Apple has released new security updates for several products including a patch for a zero-day vulnerability which may have been exploited.

Apple has released new security updates for several products, including a patch for a zero-day vulnerability that could impact iPhones, iPad, Macs, and Apple TVs.

Apple says it’s aware of a report that the bug may have been exploited already. Further details about the nature of the vulnerability were not disclosed to give users enough time to install the updates.

The updates may already have reached you if you automatically update, but it doesn’t hurt to check you’re on the latest version.

If a Safari update is available for your device, you can get it by updating your iPhone or iPad or updating your Mac.

Updates are available for:

Safari 17.3

macOS Monterey and macOS Ventura

iOS 17.3 and iPadOS 17.3

iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

iOS 16.7.5 and iPadOS 16.7.5

iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation

iOS 15.8.1 and iPadOS 15.8.1

iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

macOS Sonoma 14.3

macOS Sonoma

macOS Ventura 13.6.4

macOS Ventura

macOS Monterey 12.7.3

macOS Monterey

watchOS 10.3

Apple Watch Series 4 and later

tvOS 17.3

Apple TV HD and Apple TV 4K (all models)

**Technical details**

The zero-day vulnerability is listed as CVE-2024-23222: a type confusion issue in WebKit that was addressed with improved checks. This issue is fixed in tvOS 17.3, iOS 17.3 and iPadOS 17.3, macOS Sonoma 14.3, iOS 16.7.5 and iPadOS 16.7.5, Safari 17.3, macOS Ventura 13.6.4, macOS Monterey 12.7.3. Processing maliciously crafted web content may lead to arbitrary code execution.

Type confusion can occur in interpreted languages such as JavaScript and PHP, which use dynamic typing. In dynamic typing, the type of a variable is determined and updated at runtime, as opposed to being set at compile-time in a statically typed language. A type confusion vulnerability means an attacker has the opportunity to change the type of a given variable in order to trigger unintended behavior.

Several other vulnerabilities in WebKit, which is the browser engine that powers Safari and other apps, were patched as well.

**CISA**

The Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. This means Federal Civilian Executive Branch (FCEB) agencies need to remediate this vulnerability by February 13, 2024 in order to protect their devices against active threats.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Update now! Apple releases patch for zero-day vulnerability 

Security researchers have discovered billions of exposed records online, calling it the "mother of all breaches". Check what data of yours has been exposed online with our free tool.

Security researchers have discovered billions of exposed records online, calling it the “mother of all breaches”.

However, the dataset doesn’t seem to be from one single data breach, but more a compilation of multiple breaches. These sets are often created by data enrichment companies. Data enrichment is the process of combining first party data from internal sources with disparate data from other internal systems or third party data from external sources. Enriched data is a valuable asset for any organization because it becomes more useful and insightful.

The researchers stated:

> “While the team identified over 26 billion records, duplicates are also highly likely. However, the leaked data contains far more information than just credentials – most of the exposed data is sensitive and, therefore, valuable for malicious actors.”

In other news about leaked personal data, a cybercriminal going by the name of “emo” claims they have 15 million unique records of project management tool Trello accounts for sale.

Trello is used by many organizations, so it understandably raised some concerns.

Atlassian, the company that runs Trello, however denies there has been a breach. It seems as if someone has used a large collection of email addresses and tested it against Trello.

This brings us to the question: when do you call a giant leak of personal information a breach, and when don’t you?

A definition of a breach that makes sense to me is this one:

> “A breach is an incident where data is inadvertently exposed in a vulnerable system, usually due to insufficient access controls or security weaknesses in the software.”

So you might say that exposing of billions of records was a breach because it is unlikely the instance was left open on purpose. After all, that amount of data can be sold for a pretty penny.

And Atlassian can safely say it was not breached, since the criminals used an existing feature. Maybe in larger numbers than intended, but why admit you shouldn’t have allowed it?

Some people will say that a data breach can only be the result of a hack and everything else is a leak. If you look at it that way, neither one of the datasets came from a breach. One set was stumbled upon and the other was created by using a legitimate API.

But to those affected the end result is pretty much the same whether your data was leaked in a breach, accumulated by scraping, or gathered by a data enrichment company. Your information is out there in the open for every cybercriminal to use at their perusal.

If you want to find out if your data is exposed online, you can try our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a report.

