Daily Brief
Total articles found: 11837
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-07-27 15:19:55 | bleepingcomputer | MISCELLANEOUS | X Uses Member Posts to Train AI: How to Opt Out | X has started using public posts from its members to train its Grok AI platform without initial user consent. The new setting enabling this use is turned on by default and was only recently made visible to users. This training method supports the platform's goals in a competitive AI market but raises privacy concerns due to a lack of transparency. Users noticed the change on July 25, prompting clarification and guidance from X's Safety team via social media. The web version already includes this setting, with plans to extend it to mobile platforms soon. Users can opt out by adjusting their settings on the web version under the "Data sharing and personalization" section. The option to use data for training is part of broader controls over user interaction with Grok, aimed at enhancing the user experience despite privacy worries. |
| 2024-07-27 14:18:45 | bleepingcomputer | MALWARE | WhatsApp Windows Version Exposes Users to Script Attacks | WhatsApp for Windows allows Python and PHP scripts to execute as soon as the recipient opens the file, without any prior warning. Only users with Python installed, typically software developers, researchers, and power users, are susceptible to the Python script execution. Meta, WhatsApp's parent company, has been informed but has not added the risky .pyz, .pyzw, and .php file extensions to the block list. This vulnerability is similar to a previous one found in Telegram, which allowed remote code execution through Python files. Testing revealed that while WhatsApp blocks direct execution of some file types such as .EXE and .DLL, it permits others such as Python ZIP apps and PyInstaller programs. Security researcher Das, who discovered the flaw, reported it to Meta, but the issue was closed as not applicable, indicating an oversight in addressing file execution vulnerabilities. WhatsApp appears not to regard this type of exposure as significant, despite its implications for user security. |
| 2024-07-27 06:12:49 | thehackernews | MALWARE | French Authorities and Europol Battle PlugX Malware Infection | French judicial authorities and Europol have initiated a "disinfection operation" targeting PlugX, a malware that has compromised systems across several EU countries. The response follows Sekoia's sinkholing of a PlugX command-and-control server in September 2023, which revealed daily connections from nearly 100,000 IPs. PlugX, identified as a tool frequently used by groups linked to the Chinese government, has been active since 2008, facilitating remote access and data theft. The malware has evolved to include wormable traits that enable it to spread through USB drives, making it capable of infiltrating even air-gapped networks. Cleanup efforts have already benefited victims in France, Malta, Portugal, Croatia, Slovakia, and Austria, and the operation is set to continue for several months. Current removal techniques can delete the malware from workstations but not from USB devices, with decisions on further action deferred to national CERTs and cybersecurity authorities. Europol is assisting in deploying Sekoia's removal tool among its partner nations, highlighting international collaboration against this persistent cyber threat. |
| 2024-07-27 05:52:16 | thehackernews | MALWARE | Malicious PyPI Package Targeting macOS to Steal Google Cloud Credentials | Cybersecurity researchers identified a harmful package, "lr-utils-lib," on the Python Package Index (PyPI) designed specifically to target Apple macOS systems and steal Google Cloud credentials. The malware was programmed to check whether it was installed on a macOS system and then compare the system's UUID against a list of 64 predefined hashes to target specific devices. Upon a successful match, the package attempted to steal authentication data from files within the macOS Google Cloud configuration directory. The stolen credentials were transmitted to a remote server over HTTP, indicating a sophisticated method of exfiltration. Before being removed, the package was downloaded 59 times, suggesting a relatively limited but focused attack. A fake LinkedIn profile was associated with the package, indicating possible use of social engineering in the attack's strategy. The motives and actors behind this targeted attack remain unknown, but it highlights the risks to both individuals and enterprises, since developer machines can provide access to enterprise systems. The incident highlights ongoing threats in the software supply chain, especially those targeting specific systems with disguised packages. |
