Red Hat Security Advisory 2024-1834-03 - An update for shim is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.2 Telecommunications Update Service. Issues addressed include buffer overflow, bypass, integer overflow, and out of bounds read vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1834.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: shim security update  
Advisory ID:        RHSA-2024:1834-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1834  
Issue date:         2024-04-16  
Revision:           03  
CVE Names:          CVE-2023-40546  
====================================================================

Summary: 

An update for shim is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.2 Telecommunications Update Service.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The shim package contains a first-stage UEFI boot loader that handles chaining to a trusted full boot loader under secure boot environments.

Security Fix(es):

* shim: RCE in http boot support may lead to Secure Boot bypass (CVE-2023-40547)

* shim: Interger overflow leads to heap buffer overflow in verify_sbat_section on 32-bits systems (CVE-2023-40548)

* shim: Out-of-bounds read printing error messages (CVE-2023-40546)

* shim: Out-of-bounds read in verify_buffer_authenticode() malformed PE file (CVE-2023-40549)

* shim: Out-of-bound read in verify_buffer_sbat() (CVE-2023-40550)

* shim: out of bounds read when parsing MZ binaries (CVE-2023-40551)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-40546

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2234589  
https://bugzilla.redhat.com/show_bug.cgi?id=2241782  
https://bugzilla.redhat.com/show_bug.cgi?id=2241796  
https://bugzilla.redhat.com/show_bug.cgi?id=2241797  
https://bugzilla.redhat.com/show_bug.cgi?id=2259915  
https://bugzilla.redhat.com/show_bug.cgi?id=2259918

Red Hat Security Advisory 2024-1834-03

Red Hat Security Advisory 2024-1832-03 - An update for the squid:4 module is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1832.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: squid:4 security updateAdvisory ID:        RHSA-2024:1832-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1832Issue date:         2024-04-16Revision:           03CVE Names:          CVE-2024-25111====================================================================Summary: An update for the squid:4 module is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Squid is a high-performance proxy caching server for web clients, supportingFTP, and HTTP data objects.Security Fix(es):* squid: Denial of Service in HTTP Chunked Decoding (CVE-2024-25111)* squid: denial of service in HTTP header parser (CVE-2024-25617)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-25111References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2264309https://bugzilla.redhat.com/show_bug.cgi?id=2268366

Red Hat Security Advisory 2024-1832-03

A cybercriminal gang called RansomHub claims to be selling highly sensitive patient information stolen from Change Healthcare following a ransomware attack by another group in February.

Change Healthcare is facing a new cybersecurity nightmare after a ransomware group began selling what it claims is Americans’ sensitive medical and financial records stolen from the health care giant.

“For most US individuals out there doubting us, we probably have your personal data,” the RansomHub gang said in an announcement seen by WIRED.

The stolen data allegedly includes medical and dental records, payment claims, insurance details, and personal information like Social Security numbers and email addresses, according to screenshots. RansomHub claimed it had health care data on active-duty US military personnel.

The sprawling theft and sale of sensitive health care data represents a dramatic new form of fallout from the February cyberattack on Change Healthcare that crippled the company’s claims-payment operations and sent the US health care system into crisis as hospitals struggled to stay open without regular funding.

Change Healthcare, a subsidiary of UnitedHealth Group, previously acknowledged that a ransomware gang known as BlackCat or AlphV breached its systems, and told WIRED last week that it is investigating RansomHub’s claims about possessing the company’s stolen data. Change Healthcare did not immediately respond to a request for comment about the group’s alleged sale of its data.

The wide variety of patient data that RansomHub claims to be selling is a testament to Change Healthcare’s role as a critical intermediary between insurers and health care providers, facilitating payments between both parties and collecting reams of sensitive information about patients and their medical procedures in the process.

Among the sample records that RansomHub posted are a list of open claims handled by the company’s EquiClaim subsidiary that includes patient and provider names; a hospital record for a 74-year-old woman in Tampa, Florida; and part of a database record related to US military service members’ health care.

RansomHub said it would allow individual insurance companies that worked with Change Healthcare and had their data compromised to pay ransoms to prevent the sale of their records. It specified that it was selling data belonging to MetLife, CVS Caremark, Davis Vision, Health Net, and Teachers Health Trust.

