The Coalition for Secure AI (CoSAI) expanded its roster of members with the addition of threat intelligence management, collaboration and response orchestration vendor Cyware this week.

Source: ElenaBS via Alamy

The Coalition for Secure AI is a collaborative open-source initiative that seeks to aid those looking to create secure-by design AI technologies. Its network of stakeholders in business and academia work together to develop holistic approaches and best practices, tools and methodologies to secure AI development and deployment. 

This week, threat intelligence management, collaboration and response orchestration vendor Cyware became a member of CoSAI. Google is one of the founding members. Existing members include OpenAI, Anthropic, Microsoft, IBM, Intel, Nvidia, and PayPal.

The coalition has established three work streams that focus on different areas: software supply chain security for AI systems, preparing defenders for a changing cybersecurity landscape, and AI risk governance. In the future it expects to expand into additional areas. Cyware will contribute as an expert in AI-enabled security solutions to help develop industry standards that prioritize safety, ethics and transparency in AI development, the company said.

CoSAI operates under OASIS Open, an international standards and open source consortium that seeks to help members advance projects in areas including cybersecurity, blockchain, IoT, emergency management, cloud computing and legal data exchange.

**About the Author**

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

Coalition for Secure AI Promotes Safe, Ethical AI Development

Microsoft has revealed that a financially motivated threat actor has been observed using a ransomware strain called INC for the first time to target the healthcare sector in the U.S.
The tech giant's threat intelligence team is tracking the activity under the name Vanilla Tempest (formerly DEV-0832).
"Vanilla Tempest receives hand-offs from GootLoader infections by the threat actor Storm-0494,

Microsoft has revealed that a financially motivated threat actor has been observed using a ransomware strain called INC for the first time to target the healthcare sector in the U.S.

The tech giant's threat intelligence team is tracking the activity under the name **Vanilla Tempest** (formerly DEV-0832).

"Vanilla Tempest receives hand-offs from GootLoader infections by the threat actor Storm-0494, before deploying tools like the Supper backdoor, the legitimate AnyDesk remote monitoring and management (RMM) tool, and the MEGA data synchronization tool," it said in a series of posts shared on X.

In the next step, the attackers proceed to carry out lateral movement through Remote Desktop Protocol (RDP) and then use the Windows Management Instrumentation (WMI) Provider Host to deploy the INC ransomware payload.

The Windows maker said Vanilla Tempest has been active since at least July 2022, with previous attacks targeting education, healthcare, IT, and manufacturing sectors using various ransomware families such as BlackCat, Quantum Locker, Zeppelin, and Rhysida.

It's worth noting that the threat actor is also tracked under the name Vice Society, which is known for employing already existing lockers to carry out their attacks, as opposed to building a custom version of their own.

The development comes as ransomware groups like BianLian and Rhysida have been observed increasingly using Azure Storage Explorer and AzCopy to exfiltrate sensitive data from compromised networks in an attempt to evade detection.

"This tool, used for managing Azure storage and objects within it, is being repurposed by threat actors for large-scale data transfers to cloud storage," modePUSH researcher Britton Manahan said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Warns of New INC Ransomware Targeting U.S. Healthcare Sector

**Is the Preview Pane an attack vector for this vulnerability?**

No, the Preview Pane is not an attack vector.

CVE-2024-38016: Microsoft Office Visio Remote Code Execution Vulnerability

**According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?**

The user would have to click on a specially crafted URL to be compromised by the attacker.

CVE-2024-43489: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

CVE-2024-43496: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

**According to the CVSS metric, user interaction is required (UI:R). What does that mean for this vulnerability?**

Successful exploitation requires the victim to perform multiple steps to trigger the vulnerability.

CVE-2024-38221: Microsoft Edge (Chromium-based) Spoofing Vulnerability

By accessing the MSSQL, threat actors gain admin-level access to the application, allowing them to automate their attacks.

Source: ADDICTIVE STOCK CREATIVES via Alamy Stock Photo

Threat actors have been targeting Foundation accounting software commonly used by general contractors in the construction industry, leveraging active exploits within the plumbing, HVAC, and concrete sub-industries, among others.

Researchers at Huntress initially discovered the threat when tracking activity on Sept. 14. "What tipped us off was host/domain enumeration commands spawning from a parent process of sqlservr.exe," the researchers wrote in their advisory.

