TA866 (also known as Asylum Ambuscade) is a threat actor that has been conducting intrusion operations since at least 2020.

Highlighting TA866/Asylum Ambuscade Activity Since 2021

If exploited, bad actors can execute arbitrary code while evading detection thanks to a renamed process.

Source: B Christopher via Alamy Stock Photo

A zero-day vulnerability, tracked as CVE-2024-44068, has been discovered in Samsung's mobile processors and is being used in an exploit chain for arbitrary code execution.

The vulnerability was given a critical CVSS score of 8.1 out of 10 and was patched in Samsung's October set of security fixes.

A National Institute of Standards and Technology (NIST) advisory on the bug describes it as "an issue \[that\] was discovered in the m2m scaler driver in Samsung Mobile Processor and Wearable Processor Exynos 9820, 9825, 980, 990, 850, and W920." A use-after-free bug in the mobile processor ultimately leads to privilege escalation, the agency added.

Google researcher Xingyu Jin was credited with reporting the flaw earlier this year, and Google TAG researcher Clement Lecigne warned that an exploit exists in the wild.

"This zero-day exploit is part of an EoP chain," Jin and Lecigne noted. "The actor is able to execute arbitrary code in a privileged camera server process. The exploit also renamed the process name itself to '\[email protected\]', probably for anti-forensic purposes."

**About the Author**

Samsung Zero-Day Vuln Under Active Exploit, Google Warns

PRESS RELEASE

CHARLOTTE, N.C. and SUNNYVALE, Calif., Oct. 21, 2024 /PRNewswire/ -- Honeywell (NASDAQ: HON) and Google Cloud announced a unique collaboration connecting artificial intelligence (AI) agents with assets, people and processes to accelerate safer, autonomous operations for the industrial sector.

This partnership will bring together the multimodality and natural language capabilities of Gemini on Vertex AI – Google Cloud's AI platform – and the massive data set on Honeywell Forge, a leading Internet of Things (IoT) platform for industrials. This will unleash easy-to-understand, enterprise-wide insights across a multitude of use cases. Honeywell's customers across the industrial sector will benefit from opportunities to reduce maintenance costs, increase operational productivity and upskill employees. The first solutions built with Google Cloud AI will be available to Honeywell's customers in 2025.

"The path to autonomy requires assets working harder, people working smarter and processes working more efficiently," said Vimal Kapur, Chairman and CEO of Honeywell. "By combining Google Cloud's AI technology with our deep domain expertise--including valuable data on our Honeywell Forge platform--customers will receive unparalleled, actionable insights bridging the physical and digital worlds to accelerate autonomous operations, a key driver of Honeywell's growth."

"Our partnership with Honeywell represents a significant step forward in bringing the transformative power of AI to industrial operations," said Thomas Kurian, CEO of Google Cloud. "With Gemini on Vertex AI, combined with Honeywell's industrial data and expertise, we're creating new opportunities to optimize processes, empower workforces and drive meaningful business outcomes for industrial organizations worldwide."

With the mass retirement of workers from the baby boomer generation, the industrial sector faces both labor and skills shortages, and AI can be part of the solution – as a revenue generator, not job eliminator. More than two-thirds (82%) of Industrial AI leaders believe their companies are early adopters of AI, but only 17% have fully launched their initial AI plans, according to Honeywell's 2024 Industrial AI Insights report. This partnership will provide AI agents that augment the existing operations and workforce to help drive AI adoption and enable companies across the sector to benefit from expanding automation.

Honeywell and Google Cloud will co-innovate solutions around:

Purpose-Built, Industrial AI Agents   
Built on Google Cloud's Vertex AI Search and tailored to engineers' specific needs, a new AI-powered agent will help automate tasks and reduce project design cycles, enabling users to focus on driving innovation and delivering exceptional customer experiences.

Additional agents will utilize Google's large language models (LLMs) to help technicians to more quickly resolve maintenance issues (e.g., "How did a unit perform last night?" "How do I replace the input/output module?" or "Why is my system making this sound?"). By leveraging Gemini's multimodality capabilities, users will be able to process various data types such as images, videos, text and sensor readings, which will help its engineers get the answers they need quickly – going beyond simple chat and predictions.

