Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 12799

Checks for new stories every ~15 minutes

2024-09-24 15:31:35 theregister CYBERCRIME Critical Vulnerabilities Threaten Thousands of Fuel Tanks Worldwide
Tens of thousands of fuel storage tanks are at risk due to vulnerabilities in Automatic Tank Gauges (ATGs) used in critical infrastructure. Researchers from Bitsight identified 10 CVEs affecting products from Dover Fueling Solutions, OPW Fuel Management Systems, Franklin Fueling Systems, and OMNTEC. Seven of these vulnerabilities are rated critical and permit attackers full administrative control of the devices. Despite ongoing efforts with CISA to resolve the issues, approximately 1,200-1,500 devices remain unpatched. The vulnerabilities could lead to physical and environmental hazards by allowing unauthorized changes to tank storage parameters or the disabling of alarms. Impacted devices are found in various sectors including gas stations, airports, and utility companies. Manufacturers have issued patches for some vulnerabilities; however, three critical flaws still lack fixes. Recommendations include isolating affected devices from wider networks and ensuring they are not directly accessible from the internet.
2024-09-24 14:28:51 bleepingcomputer MISCELLANEOUS Ensuring Security for Salesforce Einstein Copilot Deployment
Salesforce is introducing Einstein Copilot to improve interactions in sales, marketing, and customer service through its CRM tool. Einstein Copilot utilizes natural language processing to provide answers, insights, and task automation, improving productivity and process efficiency. Data processed by Einstein Copilot is encrypted and not stored long-term to protect sensitive customer information. Salesforce employs a shared responsibility model for data security, requiring customers to manage access permissions and secure app configurations connected to the AI. Best practices for deploying Einstein Copilot include locking down sensitive data permissions, updating internal data, and purging outdated documents. The system includes mechanisms like the Prompt Builder to safeguard against improper AI training and prompt injection attacks. Salesforce collaborates with Varonis to evaluate and enhance organizations' security postures prior to implementing Einstein Copilot. A demo and risk assessment from Varonis are available to ensure organizations are prepared for a secure integration of Einstein Copilot.
2024-09-24 13:05:55 thehackernews NATION STATE ACTIVITY U.S. to Ban Connected Vehicle Tech from China and Russia
The U.S. Department of Commerce proposes a ban on the import and sale of connected vehicles that utilize Chinese and Russian technology in critical systems. The ban targets both hardware and software related to Vehicle Connectivity Systems (VCS) and Automated Driving Systems (ADS). This measure addresses security concerns that these technologies might allow foreign adversaries to gather sensitive data and manipulate vehicle operations. The prohibition will affect all wheeled on-road vehicles including cars, trucks, and buses, excluding agricultural and mining vehicles. Technologies from China and Russia are considered to pose undue risks to U.S. national security and the privacy of American citizens. The policy aims to secure U.S. technology supply chains against potential exploitation by entities tied to adversarial nations. Software restrictions are set to be enforced starting with Model Year 2027, and hardware restrictions by Model Year 2030, or January 1, 2029, for units lacking a model year designation. The White House emphasizes this initiative as crucial for maintaining the resilience and security of U.S. automotive and digital infrastructure.
2024-09-24 12:49:41 bleepingcomputer CYBERCRIME MoneyGram Confirms Cyberattack Caused Multi-Day Service Outage
MoneyGram experienced a significant cyberattack, resulting in system outages starting last Friday. The company confirmed the cybersecurity incident on Monday after initial reports of a "network outage." In response, MoneyGram proactively took systems offline to address the issue, impacting connectivity. This incident affected both their physical and digital money transfer services across 200 countries. MoneyGram is the second-largest money transfer company globally, handling over 120 million transactions yearly. The extended outage and loss of system connectivity suggest a possible ransomware attack. MoneyGram is collaborating with external cybersecurity experts and law enforcement to mitigate the impact and restore services. No specific details on the nature of the cyberattack or when services will fully resume have been provided yet.
2024-09-24 12:11:40 thehackernews MISCELLANEOUS Kaspersky Replaces U.S. Software With UltraAV, Sparking User Concerns
Kaspersky has initiated the withdrawal of its antivirus solutions from the U.S. market by automatically transitioning its users to UltraAV starting September 19, 2024. This move comes as Kaspersky prepares to completely exit the U.S. market by the end of September 2024, following a ban due to national security concerns. The transition involved a software update that automatically replaced Kaspersky antivirus with UltraAV, with the intent to ensure continuous protection for users. Some Kaspersky users reported that they were not adequately informed about the automatic software switch, leading to surprise and concern when they noticed the new program installed on their systems. According to UltraAV, all Kaspersky U.S. users with a valid email should have received details about the transition beginning September 5, although complaints suggest the communication might not have been clear about the automation of the process. UltraAV is part of the U.S.-based Pango Group, which owns several other cybersecurity and VPN products, boasting a significant user base across its various applications.
