A critical security flaw in Dell Power Manager has been discovered that could allow attackers to compromise your systems and execute arbitrary code.

****SUMMARY:****

*   **Critical Vulnerability Alert:** Dell Power Manager versions before 3.17 have a high-severity access control flaw (CVE-2024-49600) allowing attackers to gain elevated privileges.

*   **Exploitation Risk:** Attackers with local access can execute arbitrary code, bypass security measures, and compromise system confidentiality, integrity, and availability.

*   **Software Update:** Dell has released Power Manager version 3.17 to address this vulnerability; users should update immediately as no workaround is available.

*   **Vulnerability Discovery:** The flaw was identified and responsibly disclosed by TsungShu Chiu from CHT Security.

*   **Dell’s Recent Breaches:** Dell faced multiple data breaches in September 2024, exposing sensitive information of employees and projects, further emphasizing the need for robust security measures.

Dell has issued a critical security alert (DSA-2024-439) regarding an Improper Access Control vulnerability discovered in its Power Manager software. This vulnerability, identified as CVE-2024-49600, could potentially allow attackers to execute malicious code and gain elevated privileges on affected systems. The vulnerability affects versions of Dell Power Manager released before 3.17.

For your information, Dell Power Manager is a software widely used to manage power settings on Dell systems. This application extends system battery life and provides customizable battery maintenance settings. It also alerts users about power adapter, battery, docking, and USB Type-C device incompatibility.

The vulnerability occurs from improper access control within the software, making it exploitable by low-privileged users with local access. Attackers can bypass security measures, execute arbitrary code, and gain unauthorized access to sensitive system functions. The severity of this vulnerability is rated as high, with a CVSS Base Score of 7.8.

If exploited, it could lead to significant security risks to compromised systems, jeopardizing their confidentiality, integrity, and availability. Execution of arbitrary code can lead to malware installation, data theft, or system compromise, and gaining higher-level system privileges would enable unauthorized actors to perform actions that were otherwise restricted. 

Dell has released an updated version of Power Manager (version 3.17) that addresses the vulnerability. Users are strongly advised to update their software immediately to protect their systems as no workaround is currently available.

“Dell Technologies highly recommends applying this important update as soon as possible. The update contains critical bug fixes and changes to improve functionality, reliability, and stability of your Dell system,” the advisory read.

TsungShu Chiu from CHT Security identified this vulnerability and responsibly disclosed it to Dell Technologies, which in turn acknowledged and appreciated Chiu’s efforts. 

Dell has been in the news for all the wrong reasons lately. Hackread.com recently reported a series of Dell data breaches involving the exposure of sensitive information. Between 19 and 24 September 2024, a hacker, known as “grep,” was revealed to have breached Dell thrice (once with fellow hacker “Chucky”) stealing confidential data related to Jira files, database tables, and schema migrations, totalling 3.5 GB of uncompressed data, data for 10,863 employees, and approximately 500 MB of sensitive data, including project documents and Multi-Factor Authentication (MFA) data.

1.  **Dell resets all customer passwords after security breach**
2.  **Critical Vulnerabilities Found in Pre-Installed Dell Software**
3.  **8 Million Employee Records from Amazon, HP, Others Leaked**
4.  **30M Dell devices at risk by BIOSConnect code execution bugs**
5.  **Flashpoint Uncovers 100,000+ Hidden Flaws, Including Zero-Days**

Dell Urges Immediate Update to Fix Critical Power Manager Vulnerability

The Nemesis and ShinyHunters attackers scanned millions of IP addresses to find exploitable cloud-based flaws, though their operation ironically was discovered due to a cloud misconfiguration of their own doing.

Source: GK Images via Alamy Stock Photo

Cybercriminal gangs have exploited vulnerabilities in public websites to steal Amazon Web Services (AWS) cloud credentials and other data from thousands of organizations, in a mass cyber operation that involved scanning millions of sites for vulnerable endpoints.

Independent cybersecurity researchers Noam Rotem and Ran Locar of the loosely organized research group CyberCyber Labs uncovered the operation in August, and reported it to vpnMentor, which published a blog post on Dec. 9 about their findings. Attackers appear to be connected to known threat groups Nemesis and ShinyHunters, the latter of which is probably best known for a cloud breach earlier this year that stole data from half a million Ticketmaster customers.

“Both of these 'gangs' represent a technically sophisticated cybercriminal syndicate that operates at scale for profit and uses their technical skills to identify weaknesses in controls from enterprises migrating to cloud computing without fully understanding the complexity of services nor the controls offered in cloud computing," notes Jim Routh, chief trust officer at Saviynt, a cloud identity and security management firm.

Ironically, however, the researchers discovered the operation when the French-speaking attackers committed a cloud-based faux pas of their own — they stored some of the data harvested from the victims in an AWS Simple Storage Service (S3) bucket that contained 2TB of data and was left open due to a misconfiguration by its owner, according to the post.

Related:Attackers Can Use QR Codes to Bypass Browser Isolation

"The S3 bucket was being used as a 'shared drive' between the attack group members, based on the source code of the tools used by them," the vpnMentor research team wrote in the post.

Among the data stolen in the operation included infrastructure credentials, proprietary source code, application databases, and even credentials to additional external services. The bucket also included the code and software tools used to run the operation, as well thousands of keys and secrets lifted from victim networks, the researchers said.

**Two-Part Attack Sequence**

The researchers ultimately reconstructed a two-step attack sequence of discovery and exploitation. Attackers began with a series of scripts to scan vast ranges of IPs belonging to AWS, looking for "known application vulnerabilities as well as blatant mistakes," according to the vpnMentor team.

Attackers employed the IT search engine Shodan to perform a reverse lookup on the IP addresses, using a utility in their arsenal to get the domain names associated with each IP address that exists within the AWS ranges to expand their attack surface. In an effort to further extend the domains list, they also analyzed the SSL certificate served by each IP to extract the domain names associated with it.

Related:Wyden and Schmitt Call for Investigation of Pentagon's Phone Systems

After determining the targets, they began a scanning process, first to find exposed generic endpoints and then to categorize the system, such as Laravel, WordPress, etc. Once this was done, they would perform further tests, attempting to extract database access information, AWS customer keys and secrets, passwords, database credentials, Google and Facebook account credentials, crypto public and private keys (for CoinPayment, Binance, and BitcoinD), and more from product-specific endpoints.

"Each set of credentials was tested and verified in order to determine if it was active or not," according to the post. "They were also written to output files to be exploited at a later stage of the operation."

