The "Code-on-Toast" supply chain cyberattacks by APT37 delivered data-stealing malware to users in South Korea who had enabled Toast pop-up ads.

Source: Eric Anthony Johnson via Alamy Stock Photo

The North Korea-backed advanced persistent threat known as APT37 exploited a zero-day vulnerability in Microsoft's Internet Explorer Web browser over the summer, using it to mount a zero-click supply chain campaign on South Korean targets, researchers revealed.

While IE reached end of life in 2022 and many organizations don't use it anymore, there are plenty of legacy applications that do. In this case, APT37 (aka RedAnt, RedEyes, ScarCruft, and Group123) specifically targeted a Toast ad program that is usually installed alongside various free software, according to AhnLab SEcurity intelligence Center (ASEC). "Toasts" are pop-up notifications that appear at the right-bottom of a PC screen.

"Many Toast ad programs use a feature called WebView to render Web content for displaying ads," according to AhnLab researchers. "However, WebView operates based on a browser. Therefore, if the program creator used IE-based WebView to write the code, IE vulnerabilities could also be exploited in the program."

**A Hot-Buttered Zero-Click Toast Exploit**

According to AhnLab's analysis released last week, the state-sponsored cyberattack group compromised an ad agency, and then used the bug, tracked as CVE-2024-38178 (CVSS 7.5), to inject malicious code into the Toast script the agency uses to download ad content to people's desktops. Instead of ads, the script began delivering malware.

Related:South Korean APT Exploits 1-Click WPS Office Bug, Nabs Chinese Intel

"This vulnerability is exploited when the ad program downloads and renders the ad content," the researchers explained in their report on the attack, which they called "Code on Toast." "As a result, a zero-click attack occurred without any interaction from the user."

The malware delivered is the RokRAT, which APT37 has consistently used in the past.

"After infecting the system, various malicious behaviors can be performed, such as remote commands," the researchers noted, adding, "In this attack, the organization also uses Ruby to secure malicious activity persistence and performs command control through a commercial cloud server."

The campaign had the potential to cause significant damage, they said, but the attack was detected early. "In addition, security measures were also taken against other Toast advertising programs that were confirmed to have the potential for exploitation before the vulnerability patch version was released," according to AhnLab.

**IE Lurks in Apps, Remains a Cyber Threat**

Microsoft patched the bug in its August Patch Tuesday update slate, but the continued use of IE as a built-in component or related module within other applications remains a concerning attack vector, and an incentive for hackers to continue to acquire IE zero-day vulnerabilities.

Related:BlankBot Trojan Targets Turkish Android Users

"Such attacks are not only difficult to defend against with users' attention or antivirus, but can also have a large impact depending on the exploited software," AhnLab researchers explained in the report (PDF, Korean).

They added, "Recently, the technological level of North Korean hacking groups is becoming more advanced, and attacks that exploit various vulnerabilities other than IE are gradually increasing."

Accordingly, users should make sure to keep operating systems and software up to date, but "software manufacturers should also be careful not to use development libraries and modules that are vulnerable to security when developing products," they concluded.

Translation provided by Google Translate.

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

DPRK Uses Microsoft Zero-Day in No-Click Toast Attacks

Researchers at Microsoft discovered a new macOS vulnerability, “HM Surf” (CVE-2024-44133), which bypasses TCC protections, allowing unauthorized access…

Researchers at Microsoft discovered a new macOS vulnerability, “HM Surf” (CVE-2024-44133), which bypasses TCC protections, allowing unauthorized access to sensitive data like the camera and microphone. Patch now to stay protected.

A vulnerability discovered by cybersecurity researchers at Microsoft Threat Intelligence in macOS allows attackers to bypass the operating system’s Transparency, Consent, and Control (TCC) technology, granting unauthorized access to sensitive user data.

Dubbed “HM Surf” by researchers; researchers warned that active exploitation may be taking place. The vulnerability has been assigned CVE-2024-44133.

The HM Surf vulnerability involves removing the TCC protection for the **Safari browser** directory and modifying a configuration file, enabling attackers to access users’ browsing history, camera, microphone, and location without their consent. The vulnerability is serious as it also allows attackers to gather sensitive information and use it for malicious purposes.

****How the Vulnerability Works****

The **TCC technology** prevents apps from accessing users’ personal information without their prior consent and knowledge. However, the HM Surf vulnerability exploits a weakness in the way TCC protects the Safari browser directory. By removing the TCC protection and modifying the configuration file, attackers can gain access to sensitive user data.

Microsoft’s blog post shared with Hackread.com ahead of publishing on October 18, 2024, detected “potential exploitation” activity associated with **Adload**, a prevalent macOS malware (adware) family.

The company’s behavioural monitoring protections in Microsoft Defender for Endpoint have identified suspicious activity, including anomalous modification of the Preferences file through HM Surf or other methods.

