More than two years after a major takedown by law enforcement, the threat group is once again proving just how impervious it is against disruption attempts.

Like the proverbial bad penny that constantly keeps turning up, the Emotet malware operation has resurfaced yet again — this time after a lull of about three months.

Security researchers this week noted that the group is once again posing a threat to organizations everywhere, with malicious email activity associated with Emotet resuming early on March 7. The emails have been arriving in victim inboxes as innocuous-looking replies to existing email conversations and threads, so recipients are more likely to trust their content. Some of the Emotet emails have been landing as new messages as well.

**Very Large File & Payload**

The emails contain a .zip attachment, which, when opened, delivers a Word document that prompts the user to enable a malicious macro. If enabled, the macro, in turn, downloads a new version of Emotet from an external site and executes it locally on the machine.

Researchers from Cofense and Hornet Security who observed the fresh malicious activity described the Word documents and the malicious payload as inflated in size and coming in at more than 500MB each. Overall, the volume of the activity has remained unchanged since early March 7, and all of the emails have been attachment-based spam, the researchers said.

"The malicious Office documents and the Emotet DLLs we're seeing are very large files," says Jason Muerer, senior research engineer at Cofense. "We have not yet observed any links with the emails."

Hornet Security ascribed the large file and payload sizes as a likely attempt by the group to try and sneak the malware past endpoint detection and response (EDR) tools. "The latest iteration of Emotet uses very large files to bypass security scans that only scan the first bytes of large files or skip large files completely," according to a post by Hornet researchers. "This new instance is currently running at a slow pace, but our Security Lab expects it to pick up."

**A Malware That Refuses to Die**

Emotet is a malware threat that first surfaced as a banking Trojan in 2014. Over the years, its authors — variously tracked as Mealbug, Mummy Spider, and TA542 — have turned the erstwhile banking Trojan into a sophisticated and lucrative malware delivery vehicle that other threats actors can use to deliver different malicious payloads. These payloads have in recent years included highly prolific ransomware strains, such as Ryuk, Conti, and Trickbot.

The threat actors' preferred mode for delivering Emotet has been via spam emails and phishing, crafted to get users to open attached files or to click on embedded links to malware delivery sites. Once the threat actor compromises a system, Emotet is used to download other malware on it for stealing data, installing ransomware, or for other malicious activities such as stealing financial data. Emotet's command-and-control infrastructure (C2) presently runs on two separate botnets that security vendors have designated as epoch 4 (E4) and epoch 5 (E5)

In early 2021, law enforcement officials from multiple countries disrupted Emotet's infrastructure in a major collaborative effort that has done little to stop the threat actor from continuing its malware-as-a-service. At the time, the US Department of Justice assessed that Emotet's operators had comprised over 1.6 million computers worldwide between April 2020 and January 2021. Victims included organizations in healthcare, government, banking, and academia.

**New Activity, Same Tactics**

An October 2022 analysis of the Emotet threat group by security researchers at VMware identified multiple reasons for the group's continued ability to operate after the massive law enforcement takedown. These included more complex and subtle execution chains, constantly evolving methods to obfuscate its configuration, and using a hardened environment for its C2 infrastructure.

"Emotet has been used to deliver a range of secondary payloads," Muerer says. "While it was predominantly delivering other malware families in the past, there is evidence that the current endgame for these actors will likely be focused on ransomware."

There's nothing about the new Emotet activity that suggests that the threat group has deployed any new tactic or technique, Muerer says. The email-thread hijacking tactic and the macro-enabled Word documents are both tactics that the operators have been using for some time. And, as always, the primary infection vector remains spam and phishing emails.

"Nothing major has shifted that we are aware of," Muerer says. "Emotet remains a threat to everyone, with a disproportionately high impact on small businesses and individuals."

Emotet Resurfaces Yet Again After 3-Month Hiatus

By Deeba Ahmed
Security firm ESET’s cybersecurity researchers have shared their analysis of the world’s first UEFI bootkit being used in…
This is a post from HackRead.com Read the original post: BlackLotus UEFI bootkit Can Bypass Secure Boot on Windows

Security firm ESET’s cybersecurity researchers have shared their analysis of the world’s first UEFI bootkit being used in the wild, which can bypass Secure Boot on fully-updated UEFI systems. It can even bypass it on fully-updated Windows 10 and 11 versions.

**ESET’s Deep-Dive Analysis of UEFI Bootkit**

According to researchers, there is no indication of who created this bootkit or its name, so they concluded that it corresponds to the BlackLotus bootkit. This bootkit has been promoted in underground cybercrime forums since 2022 for $5,000, with an additional $200 for updates.

**Understanding BlackLotus Capabilities**

BlackLotus is written in assembly and C programming languages, so developers can insert a suite of powerful features into an 80kb file. It not only disables Secure Boot but many other OS security mechanisms, including Hypervisor-protected Code Integrity (HVCI), BitLocker, and Windows Defender.

This bootkit can run on fully-updated systems running Windows 11 with UEFI Secure Boot enabled. It targets the firmware’s low-level chain called the Unified Extensible Firmware Interface (UEFI). This complex chain is responsible for booting modern computers. The UEFI bridges the computer’s firmware with the OS while serving as an OS itself.

Since the UEFI is located in the SPI-connected flash storage chip present on the computer’s motherboard, it is extremely hard to inspect or patch it. The difference between the way BlackLotus targets UEFI and other bootkits like MoonBounce, CosmicStrand, and MosaicRegressor is that these target the UEFI firmware stored in the flash storage chip whereas BlackLotus targets the software in the EFI system partition.

**How Does BlackLotus Defeats Secure Boot?**

It is achieved by exploiting a vulnerability found in all supported versions of Microsoft Windows and patched in January 2022. It is tracked as **CVE-2022-21894**. This is a logic flaw, dubbed “Baton Drop” by the researcher who discovered it, which can be exploited for removing Secure Boot functions entirely from the boot sequence when the PC starts.

Threat actors can easily exploit this flaw to obtain keys for BitLocker, which encrypts hard drives. For BlackLotus creators, this flaw has proven immensely useful because, despite being patched, the vulnerable signed binaries haven’t yet been added to the UEFI revocation list, which alerts about untrusted boot files.

**According to researchers**, hundreds of vulnerable bootloaders are currently in use, and if these signed binaries are revoked, it would render millions of devices useless. That’s why fully updated devices are still vulnerable because threat actors can replace patched software with vulnerable, old software.

**Why UEFI Bootkits are a Threat?**

UEFI bootkits are powerful threats because the UEFI has complete control over the operating system’s boot process. That is how it can disable various OS security mechanisms and deploy its own kernel-mode and user-mode payloads in early OS startup stages. This lets the attackers stealthily operate and gain high privileges.

**How the Bootkit is Deployed?**

The way this bootkit is deployed is unclear, but the attack chain involves an installer component that writes files to the EFI system partition and disables HVCI and BitLocker, after which it reboots the host.

