Daily Brief

2024-08-26 14:27:04 thehackernews DATA BREACH Uber Fined €290 Million for GDPR Violations on Data Transfers
The Dutch Data Protection Authority imposed a €290 million fine on Uber for GDPR violations related to transferring European driver data to the U.S. The data included sensitive information such as driver licenses, location data, payment details, and, in some cases, criminal and medical data. The Dutch regulator condemned Uber for not using appropriate mechanisms like Standard Contractual Clauses post-EU-U.S. Privacy Shield invalidation in 2020. Uber ended data transfers to the U.S. and has transitioned to using a new framework, the E.U.-U.S. Data Privacy Framework, introduced in July 2023. Uber contests the fine, asserting that its data transfer processes complied with GDPR regulations. The company was previously fined €10 million for not fully disclosing data retention periods and the specifics of international data sharing. This case highlights ongoing concerns about U.S. surveillance and the privacy of European data when stored outside the EU.
2024-08-26 14:01:26 bleepingcomputer MISCELLANEOUS Addressing Security Risks in Hybrid and Remote Work Settings
Remote work introduces significant risks including the use of unvetted software and exposure to scams outside traditional office protections. Hybrid employees using personal devices and networks increase the risk of shadow IT, potentially exposing corporate data to unauthorized use. Home networking devices often remain at default security settings, making them vulnerable to attacks like man-in-the-middle or evil twin. Public Wi-Fi networks used by remote workers can allow malicious entities to steal sensitive information and credentials. The lack of consistent software updates and patch management on personal devices can lead to malware infections that may spread across networks. Corporate data is now accessed through potentially insecure home and public internet connections, increasing the challenge of safeguarding information. Enterprises can mitigate these risks by focusing on securing endpoint devices directly and employing stringent security protocols and education. ThreatLocker’s eBook provides strategies to manage remote work security effectively, including preventing malware execution and securing network-connected devices.
2024-08-26 13:10:14 bleepingcomputer CYBERCRIME Seattle-Tacoma Airport Disrupted by Suspected Cyberattack
Seattle-Tacoma International Airport experienced major IT outages likely caused by a cyberattack, affecting check-in systems and causing flight delays. The cyberattack forced the airport to isolate critical systems to mitigate further damage, significantly disrupting operations over the weekend. Despite the IT issues, physical flight operations remained unaffected; however, some passengers experienced significant delays. Alaska Airlines reported disruptions in its baggage sorting capabilities, advising passengers to carry minimal essentials and avoid checking bags. The airport and Port of Seattle have not provided an estimated time for when systems will be fully restored, urging travelers to use airline apps for check-in and other information. The FBI is involved, working to ascertain the specifics of the incident, though no cybercriminal group has claimed responsibility for the attack. The airport continued to update the public via social media, recommending that travelers check in online and arrive early due to ongoing system interruptions.
2024-08-26 13:04:57 theregister DATA BREACH Massive Exposure of 31.5 Million Business Documents on Public Database
Nearly 2.7 TB of sensitive data including invoices, contracts, and HIPAA patient consent forms were exposed on an unprotected internet database. The data mishap affected ServiceBridge, a software-as-a-service provider, exposing significant business documents dating back to 2012. Security researcher Jeremiah Fowler discovered the breach, highlighting the potential for significant invoice fraud and phishing scams. Exposed documents also included personal customer information such as partial credit card numbers and contact details. Upon discovery, ServiceBridge was notified and the database was promptly secured, though the company has not publicly responded to the incident. The breach has serious implications for both the privacy of individuals and the security of businesses, increasing the risk of fraud and regulatory penalties. Fowler's findings underscore the need for businesses to enhance data protection measures and ensure quick, transparent communication with customers about data security incidents.
2024-08-26 10:36:28 thehackernews CYBERCRIME Researchers Discover Critical Vulnerabilities in MLOps Platforms
Cybersecurity researchers have identified more than 20 vulnerabilities within machine learning software supply chains, potentially impacting MLOps platforms. These vulnerabilities range from arbitrary code execution to the introduction of malicious datasets, rooted in both inherent and implementation-based flaws. Inherent flaws include issues like automatic code execution through model and dataset formats, while implementation flaws include weaknesses like insufficient authentication and container escapes. Notably, a cross-site scripting (XSS) vulnerability in MLflow allows for client-side code execution in JupyterLab, posing significant security risks. A lack of proper security measures in MLOps platforms could allow attackers to deploy malware, including cryptocurrency miners, as demonstrated by attacks on the unpatched Anyscale Ray platform. Attackers could potentially exploit these vulnerabilities to infiltrate networks, escalate privileges, and access sensitive data or computing resources across an organization. The research emphasizes the critical need for robust security frameworks in deploying ML models and platforms, advising isolation and hardening of operational environments to prevent breaches.
