A list of topics we covered in the week of January 8 to January 14 of 2024

January 15, 2024 - Fidelity National Financial has suffered a ransomware attack and resulting data breach which involved 1.3 million of its customers' data.

January 12, 2024 - The FCC wants car makers and wireless providers to make it harder for stalkers to use your car against you.

January 12, 2024 - A vulnerability in the popular Joomla! CMS has been added to CISA's known exploited vulnerabilities catalog.

January 11, 2024 - Several international security agencies are echoing a warning by Ivanti about actively exploited vulnerabilities in its VPN solution.

January 11, 2024 - This month in ransomware: ALPHV and LockBit joining forces?

 A week in security (January 8 &#8211; January 14) 

The FCC wants car makers and wireless providers to make it harder for stalkers to use your car against you.

Most new model cars are not just cars anymore. With multiple digital systems, vehicles are increasingly plugged into web applications and digital processes. Some of them are basically smartphones on wheels.

Even if we assume these new features were all created with your convenience in mind, some of them can have some adverse effects on your privacy, and sometimes even your safety.

Addressing the use of connected cars to stalk, intimidate, and harass survivors of domestic violence, the Federal communications Commission (FCC) has issued a press release calling on carmakers and wireless companies to help ensure the independence and safety of domestic violence survivors.

Chairwoman Jessica Rosenworcel of the FCC said:

> “No survivor of domestic violence and abuse should have to choose between giving up their car and allowing themselves to be stalked and harmed by those who can access its data and connectivity.”

We have previously talked about cars spying on you, and the poor privacy policies that allow manufacturers to sell the data they gather for targeted advertising. We have also written about a federal judge that ruled it’s fine for car makers to intercept your text messages. But those are privacy concerns. Valid and serious, but on a different level from running the risk of being harassed by a jealous ex.

For readers focused on the privacy issues of connected cars, we can recommend the Mozilla report It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy. And when you are parting with a car in the US, you may want to look at the Privacy4Cars app that can provide a Vehicle Privacy Report and claims to be able to delete your data. You will need your Vehicle Identification Number (VIN).

The FCC also asked wireless service providers (AT&T, T-Mobile and Verizon) to describe their partnerships with car manufacturers, seeking information on how the wireless providers work with them and what their policies are for handling geolocation data provided by car manufacturers.

The FCC press release includes statistics showing that more than 12 million people each year are the victims of rape, physical violence, and stalking.

**Tips to keep a stalker from tracking your car**

Not all cars offer these options, and the tips may not apply to your situation, but here are some general tips for people that are afraid they are the target of a stalker:

*   Use the navigation app on your phone, rather than the one built into your car.
*   Do not store places you visit regularly in the car’s navigation.
*   Consider using a VPN when you connect to your car’s hotspot.
*   Find out which devices can access the car or its location data by using any “remote access” apps for the car and remove the devices that are not under your control.
*   Familiarize yourself with the car manufacturer’s privacy policy so you know where your data might be sent. To give you an idea, data might end up with advertisers, law enforcement, service providers, the car manufacturer and its dealers, tech giants like Apple, Google, and Amazon, connected service providers, and government agencies.
*   Keep the software updated to make sure your car is equipped with the latest protection against potential intrusions.
*   If the suspected stalker has been near your vehicle, inspect it thoroughly for trackers and other unfamiliar hardware.
*   Try not to travel alone and always park in a well-lit, busy area if you are concerned about your physical safety.
*   If you have a dashcam that uses cloud storage, check who has access to the images. They can be used to track your movements.

**We don’t just report on privacy—we offer you the option to use it.**

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

 FCC wants cars to make life harder for stalkers 

A vulnerability in the popular Joomla! CMS has been added to CISA's known exploited vulnerabilities catalog.

The Cybersecurity and Infrastructure Security Agency (CISA) has added a vulnerability for the Joomla! Content Management System (CMS) to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

This means that Federal Civilian Executive Branch (FCEB) agencies need to remediate this vulnerability by January 29, 2024 in order to protect their devices against active threats.

Joomla! is an open-source CMS that’s been around since 2005, and has been one of the most popular CMS platforms by market share for much of that time. Many companies, from small outfits to large enterprises, use a CMS in some form to manage their websites. There are lots of advantages to using a popular CMS, but if you do you need to keep an eye out for updates.

