Cisco recently developed and released a new feature to detect brand impersonation in emails when adversaries pretend to be a legitimate corporation.

Wednesday, May 22, 2024 08:17

*   Cisco recently developed and released a new feature to detect brand impersonation in emails when adversaries pretend to be a legitimate corporation.
*   Talos has discovered a wide range of techniques threat actors use to embed and deliver brand logos via emails to their victims.
*   Talos is providing new statistics and insights into detected brand impersonation cases over one month (March - April 2024).
*   In addition to deploying Cisco Secure Email, user education is key to detecting this type of threat.

Brand impersonation could happen on many online platforms, including social media, websites, emails and mobile applications. This type of threat exploits the familiarity and legitimacy of popular brand logos to solicit sensitive information from victims. In the context of email security, brand impersonation is commonly observed in phishing emails. Threat actors want to deceive their victims into giving up their credentials or other sensitive information by abusing the popularity of well-known brands.

**Brand logo embedding and delivery techniques**

Threat actors employ a variety of techniques to embed brand logos within emails. One simple method involves inserting words associated with the brand into the HTML source of the email. In the example below, the PayPal logo can be found in plaintext in the HTML source of this email.

An example email impersonating the PayPal brand.

Creating the PayPal logo via HTML.

Sometimes, the email body is base64-encoded to make their detection harder. The base64-encoded snippet of an email body is shown below.

An example email impersonating the Microsoft brand.

A snippet of the base64-encoded body of the above email.

The decoded HTML code is shown in the figure below. In this case, the Microsoft logo has been built via an HTML 2x2 table with four cells and various background colors.

Creating the Microsoft logo via HTML.

A more advanced technique is to fetch the brand logo from remote servers at delivery time. In this technique, the URI of the resource is embedded in the HTML source of the email, either in plain text or Base64-encoded. The logo in the example below is fetched from the below address:  
hxxps://image\[.\]member.americanexpress\[.\]com/.../AMXIMG\_250x250\_amex\_logo.jpg

An example email impersonating the American Express brand.

The URI from which the American Express brand is being loaded.

Another technique threat actors use is to deliver the brand logo via attachments. One of the most common techniques is to only include the brand logo as an image attachment. In this case, the logo is normally base64-encoded to evade detection. Email clients automatically fetch and render these logos if they’re referenced from the HTML source of the email. In this example, the Microsoft logo is attached to this email as a PNG file and referenced in an <img> HTML tag.

An example email impersonating the Microsoft brand (the logo is attached to the email and is rendered and shown to the victim at delivery time via <img> HTML tag).

The Content-ID (CID) reference of the attached Microsoft brand logo is included inline in the HTML source of the above email.

In other cases, the whole email body, including the brand logo, is attached as an image to the email and is shown to the victim by the email client. The example below is a brand impersonation case where the whole body is included in the PNG attachment, named “shark.png”. Also, an “inline” keyword can be seen in the HTML source of this email. When Content-Disposition is set to "inline," it indicates that the attached content should be displayed within the body of the email itself, rather than being treated as a downloadable attachment.

An example email impersonating the Microsoft Office 365 brand (the whole email body, including the brand logo, is attached to the email as a PNG file).

The whole email body is in the attachment and is included in the above message.

A brand logo may also be embedded within a PDF attachment. In the example shown below, the whole email body is included in a PDF attachment. This email is a QR code phishing email that is also impersonating the Bluebeam brand.

An example email impersonating the Bluebeam brand (the whole email body, including the brand logo, is attached to the email as a PDF file).

The whole email body is included in a PDF attachment.

**The scope of brand impersonation**

An efficient brand impersonation detection engine plays a key role in an email security product. The extracted information from correctly convicted emails is valuable for threat researchers and customers. Using Cisco Secure Email Threat Defense’s brand impersonation detection engine, we uncovered the true scope of how widespread these attacks are. All data reflects the period between March 22 and April 22, 2024.

Threat researchers can use this information to block future attacks, potentially based on the sender’s email address and domain, the originating IP addresses of brand impersonation attacks, their attachments, the URLs found from such emails, and even phone numbers.

The chart below demonstrates the top sender domains of emails curated by attackers to convince the victims to call a number (i.e., as in Telephone-Oriented Attack Delivery) by impersonating the Best Buy Geek Squad, Norton and PayPal brands. Free email services are widely used by adversaries to send such emails. However, other domains can also be found that are less popular.

Top sender domains of emails impersonating Best Buy Geek Squad, Norton and PayPal brands.

Sometimes, similar brand impersonation emails are sent from a wide range of domains. For example, as shown in the below heatmap, emails impersonating the DocuSign brand were sent from two different domains to our customers on March 28. In other cases, emails are sent from a single domain (e.g., emails impersonating Geek Squad and McAfee brands).

Count of convictions by the impersonated brand and sender domain on March 28.(Note: This is only a subset of convictions we had on this date.)

Brand impersonation emails may target specific industry verticals, or they might be sent indiscriminately. As shown in the chart below, four brand impersonation emails from _hotmail.com_ and _softbased.top_ domains were sent to our customers that would be categorized as either educational or insurance companies. On the other hand, emails from _biglobe.ne.jp_ targeted a wider range of industry verticals.

Count of convictions by industry verticals from different sender domains on April 2nd (note: this is only a subset of convictions we had in this date).

Cisco customers can also benefit from information provided by the brand impersonation detection engine. By sharing the list of the most frequently impersonated brands with them regularly, they can train their employees to stay vigilant when they observe specific brands in emails.

Top 30 impersonated brands over one month.

Microsoft was the most frequently impersonated brand over the month we observed, followed by DocuSign. Most emails that contained these brands were fake SharePoint and DocuSign phishing messages. Two examples are provided below.

Other top frequently impersonated brands such as NortonLifeLock, PayPal, Chase, Geek Squad and Walmart were mostly seen in callback phishing messages. In this technique, the attackers include a phone number in the email and try to persuade recipients to call that number, thereby changing the communication channel away from email. From there, they may send another link to their victims to deliver different types of malware. The attackers normally do so by impersonating well-known and familiar brands. Two examples of such emails are provided below.

**Protect against brand impersonation****Strengthening the weakest link**

Humans are still the weakest link in cybersecurity. Therefore, educating users is of paramount importance to reduce the amount and effects of security breaches. Educating people does not only concern employees within a specific organization but in this case, it also involves their customers.

Employees should know an organization’s trusted partners and the way that their organization communicates with them. This way, when an anomaly occurs in that form of communication, they will be able to identify any issues faster. Customers need different communication methods that your organization would use to contact them. Also, they need to be provided with the type of information you will be asking for. When they know these two vital details, they will be less likely to share their sensitive information over abnormal communication platforms (e.g., through emails or text messages).

