OroPlatform is prone to open redirection which could allow attackers to redirect users to external website.

**OroPlatform Forced Redirect to External Website**

Moderate severity GitHub Reviewed Published May 20, 2024 to the GitHub Advisory Database • Updated May 20, 2024

GHSA-3vhm-q4w3-rw8q: OroPlatform Forced Redirect to External Website

OroCRM is prone to open redirection which could allow attackers to redirect users to external website.

**OroCRM Forced Redirect to External Website**

Moderate severity GitHub Reviewed Published May 20, 2024 to the GitHub Advisory Database • Updated May 20, 2024

GHSA-v8hp-239v-9367: OroCRM Forced Redirect to External Website

Having real-time protection is like having guards stationed all around your castle, ready to defend. Here's how it works.

The constant barrage of cyber threats can be overwhelming for all of us. And, as those threats evolve and attackers find new ways to compromise us, we need a way to keep on top of everything nasty that’s thrown our way. 

Malwarebytes’ free version tackles and reactively resolves threats already on your system, but the real-time protection you get with Malwarebytes Premium Security goes one step further and actively monitors your computer’s files, processes, and system memory in real time to block threats before they have a chance to do any damage. You don’t need to worry about what happens after your initial scan, because real-time protection is actively waiting to combat new threats and keep you safe. 

Imagine your computer is like a castle, and you want to protect your people from potential invaders. Having real-time protection is like having guards stationed all around your castle, constantly watching for signs of trouble and stopping them in their path before they can cause harm. 

Here’s how guarding that castle looks like in cybersecurity terms: 

**1\. Proactive and continuous monitoring**

We monitor your files, processes, and system memory, your incoming and outgoing data, and the behavior of applications on your system. All in real time. 

**2\. Dynamic detection**

Unlike traditional approaches that rely heavily on detecting malware that is already known to exist, Malwarebytes employs dynamic detection techniques, such as heuristic analysis, behavior monitoring, and machine learning to detect and block threats based on their behavior and characteristics, even if the threats have never been seen before.  

**3\. Multi-layered defense**

Malwarebytes real-time protection offers a multi-layered approach to security, combining various technologies to provide comprehensive protection against a variety of threats. This includes protection against viruses, ransomware, potentially unwanted programs (PUPs), spyware, trojans, exploits, and other forms of malware.  

**4\. Rapid response** 

When Malwarebytes detects suspicious activity or potential threats, it responds quickly. Malwarebytes quarantines or removes malicious files, protects you from harmful websites, and blocks unauthorized access to your system.  

**5\. Minimal impact** 

Malwarebytes runs quietly in the background and protects you without hogging your device’s resources.  

**6\. Regular updates to malware detection database** 

To ensure our program is equipped to detect and block the latest threats, we continuously update our database and algorithms.  

In short, real-time protection serves as a proactive defense layer against constantly evolving cyber threats. Having this layer improves your cybersecurity and gives you peace of mind in this increasingly digital world.  

Don’t just take our word for it: Malwarebytes Premium Security was awarded “Product of the Year” in a recent AVLab test. 

Keep yourself protected and upgrade to Malwarebytes Premium Security.

 What is real-time protection and why do you need it?  

Several widely-used JSON Web Token (JWT) libraries, including node-jsonwebtoken, pyjwt, namshi/jose, php-jwt, and jsjwt, are affected by critical vulnerabilities that could allow attackers to bypass the verification step when using asymmetric keys (RS256, RS384, RS512, ES256, ES384, ES512).

Skip to content

**Navigation Menu**

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  GHSA-4rr6-gf59-ggw5

**namshi/jose - Verification bypass**

Critical severity GitHub Reviewed Published May 17, 2024 to the GitHub Advisory Database • Updated May 17, 2024

**Package**

**Affected versions**

< 2.2.0

**Description**

Several widely-used JSON Web Token (JWT) libraries, including node-jsonwebtoken, pyjwt, namshi/jose, php-jwt, and jsjwt, are affected by critical vulnerabilities that could allow attackers to bypass the verification step when using asymmetric keys (RS256, RS384, RS512, ES256, ES384, ES512).

**References**

*   https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries
*   https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries
*   https://github.com/FriendsOfPHP/security-advisories/blob/master/namshi/jose/2015-03-10.yaml

Published to the GitHub Advisory Database

May 17, 2024

Last updated

May 17, 2024

GHSA-4rr6-gf59-ggw5: namshi/jose - Verification bypass

namshi/jose allows the acceptance of unsecure JSON Web Signatures (JWS) by default. The vulnerability arises from the $allowUnsecure flag, which, when set to true during the loading of JWSes, permits tokens signed with 'none' algorithms to be processed. This behavior poses a significant security risk as it could allow an attacker to impersonate users by crafting a valid jwt token.

