News

US Cyber Safety Review Board on the 2023 Microsoft Exchange Hack

Posted on | by admin

US Cyber Safety Review Board released a report on the summer 2023 hack of Microsoft Exchange by China. It was a serious attack by the Chinese government that accessed the emails of senior U.S. government officials.

From the executive summary:

The Board finds that this intrusion was preventable and should never have occurred. The Board also concludes that Microsoft’s security culture was inadequate and requires an overhaul, particularly in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations. The Board reaches this conclusion based on:

  1. the cascade of Microsoft’s avoidable errors that allowed this intrusion to succeed;
  2. Microsoft’s failure to detect the compromise of its cryptographic crown jewels on its own, relying instead on a customer to reach out to identify anomalies the customer had observed;
  3. the Board’s assessment of security practices at other cloud service providers, which maintained security controls that Microsoft did not;
  4. Microsoft’s failure to detect a compromise of an employee’s laptop from a recently acquired company prior to allowing it to connect to Microsoft’s corporate network in 2021;
  5. Microsoft’s decision not to correct, in a timely manner, its inaccurate public statements about this incident, including a corporate statement that Microsoft believed it had determined the likely root cause of the intrusion when in fact, it still has not; even though Microsoft acknowledged to the Board in November 2023 that its September 6, 2023 blog post about the root cause was inaccurate, it did not update that post until March 12, 2024, as the Board was concluding its review and only after the Board’s repeated questioning about Microsoft’s plans to issue a correction;
  6. the Board’s observation of a separate incident, disclosed by Microsoft in January 2024, the investigation of which was not in the purview of the Board’s review, which revealed a compromise that allowed a different nation-state actor to access highly-sensitive Microsoft corporate email accounts, source code repositories, and internal systems; and
  7. how Microsoft’s ubiquitous and critical products, which underpin essential services that support national security, the foundations of our economy, and public health and safety, require the company to demonstrate the highest standards of security, accountability, and transparency.

The report includes a bunch of recommendations. It’s worth reading in its entirety.

The board was established in early 2022, modeled in spirit after the National Transportation Safety Board. This is their third report.

Here are a few news articles.

—————
Free Secure Email – Transcom Sigma
Boost Inflight Internet
Transcom Hosting
Transcom Premium Domains

The Top Tax Scams of 2024

Posted on | by admin

While last-minute tax filers stare down the clock, scammers look for easy pickings. Tax scams are in full swing as April 15th approaches, and we have a rundown of the top ones making the rounds this year.

For starters, the stakes this year remain the same as ever. Scammers are taking advantage of the stress and uncertainty that comes with tax season as they target people’s personal info, money, or both. Their avenues of attack remain the same as well, via email, texts, direct messages, and the phone.

Yet there’s a new wrinkle this year. Scammers have tapped into AI tools that make their scams look and feel far more sophisticated than ever.

We saw the first stirrings of AI-driven scams last year as AI tools first entered the marketplace. This year, AI-driven scams feature more and more in the landscape of threats. Scammers use them to generate images, write copy, and build websites in a fraction of the time that it once took. While they still make some of the design and writing mistakes they’ve made in the past, they make far fewer of them.

Examples of tax scams we’ve spotted this year.

We have a couple of tax scams to share from the many we’ve uncovered. The first one involves a popular brand of tax software here in the U.S.

Example of a scammer email

At first blush, this bogus email looks pretty legit. At first. The layout, photograph, and link all look like standard fare for an email. Though looking more closely, you can spot several AI fingerprints all over it.

For one, big brands like TurboTax have writers, editors, and reviewers who comb over copy before it gets approved for release. Here, the headline breaks a pretty standard formatting rule. In “headline case” writing, the “with” should be lowercase. Sure, mistakes get made, and this might be one example. Yet the problems go deeper than that.

Read the fine print. You’ll see that the grammar is off. The paragraph overall has a broken feel to it. You’ll also see that the copy mentions “market leader” twice — and awkwardly so. And what company mentions its competitors in an email like this? They’re not out to boost competitors.

Lastly, the email spells out the company’s name wrong in the fine print. It’s “TurboTax,” not “Turbo Tax with License Code.” All of this points to an obvious fake. But only by looking closely at it. It’s as if the scammers prompted an AI chatbot with “Describe what TurboTax is” and got this as a response.