BlackLotus disables protection solutions to deploy a kernel driver, which protects against the bootkit file deletion, and an HTTP loader. Conversely, the bootloader establishes communication with the control server and executes the payload.

1.  **New Python Malware Hits Windows Devices**
2.  **ElectroRat hits MacOS, Windows, Linux devices**
3.  **96% of New Malware in 2022 Targeted Windows**
4.  **Chinese Hackers Hide Malware in Windows Logo**
5.  **LodaRAT Windows malware hits Android Phones**
6.  **OpenAI’s ChatGPT Creates Polymorphic Malware**

BlackLotus UEFI bootkit Can Bypass Secure Boot on Windows

Led by growth in Russia, more than 40% of global ICS systems faced malicious activity in the second half of 2022.

More than 40% of the total number of global industrial control systems (ICS) computers saw some kind of malicious attack during the course of 2022.

This volume of cyberattacks against industrial systems was led by growth in Russia, which, as a region, saw a full 9 percentage-point increase in malicious activity in 2022, according to research into telemetry statistics this week from Kaspersky. Blocked malicious scripts were a particularly common threat within the firm's data for the period, which, along with phishing pages targeting ICS, saw an 11% rise over 2021, the analysis added.

However, Russia, which saw 39.2% of the ICS machines in Kaspersky's telemetry attacked, was not the top target overall. Rather, Ethiopia took the crown with 59% of its ICS footprint seeing malicious activity.

"In different regions of the world, the percentage of ICS computers on which malicious activity was prevented ranged from 40.1% in Africa and Central Asia, which led the ranking, to 14.2% and 14.3%, respectively, in Western and Northern Europe, which were the most secure regions," the Kaspersky report said.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

40% of Global ICS Systems Attacked With Malware in 2022

A path traversal vulnerability was identified in GitHub Enterprise Server that allowed remote code execution when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server prior to versions 3.8 and was fixed in versions 3.7.7, 3.6.10, 3.5.14, and 3.4.17. This vulnerability was reported via the GitHub Bug Bounty program.

*   **Administration Changes**
*   Users can now choose the number of spaces a tab is equal to, by setting their preferred tab size in the "Appearance" settings of their user account. All code with a tab indent will render using the preferred tab size.
    
*   The GitHub Connect data connection record now includes a count of the number of active and dormant users and the configured dormancy period.
    
*   You can now give users access to enterprise-specific links by adding custom footers to GitHub Enterprise Server. For more information, see "Configuring custom footers."
    
*   **Performance Changes**
*   WireGuard, used to secure communication between GitHub Enterprise Server instances in a High Availability configuration, has been migrated to the Kernel implementation.
    
*   **Notification Changes**
*   Organization owners can now unsubscribe from email notifications when new deploy keys are added to repositories belonging to their organizations. For more information, see "Configuring notifications."
    
*   Notification emails from newly created issues and pull requests now include (Issue #xx) or (PR #xx) in the email subject, so you can recognize and filter emails that reference these types of issues.
    
*   **Organization Changes**
*   Organizations can now display a README.md file on their profile Overview. For more information, see the "GitHub changelog."
    
*   Members of organizations can now view a list of their enterprise owners under the organization's "People" tab. The enterprise owners list is also now accessible using the GraphQL API. For more information, see the "enterpriseOwners" field under the Organization object in the GraphQL API documentation.
    
*   **Repositories changes**
*   A "Manage Access" section is now shown on the "Collaborators and teams" page in your repository settings. The new section makes it easier for repository administrators to see and manage who has access to their repository, and the level of access granted to each user. Administrators can now:
    
    *   Search all members, teams and collaborators who have access to the repository.
    *   View when members have mixed role assignments, granted to them directly as individuals or indirectly via a team. This is visualized through a new "mixed roles" warning, which displays the highest level role the user is granted if their permission level is higher than their assigned role.
    *   Manage access to popular repositories reliably, with page pagination and fewer timeouts when large groups of users have access.
*   GitHub Enterprise Server 3.4 includes improvements to the repository invitation experience, such as notifications for private repository invites, a UI prompt when visiting a private repository you have a pending invitation for, and a banner on a public repository overview page when there is an pending invitation.
    
*   You can now use single-character prefixes for custom autolinks. Autolink prefixes also now allow ., -, _, +, =, :, /, and # characters, as well as alphanumerics. For more information about custom autolinks, see "Configuring autolinks to reference external resources."
    
*   A CODE_OF_CONDUCT.md file in the root of a repository is now highlighted in the "About" sidebar on the repository overview page.
    
*   **Releases changes**
*   GitHub Enterprise Server 3.4 includes improvements to the Releases UI, such as automatically generated release notes which display a summary of all the pull requests for a given release. For more information, see the "GitHub changelog."
    
*   When a release is published, an avatar list is now displayed at the bottom of the release. Avatars for all user accounts mentioned in the release notes are shown. For more information, see "Managing releases in a repository."
    
*   **Markdown changes**
*   You can now use the new "Accessibility" settings page to manage your keyboard shortcuts. You can choose to disable keyboard shortcuts that only use single characters like S, G C, and . (the period key). For more information, see the "GitHub changelog."
    
*   You can now choose to use a fixed-width font in Markdown-enabled fields, like issue comments and pull request descriptions. For more information, see the "GitHub changelog."
    
*   You can now paste a URL on selected text to quickly create a Markdown link. This works in all Markdown-enabled fields, such as issue comments and pull request descriptions. For more information, see the "GitHub changelog."
    
*   An image URL can now be appended with a theme context, such as #gh-dark-mode-only, to define how the Markdown image is displayed to a viewer. For more information, see the "GitHub changelog."
    
*   When creating or editing a gist file with the Markdown (.md) file extension, you can now use the "Preview" or "Preview Changes" tab to display a Markdown rendering of the file contents. For more information, see the "GitHub changelog."
    
*   When typing the name of a GitHub user in issues, pull requests and discussions, the @mention suggester now ranks existing participants higher than other GitHub users, so that it's more likely the user you're looking for will be listed.
    
*   Right-to-left languages are now supported natively in Markdown files, issues, pull requests, discussions, and comments.
    
*   **Issues and pull requests changes**
*   The diff setting to hide whitespace changes in the pull request "Files changed" tab is now retained for your user account for that pull request. The setting you have chosen is automatically reapplied if you navigate away from the page and then revisit the "Files changed" tab of the same pull request.
    
*   When using auto assignment for pull request code reviews, you can now choose to only notify requested team members independently of your auto assignment settings. This setting is useful in scenarios where many users are auto assigned but not all users require notification. For more information, see the "GitHub changelog."
    
*   **Branches changes**
*   Organization and repository administrators can now trigger webhooks to listen for changes to branch protection rules on their repositories. For more information, see the "branch\_protection\_rule" event in the webhooks events and payloads documentation.
    
*   When configuring protected branches, you can now enforce that a required status check is provided by a specific GitHub App. If a status is then provided by a different application, or by a user via a commit status, merging is prevented. This ensures all changes are validated by the intended application. For more information, see the "GitHub changelog."
    
