Microsoft today released updates to plug at least 89 security holes in its Windows operating systems and other software. November's patch batch includes fixes for two zero-day vulnerabilities that are already being exploited by attackers, as well as two other flaws that were publicly disclosed prior to today.

**Microsoft** today released updates to plug at least 89 security holes in its **Windows** operating systems and other software. November’s patch batch includes fixes for two zero-day vulnerabilities that are already being exploited by attackers, as well as two other flaws that were publicly disclosed prior to today.

The zero-day flaw tracked as CVE-2024-49039 is a bug in the **Windows Task Scheduler** that allows an attacker to increase their privileges on a Windows machine. Microsoft credits Google’s **Threat Analysis Group** with reporting the flaw.

The second bug fixed this month that is already seeing in-the-wild exploitation is CVE-2024-43451, a spoofing flaw that could reveal Net-NTLMv2 hashes, which are used for authentication in Windows environments.

**Satnam Narang**, senior staff research engineer at **Tenable**, says the danger with stolen NTLM hashes is that they enable so-called “pass-the-hash” attacks, which let an attacker masquerade as a legitimate user without ever having to log in or know the user’s password. Narang notes that CVE-2024-43451 is the third NTLM zero-day so far this year.

“Attackers continue to be adamant about discovering and exploiting zero-day vulnerabilities that can disclose NTLMv2 hashes, as they can be used to authenticate to systems and potentially move laterally within a network to access other systems,” Narang said.

The two other publicly disclosed weaknesses Microsoft patched this month are CVE-2024-49019, an elevation of privilege flaw in **Active Directory Certificate Services** (AD CS); and CVE-2024-49040, a spoofing vulnerability in **Microsoft Exchange Server**.

**Ben McCarthy**, lead cybersecurity engineer at **Immersive Labs**, called special attention to CVE-2024-43639, a remote code execution vulnerability in **Windows Kerberos**, the authentication protocol that is heavily used in Windows domain networks.

“This is one of the most threatening CVEs from this patch release,” McCarthy said. “Windows domains are used in the majority of enterprise networks, and by taking advantage of a cryptographic protocol vulnerability, an attacker can perform privileged acts on a remote machine within the network, potentially giving them eventual access to the domain controller, which is the goal for many attackers when attacking a domain.”

McCarthy also pointed to CVE-2024-43498, a remote code execution flaw in **.NET** and **Visual Studio** that could be used to install malware. This bug has earned a CVSS severity rating of 9.8 (10 is the worst).

Finally, at least 29 of the updates released today tackle memory-related security issues involving **SQL server**, each of which earned a threat score of 8.8. Any one of these bugs could be used to install malware if an authenticated user connects to a malicious or hacked SQL database server.

For a more detailed breakdown of today’s patches from Microsoft, check out the SANS Internet Storm Center’s list. For administrators in charge of managing larger Windows environments, it pays to keep an eye on Askwoody.com, which frequently points out when specific Microsoft updates are creating problems for a number of users.

As always, if you experience any problems applying any of these updates, consider dropping a note about it in the comments; chances are excellent that someone else reading here has experienced the same issue, and maybe even has found a solution.

Microsoft Patch Tuesday, November 2024 Edition

The essays are to focus on the impact that artificial intelligence will have on European policy.

Source: Deco via Alamy Stock Photo

The Munich Security Conference is partnering with the European Cyber Conflict Research Initiative's Binding Hook on the AI-Cybersecurity Essay Prize Competition to explore the intersection of cybersecurity and artificial intelligence (AI).

As cyber threats rapidly evolve, AI is at the forefront, shaping the next generation of cyber defenses and bringing new challenges and opportunities, said Max Smeets, co-director of the European Cyber Conflict Research Initiative (ECCRI) and the European Cyber Conflict Research Incubator, in a statement. Researchers are invited to submit essays on how AI will change cybersecurity, its implications for Europe, and actionable recommendations for policymakers. Essays can reference previously published research, but the content should be reworked to provide new insights.

"Launching this competition is, for me, about opening the door to voices from a range of disciplines - encouraging contributions that speak to both the opportunities and risks AI presents for cybersecurity," Smeets said. "I also hope we will see not just analysis but ideas that policymakers can consider seriously; thoughtful pieces that get at the heart of what AI could mean for cybersecurity policy in Europe."

Essays will be reviewed by a board led by co-chairs Kersti Kaljulaid, former president of Estonia, and Shashank Joshi, defense editor at The Economist. Board members include Heather Adkins, vice president of security engineering and head of office of cybersecurity resilience at Google; Klaus Hommels, founder of Lakestar and chair of the board of directors at the NATO Innovation Fund; Mikko Hyppönen, a security and privacy expert; Maria Markstedter, founder of Azeria Labs; Eva Maydell, member of the European Parliament; and ECCRI's Smeets. Prizes will be awarded for the top five essays, starting at €10,000 (US$10,628) for the top prize and €5,000 (US$5314) for the runner-up. The winning author will also be invited to attend the 2025 Munich Security Conference.

Essays should be 800 to 1,200 words. The deadline for submissions is Jan. 2, 2025. 

**About the Author**

Dark Reading

The Edge is Dark Reading's home for features, threat data and in-depth perspectives on cybersecurity.

New Essay Competition Explores AI's Role in Cybersecurity

Adaptive Shield is the third security posture management provider the company has acquired in the last 14 months as identity-based attacks continue to rise.

Source: Artemis Diana via Alamy Stock Photo

CrowdStrike's spending spree for security posture management capabilities continued with a deal to buy Adaptive Shield, an Israeli startup  that specializes in securing organizations' SaaS ecosystems and protecting against identity-based attacks.

Last week's deal calls for CrowdStrike to pay cash and stock for Adaptive Shield; CrowdStrike expects to complete the transaction by the end of January 2025. Press reports estimate the value of the deal at around $300 million.

Founded in 2019, Adaptive Shield is one of many companies in the SaaS security posture management (SSPM) sector; others include AppOmni, DoControl, Obsidian, and Reco. 

Adaptive Shield's platform supports more than 150 SaaS applications including Adobe, Google Workspace, Microsoft 365, Salesforce, Slack, and Zoom. It monitors for misconfigurations and identity threats, and offers a no-code tool for custom SaaS applications called Integration Builder.

**Competitive Impact?**

Omdia senior principal analyst Rik Turner wonders whether the deal will prompt CrowdStrike's competitors like Cisco, Palo Alto Networks, and Sentinal One to follow suit with their own deals. Overall, it's been an active time for acquisitions of cloud and data security posture management (DSPM) startups, he noted. 