**John Bambenek**, President at Bambenek Consulting weighed in on the situation, urging users to install patches and save their data, especially their videos.

_“_In essence, this is a privilege escalation vulnerability that requires executing malicious instructions on the victim machine, which running malware could do and the most obvious risk here is to target home users to try to capture video of a victim in a compromising position for later sextortion use,_“_ John warned. _“_Security teams should update, however, it is important to have defences in place that prevent malware getting on the machines in the first place._“_

****Apple’s Response****

Apple has released a fix for the vulnerability as part of **security updates for macOS Sequoia**, which was released on September 16, 2024. The company has also introduced new APIs for App Group Containers that make System Integrity Policy (SIP) protect configuration files from being modified by an external attacker.

To protect themselves from this vulnerability, macOS users are urged to apply the security updates as soon as possible. Additionally, users should be cautious when granting permissions to apps and ensure that they only allow access to sensitive information when necessary.

****Install Patches ASAP!****

The identification, reporting, and patching of the HM Surf vulnerability highlight one key point: cross-platform threat intelligence sharing is essential for a secure cybersecurity future. Businesses and users should install the security patches released by Apple in September. For the future, it’s recommended to enable auto-updates on macOS devices so that such threats are automatically addressed with new security updates.

1.  **Apple Safari Safest, Google Chrome Riskiest Browser**
2.  **Apple Issues Device Updates to Patch Critical Vulnerability**
3.  **Hackers Could Exploit Microsoft Teams on macOS to Steal Data**
4.  **Scylla Ad Fraud on iOS, Android Users Halted by Apple and Google**
5.  **Apple Shortcuts Vulnerability Exposes Sensitive Data, Update Now!**

“HM Surf” macOS Flaw Lets Attackers Access Camera and Mic – Patch Now!

Unknown threat actors have been observed attempting to exploit a now-patched security flaw in the open-source Roundcube webmail software as part of a phishing attack designed to steal user credentials.
Russian cybersecurity company Positive Technologies said it discovered last month that an email was sent to an unspecified governmental organization located in one of the Commonwealth of

Vulnerability / Email Security

Unknown threat actors have been observed attempting to exploit a now-patched security flaw in the open-source Roundcube webmail software as part of a phishing attack designed to steal user credentials.

Russian cybersecurity company Positive Technologies said it discovered last month that an email was sent to an unspecified governmental organization located in one of the Commonwealth of Independent States (CIS) countries. However, it bears noting that the message was originally sent in June 2024.

"The email appeared to be a message without text, containing only an attached document," it said in an analysis published earlier this week.

"However, the email client didn't show the attachment. The body of the email contained distinctive tags with the statement eval(atob(...)), which decode and execute JavaScript code."

The attack chain, per Positive Technologies, is an attempt to exploit CVE-2024-37383 (CVSS score: 6.1), a stored cross-site scripting (XSS) vulnerability via SVG animate attributes that allows for execution of arbitrary JavaScript in the context of the victim's web browser.

Put differently, a remote attacker could load arbitrary JavaScript code and access sensitive information simply by tricking an email recipient into opening a specially-crafted message. The issue has since been resolved in versions 1.5.7 and 1.6.7 as of May 2024.

"By inserting JavaScript code as the value for "href", we can execute it on the Roundcube page whenever a Roundcube client opens a malicious email," Positive Technologies noted.

The JavaScript payload, in this case, saves the empty Microsoft Word attachment ("Road map.docx"), and then proceeds to obtain messages from the mail server using the ManageSieve plugin. It also displays a login form in the HTML page displayed to the user in a bid to deceive victims into providing their Roundcube credentials.

In the final stage, the captured username and password information is exfiltrated to a remote server ("libcdn\[.\]org") hosted on Cloudflare.

It's currently not clear who is behind the exploitation activity, although prior flaws discovered in Roundcube have been abused by multiple hacking groups such as APT28, Winter Vivern, and TAG-70.

"While Roundcube webmail may not be the most widely used email client, it remains a target for hackers due to its prevalent use by government agencies," the company said. "Attacks on this software can result in significant damage, allowing cybercriminals to steal sensitive information."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Hackers Exploit Roundcube Webmail XSS Vulnerability to Steal Login Credentials

Plus: The alleged SEC X account hacker gets charged, Kroger wriggles out of a face recognition scandal, and Microsoft deals with missing customer security logs.

In what may be a first, the US Department of Justice this week charged a hacker with attempting to cause injury and death by launching distributed denial-of-service (DDoS) attacks against hospitals. Ahmed Omer and his brother Alaa are accused of carrying out a cyberattack spree that targeted hundreds of victims under the hacktivist banner Anonymous Sudan. The group’s DDoS victims included Microsoft’s Azure cloud services, OpenAI’s ChatGPT, and Israel’s missile alert system, according to prosecutors. It was the brothers’ alleged attacks on hospitals, however, that drew the most serious accusations from the Justice Department, which singled out Ahmed for allegedly seeking to kill people with the crude cyberattacks that overwhelm systems, knocking them offline.

