Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 12797

Checks for new stories every ~15 minutes

2024-09-13 22:56:32 bleepingcomputer RANSOMWARE Port of Seattle Suffers Disruptions from Ransomware Attack
The Port of Seattle confirmed a ransomware attack orchestrated by the Rhysida group affected its operations for three weeks. The cyberattack initially reported on August 24 led to IT disruptions, impacting flight check-ins and reservations at Seattle-Tacoma International Airport. Key services like baggage handling, ticketing, and online services like the Port's Wi-Fi and website were significantly disrupted. Despite the severe impact, the Port decided not to pay the ransom, focusing instead on restoring affected services without complying with the criminals' demands. Most of the compromised systems were brought back online within a week, although full functionality for certain services is still in the process of being restored. The ransomware group behind the attack, Rhysida, has been active since May 2023 and has targeted various sectors including healthcare, defense, and entertainment. The Port is working under the guidance of cybersecurity professionals and law enforcement agencies to secure its systems and investigate the breach.
2024-09-13 21:14:26 bleepingcomputer DATA BREACH TfL In-Person Password Resets Mandated After Cyberattack
Transport for London (TfL) mandates in-person password resets for 30,000 staff following a recent cybersecurity breach. This stringent measure follows a cyberattack disclosed two weeks prior, which impacted TfL's internal systems and online services but not the transportation operations. Customer data, including names, contact details, and addresses, was compromised, necessitating direct contact with affected users about data protection steps. Ongoing system disruptions have hindered TfL’s ability to handle customer requests and process contactless journey refunds. A 17-year-old from Walsall was arrested by the UK's National Crime Agency, suspected of connection to the TfL and other high-profile cyberattacks. Prior incidents include an earlier data breach in May 2023 where a ransomware gang accessed customer data from TfL’s managed file transfer servers. Despite assurances of secure network operations, the situation remains a significant concern for both employees’ and customers’ data security.
2024-09-13 19:01:59 bleepingcomputer DATA BREACH 23andMe Settles for $30 Million Over Massive Data Breach
23andMe has agreed to a $30 million settlement after a data breach affected 6.4 million customers. The breach involved unauthorized access through credential stuffing, exposing personal and genetic information. The settlement includes cash payments to impacted customers and mandates enhanced security measures. Measures include anti-credential stuffing protections, mandatory two-factor authentication, and annual cybersecurity audits. 23andMe is required to implement a robust incident response plan and halt data retention for inactive accounts. Despite the settlement, 23andMe denies any wrongdoing and liability in failing to protect customer data. Information compromised in the breach was reportedly offered for sale on the dark web, leading to multiple lawsuits. The settlement awaits judicial approval and aims to compensate affected parties and prevent future breaches.
2024-09-13 18:26:03 theregister DATA BREACH Feeld Dating App Exposes Private User Data and Conversations
Security flaws in Feeld dating app revealed potential access to highly sensitive user data, including private messages and media. The app, catering to individuals interested in non-traditional relationship models, lacked robust security measures to protect user information. Research by UK-based Fortbridge exposed eight critical vulnerabilities, allowing interception of data and manipulation of user functions such as messaging and profile viewing. Exploits included accessing private chats, media configured to disappear, and impersonating other users within the chat. Despite reporting the vulnerabilities to Feeld in March, necessary security fixes were delayed, with minor updates focused on new features rather than addressing the security issues. The absence of end-to-end encryption and simple exploitation methods pose significant risks of personal data misuse and privacy violations. The delay in addressing these security issues has led to user dissatisfaction, despite the company claiming to have mitigated the vulnerabilities.
2024-09-13 17:39:45 bleepingcomputer CYBERCRIME Ivanti Confirms Active Exploitation of High Severity CSA Flaw
Ivanti reported active exploitation of a high-severity vulnerability in its Cloud Services Appliance (CSA). The vulnerability, identified as CVE-2024-8190, allows remote attackers with admin rights to execute code remotely. CSA users are urged to upgrade from version 4.6.x to 5.0 to mitigate the security risk. Dual-homed CSA configurations present a reduced risk, and users should review admin user settings and system logs. The flaw, along with other vulnerabilities, was added to CISA’s Known Exploited Vulnerabilities catalog, requiring federal agencies to patch their systems by October 4. Ivanti has improved its internal scanning and testing to enhance the discovery and disclosure process of such vulnerabilities. This comes after a series of fixes to other related products, emphasizing the ongoing threat landscape and efforts for better security.