Brand impersonation techniques are evolving in terms of sophistication, and differentiating fake emails from legitimate ones by a human or even a security researcher demands more time and effort. Therefore, more advanced techniques are required to detect these types of threats.

**Asset protection**

Well-known brands can protect themselves from this type of threat through asset protection as well. Domain names can be registered with various extensions to thwart threat actors attempting to use similar domains for malicious purposes. The other crucial step brands can take is to conceal their information from WHOIS records via privacy protection. Last, but not least, domain names need to be updated regularly since expired domains can be easily abused by threat actors for illicit activities that can harm your business reputation. Brand names should be registered properly so that your organization can take legal action when a brand impersonation occurs.

**Advanced detection methods**

Detection methods can be improved to delay the exposure of users to the received emails. Machine learning has improved significantly over the past few years due to advancements in computing resources, the availability of data, and the introduction of new machine learning architectures. Machine learning-based security solutions can be leveraged to improve detection efficacy.

Cisco Talos relies on a wide range of systems to detect this type of threat and protect our customers, from rule-based engines to advanced ML-based systems. Learn more about Cisco Secure Email Threat Defense's new brand impersonation detection tools here.

From trust to trickery: Brand impersonation over the email attack vector

Here’s a rundown of some things you may have missed if you weren’t able to stay on top of the things coming out of the conference.

Thursday, May 16, 2024 14:00

While I one day wish to make it to the RSA Conference in person, I’ve never had the pleasure of making the trek to San Francisco for one of the largest security conferences in the U.S. 

Instead, I had to watch from afar and catch up on the internet every day like the common folk. This at least gives me the advantage of not having my day totally slip away from me on the conference floor, so at least I felt like I didn’t miss much in the way of talks, announcements and buzz. So, I wanted to use this space to recap what I felt like the top stories and trends were coming out of RSA last week.  

Here’s a rundown of some things you may have missed if you weren’t able to stay on top of the things coming out of the conference. 

**AI is the talk of the town** 

This is unsurprising given how every other tech-focused conference and talk has gone since the start of the year, but everyone had something to say about AI at RSA.  

AI and its associated tools were part of all sorts of product announcements (either to be used as a marketing buzzword or something that is truly adding to the security landscape).  

Cisco’s own Jeetu Patel gave a keynote on how Cisco Secure is using AI in its newly announced Hypershield product. In the talk, he argued that AI needs to be used natively on networking infrastructure and not as a “bolt-on” to compete with attackers.  

U.S. Secretary of State Anthony Blinken was the headliner of the week, delivering a talk outlining the U.S.’ global cybersecurity policies. He spent a decent chunk of his half hour in the spotlight also talking about AI, in which he warned that the U.S. needed to maintain its edge when it comes to AI and quantum computing — and that losing that race to a geopolitical rival (like China) would have devastating consequences to our national security and economy.  

Individual talks ran the gamut from “AI is the best thing ever for security!” to “Oh boy AI is going to ruin everything.” The reality of how this trend shakes out, like most things, is likely going to be somewhere in between those two schools of thought.  

An IBM study released at RSA highlighted how headstrong many executives can be when embracing AI. They found that security is generally an afterthought when creating generative AI models and tools, with only 24 percent of responding C-suite executives saying they have a security component built into their most recent GenAI project.  

**Vendors vow to build security into product designs** 

Sixty-eight new tech companies signed onto a pledge from the U.S. Cybersecurity and Infrastructure Security Agency, vowing to build security into their products from earliest stages of the design process.  

The list of signees now includes Cisco, Microsoft, Google, Amazon Web Services and IBM, among other large tech companies. The pledge states that the signees will work over the next 12 months to build new security safeguards for their products, including increasing the use of multi-factor authentication (MFA) and reducing the presence of default passwords.  

However, there’s looming speculation about how enforceable the Secure By Design pledge is and what the potential downside here is for any company that doesn’t live up to these promises.  

**New technologies countering deepfakes** 

Deepfake images and videos are rapidly spreading online and pose a grave threat to the already fading faith many of us had in the internet. 

It can be difficult to detect when users are looking at a digitally manipulated image or video unless they’re educated on common red flags to look for, or if they’re particularly knowledgeable on the subject in question. They’re getting so good now that even targets’ parents are falling for fake videos of their loved ones.  

Some potential solutions discussed at RSA include digital “watermarks” in things like virtual meetings and video recordings with immutable metadata.  

A deep fake-detecting startup was also named RSA’s “Most Innovative Startup 2024” for its multi-modal software that can detect and alert users of AI-generated and manipulated content. McAfee also has its own Deepfake Detector that it says, “utilizes advanced AI detection models to identify AI-generated audio within videos, helping people understand their digital world and assess the authenticity of content.” 

Whether these technologies can keep up with the pace that attackers are developing this technology and deploying it on such a wide scale, remains to be seen.  

**The one big thing **

Microsoft disclosed a zero-day vulnerability that could lead to an adversary gaining SYSTEM-level privileges as part of its monthly security update. After a hefty Microsoft Patch Tuesday in April, this month’s security update from the company only included one critical vulnerability across its massive suite of products and services. In all, May’s slate of vulnerabilities disclosed by Microsoft included 59 total CVEs, most of which are of “important” severity. There is only one moderate-severity vulnerability. 

**Why do I care? **

The lone critical security issue is CVE-2024-30044, a remote code execution vulnerability in SharePoint Server. An authenticated attacker who obtains Site Owner permissions or higher could exploit this vulnerability by uploading a specially crafted file to the targeted SharePoint Server. Then, they must craft specialized API requests to trigger the deserialization of that file’s parameters, potentially leading to remote code execution in the context of the SharePoint Server. The aforementioned zero-day vulnerability, CVE-2024-30051, could allow an attacker to gain SYSTEM-level privileges, which could have devastating impacts if they were to carry out other attacks or exploit additional vulnerabilities. 

**So now what? **

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page. In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. The rules included in this release that protect against the exploitation of many of these vulnerabilities are 63419, 63420, 63422 - 63432, 63444 and 63445. There are also Snort 3 rules 300906 - 300912. 

