Microsoft has acknowledged a cyberattack by Russians state sponsored group Cozy Bear who, it says, was looking how much information Microsoft holds about Cozy Bear.

In a spy-vs-spy type of scenario, Microsoft has acknowledged that a group called Midnight Blizzard (also known as APT29 or Cozy Bear), gained access to a Microsoft legacy non-production test tenant account.

According to Microsoft, the group managed to access the account in November after subjecting it to a password spray attack, a type of brute force attack where the attacker tries a large amount of logins until they succeed. The group used this foothold to access some of Microsoft’s corporate email accounts and steal some emails and attached documents.

Cozy Bear, who is generally linked to the Russian Foreign Intelligence Service, also known as the SVR, appears to have been curious to find out what information Microsoft had gathered about it. Cozy Bear is generally believed to be behind the SolarWinds attack and attacks on several US institutions, including the State Department, the White House, and the DNC. On all these occasions, the Dutch alerted the US intelligence services.

Microsoft’s investigation about the attack showed that the group was not after customer data or corporate information, but instead something closer to home:

> “The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself.”

To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems, but the investigation is still ongoing. Microsoft has promised to provide additional details as appropriate.

Generally speaking, the larger an organization is, the larger the attack surface, but with companies like Microsoft people expect a tighter security. It is, after all, a security software vendor as well. So, the fact that Cozy Bear was able to stay undetected for months comes as a surprise to many.

Apparently, the attack scared Microsoft itself as well: It says that it feels the need to speed up its cyberprotection advancement project, the Secure Future Initiative, given how well-funded and resourced the attackers are.

> “We will act immediately to apply our current security standards to Microsoft-owned legacy systems and internal business processes, even when these changes might cause disruption to existing business processes.”

This attack can generally be seen as a warning to every other organization that has information which might be of interest to foreign governments.

The more an organization has grown, the larger the chance that legacy accounts exist and may even be neglected. Compare the organization to an office building: The more doors and windows (pun intended) exist, the larger the chance that one is left open. And if there are offices that are no longer in use, the chance of an opening grows exponentially.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 Microsoft got hacked by state sponsored group it was investigating 

Russian state-sponsored actor Coldriver uses spear phishing attacks to install the Spica backdoor on victim systems.

Researchers at Google’s Threat Analysis Group (TAG) have published their findings about a group they have dubbed Coldriver. The main targets of the Coldriver group are high-profile individuals in non-governmental organizations (NGOs), former intelligence and military officials, and NATO governments. These targets are approached in spear phishing attacks.

The group uses social engineering techniques to persuade their targets to open documents or download malware. Their activities are aligned with those of the Russian government, so it’s pretty safe to say that Coldriver is a state-sponsored group.

In December 2023, the US charged two Russians believed to be members of this group, for their role in a campaign that hacked government accounts.

Microsoft, who tracks the group as Star Blizzard, says the group targets individuals and organizations involved in international affairs, defense, and logistics support to Ukraine, as well as academia, information security companies, and other entities aligning with Russian state interests.

Typically, the group creates an impersonation account that pretends to be an expert in a field the target might be interested in or that is somehow affiliated with the target. Once a relationship has been established, the target will receive a phishing link or a document containing such a link.

To gain trust, Coldriver uses social media and professional marketing systems to build a profile of its target. With that information the group sets up email contacts, social media and other networking accounts that align with the target’s interests and appear legitimate.

Coldriver uses webmail addresses from different providers, including Outlook, Gmail, Yahoo and Proton Mail in the initial approach, impersonating known contacts of the target or well-known names in the target’s field of interest or sector. The group is also known to register malicious domains that mimic legitimate organizations.

Recently, TAG has noticed that the group uses “lure documents” to install a backdoor on the target’s system. These lure documents, which are harmless PDF files, are sent to the target, but when they open them the content appears to be encrypted.

When the target queries about the encryption, Coldriver sends the target a link to a decryption utility, typically hosted on a cloud storage site. This so-called decryption utility shows the target a normal PDF file, so that it appears as if the original was decrypted, but at the same time it installs a backdoor.

This backdoor is custom malware, likely developed by or for Coldriver, called Spica. Spica is written in the Rust programming language and supports, among others, these commands:

*   Execute arbitrary shell commands
*   Steal cookies from Chrome, Firefox, Opera, and Edge
*   Upload and download files
*   Analyze the filesystem by listing the content
*   Enumerate documents and copy them to an archive

The backdoor establishes persistence through an obfuscated PowerShell command that creates a scheduled task named CalendarChecker.