Take for example the vulnerability that has been added to the CISA catalog: CVE-2023-23752 was reported, and a fix was created in February 2023. But here we are, active exploitation is upon us.

The vulnerability allows a successful attacker to access an application programming interface (API) through which they can obtain Joomla-related configuration information. The attacker has to construct specially crafted requests, which can eventually lead to the disclosure of sensitive information.

The vulnerability is the result of an improper access check that allows unauthorized access to webservice endpoints that exist in Joomla! versions 4.0.0-4.2.7.

If the database is exposed publicly, the attacker can change the Joomla! Super User’s password. After which the attacker can log in to the administrative web interface and modify a Joomla! template to include a web shell, or install a malicious plugin, giving themselves the ability execute code remotely.

But even if the database is not exposed publicly, exploitation can be used to get the Joomla! user database (usernames, emails, assigned group). This could open up options for credential stuffing. Credential stuffing is a special type of password attack that exploits password reuse by using username and password combinations found on one service to log in to other, unrelated services.

Users are advised to upgrade their CMS to version 4.2.8 or later. The latest version (5.0.1 at the moment of writing) and upgrade packages can be downloaded here.

**Secure your CMS**

There are a few obvious and easy-to-remember rules to keep in mind if you want to use a CMS without compromising your security. They are as follows:

*   Choose a CMS that actively looks for and fixes security vulnerabilities.
*   If it has a mailing list for informing users about patches, join it.
*   Enable automatic updates if the CMS supports them.
*   Use the fewest number of plugins you can, and do your due diligence on the ones you use.
*   Keep track of the changes made to your site and its source code.
*   Secure accounts with two-factor authentication (2FA).
*   Give users the minimum access rights they need to do their job.
*   Limit file uploads to exclude code and executable files, and monitor them closely.
*   Use a Web Application Firewall (WAF).

If your CMS is hosted on your own servers, be aware of the dangers that this setup brings and keep it separated from other parts of your network.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

 Joomla! vulnerability is being actively exploited 

Several international security agencies are echoing a warning by Ivanti about actively exploited vulnerabilities in its VPN solution.

Software vendor Ivanti has warned customers about two actively exploited vulnerabilities in all supported versions of Ivanti Connect Secure and Ivanti Policy Secure Gateways. Successful exploitation would give an attacker the ability to run arbitrary code on Ivanti’s Virtual Private Network (VPN) system.

The warning is echoed by several international security agencies like CISA and the German BSI. Both are flagging active exploitation of these two chained vulnerabilities. Ivanti Connect Secure is a widely used VPN solution that allows users to connect to their organization’s network.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs mentioned in these reports are:

CVE-2023-46805 (CVSS score 8.2 out of 10): an authentication bypass vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure, which allows a remote attacker to access restricted resources by bypassing control checks.

CVE-2024-21887 (CVSS score 9.1 out of 10): A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.

Ivanti Neurons for Secure Access is not vulnerable to these CVEs. However, the gateways being managed are independently vulnerable to them.

After attackers have used the authentication bypass to authenticate as an administrator they are able to install webshells on the VPN system to gain persistence, allowing them to execute commands on the compromised devices.

Active exploitation has been seen as far back as December 3, 2023. These attackers erased log files and turned logging off on the compromised system. Besides that, they had stolen configuration files, altered existing files, dropped remote files, and established a reverse tunnel allowing them unrestricted access.

One of the dropped files contained a JavaScript that stole the credentials of users that logged in, which could also be used for lateral movement.

**Mitigation**

Patches will be released on a schedule based on versions, with the first coming out in the week of January 22. The last version will come out the week of February 19.

> “We are releasing patches based upon telemetry information available to us from current installed solutions that notify us of the version number they are running. We are releasing patches for the highest number of installs first and then continuing in declining order.”

Until then, customers are under advice to apply a workaround and monitor their network traffic for suspicious activity and analyze the logs on their Connect Secure device.

The workaround requires importing a mitigation.release.20240107.1.xml file which can be obtained via the download portal (login required). The XML file is in the zipped format, so you’ll need to unzip and then import the XML file.