**Top security headlines of the week **

**A massive network intrusion is disrupting dozens of hospitals across the U.S., even forcing some of them to reroute ambulances late last week.** Ascension Healthcare Network said it first detected the activity on May 8 and then had to revert to manual systems. The disruption caused some appointments to have to be canceled or rescheduled and kept patients from visiting MyChart, an online portal for medical records. Doctors also had to start taking pen-and-paper records for patients. Ascension operates more than 140 hospitals in 19 states across the U.S. and works with more than 8,500 medical providers. The company has yet to say if the disruption was the result of a ransomware attack or some sort of other targeted cyber attack, though there was no timeline for restoring services as of earlier this week. Earlier this year, a ransomware attack on Change Healthcare disrupted health care systems nationwide, pausing many payments providers were expected to receive. UnitedHealth Group Inc., the parent company of Change, told a Congressional panel recently that it paid a requested ransom of $22 million in Bitcoin to the attackers. (CPO Magazine, The Associated Press) 

**Google and Apple are rolling out new alerts to their mobile operating systems that warn users of potentially unwanted devices tracking their locations.** The new features specifically target Bluetooth Low Energy (LE)-enabled accessories that are small enough to often be unknowingly tracking their specific location, such as an Apple AirTag. Android and iOS users will now receive the alert when such a device, when it's been separated from the owner’s smartphone, is moving with them still. This alert is meant to prevent adversaries or anyone with malicious intentions from unknowingly tracking targets’ locations. The two companies proposed these new rules for tracking devices a year ago, and other manufacturers of these devices have agreed to add this alert feature to their products going forward. “This cross-platform collaboration — also an industry first, involving community and industry input — offers instructions and best practices for manufacturers, should they choose to build unwanted tracking alert capabilities into their products,” Apple said in its announcement of the rollout. (Security Week, Apple) 

**The popular Christie’s online art marketplace was still down as of Wednesday afternoon after a suspected cyber attack.** The site, known for having many high-profile and wealthy clients, was planning on selling artwork worth at least $578 million this week. Christie’s said it first detected the technology security incident on Thursday but has yet to comment on if it was any sort of targeted cyber attack or data breach. There was also no information on whether client or user data was potentially at risk. Current items for sale included a Vincent van Gogh painting and a collection of rare watches, some owned by Formula 1 star Michael Schumacher. Potential buyers could instead place bids in person or over the phone. (Wall Street Journal, BBC) 

**Can’t get enough Talos? **

*   Talos joins CISA to counter cyber threats against non-profits, activists and other at-risk communities 
*   Click Here Ep. #130: A wrinkle in time: GPS jamming in Ukraine and its ripple effects 
*   Talos Takes Ep. #184: Why CoralRaider is looking to steal your login credentials 
*   Generative AI’s disinformation threat is ‘overblown,’ top cyber expert says 

**Upcoming events where you can find Talos **

**ISC2 SECURE Europe** **(May 29)** 

_Amsterdam, Netherlands_ 

> _Gergana Karadzhova-Dangela from Cisco Talos Incident Response will participate in a panel on “Using ECSF to Reduce the Cybersecurity Workforce and Skills Gap in the EU.” Karadzhova-Dangela participated in the creation of the EU cybersecurity framework, and will discuss how Cisco has used it for several of its internal initiatives as a way to recruit and hire new talent._  

**Cisco Live** **(June 2 - 6)** 

_Las Vegas, Nevada_  

**_AREA41_** **_(June 6 – 7)_** 

_Zurich, Switzerland_ 

> _Gergana Karadzhova-Dangela from Cisco Talos Incident Response will highlight the primordial importance of actionable incident response documentation for the overall response readiness of an organization. During this talk, she will share commonly observed mistakes when writing IR documentation and ways to avoid them. She will draw on her experiences as a responder who works with customers during proactive activities and actual cybersecurity breaches._ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202   
**MD5:** e4acf0e303e9f1371f029e013f902262   
**Typical Filename:** FileZilla\_3.67.0\_win64\_sponsored2-setup.exe   
**Claimed Product:** FileZilla   
**Detection Name:** W32.Application.27hg.1201 

**SHA 256:** a024a18e27707738adcd7b5a740c5a93534b4b8c9d3b947f6d85740af19d17d0   
**MD5:** b4440eea7367c3fb04a89225df4022a6   
**Typical Filename:** Pdfixers.exe   
**Claimed Product:** Pdfixers   
**Detection Name:** W32.Superfluss:PUPgenPUP.27gq.1201 

**SHA 256:** 1fa0222e5ae2b891fa9c2dad1f63a9b26901d825dc6d6b9dcc6258a985f4f9ab   
**MD5:** 4c648967aeac81b18b53a3cb357120f4   
**Typical Filename:** yypnexwqivdpvdeakbmmd.exe   
**Claimed Product:** N/A    
**Detection Name:** Win.Dropper.Scar::1201 

**SHA 256:** d529b406724e4db3defbaf15fcd216e66b9c999831e0b1f0c82899f7f8ef6ee1   
**MD5:** fb9e0617489f517dc47452e204572b4e   
**Typical Filename:** KMSAuto++.exe   
**Claimed Product:** KMSAuto++   
**Detection Name:** W32.File.MalParent 

**SHA 256:** abaa1b89dca9655410f61d64de25990972db95d28738fc93bb7a8a69b347a6a6   
**MD5:** 22ae85259273bc4ea419584293eda886   
**Typical Filename:** KMSAuto++ x64.exe   
**Claimed Product:** KMSAuto++   
**Detection Name:** W32.File.MalParent

Rounding up some of the major headlines from RSA

Compared to fuzzing for software vulnerabilities on Linux, where most of the code is open-source, targeting anything on macOS presents a few difficulties.

Talos releases new macOS open-source fuzzer

By Waqas
In a major blow to cybercrime, Breach Forums, a notorious online marketplace for stolen data, has been seized by the FBI and Department of Justice (DoJ). This unprecedented takedown includes not just the clear web domain, but also the dark web, escrow sections and Telegram accounts.
This is a post from HackRead.com Read the original post: Popular Cyber Crime Forum Breach Forums Seized by Police

The FBI and the Department of Justice (DoJ) have seized the infamous cybercrime and hacker forums **Breach Forums**. This breaking development occurred just an hour ago when the forum’s homepage was replaced by a message from the authorities announcing the seizure.

This seizure differs from previous ones, as Hackread.com can confirm. Authorities have not only managed to take over Breach Forums’ clear net domain, but they have also seized its Escrow domain and dark web domain accessible through the Tor browser.

> _“Breach Forums is under the control of the FBI. The website has been taken down by the FBI and DoJ with assistance from international partners. We are reviewing the site’s backend data. If you have information to report about cybercriminal activity on BreachForums, please contact us.”_
> 
> FBI on Breach Forums

Since this was an international law enforcement operation, the countries involved included New Zealand, Australia, the United Kingdom, Switzerland, Ukraine, and Iceland.

Screenshot: Hackread.com

Furthermore, the FBI has taken over additional communication channels associated with the forum. This includes the official Telegram account of the forum @Breachforums, the group chat Telegram account @Baphchat, and the official Telegram group used by its main administrator Baphomet @OfficialBaphomet to announce critical updates.

> _“This Telegram chat is under the control of the FBI. The BreachForums website has been taken down by the FBI and DOJ with assistance from international partners. We are reviewing the site’s backend data. If you have information to report about cybercriminal activity on BreachForums, please contact us.”_
> 
> FBI on Telegram

Screenshot: Hackread.com

****Arrest Made?****

As of now, the FBI and the DoJ have not disclosed any details regarding arrests. However, ShinyHunters confirmed to _Hackread.com_ that Baphomet is one of the administrators who was arrested and shared Breach Forums’ credentials with the authorities.