Granted, that represents an example of rather sloppy work. The next example looks more convincing. This time, the scammers impersonate the IRS:

Example of a scammer website

We discovered this fake IRS site when our McAfee Labs team investigated a link sent in an email. The bait is the promise of getting a tax ID number for a business or organization. The hook is this bogus site designed to harvest personal and business info.

If you’ve visited the IRS site recently, you’ll recognize the look and feel of an IRS webpage quickly. It seems familiar enough, yet once again a closer look reveals a few things.

First, a small grammatical error rears its head in the copy. The term “setup” is a noun, yet the copy uses it as a verb. It should read “set up” instead. Granted, this is a common error. Many sites make it, yet it’s a red flag nonetheless. Next, the contact method in the top right raises yet another. Contact “an EIN expert” via email during set hours? Set hours are for phone calls, not email.

We omitted the final telltale sign — the URL. It was clearly a fake and not the official irs.gov address.

In all, it shows just how cagey tax scammers can be today. Particularly with AI. It puts a fresh look on some old tactics, making scams tougher to spot.

Now, onto our top tax scams for 2024.

Sketchy email attachments — the five most popular types.

This classic is back. Scammers spread all manner of malware with email attachments. One example: spyware that steals info as you type usernames and passwords as you log into your accounts. Another: ransomware that holds the data on your device hostage until you pay. Maybe. The list goes on, yet scammers always try to package it up in a way that looks legit.

One way they pull that off is with a phony tax document bundled up in a .pdf document. In fact, the .pdf format marks the number one file type that hackers and scammers use in their attacks. By our count, it tops the number two file type by a ratio of roughly 6 to 1.

Here are the top five file types used by scammers and hackers:

  1. .pdf
  2. .exe
  3. .zip
  4. .html
  5. .text

What makes the .pdf format so popular? People trust it. It gets commonly used in business, and many legitimate tax forms come in that format. However, it also offers a versatile platform for exploits. Hackers and scammers can embed malicious links and content within them. So clicking what’s inside that .pdf doc can lead to trouble, say in the form of a malicious website designed to steal personal info.

Starting in the second half of last year, we noted a spike in malicious attachments that used the .pdf format. Another reason that makes .pdf files so popular, email filters tend to focus on other file types like the executable .exe format. So, a .pdf has a better shot at slipping through.

Our advice:

As always, strong antivirus software can detect and protect you from malicious email attachments. Our Next-gen Threat Protection found in all our McAfee+ plans once again proves itself as a top option for antivirus. Results from the independent lab AV-TEST in December 2023 saw it block 100% of entirely new malware attacks in real-world testing. It likewise scored 100% against malware discovered in the previous four weeks. In all, it received the highest marks for protection, performance, and usability — earning it the AV-TEST Top Product certification.

Tax time phishing scams.

Phishing scams crop up in plenty of places and take plenty of forms. As in years past, we see scammers cranking up their bogus texts, direct messages, and emails. They all follow the tax season theme, yet they take different approaches to roping in victims. Some include:

  • Attachments with phony tax documents, like W2 and 1099 forms.
  • Scam texts that alert the taxpayer of an unclaimed refund.
  • Imposter schemes, like social media messages from people who pose as legitimate IRS agents.
  • Fake offers for tax prep software (like the TurboTax example above).

Additionally, many phishing attacks point people to malicious websites — once again that steal personal info. We’ve seen a spike in malicious tax-related URLs starting in the second half of last year as well.

Our advice:

You can absolutely protect yourself from phishing scams. Now with the help of AI. McAfee Scam Protection detects suspicious URLs with AI before they’re opened or clicked on. This takes the guesswork out of those sometimes convincing-looking messages by letting you know if they’re fakes. If you accidentally click or tap on a suspicious link in a text, email, social media, or browser search, it blocks the scam site from loading. You’ll find McAfee Scam Protection across our McAfee+ plans.

Fake charity scams also crop up this time of year.

Whether it’s for natural disaster aid, aiding refugees in war-torn regions, or even protecting animals and pets, scammers set up phony charities with the aim of pulling heartstrings. And then stealing money as a result.

