Microsoft's patch Tuesday roundup looks like a relatively quiet one. Unless your organization uses FBX files.

Microsoft has issued patches for 48 security vulnerabilities in the first Patch Tuesday of 2024. With a relatively low number of patches—and only two of them critical—this makes it a relatively quiet month, which is certainly not the norm in January.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVE IDs for the two critical vulnerabilities are:

CVE-2024-20674 is a Windows Kerberos security feature bypass vulnerability with a CVSS score of 9.0 out of 10. An authenticated attacker could exploit this vulnerability by establishing a machine-in-the-middle (MITM) attack or other local network spoofing technique, then sending a malicious Kerberos message to the client victim machine to spoof itself as the Kerberos authentication server.

Kerberos is an authentication protocol that is used to verify the identity of a user or host. To make use of this vulnerability the attacker will need to gain access to the restricted network before being able to run an attack. Nevertheless Microsoft thinks exploitation is “more likely,” which means the vulnerability could be exploited as part of an attack chain.

CVE-2024-20700 is a Windows Hyper-V Remote Code Execution (RCE) vulnerability with a CVSS score of 7.5 out of 10. Successful exploitation of this vulnerability might be hard because it requires an attacker to win a race condition and they will need to first gain access to the restricted network before running an attack.

Hyper-V is the Windows hardware virtualization service. It enables users to create and run a software version of a computer, called a virtual machine. Sometimes these virtual machines are attractive targets for cybercriminals. But the advisory is not very clear on the exact circumstances or context that would allow the RCE.

One other vulnerability, classified as important, that might turn out to be of interest, at least for some users, is:

CVE-2024-20677 is a Microsoft Office Remote Code Execution (RCE) vulnerability with a CVSS score of 7.8 out of 10. The security vulnerability exists in FBX that could lead to remote code execution. To mitigate this vulnerability, the ability to insert FBX files has been disabled in Word, Excel, PowerPoint and Outlook for Windows and Mac. Versions of Office that had this feature enabled will no longer have access to it. This includes Office 2019, Office 2021, Office LTSC for Mac 2021, and Microsoft 365.

FBX files are a type of 3D model file created using the Autodesk FBX software. When you try to insert an FBX file into Word, Excel, PowerPoint, and Outlook, you will see the following error: “An error occurred while importing this file.” If you’d like to re-enable this ability, you can find the reasons why you shouldn’t and the method how to do it on this Microsoft Support page.

**Other vendors**

Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.

*   Adobe released a patch addressing six CVEs in Substance 3D Stager.
*   Google published the Android Security Bulletin for January 2024.
*   Fortinet has released a security update to address a vulnerability in FortiOS and FortiProxy software.
*   SAP has released its January 2024 Patch Day updates.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

 Patch now! First patch Tuesday of 2024 is here 

The US Securities and Exchange Commission's X account was compromised to take advantage of an expected Bitcoin ETFs announcement.

We have seen several high-profile accounts that were taken over on X (formerly Twitter) only to be used for cryptocurrency related promotional activities, like expressing the approval of exchange-traded funds (ETFs).

The latest victim in this line-up is the Securities and Exchange Commission (SEC).

> The @SECGov X account was compromised, and an unauthorized post was posted. The SEC has not approved the listing and trading of spot bitcoin exchange-traded products.
> 
> — U.S. Securities and Exchange Commission (@SECGov) January 9, 2024

The unauthorized post (which was removed within 30 minutes) looked like this:

The post says:

> “Today the SEC grants approval to Bitcoin ETFs for listing on registered national security exchanges.
> 
> The approved Bitcoin ETFs will be subject to ongoing surveillance and compliance measures to ensure continued investor protection.”

The hack appears to have been designed to take advantage of anticipation around an imminent annoncement by US regulators about Bitcoin Exchange Traded Funds (ETFs). ETFs are financial products that allow investors to buy commodities like gold or Bitcoin as if they are shares. A spot Bitcoin ETF will buy the cryptocurrency directly, “on the spot”, at its current price, throughout the day. The approval would mark a key milestone for the cryptocurrency market in gaining acceptance to mainstream financial markets.

Even though the false tweet only had a short life-span it caused a $2,000 spike in Bitcoin exchanges rates. Someone knowing this was going to happen could have made a significant profit.