Adaptive Shield is CrowdStrike's third security posture management provider in the last 18 months. In October 2023, CrowdStrike bought Bionic, an early provider of application security posture management (ASPM), extending security risk visibility from code development to cloud deployment. 

Earlier this year, CrowdStrike bought Flow Security, another DSPM cloud platform that protects data at rest and in motion. "In contrast, there has been no such buying frenzy with SSPMs. CrowdStrike's acquisition of Adaptive Shield is the first deal of this kind, raising the question of whether it might start a trend among the purchaser’s competitors," Turner note in a recent report.

CrowdStrike emphasizes that the addition of Adaptive Shield will boost the capability of its Falcon platform to protect organizations against identity-based attacks by adding SaaS applications to the mix. 

Once integrated into Falcon, Adaptive Shield's SSPM platform will give organizations visibility into misconfigurations, unnecessary or rogue privileges, and activities undertaken among accounts of on-premises and cloud identity providers as well as SaaS security applications. The addition "provides organizations with granular visibility into their growing cloud environments, enables them to manage and secure their SaaS security posture and their human and non-human identities, and helps them detect and prevent identity-centric, cloud-focused cyberattacks," CrowdStrike president Michael Sentonas explained in a blog post.

CrowdStrike senior product manager for identity Ryan Terry buttressed that message at a company meeting last week in Amsterdam. "Our vision is to unify identity protection across the entire Falcon security platform that includes cloud security," he said. "That will bring ISPM, CIEM, and ITDR together in an integrated way, in one single platform to help you address today's modern identity challenges."

**Keying in on Identity**

SaaS connectors will improve visibility into threat activity and precursors to identity-based attacks, says Forrester Research principal analyst Andras Cser. And he believes adding SSPM to CrowdStrike Falcon will fill a gap in the platform's identity protection module.

"Identity-wise, CrowdStrike claims they have ITDR, but in reality, it's mainly cloud infrastructure entitlement management, addressing how admins have access to policies that drive privileges on things like \[AWS\] S3 buckets and Azure Blobs and things like that," Cser says. "It's not true \[identity and access management\] in the sense of user account provisioning-deprovisioning, federation, token service, and all these other types of things."

The Adaptive Shield SSPM and ITDR platform promises to provide a broad range of protection against such attacks by providing unified, hybrid identity management for SaaS-based apps and on-premises authentication, notably Microsoft's Active Directory.

Adaptive Shield's platform also continuously monitors generative AI-based SaaS applications for configuration shifts and enforces security standards and privileges. And it's designed to prevent data exfiltration and discover unauthorized AI applications. "Beyond identities, it also provides visibility into misconfigurations and other risks affecting SaaS applications so organizations can better manage these issues and detect and respond to threats," Sentonas added.

Identity-Based Attacks Continue to Mount

Vendor focus on identity isn't happening in a vacuum. Threat actors such as Scattered Spider and Cozy Bear (also known as APT29 and Midnight Blizzard) have actively exploited identity through various techniques, including password spraying, phishing, stealing legitimate credentials, and exploiting misconfigurations. 

After managing to get global administrator rights to MGM Resorts' Azure instances last year, Scattered Spider was able to exfiltrate data and disrupt its operations. Earlier this year, Microsoft was among the victims of a password spray attack by Russia-based Midnight Blizzard, compromising its corporate email systems. Overall, CrowdStrike has claimed that 80% of breaches now have an identity component.  

At the RSA Conference earlier in the year, Sentonas and CrowdStrike co-founder and CEO George Kurtz demonstrated how hackers exploit identity provider misconfigurations with phish-able authentication factors to gain access to highly privileged accounts. "They move laterally once they're inside an organization to achieve their outcome," Sentonas said.

**More Identity Features in the Wings**

Ross Penny, a principal technical strategist for CrowdStrike, said the company plans to roll out several tools to bolster CrowdStrike Falcon Identity by February 2025. Among recent and current deliverables include integration with AWS Identity Center, which reports on the "full picture" of risks associated with federated AWS accounts. 

"If you're only looking within AWS because it's federated, you lack a lot of information about it," Penny explained. "The fact that we know where that account lives and originates means you have a much wider variety of risk that you're able to use to calculate those access decisions and detections."

Penny said that CrowdStrike is also readying a policy management API that can be integrated into external workflows. CrowdStrike developed this API because many of its customers also use ServiceNow.

Early next year, CrowdStrike will extend integration with other identity providers, including Okta Universal Directory, Google Workspace, and AWS permission usage analysis. CrowdStrike also plans to add attack path detection across those multiple identity providers in 2025.

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 am ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, Dr. Max Smeets from ETH Zurich, and Elvia Finalle from Omdia. Register now!

**About the Author**

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

CrowdStrike Spends to Boost Identity Threat Detection

Aftermath of MOVEit vulnerability: Data vigilante ‘Nam3L3ss’ leaks nearly 8 million employee records from industry giants like Amazon,…

Aftermath of MOVEit vulnerability: Data vigilante ‘Nam3L3ss’ leaks nearly 8 million employee records from industry giants like Amazon, 3M, HP, and Delta, exposing cybersecurity flaws across major firms.

A “Data Vigilante” using the alias Nam3L3ss has leaked millions of employee records from global industry giants, in connection with the widespread **MOVEit vulnerability**. For your information, the MOVEit flaw is a security vulnerability in the MOVEit file transfer software, which many organizations use to share sensitive data.

Nam3L3ss, who denies being a hacker, began leaking the data on Friday, November 8, 2024. So far, sensitive and non-sensitive records from 27 companies, totalling 7,952,414 employee records, have been exposed. This includes 2,861,111 records from Amazon employees, a breach acknowledged by the company.

“Amazon and AWS systems remain secure, and we have not experienced a security event. We were notified about a security event at one of our property management vendors that impacted several of its customers including Amazon,” Amazon spokesperson Adam Montgomery told Hackread.com. “The only Amazon information involved was employee work contact information, for example, work email addresses, desk phone numbers, and building locations.”

****Data Analysis****

The Hackread.com research team conducted an in-depth analysis of each file leaked by Nam3L3ss, revealing that the data includes full names, email addresses, phone numbers, office addresses, residential addresses, company names, location coordinates, and more.

