Application Block is now free for all ThreatDown users.

Malwarebytes continues to add value to its ThreatDown Bundles with the inclusion of Application Block as free for all ThreatDown Nebula accounts (excluding Mobile only accounts). Users don’t need to activate this new feature: the policy has been enabled in their account by default.

For as many applications out there that help you keep business running as usual, there are just as many that can spell big trouble for your network security. Threat actors can embed malicious code in seemingly legitimate applications, which end users then innocently execute on their Windows endpoints. (And the bad guys are in).

Or threat actors can find an application on your network with a known vulnerability for which no patch has been developed. (And again, they’re in.) 

Application threats also don’t just stop at cybercriminal gangs: organizations also just might not want employees using unproductive or unapproved applications and the security risks that follow.

All of this is to say that having the ability to blocklist certain applications from running is a key part of an effective layered defense. Malwarebytes is adding **Application Block** for free in all ThreatDown Bundles to make it easier for under-resourced orgs to meet this important security requirement.

Let’s dive in to see how it works!

**Features**

*   Log and monitor blocked application activity on endpoints.
*   Block device access to specified software applications, though this does not include cloud applications.
*   Block list rules are created and applied to policies across the console or sites.
*   Dashboard and reporting for blocked applications.

For a technical overview of Application Block for Nebula, click here: https://service.malwarebytes.com/hc/en-us/sections/10604417341587-Application-Block

**Enable Blocking**

When setting or modifying a policy in the Nebula console, go to the **Software management** tab at the bottom.

There you’ll find the **Application block** option for Windows. Let’s go ahead and check it and then save this policy.

**Block Rule Creation/Management**

Heading over to the Monitor tab, we’ll find Application Block near the bottom of the drop-down menu. Let’s click into that. 

We’re taken to an activity log dashboard of blocked applications. Find the **Rules** tab near the top and click “New rule”. 

Rules in Application Block for Nebula define which software applications and executables are blocked across your endpoints. We can apply this rule globally or to specific policies only.

Basic application block rules select the Application or Vendor name to block the service. Advanced rules are available to use file information to block the service including Certificate property, File path, File property, and Hash value.

Let’s save this rule and head back over to our activity log!

**Application Block Activity Log**

The Activity Log tab displays blocked applications across all your managed endpoints. Blocked records are retained for approximately 90 days.

View the following information for each endpoint’s activity record, including agent version, application data, and time blocked!

For auditing or external reporting purposes, you can even download Application Block activity information to your local machine by selecting all or checking specific boxes for the rows you want to export and clicking Export.

We can get a full and quick picture of our endpoint data by heading over to the Nebula Dashboard. Here we can add, remove, and rearrange widgets—including one for Application Block—that give us insight into what applications were blocked and their frequency.

**Plugging the holes in your Windows endpoint security**

Together with free Vulnerability Assessment, which effectively identifies and prioritizes critical security vulnerabilities, Application Block enhances overall security protection by preventing unauthorized software usage, offering a comprehensive security solution at no additional cost in all ThreatDown Bundles.

 Free access to ThreatDown Application Block: Elevate your Windows security at no cost 

Google has issued a security update for the Chrome browser that includes a patch for one zero-day vulnerability.

Google has released an update for Chrome which includes four security fixes, including one for a vulnerability that has reportedly already been exploited.

The easiest way to update Chrome is to allow it to update automatically, which basically uses the same method as outlined below but does not require your attention. But you can end up lagging behind if you never close the browser or if something goes wrong—such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time, given the severity of the vulnerability in this patch. My preferred method is to have Chrome open the page _chrome://settings/help_ which you can also find by clicking **Settings > About Chrome**.

If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete, and for you to be safe from those vulnerabilities.

After the update, the version should be 120.0.6099.224, or later

**Technical details**

Google never gives out a lot of information about vulnerabilities, for obvious reasons. Access to bug details and links may be kept restricted until a majority of users are updated with a fix. However, from the update page we can learn a few things.