2024-09-13 17:09:00 bleepingcomputer MALWARE New Hadooken Malware Targets Oracle WebLogic Servers
New Linux malware, called "Hadooken," targets Oracle WebLogic servers to deploy cryptominers and initiate DDoS attacks. The attackers gain initial access through weak credentials, and that foothold could potentially be used to execute ransomware on Windows systems as well. Oracle WebLogic is widely used in critical sectors such as finance and government, and its ample compute resources make it an attractive target for cryptomining. Once inside the system, attackers use scripts to propagate the Hadooken malware, which also tries to access SSH data and infect other servers. The malware disguises its processes as legitimate, making detection and removal challenging, and also cleans logs to hinder forensic efforts. Researchers noted potential links between Hadooken and known ransomware families, suggesting further malicious uses of the malware could emerge. Over 230,000 WebLogic servers are exposed online, amplifying the potential impact of the malware; the Aqua Security report details defensive strategies.
2024-09-13 15:26:53 bleepingcomputer CYBERCRIME Kawasaki Motors Europe Targeted in RansomHub Cyberattack
Kawasaki Motors Europe experienced a cyberattack at its EU headquarters, which was targeted by the RansomHub ransomware gang. The attack led to temporary isolation of the company's servers and a comprehensive cleansing procedure to remove any potential malware. RansomHub has threatened to release 487 GB of stolen data unless their demands are met by the set deadline. Kawasaki's IT staff, alongside external cybersecurity experts, are working on restoring server infrastructure, with 90% expected to be operational by next week. Business operations, including dealership network, third-party suppliers, and logistics, reportedly remain unaffected by the cyber incident. The breach is part of a larger pattern of attacks by RansomHub, which has grown more active and threatening following the shutdown of the BlackCat/ALPHV ransomware operation. Authorities remain concerned as RansomHub has significantly targeted critical U.S. infrastructure sectors, accumulating over 210 victims since its inception.
2024-09-13 13:55:03 thehackernews CYBERCRIME Apple Vision Pro Patch Fixes Gaze-Controlled Keyboard Vulnerability
A security flaw in the Apple Vision Pro headset allowed attackers to infer keystrokes from users’ eye movements. The vulnerability, identified as CVE-2024-40865, could exploit the gaze-controlled virtual keyboard when avatars are shared. Researchers from the University of Florida developed an attack called GAZEploit, showcasing how biometric data from eye movements could reconstruct typed text. Apple addressed the flaw with an update in visionOS 1.3 on July 29, 2024, by suspending the vulnerable component while the virtual keyboard is in use. The attack involved using a supervised learning model to analyze the eye gaze data to interpret keystrokes, differentiating between activities like typing and other virtual tasks. This represents the first known instance where gaze information leakage has been used to remotely deduce keystrokes, posing significant privacy and security implications.
2024-09-13 13:34:28 thehackernews CYBERCRIME Teen Arrested for Cyber Attack on London Transport System
British authorities detained a 17-year-old from Walsall suspected of launching a cyber attack on Transport for London (TfL) on September 1, 2024. The arrest occurred on September 5, following the attack's immediate investigation by the National Crime Agency (NCA). TfL confirmed the attack led to unauthorized access to customer data, including bank details for approximately 5,000 individuals. No noteworthy impact on customers has been reported yet, although the situation is described as evolving, with ongoing investigations. The teenager was interrogated and later released on bail; the investigation remains active with TfL's cooperation. Deputy Director Paul Foster emphasized the disruption such attacks can cause to public infrastructure and commended the swift response of TfL. The same individual was previously linked to another case involving a ransomware attack on MGM Resorts attributed to the Scattered Spider group. Scattered Spider, known for targeting cloud infrastructures, is associated with various cybercrimes and sophisticated social engineering tactics.
2024-09-13 11:21:58 thehackernews MALWARE TrickMo Trojan Targets Android Users with Advanced Fraud Techniques
Cybersecurity experts discovered a new variant of TrickMo, a banking trojan exploiting Android accessibility services to commit on-device banking fraud. The malware uses obfuscation techniques including malformed ZIP files and JSONPacker to evade detection and analysis efforts by cybersecurity professionals. TrickMo can capture banking credentials through HTML overlay attacks, intercept SMS and notifications for two-factor authentication codes, and perform unauthorized actions using victim's devices. Originally identified in 2019 and linked to the TrickBot e-crime gang, TrickMo has evolved with capabilities to record screen activity, log keystrokes, harvest data, and remotely control infected devices. The malicious app, disguised as the Google Chrome browser, deceives users into enabling extensive permissions under the guise of updating Google Play Services, which facilitates further malicious activities. Researchers at Cleafy revealed misconfigurations in TrickMo's command-and-control server, exposing 12 GB of sensitive data including stolen credentials and personal information, susceptible to further exploitation. The exposure of such extensive data risks identity theft, unauthorized transactions, and has severe long-term consequences for victims, impacting financial and reputational integrity. This disclosure coincides with Google's efforts to tighten security on sideloaded apps through the Play Integrity API to ensure apps are downloaded from official Play Store.
