ESET NOD32 Antivirus version 17.1.11.0 suffers from an unquoted service path vulnerability.

    # Exploit Title: ESET NOD32 Antivirus 17.1.11.0 - Unquoted Service Path# Exploit Author: Milad Karimi (Ex3ptionaL)# Exploit Date: 2024-04-27# Contact: miladgrayhat@gmail.com# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL# Vendor : https://www.eset.com# Version : 17.1.11.0# Tested on OS: Microsoft Windows 10 pro x64About Unquoted Service Path :==============================When a service is created whose executable path contains spaces and isn'tenclosed within quotes, leads to a vulnerability known as Unquoted ServicePath which allows a user to gain SYSTEM privileges.(only if the vulnerable service is running with SYSTEM privilege levelwhich most of the time it is).C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"|findstr /i /v "c:\windows\\" |findstr /i /v """ESET Updater ESETServiceSvc C:\Program Files (x86)\ESET\ESETSecurity\ekrn.exeC:\>sc qc ekrn[SC] QueryServiceConfig SUCCESSSERVICE_NAME: ekrn        TYPE               : 20  WIN32_SHARE_PROCESS        START_TYPE         : 2   AUTO_START        ERROR_CONTROL      : 1   NORMAL        BINARY_PATH_NAME   : "C:\Program Files\ESET\ESET Security\ekrn.exe"        LOAD_ORDER_GROUP   : Base        TAG                : 0        DISPLAY_NAME       : ESET Service        DEPENDENCIES       :        SERVICE_START_NAME : LocalSystem

ESET NOD32 Antivirus 17.1.11.0 Unquoted Service Path

By Deeba Ahmed
Beware! Agent Tesla & Taskun Malware are targeting US Education & Gov. This cyberattack steals data & exploits vulnerabilities. Learn how to protect schools & government agencies from this double threat!
This is a post from HackRead.com Read the original post: Agent Tesla and Taskun Malware Targeting US Education and Govt Entities

A new wave of cyberattacks has set its sights on the sensitive data within the US education and government sectors, discovered cybersecurity researchers at the cybersecurity platform, Veriti. This campaign leverages a combination of two malware strains: Agent Tesla and Taskun.

****Agent Tesla and Taskun- The Deceptive Duo****

Agent Tesla is an infamous malware and sophisticated spyware, designed to steal a user’s most valuable data. The malware is known for capturing keystrokes, screenshots, and even login credentials for various applications including browsers and VPNs. With this stolen information, attackers gain unauthorized access to user’s accounts and potentially sensitive systems.

On the other hand, according to Veriti’s blog post, Taskun serves as the perfect accomplice for Agent Tesla’s malicious activities. It works by compromising a system’s integrity, creating a backdoor for Agent Tesla to infiltrate and establish persistence. This allows Agent Tesla to remain undetected for extended periods, deepening its hold on the system and maximizing data theft.

It’s important to highlight that Taskun and Agent Tesla were recently discovered as accomplices in a similar campaign. Researchers observed TicTacToe Dropper targeting Windows devices, subsequently infecting them with Leonem, AgentTesla, SnakeLogger, LokiBot, Remcos, RemLoader, Sabsik, Taskun, Androm, and Upatre.

****Attackers’ Calculated Approach****

As for the latest, campaign, the attack is launched through malicious email attachments exploiting vulnerabilities in Windows OS software like Microsoft Office, one of the most exploited software in malware attacks.

The attackers’ strategy centers around performing reconnaissance to identify vulnerabilities within the targeted systems. This approach often exploits weaknesses in commonly used office applications and operating systems. By targeting these widespread vulnerabilities, the attackers can maximize the impact of their attack, potentially compromising a vast number of devices within an organization.

Phishing emails as observed by Veriti

****Why Education and Government Sectors are Vulnerable****

Educational institutions and government agencies often hold a treasure trove of sensitive data, making them prime targets for cybercriminals. This data can include student records, research findings, social security numbers, and other confidential information.

Moreover, schools have been identified as highly lucrative targets for cybercriminals. Both in the past and recently, hackers have targeted over 900 schools in the United States by exploiting the notorious MOVEit vulnerability.

A successful attack using Agent Tesla and Taskun could result in a significant data breach, causing immense financial loss, reputational damage, and even identity theft for affected individuals.

****How to Fight Back?****

Institutions can strengthen their cybersecurity defences against cyber threats by applying security patches promptly, educating users on cybersecurity awareness, and implementing a multi-layered security approach. Regularly patching vulnerabilities, providing cybersecurity awareness training, and implementing a multi-layered security approach can help protect sensitive data.

