This post explains how to remove additional users and accounts from your Windows device

There will be times when you need to remove a user from a device. In this article we’ll show you how to remove a user from Windows 10 or 11.

On Windows you can create a local user account (an offline account) for anyone who will frequently use your PC. But the best option in most cases, is for everyone who uses your PC to have a Microsoft account. With a Microsoft account, you can access your apps, files, and Microsoft services across your devices.

Should you want to remove an additional user account from Windows 10 or 11, you can:

*   Select **Start** \> **Settings** \> **Accounts** \> **Family & other users.** 
*   Under **Other users**, select the flyout for the account you want to remove.
*   Next to **Account and data**, select **Remove**. Note: this will not delete their Microsoft account, it will just remove their sign-in info from your Windows device.

Please note that Windows devices can have more than one administrator account. A user with an administrator account can access everything on the system, and any malware they encounter can use the administrator permissions to potentially infect or damage any files on the system. Only grant that level of access when absolutely necessary and to people you trust.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 How to remove a user from a shared Windows device 

Microsoft on Monday confirmed its plans to deprecate NT LAN Manager (NTLM) in Windows 11 in the second half of the year, as it announced a slew of new security measures to harden the widely-used desktop operating system.
"Deprecating NTLM has been a huge ask from our security community as it will strengthen user authentication, and deprecation is planned in the second half of 2024," the

Windows 11 to Deprecate NTLM, Add AI-Powered App Controls and Security Defenses

By Deeba Ahmed
"Linguistic Lumberjack" Threatens Data Breaches (CVE-2024-4323). Patch now to shield your cloud services from information disclosure, denial-of-service, or even remote takeover.
This is a post from HackRead.com Read the original post: Fluent Bit Tool Vulnerability Threatens Billions of Cloud Deployments

Tenable Research’s cloud research team has discovered a critical memory corruption vulnerability tracked as CVE-2024-4323 and dubbed “Linguistic Lumberjack” residing within Fluent Bit, a widely used logging utility employed by all major cloud providers with over 3 billion downloads in 2022.

****What is Linguistic Lumberjack?****

Researchers explained in their blog post that Fluent Bit is “a lightweight, open-source data collector and processor” that plays a vital role in cloud security by collecting and processing logs from various applications and systems.

These logs provide valuable insights into system health and potential security threats. Linguistic Lumberjack specifically targets Fluent Bit’s built-in HTTP server, which receives log data.

Tenable researchers discovered that they could access metrics and logging endpoints within cloud services, including Fluent Bit instances, potentially leading to cross-tenant information leakage. However, testing in a separate environment revealed a memory corruption issue.

Fluent Bit‘s monitoring API allows administrators to query and monitor internal service information, with endpoints like /api/v1/traces allowing end-users to enable, disable, or retrieve configured traces.

**CVE-2024-4323 Threat Scope**

This vulnerability could be exploited by an attacker to cause damage in three ways: Denial-of-Service (DoS), Information Disclosure, and Remote Code Execution. The attacker could crash the Fluent Bit service, preventing it from processing logs, which could blind cloud security teams.

They could also access sensitive information within logs, including passwords and PII. In the worst-case scenario, the attacker could gain remote access to the system and execute malicious code, enabling them to install malware, steal data, or control the cloud environment.

****Mitigation Strategies****

The issue was reported to the project’s maintainers on April 30, 2024, and fixes were released on 15 May, in version 3.0.4, available here. Tenable also notified Microsoft, Amazon, and Google of the issue via their vulnerability disclosure mechanisms on May 15, 2024, to begin internal triage processes.

If Fluent Bit is deployed in your infrastructure, it is recommended to upgrade to the latest version. If upgrading is not possible, review configurations that allow access to Fluent Bit’s monitoring API to ensure only authorized users and services can query it. If unused, disable this endpoint. If relying on cloud services that use Fluent Bit, contact your provider to ensure timely updates or mitigations are deployed.

1.  Massive Cloud Database Leak Exposes 380 Million Records
2.  Qubitstrike Malware Hits Jupyter Notebooks for Cloud Data
3.  OwnCloud “graphapi” App Vulnerability Exposes Sensitive Data
4.  Shadow IT: Personal GitHub Repos Expose Employee Cloud Secrets
5.  New Vulnerability “LeakyCLI” Leaks AWS and Google Cloud Credentials

Fluent Bit Tool Vulnerability Threatens Billions of Cloud Deployments

By Waqas
New HP report reveals cybercriminals are increasingly leveraging "cat-phishing" techniques, exploiting open redirects in legitimate websites to deceive users and deliver malware.
This is a post from HackRead.com Read the original post: HP Exposes Low-Effort, High-Impact Cat-Phishing Targeting Users

A new report from HP has revealed a troubling trend where cybercriminals are increasingly using “cat-phishing” tactics to deceive unsuspecting victims. The report, published on May 16, 2024, as part of the quarterly HP Wolf Security Threat Insights series, exposes how attackers are exploiting **open redirect vulnerabilities** and other Living-off-the-Land techniques to bypass traditional security measures.