If someone told you there’s a tool that can—using only open source information—create a “cyber profile” of you that can locate your phone in real time or place you at the scene of a crime at any date in the past, would you believe them? Canadian firm Global Intelligence claims to have created such a tool, dubbed Cybercheck, which it has sold to police departments across the US. Cybercheck-generated reports have been used to help convict at least two people of murder. However, a WIRED investigation found that Cybercheck’s reports have produced information that is either inaccurate or impossible to verify. And open source experts say some of the information Cybercheck claims to include—such as a device’s pings to a specific wireless network—would be impossible to obtain from publicly available sources.

The scourge of nonconsensual deepfake images has continued to proliferate, including on Telegram, where millions of people used “nudify” bots to “remove the clothes” of anyone—usually women and girls. A WIRED investigation identified 50 such bots and 25 channels linked to the creation of these abusive AI-generated explicit images. Telegram removed all 75 channels and bots after WIRED reached out, but many of them will likely respawn.

The slow death of the password may have gotten a speed boost this week. The FIDO Alliance, a tech industry association, announced new efforts to help hasten the adoption of passkeys, the cryptographically generated codes that are already replacing less-secure passwords. These efforts include a new Credential Exchange Protocol, which makes it easier to migrate passkeys between platforms and devices, and Passkey Central, a resource for company IT departments that aims to make it easier for organizations to adopt passkeys.

A group of researchers revealed this week that they created an algorithm that generates a malicious prompt capable of instructing an AI chatbot to identify personal information fed into it by a user and secretly send it to an attacker.

Finally, we went back in time to explore how well the US Army’s “solider of tomorrow,” unveiled 65 years ago this week, predicted the future of US military tech.

And that’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

If you use uBlock Origin’s Chrome extension to filter out online ads, expect to get mildly annoyed in the near future. Google has begun implementing new Chrome extension standards, called Manifest V3, that will disable the legacy version of uBlock Origin’s extension that most users likely have installed. And while you might be thinking, “Google is a silverback gorilla of online advertising, of course they’re finally forcing me to see ads!” there is some good news. A new version of the ad-filtering extension that meets the Manifest V3 standards, uBlock Origin Lite, is now available. Then again, it won’t block as much as the previous iteration of uBlock. Still, as a Google spokesperson told The Verge, you have options: “The top content filtering extensions all have Manifest V3 versions available — with options for users of AdBlock, Adblock Plus, uBlock Origin and AdGuard.” Either way, you’ll need to install a new extension soon.

**Alabama Man Charged in Hack of the SEC’s X Account**

US authorities announced charges this week against a 25-year-old Alabama man accused of hacking the Security and Exchange Commission’s X account. Prosecutors claim Eric Council Jr. obtained personal information and the materials for a fake ID of a person who controlled the @SECGov account from unidentified coconspirators. Council allegedly used the fake ID to carry out a SIM-swapping attack, duping AT&T retail store staff into giving him a new SIM card, which he ultimately used to take control of the victim’s phone account. The coconspirators used that to gain access to the SEC’s X account, where they posted a fake announcement about Bitcoin’s regulatory status, which was followed by a price jump of $1,000 per bitcoin. Council stands charged of conspiracy to commit aggravated identity theft and access device fraud.

**Kroger Says It Won’t Use Facial Recognition in Its Grocery Stores**

The grocery store chain Kroger has never used facial-recognition technology broadly in its stores and has no current plans to, a spokesperson told Fast Company this week. The company has been facing a firestorm over its use of electronic shelving labels over concerns that ESLs could be used to impose surge pricing on popular items, and fears that the devices could also be deployed with facial recognition. The company did a single-store facial-recognition pilot of a technology called EDGE in 2019, but it did not move forward with the service. US lawmakers including Rashida Tlaib, Elizabeth Warren, and Robert Casey have publicly raised concerns about Kroger’s use of ESLs.

**Microsoft Is Missing More Than 2 Weeks of Cloud Customers’ Security Logs**

Microsoft told customers that it failed to capture more than two weeks of security logs from certain cloud services in September, including Microsoft Entra, Sentinel, Defender for Cloud, and Purview. News of the lost logs was first reported by Business Insider. The company said in the notification that “a bug in one of Microsoft’s internal monitoring agents resulted in a malfunction in some of the agents when uploading log data to our internal logging platform.” The blank extends from September 2 to September 19. A Microsoft executive confirmed to TechCrunch that the incident was caused by an “operational bug within our internal monitoring agent.”

