Archive for NEWS

Citrix Bleed widely exploited, warn government agencies

In a joint cybersecurity advisory, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), along with other international agencies, warn that ransomware gangs are actively exploiting the Citrix Bleed vulnerability.

Affiliates of at least two ransomware groups, LockBit and Medusa, have been observed exploiting Citrix Bleed as part of attacks against organizations. Both are globally significant, and were ranked as the first and sixth most active groups in our November ransomware review.

Known ransomware attacks by ransomware group, October 2023

Mandiant states it is currently tracking four distinct uncategorized groups involved in exploiting this vulnerability.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVE for the vulnerability known as Citrix Bleed is CVE-2023-4966 (CVSS score 9.4 out of 10). The vulnerability is described as a sensitive information disclosure in NetScaler web application delivery control (ADC) and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.

The vulnerability provides attackers with the capability to bypass multi-factor authentication (MFA) and hijack legitimate user sessions, and is said to be very easy to exploit. It’s reported to have been in use as a zero-day since late August. On October 10, 2023, Citrix released security updates to address CVE-2023-4966 along with another, unrelated vulnerability, giving organizations the chance to patch.

The following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerability:

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
  • NetScaler ADC 13.1-FIPS before 13.1-37.164
  • NetScaler ADC 12.1-FIPS before 12.1-55.300
  • NetScaler ADC 12.1-NDcPP before 12.1-55.300

NetScaler ADC and NetScaler Gateway version 12.1 are now End-of-Life (EOL) and also vulnerable. Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication products are not impacted.
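Comparing build numbers such as 13.1-48.47 against the fixed builds above by hand is error-prone, so here is an added example (not Citrix’s or CISA’s own tooling) that classifies a recorded NetScaler build against the affected ranges listed above. The "major.minor-build.sub" string format and the FIPS/NDcPP flavour labels are assumptions about how an asset inventory records a build.

```python
"""Classify NetScaler ADC / Gateway builds against the affected ranges the
advisory lists for CVE-2023-4966 (Citrix Bleed).

Added example, not Citrix's or CISA's own tooling. Fixed builds come from the
article's list; the "major.minor-build.sub" string format and the flavour
labels ("standard", "FIPS", "NDcPP") are assumptions about inventory records.
"""
from __future__ import annotations

# (branch, flavour) -> first fixed build. "standard" means non-FIPS/non-NDcPP.
FIXED_BUILDS = {
    ("14.1", "standard"): "14.1-8.50",
    ("13.1", "standard"): "13.1-49.15",
    ("13.0", "standard"): "13.0-92.19",
    ("13.1", "FIPS"): "13.1-37.164",
    ("12.1", "FIPS"): "12.1-55.300",
    ("12.1", "NDcPP"): "12.1-55.300",
}
# Branches the advisory calls End-of-Life: vulnerable, and no fixed build exists.
EOL_BRANCHES = {("12.1", "standard")}


def parse_build(version: str) -> tuple[int, int, int, int]:
    """'13.1-49.15' -> (13, 1, 49, 15); raises ValueError on any other shape."""
    branch, sep, build = version.partition("-")
    parts = branch.split(".") + build.split(".")
    if not sep or len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised NetScaler build string: {version!r}")
    major, minor, build_no, sub = (int(p) for p in parts)
    return major, minor, build_no, sub


def assess(version: str, flavour: str = "standard") -> str:
    """Return 'vulnerable', 'vulnerable (EOL)', 'patched' or 'unknown'."""
    key = (version.partition("-")[0], flavour)
    if key in EOL_BRANCHES:
        return "vulnerable (EOL)"
    fixed = FIXED_BUILDS.get(key)
    if fixed is None:
        return "unknown"  # branch/flavour combination not covered by the list
    # Numeric tuple comparison, not string comparison, so build 8 sorts
    # before build 50 even though "8" > "50" lexically.
    return "vulnerable" if parse_build(version) < parse_build(fixed) else "patched"


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and builds are made up.
    inventory = [
        ("gw-dmz-1", "13.1-48.47", "standard"),
        ("gw-dmz-2", "14.1-8.50", "standard"),
        ("gw-fips-1", "13.1-37.163", "FIPS"),
        ("gw-legacy", "12.1-65.25", "standard"),
    ]
    for host, version, flavour in inventory:
        print(f"{host:10} {version:12} {flavour:9} {assess(version, flavour)}")
```

An "unknown" result means the branch/flavour pair is not in the advisory's list, which is a prompt to check the vendor bulletin rather than a clean bill of health.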

The advisory provides Tactics, Techniques and Procedures (TTPs) and Indicators of Compromise (IoCs) obtained from the FBI and the Australian Cyber Security Centre (ACSC), and voluntarily shared by Boeing. Boeing observed LockBit affiliates exploiting CVE-2023-4966 to obtain initial access to Boeing Distribution Inc., its parts and distribution business, which maintains a separate environment.

Besides patching, CISA encourages organizations to assess Citrix software and their systems for evidence of compromise, and to hunt for malicious activity. If compromise is suspected or detected, organizations should assume that threat actors hold full administrative access and can perform all tasks associated with the web management software, as well as install malicious code.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

Posted in: NEWS


Windows Hello fingerprint authentication can be bypassed on popular laptops

Researchers have found several weaknesses in Windows Hello fingerprint authentication on Dell Inspiron 15, Lenovo ThinkPad T14, and Microsoft Surface Pro X laptops.

Microsoft’s Offensive Research and Security Engineering (MORSE) asked the researchers to evaluate the security of the top three fingerprint sensors embedded in laptops. They found vulnerabilities that allowed them to completely bypass Windows Hello authentication on all three.

If you’d like to read the full technical details, we happily refer you to the Blackwing researchers’ blog: A TOUCH OF PWN – PART I. For a less technical summary, carry on.

First and foremost, it’s important to know that for these vulnerabilities to be exploitable, fingerprint authentication needs to be set up on the target laptop. Imagine the type of disaster if that weren’t true.

The three sensors the researchers looked at were all of the “match on chip” type. This means that a separate chip stores the biometric credentials (in this case the fingerprints), making it almost impossible to hack into.

The communication between the sensor and the laptop is done over a secure channel, set up through the Secure Device Connection Protocol (SDCP) created by Microsoft.

SDCP aims to answer three questions about the sensor:

  1. How can the laptop be certain it’s talking to a trusted sensor and not a malicious one?
  2. How can the laptop be certain the sensor hasn’t been compromised?
  3. How is the raw input from the sensor protected?
    • The input has to be authenticated.
    • The input is fresh and can’t be re-playable.
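The following Python model, added here and not part of the original post or of SDCP itself, shows why each of the three properties matters: a host that only accepts an authenticated reply to its own fresh nonce rejects a replayed reply, a reply forged by a device that lacks the pairing secret, and an unauthenticated cleartext reply. The shared pairing secret and the HMAC-over-nonce message shape are assumptions made for the model, not SDCP’s real key agreement or wire format.

```python
"""Toy model of the three guarantees the article says SDCP gives the host
about sensor input: authenticated, fresh, and not replayable.
Added example, not SDCP's real protocol. Assumes a secret shared at pairing
time and models the sensor's reply as an HMAC over a host nonce and result.
"""
import hashlib
import hmac
import os


class Sensor:
    """A genuine match-on-chip sensor holding the pairing secret."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def respond(self, nonce: bytes, matched: bool) -> dict:
        result = b"match" if matched else b"no-match"
        tag = hmac.new(self._key, nonce + result, hashlib.sha256).digest()
        return {"nonce": nonce, "result": result, "tag": tag}


class Host:
    """The laptop side: issues one nonce per attempt and verifies the reply."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._outstanding = None  # nonce of the attempt in progress, if any
        self._used = set()        # nonces already consumed (replay guard)

    def begin_attempt(self) -> bytes:
        self._outstanding = os.urandom(16)
        return self._outstanding

    def accept(self, msg: dict) -> bool:
        nonce, result, tag = msg.get("nonce"), msg.get("result"), msg.get("tag")
        if nonce is None or result is None or tag is None:
            return False                     # cleartext reply: unauthenticated
        expected = hmac.new(self._key, nonce + result, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False                     # wrong key or altered message
        if nonce != self._outstanding or nonce in self._used:
            return False                     # not fresh, or replayed
        self._used.add(nonce)
        self._outstanding = None
        return result == b"match"


def run_scenarios() -> dict:
    """Genuine reply, replay, forged reply, cleartext reply, and a no-match."""
    key = os.urandom(32)  # constructed pairing secret for the model
    host, sensor = Host(key), Sensor(key)
    nonce = host.begin_attempt()
    genuine = sensor.respond(nonce, matched=True)
    outcome = {"genuine": host.accept(genuine)}
    outcome["replay"] = host.accept(genuine)        # same bytes sent again
    nonce = host.begin_attempt()
    forged = {"nonce": nonce, "result": b"match", "tag": b"\x00" * 32}
    outcome["forged"] = host.accept(forged)         # no pairing secret
    outcome["cleartext"] = host.accept({"nonce": nonce, "result": b"match"})
    outcome["no_match"] = host.accept(sensor.respond(nonce, matched=False))
    return outcome
```

Only the first, genuine reply is accepted; every other message in the scenarios is rejected before the match result is even considered.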

So, what could go wrong?

The researchers were still able to spoof the communication between sensor and laptop. They fooled the laptops using a USB device that pretended to be the sensor and sent a signal that an authorized user had logged in.

The bypasses are possible because the device manufacturers did not use SDCP to its full potential:

  • The ELAN sensor commonly used in Dell and Microsoft Surface laptops lacks SDCP support and transmits security identifiers in cleartext.
  • Synaptics sensors, used by both Lenovo and Dell, had turned SDCP off by default and used a flawed custom Transport Layer Security (TLS) stack to secure USB communications.
  • The Goodix sensors, also used by both Lenovo and Dell, could be bypassed because they support both Windows and Linux, and Linux does not support SDCP. The host driver sends an unauthenticated configuration packet to the sensor during sensor initialization to specify which database to use.

The recommendation of the researchers to the manufacturers is clear: SDCP is a powerful protocol, but it doesn’t help if it isn’t enabled or when it can be bypassed by using other weak links in your setup.

The fact that three manufacturers were mentioned by name doesn’t mean by any stretch that others have done a better job. It just means the researchers didn’t get round to testing them.

If you, as a user, are worried about anyone being able to get near your laptop with a USB device, you shouldn’t be using fingerprints as an authentication method, and should disable it:

  1. Type and search [Sign-in options] in the Windows search bar, then click [Open].
  2. Select [Fingerprint recognition (Windows Hello)], then click [Remove], and the fingerprint sign-in option will be removed.

Until the manufacturers have dealt with the weaknesses in their setups, we can’t assume that this is a secure method of authentication.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.


$19 Stanley cup deal is a Black Friday scam

Scammers never miss an opportunity to make a quick buck, and love to piggyback on the latest trends. So what better way to kick off the scamming season than by offering Black Friday sales on one of the most popular products around: a Stanley cup.

We found an ad on Facebook offering a Stanley Quencher for the low price of $19:

Facebook ad for Stanley Quenchers

Normally these Stanley cups sell for $45 on Amazon. They’re very popular since they reportedly keep drinks cold for 11 hours and hot for seven hours. Even if your car burns out.

Clicking the advertisement takes you to a shady-at-best website where you can take your pick of Stanleys.

Fake Dick’s Sporting Goods website at domain d-sportinggoodsus[.]com

Hint: look at the domain name. Malwarebytes doesn’t like it either.

Malwarebytes blocks d-sportinggoodsus.com; Malwarebytes customers are protected

Both the site and the payment processor are registered in Hong Kong and will happily pocket your money without doing anything in return.

To gain the buyer’s trust, the Facebook comments are populated by bots and/or compromised accounts.

Facebook comments of people claiming they received the goods

As always, use your best spidey senses to pick up on scams like these. With this particular scam, you’re likely to only lose the money you paid to the scammers, but other scams can end in much higher losses.

How do you avoid bad ads?

  • You probably have the URL you need. It’s sometimes easier to search a brand name than put in the full URL, but if you go directly there you won’t get caught by any bad ads lurking in your search results.
  • Careful searching. If you do need to go looking, cross reference the URLs you see in search engines with a search of your own. If it’s legitimate, you should see a large number of people and businesses referencing it.
  • Report bad ads. If a sponsored ad is up to no good, there should be a way to report it from the search engine or social media platform in which you found it. You’re doing your part to help the next person who comes along to stay safe!
  • The thorny blocking issue. If you choose to block ads, be aware that the way you block may break functionality of the site you’re on. Some sites will insist you turn off your ad blocker. Others may simply not work anymore if you use script blocking or turn off JavaScript. It’s not so much a case of “job done”, as it is “job just getting started”.
  • Remember, if it’s too good to be true it probably isn’t true, and could mean someone is trying to trick you into paying for something you’re never going to get.

Black Friday sale

Save 50% on our Home bundles for a limited time only!




Chrome pushes forward with plans to limit ad blockers in the future

Google has announced it will shut down Manifest V2 in June 2024 and move on to Manifest V3, the latest version of its Chrome extension specification, which has faced criticism for putting limits on ad blockers. Roughly speaking, Manifest V2 and V3 are the rules that browser extension developers have to follow if they want their extensions to be accepted into the Google Play Store.

Manifest V2 is the old model. The Chrome Web Store no longer accepts Manifest V2 extensions, but browsers can still use them. For now. Manifest V3 is supported generally in Chrome 88 or later and will be the standard after the transition planned to take place in June 2024.

A popular type of browser extension is the ad blocker. Almost all ad blockers work with block lists, which are long lists of domains, subdomains, and IP addresses that they filter out of your web traffic. These lists are commonly referred to as rulesets. One part of the transition will “improve” content filtering. And to be fair, Google has made some compromises in the version as it’s now planned, compared to what it originally intended to do.

  • Originally, each extension could offer users a choice of 50 static rulesets, and 10 of these rulesets could be enabled simultaneously. This changes to 50 rulesets enabled simultaneously and 100 in total.
  • Extensions could add up to 5,000 rules dynamically, which encouraged using this functionality sparingly and made it easier for Google to detect abuse. Extensions can add rules dynamically to support more frequent updates and user-defined rules, but this comes with a risk of phishing or data theft, because these “updates” are not checked during the Chrome Web Store review. For example, a redirect rule could be abused to inject affiliate links without consent. Google has decided that block and allow rules are not that easily abused, so it will allow up to 30,000 rules to be added dynamically.

However, this is still far from enough to fully reach the potential of the best ad blockers we have now. And it’s not just the hard limits on filtering rulesets, there are a lot of other new limits on filtering. Items can’t be filtered based on the response headers or according to the URL in the address bar. Also, extension developers are limited in what regular expressions they can use, along with other technical limitations.

Even if this is not targeted at ad blockers specifically, it’s still a major change that makes blocking requests less flexible. The bottom line is that it limits the API that many ad blockers use, replacing it with a less capable one.

Google will tell you that by limiting extensions, the browser can be lighter on resources and Google can protect your privacy from extension developers; it calls Manifest V3 “a step in the direction of privacy, security, and performance.” The Electronic Frontier Foundation (EFF), however, calls Manifest V3 deceitful and threatening.

“Manifest V3 is another example of the inherent conflict of interest that comes from Google controlling both the dominant web browser and one of the largest internet advertising networks.”

Under the new specifications, browser extensions that monitor and filter the web traffic between the browser and the website will have greatly reduced capabilities. This includes ad blockers and privacy-protective tracker blockers. No real surprise, considering Google has trackers installed on 75% of the top one million websites.

According to Firefox’s Add-on Operations Manager, most malicious extensions that manage to get through the security review process are usually interested in simply observing the conversation between your browser and whatever websites you visit. The malicious activity happens elsewhere, after the data has already been read. So in their mind, what would really help security is a more thorough review process, but that’s not something Google says it has plans for.

After looking at the arguments Google used to justify this transition, Ars Technica concluded that there is no justification for arbitrarily limiting the list of filter rules. It says that once Manifest V3 happens, Chrome users will be limited to light ad blocker functionality, while users who want the full version of the extension will need to switch to Firefox or some other non-limited browser.

Nevertheless, Firefox said it will adopt Manifest V3 in the interest of cross-browser compatibility. And Chrome’s market share will certainly have influenced that decision as well.

Google Chrome Enterprise users with the “ExtensionManifestV2Availability” policy turned on will get an extra year of Manifest V2 compatibility.

If you want to help Malwarebytes get ready for the transition, you can test the beta version of Browser Guard for Manifest V3.


We don’t just report on privacy—we offer you the option to use it.

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.




Malwarebytes consumer product roundup: The latest

At Malwarebytes, we’re constantly evolving to protect our customers. These days, our products don’t just protect you from malware, we protect your identity, defend you from ads, safeguard your social media, and keep your mobile safe too.

Here are the innovations we’ve made in our products recently. Are you making the most of them?

Malwarebytes Premium

Windows

Tamper / Uninstall Protection. This allows you to password protect your software so that it can’t be removed remotely.

Trusted Advisor. This dashboard provides an easy-to-understand assessment of your computer’s security with a single comprehensive protection score, and clear, expert-driven advice.

Brute Force Protection. This blocks Remote Desktop Protocol (RDP) attacks, which are attempts by cybercriminals to access a computer remotely. We do this by blocking IP addresses that exceed a threshold of invalid login attempts.

Smart Scan. This enables you to schedule scans at a time when you’re not using your computer, which is best for productivity.

Mac

The old adage about Macs not getting viruses is simply not true. Macs need protection too and our Premium for Mac is now compatible with macOS Sonoma.

Mobile Security

Whether you’re on iOS or Android, our Mobile Security app just got an upgrade. Our Premium Plus plan now includes a full-featured VPN to help keep your connections private, no matter where you are. Using the latest VPN technology, WireGuard® protocol, you can enjoy better online privacy at a quicker speed than traditional VPNs.

What you get with our apps:

  • Android: Scan for viruses and malware, and detect ransomware, Android exploits, phishing scams, and even potentially unwanted apps.
  • iOS: Detect and stop robocalls and fake texts, phishing links, malicious sites, and annoying ad trackers (while browsing in Safari).

Browser Guard

Available for both Windows and Mac, Malwarebytes Browser Guard is our free browser extension for Chrome, Edge, Firefox, and Safari that blocks unwanted and unsafe content, giving users a safer and faster browsing experience. It’s the world’s first browser extension to do this, while at the same time identifying and stopping tech support scams.

Browser Guard adds an extra layer to your personal security, on top of your antivirus or firewall. Because it’s a browser extension, it can offer protection in the browser that other means of protection do not have access to.

Screenshot of Malwarebytes Browser Guard

We’ve recently made enhancements to Browser Guard:

  • Improved protection: Stops even more threats with enhanced phishing detection. 
  • New scanning blocks: Prevents websites from scanning for vulnerable network ports. 
  • Facebook support: Blocks ads and sponsored content from appearing on Facebook feeds. 
  • Monthly overview: Summary showcases what has been blocked. 

On top of that, Malwarebytes Premium Security users (Windows only) can now take advantage of:

  • Content control: Take control of your browsing experience and define what’s appropriate for you and your family. Fully customize the content you want to block while browsing.
  • Import and export: Use your preferences and customized rules with all your browsers, even on other devices. This helps you to experience a consistent and clean web experience. Discover on this video how to transfer Malwarebytes Browser Guard settings to another browser.
  • Historical Detection Statistics: View past detections and see what we’ve protected you from.  

Want to see Browser Guard in action? Read the 25 most popular websites vs Malwarebytes Browser Guard

Malwarebytes Identity Theft Protection

Newly released, Malwarebytes Identity Theft Protection scours the dark web for your personal information, prevents your social media account from being hacked, and even keeps an eye on your credit (US only) — and it’s all backed by up to $2 million in identity theft insurance. (Insurance coverage is $1 million or $2 million depending on the selected package; the $2 million option is only available in the US Ultimate plan.)

Here’s what you get (based on your selected plan):

  • Ongoing monitoring: Peace of mind that we are actively working in the background to keep you safe
  • Real-time alerts: Immediate notifications if we identify suspicious activity
  • Recommendations and best practices: Advice on how to prevent identity theft, and help if it happens
  • Identity restoration helpline and top-notch customer support.

Screenshot of Malwarebytes Identity Theft Protection