Scammers reach out with the usual methods, by email, text, direct message, and sometimes phone calls as well. They all share one thing in common. They all give potential victims a chance to support a cause that they care for and get a tax credit in return. Yet with these scams, the charity doesn’t exist. Instead, money and personal info end up in the hands of scammers.

Our advice:

Yet you have several ways you can spot a fake charity. For one, the message often has a pressing, almost alarming, tone. One that urges you to “act now.” Before acting, take a moment. Research the charity. See how long they’ve been in operation, how they put their funds to work, and who truly benefits from them.

Likewise, note that some charities pass along more money to their beneficiaries than others. Generally, most reputable organizations only keep 25% or less of their funds for operations, while some less-than-reputable organizations keep up to 95% of funds, leaving only 5% for advancing the cause they advocate. In the U.S., the Federal Trade Commission (FTC) has a site full of resources so that you can make your donation truly count. Resources like Charity Watch and Charity Navigator, along with the BBB’s Wise Giving Alliance can also help you identify the best charities.

Keep an ear out for scam calls.

Scammers like to pick up the phone too. A popular form of attack involves “the call from the IRS.” Typically, a recorded message notifies the recipient that they owe money. And because scammers know just how jarring a call from the IRS can be, they apply heavy pressure in the message.

In the past, we’ve heard messages that threatened fines, jail time, and revoking driver’s licenses. They’ve mentioned the police and other law enforcement agents in them as well, just to turn up the heat.

Now with AI, scammers can create robocalls that sound highly realistic in only moments of time. It’s as simple as writing a few lines of a script, feeding it into an AI tool, and then generating an audio file. No need for another person to record the message. AI takes care of it all.

Our advice:

The best way you can avoid falling for this scam is by knowing what the IRS will and will not do when they contact you. From the irs.gov website, the IRS will not:

  • Initiate contact with taxpayers by email, text messages, or social media channels to request personal or financial info.
  • Call to demand immediate payment using a specific payment method such as a prepaid debit card, gift card, or wire transfer. Generally, the IRS will first mail a bill to any taxpayer who owes taxes.
  • Demand that you pay taxes without the opportunity to question or appeal the amount they say you owe. You should also be advised of your rights as a taxpayer.
  • Threaten to bring in local police, immigration officers, or other law enforcement officers to have you arrested for not paying. The IRS also can’t revoke your driver’s license, business license, or immigration status. Threats like these are common tactics scam artists use to trick victims into buying into their schemes.

Lastly, also know that the IRS is here to help. The agency offers a full help page with online resources, along with several ways you can contact the IRS for help. If you have any questions about a notification that you received, contact them.

Even more protection from tax-time scams…

While scammers have a wealth of tools available to them, you have one tool that protects you from all kinds of threats. Comprehensive online protection software like McAfee+ offers yet more ways to steer clear of tax scams.

In addition to the antivirus and scam protection features we mentioned, it can make you more private on social media, which can prevent scammers from profiling you. It can also remove your personal info from the data broker sites scammers use to contact their victims. (Granted, scammers have to get your contact info from somewhere, and these sites offer that info, plus much more.) Also, a VPN can help you connect and file your taxes even more securely, so what you do stays private.

And if the unfortunate happens, our identity theft coverage can help you recover. It provides $2 million in identity theft coverage and a licensed recovery expert who can help restore your identity.

Yes, we’re seeing plenty of old scams with new twists this year. Yet the same ways you can protect yourself from them only get better and better.

The post The Top Tax Scams of 2024 appeared first on McAfee Blog.

—————
Free Secure Email – Transcom Sigma
Boost Inflight Internet
Transcom Hosting
Transcom Premium Domains

April’s Patch Tuesday Brings Record Number of Fixes

Posted on | by admin

If only Patch Tuesdays came around infrequently — like total solar eclipse rare — instead of just creeping up on us each month like The Man in the Moon. Although to be fair, it would be tough for Microsoft to eclipse the number of vulnerabilities fixed in this month’s patch batch — a record 147 flaws in Windows and related software.

Yes, you read that right. Microsoft today released updates to address 147 security holes in Windows, Office, Azure, .NET Framework, Visual Studio, SQL Server, DNS Server, Windows Defender, Bitlocker, and Windows Secure Boot.