2024-09-24 12:06:19 theregister NATION STATE ACTIVITY Mandiant Reveals Tactics to Identify North Korean IT Agents
Mandiant has released a guide to help companies spot North Korean agents applying for IT roles within the U.S., amidst rising infiltration attempts. These North Korean workers, typically operating from China and Russia, are found to divert their substantial salaries to support North Korea's military ambitions and secure long-term network access for further exploitation. The guide includes practical tips such as scrutinizing resumes for inconsistencies, conducting comprehensive background checks including biometrics and identity verification, and requiring video during online interviews. Multiple job applications across various companies, using different names or details linked through email addresses, are highlighted as significant red flags. Mandiant advises training HR departments to recognize manipulated digital profiles and suspicious discrepancies in educational background listings, such as unlikely overseas educational institutions. Advanced monitoring strategies were suggested, including checking for unusual device connections or remote management software installations shortly after employment begins. Implementing hardware-based Multi-Factor Authentication (MFA) and serial number verification at onboarding can prevent fraudulent access via remote PC farms commonly used by North Korean operatives.
2024-09-24 12:01:03 thehackernews CYBERCRIME Upcoming Webinar on Ransomware Threats and Defense Strategies
Ransomware has evolved into a sophisticated and organized industry. Cybercriminals are enhancing their attack methodologies, posing significant risks to businesses. The webinar, led by Emily Laufer from Zscaler, aims to equip businesses with advanced strategies to counter these threats. Key insights will be shared from the latest research conducted by ThreatLabz. Participants will learn effective measures to deploy in order to protect their businesses from ransomware disruptions. The session is designed to provide actionable intelligence and a strategic advantage in cybersecurity.
2024-09-24 11:03:48 thehackernews DATA BREACH Enhancing SaaS Security: The Role of SSPM in Preventing Data Breaches
SaaS applications are central to business functions and contain critical data including customer and employee information, IP, and financial records. The shared responsibility model in SaaS environments puts the onus on customers to secure their applications, often leading to gaps due to complex settings and permissions. Recent attacks involving Snowflake and Azure Cloud highlight the vulnerabilities in SaaS applications and the importance of enhanced security measures. SSPM solutions harden configurations and, combined with an ITDR solution, offer comprehensive protection against unauthorized access and data breaches. Misconfigurations and weak identity security are major risk factors; SSPM can address these by managing permissions and enhancing security protocols. Return on Investment (ROI) studies, such as the one by Forrester, demonstrate significant financial benefits of SSPM, often achieving payback in less than six months. Continuous advancements in threats, including those exploiting GenAI tools within SaaS apps, require robust security solutions like SSPM to protect sensitive data and ensure compliance. The increasing priority of SaaS security on business agendas is reflected in expanded investment in dedicated security staff and technologies to mitigate risks.
2024-09-24 09:41:44 thehackernews MALWARE New Octo2 Trojan Targets Android Devices with Enhanced Fraud Capabilities
Cybersecurity experts have identified Octo2, an advanced version of the Android banking trojan Octo, with increased device takeover abilities. Octo2 has been spotted in active campaigns across several European countries including Italy, Poland, Moldova, and Hungary. This malware is a development of the previously known Exobot, which originated from the same source code as the Marcher banking trojan. Octo2 offers sophisticated features enabling remote actions for fraudulent transactions and exhibits improved stability and anti-analysis techniques. The malware spreads through fake apps created via a known APK binding service, Zombinder, misleading users into installing malicious plugins. The transition of Octo to a Malware-as-a-Service (MaaS) model allows the original developer to monetize it by offering it to other cybercriminals. ThreatFabric notes that, due to the source code leak of the original Octo malware, numerous variants like Octo2 have emerged, expanding the threat landscape globally.
2024-09-24 09:26:07 theregister DATA BREACH Global Data Breach Impact: Prevention and Protective Measures
In Q1 2023, 6.41 million data records were globally affected by leaks and breaches, highlighting pervasive cybersecurity threats. Europe, North America, and Asia are the most affected regions, showcasing a significant need for improved cybersecurity measures. Major past data breaches include LinkedIn, Duolingo, Aadhaar, Yahoo, and Cam4, leading to substantial personal and financial data exposure. Average global cost of a data breach for companies stands at approximately $4.45 million, underlining heavy financial burdens. Data leaks often stem from operational errors or negligent cybersecurity practices, while breaches usually involve deliberate unauthorized access. Types of data commonly compromised include Personally Identifiable Information (PII), financial details, health information, and intellectual property. Preventative measures include using strong passwords, two-factor authentication, updated antivirus software, and cautious information sharing. Surfshark offers tools like Alternative ID and Surfshark Alert for enhanced personal data protection and breach alerts, emphasizing proactive security practices.