Enhanced Cybersecurity  
Google Threat Intelligence – featuring frontline insight from Mandiant – will be integrated into current Honeywell cybersecurity products, including Global Analysis, Research and Defense (GARD) Threat Intelligence and Secure Media Exchange (SMX), to help enhance threat detection and protect global infrastructure for industrial customers. 

On-the-Edge Device Advances   
Looking ahead, Honeywell will explore using Google's Gemini Nano model to enhance Honeywell edge AI devices' intelligence multiple use cases across verticals, ranging from scanning performance to voice-based guided workflow, maintenance, operational and alarm assist without the need to connect to the internet and cloud. This is the beginning of a new wave of more intelligent devices and solutions, which will be the subject of future Honeywell announcements.

By leveraging AI to enable growth and productivity, the integration of Google Cloud technology also further supports Honeywell's alignment of its portfolio to three compelling megatrends, including automation.

About Honeywell  
Honeywell is an integrated operating company serving a broad range of industries and geographies around the world. Our business is aligned with three powerful megatrends – automation, the future of aviation and energy transition – underpinned by our Honeywell Accelerator operating system and Honeywell Forge IoT platform. As a trusted partner, we help organizations solve the world's toughest, most complex challenges, providing actionable solutions and innovations through our Aerospace Technologies, Industrial Automation, Building Automation and Energy and Sustainability Solutions business segments that help make the world smarter and safer as well as more secure and sustainable. For more news and information on Honeywell, please visit www.honeywell.com/newsroom.

About Google Cloud  
Google Cloud is the new way to the cloud, providing AI, infrastructure, developer, data, security, and collaboration tools built for today and tomorrow. Google Cloud offers a powerful, fully integrated, and optimized AI stack with its own planet-scale infrastructure, custom-built chips, generative AI models, and development platform, as well as AI-powered applications, to help organizations transform. Customers in more than 200 countries and territories turn to Google Cloud as their trusted technology partner.

Honeywell and Google Cloud to Accelerate Auto Operations With AI Agents for the Industrial Sector

GoDaddy flagged a ClickFix campaign that infected 6,000 sites in a one-day period, with attackers using stolen admin credentials to distribute malware.

Source: Primakov via Shutterstock

Threat actors have taken a campaign that uses fake browser updates to spread malware to a new level, weaponizing scores of WordPress plug-ins to deliver malicious infostealing payloads, after using stolen credentials to log in to and infect thousands of websites.

Domain registrar GoDaddy is warning that a new variant of malware disguised as a fake browser update known as ClickFix infected more than 6,000 WordPress sites in a one-day period from Sept. 2 to Sept. 3.

Threat actors used stolen WordPress admin credentials to infect compromised websites with malicious plug-ins as part of an attack chain unrelated "to any known vulnerabilities in the WordPress ecosystem," GoDaddy principal security engineer Denis Sinegubko wrote in a recent blog post.

"These seemingly legitimate plugins are designed to appear harmless to website administrators, but contain embedded malicious scripts that deliver fake browser update prompts to end users," he wrote.

The campaign leverages fake WordPress plug-ins that inject JavaScript leading to ClickFix fake browser updates, which use blockchain and smart contracts to obtain and deliver malicious payloads. Attackers use social engineering strategies to trick users into thinking they are updating their browser, but instead they are executing malicious code, "ultimately compromising their systems with various types of malware and information stealers," Sinegubko explained.

Related:Samsung Zero-Day Vuln Under Active Exploit, Google Warns

**Related, Yet Separate Campaigns**

It should be mentioned that ClearFake, widely identified in April, is another fake browser update activity cluster that compromises legitimate websites with malicious HTML and JavaScript. Initially it targeted Windows systems, but later spread to macOS as well.

Researchers have linked ClickFix to ClearFake, but the campaigns as described by various analysts have numerous differences and are likely separate activity clusters. GoDaddy claims to have been tracking ClickFix malware campaign since August 2023, spotting it on more than 25,000 compromised sites worldwide. Other analysts at Proofpoint detailed ClickFix for the first time earlier this year.

