Daily Brief

2025-07-10 11:36:31 theregister CYBERCRIME UK National Crime Agency Arrests Four in Major Retail Ransomware Case
The UK's National Crime Agency (NCA) apprehended four individuals linked to recent ransomware attacks on major retailers, including M&S, Co-op, and Harrods. Arrests were made at various locations across the UK, targeting two men from the West Midlands, one man from London, and one woman from Staffordshire. Those detained are suspected of being involved in all three attacks, facing preliminary charges under the Computer Misuse Act, alongside allegations of blackmail and money laundering. The NCA seized electronic devices from the suspects for forensic analysis to gather more evidence in their ongoing investigation. Authorities emphasize the significance of these arrests but have withheld specific details to protect the right to a fair trial and manage significant safeguarding concerns. The NCA's Deputy Director, Paul Foster, highlighted the disruption caused by cyberattacks and reiterated the importance of cooperation between businesses and law enforcement in cybercrime cases. The investigation remains a top priority for the NCA, with further work anticipated both in the UK and with international partners.
2025-07-10 11:04:44 thehackernews MALWARE Latest ZuRu Malware Variant Targets macOS Developers
New artifacts of the ZuRu malware have been discovered, targeting macOS developers with a trojanized Termius app. The malware impersonates legitimate tools and uses modified versions of Khepri for command and control. Initially identified in 2021, ZuRu has evolved to exploit various popular macOS applications. The trojan relies on sponsored web searches, indicating opportunistic rather than targeted attacks. The latest version includes modifications to bypass detection, utilizing a hacked Termius.app and additional malicious executables. ZuRu's persistence mechanisms and update features ensure it remains active and up to date on infected systems. Researchers highlight the need for robust endpoint protection to guard against such sophisticated malware tactics.
2025-07-10 11:04:44 thehackernews MISCELLANEOUS Essential AI Governance Strategies for SaaS Applications
Generative AI is increasingly integrated into daily-use SaaS applications, raising urgent security and privacy concerns for businesses. A significant 95% of U.S. companies now employ generative AI, highlighting the rapid adoption and the accompanying need for effective governance. AI governance involves establishing policies and controls to ensure responsible and secure AI usage aligned with organizational goals and compliance requirements. Without proper governance, AI tools may expose sensitive data, violate compliance laws, or function unpredictably due to biases or model changes. Companies face challenges in AI management due to lack of visibility and fragmented tool ownership across departments. Effective AI governance should include an inventory of AI usage, clear usage policies, monitored access, continuous risk assessment, and cross-functional collaboration. Specialized platforms like Reco's Dynamic SaaS Security solution are emerging to support organizations in managing AI-related risks efficiently.
2025-07-10 10:50:27 theregister DATA BREACH Google Cloud's UK AI Data Storage Raises Sovereignty Concerns
Google Cloud now allows UK organizations to keep AI data fully within the country, addressing local data sovereignty needs. Despite local data storage, support services for UK users will be handled by Google’s global support team, potentially compromising data sovereignty. Concerns arise about US authorities accessing UK-stored data under the US CLOUD Act, despite the data being physically located in the UK. Veteran Linux vendor SUSE warns about the risks of data crossing borders because support services are based outside the UK. Google offers encryption solutions in which customers control their own keys, enhancing data security and compliance. The CEO of UK cloud vendor Civo criticizes Google's approach, expressing concerns about US influence and inadequate safeguards against overseas data access. Google states that its processes for handling government data requests align with international best practices, yet the specifics remain general. Alternatives like Google Cloud Airgapped and Google Cloud Dedicated offer more controlled data environments but are limited to certain EU countries.
2025-07-10 10:50:27 thehackernews MALWARE AMD Identifies New CPU Vulnerabilities, Releases Security Updates
AMD has discovered new vulnerabilities, termed Transient Scheduler Attacks (TSA), in a wide range of its CPUs that could lead to information disclosure. TSA exploits speculative execution through side channels by observing execution timing under specific CPU conditions. The vulnerabilities, detailed in a joint research study by Microsoft and ETH Zurich, involve microarchitectural elements and do not directly modify data or program state but infer information via timing discrepancies. AMD has issued microcode updates to mitigate the risks associated with these vulnerabilities, affecting speculative execution processes. TSA comes in two variants, TSA-L1 and TSA-SQ: TSA-L1 involves the L1 data cache, while TSA-SQ relates to the retrieval of data from CPU store queues that is not yet ready for execution. Exploitation requires repeated access to the targeted system, as the conditions for the vulnerabilities are transient and sophisticated methods are needed to make use of the false completions. Successful exploitation could enable unauthorized data leaks across security domains, including from the kernel to user applications and from hypervisors to guest operating systems, a significant concern for multi-tenant environments.