When exposed AWS customer credentials were found and verified, the attackers also tried to check for privileges on key AWS services, including: identity and access management (IAM), Simple Email Service (SES), Simple Notification Service (SNS), and S3.

**Cyberattacker Attribution & AWS Response**

Related:Pegasus Spyware Infections Proliferate Across iOS, Android Devices

The researchers tracked the perpetrators via tools used in the operation, which "appear to be the same" as those used by ShinyHunters. The tools are documented in French and signed by "Sezyo Kaizen," an alias associated with Sebastien Raoult, a ShinyHunters member who was arrested and pleaded guilty to criminal charges earlier this year.

The researchers also recovered a signature used by the operator of a Dark Web market called "Nemesis Blackmarket," which focuses on selling stolen access credentials and accounts used for spam.

The researchers, who work out of Israel, reported their findings to the Israeli Cyber Directorate in early September, and then notified AWS Security in a report sent on Sept. 26. The company immediately took steps to mitigate the impact and alert affected customers of the risk, according to vpnMentor.

Ultimately, the AWS team found that the operation targeted flaws present on the customer application side of the shared responsibility cloud model and did not reflect any fault of AWS, which the researchers said they "fully agree with." The AWS security team confirmed they completed their investigation and mitigation on Nov. 9 and gave the researchers the green light to disclose the incident.

**How to Secure the Cloud IT Footprint**

Some steps organizations can take to avoid a similar attack against their respective cloud environments include making sure hardcoded credentials are never present in their code or even in their filesystem, where they might be accessed by unauthorized parties.

Organizations also should conduct simple Web scans using open source tools like "dirsearch" or  "nikto," which are often used by lazy attackers to identify common vulnerabilities. This will allow them to find holes in their environment before a malicious actor does, the researchers noted.

A Web application firewall (WAF) also is a relatively low-cost solution to block malicious activity, and it's also worthwhile to "roll" keys, passwords, and other secrets periodically, they said. Organizations also can create CanaryTokens in their code in secret places, the researchers noted, which act as tripwires to alert administrators that an attacker may be poking around where they shouldn't be.

Routh says the incident also provides a learning opportunity for organizations which, when presented with new technology options, should adjust and design cyber controls to achieve resilience rather than go with conventional control methods.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Cybercrime Gangs Abscond With Thousands of AWS Credentials

The Digital Operational Resilience Act (DORA) sets strict EU rules for financial institutions and IT providers, emphasizing strong…

The Digital Operational Resilience Act (DORA) sets strict EU rules for financial institutions and IT providers, emphasizing strong cyber risk management, reporting, red teaming, and testing by 2025.

The Digital Operational Resilience Act (DORA) is a set of EU rules around how companies handle disruptions. Each half-decade, digital security requirements seem to ramp up, and the EU is a big part of these growing demands. 

Financial entities need to now demonstrate a new approach to risk management, with January 2025 being when the new framework kick starts. It will govern banks, insurers, investment firms, and other financial companies. Third-party IT providers face similar scrutiny, too.

One fallout from this is that security validation through red teaming has become more important than ever. But before looking at how these assessments mirror actual cybersecurity threats, let’s dig into the DORA requirements.

****DORA Requirements****

DORA’s framework can be split into five elements, with IT risk management leading these pillars. Institutions ultimately need clear protocols to spot, block, and tackle cyber threats. Strong governance isn’t optional, of course, and written strategies must exist.

Quick incident reporting has more emphasis than before. Major IT issues require prompt notification to authorities, and financial entities must undergo threat-led testing. Service providers can’t escape oversight, as they ought to match the institution’s resilience standards.

Testing protocols demand thoroughness, and networks need assessment. Vulnerabilities require identification so that security plans can evolve. DORA ultimately pushes for constant vigilance and enhancement of protective measures.

****What is Red Teaming?****

To understand how red teaming helps, let’s quickly run through what it is. Red teaming is when expert professionals replicate sophisticated attack patterns, so it transcends basic checks. They even blend technical expertise with social manipulation, and physical security falls within this scope.

Teams will combine diverse talents so that a broad mix of skills is weaponised. Some focus on network penetration, while others excel at social engineering. Threat analysts tie this all together, and unexpected scenarios are launched. No warnings precede their attempts, either, so it creates genuine challenge conditions.

****How Red Teaming Aligns with DORA Requirements****

This methodology happens to precisely align with DORA’s testing demands, proving operational resilience through action – not documents. 

Under DORA, financial firms must conduct regular attack exercises. The first two must be done internally, but the third must be by an external red teaming expert.

DORA also mandates purple teaming, which is a collaboration between red teams and the defenders (blue team) to boost the response capabilities.

Teams probe critical functions systematically and exploit complex attack chains. Supply chain vulnerabilities emerge clearly.

Documentation flows naturally as a result, with each attack path generating new evidence. Organizations gain compliance proof while strengthening defenses and incident response procedures improve through practical application.

****Benefits of Red Teaming****

Red teaming delivers substantial benefits for financial firms seeking DORA compliance by providing a comprehensive evaluation of their security posture. This proactive approach helps identify and remediate vulnerabilities that might otherwise remain undetected through conventional testing.

The methodology isn’t only for DORA – it existed long before these new EU rules. This is because it strengthens incident response procedures by testing them under realistic conditions, and this methodology dates back decades.

Red teaming exercises also help validate the effectiveness of security investments and demonstrate due diligence to regulators. 

****Final Word****

Red teaming delivers vital DORA compliance support, but it ultimately proves one’s security capabilities through rigorous testing. Documentation satisfies regulatory requirements naturally, and as 2025 approaches, this methodology is becoming increasingly valuable.

1.  Best Paid and Free OSINT Tools for 2024
2.  Vulnerability Risk Management for External Assets
3.  Russia Hackers Abusing BRc4 Red Team Penetration Tool
4.  What is Stakeholder-Specific Vulnerability Categorization?
5.  Features of Cybersecurity Management Software for MSPs

How Red Teaming Helps Meet DORA Requirements

It’s easy to tick the checkboxes on a compliance checklist with the mindset that your system is protected and not exposed to risk. If it is this simple, why do we continue to invest billions of dollars in developing security controls and software development lifecycle (SDL) practices that help harden software and minimize risk? What is the value in configuring services, tuning firewalls, and enforcing access policies only to accept a risk rating for a vulnerability directly mapped to a base score that seemingly ignores all the work done?This contradictory model of focusing on security featur

It’s easy to tick the checkboxes on a compliance checklist with the mindset that your system is protected and not exposed to risk. If it is this simple, why do we continue to invest billions of dollars in developing security controls and software development lifecycle (SDL) practices that help harden software and minimize risk? What is the value in configuring services, tuning firewalls, and enforcing access policies only to accept a risk rating for a vulnerability directly mapped to a base score that seemingly ignores all the work done?

