
Stalkerware-type app developers fined by NY Attorney General

Stalkerware is a huge problem when it comes to intrusion into people’s personal lives. “Friends”, strangers, family members, abusive spouses and many more can potentially dabble in this malignant pastime and cause all manner of trouble for their target.

Thanks to the New York Attorney General’s office, some folks will shortly be made aware of a little extra something lurking on their devices, after it landed a developer with a $410,000 fine and a requirement to notify people that their devices are running monitoring software. 

A wealth of personal information

As far as the apps in question go, the release [PDF] explains what they can get up to without the device owner’s knowledge. This is a long extract, but it’s important to get a feel for just how much privacy the device owner gives up without knowing about it:

“Once installed on a Target Device, the Spyware App will copy information from the Target Device and transmit it to Respondents’ servers, where the information is made available for viewing by the purchaser of the Spyware App. Information copied and transmitted by Respondents’ Spyware Apps includes: call logs (including phone number, date, and call duration); text messages (including message content, date, and recipient); camera images and videos (including the image or video itself and date taken); location (including current latitude and longitude of the device); Gmail data (including an excerpt/snippet of the email message content, email subject, sender and recipient email address, and date); WhatsApp messages (including message text, sender, and date); Skype data (including message content, sender, and date); Facebook, Instagram, and Twitter data (including direct message content, date, and sender); and Google Chrome data (including browser history with URL and dates visited).”

Up until October 2021, which brought changes to both iOS and Android, these apps could have their icon hidden by whoever was in control of the app. All data grabbed by the app could be viewed by the controller via a web dashboard. This data was organised in a way which made it easy for the spyware controller to browse at leisure.

Of ads and reviews

On top of all of this, the respondents “misrepresented the legal risks of using the spyware products for covert spying”. In other words: Websites and adverts promoted use of these tools in a positive light, with no clear references to how you could land yourself in legal hot water by using them. It’s all “catching your cheating partner in the act” and “relationship advice”, and not “covert spying on people without their permission could well be illegal in your region”.

Last but not least, there was no indication of affiliation with supposedly independent third-party review websites covering the spying tools in question. If this all sounds like a recipe for disaster for the app developers, you’d be right. The real shame is that some of these tools have been available since “at least” 2011. Better late than never?

All’s well that ends well?

This isn’t a one and done issue. Correct and proper notification on devices where these installations reside in the future must take place:

“In addition, Hinchy’s companies must modify the apps and software so that the owner of the device being monitored is notified and informed of the types of information collected by the app or software and made available for viewing by the user of the product. The agreement further requires Hinchy and his companies to make accurate disclosures regarding endorsements, rooting and jailbreaking requirements, refund policies, and data security.”

With no real way to dodge proper notification, this is a serious blow to software which is heavily reliant on being as invisible as possible. We can only hope that this gives some more app developers pause for thought. 


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Encrypted messaging service eavesdropped on by police, users arrested

After eavesdropping on yet another encrypted messaging service for five months, law enforcement agencies decided to shut down the service that was popular among members of organized crime groups.

The service called Exclu claims to use the “most secure encryption protocols”, as well as end-to-end encryption to ensure that only the sender and the person they’re communicating with can read what’s sent, not even Exclu itself.

That these claims were not entirely true can be concluded after 42 arrests on Friday February 3, 2023 in the Netherlands, Belgium, and Germany. Among the arrested were not only users of the messaging service, but also the owners and operators of Exclu.

Exclu

Exclu was an app marketed as an end-to-end-encrypted messaging service and users paid €500 (roughly $540) for three months’ use. The police estimate there were some 3000 users, most of them involved in criminal activities and many of them part of organized crime groups.

Exclu joins a list of encrypted messaging services—including Ennetcom, Encrochat, and Sky ECC—that eventually saw a lot of their users getting arrested. And let’s not forget the fake An0m service that was set up and run by law enforcement in a sting operation.

You’d almost want to recommend that criminals save themselves some money and use WhatsApp or Signal, but maybe it’s better this way.

Broken how?

Assuming that the Exclu operators knew what they were doing, how is it possible that law enforcement could listen in on end-to-end encrypted messages?

Options that are available to various levels of law enforcement include, but are not limited to:

  • Eavesdropping on unencrypted or misconfigured communications of a suspect’s contact.
  • Collecting unencrypted metadata to characterize the encrypted data.
  • Detaining the suspect indefinitely until they “voluntarily” decrypt the device.
  • Grabbing unencrypted data at rest.
  • Eavesdropping on other channels where the suspect describes the encrypted data.

I think the most important clue can be found in the statement by the German department of justice (Generalstaatsanwalt). It says the investigation, which was initiated in 2020, came about after finding a “Cyberbunker” in Germany’s Traben-Trarbach, where the messaging service was hosted and operated from. Seizing a server or copying the contents of a server could provide the investigators with enough data at rest, clues about weaknesses in the encryption routine, or even encryption keys to enable eavesdropping on all or some conversations.

In the case of Ennetcom, the Dutch police managed to decrypt a number of messages stored on a server found in Canada, despite a similar claim that messages supposedly were being protected with end-to-end encryption. The Dutch police were contacted in 2020 by German police to assist in the investigation, and have had quite a lot of experience with this kind of operation.

Encryption and law enforcement

Listening in on the conversations of people that you have no evidence against is not allowed in many countries. But in this case, the authorities had very good reason to assume that this was a service provided with the intention to enable organized crime.

The high fees may explain why many of the Exclu clientele operated on the wrong side of the law. Other parties that might have a vested interest in keeping their chat messages secret include government parties, journalists, security professionals, or lawyers. However, there are cheaper alternatives for legitimate secret-keeping that law enforcement does not target.

Thankfully, breaking encryption is not easy. Finding a way to break the encryption will depend on a flaw in the implementation. Usually, eavesdropping will depend on a possibility to intercept messages before the encryption on the sender’s end or after the encryption on the receiver’s end. Or finding one or more keys on a server.


We don’t just report on encryption—we offer you the option to use it.

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

Update now! GoAnywhere MFT zero-day patched

An emergency patch (7.1.2) has been released for an actively exploited zero-day vulnerability found in the GoAnywhere MFT administrator console.

GoAnywhere MFT, which stands for managed file transfer, is a software solution that allows businesses to manage and exchange files in a secure and compliant way. According to its website, it caters to more than 3,000 organizations, mostly those with more than 10,000 employees and 1B USD in revenue.

Some of these organizations are part of vital infrastructure, such as local governments, financial companies, healthcare organizations, energy firms, and technology manufacturers. A breach resulting from a GoAnywhere exploitation would lead to a serious supply chain attack.

Fortra (formerly HelpSystems), the company behind GoAnywhere MFT and Cobalt Strike, released the patch to finally secure the vulnerability, which allows an attacker to perform unauthenticated remote code execution when the administrator console is made accessible on the public internet. Florian Hauser (@frycos), IT security consultant at Code White, released a proof-of-concept (PoC) exploit for the vulnerability on Monday.

Brian Krebs of KrebsOnSecurity graciously shared what Fortra said in its advisory, which can only be accessed by creating a free account:

“The attack vector of this exploit requires access to the administrative console of the application, which in most cases is accessible only from within a private company network, through VPN, or by allow-listed IP addresses (when running in cloud environments, such as Azure or AWS).” However, a scan using Shodan, the search engine for internet-connected devices, revealed more or less a thousand instances of exposed GoAnywhere admin panels, the majority of which were found in Europe and the US.

Shodan results came up after security professional Kevin Beaumont did some digging. He said the GoAnywhere admin consoles use ports 8000 and 8001. (Source: Kevin Beaumont on Mastodon)

Fortra urges clients to apply emergency patch 7.1.2 as quickly as possible. If for some reason you can’t, Fortra says you should follow the mitigation steps it put out days before, which involves implementing some access control wherein the administrator console interface should only be accessed from trusted sources, or disabling the licensing service altogether. There is also a technical mitigation configuration shared in the advisory.

Furthermore, clients must take the following additional steps after applying the mitigation steps if they suspect that attackers have already compromised their systems:

  • Rotate the master encryption key.
  • Reset credentials.
  • Review audit logs and delete suspicious admin or user accounts.
  • Contact Fortra support by going to its portal, emailing technicians at goanywhere.support@helpsystems.com, or phoning them up at 402-944-4242.
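The mitigation above boils down to one question a defender can check for themselves: has the admin console been reached from anywhere outside the allow-list? The following Python check is an added example, not Fortra’s code or anything from the advisory: it reads constructed access-log lines, keeps only requests to the console ports 8000 and 8001 noted above, and flags those whose source address falls outside a hypothetical allow-list. The log layout, the `/admin/` paths and the trusted networks are all invented for the illustration.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional

# The advisory says the console should only be reachable from a private network,
# a VPN, or allow-listed IPs; the article notes the console listens on 8000/8001.
ADMIN_CONSOLE_PORTS = {8000, 8001}

# Hypothetical allow-list constructed for this example: an internal LAN, a VPN
# client pool and a single NAT egress address (private/documentation ranges).
TRUSTED_SOURCES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.50.0/24"),
    ipaddress.ip_network("203.0.113.7/32"),
]


@dataclass(frozen=True)
class Request:
    timestamp: str
    client: ipaddress.IPv4Address | ipaddress.IPv6Address
    port: int
    method: str
    path: str
    status: int


def parse_line(line: str) -> Optional[Request]:
    """Parse one constructed log line; return None for lines that do not fit."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, ip, port, method, path, status = parts
    try:
        return Request(ts, ipaddress.ip_address(ip), int(port), method, path, int(status))
    except ValueError:
        return None


def is_trusted(ip, allow_list=TRUSTED_SOURCES) -> bool:
    """True when the client address falls inside any allow-listed network."""
    return any(ip in net for net in allow_list)


def untrusted_admin_requests(lines: Iterable[str], allow_list=TRUSTED_SOURCES) -> list[Request]:
    """Requests that reached an admin-console port from outside the allow-list."""
    flagged = []
    for line in lines:
        req = parse_line(line)
        if req is None or req.port not in ADMIN_CONSOLE_PORTS:
            continue
        if not is_trusted(req.client, allow_list):
            flagged.append(req)
    return flagged


def sources_by_count(requests: list[Request]) -> dict[str, int]:
    """Tally flagged requests per source address, most frequent first."""
    counts: dict[str, int] = {}
    for req in requests:
        counts[str(req.client)] = counts.get(str(req.client), 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))


# Constructed sample log: "<timestamp> <client_ip> <dst_port> <method> <path> <status>".
# This layout is made up for the example; it is not GoAnywhere's own audit log format.
SAMPLE_LOG = [
    "2023-02-06T10:01:12Z 10.20.30.40 8000 GET /admin/login 200",      # trusted LAN
    "2023-02-06T10:02:45Z 198.51.100.23 8000 GET /admin/login 200",    # public source, console port
    "2023-02-06T10:03:01Z 198.51.100.23 8001 POST /admin/login 302",   # same source, TLS console port
    "2023-02-06T10:04:17Z 192.168.50.12 8001 GET /admin/ 200",         # trusted VPN pool
    "2023-02-06T10:05:00Z 198.51.100.90 8443 GET /webclient/ 200",     # not a console port, ignored
    "2023-02-06T10:06:33Z 203.0.113.7 8000 GET /admin/ 200",           # allow-listed NAT address
    "garbage line that does not parse",                                # skipped by the parser
]

if __name__ == "__main__":
    hits = untrusted_admin_requests(SAMPLE_LOG)
    for req in hits:
        print(f"{req.timestamp} {req.client} -> :{req.port} {req.method} {req.path} {req.status}")
    print("per-source:", sources_by_count(hits))
```

Any source that shows up in the tally is a candidate for the account review and credential reset steps listed above.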


Ransomware review: February 2023

Malwarebytes Threat Intelligence builds a monthly picture of ransomware activity by monitoring the information published by ransomware gangs on their Dark Web leak sites. This information represents victims who were successfully attacked but opted not to pay a ransom.

LockBit started off the new year just as it ended the last one, topping the charts once again as January’s most prolific ransomware-as-a-service (RaaS). The Hive ransomware group meanwhile found itself shut down by the FBI.

It’s not all old news for LockBit, however: Last month the gang was seen using a new Conti-based encryptor named ‘LockBit Green’. This latest ransomware version, the third from the gang after LockBit Red and LockBit Black, shares 89% of its code with Conti v3 ransomware and has already been used to attack at least five victims.

Considering the success of LockBit Black, it’s unusual (and unclear) why the gang is offering a new variant. One possible explanation is that it wants to attract affiliates who are more comfortable using Conti-based ransomware, such as ex-Conti members. Expanding marketing operations, so to speak.

A post on the Dark Web by LockBit (translated from the original Russian) suggests the group is supplementing the ransomware (“lockers”) it already sells, rather than replacing it:

I have repeatedly said that I want to collect as many top lockers as possible in one panel, who have well-known and good sources lying around, write – I will buy. I don’t care what the reviewers think and say. It is important for me to expand the arsenal in my wonderful panel. Each advert decides for himself what to work with or combines several lockers in an attack on one company if time permits. Agree, it would be nice if I had some other Petya Ransomware or something else epic in my panel?

Known ransomware attacks by gang in January 2023

Known ransomware attacks by country in January 2023

Known ransomware attacks by industry sector in January 2023

While LockBit was plowing through the new year, however, there was nothing but radio silence from another notorious ransomware player: BlackBasta. Ever since we started tracking them in April 2022, BlackBasta’s high placement every month among the ranks of other ransomware groups has been more or less a foregone conclusion. Their absence of activity in January therefore bears mentioning.

Apparent inactivity by ransomware gangs is complicated by the fact that their Dark Web leak sites only show companies that didn’t pay a ransom, so an extremely successful month for them also looks like an inactive month. A month where nobody refused to pay would be hugely unusual though.

Having said that, the Black Basta News Tor site, where it publishes new victims, has been down for several weeks. We saw that it was reactivated on January 22, but the next day it went down again. The backend to the site used to contact the victims seems to be down as well.

The BlackBasta contact site

On the other hand, attacks by Vice Society—the ransomware gang responsible for an infamous attack on the LA Unified School District—have shot up to their highest level in three months. Vice Society is believed to be a Russian-based group whose ideal prey appears to be universities, colleges, and K-12 schools. The Federal Bureau of Investigation (FBI) even released a joint Cybersecurity Advisory (CSA) in September, after observing that Vice Society has disproportionately targeted the education sector.

In January, Vice Society published the data of nine schools on its leak site. It’s perhaps not a coincidence then that attacks on the education sector are the highest they have been in three months.

Last month we introduced a newcomer named Endurance, a solo actor who successfully infiltrated big corporations and breached several US government entities. In January the lone wolf managed to crack the top five biggest ransomware gangs for the month, launching successful attacks on places such as car marketplace Autotrader, where they stole data belonging to 1.4 million users. Another newcomer we introduced last month, Unsafe, which recycles leaks from other ransomware groups, added seven new victims to its rap sheet in January.

Play’s surge in December activity fell by about 76 percent in January. At the same time, we witnessed the ‘return of the dead’ with AvosLocker, placing itself back on the map for the first time since October 2022.

Hive seized

Hive ransomware is no stranger to the Threat Intelligence team: It was one of the most widely used RaaS in 2022 and indeed if their 15 attacks in December were any indication, Hive showed no signs of slowing down going into the new year.

Hive’s final chapter came to a close in late January, however, after the United States Department of Justice (DoJ) confirmed it had launched a successful disruption campaign against them.

Known attacks by ransomware gangs, based on data leaked since April 2022

The disruption campaign has reportedly had access to Hive’s infrastructure since July of 2022. Its access became public on Thursday when Hive’s Dark Web site began showing a notice that “this hidden site has been seized”.

According to the DoJ, the Hive ransomware group has targeted over 1,500 victims in over 80 countries, including hospitals, school districts, financial firms, and critical infrastructure, attempting to extort hundreds of millions of dollars from victims in the United States and around the world.

We can’t say we’re sad to see them go.

What’s left of the Hive leak site

Nevada Ransomware

Nevada is a relatively new ransomware which emerged on the Dark Web right before the start of 2023, but it wasn’t until late January that it got a serious upgrade.

On December 10, an actor named ‘nebel’ published a post promoting the project on the RAMP underground community, which is known as a space for initial access brokers (IABs) and Russian and Chinese hackers. On January 30, researchers at Resecurity released a report on how the operators behind the project “updated and significantly improved the functionality of the locker for Windows and Linux/ESXi, and distributed new builds for their affiliates”.

Nevada ransomware promotion on RAMP

Ransomware revenue down

According to blockchain data platform Chainalysis, ransomware revenue “plummeted” from $765.6 million in 2021 to at least $456.8 million in 2022. The data is based on an analysis of the cryptocurrency addresses known to be controlled by ransomware attackers.

Total value received by ransomware gangs 2017-2022
Image courtesy of Chainalysis

While the real numbers are likely much higher, it does present us with an idea of the development of ransomware payments. Last year’s estimate at this point seemed to show a decline from $765 million to $602 million, but turned out to be a small gain after correction.

According to our own research and Chainalysis, the declining numbers are likely due to victim organizations increasingly refusing to pay ransomware attackers.

In our Ransomware Emergency Kit, you’ll find tips your organization needs to defend against RaaS gangs. 


ION starts bringing customers back online after LockBit ransomware attack

ION Group, a financial software firm, is reportedly beginning to bring clients back online after being hit by a ransomware attack late last week.

The Russian-linked LockBit ransomware group claimed responsibility for attacking a division of ION Group, affecting 42 clients in Europe and the United States. The incident forced several banks and brokers to process trades manually.

The subsidiary, ION Cleared Derivatives, which offers software for automating the trading cycle and the clearing process for derivatives, released a very short statement regarding the “cybersecurity event” on Tuesday.

The incident is contained to a specific environment, all the affected servers are disconnected, and remediation of services is ongoing. Further updates will be posted when available.

In a statement last week, Deputy Assistant Secretary of the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection Todd Conklin was quoted saying the disruption to Cleared Derivatives’ platform does not pose a “systemic risk to the financial sector”, adding that the incident is isolated to a small number of smaller and mid-size firms. “We remain connected with key financial sector partners, and will advise of any changes to this assessment,” he further said.

The ION Group leak site post (Source: Malwarebytes)

On Friday, February 4, the ransomware group claimed the ransom had been paid, with Reuters quoting the attackers as saying the money was paid by a “very rich unknown philanthropist”. Both ION and LockBit declined to reveal further details.

In an interview with The Register, Tom Kellermann, senior VP of cyber strategy at Contrast said that supply chain attacks like this are becoming common in the financial sector. “Shared service providers are being increasingly targeted by cybercrime cartels to manifest island hopping,” he said. “Cyberattacks in the financial sector are no longer merely about conducting a heist but rather to hijack the digital transformation of the victim so as to launch attacks against their customer base.”

Last month, the LockBit ransomware group attacked Royal Mail during the first week and the Housing Authority of the City of Los Angeles (HACLA) just days after.

Stop ransomware

How to avoid ransomware

There is no doubt hospitals remain under a bullseye, and attackers can strike at any time. Thankfully, there are ways organizations can help reduce their risk of suffering from a ransomware attack.

  • Have an incident response (IR) plan. Organizations should accept the fact that a cyberattack is likely to affect them at some point, whether they’re the direct victim or part of a supply chain. An IR plan can direct your responders on what to do in the event of a cybersecurity attack. This should include restoring from backups, client outreach, and reporting to law enforcement among others.
  • Educate your staff. Awareness goes a long way, and everyone in the company has a responsibility to keep the organization’s network safe. Staff should be taught social engineering tactics and red flags of a system attack, so they can alert the right personnel quickly should an attack occur.
  • Patch as soon as you can. Many threat actors get into networks by exploiting unpatched vulnerabilities. Have a patching plan in place to ensure that your organization’s network is protected against the latest and most exploited weaknesses.
  • Back up your files. Backups have saved a lot of organizations after a ransomware attack—provided they work. When you make a plan, ensure you also have provisions for backup testing.
  • Get an EDR solution. Malwarebytes Endpoint Detection and Response offers built-in ransomware protection, 72-hour ransomware rollback, and zero-day ransomware protection. In fact, we guarantee our Endpoint Detection and Response will stop a ransomware infection on your deployed systems, or we’ll refund your annual subscription fee. Try it here.
  • Learn more. If you want to read more about protecting your business from ransomware, take a look at our Ransomware Emergency Kit.

Stay safe!



On the 20th Safer Internet Day, what was security like back in 2004?

Today is the 20th Safer Internet Day. Since 2004, there’s been an annual event designed to “Promote safer and more responsible use of online technology and mobile phones, especially amongst children and young people across the world.”

2004 was a key year for several safety activities, encompassing both Safer Internet Day and the Safer Internet Forum. As it would turn out, a wide range of group security activities would follow hot on its heels the year after, not just through the public but also in professional security, legal, and government circles too.

You may be asking, why 2004? Was the general state of the Internet at the time so bad that all of these events sprang up almost out of necessity? Well, the answer to this makes a compelling case for a “yes”, because security was quite the mess back in the day.

Help required. Apply within

In 2004, a big slice of security advice was most definitely needed from somewhere. The dedicated security firms were primarily big antivirus organisations, some of which were struggling to keep up with the threats now spilling across the Internet.

You had very rich and powerful adware companies, making liberal use of bundled installers. Those meme pictures of someone’s browser filled with 50+ toolbars may be funny to look at now, but it definitely wasn’t at the time.

The adware was frequently incredibly invasive, with affiliate networks often in meltdown promoting every kind of rogue install under the sun. One day, the “agree to install” button would be missing. The next day, the adware would be installed via exploit without permission, something which the adware companies would swear was “not possible”. When it turned out to be entirely possible, and recorded on a QuickTime file, the same old excuses would be made and you knew it’d all be happening again a week later.

Exploits were rampant. People had pretty much no idea about even the most basic of scams as inventive fraudsters came up with everything bar the kitchen sink in the brave new world of social media, AKA “all my fish in one barrel”. Sometimes it felt like all you could do was read the Windows XP vs Linux comparisons while waiting for the inevitable infection to strike.

As for those “time it takes to become infected” numbers…well, they made for grim reading.

Spreading the infection

20 minutes was an important number in 2004. How so? It turns out that 20 minutes was the average amount of time it took your average, unprotected Windows XP installation to become infected with something horrible.

Data collected by the Internet Storm Center dug into “Survival Time History”, which is “calculated as the average time between reports for an average target IP address. If you are assuming that most of these reports are generated by worms that attempt to propagate, an unpatched system would be infected by such a probe”.

Sounds bad, right? Well, it can certainly become more problematic. Before we discuss why, we need to experience a moment of hope in the form of what may be the most well known service pack ever released.

XP SP2: A new challenger enters the ring

2004 was a key turning point for Windows XP, as it happens. In August of that year, Microsoft rolled out a major weapon in the Operating System arsenal: Service Pack 2. XP SP2 was a response to criticism of Windows security and the ever-growing range of threats besieging desktop computers. Many of the additions and improvements brought in with SP2 survive in some form to this day. Some of its greatest hits:

  • The Security Center, a one stop shop for all of your security needs at a glance. Prior to this, you mostly went on a Frodo and Sam style journey to find crucial settings hidden away in the far flung corners of your desktop.
  • The Windows Firewall enabled by default, and the Internet Explorer popup blocker. The pop up blocker in particular was a big help with the proliferation of adware and spyware plugging into advertising networks.
  • Data execution prevention, helping to ward off buffer overflow exploits.

All this and much more, including a bundled collection of any and all security patches. If you’d fallen off with regard to your updating habits, this was the perfect way to fix all of those increasingly exposed security holes.

This all sounds great, and it was. XP SP2 was met with much joy in security circles at the time, and was a much needed playing field leveller to help get all of those unpatched systems back in the game.

However: Remember when I said things could become more problematic?

Things quickly become more problematic

If you were online back in 2004, do you remember how good your Internet was? Were you still on dial up? Incredibly slow broadband? Something else entirely? You can probably see where I’m going with this.

If the estimated time to infect an unpatched XP machine is 20 minutes, and you need to download a large service pack weighing in somewhere between 70MB to 260MB, you’re probably in a lot of trouble, because you’re almost certainly not going to get it onto your system in that magical 20 minute time frame.

To put this into some way-back-when context: If you were caught out by a malware attack which pushed 8 whole megabytes at you, this was treated as a cavalcade of malware. An attack which would potentially take forever to slowly crawl its way onto your system, likely tanking your ability to do anything online while the secret payloads did their thing from the shadows.

In 2005, one malware install which needed the .NET framework to run would helpfully install the whole thing for you if you didn’t have it. If there’s one thing you probably didn’t want downloading out of the blue, it was probably 65 MB or so of .NET framework alongside various bits and pieces of malware.

These numbers are nothing now, but back then it was a big deal! If your Internet wasn’t tanked by increasingly large malware hijacks, it was being gobbled up by increasingly large security updates in a desperate effort to keep people safe.

Say hello to the meet and greets

No wonder, then, that very big and visible safer day/week campaigns became such a huge deal. For one final slice of additional context, 2005 was also a key year for security happenings. The largely forgotten CNET/Download.com Antispyware Workshop, held in San Francisco, was the first time many security folks in the antispy/mal/adware space were in the same room (myself included). As an added bonus, so were many representatives from the adware vendors.

Link rot has done a number on pretty much all references to the event. If you want to delve into the mists of time and see an early collective response to the mess our desktops found themselves in, this is what I’ve dug up:

Now yes, I may be cheating a little by referencing an event from 2005 instead of 2004 when our Safer Internet Day events kicked into life. However, it was almost certainly thanks to big, well funded day/week awareness campaigns grabbing the public’s attention that news and media organisations started to consider putting their own events on. There was clearly an increasing appetite for it.

Many folks from that first event would go on to make regular appearances at everything from the Antispyware Coalition (ASC) Workshops to more mainstream events like RSA, warning of the dangers of malware and spyware. By curious coincidence, the ASC also came into existence in 2005. I guess there was just something in the air at this point.

I’d like to think a small contribution to all of the group activity in 2005 and beyond was helped along a little by the work done a year earlier with Safer Internet Day and other awareness campaigns.

Windows XP, possibly the most conspicuous presence on people’s desktops around the time that Safer Internet Day established itself, eventually fell into disrepair. Safer Internet Day continues to keep ticking over and help spread word of safe Internet practices for everyone. This can only be a good thing.

Stay safe out there!



Florida hospital takes entire IT systems offline after ‘ransomware attack’

Tallahassee Memorial Healthcare (TMH), a major hospital system in northern Florida, has reportedly been experiencing an “IT security issue” since Thursday evening, which impacted some of its IT systems. When TMH learned of the issue, it took its entire IT systems offline as a precaution and contacted law enforcement.

In a news post on its website, the hospital says it’s making progress managing the security incident while it continues to operate under IT system downtime protocols, which include the use of old-fashioned pen and paper.

Tallahassee Memorial’s official Twitter account said in a statement on Friday:

“We are reviewing each of our IT systems now, prioritizing them and bringing them back online one-by-one. We do not currently have a timeline for how long this will take as this is an emerging situation.”

While TMH has yet to reveal details about the issue, major news outlets have begun speculating that it could have been hit by a ransomware attack. According to a source who spoke with CNN, Tallahassee Memorial’s CEO Mark O’Bryant told staff on Friday that the system suffered a “cyberattack”.

The hospital has been regularly posting updates about the issue, even if there are no real updates. It says staff is working round the clock to resolve the incident and get the system back up and running as quickly as possible.

TMH has cancelled and rescheduled non-emergency surgical and outpatient procedures, rescheduled non-emergency appointments, and diverted some emergency medical services patients. It says it is continuing to accept Level 1 traumas. The hospital provides healthcare across 21 counties in northern Florida and Georgia.

TMH is the second US hospital victim to suffer from such an attack this year, following Atlantic General Hospital which was hit by ransomware in January.

Stop ransomware

How to avoid ransomware

There is no doubt hospitals remain under a bullseye, and attackers can strike at any time. Thankfully, there are ways organizations can help reduce their risk of suffering from a ransomware attack.

  • Have an incident response (IR) plan. Organizations should accept the fact that a cyberattack is likely to affect them at some point, whether they’re the direct victim or part of a supply chain. An IR plan can direct your responders on what to do in the event of a cybersecurity attack. This should include restoring from backups, client outreach, and reporting to law enforcement among others.
  • Educate your staff. Awareness goes a long way, and everyone in the company has a responsibility to keep the organization’s network safe. Staff should be taught social engineering tactics and red flags of a system attack, so they can alert the right personnel quickly should an attack occur.
  • Patch as soon as you can. Many threat actors get into networks by exploiting unpatched vulnerabilities. Have a patching plan in place to ensure that your organization’s network is protected against the latest and most exploited weaknesses.
  • Back up your files. Backups have saved a lot of organizations after a ransomware attack—provided they work. When you make a plan, ensure you also have provisions for backup testing.
  • Get an EDR solution. Malwarebytes Endpoint Detection and Response offers built-in ransomware protection, 72-hour ransomware rollback, and zero-day ransomware protection. In fact, we guarantee our Endpoint Detection and Response will stop a ransomware infection on your deployed systems, or we’ll refund your annual subscription fee. Try it here.
  • Learn more. If you want to read more about protecting your business from ransomware, take a look at our Ransomware Emergency Kit.

Stay safe!



Introducing Malwarebytes Mobile Security for Business: How to find malware and stop phishing attacks on smartphones and ChromeOS

Malwarebytes is excited to announce Malwarebytes Mobile Security for Business, which extends our award-winning endpoint protection to mobile devices.

Don’t get it twisted: mobile devices may be small, but they have huge implications for your security posture. In fact, 73% of organizations experienced a mobile-related compromise that they described as “major” in 2022.

To properly secure your mobile endpoints, you need to tackle two biggies: phishing and malware.

According to Verizon’s 2022 Data Breach Investigations Report, eighteen percent of clicked phishing emails in organizations come from a mobile device. What’s more, almost 50% of organizations had an employee download mobile malware that threatened their organization’s network and data.

We released Malwarebytes Mobile Security for Business to help organizations crush mobile threats like these on iOS, Android, and even ChromeOS.

Let’s dive in to see how it works!

Deployment

We’re big fans of simplicity here at Malwarebytes (that might be why G2 users rated us the #1 endpoint security product for ease of use), so we designed deployment for Mobile Security to be as quick and easy as possible.

To that end, there are two ways to activate the endpoint agent for your mobile devices: Email (self-activation by end users) and via Mobile Device Management (MDM).

Using an MDM tool automates the deployment of Mobile Security for Business. To deploy via Email sharing, the end user must manually complete installation and activation, and grant system permissions for Malwarebytes Mobile Security.

Voila, you’re done.

[Image: The Malwarebytes for Business app on iOS (left) and Android (right)]

Protection

So you’ve got your mobile endpoints all set up, now it’s time to set a policy.

If you’re a current Nebula user, much of this next part will feel familiar. If you’re new to Nebula though, no sweat. All you need to know is that policies are what let us define how Malwarebytes behaves when using Mobile Security for Business.

After going to the Policy tab in Nebula, head on down to Protection settings to select Web protection and Ad block for iOS and Behavior protection for ChromeOS and Android.


Cool. To control how Malwarebytes behaves when running a scheduled scan, we have to check out the section right below it, Scan settings.

Here you’ll find different options for scanning ChromeOS and Android devices for malware.


This policy is looking good! Let’s save and head over to our dashboard to get a bird’s eye view of anything going on with our mobile devices and Chromebooks.

Dashboard

The Dashboard provides a high-level view of the activity on your network. Through widgets, it presents a summarized view of the information that is displayed in more detail in other sections of your Nebula console.

We can narrow our dashboard view so we can just see what’s up with our mobile devices and Chromebooks in particular. With this view IT teams can easily identify malicious threats, PUPs and PUMs on mobile endpoints and act accordingly.


Mobile Devices and Chromebooks: The Cybersecurity Gap

Whether employer-provided or employee- or student-owned, mobile devices and Chromebooks are tempting targets for malicious threat actors—yet, these mobile devices remain woefully under-protected. With our Malwarebytes Mobile Security for Business solution, we’re setting out to change that.

Crush annoying ads and malicious websites, and find dangerous malware, all with a lightweight agent that protects without impacting performance. Check out the Malwarebytes Mobile Security landing page for more information or reach out for a free trial.


A week in security (January 30 – February 5)

Last week on Malwarebytes Labs:

Stay safe!

Two year old vulnerability used in ransomware attack against VMware ESXi

On Friday and over the weekend, several Computer Emergency Response Teams (CERTs) sounded the alarm about an ongoing large scale ransomware attack on VMware ESXi virtual machines.

With some discrepancies between Shodan queries from various researchers, most agree that an estimated 500 entities were affected by the attack over the weekend.

Old vulnerability

The suspected vulnerability, which is listed as CVE-2021-21974, was patched by VMware almost two years ago. The vulnerability can be found in OpenSLP as used in ESXi (7.0 before ESXi70U1c-17325551, 6.7 before ESXi670-202102401-SG, 6.5 before ESXi650-202102101-SG) and is a heap-overflow vulnerability. A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in the OpenSLP service, resulting in remote code execution.

A buffer overflow is a type of software vulnerability that exists when a write to an area of memory within a software application runs past that area’s boundary and into an adjacent memory region. In software exploit code, two common areas that are targeted for overflows are the stack and the heap. Heap memory is shared by all the parts of an application, as opposed to stack memory, which belongs to a single thread of execution.

Mitigation

The products that are vulnerable to CVE-2021-21974 are VMware ESXi and VMware Cloud Foundation (Cloud Foundation). To remediate CVE-2021-21974, apply the updates listed under 3b in the ‘Fixed Version’ column of the ‘Response Matrix’ to affected deployments.

The fixed versions are:

  • For ESXi 7.0: ESXi70U1c-17325551 or later
  • For ESXi 6.7: ESXi670-202102401-SG or later
  • For ESXi 6.5: ESXi650-202102101-SG or later
  • For Cloud Foundation (ESXi) 4.x: 4.2 or later
  • For Cloud Foundation (ESXi) 3.x: please refer to VMware KB82705

A recommended workaround if you are not using the OpenSLP service in ESXi is to disable the SLP service on VMware ESXi.

Ransomware

Even though Proof-of-Concept (PoC) instructions were posted only a few months after the vulnerability was patched, we haven’t seen any reports of the exploit being used in the wild before February 3, 2023. The attack was aimed at vulnerable ESXi servers that are exposed to the internet on port 427. The threat actor runs an encryption process which specifically targets virtual machine files (“.vmdk”, “.vmx”, “.vmxf”, “.vmsd”, “.vmsn”, “.vswp”, “.vmss”, “.nvram”, “.vmem”). Some researchers, however, have found instances where only the configuration files were encrypted; more on that later.

The ransomware group that reportedly launched this large-scale attack dubbed ESXiArgs against vulnerable ESXi is believed to be the new Nevada ransomware group.

Recently, it became known that the Royal ransomware group had added the ability to target Linux machines to their arsenal. With the transition of organizations to Virtual Machines (VMs), a Linux-based ransomware version allows them to target the very popular ESXi virtual machines.

Decryptable

Security researcher Matthieu Garin posted on social media that the attackers only encrypt the config files, and not the vmdk disks where the data is stored. In such cases, the Enes.dev website may be of help to you. The guide explains how admins can rebuild their virtual machines and recover their data for free.

According to research from BleepingComputer, the encryption routine itself is secure, which means there are no cryptography bugs that allow free decryption.
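An added triage script, written for this piece and not taken from the article, the researchers it cites, or the Enes.dev guide, that applies the two observations above to one VM folder: it walks the targeted file types listed earlier, checks that each .vmdk descriptor still points at existing extent files, and flags the disk-intact-but-config-encrypted case in which the free rebuild route applies. The printable-byte test for config files and the sample VM directory it builds are assumptions and constructed input, not anything the article describes.

```python
import os, re, tempfile
# Extensions the article lists as the encryption targets; the config files (assumed plain
# text when intact) and the .vmdk descriptor/extent pairs are the ones judged here.
TARGET_EXTS = (".vmdk", ".vmx", ".vmxf", ".vmsd", ".vmsn", ".vswp", ".vmss", ".nvram", ".vmem")
TEXT_EXTS = (".vmx", ".vmxf", ".vmsd")
# An extent line in a VMDK descriptor looks like:  RW 4194304 VMFS "vm-flat.vmdk"
EXTENT_RE = re.compile(r'^(?:RW|RDONLY|NOACCESS)\s+\d+\s+\w+\s+"([^"]+)"', re.M)

def looks_like_text(data: bytes) -> bool:
    """Ciphertext is near-uniform bytes; an intact config is almost entirely printable."""
    printable = sum(1 for b in data if b in b"\t\r\n" or 32 <= b < 127)
    return not data or printable / len(data) > 0.95

def triage_vm_dir(vm_dir: str) -> dict:
    """Sort targeted files into intact/suspect, check descriptor -> extent links, and
    report whether the 'disks intact, config gone' rebuild route applies."""
    report = {"intact": [], "suspect": [], "missing_extents": []}
    referenced, binary_vmdks = set(), []
    for name in sorted(os.listdir(vm_dir)):
        path, ext = os.path.join(vm_dir, name), os.path.splitext(name)[1].lower()
        if not os.path.isfile(path) or ext not in TARGET_EXTS:
            continue
        with open(path, "rb") as f:
            head = f.read(4096)
        if ext in TEXT_EXTS:
            report["intact" if looks_like_text(head) else "suspect"].append(name)
        elif ext == ".vmdk" and head.startswith(b"# Disk DescriptorFile"):
            extents = EXTENT_RE.findall(head.decode("ascii", "replace"))
            referenced.update(extents)
            report["missing_extents"] += [e for e in extents if not (
                os.path.isfile(os.path.join(vm_dir, e)) and os.path.getsize(os.path.join(vm_dir, e)))]
            report["intact" if extents else "suspect"].append(name)
        elif ext == ".vmdk":
            binary_vmdks.append(name)  # -flat/-delta data, or a descriptor that got encrypted
    # A binary .vmdk that no descriptor points at is orphaned or a scrambled descriptor.
    report["suspect"] += [n for n in binary_vmdks if n not in referenced]
    report["disks_intact"] = bool(referenced & set(binary_vmdks)) and not report["missing_extents"]
    report["rebuild_candidate"] = report["disks_intact"] and any(
        n.lower().endswith(TEXT_EXTS) for n in report["suspect"])
    return report

def make_sample_vm_dir() -> str:
    """Constructed sample mirroring the researchers' finding: disk intact, .vmx encrypted."""
    d = tempfile.mkdtemp(prefix="esxi-triage-")
    with open(os.path.join(d, "web01.vmdk"), "wb") as f:
        f.write(b'# Disk DescriptorFile\nversion=1\ncreateType="vmfs"\nRW 8192 VMFS "web01-flat.vmdk"\n')
    with open(os.path.join(d, "web01-flat.vmdk"), "wb") as f:
        f.write(b"\x00" * 4096)
    with open(os.path.join(d, "web01.vmx"), "wb") as f:
        f.write(os.urandom(2048))  # stands in for the ciphertext the ransomware leaves behind
    return d
```

Run `triage_vm_dir(make_sample_vm_dir())` to see the sample classified; point it at a copied VM folder from a datastore to triage a real case before attempting the rebuild procedure.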

Disclaimers

Nevada may turn out to be the Linux variant of a well-known ransomware group.

While all clues point to CVE-2021-21974, there are several critical vulnerabilities in VMware ESXi, like CVE-2022-31696, CVE-2022-31697, CVE-2022-31698, and CVE-2022-31699, that can potentially lead to remote code execution (RCE) on affected systems.

There may be special circumstances at work in the cases where only the config files were encrypted. For example, the ransomware tries to stop the VM so it can encrypt the disk file, but this may not always succeed, in which case the damage is limited to the config files.

When more details become available, we will keep you updated here.

