Daily Brief

2024-09-03 17:17:40 bleepingcomputer DATA BREACH Clearview AI Hit with €30.5 Million Fine for Privacy Invasions
The Dutch Data Protection Authority fined Clearview AI €30.5 million for illegally collecting biometric data. Clearview AI’s technology involves scraping public internet sources to create a database of facial images without user consent. The database comprises over 30 billion photos, including those of Dutch citizens, which are used to generate unique biometric codes. This practice has raised significant privacy and ethical concerns, particularly around the absence of individual consent. Other European authorities, including those in Italy and France, have also fined Clearview AI for similar GDPR violations. Clearview AI argues that it is not subject to GDPR because it has no business presence or customers in the EU. The Dutch DPA threatens an additional fine of €5.1 million if Clearview AI continues its current practices without compliance changes.
2024-09-03 15:50:46 bleepingcomputer MALWARE D-Link Not Fixing Critical Flaws in Unsupported Routers
D-Link has announced it will not fix four critical remote code execution (RCE) flaws in all hardware and firmware versions of its DIR-846W router. The decision is based on the company’s end-of-life and end-of-support policies, which halt firmware updates for products no longer supported. Three of the four vulnerabilities are rated critical and can be exploited without authentication. Although the DIR-846W routers are primarily sold outside the U.S., they are still available in markets like Latin America, posing a significant security risk globally. Security researchers have withheld proofs of concept, but the vulnerabilities are public, increasing the risk of exploitation. D-Link recommends users retire the affected routers immediately and upgrade to supported models to mitigate risks. The company also suggests updating firmware, using strong passwords, and enabling WiFi encryption as interim protective measures. Vulnerable routers like DIR-846W are targets for malware botnets, such as Mirai and Moobot, which can lead to larger cybersecurity incidents involving DDoS attacks and password theft.
2024-09-03 15:40:25 theregister DATA BREACH Clearview AI Fined $33 Million by Dutch DPA for Privacy Violations
The Dutch Data Protection Authority (DPA) imposed a €30.5 million ($33 million) fine on Clearview AI for illegally collecting and storing facial images without consent. Clearview AI's technology scrapes the internet for publicly available photos to add to its database, which reportedly contains over 50 billion images. The Dutch DPA highlighted that Clearview AI's actions violate the General Data Protection Regulation (GDPR), under which individuals should be informed about and have access to their data. Clearview AI asserts that it does not operate within the EU and that GDPR therefore does not apply to it, challenging the enforceability of the decision. The Dutch DPA also threatened additional penalties of up to €5.1 million if Clearview fails to cease its alleged violations. There are considerations to hold Clearview's management personally accountable for continued GDPR violations, increasing regulatory pressure on the company. Clearview AI's use by government agencies is promoted as a means to enhance law enforcement efficiency, though this practice has stirred significant privacy concerns globally.
2024-09-03 15:19:34 bleepingcomputer DATA BREACH Verkada Settles for $2.95 Million After Security and Privacy Failures
Verkada agreed to pay $2.95 million to settle allegations by the FTC related to major security breaches and violations of the CAN-SPAM Act. The settlement requires Verkada to develop a comprehensive information security program and undergo regular security assessments. Hackers exploited vulnerabilities in Verkada’s systems, gaining admin-level access and extracting sensitive data from 150,000 live camera feeds. The breaches included unauthorized access to environments like health clinics and schools, raising significant privacy concerns. The FTC criticized Verkada for deceptive practices about its product’s security features and compliance with privacy standards like HIPAA. Verkada is now mandated to include clear opt-out options in promotional emails as part of CAN-SPAM Act compliance. The company is also prohibited from making false claims about its privacy and security standards, and must report future security breaches to the FTC within 10 days. Despite settling, Verkada does not admit to the FTC’s allegations but has agreed to comply with the order's terms.
2024-09-03 13:32:35 thehackernews NATION STATE ACTIVITY Hacktivist Group Exploits WinRAR Flaw to Target Russia, Belarus
Head Mare, a hacktivist group active since 2023, targets organizations in Russia and Belarus using advanced cyberattack methods. The group exploits the CVE-2023-38831 vulnerability in WinRAR to execute arbitrary code and deliver malicious payloads. Attacks focus on sectors including government, transportation, energy, manufacturing, and the environment. Unlike typical hacktivist actions, Head Mare also employs ransomware tactics, encrypting victims' devices and demanding ransoms. The group uses custom malware like PhantomDL and PhantomCore for backdoor access and remote operations, and disguises malicious activity behind deceptive file names like OneDrive.exe and VLC.exe. It deploys various tools for discovery, lateral movement, and credential harvesting, including Sliver, rsockstun, ngrok, and Mimikatz. Attacks culminate in the deployment of ransomware (LockBit or Babuk) and a ransom note, using tactics similar to those of other groups active in the region. Head Mare distinguishes itself through its custom-made malware and its exploitation of a recent vulnerability in phishing campaigns.