****List of Affected Companies and Employee Counts****

    3M: 48,630 employees
    
    HP: 104,119 employees
    
    Delta: 57,317 employees
    
    MetLife: 585,130 employees
    
    Amazon: 2,861,111 employees
    
    McDonald's: 3,295 employees
    
    Lenovo: 45,522 employees
    
    TIAA: 2,464,625 employees
    
    CalSTRS: 422,311 employees
    
    BT: 15,347 employees
    
    URBN: 17,553 employees
    
    Leidos: 52,610 employees
    
    UBS: 20,462 employees
    
    HSBC: 280,693 employees
    
    Firmenich: 13,248 employees
    
    U.S. Bank: 114,076 employees
    
    Canada Post: 69,860 employees
    
    Westinghouse: 18,193 employees
    
    Rush University: 15,853 employees
    
    Omnicom Group: 37,320 employees
    
    Charles Schwab: 49,356 employees
    
    City National Bank: 9,358 employees
    
    Applied Materials: 53,170 employees
    
    Cardinal Health: 407,437 employees
    
    Bristol-Myers Squibb: 37,497 employees
    
    TIAA (additional listing): 23,857 employees
    
    Fidelity Investments: 124,464 employees

List of targeted companies (Screenshot credit: Hackread.com)

****Nam3L3ss’s Manifesto: Motivation and Methodology****

In a post on Breach Forums, Nam3L3ss outlined their “manifesto” to explain who they are and why they’re leaking data. According to the post, they monitor misconfigured and unsecured cloud databases across various services, including AWS Buckets, Azure, Digital Ocean, Google, and FTP and MongoDB servers, to extract and make this data public.

Nam3L3ss also claims to monitor ransomware groups, analyze stolen data, clean it by removing duplicates and irrelevant information, and then release it online. For example, the leaked MetLife employee directory originated from MetLife, a global financial services firm that suffered a ransomware attack in 2023.

Nam3L3ss intro and Manifesto (Screenshot credit: Hackread.com)

The Cl0p ransomware gang exploited MOVEit extensively, targeting hundreds of organizations worldwide. They even **created clear web websites to leak** the stolen data in July 2024.

**Ferhat Dikbiyik**, chief research and intelligence officer at Black Kite, weighed in on the recent Amazon data breach, explaining, that Amazon’s recent data breach traced back to a third-party vendor’s use of the MOVEit tool, is another wake-up call for the supply chain’s hidden vulnerabilities.

“Amazon’s recent data breach traced back to a third-party vendor’s use of the MOVEit tool, is another wake-up call for the supply chain’s hidden vulnerabilities. The MOVEit flaw initially hit hundreds, but the shockwave extended across 2,700+ organizations as the ripple effects reached third and even fourth-party vendors,” Ferhat said.

“We’ve identified over 600 MOVEit servers that were likely caught in this “spray” attack—leaving a vast field of potential targets,” he explained. “CL0P ransomware, the group exploiting this flaw, named 270 victims within three months, and the count is still rising.”

“With 200 to 400 organizations speculated to have paid ransoms, the real impact stretches far beyond these numbers. This breach emphasizes that ransomware risk doesn’t stop at your company’s doorstep. In today’s ecosystem, exposure management must extend across the entire supply chain to truly defend against the next big attack.”

****Data Vigilante?****

Although the term Data Vigilante is debatable, Nam3L3ss expresses frustration with companies and government institutions for failing to secure their networks. By leaking this data, they aim to raise awareness about data security and encourage better cybersecurity practices.

****Implications of the Data Leak and Advice to Employees****

Although passwords and financial details weren’t included in the leaked files, the exposure poses significant risks to companies and employees. Threat actors, especially state-sponsored groups like **North Korea’s Lazarus Group**, are known to exploit such data to initiate phishing scams, steal cryptocurrency, and access financial information that could aid their **country’s economy**.

If you work for one of the affected companies, be on the lookout for phishing scams via email, SMS phishing (smishing), and voice phishing (vishing) attempts, as attackers may try to exploit this data for further scams.

1.  Hacker Leaks Thousands of Microsoft and Nokia Employee Details
2.  Hackers Calling Employees to Steal VPN Credentials from US Firms
3.  Hacker Leaks Data of 33K Accenture Employees in 3rd-Party Breach
4.  Shadow IT: Personal GitHub Repos Expose Employee Cloud Secrets
5.  Indian Ex-Employee Jailed for Wiping 180 Virtual Servers in Singapore

Data Vigilante Leaks 8 Million Employee Records from Amazon, HP and Others

CISA should make its recommended goals mandatory and perform audits to ensure compliance.

Gary Barlet, Public Sector Chief Technology Officer, Illumio

November 12, 2024

5 Min Read

Source: Zoonar GmbH via Alamy Stock Photo

COMMENTARY  
Companies across the country are lining up to join the latest cybersecurity trend: the Cybersecurity and Infrastructure Security Agency's (CISA) Secure by Design pledge, a commitment aimed at software manufacturers that compels them to keep up with fundamental cybersecurity strategies. Companies such as Lenovo, Google, AWS, Cloudflare, and Microsoft have already signed on. 

On the face of it, the Secure by Design pledge is a good thing. Its seven goals each encourage manufacturers to adopt or increase the usage of a key cybersecurity strategy within one year. The goals, such as "implement multifactor authentication (MFA)" are worthy, if basic, and CISA encourages companies to document their progress. If they fall short, they are also encouraged to report that failure to CISA. 

The problem is that this pledge is entirely voluntary. Companies are free to sign it — or not — as they wish. And there's no regulatory compliance factored in. This means that if a company does sign the pledge and falls short of one or more goals, no one may ever know and no action will be taken. It will be as if the pledge never existed in the first place.   

Without teeth, the pledge is essentially worthless. Outside of highlighting the low-bar steps major companies should take to ensure their infrastructure is secured from the most common attacks (which, admittedly, is a good thing), it takes no steps to ensure that companies will actually do so. And it provides no repercussions if they fail.    

**Is the Honor System Good Enough?**

With data breaches up 72% in 2023 and the average cost of a breach estimated at $4.88 million, can we afford for our nation's technological infrastructure to be governed by the honor system? What happens when the next big cyberattack takes down a pillar of our society because the company responsible failed to implement MFA?  

I'd argue for a much more aggressive approach from our federal government. Given the potential for widespread disruptions inherent with any cybersecurity failure, we can't afford to take such a lax attitude toward securing our systems. The sanctity of our nation's airlines, power grids, and other critical infrastructure relies on stringent cybersecurity measures. Merely "suggesting" that companies institute basic protocols is not enough. We need to mandate it — and punish those who fail. 

**The EU's Higher Standard**

I look at the European Union's approach to setting standards for its electronic devices. In 2022,  the EU passed a law mandating electronics manufacturers move to a standardized charging port for their mobile devices. The EU's stance toward Apple, which famously used a proprietary Lightning charging port for its iPhones, was simply: Adapt or die. Apple adapted. As a result, iPhones in Europe are now sold with the standardized USB-C charging port, alongside every other mobile device. 