Three vulnerabilities found by external researchers all lie in Chrome’s V8 JavaScript engine.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The three V8 vulnerabilities are listed as:

CVE-2024-0517: an out of bounds write in V8 in Google Chrome prior to 120.0.6099.224 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

An out-of-bounds write can occur when a program writes outside the bounds of an allocated area of memory, potentially leading to a crash or arbitrary code execution. This can happen when the size of the data written is larger than the size of the allocated memory area, when the data is written to an incorrect location within the memory area, or when the program incorrectly calculates the size or location of the data to be written.

CVE-2024-0518: a type confusion in V8 in Google Chrome prior to 120.0.6099.224 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Type confusion vulnerabilities are programming flaws that happen when a piece of code doesn’t verify the type of object that is passed to it before using it. Type confusion can allow an attacker to feed function pointers or data into the wrong piece of code. In this case, it can lead to heap corruption.

Heap corruption occurs when a program modifies the contents of a memory location outside of the memory allocated to the program. The heap is an area of memory made available for use by the program. The program can request blocks of memory for its use within the heap.

CVE-2024-0519: out of bounds memory access in V8 in Google Chrome prior to 120.0.6099.224 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

An out-of-bounds memory access means that the software has access to data past the end, or before the beginning, of the intended buffer.

Google notes that it is aware of reports that an exploit for CVE-2024-0519 exists in the wild.

V8 is an open-source JavaScript and WebAssembly engine developed by the Chromium Project for Chromium and Google Chrome web browsers, so users of other Chromium based browsers, like Microsoft Edge, can expect to see similar updates in the near future.

Microsoft says it’s actively working on releasing a security patch and added:

> “It’s worth highlighting that Microsoft Edge’s enhanced security mode feature mitigates this vulnerability. You can opt-in into this security feature and have peace of mind that Microsoft Edge is protecting you against this exploit.”

Use the following steps to configure enhanced security in Edge.

1.  In Microsoft Edge, go to **Settings and more** > **Settings** > **Privacy, search, and services**.
2.  Under **Security**, verify that **Enhance your security on the web** is enabled.
3.  Select the option that’s best for your browsing.

The following toggle settings are available:

*   Toggle Off (Default): Feature is turned off
*   Toggle On – Balanced (Recommended): Microsoft Edge will apply added security protections when users visit unfamiliar sites but bypass those protections for commonly visited sites. This combination provides a practical level of protection against attackers while preserving the user experience for a user’s usual tasks on the web.
*   Toggle On – Strict: Microsoft Edge will apply added security protections for all the sites a user visits. Users may report some challenges accomplishing their usual tasks.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Update Chrome! Google patches actively exploited zero-day vulnerability 

Two vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure Gateways are subject to massive exploitation despite an available workaround.

Last week we wrote about two vulnerabilities in all supported versions of Ivanti Connect Secure and Ivanti Policy Secure Gateways that were being actively exploited.

The researchers that discovered the active exploitation are warning that these attacks are now very widespread.

> “Victims are globally distributed and vary greatly in size, from small businesses to some of the largest organizations in the world, including multiple Fortune 500 companies across multiple industry verticals.”

At first, the scans by the researchers showed only limited exploitation. But later they observed scans made by an unknown party that revealed compromised devices which had a different variant of the web shell on them. The latest numbers indicate some 1700 compromised devices.

The fact that there are no patches available and users were asked to apply a workaround and monitor their network traffic for suspicious activity, may have contributed to the slow response to the sounded alarms. Almost 7000 devices remain vulnerable according to the latest count.

The workaround requires importing a mitigation.release.20240107.1.xml file which can be obtained via the download portal (login required). The XML file is in the zipped format, so you’ll need to unzip and then import the XML file.

