Learning how to break the latest AI models is important, but security researchers should also question whether there are enough guardrails to prevent the technology's misuse.

Samsung has banned some uses of ChatGPT, Ford Motor and Volkswagen shuttered their self-driving car firm, and a letter calling for a pause in training more powerful AI systems has garnered more than 25,000 signatures.

Overreactions? No, says Davi Ottenheimer, the vice president of trust and digital ethics at Inrupt, a startup creating digital identity and security solutions. A pause is needed to develop better approaches to testing, not just of the security, but the safety of machine-learning and artificial-intelligence models. These include ChatGPT, self-driving vehicles, and autonomous drones.

A steady stream of security researchers and technologists have already found ways to circumvent protections placed on AI systems, but society needs to have broader discussions about how to test and improve safety, say Ottenheimer, who will give a presentation on the topic at the RSA Conference in San Francisco next week.

"Especially from the context of a pentest, I'm supposed to go in and basically assess \[an AI system\] for safety, but what's missing is that we're not making a decision about whether it is safe, whether the application is acceptable," he says. A server's security, for example, does not speak to whether the system is safe "if you are running the server in a way that's unacceptable ... and we need to get to that level with AI."

With the introduction of ChatGPT in November, interest in artificial intelligence and machine learning — already surging due to applications in the data science field — took off. The eerie capabilities of the large language model (LLM) to seemingly understand human language and to synthesize coherent responses has led to a surge in proposed applications based on the technology and other forms of AI. ChatGPT has already been used to triage security incidents,  and a more advanced LLM forms the core of Microsoft's Security Copilot.

Yet the generative pre-trained transformer (GPT) is just one form of AI model, and all of them can have significant problems with bias, false positives, and other issues.

**Exploiting Robots Is Easy**

These shortcomings, and a general lack of explainability in AI models, means that any model can be attacked in ways that the creators may not have imagined, Inrupt's Ottenheimer will say in his RSA Conference presentation, Pentesting AI: How to Hunt a Robot. If AI models are quickly adopted without adequate study, they may make their way into critical application, where they could be attacked or fail spectacularly, he says.

"It's actually super easy to make them fail," Ottenheimer says. "Most people are looking at it as, 'Can I fool it in this one area?' but that's not the discussion you should be having, because — oh my god — you're using this technology in a totally inappropriate way."

Recent research demonstrates how simple attacking AI can be. Asking ChatGPT to mimic specific people, also known as assigning it a persona, can result in the AI model breaking its guardrails, according to a team of researchers from the Allen Institute for AI, the Georgia Institute of Technology, and Princeton University. The researchers had ChatGPT assume a variety of personas, and even a general persona — such as a "bad person" — can result in the large language model using toxic language, the team stated in a paper published on April 11.

With a plethora of products already shipping using ChatGPT, the researchers warn that it can unexpectedly result in harmful behavior.

"We hope that our findings inspire the broader AI community to rethink the efficacy of current safety guardrails and develop better techniques that lead to robust, safe, and trustworthy AI systems," the researchers stated in their paper.

**Time to Turn Off the Tech & Do a Reset**

Ottenheimer breaks down AI tests into six categories based on the traditional CIA triad: Confidentiality, integrity, and availability. False positives, for example, can lead to significant costs for society, such as emergency responders who are overtaxed because skiers' Apple watches are dialing 9-1-1 due to jarring runs down slopes. The academic research on using personas to jailbreak ChatGPT's content protections is similar to other research, which created a persona DAN (Do Anything Now) that allowed users to bypass safeguards.

Companies and researchers need to find ways to do a hard reset of such systems, to purge any toxic inputs, but at the same time teach the AI to take such actions in the future.

"You actually have to reset it, such that the harms don't happen again, or you have to reset it in a way that the harms can be undone," Ottenheimer says.

Finally, the threat to privacy is a significant threat as well as large language models use a vast data set, typically copied from the Internet, without the permissions of the publishers of that data. Italy has given OpenAI until the end of April to find ways to protect people's data and allow correction or deletion. And the efforts may grow as the European Data Protection Board (EDPB) has launched a task force dedicated to studying the issue and fostering cooperation.

Pen Testers Need to Hack AI, but Also Question Its Existence

A little preconference reconnoitering of upcoming seminars, keynotes, and track sessions makes plotting your days easier. Here's one attendee's list.

San Francisco's Moscone Center will soon be overrun by cybersecurity's biggest conference of the year. Next week, RSAC 2023 will bring together the best and brightest cybersecurity leaders and innovators from around the world to partake in a packed schedule of introductions, meetings, and cocktail parties — not to mention a laundry list of panel sessions led by the biggest names in the industry covering just about every topic in the field.

It can be difficult to decide which sessions to pick out of RSAC 2023's list of 500-plus options. This is why it's important to plan in advance and select sessions strategically.

