IT NEWS

Stopping a targeted attack on a Managed Service Provider (MSP) with ThreatDown MDR

In late January 2024, the ThreatDown Managed Detection and Response (MDR) team found and stopped a three-month long malware campaign against a Managed Service Provider (MSP) based in Europe. In line with our observations of attackers increasingly relying on legitimate software in their attackers, the attacker employed various Living Off the Land (LOTL) techniques to avoid detection.

MSPs are a prime target of cyberattacks for two main reasons. One, they provide services to multiple clients, giving attackers access to a broader network of targets through a single breach. Two, MSPs often operate on tight security budgets, making them more vulnerable to attacks.

Almost immediately after onboarding the MSP in mid-January, the ThreatDown MDR team found extensive evidence of an ongoing malware campaign. The attackers, who targeted the MSP’s network from October 2023 to January 2024, silently monitored and manipulated the network for months, leveraging legitimate remote access tools like AnyDesk and TeamViewer and attempting to install malware like Remcos RAT and AsyncRAT.

Let’s dive into the details of this incident and how ThreatDown MDR neutralized the threat.

Initial discovery and evidence of compromise

In late October 2023, ThreatDown Endpoint Detection and Response (EDR) flagged multiple suspicious outbound connections on the MSP’s network. These were attempts to communicate with known malicious external sites and IPs, involving several endpoints within the network.

This activity was immediately blocked by ThreatDown, marking the first documented evidence of a security breach. The nature of these attempts—targeting sites associated with RDP-based attacks and other malicious activities—indicated a possible compromise.

image4

List of malicious sites automatically blocked by ThreatDown MDR.

Expanding presence and evasion

Following the initial detections in October, the attacker quietly expanded their presence within the network. On December 8th, network scanning activity was detected from an endpoint, indicative of the attacker’s efforts to map out the network for further exploitation. This activity went beyond mere exploration, suggesting a systematic approach to identify additional targets or vulnerabilities within the MSP’s digital environment.

Escalation and discovery of malware

The situation escalated in January 2024 with the discovery of malware on several endpoints, linked to unauthorized remote access tools like ScreenConnect and AnyDesk.

This pointed towards a more aggressive phase of the attack, with the attackers deploying malware to maintain and expand their access. An attempt to uninstall McAfee via PowerShell, observed on an endpoint, further underscored the attackers’ intentions to weaken the network’s defenses.

image2 6fcab5

Detection of malware leveraging RMM tools.

Ongoing surveillance and response

The implementation of ThreatDown MDR services on January 18th, 2024, was a strategic move by the MSP to gain deeper insights into the attackers’ movements. By this time, the attackers had already established a significant presence within the network, as evidenced by the attempted communications with a known AsyncRAT botnet C2 server and the discovery of additional remote management and monitoring (RMM) tools on the network.

image1 6e5d44

Connections to AsyncRAT were detected and automatically blocked by ThreatDown MDR

Fortunately, the ThreatDown MDR team caught the attack in action and made several immediate recommendations for the MSP, including:

  • Isolating the compromised endpoints to halt the infection spread and re-imaging them for a clean slate.
  • Changing all administrative and local passwords three times to fortify security.
  • Restoring all infected endpoints from secure backups, eliminating the use of local administrator accounts, and implementing application and DNS filtering to control software usage and web access.

Threat hunting with ThreatDown MDR

image3

How ThreatDown MDR works

MSPs continue to be a prime target in cyber attacks—and as we’ve seen in this case study, attackers are in it for the long-haul, able to remain undetected for several months after compromising a network.

The attacker’s use of legitimate tools such as TeamViewer, ScreenConnect, and PowerShell, in their months-long attack on the MSP underscores a key theme we’ve been writing about on the blog recently: attackers are increasingly relying on LOTL techniques in their attacks to avoid detection.

In this example, if the attack had been allowed to continue, the MSP could have suffered a ransomware attack, data breach, or both. Fortunately, however, by hunting down LOTL techniques for the MSP based on suspicious activity and past indicators of compromise (IOCs), the ThreatDown MDR team successfully stopped the threat.