The new ClickFix variant as described by GoDaddy is spreading fake browser update malware via bogus WordPress plug-ins with generic names such as "Advanced User Manager" and "Quick Cache Cleaner," according to the post.

"These seemingly legitimate plugins are designed to appear harmless to website administrators but contain embedded malicious scripts that deliver fake browser update prompts to end users," Sinegubko wrote.

Related:Bad Actors Manipulate Red-Team Tools to Evade Detection

All information in the plug-in metadata is fake, including the plug-in name, URL, description, version, and author, but appears plausible at first glance and wouldn't raise suspicion immediately, according to GoDaddy.

**Automation Used to Scale Campaign**

Further analysis detected automation in the naming convention of the plug-ins, with researchers noting a JavaScript file naming pattern consisting of the first letter of each word in the plug-in name, appended with "-script.js."

For example, the Advanced User Manager plug-in contains the aum-script.js file, according to the researchers, who used this naming convention to detect other malicious plug-ins related to the campaign, such as Easy Themes Manager, Content Blocker, and Custom CSS Injector.

The plug-in and author URIs also frequently reference GitHub, but analysis showed that repositories associated with the plug-in don't actually exist. Moreover, the GitHub usernames followed a systematic naming convention linked to the plug-in names, which "indicates an automated process behind the creation of these malicious plugins," Sinegubko wrote.

Indeed, the researchers eventually discovered that the plug-ins are systematically generated using a common template, allowing "threat actors to rapidly produce a large number of plausible plugin names, complete with metadata and embedded code designed to inject JavaScript files into WordPress pages," Sinegubko wrote. This allowed attackers to scale their malicious operations and add an additional layer of complexity for detection.

Related:The Lingering 'Beige Desktop' Paradox

**Credential Theft as Initial Entry?**

GoDaddy isn't clear on how attackers acquired WordPress admin credentials to initiate the latest ClickFix campaign, but it noted that potential vectors include brute-force attacks and phishing campaigns aimed at acquiring legitimate passwords and usernames. 

Moreover, as the payloads of the campaign itself are the installation of various infostealers on compromised end-user systems, it's possible that the threat actors are collecting admin credentials in this way, Sinegubko observed.

"When talking about infostealers, many people think about bank credentials, crypto-wallets and other things of this nature, but many stealers can collect information and credentials from a much wider range of programs," he noted.

Another possible scenario is that the residential IP addresses from which the fake plug-ins were installed could belong to a botnet of infected computers that the attackers use as proxies to hack websites, according to GoDaddy.

Because the campaign includes the theft of legitimate credentials to log in to WordPress sites, people are urged to follow general best practices for protecting their passwords as well as avoid interacting with any unknown websites or messages that ask them to divulge private credentials.

GoDaddy also included a long list of indicators of compromise (IoCs) for the campaign — including names of plug-ins and malicious JavaScript files, endpoints to which smart contracts in the campaign connect, and associated GitHub accounts — in the blog post, so defenders can identify if a website has been compromised.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Swarms of Fake WordPress Plug-ins Infect Sites With Infostealers

Anti-bot services on the dark web allow phishers to bypass Google’s Red Page warnings, evading detection and making…

Anti-bot services on the dark web allow phishers to bypass Google’s Red Page warnings, evading detection and making phishing campaigns harder to stop. Tools like Otus Anti-Bot, Remove Red, and Limitless Anti-Bot are raising concerns among cybersecurity experts.

Cybercriminals are constantly innovating, and their latest weapon is a new breed of services called the anti-bot services, reveals the latest research from SlashNext. These services are advertised on the Dark Web to help phishers bypass Google’s “_Red Page_” warnings.

****The Power of Google’s Red Page****

Phishing attacks have become more sophisticated with the rise of PhaaS (phishing-as-a-service) platforms. These platforms make it easy for even inexperienced criminals to launch large-scale phishing campaigns. However, a major hurdle for phishers has been detection by security services like Google’s Safe Browsing.  