*   Navigate to **Maintenance** > **Import/Export** > **Import XML**
*   Use the **Browse** button to point to the unzipped XML file
*   Click the **Import** Button

Importing this XML into any one node of a Cluster is enough. A FAQ and more detailed instructions can be found in the Ivanti advisory article.

It is important to note that applying the workaround or a patch, when they are made available, is not enough to undo the effects of an attack.

To find out whether your devices have been compromised, you can run the Integrity Checker Tool provided by Ivanti. This integrity tool allows an administrator to verify the integrity of the ICS / IPS Image installed on Virtual or Hardware Appliances This tool checks the complete file system and finds any additional/modified file(s).

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

 Ivanti vulnerabilities now actively exploited in massive numbers 

AI is being used by shock call spammers to emulate the voice of a loved one claiming to be involved in an accident.

The San Francisco Chronicle tells a story about a family that almost got scammed when they heard their son’s voice telling them he’d been in a car accident and hurt a pregnant woman.

Sadly, this is becoming more common. Scammers want to spread panic among their victims, and to do this, they feign an emergency situation. That may be a car accident, unexpected hospitalization, or any other scenarios which instantly cause concern and cause victims to act quickly.

Sometimes it’s a pregnant woman who is hurt, sometimes it’s a diplomat.

In earlier days of scams like these, success depended a great deal on the criminal’s skills at social engineering, but rapid advancements in Artificial Intelligence (AI) mean scammers can now easily and convincingly fake the “voice” of the relative that is the supposed victim of the accident.

What better way to make the victim believe that something bad has happened than hearing their loved one cry out for help in their own voice. With the help of various AI powered tools, criminals can easily compose fragments based on a short voice clip they found online.

FBI Special Agent Robert Tripp said:

> “Now criminals can fabricate a voice using AI tools that are available either in the public domain for free, or at a very low cost.”

The criminals will keep that part of the communication short, so the target is unable to ask the relative any questions about what happened. While it is possible to fake entire conversations with the help of AI, the tools that can do that are much harder to operate. The criminal would have to type out the responses very quickly and the target might get suspicious. In the story from the San Francisco Chronicle, the phone was “taken over” by the so-called police officer at the scene of the accident, who told the parents that their son would be taken into custody.

This was later followed a cold call by someone posing as legal representative for their son, asking for money to for bail. The intended victims got suspicious when the so-called lawyer said he’d send a courier to pick up the bail money.

The FBI says it has received more than 195 complaints about this type of scam that it refers to as “grandparent scams.” It reports nearly $1.9 million in losses, from January through September of 2023.

**How to avoid scams like this**

One of the main tools for the imposters is the amount of information they can round up about the target. Their main sources will include social media and phishing.

There are a few simple precautions to lessen the chances of falling victim to such scams:

*   Avoid letting third parties know too many personal details about you.
*   Do not answer telephone calls from numbers you do not recognize or calls from private numbers.
*   Ask for the caller’s telephone number and check it.
*   If necessary, try to reach your allegedly implicated family member by phone. If you can’t reach them directly, call someone else who might know where they are.
*   Hang up if in doubt and never give financial or personal information to the caller.
*   If you receive or have received such a call, please notify the police immediately and under no circumstances respond to the perpetrators’ demands.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

 AI used to fake voices of loved ones in “I’ve been in an accident” scam 

This week on the Lock and Code podcast, we tell the true story of a virtual kidnapping scam from December of last year.

_This week on the Lock and Code podcast…_

On Thursday, December 28, at 8:30 pm in the Utah town of Riverdale, the city police began investigating what they believed was a kidnapping.

17-year-old foreign exchange student Kai Zhuang was missing, and according to Riverdale Police Chief Casey Warren, Zhuang was believed to be “forcefully taken” from his home, and “being held against his will.”

The evidence leaned in police’s favor. That night, Zhuang’s parents in China reportedly received a photo of Zhuang in distress. They’d also received a ransom demand.

But as police in Riverdale and across the state of Utah would soon learn, the alleged kidnapping had a few wrinkles.