Protecting your MSP from stealthy LOTL threats takes an elite team of security professionals scouring your systems 24×7 for IOCs and suspicious activity observed on endpoints. Learn more about ThreatDown today.

ALPHV is singling out healthcare sector, say FBI and CISA

In an updated #StopRansomware security advisory, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) has warned the healthcare industry about the danger of the ALPHV ransomware group, also known as Blackcat. According to the advisory:

Since mid-December 2023, of the nearly 70 leaked victims, the healthcare sector has been the most commonly victimized.

We have reported in the past that ransomware groups show absolutely no respect to previous promises to leave the healthcare sector alone. This is not a new phenomenon, but ALPHV focusing on healthcare specifically is a relatively new one.

On the grapevine you can hear that ALPHV asked their affiliates to focus on this industry as a kind of payback for the disruptions to their infrastructure in December last year by law enforcement.

The recent attack on Change Healthcare has been reportedly caused by ALPHV, but we don’t feel it’s right to say that they didn’t attack healthcare way before the said disruption.

alphv home page
The ALPHV leak site home page. Four of the last nine victims were in healthcare

And unfortunately ALPHV is not the only one. In a new low, the attack on Lurie Children’s Hospital has been claimed by the Rhysida ransomware group.

ALPHV is a Ransomware-as-a-Service (RaaS) group, meaning that its ransomware is made available to criminal affiliates using a software-as-a-service (SaaS) business model. ALPHV was ranked second in the list of most active big game ransomware groups of 2023.

According to the advisory, ALPHV’s affiliates use advanced social engineering techniques and open source research on a company to gain initial access. They pose as company IT and/or helpdesk staff and use phone calls or SMS messages to obtain credentials from employees to access the target network. After the initial breach they deploy remote access software such as AnyDesk, Mega sync, and Splashtop to prepare the theft of data from the network.

From the initial access they use various other legitimate, living off the land (LOTL), tools to further their access. Once the data has been safely moved to their Dropbox or Mega accounts, the ransomware is deployed to encrypt machines in the network. The latest ALPHV Blackcat update has the capability to encrypt both Windows and Linux devices, as well as VMWare instances.

It is unclear how ALPHV would stimulate attacks on healthcare institutions among its affiliates. We do understand that some of the data found during these attacks is very valuable on the underground market.

Having seen how devastating attacks on healthcare can be, we would encourage every cybercriminal involved to waive their right to be treated in any healthcare facility. Or, at least, try and realize the damage they are doing and the potential impact on people’s health.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

One year later, Rhadamanthys is still dropped via malvertising

It was just a little over a year ago that the Rhadamanthys stealer was first publicly seen distributed via malicious ads. Throughout 2023, we observed a continuation in malvertising chains related to software downloads.

Fast forward to 2024 and the same malvertising campaigns are still going on. After a lull last summer, we noticed an increase since the fall which so far has been sustained. The most recent targeted searches are for Parsec and FreeCad, followed by WinSCP, Advanced IP Scanner, Slack and Notion.

Threat actors are targeting business users with payloads such as FakeBat, Nitrogen or Hijackloader. One other malware family we have seen here and there is Rhadamanthys. In this blog post, we detail the latest distribution chain related to this malware.

Key points

  • Rhadamanthys is an infostealer distributed via malspam and malvertising.
  • Google searches for popular software such as Notion return malicious ads.
  • Threat actors are using decoy websites to trick users into downloading malware.
  • The initial payload is a dropper that retrieves Rhadamanthys via a URL pasted online.
  • The TexBin paste site shows the URL was seen/accessed 8.5K times.
image 2a771d

Malicious ad

Threat actors continue to impersonate well-known brands via sponsored search results. As can be seen below in a search for Notion (productivity software), an extremely deceiving ad is shown. Because it includes the official logo and website for Notion, most users will not think twice and click on the link.

image 44be5b

While the ad looks real on the surface, the Google Ads Transparency Center page (which can be accessed by clicking on the menu right next to the ad’s URL) shows this ad was created by a certain ‘BUDNIK PAWEŁ’ from Poland. According to the same report, the first ad first appeared on January 23, 2024.