TAG suspects but has been unable to verify that there are multiple variants of Spica: one to match each lure document sent to targets.

**YARA rule**

YARA is a tool that can identify files that meet certain conditions. It is mainly in use by security researchers to classify malware.

TAG has created a YARA rule that cab help find the Spica backdoor.

rule SPICA\_\_Strings {  
meta:

author = “Google TAG”  
description = “Rust backdoor using websockets for c2 and embedded decoy PDF”  
hash = “37c52481711631a5c73a6341bd8bea302ad57f02199db7624b580058547fb5a9”  
strings:  
$s1 = “os\_win.c:%d: (%lu) %s(%s) – %s”  
$s2 = “winWrite1”  
$s3 = “winWrite2”  
$s4 = “DNS resolution panicked”  
$s5 = “struct Dox”  
$s6 = “struct Telegram”  
$s8 = “struct Download”  
$s9 = “spica”  
$s10 = “Failed to open the subkey after setting the value.”  
$s11 = “Card Holder: Bull Gayts”  
$s12 = “Card Number: 7/ 3310 0195 4865”  
$s13 = “CVV: 592”  
$s14 = “Card Expired: 03/28”

$a0 = “agent\\\\src\\\\archive.rs”  
$a1 = “agent\\\\src\\\\main.rs”  
$a2 = “agent\\\\src\\\\utils.rs”  
$a3 = “agent\\\\src\\\\command\\\\dox.rs”  
$a4 = “agent\\\\src\\\\command\\\\shell.rs”  
$a5 = “agent\\\\src\\\\command\\\\telegram.rs”  
$a6 = “agent\\\\src\\\\command\\\\mod.rs”  
$a7 = “agent\\\\src\\\\command\\\\mod.rs”  
$a8 = “agent\\\\src\\\\command\\\\cookie\\\\mod.rs”  
$a9 = “agent\\\\src\\\\command\\\\cookie\\\\browser\\\\mod.rs”  
$a10 = “agent\\\\src\\\\command\\\\cookie\\\\browser\\\\browser\_name.rs”  
condition:  
7 of ($s\*) or 5 of ($a\*)  
}

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 Coldriver threat group targets high-ranking officials to obtain credentials 

A list of topics we covered in the week of January 15 to January 21 of 2024

Skip to content

*   Contact Us
    *   Personal Support
    *   Business Support
    *   Talk to Sales
    *   Contact Press
    *   Partner Programs
    *   Submit Vulnerability
*   Company
    *   About Malwarebytes
    *   Careers
    *   News & Press
*   Sign In
    *   **MyAccount sign in:** manage your personal or Teams subscription >
    *   **Cloud Console sign in:** manage your cloud business products >
    *   **Partner Portal sign in:** management for Resellers and MSPs >

*   Personal
*   Business
    
    < Business
    
    BUNDLES
    
    *   Core
    *   Prevent and remediate threats and identify vulnerabilities
    *   Advanced
    *   Utilize threat guidance and patch management plus everything in **Core**
    *   Elite
    *   Deploy Managed Detection and Response plus everything in **Advanced**
    *   Ultimate
    *   Protect against categories of malicious websites plus everything in **Elite**
    
    TECHNOLOGY HIGHLIGHTS
    
    *   Managed Detection & Response (MDR)
    *   Deploy fully-managed threat monitoring, investigation, and remediation
    *   Endpoint Detection & Response (EDR)
    *   Prevent more attacks with security that catches what others miss
    *   Security Advisor
    *   Visualize and optimize your security posture in just minutes
    *   For Education
    *   Secure your students and institution against cyberattacks
    
    Learn more about Security Advisor (available in every bundle) and see the full list of our products and services.
    
    Full technology list >
    
*   Pricing
    
    < Pricing
    
    Protect your personal devices and data
    
    Protect your team’s devices and data
    
    Explore our award-winning endpoint security products, from EP to EDR to MDR
    
*   Partners
*   Resources
    
    *   Reviews
    *   Analyst Reports
    *   Case Studies
    
*   Support
    
    Featured Content
    
    *   Activate Malwarebytes Privacy on Windows device.
    