The EU did not fool around with vague suggestions or pledges. It saw the value to consumers of a standardized charging port and demanded that manufacturers make the change. Those that failed to comply were not allowed to sell their devices in Europe. Simple. Effective. 

You can also look closer to home, to California, for an example of this kind of confident action by the government. The government of California adopted the Zero Emissions Vehicle requirements in 1990, and has adjusted the rules over the ensuing decades as technology has evolved. The purpose was to protect the state's air from automotive pollution. The result has been a near industrywide reduction in auto emissions for the past 30 years. 

For vehicle manufacturers that want to sell cars in California, the largest economy in the United States, the equation was the same one facing Apple in the EU: Adapt or die. They could either engineer their vehicles to produce fewer emissions or simply not sell them in California. Most elected for the former option, and, as a result, automotive emission control technology has advanced further in the past 30 years than at any point since the automobile was introduced. 

**Adopting a Similar Approach**

To protect our cyber infrastructure, we need to adopt a similar approach. Instead of simply making recommendations, our nation's cybersecurity agency should be empowered to make regulations.  

CISA should begin by making its recommended goals mandatory, forcing software companies to do the following: 

●      Increase the use of MFA 

●      Reduce default passwords 

●      Enable a significant measurable reduction in the prevalence of one or more vulnerability classes 

●      Increase the installation of security patches by customers 

●      Publish a vulnerability disclosure policy 

●      Demonstrate transparency in vulnerability reporting. 

●      Increase the ability for customers to gather evidence of cybersecurity intrusions 

Next, CISA should perform audits to ensure compliance. Relying on companies to self-report is no different from giving them permission not to report. Look closely at CISA's list of pledgees and come back in a year to see how many of these vaunted companies will have willingly admitted they aren't taking the most basic steps toward protecting their users' data. 

Finally, CISA should be empowered to make a simple statement to software manufacturers that want to sell products in the US similar to what the EU said to electronics manufacturers and what California said to automobile manufacturers: Adapt or die. 

If you want to sell software in the US, you should have to follow basic principles that will ensure your software is safe. This should not be a "nice to have." It should be mandatory. The stakes are as high if not higher than with charging ports and automobile emissions. As we witnessed with the recent failure of cybersecurity software, the impact was felt across entire industries and resulted in billions of dollars in lost productivity. This is not a realm for timidity.    

Hi all -- please add this to all of your content at the bottom between now and Thursday -- I'm adding it to this week's news items now. Rashid, Fahmida Donahue, Jim Bracken, Becky Spiegelman, Karen Beek, Kristina

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 a.m. ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

**About the Author**

Public Sector Chief Technology Officer, Illumio

Gary Barlet has nearly three decades of cloud, cybersecurity, and network experience in the US federal government leading security and IT teams in both civilian agencies and the Department of Defense (DoD). At Illumio, Gary works with government agencies, contractors, and the broader ecosystem to build in zero-trust segmentation as a strategic component of the government’s zero-trust architecture. Before joining Illumio, Gary served as the chief information officer at the Office of the Inspector General for the US Postal Service and served in the Air Force in several technology leadership capacities, retiring from his role as cyber operations officer.

The Power of the Purse: How to Ensure Security by Design

Donald Trump has vowed to deport millions and jail his enemies. To carry out that agenda, his administration will exploit America’s digital surveillance machine. Here are some steps you can take to evade it.

The WIRED Guide to Protecting Yourself From Government Surveillance

Privacy advocates worry banning masks at protests will encourage harassment, while cops’ high-tech tools render the rules unnecessary.

“There are lots of different tools that are available to law enforcement. Facial recognition is one of those tools that it's about expediency,” said Nicole Napolitano, director of research at the Center for Policing Equity. But it’s not without its pitfalls. Like PimEyes, tools like Clearview AI can make mistakes and incorrectly identify people, leading to erroneous arrests. “Police have become increasingly reliant on and then biased by what the model tells them,” said Napolitano.

“There's no constitutional right to cover your face in public,” charged Meyers, the Manhattan Institute’s policing director.

Indeed, the legal landscape surrounding how law enforcement can use surveillance technologies has been hazy, explained Beth Haroules, a staff attorney for the New York branch of the American Civil Liberties Union, largely because the law hasn’t kept up with the pace with technological development.

For Haroules, the potential for omnipresent surveillance means people never really have a reasonable expectation of privacy—an important historic legal standard. “\[Surveillance\] cameras aren't just the eyes of a police officer,” she said. “They are being monitored, perhaps 24/7, in real time. They're feeding images into artificial intelligence, aided by algorithms that then kick out and match you to a number of faces and places that you've been.”

That legal haze, though, may finally be starting to clear.

This summer, a federal appeals court judge declared that geofence warrants were violations of the Constitution’s protections against unreasonable searches and seizures, though this decision only holds in Texas, Mississippi, and Louisiana. Similarly, a New York judge ruled warrantless phone searches at border crossings are unconstitutional. While the ruling only applies to a portion of New York, it does cover John F. Kennedy International Airport, one of the country’s busiest airports.

Phone manufacturers have also been making strides with regard to technological solutions to subvert surveillance methods. Google announced changes to how it stores users’ location data, making it unable to comply with future geofence warrants.

Even so, determining when police use surveillance technology can be difficult. Tushar Jois, a City College of New York professor studying the intersection of privacy, technology, and censorship, said that police departments “would routinely drop evidence in their cases rather than share data” about their surveillance technology use.

Beryl Lipton, a senior investigative researcher at the Electronic Frontier Foundation, a tech-focused civil liberties nonprofit, said that many of the things law enforcement officials used to only dream of are now increasingly possible.

“I think there's been a big shift in how we need to think about what it means to have an expectation of privacy in a public space,” Lipton said.

Half a century ago, Lipton explained, you'd potentially be able to see someone following you down the street, listening to your conversation. Now, that type of surveillance isn't so obvious.

“That's something we, as a country, really need to reevaluate,” she added. “We don't want to be in a position, either as protesters, or just as regular individuals, trying to live a life where we're essentially being followed and listened to all the time.”