*   Navigate to **Maintenance** > **Import/Export** > **Import XML**
*   Use the **Browse** button to point to the unzipped XML file
*   Click the **Import** Button

Import of this XML into any one node of a Cluster is enough. A FAQ and more detailed instructions can be found in the Ivanti advisory article.

It is important to note that applying the workaround or a patch, when they are made available, is not enough to undo the effects of an attack. If you see signs that your instances have been compromised you should investigate or hire a specialized investigator to find out what the attackers may have obtained and what needs to be done to regain the required safety level.

CISA has added CVE-2023-46805 and CVE-2024-21887 to its Known Exploited Vulnerabilities Catalog, which requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by January 21, 2024 to protect FCEB networks against active threats.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

 Act now! Ivanti vulnerabilities are being actively exploited 

This month in ransomware: ALPHV and LockBit joining forces?

_This article is based on research by Marcelo Rivero, Malwarebytes’ ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, “known attacks” are those where the victim **did not** pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher._

In December, the ransomware scene saw 334 attacks, with the ALPHV shutdown saga continuing to grab the spotlight. In last month’s review, when we wrote about ALPHV’s infrastructure going offline, there was widespread speculation about law enforcement involvement, but no concrete evidence to confirm this. Now, the picture is becoming clearer. 

The previous theories about hardware failures within ALPHV are now overshadowed by the confirmed law enforcement action: recent updates revealed that the FBI played a pivotal role in disrupting ALPHV’s operations. This intervention led to the seizure of their URLs and enabled the recovery of decryption keys for many victims. 

The FBI’s recent operation against ALPHV has been a game-changer, not only disrupting the group’s activities but also denting their reputation in the cybercriminal community. The ripple effects? ALPHV affiliates are showing signs of mistrust, with some resorting to direct victim contact via email, and others shifting alliances to rival groups like LockBit. 

Adding to the intrigue, there’s talk of an emerging “cartel” between LockBit and ALPHV, according to messages on the dark web forums. This potential alliance could mark a new era in ransomware operations, where rivals look to pool resources and expertise in response to increasing law enforcement pressure. 

Known ransomware attacks by gang, December 2023

Known ransomware attacks by country, December 2023

Known ransomware attacks by industry, December 2023

In other news, LockBit’s attack on Capital Health last month was starkly reminiscent of events from a year prior. In December 2022, LockBit audaciously targeted SickKids (a hospital for sick children), impacting the hospital’s internal and corporate systems, phone lines, and website. Back then, LockBit’s unexpected apology for the hospital attack—blamed on a rogue affiliate, and self-forgiven with a free decryptor—was a rare moment of contrition in the otherwise ruthless world of cybercrime. 

Fast forward to December 2023, and the echoes of LockBit’s past actions were resonate.  

Despite their previous promises and operational policies against targeting healthcare institutions, LockBit has claimed the recent attack on Capital Health. And even though the gang claims they did not encrypt the hospital’s files, that didn’t leave the hospital unharmed.  

As we wrote recently:  

“\[The\] hospitals and physicians’ offices experienced IT outages that forced them to resort to emergency protocols designed for system outages. Several surgeries were moved to later dates and outpatient radiology appointments were canceled.” 

Or what ransomware gangs probably call a classic case of “no encryption, no problem” for creating havoc. 

This juxtaposition of LockBit’s 2022 apology with their ongoing aggressive actions in 2023 highlighted the duplicity inherent in the ransomware landscape. LockBit’s activities served as a sobering reminder that despite occasional gestures that seem to indicate restraint or remorse, the fundamental nature of ransomware operations remains unchanged—driven by disruption, data theft, and financial gain at the expense of vulnerable targets, including critical healthcare services. 

More broadly speaking, December saw a continuation of an unnerving trend of healthcare sector attacks we touched upon in last month’s review, with disruptive attacks on Massachusetts-based Anna Jaques Hospital and Liberty Hospital in Missouri. In a sector where timing and information can be a matter of life and death, such disruptions are more than mere inconveniences; they are potentially life-threatening. 

**New ransomware gangs****DragonForce**

DragonForce is a new ransomware gang that published 21 victims to their leak site last month, including a significant attack on the Ohio Lottery on Christmas Eve. In that attack, the group claims to have encrypted devices and stolen sensitive data amounting to over 600GB. including personal information of Ohio Lottery customers and employees.

