IT News

Explore the MakoLogics IT News for valuable insights and thought leadership on industry best practices in managed IT services and enterprise security updates.

Software company accused of illegally profiling millions of mobile phone users

A digital rights and privacy organization has filed a complaint against software company TeleSign for gathering and selling information on millions of mobile phone users.

The organization that filed the complaint is noyb, an Austria-based digital rights organization that focuses on commercial privacy issues at the European level. Since the General Data Protection Regulation (GDPR) came into force on May 25, 2018, commercial privacy violations can be enforced at the European level, which allows for much more effective procedures and strategic litigation.

The complaint targets BICS, TeleSign, and Proximus. BICS is a Belgium-based communications service that enables phone calls, roaming, and data flows between different communications networks and services all over the world (500 mobile operators in more than 200 countries). Instead of having direct agreements with each other, hundreds of mobile phone providers can connect their networks through the interconnection service of BICS.

TeleSign is a US-based company that provides Application Programming Interfaces (APIs) for user verification, digital identity, and omnichannel communications, to help other brands with secure onboarding, account integrity, fraud prevention, and customer engagement. Among its customers are Ubisoft, ByteDance (TikTok), Skype, and Salesforce.

Proximus is the Belgium-based parent company of both BICS and TeleSign.

The problem

When processing phone customer data, BICS receives detailed information such as the regularity of completed calls, call duration, long-term inactivity, range activity, and successful incoming traffic. It receives this data for about half of the world's mobile phone users.

In 2022, Belgian newspaper Le Soir published an article about BICS sharing these data with TeleSign. Based on these data, TeleSign gave every mobile phone user a “trust score” between 0 and 300 points. This trust score helps their customers decide whether to allow users to sign up to a platform or, for example, require an SMS verification first.

According to TeleSign's website, it verifies over five billion unique phone numbers a month, representing half of the world's mobile users, and provides critical insight into the remaining billions.

The data BICS shares includes information such as the type of technology used to make calls or texts, the frequency of activity, and the duration of calls.

noyb co-founder Max Schrems said:

“Your phone provider likely forwards data to BICS who then forwards it to TeleSign. TeleSign generates a ‘trust score’ about you and sells phone data to third parties like Microsoft, Salesforce or TikTok – without anyone being informed or giving consent.”

While GDPR allows data to be shared for the purpose of taking appropriate, proportionate, preventive and curative measures, and in order to detect fraud and malicious use of networks and services, noyb argues that this is not what is happening here.

From Max Schrems:

“The responses received by BICS and TeleSign suggest that this business model is not complying with EU privacy laws. We have therefore filed a complaint with the Belgian Data Protection Authority, who is competent for Proximus, BICS and TeleSign.”

The complaint could end up being very costly. The Belgian Data Protection Authority (DPA) can issue a fine of up to 4% of the global turnover of Proximus, which would be roughly $250 million.

EU citizens who want to know whether TeleSign holds data on them, and whether it has assigned them a score like the complainants, can use a template that noyb has developed to send an access request to TeleSign. Under GDPR, companies holding data about you are obliged to tell you not just whether they process information about you, but also where they obtained the data, for which purposes they use it, and with whom they have shared it.


Malwarebytes EDR and MDR remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

81% concerned about ChatGPT security and safety risks, Malwarebytes survey shows

Seven months after ChatGPT burst into our lives, it seems the lustre of the chatbot-that’s-going-to-change-everything is starting to fade. A new survey by Malwarebytes exposes deep reservations about ChatGPT, with optimism in startlingly short supply. Of the respondents familiar with ChatGPT:

  • 81% were concerned about possible security and safety risks.
  • 63% don’t trust the information it produces.
  • 51% would like to see work on it paused so regulations can catch up.

The concerns expressed in the survey mirror the trajectory of the news about ChatGPT since its introduction in November 2022.

ChatGPT is a type of Artificial Intelligence (AI) developed by the organization OpenAI. Trained on vast amounts of text data, it can generate human-like responses to prompts or questions. And just in case you don’t know what that means, you should know that the last sentence you read was written by ChatGPT as part of a response to a request to “Describe ChatGPT in a single paragraph.” This is the whole text it generated:

ChatGPT is a powerful language model developed by OpenAI, based on the GPT-3.5 architecture. Trained on vast amounts of text data, it can generate human-like responses to prompts or questions. With its deep learning capabilities, ChatGPT understands context and produces coherent and contextually relevant text. It can assist with various tasks such as answering questions, providing explanations, and offering suggestions. Although it’s not a human and lacks real-time awareness, ChatGPT’s ability to generate text across multiple languages makes it a versatile tool, albeit one that should be cross-verified with reliable sources for accuracy.

When people explored its capabilities in the days and weeks after its launch, it seemed almost miraculous—a wonder tool that could do everything from creating computer programs and replacing search engines, to writing students’ essays and penning punk rock songs. Its release kick-started a race to disrupt everything with AI, and integrate ChatGPT-like interfaces into every conceivable tech product.

But those that know the hype cycle know that the Peak of Inflated Expectations is quickly followed by the Trough of Disillusionment. Predictably, ChatGPT’s rapid ascent was met by an equally rapid backlash as its shortcomings became apparent.

Chief among them is ChatGPT’s propensity to “hallucinate”, the euphemism that data scientists give to untruths created by machine learning models. Perhaps the best example of just how consequential hallucinations can be is Mata v. Avianca, Inc, a court case in which a lawyer found himself in serious hot water after citing numerous non-existent legal cases hallucinated by ChatGPT when he used it as a research tool.

Against that backdrop, Malwarebytes decided to poll its vast pool of newsletter subscribers to see how they felt about ChatGPT, six months after its launch.

Despite all the hype and hoopla surrounding it, only 35% of our tech-savvy respondents agreed with the statement “I am familiar with ChatGPT,” significantly fewer than the 50% who disagreed.

Those who claimed to be familiar with ChatGPT did not have a rosy outlook. This is what they told us.

Not accurate or trustworthy

The first issue is that our respondents don't believe ChatGPT is accurate or trustworthy. Only 12% agreed with the statement “The information produced by ChatGPT is accurate,” while 55% disagreed, a huge discrepancy.

Responses to “The information produced by ChatGPT is accurate” by respondents familiar with ChatGPT

The responses were similarly bleak for the statement “I trust the information produced by ChatGPT,” with only 10% agreeing and a huge 63% disagreeing.

Responses to “I trust the information produced by ChatGPT” by respondents familiar with ChatGPT

A risk to security and safety

Not only was ChatGPT seen as untrustworthy, it was also perceived as a negative influence on safety and security, with few seeing it as a tool that will improve safety, and an overwhelming majority seeing it as a source of risk.

51% disagreed with the statement “ChatGPT and other AI tools will improve Internet safety,” dwarfing the tiny percentage that see it as a positive for safety.

Responses to “ChatGPT and other AI tools will improve internet safety” by respondents familiar with ChatGPT

Worse still, an extraordinary 81% were concerned about the possible security and/or safety risks.

Responses to “I am concerned about the possible security and/or safety risks posed by ChatGPT” by respondents familiar with ChatGPT

They aren’t alone. In March a raft of tech luminaries signed a letter that said “We call on all AI labs to immediately pause for at least 6 months the training of AI systems more powerful than GPT-4.” The letter pulled no punches on the “profound risks” posed by “AI systems with human-competitive intelligence”:

Should we let machines flood our information channels with propaganda and untruth? Should we automate away all the jobs, including the fulfilling ones? Should we develop nonhuman minds that might eventually outnumber, outsmart, obsolete and replace us? Should we risk loss of control of our civilization?

The letter calls for the pause to be used to “jointly develop and implement a set of shared safety protocols for advanced AI design and development that are rigorously audited and overseen by independent outside experts.”

We put the idea to our respondents and 52% of those familiar with ChatGPT agreed, while less than half that number disagreed.

Responses to “Work on ChatGPT and other AI tools should be paused until regulations can catch up” by respondents familiar with ChatGPT

Conclusion

Our survey showed that an overwhelming number of respondents familiar with ChatGPT were concerned about the risks it poses to security and safety. They also don’t trust the information it produces, and would like to see a pause in development so that regulation can catch up. What remains to be seen is whether this is simply a singular moment of anxiety or a trend that will persist.

An AI revolution has been gathering pace for a very long time, and many specific, narrow applications have been enormously successful without stirring this kind of mistrust. For example, at Malwarebytes, Machine Learning and AI have been used for years to help improve efficiency, to identify malware, and improve the overall performance of many technologies.

ChatGPT is a different beast though. It is a generalized AI tool that could help or supplant humans across a broad range of knowledge work, from coding and composing songs to making malware and spreading misinformation.

The uncertainty around how ChatGPT will change our lives, and whether it will take our jobs, is compounded by the mysterious way in which it works. It is an unknown quantity to everyone, even its creators. Machine learning models like ChatGPT are “black boxes” with emergent properties that appear suddenly and unexpectedly as the amount of computing power used to create them increases.

Real world emergent properties have included the ability to perform arithmetic, take college-level exams, and identify the intended meaning of words. The ability to perform these tasks could not be predicted from smaller models, and today’s models cannot be used to predict what the next generation of larger models will be capable of.

That leaves us facing a very uncertain future, both individually and collectively. The continuum of viewpoints held by serious commentators ranges, quite literally, from those who think AI is an existential risk to those who think it will save the world. Given the stakes, the caution of our respondents is no surprise.



Understanding ransomware reinfection: An MDR case study

Ransomware is like that stubborn cold that you thought you kicked, but creeps back up determined to run amok again. The question is what medicine is available to kick this nasty infection for good.

In this post, we’ll break down the idea of ransomware reinfection and share a real-life episode where Malwarebytes Managed Detection and Response (MDR) mitigated a resilient ransomware reinfection from the Royal ransomware gang.

What is ransomware reinfection?

Imagine this scenario: You’ve recently battled a vicious ransomware attack, finally restoring your systems to their normal functionality. You breathe a sigh of relief, secure in the knowledge that your data is safe and operations are running smoothly.

Alas, it’s not the end of the story.

The ransomware attack you just countered was actually just the final act of a long-drawn series of malicious activities. In other words, many ransomware attacks aren’t the start of the problem; they’re often the result of an unresolved network compromise.

The true culprit is how the threat actor gained access in the first place. Once inside, they steal login credentials, deploy malware, or establish a backdoor, a secret gateway into the network that can be used later. This is like leaving a hidden door unlocked for future visits.

Even after successfully mitigating the immediate ransomware attack, these hidden doors may remain unnoticed, enabling the attackers to infiltrate your network stealthily once more. This is the essence of ransomware reinfection.

Having clarified the terminology, let’s delve into a real-world instance of a ransomware reinfection in action.

Initial Ransomware Attack – November 23, 2022

Prior to their engagement with Malwarebytes, our customer experienced a ransomware attack on their AWS environment. They chose not to pay the ransom.

The subsequent countermeasure involved a complete system rebuild from backup to recover their operations.

Onboarding with Malwarebytes MDR and Detection of Reinfection – December 9, 2022

In response to the initial compromise, the customer onboarded with our Managed Detection and Response (MDR) service and Endpoint Detection and Response (EDR) product. Immediately after installing the EDR on the endpoint, detections for additional ransomware were identified.

Our MDR analyst spotted file detections linked to the previous ransomware attack, attempted outbound communications to a known malicious site (a Cobalt Strike C2 server), and inbound remote RDP connection attempts. The MDR analyst promptly contacted the customer, recommending that they block the C2 server and the source of the RDP connections, which the customer promptly implemented.

New Threat Emerges – December 11, 2022

Only two days later, a new set of RDP connection attempts from a remote host was detected. Again, the MDR team advised the customer to block the connection source to prevent further infiltration.
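The inbound RDP attempts in this timeline are the kind of signal that can be pulled out of Windows Security logs before an analyst ever looks at them. The following is an added example, not the MDR team's tooling: it parses a handful of constructed failed (4625) and successful (4624) RemoteInteractive (logon type 10) events, ignores sources inside an assumed internal range, and flags any external source that bursts past a failure threshold, calling out the worst case where a failed spray is followed by a successful logon from the same source. The event lines, the 10.0.0.0/8 allowlist and the thresholds are assumptions for the demonstration.

```python
"""Flag inbound RDP logon attempts from outside the expected address space.

Added example: the events below are constructed Windows Security records
(4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP), not
data from the incident described on the page. The allowlisted range and
thresholds are assumptions for the demonstration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed sample, one event per line: timestamp, event id, logon type, account, source IP.
SAMPLE_EVENTS = """\
2022-12-11T03:14:01 4625 LogonType=10 Account=administrator IpAddress=203.0.113.45
2022-12-11T03:14:03 4625 LogonType=10 Account=admin IpAddress=203.0.113.45
2022-12-11T03:14:06 4625 LogonType=10 Account=backup IpAddress=203.0.113.45
2022-12-11T03:14:09 4625 LogonType=10 Account=sqlsvc IpAddress=203.0.113.45
2022-12-11T03:14:12 4624 LogonType=10 Account=sqlsvc IpAddress=203.0.113.45
2022-12-11T08:02:44 4624 LogonType=10 Account=jdoe IpAddress=10.20.0.15
2022-12-11T08:05:10 4625 LogonType=10 Account=jdoe IpAddress=10.20.0.15
2022-12-11T09:30:00 4625 LogonType=3 Account=svc IpAddress=198.51.100.7
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event_id>\d+) LogonType=(?P<logon_type>\d+) "
    r"Account=(?P<account>\S+) IpAddress=(?P<ip>\S+)$"
)

# Assumed allowlist: the customer's internal range; anything else is "external".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_events(text):
    """Turn the constructed log lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "event_id": int(m["event_id"]),
            "logon_type": int(m["logon_type"]),
            "account": m["account"],
            "ip": ipaddress.ip_address(m["ip"]),
        })
    return events


def is_external(ip):
    return not any(ip in net for net in INTERNAL_NETS)


def rdp_findings(events, failures=3, window=timedelta(minutes=5)):
    """Return {source_ip: finding} for external RDP sources that exceed the
    failure threshold inside the window. A burst followed by a 4624 from the
    same source is 'spray_then_success': a credential has been compromised."""
    by_ip = defaultdict(list)
    for e in events:
        if e["logon_type"] == 10 and is_external(e["ip"]):
            by_ip[e["ip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["event_id"] == 4625]
        burst = False
        for i in range(len(fails)):          # sliding window over the failures
            j = i
            while j + 1 < len(fails) and fails[j + 1]["ts"] - fails[i]["ts"] <= window:
                j += 1
            if j - i + 1 >= failures:
                burst = True
                break
        if not burst:
            continue
        successes = [e for e in evs if e["event_id"] == 4624 and e["ts"] >= fails[0]["ts"]]
        findings[str(ip)] = {
            "verdict": "spray_then_success" if successes else "failed_spray",
            "accounts_tried": sorted({e["account"] for e in fails}),
            "accounts_succeeded": sorted({e["account"] for e in successes}),
        }
    return findings


if __name__ == "__main__":
    for ip, finding in rdp_findings(parse_events(SAMPLE_EVENTS)).items():
        print(ip, finding)
```

On a real host the same fields come from the Security event log (Event IDs 4625 and 4624, with LogonType and IpAddress in the event data). A spray_then_success verdict against a domain admin account is exactly the situation in which the password change and source block described in this case are the minimum response.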

Critical Incident and Response – December 13, 2022

A new wave of local host file detections indicated the return of the previously encountered ransomware. A previously unseen persistence mechanism was also identified, suggesting that the threat had not been completely eliminated. As part of our response, we raised a critical incident with the customer, carried out an extensive threat hunt, and identified two compromised domain admin accounts, a domain controller (DC), and a SQL server.

A Potentially Unwanted Modification (PUM) detection of a disabled Windows System Restore setting.

The customer's C:\Program Files directory showed peculiar files like ‘desktop.ici.royal.w’, ‘PackageManagement’, ‘README.TXT’, and ‘Uninstall Information’.


This new detection, “Ransomware.Royal”, suggests that the attackers were either still present in the network or had gained access again.

Our MDR team promptly reached out to the customer’s Security team and initiated a strategic consultation via a Zoom call. Detailed insights were shared on the Indicators of Compromise (IoCs) encountered, and we advised the customer to change the passwords of the affected domain admin accounts.

In response, the customer implemented an enterprise-wide password change and blocked the newly identified C2 server. Additionally, the decision was made to rebuild the compromised DC.

Lessons from the Incident

This episode underscores the relentless threat of ransomware reinfection in today’s threat landscape, as well as the critical role that 24x7x365 diligence of trained cybersecurity experts, swift responses, and collaborative efforts play in cyber defense.

Without having a similar level of expertise in-house, the reality is that many organizations will see reinfections that could lead to catastrophic results.

In this case, our customer had assumed full recovery from the initial ransomware attack, and if not for the MDR service, they might never have realized that the attack was still ongoing. Fortunately, the collaborative efforts of Malwarebytes MDR, EDR, and the customer successfully mitigated the threat and safeguarded the customer's environment.

For more information on our EDR and MDR products and services, please visit https://try.malwarebytes.com/mdr-consultation-new/


Company finds lost SSD—and confidential data—for sale on eBay

Major software company SAP is putting the pieces of a story involving missing SSD disks back together.

Four SSD disks are alleged to have gone on an adventure last November, making their way out of a Walldorf, Germany, datacenter with one of them ending up on eBay. An investigation revealed that despite the disks being located in a building referred to as a “secure location”, it was anything but for the disks in question.

According to The Register’s sources, the disks were transported to an “unsecured building” somewhere in the HQ complex. Eventually, the disks were taken without permission. Some time later, an SAP employee saw one of the missing disks on eBay and purchased it, identifying it as one of their own.

It seems highly unlikely that the individual in question bought a random SSD disk on eBay and it randomly turned out to be one of the missing disks. This was presumably part of a “hope it turns up somewhere” investigation and they managed to hit the jackpot.

The Register says that the disk contained “personal records” of 100 or so SAP employees, though there is no word as to what specifically was on there. At the time of writing, the three other disks remain unaccounted for. We don't know what's on them, but SAP seems to think no customer data has been lost:

SAP takes data security very seriously. Please understand that while we don’t comment on internal investigations, we can confirm we currently have no evidence suggesting that confidential customer data or PII has been taken from the company via these disks or otherwise.

The Register claims that this is the fifth incident along these lines affecting European datacenters in a two year time frame. That’s probably not surprising, lots of bits and pieces go missing from workplaces all the time. And it’s not necessarily done deliberately or as an act of theft. Sometimes people wander into accidents, and that’s how you end up with all of those “USB stick left on the bus” stories. Sadly, the end result is often the same: Data exposure and confidential information going public.

How to keep your removable devices in the right place

  • Inventory management. Keeping a close eye on what you have can be tricky, but it’s essential to make sure assets don’t go wandering off. As Chron puts it, identification, number, location, and description will go a long way tied to a few spreadsheets or even dedicated software. Regular audits will ensure nothing is missing. Employees should have a set number of days to return items when leaving the business. Laptops should have remote location tracking which can’t be turned off.
  • Encrypt your drives. Encrypting your drive scrambles all of the data in a way that means anyone picking it up will have a hard time accessing the contents. Without a password or some other way to verify that accessing the drive is allowed, no data will be forthcoming. Many off-the-shelf drives come with encryption built in and ready to set up. Others will automatically wipe all data if the password is entered incorrectly too many times. You can even encrypt USB flash drives, and if your main drives don't come with encryption, plenty of third-party options exist to take up the security reins.
  • Hard to move hardware. It's unlikely someone will walk out the door with a PC workstation, but you should think about everything plugged into it. Cables and peripherals can all be secured or even locked into the device. Some locking kits will allow you to secure multiple peripherals with one carbon steel cable. Others will block USB ports and prevent access without causing obvious damage to the device.
  • Secure that space. Sensitive data areas may require CCTV, and scannable employee cards allowed for use in specific locations. Add printing funds to cards, deploy locks on your printer tray, and restrict access to paper used for billing and expense claims. You may not have considered your printer as a rogue element of your office, but in the right hands it could be.
  • On the road observations. As TechRadar notes, items can be stolen from employees when travelling. Don’t leave work items in your car, and consider using bags for laptops which don’t look like expensive laptop bag carriers. If you’re in a cafe, don’t leave your devices unattended. There are many locks designed for laptops which can help secure a device when in public.
  • When all else fails, browse the for sale sites. On the off chance that a piece of equipment has gone missing, it’s time to check out eBay and similar portals. You probably won’t find it listed as “[Company Name] Missing hard drive”, but you may get good results if you search for specific makes and models of hardware.


SupremeBot and Mario cross the finish line together

Researchers have reported how popular game installers like Super Mario Games are being used to deliver malware. The malicious components include cryptominers, the SupremeBot mining client, and the open-source Umbral stealer.

The game installer route offers the cybercriminals some very distinct advantages:

  • The games are very popular and downloads are highly sought after, which increases the chances of people downloading them
  • Game installers are large files which means they can’t be uploaded to most online malware scanners
  • The game install finishes, so the user trusts the installer did what it promised to do and the extras get ignored
  • The targeted systems are high performance machines suitable for playing games. Which means they can be expected to be useful in the intended mining activity

The researchers looked at a trojanized version of a Super Mario game installer which came as an NSIS installer. NSIS (Nullsoft Scriptable Install System) is a professional open source system to create Windows installers. In this case it was used to combine three executable files, one of which was the legitimate Super Mario Forever game.

But while the victim is going through the steps of the installation wizard for their game, in the background two secretly dropped files are executed by the same installer.

  1. An XMR (Monero) miner which operates stealthily in the background to mine cryptocurrency for the cybercriminal without authorization and while using system resources in amounts that could be harmful
  2. SupremeBot, a mining client which also downloads a file from a Command & Control (C2) server. In this case an information-stealer identified as the Umbral Stealer

The SupremeBot malware uses some techniques to stay under the radar. First it creates a copy of itself called Super-Mario-Bros.exe and drops that in a randomly named subfolder of the ProgramData folder. It also creates a new scheduled task that runs every 15 minutes to run that copy. When that persistence is set up it kills the process and deletes the original file.
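The persistence described above (a renamed copy in a random ProgramData folder, re-run by a scheduled task every 15 minutes) leaves a scheduled-task definition behind that can be hunted for. The following is an added example, not the researchers' code: it parses two constructed task definitions in the Task Scheduler XML schema and flags a task when both a short repetition interval and an executable in a user-writable location are present. The folder name 3a9f1c and the benign updater task are invented for the demonstration.

```python
"""Hunt scheduled tasks for a short repetition interval whose action runs a
binary out of a user-writable location such as ProgramData.

Added example, not code from the research. Both task definitions are
constructed in the Task Scheduler XML schema; the folder name 3a9f1c and
the vendor updater are invented.
"""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed: mirrors the behaviour described above (15-minute trigger, copy under ProgramData).
SUSPICIOUS_TASK = """\
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT15M</Interval></Repetition>
      <StartBoundary>2023-06-20T10:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\\ProgramData\\3a9f1c\\Super-Mario-Bros.exe</Command></Exec>
  </Actions>
</Task>
"""

# Constructed: a plausible benign updater, daily, under Program Files.
BENIGN_TASK = """\
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2023-01-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>"C:\\Program Files\\ExampleVendor\\Updater.exe"</Command><Arguments>/silent</Arguments></Exec>
  </Actions>
</Task>
"""

DURATION_RE = re.compile(
    r"^P(?:(?P<d>\d+)D)?(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?)?$"
)

# Locations a normal installer should not be running scheduled binaries from.
WRITABLE_DIRS = ("\\programdata\\", "\\users\\public\\", "\\appdata\\local\\temp\\", "\\windows\\temp\\")


def iso_duration_seconds(value):
    """Convert a Task Scheduler ISO 8601 duration (e.g. PT15M, P1DT2H) to seconds."""
    m = DURATION_RE.match(value.strip())
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    parts = {k: int(v or 0) for k, v in m.groupdict().items()}
    return parts["d"] * 86400 + parts["h"] * 3600 + parts["m"] * 60 + parts["s"]


def analyse_task(xml_text, max_interval_seconds=3600):
    """Return the list of reasons the task looks like malware persistence
    (an empty list means nothing suspicious under these heuristics)."""
    root = ET.fromstring(xml_text)
    reasons = []
    for interval in root.findall(".//t:Repetition/t:Interval", TASK_NS):
        secs = iso_duration_seconds(interval.text)
        if secs <= max_interval_seconds:
            reasons.append(f"repeats every {secs // 60} min")
    for cmd in root.findall(".//t:Exec/t:Command", TASK_NS):
        path = (cmd.text or "").strip().strip('"').lower()
        if any(d in path for d in WRITABLE_DIRS):
            reasons.append(f"runs from user-writable path: {cmd.text.strip()}")
    return reasons


def is_suspicious(xml_text):
    # Require both signals: a short beat alone, or a ProgramData path alone, is too noisy.
    reasons = analyse_task(xml_text)
    return len(reasons) >= 2, reasons


if __name__ == "__main__":
    for name, task in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(name, is_suspicious(task))
```

On a live system the task definitions are stored as XML files under C:\Windows\System32\Tasks, and task creation is logged as Security Event ID 4698 when the relevant object-access auditing is enabled; feed those files through analyse_task instead of the constructed strings. Requiring both signals keeps noise down: plenty of legitimate software repeats frequently, and plenty of legitimate installers drop helpers in ProgramData, but few do both.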

The new copy sends the victim system’s CPU and GPU versions as identifiers to a C2 server to verify if the client is registered. If not, the new client is added and receives XMRig CPU and GPU mining configuration details from the C2 server.

When all that is set up, it downloads a Themida-packed file. Upon execution, this file unpacks itself and loads the Umbral Stealer into process memory. Umbral Stealer is a Windows-based information stealer that is available on GitHub as an open-source project. It uses Discord webhooks to send collected data to the cybercriminal.

The collected data is obtained from the affected system by:

  • Capturing screenshots
  • Retrieving browser passwords and cookies
  • Capturing webcam images
  • Obtaining Telegram session files and Discord tokens
  • Acquiring Roblox cookies and Minecraft session files
  • Collecting files associated with cryptocurrency wallets

Advice

To prevent falling victim, here are some guidelines:

  • Only download from trusted sources
  • Monitor your system for high CPU usage and other performance issues
  • Use up-to-date, real-time anti-malware protection

C2 servers:

silentlegion[.]duckdns[.]org

shadowlegion[.]duckdns[.]org

Malwarebytes blocks silentlegion[.]duckdns[.]org

Malwarebytes blocks shadowlegion[.]duckdns[.]org



Malvertising: A stealthy precursor to infostealers and ransomware attacks

This article is based on research by Jérôme Segura, Senior Director of Threat Intelligence at Malwarebytes, who oversees data collection from spam feeds and telemetry to identify the most relevant threats.

Malvertising, the practice of using online ads to spread malware, can have dire consequences—and the problem only seems to be growing.

New research from the Malwarebytes Threat Intelligence team shows over 800 malvertising-related attacks in 2023 so far alone, an average of almost 5 attacks per day. But even these are only the ones reported by security researchers—in reality the number is much higher.

Our research indicates that malvertising ads often deliver infostealer malware such as IcedID, Aurora Stealer, and BATLOADER, among others. These programs steal credentials from users' browsers or computers, sowing the seeds for a future ransomware attack.

Malvertising attack count throughout 2023

Ransomware gangs often buy stolen credentials from other cyber criminals involved in the dirty work of initial access brokering. In the case of malvertising, the chain of events looks something like this:

  1. Malvertising campaigns infect users with infostealers.
  2. Infostealers harvest user credentials.
  3. Stolen credentials are sold in underground forums.
  4. Ransomware actors buy these credentials to infiltrate networks.

Alternatively, some ransomware gangs have been observed using malvertising themselves to launch an attack on a victim machine directly.

The Royal ransomware group, for example, used malvertising to disguise BATLOADER as legitimate installers for applications like TeamViewer. BATLOADER then drops a Cobalt Strike Beacon as a precursor to the ransomware execution. 

For organizations looking to nip the malvertising-ransomware connection in the bud, however, perhaps the biggest challenge is how hard malvertising can be to spot. Threat actors often impersonate the official brand name and website in the ad snippet, making attacks extremely deceptive for the average user.

Can you spot the typo in this malvertising attempt?

Even experts at Google have struggled to identify malicious redirects from an ad, underscoring the fact that malvertising is a nuanced, technical problem that requires advanced tools to spot.

In other words, your defense strategy against malvertising shouldn’t hinge entirely on your team recognizing brand impersonation. Instead, focus on equipping your team with advanced security tools to do the heavy lifting.
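Since the point above is that people should not be the control that spots brand impersonation, here is what the machine check looks like. The following is an added example, not Malwarebytes' detection logic: it reduces the registrable label of an ad landing domain to a normalized form (folding common homoglyphs such as rn for m, digits for letters, and Cyrillic look-alikes), then compares it against a protected brand list to separate genuine domains from typosquats, homoglyph swaps, wrong TLDs and brand-plus-keyword combinations. TeamViewer is used because this article names it as an impersonated brand; the allowlist and every lookalike domain in the sample are constructed for the demonstration and not asserted to exist.

```python
"""Classify ad landing domains against a protected brand list.

Added example, not Malwarebytes' detection logic. GENUINE and every
lookalike in SAMPLE_AD_DOMAINS are constructed for the demonstration.
"""
import unicodedata

# Constructed allowlist: the genuine registrable domains for each protected brand.
GENUINE = {
    "teamviewer": {"teamviewer.com"},
    "anydesk": {"anydesk.com"},
}

# Multi-character sequences that render almost identically in most fonts.
CONFUSABLE_SEQUENCES = [("rn", "m"), ("vv", "w"), ("cl", "d")]

# Single characters commonly substituted for Latin letters (digits, Cyrillic).
CONFUSABLE_CHARS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x",
})

# Constructed sample of domains an ad might land on.
SAMPLE_AD_DOMAINS = [
    "teamviewer.com",            # genuine
    "teamviewer.net",            # right label, wrong TLD
    "tearnviewer.com",           # rn -> m
    "teamvlewer.com",            # one letter off
    "teamview\u0435r.com",       # Cyrillic small ie in place of e
    "team-viewer-download.net",  # brand plus keyword
    "example.org",               # unrelated
]


def normalize_label(label):
    """Fold a DNS label to the ASCII word a human would read it as."""
    label = unicodedata.normalize("NFKC", label).lower().translate(CONFUSABLE_CHARS)
    for seq, repl in CONFUSABLE_SEQUENCES:
        label = label.replace(seq, repl)
    return "".join(ch for ch in label if ch.isalnum())


def levenshtein(a, b):
    """Edit distance; inputs are short enough that the full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain):
    # Assumption: single-label public suffix. co.uk-style suffixes need a public suffix list.
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(domain, max_distance=2):
    """Return (verdict, brand). Exact checks run before normalization so that
    a genuine brand containing 'rn' is never folded into a false positive."""
    domain = domain.lower().rstrip(".")
    sld = registrable_label(domain)
    norm = normalize_label(sld)
    for brand, genuine_domains in GENUINE.items():
        if domain in genuine_domains:
            return "genuine", brand
        if sld == brand:
            return "wrong_tld", brand
        if norm == brand:
            return "homoglyph", brand
        if levenshtein(norm, brand) <= max_distance:
            return "typosquat", brand
        if brand in norm:
            return "brand_combo", brand
    return "unrelated", None


def triage(domains):
    """Map each domain to its verdict, dropping the genuine and unrelated ones."""
    return {d: classify(d) for d in domains if classify(d)[0] not in ("genuine", "unrelated")}


if __name__ == "__main__":
    for d, (verdict, brand) in triage(SAMPLE_AD_DOMAINS).items():
        print(f"{verdict:<12} {brand:<10} {d}")
```

The registrable-label split is naive (it treats the second-to-last label as the brand, so co.uk-style suffixes need a public suffix list), and folding rn to m will also alter legitimate words, which is why the exact-match checks run before normalization. In practice this check belongs on the final landing domain after redirects, not on the display URL in the ad snippet, which is the part the attacker controls.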

Some of the main tools you can use to prevent malvertising include:

  • Vulnerability and patch management software: Malvertising often exploits known vulnerabilities in systems, applications, or browsers. These tools can help ensure that web browsers (including plug-ins) are up-to-date with the latest security patches.
  • Web protection applications: Since malvertising campaigns often rely on connecting to malicious servers to download additional malware or steal information, blocking these connections can stop the attack in its tracks.
  • Ad blockers: These can filter out potential malvertising threats and prevent hazardous content from loading. Malwarebytes Browser Guard provides additional protection to standard ad-blocking features by covering a larger area of the attack chain all the way to domains controlled by attackers.

Download the Malwarebytes Threat Intelligence Threat Brief today for comprehensive insights on malvertising and its role in stealing credentials.

Download Now

OpenSSH trojan campaign targets Linux systems and IoT devices

Poorly configured Linux and Internet of Things (IoT) devices are at risk of compromise from a cryptojacking campaign, according to researchers at Microsoft. The attacks, which involve brute forcing a way into a system, are designed to profit from mining in illicit fashion for cryptocurrency.

Once the attackers have broken into their target system, a patched version of OpenSSH, the remote login tool, is downloaded from a remote server. The rogue version backdoors the hijacked system and steals credentials so that the attackers can keep their access for as long as possible.

As Microsoft explains:

Utilizing an established criminal infrastructure that has incorporated the use of a Southeast Asian financial institution’s subdomain as a command and control (C2) server, the threat actors behind the attack use a backdoor that deploys a wide array of tools and components such as rootkits and an IRC bot to steal device resources for mining operations. The backdoor also installs a patched version of OpenSSH on affected devices, allowing threat actors to hijack SSH credentials, move laterally within the network, and conceal malicious SSH connections. The complexity and scope of this attack are indicative of the efforts attackers make to evade detection.

A backdoor on the system checks to see if the hijacked device is a honeypot—a fake system set up by researchers or someone else to make an attacker think that they’ve compromised a genuine system when in reality everything the attacker does is being logged.

If it determines the system is a honeypot, it exits. If it determines that the system is the real thing, it begins a process of data exfiltration to a chosen email address. The data that is taken includes:

  • Operating system version
  • Network configuration
  • The contents of /etc/passwd and /etc/shadow

Open source rootkits are installed on systems that support them, and are used to further hide malicious files and processes running under the hood. Activity records are removed from various places on the system to mask any malicious presence, and additional tools are installed to clean up other logs which could reveal evidence of sign-ins.

Years ago you’d occasionally see adware programs try to remove rivals from a PC, in order to take all of the ad revenue for their creator. Here, we have something similar happening with the cryptomining tools used in this attack. The malware identifies rival mining processes by name and/or by their files, and then terminates the processes or blocks them outright. As a general point of order here, you don’t really want lots of rival programs fighting it out in your systems. It could easily lead to unstable performance. Even worse if the programs doing the fighting aren’t supposed to be there in the first place. They won’t be playing by any theoretical rules, and so you simply can’t predict what they’ll do to gain the upper hand.

Meanwhile, the patched version of OpenSSH is designed to look like the legitimate version and so may prove hard to detect. That’s not all, however. There’s botnet activity too. A portion of the install makes use of an open-source IRC bot with Distributed Denial of Service (DDoS) features.

Microsoft claims to have traced this particular campaign to a member of a hacking forum who offers several tools for sale in what may be a dedicated malware as a service operation. The operating system giant has some specific advice for those who may be worried about this attack impacting their business:

  • Harden internet-facing devices against attacks
  • Ensure secure configurations for devices: Change the default password to a strong one, and block SSH from external access.
  • Maintain device health with updates: Make sure devices are up to date with the latest firmware and patches.
  • Use least-privileges access: Use a secure virtual private network (VPN) service for remote access and restrict remote access to the device.
  • When possible, update OpenSSH to the latest version.
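The campaign above gets in by brute forcing SSH logins, which is exactly what the hardening advice is meant to stop. As an added example (not code from Microsoft or Malwarebytes), this Python snippet flags source addresses that pile up failed OpenSSH password attempts inside a short window, run over a constructed auth-log sample; the threshold, window size and the assumed log year are illustrative choices.

```python
# Added example: spot SSH brute-force sources in OpenSSH auth-log lines.
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the "Failed password" line sshd writes for each rejected attempt.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

def parse_failures(lines, year=2023):
    """Yield (timestamp, ip, user) for every failed-login line; skip the rest."""
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; assume one so they are comparable.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]

def brute_force_sources(lines, threshold=5, window_s=60):
    """Return {ip: peak failures seen inside one window} for IPs at/over threshold."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still in the window
    peak = {}
    for ts, ip, _user in sorted(parse_failures(lines)):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:  # drop stale attempts
            q.popleft()
        if len(q) >= threshold:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak

# Constructed sample log: one source hammering root/admin, one lone typo by a user.
SAMPLE_LOG = [
    "Jun 20 10:00:01 host sshd[101]: Failed password for root from 203.0.113.7 port 4000 ssh2",
    "Jun 20 10:00:03 host sshd[102]: Failed password for root from 203.0.113.7 port 4001 ssh2",
    "Jun 20 10:00:04 host sshd[103]: Failed password for invalid user admin from 203.0.113.7 port 4002 ssh2",
    "Jun 20 10:00:06 host sshd[104]: Failed password for root from 203.0.113.7 port 4003 ssh2",
    "Jun 20 10:00:07 host sshd[105]: Accepted publickey for deploy from 198.51.100.9 port 5000 ssh2",
    "Jun 20 10:00:09 host sshd[106]: Failed password for invalid user pi from 203.0.113.7 port 4004 ssh2",
    "Jun 20 10:05:00 host sshd[107]: Failed password for alice from 198.51.100.9 port 5001 ssh2",
]

if __name__ == "__main__":
    print(brute_force_sources(SAMPLE_LOG))  # {'203.0.113.7': 5}
```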

Malwarebytes EDR and MDR remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

9 basic security tips for seniors

Before we get into the tips: a caveat. We know many seniors who are digitally more up to date than people 20 years younger, but for those who aren’t, this guide is for you.

If you’re offended by the word seniors in the title, feel free to replace it with “computer illiterate people.” And keep in mind that this piece was written by a 60-year-old who happens to be the “computer guy” among his family and friends.

With the world’s increasing digitalization, even those who are not big fans of computers are compelled to use them for various urgent reasons. Seniors in a digital world can be overwhelmed by all the new technology. And just when you think you’ve caught up, something new’s been invented.

In security terms, it can feel like there’s a lot to do in order to keep your data and devices secure. Multiple passwords, reading through EULAs, website cookie notifications, and more. All of this can contribute to a serious case of security fatigue.

Many of today’s most dangerous threats are delivered through social engineering, i.e., by tricking users into giving up their data, or downloading malware from an infected email attachment. Therefore, knowing more about what not to click on and what not to download can keep a good portion of threats out the door.

So, with that in mind, here are 9 basic security tips for seniors:

  1. Do not click on links asking to fill out your personal information. Banks and other financial institutions will not send emails with links, especially if those links are asking you to update your personal information. If a website promises you something in return for filling out your personal data, they are likely phishing. In return for your data, you will probably get lots more annoying emails, possibly an infection, and no gift.
  2. Don’t fall for too-good-to-be-true schemes. If you get offered a service, product, or game for free, and it’s unclear how the producers of the service or item are making money, don’t take it. Chances are, you will pay in other ways, such as sitting through overly-obnoxious ads, paying for in-game or in-product purchases, or being bombarded with marketing emails or otherwise awful user experiences.
  3. Don’t believe pop-ups and phone calls saying your computer is infected. Unsolicited phone calls and websites that do this are known as tech support scams. The only programs that can tell if you have an infection are security platforms that either come built into your device or antimalware software that you’ve personally purchased or downloaded. Think about it: Microsoft does not monitor billions of computers just to call you as soon as it notices a virus on yours.
  4. Don’t download programs that call themselves system optimizers. We consider these types of software, including driver updaters and registry cleaners, potentially unwanted programs. Why? They do nothing helpful—instead, they often take over browser home pages, redirect to strange landing pages, add unnecessary toolbars, and even serve up a bunch of popup ads. While not technically dangerous themselves, they’re unneeded and could let other nasties in through the door.
  5. Disable web push notifications. These are almost never useful to the user, they can be easily spoofed, and they are regularly used for social engineering and obtrusive advertising purposes.
  6. Keep your browser up to date. Major browsers such as Firefox, Safari, and Chrome all have their own strengths and weaknesses, so it’s a matter of personal preference which one you use. However, browsers regularly have vulnerabilities, and any updates should be applied as soon as possible. Remember: You must restart your browser in order for updates to take effect.
  7. Look for HTTPS and the padlock sign. Just because there is a padlock next to the address bar doesn’t mean the site is safe, but it does mean all the traffic between your computer and the website is encrypted. That means that if someone tried to snoop on what you were sending the website, they’d get nowhere because the data would be scrambled.
  8. Use multi-factor authentication wherever you can. You can set this up on most sites, and it usually involves entering a code from either an app or a text message after you’ve entered your password. Bonus points for healthcare or banking organizations with logins that use passkeys, a hardware key, or behavioral biometrics.
  9. Use a password manager. They help you create and remember safe passwords and they won’t automatically put your passwords into fake sites, which helps you tell if something is a phishing site. This step might require some time and help from someone more technical, but it makes things much safer in the long run.

We don’t just write about threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

A week in security (June 19 – 25)

Last week on Malwarebytes Labs:

Stay safe!


5 facts to know about the Royal ransomware gang

When we first introduced the Royal ransomware gang in our November 2022 review, little did we know they’d rapidly evolve into one of the most potent threats in our ongoing monthly threat intelligence briefings.

In fact, the Malwarebytes Threat Intelligence team has tracked down a staggering 195 ransomware incidents credited to Royal from November 2022 to June 2023.


Known Royal attacks up to May 2023

These figures put Royal in a formidable third place for that time frame, trailing behind ALPHV (with 233 incidents) and the relentless LockBit (at 542 incidents).

In the rest of this post, we’ll be shedding some light on five key facts to know about the Royal ransomware gang.

1. 66% of their initial access is done through phishing

It seems there are three things certain in life: death, taxes, and phishing as a reliable attack vector.

Royal likes to send phishing emails with nasty PDFs attached. They have also been spotted using callback phishing attacks to lure victims into installing remote desktop malware.

Once someone falls for Royal’s phishing scam and ends up with malware on their computer, that malware tries to reach out to its command and control (C2) base. Then it starts downloading malicious tools to aid in lateral movement or exfiltration.

2. They have a massive USA bias

The Malwarebytes Threat Intelligence team found that 64% of Royal’s victims are from the USA.


Known Royal attacks up to May 2023 by country

For comparison, 43% of all known ransomware attacks in the same November 2022 to June 2023 period were on the USA. Among gangs with more than 50 attacks, Royal was second only to Black Basta (67%) in its share of attacks on the USA.

3. Cobalt Strike is one of the many legit tools they repurpose for malicious activities

Royal has been spotted using a host of legitimate tools to carry out their attacks under the radar. Just some of these tools include:

  • Cobalt Strike: A legitimate commercial penetration testing tool used to assess network security and simulate advanced threat actor tactics. Attackers use it for command and control, lateral movement, and exfiltration of sensitive data.
  • System Management (NSudo): NSudo allows administrators to run programs with full system rights. Attackers use it to execute malicious programs with elevated privileges.
  • PsExec (Microsoft Sysinternals): PsExec lets admins execute remote processes. Attackers use it to execute malware on remote systems.

By mimicking normal behavior, these tools can make it extremely difficult for IT teams and security solutions to detect any signs of malicious activities.

4. We’ve observed them reinfecting victims

Shortly after Royal rose to prominence in late 2022, a new customer joined the Malwarebytes Managed Detection and Response (MDR) service. The customer was previously a casualty of a Royal ransomware attack and thought they had dusted themselves off completely.

But soon after plugging in with us, we spotted some shady activities.


Malwarebytes MDR detecting “Ransomware.Royal” in the client’s network.

It turns out that Royal wasn’t content with having ‘merely’ attacked our customer once—they were still messing around in their system, potentially setting the stage for another damaging attack.

Fortunately, our EDR tech halted the ransomware in its tracks, and our MDR team managed to stop the post-ransomware havoc from spiraling further.

Still, it goes to show that Royal doesn’t simply move on after a successful attack; they stay engaged for future exploitation, if they can help it.

5. The Services, Wholesale, and Technology industries are their top victims

When we look at Royal ransomware’s victimology, no overwhelming pattern stands out like it does for Vice Society.


Known Royal attacks up to May 2023 by industry sector

Their victims per industry more or less match the averages across all ransomware gangs, suggesting they are sheer opportunists without a particular industry focus.

Like any ransomware gang, they leverage any potential vulnerabilities and security gaps across sectors, launching their attacks wherever they find the easiest point of entry. 

Getting the upper-hand against the Royal gang

Royal has made a big name for itself in a short amount of time.

While it looks like Royal will attack anyone they think is an easy target, it’s safe to say that organizations in the USA should be particularly wary of Royal considering their strong focus on that country.

We recommend that organizations across all sectors follow a few best practices to prevent (and recover from) ransomware attacks from every angle. That includes:

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes’ EDR anti-ransomware layer constantly monitors endpoint systems and automatically kills processes associated with ransomware activity, including Royal ransomware. 


Malwarebytes EDR blocking Royal ransomware On-Execution

In our Ransomware Emergency Kit, you’ll find more tips your organization needs to defend against RaaS gangs. 

Get the emergency kit