**My Top Five Picks**

As a founder of an early-stage data security company, I've focused my selection on sessions that will be most useful to my company-building journey. This includes those that might help hone my value propositions and product direction as well as any that could keep me ahead of my field's top trends. After careful consideration, here are my top five picks.

****Achieving Privacy and Data Protection Through Careful Design****

Monday, April 24

**Why you should attend:** This session promises an interactive discussion about privacy-by-design and other solutions that both prevent privacy harm and deliver business value. This underscores a larger trend in enterprise need for security and protection solutions to offer at least one business-related value proposition beyond ROI for risk aversion. I'm hoping that this session will provide new insight into how enterprise data security postures and business needs converge.

****The Perfect Storm: Preparing Today for the Future State of Cloud Security****

Monday, April 24

**Why you should attend:** The CSA Summit is one of RSA's largest events, taking place as a series of sessions over the course of one day. Exploring the themes of resilience, compliance, state of the art, and confidential computing, the summit will cover all angles of the cloud's increasing mission-critical role in keeping businesses productive. Keen on staying ahead of the market, the panel I'm particularly interested in will predict the future threat landscape of cloud security and corresponding enterprise needs. Given that cloud data stores house the majority of today's enterprise data, this is a session data security entrepreneurs can't miss.

****Cyber Defense Matrix Learning Lab****

Thursday, April 27

**Why you should attend:** This session will feature an overview of the Cyber Defense Matrix (CDM) by its creators. The CDM was developed to help cybersecurity leaders better contextualize and organize their security programs. Understanding it can provide direct insight into how cybersecurity customers think as well as the decision-making processes they use. I recommend this session to anyone looking to build a product message that will resonate with their target audience.

****The Path Forward for the United States' Data Security and Privacy Gap****

Wednesday, April 26

**Why you should attend:** In another interactive discussion, attendees will have the opportunity to explore how data security and privacy converge, as well as discover emerging federal compliance trends. Security and privacy are often conflated, and this can cause confusion when it comes to delegating clear risk owners. In addition to discussing updates in federal policies for each field, this session will provide insight into the latest best practice interpretations of their relationship and boundaries.

****Cybersecurity as a Strategic Asset****

Wednesday, April 26

**Why you should attend:** I recommend this session for entrepreneurs who want a look into how cybersecurity actually operates within an organization. This is key to understanding how cybersecurity responsibilities and stakeholders are delegated, as well as how cybersecurity culture forms, to design a seamless integration process for your product.

**Final Thoughts**

In truth, between all the shoulder-rubbing, I believe the audience chair of these sessions is the perfect place to seek refuge for recharging my social battery. These sessions can also be easy opportunities to meet peers who share my interests. I hope these sessions will prove useful and interesting for you, too!

Top 5 Data Security RSAC 2023 Sessions to Attend

Microsoft zero-days, dark web forum takedowns and Pentagon leaks on Discord in this week's newsletter.

Thursday, April 13, 2023 14:04

Welcome to this week’s edition of the Threat Source newsletter.

Law enforcement organizations across the globe notched a series of wins over the past few weeks against online forums for cybercriminals.

On March 23, the FBI announced it disrupted the online cybercriminal marketplace BreachForums, known for being a place where users could buy and sell stolen user information. They also arrested a 20-year-old suspected of being the site’s founder and main administrator.

Then last week we had “Operation Cookie Monster” in which several international agencies worked together to take down Genesis Market, a similar dark web forum, arresting dozens of suspected users and administrators.

These arrests and network operations are important in that they disrupted sites that were known for highly sensitive information and served as a place for some of the most prolific cyber criminals to make money. The U.S. Department of Justice estimated that Genesis Market was responsible for the sale of data on more than 1.5 million compromised computers around the world containing over 80 million account access credentials. And the U.K.’s National Crime Agency (NCA) said credentials were available for as little as 70 cents to hundreds of dollars depending on the stolen data available.

But the user base for these sites was also huge (after all, someone had to be buying those credentials). At the time of its takedown, BreachForums had 340,000 members, according to the FBI. And reporting on Operation Cookie Monster stated that Genesis Market had 59,000 registered users.

So while it’s great that these sites have been disrupted, I can’t help but assume that two more sites are going to pop up to service these cyber criminals. It’s impossible for any agency to arrest 340,000 people, so even if a handful of administrators are restricted from accessing the internet for a while, the other 339,000 people are going to be looking for a new home.

Some of the same agencies celebrated in March 2021 that they disrupted Emotet, one of the most infamous botnets ever. As anyone who follows security news will know, Emotet didn’t actually go anywhere and was recently rebooted as recently as last month, according to our research.

RaidForums, a forefather of BreachForums, was also disrupted in April 2022, along with the arrest of several administrators and accomplices.

