Weaponizing Microsoft's own services for command-and-control is simple and costless, and it helps attackers better avoid detection.

Source: Robert K Chin Storefronts via Alamy Stock Photo

Nation-state espionage operations are increasingly using native Microsoft services to host their command-and-control (C2) needs.

A number of unrelated groups in recent years have all come to the same realization: Rather than building and maintaining their own infrastructure, it's more economical and effective to simply use Microsoft's own services against their targets. Besides the costs and headaches saved from not having to set up and maintain their own infrastructure, using legitimate services allows attackers' malicious behavior to more subtly mix in with legitimate network traffic.

This is where Microsoft Graph comes in handy. Graph offers an application programming interface (API) that developers use to connect to a wide range of data — email, calendar events, files, etc. — across Microsoft cloud services. Harmless on its own, it provides an easy means for hackers to run C2 infrastructure using those same cloud services.

Recently, for example, Symantec threat hunters discovered a novel malware they call "BirdyClient," used against an organization in Ukraine. BirdyClient's purpose is to connect to the Graph API in order to upload and download files using OneDrive.

Dark Reading is awaiting comment on this story from Microsoft.

**Hackers Abuse Microsoft Graph**

Long before BirdyClient, there was Bluelight, a second-stage tool for command-and-control via several different Microsoft cloud services. It was first discovered in 2021, having been developed by North Korea's APT37 (aka ScarCruft, Reaper, Group123).

"We see it frequently with cybercrime groups and espionage groups: Somebody hits on a new technique, and everybody copies it," says Dick O'Brien, principal intelligence analyst at Symantec. "This is the case here. They've realized how they can leverage this, and now all of these major players are jumping on board."

After Bluelight came Backdoor.Graphon, used by the Harvester group in a nation-state-backed espionage operation against organizations in southern Asia. Then, there was Graphite, spread via spear-phishing attacks against governments in Europe and Asia, and SiestaGraph, which made an appearance in a December 2022 breach of a southeast Asian foreign affairs office.

Last June brought Backdoor.Graphican, used by APT15 (aka Flea, Nickel, Vixen Panda, KE3CHANG, Royal APT, and Playful Dragon) against foreign affairs ministries in the Americas. A month later, researchers spotted Russia's Cozy Bear (aka APT29, Cloaked Ursa, UAC-0004, Midnight Blizzard/Nobelium) using the same trick in attacks against global diplomatic missions, and Symantec identified a further case from November involving a target in Asia it has yet to disclose.

Despite their myriad differences, all the malware in these cases share the use of Graph API to make C2s out of 365 services, primarily OneDrive.

"From an organization's perspective, you need to start being a lot more aware of people using unsanctioned cloud accounts," O'Brien says. And this doesn't just apply to malicious attacks. For example, "It's quite common to hear people say that they access their personal OneDrive account from a work network. The danger in allowing wholesale access to these cloud platforms is that malware may be less likely to raise red flags," he says.

"Look at ensuring that any connections are to your own tenants — accounts that belong to your enterprise — and lock down everything else."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Microsoft Graph API Emerges as a Top Attacker Tool to Plot Data Theft

A recent campaign targeting Middle Eastern government organizations plays standard detection tools like a fiddle. With cyberattackers getting more creative, defenders must start keeping pace.

Source: incamerastock via Alamy Stock Photo

If a recent wily cyber-espionage campaign against Middle Eastern government entities is any indication, cyber defenders will need to upgrade their malware detection capabilities soon.

Cybersecurity, the trope goes, is a cat-and-mouse game. Companies move to Linux and macOS, so attackers follow them there. Attackers deliver malware in phishing attachments, so Microsoft blocks Internet macros, so attackers adjust. As cybersecurity tooling grows stronger, attackers' methods for circumventing them grow more creative and effective.

So it was that in February, Kaspersky researchers discovered a threat actor spying on a Middle Eastern government organization. By the time Kaspersky reached the attack, at least 30 infections had already been recorded against other organizations, primarily around the Middle East. Despite that, the campaign — dubbed "DuneQuixote" — had managed to remain obscured for at least a year, thanks in large part to a combination of classic and novel stealth techniques.

As experts are quick to point out, cyberattackers across the board have been upgrading their stealth. Perhaps they're once again gaining the edge?

"It's absolutely trivial to create new malware that evades anti-malware detection," says David Brumley, cybersecurity professor at Carnegie Mellon and CEO of ForAllSecure. "Even 'advanced' behavioral analysis is pretty easy to fool with a few tricks. That means there is a huge volume of malware that would need manual analysis to really figure out what is happening. And of course, with all the custom tricks, that makes it really hard to do."