Skip to content

**Navigation Menu**

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  GHSA-hxhc-wmg8-xrqf

**namshi/jose insecure JSON Web Signatures (JWS)**

High severity GitHub Reviewed Published May 17, 2024 to the GitHub Advisory Database

**Package**

**Affected versions**

< 1.1.2

\>= 1.2.0, < 1.2.2

\>= 2.0.0, < 2.0.3

\>= 2.1.0, < 2.1.2

**Patched versions**

1.1.2

1.2.2

2.0.3

2.1.2

**Description**

Published to the GitHub Advisory Database

May 17, 2024

GHSA-hxhc-wmg8-xrqf: namshi/jose insecure JSON Web Signatures (JWS)

By Deeba Ahmed
North Korea targeted US companies with stolen identities in a cybercrime scheme. The Justice Department cracks down, seizes websites, and disrupts revenue streams.
This is a post from HackRead.com Read the original post: Feds Bust N. Korean Identity Theft Ring Targeting US Firms

The U.S. Department of Justice (DoJ) has cracked down on a large-scale identity theft scheme allegedly orchestrated by North Korea (aka Democratic People’s Republic of Korea or DRPK)

On Thursday, the DoJ unsealed charges, seizures, and other court-authorized actions brought forth by two criminal prosecutions from the US Attorney’s Office for the District of Columbia and the Computer Crime and the DOJ’s Intellectual Property Section.

The charges reveal how North Korea-based cybercriminals deployed thousands of IT workers overseas, primarily in China and Russia, using stolen American identities to gain remote employment with Fortune 500 firms.

The targeted organisations included a major television network, a Silicon Valley technology company, an aerospace manufacturer, a car manufacturer, a luxury retail store, and a media company.

These workers allegedly gained access to sensitive corporate data and secured lucrative paychecks by assuming fake identities while earning significant salaries that were then funnelled back to North Korea. 

It is worth noting that as per US authorities, this is the largest case ever charged by the DoJ involving IT workers, allegedly part of an extensive scheme generating significant profits for North Korea, including its weapons program. 

Among those arrested is US citizen Christina Marie Chapman, 49, for defrauding US companies through running a “laptop farm.” Chapman and her accomplices allegedly compromised over 60 US identities, impacted over 300 US companies, created false tax liabilities for 35 US persons, and generated at least $6.8 million in revenue for the workers.

The Department of Homeland Security also seized funds related to Chapman’s scheme and wages and monies accrued by over 19 overseas IT workers. 

Additionally, three foreign nationals were charged with money laundering. A Ukrainian national Oleksandr Didenko, 27, was arrested in Poland and his website domain was seized for creating fake job search accounts and selling them to overseas workers who applied for jobs at US companies. Vietnamese national Minh Phuong Vong was arrested in Maryland for fraudulently obtaining jobs at a US company.

_“_The fraud scheme exploits factors such as a high-tech labour shortage in the US and the proliferation of remote telework,_“_ states Marshall Miller, the DoJ’s principal associate deputy attorney general.

> — Criminal Division (@DOJCrimDiv) May 17, 2024

Assistant Director Kevin Vorndran of the FBI’s Counterintelligence Division stated that on the surface it appears a “typical white collar or economic crime scheme,” but in reality, it is an attempt to “evade US sanctions, victimize US businesses, and steal US identities,” but the FBI will use all available resources to bring those who help North Korea evade sanctions to justice.

1.  US charges 3 North Korean hackers for extorting $1.3+ billion
2.  179 Dark Web vendors arrested, 500kg worth of drugs seized
3.  MIT Graduate Brothers Arrested for $25 Million Ethereum Heist
4.  Ex-army admin jailed for 12 years over US military health data theft
5.  Man convicted for identity theft & fraud against US Military, veterans

Feds Bust N. Korean Identity Theft Ring Targeting US Firms

By Waqas
Breach Forums, a notorious cybercrime hub, could be back online with the same domain even after the FBI seizure. Hackers claim to have regained access to the clear web domain, while the dark web version remains in a tug-of-war.
This is a post from HackRead.com Read the original post: Breach Forums Admin ShinyHunters Claims Domain Reclaimed from FBI

ShinyHunters, the hacker group and **primary administrator of Breach Forums** informed Hackread.com that they regained access to the forum’s clear net and dark web domains on May 16, 2024. This also included the Escrow domain and a parked domain, Breached.in.