2024-09-13 11:11:36 thehackernews CYBERCRIME Critical Flaws in WhatsUp Gold Exploited Hours After Disclosure
Malicious actors exploited vulnerabilities in Progress Software WhatsUp Gold shortly after a proof-of-concept (PoC) was publicized. The critical flaws, identified as CVE-2024-6670 and CVE-2024-6671 with a CVSS score of 9.8, enable an unauthenticated attacker to retrieve encrypted passwords. Attacks began on August 30, 2024, just five hours after the PoC release, as organizations struggled to apply patches in time. Threat actors exploited WhatsUp Gold systems to download various remote access tools, such as Atera Agent and Splashtop Remote, establishing persistence on attacked systems. The exploited vulnerabilities had been patched by Progress in mid-August 2024, but the PoC publication led to immediate exploitation. There is a potential link to ransomware actors given the nature of the attack and the tools deployed. This incident marks another instance of WhatsUp Gold vulnerabilities being weaponized, following similar past exploits.
2024-09-13 11:01:14 thehackernews CYBERCRIME Beyond Identity Offers Robust Phishing-Resistant Security Tools
Phishing with deceptive sites and messages remains the primary method for stealing user credentials, posing significant security risks. Traditional security measures including user training and basic multi-factor authentication (MFA) are insufficient in completely eliminating credential theft. Beyond Identity employs public-private key cryptography, eliminating shared secrets that could be intercepted, and uses secure enclaves to protect private keys. The Platform Authenticator prevents verifier impersonation and ensures authentication requests originate from legitimate sources. Beyond Identity's solution eliminates credential stuffing by removing passwords from the authentication process and replacing them with more secure alternatives. Push bombing attacks are mitigated by avoiding reliance on push notifications and implementing phishing-resistant MFA with comprehensive device security checks. Beyond Identity enhances security by ensuring device compliance during authentication and continuously during active sessions, leveraging real-time device risk data. The solution integrates disparate risk signals for adaptive, risk-based access, allowing continuous authentication and comprehensive risk compliance.
2024-09-13 05:40:06 thehackernews MALWARE New Linux Malware Targets Oracle Weblogic for Crypto Mining
Cybersecurity experts reveal a malware campaign exploiting Linux systems running Oracle Weblogic to initiate illicit cryptocurrency mining. Named Hadooken, the malware deploys a crypto miner and a DDoS botnet called Tsunami after gaining access via security vulnerabilities and weak system credentials. The attack drops two payloads, one written in Python and one as a shell script, which download and execute the malware from remote servers. The malware performs lateral movement within the network to expand its reach and further spread Hadooken. It seeks to establish long-term persistence on infiltrated systems by scheduling recurring tasks to run the crypto miner. Associated IP addresses are linked to a hosting provider known for connections to cybercrime, as per recent security reports. Researchers indicate the operation likely ties back to a continuously expanding network facilitated by the recruitment of young developers in cybercrime-friendly hosting environments.
2024-09-13 05:34:48 theregister CYBERCRIME U.S. Sanctions Cambodian Senator for Forced Labor Cyber Scams
The U.S. Department of the Treasury’s Office of Foreign Assets Control has sanctioned Cambodian senator Ly Yong Phat for involvement in severe human rights abuses associated with forced labor and cyber scams. Ly Yong Phat reportedly owns the L.Y.P. Group, which operates the O Smach Resort, alleged to be a center for online scam operations exploiting trafficked workers. Victims were enticed to the resort with fake job offers, then coerced into promoting fraudulent investment schemes in cryptocurrency and foreign exchange under harsh conditions. Reports indicate that workers faced physical abuse, had their documents seized, and were forced to work under threat; some victims attempted desperate escapes, including fatal jumps. Rescue missions by Cambodian authorities have freed numerous victims from diverse nationalities, trapped under dire circumstances at the resort. Following the sanctions, any U.S. assets owned by Ly Yong Phat are frozen, and U.S. entities are barred from conducting business with him without special authorization. The scenario reflects a broader regional issue, with similar cyber scam operations and forced labor camps reported in the Philippines and Myanmar, impacting diplomatic relations and regional security.
2024-09-13 04:53:54 theregister MISCELLANEOUS Australia Introduces Stringent Laws to Curb Big Tech's Influence
Australian Prime Minister Anthony Albanese announced plans to introduce a minimum social media age of 16 to protect childhood experiences, with legislation expected before the next election. Meta admitted during a parliamentary committee that it has used Australians' posts to train AI models without explicit consent since 2007. The Australian government is considering implementing a levy on Big Tech firms for using local content and possibly for AI training, in response to Meta stopping payments to local publishers. New privacy legislation will include measures to combat data breaches and make doxxing illegal, alongside updates to hate crime laws to include online activities. Australia will enforce digital platforms to disclose their management of misinformation and disinformation, with a government-created code if voluntary compliance fails. The government proposed an anti-scam framework targeting digital platforms, suggesting fines up to AUD$50 million for non-compliance. The series of proposed laws and regulations suggest a robust governmental stance on regulating Big Tech's operations in Australia, potentially setting a trend for global digital policy.