The software that the application uses includes a Microsoft SQL Server (MSSQL) instance for handling its database operations. According to the researchers, while it's common to keep database servers on an internal network or behind a firewall, Foundation software contains features that allow access through a mobile app. Because of this, "the TCP port 4243 may be exposed publicly for use by the mobile app. This 4243 port offers direct access to MSSQL."

In tandem, Microsoft SQL Server has a default system admin account, known as "sa," which has full administrative privileges over the entire server. With such high privileges, these accounts can enable users to run shell commands and scripts.

The threat actors targeting the application have been observed brute-forcing the application at scale as well as using default credentials to gain access to victim accounts. In addition, threat actors appear to be using scripts to automate their attacks.

It's recommended that organizations rotate their credentials associated with Foundation software and keep installations disconnected from the Internet to prevent falling victim to these attacks.

**About the Author**

Contractor Software Targeted via Microsoft SQL Server Loophole

Criminal actors are finding their niche in utilizing QR phishing codes, otherwise known as "quishing," to victimize unsuspecting tourists in Europe and beyond.

Source: Westend61 GmbH via Alamy Stock Photo

In what seems to be an increasingly popular method of attack, two threat groups have been identified as utilizing QR code parking scams in the UK and throughout the world.

The researchers at Netcraft believe that one of the groups is active across Europe, especially in France, Germany, Italy, Switzerland, and the UK. According to initial reports of the threat, threat actors trick unsuspecting victims into scanning malicious QR codes and entering their personal information. And the damage doesn't stop there — ultimately, because the QR codes are fake, users aren't registering their cars for parking, meaning that they're likely to be hit with a double whammy: potential financial fraud and a parking ticket.

The threat first came to public notice in August when British car insurer RAC published a warning advising drivers to be vigilant and only pay with card, cash, or official parking apps already installed on their phones. The potential victim count so far is roughly 10,000 within just a two-month span, according to their report released today.

The scams are gaining so much traction that they're stretching beyond Europe, to Canada and the United States, prompting the FBI to issue alert number I-011822-PSA, "Cybercriminals Tampering with QR Codes to Steal Victim Funds," to bring awareness to an issue they suspect will only continue to grow.

**No-Parking Zone**

In the United Kingdom, it first began with what the researchers called a "wave of malicious QR codes appearing across the city center" of London. The fake QR codes would be found printed on adhesive stickers and posted on parking meters. After scanning the QR code, the user turned victim would be directed to a phishing website impersonating a legitimate parking payment app, PayByPhone.

The scams spread across Britain, and peaked from June to September, with the threat actors were getting traction with, or perhaps specifically targeting, tourists in areas such as Blackpool, Brighton, Portsmouth, Southampton, Conwy, and Aberdeen.

With roughly 30 parking apps currently being used in the UK, these criminals are likely to find success preying on tourists who need to access public parking with easy and accessible payment options. 

And though the current research focuses on how these schemes impact parking and tourists in particular, Robert Duncan, vice president of product strategy at Netcraft, stresses to Dark Reading that the threats carry risk in business context, pointing out a rash of corporate Microsoft 365 "quishing" attempts that exploited corporate users who used their own devices, thus excluding them from the enterprise's security perimeter and leaving them open to any potential threats. 

**PayByQuish?**

One criminal group using these methods is specifically impersonating PayByPhone, and follow a series of steps to execute their scam.

First, the threat actor "deploys boots on the ground resources" to set up the attack and affix the QR codes to parking payment machines, Duncan explains. Next, the victims scan the malicious, fake QR code and are unknowingly directed to a phishing website. The victim then follows the steps to enter their personal details: the parking lot location code, their vehicle details, parking duration, and lastly — and most damaging — their payment-card details.

Once this is completed, the website will display a "processing" page to simulate the legitimate user experience. The payment is then "accepted," and the phishing website confirms the entered details before directing the victim to the real PayByPhone website. 

According to the researchers, in some cases the phishing group sends the victim to a failed payment page, asking them for an alternative payment method. This only exacerbates the issue by collecting more card info and further adding to the funds that the threat actors can steal from.

Evading criminal groups' schemes seems a difficult task when it presents itself so well as a legitimate operation. But the researchers have found that there are certain markers that can help potential victims detect a scam. For instance, 32 domain names with the same scam all displayed the following characteristics:

1.  Registered with NameSilo.
    
2.  Using .info, .click, .live, .online, and .site top-level domains (TLDs) rather than .com or common country-specific TLDs.
    
