Daily Brief

Total articles found: 11833

2024-07-24 15:04:46 theregister MISCELLANEOUS Recent Windows Update Triggers BitLocker Recovery Screen Issue
Microsoft's latest Patch Tuesday update has caused some Windows devices to display the BitLocker recovery screen on reboot. The issue affects versions from Windows 10 21H2 to Windows 11 23H2 and from Windows Server 2008 to Windows Server 2022. Affected users must enter their BitLocker recovery key to start their devices, as Microsoft confirmed in an update on the Windows Release Health dashboard. Microsoft advises retrieving the BitLocker recovery key from a dedicated portal, which requires a Microsoft account. The recovery screen is uncommon after updates; in this case it is linked specifically to devices with the "Device Encryption" setting enabled. Microsoft is investigating the problem and has promised further updates as more information becomes available. The company has a history of updates that disrupt user access, including a past BitLocker vulnerability and the patch problems that followed in January. The recovery key requirement comes during a period of heightened sensitivity following a recent major IT outage, making the timing particularly impactful.
2024-07-24 14:18:28 bleepingcomputer MISCELLANEOUS Faulty Update Causes Millions of Windows Systems to Crash
CrowdStrike identified a bug in its Content Validator that let a problematic update pass, leading to crashes of millions of Windows systems on July 19, 2024. The faulty update was meant to enhance telemetry on new threat techniques but instead caused system crashes through an out-of-bounds memory read. Although earlier updates had been thoroughly tested, this update skipped additional verification and dynamic checks because previous deployments had succeeded. The update affected systems running Falcon sensor version 7.11 and later; CrowdStrike reverted it within an hour, but approximately 8.5 million systems had already been affected. The update was intended to improve detection of Named Pipe abuse by certain command-and-control frameworks, speculated to include Cobalt Strike. Following the incident, CrowdStrike plans additional safeguards for content updates, including enhanced validation checks and improved error handling. CrowdStrike has committed to a detailed investigation, with more information to be released once its internal review is complete.
2024-07-24 14:02:52 bleepingcomputer MISCELLANEOUS Preview of Mandiant's mWISE 2024 Cybersecurity Conference
Mandiant, now part of Google Cloud, is hosting the mWISE™ cybersecurity conference in Denver, Colorado on September 18-19, 2024. The conference is designed for frontline cybersecurity practitioners, with sessions focused on current, relevant issues. Nine content tracks will cover urgent issues in cybersecurity, including two new tracks specifically focused on AI. High-profile sessions include discussions of the use of generative AI in cybercrime, secure AI system design, and a revamped security control framework by Equifax. Sessions will explore methodologies for integrating new technologies into security programs without compromising safety. Discussions will also address building trust in collaborative environments and adapting zero-trust tactics based on firsthand experience combating the hacktivist group Killnet. Real-world case studies of recent breaches and the defensive tactics employed during cyber incidents will be highlighted. Special rates are available for early registrants, with a significant discount offered until August 12.
2024-07-24 13:32:07 theregister DATA BREACH Leak of Internal Documents from Pentagon IT Supplier Leidos
Leidos Holdings, a major IT services provider for the U.S. Department of Defense and other agencies, has had internal documents leaked. The documents reportedly do not contain sensitive customer data. They were stolen in an earlier attack on Diligent Corporation, a governance software provider. Leidos recently learned that the documents are now circulating publicly, although the original cyberattack occurred in 2022. A Leidos spokesperson confirmed that all required data breach notifications for the incident were made in 2023. Leidos used the leaked documents to store "information gathered in internal investigations," the exact nature of which remains uncertain. Leidos merged with Lockheed Martin's Information Systems & Global Solutions business in 2016, which significantly expanded its IT services capabilities. Following the incident, Leidos may face increased scrutiny from its government clients to prevent future security lapses.
2024-07-24 12:00:10 thehackernews MALWARE Telegram App Exploit Allows Stealth Malware Downloads via Video
A new zero-day security flaw in Telegram's Android app, dubbed "EvilVideo," lets attackers embed malware in files that appear to be ordinary videos. Discovered by ESET, the vulnerability was first offered for sale on an underground market in early June 2024 and was patched by Telegram in a July update. The exploit misuses Telegram's API to disguise malicious APK files as videos, tricking users into initiating the download by displaying error prompts that encourage use of an external player. Once executed, the APK, misleadingly named "xHamster Premium Mod," begins its malicious activity, which could include unauthorized installations and data breaches. The vulnerability affects only the Telegram Android application, not the web or Windows clients. In a related trend, cybercriminals are leveraging the popular Telegram-based game "Hamster Kombat" to distribute malware such as "Ratel" and to deploy fake app stores. Concerns are heightened by ESET's discovery of related malware, including the "BadPack" Android malware, which alters APK file headers to evade detection. The developments underscore ongoing risks in popular platforms and the need for heightened security measures and timely software updates.
