IT NEWS

The FBI issued a public warning this week about a fraud scheme wherein scammers impersonate government officials and law enforcement personnel. According to the PSA, the scammers spoof legitimate numbers and names and use fake credentials of well-known members of the government and law enforcement agencies.

The scam starts off either as a call from the “police” or a text message from a “government agency”. The content of the calls and text messages vary, but they are all bogus.

In the case of phonecalls, victims are either informed that their identities have been used in a crime, such as drug dealing or money laundering, or told they missed jury duty. The victim is then pressed to verify their identity using their social security number (SSN) or date of birth (DOB). If the victim resists, they are threatened with fines, arrest and imprisonment.

The text messages don’t involve accusations but instead ask victims for information related to either passport, driver’s license, or medical license renewals. The scammers threaten the revocation of licenses or registration if the victims refuse to renew or hand over the information.

Other tactics include extorting money from romance scam victims to “clear their name for participating in a crime” or as means to aid law enforcement in capturing their romance scammer. The scammers also impersonate law enforcement and say they are collecting taxes and fees from lottery scam victims. Lastly, the scammers call victims to tell them they are due to recieve a government grant, but say they need to pay some money before they can claim it.

Victims are offered a variety of means of payment, including prepaid cards, wire transfers, and cash sent by mail or cryptocurrency ATMs.

The FBI says legitimate law enforcement personnel and government officials would never request payment via the above means. It also remindes people to never give out personal information over the phone without verifying that the caller is who they say they are.

The warning included some red flags to pick up on: “Scammers will use an urgent and aggressive tone, refusing to speak to or leave a message with anyone other than their targeted victim; and will urge victims not to tell anyone else, including family, friends, or financial institutions, about what is occurring.”

The post Extortion scheme impersonates government officials, law enforcement appeared first on Malwarebytes Labs.

Azure is Microsoft’s cloud computing service providing a wide range of features for businesses worldwide. It’s particularly popular for its virtual machines and IaaS (infrastructure as a service). One useful Azure feature is Automation, which has been around for some years now. Management tasks can be automated across multiple external systems. This is where the latest vulnerability tale begins.

Researchers at Orca Security have discovered an issue with Azure which they’ve called “AutoWarp”. The issue allows for attackers to grab authentication tokens and grant unauthorised access to accounts. As per the research itself, AutoWarp could mean “…full control over resources and data belonging to the targeted account, depending on the permissions assigned by the customer”.

How could this issue be used in an attack?

The flaw enables interaction with servers managing sandboxes belonging to other entities. The tokens—used to confirm a user has the correct permissions to access Azure—could be grabbed via automation jobs.

Here’s a description of what went down from the Microsoft Security Response Center:

An Azure automation job can acquire a Managed Identities token for access to Azure resources. The scope of the token’s access is defined in Automation Account’s Managed Identity. Due to the vulnerability, a user running an automation job in an Azure Sandbox could have acquired the Managed Identities tokens of other automation jobs, allowing access to resources within the Automation Account’s Managed Identity.

A timeline of token disaster…almost

This flaw was reported to Microsoft on December 6, 2021 and it was fixed by December 10. The researchers then went hunting for other similar attacks. The good news is, they don’t appear to have found any. Not only that, but it also seems there’s no evidence of this having been exploited out in the wild.

As the Orca blog points out, you may well have been vulnerable to this problem before Microsoft fixed it if you used the Automation service and the related managed identity function was enabled by default. Even so: no examples of exploitation in the wild. That’s as good an end result as we can possibly hope for, given how many organisations may have been running with default configurations.

Why Azure is an appealing target for attackers

Anything cloud based is always going to be a hot target for people up to no good. Depending on the setup, attackers may be able to impact multiple people and companies all in one go. Exfiltration, ransomware, and blackmail all go well alongside vulnerable cloud services. This is why flaws like the above are taken so seriously.