3.  The sites appeared to be protected by Cloudflare.
    

**How Businesses Can Avoid the Quish Hook**

As these kinds of threat continue to grow, and possibly develop into new business sectors (such as quishing threats infiltrating restaurants or retail stores), Duncan notes that it won't be easy to defend against. 

"It's quite difficult for businesses to defend against rogue QR codes being placed over existing ones," he says. "It's also harder to protect customers using mobile devices who may not have as many built-in security measures as on desktop devices. In this case, an online brand protection platform with broad URL-based threat intelligence with QR code support can help."

Ultimately, Duncan says, there is no foolproof solution to preventing these threats as "both fake and legitimate QR codes often use URL shorteners, which makes it very hard to tell apart." Instead, he recommends that users avoid scanning QR codes and instead look up parking apps in official app stores.

"There's a lot of potential for QR code misuse," he adds. "You're often on a mobile device, where controls can be weaker. Watch this space."

QR Phishing Scams Gain Motorized Momentum in UK

Ubuntu Security Notice 7021-1 - Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-7021-1September 18, 2024linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15,linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15,linux-hwe-5.15, linux-ibm, linux-intel-iotg, linux-intel-iotg-5.15,linux-kvm, linux-nvidia, linux-oracle, linux-raspi vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTS- Ubuntu 20.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-azure: Linux kernel for Microsoft Azure Cloud systems- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-gke: Linux kernel for Google Container Engine (GKE) systems- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems- linux-ibm: Linux kernel for IBM cloud systems- linux-intel-iotg: Linux kernel for Intel IoT platforms- linux-kvm: Linux kernel for cloud environments- linux-nvidia: Linux kernel for NVIDIA systems- linux-oracle: Linux kernel for Oracle Cloud systems- linux-raspi: Linux kernel for Raspberry Pi systems- linux-aws-5.15: Linux kernel for Amazon Web Services (AWS) systems- linux-azure-5.15: Linux kernel for Microsoft Azure cloud systems- linux-gcp-5.15: Linux kernel for Google Cloud Platform (GCP) systems- linux-gkeop-5.15: Linux kernel for Google Container Engine (GKE) systems- linux-hwe-5.15: Linux hardware enablement (HWE) kernel- linux-intel-iotg-5.15: Linux kernel for Intel IoT platformsDetails:Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - GPU drivers;  - BTRFS file system;  - F2FS file system;  - GFS2 file system;  - BPF subsystem;  - Netfilter;  - RxRPC session sockets;  - Integrity Measurement Architecture(IMA) framework;(CVE-2024-39496, CVE-2024-41009, CVE-2024-26677, CVE-2024-42160,CVE-2024-27012, CVE-2024-42228, CVE-2024-39494, CVE-2024-38570)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS  linux-image-5.15.0-1053-gkeop   5.15.0-1053.60  linux-image-5.15.0-1063-ibm     5.15.0-1063.66  linux-image-5.15.0-1063-raspi   5.15.0-1063.66  linux-image-5.15.0-1065-intel-iotg  5.15.0-1065.71  linux-image-5.15.0-1065-nvidia  5.15.0-1065.66  linux-image-5.15.0-1065-nvidia-lowlatency  5.15.0-1065.66  linux-image-5.15.0-1067-gke     5.15.0-1067.73  linux-image-5.15.0-1067-kvm     5.15.0-1067.72  linux-image-5.15.0-1068-oracle  5.15.0-1068.74  linux-image-5.15.0-1069-gcp     5.15.0-1069.77  linux-image-5.15.0-1070-aws     5.15.0-1070.76  linux-image-5.15.0-1073-azure   5.15.0-1073.82  linux-image-5.15.0-122-generic  5.15.0-122.132  linux-image-5.15.0-122-generic-64k  5.15.0-122.132  linux-image-5.15.0-122-generic-lpae  5.15.0-122.132  linux-image-aws-lts-22.04       5.15.0.1070.70  linux-image-azure-lts-22.04     