By Waqas
Another day, another cybersecurity threat hits unsuspected users!
This is a post from HackRead.com Read the original post: New Malware “BunnyLoader 3.0” Steals Credentials and Crypto

New high-performance malware “BunnyLoader 3.0” steals logins, crypto & lurks undetected. Palo Alto Unit 42 reveals its tricks to help businesses & individuals fight back. Learn how to protect yourself from this evolving cyber threat.

In the scenario where cybersecurity threats are peeking, staying one step ahead of malicious actors is crucial to protecting your online business and identity. Recently, Palo Alto’s Unit 42 released a report shedding light on a dangerous new malware called BunnyLoader, and its latest version, BunnyLoader 3.0. Here’s what you need to know:

****The BunnyLoader Menace:****

BunnyLoader is not your average malware. It’s a sophisticated tool developed by cybercriminals to steal sensitive information, credentials, and even cryptocurrency from unsuspecting victims. What’s more, it’s constantly evolving, making it a challenging threat for the cybersecurity community.

****A Constantly Evolving Threat:****

Since its discovery in September 2023 on **Breach Forums**, BunnyLoader has undergone multiple updates and enhancements, each aimed at outsmarting security measures and staying under the radar of cybersecurity researchers. From bug fixes to advanced keylogging capabilities, the creators of BunnyLoader are constantly tweaking their creation to maximize its effectiveness.

****The Release of BunnyLoader 3.0:****

On February 11, 2024, the threat actors behind BunnyLoader unveiled their latest version, BunnyLoader 3.0, boasting a 90% improvement in performance. This new iteration comes with a reduced payload size and enhanced keylogging capabilities, making it even more dangerous than before.

****Behind the Scenes of BunnyLoader:****

Unit 42’s **technical write-up** provides a glimpse into the inner workings of BunnyLoader, revealing the tactics and techniques used by its creators to evade detection. From changing file names to mimicking legitimate applications, BunnyLoader employs various strategies to stay hidden from cybersecurity experts.

****Protecting Yourself Against BunnyLoader:****

With the threat of BunnyLoader looming large, it’s more important than ever to stay vigilant and take proactive measures to protect yourself and your online assets. By staying informed about the latest cyber threats and implementing robust security measures, you can minimize the risk of **falling victim to malicious actors**.

1.  95.6% of New Malware in 2022 Targeted Windows
2.  SpyNote Android Spyware Poses as Legit Crypto Wallets
3.  Malware Turns Windows, macOS Devices into Proxy Nodes
4.  Mispadu Stealer’s New Variant Targets Browser Data of Mexicans
5.  Bifrost RAT Variant Targets Linux Devices, Mimics VMware Domain

New Malware “BunnyLoader 3.0” Steals Credentials and Crypto

Debian Linux Security Advisory 5632-1 - It was discovered that composer, a dependency manager for the PHP language, processed files in the local working directory. This could lead to local privilege escalation or malicious code execution. Due to a technical issue this email was not sent on 2024-02-26 like it should have.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5632-1                   security@debian.orghttps://www.debian.org/security/                       Sebastien DelafondFebruary 26, 2024                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : composerCVE ID         : CVE-2024-24821Debian Bug     : 1063603It was discovered that composer, a dependency manager for the PHPlanguage, processed files in the local working directory. This couldlead to local privilege escalation or malicious code execution. Due toa technical issue this email was not sent on 2024-02-26 like it shouldhave.For the oldstable distribution (bullseye), this problem has been fixedin version 2.0.9-2+deb11u2.For the stable distribution (bookworm), this problem has been fixed inversion 2.5.5-1+deb12u1.We recommend that you upgrade your composer packages.For the detailed security status of composer please refer toits security tracker page at:https://security-tracker.debian.org/tracker/composerFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQEzBAEBCgAdFiEEAqSkbVtrXP4xJMh3EL6Jg/PVnWQFAmX0DyUACgkQEL6Jg/PVnWSBoggAmRdaBN8p7agJH0S2fvEJWuF+gFAAY4112EeOzbHwk/Bm6EuTY9VcGTtjHlW8X3t/H1+NW5xejcm1gEaXIE2HHIc1KTaG3ui/kKC2T3ybx0cmnqYWu/TJWmw+nbaneBK74PkXukzFvjuYaOy7a6EgnpNcMhc0b2tc/IqIUOYiePKbg4lio8u6q5rP5uFIJydeqI0IXja6H4N0ub/zOAn6I6C3ToKMa0WnfllmrMaj/JnBbgam3VrT06n63NoW6xZepdMDP3QofOVWWP5HshF/0CH1BGEcKS6AtAaIgARalFMgbP6SU8NDsgNFQ3UCiuR+sTjZc2YA0muIpmBGSPVyAw===y4my-----END PGP SIGNATURE-----