This contradictory model of focusing on security features yet discounting those security features has, over time, gone unchecked and unchallenged for several reasons. For many, that reason is likely the fear of what’s at risk. Others may be victims of policies that are built to ease compliance. Regardless of the reason, almost everyone we speak to reiterates that they wish their circumstance was different, and they truly understand the value of a proper risk-based impact assessment. So how did we get here?

**Aging vulnerability standards need continuous evolution**

In 2005, the Internet Category of Attacks Toolkit (ICAT) was rebranded as the National Vulnerability Database (NVD) with the primary purpose of standardizing how vulnerability data is shared as an initial reference for the US government. I doubt anyone would argue against the impact that the NVD has had in providing easily accessible and standardized data. In an effort to provide the US federal civilian government with a simple risk classification for vulnerabilities, the NVD began mapping Common Vulnerability Scoring System (CVSS) base scores with risk levels and has maintained this method ever since. In the early 2000s, computer systems were still relatively simple. While this mapping of risk levels had merit in 2005, the same is not true today.

Here are two scenarios to illustrate this point.

1.  Suppose that component-x.y.z, developed by the open source community, is used by three different software vendors. Each vendor then builds or uses the component in a different way. One vendor may disable a key feature at compile time, while another may limit usage with configuration. A third vendor may disable access to that feature. Why would it then make sense to expect a vulnerability to affect the Confidentiality, Integrity, and Availability (CIA) of a system in a similar manner across each vendor offering?
2.  In late 2000, we saw an expansion of Linux-centric security tooling emerge, which were, in part, built to address early iterations of the Federal Information Processing Standards (FIPS. The National Security Agency (NSA) introduced SELinux and the security feature swing started in earnest, with Linux security modules, two-factor authentication and packet filtering enhancements, as well as new tools like fapolicyd and roles like realmd system. Vulnerable code is still vulnerable code; however, the conditions needed for that vulnerable code to be executed are subject to the security and mitigation controls that are in place. These new controls limited the exploitability of that component and thus changed the risk levels.

When I joined Red Hat back in 2005, I remember questioning the business model for open source software when it was available for free. Why pay a subscription fee? The answer is trust and accountability. Who’s responsible for the maintenance? Who’s responsible for the security posture of the product or service?

The answer to both those questions is the vendor. The vendor is accountable for an impact assessment of vulnerabilities based on the default builds and configurations provided in the subscription. It is the job of a Product Security Incident Response Team (PSIRT) to identify and assess impact. We are accountable to customers and these assessments are intended to help prioritize and minimize security risk. This is part of the value of software subscription. There are many vendors just like Red Hat who do impact assessments on vulnerabilities and do them well. These impact assessments aren’t just intended for customers, but are how vendor engineering teams prioritize as well. If a vendor CVE rating is moderate, per lifecycle policies, that CVE is not likely to be fixed in product versions that are in maintenance.

**Break the contradiction**

In order to break the contradictory model we’re in, vendor assessments must be trusted over the ease of broad impact assessments based on merely the base score, which really only represents the base characteristics of the vulnerability. This does not imply that the vendor rating is always applicable. Most users do not run a default configuration for everything and some opt to add additional applications and libraries or replace what was provided. Users who create these scenarios accept the accountability for the impact assessment.

A good security practitioner, namely one who is accountable for prioritizing vulnerability remediation in a Computer Security Incident Response Team (CSIRT) environment, should use the vendor base CVSS as intended and leverage the additional temporal and environmental scores. Why? Because relying solely on the base score wastes company focus and resources, ignores hardening and systems / data risk, and could mask a greater impact. This is such an important point that first.org highlights this in the CVSS user guide.

Minimizing risk and exposure to vulnerabilities must remain a multi-pronged approach. Security teams should continue to scan for and remediate vulnerability findings. However, this effort must not compete with or devalue the investment in software features that effectively harden systems and minimize exposure. There is no easy button.

Enter keywords here to search blogs

UI\_Icon-Red\_Hat-Close-A-Black-RGB

**Browse by channel**

**Automation**

The latest on IT automation for tech, teams, and environments

**Security**

The latest on how we reduce risks across environments and technologies

**Edge computing**

Updates on the platforms that simplify operations at the edge

**Infrastructure**

The latest on the world’s leading enterprise Linux platform

**Applications**

Inside our solutions to the toughest application challenges

**Original shows**

Entertaining stories from the makers and leaders in enterprise tech

Do software security features matter in the world of vulnerability remediation?

Luigi Mangione, a 26-year-old graduate of the University of Pennsylvania, was apprehended on Monday after visiting a McDonald's in Altoona, Pennsylvania.

Authorities arrested a man in Pennsylvania on Monday who police say is connected to the shooting death of UnitedHealthcare CEO Brian Thompson in New York City last week.

Police apprehended Luigi Mangione, 26, in Altoona five days after Thompson was shot in Midtown Manhattan in the early hours of Wednesday, December 4, setting off a manhunt for the shooter, whose identity remained unknown. Mangione was detained after he visited a McDonald’s location in Altoona, where other guests noticed his resemblance to images of the suspected shooter released by the New York Police Department and contacted authorities, according to The New York Times.

The NYPD did not immediately respond to WIRED’s request for comment.

Prior to Mangione’s arrest, NYPD investigators mapped the alleged shooter’s movements around New York City since late November, including his stay at a Manhattan hostel, where an image of the suspect was captured without a face mask. Police later found the suspect’s backpack in Central Park, where he fled following the shooting, according to the NYPD. Authorities reportedly believe he left New York City on a bus.

Online records show that Luigi Mangione is an app developer who graduated with bachelor's and master's of science in engineering degrees from the University of Pennsylvania in May 2020. A GitHub account that appears to be Mangione’s and an Instagram account for the game development company AppRoarr Studios indicate that he is a cofounder there. AppRoarr did not immediately respond to WIRED’s request for comment.

A LinkedIn account that appears to be Mangione's lists his employer as TrueCar, an online used vehicle retailer, where he claims to have started work as a data engineer in November 2020. The company confirmed his previous employment but told The New York Times that he has not worked at TrueCar since 2023. The company did not immediately respond to WIRED's request for comment.