In a statement the SEC said:

> “That unauthorized access has been terminated. The SEC will work with law enforcement and our partners across government to investigate the matter and determine appropriate next steps relating to both the unauthorized access and any related misconduct.”

Based on a preliminary probe, X confirmed that the SEC account had been compromised and it found that it was not due to a breach of the social media platform’s systems.

According to X, an unidentified individual was able to obtain control over a phone number associated with the @SECGov account through a third party. This would suggest the compromise was the result of a SIM swapping attack, where an attacker takes control of a phone number by convincing a mobile carrier to transfer the victim’s phone number to a SIM card they own.

With this control they can intercept messages, two-factor authentication (2FA) codes, and eventually reset passwords of the account the number has control over. Although apparently the SEC did not have 2FA enabled for its X account!

**Secure your X account**

Although any form of 2FA is better than none, all forms of 2FA are not equally secure. SMS-based 2FA is vulnerable to SIM swapping and if you can avoid it, we suggest you do. X offers other options like an authentication app and a security key.

To change your 2FA factor in X click on **More**

Select **Settings and Support** > **Settings and Privacy** > **Security and Account access**

Click **Security** > **Two-factor authentication** and put a checkmark in your preferred option.

You will be prompted to enter your X password and click Confirm. From there, follow the instructions in the prompts. Since not many people have security keys, I’ll continue with the Authentication app instructions.

*   Click **Get started**
*   Open your preferred authentication app and add the X account to the app. Usually this is as simple as scanning the QR code.
*   You’ll be prompted to enter the authentication code shown by the app.

You’re all set. Store the displayed backup code in a safe place in case you need it.

You’ll receive a confirmation mail at the address associated with the account.

And if you see tweets from an account about cryptocurrencies, NFTs, ETFs or other financial news that you would not expect from that account, keep a ten foot pole between you and what they are linking to.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

 SEC X account hacked to hawk crypto-scams 

Dive more into how ThreatDown performed in G2 Winter 2024.

The peer-to-peer review source G2 has released its Winter 2024 reports, ranking ThreatDown products on top across several Endpoint Detection and Response (EDR) and Managed Detection and Response (MDR) categories. 

Based on verified customer reviews, ThreatDown EDR was voted a Leader in the overall and mid-market grid reports for EDR, winning awards for Most Implementable, Fastest Implementation, Easiest Admin, Best Usability, and more. ThreatDown MDR also won awards for Ease of Use, Highest User Adoption, and more. 

Let’s dive more into how ThreatDown performed in G2 Winter 2024 and look at quotes from IT professionals using ThreatDown solutions daily.  

**EDR that brings down complexity **

Endpoint Detection and Response (EDR) systems are grappling with significant complexities. Deployment challenges delay ROI and increase vulnerability to breaches. A lack of integrated tools in EDR necessitates additional platforms, creating operational and security gaps. Additionally, everyday management burdens, like alert overload, strain small IT teams and reduce productivity. 

Feedback from real users said ThreatDown EDR is the most user-friendly EDR solution available in the Mid-market Usability Index, with a Usability Score that surpasses the average across all other vendors. 

ThreatDown EDR deploys within minutes, featuring a lightweight endpoint agent, robust integrations, and an intuitive cloud-native management console. 

Dashboard view of ThreatDown Nebula console, featuring Security Advisor. 

> “The Nebula console is one of the most user-friendly interfaces we’ve come across. We can’t recommend it enough.” 
> 
> Justin N.  

> “Malwarebytes makes it simple to deploy. Additionally, the user interface has minimal impact on the end-user, so \[it’s\] win-win. Support are happy to help when you do hit the occasional bump and the portal is easy to use and very responsive.” 
> 
> John K. 

**Fastest to Implement EDR **

Malwarebytes EDR proudly holds the #1 spot on the mid-market Implementation Index. Our industry-leading ‘ease of setup’ and ‘implemention time’ won us the Most Implementable and Fastest Implementation awards for this category. 

With the average deployment timeline for traditional EDRs stretching up to 18 months for small security teams, a swifter solution means faster protection and resource savings. 