Debian Security Advisory 5632-1

Red Hat Security Advisory 2024-1335-03 - An update for dnsmasq is now available for Red Hat Enterprise Linux 8.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1335.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: dnsmasq security updateAdvisory ID:        RHSA-2024:1335-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1335Issue date:         2024-03-14Revision:           03CVE Names:          CVE-2023-50387====================================================================Summary: An update for dnsmasq is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The dnsmasq packages contain Dnsmasq, a lightweight DNS (Domain Name Server) forwarder and DHCP (Dynamic Host Configuration Protocol) server.Security Fix(es):* dnsmasq: bind9: KeyTrap - Extreme CPU consumption in DNSSEC validator (CVE-2023-50387)* dnsmasq: bind9: Preparing an NSEC3 closest encloser proof can exhaust CPU resources (CVE-2023-50868)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-50387References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2263914https://bugzilla.redhat.com/show_bug.cgi?id=2263917

Red Hat Security Advisory 2024-1335-03

Red Hat Security Advisory 2024-1334-03 - An update for dnsmasq is now available for Red Hat Enterprise Linux 9.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1334.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: dnsmasq security updateAdvisory ID:        RHSA-2024:1334-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1334Issue date:         2024-03-14Revision:           03CVE Names:          CVE-2023-50387====================================================================Summary: An update for dnsmasq is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The dnsmasq packages contain Dnsmasq, a lightweight DNS (Domain Name Server) forwarder and DHCP (Dynamic Host Configuration Protocol) server.Security Fix(es):* dnsmasq: bind9: KeyTrap - Extreme CPU consumption in DNSSECvalidator (CVE-2023-50387)* dnsmasq: bind9: Preparing an NSEC3 closest encloser proof canexhaust CPU resources (CVE-2023-50868)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-50387References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2263914https://bugzilla.redhat.com/show_bug.cgi?id=2263917

Red Hat Security Advisory 2024-1334-03

Red Hat Security Advisory 2024-1332-03 - An update for kernel-rt is now available for Red Hat Enterprise Linux 7. Issues addressed include a use-after-free vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1332.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: kernel-rt security update  
Advisory ID:        RHSA-2024:1332-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1332  
Issue date:         2024-03-14  
Revision:           03  
CVE Names:          CVE-2022-42896  
====================================================================

Summary: 

An update for kernel-rt is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

* sched/membarrier: reduce the ability to hammer on sys_membarrier (CVE-2024-26602)

* use-after-free in l2cap_connect and l2cap_le_connect_req in net/bluetooth/l2cap_core.c (CVE-2022-42896)

* use-after-free in sch_qfq network scheduler (CVE-2023-4921)

* IGB driver inadequate buffer size for frames larger than MTU (CVE-2023-45871)

* fbcon: out-of-sync arrays in fbcon_mode_deleted due to wrong con2fb_map assignment (CVE-2023-38409)

* nf_tables: use-after-free vulnerability in the nft_verdict_init() function (CVE-2024-1086)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2022-42896

