Daily Brief

Total articles found: 12797

2024-09-18 14:01:49 bleepingcomputer MISCELLANEOUS Enhancing Security Operations Through Automation Workflows
Gartner has signalled a shift away from SOAR products toward generative AI-driven security automation. The article's case for automation rests on routine, high-volume work: enriching Indicators of Compromise (IoCs) as alerts arrive, which shortens triage and response times; continuously monitoring the organization's external attack surface so exposed services are found before an attacker finds them; scheduling web application scans with tools such as OWASP ZAP and Burp Suite; and checking credentials against breach data with services such as Have I Been Pwned so that passwords exposed in a breach are caught quickly. Blink Ops offers a platform of prebuilt security automation workflows covering SOC operations, vulnerability management and similar use cases. The article concludes that automating these tasks materially improves an organization's defensive coverage and incident response times.
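The credential check mentioned above is the kind of task that is easy to get wrong when automated: the full password hash must never be sent to a third party. Have I Been Pwned's Pwned Passwords range endpoint is designed for this (k-anonymity): the client sends only the first five hex characters of the SHA-1 hash and receives every suffix in that range with a breach count, so the comparison happens locally. The block below is an added example written for this brief, not code from the article or from Blink Ops. The range response body, its decoy suffixes and the breach count are constructed for the demonstration; only the hash of the word "password" is genuine.

```python
import hashlib
from typing import Tuple

# Constructed stand-in for the body the range endpoint returns for prefix
# 5BAA6, one "SUFFIX:COUNT" entry per line. A real response holds hundreds of
# suffixes; the counts and decoy suffixes here are made up for the example.
SAMPLE_RANGE_BODY = """\
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
011053FD0102E94D6AE2F8B83D76FAF94F6:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E4C9B93F3F0682250B6CF8331B7EE68FD9:0
"""


def hash_parts(password: str) -> Tuple[str, str]:
    """SHA-1 the password and split it into the 5-char prefix that goes to the
    API and the 35-char suffix that never leaves this host."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(suffix: str, range_body: str) -> int:
    """Look the local suffix up in a range response and return its breach count.
    Padded responses (requested with the Add-Padding header) contain dummy
    entries with a count of 0; those are treated as 'not found'."""
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix.upper():
            return int(count)
    return 0


def check_offline(password: str, range_body: str) -> int:
    """Full k-anonymity check against an already-fetched range body."""
    _prefix, suffix = hash_parts(password)
    return breach_count(suffix, range_body)


def check_live(password: str, timeout: float = 10.0) -> int:
    """Same check against the real endpoint (needs network access; not used
    in the offline demonstration). Only the 5-character prefix is sent."""
    import urllib.request

    prefix, suffix = hash_parts(password)
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "hibp-range-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return breach_count(suffix, resp.read().decode("utf-8"))


if __name__ == "__main__":
    print(hash_parts("password"))
    print(check_offline("password", SAMPLE_RANGE_BODY))
    # A padded dummy entry must not count as a hit.
    print(breach_count("1E4C9B93F3F0682250B6CF8331B7EE68FD9", SAMPLE_RANGE_BODY))
```

When wiring this into a workflow, batch credentials by prefix so one range request serves every password sharing it, and treat any non-zero count as a forced reset rather than a score to weigh.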
2024-09-18 12:19:35 theregister NATION STATE ACTIVITY Global Police Cooperation Leads to 51 Arrests in Encrypted Network Bust
A multinational law enforcement operation coordinated through Europol, with Italian, Irish and Australian police among the participants, dismantled Ghost, an encrypted messaging platform used by organized crime groups. Australian Federal Police arrested Jay Je Yoon Jung, who is alleged to have created and administered Ghost, a service similar to EncroChat but smaller in scale. The AFP's Operation Kraken reports intervention in 50 threats to life and the seizure of 200 kg of drugs and 25 illegal firearms. Ghost, used mainly by drug traffickers and money launderers, had been infiltrated by investigators, and arrests are continuing across the nine participating countries. Europol credited the takedown to close international collaboration. In Ireland, organized crime groups were significantly disrupted, with millions of euros' worth of drugs and hundreds of thousands in cash seized. Further investigations and arrests are expected as police work through the data recovered from the platform.
2024-09-18 11:08:09 thehackernews MISCELLANEOUS Evolution of Penetration Testing Favoring Automation Over Human Input
The article traces a shift in penetration testing (PT) from manual engagements toward automation. Traditional PT is expensive and slow, and a single engagement typically covers only a small fraction of an organization's assets. Automated security validation, which Pentera says it introduced in 2015, now allows tests to run daily at a fraction of the cost, and the article argues this has driven broad adoption. Automated PT is presented as offering wider coverage and more frequent testing than manual work at lower cost. Expert pentesters are still needed for complex scenarios, but routine validation is increasingly software-driven, and the article concludes that adopting automated PT is essential to keep pace with an expanding threat landscape.
2024-09-18 09:35:46 thehackernews NATION STATE ACTIVITY North Korean Hackers Use MISTPEN Malware on Aerospace, Energy Sectors
Mandiant attributes the campaign to UNC2970, a North Korean group it links to Lazarus Group activity, targeting the aerospace and energy sectors with job-themed phishing lures delivered by email and WhatsApp. The lure is a ZIP archive containing a job description PDF together with a trojanized PDF reader; opening the PDF with the bundled reader launches BURNBOOK, a loader that decrypts and starts the MISTPEN backdoor. MISTPEN is a trojanized version of a legitimate Notepad++ plugin and can download and execute files from its command-and-control server. Targets are senior employees in the U.S., U.K., the Netherlands and other countries, and the aim is access to sensitive information. Mandiant reports iterative updates to MISTPEN intended to evade detection and frustrate analysis.
2024-09-18 09:19:58 theregister NATION STATE ACTIVITY Russia Ramps Up Cyber Operations Against Western Critical Infrastructure
Russia's GRU military intelligence, specifically Unit 29155, is targeting Western critical infrastructure with cyberattacks that could cause physical destruction and loss of life. The State Department has accused Moscow of embedding a cyber operations unit inside the state-funded news outlet RT to expand its offensive capabilities. The FBI and allied agencies have issued alerts detailing persistent Russian activity against government and critical infrastructure entities across NATO and EU countries. The growing use of cyber mercenaries and destructive hybrid attacks marks a shift in Russian military strategy toward the militarization of cyberspace. Western organizations are urged to harden their defenses, in particular by adopting multi-factor authentication and patching systems regularly. Tom Kellermann of Contrast Security warns that Russia's limited options on the battlefield may push it toward punitive cyber operations against Western countries supporting Ukraine. The Kremlin appears to be using cyber operations to cause disruption and chaos in Western nations as part of its wider geopolitical conflict.
2024-09-18 09:09:37 thehackernews MISCELLANEOUS Google Chrome Enhances User Privacy with New Features
Google has updated Chrome with features that give users more control over personal data and improve online safety. Safety Check now runs automatically in the background, revoking permissions from sites the user no longer visits and flagging notifications the user is unlikely to want. Google Safe Browsing is used to automatically deny notification permissions to suspicious sites. Safety Check also warns about installed extensions that pose a security risk and offers a quick way to remove them. On Pixel and other Android devices, users can now unsubscribe from a website's notifications directly from the notification drawer. Chrome also supports one-time permissions for camera and microphone access, which are revoked as soon as the user leaves the site. Users will be alerted when credentials stored in Google Password Manager turn up in a data breach.
2024-09-18 06:21:35 thehackernews MISCELLANEOUS GSMA Advances RCS Messaging Encryption Across Mobile Platforms
The GSM Association announced plans to bring end-to-end encryption (E2EE) to RCS messaging between Android and iOS, improving privacy and security across platforms. The announcement follows Apple's adoption of RCS in iOS 18, which adds richer messaging features between iPhones and Android devices. The RCS standard does not mandate end-to-end encryption, which is why Google added the Signal protocol to protect RCS conversations in its own Messages app on Android. Apple and other GSMA members now aim to standardize encryption across the ecosystem so that cross-platform messages are protected by default. Technical issues such as key federation between providers and securing group membership are being worked through to make that possible. Google and Meta are separately working on interoperability and privacy measures for their messaging apps in response to global regulatory demands. The goal is a standardized, secure messaging option that can rival proprietary services such as Apple's iMessage.
2024-09-18 05:10:00 thehackernews MALWARE Critical Security Flaw in VMware vCenter Allows Remote Code Execution
Broadcom has released updates for CVE-2024-38812, a critical heap-overflow vulnerability in the DCE/RPC protocol implementation of VMware vCenter Server, rated CVSS 9.8. An attacker with network access to vCenter Server can trigger it by sending a specially crafted packet and achieve remote code execution. The same release fixes CVE-2024-38813 (CVSS 7.5), a privilege escalation flaw that likewise relies on crafted network packets and can yield root access. Both were found by researchers zbl and srs of team TZL during the Matrix Cup cybersecurity competition in China. Broadcom says it has not seen either flaw exploited in the wild and recommends updating to the fixed versions. Because both are reachable by anyone who can send packets to vCenter's management interfaces, restricting that network exposure reduces, but does not remove, the risk until the update is applied. Separately, CISA and the FBI issued a joint advisory on cross-site scripting, urging organizations to eliminate XSS flaws that let threat actors steal data and manipulate affected systems.
2024-09-18 02:37:20 theregister NATION STATE ACTIVITY Australian Police Dismantle Global Criminal Communications Network
Australian Federal Police (AFP) arrested the alleged operator of Ghost, an encrypted messaging app built for criminal use, including drug trafficking and money laundering. Ghost, developed about nine years ago, was sold on modified smartphones costing around AU$2,350 each, with access to the encrypted network included. In the operation, named Kraken, the AFP compromised the platform's own update mechanism, modifying software updates to gain access to devices and monitor communications on the network. Enforcement actions included 71 search warrants across four states, 38 arrests, the seizure of 25 illicit weapons, and 200 kilograms of drugs kept off the street. The AFP says it prevented 50 threats to life, including planned killings, through its access to Ghost. The network was reportedly used by organized crime groups worldwide, including Italian, Middle Eastern and Korean syndicates, to coordinate their activities. Europol supported the operation and emphasized the international effort required to target hidden criminal networks.
2024-09-18 00:19:17 theregister CYBERCRIME WhatsApp "View Once" Privacy Feature Easily Bypassed
Meta's WhatsApp shipped a fix intended to make "View Once" messages truly disappear after viewing, and it was circumvented within a week. The "View Once" feature, launched in August 2021, was meant to protect privacy by deleting a message once the recipient has seen it. Security researchers at Zengo showed that the media could be kept indefinitely because it is delivered to clients on platforms where WhatsApp cannot enforce the deletion, such as the web and desktop apps. Meta's code changes did not address that: the message is still sent to clients that cannot enforce the restriction, so new bypasses appeared almost immediately. Zengo reported the issue through Meta's bug bounty program and was unhappy with the communication it received and with Meta's handling of the report. Meta has indicated that a more comprehensive fix is in development but has not given specifics or a timeline.
2024-09-17 21:00:58 bleepingcomputer DATA BREACH Temu Refutes Claims of a Major 87 Million Record Data Breach
Temu, an international e-commerce platform, denies that it has suffered a data breach after a threat actor claimed to have stolen 87 million customer records. The actor, using the handle 'smokinthashit', advertised the database for sale on BreachForums and posted a sample as purported proof. Temu says an internal investigation found that the sample does not match any data in its systems, and it has said it intends to take legal action against those spreading what it considers false claims. The company points to its security practices and certifications, including MASA and PCI DSS, as evidence of its commitment to protecting data. The threat actor continues to claim access to Temu's systems but has provided no evidence beyond the disputed sample. Temu users are nevertheless advised to enable two-factor authentication, change their passwords, and stay alert for phishing that may exploit the claims.
2024-09-17 20:55:40 theregister CYBERCRIME Critical Security Patches Issued for VMware vCenter and Cloud Foundation
Broadcom has released security updates for VMware vCenter Server and VMware Cloud Foundation for two vulnerabilities that could allow remote takeover of the system. CVE-2024-38812 is a heap overflow that enables remote code execution, rated 9.8, and CVE-2024-38813 is a privilege escalation flaw that can give an attacker root access, rated 7.5. Both were reported by participants in the Matrix Cup Cyber Security Competition in China, which the article highlights as an example of academic contributions to security research. Affected products are vCenter Server 7 and 8 and Cloud Foundation 4 and 5; fixes ship in specific updates and there are no workarounds, so the patches should be applied immediately. The article takes the episode as evidence of the value of competitive hacking and bug bounty programs in surfacing serious flaws before they are exploited.
2024-09-17 20:23:13 theregister RANSOMWARE Rhysida Ransomware Group Auctions Off Port of Seattle Data
The Rhysida ransomware group is demanding 100 Bitcoin (about $5.9 million) for data stolen from the Port of Seattle, which it says includes sensitive personal information about employees and members of the public. The Port confirmed the ransomware attack of August 24, 2024, acknowledged Rhysida's involvement, and refused to pay. Since the attack the Port says it has stopped further unauthorized activity, added security measures and put continuous monitoring in place. Rhysida is auctioning the data rather than simply leaking it, a tactic recently adopted by other groups such as Meow and RansomHub. Security experts doubt that such auctions are profitable and see them mainly as pressure tactics and publicity. The Port is still restoring affected systems, including baggage services and check-in kiosks, and has committed to strengthening its security controls and identity management in response. It has reassured the public that Seattle-Tacoma International Airport and its other facilities remain safe and operational while recovery continues.
2024-09-17 20:23:13 theregister NATION STATE ACTIVITY Hezbollah Pagers Explode in Lebanon, Nine Killed; Israel Blamed
At least nine people, including a child, were killed and more than 2,750 injured in Lebanon when pagers issued to Hezbollah members exploded. Mojtaba Amani, Iran's ambassador to Lebanon, was among the injured. The Lebanese Red Cross deployed 130 ambulances and more than 500 EMTs and issued an urgent appeal for blood donations. Hezbollah accused Israel of rigging the pagers with explosives, comparing the incident to past covert operations in which tampered devices were used to carry out attacks. Early speculation pointed to lithium-ion battery failures, but later assessments leaned toward deliberate sabotage with explosive charges. Hezbollah had previously told its members to switch from smartphones to pagers to reduce their exposure to surveillance. The group called the incident its biggest security breach to date and vowed retaliation against Israel, which has not responded to the accusations. Video evidence and statements so far point to interference in the physical supply chain of the devices, consistent with a state-level intelligence operation.
2024-09-17 20:23:13 theregister DATA BREACH Google Cloud Document AI Flaw Permits Data Theft, Issue Unresolved
A vulnerability in Google Cloud's Document AI service allows data to be exfiltrated from Cloud Storage buckets, and the researcher who found it says it remains unfixed despite Google marking it resolved. Kat Traxler, principal security researcher at Vectra AI, reported the flaw in April; a bug bounty was initially refused and later awarded at $3,133.70. Google marked the issue "fixed" after the award, but Traxler disputes that the underlying weakness is gone. The problem is that Document AI batch jobs run under a service agent with broad, project-wide permissions, so anyone who can launch a batch job in a project can have the service read documents from, and write results to, buckets their own identity was never granted access to, bypassing the bucket-level controls the project owner intended. Traxler published a proof of concept demonstrating this unauthorized movement of data within a Google Cloud environment. According to Traxler, Google's remediation consisted of documentation updates rather than a change to the permissions themselves. Traxler plans a public demonstration of the issue at a conference later in 2024, keeping pressure on Google for a real fix. Google had not responded to questions about its position or any planned mitigation at the time of writing.
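Because the data movement described above is performed by the service agent rather than by the caller, the caller's bucket-level IAM leaves no trace; what is visible is who launched the batch job and which buckets it was pointed at. Until the permissions change, a detection along those lines is the practical control. The block below is an added example written for this brief, not Traxler's proof of concept or Google's code. It assumes Cloud Audit Logs data-access logging is enabled for Document AI, assumes the audit log method name and request field names shown in the constants (verify them against your own logs), and runs over constructed log entries for a hypothetical project whose only sanctioned buckets are `docai-intake` and `docai-output`.

```python
import json
from typing import Dict, Iterable, List, Optional, Set, Tuple
from urllib.parse import urlparse

# Assumed audit-log method name for Document AI batch jobs; check your logs.
BATCH_METHOD = "google.cloud.documentai.v1.DocumentProcessorService.BatchProcessDocuments"

# Buckets Document AI is expected to touch in this hypothetical project.
ALLOWED_BUCKETS: Set[str] = {"docai-intake", "docai-output"}


def bucket_of(gcs_uri: Optional[str]) -> Optional[str]:
    """Extract the bucket name from a gs:// URI; None for anything else."""
    if not isinstance(gcs_uri, str):
        return None
    parsed = urlparse(gcs_uri)
    return parsed.netloc if parsed.scheme == "gs" else None


def gcs_uris_in_request(request: Dict) -> List[Tuple[str, Optional[str]]]:
    """Collect (direction, uri) pairs from a batch request body. Field names
    follow the v1 API shape and are an assumption of this example."""
    uris: List[Tuple[str, Optional[str]]] = []
    inputs = request.get("inputDocuments", {})
    for doc in inputs.get("gcsDocuments", {}).get("documents", []):
        uris.append(("input", doc.get("gcsUri")))
    prefix = inputs.get("gcsPrefix", {}).get("gcsUriPrefix")
    if prefix:
        uris.append(("input", prefix))
    output = request.get("documentOutputConfig", {}).get("gcsOutputConfig", {}).get("gcsUri")
    if output:
        uris.append(("output", output))
    return uris


def find_suspicious_batch_jobs(log_lines: Iterable[str], allowed: Set[str]) -> List[Dict]:
    """Flag batch jobs that read from or write to a bucket outside the allowlist.
    The job runs as the service agent, so the caller's identity plus the
    buckets named in the request are the only signal the caller leaves."""
    findings: List[Dict] = []
    for line in log_lines:
        payload = json.loads(line).get("protoPayload", {})
        if payload.get("methodName") != BATCH_METHOD:
            continue
        principal = payload.get("authenticationInfo", {}).get("principalEmail", "unknown")
        for direction, uri in gcs_uris_in_request(payload.get("request", {})):
            bucket = bucket_of(uri)
            if bucket not in allowed:
                findings.append({"principal": principal, "direction": direction,
                                 "bucket": bucket, "uri": uri})
    return findings


# Constructed audit-log entries (not real logs): a sanctioned ETL job, a job
# reading from an HR bucket the caller has no direct access to, a job writing
# results to a bucket outside the project's allowlist, and an unrelated call.
SAMPLE_LOG_LINES = [json.dumps(e) for e in [
    {"protoPayload": {"methodName": BATCH_METHOD,
        "authenticationInfo": {"principalEmail": "etl-sa@example-project.iam.gserviceaccount.com"},
        "request": {"inputDocuments": {"gcsPrefix": {"gcsUriPrefix": "gs://docai-intake/invoices/"}},
                    "documentOutputConfig": {"gcsOutputConfig": {"gcsUri": "gs://docai-output/invoices/"}}}}},
    {"protoPayload": {"methodName": BATCH_METHOD,
        "authenticationInfo": {"principalEmail": "contractor@example.com"},
        "request": {"inputDocuments": {"gcsDocuments": {"documents": [
                        {"gcsUri": "gs://hr-payroll-archive/2023/payroll.pdf", "mimeType": "application/pdf"}]}},
                    "documentOutputConfig": {"gcsOutputConfig": {"gcsUri": "gs://docai-output/scratch/"}}}}},
    {"protoPayload": {"methodName": BATCH_METHOD,
        "authenticationInfo": {"principalEmail": "contractor@example.com"},
        "request": {"inputDocuments": {"gcsPrefix": {"gcsUriPrefix": "gs://docai-intake/invoices/"}},
                    "documentOutputConfig": {"gcsOutputConfig": {"gcsUri": "gs://attacker-dropbox/out/"}}}}},
    {"protoPayload": {"methodName": "google.cloud.documentai.v1.DocumentProcessorService.ProcessDocument",
        "authenticationInfo": {"principalEmail": "contractor@example.com"}, "request": {}}},
]]

if __name__ == "__main__":
    for finding in find_suspicious_batch_jobs(SAMPLE_LOG_LINES, ALLOWED_BUCKETS):
        print(finding)
```

The allowlist is the weak point of this check: a bucket created by the attacker inside the same project is "outside the allowlist" only if the list is maintained, so pair the rule with an alert on new buckets or, better, restrict who holds the permission to start batch jobs at all.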