2024-09-03 13:22:00 thehackernews MALWARE New Cicada3301 Ransomware Attacks Target Windows, Linux Systems
Cicada3301 is a new ransomware variant targeting small to medium-sized businesses, exploiting vulnerabilities for initial access. This Rust-based ransomware can affect both Windows and Linux/ESXi systems and first appeared in June 2024. It shares features with the defunct BlackCat ransomware, including the use of ChaCha20 encryption, manipulation of system utilities, and remote execution via PsExec with compromised credentials. Cicada3301 operates as a Ransomware-as-a-Service (RaaS) platform, advertised on the RAMP underground forum. It implements tactics like encrypted file redirection, service disruption to facilitate file encryption, and clearing of event logs to obscure traces. It features intermittent encryption for large files and avoids shutting down running VMs during file encryption. Morphisec's research indicates potential collaboration between Cicada3301 and the operators of the Brutus botnet for network access, with techniques to bypass endpoint detection and response (EDR) systems.
2024-09-03 13:01:19 bleepingcomputer DATA BREACH Halliburton Confirms Data Theft in Recent Ransomware Attack
Halliburton reported to the SEC that sensitive data was stolen in a cyberattack attributed to the RansomHub ransomware gang. The company detected unauthorized system access and is currently assessing the scope and nature of the data breach. Operational disruptions were confirmed, affecting Halliburton’s business applications and corporate functions. Security measures included taking certain systems offline and contracting Mandiant for investigation and remediation. There is ongoing communication with customers and stakeholders, although the impact on Halliburton's financials is expected to be non-material. Potential risks include litigation and shifts in customer behavior due to the breach and subsequent operational issues. Halliburton’s management continues to evaluate the necessity of notifying affected parties and regulatory requirements.
2024-09-03 09:42:14 theregister CYBERCRIME Transport for London Hit by Cyberattack, No Data Breach Reported
Transport for London (TfL) is currently managing a cyber security incident affecting its operations. TfL has taken immediate steps to secure its systems and prevent further unauthorized access. No customer data has been reported as compromised according to TfL's initial assessment. TfL services are operating normally with no disruptions reported. The incident has mainly impacted backroom systems at TfL’s corporate headquarters; staff were advised to work from home. TfL is collaborating with the National Crime Agency and the National Cyber Security Centre to address the incident. The Oyster and Contactless payment systems were taken offline for maintenance, likely as a precautionary measure related to the cyberattack.
2024-09-03 09:42:13 thehackernews MALWARE Rocinante Trojan Targets Brazilian Bank Customers via Android Apps
A new malware called Rocinante is targeting Brazilian Android users by masquerading as legitimate banking applications. The trojan performs malicious activities such as keylogging, phishing, and device takeover using the Accessibility Service on Android devices. Rocinante can steal personally identifiable information (PII) and send it to criminals via a Telegram bot. The malware affects prominent Brazilian financial institutions and mimics apps from banks like Itaú Shop and Santander. Analysts link Rocinante to a malware operator known as DukeEugene, who also created similar malware strains including ERMAC and BlackRock. Source code leaks of ERMAC in 2023 have potentially influenced the development of Rocinante. Rocinante is distributed through phishing sites that trick users into downloading counterfeit apps, which then request accessibility service privileges. The article also highlights the presence of other malware threats in Spanish- and Portuguese-speaking regions, including a campaign using malicious browser extensions targeting users in LATAM.
2024-09-03 08:56:17 theregister MISCELLANEOUS Grey Matter ISV Partner Day Focuses on Microsoft Technologies
The Grey Matter ISV Partner Day is targeting Microsoft-focused ISVs, SaaS providers, and application builders in the UK and Ireland. Scheduled for 9 October at Select Car Leasing Stadium in Reading, the event offers a free learning platform with a focus on the latest Microsoft technologies. Attendees will benefit from twelve sessions across three content tracks, covering diverse topics such as data, AI, and cloud security. Specialized insights on products like GitHub and Microsoft Mapping, along with Azure cloud platform optimization and management, will be delivered. High-profile experts such as Gina Shobrook and Clemens Schotte will share their expertise on FinOps principles and the utilization of Azure Maps for location intelligence applications, respectively. Hands-on sessions will also cover vulnerability scanning, security awareness training, and the use of GitHub Copilot. Sales and marketing strategies to enhance digital transformation and go-to-market plans will be discussed by industry professionals like Sam Wijeyakumar. Registration for the event closes on 27 September, with a link provided for potential attendees to sign up.