2024-07-24 11:24:16 thehackernews MISCELLANEOUS How Trust Centers Can Drastically Reduce Security Questionnaires
Trust Centers provide a long-term solution to the high costs and inefficiencies of repeated security questionnaires, employing automation and simplification to streamline processes. SafeBase's Trust Center reduces the need for incoming questionnaires by up to 98%, allowing organizations to shift from a reactive request-driven approach to a proactive self-serve model. AI-powered tools and integrations like Chrome extensions enhance the functionality of Trust Centers, enabling organizations to answer residual questionnaires efficiently and within third-party risk management (TPRM) systems. Trust Centers not only cut down on manual labor but also serve as flexible, centralized hubs for accessing and managing security documentation, which boosts security transparency and integrity. Using Trust Centers helps organizations move away from the traditional Band-Aid solutions for handling security questionnaires by addressing the root issues of the security review process. SafeBase provides analytics tools within the Trust Center to help organizations measure the impact on security-driven revenue, buyer engagement, and operational efficiency. Organizations that implement Trust Centers can expect decreased dependency on security questionnaires, improved deal lead times, and better alignment of security efforts with overall business outcomes.
2024-07-24 10:02:36 thehackernews MISCELLANEOUS Enhancing Productivity and Security in SaaS Management
The surge in SaaS adoption primarily aims to boost productivity but raises significant security and governance challenges for IT teams. IT and finance leaders aim to reduce costs by managing over-deployed or underused SaaS licenses, estimated to be about 25% of all SaaS subscriptions. Nudge Security offers a solution by providing a comprehensive inventory of SaaS applications used within an organization, facilitating better SaaS management. By using tools such as Venn diagrams to illustrate user overlaps across similar apps, Nudge Security helps organizations reduce redundancy and manage app sprawl. Nudge Security also assesses the security profiles of SaaS vendors, aiding in the risk assessment of various providers and ensuring compliance with organizational security standards. The platform integrates usage, spend, and security data, helping organizations make informed decisions about reducing SaaS expenditures without impacting productivity. Features like alerts for new app introductions and directories of approved apps support ongoing SaaS governance and prevent unnecessary software proliferation. Nudge Security's approach aligns the efforts of finance and IT security teams by providing a unified view of SaaS usage, security, and costs, leading to more effective governance.
2024-07-24 09:47:08 thehackernews NATION STATE ACTIVITY Patchwork Hackers Exploit Tools in Targeted Attack on Bhutan
Patchwork, also known as APT-C-09, is a state-sponsored hacking group likely of Indian origin, active since at least 2009. The group targets entities with ties to Bhutan using Brute Ratel C4 and an updated backdoor, PGoShell. This marks the first instance of Patchwork using the Red Teaming software, Brute Ratel C4. Previous campaigns targeted universities and research organizations in China and used romance-themed lures in Pakistan and India. The initial attack vector involved a deceptive Windows shortcut file that downloads a decoy document while deploying malicious tools. PGoShell offers functionalities such as remote shell capabilities, screen capturing, and executing additional payloads. The same hacking group has previously been involved in campaigns using various other sophisticated malware and backdoors.
2024-07-24 08:35:25 theregister DATA BREACH UK School Illegally Uses Facial Recognition for Canteen Payments
The UK's Information Commissioner's Office (ICO) has reprimanded Chelmer Valley High School for unlawfully using facial recognition technology (FRT) to process canteen payments. This violation occurred because the school failed to conduct a Data Protection Impact Assessment (DPIA) and assess risks before implementing FRT, contrary to UK GDPR and the 2018 Data Protection Act. The ICO criticized the school for not obtaining clear consent to process students' biometric data and for not adequately involving parents or the school's data protection officer in the decision-making process. Despite past warnings from 2021 about similar practices in other schools, Chelmer Valley High School proceeded without proper consent, initially relying on "assumed consent," which is not legally valid. The ICO has provided recommendations for the school's future compliance but the situation raises ongoing concerns about the use of high-risk AI and biometric technologies in UK schools. Campaign group digitaldefendme has emphasized the severe implications of using such technology on children's rights and privacy, urging for better training and legal adherence in the education sector.
2024-07-24 08:35:25 thehackernews MISCELLANEOUS CrowdStrike Incident Causes Massive Windows System Crash
CrowdStrike's validation system error led to millions of Windows devices crashing after a content configuration update on July 19, 2024. The issue affected Windows hosts with sensor version 7.11 or higher during a specific one-hour window and did not impact Apple macOS or Linux systems. The crash was triggered by a Rapid Response Content update that contained unforeseen errors in a new Interprocess Communication Template Type. These updates, part of regular security measures, are designed to enhance telemetry and detect novel threat techniques, but this one resulted in a system crash. The problematic content caused an out-of-bounds memory read in the Content Interpreter's processing of Template Instance 291, producing a critical exception and a system crash. Following the incident, CrowdStrike enhanced its testing processes and error handling and is planning a staggered deployment strategy for future updates. The error underscores the challenges of deploying complex security measures without impacting system stability.