All of this is not to discount the great strides made in the past few weeks in disrupting these marketplaces and taking them offline. But a lot of these headlines are sounding familiar to me after a few years, so it’s important to remember that we as a security community can’t take our foot off the gas and assume that because there were a few big wins that dark web forums are just going to go away forever.

**The one big thing**

Microsoft’s Patch Tuesday for April included another zero-day vulnerability in the Windows Common Log File System Driver. CVE-2023-28252, which could allow an attacker to obtain SYSTEM privileges, is actively being exploited in the wild, according to Microsoft. The U.S. Cybersecurity and Infrastructure Security Agency already added the vulnerability to its list of know exploited issues and urged federal agencies to patch it as soon as possible. Microsoft disclosed a similar zero-day issue in September that could also lead to the same privileges: CVE-2022-37969.

**Why do I care?**

Security researchers say that the vulnerability has already been exploited in Nokoyawa ransomware attacks, so it’s important to patch this issue as soon as possible. The Nokoyawa ransomware is known for targeting 64-bit Windows systems in double extortion attacks in which the actors encrypt targets’ files and then threaten to leak them unless the ransom is paid.

**So now what?**

Microsoft has a patch available, so all Windows users should update now if they haven’t already. Talos also has new Snort detection coverage available for CVE-2023-28252 and other vulnerabilities disclosed as part of Patch Tuesday.

**Top security headlines of the week**

**A trove of classified military documents and images leaked on several social media channels** over the past week, including potentially sensitive information on Russia’s invasion of Ukraine and China’s military plans. The images first surfaced in a Discord channel, eventually making their way onto the Telegram messaging app, the popular forum 4Chan and then broader social media sites like Twitter. The U.S. Department of Justice and the Pentagon have since launched a formal investigation into the leaks. Ukrainian officials have blamed Russian actors for the leaks, trying to cast doubt on the authenticity of the images, while Russia accused Western governments of trying to spread disinformation. (Bellingcat, New York Times)

**Apple released patches for two zero-day vulnerabilities** targeting current and older versions of iOS, iPadOS, macOS and Safari that attackers were exploiting in the wild. The vulnerabilities, CVE-2023-28206 and CVE-2023-28205, could lead to arbitrary code execution. CVE-2023-28206 specifically could allow an adversary to execute code with kernel privileges. Apple initially patched the issue in current iPhones and other devices and followed up a few days later with fixes for older hardware like the iPhone 8. This was the third instance of Apple patching a zero-day vulnerability since the start of the year. (SC Media, Security Week)

**The FBI warned users again this week against plugging their phones in public charging stations** at common spaces like airports, hotels and shopping centers. The agency stated that threat actors have found ways to use the public USB ports to “introduce malware and monitoring software onto devices." Instead, the Federal Communications Commission suggests users carry their own USB cables and charging blocks to plug directly into outlets rather than relying on or trusting a cable. However, the tweet from the FBI’s Denver office did not offer examples of any recent attacks that would have prompted a fresh warning. (Axios, NBC News)

**Can’t get enough Talos?**

*   How threat actors are using AI and other modern tools to enhance their phishing attempts
*   How do you hunt cybersecurity threats in a war zone? Like this
*   Cisco unveils latest security trends from Cisco Talos report at GISEC 2023
*   Researcher Spotlight: Giannis Tziakouris first learned how to fix his family’s PC, and now he’s fixing networks all over the globe

**Upcoming events where you can find Talos**

**RSA** **(April 24 - 27)**

San Francisco, CA

**Cisco Talos Incident Response: On Air** **(April 27)**

Virtual

**Cisco Live U.S.** **(June 4 - 8)**

Las Vegas, NV

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** e248b01e3ccde76b4d8e8077d4fcb4d0b70e5200bf4e738b45a0bd28fbc2cae6  
**MD5:** 1e2a99ae43d6365148d412b5dfee0e1c  
**Typical Filename:** PDFpower.exe  
**Claimed Product:** PdfPower  
**Detection Name:** Win32.Adware.Generic.SSO.TALOS

**SHA 256:** f3d5815e844319d78da574e2ec5cd0b9dd0712347622f1122f1cb821bb421f8f  
**MD5:** a2d60b5c01a305af1ac76c95e12fdf4a  
**Typical Filename:** KMSAuto.exe  
**Claimed Product:** N/A  
**Detection Name:** W32.File.MalParent

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

Threat Source newsletter (April 13, 2023) — Dark web forum whac-a-mole

Talos also alerted Lenovo that the clock’s hardcoded root password is weak and easily guessed or cracked.

Thursday, April 13, 2023 10:04

_Kelly Leuschner and Thorsten Rosendahl discovered this vulnerability._

Cisco Talos researchers recently discovered a vulnerability in the Lenovo Smart Clock Essential that could allow an attacker to completely take over the device if they have access to the network the clock is connected to.