2024-09-03 07:34:33 thehackernews DATA BREACH The Hidden Dangers of Secrets in Collaboration Tools
A single leaked secret in Slack led to the exfiltration of vast customer data, impacting a major data analytics company. Secrets, such as API keys and access tokens, are critical and proliferate through various collaboration tools beyond just source code repositories. CyberArk reports that machine identities significantly outnumber human identities, making secret management more crucial and complex. Collaboration platforms like Slack, Jira, and Microsoft Teams, though productivity-enhancing, pose risks for unintended data breaches due to their use for sharing secret information. GitGuardian’s analysis reveals that both low-level and high-severity secrets commonly reside in these collaboration tools, enhancing risk profiles. Organizations are advised to extend their secrets detection capabilities beyond code repositories to include real-time monitoring of collaboration tools. Cultural shifts towards greater awareness and proactive management of secret information within enterprises are essential to strengthen cybersecurity defenses.
2024-09-03 04:05:50 thehackernews MALWARE Critical Vulnerabilities Found in Microsoft macOS Applications
Eight security flaws discovered in Microsoft apps for macOS could allow hackers to bypass OS security features and access user data. The vulnerabilities affect popular Microsoft applications including Outlook, Teams, Word, Excel, PowerPoint, and OneNote. Exploitation could enable attackers to perform actions like sending emails, recording audio, and taking pictures without user consent. The Transparency, Consent, and Control (TCC) framework, which is designed to manage app permissions on macOS, is circumvented by these flaws. Attackers can inject malicious libraries into these apps to reuse the permissions already granted to them and access sensitive information. Microsoft considers these vulnerabilities "low risk" and has made fixes in its OneNote and Teams applications. There are challenges in securing plugins within the current macOS framework; notarization of third-party plugins is suggested but complex. The flaws primarily allow attackers with existing access to the system to escalate privileges by exploiting app permissions.
2024-09-03 02:03:42 thehackernews CYBERCRIME Former Engineer Faces Charges for $750K Bitcoin Extortion Bid
Daniel Rhyne, 57, from Missouri, was arrested for attempting to extort $750,000 in Bitcoin from his former employer. Rhyne is charged with extortion, intentional damage to a protected computer, and wire fraud, and faces up to 35 years in prison. He was formerly employed as a core infrastructure engineer at an unnamed industrial company in New Jersey. The extortion involved threats to shut down company servers and delete data backups unless a ransom of 20 bitcoins was paid. Rhyne allegedly gained unauthorized access by using a hidden virtual machine and modifying administrative passwords. The extortion demand was traced back to an email address controlled by Rhyne. He used specific tools like Windows' net user and Sysinternals Utilities' PsPasswd for unauthorized access and modifications. The disruptions were intended to escalate over 10 days, threatening increasing damage to extort the ransom.
2024-09-02 18:25:12 bleepingcomputer CYBERCRIME Transport for London Grapples with Unresolved Cybersecurity Incident
Transport for London (TfL) is currently addressing an active cyber security incident. Despite the ongoing incident, TfL confirms that there has been no disruption to its transportation services. According to TfL, there is no evidence suggesting any compromise of customer data. Immediate measures have been implemented by TfL to secure its systems and prevent further unauthorized access. TfL is collaborating with the National Crime Agency and the National Cyber Security Centre to manage the situation. The incident was promptly reported to the appropriate government authorities, underscoring its seriousness. Shashi Verma, TfL’s chief technology officer, communicated the steps taken to mitigate and control the incident, reinforcing commitments to system and data integrity.
2024-09-02 16:41:21 theregister CYBERCRIME Telegram CEO Charged in France Amid Content Moderation Dispute
Telegram CEO Pavel Durov was arrested and charged by French authorities over alleged misuse of the messaging platform. Russian Foreign Minister Sergey Lavrov suggested Durov's liberal approach to content moderation led to his legal troubles in France. Durov, who was released on €5 million bail, faces restrictions including a ban on leaving France and mandatory police reporting. The charges relate to claims that Telegram was used for drug trafficking, cyber-bullying, organized crime, and spreading child sexual abuse material. The Kremlin has expressed hope that Durov’s case will not evolve into political persecution, despite ongoing pressure on the tech entrepreneur. French President Macron denied political motives behind Durov’s arrest, emphasizing France’s commitment to legal procedures and freedom of expression. Telegram defended its moderation policies, stating compliance with EU laws and ongoing improvements to meet industry standards.