System activity logs are crucial for all sorts of operations and are particularly used for security monitoring and investigations, because they can expose breaches and malicious activity. After Russian hackers breached US government networks through SolarWinds software in 2020, many agencies couldn’t detect the activity in their Microsoft Azure cloud services because they weren’t paying for Microsoft’s premium tier features, so they didn’t have adequate network activity logs. Lawmakers were outraged about the up-charge, and the Biden administration worked for more than two years to get Microsoft to make the logging services free. The company ultimately announced the change in July 2023.

Google Chrome’s uBlock Origin Purge Has Begun

A nascent threat actor known as Crypt Ghouls has been linked to a set of cyber attacks targeting Russian businesses and government agencies with ransomware with the twin goals of disrupting business operations and financial gain.
"The group under review has a toolkit that includes utilities such as Mimikatz, XenAllPasswordPro, PingCastle, Localtonet, resocks, AnyDesk, PsExec, and others,"

Network Security / Data Breach

A nascent threat actor known as **Crypt Ghouls** has been linked to a set of cyber attacks targeting Russian businesses and government agencies with ransomware with the twin goals of disrupting business operations and financial gain.

"The group under review has a toolkit that includes utilities such as Mimikatz, XenAllPasswordPro, PingCastle, Localtonet, resocks, AnyDesk, PsExec, and others," Kaspersky said. "As the final payload, the group used the well-known ransomware LockBit 3.0 and Babuk."

Victims of the malicious attacks span government agencies, as well as mining, energy, finance, and retail companies located in Russia.

The Russian cybersecurity vendor said it was able to pinpoint the initial intrusion vector in only two instances, with the threat actors leveraging a contractor's login credentials to connect to the internal systems via VPN.

The VPN connections are said to have originated from IP addresses associated with a Russian hosting provider's network and a contractor's network, indicating an attempt to fly under the radar by weaponizing trusted relationships. It's believed that the contractor networks are breached by means of VPN services or unpatched security flaws.

The initial access phase is succeeded by the use of NSSM and Localtonet utilities to maintain remote access, with follow-on exploitation facilitated by tools such as follows -

*   XenAllPasswordPro to harvest authentication data
*   CobInt backdoor
*   Mimikatz to extract victims' credentials
*   dumper.ps1 to dump Kerberos tickets from the LSA cache
*   MiniDump to extract login credentials from the memory of lsass.exe
*   cmd.exe to copy credentials stored in Google Chrome and Microsoft Edge browsers
*   PingCastle for network reconnaissance
*   PAExec to run remote commands
*   AnyDesk and resocks SOCKS5 proxy for remote access

The attacks end with the encryption of system data using publicly available versions of LockBit 3.0 for Windows and Babuk for Linux/ESXi, while also taking steps to encrypt data present in the Recycle Bin to inhibit recovery.

"The attackers leave a ransom note with a link containing their ID in the Session messaging service for future contact," Kaspersky said. "They would connect to the ESXi server via SSH, upload Babuk, and initiate the encryption process for the files within the virtual machines."

Crypt Ghouls' choice of tools and infrastructure in these attacks overlaps with similar campaigns conducted by other groups targeting Russia in recent months, including MorLock, BlackJack, Twelve, Shedding Zmiy (aka ExCobalt)

"Cybercriminals are leveraging compromised credentials, often belonging to subcontractors, and popular open-source tools," the company said. "The shared toolkit used in attacks on Russia makes it challenging to pinpoint the specific hacktivist groups involved."

"This suggests that the current actors are not only sharing knowledge but also their toolkits. All of this only makes it more difficult to identify specific malicious actors behind the wave of attacks directed at Russian organizations."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Crypt Ghouls Targets Russian Firms with LockBit 3.0 and Babuk Ransomware Attacks

Microsoft researchers toyed with app permissions to uncover CVE-2024-44133, using it to access sensitive user data. Adware merchants may have as well.

Source: Delphotos via Alamy Stock Photo

A security weakness in the Safari browser on macOS devices might have exposed users to spying, data theft, and other forms of malware.

The issue is enabled by the special permissions Apple gives to its proprietary apps — in this case, its browser — and the ease with which an attacker can reach important app configuration files. In the end, it allows an attacker to bypass the Transparency, Consent, and Control (TCC) security layer that MacBooks use to guard sensitive data. Its CVE entry, CVE-2024-44133, has earned a "medium" severity 5.5 rating in the Common Vulnerability Scoring System (CVSS).

Researchers from Microsoft have named their exploit of CVE-2024-44133 "HM Surf." In a new blog post, they described how HM Surf could open the door to a user's browsing data, camera, and microphone, as well as their device's location, among other things. And the threat doesn't only appear to be theoretical: There's already inconclusive but not insignificant evidence to suggest that one adware program has already exploited CVE-2024-44133, or something quite like it, in the wild.

