IT NEWS

Apple releases emergency updates for two known-to-be-exploited vulnerabilities

On Friday April 7, 2023, Apple released iOS 16.4.1, iPadOS 16.4.1, and macOS 13.3.1 for the iPhone, iPad, and Mac, respectively, and our advice is to install them as soon as possible because all three updates include important security fixes.

The Cybersecurity and Infrastructure Security Agency (CISA) has already ordered federal agencies to patch these two security vulnerabilities before May 1st, 2023.

The updates may already have reached you in your regular update routines, but it doesn’t hurt to check if your device is at the latest update level. If a Safari update is available for your device, you can get it by updating or upgrading macOS, iOS, or iPadOS.

How to update your iPhone or iPad.

How to update macOS on Mac.

The vulnerabilities

The security content notes for iOS 16.4.1 and iPadOS 16.4.1 list two vulnerabilities for which Apple says it is aware of reports that the issues may have been actively exploited.

CVE-2023-28206: an out-of-bounds write issue in IOSurfaceAccelerator was addressed with improved input validation. The issue, which could allow an app to execute arbitrary code with kernel privileges, is fixed in iOS 15.7.5 and iPadOS 15.7.5, macOS Monterey 12.6.5, iOS 16.4.1 and iPadOS 16.4.1, macOS Big Sur 11.7.6, and macOS Ventura 13.3.1.

IOSurfaceAccelerator is an object that manages hardware accelerated transfers/scales between IOSurfaces in the IOSurface framework. The IOSurface framework provides a framebuffer object suitable for sharing across process boundaries. It is commonly used to allow applications to move complex image decompression and draw logic into a separate process to enhance security.

An out-of-bounds write can occur when a program writes outside the bounds of an allocated area of memory, potentially leading to a crash or arbitrary code execution. This can happen when the size of the data written is larger than the size of the allocated memory area, when the data is written to an incorrect location within the memory area, or when the program incorrectly calculates the size or location of the data to be written. In this case an attacker can use it to elevate the privileges of a malicious app. For those interested, a proof-of-concept (PoC) has been published for this vulnerability.
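To make the three failure modes above concrete, here is an added C example (not Apple's code and not the IOSurfaceAccelerator fix; the surface object, the frame format, and the function names are constructed for illustration). A fixed-capacity buffer receives (offset, length, payload) frames from untrusted input. The "before" function trusts the header, so a length larger than the buffer, an offset that lands the write in the wrong place, or a length larger than the data actually supplied all corrupt memory. The "after" function is what "improved input validation" looks like in practice: every header-derived quantity is checked against the real input size and the real destination capacity before any write happens.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical surface object (constructed for this example; not Apple's
 * IOSurface API): a fixed-capacity pixel buffer that callers update with
 * (offset, length, payload) frames parsed from untrusted input. */
#define SURFACE_CAP 64u

typedef struct {
    uint8_t pixels[SURFACE_CAP];
} surface_t;

/* Constructed wire format of an update frame:
 *   bytes 0-1: destination offset (little endian)
 *   bytes 2-3: payload length    (little endian)
 *   bytes 4..: payload, `length` bytes */
#define FRAME_HDR 4u

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((unsigned)p[1] << 8));
}

/* VULNERABLE ("before") pattern: every quantity comes straight from the
 * attacker-controlled header. offset+length may exceed SURFACE_CAP (write
 * past the buffer) and length may exceed the bytes actually present (read
 * past the frame). Kept only to show the bug; never run on real input. */
int apply_frame_unchecked(surface_t *s, const uint8_t *frame, size_t frame_len)
{
    (void)frame_len;                      /* the real size is ignored: that is the bug */
    uint16_t off = rd16(frame), len = rd16(frame + 2);
    memcpy(s->pixels + off, frame + FRAME_HDR, len);
    return 0;
}

/* HARDENED pattern ("improved input validation"): check the header against
 * the real input size and the real destination capacity before any write.
 * Returns 0 on success, -1 when the frame is rejected. */
int apply_frame_checked(surface_t *s, const uint8_t *frame, size_t frame_len)
{
    if (s == NULL || frame == NULL || frame_len < FRAME_HDR)
        return -1;                                   /* header itself is truncated */
    uint16_t off = rd16(frame), len = rd16(frame + 2);
    if (len > frame_len - FRAME_HDR)
        return -1;                                   /* payload shorter than claimed */
    if (off > SURFACE_CAP || len > SURFACE_CAP - off)
        return -1;                                   /* destination out of bounds; subtraction form cannot overflow */
    memcpy(s->pixels + off, frame + FRAME_HDR, len);
    return 0;
}

/* Constructed test frames. */
static const uint8_t FRAME_GOOD[]  = {0x04, 0x00, 0x03, 0x00, 0xAA, 0xBB, 0xCC};  /* off 4, len 3 */
static const uint8_t FRAME_OOB[]   = {0x3E, 0x00, 0x04, 0x00, 1, 2, 3, 4};        /* off 62 + len 4 > 64 */
static const uint8_t FRAME_TRUNC[] = {0x00, 0x00, 0x10, 0x00, 1, 2};              /* claims 16 bytes, carries 2 */

/* Apply one frame to a fresh surface; returns the parser's verdict. */
int verdict(const uint8_t *frame, size_t frame_len)
{
    surface_t s;
    memset(&s, 0, sizeof s);
    return apply_frame_checked(&s, frame, frame_len);
}

/* Apply FRAME_GOOD to a fresh surface and return the byte at pixels[5]. */
int pixel_after_good(void)
{
    surface_t s;
    memset(&s, 0, sizeof s);
    apply_frame_checked(&s, FRAME_GOOD, sizeof FRAME_GOOD);
    return s.pixels[5];
}

int main(void)
{
    printf("good : %d\n", verdict(FRAME_GOOD, sizeof FRAME_GOOD));      /* 0 */
    printf("oob  : %d\n", verdict(FRAME_OOB, sizeof FRAME_OOB));        /* -1 */
    printf("trunc: %d\n", verdict(FRAME_TRUNC, sizeof FRAME_TRUNC));    /* -1 */
    printf("pixels[5] after good frame: 0x%02X\n", pixel_after_good()); /* 0xBB */
    return 0;
}
```

The destination check is written as `len > SURFACE_CAP - off` rather than `off + len > SURFACE_CAP` on purpose: with wider integer types the addition itself can wrap around and pass the test, which is exactly the "incorrectly calculates the size or location" case described above.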

CVE-2023-28205: a use after free (UAF) issue was addressed with improved memory management. This issue is fixed in iOS 15.7.5 and iPadOS 15.7.5, Safari 16.4.1, iOS 16.4.1 and iPadOS 16.4.1, macOS Ventura 13.3.1.

UAF is a type of vulnerability that is the result of the incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. In this case, when the vulnerability is exploited, processing maliciously crafted web content may lead to arbitrary code execution.
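The dangling-pointer mechanism described above, as an added C example (not WebKit's code and not the CVE-2023-28205 fix; the node structure and function names are constructed for illustration). A parent element owns a child; "script" may also take a handle to that child. The "before" removal frees the child outright and leaves the parent's pointer dangling, so any later read through it is a use after free. The "after" version is what "improved memory management" amounts to here: reference counting so the object lives as long as anyone holds it, and clearing the pointer so the tree can never reach a freed node.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical element node (constructed for this example; not WebKit's
 * actual DOM implementation). A parent owns one child; script may also hold
 * a handle to that child while it is removed from the tree. */
typedef struct node {
    int refs;               /* outstanding references; the node is freed at 0 */
    char tag[16];
    struct node *child;
} node_t;

node_t *node_new(const char *tag)
{
    node_t *n = calloc(1, sizeof *n);
    if (n == NULL) return NULL;
    n->refs = 1;
    strncpy(n->tag, tag, sizeof n->tag - 1);   /* calloc guarantees the terminator */
    return n;
}

node_t *node_retain(node_t *n) { n->refs++; return n; }

/* Drop one reference; free on the last one. Returns the references left. */
int node_release(node_t *n)
{
    if (--n->refs > 0) return n->refs;
    if (n->child) node_release(n->child);   /* the tree owns its child */
    free(n);
    return 0;
}

/* VULNERABLE ("before") pattern: the child is freed but parent->child still
 * points at the dead allocation. Any later parent->child->tag read is a
 * use after free. Shown for contrast; the demos below never call it. */
void remove_child_unsafe(node_t *parent)
{
    free(parent->child);          /* ignores other holders and leaves a dangling pointer */
}

/* HARDENED ("improved memory management") pattern: the tree drops only its
 * own reference and clears the pointer, so the object survives while script
 * still holds it and the tree can never dereference a freed node. */
void remove_child_safe(node_t *parent)
{
    node_t *c = parent->child;
    parent->child = NULL;         /* clear first: the tree no longer refers to it */
    if (c) node_release(c);
}

/* Demo 1: after safe removal the tree's pointer is NULL, not dangling.
 * Returns 1 on success. */
int demo_pointer_cleared(void)
{
    node_t *p = node_new("div");
    p->child = node_new("img");
    remove_child_safe(p);
    int ok = (p->child == NULL);
    node_release(p);
    return ok;
}

/* Demo 2: a script-held handle keeps the node alive across removal, and the
 * last release frees it. Returns 1 on success. */
int demo_handle_outlives_tree(void)
{
    node_t *p = node_new("div");
    p->child = node_new("img");
    node_t *h = node_retain(p->child);    /* "script" grabs the child */
    remove_child_safe(p);                 /* tree lets go; h still owns a reference */
    int alive = (strcmp(h->tag, "img") == 0) && (h->refs == 1);
    int left = node_release(h);           /* last reference: freed now */
    node_release(p);
    return alive && left == 0;
}

int main(void)
{
    printf("pointer cleared after removal   : %d\n", demo_pointer_cleared());      /* 1 */
    printf("handle outlives tree, then freed: %d\n", demo_handle_outlives_tree()); /* 1 */
    return 0;
}
```

Run it under AddressSanitizer (`-fsanitize=address`) if you want to see the difference: the safe path is clean, while calling `remove_child_unsafe` and then reading `parent->child->tag` is reported as a heap-use-after-free, which is how this bug class is usually caught in testing before it ships.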

WebKit is Apple’s web rendering engine. In other words, WebKit is the browser engine that powers Safari and other apps.

The security content of macOS Ventura 13.3.1 covers the same two vulnerabilities and Apple has also released a new Safari 16.4.1 update for macOS Monterey and macOS Big Sur, which likely addresses the WebKit vulnerability.


Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

A week in security (April 3 – 9)

Last week on Malwarebytes Labs:

Stay safe!



How the cops buy a “God view” of your location data, with Bennett Cyphers: Lock and Code S04E09

The list of people and organizations that are hungry for your location data—collected so routinely and packaged so conveniently that it can easily reveal where you live, where you work, where you shop, pray, eat, and relax—includes many of the usual suspects.

Advertisers, obviously, want to send targeted ads to you, and they believe those ads have a better success rate if they’re sent to, say, someone who spends their time at a fast-food drive-through on the way home from the office, as opposed to someone who doesn’t, or someone who’s visited a high-end department store, or someone who, say, vacations regularly at expensive resorts. Hedge funds, interestingly, are also big buyers of location data, constantly seeking a competitive edge in their investments, which might mean understanding whether a fast food chain’s newest locations are getting more foot traffic, or whether a new commercial real estate development is walkable from nearby homes.

But perhaps unexpected on this list is police.

According to a recent investigation from Electronic Frontier Foundation and The Associated Press, a company called Fog Data Science has been gathering Americans’ location data and selling it exclusively to local law enforcement agencies in the United States. Fog Data Science’s tool—a subscription-based platform that charges clients for queries of the company’s database—is called Fog Reveal. And according to Bennett Cyphers, one of the investigators who uncovered Fog Reveal through a series of public record requests, it’s rather powerful. 

“What [Fog Data Science] sells is, I would say, like a God view mode for the world… It’s a map and you draw a shape on the map and it will show you every device that was in that area during a specified timeframe.”

Today, on the Lock and Code podcast with host David Ruiz, we speak to Cyphers about how he and his organization uncovered a massive data location broker that seemingly works only with local law enforcement, how that data broker collected Americans’ data in the first place, where this data comes from, and why it is so easy to sell. 

Tune in now. 

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

IoT garage door exploit allows for remote opening attack

A popular and reasonably cheap garage door controller is making waves in the news, and not in a good way. Ars Technica reports that the $80 devices created by Nexx are suffering from a number of security issues which could compromise the safety of your home.

A Medium post by researcher Sam Sabetan reveals the details.

At the tail end of 2022, Sam discovered a “series of critical vulnerabilities” in the Nexx range of smart devices. These issues not only affected garage door openers, but also smart plug switches and alarms too.

Working with the US Cybersecurity and Infrastructure Security Agency (CISA), Sabetan eventually had five CVEs assigned. As per the advisory, successful exploitation of these vulnerabilities could allow an attacker to receive sensitive information or hijack devices, and not a huge amount of technical ability is required to perform the attacks.

Developers keep making the hard coded password mistake

What are some of the issues at play here? Well, one of the biggest is that hard coded credentials are used to talk to Nexx servers. What this means is that the password shipped with the product can never be changed. If someone finds out what it is, either from a list online or by socially engineering the victim, the game is indeed up.

As Ars Technica notes, this, alongside controllers broadcasting unencrypted email addresses along with the messages needed to open or close doors, all adds up to a fairly easy win for a competent attacker. Indeed, someone could potentially open your garage door from the other side of the planet if they wanted to. Sabetan estimates that more than 40,000 devices might be impacted by this issue, across both commercial and residential users.

Additional vulnerabilities include smart alarm impersonation, which would allow attackers to ultimately control the branded home alarm system that the Nexx smart alarm controller operates.

Elsewhere, we have smart alarm hijacking which could allow an attacker to essentially remove all control from a home alarm out of the owner’s hands, granting them full access in the process.

The suggested fix: replace these devices

This is all very bad. Worse, Sabetan reports that Nexx has “consistently ignored communication attempts from myself, the Department of Homeland Security, and the media”. One has to wonder if the company is unwilling or unable to fix the issue. With this in mind, the only real advice Sabetan has is the same as when you realise your phone is running an abandoned app. As painful as it may be to start reorganising how your physical home meshes with the digital world, it’s time to start ripping everything out and looking for other home security solutions.

From the CISA mitigations page, which doesn’t go quite as far as Sabetan’s advice to remove all of the Nexx products from your home or place of business:

  • Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.
  • CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

The Internet of Things can be a perilous place, and the lack of effective security in these tools we entrust our homes to is far from ideal. If you have devices and apps being used to power your home, alarms, doors, windows, or anything else, now is the time to check if those passwords are hard coded.



New tool allows you to opt out of Facebook’s targeted advertising

After Meta (Facebook and Instagram) switched the legal basis for targeting advertising from automatic consent to opt-out, privacy watchdog noyb has built a tool for users to opt out of targeted advertising and various other claims made by Meta in an easy and legally sound way.

After losing several cases where privacy-focused organizations claimed that Meta was in violation of GDPR regulations, Meta changed the legal basis to process certain first party data in Europe from “Contractual Necessity” to “Legitimate Interests.” GDPR is the EU’s general data protection regulation which governs how the personal data of individuals in the EU may be processed and transferred.

Even in Meta’s own words the new rules shouldn’t make much of a difference:

“It is important to note that this legal change does not prevent personalized advertising on our platform, nor does it affect how advertisers, businesses or users experience our products.”

The GDPR allows the processing of personal data if a company complies with one of the six legal bases in Article 6(1) GDPR, which are almost all irrelevant for advertising, so Meta does need the user’s consent.

But, instead of switching to an “opt-in” system, like Google or Microsoft, Meta argues that its “legitimate interest” to process user data would override the fundamental right to privacy and data protection of users.

In noyb’s view the “legitimate interest” argument has no lawful foundation, and even if it had, opting out should be as easy as opting in. But instead of providing a simple method to opt out, like clicking a button, Meta requires users to fill out a hidden form. This form requires users to argue why they want to opt out and explain why Meta’s non-public assessment is wrong in their individual case: an exercise that requires a user to click all the right buttons, understand legalese, and argue their points effectively. It has been made so complicated that noyb thinks it is highly unlikely that any normal user would be able to successfully complete the process.

This means the days in court are far from over, but in the meantime noyb has created a quick and easy way for users to object to the processing in a broad way. Its tool allows users to opt out of any processing under “legitimate interest” and to generally object to the use of personal data for targeted ads.

The tool

The tool helps EU citizens to object, as a precautionary measure, under Article 21(1) and (2) of the GDPR, to any use of their personal data for alleged “Legitimate Interests” as set out in the “What is our legal basis for processing your data?” section of Meta’s Privacy Policy.

In the words of Max Schrems, co-founder and honorary chairman of noyb:

“Our form turns the table: Meta has to argue why they have an overriding interest – not the user. Users can now opt out of data processing, and Facebook must process this objection without delay. We want to make it as easy as possible for those affected to exercise their fundamental rights.”

To use the free tool, users can visit the noyb consent form for collecting the necessary information and sending it to Meta.

Next you are presented with three options.

[Screenshot: the three options offered by the noyb tool]

The Facebook Login option allows you to object via noyb’s servers, using your email address as a sender and verifying that you have a Facebook account via Facebook Login. You will receive a copy of the objection.

The Email Tool option is basically the same except for the fact that you don’t have to log in to Facebook. Instead you will have to provide the email address that you use for Facebook/Instagram and noyb will verify if it’s yours.

[Screenshot: email verification mail] Content of the verification email sent to users of the second option

The Email Client option provides you with an example text so you can send an objection email yourself. All you have to do is copy the text into your email client and replace <YOUR_EMAIL_ADDRESS> in two places with the email address that is linked to your Meta account(s).

Knowing Meta, it’s probably too soon to get your hopes up. But sending out that email will at least tell Meta that there are objections and users feel that this is not the way to go about their business.



Google aims to reduce data theft with app data and account deletions

Google has made multiple security improvements to the general operation of apps over the last 12 months or so. It’s now a little easier to understand what apps want from you. Labels indicate a level of trustworthiness for developers. Changes have been made to ensure old, abandoned apps will no longer appear for download on the Play store.

Now the focus is on data collection, or to be more accurate, data deletion. Google wants people to be able to scrub data associated with an app. This counts for data inside of the application itself, but also out there on the web.

A farewell to app data?

Many apps require you to create an account, and very often those accounts are pinned to websites. This is particularly common with regard to video game apps, but can be a requirement for pretty much anything you choose to install depending on the developer’s needs.

From the Google announcement:

For apps that enable app account creation, developers will soon need to provide an option to initiate account and data deletion from within the app and online. This web requirement, which you will link in your Data safety form, is especially important so that a user can request account and data deletion without having to reinstall an app.

If you’re wondering, Google’s Data Safety Form is a way for developers to inform their users about how their data is used, collected, shared, and so on. All of the developer’s primary safety and privacy practices are listed here. Everything from what the developer itself does to how associated third-party entities work alongside them should be included.

Total account and data deletion

If an app user decides they no longer want anything to do with an application, there is now a way to ensure everything is gone forever. No more remnant accounts sitting around, potentially waiting to be compromised after a long period of abandonment.

From the release:

As the new policy states, when you fulfill a request to delete an account, you must also delete the data associated with that account. The feature also gives developers a way to provide more choice: users who may not want to delete their account entirely can choose to delete other data only where applicable (such as activity history, images, or videos). For developers that need to retain certain data for legitimate reasons such as security, fraud prevention, or regulatory compliance, you must clearly disclose those data retention practices.

As with so many changes of this nature, nothing is happening just yet. Developers have been given some time to get their houses in order if necessary, and submit their comments in relation to the proposed changes. They have from now until the beginning of December to do this. However, an extension is possible if needed which could give them until the end of May 2024. Either way, changes reflecting this new policy won’t kick in until somewhere around the beginning of next year.

As a device user there’s not much you can do about this for now. It’s squarely a heads up for developers to take a long look at the data they collect, and how to dispose of it when the app users feel that it’s no longer needed. Other major store owners are moving to similar policies, and this can only be a good thing for helping to reduce the threat of data theft.



Visitors of tax return e-file service may have downloaded malware

The IRS-authorized electronic filing service for tax returns, eFile.com, has been caught serving a couple of malicious JavaScript (JS) files these past few weeks, according to several security researchers and corroborated by BleepingComputer. Note this security incident only concerns eFile.com, not the IRS’ e-file infrastructure and other similar-sounding domains.

As of this writing, eFile.com is clean. Users can access it without worry.

The attack began 18 days ago

The incident first arose as a possibility that something might be up with the website. A Reddit user encountered a fake “Network Error” page when accessing www.efile.com. The page, as shown below, informed visitors their browser “uses an unsupported protocol,” and that they need to click the link it provided to them to update their browser—a known tactic often used by scammers.

[Image: fake “Network Error” page shown when visiting www.efile.com]

This fake error message used to come up when visiting the domain. Uncharacteristically, it told visitors to update their browsers. This made Redditors suspect the domain was hijacked. (Source: /u/SaltyPotter, original image cropped to fit)

This, however, is no scam.

Known figures in cybersecurity, such as MalwareHunterTeam (@malwarehunterteam) and Johannes Ullrich (@johullrich) of SANS, caught wind of the potential site compromise and dug in, with each writing their analysis.

According to both MalwareHunterTeam and Ullrich, a malformed JS file named popper.js contains encrypted malicious code—meaning it cannot be read plainly. Its purpose is to load another JS script called update.js hosted on an Amazon Web Services (AWS) site. update.js contains code used to display the fake error page.

popper.js is a legitimate file that was modified to perform malicious tasks. Because almost every page within the eFile.com website loads it, the malicious activities we mentioned are triggered every time a user visits any page on the site.

update.js also contains two hard-coded download URLs, both served on the malicious domain infoamanewonliag[.]online. The two payloads are for two specific browsers visitors typically use, Chrome and Firefox.

“So different browsers get different payloads,” says Ullrich. Chrome users get a payload named “update.exe” with a valid signature from Sichuan Niurui Science and Technology. Firefox users get “installer.exe.” There is no indication whether browsers based on Chromium (on which Chrome is based) or Quantum (on which Firefox is based) could also receive the payloads.

BleepingComputer has independently confirmed the payloads connect to an IP address hosted by Alibaba in China. The same IP also hosts the illicit domain the payloads were downloaded from.

These executables were written in Python. Malwarebytes detects them as Trojan.Downloader.Python.

As of Wednesday, popper.js is free of malicious code.

The backdoor

Once users execute the payload, a PHP script runs quietly in the background. BleepingComputer’s analysis shows that every 10 seconds, the backdoor script connects to a remote command and control (C2) server to receive one or more tasks to perform on the affected system. These include “executing a command and sending its output back to the attackers or downloading additional files onto the computer.”

The backdoor is unsophisticated, but it’s enough to give attackers access to the entire system, including company-owned devices.

“The full scope of this incident, including if the attack successfully infected any eFile.com visitors and customers, remains yet to be learned,” says BleepingComputer.



Uber data theft: Driver info stolen after law firm breached

Uber, yet again, has become a victim of data theft following a third-party breach. This time, threat actors have aimed at the company’s law firm, Genova Burns. Data of Uber’s drivers may have been swiped during the security incident.

According to the letter sent to affected drivers, the firm became aware of “suspicious activity relating to our internal information systems” on January 31, 2023. It immediately engaged with hired experts to investigate. Data was extracted between the 23rd and the 31st. The firm also contacted Uber regarding the breach after discovering that driver data was affected.

The Register, who first reported the incident, shares the below statement from an Uber spokesperson regarding the attack against Genova Burns:

Impacted information held by Genova Burns included information of certain drivers who had completed trips in New Jersey, including social security number and/or tax identification number. These drivers have been notified that their social security number and/or tax identification number have been potentially impacted and offered complimentary credit monitoring and identity protection services.

Genova Burns indicates that they are not aware of any actual or attempted misuse of the information, and confirmed that they are taking additional steps to improve security and better protect against similar incidents in the future.

The firm also promises to take “additional steps to improve security and better help protect against similar incidents in the future.” It didn’t elaborate on those steps, however.

No Uber customer data was touched in the attack. Affected drivers, as per usual, get one year free of identity monitor services as compensation, according to The Register.

Uber is no stranger to supply chain attacks. In December, threat actors raided data from Teqtivity, a vendor that provides asset management and tracking services for the company. Data on 77,000 Uber employees was later leaked.



9 vital criteria for effective endpoint security: Insights from the ‘Endpoint Security Evaluation Guide’ eBook

Endpoint security has never been more important, and with the increasing complexity of the security stack, choosing the right solution can be confusing. The good news is that there is a guide available to help organizations navigate this complex landscape: the “Endpoint Security Evaluation Guide” eBook.

One of the biggest challenges in selecting an endpoint security solution is ensuring that it can protect against both existing and emerging threats, without negatively impacting system performance or causing too many false positives. This is where MRG Effitas’ independent lab assessment comes in.

Evaluating endpoint security today

MRG Effitas’ 360° Assessment & Certification evaluates endpoint security vendors against nine vital criteria for efficacy, performance, and reliability. These include blocking potentially unwanted applications, preventing exploit and post-exploitation techniques, and blocking in-house ransomware samples. Based on a product’s performance on these criteria, MRG Effitas awards four certifications: 360° Level 1, 360° Exploit, 360° Online Banking, and 360° Ransomware.

Malwarebytes is a well-known name in the endpoint security industry, and it’s no surprise that they were put to the test in MRG Effitas’ 360° Assessment & Certification. The “Endpoint Security Evaluation Guide” eBook features Malwarebytes’ results on the assessment and includes head-to-head matchups of Malwarebytes versus each participating vendor. One shining takeaway is that Malwarebytes was the only vendor to win every certification in 2022. 

Read our recap blog for the full results: https://www.malwarebytes.com/blog/business/2023/03/malwarebytes-only-vendor-to-win-every-mrg-effitas-certification-award-in-2022 


In today’s complex threat landscape, it is more important than ever to choose an endpoint security solution that can effectively protect against a wide range of threats, while minimizing false positives and system impact. The “Endpoint Security Evaluation Guide” eBook, based on MRG Effitas’ independent lab assessment, is an essential tool for any organization looking to make an informed decision about endpoint security. Download below!

GET THE ENDPOINT SECURITY EVALUATION GUIDE

Western Digital confirms breach, affects My Cloud and SanDisk users

Western Digital, a big brand in digital storage, says it has suffered a “network security incident”—potentially ransomware—which resulted in a breach and some system disruptions in its business operations.

The company identified the incident on March 26 and said an unnamed third party unlawfully accessed several computer systems to steal data. The investigation is ongoing and Western Digital has yet to learn how much was taken. 

Since the incident, Western Digital’s consumer cloud and backup service My Cloud has experienced outages, preventing customers from accessing their files. My Cloud Home, My Cloud Home Duo, My Cloud OS5, SanDisk ibi, and SanDisk Ixpand Wireless Charger all experienced service interruptions. 

Western Digital said in its press release:

“The Company is implementing proactive measures to secure its business operations including taking systems and services offline and will continue taking additional steps as appropriate. As part of its remediation efforts, Western Digital is actively working to restore impacted infrastructure and services. Based on the investigation to date, the Company believes the unauthorized party obtained certain data from its systems and is working to understand the nature and scope of that data.”

Western Digital is a billion-dollar company, making it a target for criminals aiming to cash in. In the first quarter of 2023 alone, it reported revenue of $3.1B.

We’ll update this story as we learn more.

