IT NEWS

Riot Games compromised, new releases and patches halted

Popular game developer Riot Games brings word of a system compromise which may cause issues for updates to well known titles, although for the time being it seems as though customer data isn’t affected.

A social engineering development

Riot made the notification via Twitter late last week, and we're still waiting on the full story while an investigation takes place. For now Riot, stewards of titles such as Valorant and League of Legends, has made the following statement in relation to the attack:

Earlier this week, systems in our development environment were compromised via a social engineering attack. We don’t have all the answers right now, but we wanted to communicate early and let you know there is no indication that player data or personal information was obtained.

We may not be told the full details of what exactly took place here. Based on how these things usually tend to go, social engineering launched via an email sent directly to an employee could be a strong candidate.

Having said that, games publishers and developers make use of everything from social media to Discord for keeping in touch with players and fans. It could just as easily be that this began in a social media direct message and spiralled from there.

Slowdowns expected

Riot Games manages a number of incredibly popular online titles. This newly discovered compromise is going to cause some drag and delay in relation to keeping things updated with new content and other under the hood activities.

Unfortunately, this has temporarily affected our ability to release content. While our teams are working hard on a fix, we expect this to impact our upcoming patch cadence across multiple games.

League of Legends, for example, has a regular patching cycle and some of those patches are very large indeed, as you’d expect for an online game. The League of Legends Twitter account has already warned of potential impact. Valorant operates in much the same way. We can expect similar delays across all titles as resources are diverted to ensure the compromise has been fully contained and addressed.

The game developer jackpot

Games companies have been major targets for compromise for years, which is only to be expected considering the huge amount of data these organisations have access to. There are so many areas for exploitation, from game platform logins to publisher-centric accounts. You can target a PC running a game with remote code execution, go phishing for two-factor authentication codes, steal an account and sell digital items from its inventory…the list is endless.

The only good thing here is the low probability that customer data was grabbed; the attack instead focused on the development environment, for reasons known only to the attacker. In many past incidents, attackers poking around behind the scenes have done so in an effort to upload or release rogue files via the game titles themselves.

This hasn’t happened here, thankfully, and with any luck Riot Games will release additional information as the week goes by.

Update, 9:03AM (GMT-8)

Riot Games updated its Twitter followers regarding the compromise. It confirmed attackers were able to steal code for some of its flagship games, League of Legends and Teamfight Tactics (TFT), and a legacy anticheat platform.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

What privacy can get you

The fight for data privacy must be won in the middle.

No declaration, no call to arms, will sway the worst offenders. No public swell, no great big hack, has changed how money gets made.

Corporations will continue to reap our data, package it into ad-friendly profiles, and, for a price, deliver the right ads to the right users as determined by the right algorithms of the moment, because that is the formula for profit. And if a few privacy fiascos happen along the way? Well, pay the government-mandated fee, introduce a couple new controls, and, most importantly, march onwards.

This is where you, the people, come in.

Every single Data Privacy Day, companies, organizations, and privacy rights advocates make their best case for why everyday people should care about privacy. “It’s a human right,” we say, forgetting that one international charter does not hold sway on most of the human population. “It’s threatened every day,” we say, forgetting that the most common privacy threats happen away from plain sight, difficult to see and to understand. Even when we offer well-intentioned privacy tips, we forget that privacy today has become management. It’s fiddling with settings. It’s saying “No” on countless forms. It’s auditing and dumping old apps and clicking through the permissions on your current ones. It is, for many people today, inconvenient.

That’s why, for this year’s Data Privacy Day—which has been expanded into Data Privacy Week—we’re doing something different. We’re going to explain the most convenient advantages and benefits of privacy.

This isn’t about what you have to do to get some sense of privacy online. This is about what privacy gets you.

Fewer all-knowing ads

Today’s advertising landscape isn’t necessarily new; it’s simply hyper-charged beyond our wildest predictions. For decades, advertisers delivered their ads to the people they believed most likely to buy their products—investment managers advertising in the pages of The Wall Street Journal, joint pain medication companies airing daytime television commercials, when retirees are most likely to watch.

But in the early 2000s, the ability to grab user attention was revolutionized, as emerging tech companies began hoovering up entirely new types of user data that could be used to build “profiles” that advertisers could then select to buffet with ads. No longer did companies have to rely on a little bit of guesswork when sending their ads out based on zip codes or age ranges. Instead, companies like Facebook built new infrastructure for advertisers and marketers, selling access to users’ attention based on these newly collected data streams.

In 2021, the end-to-end encrypted messaging app Signal tried to reveal the invasive nature of Facebook’s advertising profiles by purchasing Instagram ads that would tell users exactly why they’d been selected, based on their characteristics, to receive the advertisement.

“You got this ad because you’re a newlywed pilates instructor and you’re cartoon crazy. This ad used your location to see you’re in La Jolla. You’re into parenting blogs and thinking about LGBTQ adoption,” read one of the ads, which, like all the others made by Signal, was banned by Facebook before ever being rolled out.

Several ads purchased by Signal that were banned

Sneaky as these privacy invasions may be, they are only half the picture. The other half is third-party ad-tracking cookies. Third-party ad-tracking cookies, which are going out of style, enable companies to track your web browsing activity across multiple sites. It’s why your search for luggage on one site could deliver a relevant luggage ad on a separate website.

And at least when it comes to stopping third-party ad trackers, we have several solutions.

Browser plugins like Malwarebytes Browser Guard block third-party ad trackers (and, separately, malicious websites), which means your activity across the internet won’t be so easily stitched together into a user profile that advertisers can target with what they think you want to buy most. Privacy-forward browsers like Safari, Firefox, and Brave all block third-party ad trackers by default.

This means fewer ads following you around and fewer ads that remember your every search. (It also probably means fewer moments where you think your phone is listening to you.) 

Now, it’s true that browser plugins and privacy-minded browsers won’t stop companies like Google and Facebook from collecting the information we seemingly volunteer—through our posts, our friend requests, our Google searches—but it’s important to remember that those same companies also relied on third-party ad trackers for years to grow their own advertising operations.

Faster browsing

A half-hour TV show, without commercials, doesn’t last a half-hour. The same idea is true when browsing online. Webpages cluttered with ads take longer to load, and webpages without ads—all other things being equal—will take less time to load.

And if you’ve got privacy on your side, you’ve got fewer ads to worry about.

Browser plug-ins that block ad-tracking (like Malwarebytes’ Browser Guard) can result in faster loading times for websites. To illustrate this, the web browser Brave offers a regular infographic on how much time the browser has saved for its users because of its pro-privacy experience.

A regular look, provided by Brave, on time saved by the browser

We must remind you that advertisements are far from the only variable that affects loading times. Your personal connection speed, the website’s optimization, and the engine that drives the browser you’re using—which determines how a browser reads a website’s information and in what order that information will be loaded—all affect how long it takes for a website to load. 

Potentially fewer spam calls and robocalls

Your phone number is too easy to find. Want proof? Just look at the number of spam calls and robocalls that you likely encountered last year.

But spam callers don’t call you because they’re targeting you, specifically. They’re calling you because your phone number, which has been endlessly collected, shared, and sold, is just a few clicks away.

According to the call protection company First Orion, everyday actions, like applying for credit, donating to charity, or calling a 1-800 number, will likely result in your phone number being collected. Once that data is collected, separate, third-party companies work to tie that data to more information about the household behind the phone number, such as any addresses associated with it, any real names, and even info like estimated salaries. And those third-party companies have little problem selling these packages of data to whoever pays for it. Often, it’s their entire business model.

But what if the collection and sale of your data was only allowed with your explicit agreement? What if your privacy—not your data—was most valued?

We like to think that your phone number would be collected less often, which might mean it would be sold less often, which might create a few more obstacles for whatever scam group is pushing its latest robocall campaign.


It’s not about “nothing to hide”

The weakest excuse we hear from people who have yet to champion their own privacy is that they “have nothing to hide.” The stark, unavoidable truth today is that you have nothing to hide, yet.

On June 24, 2022, the US Supreme Court overturned earlier decisions made in Roe v. Wade and Planned Parenthood v. Casey, which had, for decades, ensured national access to abortions. With the Court’s new decision, the issue of abortion—and its legality—was pushed onto the states, which could individually criminalize abortion itself, criminalize providing abortion services, and criminalize the act of supporting anyone seeking abortion.

Immediately, questions of legality and data privacy rushed to the forefront. As we discussed in our podcast Lock and Code at the time:

“Should Google be used to find abortion providers out of state? Can people write on Facebook or Instagram that they will pay for people to travel to their own states, where abortion is protected? Should people continue texting friends about their thoughts on abortion? Should they continue to use a period-tracking app? Should they switch to a different app that is now promising to technologically protect their data from legal requests? Should they clamp down on all their data? What should they do?”

The Supreme Court’s decision also sparked a flurry of activity from users of period-tracking apps who now had to worry about how their previously benign data might be used as evidence against them in an investigation into now-allegedly criminal behavior. The companies that make these apps responded to their users’ concerns, promising to either anonymize their users’ data, or encrypt it so that it would be useless if requested by law enforcement. At least one of those companies’ promises was over-inflated, one investigation found.

This unanswerable turmoil spat forth like a geyser, with little warning, upending everyday people’s lives for behaviors that were not illegal just 24 hours prior.

You deserve better.

So much of your data is collected every day that it’s more accurate to say that so much of you is collected every day. Your late-night WebMD visits about a new symptom. Your personal record on your regular jogging route near your home. Your first baby’s due date.

Privacy isn’t about having something to hide. It’s about not needing to hide yourself at all.


VASTFLUX ad fraud massively affected millions of iOS devices, dismantled

Researchers have successfully dismantled a massive ad fraud campaign they stumbled upon by accident. 

The Satori Threat Intelligence and Research Team dubbed the campaign VASTFLUX, a portmanteau of “fast flux”—an evasion technique involving the constant changing of IP addresses behind a single domain—and “VAST” (Video Ad Serving Template), a framework to embed ads in videos. The researchers said they came across the VASTFLUX operation while investigating a different ad fraud scheme. While looking at the other scheme, they noticed an app creating an abnormally large number of requests using different app IDs.

Since then, they have studied the campaign in depth, uncovering its inner workings, before taking everything down.

VASTFLUX, up close

Satori researchers defined VASTFLUX as “a malvertising attack that injected malicious JavaScript code into digital ad creatives, allowing the fraudsters to stack numerous invisible video ad players behind one another and register ad views”. Its sophistication only mirrors the intimate knowledge its operators have of the digital advertising ecosystem.

Apparently, this campaign was an adaptation of an earlier ad fraud scheme called Matryoshka that made headlines in 2020. Researchers said VASTFLUX exploited apps that run ads, particularly on iOS. “More than 1,700 apps and 120 publishers were spoofed in the course of the operation, reaching a peak volume of 12 billion ad requests a day and impacting nearly 11 million devices,” they further said.

VASTFLUX begins with JavaScript (JS) injections into a static ad the operators issue. These scripts decrypt the encrypted ad configurations, which include a static banner image for the ad slot, a video ad player behind the banner image, and parameters for stacked video players. A script then calls home to its command-and-control (C2) server for additional information on what to place behind the static banner.

The researchers say VASTFLUX spoofs legitimate publisher and app IDs, including the size of the ads, and operators do it in a way that could easily be missed with cursory glances at the code. The code also contained masked instructions on what apps to spoof, how to spoof them, and how video players can be stacked up to play 25 streams with ads. These ads generate income, but the videos they play on are hidden behind a visible ad, rendering the video stack invisible to users.

As this video stack renders the ads simultaneously, they also “keep loading new ads until the ad slot with the malicious code is closed”.

“The URL of the VAST players are encoded in base64,” the researchers said. “When decoded, they show that each player has its own ‘playlist’ of ads to cycle through, each with its own URL with tracking code attached. It’s in this capacity that VASTFLUX behaves most like a botnet; when an ad slot is hijacked, it renders sequences of ads the user can’t see or interact with.”

Decrypted code of the ad playlist, which plays in videos hidden from users. (Source: HUMAN)

VASTFLUX is very much capable of operating under the radar of fraud tracking. It does this by avoiding ad verification tags, a technology that allows marketers to check whether their ads have been seen by real people. Since the real ads VASTFLUX runs are all out of sight, with no tags to track them, the campaign appears virtually nonexistent.
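The description above (a static banner hiding a stack of zero-size video players, each with its own base64-encoded VAST playlist carrying spoofed app IDs) lends itself to a simple defender-side check. The following is an added example, not code from HUMAN or the Satori team; the JSON layout of the decrypted ad configuration, the `app`/`pub` query parameters and the `.invalid` hostnames are constructed assumptions for illustration.

```python
import base64
import binascii
import json
from urllib.parse import parse_qs, urlparse


def encode_vast_url(url: str) -> str:
    """Base64-encode a VAST player URL the way the article says VASTFLUX stores them."""
    return base64.b64encode(url.encode()).decode()


def build_sample_config(stacked: int, app_ids: list) -> str:
    """Construct a hypothetical decrypted ad config: one visible banner plus
    `stacked` invisible players, cycling through a short playlist each.
    This shape is an assumption modelled on the article, not real HUMAN data."""
    players = []
    for i in range(stacked):
        app_id = app_ids[i % len(app_ids)]
        playlist = [
            encode_vast_url(
                f"https://vast.example.invalid/v?app={app_id}&pub=900&t={i}-{n}")
            for n in range(3)
        ]
        players.append({"width": 0, "height": 0, "visible": False,
                        "vast": playlist})
    return json.dumps({
        "banner": {"src": "https://cdn.example.invalid/static.png",
                   "width": 320, "height": 50},
        "players": players,
    })


def build_benign_config() -> str:
    """Construct a config with a single visible player and one app ID."""
    return json.dumps({
        "banner": {"src": "https://cdn.example.invalid/static.png",
                   "width": 320, "height": 50},
        "players": [{"width": 300, "height": 250, "visible": True,
                     "vast": [encode_vast_url(
                         "https://vast.example.invalid/v?app=com.legit&pub=1")]}],
    })


def decode_vast_urls(player: dict) -> list:
    """Decode one player's base64 playlist entries; skip undecodable items."""
    urls = []
    for item in player.get("vast", []):
        padded = item + "=" * (-len(item) % 4)  # tolerate stripped '=' padding
        try:
            urls.append(base64.b64decode(padded, validate=True).decode("utf-8"))
        except (binascii.Error, UnicodeDecodeError):
            continue
    return urls


def analyze_creative(config_json: str, max_hidden_players: int = 1,
                     max_app_ids: int = 1) -> dict:
    """Flag a creative that stacks hidden players in one slot or whose playlist
    URLs claim many different app IDs (the spoofing the article describes)."""
    cfg = json.loads(config_json)
    players = cfg.get("players", [])
    hidden = 0
    app_ids = set()
    playlist_urls = []
    for p in players:
        zero_size = p.get("width", 0) <= 0 or p.get("height", 0) <= 0
        if zero_size or not p.get("visible", True):
            hidden += 1
        for url in decode_vast_urls(p):
            playlist_urls.append(url)
            for value in parse_qs(urlparse(url).query).get("app", []):
                app_ids.add(value)
    reasons = []
    if hidden > max_hidden_players:
        reasons.append(f"{hidden} hidden/zero-size players stacked in one slot")
    if len(app_ids) > max_app_ids:
        reasons.append(f"{len(app_ids)} distinct app IDs claimed by one creative")
    return {
        "total_players": len(players),
        "hidden_players": hidden,
        "playlist_urls": len(playlist_urls),
        "app_ids": sorted(app_ids),
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    # 25 stacked players matches the maximum the article reports per slot.
    print(analyze_creative(build_sample_config(25, ["com.a", "com.b", "com.c"])))
    print(analyze_creative(build_benign_config()))
```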

The takedown

VASTFLUX’s takedown didn’t happen in one go. In fact, the Satori team carried out three waves of “distinct mitigation responses”, which all occurred between June and July 2022, before finally pulling the plug. The first resulted in a dramatic decrease in VASTFLUX’s traffic, but the operators adapted quickly. The second mitigation cut the campaign’s request volume, which had reached billions of requests at its peak, by 92 percent. The third and final mitigation further blocked VASTFLUX’s activity.

The Satori team identified the operators behind this ad fraud scheme, but didn’t name them. Working closely with fraud abuse organizations, the team brought VASTFLUX to its inevitable end in December. “[B]id requests associated with VASTFLUX, which reached a peak of 12 billion requests per day, are now at zero,” the team proudly declared in their blog.

Because this ad fraud campaign specifically targets ad slots within apps, it is highly likely that legitimate apps would start showing VASTFLUX-related ads. As a result, any iOS user may experience the effects of having multiple videos playing in the background while using an app, such as device performance drops, faster battery drain, and even overheating.

These are classic symptoms of adware infection, and if your device is experiencing one or more of these, be suspicious and try to find which apps are causing them. Perhaps it’s time to start paying attention to how your device behaves. The researchers provided the following other red flags you should be looking out for:

  • The device’s screen seems to turn on at unexpected times and without prompting, like in the middle of the night.
  • An app suddenly slows down the performance of the device.
  • Data use jumps dramatically from one day to the next.
  • An app crashes frequently and without warning.

Stay safe!


Own an older iPhone? Check you’re on the latest version to avoid this bug

In December 2022, we warned our readers about an actively exploited vulnerability in Apple’s WebKit. Back then we wondered why Apple specifically stated that the issue may have been actively exploited against versions of iOS released before iOS 15.1.

At the time, our resident Apple expert Thomas Reed said that Apple has been known to release fixes for older systems when it is aware of active attacks taking place. And indeed, Apple has now released security content for iOS 12.5.7, which includes a patch for this vulnerability.

Affected devices

The patch is available for: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation).

The update may already have reached your device during your regular update routines, but it doesn’t hurt to check if your device is at the latest update level.

Here’s how to update your iPhone or iPad.

Since the vulnerability we’ll discuss below is already being exploited, it’s important that you install the update on your devices as soon as you can, if you haven’t already.

The vulnerability

The bug (CVE-2022-42856) was found in WebKit which is Apple’s web rendering engine. In other words, WebKit is the browser engine that powers Safari and other apps.

Apple says the impact of the vulnerability is that processing maliciously crafted web content may lead to arbitrary code execution. In essence this means an attacker can try to lure victims to a malicious site to compromise their devices. But Apple has not disclosed any details about the circumstances under which the vulnerability was actively exploited.

Other updates

There is also new security content for iOS 15.7.2 and iPadOS 15.7.2 and security updates for a lot of other Apple software.

Key takeaways from Malwarebytes 2023 State of Mobile Cybersecurity

The results of our latest survey on mobile cybersecurity in K-12 and hospitals are in—and it’s not all peaches and roses.

When we talk about endpoint protection, it’s only natural to only think about the most commonly compromised endpoints like work laptops and servers—but your smartphone isn’t off the hook.

There are plenty of risks associated with mobile devices, and we ignore them at our peril. In 2020 alone, almost 50% of organizations had at least one employee download a malicious mobile application that threatened their organization’s network and data.

Certain industries such as education and healthcare face their own distinct set of challenges when it comes to mobile security, namely a diverse range of endpoints and lackluster budgets and infrastructure.

To better understand the mobile security landscape, we asked 250 schools and hospitals about their mobile security posture (including Chromebooks). The average organization surveyed was based in North America and had anywhere from 250 to over 5000 endpoints.

Here are some key takeaways.

45% of schools reported that at least one cybersecurity incident last year started with Chromebooks or other mobile devices


Almost 30% of schools and hospitals aren’t protecting mobile devices with their current endpoint protection solution


77% of organizations are confident in their ability to protect mobile devices, including Chromebooks, from cybersecurity threats


Chromebooks and employee devices rank top among schools’ riskiest attack surfaces


63% of organizations say cost is their biggest concern for their current mobile security tools


58% of organizations’ cybersecurity budgets are the same compared to 2022


Mobile security for resource-constrained organizations

Don’t let mobile and Chromebook threats catch you off guard in 2023.

Malwarebytes 2023 State of Mobile Cybersecurity showed that while most organizations may be confident in their mobile security posture, almost a third aren’t currently protecting their mobile endpoints and close to half have experienced a cybersecurity incident due to a mobile device or Chromebook in 2022.

Needless to say, today’s organizations and public sector institutions need to protect a growing number of mobile endpoints, including Chromebooks.

Enter Malwarebytes Mobile Security for Business, which extends our award-winning endpoint protection to mobile devices. Tailor-made for organizations with resource constraints, IT teams can conveniently manage protection across Chrome OS, Android and iOS devices from the same cloud-native console monitoring their servers, workstations, and laptops.

Learn more about mobile security and why it’s important, and check out our blog posts “Improving security for mobile devices: CISA issues guides” and “Do Chromebooks need antivirus protection?” for more tips on improving your organization’s mobile and Chromebook security posture.

Stay vigilant! 

Microsoft to end direct sale of Windows 10 licenses at the end of January

Windows 10 is slowly coming to an end, with one more way to purchase the operating system riding off into the sunset. Microsoft is posting notices in a variety of locations to confirm it will no longer sell Windows 10 licenses directly. Support remains in place for the time being, as is the usual strategy when an operating system is gradually phased out.

Announcing the end times

All Microsoft products have their own life cycle, and all of these products inevitably meet their demise at the hands of the next incarnation. Those policies fall under two types: modern, for products and services that are serviced and supported continuously, and fixed, for certain products bought at retail or through volume licensing.

While businesses often have the ability to pay to keep themselves patched against specific threats even after the shutters come down, this isn’t an option for everyone and a change of software and hardware is needed across the board eventually.

Windows 10 download pages now say this at the bottom of the promotional text:

January 31, 2023 will be the last day this Windows 10 download is offered for sale. Windows 10 will remain supported with security updates that help protect your PC from viruses, spyware and other malware until October 14, 2025.

Whether or not you decide to buy Windows 10 before January 31, or ignore the warning and purchase from a third party retailer, January 31, 2025 looms on the horizon like a rather large banner advert for Windows 11. That tiny uptake of users back in 2021 is likely going to experience a spike over the next year or so.

Windows 11: A significant boost in security…

We’ve covered many of the security improvements which Windows 11 holds over Windows 10. There are the multiple features and functionality of the hypervisor, the Secure Boot practices to help ward off bootkit malware, and the hardware-enforced stack protection which protects various forms of running code.

Elsewhere we have custom-made phishing alerts for users of Windows 11 (but not Windows 10), and a default remote desktop protocol lockout. This is before you get to the other additions and improvements which you won’t find elsewhere.

Tabs? In my Notepad? The future is now.

…and a bit of a problem for hardware

One of the few remaining sticking points for people wary of upgrading remains the hardware issue. Microsoft has experienced quite a bit of backlash due to how the promotion of Windows 11 was handled. Nobody wants to find out their recently purchased powerhouse of a gaming PC inexplicably does not support the new operating system, nor does anyone want to discover their fairly new fleet of Windows 10 business PCs aren’t up to standard. Unfortunately, this is the exact situation far too many people found themselves in. Poor descriptions of secure boot and Trusted Platform Module (TPM) did not help at all.

My own home PC is a very powerful gaming rig; it will run anything thrown at it, from games on their highest settings to rendering tools which will bring other high-spec systems to their knees.

It’s still not compatible with Windows 11 because (insert convoluted technical explanation here). People don’t want to hear about inserted convoluted technical explanations, they just want to know why they’re suddenly faced with the prospect of potentially expensive hardware upgrades or replacements. This is not how you achieve high buy-in rates.

Playing the waiting game

For now, it’s fine to linger on Windows 10, and support is going to be around for some time to come. If you think you’re going to be putting together a bunch of self-built machines in the near future, or simply buying in bulk, this may be the time to do some emergency sort-of-last-minute shopping before it becomes increasingly difficult to obtain a license. Given the leap in demands from Windows 10 hardware to Windows 11 hardware, you don’t want to be left in a situation where you have a pile of cases, hard drives, and RAM sticks in the corner of a room and nothing to make them all come alive.

Hang fire if you need to, but the clock is most definitely ticking.


TikTok CEO told to “step up efforts to comply” with digital laws

EU Commissioner Thierry Breton, the EU’s digital policy chief, “explicitly conveyed” to TikTok CEO Shou Zi Chew that the company must “step up efforts to comply” with the European Union’s rules on copyright, data protection, and the Digital Services Act (DSA)—an EU regulation setting out “an unprecedented new standard for the accountability of online platforms regarding illegal and harmful content”. 

According to the Associated Press, this transpired in a call on Thursday, January 19, wherein Breton and Chew discussed how TikTok plans to comply with the DSA, which is set to take effect in September 2023. The act will require online platforms to reduce harmful content online and combat online risks. Online platforms include (but may not be limited to) social networks and online marketplaces.

The West has been scrutinizing TikTok for years because of its parent company’s potential ties with the government of the People’s Republic of China. This alone brought up a lot of cybersecurity and privacy concerns. Though the company has consistently denied such a relationship, this didn’t stop state governments and private companies from banning the app from worker and employee phones, labeling it an “unacceptable security risk” and a “Chinese Trojan Horse”, accusing it of being a tool to promote various forms of misinformation and spying, and classing it as another social platform that doesn’t take the security of children’s privacy and well-being seriously.

“With younger audiences comes greater responsibility,” Breton said, according to a readout of his call with Chew. “It is not acceptable that behind seemingly fun and harmless features, it takes users seconds to access harmful and sometimes even life-threatening content.”

“We will not hesitate to adopt the full scope of sanctions to protect our citizens if audits do not show full compliance,” Breton further said.

Early last week, four European Commission officials met with Chew in Brussels to discuss growing concerns from Western countries, ranging from online child safety to the flow of user data to China. According to partial readouts of the call published by Politico, they warned TikTok to respect EU law and begin working on building trust. On top of this, they discussed compliance with the DSA, the Digital Markets Act (DMA)—the very anti-competition regulation Apple had been preparing for—and the GDPR (General Data Protection Regulation).

“I count on TikTok to fully execute its commitments to go the extra mile in respecting EU law and regaining [the] trust of European regulators,” EU Commissioner for Values and Transparency Vera Jourova had said during their meeting with Chew. “There cannot be any doubt that data of users in Europe are safe and not exposed to illegal access from third-country authorities.”

TikTok’s Director of Public Policy and Government Relations, Caroline Greer, tweeted that the safety of their users is paramount. “We also outlined our efforts to ensure compliance with the GDPR & the Code of Practice on Disinformation.”

As if to demonstrate their seriousness regarding data security, TikTok’s CEO revealed the people responsible for misusing journalist data to identify leaks were no longer with the company, confirming “it was wrong” for them to have done this.


4 ways to protect your privacy while scrolling

Privacy is a right that is yours to value and defend. Article 8 of the Human Rights Act protects your right to respect for your private and family life. One of the pillars of the article is that personal information about you (including official records, photographs, letters, diaries, and medical records) should be kept securely and not be shared without your permission, except under certain circumstances.

But we know that information is not always protected as much as it should be, and it seems like we hear about a new data breach every day. It’s up to us to defend our privacy as much as we can online, so here are a few suggestions on how you can best protect your privacy when scrolling online:

1. Consider what you share about yourself

Many of us are leaking information about ourselves and our online behavior almost constantly.

When posting online, consider which information you regard as private and which you are happy for everyone to know. Once you know where you draw your personal line, you can start working on protecting it.

As a guide, if you wouldn’t say it in person, don’t put it online.

2. Check your browser settings

Your browser is your gateway to the internet. Unfortunately, few browsers ship with ideal privacy and security settings turned on by default, even where the options exist.

So it’s a good idea to go through your browser’s settings and make sure each option is set in a way you find acceptable, privacy-wise.

You can read about some popular browsers’ privacy settings here:

While you’re reviewing your settings, you may want to clear out your browser history. Then review your extensions and remove those you hardly use, or have never used. Every extension runs with access to the pages you visit, so a vulnerable or malicious add-on can easily become a privacy and security risk.

Do a browser settings review on your mobile devices as well. You can learn more about them here:

Now, if you find that the browser still lacks the privacy and security settings you hope for, it’s time to switch to a different one.

Thankfully, most (if not all) desktop browsers that make privacy their business also have mobile versions. Start by looking up Firefox, Brave, DuckDuckGo, and even the Tor Browser on Google Play and the Apple App Store.


3. Consider adding extra layers

Many browser extensions decrease your online privacy, but the upside of being able to install extensions is that there are good ones that help you establish a more private browsing experience. Ad blockers and anti-tracking tools are the obvious starting point; keep the total number of extensions small, since each one is code you are trusting with your browsing.

You can also tighten your privacy by using a Virtual Private Network (VPN) to hide your traffic from your local network and your ISP. In short and easy terms, a VPN acts as a middle-man between a user and the internet: when the user wants to visit a site, they send the request to the VPN over an encrypted connection, the VPN visits the site on their behalf, and it sends the response back over the same encrypted connection. The site sees the VPN’s IP address rather than yours. These connections are not limited to web browsing, even though that is the use that usually comes to mind. Note that a VPN does not make you anonymous: the VPN provider can see everything your ISP could see before, so choose one you trust.

Personally, I also use different browsers for different purposes. This is called compartmentalization: you visit trusted (and preferably bookmarked) websites in a quick, lightly configured browser and do your regular surfing in a fully protected, tracker-blocking browser, so that cookies, trackers or a malicious page in one browser cannot see what you do in the other.

4. Do periodic check-ins

One thing to keep in mind if you roll out extra precautions is to stay aware that they exist and not take them for granted. Check for updates regularly, make sure they are still working, and don’t rely on them blindly.

It’s like speeding in a car just because you have a seatbelt on. The belt does make a crash safer, but you still don’t want to be in one.


T-Mobile reports data theft of 37 million customers in the US

T-Mobile has announced that an attacker accessed “limited types of information” on customers, and says it is informing those affected.

According to the press release, no passwords, payment card information, social security numbers, government ID numbers or other financial account information were compromised.

Method

T-Mobile says the attacker gained access to the data, without authorization, through a single Application Programming Interface (API). According to T-Mobile, the impacted API can only return a limited set of customer account data: name, billing address, email, phone number, date of birth, T-Mobile account number, and information such as the number of lines on the account and plan features.

An API, in general, is a software interface that lets one automated system retrieve data from another, for example letting a website fetch records from a database. When a threat actor finds a way to bypass authentication, or to obtain a higher level of permissions than they should have, the same interface lets them fetch information about other customers. Because API calls are cheap to script, one such flaw can be turned into a bulk download of the customer base, which is what 37 million records over several weeks looks like.
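The class of flaw described above, as an added example that is not T-Mobile’s code and says nothing about how the real API was built: a hypothetical account-lookup handler that validates the caller’s session but never checks that the requested account belongs to that caller, the same lookup with the object-level authorization check in place, and a simple check over an access log for the kind of enumeration a bulk pull leaves behind. The accounts, session tokens and function names are all constructed for the example.

```python
"""Added example, not T-Mobile's code: an account-lookup API that trusts the
account number it is given (object-level authorization missing), the same
lookup with the check in place, and a log check for enumeration.
Every account, token and name here is constructed for the example."""
from collections import defaultdict
from dataclasses import dataclass, asdict
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Account:
    account_number: str
    name: str
    email: str
    phone: str
    lines: int  # number of lines on the account


# Constructed stand-in for the customer datastore behind the API.
ACCOUNTS: Dict[str, Account] = {
    "1001": Account("1001", "Alice Example", "alice@example.com", "+1-555-0100", 2),
    "1002": Account("1002", "Bob Example", "bob@example.com", "+1-555-0101", 1),
    "1003": Account("1003", "Carol Example", "carol@example.com", "+1-555-0102", 4),
}

# Hypothetical session store: bearer token -> account the caller logged in as.
SESSIONS: Dict[str, str] = {"tok-alice": "1001", "tok-bob": "1002"}


class Forbidden(Exception):
    """Raised when a request carries no valid session."""


def get_account_vulnerable(token: str, account_number: str) -> Optional[dict]:
    """Authenticates the caller, then returns whatever account was asked for.
    Any valid session can walk the account-number space and pull every
    customer's record; if the session check were missing, so could anyone."""
    if token not in SESSIONS:
        raise Forbidden("no valid session")
    acct = ACCOUNTS.get(account_number)
    return asdict(acct) if acct else None


def get_account_hardened(token: str, account_number: str) -> Optional[dict]:
    """Same lookup with object-level authorization: the record comes back only
    when the requested account is the one the session belongs to. A foreign
    account number gets the same answer as a non-existent one, so the endpoint
    does not reveal which numbers are valid."""
    owner = SESSIONS.get(token)
    if owner is None:
        raise Forbidden("no valid session")
    if account_number != owner:
        return None
    acct = ACCOUNTS.get(account_number)
    return asdict(acct) if acct else None


Handler = Callable[[str, str], Optional[dict]]


def enumerate_accounts(handler: Handler, token: str, start: int, stop: int) -> List[dict]:
    """What the attacker's script does: one valid session, sequential IDs,
    keep every record that comes back."""
    found = []
    for n in range(start, stop):
        rec = handler(token, str(n))
        if rec is not None:
            found.append(rec)
    return found


def flag_enumeration(log: List[Tuple[str, str]], max_accounts: int) -> Set[str]:
    """Detection over an access log of (caller, account_number) pairs: a single
    caller that touches more distinct accounts than a customer could plausibly
    own is enumerating. A real deployment would window this by time and key on
    token, client IP and API key rather than one string."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for caller, account_number in log:
        seen[caller].add(account_number)
    return {caller for caller, ids in seen.items() if len(ids) > max_accounts}


if __name__ == "__main__":
    pulled = enumerate_accounts(get_account_vulnerable, "tok-bob", 1000, 1010)
    print(len(pulled), "records via the vulnerable handler")  # 3: every customer
    pulled = enumerate_accounts(get_account_hardened, "tok-bob", 1000, 1010)
    print(len(pulled), "records via the hardened handler")    # 1: Bob's own
    log = [("tok-bob", str(n)) for n in range(1000, 1010)] + [("tok-alice", "1001")]
    print(flag_enumeration(log, max_accounts=5))              # {'tok-bob'}
```

The fix is the ownership check, not the field list: the vulnerable handler already returns only the “limited set” of fields the press release describes, and still hands the attacker every customer. The detection function is the second half of the story; access that starts in late November and is noticed in early January is exactly what a per-caller distinct-account count is meant to catch.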

Affected customers

The preliminary results of T-Mobile’s investigation, carried out with help from external cybersecurity experts, indicate that the attacker accessed data from approximately 37 million current postpaid and prepaid customer accounts, though many of these accounts did not include the full data set.

Window of access

The mobile carrier says it detected the malicious activity on January 5, 2023. The press release says the issue was resolved within 24 hours of being identified. What the press release doesn’t say, but what we can read in the Form 8-K (the form public companies file to notify the Securities and Exchange Commission (SEC) of material events such as a breach), is that the attacker first retrieved data through the impacted API on or around November 25, 2022. That is roughly six weeks of access before anyone noticed.

Timing

The timing of the data breach is far from ideal. It was only last week that customers faced a deadline to file a claim in a $350 million settlement over a 2021 cyberattack which impacted around 80 million US residents. The carrier agreed to the massive payout to resolve allegations that negligence led to the 2021 data breach, which exposed millions of people’s personal information. The stolen data at the time included names, driver’s licenses, addresses, and social security numbers.

As part of that settlement, T-Mobile committed to an aggregate incremental spend of $150 million for data security and related technology in 2022 and 2023. T-Mobile references this in its Form 8-K about the current incident:

“As we have previously disclosed, in 2021, we commenced a substantial multi-year investment working with leading external cybersecurity experts to enhance our cybersecurity capabilities and transform our approach to cybersecurity. We have made substantial progress to date, and protecting our customers’ data remains a top priority. We will continue to make substantial investments to strengthen our cybersecurity program.”


Ransomware revenue significantly down over 2022

According to blockchain data platform Chainalysis, ransomware revenue “plummeted” from $765.6 million in 2021 to at least $456.8 million in 2022. The figures are based on an analysis of the cryptocurrency addresses known to be controlled by ransomware attackers, so they count payments that have been identified, not every payment made.

Precision

While the real numbers are likely much higher, the trend does give an idea of how ransomware payments are developing. Last year’s estimate at this point seemed to show a decline from $765 million to $602 million, but after correction it turned out to be a small gain. Expect this year’s $456.8 million to be revised upwards too as more attacker addresses are identified, which is why Chainalysis says “at least”.

[Chart omitted; image courtesy of Chainalysis]

Payments, not attacks

This decline could be explained in a number of ways:

  • Fewer attacks
  • Lower ransom demands or demand being negotiated down
  • Fewer victims willing to pay

According to our own research and Chainalysis, the declining numbers are mainly due to victim organizations increasingly refusing to pay ransomware attackers.

Number of attacks

Ransomware attacks make headlines, but that doesn’t mean we learn about all of them. In fact, the chances of learning about an attack are higher when the victim decides not to pay, since that gets them posted on a leak site controlled by the ransomware group. Many ransomware operators use these sites to publish data they exfiltrated during the attack as extra leverage to get victims to pay the ransom. Monitoring these sites therefore gives us a good idea of which ransomware groups are most active and of how many victims refuse to pay, though it under-counts the victims who paid quietly.

According to IT service provider AAG, there were 236.1 million ransomware attacks worldwide in just the first half of 2022, against 623.3 million through the whole of 2021. Pro-rated over a full year, that seems to indicate the number of attacks could be slightly down.

Negotiators

One thing victims have learned is that ransom sums can be negotiated down. In fact, a new form of ransomware response has emerged in the past year: the ransomware negotiator. On our Lock & Code podcast, Calling in the ransomware negotiator, with Kurtis Minder: Lock and Code S03E20, Kurtis Minder talks about how he has helped clients with ransomware negotiation and how his company has worked to formalize ransomware negotiation training.

Not willing to pay

There are many reasons, besides the obvious one, that companies are unwilling to meet the ransom demands:

  • Paying keeps the ransomware ecosystem alive
  • There is no guarantee you will get your systems back
  • Paying is no instant fix; decrypting everything can take just as long as restoring your systems from backups
  • Organizations have learned the importance of backups
  • In some cases paying is prohibited because of embargoes and sanctions against certain countries or groups

Sometimes organizations feel they have no other choice, which is understandable, but it gives us hope to see that the numbers are declining.

Continental

In our ransomware review of October 2022 we highlighted the case of automotive parts giant Continental. According to a transcript of the negotiations, obtained from LockBit’s dark web site, ransom negotiations began on September 23 and progressed slowly for a month. In the transcript, Continental sought proof that the ransomware group had the 40 terabytes of internal company data it claimed to have stolen, and then asked for assurances that the group would delete the data if the ransom was paid.

The final message attributed to Continental, dated October 24, reads “Hello, we have to hold a management meeting and will come back to you tomorrow end of business day.” It seems that the meeting did not go the way LockBit hoped, and after several fruitless days trying to restart the negotiation, the ransomware group made the Continental data available on its dark web site, for sale or destruction, for $50 million. It is unknown whether anyone shelled out that amount to obtain the stolen data.

Chainalysis queried several ransomware experts and is convinced that the drop in revenue is due to more victims refusing to pay. For those interested, the report provides a lot more details.