*   Only users with administrator permissions are now able to rename protected branches and modify branch protection rules. Previously, with the exception of the default branch, a collaborator could rename a branch and consequently any non-wildcard branch protection rules that applied to that branch were also renamed. For more information, see "Renaming a branch" and "Managing a branch protection rule."
    
*   Administrators can now allow only specific users and teams to bypass pull request requirements. For more information, see the "GitHub changelog."
    
*   Administrators can now allow only specific users and teams to force push to a repository. For more information, see the "GitHub changelog."
    
*   When requiring pull requests for all changes to a protected branch, administrators can now choose if approved reviews are also a requirement. For more information, see the "GitHub changelog."
    
*   **GitHub Actions changes**
*   GitHub Actions workflows triggered by Dependabot for the create, deployment, and deployment_status events now always receive a read-only token and no secrets. Similarly, workflows triggered by Dependabot for the pull_request_target event on pull requests where the base ref was created by Dependabot, now always receive a read-only token and no secrets. These changes are designed to prevent potentially malicious code from executing in a privileged workflow. For more information, see "Automating Dependabot with GitHub Actions."
    
*   Workflow runs on push and pull_request events triggered by Dependabot will now respect the permissions specified in your workflows, allowing you to control how you manage automatic dependency updates. The default token permissions will remain read-only. For more information, see the "GitHub changelog."
    
*   GitHub Actions workflows triggered by Dependabot will now be sent the Dependabot secrets. You can now pull from private package registries in your CI using the same secrets you have configured for Dependabot to use, improving how GitHub Actions and Dependabot work together. For more information, see "Automating Dependabot with GitHub Actions."
    
*   You can now manage runner groups and see the status of your self-hosted runners using new Runners and Runner Groups pages in the UI. The Actions settings page for your repository or organization now shows a summary view of your runners, and allows you to deep dive into a specific runner to edit it or see what job it may be currently running. For more information, see the "GitHub changelog."
    
*   Actions authors can now have their action run in Node.js 16 by specifying runs.using as node16 in the action's action.yml. This is in addition to the existing Node.js 12 support; actions can continue to specify runs.using: node12 to use the Node.js 12 runtime.
    
*   For manually triggered workflows, GitHub Actions now supports the choice, boolean, and environment input types in addition to the default string type. For more information, see "on.workflow_dispatch.inputs."
    
*   Actions written in YAML, also known as composite actions, now support if conditionals. This lets you prevent specific steps from executing unless a condition has been met. Like steps defined in workflows, you can use any supported context and expression to create a conditional.
    
*   The search order behavior for self-hosted runners has now changed, so that the first available matching runner at any level will run the job in all cases. This allows jobs to be sent to self-hosted runners much faster, especially for organizations and enterprises with lots of self-hosted runners. Previously, when running a job that required a self-hosted runner, GitHub Actions would look for self-hosted runners in the repository, organization, and enterprise, in that order.
    
*   Runner labels for GitHub Actions self-hosted runners can now be listed, added and removed using the REST API. For more information about using the new APIs at a repository, organization, or enterprise level, see "Repositories", "Organizations", and "Enterprises" in the REST API documentation.
    
*   **Dependabot and Dependency graph changes**
*   Dependency graph now supports detecting Python dependencies in repositories that use the Poetry package manager. Dependencies will be detected from both pyproject.toml and poetry.lock manifest files.
    
*   When configuring Dependabot security and version updates on GitHub Enterprise Server, we recommend you also enable Dependabot in GitHub Connect. This will allow Dependabot to retrieve an updated list of dependencies and vulnerabilities from GitHub.com, by querying for information such as the changelogs of the public releases of open source code that you depend upon. For more information, see "Enabling the dependency graph and Dependabot alerts for your enterprise."
    
*   Dependabot alerts alerts can now be dismissed using the GraphQL API. For more information, see the "dismissRepositoryVulnerabilityAlert" mutation in the GraphQL API documentation.
    
*   **Code scanning and secret scanning changes**
*   The CodeQL CLI now supports including markdown-rendered query help in SARIF files, so that the help text can be viewed in the code scanning UI when the query generates an alert. For more information, see the "GitHub changelog."
    
*   The CodeQL CLI and Visual Studio Code extension now support building databases and analyzing code on machines powered by Apple Silicon, such as Apple M1. For more information, see the "GitHub changelog."
    
*   The depth of CodeQL's analysis has been improved by adding support for more libraries and frameworks from the Python ecosystem. As a result, CodeQL can now detect even more potential sources of untrusted user data, steps through which that data flows, and potentially dangerous sinks where the data could end up. This results in an overall improvement of the quality of code scanning alerts. For more information, see the "GitHub changelog."
    
*   Code scanning with CodeQL now includes beta support for analyzing code in all common Ruby versions, up to and including 3.02. For more information, see the "GitHub changelog."
    
*   Several improvements have been made to the code scanning API:
    
    *   The fixed_at timestamp has been added to alerts. This timestamp is the first time that the alert was not detected in an analysis.
    *   Alert results can now be sorted using sort and direction on either created, updated or number. For more information, see "List code scanning alerts for a repository."
    *   A Last-Modified header has been added to the alerts and alert endpoint response. For more information, see Last-Modified in the Mozilla documentation.
    *   The relatedLocations field has been added to the SARIF response when you request a code scanning analysis. The field may contain locations which are not the primary location of the alert. See an example in the SARIF spec and for more information see "Get a code scanning analysis for a repository."
    *   Both help and tags data have been added to the webhook response alert rule object. For more information, see "Code scanning alert webhooks events and payloads."
    *   Personal access tokens with the public_repo scope now have write access for code scanning endpoints on public repos, if the user has permission.
    
    For more information, see "Code scanning" in the REST API documentation.
    
*   GitHub Advanced Security customers can now use the REST API to retrieve private repository secret scanning results at the enterprise level. The new endpoint supplements the existing repository-level and organization-level endpoints. For more information, see "Secret scanning" in the REST API documentation.
    
*   **Mobile changes**
*   Support for GitHub Mobile is now enabled by default for new GitHub Enterprise Server instances. If you have not explicitly disabled or enabled GitHub Mobile, GitHub Mobile will be enabled when you upgrade to GitHub Enterprise Server 3.4.0 or later. If you previously disabled or enabled GitHub Mobile for your instance, your preference will be preserved upon upgrade. For more information, see "Managing GitHub Mobile for your enterprise."

CVE-2023-23760: Release notes - GitHub Enterprise Server 3.4 Docs

By Deeba Ahmed
Currently, scammers are using DBatLoader malware loader to distribute Remcos RAT to businesses and institutions across Eastern Europe. 
This is a post from HackRead.com Read the original post: Phishing Attack Uses UAC Bypass to Drop Remcos RAT Malware

****The phishing attack commences by sending malicious emails disguised as financial files, such as invoices.****

The cybersecurity researchers at SentinelOne have observed a new phishing campaign in which attackers are abusing the Windows User Account Control (UAC) bypass to distribute the DBatLoader and **Remcos RAT malware**. The primary targets of this campaign are organizations in Eastern Europe.