1.  Microsoft Outlook Flaw Exploited by Russian Forest Blizzard
2.  Retired Software Exploited To Target Power Grids, Microsoft
3.  Microsoft Teams Flaw Sends Malware to Employees’ Inboxes
4.  Researchers Warn of New Microsoft Office 0-Day Flaw Follina
5.  NodeStealer Mimics ‘Microsoft’ to Hack Facebook, Browser Data

Agent Tesla and Taskun Malware Targeting US Education and Govt Entities

The business intelligence servers contain vulnerabilities that Qlik patched last year, but which Cactus actors have been exploiting since November. Swathes of organizations have not yet been patched.

Source: S. Bonaime via Shutterstock

Nearly five months after security researchers warned of the Cactus ransomware group leveraging a set of three vulnerabilities in Qlik Sense data analytics and business intelligence (BI) platform, many organizations remain dangerously vulnerable to the threat.

Qlik disclosed the vulnerabilities in August and September. The company's August disclosure involved two bugs in multiple versions of Qlik Sense Enterprise for Windows tracked as CVE-2023-41266 and CVE-2023-41265. The vulnerabilities, when chained, give a remote, unauthenticated attacker a way to execute arbitrary code on affected systems. In September, Qlik disclosed CVE-2023-48365, which turned out to be a bypass of Qlik's fix for the previous two flaws from August.

Gartner has ranked Qlik as one of the top data visualization and BI vendors in the market.

**Continued Exploitation of Qlik Security Bugs**

Two months later, Arctic Wolf reported observing operators of Cactus ransomware exploiting the three vulnerabilities to gain an initial foothold in target environments. At the time, the security vendor said it was responding to multiple instances of customers encountering attacks via the Qlik Sense vulnerabilities and warned of the Cactus group campaign as being rapidly developing.

Even so, many organization appear not to have received the memo. A scan by researchers at Fox-IT on April 17 uncovered a total of 5,205 Internet-accessible Qlik Sense servers, of which 3,143 servers were still vulnerable to Cactus group's exploits. Of that number, 396 servers appeared to be located in the US. Other countries with a relatively high number of vulnerable Qlik Sense servers include Italy with 280, Brazil with 244 and Netherlands and Germany with 241 and 175 respectively.

Fox-IT is among a group of security organizations in the Netherlands — including the Dutch Institute for Vulnerability Disclosure (DIVD) — working collaboratively under the aegis of an effort called Project Melissa, to disrupt Cactus group operations.

Upon discovering the vulnerable servers, Fox-IT relayed its fingerprints and scan data to DIVD, which then began contacting administrators of the vulnerable Qlik Sense servers about their organization's exposure to potential Cactus ransomware attacks. In some instances, DIVD sent the notifications out directly to potential victims while in others the organization attempted to relay the information to them via their respective country computer emergency response teams.

**Security Orgs Are Notifying Potential Cactus Ransomware Victims**

The ShadowServer Foundation is also reaching out to at-risk organizations. In a critical alert this week, the nonprofit threat intelligence service described the situation as one where a failure to remediate could leave organizations at a very high likelihood of compromise.

"If you receive an alert from us on a vulnerable instance detected in your network or constituency, please also assume compromise of your instance and possibly your network," ShadowServer said. "Compromised instances are determined remotely by checking for the presence of files with .ttf or .woff file extension."

Fox-IT said it had identified at least 122 Qlik Sense instances as likely compromised via the three vulnerabilities. Forty-nine of them were in the US; 13 in Spain; 11 in Italy; and the rest scattered across 17 other countries. "When the indicator of compromise artefact is present on a remote Qlik Sense server, it can imply various scenarios," Fox-IT said. It could for instance, suggest that the attackers executed code remotely on the server, or it could simply be an artifact from a previous security incident.

"It's crucial to understand that 'already compromised' can mean that either the ransomware has been deployed and the initial access artifacts left behind were not removed, or the system remains compromised and is potentially poised for a future ransomware attack," Fox-IT said.

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Thousands of Qlik Sense Servers Open to Cactus Ransomware

By Deeba Ahmed
Hackers are dusting off old tricks! A recent attack exploited vulnerabilities in systems running outdates Microsoft Office to deliver Cobalt Strike malware. Learn how to protect yourself!
This is a post from HackRead.com Read the original post: 7-Year-Old 0-Day in Microsoft Office Exploited to Drop Cobalt Strike

Cybersecurity firm Deep Instinct has discovered that attackers are using the Cobalt Strike loader to deploy old zero-day exploits, a relatively new trend. Let’s delve deeper into this.