Google Red Page is a feature of Google Safe Browsing that warns users of potential dangers, such as phishing attempts. The page, displayed in red, warns users that a site they are navigating may be deceptive and advises them to avoid it. This can significantly limit the success of phishing attacks, as these campaigns rely on high click-through rates, which are significantly lowered when Google’s detection flags a phishing page and adds it to a blocklist.

****Anti-Bot Services: A New Challenge for Security Teams****

New anti-bot services aim to circumvent Google’s Red Page warnings. These services, including Otus Anti-Bot, Remove Red, and Limitless Anti-Bot, help phishers evade detection. Here is how these work:  

*   **Filtering Out Security Crawlers:** Anti-bot services analyze user-agent strings and IP addresses to identify and block security bots that scan for malicious websites.   
*   **Cloaking Techniques:** Some anti-bot services use techniques like JavaScript obfuscation or context-switching to serve different content to humans and bots. Real users see the phishing page, while security bots might see harmless content.  
*   **Geolocation-Based Targeting:** These services can restrict access to specific regions, ensuring the phishing site remains hidden from international security entities.
*   **CAPTCHAs and Challenges:** By introducing CAPTCHAs or challenge pages, anti-bot services block automated scanners that cannot solve them.

SlashNext researchers note that these services are effective against less sophisticated security bots. However, advanced security measures and manual analysis by security professionals can still detect these phishing sites.

Via SlastNext

“These services represent the latest evolution in the ongoing cat-and-mouse game between cybercriminals and security measures,” SlashNext researchers explained in the blog post.

Anti-bot services are constantly evolving to stay ahead of security measures. As new detection techniques emerge, these services will likely adapt to counter them. Cybersecurity teams must remain vigilant and adopt advanced threat detection methods to combat the growing sophistication of phishing attacks.

1.  EvilProxy Phishing Kit Hits 100+ Firms, Bypasses MFA
2.  Cybercriminals Beta Test New Attack to Bypass AI Security
3.  Trio Run “OTP Agency” Enabling Bank Fraud and 2FA Bypass
4.  Phishing Attacks Bypass Microsoft 365 Email Safety Warnings
5.  Unicode QR Code Phishing Scam Bypasses Traditional Security

Dark Web Anti-Bot Services Let Phishers Bypass Google’s Red Page

Ubuntu Security Notice 7072-2 - Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-7072-2October 21, 2024linux-gke vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-gke: Linux kernel for Google Container Engine (GKE) systemsDetails:Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - Watchdog drivers;  - Netfilter;  - Network traffic control;(CVE-2024-38630, CVE-2024-27397, CVE-2024-45016)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS  linux-image-5.15.0-1068-gke     5.15.0-1068.74  linux-image-gke                 5.15.0.1068.67  linux-image-gke-5.15            5.15.0.1068.67After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-7072-2  https://ubuntu.com/security/notices/USN-7072-1  CVE-2024-27397, CVE-2024-38630, CVE-2024-45016Package Information:  https://launchpad.net/ubuntu/+source/linux-gke/5.15.0-1068.74

Ubuntu Security Notice USN-7072-2

Two malware families that suffered setbacks in the aftermath of a coordinated law enforcement operation called Endgame have resurfaced as part of new phishing campaigns.
Bumblebee and Latrodectus, which are both malware loaders, are designed to steal personal data, along with downloading and executing additional payloads onto compromised hosts.
Tracked under the names BlackWidow, IceNova, Lotus,

Malware / Threat Intelligence

Two malware families that suffered setbacks in the aftermath of a coordinated law enforcement operation called Endgame have resurfaced as part of new phishing campaigns.

Bumblebee and Latrodectus, which are both malware loaders, are designed to steal personal data, along with downloading and executing additional payloads onto compromised hosts.

Tracked under the names BlackWidow, IceNova, Lotus, or Unidentified 111, Latrodectus, is also considered to be a successor to IcedID owing to infrastructure overlaps between the two malware families. It has been used in campaigns associated with two initial access brokers (IABs) known as TA577 (aka Water Curupira) and TA578.

