**What privileges could be gained by an attacker who successfully exploited this vulnerability?**

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

CVE-2024-35250: Windows Kernel-Mode Driver Elevation of Privilege Vulnerability

**According to the CVSS metric, the attack vector is adjacent (AV:A). What does that mean for this vulnerability?**

Exploiting this vulnerability requires an attacker to be within proximity of the target system to send and receive radio transmissions.

CVE-2024-30075: Windows Link Layer Topology Discovery Protocol Remote Code Execution Vulnerability

**What type of information could be disclosed by this vulnerability?**

An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory.

CVE-2024-30069: Windows Remote Access Connection Manager Information Disclosure Vulnerability

In response to recent public outcry, Recall is getting new security accouterments. Will that be enough to quell concerns?

Source: Photo 12 via Alamy Stock Photo

Microsoft is adding new security measures to assuage widely publicized concerns over its new "Recall" AI feature. Some, though, still aren't convinced the company went far enough.

It's now just eight days until Microsoft releases Recall, a new artificial intelligence (AI)-driven program that will periodically take, store, and analyze screenshots of Copilot+ PCs as they're being used day-to-day. Recall is supposed to act like a kind of memory bank, allowing users to instantly find and reference things they've come across recently: apps, websites, images, and documents.

From the outset, Recall has been criticized as a potential goldmine for personal data theft. The noise got loud enough that, on Friday, Microsoft announced three new security-oriented updates for it:

*   In a reversal of its initial stance, Microsoft will now ship Recall turned off by default.
    
*   Users will need to enroll in Windows Hello in order to enable it, and so-called "proof of presence" will be required to use its primary features.
    
*   Recall data will be encrypted, and only decrypted and accessible once a user authenticates via Windows Hello.
    

Though they may represent a step in the right direction, experts remain skeptical that these changes will be enough to protect users' most sensitive passwords, photos, personally identifying information (PII), and financial information from hackers.

**Risks in Recall: A Case Study**

Many security experts cringed when Recall was announced, but few more than Marc-André Moreau, CTO of Devolutions. He worried that Windows' newest toy would inevitably capture and store visible passwords from his company's software for managing remote connections. With such passwords in hand, hackers would be able to easily connect to and manipulate any victim PC.

"Looking at documentation for how Recall works," he recalls, "it literally said that it wouldn't make an effort of removing sensitive information, credentials, or PII — anything which you would want scraped out, it would just keep in local files."

Microsoft's logic, it seemed, was that because Recall screenshots were stored only on the user's machine, they would remain safe from remote access. "Microsoft has this new chip which makes it possible to do the processing locally, and they thought that everybody would be fine since the data isn't uploaded to the cloud," Moreau explains. "But you wouldn't install a keylogger on your machine just because the files are stored locally. Files can be grabbed by malware. So why would you enable Recall?"

To demonstrate the point, he performed a simple red team exercise. In his telling, "I didn't have to do much. I just set up an environment, used some tool that somebody made online to force-install it, and then I installed \[Devolutions'\] Remote Desktop Manager. I clicked 'view password,' then 'record,' and then I found the database. I opened it, and I could see the extracted password alongside the screenshot that includes the password."

> Here's Recall capturing temporarily visible passwords from Remote Desktop Manager in a test Azure VM. It's less effective that I would have thought, the search results are screenshots, and it's unclear how one can obtain the full OCR text it used for the match pic.twitter.com/RUiLs57bKz  
> — Marc-André Moreau (@awakecoding) June 3, 2024

Other researchers have also found simple ways of accessing sensitive data in Recall screenshots. One has already developed and released an open source tool to help speed up the job.

To try to protect his customers, Moreau next looked for a way to exclude his company's software from Recall by default. He came up short.

**Are Microsoft's New Updates Enough?**

Users will have more control over their data privacy now, thanks to Microsoft's turning off Recall by default.

Moreau is skeptical, though, that Windows Hello can be fully and properly integrated into Recall without delaying its preview release, which is mere days away. "I'm in software, things don't happen that fast," he says.