At the scene of Thompson’s shooting outside the New York Hilton Midtown, NYPD investigators discovered bullet casings bearing the words “delay,” “depose,” and “deny,” likely references to the ways in which health insurance companies refuse to cover customers’ medical claims. According to the Times, authorities say Mangione was carrying a “manifesto” that included passages “criticizing health care companies for putting profits above care.”

UnitedHealthcare did not immediately respond to a request for comment from WIRED. In a statement provided to other media outlets, a company spokesperson said: “Our hope is that today’s apprehension brings some relief to Brian’s family, friends, colleagues and the many others affected by this unspeakable tragedy. We thank law enforcement and will continue to work with them on this investigation. We ask that everyone respect the family’s privacy as they mourn.”

A search of Mangione’s online footprint paints a picture of a typical twentysomething, including accounts on Pinterest, Skype, Instagram, and Facebook. On X, what appears to be his account featured an image of what looks to be an X-ray following major spinal cord surgery, one of the few explicit references to health care in his online account history.

A GoodReads account featuring a photo of the suspect that also shares a username with an email address and GitHub account linked to Mangione includes several books related to back pain, including _Crooked: Outwitting the Back Pain Industry and Getting on the Road to Recovery_. Other titles include _Hillbilly Elegy_, by US vice president-elect JD Vance, and “Industrial Society and Its Future,” the anti-technology diatribe colloquially known as the Unabomber Manifesto. The GoodReads account has since been set to private.

Mangione, who was valedictorian of his private high school in the Baltimore area, appears to have been an avid gamer, with dozens of game titles listed on an Xbox Live account that shares his name. In 2018, Mangione described himself as passionate about making video games, and helped to found a game development club at Penn that was quickly joined by roughly 60 students, according to a since-deleted article on the university's news hub.

On a GitHub page believed to belong to Mangione, he shared code repositories that focused on machine learning and human-computer interaction. Among these is a project titled "Meccanoid-Imitate,” which apparently uses Arduino—an open source and easy-to-use electronics platform—and a programmable Meccanoid robot. The repository, last updated four years ago, includes animated GIFs showing Mangione in what appears to be a classroom, moving his arms while a Meccanoid robot behind him mimics his gestures.

_Updated at 5:30 pm EST, December 9, 2024, to include additional information about Mangione's employment history._

Police Arrest UnitedHealthcare CEO Shooting Suspect, App Developer Luigi Mangione

Researchers demonstrate a proof-of-concept cyberattack vector that gets around remote, on-premises, and local versions of browser isolation security technology to send malicious communications from an attacker-controlled server.

Source: Sasin Paraska via Shutterstock

Security researchers have found a way to bypass three types of browser isolation, which would allow a cyberattacker to send malicious data to a remote device by using QR codes.

Researchers from Mandiant demonstrated a proof-of-concept (PoC) that gets around remote, on-premises, and local browser isolation by overriding HTTP request-based communication with machine-readable QR codes. In this way, the technique allows attackers to send commands from a command-and-control (C2) server to a victim's device.

Browser isolation is often used by organizations to fight phishing threats, protect a device from browser-delivered attacks, and deter typical C2 tactics used by attackers. The technique runs a browser in a secure environment — such as a cloud server or virtual machine — and then streams the visual content to the user's device.

When browser isolation is being used, the remote browser handles everything from page rendering to executing JavaScript, with only the visual appearance of the webpage sent back to the user's local browser.

As attackers generally send commands to and from a victim's device through HTTP requests, browser isolation makes it challenging for attackers to remotely control a device in the typical way. That's because the HTTP response returned to the local browser contains only the streaming engine to render the remote browser's visual page contents, "and only a stream of pixels is sent to the local browser to visually render the webpage," Mandiant principal security consultant Thibault Van Geluwe de Berlaere wrote in the post. "This prevents typical HTTP-based C2 because the local device cannot decode the HTTP response."

Related:Cybercrime Gangs Abscond With Thousands of AWS Credentials

**Bypassing Browser Isolation With QR Codes**

Mandiant researchers developed a PoC that demonstrates how to get around browser isolation using the Puppeteer JavaScript library and the Google Chrome browser in headless mode. However, any modern browser can be used to achieve the PoC, Van Geluwe de Berlaere noted.

Instead of returning the C2 data in the HTTP request headers or body, as a typical attacker-controlled attempt to send commands to a device might, the C2 server returns a valid webpage that visually shows a QR code. "The implant then uses a local headless browser … to render the page, grabs a screenshot, and reads the QR code to retrieve the embedded data," Van Geluwe de Berlaere wrote.

"By taking advantage of machine-readable QR codes, an attacker can send data from the attacker-controlled server to a malicious implant even when the webpage is rendered in a remote browser."

Related:Wyden and Schmitt Call for Investigation of Pentagon's Phone Systems

In the attack sequence, the malicious implant visually renders the webpage from the browser isolation's pixel streaming engine and decodes the command from the QR code displayed on the page. It then retrieves a valid HTML webpage from the C2 server with the command data encoded in a QR code visually shown on the page.

The remote browser then returns the pixel-streaming engine back to the local browser, starting a visual stream that shows the rendered page obtained from the C2 server. The implant waits for the page to fully render, then grabs a screenshot of the local browser that contains the QR code, which the malicious implant reads to execute the C2 command on the compromised device.

The implant then goes through the local browser again to navigate to a new URL that includes the command output encoded in a URL parameter. This parameter is passed through to the remote browser and ultimately to the C2 server, which decodes the command output as in traditional HTTP-based C2.

**Challenges to Implementing the Bypass**

Though the PoC demonstrates how attackers can get around browser isolation, there are some limitations and challenges to consider when using it, the researchers noted.

One is that it's not feasible to use the PoC with QR codes that have the maximum data size — i.e., 2,953 bytes, 177x177 grid, Error Correction Level "L" — as "the visual stream of the webpage rendered in the local browser was of insufficient quality to reliably read the QR code contents," Van Geluwe de Berlaere explained. Instead, the researchers used QR codes containing a maximum of 2,189 bytes of content.

Related:Pegasus Spyware Infections Proliferate Across iOS, Android Devices

Moreover, the requests take at least five seconds to reliably show and scan the QR code due to the processing involved when using Chrome in headless mode, as well as the time it takes for the remote browser to start up, page-rendering requirements, and the stream of visual content from the remote browser back to the local browser. "This introduces significant latency in the C2 channel," he wrote.

Finally, the PoC does not consider other security features of browser isolation, such as domain reputation, URL scanning, data-loss prevention, and request heuristics, which may need to be overcome if they are present in the browser-isolation environment on which it is being used.

