NEWS

The Cybersecurity and Infrastructure Security Agency (CISA) maintains a “known exploited vulnerabilities catalog” which can be useful if you need help prioritizing the patching of vulnerabilities. In essence it is a long list of vulnerabilities that are actually being used by criminals to do harm, with deadlines for fixing them.

Many organizations are running a plethora of software and Internet-facing devices and vulnerabilities that can be used to exploit them are found every day. Everybody knows they need to patch, but deciding what to patch when, and then finding time and resources to do it, are a significant challenges.

If you are having difficulty deciding what to patch next whether you use a vulnerability and patch management service or not, the CISA catalog offers useful guidance to help you decide what to focus on.

BOD 22-01

The Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive 22-01 in November 2021. The directive established the catalog and bound everyone operating federal information systems to abide by it.

Two things made the directive stand out. The first was that it was based on what was actively being exploited, rather than an abstract severity score, like CVSS. The second was that it mandated specific—and very tight—deadlines, for vulnerabilities to be dealt with. Although agencies were given a longer grace period to handle historic vulnerabilities, they only had two weeks to patch anything new—the blink of an eye in patching terms.

At first the catalog focused on vulnerabilities that would allow an attacker to breach a network or compromise a system to gain a foothold suitable for data theft or ransomware.

Later, around the start of the war in Ukraine, CISA added a long list of vulnerabilities that threat actors can use to disrupt operations and networks. Actions that do not lead to financial gain, but can be used in a conflict.

Because it’s based on what criminals are actually exploiting, your organization might still want to feed the catalog into its patch management strategy, even if it isn’t a federal agency that’s obliged to.

The catalog has 9 columns:

• The CVE number of the vulnerability.
• Vendor/Project
• Product
• Vulnerability Name
• Date Added to Catalog
• Short Description (of the vulnerability)
• Action: What needs to be done to mitigate the vulnerability
• Due Date: by when the action needs to be completed by FCEB agencies.
• Notes: point to Emergency Directives about the vulnerability or vendor sites that discuss the vulnerability.

If you’re responsible for keeping your organization’s systems secure, you will already know that having a network inventory is critical: To be effective, you have to know what to protect. With that network inventory in hand, it’s good to know that the catalog can be sorted, among others, by Vendor/Project, by Product, and by Due Date.

Advice

Because the list is regularly updated you will want to keep an eye out for changes, once you are caught up. To make things easier, you can subscribe to receive updates. We also suggest you check out Malwarebytes’ patch management solution, and finally, make sure you ditch any software that has reached its end-of-life (EOL) and is beyond the scope of security updates.

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Today we have a fascinating tale of a business email compromise (BEC) group steering clear of targeting executives, in favour of fouling up supply chains instead. The attack, which may sound overly complicated, is a fairly streamlined attack with the intention of making a lot of money.

BEC: What is it?

BEC follows a few different patterns, but primarily revolves around an approach by a criminal who has compromised or spoofed an executive-level email account.

The criminal sends one or more “urgent” emails to a more junior employee about moving money from inside the business to somewhere else entirely. Some attackers perform reconnaissance in advance so they can target people in HR, finance, or accounts.

The criminal is likely to insist the money is moved quickly, and that nobody else is involved.

This technique has been around for a number of years, and some folks are getting wise to it. As a result, attackers are trying to broaden how these scams operate to give them the best chance of flying under the radar.

What we’re looking at below is Vendor Email Compromise (VEC). Instead of going after a company directly, attackers figure out a network of vendors, clients, customers, suppliers…you name it, they’ll try and map it all out. From there, it’s a case of figuring out the weak links in the chain and then pursuing them as best they can.

A splash of fraudulent domain management and social engineering may be all that it takes to get the job done.

VEC

The supply chain steps to success

The group at the heart of this particular campaign, the bizarrely monikered “Firebrick Ostrich”, has been flagged as having its hand in no fewer than 350 campaigns dating back several years. 151 organisations were spoofed across 200 or so different URLs. The attacks are said to have been US-centric, with a particular focus on US business.

According to Abnormal Intelligence, the group behind the research, Firebrick Ostrich was at its peak in August 2022, numbers wise, and the majority of URLs used in the various campaigns were less than a day old when they were used.

The steps to success for the VEC group are listed as follows:

1. Pretend to be a vendor, complete with imitation domain and multiple bogus email addresses related to said bogus “company”.
2. The bogus vendor initiates communication with the potential victim, going down one of several paths as the ball is set in motion. In the example given, the scammers ask to update a bank account on file, and then note that they’ve “lost track” of outstanding payments. This is how they gain insight into actual potential payments owed, or other relevant information which can be further used against the victim.
3. Some or all of the additional email addresses created, mentioned above, may be tied into some of the various email chains to add a layer of “this all looks plausible and real” to the recipients. Would scammers go to all this length to steal money? You bet. Many employees looking at this kind of email chain wouldn’t give it a second thought.

