adplus-dvertising
Connect with us

Tech

Microsoft Outlook Warning: Critical New Email Exploit Triggers Automatically—Update Now

Published

 on

March 16 Update below. This post was originally published on March 15

Microsoft has confirmed that a critical Outlook vulnerability, rated at 9.8 out of a maximum 10, is known to have already been exploited in the wild. If you think that sounds bad, it get’s worse: the exploit is triggered upon receipt of a malicious email, and so is executed before that email is read in the preview pane. That’s right; this is a no-user-interaction required exploit. Here’s what we know about the new Microsoft Outlook zero-day.

What is CVE-2023-23397, the critical Microsoft Outlook zero-day vulnerability?

CVE-2023-23397 is a Microsoft Outlook elevation of privilege vulnerability that, according to the Microsoft Security Resource Center (MSRC), has already been used by a “Russia-based threat actor” in targeted attacks against government, transport, energy, and military sectors in Europe. Indeed, the Ukrainian Computer Emergency Response Team (CERT) is credited as reporting the zero-day to Microsoft.

Full technical details are, as yet, fairly thin on the ground. However, an MSRC posting says that the critical Microsoft Outlook vulnerability is “triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server. No interaction is required.” The posting continues to explain that the connection to a remote SMB (server message block) server sends the user new technology LAN manager (NTLM) negotiation message which is then relayed for authentication against supporting systems. “Online services such as Microsoft 365 do not support NTLM authentication,” the MSRC posting confirms, so are not vulnerable to this exploit.

All currently supported versions of Outlook for Windows are impacted, but not Outlook for the web or those running on Android, iOS, or Mac.

March 16 Update:

Google-owned threat intelligence company, Mandiant, says that it believes the CVE-2023-23397 Microsoft Outlook zero-day vulnerability has been exploited for nearly a year in order to target both organizations and critical infrastructure.

Russian ‘Fancy Bear’ state-sponsored threat actors have been exploiting CVE-2023-23397

In an email statement, Mandiant says it created ‘UNC4697’ to track the early exploitation of CVE-2023-23397, publicly attributed to the Russian military intelligence (GRU) connected threat actor, APT28, which is better known as Fancy Bear. It claims that the vulnerability has been exploited since April 2022 against government, defense, logistics, transportation, and energy targets based in Poland, Romania, Turkey, and Ukraine. These targets could, Mandiant says, facilitate strategic intelligence collection and disruptive or destructive attacks aimed both win=thin and outside of Ukraine.

“This is more evidence that aggressive, disruptive, and destructive cyberattacks may not remain constrained to Ukraine and a reminder that we cannot see everything,” John Hultquist, head of Mandiant Intelligence Analysis at Google Cloud, said. “These are spies, and they have a long track record of successfully evading our notice. This will be a propagation event. This is an excellent tool for nation-state actors and criminals alike who will be on a bonanza in the short term. The race has already begun.”

Multiple proofs-of-concept now widely available

Furthermore, Mandiant says that multiple proofs-of-concept are now widely available. Given that this is a no-user-interaction exploit, the potential for harm is high. Indeed, Mandiant says that it “anticipates broad, rapid adoption of the CVE-2023-23397 exploit by multiple nation-state and financially motivated actors, including both criminal and cyber espionage actors.”

Pass the Hash attack

In order to exploit CVE-2023-23397, which Mandiant says is ‘trivial’ to execute, an attacker needs to send a malicious email with an “extended MAPI property that contains a UNC path to SMB (TCP 445) share on an attacker-controlled server.” This kicks off what is known as a ‘Pass the Hash’ attack, but in this case, is triggered upon receipt of the email by an unpatched Outlook client, without the target even viewing it.

What do you need to do now?

The good news is that the warning concerning CVE-2023-23397 coincides with the release of the latest Patch Tuesday round of security updates for Microsoft users. Applying the relevant patch is therefore recommended. That said, if your organization is unable to apply these security updates immediately, then Microsoft has published some workaround mitigations. Adding users to the Protected Users Security Group will prevent the use of NTLM for authentication, but Microsoft warns that this could “cause impact to applications that require NTLM.” Alternatively, you can block outbound TCP 445/SMB using a firewall or through VPN settings.

What is the security industry saying about the Microsoft Outlook zero-day?

