A locally authenticated attacker with low privileges can bypass authentication due to insecure inter-process communication.

**What's New**

Updated logo

The logo for Ivanti Automation has been updated to reflect the latest design.

**Resolved issues**

The following issues were resolved in this release:

 

Problem ID

Title

93334

Automation team based on Operating System Version Microsoft Windows 11 rule also includes Windows 10 computers.  
More information

93646

Dispatchers are stuck at random times.  
More information

93652

Building block created using 'Automation/API/BuildingBlocks/Create' is missing the Run Elevated info: <runelevated>yes</runelevated>.  
More information

94122

Runbook containing multiple projects are giving visual inconsistency.  
More information

94218

Netbios name resolve is not working anymore in task Install Windows Installer package with a resource located on fileshare (UNC).  
More information

94406

The previously used Root certificate information still resides in the Automation Agent MSI file.  
More information

Resolved an Automation Manager authentication bypass vulnerability

**Release Notes for previous versions of Ivanti Automation 2023**

Ivanti Automation 2023.3

**Resolved issues**

The following issues were resolved in this release:

 

Problem ID

Title

92405

Projects still runs in prepare for image task, regardless if the project is enabled or disabled.  
More information

92597

The File Operations task fails when wildcards are used in the path.  
More information

93108

Option grab log file in perform unattended installation task does not work in Ivanti Automation.  
More information

93464

The Install Windows Installer Package task fails after upgrade to 10.22.0.0  
More information

93850

The spelling of the word 'following' is incorrect in the pop-up that appears when deleting a team that has a task in it.  
More information

Ivanti Automation 2023.2.0.1

**Resolved issues**

The following issues were resolved in this release:

 

Problem ID

Title

93451

Runbook is not fully processed when a Project is used in the Runbook job in Ivanti Automation 2023.2.0.0  
More information

Resolved in release 2023.2(.0.0):

 

Problem ID

Title

90177

The View button for Resulting Tasks in scheduled recurring Jobs is not working.  
More information

92477

Task Install Windows Installer Package fails after upgrade to Ivanti Automation 2023.1 (10.22.0.0).  
More information

92587

After installing Ivanti Automation 2022.4: File Operations task to move folder content fails: Access to the path is denied.  
More information

92868

The Perform Unattended Installation task fails after updating Ivanti Automation.  
More information

92929

Task Apply Registry Settings using Expandable String Values adds additional backslashes in the data value.  
More information

93038

Module Conditions in a Project are not visible when viewed via the Job History.  
More information

Released in 2023.2(.0.0), but reverted:

 

Problem ID

Title

92405  
(reverted)

Projects still run in Prepare for Image task regardless if the project is enabled or disabled.  
More information  

Ivanti Automation 2023.1

**Resolved issues**

The following issues were resolved in this release:

 

Problem ID

Title

92110

The PowerShell Core (Execute) task does not show the Console Output tab in the executed job details.  
More information

92144

After editing a configured Condition based on a registry value, the following error is shown: A string literal was not closed.  
More information

91747

After an Ivanti Automation upgrade is performed, the C:\\IA\_RecycleBin folder not auto-cleaned up.  
More information

91932

The order of jobs scheduled on multiple agents is incorrect in the Activity and Job History tabs.  
More information

91976

The Query Parameters task behaves differently, causing Execute Commands tasks to fail.  
More information

91966

When the Set Environment Variables task is used, the Variable name is changed to case-sensitive.  
More information

**Release Notes for Ivanti Automation 2022**

Ivanti Automation 2022.4

**What's New**

Tracing optimizations

Starting with Ivanti Automation 2022.4, you have more control over how much disk space tracing takes up. By implementing the MaxLogFileSizeMB, FreeDiskspacePercent, and FileLogThreshold registers, you can set up the maximum amount of megabytes a trace file can take up before rewriting itself, how much space needs to be available in order for the trace entries to be written in the trace file, and control what trace levels should be written.

**Resolved issues**

The following issues were resolved in this release:

 

Problem ID

Title

91488

If the date/time information stored in the TelemetryLastSend registry key has an incorrect format, the Automation Dispatcher logs the following error in the Microsoft Windows Event Viewer: String was not recognized as a valid DateTime.  
More information

91321

Handles on agent.exe are not completely released after running Powershell tasks in Ivanti Automation.  
More information

91010

Missing Global option in the drop down menu within Topology > Teams settings in Ivanti Automation.  
More information

91513

The REST Request task fails with the following error: An error has occurred.  
More information

91138

The Deploy Automation Components task does not contain connection information when used to deploy the Ivanti Automation Console.  
More information

91477

When upgrading the Automation environment, the upgrade pack requests credentials to continue.  
More information

91079

Recurring schedule stops and is not reschedules as expected.  
More information

91362

The Apply Registry Settings task fails when the REG\_MULTI\_SZ registry entry is set with an empty Data field.  
More information

90574

When the use of Comments on Versioning is avoided when editing a Runbook, it causes the Ivanti Automation Console to freeze.  
More information

91170

Filtering the Job History in Ivanti Automation does not work since version 2022.3.  
More information

91011

The Perform Single File Operation task in Ivanti Automation does not accept \* to delete subfolders and content in subfolders.  
More information

91020

Tasks using Global Variables of type Credentials fail with the following error: 1326 The username or password is incorrect.  
More information

91212

When an Automation Resource Package is used in the Perform Unattended Installation task, the task fails with the following errors: Process failed to start or Timeout expired - Process terminated.  
More information

91476

Visual view in the Ivanti Automation Console seems not to be correct, order is not as it should be.  
More information  

Ivanti Automation 2022.3.1

**Resolved issues**

The following issues were resolved in this release:

 

Problem ID

Title

90807

When using the Download Resource task to download an Ivanti Automation Resource Package, the task fails with the following error: Failed (completely or partly) to extract 'ResourcePackage' to 'C:\\<PATH>\\DestinationFolder.  
More information

90796

Changing the Windows Defender Firewall service startup type with Ivanti Automation fails.  
More information

90753

The AutoCreate button for RunBook and Project parameters only works in combination with AutoLink.  
More information

90767

After upgrading to Ivanti Automation 2022.3, the Perform Unattended Installation task fails to download linked resources.  
More information

