Microsoft today released updates to fix more than 50 security vulnerabilities in Windows and related software, a relatively light Patch Tuesday this month for Windows users. The software giant also responded to a torrent of negative feedback on a new feature of Redmond’s flagship operating system that constantly takes screenshots of whatever users are doing on their computers, saying the feature would no longer be enabled by default.

Last month, Microsoft debuted Copilot+ PCs, an AI-enabled version of Windows. Copilot+ ships with a feature nobody asked for that Redmond has aptly dubbed Recall, which constantly takes screenshots of what the user is doing on their PC. Security experts roundly trashed Recall as a fancy keylogger, noting that it would be a gold mine of information for attackers if the user’s PC was compromised with malware.

Microsoft countered that Recall snapshots never leave the user’s system, and that even if attackers managed to hack a Copilot+ PC they would not be able to exfiltrate on-device Recall data. But that claim rang hollow after former Microsoft threat analyst Kevin Beaumont detailed on his blog how any user on the system (even a non-administrator) can export Recall data, which is just stored in an SQLite database locally.

“I’m not being hyperbolic when I say this is the dumbest cybersecurity move in a decade,” Beaumont said on Mastodon.

In a recent Risky Business podcast, host Patrick Gray noted that the screenshots created and indexed by Recall would be a boon to any attacker who suddenly finds himself in an unfamiliar environment.

“The first thing you want to do when you get on a machine if you’re up to no good is to figure out how someone did their job,” Gray said. “We saw that in the case of the SWIFT attacks against central banks years ago. Attackers had to do screen recordings to figure out how transfers work. And this could speed up that sort of discovery process.”

Responding to the withering criticism of Recall, Microsoft said last week that it will no longer be enabled by default on Copilot+ PCs.

Only one of the patches released today — CVE-2004-30080 — earned Microsoft’s most urgent “critical” rating, meaning malware or malcontents could exploit the vulnerability to remotely seize control over a user’s system, without any user interaction.

CVE-2024-30080 is a flaw in the Microsoft Message Queuing (MSMQ) service that can allow attackers to execute code of their choosing. Microsoft says exploitation of this weakness is likely, enough to encourage users to disable the vulnerable component if updating isn’t possible in the short run. CVE-2024-30080 has been assigned a CVSS vulnerability score of 9.8 (10 is the worst).

Kevin Breen, senior director of threat research at Immersive Labs, said a saving grace is that MSMQ is not a default service on Windows.

“A Shodan search for MSMQ reveals there are a few thousand potentially internet-facing MSSQ servers that could be vulnerable to zero-day attacks if not patched quickly,” Breen said.

CVE-2024-30078 is a remote code execution weakness in the Windows WiFi Driver, which also has a CVSS score of 9.8. According to Microsoft, an unauthenticated attacker could exploit this bug by sending a malicious data packet to anyone else on the same network — meaning this flaw assumes the attacker has access to the local network.

Microsoft also fixed a number of serious security issues with its Office applications, including at least two remote-code execution flaws, said Adam Barnett, lead software engineer at Rapid7.

“CVE-2024-30101 is a vulnerability in Outlook; although the Preview Pane is a vector, the user must subsequently perform unspecified specific actions to trigger the vulnerability and the attacker must win a race condition,” Barnett said. “CVE-2024-30104 does not have the Preview Pane as a vector, but nevertheless ends up with a slightly higher CVSS base score of 7.8, since exploitation relies solely on the user opening a malicious file.”

Separately, Adobe released security updates for Acrobat, ColdFusion, and Photoshop, among others.

As usual, the SANS Internet Storm Center has the skinny on the individual patches released today, indexed by severity, exploitability and urgency. Windows admins should also keep an eye on AskWoody.com, which often publishes early reports of any Windows patches gone awry.

A threat actor is selling the data belonging to BlackBerry’s Cylance cybersecurity unit, he demanded $750,000.

A threat actor, that goes online with the moniker Sp1d3r, is selling the stolen data for $750,000. The data includes 34 million customer and employee emails, customer / prospect email and PII, products used by organizations, sales prospect list with activity status, Cylance partners list and users list.

