IT News

Malwarebytes Premium earned a perfect score in the latest AVLab Cybersecurity Foundation “Advanced In-The-Wild Malware Test,” catching and stopping 100% of malware samples, outperforming multiple competitors in the field, and continuing a longstanding tradition of proven, perfect protection for users.

In the January evaluation, Malwarebytes Premium for Windows detected and blocked 380 out of 380 malware samples, with 69% (263 samples) detected “pre-launch” and 31% (117 samples) detected “post-launch.” The time to remediation was just 41 seconds—quicker than nearly every single competitor that also blocked all malware samples in the test.

For its performance and results, Malwarebytes obtained an “Excellent” award badge from AVLab.

Comprised of a small team of cybersecurity and information security experts, AVLab Cybersecurity Foundation regularly evaluations cybersecurity vendors on the performance of their products.

To ensure that the organization’s evaluations reflect current cyberthreats, each round of testing follows three steps:

1. Collecting and verifying in-the-wild malware: AVLab regularly collects malware samples from malicious and active URLs, testing the malware samples to understand their impact to networks and endpoints.
2. Simulating a real-world scenario in testing: To recreate how a real-life cyberattack would occur, AVLab uses the Firefox web browser to engage with the known, malicious URLs collected in the step prior. In the most recent test, AVLab emphasized the potential for these URLs to be sent over instant messaging platforms, including Discord and Telegram.
3. Incident recovery time assessment: With the various cybersecurity products installed, AVLab measures whether the evaluated product detects a malware sample, when it detects a sample, and how long it took to detect that sample. The last metric is referred to as “Remediation Time.”

In the January evaluation, AVLab tested 12 cybersecurity products (one of which included ThreatDown, powered by Malwarebytes). Just more than half of the products blocked 100% of the malware samples tested, and of those products, only one had a quicker Remeditation Time than Malwarebytes Premium for Windows.

Notably, the default cybersecurity program that many users rely on—Microsoft Defender—failed to detect and block two malware samples.

The work conducted by AVLav and other independent, third-party testers is vital to a transparent cybersecurity market. Users should not have to rely solely on the words of cybersecurity vendors, and vendors should be willing to submit their products to external reviews.

Malwarebytes is proud to once again achieve a 100% score with AVLab’s Advanced In-The-Wild Malware Test, a trusted resource that proves our commitment to user safety.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

ThreatDown is happy to announce that our Vulnerability Assessment and Patch Management (VPM) tool is now available for Mac endpoints. 

There are hundreds of third-party apps that Mac endpoint use on a daily basis—and with that large number of apps comes a dizzying amount of software updates to apply on a rolling basis. 

With VPM for Mac, Nebula and OneView users can now easily find missing updates and install them to take care of the large volume of software updates in third-party applications on Mac endpoints. Some key features include: 

• Single, lightweight agent: Updates install in minutes, using the same agent and cloud-based console that powers all ThreatDown endpoint security technologies. 
• Quick scans: Identifies software updates dates in modern and legacy applications in less than a minute. 
• Install software updates easily: Create a schedule to install third-party software updates regularly. 

Let’s dive into how to set up software updates for Mac endpoints with ThreatDown VPM.

Configuring VPM for Mac 

To configure VPM for Mac in Nebula/OneView: 

1. Go to Configure > Policies 

2. Create a new policy or select an existing policy. 

3. Click the Software management tab. 

4. Check mark Allow scanning for known vulnerabilities in installed software Mac endpoints.  

5. Click Save.  

In order to be able to apply software updates, users need to enable the policy setting Allow updating software inventory and applying Windows OS patches for endpoints for Mac.  

Viewing outdated software 

To view and update software: 

6. Go to Monitor > Software Inventory page. 

7. Filter Update available as Yes.

8. Click Actions.

9. Select Update Software.

10. Click Update.

You can also view outdated software by endpoint by: 

11. Click Manage > Endpoints  

12. Select specific endpoint(s) under the Software tab.  

13. Click Update Software.  

14. Click Update.

Updating outdated software 

To update outdated software, you can go directly to the Patch Management page as well: 

15. Manage > Patch Management 

16. Under Software Updates tab, select specific version(s) .

17. Click Actions. 

18. Select Update Software.

19. Click Update.

Try VPM for Mac today

3rd party software updates for Mac endpoints is available on both Nebula and OneView for our Patch Management users or users on an Advanced bundles and above.