**RELATED ARTICLES**

January 22, 2024 - Russian state-sponsored actor Coldriver uses spear phishing attacks to install the Spica backdoor on victim systems.

January 20, 2024 - A nonprofit study claims that Google is failing to delete location history that reveals users' physical trips to abortion clinics.

January 19, 2024 - Google wants you to know you can still be tracked when you're incognito.

January 19, 2024 - CISA has added two Citrix NetScaler vulnerabilities to its vulnerability catalog, with a very short deadline to patch.

January 18, 2024 - Google has issued a security update for the Chrome browser that includes a patch for one zero-day vulnerability.

 A week in security (January 15 &#8211; January 21) 

A nonprofit study claims that Google is failing to delete location history that reveals users' physical trips to abortion clinics.

Nearly 16 months after Google announced a policy change to remove location data that could reveal users’ physical trips to abortion clinics and other potentially sensitive medical centers, a nonprofit has alleged in a new report that the company is failing to do just that.

The findings, which were immediately disputed by Google, could impact whether Americans feel they can privately search for and access abortion care in several states across the US, should their digital activity be requested by law enforcement as evidence of a crime. In June 2022, the US Supreme Court overruled its 1973 decision of Roe v. Wade, which had, for decades, conferred the public’s constitutional right to choose to have an abortion; many states have now banned the procedure.

In a press release issued by Accountable Tech, which conducted the study, executive director and cofounder Nicole Gill lambasted Google for its alleged failure to keep users safe from the weaponization of their location data.

“Knowing they are complicit in the criminalization of essential care, Google has made promises to improve their privacy policies,” Gill said in a press release. “But proof that they continue to fall short makes it clear that they cannot be trusted to protect the millions of users who rely on their products everyday.”

But in responding to a report from The Guardian, which claimed to have exclusively reviewed Accountable Tech’s research, Google pushed back.

“We are upholding our promise to delete particularly personal places from Location History if these places are identified by our systems—any claims that we’re not doing so are patently false or misguided,” said Marlo McGriff, director of product for Google Maps.

At heart is whether Google is doing as it said it would in July 2022—auto-deleting location history entries for users who visit “medical facilities like counseling centers, domestic violence shelters, abortion clinics, fertility centers, addiction treatment facilities, weight loss clinics, cosmetic surgery clinics, and others,” so long as Google’s internal systems detect such a visit.

According to Accountable Tech’s study, which ran eight experiments in seven different states, “Google retained Location History data about 50% of the time.” For its research, the nonprofit purchased new Android phones and set up default privacy settings before physically traveling to Planned Parenthood locations. In four of the eight visits to Planned Parenthood clinics, Google deleted the _name_ of the clinic in the user’s location history, but the _route_ that was traveled remained.

The study also claimed that location _searches_ were not deleted, sharing a screenshot from a user’s “Web & App activity timeline” that showed the text:

> “Directions to Planned Parenthood – Locust Street Surgical Center, 1144 Locust St, Philadelphia, PA 19107.”

In responding to examples from Accountable Tech’s study that The Guardian shared, Google Maps director of product McGriff explained that Google’s systems did not detect that a user had visited a Planned Parenthood, and so the route to and from that Planned Parenthood was not deleted.

Google’s 2022 policy change was a direct response to the US Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, which placed the legality of abortion access in the control of individual states.

As of early this year, 14 states, including Louisiana, Alabama, Idaho, and Indiana, have banned abortion in nearly all circumstances, according to The New York Times. An additional seven states have placed additional restrictions. The changes have pushed countless residents to leave their homes or violate state laws to seek healthcare.

When the Lock and Code podcast spoke with two experts in digital privacy and law from Electronic Frontier Foundation, both agreed on how the public could more safely navigate a post-Roe America: Say less.

Less than one month after recording that podcast, Facebook reportedly delivered messages to law enforcement that were between a mother and daughter who were under investigation for allegedly aborting a pregnancy.

Accountable Tech’s CEO Gill said this is the new landscape that Americans face.

“In post-Roe America, prosecutors are looking to Big Tech to help them build cases against abortion seekers by providing the data to track their every movement,” Gill said. “We deserve to have power over our own data, and we must fight to prevent a handful of powerful Big Tech companies from weaponizing our private information against us.”

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Google failing to scrub abortion access in location history, study claims 

Google wants you to know you can still be tracked when you're incognito.