**New Phishing Campaign Delivering Remcos RAT**

According to SentinelOne, scammers are using DBatLoader malware loader to distribute Remcos RAT to businesses and institutions across **Eastern Europe**. The attackers use emails that seem to have come from authentic sources, such as reputed institutions in their target regions, to lure victims.

When they are successful in luring users into clicking on the malicious link included in the email’s content, the attackers easily leverage the malware loader, bypass Windows UAC, and drop Remcos RAT.

**How Does the Attack Occur?**

The attack commences by sending **phishing emails** disguised as financial files, such as invoices. These emails include a tar.lz archive containing the DBatLoader executable.

The phishing email as seen by SentinelOne

When the victim checks this email, they are lured into opening the DBatLoader’s initial stage payload, which is disguised as a LibreOffice, PDF, or MS Office document. Once this is done, the second-stage payload is retrieved from Google Drive or Microsoft OneDrive, one of which has been active for at least a month.

“When a user decompresses the attachment and runs the executable within, DBatLoader downloads and executes an obfuscated second-stage payload data from a public cloud location,” said SentinelOne’s Aleksandar Milenkoski.

According to SentinelOne’s **blog post**, the RAT is loaded only when DBatLoader executes a Windows batch script through a Windows UAC evasion technique involving **DLL hijacking** and mocking trusted directories. Through easinvoker.exe, Windows automatically elevates the process without issuing a UAC prompt when located in a trusted directory—the mock %SystemRoot%System32 directory.

**About Remcos RAT and DBatLoader**

DBatLoader abuses public cloud infrastructure for hosting its malware-loading capabilities. Remcos is a feature-rich RAT, which is frequently used by cybercriminals in espionage campaigns and is typically distributed via phishing emails.

Ukrainian CERT recently reported about **Remcos-based phishing campaigns** targeting state institutions for conducting espionage. In this instance, the attackers used password-protected archives as malicious email attachments.

This malware can collect keystrokes, video, audio, screenshots, and device or system-related information. Moreover, it can also deliver additional malware to the system.

1.  **New Python Malware Hits Windows Devices**
2.  **ElectroRat hits MacOS, Windows, Linux devices**
3.  **96% of New Malware in 2022 Targeted Windows**
4.  **Chinese Hackers Hide Malware in Windows Logo**
5.  **LodaRAT Windows malware hits Android Phones**
6.  **OpenAI’s ChatGPT Creates Polymorphic Malware**

Phishing Attack Uses UAC Bypass to Drop Remcos RAT Malware

Researchers warn that polymorphic malware created with ChatGPT and other LLMs will force a reinvention of security automation.

A proof-of-concept, artificial intelligence (AI)-driven cyberattack that changes its code on the fly can slip past the latest automated security-detection technology, demonstrating the potential for creating undetectable malware.

Researchers from HYAS Labs demonstrated the proof-of-concept attack, which they call BlackMamba, which exploits a large language model (LLM) — the technology on which ChatGPT is based — to synthesize a polymorphic keylogger functionality on the fly. The attack is "truly polymorphic" in that every time BlackMamba executes, it resynthesizes its keylogging capability, the researchers wrote.

The BlackMamba attack, outlined in a blog post, demonstrates how AI can allow the malware to dynamically modify benign code at runtime without any command-and-control (C2) infrastructure, allowing it to slip past current automated security systems that are attuned to look out for this type of behavior to detect attacks.

"Traditional security solutions like endpoint detection and response (EDR) leverage multi-layer, data intelligence systems to combat some of today’s most sophisticated threats, and most automated controls claim to prevent novel or irregular behavior patterns," the HYAS Labs researchers wrote. "But in practice, this is very rarely the case."

They tested the attack against an EDR system that was not identified specifically, but characterized as "industry leading," often resulting in zero alerts or detections.

Using its built-in keylogging ability, BlackMamba can collect sensitive information from a device, including usernames, passwords, and credit card numbers, the researchers said. Once this data is captured, the malware uses a common and trusted collaboration platform — Microsoft Teams — to send the collected data to a malicious Teams channel. From there, attackers can exploit the data in various nefarious ways, selling it on the Dark Web or using it for further attacks, the HYAS Labs researchers said.

"MS Teams is a legitimate communication and collaboration tool that is widely used by organizations, so malware authors can leverage it to bypass traditional security defenses, such as firewalls and intrusion detection systems," they wrote. "Also, since the data is sent over encrypted channels, it can be difficult to detect that the channel is being used for exfiltration."

Moreover, because BlackMamba's delivery system is based on an open source Python package, it allows developers to convert Python scripts into standalone executable files that can be run on various platforms, including Windows, macOS, and Linux, they wrote.

**What This Means for Modern Security**

AI-powered attacks like this will become more common now as threat actors create polymorphic malware that leverages ChatGPT and other sophisticated, data-intelligence systems based on LLM, according to the HYAS Labs researchers. This, in turn, will force automated security technology to evolve as well to manage and combat these threats.

“The threats posed by this new breed of malware are very real," the researchers wrote in the post. "By eliminating C2 communication and generating new, unique code at runtime, malware like BlackMamba is virtually undetectable by today's predictive security solutions."

Typically, organizations that deploy EDR and other automated security controls as part of a modern security stack believe they're doing everything in their power to detect and prevent malicious activity. However, BlackMamba's use of AI now demonstrates that "they are not foolproof," the HYAS Labs researchers noted.

"The BlackMamba proof-of-concept shows that LLMs can be exploited to synthesize polymorphic keylogger functionality on-the-fly, making it difficult for EDR to intervene," they wrote.

The security landscape will have to evolve alongside attackers' use of AI to keep up with the more sophisticated attacks that are on the horizon, according to the researchers. Until then, it's imperative that organizations "remain vigilant, keep their security measures up to date," they advised, "and adapt to new threats that emerge by operationalizing cutting-edge research being conducted in this space."

AI-Powered 'BlackMamba' Keylogging Attack Evades Modern EDR Security

Ubuntu Security Notice 5936-1 - Evgeny Legerov discovered that Samba incorrectly handled buffers in certain GSSAPI routines of Heimdal. A remote attacker could possibly use this issue to cause Samba to crash, resulting in a denial of service. Tom Tervoort discovered that Samba incorrectly used weak rc4-hmac Kerberos keys. A remote attacker could possibly use this issue to elevate privileges.