In an exclusive conversation with Hackread.com, ShinyHunters revealed that one of the Breach Forums’ administrators, operating under the alias **Baphomet**, had been apprehended by law enforcement. Consequently, authorities gained access to login credentials for the entire infrastructure of Breach Forums, including the backend.

However, on Friday, ShinyHunters contacted the domain registrar of Breach Forums and successfully regained access. Hence, at the time of writing, the seizure notice from the clear net domain of Breach Forums was removed, and it was replaced with a “_Site Temporarily Unavailable_” message. Additionally, a link to a Telegram group chat operated by ShinyHunters and other moderators of the forum was provided.

What Breach Forums look like at the time of writing (Screenshot: Hackread.com)

****A Quick Background:****

ShinyHunters’ claims emerged just a day following **Hackread.com’s report** on the FBI’s seizure of Breach Forums, a platform notorious for cybercrime, hacking, data breaches, and leaks.

While widely circulated, there has been no official confirmation of the operation from law enforcement agencies. On May 15, 2024, all domains associated with Breach Forums were defaced with a seizure notice by the FBI.

The notice on these sites revealed the involvement of the Federal Bureau of Investigation (FBI), the Department of Justice (DoJ), and international partners from New Zealand, Australia, the United Kingdom, Switzerland, Ukraine, and Iceland.

This is what the forum’s dark web domain looks like at the time of writing – ShinyHunters alleges that authorities have private keys for the dark web domains which will allow them to access it so expect a tug-of-war between both parties (Screenshot: Hackread.com)

****Breach Forums Goes Down, New Forums Gearing Up to Surface****

The cycle of cybercrime continues unabated. Authorities dismantle one forum, only for another to emerge within days. This trend is evident in the case of Breach Forums. A member of Breach Forums and a notorious threat actor known as USDoD has announced plans to resurrect the forum with the same theme and format but under a different name.

According to USDoD, the new forum will be called Breach Nation instead of Breach Forums. This mirrors the pattern seen with the **takedown of Raid Forums** and the subsequent emergence of Breach Forums. However, it’s worth noting that this trajectory did not end well for the administrator PomPomPurin, who was **arrested in New York** and **received** a 20-year supervised sentence.

Commenting on this, **Omri Weinberg**, Co-founder and CRO at **DoControl**, a New York City-based provider of automated SaaS security said _“_Despite the FBI’s successful seizure of BreachForums, its swift reappearance is no surprise, as it has resurfaced before reflecting the ongoing challenge faced by law enforcement in the digital age._“_

_“_While law enforcement can temporarily disrupt these illicit activities, the underlying infrastructure and financial motivation of cybercriminals remain robust, while the re-emergence of BreachForums means that previously compromised data may once again be at risk of exposure,_“_ Omri warned.

He also advised that _“_Organizations must remain proactive in monitoring and securing their digital assets, ensuring they have processes in place to assess the materiality of exposed data and respond appropriately._“_

Nevertheless, Hackread.com continues to monitor the situation closely. This article will be updated accordingly, and readers can expect new reports as soon as federal authorities in the United States release official confirmation and provide clarity on the situation.

1.  US charges 3 North Korean hackers for extorting $1.3+ billion
2.  179 Dark Web vendors arrested, 500kg worth of drugs seized
3.  MIT Graduate Brothers Arrested for $25 Million Ethereum Heist
4.  Ex-army admin jailed for 12 years over US military health data theft
5.  Man convicted for identity theft & fraud against US Military, veterans

Breach Forums Admin ShinyHunters Claims Domain Reclaimed from FBI

By Uzair Amir
Discover time-saving document merging strategies for professionals. Learn how to streamline workflows, enhance collaboration, and protect document integrity for increased productivity and peace of mind.
This is a post from HackRead.com Read the original post: Efficient Document Merging Strategies for Professionals

Professionals often struggle with managing huge amounts of data spread across various files. A study from COVEO found that employees spend 3.6 hours a day — nearly half their workday — just looking for documents. This means 45% of the workday is spent just on finding documents, a time that could be used more effectively.

One of the solutions to this challenge is to merge PDF files. By combining files that go together, you simplify workflows and save time in your daily processes.

In this article, we’ll offer practical strategies and tips for efficient document merging, helping professionals focus on producing quality work for their clients. 