Apple released a fix for CVE-2024-44133 in its update to macOS Sequoia back on Sept. 16.

"It's a serious concern, because of the unauthorized access it gives," says Xen Madden, cybersecurity expert at Menlo Security, emphasizing the need for organizations to update their macOS devices. But, she adds, "By the looks of it, most EDR tools will detect it, especially since Microsoft Defender is detecting it."

**Exploiting HM Surf**

In any and all Apple devices, TCC is there to manage what sensitive data and features apps can access. If some app wants to access your camera, for example, thanks to TCC, you can rest assured that your Mac will ask for your permission first.

Unless your app has a special "entitlement." Some of Apple's proprietary apps possess entitlements — special permissions, approved by Apple, which allow them unique privileges compared to other apps. The core of why HM Surf works is Safari's entitlement, "com.apple.private.tcc.allow," which allows it to bypass TCC at an app level, and apply it only on a per website ("per origin") basis. In other words, Safari can freely access your camera and microphone as it wishes, but any given website you visit through Safari likely cannot.

Safari's configuration — including the rules that define per-origin TCC protections — are stored in various files under ~/Library/Safari, within the user's home directory. Manipulating these files could provide a path to TCC bypass, though the home directory is itself TCC protected.

Getting around that roadblock is simple, though, using the autological directory service command line utility (DSCL), a tool in macOS for managing directory services from the command line. In HM Surf, DSCL is used to temporarily change the home directory, removing the TCC umbrella shielding ~/Library/Safari. Now they could modify Safari's per-origin TCC configurations — allowing all kinds of permissions for a malicious website of their own creation — before ultimately reinstating the home directory. Thereafter, if a user visited the malicious site, the site would have full rein to capture screenshots, location data, and more, without ever triggering a permission pop-up.

**Was CVE-2024-44133 Already Exploited?**

After concocting their exploit, Microsoft started scanning customer environments for activity that aligned with what they'd found. On one device, lo and behold, they spotted something quite closely resembling what they were looking for.

It was a program digging into the victim's Chrome configuration settings, adding approval for microphone and camera access to a specific URL. It also did more: gathering user and device information, laying the groundwork for a second-stage payload.

This program, it turned out, was a well-known macOS adware program called "AdLoad." AdLoad hijacks and redirects browser traffic, pestering users with unwanted advertisements. It also goes further: harvesting user data, turning infected devices into nodes in a botnet, and acting as a staging ground for further malicious payloads.

In its blog post, Microsoft noted that though AdLoad's activity closely resembled the HM Surf technique, "Since we weren’t able to observe the steps taken leading to the activity, we can’t fully determine if the AdLoad campaign is exploiting the HM surf vulnerability itself." Still, it added, "Attackers using a similar method to deploy a prevalent threat raises the importance of having protection against attacks using this technique."

Dark Reading has contacted both Apple and Microsoft for further comment on this story.

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

MacOS Safari 'HM Surf' Exploit Exposes Camera, Mic, Browser Data

Adoption of the email authentication and policy specification remains low, and only about a tenth of DMARC-enabled domains enforce policies. Everyone is waiting for major email providers to get strict.

Source: TierneyMJ via Shutterstock

The state of DMARC email authentication and security standard looked so promising at the beginning of 2024.

Google and Yahoo had set a deadline of February 2024 for bulk email senders to adopt a Domain-based Message Authentication, Reporting and Conformance (DMARC) policy, and as companies scrambled to meet the deadline, the number of email domains with a valid DMARC record jumped 60% in two months. As of September, nearly 6.8 million domains have email sender authentication configured.

Even with that surge earlier in the year, the reality is that businesses continue to be slow in setting up email authentication on their domains. The adoption lag is especially pronounced in making the switch from DMARC's minimum-baseline policy of 'p=none' to more stringent policies. Enforcement means non-authenticated emails get quarantined or rejected. The share of DMARC-enabled domains with an enforced policy has actually gone down from a high of 18% a year ago, to less than 14% today.

While Google's and Yahoo's actions forced many companies to adopt DMARC, most of them — spurred by concerns about blocking legitimate messages — haven't adopted the quarantine or reject policies, says Seth Blank, chief technology officer at Valimail, a provider of email security services.

"Google and Yahoo put the requirements out, the ecosystem got a shot in the arm, and the message was heavily about security — so the people who cared about security did something," Blank says. "There's still a large part of this market that has not moved, hasn't taken any steps, even this bare minimum that we're seeing here."

