The IT Nerd

From the “this might not be a good idea” department comes the announcement by Microsoft of VASA-1. Here’s the TL:DR on this:

We introduce VASA, a framework for generating lifelike talking faces of virtual charactors with appealing visual affective skills (VAS), given a single static image and a speech audio clip. Our premiere model, VASA-1, is capable of not only producing lip movements that are exquisitely synchronized with the audio, but also capturing a large spectrum of facial nuances and natural head motions that contribute to the perception of authenticity and liveliness. The core innovations include a holistic facial dynamics and head movement generation model that works in a face latent space, and the development of such an expressive and disentangled face latent space using videos. Through extensive experiments including evaluation on a set of new metrics, we show that our method significantly outperforms previous methods along various dimensions comprehensively. Our method not only delivers high video quality with realistic facial and head dynamics but also supports the online generation of 512×512 videos at up to 40 FPS with negligible starting latency. It paves the way for real-time engagements with lifelike avatars that emulate human conversational behaviors.

I’ll get to why I am lukewarm at best with this. But first, let’s see what Kevin Surace, Chair, Token has to say on this:

Before Microsoft there have already been several other demonstrations of animating single face images and cloning voices. So we have been able to experience this for many months. Microsoft’s entry here is excellent and state of the art across all models I have seen. The implications for personalizing emails and other business mass communication is fabulous. Even animating older pictures as well. To some extent this is just fun and to another it has solid business applications we will all use in the coming months and years.

Of course one can replace a live webcam with a virtual version of yourself especially when you have a bad hair day. But of course the images we see today are already a digital reproduced image of you. Meaning the webcam is gathering pixels processing them compressing them sending them across the country and recomposing it on someone’s screen. This is arguably the next extension of that by manipulating the pixels in real-time so that you can truly look your best. And its still your voice and your words.

All synthetic media is democratizing what Hollywood could do with CGI for many years. All of this will lead to low cost content creation at a scale we have never seen. And that’s great for creators…even if overloading for the viewers.

Of course we continue down a road of being able to produce more convincing deep fakes at many levels. Arguably that train left the station when Photoshop was introduced. This continues to take us closer to perfect video and audio representations of ourselves with and without our permission. Of course the major models will include a watermark stating this is AI generated. But in time open source models will emerge which don’t.

We have been photoshopping ourselves for decades. Improving our looks and erasing blemishes. Is that ethical? Where does it become unethical? We all want to be and look our best. And multiply ourselves. When used properly by us, this tech does that amazingly well.

CS and entertainment are obvious. As is marketing and mass communications. Its basically a digital twin of ourselves or perhaps of our relative or a coworker (all with permission). How about birthday cards fully customized for you from a celebrity? Or when you are sick sending a video of you looking your best? Its all becoming possible and will be right in our pockets in the coming year.

Here’s my $0.02 worth. I can see scenarios where the following can happen:

• This could allow people to fake video chats
• This could make real people appear to say things they never actually said
• This could allow harassment from a single social media photo

I think that Microsoft needs to demonstrate and speak to how they will gatekeep this so that it’s used with the best of intentions rather than the worst of intentions. That would take me from being lukewarm to something more positive.

It is being reported that Microsoft fixed 60 vulnerabilities in this month’s Patch Tuesday security update round. This includes two critical bugs CVE-2024-21407 that enables attackers to escape from a Hyper-V guest virtual machine and achieve remote code execution on the Hyper-V host, and CVE-2024-21408, a denial of service vulnerability in Windows Hyper-V.

Melvin Lammerts, Hacking Lead at cybersecurity firm Hadrian had this comment:

This Patch Tuesday underscores the critical importance of timely system patching. The Hyper-V vulnerabilities are particularly concerning, as they could enable attackers to execute arbitrary code on the Hyper-V host or cause a complete system crash.  Administrators relying on Hyper-V should prioritise these patches without delay.Furthermore, the Microsoft Defender bypass vulnerability serves as a reminder that no single security solution is foolproof. A robust defence-in-depth strategy is essential, incorporating patching, firewalls, intrusion detection systems, and reliable endpoint protection.Finally, staying informed through resources like the Microsoft Security Bulletins is the best way to stay on top of the latest threats and helps you maintain a strong security posture.

This highlights what I tell every client that I have. Which is patch everything the second it becomes available as it’s an easy way to protect yourself.

Remember when Microsoft got pwned by Midnight Blizzard and Microsoft said this:

Beginning in late November 2023, the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents. The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself. We are in the process of notifying employees whose email was accessed.  

The attack was not the result of a vulnerability in Microsoft products or services. To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems. We will notify customers if any action is required.  

Well, Microsoft has altered their tune. Now they’re saying this:

In recent weeks, we have seen evidence that Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access. This has included access to some of the company’s source code repositories and internal systems. To date we have found no evidence that Microsoft-hosted customer-facing systems have been compromised. 