The Real Problem With Banning Masks at Protests

Ubuntu Security Notice 7100-1 - Supraja Sridhara, Benedict Schlüter, Mark Kuhne, Andrin Bertschi, and Shweta Shinde discovered that the Confidential Computing framework in the Linux kernel for x86 platforms did not properly handle 32-bit emulation on TDX and SEV. An attacker with access to the VMM could use this to cause a denial of service or possibly execute arbitrary code. Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-7100-1November 11, 2024linux, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop,linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-kvm,linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle,linux-oracle-5.15, linux-raspi, linux-xilinx-zynqmp vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTS- Ubuntu 20.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-gke: Linux kernel for Google Container Engine (GKE) systems- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems- linux-ibm: Linux kernel for IBM cloud systems- linux-kvm: Linux kernel for cloud environments- linux-lowlatency: Linux low latency kernel- linux-nvidia: Linux kernel for NVIDIA systems- linux-oracle: Linux kernel for Oracle Cloud systems- linux-raspi: Linux kernel for Raspberry Pi systems- linux-xilinx-zynqmp: Linux kernel for Xilinx ZynqMP processors- linux-aws-5.15: Linux kernel for Amazon Web Services (AWS) systems- linux-gcp-5.15: Linux kernel for Google Cloud Platform (GCP) systems- linux-gkeop-5.15: Linux kernel for Google Container Engine (GKE) systems- linux-hwe-5.15: Linux hardware enablement (HWE) kernel- linux-ibm-5.15: Linux kernel for IBM cloud systems- linux-lowlatency-hwe-5.15: Linux low latency kernel- linux-oracle-5.15: Linux kernel for Oracle Cloud systemsDetails:Supraja Sridhara, Benedict Schlüter, Mark Kuhne, Andrin Bertschi, andShweta Shinde discovered that the Confidential Computing framework inthe Linux kernel for x86 platforms did not properly handle 32-bitemulation on TDX and SEV. An attacker with access to the VMM could usethis to cause a denial of service (guest crash) or possibly executearbitrary code. (CVE-2024-25744)Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - ARM64 architecture;  - MIPS architecture;  - PowerPC architecture;  - RISC-V architecture;  - User-Mode Linux (UML);  - x86 architecture;  - Block layer subsystem;  - Android drivers;  - Serial ATA and Parallel ATA drivers;  - ATM drivers;  - Drivers core;  - Null block device driver;  - Character device driver;  - ARM SCMI message protocol;  - GPU drivers;  - HID subsystem;  - Hardware monitoring drivers;  - I3C subsystem;  - InfiniBand drivers;  - Input Device core drivers;  - Input Device (Miscellaneous) drivers;  - IOMMU subsystem;  - IRQ chip drivers;  - ISDN/mISDN subsystem;  - LED subsystem;  - Multiple devices driver;  - Media drivers;  - VMware VMCI Driver;  - MMC subsystem;  - Network drivers;  - Near Field Communication (NFC) drivers;  - NVME drivers;  - Device tree and open firmware driver;  - Parport drivers;  - PCI subsystem;  - Pin controllers subsystem;  - Remote Processor subsystem;  - S/390 drivers;  - SCSI drivers;  - QCOM SoC drivers;  - Direct Digital Synthesis drivers;  - Thunderbolt and USB4 drivers;  - TTY drivers;  - Userspace I/O drivers;  - DesignWare USB3 driver;  - USB Gadget drivers;  - USB Host Controller drivers;  - USB Type-C Connector System Software Interface driver;  - USB over IP driver;  - VHOST drivers;  - File systems infrastructure;  - BTRFS file system;  - Ext4 file system;  - F2FS file system;  - JFS file system;  - NILFS2 file system;  - NTFS3 file system;  - Proc file system;  - SMB network file system;  - Core kernel;  - DMA mapping infrastructure;  - RCU subsystem;  - Tracing infrastructure;  - Radix Tree data structure library;  - Kernel userspace event delivery library;  - Objagg library;  - Memory management;  - Amateur Radio drivers;  - Bluetooth subsystem;  - Ethernet bridge;  - CAN network layer;  - Networking core;  - Ethtool driver;  - IPv4 networking;  - IPv6 networking;  - IUCV driver;  - KCM (Kernel Connection Multiplexor) sockets driver;  - MAC80211 subsystem;  - Multipath TCP;  - Netfilter;  - Network traffic control;  - SCTP protocol;  - Sun RPC protocol;  - TIPC protocol;  - TLS protocol;  - Wireless networking;  - AppArmor security module;  - Landlock security;  - Simplified Mandatory Access Control Kernel framework;  - FireWire sound drivers;  - SoC audio core drivers;  - USB sound devices;(CVE-2024-43817, CVE-2024-42304, CVE-2024-46756, CVE-2024-42318,CVE-2024-41090, CVE-2024-41063, CVE-2024-44987, CVE-2024-46844,CVE-2024-46677, CVE-2024-44988, CVE-2024-42297, CVE-2024-26893,CVE-2024-46673, CVE-2024-26800, CVE-2024-42305, CVE-2024-46731,CVE-2024-41091, CVE-2024-46810, CVE-2024-41072, CVE-2022-48666,CVE-2024-38602, CVE-2024-46780, CVE-2024-46750, CVE-2024-43858,CVE-2024-41020, CVE-2024-46755, CVE-2024-46829, CVE-2024-41068,CVE-2024-45003, CVE-2024-42280, CVE-2024-42283, CVE-2024-43873,CVE-2024-46746, CVE-2024-44969, CVE-2024-46807, CVE-2024-41081,CVE-2024-44971, CVE-2024-26607, CVE-2024-43880, CVE-2024-42281,CVE-2024-42274, CVE-2024-43908, CVE-2024-42267, CVE-2024-47665,CVE-2024-45011, CVE-2024-46707, CVE-2024-42310, CVE-2024-42309,CVE-2024-44965, CVE-2024-46747, CVE-2024-42259, CVE-2024-46804,CVE-2024-46679, CVE-2024-45007, CVE-2024-45009, CVE-2024-46771,CVE-2