For starters, there was no sign that Zhuang had been forcefully removed from his home in Riverdale, where he’d been living with his host family. In fact, Zhuang’s disappearance was so quiet that his host family was entirely unaware that he’d been missing until police came and questioned them. Additionally, investigators learned that Zhuang had experienced a recent run-in with police officers nearly 75 miles away in the city of Provo. Just eight days before his disappearance in Riverdale, Zhuang caught the attention of Provo residents because of what they deemed strange behavior for a teenager: Buying camping gear in the middle of a freezing winter season. Police officers who intervened at the residents’ requests asked Zhuang if he was okay, he assured them he was, and a ride was arranged for the teenager back home.

But what Zhuang didn’t tell Provo police at the time was that, already, he was being targeted in an extortion scam. But when Zhuang started to push back against his scammers, it was his parents who became the next target.

Zhuang—and his family—had become victims of what is known as “virtual kidnapping.”

For years, virtual kidnapping scams happened most frequently in Mexico and the Southwestern United States, in cities like Los Angeles and Houston. But in 2015, the scams began reaching farther into the US.

The scams themselves are simple yet cruel attempts at extortion. Virtual kidnappers will call phone numbers belonging to affluent neighborhoods in the US and make bogus threats about a holding a family member hostage.

As explained by the FBI in 2017, virtual kidnappers do not often know the person they are calling, their name, their occupation, or even the name of the family member they have pretended to abduct:

“When an unsuspecting person answered the phone, they would hear a female screaming, ‘Help me!’ The screamer’s voice was likely a recording. Instinctively, the victim might blurt out his or her child’s name: ‘Mary, are you okay?’ And then a man’s voice would say something like, ‘We have Mary. She’s in a truck. We are holding her hostage. You need to pay a ransom and you need to do it now or we are going to cut off her fingers.’”

Today, on the Lock and Code podcast with host David Ruiz, we are presenting a short, true story from December about virtual kidnapping. Today’s episode cites reporting and public statements from the Associated Press, the FBI, ABC4.com, Fox 6 Milwaukee, and the Riverdale Police Department.

Tune in today to listen to the full story.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 A true tale of virtual kidnapping: Lock and Code S05E02 

Almost seven years after alleged FruitFly author Phillip Durachinsky’s arrest, judge Solomon Oliver has ruled he's incompetent to stand trial.

On January 4, 2017, Case Western Reserve University (CWRU), located in Cleveland, Ohio, became aware of an infection on more than 100 of its computers. The university was notified by an undisclosed third party, who provided information to help the team find and identify the malware.

CWRU began working with the FBI, who determined that the systems had been infected for several years. Together, CWRU and the FBI were able to identify that an IP address with which the malware was communicating had also been used to access the alumni email account of a man called Phillip Durachinsky.

On January 10 2017, and unaware of this ongoing investigation, Malwarebytes became aware of the Mac version of the malware that would become known as FruitFly. We shared our investigation with Apple, and learned that it was working with the FBI and calling the malware “FruitFly” internally.

On January 25, 2017, Durachinsky was arrested for involvement with the FruitFly malware. On December 7, 2023 – nearly 7 years later – a judge ruled that Durachinsky is incompetent to stand trial.

****Who is Phillip Durachinsky?****

Durachinsky, a resident of northeast Ohio, was seen by his peers as “awkward and eccentric” throughout grade school and college. Despite this, he was active in extracurricular activities. In high school, he participated in a computer club. As a member of the club, he competed in a local programming competition, helping the team to win in both 2005 and 2006. Interviewed by a local newspaper reporter following one of these wins, Durachinsky said, “It’s about teamwork, knowing your strengths and weaknesses to help the team.”

In college at CWRU, he participated in a philosophy club, where he was “interested in the philosophy behind mathematics.” In 2012, as a senior soon to graduate with a physics degree, he worked on a project with faculty member Robert W. Brown regarding nanoparticle behavior, assisting with software to visualize the behavior in 3D.