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2147364  
https://bugzilla.redhat.com/show_bug.cgi?id=2230042  
https://bugzilla.redhat.com/show_bug.cgi?id=2244723  
https://bugzilla.redhat.com/show_bug.cgi?id=2245514  
https://bugzilla.redhat.com/show_bug.cgi?id=2262126  
https://bugzilla.redhat.com/show_bug.cgi?id=2267695

Red Hat Security Advisory 2024-1332-03

Red Hat Security Advisory 2024-1327-03 - An update for the gimp:2.8 module is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions. Issues addressed include a buffer overflow vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1327.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: gimp:2.8 security updateAdvisory ID:        RHSA-2024:1327-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1327Issue date:         2024-03-14Revision:           03CVE Names:          CVE-2023-44442====================================================================Summary: An update for the gimp:2.8 module is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The GIMP (GNU Image Manipulation Program) is an image composition and editing program. GIMP provides a large image manipulation toolbox, including channel operations and layers, effects, sub-pixel imaging and anti-aliasing, and conversions, all with multi-level undo.Security Fix(es):* gimp: PSD buffer overflow RCE (CVE-2023-44442)* gimp: psp off-by-one RCE (CVE-2023-44444)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-44442References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2249942https://bugzilla.redhat.com/show_bug.cgi?id=2249946

Red Hat Security Advisory 2024-1327-03

Debian Linux Security Advisory 5640-1 - Two vulnerabilities were discovered in Open vSwitch, a software-based Ethernet virtual switch, which could result in a bypass of OpenFlow rules or denial of service.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5640-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffMarch 14, 2024                        https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : openvswitchCVE ID         : CVE-2023-3966 CVE-2023-5366 Debian Bug     : 1063492Two vulnerabilities were discovered in Open vSwitch, a software-basedEthernet virtual switch, which could result in a bypass of OpenFlowrules or denial of service.For the oldstable distribution (bullseye), these problems have been fixedin version 2.15.0+ds1-2+deb11u5. This update also adresses a memory leaktracked as CVE-2024-22563.For the stable distribution (bookworm), these problems have been fixed inversion 3.1.0-2+deb12u1.We recommend that you upgrade your openvswitch packages.For the detailed security status of openvswitch please refer toits security tracker page at:https://security-tracker.debian.org/tracker/openvswitchFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmXy+NgACgkQEMKTtsN8TjasEQ//V4q2/qeHlZk+Sr/73jLvDOA7u6O+FxGGi+LHBiYIoUlD+E2jEq/pAzaK/hlpHCKO1g5bkf7/TcA9TaMyxo498LmT6/TX6SNB+lxOcJQlS8KyT/JtNQt31nk4LND1IU/WFliMdNQoqwYgZVp6innCmb2hTYcxTKeGeQndnaTRIGo/FShxgCBZHwOJKB39eg0hQCDgx1DzfkA0e9u/I7Vq4MKEitV5u1H+Uf9embZaUsfwJCSaeshuxmp4U20r2V9hxXVYrhAeFWYGiDEY+Di4O9fDOVLw2An19ncQjDquLfRYqdys8AMxzi3+Vm0VasMAmZlEhdjcSjtotMI3tjgLcWGOz8BGdBUTAKK0FMtzPHLMhjfJ/cpC6jxZ19ZJcD3OUDIA6nf4CZjW4BOCImukqm9EUJtcQFZAGONdkelNYiz6V5R6IpbAVtLPVkx5yyWWEPXau6eZKhKO0aMcBiAGUYs2LI0rmrmPBdTtQcZJmTx7U+jZiPO6Dx0YP5DMwY23Z8GWPZeDX/2C8HBPqAMKfsWzIOEcXJ0HlAnVyJnC7XGBb+q4W+RFDWhcXYbi40SyyHrDqYBg/ne7WxEnmzfMk3F9cqRCn+owV2lbYxYRKIDZngyg2JK3sdjMUfnFE+5D8QRvxQQMYM9H8q3iBzR1KVEi6cpUUoTZCz6qI5rcH6E==ZEHS-----END PGP SIGNATURE-----

Debian Security Advisory 5640-1

There are a few reasons why we’re so ready to jump to the “it’s a cyber attack!”

