Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12759
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-07-25 06:10:14 | thehackernews | DDOS | CISA Alerts on BIND 9 DNS Vulnerabilities Leading to Potential DoS | CISA has issued a warning regarding multiple vulnerabilities in ISC's BIND 9 DNS software.
These vulnerabilities could be exploited by cyber threat actors to trigger a denial-of-service (DoS) condition.
Depending on the flaw, successful exploitation can crash the named process, exhaust CPU, slow query processing, or leave the server unresponsive.
Patches have been released for BIND 9 versions 9.18.28, 9.20.0, and 9.18.28-S1 to correct these vulnerabilities.
There is currently no evidence that these vulnerabilities have been exploited in the wild.
These security flaws follow another significant vulnerability in BIND 9 known as KeyTrap, addressed earlier by ISC. | Details |
| 2024-07-25 05:49:33 | thehackernews | MALWARE | Critical Docker Engine Vulnerability Enables Authorization Bypass | Docker has issued a warning about a critical flaw in Docker Engine, affecting versions since 19.03, which allows attackers to bypass authorization plugins.
The vulnerability, identified as CVE-2024-41110, could let attackers make unauthorized API requests, gaining escalated privileges under specific conditions.
The flaw was originally fixed in Docker Engine v18.09.1 in January 2019, but the fix was not carried forward into later release lines, so the bug regressed.
Docker addressed the regression in versions 23.0.14 and 27.1.0 on July 23, 2024, after it was rediscovered in April 2024.
The flaw impacts Docker Desktop up to version 4.32.0, with a fix scheduled in the upcoming version 4.33 release.
Docker noted that Docker Desktop's default configuration does not include AuthZ plugins, and that any privilege escalation there would be confined to the Docker Desktop VM rather than the host system.
While there is no evidence of active exploitation in the wild, Docker stresses the importance of updating to the latest versions to mitigate risks.
The incident underscores concerns about container security as reported by Palo Alto Networks’ Unit 42, which highlights the susceptibility of containers to various attack techniques. | Details |
| 2024-07-25 05:23:56 | thehackernews | MALWARE | Google Chrome Introduces Advanced Malware Scanning for Encrypted Files | Google has enhanced its Chrome browser to include new security warnings for downloads of potentially malicious files.
The updated system uses a nuanced warning taxonomy from Google Safe Browsing, classifying files as either "Suspicious" or "Dangerous" with distinct iconography and warning texts.
Chrome's Enhanced Protection mode now offers automatic deep scans of password-protected files, aiding in the detection and prevention of malware.
Users can input the files' passwords within Chrome to permit deep scanning by Google Safe Browsing without repeated prompts.
The data, including files and passwords, is securely deleted shortly after scanning to maintain privacy and security.
In Standard Protection mode, only the metadata of password-protected archives is checked unless the user opts to manually enter the password for a full scan.
Google emphasizes that these improvements aim to help users make more informed decisions regarding file safety and enhance overall download protection. | Details |
| 2024-07-25 02:35:30 | theregister | MISCELLANEOUS | Innovative Barcode Solution Rapidly Fixes Encrypted PCs in Crisis | Windows PCs and servers at Grant Thornton Australia began showing the Blue Screen of Death after the faulty CrowdStrike Falcon update.
The devices were encrypted with Microsoft's BitLocker, so each one required its 48-digit recovery key before it could boot into a state where the bad update could be removed.
Rob Woltz, a senior systems engineer, leveraged barcode scanners to automate the input of BitLocker keys during the recovery process.
A simple script was developed to generate barcodes for each affected PC, minimizing data security risks and manual entry errors.
The initial solution was rapidly scaled by purchasing additional barcode scanners and having remote staff return to the office for quick recovery assistance.
Every PC in the Australian branch was fixed by lunchtime on the following Monday, with each recovery taking about three to five minutes.
The server recovery process was handled manually, taking about 20 minutes per machine.
Using barcodes instead of manual entry was faster and far less error-prone, and colleagues praised it as a notable piece of improvisation. | Details |
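The recovery procedure above boils down to a simple pipeline: retrieve each machine's recovery key, verify it was transcribed correctly, and turn it into something a scanner can type at the BitLocker prompt. The following is an added example and not Grant Thornton's script. It assumes a keyboard-wedge (HID) scanner that types whatever it reads, uses Code 39 purely because it is simple to encode by hand, and validates keys against the documented recovery-password layout (eight six-digit blocks, each a multiple of 11 whose quotient fits in 16 bits) so that a mistyped key is caught before it is printed and scanned dozens of times. The sample key is constructed.

```python
"""Validate a BitLocker recovery password and render it as a Code 39 barcode (SVG).

Added example, not the script from the article. Assumptions: keyboard-wedge
scanner, Code 39 symbology, and the documented recovery-password structure
(8 x 6 digits, each block a multiple of 11 with a 16-bit quotient).
"""

# Code 39 element widths per character. Uppercase = bar, lowercase = space,
# W/w = wide, N/n = narrow. Every character is 5 bars and 4 spaces.
CODE39 = {
    "0": "NnNwWnWnN", "1": "WnNwNnNnW", "2": "NnWwNnNnW", "3": "WnWwNnNnN",
    "4": "NnNwWnNnW", "5": "WnNwWnNnN", "6": "NnWwWnNnN", "7": "NnNwNnWnW",
    "8": "WnNwNnWnN", "9": "NnWwNnWnN", "*": "NwNnWnWnN",
}

BLOCKS, BLOCK_LEN = 8, 6


def normalize_recovery_key(text: str) -> str:
    """Strip dashes and spaces; return the 48 digits or raise ValueError."""
    digits = "".join(ch for ch in text if ch.isdigit())
    if len(digits) != BLOCKS * BLOCK_LEN:
        raise ValueError(f"expected {BLOCKS * BLOCK_LEN} digits, got {len(digits)}")
    return digits


def recovery_key_errors(text: str) -> list:
    """Return human-readable problems; an empty list means the key is well-formed."""
    try:
        digits = normalize_recovery_key(text)
    except ValueError as exc:
        return [str(exc)]
    errors = []
    for i in range(BLOCKS):
        block = int(digits[i * BLOCK_LEN:(i + 1) * BLOCK_LEN])
        if block % 11:
            errors.append(f"block {i + 1} ({block:06d}) is not a multiple of 11")
        elif block // 11 > 0xFFFF:
            errors.append(f"block {i + 1} ({block:06d}) exceeds the 16-bit range")
    return errors


def is_valid_recovery_key(text: str) -> bool:
    return not recovery_key_errors(text)


def code39_svg(data: str, narrow: int = 2, wide: int = 6, height: int = 60) -> str:
    """Render DATA (digits only) as a Code 39 barcode with start/stop characters."""
    for ch in data:
        if ch not in CODE39 or ch == "*":
            raise ValueError(f"unsupported Code 39 character: {ch!r}")
    rects, x = [], narrow * 5                 # left quiet zone
    for ch in "*" + data + "*":
        for elem in CODE39[ch]:
            width = wide if elem in "Ww" else narrow
            if elem.isupper():                # bars are drawn, spaces are skipped
                rects.append(f'<rect x="{x}" y="0" width="{width}" height="{height}"/>')
            x += width
        x += narrow                           # inter-character gap
    total = x + narrow * 5                    # right quiet zone
    return (f'<svg xmlns="http://www.w3.org/2000/svg" width="{total}" height="{height}">'
            + "".join(rects) + "</svg>")


def barcode_for_recovery_key(text: str) -> str:
    """Validate first so a mistyped key never reaches the printer."""
    errors = recovery_key_errors(text)
    if errors:
        raise ValueError("; ".join(errors))
    return code39_svg(normalize_recovery_key(text))


if __name__ == "__main__":
    import sys
    # Constructed sample: every block is a multiple of 11 with a 16-bit quotient.
    sample = "000000-000011-123442-720885-654654-111111-000110-333333"
    sys.stdout.write(barcode_for_recovery_key(sys.argv[1] if len(sys.argv) > 1 else sample))
```

Print one barcode per machine, scan it at the recovery prompt, and shred the printouts afterwards; the keys should come from the directory escrow (Active Directory or Entra ID) rather than being mailed around, which is the data-handling concern the article's approach was designed to minimise.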
| 2024-07-25 00:23:09 | theregister | MISCELLANEOUS | CrowdStrike's Major Update Leads to Global System Outages | CrowdStrike's endpoint security tool, Falcon, received a faulty update causing widespread outages affecting 8.5 million Windows devices.
The update aimed to enhance detection of novel attack techniques but led to critical system failures, displaying the blue screen of death and causing continuous reboot cycles.
The problem began on July 19 with a problematic rapid response update intended to detect malicious use of named pipes in Windows.
A fix was deployed within 78 minutes, but not before the update caused significant disruption across sectors including airlines, banks, and hospitals.
CrowdStrike has since pledged more rigorous testing and a phased rollout for updates to prevent future issues.
Microsoft and CISA responded with recovery advice, while CrowdStrike offered recovery scripts and technical assistance at client sites.
The company faces potential class-action lawsuits and congressional investigation regarding the outage.
Analysts suggest the event is recoverable but will require CrowdStrike to maintain transparency and implement improved software update processes. | Details |
| 2024-07-24 22:00:28 | bleepingcomputer | MALWARE | Over 3,000 GitHub Accounts Exploited for Large-Scale Malware Distribution | Threat actor 'Stargazer Goblin' operates a Distribution-as-a-Service using over 3,000 fabricated GitHub accounts.
The malware, primarily infostealers like RedLine and Atlantida Stealer, is distributed via password-protected archives in GitHub repositories and compromised WordPress sites.
Check Point Research uncovered this scheme, marking it as the first documented extensive malware distribution network on GitHub.
The Stargazers Ghost Network employs a coordinated strategy where different 'ghost' accounts perform specific roles, enhancing operational resilience.
GitHub has closed down over 1,500 malicious repositories since May 2024, but over 200 are still active and distributing malware.
Users are often deceived by the apparent legitimacy of the GitHub repositories, leading them to download malware inadvertently.
The operation began advertising on the dark web in June 2023 but has been active since at least August 2022.
Check Point estimates the operation has generated over $100,000 for the threat actors involved. | Details |
| 2024-07-24 20:47:16 | theregister | MISCELLANEOUS | Apple Criticizes Google Topics’ Privacy Risks, Issues Overstated | Apple highlighted concerns over Google Chrome's Topics advertising technology being used to fingerprint and potentially track users online.
Research from the University of Wisconsin-Madison initially suggested the Topics API could reidentify users online, despite Google's efforts to introduce randomness in its algorithms.
The criticism is part of broader concerns over web privacy, with Topics intended to replace third-party cookies which are widely acknowledged as invasive.
However, Apple's claims of high reidentification risks in Topics were challenged by Google engineers, revealing flaws in the research methodology.
After corrections in the simulation, the reidentification rates dramatically dropped, indicating a smaller privacy risk than initially presented.
The ongoing discussion reflects the tech industry's struggles to balance effective advertising with user privacy.
Google continues to work on enhancing Topics, while Apple maintains its stance on limiting web fingerprinting and increasing user privacy. | Details |
| 2024-07-24 19:00:07 | bleepingcomputer | MALWARE | Docker Fixes Five-Year-Old Critical Auth Bypass Flaw | Docker has patched a critical vulnerability in Docker Engine that allowed attackers to bypass authorization (AuthZ) plugins.
The flaw, known as CVE-2024-41110, was originally fixed in the 2019 release of Docker Engine v18.09.1 but reappeared in subsequent versions due to an oversight.
In CVE-2024-41110, a specially crafted API request with a Content-Length of 0 causes the daemon to forward the request to the AuthZ plugin without its body, so a plugin whose decision depends on the body content may approve a request it would otherwise have denied.
This vulnerability exposed Docker instances to potential unauthorized actions, including privilege escalation, for a period of approximately five years.
Affected versions include Docker Engine up to v27.1.0; patched versions have been released to address this issue.
Users relying on AuthZ plugins for access control are advised to update; where that is not immediately possible, Docker suggests restricting Docker API access to trusted parties rather than depending on the plugin alone.
Docker Desktop is also impacted, but exploitation is limited to the VM environment; an update is expected in the upcoming version. | Details |
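Both Docker entries above describe the same failure: the daemon hands the AuthZ plugin a request with no body, and a plugin that treats "nothing to inspect" as "nothing to object to" fails open. The fix is to upgrade the daemon, but the plugin side of the protocol is worth seeing too. The following is an added example, not Docker's code or any shipped plugin. It uses the real shape of Docker's AuthZReq message (RequestMethod, RequestUri, RequestHeaders, base64-encoded RequestBody) and AuthZ response ({"Allow": bool, "Msg": str}); the policy (deny privileged containers), the endpoint list and the sample requests are hypothetical constructions.

```python
"""Fail-open versus fail-closed Docker AuthZ request handlers.

Added example, not Docker's code. The message shape follows Docker's AuthZ
plugin protocol; the policy, endpoint list and sample payloads are hypothetical.
"""
import base64
import json
import re

# Endpoints whose security-relevant content lives in the request body (assumed policy).
BODY_POLICY_ENDPOINTS = ("/containers/create", "/services/create", "/services/update")
VERSION_PREFIX = re.compile(r"^/v\d+\.\d+")


def _endpoint(request_uri: str) -> str:
    """'/v1.45/containers/create?name=x' -> '/containers/create'."""
    path = request_uri.split("?", 1)[0]
    return VERSION_PREFIX.sub("", path)


def _decode_body(payload: dict):
    """Return the parsed JSON body, or None when the daemon sent no body at all."""
    raw = payload.get("RequestBody")
    if not raw:
        return None
    return json.loads(base64.b64decode(raw))


def _requests_privilege(body: dict) -> bool:
    host_config = body.get("HostConfig") or {}
    return bool(host_config.get("Privileged")) or "SYS_ADMIN" in (host_config.get("CapAdd") or [])


def flawed_authz_req(payload: dict) -> dict:
    """Fails OPEN: a missing body is treated as 'nothing to object to'."""
    body = _decode_body(payload)
    if body is None:
        return {"Allow": True, "Msg": "no body to inspect"}
    if _requests_privilege(body):
        return {"Allow": False, "Msg": "privileged containers are not permitted"}
    return {"Allow": True, "Msg": ""}


def hardened_authz_req(payload: dict) -> dict:
    """Fails CLOSED: on body-bearing endpoints a missing or unparseable body is denied."""
    method = payload.get("RequestMethod", "").upper()
    endpoint = _endpoint(payload.get("RequestUri", ""))
    if method not in ("POST", "PUT") or not endpoint.startswith(BODY_POLICY_ENDPOINTS):
        return {"Allow": True, "Msg": ""}
    try:
        body = _decode_body(payload)          # binascii.Error and JSONDecodeError are ValueErrors
    except ValueError as exc:
        return {"Allow": False, "Msg": f"request body could not be decoded: {exc}"}
    if body is None:
        return {"Allow": False, "Msg": f"{method} {endpoint} arrived without a body; refusing to authorize blind"}
    if not isinstance(body, dict):
        return {"Allow": False, "Msg": "unexpected body type"}
    if _requests_privilege(body):
        return {"Allow": False, "Msg": "privileged containers are not permitted"}
    return {"Allow": True, "Msg": ""}


def make_request(method: str, uri: str, body=None) -> dict:
    """Build a constructed AuthZReq payload of the kind the daemon forwards to a plugin."""
    payload = {"User": "alice", "RequestMethod": method, "RequestUri": uri, "RequestHeaders": {}}
    if body is not None:
        payload["RequestBody"] = base64.b64encode(json.dumps(body).encode()).decode()
    return payload


if __name__ == "__main__":
    bodyless = make_request("POST", "/v1.45/containers/create?name=demo")
    print("flawed  :", flawed_authz_req(bodyless))
    print("hardened:", hardened_authz_req(bodyless))
```

The hardened handler only changes the answer for requests where the body carries the thing the policy is about; reads such as GET /containers/json still pass, so tightening the plugin does not break day-to-day use. It is a defence-in-depth measure, not a substitute for the daemon fix.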
| 2024-07-24 17:33:16 | bleepingcomputer | NATION STATE ACTIVITY | North Korean Hacker Disguised as Engineer Targets U.S. Firm | KnowBe4, a U.S.-based cybersecurity firm, unwittingly hired a North Korean state actor posing as a Principal Software Engineer.
The North Korean hacker attempted to install information-stealing malware on the company's devices.
KnowBe4's security measures detected and prevented the malware deployment, averting a potential data breach.
The incident underscores ongoing concerns about North Korean operatives infiltrating American companies to support their country's cyber programs and weapons funding.
The hacker used AI tools to create a false identity and manipulated video interview technology to bypass pre-employment security checks.
KnowBe4 detected suspicious activity from the employee's workstation which led to the discovery of the infostealer malware aimed at extracting browser-stored data.
The company suggests isolating new hires in a network sandbox and scrutinizing inconsistencies in shipping addresses to mitigate similar risks. | Details |
| 2024-07-24 17:07:36 | theregister | DATA BREACH | U.S. DoT Investigates Delta Air Lines Post IT Outage Fallout | The U.S. Department of Transportation (DoT) launched an investigation into Delta Air Lines' response to a global IT outage initiated by a problematic update from CrowdStrike.
The update led to widespread disruptions, with Delta experiencing significant challenges including hundreds of flight cancellations and delays, unlike its competitors who recovered swiftly.
Secretary of Transportation Pete Buttigieg highlighted about 3,000 customer complaints, mentioning issues with delayed flights and difficulty reaching customer service.
Delta reported making gradual progress, observing a 50% reduction in cancellations and significant improvements in flight operations and crew management systems.
The incident has had a severe financial impact on Delta, with anticipated costs around $163 million, and broader industry implications with insurers expecting large payouts for covered losses.
Delta mobilized extensive staff for the recovery and expects operations to return to normal by the upcoming weekend.
CrowdStrike has initiated an opt-in program for automatic restoration of affected endpoints and released a preliminary postmortem report acknowledging faults in their update deployment process. | Details |
| 2024-07-24 16:11:08 | bleepingcomputer | CYBERCRIME | Google Chrome Enhances Warnings for Risky Downloads | Google Chrome now alerts users when downloading risky password-protected files and provides more detailed warnings for potentially malicious files.
A new two-tier warning system using AI-powered malware verdicts from Google's Safe Browsing service classifies files as either suspicious or dangerous based on the level of threat they pose.
Enhanced Protection mode in Safe Browsing allows for deeper scans by sending suspicious files and passwords to Google's servers, with all data being deleted after scanning.
Users in Standard Protection mode have their password-protected archives checked locally, with only metadata of archive contents verified against Safe Browsing.
The update is part of ongoing improvements to Google Chrome's user safety features, aiming to reduce friction for users while enhancing protection against malicious downloads.
Files and passwords shared with Google for scanning are promptly deleted to protect user privacy, and information is used solely to improve download protection measures.
The recent changes have led to positive shifts in user behavior, with more timely adherence to warnings and fewer bypasses, indicating better compliance and safety awareness. | Details |
| 2024-07-24 15:04:46 | theregister | MISCELLANEOUS | Recent Windows Update Triggers BitLocker Recovery Screen Issue | Microsoft's latest Patch Tuesday update has caused some Windows devices to display the BitLocker recovery screen upon reboot.
This issue has impacted various versions, from Windows 10 21H2 to Windows 11 23H2 and Windows Server 2008 to Windows Server 2022.
Affected users must enter their BitLocker recovery key to start their devices, a situation confirmed by Microsoft's update on the Windows Release Health dashboard.
Microsoft advises accessing the BitLocker recovery key via a dedicated portal, which requires a Microsoft account.
Seeing the BitLocker recovery screen after an update is unusual; Microsoft links the behavior to devices with the "Device Encryption" setting enabled.
Microsoft is currently investigating the problem and has promised future updates once more information is available.
The company has a history of issues with updates that disrupt user access, referencing a past BitLocker vulnerability and subsequent patch problems in January.
This BitLocker recovery key requirement comes during a period of heightened sensitivity due to a recent significant IT outage, making the timing particularly impactful. | Details |
| 2024-07-24 14:18:28 | bleepingcomputer | MISCELLANEOUS | Faulty Update Causes Millions of Windows Systems to Crash | CrowdStrike identified a bug in their Content Validator that let a problematic update pass, leading to crashes of millions of Windows systems on July 19, 2024.
The faulty update aimed to enhance telemetry on new threat techniques but inadvertently caused system crashes due to an out-of-bounds memory read error.
Despite thorough testing of earlier updates, the specific faulty update skipped additional verifications and dynamic checks, trusting previous successful deployments.
The update impacted systems running Falcon version 7.11 and later; CrowdStrike reversed the update within an hour, but the damage affected approximately 8.5 million systems.
The problematic update attempted to enhance detection capabilities for abuses in Named Pipes within certain command and control frameworks speculated to include Cobalt Strike.
Following the incident, CrowdStrike plans to implement additional safeguards, including enhanced validation checks and improved error handling in response to content updates.
CrowdStrike has committed to a detailed investigation of the incident, with more information to be released after their internal review is complete. | Details |
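The two CrowdStrike entries above (this one and the earlier outage summary) describe a content update that passed validation, was pushed without the usual staged checks, and then triggered an out-of-bounds read in the sensor. The following is an added example and not CrowdStrike's code or content format. The file layout (comma-separated rows of input parameters matched against a fixed-size sensor table), the expected field count of 20, and the ring-assignment scheme are all hypothetical; what it demonstrates is the two safeguards the summary names, validating content shape before anything indexes into a fixed-size structure and gating deployment through a canary ring.

```python
"""Bounds-checked loader and staged rollout for a tabular content update.

Added example, not CrowdStrike's code or file format. EXPECTED_FIELDS, the
row layout, the sample content and the ring scheme are hypothetical.
"""
import hashlib

EXPECTED_FIELDS = 20   # hypothetical size of the sensor-side parameter table


def parse_content(raw: str) -> list:
    """Split a content blob into rows of fields; blank lines and comments are skipped."""
    rows = []
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rows.append([f.strip() for f in line.split(",")])
    return rows


def unchecked_apply(row: list, table: list) -> list:
    """Trusts the content and indexes the table by position.
    A native sensor would read past the end of its array here; Python raises
    IndexError instead, which is the same crash from the host's point of view."""
    return [(table[i], value) for i, value in enumerate(row)]


def validate_content(rows: list, expected: int = EXPECTED_FIELDS) -> list:
    """Return a list of problems; an empty list means the content is safe to apply."""
    problems = []
    for n, row in enumerate(rows, start=1):
        if len(row) != expected:
            problems.append(f"row {n}: {len(row)} fields, sensor expects {expected}")
        if any(f == "" for f in row):
            problems.append(f"row {n}: empty field")
    return problems


def checked_apply(rows: list, table: list) -> dict:
    """Validate against the real table size first; reject the whole update on any problem."""
    problems = validate_content(rows, expected=len(table))
    if problems:
        return {"status": "rejected", "problems": problems, "applied": 0}
    for row in rows:
        unchecked_apply(row, table)
    return {"status": "applied", "problems": [], "applied": len(rows)}


def rollout_ring(host: str, rings: int = 4) -> int:
    """Deterministic ring for a host (0 = canary); ring n+1 only ships once ring n is healthy."""
    return int(hashlib.sha256(host.encode()).hexdigest(), 16) % rings


def hosts_in_ring(hosts: list, ring: int, rings: int = 4) -> list:
    return [h for h in hosts if rollout_ring(h, rings) == ring]


# Constructed sample data: a 20-entry table, one good row and one row with an extra field.
SAMPLE_TABLE = [f"param{i}" for i in range(EXPECTED_FIELDS)]
GOOD_CONTENT = "# constructed sample\n" + ",".join(f"v{i}" for i in range(EXPECTED_FIELDS))
BAD_CONTENT = ",".join(f"v{i}" for i in range(EXPECTED_FIELDS + 1))

if __name__ == "__main__":
    print(checked_apply(parse_content(GOOD_CONTENT), SAMPLE_TABLE))
    print(checked_apply(parse_content(BAD_CONTENT), SAMPLE_TABLE))
    print(hosts_in_ring([f"host-{i}" for i in range(12)], ring=0))
```

The important property is that validate_content is driven by the consumer's actual table size (len(table)), not by a constant that can drift from the sensor build; a validator that checks against its own idea of the schema is exactly the kind of check that can pass content the sensor cannot handle.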
| 2024-07-24 14:02:52 | bleepingcomputer | MISCELLANEOUS | Preview of Mandiant's mWISE 2024 Cybersecurity Conference | Mandiant, now part of Google Cloud, is hosting the mWISE™ cybersecurity conference in Denver, Colorado on September 18-19, 2024.
The conference is designed for frontline cybersecurity practitioners, featuring sessions that focus on current relevant issues.
Nine content tracks will be presented, covering urgent issues in cybersecurity, including two new tracks specifically focused on AI.
High-profile sessions include discussions on the use of generative AI in cybercrime, secure AI system designs, and a revamped security control framework by Equifax.
Innovative methodologies for integrating new technologies into security programs without compromising safety will be explored.
Discussions will also address building trust in collaborative environments and adapting zero-trust tactics based on firsthand experience countering the hacktivist group Killnet.
Real-world case studies focusing on recent breaches and defensive tactics employed during cyber incidents will be highlighted.
Special rates are available for early registrants, with a significant discount offered until August 12. | Details |
| 2024-07-24 13:32:07 | theregister | DATA BREACH | Leak of Internal Documents from Pentagon IT Supplier Leidos | Leidos Holdings, a key IT services provider for the U.S. Department of Defense and other agencies, had internal documents leaked.
The stolen documents reportedly do not contain sensitive customer data. They were stolen via a previous attack on Diligent Corporation, a governance software provider.
Leidos learned recently that these documents are now circulating publicly, although the original cyberattack occurred in 2022.
All necessary data breach notifications related to this incident have already been made earlier in 2023, as confirmed by a Leidos spokesperson.
Leidos used the Diligent platform to store "information gathered in internal investigations"; the exact nature of the leaked material remains unclear.
Leidos merged with Lockheed Martin's Information Systems & Global Solutions business in 2016, which significantly expanded its IT services capabilities.
Following the incident, Leidos may face increased scrutiny from its government clients to prevent future security lapses. | Details |