****What is Cat-Phishing?****

The term “cat-phishing” refers to a method where cybercriminals manipulate seemingly legitimate links to **redirect users to malicious websites** without their knowledge. This deceptive practice makes it nearly impossible for the average user to distinguish between a safe and a compromised site, thus facilitating the success of phishing attacks.

****Notable Campaigns Identified by HP Threat Researchers****

1.  **WikiLoader Campaign:** In a sophisticated operation, attackers leveraged open redirect vulnerabilities within reputable websites, often through compromised ad embeddings, to redirect users to malicious domains. This technique exploits the trust users have in well-known sites, making it difficult for security systems to flag malicious activity.
2.  **Living-off-the-BITS:** Several campaigns abused the Windows Background Intelligent Transfer Service (BITS) – a legitimate mechanism used by programmers and system administrators to download or upload files to web servers and file shares. This LotL technique helped attackers remain undetected by using BITS to download the malicious files.
3.  **Abuse of Windows BITS:** Several campaigns were found to misuse the Windows Background Intelligent Transfer Service to download malicious files covertly. By utilizing a legitimate system component, attackers can maintain a low profile, evading standard detection mechanisms.
4.  **Fake Invoices Leading to HTML Smuggling Attacks:** HP identified a tactic where threat actors concealed malware within HTML files disguised as delivery invoices. Once opened in a web browser, these files initiate a series of events that deploy open-source malware like **AsyncRAT**. The lack of effort in designing the lure suggests a low-cost, high-volume approach.
5.  **Ursnif Returns:** **Ursnif**, also known as Gozi or IFSB malware targets Windows devices and first appeared in 2006. In the first quarter of 2024, HP researchers identified the return of Ursnif as part of different malicious spam campaigns against users in Italy.

A fake invoice dropping Ursnif malware (Screenshot: HP)

****Other Findings****

Other findings in the report highlight that at least 12% of email threats managed to evade detection. The primary threat vectors identified during the first quarter included email attachments, accounting for 53%, followed by downloads from browsers at 25%, and other infection vectors at 22%.

Notably, there has been a notable growth in document threats, with **exploits surpassing macros** as the preferred method of executing malicious code, constituting at least 65% of document-based threats.

****Expert Insights****

In a **press release,** Dr. Ian Pratt, Global Head of Security for Personal Systems at HP Inc., emphasized the limitations of relying solely on detection in the face of Living-off-the-Land techniques. He advocated for a defence-in-depth approach, including threat containment, to mitigate risks effectively.

_“_Targeting companies with invoice lures is one of the oldest tricks in the book, but it can still be very effective and hence lucrative. Employees working in finance departments are used to receiving invoices via email, so they are more likely to open them. If successful, attackers can quickly monetize their access by selling it to cybercriminal brokers, or by deploying ransomware.”

**Patrick Harr**, CEO at SlashNext, pointed out the prevalence of open redirects and other deceptive techniques in email and messaging platforms. He underscored the need for AI-based security solutions that utilize computer vision and URL sandboxing/behavioural analysis to counter these advanced threats.

****Conclusion****

The HP Wolf Security Threat Insights Report is just another piece of evidence showing how cybercriminals have mastered the art of deceiving unsuspecting businesses and individuals. Organizations must move beyond detection-centric security and adopt a defence-in-depth strategy, incorporating threat mitigation and **advanced technologies like AI** to effectively combat sophisticated attacks, including the growing threat of “cat-phishing.”

1.  Check Point Research: Microsoft the Most Phished Brand
2.  Google, Microsoft and Oracle generated most vulnerabilities
3.  Microsoft Office Most Exploited Software in Malware Attacks
4.  Malicious Office documents make up 43% of all malware downloads
5.  HP Claims Monopoly on Ink, Alleges 3rd-Party Cartridge Malware Risk

HP Exposes Low-Effort, High-Impact Cat-Phishing Targeting Users

Here’s a rundown of some things you may have missed if you weren’t able to stay on top of the things coming out of the conference.

Thursday, May 16, 2024 14:00

While I one day wish to make it to the RSA Conference in person, I’ve never had the pleasure of making the trek to San Francisco for one of the largest security conferences in the U.S. 

