IT News

Explore the MakoLogics IT News for valuable insights and thought leadership on industry best practices in managed IT services and enterprise security updates.

Update your Cisco System Secure Client now to fix this AnyConnect bug

Cisco Secure Client is the fresh recipient of a fix to address a high-severity vulnerability related to improper permissions. The flaw allows attackers to potentially escalate privileges to the SYSTEM account.

From the vulnerability advisory:

A vulnerability in the client update feature of Cisco AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows could allow a low-privileged, authenticated, local attacker to elevate privileges to those of SYSTEM.

This vulnerability exists because improper permissions are assigned to a temporary directory that is created during the upgrade process. An attacker could exploit this vulnerability by abusing a specific function of the Windows installer process. A successful exploit could allow the attacker to execute code with SYSTEM privileges.

As Bleeping Computer notes, Secure Client allows for remote work thanks to a secure Virtual Private Network and also gives admins telemetry and endpoint management functionality. The attacks themselves do not need user interaction to get the exploitation ball rolling. Bleeping Computer also mentions that there is no current evidence to suggest active exploitation in the wild. With this in mind, there’s never been a better time to start patching. 

As with so many other vulnerabilities out there, there is no workaround for this issue. What this means is that if you’re delayed applying an update for whatever reason, there’s no way to put a band-aid over the wound until you’re ready to hit the update button. Your setup will simply remain at risk until you do it.

The vulnerable products are as follows:

Cisco AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows.

Note: For releases earlier than Release 5.0, Cisco Secure Client for Windows is known as Cisco AnyConnect Secure Mobility Client for Windows.

A number of products are not at risk from this issue; they are listed below. You’ll note that none of them are for Windows.

  • Cisco AnyConnect Secure Mobility Client for Linux
  • Cisco AnyConnect Secure Mobility Client for MacOS
  • Cisco Secure Client-AnyConnect for Android
  • Cisco Secure Client AnyConnect VPN for iOS
  • Cisco Secure Client for Linux
  • Cisco Secure Client for MacOS

This issue has been resolved with the release of Cisco Secure Client for Windows 5.0MR2, and AnyConnect Secure Mobility Client for Windows 4.10MR7. If you haven’t already done so, it’s time to check out the Cisco downloads page and make your network a little bit safer.


Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Warning: Victims’ faces placed on explicit images in sextortion scam

The FBI has issued a warning about criminals digitally manipulating people’s faces on to pornographic images—known as deepfaking—and then using those images to harass or extort money out of their victim in a practice known as sextortion.

The FBI said the victims include children. From the release:

The FBI continues to receive reports from victims, including minor children and non-consenting adults, whose photos or videos were altered into explicit content. The photos or videos are then publicly circulated on social media or pornographic websites, for the purpose of harassing victims or sextortion schemes.

To hear that children are now being inserted into deepfake creations is horrifying, though perhaps unsurprising. The way these attacks work is that potential victims are contacted through a variety of methods, most commonly by instant messaging apps. Here’s how the FBI describes sextortion:

Sextortion, which may violate several federal criminal statutes, involves coercing victims into providing sexually explicit photos or videos of themselves, then threatening to share them publicly or with the victim’s family and friends. The key motivators for this are a desire for more illicit content, financial gain, or to bully and harass others. Malicious actors have used manipulated photos or videos with the purpose of extorting victims for ransom or to gain compliance for other demands (e.g., sending nude photos).

There are a few different ways sextortion attacks can play out. One of the most basic forms is sending emails to people whose login details have been exposed in a password breach. The email claims to have nude photographs of the recipient, and threatens to release the photos unless the recipient pays up. There are no images; it’s all a lie.

The more traditional form of sextortion is where a fraudster convinces the person they’re speaking to that they’re interested in romance, obtains revealing images of the victim, and then uses those images for blackmail. The victim is asked to pay money, often wired or through digital currency, or else the images will be sent to the victim’s friends and family. As it’s usually easy to build up a picture of someone’s network on social media like Facebook and Twitter, the pressure may well be too much for the person on the receiving end of such a scam.

That’s how it usually works. With deepfakes on the scene, a lot of the pre-scam work can simply be discarded. Now fraudsters grab some photos of their target and feed those images into their faking tool of choice. All of that social engineering, and the possibility of the victim not falling for it and never sending revealing images, is done away with. Why bother, when you can just swipe a photograph and press a few buttons?

The end result is the same. In fact, it’s arguably much worse as the pornographic movie creations thrown together by these tools are almost always a lot more graphic than anything a target would probably come up with. The pressure to pay up is going to be immense, and realistically non-internet savvy relatives or friends may not have even heard the word “deepfake” before. What are the chances of them knowing a file landing in their mailbox is fraudulent?

There are several general pieces of advice we can give when talking about the different sextortion tactics which exist:

  • Don’t engage: report. If you’re shown evidence of stolen images, report to your local authorities and the FBI as soon as you can. Never engage with the sextortionist.
  • Be cautious about what you say to someone online. When asked certain questions, be vague and never give specifics.
  • Remember that online, people can pretend to be someone they’re not, and can even look and sound like a different person with today’s technology.
  • Personalize your security and privacy settings. Lock down your accounts as much as you can, and keep as much hidden from public view as possible.
  • Data is typically forever. Remember that once you send something to someone—whether they’re a stranger, a romantic partner, relative, or friend—you have no control over where it goes next.


Unveiling Nebula’s Report 2.0: A new approach to security reporting

We’re excited to announce Report 2.0, a major upgrade to our report system in Nebula. Report 2.0 is not just a cosmetic touch up—it’s a completely revamped security reporting solution designed to cater to your diverse business requirements, allowing for a more dynamic, data-driven approach to IT security.

Key features of Report 2.0

This upgrade comes as part of a three-phase solution to redefine our reporting capabilities. The core features of Report 2.0 include:

  • More Intuitive User Experience. The upgraded report system offers an intuitive user interface designed to lower barriers and improve visibility into your IT landscape. This feature enables you to make data-driven decisions, effectively enhancing your security approach.
  • Enhanced Visibility. The new system offers an insightful view of your security posture, demonstrating the value Malwarebytes delivers, at your preferred frequency.
  • Integrated Functionality. With the aim of lowering reliance on third-party solutions, Report 2.0 is an integrated solution with all functionalities accessible within the console.
  • Pre-built Report Library. Our new feature includes an expanded library of pre-built report widgets. This comprehensive collection addresses common use cases, complete with interpretations and recommendations, giving you a head start in your reporting tasks.

More formats, better customization

Previously, reports could only be generated in a CSV file format. They displayed various information related to detections of malware, endpoints, logged endpoint events, quarantined items, and detailed information on identified assets.

The new system offers a more comprehensive, engaging reporting experience.

Reports are no longer limited to CSV files: you can now generate reports in PDF format, with charts and graphs included where applicable. An Excel format will be added soon.

Reports can now be sent to multiple recipients, both console and non-console users, with the ability to include or exclude the report creator. An open text field has also been added, allowing for personalized introductions to the reports.


New Report Scheduling Modal


New Email notification

New report types and widgets

Report 2.0 initially introduces the PDF format to the following existing reports as part of a phased rollout:

  • Endpoint Summary
  • Software Inventory Summary
  • Quarantine Summary
  • Events Summary
  • Detection summary

Each report now comes with widgets to capture specific data sets, custom date ranges, and formatted charts. These widgets offer a detailed breakdown that allows for close monitoring of potential threats and strategizing accordingly.

For example, in the ‘Detection Summary’ report, widgets are used to display the total detections, endpoints with the most detections, detections by group and threat category, most frequently detected threats, and detections per day.


Detection Summary report

From ‘Endpoint Summary’ to ‘Software Inventory Summary’, ‘Quarantine Summary’ and ‘Events Summary’, each report offers a comprehensive view of your security landscape.


Endpoint Summary report

Software Inventory report

Quarantine summary

Events summary

Onwards and upwards

We’re thrilled to bring this new feature to our customers, making your experience with Nebula’s reporting more effective and insightful. Learn more about Report 2.0 here!

Not a current Nebula user interested in getting started? Reach out for a free trial.

Update Chrome now! Google patches actively exploited zero-day

Google has released an update which includes two security fixes. One of these is for a zero-day for which Google says it is aware that an exploit exists in the wild.

How to protect yourself

If you’re a Chrome user on Windows, Mac, or Linux, you should update as soon as possible. Android users will also find an update waiting.

The easiest way to update Chrome is to allow it to update automatically, which basically uses the same method as outlined below but does not require your attention. But you can end up lagging behind if you never close the browser or if something goes wrong—such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time, given the severity of the vulnerabilities in this batch. My preferred method is to have Chrome open the page chrome://settings/help which you can also find by clicking Settings > About Chrome.

If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete.

Screenshot: Chrome is up to date

After the update the version should be 114.0.5735.106 for Mac and Linux, and 114.0.5735.110 for Windows, or later.

Zero day

Google never gives out a lot of information about vulnerabilities, for obvious reasons. Access to bug details and links may be kept restricted until a majority of users are updated with a fix. However, from the update page we can learn a few things.

The vulnerability was reported by Clément Lecigne of Google’s Threat Analysis Group. This could indicate that Google found this vulnerability while researching an active attack, which matches the fact that an exploit for the vulnerability exists in the wild.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVE for the zero-day is:

CVE-2023-3079: a type confusion in V8 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Type confusion vulnerabilities are programming flaws that happen when a piece of code doesn’t verify the type of object that is passed to it before using it. Type confusion can allow an attacker to feed function pointers or data into the wrong piece of code. In some cases, this can lead to code execution.

In other cases, a type confusion vulnerability leads to an arbitrary heap write, or heap spray. Heap spraying is a method typically used in exploits that places large amounts of code in a memory location that the attacker expects to be read. Usually, these bits of code point to the start of the actual code that the exploit wants to run in order to compromise the system that is under attack.

At the heart of every modern web browser sits a JavaScript interpreter, a component that does much of the heavy lifting for interactive web apps. In Chrome, that interpreter is V8.

An attacker can exploit this vulnerability by using a specially crafted piece of HyperText Markup Language (HTML). It needs user interaction, which could be easier than it sounds. HTML is the standard markup language for documents designed to be displayed in a web browser and these documents (webpages) can contain JavaScript. Potentially this means that by opening the wrong website, which contains such a specially crafted JavaScript, the browser could be compromised.

Users of other Chromium based browsers, like Edge, should be on the lookout for updates as well, as this one is likely to affect all Chromium based browsers.


We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Cl0p ransomware gang claims first victims of the MOVEit vulnerability

On Friday June 2, 2023 we reported about a MOVEit Transfer vulnerability that was actively being exploited. If your organization uses MOVEit Transfer and you haven’t patched yet, it really is time to move it.

Excuse the bad pun, but yesterday we saw the first victims of this vulnerability come forward. MOVEit Transfer is a widely used file transfer software which encrypts files and uses secure File Transfer Protocols to transfer data. As such, it has a large userbase in healthcare, education, US federal and state government, and financial institutions.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. On Friday the CVE had not been assigned yet, but this vulnerability has now been listed as:

CVE-2023-34362: In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer’s database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. All versions (e.g., 2020.0 and 2019x) before the five explicitly mentioned versions are affected, including older unsupported versions.

Microsoft says that the group behind the attacks on MOVEit instances is the Lace Tempest group, which is a known ransomware operator and runs the extortion website Cl0p. This was confirmed by a Cl0p representative to Bleeping Computer, who also said that the criminals started exploiting the vulnerability on May 27th, during the US Memorial Day holiday.

We saw a similar scenario unfold in March which caused Cl0p to occupy the first place as most used ransomware in our Ransomware Review for that month. Contributing to Cl0p’s rise to the number one spot was its extensive GoAnywhere campaign. The group successfully breached over 104 organizations by taking advantage of a zero-day vulnerability in the widely-used managed file transfer software, GoAnywhere MFT.

As we have pointed out before, ransomware gangs can afford to play the long game now. And some of them do. When you have hundreds or maybe even thousands of victims to choose from, you start with the juiciest ones that are most likely to pay.

Payroll provider Zellis, which serves British Airways and the BBC, would be a good example of that. Pharmacy chain Boots, which employs more than 57,000 people in the UK and Ireland, has also announced that it has been impacted.

A Reuters reporter that has an inside contact in the Cl0p ransomware gang tweeted a screenshot of his contact saying that the military, gov(ernment), children’s hospitals, and police would not be attacked.

screenshot of conversation with Cl0p representative (explained below)

The same was repeated by BleepingComputer’s contact. But this is no guarantee, and in the end they may not be able to resist the urge to steal data from those networks anyway.

All this means that if your organization uses MOVEit Transfer and it is internet facing, you should assume that your network has been breached. The fact that you haven’t noticed anything yet probably means you are low on the list of desirable targets. It does NOT mean you got away lucky and simply patching the vulnerability is enough.

What needs to be done

First of all, MOVEit Transfer users should visit the Progress security bulletin about this vulnerability and bookmark it. You can find the latest advice, Indicators of Compromise (IOCs), affected versions, and available patches there.

The advice, in short (detailed instructions are on that page), is to:

  1. Disable all HTTP and HTTPS traffic to your MOVEit Transfer environment.
  2. Delete unauthorized files and user accounts.
  3. Reset service account credentials for affected systems and the MOVEit Service Account.
  4. Apply the patch or upgrade.
  5. Verify to confirm the files have been successfully deleted and no unauthorized accounts remain.
  6. Re-enable all HTTP and HTTPS traffic to your MOVEit Transfer environment.
  7. Continue to monitor your network, endpoints, and logs for IoCs.

Additionally, users of MOVEit Transfer with Microsoft Azure integration should take immediate action to rotate their Azure storage keys.

In our previous post about this vulnerability I mentioned a few tools to help you find the malicious artifacts:

Malwarebytes detects the malicious webshell C:\MOVEitTransfer\wwwroot\human2.aspx as Exploit.Silock.MOVEit and blocks five malicious IP addresses—138.197.152.201, 209.97.137.33, 5.252.191.0/24, 148.113.152.144, 89.39.105.108—that were found to be looking for vulnerable systems.

Screenshot of IP blocks in Nebula
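To make step 7 concrete, here is an added example (not Progress or Malwarebytes code) that runs the indicators quoted above over IIS W3C log lines: it matches client addresses against the five listed entries (one of which is a whole /24 range) and flags requests to the human2.aspx path. The log sample, the field order, and the benign request paths are constructed assumptions; take the real field order from your log’s `#Fields:` header.

```python
import ipaddress

# Indicators quoted in the post above: the webshell file name and the five
# blocked IP entries (one of them, 5.252.191.0/24, is a whole /24 range).
MALICIOUS_NETWORKS = [
    ipaddress.ip_network(entry)
    for entry in ("138.197.152.201", "209.97.137.33", "5.252.191.0/24",
                  "148.113.152.144", "89.39.105.108")
]
WEBSHELL_NAME = "human2.aspx"

# Assumed IIS W3C field order; copy the real order from the '#Fields:' header
# of the log you are scanning.
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status"]


def parse_line(line):
    """Split one W3C log line into a dict; None for header or short lines."""
    if line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def is_malicious_ip(ip_text):
    """True if the client address falls in any listed host or /24 range."""
    try:
        address = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(address in network for network in MALICIOUS_NETWORKS)


def scan_iis_log(lines):
    """Return (line_number, reason) for every line matching an indicator."""
    hits = []
    for number, line in enumerate(lines, start=1):
        record = parse_line(line)
        if record is None:
            continue
        reasons = []
        if is_malicious_ip(record["c-ip"]):
            reasons.append("client IP %s is on the block list" % record["c-ip"])
        if record["cs-uri-stem"].lower().endswith("/" + WEBSHELL_NAME):
            reasons.append("request to webshell path %s" % record["cs-uri-stem"])
        if reasons:
            hits.append((number, "; ".join(reasons)))
    return hits


# Constructed sample log (not real traffic): a header, a benign request, a POST
# to the webshell from inside the /24 range, a probe from a listed host, benign.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-05-28 03:12:44 10.0.0.5 GET /login - 443 - 198.51.100.7 Mozilla/5.0 200
2023-05-28 03:13:02 10.0.0.5 POST /human2.aspx - 443 - 5.252.191.77 Mozilla/5.0 200
2023-05-28 03:13:09 10.0.0.5 GET / - 443 - 138.197.152.201 python-requests/2.28 200
2023-05-28 09:40:11 10.0.0.5 GET /api/v1/folders - 443 alice 203.0.113.9 Mozilla/5.0 200
"""


def scan_sample():
    """Run the scan over the constructed sample; lines 3 and 4 should be flagged."""
    return scan_iis_log(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for number, reason in scan_sample():
        print("line %d: %s" % (number, reason))
```

A hit on the webshell path from any address, not just the listed ones, is the stronger signal, since the scanners’ addresses change and the list above is only what was seen so far.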



The 2023 State of Ransomware in Education: 84% increase in attacks over 6-month period

This article is based on research by Marcelo Rivero, Malwarebytes’ ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, “known attacks” are those where the victim didn’t pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher. For regular ransomware gang updates, check out our monthly ransomware reviews.

Ransomware gangs have made the past year a hard one for the education sector.

Between June 2022 and May 2023, there were 190 known ransomware attacks against educational institutions, and many more that went unreported and unrecorded. Between the first and second six months of that period, education experienced an 84% increase in attacks.

Known ransomware attacks against education, June 2022-May 2023

Although the attacks were carried out by a large number of different ransomware gangs, one in particular was responsible for the lion’s share (23%). Vice Society is a gang that specializes in attacking education, and almost half of its activity (43%) is directed against the sector.

Distribution of Vice Society attacks vs other ransomware gangs, June 2022-May 2023

Further findings from the data show that, while ransomware attacks against education are a global phenomenon, the USA (with 56% of known attacks) and the UK (with 15%) were the most frequently attacked countries between June 2022 and May 2023.

We’ll spend the rest of this blog breaking down attacks on education by gangs, countries, and which gangs attack which countries the most.

The Threat Landscape

The leading gangs that targeted the education sector between June 2022 and May 2023 include Vice Society with 43 attacks, LockBit with 33, BianLian (18), Royal (16), and AvosLocker (15).

A few of the educational institutions attacked in the last year include De Montfort School, Cincinnati State, and one that made national headlines in September: Los Angeles Unified, the second largest school district in the US. The stakes are no joke: schools and colleges have suffered an estimated 1,600 days of downtime due to ransomware attacks, and the average cost of a ransomware breach was $4.54 million in 2022.


Top ten ransomware used in attacks against education, June 2022-May 2023

In total, 26 separate ransomware-as-a-service gangs contributed to the onslaught on education.

Geographic Distribution

When we break down education sector attacks by country, it becomes clear that no region is safe from ransomware. The USA bore the brunt, with 107 reported attacks.


Known attacks on education by country, June 2022-May 2023

The United Kingdom followed distantly with 28 known attacks, while other countries like Canada, Germany, Brazil, and others also fell prey to these cybercriminals.

Comparatively speaking, however, the education sector in the UK suffered far more than in other countries. Education was the target in 15% of known attacks in the UK from June 2022 to May 2023, compared to only 3% in France, 4% in Germany, and 8% in the USA.

The Gang-Country Dynamics

In general, the ransomware activity of the top gangs seems to adhere to a common trend: Most of them spread their attacks across multiple countries, displaying a diverse geographical targeting.

However, we do find an intriguing outlier that challenges the established patterns: Vice Society’s strong focus on the United Kingdom. Vice Society was responsible for 66% of known attacks on UK education institutions May 2022 to April 2023.


UK education ransomware attacks by gang, June 2022-May 2023

It is worth remembering that our numbers only reflect attacks where a ransom wasn’t paid, and the true number of attacks is far larger.

This activity is distinct from the typical spread of ransomware attacks seen among other top gangs, which generally have a more balanced distribution across several countries, including the United States, Canada, and various European countries, charted below.


USA education ransomware attacks by gang, June 2022-May 2023


Global education ransomware attacks by gang, June 2022-May 2023

Looking Ahead

To recap, our key findings include:

  • A significant increase in attacks: The education sector experienced a steep rise in ransomware attacks, with an 84% increase observed over a 6-month period. This was the third highest increase among all monitored sectors.
  • Leading ransomware gangs: Vice Society was the most active ransomware gang in the education sector, responsible for 23% of all attacks. LockBit and BianLian also targeted the sector heavily, alongside a host of other groups.
  • Geographic distribution: The USA bore the brunt of the attacks, accounting for more than 50% of the total, while the UK accounted for 15%. However, relative to the total number of attacks in each country, the education sector in the UK was targeted more frequently.
  • Vice Society’s unusual UK focus: Vice Society focused heavily on the UK education sector, responsible for 64% of all known ransomware attacks on this sector. This contrasts with the typical distribution of ransomware gangs in a given country, which is usually spread more or less proportionally.

Looking ahead, it is anticipated the trend of ransomware gangs targeting the education sector will persist or even intensify. The reality is that tight budgets of many educational institutions force them to struggle with outdated equipment and limited staff, making them an easy target for ransomware gangs. 

But with knowledge comes power. The more the education sector knows about ransomware threats like Vice Society, the better prepared they are to defend against them.

Learn more about Vice Society attacks on education and how to protect against them with the Malwarebytes Threat Intelligence Threat Brief: Vice Society.

Download the Threat Brief

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Information stealer compromises legitimate sites to attack other sites

Security researchers at Akamai have published a blog about a new Magecart-alike web skimming campaign that uses compromised legitimate sites as command and control (C2) servers.

A web skimmer is a piece of malicious code embedded in web payment pages to steal personally identifiable information (PII) and credit card details from customers of the site.

Since the code is executed on the client’s side, the malicious behavior is hard to detect by the website’s owner since it will not be picked up by web application firewalls (WAFs) and other measures to keep the server safe.

This campaign is different since it relies on legitimate but compromised sites to make the traffic look genuine. Since these sites normally operate as legitimate businesses, they are less likely to raise suspicion when connecting to a victim. The target sites are running digital content management systems like Magento, WooCommerce, WordPress, and Shopify, but contain a variety of vulnerabilities.

The Akamai researchers uncovered numerous digital commerce websites that have fallen victim, and say that it is reasonable to assume that there are additional legitimate websites that have been exploited as part of this extensive campaign.

Some of the victim organizations see hundreds of thousands of visitors per month, which could potentially result in thousands of victims having their credit card data and PII stolen. This is especially concerning because the campaign went unnoticed for close to a month on many of the victim sites.

In this campaign there were two kinds of victim sites:

  • Host victims: Legitimate websites that are hijacked for the purpose of hosting the malicious code used in the attack. They are compromised to behave as an attacker-controlled server.
  • Web skimming victims: Instead of directly injecting the attack code into the website’s resources, the attackers employ small JavaScript code snippets as loaders to fetch the full attack code from the host victim website.

In some cases, the exploited host websites appear to have been abused in both ways.

The code used on the web skimming victims is designed to look like popular third-party services such as Google Tag Manager or Facebook Pixel. This method is popular among web skimmers because it helps the malicious code blend in seamlessly, disguising its true intentions.

CMS security in a nutshell

Spilling your customers’ PII and credit card details can be very damaging for your reputation, so it’s important to make sure they can visit and use your website safely.

There are a few obvious and easy-to-remember rules to keep in mind if you want to use a CMS without compromising your security:

  • Choose your CMS with both functionality and security in mind
  • Choose your plug-ins wisely
  • Update as soon as you can
  • Keep track of the changes to your site and their source code
  • Use 2FA
  • Give user permissions (and their levels of access) a lot of thought
  • Be wary of SQL injection
  • If you allow uploads, limit the type of files to non-executables and monitor them closely.

For websites that require even more security, there are specialized vulnerability scanners and application firewalls that you may want to look into. This is especially true if you are a popular target for people that would love to deface or abuse your website.

If the CMS is hosted on your own servers, be aware that this setup comes with additional risks. Use network segmentation to keep the website server separated from other work servers.

IOCs

Malwarebytes Browser Guard blocks the receiving domains of the stolen data:

byvlsa.com

chatwareopenalgroup.net

Malwarebytes blocks chatwareopenalgroup.net
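Because the loaders described above are written to look like Google Tag Manager or Facebook Pixel snippets, judging a script by its appearance is unreliable; judging it by the host it actually loads from is not. The following added example (not Akamai’s or Malwarebytes’ code) audits a page’s script tags, including URLs hidden inside inline loader snippets, against an allowlist of expected script hosts and the two receiving domains listed under IOCs. The sample HTML, the allowlist, and the shop-example.test host are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Receiving domains listed under IOCs in the post.
KNOWN_EXFIL_DOMAINS = {"byvlsa.com", "chatwareopenalgroup.net"}

# Hosts this site expects to load scripts from (assumed allowlist; edit per site).
EXPECTED_SCRIPT_HOSTS = {"www.googletagmanager.com", "connect.facebook.net"}

URL_RE = re.compile(r"https?://[^\s'\"<>()]+")


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_inline = False
        self._buffer = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buffer = []

    def handle_data(self, data):
        if self._in_inline:
            self._buffer.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self.inline.append("".join(self._buffer))
            self._in_inline = False


def host_of(url):
    """Lower-case host of an absolute or protocol-relative URL ('' if none)."""
    if url.startswith("//"):
        url = "https:" + url
    return (urlparse(url).hostname or "").lower()


def classify_host(host):
    """Verdict for a script host: listed exfil domain, outside allowlist, or fine."""
    if host in KNOWN_EXFIL_DOMAINS or any(host.endswith("." + d) for d in KNOWN_EXFIL_DOMAINS):
        return "known-exfil-domain"
    if host and host not in EXPECTED_SCRIPT_HOSTS:
        return "unexpected-script-host"
    return None


def audit_scripts(html):
    """Return (finding, url) pairs for script sources outside the allowlist."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        verdict = classify_host(host_of(src))
        if verdict:
            findings.append((verdict, src))
    # Loaders hide the real source inside an inline snippet; pull any URL out of it.
    for body in collector.inline:
        for url in URL_RE.findall(body):
            verdict = classify_host(host_of(url))
            if verdict:
                findings.append(("inline-" + verdict, url))
    return findings


# Constructed page: a genuine-looking tag-manager include, a lookalike loader that
# pulls its code from a fictional compromised shop, and a script from a listed domain.
SAMPLE_HTML = """<html><head>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE"></script>
<script>
(function(){var s=document.createElement('script');
s.src='https://shop-example.test/static/gtm.js';document.head.appendChild(s);})();
</script>
<script src="//chatwareopenalgroup.net/js/analytics.js"></script>
</head><body></body></html>"""


def audit_sample():
    """Audit the constructed page; the GTM include passes, the other two are flagged."""
    return audit_scripts(SAMPLE_HTML)


if __name__ == "__main__":
    for finding, url in audit_sample():
        print(finding, url)
```

Run it against a saved copy of each payment page on a schedule and diff the findings; a new host appearing in the output is the change-tracking signal the CMS rules below ask for.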



5 unusual cybersecurity tips that actually work

So, you’re on top of your software updates, you use a password manager, you’ve enabled two-factor authentication wherever you can, you’ve got BrowserGuard installed, and you’re running Malwarebytes Premium.

If you’re doing all of that you’re already winning at security. But you want more, because you know that security is a journey and not a destination, and, let’s face it, you’re reading an article about five unusual cybersecurity tips: You’re hooked.

It’s time to innovate and get weird. It’s time to shake off that special feeling, start lying, forget everything you’ve been told about passwords, spin up a million email addresses, and start throwing away computers for fun.

It’s time for five unusual cybersecurity tips that actually work:

1. Lie

Generally speaking, the fewer pieces of data you hand out, the safer you are. If a site is asking for data you don’t want to share, remember: Sometimes it’s OK to lie.

If a site wants a phone number and you don’t want them to call you, fake it. (00000000000 is surprisingly effective.) If the site won’t accept your made up number, don’t worry. Lists of fake numbers that look right for your country but don’t work are a short Google search away. It works for other data too, even fake credit card numbers—you won’t be able to buy anything with one, but neither will anyone who steals it.

2. Stop thinking you’re special

Everyone is a star in their own story, so when we unexpectedly get a message from a lonely young Russian lady who’s recently moved to our town, a Nigerian Prince promises us riches, “Keanu Reeves” follows us on Instagram, or we stumble upon the crypto-opportunity of a lifetime, our exceptionalism can kick in.

If it happened to somebody else, we’d be sceptical, but when it happens to us…well, we had a feeling our luck was about to turn! Burst that bubble. If something looks too good to be true, it isn’t because you’re special, it’s because it IS too good to be true. Sorry.

3. Forget strong passwords

For years you’ve been told to make unreadable passwords with a mix of uppercase letters, lowercase letters, and wacky characters. That is still important, but reusing passwords over and over again is actually much worse than having lots of different, weaker, passwords.

If a thief can steal your password from anywhere, they will try to use it everywhere, and if the same password works everywhere, you’ve lost everything. Your goal should be to create a new password for each service you use. Focus on simply avoiding really awful passwords, like “password” or “12345”, and save the unreadable passwords for things that really matter, like your bank.

4. Use endless email addresses

Look at your inbox for a few minutes and you’ll probably start to wonder “how did they get my email address?” In between the messages from friends and colleagues, and the newsletters you signed up for but never read, there is always a smattering of speculative nonsense from people who have no business using your email address.

One way of getting on top of that problem is to use a different email address for each account you sign up for. Apple will do this for you with its Hide My Email feature, and if you use Gmail you can just add a “+” to the name part of your address followed by anything you like, e.g. john.doe+malwarebytes@gmail.com.

Each unique address should only get messages from the site where you used it. If any other sites use it, you know that your data has been leaked, stolen or sold. If that happens, block the email address and consider closing your account on that site.
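The "who leaked my address?" check above can be automated: keep a note of which plus-tag you gave to which site, then flag any message where a tagged address arrives from a different sender domain. This is an added example, not code from the original article; the tag registry and the sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed registry: which plus-tag was handed to which site (the user keeps this).
TAG_REGISTRY = {"shop": "shop.example", "bank": "bank.example"}
MAILBOX = "john.doe@gmail.com"

def split_plus_tag(address):
    """'john.doe+shop@gmail.com' -> ('john.doe@gmail.com', 'shop'); tag is '' if absent."""
    local, _, domain = address.lower().partition("@")
    base, _, tag = local.partition("+")
    return f"{base}@{domain}", tag

def sender_domain(from_header):
    return parseaddr(from_header)[1].rpartition("@")[2].lower()

def classify(raw_message, registry=TAG_REGISTRY):
    """Return (tag, verdict): 'ok' when the sender is the site the tag was given to,
    'leaked' when a registered tag arrives from an unrelated domain, else 'untagged'."""
    msg = message_from_string(raw_message)
    domain = sender_domain(msg.get("From", ""))
    for value in msg.get_all("To", []) + msg.get_all("Cc", []):
        base, tag = split_plus_tag(parseaddr(value)[1])
        if base != MAILBOX or tag not in registry:
            continue  # not one of our tagged addresses
        expected = registry[tag]
        if domain == expected or domain.endswith("." + expected):
            return tag, "ok"  # subdomains of the registered site are fine
        return tag, "leaked"
    return "", "untagged"

def leaked_tags(raw_messages, registry=TAG_REGISTRY):
    """Map each leaked tag to the sorted list of domains that misused it."""
    leaks = {}
    for raw in raw_messages:
        tag, verdict = classify(raw, registry)
        if verdict == "leaked":
            leaks.setdefault(tag, set()).add(sender_domain(message_from_string(raw)["From"]))
    return {tag: sorted(domains) for tag, domains in leaks.items()}

# Constructed sample messages (headers only); the second one shows a leaked tag.
SAMPLE_MESSAGES = [
    "From: Shop <orders@shop.example>\nTo: john.doe+shop@gmail.com\nSubject: Order\n\n",
    "From: Promo <win@prizes.invalid>\nTo: John <john.doe+shop@gmail.com>\nSubject: Won\n\n",
    "From: Bank <alerts@mail.bank.example>\nTo: john.doe+bank@gmail.com\nSubject: Alert\n\n",
    "From: Pal <pal@friend.example>\nTo: john.doe@gmail.com\nSubject: Hi\n\n",
]

if __name__ == "__main__":
    print(leaked_tags(SAMPLE_MESSAGES))  # {'shop': ['prizes.invalid']}
```

The From header is trivially forged, so treat a hit as a prompt to check the site in question rather than as proof of who leaked the address.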

5. Throw your computer away

If you want to stay super-safe, just browse the internet using a computer with no sensitive data on it, and throw it away when you’ve finished. Simple!

OK, it sounds expensive, but you can do it for free with tools like Oracle’s VirtualBox. Virtual Machines (VMs) are computers made of software instead of plastic, metal, and silicon, that run on your computer just like any other program. You can run Windows, your web browser of choice, and all your other favourite apps inside a VM, where they are totally isolated from your real computer.

Like trips to Vegas, whatever happens on a VM stays on a VM. And because VMs can be cloned, rolled back, or destroyed with a mouse click, if anything bad happens on yours you can simply trash it and start a new one.

If you’ve got an unusual cybersecurity tip, we’d love to hear it. Leave it in the comments below.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Play ransomware gang compromises Spanish bank, threatens to leak files

Ransomware is creating additional work for a major Spanish bank. Globalcaja, said to have more than 300 offices in Spain and close to half a million customers, has fallen victim to the Play ransomware gang.

The gang claim to have swiped both private and personal information in the attack—including passport scans, contracts, and client / employee documents—which happened last week, but have not revealed exactly how much has been taken. The bank released a statement on June 2, which reads as follows:

Yesterday, we registered a cyber incident, consisting of a computer attack on some local computers through a type #ransomware virus.

It has not affected the transaction of the entity (neither the accounts nor the agreements of the clients have been compromised), so it can operate with total normality in electronic banking (Ruralvía), as well as in ATMs.

From the outset, in #Globalcaja we activated the security protocol created for this purpose, which led us, out of prudence, to disable some office posts, temporarily limiting the performance of some operations.

We continue to work hard to finish normalizing the situation and analyze what happened, prioritizing security at all times.

We apologize for any inconvenience caused.

According to The Record, the bank has not said whether or not a ransom will be paid to the attackers. If there is a bright side here, it’s that people’s actual accounts and transactions have not been accessed. If the bank chooses not to pay the ransom, however, everything taken may be dumped online. Considering the haul is supposed to include passport scans and more, this may still end up causing many problems for those folks in the stolen data.

The Play Ransomware group will quite happily leak data in cases where no ransom is forthcoming. Data taken from the city of Oklahoma was leaked in small amounts in March of this year, after several service shutdowns caused by Play brought the city to a standstill. Elsewhere, the gang brought the city of Antwerp to a grinding halt (do you see a pattern here?) with a similar ransomware outbreak. They’re also responsible for the H-Hotel attack which followed the classic ransomware pattern of disrupt and exfiltrate where possible.

There’s no additional information on offer from Globalcaja, so if you’re a customer or client you’ll have to keep an eye on its website and social media channels for updates in the short term. The supposed publication date for the pilfered information is June 11, so the clock is most definitely ticking.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.


Vice Society: The #1 cyberthreat to schools, colleges, and universities

This article is based on research by Marcelo Rivero, Malwarebytes’ ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, “known attacks” are those where the victim didn’t pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher.

According to a recent Malwarebytes Threat Brief, in the last 12 months, the Vice Society ransomware gang has conducted more known attacks against education targets globally, and in the USA and the UK individually, than any other ransomware group.

Known ransomware attacks against education by gang, May 2022-April 2023

Although attacks on education have been a staple of the ransomware ecosystem for years, Vice Society appears to have specialised in delivering misery to schools, colleges, and universities in a highly unusual way.

Education accounts for a huge proportion of known Vice Society attacks. Between April 2022 and March 2023, 39% of the gang’s attacks hit education, compared to an average of just 4% across all the other ransomware groups tracked by Malwarebytes.

Vice Society’s targeting of education is undoubtedly deliberate and has likely allowed the gang to develop domain-specific techniques and expertise.

The result is that Vice Society is the most prolific attacker of education institutions in the two most attacked countries in the world: the USA and the UK. In the USA, Vice Society is the most active among a group of gangs. In the UK, Vice Society accounts for a staggering proportion of known ransomware attacks on education—almost 70%.

The stakes for education could not be higher. In a modern ransomware attack the target is an entire organisation, not just one or two computers. The attackers’ aim is to put the organisation in an unbearable position by stopping it from functioning, and then demanding a ransom that can stretch to millions of dollars.

It is a challenge for any organisation to fight off a determined ransomware gang like Vice Society, but schools face the added pressure of doing so in a notoriously tight budgetary environment.

According to the Education Data Initiative, “Public education spending in the United States falls short of global benchmarks and lags behind economic growth.” In the UK, education has suffered a significant drop in funding in the last decade, according to the non-partisan Education Policy Institute. School budgets are tight and institutions are understandably keen to direct their budgets at things that directly benefit pupils.

Schools, colleges, and universities must somehow reconcile tight budgets with the need to deploy a sophisticated enough detection and response capability to find and evict stealthy adversaries like Vice Society.

To learn more about Vice Society attacks on education and how to protect against them, download the Malwarebytes Threat Intelligence Threat Brief: Vice Society.