Whether we’re talking about OMIGOD exposing virtual machines, the Mirai botnet, brute forcing, or four-year long source code leak bugs, the cloud space has been affected by many issues. Organisations place a lot of trust in cloud services, and they expect secure platforms and data that’s kept safe from prying eyes and sticky fingers.

You can’t guarantee something is 100% foolproof. Even so, the above is a great example of getting an issue resolved in a very short timeframe. We can only hope to see more of this the next time a cloud-based service runs into trouble.

The post Azure AutoWarp brings automation headaches appeared first on Malwarebytes Labs.

In a FLASH publication issued by the FBI in coordination with DHS/CISA, the FBI says it has identified at least 52 organizations across 10 critical infrastructure sectors affected by RagnarLocker ransomware, including organizations in the critical manufacturing, energy, financial services, government, and information technology sectors.

Threat profile

RagnarLocker can be recognized by the extension of the encrypted files which contains “.RGNR_<ID>,”  or “.ragnar_<ID>” where <ID> is a hash of the computer’s NETBIOS name.

The ransom note is called “.RGNR_[extension].txt” and states the files and data have been encrypted by RAGNAR_LOCKER.

Exfiltrated data of victims that refuse to pay will be published on the “Wall of Shame” leak site.

RagnarLocker iterates through all running services and terminates services commonly used by Managed Service Providers (MSPs) to remotely administer networks. The malware then attempts to silently delete all Volume Shadow Copies, preventing user recovery of encrypted files.

Don’t call the cops

In the past, RagnarLocker has warned victims explicitly against contacting the FBI, or other law enforcement agencies for that matter. In September 2021, the ransomware operators threatened to publish all the data of victimized organizations that seek help from law enforcement or investigators following ransomware attacks.

But, in the wake of recent high-profile cyber and ransomware attacks, Congress and the Biden administration have joined forces to drive policy changes that would require organizations to report certain cyberincidents to the federal government. Importantly, the legislation would give organizations 72-hours to report a cyberincident. Ransomware attacks by an entity believed to originate from the CIS would certainly qualify as such.

The FBI urges you to report ransomware incidents to your local field office. Doing so provides investigators and analysts with the critical information they need to track ransomware attackers, hold them accountable under US law, and prevent future attacks.

The FBI says it would like the following information:

Short term items:

• Copy of the ransom note (screen shot/picture/text file)
• Any discovered malicious IPs with time stamps/time zones (unusual RDP connections/unusual VPN connections/beacons to malicious IPs)
• Virtual currency addresses/amount of demand
• Any malicious files (executables/binaries)
• Summary of timeline of events (dates of initial observation/malicious activity)
• Evidence of data exfiltration

Long term items:

• Brief summary of where the IOCs came from
• Incident response report
• Copy of any communications with malicious actors
• Forensic images and memory captures
• Host and network logs
• Any available decryptor
• Scope of impact (amount of loss)

CIS

As mentioned in our blog post Ransomware’s Russia problem, RagnarLocker is believed to be of Russian origin and will try to avoid making victims in the Commonwealth of Independent States (CIS). To do so, Ragnar Locker uses Windows API GetLocaleInfoW to identify the location of the infected machine. If the victim location is identified as “Azerbaijani,” “Armenian,” “Belorussian,” “Kazakh,” “Kyrgyz,” “Moldavian,” “Tajik,” “Russian,” “Turkmen,” “Uzbek,” “Ukrainian,” or “Georgian,” the process terminates.

IOCs

In the pdf file that carries FLASH Number CU-000163-MW you can find the current IOCs, including IP addresses, Bitcoin addresses, and email addresses.

Mitigation

To stay out of the claws of the RagnarLocker group the usual mitigation techniques for ransomware apply. The FBI lists:

• Use multi-factor authentication with strong passwords, including for remote access services.
• Keep computers, devices, and applications patched and up-to-date.
• Monitor cyberthreat reporting regarding the publication of compromised VPN login credentials and change passwords and settings.
• Consider adding an email banner to emails received from outside your organization.
• Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
• Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
• Implement network segmentation.