| 2024-07-26 19:32:15 | bleepingcomputer | DATA BREACH | Gemini Cryptocurrency Exchange Suffers Third-Party Data Breach | Gemini, a U.S. cryptocurrency exchange, reported a data breach that exposed its customers' banking details through a third-party vendor. Unauthorized access occurred between June 3 and June 7, 2024, compromising names, bank account numbers, and routing numbers used for ACH transfers. The breach was confined to the Automated Clearing House (ACH) service provider, and no other sensitive personal information was exposed. Gemini has contained the incident and initiated an investigation with the help of external cybersecurity experts. Affected users are advised to enable multi-factor authentication on their bank accounts and monitor for any signs of unauthorized or fraudulent activity. Gemini has informed the affected individuals and recommended placing fraud alerts or security freezes on their credit reports. This breach follows a significant 2022 incident involving another third-party vendor that impacted 5.7 million users. |
| 2024-07-26 18:51:14 | bleepingcomputer | DATA BREACH | FBCS Data Breach Now Affects Over 4 Million People | FBCS has raised the reported number of individuals affected by its February data breach to 4.2 million. The figure was initially reported as 1.9 million and revised to 3.2 million in May before reaching the current number. The compromised data includes sensitive personal information that varies per individual, heightening the risk of identity theft. All affected individuals are being notified and offered 24 months of free credit monitoring and identity restoration services. The type of cyberattack responsible for the breach remains unidentified, and no ransomware group has claimed it. FBCS discovered unauthorized access to its network on February 26, 2024, and confirmed the breach was confined to its internal systems. Affected parties are advised to remain vigilant for phishing attempts and to monitor their credit reports for unauthorized activity. |
| 2024-07-26 18:40:52 | theregister | MISCELLANEOUS | CrowdStrike Update Causes Major Windows System Failures | On July 19, a flawed update from cybersecurity firm CrowdStrike caused a massive outage affecting millions of Windows systems globally. The update inadvertently introduced a "logic error" in a configuration file, leading to widespread Blue Screens of Death (BSOD) and disrupting critical services such as flights and healthcare. The fiasco highlighted how vulnerable digital infrastructure is to single points of failure, particularly in widely used systems such as Windows. Microsoft's integration allowing third-party access at the kernel level, while facilitating competition, contributed to the scale of the problem. CrowdStrike's testing protocols have been criticized since the incident; that such a calamitous error passed QA suggests its testing procedures and deployment mechanisms need a stringent review and overhaul. Security expert Kevin Beaumont criticized the practice of deploying major updates globally without phased or "canary" testing to ensure stability and security. CrowdStrike's slow and inadequate initial response exacerbated the problem, leaving users and administrators scrambling to manage the fallout. The catastrophic event serves as a crucial lesson for the tech industry on the importance of rigorous testing, robust fail-safe mechanisms, and preparedness for self-inflicted tech crises. |
| 2024-07-26 16:43:37 | bleepingcomputer | CYBERCRIME | Acronis Issues Alert on Default Password Vulnerability Exploitation | Acronis has notified its customers about a severe vulnerability that allows attackers to bypass server authentication using default credentials. The security flaw, identified as CVE-2023-45249, affects Acronis Cyber Protect (ACI), a platform used by over 20,000 service providers globally. ACI combines remote management, backup, and virtualization capabilities to securely handle disaster recovery and enterprise data backups. Despite a patch having been available for nine months, the vulnerability has been actively exploited in the wild. Acronis recommends that customers urgently update their installations to the latest version to mitigate the risk. Users can check whether their systems are vulnerable by verifying the ACI build number under the Help -> About section of the software. Keeping software up to date is crucial for securing Acronis products against potential cyberattacks. |