Users of Chrome Canary have noticed some slight changes in the wording that Google uses for Incognito mode.

Chrome Canary is mainly intended for use by developers. It’s updated nearly daily with new features, and because it can be used alongside versions of the “normal” Chrome browser (known collectively as Chrome’s “Stable channel”), it can serve for testing and development purposes. So, these developers have access to the latest features and some of them noticed a few updates in the wording about Chrome’s Incognito mode.

Chrome’s Incognito mode aims to protect your privacy from other people who use the same device. It mitigates the risk of a spouse, roommate, or anyone on a public computer spying on your browsing habits. Private browsing mode does so by stopping your browser from saving your browsing information on your computer.

Incognito mode is also sometimes used for troubleshooting, because it ignores the installed browser extensions unless you specifically allow them to run in Incognito mode.

But, although the primary function of private browsing is to locally hide your browsing activity, Incognito mode has an interesting side effect—websites also see you as a new user when you come back in Incognito mode. This can come in handy, but should not be overrated.

You can open Incognito mode by clicking on the three dots in the right hand upper corner (More) of the browser menu and then on **New Incognito window.**

How to open an Incognito window

In the Stable channel build this is what you will see when you open an Incognito window.

> You’ve gone Incognito
> 
> Now you can browse privately, and other people who use this device won’t see your activity. However, downloads, bookmarks and reading list items will be saved.

The new warning seen in Chrome Canary when you open an incognito window says:

> “You’ve gone Incognito. Others who use this device won’t see your activity, so you can browse **more** privately. **This won’t change how data is collected by websites you visit and the services they use, including Google.**“

Image courtesy of MSPowerUser

It’s clear that Google has put more emphasis on users of the same device while moving away from the websites you visit. And it’s true that Incognito mode is primarily designed to keep your information private from other users of the same computer. It isn’t designed to keep your information private from the websites you visit, although that is sometimes a side effect. We have explained this in the past, but it’s noteworthy that Google has now added that it “won’t change how data is collected by websites you visit and the services they use, including Google.”

It’s generally assumed that the changes are tied to the fact that Google has indicated that it is ready to settle a class-action lawsuit filed in 2020 over the Incognito mode. Arising in the Northern District of California, the lawsuit accused Google of continuing to “track, collect, and identify \[users’\] browsing data in real time” even when they had opened a new Incognito window.

The judge rejected Google’s bid for summary judgement in August of 2023, pointing out that Google never revealed to its users that data collection continued even while surfing in Incognito mode.

Apparently many users, surely not our regular readers, where not aware that Incognito mode is not an anonymous mode. Websites and services, will still be able to track you and collect your data. Enabling the **Block third-party cookies** setting is more helpful.

**We don’t just report on privacy—we offer you the option to use it.**

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

 Google changes wording for Incognito browsing in Chrome 

CISA has added two Citrix NetScaler vulnerabilities to its vulnerability catalog, with a very short deadline to patch.

The Cybersecurity and Infrastructure Security Agency (CISA) has added two Citrix NetScaler vulnerabilities to its Known Exploited Vulnerabilities catalog, and it has set the “due date” a week after they were added.

Federal Civilian Executive Branch (FCEB) agencies are handed specific deadlines for when vulnerabilities must be dealt with. Normally, the Directive requires those agencies to remediate internet-facing vulnerabilities on its catalog within 15 days, and all others within 25 days.

The Citrix NetScaler vulnerabilities need to be patched by January 24, 2024. These issues only apply to customer-managed NetScaler ADC and NetScaler Gateway. Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication are not impacted.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs that CISA has added to the catalog are:

CVE-2023-6548, an improper control of generation of code (code injection) vulnerability in NetScaler ADC and NetScaler Gateway with a CVSS score of 5.5 out of 10. It allows an attacker with access to NSIP, CLIP or SNIP with management interface to perform Authenticated (low privileged) remote code execution on the interface.

Because this vulnerability only impacts the management interface, network traffic to the appliance’s management interface should be separated, either physically or logically, from normal network traffic, and you should avoid exposing it to the internet.

CVE-2023-6549 is an improper restriction of operations within the bounds of a memory buffer in NetScaler ADC and NetScaler Gateway with a CVSS score of 8.2 out of 10. It allows unauthenticated denial of service. An attacker could exploit this vulnerability when a vulnerable appliance has been configured as a gateway (e.g. VPN, ICA Proxy, CVPN, RDP Proxy) or as a AAA virtual server.