However, Durachinsky was frequently in trouble for his other computing activities. He was rumored to have hacked into his high school’s computer system, although those rumors were never confirmed. While at CWRU, he was accused of “cracking passwords” on a CWRU network. In an interview following his 2017 arrest, a local law enforcement representative said that Durachinsky was “not unknown to the authorities.”

Initial investigation of the FruitFly malware showed something very interesting: some of the code in the malware was extremely old. There were many references to functions that dated back to the early days of the Macintosh, and that had been deprecated in macOS for years. (This led to Malwarebytes initially using the name “Quimitchin” for the malware, after the name for ancient Aztec spies that infiltrated enemy tribes. This name did not catch on.)

FruitFly included a number of very powerful capabilities, including file exfiltration, screen capture, execution of arbitrary commands, and remote access to the webcam and microphone. The FBI found more than 20 million files collected from victim machines on hardware confiscated from Durachinsky’s home.

According to an FBI Flash document released to affected organizations on March 27, 2017, machines were infected with FruitFly via brute force attacks, using weak passwords or passwords from breaches of other systems. (The latter is referred to as “credential stuffing.”)

> “The attack vector included the scanning and identification of externally facing Mac services to include the Apple Filing Protocol (AFP, port 548), RDP, VNC, SSH (port 22), and Back to My Mac (BTMM), which would be targeted with weak passwords or passwords derived from 3rd party data breaches.”
> 
> FBI Flash

In this manner, thousands of computers were infected over more than a decade.

****Arrest and arraignment****

Apple had been acting as an intermediary, coordinating with both the FBI and Malwarebytes. On January 18, 2017, all three organizations took simultaneous actions. Apple released a security update to protect users against FruitFly, Malwarebytes published a blog post with technical details about the malware, and the FBI knocked on the door of the house linked to the IP address used by the malware. (The IP address was linked to the malware using data collected by CWRU, Malwarebytes, and AT&T.)

The house, as it turned out, was the home of Durachinsky’s parents, who allowed the agents to enter and mentioned that Durachinsky had been in trouble in high school for breaking into his high school’s website and hacking into teachers’ email.

The FBI found a laptop in Durachinsky’s room. When they entered the room, the laptop lid was slightly ajar, and agents were able to see that the cursor was moving – indicating that it was being remotely accessed – and that the control panel for the malware was visible on the screen. Agents disconnected the network router to prevent further remote access, which could have resulted in deletion of evidence. Also found were numerous hard drives.

On January 19, a judge signed a warrant allowing the FBI to examine the contents of the laptop and hard drives. As a result of the evidence found, Durachinsky was arrested on January 25. Following numerous requests by the defense and changes in Durachinsky’s legal representation, he was finally arraigned nearly a year later, on January 19, 2018.

Durachinsky was charged with 16 counts, including accessing and damaging computers without authorization, accessing a non-public government computer without authorization, production of child pornography, three counts of wire fraud, four counts of aggravated identity theft, and five counts of illegal wiretapping.

During the lengthy trial, it was the child pornography charge that seemed to be of most concern to the defense. Repeated attempts were made to evade it, including an attempt to suppress evidence due to claims of improper seizure, an attempt to suppress a confession made by Durachinsky, and an attempt to separate that charge from all the others and try it separately.

****Ruling****

Almost seven years after Durachinsky’s arrest, judge Solomon Oliver ruled that Durachinsky was incompetent to stand trial, by reason of being unable to assist in his own defense due to autism spectrum disorder (ASD). If psychologists determine that his “condition” can be treated to restore his competency, the trial will continue. Otherwise, he will be civilly committed.

Interestingly, although both prosecuting and defense attorneys agree on the competency ruling, Durachinsky himself does not. He has been cited as saying, “I don’t challenge the autism disorder diagnosis, but I disagree with the way this has been prosecuted.”