    ==========================================================================Ubuntu Security Notice USN-5936-1March 08, 2023samba vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTSSummary:Several security issues were fixed in Samba.Software Description:- samba: SMB/CIFS file, print, and login server for UnixDetails:Evgeny Legerov discovered that Samba incorrectly handled buffers incertain GSSAPI routines of Heimdal. A remote attacker could possibly usethis issue to cause Samba to crash, resulting in a denial of service.(CVE-2022-3437)Tom Tervoort discovered that Samba incorrectly used weak rc4-hmac Kerberoskeys. A remote attacker could possibly use this issue to elevateprivileges. (CVE-2022-37966, CVE-2022-37967)It was discovered that Samba supported weak RC4/HMAC-MD5 in NetLogon SecureChannel. A remote attacker could possibly use this issue to elevateprivileges. (CVE-2022-38023)Greg Hudson discovered that Samba incorrectly handled PAC parsing. On32-bit systems, a remote attacker could use this issue to escalateprivileges, or possibly execute arbitrary code. (CVE-2022-42898)Joseph Sutton discovered that Samba could be forced to issue rc4-hmacencrypted Kerberos tickets. A remote attacker could possibly use this issueto escalate privileges. This issue only affected Ubuntu 20.04 LTS andUbuntu 22.04 LTS. (CVE-2022-45141)WARNING: This update upgrades the version of Samba to 4.15.13. Please seethe upstream release notes for important changes in the new version:https://www.samba.org/samba/history/samba-4.15.0.htmlIn addition, the security fixes included in this new version introduceseveral important behavior changes which may cause compatibility problemsinteracting with systems still expecting the former behavior. Please seethe following upstream advisories for more information:https://www.samba.org/samba/security/CVE-2022-37966.htmlhttps://www.samba.org/samba/security/CVE-2022-37967.htmlhttps://www.samba.org/samba/security/CVE-2022-38023.htmlUpdate instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS:   samba                           2:4.15.13+dfsg-0ubuntu0.20.04.1This update uses a new upstream release, which includes additional bugfixes. In general, a standard system update will make all the necessarychanges.References:   https://ubuntu.com/security/notices/USN-5936-1   CVE-2022-3437, CVE-2022-37966, CVE-2022-37967, CVE-2022-38023,   CVE-2022-42898, CVE-2022-45141Package Information:   https://launchpad.net/ubuntu/+source/samba/2:4.15.13+dfsg-0ubuntu0.20.04.1

Ubuntu Security Notice USN-5936-1

Red Hat Security Advisory 2023-1109-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system.

Red Hat Security Advisory 2023-1109-01

After successful autonomous flight tests in December, the military is ramping up its plans to bring artificial intelligence to the skies.

On the morning of December 1, 2022, a modified F-16 fighter jet codenamed VISTA X-62A took off from Edwards Air Force Base, roughly 60 miles north of Los Angeles. Over the course of a short test flight, the VISTA engaged in advanced fighter maneuver drills, including simulated aerial dogfights, before landing successfully back at base. While this may sound like business as usual for the US’s premier pilot training school—or like scenes lifted straight from _Top Gun: Maverick_—it was not a fighter pilot at the controls but, for the first time on a tactical aircraft, a sophisticated AI.

Overseen by the US Department of Defense, VISTA X-62A undertook 12 AI-led test flights between December 1 and 16, totaling more than 17 hours of autonomous flight time. The breakthrough comes as part of a drive by the United States Air Force Vanguard to develop unmanned combat aerial vehicles. Initiated in 2019, the Skyborg program will continue testing through 2023, with hopes of developing a working prototype by the end of the year. 

The VISTA program is a crucial first step toward these goals, M. Christopher Cotting, director of research at USAF Test Pilot School, explains. “This approach, combined with focused testing on new vehicle systems as they are produced, will rapidly mature autonomy for uncrewed platforms and allow us to deliver tactically relevant capability to our warfighter,” he says. 

With Ukraine’s use of semiautonomous drones, the US military’s first autonomous flight of a Black Hawk helicopter last November, and the successful testing of AI algorithms in US U-2 spy planes in 2020, it’s clear that autonomous combat represents the next front in modern warfare. But just how completely will AI take over our skies, and what does it mean for the human pilots left on the ground?

The VISTA X-62A (short for Variable In-flight Simulation Test Aircraft) has always been ahead of its time. Built in the 1980s and based on an F-16D Block 30 Peace Marble Il, the plane previously held the designation NF-16D and became the US Airforce Test Pilot School’s go-to simulation machine in the early 1990s. A versatile and adaptable training tool boasting open systems architecture, the VISTA can be fitted with software that allows it to mimic the performance characteristics of multiple aircraft, from heavy bombers to ultra-light fighter jets. 

Prior to last year’s autonomous flight tests, the VISTA received a much-needed update in the form of a “model following algorithm” (MFA) and a “system for autonomous control of the simulation” (SACS) from Lockheed Martin’s Skunk Works. Combined with the VISTA Simulation System from defense and aerospace company Calspan Corporation, these updates facilitated an emphasis on autonomy and AI integration. 

Utilizing General Dynamics’s Enterprise-wide Open Systems Architecture (E-OSA) to power the Enterprise Mission Computer version 2 (EMC2, or Einstein Box), the SACS system also integrates advanced sensors, a set of Getac tablet displays in both cockpits, and multilevel security features, all of which enhance VISTA’s capabilities, including its rapid-prototyping advantage, which allows for speedy software updates to meet the accelerating pace of AI development.

During testing in December, a pair of AI programs were fed into the system: the Air Force Research Laboratory’s Autonomous Air Combat Operations (AACO) and the Defense Advanced Research Projects Agency’s (DARPA) Air Combat Evolution (ACE). AACO’s AI agents focused on combat with a single adversary beyond visual range (BVR), while ACE focused on dogfight-style maneuvers with a closer, “visible” simulated enemy.

While VISTA requires a certified pilot in the rear cockpit as backup, during test flights, an engineer trained in the AI systems manned the front cockpit to deal with any technical issues that arose. In the end, these issues were minor. While not able to elaborate on the intricacies, DARPA program manager Lt. Col. Ryan Hefron explains that any hiccups were “to be expected when transitioning from virtual to live.” All in all, it was a significant step toward realizing Skyborg’s aim of getting autonomous aircraft off the ground as soon as possible.

The Department of Defense stresses that AACO and ACE are designed to supplement human pilots, not replace them. In some instances, AI copilot systems could act as a support mechanism for pilots in active combat. With AACO and ACE capable of parsing millions of data inputs per second, and having the ability to take control of the plane at critical junctures, this could be vital in life-or-death situations. For more routine missions that do not require human input, flights could be entirely autonomous, with the nose-section of planes being swapped out when a cockpit is not required for a human pilot.

“We’re not trying to replace pilots, we’re trying to _augment_ them, give them an extra tool,” Cotting says. He draws the analogy of soldiers of bygone campaigns riding into battle on horses. “The horse and the human had to work together,” he says. “The horse can run the trail really well, so the rider doesn’t have to worry about going from point A to B. His brain can be freed up to think bigger thoughts.” For example, Cotting says, a first lieutenant with 100 hours of experience in the cockpit could artificially gain the same edge as a much higher-ranking officer with 1,000 hours of flight experience, thanks to AI augmentation.