**DuneQuixote and Spanish Poetry**

The DuneQuixote campaign consists of two separate malware droppers and two separate payloads.

One dropper mimics the Total Commander software installer, packaging the legitimate software with its malicious contribution. Once inside a targeted machine, it runs through a series of anti-analysis checks, including, for example, whether any known security software is present on the device. Should any of its checks fail, the malware will return a value of "1," which has a coded meaning. When it comes time to decrypt the attackers' command-and-control (C2) server address, the 1 value will remove the "h" from "https," so that the C2 URL will begin with only "ttps," and no connection will be made at all.

The second DuneQuixote dropper is even more clever. When executed, its first act is to make a series of application programming interface (API) calls which at first appear to serve no actual purpose. Instead they contain strings with snippets from Spanish poems, which have a secret effect. Each instance of the dropper contains different lines of poetry, which earns each instance its own, unique signature. This makes things difficult for simple detection solutions, which rely on common signatures to identify new instances of known malware.

Like the first dropper, this second one also has a method for concealing its infrastructure from analysts. It takes the malicious file name plus a line from a Spanish poem, combines them, and runs them through the MD5 algorithm. The resulting hash acts as a key that decrypts the C2 address.

As for payloads: The two in this campaign are straightforward-enough backdoors that facilitate uploading and downloading files, executing commands, and modifying files. To avoid leaving a footprint, each is written directly into memory.

"Among emerging techniques, fileless malware \[is worrying\]," says Callie Guenther, senior manager of cyber-threat research at Critical Start. "This form of malware significantly reduces the digital footprint and evades traditional antivirus solutions that scan for file-based signatures, complicating post-breach analysis and forensics. It is particularly concerning due to its stealth and effectiveness, making it a likely candidate to become increasingly prevalent."

**How to Thwart Advanced Stealth Tactics**

Besides malware in-memory, "The most notable \[stealth tactics\] I've seen were tricks used in supply chain attacks, where malicious code blended with the legitimate code of comprehensive applications. Tough to identify," says Sergey Lozhkin, principal security researcher with Kaspersky's Global Research and Analysis Team.

As much as any individual tricks, threat actors have mastered how to adapt to their targeted environments — staggering at which points they drop their various tools, under what conditions, and to what ends. "At the highest level, you can't analyze what you don't have. Malware authors use this idea and incrementally download new components, perhaps only when given a specific command by the author. Until those components are downloaded, we don't know what they do," Brumley says.

"Beyond that," he adds, "the problem isn't one single anti-analysis technique; it's the sheer number and ability to mix and match them. They may embed 'weird machines,' where the malware has a custom language interpreter and the malware logic runs on top of it. This is hard to analyze because when you try to analyze it, you see the weird machine, not the malware logic itself. Malware authors may encrypt and pack components of the malware, and only incrementally decrypt them. And some parts of the malware may be encrypted with a key that isn't in the malware itself, but is part of the C2 command. Or they could mix all of the above."

To combat all of the stealth tactics and techniques at attackers' disposal, Guenther and Lozhkin recommend layered security: endpoint detection and response (EDR), behavioral analytics and anomaly detection technologies, and a broader zero-trust approach to system access.

For his part, Brumley is less optimistic. "Throughout the ages people have proposed whitelist-only. This means locking down machines hard, and then making sure they only install approved apps (or apps from approved vendors that are signed). Apple is the most famous for taking this approach, at least on mobile, with their walled garden approach," he says.

"Beyond that, this is a place where the attacker just has an asymmetric advantage," Brumley adds. "That's why most effort isn't put on malware analysis, but good hygiene to try and limit what gets installed."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

'DuneQuixote' Shows Stealth Cyberattack Methods Are Evolving. Can Defenders Keep Up?

The Biden administration is asking tech companies to sign a pledge, obtained by WIRED, to improve their digital security, including reduced default password use and improved vulnerability disclosures.

The pledge offers examples of how companies can meet the goals, although it notes that companies “have the discretion to decide how best” to do so. The document also emphasizes the importance of companies publicly demonstrating “measurable progress” on their goals, as well as documenting their techniques “​​so that others can learn.”

CISA developed the pledge in consultation with tech companies, seeking to understand what would be feasible for them while also meeting the agency’s goals, according to Goldstein. That meant making sure the commitments were feasible for companies of all sizes, not just Silicon Valley giants.