Smaller teams can’t afford extensive learning curves, which is why they prioritize implementation costs (50 percent) in their endpoint security more than anything else. (Global Surveyz)  

ThreatDown EDR, the cornerstone of most ThreatDown Bundles, takes the complexity out of EDR deployment with an average time to become fully operational that is two times shorter than the industry average. 

You can distribute the ThreatDown Endpoint Agent to endpoints either manually to each user or automatically via network-wide remote deployment tools. 

> “If you are purchasing Malwarebytes, then you have made the correct choice. You will quickly see how easy it is to implement, and how great their support is.” 
> 
> Mauro B. 

> “Very easy to install and deploy, setup, and configure – for instance – a 5 machine setup would take roughly ~10 mins from start to finish.” 
> 
> Verified User 

> “Easy to use and implement, along with great support and support tools at your disposal, along with courses to help you become more familiar with the inner workings.” 
> 
> Doug C. 

**MDR with the Highest User Adoption **

ThreatDown MDR placed on multiple reports for G2 Winter 2023 reports, winning awards for “Ease of Use,” “Highest User Adoption,” “Easiest to do Business With,” “Easiest Admin,” and “Easiest to Use.” 

ThreatDown MDR provides powerful and affordable threat detection and remediation services with rapid set-up and 24×7 monitoring and investigations. Our top-tier MDR analysts protect your organization from cyberthreats through accelerated threat detection and response to incidents—allowing you to focus on growing your business. 

> “Malwarebytes MDR is simple to deploy and manage. They increase our security posture, meet cyber security insurance requirements, and make a great partner to augment my small IT team.” 
> 
> Steve S.  

> “We wanted to extend our SOC team with MDR services, and that has always been our vision with Malwarebytes since we look at the company as a partner, rather than a vendor. Malwarebytes MDR enables us to meet the need for 24 x7 coverage with professional security experts who work in the industry every day.” 
> 
> Matthew Verniere, Richards Building Supply 

> “Cyber threats are 24/7, and my team needs to sleep. The MDR team watching our network around-the-clock gives us a chance to sleep without worry. With Malwarebytes MDR backing us up, I also finally got to step away and take a two-week vacation. I’m just glad to know that we have a security team watching over our shoulder and making sure it’s all clear.” 
> 
> Dennis Davis, IT Systems Manager, Drummond 

**Experience ThreatDown bundles: Award-winning ROI, user-friendly, and effective threat defense  **

ThreatDown provides IT staff with award-winning business solutions, offering unmatched threat protection, a lightning-fast return on investment, and smooth, speedy implementation.  

Try ThreatDown Bundles today and join the ranks of those who have already discovered amazing results, best-in-class support, strong ROI—and more—of top-rated cybersecurity solutions.  

**Get a custom quote**

 ThreatDown earns highest ratings across EDR and MDR categories in G2 Winter 2024 results  

Ransomware gangs are getting more ruthless to increase the pressure on their victims. Now, even swatting cancer patients seems to be on the table.

Ransomware groups are liars, yes, but even when these dangerous cybercriminals would ransack organizations and destroy entire companies, a few select groups espoused a sort of “honor among thieves.” According to those few groups, their cybercriminal actions would never include organizations actively involved in healthcare, such as hospitals.

But, as can be expected from ransomware groups, these were nothing but lies. The million-dollar criminal operations, awash with cash, are still vulnerable to greed.

LockBit has claimed the recent attack on Capital Health. And even though LockBit claims they did not encrypt the hospitals files, the hospitals and physicians’ offices experienced IT outages that forced them to resort to emergency protocols designed for system outages. Several surgeries were moved to later dates and outpatient radiology appointments were canceled.

Unfortunately, we have seen these type of disruptions in healthcare before. And despite promises, we expect to see them again.

But in an even more brutal turn of events, a ransomware group is crossing another line, and resorted to threatening physical violence against patients. As fewer organizations are willing to pay the ransom, it seems the ransomware operators have lost all human decency (admittedly, it’s hard to believe they ever had any).

Again, we have seen ransomware groups turn on people who had their data stolen before. It’s an extra type of leverage to get the target organization to pay the ransom. Integris Health for example, an organization which operates a network of 15 hospitals and 43 clinics, reported that some of their patients received emails threatening to sell their information on the dark web.

But in the case of Seattle’s Fred Hutchinson Cancer Center, the criminals have taken it even a few steps further and threatened to “swat” hospital patients.