2024-09-24 09:04:52 bleepingcomputer MALWARE New Octo2 Malware Targets European Android Users with Enhanced Features
A new variant of the Octo Android malware, named "Octo2," is spreading in Europe, masquerading as NordVPN, Google Chrome, and Europe Enterprise apps. Octo2 offers improved operational stability, advanced evasion capabilities, and uses a domain generation algorithm for robust command and control communications. Originally derived from the ExoBot trojan, Octo has evolved significantly, incorporating features like keylogging, SMS interception, and a remote access tool. The malware's distribution is not observed on the Google Play Store but is suspected to be through third-party stores, posing heightened risks to Android users. Threat actors have specifically targeted users in Italy, Poland, Moldova, and Hungary, with potential plans to expand these campaigns globally. Enhancements in Octo2 include a new low-quality setting for its remote access tool to improve connectivity and dynamic loading of libraries to evade detection. Octo2's introduction comes after leaks of earlier versions, prompting its developers to innovate and market the new variant with special discounts for previous customers.
2024-09-24 06:40:19 thehackernews DATA BREACH Telegram to Provide User Data to Authorities Upon Legal Request
Telegram has revised its privacy policies to share user data, including IP addresses and phone numbers, with law enforcement agencies following valid legal orders. The change aims to combat illegal activities on the messaging platform such as drug trafficking, child pornography, and money laundering. The company's CEO, Pavel Durov, confirmed that this data disclosure policy would now include any user suspected of violating Telegram's terms, expanding beyond previous policies focused solely on terror suspects. In response to these legal requests, Telegram will conduct a legal analysis before disclosing any user information. These disclosures will be reported in Telegram's periodic transparency reports, aligning with the company's commitment to user privacy while cooperating with law enforcement. Metadata collection by Telegram includes details such as IP addresses, devices used, and app activity to help identify and mitigate abuses on the platform. The policy update follows the arrest and conditional release of Pavel Durov in France, highlighting pressures on Telegram to monitor and control content more effectively. Additionally, the Ukrainian government has recently banned Telegram for certain officials and worker classes due to national security concerns.
2024-09-24 01:03:12 theregister MISCELLANEOUS US Kaspersky Users Switch to Unknown UltraAV Amid Ban
The US government banned Kaspersky products due to concerns of potential spying by Russia, leading to the prohibition of sales and updates of Kaspersky software in the US. As a result of the ban, Kaspersky has begun replacing its software with UltraAV for its US-based users, using an automatic update for Windows users, while Apple and Android users must install it manually. UltraAV, provided by domestic vendor Pango (recently acquired by Aura), lacks a significant market presence and has not been independently tested by major antivirus testing organizations. UltraAV's antivirus engine traces its origins to Max Secure Software, an Indian company also owned by Aura, with uncertainties surrounding its performance and reliability. There are concerns in the cybersecurity community about the sudden switch to UltraAV, given its unfamiliarity and unproven track record in a competitive and security-focused market. Consumers must decide by September 30th whether to continue with UltraAV or switch to a different security provider, with pricing terms carried over from their Kaspersky plans. The transition raises questions about the effectiveness and trustworthiness of UltraAV's cybersecurity protection capabilities.
2024-09-23 23:05:53 bleepingcomputer NATION STATE ACTIVITY US Proposes Ban on Vehicle Tech from China, Russia
The Biden administration introduced measures to ban imports and sales of connected vehicle technologies and components from China and Russia, citing national security concerns. The rule targets "vehicle connectivity systems" (VCS), like Bluetooth and Wi-Fi, and "automated driving systems" (ADS) that allow autonomous vehicle operation. The Commerce Department highlighted risks of surveillance, sabotage, and disruption tied to these technologies. A public feedback process is set for March, with software bans starting model year 2027, and hardware from model year 2030; however, exemptions could be granted for small-scale producers. The White House emphasized that such technologies could collect sensitive data, track locations, and harvest crucial infrastructure information, potentially leveraged by adversaries. The policy supplements prior actions by President Biden, including increased tariffs on Chinese electric vehicles and linking tax credits to domestic manufacturing. Secretary of Commerce Gina Raimondo emphasized the proactive steps to prevent potential risks from foreign-controlled technologies on American infrastructure and privacy.
2024-09-23 22:14:26 theregister MISCELLANEOUS Telegram Modifies Policy to Disclose User Info to Authorities
Telegram CEO Pavel Durov updated the company's terms of service, allowing the disclosure of IP addresses and phone numbers of users involved in criminal activities upon valid legal requests. Previously, Telegram only cooperated with law enforcement in terrorism-related cases. The new terms expand this cooperation to include a broader range of criminal activities. This policy update signals a shift in Telegram's stance, as the platform was previously known for strong privacy protections and minimal cooperation with government inquiries. The update follows Durov's arrest and subsequent bail in France, where he faced charges related to failing to prevent illegal activities on Telegram. In recent weeks, Telegram has increased moderation efforts, using AI tools and human moderators to address illegal content shared on the platform. This policy change aligns Telegram more closely with other tech companies like ProtonMail, which have faced similar pressures to cooperate with law enforcement agencies.