CrowdStrike update wreaks havoc

A routine update led to more than 8.5 million Windows devices crashing

A roundup of some of the noteworthy developments in the cybersecurity landscape, encompassing the latest vulnerability discoveries and emerging attack trends. Here are this edition’s top stories -

↘️ A faulty configuration update pushed by CrowdStrike caused nearly 9 million Windows devices across the world to crash and get stuck in a boot loop. The embattled endpoint security vendor blamed the issue on a validation error that failed to spot a broken channel file update that’s pushed over the cloud. The incident caused airlines, banks, emergency communications, hospitals and other critical organizations to grind to a halt. Cyber criminals seized the opportunity, sending out phishing emails container stealer malware and spinning up malicious domains purporting to host fixes. This is not the first time a botched update has led to a global disaster. As The Register points out, “a routine McAfee antivirus update in 2010 similarly bricked massive numbers of Windows machines.” CrowdStrike CEO George Kurtz, at the time, was McAfee’s CTO. The company is also offering its partners a $10 Uber Eats gift card as an apology, which Uber ended up flagging as fraud because of “high usage rate.” That’s not all. CrowdStrike is facing lawsuits from investors and customers following the incident, but it’s believed that the company is shielded from legal action due to the licensing structure that limit the developer’s liability. [The Hacker News / The Register / TechCrunch]

↘️ The U.S. Federal Bureau of Investigation (FBI) said it cracked the phone of the now-deceased 20-year-old man who wounded Donald Trump during a Pennsylvania rally in an attempted assassination. The bureau said that it had "successfully gained access" to the phone that belonged to Thomas Matthew Crooks, a one-time nursing aide who was shot and killed by Secret Service agents moments after his attempt on the former U.S. president’s life. It’s being reported that the agency used an unreleased tool from the Israeli mobile forensics company Cellebrite to unlock the phone, a Samsung model, in about 40 minutes. Internal documents obtained by 404 Media show that Cellebrite’s tools currently on the market have failed to unlock many phones running iOS 17.4 or newer, as well as Google Pixel 6, 7, and 8 phones that have been turned off. The development has once again brought to fore the back-and-forth between device manufacturers and law enforcement, who have decried moves to enable encryption by default as hampering their ability to tackle serious crimes. In 2015, Apple famously refused to unlock the iPhone 5c that belonged to one of the then-suspects linked to the San Bernardino mass shooting, prompting a little known Australian firm named Azimuth to do the unlock. [FBI / Bloomberg / The Washington Post / 404 Media / The Verge]

via GIPHY

↘️ Europol has sounded the alarm on the use of Privacy Enhancing Technologies (PET) in home routing, stating they pose new hurdles for lawful interception of information during criminal investigations. While home routing allows an international traveler to have all their communications (i.e., calls, messages, and data) processed through their home network rather than the network of the country they are visiting, this means that “the service provider abroad is not able to deliver communication data to law enforcement upon a judicial request, if the domestic service provided has enabled PET in home routing.”

The E.U. agency said that cybercriminals are abusing this loophole to evade law enforcement. As is typically the case, the crux of the problem hinges on the fact that service-level encryption is used when enabling home routing by the network operator, effectively stymieing efforts to obtain access to unencrypted data. “For service-level encryption, the subscriber (user) equipment exchanges session-based encryption keys with the service provider in the home network,” it pointed out. “If PET is enabled, the visiting network no longer has access to the keys used by the home network and therefore data in the clear cannot be retrieved.” As solutions, it has proposed an E.U. regulation to disable PET in home routing. A second option is to implement a cross-border mechanism that allows law enforcement to issue interception requests. [Europol]

↘️ Israeli company NSO Group, which is the maker of the infamous Pegasus spyware, said it’s appropriate for its global clients to target any high-ranking government or military official with the technology because their jobs categorically make them “legitimate intelligence targets.” [The Record]

↘️ The Japan Aerospace Exploration Agency (JAXA) said its network was targeting using unspecified zero-day exploits since January 2024, but noted that no information was compromised. The discovery was made while working with Microsoft to probe a 2023 cyberattack on its systems that took place late last year. [JAXA]

↘️ Health-related fraudulent ads powered by artificial intelligence (AI) and deepfake videos have been saturating Meta’s Facebook, Messenger, and Instagram, reaching millions of people worldwide. “Most of the ads cater to targeted geographical regions with tailored content using the names of celebrities, politicians, TV presenters, doctors and other healthcare professionals to bait consumers,” researchers said. The findings show how technological advancements such as AI could enables scammer to generate highly convincing messages. In a related development, scammers are also using legitimate-but-hijacked Facebook accounts to share posts that tag victims’ Facebook business accounts, triggering an automated email from Facebook. The message tricks users into clicking on phishing pages by warning them that their Pages will be disabled unless they re-verify their accounts. [Bitdefender / Kaspersky]

via Kaspersky

↘️ A recent study by academic researchers from the University of Maryland has revealed that Apple’s Wi-Fi Positioning System (WPS) could be abused by hackers to track the locations of Wi-Fi access points and their owners globally, essentially turning the technology into a mass surveillance tool to track access point locations, movements, and outages. The attack, which works by taking advantage of Apple’s Wi-Fi geolocation API to detect online BSSIDs, “allows an unprivileged attacker to amass a worldwide snapshot of Wi-Fi BSSID geolocations in only a matter of days,” the researchers said. [Dark Reading]