024-46739, CVE-2024-41060, CVE-2024-46676, CVE-2024-46822,CVE-2024-42272, CVE-2024-41059, CVE-2024-43839, CVE-2024-46817,CVE-2024-47669, CVE-2024-44999, CVE-2024-42285, CVE-2024-44986,CVE-2024-43828, CVE-2024-43879, CVE-2024-44998, CVE-2024-46724,CVE-2024-41015, CVE-2024-45025, CVE-2024-43849, CVE-2024-46818,CVE-2024-43830, CVE-2024-46725, CVE-2024-43834, CVE-2024-42302,CVE-2024-36484, CVE-2024-43853, CVE-2024-46782, CVE-2024-46740,CVE-2024-46732, CVE-2024-43869, CVE-2024-42312, CVE-2024-42292,CVE-2024-43884, CVE-2024-44934, CVE-2024-44995, CVE-2024-43894,CVE-2024-46675, CVE-2024-43870, CVE-2024-44990, CVE-2024-42287,CVE-2024-41065, CVE-2024-42301, CVE-2024-42290, CVE-2024-46702,CVE-2024-46719, CVE-2024-46745, CVE-2024-46758, CVE-2024-46757,CVE-2024-44935, CVE-2024-42276, CVE-2024-43890, CVE-2023-52918,CVE-2024-41077, CVE-2024-43905, CVE-2024-38611, CVE-2024-42269,CVE-2024-42284, CVE-2024-41073, CVE-2024-46722, CVE-2024-41017,CVE-2024-47667, CVE-2024-45021, CVE-2024-43867, CVE-2024-41098,CVE-2024-43909, CVE-2024-46723, CVE-2024-45026, CVE-2024-42114,CVE-2024-44944, CVE-2024-43835, CVE-2024-44982, CVE-2024-43907,CVE-2024-46828, CVE-2024-43856, CVE-2024-46832, CVE-2024-44954,CVE-2024-43846, CVE-2024-41070, CVE-2024-43892, CVE-2024-44985,CVE-2024-42306, CVE-2024-43889, CVE-2024-44958, CVE-2024-46798,CVE-2024-44989, CVE-2024-42313, CVE-2024-46737, CVE-2024-42289,CVE-2024-43829, CVE-2024-46744, CVE-2023-52889, CVE-2024-46689,CVE-2024-47663, CVE-2024-46791, CVE-2024-43863, CVE-2024-43893,CVE-2024-43841, CVE-2024-46777, CVE-2024-46800, CVE-2024-45028,CVE-2024-44952, CVE-2024-43883, CVE-2024-44946, CVE-2024-43882,CVE-2024-44960, CVE-2024-38577, CVE-2024-46814, CVE-2024-42288,CVE-2024-44947, CVE-2024-41071, CVE-2024-41042, CVE-2024-41064,CVE-2024-42311, CVE-2024-42270, CVE-2024-43861, CVE-2024-46752,CVE-2024-42296, CVE-2024-41022, CVE-2024-42246, CVE-2024-43871,CVE-2024-42265, CVE-2024-43854, CVE-2024-41019, CVE-2024-46815,CVE-2024-46743, CVE-2024-42126, CVE-2024-26661, CVE-2024-41012,CVE-2024-46761, CVE-2024-45008, CVE-2024-46805, CVE-2024-45006,CVE-2024-42295, CVE-2024-46783, CVE-2024-42286, CVE-2024-46714,CVE-2024-42299, CVE-2024-46781, CVE-2024-43914, CVE-2024-44966,CVE-2024-44974, CVE-2024-45018, CVE-2024-46840, CVE-2024-46819,CVE-2024-40915, CVE-2024-46759, CVE-2024-43860, CVE-2024-47668,CVE-2024-39472, CVE-2024-47660, CVE-2024-47659, CVE-2024-46795,CVE-2024-43875, CVE-2024-46738, CVE-2024-42271, CVE-2024-26669,CVE-2024-44983, CVE-2024-41078, CVE-2024-46685, CVE-2024-46713,CVE-2024-46721, CVE-2024-46763, CVE-2024-41011, CVE-2024-43902,CVE-2024-42277, CVE-2024-44948)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS  linux-image-5.15.0-1038-xilinx-zynqmp  5.15.0-1038.42  linux-image-5.15.0-1055-gkeop   5.15.0-1055.62  linux-image-5.15.0-1065-ibm     5.15.0-1065.68  linux-image-5.15.0-1065-raspi   5.15.0-1065.68  linux-image-5.15.0-1067-nvidia  5.15.0-1067.68  linux-image-5.15.0-1067-nvidia-lowlatency  5.15.0-1067.68  linux-image-5.15.0-1069-gke     5.15.0-1069.75  linux-image-5.15.0-1069-kvm     5.15.0-1069.74  linux-image-5.15.0-1070-oracle  5.15.0-1070.76  linux-image-5.15.0-1071-gcp     5.15.0-1071.79  linux-image-5.15.0-125-generic  5.15.0-125.135  linux-image-5.15.0-125-generic-64k  5.15.0-125.135  linux-image-5.15.0-125-generic-lpae  5.15.0-125.135  linux-image-5.15.0-125-lowlatency  5.15.0-125.135  linux-image-5.15.0-125-lowlatency-64k  5.15.0-125.135  linux-image-gcp-lts-22.04       5.15.0.1071.67  linux-image-generic             5.15.0.125.124  linux-image-generic-64k         5.15.0.125.124  linux-image-generic-lpae        5.15.0.125.124  linux-image-gke                 5.15.0.1069.68  linux-image-gke-5.15            5.15.0.1069.68  linux-image-gkeop               5.15.0.1055.54  linux-image-gkeop-5.15          5.15.0.1055.54  linux-image-ibm                 5.15.0.1065.61  linux-image-kvm                 5.15.0.1069.65  linux-image-lowlatency          5.15.0.125.113  linux-image-lowlatency-64k      5.15.0.125.113  linux-image-nvidia              5.15.0.1067.67  linux-image-nvidia-lowlatency   5.15.0.1067.67  linux-image-oracle-lts-22.04    5.15.0.1070.66  linux-image-raspi               5.15.0.1065.63  linux-image-raspi-nolpae        5.15.0.1065.63  linux-image-virtual             5.15.0.125.124  linux-image-xilinx-zynqmp       5.15.0.1038.42Ubuntu 20.04 LTS  linux-image-5.15.0-1055-gkeop   5.15.0-1055.62~20.04.1  linux-image-5.15.0-1065-ibm     5.15.0-1065.68~20.04.1  linux-image-5.15.0-1070-oracle  5.15.0-1070.76~20.04.1  linux-image-5.15.0-1071-gcp     5.15.0-1071.79~20.04.1  linux-image-5.15.0-1072-aws     5.15.0-1072.78~20.04.1  linux-image-5.15.0-125-generic  5.15.0-125.135~20.04.1  linux-image-5.15.0-125-generic-64k  5.15.0-125.135~20.04.1  linux-image-5.15.0-125-generic-lpae  5.15.0-125.135~20.04.1  linux-image-5.15.0-125-lowlatency  5.15.0-125.135~20.04.1  linux-image-5.15.0-125-lowlatency-64k  5.15.0-125.135~20.04.1  linux-image-aws                 5.15.0.1072.78~20.04.1  linux-image-gcp                 5.15.0.1071.79~20.04.1  linux-image-generic-64k-hwe-20.04  5.15.0.125.135~20.04.1  linux-image-generic-hwe-20.04   5.15.0.125.135~20.04.1  linux-image-generic-lpae-hwe-20.04  5.15.0.125.135~20.04.1  linux-image-gkeop-5.15          5.15.0.1055.62~20.04.1  linux-image-ibm                 5.15.0.1065.68~20.04.1  linux-image-lowlatency-64k-hwe-20.04  