“This is the largest release from Microsoft this year and the largest since at least 2017,” said Dustin Childs, from Trend Micro’s Zero Day Initiative (ZDI). “As far as I can tell, it’s the largest Patch Tuesday release from Microsoft of all time.”

Tempering the sheer volume of this month’s patches is the middling severity of many of the bugs. Only three of April’s vulnerabilities earned Microsoft’s most-dire “critical” rating, meaning they can be abused by malware or malcontents to take remote control over unpatched systems with no help from users.

Most of the flaws that Microsoft deems “more likely to be exploited” this month are marked as “important,” which usually involve bugs that require a bit more user interaction (social engineering) but which nevertheless can result in system security bypass, compromise, and the theft of critical assets.

Ben McCarthy, lead cyber security engineer at Immersive Labs called attention to CVE-2024-20670, an Outlook for Windows spoofing vulnerability described as being easy to exploit. It involves convincing a user to click on a malicious link in an email, which can then steal the user’s password hash and authenticate as the user in another Microsoft service.

Another interesting bug McCarthy pointed to is CVE-2024-29063, which involves hard-coded credentials in Azure’s search backend infrastructure that could be gleaned by taking advantage of Azure AI search.

“This along with many other AI attacks in recent news shows a potential new attack surface that we are just learning how to mitigate against,” McCarthy said. “Microsoft has updated their backend and notified any customers who have been affected by the credential leakage.”

CVE-2024-29988 is a weakness that allows attackers to bypass Windows SmartScreen, a technology Microsoft designed to provide additional protections for end users against phishing and malware attacks. Childs said one ZDI’s researchers found this vulnerability being exploited in the wild, although Microsoft doesn’t currently list CVE-2024-29988 as being exploited.

“I would treat this as in the wild until Microsoft clarifies,” Childs said. “The bug itself acts much like CVE-2024-21412 – a [zero-day threat from February] that bypassed the Mark of the Web feature and allows malware to execute on a target system. Threat actors are sending exploits in a zipped file to evade EDR/NDR detection and then using this bug (and others) to bypass Mark of the Web.”

Update, 7:46 p.m. ET: A previous version of this story said there were no zero-day vulnerabilities fixed this month. BleepingComputer reports that Microsoft has since confirmed that there are actually two zero-days. One is the flaw Childs just mentioned (CVE-2024-21412), and the other is CVE-2024-26234, described as a “proxy driver spoofing” weakness.

Satnam Narang at Tenable notes that this month’s release includes fixes for two dozen flaws in Windows Secure Boot, the majority of which are considered “Exploitation Less Likely” according to Microsoft.

“However, the last time Microsoft patched a flaw in Windows Secure Boot in May 2023 had a notable impact as it was exploited in the wild and linked to the BlackLotus UEFI bootkit, which was sold on dark web forums for $5,000,” Narang said. “BlackLotus can bypass functionality called secure boot, which is designed to block malware from being able to load when booting up. While none of these Secure Boot vulnerabilities addressed this month were exploited in the wild, they serve as a reminder that flaws in Secure Boot persist, and we could see more malicious activity related to Secure Boot in the future.”

For links to individual security advisories indexed by severity, check out ZDI’s blog and the Patch Tuesday post from the SANS Internet Storm Center. Please consider backing up your data or your drive before updating, and drop a note in the comments here if you experience any issues applying these fixes.

Adobe today released nine patches tackling at least two dozen vulnerabilities in a range of software products, including Adobe After Effects, Photoshop, Commerce, InDesign, Experience Manager, Media Encoder, Bridge, Illustrator, and Adobe Animate.

KrebsOnSecurity needs to correct the record on a point mentioned at the end of March’s “Fat Patch Tuesday” post, which looked at new AI capabilities built into Adobe Acrobat that are turned on by default. Adobe has since clarified that its apps won’t use AI to auto-scan your documents, as the original language in its FAQ suggested.

“In practice, no document scanning or analysis occurs unless a user actively engages with the AI features by agreeing to the terms, opening a document, and selecting the AI Assistant or generative summary buttons for that specific document,” Adobe said earlier this month.

—————
Free Secure Email – Transcom Sigma
Boost Inflight Internet
Transcom Hosting
Transcom Premium Domains