MAJOR DATA FOR SALEA threat actor is allegedly selling data belonging to Cylance customers, partners, and employees database. Price: $750,000.#DarkWeb #Cybersecurity #Security #Cyberattack #Cybercrime #Privacy #Infosec

A total of 34,000,000 million customer and employee… pic.twitter.com/D5BBUATBkJ

— Dark Web Informer (@DarkWebInformer) June 7, 2024

BlackBerry told several media outlets that it’s aware of the potential data breach and is investigating the alleged incident.

The company states that data was stolen from a third-party platform and appears to be old.

“Based on our initial reviews of the data in question, no current Cylance customers are impacted, and no sensitive information is involved,” BlackBerry told SecurityWeek. “The data in question was accessed from a third-party platform unrelated to BlackBerry and appears to be from 2015-2018, predating BlackBerry’s acquisition of the Cylance product portfolio.”

“We continue to monitor this situation closely and will take all necessary precautions to maintain the integrity of our products and systems and the trust of our customers,” it added

While several experts believe attackers may have obtained the data from the cloud data platform Snowflake, Cylance pointed out that it is currently not a Snowflake customer.

Data claimed to relate to #Blackberry #Cylance customers, partners, and employees has been put up for sale. The same account is also selling data claimed to relate to QuoteWizard and Advance Auto Parts. #Snowflake? pic.twitter.com/vF1zksnGfH

— Brett Callow (@BrettCallow) June 7, 2024

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

Managed service providers (MSPs) are on the front lines of soaring demand for cybersecurity services as cyberattacks increase in volume and sophistication. Cynet has emerged as the security vendor of choice for MSPs to capitalize on existing relationships with SMB clients and profitably expand their client base. By unifying a full suite of cybersecurity capabilities in a simple, cost-effective

Cybersecurity researchers have shed more light on a Chinese actor codenamed SecShow that has been observed conducting Domain Name System (DNS) on a global scale since at least June 2023. The adversary, according to Infoblox security researchers Dr. Renée Burton and Dave Mitchell, operates from the China Education and Research Network (CERNET), a project funded by the Chinese government. "These

Semiconductor and software design company Arm warns of an actively exploited zero-day vulnerability in Mali GPU Kernel Driver.

Arm is warning of an actively exploited zero-day vulnerability, tracked as CVE-2024-4610, in Mali GPU Kernel Driver.

The vulnerability is a use-after-free issue issue that impacts Bifrost GPU Kernel Driver (all versions from r34p0 to r40p0) and Valhall GPU Kernel Driver (all versions from r34p0 to r40p0).

“A local non-privileged user can make improper GPU memory processing operations to gain access to already freed memory.” reads the advisory published by the company. “Arm is aware of reports of this vulnerability being exploited in the wild. Users are recommended to upgrade if they are impacted by this issue”

Bifrost and Valhall GPU Kernel Driver r41p0, which were released on November 24, 2022, address the vulnerability.

A local non-privileged attacker can prepare the system’s memory to issue improper GPU memory processing operations to gain access to already freed memory.

The company recommends users upgrade if this issue impacts them.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Mali GPU Kernel Driver)

One of the most effective ways for information technology (IT) professionals to uncover a company’s weaknesses before the bad guys do is penetration testing. By simulating real-world cyberattacks, penetration testing, sometimes called pentests, provides invaluable insights into an organization’s security posture, revealing weaknesses that could potentially lead to data breaches or other security

Apple has announced the launch of a "groundbreaking cloud intelligence system" called Private Cloud Compute (PCC) that's designed for processing artificial intelligence (AI) tasks in a privacy-preserving manner in the cloud. The tech giant described PCC as the "most advanced security architecture ever deployed for cloud AI compute at scale." PCC coincides with the arrival of new generative AI (

A proof-of-concept (PoC) exploit code for a Veeam Backup Enterprise Manager authentication bypass flaw CVE-2024-29849 is publicly available.

Researcher Sina Kheirkha analyzed the Veeam Backup Enterprise Manager authentication bypass flaw CVE-2024-29849 and a proof of concept exploit for this issue.

The flaw CVE-2024-29849 is a critical vulnerability (CVSS score: 9.8) in Veeam Backup Enterprise Manager that could allow attackers to bypass authentication.

