Daily Brief

Articles are listed below, each with a generated summary

Total articles found: 12758

Checks for new stories every ~15 minutes

2024-07-24 11:24:16 thehackernews MISCELLANEOUS How Trust Centers Can Drastically Reduce Security Questionnaires
Trust Centers provide a long-term solution to the high costs and inefficiencies of repeated security questionnaires, employing automation and simplification to streamline processes. SafeBase's Trust Center reduces the need for incoming questionnaires by up to 98%, allowing organizations to shift from a reactive request-driven approach to a proactive self-serve model. AI-powered tools and integrations like Chrome extensions enhance the functionality of Trust Centers, enabling organizations to answer residual questionnaires efficiently and within third-party risk management (TPRM) systems. Trust Centers not only cut down on manual labor but also serve as flexible, centralized hubs for accessing and managing security documentation, which boosts security transparency and integrity. Using Trust Centers helps organizations move away from the traditional Band-Aid solutions for handling security questionnaires by addressing the root issues of the security review process. SafeBase provides analytics tools within the Trust Center to help organizations measure the impact on security-driven revenue, buyer engagement, and operational efficiency. Organizations that implement Trust Centers can expect decreased dependency on security questionnaires, improved deal lead times, and better alignment of security efforts with overall business outcomes.
2024-07-24 10:02:36 thehackernews MISCELLANEOUS Enhancing Productivity and Security in SaaS Management
The surge in SaaS adoption primarily aims to boost productivity but raises significant security and governance challenges for IT teams. IT and finance leaders aim to reduce costs by managing over-deployed or underused SaaS licenses, estimated to be about 25% of all SaaS subscriptions. Nudge Security offers a solution by providing a comprehensive inventory of SaaS applications used within an organization, facilitating better SaaS management. By using tools such as Venn diagrams to illustrate user overlaps across similar apps, Nudge Security helps organizations reduce redundancy and manage app sprawl. Nudge Security also assesses the security profiles of SaaS vendors, aiding in the risk assessment of various providers and ensuring compliance with organizational security standards. The platform integrates usage, spend, and security data, helping organizations make informed decisions about reducing SaaS expenditures without impacting productivity. Features like alerts for new app introductions and directories of approved apps support ongoing SaaS governance and prevent unnecessary software proliferation. Nudge Security's approach aligns the efforts of finance and IT security teams by providing a unified view of SaaS usage, security, and costs, leading to more effective governance.
2024-07-24 09:47:08 thehackernews NATION STATE ACTIVITY Patchwork Hackers Exploit Tools in Targeted Attack on Bhutan
Patchwork, also known as APT-C-09, is a state-sponsored hacking group likely of Indian origin, active since at least 2009. The group targets entities with ties to Bhutan using Brute Ratel C4 and an updated backdoor, PGoShell. This marks the first instance of Patchwork using the red-teaming software Brute Ratel C4. Previous campaigns targeted universities and research organizations in China and used romance-themed lures in Pakistan and India. The initial attack vector involved a deceptive Windows shortcut file that downloads a decoy document while deploying malicious tools. PGoShell offers functionalities such as remote shell capabilities, screen capturing, and executing additional payloads. The same hacking group has previously been involved in campaigns using various other sophisticated malware and backdoors.
2024-07-24 08:35:25 theregister DATA BREACH UK School Illegally Uses Facial Recognition for Canteen Payments
The UK's Information Commissioner's Office (ICO) has reprimanded Chelmer Valley High School for unlawfully using facial recognition technology (FRT) to process canteen payments. This violation occurred because the school failed to conduct a Data Protection Impact Assessment (DPIA) and assess risks before implementing FRT, contrary to UK GDPR and the 2018 Data Protection Act. The ICO criticized the school for not obtaining clear consent to process students' biometric data and for not adequately involving parents or the school's data protection officer in the decision-making process. Despite past warnings from 2021 about similar practices in other schools, Chelmer Valley High School proceeded without proper consent, initially relying on "assumed consent," which is not legally valid. The ICO has provided recommendations for the school's future compliance, but the situation raises ongoing concerns about the use of high-risk AI and biometric technologies in UK schools. Campaign group digitaldefendme has emphasized the severe implications of using such technology on children's rights and privacy, urging better training and legal adherence in the education sector.
2024-07-24 08:35:25 thehackernews MISCELLANEOUS CrowdStrike Incident Causes Massive Windows System Crash
An error in CrowdStrike's validation system led to millions of Windows devices crashing due to a content configuration update on July 19, 2024. The issue affected Windows hosts with sensor version 7.11 or higher during a specific one-hour window and did not impact Apple macOS or Linux systems. The crash was triggered by a Rapid Response Content update, which contained unforeseen errors in a new Interprocess Communication Template Type. These updates, part of regular security measures, are designed to enhance telemetry and detect novel threat techniques, but this one resulted in a system crash. The problematic content caused an out-of-bounds memory read within the Content Interpreter’s processing of Template Instance 291, leading to a critical exception and system crash. Following the incident, CrowdStrike enhanced its testing processes and error handling mechanisms and is planning a staggered deployment strategy for future updates. The error underscores the challenges in deploying complex security measures without impacting system stability.