| 2024-07-26 14:31:11 | bleepingcomputer | CYBERCRIME | Russian Ransomware Gangs Dominate Global Crypto Cybercrime in 2023 | Russian ransomware groups are responsible for about 69% of all crypto ransom proceeds, totaling over $500 million in the past year. North Korea leads in cryptocurrency theft through exploits, having stolen over a billion dollars, while Asia leads in scams and investment fraud. Major ransomware operations such as LockBit, Black Basta, and Cl0p are predominantly run by Russian-speaking threat actors. Russian darknet markets are significant in the cybercrime ecosystem, accounting for 95% of global darknet market sales and $1.4 billion in transactions. TRM Labs identifies a significant link between Russian criminal activity and the sanctioned Garantex exchange, which allegedly processes over 82% of crypto transactions related to sanctioned entities. Russian cybercriminals also reportedly support their military by using crypto transactions to purchase critical weapon components from China. The predominance of Russians in cybercrime is attributed to historical, regulatory, and geopolitical factors, compounded by the difficulty Western nations face in disrupting these activities because of political and logistical barriers. |
| 2024-07-26 13:34:37 | theregister | NATION STATE ACTIVITY | Critical Vulnerabilities in Telerik Report Server Pose High Risks | Progress Software has issued a security warning about a new critical flaw in Telerik Report Server, tracked as CVE-2024-6327, which could allow remote code execution. This is the second severe vulnerability reported in as many months, following another high-risk bug that granted administrative rights via an authentication bypass. CVE-2024-6327 has a high severity score of 9.9 and affects all versions of the software prior to 10.1.24.709, making it a prime target for exploitation. An Advanced Persistent Threat (APT) group previously exploited a similar vulnerability in the Telerik suite, CVE-2019-18935, to attack US federal agencies. CISA has flagged these types of vulnerabilities but faced detection challenges due to atypical installation paths, which can obscure further exploitation. Progress also disclosed another concerning vulnerability, CVE-2024-6096 in Telerik Reporting, rated 8.8, highlighting ongoing security risks within these products. The repeated discovery of critical vulnerabilities in such a short timeframe underscores the significant threat to organizations that use Telerik products without promptly applying security updates. |
| 2024-07-26 13:19:10 | thehackernews | MALWARE | Spanish Cybercriminals Link Phishing Kits with Android Malware | A Spanish cybercrime group known as GXC Team has been selling a sophisticated phishing-as-a-service platform integrated with Android malware. The service is used extensively to target over 36 banks and various institutions globally, for a subscription fee of about $500 per month. The malicious combination is aimed particularly at users of financial institutions in Spain, the US, the UK, Slovakia, and Brazil, and also targets tax and governmental services. Using deceptive tactics, the malware encourages victims to download a bogus Android banking app that can intercept SMS one-time passwords and forward them via Telegram. The GXC Team has also ventured into offering stolen banking credentials and bespoke coding services to other cybercriminal groups focusing on different sectors, including cryptocurrency. Options for client engagement extend to AI-enhanced voice calling tools that facilitate more effective voice phishing (vishing) attacks by mimicking legitimate voices from recognized sources. Recent advancements include adversary-in-the-middle (AiTM) phishing kits capable of bypassing secure authentication methods offered on various platforms. Emerging trends show phishing campaigns increasingly using techniques such as encoding URLs with security tools or tricking users into executing harmful scripts, evolving the landscape of social engineering threats. |
| 2024-07-26 11:01:46 | thehackernews | MISCELLANEOUS | Evolution of Cybersecurity and the Rise of Offensive AI | Early computer viruses such as Creeper sparked the development of the cybersecurity field, marking the first recognition of digital threats. Defensive tools such as the Reaper program marked the beginning of anti-virus software, addressing the need for cyber defense mechanisms. Technological advances in cybersecurity have mirrored historical progress in physical warfare, evolving from simple walls to sophisticated detection systems. Modern cybersecurity challenges include the potential misuse of powerful tools such as AI to develop advanced malware capable of bypassing traditional security measures. Offensive AI emerges as both a significant threat and a necessity: advanced AI-driven threats require the development of sophisticated offensive AI tools for effective defense. The future of cybersecurity may rely heavily on understanding and implementing advanced offensive AI to outpace and counteract evolving cyber threats. Foster Nethercott, a seasoned cybersecurity expert, underscores the importance of offensive AI in cybersecurity strategy and development at industry workshops and events. |