Instead, I had to watch from afar and catch up on the internet every day like the common folk. This at least gives me the advantage of not having my day totally slip away from me on the conference floor, so at least I felt like I didn’t miss much in the way of talks, announcements and buzz. So, I wanted to use this space to recap what I felt like the top stories and trends were coming out of RSA last week.  

Here’s a rundown of some things you may have missed if you weren’t able to stay on top of the things coming out of the conference. 

**AI is the talk of the town** 

This is unsurprising given how every other tech-focused conference and talk has gone since the start of the year, but everyone had something to say about AI at RSA.  

AI and its associated tools were part of all sorts of product announcements (either to be used as a marketing buzzword or something that is truly adding to the security landscape).  

Cisco’s own Jeetu Patel gave a keynote on how Cisco Secure is using AI in its newly announced Hypershield product. In the talk, he argued that AI needs to be used natively on networking infrastructure and not as a “bolt-on” to compete with attackers.  

U.S. Secretary of State Anthony Blinken was the headliner of the week, delivering a talk outlining the U.S.’ global cybersecurity policies. He spent a decent chunk of his half hour in the spotlight also talking about AI, in which he warned that the U.S. needed to maintain its edge when it comes to AI and quantum computing — and that losing that race to a geopolitical rival (like China) would have devastating consequences to our national security and economy.  

Individual talks ran the gamut from “AI is the best thing ever for security!” to “Oh boy AI is going to ruin everything.” The reality of how this trend shakes out, like most things, is likely going to be somewhere in between those two schools of thought.  

An IBM study released at RSA highlighted how headstrong many executives can be when embracing AI. They found that security is generally an afterthought when creating generative AI models and tools, with only 24 percent of responding C-suite executives saying they have a security component built into their most recent GenAI project.  

**Vendors vow to build security into product designs** 

Sixty-eight new tech companies signed onto a pledge from the U.S. Cybersecurity and Infrastructure Security Agency, vowing to build security into their products from earliest stages of the design process.  

The list of signees now includes Cisco, Microsoft, Google, Amazon Web Services and IBM, among other large tech companies. The pledge states that the signees will work over the next 12 months to build new security safeguards for their products, including increasing the use of multi-factor authentication (MFA) and reducing the presence of default passwords.  

However, there’s looming speculation about how enforceable the Secure By Design pledge is and what the potential downside here is for any company that doesn’t live up to these promises.  

**New technologies countering deepfakes** 

Deepfake images and videos are rapidly spreading online and pose a grave threat to the already fading faith many of us had in the internet. 

It can be difficult to detect when users are looking at a digitally manipulated image or video unless they’re educated on common red flags to look for, or if they’re particularly knowledgeable on the subject in question. They’re getting so good now that even targets’ parents are falling for fake videos of their loved ones.  

Some potential solutions discussed at RSA include digital “watermarks” in things like virtual meetings and video recordings with immutable metadata.  

A deep fake-detecting startup was also named RSA’s “Most Innovative Startup 2024” for its multi-modal software that can detect and alert users of AI-generated and manipulated content. McAfee also has its own Deepfake Detector that it says, “utilizes advanced AI detection models to identify AI-generated audio within videos, helping people understand their digital world and assess the authenticity of content.” 

Whether these technologies can keep up with the pace that attackers are developing this technology and deploying it on such a wide scale, remains to be seen.  

**The one big thing **

Microsoft disclosed a zero-day vulnerability that could lead to an adversary gaining SYSTEM-level privileges as part of its monthly security update. After a hefty Microsoft Patch Tuesday in April, this month’s security update from the company only included one critical vulnerability across its massive suite of products and services. In all, May’s slate of vulnerabilities disclosed by Microsoft included 59 total CVEs, most of which are of “important” severity. There is only one moderate-severity vulnerability. 

**Why do I care? **

The lone critical security issue is CVE-2024-30044, a remote code execution vulnerability in SharePoint Server. An authenticated attacker who obtains Site Owner permissions or higher could exploit this vulnerability by uploading a specially crafted file to the targeted SharePoint Server. Then, they must craft specialized API requests to trigger the deserialization of that file’s parameters, potentially leading to remote code execution in the context of the SharePoint Server. The aforementioned zero-day vulnerability, CVE-2024-30051, could allow an attacker to gain SYSTEM-level privileges, which could have devastating impacts if they were to carry out other attacks or exploit additional vulnerabilities. 