You might be surprised. Remember though that it’s not embarrassing to you if your email address was found in a breach, but it is good to know if it was and where a password may have been included.

If the passwords it throws up at you look familiar, it would be a good idea to change the password where you’ve used it, enable 2FA, and check if it’s been re-used for other accounts.

Scammers are very good at using information found in breaches in social engineering attacks. Even the fact that your data may have been leaked in a breach is something scammers will readily use to launch a phishing attack and see what more they can find out from you.

Last year, over **2,000** companies and government entities reported data breaches impacting over **400** million personal accounts. Set up Identity Monitoring to get alerts whenever your data is exposed in a new breach.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

 &#8220;The mother of all breaches&#8221;: 26 billion records found online 

Microsoft has acknowledged a cyberattack by Russians state sponsored group Cozy Bear who, it says, was looking how much information Microsoft holds about Cozy Bear.

In a spy-vs-spy type of scenario, Microsoft has acknowledged that a group called Midnight Blizzard (also known as APT29 or Cozy Bear), gained access to a Microsoft legacy non-production test tenant account.

According to Microsoft, the group managed to access the account in November after subjecting it to a password spray attack, a type of brute force attack where the attacker tries a large amount of logins until they succeed. The group used this foothold to access some of Microsoft’s corporate email accounts and steal some emails and attached documents.

Cozy Bear, who is generally linked to the Russian Foreign Intelligence Service, also known as the SVR, appears to have been curious to find out what information Microsoft had gathered about it. Cozy Bear is generally believed to be behind the SolarWinds attack and attacks on several US institutions, including the State Department, the White House, and the DNC. On all these occasions, the Dutch alerted the US intelligence services.

Microsoft’s investigation about the attack showed that the group was not after customer data or corporate information, but instead something closer to home:

> “The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself.”

To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems, but the investigation is still ongoing. Microsoft has promised to provide additional details as appropriate.

Generally speaking, the larger an organization is, the larger the attack surface, but with companies like Microsoft people expect a tighter security. It is, after all, a security software vendor as well. So, the fact that Cozy Bear was able to stay undetected for months comes as a surprise to many.

Apparently, the attack scared Microsoft itself as well: It says that it feels the need to speed up its cyberprotection advancement project, the Secure Future Initiative, given how well-funded and resourced the attackers are.

> “We will act immediately to apply our current security standards to Microsoft-owned legacy systems and internal business processes, even when these changes might cause disruption to existing business processes.”

This attack can generally be seen as a warning to every other organization that has information which might be of interest to foreign governments.

The more an organization has grown, the larger the chance that legacy accounts exist and may even be neglected. Compare the organization to an office building: The more doors and windows (pun intended) exist, the larger the chance that one is left open. And if there are offices that are no longer in use, the chance of an opening grows exponentially.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 Microsoft got hacked by state sponsored group it was investigating 

Russian state-sponsored actor Coldriver uses spear phishing attacks to install the Spica backdoor on victim systems.

Researchers at Google’s Threat Analysis Group (TAG) have published their findings about a group they have dubbed Coldriver. The main targets of the Coldriver group are high-profile individuals in non-governmental organizations (NGOs), former intelligence and military officials, and NATO governments. These targets are approached in spear phishing attacks.

The group uses social engineering techniques to persuade their targets to open documents or download malware. Their activities are aligned with those of the Russian government, so it’s pretty safe to say that Coldriver is a state-sponsored group.

In December 2023, the US charged two Russians believed to be members of this group, for their role in a campaign that hacked government accounts.

Microsoft, who tracks the group as Star Blizzard, says the group targets individuals and organizations involved in international affairs, defense, and logistics support to Ukraine, as well as academia, information security companies, and other entities aligning with Russian state interests.

Typically, the group creates an impersonation account that pretends to be an expert in a field the target might be interested in or that is somehow affiliated with the target. Once a relationship has been established, the target will receive a phishing link or a document containing such a link.

To gain trust, Coldriver uses social media and professional marketing systems to build a profile of its target. With that information the group sets up email contacts, social media and other networking accounts that align with the target’s interests and appear legitimate.

Coldriver uses webmail addresses from different providers, including Outlook, Gmail, Yahoo and Proton Mail in the initial approach, impersonating known contacts of the target or well-known names in the target’s field of interest or sector. The group is also known to register malicious domains that mimic legitimate organizations.