The agency originally tried using its Joint Cyber Defense Collaborative to prod companies into signing the pledge, according to the tech industry official, but that backfired when companies questioned the use of an operational cyberdefense collaboration group for “a policy and legal issue,” the industry official says.

“Industry expressed frustration about trying to use the JCDC to obtain pledges,” the official says, and CISA “wisely pulled back on that effort.”

CISA then held discussions with companies through the Information Technology Sector Coordinating Council and tweaked the pledge based on their feedback. Originally, the pledge contained more than seven goals, and CISA wanted signatories to commit to “firm metrics” for showing progress, according to the industry official. In the end, this person says, CISA removed several goals and “broadened the language” about measuring progress.

John Miller, senior vice president of policy, trust, data, and technology at the Information Technology Industry Council, a major industry trade group, says that change was smart, because concrete progress metrics—like the number of users using multi-factor authentication—could be “easily misconstrued.”

Goldstein says the number of pledge signatories is “exceeding my expectations about where we’d be” at this point. The industry official says they’re not aware of any company that has definitively refused to sign the pledge, in part because vendors want to “keep open the option of signing on” after CISA’s launch event at RSA. “Everyone’s in a kind of wait-and-see mode.”

Legal liability is a top concern for potential signatory companies. “If there ends up being, inevitably, some type of security incident,” Miller says, “anything \[a\] company has said publicly could be used in lawsuits.”

That said, Miller predicts that some global companies facing strict new European security requirements will sign the US pledge to “get that credit” for something they already have to do.

CISA’s Secure by Design campaign is the centerpiece of the Biden administration’s ambitious plan to shift the burden of cybersecurity from users to vendors, a core theme of the administration’s National Cybersecurity Strategy. The push for corporate cyber responsibility follows years of disruptive supply-chain attacks on critical software makers like Microsoft, SolarWinds, Kaseya, and Change Healthcare, as well as a mounting list of widespread software vulnerabilities that have powered ransomware attacks on schools, hospitals, and other essential services. White House officials say the pattern of costly and often preventable breaches demonstrates the need for increased corporate accountability.

The US Government Is Asking Big Tech to Promise Better Cybersecurity

Lonial Con discovered that the netfilter subsystem in the Linux kernel contained a memory leak when handling certain element flush operations. A local attacker could use this to expose sensitive information (kernel memory). Xingyuan Mo discovered that the netfilter subsystem in the Linux kernel did not properly handle inactive elements in its PIPAPO data structure, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. Various other issues were also addressed.

Linux kernel vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

-   Ubuntu 20.04 LTS  
-   Ubuntu 18.04 LTS  
-   Ubuntu 22.04 LTS

Summary

Several security issues were fixed in the kernel.

Software Description

-   linux - Linux kernel  
-   linux-aws - Linux kernel for Amazon Web Services (AWS) systems  
-   linux-azure - Linux kernel for Microsoft Azure Cloud systems  
-   linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems  
-   linux-gke - Linux kernel for Google Container Engine (GKE) systems  
-   linux-ibm - Linux kernel for IBM cloud systems

Details

Lonial Con discovered that the netfilter subsystem in the Linux kernel  
contained a memory leak when handling certain element flush operations.  
A local attacker could use this to expose sensitive information (kernel  
memory). (CVE-2023-4569)

Xingyuan Mo discovered that the netfilter subsystem in the Linux kernel  
did not properly handle inactive elements in its PIPAPO data structure,  
leading to a use-after-free vulnerability. A local attacker could use  
this to cause a denial of service (system crash) or possibly execute  
arbitrary code. (CVE-2023-6817)

It was discovered that a race condition existed in the AppleTalk  
networking subsystem of the Linux kernel, leading to a use-after-free  
vulnerability. A local attacker could use this to cause a denial of  
service (system crash) or possibly execute arbitrary code.  
(CVE-2023-51781)

Kevin Rich discovered that the netfilter subsystem in the Linux kernel  
did not properly check deactivated elements in certain situations,  
leading to a use-after-free vulnerability. A local attacker could use  
this to cause a denial of service (system crash) or possibly execute  
arbitrary code. (CVE-2024-0193)

Lonial Con discovered that the netfilter subsystem in the Linux kernel  
did not properly handle element deactivation in certain cases, leading  
to a use-after-free vulnerability. A local attacker could use this to  
cause a denial of service (system crash) or possibly execute arbitrary  
code. (CVE-2024-1085)