While details about DragonForce are limited, their Ohio Lottery attack and their sophisticated negotiation methods suggest that DragonForce might be a rebranded version of a previous gang.

DragonForce leak site

**WereWolves**

WereWolves is a new ransomware group that posted 15 victims last month across various countries, including Russia, the USA, and parts of Europe. WereWolves is unusual for targeting Russian entities and employs a variant of LockBit3 ransomware in its attacks. They are known to target a range of sectors, with a particular focus on large-scale businesses. 

WereWolves leak site

**Preventing Ransomware**

Fighting off ransomware gangs requires a layered security strategy. Technology that preemptively keeps gangs out of your systems is great—but it’s not enough.

Ransomware attackers target the easiest entry points: an example chain might be that they first try phishing emails, then open RDP ports, and if those are secured, they’ll exploit unpatched vulnerabilities. Multi-layered security is about making infiltration progressively harder and detecting those who do get through.

Technologies like Endpoint Protection (EP) and Vulnerability and Patch Management (VPM) are vital first defenses, reducing breach likelihood.

The key point, though, is to assume that motivated gangs will eventually breach defenses. Endpoint Detection and Response (EDR) is crucial for finding and removing threats before damage occurs. And if a breach does happen—choose an EDR solution with ransomware rollback to undo changes and restore files.

****How ThreatDown Addresses Ransomware** **

ThreatDown Bundles take a comprehensive approach to ransomware. Our integrated solutions combine EP, VPM, and EDR technologies, tailored to your organization’s specific needs, including:  

*   Advanced Web Protection: Blocking phishing websites ransomware gangs use for initial access. 
*   RDP Shield: Securing remote access points with Brute Force Protection. 
*   Continuous Vulnerability Scanning and Patch Management: Identifying and patching weaknesses before ransomware gangs can exploit them. 
*   Sophisticated EDR: Detecting and neutralizing advanced threats such as LockBit within the network. 
*   Ransomware Rollback: Reversing the impact of any successful attacks. 

ThreatDown EDR detecting LockBit ransomware 

ThreatDown automatically quarantining LockBit ransomware 

For resource-constrained organizations, select ThreatDown bundles offer Managed Detection and Response (MDR) services, providing expert monitoring and swift threat response to ransomware attacks—without the need for large in-house cybersecurity teams. 

Try ThreatDown bundles today

 Ransomware review: January 2024 

Several info-stealers have incorporated an exploit that allows them to gain permanent access to your Google account

Hackers have found a way to gain unauthorized access to Google accounts, bypassing any multi-factor authentication (MFA) the user may have set up. To do this they steal authentication cookies and then extend their lifespan. It doesn’t even help if the owner of the account changes their password.

Since the discovery of the exploit, numerous white and black hat security researchers have looked into and discussed the issue. As a result, the exploit is now built into various information stealers.

Cookies are used to track users across websites and remember information about their visit. Authentication cookies are in essence pieces of data that the browser sends to a site to identify the user and check whether they are logged in. Usually these cookies have an expiration date after which the user will be asked to log in.

Persistent cookies enable a continuous access to Google services, even after the user resets their password. This exploit allows the generation of persistent Google cookies by using a Google Application Programming Interface (API) designed for synchronizing accounts across different Google services to bring back to life expired authentication cookies.

A Google account provides access to Google services like Gmail, Google Calendar, and Google Maps, but also Google Ads and YouTube.

In a statement Google responded:

> “We routinely upgrade our defenses against such techniques and to secure users who fall victim to malware. In this instance, Google has taken action to secure any compromised accounts detected.”

However, some info stealers have reportedly already been updated to counter Google’s fraud detection measures.

Sources familiar with this issue have told BleepingComputer that Google believes the API is working as intended and and that no vulnerability is being exploited by the malware, which implies that Google isn’t working on a more permanent fix for this problem.

**Review devices**

To check whether someone has accessed your account, you can view which computers, phones, or other devices that were signed in to your Google Account recently.

1.  Go to your Google Account.
2.  On the left navigation panel, select **Security** .
3.  On the _Your devices_ panel, select **Manage all devices**.
4.  You’ll see devices where you’re currently signed in to your Google Account or have been in the last few weeks. For more details, select a device or a session.
5.  Devices or sessions where you’re signed out will have a “Signed out” indication.
6.  If multiple sessions appear for the same device type, they might all be on one device or multiple devices. Review their details, and if you’re not sure all the sessions are from your devices, sign out on them.