2024-07-24 06:38:16 theregister MISCELLANEOUS Google's reCAPTCHA Critiqued as Exploitative, Ineffective by Study
University of California, Irvine researchers challenge the efficacy and intent behind Google's reCAPTCHA, suggesting it exploits users for profit rather than providing security. Despite advancements, AI models now solve CAPTCHA challenges with high accuracy, calling into question reCAPTCHA's role in combating bots and automated abuse. Over 819 million hours and an estimated $6.1 billion in human labor have been expended on solving reCAPTCHA puzzles, with Google potentially profiting immensely from associated data. Academic findings highlight reCAPTCHA v2's vulnerabilities, with some challenge types being solvable by AI almost 100% of the time, casting doubt on its actual security capabilities. Users reportedly find image CAPTCHA puzzles particularly annoying and less user-friendly, scoring lower on usability scales. The study underscores a substantial environmental and economic impact from reCAPTCHA traffic, including significant energy consumption and CO2 production. Researchers argue for a reevaluation of using CAPTCHA as a security measure, advocating for responsibilities to shift away from users towards service providers like Google.
2024-07-24 06:17:40 thehackernews MALWARE Microsoft Defender Exploit Used to Deploy Stealthy Stealers
A critical flaw in Microsoft Defender SmartScreen, officially identified as CVE-2024-21412, was exploited to deliver malicious software, including ACR Stealer, Lumma, and Meduza Stealer. Fortinet FortiGuard Labs discovered the campaign impacting users in the U.S., Spain, and Thailand via malicious files exploiting the high-severity vulnerability. The attack sequence starts with a booby-trapped link directing to a URL file, leading to the download of an LNK file, which subsequently fetches an executable containing a script for further malicious activities. Microsoft patched this security vulnerability in its February 2024 updates following discovery and reporting of the exploit. The ACR Stealer hides its command-and-control communications using a technique involving the Steam community website, which complicates efforts to disrupt its control over compromised systems. Cyber adversaries are increasingly leveraging malvertising and SEO poisoning to deploy new malware variants like Atomic Stealer by presenting them as legitimate software downloads. Recent cybersecurity events highlight the rising sophistication and resilience of cybercriminal operations aiming to steal sensitive data from compromised systems.
2024-07-24 06:02:10 thehackernews NATION STATE ACTIVITY CISA Updates Exploited Vulnerabilities Catalog with New Entries
CISA added CVE-2012-4792 and CVE-2024-39891 to its Known Exploited Vulnerabilities catalog due to evidence of active exploitation. CVE-2012-4792 is a decade-old use-after-free issue in Internet Explorer, previously used in targeted attacks on the CFR and Capstone Turbine websites. CVE-2024-39891 is an information disclosure flaw in Twilio's Authy, exploited to discern if phone numbers are registered with Authy. Both vulnerabilities are considered serious threats to federal systems, prompting urgent remediation guidance by August 13, 2024. Twilio has patched the Authy vulnerability in recent app updates to mitigate risks. These vulnerabilities highlight ongoing concerns around legacy software vulnerabilities and information security in widely used applications.
2024-07-24 05:21:21 theregister MISCELLANEOUS CrowdStrike Software Glitch Causes Global Windows Crash
A critical flaw was found in CrowdStrike's test software, leading to a significant outage affecting 8.5 million Windows machines globally. The problem arose from a bug in the "Content Validator" software component, which failed to detect problematic data within a newly released template. The incident occurred after the implementation of an "InterProcessCommunication (IPC) Template Type" designed to identify attacks involving Named Pipes. Despite successful tests of similar updates earlier in the year, the July 19 template release contained errors, overlooked due to the Content Validator malfunction, resulting in system crashes. CrowdStrike has acknowledged the fault and has committed to enhancing testing protocols, staggering update releases, and giving customers more control over update deployments. Promises include more rigorous testing, user control over deployments, detailed release notes, and a forthcoming comprehensive root cause analysis once the internal investigation concludes.
2024-07-24 05:00:41 theregister CYBERCRIME Security Firm Unwittingly Hires North Korean Imposter as IT Worker
KnowBe4, a security training provider, mistakenly hired a fake North Korean IT technician who then initiated malicious activities. Despite undergoing multiple video interviews and background checks, the applicant's true identity, using a stolen U.S. ID and AI-altered photo, went undetected. The imposter was sent a Mac workstation, which began loading malware upon setup, detected promptly by KnowBe4’s security systems. KnowBe4’s security operations center addressed the malware issue within 25 minutes, preventing any illegal access or data compromise. Investigations suggested the laptop was part of an “IT mule laptop farm” likely located in North Korea or China, used to disguise location and engage in cybercrime. The FBI has been alerted to the incident, highlighting international dimensions of cybersecurity threats. CEO Sjouwerman emphasized the importance of monitoring devices with remote access and strengthening vetting processes to prevent similar incidents.