image 47f25a

As a matter of fact, we have been tracking this fraudulent advertiser for a few weeks and had reported it to Google in early February, when we first ran into it. At the time, victims who clicked the ad and visited the site were tricked with a download for NetSupport RAT.

image c20ef6

In this more recent campaign, the threat actor is pushing Rhadamanthys as the final payload, after an initial dropper. In the web traffic seen below, we can see that the threat actor uses a number of redirects to evade detection. URL shorteners and redirectors are quite common for the initial ad click, often followed by an attacker-controlled domain responsible for cloaking traffic.

image c47cda

There is one more check within the browser via JavaScript to detect virtual machines before the actual landing page is displayed to the victim.

Landing page and payload

The landing page is the decoy site that victims will see after they click on the ad. Apart from the URL in the address bar, it looks very similar to the official web site for Notion, although somewhat simplified. There are two download buttons, one for Mac and the other for Windows.

image 14493a

The Mac payload (Notion.dmg) is a new variant of Atomic Stealer. Thanks to Luis Castellanos from Block for sharing a sample with us.

The Windows binary is a signed file but its digital signature is not valid. The name of the signer that shows here is from the inventor of PuTTY, a popular admin tool. This digital certificate is likely fake or was revoked, but it may evade detection in some cases.

image 06f85c

This dropper contacts the paste site TextBin where it retrieves a URL for the followup payload, Rhadamanthys. If the numbers are correct this unlisted paste was viewed 8.5k times already.

image 9c801e

Rhadamanthys attempts to steal credentials stored in applications such as PuTTY, WinSCP and mail programs (screenshot from Joe Sandbox):

image 6e941c

Upon execution, Rhadamanthys reports to its command and control server, sends and receives data.

image 03c54f

Conclusion

Not a lot has changed with malvertising campaigns focused on software downloads as we enter the second year of actively tracking them. Sponsored search results continue to be highly misleading due to the fact that any verified individual is able to impersonate popular brands by using their logo and official site within the ad itself.

We are aware of reports shared within private circles, that businesses were compromised after an employee clicked on a malicious ad. Follow-up activities post infection include the usual ‘pentesting tools’ that precede a company-wide breach or ransomware deployment.

The infrastructure used in this particular attack was reported to the relevant parties. Malwarebytes and ThreatDown customers are protected against the payloads and distribution sites.

image d5d5f3

Additionally, EDR customers who have DNS Filtering can proactively block online ads by enabling the rule for advertisements. This is a simple, and yet powerful way to prevent malvertising across an entire organization or in specific areas.

image 814abe

Endpoint users will see a customizable message when they click on an ad such as those that appear on a search engine results page:

image fbe6d2

Indicators of Compromise

Malvertising chain

pantovawy.page[.]link
cerisico[.]net
notione.my-apk[.]com
alternativebehavioralconcepts[.]org

Dropper

6f4a0cc0fa22b66f75f5798d3b259d470beb776d79de2264c2affc0b5fa924a2

Dropper IP

185[.]172[.]128[.]169

Rhadamanthys download URL

yogapets[.]xyz/@abcmse1.exe
birdarid[.]org/@abcnp.exe

Rhadamanthys

e179a9e5d75d56140d11cbd29d92d8137b0a73f964dd3cfd46564ada572a3109
679fad2fd86d2fd9e1ec38fa15280c1186f35343583c7e83ab382b8c255f9e18

Rhadamanthys C2

185[.]172[.]128[.]170

Change Healthcare outages reportedly caused by ransomware

On Wednesday February 21, 2024, Change Healthcare—a subsidiary of UnitedHealth Group—experienced serious system outages due to a cyberattack.

In a Form 8-K filing the company said it:

“identified a suspected nation-state associated cyber security threat actor had gained access to some of the Change Healthcare information technology systems.”