5.15.0.125.135~20.04.1  linux-image-lowlatency-hwe-20.04  5.15.0.125.135~20.04.1  linux-image-oem-20.04           5.15.0.125.135~20.04.1  linux-image-oem-20.04b          5.15.0.125.135~20.04.1  linux-image-oem-20.04c          5.15.0.125.135~20.04.1  linux-image-oem-20.04d          5.15.0.125.135~20.04.1  linux-image-oracle              5.15.0.1070.76~20.04.1  linux-image-virtual-hwe-20.04   5.15.0.125.135~20.04.1After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-7100-1  CVE-2022-48666, CVE-2023-52889, CVE-2023-52918, CVE-2024-25744,  CVE-2024-26607, CVE-2024-26661, CVE-2024-26669, CVE-2024-26800,  CVE-2024-26893, CVE-2024-36484, CVE-2024-38577, CVE-2024-38602,  CVE-2024-38611, CVE-2024-39472, CVE-2024-40915, CVE-2024-41011,  CVE-2024-41012, CVE-2024-41015, CVE-2024-41017, CVE-2024-41019,  CVE-2024-41020, CVE-2024-41022, CVE-2024-41042, CVE-2024-41059,  CVE-2024-41060, CVE-2024-41063, CVE-2024-41064, CVE-2024-41065,  CVE-2024-41068, CVE-2024-41070, CVE-2024-41071, CVE-2024-41072,  CVE-2024-41073, CVE-2024-41077, CVE-2024-41078, CVE-2024-41081,  CVE-2024-41090, CVE-2024-41091, CVE-2024-41098, CVE-2024-42114,  CVE-2024-42126, CVE-2024-42246, CVE-2024-42259, CVE-2024-42265,  CVE-2024-42267, CVE-2024-42269, CVE-2024-42270, CVE-2024-42271,  CVE-2024-42272, CVE-2024-42274, CVE-2024-42276, CVE-2024-42277,  CVE-2024-42280, CVE-2024-42281, CVE-2024-42283, CVE-2024-42284,  CVE-2024-42285, CVE-2024-42286, CVE-2024-42287, CVE-2024-42288,  CVE-2024-42289, CVE-2024-42290, CVE-2024-42292, CVE-2024-42295,  CVE-2024-42296, CVE-2024-42297, CVE-2024-42299, CVE-2024-42301,  CVE-2024-42302, CVE-2024-42304, CVE-2024-42305, CVE-2024-42306,  CVE-2024-42309, CVE-2024-42310, CVE-2024-42311, CVE-2024-42312,  CVE-2024-42313, CVE-2024-42318, CVE-2024-43817, CVE-2024-43828,  CVE-2024-43829, CVE-2024-43830, CVE-2024-43834, CVE-2024-43835,  CVE-2024-43839, CVE-2024-43841, CVE-2024-43846, CVE-2024-43849,  CVE-2024-43853, CVE-2024-43854, CVE-2024-43856, CVE-2024-43858,  CVE-2024-43860, CVE-2024-43861, CVE-2024-43863, CVE-2024-43867,  CVE-2024-43869, CVE-2024-43870, CVE-2024-43871, CVE-2024-43873,  CVE-2024-43875, CVE-2024-43879, CVE-2024-43880, CVE-2024-43882,  CVE-2024-43883, CVE-2024-43884, CVE-2024-43889, CVE-2024-43890,  CVE-2024-43892, CVE-2024-43893, CVE-2024-43894, CVE-2024-43902,  CVE-2024-43905, CVE-2024-43907, CVE-2024-43908, CVE-2024-43909,  CVE-2024-43914, CVE-2024-44934, CVE-2024-44935, CVE-2024-44944,  CVE-2024-44946, CVE-2024-44947, CVE-2024-44948, CVE-2024-44952,  CVE-2024-44954, CVE-2024-44958, CVE-2024-44960, CVE-2024-44965,  CVE-2024-44966, CVE-2024-44969, CVE-2024-44971, CVE-2024-44974,  CVE-2024-44982, CVE-2024-44983, CVE-2024-44985, CVE-2024-44986,  CVE-2024-44987, CVE-2024-44988, CVE-2024-44989, CVE-2024-44990,  CVE-2024-44995, CVE-2024-44998, CVE-2024-44999, CVE-2024-45003,  CVE-2024-45006, CVE-2024-45007, CVE-2024-45008, CVE-2024-45009,  CVE-2024-45011, CVE-2024-45018, CVE-2024-45021, CVE-2024-45025,  CVE-2024-45026, CVE-2024-45028, CVE-2024-46673, CVE-2024-46675,  CVE-2024-46676, CVE-2024-46677, CVE-2024-46679, CVE-2024-46685,  CVE-2024-46689, CVE-2024-46702, CVE-2024-46707, CVE-2024-46713,  CVE-2024-46714, CVE-2024-46719, CVE-2024-46721, CVE-2024-46722,  CVE-2024-46723, CVE-2024-46724, CVE-2024-46725, CVE-2024-46731,  CVE-2024-46732, CVE-2024-46737, CVE-2024-46738, CVE-2024-46739,  CVE-2024-46740, CVE-2024-46743, CVE-2024-46744, CVE-2024-46745,  CVE-2024-46746, CVE-2024-46747, CVE-2024-46750, CVE-2024-46752,  CVE-2024-46755, CVE-2024-46756, CVE-2024-46757, CVE-2024-46758,  CVE-2024-46759, CVE-2024-46761, CVE-2024-46763, CVE-2024-46771,  CVE-2024-46777, CVE-2024-46780, CVE-2024-46781, CVE-2024-46782,  CVE-2024-46783, CVE-2024-46791, CVE-2024-46795, CVE-2024-46798,  CVE-2024-46800, CVE-2024-46804, CVE-2024-46805, CVE-2024-46807,  CVE-2024-46810, CVE-2024-46814, CVE-2024-46815, CVE-2024-46817,  CVE-2024-46818, CVE-2024-46819, CVE-2024-46822, CVE-2024-46828,  CVE-2024-46829, CVE-2024-46832, CVE-2024-46840, CVE-2024-46844,  CVE-2024-47659, CVE-2024-47660, CVE-2024-47663, CVE-2024-47665,  CVE-2024-47667, CVE-2024-47668, CVE-2024-47669Package Information:  https://launchpad.net/ubuntu/+source/linux/5.15.0-125.135  https://launchpad.net/ubuntu/+source/linux-gcp/5.15.0-1071.79  https://launchpad.net/ubuntu/+source/linux-gke/5.15.0-1069.75  https://launchpad.net/ubuntu/+source/linux-gkeop/5.15.0-1055.62  https://launchpad.net/ubuntu/+source/linux-ibm/5.15.0-1065.68  https://launchpad.net/ubuntu/+source/linux-kvm/5.15.0-1069.74  https://launchpad.net/ubuntu/+source/linux-lowlatency/5.15.0-125.135  https://launchpad.net/ubuntu/+source/linux-nvidia/5.15.0-1067.68  https://launchpad.net/ubuntu/+source/linux-oracle/5.15.0-1070.76  https://launchpad.net/ubuntu/+source/linux-raspi/5.15.0-1065.68  https://launchpad.net/ubuntu/+source/linux-xilinx-zynqmp/5.15.0-1038.42  https://launchpad.net/ubuntu/+source/linux-aws-5.15/5.15.0-1072.78~20.04.1  https://launchpad.net/ubuntu/+source/linux-gcp-5.15/5.15.0-1071.79~20.04.1  https://launchpad.net/ubuntu/+source/linux-gkeop-5.15/5.15.0-1055.62~20.04.1  https://launchpad.net/ubuntu/+source/linux-hwe-5.15/5.15.0-125.135~20.04.1  https://launchpad.net/ubuntu/+source/linux-ibm-5.15/5.15.0-1065.68~20.04.1  https://launchpad.net/ubuntu/+source/linux-lowlatency-hwe-5.15/5.15.0-125.135~20.04.1  https://launchpad.net/ubuntu/+source/linux-oracle-5.15/5.15.0-1070.76~20.04.1

