Archive for NEWS

Update now! Chrome fixes actively exploited zero-day vulnerability

Google has released an update to Chrome which includes seven security fixes including one for a vulnerability which is known to have already been exploited.

If you’re a Chrome user on Windows, Mac, or Linux, you should update as soon as possible.

The easiest way to update Chrome is to set it to update automatically, but you have to make sure to close your browser for the update to finish. You can also end up on an older, vulnerable version if something goes wrong—such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time, given the severity of the vulnerabilities in this batch. My preferred method is to have Chrome open the page chrome://settings/help which you can also find by clicking Settings > About Chrome (on Windows) or Google Chrome > About Google Chrome (on Mac).

If there is an update available, Chrome will start downloading it. Then all you have to do is relaunch the browser in order for the update to complete.

Google Chrome showing version 119.0.6045.200

Google Chrome is up to date

After the update, the version should be listed as 119.0.6045.199 for Mac and Linux, and 119.0.6045.199/.200 for Windows, or later.

The technical details

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVE assigned to the actively exploited zero-day is:

CVE-2023-6345: Integer overflow in Skia. Google notes it is aware that an exploit for CVE-2023-6345 exists in the wild. This vulnerability could lead to a range of risks, from crashes to the execution of arbitrary code.

Google never gives out a lot of information about vulnerabilities, for obvious reasons. Access to bug details and links may be kept restricted until a majority of users are updated with a fix, so that interested criminals remain none the wiser.

The vulnerability's severity rating of High (rather than Critical) indicates that the scope of the flaw is limited to the browser itself, but successful exploitation could still provide the attacker with information about visited websites and similar browser data.

Skia is an open source 2D graphic library for drawing Text, Geometries, and Images. Skia works across a variety of hardware and software platforms. It serves as the graphics engine for Google Chrome and ChromeOS, Android, Flutter, and many other products.

That’s why users of other Chromium based browsers and software that uses Skia should keep their eyes open for similar updates.


Many major websites allow users to have weak passwords

A new study that examines the current state of password policies across the internet shows that many of the most popular websites allow users to create weak passwords.

For the Georgia Tech study, the researchers designed an algorithm that automatically determined a website’s password policy. With the help of machine learning, they could see the consistency of length requirements and restrictions for numbers, upper- and lower-case letters, special symbols, combinations, and starting letters. They could also see if sites permitted dictionary words or known breached passwords.

Using this tool they found:

  • 12% of the websites they looked at completely lack password length requirements
  • 3 out of 4 fail to meet minimum requirement standards, which means they:
    • Allow very short passwords
    • Do not block common passwords
    • Use outdated requirements like complex characters

More than half of the websites in the study accepted passwords with six characters or less, with 75% failing to require the recommended eight-character minimum. Around 12% of the websites had no length requirements, and 30% did not support spaces or special characters.
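To make the study's criteria concrete, here is an added example (not the researchers' tool) that does two things: checks a password against the minimums the study measured (an eight-character floor, a block on common or breached passwords, and no composition rules, so spaces and special characters are allowed), and probes a site's acceptance function for the three failures the study counts. The common-password list and the outdated "legacy" site policy are constructed for illustration.

```python
import re

# Constructed stand-in for a breached/common-password list; a real check
# would consult a full breach corpus rather than a handful of entries.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein"}

MIN_LENGTH = 8  # the recommended minimum that 75% of sites in the study fail to require


def check_policy(password: str) -> list[str]:
    """Return the reasons a password is rejected (empty list means accepted).

    Only a length floor and a common-password block are enforced. There are
    deliberately no composition rules: spaces and any printable character
    are fine, because such rules shrink the space users actually pick from.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if not password.isprintable():
        problems.append("contains non-printable characters")
    return problems


def legacy_site_accepts(password: str) -> bool:
    """Constructed example of an outdated policy: six or more characters, a
    digit and an upper-case letter required, spaces forbidden, and no
    common-password check at all."""
    return (len(password) >= 6
            and re.search(r"\d", password) is not None
            and re.search(r"[A-Z]", password) is not None
            and " " not in password)


def audit_site_policy(accepts) -> dict:
    """Probe a site's acceptance function for the study's three failure modes.

    `accepts` takes a candidate password and returns True if the site would
    let a user register it. Each probe is a constructed password chosen to
    trigger exactly one of the failures.
    """
    return {
        "allows_very_short": accepts("Pass12"),                 # six characters
        "allows_common": accepts("Password1"),                  # breached-list entry
        "rejects_spaces_or_specials": not accepts("correct horse battery staple 42"),
    }
```

Running `audit_site_policy(legacy_site_accepts)` flags all three failures, while `audit_site_policy(lambda p: not check_policy(p))` flags none.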

Giving users that kind of freedom is asking for them to be duped. As we pointed out a while back, even tech-savvy users like IT administrators resort to awful passwords when given the chance.

The reasons for not enforcing standards are obvious. Most websites care more about customer satisfaction than security, and you can guess which one is better for business.

Users don’t like passwords, especially since the password situation has been made worse by ridiculous and unnecessary rules, such as asking users to pick passwords that follow formulas, or forcing users to change their password every few months. Both rules have been discredited but continue to haunt us. Formulas reduce the number of possible passwords a user can pick from, and regular password resets encourage users to pick passwords that conform to a predictable pattern, both of which can make guessing passwords easier, which is the opposite of what we want.

If you’d like to read more about this, read “Why (almost) everything we told you about passwords was wrong.” The article summarizes how a lot of what you’ve been told about passwords over the years was either wrong (change your passwords as often as your underwear), misguided (choose long, complicated passwords), or counterproductive (don’t reuse passwords).

We feel that we should entirely move away from the model that requires users to create and remember passwords. It is time for something more secure AND user-friendly. And it’s not like these systems don’t exist (hello Passkeys), we just need to embrace them more widely.

Let’s enable multi-factor authentication (MFA) where we can, even if we feel that using a password as the first factor doesn’t add a lot of extra security to the login procedure. And if we need to rely on passwords alone, try using a password manager. They help you create complex passwords and remember them for you.

The full report of the researchers will be presented at the ACM Conference on Computer and Communications Security (CCS) in Copenhagen, Denmark, later this month.


Ransomware gangs and Living Off the Land (LOTL) attacks: A deep dive

We’ve told you about ransomware-as-a-service (RaaS) gangs; we’ve told you about Living Off the Land (LOTL) attacks. What do you get when you bring the two together? Bad news.

Our recent report, Threat Brief: Ransomware Gangs & Living Off the Land Attacks, takes a deep dive into why the intersection of these two threats is so dangerous.  

Ransomware gangs use LOTL attacks to carry out their malicious activities using legitimate IT administration tools like PowerShell, PsExec or Windows Management Instrumentation (WMI). This is exactly why LOTL attacks are so dangerous: by mimicking normal behavior, LOTL attacks make it extremely difficult for IT teams and security solutions to detect any signs of malicious activity.

And that’s one big reason why RaaS gangs like Lockbit, Vice Society, and ALPHV love using these attacks so much: LOTL attacks allow ransomware gangs to master the art of blending their criminal activities within normal network operations. 

The report also dives into the challenges of spotting these stealthy attacks and why defenders often miss the mark. For example, traditional security systems, which are designed to flag overtly malicious activities, often overlook the subtle and covert tactics LOTL attacks employ. Simply put, when it comes to fighting LOTL and RaaS, organizations can’t afford to overlook the importance of combining human expertise with advanced detection technologies.

Further key points in the report include:

  • Expert insights: Gain wisdom from cybersecurity pros who contribute their knowledge, emphasizing the importance of multi-layered defense strategies against LOTL threats.
  • Practical tips: The report isn’t just theory; it offers actionable advice for IT teams on staying one step ahead of these covert operations.
  • Real-world scenarios: Engage with case studies that bring the concepts to life, demonstrating the impact and intricacies of LOTL attacks in action.

Ransomware gangs and LOTL attacks are a dual threat that organizations need to be prepared to take down. Read our report, Threat Brief: Ransomware Gangs & Living Off the Land Attacks, to get the vital intelligence you need to uncover LOTL techniques in the ransomware attack chain. 


ownCloud vulnerability can be used to extract admin passwords

ownCloud has warned users about three critical security flaws in its file-sharing software which, if exploited, could reveal sensitive information and modify files. The most impactful of the three is a vulnerability that could lead to disclosure of sensitive credentials and configuration in containerized deployments.

ownCloud is a very widely used open-source project that allows users to host and sync files. ownCloud says on its own website that it has 200 million users, including 600 enterprises.

The vulnerabilities stem from one of the building blocks of the project.

“The graphapi app relies on a third-party library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo).”

Microsoft’s Graph API (graphapi) is a web API that enables you to access Microsoft Cloud service resources. After you register your app and get authentication tokens for a user or service, you can make requests to the Microsoft Graph API.

A Shodan search shows many thousands of exposed services, especially in Germany and the US.

Shodan search results for ownCloud showing over 21,000 exposed instances

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs of the found vulnerabilities are:

CVE-2023-49105 (CVSS score 9.8 out of 10): An issue was discovered in ownCloud owncloud/core before 10.13.1. An attacker can access, modify, or delete any file without authentication if the username of a victim is known, and the victim has no signing-key configured. This occurs because pre-signed URLs can be accepted even when no signing-key is configured for the owner of the files. The earliest affected version is 10.6.0.

CVE-2023-49104 (CVSS score 9 out of 10): An issue was discovered in ownCloud owncloud/oauth2 before 0.6.1, when Allow Subdomains is enabled. An attacker is able to pass in a crafted redirect-url that bypasses validation, and consequently allows an attacker to redirect callbacks to a Top Level Domain (TLD) controlled by the attacker.

Redirect URLs are a critical part of the OAuth (authentication) flow. After a user successfully authorizes an application, the authorization server will redirect the user back to the application. Because the redirect URL will contain sensitive information, it is critical that the service doesn’t redirect the user to arbitrary locations.
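The two access-control flaws above (CVE-2023-49105 and CVE-2023-49104) share a lesson: a check that is skipped or loosely matched is a check that is bypassed. The added example below is illustrative code, not ownCloud's, and uses a constructed, simplified pre-signed URL scheme (an HMAC over the path) to show the vulnerable shape, where a user with no signing key has the signature check skipped, beside the fail-closed fix, and then a redirect-URL validator that honours an "allow subdomains" setting only at a label boundary of the registered host.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlparse

# CVE-2023-49105 pattern: a pre-signed URL check that must fail closed.
# Constructed scheme: the signature is an HMAC-SHA256 over the URL path.

def sign_url(path: str, key: bytes) -> str:
    sig = hmac.new(key, path.encode(), hashlib.sha256).hexdigest()
    return f"{path}?signature={sig}"


def _path_and_signature(url: str):
    parsed = urlparse(url)
    return parsed.path, parse_qs(parsed.query).get("signature", [""])[0]


def verify_presigned(url: str, owner_key, fail_closed: bool) -> bool:
    """Decide whether a pre-signed URL for a file owned by the user whose
    signing key is `owner_key` (None = no key configured) is acceptable.
    fail_closed=False reproduces the flawed shape the advisory describes:
    with no key configured the check is skipped and any URL is accepted.
    fail_closed=True is the fix: no key means no valid pre-signed URL can exist."""
    if owner_key is None:
        return not fail_closed
    path, sig = _path_and_signature(url)
    expected = hmac.new(owner_key, path.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig, expected)


# CVE-2023-49104 pattern: OAuth redirect-URL validation with "Allow Subdomains".

def redirect_allowed(redirect_url: str, registered_host: str, allow_subdomains: bool) -> bool:
    """Accept only HTTPS redirects whose whole hostname is the registered host
    or, when subdomains are allowed, a host ending in '.' + registered_host.
    Matching on the parsed hostname (not the raw string) and requiring the
    dot boundary rejects lookalikes such as 'evil-example.com',
    'example.com.attacker.test' and 'https://example.com@attacker.test/'."""
    parsed = urlparse(redirect_url)
    host = (parsed.hostname or "").lower()
    registered_host = registered_host.lower()
    if parsed.scheme != "https" or not host:
        return False
    if host == registered_host:
        return True
    return allow_subdomains and host.endswith("." + registered_host)
```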

CVE-2023-49103 (CVSS score 10 out of 10): An issue was discovered in ownCloud owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The graphapi app relies on a third-party GetPhpInfo.php library that provides a URL. When you access this URL, it reveals the configuration details of the PHP environment (phpinfo). This information includes all the environment variables of the webserver. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key. Additionally, phpinfo exposes various other potentially sensitive configuration details that could be exploited by an attacker to gather information about the system. Therefore, even if ownCloud is not running in a containerized environment, this vulnerability should still be a cause for concern. A working Proof of Concept (PoC) for this vulnerability is already available on GitHub.

Ransomware operators could have a field day with this vulnerability. As they have shown in the past, they love file-sharing apps almost as much as they love admin passwords. It allows them to roam free in your network and move the stolen data to a location under their control at your expense.

What to do

ownCloud says you should delete the file owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php. Simply disabling the graphapi app won’t eliminate the vulnerability.

In newer versions, ownCloud has disabled the phpinfo function in the docker-containers, promising to apply various hardenings in future core releases to mitigate similar vulnerabilities.

Then change the following:

  • Your ownCloud admin password
  • The mail server credentials
  • Database credentials
  • Object-Store/S3 access-key

Note that Docker containers from before February 2023 are not vulnerable to the credential disclosure.

If you are unable to patch right now you can disable the “Allow Subdomains” option to disable the vulnerability as a workaround for CVE-2023-49104.

As a workaround for CVE-2023-49105, you can configure the signing-key.

Instructions on how to update ownCloud can be found on its website.
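The file deletion above is the step most easily checked and automated. The following added shell script (not ownCloud's own tooling) takes the ownCloud install root as an argument, removes the GetPhpInfo.php file at the path the advisory names if it is present, and offers a separate check so the same path can be verified across hosts afterwards. The install root `/var/www/owncloud` in the usage comment is an assumption; adjust it to your deployment.

```shell
# Relative path of the file the advisory says to delete, under the install root.
GETPHPINFO_REL='apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php'

# remove_getphpinfo <ownCloud install root>
# Usage: remove_getphpinfo /var/www/owncloud   (root path is an assumption)
# Returns 0 if the file was removed, 1 if it was not present, 2 on bad input or
# removal failure.
remove_getphpinfo() {
    root="$1"
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    target="$root/$GETPHPINFO_REL"
    if [ -f "$target" ]; then
        rm -f -- "$target" || { echo "could not remove $target" >&2; return 2; }
        echo "removed $target"
        return 0
    fi
    echo "not present: $target"
    return 1
}

# check_getphpinfo <ownCloud install root>
# Succeeds (0) when the file is absent, fails (1) when it is still on disk, so
# it can run from a fleet-wide audit after the remediation.
check_getphpinfo() {
    [ ! -f "$1/$GETPHPINFO_REL" ]
}
```

Disabling the graphapi app does not remove the file, so run the check rather than relying on the app state.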


A week in security (November 20 – November 26)

Last week on Malwarebytes Labs:

Stay safe!