Change Healthcare’s “processing of sensitive data for all of these companies is just something unbelievable,” RansomHub said in its announcement.

Most firms whose data RansomHub claims to possess did not immediately respond to WIRED's request for comment.

Mike DeAngelis, the executive director of corporate communications for CVS Health says the company is “aware of unsubstantiated claims from threat actors that confidential data, including personal information of patients and members belonging to multiple organizations, was accessed as part of Change Healthcare’s cyber security incident.”

“We are closely monitoring Change Healthcare’s response to this issue and will provide updates with more information as appropriate,” DeAngelis adds, noting that Change Healthcare has not yet confirmed that patient data “was impacted by this incident.”

Brett Callow, a threat analyst at the security firm Emsisoft who closely tracks ransomware gangs, says the new sale of stolen data was probably “less about actually selling the data” and more about putting Change Healthcare—and the partner companies whose records it failed to protect—“under additional pressure to pay.”

Change Healthcare appears to have paid a $22 million ransom to AlphV to stop it from leaking terabytes of stolen data.

Two months into the crisis spawned by the ransomware attack, Change Healthcare has faced mounting losses. The company recently reported spending $872 million responding to the incident as of March 31.

At the same time, Change is under increasing pressure from lawmakers and regulators to explain its cybersecurity lapse and the steps it’s taking to prevent another hack.

A subcommittee of the House Energy and Commerce Committee held a hearing on the health sector’s cyber posture on Tuesday, with key lawmakers saying they were disappointed that UnitedHealth Group declined to make an executive available to testify. And the Department of Health and Human Services is investigating whether Change Healthcare’s failure to prevent hackers from accessing and stealing its data violated federal data-security rules.

_Updated 4/16/2024, 5:38 pm ET: Added additional details about the firms whose data RansomHub claims to possess._

Change Healthcare’s New Ransomware Nightmare Goes From Bad to Worse

By Uzair Amir
Worried about prying eyes? We explain how messenger apps keep your chats confidential with features like encryption & multi-factor authentication.  Learn about security risks & emerging technologies for a safer digital future.
This is a post from HackRead.com Read the original post: Texting Secrets: How Messenger Apps Guard Your Chats

In today’s digital age, conversations are more online than face-to-face; hence, we must be careful with our messages. The widely used **messenger applications** designed for modern communication have advanced greatly in ensuring that our chat remains confidential. However, what measures are taken by such systems to keep our conversations safe from any malicious activity?

****End-to-End Encryption****

This security measure ensures that messages are decrypted only by the intended users. With end-to-end encryption, decryption is only possible by the receiver – the third party cannot intercept or **eavesdrop on the message**.

WhatsApp and Telegram are some chat applications that employ this encryption to secure user chat. Encryption of messages occurs “at the end” with the sender, and it can only be decrypted when it reaches the intended receiver “at the other end”; therefore creating a problem even for the messaging companies that would wish to decrypt and read the messages.

****Security Measures Beyond Encryption****

*   **Two-Factor Authentication (2FA):** To improve security, two-factor authentication requires users to enter a code that is sent to their mobile phone apart from the usual login details. This makes it much safer against unauthorized hackers when passwords get stolen to send **messenger hacked** links and gain access to sensitive accounts.
*   **Biometric Authentication:** Messenger applications can benefit from convenient and safe biometric authentication options like fingerprint and facial recognition. Through the use of individual biological attributes, it guarantees that only the authorized user can unlock their conversations.
*   **Secure Messaging Protocols:** Messenger applications are built on secure messaging protocols (like the Signal Protocol or the Off-the-Record Messaging protocol), enabling encrypted communication channels among different individuals. These protocols ensure that the message remains private even during any attack on the network.

****Challenges and Vulnerabilities********Phishing Attacks****

The security of messenger apps is still seriously threatened by **phishing attacks** when cybercriminals make efforts to deceive people and disclose their login details as well as other important data. Mitigation of this risk requires education as well as awareness about phishing techniques.

**Messenger app security** is also at risk from social engineering tactics like impersonation or manipulation. People must stay alert and suspicious of any odd messages or friend requests coming from unfamiliar ones; rather, they must confirm that the sender is who they claim to be before giving out any confidential data.

****Device Security Risks****

Messenger app communication may be unsafe due to weaknesses in device security, such as malware or **insecure Wi-Fi networks**. To prevent this, it is important to have regular software updates, antivirus software and secure network connections.