Not a user but looking to learn more on how to protect your Mac endpoints? Reach out for a quote today.

The March 2024 Patch Tuesday update includes patches for 61 Microsoft vulnerabilities. Only two of the vulnerabilities are rated critical and both of these are found in Windows Hyper-V.

Hyper-V is a hardware virtualization product that allows you to run multiple operating systems as virtual machines (VMs) on Windows. A virtual machine is a computer program that emulates a physical computer. A physical “host” computer can run multiple separate “guest” VMs that are isolated from each other, and from the host. The physical resources of the host are allocated to the VMs by a software layer called the hypervisor, which acts an intermediary between the host and guests.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The Hyper-V CVEs patched in this round of updates are:

CVE-2024-21407 is a Windows Hyper-V Remote Code Execution (RCE) vulnerability with a CVSS score of 8.1 out of 10. Microsoft says exploitation is less likely since this vulnerability would require an authenticated attacker on a guest to send specially crafted file operation requests to hardware resources on the VM which could result in remote code execution on the host server.

This means the attacker would need a good deal of information about the specific environment, and to take additional actions prior to exploitation to prepare the target environment.

CVE-2024-21408 is a Windows Hyper-V Denial of Service (DOS) vulnerability with a CVSS score of 5.5 out of 10. This means an attacker could target a host machine from a guest and cause it to crash or stop functioning. However, Microsoft did not provide any additional details on how this DOS could occur.

The attention for Hyper-V is remarkable since only a week earlier, VMware released security updates to fix critical sandbox escape vulnerabilities in VMware ESXi, Workstation, Fusion, and Cloud Foundation. VMware ESXi and Hyper-V are both designed to handle large-scale virtualization deployments.

Another vulnerability worth mentioning is CVE-2024-21334, which has a CVSS score of 9.8 out of 10. It’s an Open Management Infrastructure (OMI) RCE vulnerability that affects System Center Operations Manager (SCOM). SCOM is a set of tools in Microsoft’s System Center for infrastructure monitoring and application performance management. A remote, unauthenticated attacker could exploit this vulnerability by accessing the OMI instance from the internet and sending specially crafted requests to trigger a use-after-free vulnerability.

OMI is an open source technology for environment management software products for Linux and Unix-based systems. The OMI project was set up to implement standards-based management so that every device in the world can be managed in a clear, consistent, and coherent way.

Use-after-free vulnerabilities are the result of the incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can exploit the error to manipulate the program. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

Microsoft states that if the Linux machines do not need network listening, OMI incoming ports can be disabled. In other cases, customers running affected versions of SCOM (System Center Operations Manager 2019 and 2022) should update to OMI version 1.8.1-0.

Other vendors

Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.

Adobe has released security updates to address vulnerabilities in several products:

• Adobe Experience Manager
• Adobe Premiere Pro
• Adobe ColdFusion
• Adobe Bridge
• Adobe Lightroom
• Adobe Animate

The Android Security Bulletin for February contains details of security vulnerabilities for patch level 2024-03-05 or later.

Apple has released a security update for iOS and iPadOS to patch two zero-day vulnerabilities

SAP has released its March 2024 Patch Day updates.

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

Some hoaxes on Facebook are years old, but like a cat with nine lives they keep coming back again and again. This is certainly the case with this most recent hoax.

Fact-checking site Snopes is reporting on a hoax that concerns Meta’s use of our photos, messages and other posts on Facebook. Users are told in numerous ways to repost something that contains the phrase:

“I do not authorize META, Facebook or any entity associated with Facebook to use my photos, information, messages or posts, past or future.”

“Hello It’s official. Signed at 8:44 PM. It was even on TV. Mine really turned blue. Don’t forget that tomorrow starts the new Facebook rule (aka… new name, META) where they can use your photos. Don’t forget the deadline is today!!!

I do not authorize META, Facebook or any entity associated with Facebook to use my photos, information, messages or posts, past or future.

With this statement, I notify Facebook that

it is strictly prohibited to disclose, copy, distribute or take any other action against me based on this profile and/or its contents. Violation of privacy may be punishable by law.