TALOS-2023-1692 (CVE-2023-0896) exists because the smart clock does not change its hardcoded credentials once it's set up and connected to the network. Therefore, an attacker could use a specially crafted command line argument to gain full control of the device using SSH or telnet if they already have network access.

Talos also alerted Lenovo that the clock’s hardcoded root password is weak and easily guessed or cracked. Even on low-end hardware, and with a basic dictionary, the brute force took less than a second.

The default username is “root” and the default password is “123456”.

The clock includes a built-in microphone to accept voice commands and connects to the popular Amazon Alexa smart home system and AI assistant.

The file system is accessible and offers enough room to install undesired software/services.

Cisco Talos worked with Lenovo to ensure that these issues are resolved and an update is available for affected users, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update these affected products as soon as possible: Lenovo Group Ltd. Smart Clock Essential, version 4.9.113. Talos tested and confirmed this version of the clock could be exploited by this vulnerability. Users should update to Lenovo Smart Clock Essential software version 90 or later to fix this vulnerability, according to Lenovo. (The version information can be checked in your Alexa App under “Devices.”)

The following Snort rule will detect exploitation attempts against this vulnerability: 61094. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall Management Center or Snort.org.

Vulnerability Spotlight: Hard-coded password vulnerability could allow attacker to completely take over Lenovo Smart Clock

Tools like ChatGPT aren't making social engineering attacks any more effective, but it does make it faster for actors to write up phishing emails.

Thursday, April 13, 2023 00:04

*   Phishing attacks are increasingly more targeted and customized than in the past.
*   The proliferation of additional communications channels such as mobile devices and social media provides attackers with new avenues to phish users.
*   The technology behind phishing attacks evolves as necessary for cybercriminals to bypass content filters and successfully transmit and display the phishing content to the victims.
*   Artificial Intelligence (AI) apps provide attackers with the means to generate highly customized content that makes phishing lures even more convincing.

Cybercriminals often find it easier to trick users into compromising their own security rather than utilizing exploits or highly technical attacks to break into networks. Deceiving users to convince them into divulging sensitive information or take inappropriate actions is known as “social engineering” and this tactic can be extremely effective, regardless of whatever technological defenses have been deployed. As a result, social engineering has become a mainstay in cybercriminals’ arsenals.

Social engineering can take many forms. However, by far the most popular type of contemporary social engineering is phishing. Phishing is the practice of sending victims fraudulent communications that appear to come from a reputable source. It is most often performed through email though other communications platforms such as phone calls and text messages on mobile devices, social media, or chat rooms can also play host to phishing attacks.

The goal of a phishing attack is to steal sensitive data like credit card and/or login information or to install malware on the victim's machine. Phishing has evolved considerably over the past dozen-or-so years. We now have many different subtypes of phishing, including spear phishing (targeting specific users in phishing attacks), whaling (phishing specific high-profile users who have considerable resources or access privileges), smishing (phishing users via SMS messages), quishing (phishing using QR codes) and vishing (telephone-based phishing).

**Phishing attacks have become more targeted**

The earliest phishing attacks, such as those conducted via instant messaging applications like AOHell, intentionally cast a broad net, aiming to snare as many victims as possible. However, phishing in this way has become less effective over time. In order for a phishing attack to succeed, an attacker must first deliver their phishing messages to the victims, and sending a large volume of similar-looking phishing messages to a large number of recipients attracts a considerable amount of attention from security devices and personnel.

On the other hand, only sending a handful of phishing emails is orders of magnitude more difficult for network defenders to prevent. This is the idea behind spear phishing: Attackers narrow the phishing target pool down to a smaller desired group of victims who can be sent a more customized phishing attack. The smaller volume of email increases the odds the message will be successfully delivered to the users and will not be filtered out or flagged by network security devices, and customization raises the likelihood the recipient will view the email as legitimate.

**More locations for phishing**

The proliferation of mobile devices and social media applications has provided phishers with multiple vehicles besides email in which to conduct their attacks. Phishers have been known to use applications such as LinkedIn, Instagram, Facebook, Telegram, Discord, Twitter and other social media apps to transmit phishing messages to victims. We also now regularly receive phishing messages transmitted over SMS and even using QR codes.  

A phishing link to “metamask.lc” is tweeted in reply to a tweet from the real @MetaMask Twitter account.‌ ‌

An example of an SMS phish using a link shortener to hide the true destination URL.

Not all phishing happens online. Some phishers now take a hybrid approach where phishing emails are transmitted, but rather than containing a link to a phishing website or malware, the email contains a phone number that the victim is meant to call where the victim can then be further socially engineered over the telephone.