Swatting is where someone makes a hoax emergency call to law enforcement in order to get armed police (in reference to US “Special Weapons And Tactics” teams) to target a particular address. Over time, swatting has evolved from a dangerous type of prank to a cybercrime that can be ordered as a service.

Swatting is dangerous because of the potential consequences. Not only does it take emergency services away from their actual tasks, but there have been swatting incidents that had fatal consequences.

Once the Fred Hutchinson Cancer Center became aware of the cybercriminals’ swatting threats, they immediately notified the FBI and Seattle police. Let’s hope this reduces the potential dangers involved in swatting.

**Data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

**How to avoid ransomware**

*   **Block common forms of entry.** Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
*   **Prevent intrusions.** Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
*   **Detect intrusions.** Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption.** Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 Exposing the ransomware lie to “leave hospitals alone” 

Apple may be found negligent in an Airtags stalking lawsuit, but it has made improvements that may help potential victims

Each year, an estimated 13.5 million people in the US are victim to stalking. This is a worrying fact stated in the introduction of a lawsuit against Apple brought by stalking victims who charge that AirTags empowered their abusers.

AirTags are marketed as trackers that allow you to easily find lost belongings like keys and luggage. If you lose an object, you can find the AirTag in the Find My app on another Apple device. The tracker transmits its location via Ultra Wideband technology which is more accurate than Bluetooth when it comes to determining exact location. Since the tracker shares its location with the Apple devices of others, you can also find your AirTag over large distances.

AirTags are relatively cheap ($29), small (1.29”/3.19 cm) and can run for about a year before they need the battery replaced. This makes them an ideal tool for stalkers—they just need to attach one to something that they expect you to keep with you.

An important part of a negligence claim is whether the manufacture could have foreseen the issue—in this case, the stalking issue. This shouldn’t be a problem since lots of people were screaming from the rooftops that Apple was basically putting out a product for stalkers.

From the suit:

> “Prior to and upon the AirTag’s release, advocates and technologists urged the company to rethink the product and to consider its inevitable use in stalking. In response, Apple heedlessly forged ahead, dismissing concerns and pointing to mitigation featured that it claimed rendered the devices ‘stalker proof.'”

One plaintiffs’ lawyer argued that Apple did not make it possible, at the time the victim was stalked, for people being followed to locate an unwanted AirTag.

When the judge asked what Apple could have done better, the lawyer acknowledged that Apple has since made many fixes, but victims should have been alerted they were being subjected to unwanted tracking more quickly.

**How do the improvements Apple made help victims?**

Since AirTags were introduced, Apple has made some changes that can help potential stalking victims.

The most important one is that someone is now able to find out if an AirTag that they don’t own is moving with them over time.

On iPhones and iPads this is enabled by default, but it doesn’t hurt to check, especially if somoene may have had access to your device.

To make sure these options are enabled:

*   Go **to Settings** **\> Privacy & Security** > **Location Services**: Location Services should be on
*   Under **Location Services** > **System Services** > **Find My iPhone/iPad**: Significant Locations should be on.
*   Under **Settings** you also need to make sure you’re not in **Airplane Mode** and **Bluetooth** is on.
*   Open the **Find My** app, open the **Me** tab, and make sure **Tracking Notifications** are turned on.

If an unknown AirTag is following you, you’ll see an alert like this:

In the Find My app, you’ll be able to see how long the AirTag has been with you and you can use the Play Sound option to have the tracker emit a noise, which can help you find it.

For Android owners, Google has created a similar anti-stalking feature. Please note that the path to find the appropriate settings may vary with vendors and Android versions, but this should give you a good idea:

*   Select **Settings** \> **Safety and emergency** \> **Unknown tracker alerts**. Here you can allow alerts and do a manual scan for nearby trackers.

An unknown tracker alert is sent when someone else’s tracker device is separated from them and detected to be traveling with you and out of Bluetooth range from the owner. You can trigger any found AirTag to make a sound and you’ll be able to see how long it’s been with you on a map.

There are plans to broaden the scope of the tracker alerts besides AirTags. Companies including Samsung, Tile, Chipolo, Eufy, and Pebblebee have expressed interest in supporting this technology.

We’ll keep an eye on the lawsuit and let you know how it progresses.