5.15.0.1073.71  linux-image-gcp-lts-22.04       5.15.0.1069.65  linux-image-generic             5.15.0.122.122  linux-image-generic-64k         5.15.0.122.122  linux-image-generic-lpae        5.15.0.122.122  linux-image-gke                 5.15.0.1067.66  linux-image-gke-5.15            5.15.0.1067.66  linux-image-gkeop               5.15.0.1053.52  linux-image-gkeop-5.15          5.15.0.1053.52  linux-image-ibm                 5.15.0.1063.59  linux-image-intel-iotg          5.15.0.1065.65  linux-image-kvm                 5.15.0.1067.63  linux-image-nvidia              5.15.0.1065.65  linux-image-nvidia-lowlatency   5.15.0.1065.65  linux-image-oracle-lts-22.04    5.15.0.1068.64  linux-image-raspi               5.15.0.1063.61  linux-image-raspi-nolpae        5.15.0.1063.61  linux-image-virtual             5.15.0.122.122Ubuntu 20.04 LTS  linux-image-5.15.0-1053-gkeop   5.15.0-1053.60~20.04.1  linux-image-5.15.0-1065-intel-iotg  5.15.0-1065.71~20.04.1  linux-image-5.15.0-1069-gcp     5.15.0-1069.77~20.04.1  linux-image-5.15.0-1070-aws     5.15.0-1070.76~20.04.1  linux-image-5.15.0-1073-azure   5.15.0-1073.82~20.04.1  linux-image-5.15.0-122-generic  5.15.0-122.132~20.04.1  linux-image-5.15.0-122-generic-64k  5.15.0-122.132~20.04.1  linux-image-5.15.0-122-generic-lpae  5.15.0-122.132~20.04.1  linux-image-aws                 5.15.0.1070.76~20.04.1  linux-image-azure               5.15.0.1073.82~20.04.1  linux-image-azure-cvm           5.15.0.1073.82~20.04.1  linux-image-gcp                 5.15.0.1069.77~20.04.1  linux-image-generic-64k-hwe-20.04  5.15.0.122.132~20.04.1  linux-image-generic-hwe-20.04   5.15.0.122.132~20.04.1  linux-image-generic-lpae-hwe-20.04  5.15.0.122.132~20.04.1  linux-image-gkeop-5.15          5.15.0.1053.60~20.04.1  linux-image-intel               5.15.0.1065.71~20.04.1  linux-image-intel-iotg          5.15.0.1065.71~20.04.1  linux-image-oem-20.04           5.15.0.122.132~20.04.1  linux-image-oem-20.04b          5.15.0.122.132~20.04.1  linux-image-oem-20.04c          5.15.0.122.132~20.04.1  linux-image-oem-20.04d          5.15.0.122.132~20.04.1  linux-image-virtual-hwe-20.04   5.15.0.122.132~20.04.1After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-7021-1  CVE-2024-26677, CVE-2024-27012, CVE-2024-38570, CVE-2024-39494,  CVE-2024-39496, CVE-2024-41009, CVE-2024-42160, CVE-2024-42228Package Information:  https://launchpad.net/ubuntu/+source/linux/5.15.0-122.132  https://launchpad.net/ubuntu/+source/linux-aws/5.15.0-1070.76  https://launchpad.net/ubuntu/+source/linux-azure/5.15.0-1073.82  https://launchpad.net/ubuntu/+source/linux-gcp/5.15.0-1069.77  https://launchpad.net/ubuntu/+source/linux-gke/5.15.0-1067.73  https://launchpad.net/ubuntu/+source/linux-gkeop/5.15.0-1053.60  https://launchpad.net/ubuntu/+source/linux-ibm/5.15.0-1063.66  https://launchpad.net/ubuntu/+source/linux-intel-iotg/5.15.0-1065.71  https://launchpad.net/ubuntu/+source/linux-kvm/5.15.0-1067.72  https://launchpad.net/ubuntu/+source/linux-nvidia/5.15.0-1065.66  https://launchpad.net/ubuntu/+source/linux-oracle/5.15.0-1068.74  https://launchpad.net/ubuntu/+source/linux-raspi/5.15.0-1063.66  https://launchpad.net/ubuntu/+source/linux-aws-5.15/5.15.0-1070.76~20.04.1  https://launchpad.net/ubuntu/+source/linux-azure-5.15/5.15.0-1073.82~20.04.1  https://launchpad.net/ubuntu/+source/linux-gcp-5.15/5.15.0-1069.77~20.04.1  https://launchpad.net/ubuntu/+source/linux-gkeop-5.15/5.15.0-1053.60~20.04.1  https://launchpad.net/ubuntu/+source/linux-hwe-5.15/5.15.0-122.132~20.04.1  https://launchpad.net/ubuntu/+source/linux-intel-iotg-5.15/5.15.0-1065.71~20.04.1

Ubuntu Security Notice USN-7021-1

Despite security updates to protect data, 45% of total enterprise instances of the cloud-based IT management platform leaked PII, internal system details, and active credentials over the past year.