**Evasion tactics help bypass security devices and fool users**

Security devices are constantly monitoring the network for signs of phishing content and then marking the content as fraudulent or even discarding phishing messages altogether. Today, a successful cybercriminal must find ways around the anti-phishing security technology in place. There are several ways today’s cybercriminals attempt this:

*   Placing text information or links inside images.
*   Using large attachments that cannot be scanned due to their size.
*   HTML smuggling.
*   Using various attachment file types (.doc, .one, .lnk, password-protected .zip).
*   Hiding phishing links behind link-shortening services.
*   Varying the phishing message content by including hidden garbage text pulled from books.
*   Using links to lookalike domain names, known as typosquatting, or domain names that have specially crafted subdomains, ex. www.office.com.login.evilbadguy.com.
*   Transmitting messages from compromised legitimate accounts.
*   Using the browser-in-the-browser technique.

**More convincing phishing lures**

Contemporary phishing lures tend to fall into two basic categories. Many phishing messages attempt to replicate transactional messages, for example, an invoice or receipt for a purchase. Other phishing messages tend to target victims who are eager for news about specific topics, such as current events, natural disasters or the latest celebrity gossip.

With readily accessible open-source information and publicly available breach data, there can be a substantial trove of sensitive information concerning individuals/groups that is freely available online to attackers who are motivated enough to search. This information can be used to customize phishing emails and make phishing content even more relevant to the victims.

To aid in customizing phishing content, attackers are increasingly turning to AI apps such as ChatGPT that can be used to generate phishing content that sounds quite convincing. Fortunately, the designers of ChatGPT have built some guardrails so that attackers cannot simply ask ChatGPT to generate a phishing lure.

However, by phrasing the question a little differently, ChatGPT will help generate convincing content for use in phishing attacks.

Over the past few years, we have seen how some attackers, such as those behind Emotet, have leveraged existing email threads to compel targets to open attachments or click links. Using AI applications similar to ChatGPT, those malicious emails could be customized based on the context of those prior threads.

Voice cloning is another piece of AI technology that is expected to play a role in future phishing attacks. Deepfake technology has already progressed to the point that users can be fooled by a familiar voice over the telephone and once deepfake tools become more widely available, we expect attackers to deploy this as an additional mechanism to phish users.

**Protecting users from today’s phishing attacks**

Of course, as phishing content becomes easier to generate and customize to a specific victim, it becomes increasingly harder to defend. Educating users about how to recognize a phishing attack can be helpful. Additionally, deploying multi-factor authentication such as Cisco Duo is a solid defense that can thwart phishing attacks. Understanding regular network traffic patterns using products like Cisco Secure Network Analytics can help your network security personnel recognize unusual activity that could be related to a successful phishing attack. It is also a good idea to have your email delivered through a secure gateway such as Cisco Secure Email that can scan the email contents for phishing, malware and other email-based attacks. DNS security products such as Cisco Umbrella can help prevent users from navigating to or downloading content from phishing domains.

How threat actors are using AI and other modern tools to enhance their phishing attempts

If attackers use your stolen login information or set up wire transfers, you might be out of luck.

Banking laws designed to protect Federal Deposit Insurance Corp. (FDIC)-insured accounts contain loopholes that strip consumers of coverage against certain cyberattacks.

Less than a month before the US Consumer Financial Protection Bureau hit Wells Fargo & Co. with the largest financial civil penalty ever for mismanagement of car loans, mortgages, and bank accounts In December 2022, a Wells Fargo customer suffered an account takeover of his consumer checking account that cost him $45,000. Well Fargo chose not to reimburse that customer, Kartik Gada, CFO and chief economist at a San Francisco-area company.

Documents show the attackers breached Gada's cell phone account, then accessed his bank login credentials from the phone's backup data. The attackers changed the bank login information, added the ability to send wire transfers and Zelle money transfers to the checking account, then used two traditional wire transfers to move $45,000 to a New York-based bank. The thieves then removed the funds from the other bank's account by the thieves. Wells Fargo maintained that since the attackers obtained Gada's valid bank login credentials, that was sufficient to deny reimbursing Gada.

Account takeovers are not uncommon. A Marina del Rey couple faced a similar attack but had their funds returned to them by Wells Fargo at roughly the same time as the Gada attack. However, the modus operandi of the attackers was different, as were the results.

Gada tells Dark Reading that Well Fargo denied his request to funds to be returned because the bank claims he "failed to protect his password security." Gada says a bank representative told him that while it acknowledged the attack, it still declined to reimburse him.

In the final resolution letter Wells Fargo sent to Gada, the bank wrote, "According to the Online Access Agreement, you are responsible for keeping your username and password confidential, and for actions taken by anyone using the Service after signing in with your username and password, or any other Wells Fargo approved authentication control, except as otherwise provided by law or regulation. We are entitled to rely and act upon instructions received under your username and password."