Notselwyn discovered that the netfilter subsystem in the Linux kernel  
did not properly handle verdict parameters in certain cases, leading to  
a use- after-free vulnerability. A local attacker could use this to  
cause a denial of service (system crash) or possibly execute arbitrary  
code. (CVE-2024-1086)

In the Linux kernel, the following vulnerability has been resolved:   
net: qualcomm: rmnet: fix global oob in rmnet_policy The variable   
rmnet_link_ops assign a bigger maxtype which leads to a global out-of-  
bounds read when parsing the netlink attributes. (CVE-2024-26597)

Update instructions

The problem can be corrected by updating your kernel livepatch to the  
following versions:

Ubuntu 20.04 LTS  
    aws - 103.1  
    aws - 103.2  
    aws - 103.3  
    azure - 103.3  
    gcp - 103.2  
    gcp - 103.3  
    generic - 103.1  
    generic - 103.2  
    generic - 103.3  
    gke - 103.3  
    ibm - 103.2  
    lowlatency - 103.1  
    lowlatency - 103.2  
    lowlatency - 103.3

Ubuntu 18.04 LTS  
    aws - 103.3  
    azure - 103.3  
    gcp - 103.3  
    generic - 103.3  
    lowlatency - 103.3

Ubuntu 22.04 LTS  
    aws - 103.1  
    aws - 103.2  
    aws - 103.3  
    azure - 103.1  
    azure - 103.2  
    azure - 103.3  
    gcp - 103.1  
    gcp - 103.2  
    generic - 103.1  
    generic - 103.2  
    generic - 103.3  
    gke - 103.1  
    gke - 103.2  
    gke - 103.3  
    ibm - 103.1  
    ibm - 103.2  
    ibm - 103.3

Support Information

Livepatches for supported LTS kernels will receive upgrades for a period  
of up to 13 months after the build date of the kernel.

Livepatches for supported HWE kernels which are not based on an LTS  
kernel version will receive upgrades for a period of up to 9 months  
after the build date of the kernel, or until the end of support for that  
kernel’s non-LTS distro release version, whichever is sooner.

References

-   CVE-2023-4569  
-   CVE-2023-6817  
-   CVE-2023-51781  
-   CVE-2024-0193  
-   CVE-2024-1085  
-   CVE-2024-1086  
-   CVE-2024-26597

Kernel Live Patch Security Notice LSN-0103-1

There is yet another attack possible against Protected Media Path process beyond the one involving two global XOR keys. The new attack may also result in the extraction of a plaintext content key value.

    Hello All,There is yet another attack possible against Protected Media Pathprocess beyond the one involving two global XOR keys [1]. The newattack may also result in the extraction of a plaintext content keyvalue.The attack has its origin in a white-box crypto [2] implementation.More specifically, one can devise plaintext content key from white-boxcrypto data structures of which goal is to make such a reconstructiondifficult / not possible. This alone breaks one of the main securityobjective of white-box cryptography which is to protect the secret key(unbreakability) [3].Contrary to the initial (XOR key) attack, the white-box crypto attackis not limited to the given narrow time window (white-box datastructures need to be present for the time of a movie decryption /playback). Fixing it might require a completely new approach /implementation (current one is obviously flawed).In that context, white-box crypto attack seems to be more severe thanthe XOR key one.Additionally, a cryptographic check proving that extracted key valuescorrespond to real keys has been conducted for Canal+ Online, Netflix,HBO Max, Amazon Prime Video and Sky Showtime.The check relies on a digital cryptographic signature verification.Such a signature is appended at the end of each license issued byPlayReady license server.The crypto check works as following:- plaintext value of a digital signature key encrypted through ECC isextracted from a Protected Media Path process- the extracted signature key is used to calculate the AES-CMAC valueof a binary licence XMR blob- the calculated signature value is checked against the signatureappended at the end of the issued license- correct AES-CMAC value implicates correct signature key (and correctcontent key)The above mechanism is also used by Microsoft to verify thecorrectness of decrypted content keys received from a license server.It relies on the fact that signature key is part of the same encryptedlicense blob as content key. Thus, successful extraction of asignature key implicates successful extraction of a content key.In the context of no confirmation / denial [4] from the platformsindicated above as being affected, the crypto check should constitutesufficient proof to support that claim alone.Thank you.Best Regards,Adam Gowdiak----------------------------------Security Explorations -AG Security Research Labhttps://security-explorations.com----------------------------------References:[1] Microsoft Warbird and PMP security research    https://security-explorations.com/microsoft-warbird-pmp.html[2] White-box cryptography, Wikipedia    https://en.wikipedia.org/wiki/White-box_cryptography[3] White-Box Security Notions for Symmetric Encryption Schemes    https://eprint.iacr.org/2013/523.pdf[4] Microsoft DRM Hack Could Allow Movie Downloads From PopularStreaming Services    https://www.securityweek.com/microsoft-drm-hacking-could-allow-movie-downloads-from-popular-streaming-services/

