Daily Brief

Find articles below; each entry is followed by a generated summary

Total articles found: 12776

Checks for new stories every ~15 minutes

2024-08-08 13:50:17 theregister MALWARE Urgent Call to Patch 1Password on Mac for Security Vulnerability
Password manager 1Password has identified a critical bug in versions prior to 8.10.36 on macOS, potentially affecting hundreds of thousands of users. The vulnerability allows malicious entities to steal sensitive data from 1Password Vaults, which function as individual password managers within the app. The bug stems from missing macOS-specific inter-process validations, allowing attackers to hijack or impersonate trusted 1Password integrations such as browser extensions. Although there have been no reported exploits of CVE-2024-42219, the public disclosure of the issue significantly increases the risk of attempted attacks. The security flaw was discovered by the security team at investment app Robinhood during routine probing of third-party applications. 1Password has offered no remediation beyond advising users to update their software to version 8.10.36. Approximately 150,000 businesses and millions of individual consumers rely on 1Password, underscoring the widespread impact of this vulnerability.
2024-08-08 13:44:55 bleepingcomputer DATA BREACH ADT Confirms Data Breach, Customer Info Leaked Online
ADT confirmed a data breach involving unauthorized access to its databases, resulting in stolen customer information. The security breach was disclosed in a Form 8-K regulatory filing with the SEC. Exposed data includes email addresses, phone numbers, physical addresses, user IDs, and details of products purchased. Threat actor 'netnsher' leaked 30,800 customer records on a hacking forum on July 31st. Despite the breach, ADT reports no evidence of compromised home security systems or theft of credit card and banking data. The company took immediate action to close the breach and is investigating with third-party cybersecurity experts. The breach represents a small percentage of ADT's total customer base; precise figures on affected customers were not released.
2024-08-08 13:29:23 thehackernews CYBERCRIME Critical Browser Flaw Affects MacOS and Linux Users
A new 0.0.0.0 Day browser vulnerability has been discovered, affecting MacOS and Linux systems. Major browsers like Google Chrome, Mozilla Firefox, and Apple Safari are vulnerable; Windows is not affected due to IP blocking by Microsoft. The vulnerability allows malicious websites to interact with and execute arbitrary code on local services. The issue stems from inconsistent security implementations and lack of browser standardization. Attackers could exploit local applications by sending crafted payloads to 0.0.0.0, bypassing standard protection like Private Network Access. Impacted applications include those running on localhost accessible via the 0.0.0.0 IP, like local Selenium Grid instances. Researchers at Oligo Security expect a fix by April 2024, where direct access to private network endpoints from public websites will be blocked. The flaw exposes fundamental security issues in the way browsers handle network requests and server assumptions about environment security constraints.
2024-08-08 12:58:36 theregister NATION STATE ACTIVITY Global Security Chiefs Assert Unprecedented Election Safety Measures
CISA Director Jen Easterly, alongside EU and UK cybersecurity chiefs, declared at Black Hat US that election security infrastructure is currently at its most robust level. Despite encountering interference attempts by state actors like China and Russia, the US, UK, and EU reported smooth and secure voting processes in recent elections. The collaborative efforts among CISA, ENISA, and the NCSC have evolved from the reactive posture adopted after 2016 to proactive approaches that minimize cybersecurity threats and improve resilience. Enhanced data-sharing strategies, continuous resilience testing, and maintaining auditable records are prioritized to shield elections from physical and cyber threats. Persistent challenges remain in countering disinformation and influence operations intended to undermine public confidence in democratic processes. Easterly emphasized the continuing complexity of the threat landscape involving cyber threats, disinformation, and foreign influence, stressing the need for vigilance and citizen engagement. The success of election security measures is partly attributed to the solidarity and enhanced communication within the international cybersecurity community.
2024-08-08 11:01:22 thehackernews MISCELLANEOUS Enhancing Cybersecurity with ASV and CTEM Integration
Automated Security Validation (ASV) provides an attacker's perspective, highlighting potential vulnerabilities and enabling security teams to validate and remediate exposures efficiently. ASV, while critical for identifying and prioritizing vulnerabilities, is insufficient alone for comprehensive cybersecurity; it requires integration into broader frameworks. The Continuous Threat Exposure Management (CTEM) framework offers a proactive approach, enhancing security posture by continuously managing threat exposure through a structured, multi-stage process. Integrating ASV within the CTEM framework enhances effectiveness, allowing for more accurate threat prioritization, efficient remediation, and a stronger security posture. CTEM's comprehensive approach, encompassing scoping, discovery, prioritization, validation, and mobilization, enables security and IT teams to focus on the most impactful issues. The synergistic combination of ASV with CTEM's exposure assessment capabilities results in more effective prevention of high-impact attacks and optimizes remediation efforts. Organizations leveraging both ASV and CTEM can manage cyber risks more proactively and effectively, reducing overall risk exposure.
