IT NEWS

6 reasons MSPs need a patch management platform

We’ve all heard the stories: Organizations getting breached like there’s no tomorrow thanks to threat actors exploiting unpatched vulnerabilities. Likewise, we’ve also all heard the familiar refrain: Patch regularly! But for many businesses—including the Managed Service Providers (MSPs) that serve them—“patching regularly” is easier said than done.

From prioritizing what to patch to getting a common view of all the vulnerabilities across their customer environment, patching is no cakewalk for MSPs. To boot, many MSPs already face constrained staff resources and a team that is often overloaded with alert triage. 

With a patch management platform, however, MSPs can greatly simplify the patching process for their clients—and the benefits don’t end there.

In this post, we break down six reasons MSPs need a patch management platform.

Table of Contents

  1. Fills a dire need for MSP customers
  2. Generates new MSP revenue streams
  3. Gives visibility across diverse customer assets
  4. Helps MSPs become a more holistic cybersecurity provider
  5. Streamlines threat assessment and mitigation
  6. Allows you to quickly stay on top of evolving security risks

Simplify patch deployment for your customers

1. Fills a dire need for MSP customers 

According to Ponemon Institute, almost 60% of low-security maturity organizations (i.e. most MSP customers) suffered a data breach because “a patch was available for a known vulnerability but not applied”.

So, why aren’t SMBs applying patches? Simply put, because their vulnerability and patch management (VPM) activities are either only partially deployed (40%) or not even “planned or deployed at all” (24%), according to the same Ponemon study.

This is where MSPs can step in. By taking the reins of their customers’ VPM activities with a VPM platform, MSPs are filling a dire need for organizations who lack the budget and staff to do patch management themselves.

2. Generates new MSP revenue streams

According to Market Data Forecast: “The global patch management market size is forecasted to grow to USD 1.084 billion by 2027 from USD 652 million in 2022, growing at a CAGR of 10.7% between 2022 to 2027.”

Needless to say, as the threat of unpatched vulnerabilities continues to increase, and as organizations with limited budgets and IT staff continue to struggle with patching, MSPs are in great shape to capitalize on the growing market size of patch management platforms.

“Adding a VPM platform to your MSP’s existing menu of security services will allow you to generate new/additional Monthly Recurring Revenue (MRR),” says Josh Pederson, MSP expert and Senior Director of Global Product Marketing at Malwarebytes. 

What’s also important to highlight here is not just how MSPs can grow revenue directly from VPM, but indirectly as well. Nadia Karatoreos, Senior MSP Growth Strategist at Malwarebytes, explains: “Having a simplified and automated patch management process allows the MSP to focus their attention on other revenue generating activities.”

Check out our MSP’s Guide to selling security!

3. Gives visibility across diverse customer assets

Most MSPs (69%) have up to 100 different clients, according to Datto’s Global State of the MSP Report. Dozens of different clients, each using different flavors of OSes, servers, and applications—and each one of those with their own unique vulnerabilities. 

Without a VPM platform, patching all of these assets would be a nightmare for MSPs.

“The more OS and application combinations at a customer site, the more individual patches need to be maintained,” says Pederson. “Most customers do not have a homogeneous set of endpoints (only Mac, etc), so MSPs are forced to stay on top of multiple versions of the same software (Slack for OSX and Slack for Windows–double the challenge).”

A patch management platform can bring all the vulnerabilities and patch updates across your network under one view. For example, in the below screenshot of Malwarebytes OneView VPM, you can see detailed information on available software and OS patches across sites and endpoints.

4. Helps MSPs become a more holistic cybersecurity provider

MSPs are heroes to the companies they serve. Providing IT services and support is not an easy job, and doing it well requires a technology stack that is scalable, reliable, and above all, comprehensive.

SMBs that outsource their cybersecurity are looking for providers who cover all their bases–in fact, 91% of SMBs would consider switching IT service providers if they found a new one that offered the “right” cybersecurity services. And while the “right” services will vary from SMB to SMB, some form of endpoint protection, EDR, and VPM services are high up on the list for every security-minded business.

“Enhancing their ability to prevent infections is an urgent need of MSPs,” says Pederson. “Patch management is a preventative measure that helps the MSP reduce customer risk of malware infection. Many AV and EDR options do not provide this as a layer of protection, so clients are looking for it.”

In addition, adding VPM services to their portfolio not only helps MSPs better serve their clients, but it also helps them stay competitive in a notoriously competitive MSP landscape.

“MSPs can outcompete other MSPs when they provide a more comprehensive security service. A patch management platform provides that to them,” says Pederson. 

5. Streamlines threat assessment and mitigation

“Threat assessment involves identifying threats, determining the seriousness of each threat, and prioritizing how to manage threat actors,” says Nosa Obasohan, Senior Director, Cloud Product Platform at Malwarebytes.

The most common way of measuring security vulnerabilities is with the Common Vulnerability Scoring System (CVSS), which gives IT professionals a standardized process for assessing vulnerabilities. Without a VPM platform, you can expect to spend considerably more effort assigning priorities to your patching schedule by hand.

“IT teams’ patch management challenges start with incomplete asset inventory, not being able to prioritize vulnerabilities, and determining how to patch up those systems in a timely manner. A VPM platform can address all these concerns,” says Obasohan.

6. Allows you to quickly stay on top of evolving security risks

By now, we should understand that one of the best pieces of insurance against infection is not just patching, but timely patching. Automated patching–a feature of most VPM platforms–vastly improves your ability to patch in a timely manner.

“Many data breaches and ransomware attacks are the result of known vulnerabilities that have not been addressed,” says Rumna Mishra, VP of Product Management at Malwarebytes. “VPM helps organizations minimize their attack surface, identify & patch vulnerabilities in a timely manner.”

Organizations who don’t automate their patching have a much more difficult time patching things quickly–80% of organizations that use automation say they have the ability to respond to vulnerabilities in a shorter time frame. A patch management platform that automates patching gives MSPs the tool they need to quickly prevent security risks for their customers.

Simplify patch deployment for your customers 

The benefits of a patch management platform for MSPs are manifold.

On the business side, a VPM platform not only helps MSPs generate revenue and stay competitive, but it also fills a dire need for MSP customers. On the practical side, a VPM platform gives MSPs easy visibility into all of their customers’ assets, and, through automation, streamlines CVSS scoring and timely patching.

Want to continue learning how to maximize the profitability of your MSP business? Give a listen to our newly launched MSP podcast, “MSP Smartbytes”!

With Malwarebytes Vulnerability and Patch Management for OneView, MSPs can easily search for vulnerabilities across their customer ecosystem and patch them quickly. See the demo below!

How to secure a Mac for your kids

If you want to know how to secure your Mac so your kids can use it safely, I can help.

In 2018 I decided to give my kids an old Apple laptop to share, and I documented the steps I took to secure it. They were still a few years short of their tenth birthdays, and it was their first computer, so I looked into every child safety feature in macOS and dialled everything up to eleven.

It’s now four years later—my kids have changed, the laptop has died and been replaced by another Mac, and we have been through the acid test of several periods of computer-based home schooling, thanks to the pandemic.

As a result I’ve learned a few things about how Apple’s parental controls worked out in practice. In this article I’ll tell you how you can secure your Mac for your kids, and what I found useful about Apple’s safety features.

Basic security

Securing a computer for a child is not the same as securing a computer for an adult, although there are significant overlaps and similarities. Malware and malicious websites don’t care if it’s an adult or a child at the screen, so every Mac needs the same basic security precautions in place, no matter who’s using it:

  • Apply macOS security updates promptly. All the software on the computer needs to be maintained by installing the latest security updates when they become available. To ensure your Mac is installing macOS updates automatically, choose Apple menu > System Preferences, then click Software Update, and tick Automatically keep my Mac up to date. You can automatically download and install app updates from the App Store by opening App Store and going to App Store > Preferences and selecting Automatic Updates.
  • Use security software. Macs don’t see as much malware as Windows, but it is out there, and you don’t want it on your computer. We strongly recommend that you install a third-party security solution like Malwarebytes Premium for Mac.
  • Start backing up. The only backup people ever regret is the one they didn’t make. They are your last line of defense against system-altering malware, bad software updates, hardware failure and theft, and simple mistakes. Read Apple’s introduction to Time Machine and get yours working now, before you need it.
  • Install a password manager. A password manager is software for creating and remembering strong passwords. Good ones also provide a safe way for users to share passwords with other people. Proper password handling is something lots of adults struggle with, so get your kids doing the right thing from day one!

Security for kids

In addition to the threats adults face, kids also have to struggle with growing up online. They may have to deal with peer bullying, predatory adults, and harmful content. They may struggle to turn off their devices willingly, and while they may not be as interested as you in invoices from UPS or riches from Nigerian princes, they are naïve and vulnerable to other scams.

For that reason there are a lot of specialist tools for protecting children. On a Mac, they are called Screen Time. But before we look at Screen Time, I want to tell you what I think the most important thing you can do for your kids is, whatever computer they use:

Set up separate accounts

The first thing I did on my kids’ laptop was give each child their own separate user account. They each had their own virtual space to arrange as they liked, and it meant I could use different parental control setups for each child if necessary. Most importantly to me, it meant each child would have their own password.

It is much harder to learn good habits if you’ve already been taught bad ones, so I wanted my children to start out expecting they would always have their own account, and that they’d have a password that nobody else knew.

You will need at least two accounts: An admin account for yourself, and a separate account for each child.

Log on to your Mac using your admin account and go to System Preferences > Users & Groups. On the left side is a list of users. Under your name it should say Admin.

Create an account for each child by clicking the padlock, entering your password, and then clicking on the + button, choosing a Standard account, and filling in the child’s details. When it’s time to enter the password, have the child do it and make a point of looking away.

My perspective

Ensuring that both kids had their own account was the best decision I’ve made about securing the Mac. I was concerned that they might find it a drag to log out when they’d finished, or to log the other child out and enter their own password. In fact, they embraced having their own digital space, with their own avatar and wallpaper, and their own mess. Without realising, they have established an important expectation about their digital privacy and security. I hope that when they are older they’ll find it odd if somebody wants to share their account, or expects them to share theirs.

Using separate accounts also allowed me to teach the kids about the importance of keeping passwords secret from the very start. It is very hard to teach a young child how to make a strong password, but it is easy to teach them that a password is a secret.

We made a game out of picking a password that nobody else was allowed to know, not even me. Over the days and weeks that followed I’d ask “what’s your password” and they delighted in refusing to tell me.

Screen Time (Parental controls)

Apple provides parents with controls for restricting what children can and can’t do on their devices.

The functionality was once clearly signposted under the name Parental Controls but is now available through the far-less-obviously named Screen Time, which you’ll find in System Preferences > Screen Time.

The change from Parental Controls to Screen Time is a shift from a paradigm that imagines adults placing limits on their children, to a paradigm that imagines users placing computer-enforced guardrails around themselves and others. Personally, I find it hard to view this as a step forward, but it acknowledges the reality that it isn’t just kids that can get carried away with screen time.

Screen Time controls can be extended to children via Apple’s Family Sharing, accessible via Preferences > Family Sharing, and across multiple devices, using iCloud, which brings needed parity with Microsoft’s multi-device view of parental control.

Exhaustive and up-to-date details about how to set up Screen Time are available on Apple’s Use Screen Time on your Mac support page so I will not repeat them here. Suffice to say, the major features offered by Screen Time are:

  • Monitor how much time your child spends on certain apps and websites
  • Schedule downtime, so that certain apps aren’t available at certain times
  • Limit how much time your child can spend on certain apps
  • Restrict what type of content they can see in apps or websites
  • Set limits on who they can communicate with
  • Disallow access to features that might impact privacy, such as the camera

Similar, but less granular, features were available via Parental Controls four years ago when I set up my kids’ laptop, and I used all of them.

Their accounts would only work at times they were supposed to be awake, and for a maximum of one hour per day.

They were restricted to using a short list of pre-approved websites and apps, and a very short list of people they were allowed to exchange emails with. Whenever there was an option to turn on a content filter, such as restricting access to adult websites or blocking explicit language in music, I turned it on and dialled it up.

My perspective

Within a year of setting up the parental controls I removed them all, for two reasons.

Some of the controls simply proved unnecessary. For example, the children already had an established routine around when they could use screens, so it turned out there was simply no need for automatic enforcement of it. And while automatic enforcement didn’t make the kids any safer, it did give us an unwelcome hurdle to clear if we wanted to be flexible and give the children an extra 15 minutes of time.

The other controls I simply found too restrictive. Operating an allow list of websites seems like a great idea until you find yourself adding endless exceptions. Similarly, operating an allow list of apps seems like a great idea until you discover that some apps have dependencies on other apps that aren’t immediately clear. Knowing exactly what you have to add to the allow list in order for something to work was often not as clear as it needed to be.

The straw that finally broke the camel’s back on parental controls for me was school homework tasks.

It is important to understand that I felt I didn’t need the parental controls because we had already created a set of guardrails for our kids and how they use screens. Software restrictions can be useful, but they can only ever be a tool that helps with parenting and not a substitute.

For the next three years I found one other thing helped a great deal.

Because the children didn’t have access to a credit card, and didn’t have the access rights they needed to install software, they had to ask if they wanted to install something or buy something. That provided a bottleneck to prevent a lot of problems. For example, one of my children wanted to buy a game and came to me very excited about it, knowing they could afford it. The child hadn’t realised that the game was a pre-release that asked customers to part with their money and then wait (and hope) for the game to be released. As disappointed as they were, it was a great opportunity to talk about how some things aren’t what they seem.  

All of which is to say Parental Controls didn’t work for us, and our children, in our situation, at a particular age. I would encourage any concerned parent to play with the controls, try them for a reasonable period, and see what works for you. It is unlikely you will hit the bullseye with the first try.

And me? I will be taking another look at Screen Time this summer because one of my children is now racing towards their teens, and is about to get their first phone. This is the biggest change in their access to computing since I gave them the laptop and I will be thinking hard about appropriate rules and guidance, and then looking to see if software can help me.

Reset your password now! Plex suffers data breach

In an email sent to its users, Plex has revealed that a cybercriminal accessed some customer data, including emails and encrypted passwords.

From the email that was sent out by the Plex security team:

Yesterday, we discovered suspicious activity on one of our databases. We immediately began an investigation and it does appear that a third-party was able to access a limited subset of data that includes emails, usernames, and encrypted passwords. Even though all account passwords that could have been accessed were hashed and secured in accordance with best practices, out of an abundance of caution we are requiring all Plex accounts to have their password reset. Rest assured that credit card and other payment data are not stored on our servers at all and were not vulnerable in this incident.

What to do

Plex advised all customers to reset their passwords immediately. While doing that, it asked customers to make sure the checkbox “Sign out connected devices after password change” is ticked. This will sign out all of your devices and require you to sign back in with your new password.

It’s also worth making sure you have two-factor authentication set up on your account to add an extra layer of security.

Problems

Some users experienced problems following the instructions provided by Plex. Here’s this from Troy Hunt of “Have I Been Pwned?”:

[Embedded tweet from Troy Hunt]

Apparently it helps to uncheck the recommended “Sign out connected devices after password change” option and the password change will work.

Additional actions

If you have reused your Plex login credentials elsewhere, you will want to change the passwords on those sites and services as well, since there is a chance that they will end up in a database for sale on the Dark Web.

If you are having trouble keeping track of all the different passwords, we advise using a password manager.

Also be wary of phishing mails that may or may not be targeted at Plex users. Exfiltrated email addresses like these have a tendency to surface in phishing campaigns.

ChromeOS vulnerability found by Microsoft

Microsoft recently released a report about a ChromeOS remote memory corruption vulnerability. The issue has already been fixed. In fact, it was reported to Google in April. The fix was applied shortly after, and released on June 15. The resulting deep-dive from Microsoft is a fascinating look at how one technology giant addresses another’s bugs and issues.

A critical issue

The problem, tracked as CVE-2022-2587 on the Common Vulnerabilities and Exposures (CVE) list, caused big headaches for Chrome. It also racked up a Common Vulnerability Scoring System (CVSS) score of 9.8, which results in it being tagged as “Critical”. As per the description:

Out of bounds write in Chrome OS Audio Server in Google Chrome on Chrome OS prior to 102.0.5005.125 allowed a remote attacker to potentially exploit heap corruption via crafted audio metadata.

This is a memory corruption vulnerability in a ChromeOS component. As per the Microsoft report, it can be triggered remotely. Attack options are varied, ranging from denial of service attacks to remote code execution. Manipulating audio metadata and baiting potential victims with songs played in browsers or paired Bluetooth devices could be enough to set the ball rolling.

How was this possible? Let’s take a look.

The realm of common ChromeOS problems

Microsoft points out that ChromeOS vulnerabilities typically land in one of three categories:

  1. ChromeOS specific logic vulnerabilities.

  2. ChromeOS specific memory corruption vulnerabilities.

  3. Broad threats like browser vulnerabilities.

This one falls under category number 2. The problem stems from the use of org.chromium.cras, a D-Bus service related to audio which gives users a way to channel audio to new devices. These devices might take the form of headsets, speakers, anything as long as it’s audio-centric.

The strange world of strcpy

While looking at the ways audio could be routed to new peripherals, Microsoft observed a handling function called SetPlayerIdentity. Where this goes wrong is that one of the functions involved makes a call to strcpy. strcpy has been known for many years to be potentially dangerous, and something to avoid where possible.

strcpy copies bytes until it reaches the source string’s terminating NUL; it has no idea how big the destination buffer is. If the source is longer than the destination, the buffer is overrun and whatever sits next to it in memory is overwritten. This could lead to otherwise innocent crashes or actual exploitation by people with bad intentions.

In this case, it resulted in a vulnerability triggered using a single command-line argument containing more than 128 bytes. That’s bad, but this requires developer mode. As the majority of ChromeOS users will never touch that mode, Microsoft researchers needed a way to make this happen without it.
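The unbounded-copy pattern described above, next to a bounded version, as an added example. This is not the CRAS or ChromeOS code; the struct, field names and the 128-byte limit are hypothetical stand-ins chosen to mirror the article’s description.

```c
/* Added example, not ChromeOS/CRAS code: an unbounded strcpy into a
 * fixed-size field, beside a length-checked version that rejects
 * oversized input. All names here are hypothetical. */
#define _POSIX_C_SOURCE 200809L   /* for strnlen */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IDENTITY_MAX 128          /* fixed-size field, mirroring the 128-byte limit */

struct player_state {
    char identity[IDENTITY_MAX];  /* destination buffer */
    int volume;                   /* adjacent field: what an overrun would clobber */
};

/* Vulnerable pattern: strcpy stops only at the source's NUL and never
 * consults the destination size, so any input of IDENTITY_MAX bytes or
 * more runs past 'identity' into whatever follows it. Kept for comparison;
 * nothing here calls it with untrusted input. */
void set_identity_unchecked(struct player_state *st, const char *src)
{
    strcpy(st->identity, src);
}

/* Hardened version: measure the input without reading past the limit,
 * reject anything that would not fit together with its terminator, and
 * only then copy a bounded number of bytes. Returns true on success and
 * leaves the state untouched on rejection. */
bool set_identity_checked(struct player_state *st, const char *src)
{
    size_t len = strnlen(src, IDENTITY_MAX);
    if (len >= IDENTITY_MAX)
        return false;             /* 128 or more bytes: too long */
    memcpy(st->identity, src, len);
    st->identity[len] = '\0';
    return true;
}

/* Fills buf with n 'A' bytes plus a terminator (constructed test input;
 * buf must have room for n + 1 bytes). */
void make_input(char *buf, size_t n)
{
    memset(buf, 'A', n);
    buf[n] = '\0';
}

int main(void)
{
    struct player_state st = { .identity = "", .volume = 50 };
    char big[200];

    make_input(big, 150);
    printf("short input accepted: %d\n", set_identity_checked(&st, "My Song"));
    printf("150-byte input accepted: %d (volume still %d)\n",
           set_identity_checked(&st, big), st.volume);
    return 0;
}
```

The check is `len >= IDENTITY_MAX`, not `>`: a 128-byte string needs a 129th byte for its terminator, and an off-by-one here is the same class of bug in miniature.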

Remotely exploiting your way to a fix

Going back to the SetPlayerIdentity handling function, researchers made their breakthrough. Changes to audio metadata could trigger the vulnerability in just the way they were looking for:

  • From the browser: The browser’s media component invokes the function when metadata is changed, such as when playing a new song in the browser.

  • From Bluetooth: The media session service in the operating system invokes the function when a song’s metadata changes, which can happen when playing a new song from a paired Bluetooth device.

It took Google less than a week to have code ready and made available to users. As a result, ChromeOS users have been happily connecting new audio devices for some time now without having a sound-related mishap of the exploitation kind.

Thousands of Hikvision video cameras remain unpatched and vulnerable to takeover

In September 2021 we told you about insecure Hikvision security cameras that were ready to be taken over remotely.

However, according to a whitepaper published by CYFIRMA, tens of thousands of systems used by 2,300 organizations across 100 countries have still not applied the security update, and are therefore vulnerable to exploitation.

The vulnerability

According to the researcher who reported it last year, the vulnerability has existed at least since 2016. All an attacker needs is access to the http(s) server port (typically 80/443). No username or password is needed, nor are any actions needed from the camera owner, and the attack is not detectable by any logging on the camera itself. A cybercriminal could exploit the vulnerability to launch a command injection attack by sending some messages with specially crafted commands.

The patch

The flaw is tracked as CVE-2021-36260 and was addressed by Hikvision via a firmware update in September 2021. The critical bug received a 9.8 out of 10 on the CVSS scale of severity, which is easy to understand given that it allows an attacker to gain more access than the owner of the device has: the owner is restricted to a limited protected shell (psh) which filters input to a predefined set of limited, mostly informational commands.

The abuse

One possible exploit of this vulnerability was published by Packet Storm in October 2021.

In December 2021, BleepingComputer reported that a Mirai-based botnet called Moobot was spreading aggressively via exploiting this vulnerability in the webserver of many Hikvision products.

A Metasploit module based on the vulnerability was published by Packet Storm in February of 2022.

The Cybersecurity & Infrastructure Security Agency (CISA) added the vulnerability to its list of known exploited vulnerabilities that should be patched by January 24, 2022.

Unpatched

Given the amount of available information, it is trivial even for a “copy and paste criminal” to make use of the unpatched cameras.

Of an analyzed sample of 285,000 internet-facing Hikvision web servers, CYFIRMA found roughly 80,000 of them were still vulnerable to exploitation. Most of these are located in China and the United States, while Vietnam, the UK, Ukraine, Thailand, South Africa, France, the Netherlands, and Romania all count above 2,000 vulnerable cameras.

Mitigation

If you are in doubt whether you are using a vulnerable product, there is a list of the vulnerable firmware versions in the researchers’ post. Hikvision says you should download the latest firmware for your device from the global firmware portal.

In general it is not a good idea to make your cameras accessible from the internet and if you do, put them behind a VPN.

Google flags man as sex abuser after he sends photos of child to doctor

Mark noticed something was wrong with his son. His penis was hurting and appeared to be swollen. Since it was a Saturday during the pandemic, an emergency consultation was scheduled by video. So the doctor could assess the problem ahead of time, the parents were advised to send photos of their toddler’s groin area before the appointment. In one of these pictures Mark’s hand was visible, helping to better display the swelling.

Luckily for his son, the doctor diagnosed the issue and prescribed antibiotics. But the episode left Mark with a much larger problem, one which made him the target of a police investigation, according to a recent article in the New York Times. The subsequent investigation ruled that this was not a case of child sexual abuse.

Two days after Mark sent the photos, he got a notification saying his account had been disabled because of “harmful content” that was “a severe violation of Google’s policies and might be illegal.” One of the list of possible reasons was “child sexual abuse & exploitation.”

Mark realised it must be connected to the photos. 

False positive

In computing, a false positive is a file that gets marked as malicious when it actually isn’t, and Mark’s photos were a false positive. But sadly there are a lot of images that aren’t false positives.

Although estimates vary across studies, research shows that about one in four girls and one in thirteen boys in the United States experience child sexual abuse.

In the second half of 2021, Google alone filed over 287,368 reports of child abuse material and disabled the accounts of over 140,000 users as a result. The US National Center for Missing and Exploited Children (NCMEC), which is the clearinghouse for abuse material, received 29.3 million reports last year, an increase of 35% from 2020. In 2021, the NCMEC’s CyberTipline reported that it had alerted authorities to over 4,260 potential new child victims.

From numbers provided by Facebook and LinkedIn we can see that over half of the accounts that were reported to the authorities were dismissed after manual review.

The consequences

We have heard from cybersecurity evangelist Carey Parker how hard it is to de-Google your life. Imagine being forced into that position without fair warning.

When Mark’s photos were flagged as abuse, he lost access to all his Google accounts, including his Android phone. Even after being exonerated by the police his access was not restored.

“Not only did he lose emails, contact information for friends and former colleagues, and documentation of his son’s first years of life, his Google Fi account shut down, meaning he had to get a new phone number with another carrier. Without access to his old phone number and email address, he couldn’t get the security codes he needed to sign in to other internet accounts, locking him out of much of his digital life.”

Inevitable

When you look at the numbers, it is clear that automation is needed to review the huge number of reports. Not to mention the mental health issues a human moderator may encounter. But can we trust Artificial Intelligence (AI) to decide in cases where the consequences can be so dire? How can we make a choice between ruining someone’s life just because an algorithm coughed up their name, and missing a case of child abuse?

Whichever way we decide to go, we should not leave this in the hands of machines alone. To extend the comparison to malware false positives: If our AI detects a false positive and we find out, we hurry to remove the false detection and help correct any errors that ensued from it. That is what our customers expect from us and they are right to do so.

Oblivious

Both governments and tech giants are unwilling to share details about the inner working of the system, for understandable reasons. But should we not have at least some insight? At least enough to not become the next false positive.

By not knowing how these scanning algorithms work, we have no way of knowing how we can avoid becoming a false positive. I’ve sometimes wondered, because of my profession and my interests in coding and malware, how many alarms I have triggered and whether at some point someone is coming to knock on my door and ask what’s up with that.

The end verdict

While the discussion about the algorithms and their consequences is a valid one, maybe we shouldn’t even be having it. What gives any government or tech giant the right to go through our personal files? In an article written in response to the New York Times article, the Electronic Frontier Foundation (EFF) concludes that the real solution lies in “real privacy”.

“The answer to a better internet isn’t racing to come up with the best scanning software. There’s no way to protect human rights while having AI scan peoples’ messages to locate wrongdoers.”

The problem is real, but giving up our privacy may not be the answer.

CISA wants you to patch these actively exploited vulnerabilities before September 8

On Thursday, CISA (the US Cybersecurity and Infrastructure Security Agency) added seven new entries to its catalog of Known Exploited Vulnerabilities (KEV). The flaws affect Apple, Google, Microsoft, Palo Alto Networks, and SAP products. Under Binding Operational Directive 22-01, federal civilian agencies must patch them by September 8, 2022; everyone else should treat that date as a strong hint rather than a deadline they are exempt from.

CVE-2022-22536, an SAP flaw with the highest possible CVSS score of 10, is one of the seven. We wrote about it in February, and SAP addressed it promptly with a patch. CISA warned at the time that customers who fail to patch CVE-2022-22536 could be exposed to ransomware attacks, data theft, financial fraud, and other business disruptions that could cost them millions.

CVE-2022-32893 and CVE-2022-32894, two zero-day out-of-bounds write vulnerabilities affecting iOS, iPadOS, and macOS, continue to make headlines as of this writing. The first is in WebKit, where processing maliciously crafted web content can lead to arbitrary code execution; the second is in the kernel, where an application can execute arbitrary code with kernel privileges. Combined, that is a complete path from a booby-trapped web page to full control of the device. Apple has already fixed both in iOS 15.6.1, iPadOS 15.6.1, and macOS Monterey 12.5.1, and the WebKit bug in Safari 15.6.1 for older macOS releases.

The high-severity Google Chrome flaw, CVE-2022-2856, is also confirmed to be under active exploitation. As with other zero-days, technical details are sparse, but the advisory describes it as "insufficient validation of untrusted input in Intents." Intents are the mechanism by which Chrome on Android hands URLs and data off to other apps and receives them back, so the bug sits on a boundary where untrusted input crosses from one component to another. Google has not said what an attacker can achieve with it; validation bugs of this kind range from bypassing a security check to, in the worst case, code execution.

Google has already patched this in Chrome 104.0.5112.101 (104.0.5112.102 on Windows). Chrome should update itself, but an update only takes effect after a restart, so open chrome://settings/help to force an update check and confirm the version actually running.

Microsoft patched CVE-2022-21971, a Windows Runtime remote code execution bug, and CVE-2022-26923, an Active Directory Domain Services elevation of privilege bug better known as "Certifried", in February and May, respectively. The former was rated "exploitation less likely" at the time, but that assessment has been overtaken by events: a proof-of-concept (PoC) has been available since March. PoC exploits were also published for the latter. In both cases the PoCs appeared after Microsoft had shipped a patch, which is exactly the window in which systems that lag on updates get hit.

Palo Alto Networks' entry is the oldest of the new additions. Disclosed in 2017, CVE-2017-15944 is a PAN-OS flaw with a CVSS rating of 9.8 (Critical) that allows remote code execution on affected firewalls. You can read more on Palo Alto Networks' advisory page.

Malwarebytes advises readers to apply these patches if they use any of the products mentioned. You don't have to wait for the due date before you act.
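CISA publishes the catalog as JSON, and the fastest way to stop "waiting for the due date" is to read it programmatically. The script below is an added example for this post, not CISA's or Malwarebytes' code: it parses a feed in the KEV JSON shape, keeps the entries for the vendors you actually run, and prints them with the days remaining until CISA's due date. The sample feed is constructed inline so the script runs offline; the seven CVE IDs, vendors, and the September 8 due date are the ones named above, while the dateAdded and product strings are assumptions for illustration.

```python
"""Triage a CISA KEV-format feed: what is due, for whom, and how many days remain."""
import json
from collections import defaultdict
from datetime import date
from typing import Dict, Iterable, List

# Constructed sample in the shape of CISA's known_exploited_vulnerabilities.json.
# CVE IDs, vendors and the 2022-09-08 due date come from the post; dateAdded and
# product strings are assumptions for illustration, not copied from the catalog.
SAMPLE_KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "sample",
  "dateReleased": "2022-08-18T00:00:00.0000Z",
  "count": 7,
  "vulnerabilities": [
    {"cveID": "CVE-2022-22536", "vendorProject": "SAP", "product": "Multiple Products",
     "dateAdded": "2022-08-18", "dueDate": "2022-09-08"},
    {"cveID": "CVE-2022-32893", "vendorProject": "Apple", "product": "iOS, iPadOS, and macOS",
     "dateAdded": "2022-08-18", "dueDate": "2022-09-08"},
    {"cveID": "CVE-2022-32894", "vendorProject": "Apple", "product": "iOS, iPadOS, and macOS",
     "dateAdded": "2022-08-18", "dueDate": "2022-09-08"},
    {"cveID": "CVE-2022-2856", "vendorProject": "Google", "product": "Chrome",
     "dateAdded": "2022-08-18", "dueDate": "2022-09-08"},
    {"cveID": "CVE-2022-21971", "vendorProject": "Microsoft", "product": "Windows",
     "dateAdded": "2022-08-18", "dueDate": "2022-09-08"},
    {"cveID": "CVE-2022-26923", "vendorProject": "Microsoft", "product": "Windows",
     "dateAdded": "2022-08-18", "dueDate": "2022-09-08"},
    {"cveID": "CVE-2017-15944", "vendorProject": "Palo Alto Networks", "product": "PAN-OS",
     "dateAdded": "2022-08-18", "dueDate": "2022-09-08"}
  ]
}
"""

POST_DATE = date(2022, 8, 18)   # assumed date the entries were added (the Thursday in the post)
DUE_DATE = date(2022, 9, 8)     # CISA due date from the post


def load_kev(text: str) -> List[dict]:
    """Parse the feed and return its vulnerability entries in catalog order."""
    return json.loads(text)["vulnerabilities"]


def due_by(entries: Iterable[dict], deadline: date) -> List[dict]:
    """Entries whose CISA due date falls on or before `deadline`."""
    return [e for e in entries if date.fromisoformat(e["dueDate"]) <= deadline]


def days_left(entry: dict, today: date) -> int:
    """Days until the due date; zero on the day, negative once overdue."""
    return (date.fromisoformat(entry["dueDate"]) - today).days


def for_vendors(entries: Iterable[dict], vendors: Iterable[str]) -> List[dict]:
    """Keep only entries for vendors present in your inventory (case-insensitive)."""
    wanted = {v.lower() for v in vendors}
    return [e for e in entries if e["vendorProject"].lower() in wanted]


def group_by_vendor(entries: Iterable[dict]) -> Dict[str, List[str]]:
    """Map vendor -> CVE IDs, preserving feed order."""
    grouped: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        grouped[e["vendorProject"]].append(e["cveID"])
    return dict(grouped)


def report(text: str, vendors: Iterable[str], today: date) -> List[str]:
    """One line per relevant CVE, most urgent (earliest due, then earliest added) first."""
    entries = for_vendors(load_kev(text), vendors)
    entries.sort(key=lambda e: (e["dueDate"], e["dateAdded"]))
    return [f'{e["cveID"]:<16} {e["vendorProject"]:<20} {e["product"]:<24} '
            f'due {e["dueDate"]} ({days_left(e, today):+d} days)' for e in entries]


if __name__ == "__main__":
    # Inventory assumption: this fleet runs Apple, Microsoft, and Google products only.
    for line in report(SAMPLE_KEV_JSON, ["Apple", "Microsoft", "Google"], POST_DATE):
        print(line)
```

Point the loader at the real feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json) and at your asset inventory's vendor list, and run it daily; the sort order means the first lines are always the ones to patch today.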

Reddit users crowdsourcing explicit images and identities

The BBC has warned of a large photograph trading ring operating on the popular forum site Reddit. The warnings relate to stolen nude photographs and other content shared without permission.

In this case, even non-explicit photos are being posted alongside frequently degrading and inappropriate comments, some of which tip into outright threats and harassment. What is going on here?

Non-consensual image theft on a grand scale

We've previously highlighted regular images stolen and used as bait to lure people to pornography sites. On this occasion, the reporter was tipped off after a contact found their own photograph posted to the subreddit (a topic-specific forum on Reddit) in question, alongside various derogatory comments. The BBC reporter quickly discovered a large ring of individuals not only "sharing, trading, and selling explicit images," but also teaming up to figure out where the women in the photographs live.

Addresses, social media accounts, phone numbers and more were pieced together by Reddit users. Threats, blackmail, and related comments would soon be sent to their chosen targets.

In fact, this isn't the work of "just" one subreddit but dozens. One subreddit played host to around 20,000 users and contained more than 15,000 images, 150 of them sexually explicit. It seems at least some of these images are being shared by ex-partners without consent. Other victims have been filmed or photographed secretly and had the images posted online at a later date.

These are typical actions within abusive relationships, where the abuser misuses technology to exert control. In this case, the abuse is being farmed out for public syndication, likes, virtual high-fives, or even a small profit.

The problem of taking down stolen images

Images are often shared between different subreddits, and on messaging apps too, which makes it difficult to guarantee that stolen images are ever gone for good. Hoarding ensures that if the original source goes down, someone else is almost guaranteed to repost the theoretically lost photographs.

Several women told the BBC they’ve struggled to have images of them posted without permission removed. In other cases, some images would be removed quickly but others would take a long time to resolve.

Slow response times and outright failure to remove images are a big problem across tech. Back in February, the BBC reported 100 images to Telegram. A month later, 96 were still available; the other four were in groups that were no longer accessible.

Another issue depends heavily on your local laws. In the UK, revenge porn legislation requires proof that the sharer intended to cause the victim distress. If they claim the images were not shared to cause distress or harm, they can try to wiggle out of trouble through that legal loophole.

Sadly, for the most part, the bottom line here seems to be that people suffering this kind of abuse are mostly on their own.

One down, many more to go

The main subreddit from the BBC investigation has been shut down. The person who operated it was identified and has deleted their Reddit account. Many other subreddits like it likely exist, and many more communities away from Reddit.

Bad people are more than willing to do awful things with your most private data. Having said that, there’s much you can do to keep everything as secure as possible.

Stay safe out there.

Criminals socially engineer their way to bank details with fake arrest warrants

When an organization in the West suffers a major data breach, it knows (at a minimum) that it must notify the relevant government authority, get law enforcement involved, and then inform its clients and partners. That seems simple enough, but the process is the product of countless past breaches, followed by a myriad of digital crimes that took advantage of the leaked and stolen data.

Unfortunately, not all governments handle compromised data the same way, even though every country, and its citizens, has had to deal with it. And while some governments continue to deny the real-life impact of such incidents and lawmakers are still figuring out what to do, consumers are left to fend for themselves with no real help from law enforcement.

Such was the case of @TheVenusDarling, a Twitter user in Malaysia. She was targeted by online scammers who used her personal details, gleaned from an April 2022 data leak that affected 22.5 million people.

Note that Venus’s case is just one of many. After she shared her experiences on Twitter, some came forward to tell a similar tale that, more than losing money, left them feeling traumatized for a long time. Without Venus’s quick thinking and help from a cybersecurity pro, she would’ve been left in a far more difficult situation.

Scammers put victims in a swirl of “too much”

It began with a phone call.

The caller, a woman purportedly working for the Inland Revenue Board of Malaysia (IRBM), the agency responsible for collecting taxes, said that "Venus" owed at least RM50,000 (about $11,000) in arrears for a business registered under her name.

"The caller seemed authoritative and convincing and even supplied a reference number," said Munira Mustaffa, the expert who helped Venus in her case. It didn't stop there. In further attempts to sell the legitimacy of the call and the integrity of the person on the other end of the line, the caller connected Venus to a "police inspector" (PI), who then instructed her to hang up and Google the number of the local police headquarters. She then received a call from a number matching the one she had just searched. Caller ID is trivially spoofed, so a matching number proves nothing; the trick is designed to turn the victim's own verification step against her.

Mustaffa, who founded the Chasseur Group and serves as its executive director and principal analyst, is known in counter-terrorism and organized crime circles. In her post, she broke down the scam into four phases, reflecting the scammers’ intent in each stage: Dismay, Isolate, Overwhelm, and Intimidate.

The so-called PI proceeded to inform Venus that there was an arrest warrant for her because her ATM card was linked to money laundering and fraud [Dismay]. He then passed the call to a "high-ranking officer" (HRO), who instructed her to move to a quieter place to ensure the call's privacy [Isolate]. The HRO then sent Venus a copy of the purported arrest warrant, containing her legitimate details, via WhatsApp [Overwhelm]. He also told her to download and install an APK file he sent via the messaging app, supposedly to aid the investigation. An APK delivered over a chat app bypasses the Play Store and its scanning entirely; installing it requires the victim to allow sideloading, and that is the step that hands the scammers control of the phone.


The fake arrest warrant the supposed "high-ranking officer" sent to the victim. It carries the official emblem of the country's law enforcement body and legitimate details of the victim gleaned from the April 2022 leak. (Source: Chasseur Group)

Venus did as instructed, including filling out the form in the app. When she was about to enter her bank account PIN, she remembered she wasn't supposed to share it with anyone, and realized she was about to be scammed. Sensing her hesitation, the HRO began shouting to frighten her into giving up the PIN [Intimidate].

She then ended the call, uninstalled the app, and sought Mustaffa’s help.

“Unfortunately, in this instance, uninstalling the app is not sufficient,” Mustaffa said. “Even with the application deleted, we had to assume that the device remained infected with malware. Hitting reset would have been the recommended option; however, that would result in data loss—an outcome not many are willing to go for.”

Scammers know what people don’t

If this scam is not spotlighted and people are not educated, many more will fall for it. Scammers succeed not only because they have the tools to exploit whatever misfortune befalls people; they also know what people know and, more importantly, what they don't.

In this case, they know that citizens are largely unaware of how government processes actually work. And while the IRBM and law enforcement have a social media presence and do warn their followers about scams, it's not enough.

“[T]he general populace must be properly informed about the government’s procedures and standards,” Mustaffa said. “And in order to do this, it is vital to enhance the accessibility, clarity, and transparency of information that is already widely available.”

Getting familiar with the scam is also a big way to prevent it.

A scam is a scam, regardless of origin. If it proves lucrative, others will copy it. It's only a matter of time before online criminals elsewhere adopt this tactic and launch their own social engineering campaigns against unwary citizens.

Cryptojackers growing in numbers and sophistication

With rising energy costs and increased volatility in cryptocurrency prices, a rise in malicious cryptomining, aka cryptojacking, was all but inevitable. If you don't know whether you will ever see a return on your investment in mining equipment, you look for other opportunities. A threat actor can simply use other people's resources to mine their cryptocurrency: no investment, and if the number of mining bots is high enough, a worthwhile profit.

Detection

Keeping the number of bots secretly used for mining high means cybercriminals have to maintain a low profile on the affected machines. Rendering a device useless for its owner prompts that user to investigate, which could end with the sneaky miner being removed.

File detections, whether of running executables or browser extensions, have the same effect. Once a miner is detected by one or more popular anti-malware programs, a cyberthief will quickly see their army of miners shrink. Look at our top 10 malware of last month and you will notice that RiskWare.BitCoinMiner and Trojan.BitCoinMiner are regulars in the top 10 of (Windows) malware we blocked.

Fileless

The workaround some cybercriminals have found for file detection is to make their malware fileless. Unlike traditional malware, which relies on a file being written to disk, fileless malware is intended to be memory resident only. In a recent blog post, Microsoft describes cryptojackers that, rather than dropping a miner executable of their own, abuse legitimate system binaries, known as LOLBins.

LOLBins is short for Living Off the Land Binaries: non-malicious binaries that ship with the operating system and that cybercriminals repurpose to camouflage their malicious activity.

Notepad

One of the most abused tools for cryptomining is notepad.exe. Using techniques like process hollowing, where a legitimate process such as notepad.exe is started in a suspended state, its original code is unmapped, and the miner is written into its address space before the process is resumed, the malware tries to stay under the radar: the task manager and any naive process-name allowlist see only a harmless text editor. The malware creates a scheduled task or uses other recurring events to kick off the hollowing routine.

[Image: process hollowing]

Detecting fileless malware

There are several ways to detect fileless malware. In their post, Microsoft proposes hardware-based threat defense, which applies machine learning to low-level CPU telemetry (Intel Threat Detection Technology, in their case) to spot the instruction patterns of mining. Cryptojackers typically cause sustained spikes in CPU usage, which is often what prompts a user to investigate in the first place, because the system slows down.

Behavioral detection makes sense, especially for cryptojacking, where the malware's behavior is predictable from its end goal. Other typical malware behaviors, like code injection, process hollowing, and creating scheduled tasks, raise warning flags as well.

Other warning signs can be found in the connections certain processes make, such as reaching out to known C2 servers and mining pools: a text editor that opens a socket to a stratum port is not editing text. We also block connections to websites that use their visitors' systems for cryptomining without explicit consent.
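The behavioral signals described above (sustained CPU load, a LOLBin with network connections, a connection to a mining-pool port, an in-memory image that no longer matches the file on disk, and a Task Scheduler parent) combine naturally into a scoring rule. The script below is an added example for this post, not Malwarebytes' or Microsoft's detection logic: it runs that rule over a constructed process snapshot in which a hollowed notepad.exe sits next to a busy browser, an idle notepad.exe, and a 3D renderer pegging the CPU legitimately. The field names of the snapshot, the port list, and the score thresholds are assumptions; the last case is there to show why high CPU alone must not convict.

```python
"""Heuristic cryptojacker triage over a constructed EDR-style process snapshot."""
import statistics
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Stratum ports used by common pool miners (XMRig defaults and popular pools).
# Assumption: a production detector would also match a curated pool/C2 domain list.
MINING_PORTS = {3333, 4444, 5555, 7777, 14444, 14433, 45700}

# Windows binaries that should never sustain high CPU or open outbound sockets.
QUIET_LOLBINS = {"notepad.exe", "calc.exe", "mspaint.exe", "write.exe"}


@dataclass
class ProcessRecord:
    """One process from the snapshot. Field names are assumptions, not a real EDR schema."""
    pid: int
    name: str
    parent_name: str
    parent_cmdline: str
    cpu_samples: List[float]             # percent of one core, sampled once a minute
    connections: List[Tuple[str, int]]   # remote (ip, port) pairs
    image_hash_on_disk: str              # hash of the PE file the process was started from
    image_hash_in_memory: str            # hash of the PE header actually mapped in memory


def score_process(p: ProcessRecord) -> Tuple[int, List[str]]:
    """Return a suspicion score and the reasons that contributed to it."""
    score, reasons = 0, []

    # Sustained load, not a brief spike: the median ignores a single burst.
    if len(p.cpu_samples) >= 5 and statistics.median(p.cpu_samples) >= 80:
        score += 2
        reasons.append("sustained high CPU")

    if p.name.lower() in QUIET_LOLBINS and p.connections:
        score += 2
        reasons.append(f"{p.name} has outbound connections")

    if any(port in MINING_PORTS for _, port in p.connections):
        score += 3
        reasons.append("connection to a stratum/mining-pool port")

    # Process hollowing: the mapped image no longer matches the file it was started from.
    if p.image_hash_on_disk != p.image_hash_in_memory:
        score += 3
        reasons.append("in-memory image differs from on-disk image (hollowing)")

    # Recurring launch from the Task Scheduler service host.
    if p.parent_name.lower() == "svchost.exe" and "schedule" in p.parent_cmdline.lower():
        score += 1
        reasons.append("launched by Task Scheduler")

    return score, reasons


def verdict(score: int) -> str:
    """Thresholds are assumptions; tune them against your own fleet's baseline."""
    if score >= 5:
        return "likely cryptojacker"
    if score >= 3:
        return "suspicious"
    return "benign"


def triage(snapshot: List[ProcessRecord]) -> Dict[int, dict]:
    """Score every process in the snapshot, keyed by PID."""
    result = {}
    for p in snapshot:
        s, why = score_process(p)
        result[p.pid] = {"name": p.name, "score": s, "verdict": verdict(s), "reasons": why}
    return result


# Constructed sample snapshot (not real telemetry). 203.0.113.0/24 is a documentation range.
SAMPLE_SNAPSHOT = [
    # hollowed notepad.exe: pegged CPU, talking to a pool, image mismatch, started by a task
    ProcessRecord(4312, "notepad.exe", "svchost.exe", "svchost.exe -k netsvcs -p -s Schedule",
                  [94, 97, 95, 96, 93, 98, 95], [("203.0.113.10", 14444)], "aa11", "ff99"),
    # browser: one CPU burst and ordinary HTTPS traffic
    ProcessRecord(2200, "chrome.exe", "explorer.exe", "explorer.exe",
                  [22, 35, 91, 30, 28, 33, 25], [("203.0.113.20", 443)], "bb22", "bb22"),
    # a real notepad.exe opened by the user
    ProcessRecord(5120, "notepad.exe", "explorer.exe", "explorer.exe",
                  [0, 1, 0, 0, 1, 0, 0], [], "aa11", "aa11"),
    # legitimate renderer: high CPU but nothing else suspicious
    ProcessRecord(6001, "blender.exe", "explorer.exe", "explorer.exe",
                  [99, 98, 99, 97, 99, 98, 99], [], "cc33", "cc33"),
]

if __name__ == "__main__":
    for pid, r in triage(SAMPLE_SNAPSHOT).items():
        print(pid, r["name"], r["score"], r["verdict"], "; ".join(r["reasons"]))
```

The image-hash comparison is the expensive signal (it needs memory access on the endpoint), but it is also the one a miner cannot hide from by being polite about CPU; the cheap signals, CPU and network, are what make the fleet-wide sweep affordable.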

Mitigation

Noticing that something is amiss is an important step. Don't dismiss constant high CPU usage as a nuisance. It can do costly damage to your system, which was not built to run at peak load around the clock, and it shows up on your power bill.

Cryptojacking can be done locally on the system or in the browser. Knowing the difference can help you remediate the problem, as both methods require different forms of protection.

Any decent anti-malware solution, like Malwarebytes, protects against both methods. You will need real-time protection enabled, though: a scan of your computer's file system alone can miss the fileless variants, because there is no file to scan.