Ubuntu Security Notice USN-7100-1

A list of topics we covered in the week of November 4 to November 10 of 2024

November 8, 2024 - The web browser, and search engines in particular, continue to be a popular entry point to deliver malware to users. While...

November 7, 2024 - Consumer group Which? found privacy issues in connected air fryers. How smart do we want and need our appliances to be?

November 7, 2024 - We have great news to share: Malwarebytes has acquired AzireVPN, a privacy-focused VPN provider.

November 6, 2024 - Consumers are being swamped by Google ads claiming to be eBay's customer service.

November 6, 2024 - Small businesses have the same security problems as big corporations, but not the budget or staff to match. Here are some tips to help.

 A week in security (November 4 &#8211; November 10) 

The web browser, and search engines in particular, continue to be a popular entry point to deliver malware to users. While...

The web browser, and search engines in particular, continue to be a popular entry point to deliver malware to users. While we noted a decrease in loaders distributed via malvertising for the past 3 months, today’s example is a reminder that threat actors can quickly switch back to tried and tested methods.

After months of absence, Fakebat (AKA Eugenloader, PaykLoader) showed up on our radar again via a malicious Google ad for the productivity application Notion. FakeBat is a unique loader that has been used to drop follow-up payloads such as Lumma stealer.

In this blog post, we detail how criminals are targeting their victims and what final malware payload they are delivering post initial infection. The incident was found and reported to Google on the same day as this publication.

**Google Ads distribution**

Last time we saw FakeBat was on July 25 2024, via a malicious ad for Calendly, a popular online scheduling application. In that instance, FakeBat’s command and control infrastructure ran from _utd-gochisu\[.\]com_.

Fast forward to November 8, 2024, and we have an ad appearing at the top of a Google search for ‘notion’. That sponsored result looks entirely authentic, with an official logo and website. We already know that criminals are able to impersonate any brand of their liking by simply using a click tracker — or tracking template — in order to bypass detection.

Below is the network traffic from the ad URL to the payload. We can see the use of the tracking template (_smart.link_), followed by a cloaking domain (_solomonegbe\[.\]com_), before landing on the decoy site (_notion\[.\]ramchhaya.com_):

Why does this work and bypasses Google? Likely because if the user is not an intended victim, the tracking template would redirect them to the legitimate _notion.so_ website.

**FakeBat drops LummaC2 stealer**

After extracting the payload, we recognize the classic first stage FakeBat PowerShell:

Security researcher and long time FakeBat enthusiast RussianPanda was kind enough to give us a hand by looking at this installer in closer detail.

After some fingerprinting to avoid sandboxes, we get this second stage PowerShell:

Of note, the threat actors are still using the same old RastaMouse AMSI bypass script from April 2024:

The loader is obfuscated with .NET Reactor, where it decrypts the embedded resource with AES and then injects it into _MSBuild.exe_ via process hollowing:

The decrypted payload is LummaC2 Stealer with user ID: 9zXsP2.

**Conclusion**

While malicious ads delivering malware payloads have been a little more rare for the past several weeks, today’s example shows that threat actors can and will make a comeback whenever the time is right.

Brand impersonation via Google ads remains problematic, as anyone can leverage built-in features to appear legitimate and trick users into downloading malware.

We appreciate and would like to thanks RussianPanda‘s quick analysis on the payload, as well as security researcher Sqiiblydoo for reporting the malicious certificate used to sign the installer.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

**Indicators of Compromise**

Malvertising chain

solomonegbe\[.\]com  
notion\[.\]ramchhaya.com

Malicious Notion installer

34c46b358a139f1a472b0120a95b4f21d32be5c93bc2d1a5608efb557aa0b9de

FakeBat C2

ghf-gopp1rip\[.\]com

1.jar (PaykRunPE)

373cd164bb01f77ad1e37df844010ee5

LummaC2 (decrypted payload)

3e8c406831a0021f76f02c704b68ee60

JwefqUQWCg (encrypted resource)

497dc11a77a4898b6b5e3cc28a586a38

Malicious URLs

furliumalerer\[.\]site/1.jar  
pastebin\[.\]pl/view/raw/a58044c5

LummaC2 Stealer C2s:

rottieud\[.\]sbs  
relalingj\[.\]sbs  
repostebhu\[.\]sbs  
thinkyyokej\[.\]sbs  
tamedgeesy\[.\]sbs  
explainvees\[.\]sbs  
brownieyuz\[.\]sbs  
slippyhost\[.\]cfd  
ducksringjk\[.\]sbs

Tag

#google