****Emerging Technologies in Chat Security****

*   **Quantum Cryptography:** Quantum mechanics is used in quantum cryptography to ensure that data is stored in quantum states, resulting in high levels of safety. Although it is still being considered as an attempt, quantum cryptography provides a potential solution to secure messaging encryption.
*   **Blockchain-Based Messaging Platforms:** With blockchain technology, it becomes possible to have messaging systems which do not centralize message data but rather store it across a distributed network, making it almost impossible for someone to corrupt or prevent certain messages from passing through. The **blockchain messaging applications** enhance safety as well as confidentiality through open and unchangeable message logs.
*   **AI-Powered Threat Detection:** In messenger applications today, there is a growing trend of utilizing artificial intelligence as well as machine learning algorithms to identify and deal with security threats. These systems analyze user activities, messages exchanged, as well as network flow metadata to detect, prevent and respond immediately to any breaches of security.

****Balancing Security and Usability****

Although it is important to have strong security systems, messenger applications need to balance between security and ease of use to be convenient. The flow of messages must not be disrupted, and there should be no negative impact on user experience as a result of complicated security protocols.

****The Future of Secure Messaging****

The landscape of chat security will change with advancing technology. The security of messenger applications will be improved by developments in **encryption algorithms**, authentication mechanisms, and threat detection technologies to guarantee that our conversations remain confidential and safe within cyberspace.

To promote secure communication, it is crucial to educate people on how they can stay safe and why privacy matters. Messaging platforms take part in user awareness programs that emphasize risks posed by hackers and promote preventative security steps.

The security of our conversations is very important at a time when digital communication is dominant. Many security features are used by messaging applications such as end-to-end encryption, biometric authentication, etc., to protect our conversations against any threats.

Nonetheless, the pace at which cyber threats change and develop means that new forms of securing chats must be continuously created. To achieve this, we have to keep on guard and adopt new technologies so that our conversations will stay private and safe.

1.  Zama Secures $73M Series A Lead for Homomorphic Encryption
2.  WhatsApp Encryption Explained — “Everything is not what it seems”
3.  Encrypted Email Service ProtonMail Supports Physical Security Keys

Texting Secrets: How Messenger Apps Guard Your Chats

By Deeba Ahmed
Apple has issued iPhone security alerts to 92 countries, stating that their devices have been targeted by a mercenary spyware attack, expressing high confidence in the warning.
This is a post from HackRead.com Read the original post: iPhone Users in 92 Countries Targeted by Mercenary Spyware Attacks

Apple has issued security alerts to millions of iPhone users across 92 countries, stating that their devices are being targeted by mercenary spyware. The alerts suggest that the attack is likely targeting users based on their identity or activities.

Apple has been informing users of threats for years, targeting journalists and politicians in over 150 countries since 2021. Some users have found invasive Pegasus spyware on their iPhones, created by Israeli spyware maker NSO Group. However, the company hasn’t provided any official numbers in the current case.

Apple’s threat notification (Read Apple’s updated statement here)

****Apple Requests Users to Take It Seriously!****

As reported by The Economic Times, Apple has stated in the warning email that the attack is likely targeted due to specific characteristics or actions, urging users to take it seriously.

A targeted mercenary spyware attack could remotely access sensitive data, communications, or even the camera and microphone, according to Apple’s threat notification email.

Despite the Indian government’s opposition to security alerts by Apple, India is among the countries affected by this issue, and it’s unclear if US iPhone owners were targeted, as Apple hasn’t provided any further details.

Apple has sent multiple alerts to over 150 countries since 2021 and it previously sued Israeli firm NSO Group for aiding adversaries in targeting iPhone users. Moreover, Apple has been releasing iOS updates to address potential spyware attacks, often as emergency security measures, especially when an iPhone flaw is already being exploited.

If you have received this notification, remember that Apple has dedicated a page to offer guidance on changing passwords and enabling two-factor authentication to enhance security.

****What are Mercenary Attacks?****

Mercenary attacks are targeted spyware attacks, which are a unique type of cyberattacks that targets specific individuals based on their profession, social status, or access to sensitive information. They use sophisticated spyware, like Pegasus, to infiltrate devices and gather vast amounts of data.