In May 2024, a coalition of European countries said it dismantled over 100 servers linked to several malware strains such as IcedID (and, by extension, Latrodectus), SystemBC, PikaBot, SmokeLoader, Bumblebee, and TrickBot.

"Although Latrodectus was not mentioned in the operation, it was also affected and its infrastructure went offline," Bitsight security researcher João Batista noted back in June 2024.

Cybersecurity firm Trustwave, in an analysis published earlier this month, described Latrodectus as a "distinct threat" that has received a boost following Operation Endgame.

"While initially impacted, Latrodectus quickly rebounded. Its advanced capabilities filled the void left by its disabled counterparts, establishing itself as a formidable threat," the cybersecurity company said.

Attack chains typically leverage malspam campaigns, exploiting hijacked email threads and impersonating legitimate entities like Microsoft Azure and Google Cloud to activate the malware deployment process.

The newly observed infection sequence by Forcepoint and Logpoint takes the same route, with the DocuSign-themed email messages bearing PDF attachments containing a malicious link or HTML files with embedded JavaScript code that are engineered to download an MSI installer and a PowerShell script, respectively.

Regardless of the method employed, the attack culminates in the deployment of a malicious DLL file that, in turn, launches the Latrodectus malware.

"Latrodectus leverages older infrastructure, combined with a new, innovative malware payload distribution method to financial, automotive, and business sectors," Forcepoint researcher Mayur Sewani said.

The ongoing Latrodectus campaigns dovetail with the return of the Bumblebee loader, which employs a ZIP archive file likely downloaded via phishing emails as a delivery mechanism.

"The ZIP file contains an LNK file named 'Report-41952.lnk' that, once executed, starts a chain of events to download and execute the final Bumblebee payload in memory, avoiding the need to write the DLL on disk," Netskope researcher Leandro Fróes said.

The LNK file is intended to execute a PowerShell command to download an MSI installer from a remote server. Once launched, the MSI samples, which masquerade as installers from NVIDIA and Midjourney, serve as a channel to launch the Bumblebee DLL.

"Bumblebee uses a stealthier approach to avoid the creation of other processes and avoids writing the final payload to disk," Fróes pointed out.

"It does so by using the SelfReg table to force the execution of the DllRegisterServer export function present in a file in the File table. The entry in the SelfReg table works as a key to indicate what file to execute in the File table and in our case it was the final payload DLL."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Bumblebee and Latrodectus Malware Return with Sophisticated Phishing Strategies

34 sessions from 54 presenters representing 20 organizations! We are thrilled to reveal the lineup of speakers and presentations for the 23rd BlueHat Security Conference, in Redmond WA from Oct 29-30. This year’s conference continues the BlueHat ethos and Secure Future Initiative mission of “Security Above All Else”.
Security researchers and responders from inside and outside of Microsoft will gather on the Microsoft campus in Redmond, WA to share, debate, and challenge each other, with the shared goal of creating a safer and more secure world for all.

**34 sessions from 54 presenters representing 20 organizations!**

We are thrilled to reveal the lineup of speakers and presentations for the 23rd BlueHat Security Conference, in Redmond WA from Oct 29-30.  

This year’s conference continues the BlueHat ethos and Secure Future Initiative mission of “Security Above All Else”.

Security researchers and responders from inside and outside of Microsoft will gather on the Microsoft campus in Redmond, WA to share, debate, and challenge each other, with the shared goal of creating a safer and more secure world for all.

For those unable to attend in-person sessions will be available to view on demand in the weeks following the conference.

_Please note that session times and order are still subject to change. The final schedule will be published and provided to attendees in advance of the conference._

**Day 1, Tuesday, October 29, 2024**

**Keynote: Chris Wysopal (Weld Pond)**  
Co-founder & Chief Security Evangelist, Veracode

**Track A: Cloud & Identity Security**

**Track B: OS & App Security**

**The two sides of UnOAuthorized** Presented by Eric Woodruff from Semperis and Cameron Vincent from Microsoft

**DCOM Research for Everyone!** Presented by James Forshaw from Google

**Tokens & Takeovers: Cloud-Powered Supply Chain Attacks** Presented by Nitesh Surana from Trend Micro and Gaurav Mathur from Microsoft