2024-07-24 04:04:30 bleepingcomputer DATA BREACH Full Leak of BreachForums v1 Database Exposes Hacker Data
The BreachForums v1 database was fully leaked on Telegram, revealing extensive member data including private messages, cryptocurrency addresses, and forum posts. The data was initially sold by the forum's founder, Conor Fitzpatrick, while he was out on bail in July, and has since circulated among various threat actors. The leaked information is comprehensive, covering detailed data up to November 29th, 2022, and includes hashed passwords and payment logs. Private messages in the database show hackers discussing exploits and seeking access to networks and stolen data, highlighting significant operational security risks for the members. Cryptocurrency transactions traced in the database can potentially link specific payments to identifiable threat actors. Despite the FBI's seizure of the forum and the arrest of Fitzpatrick in 2023, this full release marks the first public exposure of the extensive forum data. The release provides an opportunity for threat actors to assess and improve their operational security practices in light of potential exposure and identification.
2024-07-24 00:35:48 theregister MISCELLANEOUS Philippines Shuts Down Online Gambling to Curb Scams and Crime
The Philippine government has ordered the cessation of Philippine Offshore Gaming Operators (POGOs) by year's end, a move announced by President Ferdinand "Bongbong" Marcos Jr. POGOs, which serve mostly players outside the Philippines, particularly in mainland China where gambling is banned, have been implicated in illegal activities including financial scams, money laundering, and human trafficking. President Marcos cited both economic costs and severe criminal activities as reasons for the shutdown during his State of the Nation address. In a recent raid in Tarlac province, police rescued 875 workers from various countries, uncovering illegal operations including romance scams. The POGO industry was estimated to generate significant revenue for the Philippines but was also associated with substantial financial losses due to its illegal activities and reputational damage. Currently, Philippine authorities have canceled licenses for 298 POGOs, and efforts are ongoing to curb illegal gaming operations that persist despite the shutdown. The Philippine Department of Labor and Employment will aid Filipinos displaced from POGO jobs, acknowledging that the total ban will not completely eliminate the associated problems. The government emphasizes continued vigilance against illegal gaming operations that might continue underground or morph into other forms of criminal enterprises.
2024-07-23 23:34:30 bleepingcomputer NATION STATE ACTIVITY Chinese Hackers Utilize Updated Malware in Espionage Campaigns
Evasive Panda, a Chinese hacking group, has been using updated versions of the Macma macOS backdoor and the Nightdoor Windows malware. The attacks targeted organizations in Taiwan and an American NGO in China, exploiting vulnerabilities like an Apache HTTP server flaw. Symantec's investigations reveal that Evasive Panda has refreshed its modular malware framework, MgBot, to avoid detection. Recent malicious activities involved using Tencent QQ software updates to deploy MgBot malware via supply chain or adversary-in-the-middle attacks. The latest versions of Macma malware show enhancements and shared code with other tools from Evasive Panda's arsenal, indicating a sophisticated custom malware development approach. Nightdoor malware, used in conjunction, retrieves payloads from OneDrive and employs anti-VM techniques to persist undetected on the infected systems. The group’s extensive toolkit includes various malware targeting not only macOS and Windows but also Linux, Android, and Solaris OS systems. Evasive Panda has a history of both domestic and international espionage endeavors and has been active since at least 2012.
2024-07-23 22:43:31 bleepingcomputer MALWARE Malware Campaign Targets 250 Million Hamster Kombat Players
Threat actors exploit the popularity of the mobile clicker game Hamster Kombat, targeting its 250 million-strong player base with spyware and info-stealing malware. Fake Android and Windows apps related to the game are tricking players into installing malicious software, including the Ratel Android spyware and Lumma Stealer for Windows. The genuine Hamster Kombat game is only available via Telegram, not on any official app stores, which increases the risk of players encountering and downloading malicious versions. Cybercriminals use various deceptive methods including clone apps on Google Play, fake Telegram channels, and malicious GitHub repositories to distribute malware. Detailed malware functionalities include intercepting SMS, hiding notifications, redirecting users to profit-generating ads, and falsely subscribing them to premium services. ESET cybersecurity experts warn players to only download the game from the official Telegram channel and remain cautious of unverified sources. No security checks or official whitepaper have been released for the game, despite its massive user base and links to cryptocurrency earnings.
2024-07-23 20:56:40 theregister MISCELLANEOUS CrowdStrike Update Causes Global Windows System Failures
Last week, a CrowdStrike Falcon platform update led to 8.5 million Windows systems crashing worldwide. The disruption affected major logistics operations, causing global flight and shipping delays. The issue was traced back to a malformed configuration file in the Falcon system, leading to a BSOD (Blue Screen of Death) on Windows devices. CrowdStrike identified the problematic file as a Channel File, essential for detecting and managing cybersecurity threats. Experts speculate the error involved the Channel File causing unintended memory access, leading to system crashes. CrowdStrike CEO George Kurtz has been called to testify before Congress regarding the incident. The situation highlights significant flaws in quality assurance and the dangers of deploying updates without adequate testing. Recommendations include implementing gradual rollout strategies like Google's Canary releases to prevent such widespread issues.