****Manual Merging Techniques****

Manual merging allows you to pick and choose the pages you want to join together to determine how your final PDF document will appear.

****Using built-in software features for document merging****

For Mac users, utilizing the built-in preview tool makes document merging a breeze. Windows users will need a third-party application or an online tool for this task.

To merge PDFs on Mac using Preview:

*   Open the PDFs you want to combine in the Preview app on your Mac.
*   In each open PDF, go to View > Thumbnails to see page thumbnails in the sidebar.
*   Simply drag and drop the thumbnails you wish to include into the thumbnail sidebar of another PDF.
*   Rearrange pages by dragging thumbnails as needed. You can choose which pages should be excluded from the final document.
*   To save your final file, navigate to File > Export as PDF.

****Step-by-step guide for manual merging in various applications****

Wondering how merging works with other systems? The process is surprisingly straightforward and doesn’t demand any technical know-how. Moreover, it tends to follow a similar pattern across various applications.

This is a typical step-by-step guide.

*   Select and install your preferred tool or access an online platform. Be sure to go for the best PDF editor online when choosing.
*   Choose the PDF files you want to combine from either your device or cloud services such as Google Drive or Dropbox.
*   Customize the settings like page sequence, compression levels, security features, etc. You can also remove unwanted pages from the list or rearrange them as necessary.
*   Initiate the merge operation by clicking on “Merge.” The duration may vary from seconds to minutes, depending on file sizes.
*   Once done, save your final PDF in a location of your choice for future reference.

****Best practices for ensuring accuracy and consistency in manual merging****

When manually merging PDF documents, it’s important to follow best practices to ensure accuracy and consistency in the merged document. 

Here are some tips:

*   Review each document thoroughly before combining them to ensure content accuracy and proper order. While there are tools that allow you to do text editing online, it’s always best to be sure from the beginning.
*   Maintain consistent formatting and layout throughout the merged document.
*   Double-check for any errors or inconsistencies after process completion.
*   Always keep a backup of the original PDFs to prevent data loss.

****Automated Merging Solutions****

Technology has transformed document management with the creation of automated merging solutions. These tools make it easy to edit PDF file types and combine multiple documents or data sources into one, saving significant time and effort. Traditionally manual tasks, like compiling reports from various departments or joining different types of correspondence, are now more efficient.

Automated merging tools use algorithms and artificial intelligence (AI) to find, match, and combine content. This ensures the final document is coherent and consistently formatted. They’re compatible with many file types, including Word documents, PDFs, and spreadsheets (for when you want to make a fillable PDF), making them a versatile addition to any professional’s toolkit.

****Comparison of popular software solutions for automated merging****

Let’s compare some of the popular tools that professionals can use to merge PDF files.

**Tool**

**Adobe Acrobat**

**PDFsam (PDF Split and Merge)**

**Smallpdf**

**Lumin**

Features

Comprehensive PDF solution with advanced tools to edit PDF text, convert, review, merge, etc.

Open-source with basic and advanced merging capabilities

Web-based solution with various PDF tools

Web-based PDF solution with editing capabilities and Google Drive integration

Ease of Use

Feature-rich but with a steeper learning curve

Relatively straightforward for basic tasks. Advanced features may require familiarity

Simple drag-and-drop interface for quick merging

User-friendly interface, integrates with Google

Platforms

Windows, macOS

Windows, macOS, Linux

Windows, Mac, iOS, or Android device

Web-based, integrates with Google Drive

Pricing

Subscription-based plans

Free (PDFsam Basic), paid (PDFsam Enhanced)

Free and paid subscription plans with additional features

Free and paid subscription plans with additional features

****Benefits and limitations of automation in document merging******Benefits:**

*   **Efficiency:** Automation boosts efficiency, saving time for strategic tasks.
*   **Accuracy:** Automated tools enhance accuracy, reducing errors in merged documents.
*   **Scalability:** These solutions are scalable and can handle large document volumes.
*   **Flexibility:** Supports a wide range of document formats and merging scenarios, accommodating diverse professional needs.

****Limitations****

*   **Setup complexity:** Advanced tools may have a steep learning curve.
*   **Cost:** Premium tools’ fees may be high for small businesses.
*   **Privacy and security:** Online tools risk data confidentiality.
*   **Software dependence:** Reliance may cause compatibility or obsolescence issues.