90736

After upgrading to Ivanti Automation 2022.3, the Perform Unattended Installation task fails if the resource is located on FileShare.  
More information

90786

After upgrading to Ivanti Automation 2022.3, the Perform Unattended Installation task fails when using an Ivanti Automation Resource Package.  
More information

Ivanti Automation 2022.3

**What's New****Resolved issues**

The following issues were resolved in this release:

 

Problem ID

Title

90055

When an automated installation using Chef tool is started, communication between the Agent and the Dispatcher fails and the resamad.xml file is not created.  
More information

90346

The Download Resource task fails when the destination path is set to C:\\.  
More information

90091

Intermittently, the Project Parameter value is cleared during Job activity.  
More information

90431

Ivanti Automation tasks with linked Resources fail with the following error: StartIndex cannot be less than zero.  
More information

90012

When an Automation Agent has a Primary Team set, the Download Resource task fails with the following error: Resource could not be downloaded in cache: <Resource.wis>. Original resource name: <FileName>.  
More information

90531

A module containing the task Perform File Operation: Action Edit/Create INI file and having the file path set to C:\\fails with the following error: Failed to rename, file or folder "C:\\placeholder.ini" does not exist.  
More information

When a string used to filter Job History or Audit Trail entries contains a single quote character ('), the filtering returns no records.  
More information

When the Automation Console is used to configure the maximum number of parallel jobs that an Agent can execute to 100, the agent will only execute 50 Jobs in parallel.  
More information

When Auto-Refresh is enabled and many entries are present, deadlocks occur in the Scheduling and Activity nodes.  
More information

When the Agent Alias feature is enabled, but no paths are configured, CheckForChanges errors are logged and no jobs are picked by the Agents.  
More information

The Evaluator is not functional for the Parameters (Query) and Microsoft System Center Configuration Manager (Query Server) tasks.  
More information

Ivanti Automation 2022.2.2

**Resolved issues**

The following issues were resolved in this release:

 

Problem ID

Title

90037

The Perform Single File Operation task fails if the destination folder does not exist.  
More information

90091

Intermittently, the Project Parameter value is cleared during Job activity.  
More information

90012

When an Automation Agent has a Primary Team set, the Download Resource task fails with the following error: Resource could not be downloaded in cache: <Resource.wis>. Original resource name: <FileName>.  
More information

90130

The exit code in an Execute Command task is always 0.  
More information

90271

The Manage Service task does not work if the service name contains a space.  
More information

The Dispatcher is not updated after upgrading the Automation environment.  
More information

An Execute Command task configured with credentials and referencing a resource file fails.  
More information  

Unicode characters are incorrectly presented in job results in the Automation Console.  
More information  

Ivanti Automation 2022.2.1

**Known issues**

The list below contains known issues for this release:

 

Problem ID

Title

90037

The Perform Single File Operation task fails if the destination folder does not exist.  
More information

90091

Intermittently, the Project Parameter value is cleared during Job activity.  
More information

90012

When an Automation Agent has a Primary Team set, the Download Resource task fails with the following error: Resource could not be downloaded in cache: <Resource.wis>. Original resource name: <FileName>.  
More information

90130

The exit code in an Execute Command task is always 0.  
More information

90271

The Manage Service task does not work if the service name contains a space.  
More information

The Dispatcher is not updated after upgrading the Automation environment.  
More information

An Execute Command task configured with credentials and referencing a resource file fails.  
More information  

Unicode characters are incorrectly presented in job results in the Automation Console.  
More information  

**Resolved issues**

The following issues were resolved in this release:

 

Problem ID

Title

89803

The Manage Service Properties task fails with the following error: Invalid access to memory location.  
More information

89821

An Execute Command task fails when Execute command using the Windows command interpreter is unchecked.  
More information

89818

The variable in the Execute Command task is case sensitive.  
More information

89819

The Copy - File/Folder action of a single file in the Perform File Operations task fails.  
More information

 

Stopping a service by using the Manage Service Properties task fails without returning an error.  
More information

Ivanti Automation 2022.2

**What's new**

Automation tasks migrated to a newer code base

For continued maintainability of the code, the following tasks have been migrated to a newer code base:

*   Files (Perform Operations);
    
*   Environment Variables (Set, Delete);
    
*   Service Properties (Manage);
    
*   Resource (Download);
    
*   Command (Execute).
    

**Known issues**

The list below contains known issues for this release:

 

Problem ID

Title

89803

The Manage Service Properties task fails with the following error: Invalid access to memory location.  
More information

89821

An Execute Command task fails when Execute command using the Windows command interpreter is unchecked.  
More information

89818

The variable in the Execute Command task is case sensitive.  
More information

89819

The Copy - File/Folder action of a single file in the Perform File Operations task fails.  
More information

 

Stopping a service by using the Manage Service Properties task fails to report the actual error message.  
More information

**Resolved issues**

The following issues were resolved in this release:

 

Problem ID

Title

89428

Automation jobs scheduled via the Dispatcher to an empty team stay in the Scheduled state indefinitely.  
More information

88869

Automation jobs are incorrectly processed on Agents installed on non-persisted machines.  
More information  

89331

After upgrading to Ivanti Automation 2021.4, the Automation Console is not responding when scheduling runbooks.  
More information  

89381

Downloading resource fails with the following error: Resource could not be downloaded in cache: <Resource.wis>. Original resource name: <FileName>.  
More information

89376

Automation Agents show an increase in memory usage while no jobs are being executed.  
More information

89406

After selecting a new Automation Module or Project in Environment Manager, the following error is shown: Unable to connect to the selected Dispatcher service.  
More information

89113

The operation of checking if the LanmanWorkstation service is running fails on non-English operating systems.  
More information

88752

When choosing the option Change settings for multiple Agents in the Automation console, the Global <value> is visible and the Team <value> is not available.  
More information

89484

When selecting the Variables node in the Ivanti Automation Console, the following error is shown: clsVariable.Load\_Internal: 13 - Type mismatch.  
More information

89216

When a condition checking a parameter has to check a value containing 5 or more digits, the following error appears when opening the task and condition: Error in sharedEncryption.fstrLegecyDecrypt: 5 - Invalid procedure call or argument.  
More information

 

The license overview now displays license points correctly when old and new license types are combined.  
More information  

Ivanti Automation 2022.1

**What's new****New team membership rules**

Automatically add Agents to Teams with new file/folder and registry key detection rules. More information.