The FBI recommends backup strategies to speed up recovery from a ransomware attack:

• Back-up critical data offline.
• Ensure copies of critical data are in the cloud or on an external hard drive or storage device. This information should not be accessible from the compromised network.
• Secure your backups and ensure data is not accessible for modification or deletion from the system where the data resides.

Stay safe, everyone!

The post RagnarLocker ransomware gang breached 52 critical infrastructure organizations appeared first on Malwarebytes Labs.

Our Threat Intelligence team has been closely monitoring cyber threats related to the war in Ukraine. Today, we discovered a malicious spam campaign dropping the Formbook stealer specifically targeting Ukrainians.

Formbook is part of a long-running malspam operation that we observe on a regular basis. This time, the email lure is written in Ukrainian and tricks victims into opening an alleged letter of approval to receive funds from the government.

The email can be translated as:

Dear citizens, we inform you that you are not alone in this difficult time, we in the authorities are doing everything possible to protect our citizens.
 
All citizens receive support from the Federal Government in the amount of 15,000, we want to say that you must protect each other, this is a difficult time for everyone, together with God we will fight this difficult time.
 
Your letter of approval is added
 
Sincerely.

Upon opening the file called лист підтримки.xlsx (support letter.xlsx), an exploit for CVE-2017-11882 will attempt to compromise the machine in order to download the Formbook payload from a remote server.

This is not the first — and certainly won’t be the last — time we see threat actors taking advantage of crises. As heartless as it looks, we realize that malware and criminal operations are always ongoing.

Malwarebytes customers were protected from this attack thanks to our Anti-Exploit protection layer.

Indicators of Compromise

Email subject

лист схвалення касового забезпечення – міністр

Formbook maldoc

лист підтримки.xlsx
7d39e6ca46c053c1ad744de1ca8867217596bb17bb673785eb8827b00c5ae05b

Formbook URL

103.167.92[.]57/xx_cloudprotect/vbc.exe

Formbook payload

b5f79bb30d60794b7edbf486fa96a11c1ac3ba34592a496379020e8379f281be

The post FormBook spam campaign targets citizens of Ukraine️ appeared first on Malwarebytes Labs.

The updates for Microsoft’s March 2022 Patch Tuesday should fix 92 vulnerabilities, including three zero-day vulnerabilities.

Of the 92 vulnerabilities, 21 are for Microsoft Edge and originate from the Chromium Project. Of the 71 others, three are classified as Critical because they allow remote code execution (RCE).

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Let’s have a look at the most interesting ones that were patched in this Patch Tuesday update.

The first three are publicly disclosed vulnerabilities, which makes them zero-day vulnerabilities, but so far none of them has been seen to be exploited in the wild.

Remote Desktop Client

CVE-2022-21990: A Remote Desktop Client remote code execution vulnerability. In the case of a Remote Desktop connection, an attacker with control of a Remote Desktop Server could trigger a remote code execution (RCE) on the RDP client machine when a victim connects to the attacking server with the vulnerable Remote Desktop Client. This vulnerability might be hard to exploit since it requires an attacker to control a malicious server and that the user must willingly connect to it. There is Proof-of-Concept (PoC) code available for this vulnerability.

Windows Fax and Scan service

CVE-2022-24459: Windows Fax and Scan service elevation of privilege vulnerability is an LPE (local privilege escalation) vulnerability in the Windows Fax and Scan service. An LPE vulnerability means that an attacker should already have some level of access and can take their privileges to a higher level by exploiting this vulnerability. Such vulnerabilities can be useful in an attack chain. There is Proof-of-Concept (PoC) code available for this vulnerability.

.NET and Visual Studio

CVE-2022-24512: A .NET and Visual Studio Remote Code Execution vulnerability. The ability to exploit this vulnerability by itself is limited. An attacker would need to combine this with other vulnerabilities to perform an attack. This is because successful exploitation of this vulnerability would require a user to trigger the payload in the application.