2024-08-08 10:35:36 theregister MISCELLANEOUS Misconceptions and Myths Plague Tech Users Globally
A survey by Arlington Research for Kaspersky revealed common tech misconceptions among 10,000 consumers, including 1,000 UK respondents. About 49% of participants cover their webcams for privacy, yet 44% engage in risky behaviors like sharing personal data via social media games. A significant misconception is that 40% of users believe browsing in "incognito mode" fully hides their online activities. Misunderstandings extend to data security; 24% trust that encrypted services like WhatsApp safeguard against malicious links. Around 22% think iOS devices are completely immune to hacking attempts. A noteworthy 41% are rightly concerned about the extensive data collection by modern vehicles, reflecting valid privacy issues. Kaspersky's research highlights the need for better digital literacy and critical thinking about cybersecurity.
2024-08-08 10:09:50 thehackernews MALWARE Researcher Exposes Flaws Allowing Windows Downgrade Attacks
Microsoft is developing security updates to rectify two vulnerabilities that facilitate downgrade attacks on Windows, potentially reintroducing old flaws. The vulnerabilities were disclosed by Alon Leviev of SafeBreach Labs at Black Hat USA 2024 and DEF CON 32. CVE-2024-38202, rooted in the Windows Backup component, allows attackers with basic privileges to bypass Virtualization Based Security features and reintroduce old vulnerabilities. The second flaw enables privilege escalation, permitting adversaries to replace current Windows system files with outdated versions. Leviev demonstrated a tool called Windows Downdate, which can manipulate the Windows Update process to create undetectable and irreversible downgrades in critical OS components. These vulnerabilities could downgrade essential security features such as VBS, Credential Guard, Secure Kernel, and Hyper-V’s hypervisor, exposing systems to numerous past vulnerabilities. Microsoft’s VBS features, introduced in 2015, have harbored this downgrade attack surface for nearly a decade, according to Leviev.
2024-08-08 09:44:12 thehackernews CYBERCRIME New Phishing Scheme Exploits Google, WhatsApp, and Amazon
Cybersecurity experts identified a complex phishing attack using Google Drawings and WhatsApp shortened URLs to steal sensitive data. The scam commences with a phishing email directing users to a Google Drawing that mimics an Amazon account verification link. Attackers benefit from using legitimate platforms like Google and WhatsApp which often evade standard security measures and are not usually blocked by firewalls. The deceptive Amazon login page uses URL shorteners for added disguise and to elude security scanners, capturing victims' credentials and personal information. Once the information is obtained, victims are redirected to the real Amazon page, and the fake link becomes inaccessible from the victim's IP address. Microsoft 365's anti-phishing features have also been found vulnerable, where CSS alterations can hide safety tips meant to warn users of potential phishing risks.
2024-08-08 08:37:51 theregister DATA BREACH Entrust Struggles to Regain Trust After Major Browsers' Rejection
Entrust faces significant hurdles in regaining trust as a certificate authority after losing favor with major browsers like Google Chrome and Mozilla Firefox. Rivals at Sectigo predict that Microsoft and Apple may also distrust Entrust's newly issued certificates in Edge and Safari. Historically, no certificate authority has succeeded in regaining trust after being removed from browser root stores, signaling a challenging road ahead for Entrust. Sectigo executives highlight Entrust's ongoing issues, including failure to meet baseline certification requirements and problematic renewal policies. Entrust partners with SSL.com to resell certificates, attempting to maintain relevance while it works on rebuilding its reputation. There are concerns about the efficiency and compatibility of Entrust’s new partnership with SSL.com, as well as about the pricing discrepancies between direct and resold certificates. Entrust continues to assert its commitment to regaining full browser acceptance and improving internal processes, despite skepticism from the industry and customers.
2024-08-08 07:24:49 thehackernews MISCELLANEOUS SANS Institute Announces Network Security 2024 Conference
SANS Institute has scheduled its flagship event, Network Security 2024, from September 4-9 at Caesars Palace in Las Vegas and online, featuring both in-person and live online attendance options. The event aims to provide cutting-edge cybersecurity training and networking opportunities, focusing on AI integration and real-world application of skills. Keynote speaker Daniel Miessler will address the optimization and strategic integration of AI into security programs. Network Security 2024 offers over 45 specialized courses and more than 40 GIAC certifications, taught by top experts in the field. A dedicated AI Cybersecurity Summit will explore new AI advancements and their applications in areas like social engineering and deep fake technology. The introduction of three immersive cyber villages will allow hands-on learning and collaboration through real-world scenario simulations and challenges. Celebrating the 35th anniversary of the SANS Institute, in-person attendees will receive a complimentary Cyber Bundle which includes an extended OnDemand course, admission to a special night event, and more. The institution urges professionals to secure their attendance early to capitalize on the unique educational and career advancement opportunities at Network Security 2024.