**Service triggers**

Start and stop Windows services based on trigger events. More information.

**Interactive job execution**

Use this task to create interactive multipart jobs, where the user sees a Windows notification and can choose to continue, skip, or abort job actions. More information.

**New Automation component deployment logs**

When deploying Ivanti Automation components, the Job History has a new **Log** tab that displays the MSI installation log. This can help troubleshoot deployment issues. In **Job History > Tasks**, double-click the task you want and then click the **Log** tab.

**The database revision level remains at 83**

There was no database revision level update for this release.

**Resolved issues**

The following issues were resolved in this release:

 

Problem ID

Title

87369

Agents will not pick up jobs after recreating a global variable that is used on a Teams or Agents level.  
More information

87675

Scheduled Jobs based on a CRON expression return the following error: Please enter a valid cron expression.  
More information

87561

Opening a scheduled job results in the error: Error in clsParamters.Load: 452 This key is already associated with an element of this collection.  
More information

87739

The drop-down list for the RunbookWho parameter in a runbook contains an additional entry.  
More information

88147

Using functions in an Automation task results in the error that the task contains illegal characters.  
More information

87960

Error in modWMC.MoveListItemTop:13 Type mismatch appears when changing the order of a Runbook job.  
More information

88048

The Date/Time information in some of the columns of the Automation Console is presented with an incorrect order of the day and month.  
More information

88229

World writable permissions on the resamad.log are marked as violations by third party security scanners.  
More information

88250

Windows 10 21H2 - v2009 (19044.1348) is not detected when using as condition OS Windows 10.  
More information

88292

Using PowerCLI to manage a VMWare vCenter environment via Ivanti Automation results in the error: Could not load file or assembly 'Newtonsoft.Json'.  
More information

88341

Could not load file or assembly server error on opening Ivanti Automation Management Portal.  
More information

87107

Error during the creation of a building block: ERROR in modBuildingBlocks.FillCustomSettings: 91 - Object variable or With block variable not set.  
More information

 

The Automation Console connection registry values are changed when using Windows Authentication even though the user was not prompted to save them.  
More information

 

No error is presented when Windows Authentication is used and the impersonation is done using the logged on user instead of configured user.  
More information

 

The Automation Agent fails to auto update when the download of the new msi file takes too long.  
More information

**Release Notes for Ivanti Automation 2021 and older**

Ivanti Automation 2021 Release Notes

Ivanti Automation 2020 Release Notes

CVE-2022-44569: Ivanti Automation 2023.4 Release Notes

A security issue was discovered in kube-apiserver that allows an 
aggregated API server to redirect client traffic to any URL.  This could
 lead to the client performing unexpected actions as well as forwarding 
the client's API server credentials to third parties.


CVSS Rating: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L (5.1, medium)

A security issue was discovered in kube-apiserver that allows an aggregated API server to redirect client traffic to any URL. This could lead to the client performing unexpected actions as well as forwarding the client's API server credentials to third parties.

This issue has been rated medium and assigned CVE-2022-3172

**Am I vulnerable?**

All Kubernetes clusters with the following versions that are running aggregated API servers are impacted. To identify if you have aggregated API servers configured, run the following command:

kubectl get apiservices.apiregistration.k8s.io -o=jsonpath='{range .items\[?(@.spec.service)\]}{.metadata.name}{"\\n"}{end}'

**Affected Versions**

*   kube-apiserver v1.25.0
*   kube-apiserver v1.24.0 - v1.24.4
*   kube-apiserver v1.23.0 - v1.23.10
*   kube-apiserver v1.22.0 - v1.22.13
*   kube-apiserver <= v1.21.14

**How do I mitigate this vulnerability?**

Aside from upgrading, no direct mitigation is available.

Aggregated API servers are a trusted part of the Kubernetes control plane, and configuring them is a privileged administrative operation. Ensure that only trusted cluster administrators are allowed to create or modify APIService configuration, and follow security best practices with any aggregated API servers that may be in use.

**Fixed Versions**

*   kube-apiserver v1.25.1 - fixed by Automated cherry pick of #112193: Add an option for aggregator #112330
*   kube-apiserver v1.24.5 - fixed by Automated cherry pick of #112193: Add an option for aggregator #112331
*   kube-apiserver v1.23.11 - fixed by Automated cherry pick of #112193: Add an option for aggregator #112358
*   kube-apiserver v1.22.14 - fixed by Automated cherry pick of #112193: Add an option for aggregator #112359

**Fix impact:** The fix blocks all 3XX responses from aggregated API servers by default. This may disrupt an aggregated API server that relies on redirects as part of its normal function. If all current and future aggregated API servers are considered trustworthy and redirect functionality is required, set the --aggregator-reject-forwarding-redirect Kubernetes API server flag to false to restore the previous behavior.

To upgrade, refer to the documentation: https://kubernetes.io/docs/tasks/administer-cluster/cluster-upgrade

**Detection**

Kubernetes audit log events indicate the HTTP status code sent to the client via the responseStatus.code field. This can be used to detect if an aggregated API server is redirecting clients.

If you find evidence that this vulnerability has been exploited, please contact security@kubernetes.io

**Acknowledgements**

This vulnerability was reported by Nicolas Joly & Weinong Wang @weinong from Microsoft.

The issue was fixed and coordinated by Di Jin @jindijamie @enj @liggitt @lavalamp @deads2k and @puerco.

/area security  
/kind bug  
/committee security-response  
/label official-cve-feed  
/sig api-machinery  
/area apiserver  
/triage accepted

CVE-2022-3172: CVE-2022-3172: Aggregated API server can cause clients to be redirected (SSRF) · Issue #112513 · kubernetes/kubernetes

By Deeba Ahmed
Microsoft's new AI-powered Secure Future Initiative aims to assist governments, businesses, and consumers in combatting cybersecurity threats.
This is a post from HackRead.com Read the original post: Microsoft’s Secure Future Initiative Boosts Cybersecurity Against Advanced Attacks

Microsoft’s new AI-powered Secure Future Initiative aims to assist governments, businesses, and consumers in combatting cybersecurity threats.