Source: Rafa Press via Shutterstock

One-thousand instances of enterprise knowledge bases (KBs) hosted by ServiceNow were found to be exposing sensitive corporate data over the past year, despite improvements in data protection that the company put in place last year to avoid such security issues.

Based on security research conducted by software-as-a-service (SaaS) security firm AppOmni, nearly 45% of total enterprise instances of ServiceNow KBs leak sensitive data, including personally identifiable information (PII), internal system details, and active credentials/tokens to live production systems.

AppOmni chief of SaaS security research Aaron Costello in an analysis published on Sept. 17 attributed the security holes to "outdated configurations and misconfigured access controls in KBs," likely indicating "a systematic misunderstanding of KB access controls or possibly the accidental replication of at least one instance's poor controls to another through cloning," he wrote.

In fact, in many of the cases, organizations with more than one instance of ServiceNow had consistently misconfigured KB access controls across each one, the researchers found.

ServiceNow is a cloud-based IT service management platform. Last year, the company introduced security updates to its platform to prevent unauthenticated users from getting access to data, including default enhancements to access control lists (ACLs). However, the improvements didn't seem to have a great impact on its KBs, a "treasure trove of sensitive internal data" not meant to be seen by those outside of the organization, Costello noted.

**Why Leaks Despite Security Improvements?**

AppOmni revealed its findings to ServiceNow, which worked with its customers to evaluate the instances of customer data leaks and "appropriately configure the accessibility of KB articles," ServiceNow CISO Ben De Bont said in a statement published with AppOmni's analysis.

"We are committed to protecting our customers' data, and security researchers are important partners in our ongoing efforts to improve the security of our products," De Bont said. He thanked Costello and AppOmni not only for identifying the security gap, but also delaying publication of their findings until ServiceNow could coordinate mitigations with customers.

As mentioned, ServiceNow made two key changes to its data protections last year in an effort to improve the security of data hosted on its platform. One was to add properties to prevent select widgets from granting unauthenticated users access to data unless explicitly set to do so, while the second was a new feature called Security Attributes, which is applied to most ACLs by default. It includes specific verifications to ensure unauthenticated users are not allowed access to data.

These updates did not protect data in KBs for two reasons, Costello noted. One is that public widgets that can be used to access the content of KB articles did not receive the update, he wrote. The second reason is that the majority of KBs are secured using a feature called User Criteria as opposed to ACLs, "rendering the addition of the 'UserIsAuthenticated' Security Attribute redundant since it is an ACL-exclusive feature," Costello noted.

Though this may explain the issues found with ServiceNow's KB exposure, it doesn't necessarily explain why organizations in general struggle to lock down KBs. What Costello found in his research is that most enterprise instances — or 60% of the cases he examined — retain an insecure KB security property to "allow public access by default," Costello said.

Moreover, many administrators are unaware that there are various criteria that grant access to unauthenticated users in KB configurations, allowing "external users to slip through the cracks and be granted access," Costello wrote.

**How to Mitigate KB Data Exposure**

Indeed, ServiceNow isn't the only hosting provider to have issues with data leakage from KBs, notes Roger Grimes, data-driven defense evangelist at security awareness training firm KnowBe4. Microsoft, too, experienced a similar issue with leaking client data, "including complete memory dumps, exposed in help desk-type data," he says.

However, pointing fingers at SaaS providers when security issues like KB data leaks arise isn't going to help combat the problem, and organizations also need to take responsibility for the security of their own KBs.

"The reality is that we are all learning how to best secure our data in this world of hyper-connectivity and always online accessible content," he says. "Instead of blaming the vendor, let's use this additional instance of the type of problem to examine our own policies and processes."

Costello suggested ways organizations can do that, including running regular diagnostics on KB access controls to keep security configurations updated, and using business rules to deny unauthenticated access to KB content by default.

They also should be aware of the relevant security properties of KBs, which act as important security guardrails affecting how access control is dictated when both internal and external users attempt to access data, he said.

Keeping in contact with ServiceNow (as well as other SaaS providers that are responsible for hosting sensitive corporate data), and ensuring security updates and efforts are up-to-date can help prevent data exposure, Costello added.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Tag

#microsoft