This ruling has caused some concerns in the information security community. ASD is not something that can be “cured,” though therapy can help to teach people on the spectrum how to improve social and communication skills. This can take years, however.

Some have expressed skepticism about the ruling, arguing that Durachinsky’s activities and public statements suggest that, like many affected by high-functioning ASD, he appears to be fully capable of understanding his situation and knowing the difference between right and wrong.

Others have expressed concerns about how this case has proceeded. Seven years of jail time without ever having been found guilty in a court of law is concerning. Although the evidence seems pretty damning, and it has been fully expected that Durachinsky would be found guilty, the US justice system is supposed to presume a defendant to be innocent until proven guilty.

****What next?****

It’s unclear what’s next for Mr. Durachinsky, but it would seem the saga is not yet over. Presumably he will be – or has been – released from jail, but there’s still the question of civil commitment. It’s unclear exactly what that will mean – whether this would require time in an institution and, if so, for how long. It’s also unclear whether there will be any kind of treatment that the court deems successful at restoring his competency, in which case the trial could resume.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Alleged FruitFly malware creator ruled incompetent to stand trial 

We found a Facebook scam that aims to redirect victims to sites promoting PUPs, adware, or other fraudulent sites.

Facebook scams are a constant nuisance and vary from like-farming to scams that can cost you some serious money. The latest one we found is a bit morbid.

Recently, I’ve seen quite a few posts on my timeline that looked like this:

Without going into details the post says:

> “I can’t believe he’s gone. I’ll miss him so much”

In all the posts I’ve seen, one of my Facebook friends was tagged. When I noticed that happen to two friends that do not know each other, the post did what it was intended to do, trigger my curiosity.

When you follow the posted link, which is a Facebook permalink to a post made by what is probably a compromised account, you’ll see a fake BBC news item about a fatal road accident. The permalink of any post on Facebook is hidden under its time stamp and can be used to share content on or outside of Facebook.

This post features a slightly different text: “I can’t believe this, I’m going to miss him so much”

The BBC news logo in the picture and the BBCNEWS part of the URL are obviously intended to gain your trust, and suggest that it’s safe to play the video.

In reality you will be redirected to the link displayed directly below the movie. We found several variations of that URL. All composed like this “BBCNEWS-{6 characters}.OMH4.XYZ”

Clicking the play button takes you through several redirects, very likely to perform fingerprinting, where sites gather information about your browser, your location, and other sites you’ve visited. The scammers do this to make sure you are redirected to a site that is likely to generate the most profit from people fitting your profile.

During my testing, I was not logged in on Facebook and surfing from a Dutch IP address, I ended up at polo\[.\]thegadgetguru\[.\]club which was unreachable at the time of writing. However, our archives show it’s a known source of pop-ups and has been for at least two years. These pop-ups can lead visitors to potentially unwanted programs, adware, and fraudulent sites.

It’s very likely that changing my IP address to a different location with a VPN and logging in to Facebook will change the outcome of the redirects, but I’m pretty sure none of them will be up to any good.

**How to avoid Facebook scams**

In this case I was able to spot the scam because it made me suspicious that two unrelated friends might be tagged in a similar post. But there are some other pointers to help you spot Facebook scams.

*   Scrutinize URLs closely. Not every scam campaign is sophisticated or difficult to spot. Start with the URL – if it’s obviously not for the website in question then step away.
*   Reach out to friends and family outside of Facebook or Instagram. If you’re not sure if a message is from the person it says it’s from, give them a call or send them a text message to check they really did send it.
*   Be wary of “free” stuff. Sure, free things are nice—but they shouldn’t cost you anything, and that includes your personal details or a small amount of money that you must pay first. If you see a giveaway doing the rounds on Facebook, go to that company’s official webpage to verify it, or give them a call.
*   Update your browser regularly. This keeps new vulnerabilities at bay, and is another layer of protection you can depend on.
*   Change your login credentials if you think your account may be compromised. And if you’ve used the same password on other sites, change them.
*   Install browser protection, like Malwarebytes Browser Guard, which can alert you to scams and other nasties in the browser.
*   If you’ve decided you’ve had it with Facebook you may like this post on how to deactivate or delete your Facebook account.