Veeam Backup Enterprise Manager is a centralized management and reporting tool designed to simplify the administration of Veeam Backup & Replication environments. It offers a web-based interface that allows users to manage multiple Veeam Backup & Replication servers, monitor backup jobs, and generate reports.

“This vulnerability in Veeam Backup Enterprise Manager allows an unauthenticated attacker to log in to the Veeam Backup Enterprise Manager web interface as any user.” reads the advisory published by the vendor.

The vulnerability was addressed with the release of version 12.1.2.172. The company also provided the following mitigation:

• This vulnerability can be mitigated by halting the Veeam Backup Enterprise Manager software.
  To do this, stop and disable the following services:
  • VeeamEnterpriseManagerSvc (Veeam Backup Enterprise Manager)
  • VeeamRESTSvc (Veeam RESTful API Service)
    _{Note: Do not stop the ‘Veeam Backup Server RESTful API Service’.}
• Veeam Backup Enterprise Manager is compatible with managing Veeam Backup & Replication servers running an older version than Veeam Backup Enterprise Manager. Therefore, if the Veeam Backup Enterprise Manager software is installed on a dedicated server, Veeam Backup Enterprise Manager can be upgraded to version 12.1.2.172 without the need to upgrade Veeam Backup & Replication immediately.
• Veeam Backup Enterprise Manager can be uninstalled if it is not in use.

Administrators are urged to apply the latest security updates as soon as possible due to the availability of the PoC.

Kheirkha explained that the issue resides in the ‘Veeam.Backup.Enterprise.RestAPIService.exe’ service (vVeeamRESTSvc ), which is installed during the setup of the Veeam enterprise manager software.

“When I started to analyze this vulnerability, first I was kind of disappointed on how little information veeam provided, just saying the authentication can be bypassed and not much more, however, just knowing it’s something to do with Authentication and the mitigation suggesting the issue has something to do with the either “VeeamEnterpriseManagerSvc” or “VeeamRESTSvc” services, I began my patch diffing routine and realized the entry point, I’ll introduce VeeamRESTSvc also known as Veeam.Backup.Enterprise.RestAPIService.exe” reads the post published by the researcher.

The service listens on port TCP/9398 and operated as a REST API server, which is basically an API version of the main web application that listens on port TCP/9443

The exploit targets Veeam’s API by sending a specially crafted VMware single-sign-on (SSO) token to a vulnerable service. The expert used a token impersonating an administrator and used an SSO service URL that Veeam failed to verify. The token is initially base64-encoded, then decoded into XML and validated through a SOAP request to an attacker-controlled URL. Then a server under the control of the attack responds positively to the validation, granting the attacker administrator access.

To detect exploitation attempts, the researcher recommends to analyze the following log file:

C:\ProgramData\Veeam\Backup\Svc.VeeamRestAPI.log

searching for Validating Single Sign-On token. Service enpoint URL: 

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, PoC exploit)

Cybersecurity researchers have uncovered an updated version of malware called ValleyRAT that's being distributed as part of a new campaign. "In the latest version, ValleyRAT introduced new commands, such as capturing screenshots, process filtering, forced shutdown, and clearing Windows event logs," Zscaler ThreatLabz researchers Muhammed Irfan V A and Manisha Ramcharan Prajapati said. ValleyRAT

As many as 165 customers of Snowflake are said to have had their information potentially exposed as part of an ongoing campaign designed to facilitate data theft and extortion, indicating the operation has broader implications than previously thought. Google-owned Mandiant, which is assisting the cloud data warehousing platform in its incident response efforts, is tracking the

Arm is warning of a security vulnerability impacting Mali GPU Kernel Driver that it said has been actively exploited in the wild. Tracked as CVE-2024-4610, the use-after-free issue impacts the following products - Bifrost GPU Kernel Driver (all versions from r34p0 to r40p0) Valhall GPU Kernel Driver (all versions from r34p0 to r40p0) "A local non-privileged user can make improper GPU memory

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-06-03 to 2024-06-10.

News

• [X/Twitter] CSS injection in GitHub profiles - Not a lot of detail on this but apparently using LaTeX you can include external CSS in your GitHub profile.

• Features removed or no longer developed starting with Windows Server 2025 (preview) - "All versions of NTLM, including LANMAN, NTLMv1, and NTLMv2, are no longer under active feature development and are deprecated." Backwards compatibility will keep NTLM relaying alive for at least another decade.