****Advanced Merging Strategies********Customizing merging processes for specific needs****

Customization is key in document management because documents vary widely in format, purpose, and complexity. Tailoring tools to specific needs ensures accuracy. For example, you can program software to handle different sections of documents, like headers or footers. You can also merge documents based on criteria like date, author, or relevance.

This approach helps preserve important details such as the document’s author, creation date, and history. Using advanced tools for scripting and automation simplifies the process. It saves time and reduces the chance of errors.

****Implementing batch merging and bulk processing techniques****

Batch merging and bulk processing help manage large document volumes effectively. This method merges many documents at once, using specific criteria to speed up work on big projects or regular tasks. Understanding the software well is necessary, and sometimes specialized software is needed for handling lots of documents.

Organizations like law firms, banks, and research groups find these techniques very useful. They automate joining large document batches, cutting down manual work significantly. This saves time and improves workflow, letting teams focus on other important tasks.

****Integrating merging tools into existing workflows for maximum efficiency****

Integrating merging tools directly into existing workflows transforms document management, automating the process for increased efficiency. By syncing with project management, CRM, and ERP systems, documents automatically update with key events, like project completions or new clients. 

This integration also enables users to edit PDF form types seamlessly, boosting collaboration. While setup demands planning and development, the result is a significant boost in productivity and streamlined operations.

****Collaboration and Sharing Considerations****

**Compatibility and consistency**: For effective collaboration, it’s essential to ensure document compatibility and maintain consistency by standardizing formats and tools. This prevents formatting issues and data loss, making cross-platform tools key for merging documents smoothly across diverse sources.

**Sharing and distribution of merged documents:** Securing merged documents, especially those with sensitive information, requires encrypted transfers and strict access controls to ensure only authorized access. Use platforms with robust security protocols and customizable permissions for safe distribution.

**Version control and tracking changes:** Effective version control and change tracking ensure document integrity and transparency among collaborators. Using systems that log version history and changes help everyone stay aligned and informed, especially when there is a need to edit scanned PDF documents, enhancing collaboration and keeping the document current.

**Conclusion**

As we close, remember document merging does more than organize files. It saves time for crucial work, boosts team collaboration, and protects your documents’ integrity. The strategies shared equip you to confidently manage large volumes of documents, turning chaos into order. 

Another important key is to choose a reliable tool that can help with your document management processes. The good news is that there are lots of them to choose from – PC, Mac, Mobile, and Cloud-based. Even if you want to create a fillable PDF free from your files, rest assured that there is a suitable tool for your needs.

By adopting these practices, you can increase productivity and achieve peace of mind, knowing that your document management tasks are efficiently handled.

1.  Best Paid and Free OSINT Tools for 2024
2.  Top 3 Cybersecurity Tools to Protect Business Data
3.  PDF Security – How To Keep Data Secure in a PDF File
4.  The new Wondershare PDFelement with added features
5.  The Essential Tools and Plugins for WordPress Development

Efficient Document Merging Strategies for Professionals

By Waqas
New HP report reveals cybercriminals are increasingly leveraging "cat-phishing" techniques, exploiting open redirects in legitimate websites to deceive users and deliver malware.
This is a post from HackRead.com Read the original post: HP Exposes Low-Effort, High-Impact Cat-Phishing Targeting Users

A new report from HP has revealed a troubling trend where cybercriminals are increasingly using “cat-phishing” tactics to deceive unsuspecting victims. The report, published on May 16, 2024, as part of the quarterly HP Wolf Security Threat Insights series, exposes how attackers are exploiting **open redirect vulnerabilities** and other Living-off-the-Land techniques to bypass traditional security measures.

****What is Cat-Phishing?****

The term “cat-phishing” refers to a method where cybercriminals manipulate seemingly legitimate links to **redirect users to malicious websites** without their knowledge. This deceptive practice makes it nearly impossible for the average user to distinguish between a safe and a compromised site, thus facilitating the success of phishing attacks.

