Security-Portal.cz is an internet portal focused on computer security, hacking, anonymity, computer networks, programming, encryption, exploits, Linux and BSD systems. It runs a number of interesting services and supports enthusiasts in interesting projects.

Timing is Everything: The Role of Just-in-Time Privileged Access in Security Evolution

The Hacker News - 15 April, 2024 - 12:21
To minimize the risk of privilege misuse, a trend in the privileged access management (PAM) solution market involves implementing just-in-time (JIT) privileged access. This approach to privileged identity management aims to mitigate the risks associated with prolonged high-level access by granting privileges temporarily and only when necessary, rather than providing users with
Category: Hacking & Security

Using the LockBit builder to generate targeted ransomware

Kaspersky Securelist - 15 April, 2024 - 12:00

The previous Kaspersky research focused on a detailed analysis of the LockBit 3.0 builder leaked in 2022. Since then, attackers have been able to generate customized versions of the threat according to their needs. This opens up numerous possibilities for malicious actors to make their attacks more effective, since it is possible to configure network spread options and defense-killing functionality. It becomes even more dangerous if the attacker has valid privileged credentials in the target infrastructure.

In a recent incident response engagement, we faced this exact scenario: the adversary was able to get the administrator credential in plain text. They generated a custom version of the ransomware, which used the aforementioned account credential to spread across the network and perform malicious activities, such as killing Windows Defender and erasing Windows Event Logs in order to encrypt the data and cover its tracks.

In this article, we revisit the LockBit 3.0 builder files and delve into the adversary’s steps to maximize impact on the network. In addition, we provide a list of preventive activities that can help network administrators to avoid this kind of threat.

Revisiting the LockBit 3.0 builder files

The LockBit 3.0 builder has significantly simplified creating customized ransomware. The image below shows the files that constitute it. As we can see, keygen.exe generates public and private keys used for encryption and decryption. After that, builder.exe generates the variant according to the options set in the config.json file.

LockBit builder files

This whole process is automated with the Build.bat script, which does the following:

IF exist Build (ERASE /F /Q Build\*.*) ELSE (mkdir Build)
keygen -path Build -pubkey pub.key -privkey priv.key
builder -type dec -privkey Build\priv.key -config config.json -ofile Build\LB3Decryptor.exe
builder -type enc -exe -pubkey Build\pub.key -config config.json -ofile Build\LB3.exe
builder -type enc -exe -pass -pubkey Build\pub.key -config config.json -ofile Build\LB3_pass.exe
builder -type enc -dll -pubkey Build\pub.key -config config.json -ofile Build\LB3_Rundll32.dll
builder -type enc -dll -pass -pubkey Build\pub.key -config config.json -ofile Build\LB3_Rundll32_pass.dll
builder -type enc -ref -pubkey Build\pub.key -config config.json -ofile Build\LB3_ReflectiveDll_DllMain.dll

The config.json file allows enabling impersonation features (impersonation) and defining accounts to impersonate (impers_accounts). In the example below, the administrator account was used for impersonation. The configuration also allows enabling the encryption of network shares (network_shares), killing Windows Defender (kill_defender), and spreading across the network via PsExec (psexec_netspread). After a successful infection, the malicious sample can delete Windows Event Logs (delete_eventlogs) to cover its tracks.

Custom configuration

Besides this, the builder allows the attacker to choose which files, in which directories, and in which systems they do not want to encrypt. If the attacker knows their way around the target infrastructure, they can generate malware tailored to the specific configuration of the target’s network architecture, such as important files, administrative accounts, and critical systems. The images below show the process of generating customized ransomware according to the above configuration, and the resulting files. As we can see, LB3.exe is the main file. This is the artifact that will be delivered to the victim. The builder also generates LB3Decryptor.exe for recovering the files, as well as several different variants of the main file. For example, LB3_pass.exe is a password-protected version of the ransomware, while the reflective DLL can be used to bypass the standard operating system loader and inject malware directly into memory. The TXT files contain instructions on how to execute the password-protected files.

Creation of a customized LockBit version

Generated LockBit files

When we executed this custom build on a virtual machine, it performed its malicious activities and generated custom ransom note files. In real-life scenarios, the note will include details on how the victim should contact the attackers to obtain a decryptor. It is worth noting that negotiating with the attackers and paying ransom should not be an option. Besides the ethical issues involved, there is doubt whether a tool for recovering the files will ever be provided.

Custom ransom note

However, as we generated the ransomware sample and a corresponding decryptor ourselves in a controlled lab environment, we were able to test if the latter actually worked. We tried to decrypt our encrypted files and found out that if the decryptor for the sample was available, it was indeed able to recover the files, as shown in the image below.

LB3Decryptor execution

That said, we must once again underscore that even a correctly working decryptor is no guarantee that the attackers will play fair.

The recent LockBit takedown and custom LockBit builds

In February 2024, the international law enforcement task force Operation Cronos gained visibility into LockBit’s operations after taking the group down. The collaborative action involved law enforcement agencies from 10 countries, which seized the infrastructure and took control of the LockBit administration environment. However, a few days after the operation, the ransomware group announced that they were back in action.

The takedown operation allowed LEAs to seize the group’s infrastructure, obtain private decryption keys and prepare a decryption toolset based on a known-victim ID list obtained by the authorities. The check_decryption_id utility checks if the ransom ID enabled for the victim is on the list of known decryption keys:

check_decryption_id.exe execution

The check_decrypt tool assesses decryptability: while there is a possibility that the files will be recovered, the outcome of the process depends on multiple conditions, and this tool just checks which of these conditions are met in the systems being analyzed. A CSV file is created, listing files that can be decrypted and providing an email address to reach out to for further instructions on restoring the files:

check_decrypt.exe execution

This toolset caught our attention because we had investigated several cases relating to the LockBit threat. We normally recommend that our customers save their encrypted critical files and wait for an opportunity to decrypt them with the help of threat researchers or artifacts seized by the authorities, which is merely a matter of time. We ran victim IDs and encrypted files analyzed by our team through the decryption tool, but most of them showed the same result:

Testing the tool on a victim ID obtained by our team

The check_decrypt also confirmed that it was not possible to decrypt the files by using the database of known keys:

Testing the check_decrypt.exe tool on encrypted files

Our analysis and previous research confirmed that files encrypted with a payload generated with the help of the leaked LockBit builder could not be decrypted with existing decryption tools, essentially because the independent groups behind these attacks did not share their private keys with the RaaS operator.

Geography of the leaked LockBit builder-based attacks

Custom LockBit builds created with the leaked builder were involved in a number of incidents all over the world. These attacks were most likely unrelated and executed by independent actors. The leaked builder apparently has been used by LockBit ransomware competitors to target companies in the Commonwealth of Independent States, violating the group’s number one rule to avoid compromising CIS nationals. This triggered a discussion on the dark web, where LockBit operators tried to explain that they had nothing to do with these attacks.

In our incident response practice, we have come across ransomware samples created with the help of the leaked builder in incidents in Russia, Italy, Guinea-Bissau, and Chile. Although the builder provides a number of customization options, as we have shown above, most of the attacks used the default or slightly modified configuration. However, one incident stood out.

A real-life incident response case involving a custom LockBit build

In a recent incident response engagement, we faced a ransomware scenario involving a LockBit sample built with the leaked builder and featuring impersonation and network spread capabilities we had not seen before. The attacker was able to exploit an internet-facing server that exposed multiple sensitive ports. Somehow, they were able to obtain the administrator password – we believe that it may have been stored in plain text inside a file, or that the attacker may have used social engineering. Then, the adversary generated custom ransomware using the privileged account they had access to. Our team was able to obtain the relevant fields present in the config.json file that the attacker used:

"impersonation": true,
"impers_accounts": "Administrator:************",
"local_disks": true,
"network_shares": true,
"running_one": false,
"kill_defender": true,
"psexec_netspread": true,
"delete_eventlogs": true,

As we can see, the custom version has the ability to impersonate the administrator account, affect network shares, and spread easily across the network via PsExec.

Moreover, it is configured to run more than once on each host. One of the first things the executable does when started is to check for, and create, a unique mutex whose name is derived from a hash of the ransomware public key, in the format “Global\%.8x%.8x%.8x%.8x%.8x”. If the running_one flag is set to true in the configuration and the mutex is already present in the operating system, the process exits.

In our case, the configuration allowed concurrent executions of several ransomware instances on the same host. This behavior, combined with the use of configuration flags for automatic network propagation with high-privileged domain credentials, led to an uncontrolled avalanche effect: each host that got infected then started trying to infect other hosts on the network, including those already infected. From an incident response point of view, this means finding evidence, if available, of different origins for the same threat. See below the evidence found on one host of remote service creation by PsExec with authentication completed from multiple infected hosts.

Remote service creation by PsExec

Although this evidence was present in the infected systems, most of the logs had been deleted by the ransomware immediately after the initial infection. Because of that, it was not possible to determine how the attacker was able to gain access to the server and to the administrator password. The remote service creation logs remained because when the malware was performing lateral movement on the network, it generated new logs, which it did not delete, and which were helpful in detecting its spread across the infrastructure.

Event logs cleared
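A triage helper for the evidence described above, added here as an example and not part of Kaspersky's report or tooling: it correlates PSEXESVC service installs (System log Event ID 7045) with the network logon (Security Event ID 4624, logon type 3) that preceded them on the same host, so that a host reached from several already-infected machines stands out, and lists the log-clearing events (Security 1102, System 104) that explain the missing history. The event records, hostnames and IP addresses are constructed.

```python
"""Correlate PsExec-style remote service installs with the network logon that
preceded them, to expose multiple infection origins for the same host.
Added example, not Kaspersky's tooling; every record below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, already-parsed event records (fields trimmed to what is used).
# 7045 = service installed (System log), 4624 = logon (Security log),
# 1102 = Security log cleared, 104 = System log cleared.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T02:10:05", "host": "FS01", "id": 4624, "logon_type": 3,
     "user": "CORP\\Administrator", "src_ip": "10.0.0.21"},
    {"ts": "2024-03-01T02:10:06", "host": "FS01", "id": 7045,
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"ts": "2024-03-01T02:10:40", "host": "FS01", "id": 1102, "log": "Security"},
    {"ts": "2024-03-01T02:15:12", "host": "FS01", "id": 4624, "logon_type": 3,
     "user": "CORP\\Administrator", "src_ip": "10.0.0.33"},
    {"ts": "2024-03-01T02:15:13", "host": "FS01", "id": 7045,
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"ts": "2024-03-01T02:20:00", "host": "WS07", "id": 4624, "logon_type": 3,
     "user": "CORP\\Administrator", "src_ip": "10.0.0.21"},
    {"ts": "2024-03-01T02:20:01", "host": "WS07", "id": 7045,
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    # Interactive logon and a benign service install: both must be ignored.
    {"ts": "2024-03-01T02:21:00", "host": "WS07", "id": 4624, "logon_type": 2,
     "user": "CORP\\jdoe", "src_ip": "-"},
    {"ts": "2024-03-01T02:21:30", "host": "WS07", "id": 7045,
     "service": "BackupAgent", "image": r"C:\Program Files\Backup\agent.exe"},
    {"ts": "2024-03-01T02:22:00", "host": "WS07", "id": 104, "log": "System"},
    # PSEXESVC install with no logon in the window (Security log already gone).
    {"ts": "2024-03-01T02:30:00", "host": "DC01", "id": 7045,
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
]

PSEXEC_SERVICE = "PSEXESVC"
NETWORK_LOGON = 3


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def is_psexec_install(event):
    """7045 whose service name or binary is PSEXESVC (case-insensitive)."""
    return event["id"] == 7045 and (
        event.get("service", "").upper() == PSEXEC_SERVICE
        or event.get("image", "").upper().endswith(PSEXEC_SERVICE + ".EXE"))


def psexec_origins(events, window=timedelta(seconds=30)):
    """Map each target host to the set of source IPs whose network logon
    immediately preceded a PSEXESVC install there; 'unknown' if none in window."""
    origins = defaultdict(set)
    ordered = sorted(events, key=_ts)
    for i, event in enumerate(ordered):
        if not is_psexec_install(event):
            continue
        src = "unknown"
        for prev in reversed(ordered[:i]):          # walk back in time
            if _ts(event) - _ts(prev) > window:
                break
            if (prev["host"] == event["host"] and prev["id"] == 4624
                    and prev.get("logon_type") == NETWORK_LOGON):
                src = prev["src_ip"]
                break
        origins[event["host"]].add(src)
    return dict(origins)


def avalanche_hosts(origins):
    """Hosts reached by PsExec from more than one distinct source host."""
    return sorted(h for h, s in origins.items() if len(s - {"unknown"}) > 1)


def cleared_logs(events):
    """(host, time, log) for every audit-log clearing event."""
    return sorted((e["host"], e["ts"], e["log"])
                  for e in events if e["id"] in (1102, 104))


if __name__ == "__main__":
    found = psexec_origins(SAMPLE_EVENTS)
    print("origins per host:", found)
    print("hosts hit from several origins:", avalanche_hosts(found))
    print("log clearing:", cleared_logs(SAMPLE_EVENTS))
```

On real data the records would come from parsed System and Security EVTX exports; the 30-second window is an assumption to tune per environment.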

By analyzing some of the traces that were not erased on the initial affected server, we identified compressed Gzip data in a memory stream. The data was encoded in Base64. After decoding and decompression, we found evidence of the use of Cobalt Strike. We were able to identify the C2 server used by the attacker to communicate with the affected machine and promptly sent this indicator to the customer for blacklisting.
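The decoding step just described, as an added example (not the tooling used in the engagement): it carves Base64 runs out of a memory buffer, keeps only those that decode to a gzip stream, decompresses them and pulls hostnames out of the result, skipping runs that are valid Base64 but not gzip and streams that are truncated. The buffer, its contents and the c2.example.invalid hostname are constructed placeholders.

```python
"""Carve Base64-encoded gzip streams out of a memory buffer and extract
hostnames from the decompressed content. Added example, not Kaspersky's
tooling; the sample buffer below is constructed."""
import base64
import binascii
import gzip
import re
import zlib

B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")   # runs shorter than 40 chars are noise
GZIP_MAGIC = b"\x1f\x8b"
HOST_RE = re.compile(rb"https?://([A-Za-z0-9.-]+)")


def carve_b64_gzip(buf: bytes):
    """Return the decompressed payload of every Base64 run that decodes to gzip."""
    payloads = []
    for match in B64_RUN.finditer(buf):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except binascii.Error:
            continue                      # bad length/padding: not a real run
        if not raw.startswith(GZIP_MAGIC):
            continue                      # valid Base64, but not a gzip stream
        try:
            payloads.append(gzip.decompress(raw))
        except (OSError, EOFError, zlib.error):
            continue                      # truncated or corrupt stream
    return payloads


def hostnames(payload: bytes):
    """Distinct hostnames referenced by http(s) URLs in a decoded payload."""
    return sorted({h.decode() for h in HOST_RE.findall(payload)})


# Constructed stager text; the hostname is a placeholder, not a real indicator.
SAMPLE_STAGER = b"url=http://c2.example.invalid:8080/update sleep=60 jitter=20"


def build_sample_buffer() -> bytes:
    """Constructed memory region: one real blob, one Base64 decoy, one truncated stream."""
    blob = base64.b64encode(gzip.compress(SAMPLE_STAGER))
    decoy = base64.b64encode(b"plain text, not compressed at all, just bytes here")
    truncated = base64.b64encode(gzip.compress(bytes(range(256)))[:40])
    return (b"\x00" * 16 + b"stream=" + blob + b"\x00\x00" + decoy
            + b"\r\n" + truncated + b"\xff" * 8)


if __name__ == "__main__":
    for payload in carve_b64_gzip(build_sample_buffer()):
        print(payload)
        print("hosts:", hostnames(payload))
```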

We also spotted the use of the SessionGopher script. This tool uses WMI to extract saved session information for remote desktop access tools, such as WinSCP, PuTTY, FileZilla, and Microsoft Remote Desktop. This is accomplished by querying HKEY_USERS for PuTTY, WinSCP, and Remote Desktop saved sessions. In Thorough mode, the script can identify .ppk, .rdp, and .sdtid files in order to extract private keys and session information. It can be run remotely by using the -iL option followed by the list of computers. The -AllDomain flag allows running it against all AD-joined computers. As shown in the image below, the script can easily extract saved passwords for remote connections. The results can be exported to a CSV file for later use.

Password extraction using SessionGopher

Although SessionGopher is designed for collecting stored credentials, it was not the tool used by the attackers for initial credential dumping. Instead, they employed SessionGopher to collect additional credentials and services in the infrastructure at a later stage.

Once we identified the C2 domains and some other IP addresses related to the attacker and extracted details about the impersonated accounts and tools implemented for automatic deployment, the customer changed all affected users’ credentials and configured security controls to avoid PsExec execution, thus stopping the infection. Monitoring network and user account activities allowed us to identify the infected systems and isolate them for analysis and recovery.

This case shows an interesting combination of techniques used to gain and maintain access to the target network, as well as encrypt important data and impair defenses. Below are the TTPs identified for this scenario.

Tactic | Technique | ID
Impact | Data Encrypted for Impact | T1486
Defense Evasion, Persistence, Privilege Escalation, Initial Access | Valid Accounts | T1078.002
Credential Access | Credentials from Password Stores | T1555
Lateral Movement | Remote Services | T0886
Discovery | Network Service Discovery | T1046
Defense Evasion | Clear Windows Event Logs | T1070.001
Defense Evasion | Impair Defenses | T1562

Preventive actions against ransomware attacks

Ransomware attacks can be devastating, especially if the attackers manage to get hold of high-privileged credentials. Measures for mitigating the risk of such an attack may vary depending on the technology used by the company. However, there are certain infrastructure-agnostic techniques:

  • Using a robust, properly-configured antimalware solution, such as Kaspersky Endpoint Security
  • Implementing Managed Detection and Response (MDR) to proactively seek out threats
  • Disabling unused services and ports to minimize the attack surface
  • Keeping all systems and software up to date
  • Conducting regular penetration tests and vulnerability scanning to identify vulnerabilities and promptly apply appropriate countermeasures
  • Adopting regular cybersecurity training, so that employees are aware of cyberthreats and ways to avoid them
  • Making backups frequently and testing them

Conclusion

Our examination of the LockBit 3.0 builder files shows the alarming simplicity with which attackers can craft customized ransomware, as evidenced by a recent incident where adversaries exploited administrator credentials to deploy a tailored ransomware variant. This underscores the need for robust security measures capable of mitigating this kind of threat effectively, as well as adoption of a cybersecurity culture among employees.

Kaspersky products detect the threat with the following verdicts:

  • Trojan-Ransom.Win32.Lockbit.gen
  • Trojan.Multi.Crypmod.gen
  • Trojan-Ransom.Win32.Generic

And the SessionGopher script, as:

  • HackTool.PowerShell.Agent.l
  • HackTool.PowerShell.Agent.ad

Do cloud-based genAI services have an enterprise future?

Computerworld.com [Hacking News] - 15 April, 2024 - 12:00

While generative artificial intelligence (genAI) models are expected to shrink down in size to fit more defined needs and corporate budgets, a large number of service providers are still plotting their revenue course based on delivering AI cloud services.

In his annual letter to shareholders last week, Amazon CEO Andy Jassy said the company will focus less on building consumer-facing genAI applications and more on delivering AI models it can sell via web services to enterprise customers.

“Sometimes, people ask us, ‘What’s your next pillar? You have Marketplace, Prime, and AWS, what’s next?,’” Jassy wrote. “If you asked me today, I’d lead with generative AI. We’re optimistic that much of this world-changing AI will be built on top of AWS.”

Jassy’s expectations for revenue streams from AI services are not misplaced. Organizations plan to invest 10% to 15% more on AI initiatives over the next year and a half compared to calendar year 2022, according to an IDC survey of more than 2,000 IT and line-of-business decision makers.

Last fall, Amazon launched Bedrock, which delivers a variety of large language models (LLMs) via the AWS cloud through which organizations can build genAI applications. The company also recently launched Amazon Q, a cloud-based AI-assisted software coding assistant.

Amazon’s Bedrock offers AI “foundational models” from AI21 Labs, Anthropic, Cohere, Meta, Mistral AI, Stability AI, along with Amazon’s own LLM via a single API.

Amazon’s list of AI cloud clients now includes ADP, Delta Air Lines, GoDaddy, Intuit, Pfizer, and Siemens.

Currently, cloud computing leads all other methods for delivering genAI applications to enterprises; that’s because of the high cost of building out proprietary infrastructure. Amazon Web Services, Google, IBM, Microsoft and Oracle have invested billions of dollars in AI cloud offerings since OpenAI set off a firestorm of adoption with the launch of ChatGPT in November 2022.

“No one but the hyperscalers and mega large companies can afford to train and operate the very large LLMs and foundation models,” said Avivah Litan, Gartner distinguished vice president analyst. “The costs are in the hundreds of millions of dollars.”

By “large,” Litan was referring to models with hundreds of billions of parameters, as opposed to, say, those with fewer than 100 billion parameters. The costs to use LLMs supplied over cloud services, however, “are relatively manageable by enterprises and for now are also subsidized by the hyperscalers,” Litan said.

However, as enterprises continue to grow their pilots of genAI applications, the cost of cloud services can become a limiting factor. Instead, many organizations are looking to deploy smaller, on-premises LLMs aimed at handling specific tasks.

Smaller domain-specific models trained on more data will eventually challenge the dominance of today’s leading LLMs, including OpenAI’s GPT 4, Meta AI’s LLaMA 2, and Google’s PaLM 2. Smaller models would also be easier to train for specific use cases, according to Dan Diasio, Ernst & Young’s Global Artificial Intelligence Consulting Leader.

Through 2025, 30% of genAI projects will be abandoned after proof of concept (POC) due to poor data quality, inadequate risk controls, escalating costs, or unclear business value, according to Gartner Research. And by 2028, more than half of enterprises that have built their own LLMs from scratch will abandon their efforts due to costs, complexity and technical debt in their deployments.

Current vendor pricing models that pass on the high cost of innovation and developing, training and running LLMs could also mean enterprises won’t see ROI for their AI projects, according to a recent report by Gartner. Even when pricing is subsidized by vendors hoping to gain early market share, it’s often not enough to produce a quick payback, Gartner said. Instead, organizations should take the long approach to productivity gains and ROI from genAI.

Lee Sustar, a principal analyst at Forrester Research, said AI services via cloud will continue to grow as products such as AWS Bedrock, Azure AI and Google Cloud Vertex lower the barrier to entry.

“Given the data gravity in the cloud, it is often the easiest place to start with training data. However, there will be a lot of use cases for smaller LLMs and AI inferencing at the edge. Also, cloud providers will continue to offer build-your-own AI platform options via Kubernetes platforms, which have been used by data scientists for years now,” Sustar said. “Some of these implementations will take place in the data center on platforms such as Red Hat OpenShift AI. Meanwhile, new GPU-oriented clouds like Coreweave will offer a third option. This is early days, but managed AI services from cloud providers will remain central to the AI ecosystem.”

And while smaller LLMs are on the horizon, enterprises will still use major companies’ AI cloud services for when they need access to very large LLMs, according to Litan. Even so, more organizations will eventually be using small LLMs that run on much smaller hardware, “even as small as a common laptop.

“And we will see the rise of services companies that support that configuration along with the privacy, security and risk management services that will be required,” Litan said. “There will be plenty of room for both models — the very large foundation model cloud service delivery and the small foundation model private cloud service delivery on your GPU/CPU of choice.”

One of Amazon’s earliest AI-cloud services was Sagemaker, an integrated development environment (IDE) for developers and engineers to build, train, and deploy machine learning and AI models.

“Bedrock is off to a very strong start with tens of thousands of active customers after just a few months,” Jassy wrote. “Unlike the mass modernization of on-premises infrastructure to the cloud…, this genAI revolution will be built from the start on top of the cloud.”

Category: Hacking & Security

Chinese-Linked LightSpy iOS Spyware Targets South Asian iPhone Users

The Hacker News - 15 April, 2024 - 11:04
Cybersecurity researchers have discovered a "renewed" cyber espionage campaign targeting users in South Asia with the aim of delivering an Apple iOS spyware implant called LightSpy. "The latest iteration of LightSpy, dubbed 'F_Warehouse,' boasts a modular framework with extensive spying features," the BlackBerry Threat Research and Intelligence Team said in a report published last
Category: Hacking & Security

Palo Alto Networks Releases Urgent Fixes for Exploited PAN-OS Vulnerability

The Hacker News - 15 April, 2024 - 10:17
Palo Alto Networks has released hotfixes to address a maximum-severity security flaw impacting PAN-OS software that has come under active exploitation in the wild. Tracked as CVE-2024-3400 (CVSS score: 10.0), the critical vulnerability is a case of command injection in the GlobalProtect feature that an unauthenticated attacker could weaponize to execute arbitrary code with root
Category: Hacking & Security

Ex-Security Engineer Jailed 3 Years for $12.3 Million Crypto Exchange Thefts

The Hacker News - 13 April, 2024 - 16:25
A former security engineer has been sentenced to three years in prison in the U.S. for charges relating to hacking two decentralized cryptocurrency exchanges in July 2022 and stealing over $12.3 million. Shakeeb Ahmed, the defendant in question, pled guilty to one count of computer fraud in December 2023 following his arrest in July. "At the time of both attacks,
Category: Hacking & Security

U.S. Treasury Hamas Spokesperson for Cyber Influence Operations

The Hacker News - 13 April, 2024 - 15:58
The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) on Friday announced sanctions against an official associated with Hamas for his involvement in cyber influence operations. Hudhayfa Samir ‘Abdallah al-Kahlut, 39, also known as Abu Ubaida, has served as the public spokesperson of Izz al-Din al-Qassam Brigades, the military wing of Hamas, since at least 2007. "He publicly
Category: Hacking & Security

Hackers Deploy Python Backdoor in Palo Alto Zero-Day Attack

The Hacker News - 13 April, 2024 - 10:25
Threat actors have been exploiting the newly disclosed zero-day flaw in Palo Alto Networks PAN-OS software dating back to March 26, 2024, nearly three weeks before it came to light yesterday. The network security company's Unit 42 division is tracking the activity under the name Operation MidnightEclipse, attributing it as the work of a single threat actor of
Category: Hacking & Security

Growth in Open Source Use Among Businesses Analyzed

LinuxSecurity.com - 12 April, 2024 - 23:27
The open-source movement has come a long way, from its origins in the 1960s and 1970s to becoming an integral part of organizations worldwide. Recently, its adoption across various industries has increased significantly.
Category: Hacking & Security

This month’s Patch Tuesday release is a big one

Computerworld.com [Hacking News] - 12 April, 2024 - 21:02

Microsoft released 149 updates in this month’s Patch Tuesday release, though there were no reports of public disclosures or other zero-days for the Microsoft ecosystem (Windows, Office, .NET). This update is very large, complex and will require some testing time, especially for the OLE, ODBC and SQL focused updates and their impact on complex applications. 

Microsoft also moved to make security-related CVE entries easier to understand by adopting the new CWE vulnerability reporting standard. The team at Application Readiness has provided this infographic detailing the risks associated with the April updates.

Known issues 

Each month, Microsoft publishes a list of known issues that relate to the operating system and platforms included in the latest update cycle, including these two reported minor issues:

  • After you install KB5034203 or later updates, some Windows devices that use the DHCP Option 235 to discover Microsoft Connected Cache (MCC) nodes in their network might be unable to use those nodes. Microsoft is actively working on this issue, and so we should expect an update soon.
  • Some users of Windows Server 2008 will see messages that say, “Failure to configure Windows updates. Reverting Changes. Do not turn off your computer,” when attempting to update legacy devices. This may be a result of an improperly configured ESU configuration. Microsoft has recently updated its guidelines on acquiring and configuring ESU keys, which may help those still struggling.

Major revisions

This month, Microsoft published these revisions to past updates:

  • CVE-2022-0001: Branch History Injection. Reason for revision: Corrected one or more links in the FAQ. This is an informational change only. No further action required.
  • CVE-2023-24932: Secure Boot Security Feature Bypass Vulnerability: Updated FAQs to include information on how to be protected from this vulnerability for customers running Windows 11 23H2 or Windows Server 2022, 23H2 Edition. No further action required.
  • CVE-2013-3900: WinVerifyTrust Signature Validation Vulnerability.

Microsoft has updated the FAQ documentation to inform customers that EnableCertPaddingCheck is data type REG_SZ (a string value) and not data type dword. When you specify “EnableCertPaddingCheck” as in “DataItemName1”=“DataType1:DataValue1”, do not include the data type value or colon. This will mitigate the impact of this vulnerability.

There was a significant update to the Kerberos security system within Windows, too, with a change to an existing patch (CVE-2024-21427). Microsoft has removed all supported versions of Windows 11 as they are no longer affected by the vulnerability. (Looks like another reason to upgrade to the latest Windows desktop.)

Mitigations and workarounds

Microsoft released the following vulnerability-related mitigation:

  • CVE-2024-26232: Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability. Microsoft helpfully notes that the MSMQ feature is rarely needed and can be disabled, reducing exposure to this vulnerability. Yep.

Each month, the Readiness team analyzes the latest updates and provides detailed, actionable testing guidance; the recommendations are based on a large application portfolio and detailed analysis of the patches and their potential impact on Windows and apps.

For this release cycle, we grouped the critical updates and required testing efforts into functional areas, including:

File management
  • Test scenarios involving tar.exe or the native support of archives in Windows.
  • Test end-to-end scenarios involving File Management Tasks and Storage Reports Management.
Crypto (local security mechanisms)
  • Test scenarios that utilize Crypto APIs. Pay special attention to any operation that relies on CryptDecodeObject or CryptDecodeObjectEx.
  • Test your cryptographic operations and key generation, particularly in VTL1 environments.
  • Test variations of replication on different types and sizes of files and folders.
Networking (DHCP and DNS)
  • Test functional scenarios where Client DUID is a required parameter.
  • Send a message with a VendorOption of DomainName.
  • Check whether the client UID is provided to the RPC API.
  • Test DNS virtual instance and zone management scenarios.
Remote desktop and connections
  • Test point-to-point connections and RRAS servers using the MPRAPI protocols.
  • Test your VPN connections with a connect/disconnect, delete and repeat test cycle.

Automated testing will help with these scenarios (especially a testing platform that offers a “delta” for comparison between builds). However, for your line-of-business apps, getting the application owner (doing UAT) to test and approve the results is absolutely essential.

There have been a large number (24 of this month’s total of 164) of updates to Microsoft SQL components in Windows and to how OLE operates with other Windows features. Applications that require these kinds of “cooperative” interactions are generally complex line-of-business applications. Troubleshooting these update scenarios requires specialist application expertise and can be very time consuming.

To prevent downtime, expensive faults and potentially damaging compliance issues, we fully recommend an audit of your application portfolio, identifying SQLOLE, OLEDB, and ODBC dependencies with an assessment and testing plan before general deployment of this month’s patches.

Windows lifecycle update

This section contains important changes to servicing (and most security updates) to Windows desktop and server platforms.

  • Windows 10 21H2 (E) ends in June 2024.
  • Microsoft .NET 7.0.18 (support ends this month).
  • Microsoft Visual Studio (2022 – 17.4 LTSC) support ends this month.
  • PowerShell 7.3 main support ends May 8, 2024.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

  • Browsers (Microsoft IE and Edge);
  • Microsoft Windows (both desktop and server);
  • Microsoft Office;
  • Microsoft SQL Server (not Exchange Server);
  • Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core);
  • Adobe (if you get this far).

Browsers

Microsoft released just five updates to its Chromium-based browser, all rated important. Note that the next release for this browser platform is the week of April 18. Chromium releases are now out of sync with Microsoft Patch Tuesday updates. Add these updates to your standard patch release schedule.

Windows

For this (mammoth) release to the Windows platform, the following broad areas have been updated.

  • Windows RAS, ICS, RRAS.
  • Windows Message Queuing.
  • Windows Cryptographic Services, BitLocker, Kerberos and LSASS.
  • Windows Distributed File System (DFS).
  • Windows DHCP Server.
  • Microsoft WDAC OLE DB provider for SQL.
  • Windows Telephony Server.

This month we do not see any reports of publicly reported vulnerabilities or exploits in the wild, and if you are on a modern platform (Windows 10/11), all of these reported security vulnerabilities are difficult to exploit. Please add this update to your standard Windows release schedule.

Microsoft Office

Microsoft released only two patches (CVE-2024-26251 and CVE-2024-26257) for the Microsoft Office suite affecting Excel and SharePoint. Both updates are rated important by Microsoft and should be included in your standard Office update schedule.

Microsoft SQL Server (not Exchange Server)

In place (and instead) of Microsoft Exchange Server, we have a special guest this month: Microsoft SQL Server. Microsoft released 38 patches for its database platform, making it one of the largest, most complex and technically challenging updates in memory.

The important thing to note here is that these updates affect how OLE (object linking and embedding), ODBC and SQL Server operate. As a critical middle layer for most business applications, this update will require significant attention from your in-house development, testing and deployment teams. It is not just a big update. It’s the multiplicative, interdependent nature of multiple cooperating systems that are being updated. Really, really.

Microsoft development platforms

Microsoft released 11 updates to the development platform, with 10 focused on Microsoft SQL ODBC issues within Microsoft Visual Studio and the other update affecting Microsoft .NET (CVE-2024-21409). This month’s .NET vulnerability has “remote” in its name, but it requires a local account (and permissions), so it can be added to your standard developer release schedule. The other 10 affecting SQL and ODBC? Your in-house development team will have to take an in-depth look at these updates. It could be really messy, so take your time.

Adobe Reader (if you get this far)

No Adobe updates from Microsoft this month. And (lucky us) there are no other updates to third-party tools or platforms included in this update cycle.

Microsoft, Security, Windows, Windows 10, Windows 11, Windows Security
Category: Hacking & Security

After cloud providers, UK antitrust regulator takes aim at AI

Computerworld.com [Hacking News] - 12 April 2024 - 18:16

The UK’s antitrust regulator has put tech giants on notice after expressing concern that developments in the AI market could stifle innovation.

Sarah Cardell, CEO of the UK’s Competition and Markets Authority (CMA), delivered a speech on the regulation of artificial intelligence in Washington DC on Thursday, highlighting new AI-specific elements of a previously announced investigation into cloud service providers.

The CMA will also investigate how Microsoft’s partnership with OpenAI might be affecting competition in the wider AI ecosystem. Another strand of the probe will look into the competitive landscape in AI accelerator chips, a market segment where Nvidia holds sway.

While praising the rapid pace of development in AI and numerous recent innovations, Cardell expressed concerns that existing tech giants are exerting undue control.

“We believe the growing presence across the foundation models value chain of a small number of incumbent technology firms, which already hold positions of market power in many of today’s most important digital markets, could profoundly shape these new markets to the detriment of fair, open and effective competition,” Cardell said in a speech to the Antitrust Law Spring Meeting conference.

Vendor lock-in fears

Anti-competitive tying or bundling of products and services is making life harder for new entrants. Partnerships and investments — including in the supply of critical inputs such as data, compute power and technical expertise — also pose a competitive threat, according to Cardell.

She criticised the “winner-take-all dynamics” that have resulted in the domination of a “small number of powerful platforms” in the emerging market for AI-based technologies and services.

“We have seen instances of those incumbent firms leveraging their core market power to obstruct new entrants and smaller players from competing effectively, stymying the innovation and growth that free and open markets can deliver for our societies and our economies,” she said.

The UK’s pending Digital Markets, Competition and Consumers Bill, alongside the CMA’s existing powers, could give the authority the ability to promote diversity and choice in the AI market.

Amazon and Nvidia declined to comment on Cardell’s speech, while the other vendors name-checked in the speech — Google, Microsoft, and OpenAI — did not immediately reply.

Dan Shellard, a partner at European venture capital firm Breega and a former Google employee, said the CMA was right to be concerned about how the AI market was developing.

“Owing to the large amounts of compute, talent, data, and ultimately capital needed to build foundational models, by its nature AI centralises to big tech,” Shellard said.

“Of course, we’ve seen a few European players successfully raise the capital needed to compete, including Mistral, but the reality is that the underlying models powering AI technologies remain owned by an exclusive group.”

The recently approved EU AI Act and the potential for US regulation in the AI marketplace make for a shifting picture, in which the CMA is just one actor in a growing movement. The implications of regulation and oversight of AI tooling by entities such as the CMA are significant, according to industry experts.

“Future regulations may impose stricter rules around the ‘key inputs’ in the development, use, and sale of AI components such as data, expertise and compute resources,” said Jeff Watkins, chief product and technology officer at xDesign, a UK-based digital design consultancy.

Risk mitigation

It remains to be seen how regulation to prevent market power concentration will influence the existing concentrations — of code and of data — around AI.

James Poulter, CEO of AI tools developer Vixen Labs, suggested that businesses looking to develop their own AI tools should look to utilise open source technologies in order to minimise risks.

“If the CMA and other regulatory bodies begin to impose restrictions on how foundation models are trained — and more importantly, hold the creators liable for the output of such models — we may see an increase in companies looking to take an open-source approach to limit their liability,” Poulter said.

While financial service firms, retailers, and others should take time to assess the models they choose to deploy as part of an AI strategy, regulators are “usually predisposed to holding the companies who create such models to account — more than clamping down on users,” he said.

Data privacy is more of an issue for businesses looking to deploy AI, according to Poulter.

Poulter concluded: “We need to see a regulatory model which encourages users of AI tools to take personal responsibility for how they use them — including what data they provide to model creators, as well as ensuring foundation model providers take an ethical approach to model training and development.”

Developing AI market regulations might introduce stricter data governance practices, creating additional compliance headaches.

“Companies using AI for tasks like customer profiling or sentiment analysis could face audits to ensure user consent is obtained for data collection and that responsible data usage principles are followed,” Mayur Upadhyaya, CEO of APIContext said. “Additionally, stricter API security and authorisation standards could be implemented.”

Dr Kjell Carlsson, head of AI strategy at Domino Data Lab, said: “Generative AI increases data privacy risks because it makes it easier for customers and employees to engage directly with AI models, for example via enhanced chatbots, which in turn makes it easy for people to divulge sensitive information, which an organisation is then on the hook to protect. Unfortunately, traditional mechanisms for data governance do not help when it comes to minimising the risk of falling afoul of GDPR when using AI because they are disconnected from the AI model lifecycle.”

APIContext’s Upadhyaya suggested that integrating user consent mechanisms directly into interactions with AI chatbots and the like offers one approach to mitigating the risk of falling out of compliance with regulations such as GDPR.

Generative AI, Regulation
Category: Hacking & Security

Will AI end Apple’s existential crisis?

Computerworld.com [Hacking News] - 12 April 2024 - 17:43

Consider this: Apple has been working with artificial intelligence (AI) in specific domains for many years. Then OpenAI’s ChatGPT emerged and made Apple look bad. Today as WWDC approaches, the company is expected to deliver souped-up AI across all its devices — and as competitors struggle to catch up in processor design, we expect fresh M4 Macs to appear this fall.

What this means is that Apple may soon offer computationally advanced mass market computers in a range of configurations (iPhone, iPad, Mac, Vision Pro), software with built-in AI to run on those devices, and the integration between hardware, software, and operating systems it needs to make everything work pretty well.

Survivalism

Apple needs to succeed in this gamble. Stung by claims it has fallen behind in AI development, the company wants to regain lost face and restore its reputation at the leading edge of tech.

That’s not the only reason. With Apple’s former chief designer, Jony Ive, allegedly working with OpenAI’s Sam Altman to design and build what is already being called “the iPhone of AI” and new devices such as Humane’s AI Pin generating interest, the iPhone maker must urgently also seek to consolidate its existing reputation for cutting-edge consumer products.

Together, both challenges add up to more than the sum of their parts; they also emerge within the framework of multiple existential challenges at the company. Not only is it pressed by the need to burnish its reputation as a tech powerhouse, but it is also enduring heavy-handed regulation as governments seek to break the hold of Big Tech firms over the industry.

Move faster

This even extends to AI. In the UK, the Competition and Markets Authority has already begun monitoring Big Tech and its place in the evolving AI market, which will prompt further evolution in the space as companies seek to build solid presences there.

Apple also faces the same existential challenges as everyone else, including the impact of climate change and its already visible effect on crop yields, economic weakness in many markets, and increasing international tension eroding what has been a happy and mutually profitable relationship with China.

Any of these many problems is challenging in its own right, but together they represent a range of long-term threats to the future of the company.

Apple is no stranger to existential threat. Surviving these is core to the company’s own history, and the track record of triumph in adversity it possesses is second to few. But all these threats need a response, and once again Apple Silicon could turn out to be the wind beneath the company’s wings.

Move fast, make things

That Apple already plans M4 Macs isn’t terribly surprising. The cadence of its Mac processor upgrades seems to be around 12 to 18 months across the four processors in any M range (M-, M- Pro, M- Max, and M- Ultra). With each processor being around 20% improved on the previous generation, the company is making huge strides, setting industry expectations for computational performance and energy requirements for the chip price.

The processors also boast on-chip GPUs and Neural Engines, meaning that all existing Macs already have plenty of computational capability to pump into AI.

Apple Silicon isn’t just inside Macs, either. You also find it inside iPhones. We already anticipate Apple will field the world’s biggest personal AI ecosystem once it ships iOS 18 this fall, and there are claims the next iPhone will also deliver a big bump in computational performance.

Playing its hand

With WWDC weeks away, it’s becoming clear how Apple is going to approach its next big release cycle. First, it will woo users back to that loving feeling with new and hopefully powerful AI features in its operating systems.

Second, it will introduce iPhones, iPads, and Macs that are faster than any other devices in their class and built to be perfectly capable of demanding generative AI (genAI) tasks on the device itself. We may even see an App Store for AI, where Apple device users can pick and choose between third-party solutions as they seek the perfect smart companion.

If Apple gets this right, it will convince its already loyal audiences to stick with its hardware, enabling it to continue building sales of additional products and services to a happy user audience. Burnished by the rich patina of AI, iPhones and Macs will remain seriously attractive tools for work and play, and even as economic challenges continue Apple will be able to maintain a strong bottom line.

But if Apple doesn’t make the grade, it will find itself with limited time to turn the Cupertino spaceship around, though it should be more than adequately cushioned for a soft landing.

Probably.

Please follow me on Mastodon, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.

Apple, Artificial Intelligence, Generative AI, iOS, Mac, Vendors and Providers
Category: Hacking & Security

Popular Rust Crate liblzma-sys Compromised with XZ Utils Backdoor Files

The Hacker News - 12 April 2024 - 16:55
"Test files" associated with the XZ Utils backdoor have made their way to a Rust crate known as liblzma-sys, new findings from Phylum reveal. liblzma-sys, which has been downloaded over 21,000 times to date, provides Rust developers with bindings to the liblzma implementation, an underlying library that is part of the XZ Utils data compression software. The
Category: Hacking & Security