Daily Brief

2024-09-12 15:57:09 thehackernews CYBERCRIME GitLab Releases Updates for Critical Security Vulnerabilities
GitLab issued security patches for 17 vulnerabilities, including a critical flaw allowing unauthorized pipeline job execution by attackers. The critical vulnerability, indexed as CVE-2024-6678, has a high severity CVSS score of 9.9. Affected versions span from GitLab 8.14 to the latest releases before patched versions 17.1.7, 17.2.5, and 17.3.2. The flaw enables attackers to execute pipeline jobs as any user, increasing the risk of unauthorized actions and data breaches. Other vulnerabilities patched include three high-severity, 11 medium-severity, and two low-severity issues. There has been no reported active exploitation of CVE-2024-6678, but users are urged to update promptly to prevent potential threats. This vulnerability marks the fourth significant security issue addressed by GitLab within the past year with comparably high CVSS scores.
2024-09-12 15:21:18 bleepingcomputer DATA BREACH Transport for London Data Breach Affects Thousands of Users
Transport for London (TfL) confirmed a cyberattack on September 1 has compromised customer data. Data stolen includes names, contact details, email and home addresses of TfL customers. Initial reports suggested no data was compromised, but further investigation revealed the breach. Operational disruptions persist at TfL, affecting customer services and online functionalities. Hackers also possibly accessed Oyster card refund data and banking information for about 5,000 customers. Affected individuals are being notified through personalized emails to check for potential impacts. TfL is continuing remediation efforts with enhanced data protection measures still in place. As of the latest updates, no specific ransomware group has claimed responsibility for the attack.
2024-09-12 15:00:46 theregister DATA BREACH Transport for London Data Breach Affects 5,000 Users
Transport for London (TfL) has acknowledged a cyber incident that potentially compromised customer bank data, including account numbers and sort codes of approximately 5,000 users. Initially denying customer data compromise, TfL has now confirmed that some customer data "might indeed have been accessed," specifically mentioning Oyster card refund information. As a response to the breach, TfL is undertaking a mass password reset, requiring 30,000 employees to reset their passwords in person due to accessed staff details including email addresses, job titles, and employee numbers. Significant portions of TfL's IT infrastructure have been taken offline to manage the situation, impacting services like live tube arrival updates, and suspending applications for new Oyster photocards and contactless journey refunds. TfL plans to contact affected customers as a precautionary measure and continues running its network despite the cyber incident. Additional security measures and an emergency management meeting have been enacted in response to another attempted attack and to reassess physical security around TfL facilities.
2024-09-12 14:50:13 bleepingcomputer CYBERCRIME GitLab Releases Updates to Patch Critical Security Flaws
GitLab issued updates for versions 17.3.2, 17.2.5, and 17.1.7 to fix 18 security vulnerabilities, most notably CVE-2024-6678, a critical vulnerability with a severity score of 9.9 that allows attackers to execute pipelines as arbitrary users. The vulnerability does not require user interaction and can be exploited with minimal privileges, posing a significant threat of remote exploitation. Impacted versions span from GitLab CE/EE 8.14 to version 17.1.7, and all versions before 17.2.5 and 17.3.2. GitLab pipelines are central to automated workflows within the Continuous Integration/Continuous Delivery (CI/CD) system of software development. This latest patch follows several other recent critical security updates by GitLab, including patches for CVE-2024-6385, CVE-2024-5655, and CVE-2023-5009. The release also mentions four high-severity issues that could disrupt services, execute unauthorized commands, or compromise sensitive resources. Users and administrators are urged to consult GitLab’s official download portal for update instructions and the latest patches.
2024-09-12 13:49:00 thehackernews MALWARE New Vo1d Malware Compromises Over a Million Android TV Boxes
Nearly 1.3 million Android TV boxes worldwide have been infected by the Vo1d malware. Most affected devices run outdated Android versions and are spread across 197 countries, with the highest infection rates observed in Brazil, Morocco, Pakistan, Saudi Arabia, and several other countries. The malware operates by altering system files and deploying additional malicious files to maintain persistence and control, and it is capable of downloading and installing third-party software without user consent. Possible attack methods include exploitation of previously compromised devices or the use of unofficial, rooted firmware versions. Malicious activity includes monitoring directories and automatically installing any APK files found within them. The security risk is heightened by manufacturers using older OS versions to cut costs.