Dark Reading reached out to Microsoft for comment on how it will be able to marry Windows Hello and Recall in time for June 18. In response, Microsoft said in a statement: "As we shared in our May 3 blog, security is our top priority at Microsoft, in line with our ⁠Secure Future Initiative (SFI), and we are evaluating Recall through that lens. As we implement SFI across Microsoft, we may shift some feature release dates and will update our public roadmaps as this happens."

In the barely a month since that blog post, and Satya Nadella's letter "prioritizing security above all else," for some critics, Recall recalls other AI products that are getting rushed to market.

Ironically, AI could well solve these programs' most pressing security flaws. "I could upload a Recall screenshot to ChatGPT today and tell it to identify the data which looks sensitive, and it will be able to," Moreau notes. "They could have used their AI chip to help solve this \[data leakage\] but they didn't even try. They were too eager to ship."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Microsoft Modifies 'Recall' AI Feature Amid Privacy, Security Failings

The threat environment will continue to grow in complexity. Now is the time for organizations to streamline how they manage and mitigate overlooked vulnerabilities.

Source: Stephen Parker via Alamy Stock Photo

According to Coalition's research, Common Vulnerabilities and Exposures (CVEs) are expected to increase by 25% in 2024 to a shocking height of 34,888 vulnerabilities, or roughly 2,900 per month. As attack surfaces continue to expand rapidly, business leaders face mission-critical choices in increasing their cyber defenses to improve vulnerability warning, patch management, and incident response.

Through our honeypot data and view into our cyber insurance policyholders' attack surfaces, security tools, and workflows, Coalition has identified the key technology choices that place businesses at risk — as well as the choices that are proving most effective.

**Short-Sighted Business Choices**

Several factors contribute to the current state of weak vulnerability management, making organizations more susceptible to cyberattacks.

First, companies often leave security teams under-resourced and overworked. These cyber workforce challenges — from worker shortages and cyber skill gaps to security burnout — continue weighing down security teams. Information security professionals are enduring extreme alert fatigue, inhibiting their ability to quickly track, patch, and remediate vulnerabilities.

Second, choosing to use disparate flagging systems keeps critical information on the latest threats siloed. Companies and their customers are at risk because key resources are managed separately: The National Institute of Standards and Technology's (NIST) Common Vulnerability Scoring System (CVSS) scores, the Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) Catalog, and miscellaneous (and often belated) security advisories from vendors all come from distinct sources. The onus then is transferred to each organization to stay on top of all these different information sources. Worse, now that NIST is facing major backlog issues, its National Vulnerability Database can no longer be seen as a source of truth, complicating the picture further.

Third, companies don't always put business resources into closing the talent gap. ISC2 found that while the cybersecurity workforce grew 8.7% year over year in 2023, the workforce gap grew an additional 12.6%. Supply is outpacing demand, and security teams are simply strapped.

Finally, choosing to ignore technical debt keeps old and outdated software a high-risk target. Legacy technologies and companies' massive lists of technology subscriptions not only take up security budgets, but they also expand businesses' attack surfaces. Many businesses don't have the budget to explore new security tools or approaches because they are weighed down by technical debt.

**Risky Technical Choices**

Security teams must make smarter choices about the overlooked risks threat actors continue to successfully target and exploit year after year: unpatched vulnerabilities, Internet-exposed technologies, and end-of-life (EOL) technology.

First, understand that vulnerabilities can turn seemingly small software flaws into active attacks, so putting off patching is a risky decision. In a recent example, a nation-state attack from a North Korean threat group targeted a Windows zero-day vulnerability left unpatched for six months. This vulnerability's scale and business impacts are still unknown but pose a massive, ongoing risk for organizations.

Second, organizations need to pay more attention to their easily exploitable, Internet-exposed technologies. For example, Coalition found scans from unique IP addresses looking for Remote Desktop Protocol (RDP) increased by 59% from January 2023 to October 2023, indicating that cybercriminals are still targeting this vulnerable technology to gain operating system access.