| 2024-07-26 08:59:31 | thehackernews | NATION STATE ACTIVITY | U.S. DoJ Charges North Korean Hacker for Healthcare Ransomware Attacks | The U.S. Department of Justice has indicted North Korean hacker Rim Jong Hyok for ransomware attacks targeting U.S. healthcare facilities, which helped fund illicit North Korean activities. The attacks used a ransomware strain called Maui, first reported in Japan and the U.S. in 2022, with ransom payments laundered through Hong Kong into Chinese yuan. The prosecution is part of a broader accusation against Andariel, a North Korean hacking group also known as APT45 among other aliases, tied to the Korean military intelligence service. Andariel's operations include hacking into U.S. Air Force bases and defense contractors and stealing over 30GB of sensitive data, including information about military aircraft and satellites. The State Department has offered a reward of up to $10 million for information leading to Hyok's capture or the identification of any associated individuals. The group's tactics include exploiting internet-facing applications and using a mix of custom malware, remote access tools, and publicly available utilities for extensive system and data breaches. U.S. agencies have seized about $114,000 in virtual currency related to these attacks and frozen several online accounts involved. The NSA and CISA highlight the ongoing threat Andariel poses to multiple sectors worldwide, emphasizing the persistent security challenges from state-sponsored North Korean cyber activity. |
| 2024-07-26 06:21:49 | thehackernews | CYBERCRIME | Cyberattack Exploits Selenium Grid for Cryptocurrency Mining | Cybersecurity experts have uncovered an ongoing cyberattack, dubbed SeleniumGreed, that targets outdated Selenium Grid services to mine cryptocurrency. The threat actors abuse the Selenium WebDriver API, which allows full interaction with the host machine, to run Python code that downloads and executes the XMRig crypto mining software. The campaign, active since at least April 2023, primarily targets older versions of Selenium (3.141.59 and earlier) that lack authentication by default, exposing them to unauthorized access. By sending requests to vulnerable Selenium Grid hubs, the attackers execute a Base64-encoded Python program that establishes a reverse shell and retrieves the mining payload from an attacker-controlled server. The modified XMRig miner generates the mining pool IP dynamically at runtime and sets a TLS fingerprint, ensuring communication is limited to servers controlled by the attacker. The attackers exploit inadequately protected instances of the Selenium automated testing framework, which should be shielded from external access by proper firewall configuration. More than 30,000 Selenium instances are susceptible to this exploit, highlighting the critical need for users to secure or update their deployments to prevent unauthorized use and potential data breaches. Cloud security firm Wiz emphasizes the importance of securing Selenium Grid instances and removing them from public access to mitigate the risk. |
| 2024-07-26 05:56:11 | thehackernews | MALWARE | CrowdStrike Alerts on Phishing Scam Using Malware Post Update Issue | CrowdStrike has identified a spear-phishing campaign that uses a fake installer to target German users following the problematic Falcon Sensor update. The campaign involves an imposter website created to distribute a counterfeit installer, using a fake JavaScript download to mask its malicious intent. The phishing website, impersonating a German entity, offers a password-protected ZIP file containing a malicious executable disguised as normal-looking JavaScript. CrowdStrike's investigation notes that the installer requires specific input to proceed with installation, indicating a highly targeted approach. The malware deployment could not be fully analyzed or attributed because of its encrypted content and the anti-forensic techniques used by the perpetrators. This incident occurs amid a broader wave of phishing attempts exploiting the recent CrowdStrike update fiasco to spread stealer malware. CrowdStrike leadership has publicly apologized for the disruptions caused by the initial faulty update and reaffirmed its commitment to security. |