Thursday 7th November
Aidan Dickenson
Business Development Manager // Tailored solutions to enhance security, improve efficiency, and drive growth.
Good morning everyone, thank you for joining me for the latest installment of Cyber Daily. Today we're looking at news of Meta’s privacy fine in South Korea and an unsettling report on the Chinese cyber group Volt Typhoon allegedly testing its tactics on Singapore’s largest telecom provider. From unauthorised data-sharing fines to nation-state cyber “test runs,” companies worldwide are grappling with evolving, high-stakes threats.
Meta’s $15.7M Privacy Fine in South Korea
Meta’s latest privacy stumble has come at a hefty price in South Korea. The country’s Personal Information Protection Commission (PIPC) slapped Meta with a 21.62 billion won ($15.67 million) fine for allegedly gathering and sharing sensitive data from 980,000 local Facebook users without proper consent. According to the PIPC, Meta tracked user interactions—like page likes and ad clicks—to infer political views, religious beliefs, and even sexual orientation, later funneling this data to 4,000 advertisers.
The commission’s investigation also flagged Meta’s lax security for inactive accounts, which reportedly led to malicious actors successfully resetting passwords using fake IDs, leaking data of ten Korean users. The PIPC has pledged continued scrutiny of Meta’s practices, saying it’s dedicated to enforcing privacy laws “without discrimination” against global tech players.
Meta, meanwhile, says it will “carefully review” the decision, as the company faces growing regulatory backlash over privacy practices worldwide.
ToxicPanda Malware: A New Threat for Global Bank Accounts
The latest Android banking trojan, “ToxicPanda,” has already infected over 1,500 devices, allowing attackers to take over accounts and siphon funds with alarming ease. Identified by Cleafy researchers, ToxicPanda leverages On-Device Fraud (ODF) techniques to bypass identity checks, making it particularly effective against 16 targeted banks across Europe and Latin America. Italy has been the hardest hit, with over 56% of cases, but infections are rising in places like Portugal, Spain, and Peru, suggesting a strategic expansion.
Despite its relatively unsophisticated coding and placeholder commands, ToxicPanda’s functionality is formidable: it intercepts one-time passwords (OTPs) to evade two-factor authentication and utilises Android’s accessibility services for remote control. Researchers noted striking similarities to the TgToxic malware, hinting that the same threat actors, likely Chinese-speaking, may be behind both.
Interestingly, ToxicPanda lacks advanced features like Domain Generation Algorithms (DGA) and relies on static domains for its command-and-control (C2) connection. This malware’s success underscores the need for real-time, proactive detection, as traditional antivirus programs have struggled to flag it due to its simple technical structure.
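The detection point above is worth making concrete: a trojan that hard-codes its command-and-control domains can be caught by a plain blocklist match on DNS or proxy logs, whereas a DGA-based family would force defenders to fall back on weaker heuristics. The script below is an added illustration written for this post, not code from Cleafy or from the ToxicPanda report. The blocklist entries, the log lines and the client addresses are all constructed placeholders (no real ToxicPanda indicators appear here), and the entropy threshold is an assumed tuning value, not one taken from the research.

```python
from __future__ import annotations

import math
import re
from collections import Counter
from dataclasses import dataclass

# Constructed placeholder indicators. In practice this set is populated from a
# vendor report; none of these names are real ToxicPanda infrastructure.
STATIC_C2_BLOCKLIST = {
    "c2-placeholder-one.example",
    "c2-placeholder-two.example",
}

# Constructed DNS log lines (timestamp, client, queried name) for the demo.
SAMPLE_DNS_LOG = """\
2024-11-07T08:01:12Z 10.0.0.21 query bank-portal.example
2024-11-07T08:01:15Z 10.0.0.21 query c2-placeholder-one.example
2024-11-07T08:02:03Z 10.0.0.34 query updates.example
2024-11-07T08:02:40Z 10.0.0.34 query x7q9zk2vb4m1p8r3.example
2024-11-07T08:03:11Z 10.0.0.21 query C2-Placeholder-Two.example.
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+(\S+)$")


@dataclass
class Alert:
    timestamp: str
    client: str
    domain: str
    reason: str


def normalise(domain: str) -> str:
    """Lower-case and strip a trailing dot so blocklist matches are exact."""
    return domain.rstrip(".").lower()


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character in a single DNS label."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_dga(domain: str, min_len: int = 12, min_entropy: float = 3.5) -> bool:
    """Crude heuristic for algorithmically generated names: a long,
    high-entropy leftmost label. Thresholds are assumed values for the demo."""
    label = normalise(domain).split(".")[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def scan_dns_log(log_text: str, blocklist: set[str] = STATIC_C2_BLOCKLIST) -> list[Alert]:
    """Raise an alert for each query that hits the static C2 blocklist, and
    fall back to the DGA heuristic for names that are not on the list."""
    alerts: list[Alert] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the scan
        ts, client, raw = m.groups()
        domain = normalise(raw)
        if domain in blocklist:
            alerts.append(Alert(ts, client, domain, "static-c2-blocklist"))
        elif looks_dga(domain):
            alerts.append(Alert(ts, client, domain, "dga-heuristic"))
    return alerts


if __name__ == "__main__":
    for alert in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{alert.timestamp} {alert.client} -> {alert.domain} [{alert.reason}]")
```

Two of the three alerts come from the exact blocklist match, which is the cheap, low-false-positive path that a static-domain C2 makes possible; the third comes from the entropy heuristic, which is the only option once an attacker moves to generated domains and which needs tuning to avoid flagging legitimate CDN hostnames. Feeding the scanner from a live DNS or proxy stream rather than a file is what turns this into the real-time detection the section calls for.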
Chinese Cyberspies Breach Singapore Telecommunications in Potential US Hack Dry Run
The Chinese government-backed Volt Typhoon cyber-espionage group reportedly infiltrated Singapore Telecommunications (Singtel) this summer in what some analysts describe as a “test run” for more attacks on U.S. telecom infrastructure. According to sources cited by Bloomberg, Volt Typhoon’s breach—detected in June—could foreshadow future, more disruptive incursions targeting communications, energy, and transport systems in the U.S.
This Singtel attack follows a broader campaign from Volt Typhoon against critical infrastructure worldwide. Last February, U.S. intelligence agencies warned that the group is embedding itself within IT networks to eventually disrupt operational technology (OT) assets, which manage core infrastructure functions. The hackers employed a custom web shell during the Singtel breach, which echoes recent attacks using the Versa SD-WAN vulnerability CVE-2024-39717 to plant malware on systems, as reported by Lumen Technologies’ Black Lotus Labs.
Volt Typhoon’s reported tactics—including exploiting unpatched SD-WAN systems and credential-harvesting malware—underscore increasing cyber risks to global critical infrastructure. Singtel, while declining to confirm the breach specifics, emphasized its commitment to “network resilience” and proactive threat monitoring to secure its assets amid evolving cyber threats.
Agile Coach at Evolve IT | Innovation Culture for Business Growth | Digital Transformation | Agile, High-Performing, and Autonomous Teams
2 weeks: Always appreciate staying updated on the latest cybersecurity threats. It’s a wake-up call to stay vigilant. Which area do you see growing most in risk, Aidan?
Break Into Tech with 0 experience | Founder @ Rich in Tech | Snr AE | 1M+ Monthly Views | Father x1
2 weeks: AI is rapidly advancing! I’m shocked to hear about that breach from Snowflake too. Is it bad bad?