“Administrators should patch within the day if possible since the vulnerability is relatively simple to exploit, doesn’t require user interaction, and is already being exploited in the wild,” Peter Pflaster, a technical product manager at Automox, said. “Microsoft has shared two temporary mitigations if you’re unable to patch immediately, both of which will impact NTLM and applications that use it, so proceed with caution.”

“Given the network attack vector, the ubiquity of SMB shares, and the lack of user interaction required, an attacker with a suitable existing foothold on a network may well consider this vulnerability a prime candidate for lateral movement,” Adam Barnett, lead software engineer at Rapid7, said.

“A threat actor is currently exploiting this vulnerability to deliver malicious MSI (Microsoft Installer) files,” Bharat Jogi, director of vulnerability and threat research at Qualys, said.

“The attack can be executed without any user interaction by sending a specially crafted email which triggers automatically when retrieved by the email server,” Mike Walters, VP of Vulnerability and Threat Research at Action1, said. “This can lead to exploitation before the email is even viewed in the Preview Pane. If exploited successfully, an attacker can access a user’s Net-NTLMv2 hash, which can be used to execute a pass-the-hash attack on another service and authenticate as the user. The best course of action is to install the Microsoft update on all systems after testing it in a controlled environment.”

728x90x4

Source link

Continue Reading

Tech

AI could help scale humanitarian responses. But it could also have big downsides

Published

 on

 

NEW YORK (AP) — As the International Rescue Committee copes with dramatic increases in displaced people in recent years, the refugee aid organization has looked for efficiencies wherever it can — including using artificial intelligence.

Since 2015, the IRC has invested in Signpost — a portfolio of mobile apps and social media channels that answer questions in different languages for people in dangerous situations. The Signpost project, which includes many other organizations, has reached 18 million people so far, but IRC wants to significantly increase its reach by using AI tools — if they can do so safely.

Conflict, climate emergencies and economic hardship have driven up demand for humanitarian assistance, with more than 117 million people forcibly displaced in 2024, according to the United Nations refugee agency. The turn to artificial intelligence technologies is in part driven by the massive gap between needs and resources.

To meet its goal of reaching half of displaced people within three years, the IRC is testing a network of AI chatbots to see if they can increase the capacity of their humanitarian officers and the local organizations that directly serve people through Signpost. For now, the pilot project operates in El Salvador, Kenya, Greece and Italy and responds in 11 languages. It draws on a combination of large language models from some of the biggest technology companies, including OpenAI, Anthropic and Google.

The chatbot response system also uses customer service software from Zendesk and receives other support from Google and Cisco Systems.

If they decide the tools work, the IRC wants to extend the technical infrastructure to other nonprofit humanitarian organizations at no cost. They hope to create shared technology resources that less technically focused organizations could use without having to negotiate directly with tech companies or manage the risks of deployment.

“We’re trying to really be clear about where the legitimate concerns are but lean into the optimism of the opportunities and not also allow the populations we serve to be left behind in solutions that have the potential to scale in a way that human to human or other technology can’t,” said Jeannie Annan, International Rescue Committee’s Chief Research and Innovation Officer.

The responses and information that Signpost chatbots deliver are vetted by local organizations to be up to date and sensitive to the precarious circumstances people could be in. An example query that IRC shared is of a woman from El Salvador traveling through Mexico to the United States with her son who is looking for shelter and for services for her child. The bot provides a list of providers in the area where she is.

More complex or sensitive queries are escalated for humans to respond.

The most important potential downside of these tools would be that they don’t work. For example, what if the situation on the ground changes and the chatbot doesn’t know? It could provide information that’s not just wrong, but dangerous.

A second issue is that these tools can amass a valuable honeypot of data about vulnerable people that hostile actors could target. What if a hacker succeeds in accessing data with personal information or if that data is accidentally shared with an oppressive government?

IRC said it’s agreed with the tech providers that none of their AI models will be trained on the data that the IRC, the local organizations or the people they are serving are generating. They’ve also worked to anonymize the data, including removing personal information and location.

As part of the Signpost.AI project, IRC is also testing tools like a digital automated tutor and maps that can integrate many different types of data to help prepare for and respond to crises.

Cathy Petrozzino, who works for the not-for-profit research and development company MITRE, said AI tools do have high potential, but also high risks. To use these tools responsibly, she said, organizations should ask themselves, does the technology work? Is it fair? Are data and privacy protected?