The following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities: 

*   NetScaler ADC and NetScaler Gateway 14.1 before 14.1-12.35
*   NetScaler ADC and NetScaler Gateway 13.1 before 13.1-51.15
*   NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.21
*   NetScaler ADC 13.1-FIPS before 13.1-37.176
*   NetScaler ADC 12.1-FIPS before 12.1-55.302
*   NetScaler ADC 12.1-NDcPP before 12.1-55.302

Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End Of Life (EOL) and is vulnerable.

Citrix has also observed exploits on unpatched instances and strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible.

A few months ago, CISA and the Federal Bureau of Investigation (FBI), along with other international agencies, warned that ransomware gangs are actively exploiting the Citrix Bleed vulnerability which was also found in Citrix NetScaler versions. This goes to show how popular these kind of vulnerabilities are among cybercriminals.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

 CISA urges urgent patching of two actively exploited Citrix NetScaler vulnerabilities 

"Spend smarter, not harder" is the mantra for cybersecurity in 2024.

“Spend smarter, not harder” is the mantra for 2024, as Gartner forecasts a 14.3% jump in global security and risk management spending—an uptick which brings a renewed focus on the need for cost-effective cybersecurity investments.

Inefficient cybersecurity spending, a known problem, becomes even more pressing with increased budgets—especially since inefficient spending often results in buying disparate security tools, which can create more security gaps and increase breach risks.

In a nutshell, with cybersecurity spending on the rise in 2024, businesses must make investments that aren’t just cost-effective, but which actually strengthen defenses too.

Let’s dive into three essential strategies for smart cybersecurity spending in 2024.

**Conduct a thorough needs analysis**

We’ve all experienced buyer’s remorse at some point, purchasing items that we later realize weren’t necessary. If only we had thoroughly questioned our need for that cool $430 HyperCube beforehand (alright, guilty as charged).

A similar concept applies in the realm of cybersecurity spending. Without carefully analyzing what goods or services they really need, organizations can fall into the trap of “tool sprawl”—the accumulation of too many cybersecurity tools.

The goal should be to tailor cybersecurity investments to actual needs, avoiding the latest, unnecessary technologies. For example, small businesses probably won’t benefit from complex, enterprise-level intrusion detection systems, and large businesses probably don’t need basic, consumer-grade security solutions.

Hastily choosing multiple cybersecurity vendors can also be a recipe for disaster. Juggling multiple vendors often complicates support processes, increases the training burden due to various systems, and challenges seamless tool integration.

**Opt for integrated security solutions**

To avoid wasteful spending, invest in security platforms which merge several protective measures in one. Not only is this more cost-effective, but it also actually improves your security posture.

Every additional security tool a company buys requires its own set of configurations, updates, and management protocols, ultimately translating to longer response times, inefficient workflows, and an inability to have a unified view of the threat landscape.

Opting for integrated security solutions like the popular ThreatDown Bundles can be a game-changer in terms of a targeted, lean approach to cybersecurity spending. By consolidating multiple security functions into a single platform, these integrations reduce overhead costs related to hardware, maintenance, and administration.

**Emphasize added value**

Imagine you’re hungry, and you can grab a basic $2 burger. That’s good, but for $5, you can upgrade to a complete meal—burger, fries, drink, maybe even a vintage Furby. That’s value-added fine dining right there—more bang for your buck.

Emphasizing added value in cybersecurity is a lot like upgrading from a basic burger to a complete meal—you get more features that go beyond the foundational security measures (and best of all, without any trans fats).

For example, consider solutions featuring complimentary Vulnerability Assessment (VA) and Application Block (AB). Amid rising cybersecurity costs, VA uncovers application vulnerabilities at no extra expense, while AB actively keeps your defenses strong by preventing unwanted applications from launching, adding substantial value without breaking the bank.

**Managing cybersecurity expenses in 2024**

As we venture into 2024, organizations can more efficiently spend cybersecurity budgets through meticulous needs assessments, integrated solutions, and a focus on added value.

For organizations seeking to put these strategies into action, ThreatDown Bundles offer a practical solution.