 AirTags stalking lawsuit alleges Apple&#8217;s negligence in protecting victims 

A list of topics we covered in the week of January 1 to January 7 of 2024

January 7, 2024 - UK Police are investigating a sexual assault on the avatar of a girl aged under 16 that caused psychological trauma.

January 7, 2024 - People using LLMs for bug bounty hunts are wasting developers' time argues the lead developer of cURL. And he's probably right.

January 7, 2024 - Researchers have found flaws in the way SMTP servers handle messages, allowing them to send spoofed emails to and from targets.

January 4, 2024 - Facebook has announced it will roll out a new option called Link History to mobile users around the world. What does that mean?

January 4, 2024 - 23andMe has responded in a letter to legal representatives of data breach victims that they were to blame themselves for re-using passwords

 A week in security (January 1 &#8211; January 7) 

UK Police are investigating a sexual assault on the avatar of a girl aged under 16 that caused psychological trauma.

British police are investigating a case involving a virtual sexual assault of a girl’s avatar. Even though there was no physical violence involved the incident will be investigated as it has caused psychological trauma.

By definition, an avatar is a virtual representation of a user and is driven by the user’s movements in the virtual world. In Virtual Reality (VR) an avatar is placed, behaves, and moves like a physical body.

In the investigation, a girl under the age of 16 was playing a VR game when the avatars of online strangers gang raped her avatar. The VR experience is designed to be completely immersive. For example, we’ve all seen those “funny” movies where people wreck their television set because they loose contact with reality because what they see through their VR headset is so believable. So, it’s not very hard to imagine how much of an impact the incident had on the girl.

The BBC reports that the incident left her very distraught. According to an unnamed senior officer familiar with the matter, the victim suffered psychological trauma “similar to that of someone who has been physically raped”.

Whether it is possible to punish the attackers remains to be seen. As we all know, laws always trail behind when it comes to new technological developments. For an actual assault or rape case there needs to have been physical contact.

The incident should at least be considered as a good reason to:

*   Start thinking about legislation that can deal with these sort of incidents.
*   Create platforms that can provide a safe environment, especially for children.

It is possible to utilize existing laws, for example against the creation of synthetic child abuse images, which could be used as the basis of prosecutions in virtual world cases, but specialized laws would make court proceedings a lot easier.

According to the Daily Mail Online, police leaders are now calling for legislation to tackle a wave of sexual offending online, saying officers’ tactics must evolve to stop perverts using new technology to exploit children.

Details about the specific platform have not been released. But it’s certain that the new technology has led to new variations of existing types of crime like the theft of rare game artifacts, fraud, and sexual offenses. Unfortunately, some people feel they can behave like savages when they are hiding behind their virtual identity.

Billions of dollars are invested in developing the metaverse, an umbrella term for virtual worlds, and to attract new VR users. We hope to see some of those dollars invested in safety precautions, which will keep the experience safe for everyone.

For parents looking for guidance on how to keep their children safe on the internet, we recommend reading **Internet Safety Tips for Kids, Teens and Parents**.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Police investigate sexual assault on an avatar 

People using LLMs for bug bounty hunts are wasting developers' time argues the lead developer of cURL. And he's probably right.

Bug bounty programs that pay people for finding bugs are a very useful tool for improving the security of software. But with the availability of artificial intelligence (AI) as seen in the popular large language models (LLMs) like ChatGPT, Bard, and others it looks like there is a new problem on the horizon.

Bounty hunters are using LLMs not only to translate or proofread their reports, but also to find bugs.

Daniel “Haxx” Stenberg of cURL explains in a blogpost why he sees this as a possible problem. CURL is a computer software project providing a library and command-line tool for transferring data using various network protocols. The name stands for Client for URL. Daniel is the original author and currently the lead developer.

He argues that, for some reason, bug bounty programs also attract fortune seekers that are looking for a quick buck without putting in the necessary work. According to Stenberg, developers could easily filter out these fortune seekers before they had access to LLMs.

The source of the problem lies in the bad habit of some LLMs to “hallucinate.” LLM hallucinations is the name for the events in which LLMs produce output that is coherent and grammatically correct but factually incorrect or nonsensical.

This is a problem for developers because they can often discard nonsensical reports from humans only after a short examination. But reports generated by AI look coherent, so they waste a lot more time.