• Microsoft Recall

  • Update on the Recall preview feature for Copilot+ PCs - Microsoft says Recall will now be opt-in. For how long one wonders, until they flip it back to opt-out.
  • Add Recall module for dumping all users Microsoft Recall DBs & screenshots #335 - Recall extraction feature added to netexec.
  • TotalRecall - This tool extracts and displays data from the Recall feature in Windows 11, providing an easy way to access information about your PC's activity snapshots.

• FBI recovers 7,000 LockBit keys, urges ransomware victims to reach out - A lot of keys! Pretty cool!

Techniques and Write-ups

• No Way, PHP Strikes Again! (CVE-2024-4577) - On Windows (specifically the Chinese and Japanese locales), a '%AD' in a URL gets interpreted as '-' which can lead to remote code execution depending on how PHP is configured. By default, the XAMPP project is vulnerable.
• How to Train Your Large Language Model - Ever wondered how people 'fine tune' large language models for specific tasks? This post walks through training a local model and GPT-4 to assist with making sense of the pseudo-code output in the IDA Pro disassembler. The model and plugin code can be found at aidapal.
• WHFB and Entra ID: Say Hello to Your New Cache Flow - With Windows Hello for Business and Entra ID, there still needs to be a way to authenticate the user on the device if the device is offline. This cache can be used by attackers to bruteforce passwords. The use of a trusted platform module (TPM), or better yet a TPM v2, will slow down this bruteforce considerably.
• An Introduction to Chrome Exploitation - Maglev Edition - Besides mobile devices, Chrome is probably the next hardest target. This post covers Chromium Security Architecture and the V8 Pipeline, with a focus on the Maglev Compiler. It also covers the root cause analysis of CVE-2023-4069 and how to exploit it with JIT-spraying shellcode.
• Inside the Box: Malware's New Playground - Malware groups are using the BoxedApp product to evade detection. This mirrors earlier efforts that used VMprotect. If you can pay a modest price for a commercial packer that will help you evade EDR, many financially motivated actors will do so. Are you using commercial packers in your adversary simulations?
• Hacking Millions of Modems (and Investigating Who Hacked My Modem) - A hacker discovers his modem is compromised, and through the course of investigating finds a way to hack any Cox customer's modem.
• Becoming any Android app via Zygote command injection - Meta's red team discovered a vulnerability in Android (now patched) that allows an attacker with the WRITE_SECURE_SETTINGS permission, which is held by the ADB shell and certain privileged apps, to execute arbitrary code as any app on a device. By doing so, they could read and write any app's data, make use of per-app secrets and login tokens, change most system configuration, unenroll or bypass Mobile Device Management, and more. The exploit involves no memory corruption, meaning it worked unmodified on virtually any device running Android 9 or later, and persists across reboots. This feels like a vulnerability that will make some advanced actors very upset to see patched.
• Deep diving into F5 Secure Vault - After Exploiting an F5 Big-IP, @myst404_ set their sights on the "Secure Vault." Spoiler: it isn't all that secure.
• Windows Internals: Dissecting Secure Image Objects - Part 1 - The king of technical deep dives is back! Funny that this is actually a third order blog post spawned from research originally into the Kernel Control Flow Guard (Kernel CFG) feature. As always, Connor delivers a great, highly technical post.
• Bypassing Veeam Authentication CVE-2024-29849 - "This vulnerability in Veeam Backup Enterprise Manager allows an unauthenticated attacker to log in to the Veeam Backup Enterprise Manager web interface as any user. - Critical"
• [PDF] Paged Out! #4 (14MB, beta1 build) - A great modern zine.
• Spray passwords, avoid lockouts - A very compreshensive look at Windows password policy. conpass is the new tool dropped to implement the ideas presented in the post.
• Develop your own C# Obfuscator - Sure, you've used ConfuserEx, but what if you wrote your own C# obfuscator?
• Bypassing EDR NTDS.dit protection using BlueTeam tools. - Love to see traitorware in the wild.
• One Phish Two Phish, Red Teams Spew Phish - How to give your phishing domains a reputation boost.