Despite the success of the bypass, Mandiant still recommends browser isolation as a strong protection measure against client-side browser exploitation and phishing attacks. However, Van Geluwe de Berlaere wrote, it should be used as one part of "a well-rounded cyber defense posture" that also includes monitoring for anomalous network traffic and browser in automation mode to defend against Web-based attacks.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Attackers Can Use QR Codes to Bypass Browser Isolation

Vanir automates the process of scanning source code to identify missing security patches.

Source: Art of Food via Alamy Stock Photo

NEWS BRIEF

Security updates in the Android ecosystem is a complex, multistage affair, with each downstream manufacturer responsible for incorporating security fixes and deploying them to individual user devices. Manufacturers have diverse device portfolios with different models running different versions of the Android operating system and related software, which means they are responsible for multiple update versions. As it currently stands, updating Android devices is both time-consuming and labor-intensive.

Vanir, Google's latest open source security patch validation tool, speeds up the process of figuring out which security patches are missing from the platform by scanning custom platform code using static code analysis. By automating this process, OEMs can identify missing security updates much faster than current methods, according to an announcement on the Google Security Blog.

Vanir, which has a 97% accuracy rate, covers 95% of all Android, Wear, and Pixel vulnerabilities that already have public fixes, the company said. Inside Google, Vanir is part of the build system and tests against over 1,300 vulnerabilities, saving internal teams "over 500 hours to date in patch fix time," according to Google.

The tool does not rely on metadata, such as version numbers, repository history, or build configurations, to identify which updates are missing. Instead, Vanir uses automatic signature refinement techniques and multiple pattern analysis algorithms. Google said these algorithms have low false-alarm rates, noting that in two years of testing Vanir, only 2.72% of signatures triggered false alarms.

"This allows Vanir to efficiently find missing patches, even with code changes, while minimizing unnecessary alerts and manual review efforts," the company said.

A single engineer used Vanir to generate signatures for over 150 vulnerabilities and verify missing security patches across downstream branches in just five days, Google noted.

While Vanir was originally introduced at Android Bootcamp back in April and is designed for Android, the tool can be adapted to other ecosystems and platforms with small modifications. Vanir can be used as a standalone application as well as a Python library. Users can integrate Vanir with their continuous builds or test chains by wiring the tool with Vanir scanner libraries.

**About the Author**

Contributing Writer

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

Google Launches Open Source Patch Validation Tool

Introduction In February 2024, we released an update to Exchange Server which contained a security improvement referenced by CVE-2024-21410 that enabled Extended Protection for Authentication (EPA) by default for new and existing installs of Exchange 2019. While we’re currently unaware of any active threat campaigns involving NTLM relaying attacks against Exchange, we have observed threat actors exploiting this vector in the past.

**Introduction**

In February 2024, we released an update to Exchange Server which contained a security improvement referenced by CVE-2024-21410 that enabled Extended Protection for Authentication (EPA) by default for new and existing installs of Exchange 2019. While we’re currently unaware of any active threat campaigns involving NTLM relaying attacks against Exchange, we have observed threat actors exploiting this vector in the past.  

With the release of Windows Server 2025 earlier this month, we released a similar security improvement to Azure Directory Certificate Services (AD CS) by enabling EPA by default. Additionally, as part of the same Windows Server 2025 release, LDAP now has channel binding enabled by default. These security enhancements mitigate risk of of NTLM relaying attacks by default across three on-premise services: Exchange Server, Active Directory Certificate Services (AD CS), and LDAP.

**Background**

NTLM relaying is a popular attack method used by threat actors that allows for identity compromise. An NTLM relay attack typically involves two steps:

1.  Coercing a victim to authenticate to an arbitrary endpoint.
    
2.  Relaying the authentication against a vulnerable target.
    

By forwarding or relaying credentials to a vulnerable endpoint, attackers can authenticate and perform actions on behalf of the victim. This gives attackers an initial foothold for further domain compromise. To stop exploitation in its tracks, it’s essential to address the first class of issues. These vulnerabilities provide attackers with an initial primitive for exploitation. However, to comprehensively mitigate relaying attacks, we need to holistically address vulnerable services by default. Since EPA or other channel binding mechanisms ensure that clients can only authenticate to their intended server, these mitigations play an important role in securing services against NTLM relay attacks.

**Enabling NTLM Relay mitigations**

In the past, Microsoft observed threat actors exploiting services that lack NTLM relaying protections. These include CVE-2023-23397 (an Outlook entry point relayed against Exchange server), CVE-2021-36942 (a LSARPC entry point relayed against Active Directory Certificate Services (AD CS)), and ADV190023 (a WPAD entry point relayed against Lightweight Directory Access Protocol (LDAP)). From these instances, attackers clearly leverage relaying attacks in their campaigns.

In response to these observed NTLM relaying attacks, Microsoft released guidelines for enabling EPA on AD CS, LDAP, and Exchange Server. While this measure does help protect domains against NTLM relaying attacks, it requires manual intervention from a network administrator, which may not be feasible in all environments. Therefore, we have been working to enable NTLM relaying protections by default, which would automatically safeguard environments against such attacks.  

**Exchange Server**

It is important to note the unique role that Exchange Server plays in the NTLM threat landscape, which is why we prioritized hardening it by default. Office documents and emails sent through Outlook serve as effective entry points for attackers to exploit NTLM coercion vulnerabilities, given their ability to embed UNC links within them. Recent vulnerabilities involving NTLM and Office applications include CVE-2024-21413, CVE-2023-23397, and CVE-2023-36563. While we actively fix specific instances of NTLM authentication coercion, attackers often use these vulnerabilities to relay authentication against a vulnerable server, which can lead to compromise of a victim’s account. Exchange Server can be the prime target in such cases since it is a frequently used mail provider across enterprises.  

Earlier this year, with the release Exchange Server 2019 CU 14, Exchange Server now has EPA enabled by default. Exchange Server 2016 is in extended support, and no further CUs are planned for this version. Customers using Exchange Server 2016 can enable EPA via a script.

We recognize that EPA may not be trivial to enable for all environments. A significant portion of enabling EPA by default involved supporting additional scenarios that were not compatible with EPA before. For more information on EPA enablement in your environment, refer to the guidance provided in both the security advisory and the Exchange update blog.