2024-08-26 10:36:28 thehackernews DATA BREACH Mitigating Risks in Business Communications with SalaX 2024
Disney recently suffered a significant data breach through their Slack channels, exposing over 1.2 terabytes of sensitive data to a hacktivist group called NullBulge. Other major companies, including Uber, Rockstar Games, Electronic Arts, and Cisco Webex, have also experienced breaches through commonly used collaboration tools. Slack, Microsoft Teams, and other popular tools may offer basic security but often fall short for secure, business-critical communications containing sensitive data. SalaX Secure Collaboration 2024 by SSH Communications Security offers a higher security level for sensitive communications with end-to-end encryption and various authentication methods. The new technology allows options for on-premises, public, or private cloud hosting, thus complying with data sovereignty requirements and offering more control over data. SalaX 2024 ensures that encrypted keys are exchanged before any communication begins and provides a secure, private platform for business communication. The platform meets SEC requirements for record-keeping and audits, avoiding fines and legal complications faced by companies using less secure methods. Built on the widely used and trusted Element technology, SalaX Secure Collaboration 2024 provides a robust solution for managing sensitive, business-critical communications.
2024-08-26 07:48:20 thehackernews MALWARE Critical Vulnerabilities in Traccar GPS Allow Remote Attacks
Two severe security flaws identified in the Traccar GPS tracking system could let remote attackers execute unauthorized code. The vulnerabilities arise from path traversal issues in the way Traccar handles image file uploads for devices. Exploitation is feasible if guest registration is enabled, a default setting in Traccar versions 5.1 to 5.12. Attackers could potentially overwrite files on the system, triggering remote code execution by uploading specially crafted files. Specific attack techniques vary by operating system; a successful exploit can place files like crontab or LNK in critical system folders. The developer addressed these vulnerabilities in the release of Traccar version 6 by disabling self-registration by default. Users of versions 5.1 through 5.12 are urged to upgrade to mitigate risks associated with these security flaws.
2024-08-26 04:50:11 thehackernews MALWARE New NGate Malware Clones NFC Data to Commit Fraud
Cybersecurity researchers identified new malware, NGate, which targets Android devices to clone contactless payment data for fraudulent purposes. NGate exploits near-field communication (NFC) from physical credit and debit cards, transmitting this data to an attacker’s rooted device. Originally derived from a legitimate NFC tool developed in 2015, NGate uses this to capture and relay NFC traffic. The malware campaign, observed attacking Czech banks since November 2023, involves social engineering and SMS phishing to deceive users into downloading malicious apps. Researchers note that the malicious apps, appearing as banking web applications or progressive web apps (PWAs), were not distributed through the Google Play store. Victims are manipulated via SMS links and phone calls from attackers posing as bank staff, directing them to install the NGate app under the guise of resolving bank account issues. This campaign was linked to a 22-year-old arrested in March 2024 by Czech authorities for related ATM thefts. NGate leverages multiple server setups, including a phishing website and an NFC relay server to facilitate data theft and card emulation attacks.
2024-08-26 02:02:02 theregister CYBERCRIME Latvian National Charged in U.S. for Ransomware Extortion
Deniss Zolotarjovs, a suspected member of the Karakurt ransomware gang, has been indicted for conspiring to commit money laundering, wire fraud, and extortion under the Hobbs Act in the United States. Zolotarjovs, a 33-year-old Latvian living in Moscow, was arrested in Georgia in December 2023 and extradited to the U.S. earlier this month. Court documents reveal that Zolotarjovs participated in stealing data from at least six U.S. companies from August 2021 to November 2023; he is accused of demanding cryptocurrency ransoms and leaking sensitive information online. Zolotarjovs, alias "Sforza," led negotiations and exerted additional pressure through direct communication with victims' employees and partners in efforts to secure ransom payments. His tactics included attempting to revive unsuccessful extortions and recruiting journalists to publicize attacks, enhancing the credibility of threats. This is the first arrest and extradition of an alleged Karakurt gang member, marking a significant development in international cybercrime enforcement. The arrest also coincides with Microsoft announcing a workaround for dual-boot PCs and Google addressing a severe security vulnerability in Chrome exploited in the wild. The ARRL admitted to paying a $1 million ransom to a separate ransomware group after a May attack, indicating the ongoing challenges organizations face from cyber extortion schemes.
2024-08-25 14:15:26 bleepingcomputer MISCELLANEOUS Audit Reveals Significant Security Lapses at FBI
A Department of Justice audit found major security weaknesses in the FBI’s management of sensitive electronic storage media. The audit reported insufficient tracking and control mechanisms for storage media, and inadequate security in the physical destruction process of such media. The FBI is developing a new policy to enhance control and destruction of classified and sensitive electronic material. The FBI plans include the installation of secure storage "cages" with video surveillance for better protection. The Office of the Inspector General has made three recommendations which the FBI has acknowledged and is addressing. The FBI is expected to report back to OIG on progress within 90 days concerning the implementation of these security enhancements.
