Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12775
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-08-06 01:46:52 | theregister | MISCELLANEOUS | NFL Implements Facial Recognition Across All Stadiums | The NFL announced the expansion of facial recognition technology for credential checking, affecting all 32 teams. The technology, provided by Wicket, will be used to verify the identities of staff, media, and some fans, especially in restricted areas. This program follows a successful pilot involving six stadiums, including the Cleveland Browns, in 2023. Wicket's tech also allows for functionalities like touchless ticketing and quicker purchases in venues, demonstrated in the "Express Beer" lane. Beyond the NFL, other leagues such as the NBA, MLB, MLS, and NHL also use Wicket's facial recognition software. Data privacy concerns are raised by advocates warning of the risks of mass surveillance and the potential for privacy violations with such technology. Critics urge stringent safeguards including opt-in consent, alternative access methods, prompt deletion of data, and restricted data sharing. The NFL has not yet responded to inquiries about its data privacy measures and the impact of using such technology. | Details |
| 2024-08-05 22:43:36 | bleepingcomputer | NATION STATE ACTIVITY | Google Patches Zero-Day Bug Used in Targeted Attacks | Google's Android updates fix 46 vulnerabilities, including a critical remote code execution zero-day. The zero-day exploit, identified as CVE-2024-36971, impacts the Linux kernel's network route management through a use-after-free vulnerability. The exploitation, which allows network behavior alterations without user interaction, seems to be part of limited, targeted attacks. Identified and reported by Google's Threat Analysis Group, this vulnerability is indicative of state-sponsored surveillance efforts. The patches will be applied to the Android Open Source Project (AOSP) soon, enhancing security for all users. Additional security updates include a fix for an earlier zero-day in Pixel firmware and a critical flaw in Qualcomm components. Despite the immediacy of updates like these for Google Pixel, other manufacturers may delay patches due to necessary compatibility testing. | Details |
| 2024-08-05 21:11:46 | bleepingcomputer | MALWARE | Ransomware Group Uses SharpRhino Malware to Target IT Workers | The Hunters International group has launched a new C# RAT known as SharpRhino to infiltrate corporate networks. SharpRhino is spread through a website imitating Angry IP Scanner, tricking IT professionals into downloading a malicious installer. The malware facilitates initial access, privilege escalation, execution of PowerShell commands, and ransomware deployment. Victims of this malware include U.S. Navy contractor Austal USA and other notable organizations, highlighting its widespread impact. Analysis indicates the malware is capable of stealthy execution by compiling C# into memory and can manipulate Windows systems extensively. Researchers advocate for increased vigilance regarding sponsored search results and stress the importance of network segmentation and timely software updates to mitigate ransomware risks. Hunters International currently ranks as the tenth most active ransomware operation globally, with 134 declared attacks in 2024. | Details |
| 2024-08-05 20:10:35 | bleepingcomputer | CYBERCRIME | Delta Sues CrowdStrike After Costly IT Outage and Rejected Help | CrowdStrike's software update caused over 8.5 million Windows devices to crash, preventing them from booting. Delta Air Lines experienced a five-day IT outage, significantly disrupting flights and stranding passengers. Delta's CEO claimed the outage resulted in a $500 million loss, leading to a lawsuit against CrowdStrike to protect stakeholders. CrowdStrike offered Delta free onsite help to resolve the issue, which Delta reportedly declined. Delta has hired high-profile litigator David Boies, signaling readiness for intense legal proceedings against CrowdStrike and possibly Microsoft. CrowdStrike insists on its lack of gross negligence and disputes sole responsibility for Delta's prolonged outage. The cybersecurity firm urged Delta to preserve all related communications for potential use in court, indicating escalating legal tensions. Aside from Delta, CrowdStrike faces a class-action lawsuit from its investors, accusing the firm of making false claims about its product's reliability. | Details |
| 2024-08-05 19:54:58 | bleepingcomputer | CYBERCRIME | Exploitation of Windows Security Features Since 2018 Revealed | A design flaw in Windows Smart App Control and SmartScreen has allowed attackers to bypass these security features since at least 2018. Smart App Control, which replaced SmartScreen in Windows 11, uses reputation-based security to block untrusted applications but can be circumvented using manipulated LNK files. These LNK files, when opened, are reformatted in a way that erases the MotW label, a key trigger for security checks. The issue, described as LNK stomping, involves altering parts of LNK files so that potentially harmful applications evade detection and execute without warnings. Elastic Security Labs detected and reported the issue, finding that it had been exploited in the wild for years, based on analysis of malware samples in VirusTotal. Microsoft has acknowledged the issue and indicated it may be addressed in a future update. Elastic Security Labs emphasized the need for enhanced scrutiny of downloads and not solely relying on OS-native security features. A tool for checking a file's Smart App Control trust level has been released by Elastic Security Labs to help defenders identify and address this vulnerability. | Details |