****History of Breach Forums After Raid Forums****

Breach Forums drew inspiration from the now-seized Raid Forums (RF), which was created and administered by Omnipotent, also known as **Diogo Santos Coelho**. Following the **shutdown of Raid Forums**, a member known as “Pompompurin” created a new version, opting to name it Breach Forums instead of continuing Raid Forum’s legacy.

After a brief period of success, Breach Forums met the same fate as Raid Forums when it was taken down by the FBI. Its administrator, **Pompompurin**, also known as Conor Brian Fitzpatrick, **was arrested in New York**.

It’s noteworthy that while Coelho continues to face legal battles in the United Kingdom, Fitzpatrick was **charged** and received a 20-year supervised sentence.

In June 2023, Hackread.com exclusively reported on the revival of Breach Forums **under the leadership of ShinyHunters**, a highly notorious hacker group. Since then, the group has been operational, making headlines for several high-profile data breaches and leaks. Notable incidents include:

*   **Dell**
*   **AT&T**
*   **Acuity**
*   **Europol**
*   **Space-Eyes**
*   **Home Depot**
*   **Robert Half**
*   **Hathway ISP**
*   **LA Intl. Airport**
*   **Weee! Grocery**
*   **General Electric**
*   **Facebook Marketplace**
*   **HSBC & Barclays Banks**
*   **Cybersecurity firm Zscaler**

_and 100s of others._

Narayana Pappu, CEO at Zendata, a San Francisco-based provider of data security and privacy compliance solutions commented on the seizure stating, _“_It is highly likely that the forum will eventually reappear under the same or different name. As far as the previously stolen data leaked on the site, I expect that multiple local copies of it have been downloaded by actors participating in the forums, so there’s continued exposure. Beyond that, the forum operators may have backups of this information, unless the FBI/DOJ also got the operators/backups,_“_ Narayana explained.

_“_Most people participating in these forums are fairly sophisticated and would have protected their identities, however, some folks could be tracked based on their IP addresses, telegram account information, email addresses, etc… Therefore, this will likely be a deterrent to some extent._“_

Nevertheless, Hackread.com is closely monitoring the situation. Once there is an official update from either of the agencies involved, this article will be updated accordingly with the latest information.

1.  Finnish Dark Web Marketplace PIILOPUOTI Seized
2.  NetWire Malware Site and Server Seized, Admin Arrested
3.  Hive Ransomware Gang Disrupted; Servers, Dark Web Site Seized
4.  Genesis Market’s Clearnet domain seized; Dark Web site still online
5.  WT1SHOP Cybercrime Market Seized by US, Portuguese Authorities

Popular Cyber Crime Forum Breach Forums Seized by Police

The lone critical security issue is CVE-2024-30044, a remote code execution vulnerability in SharePoint Server.

Tuesday, May 14, 2024 13:57

After a relatively hefty Microsoft Patch Tuesday in April, this month’s security update from the company only included one critical vulnerability across its massive suite of products and services.  

In all, May’s slate of vulnerabilities disclosed by Microsoft included 59 total CVEs, most of which are considered to be of “important” severity. There is only one moderate-severity vulnerability. 

The lone critical security issue is CVE-2024-30044, a remote code execution vulnerability in SharePoint Server. An authenticated attacker who obtains Site Owner permissions or higher could exploit this vulnerability by uploading a specially crafted file to the targeted SharePoint Server. Then, they must craft specialized API requests to trigger the deserialization of that file’s parameters, potentially leading to remote code execution in the context of the SharePoint Server. 

The Windows Mobile Broadband Driver also contains multiple remote code execution vulnerabilities: 

*   CVE-2024-29997 
*   CVE-2024-29998 
*   CVE-2024-29999 
*   CVE-2024-30000 
*   CVE-2024-30001 
*   CVE-2024-30002 
*   CVE-2024-30003 
*   CVE-2024-30004 
*   CVE-2024-30005 

However, to successfully exploit this issue, an adversary would need to physically connect a compromised USB device to the victim's machine. 

Microsoft also disclosed a zero-day vulnerability in the Windows DWM Core Library, CVE-2024-30051. Desktop Window Manager (DWM) is a Windows operating system service that enables visual effects on the desktop and manages things like transitions between windows.   

An adversary could exploit CVE-2024-30051 to gain SYSTEM-level privileges.  

This vulnerability is classified as having a “low” level of attack complexity, and exploitation of this vulnerability has already been detected in the wild.  

One other issue, CVE-2024-30046, has already been disclosed prior to Patch Tuesday, but has not yet been exploited in the wild. This is a denial-of-service vulnerability in ASP.NET, a web application framework commonly used in Windows.  

Microsoft considers this vulnerability “less likely” to be exploited, as successful exploitation would require an adversary to spend a significant amount of time repeating exploitation attempts by sending constant or intermittent data to the targeted machine.   

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page. 

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 63419, 63420, 63422 - 63432, 63444 and 63445. There are also Snort 3 rules 300906 - 300912.

Only one critical vulnerability included in May’s Microsoft Patch Tuesday; One other zero-day in DWN Core

Commercial spyware tools can threaten democratic values by enabling governments to conduct covert surveillance on citizens, undermining privacy rights and freedom of expression.

Tuesday, May 14, 2024 08:42

Cisco Talos is delighted to share updates about our ongoing partnership with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to combat cybersecurity threats facing civil society organizations.

Talos has partnered with CISA on several initiatives through the Joint Cyber Defense Collaborative (JCDC), including sharing intelligence on strategic threats of interest.

Adversaries are leveraging advancements in technology and the interconnectedness of the world’s networks to undermine democratic values and interests by targeting high-risk communities within civil society. According to CISA, these communities include activists, journalists, academics and organizations engaged in advocacy and humanitarian causes. Consequently, the U.S. government has elevated efforts in recent years to counter cyber threats that have placed the democratic freedoms of organizations and individuals at heightened risk.

The JCDC’s High-Risk Community Protection (HRCP) initiative is one such measure that brings together government, technology companies, and civil society organizations to strengthen the security of entities at heightened risk of cyber threat targeting and transnational repression.

The HRCP initiative’s outputs — including a threat mitigation guide for civil society, operational best practices, and online resources for communities at risk — aim to counter the threats posed by state-sponsored advanced persistent threats (APTs) and, increasingly, private-sector offensive actors (PSOA).

Our ongoing partnership with CISA and contributions to the JCDC’s HRCP initiative are consistent with Cisco’s security mission to protect data, systems, and networks, and uphold and respect the human rights of all.

**Spyware threats persist despite government and private sector measures**

As we’ve written about, the use of commercially available spyware to target high-profile or at-risk individuals and organizations is a global problem. This software can often track targets’ exact location, steal their messages and personal information, or even listen in on phone calls. Private companies, commonly referred to as “PSOAs” or “cyber mercenaries,” have monetized the development of these offensive tools, selling their spyware to any government willing to pay regardless of the buyer's intended use.