2024-08-08 06:18:25 thehackernews RANSOMWARE FBI and CISA Issue Alert on High-Demand BlackSuit Ransomware
BlackSuit ransomware has demanded ransoms totaling up to $500 million, with individual demands reaching $60 million. The ransomware is an evolution of Royal ransomware, using phishing, exploitation of internet-facing applications, and initial access brokers to gain entry and deploy ransomware. Infection tactics include disarming antivirus software, data exfiltration, and then system encryption, often using legitimate RMM software for persistence. BlackSuit operators favor direct negotiation of ransom via encrypted communication channels, and have recently stepped up direct threats to victims' contacts to increase pressure. Tools used by BlackSuit actors include SharpShares, SoftPerfect NetWorx for network enumeration, and Mimikatz along with other credential and password stealing utilities. CISA and the FBI alert about the new aggressive strategies ransomware groups are adopting, including leveraging sensitive or illegal content found in exfiltrated data to coerce payment and inflict reputational damage. The wider landscape of ransomware continues to evolve, with new families like Lynx and OceanSpy emerging, and existing groups like Hunters International adopting new malware tools.
2024-08-08 05:17:09 thehackernews MALWARE Urgent Patch Required for WhatsUp Gold Security Exploit
A critical security flaw in Progress Software’s WhatsUp Gold is under active exploitation; users are advised to patch immediately. The flaw, identified as CVE-2024-4885, is a remote code execution vulnerability with a CVSS score of 9.8, affecting versions prior to 2023.1.3. Security researcher Sina Kheirkhah discovered the flaw in the GetFileWithoutZip method, which allows attackers to execute code as the service account without proper user validation. A proof-of-concept exploit for CVE-2024-4885 is publicly available, increasing the risk of attack. The Shadowserver Foundation has reported multiple exploitation attempts beginning August 1, 2024, linked to this vulnerability. Additional critical flaws addressed in the latest WhatsUp Gold patch include CVE-2024-4883 and CVE-2024-4884, both allowing unauthenticated remote code execution. A high-severity privilege escalation vulnerability, CVE-2024-5009, also patched, allows local attackers to elevate privileges. Progress Software recommends updating immediately and restricting traffic to trusted IP addresses to protect against these vulnerabilities.
2024-08-08 03:45:08 theregister MISCELLANEOUS Samsung Offers $1 Million for Knox Vault Security Breaches
Samsung has introduced a $1 million bug bounty for those who can remotely breach Knox Vault in Galaxy S or Z series smartphones without user interaction. The Knox Vault is an isolated subsystem with its own processor and storage, designed to securely hold credentials and handle authentication routines. Lower rewards are offered for other vulnerabilities: up to $300,000 for local access breaches and up to $400,000 for compromising Samsung’s TEEGRIS system. Cash rewards are also available for defeating the Rich Execution Environment (REE) OS and for bypassing Samsung’s Auto Blocker anti-malware engine. Third-party app store remote installations offer a $100,000 reward, with various other incentives for different levels and methods of access. In 2023, Samsung paid $827,925 in total to 113 individuals for their contributions to improving product security. Samsung’s bounty programs contrast starkly with Microsoft’s, which awarded $16.6 million to researchers in the previous year, highlighting significant investment in cybersecurity.
2024-08-08 02:03:11 theregister NATION STATE ACTIVITY Nation-State Hackers Employ Big Tech Cloud Services to Launch Attacks
Symantec threat hunters highlighted the increasing use of legitimate cloud storage services by state-sponsored cyber spies to carry out attacks. These attacks leverage trusted domains and encrypted traffic from platforms like Google Drive and Microsoft OneDrive, making them difficult to detect. Recent campaigns include the use of a backdoor named “Grager,” which was deployed in Taiwan, Hong Kong, and Vietnam, utilizing Microsoft's Graph API for command and control communications. Another backdoor, “Moon_Tag,” suspected of being developed by a Chinese-speaking group, showed how attackers are also using published code and cloud APIs to facilitate their malware. Symantec also identified “OneDriveTools,” a malware targeting IT services in the US and Europe, indicating the geographic diversity of these cloud-based cyberattacks. Attackers benefit from zero infrastructure costs and enhanced stealth via these cloud platforms, a trend expected to grow, as noted by Symantec’s Marc Elias. Symantec has published indicators of compromise and MITRE tactics to assist defenders in recognizing and combating these sophisticated threats.
2024-08-08 01:17:17 theregister MISCELLANEOUS Samsung Offers $1 Million Knox Vault Bug Bounty Challenge
Samsung announces a $1 million bug bounty for compromising its Knox Vault subsystem, an isolated processor and storage system used in Galaxy smartphones. The full bounty requires a zero-click method by an unprivileged user to retrieve credentials without user interaction. Additional rewards are set for breaking into other Samsung security systems like TEEGRIS, with different payouts for remote and local exploits. Lesser bounties include defeating Samsung's anti-malware engine, with payouts up to $100,000, and exploiting installation flaws in third-party or Galaxy Store apps. In comparison, Microsoft has paid out significantly more in bug bounties, $16.6 million in one year, underlining the high stakes and competition in cybersecurity. Samsung’s program has awarded less than $5 million in total payouts over seven years, with last year’s highest individual award being $57,190. The article contrasts Samsung's increasing bug bounty incentives with insights on the motivations behind security research and corporate strategies for engaging external researchers to improve product security.