| 2024-08-05 18:02:41 | theregister | DATA BREACH | Massive Data Breach Leads to Multimillion-Record Lawsuit | A class-action lawsuit has been filed against Jerico Pictures, also known as National Public Data, following a data breach involving 2.9 billion personal records. The plaintiff, Christopher Hofmann, alleges the Florida-based company negligently failed to secure sensitive information, leading to its theft and sale on a dark web marketplace for $3.5 million. The compromised data includes highly sensitive personal identifiers such as social security numbers, full names, addresses, and family connections, spanning several decades. National Public Data is accused of not encrypting or adequately protecting the personal information, which was subsequently stolen and sold by criminal entities identified as SXUL and USDoD. The lawsuit seeks comprehensive remedies, including the destruction of all improperly obtained personal data, implementation of enhanced security measures, and unspecified monetary damages for affected individuals. Hofmann's involvement began after being alerted by his identity-theft protection service that his personal information had been compromised and appeared on the dark web. The lawsuit emphasizes the long-term risks and continued threat posed by the stolen data, potentially affecting victims for their entire lifetimes. | Details |
| 2024-08-05 17:21:43 | bleepingcomputer | NATION STATE ACTIVITY | North Korean Hackers Target South Korea Via VPN Flaws | South Korean NCSC warns that DPRK-backed hackers exploited VPN software updates to install malware. Attack linked to industrial modernization efforts announced by North Korean president Kim Jong-un. Two DPRK-sponsored groups, Kimsuky (APT43) and Andariel (APT45), implicated in targeting South Korean industries. Trojanized installers distributed through a South Korean construction trade organization's website. Malware deployed stole various sensitive data including credentials, SSH keys, and certificates. In a separate attack, Andariel hackers used fake VPN updates to install DoraRAT malware targeting construction and machinery companies. NCSC recommends that companies undergo security inspections and enforce strict software distribution policies to mitigate risks. Updated advisory includes emphasis on timely software updates and employee security training. | Details |
| 2024-08-05 16:50:53 | bleepingcomputer | RANSOMWARE | Keytronic Suffers $17 Million Loss from Ransomware Attack | Keytronic experienced significant disruptions due to a ransomware attack in May, leading to operational shutdowns in the U.S. and Mexico. Direct financial impacts included $2.3 million in additional expenses and an estimated $15 million in lost revenue during the fourth quarter. Although $0.7 million was recouped through insurance, the net losses are substantial, with most delayed orders expected to be fulfilled by fiscal year 2025. The Black Basta ransomware gang claimed responsibility for the attack, leaking sensitive company data including employee and corporate information. Data exfiltrated by Black Basta included human resources, finance, and engineering files, and screenshots of personal employee documents. To date, Keytronic has not attributed the attack to any specific individuals aside from the claims made by Black Basta. Black Basta, a Ransomware-as-a-Service operation, has targeted numerous high-profile organizations since its emergence in April 2022. | Details |
| 2024-08-05 15:23:54 | theregister | MISCELLANEOUS | Palo Alto Networks Enhances Cybersecurity with GenAI Tools | Palo Alto Networks is integrating generative AI (GenAI) across its cybersecurity services to automate and enhance protection efforts. The company's GenAI capabilities aim to simplify complex cybersecurity tasks across various IT environments, aiding specialists in network security, cloud security, and security operations. Through GenAI, Palo Alto Networks aggregates extensive documentation on its products to swiftly provide answers and configurations for cybersecurity teams. Demonstrations include the Strata copilot for network security, which suggests new rules to mitigate vulnerabilities and provides a visual tool to monitor assets and threats. The Prisma Cloud copilot is designed to quickly evaluate and respond to zero-day vulnerabilities with recommended actions or remediation workflows, manageable via a single-click fix. Cortex copilot supports SOC analysts by fetching detailed information about malware, helping assess threat severity and decide on appropriate responses. These tools are depicted in a video presentation by Palo Alto Networks, showcasing how GenAI assists in proactive security management. | Details |
| 2024-08-05 15:23:53 | bleepingcomputer | MALWARE | New LianSpy Malware Targets Russian Android Users Stealthily | A new Android malware called LianSpy, disguised as the Alipay app or a system service, has been targeting Russian users since July 2021. LianSpy stays undetected by using a modified su binary for root access and bypassing Android's security features like 'Privacy Indicators'. The malware can take screenshots, access files and call logs, and harvest sensitive data without the user's knowledge. It uses features such as screen overlay and background activity permissions, and encrypts stolen data with AES before storing it in an SQL table. LianSpy avoids detection by not running in environments with debuggers; it does not receive commands but periodically checks for new configurations from a Yandex Disk repository. The malware selectively captures screens of popular apps like WhatsApp, Facebook, and Instagram to minimize detection risks. Notifications about app activities like "using battery" or "running in the background" are suppressed to avoid raising suspicion. | Details |