Microsoft has announced its first-ever Secure Future Initiative to improve cybersecurity protection. This initiative will help government agencies, unsuspected users and organizations tackle cybercriminals and state-sponsored hackers with advanced response measures. The Secure Future Initiative consists of three pillars:

****AI-based cyber defences****

According to Microsoft, the future of cybersecurity is driven by artificial intelligence (AI). Therefore, the company invests heavily in innovative ways to detect and respond to cyberattacks.

Microsoft is planning to improve AI-based cyber defences in three key areas. These include threat intelligence, in which the company intends to use AI to detect/analyze cyber threats. Secondly, it will use AI to encourage analytical productivity by helping cybersecurity analysts to become more responsive. 

Thirdly, the company will utilize AI for endpoint protection by offering real-time protection against cyberattacks on endpoint services, including phones, laptops, and servers. Moreover, the company is committed to securing AI in its services based on Responsible AI principles and building more powerful AI-based protection for governments, countries, consumers, and organizations.

****Advances in fundamental software engineering:****

Through this initiative, Microsoft aims to improve its software security. In this regard, the company is developing new security technologies and incorporating security mechanisms into every phase of software development. This also entails three areas of improvement. 

Firstly, the company intends to develop a dynamic Security Development Lifecycle (dSDL) to integrate cybersecurity protection uninterruptedly to counter emerging threat patterns. It will encourage using AI-powered secure code analysis and GitHub Copilot to audit/test source code against advanced threats and offer secure default settings for MFA (multi-factor authentication) out-of-the-box.

Secondly, the company aims to strengthen identity protection against sophisticated attacks by introducing/applying the most advanced features and adopting a unified and consistent process that will verify and manage the identities and access rights of users, devices, and services across all platforms/products. 

Another addition will be making these capabilities freely available to non-Microsoft application developers. Microsoft also intends to migrate to a fully automated consumer/enterprise key management system to ensure that keys remain inaccessible even when underlying processes are compromised. Furthermore, the company will cut cloud vulnerability mitigation time by 50%.

****Advocacy for stronger application of international norms to protect civilians from cyber threats:****

According to Microsoft’s blog post, the company wants to promote international cooperation on cybersecurity. This initiative also entails advocacy for stricter norms to provide enhanced protection to innocent users against cyber threats.

To ensure this, Microsoft is calling for a new international norm that would make it illegal for governments to plant malware or create/exploit cybersecurity vulnerabilities in critical infrastructure providers’ networks. This new norm would recognize cloud services as critical infrastructure protecting against attacks under international law.

“We need governments to do more together to foster greater accountability for nation-states that cross these red lines,” the company noted.

What is an OSINT Tool – Best OSINT Tools 2023

CVSS v4.0 Released with New OT/ICS/IoT Support

Microsoft’s Windows File Recovery tool recovers your lost data

Microsoft’s new tool detects & reports pedophiles from online chats

Microsoft launches free Linux memory forensics tool for detecting malware

Microsoft’s Secure Future Initiative Boosts Cybersecurity Against Advanced Attacks

Here is what matters most when it comes to artificial intelligence (AI) in cybersecurity: Outcomes. 
As the threat landscape evolves and generative AI is added to the toolsets available to defenders and attackers alike, evaluating the relative effectiveness of various AI-based security offerings is increasingly important — and difficult. Asking the right questions can help you spot solutions

Here is what matters most when it comes to artificial intelligence (AI) in cybersecurity: Outcomes.

As the threat landscape evolves and generative AI is added to the toolsets available to defenders and attackers alike, evaluating the relative effectiveness of various AI-based security offerings is increasingly important — and difficult. Asking the right questions can help you spot solutions that deliver value and ROI, instead of just marketing hype. Questions like, "Can your predictive AI tools sufficiently block what's new?" and, "What actually signals success in a cybersecurity platform powered by artificial intelligence?"

As BlackBerry's AI and ML (machine learning) patent portfolio attests, BlackBerry is a leader in this space and has developed an exceptionally well-informed point of view on what works and why. Let's explore this timely topic.

****Evolution of AI in Cybersecurity****

Some of the earliest uses of ML and AI in cybersecurity date back to the development of the CylancePROTECT® EPP (endpoint protection platform) more than a decade ago. Predicting and preventing new malware attacks is arguably more crucial today, as generative AI helps threat actors rapidly write and test new code. The most recent BlackBerry Global Threat Intelligence Report uncovered a 13% surge in novel malware attacks, quarter over quarter. Preventing these attacks is an ongoing challenge but thankfully, the evolution in attacks is being met by an evolution in technology.

BlackBerry's data science and machine learning teams are dedicated to enhancing the performance of their predictive AI tools. Recent third-party tests confirm that Cylance ENDPOINT® successfully blocks 98.9% of threats by actively predicting malware behavior, even for new variants. This achievement is the result of a decade of innovation, experimentation, and evolution in AI techniques, including a shift from supervised human labeling to a composite training approach. This approach, which combines unsupervised, supervised, and active learning in both cloud and local environments, has been refined by analyzing extensive data over time, resulting in a highly effective model capable of accurately predicting and anticipating new threats.

****Temporal Advantage: Taking Time Into Account****

The quality and effectiveness of ML models are often discussed in terms of size, parameters, and performance. However, the critical aspect of ML models, particularly in cybersecurity, is their ability to detect and respond to threats in real-time. In the context of malware pre-execution protection, where threats must be identified and blocked before execution, the temporal aspect is crucial.

Temporal resilience, which measures a model's performance against both past and future attacks, is essential for threat detection. Temporal Predictive Advantage (TPA) is a metric used to assess a model's ability to perform over time, especially in detecting zero-day threats.

This testing involves training models with past malware classes and testing them against newer malware, validating their performance over time. This is particularly important for endpoints that are not always cloud-connected, where frequent model updates may not be feasible.

A model's reliance on frequent updates can indicate its immaturity. In contrast, BlackBerry Cylance's model has demonstrated a strong temporal predictive advantage, maintaining high detection rates without frequent model updates, as illustrated in the chart showing the TPA over months for the fourth-generation Cylance model.

Chart 1 — The temporal predictive advantage for the fourth-generation Cylance AI model reveals how long into the future protection continues without a model update – in this case for six to 18 months.

Protection continued for up to 18 months without a model update and reveals model maturity and precise model training. This does not happen by accident.