Finally, companies often decide to keep outdated and EOL technologies running until they break down completely — or get penetrated. Threat actors upped their attacks on outdated, out-of-date software this last year. Coalition's report found that 10,000 businesses are running EOL database Microsoft SQL Server 2000, while over 100,000 businesses are running EOL Microsoft SQL servers. If left unaddressed, outdated technology and technical debt will cost organizations in the US trillions of dollars in the coming years.

As threat actors continue to search for the easiest risks to exploit and monetize, strengthening an organization's cyber resilience can be as simple as identifying the most easily addressable risks.

**Smarter Choices for Security Teams**

Our research shows that choosing to implement a few leading solutions improves vulnerability management and will continue to do so in the foreseeable future.

First, security professionals can leverage threat intelligence tools, like honeypots, to identify hackers' tactics, techniques, and procedures. These tools help serve as an early warning system for new threats. For example, Coalition uncovered cybercriminal activity related to the 1,000% 2023 MOVEit vulnerability spike in mid-May, two weeks before Progress Software and CISA issued their advisories. This early alerting helped our policyholders remediate the vulnerability and avoid related cyber incidents and impending cyber insurance claims. Meanwhile, the vulnerability cost the broader cyber ecosystem $15.6 billion.

Second, defenders should employ artificial intelligence (AI) to help them generate and contextualize alerts across the security ecosystem. While the cyber industry works to overcome the cybersecurity risks of AI, vendors are also finding new ways to battle adversaries with the technology. For example, Coalition's Exploit Scoring System incorporates multiple data sets and analyzes them with AI to help companies manage and prioritize risk mitigation.

Finally, remember to pair continuous threat detection and response management with a human traffic guard. The human power of security teams will lift cogent businesses over risky ones. While AI and machine learning are key to catching vulnerabilities, patching with intelligence requires people — strategic human partners who can act on the AI's automated insights.

**About the Author(s)**

Vice President of Research, Coalition

Tiago Henriques has had a rich career across the cybersecurity industry as an entrepreneur, CEO, pen tester, security analyst and auditor. In 2015 he founded BinaryEdge, a cybersecurity company specializing in enterprise infrastructure scanning and attack surface management. Since Coalition's acquisition of BinaryEdge in 2020, Tiago led customer security efforts across the organization as Director of Engineering for Security, recently becoming Vice President of Research.

Making Choices that Lead to Stronger Vulnerability Management

Cryptocurrency users beware: A malicious ComfyUI node steals sensitive data like passwords, crypto wallet addresses, etc. Stay safe…

Cryptocurrency users beware: A malicious ComfyUI node steals sensitive data like passwords, crypto wallet addresses, etc. Stay safe by using reputable sources and enabling two-factor authentication.

Cryptocurrency enthusiasts, beware! Security researchers at VPNMentor have reported a malicious custom node on the popular Stable Diffusion user interface_,_ ComfyUI to steal sensitive data like passwords, credit card details, and crypto wallet addresses.

According to VPNMentor’s report shared with Hackread.com, this malicious custom node, dubbed “ComfyUI\_LLMVISION,” has been uploaded by a user named “u/AppleBotzz” on Reddit, and is potentially putting users at risk by stealing sensitive data.

Another Reddit user, u/\_roblaughter\_, discovered and reported it after noticing login attempts on their accounts after installing the compromised node.

For your information, the ComfyUI interface is designed for workflow customization and productivity enhancement, enhancing user experience and productivity when working with the powerful AI text-to-image generation model. It, by default, uses Python-built mini-programs called custom nodes to extend its functionality, automate tasks, perform computations, or connect to external services not natively supported by ComfyUI.

“ComfyUI\_LLMVISION” presents itself as a user-friendly ComfyUI extension but in reality, it is programmed to steal sensitive data like passwords, credit card details, and browsing history, and transfer it to the attacker’s Discord server.

According to VPNMentor’s investigation, ComfyUI\_LLMVISION’s installation on ComfyUI forces the Python package manager to install several packages, including malicious versions of OpenAI and anthropic Python. 

Within these limitations, a function runs an encoded PowerShell command, which downloads the third stage of the malware and runs it. The second stage can steal crypto wallets, screenshot the user’s screen, steal device information, get IP info, and steal files with specific keywords or extensions.

