Daily Brief

Articles are listed below, each with a generated summary.

2024-07-25 10:20:58 thehackernews CYBERCRIME Meta Targets 63,000 Accounts in Major Sextortion Crackdown
Meta Platforms has removed approximately 63,000 Instagram accounts based in Nigeria that were implicated in extensive financial sextortion schemes targeting primarily adult men in the U.S. A subset of around 2,500 accounts was linked to a concentrated network operated by about 20 individuals, who used fake profiles to conceal their identities. Some targets were minors, prompting Meta to report these incidents to the National Center for Missing and Exploited Children (NCMEC). Meta also dismantled an additional 7,200 assets, including Facebook accounts, pages, and groups dedicated to recruiting and training scammers, sharing scamming strategies, and providing resources for creating fake accounts. These activities were attributed to the Yahoo Boys, a notorious cybercrime group previously highlighted for similar sextortion activities targeting youths across multiple countries, including the U.S., Australia, and Canada. Following a Bloomberg report linking these sextortion cases to suicides, Meta has introduced new detection and prevention techniques specifically aimed at protecting teenagers from such exploitation. This operation coincides with INTERPOL’s Jackal III, which targeted similar cybercrime syndicates across 21 countries, resulting in numerous arrests and significant asset seizures.
2024-07-25 10:00:17 thehackernews CYBERCRIME Webinar Urges Enhanced Security Measures for Modern Enterprise Browsers
The browser represents a critical yet vulnerable component of modern workspaces, heavily utilized but often poorly protected. Or Eshed from LayerX and Christopher Smedberg from Advance Publishing will discuss browser-centric security strategies in an upcoming webinar. Traditional security tools fall short in protecting against the unique threats presented by browsers, necessitating a shift to browser-specific security measures. Approximately 83% of employees rely on browsers for most of their work, so robust protection is needed to secure critical enterprise assets. Attackers target browsers because of their access to user activities, credentials, and sensitive data, exposing businesses to data breaches and account takeovers. Solutions like SWGs and CASBs currently used in enterprises cannot fully address web-based threats because of their inherent limitations in detecting sophisticated attacks and handling encrypted traffic. Implementing security directly within the browser is advised to effectively mitigate the daily risks faced by employees in the modern hybrid-work environment.
2024-07-25 08:33:16 thehackernews CYBERCRIME Researchers Uncover Critical Google Cloud Platform Flaw
Cybersecurity experts from Tenable have identified a privilege escalation vulnerability named ConfusedFunction in Google Cloud Platform’s Cloud Functions service. The vulnerability enables attackers to escalate their privileges to the Default Cloud Build Service Account, gaining access to multiple services including Cloud Build, Storage, Artifact Registry, and Container Registry. Attackers could then move laterally and escalate privileges within a victim’s project, potentially leading to unauthorized data access, modification, or deletion. Cloud Functions, the service affected by this vulnerability, is designed for serverless function execution, triggered by cloud events without the need for server management. Tenable highlighted that the vulnerability stems from the extensive permissions granted to the Cloud Build service account that is created by default when a Cloud Function is configured. Google has since addressed this issue by altering the default behavior to use the Compute Engine service account instead, although pre-existing instances are not changed by the fix. Despite Google's fix, the inherent complexity of inter-service communications and software frameworks can still pose risks, so users must manage permissions carefully.
2024-07-25 07:31:50 theregister MISCELLANEOUS Persistent Challenges in IT Patch Management and Solutions
Organizations generally aim for a 97-99% patch rate but typically achieve only 75-85%. Patching is crucial for security but is viewed as a laborious and thankless task within IT operations. The average organization manages approximately 2,900 software applications, and 69% of IT teams find it impossible to keep all of them patched in a timely manner. Corporate leadership now sees patch disruption as a necessary inconvenience, thanks to better education on the subject. Patching processes and ownership responsibilities remain unclear, which makes consistent patch management harder to maintain. Advances in endpoint management tools are integrating vulnerability and patch management to simplify the process. There is strong hesitance to fully automate patching because critical updates still need human oversight. Despite the tools available for improvement, many enterprises are slow to adopt them, largely because of unresolved issues in patch management ownership and execution.
2024-07-25 06:10:14 thehackernews DDOS CISA Alerts on BIND 9 DNS Vulnerabilities Leading to Potential DoS
CISA has issued a warning regarding multiple vulnerabilities in ISC's BIND 9 DNS software. These vulnerabilities could be exploited by cyber threat actors to trigger a denial-of-service (DoS) condition. Possible impacts include unexpected termination, CPU resource depletion, slowed query processing, and server unresponsiveness. Patched releases BIND 9.18.28, 9.20.0, and 9.18.28-S1 correct these vulnerabilities. There is currently no evidence that these vulnerabilities have been exploited in the wild. These security flaws follow another significant vulnerability in BIND 9, known as KeyTrap, that ISC addressed earlier.