**Outlook Unleashing RCE Chaos CVE-2024-30103 & CVE-2024-38021 & CVE-2024-38173** Presented by Michael Gorelik from Morphisec

**Double Agent: Exploiting Pass-through Authentication Credential Validation in Azure AD** Presented by Cymulate

**Pointer Problems – Why We’re Refactoring the Windows Kernel** Presented by Joe Bialek from Microsoft

**Lightning Talks**

**World of Scams - A systematic analysis of online scams using the Scam Tactics and Techniques Framework** Presented by Amit Tambe from F-Secure

**A Security Engineer’s Journey: Creating a Developer-Friendly Security Tool** Presented by Susan Krkasharian from Microsoft

**My Best Frenemy: A Synergy Between Red Team and Blue Team in Oracle's SaaS Security** Presented by Svetlana Gaivoronski and David B. Cross from Oracle

**Lessons Learned: Scaling Out Securing Open Source** Presented by Zachary Steindler from Microsoft

**Entitlements on macOS and why they matter** Presented by Yves Younan from Cisco Talos

**Creating a Transparent Cloud Industry** Presented by Justin T Mourfield and Sesha Machiraju from Microsoft

**How Microsoft is Scaling DAST** Presented by Jason Geffner from Microsoft

**Echoes of Intrusion: Demystifying MS Graph API Attacks** Presented by Miriam Wiesner from Microsoft

**When the Levee Breaks: Exposing Critical Flaws in Wi-Fi Camera Ecosystems** Presented by Mark Mager and Eric Forte from Elastic

**Deprecating Azure AD Graph API is Easy and Other Lies We Tell Ourselves** Presented by Nestori Syynimaa from Microsoft

**Sweet QuaDreams or Nightmare Before Christmas? Dissecting an iOS 0-day** Presented by Christine Fossaceca from Microsoft and Bill Marczak from Citizen Lab

**Day 2, Wednesday, October 30, 2024**

**Keynote: Amanda Silver**  
CVP & Head of Product, Developer Division, Microsoft

**Track C: Threat Hunting & Intel**

**Threat D: AI & ML Security**

**Patterns in the Shadows: Scaling Threat Hunting and Intelligence for Modern Adversaries** Presented by Mark Parsons and Colin Cowie from Sophos

**Lessons Learned from Red Teaming 100 Generative AI Applications** Presented by Ram Shankar Siva Kumar and Blake Bullwinkel from Microsoft

**Scaling AppSec With an SDL for Citizen Development** Presented by Michael Bargury from Zenity/OWASP and Don Willits from Microsoft

**Isolation or Hallucination? Hacking AI Infrastructure Providers for Fun and Weights** Presented by Hillai Ben-Sasson and Sagi Tzadik from Wiz

**Embedding Sysmon Logs for Enhanced Threat Detection: A Practical Approach to Using RAG in Cybersecurity** Presented by Jose Rodriguez from George Mason University

**Breaking LLM Applications - Advances in Prompt Injection Exploitation** Presented by Johann Rehberger from embracethered.com

**Lightning Talks**

**Getting "In Tune" with an Enterprise: Detecting Microsoft Intune Lateral Movement** Presented by Brett Hawkins from IBM

**AI's got Muffins- the RAG-a-muffins!!!** Presented by Vivek Vinod Sharma from Microsoft

**Ransomware Resilience: Turning the Tide Against Cyber Extortion** Presented by Tom Williams from True Zero Technologies

**SafeChatAI: Enhancing Cybersecurity Awareness Using Artificial Intelligence** Presented by Ayobami Olatunji from Microsoft

**Firmware Security: The Middle Child of Security** Presented by Nithin Sade from Google

**Three Decades of Network Security Evolution** Presented by Vern Paxson from Corelight

**PyRIT: From LLM Security Research to Practical Attacks** Presented by Richard Lundeen from Microsoft

**MSTIC Ghost Stories - A Threat Intelligence Year in Review** Presented by Rachel Giacobozzi from Microsoft

**SLIP: Securing LLMs IP Using Weights Decomposition** Presented by Adam Hakim from Microsoft

**Minting Silver Bullets is Challenging** Presented by Josh Brown-White from Microsoft

**Automate AI Red Teaming in your existing tool chain with PyRIT** Presented by Joris de Gruyter and Shiven Chawla from Microsoft

To join the conversation and follow along with BlueHat 2024 please follow us on X/Twitter @MSFTBlueHat and on LinkedIn at aka.ms/MSRC-LinkedIn

Looking forward to seeing you all at BlueHat!

