IT NEWS

Fake Amazon Prime email abuses LinkedIn’s URL shortener

Over the last few days, scammers have been sending out phishing mails that disguise bogus URLs with something called Slinks—shortened LinkedIn URLs.

The shortened URLs redirect users to a different URL when they are clicked. If you’ve ever seen a Tiny URL, or a Bit.ly link, you’ll already be familiar with how these work. Shortened links are a common tool in the phishing armoury because they obscure the final destination of their links, and because familiar shortening services may be seen as more trustworthy.

As you would expect, a LinkedIn shortened link is going to carry a certain amount of trust for someone on the receiving end. This has been put to the test a number of times. For example, in February of last year Slinks were being used to send people to IRS and PayPal phishes. As Brian Krebs notes, this tactic has been around for some years and was spotted in 2016 being sent out via Skype spam.

Now they’re being used in a scam based on Amazon’s popular Prime membership.

Fake Prime email

The email claims to have been sent from “Prime” and has the subject “New Membership Statement : Renewal P‎‎rime Membership statement was ended – Your renewal scheduled on February 21, 2023.” The text reads:

Due to a problem with your card, we were unable to charge your ac͏count $12.99 and applicable taxes for the next 1 month of Amazon Prime. Your membership benefits are currently on hold. If you not update your card information in the next 24 hours, your membership benefits will be cancelled. To continue enjoy your membership benefits, please update your payment information. We are sorry for any inconvenience this may have caused.

Sincerely
Prime Team

The email includes an Update Now button. Hovering over it reveals the Slink URL, and hitting it redirects you to a site resembling an Amazon login page.

Some folks may wonder why an Amazon email contains LinkedIn links, but many won’t. Some won’t notice, and some will assume it’s OK, because they’ve been trained that way. Email newsletters and promotions often use shorteners and tracking links. As a result, odd-looking URLs won’t necessarily alarm recipients as being unusual.
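As an added example (not code from the article), a small Python triage script that applies the check described above: it pulls the links out of an email, flags any that pass through a URL shortener (including LinkedIn Slinks of the form linkedin.com/slink?code=...), and notes when the brand claimed in the sender name or subject, the sending domain and the link hosts disagree. The shortener list, the brand-to-domain map and both sample messages are constructed for illustration.

```python
"""Flag brand-impersonation emails whose call-to-action links hide behind a URL shortener.

Added example, not code from the original article. Domain lists and sample messages are constructed.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts that only redirect elsewhere; a link to one of these says nothing about its final destination.
SHORTENER_HOSTS = {"lnkd.in", "bit.ly", "tinyurl.com", "t.co", "ow.ly"}

# Brand words an attacker may put in the sender name or subject, mapped to the domains that brand
# legitimately sends from and links to (constructed, illustrative list; extend for your environment).
BRAND_DOMAINS = {
    "amazon": ("amazon.com", "amazon.co.uk"),
    "prime": ("amazon.com", "amazon.co.uk"),
}


def host_belongs_to(host, domains):
    """True if host equals one of the domains or is a subdomain of one (e.g. www.amazon.com)."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def is_shortened(url):
    """True for generic shorteners and for LinkedIn Slink redirects (linkedin.com/slink?code=...)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in SHORTENER_HOSTS:
        return True
    return host_belongs_to(host, ("linkedin.com",)) and parts.path.lower().startswith("/slink")


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def html_parts(msg):
    """Yield the decoded text/html bodies of a message (single-part or multipart)."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True) or b""
            yield payload.decode(part.get_content_charset() or "utf-8", errors="replace")


def analyze_message(raw):
    """Return the claimed brands, a list of (code, detail) findings and a verdict for one raw message."""
    msg = message_from_string(raw)
    display_name, sender_addr = parseaddr(msg.get("From", ""))
    sender_domain = sender_addr.rpartition("@")[2].lower()

    # Which brand does the message claim to come from? Check the display name and the subject.
    claimed_text = f"{display_name} {msg.get('Subject', '')}".lower()
    claimed = {brand for brand in BRAND_DOMAINS if brand in claimed_text}
    legit_domains = {d for brand in claimed for d in BRAND_DOMAINS[brand]}

    findings = []
    if claimed and not host_belongs_to(sender_domain, legit_domains):
        findings.append(("sender_domain_mismatch", f"claims {sorted(claimed)} but sent from {sender_domain}"))

    extractor = LinkExtractor()
    for body in html_parts(msg):
        extractor.feed(body)
    for href, text in extractor.links:
        host = urlsplit(href).hostname or ""
        if is_shortened(href):
            findings.append(("shortened_link", f"'{text}' -> {href} hides its final destination"))
        elif claimed and not host_belongs_to(host, legit_domains):
            findings.append(("offbrand_link", f"'{text}' -> {host} is not a {sorted(claimed)} domain"))

    verdict = "suspicious" if len(findings) >= 2 else ("review" if findings else "clean")
    return {"claimed_brands": claimed, "findings": findings, "verdict": verdict}


# Constructed sample modelled on the fake Prime email above; the Slink code is a placeholder.
PHISH_EMAIL = """\
From: "Prime" <prime-notice@mail-updates.example>
To: customer@example.net
Subject: New Membership Statement : Renewal Prime Membership statement was ended
Content-Type: text/html; charset=utf-8

<html><body>
<p>Due to a problem with your card, we were unable to charge your account.</p>
<p><a href="https://www.linkedin.com/slink?code=PLACEHOLDER">Update Now</a></p>
<p><a href="https://www.amazon.com/gp/help">Help</a></p>
</body></html>
"""

# Constructed sample of a message whose links and sender match the claimed brand.
LEGIT_EMAIL = """\
From: "Amazon.com" <no-reply@amazon.com>
To: customer@example.net
Subject: Your Amazon Prime membership has renewed
Content-Type: text/html; charset=utf-8

<html><body><p><a href="https://www.amazon.com/prime">Manage your membership</a></p></body></html>
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH_EMAIL), ("legit", LEGIT_EMAIL)):
        result = analyze_message(raw)
        print(label, result["verdict"], *[f"\n  {code}: {detail}" for code, detail in result["findings"]])
```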

Fake Amazon login

The phishing site asks for an email or phone number tied to an Amazon account.

Amazon phish

Next, the site directs you to a tailored password page, using the information you just entered. For example, entering a Gmail address leads to a page asking for the Gmail password. Enter a Microsoft address, and you’ll be directed to a Microsoft-centric password request page, and so on.

GMail phish

With these details out of the way, the phishers move on and begin collecting even more personal information. First up, via a “Security Checkup”, the site asks for

  • Mother’s maiden name
  • Phone number
  • Date of birth

Next up:

  • Address
  • City
  • State/province/region
  • Zip / postal code

Finally, the site asks for credit / debit card information.

  • Cardholder name
  • Card number
  • Security code
  • Expiration date

Phishing for payment data

In terms of damage done, someone filling these sections in and hitting submit has potentially handed over their password, credit card details, and a lot of answers to common security questions.

Not good at all.

How to avoid phishing attacks

  • Block known bad websites. Malwarebytes DNS filtering blocks malicious websites used for phishing attacks, as well as websites used to spread or control malware.
  • Don’t take things at face value. Phishing attacks often seem to come from people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Take action. If you receive a phishing attempt at work, report it to your IT or security team. If you fall for a phish, make your data useless: if you entered a password, change it; if you entered credit card details, cancel the card.
  • Use a password manager. Password managers can create, remember, and fill in passwords for you. They protect you against phishing because they won’t enter your credentials into a fake site.
  • Use a FIDO2 2FA device. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Arrested: Fearmongering data thieves who victimized thousands of businesses

The Dutch police have announced the arrest of three more suspects in one of the biggest data extortion cases to date. The men, all aged between 18 and 21, were allegedly involved in extorting businesses and selling stolen data to other criminals.

During a two-year investigation the police learned that the suspects victimized thousands of businesses, including educational institutions, web shops, online ticket vendors, and institutions connected to critical infrastructure and services.

The three men, and a 25-year-old arrested last year, are accused of entering computer systems illegally, data theft, extortion and blackmail, and money laundering. The suspect arrested last year was allegedly involved in a data theft incident regarding Gebühren Info Service GmbH (GIS), which collects television license fees on behalf of the Austrian government. It is likely that the dataset in that breach includes information about almost every Austrian citizen.

Sadly, one of the people arrested was also a member of the Dutch Institute for Vulnerability Disclosure (DIVD), a group of volunteer cybercrime fighters. You may remember hearing about them in the 2021 Lock and Code episode about “The failed race to fix Kaseya VSA, with Victor Gevers”.

Whether the suspect worked there to soothe his conscience or in the hope of gaining access to information he could use for his illegal practices is unknown. Either way, it is clear he alternated between wearing his white and black hats. According to a statement by the DIVD, there is no indication that he has been able to abuse his position, but his access to DIVD systems has been blocked.

As you might expect from criminals willing to extort businesses like this, they were not men of their word. Some of the data they held to ransom was later sold to other criminals anyway, even if the ransom demand was paid.

One of the members of the group ran a Telegram channel where he offered to sell personal and address information based on a license plate. This enabled organized criminals to find out details of an intended target with the click of a button.

That data would also have been suitable for a variety of other crimes, and useful for phishing attacks, bank card fraud, or any other type of fraud where some knowledge of the victim gives the criminal an advantage.

The cybercrime unit behind the arrests also warned that criminals are getting better at refining this kind of stolen data and finding innovative uses for it.

It is worth reflecting on the damage caused by a criminal enterprise like this. It is not limited to those businesses that feel forced to pay the ransom. There are substantial costs associated with restoring compromised systems and forensic investigations. There are also the emotional damages to the owners of the stolen data, and to the people who feel responsible for letting this happen—imagine being the person that clicked on a link that launched an attack.

In an interview, the CEO of the online ticket vendor said he was intimidated by the criminals, who let him know they knew “who he was married to”. He also said he is glad to have worked with the police. By engaging in a negotiation about the ransom he was able to win time. And with the help of Have I Been Pwned’s Troy Hunt he was able to establish the extent of the stolen data and inform the affected customers himself.

Take care

Anyone whose data fell into the hands of these criminals (which could include every Austrian and Dutch citizen), should be on their guard for unsolicited calls from people claiming to be from their bank, for phishing mails, and other scams.

Anyone affected by data theft should take the following precautions:

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication. Where possible, use a FIDO2 2FA device. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.

BlackCat ransomware targets another healthcare facility

In a statement issued Monday morning, Lehigh Valley Health Network said it had been the target of a cyberattack attributed to a ransomware gang known as BlackCat. The Network is made up of 13 hospital campuses, as well as other health facilities, and is based in Pennsylvania.

BlackCat

The ransomware-as-a-service (RaaS) group BlackCat, also known as ALPHV and Noberus, is currently one of the most active groups, and has been associated with Russia. In our recent February ransomware review it came in second after LockBit, based on the number of known attacks.

In December, 2022, the Office of Information Security and Health Sector Cybersecurity Coordination Center issued an extensive Analyst Note which identified BlackCat as a “relatively new but highly-capable” ransomware threat to health care providers.

BlackCat uses double extortion and sometimes triple extortion to make victims pay the ransom. That means that besides encrypting files, the gang also threaten to publish the stolen data on a so-called “leak site”, and at times, threaten their victims with DDoS attacks.

The attack

According to the health network, the attack targeted the network supporting Delta Medix, a physician practice in Lackawanna County. The unauthorized activity was detected on February 6, 2023 and involved a computer system used for patient images for radiation oncology treatment and other sensitive information.

The health network is investigating the full scope of the attack, but says services have not been disrupted, although its websites seem to be offline for the moment. It was unable to say yet whether any specific patient’s personal or sensitive information was compromised, but promised to inform any affected individuals if it discovers that was the case.

No ransom

The Lehigh Valley Health Network said it has refused to pay a ransom, but did not disclose the demanded amount. According to the US Department of Health and Human Services (HHS), the BlackCat group has demanded ransoms as high as $1.5 million in previous cybersecurity attacks against the healthcare sector.

Dr. Brian Nester, the health network’s president and CEO, said:

“BlackCat demanded a ransom payment, but LVHN refused to pay this criminal enterprise. We understand that BlackCat has targeted other organizations in the academic and health care sectors. We are continuing to work closely with our cybersecurity experts to evaluate the information involved and will provide notices to individuals as required as soon as possible. Attacks like this are reprehensible and we are dedicating appropriate resources to respond to this incident.”

Recent reports indicated that ransomware revenue went significantly down over 2022, likely due to companies’ increasing unwillingness to meet the ransom demands.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Write an incident response plan. The period after a ransomware attack can be chaotic. Make a plan that outlines how you’ll isolate an outbreak, communicate with stakeholders, and restore your systems.

Royal Mail schools LockBit in leaked negotiation

The LockBit group has finally given up any prospect of extracting a ransom from Royal Mail and published the files it stole from the company in a recent ransomware attack. The leak brings weeks of negotiations to a close, leaving Royal Mail without a decryptor, and LockBit without a payday.

Royal Mail files are leaked on the LockBit dark web site

Malwarebytes regards LockBit as one of the five most serious cyberthreats facing businesses in 2023. It was the most widely used ransomware-as-a-service (RaaS) in 2022, by far. It accounted for almost a third of all known RaaS attacks last year, and the largest ransom demand it made was a staggering $50 million. In February 2023 it asked Royal Mail for $80 million.

Alongside the leaked files, the LockBit gang have released a chat history that shows the negotiations between the two parties. Perhaps the group is trying to justify its decision to call off the negotiation and leak the stolen files, or perhaps it’s a warning to other victims.

You could read this as a failed negotiation or a missed opportunity for Royal Mail, but I don’t. I think the chat between Royal Mail and LockBit shows something quite different.

I suspect that Royal Mail never intended to pay a ransom. It certainly showed no willingness to engage with the ludicrous $80 million that was demanded of it, and it seems to have had the LockBit negotiator dancing to its tune throughout.

The negotiation began on January 12, 2023, and like any Internet chat, the conversation takes place between two avatars who may or may not be who they say they are. When the LockBit negotiator asks who they’re talking to, the Royal Mail’s representative says “I work in our IT.”

LockBit and Royal Mail introduce themselves

Maybe they did work in IT, but having spent years working in IT myself, and after seeing how the Royal Mail’s representative conducted themselves, I will simply say they aren’t like anyone I ever met. Perhaps they’re just naturally good negotiators, or perhaps they listened to our recent podcast about ransomware negotiations, but there is every chance they were actually a professional ransomware negotiator.

In the podcast, ransomware negotiator Kurtis Minder reveals that the first job in a situation like this is to play for time, without annoying the representative of the ransomware gang. A good way to lower the temperature is to adopt the ransomware gang’s self-serving vernacular, he says, and the Royal Mail’s “IT guy” does this in subtle ways, such as referring to LockBit’s criminal activity as “penetration testing.” Ransomware gangs like that sort of nonsense for some reason—maybe it helps them sleep at night.

Playing for time is important because it allows the victim to gather as much information as possible, understand their options, and decide their best response. They need to understand which systems are affected, how the organization can function without them temporarily, and what it will take to restore or rebuild them. They will also have numerous stakeholders to involve and duties to fulfill: Legal obligations must be met, law enforcement involved, cyberinsurance rules followed, customers and suppliers informed, and so on.

Royal Mail consistently succeeds in playing for time with LockBit. Although the first 24 hours of the chat are peppered with urgent and vaguely menacing language designed to rush the victim—“don’t delay,” “hurry up,” “our patience is not infinite”—LockBit is quickly dragged into the weeds. The first two weeks of negotiation were almost entirely devoted to a tedious conversation about decrypting large files.

LockBit and Royal Mail discuss large files

According to Royal Mail’s negotiator “my management have heard that your decryptor might not work on large files.” (This tactic of invoking a demanding or difficult to please manager will be familiar to anyone who’s ever haggled with a salesperson over a car.) Whether Royal Mail’s curiosity about large file decryption was genuine or a ruse, it created a role reversal in the conversation, with Royal Mail asking the questions and LockBit providing the answers, to prove that it can meet Royal Mail’s needs.

The Royal Mail negotiator also tried to earn trust by positioning themselves as a reasonable go between who’s trying to do the best for both parties. They consistently used language like “I am trying to help our Senior Team understand this,” “I am still trying to work with you here,” “I am doing what I can to drive things forward.”

When the conversation finally turned to money, it quickly found more weeds. This time the thorny undergrowth was formed by a disagreement about who LockBit had actually attacked. LockBit thought it was talking to Royal Mail. The victim told them it was Royal Mail International, a loss-making subsidiary of Royal Mail with a vastly smaller turnover.

LockBit asked for a ransom of $80 million, 0.5 percent of Royal Mail’s annual global turnover. Royal Mail retorted that using LockBit’s calculation, a good “starting figure” would be $4 million, based on Royal Mail International’s finances.

At this point in the negotiation LockBit actually acknowledged what it was dealing with. “You are a very clever negotiator,” they wrote, “I appreciate your experience in stalling and bamboozling.”

LockBit calls Royal Mail a "clever negotiator"

They might have appreciated it, but they didn’t seem able to do anything about it. By this point in the negotiation, Royal Mail was dictating the timeline: “We will not have anything new to speak about until Monday,” “Please confirm you will wait for their [the board’s] decision on Monday”.

LockBit did as it was told and waited. Finally, the last message from Royal Mail arrived on February 6, 2023. It suggested that the company probably never had any intention of paying. “To be honest with you I have heard that they [the board] might not want to pay you for this,” it said. “In our perspective the files got leaked when you took them from our system, and paying you won’t undo that in any way.”

The end of the negotiation

Ransomware attacks can be devastating, and it’s hard to say that being on the end of one is ever a “win” for the target. However, most experts agree that all you can ever do is reduce the chances an attack will occur and reduce the impact if it does. You can only ever play the hand you’re dealt, and we think given the hand they were playing, Royal Mail’s negotiation came as close to a win as a loss like this ever does.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Write an incident response plan. The period after a ransomware attack can be chaotic. Make a plan that outlines how you’ll isolate an outbreak, communicate with stakeholders, and restore your systems.

Samsung adds Message Guard protection against zero-click exploits

Samsung has announced the introduction of Message Guard for the Samsung Galaxy S23 series. It will be gradually rolled out to other Galaxy smartphones and tablets later this year.

Message Guard works on images received in messages by the apps “Samsung Messages” and “Messages by Google” and basically acts like a sandbox.

A sandbox in computing is a virtual habitat designed to provide a secluded environment to screen certain files or programs without giving any malware a chance to spread outside of the sandbox across the rest of the “playground”.

Samsung’s Message Guard is a sandbox that aims to protect your device by limiting exposure to invisible threats disguised as image attachments that arrive in messages received by Samsung Messages and Messages by Google. The plan is to release a software update at a later date to let Samsung Message Guard protect you across third party messaging apps as well.

How it works

When an image file arrives as an attachment to a message, the file is put in the sandbox and inspected. The file is processed inside the controlled environment of the sandbox to establish that it will not pose a threat to the device if it is released outside of the sandbox. This prevents malicious code from running amok or accessing your files. It does this silently in the background so the user doesn’t have to do anything and might not even notice it’s there.

Samsung Message Guard covers the following image formats: PNG, JPG/JPEG, GIF, ICO, WEBP, BMP, and WBMP.

Zero-click

Zero-click malware is defined as malware that does not require any user action or input to infect a device or system. Zero-click exploits are files that hide malicious code and do not need any user interaction for that code to be executed.

Zero-click exploits typically depend on vulnerabilities in software running on the device, such as the messaging app or the software on the device that renders the image. Such a vulnerability could be used by an attacker to craft a malicious image that automatically executes the malicious code embedded within it.

Samsung Knox already protects against such attachments in audio and video form, behind the scenes. With Message Guard, Samsung says Galaxy users will be protected against exploits in image form too.

Needed?

Samsung states in the announcement that there has been no sign of such attacks on Samsung Galaxy smartphones, but it wants to anticipate potential threats and develop preemptive security measures. This is by no means far-fetched if you look at the methods that Pegasus used against iMessage, although those are highly targeted attacks on people in high-level roles.

Would you like us to list the reasons why we think this is not something we’ve been waiting for? OK then, here goes:

  • The Android Operating System is already based on sandboxing, so we don’t see how this is adding any extra protection.
  • There is no indication that this type of protection has been or ever will be needed.
  • At best it will be providing a false sense of security because it says it offers protection (against a non-existent threat).
  • At worst it will stop people from installing actual protection against threats that actually exist, because they think they already are under maximum protection.

DNA testing company fined after customer data theft

DNA Diagnostics Center (DDC), an Ohio-based private DNA testing company, last week reached a settlement deal with the Ohio and Pennsylvania state attorneys general in relation to a 2021 breach that saw the theft of 45,000 residents’ personal details. Overall the attack compromised over 2.1 million customers who had undergone genetic testing across the US.

The company will pay a total fine of $400,000 for Ohio and Pennsylvania—and has promised to tighten its information security.

What happened in the 2021 breach

When DDC acquired Orchid Cellmark, a British company also in the DNA testing industry, as part of its business expansion in 2012, the company didn’t know that it also inherited legacy databases that kept personally identifiable information (PII) in plain text form. According to court documents, “the Breach’s impacted databases, containing sensitive personal information, were inadvertently transferred to DDC without its knowledge. Moreover, DDC asserts it was not aware that these legacy databases existed in its systems at the time of the Breach—more than nine years after the acquisition.”

DDC said it conducts both inventory assessment and penetration testing on its systems. But since it was unaware of the unused databases, they were not included during the tests as the assessments focused only on those with active customer data.

In May 2021, one of DDC’s MSPs (managed service providers) began sending automated alerts over a two-month period about suspicious activities within its network. Court documents didn’t reveal why DDC didn’t act on the alerts, but three months later the same MSP notified DDC again, this time about Cobalt Strike malware activity in its network. This triggered the company’s incident response plan.

According to the investigation, an attacker logged into the old VPN (virtual private network) that DDC used before migrating to a new one using a compromised employee account. It’s not known how this account ended up in the attacker’s hands, but they were able to harvest Active Directory (AD) credentials from a domain controller, a server providing security authentication for users. Weeks after, the attacker used a test account with administrator privileges to establish persistence in the now-compromised environment. They then unleashed Cobalt Strike.

In the following weeks, the attacker accessed five servers and copied 28 databases. They then exfiltrated data from DDC using a decommissioned server. Finally, in September, the attacker contacted DDC to extort payment for all the data they had. The company paid up to have all copied data deleted.

No threat group has owned up to the attack.

The Commonwealth took issue with DDC engaging in “deceptive or unfair business practices by making material misrepresentations in its customer-facing privacy policy concerning the safeguarding of its customers’ personal information.” Evidence of this was when DDC “disseminated, or caused to be disseminated” statements in its Privacy Policy, stating the company is committed to protecting the information of its clients. Yet, the Commonwealth alleges it “failed to employ reasonable measures to detect and prevent unauthorized access to its computer network,” leading to the compromise of Pennsylvanians’ data. 

“Negligence is not an excuse for letting consumer data get stolen,” said Ohio Attorney General Dave Yost in a statement. Acting Attorney General Michelle Henry added, “The more personal information these criminals gain access to, the more vulnerable the person whose information was stolen becomes.”

Terms of settlement

DDC is required to develop an information security program that is “reasonably designed” to protect user data. An employee or third-party service provider with appropriate credentials and expertise must be assigned to oversee the program.

The company is also ordered to conduct comprehensive annual risk assessments of its networks where sensitive client data are stored, maintain an asset inventory, create and implement an incident response plan, and remove any assets that are not used or necessary for business purposes. 

Lastly, DDC must create and implement security measures for the overall protection of personal data it stores, including regularly updating software, controlling user access (such as the use of two-factor authentication), conducting network penetration testing, segmenting the network, and maintaining a central log management system, among others.

The infosec program must be developed and implemented within 180 days (six months).

HardBit ransomware tailors ransom to fit your cyber insurance payout

Ransomware authors are wading into the cybersecurity insurance debate in a somewhat peculiar way. Specifically: urging victims to disclose details of their insurance contract, in order to tailor a ransom which will be beneficial to the company under attack.

HardBit 2.0: dismantling a device piece by piece

The ransomware, called HardBit 2.0, has been in circulation since sometime around November last year. Although there is no specific information as to how it arrives on a network, once it gets there it performs typical ransomware operations:

  • Encrypts files, branding them with the file’s custom logo
  • Gathers system/network data
  • Reduces overall security of affected systems
  • Disables recovery options and tamper protection, turns off multiple Windows Defender features, and interferes with several other security features including real time monitoring and Windows services related to backups like the Volume Shadow Copy Service.

What does the encryption warning message say?

HardBit 2.0 encrypts files and presents the following infection message on compromised desktops:

All your important files are stolen and encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, please send your ID for us.

Our contact information is written in the file “How to restore your files”.

You have 48 hours to contact or pay us. After that, you will have to pay double.

Please do not touch the key written under the help file in any way.

Just like Mortal Kombat ransomware, the attackers ask those who are hijacked to use Tox Messenger to communicate. The authors claim to steal data as well as encrypt it, although there’s no dedicated leak site to exploit this particular angle. In this case, it may be that most organisations targeted by the group would be too distracted by their “unique” approach to ransom demands to care.

A helping hand?

We’ve seen ransomware authors claim to care about their victims in the past. Some ransomware groups will remove themselves from impacted entities such as hospitals or critical services once those stories go public. Your mileage may vary with regard to whether this is a face-saving PR move, or if they genuinely care about having gone a little bit too far.

Here, they’re going out of their way to “help” by quizzing victims about the specifics of their cyber insurance policy. According to Varonis, there’s no outright demand for Bitcoin or another form of cryptocurrency. In its place is a long, rambling ransom note.

The note explains at length that their final ransom demand will be adjusted to ensure it falls inside the limits of the insurance policy. It paints the insurer as some sort of bad actor wanting to withhold money from the victim. If the scammers are told in private what the insurance total is, they’ll be able to ensure their demand for money is:

A) at the top end of the payout scale the policy provides, and

B) not beyond that limit, so the affected company gets back every cent it pays out. This is designed to be a mutually beneficial deal for both parties, as victim and attacker will receive as much as they possibly can.

There is, of course, no guarantee that the ransomware authors won’t use the reveal of potentially confidential insurance information against the victim at a later date. Anyone presented with this choice is really the living breathing definition of crossing some fingers and hoping for the best.

Malwarebytes detects this threat as Trojan.Crypt.Generic.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Write an incident response plan. The period after a ransomware attack can be chaotic. Make a plan that outlines how you’ll isolate an outbreak, communicate with stakeholders, and restore your systems.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

The 5 most dangerous cyberthreats facing businesses this year

Which of the myriad, extant cyberthreats should your business be paying the most attention to in 2023? 

That’s the question we set out to answer in this year’s annual State of Malware report, and the answers might surprise you. To understand why, you need to know what makes this year’s report so different from previous ones.

Unquestionably, over the last five years, the most serious cybersecurity task facing businesses has changed from defending against waves of malicious, email-borne malware to stopping seasoned criminals armed with Ransomware-as-a-Service (RaaS).

RaaS attacks can be extraordinarily severe. They can bring entire organizations to a halt, come with ruinous ransoms, and may take months of dedicated effort to recover from. They represent an existential threat to businesses.

The worst-of-the-worst is LockBit, the first on our list of the most dangerous threats you face. LockBit’s largest known ransom demand in 2022 was $50 million, although multiple sources report even higher demands were made. Its victims included businesses of all sizes, from local law firms with a handful of employees to multi-national enterprises.

LockBit was the most widely used RaaS in 2022, by far. It accounted for almost a third of all known RaaS attacks, and more than three times as many as its closest competitor, ALPHV.

Figure: Known attacks by the top 5 RaaS groups in 2022

And yet, if you were to create a list of the most detected malware from last year, you wouldn’t see LockBit on it. In fact, you wouldn’t see any RaaS on it. In cybersecurity, what’s common and what’s serious have diverged markedly.

For that reason, lists of the most detected malware are gone from this year’s report. In their place, we asked our experts—our threat intelligence analysts, and the threat hunters in our Managed Detection and Response (MDR) team: What essential information do resource-constrained organizations need to know?

They came up with a list of the five worst-in-class malware threats spanning Windows, Android and macOS. The report explains what these threats do and why, what it takes to detect them, and what it takes to recover from an attack. Each of our five is an archetype, so if you prepare to stop them, you’re well prepared for anything, on any of your devices.

Compiling our report like this also led us to an important insight: The most dangerous attacks you will face are not from the strangest new malware, the most sophisticated, the most eye-catching, or the most prevalent.

Instead, the most dangerous threats come from a set of known, mature tools and tactics that an entire ecosystem of cybercriminals rely upon to take in billions of dollars a year. Criminals have come to rely upon these attack types and their vectors because they work, and they work because they are hard to defend against and difficult to remove.

The 2023 State of Malware report explains what they are, how they find their victims, and how to avoid becoming one of them.

To learn more about LockBit and how to defend against it, and to discover the four other threats you should prepare for this year, download the 2023 State of Malware report. In it you will also learn:

  • What it takes to stop what Europol called the “world’s most dangerous malware.”
  • Why there was a 300% increase in some new malware delivery methods.
  • How to catch the emerging, hard-to-detect attacks that don’t rely on malware.
  • Why security people are as important as security software.

Get the 2023 State of Malware report

GoDaddy says it’s a victim of multi-year cyberattack campaign

Hosting and domain name company GoDaddy says it believes a “sophisticated threat actor group” has been subjecting the company to a multi-year attack campaign, the most recent of which occurred in December 2022.

In December, it received complaints about customer websites being periodically redirected to malicious sites. It turned out malware caused the redirection after threat actors compromised GoDaddy’s cPanel shared hosting servers. How the attackers got in remains a mystery.

GoDaddy said in a statement:

“As our investigation continued, we discovered that an unauthorized third party had gained access to servers in our cPanel shared hosting environment and installed malware causing the intermittent redirection of customer websites. Once we confirmed the intrusion, we remediated the situation and implemented security measures in an effort to prevent future infections.”

The company also said it believes that previous breaches in March 2020 and November 2021 were part of the multi-year attack campaign from the same threat actor group.

In March 2020, an attacker compromised 28,000 hosting account login credentials belonging to customers and some GoDaddy employees. Then, in November 2021, 1.2 million Managed WordPress hosting environments were compromised. The stolen data included email addresses, original WordPress admin credentials, database credentials, and private keys.

GoDaddy said it’s working on the ongoing issue:

“We are working with multiple law enforcement agencies around the world, in addition to forensics experts, to further investigate the issue. As we continue to monitor their behavior and block attempts from this criminal organization, we are actively collecting evidence and information regarding their tactics and techniques to help law enforcement.”

Make sure your hosting account is secure

If you are using GoDaddy or other hosting services, now is a good time to review your credentials and ensure your account is as locked down as possible. The guidelines below are for GoDaddy customers:

  • Remotely log out of your account. If you think your hosting account has been compromised, doing this will sign you and the possible attacker out from accounts opened on different devices and browsers.
  • Use a password manager, which will help you create long and complicated passwords without having to commit them to memory. Password managers also help you avoid phishing sites by not filling in credential fields if you mistakenly end up on a phishing page you can’t distinguish from the real thing.
  • Change your Support PIN. You can find this on your GoDaddy Login & PIN page.
  • Change all your hosting-related email credentials and FTP passwords.
  • Use two-factor authentication (if you’re not using it already) for that extra layer of protection for your account.
  • Change the payment methods you have stored in your account, and delete those you don’t use. It would also be good to keep an eye on your bank account transactions and be ready to flag those that are fraudulent.
  • Remove delegate access for anyone you’ve allowed into your account.
  • Delete unknown API keys.
  • Update your domain contact information to avoid anyone claiming ownership of your site.

Stay safe!

Twitter and two-factor authentication: What’s changing?

Twitter is making some dramatic shake ups to its currently available security settings. From March 19, users of Twitter won’t be able to use SMS-based two-factor authentication (2FA) unless they have a subscription to the paid Twitter Blue service.

If you use text-based 2FA, the important thing here is not to worry.

You may be under the impression that Twitter is removing your 2FA ability altogether, but this isn’t the case. There are alternatives, and they’re quite a bit more robust than the SMS approach. In fact, they’re referenced by Twitter repeatedly in the documentation regarding the removal of the text service for free Twitter users.

If you’re not sure what they are, or how they work, fear not. We’re going to walk you through the alternatives.

Changing your security approach on a deadline

If you log into Twitter at the moment, you’ll eventually be treated to a popup message which says the following:

Only Twitter Blue subscribers can use the text message two factor authentication method. It’ll just take a few minutes to remove it. You can still use the authentication app and security key methods. To avoid losing access to Twitter, remove text message two-factor authentication by Mar 19, 2023.

This move is being blamed on fraudulent bot behaviour in relation to the Twitter platform. From the above linked Twitter blog post:

While historically a popular form of 2FA, unfortunately we have seen phone-number based 2FA be used – and abused – by bad actors. So starting today, we will no longer allow accounts to enroll in the text message/SMS method of 2FA unless they are Twitter Blue subscribers. The availability of text message 2FA for Twitter Blue may vary by country and carrier.

It’s not great that an additional security measure is being removed from users and placed behind a subscription. Some form of 2FA is better than nothing, and uptake for any type of 2FA is painfully low on major platforms. Even Twitter itself struggles, with just 2.6% of active accounts making use of at least one 2FA method. Of those, 74.4% use SMS 2FA, so this removal plan could have a big impact on already tiny sign-up numbers.

As Twitter is so mobile-centric and likely already has your mobile number, SMS 2FA is for many people a natural fit for the platform. It may well be that people stripped of their SMS 2FA may not bother to implement 2FA all over again with an app or hardware key. That would leave those accounts much less secure.

With this in mind, let’s take a look at the other two forms of 2FA that Twitter offers.

Twitter and 2FA: What can you use?

Authenticator apps

Apps are viewed as being more secure than text-based 2FA, but are still very convenient.

Authenticator apps work by continually generating a numerical code that you enter on the site after you’ve logged in with your username and password. If the code expires before you enter it, the app generates another one and you use that instead. The app will never run out of codes.

These codes are valid whether your phone is online or offline. Some authenticator apps will also send you a prompt to accept, to prove it is you who is logging in. If you travel a lot, this can be more convenient than relying on SMS because you may not have access to a network provider while overseas, or even some form of internet connection. With an app, it doesn’t make any difference.

Unlike text-based 2FA, authenticator apps are resistant to SIM-swap attacks (the phone calls to your carrier that move your number onto an attacker’s SIM), because your codes are entirely disconnected from your carrier. Note that you can still be phished if you enter your app-generated code on a phishing page.
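
To show concretely what an authenticator app does when it “continually generates a numerical code”, here is a small implementation of the standard those apps use, TOTP (RFC 6238, built on HOTP from RFC 4226). This is an added example written for this article, not code from Twitter or from any authenticator vendor. The base32 secret is the published RFC test-vector key, not a real enrolment secret, and the server-side verifier’s one-step drift window is a common choice rather than anything the article specifies.

```python
"""TOTP as used by authenticator apps (RFC 6238 on top of RFC 4226 HOTP).

Added example for this article, not Twitter's or any authenticator vendor's
code. The secret below is the RFC 4226/6238 test-vector key (constructed
input for the demo), not a real one.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# The shared secret as an authenticator app receives it from the enrolment QR
# code (an otpauth:// URI carries it base32-encoded). This is the RFC test key,
# i.e. the ASCII bytes "12345678901234567890".
ENROLMENT_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(b32: str) -> bytes:
    """Decode a base32 secret as printed in otpauth:// URIs (tolerates spaces,
    lower case and missing '=' padding, which QR payloads often omit)."""
    s = b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then 'dynamic
    truncation' picks 31 bits at an offset taken from the last nibble."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: Optional[float] = None,
         step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter = number of `step`-second periods since
    the Unix epoch. Only a clock is needed, which is why the app works with the
    phone offline and never 'runs out' of codes."""
    if now is None:
        now = time.time()
    return hotp(secret, int(now) // step, digits)


def verify_totp(secret: bytes, code: str, now: Optional[float] = None,
                step: int = 30, window: int = 1, digits: int = 6) -> bool:
    """Server side: accept the current code plus/minus `window` steps to absorb
    clock drift and the user typing a code just as it expired. Comparison is
    constant-time so a wrong guess does not leak which digits matched."""
    if now is None:
        now = time.time()
    counter = int(now) // step
    return any(
        hmac.compare_digest(hotp(secret, counter + d, digits), code)
        for d in range(-window, window + 1)
    )


if __name__ == "__main__":
    key = decode_secret(ENROLMENT_SECRET_B32)
    # Fixed instant from the RFC 6238 test table (T = 59 s -> counter 1).
    print("code at t=59 :", totp(key, 59))          # 287082
    print("code at t=30 :", totp(key, 30))          # same 30 s step -> 287082
    print("code at t=60 :", totp(key, 60))          # next step -> 359152
    print("verify now+1 :", verify_totp(key, totp(key, 59), now=89))   # True
    print("verify stale :", verify_totp(key, totp(key, 59), now=150))  # False
```

The values printed match the RFC test vectors, which is a useful check when wiring this into a login flow. Note what the code does not do: nothing ties the six digits to the site you are typing them into, which is exactly why a code entered on a phishing page can be forwarded to the real site within the same 30-second window.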

Hardware security keys

These are dedicated USB sticks which can be tied to the websites you use, taking on the 2FA role in place of text messages, app codes, or even codes sent by email. Hardware security keys can’t be SIM swapped, and they won’t fall foul of phishing either. There’s nothing to phish. Unless the attacker can somehow physically obtain the device from your home, your wallet, your keychain, or anywhere else, they’re going to fail miserably with regard to compromising your security.

Hardware keys are very much the niche option, but if you want to reduce the risk of phishing as much as you possibly can, they’re definitely something to consider. There are models of hardware key which also work with services like password managers, so there are a lot of options available depending on your specific security needs.
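
The claim above that with a hardware key “there’s nothing to phish” rests on one property: the key’s answer is bound to the site the browser is really connected to, so an answer produced on a lookalike domain is worthless to the genuine site. The toy model below, added for this article, illustrates that property; it is not the FIDO2/WebAuthn protocol, any vendor’s firmware, or Twitter’s login code. Real keys sign a per-site challenge with a per-site asymmetric key pair; here a per-site HMAC key derived from a master secret stands in for the key pair (an assumed simplification so the example runs on the standard library alone), and the site names are constructed placeholders.

```python
"""Origin binding: why a FIDO-style security key resists phishing.

Added example for this article (toy model, not WebAuthn and not any vendor's
code). A per-site HMAC key derived from a master secret stands in for the
per-site key pair a real authenticator would use.
"""
import hashlib
import hmac
import os
import secrets


class SecurityKey:
    """One master secret inside the device; an independent key per site."""

    def __init__(self) -> None:
        self._master = os.urandom(32)

    def _site_key(self, rp_id: str) -> bytes:
        # Keys for different sites are unrelated, and no site ever sees the
        # master secret. (HMAC as a simple key-derivation function.)
        return hmac.new(self._master, b"rp:" + rp_id.encode(), hashlib.sha256).digest()

    def register(self, rp_id: str) -> bytes:
        # What the site stores at enrolment (stands in for the public key).
        return self._site_key(rp_id)

    def assert_login(self, rp_id: str, challenge: bytes) -> bytes:
        # The browser supplies rp_id from the origin it is actually connected
        # to; the user cannot type it in, so a lookalike domain selects a
        # different key and the answer is scoped to that domain.
        msg = hashlib.sha256(rp_id.encode()).digest() + challenge
        return hmac.new(self._site_key(rp_id), msg, hashlib.sha256).digest()


class RelyingParty:
    """The genuine site: issues one-time challenges and checks the answers."""

    def __init__(self, rp_id: str) -> None:
        self.rp_id = rp_id
        self.credentials = {}   # user -> stored credential from enrolment
        self._pending = {}      # user -> outstanding challenge

    def enrol(self, user: str, key: SecurityKey) -> None:
        self.credentials[user] = key.register(self.rp_id)

    def start_login(self, user: str) -> bytes:
        challenge = secrets.token_bytes(32)   # fresh per attempt: no replay
        self._pending[user] = challenge
        return challenge

    def finish_login(self, user: str, assertion: bytes) -> bool:
        challenge = self._pending.pop(user, None)   # single use
        cred = self.credentials.get(user)
        if challenge is None or cred is None:
            return False
        msg = hashlib.sha256(self.rp_id.encode()).digest() + challenge
        expected = hmac.new(cred, msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion)


def legitimate_login(site: RelyingParty, key: SecurityKey, user: str) -> bool:
    """User is on the real site: browser passes site.rp_id to the key."""
    challenge = site.start_login(user)
    return site.finish_login(user, key.assert_login(site.rp_id, challenge))


def relayed_login(site: RelyingParty, key: SecurityKey, user: str,
                  lookalike_origin: str) -> bool:
    """User is on a lookalike page that forwards the real site's challenge.
    The browser still scopes the key's answer to the origin the user is on,
    so the genuine site rejects it. Returns False in this model."""
    challenge = site.start_login(user)
    answer = key.assert_login(lookalike_origin, challenge)
    return site.finish_login(user, answer)


if __name__ == "__main__":
    key = SecurityKey()
    site = RelyingParty("social.example")           # constructed placeholder
    site.enrol("alice", key)
    print("real site   :", legitimate_login(site, key, "alice"))              # True
    print("lookalike   :", relayed_login(site, key, "alice", "social-login.example"))  # False
```

Compare this with the TOTP code from the authenticator-app section: a six-digit code carries no information about where it was typed, whereas here the domain is an input to the answer, so phishing the user’s tap on the key gains the attacker nothing.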

Making the change

Our next post on this subject will explain how to remove text based 2FA from your Twitter account if you have it enabled, and how to enable either app-based authentication or a hardware key instead. Some of the options and settings can be hard to find even for a pro, but we’ll cover each option in detail and you can pick the setting most relevant to your needs.