Microsoft PlayReady Cryptography Weakness

Architecting, deploying, and managing hybrid cloud environments can be a challenging and time-consuming process. It starts with processor selection, operating system configuration, application management, and workload protection, and it never ends. Every step requires a reliable, trusted software foundation with a comprehensive set of features and capabilities to fuel optimal performance, greater consistency, and enhanced security capabilities for your environment. With new features in Red Hat Enterprise Linux 9.4 (RHEL), you can speed-up and simplify many infrastructure life cycle operations

Architecting, deploying, and managing hybrid cloud environments can be a challenging and time-consuming process. It starts with processor selection, operating system configuration, application management, and workload protection, and it never ends. Every step requires a reliable, trusted software foundation with a comprehensive set of features and capabilities to fuel optimal performance, greater consistency, and enhanced security capabilities for your environment. With new features in Red Hat Enterprise Linux 9.4 (RHEL), you can speed-up and simplify many infrastructure life cycle operations across your entire hybrid cloud environment, from on-site datacenters to public cloud infrastructure to edge devices.

****Choose your processor architecture****

From performance and scalability to reliability and cost, every application brings its own unique requirements to modern IT environments. As part of the complete RHEL platform portfolio, RHEL for ARM gives you the flexibility to deploy critical applications and services on the optimal processor architecture for each workload. With reduced power consumption and operating costs, enhanced uptime, and more predictable performance, RHEL for ARM helps you deploy a software foundation across your entire IT environment with greater consistency and efficiency.

RHEL for ARM now includes support for virtualization with both RHEL 9.4 ARM 64 hosts and RHEL 9.4 ARM 64 guests, all using the 64k page size kernel, allowing you to consolidate workloads and increase operational efficiency. With virtualization capabilities now available across 64-bit Arm, x86, and IBM Z host architectures, you can choose the most effective and efficient hardware for each of your virtual machines, and manage everything through a single, standardized toolset.

Hardware certification testing is a critical activity in the RHEL life cycle, providing improved interoperability and supportability for your infrastructure foundation. Ongoing testing and certification of virtualization capabilities in RHEL for ARM 9.4 helps confirm that your infrastructure is optimized to run virtualized workloads efficiently and reliably.

****More consistently build and deploy operating system images****

Consistent infrastructure configurations can help you streamline operations, enhance agility, and simplify management tasks across your hybrid cloud environment. As part of Red Hat Insights, and included with RHEL subscriptions, image builder lets you more consistently provision RHEL hosts to support standardized operating environments (SOE). Coming soon, with new proactive guidance for Insights image builder, you can access recommendations and information to help you build RHEL images more efficiently, and in less time. Based on an analysis of your selected packages, the image builder can suggest additional, relevant packages so you don’t miss critical components. And if you can’t find a package, then the image builder can suggest additional repositories to help speed up your search. As you select RHEL releases, the image builder displays relevant life cycle information to help you plan upgrades and migrations.

With the Red Hat Hybrid Cloud Console virtual assistant, you can now receive guidance on creating, customizing, and deploying images in public cloud environments. And when you create RHEL images for edge devices, you can now include certified cryptographic modules in compliance with Federal Information Processing Standard (FIPS) Publication 140-2.

****Manage systems across your network****

Fast and efficient server management is crucial for maintaining operational efficiency, driving compliance, and minimizing downtime. New features and capabilities in the RHEL 9.4 web console let you interactively configure and manage both local systems and networked servers across your environment. Simplify and standardize virtual machine operations with enhanced external virtual machine snapshot capabilities, including support for live snapshots. Automate kernel crash dump (kdump) configurations to improve consistency across your environment. Improve login security with WireGuard, a high-performance virtual private network (VPN) solution that runs in the Linux kernel. Pin rpm-ostree deployments, reset current deployments, and perform clean-up tasks to simplify the management of RHEL edge devices.  Best of all, you can do all of this from a single web-based interface.