Change Healthcare is one of the largest healthcare technology companies in the United States. Its subsidiary, Optum Solutions, operates the Change Healthcare platform. This platform is the largest payment exchange platform between doctors, pharmacies, healthcare providers, and patients in the US healthcare system.

The incident led to widespread billing outages, as well as disruptions at pharmacies across the United States.

According to Reuters, the group behind the attack is the ALPHV/BlackCat ransomware group. ALPHV is currently one of the most active groups, and generally associated with Russia. They are certainly no strangers to attacking healthcare providers. In our monthly ransomware reviews you will typically find them in the top five of ransomware groups. Even after a disruption in December 2023 they returned and maintained a high level of activity.

BleepingComputer confirmed Reuters assertion, saying it had received information from forensic experts involved in the incident response that linked the attack to the ALPHV ransomware gang.

It would certainly make more sense to us that the attacker was a ransomware group than a nation-state associated group, but both ALPHV and UnitedHealth have not commented on this. That’s no surprise since the investigation is probably still ongoing and solving the security issue is a higher priority.

What the ramifications of any stolen data are, remains to be seen, but they could be very serious given the size of the company and the nationwide application of their electronic health record (EHR) systems, payment processing, care coordination, and data analytics.

In a February 26 update the company says it took immediate action to disconnect Change Healthcare’s systems in order to prevent further impact. You can follow updates about the issue on the dedicated incident report site.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

Android banking trojans: How they steal passwords and drain bank accounts

For the most popular operating system in the world—which is Android and it isn’t even a contest—there’s a sneaky cyberthreat that can empty out a person’s bank accounts to fill the illicit coffers of cybercriminals.

These are “Android banking trojans,” and, according to our 2024 ThreatDown State of Malware report, Malwarebytes detected an astonishing 88,500 of them last year alone.

While the 2024 ThreatDown State of Malware report focuses heavily on the corporate security landscape today, make no mistake: Android banking trojans pose a serious threat to everyday users. They are well-disguised, hard to detect in regular use, and are a favorite hacking tool for cybercriminals who want to automate the theft of online funds for themselves.

What are Android banking trojans?

The idea behind Android banking trojans—and all cyber trojans—is simple: Much like the fabled “Trojan Horse” which, the story goes, carried a violent surprise for the city of Troy, Android banking trojans can be found on the internet disguised as benign, legitimate mobile apps that, once installed on a device, reveal more sinister intentions.  

By masquerading as everyday mobile apps for things like QR code readers, fitness trackers, and productivity or photography tools, Android banking trojans intercept a person’s online interest in one app, and instead deliver a malicious tool that cybercriminals can abuse later on.

But modern devices aren’t so faulty that an errant mobile app download can lead to full device control or the complete revelation of all your private details, like your email, social media, and banking logins. Instead, what makes Android banking trojans so tricky is that, once installed, they present legitimate-looking permissions screens that ask users to grant the new app all sorts of access to their device, under the guise of improving functionality.

Take the SharkBot banking trojan, which Malwarebytes detects and stops. Last year, Malwarebytes found this Android banking trojan hiding itself as a file recovery tool called “RecoverFiles.” Once installed on a device, “RecoverFiles” asked for access to “photos, videos, music, and audio on this device,” along with extra permissions to access files, map and talk to other apps, and even send payments via Google Play.

These are just the sorts of permissions that any piece of malware needs to dig into your personally identifiable information and your separate apps to steal your usernames, passwords, and other important information that should be kept private and secure.

Screenshot 2024 02 22 at 2.46.06%E2%80%AFPM
The introduction screen when opening “RecoverFiles” and the follow-on permissions it asks from users. Once installed, it is invisible on the device home screen.

Still, the tricks behind “RecoverFiles” aren’t yet over.

Not only is the app a clever wrapper for an Android banking trojan, it could also be considered a hidden wrapper. Once installed on a device, the “RecoverFiles” app icon itself does not show up on a device’s home screen. This stealth maneuver is similar to the features of stalkerware-type apps, which can be used to non-consensually spy on another person’s physical and digital activity.

But in the world of Android banking trojan development, cybercrminals have devised far more devious schemes than simple camouflage.