Recently, TAG has noticed that the group uses “lure documents” to install a backdoor on the target’s system. These lure documents, which are harmless PDF files, are sent to the target, but when they open them the content appears to be encrypted.

When the target queries about the encryption, Coldriver sends the target a link to a decryption utility, typically hosted on a cloud storage site. This so-called decryption utility shows the target a normal PDF file, so that it appears as if the original was decrypted, but at the same time it installs a backdoor.

This backdoor is custom malware, likely developed by or for Coldriver, called Spica. Spica is written in the Rust programming language and supports, among others, these commands:

*   Execute arbitrary shell commands
*   Steal cookies from Chrome, Firefox, Opera, and Edge
*   Upload and download files
*   Analyze the filesystem by listing the content
*   Enumerate documents and copy them to an archive

The backdoor establishes persistence through an obfuscated PowerShell command that creates a scheduled task named CalendarChecker.

TAG suspects but has been unable to verify that there are multiple variants of Spica: one to match each lure document sent to targets.

**YARA rule**

YARA is a tool that can identify files that meet certain conditions. It is mainly in use by security researchers to classify malware.

TAG has created a YARA rule that cab help find the Spica backdoor.

rule SPICA\_\_Strings {  
meta:

author = “Google TAG”  
description = “Rust backdoor using websockets for c2 and embedded decoy PDF”  
hash = “37c52481711631a5c73a6341bd8bea302ad57f02199db7624b580058547fb5a9”  
strings:  
$s1 = “os\_win.c:%d: (%lu) %s(%s) – %s”  
$s2 = “winWrite1”  
$s3 = “winWrite2”  
$s4 = “DNS resolution panicked”  
$s5 = “struct Dox”  
$s6 = “struct Telegram”  
$s8 = “struct Download”  
$s9 = “spica”  
$s10 = “Failed to open the subkey after setting the value.”  
$s11 = “Card Holder: Bull Gayts”  
$s12 = “Card Number: 7/ 3310 0195 4865”  
$s13 = “CVV: 592”  
$s14 = “Card Expired: 03/28”

$a0 = “agent\\\\src\\\\archive.rs”  
$a1 = “agent\\\\src\\\\main.rs”  
$a2 = “agent\\\\src\\\\utils.rs”  
$a3 = “agent\\\\src\\\\command\\\\dox.rs”  
$a4 = “agent\\\\src\\\\command\\\\shell.rs”  
$a5 = “agent\\\\src\\\\command\\\\telegram.rs”  
$a6 = “agent\\\\src\\\\command\\\\mod.rs”  
$a7 = “agent\\\\src\\\\command\\\\mod.rs”  
$a8 = “agent\\\\src\\\\command\\\\cookie\\\\mod.rs”  
$a9 = “agent\\\\src\\\\command\\\\cookie\\\\browser\\\\mod.rs”  
$a10 = “agent\\\\src\\\\command\\\\cookie\\\\browser\\\\browser\_name.rs”  
condition:  
7 of ($s\*) or 5 of ($a\*)  
}

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 Coldriver threat group targets high-ranking officials to obtain credentials 

A list of topics we covered in the week of January 15 to January 21 of 2024

Skip to content

*   Contact Us
    *   Personal Support
    *   Business Support
    *   Talk to Sales
    *   Contact Press
    *   Partner Programs
    *   Submit Vulnerability
*   Company
    *   About Malwarebytes
    *   Careers
    *   News & Press
*   Sign In
    *   **MyAccount sign in:** manage your personal or Teams subscription >
    *   **Cloud Console sign in:** manage your cloud business products >
    *   **Partner Portal sign in:** management for Resellers and MSPs >

*   Personal
*   Business
    
    < Business
    
    BUNDLES
    
    *   Core
    *   Prevent and remediate threats and identify vulnerabilities
    *   Advanced
    *   Utilize threat guidance and patch management plus everything in **Core**
    *   Elite
    *   Deploy Managed Detection and Response plus everything in **Advanced**
    *   Ultimate
    *   Protect against categories of malicious websites plus everything in **Elite**
    
    TECHNOLOGY HIGHLIGHTS
    
    *   Managed Detection & Response (MDR)
    *   Deploy fully-managed threat monitoring, investigation, and remediation
    *   Endpoint Detection & Response (EDR)
    *   Prevent more attacks with security that catches what others miss
    *   Security Advisor
    *   Visualize and optimize your security posture in just minutes
    *   For Education
    *   Secure your students and institution against cyberattacks
    
    Learn more about Security Advisor (available in every bundle) and see the full list of our products and services.
    