In the mystery of the CVE’s that are not vulnerabilities we saw how the automated submission of bugs had raised issues before that wasted a lot of developer time. Time the developer would like to use to fix real bugs or work on new features. As Daniel put it:

> “A security report can take away a developer from fixing a really annoying bug. because a security issue is always more important than other bugs. If the report turned out to be crap, we did not improve security and we missed out time on fixing bugs or developing a new feature. Not to mention how it drains you on energy having to deal with rubbish.”

This is especially annoying when the person that submitted the bug is unable to respond to additional queries in a way that clarifies the issue. Which is often the case since that person has no idea why the LLM flagged the submission as a bug in the first place.

In several areas people are working on tools that can recognize content created by AI, but these are not a full solution to this particular problem. Bug bounty hunters also use LLMs to translate their submissions from their native language to English. Which is often very helpful. But if a recognition tool were to discard all those submissions, they might end up ignoring a serious security vulnerability just because the bounty hunter wanted to submit a report in perfect English.

In the future, AI will undoubtedly proove to be useful in finding software bugs, but we expect these tools will be deployed by the developers themselves before the software goes live.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 How AI hallucinations are making bug hunting harder 

Researchers have found flaws in the way SMTP servers handle messages, allowing them to send spoofed emails to and from targets.

SMTP smuggling is a technique that allows an attacker to send an email from pretty much any address they like. The intended goal is email spoofing—sending emails with false sender addresses. Email spoofing allows criminals to make malicious emails more believable.

Let’s take a closer look at what it is exactly, and how cybercriminals can use it.

The first thing we need to look at is the Simple Mail Transfer Protocol (SMTP), a protocol that allows the exchange of emails. Mail servers and other message transfer agents use SMTP to send and receive mail messages.

SMTP is very much a protocol that has developed over time since it became the standard for always-online servers in the 1980s.

Basically, an email is written using software like Microsoft Outlook or Apple Mail and is then handed over to an SMTP server. The server looks up the appropriate mail server for the domain in the recipient’s address—the part on the right side of the @ symbol, and sends the mail to that server.

It sometimes takes a few steps, but if all goes well the email will be received by the SMTP server that handles the mail for the recipient. This server may deliver the messages directly to storage, or forward it over a network using SMTP before it reaches the recipient.

Simplified, the process looks like this:

Image courtesy of SEC Consult

Image courtesy of SEC Consult

Image courtesy of SEC Consult

Since SMTP lacks authentication it used to be extremely easy to spoof a sender address. Several safeguards emerged to stop this:

*   SPF (Sender Policy Framework): This uses DNS records to indicate to receiving mail servers which IP addresses are authorized to send mail for a given domain. So this still leaves the work to the receiving server.
*   DKIM (Domain Key Identified Mail): This method signs outgoing emails using a private key. Receiving servers validate the sender using the sending server’s public key,.
*   DMARC (Domain-based Message Authentication, Reporting, and Conformance): DMARC verifies if the email’s “From” domain aligns with SPF checks and/or DKIM signatures. Thus, the DMARC check fails if there is a mismatch between the MAIL FROM and the From domain where otherwise the SPF check would pass. Unfortunately DMARC is not very widely used.

**SMTP smuggling**

SMTP smuggling takes advantage of inconsistencies in the way that proxy servers and firewalls handle SMTP traffic.

Traditionally, the end of data in an SMTP conversation is indicated by a sequence <CR><LF>.<CR><LF> (CR LF stands for Carriage Return and Line Feed, which are standard text delimiters) which can also be written as \r\n.\r\n.

Researchers published about two types of SMTP smuggling, inbound and outbound. They started working from the question, what happens if outbound and inbound SMTP servers interpret the end-of-data sequence (<CR><LF>.<CR><LF>) differently?

If you can tell one server the email ends here and the other one that the full packet ends later, you can create a compartment in which you can smuggle more data.