****Notable Campaigns Identified by HP Threat Researchers****

1.  **WikiLoader Campaign:** In a sophisticated operation, attackers leveraged open redirect vulnerabilities within reputable websites, often through compromised ad embeddings, to redirect users to malicious domains. This technique exploits the trust users have in well-known sites, making it difficult for security systems to flag malicious activity.
2.  **Living-off-the-BITS:** Several campaigns abused the Windows Background Intelligent Transfer Service (BITS) – a legitimate mechanism used by programmers and system administrators to download or upload files to web servers and file shares. This LotL technique helped attackers remain undetected by using BITS to download the malicious files.
3.  **Abuse of Windows BITS:** Several campaigns were found to misuse the Windows Background Intelligent Transfer Service to download malicious files covertly. By utilizing a legitimate system component, attackers can maintain a low profile, evading standard detection mechanisms.
4.  **Fake Invoices Leading to HTML Smuggling Attacks:** HP identified a tactic where threat actors concealed malware within HTML files disguised as delivery invoices. Once opened in a web browser, these files initiate a series of events that deploy open-source malware like **AsyncRAT**. The lack of effort in designing the lure suggests a low-cost, high-volume approach.
5.  **Ursnif Returns:** **Ursnif**, also known as Gozi or IFSB malware targets Windows devices and first appeared in 2006. In the first quarter of 2024, HP researchers identified the return of Ursnif as part of different malicious spam campaigns against users in Italy.

A fake invoice dropping Ursnif malware (Screenshot: HP)

****Other Findings****

Other findings in the report highlight that at least 12% of email threats managed to evade detection. The primary threat vectors identified during the first quarter included email attachments, accounting for 53%, followed by downloads from browsers at 25%, and other infection vectors at 22%.

Notably, there has been a notable growth in document threats, with **exploits surpassing macros** as the preferred method of executing malicious code, constituting at least 65% of document-based threats.

****Expert Insights****

In a **press release,** Dr. Ian Pratt, Global Head of Security for Personal Systems at HP Inc., emphasized the limitations of relying solely on detection in the face of Living-off-the-Land techniques. He advocated for a defence-in-depth approach, including threat containment, to mitigate risks effectively.

_“_Targeting companies with invoice lures is one of the oldest tricks in the book, but it can still be very effective and hence lucrative. Employees working in finance departments are used to receiving invoices via email, so they are more likely to open them. If successful, attackers can quickly monetize their access by selling it to cybercriminal brokers, or by deploying ransomware.”

**Patrick Harr**, CEO at SlashNext, pointed out the prevalence of open redirects and other deceptive techniques in email and messaging platforms. He underscored the need for AI-based security solutions that utilize computer vision and URL sandboxing/behavioural analysis to counter these advanced threats.

****Conclusion****

The HP Wolf Security Threat Insights Report is just another piece of evidence showing how cybercriminals have mastered the art of deceiving unsuspecting businesses and individuals. Organizations must move beyond detection-centric security and adopt a defence-in-depth strategy, incorporating threat mitigation and **advanced technologies like AI** to effectively combat sophisticated attacks, including the growing threat of “cat-phishing.”

1.  Check Point Research: Microsoft the Most Phished Brand
2.  Google, Microsoft and Oracle generated most vulnerabilities
3.  Microsoft Office Most Exploited Software in Malware Attacks
4.  Malicious Office documents make up 43% of all malware downloads
5.  HP Claims Monopoly on Ink, Alleges 3rd-Party Cartridge Malware Risk

HP Exposes Low-Effort, High-Impact Cat-Phishing Targeting Users

Here’s a rundown of some things you may have missed if you weren’t able to stay on top of the things coming out of the conference.

Thursday, May 16, 2024 14:00

While I one day wish to make it to the RSA Conference in person, I’ve never had the pleasure of making the trek to San Francisco for one of the largest security conferences in the U.S. 

Instead, I had to watch from afar and catch up on the internet every day like the common folk. This at least gives me the advantage of not having my day totally slip away from me on the conference floor, so at least I felt like I didn’t miss much in the way of talks, announcements and buzz. So, I wanted to use this space to recap what I felt like the top stories and trends were coming out of RSA last week.  

Here’s a rundown of some things you may have missed if you weren’t able to stay on top of the things coming out of the conference. 

**AI is the talk of the town** 

This is unsurprising given how every other tech-focused conference and talk has gone since the start of the year, but everyone had something to say about AI at RSA.  

AI and its associated tools were part of all sorts of product announcements (either to be used as a marketing buzzword or something that is truly adding to the security landscape).  

Cisco’s own Jeetu Patel gave a keynote on how Cisco Secure is using AI in its newly announced Hypershield product. In the talk, he argued that AI needs to be used natively on networking infrastructure and not as a “bolt-on” to compete with attackers.  

U.S. Secretary of State Anthony Blinken was the headliner of the week, delivering a talk outlining the U.S.’ global cybersecurity policies. He spent a decent chunk of his half hour in the spotlight also talking about AI, in which he warned that the U.S. needed to maintain its edge when it comes to AI and quantum computing — and that losing that race to a geopolitical rival (like China) would have devastating consequences to our national security and economy.  

