IT NEWS

Play ransomware gang leaks City of Oakland data

The Play ransomware gang has begun partially publishing data they stole from the City of Oakland, California. The data were in multiple archive files with a collective file size of 10GB. According to the ransomware gang, the files contain “[p]rivate and personal information data, financial information. IDs, passports, employee full info, human rights violation information.”

“If there is no reaction full dump will be uploaded,” the gang wrote in a comment on their leak site. They also hinted that each file could be used independently.

Image: Play ransomware gang’s leak page for the City of Oakland, California

Following the release of the data, the City of Oakland said in an updated statement:

“While the investigation into the scope of the incident impacting the City of Oakland remains ongoing, we recently became aware that an unauthorized third party has acquired certain files from our network and intends to release the information publicly.

We are working with third-party specialists and law enforcement on this issue and are actively monitoring the unauthorized third party’s claims to investigate their validity.”

The City of Oakland, California was attacked four weeks ago, bringing several City services to a standstill. This pushed Interim City Administrator G. Harold Duffey to declare a state of emergency. The Play ransomware group claimed responsibility for the attack.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Write an incident response plan. The period after a ransomware attack can be chaotic. Make a plan that outlines how you’ll isolate an outbreak, communicate with stakeholders, and restore your systems.
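One concrete way to carry out the “test them regularly” step in the backup advice above, as an added example that is not code from the original article: record a SHA-256 manifest of the live data at backup time, keep the manifest with the offline copy rather than on the host, and after a trial restore compare the restored tree against that manifest. The directory layout, file names and contents built in demo() are constructed for the offline run; any real deployment would point build_manifest() at the actual data set.

```python
"""Backup restore verification: manifest at backup time, compare after restore.

Added example; not code from the original article. The sample data in
demo() is constructed so the script runs offline.
"""
from __future__ import annotations

import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict[str, str], restored: Path) -> dict[str, list[str]]:
    """Compare a restored tree against the manifest recorded at backup time."""
    actual = build_manifest(restored)
    return {
        "missing": [f for f in manifest if f not in actual],
        "corrupt": [f for f in manifest if f in actual and actual[f] != manifest[f]],
        "extra": [f for f in actual if f not in manifest],  # informational only
    }


def restore_is_good(report: dict[str, list[str]]) -> bool:
    """Fail closed: any missing or altered file means the restore is not trustworthy."""
    return not (report["missing"] or report["corrupt"])


def demo() -> dict[str, dict[str, list[str]]]:
    """Constructed scenario: a clean restore, then one with a truncated and a missing file."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp, "live")
        (live / "db").mkdir(parents=True)
        (live / "db" / "payroll.sqlite").write_bytes(b"sqlite-payload")  # constructed
        (live / "config.yaml").write_text("mode: prod\n")                 # constructed
        manifest = build_manifest(live)  # keep this with the offline copy, not on the host

        backup = Path(tmp, "backup")
        shutil.copytree(live, backup)        # stand-in for the offline copy
        restored = Path(tmp, "restored")
        shutil.copytree(backup, restored)    # trial restore to a clean location
        good = verify_restore(manifest, restored)

        # Simulate the failure modes a restore test is meant to catch.
        (restored / "db" / "payroll.sqlite").write_bytes(b"sqlite")  # truncated file
        (restored / "config.yaml").unlink()                          # never restored
        bad = verify_restore(manifest, restored)
        return {"good": good, "bad": bad}


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, "OK" if restore_is_good(report) else "FAILED", report)
```

The check deliberately fails closed: one missing or altered file marks the whole restore as bad, which is the answer you want before relying on that backup in the middle of an incident. Extra files in the restore are reported but do not fail the check, since a restore target that already held unrelated data is not a backup defect.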

Have a question or want to learn more about our cyberprotection? Get a free business trial below.

GET STARTED

DoppelPaymer ransomware group disrupted by FBI and European police agencies

Europol has released information about the arrests of two suspected core members of the criminal group responsible for carrying out large-scale cyberattacks with the DoppelPaymer ransomware. On 28 February 2023, the German Regional Police and the Ukrainian National Police, with support from Europol, the Dutch Police, and the United States Federal Bureau of Investigation (FBI), apprehended two suspects and seized equipment in order to determine the suspects’ exact roles in the structure of the ransomware group.

DoppelPaymer is a ransomware group that has been linked to Russia, the EvilCorp group, and Emotet. It mostly targets enterprises, including healthcare, emergency services, and education, and has been active since 2019. In 2021 it claimed responsibility for a high-profile ransomware attack on Kia Motors America.

According to the Europol statement, DoppelPaymer relied on Emotet to infiltrate target networks. Emotet is modular malware that can be used to drop other malware on infected systems. At Malwarebytes we have also seen the modified Dridex 2.0 malware used for both initial access and lateral movement.

DoppelPaymer was responsible for the attack on a German hospital that led to the death of a patient who could not be admitted. It was also responsible for the costly attacks on the St. Lucie County sheriff’s department, the Dutch Institute for Scientific Research (NWO), and the Illinois Attorney General’s office. Other victims attacked by DoppelPaymer in the past include Compal, PEMEX (Petróleos Mexicanos), the City of Torrance in California, Newcastle University, Hall County in Georgia, Banijay Group SAS, and Bretagne Télécom.

The law enforcement agencies used operational analysis, crypto-tracing, and forensics to find the suspects and to determine where the suspects fit into the organizational structure of the DoppelPaymer group. These investigations may lead to further arrests.

Recently we have seen an increased number of takedowns and arrests in ransomware and related cases. Better and more effective investigative methods, backed by shorter timeframes in which cyber incidents must be reported, and already dwindling ransomware revenue, may significantly reduce the damage caused by ransomware attacks.

8 cybersecurity tips to keep you safe when travelling

The best way to keep your devices safe when you’re travelling is to be unplugged. If you don’t need it, don’t take it with you. But since that is not always an option, here are some tips to keep you safe while you travel.

1. Backup before you go

The consequences of losing your device or having it stolen are worse when you are outside of your own environment. So make sure that you have recent backups of your important data, and don’t keep the backups on the devices you are taking.

2. Turn on Find My device

Both Android and iOS offer options to track your device. So turn this on before you go, and if you lose your device you can remotely wipe it, or even leave a message on the screen for whoever finds it.

3. Consider your connections

The router that handles the Wi-Fi in your home keeps the individual devices shielded from a lot of undesirable traffic. But when you’re out and about, a mobile firewall can manage the flow of traffic in and out of your device.

Disable the auto-connect options shortly before you leave and have your devices forget the saved network SSIDs in their lists. Threat actors can abuse these features for machine-in-the-middle attacks by advertising a rogue access point with a name your device already trusts. Also disable Bluetooth on your devices whenever you’re not using it.

4. Protect your devices

Use a fully updated anti-malware solution for all your devices. Most anti-malware solutions will update automatically, but it’s worth double checking their settings to check that’s being done.

5. Patch and update

Your security software is not the only thing that should be kept up-to-date. Check if there are updates for your operating system (Windows, Android, iOS, or whatever you’re using), banking apps, and anything else which is privacy sensitive and you use on a daily basis. Updating them while you are travelling can be slow and tedious.

6. Use a password manager

Don’t forget to take your password manager and your 2FA device with you. Nothing can kill the buzz like having to go through umpteen “I forgot my password” routines. Talking of passwords, it goes without saying that all your devices should be protected with a PIN or password.

7. Careful what you post on social media

We know it’s hard, but usually it’s better to wait till you get back home before you show the world how beautiful the scenery was at your travel destination. Don’t announce your absence from home or burglars might get drawn to your home. Speaking of which, a little automation of the lighting can make it seem as if there is someone home watching the place.

8. Public Wi-Fi and computers

Simple. Don’t use them if you can avoid them. And if you have to, be mindful of the fact that they are indeed public. Avoid sites where you need to log in, sites with sensitive info (banking, healthcare, etc.), and especially stay away from making purchases over an unsecured connection. Use a VPN with strong encryption. After using a public computer, log out of any accounts, delete your cookies, and maybe your browser history as well.

Don’t let all this ruin the fun

While most of the things mentioned above are precautions we (should) take every day, they are not the first ones that come to mind when you are planning that awesome trip you have worked for all year. But as always, it’s better to be safe than sorry. Safe travels!


National Cybersecurity Strategy Document: What you need to know

The US Government has been working on the National Cybersecurity Strategy Document 2023 for some time now, and it’s finally been released. The strategy document, which replaces the last such piece of work from 2018, attempts to indicate the general direction of the US approach to cybercrime and security for the next few years.

While you don’t necessarily need to take immediate action on the points raised, there’s a lot of talk about liability for poor security practices for larger organisations, better ratings for IoT devices, and a greatly improved hiring strategy for unfilled security vacancies. If these are areas of concern for you, we highlight the important parts below.

As per the WSJ, the five primary areas for action are:

  • Defending critical infrastructure
  • Disrupting and dismantling criminal gangs
  • Shaping market forces
  • Investing in a resilient future
  • Forging international partnerships

One large part of this new strategy is that the organisations best equipped to fend off attacks must step up and do more:

The most capable and best positioned actors in cyberspace must be better stewards of the digital ecosystem…we must ask more [across both the public and private sectors] of the most capable and best positioned actors to make our digital ecosystem more secure and resilient. In a free and interconnected society, protecting data and ensuring the reliability of critical systems must be the responsibility of the owners and operators of the systems that hold our data and make our society function, as well as of the technology providers that build and service these systems.

With this in mind, then, let’s highlight some of the standouts from relevant sections.

Defending critical infrastructure

Expanding the use of minimum cybersecurity requirements in critical sectors

If you work in a critical sector of industry, you can expect to see new requirements heading your way in the near future. “Existing authorities” will set new requirements for cybersecurity, and where gaps exist in statutory authorities to create minimum standards, the Administration will work with Congress to close them. Regulations will be performance based and make use of existing security frameworks, so no reinventing the wheel here. A focus on driving better practices in the cloud industry is also evident.

Update Federal response plans

You can expect better processes should you need to contact Federal authorities after a cyber incident, with the aim of creating a “unified, coordinated, whole of government response” with organisations able to quickly and easily find out who to contact, and when. The National Cyber Incident Response Plan (NCIRP) will be updated through this work, and the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) will require specific entities in critical infrastructure sectors to report incidents to CISA “within hours”.

Disruption of criminal gangs

Engaging the private sector in disruption activities

The Government wants to combine the “unique insights and capabilities” of the private sector with the ability to take decisive action by Federal agencies. There’s a strong desire here to have private sector partners organise through non-profit organisations serving as hubs for operational collaboration with the Federal government.

Virtual collaboration platforms will be used for these activities and information sharing processes, with the Government looking after the necessary security requirements and records management activities. In other words: if your organisation casts a wide security net, gathers data on attempted attacks, blocks and catches interesting files, wards off ransomware, and spots dubious network traffic, then there’s something approaching an Avengers initiative waiting in the wings.

Shape market forces

Promoting privacy and the security of personal data

Making large organisations accountable for failing to be responsible stewards of data is a key thread running throughout the strategy document. This is because the costs are often passed on to everyday people, with the biggest impact being felt on vulnerable populations.

Internet of Things devices can expect to fall under “IoT security labelling programs”, which will allow consumers to compare security protections offered by devices. The idea here is to create a market incentive for better security across the IoT space, but this is reliant upon people understanding that these labels exist, and what they mean in practice.

Shifting liability for software products and services to promote secure development practices

If you know someone who works for an organisation playing fast and loose with data, security practices, and compliance, they should be warned: there’s a liability storm coming. The Administration is going to be working with Congress and the private sector to develop legislation establishing liability for software products and services, along with a “safe harbour” for those securely developing and maintaining products and services.

Investing in a resilient future

Develop a national strategy to strengthen our cyber workforce

The hundreds of thousands of vacancies in cybersecurity positions nationwide are a sore point for this Administration. If you’re short on security workers yourself, then the proposed development of a National Cyber Workforce and Education Strategy may be what you’ve been looking for. Critical infrastructure is once again a key talking point, and it aims to improve hiring among underrepresented groups of candidates. This plan aims to make use of several already existing schemes, and also take inspiration from successful hiring practices in other nations.

What’s the response so far?

There is some criticism of the plans, mainly on the basis that plans come and go but rarely manage to keep pace with the actual speed of changing technological threats. As Bloomberg Law points out, the plan itself has no regulatory teeth, and it’s now mainly up to various agencies to take the ball and run with it in terms of making new changes.

New strategies for tackling cybercrime and protecting critical infrastructure are always welcome, but it remains to be seen how much practical impact the Biden Administration’s 2023 National Cybersecurity Strategy will have over the next few years.


Intel CPU vulnerabilities fixed. But should you update?

Microsoft has released out of band updates for information disclosure vulnerabilities in Intel CPUs. The normal gut reaction would be to install out of band updates as soon as possible. Microsoft wouldn’t be releasing the updates ahead of the regular cycle without good reason, would it?

Well, maybe there are good reasons, but the number of users who would need to worry about these vulnerabilities is relatively small. And there are known performance costs to applying the updates or disabling Intel Hyper-Threading Technology. So please read on before you rush to update your system(s).

The vulnerabilities

Microsoft issued a security advisory about these vulnerabilities on June 14, 2022. Intel’s advisory about the same four vulnerabilities came out the same day, which raises the question of why it took so long to release the updates. We can only speculate that a lot of time was spent working out how to address these vulnerabilities most effectively.

The vulnerabilities are a class of memory-mapped I/O (MMIO) vulnerabilities. In shared resource environments (for example in some cloud services configurations), these vulnerabilities could allow one virtual machine to improperly access information from another. Under normal circumstances, an attacker would need prior access to the system or an ability to run a specially crafted application on the target system to leverage these vulnerabilities.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The MMIO CVEs are listed as:

The underlying cause of these vulnerabilities is that virtual machines (VMs) share a portion of the physical processor (CPU). MMIO uses the processor’s physical-memory address space to access I/O devices that respond like memory components. Because of incomplete cleanup in specific special-register read and write operations, or in shared buffers, an authenticated user with local access could potentially obtain information disclosure.

Intel maintains a long list of affected processors, which shows the impact of transient execution attacks and select security issues on currently supported Intel® products, including recommended mitigations where affected.

Should you update?

As with many threats, the risk you are running very much depends on your threat model. If you are not running virtual machines in shared environments, I wouldn’t worry about these updates. If you are, then the ball is for a large part in the court of the provider of the cloud services, since it’s their physical machines that may or may not have the affected CPUs.

If any action needs to be taken, I would consider it their duty to let you know what needs to be done on your end.

Mitigation for these vulnerabilities includes a combination of microcode updates and software changes, depending on the platform and usage model. Microcode updates should be issued by the original equipment manufacturer (OEM). For more information, see INTEL-SA-00615.

Microcode is the name for the internal code that implements support for the processor’s instructions set.

The Windows updates are being released as manual updates in the Microsoft Update Catalog:

Another option is to disable Intel Hyper-Threading, although we need to note that Hyper-Threading improves overall performance for applications that benefit from a higher logical core count. So disabling it may have a negative impact, depending on how the system is used.

According to VMware, ensuring that no virtual machine has a PCI passthrough (VMDirectPath I/O) device configured is a viable workaround that will prevent any exploitation. VMDirectPath I/O allows a guest operating system on a virtual machine to directly access physical PCI and PCIe devices connected to a host.
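The mitigation picture above (microcode from the OEM, software changes, Hyper-Threading as a trade-off) is something you can read straight off a Linux host rather than guess at. The following is an added example, not code from this article, from Intel, Microsoft or VMware: recent Linux kernels report the MMIO Stale Data status at /sys/devices/system/cpu/vulnerabilities/mmio_stale_data and the SMT state at /sys/devices/system/cpu/smt/control, and the script turns those reports into “affected / mitigated / what to do”. The status lines in demo() are constructed from the kernel’s documented report formats so the parser runs offline; read_host() reads the real files when the kernel exposes them. It says nothing about Windows guests, where you depend on the OEM and hypervisor guidance the article refers to.

```python
"""Classify a Linux host's MMIO Stale Data (INTEL-SA-00615) mitigation status.

Added example; not code from the original article, Intel, Microsoft or VMware.
The status strings in demo() are constructed from the kernel's documented
sysfs report formats.
"""
from pathlib import Path
from typing import Optional

VULN_FILE = Path("/sys/devices/system/cpu/vulnerabilities/mmio_stale_data")
SMT_FILE = Path("/sys/devices/system/cpu/smt/control")


def classify(status: str, smt_control: str) -> dict:
    """Turn the kernel's one-line report into affected / mitigated / action.

    status:      contents of mmio_stale_data, e.g. "Mitigation: Clear CPU buffers; SMT vulnerable"
    smt_control: contents of smt/control ("on", "off", "forceoff", "notsupported", ...)
    """
    s = status.strip()
    smt_on = smt_control.strip() == "on"
    r = {"status": s, "affected": True, "mitigated": False,
         "smt_warning": False, "action": "none"}
    if s.startswith("Not affected"):
        r["affected"] = False
    elif s.startswith("Unknown"):
        # Kernel cannot say (it predates the fix or lacks the CPU model list):
        # treat as affected and get a kernel that knows.
        r["action"] = "update kernel; status cannot be determined"
    elif s.startswith("Vulnerable"):
        if "no microcode" in s:
            # Kernel tried to clear CPU buffers but the CPU lacks the new microcode.
            r["action"] = "install OEM/vendor microcode update (INTEL-SA-00615)"
        else:
            r["action"] = "update kernel and microcode; mitigation not active"
    elif s.startswith("Mitigation"):
        r["mitigated"] = True
        # Buffer clearing protects context switches, but a sibling hyperthread
        # running untrusted code on the same core can still observe stale data.
        if "SMT vulnerable" in s or ("SMT" not in s and smt_on):
            r["smt_warning"] = True
            r["action"] = "mitigated; disable SMT if untrusted guests share cores"
    return r


def read_host() -> Optional[dict]:
    """Classify the running host; None if this kernel does not expose the report."""
    if not VULN_FILE.exists():
        return None
    smt = SMT_FILE.read_text() if SMT_FILE.exists() else "notsupported"
    return classify(VULN_FILE.read_text(), smt)


def demo() -> dict:
    """Constructed report lines covering the cases an operator will meet."""
    samples = {
        "unaffected": ("Not affected", "notsupported"),
        "no_ucode": ("Vulnerable: Clear CPU buffers attempted, no microcode", "on"),
        "mitigated_smt_on": ("Mitigation: Clear CPU buffers; SMT vulnerable", "on"),
        "mitigated_smt_off": ("Mitigation: Clear CPU buffers; SMT disabled", "off"),
    }
    return {name: classify(*args) for name, args in samples.items()}


if __name__ == "__main__":
    host = read_host()
    print("this host:", host if host else "kernel does not report mmio_stale_data")
    for name, verdict in demo().items():
        print(f"{name:18} {verdict['action']}")
```

The “mitigated, SMT vulnerable” case is exactly the Hyper-Threading trade-off discussed above: the kernel clears CPU buffers on the transitions it controls, but it cannot stop a sibling thread on the same physical core from observing stale data, so the warning only matters where code you do not trust (another tenant’s VM, a PCI passthrough guest) can be scheduled on that sibling. A single-tenant workstation can usually leave SMT on.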

Sometimes Microsoft really fails in providing a clear explanation about who needs to install an update, or even about how to do it. We get that it’s complicated when there are other vendors and OEMs involved, but referring users to highly technical third-party sites isn’t very helpful.

We do hope we have at least made clear that most of you do not have to worry about these.


A week in security (February 27 – March 5)

Last week on Malwarebytes Labs:

Stay safe!


YouTube under fire for allegedly gathering children’s data

The UK’s children’s code, introduced three years ago by the Information Commissioner’s Office (ICO), is all about ensuring that companies make children’s privacy a primary consideration when creating sites and services, games, and toys. The code, also known as the Age Appropriate Design Code (AADC), may now be stepping into the digital privacy ring. Duncan McCann, who works for child advocacy group 5Rights, has lodged a complaint with the ICO about YouTube.

The Children’s code applies to UK-based companies and also companies outside the UK involved in processing the personal data of UK children. In short, if an app or website is likely to be accessed by children, then there’s a good chance the code applies.

The complaint focuses on how YouTube collects children’s data and alleges that it is being handled poorly. If the allegations are true, we could see the ICO ordering Google to stop collecting the data, and Google could be in line for a large fine.

McCann claims that YouTube has broken the law by collecting “the location, viewing habits and preferences” of anything up to five million children. He wants YouTube to change how the platform is designed, and to delete the data which it has gathered. The Guardian also mentions that another part of the complaint asks the ICO to consider ordering YouTube to rollback or delete any machine learning systems trained on this data.

That’s quite the request, and McCann says that the ICO has three months to let him know whether or not it will take on the investigation.

Children under 13 are, in theory, banned from using YouTube, and are supposed to use YouTube Kids instead, which is stricter about data collection. For example, there are no personalised ads on YouTube Kids, and no sensitive video categories. This is not the case on the main site. You may have seen for yourself how easy it is for videos on YouTube that are about one thing to autoplay their way into content which is about something quite different, including content that is not suitable for those under 13.

Child data is a prominent topic for Google. Back in 2019, YouTube was fined $170m for collecting children’s data without their parents’ consent.

Setting up YouTube Kids

If your children are making use of YouTube Kids, it’s a good idea to check out some of the security and privacy settings available to you. Assuming you are signed in, you can:

  • Block channels. If there’s some YouTube Kids approved content which you’re still not happy with, this is the way to go.
  • Enable specific content. If you want control over every aspect of viewing behaviour, you can force YouTube Kids to display only content which you’ve personally approved for viewing.
  • Turn off the search feature. Although in theory nothing bad should come up via search in YouTube Kids, you can still turn this off if needed. Do this by changing the “Allow Searching” option to “Off” in Settings.
  • Disable Autoplay. Again, this feature shouldn’t result in content you wouldn’t want randomly popping up. Even so, the option is there should you desire it. Change this setting by clicking your profile picture, selecting “Settings”, then “Parental Settings”. Select the child’s account, and then change “Disable autoplay” to “On”.
  • Review watch history. You can pull up a list of watched videos through the “Watch it Again” option at the top of the home screen on a tablet, or on a desktop or laptop by selecting the child’s profile picture to view the relevant videos.

LockBit ransomware demands $2 million for Pierce Transit data

The Pierce County Public Transportation Benefit Area Corporation (Pierce Transit) has fallen victim to a cyberattack using LockBit ransomware. Pierce Transit is a public transit operator in Washington state.

The attack began on February 14, 2023, and required Pierce Transit to implement temporary workarounds to maintain the service of the transit system, which transports around 18,000 people every day.

Based on the number of known attacks, LockBit has been the most widely used ransomware-as-a-service (RaaS) for some time now. It accounted for almost a third of all known RaaS attacks last year, peaking at almost half of all known ransomware attacks in September 2022. The largest ransom demand it made in 2022 was a staggering $50 million. And it hasn’t tempered its ambitions in 2023: last month it tried to get $80 million out of the UK’s Royal Mail, but was politely shown the door by its negotiator.

On February 28, the LockBit ransomware group published details of the attack on Pierce Transit, along with a public demand for just shy of $2 million in return for the stolen data. Publishing data like this is normally a sign that negotiations have broken down or that the victim does not intend to pay. The ransomware group claims to have stolen contracts, client information, non-disclosure agreements, correspondence, and more, all of which are now on sale.

The eye-watering ransom demand is just one of the costs of an attack like this. Even if a ransomware victim pays for a decryption key, it takes time to restore systems and the total damages are almost always a multiple of the ransom.

According to The Record, the incident has been reported to law enforcement agencies, and forensic experts were brought in to investigate the nature and scope of the event. If it turns out that LockBit managed to steal and leak client information, Pierce Transit intends to let those affected know. A spokeswoman stated:

“We are dedicated to informing our community, as appropriate, as our inquiry progresses.”

The majority of its operations have now been fully restored and Pierce Transit says it plans to implement new cybersecurity monitoring tools and security measures.

Public transportation is an essential service and any long-term disruption of its internal networks could have a devastating effect on the people who rely on it to get to school, their work, or medical appointments.

Thankfully, Pierce Transit managed to keep operations going, but undoubtedly there will be financial losses resulting from system failure and damage restoration in the short- and long-term.

Ransomware-as-a-service is the most lucrative and dangerous form of cybercrime. Individual attacks can bring entire organizations to a halt and raise multi-million-dollar ransoms. You can learn more about LockBit and the danger it poses to your organization in our 2023 State of Malware report.

Ransomware led to multiple DISH Network outages

Satellite broadcast organisation DISH experienced a major system issue over the past week which affected multiple services. Websites and channels were unavailable, logins were non-functional, and some folks couldn’t even pay their bills as a result of the downtime.

There was a suspicion that something may have gone wrong behind the scenes. This suspicion has turned out to be correct, as DISH has reported to the US Securities and Exchange Commission that a ransomware attack is responsible.

A timeline of ransomware

DISH filed an 8-K form, used to inform shareholders of major events, to explain the situation. The timeline is as follows:

February 23: DISH announces on an earnings call that a network outage affected internal servers and IT telephony. Having already determined that the outage was due to a “cybersecurity incident”, law enforcement was informed and security experts were brought in to assess the situation.

February 27: DISH becomes aware that data was extracted from IT systems as a result of the ransomware attack. At this point, it’s not certain if personal information is included in the extracted data.

The filing continues:

The forensic investigation and assessment of the impact of this incident is ongoing. DISH, Sling and our wireless and data networks remain operational; however the Corporation’s internal communications, customer call centres and internet sites have been affected. The Corporation is actively engaged in restoring the affected systems and is making steady progress.

At this point, DISH still can’t confirm whether or not personal data has been compromised. A statement given to The Record states that customers will be contacted if this turns out to be the case.

Downtime and confusion

To give some idea of the scale of the outage, services impacted, according to Silicon, include:

  • Dish.com
  • The Dish Anywhere app
  • Boost Mobile
  • “Other websites and networks” operated and owned by DISH network.
  • The DISH call centre.

This is in addition to people not being able to pay bills or log in. It’s not uncommon for a business to be rendered inoperable in the aftermath of a ransomware attack. However, it is somewhat unusual to see so many services fall over simultaneously. Perhaps the scale of the attack is something to behold, or maybe the attackers just got lucky. Either way, we won’t know for certain until the investigation is concluded and findings are published.

Bleeping Computer has been told by sources that the Black Basta ransomware operation is allegedly behind the attack, “first breaching Boost Mobile and then the Dish corporate network”. It’s worth stressing that Bleeping Computer goes on to say that this information has not been independently verified, and DISH has not responded to multiple emails requesting more information. It’s possible we may be waiting some time for additional details to be made public.

Meanwhile, TechCrunch has been informed that employees have no information about the incident and have not been told when they can return to work. This is not a great situation for anyone involved, and really speaks to the scale of impact that a ransomware outbreak can have.

How bad is the current state of play?

Customers are without various services, and the Dish website is still sporting a “Thank you for your patience” message along with the link to a statement which includes the following message:

The security of our customers’ data is important to us, and if we learn that information was compromised, we’ll take the appropriate steps and let any impacted customers know.

As a result of this incident, many of our customers are having trouble reaching our service desks, accessing their accounts, and making payments. We’re making progress on the customer service front every day, including ramping up our call capacity, but it will take a little time before things are fully restored. DISH TV continues to operate and is up and running.

If you’re a DISH customer, you may have to wait a bit longer until things are back to something approaching normal service.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Write an incident response plan. The period after a ransomware attack can be chaotic. Make a plan that outlines how you’ll isolate an outbreak, communicate with stakeholders, and restore your systems.


Internet Explorer users still targeted by RIG exploit kit

Despite a very slim browser market share, Internet Explorer (IE) is still being exploited by exploit kits like the RIG exploit kit (EK).

One major advantage for the malware distributors behind the exploit kit is that the outdated browser has reached end-of-life (EOL), which means it no longer receives security updates and patches against known threats.

According to Malwarebytes’ Senior Director of Threat Intelligence Jérôme Segura:

“RIG EK is probably one of the last exploit kits targeting Internet Explorer still around. We have observed RIG EK activity via the same malvertising campaigns for the past several years.”

An exploit kit is a toolkit designed to facilitate the exploitation of client-side vulnerabilities most commonly found in browsers and their plugins in order to deliver malware. The primary infection method with an exploit kit is a drive-by download attack, when cybercriminals lure potential victims to a site where their browser can be fingerprinted and vulnerabilities can be unleashed to infect the system. Ideally for the exploit kit handler, such attacks occur silently within seconds and they do not require any user interaction.

A recent report by Prodaft details a wealth of information related to the victim statistics, operation, command and control (C&C) server, and technical aspects of RIG EK.

RIG EK has been around since 2014 and, despite many take down efforts, has always managed to make a comeback. Without many changes to the inner workings of the exploit kit itself, we’ve seen many changes in the malware distributed. It all depends on which cybercriminals pay the RIG EK administrator to install their malware on victim machines. RIG EK has also introduced some newer vulnerabilities while Internet Explorer’s market share has continued to drop.

Prodaft researchers describe how they noticed RIG EK dropping multiple types of malware, including stealers, Remote Access Trojans (RATs), cryptocurrency miners, and banking malware. The exploits of RIG EK are delivered to unsuspecting victims in two ways: either via malvertising, where users are redirected to online advertising pages that are rigged to execute the RIG exploits in their browser; or when the victim visits sites that were compromised and the exploit kit’s JavaScript was injected.

As Jérôme mentions, at Malwarebytes we’ve seen them involved via the same malvertising campaigns for the past several years.

Figure: November 2020 Fiddler analysis of malvertising leading to the RIG Exploit Kit

We connected some RIG EK activity with the cybercriminal behind the “MakeMoney gate” (a name coined by security researcher @nao_sec) based on the domain makemoneywithus[.]work (188.225.75.54) with the earliest instance of this threat group seen in December 2019 via the gate gettime[.]xyz (185.220.35.26).

We still see some hits every week, but nothing to make this exploit kit a real threat anymore. We should note that the threat actor behind the MakeMoney gate tried the social engineering route in 2022, using a fake browser update campaign which was not all that different from the one we saw with SocGholish.

Figure: February 2023 analysis of a very recently recorded malvertising campaign

Mitigation

The main advice to stay out of the claws of exploit kits is clear. Use a fully updated and patched browser. And always be careful before you click on links.
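Since RIG EK relies on visitors who still browse with an end-of-life Internet Explorer, one practical defender's check is to find out which machines on your own network still send IE User-Agent strings. The following Python script is an added example, not code from the article or from Malwarebytes; the log layout (client IP, method, URL, quoted User-Agent) and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not taken from the article): client IP, method, URL, User-Agent.
SAMPLE_LOG = """\
10.0.0.12 GET http://example.test/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36"
10.0.0.23 GET http://example.test/news "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
10.0.0.23 GET http://example.test/ads "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
10.0.0.31 GET http://example.test/ "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
10.0.0.44 GET http://example.test/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041"
10.0.0.50 GET http://example.test/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0"
"""

# Assumed log layout for this example: "<ip> <method> <url> "<user-agent>"".
LOG_RE = re.compile(r'^(?P<ip>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')
TRIDENT_RE = re.compile(r'Trident/(\d+)\.\d+')
MSIE_RE = re.compile(r'MSIE (\d+)\.\d+')


def ie_version(ua):
    """Return the IE major version a User-Agent string claims, or None for other browsers.

    The Trident token is preferred: Trident/N.0 shipped with IE N+4 (Trident/7.0 is IE 11),
    and it stays truthful even when IE's compatibility view reports an older 'MSIE x.0'.
    User-Agents without a Trident token fall back to the plain MSIE token (IE 7 and earlier).
    """
    t = TRIDENT_RE.search(ua)
    if t:
        return int(t.group(1)) + 4
    m = MSIE_RE.search(ua)
    if m:
        return int(m.group(1))
    return None


def ie_inventory(log_text):
    """Map each client IP that still browses with IE to {ie_major_version: request_count}."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected log layout
        version = ie_version(m.group("ua"))
        if version is not None:
            hits[m.group("ip")][version] += 1
    return {ip: dict(v) for ip, v in hits.items()}


if __name__ == "__main__":
    for ip, versions in sorted(ie_inventory(SAMPLE_LOG).items()):
        print(ip, versions)
```

Hosts listed in the output are the ones to prioritise for a browser upgrade or for blocking outbound web access until they are updated.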

A warning from Jérôme Segura:

“We can expect RIG EK to stick around to the very end until there is no one left behind to infect. The individual(s) behind the malvertising campaigns have been persistent and still count on victims daring enough to visit shady websites with an outdated computer.”