Deep Instinct Threat Lab has discovered a targeted operation against Ukraine in which hackers are using an old zero-day vulnerability, CVE-2017-8570, as the initial vector and a custom loader for Cobalt Strike Beacon, a professional pen-testing tool designed for evaluating computer security by red teams. However, in this attack, hackers have used a cracked version with no legitimate user. 

They’ve exploited CVE-2017-8570, an old Microsoft Office vulnerability identified in 2017, to launch the Cobalt Strike Beacon, targeting Ukraine’s systems. They used a malicious PPSX (PowerPoint Slideshow) file disguised as an old US Army instruction manual for mine-clearing tank blades, bypassing traditional security measures and allowing them to hide the payload and complicate analysis. The file used a “script:” prefix before the HTTPS URL to hide the payload and complicate analysis. 

> _“The lure contained military-related content, suggesting it was targeting military personnel. But the domain names weavesilk(.)space and petapixel(.)fun are disguised as an obscure generative art site (weavesilk(.)com) and a popular photography site (petapixel(.)com). These are unrelated, and it’s a bit puzzling why an attacker would use these specifically to fool military personnel.”_
> 
> Deep Instinct

The use of the Cobalt Strike loader, a malicious, versatile toolset commonly employed in targeted attacks, suggests a sophisticated approach by the attackers. Cobalt Strike allows adversaries to deploy malware, steal data, and maintain persistence on compromised systems. In the context of Ukraine, it is used as a delivery mechanism for these zero-day exploits, maximizing their impact.

Deep Instinct’s research indicates that attackers are actively leveraging zero-day exploits, which are vulnerabilities unknown to security software vendors. This makes them particularly dangerous as traditional defences may not be able to detect and block them.

Researchers couldn’t attribute the attacks to any known threat actor or rule out the possibility of a red team exercise. Evidence indicates the sample was uploaded from Ukraine, the second stage was hosted under a Russian VPS provider, and the Cobalt beacon C&C was registered in Warsaw, Poland.

_“_Given the n-day exploitation trends against > 12-month-old edge device and email server CVEs we’ve seen over the past 4 years, seeing a threat actor exploit a Wine vulnerability from 2017 is weirdly refreshing,_“_ stated Casey Ellis, Founder and Chief Strategy Officer at Bugcrowd

_“_The use of undocumented low-level WinAPI calls is unusual as well. I can understand why threat analysts are having difficulty with attribution, it’s an esoteric and somewhat nerdy kill chain._“_ Casey explained.

“Aside from the technical pieces, the fact that it’s not Russia is noteworthy, and the TTPs suggest a previously unknown player. Cobalt Strike usage as a C2 is fairly commonplace and the key takeaway here is that old vulnerabilities in easily forgotten software still matter._“_

**How to Stay Safe?**

Deep Instinct’s research suggests that traditional security solutions may not be enough for zero-day exploits. Organizations should adopt advanced threat detection through behavioural analysis and machine learning. Vigilance is also crucial, especially for cyber threats targeting Ukraine, and a proactive defence strategy combining firewalls and antivirus software.

1.  APTs Exploiting WinRAR 0day Flaw Despite Patch Availability
2.  5 year old vulnerability used for Monero mining on Linux servers
3.  Protestware Uses npm Packages to Call for Peace in Gaza, Ukraine
4.  12-Year-Old vulnerability in Windows Defender risked 1 billion devices
5.  17-year-old “wormable” SigRed vulnerability found in Windows servers

7-Year-Old 0-Day in Microsoft Office Exploited to Drop Cobalt Strike

Ubuntu Security Notice 6752-1 - It was discovered that FreeRDP incorrectly handled certain memory operations. If a user were tricked into connecting to a malicious server, a remote attacker could possibly use this issue to cause FreeRDP to crash, resulting in a denial of service.