    Full technology list >
    
*   Pricing
    
    < Pricing
    
    Protect your personal devices and data
    
    Protect your team’s devices and data
    
    Explore our award-winning endpoint security products, from EP to EDR to MDR
    
*   Partners
*   Resources
    
    *   Reviews
    *   Analyst Reports
    *   Case Studies
    
*   Support
    
    Featured Content
    
    *   Activate Malwarebytes Privacy on Windows device.
    

**RELATED ARTICLES**

January 22, 2024 - Russian state-sponsored actor Coldriver uses spear phishing attacks to install the Spica backdoor on victim systems.

January 20, 2024 - A nonprofit study claims that Google is failing to delete location history that reveals users' physical trips to abortion clinics.

January 19, 2024 - Google wants you to know you can still be tracked when you're incognito.

January 19, 2024 - CISA has added two Citrix NetScaler vulnerabilities to its vulnerability catalog, with a very short deadline to patch.

January 18, 2024 - Google has issued a security update for the Chrome browser that includes a patch for one zero-day vulnerability.

 A week in security (January 15 &#8211; January 21) 

A nonprofit study claims that Google is failing to delete location history that reveals users' physical trips to abortion clinics.

Nearly 16 months after Google announced a policy change to remove location data that could reveal users’ physical trips to abortion clinics and other potentially sensitive medical centers, a nonprofit has alleged in a new report that the company is failing to do just that.

The findings, which were immediately disputed by Google, could impact whether Americans feel they can privately search for and access abortion care in several states across the US, should their digital activity be requested by law enforcement as evidence of a crime. In June 2022, the US Supreme Court overruled its 1973 decision of Roe v. Wade, which had, for decades, conferred the public’s constitutional right to choose to have an abortion; many states have now banned the procedure.

In a press release issued by Accountable Tech, which conducted the study, executive director and cofounder Nicole Gill lambasted Google for its alleged failure to keep users safe from the weaponization of their location data.

“Knowing they are complicit in the criminalization of essential care, Google has made promises to improve their privacy policies,” Gill said in a press release. “But proof that they continue to fall short makes it clear that they cannot be trusted to protect the millions of users who rely on their products everyday.”

But in responding to a report from The Guardian, which claimed to have exclusively reviewed Accountable Tech’s research, Google pushed back.

“We are upholding our promise to delete particularly personal places from Location History if these places are identified by our systems—any claims that we’re not doing so are patently false or misguided,” said Marlo McGriff, director of product for Google Maps.

At heart is whether Google is doing as it said it would in July 2022—auto-deleting location history entries for users who visit “medical facilities like counseling centers, domestic violence shelters, abortion clinics, fertility centers, addiction treatment facilities, weight loss clinics, cosmetic surgery clinics, and others,” so long as Google’s internal systems detect such a visit.

According to Accountable Tech’s study, which ran eight experiments in seven different states, “Google retained Location History data about 50% of the time.” For its research, the nonprofit purchased new Android phones and set up default privacy settings before physically traveling to Planned Parenthood locations. In four of the eight visits to Planned Parenthood clinics, Google deleted the _name_ of the clinic in the user’s location history, but the _route_ that was traveled remained.

The study also claimed that location _searches_ were not deleted, sharing a screenshot from a user’s “Web & App activity timeline” that showed the text:

> “Directions to Planned Parenthood – Locust Street Surgical Center, 1144 Locust St, Philadelphia, PA 19107.”

In responding to examples from Accountable Tech’s study that The Guardian shared, Google Maps director of product McGriff explained that Google’s systems did not detect that a user had visited a Planned Parenthood, and so the route to and from that Planned Parenthood was not deleted.

Google’s 2022 policy change was a direct response to the US Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, which placed the legality of abortion access in the control of individual states.

As of early this year, 14 states, including Louisiana, Alabama, Idaho, and Indiana, have banned abortion in nearly all circumstances, according to The New York Times. An additional seven states have placed additional restrictions. The changes have pushed countless residents to leave their homes or violate state laws to seek healthcare.