Next up are the vulnerabilities that were rated as critical.

Exchange Server

CVE-2022-23277: A Microsoft Exchange Server remote code execution vulnerability. The attacker for this vulnerability could target the server accounts in an arbitrary or remote code execution. As an authenticated user, the attacker could attempt to trigger malicious code in the context of the server’s account through a network call. So the attacker needs some form of authentication to exploit this vulnerability. Which makes it all the more important to change or remove compromised accounts. Stolen or leaked credentials can be used to wreak havoc.

HEVC video extensions

CVE-2022-24508: A HEVC Video Extensions arbitrary code execution vulnerability. The High Efficiency Video Coding (HEVC) extensions allow a buyer to playback files in HEVC format. An attacker could exploit the vulnerability by convincing a victim to download and open a specially crafted file which could lead to a crash. The Microsoft Store will automatically update affected customers. Alternatively, customers can get the update immediately.

VP9 video extensions

CVE-2022-24501: A VP9 video extensions arbitrary code execution vulnerability. Very much the same as the above. An attacker could exploit the vulnerability by convincing a victim to download and open a specially crafted file which could lead to a crash. VP9 is the successor to VP8 and competes with HEVC.

Finally, one vulnerability that is listed as Important and not as Critical, but which looks like a likely candidate to be exploited.

SMBv3 client/server

CVE-2022-24508: A Windows SMBv3 client/server remote code execution vulnerability. The vulnerability exists in a new feature that was added to Windows 10 version 2004 and exists in newer supported versions of Windows. Older versions of Windows are not affected. The attacker needs to be authenticated to exploit the vulnerability. The Microsoft page provides a workaround that requires administrators to disable SMBv3 compression.

Other vendors

Other vendors have published security related updates as well:

• Cisco released security updates
• Google released Android security updates
• Samsung released a Security Maintenance Release package that includes patches from Google and Samsung.
• HP released a security update to deal with 16 disclosed UEFI firmware vulnerabilities.

Stay safe, everyone!

The post Update now! Microsoft patches three zero-day vulnerabilities on Patch Tuesday appeared first on Malwarebytes Labs.

Tor is getting another visibility boost for people who may not otherwise come into contact with it. The reason: an attempt to navigate increasing amounts of censorship.

What is Tor?

The Tor network is something designed to keep communications anonymous. A variety of tools exist to make use of it, including messaging, web browsers, and other clients. Most people new to this realm would likely have their first experience via the standalone Tor browser. This works like any other browser download, with a lot of the same functionality. The big difference is that when you load it up, it connects to the Tor network. From the Tor browser manual:

Tor is a network of virtual tunnels that allows you to improve your privacy and security on the Internet. Tor works by sending your traffic through three random servers (also known as relays) in the Tor network. The last relay in the circuit (the “exit relay”) then sends the traffic out onto the public Internet.

Additional security tools and precautions abound in the browser to reduce the risk of fingerprinting, unwanted tracking, and more. The default search engine in DuckDuckGo. All data vanishes when the browser is closed (think Incognito mode), and three levels of security increasingly strip out page aspects such as JavaScript and media which could present problems.

That’s not all. Many sites have a .onion version available to make it even harder to perform surveillance on the user. When an onion version of a page you’re on exists, an “Onion available” notification is displayed next to the URL bar. That is highly relevant in this instance.

Peeling the onion

Onion pages are considered to have more advantages than regular sites where anonymity and privacy are concerned. Going back to the Tor manual:

• Onion services’ location and IP address are hidden, making it difficult for adversaries to censor them or identify their operators.
• All traffic between Tor users and onion services is end-to-end encrypted, so you do not need to worry about connecting over HTTPS.
• The address of an onion service is automatically generated, so the operators do not need to purchase a domain name; the .onion URL also helps Tor ensure that it is connecting to the right location and that the connection is not being tampered with.