Mature AI Predicts and Prevents Future Evasive Threats has a novel ML model inference technology that sets it apart. It can deduce, or "infer" whether something is a threat, even when it has never seen it before. BlackBerry's approach utilizes a unique hybrid method of distributed inference, a concept conceived seven years ago, before the availability of ML libraries and model-serving tools. The result of this approach is our latest model, which represents the pinnacle of innovation and improvements over the many generations of this technology.

****Predicting Malware: The Most Mature Cylance Model****

Built upon vast and diverse datasets with extensive malware behavior insights, our latest model surpasses all previous versions in performance, particularly in temporal predictive advantage. With over 500 million samples and billions of features evaluated, BlackBerry Cylance AI delivers outstanding results and operates with impressive speed for distributed inference.

As we continue to advance in applying ML to cybersecurity, our commitment to innovation remains strong. Given the increasing use of AI by adversaries, it's essential to prioritize effective defensive cybersecurity measures that yield meaningful outcomes.

With a multi-year predictive advantage, Cylance AI has protected businesses and governments globally from cyberattacks since its inception. BlackBerry's Cylance AI helps customers stop 36% more malware, 12x faster, and with 20x less overhead than the competition These outcomes demonstrate that not all AI is created the same. And not all AI is Cylance AI.

_Want to learn more about predictive AI? Click_ **_here_** _to read the detailed BlackBerry research article and explore related content and for similar articles and news delivered straight to your inbox,_ _subscribe to the_ **_BlackBerry Blog_**_._

****Related Reading****

*   BlackBerry Supports Canada's Voluntary Code of Conduct for Generative AI
*   Microsoft Defender vs. CylanceENDPOINT®
*   Why Are So Many Organizations Banning ChatGPT?
*   Tolly Test Report on BlackBerry CylanceENDPOINT

**Note -** This article has been expertly written by Shiladitya Sircar, SVP, Product Engineering & Data Science at BlackBerry, where he leads Cyber Security R&D teams.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Predictive AI in Cybersecurity: Outcomes Demonstrate All AI is Not Created Equally

An issue was discovered in the Boomerang Parental Control application through 13.83 for Android. The child can use Safe Mode to remove all restrictions temporarily or uninstall the application without the parents noticing.

**Full Disclosure mailing list archives****SEC Consult SA-20230628-0 :: Stored XSS & Privilege Escalation in Boomerang Parental Control App**

_From_: "SEC Consult Vulnerability Lab, Research via Fulldisclosure" <fulldisclosure () seclists org>  
_Date_: Wed, 28 Jun 2023 07:29:21 +0000  

SEC Consult Vulnerability Lab Security Advisory < 20230628-0 >
=======================================================================
               title: Stored XSS & Privilege Escalation
             product: Boomerang Parental Control App
  vulnerable version: <13.83
       fixed version: >=13.83 (only issue 1), rest not fixed
          CVE number: CVE-2023-36620, CVE-2023-36621
              impact: High
            homepage: https://nationaledtech.com
               found: 2022-09-29
                  by: Fabian Densborn (Office Vienna)
                      Bernhard Gründling (Office Vienna)
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Eviden business
                      Europe | Asia

                      https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"National Education Technologies Inc. is a manufacturer of mobile
applications. Their portfolio ranges from parental control apps, to
safe browsing apps, to digital wellbeing apps."

Source: https://nationaledtech.com

Business recommendation:
------------------------
The vendor only provides an update for one of the identified security issues,
but it effectively reduces the risk of some of the other vulnerabilities, which
are currently not fixed yet. The vendor could not provide a timeline when the
rest of the issues will be patched.
If possible, limit the possibility to boot into Android safe mode. Otherwise
children are always able to bypass any restrictions.

An in-depth security analysis performed by security professionals is
highly advised, to identify and resolve potential further critical security
issues.


Vulnerability overview/description:
-----------------------------------
1) ADB Backup allowed (CVE-2023-36620)
The app is missing the android:allowBackup="false" attribute in the
manifest which allows the user to backup the internal memory of the
app to a PC. This gives the user access to the device (in case ADB is enabled)
and API token which are used to authenticate requests to the API.

2) Stored XSS
The customizable name of the child's device can be used to trigger a XSS
payload in the parent web dashboard. Children might be able to attack
their parents' account.

3) Trigger parent control functions from child device (Privilege Escalation)
A device token in the form of a UUID is used as a session token for the parent
and the child device. The parent device token is leaked on an endpoint which
is accessible by the child, which is equivalent to leaking the session token.
This token can then be used to authenticate requests to the API and get the same
access rights as the parent. This would allow a child to bypass restrictions
and access device settings.

4) Disable Child App Restriction without Parent's notice (CVE-2023-36621)
The child can remove all restrictions temporarily or uninstall the application
without the parents noticing.


Proof of concept:
-----------------
1) ADB Backup allowed (CVE-2023-36620)
The internals of the app can be backed up to a PC by connecting the device
and running the following commands. As a prerequisite, the ADB feature
must be enabled or being used via recovery. Children could bypass any Android
setting restrictions via vulnerability 3).

--------------------------------------------------------------------------------
adb backup -apk com.nationaledtech.Boomerang
dd if=backup.ab bs=24 skip=1 | zlib-flate -uncompress | tar xf -
--------------------------------------------------------------------------------

The internal data contains the device and API token which are used to
communicate with the API.


2) Stored XSS
As the internal memory including the device and API token is backup-able (see 1),
it is possible to construct arbitrary requests to the API in the name
of the child. The following payload can be used to change the device name
and trigger an alert box in the dashboard of the parent:

--------------------------------------------------------------------------------
POST /services/DeviceService.svc/RenameDevice HTTP/1.1
Accept: application/json
Content-Type: application/json;charset=UTF-8
Content-Length: 1470
Host: app.useboomerang.com

{
     "DeviceToken": <child-device-token>,
     "ApiToken": <child-api-token>,
     "DeviceTitle":"\\"\\/><img src=\\"x\\" onerror=\\"alert(1)\\"\\/>",
     "TargetDeviceToken": <child-device-token>
}
--------------------------------------------------------------------------------


3) Access parent control functions from child device (Privilege Escalation)
When visiting the Family Messenger Tab within the application on the device, a GET
request to API endpoint \`/services/FamilyService.svc/GetAllFamilyDevices\` will be
sent and the response contains all DeviceTokens associated with the account
(including the ones of parent devices).