**AD CS and LDAP**

We are also excited to announce that the latest Windows Server 2025, which is now generally available, ships with EPA enabled by default for both AD CS and LDAP. Note that the current default setting for EPA in Server 2025 is Enabled - When Supported, to allow clients that do not support channel bindings to omit them. A stronger EPA security setting for enterprises who do not need to support legacy clients is Enabled – Always, and we hope to move the needle further in future versions of Windows. Additionally, Administrators on Windows Server 2022 and 2019 can manually enable EPA for AD CS and Channel binding for LDAP. We have enabled auditing support for LDAP to identify machines that do not support channel binding to help IT administrators move towards enabling channel binding by default by upgrading to versions that support channel binding.  

With the security-focused default settings for EPA on Exchange Server 2019 CU14 released earlier this year and for AD CS and LDAP released as part of Windows Server 2025, we have enforced strong defenses against preventing NTLM relay attacks on those versions. Additional changes to default EPA enablement are currently in the pipeline for more Windows services. Moving forward, we will continue our efforts to enable EPA across more services by default in future versions, aiming to eliminate this class of NTLM relay attacks entirely.

**Looking ahead: The future of NTLM**

NTLM is a legacy protocol and we have been recommending users to prepare for NTLM being disabled by default in a future version of Windows. We have also been encouraging customers to catalogue and reduce dependencies of NTLM usage and explore moving over to modern authentication protocols like Kerberos. In the interim, we are exploring various strategies to harden against NTLM attacks. A notable development is that in Windows Server 2025 and Windows 11 24H2, NTLMv1 has been removed and the more commonly used NTLM v2 is deprecated. Additionally, admins now have the option to configure SMB to block NTLM.  

The progress towards enforcing secure by default across the ecosystem is aligned with principles from Microsoft’s Secure Future Initiative. As we progress towards disabling NTLM by default, immediate, short-term changes, such as enabling EPA in Exchange Server, AD CS and LDAP reinforce a ‘secure by default’ posture and safeguard users from real-world attacks. We look forward to investing in more secure-by-default NTLM hardening measures across supported versions in the near future.

The security mitigations here are a result of the tremendous work across multiple teams and organizations within Microsoft, notably, Exchange and Windows. Special thanks to Nino Bilic, Matthew Palko, and Wayne McIntyre for their help and support with this blog.

_Rohit Mothe_

_George Hughey_

_MSRC Vulnerabilities & Mitigations Team_

Mitigating NTLM Relay Attacks by Default

The new film about an FBI agent chasing a white supremacist terror cell is based on a true story—and one that connects the headlines of 30 years ago to those of today.

In _The Order,_ director Justin Kurzel’s electric new film, Terry Husk, a haggard, possessed FBI veteran played by Jude Law, pores over a thin paperback with a blood-red cover, paging through diagrams of targeted killings, bombings, and a gallows erected in front of the United States Capitol.

“There are six steps in that book,” says a young sheriff deputized as his assistant, played by Tye Sheridan. He gives the Cliff Notes version as he scours the book, his eyes riveted.

“Recruiting,” he says. “Fundraising. Armed revolution. Domestic terror. Assassination.

“Number six is the day of the rope.”

The book is _The Turner Diaries_, a 1978 novel that depicts the violent overthrow of the American government by armed white supremacist insurgents and the extermination of people of color and Jews in a race war. Photocopied pages from it were found in Oklahoma City bomber Timothy McVeigh’s getaway car when he was apprehended by law enforcement.

Along with Husk and Bob Mathews—the founder of a murderous underground white supremacist guerrilla outfit that counterfeited money and robbed banks and armored cars, played by Nicholas Hoult—_The Turner Diaries_ is the third major character in _The Order_. Though Mathews formally named his group the Silent Brotherhood and claimed he took little inspiration from William Luther Pierce’s incendiary novel, he and his comrades did refer to their group as “The Order”—the same term used in the book for the protagonist’s genocidal militants.

The book’s crimson cover and lurid drawings resurface time and time again. Mathews reads excerpts to his young son before bedtime; a pastor at a neo-Nazi compound in Idaho proffers it to visiting law enforcement agents; and it turns up in the hands of FBI agents desperately seeking to plot out the insurgents’ next moves.

_The Order_ unearths a critical chapter in the history of the American extreme right largely forgotten by the general public. The murder of Jewish talk radio host Alan Berg in 1984 by two of Mathews’ acolytes brought the Order to national attention 30 years ago and inspired not one but two Hollywood films in that decade—_Betrayed_ and Oliver Stone’s _Talk Radio_. Since then, though, only close observers of prison gang and skinhead culture have had cause to track mentions of the Silent Brotherhood by tweaked-out Aryan Brotherhood killers or the annual “Martyrs Day” pilgrimage of Hammerskins from across the West Coast to Whidbey Island in the Puget Sound, where Mathews met his fiery death during a shootout with the FBI.

Now, as the country ponders a return to the 2016-2020 period, when Mathews’ ideological offspring ran riot from Oregon to Washington, DC, his saga is getting marquee billing.

While the film debuts almost a full decade into the American extreme right’s current revival, screenwriter Zach Baylin and producer Bryan Haas began developing the project back in 2016, before the deadly 2017 Unite the Right rally in Charlottesville, Virginia. Baylin tells WIRED that he and Haas stumbled on _The Turner Diaries_ while researching Ruby Ridge, the 1990s militia movement, and McVeigh (who slept with the book under his pillow) and casting around for a lesser-known story to explore the origins of American extremism.

“We were looking to encase the story of one of these groups inside a classic crime thriller,” Baylin says. They stumbled across _The Silent Brotherhood_, a 1989 book by reporters Kevin Flynn and Gary Gerhardt that traced the entire arc of Mathews’ crime spree, from his teenage radicalization through the John Birch Society and Phoenix militias all the way through his death and the subsequent criminal trials of his followers.

“The crimes the Order committed and the way the investigation unfolded, it had the framework of the kind of film that we’d been talking about,” he said.

Flynn and Gerhart’s book, which began with their coverage of Berg’s assassination in his driveway and followed the Order’s saga through the federal pursuit, investigation, and prosecution, is remarkably detailed. Once members of the group were up for trial, Flynn and Gerhart spent hours interviewing them in the Arapahoe County jail, gathering priceless material that allowed them to reconstruct the terrorist group’s inner workings in minute detail. Readers of the book, which is back in print (with a new title) after three decades off the shelves, will note the film’s fidelity to life, particularly in the robbery and heist scenes. However, for Flynn and Gerhardt—who died in 2015—the minutiae of Mathews’ terror campaign were a mechanism to engage audiences with a deeper, darker reality.

“We didn’t write the book for the details. We wrote it to expose the banality of evil, so readers could understand where these folks come from and how endemic it is in American society,” says Flynn, who reported for the Rocky Mountain News for nearly three decades before it shuttered in 2009. Since 2015, he has served as a city councilman in Denver.

