Google patches Android kernel zero-day
As part of its Android security update for August, Google patched 46 vulnerabilities. This included a use-after-free vulnerability in the Android network route management stack that could allow for altering network connection behavior. Google didn’t give much more detail but did say it saw evidence of “limited, targeted exploitation,” likely allowing attackers to get arbitrary code execution with no user interaction.
Researchers find flaws in Georgia voter portal
Security researcher Jason Parker alerted ProPublica and Atlanta News First to a flaw in a portal run by the Georgia Secretary of State’s Office. This would allow someone to submit a voter cancellation request for anyone in the state. Parker said they attempted to contact the Secretary of State’s Office but did not receive a response. The portal launched on July 29th and had already garnered attention for exposing driver’s license numbers. Parker found that by inspecting the portal’s source HTML, anyone could delete code requiring them to submit a driver’s license number and proceed to request a voter cancellation. The state eventually patched the issues, but security researcher Zach Edwards told ProPublica “It’s shocking to have one of these bugs occur on a serious website.”
Law would make ransomware a terrorist threat
A bill sponsored by Senate Intelligence Committee chair Mark Warner contains language that would brand ransomware groups named in it as “hostile foreign cyber actors” and impose sanctions on countries harboring them as “state sponsors of ransomware.” The bill would also place ransomware as a national intelligence priority, giving the intelligence community greater legal latitude to pursue operators. Currently, the bill lists 18 ransomware groups. Experts speaking to Cyberscoop questioned whether the fluid nature of ransomware organizations would make enforcing any specific list feasible long-term.
Cryptonator wallet shuttered by law enforcement
A combined operation from the US FBI, IRS, and German police shut down the digital wallet and crypto exchange Cryptonator. The IRS claims Bitcoin wallet addresses controlled by the service were used to transfer over $71 million in assets to sanctioned entities, as well as holding $54 million in “hacked or stolen funds.” The FBI began targeting the service with adjacent sting operations going back to at least July 2021. The alleged CEO of the site, Roman Boss, is a Russian national living in Germany. He faces charges of money laundering and conspiracy.
It turns out MDM works both ways
The education-focused mobile device management company Mobile Guardian detected unauthorized platform access on August 4th, providing access to enrolled iOS and Chrome OS devices. Before Mobile Guardian shut down its servers to contain the incident, the attackers unenrolled and remotely wiped thousands of devices in North America, Europe, and Singapore. Mobile Guardian said the incident impacted a “small percentage” of customers. We don’t have an understanding of the full scope, but the Singapore Ministry of Education said 13,000 students in 26 schools had devices wiped. Mobile Guardian said it found no evidence that the attackers accessed any device data.
Dozens of French museums hit with ransomware
The French newspaper Le Parisien reported that the Grand Palais museum in Paris detected a cyberattack. In response, the museum cut off access to its servers, which impacted services at 36 bookstores and boutiques at associated museums, including the Louvre and Palace of Versailles. Louvre chief of staff Matthias Grolier was quick to say this wasn’t a ransomware attack, but several news outlets report that an unnamed threat group is extorting the museum, demanding a cryptocurrency ransom to not release stolen data. No word if the attack is related to the Olympics happening in Paris, but the Grand Palais was hosting fencing and martial arts events when it was reportedly attacked.
Illinois softens privacy law’s teeth
The state passed the Biometric Information Privacy Act back in 2008, which imposed penalties for using and collecting biometric information without consent. Up until now, the law imposed fines based on each misuse of the data. This fine structure survived a challenge with the Illinois Supreme Court, which upheld the per-violation fine structure in a 2023 ruling. However, Illinois passed an amendment to the law this week that now limits liability to a single violation per person, regardless of the amount of misuse. The law also allows companies to obtain written consent for collecting biometric information electronically, rather than require handwritten agreements.
(Reuters)
A resiliency plan for critical infrastructure
At BSides Las Vegas, security strategist Josh Corman announced a project to coordinate efforts around securing critical infrastructure called UnDisruptable27. Rather than a top-down government-led effort, the project will communicate directly with people working at US critical infrastructure facilities, with an initial focus on water, food, emergency medical care, and power. The idea is to prepare these facilities for cyberattacks without having the government impose cybersecurity standards. Wired pointed out that an effort to do so by the EPA was recently repealed after a lawsuit. Corman will use appearances at BSides and Black Hat to make a call to volunteers to work on producing engaging content for information campaigns to get these facilities ready.
(Wired)
2023 was a good year for bug bounties
Microsoft announced it paid out $16.6 million in bug bounties in the past year. The company paid out in the $13 million range between 2020 and 2023, so this 20% annual increase is notable. The biggest single bug paid out $200,000, with Microsoft paying out 343 researchers across 55 countries. Samsung also announced it paid out $828,000 to 113 researchers in 2023 for its bug bounty program. Its highest single reward was $57,190 to TASZK Security Labs. Both companies also added discrete AI security bug bounties in the past year.