****Protect your systems, workloads, and data****

Automation helps you enforce standardized configurations, address security vulnerabilities, and better adhere to security policies. With RHEL system roles, you can automate many common management tasks across on-site infrastructure, cloud resources, and even edge devices. Enhance security across your hybrid cloud with the fapolicydsystem role by automatically deploying and configuring fapolicydto allow or deny application executions at scale. Increase efficiency by using the ad\_integration system role to configure dynamic domain name system (DNS) updates on RHEL hosts integrated with Microsoft Active Directory. Gain flexibility when systems become unresponsive by customizing quorum device (qdevice) options and fencing topologies with the **high availability clustering** system role. The new **snapshot** system role provides for more rapid, predictable and repeatable data backup and recovery operations at scale, letting you create and manage point-in-time snapshots of logical volume manager (LVM) storage volumes. You can even better protect sensitive data with the **Microsoft SQL Server** system role, which automatically installs, configures, and deploys Microsoft SQL Server 2022 as a confined application using SELinux.

Beyond system roles, other new features and capabilities of RHEL 9.4 help protect your critical infrastructure and data. Passkey authentication, a component of the zero trust architecture (ZTA) security model, allows for passwordless and multifactor authentication (MFA) with Fast IDentity Online 2 (FIDO2) passkeys for centrally managed users. This feature has been tested and verified with Yubico YubiKey devices, and works with FIDO2-compliant hardware key devices.

Finally, new capabilities in the RHEL High Availability Add-On can automatically detect SAP HANA index server failures and switch to secondary nodes, shortening recovery times and increasing data availability.

****Try RHEL 9.4****

To find out more about the new features provided in RHEL 9.4, you can read the official documentation and release notes. And there's no better way to find out about new features than by downloading it and trying it yourself.

Simplify hybrid cloud operations with Red Hat Enterprise Linux 9.4

PRESS RELEASE

SAN DIEGO, April 29, 2024/PRNewswire/ -- ESET, a global leader in cybersecurity solutions, today announced the launch of two new Managed Detection and Response (MDR) subscription tiers: ESET PROTECT MDR for small and medium businesses (SMBs) and ESET PROTECT MDR Ultimate for enterprises. These offerings are built on the foundation of ESET PROTECT Elite and ESET PROTECT Enterprise, offering businesses of all sizes the most comprehensive, AI-powered threat detection and response capabilities, in combination with expert human analysis and comprehensive threat intelligence.

ESET's MDR offerings are designed to cater to the specific needs of both SMBs and Enterprises. To that end, ESET PROTECT MDR delivers a comprehensive cybersecurity package, offering 24/7/365 superior protection that addresses the most common challenges of small and medium-sized businesses. This includes modern protection for endpoints, email, and cloud applications, vulnerability detection and patching, and managed threat monitoring, hunting, and response. It addresses the cybersecurity talent shortages and ensures compliance with cyber insurance and regulations, offering a remarkable 20-minute average time to detect and respond, a comprehensive MDR dedicated dashboard and regular reporting for complete peace of mind.

For enterprises, ESET PROTECT MDR Ultimate offers continuous proactive protection and enhanced visibility, coupled with customized threat hunting and remote digital forensic incident response assistance. This comprehensive service is designed to support overstretched SOC teams, providing them with 24/7 access to world-class cybersecurity expertise. It ensures enterprises stay one step ahead of all known and emerging threats, effectively closing the cybersecurity skills gap, and facilitating expert consultations for incident management and containment in a fully managed experience.

ESET also sets itself apart with its own telemetry and unique global coverage, leveraging its detections and ESET Research to gather unique data about attacks, a competitive edge not offered by many players in the market.

"With the update of our business offering, we want to make ESET products accessible to customers without the necessary skill set or resources to operate them, but to also empower organizations to navigate the digital landscape confidently, safeguarded by our expertise and continuous, comprehensive coverage," stated Michal Jankech, Vice President of SMB and MSP segment at ESET.

Enhancements to the ESET business portfolio

Additionally, all ESET PROTECT subscription tiers, starting from ESET PROTECT Advanced, are now enhanced with ESET Mobile Threat Defense (EMTD). This new value-added, standalone module extends attack vector coverage to an organization's entire mobile fleet, seamlessly integrating into the ESET PROTECT Platform for efficient management, ensuring comprehensive protection for mobile devices. EMTD also includes a Mobile Device Management (MDM) functionality, with added support for Microsoft Entra ID.