Here’s how to do it:

Hold your finger anywhere in this message and “copy” will appear. Click “copy”. Then go to your page, create a new post and place your finger anywhere in the empty field. “Paste” will appear and click Paste.

This will bypass the system….

He who does nothing consents.”

The first round of hoax posts similar to this one surfaced in 2012 (and have resurfaced many times since then). As you can see in this page on the Internet archives, Facebook even issued a statement about it:

“Fact Check

Copyright Meme Spreading on Facebook

There is a rumor circulating that Facebook is making a change related to ownership of users’ information or the content they post to the site. This is false. Anyone who uses Facebook owns and controls the content and information they post, as stated in our terms. They control how that content and information is shared. That is our policy, and it always has been.”

It’s not a Real Thing

With all the—legitimate—concern around keeping personal data private, one can see why people fall for hoaxes like this. However, this copy-paste post does nothing. Facebook doesn’t get to “own” your content and you don’t need to make any declarations about copyright issues since the law already protects you.

Equally, Facebook users cannot retroactively negate any of the privacy or copyright terms they agreed to when they signed up for their accounts, simply by posting a contrary legal notice on to Facebook.

In other words, you agreed to Facebook’s terms of use and when you did, you provided Facebook with a right to use, distribute, and share the things you post, subject to the terms and applicable privacy settings. If that doesn’t sit well with you, it’s worth considering deactivating or deleting your Facebook account.

Sharing posts like this “just in case” continues the hoax and unnecessarily worries people who might see your post. If you’re not sure about whether you should share something, it’s worth googling the post’s text to check if there are any alerts about it.

Check your own digital footprint

If you are worried about how much of your data has been exposed online, you can try our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

February was a particularly busy month for search-based malvertising with the number of incidents we documented almost doubling. We saw similar payloads being dropped but also a few new ones that were particularly good at evading detection.

One malware family we have been tracking on this blog is FakeBat. It is very unique in that the threat actor uses MSI installers packaged with heavily obfuscated PowerShell code. For weeks, the malvertiser helping to distribute this malware was abusing the same URL shortener services which may have made the attack somewhat predictable. We saw them experimenting with new redirectors and in particular leveraging legitimate websites to bypass security checks.

Another interesting aspect is the diversity of the latest campaigns. For a while, we saw the same software brands (Parsec, Freecad) being impersonated over and over again. With this latest wave of FakeBat malvertising, we are seeing many different brands being targeted.

All the incidents described in this blog have been reported to Google.

New redirection chain

During the past several weeks, FakeBat malvertising campaigns used two kinds of ad URLs. As observed in other malvertising campaigns, they were abusing URL/analytics shorteners which are ideal for cloaking. That practice enables a threat actor to use a ‘good’ or ‘bad’ destination URL based on their own defined parameters (time of day, IP address, user-agent, etc.).

The other type of redirect was using subdomains from expired and sitting .com domains reassigned for malicious purposes. This is a common trick to give the illusion of credibility. However, in the most recent malvertising campaigns we see the threat actor abusing legitimate websites that appear to have been compromised.

It’s worth noting that the few examples we found were all Argentinian-based (.ar TLD):

Victims click on the ad which sends a request to those hacked sites. Because the request contains the Google referer, the threat actor is able to serve a conditional redirect to their own malicious site:

The full infection chain can be summarized in the web traffic image seen below:

Several active brand impersonations

There are currently several campaigns running including OneNote, Epic Games, Ginger and even the Braavos smart wallet application. A number of those malicious domains can be found on Russian-based hoster DataLine (78.24.180[.]93).

Each downloaded file is an MSIX installer signed with a valid digital certificate (Consoneai Ltd).

Once extracted, each installer contains more or less the same files with a particular PowerShell script:

When the installer is ran, this PowerShell script will execute and connect to the attacker’s command and control server. Victims of interest will be cataloged for further use. ThreatDown EDR detects the PowerShell execution and creates an alert:

Conclusion

FakeBat continues to be a threat to businesses via malicious ads for popular software downloads. The malware distributors are able to bypass Google’s security checks and redirect victims to deceiving websites.

It is as important to defend against the supporting infrastructure as the malware payloads. However, that is not always easy since legitimate websites may be used to defeat domain blocklists. As always, blocking ads at the source via system policies such as ThreatDown DNS Filter, remains one the most effective ways to stop malvertising attacks in their tracks.