Thursday, March 14, 2024 14:00

Some of my Webex rooms recently have been blowing up with memes about blaming Canada or wild speculation that a state-sponsored actor is carrying out some sort of major campaign.  

After a widespread outage of cellular service with AT&T and other carriers a few weeks ago, people were sure it was some sort of coordinated attack to disrupt Americans’ services that largely power our day-to-day lives. The outage lasted about 11 hours, and after the fact, the company announced they’d give customers a whopping $5 credit to make up for the issue. The Federal Communications Commission also announced last week that it was launching a formal investigation into the outage, requesting more information about the exact cause and how many users were affected.  

About two weeks later, the same kinds of messages and questions to our team came flooding in when Meta experienced an outage across many of its platforms, most notably Facebook, Instagram and Threads. Though this only lasted a few hours, any time Americans can’t access their Instagram feeds, it’s going to make headlines. 

In both cases, consumers immediately wanted to start pointing fingers — Which actor was behind these? Why is there so little information about this outage? Is this China getting revenge for talk of forcing a TikTok sale? What’s the broader conspiracy behind this? The outages also quickly opened the door for some of the world’s chief spreaders of misinformation and fake news to start spreading conspiracy theories. 

The problem is, not every technical issue can or needs to be explained away by a cyber attack. That’s not to undersell the danger that state-sponsored APTs pose currently, or the fact that they \*could\* one day cause a disruption like this. But jumping to that conclusion every time Down Detector pops off is only going to spread fear/FUD and help these outlets for disinformation reach a larger audience.  

It creates a “boy who cried wolf” situation for when a major cyber attack actually does happen, and the average consumer is forced to make an immediate update to some piece of software or hardware. 

There are a few reasons why we’re so ready to jump to the “it’s a cyber attack!” conclusion. One is that Hollywood has been “glamorizing” the idea of a major cyber attack or major disruption for years now. Movies and TV shows like Netflix’s “Leave the World Behind” have dramatized what a major cyber attack or internet outage may look like, and how quickly it could lead to the unraveling of civilization. Because of our current doomscrolling culture, the second something even looks like it could be a cyber event, we’re ready to declare the end of our economy and society. 

It’s also sexier when it’s a cyber attack. AT&T says its outage was caused by a technical error that occurred when it was trying to upgrade its network’s capacity, explicitly stating it was not caused by any sort of disruption campaign or cyber attack. Meta simply chalked their outage up to a “technical issue.”  

None of these things make for good headlines. But sometimes, the simplest explanation is the most obvious one — we’ve all pressed a wrong button here or there, and stuff breaks on the internet all the time for all sorts of reasons. But “Users logged out of Instagram after Meta employee hits ‘enter’ too soon” isn’t as eye-catching as “Are Instagram and Facebook down because of a cyber attack?” 

Could these multi-billion-dollar corporations be lying? Sure, but I also find it hard enough to believe that the truth would not have made it out to consumers by now if these outages weren’t simple technical issues, nor would AT&T feel compelled to reimburse customers for something that could be totally out of their control. 

And if you ever get logged out of Facebook or Instagram, maybe you’re just better off being offline for a few hours anyway than immediately assuming Mahershala Ali is going to be knocking on your vacation home’s door in any minute.   

**The one big thing **

We want to keep reminding users to update and upgrade their network infrastructure. Aging devices like switches and routers that are used across the globe are a consistently vulnerable surface for adversaries to gain an initial foothold onto targeted networks. Talos recently highlighted the three most common post-compromise attacks that adversaries carry out after compromising these types of vulnerable devices, including modifying the device’s firmware and downgrading the firmware to remove older patches and open the door to new exploitable vulnerabilities. Nick Biasini from Talos Outreach also spoke about this issue for an article in NetworkWorld.  