    ==========================================================================Ubuntu Security Notice USN-6752-1April 25, 2024freerdp2 vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 23.10- Ubuntu 22.04 LTS- Ubuntu 20.04 LTSSummary:Several security issues were fixed in FreeRDP.Software Description:- freerdp2: RDP client for Windows Terminal ServicesDetails:It was discovered that FreeRDP incorrectly handled certain memoryoperations. If a user were tricked into connecting to a malicious server, aremote attacker could possibly use this issue to cause FreeRDP to crash,resulting in a denial of service.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 23.10:   libfreerdp2-2                   2.10.0+dfsg1-1.1ubuntu1.3Ubuntu 22.04 LTS:   libfreerdp2-2                   2.6.1+dfsg1-3ubuntu2.7Ubuntu 20.04 LTS:   libfreerdp2-2                   2.6.1+dfsg1-0ubuntu0.20.04.2After a standard system update you need to restart your session to make allthe necessary changes.References:   https://ubuntu.com/security/notices/USN-6752-1   CVE-2024-32658, CVE-2024-32659, CVE-2024-32660, CVE-2024-32661Package Information:   https://launchpad.net/ubuntu/+source/freerdp2/2.10.0+dfsg1-1.1ubuntu1.3   https://launchpad.net/ubuntu/+source/freerdp2/2.6.1+dfsg1-3ubuntu2.7   https://launchpad.net/ubuntu/+source/freerdp2/2.6.1+dfsg1-0ubuntu0.20.04.2

Ubuntu Security Notice USN-6752-1

Eight out of nine apps that people use to input Chinese characters into mobile devices have weakness that allow a passive eavesdropper to collect keystroke data.

Source: badboydt7 via Shutterstock

Nearly all keyboard apps that allow users to enter Chinese characters into their Android, iOS, or other mobile devices are vulnerable to attacks that allow an adversary to capture the entirety of their keystrokes.

This includes data such as login credentials, financial information, and messages that would otherwise be end-to-end encrypted, a new study by Toronto University's Citizen Lab has uncovered.

**Ubiquitous Problem**

For the study, researchers at the lab considered cloud-based Pinyin apps (which render Chinese characters into words spelled with roman letters) from nine vendors selling to users in China: Baidu, Samsung, Huawei, Tencent, Xiaomi, Vivo, OPPO, iFlytek, and Honor. Their investigation showed all but the app from Huawei to be transmitting keystroke data to the cloud in a manner that enabled a passive eavesdropper to read the contents in clear text and with little difficulty. Citizen Lab researchers, who have earned a reputation over the years for exposing multiple cyber espionage, surveillance, and other threats targeted at mobile users and civil society, said each of them contain at least one exploitable vulnerability in how they handle transmissions of user keystrokes to the cloud.

The scope of vulnerabilities should not be underestimated, Citizen Lab researchers Jeffrey Knockel, Mona Wang and Zoe Reichert wrote in a report summarizing their findings this week: The researchers from Citizen Lab found that 76% of keyboard app users in mainland China, in fact, use a Pinyin keyboard to input Chinese characters.

"All of the vulnerabilities that we covered in this report can be exploited entirely passively without sending any additional network traffic," the researchers said. And to boot, the vulnerabilities were easy to discover and do not require any technological sophistication to exploit, they noted.  "As such, we might wonder, are these vulnerabilities actively under mass exploitation?"

Each of the vulnerable Pinyin keyboard apps that Citizen Lab examined had both a local, on-device component and a cloud-based prediction service for handling long strings of syllables and particularly complex characters. Of the nine apps they looked at, three were from mobile software developers — Tencent, Baidu, and iFlytek. The remaining five were apps that Samsung, Xiaomi, OPPO, Vivo, and Honor — all mobile device manufacturers — had either developed on their own or had integrated into their devices from a third-party developer.

**Exploitable via Active & Passive Methods**

Methods of exploitation differ for each app. Tencent's QQ Pinyin app for Android and Windows for instance had a vulnerability that allowed the researchers to create a working exploit for decrypting keystrokes via active eavesdropping methods. Baidu's IME for Windows contained a similar vulnerability, for which Citizen Lab created a working exploit for decrypting keystroke data via both active and passive eavesdropping methods.

The researchers found other encrypted related privacy and security weaknesses in the Baidu's iOS and Android versions but did not develop exploits for them. iFlytek's app for Android had a vulnerability that allowed a passive eavesdropper to recover in plaintext keyboard transmissions because of insufficient mobile encryption.

On the hardware vendor side, Samsung's homegrown keyboard app offered no encryption at all and instead sent keystroke transmissions in the clear. Samsung also offers users the option of either using Tencent's Sogou app or an app from Baidu on their devices. Of the two apps, Citizen Lab identified Baidu's keyboard app as being vulnerable to attack.