To be able to query the \`/services/FamilyService.svc/GetAllFamilyDevices\`
endpoint an attacker first needs to backup their device and get access to their
own device and API token. Then an attacker is able to create their own request
querying the device token of the parent.

--------------------------------------------------------------------------------
POST /services/FamilyService.svc/GetAllFamilyDevices HTTP/1.1
Accept: application/json
Content-Type: application/json;charset=UTF-8
Content-Length: 54
User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 4a Build/RQ2A.210305.006)
Host: app.useboomerang.com
Connection: close
Accept-Encoding: gzip, deflate

{"DeviceToken":"<child-token>"}
--------------------------------------------------------------------------------

Response:
--------------------------------------------------------------------------------
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Connection: close
Content-Length: 450

{
        "content":null,
        "isSuccessful":true,
        "Devices":\[
                {
                        "DeviceToken":"\[parent-token\]",
                        \[...\]
                }
        \]
}
--------------------------------------------------------------------------------

With the DeviceToken of the parent, the API token can be retrieved from the
\`/services/DeviceService.svc/UpdateStatus\` endpoint:

--------------------------------------------------------------------------------
POST /services/DeviceService.svc/UpdateStatus HTTP/1.1
Host: app.useboomerang.com
Accept: application/json
Content-Type: application/json
User-Agent: Boomerang/234 CFNetwork/1240.0.4 Darwin/20.5.0
Accept-Language: en-us
Content-Length: 55
Accept-Encoding: gzip, deflate
Connection: close


{"DeviceToken": <parent-token>,}
--------------------------------------------------------------------------------

As the device token combined with the API token are used to authenticate requests
to the API, the child now has the same access rights as the parent.


4) Disable Child App Restriction without Parent's notice (CVE-2023-36621)
The child can disable the restrictions of the application without the parents
noticing. For this, the following steps are necessary:
a) Turn off Internet connectivity on the child device or block access to the
    API server (e.g. on the router).
b) Reboot into Android Safe Mode.
c) Disable Device Admin, "Display over other apps", Usage Access, Accessibility
    Permissions for the app in Android settings.
d) After rebooting in to normal mode, the child device can be used without
    restrictions. For example, previously locked apps can now be used. The parent's
    application will show that Protection is still on and the last check-in time.
    Internet must stay off on the child device during this.
e) After usage of the restricted apps is finished, the mentioned permissions are
    turned back on.
f) The device is restarted to clear any cached HTTP requests of the app that might
    inform the parent.
g) Internet is re-enabled. The parent's device will not see an indication of these
    activities on their device.

Alternatively, the Boomerang app can also be uninstalled after disabling the Device
Admin permission in step 3. Internet can then be turned on as well on the child's
device without any notification to the parent. The only way for the parent to notice
this would be to manually check the last check-in time.

The "Safe Mode Bypass" cannot be exploited on Samsung KNOX capable devices, as
special restrictions can be set in order to disable booting into safe mode.


Vulnerable / tested versions:
-----------------------------
The following version has been tested and downloaded from the Google Play store,
which was the most recent version available at the time of the initial test:
\* Android app version 13.53

Later on, version 13.61 (2022-10-25) and 13.68 (2022-12-13) have been verified to be
vulnerable as well.


Vendor contact timeline:
------------------------
2022-11-23: Contacting vendor through support () useboomerang com and
             support () nationaledtech com
2022-11-23: Response from vendor: "We got your email but can't
             understand it - maybe it was sent by accident? How can we help?"
2022-11-24: Explaining that our email was no accident and that we want
             to send our security advisory over encrypted channels to the vendor .
             No response.
2022-12-05: Notifying vendor again that we found critical security
             issues and where to send the advisory to.
             No response.
2022-12-15: Still no response, informing vendor again about the planned
             release date of 12th January, informing them that a blog post
             is planned with an overview about security issues in
             parental control apps for next week.
2022-12-15: Vendor response: "Hi. I can't understand this attachment. What
             is the issue?"
2022-12-16: Explaining "responsible disclosure" to the vendor again, asking
             where to send the advisory and that a blog post is planned, as
             well as the advisory release for 12th January.
2022-12-20: Published blog post (https://r.sec-consult.com/parents), asked
             vendor again where to send the security advisory.
2022-12-21: Vendor reply, please send advisory via email. Seems like all
             previous answers from the vendor were not properly received
             (mail server problem).
2022-12-21: Advisory was sent to vendor.
2023-01-11: Advisory was sent directly to mail addresses of vendor, not via
             support mail address. Vendor confirms receipt now.
2023-02-14: Asking for a status update; no response.
2023-02-28: Asking for a status update again, vendor answers that "some issues"
             have been fixed but they are still checking what is pending.
2023-03-02: Vendor responds that local backup vulnerability will be fixed soon,
             backend changes are reviewed, no timeline.
2023-05-09: Asking for a status update, informing vendor about security advisory
             release plan for May.
2023-05-19: Vendor: Only local backup vulnerability is fixed, backend parts
             are on the roadmap.
2023-05-22: Asking about a timeline/estimation for this roadmap to fix the backend
             vulnerabilities and which version includes the fix for issue 1).
2023-05-30: Vendor: latest version on Google Play v13.83 has ADB backup fix
2023-05-31: Sending current advisory version to vendor, setting preliminary
             release date to end of June, asking for timeline again, asking whether
             there are any issues in incorporating the fixes for the other
             vulnerabilities.
             No response.
2023-06-28: Release of security advisory.


Solution:
---------
According to the vendor, only issue 1) has been fixed in version 13.83, the other security
issues are still not fixed yet. Please contact the vendor for further information
regarding their timeline.


Workaround:
-----------
Be aware that children might be able to bypass any imposed restrictions.
If possible, disable booting into Android Safe Mode which works on Samsung Knox-
enabled smart phones.


Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Eviden business
Europe | Asia

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Eviden business. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec\_consult

EOF F. Densborn, B. Gründling / @2023
\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

**Current thread:**

*   **SEC Consult SA-20230628-0 :: Stored XSS & Privilege Escalation in Boomerang Parental Control App** _SEC Consult Vulnerability Lab, Research via Fulldisclosure (Jul 07)_

CVE-2023-36621: Stored XSS & Privilege Escalation in Boomerang Parental Control App

Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

CVE-2023-36034

CVE-2023-36022

Microsoft Edge (Chromium-based) Spoofing Vulnerability

CVE-2023-36029

By Waqas
Software is the backbone of modern technology, serving various purposes across different sectors. The vast array of software…
This is a post from HackRead.com Read the original post: Exploring Software Categories: From Basics to Specialized Applications

Software is the backbone of modern technology, serving various purposes across different sectors. The vast array of software types caters to the complex and specific needs of users, ranging from basic applications to highly specialized programs.

Understanding the different categories of software and their respective uses is integral to learning and understanding the technological advances and their vast applications in our daily lives.

1.  **System Software:** System software forms the foundation of computer systems. Operating systems like Windows, macOS, and Linux are vital in managing hardware resources, providing essential services to other software, and enabling users to interact with their devices. Without these operating systems, applications wouldn’t function.
2.  **Application Software:** This category covers an extensive range of programs designed to perform specific tasks for users. From productivity suites like Microsoft Office and Google Workspace for creating documents, spreadsheets, and presentations to web browsers such as Chrome, Firefox, and Safari for accessing the internet, application software encompasses tools that support everyday activities.
3.  **Programming Software:** Programming software is used by developers to create other software. This includes text editors, compilers, debuggers, and integrated development environments (IDEs) that aid in writing, testing, and debugging code. Examples include Visual Studio, Eclipse, and Sublime Text.
4.  **Driver Software:** Drivers facilitate communication between the operating system and various hardware components, ensuring that devices like printers, scanners, and graphics cards work seamlessly with the computer. They provide the necessary instructions for the system to recognize and operate connected hardware.
5.  **Utilities:** Utilities encompass a wide range of software designed for system maintenance and optimization. These tools perform tasks like disk cleanup, antivirus scans, data backup, and file compression, ensuring smooth system operations and data security.
6.  **Middleware:** Middleware acts as an intermediary between different applications, enabling seamless communication and data management across multiple systems. It is used extensively in enterprise environments and in connecting disparate systems to streamline business processes.
7.  **Firmware:** Embedded into hardware devices, the firmware provides low-level control for the specific functions of the device. It’s integral to the functioning of devices such as routers, modems, and IoT (Internet of Things) devices.
8.  **Embedded software**: Embedded software refers to computer programs or software that are specifically designed to perform specific functions within a larger mechanical or electrical system. These programs are typically written to control or monitor the operation of embedded systems, which are specialized computing systems that perform dedicated functions within a larger system. Embedded software is commonly found in various devices and systems such as consumer electronics, automotive systems, industrial machines and equipment medical devices, aerospace and defense systems.

Each type of software serves distinct purposes, contributing to the advancement of technology in various fields:

**In business and industry**, Enterprise Resource Planning (ERP) software integrates various processes like finance, human resources, and supply chain management. Customer Relationship Management (CRM) software helps businesses manage interactions with customers and potential customers.

**Educational software** supports learning and teaching in classrooms and at home, offering interactive tools for various subjects and educational levels.

**Healthcare software** aids in patient management, electronic health records, diagnostic tools, and medical research.

**The entertainment industry** thrives on multimedia software for content creation, editing, and production, including video editing, animation, and music composition software.

The wide variety of software types highlights how much technology affects our daily lives. From handling simple computer tasks to running complex business operations, the software keeps changing and getting better, propelling advancements and developing how we engage with the world. Knowing about different kinds of software and what they do is essential in keeping up with the ever-growing world of technology.

****_RELATED ARTICLES_****

1.  Crucial Cybersecurity Software Features
2.  What Is Incident Management Software?
3.  The Role of Software Escrow in Mitigating Business Risks
4.  Antivirus Software: The Best Deals, Coupons and Discounts
5.  Integrating Pay-Per-Minute Chat Software in Customer Service

Exploring Software Categories: From Basics to Specialized Applications

The Arid Viper threat actor is actively trying to install spyware on targeted devices in the Middle East, using fake dating apps as lures.

Thursday, November 2, 2023 14:11

Windows CE — an operating system that, despite being out for 27 years, never had an official explanation for why it was called “CE” — finally reached its official end-of-life period this week. 

This was Microsoft’s first operating system for embedded and pocket devices, making an appearance on personal pocket assistants, some of the first BlackBerry-likes, laptops and more during its lifetime.  

In 2020, Microsoft announced a clear migration path for devices using Windows CE and warned of its impending end-of-life (meaning there’d be no more support, security patches, etc.) by telling users to run a container on top of Windows 10 IoT. 

However, Microsoft says it will continue license sales for Windows Embedded Compact 2013 (the last time Windows CE received a full version update until 2028). I’ve written before about the dangers of people thinking it’s cool to still run Windows 7, which was already a surprise to me, but then by reading more about Windows CE this week, I found that some of the most important hardware the U.S. relies on still use Windows CE: voting machines. 

A Windows CE phone was at the center of the “Hillary Clinton emails” drama during the 2016 presidential election, and since then, security researchers have found that some voting machines using Windows CE are vulnerable to various exploits.   

I found one DEF CON 25 attendee in 2017 who went to the conference’s first-ever “Voting Village” where researchers poked and prodded various voting systems, including the ExpressPoll 5000 voter registration system that used Windows CE 5.0. Needless to say, the ExpressPoll 5000 didn’t stand a chance. 

I couldn’t find any information on if there are still any ExpressPoll 5000s in the wild, but the Maryland State Board of Elections was still accepting the devices into their pool of devices that could be certified to be used in elections with an “acceptance test” as of 2016. 

Other Diebold voting machines used in the 2016 presidential election also ran outdated versions of Windows CE. (Vice News had a video segment on this topic that’s since been scrubbed from the internet, but there’s a great written recap of the segment here.)  

Again, there is no real proof that these systems are still being used in the wild. After the security concerns stemming from the 2016 election, the U.S. took a much tougher look at election security and continues to invest heavily in more secure voting machines, so there’s a possibility these devices are all now out of service, patched, or hopefully just buried in a ditch somewhere.  