_The Order_ is the sort of film America does not produce anymore. Its taut action scenes hearken back to _Heat_, _To Live and Die in L.A._, _The French Connection_, and Sidney Lumet’s police corruption canon (_Serpico_, _Prince of the City_, _Q&A_); the droning soundtrack does not overwhelm viewers; and Adam Arkapaw’s washed-out cinematography encapsulates both the grandeur and the intimidating solitude of the interior Pacific Northwest. The dialog is sparing, direct, and—in spite of Mathews’ grandiose promises of a renewed whites-only bastion in the Pacific Northwest—remarkably free of proselytizing.

For a movie shot in such wide-open landscapes, _The Order_ is tinged through with claustrophobia, a testament to the tension rife throughout Baylin’s writing and Kurzel’s meticulous direction. Like Al Pacino and Robert DeNiro in Michael Mann’s _Heat_, Hoult and Law only come face to face with each other a few times before their penultimate confrontation. However, Kurzel had both actors follow each other for a day and compile dossiers on their opposite number to develop a granular sense of how a manhunt actually functions.

“I wanted them to ask themselves, what does that feel like having a relationship with someone you’re trying to take down? You’re living with a phantom, in a way,” Kurzel says.

Law, whose slow-burn performance is unlike any prior role from his four decades on stage and screen, says the similarities between Husk and Mathews as two opposites of the same coin are at the core of _The Order_’s dramatic tension.

“They’re more alike than they’d ever admit—both are driven, charismatic, and know exactly how to manipulate those around them to achieve their goals,” he says. “Nicholas and I really leaned into that symmetry during our scenes together. It’s almost like they’re looking into a dark mirror—each recognizing qualities in the other that they either admire or fear. That underlying connection adds layers to their conflict, making it not just a clash of ideologies but also a deeply personal battle. It was fascinating to explore that tension with Nicholas.”

Mathews’ brief campaign of armed insurgency and domestic terrorism has continued to inspire generations of extremists in the United States and beyond, from McVeigh and the neo-Nazi bankrollers of the Aryan Republican Army to the killers of Germany’s National Socialist Underground, all the way through to contemporary groups like Atomwaffen Division, the Base and the Terrorgram Collective. The latter group, which federal law enforcement believes to be a “bold-letter, category one” domestic terrorism threat, circulates voluminous propaganda booklets that meld the ethos of _The Turner Diaries_ with Ted Kaczynski’s anti-industrial-civilization ethos and neo-Nazi occultism.

Terrorgram’s materials, which include viable bomb-making instructions, camouflage and tactical guides, and instructions on how to disable critical infrastructure like electrical substations, water treatment plants and dams, have radicalized at least one so-called “saint,” or mass shooter, and are alleged to have been connected to a series of power grid attacks in North Carolina as well as several active federal prosecutions.

“William Pierce doesn’t build bombs,” Mark Potok of the Southern Poverty Law Center, told Rolling Stone a quarter of a century ago. “He builds bombers.” In many ways, the Terrorgram Collective fulfills the same role now, and its publications have become the modern-day version of the _Turner Diaries_. Disseminated worldwide through the moderation-free wilderness of Telegram, the group’s message of hate and violence is now circulating independently of any organized group or ideology for disaffected, unbalanced “lone wolves” to latch onto as justification for future atrocities.

While _The Order_ remains firmly rooted in the past save for one passing reference to the 1995 Oklahoma City bombing in a title card, during production there was no escaping the drumbeat of resurgent far-right militancy in the United States. Kurzel, the director, recalls watching news coverage of the January 6 insurrection and remarking on the gallows erected outside the Capitol building—a drawing of which features in the book and the exposition scene with law. “_The Turner Diaries_ started to become more visible in a present-day setting in a way I was kind of shocked by,” he says, speaking to WIRED from his Tasmania residence. Indeed, following January 6, Amazon removed _The Turner Diaries_ from its online inventory.

Hoult’s bravura portrayal of an ice-cool, controlled yet menacing Mathews through the Order’s campaign of armed robbery, counterfeiting, murder, and armed confrontation with the FBI is one of the film’s dual anchors. Aside from a striking physical resemblance to the Silent Brotherhood’s founder, Hoult closely studied his subject, aping Mathews’ mannerisms and movements from old documentary footage, studying texts that radicalized his subject, lifting weights, and cutting alcohol from his diet.

“Mathews was someone who thought and planned so in advance of what his ultimate goal was, I think he always kept in sight. That’s something Justin and I spoke about, that he wouldn’t lose his head on trivial things or things that would potentially harm his cause. In his mind, he’d already, in some ways, planned his destiny,” Hoult tells WIRED.

By choosing to play Mathews with reserve instead of bombast, as more of a watcher who carefully observes his surroundings and other people to better understand how to turn situations to his advantage, Hoult aimed to show audiences how someone with the charisma of his villain could attract followers and build a movement.

“I think that shows how they penetrate communities and societies in a different way, and perhaps people in the future might be less susceptible to people who behave like him,” he says.

As with any artistic project that focuses on extremism and mass violence, _The Order_’s production team walked a fine line between showing Mathews’ magnetism and the murderous project at the heart of his ideology and actions.

“I think you need to understand the pull of a figure like this,” says Kurzel, whose prior films _Snowtown_ and _Nitram_ depicted, respectively, youthful serial killers and Australia’s worst mass shooting, the 1996 Port Arthur massacre. “Mathews is definitely someone who understands their reach and how to communicate and gather people. There’s gonna be a certain kind of charisma about that.”

Haas, one of the film’s producers, echoed Kurzel's remarks about art pushing the boundaries of acceptability. “It felt like part of the movie was to show the appeal of Bob. He was someone who had charisma, and that tied to these really toxic ideas is really dangerous,” Haas says, praising the “unrelenting realism” the cast brought to their performances.

Ultimately, the hope of slipping an unsparing portrayal of domestic extremism—produced outside of the Hollywood studio system—into the December award season is to reintroduce a discussion of radicalization to American society. “If you don’t learn from history, you’re doomed to repeat it—how a guy that, in the way Nick depicted him, could live down anybody’s street,” says Haas. “There are lots of people right now who are hurting and struggling and looking for answers.”

_Updated: 12/6/2024 4:01 pm EST: This story was updated to clarify which character reads out six steps given in_ The Turner Diaries.