These attacks, are expensive and require extensive resources to execute. Mercenary attacks are rare and complex cybercrimes, costing millions and targeting a small number of people worldwide, according to a company email.

Brian Higgins, security specialist at Comparitech commented on the issue. _“_There have been enough periodic Pegasus activations in recent years for those who are regularly targeted to hopefully have some kind of response or mitigation plans in place,_“_ he said.

_“_Most often journalists and activists in jurisdictions of risk are targeted as they are vulnerable to intervention, prosecution and attack by the regimes they challenge – and data harvested in these breaches can facilitate all of these activities,_“_ Brain warned.

_“_It’s rather a disappointing buck-passing exercise for Apple to direct them to a third party, non-profit Security Helpline, given the history of implications for individual targets in previous incidents. You’d think as proprietors of a vulnerable platform, they would offer to help out themselves._“_

1.  Apple Issues Urgent Security Patches for Zero-Day Flaws
2.  iLeakage Attack: Theft of Data from Apple’s Safari Browser
3.  QuaDream, Israeli iPhone hacking spyware firm, to shut down
4.  Fake Lockdown Mode Exposes iOS Users to Malware Attacks
5.  iPhone Spyware Exploits Obscure Chip Feature, Hits Researchers

iPhone Users in 92 Countries Targeted by Mercenary Spyware Attacks

Change Healthcare ransomware hackers already received a $22 million payment. Now a second group is demanding money, and it has sent WIRED samples of what they claim is the company's stolen data.

For months, Change Healthcare has faced an immensely messy ransomware debacle that has left hundreds of pharmacies and medical practices across the United States unable to process claims. Now, thanks to an apparent dispute within the ransomware criminal ecosystem, it may have just become far messier still.

In March, the ransomware group AlphV, which had claimed credit for encrypting Change Healthcare’s network and threatened to leak reams of the company’s sensitive health care data, received a $22 million payment—evidence, publicly captured on Bitcoin’s blockchain, that Change Healthcare had very likely caved to its tormentors’ ransom demand, though the company has yet to confirm that it paid. But in a new definition of a worst-case ransomware, a _different_ ransomware group claims to be holding Change Healthcare’s stolen data and is demanding a payment of their own.

Since Monday, RansomHub, a relatively new ransomware group, has posted to its dark-web site that it has 4 terabytes of Change Healthcare’s stolen data, which it threatened to sell to the “highest bidder” if Change Healthcare didn’t pay an unspecified ransom. RansomHub tells WIRED it is not affiliated with AlphV and “can’t say” how much it’s demanding as a ransom payment.

RansomHub initially declined to publish or provide WIRED any sample data from that stolen trove to prove its claim. But on Friday, a representative for the group sent WIRED several screenshots of what appeared to be patient records and a data-sharing contract for United Healthcare, which owns Change Healthcare, and Emdeon, which acquired Change Healthcare in 2014 and later took its name.

While WIRED could not fully confirm RansomHub’s claims, the samples suggest that this second extortion attempt against Change Healthcare may be more than an empty threat. “For anyone doubting that we have the data, and to anyone speculating the criticality and the sensitivity of the data, the images should be enough to show the magnitude and importance of the situation and clear the unrealistic and childish theories,” the RansomHub contact tells WIRED in an email.

Change Healthcare didn’t immediately respond to WIRED’s request for comment on RansomHub’s extortion demand.

Brett Callow, a ransomware analyst with security firm Emsisoft, says he believes AlphV did not originally publish any data from the incident, and the origin of RansomHub’s data is unclear. “I obviously don't know whether the data is real—it could have been pulled from elsewhere—but nor do I see anything that indicates it may not be authentic,” he says of the data shared by RansomHub.

Jon DiMaggio, chief security strategist at threat intelligence firm Analyst1, says he believes RansomHub is “telling the truth and does have Change HealthCare’s data,” after reviewing the information sent to WIRED. While RansomHub is a new ransomware threat actor, DiMaggio says, they are quickly “gaining momentum.”

If RansomHub’s claims are real, it will mean that Change Healthcare’s already catastrophic ransomware ordeal has become a kind of cautionary tale about the dangers of trusting ransomware groups to follow through on their promises, even after a ransom is paid. In March, someone who goes by the name “notchy” posted to a Russian cybercriminal forum that AlphV had pocketed that $22 million payment and disappeared without sharing a commission with the “affiliate” hackers who typically partner with ransomware groups and often penetrate victims’ networks on their behalf.