But it does get to a larger point, that a lot of the technology our government relies on is \*old\*. Many voting systems used in the 2020 presidential election relied on Windows 7, which also is now at its end-of-life and isn’t receiving any security updates. Support for Windows 8.1 ended at the beginning of this year, and who knows what devices are floating out there still using versions of that OS, and Windows 10 will reach its end-of-life period in October 2025, so by the time we get to the 2028 election (I can’t even fathom that as a real year still), I suspect we’ll be seeing lots of stories of all the voting devices relying on that.  

**The one big thing **

The Arid Viper threat actor is actively trying to install spyware on targeted devices in the Middle East, using fake dating apps as lures. Although Arid Viper is believed to be based out of Gaza, Talos has no evidence indicating or refuting that this campaign is related in any way to the Israel-Hamas war. The malicious apps Arid Viper uses are very similar to other legitimate apps, so it’s fairly easy for an unsuspecting user to get hit.  

**Why do I care? **

Spyware is very dangerous no matter how you twist it, but in this particular case, Arid Viper’s spyware collects the target’s sensitive personal information off their devices and disables security notifications so the actor can install more malware. The use of spyware across the globe continues to be a major issue that governments have had a hard time reigning in (and sometimes the governments themselves are the ones using it). 

**So now what? **

Our blog post has more details on the malicious apps being used in this campaign, so potential targets know what to be on the lookout for. We also have several new IOCs available for defenders to add to their blocklists. Potentially sensitive targets like politicians, journalists or activists may want to enable “safe” modes on their mobile devices, which can help protect against all types of spyware.  

**Top security headlines of the week **

**U.S. President Joe Biden signed a sweeping Executive Order this week attempting to regulate the use of AI and put several privacy safeguards in place.** The order also calls on Congress to pass national AI privacy legislation. Under the new rules, leading AI developers will need to share safety test results and other information about their software with the government. The National Institute of Standards and Technology will also create new standards to ensure AI tools are safe and secure before they’re publicly released. Federal agencies will now also need to change the way they use AI, with the hopes that the private sector will follow suit. Federal benefits programs and contractors will need to ensure that any AI tools they rely on do not deepen any racial biases in their activities. However, privacy experts only view the Executive Order as a small first step that needs to be augmented by national legislation and enforcement. (AP News, ABC News) 

**The U.S. government is preparing for an influx of Iranian-backed cyber attacks in retaliation for the U.S.’ support of Israel in its war against Hamas.** FBI Director Christopher Wray told a Congressional committee this week that, “The cyber targeting of American interests and critical infrastructure that we already see conducted by Iran and non-state actors alike we can expect to get worse if the conflict expands.” New research also indicates that Iranian threat actors have carried out a range of cyber espionage activities across the Middle East, looking to collect sensitive intelligence and disrupt important services. There may be up 15 different hacking groups affiliated directly with, or serving as a proxy for, the Iranian Revolutionary Guard Corps or the Iranian Ministry of Intelligence. (Politico, The New York Times) 

**Cloud computing company Citrix is warning of the mass exploitation of a critical vulnerability in its NetScaler ADC/Gateway devices.** Known as “Citrix Bleed,” CVE-2023-4966 is an information disclosure vulnerability that could allow attackers to steal valid session tokens from internet-facing Netscaler devices running vulnerable software. Citrix disclosed the vulnerability on Oct. 10, warning users to update affected devices immediately. However, security researchers soon found that attackers had been exploiting the vulnerability since August. Researcher Kevin Beaumont reported on his personal social media channels that he found an estimated 20,000 instances of exploited Citrix devices where session tokens were stolen. (HelpNet Security, Ars Technica) 

**Can’t get enough Talos? **

*   Beers with Talos Ep. #140: Chicken Soup and Contact Centers 
*   Talos Takes Ep. #160: Patching 101 
*   Cisco Talos Incident Response On Air for Q3 2023 
*   Arid Viper Campaign Targets Arabic-Speaking Users 
*   Kazakhstan-based hackers targeting gov’t websites in Central Asia, Cisco says 

**Upcoming events where you can find Talos **

**Black Hat Middle East and Africa** **(Nov. 16)** 

Riyadh, Saudi Arabia 

> _Rami Atalhi from Talos Incident Response will discuss how generative AI affects red and blue teams in cybersecurity. Discover how generative AI creates a bridge between these teams, fostering teamwork and innovative strategies. Real-world cases will demonstrate how generative AI drives success, providing insights for building resilient cybersecurity plans._ 

**misecCON** **(Nov. 17)** 

Lansing, Michigan 

> _Terryn Valikodath from Talos Incident Response will deliver a talk providing advice on the best ways to conduct analysis, learning from his years of experience (and mishaps). He will speak about the everyday tasks he and his Talos IR teammates must go through to properly perform analysis. This talk covers topics such as planning, finding evil, recording findings, correlation and creating your own timelines._ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256: 21d709b0593c19ad2798903ae02de7ecdbf8033b3e791b70d7595bca64b99721**   
**MD5:** af8a072f20c8e647f53eb735528f070d   
**Typical Filename:** Head Office.exe   
**Claimed Product:** Head Office   
**Detection Name:** Win.Dropper.Pykspa::100.sbx.vioc 

**SHA 256:** 032f2e845d2b9832c7845bc6a7de650ee2148891c8ee442fe3f3a8478e588dbe   
**MD5:** a5cc0738a563489458f6541c3d3dc722   
**Typical Filename:** wuauclt.exe   
**Claimed Product:** Microsoft® Windows® Operating System   
**Detection Name:** Win.Dropper.Vools::100.sbx.tg 

**SHA 256:** 8664e2f59077c58ac12e747da09d2810fd5ca611f56c0c900578bf750cab56b7    
**MD5:** 0e4c49327e3be816022a233f844a5731    
**Typical Filename:** aact.exe    
**Claimed Product:** AAct x86    
**Detection Name:** PUA.Win.Tool.Kmsauto::in03.talos 

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c      
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c      
**Typical Filename:** AAct.exe      
**Claimed Product:** N/A        
**Detection Name:** PUA.Win.Tool.Kmsauto::1201 

**SHA 256:** b9ddbd1a4cec61e6b022a275d66312b5b676f9a0a9537a7708de9aa8ce34de59   
**MD5:** 3b100bdcd61bb1da816cd7eaf9ef13ba   
**Typical Filename:** vt-upload-C6In1   
**Claimed Product:** N/A    
**Detection Name:** Backdoor:KillAV-tpd

Tag

#microsoft