Commercial spyware tools can threaten democratic values by enabling governments to conduct covert surveillance on citizens, undermining privacy rights and freedom of expression. Lacking any international laws or norms around the use of commercial spyware, this surveillance can lead to the suppression of dissent, erosion of trust in democratic institutions, and consolidation of power in the hands of authoritarian governments.

The U.S. and its partners have taken steps to curb the proliferation of these dangerous tools. These include executive orders banning the use of certain spyware by U.S. government agencies, export restrictions and sanctions on companies or individuals involved in the development and sale of spyware (such as the recent sanctioning of members of the Intellexa Commercial Spyware Consortium), and diplomatic efforts with international partners and allies to pressure countries that harbor or support such firms.

Private industry has also played a substantial role in countering this threat, including by publishing research and publicly attributing PSOAs and countries involved in digital repression. Some companies have also developed countersurveillance technologies (such as Apple’s Lockdown Mode) to protect high-risk users and have initiated legal challenges through lawsuits against PSOAs alleging privacy violations. In March 2023, Cisco proudly became principal co-author of the Cybersecurity Tech Accord principles limiting offensive operations in cyberspace, joining several technology partners in calling for industry-wide principles to counter PSOAs.

**Talos intelligence fuels HRCP threat mitigation guide for civil society**

Talos has tracked the evolution of the commercial spyware industry and APT targeting of high-risk industries, placing us in a strong position to contribute our knowledge to the HRCP effort. Our research on two key threat actors — the Intellexa Commercial Spyware Consortium and the China state-sponsored Mustang Panda group — informed the HRCP guide’s overview of tactics commonly used against high-risk communities.

Talos has closely monitored threats stemming from the Intellexa Consortium, an umbrella group of organizations and individuals that offer commercial spyware tools to global customers, including authoritarian governments. In May 2023, we conducted a technical analysis of Intellaxa’s flagship PREDATOR spyware which was initially developed by a PSOA known as Cytrox. Our research specifically looked at two components of Intellexa's mobile spyware suite known as “ALIEN” and “PREDATOR,” which compose the backbone of the organization’s implant.

Our findings included an in-depth walkthrough of the infection chain, including the implant’s various information-stealing capabilities and evasion techniques. Over time, we learned more about Intellexa’s inner workings, including their spyware development timelines, product offerings, operating paradigms and procedures.

Our research on Mustang Panda also contributed to the mitigation guide by illustrating how government-sponsored threat actors have targeted civil society organizations with their own signature tools and techniques. This APT is heavily focused on political espionage and has targeted non-governmental organizations (NGOs), religious institutions, think tanks, and activist groups worldwide. Mustang Panda commonly sends spear phishing emails using enticing lures to gain access to victim networks and install custom implants, such as PlugX, that enable device control and user monitoring. The group has continuously evolved its delivery mechanisms and payloads to ensure long-term uninterrupted access, underscoring the threat posed to civil society and others.

**What is next for this growing threat?**

Threat actors with ties to Russia, China, and Iran have primarily been responsible for this heightened threat activity, according to industry reporting. But the threat is not limited to them. Last year, a U.K. National Cyber Security Centre (NCSC) estimate found that at least 80 countries have purchased commercial spyware, highlighting how the proliferation of these tools enables even more actors to join the playing field.

Yet we are staying ahead of the game. Talos researchers are continuously identifying the latest trends in threat actor targeting which include not only the use of commercial spyware but other tools and techniques identified in the HRCP guide, such as spear phishing and trojanized applications. Our intelligence powers Cisco’s security portfolio, ensuring customer safety.

Talos created a reporting resource where individuals or organizations suspected of being infected with commercial spyware can contact Talos’ research team (no-spyware@external.cisco.com) to assist in furthering the community’s knowledge of these threats.

We are determined to continue our work with CISA, other agencies, and industry leaders, leveraging the power of partnerships to protect Cisco customers and strengthen community resilience against common adversaries.

Talos joins CISA to counter cyber threats against non-profits, activists and other at-risk communities

By Cyber Newswire
London, United Kingdom, May 13th, 2024, CyberNewsWire Logicalis, the global technology service provider delivering next-generation digital managed services,…
This is a post from HackRead.com Read the original post: Logicalis enhances global security services with the launch of Intelligent Security

**London, United Kingdom, May 13th, 2024, CyberNewsWire**

Logicalis, the global technology service provider delivering next-generation digital managed services, has today announced the launch of Intelligent Security, a blueprint approach to its global security portfolio designed to deliver proactive advanced security for customers worldwide. 

Intelligent Security has been designed by Logicalis’ worldwide team of security specialists to give customers the most comprehensive observability and protection available. It is based on tracking and analysing cyber threats and knowledge of the latest prevention methods deployed across its customer base. 

Logicalis’ tenth annual CIO report surveyed 1,000 CIOs globally and found that of the 83% of CIOs who experienced cyber-attacks in the last 12 months, only 43% feel prepared for another breach. Designed to help CIOs manage these pressures, Intelligent Security will leverage Logicalis’s security capabilities as well as its relationships with global partners such as Cisco and Microsoft, where it has the highest levels of security accreditations. 

Logicalis CTO Toby Alock said:

“Many organisations focus on one area of the security fabric; we recognise in today’s cyber security landscape there are no silos; organisations must look across the entire footprint, from secure connectivity, securing the cloud, securing the hybrid worker and weaving secure operations across the entire organisation”. 

**The Intelligent Security global portfolio delivers a concise and comprehensive proposition for customers, including:**

● **Advisory:** Providing customers with a range of advisory services dedicated to helping them understand their security needs and identify the right solutions for their business.

● **Secure workplace:** Securing worker communications and devices as remote working continues to impact the workplace security landscape.

● **Secure connectivity:** Enforcing zero trust security from edge-to-edge, ensuring networks are robust enough to enable safe IoT, 5G and edge computing.

●  **Secure hybrid cloud:** Safeguarding cloud environments to ensure data, applications, and IT resources are safe.

● **Secure Operations**: Providing 24/7/365 best practice proactive threat detection and incident response, across three global security regions, using AI and automation to identify and triage.

In addition to the Intelligent Security global portfolio, the company is announcing several key investments in cyber skills and capabilities to bolster its position as a global leader in security services. 

*   Expanding the Managed Security (SOC) team in Portugal, which currently serves customers across EMEA, including the UK, Ireland and Germany
*   Partnering with Cisco to develop a Cyber Academy and a pipeline of qualified cybersecurity graduates into the EMEA Security team
*   Partnering with local universities in Portugal to develop an Intern program, which helps develop cybersecurity skills to serve the EMEA region and beyond.