The second bullet is particularly useful for those perhaps increasingly rare occasions of dealing with a non HTTPs site. They do still exist! The third bullet is handy for service operators, and the first is good for everybody involved.

Why is the potentially obscure world of onion addresses (to regular web users at least) getting an airing in the media?

Social media makes the leap (again)

Twitter has launched an onion version of its service, available immediately. It now joins Facebook, who went live with its own onion service in 2014. While some may flag this as a response to events in Ukraine, it seems this has been in the works for some time. Indeed, one of the people behind it says they’ve been toying with the idea for several years.

Elsewhere, major news services have had onion pages for a few years now:

They’re also actively promoting relevant language specific pages:

So, then, it really depends what you’re looking for via Tor. If your personal circumstances currently require access to blocked services to communicate with friends and family, or you simply need a variety of news sources in a hurry, then you may well want to consider downloading the Tor browser, because there’s a good chance what you need is already available.

Just keep in mind that, as with all things, risks do exist, and factor in additional security precautions as appropriate. Navigating directly to the Onion pages from official links likely presents minimal risk, but forewarned is most definitely forearmed.

The post Twitter makes the leap to Tor appeared first on Malwarebytes Labs.

I’ve run into many romance scams over the years. You’ll find them lurking on social media, instant messaging, chatrooms/forums, and many more besides. They’re particularly popular during times of war or natural disaster, as they often dovetail into donation and charity scams.

The icing on the cake for many of these fakeouts is an air of respectability. Anything that adds legitimacy or something seemingly trustworthy is going to pull in potential victims. Of all the romance scams I’ve dealt with, the most common element is probably the military-centric profile picture.

A profile you can trust

Nothing adds a splash of appeal in the minds of scammers quite like a dashing hero in full combat get-up. That’s their game plan, anyway. It does seem to be rather successful though, with a neverending stream of people losing lots of money. Worth noting, large volumes of cash can go AWOL even without the addition of anything military related.

Security researchers dealing with military themed romance scams will often recognise the same images in circulation time and time again. Scammers often lazily lift the first army general they can find on Wikipedia. Other times, they’ll put a bit of work into it. It’s harder to pinpoint a scam if the image being used isn’t particularly well known.

As a result, scammers will trawl social media pages, work portals, and even Linkedin profiles. One stolen profile picture later and they’re in business. One peculiar side effect of this is that the supposedly unknown image starts getting more use as additional scammers simply grab it from their peers. The end result is that no stolen soldier photograph remains unknown for long.

When dating scammers make you famous

Have you ever considered what it’s like for the army person themselves when they realise they’re the face of scams?

This is the problem faced by Col. Daniel Blackmon. His images have been used in romance scams since around 2014, and is basically playing whack-a-mole trying to get these fake accounts shut down. The scammers grabbed his photographs from his (at the time) entirely open Facebook page, and things spiralled out of control from there. The scam messages tied to the fake profiles aren’t particularly unique, and sound like all the other romance scams out there. With a military twist, of course. Some of the examples from the article:

• Diamond sales via “the Yemen Government”
• Secretive portfolios containing all the wealth you could possibly desire
• Coming from a military family where at least one serving parent has been killed in a war
• Peacekeeping missions with a lot at stake
• Unable to access money, and not allowed to talk on video “for security reasons”

This is, of course, all nonsense. But to someone on the other side of the computer screen who’s feeling a bit lonely, it can be entirely convincing. Dropping images of someone in uniform across these profiles may well be enough to tip the scales in favour of the scammer.

How to avoid a romance scam

Romance scams are a big enough deal that banks flag potential payments before sending through the system. Should someone using Barclays select the “love interest” dropdown, when selecting the reason for transferring money, users will see a popup probing the nature of the payment. It’ll also highlight some of the things to be wary of (although the way it’s been done has itself drawn some criticism).