The DMARC protocol aims to add authentication to the Internet's email infrastructure, requiring that email senders adopt two verification technologies — Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) — and specify a policy for how other servers should handle mail from a sender not part of an authorized domain. In October 2023, Google and Yahoo required that email marketers — anyone sending more than 5,000 emails daily through the services — set up DMARC. The move resulted in a significant reduction in non-authenticated emails, with Google seeing two-thirds less (65%) unauthenticated messages sent to Gmail users and 265 billion fewer unauthenticated message sent so far this year, according to company data released last week.

**Fear, Uncertainty, and DMARC**

The adoption rate of DMARC has roughly doubled over the past year — from about 55,000 domains adding new DMARC records each month in 2023, to 110,000 domains per month in Q3 2024, according to Valimail data. Yet, even at that rate, it would still take nearly 15 more years for the top 25 million domains to get on board.

Source: Author, with data from Valimail

Moreover, DMARC adoption has been spotty. While more than 60% of the organizations in some industries, such as manufacturing and healthcare, have adopted DMARC, only one in five have actually moved from the lowest security policy ('p=none') to the highest ('p=reject,') according to data from EasyDMARC, an email-authentication services firm. Some sectors, such as non-profits and charity organizations, have increased adoption over the year, but fewer than 8% of domains are using DMARC.

Because email is critical to business operations, organizations worry that stricter enforcement will result in lost messages, especially because DMARC is not necessary an easy technology to implement and maintain, says Kelly Molloy, director of network development for DomainTools, an internet intelligence firm.

"The fear is, especially if you are a company who depends on leads via email, is that you're going to miss messages from interested parties — from customers and potential customers — if you start doing \[strict enforcement\]," she says, adding: "A lot of companies are being conservative and are not going farther than they really need to ... because it does take resources."

**Waiting for the Other Shoe to Drop**

The stalled adoption cycle will likely attract another major move by Google, Yahoo and other large consumer email services, says Hagop Khatchoian, technical services team lead at EasyDMARC.

"They \[Google and Yahoo\] are just forcing everyone to have at least 'p=none' ... to just have a basic policy without any enforcement — we foresee that will be changed in the next few years," he says. "But you can't just go on and tell everyone, 'Hey, you need 'p=reject,' ... because if you have a small misconfiguration in your email ecosystem, and you have an enforced policy, then your own legitimate emails will be blocked as well."

Valimail's Blank agrees, noting that the major email services — Google, Microsoft and Yahoo, as well as major email providers in other countries — are unlikely to wait long before again turning the screws on unauthenticated email.

"The sending community or the receiving community will mandate the next steps, because they know \[authentication\] is the single most important input into their system — being able to know who sent an email with far more certainty," he says. "We're going to see more action there ... and it will take years, but it's not going to be five to ten years. It's probably two, three, maybe four."

**None's Not Nothing, But Close to It**

With another DMARC-push in the cards from major email services, organizations should plan to shift their DMARC policy from 'none' to a higher level of enforcement.

The three levels of enforcement are:

*   p=none — Mail that fails authentication checks are still delivered.
    
*   p=quarantine — Any authentication failure results in email being quarantined, possibly delivered to a user's spam folder or to an organization's quarantine storage.
    
*   p=reject — Authentication failure leads to the email being discarded, although some service providers may instead quarantine the email in a separate folder.
    

Every enforcement level can produce reports, and companies should monitor the reports to check for issues and anomalies, says Valimail's Blank.

"DMARC at 'p=none' with no reporting is syntactically equivalent to not having DMARC at all," he says. "The value of DMARC comes from reporting and working towards a policy that is not 'none.' If you have 'p=none', and you're not getting reports, there is nothing you can do, there is nothing you can see, there is nothing you can fix."

Getting reports from the DMARC infrastructure is important level of visibility for companies as they pursue better email security. Large companies are not the only organizations to see significant abuse of email, so any firms that sends email should monitor their DMARC reports, he says.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Time to Get Strict With DMARC

Microsoft disclosed details about the HM Surf vulnerability that  could allow an attacker to gain access to the user’s data in Safari

The Microsoft Threat Intelligence team disclosed details about a macOS vulnerability, dubbed “HM Surf,” that could allow an attacker to gain access to the user’s data in Safari. The data the attacker could access without users’ consent includes browsed pages, along with the device’s camera, microphone, and location.

The vulnerability, tracked as CVE-2024-44133 was fixed in the September 16 update for Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later).

It is important to note that this vulnerability would only impact Mobile Device Management (MDM) managed devices. MDM managed devices are typically subject to centralized management and security policies set by the organization’s IT department.

Microsoft has dubbed the flaw “HM Surf.” By exploiting this vulnerability an attacker could bypass the macOS Transparency, Consent, and Control (TCC) technology and gain unauthorized access to a user’s protected data.

Users may notice Safari’s TCC in action when they browse a website that requires access to the camera or the microphone. They may see a prompt like this one:

Image courtesy of Microsoft

What Microsoft discovered was that Safari maintains its own separate TCC policy which it maintains in various local files.