The researchers were unable to identify any issue with Vivo's internally developed Pinyin keyboard app but had a working exploit for a vulnerability they discovered in a Tencent app that is also available on Vivo's devices.

The third-party Pinyin apps (from Baidu, Tencent, and iFlytek) that are available with devices from the other mobile device makers all had exploitable vulnerabilities as well.

These are not uncommon issues, it turns out. Last year, Citizen Labs had conducted a separate investigation in Tencent's Sogou — used by some 450 million people in China — and found vulnerabilities that exposed keystrokes to eavesdropping attacks.

"Combining the vulnerabilities discovered in this and our previous report analyzing Sogou's keyboard apps, we estimate that up to one billion users are affected by these vulnerabilities," Citizen Lab said.

The vulnerabilities could enable mass surveillance of Chinese mobile device users — including by signals intelligence services belonging to the so-called Five Eyes nations — US, UK, Canada, Australia, and New Zealand — Citizen Lab said; the vulnerabilities in the keyboard apps that Citizen Lab discovered in its new research are very similar to vulnerabilities in the China-developed UC browser that intelligence agencies from these countries exploited for surveillance purposes, the report noted.

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Chinese Keyboard Apps Open 1B People to Eavesdropping

Plus, new details emerge on the Scattered Spider cybercrime network and ArcaneDoor.

Thursday, April 25, 2024 14:00

I wrote last week about the problems arising from the massive backlog of vulnerabilities at the U.S. National Vulnerability Database.  

Thousands of CVEs are still without analysis data, and the once-reliable database of every single vulnerability that’s disclosed and/or patched is now so far behind, it could take up to 100 days for the National Institute of Standards and Technology (NIST) to catch up, and that would be assuming no new vulnerabilities are disclosed during that period. 

While the U.S. government and NIST try to sort out a potential solution, and hopefully await more funding and restructuring, NIST says it’s hoping to launch a consortium to help either rebuild the NVD or create a replacement.  

Other security experts have floated the idea of other companies or organizations creating a brand-new solution of their own. The main problem with that is, what’s in it for them?  

What works about the NVD is that it’s funded by the U.S. government, so the money is always coming in to help fund the workforce and at least gives MITRE and the other private companies who contribute to the NVD motivation to keep working on it. 

To start up a whole new database of \*every\* CVE out there would take countless man-hours, and then what at the end? Would the company or person(s) who created it start charging for access? 

Several open-source solutions have_man-hours_ popped up over the past few weeks, such as “NVD Data Overrides,” which “is meant to provide additional data that is currently missing from NVD.” However, these types of volunteer projects still can’t assign CVSS scores, because only the NVD is authorized to hand out official NVD CVSS scores. 

This brings up another problem for private companies that may want to develop a solution: Do they want to play referee?  

Sometimes, when there’s a disagreement on how severe a vulnerability is and what severity score to assign it, the NVD will weigh in and provide their own, independently calculated CVSS score. Who really wants to be the “bad guy” to get between a massive tech company like Microsoft or Apple and a security researcher saying a vulnerability is a 9.5 out of 10 CVSS? 

I absolutely give major credit to any volunteers or open-source developers who are working on their own solutions for essentially nothing — but how long can we expect them to keep maintaining these databases? 

Unfortunately, I don’t have a great answer for this, either. I’m far from an expert on vulnerability management, nor do I have any connections to the federal government. But I do feel the onus is on the government to come up with a solution, and potentially provide incentives for companies and researchers to participate in this new proposed consortium because I don’t see the incentives there for the private sector to come up with their own solution.  

**The one big thing **

ArcaneDoor is a new campaign that is the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors. Talos and Cisco PSIRT recently identified a previously unknown actor, now tracked as UAT4356 by Talos and STORM-1849 by the Microsoft Threat Intelligence Center. This actor utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted, hallmarks of a sophisticated state-sponsored actor. UAT4356 deployed two backdoors as components of this campaign, “Line Runner” and “Line Dancer,” which were used collectively to conduct malicious actions on-target, which included configuration modification, reconnaissance, network traffic capture/exfiltration and potentially lateral movement.   

**Why do I care? **

Gaining a foothold on these devices allows an actor to directly pivot into an organization, reroute or modify traffic and monitor network communications. In the past two years, we have seen a dramatic and sustained increase in the targeting of these devices in areas such as telecommunications providers and energy sector organizations — critical infrastructure entities that are likely strategic targets of interest for many foreign governments. As a critical path for data into and out of the network, these devices need to be routinely and promptly patched; using up-to-date hardware and software versions and configurations; and be closely monitored from a security perspective. 

