
A week in security (May 15-21)

Last week on Malwarebytes Labs:

Stay safe!


Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Update now: 9 vulnerabilities impact Cisco Small Business Series

Nine vulnerabilities have been found and fixed in the web-based user interface of various Cisco Small Business Series products. In the worst case, they could lead to denial of service (DoS) conditions or arbitrary code execution.

Affected products

The vulnerabilities affect all of the below if running vulnerable firmware:

  • 250 Series Smart Switches
  • 350 Series Managed Switches
  • 350X Series Stackable Managed Switches
  • 550X Series Stackable Managed Switches
  • Business 250 Series Smart Switches
  • Business 350 Series Managed Switches
  • Small Business 200 Series Smart Switches
  • Small Business 300 Series Managed Switches
  • Small Business 500 Series Stackable Managed Switches

Exploits

  • CVE-2023-20159: Cisco Small Business Series Stack Buffer Overflow
  • CVE-2023-20160: Cisco Small Business Series Switches Unauthenticated BSS Buffer Overflow Vulnerability 
  • CVE-2023-20161: Cisco Small Business Series Switches Unauthenticated Stack Overflow Vulnerability
  • CVE-2023-20189: Cisco Small Business Series Switches Unauthenticated Stack Buffer Overflow Vulnerability

The four vulnerabilities above could allow an unauthenticated remote attacker to execute arbitrary code on an affected device. This is because of improper validation of requests sent to the web interface. A crafted request sent through the web interface could result in the attacker executing arbitrary code with root privileges on an affected device.

  • CVE-2023-20024: Cisco Small Business Series Switches Unauthenticated Heap Buffer Overflow Vulnerability
  • CVE-2023-20156: Cisco Small Business Series Switches Unauthenticated Heap Buffer Overflow Vulnerability
  • CVE-2023-20157: Cisco Small Business Series Switches Unauthenticated Heap Buffer Overflow Vulnerability
  • CVE-2023-20158: Cisco Small Business Series Switches Unauthenticated Denial-of-Service Vulnerability

The four vulnerabilities above could allow for a denial of service (DoS) condition on an affected device. As above, this is due to crafted requests being improperly validated when sent to the web interface.

  • CVE-2023-20162: Cisco Small Business Series Switches Unauthenticated Configuration Reading Vulnerability

This final vulnerability could allow a remote attacker to read unauthorised information on an affected device. As with the other flaws, it is caused by improper validation of requests sent to the web interface.

Mitigation

Two products confirmed as not vulnerable to these issues are:

  • 220 Series Smart Switches
  • Business 220 Series Smart Switches

However, for those web-based user interfaces that are affected, Cisco has released software updates to fix the vulnerabilities. Cisco states that product users “should obtain security fixes through their usual update channels”.

There are no workarounds to address these vulnerabilities. In other words, if you’re unable to apply an update for the time being, your devices will remain vulnerable until the updates are applied.


Child safety app riddled with vulnerabilities: Update now!

An app designed to restrict screen time and add a “kids’ mode” for children on smart devices has been found to have a broad range of security issues.

“Parental Control – Kids Place” is an incredibly popular Android app, sporting 5M+ downloads on its Google Play page. In terms of what the app does with users’ data, Play’s Data Safety page has this to say:

  • No data shared with third parties 

  • Precise location, name and email, installed apps and other actions, crash logs, and device / other IDs may be collected 

  • Data is encrypted in transit 

  • You can request that data be deleted 

Despite this, the five flaws discovered by the SEC Consult researchers would give most parents quite the headache in terms of device, account, and child safety. The explanations given for the various flaws are quite technical. Fear not, because below we’ll explain how these affected app users without wandering into the coding weeds. 

  • Passwords were being stored insecurely, in a way which would be potentially easy for an attacker to crack using automated methods.
  • The parent’s web dashboard was insecure and vulnerable to attack.
  • This same dashboard could be exploited to send download links to the child’s device which could contain malware.
  • Finally, the child could potentially bypass the restriction features without anyone noticing. This last one involves a couple of steps which include booting into safe mode. While a child may not figure the flow out themselves, it’s the kind of thing which routinely ends up on social media and streaming sites as a “cool hack”.

The vendor was notified mid-November 2022, with the app creators responding that “most” of the vulnerabilities had been fixed. Several rounds of back and forth communication ensued, with the SEC researchers having to go back and explain that certain issues had still not been addressed by the start of January 2023. 

The vendor again replied that everything had now been fixed mid-February, and this time around the fixes got the job done. 

What does this all mean in practice if you’re a user of this app? Well, good news: the updates did indeed fix the flaws. The way to keep your app and your child safe is to download the latest version of Parental Control – Kids Place from the Google Play store. 

You must be running at least version 3.8.50 in order to be safe from the issues listed above. 

There are no workarounds available to address the five security vulnerabilities if you’re running something lower than this, and you’ll potentially be at risk until you update the app. 

To update a Google Play app, there are a few options available: 

Update all Android apps automatically: 

  • Open the Play Store app 

  • In the top right corner, press the profile icon 

  • Tap Settings > Network Preferences > Auto-update apps 

  • Select “over any network”, or “over Wi-Fi only” 

Update individual apps automatically: 

  • Open the Play Store app 

  • In the top right corner, press the profile icon 

  • Tap Manage apps and device 

  • Tap Manage, and then find the desired app 

  • Tap the app to open the app’s Details page 

  • On the Details page, tap More (typically represented by three vertical dots) 

  • Turn on Enable auto-update 

You may need to restart your device to complete the process. 


We don’t just report on Android security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your Android devices by downloading Malwarebytes for Android today.

Zip domains, a bad idea nobody asked for

If you heard a strange and unfamiliar creaking noise on May 3, it may have been the simultaneous rolling of a million eyeballs. The synchronised ocular rotation was the less than warm welcome that parts of the IT and security industries—this author included—gave to Google’s decision to put .zip domains on sale.

Google Registry actually announced eight new top-level domains (TLDs) that day: .dad, .phd, .prof, .esq, .foo, .zip, .mov, and .nexus, but it was dot zip and dot mov that had security eyeballs looking skywards, because of their obvious similarity to the extremely popular and long-lived .zip and .mov file extensions.

TLDs are the letters that come after the dot at the end of the domain name in an Internet address, like example.com, example.org, and example.zip.

File extensions are the three letters that come after the dot at the end of a file name, like example.docx, example.ppt, and example.zip.

You see the problem?

Domain names and filenames are not the same thing, not even close, but both of them play an important role in modern cyberattacks, and correctly identifying them has formed part of lots of basic security advice for a long, long time.

The TLD is supposed to act as a sort of indicator for the type of site you’re visiting. Dot com was supposed to indicate that a site was commercial, and dot org was originally meant for non-profit organizations. Despite the fact that both dot com and dot org have been around since 1985, it’s my experience that most people are oblivious to this idea. Against that indifference, it seems laughable that dot zip will ever come to indicate that a site is “zippy” or fast, as Google intends.

When you’re offering services where speed is of the essence, a .zip URL lets your audience know that you’re fast, efficient, and ready to move.

Meanwhile, plenty of users already have a clear idea that .zip means something completely different. Since the very beginning, files on Windows computers have used an icon, and a filename ending in a dot followed by three letters to indicate what kind of file you’re dealing with. If the three letters after the dot spell z-i-p, then that indicates an archive full of compressed—”zipped up”—files. The icon even includes a picture of a zipper on it (because reinforcement is good, and confusion is bad.)

As it happens, cybercriminals love .zip files and the last couple of years has seen an explosion in their use as malicious email attachments. Typically, the zip file is first in a sequence of files known as an “attack chain”. In a short chain, the zip file might simply contain something bad. In a longer chain it might contain something that links to something bad, or contain something that contains something that links to something bad, or contain something that links to something that contains something that links to something bad. You get the idea.

The key to it all is misdirection. The attack chain is there to confuse (there’s that word again) and mislead users and security software.

Criminals use other forms of misdirection in file extensions too. An old favourite is giving malicious files two file extensions, like evil.zip.exe. The first one, .zip in this case, is there to fool you. The second is the real one: A dangerous executable type, .exe in this example. Given a choice of two, users have to decide which one to believe. Most aren’t even faced with that choice though. Hilariously, Windows helps the subterfuge along by hiding the second file extension, the one you really should be paying attention to, by default.

Domain names get the same treatment. Criminals make extensive use of open redirects for example—web pages that will redirect you anywhere you want to go—to make it look as if their malicious URLs are actually links to Google, Twitter or other respectable sites. Less sophisticated criminals just throw words like “paypal”, or anything else you might recognise, into the link and hope you’ll notice that bit and ignore the rest.

Against that backdrop, Google inexplicably decided to introduce something that will generate no useful revenue but will give cybercrooks an entirely new form of file and domain name misdirection, to add to all the others we’re still wrestling with.

What could criminals do with this new toy? There is no better example than that provided by security researcher Bobby Rauch, in his excellent article The Dangers of Google’s .zip TLD. In it, Rauch challenges readers to identify which of the following two URLs “is a malicious phish that drops evil.exe?”

https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip
https://github.com∕kubernetes∕kubernetes∕archive∕refs∕tags∕@v1.27.1.zip

It’s the bottom one.

The top one would open a zip file called v1.27.1.zip from the github.com domain. The second would go to the domain v1.27.1.zip, which in this hypothetical example triggers the download of the evil.exe file.
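As an added example (not part of the original article or of Rauch’s post), here is a small Python check that a mail or web gateway could run to flag the lookalike URL above. It assumes only the two URLs from the text and the U+2215 DIVISION SLASH that the lookalike uses in place of “/”; the other slash lookalike code points are assumed additional cases.

```python
"""Flag URLs that use the .zip/.mov lookalike trick discussed above.

Three signals are checked, each present in the phishing URL from the text
and absent from the genuine GitHub link:
  1. a Unicode character that renders like '/' but is not a path separator,
  2. an '@' in the authority part (everything before it is userinfo, not host),
  3. a host whose TLD doubles as a common file extension (.zip, .mov).
"""
from urllib.parse import urlsplit

# Constructed sample input: the two URLs from Bobby Rauch's challenge.
BENIGN_URL = "https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip"
LOOKALIKE_URL = (
    "https://github.com\u2215kubernetes\u2215kubernetes\u2215archive"
    "\u2215refs\u2215tags\u2215@v1.27.1.zip"
)

# TLDs on sale since May 3 that collide with file extensions.
FILE_EXTENSION_TLDS = {"zip", "mov"}

# Code points that look like a forward slash in most fonts. U+2215 is the one
# used in the lookalike above; the other two are assumed additional cases.
SLASH_LOOKALIKES = {
    "\u2215": "DIVISION SLASH",
    "\u2044": "FRACTION SLASH",
    "\uff0f": "FULLWIDTH SOLIDUS",
}


def analyse_url(url):
    """Return (host, warnings).

    host is the lowercased name a browser would actually connect to, or None
    if the authority could not be parsed. urlsplit() treats everything up to
    the first real '/' after '//' as the authority and everything before the
    last '@' in it as userinfo, which is exactly how the lookalike hides the
    true host at the end of the string.
    """
    warnings = []
    for ch, name in SLASH_LOOKALIKES.items():
        if ch in url:
            warnings.append(f"contains U+{ord(ch):04X} {name}, which looks like '/'")
    try:
        parts = urlsplit(url)
    except ValueError:
        # Fullwidth characters that NFKC-normalise to '/' make urlsplit refuse
        # the netloc; a gateway should treat an unparsable authority as hostile.
        warnings.append("authority could not be parsed; treat as hostile")
        return None, warnings
    host = (parts.hostname or "").lower()
    if "@" in parts.netloc:
        warnings.append(f"'@' in authority: text before it is userinfo, real host is {host}")
    tld = host.rsplit(".", 1)[-1]
    if tld in FILE_EXTENSION_TLDS:
        warnings.append(f"host {host} ends in .{tld}, a TLD that reads like a file extension")
    return host, warnings


def is_suspicious(url):
    """True if any warning fires; a gateway policy might block or rewrite these."""
    return bool(analyse_url(url)[1])


if __name__ == "__main__":
    for url in (BENIGN_URL, LOOKALIKE_URL):
        host, warnings = analyse_url(url)
        print(f"{url}\n  host: {host}\n  suspicious: {bool(warnings)}")
        for w in warnings:
            print(f"  - {w}")
```

Run stand-alone, the script reports github.com with no warnings for the first URL and v1.27.1.zip with three warnings for the second.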

If you figured it out, well done, but remember you knew that one of them was bad. Would you have spotted it if you hadn’t been forewarned? And if you didn’t spot it, don’t feel bad, that’s the whole point. It’s hard to read URLs even if you know you’re looking for something out of place.

Of course, the invention of dot zip domains didn’t suddenly make URLs hard to read, they were already, but that’s no excuse.

Google does an awful lot of really good stuff for computer security, for which it deserves enormous credit, and this is a small and uncharacteristic misstep. The search giant was under absolutely no pressure to create a dot zip TLD and it hardly seems destined to become a major income stream.

Dot zip domains are not yet a serious problem. At the time of writing, a little fewer than 4,000 have been registered, some of which were almost certainly bought by security researchers wanting to demonstrate what a bad idea they are, or to deprive criminals of some of the more dangerous names.

Criminals may yet decide they don’t need the built-in confusion of the dot zip domain (or at least, not today). They already have a whole bag of tricks that work very well and if a new one doesn’t make their life easier or richer, they won’t use it.

It is also possible that dot zip will simply die on the vine if enough companies choose to block it. Last week, Citizen Lab’s John Scott-Railton urged his nearly 200,000 Twitter followers to simply “block it all”, saying “The chance that new .zip and .mov domains mostly get used for malware attacks is 100%.”

It’s for you and your organisation to decide if you should block it, but I will point out that if you are going to, the best time to do it is now: Almost nobody is currently using it, and nobody is going to use it in future if it’s routinely blocked.


APT attacks: Exploring Advanced Persistent Threats and their evasive techniques

Cyber criminals come in all shapes and sizes.

On one end of the spectrum, there’s the script kiddie or inexperienced ransomware gang looking to make a quick buck. On the other end are state-sponsored groups using far more sophisticated tactics—often with long-term, strategic goals in mind.

Advanced Persistent Threats (APT) groups fall into this latter category.

Well-funded and made up of an elite squadron of hackers, these groups target high-value entities like governments, large corporations, or critical infrastructure. They often deploy multi-stage, multi-vector approaches with a high degree of obfuscation and persistence.

But for every small-to-medium-sized business (SMB) out there asking themselves “Why would an APT group care about me?”, we have the answer.

SMBs can be stepping stones to bigger targets—especially if they’re in a supply chain or serve larger entities. A whopping 93% of SMB execs even think nation-state hackers are using businesses like theirs as a backdoor into the country’s digital defenses.

In this post, we’ll break down how APT groups work, explain their tactics and evasive techniques, and how to detect APT attacks.

How APT groups work

The aim of APT groups is not a quick hit, but a long-term presence within a system, allowing them to gather as much information as they can while remaining undetected.

APTs stand apart from typical cybercriminals in several key ways:

  • Motive: Unlike ordinary cybercriminals, APTs are primarily driven by the acquisition of intelligence. While they might engage in activities that yield financial gains, their primary funding comes from the state they serve, not from their operations.
  • Tools: APTs have access to advanced tools and zero-day vulnerabilities. They keep these under wraps for as long as they can, only resorting to destructive malware when necessary.
  • Crew: APTs consist of experienced and motivated individuals who work in close coordination with one another. This is a stark contrast to traditional cybercriminals, where distrust often prevails.

An example of APT reconnaissance (RedStinger) as observed by the Malwarebytes Threat Intelligence Team

So, how does an APT work its dark magic? Here’s a quick rundown:

  • Step 1: Reconnaissance. This could be anything from figuring out whether there’s sensitive data or information worth stealing to making a hit list of employees or ex-employees.
  • Step 2: Infiltration. Usually, this involves some crafty social engineering, like spear phishing or setting up a watering hole to deliver custom malware.
  • Step 3: Establishing a foothold. APTs need someone inside the target’s network to run their malware.
  • Step 4: Expanding their reach. This might involve further deployment of malware, reconnaissance of the network, or other activities aimed at consolidating their position.
  • Step 5: Data acquisition. The ultimate goal is to acquire the desired data. They might need to get more access in the network to do this.
  • Step 6: Maintaining presence. Once they’re in, they might need to create more entry points or even leave a backdoor open for a return visit. If they’re done, they’ll clean up their mess to cover their tracks.

While not all these steps are required in every case, and the time and effort expended on each can vary widely, this provides a general framework for understanding how APTs operate.

Evasive techniques of APT attacks

Alright, now that we know the basics of how APTs operate, let’s dive into the specifics of their tools, techniques, and procedures (TTPs).

The list below gives each TTP by its MITRE ATT&CK name and ID, followed by a description of how APT groups use it:

  • Phishing (Spear-phishing Attachment, Spear-phishing Link): APT groups frequently initiate targeted spear-phishing attacks, often combined with social engineering and exploitation of software vulnerabilities, to gain initial access to a target network.
  • Execution through API (T1059.005) or User Execution (T1204): Once inside a network, APTs use legitimate system tools and processes to carry out their activities in a way that blends in with normal network activity and avoids detection.
  • Exploitation for Client Execution (T1203): APT groups frequently discover and exploit zero-day vulnerabilities — these are software flaws unknown to the software’s vendor at the time of exploitation.
  • Lateral Movement (Tactic ID: TA0008): After gaining initial access, APTs use lateral movement techniques, such as Pass the Hash (PtH), to explore the network, elevate their privileges, and gain access to more systems.
  • Exfiltration Over C2 Channel (T1041): APTs typically employ advanced, stealthy techniques for stealing data, such as splitting it into small packets, encrypting it, or sending it out during normal business hours to blend in with regular traffic.
  • Establish Persistence (Tactic ID: TA0003): APT groups use techniques like multiple backdoors, rootkits, and even firmware or hardware-based attacks to maintain access to a network even after detection and remediation efforts.
  • Supply Chain Compromise (T1195): APTs sometimes compromise software or hardware vendors to exploit the trust relationships between those vendors and their customers, thereby gaining access to the customers’ systems.

In short, APT groups use methods like “living off the land” (utilizing built-in software tools to carry out their activities), fileless malware (malware that resides in memory rather than on disk), encryption (to hide their communication), and anti-forensic measures (to cover their tracks).

Breakdown of different APT groups

Attribution is always a bit thorny when it comes to different APT groups, but some groups are rather well-known and their origin has become clear. A naming convention that not everyone follows is: Chinese APT actors are commonly known as “Pandas,” Russian APTs as “Bears,” and Iranian APTs as “Kittens”.

Some examples:

  • APT28 aka Fancy Bear (Russia)
  • Nemesis Kitten (Iran) a sub-group of Iranian threat actor Phosphorus (APT35)
  • APT1 aka Comment Panda aka Unit 61398 of the People’s Liberation Army (China)

Countries typically have different groups that focus on different targets, but generally speaking, some of the most frequently hit sectors are governments, aerospace, and telecommunications. 

According to the cyber threat group list compiled by MITRE ATT&CK, we’re aware of over 100 APT groups worldwide. The majority of these groups have ties to China, Russia, and Iran. In fact, China and Russia alone are reportedly connected to nearly 63% of all these known groups.

For the purposes of this article, I compiled data on 37 different APT groups listed by American cybersecurity firm Mandiant and broke them down by country. I also ran numbers of the most frequently mentioned target industries; as this data comes from a relatively small sample size, treat these as rough estimates. 


Detecting Advanced Persistent Threats (APTs)

You’ve got a few tricks up your sleeve when it comes to detecting APTs on your network.

You can use things like Intrusion Detection and Prevention Systems, or IDS/IPS for short, which keep an eye on your network traffic. Regular check-ups on your logs and network can also give you clues.

Then there’s following breadcrumbs known as Indicators of Compromise (IoCs) and watching for any weird behavior from users or end devices. But here’s the thing: these threats are getting smarter and trickier.

That’s where Endpoint Detection and Response (EDR) comes in. Let’s take a look at how EDR can help level up your defense game against these APTs.

Consider, for example, the fairly common case of an APT group using Mimikatz, an open source tool for Windows security and credential management, to extract credentials from memory and perform privilege escalation. MITRE lists at least 8 APT groups observed to use Mimikatz for this exact purpose. 

Using Malwarebytes EDR, we can find suspicious activity like this and quickly isolate the endpoint with which it’s associated.


Clicking into a high-severity alert, we see the rules that fired, grouped into categories that help a newer or less experienced analyst understand what’s going on with this process.

What we see here is the actual categorization of behaviors that Malwarebytes witnessed in this process. Each of these little bubbles has been color coded to help you understand the severity of this issue.


At the bottom, we have a detailed process timeline as well. Clicking into any of these nodes, we get a lot of rich context information about what this process did.

As a security analyst or an IT admin, the first question you typically ask when an incident occurs is: What happened? Do we know if it’s malicious? What is the actual extent of the potential damages? And so on.


We can see the exact time that it ran and the file hashes, so if we needed to do further investigation, we have those available. And most importantly, we’ve highlighted below the command line actually used to execute this technique on our machine.

This is really suspicious looking code that could definitely be a sign of an APT on the network. This PowerShell command is downloading and executing Mimikatz from a remote server. Let’s remediate ASAP!

Closing this view out we’ll find a “Respond” option in the upper-right hand corner with a drop-down menu to “Isolate Endpoint”.


We have three layers of isolation that we can provide: network isolation, process isolation, and desktop isolation.

The network and process isolations are intended to give us the ability to quarantine that machine and prevent it from doing anything that is not authorized by Malwarebytes.

What this means is, we can still use our Malwarebytes console to trigger scans to perform other tasks and to review data, but the machine otherwise can’t communicate or run anything else. 

Bam! This potential APT threat is blocked all in a matter of minutes.

Want to see Malwarebytes EDR in action? Learn more here.

Respond to APT attacks quickly and effectively

Managed Detection and Response (MDR) services provide an attractive option for organizations without the expertise to manage EDR solutions. MDR services offer access to experienced security analysts who can monitor and respond to threats 24/7, detect and respond to APT attacks quickly and effectively, and provide ongoing tuning and optimization of EDR solutions to ensure maximum protection.


KeePass vulnerability allows attackers to access the master password

KeePass is a free open source password manager, which helps you to manage your passwords and stores them in encrypted form. In fact, KeePass encrypts the whole database, i.e. not only your passwords, but also your user names, URLs, notes, etc.

That encrypted database can only be opened with the master password. You absolutely do not want an attacker to get hold of your master password, since that is basically the key to your kingdom—aka “all your passwords are belong to us.”

However, a researcher has worked out a way to recover a master password, and has posted KeePass 2.X Master Password Dumper on GitHub.

The description of the vulnerability (CVE-2023-32784) says:

“In KeePass 2.x before 2.54, it is possible to recover the cleartext master password from a memory dump, even when a workspace is locked or no longer running. The memory dump can be a KeePass process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys), or RAM dump of the entire system. The first character cannot be recovered. In 2.54, there is different API usage and/or random string insertion for mitigation.”

The issue was reported to the developer of KeePass on May 1, 2023 and relies on the way that Windows processes the input of a text box. 

Since the developer has fixed the issue, this would normally be the place where we tell you to update KeePass. Unfortunately, a release for the new update (2.54) is not expected for a few months, since the developer is still working on a few other security related features.

However, there is no reason for most KeePass users to immediately panic and switch to a different password manager, because it would be very difficult for an attacker to get their hands on a memory dump of your system without you noticing. That being said, the gravity of the situation is different for people that are afraid their system might be confiscated and submitted to forensic analysis.

Protection

There are a few things you can do if you’re worried about this vulnerability.

  • KeePass can be used with a YubiKey. A YubiKey is a USB device; once it is inserted into a USB slot of your computer and you press its button, it enters the password for you. This keeps the password out of the text box, so it doesn’t end up in the system memory.
  • Scan your system for malware. It is feasible that malware could be used to remotely fetch a memory dump from an infected system.
  • Turn on device encryption to keep unauthorized users from accessing your system.

For those with the more serious threat model of system confiscation that we mentioned earlier, the researcher that found the issue posted the advice to follow these steps:

  • Change your master password
  • Delete hibernation file
  • Delete pagefile/swapfile
  • Overwrite deleted data on the HDD to prevent carving (e.g. Cipher with /w on Windows)
  • Restart your computer

Or just overwrite your hard disk drive (HDD) and do a fresh install of your operating system (OS).

That looks a bit over the top for most users, and most will not need to do it. However we do advise all KeePass users to keep an eye out and to update to KeePass 2.54 or higher once it is available.


We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

PharMerica breach impacts almost 6 million people

US pharmacy giant PharMerica has notified over 5.8 million people about a security incident in which it says personal information and medical information may have been obtained by cybercriminals. The Data Breach Notification lists the total number of persons affected as 5,815,591.

An investigation was started after PharMerica noticed suspicious activity on its network. The investigation showed that an unauthorized party accessed PharMerica computer systems on March 12-13, 2023, and that this party may have had access to certain personal information. The incident was noticed on March 14, and a week later PharMerica identified that the personal information accessed included names, dates of birth, Social Security numbers, medication lists and health insurance information.

Ransomware group Money Message has claimed responsibility for the attack. The gang claims that they encrypted almost the entire PharMerica infrastructure, and has published parts of the stolen data to their leak site.

screenshot of Money Message leak site showing PharMerica

Image courtesy of BleepingComputer

Money Message is a new ransomware which targets both Windows and Linux systems. As we mentioned in our May ransomware review, Taiwanese PC parts maker MSI also fell victim to Money Message.

On its website PharMerica says:

“At this point, PharMerica is not aware of any fraud or identity theft to any individual as a result of this incident, but is nonetheless notifying potentially affected individuals to provide them with more information and resources. The notice will include information on steps individuals can take to protect themselves against potential fraud or identity theft. PharMerica has arranged for complimentary identity protection and credit monitoring services for potentially affected individuals.”

An extra point of concern is that a relatively large part of the people affected by the breach have passed away, which makes it unlikely that relatives will regularly monitor their credit reports, making any cybercrime related to the stolen data even more difficult to detect and stop.

What to do if you’ve been caught in a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly, and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before the attackers reach the point of encrypting or exfiltrating data.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.


Leaked Babuk ransomware builder code lives on as RA Group

The bones of long-gone ransomware group Babuk continue to rattle in the breeze, in the form of reused code. Researchers from Cisco Talos have named this new team the "RA Group", a ransomware collective which may only have been up and running since last month.

Babuk famously threatened to leak law enforcement data, relented, and then had its ransomware builder tool leaked during the weirdest retirement ever. While some of these antics may sound faintly comical, the ransomware was no joke. Babuk popped up in all sorts of attacks, like being deployed via Microsoft Exchange exploits. Babuk code has also been reused prior to this latest group, for example as the basis for Rook ransomware at the end of 2021.

The leaked builder has proven to be very useful for those in the ransomware realm, and people wanting to get in on the act. Its versatility and relative ease of use ensures that—sadly—we’ll likely be seeing Babuk lurking at the edges of ransomware development for a long time to come.

Our latest Babuk beneficiary, the RA Group, already has four known compromises in the US and South Korea. According to Talos, like many other forms of ransomware, the attacks are based around double extortion tactics. This is where the target isn’t just stuck with encrypted, inaccessible files, they’re also threatened with the stolen data being leaked should the ransom not be paid.

In this case, RA Group is sticking with the tried and tested leak portal technique. Watching confidential information be spilled across the internet for download is certainly one way to encourage a business to pay up, and an effective tactic. Talos reports that the main leak site is undergoing various cosmetic tweaks and alterations, confirming the impression that this is all very new indeed.

If you’re unfortunate enough to end up on the leak portal, your details are organised like so:

  • Organisation name
  • A list of stolen data / file size
  • Organisation URL

Customised ransom notes are used for compromised entities, with three days given to pay up or risk the data being made public. When the three-day mark is reached, "sample files" are published. After seven days, everything goes public.

A list of the stolen data is also provided in the ransom note, which isn't something you see all the time. There's no better way to show you mean business than to spell out exactly what you've taken: supplier, tax and financial information from every compromised desktop. Talos notes that the name of the impacted organisation is also embedded in the code of the ransomware executable.

Should your data end up for sale, the message below may provide many sleepless nights:

If you want to buy this data, please contact us by qtox

qTox is an instant messaging tool billed as secure and private, particularly with regard to keeping governments from listening in on what you might be saying. Ransomware groups using instant messaging to communicate with victims is fairly common, and they often pick encrypted tools to do so.


3 reasons to use a VPN

There are many good reasons to use a Virtual Private Network (VPN), even if you are just casually scrolling. Privacy is a right that is yours to value and defend, and if you want to increase your online privacy then a VPN is one of the possible solutions. 

A VPN works like this: without one, every packet you send carries your Internet Protocol (IP) address, so the sites you visit, your ISP and anyone else on the path can log your activity against that address. A VPN creates an encrypted tunnel from your device to the VPN server, a digital middleman that sits between your device and the internet. The sites you visit see the VPN server's IP address instead of yours, and anyone between you and the VPN server sees only encrypted traffic.

Here are three reasons why you might want to use a VPN.

1. To stay private, at all times

Someone who is worried about being spied on, perhaps by their Internet Service Provider (ISP) or by someone on the same network such as an employer or spouse, may choose to use a VPN. All these snoops can see when you are using a VPN is that you are communicating with the VPN server; they cannot see the content of the communications or where the traffic goes from there. Even if attackers are on the same WiFi network, the encrypted tunnel means the packets they capture are unreadable to them.

2. To change your location

There are some basic reasons why someone would like to change their location. Some services have location-based restrictions, and they usually rely on your IP address to figure out where you are. So, if you want to get around such a restriction, you can appear to be in a location where it doesn't apply. It also works the other way round if you want to restrict content: for example, if you don't want your children to visit Pornhub, you can set your location to Utah, because the site blocks visitors from that state over an age verification law.

[Screenshot: choosing a different location in Malwarebytes Privacy VPN]

Switching your location is easy in Malwarebytes Privacy VPN

3. To protect when you need it the most

Some users only use a VPN when they feel they need its protection the most. For example, they might turn on the VPN when they are connected to a public WiFi, accessing their bank accounts, sending work-related or other sensitive information, or because they plan on visiting high-risk websites.

Malwarebytes Privacy VPN

Malwarebytes Privacy VPN helps protect your online privacy, shield your location, keep your data private even on public WiFi, and delivers speeds way faster than traditional VPNs. And it’s important to know that Malwarebytes does not log anything the user does. What you do is your business, not ours.

Windows 11 is showing its first signs of Rust

Some important changes are heading to Windows which should make the operating system quite a bit more secure than it is now. At the end of April, David Weston, Microsoft's Vice President of Enterprise and OS Security, referenced upcoming changes to Windows involving the programming language Rust.

Rust matches the performance of languages like C and C++ while being easier to debug and maintain and, most importantly, memory safe by default. Some programmers are very keen on it, and Weston's own enthusiasm comes through in his talk at BlueHat IL 2023.

At the time, he cautioned that "rewriting Windows in Rust isn't going to happen anytime soon". However, he also said that Rust would be making an appearance in the operating system's kernel "in the next several weeks or months".

That moment has now arrived for people on the Windows 11 Insider program.

Why is this such good news? Well, the kernel is the core component of a computer operating system and is crucial to how it functions. It’s one of the first things to fire up when a computer is switched on, and then it sits in memory permanently, mediating between the computer’s applications and hardware.

If an attacker successfully compromises a kernel, they can expect to have full control over the device it’s running on, which is of course very bad indeed. These issues aren’t just Windows specific—you can end up with a kernel disaster on a Mac, or over in Linux land, too.

A big part of kernel exploitation is focused on memory management. Traditionally, the most popular languages for kernels have been C and C++, which provide excellent performance and lots of flexibility, and a lot of rope to hang yourself with when it comes to security. When people with bad intentions stroll into town, one of the first places they prod is memory handling. An out-of-bounds write, a use-after-free or an uninitialised read can crash the kernel or, with care, be turned into execution of attacker-controlled code.

A huge part of this is the dreaded buffer overflow, which has been around since the 1970s. It happens when data written to a buffer spills past its end and overwrites neighbouring memory. If the attacker controls that data, they can corrupt return addresses, function pointers or other program state and redirect execution wherever they like.

Despite endless attempts to get programmers to write more secure code, improvements to the underlying languages, and mitigations like Windows Address Space Layout Randomization (ASLR), buffer overflows continue to be a huge problem. The only way to root them out completely is to move away from C and C++ to a memory safe language like Rust, whose compiler enforces ownership and lifetime rules and inserts bounds checks, so that an out-of-bounds access becomes a compile error or a controlled crash rather than silent memory corruption.
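As an added example (not code from Windows, Microsoft or the original post), the following Rust program shows what the language does with the bug class described above. It puts a C-style unchecked copy into a 16-byte stack buffer, which Rust will only compile behind `unsafe`, next to two safe versions: one where the compiler's own bounds check turns an oversized write into a panic, and one that checks the length explicitly and returns an error, which is how kernel-facing code should treat untrusted input. The buffer size, the function names and the sample inputs are choices made for this illustration.

```rust
// Added example (not from Windows or the original post): what Rust does with a
// classic fixed-size buffer copy. BUF_LEN, the function names and the inputs
// are assumptions made for this illustration.
use std::panic;

pub const BUF_LEN: usize = 16;

/// The C-shaped version: write through a raw pointer with no length check,
/// i.e. `memcpy(buf, src, len)` into `char buf[16]`. Rust refuses to compile
/// this outside `unsafe`, so the dangerous code is marked and auditable.
/// With `src.len() > BUF_LEN` it is undefined behaviour exactly as in C:
/// the extra bytes land on whatever happens to follow `buf` on the stack.
pub unsafe fn copy_unchecked(buf: &mut [u8; BUF_LEN], src: &[u8]) -> usize {
    let dst = buf.as_mut_ptr();
    for (i, &b) in src.iter().enumerate() {
        // SAFETY: none. There is no `i < BUF_LEN` check; this is the bug.
        unsafe { *dst.add(i) = b };
    }
    src.len()
}

/// Plain safe Rust written the same naive way. Indexing `buf[i]` is
/// bounds-checked by the compiler, so an oversized input cannot overwrite
/// neighbouring memory; the thread panics instead. That is a crash, not
/// attacker-controlled code execution.
pub fn copy_naive(buf: &mut [u8; BUF_LEN], src: &[u8]) -> usize {
    for (i, &b) in src.iter().enumerate() {
        buf[i] = b;
    }
    src.len()
}

/// Hardened version: check the length up front and report an error instead
/// of panicking. `Err` carries the number of bytes by which the input would
/// have overrun the buffer.
pub fn copy_checked(buf: &mut [u8; BUF_LEN], src: &[u8]) -> Result<usize, usize> {
    if src.len() > BUF_LEN {
        return Err(src.len() - BUF_LEN);
    }
    buf[..src.len()].copy_from_slice(src);
    Ok(src.len())
}

/// Drive `copy_naive` with `input` and report whether Rust stopped an
/// out-of-bounds write. Returns true if the copy panicked.
pub fn overflow_is_caught(input: &[u8]) -> bool {
    let mut buf = [0u8; BUF_LEN];
    panic::catch_unwind(panic::AssertUnwindSafe(|| copy_naive(&mut buf, input))).is_err()
}

fn main() {
    // Constructed inputs: one that fits, one of 40 bytes that does not.
    let fits: &[u8] = b"fits in 16";
    let too_long = [b'A'; 40];
    let mut buf = [0u8; BUF_LEN];

    println!("checked, fits:     {:?}", copy_checked(&mut buf, fits));
    println!("checked, too long: {:?}", copy_checked(&mut buf, &too_long));

    // Silence the default panic message so the demo output stays readable.
    panic::set_hook(Box::new(|_| {}));
    println!("naive, too long:   panicked = {}", overflow_is_caught(&too_long));

    // The unchecked copy is only ever called here with input that fits.
    let n = unsafe { copy_unchecked(&mut buf, fits) };
    println!("unchecked, fits:   {} bytes copied", n);
}
```

The point of the three variants is the contrast, not the copy itself: the same loop that silently corrupts the stack in C cannot be written in safe Rust, and the moment it is written unsafely the `unsafe` keyword gives reviewers a short list of places to look. Note that the `catch_unwind` wrapper is there to demonstrate the panic in a single process; production code would use the explicit length check so that bad input is rejected before any write happens.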

This approach has already proven more reliable than hoping programmers will do the right thing: Android's adoption of memory safe languages, which started several years before Microsoft's, has led to a significant decline in memory safety vulnerabilities on that platform.

According to Google, in situations where Rust has been used on low-level Android components instead of C++, there have been “zero memory safety vulnerabilities discovered.”

The work of switching out C++ for Rust in Windows 11 has already begun. As per The Register, the Windows Graphics Device Interface (GDI) is currently being ported to Rust, some 36,000 lines of Rust code so far, and there is already a system call in the Windows kernel implemented in Rust.

While the “wouldn’t it be nice” dream of replacing all pieces of C and C++ in Windows with safer, better alternatives is likely impossible, big and important strides in memory safety are finally being made. What we have here is yet another good reason to finally make the leap from Windows 10 to 11.

