
How “EDR Extra Strength” simplifies traditional EDR complexity

Traditional Endpoint Detection and Response (EDR) today has a three-fold complexity problem—with big consequences.

First, complexity in EDR deployment causes long delays, directly impacting ROI and leaving organizations vulnerable to breaches. In fact, almost 10 percent of small security teams cite such complexity as a primary reason for deployment setbacks. (Global Surveyz 2022)

Second, lack of integrated security tools within an EDR can lead security teams to overcompensate by buying and operating additional security platforms. This complexity multiplies operational overhead and creates gaps in security.

Dealing with day-to-day EDR complexity is a third challenge. A survey of 200 CISOs by Global Surveyz found that nearly half (45 percent) of small IT teams flag issues like excessive alerts and multiple dashboards as chief product concerns, culminating in alert fatigue and drops in productivity.

To save time, money, and to stop more threats, IT teams need an EDR that resists complexity—one that’s easy to implement and straightforward to operate.

What is EDR Extra Strength?

The solution is EDR Extra Strength.

EDR Extra Strength combines the award-winning threat detection of Malwarebytes EDR, with Alert Prioritization and Guided Remediation, and Vulnerability & Patch Management. EDR Extra Strength offers a singular, cost-effective strategy for organizations looking for in-depth security.

Instead of navigating through multiple platforms, each with their own separate cost and learning curve, organizations can now harness the unified strength of all-in-one protection with EDR Extra Strength—boosting visibility and protection at a cost that makes sense.

Deployment

With the average deployment timeline for traditional EDRs stretching up to 18 months for small security teams, the need for a swifter solution is clear.

Simply put, smaller teams just can’t afford extensive learning curves, which perhaps is why, from a financial standpoint, they prioritize implementation costs (50 percent) in their endpoint security more than anything else. (Global Surveyz) 

Malwarebytes EDR, the cornerstone of EDR Extra Strength, takes the complexity out of EDR deployment as evidenced by an average time to become fully operational that is two times shorter than the industry average.

Cloud-hosted on the Nebula platform, EDR Extra Strength core technology can deploy within minutes and has won multiple G2 awards for its unique combination of rapid time to go live and time to ROI, all delivered via an agent deployed with a small footprint.

Integration

Managing too many platforms is challenging. Each additional security tool requires its own set of configurations, updates, and management protocols, ultimately translating to longer response times, inefficient workflows, and an inability to have a unified view of the threat landscape.

According to Global Surveyz, 77 percent of small security teams ranked a ‘one-stop’ product with the ‘most integrated’ features as one of their top considerations when choosing a new security technology. In addition, 80 percent of CISOs recognize vendor consolidation as an avenue for more efficient security. 

And, once you consider that over 5 percent of breaches in 2022 came from known vulnerabilities that had yet to be patched—and that the average cost of those breaches was $4.17 million—it goes without saying that Vulnerability and Patch Management needs to be part of any all-in-one security solution today.

By combining Endpoint Protection (EP), EDR, and an award-winning Vulnerability and Patch Management solution, EDR Extra Strength gives IT teams the ‘one-stop’ product they need to streamline detection and response through a single pane of glass.

Day-to-Day Operation

It’s not hard to see why Gartner ranks ease-of-use as the top buying priority for endpoint protection platforms. Daily struggles related to navigation, excessive alerts, and an inability to view the full picture of a digital environment are often symptoms of a complicated-to-use EDR.

The core technology of EDR Extra Strength has won awards for end-user focused attributes (Ease of Use, Meets Requirements, Quality of Support), and administration-specific attributes (Ease of Admin, Ease of Setup, Ease of Doing Business With). 

In addition, EDR Extra Strength provides meaningful contextualization for analyst actions with its Alert Prioritization and Guided Remediation feature, helping to reduce the alert fatigue and time-to-respond associated with complex EDR. Learn more about Alert Prioritization and Guided Remediation here.

Try EDR Extra Strength today

The complexity challenges in EDR deployment, integration, and day-to-day use have big consequences for organizations, ultimately leading to wasted time and money.

EDR Extra Strength addresses this three-fold EDR complexity by combining multiple effective and easy-to-use products under one hood, harnessing the power of award-winning EDR, Vulnerability and Patch Management, and Alert Prioritization and Guided Remediation to boost security without added complexity.

Learn more about EDR Extra Strength here.

Social Security Numbers leaked in ransomware attack on Ohio History Connection

The Ohio History Connection (OHC) has posted a breach notification in which it discloses that a ransomware attack successfully encrypted internal data servers. During the attack, the cybercriminals may have had access to names, addresses, and Social Security Numbers (SSNs) of current and former OHC employees (from 2009 to 2023). Additionally, they may have gained access to W-9 reports and other records revealing the names and personal SSNs of vendors who contracted to provide services to OHC. They also may have gained access to images of checks provided to OHC by some members and donors beginning in 2020.

OHC is a statewide history nonprofit chartered in 1885 that manages more than 50 sites and museums across the state. As the State Archives for the state, OHC preserves the historical records of Ohio’s legislative, executive, and judicial branches.

The ransomware attack took place in early July of 2023, after which OHC notified the FBI and retained forensic IT consulting firms to help it determine the extent of the data breach and to assist in reconstructing its systems and restoring its data.

In total, the information of 7,600 individuals was potentially exposed. Notification letters were mailed on August 23, 2023 to all individuals who were impacted by this data breach.

While OHC hasn’t said which ransomware group was behind the attack, we have information that it was LockBit, although I was unable to locate the OHC data on LockBit’s leak site at the time of writing (it was there earlier this month).

screenshot of LockBit leak site entry for OHC

screenshot taken early August 2023

OHC said that it made an offer to the cybercriminals to prevent the release of the data, but the offer was rejected on August 7, 2023. OHC hasn’t disclosed how the attackers got in.

Those impacted may sign up for free credit monitoring for one year and take advantage of their rights to the free fraud alert services offered by the three major credit bureaus. At the time of writing, there is no evidence that there has been any use or attempted use of the information exposed in this incident.

What to do if you’ve been caught in a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes EDR and MDR remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Cisco VPNs without MFA are under attack by ransomware operator

The Cisco Product Security Incident Response Team (PSIRT) has posted a blog about Akira ransomware targeting VPNs without Multi-Factor Authentication (MFA).

The Cisco team states that it is aware of reports of the Akira ransomware group going specifically after Cisco VPNs that are not configured for MFA. And they have observed instances where cybercriminals appear to be targeting organizations that do not configure MFA for their VPN users.

One of the reports the team may be aware of was tweeted weeks ago by security researcher and incident responder Aura:

“I’m just gonna go ahead and say it. If you have:
Cisco VPN
No MFA for it
You may get a surprise knock from #Akira #Ransomware soon.”

Cisco VPN solutions are widely used to provide secure, encrypted data transmission between users and corporate networks, often used by remote employees. Gaining access could allow attackers to extract credentials through LSASS (Local Security Authority Subsystem Service) dumps to facilitate further movement within the network and elevate privileges if needed.

What the researchers haven’t been able to determine is how the ransomware operators obtained valid Cisco VPN account credentials in the first place. The investigation is hindered by the fact that Cisco ASA (Adaptive Security Appliance) does not log successful logins: only attempts with invalid username/password combinations appear in the logs, and only if logging is configured on the affected ASAs.

It is possible that the criminals acquired valid credentials by purchasing them on the dark web, that they are using a zero-day exploit, or that they are using brute-force or credential stuffing attacks. Credential stuffing is a popular tactic of attempting to access online accounts using username-password combinations acquired from already-breached data dumps. In a brute force attack, attackers typically try a lot of passwords against one account, or a few common passwords across many usernames, which is called password spraying. Password spraying focuses on trying a few passwords across many accounts, often to avoid account lockouts and detection.

Cisco says it has seen evidence of brute force and password spraying attempts. Other researchers say they have found evidence of Akira using Cisco VPN gateways in leaked data posted on the group’s extortion page and seem to be leaning towards the vulnerability scenario.

Whichever way was used to gain access, it has become even more apparent that adding MFA is an important factor in fighting off these attacks.
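As an added example (not from the Cisco PSIRT post or Malwarebytes), the following Python script shows how a defender can work with the only trace the page says the ASA records, rejected logins: it parses constructed syslog lines approximating ASA message 113015 and flags a password spray (many usernames, few attempts each, from one source) separately from a conventional brute force (one username, many attempts). The log lines, hostname and addresses are constructed, and the exact 113015 text should be checked against your own appliance’s output before reusing the pattern.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines approximating Cisco ASA syslog message %ASA-6-113015
# (a rejected local-database authentication). Only failures are logged, so a
# spray is visible as a burst of distinct usernames from one source, while a
# successful login with stolen credentials leaves no such line at all.
SAMPLE_LOG = """\
Aug 24 2023 10:00:01 fw01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = alice : user IP = 203.0.113.10
Aug 24 2023 10:00:09 fw01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = bob : user IP = 203.0.113.10
Aug 24 2023 10:00:17 fw01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = carol : user IP = 203.0.113.10
Aug 24 2023 10:00:25 fw01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = dave : user IP = 203.0.113.10
Aug 24 2023 10:00:33 fw01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = erin : user IP = 203.0.113.10
Aug 24 2023 10:00:41 fw01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = frank : user IP = 203.0.113.10
Aug 24 2023 10:05:00 fw01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = alice : user IP = 198.51.100.7
Aug 24 2023 10:05:30 fw01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = alice : user IP = 198.51.100.7
Aug 24 2023 10:06:00 fw01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = alice : user IP = 198.51.100.7
Aug 24 2023 10:06:30 fw01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = alice : user IP = 198.51.100.7
Aug 24 2023 10:07:00 fw01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = alice : user IP = 198.51.100.7
Aug 24 2023 11:30:00 fw01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = grace : user IP = 192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-\d-113015: "
    r"AAA user authentication Rejected : reason = (?P<reason>.+?) : "
    r"(?:[^:]+ : )?user = (?P<user>\S+) : user IP = (?P<ip>\S+)$"
)


def parse_failed_logins(text):
    """Return (timestamp, source_ip, username) for every 113015 line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # some other message ID; not a rejected login
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def detect_spraying(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Flag a source IP whose failures in any window cover at least min_users
    distinct usernames with no more than max_per_user attempts on any of them:
    the low-and-slow shape that stays under per-account lockout thresholds."""
    by_ip = defaultdict(list)
    for ts, ip, user in sorted(events):
        by_ip[ip].append((ts, user))
    findings = []
    for ip, attempts in by_ip.items():
        for i, (start, _) in enumerate(attempts):
            in_window = [u for t, u in attempts[i:] if t - start <= window]
            users = set(in_window)
            busiest = max(in_window.count(u) for u in users)
            if len(users) >= min_users and busiest <= max_per_user:
                findings.append({"ip": ip, "distinct_users": len(users),
                                 "attempts": len(in_window), "start": start})
                break  # one finding per source is enough to raise an alert
    return findings


def detect_brute_force(events, window=timedelta(minutes=10), min_attempts=5):
    """Flag (source IP, username) pairs with min_attempts or more failures
    inside one window: the classic single-account guessing pattern."""
    by_key = defaultdict(list)
    for ts, ip, user in sorted(events):
        by_key[(ip, user)].append(ts)
    findings = []
    for (ip, user), times in by_key.items():
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= window)
            if n >= min_attempts:
                findings.append({"ip": ip, "user": user, "attempts": n, "start": start})
                break
    return findings


if __name__ == "__main__":
    evs = parse_failed_logins(SAMPLE_LOG)
    for f in detect_spraying(evs):
        print("possible password spray:", f)
    for f in detect_brute_force(evs):
        print("possible brute force:", f)
```

With the constructed lines, 203.0.113.10 is reported as a spray (six usernames, one attempt each) and 198.51.100.7 as a brute force against alice; the single failure from 192.0.2.44 is ignored.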


FBI confirms Barracuda patch is not effective for exploited ESG appliances

In an FBI Flash about a Barracuda ESG vulnerability, listed as CVE-2023-2868, the FBI has stated that the patches released by Barracuda in response to this CVE were ineffective for anyone previously infected. Although both Barracuda and Mandiant have already made this determination, the agency says it has “independently verified” it.

As we explained in an earlier post, the zero-day vulnerability was reportedly used in targeted attacks for months before the patch was issued, by a group that allegedly has ties to China.

On May 23, 2023, Barracuda posted that “a security patch to eliminate the vulnerability was applied to all ESG appliances worldwide on Saturday, May 20, 2023.” The patch was followed by another on May 21, and users with impacted appliances were reportedly “notified via the ESG user interface of actions to take.”

On June 6, 2023, Barracuda sent out an action notice informing customers that impacted ESG appliances must be replaced immediately, signalling that patching alone would not suffice on an already-infected device.

Compromised ESG appliances must be immediately replaced regardless of patch version level. Only a subset of ESG appliances have shown any known indicators of compromise, and are identified by a message in the appliance User Interface.

On July 28, the company explained that SUBMARINE malware was found on infected devices that had been patched:

This additional malware was utilized by the threat actor in response to Barracuda’s remediation actions in an attempt to create persistent access on customer ESG appliances. This malware appeared on a very small number of already compromised ESG appliances.

In a blog post today, Mandiant confirmed that the patches appear to be effective, saying that since Barracuda released its patches, “Mandiant and Barracuda have not identified evidence of successful exploitation of CVE-2023-2868 resulting in any newly compromised physical or virtual ESG appliances.” The company goes on to reiterate that compromised organizations should replace their appliances:

…a limited number of previously impacted victims remain at risk due to this campaign … Mandiant’s recommendations remain unchanged — victims impacted by this campaign should contact Barracuda support and replace the compromised appliance.

The FBI has now independently verified the same findings.

the FBI has independently verified that all exploited ESG appliances, even those with patches pushed out by Barracuda, remain at risk for continued computer network compromise from suspected PRC cyber actors exploiting this vulnerability.

The flaw in Barracuda’s appliance is a remote command injection vulnerability which exists in the Barracuda Email Security Gateway (appliance form factor only). The vulnerability stems from incomplete input validation of file names contained in .tar file attachments. As a consequence, a remote attacker could specifically format these file names in a way that results in remotely executing a system command through Perl’s qx operator, with the privileges of the Email Security Gateway product.

According to the FBI, the cybercriminals utilized this vulnerability to insert malicious payloads onto the ESG appliance with a variety of capabilities that enabled persistent access, email scanning, credential harvesting, and data exfiltration.
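The following Python check is an added example, not Barracuda’s code: it shows the kind of allowlist validation of tar member names that the page says was incomplete, rejecting any attachment whose entries contain characters that would be meaningful to a shell, or path traversal, before the archive is handled at all. The archive contents and file names are constructed. It is a preventive control for a gateway that processes attachments and does nothing for an appliance that is already compromised, which the page says must be replaced.

```python
import io
import re
import tarfile

# Strict allowlist for archive member names: letters, digits, dot, underscore,
# hyphen and "/" for directories. Anything else (spaces, quotes, backticks,
# "$", ";", "|", "&", newlines, ...) is rejected outright rather than
# stripped, so a name can never carry shell syntax into later processing.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9._\-/]+$")


def is_safe_member_name(name: str) -> bool:
    """True only for names built from the allowlist that stay inside the
    extraction directory and cannot be mistaken for a command-line option."""
    if not SAFE_NAME_RE.match(name):
        return False
    if name.startswith("/") or name.startswith("-"):
        return False
    if ".." in name.split("/"):
        return False
    return True


def build_tar(names):
    """Constructed sample archive: one tiny file per requested member name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            info = tarfile.TarInfo(name)
            payload = b"x"
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def audit_tar_attachment(data: bytes):
    """Return (verdict, offending_names) for a .tar attachment.

    The archive is only listed, never extracted, and an archive that cannot
    be parsed is rejected rather than passed along for "best effort" handling.
    """
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
            names = [member.name for member in tar.getmembers()]
    except tarfile.TarError:
        return "reject", ["<unparseable archive>"]
    bad = [n for n in names if not is_safe_member_name(n)]
    return ("reject" if bad else "accept"), bad


if __name__ == "__main__":
    # Constructed attachment mixing ordinary names with ones a shell or a
    # path join would interpret; the whole attachment is rejected.
    sample = build_tar(["invoice.pdf", "reports/q2.txt", "memo;x.txt", "../escape.txt"])
    print(audit_tar_attachment(sample))
    print(audit_tar_attachment(build_tar(["invoice.pdf"])))
```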

The Cybersecurity and Infrastructure Security Agency (CISA) has published four malware analysis reports based on malware variants associated with the exploitation of this vulnerability in Barracuda ESG appliances.

The CISA reports address:

In these reports and the FBI Flash you can find a host of Indicators of Compromise that are certainly worth pursuing if you have or had the Barracuda ESG appliance in your environment between October 2022 and now.

The FBI recommends that customers who used enterprise privileged credentials for management of their Barracuda appliances (such as Active Directory Domain Admin) should immediately take incident investigation steps to verify the use and behavior of any credentials used on their devices. Investigation steps may include:

  • Review email logs to identify the initial point of exposure
  • Revoke and rotate all domain-based and local credentials that were on the ESG at the time of compromise
  • Revoke and reissue all certificates that were on the ESG at the time of compromise
  • Monitor entire network for the use of credentials that were on the ESG at the time of compromise
  • Review network logs for signs of data exfiltration and lateral movement
  • Capture forensic image of the appliance and conduct a forensic analysis

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

“An influx of Elons,” a hospital visit, and magic men: Becky Holmes shares more romance scams: Lock and Code S04E18

Becky Holmes is a big deal online. 

Hugh Jackman has invited her to dinner. Prince William has told her she has “such a beautiful name.” Once, Ricky Gervais simply needed her photos (“I want you to take a snap of yourself and then send it to me on here…Send it to me on here!” he messaged on Twitter), and even Tom Cruise slipped into her DMs (though he was a tad boring, twice asking about her health and more often showing a core misunderstanding of grammar). 

Becky has played it cool, mostly, but there’s no denying the “One That Got Away”—Official Keanu Reeves. 

After repeatedly speaking to Becky online, convincing her to download the Cash app, and even promising to send her $20,000 (which Becky said she could use for a new tea towel), Official Keanu Reeves had a change of heart earlier this year: “I hate you,” he said. “We are not in any damn relationship.” 

Official Keanu Reeves, of course, is not Keanu Reeves. And hughjackman373—as he labeled himself on Twitter—is not really Hugh Jackman. Neither is “Prince William,” or “Ricky Gervais,” or “Tom Cruise.” All of these “celebrities” online are fake, and that isn’t commentary on celebrity culture. It’s simply a fact, because all of the personas online who have reached out to Becky Holmes are romance scammers. 

Romance scams are serious crimes that follow similar plots. 

Online, an attractive stranger or celebrity—coupled with an appealing profile picture—will send a message to a complete stranger, often on Twitter, Instagram, Facebook, or LinkedIn. They will flood the stranger with affectionate messages and promises of a perfect life together, sometimes building trust and emotional connection for weeks or even months. As time continues, they will also try to remove the conversation away from the social media platform where it started, instead moving it to WhatsApp, Telegram, Messages, or simple text. 

Here, the scam has already started. Away from the major social media and networking platforms, the scammers’ persistent messages cannot be flagged for abuse or harassment, and the scammer is free to press on. Once an emotional connection is built, the scammer will suddenly be in trouble, and the best way out is money—the victim’s money.

These crimes target vulnerable people, like recently divorced individuals, widows, and the elderly. But when these same scammers reach out to Becky Holmes, Becky Holmes turns the tables.

Becky once tricked a scammer into thinking she was visiting him in the far-off Antarctic. She has led one to believe that she had accidentally murdered someone and she needed help hiding the body. She has given fake, lewd addresses, wasted their time, and even shut them down when she can by coordinating with local law enforcement.

And today on the Lock and Code podcast with host David Ruiz, Becky Holmes returns to talk about romance scammer “education” and the potential involvement in pyramid schemes, a disappointing lack of government response to protect victims, and the threat of Twitter removing its block function, along with some of the most recent romance scams that Becky has encountered online.

“There’s suddenly been this kind of influx of Elons. Absolutely tons of those have come about… I think I get probably at least one, maybe two a day.”

Tune in today.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

Meal delivery service PurFoods announces major data breach

An organisation that provides home delivery meals has revealed that around 1.2 million people’s personal data may be at risk, after the company suffered a ransomware attack earlier in the year.

PurFoods, which offers up a service called Mom’s Meals, helps to provide meals for folks in a variety of different personal situations. From its site:

We work with over 500 health plans, managed care organisations, governments, and agencies to provide access to meals for people covered under Medicare and Medicaid, as well as the opportunity for individuals to order meals on their own.

The PurFoods notification reveals that suspicious account behaviour was first seen back in February of this year. An investigation concluded that at some point between January 16 and February 22, 2023, a cyberattack took place. Certain files in the PurFoods network were encrypted, and investigators also noticed tools present which can be used for data exfiltration. As a result, PurFoods says it “can’t rule out” the possibility that data was exfiltrated from one of its file servers.

The notice stresses that so far there has been no evidence of data being misused, which will be some measure of relief for those using the service. Even so, an abundance of caution has led to a variety of advice for those who think they may be impacted.

Here’s who could be affected by the breach according to PurFoods:

The individuals whose information was involved included clients of PurFoods who received one or more meal deliveries, as well as some current and former employees and independent contractors.

The data potentially at risk, which is quite significant, includes:

  • Date of birth
  • Driver’s license/state identification number
  • Financial account information
  • Payment card information
  • Medical record number
  • Medicare and/or Medicaid identification
  • Health information
  • Treatment information
  • Diagnosis code
  • Meal category and/or cost
  • Health insurance information
  • Patient ID number
  • Social Security numbers were involved for less than 1% of the total population, most of which are internal to PurFoods.

PurFoods began sending out notification letters by mail on August 25, which included specific information with regard to identity theft protection and availing of “identity restoration services and complimentary credit monitoring”. There’s also a dedicated call center line for people who may have further questions about the breach: (866) 676-4045.

At this point in time, there’s no additional information with regard to the specific ransomware used or whether additional extortion tactics were deployed. The notification does state that this incident is unrelated to the MOVEit attack from a few months prior.

This could potentially prove to be costly for the food provider. As The Register notes, many search results for this breach lead to law firms on the lookout for potential clients impacted by the ransomware attack. We may have to wait a while to see if any data actually does leak online, or if PurFoods reveals any more information about the attackers behind the compromise. For now, if you receive a notification letter we suggest keeping a close eye on your finances, watch out for targeted phishing, and call the PurFoods helpline if you are concerned.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.


Google strengthens its Workspace suite protection

Google has announced the strengthening of safeguard measures for its Workspace customers. You may well be using Workspace without realising it. If you’re using a Google product such as Gmail, Calendar, Drive, or Google Docs Editors Suite (among other apps), then congratulations: you are fully inside the Workspace ecosystem.

Late last year, changes were made to try and catch out an attacker rifling through Google accounts and attempting to access certain critical settings or functionality.

When an account (any account, not just one offered by Google) is taken over, there’s going to be a specific flow the compromiser makes use of. 

For example, if I hijack your email the first thing I’ll try and do is lock you out by changing your password. After that, I might pay a visit to the backup email address and try to stop you from regaining access that way. All of your accounts will have hot button settings which attackers will make a beeline for.

Google’s response, designed to assist Workspace administrators, was to present challenges to users who perform sensitive actions in unusual ways not seen before. Logging in far away from your usual location? Following an odd or significantly different pattern when trying to log in? These actions and more could trigger the challenge response.

One login challenge might be a two-step login prompt. Others might be specified by the administrator of the service being used. It’s a pretty flexible system.

The new additions related to features in Gmail. Specifically:

  • Filters: creating a new filter, editing an existing filter, or importing filters. 
  • Forwarding: Adding a new forwarding address from the Forwarding and POP/IMAP settings. 
  • IMAP access: Enabling the IMAP access status from the settings. (Workspace admins control whether this setting is visible to end users or not) 

With these in place, if an attacker hijacked your mail and then tried to sneakily add a forwarding address then Google would flag it and issue a “Verify it’s you” challenge. Depending on how the system has been set up by the admin, a relevant identity challenge will then take place. If the challenge is failed, the user will be sent a critical security alert notification on a trusted device to let them know someone is up to no good.

Cleverly, Google has designed the system so that even an incomplete challenge will send out an alert. Sorry attackers, you can’t just ignore it or back out!

At this point, you may be wondering if there’s a list of activities you can expect to trigger a challenge as well as a list of potential challenges. Fear not, the relevant Google Support page has it covered.

Here’s some of the more common challenge triggers:

  • View activity saved in your Google Account
  • Change your password
  • View saved passwords
  • Turn on 2-Step Verification
  • Download your data
  • Change channel ownership on YouTube Creator Studio
  • Change Google Ads account budget
  • Buy any other product or service from Google
  • Example: Buy a Google Pixel or Nest device from Google Store

Here’s how you can verify your identity. It’s important to note that in order to verify yourself, the device you use to do this must have been registered for a period of seven days minimum:

  • A device associated with the recovery phone number for your account
  • A device that’s signed in to your Google Account
  • For accounts with 2-Step Verification turned on:
    • A security key that’s been added to your Google Account
    • A verification code from Google Authenticator

If you fail the challenge you can still use and access your account, but updating sensitive information or completing sensitive actions are not allowed for a seven day period.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

A week in security (August 21 – August 27)

Last week on Malwarebytes Labs:

Stay safe!


2.6 million DuoLingo users have scraped data released

An unknown party has released the scraped data of 2.6 million DuoLingo users on a hacking forum. While they offered the data set for sale in January for $1,500, it’s now been released on a new version of the Breached hacking forum for 8 site credits, worth only $2.13.

DuoLingo is an educational platform most famous for its language learning programs. According to a May 2023 press release, DuoLingo has 72.6 million monthly active users.

The scraped data include, among other things, email addresses, usernames, languages, and which language each user is learning.

Screenshot of the post on the hacking forum (courtesy of FalconFeedsio)

The data were scraped from public profile information by using an exposed application programming interface (API). On March 2, a researcher called Ivano Somaini tweeted how one could take advantage of Duolingo’s API to check if an email address is associated with a Duolingo account.

The API allows anyone to run a query by submitting a username or an email address to confirm if it is associated with a valid DuoLingo account. Bleeping Computer has confirmed that this API is still openly available to anyone on the web, even after its abuse was reported to DuoLingo in January.

Such a query by email address returns JSON-formatted data, revealing:

  • Streak – A user’s streak is a measure of how consistently they use Duolingo. A streak starts at zero and increases by one for each day the user completes a lesson.
  • Profile picture – For this field, Duolingo’s API yields a URL with this structure //simg-ssl.duolingo.com/avatar/*******/*******. If you get //simg-ssl.duolingo.com/avatar/default_2 it means there’s no profile picture associated with the email address you’ve queried.
  • Learning languages, XP points and crowns – Duolingo’s API shows which courses the account has enrolled in. XP points and crowns give an idea of the progression on those courses. When you learn on Duolingo, you earn experience points, or XP for short.
  • hasFacebookId – Shows if the profile is associated with a Facebook account (true or false)
  • hasGoogleId – Shows if the profile is associated with a Google account (true or false)
  • id – Probably Duolingo’s user ID.
  • username – Username associated with the Duolingo account
  • hasPhoneNumber – Shows if the profile is associated with a phone number (true or false)
  • creationDate – This is a Unix timestamp (epoch time) that appears to show when the account was created.
  • name – The real name associated with the account.
  • Location – User location (unknown if it’s vetted by Duolingo)
  • emailVerified – Shows if the email address associated with the account was checked by Duolingo (true or false).
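As an added illustration of the enumeration problem described above (written for this article, not code from Duolingo or from the researchers cited): a small C model of an account-lookup endpoint. `lookup_vulnerable` accepts an email address as the key and answers differently depending on whether an account exists, which is the signal a scraper with a pile of addresses from earlier breaches needs. `lookup_hardened` accepts only public usernames and returns one fixed response for anything email-shaped. The accounts, addresses and function names are constructed; `leaks_email_existence` is the check a reviewer can run against both versions.

```c
/* Added example (not Duolingo's code): an account lookup that leaks whether an
 * email address has an account, beside one that does not. All records below
 * are constructed sample data. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct account {
    const char *username;   /* public profile name */
    const char *email;      /* private: must never be confirmed or returned */
    const char *learning;   /* public: course enrolled in */
    int streak;             /* public */
};

static const struct account ACCOUNTS[] = {   /* constructed sample records */
    { "alice_lang", "alice@example.test", "es", 42 },
    { "bob_learns", "bob@example.test",   "de",  7 },
};
#define NACCOUNTS (sizeof ACCOUNTS / sizeof ACCOUNTS[0])

struct response {           /* stand-in for an HTTP response */
    int  status;
    char body[128];
};

/* Look a record up by its private email field or its public username. */
static const struct account *find(const char *key, bool match_email) {
    for (size_t i = 0; i < NACCOUNTS; i++) {
        const char *field = match_email ? ACCOUNTS[i].email : ACCOUNTS[i].username;
        if (strcmp(field, key) == 0) return &ACCOUNTS[i];
    }
    return NULL;
}

static struct response reply(int status, const char *body) {
    struct response r;
    r.status = status;
    snprintf(r.body, sizeof r.body, "%s", body);
    return r;
}

/* Only public fields go into the body; the email is never echoed back. */
static struct response profile_json(const struct account *a) {
    struct response r;
    r.status = 200;
    snprintf(r.body, sizeof r.body,
             "{\"username\":\"%s\",\"learning\":\"%s\",\"streak\":%d,\"emailVerified\":true}",
             a->username, a->learning, a->streak);
    return r;
}

/* Vulnerable: an email address is accepted as the key. A 200 with a profile
 * versus a 404 tells the caller whether that address has an account, even
 * though the address itself is never returned. */
struct response lookup_vulnerable(const char *key) {
    const struct account *a = find(key, true);
    if (a == NULL) a = find(key, false);
    return a ? profile_json(a) : reply(404, "{\"error\":\"not found\"}");
}

/* Hardened: only public usernames are valid keys. Anything shaped like an
 * email address gets one fixed 400 whether or not an account uses it, so the
 * response carries no information about the private email field. */
struct response lookup_hardened(const char *key) {
    if (strchr(key, '@') != NULL)
        return reply(400, "{\"error\":\"lookup by email is not supported\"}");
    const struct account *a = find(key, false);
    return a ? profile_json(a) : reply(404, "{\"error\":\"not found\"}");
}

/* Reviewer's oracle check: does a known-present address produce a different
 * response from a known-absent one? If so, the endpoint confirms existence. */
bool leaks_email_existence(struct response (*endpoint)(const char *),
                           const char *present, const char *absent) {
    struct response a = endpoint(present);
    struct response b = endpoint(absent);
    return a.status != b.status || strcmp(a.body, b.body) != 0;
}
```

The hardened version still serves the public profile by username, which is what a profile page needs; what it refuses is the use of a private identifier as a query key. Rate limiting the endpoint is a sensible second layer, but on its own it only slows the enumeration described above rather than removing the signal.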

Have I Been Pwned’s (HIBP) Troy Hunt explained how it is possible that practically every one of the email addresses in the DuoLingo data could already be found in the HIBP database. The email addresses the scraper used came from the big melting pot of data breach-land being used to compromise even more of our personal information. By trying millions and millions of addresses, the scraper found 2.6 million matches on DuoLingo.

Troy Hunt added:

“I’m a Duolingo user but because I have a unique email address on every service, I’m not in there”

Even though most of the scraped data is publicly available, it gives cybercriminals yet another chance to correlate more information with a specific email address or name. Affected users should be wary of phishing emails making use of this information. For example, since you are interested in a certain language you might be more likely to fall for an email inviting you to visit a country where that language is spoken.

Data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.


Update now! Google Chrome’s first weekly update has arrived

Google has published details about the first weekly update for the Chrome browser. Recently Google announced that it would start shipping weekly security updates for the Stable channel (the version most of us use). Regular Chrome releases will still come every four weeks, but to get security fixes out faster, updates to address security and other high impact bugs will be scheduled weekly.

This should also help to reduce the patch gap in the Chrome release cycle. When a Chrome security bug is fixed, the fix is added to the public Chromium source code repository. The fix is then tested and evaluated before it goes to the Stable channel. The gap is the time between the patch appearing in the Chromium repository and it being shipped in a Stable channel update.

The latest update has fixes for five vulnerabilities. Four of these vulnerabilities have been classified with a High importance and one as Medium. All these vulnerabilities have been reported by external researchers between August 1 and August 7, 2023.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs patched in these updates are:

CVE-2023-4430, a use after free (UAF) vulnerability in Vulkan, in Google Chrome prior to 116.0.5845.110, which allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. Vulkan is a modern cross-platform graphics and compute API (application programming interface) that provides high-efficiency, low-level access to modern GPUs (graphics processing units) used in a wide variety of devices from PCs to smartphones.

UAF is a type of vulnerability that is the result of the incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program.

Heap corruption occurs when a program modifies the contents of memory outside the bounds of the heap block that was allocated for that purpose.

CVE-2023-4429 is another use after free vulnerability, this time in Loader, in Google Chrome prior to 116.0.5845.110, which allows a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVE-2023-4428 is an out of bounds memory access in CSS, in Google Chrome prior to 116.0.5845.110, which allows a remote attacker to perform an out of bounds memory read via a crafted HTML page.

An out-of-bounds write or read flaw makes it possible to read or manipulate neighbouring parts of memory that are allocated to other, potentially more critical, data or functions.

CVE-2023-4427 is an out of bounds memory access in V8, Google’s open-source JavaScript engine, in Google Chrome prior to 116.0.5845.110, which allows a remote attacker to perform an out of bounds memory read via a crafted HTML page.

CVE-2023-4431 is the vulnerability listed as Medium severity. It’s an out of bounds memory access vulnerability in Fonts in Google Chrome prior to 116.0.5845.110, which allows a remote attacker to perform an out of bounds memory read via a crafted HTML page.
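To make the two bug classes explained above concrete, here is an added example in C. It is not Chromium code and is not tied to any of the CVEs listed: it uses a tiny simulated heap, so that reading a chunk past its end and reading a chunk after it was freed and handed to a new owner both behave deterministically and can be observed safely (against a real allocator both are undefined behaviour). The allocator, the 16-byte chunk layout and the `demo_*` function names are all constructed for this illustration; the point is what the checked forms, `read_checked` and `sim_free_clear`, prevent.

```c
/* Added example (not Chromium code): use-after-free and out-of-bounds read,
 * reproduced on a small simulated heap so the behaviour is deterministic.
 * Every access below stays inside the one backing array, which is why the
 * "bad" reads can be run and observed; with a real allocator they would be
 * undefined behaviour. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CHUNK   16                        /* every allocation is one 16-byte chunk */
#define NCHUNKS  4
static uint8_t heap[CHUNK * NCHUNKS];     /* the simulated heap (constructed) */
static bool    in_use[NCHUNKS];

/* First-fit allocator: a freed chunk is handed out again by the very next
 * call, which is the reuse that makes a dangling pointer dangerous. */
static uint8_t *sim_alloc(void) {
    for (size_t i = 0; i < NCHUNKS; i++) {
        if (!in_use[i]) {
            in_use[i] = true;
            memset(heap + i * CHUNK, 0, CHUNK);
            return heap + i * CHUNK;
        }
    }
    return NULL;
}

/* Marks the chunk free. Like a real free(), it does not touch the caller's
 * pointer, so that pointer now dangles. */
static void sim_free(uint8_t *p) {
    in_use[(size_t)(p - heap) / CHUNK] = false;
}

/* Fixed pattern: release the chunk and clear the caller's pointer together. */
static void sim_free_clear(uint8_t **pp) {
    sim_free(*pp);
    *pp = NULL;
}

/* Unchecked read: plain pointer arithmetic with no idea how big the chunk is. */
static int read_unchecked(const uint8_t *chunk, size_t idx) {
    return chunk[idx];
}

/* Checked read: rejects a NULL (freed and cleared) pointer and any index
 * outside the chunk. Returns -1 on rejection, otherwise the byte value. */
static int read_checked(const uint8_t *chunk, size_t idx) {
    if (chunk == NULL || idx >= CHUNK) return -1;
    return chunk[idx];
}

/* Out-of-bounds read: index 16 of a 16-byte chunk is the first byte of the
 * neighbouring allocation, which here holds a token the reader should not see. */
int demo_oob_unchecked(void) {
    uint8_t *buf   = sim_alloc();
    uint8_t *token = sim_alloc();             /* the "more critical" neighbour */
    memset(buf, 'A', CHUNK);
    memcpy(token, "TOKEN", 5);
    int leaked = read_unchecked(buf, CHUNK);  /* 'T' from the neighbour */
    sim_free(buf);
    sim_free(token);
    return leaked;
}

int demo_oob_checked(void) {
    uint8_t *buf   = sim_alloc();
    uint8_t *token = sim_alloc();
    memset(buf, 'A', CHUNK);
    memcpy(token, "TOKEN", 5);
    int result = read_checked(buf, CHUNK);    /* -1: refused */
    sim_free(buf);
    sim_free(token);
    return result;
}

/* Use-after-free: the chunk is freed but the old pointer is kept and used.
 * The allocator has meanwhile given the same chunk to a new owner, so the
 * stale pointer now reads (and could overwrite) that owner's data. */
int demo_uaf_dangling(void) {
    uint8_t *stale = sim_alloc();
    memcpy(stale, "OLD", 3);
    sim_free(stale);                          /* pointer left dangling */
    uint8_t *owner = sim_alloc();             /* same chunk, reused */
    memcpy(owner, "NEW", 3);
    int seen = read_unchecked(stale, 0);      /* 'N': the new owner's data */
    sim_free(owner);
    return seen;
}

int demo_uaf_cleared(void) {
    uint8_t *p = sim_alloc();
    memcpy(p, "OLD", 3);
    sim_free_clear(&p);                       /* p is now NULL */
    uint8_t *owner = sim_alloc();
    memcpy(owner, "NEW", 3);
    int seen = read_checked(p, 0);            /* -1: stale access is refused */
    sim_free(owner);
    return seen;
}
```

Clearing the pointer on free turns a silent read of recycled memory into a loud NULL dereference, which is what the "does not clear the pointer" sentence above is about; the bounds check on `read_checked` is the equivalent guard for the out-of-bounds class. Tools such as AddressSanitizer catch both patterns in test builds by tracking exactly the chunk state this toy allocator keeps in `in_use`.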

How to protect yourself

If you’re a Chrome user on Windows, Mac, or Linux, you should update to version 116.0.5845.110/.111 at your earliest convenience.

The easiest way to update Chrome is to allow it to update automatically, which basically uses the same method as outlined below but does not require your attention. But you can end up lagging behind if you never close the browser or if something goes wrong—such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time, given the severity of the vulnerabilities in this batch. My preferred method is to have Chrome open the page chrome://settings/help, which you can also reach by clicking Settings > About Chrome.

If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete.

Screenshot: Google Chrome is up to date

After the update, your version should be 116.0.5845.110 for Mac and Linux, and 116.0.5845.111 for Windows, or later.


We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.