The CyberWire Daily Podcast 2.23.24
Ep 2010 | 2.23.24

Crackdown on privacy leads to a multi-million dollar fine.

Transcript

The FTC fines Avast over privacy violations. ConnectWise's ScreenConnect is under active exploitation. AT&T restores services nationwide. An Australian telecom provider suffers a data breach. EU Member States publish a cybersecurity and resilience report. Microsoft unleashes a PyRIT. A new infostealer targets the oil and gas sector. A cyberattack cripples a major US healthcare provider. Our guest is Kevin Magee from Microsoft Canada with insights on why cybersecurity startups in Ireland are having so much success building new companies there. And a USB device is buzzing with malware. 

Today is February 23rd, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

The FTC fines Avast over privacy violations. 

The Federal Trade Commission (FTC) has concluded a significant enforcement action against Avast, a prominent software provider known for its antivirus and security products. The action requires Avast to pay $16.5 million and imposes strict limitations on its handling of web browsing data.

The FTC's complaint detailed how Avast, under the guise of offering privacy protection through its browser extensions and antivirus software, engaged in the collection of detailed browsing data from users. This data encompassed sensitive information, potentially revealing individuals' religious beliefs, health concerns, political leanings, and financial status, among other private details.

The core of the FTC's complaint was the contradiction between Avast's privacy assurances and its actual practices. Despite advertising its products as tools to safeguard user privacy and block third-party tracking, Avast was found to have collected extensive browsing data, which it stored indefinitely and sold to over 100 third parties through its subsidiary, Jumpshot. This practice was not only in direct conflict with Avast's privacy promises but also occurred without providing adequate notice to consumers or obtaining their consent.

Highlighting the severity of Avast's misconduct, the FTC criticized the company for not sufficiently anonymizing the browsing data before sale. Avast's claims of deploying special algorithms to strip identifying information were challenged, with the FTC pointing out the continued risk of re-identification due to the detailed nature of the data sold, including unique browser identifiers and precise activity logs.
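The FTC's point that stable browser identifiers plus precise activity logs defeat nominal anonymization is easy to show with a small linkage check. The script below is an added illustration, not anything from the FTC complaint or from Avast's or Jumpshot's code: it builds a constructed clickstream in which names have been stripped but each record keeps a persistent per-browser ID, links every ID to a name from a single self-identifying URL, and then shows the kind of aggregation (drop the identifier and timestamp, publish only per-domain counts, suppress domains seen by fewer than k browsers) that removes that linkage. The `example-social.test` profile URL pattern and the `k` threshold are assumptions made for the example.

```python
"""Linkage risk in "de-identified" browsing data, and an aggregation mitigation.

All records below are constructed for this example; they are not real data.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed "anonymized" clickstream: no names, but a stable browser_id,
# an exact timestamp and the full URL survive in every record.
CLICKSTREAM = [
    {"browser_id": "b7f3", "ts": "2024-02-01T08:02:11Z",
     "url": "https://example-social.test/profile/alice.smith"},
    {"browser_id": "b7f3", "ts": "2024-02-01T08:05:40Z",
     "url": "https://health-forum.test/threads/chronic-condition-diet"},
    {"browser_id": "b7f3", "ts": "2024-02-02T21:14:02Z",
     "url": "https://bank.test/accounts/summary"},
    {"browser_id": "91aa", "ts": "2024-02-01T09:00:00Z",
     "url": "https://news.test/politics"},
    {"browser_id": "91aa", "ts": "2024-02-03T10:10:10Z",
     "url": "https://example-social.test/profile/bob.jones"},
    {"browser_id": "c0de", "ts": "2024-02-01T12:00:00Z",
     "url": "https://news.test/sports"},
]

# Assumed pattern for a URL that names its own visitor (a "my profile" page).
PROFILE_RE = re.compile(r"^https://example-social\.test/profile/([a-z.]+)$")


def link_identities(records):
    """Map browser_id -> name for every browser that ever hit a self-identifying URL.

    One such visit is enough: the stable identifier carries the name across
    every other record from that browser.
    """
    names = {}
    for r in records:
        m = PROFILE_RE.match(r["url"])
        if m and r["browser_id"] not in names:
            names[r["browser_id"]] = m.group(1)
    return names


def reidentify(records):
    """Return (name, url) for every record whose browser could be named."""
    names = link_identities(records)
    return [(names[r["browser_id"]], r["url"])
            for r in records if r["browser_id"] in names]


def reidentified_fraction(records):
    """Share of records that end up attached to a real name."""
    return len(reidentify(records)) / len(records)


def aggregate_without_ids(records, k):
    """Mitigation: publish only per-domain counts of distinct browsers.

    The browser identifier and timestamp never leave this function, and any
    domain seen by fewer than k distinct browsers is suppressed, so a single
    person's visit to a sensitive site cannot be singled out.
    """
    browsers_per_domain = defaultdict(set)
    for r in records:
        host = urlsplit(r["url"]).hostname
        browsers_per_domain[host].add(r["browser_id"])
    return {host: len(ids) for host, ids in browsers_per_domain.items()
            if len(ids) >= k}


if __name__ == "__main__":
    for name, url in reidentify(CLICKSTREAM):
        print(f"{name:12} visited {url}")
    print(f"re-identified: {reidentified_fraction(CLICKSTREAM):.0%} of records")
    print("safe to publish:", aggregate_without_ids(CLICKSTREAM, k=2))
```

Running it shows the sensitive health and banking visits being attached to a name purely through the shared identifier, while the aggregated output keeps only domain-level counts that at least two browsers contributed to.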

The FTC's settlement with Avast includes several critical provisions aimed at rectifying the identified privacy breaches and preventing future violations. Notably, Avast is now prohibited from selling or licensing browsing data from its branded products for advertising purposes. Additionally, the company is required to secure affirmative express consent from consumers before engaging in similar practices with data from non-Avast products. The agreement also mandates the deletion of all browsing information previously collected, along with any derivative products or algorithms.

Beyond these immediate remedies, the settlement obliges Avast to notify consumers affected by the unauthorized data sales about the FTC's enforcement action. Furthermore, Avast is tasked with establishing a comprehensive privacy program designed to address the misconduct highlighted by the FTC and safeguard consumer privacy moving forward.

ConnectWise's ScreenConnect is under active exploitation. 

A critical vulnerability in ConnectWise's ScreenConnect, scoring a maximum CVSS of 10, is being exploited by ransomware criminals shortly after disclosure. Described as "trivial" to exploit for remote code execution, the flaw (CVE-2024-1709) poses a significant risk, especially to managed service providers (MSPs) that are valuable targets for cyberattacks. Cybersecurity firms like Huntress and Sophos have observed ransomware attacks exploiting this vulnerability, impacting both servers and client machines. Despite the recent law enforcement operation against the LockBit ransomware group, attacks persist, using tools like the leaked LockBit 3 builder. Sophos warns that compromised systems need thorough investigation beyond patching, as various attackers are exploiting ScreenConnect to deploy ransomware and other malicious software.

AT&T restores services nationwide.

AT&T network services have been restored after a significant outage yesterday affected many users across North America. The outage was attributed to an incorrect process during network expansion, not a cyberattack. The disruption impacted at least 70,000 customers, including 911 emergency services. AT&T has apologized to affected customers and says it is committed to maintaining reliable service.

An Australian telecom provider suffers a data breach. 

Tangerine, an Australian telecommunications provider, reported a cyberattack that compromised the personal information of 230,000 individuals, involving current and former customer accounts. The breach occurred on February 18 and was discovered two days later; it exposed names, addresses, dates of birth, email addresses, mobile numbers, and account numbers. Tangerine claims financial and sensitive identification data remained secure. The intrusion was linked to a contractor's login credentials. Tangerine has since revoked access to the compromised account, enhanced security measures, and started notifying affected individuals.

EU Member States publish a cybersecurity and resilience report.

EU Member States, supported by the European Commission and ENISA (the EU's Cybersecurity Agency), have published a report on the cybersecurity and resilience of Europe's communication infrastructures and networks. This document advances EU-wide efforts to secure telecommunications, particularly focusing on 5G network security. It results from a detailed risk assessment identifying threats, including ransomware and supply chain attacks. The report outlines ten new risk scenarios, and recommendations include enhancing resilience against physical and cyber attacks, assessing the criticality of international connections, and fostering collaboration for improved security measures. The report emphasizes the need for swift implementation of these resilience-enhancing steps to address the rapidly changing threat landscape.

Microsoft unleashes a PyRIT.

Microsoft has introduced PyRIT, an open-source tool aimed at enhancing the red teaming process for generative AI systems. Developed to help security experts and ML engineers uncover risks, PyRIT automates auditing tasks and highlights areas needing deeper examination. Addressing the unique challenges of red teaming in generative AI—which involves assessing both security and responsible AI risks due to its probabilistic nature and the variability in system architectures—PyRIT enhances, rather than replaces, manual efforts. Originating in 2022 as a script collection for red teaming generative AI, it has demonstrated effectiveness with systems like Copilot. PyRIT allows for controlled red team strategies, generates harmful prompts, adapts tactics based on AI responses, supports various attack strategies, and saves interactions for analysis.

A new infostealer targets the oil and gas sector.

The oil and gas sector is under threat from a new Malware-as-a-Service (MaaS) called Rhadamanthys Stealer, delivered through a sophisticated phishing campaign targeting critical infrastructure and sensitive data. This C++ information stealer, originally emerging in August 2022, focuses on pilfering email, FTP, and online banking credentials. It has quickly evolved, adding capabilities and improving evasion techniques, including altering clipboard data for cryptocurrency theft and recovering deleted Google Account cookies. The deployment of Rhadamanthys Stealer follows the takedown of the LockBit ransomware group, hinting at cybercriminals' strategic shifts or opportunistic behavior. With phishing emails as its delivery mechanism, Rhadamanthys poses a significant risk to the increasingly digital-dependent oil and gas industry, emphasizing the necessity for robust cybersecurity measures, continuous monitoring, and employee awareness to mitigate threats.

A cyberattack cripples a major US healthcare provider. 

UnitedHealth Group (UHG) reported that its subsidiary, Change Healthcare, was targeted by a cyberattack likely conducted by government-backed hackers, according to a regulatory filing. UHG has not specified a timeline for system recovery or identified the attackers' nation. Change Healthcare, a major player in the U.S. healthcare system for patient billing and handling approximately one-third of U.S. patient records, experienced the attack early Wednesday. The specific nature of the cyberattack remains undisclosed. The incident has disrupted pharmacies nationwide, preventing prescription fulfillments through insurance. UHG has engaged security experts, cooperated with law enforcement, and informed affected stakeholders.


Coming up, we have Kevin Magee of Microsoft Canada talking about meeting 15 cybersecurity startups in Ireland to find out why they are having so much success building new companies there. 


A USB device is buzzing with malware. 

And finally, our Marital Aids desk made us aware of a report from Malwarebytes about one of their customers successfully blocking an attempted malware infestation from an…unusual source.

We’re a family show, so I’ll do my best to keep the descriptions clean. You know those catalogs your grandparents get in the mail, the ones that include neck massagers that are suspiciously torpedo shaped? The infected device was one of those, purchased at the Spencer’s novelty shop in the local shopping mall. The device features a USB port for battery charging, but if you plug the unit into your PC it attempts to install the Lumma information stealer. Lumma, distributed via a Malware-as-a-Service (MaaS) model, targets cryptocurrency wallets, browser extensions, and two-factor authentication details, and can be spread through infected USB devices. The incident raises concerns about how the device became infected, with Spencer’s acknowledging awareness but providing no further details. Advice for USB device safety includes using AC plug sockets for charging to avoid data transfer, and, of course, employing USB condoms for data exchange prevention.

Happy Friday, everyone. 

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. You can email us at cyberwire@n2k.com—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com.


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.