**Why do I care? **

As Hazel Burton puts it in the blog post linked above: “Adversaries, particularly APTs, are capitalizing on this scenario to conduct hidden post-compromise activities once they have gained initial access to the network. The goal here is to give themselves a greater foothold, conceal their activities, and hunt for data and intelligence that can assist them with their espionage and/or disruptive goals. Think of it like a burglar breaking into a house via the water pipes. They’re not using “traditional” methods such as breaking down doors or windows (the noisy smash-and-grab approach) — they’re using an unusual route, because no one ever thinks their house will be broken into via the water pipes. Their goal is to remain stealthy on the inside while they take their time to find the most valuable artefacts.” 

**So now what? **

If you are using network infrastructure that is end of life, out of support, and now has vulnerabilities that cannot be patched, now really is the time to replace those devices. Using networking equipment that has been built with secure-by-design principles such as running secure boot, alongside having a robust configuration and patch management approach, is key to combatting these types of threats. Ensure that these devices are being watched very carefully for any configuration changes and patch them promptly whenever new vulnerabilities are discovered.   

**Top security headlines of the week **

**Security researchers have found a new vulnerability affecting chips made by nearly all major CPU makers dubbed “GhostRace.”** The vulnerability, identified as CVE-2024-2193, requires an adversary to win a race condition and to have physical or privileged access to the targeted machine. However, it could allow a malicious user to steal potentially sensitive information from memory like passwords and encryption keys. "The vulnerability affects many CPU architectures, including those made by Intel, AMD, Arm and IBM. It also affected some hypervisor vendors and the Linux operating system. AMD released an advisory this week that informed customers that they should follow previous defense guidance for other security flaws like Spectre that have affected CPUs in the past. “Our analysis shows all the other common write-side synchronization primitives in the Linux kernel are ultimately implemented through a conditional branch and are therefore vulnerable to speculative race conditions,” VU Amsterdam said in its blog post disclosing GhostRace. (SecurityWeek, Vrije Universiteit Amsterdam) 

**Health care providers are still reeling from a cyber attack on Change Healthcare**, a subsidiary of the United HealthGroup Inc. insurance provider. First Health Advisory, a digital health risk assurance firm, recently estimated that health care providers are losing an estimated $100 million daily as they still cannot process payments from insurance providers. Change first disclosed the suspected ransomware attack in late February, and on March 5, the U.S. government announced a plan to provide relief payments for providers who are facing financial shortfalls due to the outage. Many doctors' offices and care clinics are facing late rent payments and unpaid invoices. The attack has also limited some patients’ ability to obtain pre-authorization for certain services and surgeries, and others have not been able to refill their prescriptions at hospitals. U.S. Congress is also asking the CEO of United HealthGroup to appear before a committee to answer questions about the hack. (CBS News, Bloomberg) 

**The U.S. has placed formal sanctions against two individuals and five entities associated with the Intellexa Consortium,** responsible for developing and distributing the Predator spyware. Talos has previously reported on Intellexa’s tools, and how their spyware is silently loaded onto targeted devices. This is the first time the Treasury Department has sanctioned a spyware organization and announced it publicly. The sanctions include five vendors who work with Intellexa to sell the spyware, all of whom are spread across Europe. Intellexa itself is based in Greece. Predator and other spyware developed by private parties are often used to target high-risk individuals to track their communication and movement, including politicians, journalists, activists and political dissidents. Under the sanctions, anyone in the U.S. is forbidden from doing business with Intellexa or the associated companies and individuals. The Biden administration has long pushed for additional action against spyware makers, including Israel-based NSO Group, which distributes the Pegasus spyware. (Voice of America, Axios) 