**So now what? **

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page. In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. The rules included in this release that protect against the exploitation of many of these vulnerabilities are 63419, 63420, 63422 - 63432, 63444 and 63445. There are also Snort 3 rules 300906 - 300912. 

**Top security headlines of the week **

**A massive network intrusion is disrupting dozens of hospitals across the U.S., even forcing some of them to reroute ambulances late last week.** Ascension Healthcare Network said it first detected the activity on May 8 and then had to revert to manual systems. The disruption caused some appointments to have to be canceled or rescheduled and kept patients from visiting MyChart, an online portal for medical records. Doctors also had to start taking pen-and-paper records for patients. Ascension operates more than 140 hospitals in 19 states across the U.S. and works with more than 8,500 medical providers. The company has yet to say if the disruption was the result of a ransomware attack or some sort of other targeted cyber attack, though there was no timeline for restoring services as of earlier this week. Earlier this year, a ransomware attack on Change Healthcare disrupted health care systems nationwide, pausing many payments providers were expected to receive. UnitedHealth Group Inc., the parent company of Change, told a Congressional panel recently that it paid a requested ransom of $22 million in Bitcoin to the attackers. (CPO Magazine, The Associated Press) 

**Google and Apple are rolling out new alerts to their mobile operating systems that warn users of potentially unwanted devices tracking their locations.** The new features specifically target Bluetooth Low Energy (LE)-enabled accessories that are small enough to often be unknowingly tracking their specific location, such as an Apple AirTag. Android and iOS users will now receive the alert when such a device, when it's been separated from the owner’s smartphone, is moving with them still. This alert is meant to prevent adversaries or anyone with malicious intentions from unknowingly tracking targets’ locations. The two companies proposed these new rules for tracking devices a year ago, and other manufacturers of these devices have agreed to add this alert feature to their products going forward. “This cross-platform collaboration — also an industry first, involving community and industry input — offers instructions and best practices for manufacturers, should they choose to build unwanted tracking alert capabilities into their products,” Apple said in its announcement of the rollout. (Security Week, Apple) 

**The popular Christie’s online art marketplace was still down as of Wednesday afternoon after a suspected cyber attack.** The site, known for having many high-profile and wealthy clients, was planning on selling artwork worth at least $578 million this week. Christie’s said it first detected the technology security incident on Thursday but has yet to comment on if it was any sort of targeted cyber attack or data breach. There was also no information on whether client or user data was potentially at risk. Current items for sale included a Vincent van Gogh painting and a collection of rare watches, some owned by Formula 1 star Michael Schumacher. Potential buyers could instead place bids in person or over the phone. (Wall Street Journal, BBC) 

**Can’t get enough Talos? **

*   Talos joins CISA to counter cyber threats against non-profits, activists and other at-risk communities 
*   Click Here Ep. #130: A wrinkle in time: GPS jamming in Ukraine and its ripple effects 
*   Talos Takes Ep. #184: Why CoralRaider is looking to steal your login credentials 
*   Generative AI’s disinformation threat is ‘overblown,’ top cyber expert says 

**Upcoming events where you can find Talos **

**ISC2 SECURE Europe** **(May 29)** 

_Amsterdam, Netherlands_ 

> _Gergana Karadzhova-Dangela from Cisco Talos Incident Response will participate in a panel on “Using ECSF to Reduce the Cybersecurity Workforce and Skills Gap in the EU.” Karadzhova-Dangela participated in the creation of the EU cybersecurity framework, and will discuss how Cisco has used it for several of its internal initiatives as a way to recruit and hire new talent._  

**Cisco Live** **(June 2 - 6)** 

_Las Vegas, Nevada_  

**_AREA41_** **_(June 6 – 7)_** 

_Zurich, Switzerland_ 

> _Gergana Karadzhova-Dangela from Cisco Talos Incident Response will highlight the primordial importance of actionable incident response documentation for the overall response readiness of an organization. During this talk, she will share commonly observed mistakes when writing IR documentation and ways to avoid them. She will draw on her experiences as a responder who works with customers during proactive activities and actual cybersecurity breaches._ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202   
**MD5:** e4acf0e303e9f1371f029e013f902262   
**Typical Filename:** FileZilla\_3.67.0\_win64\_sponsored2-setup.exe   
**Claimed Product:** FileZilla   
**Detection Name:** W32.Application.27hg.1201 

**SHA 256:** a024a18e27707738adcd7b5a740c5a93534b4b8c9d3b947f6d85740af19d17d0   
**MD5:** b4440eea7367c3fb04a89225df4022a6   
**Typical Filename:** Pdfixers.exe   
**Claimed Product:** Pdfixers   
**Detection Name:** W32.Superfluss:PUPgenPUP.27gq.1201 

