IT News

Explore the MakoLogics IT News for valuable insights and thought leadership on industry best practices in managed IT services and enterprise security updates.

Update Chrome now! Google fixes critical vulnerability in Autofill payments

Google has released a Chrome update which includes five security fixes. One of these security fixes is for a critical vulnerability in Autofill payments.

Google labels vulnerabilities as critical if they allow an attacker to run arbitrary code on the underlying platform with the user’s privileges in the normal course of browsing.

How to protect yourself

If you’re a Chrome user on Windows, Mac, or Linux, you should update as soon as possible. 114.0.5735.130/.131 for Android will become available on Google Play over the next few days.

The easiest way to update Chrome is to allow it to update automatically, which basically uses the same method as outlined below but does not require your attention. But you can end up lagging behind if you never close the browser or if something goes wrong—such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time, given the severity of the vulnerabilities in this batch. My preferred method is to have Chrome open the page chrome://settings/help which you can also find by clicking Settings > About Chrome.

If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete.

Chrome needs a relaunch to apply the update

After the update, your version should be 114.0.5735.133 for Mac and Linux, and 114.0.5735.133/134 for Windows, or later.

The critical vulnerability

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The critical CVE patched in these updates is listed as CVE-2023-3214: Use after free in Autofill payments in Google Chrome prior to 114.0.5735.133 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Google is always very careful about providing information about vulnerabilities, for obvious reasons. Access to bug details and links may be kept restricted until a majority of users are updated with a fix. However, from the vulnerability description we can learn a few things.

The Autofill payments feature automatically enters saved payment details into online forms.

Use after free (UAF) is a type of vulnerability that results from the incorrect use of dynamic memory during a program’s operation. If a program frees a memory location but does not clear the pointer to it, a later access through that dangling pointer can be abused by an attacker to manipulate the program.

Heap corruption occurs when a program modifies the contents of a memory location outside the bounds of the heap memory allocated to it. The outcome can be relatively benign, such as a memory leak, or it may be fatal and cause a memory fault, usually in the program that causes the corruption.
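Added illustration (not code from the article or from Chrome) of the pattern the two paragraphs above describe: a record freed while a pointer to it survives, beside a hardened form that nulls the pointer on release and refuses to touch a released record. The payment_record struct, its fields and the sample values are constructed for this example.

```c
/* Added example, not from the article or from Chrome. The payment_record
 * type and its contents are constructed stand-ins for an autofill entry. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    char card_holder[32];
    char last4[5];
} payment_record;

/* Vulnerable pattern, shown for contrast and never called by this example:
 * the record is freed but the pointer is kept, so the later access reads
 * memory the allocator may already have handed to something else. */
void vulnerable_flow(void) {
    payment_record *rec = malloc(sizeof *rec);
    if (rec == NULL) return;
    strcpy(rec->last4, "4242");
    free(rec);                          /* memory released ... */
    printf("%s\n", rec->last4);         /* ... but still used: use after free */
}

/* Hardened pattern: release through a helper that scrubs the record and
 * nulls the caller's pointer, so no dangling pointer survives the free. */
static void release_record(payment_record **slot) {
    if (slot == NULL || *slot == NULL) return;
    /* Best-effort scrub of sensitive fields; a compiler may elide a plain
     * memset before free, so production code uses explicit_bzero or similar. */
    memset(*slot, 0, sizeof **slot);
    free(*slot);
    *slot = NULL;
}

/* Returns the last four digits, or NULL if the record has been released. */
static const char *record_last4(const payment_record *rec) {
    return rec ? rec->last4 : NULL;
}

/* Walks the hardened lifecycle. Returns 1 if the live record is readable and
 * the released record is rejected instead of dereferenced, 0 otherwise. */
int hardened_flow(void) {
    payment_record *rec = malloc(sizeof *rec);
    if (rec == NULL) return 0;
    strcpy(rec->card_holder, "A. Example");   /* constructed sample values */
    strcpy(rec->last4, "4242");
    int before_ok = strcmp(record_last4(rec), "4242") == 0;
    release_record(&rec);
    int after_ok = (rec == NULL) && (record_last4(rec) == NULL);
    return before_ok && after_ok;
}

int main(void) {
    printf("released record rejected: %s\n", hardened_flow() ? "yes" : "no");
    return 0;
}
```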

A remote attack means that this vulnerability could potentially be exploited by tricking the user into visiting a specially crafted website.

Whether all this actually means that vulnerable Chrome versions will spill payments details on such a website remains to be seen, but it’s not the unlikeliest of scenarios.


We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Ticket scammers target Taylor Swift tour

Taylor Swift fans are being warned to be cautious when buying tickets for her current “Eras” tour, with scammers waiting in the wings to trick would-be gig goers. The Better Business Bureau says it has received somewhere in the region of 200 complaints from residents of Michigan, and there’s bound to be more from other locations.

The issue is so bad that Michigan’s Attorney General advised the local “Swifties” about fraud in relation to last weekend’s Michigan leg of the tour. His warning reads as follows:

“Michigan residents who are defrauded by online ticket scammers should not just shake it off,” said Nessel. “We know these scams all too well. If you believe you were taken advantage of, filing a complaint with my office is better than revenge.”

Reports of scammers taking advantage of Swift’s fans, called Swifties, indicate some have lost as much as $2,500 paying for tickets that don’t exist or that never arrive. The Better Business Bureau has reportedly received almost 200 complaints nationally related to the Swift tour. The complaints range from refund struggles to outright scams.

Other locations for the tour are trying to get ahead of the scam curve, issuing their own warnings ahead of events where possible. For example, Cincinnati has highlighted tales of woe related to fake ticket sales on Facebook. Detroit flagged fake ticket sales on Instagram. CBC covered multiple fake sale attempts cheating folks in Canada out of significant chunks of money. Elsewhere, teens have lost out on $1,200 thanks to Craigslist scammers.

With something like 19 dates left in the US alone stretching from Minneapolis and Pittsburgh to Los Angeles and Seattle, there’s still plenty of opportunity for scammers to crawl out of the woodwork. These are undoubtedly the hottest music tickets around at the moment, so you’ll want to follow some common sense rules before trying to get your hands on some. This is especially the case given that the only ticket source left may be resellers.

How to avoid ticket scams

  • Research the ticket seller. Anybody can set up a fake ticket website, and sponsored ads showing at the top of search engines can be rife with bogus sellers. You may also run into issues buying tickets from sites like eBay. Should you decide to use sites other than well known entities like Ticketmaster, check for feedback on the BBB website.
  • Use a credit card if possible. You’ll almost certainly have more protection than if you pay using your debit card, or cash. We definitely recommend that you avoid using cash. If someone decides to rip you off, that money is gone forever.
  • A “secure” website isn’t all it seems. While sites that use HTTPS (the padlock) ensure your communication is encrypted in transit, this does not guarantee the site is legitimate. Anyone can set up an HTTPS website, including scammers.
  • It’s ticket inspector time. One of the best ways to know for sure that your ticket is genuine is to actually look at it. Is the date and time correct? The city, the location? Are the seat numbers what you were expecting to see? It may well be worth calling the event organisers or the event location and confirming that all is as it should be. Some events will give examples of what a genuine ticket should look like on the official website.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Edge browser feature sends images you view back to Microsoft

A relatively new service provided by Microsoft’s browser Edge sends images you’ve viewed online back to Microsoft. A new feature labelled Enhance images in Microsoft Edge has raised some privacy concerns. The feature is designed to upscale low resolution images, making them sharper, and improving the lighting and contrast.

Unlike the Video Super Resolution which uses local resources to enhance the quality of video viewed in Microsoft Edge, the pictures submitted to the Enhance images service are sent to Microsoft for processing as Edge loads them. This is enabled by default, so users have to opt out if they don’t want their images to be sent.

Observant Edge Canary users spotted a difference in the description of the feature after an update. Under Enhance images in Microsoft Edge in settings, it now says “Image URLS will be sent to Microsoft to provide super resolution.”

Microsoft offers Edge users different update channels. The Canary Channel ships daily and is the most bleeding edge of all the channels. If you want access to the newest updates, they’ll appear here first. The downside is that it also comes with a certain amount of bugs.

This recent update also came with the option for more granular control over which sites’ images should be enhanced.

Screenshot of the image enhancement choices shown to Edge Canary users

Image courtesy of Neowin

How to disable the service

If you prefer to turn off the Enhance images service, here’s how to do it:

  • In Edge, open the Settings menu and select Privacy, search, and services (edge://settings/privacy)
  • Scroll down to the Services section and find the Enhance images in Microsoft Edge entry
  • Switch the toggle to Off.

And while we have your attention and you are in the Privacy menu anyway, if you scroll up a little bit, you may see the Show Collections and follow content creators in Microsoft Edge option. If you are not actively using this feature you may want to disable that as well. The feature was found to track every single URL you visited and send it to Microsoft.

Reportedly, Microsoft is working on resolving this unintentional behavior.


Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Strava heatmap loophole may reveal users’ home addresses

Researchers at NC State University have outlined potential privacy issues with popular fitness app Strava which could lead to users’ homes being pinpointed. The researchers’ findings are detailed in a paper called Heat marks the spot: de-anonymising users’ geographical data on the Strava heat map.

Strava, used by more than 100 million people, includes features you’d commonly see in this kind of product, like heart rate and GPS tracking. Users can build up a picture of their health-related activities over time and make informed decisions based on the findings of the service.

The mobile tracking app is designed to track exercise activity, but it also includes a social component, allowing users to connect with each other. The researchers’ primary concern was the heat map feature, which aggregates user data and lets you see how many people are doing forms of exercise in various locations.

Although there are attempts to anonymise user data, the study highlighted ways in which some personal information—including home address—could be found. The researchers claim they found a “loophole” that bypasses the anonymity of aggregated heatmap data. From their post:

Specifically, the researchers found it is possible for anyone to look up all of the Strava users in a given area. It is also possible for users to look at the aggregate data on a heatmap and see where each of the anonymous users’ routes begin and end.

“In a densely populated area, with lots of routes and lots of users, there is so much data that it would be extremely difficult to track any specific person,” Das says. “However, in areas where there are few users and/or few routes, it becomes a simple process of elimination – particularly if the person someone is looking for is a highly active Strava user. Even users who have marked their accounts as private show up when anyone searches for a list of all the users in a given municipality, so marking an account private doesn’t necessarily provide additional protection against this tracking technique.”

Strava told the researchers that heat map data isn’t shared unless several users are active in any given area, but the researchers still managed to identify the home addresses of some users via the heatmap. These locations were confirmed using voter registration data. Note that depending on which country you live in, voter data may not be available to use in this manner (or even be available in the first place).

While this may all sound very straightforward to do, the actual process is fairly involved. As Bleeping Computer highlights, the process is as follows:

  • Collect data on your chosen location for a period of roughly a month.
  • Overlay OpenStreetMap (an open geographic database maintained by volunteers) at a zoom level which allows for singling out residence addresses.
  • Compare heatmap endpoints and user data accessible from search to establish connections between “high activity points” and home addresses.

This, combined with public profiles displaying real names, photographs, and data related to specific activities, means that singling out certain users was achievable. A word of caution: the success rate for this kind of needle-in-a-haystack activity is not fantastic. The study mentions that more active users will be potentially easier to track down, but for “average” users of the app the likelihood of being discovered is 37.5%.

The paper highlights a few of the ways Strava users can reduce the possibility of falling victim to this attack, but a lot depends on the app developers implementing them or the randomness of your personal circumstances. For example, living in a heavily populated area will go a long way toward blending you into the crowd.

Another is setting large exclusion zones around your home, to make it impossible to figure out which specific location you’re exiting and entering. You can set your Strava profile to private, and also disable the heatmap feature if you don’t need any of the social features available to you. If you use another form of fitness tracking app, this is the ideal moment to see what data you may be sharing and lock down as needed.



More MOVEit vulnerabilities found while the first one still resonates

In early June, we reported on the discovery of a critical vulnerability in MOVEit Transfer—known as CVE-2023-34362.

After the first vulnerability was discovered, MOVEit’s owner Progress Software partnered with third-party cybersecurity experts to conduct further detailed code reviews of the software. Now, Progress says it has discovered multiple SQL injection vulnerabilities in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database.

There are no CVEs yet available for the new vulnerabilities, but Progress has released patches.

Users of Progress MOVEit Transfer versions released before 2021.0.7 (13.0.7), 2021.1.5 (13.1.5), 2022.0.5 (14.0.5), 2022.1.6 (14.1.6), 2023.0.2 (15.0.2) should follow the recommendations in the security bulletin about the new vulnerabilities.

This code review was undoubtedly triggered by the severe consequences of the first vulnerability, which was exploited by the Cl0p ransomware gang. Cl0p confirmed it was behind these attacks in responses to inquiries by Reuters and BleepingComputer.

Cl0p is showing a very different behavior from other ransomware groups. The gang either found or bought the CVE-2023-34362 vulnerability and reportedly started testing it against victims as far back as 2021.

They felt comfortable enough to hold off on actively deploying their ransomware, and didn’t launch a large scale campaign until the 2023 Memorial Day weekend in the US. This demonstrates a level of sophistication and planning that we don’t see in other ransomware groups.

Victims of this exploitation wave are plentiful and new ones keep coming forward. All the victims of this attack have been told to contact the Cl0p ransomware group before June 14, 2023 or “face the consequences,” which tends to suggest that their data will be published online.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.


A week in security (June 5 – 11)

Last week on Malwarebytes Labs:

Stay safe!



Public and free WiFi: Can I safely use it?

We’ve got into the habit of expecting internet access wherever we go. But data costs can be expensive, and outside your own home often the only WiFi available is public, passwordless and free.

In security, we’ve been trained to carefully contemplate anything that’s free, because, well, often when something is free, you turn out to be the product. So should we be concerned about free Wi-Fi?

A few years ago, we wrote:

“A WiFi connection’s safety depends on its security settings and the source of the WiFi connection. In public, using shared WiFi carries risks. If you have to use public WiFi hotspots, it’s wise to also use a VPN to keep your activity private while you use that connection.  A VPN wraps your network traffic (including web browsing, email, and other things) in a protective tunnel and makes up for any weaknesses in their encryption.”

While this is still basically true, the internet has changed since then. Most websites have switched to HTTPS (Hypertext Transfer Protocol Secure), which means that any traffic to and from the website you are trying to access is encrypted. That means that it couldn’t be read by anyone trying to intercept the traffic in order to snoop on your data. 

So nowadays, my advice is this: For day-to-day use, I wouldn’t recommend setting up a new banking account over public WiFi, but I wouldn’t fret about using public Wi-Fi for everyday browsing either.

How to reduce public WiFi security risks

In order to see if a website is using HTTPS, check for the padlock symbol in the browser address bar, and make sure the website starts with “https://”.

If you really want to be sure, or you need to do something like set up a bank account, then you can use a Virtual Private Network (VPN) to secure your traffic when using public WiFi.

By wrapping your traffic in a single, impenetrable tunnel, the best VPN services will keep your data safe from attempts to intercept your communications.


We don’t just report on encryption—we offer you the option to use it.

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

Ransomware review: June 2023

This article is based on research by Marcelo Rivero, Malwarebytes’ ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, “known attacks” are those where the victim didn’t pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher.

In May, Lockbit, usually the reigning king of ransomware, found a fierce competitor in MalasLocker. Last month also witnessed a record number of 556 reported ransomware victims, the unusual emergence of Italy and Russia as major targets, and a significant rise in attacks on the education sector.

Let’s jump right in with MalasLocker, who burst onto the scene last month with 171 total victims—beating out LockBit (76) by almost 100 known attacks.

Known ransomware attacks by gang, May 2023

This isn’t the first time this year a gang has overtaken LockBit and climbed to the top spot on our monthly charts. In April Cl0p rose to the number one spot by compromising over 100 victims with a zero-day vulnerability in the widely-used managed file transfer software GoAnywhere MFT.

This month, MalasLocker’s meteoric rise to the top can be explained along similar lines.

MalasLocker attacked vulnerabilities in Zimbra servers, including CVE-2022-24682, to enable remote code execution (RCE). Zimbra Collaboration, formerly known as the Zimbra Collaboration Suite (ZCS) is a collaborative software suite that includes an email server and a web client.

What sets MalasLocker most apart, however, is its unique ‘charitable’ twist. Rather than demanding ransoms, it asked victims to donate to its approved charities.

MalasLocker: The Robin Hood of ransomware?

Needless to say, it is highly unusual for a ransomware gang to purport to attack organizations on altruistic grounds. We haven’t seen it once since we started keeping track of gangs in early 2022.

“Unlike traditional ransomware groups, we’re not asking you to send us money. We just dislike corporations and economic inequality,” reads the MalasLocker ransom note README.txt.

One might assume that a ransomware gang principally opposed to corporations and economic inequality might disproportionately target larger and more wealthy organizations, but this isn’t necessarily the case. The gang’s blog suggests it’s open to targeting businesses of all sizes, so long as they aren’t located in “Latin America, Africa, or other colonized countries.”

We are completely unmoved by MalasLocker’s supposed altruism. Ransomware gangs (and cybercriminals in general) have a long and storied history of writing long and tedious tracts justifying their criminal activity with grandiose claims.

MalasLocker is no different. We read its manifesto so you don’t have to, and the only line you need to pay any attention to is the one that reads “so we will become just another ransomware group.”

So far, we have no confirmation that MalasLocker is keeping its word for a decryptor when a victim donates money to a charity.

Known ransomware attacks by country, May 2023

Known ransomware attacks by industry sector, May 2023

Italy and Russia emerge as targets

The upswing in ransomware activity in Italy and Russia in May is striking. Both countries were propelled into the top three most targeted nations in May, a list typically dominated by the USA and the UK.

Italy saw more than a six-fold increase from the month before, and Russia went from zero reported attacks to 50 in a single month. For comparison, Italy had only eight reported ransomware incidents in April, while Russia wasn’t even listed. Similarly, in March, Russia had no reported incidents, and Italy had just eight.

The surge in attacks on these two countries is entirely due to MalasLocker, which hit more targets in Russia and Italy than anywhere else. We assume that this is not a matter of deliberate targeting but simply a matter of where there were vulnerable targets.

Known MalasLocker attacks by country, May 2023

Traditionally, most ransomware gangs have avoided targeting Russia and the Commonwealth of Independent States (CIS) to prevent attracting the attention of local authorities who otherwise turn a blind eye to them.

Either MalasLocker isn’t based in the CIS and therefore doesn’t fear the Federal Security Service (FSB), or they are going to have a very short stay in the ransomware charts.

Increased ransomware attacks on Education

The increase in ransomware attacks on the education sector in May is particularly concerning. May saw 30 known attacks—the highest we’ve seen in a single month since we started keeping records in early 2022, and the continuation of a trend that has seen a sustained increase over the past twelve months.

Known ransomware attacks against education, June 2022-May 2023

Between June 2022 and May 2023, Vice Society attacked more education targets than any other gang—a specialization that should alarm schools, colleges, and universities everywhere.

A new norm?

Ransomware gangs seem to be adopting a new modus operandi: Exploiting known vulnerabilities for multi-target attacks. This year we have seen Cl0p and MalasLocker attack multiple targets simultaneously with (presumably automated) targeting of specific system weaknesses, expanding the scale and impact of their ransomware operations.

Cl0p, for example, has a history of exploiting platforms like Accellion FTA and GoAnywhere MFT. In April, it shifted its focus to a vulnerability in another popular platform, PaperCut.

In June, as we prepared this report, it emerged that Cl0p had been exploiting yet another vulnerability, this time in the widely used file transfer software MOVEit Transfer. The gang started exploiting the vulnerability on May 27th, during the US Memorial Day holiday.

A security bulletin released on May 31, 2023 by Progress Software states:

“A SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an un-authenticated attacker to gain unauthorized access to MOVEit Transfer’s database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements.”

This approach is unusual and should concern us all because it has the potential to make ransomware attacks more scalable.

New players

BlackSuit

BlackSuit is a new ransomware that is strikingly similar to Royal, sharing 98% of its code. Last month, BlackSuit targeted both Windows and Linux hosts. 

BlackSuit could be a new variant developed by Royal’s authors, a mimicry attempt using similar code, an affiliate of the Royal ransomware gang running its own modifications, or even a breakaway group from the Royal ransomware gang.

Rancoz

Rancoz is a new ransomware variant which shares similarities with Vice Society. Its sophistication lies in its ability to modify existing code from leaked source codes to target specific industries, organizations, or geographic regions, increasing its attack efficacy and ability to evade detection.

8Base

8Base is a newly discovered ransomware gang which, despite only recently gaining attention, has been in operation since April 2022. In May, it had a total of 67 victims.

Predominantly targeting small and medium-sized businesses (SMBs), 8Base has attacked mainly companies within the Professional/Scientific/Technical sector, comprising 36% of known attacks, followed by Manufacturing at 17%. Geographical analysis of the victims suggests a concentration in the Americas and Europe, with the United States and Brazil being the most targeted countries.

RA Group

RA Group is a new ransomware primarily focusing its attacks on pharmaceutical, insurance, wealth management, and manufacturing firms located in the United States and South Korea. 

The RA Group employs an encryptor derived from the leaked source code of Babuk ransomware, an operation that ceased in 2021. The encryptor employs intermittent encryption, which alternates between encrypting and not encrypting sections of a file to expedite the encryption process, but leaves some data partially recoverable. 


How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.


Former TikTok exec: Chinese Communist Party had “God mode” entry to US data

A former executive at TikTok’s parent company ByteDance has claimed in court documents that the Chinese Communist Party (CCP) had access to TikTok data, despite the data being stored in the US. The allegations were made in a wrongful dismissal lawsuit which was filed in May in the San Francisco Superior Court.

The former executive is Yintao “Roger” Yu, who worked as head of engineering for ByteDance. Yu worked for ByteDance between 2017 and 2018. According to his claims, the CCP had its own office inside ByteDance’s headquarters.

In the lawsuit he also accuses ByteDance of pushing nationalistic content that served to both increase engagement on ByteDance’s websites and to promote support of the CCP, and that the Communist Party could access American user data through what he called a backdoor channel in the code.

That statement was supported by recent events. The Australian Financial Review has been shown a sample of code to secretly suppress or elevate content that supports Communist Party narratives or sows division within democracies. This is exactly the reason why General Paul Nakasone, Director of the National Security Agency (NSA) called TikTok a loaded gun. Speaking at a US Senate hearing, the general said “one third of Americans get their news from TikTok,” adding “one sixth of American youth say they’re constantly on TikTok.”

Even more shocking is the claim that the CCP not only could access US user data via a backdoor channel in the code but also that some members of the ruling Communist Party used data held by the company to identify and locate protesters in Hong Kong.

Hong Kong is a semi-autonomous region in China with its own government. TikTok is no longer available there. Anyone who tries to open TikTok from within Hong Kong will see a message that reads “We regret to inform you that we have discontinued operating TikTok in Hong Kong.”

He also accused ByteDance of scraping data from competitors, mainly Instagram and Snapchat, without users’ permission.

After being banned from devices of employees of several—mostly government—organizations, TikTok is battling to convince politicians that it operates independently of ByteDance, which has deep ties to the CCP. Yu’s suit alleges that ByteDance was aware that if the Chinese government’s backdoor was removed from the US version of the app, the Chinese government would likely ban the company’s valuable Chinese-version apps.

Responding to Yu’s allegations, ByteDance said it will “vigorously oppose what we believe are baseless claims and allegations in this complaint.” It is “committed to respecting the intellectual property of other companies” and obtains data “in accordance with industry practices and our global policy.”



VMware patches critical vulnerabilities in Aria Operations for Networks

VMware has released security updates to fix three vulnerabilities in Aria Operations for Networks which could result in information disclosure and remote code execution.

The vulnerabilities were found in Aria Operations for Networks, which was formerly known as vRealize Network Insight. Users of VMware Aria Operations for Networks 6.x are advised to apply the patches listed in the VMware KB article about these vulnerabilities.

Before you download and apply the security patch for your Aria Operations for Networks deployment, VMware advises performing the cleanup steps described in VMware KB 88977, to avoid the patch upgrade failing with an “Insufficient disk space” toast message.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs patched in these updates are:

CVE-2023-20887 (CVSS score: 9.8 out of 10): Aria Operations for Networks contains a command injection vulnerability. A malicious actor with network access to VMware Aria Operations for Networks may be able to perform a command injection attack resulting in remote code execution (RCE).

CVE-2023-20888 (CVSS score: 9.1 out of 10): Aria Operations for Networks contains an authenticated deserialization vulnerability. A malicious actor with network access to VMware Aria Operations for Networks and valid ‘member’ role credentials may be able to perform a deserialization attack resulting in remote code execution (RCE).

CVE-2023-20889 (CVSS score: 8.8 out of 10): Aria Operations for Networks contains an information disclosure vulnerability. A malicious actor with network access to VMware Aria Operations for Networks may be able to perform a command injection attack resulting in information disclosure.

Command injection is an attack method that aims to execute arbitrary commands on a system. Typically, the threat actor injects the commands by exploiting an application vulnerability, such as insufficient input validation.
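Added illustration (not VMware’s code or anything from the advisory) of what “insufficient input validation” looks like in practice: a command line assembled from an untrusted value, beside an allow-listed, argv-based form that never hands the value to a shell. The ping scenario, is_safe_host and build_ping_argv are constructed for this example.

```c
/* Added example, not from the article or from VMware. The "ping a host"
 * scenario and every input below are constructed for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Vulnerable pattern, shown for contrast and never called by this example:
 * the user-supplied value is pasted into a shell command line, so any shell
 * metacharacters it contains are interpreted as part of the command. */
void ping_host_vulnerable(const char *host) {
    char cmd[256];
    snprintf(cmd, sizeof cmd, "ping -c 1 %s", host);
    system(cmd);                        /* the shell parses the whole string */
}

/* Allow-list validation: a host name or IPv4 literal may contain only
 * letters, digits, dots and hyphens, must be non-empty and at most 253
 * characters (the DNS name length limit). Returns 1 if acceptable. */
int is_safe_host(const char *host) {
    size_t len = host ? strlen(host) : 0;
    if (len == 0 || len > 253) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!isalnum(c) && c != '.' && c != '-') return 0;
    }
    return 1;
}

/* Hardened pattern: validate first, then build an argv vector suitable for
 * execvp() or posix_spawn(). No shell is involved, so the host value is
 * always exactly one argument. Returns the argument count on success, or 0
 * if the host was rejected (argv is left untouched in that case). */
int build_ping_argv(const char *host, const char *argv[5]) {
    if (!is_safe_host(host)) return 0;
    argv[0] = "ping";
    argv[1] = "-c";
    argv[2] = "1";
    argv[3] = host;
    argv[4] = NULL;                     /* execvp() requires a NULL sentinel */
    return 4;
}

int main(void) {
    /* Constructed inputs: a plain address, and one carrying a shell separator. */
    const char *inputs[] = { "192.0.2.10", "192.0.2.10; id" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        const char *argv[5];
        int n = build_ping_argv(inputs[i], argv);
        printf("%-20s -> %s\n", inputs[i], n ? "accepted" : "rejected");
    }
    return 0;
}
```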

Deserialization is the process of taking data from files, networks or streams and rebuilding it as objects. Deserializing untrusted user input is considered a security misconfiguration, and can have serious consequences.

VMware Aria Operations for Networks helps IT teams to monitor, discover, and analyze networks and applications to build an optimized, highly available and secure network infrastructure across clouds.

Virtualization technology has taken the scalability of IT systems to the next level. Cybercriminals are very much aware of that and have a vested interest in hypervisor software and network mapping tools, because they make it easier to control a host of virtual machines, which is much more effective than attacking individual systems.

So, vulnerabilities in such software are guaranteed to be researched by malicious actors.