For Bill Gray, chief test pilot at the USAF Test Pilot School, incorporating AI is a natural extension of the work he does with human students. “Whenever we \[pilots\] talk to engineers and scientists about the difficulties of training and qualifying AI agents, they typically treat this as a new problem,” he says. “This bothers me, because I have been training and qualifying highly non-linear and unpredictable natural intelligence agents—students—for decades. For me, the question isn’t, ‘Can we train and qualify AI agents?’ It’s, ‘Why can we train and qualify humans, and what can this teach us about doing the same for AI agents?’

Gray believes AI is “not a wonder tool that can solve all of the problems,” but rather that it must be developed in a balanced approach, with built-in safety measures to prevent costly mishaps. An overreliance on AI—a “trust in autonomy”—can be dangerous, Gray believes, pointing out failures in Tesla’s autopilot program despite Tesla asserting the need for the driver to be at the wheel as a backup. Cotting agrees, calling the ability to test AI programs in the VISTA a “risk-reduction plan.” By training AI on conventional systems such as the VISTA X-62—rather than building an entirely new aircraft—automatic limits and, if necessary, safety pilot intervention can help prevent the AI from endangering the aircraft as it learns.

The USAF’s technology is advancing rapidly. This past December, trial flights for ACE and ACCO were often completed within hours of each other, with engineers switching autonomy algorithms onboard the VISTA in minutes, without safety or performance issues, according to Cotting. In one instance, Cotting describes uploading new AI at 7:30 am and the plane being ready to test by 10 am.

“Once you get through the process of connecting an AI to a supersonic fighter, the resulting maneuvering is endlessly fascinating,” says Gray. “We have seen things that make sense, and completely surprising things that make no sense at all. Thanks to our safety systems, programmers are changing their models overnight, and we’re engaging them the next morning. This is unheard of in flight control system development, much less experimentation with unpredictable AI agents.”

Despite these successes, it will take some time before the curriculum at the USAF Test Pilot School undergoes an AI overhaul. Cotting explains that the newness of the AACO and ACE platforms means students will require a greater level of understanding before trying them out in the cockpit of the VISTA. “We’re basically building the bridge as we’re driving over,” Cotting says.

In the meantime, students will undergo a broader test this fall in which they’re exposed to a set of AI and have to figure out how to test it, then execute that test.

As for wider military applications, Cotting says that while he has no visibility into these areas, AI is already ubiquitous in image recognition technology used across the military. While AI-driven tanks may not be on the horizon just yet, the skies, it seems, are set to be home to a new kind of intelligence.

The US Air Force Is Moving Fast on AI-Piloted Fighter Jets

Red Hat Security Advisory 2023-1130-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include null pointer and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: kernel security and bug fix update  
Advisory ID:       RHSA-2023:1130-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1130  
Issue date:        2023-03-07  
CVE Names:         CVE-2022-2964 CVE-2022-4269 CVE-2022-41222   
=====================================================================

1. Summary:

An update for kernel is now available for Red Hat Enterprise Linux 8.6  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder EUS (v.8.6) - aarch64, ppc64le, x86_64  
Red Hat Enterprise Linux BaseOS EUS (v.8.6) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux  
operating system.

Security Fix(es):

* kernel: memory corruption in AX88179_178A based USB ethernet device.  
(CVE-2022-2964)

* kernel: mm/mremap.c use-after-free vulnerability (CVE-2022-41222)

* kernel: net: CPU soft lockup in TC mirred egress-to-ingress action  
(CVE-2022-4269)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* WARNING: CPU: 116 PID: 3440 at arch/x86/mm/extable.c:105  
ex_handler_fprestore+0x3f/0x50 (BZ#2134587)

* fix for "CoW after fork() issue" aka "vmsplice child -> parent attack"  
aka "GUP after fork bug" (BZ#2137546)

* Hardware error: RIP: copy_user_enhanced_fast_string+0xe (BZ#2137593)

* i40e: orphaned-leaky memory when interacting with driver memory  
parameters (BZ#2138206)

* RHEL 8.7 - Outputs of lsmem, lparstat, numactl and /proc/meminfo show  
wrong value of memory when LMB size is set to 4GB. (BZ#2140091)

* RHEL8.7: tcp sessions hanging after ibmvnic failover on Denali  
(BZ#2140958)

* RHEL8: Practically limit "Dummy wait" workaround to old Intel systems  
(BZ#2142171)

* RHEL:8.6+ IBM Partner issue - Loopback driver with ABORT_TASKS causing  
hangs in scsi eh, this bug was cloned for RHEL8.6 and need this patch in  
8.6+ (BZ#2144584)

* i40e,iavf: SR-IOV VF devices send GARP with wrong MAC address  
(BZ#2149746)

* RHEL8.4 - boot: Add secure boot trailer (BZ#2151531)

* error 524 from seccomp(2) when trying to load filter (BZ#2152139)

* The "kernel BUG at mm/usercopy.c:103!" from BZ 2041529 is back on  
rhel-8.5 (BZ#2153231)

* kernel BUG: scheduling while atomic: crio/7295/0x00000002 (BZ#2154461)

* MSFT MANA NET Patch RHEL-8: Fix race on per-CQ variable napi_iperf panic  
fix (BZ#2155438)

* GSS: OCP 4.10.30 node crash after ODF upgrade : unable to handle kernel  
NULL pointer dereference at 0000000000000000 :  
ceph_get_snap_realm+0x68/0xa0 [ceph] (BZ#2155798)

* RHEL8.8: Backport upstream patches to reduce memory cgroup memory  
consumption and OOM problem (BZ#2157923)

* 'date' command shows wrong time in nested KVM s390x guest (BZ#2158814)

* Kernel FIPS-140-3 requirements - part 3 - AES-XTS (BZ#2160173)

* ethtool -m results in an out-of-bounds slab write in the be2net driver  
(BZ#2160183)

* i40e/iavf: VF reset task fails "Never saw reset" with 5 second timeout  
per VF (BZ#2160461)

* Mellanox: backport "net/mlx5e: TC NIC mode, fix tc chains miss table"  
(BZ#2161630)

* Kernel panic observed during VxFS module unload (BZ#2162764)

* iavf: It takes long time to create multiple VF interfaces and the VF  
interface names are not consistent (BZ#2163259)

* In FIPS mode, the kernel should reject SHA-224, SHA-384, SHA-512-224, and  
SHA-512-256 as hashes for hash-based DRBGs, or provide an indicator after  
2023-05-16 (BZ#2165133)

* panic in fib6_rule_suppress+0x22 with custom xdp prog involved in  
(BZ#2167604)

* net/mlx5e: Fix use-after-free when reverting termination table  
(BZ#2167641)

* Update intel_idle for Eaglestream/Sapphire Rapids support (BZ#2168357)

* GSS: Set of fixes in ceph kernel module to prevent OCS node kernel crash  
- -  blocklist the kclient when receiving corrupted snap trace (BZ#2168898)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2067482 - CVE-2022-2964 kernel: memory corruption in AX88179_178A based USB ethernet device.  
2138818 - CVE-2022-41222 kernel: mm/mremap.c use-after-free vulnerability  
2150272 - CVE-2022-4269 kernel: net: CPU soft lockup in TC mirred egress-to-ingress action