Tools and Exploits

• MAT - This tool, programmed in C#, allows for the fast discovery and exploitation of vulnerabilities in MSSQL servers.
• AmperageKit - One stop shop for enabling Recall in Windows 11 version 24H2 on unsupported devices.
• omakub - Opinionated Ubuntu Setup.
• chromedb - Read Chromium data (namely, cookies and local storage) straight from disk, without spinning up the browser.
• The_Shelf - Retired TrustedSec Capabilities. See Introducing The Shelf for more.
• RflDllOb - Reflective DLL Injection Made Bella.
• CVE-2024-29849 - Veeam Backup Enterprise Manager Authentication Bypass (CVE-2024-29849).
• rsescan - RSEScan is a command-line utility for interacting with the RSECloud. It allows you to fetch subdomains and IPs from certificates for a given domain or organization.
• MDE_Enum - comprehensive .NET tool designed to extract and display detailed information about Windows Defender exclusions and Attack Surface Reduction (ASR) rules without Admin privileges.
• Disable-TamperProtection - A POC to disable TamperProtection and other Defender / MDE components.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• How Malware Can Bypass Transparency Consent and Control (CVE-2023-40424) - CVE-2023-40424 is a vulnerability that allows a root-level user to create a new user with a custom Transparency Consent and Control (TCC) database in macOS, which can then be used to access other users' private data. It was fixed in 2023 in macOs Sonoma (but not backported to older versions!).
• PsMapExec - A PowerShell tool that takes strong inspiration from CrackMapExec / NetExec.
• Evilginx-Phishing-Infra-Setup - Evilginx Phishing Engagement Infrastructure Setup Guide.
• File-Tunnel - Tunnel TCP connections through a file.
• awesome-cicd-attacks - Practical resources for offensive CI/CD security research. Curated the best resources I've seen since 2021.
• JA4+ Database - Download, read, learn about, and contribute to augment your organization's JA4+ network security efforts
• detection-rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security's Detection Engine.
• openrecall - OpenRecall is a fully open-source, privacy-first alternative to proprietary solutions like Microsoft's Windows Recall. With OpenRecall, you can easily access your digital history, enhancing your memory and productivity without compromising your privacy.
• knock - Knock Subdomain Scan.
• ubiquity-toolkit - A collection of statically-linked tools targeted to run on almost any linux system.
• SOAPHound - A fork of SOAPHound that uses an external server to exfiltrate the results vs dropping them on disk for improved OPSEC.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.

The Japanese video-sharing platform, Niconico, was forced to suspend its services following a cybersecurity incident.

The Japanese video-sharing platform, Niconico, temporarily suspended its services following a large-scale cyberattack on June 8, 2024.

“Due to the effects of a large-scale cyber attack, Niconico has been unavailable since early morning on June 8th” reads the incident notice published by the company. “We sincerely apologize for the inconvenience.”

In response to the incident, the company temporarily suspended Niconico Family Services such as Niconico Video, Niconico Live Broadcast, Niconico Channel, etc. The company also suspended the Niconico Account login on external services.

“Beginning in the early hours of Saturday, June 8th, an issue occurred that prevented access to multiple servers in our group. In response to this incident, we immediately shut down the relevant servers to protect the data. Based on the scope of our internal analysis and investigation that was conducted on the same day, we have determined that there is a high possibility that we were the victim of a cyber attack.” reads a statement from the company.

The video-sharing platform also canceled/postponed programs scheduled from June 10th to June 16th.

The company is investigating the security incident with the help of law enforcement and external experts to determine the full extent of the damage.

The company has yet to determine if threat actors have stolen any information from its systems.

The Japanese firm did not reveal the type of cyberattack it suffered; however, the problems it is facing and the incident response procedure adopted suggest it was the victim of a ransomware attack.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, cyber attack)

The UK NHS issued an urgent call for O-type blood donations following the recent ransomware attack that hit several London hospitals.

The UK National Health Service (NHS) issued an urgent call for O-type blood donations due to the recent ransomware attack on Synnovis that disrupted operations at several healthcare organizations in London.

In early June, a ransomware attack on pathology and diagnostic services provider Synnovis severely impacted the operations at several major NHS hospitals in London. The attack forced the impacted hospitals to cancel some healthcare procedures, in some cases, patients were redirected to other hospitals.