Slipping under the radar

The problem with the Ancient Greeks’ Trojan Horse strategy is that it could only work once—if you don’t sack Troy the first time, you better believe Troy is going to implement some strict security controls on all future big horse gifts.

The makers of Android banking trojans have to overcome similar (and far more advanced) security measures from Google. As the Google Play store has become the go-to marketplace for Android apps, cybercriminals try to place their malicious apps on Google Play to catch the highest number of victims. But Google Play’s security measures frequently detect malware and prevent it from being listed.

So, what’s a cybercriminal to do?

In these instances, cybercriminals make an application that is seemingly benign, but, once installed on a device, executes a line of code that actually downloads malware from somewhere else on the internet. This is how cybercriminals recently snuck their malware onto Google Play and potentially infected more than 100,000 users with the Anatsa banking trojan.

What was most concerning in this attack was that the malicious apps that made it onto the Google Play store reportedly worked for their intended purposes—the PDF reader read PDFs, the file manager managed files. But hidden within the apps’ coding, users were actually downloading a set of instructions that directed their devices to install malware.

These malicious packages are sometimes called “malware droppers” as the apps “drop” malware onto a device at a later time.  

What does it all mean for me?

There’s a lot of technical machinery at work inside any Android banking trojan that is put in place to accomplish a rather simple end goal, which is stealing your money.

All the camouflage, subterfuge, and hidden code execution is part of a longer attack chain in which Android banking trojans steal your passwords and personally identifiable information, and then use that information to take your money.

As we wrote in the 2024 ThreatDown State of Malware report:

“Once it has accessibility permissions, the malware initializes its Automated TransferSystem (ATS) framework, a complex set of scripts and commands designed to perform automated banking transactions without user intervention. The ATS framework uses the harvested credentials to initiate unauthorized money transfers to accounts held by the attacker. This mimics real user behavior to bypass fraud detection systems.”

Staying safe from Android banking trojans

Protecting yourself from Android banking trojans is not as simple as, say, spotting grammatical mistakes in a phishing email or refusing to click any links sent in text messages from unknown numbers. But just because Android banking trojans are harder to detect by eye does not mean that they’re impossible to stop.

A graphic showing that Malwarebytes detected Android banking trojans 88,500 times in 2023

Malwarebytes Premium provides real-time protection to detect and stop Android banking trojans that are accidentally installed on your devices. It doesn’t matter if the banking trojan is simply a malicious app in a convenient package, or if the banking trojan is downloaded through a “malware dropper”—Malwarebytes Premium provides 24/7 cybersecurity coverage and stops dangerous attacks before they can be carried out.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Identity theft is number one threat for consumers, says report

The German Federal Office for Information Security (BSI) has published a report on The State of IT Security in Germany in 2023, and the number one threat for consumers is… identity theft.

The thing is, you can protect your devices and your online privacy as much as possible, but what happens when some organization which you have trusted with your personal information gets breached?

The report states:

“For consumers, the issue of data leaks was prominent in the reporting period (2023). In many cases, these were related to ransomware attacks, in which cybercriminals exfiltrated large amounts of data from organizations in order to later threaten to publish it unless a ransom or hush money was paid.“

In addition to data breaches, there is the danger of information stealers that allow cybercriminals to obtain various types of personal data, such as login details for various online services, and financial information. The stolen data may also include website cookies and biometric data that can be used by criminals to defraud the victim.

Cybercriminals are also getting better at using these data. For example, the report mentions that on one of the largest underground marketplaces for identity data, cybercriminals offered interested parties a browser plug-in that made it possible to import stolen credentials directly into the web browser, allowing criminals to assume the victim’s digital identity with just a few clicks.

We’ve previously talked about the dangers of data brokers that, by trading and buying, are accumulating massive troves of personal data. Now, with the mass availability of Artificial Intelligence tools, it becomes so much easier to correlate all these data sets and piece together a complete profile of everyone affected.

As you can see, it’s usually not the victim’s fault that their data become available to cybercriminals. In many cases, there isn’t even that much that they could have done about it. Some services simply are not available in the offline world anymore, and we have no choice than to trust an organization with our information.