At that point Microsoft figured out it was possible to modify the sensitive files, by swapping the home directory of the current user back and forth. The home directory is protected by the TCC, but by changing the home directory, then change the file, and then making it the home directory again, Safari will use the modified files.

The exploit only works on Safari because third-party browsers such as Google Chrome, Mozilla Firefox, or Microsoft Edge do not have the same private entitlements as Apple applications. Therefore, those apps can’t bypass the macOS TCC checks.

Microsoft noted that it observed suspicious activity in the wild associated with the Adload adware that might be exploiting this vulnerability. But it could not be entirely sure whether the exact same exploit was used.

> “Since we weren’t able to observe the steps taken leading to the activity, we can’t fully determine if the Adload campaign is exploiting the HM surf vulnerability itself. Attackers using a similar method to deploy a prevalent threat raises the importance of having protection against attacks using this technique.”

We encourage macOS users to apply these security updates as soon as possible if they haven’t already.

Malwarebytes for Mac takes out malware, adware, spyware, and other threats before they can infect your machine and ruin your day. It’ll keep you safe online and your Mac running like it should.

 Unauthorized data access vulnerability in macOS is detailed by Microsoft 

This year, the majority of developers have adopted AI assistants to help with coding and improve code output, but most are also creating more vulnerabilities that take longer to remediate.

Source: Gorodenkoff via Shutterstock

Less than two years after the general release of ChatGPT, most software developers have adopted AI assistants for programming. That's boosting efficiency, but at the same time, it's led to a higher cadence of software development that has made maintaining security more difficult.

Developers are on track to download more than 6.6 trillion software components in 2024, which includes a 70% increase in downloads of JavaScript components and a 87% increase in Python modules, according to the annual "State of the Software Supply Chain" report from Sonatype. At the same time, the mean time to remediate vulnerabilities in those open source projects has grown significantly over the past seven years, from about 25 days in 2017 to more than 300 days in 2024.

One likely reason: The advent of AI is driving speedier development cycles, making security more difficult, says Brian Fox, chief technology officer of Sonatype. The majority of developers now use AI tools in their development process according to a recent Stackoverflow survey, with 62% of coders saying they used an AI assistant, up from 44% last year.

"AI has quickly become a powerful tool for speeding up the coding process, but the pace of security has not progressed as quickly, and it’s creating a gap that is leading to lower-quality, less-secure code," he says. "We’re headed in the right direction, but the true benefit of AI will come when developers don’t have to sacrifice quality or security for speed."

Related:News Desk 2024: Hacking Microsoft Copilot Is Scary Easy

Security researchers have warned that AI code generation could result in more vulnerabilities and novel attacks. For instance, a group of researchers demonstrated the ability to poison the large language models (LLMs) used for code generation with maliciously exploitable code at the USENIX Security Symposium in August. In March, researchers with an LLM security vendor showed that attackers could use AI hallucinations as a way to direct developers and their applications to malicious packages.

Developers also have growing concerns over the potential for AI assistants to suggest or propagate vulnerable code. While the majority of developers (56%) expect AI assistants to provide usable code, only 23% expect the code to be secure, while a larger group (40%) don't believe AI assistants provide secure code at all, according to research by software development firm JetBrains and the University of California at Irvine, published in June.

Open source projects take longer to remediate vulnerabilities. Source: Sonatype

Many developers remain nonplussed by the speed of change wrought by AI coding tools, and there is likely more to come, says Jimmy Rabon, senior product manager with Black Duck Software, a software-integrity tools provider.

Related:Chinese Researchers Tap Quantum to Break Encryption

"We haven't seen the long-term effects of adding something that can code at the level of a junior- or intermediate-level developer and at massive scale," he says. "My expectation is that we will see more intermediate mistakes — the basic mistakes that you would make as a junior or intermediate level developer — and \[issues with\] understanding the context of where some of the data flows."

**2024: The Year of the Developer's AI Assistant**

While AI assistants are now being used by the majority of developers, in business environments, adoption of AI tools is much higher — more than 90% of developers used AI assistants, according to Black Duck's 2024 Global State of DevSecOps survey. AI as a tool for developers is well-entrenched and "will never go away," Rabon says.

Yet many developers don't have the experience to judge whether code provided by an AI assistant is safe. Entry-level developers, for example, are more trusting of AI-produced code than their professional counterparts, with 49% trusting the accuracy of AI-generated code versus 42% for more experienced developers, according to Stackoverflow's annual developer survey.

Related:WP Engine Accuses WordPress of 'Forcibly' Taking Over Its Plug-in

In addition, AI tools will affect the education of developers and could make it harder for those entry-level developers to gain the skill needed to advance in their careers, experts say. The reliance on AI to complete simple programming projects could reduce the need for new or entry-level developers who typically tackle simpler coding tasks, removing a training path, Sonatype's Fox says.