**Can’t get enough Talos? **

*   Threat actors leverage document publishing sites for ongoing credential and session token theft 
*   Heather Couk is here to keep your spirits up during a cyber emergency, even if it takes the “Rocky” music 
*   Another Patch Tuesday with no zero-days, only two critical vulnerabilities disclosed by Microsoft 
*   Talos Takes Ep. #175: What's new about GhostSec's ransomware-as-a-service model 

**Upcoming events where you can find Talos **

**Botconf** **(April 23 - 26)** 

_Nice, Côte d'Azur, France_

> _This presentation from Chetan Raghuprasad details the Supershell C2 framework. Threat actors are using this framework massively and creating botnets with the Supershell implants._

**CARO Workshop 2024** **(May 1 - 3)** 

_Arlington, Virginia_

> Over the past year, we’ve observed a substantial uptick in attacks by YoroTrooper, a relatively nascent espionage-oriented threat actor operating against the Commonwealth of Independent Countries (CIS) since at least 2022. Asheer Malhotra's presentation at CARO 2024 will provide an overview of their various campaigns detailing the commodity and custom-built malware employed by the actor, their discovery and evolution in tactics. He will present a timeline of successful intrusions carried out by YoroTrooper targeting high-value individuals associated with CIS government agencies over the last two years.

**RSA** **(May 6 - 9)** 

_San Francisco, California_   

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
**MD5:** 7bdbd180c081fa63ca94f9c22c457376   
**Typical Filename:** c0dwjdi6a.dll   
**Claimed Product:** N/A    
**Detection Name:** Trojan.GenericKD.33515991 

**SHA 256:** 24283c2eda68c559f85db7bf7ccfe3f81e2c7dfc98a304b2056f1a7c053594fe   
**MD5:** 49ae44d48c8ff0ee1b23a310cb2ecf5a   
**Typical Filename:** nYzVlQyRnQmDcXk   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::tpd 

**SHA 256:** e38c53aedf49017c47725e4912fc7560e1c8ece2633c05057b22fd4a8ed28eb3   
**MD5:** c16df0bfc6fda86dbfa8948a566d32c1   
**Typical Filename:** CEPlus.docm   
**Claimed Product:** N/A    
**Detection Name:** Doc.Downloader.Pwshell::mash.sr.sbx.vioc 

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f    
**Typical Filename:** VID001.exe    
**Claimed Product:** N/A    
**Detection Name:** Win.Worm.Coinminer::1201 

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934   
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c   
**Typical Filename:** Wextract   
**Claimed Product:** Internet Explorer   
**Detection Name:** W32.File.MalParent

Not everything has to be a massive, global cyber attack

By Waqas
Microsoft's Copilot for Security will be accessible through a pay-as-you-use licensing model.
This is a post from HackRead.com Read the original post: Microsoft is Opening AI-Powered “Copilot for Security” to Public

Microsoft’s innovative security solution, Copilot for Security, will be available to the public from April 1, 2024, marking a significant advancement in the fight against cybercrime.

Microsoft Copilot for Security, initially accessible to select users through an exclusive early access initiative, is an innovative AI-driven tool aimed at fortifying defenders’ capabilities and efficiency in tackling security challenges. The feature is now becoming available to the public, enabling everyone to leverage its benefits.

****What is Microsoft Copilot?****

Copilot is an industry-first **generative AI** solution designed to empower security and IT professionals. It leverages the power of artificial intelligence to analyze vast amounts of data and provide crucial insights, allowing security teams to:

*   **Catch hidden threats:** Copilot’s AI capabilities can uncover subtle anomalies that human analysts might miss, bolstering overall threat detection.
*   **Respond faster:** By automating routine tasks and offering real-time guidance, Copilot streamlines security operations, enabling a quicker response to security incidents.
*   **Boost expertise:** The AI assistant serves as a valuable learning tool, helping security professionals stay up-to-date on the latest threats and best practices.