When the Lock and Code podcast spoke with two experts in digital privacy and law from Electronic Frontier Foundation, both agreed on how the public could more safely navigate a post-Roe America: Say less.

Less than one month after recording that podcast, Facebook reportedly delivered messages to law enforcement that were between a mother and daughter who were under investigation for allegedly aborting a pregnancy.

Accountable Tech’s CEO Gill said this is the new landscape that Americans face.

“In post-Roe America, prosecutors are looking to Big Tech to help them build cases against abortion seekers by providing the data to track their every movement,” Gill said. “We deserve to have power over our own data, and we must fight to prevent a handful of powerful Big Tech companies from weaponizing our private information against us.”

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Google failing to scrub abortion access in location history, study claims 

Google wants you to know you can still be tracked when you're incognito.

Users of Chrome Canary have noticed some slight changes in the wording that Google uses for Incognito mode.

Chrome Canary is mainly intended for use by developers. It’s updated nearly daily with new features, and because it can be used alongside versions of the “normal” Chrome browser (known collectively as Chrome’s “Stable channel”), it can serve for testing and development purposes. So, these developers have access to the latest features and some of them noticed a few updates in the wording about Chrome’s Incognito mode.

Chrome’s Incognito mode aims to protect your privacy from other people who use the same device. It mitigates the risk of a spouse, roommate, or anyone on a public computer spying on your browsing habits. Private browsing mode does so by stopping your browser from saving your browsing information on your computer.

Incognito mode is also sometimes used for troubleshooting, because it ignores the installed browser extensions unless you specifically allow them to run in Incognito mode.

But, although the primary function of private browsing is to locally hide your browsing activity, Incognito mode has an interesting side effect—websites also see you as a new user when you come back in Incognito mode. This can come in handy, but should not be overrated.

You can open Incognito mode by clicking on the three dots in the right hand upper corner (More) of the browser menu and then on **New Incognito window.**

How to open an Incognito window

In the Stable channel build this is what you will see when you open an Incognito window.

> You’ve gone Incognito
> 
> Now you can browse privately, and other people who use this device won’t see your activity. However, downloads, bookmarks and reading list items will be saved.

The new warning seen in Chrome Canary when you open an incognito window says:

> “You’ve gone Incognito. Others who use this device won’t see your activity, so you can browse **more** privately. **This won’t change how data is collected by websites you visit and the services they use, including Google.**“

Image courtesy of MSPowerUser

It’s clear that Google has put more emphasis on users of the same device while moving away from the websites you visit. And it’s true that Incognito mode is primarily designed to keep your information private from other users of the same computer. It isn’t designed to keep your information private from the websites you visit, although that is sometimes a side effect. We have explained this in the past, but it’s noteworthy that Google has now added that it “won’t change how data is collected by websites you visit and the services they use, including Google.”

It’s generally assumed that the changes are tied to the fact that Google has indicated that it is ready to settle a class-action lawsuit filed in 2020 over the Incognito mode. Arising in the Northern District of California, the lawsuit accused Google of continuing to “track, collect, and identify \[users’\] browsing data in real time” even when they had opened a new Incognito window.

The judge rejected Google’s bid for summary judgement in August of 2023, pointing out that Google never revealed to its users that data collection continued even while surfing in Incognito mode.

Apparently many users, surely not our regular readers, where not aware that Incognito mode is not an anonymous mode. Websites and services, will still be able to track you and collect your data. Enabling the **Block third-party cookies** setting is more helpful.

**We don’t just report on privacy—we offer you the option to use it.**

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

 Google changes wording for Incognito browsing in Chrome 

CISA has added two Citrix NetScaler vulnerabilities to its vulnerability catalog, with a very short deadline to patch.

The Cybersecurity and Infrastructure Security Agency (CISA) has added two Citrix NetScaler vulnerabilities to its Known Exploited Vulnerabilities catalog, and it has set the “due date” a week after they were added.

Federal Civilian Executive Branch (FCEB) agencies are handed specific deadlines for when vulnerabilities must be dealt with. Normally, the Directive requires those agencies to remediate internet-facing vulnerabilities on its catalog within 15 days, and all others within 25 days.