Notchy’s post suggested that Change Healthcare faced an unprecedented situation: It had allegedly already paid a ransom, yet jilted partners of the gang extorting it still felt they were owed money—and still possessed Change Healthcare’s stolen data. RansomHub tells WIRED it is associated with notchy.

Now, RansomHub has claimed “the data remains with the affiliate,” and AlphV did not directly have the data originally. WIRED could not verify these claims. “For everyone speculating and theorizing on the situation, AlphV stole our share of the payment and performed an exit scam,” a RansomHub representative wrote to WIRED. “AlphV performed the exit scam before we get to the data deletion part.”

Callow says the incident reinforces that cybercriminals can’t be trusted to delete data, even when they are paid. For example, when a global law enforcement operation disrupted the notorious LockBit ransomware group, in February, police said they discovered that the cybercriminals still had data that investigators had paid to be deleted.

“Sometimes they use the undeleted data to extort victims for a second time, and the risk of re-extortion will only increase as law enforcement up their disruption efforts and throw the ransomware ecosystem into chaos,” Callow says. “What were always unpredictable outcomes will now be even more unpredictable.”

Similarly, DiMaggio says victims of ransomware attacks need to learn they can’t trust cybercriminals. “Victims need to understand that paying a criminal who promises to delete their data permanently is a myth,” DiMaggio says. “They are paying to have their data taken off the public side of the ransomware attackers data leak site. They should assume it is never actually deleted.”

UnitedHealth Group’s website says it is continuing to “make progress in mitigating the impact” of the attack and expanding financial assistance to health care providers that have been impacted. However, the attack has sent long-lasting ripples across medical facilities in the United States, demonstrating how disruptive ransomware attacks can be and the difficulties in restoring services. Clinicians and patients alike have been impacted, with extra strain being placed upon medical business owners.

On Wednesday, the American Medical Association said “serious disruptions continue” across physician practices. A survey of AMA members, conducted between March 26 and April 3, found 80 percent of clinicians had lost revenue and many are using their own personal finances to cover a practice’s expenses. Medical practitioners responding to the survey said they were heading toward bankruptcy, were struggling to “manage pain care” for cancer patients, and that procedures had been delayed. “Practices will close because of this incident,” Jesse M. Ehrenfeld, the president of the AMA said in a statement, “and patients will lose access to their physicians.”

In a message to WIRED, the RansomHub contact claims—for whatever the word of a ransomware gang is worth—that they are different from other cybercriminals, and if Change Healthcare pays them, they wouldn’t try to extort it again. “We will delete the data,” they write. “This data is a bomb for us. If we can't get payment, we have no choice but to sell it. Of course, if we can reach an agreement, it will be better to delete the data and throw the bomb away.”

Change Healthcare Faces Another Ransomware Threat—and It Looks Credible

By Waqas
Cybercriminals using deepfakes to target businesses! LastPass narrowly avoids security breach after employee identifies fake CEO in WhatsApp call. Read how LastPass is urging awareness against evolving social engineering tactics.
This is a post from HackRead.com Read the original post: LastPass Dodges Deepfake Scam: CEO Impersonation Attempt Thwarted

Password management giant LastPass narrowly avoided a potential security breach after a company employee was targeted by a deepfake scam. The incident, detailed in a blog post by LastPass, involved an audio deepfake impersonating CEO Karim Toubba attempting to contact the employee via WhatsApp.

Deepfake technology, which can manipulate audio and video to create realistic forgeries, is increasingly being used by cybercriminals in elaborate social engineering schemes. In this instance, the scammer used a voice-altering program to impersonate Toubba’s voice, likely aiming to create a sense of urgency or trust with the employee.

Screenshot of actual WhatsApp scam and attempted contact using deepfake audio as part of LastPass CEO impersonation (Credit: LastPass)

However, not everyone is as fortunate as LastPass. In February 2024, an employee of a multinational company’s Hong Kong branch was tricked into paying out HK$200 million (approximately US$25.6 million) after scammers utilized an AI-generated CFO with deepfake technology.