It becomes hard to detect since it is concealed within custom install files for OpenAI and Anthropic libraries. However, it must be noted that ComfyUI remains secure. 

The incident highlights the need for caution when integrating third-party components into AI workflows. Recent developments, like the sale of FraudGPT or WormGPT and hijacked Bing chat responses, show the versatile nature of risks associated with AI advancements.

To protect against risks associated with open-source, third-party AI tools, exercise caution when downloading and installing custom nodes or extensions, prefer reputable repositories and developers, regularly scan systems for malware, and use strong, unique passwords for all online accounts. Enabling two-factor authentication can further enhance security. 

1.  VMCONNECT: Malicious PyPI Package Mimick Python Tools
2.  AMOS Stealer Variant Targets Safari Cookies, Crypto Wallets
3.  New Malware “BunnyLoader 3.0” Steals Credentials and Crypto
4.  Python in Threat Intelligence: Analyzing, Mitigating Cyber Threats
5.  JaskaGO Malware Targets Mac, Windows for Crypto, Browser Data

Malicious Node on ComfyUI Steals Data from Crypto, Browser Users

Plus: A media executive is charged in an alleged money-laundering scheme, a ransomware attack disrupts care at London hospitals, and Google’s former CEO has a secretive drone project up his sleeve.

That’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

At Apple’s Worldwide Developer Conference next week, the company will reportedly announce its own stand-alone password manager that will compete with apps like 1Password and LastPass. Dubbed simply Passwords, according to Bloomberg News, the app will reportedly have features that go well beyond the iCloud or Mac Keychain tools Apple already offers, allowing users to save passwords for Wi-Fi networks, store passkeys, and organize login credentials into categories. Passwords will also reportedly work on Windows machines, but it’s unclear whether people who use Android devices can get in on the security tool.

**Epoch Times Executive Charged With Money Laundering**

US prosecutors on Monday charged an executive at The Epoch Times newspaper with carrying out a massive money-laundering scheme. According to the US Department of Justice, Epoch Times chief financial officer Weidong “Bill” Guan engaged in “a transnational scheme to launder at least approximately $67 million of illegally obtained funds to benefit himself and the media company.”

The scheme, according to the indictment against Guan, largely involved using cryptocurrency to purchase prepaid debit cards “loaded with US dollars that had been obtained through various frauds”—including funds obtained through unemployment benefits fraud—for less than the funds on the prepaid debit cards. The purchase of the cards was carried out by members of The Epoch Times’ “Make Money Online” team, which Guan managed, according to the DOJ. The so-called MMO team would allegedly then use “stolen personal identification information” to open various accounts, which were used to transfer money from the prepaid debit cards to bank accounts associated with The Epoch Times and its employees. Guan faces one count of conspiring to commit money laundering, two counts of bank fraud, and could face decades in prison if convicted.

**Eric Schmidt Ramps Up His Secret AI Military Drone Business**

Google’s former CEO, billionaire Eric Schmidt, is quietly building a military drone company, reports Forbes. The company, called White Stork, has been testing devices at both its Hillspire office complex in Menlo Park, California, and in Ukraine. Relatively little has been publicly revealed about the company or the specifics of its technology. According to Forbes, however, “individuals flying small drones” have been spotted near the Hillspire property, and Schmidt has reportedly hired alumni from Google, SpaceX, and Apple to carry out his secretive project, providing some clues about its ambitions.

**Russian Cybercriminals Blamed for London Health Care Ransomware Attack**

A cyberattack against an organization that facilitates blood transfusions and other sensitive medical care disrupted hospitals and other health care entities across London this week. The attack targeted Synnovis, which manages a partnership between King’s College Hospitals trust and Guy’s and St Thomas’ hospital trust, and Synlab, a European medical testing firm. In a statement published on Tuesday, Synnovis said the attack “has affected all Synnovis IT systems, resulting in interruptions to many of our pathology services.” This forced hospitals to cancel surgeries involving blood transfusions and other procedures. Ciaran Martin, a former top UK cybersecurity official, blamed the attack on Qilin, a cybercriminal gang believed to have ties to Russia.