The Real Story of “The Order”

We are excited to introduce LLMail-Inject, a new challenge focused on evaluating state-of-the-art prompt injection defenses in a realistic simulated LLM-integrated email client. In this challenge, participants assume the role of an attacker who sends an email to a user. The user then queries the LLMail service with a question (e.

  

We are excited to introduce LLMail-Inject, a new challenge focused on evaluating state-of-the-art prompt injection defenses in a realistic simulated LLM-integrated email client. In this challenge, participants assume the role of an attacker who sends an email to a user. The user then queries the LLMail service with a question (e.g., “please summarize the last emails about project X”), which prompts the retrieval of relevant emails from a simulated email database. The inclusion of the attacker’s email in these retrievals varies depending on the scenario. The LLMail service is equipped with tools, and the attacker’s objective is to manipulate the LLM into executing a specific tool call as defined by the challenge design, while bypassing the prompt injection defenses in place. The challenge contains several scenarios that require the attacker to ensure that their email is retrieved by the client under certain conditions. Teams with the highest scores will win awards from a total pool of $10,000 USD. 

Since this challenge takes place in a simulated environment, submissions will not be part of Microsoft’s Zero Day Quest. However, since this is a realistic environment, the prompt injection techniques you develop might be applicable to real systems. We encourage you to apply your learnings from this challenge and participate in the Zero Day Quest!  

**What are Prompt Injection Attacks (PIA)?**

In prompt injection attacks against large language models (LLMs), an attacker crafts a specific input (prompt) designed to manipulate the behavior of the model in unintended ways. In such attacks, the attacker exploits the model’s ability to follow instructions embedded within text inputs. By embedding possibly malicious instructions within the input data, the attacker aims to bypass the model’s intended functionality, often to execute unauthorized commands, leak sensitive information, or manipulate outputs. Understanding and defending against prompt injection attacks is crucial for maintaining the security and reliability of LLM-based systems. 

**How does PIA work?**

Prompt injection attacks work by exploiting the inherent design of LLMs, which are trained to follow instructions and generate coherent and contextually appropriate responses based on the input they receive. Attackers craft inputs that include injected commands, which the model then interprets and executes as part of its response generation process. These commands can be embedded in various ways, such as through straight-forward instructions, cleverly phrased questions, statements, or code snippets that the model processes without recognizing them as injected instructions. For instance, an attacker might insert a command within a seemingly benign email message that tricks the model into performing actions like unauthorized data access or executing specific functions. The success of these attacks hinges on the model’s lack of context about the legitimacy of the instructions embedded in the input, making it crucial for developers to implement robust defenses and validation mechanisms to detect and mitigate such manipulative inputs. 

**What are the challenge scenarios and levels in LLMail-Inject?**

The LLMail-Inject challenge is structured into various scenarios based on retrieval configurations and the attacker’s objectives, resulting in a total of 40 levels. Each level is a unique combination of Retrieval-Augmented Generation (RAG) configuration, an LLM (GPT-4o mini or Phi-3-medium-128k-instruct), and a specific defense mechanism. 

Each level and scenario in LLMail-Inject tests different aspects of the LLM’s ability to withstand prompt injection attacks and aims to highlight the importance of robust defense mechanisms. 

**What defenses are included in LLMail-Inject?**

Despite prompt injection attacks being relatively new, researchers have already proposed several defenses to mitigate their effect. The LLMail-Inject challenge incorporates various state-of-the-art defenses to test the robustness of LLMs against prompt injection attacks. These include: 

*   Spotlighting \[1\]: A preventative defense that “marks” data (as opposed to instructions) that is provided to an LLM using methods like adding special delimiters, encoding data (e.g., in base64), or marking each token in the data with a special preceding token. 
    
*   PromptShield \[2\]: A black-box classifier designed to detect prompt injections, ensuring that malicious prompts are identified and mitigated. 
    
*   LLM-as-a-judge: This defense uses an LLM to detect attacks by evaluating prompts instead of relying on a trained classifier. 
    
*   TaskTracker \[3\]: Based on analyzing the model’s internal states to detect task drift, this defense extracts activations when the user first prompts the LLM and again when the LLM processes external data. It then contrasts these activation sets to detect drift via a linear probe on the activation deltas. 
    
*   Combination of all: A variant in the challenge where multiple defenses are stacked together, requiring an attack to evade all defenses simultaneously with a single prompt. 
    

**How do I participate?**

To participate in the LLMail-Inject challenge, please follow the instructions below and visit the official challenge website at LLMail-Inject.  

1.  Create a team by signing in with your GitHub account.  
    
2.  Start playing! You can make a submission through the website UI or programmatically via our competition API. 
    

If using the API for programmatic submissions: 

*   We have API documentation on the website and your API key is already injected into the example Python client. 
    
*   Your API key is also available on your user profile page. 
    
*   We have rate limits in place to ensure a great experience for all participants. The website also provides comprehensive information on how to get started, including how to configure your environment and submit your entries. This setup ensures that participants can easily join the competition and contribute, regardless of their level of experience or preferred method of interaction. 
    

**Scoring, winners, and awards**

The Contest starts at 11:00 a.m. Coordinated Universal Time (UTC) on December 9, 2024, and ends at 11:59 a.m. UTC on January 20, 2025 (“Entry Period”). If at least 10% of the levels have not been solved by at least four (4) teams on the end date listed above, we may opt to extend the challenge. Check LLMail-Inject for any updates to the schedule. 

Throughout the event, a live scoreboard will be displayed (here along with the scoring details). The challenge has a total prize pool of $10,000 USD, with awards distributed as follows:  

*   $4,000 USD for the top team 
    
*   $3,000 USD for the second-place team 
    
*   $2,000 USD for the third-place team 
    
*   $1,000 USD for the fourth-place team.  
    

The winning teams will be invited to co-present with the organizers at the IEEE Conference on Secure and Trustworthy Machine Learning (SaTML) 2025.  

**References**

\[1\] Keegan Hines et al. Defending Against Indirect Prompt Injection Attacks With Spotlighting 

\[2\] Azure AI announces Prompt Shields for Jailbreak and Indirect prompt injection attacks 

\[3\] Sahar Abdelnabi et al. Are you still on track!? Catching LLM Task Drift with Activations 

_This challenge is co-organized by Aideen Fay\*, Sahar Abdelnabi\*, Benjamin Pannell\*, Giovanni Cherubin\*, Ahmed Salem, Andrew Paverd, Conor Mac Amhlaoibh, Joshua Rakita, Santiago Zanella-Beguelin, Egor Zverev, Mark Russinovich, and Javier Rando_

(\*: Core contributors).

Tag

#ios