Individual talks ran the gamut from “AI is the best thing ever for security!” to “Oh boy AI is going to ruin everything.” The reality of how this trend shakes out, like most things, is likely going to be somewhere in between those two schools of thought.  

An IBM study released at RSA highlighted how headstrong many executives can be when embracing AI. They found that security is generally an afterthought when creating generative AI models and tools, with only 24 percent of responding C-suite executives saying they have a security component built into their most recent GenAI project.  

**Vendors vow to build security into product designs** 

Sixty-eight new tech companies signed onto a pledge from the U.S. Cybersecurity and Infrastructure Security Agency, vowing to build security into their products from earliest stages of the design process.  

The list of signees now includes Cisco, Microsoft, Google, Amazon Web Services and IBM, among other large tech companies. The pledge states that the signees will work over the next 12 months to build new security safeguards for their products, including increasing the use of multi-factor authentication (MFA) and reducing the presence of default passwords.  

However, there’s looming speculation about how enforceable the Secure By Design pledge is and what the potential downside here is for any company that doesn’t live up to these promises.  

**New technologies countering deepfakes** 

Deepfake images and videos are rapidly spreading online and pose a grave threat to the already fading faith many of us had in the internet. 

It can be difficult to detect when users are looking at a digitally manipulated image or video unless they’re educated on common red flags to look for, or if they’re particularly knowledgeable on the subject in question. They’re getting so good now that even targets’ parents are falling for fake videos of their loved ones.  

Some potential solutions discussed at RSA include digital “watermarks” in things like virtual meetings and video recordings with immutable metadata.  

A deep fake-detecting startup was also named RSA’s “Most Innovative Startup 2024” for its multi-modal software that can detect and alert users of AI-generated and manipulated content. McAfee also has its own Deepfake Detector that it says, “utilizes advanced AI detection models to identify AI-generated audio within videos, helping people understand their digital world and assess the authenticity of content.” 

Whether these technologies can keep up with the pace that attackers are developing this technology and deploying it on such a wide scale, remains to be seen.  

**The one big thing **

Microsoft disclosed a zero-day vulnerability that could lead to an adversary gaining SYSTEM-level privileges as part of its monthly security update. After a hefty Microsoft Patch Tuesday in April, this month’s security update from the company only included one critical vulnerability across its massive suite of products and services. In all, May’s slate of vulnerabilities disclosed by Microsoft included 59 total CVEs, most of which are of “important” severity. There is only one moderate-severity vulnerability. 

**Why do I care? **

The lone critical security issue is CVE-2024-30044, a remote code execution vulnerability in SharePoint Server. An authenticated attacker who obtains Site Owner permissions or higher could exploit this vulnerability by uploading a specially crafted file to the targeted SharePoint Server. Then, they must craft specialized API requests to trigger the deserialization of that file’s parameters, potentially leading to remote code execution in the context of the SharePoint Server. The aforementioned zero-day vulnerability, CVE-2024-30051, could allow an attacker to gain SYSTEM-level privileges, which could have devastating impacts if they were to carry out other attacks or exploit additional vulnerabilities. 

**So now what? **

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page. In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. The rules included in this release that protect against the exploitation of many of these vulnerabilities are 63419, 63420, 63422 - 63432, 63444 and 63445. There are also Snort 3 rules 300906 - 300912. 

**Top security headlines of the week **

**A massive network intrusion is disrupting dozens of hospitals across the U.S., even forcing some of them to reroute ambulances late last week.** Ascension Healthcare Network said it first detected the activity on May 8 and then had to revert to manual systems. The disruption caused some appointments to have to be canceled or rescheduled and kept patients from visiting MyChart, an online portal for medical records. Doctors also had to start taking pen-and-paper records for patients. Ascension operates more than 140 hospitals in 19 states across the U.S. and works with more than 8,500 medical providers. The company has yet to say if the disruption was the result of a ransomware attack or some sort of other targeted cyber attack, though there was no timeline for restoring services as of earlier this week. Earlier this year, a ransomware attack on Change Healthcare disrupted health care systems nationwide, pausing many payments providers were expected to receive. UnitedHealth Group Inc., the parent company of Change, told a Congressional panel recently that it paid a requested ransom of $22 million in Bitcoin to the attackers. (CPO Magazine, The Associated Press) 