6. Package List:

Red Hat Enterprise Linux BaseOS EUS (v.8.6):

Source:  
kernel-4.18.0-372.46.1.el8_6.src.rpm

aarch64:  
bpftool-4.18.0-372.46.1.el8_6.aarch64.rpm  
bpftool-debuginfo-4.18.0-372.46.1.el8_6.aarch64.rpm  
kernel-4.18.0-372.46.1.el8_6.aarch64.rpm  
kernel-core-4.18.0-372.46.1.el8_6.aarch64.rpm  
kernel-cross-headers-4.18.0-372.46.1.el8_6.aarch64.rpm  
kernel-debug-4.18.0-372.46.1.el8_6.aarch64.rpm  
kernel-debug-core-4.18.0-372.46.1.el8_6.aarch64.rpm  
kernel-debug-debuginfo-4.18.0-372.46.1.el8_6.aarch64.rpm  
kernel-debug-devel-4.18.0-372.46.1.el8_6.aarch64.rpm  
kernel-debug-modules-4.18.0-372.46.1.el8_6.aarch64.rpm  
kernel-debug-modules-extra-4.18.0-372.46.1.el8_6.aarch64.rpm  
kernel-debuginfo-4.18.0-372.46.1.el8_6.aarch64.rpm  
kernel-debuginfo-common-aarch64-4.18.0-372.46.1.el8_6.aarch64.rpm  
kernel-devel-4.18.0-372.46.1.el8_6.aarch64.rpm  
kernel-headers-4.18.0-372.46.1.el8_6.aarch64.rpm  
kernel-modules-4.18.0-372.46.1.el8_6.aarch64.rpm  
kernel-modules-extra-4.18.0-372.46.1.el8_6.aarch64.rpm  
kernel-tools-4.18.0-372.46.1.el8_6.aarch64.rpm  
kernel-tools-debuginfo-4.18.0-372.46.1.el8_6.aarch64.rpm  
kernel-tools-libs-4.18.0-372.46.1.el8_6.aarch64.rpm  
perf-4.18.0-372.46.1.el8_6.aarch64.rpm  
perf-debuginfo-4.18.0-372.46.1.el8_6.aarch64.rpm  
python3-perf-4.18.0-372.46.1.el8_6.aarch64.rpm  
python3-perf-debuginfo-4.18.0-372.46.1.el8_6.aarch64.rpm

noarch:  
kernel-abi-stablelists-4.18.0-372.46.1.el8_6.noarch.rpm  
kernel-doc-4.18.0-372.46.1.el8_6.noarch.rpm

ppc64le:  
bpftool-4.18.0-372.46.1.el8_6.ppc64le.rpm  
bpftool-debuginfo-4.18.0-372.46.1.el8_6.ppc64le.rpm  
kernel-4.18.0-372.46.1.el8_6.ppc64le.rpm  
kernel-core-4.18.0-372.46.1.el8_6.ppc64le.rpm  
kernel-cross-headers-4.18.0-372.46.1.el8_6.ppc64le.rpm  
kernel-debug-4.18.0-372.46.1.el8_6.ppc64le.rpm  
kernel-debug-core-4.18.0-372.46.1.el8_6.ppc64le.rpm  
kernel-debug-debuginfo-4.18.0-372.46.1.el8_6.ppc64le.rpm  
kernel-debug-devel-4.18.0-372.46.1.el8_6.ppc64le.rpm  
kernel-debug-modules-4.18.0-372.46.1.el8_6.ppc64le.rpm  
kernel-debug-modules-extra-4.18.0-372.46.1.el8_6.ppc64le.rpm  
kernel-debuginfo-4.18.0-372.46.1.el8_6.ppc64le.rpm  
kernel-debuginfo-common-ppc64le-4.18.0-372.46.1.el8_6.ppc64le.rpm  
kernel-devel-4.18.0-372.46.1.el8_6.ppc64le.rpm  
kernel-headers-4.18.0-372.46.1.el8_6.ppc64le.rpm  
kernel-modules-4.18.0-372.46.1.el8_6.ppc64le.rpm  
kernel-modules-extra-4.18.0-372.46.1.el8_6.ppc64le.rpm  
kernel-tools-4.18.0-372.46.1.el8_6.ppc64le.rpm  
kernel-tools-debuginfo-4.18.0-372.46.1.el8_6.ppc64le.rpm  
kernel-tools-libs-4.18.0-372.46.1.el8_6.ppc64le.rpm  
perf-4.18.0-372.46.1.el8_6.ppc64le.rpm  
perf-debuginfo-4.18.0-372.46.1.el8_6.ppc64le.rpm  
python3-perf-4.18.0-372.46.1.el8_6.ppc64le.rpm  
python3-perf-debuginfo-4.18.0-372.46.1.el8_6.ppc64le.rpm

s390x:  
bpftool-4.18.0-372.46.1.el8_6.s390x.rpm  
bpftool-debuginfo-4.18.0-372.46.1.el8_6.s390x.rpm  
kernel-4.18.0-372.46.1.el8_6.s390x.rpm  
kernel-core-4.18.0-372.46.1.el8_6.s390x.rpm  
kernel-cross-headers-4.18.0-372.46.1.el8_6.s390x.rpm  
kernel-debug-4.18.0-372.46.1.el8_6.s390x.rpm  
kernel-debug-core-4.18.0-372.46.1.el8_6.s390x.rpm  
kernel-debug-debuginfo-4.18.0-372.46.1.el8_6.s390x.rpm  
kernel-debug-devel-4.18.0-372.46.1.el8_6.s390x.rpm  
kernel-debug-modules-4.18.0-372.46.1.el8_6.s390x.rpm  
kernel-debug-modules-extra-4.18.0-372.46.1.el8_6.s390x.rpm  
kernel-debuginfo-4.18.0-372.46.1.el8_6.s390x.rpm  
kernel-debuginfo-common-s390x-4.18.0-372.46.1.el8_6.s390x.rpm  
kernel-devel-4.18.0-372.46.1.el8_6.s390x.rpm  
kernel-headers-4.18.0-372.46.1.el8_6.s390x.rpm  
kernel-modules-4.18.0-372.46.1.el8_6.s390x.rpm  
kernel-modules-extra-4.18.0-372.46.1.el8_6.s390x.rpm  
kernel-tools-4.18.0-372.46.1.el8_6.s390x.rpm  
kernel-tools-debuginfo-4.18.0-372.46.1.el8_6.s390x.rpm  
kernel-zfcpdump-4.18.0-372.46.1.el8_6.s390x.rpm  
kernel-zfcpdump-core-4.18.0-372.46.1.el8_6.s390x.rpm  
kernel-zfcpdump-debuginfo-4.18.0-372.46.1.el8_6.s390x.rpm  
kernel-zfcpdump-devel-4.18.0-372.46.1.el8_6.s390x.rpm  
kernel-zfcpdump-modules-4.18.0-372.46.1.el8_6.s390x.rpm  
kernel-zfcpdump-modules-extra-4.18.0-372.46.1.el8_6.s390x.rpm  
perf-4.18.0-372.46.1.el8_6.s390x.rpm  
perf-debuginfo-4.18.0-372.46.1.el8_6.s390x.rpm  
python3-perf-4.18.0-372.46.1.el8_6.s390x.rpm  
python3-perf-debuginfo-4.18.0-372.46.1.el8_6.s390x.rpm