No matter which kind of romantic messages you’re receiving, be on your guard with people you don’t know. We recently published an article detailing some of the ways you can avoid being caught in this fashion. Here’s some of our general tips for avoiding common forms of romance scams:

• Don’t give scammers the information they need. Scammers rely on what you volunteer about yourself online to tweak their script and lure you in.
• Do an image search of the photo and the name of the person you’re in touch with. Scammers often steal someone else’s image to use as bait.
• Go slow. Scammers tend to rush, building rapport with their victims as quickly as possible to fleece them of their money as equally quickly.
• If they encourage you to invest in something—be suspicious. Start digging around online about the company that, they say, is worth investing in. Never send them money.
• Follow your gut instinct. If something feels off, cut off contact immediately and report your experience to the police, the Internet Crime Complaint Center (IC3), and the dating or social media site where you met the scammer.

Please check the article out for more advice on subjects ranging from sextortion to bogus dating websites, as you don’t need a broken heart and a shattered bank balance to go with it.

The post When fake dating profiles try the military approach appeared first on Malwarebytes Labs.

Cloud-based document suites have always been a hot target for scammers. When it’s easy to dip in and out for collaboration purposes, or just share things generally, then it’s likely that bad people will want in on the action.

In 2019, Google calendar users were wading through endless spam invites/event notifications when spammers worked out how to game the system. It was fixable, with the caveat that the fix was a multi-stage process. Quite likely a bit too much work for people who just want to access their calendars without spam, and who can blame them?

Anyway, these things come around time and time again. When a new feature appears, so too do the spam vultures. Time to cast our minds back to the end of 2020.

Of comments and exploits

The pandemic has helped nudge along additional features into collaboration tools to make remote work more straightforward. One such Google Docs revamp is the “tag tool” which fetches lists of recommended people. This operates in a similar way to how when you type in a username on Twitter, it prefills a bunch of suggestions after the “@”.

So far, so good.

Around October 2020, spam messages via Google Docs came to light. Specifically: the comments feature. It’s worth noting this behaviour wasn’t just restricted to Docs; other apps like Slides were affected too.

Spammers figured out they were able to send messages via tagging to “nearly any email address” (as per this article). Inserting a tag would generate and send mail to the tagged individual’s mailbox, with the mail appearing to have come from Google. While we can question if that alone is enough to add the legitimacy sheen required, at the baseline it’s sailing past spam filters and related precautions.

The messages included everything from “inappropriate PDFs” and fake financial transaction links to more general bogus notifications and supposed financial compensation.

Filtering out the rogues

As with the workaround for calendar spam, the process to block the mails required setting up custom filters, although I suspect a lot of regular Google users didn’t bother with figuring out the mechanics of such a procedure.

As mentioned, one really big problem with this spam technique was the absence of additional sender information. Good news: Google has now addressed this. Notifications will now also show the commenter’s email address, in order to allow recipients to be sure about who it came from.

The change is scheduled to take place over a 15-day period, and as this rollout started on March 3rd, you may well already have the new functionality. According to the Times of India, this will also be a default option. No digging around for obscure options or menus, which is always appreciated.

If you’ve been weathering the storm of spam missives via Google apps over the last few weeks or even longer, then help is now officially on the way. Let’s hope we can all get back to being productive without the risk of bogus messages as soon as possible.

The post Google takes on Docs notification spammers appeared first on Malwarebytes Labs.

Last week on Malwarebytes Labs:

• Beware of malware offering “Warm greetings from Saudi Aramco”
• Update now! Cisco fixes several vulnerabilities
• HermeticWiper: A detailed analysis of the destructive malware that targeted Ukraine
• Tips to protect your data, security, and privacy from a hands-on expert
• Nvidia, the ransomware breach with some plot twists
• Don’t fall for the “Donate to help children in Ukraine” scam
• Four SMB cybersecurity practices during geopolitical upheaval
• Biden wants stronger privacy protections, no targeted ads for children
• Google launches Chrome 99, fixes 28 vulnerabilities
• Deepfake study suggests fakes can run but not hide
• Meta blocks Russia-Ukraine disinformation campaigns on Facebook, Instagram
• Toyota’s just in time manufacturing faced with disruptive cyberattack
• The Conti ransomware leaks
• Data breaches leave customers very shaky, report says
• Unusual sign-in activity mail goes phishing for Microsoft account holders
• Covid app’s privacy information ruled not clear enough
• How Crisis Text Line crossed the line in the public’s mind: Lock and Code S03E05
• TrickBot takes down server infrastructure after months of inactivity

Stay safe!