_Nic Fillingham, BlueHat Program Manager_

Announcing the BlueHat 2024 Sessions 

These types of "long-lived" credentials pose a risk for users across all major cloud service providers, and must meet their very timely ends, researchers say.

Source: Artur Marciniec via Alamy Stock Photo

Almost half of organizations have users with "long-lived" credentials in cloud services, making them more likely to be victimized in a data breach.

Long-lived credentials are authentication tokens or keys in the cloud that remain for a long period of time — sometimes valid and sometimes not — ultimately causing major data breaches where attackers have a lengthy open window to compromise credentials.

In Datadog's 2024 "State of Cloud Security" report, the researchers found that long-lived credentials are a widespread issue across all major cloud services, including Google Cloud, Amazon Web Services (AWS), and Microsoft Entra. Not just that, but many of these are even unused, and often are leaked in source code, where they can open access to images and build logs and application artifacts, never expiring and becoming major security risks. 62% of Google Cloud service accounts, 60% of AWS IAM users, and 46% of Microsoft Entra ID applications have an access key older than one year, the researchers found.

Ultimately, organizations struggle to manage these types of credentials, especially at scale, so the researchers at Datadog recommend that long-lived credentials be avoided altogether in order to mitigate this issue. 

"The findings from the State of Cloud Security 2024 suggest it is unrealistic to expect that long-lived credentials can be securely managed," said Andrew Krug, head of security advocacy at Datadog. "To protect themselves, companies need to secure identities with modern authentication mechanisms, leverage short-lived credentials and actively monitor changes to APIs that attackers commonly use."

**About the Author**

Unmanaged Cloud Credentials Pose Risk to Half of Orgs

Immigration and Customs Enforcement's contract with Paragon Solutions faces scrutiny over whether it complies with the Biden administration's executive order on spyware, WIRED has learned.

A $2 million contract that United States Immigration and Customs Enforcement signed with Israeli commercial spyware vendor Paragon Solutions has been paused and placed under compliance review, WIRED has learned.

The White House’s scrutiny of the contract marks the first test of the Biden administration’s executive order restricting the government’s use of spyware.

The one-year contract between Paragon’s US subsidiary in Chantilly, Virginia, and ICE’s Homeland Security Investigations (HSI) Division 3 was signed on September 27 and first reported by WIRED on October 1. A few days later, on October 8, HSI issued a stop-work order for the award “to review and verify compliance with Executive Order 14093,” a Department of Homeland Security spokesperson tells WIRED.

The executive order signed by President Joe Biden in March 2023 aims to restrict the US government’s use of commercial spyware technology while promoting its “responsible use” that aligns with the protection of human rights.

DHS did not confirm whether the contract, which says it covers a “fully configured proprietary solution including license, hardware, warranty, maintenance, and training,” includes the deployment of Paragon’s flagship product, Graphite, a powerful spyware tool that reportedly extracts data primarily from cloud backups.

“We immediately engaged the leadership at DHS and worked very collaboratively together to understand exactly what was put in place, what the scope of this contract was, and whether or not it adhered to the procedures and requirements of the executive order,” a senior US administration official with first-hand knowledge of the workings of the executive order tells WIRED. The official requested anonymity to speak candidly about the White House’s review of the ICE contract.

Paragon Solutions did not respond to WIRED's request to comment on the contract's review.

The process laid out in the executive order requires a robust review of the due diligence regarding both the vendor and the tool, to see whether any concerns, such as counterintelligence, security, and improper use risks, arise. It also stipulates that an agency may not make operational use of the commercial spyware until at least seven days after providing this information to the White House or until the president's national security adviser consents.