ThreatDown bundles are like the Swiss Army knives of cybersecurity, consolidating essential security technologies, including Endpoint Detection and Response and Managed Detection and Response, into one unified platform. Each bundle comes with free threat prevention capabilities, Vulnerability Assessment and Application Block—to further reduce your threat surface at no additional cost.

Want to learn more?

 Cybersecurity spend to soar in 2024: How companies can maximize their investment 

Application Block is now free for all ThreatDown users.

Malwarebytes continues to add value to its ThreatDown Bundles with the inclusion of Application Block as free for all ThreatDown Nebula accounts (excluding Mobile only accounts). Users don’t need to activate this new feature: the policy has been enabled in their account by default.

For as many applications out there that help you keep business running as usual, there are just as many that can spell big trouble for your network security. Threat actors can embed malicious code in seemingly legitimate applications, which end users then innocently execute on their Windows endpoints. (And the bad guys are in).

Or threat actors can find an application on your network with a known vulnerability for which no patch has been developed. (And again, they’re in.) 

Application threats also don’t just stop at cybercriminal gangs: organizations also just might not want employees using unproductive or unapproved applications and the security risks that follow.

All of this is to say that having the ability to blocklist certain applications from running is a key part of an effective layered defense. Malwarebytes is adding **Application Block** for free in all ThreatDown Bundles to make it easier for under-resourced orgs to meet this important security requirement.

Let’s dive in to see how it works!

**Features**

*   Log and monitor blocked application activity on endpoints.
*   Block device access to specified software applications, though this does not include cloud applications.
*   Block list rules are created and applied to policies across the console or sites.
*   Dashboard and reporting for blocked applications.

For a technical overview of Application Block for Nebula, click here: https://service.malwarebytes.com/hc/en-us/sections/10604417341587-Application-Block

**Enable Blocking**

When setting or modifying a policy in the Nebula console, go to the **Software management** tab at the bottom.

There you’ll find the **Application block** option for Windows. Let’s go ahead and check it and then save this policy.

**Block Rule Creation/Management**

Heading over to the Monitor tab, we’ll find Application Block near the bottom of the drop-down menu. Let’s click into that. 

We’re taken to an activity log dashboard of blocked applications. Find the **Rules** tab near the top and click “New rule”. 

Rules in Application Block for Nebula define which software applications and executables are blocked across your endpoints. We can apply this rule globally or to specific policies only.

Basic application block rules select the Application or Vendor name to block the service. Advanced rules are available to use file information to block the service including Certificate property, File path, File property, and Hash value.

Let’s save this rule and head back over to our activity log!

**Application Block Activity Log**

The Activity Log tab displays blocked applications across all your managed endpoints. Blocked records are retained for approximately 90 days.

View the following information for each endpoint’s activity record, including agent version, application data, and time blocked!

For auditing or external reporting purposes, you can even download Application Block activity information to your local machine by selecting all or checking specific boxes for the rows you want to export and clicking Export.

We can get a full and quick picture of our endpoint data by heading over to the Nebula Dashboard. Here we can add, remove, and rearrange widgets—including one for Application Block—that give us insight into what applications were blocked and their frequency.

**Plugging the holes in your Windows endpoint security**

Together with free Vulnerability Assessment, which effectively identifies and prioritizes critical security vulnerabilities, Application Block enhances overall security protection by preventing unauthorized software usage, offering a comprehensive security solution at no additional cost in all ThreatDown Bundles.

 Free access to ThreatDown Application Block: Elevate your Windows security at no cost 

Google has issued a security update for the Chrome browser that includes a patch for one zero-day vulnerability.

Google has released an update for Chrome which includes four security fixes, including one for a vulnerability that has reportedly already been exploited.

The easiest way to update Chrome is to allow it to update automatically, which basically uses the same method as outlined below but does not require your attention. But you can end up lagging behind if you never close the browser or if something goes wrong—such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time, given the severity of the vulnerability in this patch. My preferred method is to have Chrome open the page _chrome://settings/help_ which you can also find by clicking **Settings > About Chrome**.

If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete, and for you to be safe from those vulnerabilities.

After the update, the version should be 120.0.6099.224, or later

**Technical details**

Google never gives out a lot of information about vulnerabilities, for obvious reasons. Access to bug details and links may be kept restricted until a majority of users are updated with a fix. However, from the update page we can learn a few things.