**Inadequate Bank Oversight**

Jay Hack, a partner at the New York law firm Gallet Dreyer & Berkey, LLP, says the bank's "procedures for due diligence with respect to customers is obviously failing and the filtering software to filter out suspicious transactions is obviously failing. This transaction has all of the conditions of being a theft."

Once the bank's systems recognized the change in how the customer had been using the personal checking account and the swift changes to the account the night of the account takeover, the bank's monitoring software should have alerted authorities, he asserts. There are two possible reasons why it might not have done so, he notes. The first is the software was misconfigured to not "kick out suspicious transactions." Another is that even if the alert was noted, it could have been ignored.

A major bank, Hack says, should have software that identifies account takeovers and unusual actions — such as changing passwords and then adding and immediately using wire transfer capabilities — and kicks out an alert.

**Finessed Legal Justifications**

Wells Fargo ignored multiple requests by Dark Reading to comment on its decision not to compensate Gada. It also would not comment on why the bank's security controls did not flag the anomalies occurring on the account and why no bank employee tried to confirm the unusual changes to the account before processing the transactions.

While the Comptroller of the Currency's office and the Consumer Financial Protection Bureau both declined to discuss the specifics of Gada's situation, both organizations directed Dark Reading to documents concerning the Electronic Fund Transfer Act and Regulation E. One carve-out that Wells Fargo used as a reason to deny compensating the customer is that the attackers implemented wire-transfer capabilities, which specifically is not covered under Regulation E.

Wells Fargo's response to the breach was to redefine the personal checking account as a brokerage account due to the attackers' actions and subsequently told the client different rules applied to the brokerage account, Gada said. The bank chose to follow Universal Commercial Code (UCC) 4A-202, which addresses wire transfers and has different "good faith" rules than does Regulation E. A short PowerPoint description of the regulations can be found on the FDIC's website.

Wells Fargo's position is that a customer is responsible for losses if the attackers use a wire transfer to steal money from the customer's checking account. Should the attackers have chosen a different approach, such as a money transfer application such as Zelle or PayPal or an Automated Clearing House (ACH) transfer, the FDIC would have required the bank to reimburse Gada under Regulation E.

The bank chose not to address why the victim of a crime would be subject to UCC 4A, which requires an agreement between the bank and the customer. As the attackers caused the change in account status and not Gada, this raised the question of whether this was a legal contract between the customer and bank.

Hack says that banks can get away with such denials because the cost of litigation is often far higher than the consumer's loss. It does not become profitable for specialty law firms to file lawsuits until the customer's losses are $1 million or more, he notes.

When Banking Laws Don't Protect Consumers From Cybertheft

Categories: Exploits and vulnerabilities
Categories: News
Tags: Microsoft

Tags:  Apple

Tags:  Google

Tags:  Adobe

Tags:  Cisco

Tags:  SAP

Tags:  Mozilla

Tags:  CVE-2023-28252

Tags:  CVE-2023-28231

Tags:  CVE-2023-21554

Tags:  Word

Tags:  Publisher

Tags:  Office

One fixed vulnerability is being actively exploited by a ransomware gang and many others were fixed in this month's Patch Tuesday updates.



(Read more...)




The post Update now! April’s Patch Tuesday includes a fix for one zero-day appeared first on Malwarebytes Labs.

Posted: April 12, 2023 by

It’s Patch Tuesday again. Microsoft and other vendors have released their monthly updates. Among a total of 97 patched vulnerabilities there is one actively exploited zero-day.

Microsoft classifies a vulnerability as a zero-day if it is publicly disclosed or actively exploited with no official fix available. The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The actively exploited zero day is listed as CVE-2023-28252.

CVE-2023-28252 is an elevation of privilege (EoP) vulnerability in the Windows Common Log File System (CLFS) driver. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges, which is the highest level of privilege on Windows systems. This is the type of vulnerability that we can expect to see chained with other vulnerabilities. Once an attacker has access, EoP vulnerabilities allow them to exploit that access to the fullest.

CISA has already added the CVE-2023-28252 Windows zero-day to its catalog of Known Exploited Vulnerabilities, which means federal (FCEB) agencies have until May 2, 2023 to patch against it.

Given the reach and simplicity of exploitation, this vulnerability is bound to be very popular among cybercriminals, and so it should be patched as soon as possible. CLFS is present in all Windows versions and so is the vulnerability. Exploitation does not require any user interaction and the vulnerability is already in use by at least one ransomware gang.

Another vulnerability to keep an eye on is CVE-2023-28231, a DHCP Server Service remote code execution (RCE) vulnerability. It is rated as critical with a CVSS score of 8.8 out of 10. Even though the attacker would need access to the network to successfully exploit this vulnerability, Microsoft has it listed as “Exploitation more likely.”

Another one that Microsoft deems more likely to be exploited is CVE-2023-21554, an RCE vulnerability in Microsoft Message Queuing (MSMQ) with a CVSS score of 9.8 out of 10. To exploit this vulnerability, an attacker would need to send a specially crafted malicious MSMQ packet to a MSMQ server. This could result in remote code execution on the server side.

