IT NEWS

Microsoft to end direct sale of Windows 10 licenses at the end of January

Windows 10 is slowly coming to an end, with one more way to purchase the operating system riding off into the sunset. Microsoft is posting notices in a variety of locations to confirm it will no longer sell Windows 10 licenses directly. Support remains in place for the time being, as is the usual strategy when an operating system is gradually phased out.

Announcing the end times

Every Microsoft product has its own life cycle, and each one eventually gives way to its successor. Those life cycle policies come in two types: Modern, for products and services that are serviced and supported continuously, and Fixed, for certain products bought at retail or through volume licensing.

While businesses can often pay for extended security updates after general support ends, that isn’t an option for everyone, and eventually a change of software and hardware is needed across the board.

Windows 10 download pages now say this at the bottom of the promotional text:

January 31, 2023 will be the last day this Windows 10 download is offered for sale. Windows 10 will remain supported with security updates that help protect your PC from viruses, spyware and other malware until October 14, 2025.

Whether you decide to buy Windows 10 before January 31, or ignore the warning and purchase from a third-party retailer, October 14, 2025 looms on the horizon like a rather large banner advert for Windows 11. The tiny uptake Windows 11 saw back in 2021 is likely to spike over the next year or so.

Windows 11: A significant boost in security…

We’ve covered many of the security improvements which Windows 11 holds over Windows 10. There are the multiple features of the hypervisor, the secure boot practices that help ward off bootkit malware, and the hardware-enforced stack protection that guards various forms of running code.

Elsewhere we have custom-made phishing alerts for users of Windows 11 (but not Windows 10), and Remote Desktop Protocol lockout enabled by default. This is before you get to the other additions and improvements which you won’t find elsewhere.

Tabs? In my Notepad? The future is now.

…and a bit of a problem for hardware

One of the few remaining sticking points for people wary of upgrading remains the hardware issue. Microsoft has experienced quite a bit of backlash due to how the promotion of Windows 11 was handled. Nobody wants to find out their recently purchased powerhouse of a gaming PC inexplicably does not support the new operating system, nor does anyone want to discover their fairly new fleet of Windows 10 business PCs aren’t up to standard. Unfortunately, this is the exact situation far too many people found themselves in. Poor descriptions of secure boot and Trusted Platform Module (TPM) did not help at all.

My own home PC is a very powerful gaming rig; it will run anything thrown at it, from games on their highest settings to rendering tools which will bring other high spec systems to their knees.

It’s still not compatible with Windows 11 because (insert convoluted technical explanation here). People don’t want to hear about inserted convoluted technical explanations, they just want to know why they’re suddenly faced with the prospect of potentially expensive hardware upgrades or replacements. This is not how you achieve high buy-in rates.

Playing the waiting game

For now, it’s fine to linger on Windows 10, and support is going to be around for some time to come. If you think you’re going to be putting together a bunch of self-built machines in the near future, or simply buying in bulk, this may be the time to do some emergency sort-of-last-minute shopping before it becomes increasingly more difficult to obtain a license. Given the leap in demands from Windows 10 hardware to Windows 11 hardware, you don’t want to be left in a situation where you have a pile of cases, hard drives, and RAM sticks in the corner of a room and nothing to make them all come alive.

Hang fire if you need to, but the clock is most definitely ticking.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

TikTok CEO told to “step up efforts to comply” with digital laws

EU Commissioner Thierry Breton, the EU’s digital policy chief, “explicitly conveyed” to TikTok CEO Shou Zi Chew that the company must “step up efforts to comply” with the European Union’s rules on copyright, data protection, and the Digital Services Act (DSA)—an EU regulation setting out “an unprecedented new standard for the accountability of online platforms regarding illegal and harmful content”. 

According to the Associated Press, this transpired in a call on Thursday, January 19, in which Breton and Chew discussed how TikTok plans to comply with the DSA, which is set to take effect in September 2023. The act will require online platforms to reduce harmful content online and combat online risks. Online platforms include (but may not be limited to) social networks and online marketplaces.

The West has been scrutinizing TikTok for years because of its parent company’s potential ties with the government of the People’s Republic of China. This alone brought up a lot of cybersecurity and privacy concerns. Though the company has consistently denied such a relationship, this didn’t stop state governments and private companies from banning the app from worker and employee phones, labeling it an “unacceptable security risk” and a “Chinese Trojan Horse”, accusing it of being a tool to promote various forms of misinformation and spying, and classing it as another social platform that doesn’t take the security of children’s privacy and well-being seriously.

“With younger audiences comes greater responsibility,” Breton said, according to a readout of his call with Chew. “It is not acceptable that behind seemingly fun and harmless features, it takes users seconds to access harmful and sometimes even life-threatening content.”

“We will not hesitate to adopt the full scope of sanctions to protect our citizens if audits do not show full compliance,” Breton further said.

Early last week, four European Commission officials met with Chew in Brussels to discuss growing concerns from Western countries, ranging from online child safety to the flow of user data to China. According to partial readouts of the call published by Politico, they warned TikTok to respect EU law and begin working on building trust. On top of this, they discussed compliance with the DSA, the Digital Markets Act (DMA)—the very anti-competition regulation Apple had been preparing for—and the GDPR (General Data Protection Regulation).

“I count on TikTok to fully execute its commitments to go the extra mile in respecting EU law and regaining [the] trust of European regulators,” EU Commissioner for Values and Transparency Vera Jourova had said during their meeting with Chew. “There cannot be any doubt that data of users in Europe are safe and not exposed to illegal access from third-country authorities.”

TikTok’s Director of Public Policy and Government Relations, Caroline Greer, tweeted that the safety of their users is paramount. “We also outlined our efforts to ensure compliance with the GDPR & the Code of Practice on Disinformation.”

As if to demonstrate their seriousness regarding data security, TikTok’s CEO revealed the people responsible for misusing journalist data to identify leaks were no longer with the company, confirming “it was wrong” for them to have done this.



4 ways to protect your privacy while scrolling

Privacy is a right that is yours to value and defend. Article 8 of the Human Rights Act protects your right to respect for your private and family life. One of the pillars of the article is that personal information about you (including official records, photographs, letters, diaries, and medical records) should be kept securely and not be shared without your permission, except under certain circumstances.

But we know that information is not always protected as much as it should be, and it seems like we hear about a new data breach every day. It’s up to us to defend our privacy as much as we can online, so here are a few suggestions on how you can best protect your privacy when scrolling online:

1. Consider what you share about yourself

Many of us are leaking information about ourselves and our online behavior almost constantly.

When posting online, consider what information you find valuable and what you are happy for everyone to know. As soon as you know where you draw your personal line, you can start working on protecting your privacy.

As a guide, if you wouldn’t say it in person, don’t put it online.

2. Check your browser settings

Your browser is your gateway to the internet. Unfortunately, few of them ship with ideal privacy and security settings by default, even when the options are present.

So it’s a good idea to go ahead and tinker with your browser’s settings, carefully making sure that options are set in a way that are acceptable to you, privacy-wise.

You can read about some popular browsers’ privacy settings here:

While you’re reviewing your settings, you may want to clear out your browser history. Then review your extensions, and remove those you hardly use, or have never used. Vulnerable or malicious add-ons can easily become a privacy and security risk.

Do a browser settings review on your mobile devices as well. You can learn more about them here:

Now, if you find that what’s in there by default lacks the privacy and security settings you hope for, it’s time to ditch that browser for a new one.

Thankfully, most (if not all) of the desktop browsers that have made privacy their business also have mobile versions. Start by looking up Firefox, Brave, DuckDuckGo, and even the Tor Browser on the Google Play and Apple App stores.


3. Consider adding extra layers

There are a lot of browser extensions that decrease your online privacy. But the upside of being able to use browser extensions is that there are many good ones out there that can help you establish a more private browsing experience. Ad-blockers, anti-tracking tools, and protective extensions add further protection.

You can also tighten your privacy by using a Virtual Private Network (VPN) to hide your traffic from your local network and your IP address from the sites you visit. In short and easy terms, a VPN acts as a middle-man between a user and the internet. When the user wants to visit a site, they send the request to the VPN over an encrypted connection, the VPN visits the site, and then it sends the data back to the user over the same encrypted connection. These connections are not limited to web browsing, even though that is the first use that usually comes to mind. Bear in mind that this moves trust rather than removing it: the VPN provider now sees the traffic your ISP used to see, so choose one whose logging policy you are comfortable with.

Personally, I also use different browsers for different purposes. This is called compartmentalization and it allows you to visit trusted (and preferably bookmarked) websites with a quick browser and do your regular surfing with a fully protected and anonymized browser.

4. Do periodic check-ins

One thing to keep in mind if you are rolling out extra precautions is to stay aware of their existence and not take them for granted. Check for updates on a regular basis, make sure they are working properly, and don’t blindly rely on them.

It’s like speeding in a car, just because you have a seatbelt on. It does make it safer, but you still don’t want to get involved in an accident.



Ransomware revenue significantly down over 2022

According to blockchain data platform Chainalysis, ransomware revenue “plummeted” from $765.6 million in 2021 to at least $456.8 million in 2022. The data is based on an analysis of the cryptocurrency addresses known to be controlled by ransomware attackers.

Precision

While the real numbers are likely much higher, the data gives us an idea of how ransomware payments are developing. Bear in mind that these figures get revised: last year’s initial estimate for 2021 was $602 million, which looked like a decline, but after correction it was revised up to $765 million, a small gain.

[Chart: image courtesy of Chainalysis]

Payments, not attacks

This decline could be explained in a number of ways:

  • Fewer attacks
  • Lower ransom demands or demand being negotiated down
  • Fewer victims willing to pay

According to our own research and Chainalysis, the declining numbers are mainly due to victim organizations increasingly refusing to pay ransomware attackers.

Number of attacks

Ransomware attacks make headlines, but that doesn’t mean we learn about all of them. In fact, the chances of learning about an attack are bigger when the victim decides not to pay, since that will get them posted on a leak-site controlled by the ransomware group. Many ransomware operators use these sites to post data they exfiltrated during the attack as extra leverage to get victims to pay the ransom. Monitoring these sites always gives us a good idea of which ransomware groups are most active and how many victims actually refuse to pay.

According to IT service provider AAG, there were 236.1 million ransomware attacks worldwide in just the first half of 2022. Through 2021, there were 623.3 million ransomware attacks globally. That seems to indicate the number of attacks could be slightly down.

Negotiators

One thing victims have learned is that ransom sums can be negotiated down. In fact, a new form of ransomware response has emerged in the past year: the ransomware negotiator. On our Lock & Code podcast, Calling in the ransomware negotiator, with Kurtis Minder: Lock and Code S03E20, Kurtis Minder talks about how he has helped clients with ransomware negotiation and how his company has worked to formalize ransomware negotiation training.

Not willing to pay

There are many reasons, besides the obvious one, that companies are unwilling to meet the ransom demands:

  • Paying keeps the ransomware eco-system alive
  • There is no guarantee you will get your systems back
  • It is no immediate cure; decrypting sometimes takes just as long as restoring your systems from backups
  • Organizations have learned the importance of backups
  • In some cases it is prohibited due to embargoes and sanctions against certain countries

Sometimes organizations feel they have no other choice, which is understandable, but it gives us hope to see that the numbers are declining.

Continental

In our ransomware review of October 2022 we highlighted the case of automotive parts giant Continental. According to a transcript of the negotiations, obtained from LockBit’s dark web site, ransom negotiations began on September 23 and progressed slowly for a month. In the transcript, Continental sought proof that the ransomware group had the 40 terabytes of internal company data it claimed to have stolen, and then asked for assurances that the group would delete the data if the ransom was paid.

The final message attributed to Continental, dated October 24, reads “Hello, we have to hold a management meeting and will come back to you tomorrow end of business day.” It seems that the meeting did not go the way that LockBit hoped, and after several fruitless days trying to restart the negotiation, the ransomware group made the Continental data available on its dark web site—for sale or destruction—for $50 million. It is unknown whether anyone shelled out that amount to obtain the stolen data.

Chainalysis queried several ransomware experts and is convinced that the drop in revenue is due to more victims refusing to pay. For those interested, the report provides a lot more details.



T-Mobile reports data theft of 37 million customers in the US

T-Mobile has announced that an attacker has accessed “limited types of information” on customers. It says it is informing impacted customers.

According to the press release, no passwords, payment card information, social security numbers, government ID numbers or other financial account information were compromised.

Method

T-Mobile says the attacker gained access to the data through a single Application Programming Interface (API), without authorization. According to T-Mobile, the impacted API is only able to provide a limited set of customer account data, including name, billing address, email, phone number, date of birth, T-Mobile account number, and information such as the number of lines on the account and plan features.

An API is a software interface, usually intended to let one automated system retrieve data from another, for example letting a website fetch relevant information from a database. When a threat actor finds a way to bypass authentication, or to obtain a higher level of permissions than they should have, it can enable them to fetch information about other customers.
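The kind of access control failure the paragraph describes, as an added illustration that is not T-Mobile’s code and says nothing about T-Mobile’s actual API, which has not been publicly described: a minimal Python model of an account-lookup endpoint that authenticates the caller but never checks that the caller owns the requested account, next to the fixed version, plus a simple detector that flags a caller walking through many account numbers in the access log. The account records, tokens, endpoint path and log lines are all constructed for the example.

```python
"""Added example: broken vs. fixed object-level authorization on a lookup API,
and a log check for account enumeration. All data below is constructed."""
from collections import defaultdict

# Constructed account records: account number -> customer data.
ACCOUNTS = {
    "100001": {"owner": "alice", "name": "Alice Example", "lines": 2},
    "100002": {"owner": "bob", "name": "Bob Example", "lines": 1},
    "100003": {"owner": "carol", "name": "Carol Example", "lines": 4},
}

# Constructed bearer tokens standing in for the authentication layer.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}


class Unauthorized(Exception):
    """Raised when the caller presents no valid credential."""


def authenticate(token):
    """Return the principal behind a valid token, or raise Unauthorized."""
    try:
        return TOKENS[token]
    except KeyError:
        raise Unauthorized("invalid token")


def lookup_account_vulnerable(token, account_id):
    """Checks only that the caller is *some* authenticated user.
    Any valid token can then read any account, so a caller who walks the
    account-number space harvests everyone's data (broken object-level
    authorization, also known as IDOR)."""
    authenticate(token)
    return ACCOUNTS.get(account_id)


def lookup_account_fixed(token, account_id):
    """Authenticate, then verify that the caller owns the requested object.
    'Missing' and 'not yours' both return None so the endpoint does not
    confirm which account numbers exist."""
    principal = authenticate(token)
    record = ACCOUNTS.get(account_id)
    if record is None or record["owner"] != principal:
        return None
    return record


# Constructed access-log lines: timestamp, caller token, method, path, status.
SAMPLE_LOG = """\
2022-11-25T02:10:01Z tok-bob GET /v1/accounts/100001 200
2022-11-25T02:10:02Z tok-bob GET /v1/accounts/100002 200
2022-11-25T02:10:03Z tok-bob GET /v1/accounts/100003 200
2022-11-25T02:10:04Z tok-bob GET /v1/accounts/100004 200
2022-11-25T02:10:05Z tok-bob GET /v1/accounts/100005 200
2022-11-25T09:00:00Z tok-alice GET /v1/accounts/100001 200
"""


def enumeration_suspects(log_text, threshold=3):
    """Return {caller: distinct_accounts} for callers that successfully read
    more than `threshold` distinct account IDs. A real customer touches a
    handful of accounts; a scraper touches thousands."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than crash the detector
        _ts, caller, _method, path, status = parts
        if status != "200" or not path.startswith("/v1/accounts/"):
            continue
        seen[caller].add(path.rsplit("/", 1)[1])
    return {c: len(ids) for c, ids in seen.items() if len(ids) > threshold}


if __name__ == "__main__":
    print("vulnerable:", lookup_account_vulnerable("tok-bob", "100001"))
    print("fixed:     ", lookup_account_fixed("tok-bob", "100001"))
    print("suspects:  ", enumeration_suspects(SAMPLE_LOG))
```

The fix is a single ownership comparison, which is exactly why this class of bug is so common: the endpoint works perfectly for legitimate callers with or without it. The detector is deliberately crude (distinct object IDs per caller over the whole log); in production you would window it by time and alert on rate as well.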

Affected customers

The preliminary result of T-Mobile’s investigation combined with help from external cybersecurity experts indicates that the attacker accessed data of approximately 37 million current postpaid and prepaid customer accounts, though many of these accounts did not include the full data set.

Window of access

The mobile carrier says it detected the malicious activity on January 5, 2023. The press release says the issue was resolved within 24 hours after it was identified. What the press release doesn’t say, but what we can read in the Form 8-K—used when informing the Securities and Exchange Commission (SEC) about a breach—is that the attacker first retrieved data through the impacted API starting on or around November 25, 2022.

Timing

The timing of the data breach is far from ideal. It was only last week that customers faced a deadline to file a claim under a $350 million settlement related to a 2021 cyberattack which impacted around 80 million US residents. The carrier agreed to the massive payout to resolve allegations that negligence led to the 2021 data breach that exposed millions of people’s personal information. The stolen data at the time included names, driver licenses, addresses, and social security numbers.

As part of that settlement, T-Mobile committed to an aggregate incremental spend of $150 million for data security and related technology in 2022 and 2023. T-Mobile references this in its Form 8-K about the current incident:

“As we have previously disclosed, in 2021, we commenced a substantial multi-year investment working with leading external cybersecurity experts to enhance our cybersecurity capabilities and transform our approach to cybersecurity. We have made substantial progress to date, and protecting our customers’ data remains a top priority. We will continue to make substantial investments to strengthen our cybersecurity program.”



Ransomware money laundering operation disrupted, founder arrested

The US Department of Justice (DOJ) has released information about the arrest of Anatoly Legkodymov, the founder and majority owner of a cryptocurrency exchange called Bitzlato, on money laundering charges. Legkodymov, a Russian national who lives in China, is accused of processing over $700 million of illicit funds.

The US Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) also issued an order that identifies Bitzlato as a “primary money laundering concern” in connection with Russian illicit finance.

The exchange is thought to have fueled crypto-related crimes like ransomware by helping cybercriminals launder illegally obtained money.

As stated by Assistant Attorney General Kenneth A. Polite, Jr. of the Justice Department’s Criminal Division:

As alleged, the defendant helped operate a cryptocurrency exchange that failed to implement required anti-money laundering safeguards and enabled criminals to profit from their wrongdoing, including ransomware and drug trafficking.

Bitzlato’s largest counterparty in cryptocurrency transactions was Hydra, a Russian language dark web marketplace for narcotics, stolen financial information, fraudulent identification documents, and money laundering services.

What made Bitzlato popular among criminals was the fact that it marketed itself as requiring minimal identification from its users. Where other exchanges require users to submit selfies and official IDs, Bitzlato said this was not required, and allowed “straw man” registrants. According to the DOJ, these deficient know-your-customer (KYC) procedures allegedly made Bitzlato a haven for criminal proceeds and for funds intended for use in criminal activity.

Bitcoin—the most popular cryptocoin used in cybercrime—is pseudonymous, meaning that transactions between entities are public and easy to trace, but the identity of the entities is hidden behind numeric addresses. If law enforcement can identify the owner of a bitcoin address they can see the transactions that person has made. As a result, some countries insist that exchanges take identifying information from customers when they open an account so that their transactions can be attributed to a real identity easily.

The lax procedures at Bitzlato would have given its users peace of mind that any illicit transactions couldn’t be traced back to them, since they were able to use stolen identities to register their accounts.

To reassure its users, Bitzlato issued a statement saying it suffered a minor hack:

Our service was hacked, part of the funds was withdrawn from the service. 

We ask you DO NOT REPLENISH our service during the proceedings!

Withdrawals will also be suspended indefinitely.

Sincerely,
The Bitzlato Team.

It later added:

We want to inform you that the funds are completely safe. 

The attackers were able to withdraw a small part of the funds, but for all victims, we guarantee a refund!

As a security measure, we have disabled the service, we ask you not to replenish the wallets of our service until the work is restored.

The Bitzlato website was replaced by a notice saying that the service had been seized by French authorities as part of a coordinated international law enforcement action.

While Bitzlato is far from a leading name among cryptocurrency exchanges, according to Chainalysis it is one of the Moscow City-based cryptocurrency businesses that have facilitated the most money laundering.

FinCEN said:

Bitzlato plays a critical role in laundering Convertible Virtual Currency (CVC) by facilitating illicit transactions for ransomware actors operating in Russia, including Conti, a Ransomware-as-a-Service group that has links to the Government of Russia.

While the crypto-exchange claimed not to allow users from the United States to register accounts, prosecutors said Bitzlato knowingly serviced US customers and conducted transactions with US-based exchanges using US online infrastructure. For at least some period of time, it was being managed by the defendant while he was in the United States.



Credit card fraud group member could get up to 30 years in jail

Card fraud, a staple diet of scammers online, is currently featuring heavily on the US Department of Justice portal. The reason? A story which has rumbled on for a few years finally seems to be pulling into its final destination, as a man admits his role in a slice of fraud which impacted thousands of people across the US.

A timeline of credit card fraud

In January 2019, three people alleged to be part of a “nationwide stolen credit card ring” were arrested. The gang was said to have racked up $3 million in unauthorised purchases, and its members were charged with conspiracy to commit bank fraud and aggravated identity theft.

The location where the arrests took place was full of credit cards, which were alleged to have been bought online via the dark web and elsewhere. A network of women was put together via social media; those individuals collected goods bought with the cards in different cities and received a cut of the profits once the items were sold on. Some of those involved had been flagged in the past for various crimes, many of which involved credit cards, with one related to “700 stolen accounts”.

The case went silent in the news until 2020, when Hamilton Eromosele, 29, pleaded guilty to one count of conspiracy to commit bank fraud. He was sentenced to 110 months in prison.

We now have some new crime related numbers to report, and it doesn’t look great for at least one of the other individuals involved.

Big fraud, big losses

Trevor Osagie, 31, has now pleaded guilty to a conspiracy charge. The conspirators made more than $1.5 million in fraudulent purchases using over 4,000 stolen credit card accounts.

Between 2015 and November 2018, the crime network purchased everything from gift cards and hotel stays to rental cars and other goods and services. Despite being based primarily in the New York / New Jersey area, the group committed crimes all over the US.

We have the why, but not the how

The indictment adds some context to the overall picture, though there is currently no deep dive into the group’s many activities. In fact, only one example is listed of how the group used aliases to email card numbers to one another.

There’s also no word (yet) as to how people were recruited on social media to visit the different cities. Were these roles offered in public under the guise of being something legitimate? Did these opportunities come by private direct messaging? At this point, we simply don’t know.

In total, nine people are listed as having some level of involvement with the wide ranging fraud operation. Two financial organisations in particular incurred significant losses.

From doing crime to doing time

As Bleeping Computer notes, Osagie is now facing up to 30 years in prison. There’s also a potential maximum fine of up to $1 million, which definitely has the potential to put the brakes on some criminal activity.

We’ll hear the sentencing decision in a few months’ time, and then perhaps the full story of how this one played out, along with how the group was caught in the first place, will finally be revealed.



Mailchimp breach feels like deja vu

A threat actor successfully used compromised employee credentials to gain access to 133 accounts on Mailchimp, the mainstream Intuit-owned email marketing platform, in a security incident that recently came to light.

“On January 11, the Mailchimp Security team identified an unauthorized actor accessing one of our tools used by Mailchimp customer-facing teams for customer support and account administration,” said Mailchimp in a blog post. “The unauthorized actor conducted a social engineering attack on Mailchimp employees and contractors, and obtained access to select Mailchimp accounts using employee credentials compromised in that attack.”

The blog further asserts the company’s compromise had not affected other Intuit systems or other Mailchimp customer data.

Very little detail has been shared about the attack, such as the specific social engineering tactic used against Mailchimp’s employees, who might be responsible for the attack, or how long the intruder was in the company’s systems.

According to TechCrunch, which first reported the incident, Mailchimp detected the intruder while they were accessing one of the tools used by its customer support and account administration teams. Upon discovery of the targeted attack, it temporarily suspended the affected accounts and reached out to their owners regarding the breach.

“That afternoon, we sent another email to affected accounts with steps to help users reinstate access to their Mailchimp accounts safely. Since then, we’ve been working with our users directly to help them reinstate their accounts, answer questions, and provide any additional support they need.”

One of the 133 accounts affected belonged to WooCommerce, an immensely popular e-commerce plugin for WordPress with more than five million customers. TechCrunch said customer names, web store addresses, and customer email addresses might have been exposed in the compromise.

This latest incident with Mailchimp definitely calls back to the April 2022 breach, when threat actors gained access to 319 of its client accounts, mostly belonging to companies in the cryptocurrency and finance industries. Cryptocurrency wallet company Trezor took to Twitter at the time to let followers know some of its services were also affected by the Mailchimp compromise.

Trezor said then, “Mailchimp have confirmed that their service has been compromised by an insider targeting crypto companies. We have managed to take the phishing domain offline.”

Since this attack, Mailchimp said it had implemented “an additional set of enhanced security measures”, but TechCrunch noted the company wasn’t specific about these measures.

“We know that incidents like this can cause uncertainty, and we’re deeply sorry for any frustration,” Mailchimp said. “We are continuing our investigation and will be providing impacted account holders with timely and accurate information throughout the process.”



LastPass users should move their crypto funds, experts warn

Several experts have warned LastPass users who store cryptocurrency-related login information in their vaults to change that login information as soon as they can.

Apparently, the cybercriminals who have access to the stolen information are making it a priority to decrypt that data in an attempt to access cryptowallets and online accounts.

[Embedded tweet from Responders.nu]

The breach

According to LastPass, an unknown attacker accessed a cloud-based storage environment using information obtained in LastPass’ August 2022 breach. Some of the stolen source code and technical information were used to target another LastPass employee, allowing the attacker to obtain credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.

Unencrypted data

As we mentioned in an earlier post about the LastPass breach, part of the stolen data was not encrypted. The unencrypted data included URLs, which could act as a pointer for the attacker to figure out which accounts deserve their attention. For example, if someone has stored their login credentials to Blockchain.com or any other crypto services platform in LastPass, the threat actor will be able to see the URL to that platform and then can choose to prioritize the attempts to decrypt that information.

Decrypt

At this point it is unclear whether the attacker is trying to crack the master passwords of these interesting accounts (which unlocks the whole vault) or to attack the crypto-related login credentials directly, but it is likely they will try both. And because they have stolen copies of the vaults, they have an unlimited amount of time to keep trying.

Secret keys

If your secret keys were in the stolen data, simply changing your passwords will not be enough. With a secret key you can prove ownership of a blockchain address, which means you can change all the other information associated with that address: the password, the recovery email, and everything else a threat actor needs to drain the account.

This is why the tweet by Responders.nu (a Dutch Incident Response cybersecurity firm) says that you will have to move your funds to a different account.

Changing your LastPass master password and enabling 2FA is good, but it does not help in a case where attackers have a copy of your vault, because they can access the copy at all times. Once they crack your master password, they will be able to see everything you stored in that vault in plaintext, and they’ll have plenty of time to use brute force attacks to decrypt the encrypted data.

We realize that opening new accounts and transferring funds to them is time-consuming and costly, but it is certainly better than waking up to a drained account.

Class action

A “John Doe” class-action lawsuit has been filed against LastPass following the August 2022 data breach. The class action was filed with the United States District Court of Massachusetts on January 3 by an unnamed plaintiff (John Doe) on behalf of others similarly situated. The LastPass data breach has allegedly resulted in the theft of around $53,000 worth of Bitcoin.

We have reached out to LastPass, but it has not returned our request for comment. We will keep you posted about any developments here.



Update now! Two critical flaws in Git’s code found, patched

In a sponsored security source code audit, security experts from X41 D-SEC GmbH (Eric Sesterhenn and Markus Vervier) and GitLab (Joern Schneeweisz) found two notable critical flaws in Git’s code. According to the high-level audit report, a vulnerability in Git could generally compromise source code repositories and developer systems, but a “wormable” one could result in large-scale breaches. Microsoft defines a flaw as “wormable” if it doesn’t rely on human interaction but instead allows malware to spread from one vulnerable system to another on its own.

The two critical flaws, tracked as CVE-2022-23521 and CVE-2022-41903, could allow threat actors to run malicious code by exploiting integer overflow weaknesses that corrupt a system’s memory.

A total of eight vulnerabilities were found in Git’s code. On top of the two critical ones we mentioned, the experts also found one rated high, one rated medium, and four rated low severity. A further 27 issues found don’t have a direct security impact.

A copy of the full audit report from X41 and GitLab can be found here.

Recommendation and workaround

The easiest way to protect against exploits of these critical vulnerabilities is to upgrade to the latest Git release, which is version 2.39.1, as well as to update your GitLab instance to one of these versions: 15.7.5, 15.6.6, or 15.5.9.

Version 2.39.1 of Git for Windows also addresses the flaw tracked as CVE-2022-41953.

The researchers recommend that those maintaining Git continue to use safe wrappers and develop strategies to mitigate common memory safety issues. They also discourage storing length values in signed integer variables.

“Introducing generic hardenings such as sanity checks on data input length, and the use of safe wrappers can improve the security of the software in the short term. The usage of signed integer typed variables to store length values should be banned. Additionally, the software could benefit from compiler level checks regarding the use of integer and long variable types for length and size values. Enabling the related compiler warnings during the build process can help identify the issues early in the development process.”

Per BleepingComputer, users who cannot upgrade to address CVE-2022-41903 may want to apply this workaround instead:

  • Disable ‘git archive’ in untrusted repositories or avoid running the command on untrusted repos
  • If ‘git archive’ is exposed via ‘git daemon,’ disable it when working with untrusted repositories by running the ‘git config --global daemon.uploadArch false’ command

CVE-2022-23521: Truncated Allocation Leading to Out-of-bounds (OOB) Write

An OOB Write occurs when software writes data before the beginning or past the end of a buffer, resulting in data corruption, a system crash, or code execution. In this case the OOB write is classed as a heap-based buffer overflow.

This flaw triggers when Git parses a crafted .gitattributes file that may be part of a commit history, causing multiple integer overflows (also known as wraparounds). In an integer overflow, the program tries to store a value larger than the integer type can hold, so the stored value wraps around to a much smaller (or negative) number.

If this happens, OOB reads and writes can occur, which could then lead to remote code execution.

CVE-2022-41903: OOB Write in Log Formatting

This flaw is found in Git’s commit-formatting mechanism, which displays arbitrary information about commits. When Git processes a padding operator, an integer overflow can occur. OOB reads and writes can follow from the overflow, leading to remote code execution if exploited.
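The pattern behind both CVEs and the auditors’ quoted recommendations, as an added example that is not Git’s code or the audit’s code: a size computed into an int silently truncates, shown beside the size_t, capped and overflow-checked form the recommendations describe. The function names and the MAX_ENTRIES cap are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed illustration of a "truncated allocation": an element count
 * parsed from untrusted input is multiplied by an element size and the
 * result is stored in an int.  With a 32-bit int the high bits of the
 * product are dropped, so a huge count yields a tiny or zero allocation
 * while the parser still believes it has room for every entry.  The
 * narrowing conversion is implementation-defined; gcc and clang reduce
 * the value modulo 2^32. */
int truncated_alloc_size(size_t count, size_t elem_size) {
    int size = (int)(count * elem_size);   /* narrowing: top bits lost */
    return size;
}

/* Hypothetical cap on entries accepted from one input (example value). */
#define MAX_ENTRIES ((size_t)1 << 20)

/* Hardened form: lengths stay in size_t, the input length is sanity
 * checked first, and the multiply is overflow checked with the gcc/clang
 * builtin (a safe wrapper serves the same purpose).  Returns false
 * instead of ever handing back a wrapped size. */
bool checked_alloc_size(size_t count, size_t elem_size, size_t *out) {
    size_t total;
    if (count > MAX_ENTRIES)
        return false;                       /* reject absurd lengths */
    if (__builtin_mul_overflow(count, elem_size, &total))
        return false;                       /* reject wraparound */
    *out = total;
    return true;
}

/* Safe wrapper around malloc for arrays: malloc can never be reached
 * with a wrapped size because the size is validated on the way in. */
void *alloc_array_checked(size_t count, size_t elem_size) {
    size_t total;
    if (!checked_alloc_size(count, elem_size, &total))
        return NULL;
    return malloc(total);
}

int main(void) {
    /* 2^30 entries of 4 bytes: the product is exactly 2^32, truncated to 0. */
    int bad = truncated_alloc_size((size_t)1 << 30, 4);
    void *p = alloc_array_checked((size_t)1 << 30, 4);   /* rejected: NULL */
    void *q = alloc_array_checked(256, 4);               /* fine: 1024 bytes */
    free(q);
    return (bad == 0 && p == NULL && q != NULL) ? 0 : 1;
}
```

Building with -Wconversion (gcc/clang) flags the narrowing in truncated_alloc_size, which is the compiler-level check the auditors recommend enabling.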

A detailed, technical dive into these vulnerabilities is in the full audit report.