**Remediate**

If you think your account has been compromised, you will have to sign out of all browsers to invalidate the current session tokens and then reset your password. Next you will need to sign back in to generate new tokens. Only this stops the unauthorized access because it invalidates the old tokens.

The steps outlined below are for administrators who manage Google Accounts for a company, school, or other group. As an administrator, you can sign a user out of a managed Google Account, such as Google Workspace or Cloud Identity.

To reset a user’s sign-in cookies:

1.  Sign in to your Google Admin console. Sign in using an _administrator account_, not your current account.
2.  In the Admin console, go to **Menu** > **Directory > Users**.
3.  In the **Users** list, find the user. If you need help, go to Find a user account.
4.  Click the user’s name to open the user’s account page.
5.  Click **Security > Sign-in cookies > Reset**.

What might help stop this abuse is if Google speeds up the announced end of tracking cookies. Obviously, we think it’s best to keep these information stealers off your computer.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Info-stealers can steal cookies for permanent access to your Google account 

Mac users should be aware of an active distribution campaign via malicious ads delivering Atomic Stealer. The latest iteration of the malware is stealthy thanks to added encryption and obfuscation of its code.

Last year, we documented malware distribution campaigns both via malvertising and compromised sites delivering Atomic Stealer (AMOS) onto Mac users. This stealer has proven to be quite popular in the criminal underground and its developers have been adding new features to justify its hefty $3000/month rental fee.

It looks like Atomic Stealer was updated around mid to late December 2023, where its developers introduced payload encryption in an effort to bypass detection rules. Some samples from crack websites made their way to VirusTotal around that time frame, followed by a malvertising campaign we observed in January 2024.

In this blog post, we will review the latest changes with Atomic Stealer and the recent distribution with malicious ads via the Google search engine.

In December, Atomic Stealer ran a promotion via a post on their Telegram channel to offer a special holiday discount to their customers:

> Welcome. From today until December 31, 2023, the price for a subscription to Atomic MacOs Stealer is only $2000 . Happy New Year!

While the developers did not specifically advertise this feature, it appears that around December 17 Atomic Stealer had changed some of its code to hide certain strings that were previously used for detection and identifying its command and control server.

Sample with strings in clear text (Dec 12), showing for example the IP address for the malware’s C2 server:

Obfuscated sample (Dec 17), using a new encryption routine that hides strings of interest:

Those two samples above also represent the different distribution channels that Atomic Stealer customers are using to distribute the malware. It’s possible customers using software cracks got access to the update Atomic Stealer before those that leverage malicious ads.

In fact, during the holiday break, we noticed a decrease in malvertising activity, in particular for the campaigns running via Google search ads. This was somewhat expected and typically extends into early January. However, on January 8, we identified a malvertising campaign using similar tactics seen previously by threat actors distributing FakeBat. In this instance, there was also a payload destined for Mac users, Atomic Stealer in its updated version.

**Malvertising with FakeBat – Atomic Stealer combo**

The threat actors are luring victims via a Google search ad impersonating Slack, the popular communication tool, and redirecting them to a decoy website where the app can be downloaded for both Windows and Mac:

The threat actors are leveraging tracking templates to filter traffic and route it through a few redirects before loading the landing page:

On that same domain, there is an open directory showing the location of the Windows payload which is an MSI installer (FakeBat), and the Mac one, Atomic Stealer (AMOS):

**Obfuscated Atomic Stealer**

The malicious DMG file contains instructions for users to open the file as well as a dialog window asking them to enter their system password. This will allow Atomic Stealer to collect passwords and other sensitive files that are typically access-restricted.

When comparing the previous Atomic Stealer samples we have, we can see that the application code has changed. Previously, we could see certain strings revealing the nature of the payload (browsers, wallets, etc.) and more importantly the command and control server that receives stolen user data. Now, these strings are no longer visible as the code is well obfuscated:

When we analyzed this sample in a sandbox we saw the data exfiltration taking place and the corresponding C2 server:

**Stealing victim passwords, crypto wallets and cookies**

As detailed in Objective-See’s The Mac Malware of 2023, stealers were the most popular type of malware. It’s not just passwords that are of interest to cyber criminals. Stealing browser cookies can sometimes be even better than having the victim’s password, enabling authentication into accounts via session tokens.