So, all we can do is make sure we come prepared to act when a data breach affects us, and keep an eye on how much we share and how much others will be able to find out about us.

What to do in the event of a data breach

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Digital Footprint scan

If you want to find out how much of your own data is currently exposed online, you can try our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a report.


We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

How to make a fake ID online, with Joseph Cox: Lock and Code S05E05

This week on the Lock and Code podcast…

For decades, fake IDs had roughly three purposes: Buying booze before legally allowed, getting into age-restricted clubs, and, we can only assume, completing nation-state spycraft for embedded informants and double agents.

In 2024, that’s changed, as the uses for fake IDs have become enmeshed with the internet.

Want to sign up for a cryptocurrency exchange where you’ll use traditional funds to purchase and exchange digital currency? You’ll likely need to submit a photo of your real ID so that the cryptocurrency platform can ensure you’re a real user. What about if you want to watch porn online in the US state of Louisiana? It’s a niche example, but because of a law passed in 2022, you will likely need to submit, again, a photo of your state driver’s license to a separate ID verification mobile app that then connects with porn sites to authorize your request.

The discrepancies in these end-uses are stark; cryptocurrency and porn don’t have too much in common with Red Bull vodkas and, to pick just one example, a Guatemalan coup. But there’s something else happening here that reveals the subtle differences between yesteryear’s fake IDs and today’s, which is that modern ID verification doesn’t need a physical ID card or passport to work—it can sometimes function only with an image.

Last month, the technology reporting outfit 404 Media investigated an online service called OnlyFake that claimed to use artificial intelligence to pump out images of fake IDs. By filling out some bogus personal information, like a made-up birthdate, height, and weight, OnlyFake would provide convincing images of real forms of ID, be they driver’s licenses in California or passports from the US, the UK, Mexico, Canada, Japan, and more. Those images, in turn, could then be used to fraudulently pass identification checks on certain websites.

When 404 Media co-founder and reporter Joseph Cox learned about OnlyFake, he tested whether an image of a fake passport he generated could be used to authenticate his identity with an online cryptocurrency exchange.

In short, it did.

By creating a fraudulent British passport through OnlyFake, Joseph Cox—or as his fake ID said, “David Creeks”—managed to verify his false identity when creating an account with the cryptocurrency market OKX.

Today, on the Lock and Code podcast with host David Ruiz, we speak with Cox about the believability of his fake IDs, the AI claims and limitations of OnlyFake, what’s in store for the future of the site— which went dark after Cox’s report—and what other types of fraud are now dangerously within reach for countless threat actors.

Making fake IDs, even photos of fake IDs, is a very particular skill set—it’s like a trade in the criminal underground. You don’t need that anymore.

Joseph Cox, 404 Media co-founder

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)


Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

A week in security (February 19 – February 25)

Last week on Malwarebytes Labs:

Stay safe!


Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

Joomla! patches XSS flaws that could lead to remote code execution

On February 20, Joomla! posted details about four vulnerabilities it had fixed in its Content Management System (CMS), and one in the Joomla! Framework that affects the CMS.

Joomla! is an open-source CMS that’s been around since 2005, and has been one of the most popular CMS platforms by market share for much of that time. Many companies, from small outfits to large enterprises, use a CMS in some form to manage their websites. There are lots of advantages to using a popular CMS, but if you do you should keep an eye out for updates. And this looks like an important one.

Just last month, a vulnerability patched in February 2023 was added to CISA’s catalog of known exploited vulnerabilities, suggesting a lack of patching urgency by some Joomla! owners. Let’s see if we can avoid duplicating that scenario.

To make this happen, Joomla! CMS users should upgrade to version 3.10.15-elts, 4.4.3 or 5.0.3. The latest releases that include the fixes are available for download. Links can be found on the release news page. The latest versions can always be found on the latest release tab. The extended long term support (elts) versions can be found on the dedicated elts site.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. We’ll list them below,  but the descriptions of the vulnerabilities require some explaining.