She also emphasized that organizations need to convene a range of people to help govern and design the initiative — not just technical experts, but people with deep knowledge of the context, legal experts, and representatives from the groups that will use the tools.

“There are many good models sitting in the AI graveyard,” she said, “because they weren’t worked out in conjunction and collaboration with the user community.”

For any system that has potentially life-changing impacts, Petrozzino said, groups should bring in outside experts to independently assess their methodologies. Designers of AI tools need to consider the other systems it will interact with, she said, and they need to plan to monitor the model over time.

Consulting with displaced people or others that humanitarian organizations serve may increase the time and effort needed to design these tools, but not having their input raises many safety and ethical problems, said Helen McElhinney, executive director of CDAC Network. It can also unlock local knowledge.

People receiving services from humanitarian organizations should be told if an AI model will analyze any information they hand over, she said, even if the intention is to help the organization respond better. That requires meaningful and informed consent, she said. They should also know if an AI model is making life-changing decisions about resource allocation and where accountability for those decisions lies, she said.

Degan Ali, CEO of Adeso, a nonprofit in Somalia and Kenya, has long been an advocate for changing the power dynamics in international development to give more money and control to local organizations. She asked how IRC and others pursuing these technologies would overcome access issues, pointing to the week-long power outages caused by Hurricane Helene in the U.S. Chatbots won’t help when there’s no device, internet or electricity, she said.

Ali also warned that few local organizations have the capacity to attend big humanitarian conferences where the ethics of AI are debated. Few have staff both senior enough and knowledgeable enough to really engage with these discussions, she said, though they understand the potential power and impact these technologies may have.

“We must be extraordinarily careful not to replicate power imbalances and biases through technology,” Ali said. “The most complex questions are always going to require local, contextual and lived experience to answer in a meaningful way.”

___

The Associated Press and OpenAI have a licensing and technology agreement that allows OpenAI access to part of AP’s text archives.

___

Associated Press coverage of philanthropy and nonprofits receives support through the AP’s collaboration with The Conversation US, with funding from Lilly Endowment Inc. The AP is solely responsible for this content. For all of AP’s philanthropy coverage, visit https://apnews.com/hub/philanthropy.

Source link

Continue Reading

Tech

Ottawa orders TikTok’s Canadian arm to be dissolved

Published

 on

 

The federal government is ordering the dissolution of TikTok’s Canadian business after a national security review of the Chinese company behind the social media platform, but stopped short of ordering people to stay off the app.

Industry Minister François-Philippe Champagne announced the government’s “wind up” demand Wednesday, saying it is meant to address “risks” related to ByteDance Ltd.’s establishment of TikTok Technology Canada Inc.

“The decision was based on the information and evidence collected over the course of the review and on the advice of Canada’s security and intelligence community and other government partners,” he said in a statement.

The announcement added that the government is not blocking Canadians’ access to the TikTok application or their ability to create content.

However, it urged people to “adopt good cybersecurity practices and assess the possible risks of using social media platforms and applications, including how their information is likely to be protected, managed, used and shared by foreign actors, as well as to be aware of which country’s laws apply.”

Champagne’s office did not immediately respond to a request for comment seeking details about what evidence led to the government’s dissolution demand, how long ByteDance has to comply and why the app is not being banned.

A TikTok spokesperson said in a statement that the shutdown of its Canadian offices will mean the loss of hundreds of well-paying local jobs.

“We will challenge this order in court,” the spokesperson said.

“The TikTok platform will remain available for creators to find an audience, explore new interests and for businesses to thrive.”

The federal Liberals ordered a national security review of TikTok in September 2023, but it was not public knowledge until The Canadian Press reported in March that it was investigating the company.

At the time, it said the review was based on the expansion of a business, which it said constituted the establishment of a new Canadian entity. It declined to provide any further details about what expansion it was reviewing.

A government database showed a notification of new business from TikTok in June 2023. It said Network Sense Ventures Ltd. in Toronto and Vancouver would engage in “marketing, advertising, and content/creator development activities in relation to the use of the TikTok app in Canada.”

Even before the review, ByteDance and TikTok were lightning rod for privacy and safety concerns because Chinese national security laws compel organizations in the country to assist with intelligence gathering.

Such concerns led the U.S. House of Representatives to pass a bill in March designed to ban TikTok unless its China-based owner sells its stake in the business.

Champagne’s office has maintained Canada’s review was not related to the U.S. bill, which has yet to pass.