↘️ Scammers are double-scamming victims by offering to help recover from scams by helping them recover lost money by soliciting an upfront fee. “Victims of previous scams are easily identified by criminals who commonly keep and sell information about individuals they have exploited,” the Australian Competition and Consumer Commission (ACCC) said. Targets of the campaign primarly include people aged 65 and older. [ACCC]

↘️ Malware creators and sellers are increasingly attempting to evade responsibility by including disclaimers stating that their tools are intended for “educational purposes and penetration testing only” in a superficial attempt to avoid legal repercussions, while advertising their malicious capabilities on cybercrime forums. The development comes as threat actors are obtaining corporate data from brokers like ZoomInfo and Apollo to enable targeted business email compromise (BEC) attacks. This is accomplished by purchasing access to compromised accounts on cybercrime forums and marketplaces. [Abnormal Security]

↘️ China’s National Computer Virus Emergency Response Center (CVERC) has characterized Volt Typhoon as an invention of the Western intelligence community. Describing it as a misinformation campaign, the agency claimed that “although its main targets are U.S. congress and American people, it also attempt[s] to defame China, sow discords between China and other countries, contain China’s development, and rob Chinese companies.” It has also asserted that any real attacks that had taken place were instead conducted by the Dark Power ransomware gang, and that evidence revealing this was being suppressed by the U.S. It’s worth noting that the report is riddled with grammatical and spelling errors. [CVERC / The Record]

↘️ Crypto exchange Binance and Brazilian financial institutions are the target of a Windows banking trojan called Coyote. “During a Coyote attack, a legitimate open-source OBS file and the Chromium Embedded Framework (CEF) dynamic linked library (DLL) are injected with a compromised DLL,” BlackBerry said. “The compromised DLL uses the Nim programming language to load the Coyote banking Trojan and harvest user financial information, with persistence on the system.” [BlackBerry]

↘️ U.S. telco AT&T has become the latest company to join the list of Snowflake customers who fell victim to a recent credential stuffing campaign. The Dallas-based company said it recently suffered a data breach impacting call and text messaging records of “nearly all” its customers. The company is in the process of notifying about 110 million people that they were affected. [The Hacker News / WIRED]

↘️ More than 310 gigabytes of data from stalkerware service mSpy, including 2.4 million unique emails, have been stolen. The data, which dates back to 2014, includes personal information and customer support tickets. mSpy is owned by a Ukrainian company called Brainstack. The surveillance software company has suffered at least two data breaches in the past. A dataset containing information on more than 400,000 mSpy users was leaked in 2015, and roughly two million mSpy records were leaked in 2018. [TechCrunch]

↘️ A nascent threat actor named CRYSTALRAY is solely relying on an arsenal of open-source software to facilitate every step of its attack chain — ranging from initial reconnaissance to lateral movement to persistence — and scale its credential stealing and cryptocurrency mining operations exponentially. [The Hacker News]

↘️ At least a dozen organizations with domain names at domain registrar Squarespace saw their websites hijacked last week following its acquisition of Google Domains. Malicious hackers are said to have taken advantage of the fact that many erstwhile Google Domains customers still haven’t set up their new accounts, thus allowing them to commandeer any migrated Squarespace accounts that hadn’t yet been registered by supplying an email address tied to an existing domain. To make matters worse, Squarespace does not require email validation when creating accounts, which has allowed attackers to create accounts by guessing the email addresses that might have been migrated with the domains transferred from Google Domains. [Security Alliance / Krebs on Security]

↘️ A shadowy Chinese organized cybercrime syndicate codenamed Vigorish Viper is using a stealthy technology suite and various shell companies to hide a constellation of illegal gambling platforms that have connections to European soccer clubs. The amorphous entity, linked to a company named Yabo Group, runs a massive smokescreen of an operation that takes elaborate steps to conceal the true nature of the underlying infrastructure from anyone other than its intended audience, who are primarily bettors based in China. Users attempting to navigate to one of their domains are extensively profiled and fingerprinted using traffic distribution systems and various anti-analysis techniques before they are redirected to the sites. These sites are also staffed by physically imprisoned individuals in Southeast Asia. The findings highlight the global reach and criminal nature of their activities. [The Hacker News / Josimar]

↘️ A novel malware called FrostyGoop that it believes has been was used in a cyberattack in late January 2024 to target a heating utility in the Ukrainian city of Lviv, disabling the service to 600 apartment buildings for around 48 hours during freezing temperatures.. Its ninth malware family discovered explicitly targeting industrial networks, and marks the first instance in which hackers have directly sabotaged a heating utility. The attack has not been attributed to a known threat actor or group. [WIRED / The Hacker News]