In another incident reported in August 2022, scammers utilized an AI-generated deepfake hologram of Binance’s chief communications officer, Patrick Hillmann, to deceive users into participating in online meetings and to target Binance clients’ crypto projects.

As for LastPass, the company commended the employee’s vigilance in recognizing the red flags of the situation. The unusual use of WhatsApp, a platform not commonly used for official communication within the company, coupled with the impersonation attempt, encouraged the employee to report the incident to LastPass security. The company confirmed that the attack did not impact its overall security posture.

Toby Lewis, Global Head of Threat Analysis at Darktrace commented on the issue highlighting the risks of Generative-AI, _“_The prevalence of AI today represents new and additional risks. but arguably, the more considerable risk is the use of generative AI to produce deepfake audio, imagery, and video, which can be released at scale to manipulate and influence the electorate’s thinking._“_

_“_While the use of AI for deepfake generation is now very real, the risk of image and media manipulation is not new, with “photoshop” existing as a verb since the 1990s_,”_ Toby explained. _“_The challenge now is that AI can be used to lower the skill barrier to entry and speed up production to a higher quality. Defence against AI deepfakes is largely about maintaining a cynical view of material you see, especially online, or spread via social media,_“_ he advised.

Nevertheless, this attempted scam goes on to show how sophisticated cybercriminals have become in their attacks. On the other hand, LastPass emphasized the importance of employee awareness training in mitigating such attacks. Social engineering tactics often rely on creating a sense of urgency or panic, pressuring victims into making rushed decisions.

The incident also highlights the potential dangers deepfakes pose in the corporate domain. As the technology continues to develop, creating ever-more convincing fakes, companies will need to invest in robust security protocols and employee training to stay ahead of these sophisticated scams.

While deepfake scams targeting businesses are still relatively uncommon, the LastPass incident stresses the growing threat. The company’s decision to publicize the attempt serves as a valuable cautionary tale for other organizations, urging them to heighten awareness and implement preventative measures.

1.  AI Generated Fake Obituary Websites Hit Grieving Users
2.  Deepfakes are Circumventing Facial Recognition Systems
3.  Fake Lockdown Mode Exposes iOS Users to Malware Attacks
4.  Deepfake Attack Hits Russia: Fake Putin Message Broadcasted
5.  QR Code Scam: Fake Voicemails Hit Users, 1000 Attacks in 14 Days

LastPass Dodges Deepfake Scam: CEO Impersonation Attempt Thwarted

Apple has sent alerts to people in 92 nations to say it's detected that they may have been a victim of a mercenary attack.

Apple has reportedly sent alerts to individuals in 92 nations on Wednesday, April 10, to say it’s detected that they may have been a victim of a mercenary attack. The company says it has sent out these types of threat notifications to over 150 countries since the start in 2021.

Mercenary spyware is used by governments to target people like journalists, political activists, and similar targets, and involves the use of sophisticated tools like Pegasus. Pegasus is one of the world’s most advanced and invasive spyware tools, known to utilize zero-day vulnerabilities against mobile devices.

The second number became known when Apple changed the wording of the relevant support page. The change also included the title that went from “About Apple threat notifications and protecting against **state-sponsored attacks**” to “About Apple threat notifications and protecting against **mercenary spyware**.”

If you look at the before and after, you’ll also notice an extra paragraph, again with the emphasis on the change from “state-sponsored attacks” to “mercenary spyware.”

The cause for the difference in wording might be because “state-sponsored” is often used to indicate attacks targeted at entities, like governments or companies, while these mercenary attacks tend to be directed at individual people.

The extra paragraph specifically calls out the NSO Group and the Pegasus spyware it sells. While the NSO Group claims to only sell to “government clients,” we have no reason to take its word for it.

Apple says that when it detects activity consistent with a mercenary spyware attack it uses two different means of notifying the users about the attack:

*   Displays a Threat Notification at the top of the page after the user signs into appleid.apple.com.
*   Sends an email and iMessage notification to the email addresses and phone numbers associated with the user’s Apple ID.

Apple says it doesn’t want to share information about what triggers these notifications, since that might help mercenary spyware attackers adapt their behavior to evade detection in the future.

The NSO Group itself argued in a court case started by Meta for spying on WhatsApp users, that it should be recognized as a foreign government agent and, therefore, be entitled to immunity under US law limiting lawsuits against foreign countries.