Canada’s review was carried out through the Investment Canada Act, which allows the government to investigate any foreign investment with potential to might harm national security.

While cabinet can make investors sell parts of the business or shares, Champagne has said the act doesn’t allow him to disclose details of the review.

Wednesday’s dissolution order was made in accordance with the act.

The federal government banned TikTok from its mobile devices in February 2023 following the launch of an investigation into the company by federal and provincial privacy commissioners.

— With files from Anja Karadeglija in Ottawa

This report by The Canadian Press was first published Nov. 6, 2024.

The Canadian Press. All rights reserved.

Source link

Continue Reading

Health

Here is how to prepare your online accounts for when you die

Published

 on

 

LONDON (AP) — Most people have accumulated a pile of data — selfies, emails, videos and more — on their social media and digital accounts over their lifetimes. What happens to it when we die?

It’s wise to draft a will spelling out who inherits your physical assets after you’re gone, but don’t forget to take care of your digital estate too. Friends and family might treasure files and posts you’ve left behind, but they could get lost in digital purgatory after you pass away unless you take some simple steps.

Here’s how you can prepare your digital life for your survivors:

Apple

The iPhone maker lets you nominate a “ legacy contact ” who can access your Apple account’s data after you die. The company says it’s a secure way to give trusted people access to photos, files and messages. To set it up you’ll need an Apple device with a fairly recent operating system — iPhones and iPads need iOS or iPadOS 15.2 and MacBooks needs macOS Monterey 12.1.

For iPhones, go to settings, tap Sign-in & Security and then Legacy Contact. You can name one or more people, and they don’t need an Apple ID or device.

You’ll have to share an access key with your contact. It can be a digital version sent electronically, or you can print a copy or save it as a screenshot or PDF.

Take note that there are some types of files you won’t be able to pass on — including digital rights-protected music, movies and passwords stored in Apple’s password manager. Legacy contacts can only access a deceased user’s account for three years before Apple deletes the account.

Google

Google takes a different approach with its Inactive Account Manager, which allows you to share your data with someone if it notices that you’ve stopped using your account.

When setting it up, you need to decide how long Google should wait — from three to 18 months — before considering your account inactive. Once that time is up, Google can notify up to 10 people.

You can write a message informing them you’ve stopped using the account, and, optionally, include a link to download your data. You can choose what types of data they can access — including emails, photos, calendar entries and YouTube videos.

There’s also an option to automatically delete your account after three months of inactivity, so your contacts will have to download any data before that deadline.

Facebook and Instagram

Some social media platforms can preserve accounts for people who have died so that friends and family can honor their memories.

When users of Facebook or Instagram die, parent company Meta says it can memorialize the account if it gets a “valid request” from a friend or family member. Requests can be submitted through an online form.

The social media company strongly recommends Facebook users add a legacy contact to look after their memorial accounts. Legacy contacts can do things like respond to new friend requests and update pinned posts, but they can’t read private messages or remove or alter previous posts. You can only choose one person, who also has to have a Facebook account.

You can also ask Facebook or Instagram to delete a deceased user’s account if you’re a close family member or an executor. You’ll need to send in documents like a death certificate.

TikTok

The video-sharing platform says that if a user has died, people can submit a request to memorialize the account through the settings menu. Go to the Report a Problem section, then Account and profile, then Manage account, where you can report a deceased user.

Once an account has been memorialized, it will be labeled “Remembering.” No one will be able to log into the account, which prevents anyone from editing the profile or using the account to post new content or send messages.

X

It’s not possible to nominate a legacy contact on Elon Musk’s social media site. But family members or an authorized person can submit a request to deactivate a deceased user’s account.

Passwords

Besides the major online services, you’ll probably have dozens if not hundreds of other digital accounts that your survivors might need to access. You could just write all your login credentials down in a notebook and put it somewhere safe. But making a physical copy presents its own vulnerabilities. What if you lose track of it? What if someone finds it?

Instead, consider a password manager that has an emergency access feature. Password managers are digital vaults that you can use to store all your credentials. Some, like Keeper,Bitwarden and NordPass, allow users to nominate one or more trusted contacts who can access their keys in case of an emergency such as a death.

But there are a few catches: Those contacts also need to use the same password manager and you might have to pay for the service.

___

Is there a tech challenge you need help figuring out? Write to us at onetechtip@ap.org with your questions.

Source link

Continue Reading

Trending