IT News

Explore the MakoLogics IT News for valuable insights and thought leadership on industry best practices in managed IT services and enterprise security updates.

Smart lightbulb and app vulnerability puts your Wi-Fi password at risk

New research highlights another potential danger from IoT devices, with a popular make of smart light bulb placing your Wi-Fi network password at risk. Researchers from the University of London and Universita di Catania produced a paper explaining the dangers of common IoT products, in this case how smart bulbs can be compromised to gain access to your home or office network.

If you use the TP-Link Tapo L530 E smart bulb and the TP-Link Tapo app, you will have some smart bulb related reading in your immediate future.

Bleeping Computer reports that no fewer than 10 million app installations exist via Google Play. From the app description:

The Tapo app helps you set up the Tapo smart devices within minutes and puts everything you need at the tip of your fingers

• Control your smart device from anywhere.

• Control the device via voice with Google Home and Amazon Echo.

• Preset Away mode to make it seem like someone is home.

• Set a countdown timer to automatically turn the device on or off.

• Schedule when to turn the device on or off automatically at times.

All fairly standard fare where smart home lighting is concerned. The bulbs connect to your router, and they can be controlled via the relevant app. You may well have a similar setup in your own home. In this case, however, Italian researchers have shone a light on more insecure practices in smart products which make using them a potentially risky proposition.

Multiple high severity vulnerabilities exist which allow for password retrieval and device manipulation, with four issues in total.

One vulnerability (with a CVSS score of 7.6 out of 10) allows attackers to retrieve verification keys through brute force, or by decompiling the Tapo app itself. The other high severity flaw, with a CVSS score of 8.8, is related to incorrect authentication of the bulb, which means the device can be impersonated, allowing for Tapo password theft and device manipulation.

The other two issues, which are not as severe, relate to a lack of checks on how old received messages are, and a lack of randomness during encryption.
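As an added illustration (not TP-Link's protocol or code), the following Python shows why those two lower-severity findings matter: encrypting under a never-changing IV lets a passive observer relate two ciphertexts without knowing the key, and a receiver that checks neither message age nor a nonce will accept replayed messages. The keystream construction, key and message format are assumptions made for the demo.

```python
"""Message freshness and encryption randomness, illustrated (added example).
The keystream construction and message format below are assumptions, not
TP-Link's protocol."""
import hashlib
import hmac
import os
import time

KEY = b"constructed-demo-key-not-a-real-one"


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Toy CTR-style keystream: HMAC-SHA256(key, iv || counter) blocks.
    Stands in for a stream/CTR cipher; only safe if the IV never repeats."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """XOR the plaintext with the keystream (decryption is the same operation)."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, iv, len(plaintext))))


def fixed_iv_leak(m1: bytes, m2: bytes) -> bytes:
    """Encrypt two commands under the same, never-changing IV (the 'lack of
    randomness' flaw). XOR of the two ciphertexts equals XOR of the two
    plaintexts, so an observer learns exactly where the commands differ."""
    iv = b"\x00" * 16
    c1, c2 = encrypt(KEY, iv, m1), encrypt(KEY, iv, m2)
    return bytes(a ^ b for a, b in zip(c1, c2))


def random_iv_distinct(m: bytes) -> bool:
    """With a fresh random IV per message, identical commands encrypt differently."""
    c1 = encrypt(KEY, os.urandom(16), m)
    c2 = encrypt(KEY, os.urandom(16), m)
    return c1 != c2


class FreshnessChecker:
    """Rejects replayed or stale messages: each must carry a unique nonce and a
    timestamp within `window` seconds of the receiver's clock."""

    def __init__(self, window: float = 30.0):
        self.window = window
        self.seen = set()

    def accept(self, nonce: bytes, sent_at: float, now: float) -> str:
        if abs(now - sent_at) > self.window:
            return "stale"      # too old (or too far in the future) to trust
        if nonce in self.seen:
            return "replay"     # same message delivered a second time
        self.seen.add(nonce)
        return "ok"


if __name__ == "__main__":
    m1, m2 = b"SET brightness=100", b"SET brightness=000"
    leak = fixed_iv_leak(m1, m2)
    print("positions where the commands differ:", [i for i, b in enumerate(leak) if b])
    print("random IV gives distinct ciphertexts:", random_iv_distinct(m1))
    fc = FreshnessChecker()
    n, t = os.urandom(8), time.time()
    print(fc.accept(n, t, t), fc.accept(n, t, t + 1), fc.accept(os.urandom(8), t - 300, t))
```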

What is the potential for damage where the “severe” vulnerabilities are concerned? Well, in a worst case scenario someone could potentially swipe your Wi-Fi password via the Tapo app and then have access to all the devices on said network.

Bleeping Computer notes a few wrinkles in this attack plan. The most important of which is that the device would need to be in setup mode in order for the attack to strike gold. While you probably wouldn’t expect many people to have bulbs plugged in but not set up, the attacker can get around this: with a few clicks in the app, they can deauthenticate your light bulb, forcing a fresh setup.

In terms of addressing these flaws, the researchers mention that they made use of TP-Link’s Vulnerability Research Program (VRP) to report all four issues. TP-Link responded that they have started work on fixes for both bulb and app. There is no specific date mentioned for this at time of writing. There are some workarounds suggested to “fix” these issues, but they’re aimed at the manufacturers as opposed to the users.

You can, and should, practice good security when dealing with any product making use of your home or office network: use strong passwords and multi-factor authentication, and even turn off products that won’t be in use for a significant period of time.

Where the above TP-Link problems are concerned, users should keep the official website handy for security update notifications and ensure all apps and firmware are up to date whenever possible. You should also do this for all of your other smart appliances: Baby monitors, webcams, security systems, and utility service controls. Smart homes are here to stay, and it’s up to us to ensure we’re not providing easy inroads for attackers to exploit.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Update now! Google Chrome’s first weekly update has arrived

Google has published details about the first weekly update for the Chrome browser. Recently Google announced that it would start shipping weekly security updates for the Stable channel (the version most of us use). Regular Chrome releases will still come every four weeks, but to get security fixes out faster, updates to address security and other high impact bugs will be scheduled weekly.

This should also help reduce the patch gap in the Chrome release cycle. When a Chrome security bug is fixed, the fix is added to the public Chromium source code repository. The fix is then tested and evaluated before it goes to the Stable channel. The gap is the time between the patch appearing in the Chromium repository and it being shipped in a Stable channel update.

The latest update has fixes for five vulnerabilities. Four of these vulnerabilities have been classified with a High importance and one as Medium. All these vulnerabilities have been reported by external researchers between August 1 and August 7, 2023.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs patched in these updates are:

CVE-2023-4430, a use after free (UAF) vulnerability in Vulkan, in Google Chrome prior to 116.0.5845.110, which allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. Vulkan is a modern cross-platform graphics and compute API (application programming interface) that provides high-efficiency, low-level access to modern GPUs (graphics processing units) used in a wide variety of devices from PCs to smartphones.

UAF is a type of vulnerability that is the result of the incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program.

Heap corruption occurs when a program modifies the contents of a memory location outside of the memory allocated to the program.

CVE-2023-4429 is another use after free vulnerability, this time in Loader, in Google Chrome prior to 116.0.5845.110, which allows a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVE-2023-4428 is an out of bounds memory access in CSS, in Google Chrome prior to 116.0.5845.110, which allows a remote attacker to perform an out of bounds memory read via a crafted HTML page.

An out-of-bounds read or write flaw makes it possible to read or manipulate parts of memory which are allocated to more critical functions.

CVE-2023-4427 is an out of bounds memory access in V8, Google’s open-source JavaScript engine, in Google Chrome prior to 116.0.5845.110, which allows a remote attacker to perform an out of bounds memory read via a crafted HTML page.

CVE-2023-4431 is the vulnerability listed as Medium severity. It’s an out of bounds memory access vulnerability in Fonts in Google Chrome prior to 116.0.5845.110, which allows a remote attacker to perform an out of bounds memory read via a crafted HTML page.

How to protect yourself

If you’re a Chrome user on Windows, Mac, or Linux, you should update to version 116.0.5845.110/.111 at your earliest convenience.

The easiest way to update Chrome is to allow it to update automatically, which basically uses the same method as outlined below but does not require your attention. But you can end up lagging behind if you never close the browser or if something goes wrong—such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time, given the severity of the vulnerabilities in this batch. My preferred method is to have Chrome open the page chrome://settings/help which you can also find by clicking Settings > About Chrome.

If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete.

Google Chrome is up to date

After the update, your version should be 116.0.5845.110 for Mac and Linux, and 116.0.5845.111 for Windows, or later.


We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Malwarebytes acquires Cyrus Security

Today, I am absolutely thrilled to share some exciting news: Malwarebytes is officially welcoming Cyrus Security into our family. This acquisition signifies an exciting chapter in our journey, and I wanted to share why this development is so special, and what it means for the millions who trust Malwarebytes to keep them safe.

We have always been committed to keeping you safe and secure in the digital landscape. But cybersecurity isn’t limited to defending against malware anymore; it’s about ensuring your entire digital identity remains unscathed and your private details remain private. With Cyrus Security’s specialized solutions, we can further our promise, delivering a more comprehensive protective shield.

Cyrus Security, much like Malwarebytes, has been an innovative force in the cybersecurity realm.

Its relentless focus on protecting users from identity theft and ensuring online privacy has consistently impressed us. Merging our forces means bringing together two of the industry’s brightest minds.

Cyrus Security’s skills, expertise and technology will complement Malwarebytes’ advanced threat detection and remediation capabilities in a number of exciting ways:

Mobile security expertise

One of the standout aspects of Cyrus Security is its unparalleled expertise in mobile user experience. As our world becomes more mobile-centric, this proficiency is crucial. With Cyrus on board, our users can expect even more robust protection on their mobile devices, ensuring safety on-the-go.

Expanding our toolset

Cyrus Security’s cutting-edge technologies will soon be integrated into our product suite. Imagine the robust Malwarebytes protection you know and love, now amplified with Cyrus’s identity protection tools. It’s a combination that promises to enhance the security of our customers, no matter what device they are using.

Growth and learning

Every acquisition is a two-way street. While we’re eager to integrate Cyrus Security’s tools into our portfolio, we’re equally excited about the knowledge exchange, the shared learnings, and the new perspectives that will enrich our team.

A Future Full of Possibilities

With the combination of Malwarebytes and Cyrus Security, we are gearing up to explore emerging aspects of cybersecurity we haven’t ventured into before. This acquisition isn’t just about what we can offer now, but what we can develop and deliver in the future.

To our Malwarebytes family–both old and new–this acquisition is a testament to our commitment to you. Your safety, your trust, and your peace of mind are what drive us every day. With Cyrus Security on board, we’re more equipped than ever to champion these values.

Ivanti Sentry critical vulnerability—don’t play dice, patch

Ivanti has published a security blog post about a vulnerability in Ivanti Sentry, formerly MobileIron Sentry. Successful exploitation of the vulnerability would enable an unauthenticated attacker to access some sensitive APIs that are used to configure Ivanti Sentry on the administrator portal (commonly, MICS).

Ivanti Sentry is a gateway technology that allows organizations to manage, encrypt, and protect traffic between mobile devices and backend systems. The technology helps organizations to securely access enterprise applications and devices using personally owned and corporate-issued mobile devices.

This vulnerability impacts all supported versions (versions 9.18, 9.17 and 9.16). Older versions are also at risk. This vulnerability does not affect other Ivanti products or solutions, such as Ivanti EPMM, MobileIron Cloud or Ivanti Neurons for MDM.

Ivanti has made RPM scripts available now for all supported versions. It recommends customers first upgrade to a supported version and then apply the RPM script specifically designed for their version. More detailed information is available in this Security Advisory. Each script is customized for a single version and if the wrong RPM script is applied it may prevent the vulnerability from being remediated or cause system instability.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVE patched in this update is CVE-2023-38035, which has a CVSS score of 9.8 out of 10. It’s described as a security vulnerability in MICS Admin Portal in Ivanti MobileIron Sentry versions 9.18.0 and below, which may allow an attacker to bypass authentication controls on the administrative interface due to an insufficiently restrictive Apache HTTPD configuration.

A remote, unauthenticated attacker could exploit this vulnerability to change configuration files, run system commands, or write files to the system.

Reportedly, Ivanti customers have seen exploitation of CVE-2023-38035 in Sentry when port 8443 is exposed to the Internet. Port 8443 is commonly used for HTTPS (encrypted) web traffic. Users that are not ready to update to a supported version or don’t have the opportunity to run the script, are advised to close port 8443.

Ivanti recommends that customers restrict access to MICS to internal management networks and not expose this to the internet, which would then require any attacker to gain internal access first.

While we are not completely sure if this vulnerability is used in the wild, two previous vulnerabilities in Ivanti Endpoint Manager Mobile Authentication (EPMM), listed as CVE-2023-35078 and CVE-2023-35081, were both subject to active exploitation.



Adobe ColdFusion vulnerability exploited in the wild

The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Adobe ColdFusion vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. This means that Federal Civilian Executive Branch (FCEB) agencies need to remediate this vulnerability by September 11, 2023 to protect their networks against active threats.

Adobe ColdFusion is an application server and a platform for building and deploying web and mobile applications.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVE you need to patch is CVE-2023-26359, which has a CVSS score of 9.8 out of 10.

According to Adobe, Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction.

Deserialization of untrusted data happens when an application uses data input to create an object. It is often convenient to serialize objects for communication or to save them for later use. However, untrusted data can’t be relied on to be well-formed. When there are not sufficient protections in place this can be abused to trigger self-execution during the deserialization process. Exploitation can lead to arbitrary code execution.
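To show the class of bug in runnable form (an added example; ColdFusion is Java, so Python’s pickle stands in here, and nothing below is Adobe’s code), the following compares a loader that lets the byte stream choose which class gets instantiated with one that only builds classes from an allowlist. The `Reading` class and the sample streams are constructed for the demo.

```python
"""Deserialization of untrusted data: permissive vs. allowlisted loader
(added example; Python pickle stands in for the Java serializer in ColdFusion)."""
import collections
import io
import pickle


class Reading:
    """A benign application object we genuinely expect to receive (constructed)."""

    def __init__(self, sensor: str, value: float):
        self.sensor = sensor
        self.value = value


# Only these (module, class) pairs may be instantiated from untrusted bytes.
ALLOWED_GLOBALS = {(Reading.__module__, "Reading")}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuses to resolve any class reference outside the allowlist, so the
    byte stream can no longer decide which code runs during deserialization."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to load {module}.{name}")


def safe_loads(data: bytes):
    """Hardened form: every class reference is checked before it is resolved."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def unsafe_loads(data: bytes):
    """Vulnerable pattern: whatever class the stream names gets instantiated,
    and that class's construction logic runs with the application's privileges."""
    return pickle.loads(data)


def demo() -> dict:
    benign = pickle.dumps(Reading("lamp-1", 0.8))
    # Constructed untrusted stream. It references a class that is harmless here
    # but is not on the allowlist; a class with side effects on construction
    # would be rejected the same way, before any of its code runs.
    foreign = pickle.dumps(collections.OrderedDict(a=1))
    results = {"benign_sensor": safe_loads(benign).sensor}
    results["unsafe_accepts_foreign"] = type(unsafe_loads(foreign)).__name__
    try:
        safe_loads(foreign)
        results["restricted_accepts_foreign"] = True
    except pickle.UnpicklingError:
        results["restricted_accepts_foreign"] = False
    return results


if __name__ == "__main__":
    print(demo())
```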

To patch the vulnerability Adobe has released security updates for ColdFusion versions 2021 and 2018. To successfully remediate against this vulnerability the latest updates for ColdFusion should be applied, specifically:

  • ColdFusion 2021 Update 6 or later
  • ColdFusion 2018 Update 16 or later

Another critical vulnerability tackled in this update is CVE-2023-26360—an Improper Access Control vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. It affects Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier).

In April Adobe noted:

“Adobe is aware that CVE-2023-26360 has been exploited in the wild in very limited attacks targeting Adobe ColdFusion.”

Therefore this vulnerability was previously added to the Known Exploited Vulnerabilities Catalog. The remediation deadline for federal civilian executive branch agencies was April 5, 2023. With a second critical, known-to-be-exploited vulnerability, this really is a wake-up call to install that update if you haven’t already.



DarkGate reloaded via malvertising and SEO poisoning campaigns

In July 2023, we observed a malvertising campaign that lured potential victims to a fraudulent site for a Windows IT management tool. Unlike previous similar attacks, the final payload was packaged differently and not immediately recognizable.

The decoy file came as an MSI installer containing an AutoIT script where the payload was obfuscated to avoid detection. Upon analysis and comparison, we determined that this sample was an updated version of DarkGate, a multi-purpose malware toolkit first identified in 2018.

Since the malware’s obfuscation and encryption features have been recently documented by other researchers, we will focus on two of its web delivery methods, namely the use of malicious ads and search engine poisoning.

The campaigns we observed coincide with an announcement from DarkGate’s developer in June as well, boasting about the malware’s new capabilities and limited customer seats.

New DarkGate

In its debut back in 2018 and later in 2020, DarkGate (also known as MehCrypter) was distributed via torrent sites and mostly focused on European victims and Spanish users in particular. The original blog post from enSilo (now Fortinet) also notes that its author may have been using email to spread malicious attachments.

In June 2023, a threat actor going by the handle RastaFarEye posted an advertisement in the XSS underground forum about a project known as DarkGate. As detailed by the ZeroFox Dark Ops intelligence team, the new version includes certain key features to evade detection while offering the expected credential stealing capabilities. The cost ($100K/year) and limited availability (10 customers) make DarkGate somewhat of an elusive toolkit.

Ad from DarkGate developer

Photo credit: ZeroFox Dark Ops intelligence team

Two blog posts came out in early August, identifying new DarkGate attacks:

  • Aon’s Stroz Friedberg Incident Response Services details how they encountered a recent incident from a group similar to ScatteredSpider (UNC3944) that was using this new version of DarkGate.
  • Researcher 0xToxin wrote about phishing emails distributing a loader leading to DarkGate, with a complete technical analysis of the malware.

Malvertising

While investigating malvertising campaigns, we observed the following Google ad on July 13, 2023:

Google Ad

Advanced IP Scanner is a popular tool used by IT administrators. Victims who click on the ad are presented with a decoy site:

Decoy page

The downloaded file (Advanced_IP_Scanner_2.5.4594.1.msi) is an installer that contains the legitimate Advanced IP Scanner binary but also some extra files that are unpacked in the %temp% folder upon execution:

Payload

We recognize the familiar use of AutoIT which was already present in the very early versions of DarkGate.

Note: The same threat actor was also serving malicious ads via Bing as documented by Cyberuptive on August 8, 2023.

SEO poisoning

SEO poisoning is an old technique used by various threat actors and scammers who attempt to game search engines’ ranking system. Although it takes a little more time to roll out, it is an effective way to trick users into visiting malicious sites.

The following search result appeared on Google:


The domain advancedscanner[.]link was created on 2023-07-28 and is used to redirect to the decoy page hosted at ipadvancedscanner[.]com. The downloaded file, IPAVSCAN_win_vers_1.1.3.msi, also has the same AutoIt encrypted payload:


Anti-VM and other checks

We noticed that several of the newly registered domains associated with these campaigns had implemented advanced fingerprinting checks. We recently documented this trend which could soon become the norm due to its ease of use.

Here’s another lure, this time for Angry IP Scanner, with a domain, ipangry[.]com, registered on 2023-07-29:


The payload, angry_win_0.47_installer.msi, and its AutoIt script:


By using a combination of evasion techniques, the threat actors behind these campaigns are able to distribute DarkGate with a minimal system footprint. They are also diversifying their delivery techniques by leveraging malspam, malvertising and SEO poisoning.
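One detection angle for the delivery side described above, as an added example (not Malwarebytes’ detection logic): a small pass over proxy-log lines that flags lookalikes of the imitated tools’ domains and installer downloads from domains not on an allowlist. The log format, the legitimate domains and the similarity threshold are assumptions; the sample hosts are the ones named in this article, with the a4scan path invented.

```python
"""Proxy-log scan for lookalike admin-tool domains and installer downloads
(added example; log format, allowlist and thresholds are assumptions)."""
import difflib
import re
from urllib.parse import urlsplit

# Legitimate homes of the two imitated brands (assumed), with the key words a
# lookalike would need to contain to pass as the brand.
LEGIT_DOMAINS = {
    "advanced-ip-scanner.com": ("advanced", "scan"),
    "angryip.org": ("angry", "ip"),
}
INSTALLER_EXTENSIONS = (".msi", ".exe")
LOOKALIKE_THRESHOLD = 0.75  # similarity ratio above which a label is suspicious

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def core_label(host: str) -> str:
    """Second-level label with separators stripped, e.g. 'advanced-ip-scanne.com'
    -> 'advancedipscanne'. Naive about multi-part suffixes such as co.uk."""
    labels = host.lower().strip(".").split(".")
    reg = labels[-2] if len(labels) >= 2 else labels[-1]
    return re.sub(r"[^a-z0-9]", "", reg)


def is_legit(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def is_lookalike(host: str) -> bool:
    """True if the host's core label nearly matches a brand label (typosquat such
    as 'advanced-ip-scanne'), or contains the brand's key words in any order
    (catches 'ipadvancedscanner' and 'ipangry')."""
    if is_legit(host):
        return False
    label = core_label(host)
    for legit, words in LEGIT_DOMAINS.items():
        ratio = difflib.SequenceMatcher(None, label, core_label(legit)).ratio()
        if ratio >= LOOKALIKE_THRESHOLD or all(w in label for w in words):
            return True
    return False


def scan_proxy_log(lines) -> dict:
    """Returns {host: sorted reasons} for every host that deserves analyst attention."""
    findings = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a real pipeline would count these
        url = urlsplit(m.group("url"))
        host = (url.hostname or "").lower()
        reasons = set()
        if is_lookalike(host):
            reasons.add("lookalike_domain")
        # Second, independent signal: installers fetched from anywhere not allowlisted.
        if url.path.lower().endswith(INSTALLER_EXTENSIONS) and not is_legit(host):
            reasons.add("installer_from_unlisted_domain")
        if reasons:
            findings.setdefault(host, set()).update(reasons)
    return {h: sorted(r) for h, r in findings.items()}


# Constructed proxy log. Hosts and most file names are those named in this
# article; the a4scan.com path and all timestamps and client IPs are invented.
SAMPLE_LOG = """\
2023-07-13T09:12:44Z 10.20.30.40 GET https://advanced-ip-scanne.com/Advanced_IP_Scanner_2.5.4594.1.msi 200
2023-07-13T09:15:02Z 10.20.30.41 GET https://download.advanced-ip-scanner.com/Advanced_IP_Scanner_2.5.4594.1.exe 200
2023-07-29T14:03:19Z 10.20.30.42 GET https://advancedscanner.link/ 302
2023-07-29T14:03:20Z 10.20.30.42 GET https://ipadvancedscanner.com/IPAVSCAN_win_vers_1.1.3.msi 200
2023-07-30T08:41:55Z 10.20.30.43 GET https://ipangry.com/angry_win_0.47_installer.msi 200
2023-07-30T08:50:01Z 10.20.30.44 GET https://a4scan.com/setup.msi 200
2023-07-30T09:00:00Z 10.20.30.45 GET https://example.com/index.html 200
""".splitlines()


if __name__ == "__main__":
    for host, reasons in scan_proxy_log(SAMPLE_LOG).items():
        print(f"{host:28} {', '.join(reasons)}")
```

The a4scan.com line shows why the two signals are kept separate: its label is too short to resemble the brand, so only the installer-download rule catches it.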

Malwarebytes’ anti-malware engine detects this malware as Backdoor.DarkGate and our web protection blocks its known command and control servers.

Malwarebytes for Business (EDR) customers may also see the following alerts:



Update now! WinRAR files can be abused to run malware

A new version of the file archiving software WinRAR fixes two vulnerabilities that could allow an attacker to execute code on a target system. All the victim has to do is to open a specially crafted archive.

After receiving a report about the vulnerability in June, a new version of the software was published on August 2, 2023. Users should install the latest version (WinRAR 6.23 or later) at their earliest convenience.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVE patched in this update is CVE-2023-40477 (with a CVSS score of 7.8 out of 10).

The vulnerability lies in how the software processes recovery volumes. The issue is due to the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process.

The update release notification states that another vulnerability was fixed, described as:

“WinRAR could start a wrong file after a user double clicked an item in a specially crafted archive.”

So, until you have installed the new version, it is advisable to be careful when someone sends you an archived file. Opening the archive to scan the content is not a safe option right now.

Given WinRAR’s very large user base, the impact of these vulnerabilities could be substantial, especially since similar flaws have been abused by attackers in the past to install malware.

Windows 11 users are likely to hold off on installing the latest version, because Microsoft announced that its latest operating system (OS) will natively support RAR and some other archive formats.

“We have added native support for additional archive formats, including tar, 7-zip, rar, gz and many others using the libarchive open-source project. You now can get improved performance of archive functionality during compression on Windows.”

Users of a cracked version of the software, which is probably another big group of users, will not be able to install the latest version right off the shelf, so they may remain vulnerable as well.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.


Alert Prioritization and Guided Remediation: The future of EDR

Sleepless nights, missed threats, a deluge of notifications—the common symptoms of the bane of IT teams everywhere: Alert fatigue.

Out of the litany of problems IT teams face every day, alert fatigue might be among the most pressing—especially considering that 30 percent of EDR alerts are ignored by IT security teams. Simply put, it’s impossible to keep up when your tools aren’t helping you prioritize alerts.

Enter: Alert Prioritization and Guided Remediation.

Alert Prioritization and Guided Remediation is a feature of EDR Extra Strength that helps IT teams cut through the noise, using specialized threat intelligence to highlight the threats that truly need their attention.

But why do traditional approaches to EDR alert ranking lead to alert fatigue? And how does Alert Prioritization and Guided Remediation work to combat it?

Why Traditional EDR Is Inherently Exhausting

At its core, EDR has one job—to generate alerts of suspicious activity. The humans operating EDR also broadly have one job: to interpret and act on that suspicious activity.

But here’s the problem: “suspicious” could mean anything.

Let’s say an alert was generated in response to an employee installing a new piece of software attempting to modify system files. Traditional EDR doesn’t know if this is a benign program—it just flags the activity as suspicious. But “suspicious” could mean that the alert is a false positive, it could mean the alert is malicious but can be safely ignored; it could mean “This is a huge deal.”

In other words, IT teams can’t know how “bad” a suspicious alert is until it is investigated—an impossible task for each of the thousands of alerts generated by EDR daily. The end result is, of course, alert fatigue.

Traditional EDR is inherently exhausting. Without additional context, alerts become just too ambiguous to be actionable, meaning IT teams inevitably end up over-prioritizing less urgent threats while also overlooking severe ones.

How Alert Prioritization And Guided Remediation Works

Alert Prioritization and Guided Remediation helps you cut through the noise of traditional EDR by enriching alerts with external threat intelligence.

In this scenario, when an EDR product generates an alert, Alert Prioritization and Guided Remediation consults the threat intelligence service’s extensive database for relevant data. This data, which could include information from various antivirus solutions and user submissions, helps Alert Prioritization and Guided Remediation assess the legitimacy of the alert, clarifying whether the alert represents a genuine threat or a false positive.

Let’s illustrate using the same example from our section on the limitations of traditional EDR, when an alert was generated after an employee installed a new piece of software.

If threat intelligence data shows, for example, that 50 out of 60 antivirus solutions flagged the same file as malicious, it’s likely not a false positive.

Alternatively, if threat intelligence data shows that only 2 out of 60 antivirus solutions flagged the same file as malicious, it is likely that the alert is a false positive and can be safely ignored.

After the threat is externally validated to be a known bad, we turn to Phase 2: Guided Remediation.

When a prioritized threat is detected, Guided Remediation sends detailed remediation information directly to customers through text and email.

These communications direct customers to an EDR portal page that further details the identified threat, explaining what was found, why it is deemed a priority, and simple steps on how to remediate it. This ensures that users are not only alerted to potential threats, but also equipped with the information needed to take decisive action.

Business benefits to Alert Prioritization and Guided Remediation

Reduced alert fatigue

Alert Prioritization and Guided Remediation helps IT teams massively reduce the volume of alerts that need to be reviewed, saving them much-needed mental energy to focus on only the most critical threats.

Improved security posture

Alert Prioritization and Guided Remediation of threats allows for quicker detection and response to threats, minimizing attacker dwell time and reducing the potential damage that attackers can cause once in your systems.

Empowers smaller or less experienced teams

With the right solution, highly specialized staff become a less critical requirement when an organization has to keep up with the volume of EDR alerts. Alert Prioritization and Guided Remediation helps to level the playing field, helping smaller IT teams or those with lower levels of specialized security expertise identify and respond to threats on the fly.

Try EDR Extra Strength today

Automation is the name of the game when it comes to preventing burnout—and with Alert Prioritization and Guided Remediation, IT teams can finally ease their alert fatigue burdens.

Interested in learning more? Alert Prioritization and Guided Remediation is a part of our EDR Extra Strength product, which reimagines EDR to deliver superior protection in a single, easy-to-use package.

Get a free trial of Malwarebytes EDR Extra Strength.

Chrome will soon start removing extensions that may be unsafe

Retroactive removals are finally on the way for malicious Chrome browser extensions. Beginning with Chrome 117, Chrome will “proactively highlight to users when an extension they have installed is no longer in the Chrome web store”.

Previously, if you installed an extension which was subsequently unpublished by the developer or removed by Google, the extension you installed would remain in place, even if it was malicious. If, for example, the extension was some sort of data stealer, it would simply continue to steal your data (assuming the infrastructure it sent the data to had not been shut down). 

Now, when an extension is pulled from the web store in one of the following three situations, Chrome users will be notified:

  • The extension has been unpublished by the developer.
  • The extension has been taken down for violating Chrome Web Store policy.
  • The item was marked as malware.

If an extension is merely in an “under review” state, no notification takes place. For example, if a developer is notified that they may have violated one of Google’s policies and has been given time to address or appeal the issue, then a notification will not be triggered.

Violations themselves can result in a wide range of possible outcomes, from immediate suspensions and permanent disabling of extensions to warnings and re-enablement if a violation is addressed to Google’s satisfaction. If the violation involves malware, there’s a good chance there is no way back into Google’s good books. From the violations information page:

The Chrome Web Store Review team has special procedures for egregious policy violations. In cases such as malware distribution, deceptive behavior designed to evade review, repeated severe violations indicative of malicious intent, and other egregious policy violations, more drastic measures are necessary.

To limit the potential for these developers to further harm users, the Chrome Web Store team intentionally does not provide details regarding these violations. Additionally, in more severe cases the developer’s Chrome Web Store account will be permanently suspended.

In the Privacy and Security settings of Chrome, users will find a “Review” option under the Safety Check setting. It will read as follows:

Review [x amount of] extensions that were taken down from the Chrome web store

Clicking the Review button will take users to their extensions page where they will be given the option to remove all listed extensions. They can also choose to hide the warning and keep the extension if they really want to.

Malware is the exception here though. Extensions flagged as malware are automatically disabled, as they have been in previous versions of Chrome. For everything else, Chrome will state the following:

Review these extensions that were taken down from the Chrome web store. These extensions might be unsafe. Chrome recommends that you remove them.

Users can select each flagged extension individually, or just hit a “Remove all” button and wipe the lot in one go. If you don’t want to wait for the new feature to roll out in Chrome 117, Bleeping Computer notes that you can give it a try right now by switching on Chrome 116’s experimental “Extensions Module in Safety Check” feature.
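The Safety Check review described above is per user and per browser. An administrator who wants the same review across a fleet can inventory what is actually on disk. The script below is an added example, not code from Google or the article: it assumes Chrome's standard layout for web-store extensions (`<profile>/Extensions/<32-character id>/<version>/manifest.json`, for instance under `~/.config/google-chrome/Default` on Linux), and the ids in `TAKEN_DOWN_IDS` are constructed placeholders standing in for a list the administrator maintains, since only Chrome itself knows which extensions the store has pulled.

```python
"""Inventory the extensions installed in a Chrome profile so they can be reviewed centrally.

Added example, not code from Google or the article. Assumes Chrome's on-disk layout:
<profile>/Extensions/<32-character id>/<version>/manifest.json
"""
import json
import re
import tempfile
from pathlib import Path

EXT_ID_RE = re.compile(r"^[a-p]{32}$")  # Chrome extension ids are 32 chars drawn from a-p

# Constructed placeholder ids; they do not correspond to real extensions.
SAMPLE_BENIGN_ID = "a" * 32
SAMPLE_REMOVED_ID = "b" * 32
TAKEN_DOWN_IDS = {SAMPLE_REMOVED_ID}  # placeholder for an admin-maintained list


def inventory_extensions(extensions_dir):
    """Return one record per installed extension version found under extensions_dir."""
    extensions_dir = Path(extensions_dir)
    records = []
    if not extensions_dir.is_dir():
        return records
    for id_dir in sorted(extensions_dir.iterdir()):
        # Skip anything that is not shaped like an extension id directory.
        if not (id_dir.is_dir() and EXT_ID_RE.match(id_dir.name)):
            continue
        for version_dir in sorted(id_dir.iterdir()):
            manifest_path = version_dir / "manifest.json"
            if not manifest_path.is_file():
                continue
            try:
                manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue  # unreadable or malformed manifest: nothing to report
            records.append({
                "id": id_dir.name,
                "version": version_dir.name,
                # Names may be "__MSG_..." placeholders resolved from _locales/; left as-is here.
                "name": manifest.get("name", "<unnamed>"),
                "permissions": sorted(str(p) for p in manifest.get("permissions", [])),
                "host_permissions": sorted(str(p) for p in manifest.get("host_permissions", [])),
            })
    return records


def flag_for_review(records, taken_down_ids=TAKEN_DOWN_IDS):
    """Ids present on disk that also appear on the taken-down list."""
    return sorted({r["id"] for r in records if r["id"] in taken_down_ids})


def build_sample_profile():
    """Create a throwaway profile directory holding two constructed extensions."""
    root = Path(tempfile.mkdtemp(prefix="chrome-profile-"))
    samples = {
        (SAMPLE_BENIGN_ID, "1.0.0"): {
            "name": "Sample Notes", "manifest_version": 3, "permissions": ["storage"]},
        (SAMPLE_REMOVED_ID, "2.3.1"): {
            "name": "Sample Coupon Finder", "manifest_version": 3,
            "permissions": ["tabs", "webRequest"], "host_permissions": ["<all_urls>"]},
    }
    for (ext_id, version), manifest in samples.items():
        ext_dir = root / "Extensions" / ext_id / version
        ext_dir.mkdir(parents=True)
        (ext_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


def review_sample_profile():
    """Run the inventory over the constructed profile; returns (count, flagged ids)."""
    root = build_sample_profile()
    records = inventory_extensions(root / "Extensions")
    return len(records), flag_for_review(records)


if __name__ == "__main__":
    root = build_sample_profile()
    for rec in inventory_extensions(root / "Extensions"):
        status = "REVIEW" if rec["id"] in TAKEN_DOWN_IDS else "ok"
        print(f"{status:6} {rec['id']} {rec['version']} {rec['name']} "
              f"hosts={rec['host_permissions']} perms={rec['permissions']}")
```

Pointing `inventory_extensions` at a real profile's `Extensions` directory gives the same record shape; the `host_permissions` column is usually the first thing worth reading when deciding whether an extension that has vanished from the store should stay installed.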

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

QR codes used to phish for Microsoft credentials

Researchers have published details about a phishing campaign that uses QR codes to phish for Microsoft credentials.

A QR (Quick Response) code is a kind of two-dimensional barcode that holds encoded data in a graphical black-and-white pattern. The data that a QR code stores can include URLs, email addresses, network details, Wi-Fi passwords, serial numbers, etc.

While QR codes are generally safe, they can easily be manipulated by scammers because they all appear similar to the human eye. A malicious QR code may lead you to a spoofed website designed to drop different malware types or steal your sensitive data, like your password, credit card information, or money.

The use of QR codes in malicious campaigns is not new, and because they offer contactless access to a product or service they grew in popularity during the pandemic. And because QR codes are images (sent as PNG or PDF attachments in the campaigns reported here), their content is more likely to make it past email filters.

The researchers have been monitoring a campaign since May of 2023 that, although it targeted users from a wide array of industries, seemed to focus on a major energy company based in the US. This undisclosed target received 29% of the over 1,000 emails containing malicious QR codes.

The links in the QR codes used open redirects from legitimate domains associated with Bing, Salesforce, and Cloudflare to send the targets to phishing sites that were after Microsoft credentials. Since the subjects of the emails were often spoofed Microsoft security notifications, the Bing URLs would not have looked out of place to any victims who noticed them.

The campaign has reportedly grown significantly since it was discovered, with volume increasing by more than 2,400% since May 2023.

Example of a Microsoft-themed mail carrying a malicious QR code (courtesy of Cofense)

For cybercriminals, the use of QR codes usually has the disadvantage that they need to be scanned by a mobile device, which is more complex than simply giving targets a link to click on. But in a corporate environment this can also be an advantage as the mobile device might be outside of the protection of the enterprise environment.

The researchers showcase a Bing redirect URL which is likely to be seen as legitimate in light of the other Microsoft mimicry used in this campaign. Many search engines, social media, and other platforms use some form of open redirect, which cybercriminals use to make their links look legitimate. 

Example of a Bing redirect URL, showing its legitimate and malicious parts (courtesy of Cofense)

Recommendations

Humans cannot tell a malicious QR code from a harmless one by looking at it, so scanning one calls for some extra attention. Some pointers:

  • Treat QR codes like any other link in an unsolicited mail, or possibly even with more caution. If you receive a QR code either in the mail or sent to you by a friend, get in touch with them first and verify that they have indeed sent you the code.
  • When scanning a QR code your device should display the site it will take you to. Pay close attention to that link. Be wary of legitimate domains that are known to use redirects and URL shorteners.
  • Use the built-in scanner through your smartphone’s camera to scan for QR codes. There is no need to download another one from the app store since there are fake QR code scanners and ones that come bundled with unwanted extras.
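The Bing-style redirect shown above and the advice to inspect the link your scanner displays come down to the same check: find the destination buried inside a trusted-looking URL and judge that, not the visible host. The Python below is an added example, not code from Cofense or the article. The redirector host `trusted-redirector.example`, the `u` parameter, the sample links and the allowlist are constructed placeholders, and the base64 handling is a general technique for redirectors that encode their target, not a claim about Bing's actual format.

```python
"""Pull the real destination out of open-redirect style links and classify it.

Added example, not code from Cofense or the article. Hosts, parameter names and the
allowlist below are constructed placeholders.
"""
import base64
import binascii
import re
from urllib.parse import parse_qs, urlparse

# Hypothetical allowlist of domains the organisation accepts as a final destination.
TRUSTED_DESTINATIONS = {"login.microsoftonline.com", "microsoft.com"}

_B64_CHARS = re.compile(r"[A-Za-z0-9+/_-]+=*")


def _looks_like_url(value):
    parsed = urlparse(value)
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)


def _try_base64_url(value):
    """Some redirectors base64-encode the target; try both alphabets and return a URL or None."""
    candidate = value.strip()
    if len(candidate) < 8 or not _B64_CHARS.fullmatch(candidate):
        return None
    padded = candidate + "=" * (-len(candidate) % 4)  # restore stripped padding
    for decoder in (base64.urlsafe_b64decode, base64.b64decode):
        try:
            decoded = decoder(padded).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue
        if _looks_like_url(decoded):
            return decoded
    return None


def extract_redirect_target(url):
    """Return (visible_host, destination) where destination is an embedded URL found in
    any query parameter, plain or base64-encoded, or None if the link is direct."""
    parsed = urlparse(url)
    visible_host = parsed.netloc.lower()
    for values in parse_qs(parsed.query, keep_blank_values=True).values():
        for value in values:  # parse_qs has already percent-decoded each value
            if _looks_like_url(value):
                return visible_host, value
            decoded = _try_base64_url(value)
            if decoded is not None:
                return visible_host, decoded
    return visible_host, None


def classify_link(url, trusted=TRUSTED_DESTINATIONS):
    """'direct', 'redirect-to-trusted' or 'redirect-to-untrusted', judged on the destination."""
    _, destination = extract_redirect_target(url)
    if destination is None:
        return "direct"
    dest_host = urlparse(destination).hostname or ""
    if dest_host in trusted or any(dest_host.endswith("." + t) for t in trusted):
        return "redirect-to-trusted"
    return "redirect-to-untrusted"


# Constructed sample links; example.invalid stands in for a phishing host.
_B64_TARGET = base64.urlsafe_b64encode(b"https://example.invalid/owa/auth").decode().rstrip("=")
SAMPLE_LINKS = {
    "plain": "https://login.microsoftonline.com/common/oauth2/authorize",
    "redirect_trusted": "https://trusted-redirector.example/r?u=https%3A%2F%2Flogin.microsoftonline.com%2F",
    "redirect_untrusted": "https://trusted-redirector.example/r?u=https%3A%2F%2Fexample.invalid%2Fsignin",
    "redirect_b64": "https://trusted-redirector.example/r?u=" + _B64_TARGET,
}


def classify_samples(links=SAMPLE_LINKS):
    return {name: classify_link(url) for name, url in links.items()}


if __name__ == "__main__":
    for name, url in SAMPLE_LINKS.items():
        visible, dest = extract_redirect_target(url)
        print(f"{name:18} visible={visible} destination={dest} -> {classify_link(url)}")
```

The point of separating `extract_redirect_target` from `classify_link` is that the visible host is exactly the thing the campaign relies on you trusting; a mail gateway or a link-checking hook should log and judge the extracted destination instead.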

Malwarebytes EDR and MDR remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.