NSO Group has also said that its tool is increasingly necessary in an era when end-to-end encryption is widely available to criminals.

**How to stay safe**

Apple advises iPhone users to:

*   Enable Lockdown mode.
*   Keep devices up to date.
*   Protect devices with a passcode.
*   Use Multi-Factor-Authentication (MFA) for your Apple ID.
*   Only install apps from the App Store.
*   Use strong and unique passwords online.
*   Don’t click on links or attachments from unknown senders.

We’d like to add:

*   Use an anti-malware solution on your device.
*   If you’re not sure about something that’s been sent to you, verify it with the person or company via another communcation channel.
*   Use a password manager.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Apple warns people of mercenary attacks via threat notification system 

Phony call center company conducted online fraud and other Internet scams.

Source: JJ Gouin via Alamy Stock Photo

Law enforcement in Zambia this week raided a Chinese company that hired unsuspecting young Zambian citizens purportedly for positions at a call center that instead was a front for cybercrime and money laundering.

The so-called Golden Top Support services company directed the employees "with engaging in deceptive conversations with unsuspecting mobile users across various platforms such as WhatsApp, Telegram, chatrooms and others, using scripted dialogues," Nason Banda, director general of Zambia's Drug Enforcement Commission (DEC) told the BBC, which reported on the case. The DEC, law enforcement, immigration, and anti-terrorism units assisted in the investigation and arrests at the shell company.

A recent rise in bank fraud in Zambia raised alarms and led authorities there to investigate and ultimately raid the company. Banda said the "illicit operations extended beyond Zambia's borders," including victims in Singapore, Peru, the United Arab Emirates (UAE), and other parts of Africa.

Authorities found some 13,000 SIM cards, 11 SIM boxes for disguising the caller's location, and firearms, and 22 Chinese citizens were arrested. Banda said Zambian workers were charged and release in order to cooperate in the investigation.

**About the Author(s)**

Zambia Busts 77 People in China-Backed Cybercrime Operation

Microsoft has fixed 149 vulnerabilities, two of which are reportedly being exploited in the wild.

The April 2024 Patch Tuesday update includes patches for 149 Microsoft vulnerabilities and republishes 6 non-Microsoft CVEs. Three of those 149 vulnerabilities are listed as critical, and one is listed as actively exploited by Microsoft. Another vulnerability is claimed to be a zero-day by researchers that have found it to be used in the wild.

Let’s first have a look at the two zero-days. The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs for these two vulnerabilities are:

CVE-2024-26234 (CVSS score 6.7 out of 10): a proxy driver spoofing vulnerability that Microsoft listed as “Exploitation detected” hours after it initially listed it as non-exploited.

In fact, the patch is a revocation of a Microsoft Windows Hardware Compatibility Publisher signature that was used to sign a file which contained a backdoor using an embedded proxy server to monitor and intercept network traffic on an infected Windows machine. Apparently, the software, designed to remote-control phones, was used to make them act like online bots, collectively liking posts, following people on social media, and posting comments.

CVE-2024-29988 (CVSS score 8.8 out of 10): a SmartScreen prompt security feature bypass vulnerability. Microsoft still has this listed as “Exploitation More Likely” and acknowledges the fact that functional exploit code is available. Which means that the exploit code works in most situations where the vulnerability exists.

One reason for the contradiction could be that the exploitation requires some form of user interaction. It requires an attacker to get the victim to click on a link or open a file. If the victim falls for that, the bug allows the attacker to bypass the SmartScreen security feature in Windows that’s supposed to alert users to any untrusted websites or other threats.

Researchers said that attackers are using the weakness to send targets exploits in a zipped file which bypasses the Mark of the Web (MotW) warnings, a warning message users should see when trying to open a file downloaded from the internet.

The exploit for the vulnerability was called “trivial” and “embarrassingly easy” by the researchers that wrote about it.

A few applications that deserve some of your attention if you’re using them are SQL Server (38 vulnerabilities), and Windows Remote Access Connection Manager (9).

**Other vendors**

Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.

The **Android** Security Bulletin for April 2024 contains details of security vulnerabilities for patch level 2024-04-05 or later.

Google also updated **Chrome** to patch a zero-day vulnerability.

**SAP** has released its April 2024 Patch Day updates.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

Tag

#sap