Logicalis continues to prove its robust security offer by achieving Microsoft-verified Managed Extended Detection and Response (MXDR) Partner Status, launching Cisco Powered Intelligent Connectivity, built on zero-trust security, and being one of only six partners globally working with Cisco to develop an XDR proposition and enhance its Cisco security capabilities. 

Intelligent Security will be underpinned by Logicalis’ Digital Fabric Platform, providing CIOs with deeper-level insights and recommendations to enhance the performance of their entire digital ecosystem.

Toby Alock concludes, “We are at a pivotal point as security threats grow in scale and sophistication. CIOs and IT leaders are rethinking security in the era of AI and considering whether they have the in-house skills necessary to operate safely. Logicalis has seen a 300% surge in demand globally for Managed Security services in the past 12 months. Our customers are looking for a holistic, proactive approach to navigating security; we believe our simplified portfolio, our partnerships, and our investments in cyber talent for the next generation will deliver customers what they need: AI ready Managed Security with governance and SOC Protection wherever they are in the world”. 

**For more information please contact:**

Logicalis Team at Another Word 

Email: \[email protected\]

Tel: 020 3176 0014

**About Logicalis** 

We are Architects of Change™. We help organisations succeed in a digital-first world. At Logicalis, we harness our collective technology expertise to help our clients build a blueprint for success, so they can deliver sustainable outcomes that matter.

Our lifecycle services across cloud, connectivity, collaboration and security are designed to help optimise operations, reduce risk and empower employees.

As a global technology service provider, we deliver next-generation digital managed services, to provide our clients with real-time visibility and actionable insights across the performance of their digital ecosystem including; availability, user experience, security, economic performance and sustainability.

Our 7000+ ‘Architects of Change’ are based in 30 territories around the globe, helping our 10,000+ clients across a range of industry sectors create sustainable outcomes through technology.

Logicalis has annualised revenues of $1.7 billion, from operations in Europe, North America, Latin America, Asia Pacific, and Africa.

It is a division of Datatec Limited, listed on the Johannesburg Stock Exchange, with revenues of over $5.1 billion.

**Contact**

**Katie Fraser**  
**ANOTHER WORD**  
**\[email protected\]**  
**07908229152**

Logicalis enhances global security services with the launch of Intelligent Security

By cybernewswire
Torrance, California, May 13th, 2024, CyberNewsWire Criminal IP, a renowned Cyber Threat Intelligence (CTI) search engine developed by…
This is a post from HackRead.com Read the original post: Criminal IP and Quad9 Collaborate to Exchange Domain and IP Threat Intelligence

**Torrance, California, May 13th, 2024, CyberNewsWire**

Criminal IP, a renowned Cyber Threat Intelligence (CTI) search engine developed by AI SPERA, has recently signed a technology partnership to exchange threat intelligence data based on domains and potentially on the IP address to protect users by blocking threats to end users. 

Criminal IP underwent rigorous data evaluation to integrate with Quad9’s threat-blocking service, demonstrating high data uniqueness and accuracy. Particularly, test results revealed a remarkable outcome: 99.1% of malicious domains identified by Criminal IP’s threat intelligence were found to be non-duplicative with other TI data.

Through this integration, Quad9 leverages the most up-to-date threat intelligence lists, incorporating data from Criminal IP’s database of malicious domains to block harmful hostnames. This process not only safeguards computers, mobile devices, and IoT systems from a diverse array of threats like malware, phishing, spyware, and botnets, ensuring privacy, but also optimizes performance.

**Quad9’s Threat Blocking Enhanced by Criminal IP’s Threat Intelligence**

Quad9 is a free anycast DNS platform delivering robust security protections and privacy guarantees that comply with rigorous Swiss Data Protection and GDPR rules. Quad9 is operated as a non-profit by the Quad9 Foundation in Switzerland for the purpose of improving the privacy and cybersecurity of Internet users.

Operating on a high-performance global network, Quad9 partners with Criminal IP, which offers extensive cyber threat information, including malicious IPs, domains, and CVEs, derived from sophisticated IP and domain scoring algorithms and big data analysis on a worldwide scale, enhances this mission.

<Results of the blocking test for the Quad9 threat-blocking security service integrated with Criminal IP TI>

The specially designed Criminal IP Malicious Domains Retrieval API is used to send the Domain Data Feed identified as malicious to Quad9 for integration. This feed is then utilized alongside other threat intelligence (TI) data sources integrated into the Quad9 platform, such as IBM, OpenPhish, F-Secure, RiskIQ, and Domain Tools, to create a comprehensive blocklist for user protection.

**Criminal IP’s specialized Domain Threat Intelligence**

In addition to these comprehensive threat-blocking results on Quad9, for those seeking more information about each component of domains, users can use Domain Search of Criminal IP. The vulnerability scanner tool meticulously analyzes a wide array of domain details including screenshots, WHOIS data, utilized technologies, page redirections, and certificates. It also identifies potentially malicious content and replicated phishing domains, providing an overall domain score and a Domain Generation Algorithm (DGA) score. This global threat intelligence is updated daily and can be accessed through flexible API integration enabling seamless incorporation of the data into existing security systems, such as SOAR and SIEM. 

<Results of searching malicious domain in Criminal IP Domain Search>

“Our partnership with Quad9 is a recognition of the accuracy of Criminal IP’s data,” stated Byungtak Kang, CEO of AI SPERA. “It is expected that our collaboration will contribute to the protection of Quad9’s end-users, who have a global reach, while simultaneously enhancing the quality of Criminal IP’s data.”

End users interested in utilizing the integrated threat-blocking security service of Quad9, which is linked with Criminal IP threat intelligence, can automatically activate the service simply by using the Quad9 DNS server (9.9.9.9).

**About AI SPERA**

AI SPERA launched its global cybersecurity service, Criminal IP, on April 17, 2023, following a successful year-long beta phase. The company has established technical and business partnerships with acclaimed global security firms and educational institutions, including VirusTotal, Cisco, Tenable, and Sumo Logic.

Criminal IP offers personalized plan options, also suitable for company use. Users can check their own credit usage for specific features (Web, Vulnerability Scanner, Tags, etc.) and API on the dashboard, and upgrade the plan anytime according to their needs.

Criminal IP is available in five languages (English, French, Arabic, Korean, and Japanese), providing a powerful and accurate CTI search engine for users worldwide. AI SPERA has been delivering cybersecurity solutions worldwide through a range of products, including Criminal IP CTI Search Engine, Criminal IP ASM, and Criminal IP FDS.

**Contact**

**Michael Sena**  
**AI SPERA**  
**\[email protected\]**

Criminal IP and Quad9 Collaborate to Exchange Domain and IP Threat Intelligence

Refuge robbed: Car location tracking is becoming a tool of control in situations of domestic abuse. It's time car companies responded.