“Ultimately, there will have to be a determination made by the leadership of the department. The outcome may be—based on the information and the facts that we have—that this particular vendor and tool does not spur a violation of the requirements in the executive order,” the senior official says.

While publicly available details of ICE’s contract with Paragon are relatively sparse, its existence alone raised alarms among civil liberties groups, with the nonprofit watchdog Human Rights Watch saying in a statement that “giving ICE access to spyware risks exacerbating” the department’s problematic practices. HRW also questioned what it calls the Biden administration’s “piecemeal approach” to spyware regulation.

The level of seriousness with which the US government approaches the compliance review of the Paragon contract will influence international trust in the executive order, experts say.

“We know the dangers mercenary spyware poses when sold to dictatorships, but there is also plenty of evidence of harms in democracies,” says John Scott-Railton, a senior researcher at the University of Toronto’s Citizen Lab who has been instrumental in exposing spyware-related abuses. “This is why oversight, transparency, and accountability around any US agency attempt to acquire these tools is essential.”

International efforts to rein in commercial spyware are gathering pace. On October 11, during the 57th session of the Human Rights Council, United Nation member states reached a consensus to adopt language acknowledging the threat that the misuse of commercial spyware poses to democratic values, as well as the protection of human rights and fundamental freedoms. “This is an important norm setting, especially for countries who claim to be democracies,” says Natalia Krapiva, senior tech-legal counsel at international nonprofit Access Now.

Although the US is leading global efforts to combat spyware through its executive order, trade and visa restrictions, and sanctions, the European Union has been more lenient. Only 11 of the 27 EU member states have joined the US-led initiative stipulated in the “Joint Statement on Efforts to Counter the Proliferation and Misuse of Commercial Spyware,” which now counts 21 signatories, including Australia, Canada, Costa Rica, Japan, and South Korea.

“An unregulated market is both a threat to the citizens of those countries, but also to those governments, and I think that increasingly our hope is that there is a recognition \[in the EU\] of that as well,” the senior US administration official tells WIRED.

The European Commission published on October 16 new guidelines on the export of cyber-surveillance items, including spyware; however, it has yet to respond to the EU Parliament's call to draft a legislative proposal or admonish countries for their misuse of the technology.

While Poland launched an inquiry into the previous government’s spyware use earlier this year, a probe in Spain over the use of spyware against Spanish politicians has so far led to no accusations against those involved, and one in Greece has cleared government agencies of any wrongdoing.

“Europe is in the midst of a mercenary spyware crisis,” says Scott-Railton. “I have looked on with puzzled wonderment as European institutions and governments fail to address this issue at scale, even though there are domestic and export-related international issues.”

With the executive order, the US focuses on its national security and foreign policy interests in the deployment of the technology in accordance with human rights and the rule of law, as well as mitigating counterintelligence risks (e.g. the targeting of US officials). Europe—though it acknowledges the foreign policy dimension—has so far primarily concentrated on human rights considerations rather than counterintelligence and national security threats.

Such a threat became apparent in August, when Google’s Threat Analysis Group (TAG) found that Russian government hackers were using exploits made by spyware companies NSO Group and Intellexa.

Meanwhile, Access Now and Citizen Lab speculated in May that Estonia may have been behind the hacking of exiled Russian journalists, dissidents, and others with NSO Group’s Pegasus spyware.

“In an attempt to protect themselves from Russia, some European countries are using the same tools against the same people that Russia is targeting,” says Access Now’s Krapiva. “By having easier access to this kind of vulnerabilities, because they are then sold on the black market, Russia is able to purchase them in the end.”

“It’s a huge mess,” she adds. “By attempting to protect national security, they actually undermine it in many ways.”

Citizen Lab’s Scott-Railton believes these developments should raise concern among European decisionmakers just as they have for their US counterparts, who emphasized the national security aspect in the executive order.

“What is it going to take for European heads of state to recognize they have a national security threat from this technology?” Scott-Railton says. “Until they recognize the twin human rights and national security threats, the way the US has, they are going to be at a tremendous security disadvantage.”

Tag

#google