A few others we can expect to see, especially in the form of email attachments, are several RCE vulnerabilities in Microsoft Office, Word, and Publisher \[2\]. All these vulnerabilities require the user to open a malicious file. So this is something we can typically expect to see a lot in phishing campaigns.

**Other vendors**

Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.

Adobe has released security updates for several products:

*   Digital Editions
*   InCopy 
*   Acrobat and Reader
*   Substance 3D Stager
*   Dimension 
*   Substance 3D Designer

Apple released emergency updates for two known-to-be-exploited vulnerabilities.

Cisco released security updates for multiple products.

Google has released updates for the Chrome browser and for Android.

Mozilla has released security advisories for vulnerabilities affecting multiple Mozilla products:

*   Firefox 112, Firefox for Android 112, Focus for Android 112
*   Firefox ESR 102.10
*   Thunderbird 102.10

SAP has released its April 2023 updates.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

**RELATED ARTICLES**

Update now! April’s Patch Tuesday includes a fix for one zero-day

It's the second Tuesday of the month, and Microsoft has released another set of security updates to fix a total of 97 flaws impacting its software, one of which has been actively exploited in ransomware attacks in the wild.
Seven of the 97 bugs are rated Critical and 90 are rated Important in severity. Interestingly, 45 of the shortcomings are remote code execution flaws, followed by 20

Patch Tuesday / Software Updates

It's the second Tuesday of the month, and Microsoft has released another set of security updates to fix a total of 97 flaws impacting its software, one of which has been actively exploited in ransomware attacks in the wild.

Seven of the 97 bugs are rated Critical and 90 are rated Important in severity. Interestingly, 45 of the shortcomings are remote code execution flaws, followed by 20 elevation of privilege vulnerabilities. The updates also follow fixes for 26 vulnerabilities in its Edge browser that were released over the past month.

The security flaw that's come under active exploitation is CVE-2023-28252 (CVSS score: 7.8), a privilege escalation bug in the Windows Common Log File System (CLFS) Driver.

"An attacker who successfully exploited this vulnerability could gain SYSTEM privileges," Microsoft said in an advisory, crediting researchers Boris Larin, Genwei Jiang, and Quan Jin for reporting the issue.

CVE-2023-28252 is the fourth privilege escalation flaw in the CLFS component that has come under active abuse in the past year alone after CVE-2022-24521, CVE-2022-37969, and CVE-2023-23376 (CVSS scores: 7.8). At least 32 vulnerabilities have been identified in CLFS since 2018.

According to Russian cybersecurity firm Kaspersky, the vulnerability has been weaponized by a cybercrime group to deploy Nokoyawa ransomware against small and medium-sized businesses in the Middle East, North America, and Asia.

"CVE-2023-28252 is an out-of-bounds write (increment) vulnerability that can be exploited when the system attempts to extend the metadata block," Larin said. "The vulnerability gets triggered by the manipulation of the base log file."

In light of ongoing exploitation of the flaw, CISA added the Windows zero-day to its catalog of Known Exploited Vulnerabilities (KEV), ordering Federal Civilian Executive Branch (FCEB) agencies to secure their systems by May 2, 2023.

Also patched are critical remote code execution flaws impacting DHCP Server Service, Layer 2 Tunneling Protocol, Raw Image Extension, Windows Point-to-Point Tunneling Protocol, Windows Pragmatic General Multicast, and Microsoft Message Queuing (MSMQ).

The MSMQ bug, tracked as CVE-2023-21554 (CVSS score: 9.8) and dubbed QueueJumper by Check Point, could lead to unauthorized code execution and take over a server by sending a specially crafted malicious MSMQ packet to an MSMQ server.

"The CVE-2023-21554 vulnerability allows an attacker to potentially execute code remotely and without authorization by reaching the TCP port 1801," Check Point researcher Haifei Li said. "In other words, an attacker could gain control of the process through just one packet to the 1801/tcp port with the exploit, triggering the vulnerability."

Two other flaws discovered in MSMQ, CVE-2023-21769 and CVE-2023-28302 (CVSS scores: 7.5), could be exploited to cause a denial-of-service (DoS) condition such as a service crash and Windows Blue Screen of Death (BSoD).

UPCOMING WEBINAR

Learn to Secure the Identity Perimeter - Proven Strategies

Improve your business security with our upcoming expert-led cybersecurity webinar: Explore Identity Perimeter strategies!

Don't Miss Out – Save Your Seat!