Across America, survivors of domestic abuse and stalking are facing a unique location tracking crisis born out of policy failure, unclear corporate responsibility, and potentially risky behaviors around digital sharing that are now common in relationships.

No, we’re not talking about stalkerware. Or hidden Apple AirTags. We’re talking about cars.

Modern cars are the latest consumer “device” to undergo an internet-crazed overhaul, as manufacturers increasingly stuff their automobiles with the types of features you’d expect from a smartphone, not a mode of transportation.

There are cars with WiFi, cars with wireless charging, cars with cameras that not only help while you reverse out of a driveway, but which can detect whether you’re drowsy while on a long haul. Many cars now also come with connected apps that allow you to, through your smartphone, remotely start your vehicle, schedule maintenance, and check your tire pressure.

But one feature in particular, which has legitimate uses in responding to stolen and lost vehicles, is being abused: Location tracking.

It’s time car companies do something about it.  

In December, The New York Times revealed the story of a married woman whose husband was abusing the location tracking capabilities of her Mercedes-Benz sedan to harass her. The woman tried every avenue she could to distance herself from her husband. After her husband became physically violent in an argument, she filed a domestic abuse report. Once she fled their home, she got a restraining order. She ignored his calls and texts.

But still her husband could follow her whereabouts by tracking her car—a level of access that Mercedes representatives reportedly could not turn off, as he was considered the rightful owner of the vehicle (according to The New York Times, the husband’s higher credit score convinced the married couple to have the car purchased in his name alone).

As reporter Kashmir Hill wrote of the impasse:

> “Even though she was making the payments, had a restraining order against her husband and had been granted sole use of the car during divorce proceedings, Mercedes representatives told her that her husband was the customer so he would be able to keep his access. There was no button she could press to take away the app’s connection to the vehicle.”

This was far from an isolated incident.

In 2023, Reuters reported that a San Francisco woman sued her husband in 2020 for allegations of “assault and sexual battery.” But some months later, the woman’s allegations of domestic abuse grew into allegations of negligence—this time, against the carmaker Tesla.

Tesla, the woman claimed in legal filings, failed to turn off her husband’s access to the location tracking capabilities in their shared Model X SUV, despite the fact that she had obtained a restraining order against her husband, and that she was a named co-owner of the vehicle.

When The New York Times retrieved filings from the San Francisco lawsuit above, attorneys for Tesla argued that the automaker could not realistically play a role in this matter:

“Virtually every major automobile manufacturer offers a mobile app with similar functions for their customers,” the lawyers wrote. “It is illogical and impractical to expect Tesla to monitor every vehicle owner’s mobile app for misuse.”

Tesla was eventually removed from the lawsuit.

In the Reuters story, reporters also spoke with a separate woman who made similar allegations that her ex-husband had tracked her location by using the Tesla app associated with her vehicle. Because the separate woman was a “primary” account owner, she was able to remove the car’s access to the internet, Reuters reported.

****A better path****

Location tracking—and the abuse that can come with it—is a much-discussed topic for Malwarebytes Labs. But the type of location tracking abuse that is happening with shared cars is different because of the value that cars hold in situations of domestic abuse.

A car is an opportunity to physically leave an abusive partner. A car is a chance to start anew in a different, undisclosed location. In harrowing moments, cars have also served as temporary shelter for those without housing.

So when a survivor’s car is tracked by their abuser, it isn’t just a matter of their location and privacy being invaded, it is a matter of a refuge being robbed.

In speaking with the news outlet CalMatters, Yenni Rivera, who works on domestic violence cases, explained the stressful circumstances of exactly this dynamic.

“I hear the story over and over from survivors about being located by their vehicle and having it taken,” Rivera told CalMatters. “It just puts you in a worst case situation because it really triggers you thinking, ‘Should I go back and give in?’ and many do. And that’s why many end up being murdered in their own home. The law should make it easier to leave safely and protected.”

Though the state of California is considering legislative solutions to this problem, national lawmaking is slow.

Instead, we believe that the companies that have the power to do something act on that power. Much like how Malwarebytes and other cybersecurity vendors banded together to launch the Coalition Against Stalkerware, automakers should work together to help users.

Fortunately, an option may already exist.

When the Alliance for Automobile Innovation warned that consumer data collection requests could be weaponized by abusers who want to comb through the car location data of their partners and exes, the automaker General Motors already had a protection built in.

According to Reuters, the roadside assistance service OnStar, which is owned by General Motors, allows any car driver—be they a vehicle’s owner or not—to hide location data from other people who use the same vehicle. Rivian, a new electric carmaker, is reportedly working on a similar feature, said senior vice president of software development Wassym Bensaid in speaking with Reuters.

Though Reuters reported that Rivian had not heard of their company’s technology being leveraged in a situation of domestic abuse, Wassym believed that “users should have a right to control where that information goes.”

We agree.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Why car location tracking needs an overhaul 

Under a pilot program, CISA has sent out more than 2,000 alerts to registered organizations regarding the existence of any unpatched vulnerabilities in CISA’s KEV catalog.

Thursday, May 9, 2024 14:00

One of the great cybersecurity challenges organizations currently face, especially smaller ones, is that they don’t know what they don’t know. 

It’s tough to have your eyes on everything all the time, especially with so many pieces of software running and IoT devices extending the reach of networks broader than ever.  

One potential (and free!) solution seems to be a new program from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) that alerts companies and organizations of unpatched vulnerabilities that attackers could exploit.  

Under a pilot program that’s been running since January 2023, CISA has sent out more than 2,000 alerts to registered organizations regarding the existence of any unpatched vulnerabilities in CISA’s Known Exploited Vulnerabilities (KEV) catalog. For those that don’t know, the KEV catalog consists of any security issues that threat actors are known to actively exploit in the wild, and often include some of the most serious vulnerabilities disclosed on a regular basis, some of which have been around for years. 

Jen Easterly, CISA’s director, said last month that 49 percent of those vulnerabilities that CISA sent alerts about were mitigated — either through patching or other means. The program will launch in earnest later this year, but more than 7,000 organizations have already registered for the pilot program. 

Everything about this makes sense to me — it comes at no cost to the consumer or business, it allows the government to inform organizations of something they very likely aren’t aware of, and these issues are easy enough to fix with software or hardware patches.  

I’m mainly wondering how we’ll get more potential targets to sign up for this program and receive these alerts. 

According to CISA’s web page on the program, the alerts are only currently available to “Federal, state, local, tribal and territorial governments, as well as public and private sector critical infrastructure organizations.” 

I would imagine that, at some point, the scope of this will be expanded if it continues to be successful, and there are no clear guidelines for what “critical infrastructure” means in this context, exactly. (For example, would something like a regional ISP would be eligible for this program? I’d consider this CI, but I’m not sure the federal government would.) 

Currently, signing up for the alerts seems to be as simple as sending an email. CISA’s also been sending alerts to any vulnerable systems that appear on Shodan scans. I don’t think there’s a way to make something like this compulsory unless it’s codified into law somewhere, but it almost seems like it should be. 