****Microsoft Copilot for Security: Tailored for the Modern Defender****

This specific feature of Copilot focuses on the unique needs of cybersecurity professionals. It integrates seamlessly with existing security workflows, offering features such as:

*   **Natural language interaction:** Security personnel can interact with Copilot using plain English, asking questions and receiving clear, actionable responses.
*   **Enhanced incident response:** Copilot assists in investigations by analyzing data, suggesting potential causes, and recommending next steps.
*   **Proactive threat hunting:** The AI proactively scans for vulnerabilities and suspicious activity, helping to identify potential threats before they escalate.
*   **Improved posture management:** Copilot continuously monitors an organization’s security posture, providing valuable insights for strengthening defences.

> _“Threat actors are getting more sophisticated. Things happen fast, so we need to be able to respond fast. With the help of Copilot for Security, we can start focusing on automated responses instead of manual responses. It’s a huge gamechanger for us.”_
> 
> Mario Ferket, Chief Information Security Officer, Dow Inc.

****General Availability and Beyond****

Microsoft **announced** the general availability of Copilot for Security on April 1, 2024. This means the solution is now accessible for purchase by any organization seeking to strengthen its cybersecurity efforts.

The future of Copilot appears bright, with Microsoft continuously developing new capabilities. The company emphasizes its commitment to working with security professionals to further refine the solution and ensure it remains a valuable asset in the growing cyber threat landscape.

1.  Microsoft’s new tool detects, reports pedophiles in chats
2.  Kali Linux 2023.4 is Out: Cloud ARM64, Hyper-V, Pi 5, & More!
3.  Microsoft’s Windows File Recovery tool recovers your lost data
4.  Microsoft launches Linux memory forensics tool to detect malware
5.  McAfee’s Mockingbird AI Tool Detects Deepfake with 90% accuracy

Microsoft is Opening AI-Powered “Copilot for Security” to Public

Debian Linux Security Advisory 5639-1 - Security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5639-1                   security@debian.orghttps://www.debian.org/security/                           Andres SalomonMarch 13, 2024                        https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2024-2400Security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the stable distribution (bookworm), this problem has been fixed inversion 122.0.6261.128-1~deb12u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmXx7LIACgkQZF0CR8NudjcWZA/9E8Fv7qz1xdAfgt/f8Iueu24Ct3n2/0yIvZ7GZCEHhyeU7jPaieh3LKL2HIvafH9UWOlU643jHefoX4xQVos3uc8VuXjBAfX0AJrRl0N0JR4am7EpbKJ/WkQjSqpklh9QFbm+0g5iKbhWVA3KI+IZ8wkx/g4QUxYpmF2Pou6xZWIr3RkWX0T2x/Bb4nG9CrVOwQg5BltP6jPln269sU/5Olr6VL3S4KN+1CdBySmXrrhKVsxpbi7qLa9d+czGAjYhAp/2YGCEz67Ib55n/1mhaCL7fqU2cZHBdwqYjTBJqOnsGVJSm8Q7hbJ2i7SaETJkk9oVYIN8XUw2xzdONGS44Xd/rhUesJzsfduYNSD+Yhq+AhqKmxGILshMC+Vz6elNGgG7mKaUwj7/6FtN6VmP0jiVbHMLRpH1ROvph2uENUQYPE/slfkYluNhPTU4BefBnGghyfj6E9HBV3AjWTR/EmsrMUF9+kbs6AEwVlAiVArJorQ63kbRQ5KXFdvJnQ22XDztR+zWwfS5QhQAyEmpdhO/UoFfVyhWnzbfolEUkEmv/MlTFndCoiYWErmqpXLui7Iq66rEgjLJHv2V8s6jJvsT6a75XdjRCaZkCKab/f/pCI6xLZtn2JhL6LkGeY2qpmZOsEwieBbVvsix6ysmmmXIinEmE7Ckf66ENs7TKZw==RmDM-----END PGP SIGNATURE-----

Tag

#linux