Strap yourself in because it's time for this weeks episode of "Microsoft being dedicated to security".
tl;dr wtf bro lol
Previously Microsoft unveiled 'Recall' – which will be deployed on Windows 11. Recall will take screenshots of your computer desktop, in unspecified intervals, and allow users to search through Recall data (aka your Desktop screenshots) using AI to allow users to ... find things they may have forgotten (???).
When Recall was announced numerous security researchers, cybersecurity firms, and privacy advocates called it a nightmare because Microsoft explicitly stated that Recall will make no attempt to perform content moderation. It will take screenshots of plain text passwords, financial data, etc. Users also expressed concerns over Recall recording sexual fetishes (i.e. them watching pornography) and called it a gross invasion of privacy.
Microsoft's retort was that Recall can be disabled in settings and Microsoft does not have access to any of the data. It is all stored locally. Researchers then questioned whether or not end users, who may not be as tech savvy, would even understand or know Recall is present and may not be able to disable it.
Microsoft also stated today to the BBC that because Recall is stored locally, the only way a Threat Actor would be able to access Recall data is if they have physical access to the machine, unlocked it, and then signed in.
This did little to persuade security researchers because, if the data is stored locally, they expressed concern of the possibility of Recall data being harvested by infostealer malware (e.g. Redline, FormBook, Rhad, etc.) or the data being exfiltrated in the event of a ransomware attack. Furthermore, if Recall is deployed on Enterprise environments, this may make Recall an even larger security risk due to the lack of content moderation (i.e. exposing crown jewels).
With Recall present, and if data can be imported or exported, it could essentially allow Threat Groups the ability to visually inspect and review victims machines using AI search.
Will researchers find a way to abuse Recall? Will Threat Actors find a way to abuse Recall? Will there be 'for educational uses only' proof-of-concepts on GitHub? Find out on the next episode of Dragon Ball Z
In Japan – the Fukui Prefectural Police Echizen Police Station have created the "Virus/Trojan horse removal fee payment card" and the "Unpaid charges/delinquent charges payment card".
The fake cards, designed to combat telephone scammers, are positioned intentionally at convenience stores to assist police at identifying victims and safeguarding them from financial harm. When someone tries to purchase the card the police are immediately notified.
Upon placement in stores in November 2023, it immediately stopped 3 elderly people from being scammed in November and December.
No additional information has been released regarding the success rate. However, the police officers who came up with the idea were given a promotion in February, 2024.
Information via @TopiLaron, @ten_forward, and @fukuinpmedia
Proofpoint is a proud sponsor of @Botconf 2024, The Botnet & Malware Ecosystems Fighting Conference, happening on 23 – 26 April in Nice, #France. 🇫🇷
https://t.co/xWtegPkoRL
Attending on behalf of Proofpoint are our industry experts and senior members of our @threatinsight team.
1/4: New macOS stealer sample detected. First submission: 2023-12-04. Undetected by VirusTotal. Pretends to be a legit Mac app. Uses PyInstaller and parts of base64 https://t.co/TmKsHAwDo3 #macos#malware#stealer
Proofpoint cloud threat researchers have been monitoring a sophisticated hybrid campaign named VodkaNimbus, featuring #Microsoft365 themed #credential phishing, #Cloud Account Takeover (#ATO), and post-compromise usage of dedicated cloud malware.
1/ "Mimikatz Security Support Provider mimilib.dll will be registered as a Windows Security Package.
Once the Security Package is registered and the system is rebooted, the mimilib.dll will be loaded into lsass.exe process memory and intercept all logon passwords next time someone logs onto the system or otherwise authenticates, say, via runas.exe." [1]
A TA used exactly this technique outlined above, to register a malicious DLL as a Security Package (see the screenshot below). [2]
You've probably heard a lot of NTLM leaking techniques by now, but have you wondered leaking NTLM info via ports other than 445/SMB? This long-overdue blog post from me reveals an interesting trick which could leak NTLM via any port (e.g. port 80). https://t.co/7g55VnHU7O
LocalPotato
Another Local Windows privilege escalation using a new potato technique ;)
The LocalPotato attack is a type of NTLM reflection attack that targets local authentication. This attack allows for arbitrary file read/write and elevation of privilege.
https://t.co/LuObFtRIHZ
Details:
https://t.co/StGMETOsUT
#cybersecurity #infosec #pentesting #redteam #bugbounty
If you're a French citizen and have received an Apple threat notification, feel free to reach out to your local authorities for help (if you work for gov or regulated org https://t.co/PNqPpOWGfK), you may be in danger.
Proofpoint @threatinsight researchers shared findings on a new malware strain that is distributed via bogus installation packages of the Bitwarden password manager.
@TheHackersNews covered the analysis of this malware named ZenRAT. https://t.co/3aW1COv0Uk
A #phishing campaign has targeted business executives with #EvilProxy to defeat multifactor authentication (#MFA). Proofpoint cloud threat researchers reported seeing a 100% rise in successful cloud #accounttakeover incidents over the past six months. https://t.co/xCOWFDAnRV
Proofpoint observed the HTML attachment campaign described in this report on October 31, 2022. Together with 10+ other HTML Smuggling campaigns leading to IcedID from September to November, we attribute to TA551.
Great work on detailing follow-on activity by @TheDFIRReport!
Today it was reported an unknown Threat Actor successfully compromised Poland's railway system.
The Threat Actors triggered an emergency stop signal which brought 20 trains to a stop near the city of Szczecin
More information: https://t.co/OtjqEpSmwF