Windows Update Exploit, Interpol Recovers $40M, Chrome Direct Payments – Cybersecurity News [August 05, 2024]
From the latest Windows update downgrade attack to the recovery of $40 million by Interpol, Google’s new website payment feature, the hack on the classroom management platform, and the US suing TikTok for violating child privacy laws, our weekly cybersecurity bulletin will share the top news that’s making headlines around the world.
Fully Updated Systems Exposed in Windows Update Downgrade Attack
Alon Leviev, a security researcher from SafeBreach, shared at the Black Hat 2024 event that there are two zero-day flaws that threat actors could use in downgrade attacks to “unpatch” Windows devices.
In a downgrade attack, threat actors force an updated target device to roll back to an older software version, which reintroduces already-patched vulnerabilities that they can then exploit. Alon showed how the Windows update process could be abused to downgrade critical OS components such as DLLs (Dynamic Link Libraries) without any detection by recovery or scanning tools. His findings also showed how threat actors could disable VBS (Virtualization-Based Security), even with UEFI locks enforced. Alon said the issues were disclosed after a 6-month waiting period from the time he reported them to Microsoft.
Microsoft is still working on fixes and said there is no evidence of the vulnerabilities being exploited in the wild. They are tracked as CVE-2024-38202 and CVE-2024-21302, and Microsoft’s advisories for them include actions you can take to protect yourself until permanent fixes are available.
Interpol Recovers Over $40 Million Stolen in Business Email Compromise
Interpol’s payment-stopping mechanism helped recover $40 million that was stolen by threat actors during a BEC (Business Email Compromise) attack on a Singapore-based organization.
According to Interpol, this is the largest recovery of funds stolen through a BEC attack. The target was a commodity enterprise: the threat actors sent an email impersonating one of the organization’s suppliers and requested that a pending payment be sent to a new bank account. The organization wired $42.3 million to the threat actor-controlled account and found out four days later that the email was fraudulent, sent from an address that differed only slightly from their supplier’s. They reported the incident to the authorities, who called in Interpol; $39 million was recovered first, followed by a further $2 million.
I-GRIP (Interpol’s Global Rapid Intervention of Payments) was launched two years ago and has helped recover over half a billion dollars stolen by fraud artists and threat actors.
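The attack above succeeded because a sender address differing by only a character or two from the real supplier’s asked for a payment to be redirected. The following is an added example, not code from the bulletin or from Interpol, showing one way a defender can flag that combination before funds move: it compares the sender’s domain against a list of trusted supplier domains (constructed here) and checks the message body for bank-change wording.

```python
# Added example: flag supplier-impersonation e-mails that pair a lookalike
# sender domain with a request to redirect payment to a new bank account.
# TRUSTED_SUPPLIER_DOMAINS and the sample messages are constructed, not real.
import re

TRUSTED_SUPPLIER_DOMAINS = {"acme-commodities.com", "northsea-freight.co"}  # constructed
BANK_CHANGE_PATTERNS = [
    r"\bnew bank account\b",
    r"\bupdated? (?:bank|payment) details\b",
    r"\bchanged? (?:our|the) (?:bank|account)\b",
]

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value means the two strings look alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(address: str) -> str:
    """Extract the domain part of 'Name <user@domain>' or 'user@domain'."""
    return address.rsplit("@", 1)[-1].strip("> ").lower()

def assess(sender: str, body: str, max_distance: int = 2) -> dict:
    """Return a verdict dict; hold_for_verification is True when a near-miss
    domain (not an exact trusted match) asks to redirect funds."""
    domain = sender_domain(sender)
    trusted = domain in TRUSTED_SUPPLIER_DOMAINS
    lookalike = None
    if not trusted:
        # Find the closest trusted domain within the allowed edit distance.
        candidates = [(edit_distance(domain, d), d) for d in TRUSTED_SUPPLIER_DOMAINS]
        dist, closest = min(candidates)
        if dist <= max_distance:
            lookalike = closest
    bank_change = any(re.search(p, body, re.IGNORECASE) for p in BANK_CHANGE_PATTERNS)
    return {
        "domain": domain,
        "trusted": trusted,
        "lookalike_of": lookalike,
        "bank_change_request": bank_change,
        "hold_for_verification": bool(lookalike and bank_change),
    }
```

A hit should trigger out-of-band confirmation with the supplier through a known-good channel rather than a reply to the e-mail.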
Google Chrome to Enable Direct Payments to Websites
Google has been releasing new features for its Chrome browser, and this week, they shared plans for a Web Monetization service that will allow owners of websites to get micro-payments as tips or rewards.
Web Monetization will allow content creators and website owners to be compensated without relying on ads or subscriptions, and it can be added to a site via an HTML tag. It is intended for small-scale payments that need no user interaction. Visitors keep complete control over how and how much they pay, but the service is still a work in progress. The Web Platform Incubator Community Group is developing the new feature.
Hacker Deletes 13,000 Devices in Classroom Management Platform Breach
This week, a hacker was able to breach a digital classroom management platform used globally and wiped data from iPads and Chromebooks of nearly 13,000 students.
The platform is Mobile Guardian, a cross-platform solution that gives K-12 schools a one-stop shop for device management, parental control, classroom management, communication, and secure web filtering. It suffered a security breach on 4 August 2024 when a threat actor gained access to the platform through a misconfiguration, the same issue that had caused an IT outage on 30 July 2024. There is no evidence of data exfiltration or access, but a small percentage of iOS and ChromeOS devices were remotely wiped by the threat actor. Mobile Guardian has been suspended, users cannot log in to the platform, and students have restricted access to their devices.
The Ministry of Education was quick to step in and said that, based on initial checks, about 13,000 students from 26 secondary schools lost their data. For now, the application is removed from all student learning devices, and the government is taking steps to help the students affected by the incident.
US Government Sues TikTok for Violating Child Privacy Laws
The US DoJ (Department of Justice) filed a lawsuit this week against TikTok, the popular social media platform.
The lawsuit is against ByteDance, TikTok’s parent organization, and alleges that the application collects personal information of children under the age of 13 without parental consent, in violation of COPPA (Children’s Online Privacy Protection Act). TikTok has allowed children under 13 to create accounts outside Kids Mode and has failed to implement policies or processes to identify, disable, or delete such accounts. The DoJ believes this practice exposes millions of children to “extensive data collection” and lets them interact with adult content and users. But that’s not all: the lawsuit also alleges that ByteDance was aware of these violations but took no measures to stop the data collection, and that it failed to delete personal information when parents requested it. TikTok is also accused of misleading parents and users about its data collection policies, giving no notice of what data was collected or how it was used.
The Justice Department is seeking civil penalties and injunctive relief against TikTok and its parent organization to prevent future violations. TikTok took to X and issued a response to the lawsuit, saying that the allegations relate to past events and are factually inaccurate.