2024-07-25 05:49:33 thehackernews MALWARE Critical Docker Engine Vulnerability Enables Authorization Bypass
Docker has issued a warning about a critical flaw in Docker Engine, affecting versions since 19.03, which allows attackers to bypass authorization plugins. The vulnerability, identified as CVE-2024-41110, could let attackers make unauthorized API requests and gain escalated privileges under specific conditions. The issue was originally fixed in Docker Engine v18.09.1 in January 2019, but the fix was not carried over to subsequent versions, and the regression led to the recent notice. Docker remedied the issue in its latest versions, 23.0.14 and 27.1.0, as of July 23, 2024, following its detection in April 2024. The flaw impacts Docker Desktop up to version 4.32.0, with a fix scheduled for the upcoming version 4.33 release. Docker noted that the default Docker Desktop configuration does not typically include AuthZ plugins, which limits any privilege escalation to the Docker Desktop VM rather than the host system. While there is no evidence of active exploitation in the wild, Docker stresses the importance of updating to the latest versions to mitigate the risk. The incident underscores the container security concerns reported by Palo Alto Networks’ Unit 42, which highlights the susceptibility of containers to various attack techniques.
2024-07-25 05:23:56 thehackernews MALWARE Google Chrome Introduces Advanced Malware Scanning for Encrypted Files
Google has enhanced its Chrome browser to include new security warnings for downloads of potentially malicious files. The updated system uses a nuanced warning taxonomy from Google Safe Browsing, classifying files as either "Suspicious" or "Dangerous" with distinct iconography and warning texts. Chrome's Enhanced Protection mode now offers automatic deep scans of password-protected files, aiding in the detection and prevention of malware. Users can input the files' passwords within Chrome to permit deep scanning by Google Safe Browsing without repeated prompts. The data, including files and passwords, is securely deleted shortly after scanning to maintain privacy and security. In Standard Protection mode, only the metadata of password-protected archives is checked unless the user opts to manually enter the password for a full scan. Google emphasizes that these improvements aim to help users make more informed decisions regarding file safety and enhance overall download protection.
2024-07-25 02:35:30 theregister MISCELLANEOUS Innovative Barcode Solution Rapidly Fixes Encrypted PCs in Crisis
Windows PCs and servers at Grant Thornton Australia began experiencing the Blue Screen of Death due to a flaw in CrowdStrike's testing software. The devices were encrypted with Microsoft's BitLocker, requiring a 48-character key for system recovery. Rob Woltz, a senior systems engineer, leveraged barcode scanners to automate the input of BitLocker keys during the recovery process. A simple script was developed to generate barcodes for each affected PC, minimizing data security risks and manual entry errors. The initial solution was rapidly scaled by purchasing additional barcode scanners and having remote staff return to the office for quick recovery assistance. Every PC in the Australian branch was fixed by lunchtime on the following Monday, with each recovery taking about three to five minutes. The server recovery process was handled manually, taking about 20 minutes per machine. The utilization of barcodes over manual entry was not only a secure and efficient solution but also praised as a remarkable innovation by colleagues.
2024-07-25 00:23:09 theregister MISCELLANEOUS CrowdStrike's Major Update Leads to Global System Outages
CrowdStrike's endpoint security tool, Falcon, received a faulty update that caused widespread outages affecting 8.5 million Windows devices. The update aimed to enhance detection of novel attack techniques but led to critical system failures, displaying the blue screen of death and causing continuous reboot cycles. The problem began on July 19 with a problematic rapid response update intended to detect malicious use of named pipes in Windows. A fix was deployed within 78 minutes, but not before the update caused significant disruption across various sectors including airlines, banks, and hospitals. CrowdStrike has since pledged more rigorous testing and a phased rollout for updates to prevent future issues. Microsoft and CISA responded with recovery advice, while CrowdStrike offered recovery scripts and technical assistance at client sites. The company faces potential class-action lawsuits and a congressional investigation regarding the outage. Analysts suggest the event is recoverable but will require CrowdStrike to maintain transparency and implement improved software update processes.
2024-07-24 22:00:28 bleepingcomputer MALWARE Over 3,000 GitHub Accounts Exploited for Large-Scale Malware Distribution
Threat actor 'Stargazer Goblin' operates a Distribution-as-a-Service using over 3,000 fabricated GitHub accounts. The malware, primarily infostealers like RedLine and Atlantida Stealer, is distributed via password-protected archives in GitHub repositories and on compromised WordPress sites. Check Point Research uncovered this scheme, marking it as the first documented extensive malware distribution network on GitHub. The Stargazers Ghost Network employs a coordinated strategy in which different 'ghost' accounts perform specific roles, enhancing operational resilience. GitHub has closed down over 1,500 malicious repositories since May 2024, but over 200 are still active and distributing malware. Users are often deceived by the apparent legitimacy of the GitHub repositories, leading to inadvertent downloads of malicious software. The operation began promotion on the dark web in June 2023 but has been active since at least August 2022. Check Point estimates the operation has generated over $100,000 for the threat actors involved.