**So now what? **

There are some known indicators of compromise that customers can look for if they suspect they may have been targeted in this campaign. First, organizations should look for any flows to/from ASA devices to any of the IP addresses present in the IOC list provided at the bottom of this blog. This is one indication that further investigation is necessary. Potential targets can also follow the steps detailed in the Cisco ASA Forensic Investigation Procedures for First Responders. When following these procedures, first responders should NOT attempt to collect a core dump or reboot the device if they believe that the device has been compromised, based on the lina memory region output. Talos also released some Snort signatures to detect the activity on the wire including access attempts. Snort Signatures 63139, 62949 and 45575 have been released to detect the implants or associated behaviors. 

**Top security headlines of the week **

**A previously known Windows print spooler bug is still being actively exploited, according to Microsoft.** The company’s threat research team recently disclosed that APT28, a well-known Russian state-sponsored actor, is exploiting the vulnerability to deliver a previously unknown malware called “GooseEgg.” Microsoft disclosed and patched CVE-2022-38028 in October 2022, but APT28 may have been exploiting it as far back as 2020. The actor’s exploitation involved modifying a JavaScript constraints file in the printer spooler and executing it with SYSTEM-level permissions. The new research prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add CVE-2022-38028 to its Known Exploited Vulnerabilities (KEV) catalog. If installed, GooseEgg can load other applications with System-level permissions and allow the adversary to execute remote code on the targeted device or deploy other backdoors. Another set of print spooler vulnerabilities, called PrintNightmare, made headlines in July 2021, though no one reported active exploitation of that vulnerability at the time. (SC Magazine, Security Week) 

**A new investigation revealed how members of the group Scattered Spider are partnering with Russian state-sponsored actors to carry out ransomware attacks.** Scattered Spider is made up of younger individuals based out of the U.S., U.K. and Canada. They are primarily English speakers who have been blamed for several notable ransomware attacks, including one against MGM Casinos that disrupted operations at several casinos and hotels last year. The group specializes in social engineering, more recently using LinkedIn to steal employee information and use that to infiltrate corporate networks. Members, some as young as teenagers, are connecting over the dark web and online forums like Discord and use their advanced knowledge of Western civilization to provide crucial details to Russian actors. The “60 Minutes” investigation also included new details about The Community (aka “The Comm,” the online collection of hackers who like to brag about their recent cybercrimes, often through Telegram. (CBS News) 

**The U.S. government has re-upped a law that expands government surveillance by opening the door for private companies to partner with the government on these types of activities.** The controversial Foreign Intelligence Surveillance Act (FISA) was re-approved just hours after it lapsed. The White House and proponents in U.S. Congress argued that the powers granted in Section 702 of the FISA helps prevent the spread of terrorism and cyber attacks and that any lapse in those powers would harm the government’s ability to gather crucial intelligence. However, privacy advocates say that the FISA is an overreach, and provides too much power for private companies to potentially spy on consumers. The bill also includes a new definition of “electronic communications service provider,” which could allow the U.S. government to force Big Tech companies and telecommunications providers to hand over users’ data if requested. (NBC News, TechCrunch) 

**Can’t get enough Talos? **

*   Talos Takes Ep. #180: What are the dangers of enabling sideloading and third-party apps? 
*   Suspected CoralRaider continues to expand victimology using three information stealers 
*   Brute-force attacks surge worldwide, warns Cisco Talos    
*   Cisco Warns of Massive Surge in Password-Spraying Attacks on VPNs 
*   Rare Computer Virus Detected in Ukrainian Network, Confidential Document Potentially Compromised 

**Upcoming events where you can find Talos **

**CARO Workshop 2024** **(May 1 - 3)** 

_Arlington, Virginia_

> Over the past year, we’ve observed a substantial uptick in attacks by YoroTrooper, a relatively nascent espionage-oriented threat actor operating against the Commonwealth of Independent Countries (CIS) since at least 2022. Asheer Malhotra's presentation at CARO 2024 will provide an overview of their various campaigns detailing the commodity and custom-built malware employed by the actor, their discovery and evolution in tactics. He will present a timeline of successful intrusions carried out by YoroTrooper targeting high-value individuals associated with CIS government agencies over the last two years.