Cashing out

If the email antics are successful, a follow-up mail from the fake vendor includes tweaked payment information for the victim to wire funds. Abnormal Security notes that in some cases, PDF documents are attached to the mails containing the payment details. It’s possible that this is done to try and bypass any email flags looking out for suspicious content (such as payment details in the body of the mails).

With all of the imitation details in place, from fake emails and imitation URLs to including real employee names in some of the communications in case someone perhaps jumps onto Google or LinkedIn, this attack could very well cause big problems for an organisation.

Vendor attacks: a slippy customer

Given that this particular group does not appear to target one industry sector specifically, running the range of manufacturing and retail to energy and education, it could affect any business, and if it’s successful, it will be imitated.

The best defence against these kind of attacks is to ensure that staff are aware that they exist and how they work. Many scams rely on isolating and hurrying employees, so they are less diligent, so it also helps to have processes that ensure more than one employee is involved in significant transactions.

Stay safe out there!

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Today we have a ten minute YouTube expedition into the murky world of ransomware.

In the video, “The rise of multi-threat ransomware” (embedded below), I cover a couple of key talking points that always seem to come up in conversation.

Single, double, triple?

The video covers how ransomware made the leap from “just” encrypting your files to double- or even triple-threat ransomware. The threats, the blackmail, the possibility of leaking data, and more.

A timeline of ransomware

It also examines attacks of interest from 2017 to the present day, looking at some of the key incidents from the last couple of years, and the brutal real world impact of ransomware attacks that increasingly affect the spaces and services around us. Schools, hospitals, housing associations, everyone is a potential target.

Keeping the enemy at the gate

The video finishes with a run through some of the ways organisations can avoid the perils of ransomware, and the realisation that cyber insurance may not solve every problem.

The video covers the importance of locking down your remote desktop access and VPNs, rolling out multi-factor authentication, and keeping a tight handle on repeated login attempts.

A determined attacker may find a way through despite your best efforts, but in many cases they’ll give up and look for a less resilient target. If you’re causing ransomware gangs to shrug and go elsewhere, you’re doing OK.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

As the reports covering all of 2022 start trickling in, we can see that cybercrime and other types of fraud had a major impact last year.

Take for example the 2022 half year fraud update by UK Finance, which tells us that criminals stole a total of £609.8 million (roughly $750 million) through authorized and unauthorized fraud and scams in the UK alone.

UK Finance is the collective voice for the UK’s banking and finance industry, representing around 300 firms across the industry. Its report states: “As we have warned previously, the level of fraud in the UK has reached a point where it must be considered a national security threat.”

Another report, called the ‘State of cyber security in the UK’, surveyed 500 UK-based cybersecurity strategy decision makers. It showed that financials are at significantly higher risk than the average UK business. More than half (58.2 percent) reporting between 40 and 60 cyber security incidents in the last 12 months.

Businesses

Many financials not only carry the burden of protecting their customers, but are also at risk of falling victim to cybercrime themselves.

The threat which was mentioned the most in responses to the survey was phishing. Some 67 percent of respondents highlighted it as their main worry for their organization. This is no surprise as phishing is often the prelude to more serious threats like ransomware, breaches, and BEC scams.

Other worries were the rise in premium prices for cyber insurance, and the security implications of the rise in flexible working. The advancing pace of technology (39 percent) also featured, as effects from the pandemic have complicated organizations’ ability to protect themselves from cyber threats.

The report based on the survey also shows a higher-than-expected number of breaches. Which made more organizations realize that having a recovery plan is almost as important as having effective preventive measures.

Consumers

The main types of fraud targeting consumers were:

• Authorized push payment (APP) scams, which use social engineering that tricks victims into authorizing payments to accounts belonging to the scammer. Romance scams and investment scams operate this way, as do purchase scams, where people pay for goods that are never delivered.
• Unauthorized payment card fraud. This category covers fraud on debit, credit, charge, and ATM-only cards issued in the UK. Payment card fraud losses are organized into five categories: Remote card purchases, lost and stolen cards, cards that aren’t received, counterfeit cards, and card ID theft.
• Remote purchase fraud. This type of fraud occurs when a criminal uses stolen card details to buy something on the Internet, over the phone or via mail order. It is also referred to as card-not-present (CNP) fraud, because the threat actor does not have the physical card, but has enough details to pretend that they are authorized to use it.

A common factor behind APP scams is use of online platforms and social media to target victims and trick them into making payments. This includes fraudulent advertising on search engines, fake websites and posts on social media. This is where the first contact between perpetrator and victim usually takes place.

Another worrying side effect of many of these financial frauds is the use of money mules. Often younger people that allow their bank account to be used to ‘cash out’ fraudulent funds, without realizing how sever the consequences can be.

For detailed numbers and more information you are encouraged to look at the UK Finance report.

Cooperation

Because of the direct threats and the responsibility for their customers, the banking and finance industry invests billions in tackling fraud. But it’s not a problem the banking sector can solve on its own.