**SHA 256:** 1fa0222e5ae2b891fa9c2dad1f63a9b26901d825dc6d6b9dcc6258a985f4f9ab   
**MD5:** 4c648967aeac81b18b53a3cb357120f4   
**Typical Filename:** yypnexwqivdpvdeakbmmd.exe   
**Claimed Product:** N/A    
**Detection Name:** Win.Dropper.Scar::1201 

**SHA 256:** d529b406724e4db3defbaf15fcd216e66b9c999831e0b1f0c82899f7f8ef6ee1   
**MD5:** fb9e0617489f517dc47452e204572b4e   
**Typical Filename:** KMSAuto++.exe   
**Claimed Product:** KMSAuto++   
**Detection Name:** W32.File.MalParent 

**SHA 256:** abaa1b89dca9655410f61d64de25990972db95d28738fc93bb7a8a69b347a6a6   
**MD5:** 22ae85259273bc4ea419584293eda886   
**Typical Filename:** KMSAuto++ x64.exe   
**Claimed Product:** KMSAuto++   
**Detection Name:** W32.File.MalParent

Rounding up some of the major headlines from RSA

By Deeba Ahmed
Alerted by a recent discovery of employee personal GitHub repos exposing internal Azure and Red Hat secrets, this article dives into the dangers of Shadow IT and offers solutions to prevent cloud credential leaks and secure your cloud environment.
This is a post from HackRead.com Read the original post: Shadow IT: Personal GitHub Repos Expose Employee Cloud Secrets

An employee’s personal GitHub repository can act like a ticking timebomb, and could also lead to exposing the company’s secrets to the world. As per a report from Aqua Nautilus, a security research team at Aqua Security, employees using personal GitHub repositories for side projects, mainly at Microsoft Azure, Tigera, and Red Hat, are unknowingly exposing corporate secrets and credentials to threat actors. 

Believe it or not, personal repositories on GitHub can become corporate nightmares, as employees may use them to store or share work-related code, bypassing company security protocols.

This creates a “Shadow IT,” a dangerous blind spot for IT security teams. Shadow IT involves employees using IT systems without department approval or proper security controls, often installing unauthorized software on company computers, particularly in cloud-native development.

Researchers discovered that Microsoft was exposed to a privileged Azure Container Registry Token, allowing unauthorized access to internal Azure projects and potentially overwriting private images. 

Further probing revealed that a Microsoft employee’s git commit exposed credentials to an Azure Container Registry, allowing access to critical images for Azure projects like Azure IoT Edge, Akri, and Apollo. This privileged access allowed private images to be downloaded and uploaded, potentially allowing malicious code to run within the Azure environment. 

“We reported this issue to Microsoft, which then promptly invalidated the token, deleted the employee’s commit, and assigned this security incident an important severity,” report authors Yakir KadkodaAssaf Morag noted. 

Similar exposures were also identified at RedHat and Tigera personal GitHub repositories. RedHat employees accidentally exposed tokens for internal container registries, which could lead to information leakage and supply chain attacks. After being notified, RedHat promptly invalidated the tokens, reviewed their internal credentials, and informed relevant owners. 

Tigera’s internal container registry (quay.io/tigera) credentials were exposed in a Git commit of another company, containing images from various Tigera projects. When notified, Tigera invalidated the token and launched an investigation, which confirmed it was a scoped token, posing no risk to Tigera.

Successful access to Azure, Tigera and Red Hat registry (Screenshot: Aqua Nautilus)

Nevertheless, Cloud credentials act as digital keys, allowing access to sensitive data and resources. If exposed on GitHub, anyone with an internet connection could gain access to an organization’s Azure or Red Hat environments.

To mitigate security risks, regularly scan the internet for exposed environments or secrets, encourage employees to regularly scan personal accounts, implement least privilege with scoped keys, and limit secret lifespan with expiration dates.

1.  Warning: Fake GitHub Repos Delivering Malware as PoCs
2.  GitHub bot used to steal $1,200 in ETH within 100 seconds
3.  Mintlify Data Breach Through Compromised GitHub Tokens
4.  Thousands of GitHub Repositories Cloned in Supply Chain Attack
5.  GitHub Abused to Drop Malicious Packages on PyPI in Image Files

Shadow IT: Personal GitHub Repos Expose Employee Cloud Secrets

Microsoft Edge Channel

Microsoft Edge Version

Date Released

Based on Chromium Version

Stable

124.0.2478.109

5/16/2024

124.0.6367.221

Tag

#microsoft