Three vulnerabilities found by external researchers all lie in Chrome’s V8 JavaScript engine.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The three V8 vulnerabilities are listed as:

CVE-2024-0517: an out of bounds write in V8 in Google Chrome prior to 120.0.6099.224 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

An out-of-bounds write can occur when a program writes outside the bounds of an allocated area of memory, potentially leading to a crash or arbitrary code execution. This can happen when the size of the data written is larger than the size of the allocated memory area, when the data is written to an incorrect location within the memory area, or when the program incorrectly calculates the size or location of the data to be written.

CVE-2024-0518: a type confusion in V8 in Google Chrome prior to 120.0.6099.224 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Type confusion vulnerabilities are programming flaws that happen when a piece of code doesn’t verify the type of object that is passed to it before using it. Type confusion can allow an attacker to feed function pointers or data into the wrong piece of code. In this case, it can lead to heap corruption.

Heap corruption occurs when a program modifies the contents of a memory location outside of the memory allocated to the program. The heap is an area of memory made available for use by the program. The program can request blocks of memory for its use within the heap.

CVE-2024-0519: out of bounds memory access in V8 in Google Chrome prior to 120.0.6099.224 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

An out-of-bounds memory access means that the software has access to data past the end, or before the beginning, of the intended buffer.

Google notes that it is aware of reports that an exploit for CVE-2024-0519 exists in the wild.

V8 is an open-source JavaScript and WebAssembly engine developed by the Chromium Project for Chromium and Google Chrome web browsers, so users of other Chromium based browsers, like Microsoft Edge, can expect to see similar updates in the near future.

Microsoft says it’s actively working on releasing a security patch and added:

> “It’s worth highlighting that Microsoft Edge’s enhanced security mode feature mitigates this vulnerability. You can opt-in into this security feature and have peace of mind that Microsoft Edge is protecting you against this exploit.”

Use the following steps to configure enhanced security in Edge.

1.  In Microsoft Edge, go to **Settings and more** > **Settings** > **Privacy, search, and services**.
2.  Under **Security**, verify that **Enhance your security on the web** is enabled.
3.  Select the option that’s best for your browsing.

The following toggle settings are available:

*   Toggle Off (Default): Feature is turned off
*   Toggle On – Balanced (Recommended): Microsoft Edge will apply added security protections when users visit unfamiliar sites but bypass those protections for commonly visited sites. This combination provides a practical level of protection against attackers while preserving the user experience for a user’s usual tasks on the web.
*   Toggle On – Strict: Microsoft Edge will apply added security protections for all the sites a user visits. Users may report some challenges accomplishing their usual tasks.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Update Chrome! Google patches actively exploited zero-day vulnerability 

Two vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure Gateways are subject to massive exploitation despite an available workaround.

Last week we wrote about two vulnerabilities in all supported versions of Ivanti Connect Secure and Ivanti Policy Secure Gateways that were being actively exploited.

The researchers that discovered the active exploitation are warning that these attacks are now very widespread.

> “Victims are globally distributed and vary greatly in size, from small businesses to some of the largest organizations in the world, including multiple Fortune 500 companies across multiple industry verticals.”

At first, the scans by the researchers showed only limited exploitation. But later they observed scans made by an unknown party that revealed compromised devices which had a different variant of the web shell on them. The latest numbers indicate some 1700 compromised devices.

The fact that there are no patches available and users were asked to apply a workaround and monitor their network traffic for suspicious activity, may have contributed to the slow response to the sounded alarms. Almost 7000 devices remain vulnerable according to the latest count.

The workaround requires importing a mitigation.release.20240107.1.xml file which can be obtained via the download portal (login required). The XML file is in the zipped format, so you’ll need to unzip and then import the XML file.

*   Navigate to **Maintenance** > **Import/Export** > **Import XML**
*   Use the **Browse** button to point to the unzipped XML file
*   Click the **Import** Button

Importing this XML into any one node of a Cluster is enough. A FAQ and more detailed instructions can be found in the Ivanti advisory article.

It is important to note that applying the workaround or a patch, when they are made available, is not enough to undo the effects of an attack.

To find out whether your devices have been compromised, you can run the Integrity Checker Tool provided by Ivanti. This integrity tool allows an administrator to verify the integrity of the ICS / IPS Image installed on Virtual or Hardware Appliances This tool checks the complete file system and finds any additional/modified file(s).

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

Source

Malwarebytes