
Microsoft Offers Guidelines on Detecting Outlook Zero-day Exploits

 

Microsoft has released a detailed guide to assist customers in detecting signs of compromise by exploiting a recently patched Outlook zero-day vulnerability. This privilege escalation security flaw in the Outlook client for Windows, tracked as CVE-2023-23397, enables attackers to steal NTLM hashes without user interaction in NTLM-relay zero-click attacks. 

Threat actors can exploit it by sending messages whose extended MAPI properties contain UNC paths to attacker-controlled SMB shares. In the report, Microsoft shared several techniques for determining whether credentials were compromised by CVE-2023-23397 exploits, as well as mitigation measures to protect against future attacks.

While the company also released a script to assist administrators in determining whether any Exchange users have been targeted, Redmond stated that defenders must look for other signs of exploitation if the threat actors have cleaned up their traces by deleting any incriminating messages.

Alternative sources of indicators of compromise associated with this Outlook flaw include telemetry extracted from multiple sources such as firewall, proxy, VPN, and RDP Gateway logs, as well as Azure Active Directory sign-in logs for Exchange Online users and IIS Logs for Exchange Server.

Forensic endpoint data such as Windows event logs and endpoint telemetry from endpoint detection and response (EDR) solutions are other places security teams should look for signs of compromise (if available).

Post-exploitation indicators in compromised environments are associated with the targeting of Exchange EWS/OWA users and malicious mailbox folder permission changes that allow the attackers to gain persistent access to the victim's emails.

CVE-2023-23397 mitigation strategies
 
Microsoft also provided instructions on how to prevent future attacks on this vulnerability, urging organizations to install the recently released Outlook security update.

"To address this vulnerability, you must install the Outlook security update, regardless of where your mail is hosted (e.g., Exchange Online, Exchange Server, some other platform) or your organization’s support for NTLM authentication," the Microsoft Incident Response team said.

Other measures at-risk organizations can take to mitigate such attacks and post-exploitation behavior include:
  • For organizations leveraging on-premises Microsoft Exchange Server, apply the latest security updates to ensure that defense-in-depth mitigations are active.
  • Where suspicious or malicious reminder values are observed, make sure to use the script to remove either the messages or just the properties, and consider initiating incident response activities.
  • For any targeted or compromised user, reset the passwords of any account logged in to computers of which the user received suspicious reminders and initiate incident response activities.
  • Use multifactor authentication to mitigate the impact of potential Net-NTLMv2 Relay attacks. NOTE: This will not prevent a threat actor from leaking credentials and cracking them offline.
  • Disable unnecessary services on Exchange.
  • Limit SMB traffic by blocking connections on ports 135 and 445 from all inbound IP addresses except those on a controlled allowlist.
  • Disable NTLM in your environment.
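The detection sources and mitigations above can be turned into a small triage routine. The following is an added example for this post, not Microsoft's script and not code from the original article: it checks message reminder properties for UNC paths that point at hosts outside an allowlist, scans constructed firewall log lines for outbound connections on the ports the mitigation list names (135 and 445) to non-allowlisted destinations, and correlates the two. The field name `reminder_file`, the log line format, the allowlist, and all sample data are assumptions constructed for the example.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed allowlist (assumption): networks and named hosts that may serve SMB.
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("172.16.0.0/12"),
                     ipaddress.ip_network("192.168.0.0/16")]
ALLOWED_SMB_HOSTS = {"fileserver01.corp.example"}
SMB_PORTS = {"135", "445"}   # the ports the mitigation list says to restrict

UNC_RE = re.compile(r"^\\\\([^\\]+)\\")


def unc_host(value: str) -> Optional[str]:
    r"""Return the host part of a UNC path such as \\host\share\file, else None.
    A trailing @port (WebDAV-style \\host@80\...) is dropped before comparison."""
    m = UNC_RE.match(value.strip())
    if not m:
        return None
    return m.group(1).split("@")[0].lower()


def host_is_trusted(host: str) -> bool:
    """True if the host is allowlisted by name or is an internal address literal."""
    if host in ALLOWED_SMB_HOSTS:
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False          # an unknown external name is not trusted
    return any(ip in net for net in INTERNAL_NETWORKS)


def suspicious_reminders(messages: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag messages whose reminder property (assumed field 'reminder_file')
    is a UNC path pointing at a host outside the allowlist."""
    hits = []
    for msg in messages:
        host = unc_host(msg.get("reminder_file", ""))
        if host and not host_is_trusted(host):
            hits.append({"id": msg["id"], "sender": msg["sender"], "host": host})
    return hits


def parse_fw_line(line: str) -> Dict[str, str]:
    """Parse a constructed 'timestamp key=value ...' firewall log line."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, _, val = field.partition("=")
        rec[key] = val
    return rec


def smb_egress_events(lines: List[str]) -> List[Dict[str, str]]:
    """Return connection attempts on ports 135/445 to non-allowlisted destinations.
    Denied attempts are kept on purpose: the client still tried to reach the share."""
    events = []
    for line in lines:
        rec = parse_fw_line(line)
        if rec.get("dport") in SMB_PORTS and not host_is_trusted(rec.get("dst", "")):
            events.append(rec)
    return events


def correlate(reminder_hits, egress_events) -> Dict[str, List[str]]:
    """Map each untrusted UNC host seen in mail to the internal sources that reached it."""
    by_dst: Dict[str, List[str]] = {}
    for ev in egress_events:
        by_dst.setdefault(ev["dst"], []).append(ev["src"])
    return {h["host"]: sorted(set(by_dst.get(h["host"], []))) for h in reminder_hits}


# Constructed sample data (not real messages or logs).
SAMPLE_MESSAGES = [
    {"id": "m1", "sender": "alice@corp.example",
     "reminder_file": r"\\fileserver01.corp.example\sounds\chime.wav"},
    {"id": "m2", "sender": "ext@example.net", "reminder_file": r"\\203.0.113.5\share\x.wav"},
    {"id": "m3", "sender": "bob@corp.example", "reminder_file": ""},
    {"id": "m4", "sender": "carol@corp.example", "reminder_file": r"\\10.20.30.40\s\y.wav"},
    {"id": "m5", "sender": "ext2@example.net", "reminder_file": r"\\198.51.100.7@80\dav\z.wav"},
]
SAMPLE_FW_LOG = [
    "2023-03-15T10:02:11Z action=allow src=10.1.2.3 dst=203.0.113.5 dport=445 proto=tcp",
    "2023-03-15T10:02:13Z action=allow src=10.1.2.3 dst=10.0.0.9 dport=445 proto=tcp",
    "2023-03-15T10:03:40Z action=deny src=10.1.2.7 dst=198.51.100.7 dport=135 proto=tcp",
    "2023-03-15T10:04:02Z action=allow src=10.1.2.7 dst=203.0.113.9 dport=443 proto=tcp",
]

if __name__ == "__main__":
    hits = suspicious_reminders(SAMPLE_MESSAGES)
    events = smb_egress_events(SAMPLE_FW_LOG)
    for host, sources in correlate(hits, events).items():
        print(f"untrusted share {host}: reached by {sources or 'no internal host'}")
```

A message that is flagged but never appears in the firewall telemetry still warrants a look: the post notes that attackers may delete the incriminating messages, so the converse (SMB egress with no surviving message) is the more common gap, which is why the firewall scan runs independently of the mailbox scan.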
CVE-2023-23397 has been actively exploited since at least April 2022, and it has been used to breach the networks of at least 15 European government, military, energy, and transportation organizations.

While Microsoft publicly blamed the attacks on "a Russia-based threat actor," Redmond also stated in a private threat analytics report obtained by BleepingComputer that the hacking group is APT28 (also tracked as STRONTIUM, Sednit, Sofacy, and Fancy Bear).

This threat actor has previously been linked to Russia's military intelligence service, the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). The stolen credentials were used for lateral movement and to change Outlook mailbox folder permissions, allowing the attackers to exfiltrate emails.

"While leveraging NTLMv2 hashes to gain unauthorized access to resources is not a new technique, the exploitation of CVE-2023-23397 is novel and stealthy. Even when users reported suspicious reminders on tasks, initial security review of the messages, tasks, or calendar items involved did not result in detection of the malicious activity. Furthermore, the lack of any required user interaction contributes to the unique nature of this vulnerability," the Microsoft Incident Response team added.


Bill Gates Says AI is the Biggest Technological Advance in Decades

 


Bill Gates, who co-founded Microsoft and has advised the company for decades, has claimed that artificial intelligence (AI) is the greatest technological advancement since the development of the internet. He made the claim in an article published on his blog earlier in the week.

Gates hailed the emergence of artificial intelligence as the most significant technological achievement in decades, arguing that AI might even outperform the human brain. He raised several important points in the blog post dated Tuesday in which he made this assertion, ranking AI alongside earlier developments as fundamental as the computer, the internet, and the smartphone.

He described it as being just as essential as the invention of microprocessors, the personal computer, the Internet, and mobile phones in a post on his blog on Tuesday. "It will change the way people work, learn, travel, get health care, and communicate with each other," he said. He wrote about the technology used by tools such as chatbots and ChatGPT. Developed by OpenAI, ChatGPT is an AI chatbot programmed to answer user questions using natural, human-like language. 

The team behind it in January 2023 received a multibillion-dollar investment from Microsoft - where Gates still serves as an advisor. But it was not the only AI-powered chatbot available, with Google recently introducing rival Bard. Gates said he had been meeting with OpenAI - the team behind artificial intelligence that powers chatbot ChatGPT - since 2016. 

This technology has endless potential. As more organizations explore and invest in AI solutions, we will likely see more extraordinary advancements in this field in the years to come. This will make it even more critical than ever! 

Artificial intelligence cannot be underestimated, and Bill Gates believes this. With such a heavy weight behind this technology, it's no wonder why so many companies are turning towards AI solutions for their businesses - and why it is widely considered one of our most significant technological advances. 

Recently, Bill Gates gave OpenAI the daunting task of creating an AI that could pass a college-level biology exam without specialized instruction. OpenAI nailed it. Not only did the model receive nearly flawless grades, it also gave a thoughtful answer when asked, from a parent's perspective, how to help care for an unwell child, which led Gates to call it one of technology's most revolutionary breakthroughs since the graphical user interface (GUI).

William Gates urged governments to collaborate with businesses to reduce the threats posed by AI technology. Used in a focused way, AI is also seen as an instrument against global inequality and poverty, for example by helping health professionals be more productive with repetitive duties like note-taking, paperwork, and insurance claims.

With the appropriate funding or policy adjustments, these benefits might be available to those who need them most; hence, government and philanthropy must collaborate to ensure their provision. Further, the authorities must have a clear understanding of AI's actual potential and its limitations. 

For those without a technical background, navigating the complexities of AI technology is not easy. Creating an accessible user interface is essential for making AI applications available to everyone. AI solutions are projected to receive even greater attention and investment in the coming years as more companies explore the field, which will only increase the need for such accessibility.

As Bill Gates asserts, artificial intelligence is not something to be underestimated. AI is widely considered one of our greatest technological advancements because of the intensity of the backing behind it and its wide adoption, so it is no wonder that so many companies are moving towards AI solutions for their businesses.

It came as no surprise to me that Bill Gates recently asked OpenAI to create artificial intelligence that was capable of passing a biology exam without any specialized instruction at a college level. 

It was an outstanding performance by OpenAI. In addition to receiving nearly perfect grades, the model gave a considered answer when asked for tips on how a parent could help care for an unwell child, leading Gates to recognize it as one of the most revolutionary breakthroughs in technology since the graphical user interface (GUI).

According to William Gates, governments must work with businesses to reduce the threats of artificial intelligence. Used in a targeted way as an instrument against global inequality and poverty, AI could help health professionals become more productive with repetitive tasks like note-taking, paperwork, and insurance claims.

With the appropriate funding or policy adjustments, these benefits could reach the people who need them most; governments and philanthropies must therefore work together to ensure they are provided. Authorities also need to understand AI's actual potential and limitations.

The complexity of artificial intelligence technology cannot be easily understood by individuals who do not have a technical background. AI applications need to be accessible to a large audience by developing a user interface designed to make them easily understandable.

Cyber Scammers now Experimenting With QR Codes


Microsoft started limiting macros in Office files by default in February 2022, making it more difficult for attackers to execute malicious code. According to data gathered by the HP Threat Research team, attackers have been changing their methods since Q2 2022 in an effort to identify new ways to hack devices and steal data. 

The Rise of QR Scan Scams 

The research findings were based on data collected from millions of endpoints using HP Wolf Security: 

Since October 2022, HP has witnessed QR code “scan scam” campaigns almost daily. These frauds persuade users to scan QR codes with their mobile devices while connected to their PCs, potentially exploiting the lack of phishing protection and detection on such devices. Users can access fraudulent websites that request credit and debit card information by scanning QR codes. Examples from Q4 include phishing attempts that pose as parcel delivery services seeking money. 

38% Rise in Malicious PDF Attachment: 

The recent attacks evade web gateway scanners by using embedded images that link to encrypted, malicious ZIP files. The PDF's instructions trick the user into entering a password to unpack the ZIP file, allowing QakBot or IcedID malware to gain unauthorized access to systems and serve as beachheads for ransomware.

42% of Malware was Delivered Inside Archives Files Like ZIP, RAR, and IMG: 

Archives have seen a whopping 20% rise in popularity since Q1 2022, as threat actors use scripts to execute their payloads. By comparison, 38% of malware is distributed via Office documents such as Microsoft Word, Excel, and PowerPoint.

Alex Holland, Senior Malware Analyst at HP Wolf Security threat research team said, “We have seen malware distributors like Emotet try to work around Office’s stricter macro policy with complex social engineering tactics, which we believe are proving less effective. But when one door closes, another opens – as shown by the rise in scan scams, malvertising, archives, and PDF malware.” 

“Users should look out for emails and websites that ask to scan QR codes and give up sensitive data, and PDF files linking to password-protected archives,” added Holland. 

Threat Actors Still Rely on Social Engineering 

HP researchers also discovered eight malware families impersonating 24 popular software projects in Q4's malvertising campaigns, compared with just two such operations in Q3. The attacks rely on people clicking on search engine adverts that take them to malicious websites nearly identical to legitimate ones.

Dr. Ian Pratt, Global Head of Security for Personal Systems, HP says “While techniques evolve, threat actors still rely on social engineering to target users at the endpoint.” 

“Organizations should deploy strong isolation to contain the most common attack vectors like email, web browsing and downloads. Combine this with credential protection solutions that warn or prevent users from entering sensitive details onto suspicious sites to greatly reduce the attack surface and improve an organization’s security posture,” concludes Pratt.  

ChatGPT Sparking Security Concerns

 

Cyberhaven, a data security company, recently released a report in which it found and blocked requests to input data into ChatGPT from 4.2% of the 1.6 million employees at its client companies due to the potential leakage of sensitive information to the LLM, including client data, source code, and regulated information.

The appeal of ChatGPT has skyrocketed. It became the fastest-growing consumer application ever released when it reached 100 million active users only two months after launch. Users are drawn to the tool's sophisticated skills, but they are also concerned about its potential to upend numerous industries. ChatGPT was given 300 billion words by OpenAI, the firm that created it. These words came from books, articles, blogs, and posts on the Internet, as well as personally identifiable information that was illegally stolen.

Following Microsoft's $1 billion investment in ChatGPT's parent company, OpenAI, in January, ChatGPT is expected to be rolled out across all Microsoft products, including Word, PowerPoint, and Outlook.

Employees are providing sensitive corporate data and privacy-protected information to large language models (LLMs), like ChatGPT, which raises concerns that the data may be incorporated into the models of artificial intelligence (AI) services, and that information may be retrieved at a later time if adequate data security isn't implemented for the service.

With the growing acceptance of OpenAI's ChatGPT, its core AI model (the Generative Pre-trained Transformer, or GPT-3), and other LLMs, businesses and security experts have started to worry that sensitive data consumed as training data by the models could reemerge when prompted by the appropriate queries. Some are acting: JPMorgan, for instance, restricted employees' access to ChatGPT, and Amazon, Microsoft, and Wal-Mart cautioned staff to use generative AI services carefully.

Some AI-based services, outside of those that are GPT-based, have sparked concerns about whether they are risky. For example, Otter.ai, an automated transcription service, converts audio files into text while automatically identifying speakers, allowing for the tagging of crucial words and phrases, and underlining of key phrases. Journalists have raised concerns about the company's storage of that information in its cloud.

Cyberhaven's Ting predicts that the adoption of generative AI apps will continue to grow and be used for a variety of tasks, including creating memos and presentations, identifying security incidents, and interacting with patients. His predictions are based on conversations with the clients of his company.

Because only a few individuals handle the majority of the dangerous requests, education could have a significant impact on whether data leaks from a particular organization. According to Ting of Cyberhaven, less than 1% of employees are accountable for 80% of the instances of providing critical data to ChatGPT.

OpenAI and other businesses are also restricting the LLM's access to sensitive data and personal information: nowadays, when ChatGPT is asked for personal information or sensitive corporate data, it returns canned responses declining to cooperate.


The Ukraine Invasion Blew up Russian Cybercrime Alliances

 


Over the years, Russia has built up one of the world’s most formidable cybercriminal ecosystems. Russian hacker groups are linked to disruptive cyberattacks including one of the United States’ most critical oil pipelines and the world’s largest meat producers.  

A recently released study suggests that the war in Ukraine disrupted the criminal ecosystem in Russia and its former Soviet satellite states. The study came out a year after the illegal invasion. Alexander Leslie, associate threat intelligence analyst at Recorded Future's Insikt Group, believes this is one of the most significant developments in the history of cybercrime, with broad implications for nearly every aspect of the cybercrime world.

In a recent interview with The Register, Leslie told them that these fractures can be felt in all facets of the Russian-speaking underground: digital fraud, dark web forums and marketplaces, ransomware gangs, and hacktivists, all of whom derive their revenue from Russian-speaking underground activities. 

"Russia's military intervention in Ukraine has ushered in the era of volatility and unpredictability in the world of international cybercrime, which carries a multitude of implications for the defense community," Leslie said in a statement. 

As per the report, Russian cybercrime refers to a wide range of crimes perpetrated by Russian-speaking actors in many parts of the world, including Russia, Ukraine, Belarus, the Baltics, the South Caucasus, and Central Asia. According to Leslie, before the war all of these criminal elements shared a common rule: they refused to target entities located in the Commonwealth of Independent States, so as not to draw attention from law enforcement. The day after the Russian government began attacking critical infrastructure on February 24, 2022, the Conti ransomware gang declared its "full support" for the Russian government and pledged to use all the resources at its disposal to take back the critical infrastructure that had been destroyed. The group later claimed that it condemned the war, but the damage had already been done.

Hundreds of internal documents from Conti's internal domains were leaked by a Ukrainian security researcher on February 27, 2022. The so-called Conti leaks in turn led to the Trickbot leaks, which used information from the Conti data dump to reveal Trickbot's senior leadership. According to reports, Conti closed down its operations in the weeks that followed.

Moreover, Conti's rivals such as ALPHV (BlackCat) and LockBit did not declare loyalty to the Kremlin to any significant extent, although some other rival gangs did.

There has also been a decrease in the number of ransomware attacks in the context of the war in general, which may be attributable to fewer Russian cyberattacks as well. A year into the war, fears of large-scale disruptions of Ukrainian and Western infrastructure have not been realized. Russia has not given up, though: Google reported that Russian targeting of Ukrainian users rose 250 percent in 2022 compared with 2020, and targeting of NATO users rose 300 percent.

As experts point out, this is not necessarily an indictment of Russia's cyber capabilities. Instead, it is an indication of the effectiveness of Ukrainian cyber defense backed up by its Western allies and companies such as Google, Microsoft, and Amazon on the ground. This is a largely successful strategy.  

The Georgia Institute of Technology's Nadiya Kostyuk, who specializes in modern warfare and cyber conflict, has said that that support was "crucial" to Ukraine's cyberspace remaining relatively unscathed, despite the geopolitical turmoil around the world. 

It is currently apparent that Ukraine's cyber capabilities haven't kept up with those of Russia even though it has been developing them since 2014. According to her, Microsoft, along with other companies, had played a huge part in building more resilient networks and systems as well as defending Ukraine's cyberspace. 

Forum Rules for the Russian Dark Web. 

The war exposed fault lines not only among ransomware gangs but also among other criminals associated with them. The invasion of Ukraine also broke an unwritten rule of Russian-language dark web forums, which held that criminals would not target organizations in former Soviet states.

Despite the increased geographical decentralization of cybercriminal groups, Leslie predicts that the industry will become more centralized in the future.

During the kinetic war and in the immediate aftermath of it, there was also an increase in pro-Russian hacktivist groups. The 'second wave' of hacktivism took place around March 22, 2022, when Killnet's campaign against the Latvian government was initiated, following the initial wave of hacktivism, which included pre-existing groups such as the Stormous ransomware gang as well as new crews that were created to support the Russian war effort. 

An Increase in the Number of Killnets

Recorded Future reports that Killnet dominated this second wave of hacktivism.

As a consequence of these attacks, the gang and its subgroups have expanded their targets beyond Europe. They have in recent years targeted the Americas, Asia, and other parts of the world. 

Recorded Future says that most of the pro-Russian hacktivist groups that appeared after the war began are no longer active, despite estimates by security researchers such as @Cyberknow20 that 70 or more such groups were active at the start of the war.

The authors identified about 100 such groups between February 24, 2022, and February 10, 2023, but only a few remain active today.

Even the few that remain are not very effective. A recent FBI report describes Killnet's distributed denial of service attacks as having "limited success," and the researchers point out that their impact on the overall war effort has been "minimal" at best.

Is 2023 Going to be a Year of Change?

Security researchers expect the second year of the war to bring more of the same: insiders leaking information from criminal gangs, hacktivist attacks making headlines, and database dumps sold on dark web forums, possibly with a rise in leaked Russian and Belarusian databases and in credential leaks targeting .ru and .by domains. Because of the malware-as-a-service threat landscape and the continuing churn of criminal forums on the dark web, "volatility and instability" are predicted to persist through 2023 across the Russian-speaking dark web market.

In the short term, Leslie predicts that the cyber efforts of Ukraine are likely to be stepped up in 2023. The public-private partnership has helped foster increased collaboration between intelligence agencies and the provision of active defensive support, and we anticipate that this will only increase in the years to come, Leslie added. 

The majority of offensive operations are likely to be undertaken by the IT Army of Ukraine, which is expected to keep supporting a crowdsourced form of hacktivism that will continue to dominate offensive operations.

He says he expects more hack-and-leak attacks from the Ukrainian IT Army in the future, but the most dominant methods of attack will likely remain DDoS attacks and website defacement.

Cybercrime Utilizes Screenshotter to Find Targets in US

Organizations in Germany and the United States are the targets of a new threat actor, tracked as TA866, that uses new, custom malware to spy on users and steal data from affected devices. Proofpoint reported that it first identified the previously unknown cluster of activity in October 2022 and that it persisted into 2023.

Malicious Microsoft Publisher (.pub) attachments with macros, URLs leading to .pub files with macros, or PDFs with URLs that download risky JavaScript files are some of the ways the threat actor targets victims.

The researchers, who named the operation Screentime, attribute it to a brand-new threat actor known as TA866. Although the group may well be known to the wider cybersecurity sector, no one has been able to connect it to any other groups or campaigns.

According to Proofpoint, TA866 is an "organized actor capable of performing well-planned attacks at scale based on their availability of custom tools, ability and connections to buy tools and services from other vendors, and increasing activity volumes."

Because some variable names and phrases in the stage-two payloads are written in Russian, the researchers further speculate that the threat actors may be Russian. In Screentime, TA866 sends phishing emails in an effort to get victims to download the malicious WasabiSeed payload. This malware establishes persistence on the target endpoint and fetches whichever stage-two payloads the threat actors deem appropriate at the time.

AHK Bot has been seen downloading the Rhadamanthys information stealer and loading it into memory, while also deploying a script to profile the victim computer's Active Directory (AD) domain. According to Proofpoint, this AD profiling may lead to the compromise of additional domain-joined hosts.

As per Proofpoint, the activity continued into 2023 after the first indications of Screentime appeared in October 2022. The campaigns are indiscriminate in terms of the industry verticals they affect.


Cybersecurity and the Cloud in Modern Times

 


Due to the advent of remote work, most companies, even those in heritage industries, have had to adopt SaaS (software as a service) and other cloud tools to remain competitive and agile. Modern cloud-based platforms such as Zoom, Slack, and Salesforce have become critical to the effective collaboration of knowledge workers from their homes, allowing them to work more efficiently. On the back of this tailwind, public cloud hosting providers like Amazon Web Services, Microsoft Azure, and Google Cloud have seen phenomenal growth over the last few years. Gartner predicts that $178 billion will be spent on cloud providers in 2022, up from $141 billion in 2021.

The shift to the cloud has led to lots of challenges when it comes to cybersecurity, although public cloud providers have made it easy to use modern software tools. Cloud-first security represents a paradigm shift from traditional, on-premise security in the modern day. Before this change, customers had complete control over their environments and security. They hosted their applications in their own data centers and were responsible for controlling the environment. Customers operated their network in a "walled castle" - where they controlled and secured the network and applications themselves. 

Nevertheless, when customers consume public cloud services, they share responsibility for security with the cloud service provider under a shared responsibility model.

If your company stores data in a cloud data center provided by Amazon Web Services, you are responsible for configuring and managing your own cybersecurity policies as part of your compliance program. The customer is responsible for monitoring for security breaches regardless of whether they have complete control over the data in the Amazon Web Services data center. As a result, when customers adopt public clouds, they no longer have full control over the security of their data. Security concerns are therefore among the most common barriers to cloud adoption.

In addition, cloud environments are harder to secure than traditional ones. Today's cloud computing architecture relies heavily on microservices, a design that allows each component of an application (for example, a search bar, a recommendation page, a billing page) to be built independently. On-premise systems can support as many as ten times the number of workloads (virtual machines, servers, containers, microservices) that the cloud can support. This fragmentation and complexity tend to create access control issues and a higher chance of developer errors, such as leaving a sensitive password in an AWS database where it can be exposed to the public. Simply put, the attack surface in the cloud is wider and more complex than in local computing environments.

Embrace the cloud-first era of cybersecurity

The cloud has brought not just complexity but also an inversion from a top-down to a bottom-up sales model, so that security buying decisions are made not by CISOs (Chief Information Security Officers) or CISMs, but by developers.

Two reasons have contributed to this. First, the cloud lets applications be developed more efficiently, so over the past few years cybersecurity has become part of the development process rather than an afterthought. Traditionally, developers were responsible for writing code and shipping product releases, while the CISO's team was in charge of cybersecurity, so the responsibilities were split. The cloud has made it easy for modern companies to update code or release product updates every day or every week. It is common nowadays for our favorite apps, such as Netflix, Amazon, and Uber, to update themselves frequently; not long ago this was not the norm, and we had to patch them manually to keep them running smoothly. With revised code deployed so frequently, cybersecurity has become a problem that developers now have to care about.

Second, the early adopters and power users of the cloud are primarily digital start-ups and medium-sized businesses, whose decision-making is more decentralized. Traditionally, CISOs at large enterprises have played an active role in security decisions: the CISO, as the company's senior security executive, makes purchasing decisions on behalf of the rest of the organization after rigorous proof-of-concept, negotiation, and cost-benefit processes. Start-ups and mid-scale customers make security buying decisions very differently, and many leave security decision-making to their developer team.

As a result of this shift to a bottom-up sales model, cybersecurity software is about to be built and sold in a completely different way. A sales model aimed at developers differs from one designed for CISOs. Developers prefer self-serve tools: they want to try a product before they buy it. That calls for a self-serve, freemium model that attracts a large number of inbound free users at the top of the funnel and builds a customer base from them. This is the opposite of the sales-led approach of the security incumbents, which have hired huge sales teams to sell large deals outbound to CISOs.

Microsoft Announces New OpenAI-Powered Bing


Microsoft has recently launched the newest version of its search engine Bing, which includes an upgraded version of the same AI technology that powers chatbot ChatGPT. 

The organization announces the product launch alongside the new AI-enhanced features for its Edge browser, promising users that the two will offer a fresh experience for acquiring information online. 

In a blog post, Microsoft described the new version as a technical breakthrough built on a next-generation OpenAI model. “We’re excited to announce the new Bing is running on a new, next-generation OpenAI large language model that is more powerful than ChatGPT and customized specifically for search. It takes key learnings and advancements from ChatGPT and GPT-3.5 – and it is even faster, more accurate, and more capable,” the blog post states.  

Speaking at a special event at Microsoft headquarters in Redmond, Washington, Microsoft CEO Satya Nadella said of the launch: “race starts today, and we’re going to move and move fast […] Most importantly, we want to have a lot of fun innovating again in search, because it’s high time.” 

Nadella said he believed the technology was ready to transform how people search online and interact with other applications. "This technology will reshape pretty much every software category that we know," he said. 

With the new model, Bing answers search queries in a more detailed manner instead of returning only links to websites. 

Users can also chat with the bot to refine their queries, and more contextual responses appear on the right side of the search results page. 

The announcement comes a day after Google unveiled information regarding Bard, its own brand-new chatbot. 

With both companies racing to bring their products to market, Microsoft's investment will "massively increase" its capacity to compete, analyst Dan Ives of Wedbush Securities wrote in a note to investors following the news. 

"This is just the first step on the AI front ... as [the] AI arms race takes place among Big Tech," he added. Microsoft has been spending billions on artificial intelligence and was an early supporter of San Francisco-based OpenAI. 

It declared last month that it will be extending its partnership with OpenAI through a "multiyear, multibillion-dollar investment." 

According to Microsoft, Bing will employ OpenAI technology more sophisticated than the ChatGPT model announced last year, and the same capabilities will be added to its Edge web browser.   

Microsoft: Iran Unit Responsible for Charlie Hebdo Hack-and-Leak Operation

 

After the French satirical magazine Charlie Hebdo launched a cartoon contest mocking Iran's ruling cleric, a state-backed Iranian cyber unit retaliated with a hack-and-leak campaign designed to instill fear with the alleged theft of a large subscriber database, according to Microsoft security researchers. 

The FBI has blamed the same Iranian cyber operators, Emennet Pasargad, for an influence operation aimed at interfering in the 2020 U.S. presidential election, according to a blog post published Friday by the tech giant. In recent years, Iran has increasingly used false-flag cyber operations to discredit adversaries. According to Microsoft, a group calling itself "Holy Souls" and posing as hacktivists claimed in early January to have acquired personal details on 200,000 subscribers and Charlie Hebdo merchandise buyers.

As evidence of the data theft, "Holy Souls" published a 200-record sample of Charlie Hebdo subscribers' names, phone numbers, home addresses and email addresses, which "could put the magazine's subscribers at risk for online or physical targeting" by extremists. The group then advertised the alleged complete data cache for $340,000 on several dark web sites. Microsoft stated that it had no knowledge of anyone purchasing the cache.

A Charlie Hebdo representative stated on Friday that the newspaper would not comment on the Microsoft study. Iran's UN mission did not immediately respond to a request for comment Friday. The release of the sample on January 4 coincided with the publication of Charlie Hebdo's cartoon contest issue. Participants were asked to create offensive caricatures of Iran's supreme leader, Ayatollah Ali Khamenei.

The operation coincided with Tehran's verbal attacks condemning Charlie Hebdo's "insult." The controversially irreverent magazine has a long history of publishing vulgar cartoons that critics regard as deeply insulting to Muslims. In 2015, two French-born al-Qaida extremists attacked the newspaper's office, killing 12 people, including several of its cartoonists, and Charlie Hebdo has been the target of other attacks since.

The magazine promoted the Khamenei caricature contest as a gesture of solidarity with the nationwide antigovernment protests that have gripped Iran since the death in mid-September of Mahsa Amini, a 22-year-old woman detained by Iran's morality police for allegedly violating the country's strict Islamic dress code.

Following publication of the cartoon issue, Iran closed down a decades-old French research institute. Last week it announced sanctions against more than 30 European individuals and entities, including three senior Charlie Hebdo employees. The sanctions are mostly symbolic: they prohibit travel to Iran and allow Iranian authorities to freeze bank accounts and seize property there.

Installing Software via Google Poses Concerns

Researchers say that while searching Google for downloads of well-known software has always carried some risk, in recent months it has become downright dangerous. 

On Thursday, volunteers at Spamhaus stated that threat researchers had been accustomed to seeing a moderate volume of malicious advertising through Google Ads, and that this volume has now risen sharply. 

Multiple malware families, including AuroraStealer, IcedID, Meta Stealer, RedLine Stealer, Vidar, Formbook and XLoader, are behind the rise. In the past, these groups frequently relied on spam attachments: malicious Microsoft Word documents with booby-trapped macros. Over the past month, Google Ads has become the preferred channel for distributing their malware, which is disguised as legitimate downloads by impersonating well-known products including Adobe Reader, Gimp, Microsoft Teams, OBS, Slack and Thunderbird.

This week, researchers from the security firm Saiflow disclosed two flaws in older versions of the Open Charge Point Protocol (OCPP), an open protocol used to communicate between electric vehicle chargers and their management software. By exploiting vulnerable OCPP instances, an attacker might take control of a charger, disable groups of chargers, or steal electricity from a charger for their own use. Saiflow says it is working with EV charger manufacturers to reduce the risks posed by the vulnerabilities.

Hegel of SentinelOne gives one example: real C2 traffic is masked by Formbook's and XLoader's HTTP requests to several sites chosen at random from an embedded list and sent with encoded and encrypted content. Only one is the actual C2 server; the rest of the domains are merely decoys. A sample we examined sent HTTP GET and/or POST requests to the 17 domains (16 endpoints) specified in the IOC table below while encoding and encrypting the HTTP data. XLoader's implementation of this technique in particular is covered at length in prior research.

Earlier research supports the observation that the genuine C2 domain is disguised by beaconing to many domains. The malware sends beacons to sites on both valid and unregistered domains. The accompanying figure, a snapshot of some of the domains the malware contacts, shows the wide range of domain ages, hosting companies and registration dates.

Unless Google develops new protections, the use of decoy domains and other obfuscation techniques to hide the real control servers will continue to be effective in the pervasive MalVirt campaign and other malvertising campaigns. MalVirt also spreads malware that is difficult to detect.
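One way to turn the fan-out beaconing described above into a detection is to look, per client, for many distinct destination domains within a short window, combined with near-identical POST body sizes (the encrypted beacon payload). The following is an added example, not code from SentinelOne or the article; the proxy log format, the thresholds, and the two-label approximation of a registrable domain are assumptions, and the log lines are constructed for the example.

```python
"""Flag hosts that beacon to many distinct domains in a short window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log (not from the article): timestamp, client IP,
# method, destination host, request body size in bytes.
SAMPLE_PROXY_LOG = """\
2023-02-01T10:00:00 10.0.0.7 POST cdn-stats-one.example 612
2023-02-01T10:00:02 10.0.0.7 GET img-host-two.example 0
2023-02-01T10:00:04 10.0.0.7 POST news-three.example 611
2023-02-01T10:00:05 10.0.0.7 GET shop-four.example 0
2023-02-01T10:00:07 10.0.0.7 POST blog-five.example 613
2023-02-01T10:00:09 10.0.0.7 GET api-six.example 0
2023-02-01T10:00:11 10.0.0.7 POST mail-seven.example 612
2023-02-01T10:00:13 10.0.0.7 GET files-eight.example 0
2023-02-01T10:00:15 10.0.0.7 POST track-nine.example 611
2023-02-01T10:00:16 10.0.0.7 GET docs-ten.example 0
2023-02-01T10:00:30 10.0.0.9 GET www.microsoft.com 0
2023-02-01T10:00:31 10.0.0.9 GET login.microsoftonline.com 0
2023-02-01T10:00:40 10.0.0.9 POST outlook.office.com 2048
"""


def parse_proxy_log(text):
    """Parse the assumed space-separated format into (ts, client, method, host, size)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, size = line.split()
        events.append((datetime.fromisoformat(ts), client, method, host.lower(), int(size)))
    return events


def registrable_domain(host):
    # Assumption: the last two labels approximate the registrable domain (no PSL lookup).
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def find_fanout_beaconing(text, min_domains=8, window=timedelta(seconds=60)):
    """Return {client: sorted domains} for clients that contact >= min_domains
    distinct registrable domains inside any `window`-long sliding interval."""
    by_client = defaultdict(list)
    for ts, client, _method, host, _size in parse_proxy_log(text):
        by_client[client].append((ts, registrable_domain(host)))

    flagged = {}
    for client, hits in by_client.items():
        hits.sort()
        best, start = set(), 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            domains = {d for _, d in hits[start:end + 1]}
            if len(domains) > len(best):
                best = domains
        if len(best) >= min_domains:
            flagged[client] = sorted(best)
    return flagged


def uniform_post_sizes(text, client, min_posts=3, tolerance=8):
    """True when a client's POST bodies are all within `tolerance` bytes of each
    other: fixed-size encrypted beacons, unlike organic web traffic."""
    sizes = [size for _ts, c, method, _host, size in parse_proxy_log(text)
             if c == client and method == "POST"]
    if len(sizes) < min_posts:
        return False
    return max(sizes) - min(sizes) <= tolerance


if __name__ == "__main__":
    for client, domains in find_fanout_beaconing(SAMPLE_PROXY_LOG).items():
        print(client, len(domains), "domains; uniform POST sizes:",
              uniform_post_sizes(SAMPLE_PROXY_LOG, client))
```

On the constructed log, 10.0.0.7 is flagged (ten domains in sixteen seconds, POST bodies of 611 to 613 bytes) while 10.0.0.9, which talks to three Microsoft domains with one large POST, is not. Tune `min_domains` and the window against your own baseline before alerting on it.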


Info-stealing Ads Spread by Malvertising

HP Wolf Security's cybersecurity researchers have issued a warning about various ongoing activities that aim to use typosquatting domains and malicious advertising to spread different types of malware to unwitting victims.

The operators also pay ad networks to run advertisements promoting these bogus websites, so that when users search for the programs, search engines present the malicious sites alongside the legitimate ones. Users who do not double-check the URL of the site they are on can easily be misdirected. 

Bogus installers

A total of 92 typosquatting domains impersonating software vendors were found, some of which may have been used to spread IcedID. Victims who land on the wrong site are unlikely to notice the difference.

The websites are meticulously crafted to resemble the real ones in practically every way. In the Audacity case, the site hosts a malicious .exe file posing as the program's installer, named 'audacity-win-x64.exe' and more than 300MB in size. The file is padded to that size to evade antivirus detection: the researchers found that several antivirus products' automatic scanning skips very large files.
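A simple lookalike-domain check, of the kind a defender can run over proxy logs or newly observed domains, catches most of what is described above: a host is legitimate if it belongs to the vendor's real domain, a lookalike if its name contains or is within a small edit distance of a brand, and unrelated otherwise. This is an added example, not HP Wolf's code; the brand allowlist, the thresholds and the sample hosts are constructed for illustration.

```python
"""Classify download hosts as legitimate, lookalike, or unrelated to known brands."""
import re

# Constructed allowlist of real download hosts per brand (assumption: a
# defender maintains this list; it is not taken from the HP Wolf report).
LEGITIMATE_HOSTS = {
    "audacity": "www.audacityteam.org",
    "gimp": "www.gimp.org",
    "notepad++": "notepad-plus-plus.org",
    "anydesk": "anydesk.com",
    "zoom": "zoom.us",
}


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    # Assumption: the last two labels approximate the registrable domain (no PSL lookup).
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def compact_name(host):
    """Hostname minus 'www' and the TLD, separators removed:
    'audacity-win.example' -> 'audacitywin'."""
    labels = [lab for lab in host.lower().split(".") if lab and lab != "www"]
    return re.sub(r"[^a-z0-9]", "", "".join(labels[:-1]))


def normalize_brand(brand):
    """'notepad++' -> 'notepadplusplus' so it can be matched inside hostnames."""
    return re.sub(r"[^a-z0-9]", "", brand.lower().replace("+", "plus"))


def classify(host):
    """Return (verdict, brand): verdict is 'legitimate', 'lookalike' or 'unrelated'."""
    reg = registrable_domain(host)
    for brand, legit in LEGITIMATE_HOSTS.items():
        if reg == registrable_domain(legit):
            return ("legitimate", brand)
    name = compact_name(host)
    for brand in LEGITIMATE_HOSTS:
        b = normalize_brand(brand)
        # Short brands get a tighter edit-distance budget to limit false positives.
        threshold = 1 if len(b) < 6 else 2
        if b in name or levenshtein(name, b) <= threshold:
            return ("lookalike", brand)
    return ("unrelated", None)


if __name__ == "__main__":
    # Constructed sample hosts, not the 92 domains from the report.
    for h in ["www.audacityteam.org", "audacitty.org", "audacity-win-installer.example",
              "notepad-plus-plus-download.example", "www.microsoft.com"]:
        print(h, "->", classify(h))
```

Substring matching is deliberately aggressive: 'gimp-download.example' is a lookalike even though its edit distance from 'gimp' is large, because that is exactly how the malvertised domains are built. Treat a 'lookalike' verdict as a triage signal, not proof of malice.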

According to Cyble security experts, Rhadamanthys was used to steal data from web browsers, crypto wallets, and messaging apps. It was spread using Google Ads that imitated AnyDesk, Zoom, Bluestacks, and Notepad++.

Another issue involved DEV-0569 abusing Google Ads to distribute BatLoader, according to Microsoft researchers. As part of the spreading process, the group imitated LogMeIn, Adobe Flash Player, and Microsoft Teams.

Due to their extensive capabilities, info-stealers are now a common type of malware utilized by hackers. The demand for this malware is so great that it rules many underground market forums.

The sale of these new malware strains, together with the ready availability of info-stealer source code, will lead to more victim data being sold on the dark web.

Because the latest campaign relies mostly on bogus websites that look legitimate, users should verify the authenticity of a site before downloading any installer. Deploying MFA across all accounts is also advised, since it limits what a stolen credential is worth to an info-stealer operator.




Microsoft Quietly Revealed a New Kind of AI


In the foreseeable future, humans will be interfacing their flesh with chips. So perhaps we should not have been shocked when Microsoft's researchers appeared to hasten a rather desperate future. 

It was interestingly innocent and so very scientific. The headline of the researcher’s article read “Neural Codec Language Models are Zero-Shot Text to Speech Synthesizers.” 

What do you think this may possibly mean? Is there a newer, faster method for a machine to record spoken words? 

The researchers' abstract gets off to an innocent start. It uses words, expressions and acronyms that would be unfamiliar to many a layman's language model. 

It explains that VALL-E is the name of their neural codec language model. The name must be intended to soothe you: what could be terrifying about a technology named after the adorable little robot from a sentimental movie? 

Well, this perhaps: "VALL-E emerges in-context learning capabilities and can be used to synthesize high-quality personalized speech with only a 3-second enrolled recording of an unseen speaker as an acoustic prompt." 


Researchers often set out to build learning capabilities but end up having to wait for them to "emerge." And what emerges from the researchers' sentence is quite surprising. 

Microsoft's model can now produce longer speech, potentially whole speeches, that you never actually said but that sound remarkably like you, from just three seconds of your voice. 

The researchers explain that VALL-E was trained on LibriLight, an audio library assembled by Meta containing some 60,000 hours of speech from about 7,000 speakers. 


This seems another level of sophistication. Consider Peacock's "The Capture," in which deepfakes are a routine tool of government. Perhaps one should not be worried, since Microsoft is such a nice, inoffensive company these days. 

However, the idea that someone, anyone, can easily be conned into believing that a person is saying something he actually did not (perhaps, would never) itself is alarming. Especially when the researchers claim their capabilities to replicate the “emotions and acoustic behavior” of someone’s initial three-second speech as well. 

It is some comfort that the researchers acknowledge this potential for harm. They offer: "Since VALL-E could synthesize speech that maintains speaker identity, it may carry potential risks in misuse of the model, such as spoofing voice identification or impersonating a specific speaker." 

One can only hope a solution to these issues is found. The researchers' answer is "building a detection system." But that leaves some people wondering: "Why must we do this at all?" As so often in technology, the answer is "Because we can."  

Emails are Vulnerable to Cyber Threat

Organizations of all sizes worldwide rushed to install patches and assess what had been compromised. Such hacks expose the vulnerability of the 32 million small businesses in the United States, which largely cannot afford to work with cybersecurity firms and rely primarily on the built-in security measures of their software and hardware providers.

According to Iram, a former Israeli intelligence officer, large tech firms could harden their systems before release in order to block hackers before they reach small and medium-sized firms. He adds that cybercrime has fallen each time major software companies changed default settings or shipped general updates with cybersecurity in mind.

According to market research company Gartner, Microsoft holds more than 86% of the enterprise email market, while Google has just under 13%.

Challenges with email 

Many of today's problems stem from the fact that several components of the technology stack were designed before cybercrime became a concern. The big firms that dominate the industry have still not made security a default feature of basic software, leaving that to the cybersecurity market, which has led to explosive growth in a new category of companies.

Microsoft Defender for Office 365 finds and stops thousands of user compromise actions each month in addition to nearly 40 million emails with Business Email Compromise, or BEC, and 100 million emails with harmful credential phishing links.

Some cybersecurity companies focused on the small business sector, such as Huntress and SolCyber, have launched in the last three to five years. In a highly networked society, even the slightest flaw in one organization can spread to another. An NPR investigation into the major Microsoft Exchange data breach concluded that Chinese hackers were targeting American businesses in an effort to collect data on American consumers, for reasons that remain unclear.

The U.S. government has so far taken a hands-off stance; a representative of the Cybersecurity and Infrastructure Security Agency (CISA) said that the agency does not regulate software for small businesses.


Mass Data Scraping Lawsuit Filed by Meta

 


As part of a lawsuit filed against the digital surveillance firm Voyager Labs, Meta claims that the company created 38,000 fake, unauthorized accounts to collect 600,000 Facebook users' personal information. 

In the federal lawsuit, Meta asks a California court to ban Voyager from Facebook and Instagram, claiming that the company scraped the "viewable profile information" of users of both platforms: posts, likes, friend lists, photos and comments. Facebook groups and pages were also allegedly tapped for data. 

According to Gizmodo, Voyager pitched its tool to organizations interested in monitoring social media without being detected and sold it to the highest bidder. 

In addition, Twitter, YouTube, LinkedIn, and Telegram accounts were created to scrape data. So far, Meta, the company that owns Facebook, is the only social media firm that has taken legal action against Voyager. 

In a blog post about the filing, Meta said Voyager had violated Facebook's terms of service on fake accounts, automated scraping and automation of user accounts. To hide its activity, Voyager used a network of computers spread across many countries to scrape user data, Meta added. 

A free trial of Voyager's software was used by the Los Angeles Police Department in 2019, according to The Guardian in 2021. 

Following a pitch from the company, they purchased it as a surveillance tool to monitor thousands of online friends of potential suspects.  

It has been reported in the Guardian that LAPD was told that through this tool, officers would be able to "predict" crimes before they occur and communicate with potential victims.  

PCMag's request for comment from Voyager was not immediately answered. The Supreme Court allowed Meta earlier this week to pursue a lawsuit against Israeli spyware company NSO Group, which had gained access to WhatsApp servers "unlawfully" when installing spyware on users' devices through their WhatsApp accounts. 

Last month, Meta agreed to settle a class-action lawsuit in which plaintiffs accused the company of sharing users' personal data with third parties without their consent.  

That lawsuit was filed in 2018 after it was revealed that Facebook had shared the personal information of up to 87 million users with the British consulting firm Cambridge Analytica.

To Get Around Security, Hackers Use This Old Trick

 


Cybercriminals are exploiting an old vulnerability in an Intel driver to gain a foothold on networks: the flaw lets them disable security software and bypass the protections that would otherwise detect them.  

Cybersecurity researchers at CrowdStrike attribute the campaign, which targets Windows PCs, to the cybercriminal group Scattered Spider, also tracked as Roasted 0ktapus and UNC3944. 

Researchers describe Scattered Spider as a financially motivated cybercrime operation with a particular interest in business process outsourcing and telecommunications companies. Gaining access to mobile carrier networks is the campaign's main objective.  

The attackers appear to gain initial access by stealing usernames and passwords through SMS phishing. In several recorded instances they then used that access to harvest further credentials from compromised devices. The group also appears to carry out SIM-swapping attacks.   

Once Scattered Spider has access to a network, it uses a technique called "Bring Your Own Vulnerable Driver" (BYOVD). Microsoft limits the ability of malware to get into the kernel by refusing to load unsigned kernel-mode drivers by default, but attackers get around this by installing a legitimately signed driver that contains an exploitable vulnerability, then abusing that driver to run their own code with kernel privileges.   

Attackers can also obtain legitimate code-signing certificates by stealing them, by abusing workarounds to sign their own drivers, or by obtaining certificates through deception. However the signature is obtained, the malicious code can then run on the machine, load its own drivers and disable the security products installed there, hiding the attackers' activity.  

To stay as quiet as possible, the attackers do not rely on bespoke malware beyond this. Instead they install a large number of legitimate remote access tools, which give them persistence on the compromised system. 

CrowdStrike identified a vulnerability in the Intel Ethernet diagnostics driver for Windows as one of the ways the attackers deliver malicious kernel drivers.

This vulnerability has been known for a long time, as the ID number suggests. If the security update that closes the vulnerability has not been applied to the system, cybercriminals will still be able to exploit it on the system.  

To combat this and other attacks involving abused signed drivers in the future, researchers urge users to patch vulnerable drivers as a priority.  

The attackers attempted to bypass several security products, including Microsoft Defender for Endpoint, Palo Alto Networks Cortex XDR, SentinelOne and CrowdStrike's own Falcon. CrowdStrike says Falcon detects and prevents the malicious activity when the attackers try to install and run their code.  

It has been warned previously by Microsoft that attacks are increasingly targeting legitimate drivers in the ecosystem and infecting computers through their vulnerabilities. Despite Microsoft's efforts to prevent abuse, this attack technique is still successfully used today. 

Although Scattered Spider is targeting a specific set of industries with this campaign, CrowdStrike recommends that security teams in every industry develop a strategy to defend their networks against it, starting with applying the long-available security patch for the vulnerable driver.  

Microsoft also provides guidance on hardening systems by blocking drivers according to its recommended block rules. As with any software, blocking or removing a driver can cause the device or software that depends on it to malfunction, and in some cases a blue screen of death. A vulnerable driver blocklist also cannot guarantee that every driver with a vulnerability has been identified and blocked.  

Microsoft Discloses Methods Employed by 4 Ransomware Families Targeting MacOS


Microsoft has recently revealed information on the four different ransomware families, i.e. KeRanger, FileCoder, MacRansom, and EvilQuest that are apparently impacting Apple macOS systems. 

These ransomware families initially spread through what the Windows maker calls "user-assisted methods," in which the victim downloads and installs trojanized software. 

Besides, it may also show up as part of a supply chain attack payload or as a second-stage payload delivered by already-existing malware on the attacked host. 

"While these malware families are old, they exemplify the range of capabilities and malicious behavior possible on the platform," said the tech giant’s Security Threat Intelligence team, in a Thursday report.

Regardless of the approach of attack used, the attacks follow a similar pattern in which threat actors use legitimate operating system features and vulnerabilities to gain access to the computers and encrypt important documents. 

These include calling the Unix library functions opendir, readdir and closedir to enumerate files. Microsoft noted that the NSFileManager Objective-C interface is another way to do this, but none of the strains used it. 

In an attempt to thwart analysis and debugging efforts, malware such as KeRanger, MacRansom, and EvilQuest have also been seen to employ a combination of hardware- and software-based tests to establish whether the malware is operating in a virtual environment. 

KeRanger utilizes an approach known as delayed execution to evade detection. It achieves this by sleeping upon its launch for three days before resuming its destructive operations. 

KeRanger encrypts files with AES in cipher block chaining (CBC) mode, FileCoder uses the ZIP utility to encrypt them, and MacRansom and EvilQuest each implement their own symmetric encryption routine. 

Moreover, EvilQuest, which was first detected in July 2020, includes various trojan-like functions, such as keylogging, compromising Mach-O files by inserting arbitrary code, and disabling the security software, in addition to the standard ransomware features. 

Additionally, it has the ability to run any file directly from memory, effectively eliminating any evidence of the payload from the disk. 

"Ransomware continues to be one of the most prevalent and impactful threats affecting organizations, with attackers constantly evolving their techniques and expanding their tradecraft to cast a wider net of potential targets," Microsoft added.  

Rackspace: Ransomware Bypasses ProxyNotShell Mitigations

 


Rackspace Technology, a managed cloud hosting company, has shared its findings on the December 2 attack that disrupted email services for thousands of small and midsized businesses. The attack used a zero-day exploit against CVE-2022-41080, a privilege escalation vulnerability in Microsoft Exchange Server. 

In an emailed response, Rackspace chief security officer Karen O'Reilly-Smith said the root cause of the incident was a zero-day exploit associated with CVE-2022-41080. Microsoft had disclosed CVE-2022-41080 as a privilege escalation vulnerability without noting that it was part of an exploitable remote code execution chain. 

According to an external advisor to Rackspace, the company had not yet applied the ProxyNotShell patch because it was concerned the patch might cause "authentication errors" that could take down its Exchange servers, among other potential issues. Rackspace had instead implemented Microsoft's mitigation recommendations, which the software giant had presented as sufficient to prevent attacks. 

Rackspace hired CrowdStrike to investigate the breach, and CrowdStrike published its findings in a public blog post. It explained how the Play ransomware group used a new technique that chains CVE-2022-41080 with the ProxyNotShell remote code execution vulnerability CVE-2022-41082, bypassing the ProxyNotShell mitigations. 

CrowdStrike's post did not say that its research into Play's bypass method came from the Rackspace investigation. However, Rackspace's external advisor confirmed that the research was the result of CrowdStrike's investigation into the attack. 

Last month, Microsoft informed Dark Reading that while the attack bypasses mitigations provided by previous releases of ProxyNotShell, it does not bypass the actual patch that is being applied to the system.  

'Patching - if you can do so - is the answer,' says the external advisor, who pointed out that the company had weighed the risks and benefits of patching at a time when the mitigations were believed to be effective and the patch risked taking its servers down. The advisor said the risk was known, evaluated and weighed at the time. Because the patch was never applied, the servers remain down.  

A Rackspace spokesperson did not answer questions about whether the ransomware attackers have been paid.

Microsoft Announced the End of Support for Windows 7 & 8

Microsoft has published a warning over the imminent end of support for Windows 8.1, which would not receive any updates or patches after January 10th, 2023.

According to research, over 100 million computers were still running Windows 7 as of 2021, leaving their owners little time to upgrade before facing the security hazards of running an outdated operating system and browser.

Windows 8.1 is still the fourth most popular Microsoft operating system in the world, according to the Statcounter team, with 2.45% of all Windows users having it installed on their computers. Given the fact that it will affect millions of individuals and expose numerous PCs to attack, this end of support is quite concerning. 

PCs running Windows XP, 7, or 8 were more prevalent than those running Windows 11 according to a Lansweeper survey of 27 million Windows devices conducted in October.

For systems running Windows 10 2004 or 20H2, Windows 10 21H1 was a minor feature update that was designed to be simple to install. It contained improvements to Windows Defender Application Guard, Windows Management Instrumentation via Group Policy, and support for several Windows Hello-enabled cameras. 

Along with the release of a new Chrome version, Google also disclosed that it will discontinue support for Windows 7 and Windows 8.1 in early 2023. For users to continue receiving new Chrome updates, their device must be running Windows 10 or later.

Anyone running an outdated version of Windows should check their systems and plan an upgrade this week: Windows 8.1 stops receiving security updates and patches after January 10, 2023.

50% of KEV Catalog Additions Were From Big Corporations

According to Grey Noise, almost 50% of the additions to the KEV catalog in 2022 were actively exploited vulnerabilities in Microsoft, Adobe, Cisco and Apple products. Vulnerabilities disclosed before 2022 made up 77% of those additions. 

In the catalog's first year, CISA added over 850 vulnerabilities, not counting the roughly 300 listed in November and December 2021. As CSW's Decoding of the CISA KEV study puts it, "the fact they are a part of CISA KEV is rather significant as it suggests that many businesses are still using these outdated systems and therefore are ideal targets for attackers."

Based on a study by a team from Cyber Security Works (CSW), a notable share of the vulnerabilities in the KEV catalog affect products that have already reached End-of-Life (EOL) or End-of-Service-Life (EOSL). Although Windows Server 2008 and Windows 7 are EOSL products, the catalog lists 127 Windows Server 2008 vulnerabilities and 117 Windows 7 vulnerabilities.

Although it was initially designed for critical infrastructure and public service organizations, the catalog has become the de facto authoritative source on which vulnerabilities attackers are actually exploiting. That matters because, in 2022 alone, more than 12,000 vulnerabilities received Common Vulnerabilities and Exposures (CVE) identifiers and entered the National Vulnerability Database, far more than any team can patch; the catalog's curated list of CVEs under active attack lets corporate teams build customized priority lists. 

CSW also found a lag, sometimes of years, between the time a CVE Numbering Authority (CNA) such as Mozilla, Red Hat or MITRE assigns a CVE to a flaw and the time the vulnerability appears in the NVD. For instance, a vulnerability in WebKitGTK, the GTK port of Apple's WebKit engine (CVE-2019-8720), was exploited by the BitPaymer ransomware; Red Hat assigned it a CVE in October 2019 and it was added to the KEV catalog in March 2022, yet as of the beginning of November 2022 it still had no NVD entry.  

According to CSW, 22% of the vulnerabilities in the catalog are privilege escalation issues and 36% are remote code execution issues. CISA adds a vulnerability to the KEV catalog only when it has a CVE identifier, there is reliable evidence that it is being actively exploited, and clear remediation guidance exists. 
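To make the catalog usable the way the paragraphs above describe (vendor share of a year's additions, older CVEs being re-added, EOL products still listed, and a customized priority list), here is an added Python example; it is not CSW's, GreyNoise's or CISA's code. It assumes entries shaped like the KEV JSON feed's vulnerabilities array (cveID, vendorProject, product, dateAdded, dueDate). The sample entries and the asset inventory are constructed, and the CVE identifiers use placeholder sequence numbers (999xxxx) rather than real records.

```python
"""Working with a CISA KEV-style catalog (added example, constructed data)."""
from collections import Counter
from datetime import date

# Constructed sample in the shape of the KEV feed's "vulnerabilities" array.
# The cveID values use placeholder sequence numbers (999xxxx) that do not
# correspond to real CVE records; vendor/product names are real products
# used only for illustration.
SAMPLE_KEV = [
    {"cveID": "CVE-2019-9990001", "vendorProject": "Microsoft", "product": "Windows Server 2008",
     "dateAdded": "2022-02-10", "dueDate": "2022-08-10"},
    {"cveID": "CVE-2019-9990002", "vendorProject": "Microsoft", "product": "Windows 7",
     "dateAdded": "2022-03-25", "dueDate": "2022-04-15"},
    {"cveID": "CVE-2022-9990003", "vendorProject": "Microsoft", "product": "Exchange Server",
     "dateAdded": "2022-09-30", "dueDate": "2022-10-21"},
    {"cveID": "CVE-2018-9990004", "vendorProject": "Adobe", "product": "Flash Player",
     "dateAdded": "2022-03-03", "dueDate": "2022-03-24"},
    {"cveID": "CVE-2020-9990005", "vendorProject": "Cisco", "product": "ASA",
     "dateAdded": "2022-01-10", "dueDate": "2022-07-10"},
    {"cveID": "CVE-2021-9990006", "vendorProject": "Apple", "product": "macOS",
     "dateAdded": "2022-04-04", "dueDate": "2022-04-25"},
    {"cveID": "CVE-2019-9990007", "vendorProject": "WebKitGTK", "product": "WebKitGTK",
     "dateAdded": "2022-03-25", "dueDate": "2022-04-15"},
    {"cveID": "CVE-2022-9990008", "vendorProject": "Fortinet", "product": "FortiOS",
     "dateAdded": "2022-10-10", "dueDate": "2022-11-01"},
    {"cveID": "CVE-2021-9990009", "vendorProject": "Apple", "product": "iOS",
     "dateAdded": "2021-11-03", "dueDate": "2022-05-03"},
    {"cveID": "CVE-2017-9990010", "vendorProject": "Microsoft", "product": "Office",
     "dateAdded": "2021-11-03", "dueDate": "2022-05-03"},
]

# Constructed asset inventory: product name -> number of hosts running it.
SAMPLE_INVENTORY = {"Windows Server 2008": 3, "Exchange Server": 2, "FortiOS": 1, "macOS": 40}

BIG_FOUR = {"Microsoft", "Adobe", "Cisco", "Apple"}
EOL_PRODUCTS = {"Windows Server 2008", "Windows 7"}


def additions_in_year(entries, year):
    """Entries whose dateAdded falls in the given calendar year."""
    return [e for e in entries if e["dateAdded"].startswith(f"{year}-")]


def cve_year(cve_id):
    """The year component of a CVE identifier (CVE-YYYY-NNNN...)."""
    return int(cve_id.split("-")[1])


def vendor_share(entries, year, vendors):
    """Fraction of a year's additions that belong to the given vendors."""
    added = additions_in_year(entries, year)
    hits = sum(1 for e in added if e["vendorProject"] in vendors)
    return hits / len(added) if added else 0.0


def old_cve_share(entries, year):
    """Fraction of a year's additions whose CVE was assigned before that year."""
    added = additions_in_year(entries, year)
    old = sum(1 for e in added if cve_year(e["cveID"]) < year)
    return old / len(added) if added else 0.0


def eol_counts(entries, eol_products):
    """How many catalog entries affect each end-of-life product."""
    counts = Counter(e["product"] for e in entries if e["product"] in eol_products)
    return {p: counts.get(p, 0) for p in eol_products}


def prioritize(entries, inventory, today_iso):
    """Rank the entries present in the inventory: overdue first, then soonest
    CISA due date, then the largest number of affected hosts."""
    today = date.fromisoformat(today_iso)
    hits = []
    for e in entries:
        hosts = inventory.get(e["product"], 0)
        if hosts == 0:
            continue  # not in our estate, nothing to patch
        overdue = date.fromisoformat(e["dueDate"]) < today
        hits.append({"cveID": e["cveID"], "product": e["product"],
                     "hosts": hosts, "dueDate": e["dueDate"], "overdue": overdue})
    hits.sort(key=lambda h: (not h["overdue"], h["dueDate"], -h["hosts"]))
    return hits


if __name__ == "__main__":
    print("big-four share of 2022 additions:", vendor_share(SAMPLE_KEV, 2022, BIG_FOUR))
    print("pre-2022 CVEs among 2022 additions:", old_cve_share(SAMPLE_KEV, 2022))
    print("EOL product entries:", eol_counts(SAMPLE_KEV, EOL_PRODUCTS))
    for h in prioritize(SAMPLE_KEV, SAMPLE_INVENTORY, "2022-10-15"):
        print(h)
```

Feed the real catalog by loading the JSON and passing its vulnerabilities list in place of SAMPLE_KEV; the ranking deliberately puts overdue entries ahead of everything else, because an entry past its CISA due date is one the catalog's own criteria already treat as exploited in the wild.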

macOS Gatekeeper Bypass Known as Achilles: Microsoft Warns

Microsoft warns that a Gatekeeper bypass vulnerability in macOS could let attackers install malicious programs on target Macs, regardless of whether the user has enabled Lockdown Mode. 

Microsoft, which dubbed the bug (CVE-2022-42821) "Achilles," detailed it and built a working exploit that abuses macOS Access Control Lists (ACLs), the mechanism that lets files carry fine-grained permissions. 

Apple Gatekeeper, the application vetting mechanism, is a popular target

Apple Gatekeeper is a security technology designed to ensure that only "trusted apps" run on Macs, meaning apps signed by an identified developer and notarized by Apple. When Gatekeeper cannot validate the software, the user sees a blocking pop-up explaining that the app cannot be run for security reasons. 

This makes users less likely to fall victim to malicious sideloaded applications, such as those accidentally downloaded from pirate sites or third-party app stores. 

Microsoft researchers noted, however, that attackers have spent considerable effort looking for ways around the feature, as shown by previously exploited bypasses such as CVE-2022-22616, CVE-2022-32910, CVE-2021-1810, CVE-2021-30657, CVE-2021-30853, CVE-2019-8656, and CVE-2014-8826. 

Such problems are not new. Gatekeeper bypasses are routinely exploited by malware to gain initial access to macOS systems, which raises the success rate of malicious campaigns. Microsoft's analysis indicates that fake apps will remain one of the most common entry points for attackers on macOS over the coming years, making Gatekeeper bypass techniques a crucial element of attacker tradecraft. 

The discovery of a new Gatekeeper bypass

Building on details of the earlier CVE-2021-1810 bypass, the Microsoft team achieved a new bypass by attaching restrictive permission rules (via the ACL mechanism) to the malicious files. 

Apple relies on a quarantine mechanism for downloaded apps, as the advisory explains: "When you download an app from a browser, such as Safari, the browser automatically gives it a special extended attribute. That attribute, com.apple.quarantine, is used when enforcing policies such as Gatekeeper." 

The macOS file system also supports a special extended attribute, com.apple.acl.text, which can be used to set arbitrary access control lists on a file. 

According to the Microsoft researchers, each ACL consists of a number of Access Control Entries (ACEs) that govern what each principal can and cannot do, much as firewall rule sets do for addresses. Their exploit therefore attaches a very restrictive ACL to the downloaded files, one that prohibits Safari (and any other program) from setting new extended attributes on them, including com.apple.quarantine. 

Without the quarantine attribute, Gatekeeper never learns that the file needs to be checked, so the security mechanism is skipped entirely. 
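The artifact this technique leaves behind is a downloaded file that carries no com.apple.quarantine attribute but does carry a deny ACE covering writeextattr. The following Python is an added hunting example, not Microsoft's proof of concept or Apple's code: it parses ACL entries from the `ls -le` line format as I know it from macOS (" 0: group:everyone deny writeattr,writeextattr"), combines them with the file's extended attribute names, and labels the file. The sample `ls -le` output is constructed, the "achilles-suspect" label is my own, and the `inspect_macos_path` helper shells out to the macOS xattr and ls tools, so only that function requires a Mac.

```python
"""Hunt for Achilles-style Gatekeeper bypass artifacts (added example)."""
import re
import subprocess

# One ACE line as printed by `ls -le` on macOS (assumed format), e.g.
#  " 0: group:everyone deny writeattr,writeextattr"
ACE_RE = re.compile(
    r"^\s*\d+:\s+(?P<principal>\S+)\s+(?P<kind>allow|deny)\s+(?P<perms>\S+)"
)

# Constructed sample: a payload whose ACL forbids everyone from writing
# extended attributes, so the browser could never tag it as quarantined.
SAMPLE_LS_LE = """\
-rwxr-xr-x+ 1 user  staff  1234 Dec 20 10:00 payload.app/Contents/MacOS/payload
 0: group:everyone deny writeattr,writeextattr
"""


def parse_ls_le(output):
    """Return ACEs from `ls -le` output as (principal, kind, set_of_perms)."""
    aces = []
    for line in output.splitlines():
        m = ACE_RE.match(line)
        if m:
            aces.append((m["principal"], m["kind"], set(m["perms"].split(","))))
    return aces


def denies_xattr_writes(aces):
    """True if any deny ACE covers writeextattr, which blocks setting
    com.apple.quarantine on the file."""
    return any(kind == "deny" and "writeextattr" in perms for _, kind, perms in aces)


def classify(xattr_names, aces):
    """Label a file: 'quarantined' (normal download), 'achilles-suspect'
    (no quarantine tag but an ACL that prevents one), or 'unquarantined'
    (no tag, no such ACL; normal for files created locally or via curl)."""
    if "com.apple.quarantine" in xattr_names:
        return "quarantined"
    if denies_xattr_writes(aces):
        return "achilles-suspect"
    return "unquarantined"


def inspect_macos_path(path):
    """Classify a real path using the macOS CLI tools (macOS only):
    `xattr PATH` lists attribute names, `ls -lde PATH` prints the ACL."""
    names = subprocess.run(["xattr", path], capture_output=True, text=True,
                           check=True).stdout.split()
    acl_out = subprocess.run(["ls", "-lde", path], capture_output=True, text=True,
                             check=True).stdout
    return classify(set(names), parse_ls_le(acl_out))


if __name__ == "__main__":
    print(parse_ls_le(SAMPLE_LS_LE))
    print(classify(set(), parse_ls_le(SAMPLE_LS_LE)))
```

Run `inspect_macos_path` over the contents of ~/Downloads or a mounted disk image; a quarantined result is the expected state for anything a browser fetched, an unquarantined result alone is common and benign, and only the combination of a missing tag with a deny-writeextattr ACE matches the bypass described above and warrants a closer look.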

Microsoft's researchers also found that Apple's Lockdown Mode, which Apple announced in July 2022 to protect high-risk targets from state-sponsored spyware, does not stop the Achilles attack. 

"We note that Apple’s Lockdown Mode, introduced in macOS Ventura as an optional protection feature for high-risk users that might be personally targeted by a sophisticated cyberattack, is aimed at stopping zero-click remote code execution exploits, and therefore does not defend against Achilles," according to Microsoft. 

Microsoft reported the issue to Apple in July 2022, and Apple fixed it in the latest macOS updates. Mac users should install those updates as soon as possible.