The Citrix NetScaler vulnerabilities need to be patched by January 24, 2024. These issues only apply to customer-managed NetScaler ADC and NetScaler Gateway. Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication are not impacted.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs that CISA has added to the catalog are:

CVE-2023-6548, an improper control of generation of code (code injection) vulnerability in NetScaler ADC and NetScaler Gateway with a CVSS score of 5.5 out of 10. It allows an attacker with access to NSIP, CLIP or SNIP with management interface to perform Authenticated (low privileged) remote code execution on the interface.

Because this vulnerability only impacts the management interface, network traffic to the appliance’s management interface should be separated, either physically or logically, from normal network traffic, and you should avoid exposing it to the internet.

CVE-2023-6549 is an improper restriction of operations within the bounds of a memory buffer in NetScaler ADC and NetScaler Gateway with a CVSS score of 8.2 out of 10. It allows unauthenticated denial of service. An attacker could exploit this vulnerability when a vulnerable appliance has been configured as a gateway (e.g. VPN, ICA Proxy, CVPN, RDP Proxy) or as a AAA virtual server.

The following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities: 

*   NetScaler ADC and NetScaler Gateway 14.1 before 14.1-12.35
*   NetScaler ADC and NetScaler Gateway 13.1 before 13.1-51.15
*   NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.21
*   NetScaler ADC 13.1-FIPS before 13.1-37.176
*   NetScaler ADC 12.1-FIPS before 12.1-55.302
*   NetScaler ADC 12.1-NDcPP before 12.1-55.302

Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End Of Life (EOL) and is vulnerable.

Citrix has also observed exploits on unpatched instances and strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible.

A few months ago, CISA and the Federal Bureau of Investigation (FBI), along with other international agencies, warned that ransomware gangs are actively exploiting the Citrix Bleed vulnerability which was also found in Citrix NetScaler versions. This goes to show how popular these kind of vulnerabilities are among cybercriminals.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

 CISA urges urgent patching of two actively exploited Citrix NetScaler vulnerabilities 

"Spend smarter, not harder" is the mantra for cybersecurity in 2024.

“Spend smarter, not harder” is the mantra for 2024, as Gartner forecasts a 14.3% jump in global security and risk management spending—an uptick which brings a renewed focus on the need for cost-effective cybersecurity investments.

Inefficient cybersecurity spending, a known problem, becomes even more pressing with increased budgets—especially since inefficient spending often results in buying disparate security tools, which can create more security gaps and increase breach risks.

In a nutshell, with cybersecurity spending on the rise in 2024, businesses must make investments that aren’t just cost-effective, but which actually strengthen defenses too.

Let’s dive into three essential strategies for smart cybersecurity spending in 2024.

**Conduct a thorough needs analysis**

We’ve all experienced buyer’s remorse at some point, purchasing items that we later realize weren’t necessary. If only we had thoroughly questioned our need for that cool $430 HyperCube beforehand (alright, guilty as charged).

A similar concept applies in the realm of cybersecurity spending. Without carefully analyzing what goods or services they really need, organizations can fall into the trap of “tool sprawl”—the accumulation of too many cybersecurity tools.

The goal should be to tailor cybersecurity investments to actual needs, avoiding the latest, unnecessary technologies. For example, small businesses probably won’t benefit from complex, enterprise-level intrusion detection systems, and large businesses probably don’t need basic, consumer-grade security solutions.

Hastily choosing multiple cybersecurity vendors can also be a recipe for disaster. Juggling multiple vendors often complicates support processes, increases the training burden due to various systems, and challenges seamless tool integration.

**Opt for integrated security solutions**

To avoid wasteful spending, invest in security platforms which merge several protective measures in one. Not only is this more cost-effective, but it also actually improves your security posture.

Every additional security tool a company buys requires its own set of configurations, updates, and management protocols, ultimately translating to longer response times, inefficient workflows, and an inability to have a unified view of the threat landscape.

Opting for integrated security solutions like the popular ThreatDown Bundles can be a game-changer in terms of a targeted, lean approach to cybersecurity spending. By consolidating multiple security functions into a single platform, these integrations reduce overhead costs related to hardware, maintenance, and administration.

**Emphasize added value**

Imagine you’re hungry, and you can grab a basic $2 burger. That’s good, but for $5, you can upgrade to a complete meal—burger, fries, drink, maybe even a vintage Furby. That’s value-added fine dining right there—more bang for your buck.