2024-08-25 05:57:32 thehackernews CYBERCRIME Telegram CEO Pavel Durov Arrested Over Content Moderation Issues
Pavel Durov, founder and CEO of Telegram, was arrested in France due to alleged failures in moderating content on the app. French authorities issued an arrest warrant following a police investigation focused on the platform's lax content moderation. The failure to adequately moderate content has reportedly facilitated criminal activities on Telegram, including drug trafficking, child pornography, money laundering, and fraud. Investigation reports highlight that Telegram has become a central hub for cybercriminals to distribute malware, trade stolen data, and share illegal goods. This development underscores ongoing global concerns about the role of social media and messaging platforms in cybercrime expansion. Telegram, now a major player with over 950 million monthly users, has expanded its services to include an in-app browser and a Mini App Store. This arrest marks a significant move by government authorities to hold tech leaders accountable for their platforms' roles in facilitating criminal activities.
2024-08-25 05:42:08 thehackernews MALWARE New Linux Malware 'sedexp' Uses Udev Rules to Hide Skimmers
Cybersecurity researchers have identified a novel Linux malware, termed 'sedexp', that utilizes udev rules for persistence and to conceal credit card skimmer scripts. The malware, discovered by Aon's Stroz Friedberg incident response team, provides attackers with reverse shell capabilities and employs sophisticated concealment techniques. Sedexp has been attributed to financially motivated threat actors, indicating a primary focus on monetary gain from activities such as credit card scraping. The malware employs an innovative technique by manipulating udev rules; it triggers malicious actions when specific system devices are modified or accessed, leveraging these rules to hide its presence. Specifically, sedexp is programmed to execute when the Linux device file /dev/random is loaded, typically during system reboots, ensuring consistent malware activation. The malware also alters system memory to hide any files or configurations containing the string “sedexp” from typical system search commands, further concealing its presence. The use of such advanced techniques highlights the increasing sophistication of threat actors in the evolving landscape of cyber threats beyond conventional ransomware.
2024-08-24 14:37:59 bleepingcomputer MALWARE Stealthy 'Sedexp' Linux Malware Undetected Since 2022
A newly identified Linux malware, named 'sedexp', has been actively evading detection since 2022 using a novel persistence method involving udev rules. Discovered by Stroz Friedberg, the sophistication of sedexp lies in exploiting udev rules, a persistence technique not documented in the MITRE ATT&CK framework, resulting in continued stealth operations. The udev rules used by sedexp trigger execution of the malware when new devices are added, specifically targeting '/dev/random', a vital system component not monitored by security solutions. Sedexp masks its activity by naming its process 'kdevtmpfs', mimicking legitimate system processes to avoid detection by standard security tools. Its capabilities include setting up reverse shells for remote access, memory manipulation to hide its presence, and potentially injecting malicious code to modify app behaviors or system processes. Sedexp has also been used in financially motivated attacks, particularly in credit card scraping activities on compromised web servers. Despite being active since 2022, traditional antivirus tools have struggled to detect sedexp, with only a few recognizing its signatures in sandbox environments and on VirusTotal.
2024-08-24 07:05:59 thehackernews CYBERCRIME CISA Orders Patch for Exploited Versa Director Vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has identified a security flaw in Versa Director and categorized it for urgent remediation. The flaw, designated CVE-2024-39717 with a CVSS score of 6.6, permits file upload exploitation through the "Change Favicon" feature. Exploitation requires administrative access, enabling attackers to upload malicious files disguised as benign PNG files. CISA's advisory underscores a real instance of this vulnerability being exploited, due to the affected customer not implementing the recommended firewall guidelines. Federal Civilian Executive Branch (FCEB) agencies are mandated to implement vendor-supplied patches by September 13, 2024, to counter the vulnerability. The announcement trails recent additions to the KEV catalog, highlighting ongoing concerns regarding cybersecurity vulnerabilities targeting government systems. Other related vulnerabilities include CVE-2022-0185 and CVE-2021-31196, which pose significant threats to unpatched systems and servers from advanced persistent threat groups.
2024-08-24 07:00:43 thehackernews NATION STATE ACTIVITY Meta Unveils Iranian Hackers Targeting Global Politics via WhatsApp
Meta Platforms identified efforts by Iranian state-backed hackers using WhatsApp to target political and diplomatic figures globally. The offensive, attributed to APT42 also known as Charming Kitten and other aliases, focused on individuals affiliated with both current and former U.S. administrations. The group, linked to Iran’s Islamic Revolutionary Guard Corps, employs sophisticated social engineering and malware for spying. Earlier incidents revealed by Proofpoint involved the same group using malware called AnvilEcho to target prominent Jewish figures. The hackers impersonated technical support for major tech firms like AOL and Microsoft to facilitate their attacks, though no account compromises have been confirmed. Meta has taken action by blocking the implicated WhatsApp accounts and advising targeted users on strengthening their online security. The exposure aligns with U.S. official accusations against Iran for attempting to disrupt the American electoral process and societal cohesion through misinformation and intelligence gathering.