**Google and Apple are rolling out new alerts to their mobile operating systems that warn users of potentially unwanted devices tracking their locations.** The new features specifically target Bluetooth Low Energy (LE)-enabled accessories that are small enough to often be unknowingly tracking their specific location, such as an Apple AirTag. Android and iOS users will now receive the alert when such a device, when it's been separated from the owner’s smartphone, is moving with them still. This alert is meant to prevent adversaries or anyone with malicious intentions from unknowingly tracking targets’ locations. The two companies proposed these new rules for tracking devices a year ago, and other manufacturers of these devices have agreed to add this alert feature to their products going forward. “This cross-platform collaboration — also an industry first, involving community and industry input — offers instructions and best practices for manufacturers, should they choose to build unwanted tracking alert capabilities into their products,” Apple said in its announcement of the rollout. (Security Week, Apple) 

**The popular Christie’s online art marketplace was still down as of Wednesday afternoon after a suspected cyber attack.** The site, known for having many high-profile and wealthy clients, was planning on selling artwork worth at least $578 million this week. Christie’s said it first detected the technology security incident on Thursday but has yet to comment on if it was any sort of targeted cyber attack or data breach. There was also no information on whether client or user data was potentially at risk. Current items for sale included a Vincent van Gogh painting and a collection of rare watches, some owned by Formula 1 star Michael Schumacher. Potential buyers could instead place bids in person or over the phone. (Wall Street Journal, BBC) 

**Can’t get enough Talos? **

*   Talos joins CISA to counter cyber threats against non-profits, activists and other at-risk communities 
*   Click Here Ep. #130: A wrinkle in time: GPS jamming in Ukraine and its ripple effects 
*   Talos Takes Ep. #184: Why CoralRaider is looking to steal your login credentials 
*   Generative AI’s disinformation threat is ‘overblown,’ top cyber expert says 

**Upcoming events where you can find Talos **

**ISC2 SECURE Europe** **(May 29)** 

_Amsterdam, Netherlands_ 

> _Gergana Karadzhova-Dangela from Cisco Talos Incident Response will participate in a panel on “Using ECSF to Reduce the Cybersecurity Workforce and Skills Gap in the EU.” Karadzhova-Dangela participated in the creation of the EU cybersecurity framework, and will discuss how Cisco has used it for several of its internal initiatives as a way to recruit and hire new talent._  

**Cisco Live** **(June 2 - 6)** 

_Las Vegas, Nevada_  

**_AREA41_** **_(June 6 – 7)_** 

_Zurich, Switzerland_ 

> _Gergana Karadzhova-Dangela from Cisco Talos Incident Response will highlight the primordial importance of actionable incident response documentation for the overall response readiness of an organization. During this talk, she will share commonly observed mistakes when writing IR documentation and ways to avoid them. She will draw on her experiences as a responder who works with customers during proactive activities and actual cybersecurity breaches._ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202   
**MD5:** e4acf0e303e9f1371f029e013f902262   
**Typical Filename:** FileZilla\_3.67.0\_win64\_sponsored2-setup.exe   
**Claimed Product:** FileZilla   
**Detection Name:** W32.Application.27hg.1201 

**SHA 256:** a024a18e27707738adcd7b5a740c5a93534b4b8c9d3b947f6d85740af19d17d0   
**MD5:** b4440eea7367c3fb04a89225df4022a6   
**Typical Filename:** Pdfixers.exe   
**Claimed Product:** Pdfixers   
**Detection Name:** W32.Superfluss:PUPgenPUP.27gq.1201 

**SHA 256:** 1fa0222e5ae2b891fa9c2dad1f63a9b26901d825dc6d6b9dcc6258a985f4f9ab   
**MD5:** 4c648967aeac81b18b53a3cb357120f4   
**Typical Filename:** yypnexwqivdpvdeakbmmd.exe   
**Claimed Product:** N/A    
**Detection Name:** Win.Dropper.Scar::1201 

**SHA 256:** d529b406724e4db3defbaf15fcd216e66b9c999831e0b1f0c82899f7f8ef6ee1   
**MD5:** fb9e0617489f517dc47452e204572b4e   
**Typical Filename:** KMSAuto++.exe   
**Claimed Product:** KMSAuto++   
**Detection Name:** W32.File.MalParent 

**SHA 256:** abaa1b89dca9655410f61d64de25990972db95d28738fc93bb7a8a69b347a6a6   
**MD5:** 22ae85259273bc4ea419584293eda886   
**Typical Filename:** KMSAuto++ x64.exe   
**Claimed Product:** KMSAuto++   
**Detection Name:** W32.File.MalParent

Tag

#web