In fact, Atomic Stealer developers were working on a cookie feature they announced on Christmas Eve:

> Hi everyone, the panel has released an update with a new feature – Google Restore, it is located instead of the old page Cookies Convertor. In brief – implemented anti-unlogin Google.

As stealers continue to be a top threat for Mac users, it is important to download software from trusted locations. Malicious ads and decoy sites can be very misleading though and it only takes a single mistake (entering your password) for the malware to collect and exfiltrate your data.

We have reported the malicious ad and infrastructure to the respective parties for mitigation.

To stay safe from this and other similar threats, a combination of web protection and antivirus is best suited. Malwarebytes Browser Guard and Antivirus for macOS can prevent and detect Atomic Stealer.

**Indicators of Compromise**

Malvertising chain

ivchlo\[.\]gotrackier\[.\]com  
red\[.\]seecho\[.\]net

Decoy site

slack\[.\]trialap\[.\]com

FakeBat payload URL

slack\[.\]trialap\[.\]com/app/Slack-x86.msix

FakeBat hash

49f12d913ad19d4608c1596cf24e7b6fff14975418f09e2c1ad37f231943fda3

FakeBat C2

ads-strong\[.\]online

Atomic Stealer payload URL

slack\[.\]trialap\[.\]com/app/Slack-Apps.dmg

Atomic Stealer hash

18bc97e3f68864845c719754d2d667bb03f754f6e87428e33f9c763a8e6a704a

C2

5.42.65\[.\]108

 Atomic Stealer rings in the new year with updated version 

Microsoft's patch Tuesday roundup looks like a relatively quiet one. Unless your organization uses FBX files.

Microsoft has issued patches for 48 security vulnerabilities in the first Patch Tuesday of 2024. With a relatively low number of patches—and only two of them critical—this makes it a relatively quiet month, which is certainly not the norm in January.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVE IDs for the two critical vulnerabilities are:

CVE-2024-20674 is a Windows Kerberos security feature bypass vulnerability with a CVSS score of 9.0 out of 10. An authenticated attacker could exploit this vulnerability by establishing a machine-in-the-middle (MITM) attack or other local network spoofing technique, then sending a malicious Kerberos message to the client victim machine to spoof itself as the Kerberos authentication server.

Kerberos is an authentication protocol that is used to verify the identity of a user or host. To make use of this vulnerability the attacker will need to gain access to the restricted network before being able to run an attack. Nevertheless Microsoft thinks exploitation is “more likely,” which means the vulnerability could be exploited as part of an attack chain.

CVE-2024-20700 is a Windows Hyper-V Remote Code Execution (RCE) vulnerability with a CVSS score of 7.5 out of 10. Successful exploitation of this vulnerability might be hard because it requires an attacker to win a race condition and they will need to first gain access to the restricted network before running an attack.

Hyper-V is the Windows hardware virtualization service. It enables users to create and run a software version of a computer, called a virtual machine. Sometimes these virtual machines are attractive targets for cybercriminals. But the advisory is not very clear on the exact circumstances or context that would allow the RCE.

One other vulnerability, classified as important, that might turn out to be of interest, at least for some users, is:

CVE-2024-20677 is a Microsoft Office Remote Code Execution (RCE) vulnerability with a CVSS score of 7.8 out of 10. The security vulnerability exists in FBX that could lead to remote code execution. To mitigate this vulnerability, the ability to insert FBX files has been disabled in Word, Excel, PowerPoint and Outlook for Windows and Mac. Versions of Office that had this feature enabled will no longer have access to it. This includes Office 2019, Office 2021, Office LTSC for Mac 2021, and Microsoft 365.

FBX files are a type of 3D model file created using the Autodesk FBX software. When you try to insert an FBX file into Word, Excel, PowerPoint, and Outlook, you will see the following error: “An error occurred while importing this file.” If you’d like to re-enable this ability, you can find the reasons why you shouldn’t and the method how to do it on this Microsoft Support page.

**Other vendors**

Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.