| 2024-08-05 14:32:33 | theregister | MALWARE | SnakeKeylogger Targets Windows Users, Steals Sensitive Data | FortiGuard Labs reported a surge in SnakeKeylogger infections targeting Windows users, capable of keylogging and stealing credentials. Once activated, the malware logs keystrokes, extracts usernames and passwords, takes screenshots, and sends the collected data to attackers. The malware exhibits capabilities like gathering clipboard data and conducting system reconnaissance, and can transfer stolen data via FTP, SMTP, or Telegram. Fortinet noted the malware was not previously in their database, indicating that it is a new strain of SnakeKeylogger. SnakeKeylogger uses various methods to obfuscate itself, including cryptors and loaders, making it difficult for antivirus systems to detect. Typical infection vectors include phishing campaigns with the malware hidden in office documents or PDFs that execute once opened. FortiGuard Labs recommends precautions like being wary when opening emails, updating security protocols, and employing comprehensive endpoint security. Additional protective measures include enabling antivirus and sandbox features to defend against such sophisticated malware threats. | Details |
| 2024-08-05 14:06:48 | bleepingcomputer | MISCELLANEOUS | Mandiant's mWISE 2024 Denver Conference: Registration Ends Soon | Mandiant's mWISE 2024 cybersecurity conference will take place from September 18-19 in Denver, Colorado. Attendees have a limited time to save $300 on registration for this specialized, practitioner-focused event. The conference promotes real-world cybersecurity strategies and firsthand narratives from industry leaders. Keynote speaker David Eagleman will discuss AI intelligence and propose a new test for evaluating it. Sessions will explore diverse topics, including AI-driven security operations, ransomware trends, and cybersecurity counterintelligence. mWISE distinguishes itself by being a smaller, intimate event offering direct access to cybersecurity experts and industry peers. All session content is curated by an independent panel of recognized cybersecurity leaders and community members. | Details |
| 2024-08-05 13:05:29 | thehackernews | CYBERCRIME | Study Reveals Weaknesses in Windows Security Features | Cybersecurity researchers have identified significant vulnerabilities in Microsoft's Windows Smart App Control (SAC) and SmartScreen. SAC, a feature of Windows 11, is designed to prevent the execution of malicious or untrusted applications by using cloud-based algorithms. SmartScreen, introduced with Windows 10, assesses the safety of sites and downloaded applications using a reputation-based system. The research indicates vulnerabilities that allow attackers to bypass these security measures through methods such as using legitimately signed applications with Extended Validation (EV) certificates. Modified LNK files with unusual paths can also evade detection by altering their structure so that security features do not recognize them as threats. While both systems provide foundational protection against common malware, their effectiveness can be diminished through specific evasion techniques that warrant increased scrutiny by security teams. The investigation underscores the importance of not solely relying on native OS security tools to defend against advanced security threats. | Details |
| 2024-08-05 12:49:54 | thehackernews | MALWARE | Kazakhstan Companies Hit by 'Bloody Wolf' Malware Campaign | Organizations in Kazakhstan are being targeted by a malware campaign known as Bloody Wolf, employing STRRAT malware. The STRRAT malware, priced at $80 on the dark web, allows attackers to hijack corporate computers and steal sensitive data. Attack methods include phishing emails impersonating Kazakhstani government agencies, urging targets to open malicious PDF attachments. The malware establishes persistence on infected Windows systems through Registry modifications and ensures its execution every 30 minutes. Upon system reboot, the malware automatically launches through copies placed in the Windows startup folder. Compromised machines connect to a Pastebin server to exfiltrate sensitive information such as OS details, installed antivirus, and web browser account data. STRRAT can also download additional payloads, log keystrokes, execute system commands, and self-delete to evade detection. Attackers use Java archive (JAR) files and legitimate web services like Pastebin to bypass network security measures. | Details |
| 2024-08-05 12:34:16 | theregister | MISCELLANEOUS | CrowdStrike Defends Against Delta's Threat of Litigation Post-Outage | CrowdStrike expressed disappointment over Delta Air Lines' potential lawsuit following a major IT outage that affected global operations. Delta is exploring legal options against CrowdStrike and potentially Microsoft, claiming their software contributed to system failures. CrowdStrike offered Delta immediate support post-incident, which was declined by the airline, potentially delaying recovery. The IT security company maintains that public accusations from Delta are misleading and distract from the collaborative repair efforts. A letter from CrowdStrike to Delta's attorney reiterates the firm's quick, transparent handling of the incident as opposed to Delta's response. The cybersecurity firm also faces challenges with its share price declining significantly, alongside a federal lawsuit from the Plymouth County Retirement Association. CrowdStrike insists on its focus on customer service and urges Delta to reconsider a cooperative approach to resolve the issue. Most CrowdStrike customers, except some affected by the outage, are fully operational, while Delta has lagged in complete recovery. | Details |