2024-09-12 13:02:50 thehackernews CYBERCRIME Exploitation of Selenium Grid Servers for Crypto Mining Intensifies
Internet-exposed Selenium Grid instances are increasingly targeted for cryptocurrency mining and proxyjacking due to lack of authentication. Cado Security reported two distinct malicious campaigns exploiting this vulnerability in its honeypot setup. The first campaign involves injection of a Base64-encoded Python script that sets up a GSocket reverse shell to deploy further payloads. These payloads include bash scripts that fetch IPRoyal Pawn and EarnFM proxy services, which then misuse internet bandwidth for proxyjacking. A second campaign similarly uses a Python script to inspect system architecture and deploy a Golang-based ELF binary. This binary aims to elevate privileges via the PwnKit vulnerability and installs the XMRig miner to perform crypto mining. The exploitation underscores the necessity for organizations using Selenium Grid to enforce authentication measures to prevent unauthorized access and misuse. Cloud security firm Wiz previously identified and reported similar exploitation trends dubbed SeleniumGreed, highlighting the ongoing relevance of this security threat.
2024-09-12 12:16:54 theregister DATA BREACH EU Investigates Google's AI for Privacy Compliance Concerns
The EU's Data Protection Commission (DPC) has launched an inquiry into Google's AI model, PaLM 2, to investigate compliance with EU privacy laws. The investigation aims to ensure that Google's data handling practices, particularly the ingestion of personal data for AI training, adhere to the General Data Protection Regulation (GDPR). The DPC is scrutinizing whether Google's Data Protection Impact Assessment (DPIA) adequately addresses data protection risks associated with the PaLM 2 model. A DPIA is mandatory under GDPR and is designed to assess and mitigate high-risk data processing activities; it evaluates the necessity, proportionality, and safeguards of data use. Other tech giants like X and Meta have also faced regulatory scrutiny in the EU over how they use personal data to train their AI models. Google has expressed a commitment to fully cooperating with the DPC to demonstrate its compliance with GDPR regulations.
2024-09-12 11:36:05 theregister MALWARE Microsoft Patches Critical Windows Installer Privilege Escalation Bug
Microsoft recently issued a patch for a severe privilege escalation vulnerability in Windows Installer, tracked as CVE-2024-38014. The bug allows malware or users to gain SYSTEM-level privileges through a flaw exposed during the repair process of installed software. Researchers at SEC Consult discovered the vulnerability and gave Microsoft adequate time to develop a patch, which was released this week, later than initially planned. The exploit involves manipulating the repair process via a command-line window that briefly appears, allowing the attacker to obtain a SYSTEM-level command prompt using specific browser functionality. Microsoft has confirmed that this vulnerability has already been exploited, indicating active abuse in the wild. The exploit is detailed by SEC Consult on their blog and includes techniques such as using SetOpLock.exe to stall the closing of the necessary command-line windows. In response to the ongoing risk, SEC Consult developed an open-source tool named msiscan to help administrators identify vulnerable .msi files on their systems. Although Microsoft has patched this issue, there is concern that users who delay updating will prolong the vulnerability's exploitability in the field.
2024-09-12 10:55:09 thehackernews NATION STATE ACTIVITY Iranian Group OilRig Launches Cyber Attack on Iraqi Government
Iranian state-sponsored group OilRig targeted Iraqi government networks including the Prime Minister's Office and Ministry of Foreign Affairs. OilRig utilized new malware families, Veaty and Spearal, enabling file harvesting and execution of PowerShell commands. The campaign involved unique C2 mechanisms such as custom DNS tunneling and email-based communication using compromised accounts. The threat actor maintained consistency with previously observed tactics, including the use of deceptive files and social engineering to initiate malware deployment. Analysis revealed additional malicious components including an SSH tunneling backdoor and an HTTP-based backdoor targeting Microsoft IIS servers. This sophisticated cyber attack reflects OilRig's ongoing focus and activity in the region, demonstrating a robust capability in developing and executing targeted cyber operations.
2024-09-12 10:55:09 thehackernews CYBERCRIME Cato CTRL Reveals Top Cyber Threats in Q2 2024 Report
Cato CTRL's Q2 2024 report analyzed 1.38 trillion network flows from over 2,500 global customers. IntelBroker, a prominent threat actor on the dark web, continues to sell data and source code from major companies such as AMD, Apple, and Microsoft. Amazon faced the majority of brand spoofing incidents, with 66% of such attacks targeting the retail giant's domain in Q2. Persistent exploitation of Log4j and Oracle WebLogic vulnerabilities was noted, with marked increases in attack attempts recorded: the report details a 61% increase in Log4j exploit attempts and a 114% rise in Oracle WebLogic exploit attempts in Q2. Cato CTRL emphasizes the need for enterprises to adapt and implement comprehensive security measures as laid out in its detailed recommendations.