**RSA** **(May 6 - 9)** 

_San Francisco, California_    

**Cisco Live** **(June 2 - 6)** 

_Las Vegas, Nevada_  

**Most prevalent malware files from Talos telemetry over the past week **

_This section will be on a brief hiatus while we work through some technical difficulties._ _Several open-source solutions have_

The private sector probably isn’t coming to save the NVD

Caliptra 1.0 offers a blueprint for integrating security features directly into microprocessors.

Source: Alexmillos via Alamy Stock Vector

A consortium of top chip makers have finalized the first version of Caliptra, a specification to add zero-trust security features directly inside silicon.

The Caliptra 1.0 specification has hardware and software blocks providing multiple protection layers for encrypted data on chips.

"We believe Caliptra is a foundational aspect to the future of confidential computing and couldn't be more excited to reach our 1.0 milestone," says Andrés Lagar-Cavilla, a distinguished engineer at Google. Caliptra is currently being integrated by companies across the ecosystem into chips that will start to appear in the market in 2026.

Security-focused hardware exists, but usually as separate components on the hardware. At the moment, chips typically access security features that are available as separate hardware components on the motherboard. The Caliptra specification provides a blueprint to embed the security features into the chip instead of accessing those hardware cores.

For example, the Trusted Platform Module (TPM), which is required on all machines running Windows 11, is a secure processor carrying out cryptographic functions, such as Windows Hello authentication and BitLocker drive encryption. Caliptra could make possible an on-silicon version of TPM.

The specification was built around the concept of confidential computing, an emerging technology focused on building walls to protect data and programs during storage, transport, and execution. Users and code are verified before being allowed to enter the secure area, after which they can run programs.

**Caliptra-Spec Chips on the Way?**

The Caliptra specification aims to fend off cyberattacks and protect from vulnerabilities, such as Meltdown and Spectre, which exposed confidential user data to hackers.

Caliptra's protection layers on silicon include a root-of-trust block, in which code, users, and firmware are isolated, verified, and authenticated. The spec extends to protecting firmware and ROMs. The root-of-trust layer also detects and recovers data that may be corrupted.

The specification is now available for tape-in, which means it is also ready for testing for chips that may be going into production. Google's Lagar-Cavilla says the company is actively integrating Caliptra in first-party silicon designs and collaborating with suppliers to ensure their system-on-chips — across CPUs, GPUs, DPUs, BMCs, SSDs, and more — include Caliptra.

Caliptra is an open source technology, so chip makers can adopt and modify it for free.

A company called Antmicro is developing a Caliptra-based security core for an emerging chip architecture called RISC-V. The technology is an alternative to the dominant x86 and ARM instruction set architectures. RISC-V has a modular design that makes it easier to include technologies like Caliptra in production-level silicon.

Google is a lead developer of Caliptra, working alongside Advanced Micro Devices, Microsoft, Marvell, and NVIDIA. The Linux Foundation's CHIPS Alliance is managing the development of the specification.

Intel is one of the big names in chips missing from the group of companies developing Caliptra. Intel is pushing its own on-chip security technology to protect user data and chips from hackers.

**About the Author(s)**

Agam Shah has covered enterprise IT for more than a decade. Outside of machine learning, hardware, and chips, he's also interested in martial arts and Russia.