2025-07-10 08:04:07 theregister MISCELLANEOUS Review: Passwork 7 Enhances Password Management for Businesses
Passwork 7, a business-focused password management solution, operates both on-premises and cloud-based, simplifying user password handling and compliance with regulatory demands. The latest update emphasizes backend improvements, maintaining a user-friendly interface for managing password cards and user roles without altering the front-end user experience. It features new private vaults for sensitive departments like HR and finance, where credentials are visible only to the authorized user, enhancing internal security protocols. Role-based access control has been revamped, offering customized roles with detailed permission settings and finer control over who accesses what data. It supports secure password management by integrating with Single Sign-On and LDAP systems and includes a zero-knowledge security architecture to ensure data encryption. It offers robust features like automatic password generation, two-factor authentication to expand security measures, and an active monitoring system to alert admins about compromised credentials. Transparent pricing models are provided, with various options that cater to different business sizes and budgets, making it an accessible solution for effective password management. Passwork 7 is positioned as a necessary tool for organizations aiming to enhance their password management protocols and reduce potential security breaches, thereby cutting down on support costs and potential data breach damages.
2025-07-10 07:35:24 theregister CYBERCRIME AI Exploitation of Crypto Smart Contracts Raises Concerns
Researchers from University College London and the University of Sydney developed an AI agent, named A1, that can exploit vulnerabilities in cryptocurrency smart contracts. A1 uses AI models from big tech firms like OpenAI and Google to create executable exploits, demonstrating a high success rate in identifying and exploiting contract weaknesses. Tested on Ethereum and Binance Smart Chain, A1 successfully exploited several contracts, potentially extracting millions of dollars per case. The researchers showed that A1 could remain profitable, identifying fresh vulnerabilities within a short time window and improving over manual security methodologies. Concerns were raised over the ethical implications and potential misuse of such powerful AI tools in cybercrime, given the discrepancy between attack profitability and the cost of defensive measures. The study highlights a significant gap in investment capabilities between attackers and defenders, suggesting that the efficiency of defensive strategies must increase to close this gap. The researchers originally planned to release A1 as open source but reversed that decision due to the potential risks and impacts of widespread access to such a tool.
2025-07-10 07:26:24 thehackernews DATA BREACH ServiceNow Vulnerability Leads to Potential Data Exposure Risk
A critical security flaw in ServiceNow, CVE-2025-3648, allows possible data exposure and extraction and carries an 8.2 CVSS score. Misconfigured access control lists (ACLs) in ServiceNow can let unauthorized users infer and access sensitive data under certain conditions. The vulnerability affects the record count UI element, which could be exploited to expose information from numerous tables across ServiceNow platforms. Any ServiceNow instance may be at risk, since exploitation requires only minimal table access from a weakly configured user account. A variety of attack techniques, such as dot-walking and self-registration, could widen the impact, enabling attackers to gain unauthorized access and manipulate data. ServiceNow has rolled out Query ACLs, Security Data Filters, and Deny-Unless ACLs to mitigate this vulnerability and improve security. ServiceNow customers are advised to apply the updated security settings and prepare for default query range ACLs to shift to deny mode, which will require configured exclusions for legitimate access.
2025-07-09 22:42:45 bleepingcomputer MISCELLANEOUS Microsoft Authenticator iOS Update Enhances Backup to iCloud
Microsoft is updating the Authenticator app on iOS to allow backups directly to iCloud without requiring a Microsoft account. The change, scheduled for rollout in September, aims to alleviate complications in enterprise environments by separating personal and corporate data. Users will need devices running iOS 16.0 or later, with both iCloud and iCloud Keychain enabled, to use the new feature. The updated backup feature will automatically save and restore TOTP credentials and account names across devices using the same Apple account. Managed Apple IDs on corporate devices will replace personal accounts for backups, ensuring better alignment with corporate data management policies. Microsoft stresses that only TOTP secrets are backed up; other credentials are not. Users can disable the backup feature via their iCloud settings if desired.
2025-07-09 22:35:08 theregister CYBERCRIME Exploiting ChatGPT to Reveal Sensitive Windows Product Keys
A researcher discovered a method to extract Windows product keys from ChatGPT by disguising the query as a game. ChatGPT was manipulated into bypassing its internal safeguards, revealing sensitive information including a key belonging to Wells Fargo. The exploit involved asking ChatGPT to guess a sequence of characters, claiming it was a Windows serial number, then triggering disclosure by saying "I give up." The technique demonstrates potential weaknesses in AI models' content filters that could be exploited to obtain other sensitive data. The problem is exacerbated when confidential data is inadvertently included in training data sets, such as when keys are mistakenly uploaded to GitHub. To address such vulnerabilities, AI systems need enhanced contextual understanding and robust multi-layered verification processes. The incident highlights broader concerns about the security of AI-powered interfaces and their potential to unintentionally disclose private data.