Some of the initiatives that have been taken by the sector in the UK are:

• Working with the government and law enforcement to establish clear strategic priorities.
• Sharing intelligence on emerging threats.
• Delivering customer education campaigns.
• Training staff to spot and stop suspicious transactions.
• Sponsoring a specialist police unit.
• Cracking down on phone number spoofing.
• Blocking scam text messages.

How can we help?

NatWest, one of the UK’s “big four” banks, is offering all of its customers a free Malwarebytes Premium subscription, which can be used on up to 10 devices. The software protects against viruses, ransomware, and phishing scams, and is available for Windows PCs and Macs, as well as Android and Apple phones and tablets.

In the first half of 2022, Malwarebytes helped stop over seven million security threats that would have impacted NatWest customers. The bank’s customers can access the software by clicking the security tab within their online banking, where they will receive a coupon and a link to the Malwarebytes site.

Stuart Skinner, head of fraud protection at NatWest, said:

We are committed to helping our customers stay safe and secure and are continuously investing in new fraud prevention tools and the latest security technology. I urge you to download Malwarebytes today, to help ensure you are doing everything possible to protect yourself against this crime.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Everything we teach our kids starts at home—we parents are their first teachers, after all. So, why wait for them to start going to school to start learning about cybersecurity and online privacy?

Though it’s hardly news that more and more children are being introduced to mobile computing devices like tablets, smartphones, and laptops at an early age, you may be surprised at what that age is. In 2015, Time featured a study revealing parents handing over such devices to kids as young as six months old. That may be too early an age for teaching a child beyond getting them to sit up, but after nearly a decade, similar trends on age versus technology use have persisted. [1][2][3]

As mobile devices have become an indispensable part of a child’s life, a big question stands: What is the “appropriate” age to start teaching your little one about their security and privacy when using those devices? 

Well, it depends. If your child can understand (simple?) instructions and do them, you’re good to go. Remember, every child is different.

5 cybersecurity and privacy tips you can tell your 5+-year-old

Fostering habits for some simple yet good cybersecurity and privacy best practices early on can go a long way.

1. Lock the device.

When it’s time to put away the phone or tablet so your child can do something else like going to the park, remind them to lock it. They can do this by pressing the power button of the device. Of course, this only works if you have Lock Screen enabled on the device.

If your child is 5 years old and up, you can explain to them that locking the phone or tablet stops other people from using it without asking permission.

2. Use passwords.

Of course, in order to lock a device’s screen, a password is needed in this case. Not going for a pattern lock is deliberate. At this stage, we’re not only seeding the idea of creating strong passwords but also making locking devices the norm (From 2016 to 2018, a reported 28 percent of Americans surveyed failed to use any safeguards to lock their phones).

Don’t be too concerned about length yet, but if you can get your little one to spell out and remember a six to eight-character string—ideally, a word—you’re both golden. We started our little one with a three-letter password to open her tablet when she was four, and we plan to triple that length now that she’s two years older.

3. Keep the device in a safe place.

Instruct your little one to put away the phone or tablet after they lock it. Make sure you already have a designated place in the house that your child knows about. Also, check that this place is accessible, and if it has doors, they can easily open and close them with minimal effort and supervision.

Under a pillow on the master’s bed works, too (just don’t forget to remove it before bedtime).

4. Ask for permission.

Your five-year-old may have access to either the Google Play or Apple App stores via the device you’re letting them use. Whether you have parental controls set up for these stores or not, wouldn’t it be great to hear them ask: “Is this okay to download, mum?” This gives you, the parent or guardian, the opportunity to review the app to see if it’s any good for them (Remember, dubious apps can still end up in these stores.).

The same principle should apply when they’re watching videos on YouTube.

Every now and again, we see or read about cute or cartoony clips that are not actually for kids’ consumption. And believe it or not, some of them were purposefully made to appear inviting to young children. To be safe, a critical eye is needed because, sometimes, even YouTube’s AI can get it wrong.

5. Share only with relatives and close family friends.

Kiddo loves having her picture taken. Sometimes, she would ask me to take a snap and send it to her Nana, who is part of an Instagram group.

Thankfully, only family members—and those close to us who’re treated as family—are members of that group. We would’ve been reluctant to share otherwise.

Kiddo doesn’t have a single social media account, but we’re already instilling in her the value of information related to her and, consequently, us. She knows our home address, for example, and she also knows she should only share it with a policeman or policewoman if she’s lost.

Final thoughts

The computing devices and apps your little one uses are already impacting them in more ways than one. It’s essential to steer them in the right direction by getting ourselves involved in their digital lives as early as possible. There is plenty of room for growth.

So, parents and guardians, be patient. Put these points on repeat and expand on them. And, if you’re lucky, be thankful that before your child starts school, they already have some of the cybersecurity and privacy basics down.

Good luck!

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.