  • CVE-2024-21722: The multi-factor authentication (MFA) management features did not properly terminate existing user sessions when a user’s MFA methods have been modified. This suggest that logged-in users could stay logged in if an administrator changed their MFA method. This is a problem if you are changing the MFA method because you suspect there has been unauthorized access.
  • CVE-2024-21723: Inadequate parsing of URLs could result into an open redirect. An open redirect vulnerability occurs when an application allows a user to control how an HTTP redirect behaves. Phishers love open redirects on legitimate sites because the URLs look like they go to the legitimate site, when in fact they redirect to another site.
  • CVE-2024-21724: Inadequate input validation for media selection fields lead to Cross-site scripting (XSS) vulnerabilities in various extensions. XSS is a type of vulnerability that allows an attacker to inject malicious code into a site’s content. Input validation should stop that injection.
  • CVE-2024-21725: Inadequate escaping of mail addresses lead to XSS vulnerabilities in various components. According to Joomla! this is the vulnerability with the highest exploitation probability. A website user could input data in the email address field that would cause a XSS vulnerability because it was not properly escaped. Email addresses need to be escaped because otherwise they could be interpreted as HTML code.
  • CVE-2024-21726: Inadequate content filtering leads to XSS vulnerabilities in various components. This is the vulnerability in the Joomla! Framework. Apparently there has been an oversight in the filtering code which can cause XSS vulnerabilities in several components. Researchers found that attackers can exploit this issue to gain remote code execution by tricking an administrator into clicking on a malicious link.

These researchers also urged users to update their CMS:

“”While we won’t be disclosing technical details at this time, we want to emphasize the importance of prompt action to mitigate this risk.”

Secure your CMS

There are a few obvious and easy-to-remember rules to keep in mind if you want to use a CMS without compromising your security. They are as follows:

  • Choose a CMS from an organization that actively looks for and fixes security vulnerabilities.
  • If it has a mailing list for informing users about patches, join it.
  • Enable automatic updates if the CMS supports them.
  • Use the fewest number of plugins you can, and do your due diligence on the ones you use.
  • Keep track of the changes made to your site and its source code.
  • Secure accounts with two-factor authentication (2FA).
  • Give users the minimum access rights they need to do their job.
  • Limit file uploads to exclude code and executable files, and monitor them closely.
  • Use a Web Application Firewall (WAF).

If your CMS is hosted on your own servers, be aware of the dangers that this setup brings and keep it separated from other parts of your network.


We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

Update now! ConnectWise ScreenConnect vulnerability needs your attention

ConnectWise is warning self-hosted and on-premise customers that they need to take immediate action to remediate a critical vulnerability in its ScreenConnect remote desktop software. This software is typically used in data-centers and for remote assistance. Together ConnectWise’s partners manage millions of endpoints (clients).

A Shadowserver scan revealed approximately 3,800 vulnerable ConnectWise ScreenConnect instances on Wednesday, most of them in the US.

The Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities Catalog. ConnectWise has shared three IP addresses that were recently used by threat actors:

  • 155.133.5.15
  • 155.133.5.14
  • 118.69.65.60

These IP addresses are all blocked by ThreatDown and Malwarebytes solutions.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The flaw added to the CISA Catalog is CVE-2024-1709, an authentication bypass vulnerability with a CVSS score of 10 that could allow an attacker administrative access to a compromised instance. With administrative access it is trivial to create and upload a malicious ScreenConnect extension to gain Remote Code Execution (RCE).

Affected versions are ScreenConnect 23.9.7 and prior. Cloud partners don’t need to take any actions. ScreenConnect servers hosted in on screenconnect.com and hostedrmm.com have been updated to remediate the issue. 

Partners that are self-hosted or on-premise need to update their servers to version 23.9.8 immediately to apply a patch. ConnectWise will also provide updated versions of releases 22.4 through 23.9.7 for the critical issue, but strongly recommends that partners update to ScreenConnect version 23.9.8.

For instructions on updating to the newest release, please reference this doc: Upgrade an on-premise installation – ConnectWise.


Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.