Synnovis is a pathology partnership between Guy’s and St Thomas’ NHS Foundation Trust and King’s College Hospitals NHS Trust, and SYNLAB, Europe’s largest provider of medical testing and diagnostics.

In a post published on its website, Synnovis disclosed it was the victim of a ransomware attack.

“On Monday 3 June, Synnovis – a partnership between two London-based hospital Trusts and SYNLAB – was the victim of a ransomware cyberattack. This has affected all Synnovis IT systems, resulting in interruptions to many of our pathology services.” reads the statement published by the company. “Regrettably this is affecting patients, with some activity already cancelled or redirected to other providers as urgent work is prioritised.”

Synnovis has yet to release a new update and hasn’t provided any information on the scope of the attack.

Law enforcement suspects that Qilin extortion gang is behind the attack.

The NHS London published a statement on Synnovis ransomware attack confirming that the incident is having a significant impact on the delivery of services at Guy’s and St Thomas’, King’s College Hospital NHS Foundation Trusts and primary care services in south east London.

“On Monday 3 June Synnovis, a provider of lab services, was the victim of a ransomware cyber attack. This is having a significant impact on the delivery of services at Guy’s and St Thomas’, King’s College Hospital NHS Foundation Trusts and primary care services in south east London and we apologise for the inconvenience this is causing to patients and their families.” reads the statement published by NHS London.

“All urgent and emergency services remain open as usual and the majority of outpatient services continue to operate as normal.” continues the NHS. “Unfortunately, some operations and procedures which rely more heavily on pathology services have been postponed, and blood testing is being prioritised for the most urgent cases, meaning some patients have had phlebotomy appointments cancelled.”

The NHS confirmed that the ransomware attack has disrupted blood matching tests, for this reason, affected hospitals are using O Negative and O Positive blood for patients who can’t wait for alternative matching methods. For this reason, the NHS is calling for O-type blood donations.

“England’s top doctor has today (Monday 10 June) backed calls from NHS Blood and Transplant (NHSBT) for O Positive and O Negative blood donors to urgently book appointments to donate in one of the 25 town and city centre NHS Blood Donor Centres in England, to boost stocks of O type blood following the cyber incident in London.” reads the announcement published by the NHS Blood and Transplant.

“The IT incident affecting a pathology provider means the affected hospitals cannot currently match patients’ blood at the same frequency as usual. For surgeries and procedures requiring blood to take place, hospitals need to use O type blood as this is safe to use for all patients and blood has a shelf life of 35 days, so stocks need to be continually replenished. That means more units of these types of blood than usual will be required over the coming weeks to support the wider efforts of frontline staff to keep services running safely for local patients.”

O Negative blood is a universal blood type, anyone can receive it, for this reason, it is crucial in emergencies or when a patient’s blood type is unknown. Despite only 8% of the population having O Negative, it accounts for about 15% of hospital orders. O Positive, the most common blood type, can be given to anyone with a positive blood type, benefiting 76% of the population. 35% of blood donors have O Positive blood.

“To support London hospitals to carry out more surgeries and to provide the best care we can for all patients, we need more O Negative and O Positive donors than usual. Please book an urgent appointment to give blood at one of our 25 town and city donor centres which currently have good appointment availability.

“We have availability for donors who know they are type O but we also welcome new donors who don’t yet know their blood type. You might have one of these special types that can be used in emergencies.”

“To support London hospitals to carry out more surgeries and to provide the best care we can for all patients, we need more O Negative and O Positive donors than usual. Please book an urgent appointment to give blood at one of our 25 town and city donor centres which currently have good appointment availability.” said Dr Gail Miflin, Chief Medical Officer, NHS Blood and Transplant. “We have availability for donors who know they are type O but we also welcome new donors who don’t yet know their blood type. You might have one of these special types that can be used in emergencies.””

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, London hospitals)

Cybersecurity researchers have spotted a phishing attack distributing the More_eggs malware by masquerading it as a resume, a technique originally detected more than two years ago. The attack, which was unsuccessful, targeted an unnamed company in the industrial services industry in May 2024, Canadian cybersecurity firm eSentire disclosed last week. "Specifically, the targeted individual was a