"The development community is aging, and the introduction of AI poses potential risks to younger generations," he says. "If AI can handle the tasks previously assigned to budding developers, how will they gain the experience needed to replace older developers exiting the industry?"

**Automatic Generation of Secure Code**

Until the companies behind AI assistants create training datasets that contain secure code suggestions, or put in place guardrails to protect against vulnerable and malicious code generation, companies will have to deploy automated software security tools to check the work of any coding assistant.

The good news is, between the additional security checks and the fast evolution of code-generation assistants, the security of software and applications could eventually become much stronger, says Black Duck's Rabon.

"There are certain basic security flaws that I think will disappear," he says. "If you asked an AI system to generate code, why should it ever \[suggest an insecure function?\] ... I don't think that we've had enough time to really see the dramatic effects of \[such capabilities\] or prove them out."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Vulnerabilities, AI Compete for Software Developers' Attention

Iranian hackers are targeting critical infrastructure organizations with brute force tactics. This article explores their techniques, including MFA…

Iranian hackers are targeting critical infrastructure organizations with brute force tactics. This article explores their techniques, including MFA push bombing and credential theft. Learn how to protect your organization from these advanced threats and implement effective security measures.

A joint cybersecurity advisory issued by CISA, FBI, NSA, and international partners warns critical infrastructure organizations about Iranian hackers targeting their networks. These threat actors gain unauthorized access to critical infrastructure across various sectors, including healthcare, government, IT, engineering, and energy.

The attackers primarily rely on brute force tactics like password spraying exploiting common password combinations across multiple accounts to gain access. However, they also employ other methods for initial compromise, which are currently unknown.

According to the advisory, hackers have been using valid email accounts, often obtained through brute force, to gain initial access to Microsoft 365, Azure, and Citrix systems. In some instances, the actors exploit vulnerabilities in multi-factor authentication (MFA) by bombarding users with login requests until they accidentally approve access. This technique is known as “MFA fatigue” or “push bombing.”

In two confirmed cases, attackers exploited a compromised user’s open MFA registration and a self-service password reset tool linked to a public-facing Active Directory Federation Service. These threat actors may also take advantage of expired passwords or compromised accounts to gain initial access.

****Credential Theft and Maintaining Persistence:****

Once inside the network, the Iranian actors take steps to maintain persistent access. This often involves registering their own devices with MFA using compromised accounts to maintain access even if the legitimate user’s password is changed.

In addition, they leverage techniques like Remote Desktop Protocol (RDP) to move laterally within the network, allowing them to access additional resources and potentially escalate privileges.

The attackers utilize various methods to steal additional credentials within the network. This may involve using open-source tools to harvest credentials or exploiting vulnerabilities to access Active Directory information. They may also attempt to escalate privileges, potentially granting them higher levels of control within the system. This could allow them to manipulate or disrupt critical systems.

****Living off the Land (LOTL):** **

Iranian threat actors leverage legitimate system tools and techniques to gather information about the network and identify valuable targets. This approach, known as “living off the land,” allows them to evade detection by appearing as legitimate users.

The actors can use various Windows command-line tools to gather information about domain controllers, trusted domains, and user accounts. Additionally, they may use specific queries to search Active Directory for detailed information about network devices.

Avishai Avivi, CISO at SafeBreach, emphasizes that the CISA alert on Iranian cyber actors is a timely reminder, especially during cybersecurity awareness month, about the abuse of “MFA Exhaustion.” He warns that malicious actors hope users will mindlessly approve MFA requests. Avivi advises users to always verify MFA prompts to ensure they initiated the session, as attackers frequently test stolen credentials and aim to exploit MFA fatigue. Although the alert focuses on critical infrastructure, this diligence applies to protecting both personal and work accounts.

****The End Goal****

The primary goal of this campaign is believed to be credential theft and information gathering. Once they gain access, they can steal user credentials and internal network information. They may download files related to gaining remote access to the organization or its inventory. This information could then be used for further malicious activity such as data exfiltration or sold on cybercriminal forums.

The advisory recommends critical infrastructure organizations implement strong password policies and enforce multi-factor authentication (MFA) for all user accounts, and MFA settings should be regularly reviewed to prevent vulnerabilities.

1.  Censys Uncovers Hidden Infrastructure of Iranian Fox Kitten Group
2.  Iran’s MuddyWater APT Hits Saudis, Israelis with BugSleep Backdoor
3.  Iranian State Hackers Team Up with Ransomware Gangs to Attack US
4.  Dutch Man Deployed Stuxnet via Water Pump to Disable Iran’s Nukes
5.  Iran’s Peach Sandstorm Deploy FalseFont Backdoor in Defense Sector

Tag

#microsoft