Emphasizing added value in cybersecurity is a lot like upgrading from a basic burger to a complete meal—you get more features that go beyond the foundational security measures (and best of all, without any trans fats).

For example, consider solutions featuring complimentary Vulnerability Assessment (VA) and Application Block (AB). Amid rising cybersecurity costs, VA uncovers application vulnerabilities at no extra expense, while AB actively keeps your defenses strong by preventing unwanted applications from launching, adding substantial value without breaking the bank.

**Managing cybersecurity expenses in 2024**

As we venture into 2024, organizations can more efficiently spend cybersecurity budgets through meticulous needs assessments, integrated solutions, and a focus on added value.

For organizations seeking to put these strategies into action, ThreatDown Bundles offer a practical solution.

ThreatDown bundles are like the Swiss Army knives of cybersecurity, consolidating essential security technologies, including Endpoint Detection and Response and Managed Detection and Response, into one unified platform. Each bundle comes with free threat prevention capabilities, Vulnerability Assessment and Application Block—to further reduce your threat surface at no additional cost.

Want to learn more?

 Cybersecurity spend to soar in 2024: How companies can maximize their investment 

Application Block is now free for all ThreatDown users.

Malwarebytes continues to add value to its ThreatDown Bundles with the inclusion of Application Block as free for all ThreatDown Nebula accounts (excluding Mobile only accounts). Users don’t need to activate this new feature: the policy has been enabled in their account by default.

For as many applications out there that help you keep business running as usual, there are just as many that can spell big trouble for your network security. Threat actors can embed malicious code in seemingly legitimate applications, which end users then innocently execute on their Windows endpoints. (And the bad guys are in).

Or threat actors can find an application on your network with a known vulnerability for which no patch has been developed. (And again, they’re in.) 

Application threats also don’t just stop at cybercriminal gangs: organizations also just might not want employees using unproductive or unapproved applications and the security risks that follow.

All of this is to say that having the ability to blocklist certain applications from running is a key part of an effective layered defense. Malwarebytes is adding **Application Block** for free in all ThreatDown Bundles to make it easier for under-resourced orgs to meet this important security requirement.

Let’s dive in to see how it works!

**Features**

*   Log and monitor blocked application activity on endpoints.
*   Block device access to specified software applications, though this does not include cloud applications.
*   Block list rules are created and applied to policies across the console or sites.
*   Dashboard and reporting for blocked applications.

For a technical overview of Application Block for Nebula, click here: https://service.malwarebytes.com/hc/en-us/sections/10604417341587-Application-Block

**Enable Blocking**

When setting or modifying a policy in the Nebula console, go to the **Software management** tab at the bottom.

There you’ll find the **Application block** option for Windows. Let’s go ahead and check it and then save this policy.

**Block Rule Creation/Management**

Heading over to the Monitor tab, we’ll find Application Block near the bottom of the drop-down menu. Let’s click into that. 

We’re taken to an activity log dashboard of blocked applications. Find the **Rules** tab near the top and click “New rule”. 

Rules in Application Block for Nebula define which software applications and executables are blocked across your endpoints. We can apply this rule globally or to specific policies only.

Basic application block rules select the Application or Vendor name to block the service. Advanced rules are available to use file information to block the service including Certificate property, File path, File property, and Hash value.

Let’s save this rule and head back over to our activity log!

**Application Block Activity Log**

The Activity Log tab displays blocked applications across all your managed endpoints. Blocked records are retained for approximately 90 days.

View the following information for each endpoint’s activity record, including agent version, application data, and time blocked!

For auditing or external reporting purposes, you can even download Application Block activity information to your local machine by selecting all or checking specific boxes for the rows you want to export and clicking Export.

We can get a full and quick picture of our endpoint data by heading over to the Nebula Dashboard. Here we can add, remove, and rearrange widgets—including one for Application Block—that give us insight into what applications were blocked and their frequency.

**Plugging the holes in your Windows endpoint security**

Together with free Vulnerability Assessment, which effectively identifies and prioritizes critical security vulnerabilities, Application Block enhances overall security protection by preventing unauthorized software usage, offering a comprehensive security solution at no additional cost in all ThreatDown Bundles.

Source

Malwarebytes