Who wouldn’t want to just get free alerts from the federal government telling you when your network has a vulnerability that’s being exploited in the wild? For many of the local and state government teams, the pilot program targets are understaffed and underfunded, and sometimes the act of patching can get so overwhelming that it can take months to keep current. But this type of organization may also be stretched thin to the point they haven’t even heard of this program from CISA. So if the most I can do is shout out this government program in this newsletter and one extra company signs up, I’ll feel good about that.  

**The one big thing **

Cisco Talos’ Vulnerability Research team recently disclosed three zero-day vulnerabilities two of which are still unpatched as of Wednesday, May 8. Two vulnerabilities in this group — one in the Tinyroxy HTTP proxy daemon and another in the stb\_vorbis.c file library — could lead to arbitrary code execution, earning both issues a CVSS score of 9.8 out of 10. While we were unable to reach the maintainers, the Tinyproxy maintainers have since patched the issue. Another zero-day exists in the Milesight UR32L wireless router. These vulnerabilities have all been disclosed in adherence to Cisco’s third-party vulnerability disclosure timeline after the associated vendors did not meet the 90-day deadline for a patch or communication.   

**Why do I care? **

Tinyproxy is meant to be used in smaller networking environments. It was originally released more than a dozen years ago. A use-after-free vulnerability, TALOS-2023-1889 (CVE-2023-49606), exists in the \`Connection\` header provided by the client. An adversary could make an unauthenticated HTTP request to trigger this vulnerability, setting off the reuse of previously freed memory, which leads to memory corruption and could lead to remote code execution. Four of these issues that Talos disclosed this week still do not have patches available, so anyone using affected software should find other potential mitigations. 

**So now what? **

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.  

**Top security headlines of the week **

**Several international law enforcement agencies have identified, sanctioned and indicted the alleged leader of the LockBit ransomware group.** Russian national Dmitry Yuryevich Khoroshev has been unmasked as the person behind the operator of the username “LockBitSupp,” LockBit’s creator and mastermind. The ransomware group has extorted an estimated $500 million from its victims over its several years of activity. Khoroshev allegedly took 20 percent of each ransom payment and operated the group’s data leak site. The U.S. federal government is offering up to a $10 million reward for anyone who can provide information leading to Khoroshev’s arrest. In all, he is charged with 26 crimes in the U.S. that carry a maximum punishment of 185 years in prison. LockBit, founded around 2018, operates under the ransomware-as-service model in which other actors can pay to access LockBit’s malware and infection tools. The group has been linked to several major ransomware attacks over the years, including against the U.K.’s Royal Mail service, a small Canadian town in Ontario and a children’s hospital in Chicago. (Wired, The Verge) 

**The U.K. blamed Chinese state-sponsored actors for a recent data breach at a military contractor that led to the theft of personal information belonging to around 270,000 members of the British armed forces.** Potentially affected information includes names and banking information for full-time military personnel and part-time reservists, as well as veterans who left the military after January 2018. Some of those affected are also current members of parliament. A top official at the U.K.’s Ministry of Defense called the breach a “very significant matter” and that the contractor immediately took the affected systems offline. While the British government has yet to formally attribute the attack to a specific threat actor, several reports indicate they believe an actor emanating from China was responsible. While the actors may have been present on the network for up to weeks, there is currently no evidence that the information was copied or removed. (The Guardian, Financial Times) 

**Security researchers found a new attack vector that could allow bad actors to completely negate the effect of VPNs.** The method, called “TunnelVision,” can force VPN services to send or receive some or all traffic outside of the encrypted tunnel they create. Traditionally users will rely on VPNs to protect their traffic from snooping or tampering, or to hide their physical locations. The researchers believe TunnelVision affects every VPN application available if it connects to an attacker-controlled network. There is currently no way to avoid or bypass these attacks unless the VPN runs on Linux or Android. TunnelVision has been possible since at least 2002, though it's unclear how often it's been used in the wild. VPN users who are concerned about this attack can run their VPN inside a virtual machine whose network adapter isn’t in bridged mode or connect via the Wi-Fi network of a cellular device. However, for the attack to be effective, the attacker would need complete control over a network. If a connection is affected, though, the user would be completely unaware, and the VPN would not alert them to a change. (Ars Technica, ZDNet) 

**Can’t get enough Talos? **

*   Talos Takes Ep. #182: 4 takeaways from what Talos IR is seeing in the field 
*   ClamAV 1.4.0 release candidate now available! 
*   Critical Tinyproxy Flaw Opens Over 50,000 Hosts to Remote Code Execution 
*   Vulnerabilities in employee management system could lead to remote code execution, login credential theft 

**Upcoming events where you can find Talos **

**ISC2 SECURE Europe** **(May 29)** 

_Amsterdam, Netherlands_ 

> _Gergana Karadzhova-Dangela from Cisco Talos Incident Response will participate in a panel on “Using ECSF to Reduce the Cybersecurity Workforce and Skills Gap in the EU.” Karadzhova-Dangela participated in the creation of the EU cybersecurity framework, and will discuss how Cisco has used it for several of its internal initiatives as a way to recruit and hire new talent._  

**Cisco Live** **(June 2 - 6)** 

_Las Vegas, Nevada_  

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA 256:** c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0    
**MD5:** 8c69830a50fb85d8a794fa46643493b2    
**Typical Filename:** AAct.exe    
**Claimed Product:** N/A     
**Detection Name:** W32.File.MalParent 

**SHA 256:** d529b406724e4db3defbaf15fcd216e66b9c999831e0b1f0c82899f7f8ef6ee1   
**MD5:** fb9e0617489f517dc47452e204572b4e   
**Typical Filename:** KMSAuto++.exe   
**Claimed Product:** KMSAuto++   
**Detection Name:** W32.File.MalParent 

**SHA 256:** abaa1b89dca9655410f61d64de25990972db95d28738fc93bb7a8a69b347a6a6   
**MD5:** 22ae85259273bc4ea419584293eda886   
**Typical Filename:** KMSAuto++ x64.exe   
**Claimed Product:** KMSAuto++   
**Detection Name:** W32.File.MalParent 

**SHA 256:** 8664e2f59077c58ac12e747da09d2810fd5ca611f56c0c900578bf750cab56b7    
**MD5:** 0e4c49327e3be816022a233f844a5731    
**Typical Filename:** aact.exe    
**Claimed Product:** AAct x86    
**Detection Name:** PUA.Win.Tool.Kmsauto::in03.talos 

**SHA 256:** 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa     
**MD5:** df11b3105df8d7c70e7b501e210e3cc3     
**Typical Filename:** DOC001.exe     
**Claimed Product:** N/A     
**Detection Name:** Win.Worm.Coinminer::1201

Tag

#cisco