x86_64:  
bpftool-4.18.0-372.46.1.el8_6.x86_64.rpm  
bpftool-debuginfo-4.18.0-372.46.1.el8_6.x86_64.rpm  
kernel-4.18.0-372.46.1.el8_6.x86_64.rpm  
kernel-core-4.18.0-372.46.1.el8_6.x86_64.rpm  
kernel-cross-headers-4.18.0-372.46.1.el8_6.x86_64.rpm  
kernel-debug-4.18.0-372.46.1.el8_6.x86_64.rpm  
kernel-debug-core-4.18.0-372.46.1.el8_6.x86_64.rpm  
kernel-debug-debuginfo-4.18.0-372.46.1.el8_6.x86_64.rpm  
kernel-debug-devel-4.18.0-372.46.1.el8_6.x86_64.rpm  
kernel-debug-modules-4.18.0-372.46.1.el8_6.x86_64.rpm  
kernel-debug-modules-extra-4.18.0-372.46.1.el8_6.x86_64.rpm  
kernel-debuginfo-4.18.0-372.46.1.el8_6.x86_64.rpm  
kernel-debuginfo-common-x86_64-4.18.0-372.46.1.el8_6.x86_64.rpm  
kernel-devel-4.18.0-372.46.1.el8_6.x86_64.rpm  
kernel-headers-4.18.0-372.46.1.el8_6.x86_64.rpm  
kernel-modules-4.18.0-372.46.1.el8_6.x86_64.rpm  
kernel-modules-extra-4.18.0-372.46.1.el8_6.x86_64.rpm  
kernel-tools-4.18.0-372.46.1.el8_6.x86_64.rpm  
kernel-tools-debuginfo-4.18.0-372.46.1.el8_6.x86_64.rpm  
kernel-tools-libs-4.18.0-372.46.1.el8_6.x86_64.rpm  
perf-4.18.0-372.46.1.el8_6.x86_64.rpm  
perf-debuginfo-4.18.0-372.46.1.el8_6.x86_64.rpm  
python3-perf-4.18.0-372.46.1.el8_6.x86_64.rpm  
python3-perf-debuginfo-4.18.0-372.46.1.el8_6.x86_64.rpm

Red Hat CodeReady Linux Builder EUS (v.8.6):

aarch64:  
bpftool-debuginfo-4.18.0-372.46.1.el8_6.aarch64.rpm  
kernel-debug-debuginfo-4.18.0-372.46.1.el8_6.aarch64.rpm  
kernel-debuginfo-4.18.0-372.46.1.el8_6.aarch64.rpm  
kernel-debuginfo-common-aarch64-4.18.0-372.46.1.el8_6.aarch64.rpm  
kernel-tools-debuginfo-4.18.0-372.46.1.el8_6.aarch64.rpm  
kernel-tools-libs-devel-4.18.0-372.46.1.el8_6.aarch64.rpm  
perf-debuginfo-4.18.0-372.46.1.el8_6.aarch64.rpm  
python3-perf-debuginfo-4.18.0-372.46.1.el8_6.aarch64.rpm

ppc64le:  
bpftool-debuginfo-4.18.0-372.46.1.el8_6.ppc64le.rpm  
kernel-debug-debuginfo-4.18.0-372.46.1.el8_6.ppc64le.rpm  
kernel-debuginfo-4.18.0-372.46.1.el8_6.ppc64le.rpm  
kernel-debuginfo-common-ppc64le-4.18.0-372.46.1.el8_6.ppc64le.rpm  
kernel-tools-debuginfo-4.18.0-372.46.1.el8_6.ppc64le.rpm  
kernel-tools-libs-devel-4.18.0-372.46.1.el8_6.ppc64le.rpm  
perf-debuginfo-4.18.0-372.46.1.el8_6.ppc64le.rpm  
python3-perf-debuginfo-4.18.0-372.46.1.el8_6.ppc64le.rpm

x86_64:  
bpftool-debuginfo-4.18.0-372.46.1.el8_6.x86_64.rpm  
kernel-debug-debuginfo-4.18.0-372.46.1.el8_6.x86_64.rpm  
kernel-debuginfo-4.18.0-372.46.1.el8_6.x86_64.rpm  
kernel-debuginfo-common-x86_64-4.18.0-372.46.1.el8_6.x86_64.rpm  
kernel-tools-debuginfo-4.18.0-372.46.1.el8_6.x86_64.rpm  
kernel-tools-libs-devel-4.18.0-372.46.1.el8_6.x86_64.rpm  
perf-debuginfo-4.18.0-372.46.1.el8_6.x86_64.rpm  
python3-perf-debuginfo-4.18.0-372.46.1.el8_6.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-2964  
https://access.redhat.com/security/cve/CVE-2022-4269  
https://access.redhat.com/security/cve/CVE-2022-41222  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZAiXMtzjgjWX9erEAQguWhAApNLcz2ltZLXkAZ/HPY3boTCnDVnFlYD6  
We5JcFRn45M//ACx7tuHfQIYU4STA+iJiACBf9IJjPaUYrfjJ13/XCV2OMQof6Or  
vEUemfX8pDIU4gMPWD6E4yffDRdW+e54inSGvSxc6IRPRefm5mcnEiWxlvF+Fc6U  
rsn8zdZahByGpMfocORIx9XjjBUgNR33KByYWKIvdmw4RSAOXblCmMzQWgRSr/iW  
j3HqNrR4wwgZE7hdtvOb9RJ70x/JPXtQEROr8nfZYtXJ10LqdyvmyCCVX4DmP89W  
5n4yWDaLHbeqWferMDLa3faCFIpXoHAWzMhX4FfriVdIMTx8f7B+p7jdeUhDg+PU  
/kv2tIQLy4QYADFaA5VCIEgPhgMFbmJqrwaW2Hec9H1w8wsLW8SV1HUxZyLJ1jKn  
fmgK71PlCG/emt1fXlNkeh8l+JXO0MfXb4KrGEjAWgVleQhiwXSh62EaIRiPfp77  
4byX1ZSFBbp6bno0NR5pmYSM8jgMR1JqpWP0eIOUBncAacEhZqzD+EXMZ2ZRfMLZ  
QrAGFkC3AG6KE3/UjIgdSf7QTiw7bozwAdhOZOn+X5IZfbqOykyI/g93QuIJcREl  
x4dcbL6jnnZCEEZ282yGrL4fQWjOdC0bGDrfw7qcCbjeEqKKiPyHffzTu/drDT29  
/EVM/7D12z8=  
=+U7d  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#mac