Moreover, ESET Server Security introduces a firewall specifically designed for Windows servers, and Vulnerability & Patch Management, offering manual patch management and a 60-second delay of application process kill.

Finally, ESET LiveGuard Advanced now also offers advanced behavioral reports for our detection and response customers, providing an in-depth look into how our cloud sandboxing technology analyzes suspicious files, offering better visibility and context for security operators like cybersecurity and threat analysts, security engineers, or threat responders.

"This significant launch underscores ESET's unwavering dedication to delivering superior protection and services, effectively responding to the dynamic challenges faced by customers to stay one step ahead of threats," added Michal Jankech, Vice President of SMB and MSP segment at ESET.

For more detailed information about ESET and its updated portfolio, please visit the dedicated offering pages for SMBs and Enterprises.

About ESET  
ESET provides cutting-edge digital security to prevent attacks before they happen. By combining the power of AI and human expertise, ESET stays ahead of known and emerging cyber threats — securing businesses, critical infrastructure, and individuals. Whether it's endpoint, cloud or mobile protection, its AI-native, cloud-first solutions and services remain highly effective and easy to use. ESET technology includes robust detection and response, ultra-secure encryption, and multi-factor authentication. With 24/7 real-time defense and strong local support, we keep users safe and businesses running without interruption. An ever-evolving digital landscape demands a progressive approach to security: ESET is committed to world-class research and powerful threat intelligence, backed by R&D centers and a strong global partner network. For more information, visit www.eset.com or follow us on LinkedIn, Facebook, and X.

ESET PROTECT Portfolio Now Includes New MDR Tiers and Features

Tracking code used for keeping tabs on how members navigated through the healthcare giant's online and mobile sites was oversharing a concerning amount of information.

Source: Wirestock, Inc. via Alamy Stock Photo

Hard on the heels of a significant data theft at UnitedHealth, fellow healthcare behemoth Kaiser Permanente publicly announced a data breach affecting 13.4 million current and former insurance members.

Kaiser's systems inadvertently shared patient data with third-party advertisers, including Google, Microsoft, and social platform X, the company said, thanks to the presence of improperly implemented tracking code that Kaiser used to see how its members navigated through its Web and mobile sites.

"Certain online technologies, previously installed on its websites and mobile applications, may have transmitted personal information to third-party vendors," the company said in a media statement.

The shared data included names, IP addresses, what pages people visited, whether they were actively signed in, and even the search terms they used when visiting the company's online health encyclopedia.

Kaiser has reportedly removed the tracking code from its sites, and while the incident wasn't a hacking event, the breach is still concerning from a security perspective, according to Narayana Pappu, CEO at Zendata.

"The presence of third-party trackers belonging to advertisers, and the oversharing of customer information with these trackers, is a pervasive problem in both health tech and government space," he explains. "Once shared, advertisers have used this information to target ads at users for complementary products (based on health data); this has happened multiple times in the past few years, including at Goodrx. Although this does not fit the traditional definition of a data breach, it essentially results in the same outcome — an entity and the use case the data was not intended for has access to it. There is usually no monitoring/auditing process to identify and prevent the issue."

**About the Author(s)**

13.4M Kaiser Insurance Members Affected by Data Leak to Online Advertisers

ESET NOD32 Antivirus version 17.1.11.0 suffers from an unquoted service path vulnerability.

    # Exploit Title: ESET NOD32 Antivirus 17.1.11.0 - Unquoted Service Path# Exploit Author: Milad Karimi (Ex3ptionaL)# Exploit Date: 2024-04-27# Contact: miladgrayhat@gmail.com# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL# Vendor : https://www.eset.com# Version : 17.1.11.0# Tested on OS: Microsoft Windows 10 pro x64About Unquoted Service Path :==============================When a service is created whose executable path contains spaces and isn'tenclosed within quotes, leads to a vulnerability known as Unquoted ServicePath which allows a user to gain SYSTEM privileges.(only if the vulnerable service is running with SYSTEM privilege levelwhich most of the time it is).C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"|findstr /i /v "c:\windows\\" |findstr /i /v """ESET Updater ESETServiceSvc C:\Program Files (x86)\ESET\ESETSecurity\ekrn.exeC:\>sc qc ekrn[SC] QueryServiceConfig SUCCESSSERVICE_NAME: ekrn        TYPE               : 20  WIN32_SHARE_PROCESS        START_TYPE         : 2   AUTO_START        ERROR_CONTROL      : 1   NORMAL        BINARY_PATH_NAME   : "C:\Program Files\ESET\ESET Security\ekrn.exe"        LOAD_ORDER_GROUP   : Base        TAG                : 0        DISPLAY_NAME       : ESET Service        DEPENDENCIES       :        SERVICE_START_NAME : LocalSystem

ESET NOD32 Antivirus 17.1.11.0 Unquoted Service Path

Red teaming is a crucial part of proactive GenAI security that helps map and measure AI risks.