2024-09-12 10:34:38 thehackernews DATA BREACH Irish Regulator Investigates Google AI's European Data Practices
The Irish Data Protection Commission (DPC) has initiated a cross-border statutory inquiry into Google's handling of European personal data in developing its AI model, PaLM 2. The investigation will assess whether Google complied with the EU's General Data Protection Regulation (GDPR) regarding data protection impact assessments prior to processing personal data. PaLM 2, unveiled in May 2023, is noted for its advanced multilingual, reasoning, and coding capabilities. This inquiry aims to protect individual rights and freedoms due to potential high risks associated with AI data processing. Google's European headquarters in Dublin places the DPC as its primary data privacy regulator. Related events include social media platform X agreeing not to train its AI systems on European users' data without consent following DPC's interventions. Meta and OpenAI also faced suspensions and bans in Europe over similar data privacy concerns linked to their AI developments.
2024-09-12 09:18:06 theregister CYBERCRIME Rising Phishing Tactics Threaten Credential Security
Palo Alto's Unit 42 observed about 2,000 large-scale phishing campaigns exploiting HTTP header refresh entries between May and July. Phishers are embedding malicious URLs in HTTP response headers, causing automatic and unintended redirection of website visitors to spoofed pages. These spoofed pages mimic legitimate vendor login screens to steal user credentials, and the attack begins with phishing emails that appear trustworthy. Attackers leverage legitimate or compromised domains along with URL shortening and tracking services to conceal malicious URLs and increase attack effectiveness. Deep linking techniques are used to pre-fill some user details on the phishing forms, increasing the chances of successful credential theft. The business and economy sector is the primary target, accounting for 36.2% of the attacks, followed by a variety of other industries. The FBI reports a consistent prevalence of phishing, labeling it the most frequent cybercrime, with related Business Email Compromise (BEC) losses exceeding $2.9 billion in 2023. Unit 42 advises increased awareness of and caution regarding the use of HTTP refresh headers given their potential for malicious exploitation.
2024-09-12 09:02:38 theregister MISCELLANEOUS Webinar to Explore New Cybersecurity Regulation Compliance
An upcoming SANS webinar on September 16, 2024, will address the latest cybersecurity regulations including NIS2, DORA, and Tiber-EU. The webinar aims to help cybersecurity leaders understand and implement these new frameworks effectively to enhance organizational security. Chris Dale, a Principal Instructor at SANS, will provide a comprehensive analysis of these regulations and their implications for IT security. Strategic advice will be offered on how to adapt to changes in the cybersecurity landscape caused by these regulations. Best practices for achieving cyber resilience under the new regulatory requirements will be discussed. Exclusive insights will be shared from the latest SANS Survey regarding readiness for NIS2, assisting participants in aligning their security strategies with current standards. The session is targeted at senior IT and cybersecurity professionals looking to stay current with evolving compliance and security challenges.
2024-09-12 07:30:48 theregister CYBERCRIME Researcher Reveals Flaws in Streaming Media DRM Protection
Security researcher David Buchanan has discovered vulnerabilities in the Common Encryption Scheme (CENC), which is used to protect streaming media from piracy. The newly exposed method, termed DeCENC, bypasses DRM protection, allowing the unauthorized saving and distribution of media content from platforms such as Amazon Prime, Netflix, and YouTube. Although DeCENC can undermine content security, Buchanan notes it’s less practical than other existing methods for pirating streamed content. He describes DeCENC as mainly an academic exercise, unlikely to be employed by average users due to its complexity and the simpler alternatives available. Despite its impracticality, the technique provides a significant proof of concept by manipulating the streaming and decryption processes through documented interfaces, without altering the content decryption module (CDM). Buchanan also argues that greater concern is warranted for more feasible security breaches, such as the Microsoft PlayReady client compromise, which pose larger risks for content providers. He criticizes the International Organization for Standardization (ISO) for keeping vital specifications like CENC behind paywalls, making it difficult for researchers to access and analyze their security effectively.
2024-09-12 06:34:38 theregister MISCELLANEOUS Belarus Official Claims Pokémon GO a Western Spy Tool
Belarus defense ministry official Alexander Ilanov alleged on local TV that Pokémon GO was used by Western intelligence agencies. Ilanov claimed the game, which was especially popular, placed digital creatures on strategic military sites such as runways. Despite such claims, the notion of Pokémon GO as an espionage tool has been largely discredited, following earlier accusations from Russia and concerns raised in Indonesia, Kuwait, and Egypt. Niantic, the developer of Pokémon GO, has consistently denied sharing user data and emphasizes compliance with local regulations. Military officials globally have expressed concern that games using location data could expose sensitive information. The game remains banned in China, although determined local players still access it. This type of conspiracy theory aligns with Belarus’s political alignment with Russia, echoing Russian skepticism of Western technologies and motives. Similar privacy concerns were highlighted with the fitness app Strava, which inadvertently revealed patterns of movement at sensitive sites in 2018.