IT NEWS

Patch now! Ivanti Endpoint Manager Mobile Authentication vulnerability used in the wild

The Cybersecurity and Infrastructure Security Agency (CISA) added one new vulnerability to its Known Exploited Vulnerabilities Catalog affecting Ivanti Endpoint Manager Mobile, based on evidence of active exploitation. All Federal Civilian Executive Branch (FCEB) agencies must remediate this vulnerability by August 15, 2023 to protect their networks against active threats.

We urge everyone else to take this vulnerability seriously and to patch as soon as possible since the vulnerability was used in a cyberattack on the ICT platform which is relied upon by 12 Norwegian ministries.

The vulnerability exists in Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core, and impacts all supported versions as well as unsupported and end-of-life releases. Ivanti EPMM is a mobile management software engine that enables IT to set policies for mobile devices, applications, and content. The affected Norwegian ministries used it to manage mobile devices used by government employees and grant remote access to government systems and applications.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVE assigned to this vulnerability is:

CVE-2023-35078 (CVSS score 10 out of 10): Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core, allows remote attackers to obtain Personally Identifiable Information (PII), add an administrative account, and change the configuration because of an authentication bypass, as exploited in the wild.

Ivanti has made a patch available for the supported version 11.4 releases 11.10, 11.9 and 11.8, and recommends that you immediately take action to ensure you are fully protected. Customers can find the detailed information, and how to access and apply the remediations, in Ivanti’s Knowledge Base article (login required).

The vulnerability was discovered in Norway as a result of an investigation into a cyberattack on the ICT platform used by 12 ministries. The Norwegian National Security Authority (NSM) and the Norwegian Government Security and Service Organization (DSS) found the vulnerability but chose not to disclose any details until a patch was available.

In a statement, Erik Hope, Director General of the Norwegian Government Security and Service Organisation (DSS) said:

“We have detected a previously unknown vulnerability in one of our suppliers’ software. This vulnerability has been exploited by an unknown third party. This vulnerability has now been fixed. It is still too early to say anything about who is behind the attack or the extent of the attack. Our investigations and the police investigations will provide more answers.”

On their site, Ivanti describes the vulnerability as an authentication bypass vulnerability in Ivanti EPMM that allows unauthorized users to access restricted functionality or resources of the application without proper authentication. According to Ivanti the vulnerability was used against “a very limited number of customers.”

According to a Shodan scan posted by BleepingComputer, more than 2,900 MobileIron user portals are presently exposed online, of which around three dozen are linked to US local and state government agencies.

[Image: Shodan scan of accessible Ivanti instances]

Image courtesy of BleepingComputer

It is strongly advised that all network admins apply the Ivanti Endpoint Manager Mobile (MobileIron) patches as soon as possible. If this is not possible at short notice or you are using an unsupported version, you should restrict access to the platform as much as possible.

We don’t just report on vulnerabilities—we identify them, and prioritize action.


Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

60,000 Androids have stalkerware-type app Spyhide installed

Stalkerware-type app Spyhide is coded so badly that it’s possible to gain access to the back-end databases and retrieve data about everyone that has the app on their device. And it’s not a small number. Hacktivist maia arson crimew told TechCrunch she’d found 60,000 compromised Android devices, dating back to 2016.

Spyhide, like many other stalkerware-type apps “silently and continually uploads the phone’s contacts, messages, photos, call logs and recordings, and granular location in real time.”

By definition, stalkerware are tools – software programs, apps and devices – that enable someone to secretly spy on another person’s private life via their mobile device. Many stalkerware applications market themselves as parental monitoring tools, but they can be and often are used to stalk and spy on a person. The most common users of stalkerware are domestic violence abusers, who load these programs onto their partner’s computer or mobile device without their knowledge.

In fact, crimew was recently a guest on the Malwarebytes podcast Lock & Code, revealing how easily many of these apps can be compromised due to bad coding and a careless security posture.

Writing about the SpyHide hack, crimew describes how it was possible to download the full source code and git history for the account panel of SpyHide. From there she figured out how data uploads from victim devices worked and managed to upload a web shell that helped download around 230GB of stalkerware data. The data showed that between 2016 and the server takeover, around 60k devices had been compromised.

TechCrunch’s analysis of the data shows Spyhide’s surveillance network spans every continent, with clusters of thousands of victims in Europe and Brazil. The US has more than 3,100 compromised devices, a fraction of the total number worldwide, yet the US victims are still some of the most surveilled victims on the network by the quantity of location data alone.

If you are thinking about installing such an app, and you are reading this:

  1. Don’t!
  2. It definitely is illegal in almost every country, unless it’s done with the consent of the government itself.
  3. We have never heard of anyone who was able to solve a problem by using stalkerware. Usually resorting to stalkerware only makes it worse.
  4. Consider the consequences of someone finding out what you did and remember that is a distinct possibility.
  5. Listen to this podcast.

Malwarebytes, as one of the founding members of the Coalition Against Stalkerware, makes it a priority to detect and remove stalkerware from your device. It is good to keep in mind, however, that by removing the stalkerware you will alert the person spying on you that you know the app is there. But should you require help removing it, Malwarebytes for Android detects Spyhide as Android/Monitor.Spyhide.


We don’t just report on Android security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your Android devices by downloading Malwarebytes for Android today.

Ransomware groups claim responsibility for double-attack on Yamaha

Music giant Yamaha’s Canadian division has experienced a compromise on two different fronts, both related to ransomware. In an attack which has worrying echoes of the recent Estée Lauder attack, multiple attackers have claimed to breach the organisation.

Yamaha Canada Music had the following to say in a statement:

Yamaha Canada Music Ltd. recently encountered a cyberattack that led to unauthorized access and data theft. In response, we swiftly implemented measures to contain the attack and collaborated with external specialists and our IT team to prevent significant damage or malware infiltration into our network.

Yamaha Canada has been notifying affected individuals, and we are offering credit monitoring services to those at risk of potential harm. Additionally, we have taken decisive actions to reinforce our network defenses and ensure enhanced security measures moving forward.

Note that, as with the Estée Lauder incident(s), no specific ransomware group is cited as having been responsible for the attack in question. Despite this, we have two groups claiming to have been involved in data exfiltration.

This time around, the groups claiming responsibility are BlackByte and Akira. The BlackByte claim was noticed by researcher Dominic Alvieri on June 14, with a follow-up post on July 21 confirming Akira’s claim.

The Record article notes that several “double-hitter” attacks have been made public recently, and the question of whether or not this is by accident or design is raised once more. One proposed theory is that it could be down to affiliates working on behalf of several groups. Another is that groups are simply working together to reap the rewards, and perhaps make the attacks even more visible to the public.

Whatever the reason, it just means more work and more potential headaches for the organisations being targeted.

Akira has appeared in a few of our Ransomware Reviews, beginning in May of this year, and is typically found in the top half of our most active gang chart. From our post:

Akira is a fresh ransomware hitting enterprises globally since March 2023, having already published in April the data of nine companies across different sectors like education, finance, and manufacturing. When executed, the ransomware deletes Windows Shadow Volume Copies, encrypts files with specific extensions, and appends the .akira extension to the encrypted files.

Like most ransomware gangs these days, the Akira gang steals corporate data before encrypting files for the purposes of double-extortion. So far, the leaked info published on their leak site—which looks retro and lets you navigate with typed commands—ranges from 5.9 GB to a whopping 259 GB.

Akira demands ransoms from $200,000 to millions of dollars, and it seems they are willing to lower ransom demands for companies that only want to prevent the leaking of stolen data without needing a decryptor.

BlackByte, a ransomware as a service (RaaS) tool, is another frequent appearance in our top ransomware gang lists. BlackByte has scored some notable attacks, with one of the biggest being the compromise of the San Francisco 49ers shortly before the 2022 Super Bowl.

As with all of these attacks, it remains to be seen whether any data will be leaked or sold on. For now, organisations large and small will have to try and weather the storm of simultaneous single, double, or even triple threat attacks.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes EDR and MDR remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

How to set up computer security for your parents

If you want to tighten up your parents’ home cybersecurity as much as possible, you’ve come to the right place. After all, you’re no doubt the family IT person, and first point of contact if trouble arises. 

Consider a Chromebook. If someone is looking for a new computer system for regular, non-demanding purposes, such as browsing, social media, and email, you can help with recommendations. For such a person, who isn’t invested in heavy gaming, a Chromebook would be a good option, as it will save them some money and can perform all those functions, plus allows them to play browser-based games if needed.

Turn on auto-update. Installing software on a system usually comes with the task of having to keep it up-to-date. Therefore, any software program, operating system or browser that has an option to auto-update should be set to do this. We know this isn’t always recommended in a work environment, but for the computer illiterate person in their own home, it’s perfect. One less thing to worry about.

Configure their security software. Selecting security software that allows users to minimize notifications to only dire warnings will keep them from getting confused. Notifications coming from programs can have strange effects on the less computer savvy for several reasons:

  • They don’t understand to which program the messages belong, which takes away the context for them
  • The text in the notifications is designed to be short, which means it’s not always optimized for clarity
  • Technical terms used in the notification may be unfamiliar

When there are too many notifications, people can get fatigued. Most will simply want the pop-ups to disappear, no matter what they have to click on to accomplish this. So, any software that can be set to only issue a warning when something is really amiss deserves a big plus.

Disable Remote Desktop. If you’re dealing with a Windows computer, disable Remote Desktop. Remote Desktop is sometimes used by scammers in things like technical support scams, so if you don’t need it you may as well turn it off. You can do this in Settings. Here’s how to do it in Windows 10:

  • Launch the Settings app (shortcut Win + I).
  • Under the System section, scroll down and click on the Remote Desktop option.
  • Then, click on the toggle next to the Remote Desktop option to turn it off.

[Screenshot: Remote Desktop settings]

  • Windows will prompt you to confirm your decision.
  • Click on the Disable button and exit the Settings app.

Use an easy to maintain blocklist or firewall. This can keep a lot of harm at bay. Alternatively, make use of security software that includes a web protection module, like Malwarebytes Premium.

Configure the router accordingly. Make sure to configure the home router and access points with unique usernames and passwords and do not use the default ones that come with the equipment. Many botnets will attempt to take over such devices by trying default credentials.

There are some other basic settings that can enhance the security of the home router without hindering the users:

  • Turn off remote management if enabled.
  • Use WPA2 or WPA3 (if available) encryption on wireless routers.

Hang up, close the tab, and call your bank. A Dutch bank ran a very effective campaign that advised customers to “Hang up, close the tab, and call your bank.” This is very easy to remember and very effective at the same time. Tell your parents to remember that phrase when they see “urgent” warnings online or get cold calls from Microsoft, their bank, or any other entity that seeks access to personal or financial information. It’s good to teach your parents they shouldn’t trust that friendly voice with a concerned tone, if they can’t verify their identity. The same is true for text and chat messages. Even if the sender claims to be you on your new phone.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Update now! Apple fixes several serious vulnerabilities

Apple has released security updates for several products to address several serious vulnerabilities, including some actively exploited zero-days. Updates are available for these products:

  • Safari 16.6: macOS Big Sur and macOS Monterey
  • iOS 16.6 and iPadOS 16.6: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
  • iOS 15.7.8 and iPadOS 15.7.8: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)
  • macOS Ventura 13.5: macOS Ventura
  • macOS Monterey 12.6.8: macOS Monterey
  • macOS Big Sur 11.7.9: macOS Big Sur
  • tvOS 16.6: Apple TV 4K (all models) and Apple TV HD
  • watchOS 9.6: Apple Watch Series 4 and later

The updates may already have reached you in your regular update routines, but it doesn’t hurt to check if your device is at the latest update level. If a Safari update is available for your device, you can get it by updating or upgrading macOS, iOS, or iPadOS.

How to update your iPhone or iPad.

How to update macOS on Mac.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. Some of the notable CVEs patched in these updates are:

CVE-2023-38606: A vulnerability in the kernel that may allow an app to modify sensitive kernel state. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1. The exploitation of this vulnerability took place as part of a 0-click exploit chain used to install spyware. These exploitation methods are named like that because they require no user interaction to compromise a device.

CVE-2023-32409: a vulnerability in WebKit. A remote attacker may be able to break out of the Web Content sandbox. Apple is aware of a report that this issue may have been actively exploited. A patch for this vulnerability was issued in May for iOS 16 and iPadOS 16, but is now also available for iOS 15.7.8 and iPadOS 15.7.8.

WebKit is the engine that powers the Safari web browser on Macs as well as all browsers on iOS and iPadOS (all web browsers on iOS and iPadOS are obliged to use it). It is also the web browser engine used by Mail, App Store, and many other apps on macOS, iOS, and Linux.

CVE-2023-37450: another WebKit vulnerability, where processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited, which is why it was already covered earlier by a Rapid Security Response (RSR).

CVE-2023-32416: a vulnerability in the Find My app which could allow another app to read sensitive location information. This issue was addressed with improved restrictions.



Tampa General Hospital half thwarts ransomware attack, but still loses patient data

The Tampa General Hospital (TGH) has promised to reach out to individuals whose information has been stolen by a ransomware group.

In a cybersecurity notice, TGH said it noticed unusual activity on its computer systems on May 31, 2023.

“Fortunately, TGH’s monitoring systems and experienced technology professionals effectively prevented encryption, which would have significantly interrupted the hospital’s ability to provide care for patients.”

While that is good news from a healthcare perspective, the ransomware operators did obtain something of value. An investigation found that an unauthorized third party accessed TGH’s network and obtained files from its systems between May 12 and May 30, 2023.

Further investigation showed that some patient information was included. The information varied from person to person, but may have included names, addresses, phone numbers, dates of birth, Social Security numbers (SSNs), health insurance information, medical record numbers, patient account numbers, dates of service and/or limited treatment information used by TGH for its business operations.

According to TGH, the criminals did not access the hospital’s electronic medical record system.

TGH says it is mailing letters to individuals whose information may have been compromised, and will provide complimentary credit monitoring and identity theft protection services to those whose Social Security numbers were accessed.

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.

Snatch ransomware

On July 18, 2023, the Snatch ransomware group claimed responsibility for the data theft on its leak site.

[Screenshot: the Snatch leak site]

At Malwarebytes, we’ve been tracking the Snatch group since 2019. The group is suspected to operate from Russia. Back in 2019, the group stood out because it deployed a somewhat new technique for ransomware which forced the affected machine to reboot into safe mode without networking. Safe mode starts Windows in a basic state, using a limited set of files and drivers. It’s intended for troubleshooting, but since many monitoring tools will not work in safe mode, it allowed for an undisturbed and quicker encryption process. By choosing the “without networking” mode, administrators lose view of the system. The Snatch ransomware added itself as a service which ran in safe mode. Interestingly, for some reason the group no longer uses that method.

Their most common attack vectors include brute-force attacks against vulnerable, exposed services such as RDP, VNC (Virtual Network Computing), and TeamViewer. Programmed in Go, the ransomware component is separate from the data stealer. We have not seen the multi-platform capabilities of Go put to use, and only Windows machines are affected.

Malwarebytes detects the Snatch ransomware as Ransom.Snatch.

[Screenshot: Malwarebytes detecting Ransom.Snatch]

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.


A week in security (July 17 – 23)

Last week on Malwarebytes Labs:

Stay safe!



Estée Lauder targeted by Cl0p and BlackCat ransomware groups

Estée Lauder is currently at the heart of a compromise storm, revealing a major security issue via a Securities and Exchange Commission (SEC) filing on Tuesday.

Although no detailed explanation of what has taken place is given, there is confirmation that an attack allowed access to some systems and involved potential data exfiltration. Meanwhile, two ransomware groups are taking credit for compromises unrelated to one another. Is one of the compromises the attack mentioned in the filing? It’s worth mentioning here that Estée Lauder does not name either ransomware group. With this in mind, the relevant section from the filing reads as follows:

The Estée Lauder Companies Inc. (NYSE: EL) has identified a cybersecurity incident, which involves an unauthorized third party that has gained access to some of the Company’s systems. After becoming aware of the incident, the Company proactively took down some of its systems and promptly began an investigation with the assistance of leading third-party cybersecurity experts. The Company is also coordinating with law enforcement. Based on the current status of the investigation, the Company believes the unauthorized party obtained some data from its systems, and the Company is working to understand the nature and scope of that data.

The Company is implementing measures to secure its business operations and will continue taking additional steps as appropriate. During this ongoing incident, the Company is focused on remediation, including efforts to restore impacted systems and services. The incident has caused, and is expected to continue to cause, disruption to parts of the Company’s business operations.

Bleeping Computer notes that the ALPHV/BlackCat and Cl0p groups are the ones claiming responsibility for the two unrelated ransomware compromises. Worse, both ransomware groups have what they claim to be Estée Lauder data up for grabs on their leak portals.

If you’re unfamiliar with such sites, they’re places where ransomware groups store stolen data. The compromised organisation is then threatened with the data being made public, traded, or sold off to the highest bidder unless a ransom is paid. This is a common tactic in so-called “double extortion” ransomware, where the encrypting of devices is merely the first step to extracting money.

The Cl0p group claims to have somewhere in the region of 131GB of data to hand. Meanwhile, BlackCat is complaining about a lack of communication from Estée Lauder, saying it has sent multiple emails but received no replies. It also claims to still have network access despite various attempts to secure the network.

Supposedly, the information taken could “impact customers, employees, and suppliers”. There are no further details on the contents at this time. Regular readers will know that these attacks typically target confidential information, company secrets, personal data, payroll, and identity scans. The attackers could be bluffing, or it really could be as bad as they claim. We’ll have to wait and see.

The Cl0p compromise is said to have made use of a MOVEit Transfer vulnerability to gain access to the target systems. Both Cl0p and BlackCat tend to feature heavily in our ransomware review posts. In our June post, Cl0p was the most active group around with BlackCat falling suspiciously quiet. Perhaps it was focusing on heavy-hitter attacks such as this the whole time.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.


CISA: You’ve got two weeks to patch Citrix NetScaler vulnerability CVE-2023-3519

The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical unauthenticated remote code execution (RCE) vulnerability in Citrix NetScaler ADC and Citrix NetScaler Gateway to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. This means that Federal Civilian Executive Branch (FCEB) agencies need to remediate this vulnerability by August 9, 2023 to protect their networks against active threats. We urge everyone else to take it seriously too.

The recommended actions are to apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable. Given the active exploitation, we would advise doing this as soon as possible.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The actively exploited CVE patched in this update is CVE-2023-3519, a Citrix NetScaler ADC and NetScaler Gateway code injection vulnerability with a CVSS score of 9.8 out of 10. The vulnerability can lead to unauthenticated RCE. It affects appliances configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an authentication, authorization and accounting (AAA) virtual server.

Little information has been made available about the campaign that is exploiting this vulnerability. What we do know is that the criminals use web shells—a script that can be used by an attacker to run remote commands and maintain persistent access on an already compromised system. CISA has released a cybersecurity advisory about the tactics, techniques, and procedures (TTPs) of the currently active campaign.

Reportedly, there are around 38,000 Citrix Gateway appliances exposed to the public Internet and exploits against Citrix ADC have been discussed, including the sale of a Remote Code Execution (RCE) exploit, on a cybercrime forum.

Citrix acknowledges the urgency by stating:

“Exploits of CVE-2023-3519 on unmitigated appliances have been observed. Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible.”

The security bulletin by Citrix about this vulnerability includes two more vulnerabilities. The following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities:

  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
  • NetScaler ADC 13.1-FIPS before 13.1-37.159
  • NetScaler ADC 12.1-FIPS before 12.1-55.297
  • NetScaler ADC 12.1-NDcPP before 12.1-55.297

Citrix notes that NetScaler ADC and NetScaler Gateway version 12.1 have reached the end-of-life stage and customers should upgrade to a newer variant of the product.
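The version list above is easy to misread in an inventory spreadsheet: the FIPS and NDcPP editions have their own, lower fixed build numbers, and a plain string comparison of builds such as "49.9" and "49.13" gives the wrong answer. The triage helper below is an added example (not code from Citrix or Malwarebytes) that encodes the bulletin's thresholds and compares builds numerically; it assumes version strings of the form "13.1-49.13" and an edition label ("STD", "FIPS" or "NDcPP") supplied separately, and treats standard 12.1 as end-of-life rather than patchable.

```python
"""Triage helper for CVE-2023-3519 exposure by NetScaler build number.

Added example, not Citrix's or Malwarebytes' own code.  Thresholds are the
first fixed builds from the bulletin; the version string format "MM.m-bb.ss"
and the edition labels are assumptions made for this example.
"""
import re
from typing import Tuple

# (release branch, edition) -> first fixed build, taken from the bulletin list
FIXED_BUILDS = {
    ("13.1", "STD"):   (13, 1, 49, 13),
    ("13.0", "STD"):   (13, 0, 91, 13),
    ("13.1", "FIPS"):  (13, 1, 37, 159),
    ("12.1", "FIPS"):  (12, 1, 55, 297),
    ("12.1", "NDcPP"): (12, 1, 55, 297),
}
# Standard (non-FIPS/NDcPP) 12.1 is end-of-life: no fix, upgrade instead
EOL_BRANCHES = {"12.1"}

_VER_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")


def parse_build(version: str) -> Tuple[int, int, int, int]:
    """Turn '13.1-49.13' into (13, 1, 49, 13) so it compares numerically."""
    m = _VER_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {version!r}")
    major, minor, build, sub = (int(x) for x in m.groups())
    return (major, minor, build, sub)


def assess(version: str, edition: str = "STD") -> str:
    """Return 'vulnerable', 'patched', 'end-of-life' or 'unknown-branch'."""
    build = parse_build(version)
    branch = f"{build[0]}.{build[1]}"
    fixed = FIXED_BUILDS.get((branch, edition))
    if fixed is None:
        return "end-of-life" if branch in EOL_BRANCHES else "unknown-branch"
    # Tuple comparison orders each component as an integer, so
    # 13.1-49.9 < 13.1-49.13 even though "49.9" > "49.13" as strings.
    return "vulnerable" if build < fixed else "patched"


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and builds are made up)
    inventory = [("gw-01", "13.1-49.9", "STD"), ("gw-02", "13.1-37.159", "FIPS"),
                 ("gw-03", "12.1-65.25", "STD"), ("gw-04", "13.0-91.13", "STD")]
    for host, ver, ed in inventory:
        print(f"{host:6} {ver:12} {ed:6} -> {assess(ver, ed)}")
```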

Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to take any action.

Malwarebytes blocks the IP addresses that are known indicators of compromise (IoCs) for the active campaign exploiting this vulnerability.

Malwarebytes blocks 216.41.162.172

Malwarebytes blocks 216.51.171.17

For administrators who would like to see whether their instance has been compromised and what they should do about it, I found this checklist.



Amazon in-van delivery driver footage makes its way online

Footage from technology used to monitor Amazon delivery drivers is leaking onto the internet. AI-enabled equipment that keeps an eye on the drivers’ speed, location, and other activities is part of the growing trend of workplace surveillance. In theory, where drivers are concerned, it could flag a missing seat belt or a red light being run.

In practice the drivers aren’t too keen and insist that the companies using this tech can trust them without having a camera in their face all day long. There are other privacy issues to consider too.

When you receive a delivery nowadays, it’s not unusual for drivers to take a photo at the doorstep. You may or may not be present when these images are taken, but you’ll often see them on the web-based “parcel delivered” status page. If you’re lucky, your pyjamas are safely out of shot.

You may have wondered about the privacy issues related to these photographs. On the one hand, they’re attached to a URL online somewhere and they sometimes have your house number in shot. On the other hand, there’s a good chance nobody cares, those parcel delivered links tend to be temporary, and you’re not posing and waving alongside your delivery.

Why does this matter? Well, filmed footage takes in a lot more than a static, split-second shot of your doorstep. If a camera is rolling when a delivery person reaches your home, you could end up in the video footage, or in the recorded audio if the system captures any. Ever had a casual chat with your driver? It could be in one of these recordings somewhere.

The cameras used are able to record both road and driver, with Vice reporting that drivers must consent to their biometric data being collected so their actions can be recorded “properly”. Despite this, there are examples of the cameras incorrectly penalising drivers.

Meanwhile the current clips are leaking to sites like Reddit, and nobody is sure who is doing it for the most part. Drivers claim they don’t have access to the footage: only Amazon, the technology maker, and the delivery service partner (DSP) which is the firm making the actual delivery.

On the Subreddit in question, drivers confirm that there is no live feed, but “dispatchers” on the other end can check in, and drivers can request that specific footage be pulled up, as seems to be the case in this example. Whether the footage should be requested and dropped online is a different question. With drivers already worried about the privacy issues of clips making their way to the internet, it’s probably not helpful if some drivers are contributing to the steady flow.

This isn’t the first time footage has appeared online, even if it seems to be more common now. Back in February of this year, one driver shared details of the AI system tracking her movements in a TikTok video which went viral. In that instance, she described the van’s four cameras (one forward facing, two on the side, and one facing her) and how they work together to “ding” her with a violation should she do something against the rules. She also references a driver receiving a “distracted driver violation” for scratching his beard, which the system interpreted as him using a phone while driving. Drivers can contest these supposed violations, but it all gives the impression of a system somewhat at war with itself.

Amazon’s stance on this technology is clear: It’s a valuable and necessary tool to ensure drivers are doing the right thing and not causing problems for other drivers. From Amazon’s comments to Business Insider:

“The safety technology in delivery vans help keep drivers and the communities where we deliver safe, and claims that these cameras are intended for anything else are incorrect. Since we started using them, we’ve seen a 35% reduction in collision rates across the network along with a reduction in distracted driving, speeding, tailgating, sign and signal violations, and drivers not wearing their seatbelts.”

As for people receiving the packages, this is more of a problem for drivers than the recipients for the most part. However, it would be a shame if this ends up encouraging a lack of interaction with the folks bringing you your packages on a daily basis. 