So, the researchers started testing by putting a <LF>.<LF>  sequence in the middle of sent packages. And they found that outbound SMTP servers have different methods of dealing with it, including:

*   Dot-stuffing (Escaping the single dot with another dot):  <LF>..<LF> 
*   Replacing it with a <CR><LF> 
*   Encoding it (e.g., via quoted-printable): =0A.=0A 
*   Removing the entire sequence 
*   Not sending the message 
*   Or do nothing at all

By testing, which included sending specially constructed messages from and to different email providers, the researchers were able to find combinations that allowed them to send two email messages in one package. The sequence <LF>.<CR><LF> turned out to be effective on a custom SMTP server called NemesisSMTPd which is in use by email services provided by Ionos (e.g. GMX) which accounts for about a million hosted domains.

Image courtesy of SEC Consult

Some vendors (Microsoft and GMX) were quick to fix the vulnerabilities that facilitated SMTP smuggling, but the researchers urge companies using the also affected Cisco Secure Email product to manually update their vulnerable default configuration. The Cisco flaw affects more than 40,000 vulnerable instances and allows an attacker to send spoofed emails to high-value targets, such as Amazon, PayPal, eBay, and the IRS.

The recommendation by the researchers tells organizations using Cisco Secure Email Gateway (on premises) or Cisco Secure Email Cloud Gateway (cloud) to change the default settings of “CR and LF Handling” from “Clean” to “Allow,” citing Cisco guidelines to help administrators understand the change that should be made.

That may sound counterproductive, but this setting passes e-mails with bare carriage returns or line feeds on to the actual e-mail server (Cisco Secure Email Gateway is just a gateway), which only interprets <CR><LF>.<CR><LF> as end-of-data sequence. So, if you don’t want to receive spoofed e-mails with valid DMARC checks, we highly recommend changing your configuration.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 Explained: SMTP smuggling 

Facebook has announced it will roll out a new option called Link History to mobile users around the world. What does that mean?

In what seems like yet another attempt to adapt its platform to prepare for new regulations, Facebook has started rolling out a new feature called Link History.

Link History allows users to view and re-visit links they have visited with their Facebook browsing activity.

Obviously Facebook will tell us that the new feature is for its users’ benefit, but we can see several ways in which this benefits Meta even more. The only positive for me is that it could be a handy option for finding that thing that you saw on Facebook that one time, but you can’t quite remember the details. This gets defeated partially by the fact that users that have Link History enabled report they were unable to see the Link History page at all when looking at Facebook on their laptop.

However, as Facebook tracking goes at least this is an option that you have some control over. On most, if not all, popular websites you’ll find Meta’s and other’s tracking pixels. With an ongoing battle against cookies and other trackers, this may be a new way for Facebook to track its user’s behavior.

With Link History, Facebook now has another separate place where it stores details about the websites you visit along with the settings to control that data. Settings that are, deliberately or not, hard to find and easy to misinterpret.

The company itself says:

> “When you allow link history, we may use your information to improve your ads across Meta technologies.”

Translated, this means that they will use the information to provide you with targeted ads.

Recently Meta got sued over coercing users to pay to stop tracking. Organizations concerned about our privacy say that by doing this, Meta has changed the user’s choices from “yes or no” to “pay or okay.”

Research in 2022 showed that in-app browsers inject JavaScript code into third party websites that cause potential security and privacy risks to the user. This resulted in a class-action complaint against Meta in San Francisco’s federal court, alleging the company built a secret workaround to Apple’s safeguards that protect iPhone users from tracking.

So this may be another attempt to follow users around on the web. Unlike on your desktop, clicking a link in Facebook, or Instagram, will open a special browser built into the app, rather than the default browser of the device.

For now, a limited number of Android and iPhone users will see this option appear in the Facebook Mobile Browser. But the company says it will roll out the option globally over time.

**How to turn link history on or off**

Link history is turned on by default so you will have to opt-out if you don’t want it.

1.  Tap any link inside the Facebook app to open Facebook’s Mobile Browser.
2.  Tap the three dots (more actions) in the bottom right, then tap **Go to Settings**.
3.  To turn link history on, tap the slider to on (blue) next to **Allow link history**, then tap **Allow** to confirm.
4.  To turn link history off, tap the slider to off (grey) next to **Allow link history**, then tap **Don’t allow** to confirm. 

**Note**: When you turn link history off, this will immediately clear your link history, and you will no longer be able to see any links you’ve visited. Facebook promises to delete the link history it’s created for you within 90 days.

**We don’t just report on privacy—we offer you the option to use it.**

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

Source

Malwarebytes