It is apparent that Midnight Blizzard is attempting to use secrets of different types it has found. Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures. Midnight Blizzard has increased the volume of some aspects of the attack, such as password sprays, by as much as 10-fold in February, compared to the already large volume we saw in January 2024. 

Midnight Blizzard’s ongoing attack is characterized by a sustained, significant commitment of the threat actor’s resources, coordination, and focus. It may be using the information it has obtained to accumulate a picture of areas to attack and enhance its ability to do so. This reflects what has become more broadly an unprecedented global threat landscape, especially in terms of sophisticated nation-state attacks.  

 Shawn Loveland, COO, Resecurity had this to say:

It is well known that Microsoft expends significant resources to protect its assets. Their security posture is world-class. However, this example shows that even world-class security processes and technologies can be bypassed by threat actors ranging from opportunistic script kiddies to well-resourced state actors. Microsoft, as with most defenders, has become overly reliant on legacy technologies and processes, a digital version of the Maginot Line. Companies need to evolve to a defense in-depth strategy, which includes offensive defenses that incorporates what threat actors are doing and preparing for outside of their perimeter, which gives them visibility from the attacker’s perspective.

It will not surprise me if Microsoft changes its tune again when more information about what happened is discovered. While the ideal situation is not to get pwned in the first place, this incident illustrates why you need to really go deep into the weeds if you do get pwned.

Microsoft Research has put out a report on the Mint Sandstorm phishing campaign targeting high profile individuals at universities and research orgs:

Since November 2023, Microsoft has observed a distinct subset of Mint Sandstorm (PHOSPHORUS) targeting high-profile individuals working on Middle Eastern affairs at universities and research organizations in Belgium, France, Gaza, Israel, the United Kingdom, and the United States. In this campaign, Mint Sandstorm used bespoke phishing lures in an attempt to socially engineer targets into downloading malicious files. In a handful of cases, Microsoft observed new post-intrusion tradecraft including the use of a new, custom backdoor called MediaPl.

Operators associated with this subgroup of Mint Sandstorm are patient and highly skilled social engineers whose tradecraft lacks many of the hallmarks that allow users to quickly identify phishing emails. In some instances of this campaign, this subgroup also used legitimate but compromised accounts to send phishing lures. Additionally, Mint Sandstorm continues to improve and modify the tooling used in targets’ environments, activity that might help the group persist in a compromised environment and better evade detection.

Shawn Loveland, COO, Resecurity had this comment:

Bespoke phishing attacks can be highly effective as they are difficult for victims to distinguish as malicious. If the phishing campaign has reasonable operational security (OpSec), it is difficult for security products and services to prevent the delivery of the lure. The next-generation AI-powered phishing campaigns will make bespoke phishing attacks low-cost, automated, and common. After the lure has been delivered and acted upon by the victim, threat actors motivated by geopolitics and money-making endeavors commonly use similar TTPs in their attack, as described by Microsoft.

The motivations behind the actions of threat actors based in Iran can vary between geopolitical and financial gain. The specific motivation behind their actions depends on the group and actors involved. For instance, some threat actors may be driven by geopolitical issues during the day but use the same or similar TTPs at night for personal financial gain. According to a report from Microsoft, this group is only motivated by geopolitics for the specific TTPs described in the report.

Individuals and organizations are vulnerable to various threat actors, with motivations such as personal gain, fame, revenge, challenge, and even geopolitics. It is worth noting that security products and processes can take months to detect and mitigate a new campaign, exposing companies to potential attacks. Therefore, companies must establish a robust CTI practice to detect and mitigate these TTPs before they become targeted.

Microsoft has a lot of advice that you should read and heed if you want to successfully defend against this. Because it’s clearly done by highly skilled threat actors who are willing to go to great lengths to get what they want.

This past “Patch Tuesday”, Microsoft released KB5034441 which has a fix for CVE-2024-20666, a vulnerability that allowed for BitLocker encryption bypass. Needless to say, this is serious and you should install this ASAP to address this issue.

However, shortly after this KB was released, reports started to appear that users were unable to install this KB. Investigation by numerous people and Microsoft determined that the issue was due to the recovery partition that is created when you install Windows 10 not being big enough. This happens because the WinRE (Windows recovery environment) image file deployed as part of the KB5034441 security update is too large for the recovery partition. Thus the fix is to resize the partition.

Here’s why you don’t want to go this route unless you are really brave.

Now you can do this manually using these detailed and very complex instructions that are way beyond the pay grade of the average user. Never mind an IT professional. And you can really screw up your PC if you do something wrong. Or you can use the a PowerShell script to help you automate updating the WinRE partition. But if you read through the instructions, it requires some prerequisites to be present for this to work. And frankly, it’s also meant for IT departments and not home users. And it too has the potential to screw up your PC. So that’s not a real option as well.