The post A week in security (February 28 – March 6) appeared first on Malwarebytes Labs.

There are many reasons why we want a bug fixed as soon as we can, but there are also plenty of reasons why doing it “right now” is not an option. This phenomenon starts at the side of the developers. The average time to fix a bug seems to vary depending on the platform the bug was found in. What is one group doing better and can the others take lessons from that? Or is it something we have to take as it comes?

“Bug-fixing time” refers to the time required to fix known bugs. So, on a per bug basis it is the time between being made aware of an existing bug and issuing a fix for the bug. The ability to better understand and predict bug-fixing time can help a project team better estimate software maintenance efforts and better manage software projects.

Reasons to fix ASAP

There are some very obvious reasons why we want to push and install bug fixes as soon as possible.

• Improved security by fixing the vulnerability.
• Even if a vulnerability is found by a researcher taking the high road of responsible disclosure, once the cat is out of the bag, there is a good chance others will be able to duplicate the researcher’s effort. This could result in a zero-day vulnerability.
• When you are working on a new version, a critical bug in the old version is holding you back as long as you don’t know how to fix it.
• If the published timeline shows it has taken months to fix a bug it reflects badly on your company, and could lead customers to question whether you care about security.

In general, you can say that the bug-fixing time is an important factor for bug related analysis, such as measuring software quality. Having your software considered to be “buggy” does not helps sales in any way. But situations may arise when you need to prioritize what needs to be fixed first.

Differences in platform

Last month, the Project Zero team at Google looked at fixed bugs that were reported between January 2019 and December 2021. During this period, Project Zero reported 376 issues to vendors under their standard 90-day deadline.

When reading the data, it is important to note that the number of issues is too small and not chosen randomly enough to give a full picture, but it gives you an idea at least.

Overall, the data show that almost all of the big vendors here are coming in under 90 days, on average.

Complaints from bug bounty hunters

At this point it should be pointed out that bugs reported by the Project Zero team are reported to vendors directly and will be taken very seriously by the vendors.

Individual bounty hunters, however, have been complaining about getting their bugs accepted. For example, in January we saw CVE-2022-22587, a vulnerability in Apple’s IOMobileFrameBuffer, where a malicious app could execute random code with kernel privileges. This vulnerability ended up being a zero-day vulnerability that was exploited in the wild after one of them posted a Proof-of-Concept (PoC).

Many researchers that don’t want to report to vendors directly make use of the Zero-Day-Initiative (ZDI). The ZDI was created to encourage the reporting of zero-day vulnerabilities privately to the affected vendors by financially rewarding researchers, although there have been complaints from researchers that they didn’t feel they were taken seriously by the ZDI.

The next step

So, yes, it’s important to fix vulnerabilities ASAP, but why does it take so long sometimes before these fixes and patches get installed?

According to recent podcast guest Jess Dodson, the problem of patching isn’t just a problem of resources—time, staffing, funding—but also of mindset. For some organizations, refusing to patch almost brings with it a bizarre sense of pride, Dodson said.

Finally, even if you are not a Federal Civilian Executive Branch (FCEB) agency that needs to follow the Binding Operation Directive 22-01, the CISA list known as the Known Exploited Vulnerabilities Catalog can act as a good guideline for your patch management strategy. This catalog provides FCEB agencies with a list of vulnerabilities that are known to be exploited in the wild and gives the agencies a due date by when the vulnerability needs to be patched in their organization.

The post The struggle to reduce bug-fixing time is real appeared first on Malwarebytes Labs.