*   Adobe released a patch addressing six CVEs in Substance 3D Stager.
*   Google published the Android Security Bulletin for January 2024.
*   Fortinet has released a security update to address a vulnerability in FortiOS and FortiProxy software.
*   SAP has released its January 2024 Patch Day updates.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

 Patch now! First patch Tuesday of 2024 is here 

The US Securities and Exchange Commission's X account was compromised to take advantage of an expected Bitcoin ETFs announcement.

We have seen several high-profile accounts that were taken over on X (formerly Twitter) only to be used for cryptocurrency related promotional activities, like expressing the approval of exchange-traded funds (ETFs).

The latest victim in this line-up is the Securities and Exchange Commission (SEC).

> The @SECGov X account was compromised, and an unauthorized post was posted. The SEC has not approved the listing and trading of spot bitcoin exchange-traded products.
> 
> — U.S. Securities and Exchange Commission (@SECGov) January 9, 2024

The unauthorized post (which was removed within 30 minutes) looked like this:

The post says:

> “Today the SEC grants approval to Bitcoin ETFs for listing on registered national security exchanges.
> 
> The approved Bitcoin ETFs will be subject to ongoing surveillance and compliance measures to ensure continued investor protection.”

The hack appears to have been designed to take advantage of anticipation around an imminent annoncement by US regulators about Bitcoin Exchange Traded Funds (ETFs). ETFs are financial products that allow investors to buy commodities like gold or Bitcoin as if they are shares. A spot Bitcoin ETF will buy the cryptocurrency directly, “on the spot”, at its current price, throughout the day. The approval would mark a key milestone for the cryptocurrency market in gaining acceptance to mainstream financial markets.

Even though the false tweet only had a short life-span it caused a $2,000 spike in Bitcoin exchanges rates. Someone knowing this was going to happen could have made a significant profit.

In a statement the SEC said:

> “That unauthorized access has been terminated. The SEC will work with law enforcement and our partners across government to investigate the matter and determine appropriate next steps relating to both the unauthorized access and any related misconduct.”

Based on a preliminary probe, X confirmed that the SEC account had been compromised and it found that it was not due to a breach of the social media platform’s systems.

According to X, an unidentified individual was able to obtain control over a phone number associated with the @SECGov account through a third party. This would suggest the compromise was the result of a SIM swapping attack, where an attacker takes control of a phone number by convincing a mobile carrier to transfer the victim’s phone number to a SIM card they own.

With this control they can intercept messages, two-factor authentication (2FA) codes, and eventually reset passwords of the account the number has control over. Although apparently the SEC did not have 2FA enabled for its X account!

**Secure your X account**

Although any form of 2FA is better than none, all forms of 2FA are not equally secure. SMS-based 2FA is vulnerable to SIM swapping and if you can avoid it, we suggest you do. X offers other options like an authentication app and a security key.

To change your 2FA factor in X click on **More**

Select **Settings and Support** > **Settings and Privacy** > **Security and Account access**

Click **Security** > **Two-factor authentication** and put a checkmark in your preferred option.

You will be prompted to enter your X password and click Confirm. From there, follow the instructions in the prompts. Since not many people have security keys, I’ll continue with the Authentication app instructions.

*   Click **Get started**
*   Open your preferred authentication app and add the X account to the app. Usually this is as simple as scanning the QR code.
*   You’ll be prompted to enter the authentication code shown by the app.

You’re all set. Store the displayed backup code in a safe place in case you need it.

You’ll receive a confirmation mail at the address associated with the account.

And if you see tweets from an account about cryptocurrencies, NFTs, ETFs or other financial news that you would not expect from that account, keep a ten foot pole between you and what they are linking to.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

 SEC X account hacked to hawk crypto-scams 

Dive more into how ThreatDown performed in G2 Winter 2024.

The peer-to-peer review source G2 has released its Winter 2024 reports, ranking ThreatDown products on top across several Endpoint Detection and Response (EDR) and Managed Detection and Response (MDR) categories. 

Based on verified customer reviews, ThreatDown EDR was voted a Leader in the overall and mid-market grid reports for EDR, winning awards for Most Implementable, Fastest Implementation, Easiest Admin, Best Usability, and more. ThreatDown MDR also won awards for Ease of Use, Highest User Adoption, and more. 

Let’s dive more into how ThreatDown performed in G2 Winter 2024 and look at quotes from IT professionals using ThreatDown solutions daily.  