Indicators of Compromise

Hacked sites

cecar[.]com[.]ar
estiloplus[.]tur[.]ar

Decoy sites

obs-software[.]cc
bandi-cam[.]cc
breavas[.]app
open-project[.]org
onenote-download[.]com
epicgames-store[.]org
blcnder[.]org

Download URLs

bezynet[.]com/OBS-Studio-30[.]0[.]2-Full-Installer-x64[.]msix
bezynet[.]com/Bandicam_7[.]21_win64[.]msix
church-notes[.]com/Braavos-Wallet[.]msix
church-notes[.]com/Epic-Games_Setup[.]msix
church-notes[.]com/Onenote_setup[.]msix

File hashes

07b0c5e7d77629d050d256fa270d21a152b6ef8409f08ecc47899253aff78029
0d906e43ddf453fd55c56ccd6132363ef4d66e809d5d8a38edea7622482c1a7a
15ce7b4e6decad4b78fe6727d97692a8f5fd13d808da18cb9d4ce51801498ad8
40c9b735d720eeb83c85aae8afe0cc136dd4a4ce770022a221f85164a5ff14e5
f7fbf33708b385d27469d925ca1b6c93b2c2ef680bc4096657a1f9a30e4b5d18

Command and control servers

ads-pill[.]xyz
ads-pill[.]top
ads-tooth[.]top
ads-analyze[.]top

This article is based on research by Marcelo Rivero, Malwarebytes’ ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, “known attacks” are those where the victim did not pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher.

In February, there were 376 ransomware victims, marking an unusually active month for the historically subdued time period. But February didn’t just bring unprecedented numbers, but unprecedented developments as well: law enforcement shut down LockBit, the largest ransomware gang, while ALPHV, the second-largest, appeared to fake its demise and abscond with its own affiliates’ funds.

Before we dive into the two biggest stories of the month, however, let’s start with a quick overview of other significant ransomware developments, including a new Coveware report revealing a record low of 29% of victims paying ransoms in the last quarter of 2023.

A few years ago, paying ransomware attackers was almost a given—85% of hit organizations in early 2019 felt they had no choice. But fast forward to 2024, and Coveware data suggests that that trend has completely reversed—not only have the number of victims paying dropped but so have the dollar amounts of actual ransom payments. In other words, we’re seeing fewer and smaller ransomware payouts than ever before. 

At first glance, the trend appears counterintuitive: with global ransomware attacks hitting record highs annually, one might expect a proportional increase in the number of victims choosing to pay a ransom. But as it turns out, all the attention on ransomware is effectively shooting attackers in the foot: the more these attacks make headlines, the more businesses understand ransomware as a prime threat, leading to improved security measures that can allow victims to recover from an attack without paying a ransom. Also discouraging payments are increasing doubts about cybercriminals’ reliability and stricter anti-ransom laws.

But all of this begs the question: with fewer payments, will ransomware gangs adapt their strategies to remain a threat, or will the decrease in successful ransoms lead to a decline in attacks as they seek more lucrative avenues? Will ransomware attacks always remain profitable, albeit less so over time? The report raises just about as many questions as it answers. 

Our prediction? Ransomware gangs aren’t backing down any time soon; in fact, they’ll likely continue getting more inventive in pressuring companies to pay up. Our coverage on “big game ransomware” showed ransomware gangs aren’t just hiking up demands when companies resist paying, they’re also turning to more aggressive tactics. “Threats to leak data, sell it online, break other parts of the business, attack related firms, or even harass employees are all tactics gangs can make use of” to force reluctant businesses to pay, writes former Malwarebytes Labs author Christopher Boyd.

In other words, despite fewer companies paying up, we foresee ransomware attackers compensating with higher ransom demands and more sophisticated, aggressive negotiation tactics.

In other February news, new reports highlighted ALPHV’s surge of targeted attacks against the healthcare sector. Coincidentally, a day after these reports were published, there was news of ALPHV’s severe attack on Change Healthcare, one of the largest healthcare technology companies in the US.

The report indicated that since mid-December 2023, out of nearly 70 leaked victims, the healthcare sector has been ALPHV’s most frequent target. This seems to be a response to the ALPHV Blackcat administrator’s encouragement for its affiliates to target hospitals following actions against the group and its infrastructure in early December 2023.