↘️ The private member information of the original BreachForums hacking forum from 2022 has been leaked online, making it a valuable tool to gain insight into its user base. BreachForums has already been revived twice following attempts by law enforcement to seize its online infrastructure. “The exposure of these databases represents a risk of attracting law enforcement attention for any person who interacted on those forums,” Flashpoint said. [Bleeping Computer / Flashpoint]

↘️ Google fixed a flaw after hackers bypassed email verification to create “a few thousand” Workspace accounts to access third-party apps via Sign in with Google. The tech giant claimed the activity commenced in late June. [Krebs on Security]

↘️ A security audit of HomeBrew has uncovered security issues that, while not critical, could allow an attacker to load executable code at unexpected points and undermine the integrity guarantees intended by sandboxing. The flaws, some of which reside in the CI/CD pipeline, could also permit “an attacker to surreptitiously modify binary (‘bottle’) builds of formulae and potentially pivot from triggering CI/CD workflows to controlling the execution of CI/CD workflows and exfiltrating their secrets,” Trail of Bits said. [Trail of Bits]

↘️ The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) has released a new open source software package, Dioptra, that allows developers to determine “how well their AI software stands up to a variety of adversarial attacks.” [NIST]

↘️ A “well-orchestrated” scam campaign observed between January and June 2024 leveraged a security blindspot in Proofpoint’s filtering protections to disseminate millions of spoofed messages mimicking well-known global brands such as Disney, IBM, Nike, Best Buy, and Coca-Cola — all of which are Proofpoint’s customers. The emails were aimed at stealing funds and credit card details. Called EchoSpoofing, this was achieved by sending the dodgy emails from an SMTP server in their control through a Microsoft 365 account and exploiting a configuration flaw in Proofpoint servers that allowed accepted email messages with an approved IP range, including from the Microsoft 365 tenant accounts set up by the spammers to relay their mails.

In other words, it’s a form of converting a rogue email into a clean one by simply routing them through a trusted server. At issue was the Proofpoint vulnerability in the default settings of the relay service, which allowed non-organization members to send outgoing mail by routing it to the relay server associated with a specific customer (this information is publicly accessible via DNS MX records). This was complicated by the fact that Microsoft 365 accounts don’t require proof of domain ownership when emails are relayed through their servers, a combination that enabled the threat actors send the messages as though they are coming from legitimate companies. [The Hacker News / The Register]

↘️ Researchers have discovered three cross-site scripting (XSS) vulnerabilities in Research Electronic Data Capture (REDCap) — CVE-2024-37394, CVE-2024-37395, and CVE-2024-37396 — that “could allow attackers to execute malicious JavaScript code in victims’ browsers, potentially compromising sensitive data.” [Trustwave]

↘️ Malicious actors are now able to purchase Generative AI (GenAI) account credentials on Russian underground hacker markets like LLM Paradise (the market has since shut shop) along with other various illegal goods for as little as $15. Many of these credentials are stolen from corporate end-users’ computers when they get infected with stealer malware, which are known to harvest stored browser passwords and cookies, and exfiltrate them to the operators in the form of a log file. These stealer logs are then peddled on the dark web, generating illicit revenue for the actors. The customers who end up purchasing the stolen GenAI account credentials monetise the access to create convincing phishing campaigns, develop sophisticated malware, and produce chatbots.

The development comes amid a rise in threats to GenAI systems, including LLMjacking, the abuse of stolen accounts for cybercrime, and prompt injection attacks to bypass safety guardrails. Indeed, a recent report from Robust Intelligence has found that Meta’s machine learning model for detecting prompt injection attacks — Prompt-Guard-86M — is itself vulnerable to prompt injection attacks by “inserting character-wise spaces between all English alphabet characters in a given prompt.” The company also previously found that “fine-tuned variants more than 3 times more susceptible to jailbreak instructions and over 22 times more likely to produce a harmful response than the original foundation model.‍” [eSentire / Robust Intelligence]

↘️ Vulnerabilities in dating apps like Badoo, Bumble, Grindr, happn, Hinge, and Hily let malicious users and stalkers pinpoint the locations of their victims down to two meters using a technique called oracle trilateration. The issues, which stem from the services’ use of exact locations when applying filters, have since been addressed. [TechCrunch]

↘️ A cyber-espionage group working on behalf of North Korea’s foreign intelligence service has been accused of systematically stealing technical information and intellectual property from organizations across the world to advance its own nuclear and military programs. The group, codenamed Andariel, uses ransomware attacks to fund its espionage campaigns, the U.S. government said. The information pursued by the threat actor is broad and varied, encompassing details pertaining to missile defense systems, combat ships, uranium processing and enrichment, shipbuilding, and robotics. It’s also known for exploiting multiple well-known vulnerabilities to gain initial access to target networks. [The Hacker News]