IT NEWS

TikTok: What’s going on and should I be worried?

Since 2020, several governments and organizations have banned, or considered banning, the immensely popular social media app TikTok from their staff’s devices.

With all these alarming bells ringing, we thought it might be handy to break down what we know and see if we can plot a sensible strategy from there. So, if your hair is on fire, extinguish it and consider this with a cool head.

If you prefer listening over reading, we covered this topic in a recent LinkedIn Live.

TikTok is an immensely popular social media platform that allows users to create, share, and discover, short video clips. It’s received explosive growth since it first appeared in 2017, and now it claims to have well over 1 billion users, an estimated 150 million of them in the US.

In 2020, India was the first country to ban TikTok, along with some 200 other Chinese apps that were all blocked from operating within the country. The decision came two weeks after a Chinese military operation on India’s northern border led to the death of at least 20 Indian soldiers.

In the same year, retail giant Amazon sent a memo to employees telling them to delete the popular social media app from their phones. Even earlier, in December of 2019, the US Army banned the use of the app on government-issued phones.

Other US agencies and other governments have followed suit since then, or are planning to do so. During a US Senate hearing, General Paul Nakasone, Director of the National Security Agency (NSA) stated that “America’s TikTok-addicted youth is playing with a loaded gun.”

We can break down the potential problems with TikTok in 3 main categories:

  • The data
  • The algorithm
  • The app itself

Let’s start by saying that all of the above categories are present in many other social media apps. The differentiating factor for TikTok is that it is owned by a Chinese company called Bytedance. It’s these ties with China and the ruling Chinese Communist Party (CCP) that have created so much concern among nations and their government agencies. 

The data

In general, it is safe to say that every free social media app makes money by using and selling the data of large groups of people for advertising purposes. The more specific to smaller groups these data can be refined, the bigger the privacy concern. Can TikTok be used to spy on certain groups of people? Definitely! TikTok has admitted that employees used its own app to spy on reporters as part of an attempt to track down the journalists’ sources. The company fired 4 employees for doing so.

We have seen similar cases in other social media apps. For example, a Twitter employee was sentenced to more than three years in prison for spying for Saudi Arabia. With the amount of readily available information, there will always be those that use it for their own purposes, good or bad.

The algorithm

Control of the algorithm provides an opportunity to be an influencer. By the algorithm we mean the code in the app that tries to optimize the time you spend on the app, by showing you videos that it has determined you might be interested in. Knowing which reels show up on your feed tells us something about you. If nothing else, it will tell us what you prefer watching. Be it kittens, fails, or dance routines. What worried Christopher Wray, the Director of the FBI, is the possibility that the CCP might take control of the TikTok algorithm to conduct hard-to-detect influence operations against Americans. By deciding what you see, the Chinese government might influence your opinion about matters.

Again, neither the algorithm nor the utilization for influence are exclusive to TikTok. International state actors are increasingly leveraging social media platforms to spread computational propaganda and disinformation during critical moments of public life. Last year, we discussed some stats provided by YouTube about their battle against misinformation.

The app

Most people will install TikTok on their personal devices, especially now that many organizations have or are considering a ban for the app on company-provided devices. And, so far, nobody has found anything malicious in the app. But as an app it has access, although limited, to information on your device and about other devices on the same network. This information could be used for nefarious motives, but there has been no proof of that. Another worry is that this behavior could change with one update, and whether that next update will be secretly malicious. But this is true for any app, whether the developer introduces the malicious code or whether it comes as part of a supply-chain attack.

Should I be worried?

The risks of allowing TikTok on corporate or hybrid devices very much depend on your threat model. While it is understandable that governments, the military, or defense contractors are among the first to ban TikTok from these devices, many other organizations are facing a lot of threats that are a much greater concern. On the other hand, if the app, or any other app, is not needed for work purposes, why would you allow it on a corporate device? Using Mobile Device Management (MDM) can go a long way in keeping risks and distractions away from corporate devices.

Banning the app from personal devices that are used in a work environment is a whole different matter. Your employee satisfaction might even be a bigger concern than TikTok potentially spying on you.

During a recent congressional hearing, TikTok’s CEO Shou Chew said they were doing everything they could to accommodate the US:

“Our commitment is to move their data into the United States, to be stored on American soil by an American company, overseen by American personnel. So the risk would be similar to any government going to an American company, asking for data.”

I think we can agree with that last sentence. Until proof is provided that TikTok is worse than other social media apps, there is no compelling reason to treat it differently. But all social media apps should be regarded with reservations when it comes to privacy.


Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Super FabriXss: an RCE vulnerability in Azure Service Fabric Explorer

Researchers at Orca Security disclosed how they found a remote code execution vulnerability in Azure Service Fabric Explorer.

The vulnerability was reported to the Microsoft Security Response Center (MSRC) with responsible disclosure and was included by Microsoft in their March 2023 Patch Tuesday round. The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. This newly-discovered vulnerability is listed as CVE-2023-23383 with a CVSS score of 8.2 out of 10.

This vulnerability was dubbed Super FabriXss and it’s a vulnerability that exists on Azure Service Fabric Explorer version 9.1.1436.9590 and earlier.

The researcher’s story is interesting as it shows that it is possible to find new Cross-Site Scripting (XSS) vulnerabilities in weathered and complex systems like Azure. And it’s frightening because the Super FabriXss vulnerability enables remote attackers to leverage an XSS vulnerability to achieve remote code execution on a container hosted on a Service Fabric node without the need for authentication.

Azure Service Fabric Explorer (SFX) is an open-source tool for inspecting and managing Azure Service Fabric clusters. A Service Fabric cluster is a network-connected collection of virtual or physical computers where your microservices are deployed and managed. A cluster can have thousands of nodes.

An XSS vulnerability is a flaw in a web application that allows an attacker to inject code (usually HTML or JavaScript) into the contents of a website. As a possible consequence, a visitor of that website will execute that code in their browser, and it will be treated (read: trusted) as if it originated from the site they visited. By exploiting this, the attacker can bypass the browser’s same-origin policy and is able to steal private information from a victim associated with the website. Depending on the site, it allows the attacker to masquerade as the victim visitor, carry out any actions that the user is able to perform, and access any of the user’s data.

What the researchers found after some testing is that when the Node name is modified in the SFX UI, it is reflected in the Node’s independent dashboard. So they set out to try some different names to observe how the server handles non-existent and/or modified values for different variables.

By trying some simple HTML code like a H1 tag that is often used to display the main topic on a web page in a larger font size, they found that clicking on Cluster in the options on the Events tab resulted in a new title being displayed as a large title, due to the effect of the <h1> tag.

[Image: proof that HTML code can be injected. Image courtesy of Orca Security]

While this is not a serious attack in itself, it shows that there are ways to circumvent the input sanitization that takes place, or should take place, and that it might be possible to inject more complex HTML code.
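The node-name reflection described above, as an added example that is not Orca Security’s or Service Fabric Explorer’s code: a minimal Python renderer shows the verbatim reflection beside an escaped version, an allow-list check for node names, and a small helper that flags rename requests containing markup characters for alerting. The name pattern and function names are assumptions for illustration.

```python
import html
import re

# Added example (not Service Fabric Explorer code): a minimal dashboard
# renderer that reflects a user-controlled node name into HTML, the way
# the article describes SFX reflecting a modified node name. The name
# pattern and function names are assumptions for illustration.

# Allow-list for node names: letters, digits, dot, underscore, hyphen.
NODE_NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")

# Characters that have no business in a node name and that, in a reflected
# context, are the building blocks of HTML/JavaScript injection.
MARKUP_CHARS = set("<>\"'&")


def render_title_vulnerable(node_name: str) -> str:
    """Reflects the value verbatim, so "<h1>x</h1>" becomes live markup."""
    return f'<div class="node-title">{node_name}</div>'


def render_title_hardened(node_name: str) -> str:
    """HTML-escapes the value so markup characters are displayed as text."""
    return f'<div class="node-title">{html.escape(node_name, quote=True)}</div>'


def is_valid_node_name(node_name: str) -> bool:
    """Input validation applied before a rename is accepted at all."""
    return NODE_NAME_RE.fullmatch(node_name) is not None


def flag_suspicious_names(names):
    """Detection helper: return the submitted names that contain markup
    characters, e.g. for alerting on rename requests seen in an audit log."""
    return [n for n in names if MARKUP_CHARS & set(n)]


if __name__ == "__main__":
    probe = "<h1>Injected</h1>"  # the kind of harmless probe the article describes
    print(render_title_vulnerable(probe))   # the <h1> renders as a real heading
    print(render_title_hardened(probe))     # the <h1> is shown as literal text
    print(flag_suspicious_names(["_Node_0", probe]))
```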

How can we use this in a full-fledged attack?

For a full analysis, feel free to read the blog by the researchers, which goes into more detail. But, roughly, the attack would work like this:

The attacker sends a crafted URL to the Service Fabric Administrator. This URL includes an iframe that uses a simple fetch request to trigger an upgrade of a Compose deployment. The upgrade process overwrites the existing deployment with a new, malicious one. This new deployment includes a CMD instruction in its Dockerfile that will download a remote .bat file.

The .bat file retrieves a second file that contains an encoded reverse shell. This reverse shell allows the attacker to gain remote access to the target system and potentially take control of the cluster node where the container is hosted. By taking control of a legitimate application in this way, the attacker can then use it as a platform to launch further attacks or gain access to sensitive data or resources.

Update

If you have automatic updates enabled, no action is needed. However, for those who choose to manually update and you are on version 9.1.1436.9590 or earlier, please refer to Manage Service Fabric cluster upgrades for instructions on how to update your Service Fabric Cluster.


We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

3 tips to raise your backup game

Happy World Backup Day everyone!

What, you didn’t know it was World Backup Day? Hmmm, perhaps that’s not a surprise. If there was an award for “most overlooked really important thing in computing”, backups would win. Every year.

So let’s put that right this year and spend a minute or two of World Backup Day thinking about backups. Backups are great! Having backups is like having a do-over for your mistakes, and who hasn’t wished for that? And they can keep you safe too. Good computer security means creating layers of protection that overlap and cover each others’ backs. The final layer is your backups. They’re a “get out of jail free” card you can play if any of your files are destroyed, deleted, or corrupted by malware.

To get you off on the right foot we’ve got three tips: A beginner tip, an intermediate tip, and an advanced tip.

1. Make backups

Yes, our first tip really is “make backups”. Why? Because backups are the dental floss of cybersecurity—the thing that everyone knows they should do, that everyone intends to do, that nobody actually does.

You need to floss your computer, every day. We don’t care how you do it: You can use the cloud, put your files on a USB stick, plug in an external hard drive, burn your data to a disk (ask your parents), copy them to an FTP site (ask your grandparents), or print them out and bind them in a book for all we care. All we ask is that you make a copy of your data, and then make making copies of your data a habit.

The only backup you’ll ever regret is the one you didn’t make.

2. Make them automatic

Once you decide that you’re going to make regular copies of your data you are, in all likelihood, going to get bored of doing it and slip up on your rigorous, well-intentioned schedule. Humans just aren’t good at doing the same thing, the same way, every day. But you know what is? A computer.

So, our intermediate tip is to let the computer take the strain of remembering what you want to backup and when. They love that stuff.

Windows and macOS both come with backup software included, each of which is perfectly on-brand for your platform of choice. The Windows backup solution has a boring and sensible name. It’s called Backup and Restore. On Mac you’ll be using a Time Machine, because Apple lets its marketing department in the room when things are being named. As you’d expect, if you’re a Linux user there are a bewildering number of options to choose from. If you’re blinded by overchoice, check out Amanda.

3. Make sure they work

If you’ve followed tip two and automated your backups then you can sit back and relax right? Sure, you can. But if you want to know for sure that your backup solution will be there for when you need it most, you need to test it. After all, a backup is only as useful as the data you can actually restore from it.

Anyone who works with computers knows that assumption is the mother of all f*** ups, so don’t assume your backups work, prove they do. Pick a file you really care about and go get a copy of it from your backups. Better yet, if you have a directory where you keep lots of important files, restore that. Not only will that prove to you that your backups can dig you out of trouble if they ever need to, you’ll get a feel for how slow that process can be if you’re backing up over Wi-Fi. Understanding that restoring a lot of files from a backup can be a lengthy process will help you set your expectations and manage your stress levels if you ever need to.

Pat yourself on the back

Whether you made it all the way to rolling out tip three, or you stopped at one, we applaud you. Your digital life is now more resilient than it was, which means you’ll be better able to weather hardware failures, accidental deletions, and malware outbreaks. 


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

3 tips for creating backups your organization can rely on when ransomware strikes

Backups are an organization’s last line of defense against ransomware, because comprehensive, offline, offsite backups give you a chance to restore or rebuild your computers without paying a criminal for a decryption key.

Unfortunately, many organizations don’t realize how important it is to make backups until it’s too late. And it’s all-too-common for those that do take regular backups to discover too late that they aren’t fit for purpose.

Why? Because backups are hard to get right.

In September 2021, Malwarebytes spoke with Matt Crape from VMWare to find out why backups are so hard, why they fail, and what to do about it. This World Backup Day, we thought we’d revisit his advice for creating a more consistent, stable, and resilient backup process. Here are three essential things every organization can ponder today.

1. Know what you’re trying to achieve

Good backups start with a clear understanding of what your organization needs them to do. From that, you can determine what needs to be backed up, why, how frequently, and for how long. The answers to those questions will depend on how much data you have, how often it changes, whether you can live without any of it, whether you have remote employees, the implications of legal requirements such as GDPR, and a wide range of other factors.

Every organization is different, so the “right” answers to those questions will be unique for each. Organizations also change over time so decisions about what you need from your backups need to be reviewed often enough to keep up.

When thinking about ransomware, a good starting point is to imagine what you would need to do if all of your computers were rendered useless and you had to rebuild them from scratch. What’s your approach, will you restore everything from backups, or recreate applications and operating systems from a “golden” disk image? If that’s your plan, do you know how long it will take to reinstate every computer in your organization? Can your business survive that much downtime?

2. Keep a backup offline and offsite

Modern ransomware attacks are carried out by gangs who break into company networks, prepare the ground for their attack, and then run their ransomware manually. Gangs can spend weeks inside a network looking to increase the chances of their attack succeeding, and backups are a prime target. If the attackers can find them, they will delete them.

That’s exactly what happened when a ransomware gang attacked the Northshore School District in Washington state. In an instructive and painfully honest episode of our Lock and Code podcast, Systems administrator Ski Kacoroski told us “we find out, at about 4 or 5 hours after the attack, that our backup system is completely gone.” Without effective backups, Kacoroski was left with a mountain to climb: “It started to really sink in that I’m going to have to rebuild 180 Windows servers, and more importantly, rebuild Active Directory from scratch, with all those accounts and groups, and everything in it. That part really, really hurt us.”

The lesson of the Northshore attack and many others is that it’s vital to keep at least one recent copy of your data offsite and offline, beyond the reach of an attacker who has domain administrator access to your network.

CISA recommends the tried and tested 3-2-1 rule of backups: 3 copies of your data, on 2 different media, with 1 held offsite, which provides resilience against a range of different risks, including ransomware.

3. Test your backups

A backup is only as useful as the data that can be successfully restored from it. So while it’s useful to know that your backup solution is running and recording data, the only way to be sure it works is to try reading data from it.

A true acid test is to prove to yourself that in the event of a ransomware attack, natural disaster, fire or flood, that you can restore your critical business systems from scratch. Simply having the data may not be enough. Companies grow organically and unless they are very new, their networks are likely to have been built over time rather than in one go. This can create interdependencies where system A requires system B and system B requires system A, and so on.

And keep in mind that the best judge of whether data has been restored successfully is the person who relies on that data—so keep them engaged during the testing.
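Tip three of both backup pieces (prove that a restore works) as an added example, not code from the article or from Malwarebytes: this Python script backs a directory up to a tar.gz archive, restores it elsewhere and compares SHA-256 digests of every file, so a backup job that silently skipped a file (here simulated with a bad exclude rule) is caught before the backup is needed. The directory layout and sample files are constructed test data.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List

# Added example (not from the article or Malwarebytes): a restore test.
# It backs a directory up, restores it somewhere else and compares file
# digests, so a backup that silently skipped or corrupted a file is caught
# before it is needed. The sample files in demo() are constructed data.


def sha256_tree(root: Path) -> Dict[str, str]:
    """Map each file's path (relative to root, POSIX form) to its SHA-256."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def make_backup(source: Path, archive: Path, exclude: Iterable[str] = ()) -> None:
    """Archive `source`; `exclude` drops files by base name, which simulates
    a mis-configured exclude pattern, a common way backups go wrong."""
    excluded = set(exclude)

    def keep(info: tarfile.TarInfo):
        return None if Path(info.name).name in excluded else info

    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".", filter=keep)


def restore_backup(archive: Path, target: Path) -> None:
    """Extract the archive; use the 'data' filter where this Python supports
    it so a crafted archive cannot write outside `target`."""
    with tarfile.open(archive, "r:gz") as tar:
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(target, **kwargs)


def verify_restore(source: Path, restored: Path) -> Dict[str, object]:
    """Compare the restored tree with the original and report differences."""
    want, got = sha256_tree(source), sha256_tree(restored)
    missing: List[str] = sorted(set(want) - set(got))
    extra: List[str] = sorted(set(got) - set(want))
    changed: List[str] = sorted(p for p in want if p in got and want[p] != got[p])
    return {"ok": not (missing or extra or changed),
            "missing": missing, "extra": extra, "changed": changed}


def demo(exclude: Iterable[str] = ()) -> Dict[str, object]:
    """Round-trip a constructed directory and return the verification result."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        source = base / "source"
        (source / "finance").mkdir(parents=True)
        (source / "finance" / "ledger.csv").write_text("2023-03-31,invoice,1200\n")
        (source / "notes.txt").write_text("constructed sample data\n")
        archive = base / "backup.tar.gz"
        restored = base / "restored"
        restored.mkdir()
        make_backup(source, archive, exclude)
        restore_backup(archive, restored)
        return verify_restore(source, restored)


if __name__ == "__main__":
    print("healthy backup:", demo())
    print("backup with a bad exclude rule:", demo(exclude=("ledger.csv",)))
```

Point `make_backup` and `restore_backup` at a real directory and a scratch location to run the same check against your own backup job; the result dictionary tells you exactly which files you would not get back.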

Learn more

To learn more about why backups fail when you need them, and how to improve your chances of success, listen to the full podcast with Matt Crape, embedded below.

 



Steer clear of this EE phish that wants your card details

Watch out for this piece of spam lurking in mail boxes and claiming to be from the EE mobile network.

[Image: Fake EE mail]

The mail, titled “We were unable to renew your monthly plan” with a likely random reference number alongside it, reads as follows:

Due to a problem with your card, we were unable to charge your next monthly payment automatically until you verify your billing details. To renew your contract, please use this link to update your payment information.

Failure to complete the process in a period of 7 business days may result in a disconnection of service.

The clickable link leads to an imitation EE site which asks for the visitor’s email address and password.

[Image: Fake EE login]

Subsequent pages ask for the kind of details typically covered by any phishing scam, such as name, date of birth, and email address. The final page asks for your card details:

[Image: Fake payment request]

If you fill those card details in, you are likely to soon become much lighter of pocket, as the criminals will use the details to take money from your card.

If you think you’ve accidentally filled in a form on a phishy site, contact your bank or card provider immediately so they can put it right. And follow the tips below on how to avoid phishing attacks.

How to avoid phishing attacks

  • Don’t take things at face value. Phishing attacks often seem to come from people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Take action. If you receive a phishing attempt at work, report it to your IT or security team. If you fall for a phish, make your data useless: If you entered a password, change it, if you entered credit card details, cancel the card.
  • Use a password manager. Password managers can create, remember, and fill in passwords for you. They protect you against phishing because they won’t enter your credentials into a fake site.
  • Use a FIDO2 2FA device. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.


Smart home assistants at risk from “NUIT” ultrasound attack

A new form of attack named “Near Ultrasound Inaudible Trojan” (NUIT) has been unveiled by researchers from the University of Texas. NUIT is designed to attack voice assistants with malicious commands remotely via the internet.

Impacted assistants include Siri, Alexa, Cortana, and Google Assistant.

This attack relies on abusing the high sensitivity of microphones found in these IoT devices. They’re able to pick up what is described as the “near-ultrasound” frequency range (16kHz – 20kHz), and this is where NUIT lurks.

A NUIT sound clip can be played on the targeted device’s speaker which allows for the voice assistant to be attacked on the device itself, or even another device altogether.

There are 2 different ways to launch this attack. One is where NUIT is happening on the targeted device itself. This could be, for example, a rogue app or an audio file. Below you can see a video where the NUIT attack results in an unlocked door.

The second form of attack is where the first device containing a speaker is used to communicate with a second device containing a microphone. This is the daisy-chain style approach, where all of the cool technology in all of your devices slowly comes back to haunt you. As researchers note, a smart TV contains a speaker and a quick blast of YouTube could be all that’s needed. Even unmuting a device during a Zoom call could be enough to send the attack signal to your phone sitting next to the computer as the meeting is taking place.

In terms of being successful via NUIT attack, social engineering plays a large part. Bogus websites, apps, and audio could all be entry points for voice assistant shenanigans.

Once access to a device is gained, an attacker lowers the device’s volume. This is so the device owner is unable to hear the assistant responding to commands being sent its way. Meanwhile, the speaker needs to be above a specific noise level so the attack can actually take place. As long as all of this takes place, the bogus command length has to be below 77 milliseconds or it won’t work.

In terms of current impact, researchers say that Siri devices “need to steal the user’s voice”. Meanwhile, the other 16 devices tested can be activated through use of a robot voice or indeed any other voice at all for that matter.

The NUIT attack is listed as being due to appear at the upcoming USENIX Security Symposium in August, which will give a complete overview of how this works. For now, the advice on possible defences against this new form of attack listed by the researchers includes the following:

  • Use earphones. If the microphone can’t receive malicious commands, then the compromise can’t take place.
  • Awareness is key. Be careful around links, apps, and microphone permissions.
  • Make use of voice authentication. If you’re on an Apple device, now is the time to fire that up.


3CX desktop app used in a supply chain attack

Researchers have found that the 3CX desktop app may be compromised and used in supply chain attacks.

The 3CX Desktop App is a Voice over Internet Protocol (VoIP) type of application which is available for Windows, macOS, Linux and mobile. Many large corporations use it internally to make calls, view the status of colleagues, chat, host web conferences, and for voicemail. 3CX is a Private Branch Exchange (PBX) system, which is basically a private telephone network used within a company or organization.

The 3CX website boasts 600,000 customer companies with 12 million daily users, which might give you an idea of the possible impact a supply chain attack could have.

The discovered attack is very complex and probably has been going on for months. While attribution in these cases is always difficult, some fingers are pointing to North Korea. It is likely the attacks have been ongoing since one of the shared samples was digitally signed on March 3, 2023, with a legitimate 3CX Ltd certificate issued by DigiCert.

While it is almost certain that Windows Electron clients are affected, there is no evidence so far that any other platforms are. On the 3CX forums, users are being told that only the new version (3CX Desktop App) leads to the malware infection, because the 3CX Phone for Windows (the legacy version) is not based on the Electron Framework. Electron is an open source project that enables web developers to create desktop applications.

According to a 3CX spokesperson, this happened because an upstream library it uses became infected.

The main executable is not malicious itself and can be downloaded from 3CX’s website as part of an installation procedure or an update. The 3CXDesktopApp.exe executable, however, sideloads a malicious dynamic link library (DLL) called ffmpeg.dll.

The ffmpeg.dll in turn is used to extract an encrypted payload from d3dcompiler_47.dll and execute it. The malware then downloads icon files hosted on GitHub that contain Base64 encoded strings appended to the end of the images, as shown below.

[Image: hex view of an ICO file with Base64 strings embedded at the end. Image courtesy of BleepingComputer]

The d3dcompiler_47.dll file has all the functionality of the legitimate version, with the payload appended, so nothing in the software’s behavior would alert users to the fact that something is wrong with it.

While research is ongoing into the full payload, it is clear that a backdoor is created on affected systems.
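The appended-to-ICO hiding spot described above, as an added detection example that is not 3CX’s, BleepingComputer’s or the malware’s code: the script parses an ICO file’s directory, works out where the last image ends, and reports (and tries to Base64-decode) any bytes trailing after that point. The ICO structures are the public format; the sample icon and the payload marker are constructed test data, not indicators from the campaign.

```python
import base64
import binascii
import struct
from typing import Optional

# Added example (not 3CX's or BleepingComputer's code): find data appended
# after the image content of an ICO file, the hiding spot the article
# describes for the Base64 strings. SAMPLE_* values are constructed.

ICONDIR = struct.Struct("<HHH")            # reserved(0), type(1=icon, 2=cursor), image count
ICONDIRENTRY = struct.Struct("<BBBBHHII")  # w, h, colours, reserved, planes, bpp, size, offset


def ico_image_end(data: bytes) -> int:
    """Offset just past the last image referenced by the ICO directory."""
    if len(data) < ICONDIR.size:
        raise ValueError("too short for an ICO header")
    reserved, kind, count = ICONDIR.unpack_from(data, 0)
    if reserved != 0 or kind not in (1, 2) or count == 0:
        raise ValueError("not an ICO/CUR header")
    end = ICONDIR.size + count * ICONDIRENTRY.size
    for i in range(count):
        entry_off = ICONDIR.size + i * ICONDIRENTRY.size
        *_, size, offset = ICONDIRENTRY.unpack_from(data, entry_off)
        end = max(end, offset + size)
    if end > len(data):
        raise ValueError("directory references bytes beyond end of file")
    return end


def trailing_bytes(data: bytes) -> bytes:
    """Everything after the last image. A legitimate icon has nothing here
    beyond the odd padding byte, so a long tail is a flag, not a verdict."""
    return data[ico_image_end(data):]


def decode_appended_base64(data: bytes) -> Optional[bytes]:
    """Return the decoded tail if it is valid Base64, else None."""
    tail = trailing_bytes(data).strip()
    if len(tail) < 4:
        return None
    try:
        return base64.b64decode(tail, validate=True)
    except (ValueError, binascii.Error):
        return None


def build_sample_ico(image: bytes, appended: bytes = b"") -> bytes:
    """Construct a single-image ICO; the image bytes are a placeholder blob."""
    first_image = ICONDIR.size + ICONDIRENTRY.size
    header = ICONDIR.pack(0, 1, 1)
    entry = ICONDIRENTRY.pack(16, 16, 0, 0, 1, 32, len(image), first_image)
    return header + entry + image + appended


SAMPLE_SECRET = b"constructed second-stage marker"
SAMPLE_CLEAN_ICO = build_sample_ico(b"\x00" * 64)
SAMPLE_TAMPERED_ICO = build_sample_ico(b"\x00" * 64, base64.b64encode(SAMPLE_SECRET))

if __name__ == "__main__":
    for name, blob in (("clean", SAMPLE_CLEAN_ICO), ("tampered", SAMPLE_TAMPERED_ICO)):
        tail = trailing_bytes(blob)
        print(f"{name}: {len(tail)} trailing bytes, decoded={decode_appended_base64(blob)!r}")
```

Run `trailing_bytes` over the icons an application fetches or ships with to triage them; any file with a substantial tail deserves a closer look regardless of whether the tail decodes as Base64.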

What needs to be done?

After initially playing down the alerts on its user forums as a possible false positive, 3CX has now posted that it is working on an update.

The advice on the 3CX forums is to uninstall the app and then reinstall it, accompanied by a strong advice to install the PWA client instead.

Malwarebytes detects the malicious DLLs as Trojan.Agent.

[Image: Malwarebytes blocks Trojan.Agent]

We will keep you updated here, but as a user you might want to keep an eye on 3CX’s blog and forums to learn about new developments, and when an update is available.



“BingBang” flaw enabled altering of Bing search results, account takeover

Researchers from Wiz have discovered a way to allow for search engine manipulation and account takeover. The research in question focuses on several Microsoft applications, with everything stemming from a new type of attack aimed at Azure Active Directory.

Azure Active Directory is a single sign-on and multi-factor authentication service used by organisations around the world. In Microsoft’s own words, “Governance ensures the right people have access to the right resources, and only when they need it”.

Unfortunately, a misconfiguration in how Azure was set up resulted in a collection of potentially serious issues. According to Wiz, once the team started scanning for exposed applications, no fewer than 35% of the apps they scanned were vulnerable to authentication bypass.

Perhaps the most striking example of this particular attack is how an exposed admin interface tied to Bing allowed any user to access it. Bypassing authentication resulted in a functional admin panel for the search engine. The researchers were able to not only change returned results for searches like “Best soundtrack”, but also take things quite a bit further.

This same access also allowed the researchers to inject a Cross Site Scripting attack (XSS) and compromise any Bing user’s Office365 credentials. From there, they could access:

  • Private data
  • Outlook emails
  • SharePoint files
  • Teams messages

This particular attack has been dubbed “BingBang”. Wiz notes that Bing is the 27th most visited website in the world, so that’s clearly a big target pool to play with. Additionally, other vulnerabilities existed in numerous other applications. These range from Mag News, a control panel for MSN newsletters and PoliCheck, a forbidden word checker, to Power Automate Blog (a WordPress admin panel) and CNS API, a Central Notification Service.

The potential for mischief here is wide-ranging. These applications can send internal notifications to Microsoft developers, or fire out emails to a large collection of recipients.

Thankfully Microsoft was notified about these issues, and by the time the latest Bing update was rolled out the issues had been addressed. From its Guidance Document:

Microsoft has addressed an authorization misconfiguration for multi-tenant applications that use Azure AD, initially discovered by Wiz, and reported to Microsoft, that impacted a small number of our internal applications. The misconfiguration allowed external parties read and write access to the impacted applications.  

Microsoft immediately corrected the misconfiguration and added additional authorization checks to address the issue and confirmed that no unintended access had occurred.

Microsoft has confirmed that all the actions outlined by the researchers are no longer possible because of these fixes.

Microsoft made additional changes to reduce the risk of future misconfigurations.

The initial Bing issue was first reported to Microsoft on January 31, and it was fixed the same day. The additional vulnerabilities were reported on February 25, with fixes for those beginning on February 27 and ending March 20.

While there doesn’t seem to be any solid evidence of these flaws being abused in the wild, Wiz notes that according to Microsoft, Azure Active Directory logs are “insufficient to provide insight on past activity”. As a result, you would need to view application logs and check for any evidence of dubious logins.

Managing cloud applications is a challenging and difficult business, with small mistakes potentially causing big problems. Sometimes, even Microsoft doesn’t get it quite right. Hopefully the worst impact here will turn out to have been knocking Dune out of the top soundtrack spot for the Hackers OST…even if the latter is the far superior album. Hack the planet indeed.


Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Update now! Apple fixes actively exploited vulnerability and introduces new features

Apple has released security updates for several products. Most notably, one of the updates fixes an actively exploited vulnerability in the WebKit component of iOS 15.7.4 and iPadOS 15.7.4 that was fixed earlier in macOS Ventura 13.2.1, iOS 16.3.1, iPadOS 16.3.1, and Safari 16.3.

You can find the specific security content for the devices you’re interested in by following the links below:

The updates may already have reached you in your regular update routines, but it doesn’t hurt to check if your device is at the latest update level. If a Safari update is available for your device, you can get it by updating or upgrading macOS, iOS, or iPadOS.

How to update your iPhone or iPad.

How to update macOS on Mac.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The actively exploited vulnerability is listed as CVE-2023-23529: a type confusion issue that Apple says has been addressed with improved checks.

Type confusion vulnerabilities are programming flaws that occur when a piece of code does not verify the type of an object passed to it before using it. Say a program expects a number as input but instead receives a string (a sequence of characters). If the program does not check that the input is actually a number and performs arithmetic on it as if it were one, it may produce unexpected results that an attacker could abuse.

Type confusion can allow an attacker to feed function pointers or data into the wrong piece of code. In some cases, this could allow attackers to execute arbitrary code on a vulnerable device. To exploit it, an attacker would have to trick a victim into visiting a malicious website, or into opening such a page in one of the apps that use WebKit to render their content.
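A constructed C illustration of the flaw class described above, added here and not taken from Apple’s or WebKit’s code: a tagged value whose consumer skips the tag check (the bug) beside a version that verifies the tag first (the “improved checks” pattern). The `Value` type, its tags and the sample inputs are all assumptions for the demo.

```c
#include <stdio.h>

/* Constructed sample type: a tagged value of the kind a script engine or
 * parser hands between components. The tag says which member is live. */
typedef enum { T_NUMBER, T_STRING } Tag;

typedef struct {
    Tag tag;
    union {
        double num;
        const char *str;   /* pointer payload */
    } u;
} Value;

/* Vulnerable pattern: reads the payload as a double without checking the
 * tag, so a string Value's pointer bits get treated as a number. */
double add_ten_unchecked(const Value *v) {
    return v->u.num + 10.0;
}

/* Hardened pattern ("improved checks"): verify the tag before touching the
 * payload and report a mismatch instead of misreading it. */
int add_ten_checked(const Value *v, double *out) {
    if (v->tag != T_NUMBER) {
        return -1;         /* refuse to operate on the wrong type */
    }
    *out = v->u.num + 10.0;
    return 0;
}

/* Wrappers so each behaviour can be exercised by name. */
double checked_number_result(void) {
    Value n = { T_NUMBER, { .num = 32.0 } };
    double r = 0.0;
    return add_ten_checked(&n, &r) == 0 ? r : -1.0;   /* 42.0 */
}

int checked_string_rejected(void) {
    Value s = { T_STRING, { .str = "42" } };
    double r = 0.0;
    return add_ten_checked(&s, &r) != 0;              /* 1: rejected */
}

int main(void) {
    Value s = { T_STRING, { .str = "42" } };
    printf("checked number -> %.1f\n", checked_number_result());
    printf("checked string rejected -> %d\n", checked_string_rejected());
    printf("unchecked string -> %g (garbage, not 52)\n", add_ten_unchecked(&s));
    return 0;
}
```

The unchecked path never crashes here, which is the point: it silently computes on the wrong representation, and in a real engine that misread payload is what an attacker later steers toward a pointer.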

WebKit is the browser engine that powers Safari on Macs as well as all browsers on iOS and iPadOS (browsers on iOS and iPadOS are obliged to use it). It is also the web browser engine used by Mail, App Store, and many other apps on macOS, iOS, and Linux.

There are some other vulnerabilities that make it worth checking whether you need to update. The latest iPhone update alone fixes 33 vulnerabilities, some of which could lead to arbitrary code execution. None of the other fixed vulnerabilities, however, were flagged as having been used in real-life attacks.

For users who don’t consider security their first priority, the new features introduced in iOS 16.4 may be reason enough to update. Apparently Apple also found it more important to notify me on my iPad about the number of new emojis (21) first.

screenshot of available update for iPadOS 16.4

“This update introduces 21 new emoji and includes other enhancements, bug fixes, and security updates for your iPad.”



“Log-out king” Instagram scammer gets accounts taken down, then charges to reinstate them

A fraudster going by “OBN Brandon” has been defrauding Instagram influencers and entertainment figures out of hundreds of thousands of dollars by taking down their accounts and then asking for money to get them back up again, ProPublica reports. OBN has succeeded by taking advantage of Instagram’s lackluster customer support and an easily manipulated account reporting system. The nonprofit believes it may have identified the fraudster as someone in Las Vegas.

Account takedowns for hire

In 2021, Motherboard reported on a booming industry in the digital underground dedicated to banning Instagram accounts at will. Interestingly, some scammers behind ban-as-a-service (BaaS) offerings would also provide account restoration for users who think they have been unfairly suspended.

BaaS offerings are often used by those with “money to throw around,” an ex, a business rival, someone nursing a grudge, or a mix of these. But what opened the door to scamming is the reporting system’s susceptibility to abuse. Meta designed Instagram’s reporting system to shield users from harmful content on the platform, such as posts depicting suicide and self-harm, by taking it down as quickly as possible after receiving a report.

For a fee, scammers turn the same system, designed to protect, into a tool to harass and censor Instagram users.

“We have been professionally banning since 2020 and have top-tier experience,” reads one advertisement from a scammer group. “We may not have the cheapest prices, but trust me you are getting what you are paying for.”

These groups use several methods to get accounts taken down. One is to fully duplicate a target account and then report the original account for impersonation. Some create scripts or bots to report accounts en masse. Scammers can also use these to file reports against a single Instagram account automatically.

Because reporting is anonymous, fraudsters can earn double by offering their victims a way to restore their accounts. A restoration service would cost $3,500 to $4,000, with a nonrefundable downpayment of $1,500. Victims will never know that the party responsible for their ban is also stepping up to get their accounts back up and running again.

Two years after this story, it appears BaaS has grown more wretched and lucrative.

“Log-out king”

There is no mention of OBN using scripts or bots, but ProPublica says that he “touts software he uses to file false reports that allege an account violated Meta’s community guidelines, triggering a takedown.” Impersonation is part of his repertoire, too. Sometimes, OBN orchestrates a setup by hacking an account himself to post content deemed inappropriate in Instagram’s terms of service (ToS) and then reports the account.

Like the Instascammers featured in Motherboard’s story, OBN also offers to reactivate accounts in tandem with his takedown service. He charges a fee as high as $5,000 (depending on follower count) to get an account back. But days later, victims would find their accounts suspended again. A vicious cycle of banning and reactivation ensues until the victim is bled dry of money or refuses to pay anymore.

OBN calls himself the “log-out king,” boasting of having “deleted multiple celebrities + influencers on Meta & Instagram.” ProPublica has linked the pseudonym to one Edwin Reyes-Martinez (20). Although he appears to be a responsible, hardworking man with a full-time warehouse job, clues connect him to OBN. The email address and bank account OBN’s victims send money to bear Reyes-Martinez’s initials.

His social media accounts also show notable items featured on OBN’s profile on Telegram (his primary marketing vehicle), such as his gold and diamond jewelry and what appears to be a white Lamborghini Aventador.

Syenrai, an ex-Instascammer who took credit for memorializing Instagram head Adam Mosseri’s account, has known OBN since 2018. He said Reyes-Martinez “is at least partially responsible” for activities done under the OBN moniker but also welcomes the possibility that others may be involved. ProPublica alleges OBN became so jealous of Syenrai’s fame that he filed a cease-and-desist (C&D) notice against him in 2021.

OBN often targets women who use Instagram to draw people to their OnlyFans pages. Their accounts are deemed vulnerable because what they offer leans toward nudity and pornography—two types of content Instagram and Meta prohibit. OBN has claimed to work with an insider to ban and recover accounts. While Meta previously disciplined or fired employees for taking bribes, ProPublica’s investigation hasn’t yielded any accomplices. Instead, it shared a story about one of OBN’s victims.

Model and real estate agent Kay Jenkins directly contacted OBN’s “high-level” Europe-based Instagram insider via Telegram, claiming OBN failed to deliver a service as promised. They struck an agreement, and she paid $4,000 twice to reactivate and verify her account. It never came back.

It turns out OBN was posing as the Meta employee, and Jenkins had been paying him all along. The cryptocurrency wallet to which she sent payments belongs to OBN. ProPublica has also traced the IP address used by the purported insider to a cellphone not in Europe but in Las Vegas, where Reyes-Martinez is based.

“Once you’re put on Brandon’s radar, whether someone’s paying him or not, he has this personal investment in making sure that your life is miserable and that he’ll try and get as much money out of you as he possibly can.”

Cease and desist

Meta claims to have banned Reyes-Martinez from its platforms after ProPublica handed over details linking him to OBN. The company also sent him a cease and desist order demanding that he stop offering BaaS.

“I’m done with banning if you mention anything about bans I’ll block you,” OBN writes to his followers on Telegram. This doesn’t mean he’s entirely out of the game, though.

“Only doing instagram claims & verification, and C&Ds only for high paying nothing less let’s work,” he says.