2025-07-09 20:16:37 bleepingcomputer DATA BREACH Qantas Data Breach Affects 5.7 Million Customers
Australian airline Qantas acknowledges a data breach affecting 5.7 million customers through a cyberattack on a third-party platform. The breach was first detected on June 30, with Qantas announcing the compromise the following day. Data exposed includes customer email addresses among other personal details, but excludes financial information and Qantas Frequent Flyer accounts. The data breach is linked to threat actors known as Scattered Spider, similar to recent attacks on other airlines. Qantas is now contacting affected customers to inform them of the specific data exposed and to offer support. Qantas has enhanced cybersecurity measures following the breach and continues to monitor for fraudulent activities targeting their customers. Customers are advised to remain vigilant for malicious emails posing as communications from Qantas.
2025-07-09 19:40:51 bleepingcomputer MISCELLANEOUS Google Enhances Chrome Security with Advanced Protection on Android
Google has expanded its Advanced Protection Program to Android devices, starting with Android 16, to improve security for users at high risk of sophisticated spyware attacks. Advanced Protection can be activated in Android’s Settings under Security & Privacy, enhancing safeguards particularly in Google applications such as Chrome, Messages, and Phone. The new security features include stricter HTTPS and JavaScript controls, which have been available since Chrome v133 but are applied more consistently when Advanced Protection is turned on. Advanced Protection also enforces automatic site isolation for high-risk activities like logging in or submitting forms on websites, aimed at preventing unauthorized data access. Google recommends that individuals prone to targeted attacks enroll in the Advanced Protection Program to benefit from stronger multi-factor authentication and consistent enforcement of stringent security settings across their devices.
2025-07-09 18:10:26 theregister NATION STATE ACTIVITY U.S. Sanctions North Korean Leaders in IT Worker Fraud Scheme
The U.S. Treasury Department has imposed sanctions on Song Kum Hyok, a North Korean, for cybercrimes including attempts to hack the U.S. Treasury. Song Kum Hyok is linked to Andariel, a group engaged in ransomware attacks on U.S. hospitals, money laundering, and funding cyber intrusions globally. Andariel, identified as part of North Korea's military intelligence cyber arm, has previously been sanctioned but continues illicit activities including digital asset theft and impersonation. The sanctioned operations involve a scheme where foreign IT workers are hired under stolen U.S. identities to infiltrate American companies, splitting income with the North Korean regime. These activities fund North Korea's weapons programs and were part of efforts to circumvent sanctions. A Russian national, Gayk Asatryan, and his companies were also sanctioned for employing North Korean IT workers, further supporting Pyongyang's illicit operations. The U.S. continues to address security concerns posed by North Korean IT workers who are involved in large-scale scams affecting major companies worldwide, including theft of intellectual property.
2025-07-09 17:36:52 bleepingcomputer DATA BREACH Bitcoin Depot Warns Customers of Significant Data Breach
Bitcoin Depot reports a data breach impacting 27,000 customers due to unauthorized network access detected on June 23, 2024. Despite concluding the internal investigation by July 18, 2024, federal law enforcement delayed public disclosure until their investigation was complete. Exposed information varies by individual, likely including data gathered during mandated Know-Your-Customer processes. Bitcoin Depot operates 8,800 Bitcoin ATMs across the U.S., Canada, and Australia, likely heightening the breach's impact. Affected customers have been advised to monitor accounts for fraud and consider extra security measures but were not offered identity theft protection services. This breach follows a similar incident at Byte Federal in December 2024 where data of 58,000 customers was compromised by exploiting a software vulnerability.
2025-07-09 17:19:02 theregister MALWARE AMD Identifies New Side-Channel Vulnerabilities in CPUs
AMD has discovered four new side-channel vulnerabilities, named Transient Scheduler Attacks (TSAs), affecting a wide range of its processors including desktop, mobile, and datacenter models. These vulnerabilities were found during an investigation into a Microsoft report on microarchitectural data leaks and resemble the infamous Meltdown and Spectre bugs. Despite low- to medium-severity ratings due to their high complexity and execution demands, security firms like Trend Micro and CrowdStrike rate these threats as critical. Successful exploitation could lead to information disclosure, including kernel data leaks that could potentially be used to escalate privileges or bypass security protocols. The attacks cannot be launched from malicious websites; they require local access, usually through malware or a malicious virtual machine (VM), with low privilege levels on the target system. AMD notes that sustained, repeated execution is necessary for an effective attack, making casual or opportunistic exploitation unlikely but leaving targeted attacks a concern. AMD advises updating systems with the latest Windows builds and assessing the use of the VERW instruction mitigation, which may affect system performance. No public exploit is currently known for these vulnerabilities, indicating no immediate widespread threat but highlighting the need for vigilance and timely updates.