Report any posts you may find that are suspicious, scammy, illegal, or downright harmful to other Facebook users’ wellbeing. You can find this feature by clicking in the upper right hand corner of the Facebook post in question and picking either “Report post” or “Report photo”.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 “I&#8217;ll miss him so much” Facebook scam uses BBC branding to lure victims 

GitLab has warned about a critical vulnerability that allows an attacker to change passwords without user interaction.

GitLab has issued a warning about a critical vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE). GitLab is an online DevOps platform that allows developers to collaborate on creating software. Organizations have a choice to install GitLab on their own server(s) or under GitLab’s control on GitLab.com.

The vulnerability allows a successful attacker to easily take over users’ accounts without any interaction. To remediate the problem, users of self-managed instances must upgrade to a patched version following the specified upgrade path. Do not skip upgrade stops as this could create instability. GitLab.com is already running the patched version.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. As we can see from the description in the database, the root of the problem is that it’s possible to direct password reset emails to unverified email addresses.

CVE-2023-7028 (CVSS score 10 out of 10): an issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address.

A GitLab account takeover can have serious consequences since the attacker could introduce unsafe code or get access to an organization’s API keys.

The account takeover won’t work if the target has 2FA enabled, since the attacker will not be able to log in if they don’t have control of the second authentication factor.

GitLab supports as a second factor of authentication:

*   Time-based one-time passwords (TOTP). When enabled, GitLab prompts you for a code when you sign in. Codes are generated by your one-time password authenticator (for example, a password manager on one of your devices).
*   WebAuthn devices. You’re prompted to activate your WebAuthn device (usually by pressing a button on it) when you supply your username and password to sign in. This performs secure authentication on your behalf.

Another critical vulnerability is listed as CVE-2023-5356 (CVSS score 9.6 out of 10): incorrect authorization checks in GitLab CE/EE from all versions starting from 8.13 before 16.5.6, all versions starting from 16.6 before 16.6.4, all versions starting from 16.7 before 16.7.2, allows a user to abuse Slack/Mattermost integrations to execute slash commands as another user.

Instructions on how to enable 2FA for GitLab can be found on GitLab docs. Enabling 2FA is recommended, even if you upgrade immediately.

GitLab states it has not detected any abuse of this vulnerability on platforms managed by GitLab, including GitLab.com and GitLab Dedicated instances.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

 GitLab warns zero-click vulnerability could lead to account takeovers 

Fidelity National Financial has suffered a ransomware attack and resulting data breach which involved 1.3 million of its customers' data.

In November 2023, real estate services company Fidelity National Financial (FNF) got its systems knocked offline for a week after a cyberincident.

As is often the case these days, it turns out that the cyberincident was very likely a ransomware attack that included a data breach. Ransomware operators typically steal data from the compromised systems to use as extra leverage against the victim.

The attack on FNF was claimed by ransomware group ALPHV/BlackCat on its leak site. ALPHV is typically in the top five most active ransomware gangs in our monthly ransomware reviews and is one of the most dangerous ransomware groups in the world.

The listing on ALPHV’s leak site has since been removed which might indicate that the ransom was paid. But it could also be another reason: In December 2023, the gang’s infrastructure was taken down by law enforcement. Unfortunately the gang did re-appear soon after.

In a form 8-K, FNF said it had notified applicable state attorneys general and regulators, and approximately 1.3 million potentially impacted consumers. Form 8-K is known as a “current report” and it is the report that companies must file with the SEC to announce major events that shareholders should know about.

The company has not so far specified the type of data that may have been stolen. FNF is providing credit monitoring and identity theft services to affected customers.

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

Source

Malwarebytes