Source: josefotograf via Alamy

Generative artificial intelligence (GenAI) has emerged as a significant change-maker, enabling teams to innovate faster, automate existing workflows, and rethink the way we go to work. Today, more than 55% of companies are currently piloting or actively using GenAI solutions.

But for all its promise, GenAI also represents a significant risk factor. In an ISMG poll of business and cybersecurity professionals, respondents identified a number of concerns around GenAI implementation, including data security or leakage of sensitive data, privacy, hallucinations, misuse and fraud, and model or output bias.

For organizations looking to create additional safeguards around GenAI use, red teaming is one strategy they can deploy to proactively uncover risks in their GenAI systems. Here's how it works.

**Unique Considerations When Red Teaming GenAI**

GenAI red teaming is a complex, multistep process that differs significantly from red teaming classical AI systems or traditional software.

For starters, while traditional software or classical AI red teaming is primarily focused on identifying security failures, GenAI red teaming must account for responsible AI risks. These risks can vary widely, ranging from generating content with fairness issues to producing ungrounded or inaccurate information. GenAI red teaming has to explore potential security risks and responsible AI failures simultaneously.

Additionally, GenAI red teaming is more probabilistic than traditional red teaming. Executing the same attack path multiple times on traditional software systems is likely to yield similar results.

However, due to its multiple layers of nondeterminism, GenAI can provide different outputs for the same input. This can happen due to app-specific logic or the GenAI model itself. Sometimes the orchestrator that controls the output of the system can even engage different extensibility or plug-ins. Unlike traditional software systems with well-defined APIs and parameters, red teams must account for the probabilistic nature of GenAI systems when evaluating the technology.

Finally, system architectures vary widely between different types of GenAI tools. There are standalone applications, integrations with existing applications, and input and output modalities, like text, audio, images, and videos, for teams to consider.

These different system architectures make it incredibly difficult to conduct manual red-team probing. For example, to surface violent content generation risks on a browser-hosted chat interface, red teams would need to try different strategies multiple times to gather sufficient evidence of potential failures. Doing this manually for all types of harm, across all modalities and strategies, can be exceedingly tedious and slow.

**Best Practices for GenAI Red Teaming**

While manual red teaming can be a time-consuming, labor-intensive process, it's also one of the most effective ways to identify potential blind spots. Red teams can also scale certain aspects of probing through automation, particularly when it comes to automating routine tasks and helping identify potentially risky areas that require more attention.

At Microsoft, we use an open automation framework — known as the Python Risk Identification Tool for generative AI (PyRIT) — to red team GenAI systems. It is not intended to replace manual GenAI red teaming, but it can augment red teamers' existing domain expertise, automate tedious tasks, and create new efficiency gains by identifying hot spots for potential risks. This allows security professionals to control their GenAI red-teaming strategy and execution while PyRIT provides the automation code to generate potentially harmful prompts based on the initial dataset of harmful prompts provided by the security professional. PyRIT can also change tactics based on the GenAI system's response and generate its next input. 

Regardless of the method you use, sharing GenAI red-teaming resources like PyRIT across the industry raises all boats. Red teaming is a crucial part of proactive GenAI security, enabling red teamers to map AI risks, measure identified risks, and build out scoped mitigations to minimize their impact. In turn, this empowers organizations with the confidence and security they need to innovate responsibly with the latest AI advances.

— Read more Partner Perspectives from Microsoft Security

**About the Author(s)**

Microsoft

Protect it all with Microsoft Security.

Microsoft offers simplified, comprehensive protection and expertise that eliminates security gaps so you can innovate and grow in a changing world. Our integrated security, compliance, and identity solutions work across platforms and cloud environments, providing protection without compromising productivity.

We help customers simplify the complex by prioritizing risks with unified management tools and strategic guidance created to maximize the human expertise inside your company. Our unparalleled AI is informed by trillions of signals so you can detect threats quickly, respond effectively, and fortify your security posture to stay ahead of ever-evolving threats.

Tag

#microsoft