Chip Giants Finalize Specs Baking Security Into Silicon

Ubuntu Security Notice 6749-1 - It was discovered that FreeRDP incorrectly handled certain context resets. If a user were tricked into connecting to a malicious server, a remote attacker could use this issue to cause FreeRDP to crash, resulting in a denial of service, or possibly execute arbitrary code. Evgeny Legerov discovered that FreeRDP incorrectly handled certain memory operations. If a user were tricked into connecting to a malicious server, a remote attacker could use this issue to cause FreeRDP to crash, resulting in a denial of service, or possibly execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-6749-1April 24, 2024freerdp2 vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 23.10- Ubuntu 22.04 LTS- Ubuntu 20.04 LTSSummary:Several security issues were fixed in FreeRDP.Software Description:- freerdp2: RDP client for Windows Terminal ServicesDetails:It was discovered that FreeRDP incorrectly handled certain context resets.If a user were tricked into connecting to a malicious server, a remoteattacker could use this issue to cause FreeRDP to crash, resulting in adenial of service, or possibly execute arbitrary code. (CVE-2024-22211)Evgeny Legerov discovered that FreeRDP incorrectly handled certain memoryoperations. If a user were tricked into connecting to a malicious server, aremote attacker could use this issue to cause FreeRDP to crash, resultingin a denial of service, or possibly execute arbitrary code.(CVE-2024-32039, CVE-2024-32040)Evgeny Legerov discovered that FreeRDP incorrectly handled certain memoryoperations. If a user were tricked into connecting to a malicious server, aremote attacker could possibly use this issue to cause FreeRDP to crash,resulting in a denial of service. (CVE-2024-32041, CVE-2024-32458,CVE-2024-32460)Evgeny Legerov discovered that FreeRDP incorrectly handled certain memoryoperations. A remote attacker could possibly use this issue to causeFreeRDP clients and servers to crash, resulting in a denial of service.(CVE-2024-32459)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 23.10:   libfreerdp2-2                   2.10.0+dfsg1-1.1ubuntu1.2Ubuntu 22.04 LTS:   libfreerdp2-2                   2.6.1+dfsg1-3ubuntu2.6Ubuntu 20.04 LTS:   libfreerdp2-2                   2.6.1+dfsg1-0ubuntu0.20.04.1After a standard system update you need to restart your session to make allthe necessary changes.References:   https://ubuntu.com/security/notices/USN-6749-1   CVE-2024-22211, CVE-2024-32039, CVE-2024-32040, CVE-2024-32041,   CVE-2024-32458, CVE-2024-32459, CVE-2024-32460Package Information:   https://launchpad.net/ubuntu/+source/freerdp2/2.10.0+dfsg1-1.1ubuntu1.2   https://launchpad.net/ubuntu/+source/freerdp2/2.6.1+dfsg1-3ubuntu2.6   https://launchpad.net/ubuntu/+source/freerdp2/2.6.1+dfsg1-0ubuntu0.20.04.1

Ubuntu Security Notice USN-6749-1

By Waqas
Using Google Chrome? Update your browser to the latest version right now!
This is a post from HackRead.com Read the original post: Google Patches Critical Chrome Vulnerability and Additional Flaws

Google Chrome users beware! A critical vulnerability (CVE-2024-4058) has been patched in the latest update (version 124). This flaw could allow attackers to take control of your system.

Google addressed a critical vulnerability (CVE-2024-4058) in its Chrome web browser on Wednesday, April 24th, 2024. This flaw resides within the ANGLE graphics layer engine and carries a “critical” severity rating, indicating its potential for severe exploitation.

While the critical CVE-2024-4058 garnered the most attention, Google’s Chrome update (version 124) also patched two additional high-severity vulnerabilities:

*   **CVE-2024-4059:** This vulnerability is classified as an out-of-bounds read within the V8 JavaScript engine. An out-of-bounds read allows attackers to access memory locations they shouldn’t, potentially revealing sensitive information.
*   **CVE-2024-4060:** This vulnerability is a use-after-free issue in the Dawn component. Use-after-free vulnerabilities can lead to crashes or potentially code execution depending on how they are exploited.

****The Importance of Updating****

While the specific details and exploitability of CVE-2024-4059 and CVE-2024-4060 are not yet fully public, it’s important to update Chrome regardless. A high-severity rating suggests these vulnerabilities could also be weaponized by attackers, so patching promptly remains the best course of action.

Jason Soroko, Senior Vice President of Product at Sectigo commented on the update stating, _“_CVE-2024-4058, a Type Confusion in ANGLE, is a vulnerability categorized as critical because it could allow remote code execution (RCE), enabling attackers to put malware onto the victim’s device. This latest vulnerability is a bad one for sure, and therefore it would be critical to patch this immediately._”_

****How to Protect Yourself****

The safest course of action is to update your Google Chrome browser immediately. Google has released Chrome version 124 which addresses this vulnerability alongside other security fixes. Here’s how to update Chrome:

*   **Windows & Mac:** Open Chrome, click the three vertical dots in the top right corner, go to “Help” and then “About Chrome.” Chrome will automatically check for updates and install them if available.
*   **Linux:** The update process for Linux may vary depending on your distribution. Consult your distribution’s documentation for specific update instructions.

Updating to Chrome version 124 protects you from these critical, high-severity, and potentially dangerous vulnerabilities. For additional technical details and a full list of changes in this build visit the Log section.

1.  Critical Chrome Update Counters Spyware Vendor’s Exploits
2.  Google Chrome to Mask User IP Addresses to Protect Privacy
3.  Fake Chrome Browser Update Installs NetSupport Manager RAT
4.  CISA Warns of Chrome and Excel Parsing LibraryExploitable Flaws
5.  Fantom Foundation Suffers Wallet Hack Via Google Chrome 0-Day

Tag

#windows