2024-07-24 20:47:16 theregister MISCELLANEOUS Apple Criticizes Google Topics’ Privacy Risks, Issues Overstated
Apple highlighted concerns over Google Chrome's Topics advertising technology being used to fingerprint and potentially track users online. Research from the University of Wisconsin-Madison initially suggested the Topics API could reidentify users online, despite Google's efforts to introduce randomness in its algorithms. The criticism is part of broader concerns over web privacy, with Topics intended to replace third-party cookies which are widely acknowledged as invasive. However, Apple's claims of high reidentification risks in Topics were challenged by Google engineers, revealing flaws in the research methodology. After corrections in the simulation, the reidentification rates dramatically dropped, indicating a smaller privacy risk than initially presented. The ongoing discussion reflects the tech industry's struggles to balance effective advertising with user privacy. Google continues to work on enhancing Topics, while Apple maintains its stance on limiting web fingerprinting and increasing user privacy.
2024-07-24 19:00:07 bleepingcomputer MALWARE Docker Fixes Five-Year-Old Critical Auth Bypass Flaw
Docker has patched a critical vulnerability in Docker Engine that allowed attackers to bypass authentication plugins. The flaw, known as CVE-2024-41110, was originally fixed in the 2019 release of Docker Engine v18.09.1 but reappeared in subsequent versions due to an oversight. CVE-2024-41110 involves sending an API request with a Content-Length of 0, causing the AuthZ plugin to receive the request without data for proper validation. This vulnerability exposed Docker instances to potential unauthorized actions, including privilege escalation, for a period of approximately five years. Affected versions include Docker Engine up to v27.1.0; patched versions have been released to address this issue. Users who deployed AuthZ plugins for access control are advised to update or disable plugins and restrict API access. Docker Desktop is also impacted, but exploitation is limited to the VM environment; an update is expected in the upcoming version.
2024-07-24 17:33:16 bleepingcomputer NATION STATE ACTIVITY North Korean Hacker Disguised as Engineer Targets U.S. Firm
KnowBe4, a U.S.-based cybersecurity firm, unwittingly hired a North Korean state actor posing as a Principal Software Engineer. The North Korean hacker attempted to install information-stealing malware on the company's devices. KnowBe4's security measures detected and prevented the malware deployment, averting a potential data breach. The incident underscores ongoing concerns about North Korean operatives infiltrating American companies to support their country's cyber programs and weapons funding. The hacker used AI tools to create a false identity and manipulated video interview technology to bypass pre-employment security checks. KnowBe4 detected suspicious activity from the employee's workstation which led to the discovery of the infostealer malware aimed at extracting browser-stored data. The company suggests isolating new hires in a network sandbox and scrutinizing inconsistencies in shipping addresses to mitigate similar risks.
2024-07-24 17:07:36 theregister DATA BREACH U.S. DoT Investigates Delta Air Lines Post IT Outage Fallout
The U.S. Department of Transportation (DoT) launched an investigation into Delta Air Lines' response to a global IT outage initiated by a problematic update from CrowdStrike. The update led to widespread disruptions, with Delta experiencing significant challenges including hundreds of flight cancellations and delays, unlike its competitors who recovered swiftly. Secretary of Transportation Pete Buttigieg highlighted about 3,000 customer complaints, mentioning issues with delayed flights and difficulty reaching customer service. Delta reported making gradual progress, observing a 50% reduction in cancellations and significant improvements in flight operations and crew management systems. The incident has had a severe financial impact on Delta, with anticipated costs around $163 million, and broader industry implications with insurers expecting large payouts for covered losses. Additional context includes Delta's efforts at recovery with extensive staff mobilization and plans to normalize operations by the upcoming weekend. CrowdStrike has initiated an opt-in program for automatic restoration of affected endpoints and released a preliminary postmortem report acknowledging faults in their update deployment process.
2024-07-24 16:11:08 bleepingcomputer CYBERCRIME Google Chrome Enhances Warnings for Risky Downloads
Google Chrome now alerts users when downloading risky password-protected files and provides more detailed warnings for potentially malicious files. A new two-tier warning system using AI-powered malware verdicts from Google's Safe Browsing service classifies files as either suspicious or dangerous based on the level of threat they pose. Enhanced Protection mode in Safe Browsing allows for deeper scans by sending suspicious files and passwords to Google's servers, with all data being deleted after scanning. Users in Standard Protection mode have their password-protected archives checked locally, with only metadata of archive contents verified against Safe Browsing. The update is part of ongoing improvements to Google Chrome's user safety features, aiming to reduce friction for users while enhancing protection against malicious downloads. Files and passwords shared with Google for scanning are promptly deleted to protect user privacy, and information is used solely to improve download protection measures. The recent changes have led to positive shifts in user behavior, with more timely adherence to warnings and fewer bypasses, indicating better compliance and safety awareness.