Microsoft has also updated its advisory for CVE-2013-3900, a WinVerifyTrust signature validation vulnerability, to include the following Server Core installation versions -

*   Windows Server 2008 for 32-bit Systems Service Pack 2
*   Windows Server 2008 for x65-based Systems Service Pack 2
*   Windows Server 2008 R2 for x64-based Systems Service 1
*   Windows Server 2012
*   Windows Server 2012 R2
*   Windows Server 2016
*   Windows Server 2019, and
*   Windows Server 2022

The development comes as North Korea-linked threat actors have been observed leveraging the flaw to incorporate encrypted shellcode into legitimate libraries without invalidating the Microsoft-issued signature.

**Software Patches from Other Vendors**

In addition to Microsoft, security updates have also been released by other vendors in the last few weeks to rectify several vulnerabilities, including —

*   Adobe
*   AMD
*   Android
*   Apache Projects
*   Apple
*   Arm
*   Aruba Networks
*   Cisco
*   Citrix
*   CODESYS
*   Dell
*   Drupal
*   F5
*   Fortinet
*   GitLab
*   Google Chrome
*   HP
*   IBM
*   Jenkins
*   Juniper Networks
*   Lenovo
*   Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
*   MediaTek
*   Mozilla Firefox, Firefox ESR, and Thunderbird
*   NETGEAR
*   NVIDIA
*   Palo Alto Networks
*   Qualcomm
*   Samba
*   Samsung
*   SAP
*   Schneider Electric
*   Siemens
*   SonicWall, and
*   Sophos

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Urgent: Microsoft Issues Patches for 97 Flaws, Including Active Ransomware Exploit

April is the third month in a row in which at least one of the vulnerabilities Microsoft released in a Patch Tuesday had been exploited in the wild prior to disclosure.

Tuesday, April 11, 2023 15:04

Microsoft released its monthly round of security updates and patches today, continuing its trend of fixing zero-day vulnerabilities on Patch Tuesday.

April's security update includes one vulnerability that’s actively being exploited in the wild. There are also eight critical vulnerabilities and the remaining 90 are considered “important.”

CVE-2023-28252, an elevation of privilege vulnerability in the Windows Common Log File System Driver, is actively being exploited in the wild, according to Microsoft, though proof of concept code is not currently available. An adversary could exploit this vulnerability to gain SYSTEM privileges.

The U.S. Cybersecurity and Infrastructure Security Agency already added the vulnerability to its list of know exploited issues and urged federal agencies to patch it as soon as possible.

Microsoft disclosed a similar zero-day issue in September that could also lead to the same privileges: CVE-2022-37969. April is the third month in a row in which at least one of the vulnerabilities Microsoft released in a Patch Tuesday had been exploited in the wild prior to disclosure.

Two of the critical vulnerabilities Microsoft also patched are in the Layer 2 Tunneling Protocol: CVE-2023-28219 and CVE-2023-28220. An unauthenticated attacker could send a specially crafted connection request to a RAS server, which could lead to remote code execution on the RAS server machine. These vulnerabilities do not require any user interaction to be exploited, but the adversary would need to win a race condition to be successful.

One of the most severe issues is CVE-2023-21554, a remote code execution vulnerability in the Microsoft Message queuing system. Microsoft considers exploitation of this vulnerability to be “more likely,” and it received a CVSS severity score of 9.8 out of 10. Users who want to check to see if they’re being targeted by the exploitation of this vulnerability can run a check to see if there’s a service named “Message Queuing” on their machine, and if TCP port 1801 is listening on the machine.

CVE-2023-28231, a remote code execution vulnerability on the DHCP server service, is also considered “more likely” to be exploited. An attacker could exploit this vulnerability by sending a specially crafted RCP call to the targeted DHCP server. However, the adversary first must gain access to the restricted network.

There are four other critical vulnerabilities, though Microsoft considers them “less likely” to be exploited:

*   CVE-2023-28232: Windows Point-to-Point Tunneling Protocol remote code execution vulnerability

*   CVE-2023-28240: Windows Network Load Balancing remote code execution vulnerability    
    CVE-2023-28250: Windows Pragmatic General Multicast (PGM) remote code execution vulnerability
*   CVE-2023-28291: Raw Image Extension remote code execution vulnerability

A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 61606, 61607 and 61613 - 61620. There are also Snort 3 rules 300496, 300499 and 300500.

Microsoft Patch Tuesday for April 2023 — Snort rules and prominent vulnerabilities

A stored Cross-Site Scripting (XSS) vulnerability in the Chat gadget in Upstream Works Agent Desktop for Cisco Finesse through 4.2.12 and 5.0 allows remote attackers to inject arbitrary web script or HTML via AttachmentId in the file-upload details.

**UPSTREAM WORKS NOTIFICATIONS**

**Upstream Works Not Affected by Apache Log4j Library Vulnerabilities**

December 17, 2021 – This notification is in reference to the recent report about potential vulnerabilities in the Apache Log4j Logging library affecting all Log4j2 versions prior to 2.15.0.

Tag

#cisco