The Roman historian Tacitus once said, “Crime, once exposed, has no refuge but in audacity.” Well, the exposure of ALPHV’s crimes has seemingly emboldened them further, pushing them to undertake even more brazen acts of revenge against the very institutions aiming to curb their criminal activities. At the end of the day, ALPHV’s actions are unsurprisingly petty, pointless, and endanger human lives, but they at the very least they hint at the group’s last desperate gasps for relevance.

On the vulnerability front, ransomware gangs like Black Basta, Bl00dy, and LockBit were seen exploiting vulnerabilities in ConnectWise ScreenConnect last month that exposed servers to control by attackers. It appears that almost every other month, our ransomware reviews uncover a new vulnerability being exploited with great success—whether it was MOVEit in the summer of 2023 or Citrix Bleed at the end of 2023. The vulnerabilities in ScreenConnect are once again part of this broader trend we’ve noticed of ransomware gangs finding ever-new points of entry—perhaps even more quickly and extensively than in previous years.

LockBit down, ALPHV out

February 2024 is likely to be remembered for years as the month when two of the most dangerous ransomware gangs in the world suffered some serious turbulence.

LockBit has been the preeminent ransomware menace since the demise of Conti in spring 2022, but for the first time there are serious reasons to doubt its status and longevity. On February 19, the ransomware gang’s dark web site announced “This site is now under the control of The National Crime Agency of the UK, working in close cooperation with the FBI and the international law enforcement task force, ‘Operation Cronos’.”

What followed was something quite unique in the annals of ransomware takedowns. Alongside the usual dry press releases, the law enforcement agencies responsible used the site it had acquired to showcase the details of what it had done.

It was an act of exquisite trolling that looked designed to damage the LockBit brand by humiliating it in the eyes of its peers and affiliates.

There was substance to the disruption too—some arrests, “a vast amount of intelligence” gathered, infrastructure seized, cryptocurrency accounts frozen, decryption keys captured, and the revelation that LockBit administrator LockBitSupp “has engaged with law enforcement.”

LockBit quickly established a new site and insisted everything was fine in exactly the way that people do when things aren’t fine, by releasing a stream of concious 3,000-word essay that explained precisely how fine things were, thanks. It remains to be seen if LockBit’s rebound will last. When ransomware gangs start to feel the hot breath of law enforcement on their neck a rebrand normally follows.

LockBit’s main rival, ALPHV, used February to demonstrate an alternative ending. It decided to leave the ransomware world behind by ripping off its own customers (which are really just affiliates in crime) in a sloppily executed exit scam. ALPHV had suffered its own brush with law enforcement in December and, like LockBit, appeared to have recovered.

Perhaps it was spooked by its brush with the feds, or perhaps the $22 million ransom an affiliate extracted from its devastating attack on Change Healthcare was just too hard to resist. Whatever the reason, ALPHV cut and ran, taking the cash and leaving its criminal affiliates high and dry. A half-hearted attempt to pin the blame for its disappearance on the FBI fooled no one.

Preventing Ransomware

Fighting off ransomware gangs like the ones we report on each month requires a layered security strategy. Technology that preemptively keeps gangs out of your systems is great—but it’s not enough. 

Ransomware attackers target the easiest entry points: an example chain might be that they first try phishing emails, then open RDP ports, and if those are secured, they’ll exploit unpatched vulnerabilities. Multi-layered security is about making infiltration progressively harder and detecting those who do get through. 

Technologies like Endpoint Protection (EP) and Vulnerability and Patch Management (VPM) are vital first defenses, reducing breach likelihood. 

The key point, though, is to assume that motivated gangs will eventually breach defenses. Endpoint Detection and Response (EDR) is crucial for finding and removing threats before damage occurs. And if a breach does happen—ransomware rollback tools can undo changes.

How ThreatDown Addresses Ransomware

ThreatDown bundles take a comprehensive approach to these challenges. Our integrated solutions combine EP, VPM, and EDR technologies, tailored to your organization’s specific needs. ThreatDown’s select bundles offer:

• Advanced Web Protection: Blocking phishing websites ransomware gangs use for initial access.
• RDP Shield: Securing remote access points with Brute Force Protection.
• Continuous Vulnerability Scanning and Patch Management: Identifying and patching weaknesses before ransomware gangs can exploit them.
• Sophisticated EDR: Detecting and neutralizing advanced threats such as LockBit within the network.
• Ransomware Rollback: Reversing the impact of any successful attacks.