Apple Is Coming for Your Password Manager

Details have emerged about a new critical security flaw impacting PHP that could be exploited to achieve remote code execution under certain circumstances.
The vulnerability, tracked as CVE-2024-4577, has been described as a CGI argument injection vulnerability affecting all versions of PHP installed on the Windows operating system.
According to DEVCORE security researcher, the shortcoming makes

New PHP Vulnerability Exposes Windows Servers to Remote Code Execution

Spanish speakers beware! A new campaign using the Agent Tesla RAT targets Spanish-speaking individuals. Learn how to protect…

Spanish speakers beware! A new campaign using the Agent Tesla RAT targets Spanish-speaking individuals. Learn how to protect yourself from this and other malware attacks.

FortiGuard Labs has discovered a phishing campaign targeting Spanish-speaking individuals to spread a new Agent Tesla malware variant. The campaign uses various techniques to target Windows-based systems and deliver the core module, including MS Office vulnerabilities, JavaScript code, PowerShell code, and fileless modules, wrote FortiGuard Labs’ researcher Xiapeng Zhang in their report.

****Here is how the attack works:****

A Spanish-language phishing email posing as a SWIFT transfer notification from a large financial institution is sent to MS Windows users. The email, translated into English, appears to be a message with a disguised Excel attachment in OLE format with crafted embedded data that exploits the CVE-2017-0199 vulnerability. 

The attachment contains an embedded OLE hyperlink, opened automatically once the victim starts the Excel file. Later, it automatically downloads an RTF document, which is opened by the Word program.

The phishing email and the embedded OLE hyperlink to an online RTF document (Credit: FortiGuard Labs)

Another vulnerability exploited in this attack is CVE-2017-11882, a Remote Code Execution vulnerability in Microsoft Office’s Equation Editor component, allowing attackers to execute arbitrary code on a victim’s computer by overriding a return address in the stack.

This Agent Tesla variant is a powerful, versatile 32-bit, .NET-based Remote Access Trojan (RAT) granting attackers complete control over infected devices.  Once installed, it can steal sensitive information from 80 software applications, focusing on login credentials, banking details, and email contacts.

Additionally, it checks if the email client is Thunderbird, cookies from a wide range of web browsers such as Chromium-based and Mozilla-based browsers, system clipboard data, computer name, OS/CPU/RAM information, and saved credentials. It can also spy on you by capturing keystrokes and screenshots. The malware is assigned a critical severity level. 

As per the report published by FortiGuard Labs, the Agent Tesla core module is a fileless module downloaded by a malicious JavaScript base64-encoded Powershell code as a normal JPG file from this URL:

    uploaddeimagens[.]com[.]br/images/004/773/812/original/js.jpg?1713882778.

This module is never saved in the local folder, making it difficult for researchers to detect. Surprisingly, this variant uses FTP protocol for data submission, unlike past variants that used HTTP POST and SMTP protocols.

Moreover, it “detects whether it’s running in an analysis environment, like sandboxes, virtual machines, etc., or where there is AV software running, like Avast, Comodo, etc.,” Zhang noted.

To stay protected, be cautious of phishing emails, update the operating system regularly, use strong passwords, and invest in reputable anti-malware solutions.

1.  Agent Tesla, Taskun Malware Targeting US Education Orgs
2.  Agent Tesla variant steals passwords from, browsers, VPNs
3.  Konni RAT Exploiting Word Docs to Steal Data from Windows
4.  Agent Tesla Variant Uses Excel Exploit to Infect Windows PCs
5.  Hackers Use Word documents to drop NetSupport Manager RAT

New Phishing Campaign Uses Stealthy JPGs to Drop Agent Tesla

Failing to properly encode user input, notifications shown in modal windows in the TYPO3 backend are vulnerable to cross-site scripting. A valid backend user account is needed in order to exploit this vulnerability.

**TYPO3 Cross-Site Scripting in Backend Modal Component**

Moderate severity GitHub Reviewed Published Jun 7, 2024 to the GitHub Advisory Database • Updated Jun 7, 2024

Tag

#windows