aimed at financial and insurance companies in Europe. The threat actor behind the worm is thought to be part of a larger ecosystem facilitating pre-ransomware activity and is considered one of the largest malware distribution platforms currently active. [The Hacker News]
🔽 The Russia-linked Turla hackers targeted Ukrainian entities by piggybacking on infrastructure used in unrelated criminal operations in the past. The finding serves as a reminder that there may be significant Russian activity in cyberspace occurring under the radar. The attack is also likely a way for the threat actor to stay undetected by hiding inside other hackers’ footprints while combing through a vast collection of networks to gather information of interest. [WIRED / CyberScoop / The Hacker News]
🚘 Numerous security defects in vehicles from 16 car makers could be exploited to remotely control car functions and access internal applications and systems, leading to exposure of a trove of personal information, account takeover, and more. What’s more, successful exploitation of the flaws could put car owners at risk of digital harassment and stalking. The findings underscore the potential risks for consumers and automakers alike as car manufacturers continue to increase the amount of software in vehicles and provide a myriad of ways to connect customers with companion apps on smartphones and other devices. These developments have raised the stakes, necessitating automotive cybersecurity standards. [The Hacker News]
🔑 Antivirus company Bitdefender released a decryptor for the MegaCortex ransomware family, making it possible for victims to restore their data for free. The decryptor was developed in coordination with Swiss police and European law enforcement agencies, which carried out raids in October 2021 against cybercriminals behind the Dharma, MegaCortex and LockerGoga ransomware strains. [Bitdefender]
↘️ Threat actors are exploiting Fortinet appliances vulnerable to flaws such as CVE-2022-40684 to infect targets with ransomware, in some cases by purchasing access to compromised Fortinet devices in underground markets. Cybercriminals are known to compromise systems and then sell those infected machines, or credentials to access those systems, on underground forums and dark markets as part of the initial access broker subeconomy. [eSentire]
🚨 More than a dozen new macOS malware families were discovered in 2022, including information stealers, cryptocurrency miners, loaders, and backdoors, with many of them linked to China. This includes SysJoker, DazzleSpy, CoinMiner, Gimmick, oRat, CrateDepression, Pymafka, VPN Trojan, CloudMensis, rShell, Insekt, KeySteal, and SentinelSneak. [Objective-See]
🚩 Rackspace confirmed that the ransomware incident that took down the company’s hosted Microsoft Exchange server environment in early December 2022 was carried out by the Play cybercrime group. It also said the attack entailed the exploitation of a flaw that Microsoft patched in November 2022, for which it had applied the mitigations. The attack highlights the risks of relying on mitigations alone to safeguard from potential threats. It also comes at a time when cybercriminals have become much faster at exploiting new vulnerabilities, drastically shrinking the time between initial disclosure and exploit availability. [The Hacker News]
🛡️ The Serbian government disclosed that it has been on the receiving end of at least five separate distributed denial-of-service (DDoS) attacks intended to hobble the country’s IT infrastructure. The attacks, however, were repelled. [The Government of Serbia]
⚠️ Microsoft has fixed an important-severity security flaw in its Azure Cognitive Search (ACS), dubbed ACSESSED, after it was found that it could be exploited to allow cross-tenant network bypass attacks and access private data. The vulnerability was reported on February 23, 2022, and fixed by Microsoft on August 31, 2022. [Mnemonic]
📶 The U.S. Federal Communications Commission (FCC) has announced plans to overhaul its security reporting rules for the telecom industry to, among other things, eliminate a mandatory seven-day waiting period for notifying customers of stolen data, require all breaches to be reported to the FCC, FBI, and U.S. Secret Service, and expand the definition of what constitutes an incident to include inadvertent exposure of customer information, not just outside hacks. Calling the waiting rule outdated, the agency also noted that telecommunication carriers have access to a “treasure trove of data about who we are, where we have traveled, and who we have talked to.” The development comes as telecom breaches have become rampant in recent years. [FCC]
🗄️ The past few weeks in data breaches, leaks, and ransomware: Air France, Canadian Copper Mountain Mining Corporation, Chick-fil-A, Experian, Five Guys, Intrado, KLM, Queensland University of Technology, RailYatri, and Wabtec Corporation.