2024-07-24 06:38:16 theregister MISCELLANEOUS Google's reCAPTCHA Critiqued as Exploitative, Ineffective by Study
University of California, Irvine researchers challenge the efficacy and intent behind Google's reCAPTCHA, suggesting it exploits users for profit rather than providing security. AI models now solve CAPTCHA challenges with high accuracy, calling reCAPTCHA's role in combating bots and automated abuse into question. Over 819 million hours and an estimated $6.1 billion in human labor have been spent solving reCAPTCHA puzzles, with Google potentially profiting immensely from the associated data. The findings highlight reCAPTCHA v2's weaknesses, with some challenge types solvable by AI almost 100% of the time, casting doubt on its actual security value. Users reportedly find image CAPTCHA puzzles particularly annoying and less user-friendly, scoring them lower on usability scales. The study also underscores a substantial environmental and economic impact from reCAPTCHA traffic, including significant energy consumption and CO2 production. The researchers argue for a reevaluation of CAPTCHA as a security measure, advocating that responsibility shift away from users toward service providers like Google.
2024-07-24 06:17:40 thehackernews MALWARE Microsoft Defender Exploit Used to Deploy Stealthy Stealers
A critical flaw in Microsoft Defender SmartScreen, tracked as CVE-2024-21412, was exploited to deliver malware including ACR Stealer, Lumma, and Meduza Stealer. Fortinet FortiGuard Labs discovered the campaign, which targeted users in the U.S., Spain, and Thailand with malicious files exploiting the high-severity vulnerability. The attack sequence starts with a booby-trapped link pointing to a URL file, which leads to the download of an LNK file, which in turn fetches an executable containing a script for further malicious activity. Microsoft patched the vulnerability in its February 2024 updates after the exploit was discovered and reported. ACR Stealer hides its command-and-control communications behind the Steam community website, which complicates efforts to disrupt its control over compromised systems. Cyber adversaries are increasingly using malvertising and SEO poisoning to deploy new malware variants such as Atomic Stealer by presenting them as legitimate software downloads. Recent events highlight the rising sophistication and resilience of cybercriminal operations aimed at stealing sensitive data from compromised systems.
2024-07-24 06:02:10 thehackernews NATION STATE ACTIVITY CISA Updates Exploited Vulnerabilities Catalog with New Entries
CISA added CVE-2012-4792 and CVE-2024-39891 to its Known Exploited Vulnerabilities catalog due to evidence of active exploitation. CVE-2012-4792 is a decade-old use-after-free issue in Internet Explorer, previously used in targeted attacks on the CFR and Capstone Turbine websites. CVE-2024-39891 is an information disclosure flaw in Twilio's Authy, exploited to discern if phone numbers are registered with Authy. Both vulnerabilities are considered serious threats to federal systems, prompting urgent remediation guidance by August 13, 2024. Twilio has patched the Authy vulnerability in recent app updates to mitigate risks. These vulnerabilities highlight ongoing concerns around legacy software vulnerabilities and information security in widely used applications.
2024-07-24 05:21:21 theregister MISCELLANEOUS CrowdStrike Software Glitch Causes Global Windows Crash
A critical flaw was found in CrowdStrike's test software, leading to a significant outage affecting 8.5 million Windows machines globally. The problem arose from a bug in the "Content Validator" software component, which failed to detect problematic data within a newly released template. The incident occurred after the implementation of an "InterProcessCommunication (IPC) Template Type" designed to identify attacks involving Named Pipes. Despite successful tests of similar updates earlier in the year, the July 19 template release contained errors, overlooked due to the Content Validator malfunction, resulting in system crashes. CrowdStrike has acknowledged the fault and has committed to enhancing testing protocols, staggering update releases, and giving customers more control over update deployments. Promises include more rigorous testing, user control over deployments, detailed release notes, and a forthcoming comprehensive root cause analysis once the internal investigation concludes.
2024-07-24 05:00:41 theregister CYBERCRIME Security Firm Unwittingly Hires North Korean Imposter as IT Worker
KnowBe4, a security training provider, mistakenly hired a fake North Korean IT technician who then initiated malicious activities. Despite undergoing multiple video interviews and background checks, the applicant's true identity, using a stolen U.S. ID and AI-altered photo, went undetected. The imposter was sent a Mac workstation, which began loading malware upon setup, detected promptly by KnowBe4’s security systems. KnowBe4’s security operations center addressed the malware issue within 25 minutes, preventing any illegal access or data compromise. Investigations suggested the laptop was part of an “IT mule laptop farm” likely located in North Korea or China, used to disguise location and engage in cybercrime. The FBI has been alerted to the incident, highlighting international dimensions of cybersecurity threats. CEO Sjouwerman emphasized the importance of monitoring devices with remote access and strengthening vetting processes to prevent similar incidents.