**EDR that brings down complexity **

Endpoint Detection and Response (EDR) systems are grappling with significant complexities. Deployment challenges delay ROI and increase vulnerability to breaches. A lack of integrated tools in EDR necessitates additional platforms, creating operational and security gaps. Additionally, everyday management burdens, like alert overload, strain small IT teams and reduce productivity. 

Feedback from real users said ThreatDown EDR is the most user-friendly EDR solution available in the Mid-market Usability Index, with a Usability Score that surpasses the average across all other vendors. 

ThreatDown EDR deploys within minutes, featuring a lightweight endpoint agent, robust integrations, and an intuitive cloud-native management console. 

Dashboard view of ThreatDown Nebula console, featuring Security Advisor. 

> “The Nebula console is one of the most user-friendly interfaces we’ve come across. We can’t recommend it enough.” 
> 
> Justin N.  

> “Malwarebytes makes it simple to deploy. Additionally, the user interface has minimal impact on the end-user, so \[it’s\] win-win. Support are happy to help when you do hit the occasional bump and the portal is easy to use and very responsive.” 
> 
> John K. 

**Fastest to Implement EDR **

Malwarebytes EDR proudly holds the #1 spot on the mid-market Implementation Index. Our industry-leading ‘ease of setup’ and ‘implemention time’ won us the Most Implementable and Fastest Implementation awards for this category. 

With the average deployment timeline for traditional EDRs stretching up to 18 months for small security teams, a swifter solution means faster protection and resource savings. 

Smaller teams can’t afford extensive learning curves, which is why they prioritize implementation costs (50 percent) in their endpoint security more than anything else. (Global Surveyz)  

ThreatDown EDR, the cornerstone of most ThreatDown Bundles, takes the complexity out of EDR deployment with an average time to become fully operational that is two times shorter than the industry average. 

You can distribute the ThreatDown Endpoint Agent to endpoints either manually to each user or automatically via network-wide remote deployment tools. 

> “If you are purchasing Malwarebytes, then you have made the correct choice. You will quickly see how easy it is to implement, and how great their support is.” 
> 
> Mauro B. 

> “Very easy to install and deploy, setup, and configure – for instance – a 5 machine setup would take roughly ~10 mins from start to finish.” 
> 
> Verified User 

> “Easy to use and implement, along with great support and support tools at your disposal, along with courses to help you become more familiar with the inner workings.” 
> 
> Doug C. 

**MDR with the Highest User Adoption **

ThreatDown MDR placed on multiple reports for G2 Winter 2023 reports, winning awards for “Ease of Use,” “Highest User Adoption,” “Easiest to do Business With,” “Easiest Admin,” and “Easiest to Use.” 

ThreatDown MDR provides powerful and affordable threat detection and remediation services with rapid set-up and 24×7 monitoring and investigations. Our top-tier MDR analysts protect your organization from cyberthreats through accelerated threat detection and response to incidents—allowing you to focus on growing your business. 

> “Malwarebytes MDR is simple to deploy and manage. They increase our security posture, meet cyber security insurance requirements, and make a great partner to augment my small IT team.” 
> 
> Steve S.  

> “We wanted to extend our SOC team with MDR services, and that has always been our vision with Malwarebytes since we look at the company as a partner, rather than a vendor. Malwarebytes MDR enables us to meet the need for 24 x7 coverage with professional security experts who work in the industry every day.” 
> 
> Matthew Verniere, Richards Building Supply 

> “Cyber threats are 24/7, and my team needs to sleep. The MDR team watching our network around-the-clock gives us a chance to sleep without worry. With Malwarebytes MDR backing us up, I also finally got to step away and take a two-week vacation. I’m just glad to know that we have a security team watching over our shoulder and making sure it’s all clear.” 
> 
> Dennis Davis, IT Systems Manager, Drummond 

**Experience ThreatDown bundles: Award-winning ROI, user-friendly, and effective threat defense  **

ThreatDown provides IT staff with award-winning business solutions, offering unmatched threat protection, a lightning-fast return on investment, and smooth, speedy implementation.  

Try ThreatDown Bundles today and join the ranks of those who have already discovered amazing results, best-in-class support, strong ROI—and more—of top-rated cybersecurity solutions.  

**Get a custom quote**