IT NEWS

FBI confirms Barracuda patch is not effective for exploited ESG appliances

In an FBI Flash about a Barracuda ESG vulnerability, listed as CVE-2023-2868, the FBI has stated that the patches released by Barracuda in response to this CVE were ineffective for anyone previously infected. Although both Barracuda and Mandiant have already made this determination, the agency says it has “independently verified” it.

As we explained in an earlier post, the zero-day vulnerability was reportedly used in targeted attacks for months before the patch was issued, by a group that allegedly has ties to China.

On May 23, 2023, Barracuda posted that “a security patch to eliminate the vulnerability was applied to all ESG appliances worldwide on Saturday, May 20, 2023.” The patch was followed by another on May 21, and users with impacted appliances were reportedly “notified via the ESG user interface of actions to take.”

On June 6, 2023, Barracuda sent out an action notice informing customers that impacted ESG appliances must be replaced immediately, signalling that patching alone would not suffice on an already-infected device.

Compromised ESG appliances must be immediately replaced regardless of patch version level. Only a subset of ESG appliances have shown any known indicators of compromise, and are identified by a message in the appliance User Interface.

On July 28, the company explained that SUBMARINE malware was found on infected devices that had been patched:

This additional malware was utilized by the threat actor in response to Barracuda’s remediation actions in an attempt to create persistent access on customer ESG appliances. This malware appeared on a very small number of already compromised ESG appliances.

In a blog post today, Mandiant confirmed that the patches appear to be effective, saying that since Barracuda released its patches, “Mandiant and Barracuda have not identified evidence of successful exploitation of CVE-2023-2868 resulting in any newly compromised physical or virtual ESG appliances.” The company goes on to reiterate that compromised organizations should replace their appliances:

…a limited number of previously impacted victims remain at risk due to this campaign … Mandiant’s recommendations remain unchanged — victims impacted by this campaign should contact Barracuda support and replace the compromised appliance.

The FBI has now independently verified the same findings.

the FBI has independently verified that all exploited ESG appliances, even those with patches pushed out by Barracuda, remain at risk for continued computer network compromise from suspected PRC cyber actors exploiting this vulnerability.

The flaw in Barracuda’s appliance is a remote command injection vulnerability which exists in the Barracuda Email Security Gateway (appliance form factor only). The vulnerability stems from incomplete input validation of file names contained in .tar file attachments. As a consequence, a remote attacker could specifically format these file names in a way that results in remotely executing a system command through Perl’s qx operator, with the privileges of the Email Security Gateway product.
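The file-name check that the vulnerability description above calls for, as an added example in Python that is not Barracuda's code: it opens a tar attachment, validates every member name against a strict allowlist, and rejects anything carrying shell metacharacters or path traversal before a name could ever reach a shell-interpreting call such as Perl's qx. The archive and its member names are constructed test data.

```python
import io
import re
import tarfile

# Allowlist: letters, digits, dot, underscore, dash, space and "/" only.
# Anything a shell would interpret (backticks, $, ;, |, &, quotes, newlines)
# cannot match, so it never reaches a command line in the first place.
SAFE_NAME = re.compile(r"[A-Za-z0-9._\- /]{1,255}")


def is_safe_member_name(name: str) -> bool:
    """True if an archive member name is safe to hand to downstream tooling."""
    if not SAFE_NAME.fullmatch(name):
        return False
    # Reject absolute paths and traversal even though they pass the charset test.
    parts = name.split("/")
    if name.startswith("/") or ".." in parts:
        return False
    return True


def unsafe_members(tar_bytes: bytes) -> list:
    """Return the member names in a tar archive that fail validation.

    A gateway would quarantine the attachment if this list is non-empty.
    Names that do pass should still be passed to tools as argv elements
    (list-form exec), never interpolated into a shell command string.
    """
    bad = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf.getmembers():
            if not is_safe_member_name(member.name):
                bad.append(member.name)
    return bad


def build_tar(names) -> bytes:
    """Construct an in-memory tar archive with the given member names (constructed test input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in names:
            payload = b"placeholder"
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: two benign names, one with a shell metacharacter, one traversal.
    sample = build_tar(["invoice.pdf", "docs/notes.txt", "report;x.pdf", "../up.txt"])
    print(unsafe_members(sample))
```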

According to the FBI, the cybercriminals utilized this vulnerability to insert malicious payloads onto the ESG appliance with a variety of capabilities that enabled persistent access, email scanning, credential harvesting, and data exfiltration.

The Cybersecurity and Infrastructure Security Agency (CISA) has published four malware analysis reports based on malware variants associated with the exploitation of this vulnerability in Barracuda ESG appliances.

The CISA reports address:

In these reports and the FBI Flash you can find a host of Indicators of Compromise that are certainly worth pursuing if you have or had the Barracuda ESG appliance in your environment between October 2022 and now.

The FBI recommends that customers who used enterprise privileged credentials for management of their Barracuda appliances (such as Active Directory Domain Admin) should immediately take incident investigation steps to verify the use and behavior of any credentials used on their devices. Investigation steps may include:

  • Review email logs to identify the initial point of exposure
  • Revoke and rotate all domain-based and local credentials that were on the ESG at the time of compromise
  • Revoke and reissue all certificates that were on the ESG at the time of compromise
  • Monitor entire network for the use of credentials that were on the ESG at the time of compromise
  • Review network logs for signs of data exfiltration and lateral movement
  • Capture forensic image of the appliance and conduct a forensic analysis

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Meal delivery service PurFoods announces major data breach

An organisation that provides home delivery meals has revealed that around 1.2 million people’s personal data may be at risk, after the company suffered a ransomware attack earlier in the year.

PurFoods, which offers up a service called Mom’s Meals, helps to provide meals for folks in a variety of different personal situations. From its site:

We work with over 500 health plans, managed care organisations, governments, and agencies to provide access to meals for people covered under Medicare and Medicaid, as well as the opportunity for individuals to order meals on their own.

The PurFoods notification reveals that suspicious account behaviour was first seen back in February of this year. An investigation concluded that at some point between January 16 and February 22, 2023, a cyberattack took place. Certain files in the PurFoods network were encrypted, and investigators also noticed tools present which can be used for data exfiltration. As a result, PurFoods says it “can’t rule out” the possibility that data was exfiltrated from one of its file servers.

The notice stresses that so far there has been no evidence of data being misused, which will be some measure of relief for those using the service. Even so, an abundance of caution has led to a variety of advice for those who think they may be impacted.

Here’s who could be affected by the breach according to PurFoods:

The individuals whose information was involved included clients of PurFoods who received one or more meal deliveries, as well as some current and former employees and independent contractors.

The data potentially at risk, which is quite significant, includes:

  • Date of birth
  • Driver’s license/state identification number
  • Financial account information
  • Payment card information
  • Medical record number
  • Medicare and/or Medicaid identification
  • Health information
  • Treatment information
  • Diagnosis code
  • Meal category and/or cost
  • Health insurance information
  • Patient ID number
  • Social Security numbers were involved for less than 1% of the total population, most of which are internal to PurFoods.

PurFoods began sending out notification letters by mail on August 25, which included specific information with regard to identity theft protection and availing of “identity restoration services and complimentary credit monitoring”. There’s also a dedicated call center line for people who may have further questions about the breach: (866) 676-4045.

At this point in time, there’s no additional information with regard to the specific ransomware used or whether additional extortion tactics were deployed. The notification does state that this incident is unrelated to the MOVEit attack from a few months prior.

This could potentially prove to be costly for the food provider. As The Register notes, many search results for this breach lead to law firms on the lookout for potential clients impacted by the ransomware attack. We may have to wait a while to see if any data actually does leak online, or if PurFoods reveals any more information about the attackers behind the compromise. For now, if you receive a notification letter we suggest keeping a close eye on your finances, watch out for targeted phishing, and call the PurFoods helpline if you are concerned.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes EDR and MDR remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Google strengthens its Workspace suite protection

Google has announced the strengthening of safeguard measures for its Workspace customers. You may well be using Workspace without realising it. If you’re using a Google product such as Gmail, Calendar, Drive, or Google Docs Editors Suite (among other apps), then congratulations: you are fully inside the Workspace ecosystem.

Late last year, changes were made to try and catch out an attacker rifling through Google accounts and attempting to access certain critical settings or functionality.

When an account (any account, not just one offered by Google) is taken over, there’s going to be a specific flow the compromiser makes use of. 

For example, if I hijack your email the first thing I’ll try and do is lock you out by changing your password. After that, I might pay a visit to the backup email address and try to stop you from regaining access that way. All of your accounts will have hot button settings which attackers will make a beeline for.

Google’s response, aimed at helping Workspace administrators, was to present challenges to users who attempt sensitive actions in unusual ways not seen before. Logging in far away from your usual location? Following an odd or significantly different pattern when trying to log in? These actions and more could trigger the challenge response.

One login challenge might be a two-step login prompt. Others might be specified by the administrator of the service being used. It’s a pretty flexible system.

The new additions relate to features in Gmail. Specifically:

  • Filters: creating a new filter, editing an existing filter, or importing filters. 
  • Forwarding: Adding a new forwarding address from the Forwarding and POP/IMAP settings. 
  • IMAP access: Enabling the IMAP access status from the settings. (Workspace admins control whether this setting is visible to end users or not) 

With these in place, if an attacker hijacked your mail and then tried to sneakily add a forwarding address then Google would flag it and issue a “Verify it’s you” challenge. Depending on how the system has been set up by the admin, a relevant identity challenge will then take place. If the challenge is failed, the user will be sent a critical security alert notification on a trusted device to let them know someone is up to no good.

Cleverly, Google has designed the system so that even an incomplete challenge will send out an alert. Sorry attackers, you can’t just ignore it or back out!

At this point, you may be wondering if there’s a list of activities you can expect to trigger a challenge as well as a list of potential challenges. Fear not, the relevant Google Support page has it covered.

Here’s some of the more common challenge triggers:

  • View activity saved in your Google Account
  • Change your password
  • View saved passwords
  • Turn on 2-Step Verification
  • Download your data
  • Change channel ownership on YouTube Creator Studio
  • Change Google Ads account budget
  • Buy any other product or service from Google
  • Example: Buy a Google Pixel or Nest device from Google Store

Here’s how you can verify your identity. It’s important to note that in order to verify yourself, the device you use to do this must have been registered for a period of seven days minimum:

  • A device associated with the recovery phone number for your account
  • A device that’s signed in to your Google Account
  • For accounts with 2-Step Verification turned on
  • A security key that’s been added to your Google Account
  • A verification code from Google Authenticator

If you fail the challenge you can still use and access your account, but updating sensitive information or completing sensitive actions is not allowed for a seven-day period.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

A week in security (August 21 – August 27)

Last week on Malwarebytes Labs:

Stay safe!



2.6 million DuoLingo users have scraped data released

An unknown party has released the scraped data of 2.6 million DuoLingo users on a hacking forum. While they offered the data set for sale in January for $1,500, it’s now been released on a new version of the Breached hacking forum for 8 site credits, worth only $2.13.

DuoLingo is an educational platform most famous for its language learning programs. According to a May 2023 press release, DuoLingo has 72.6 million monthly active users.

Among other things, the scraped data contain email addresses, usernames, languages, and which language the users are learning.

screenshot of post on hackers forum

screenshot courtesy of FalconFeedsio

The data were scraped from public profile information by using an exposed application programming interface (API). On March 2, a researcher called Ivano Somaini tweeted how one could take advantage of Duolingo’s API to check if an email address is associated with a Duolingo account.

The API allows anyone to run a query by submitting a username or an email address to confirm if it is associated with a valid DuoLingo account. Bleeping Computer has confirmed that this API is still openly available to anyone on the web, even after its abuse was reported to DuoLingo in January.

Such a query by email address will result in JSON formatted data, revealing:

  • Streak – A user’s streak is a measure of how consistently they use Duolingo. A streak starts at zero and increases by one for each day the user completes a lesson.
  • Profile picture – For this field, Duolingo’s API yields a URL with this structure //simg-ssl.duolingo.com/avatar/*******/*******. If you get //simg-ssl.duolingo.com/avatar/default_2 it means there’s no profile picture associated with the email address you’ve queried.
  • Learning languages, XP points and crowns – Duolingo’s API shows which courses the account has enrolled in. XP points and crowns give an idea of the progression on those courses. When you learn on Duolingo, you earn experience points, or XP for short.
  • hasFacebookId – Shows if the profile is associated with a Facebook account (true or false)
  • hasGoogleId – Shows if the profile is associated with a Google account (true or false)
  • id – Probably Duolingo’s user ID.
  • username – Username associated with the Duolingo account
  • hasPhoneNumber – Shows if the profile is associated with a phone number (true or false)
  • creationDate – This is a Unix timestamp (epoch time) that appears to show when the account was created.
  • name – The real name associated with the account.
  • Location – User location (unknown if it’s vetted by Duolingo)
  • emailVerified – Shows if the email address associated with the account was checked by Duolingo (true or false).

Have I Been Pwned’s (HIBP) Troy Hunt explained how it is possible that practically every one of the email addresses in the DuoLingo data could already be found in the HIBP database: the email addresses the scraper used came from the big melting pot of breached data that is being used to compromise even more of our personal information. By trying millions and millions of addresses, the scraper found 2.6 million matches on DuoLingo.

Troy Hunt added:

“I’m a Duolingo user but because I have a unique email address on every service, I’m not in there”

Even though most of the scraped data is publicly available, it gives cybercriminals yet another chance to correlate more information with a specific email address or name. Affected users should be wary of phishing emails making use of this information. For example, since you are interested in a certain language you might be more likely to fall for an email inviting you to visit a country where that language is spoken.

Data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.


Teenage members of Lapsus$ ransomware gang convicted

A wave of video game developer compromises has come to a court-based conclusion for those responsible, with several convictions the end result. Arion Kurtaj, and a second teen who cannot be named due to their age, are finding themselves to be in quite a lot of trouble after repeated and sustained attacks on multiple businesses.

The infamous Lapsus$ ransomware gang gained notoriety for a number of attacks against companies involved in game development, or companies closely associated with gaming, such as Nvidia. Other compromises involved major telecoms companies like EE and BT. In 2021, two of the teens now found to be responsible for the telecoms attacks breached their servers and went on to demand a $4m ransom.

No ransom was paid, despite the attackers claiming to have source code belonging to Orange, BT, and EE in text messages sent out to 26,000 EE customers. Even so, they were able to steal close to $126,000 from five victims by abusing the SIM data used to secure their cryptocurrency accounts.

At the time, the teens (aged 16 and 17) were arrested for this incident and then released while being kept under investigation. You would think someone in this situation would steer clear of trouble. Here, things played out very differently.

Both teens continued to work with the group, going on to score more successful compromises like Nvidia in the first few months of 2022. One particularly unusual aspect of this attack would be Lapsus$ demanding that Nvidia make all of their graphics card drivers open source, or else risk internal data being leaked.

Nvidia was also rightly concerned that something dubious could have been inserted into a software update. If something bad were to sneak into people’s graphics card drivers, total chaos would be the end result. In terms of reach, this could have been very bad indeed. Other audacious attacks on services like Okta and Globant underscored how dangerous this particular ransomware group was if given the chance to jump onto a network.

Both teens were re-arrested at the end of March 2022, as a result of potential involvement in some of the above crimes. Kurtaj had his personal data leaked online, and had to be moved into a secure location for his own safety.

At this point, you would think that it would be a game over. There is no way that somebody in this situation, with their details leaked, and their hands caught in the cookie jar, would keep going. Right?

Wrong.

According to the BBC, police searched his hotel room and caught him “red handed”. Law enforcement discovered that Kurtaj used an Amazon Fire Stick plugged into his hotel television. This meant he was able to access cloud computing services. The court was told that he’d helped take on Uber, Revolut, and (in what may be the most publicised attack) Rockstar Games.

He posted a message to Rockstar’s Slack channel to all employees which said “I am not a Rockstar employee, I am an attacker”. He also claimed to have downloaded all of the data for the upcoming Grand Theft Auto 6, with the threat of releasing source code if he was not contacted on Telegram within 24 hours. Elsewhere, no fewer than 90 clips of unfinished gameplay ended up on a fan forum.

As you may have expected by this point, Kurtaj was indeed arrested and detained until his trial.

The prosecution mentions that members of the group had a desire to show off and highlight their skills for all to see. In the case of Kurtaj, this desire led to various hacking incidents he surely had little to no hope of concealing as the arrests and re-arrests continued apace.

It’s possible an older and more experienced crew would have cut their losses and gone silent for a while. In this case, those responsible were lighting the digital equivalent of emergency flares every five minutes during what would otherwise be covert attacks. Indeed, prosecutors tied some of the incidents to the teens responsible via IP addresses associated with their email and Telegram accounts. This is very much something you wouldn’t expect them to be caught out by. An amateur mistake, or that sense of youthful invulnerability coming to the fore?

Either way, for both of the teens involved their wave of compromises is now over.


Smart lightbulb and app vulnerability puts your Wi-Fi password at risk

New research highlights another potential danger from IoT devices, with a popular make of smart light bulbs placing your Wi-Fi network password at risk. Researchers from the University of London and Università di Catania produced a paper explaining the dangers of common IoT products; in this case, how smart bulbs can be compromised to gain access to your home or office network.

If you use the TP-Link Tapo L530 E smart bulb and the TP-Link Tapo app, you will have some smart bulb related reading in your immediate future.

Bleeping Computer reports that no fewer than 10 million app installations exist via Google Play. From the app description:

The Tapo app helps you set up the Tapo smart devices within minutes and puts everything you need at the tip of your fingers

  • Control your smart device from anywhere.
  • Control the device via voice with Google Home and Amazon Echo.
  • Preset Away mode to make it seem like someone is home.
  • Set a countdown timer to automatically turn the device on or off.
  • Schedule when to turn the device on or off automatically at times.

All fairly standard fare where smart home lighting is concerned. The bulbs can connect to your router, and the bulbs can be controlled via the relevant app. You may well have a similar setup in your own home. In this case however, Italian researchers have shone a light on more insecure issues and practices from smart products which make using them a potentially risky proposition.

Multiple high severity vulnerabilities exist which allow for password retrieval and device manipulation, with four issues in total.

One vulnerability, with a CVSS score of 7.6 out of 10, allows attackers to retrieve verification keys through brute force, or by decompiling the Tapo app itself. The other high severity flaw, with a CVSS of 8.8, is related to incorrect authentication of the bulb, which means the device can be impersonated, allowing for Tapo password theft and device manipulation.

The other two issues, which are not as severe, relate to a lack of checks on how old received messages are and a lack of randomness during encryption.

What is the potential for damage where the “severe” vulnerabilities are concerned? Well, in a worst case scenario someone could potentially swipe your Wi-Fi password via the Tapo app and then have access to all the devices on said network.

Bleeping Computer notes a few wrinkles in this attack plan. The most important of which is that the device would need to be in setup mode in order for the attack to strike gold. While you probably wouldn’t expect many people to have bulbs plugged in but not set up, the attacker can get around this. Namely: With a few clicks of the app, they can deauthenticate your light bulb thus forcing the need for a fresh setup. 

In terms of addressing these flaws, the researchers mention that they made use of TP-Link’s Vulnerability Research Program (VRP) to report all four issues. TP-Link responded that they have started work on fixes for both bulb and app. There is no specific date mentioned for this at time of writing. There are some workarounds suggested to “fix” these issues, but they’re aimed at the manufacturers as opposed to the users.

You can, and should, practice good security when dealing with any product making use of your home or office network. Strong passwords, multi-factor authentication, even turning off products that won’t be in use for a significant period of time.

Where the above TP-Link problems are concerned, users should keep the official website handy for security update notifications and ensure all apps and firmware are up to date whenever possible. You should also do this for all of your other smart appliances: Baby monitors, webcams, security systems, and utility service controls. Smart homes are here to stay, and it’s up to us to ensure we’re not providing easy inroads for attackers to exploit.



Update now! Google Chrome’s first weekly update has arrived

Google has published details about the first weekly update for the Chrome browser. Recently Google announced that it would start shipping weekly security updates for the Stable channel (the version most of us use). Regular Chrome releases will still come every four weeks, but to get security fixes out faster, updates to address security and other high impact bugs will be scheduled weekly.

This should also help in the reduction of a patch gap in the Chrome release cycle. When a Chrome security bug is fixed, the fix is added to the public Chromium source code repository. The fix is then tested and evaluated before it goes to the Stable Channel. The gap is the time between the patch appearing in the Chromium repository and it being shipped in a Stable channel update.

The latest update has fixes for five vulnerabilities. Four of these vulnerabilities have been classified with a High importance and one as Medium. All these vulnerabilities have been reported by external researchers between August 1 and August 7, 2023.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs patched in these updates are:

CVE-2023-4430, a use after free (UAF) vulnerability in Vulkan, in Google Chrome prior to 116.0.5845.110, which allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. Vulkan is a modern cross-platform graphics and compute API (application programming interface) that provides high-efficiency, low-level access to modern GPUs (graphics processing units) used in a wide variety of devices from PCs to smartphones.

UAF is a type of vulnerability that is the result of the incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program.

Heap corruption occurs when a program modifies the contents of memory outside the bounds of the heap allocation it was given.

CVE-2023-4429 is another use after free vulnerability, this time in Loader, in Google Chrome prior to 116.0.5845.110, which allows a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVE-2023-4428 is an out of bounds memory access in CSS, in Google Chrome prior to 116.0.5845.110, which allows a remote attacker to perform an out of bounds memory read via a crafted HTML page.

An out-of-bounds write or read flaw makes it possible to manipulate parts of the memory which are allocated to more critical functions.

CVE-2023-4427 is an out of bounds memory access in V8, Google’s open-source JavaScript engine, in Google Chrome prior to 116.0.5845.110, which allows a remote attacker to perform an out of bounds memory read via a crafted HTML page.

CVE-2023-4431 is the vulnerability listed as Medium severity. It’s an out of bounds memory access vulnerability in Fonts in Google Chrome prior to 116.0.5845.110, which allows a remote attacker to perform an out of bounds memory read via a crafted HTML page.

How to protect yourself

If you’re a Chrome user on Windows, Mac, or Linux, you should update to version 116.0.5845.110/.111 at your earliest convenience.

The easiest way to update Chrome is to allow it to update automatically, which basically uses the same method as outlined below but does not require your attention. But you can end up lagging behind if you never close the browser or if something goes wrong—such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time, given the severity of the vulnerabilities in this batch. My preferred method is to have Chrome open the page chrome://settings/help which you can also find by clicking Settings > About Chrome.

If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete.

Google Chrome is up to date

After the update, your version should be 116.0.5845.110 for Mac and Linux, and 116.0.5845.111 for Windows, or later.
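For a check that does not depend on the settings page (useful when you manage more than one machine), the following C program, added here and not part of the article, parses the line a Chrome binary prints for --version and compares it with the fixed build numbers quoted above (116.0.5845.110 for Mac and Linux, 116.0.5845.111 for Windows). The sample lines are constructed in the format the Linux binary prints for `google-chrome --version`; the function names are my own.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not from the article): decide from a "--version" style line
 * whether an installed Chrome is at or past the fixed build for this batch.
 * "Google Chrome 116.0.5845.110" is the form the Linux binary prints; for
 * other platforms the line is assumed to carry the same four-part version. */

#define CHROME_FIXED_MAC_LINUX "116.0.5845.110"
#define CHROME_FIXED_WINDOWS   "116.0.5845.111"

struct version { int part[4]; };

/* Find the first "a.b.c.d" token in the line; returns 1 on success. */
int parse_version_line(const char *line, struct version *v) {
    const char *p = line;
    while (*p) {
        if (*p >= '0' && *p <= '9' &&
            sscanf(p, "%d.%d.%d.%d", &v->part[0], &v->part[1],
                   &v->part[2], &v->part[3]) == 4)
            return 1;
        while (*p && *p != ' ') p++;   /* skip the rest of this token */
        while (*p == ' ') p++;
    }
    return 0;
}

/* Component-wise comparison with a strcmp-style result. */
int version_cmp(const struct version *a, const struct version *b) {
    for (int i = 0; i < 4; i++)
        if (a->part[i] != b->part[i]) return a->part[i] < b->part[i] ? -1 : 1;
    return 0;
}

/* 1 = patched for this batch, 0 = update needed, -1 = line not understood.
 * platform is "windows" or anything else for Mac/Linux. */
int chrome_is_patched(const char *version_line, const char *platform) {
    struct version installed, fixed;
    const char *fixed_str = strcmp(platform, "windows") == 0
                            ? CHROME_FIXED_WINDOWS : CHROME_FIXED_MAC_LINUX;
    if (!parse_version_line(version_line, &installed)) return -1;
    (void)parse_version_line(fixed_str, &fixed);
    return version_cmp(&installed, &fixed) >= 0;
}

int main(void) {
    /* Constructed sample lines in the format `google-chrome --version` prints. */
    const char *samples[] = { "Google Chrome 116.0.5845.96",
                              "Google Chrome 116.0.5845.110",
                              "Google Chrome 117.0.6000.1" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = chrome_is_patched(samples[i], "linux");
        printf("%-30s -> %s\n", samples[i],
               rc == 1 ? "patched" : rc == 0 ? "UPDATE NEEDED" : "unparsed");
    }
    return 0;
}
```

The comparison is done component by component rather than as a string, because a string comparison would rank 116.0.5845.96 above 116.0.5845.110.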


We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Malwarebytes acquires Cyrus Security

Today, I am absolutely thrilled to share some exciting news: Malwarebytes is officially welcoming Cyrus Security into our family. This acquisition signifies an exciting chapter in our journey, and I wanted to share why this development is so special, and what it means for the millions who trust Malwarebytes to keep them safe.

We have always been committed to keeping you safe and secure in the digital landscape. But cybersecurity isn’t limited to defending against malware anymore; it’s about ensuring your entire digital identity remains unscathed and your private details remain private. With Cyrus Security’s specialized solutions, we can further our promise, delivering a more comprehensive protective shield.

Cyrus Security, much like Malwarebytes, has been an innovative force in the cybersecurity realm.

Its relentless focus on protecting users from identity theft and ensuring online privacy has consistently impressed us. Merging our forces means bringing together two of the industry’s brightest minds.

Cyrus Security’s skills, expertise and technology will complement Malwarebytes’ advanced threat detection and remediation capabilities in a number of exciting ways:

Mobile security expertise

One of the standout aspects of Cyrus Security is its unparalleled expertise in mobile user experience. As our world becomes more mobile-centric, this proficiency is crucial. With Cyrus on board, our users can expect even more robust protection on their mobile devices, ensuring safety on-the-go.

Expanding our toolset

Cyrus Security’s cutting-edge technologies will soon be integrated into our product suite. Imagine the robust Malwarebytes protection you know and love, now amplified with Cyrus’s identity protection tools. It’s a combination that promises to enhance the security of our customers, no matter what device they are using.

Growth and learning

Every acquisition is a two-way street. While we’re eager to integrate Cyrus Security’s tools into our portfolio, we’re equally excited about the knowledge exchange, the shared learnings, and the new perspectives that will enrich our team.

A Future Full of Possibilities

With the combination of Malwarebytes and Cyrus Security, we are gearing up to explore emerging aspects of cybersecurity we haven’t ventured into before. This acquisition isn’t just about what we can offer now, but what we can develop and deliver in the future.

To our Malwarebytes family–both old and new–this acquisition is a testament to our commitment to you. Your safety, your trust, and your peace of mind are what drive us every day. With Cyrus Security on board, we’re more equipped than ever to champion these values.

Ivanti Sentry critical vulnerability—don’t play dice, patch

Ivanti has published a security blog post about a vulnerability in Ivanti Sentry, formerly MobileIron Sentry. Successful exploitation of the vulnerability would enable an unauthenticated attacker to access some sensitive APIs that are used to configure Ivanti Sentry on the administrator portal (commonly, MICS).

Ivanti Sentry is a gateway technology that allows organizations to manage, encrypt, and protect traffic between mobile devices and backend systems. The technology helps organizations to securely access enterprise applications and devices using personally owned and corporate-issued mobile devices.

This vulnerability impacts all supported versions (9.18, 9.17 and 9.16). Older versions are also at risk. It does not affect other Ivanti products or solutions, such as Ivanti EPMM, MobileIron Cloud or Ivanti Neurons for MDM.

Ivanti has made RPM scripts available now for all supported versions. It recommends customers first upgrade to a supported version and then apply the RPM script specifically designed for their version. More detailed information is available in this Security Advisory. Each script is customized for a single version and if the wrong RPM script is applied it may prevent the vulnerability from being remediated or cause system instability.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVE patched in this update is CVE-2023-38035, which has a CVSS score of 9.8 out of 10. It’s described as a security vulnerability in MICS Admin Portal in Ivanti MobileIron Sentry versions 9.18.0 and below, which may allow an attacker to bypass authentication controls on the administrative interface due to an insufficiently restrictive Apache HTTPD configuration.

A remote, unauthenticated attacker could exploit this vulnerability to change configuration files, run system commands, or write files to the system.

Reportedly, Ivanti customers have seen exploitation of CVE-2023-38035 in Sentry when port 8443 is exposed to the Internet. Port 8443 is commonly used for HTTPS (encrypted) web traffic. Users that are not ready to update to a supported version or don’t have the opportunity to run the script, are advised to close port 8443.

Ivanti recommends that customers restrict access to MICS to internal management networks and not expose this to the internet, which would then require any attacker to gain internal access first.
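Two checks an administrator would want after reading the advice above, as an added C example that is not Ivanti's code: whether the admin port 8443 is bound to an address reachable from outside (the form the Local Address column of `ss -ltn` shows), and an allowlist that admits requests to the admin portal only from internal management networks. The port number comes from the article; the management network ranges and the listener entries are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not Ivanti's code: two checks modelled on the advice above,
 * run over constructed data.
 *  - listener_is_exposed(): is the admin port bound to an address that is
 *    reachable from outside (wildcard or public), as in "ss -ltn" output?
 *  - admin_request_allowed(): an allowlist for the admin portal that admits
 *    only management-network sources (the "internal only" restriction).
 * The port number comes from the article; the network ranges are made up. */

#define ADMIN_PORT 8443

/* Parse dotted IPv4 into a host-order integer; returns 1 on success. */
int parse_ipv4(const char *s, uint32_t *out) {
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* Does ip fall inside "prefix/len", e.g. "10.0.0.0/8"? */
int ipv4_in_cidr(uint32_t ip, const char *cidr) {
    char prefix[16];
    unsigned len;
    uint32_t net;
    if (sscanf(cidr, "%15[0-9.]/%u", prefix, &len) != 2 || len > 32) return 0;
    if (!parse_ipv4(prefix, &net)) return 0;
    uint32_t mask = len == 0 ? 0 : 0xFFFFFFFFu << (32 - len);
    return (ip & mask) == (net & mask);
}

/* Constructed management networks allowed to reach the admin portal. */
static const char *const MGMT_NETWORKS[] = { "10.10.0.0/16", "192.168.50.0/24" };

int admin_request_allowed(const char *client_ip) {
    uint32_t ip;
    if (!parse_ipv4(client_ip, &ip)) return 0;    /* fail closed on junk */
    for (size_t i = 0; i < sizeof MGMT_NETWORKS / sizeof MGMT_NETWORKS[0]; i++)
        if (ipv4_in_cidr(ip, MGMT_NETWORKS[i])) return 1;
    return 0;
}

/* An entry such as "0.0.0.0:8443" is exposed when the admin port is bound to
 * the wildcard or a public address. Loopback and RFC 1918 bindings are only
 * reachable from outside through a NAT forward, so they are treated as a
 * lower-priority finding here, not as proof of safety. */
int listener_is_exposed(const char *bind_entry) {
    static const char *const private_ranges[] =
        { "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" };
    char addr[16];
    unsigned port;
    uint32_t ip;
    if (sscanf(bind_entry, "%15[0-9.]:%u", addr, &port) != 2) return 0;
    if (port != ADMIN_PORT || !parse_ipv4(addr, &ip)) return 0;
    if (ip == 0) return 1;                        /* 0.0.0.0: every interface */
    for (size_t i = 0; i < 4; i++)
        if (ipv4_in_cidr(ip, private_ranges[i])) return 0;
    return 1;
}

/* Count exposed admin listeners across constructed local-address entries. */
int count_exposed_listeners(const char *const *entries, size_t n) {
    int exposed = 0;
    for (size_t i = 0; i < n; i++) exposed += listener_is_exposed(entries[i]);
    return exposed;
}

int main(void) {
    /* Constructed entries, as the Local Address:Port column of ss -ltn shows them. */
    const char *const listeners[] =
        { "127.0.0.1:8443", "0.0.0.0:8443", "0.0.0.0:443", "10.10.0.5:8443" };
    printf("exposed admin listeners: %d\n", count_exposed_listeners(listeners, 4));
    printf("10.10.4.20 allowed: %d, 203.0.113.9 allowed: %d\n",
           admin_request_allowed("10.10.4.20"), admin_request_allowed("203.0.113.9"));
    return 0;
}
```

The allowlist fails closed: anything that does not parse as an address, or parses but matches no management range, is rejected, which is the behaviour to expect from a web-server or firewall rule that restricts the portal to internal networks.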

While we are not completely sure whether this vulnerability is being exploited in the wild, two previous vulnerabilities in Ivanti Endpoint Manager Mobile Authentication (EPMM), listed as CVE-2023-35078 and CVE-2023-35081, were both subject to active exploitation.