The thing is that I have encountered this issue with home and business users alike. Including on one of my own Windows 10 computers. So given how widespread this issue is, as in have a look at this Reddit post that illustrates how widespread this, a real solution from Microsoft needs to be released to address this. And that solution needs to be something that doesn’t include the gymnastics that Microsoft is recommending. In other words, it has to be a packaged fix that literally an exercise of clicking “next”, “next”, “next”, “done”. Because by the time you have to run PowerShell scripts or do things that 99% of users should have no business doing, it’s not a solution that is workable. And keep in mind that this is in relation to a security issue that Microsoft is trying to fix. Which means that threat actors are likely coming up with exploits to take advantage of this as there’s a whole lot of people out there who have the potential to get pwned the longer that this goes without being fixed. Hopefully Microsoft knows all of this and is working to address this properly and quickly.

Over to you Microsoft.

Here’s a great reason why you should always apply patches when they come out. There are two now-patched security flaws in Microsoft Windows that could be chained by threat actors to achieve remote code execution on the Outlook email service sans any user interaction:

• Akamai researcher Ben Barnea found two vulnerabilities in Microsoft Windows, which were assigned CVE-2023-35384 and CVE-2023-36710.
• An attacker on the internet can chain the vulnerabilities together to create a full, zero-click remote code execution (RCE) exploit against Outlook clients.
• The first vulnerability lies in the parsing of a path by the MapUrlToZone function. Exploiting this vulnerability requires sending a crafted email to an Outlook client, which in turn will download a special sound file from an attacker-controlled server.
• The second vulnerability lies in the Audio Compression Manager (ACM). This vulnerability is exploited when the downloaded sound file is autoplayed, and it can lead to code execution on the victim machine. This vulnerability is described in detail in part 2 of this blog post.
• The vulnerabilities were responsibly disclosed to Microsoft and addressed on the August 2023 and October 2023 Patch Tuesdays.
• Windows machines with the October 2023 software update installed are protected from these vulnerabilities. Additionally, Outlook clients that use Exchange servers patched with March 2023 software update are protected against the abused feature.

Ariel Ropek, Principal Threat Researcher, Panther Labs had this comment:

Zero-click vulnerabilities are especially dangerous because they do not require any interaction from the user to be successful, bypassing the need to trick an unsuspecting human as is normally the case with phishing attacks.  The complexity of chaining multiple vulnerabilities plus the high probability of success means that zero-click vulnerabilities have historically been exploited by nation-state actors.  In September 2023, a similar zero-click vulnerability in iOS dubbed BLASTPASS was reportedly used to install Pegasus spyware targeting activists, government officials, and journalists.

Zero clicks are the worst type of exploit. Developers really need to test their code to see if there’s anything that could be used in attacks like this one.

The North Koreans are up to no good again. Microsoft is reporting that they have discover a supply chain attack by a group of threat actors named Diamond Sleet who are using a malicious variant of a legitimate CyberLink application installer that has been modified to include malicious code that downloads, decrypts, and loads a second-stage payload:

Microsoft Threat Intelligence has uncovered a supply chain attack by the North Korea-based threat actor Diamond Sleet (ZINC) involving a malicious variant of an application developed by CyberLink Corp., a software company that develops multimedia software products. This malicious file is a legitimate CyberLink application installer that has been modified to include malicious code that downloads, decrypts, and loads a second-stage payload. The file, which was signed using a valid certificate issued to CyberLink Corp., is hosted on legitimate update infrastructure owned by CyberLink and includes checks to limit the time window for execution and evade detection by security products. Thus far, the malicious activity has impacted over 100 devices in multiple countries, including Japan, Taiwan, Canada, and the United States.

Microsoft attributes this activity with high confidence to Diamond Sleet, a North Korean threat actor. The second-stage payload observed in this campaign communicates with infrastructure that has been previously compromised by Diamond Sleet. More recently, Microsoft has observed Diamond Sleet utilizing trojanized open-source and proprietary software to target organizations in information technology, defense, and media.

 Ken Westin, Field CISO, Panther Labs had this to say:

North Korean APT groups continue to target the software supply chain because it’s proven to be successful repeatedly, instead of targeting individual systems, they infect software upstream giving them potential access to a larger number of systems. They continue to increase the level of sophistication in these attacks with strong knowledge of the tooling and techniques of modern DevOps teams. Most organizations are not monitoring their DevOps processes for these types of attacks and lack mechanisms to detect when code may be compromised. I predict more threat groups will follow this approach to infect a larger number of systems downstream as well as improve methods to bypass rudimentary security measures.

I encourage you to read the full report as it has a lot of detail as to what you can do to protect yourself from this threat actor. Because this group of North Koreans clearly mean business.