ThreatDown EDR detecting LockBit ransomware

ThreatDown automatically quarantining LockBit ransomware

For resource-constrained organizations, select ThreatDown bundles offer Managed Detection and Response (MDR) services, providing expert monitoring and swift threat response to ransomware threats—without the need for large in-house cybersecurity teams.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

Information newly made available under California law has shed light on data broker practices, including exactly what categories of information they trade in.

Any business that meets the definition of data broker must register with the California Privacy Protection Agency (CPPA) annually. The CPPA defines data brokers as businesses that consumers don’t directly interact with, but that buy and sell information about consumers from and to other businesses.

Where there’s money to be made you’ll find companies and individuals that will go to any length to get a piece of the action. At the moment there are around 480 data brokers registered with the CPPA. However, that might be just the tip of the iceberg, because there are a host of smaller players active that try to keep a low profile. There are 70 fewer data brokers listed than last year, but it is questionable whether they went out of business or just couldn’t be bothered with all the regulations tied to being a listed data broker.

The law requires registered data brokers to disclose in which of the following categories they actively trade information in:

• Minors (24)
• Precise Geolocation (79)
• Reproductive healthcare data (25)

Four of these data brokers are active in all three of these categories: LexisNexis Risk Solutions, Harmon Research Group, Experian Marketing Solutions, and BDO USA, P.C., Global Corporate Intelligence group.

What is particularly disturbing is the traffic in the data of minors. Children require special privacy protection since they’re more vulnerable and less aware of the potential risks associated with data processing.

When it comes to children’s data, the CCPA requires businesses to obtain opt-in consent to sell the data of a person under the age of 16. Children between the ages of 13 and 16 can provide their own consent, but for children under the age of 13, businesses must obtain verifiable parental consent before collecting or selling their data.

Data brokers were under no obligation to disclose information about selling data belonging to minors until the Delete Act was signed into law on October 10, 2023. The Delete Act is a Californian privacy law which provides consumers with the right to request the deletion of their personal information held by various data brokers subject to the law through a single request.

The next step forward would be if more states followed California’s example. So far only four states—California, Vermont, Oregon, and Texas—have enacted data broker registration laws.

The Children’s Online Privacy Protection Act (COPPA), which regulates children’s privacy, does not currently prevent companies from selling data about children. An update for the bill (COPPA 2.0), that would enhance the protection of minors, is held up in Congress.

In Texas, data brokers are governed by Chapter 509 of the Business and Commerce Code and this includes the specification that each data broker has a “duty to protect personal data held by that data broker.” This is important because, as we have seen, breaches at these data brokers can be combined with others and result in a veritable treasure trove of personal data in the hands of cybercriminals.

Check your digital footprint

If you want to find out how much of your data has been exposed online, you can try our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

This week on the Lock and Code podcast…

A disappointing meal at a restaurant. An ugly breakup between two partners. A popular TV show that kills off a beloved, main character.

In a perfect world, these are irritations and moments of vulnerability. But online today, these same events can sometimes be the catalyst for hate. That disappointing meal can produce a frighteningly invasive Yelp review that exposes a restaurant owner’s home address for all to see. That ugly breakup can lead to an abusive ex posting a video of revenge porn. And even a movie or videogame can enrage some individuals into such a fury that they begin sending death threats to the actors and cast mates involved.

Online hate and harassment campaigns are well-known and widely studied. Sadly, they’re also becoming more frequent.

In 2023, the Anti-Defamation League revealed that 52% of American adults reported being harassed online at least some time in their life—the highest rate ever recorded by the organization and a dramatic climb from the 40% who responded similarly just one year earlier. When asking teens about recent harm, 51% said they’d suffered from online harassment in strictly the 12 months prior to taking the survey itself—a radical 15% increase from what teens said the year prior.

The proposed solutions, so far, have been difficult to implement.

Social media platforms often deflect blame—and are frequently shielded from legal liability—and many efforts to moderate and remove hateful content have either been slow or entirely absent in the past. Popular accounts with millions of followers will, without explicitly inciting violence, sometimes draw undue attention to everyday people. And the increasing need to have an online presence for teens—even classwork is done online now—makes it near impossible to simply “log off.”

Today, on the Lock and Code podcast with host David Ruiz, we speak with Tall Poppy CEO and co-founder Leigh Honeywell, about the evolution of online hate, personal defense strategies that mirror many of the best practices in cybersecurity, and the modern risks of accidentally becoming viral in a world with little privacy.

“It’s not just that your content can go viral, it’s that when your content goes viral, five people might be motivated enough to call in a fake bomb threat at your house.”

Leigh Honeywell, CEO and co-founder of Tall Poppy

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

Last week on Malwarebytes Labs:

• Patch now! VMWare escape flaws are so serious even end-of-life software gets a fix
• Update now! JetBrains TeamCity vulnerability abused at scale
• PetSmart warns customers of credential stuffing attack
• Predator spyware vendor banned in US
• ALPHV ransomware gang fakes own death, fools no one
• Update your iPhones and iPads now: Apple patches security vulnerabilities in iOS and iPadOS
• Check your DNS! Abandoned domains used to bypass spam checks
• American Express warns customers about third party data breach
• No “Apple magic” as 11% of macOS detections last year came from malware
• Pegasus spyware creator ordered to reveal code used to spy on WhatsApp users

Stay safe!

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

VMWare has issued secuity fixes for its VMware ESXi, Workstation, Fusion, and Cloud Foundation products. It has even taken the unusual step of issuing updates for versions of the affected software that have reached thier end-of-life, meaning they would normally no longer be supported.

This flaws affect customers who have deployed VMware Workstation, VMware Fusion, and/or VMware ESXi by itself or as part of VMware vSphere or VMware Cloud Foundation.

A virtual machine (VM) is a computer program that emulates a physical computer. A physical “host” computer can run multiple separate “guest” VMs that are isolated from each other, and from the host. The physical resources of the host are allocated to the VMs by a software layer called the hypervisor, which acts an intermediary between the host and the VM (the guest system).

VMWare’s decision to offer fixes for end-of-life software is because the vulnerabilities patched in these updates are escape flaws that allow a computer program to breack of the confines of a VM and affect the host operating system. Specifically, an attacker with privileged access, such as root or administrator, on a guest VM can access the hypervisor on the host.

Besides instructions about how to update the affected products, the advisory lists possible workarounds that would block an attacker from exploiting the vulnerabilities. Since three of the vulnerabilities affect the USB controller, applying the workarounds will effectively block the use of virtual or emulated USB devices. For guest operating systems that do not support using a PS/2 mouse and keyboard, such as macOS, this means they will effectively be unable to use a mouse and keyboard.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs patched in these updates are:

CVE-2024-22252 and CVE-2024-22253 are use-after-free vulnerabilities in the XHCI and UHCI USB controllers of VMware ESXi, Workstation, and Fusion. A malicious actor with local administrative privileges on a virtual machine can exploit the issues to execute code as the virtual machine’s VMX process running on the host. On ESXi, the exploitation of either is contained within the VMX sandbox, but on Workstation and Fusion this may lead to code execution on the machine where Workstation or Fusion is installed.

The VMX process is a process that runs in the kernel of the VM and is responsible for handling input/output (I/O) to devices that are not critical to performance. The VMX is also responsible for communicating with user interfaces, snapshot managers, and remote consoles.

Use-after-free vulnerabilities are the result of the incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can exploit the error to manipulate the program. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

CVE-2024-22254 is an out-of-bounds write vulnerability in VMWare ESXi. A malicious actor with privileges within the VMX process can trigger an out-of-bounds write leading to an escape of the sandbox.

A sandbox environment is another name for an isolated VM in which potentially unsafe software code can execute without affecting network resources or local applications.

An out-of-bounds write can occur when a program writes outside the bounds of an allocated area of memory, potentially leading to a crash or arbitrary code execution. This can happen when the size of the data being written to memory is larger than the size of the allocated memory area, when the data is written to an incorrect location within the memory area, or when the program incorrectly calculates the size or location of the data to be written

CVE-2024-22255 is an information disclosure vulnerability in the UHCI USB controller of VMware ESXi, Workstation, and Fusion. A malicious actor with administrative access to a VM may be able to exploit this issue to leak memory from the VMX process.

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.