IT NEWS

University suffers leaks, shutdowns at the hands of Vice Society

The Vice Society ransomware gang is back and making some unfortunate waves in the education sector. According to Bleeping Computer, the group has put its ransomware-laden hands up and admitted to an attack on the University of Duisburg-Essen (UDE). Sadly, this isn't the University's first encounter with ransomware, though it may well prove to be its worst, given reports of leaked data and a forced rebuild of its IT infrastructure.

Ransomware and a destroyed network

When word of the attack spread back in November, it had essentially shuttered the university's entire network and cut it off from the internet. Essential services such as email and telephone were completely non-functional. "Large parts" of the servers were encrypted, and the usual ransom demand followed.

At the time, there was no word as to who did it. This has all changed now, with the leaking of files onto the dark web. A statement from the University mentions that it refused to pay the ransom, not wanting to support criminal offences or contribute to ransomware authors doing it to someone else next time. The University will also be contacting people and institutions affected by the data leak.

The shattering impact of a ransomware outbreak

The data appeared on the Vice Society leak page, which comes complete with pages “for journalists”, “for victims”, and even a blog. A short biography of the University sits above a “View Documents” link. Bleeping Computer says it found “financial documents, research papers, student spreadsheets”, and also backup documents.

Though nobody but the University itself can confirm the legitimacy of these claims and files, on the surface it doesn't sound good. Vice Society has been targeting education for some time now, with an ever-growing number of schools and learning resources being massively impacted by its attacks.

The UDE attack took the University's IT down at the end of November. Portions of the network were brought back online, but in a state so unsatisfactory that the whole thing had to be rebuilt from the ground up a week or so into January.

This is, of course, potentially devastating for educators who can no longer teach effectively, and students themselves who can no longer learn without additional hurdles to jump. Not all education sectors have the ability to teach remotely or even provide learning materials away from the classroom. If this disruption spills into test time or revision periods, things can quickly become a bit of a nightmare all round.

Keeping ransomware at bay

It’s not easy to fend off a determined ransomware attack, especially from an experienced group or someone making use of professional Ransomware as a Service (RaaS) tools. However, there are many ways to reduce the attacker’s window of opportunity.

  • Plan your emergency response. Who is responsible for what, and which data needs isolating from the network as fast as possible?
  • Lock down your Remote Desktop Protocol (RDP). Weak passwords, no 2FA, and no limit on how many times someone can try to log in spell disaster.
  • Back up your data. Keep the backups off the network, and test restoring from them on a regular basis.
  • Update your devices and your security tools, and run regular security scans across the network.

Stay safe out there!


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Timely patching is good, but sometimes it’s not enough

Ransomware gangs have shown that they can play a long game, so it shouldn’t come as a surprise to learn of one prepared to wait months to make use of a compromised system.

S-RM’s Incident Response team shared details of a campaign attributed to the Lorenz ransomware group that exploited a specific vulnerability to plant a backdoor that wasn’t used until months later.

Lorenz

The Lorenz ransomware group first appeared on the radar in 2021. It has targeted organizations all over the world and is known to specialize in VoIP vulnerabilities to get into its victims' environments. Like many ransomware groups, Lorenz steals its victims' data before encrypting it, so it can add the threat of a data leak to the threat of encryption leaving the data irrecoverable.

Vulnerability

In this particular case, the researchers found that the Lorenz group exploited CVE-2022-29499 a week before the victim applied the patch. The vulnerability, which has a CVSS score of 9.8 out of 10, exists in the Service Appliance component of Mitel MiVoice Connect through 19.2 SP3 and allows remote code execution because of incorrect data validation. In practice, it let an unauthenticated remote attacker send specially crafted requests that injected commands and achieved remote code execution.

Exploited

After a vulnerability has been discovered and patched, it is not uncommon for organizations to wait for a convenient moment to apply the patch. But as soon as a patch is made available, threat actors have the opportunity to reverse engineer it, find the vulnerability, create an exploit, and then scan for vulnerable systems. It's exactly this window of opportunity that the Lorenz ransomware group used to install a web shell on the vulnerable system. The web shell had a unique name and required credentials to use, a detail that keeps it from being trivially used by anyone else who stumbles across it.

The shell was placed some five months before the actual ransomware event, and sat dormant throughout that period. Whether the backdoor was created by an Initial Access Broker (IAB) and then sold on to the ransomware group, or whether the Lorenz group created it themselves, is unknown. But the result is the same.

Why wait?

The time between the compromise and the deployment of the ransomware can be explained by several theories.

  • The backdoor was planted by an IAB that waited for the right offer to sell off their access to the compromised system.
  • When an easy to exploit vulnerability is available, a group will first compromise as many systems as possible and later work their way through the list of victims.
  • During the initial breach, the threat actor replaced several key artefacts on the perimeter CentOS system, effectively preventing any further logging or audit data from being generated. Once the old logs have been rotated out and no new ones are being written, the attacker's chances of going in undetected improve considerably.

Patching

Besides showing us how important it is to patch in a timely fashion, this vulnerability has shown us that patching alone is not always enough.

This vulnerability claimed victims before a patch was available. It was found by investigating a suspected ransomware intrusion attempt, so at least one group was able to use it while it was still a zero-day.

The exploit details were published in June and the victim patched in July, but was compromised a week before patching. So the backdoor was planted in the time between the patch being released and it actually being installed, the so-called "patch gap".

Monitoring

So what else do we need to do when we patch a vulnerable system? A difficult question with no easy cure-all answer, but there are some pieces of advice we can give:

  • Keep the patch gap as small as possible. We know it's not easy, but it helps a lot.
  • Check vulnerable devices before and after patching for indicators of compromise (IOCs). IOCs may not always be available, but when a vulnerability is known to have been exploited you may be able to find published IOCs or at least work out where to look (unexpected files in the web root, for example).
  • Constant monitoring. If you didn't find the backdoor, make sure you have the capability to spot the tools threat actors use for lateral movement, and to block the final payload (ransomware in this case).
  • Look for unauthorized access or atypical behavior originating from the recently patched device or system, including the absence of normal behavior, such as the device's logs going quiet.
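One way to operationalise the last two points, as an added example that is not part of the S-RM report or of this post: a small Python check that flags perimeter hosts whose log stream has gone quiet, which is exactly the symptom the replaced logging artefacts on the CentOS box would produce. The host names, log lines, asset inventory and the 24-hour threshold are constructed assumptions for illustration; in practice you would feed it your SIEM's per-host event timestamps and your real asset list.

```python
"""Flag hosts whose log stream has gone quiet.

Added example, not from the S-RM report or the original post. Host names,
timestamps and log lines below are constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed syslog-style sample: "voip-edge" stops logging on 1 July,
# "fileserver" keeps going, and "mailgw" (in the inventory) never reports.
SAMPLE_LOGS = """\
2022-07-01T09:00:12Z voip-edge sshd[1201]: Accepted publickey for admin from 10.0.5.20
2022-07-01T09:30:45Z voip-edge cron[1330]: (root) CMD run-parts /etc/cron.hourly
2022-07-01T10:02:03Z voip-edge auditd[410]: Audit daemon rotating log files
2022-07-01T10:05:00Z fileserver smbd[2210]: connect to service share from 10.0.7.11
2022-07-02T08:15:22Z fileserver smbd[2210]: connect to service share from 10.0.7.12
2022-07-03T11:45:09Z fileserver sshd[2301]: Accepted password for svc-backup from 10.0.9.3
2022-07-04T07:55:41Z fileserver cron[2400]: (root) CMD run-parts /etc/cron.daily
"""

# Hypothetical asset inventory: every perimeter host that *should* be logging.
# Without an inventory, a host that never logged at all would be invisible.
EXPECTED_HOSTS = {"voip-edge", "fileserver", "mailgw"}

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_events(text):
    """Return (timestamp, host) pairs from '<ISO time> <host> <rest>' lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, _rest = line.split(" ", 2)
        events.append((datetime.strptime(ts, TS_FORMAT), host))
    return events


def find_silent_hosts(events, expected_hosts, max_gap=timedelta(hours=24), now=None):
    """Map each silent host to a reason string.

    A host is silent if it has no events at all, or if its newest event is
    older than max_gap relative to `now` (default: the newest event in the
    data set, so the check also works on an offline log export).
    """
    last_seen = {}
    for ts, host in events:
        if host not in last_seen or ts > last_seen[host]:
            last_seen[host] = ts
    if now is None:
        now = max(last_seen.values()) if last_seen else None

    silent = {}
    for host in sorted(expected_hosts):
        if host not in last_seen:
            silent[host] = "no events received"
            continue
        gap = now - last_seen[host]
        if gap > max_gap:
            hours = gap.total_seconds() / 3600
            silent[host] = f"last event {last_seen[host].strftime(TS_FORMAT)}, {hours:.1f}h ago"
    return silent


if __name__ == "__main__":
    for host, why in find_silent_hosts(parse_events(SAMPLE_LOGS), EXPECTED_HOSTS).items():
        print(f"ALERT {host}: {why}")
```

A decommissioned host will trip this check too, so the alert is a prompt to confirm the device's state rather than proof of tampering; the useful property is that an attacker who disables logging cannot also suppress the silence.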


Multiple schools hit by Vice Society ransomware attack

The real world impact of cybercrime rears its head once more, with word that 14 schools in the UK have been caught out by ransomware. The schools, attacked by the group known as Vice Society, have had multiple documents leaked online in the wake of the attack.

One of the schools highlighted, Pate's Grammar School, was affected on or around September 28, 2022. The school eventually realised around October 14 that data had been stolen, and notified parents. Law enforcement is investigating, but this timeline, in which the victim doesn't know for a week or two that data has been exfiltrated, is sadly common.

Schools: A recurring target

Vice Society is no stranger to school compromise, having most recently been in the news for threatening to leak data from the LA Unified School District. In that incident, the School District refused to pay up despite the threat of eventual data leakage should they not comply with the ransom demands.

Here, the same pattern of attack has been followed with data leaked after non-payment of the ransom. There’s going to be quite a bit of concern for parents and teachers alike, with sensitive data being thrown into the mix.

According to the BBC, the data includes:

  • Passport scans of both pupils and parents which date back to 2011
  • Contractual offers made to members of staff
  • Headmaster’s pay and student bursary fund recipients
  • Special Educational Needs (SEN) data 

Other, unnamed confidential documents were seen which belong to a variety of other schools from across all parts of the UK. The responses to the attacks from the schools are a mixed bag. Some reported the attack to teachers but did not notify them that data had been taken. Others notified their IT department but not parents and pupils. One school reports roughly 18,680 documents having been stolen.

The word from law enforcement

There's no word on whether any of the affected schools paid the ransom and had their data leaked anyway, or whether the ransomware gang stuck to its word and "only" leaked in cases of non-payment. As we've seen recently, cyber insurance is no guarantee of avoiding a ransomware pitfall either, with refusals to pay out being decided in a court of law.

Schools are a juicy target for ransomware affiliates. Schools often lack both funding and IT expertise, which can make them an easier target than sectors where funding for cybersecurity is more readily available. The impact on students can be immediate: no access to teaching resources, cancelled exams, or even a total school shutdown.

The FBI has already issued multiple alerts with regard to school attacks down the years, with a joint FBI / CISA alert dedicated to Vice Society back in September of last year:

Over the past several years, the education sector, especially kindergarten through twelfth grade (K-12) institutions, have been a frequent target of ransomware attacks. Impacts from these attacks have ranged from restricted access to networks and data, delayed exams, canceled school days, and unauthorized access to and theft of personal information regarding students and staff…School districts with limited cybersecurity capabilities and constrained resources are often the most vulnerable; however, the opportunistic targeting often seen with cyber criminals can still put school districts with robust cybersecurity programs at risk.

The message is loud and clear: If you’re in education, you’re sadly a target for some of the most prolific ransomware groups around and geographical location is no restriction.

Avoiding the breach

If you're compromised, there's no guarantee the attackers will play nice should you pay up. They may leak the files they've stolen anyway, or the decryption tool you're given to recover your files might not work properly. Our advice is to never pay. Here are some things to think about in terms of warding off ransomware attacks:

Remote Desktop Protocol (RDP) compromise. While we don’t know how the attackers got into so many school networks, we can say that RDP is often used to gain entry to targets. Ensure your RDP points are locked down with a good password and multi-factor authentication. If you require a VPN to access it, ensure the VPN is locked down with MFA and other security measures appropriate to your network too. Rate limiting is a great way to fend off brute force attempts on your login.

Back up your data. Backups are the last line of defence against an attack that encrypts your data. That makes your backups a target for attackers, so they need to be offline and offsite, completely out of reach. They also need to be tested regularly to make sure they can be restored and aren't missing anything vital. Note that backups are no defence against attackers who steal and leak the data.

Make an emergency plan sooner, rather than later. Too many incidents happen and the first reaction is “What do we do now?” Take the initiative. Work out who is contacted first in the event of an emergency, which data is the most sensitive and valuable on your network, and what do you need to restore access to first after an attack. You may have a backup plan in place, but who is responsible for setting it in motion? Are you aware of your legal data breach notification responsibilities? These are all valuable components of a solid response strategy.

Keep your tools in good shape. Are your security tools and network endpoints updated and patched? Ensure that you’re running regular scans and looking for unusual activity on the network. On a related note, keep your security tool licences up to date. You don’t want to discover, mid-incident, that someone in accounting didn’t authorise a payment for another year’s worth of security detection and remediation.

Stay safe out there!



3 ways Malwarebytes helps you browse securely and privately online

Malicious links. Third-party ad trackers. Information-gobbling data brokers.

Let’s face it, the Internet is kind of like the Wild West when it comes to threats to our privacy and security. And unfortunately, it takes a little more than a cowboy hat and a pistol to defend yourself out there.

That’s where Malwarebytes Premium + Privacy VPN comes in.

Whether it’s blocking unwanted trackers, securing your personal information, or booting malware off your devices, here are three ways Malwarebytes can help you become the sheriff of your own digital frontier.

1. Lets you browse anonymously

It’s no secret that some companies are big fans of your personal information.

Your name, your address, location data, and more, are all being collected, packaged up, and sold to advertisers at any given moment. Even menstrual cycle data is fair game.

But one of the most valuable pieces of information is your browsing history, because it says a lot about what you like and where you spend your time. When it comes to getting a good look at your browsing your ISP has a window seat, and in the USA ISPs have been allowed to sell your browsing data since 2017.

One of the easiest and most effective ways to put a stop to that? Using a Virtual Private Network, or VPN.

VPNs create a secure, encrypted "tunnel" between your device and the VPN server, through which all of your internet traffic is routed, so if your ISP is collecting your data, it won't be able to read it. (The VPN provider, of course, now sits where the ISP used to, which is why the choice of provider matters.)

But not all VPNs are equal.

Some VPN providers log your data and browsing history, which means they’re just another ISP that can potentially share your data with third parties. Other VPNs can slow down your Internet to a significant degree, using older encryption methods or having fewer options for servers located nearer to you.

Needless to say, choosing the wrong VPN vendor can feel like trading one poison for another. So if you’re tired of dealing with both data-hungry companies and lackluster VPNs, then look no further than Malwarebytes Privacy.

2. Crushes ads, third-party trackers, and blocks malicious websites

We ignore the many threats to web browsers at our own peril.

Legitimate sites are following us with third-party tracking code, and criminal hackers are busy making friendly sites unfriendly by injecting credit card skimmers, and trying to steal our passwords with phishing sites. One way or another, wherever you go, your personal, sensitive data is being stolen or shared with somebody using it for financial gain.

And your browser? It lets this happen without complaint.

If you think your browser comes with native abilities to block tracking scripts and other threats like phishing websites, though, you’d be half right.

Chrome has the infamously useless ‘Do Not Track’ setting, and anti-phishing engines exist, like Chrome Safe Browsing or Microsoft Defender SmartScreen, but they work with variable levels of success and aren’t enough by themselves.

It stands to reason then that Malwarebytes Browser Guard is the ultimate browsing sidekick for quashing ads, phishing sites, and trackers.

  • You’re in charge. We prevent third-party ad trackers from collecting information about your browsing habits.
  • Shields up. We intercept (and block) malicious skimming scripts before your browser can execute them.
  • Clear the clutter. Browse up to 4x faster by blocking ads and other unwanted content.
  • Uses heuristics to sniff out and block unknown phishing sites.
  • Available on your preferred browser—for free!

Malwarebytes Browser Guard blocking a credit card skimming attack

3. Uses multiple protection layers to actively stop threats

A key part of browsing securely online is accepting the risk that no one technology can keep out 100 percent of the threats 100 percent of the time.

To that end, it’s essential to use a strong anti-malware product that catches any threats that do slip through the cracks and make it to your desktop.

But that's not all. To quote everybody's favorite ogre, security has "layers" just like onions. Your anti-malware should also have multiple layers of defense, not just one.

Because what’s better than one layer of protection? Two.

What’s better than two? Three.

Better than that?

(Okay, you get the point.)

The fact is you don’t want to rely on any one mechanism to keep the wolves at bay, you want several.

Enter Malwarebytes Premium, offering four different layers of malware protection.

  • Advanced web protection. Blocks outgoing or incoming communication so malware can’t receive instructions or steal your data.
  • Malware & PUP protection. Blocks malware, viruses, adware, potentially unwanted programs (PUPs), and other threats.
  • Ransomware protection. Proprietary ransomware attack prevention technology.
  • Exploit protection. Blocks malware which seeks to leverage bugs and vulnerabilities in your device.

Go beyond just antivirus. Level-up your security and privacy today.

Choosing between security and privacy shouldn’t feel like a Herculean task.

While no single method is ever 100 percent foolproof, there are some tried and true ways for keeping your data (and device) safe that, if put into practice, will guard you from most of the threats and prying eyes on the Internet.

Downloading Malwarebytes is one of those ways.

With the Malwarebytes Premium + Privacy VPN bundle, you get total protection with smart antivirus, faster, safer web browsing, and our next-gen VPN for your online privacy. Level-up your protection and upgrade to the bundle today.

Stay safe out there!


US Department of the Interior’s passwords “easily cracked”

It’s bad news for the US Department of the Interior—a Government watchdog’s security audit has revealed its passwords are simply not up to the job of warding off cracking attempts.

The audit’s wordy title was not kind:

P@s$w0rds at the U.S. Department of the Interior: Easily Cracked Passwords, Lack of Multifactor Authentication, and Other Failures Put Critical DOI Systems at Risk

The audit used a list of "more than 1.5 billion words", run on a dedicated cracking rig that cost around $15,000, and tested those words against the cryptographic hashes of the department's Active Directory accounts. The list combined public password lists, pop culture and government terminology, and dictionaries in several languages.

How well did the 86,000 or so hashes hold up? The answer is, sadly, not hugely encouraging.

A poor show of security practices

According to the results:

  • 21 percent of the 85,944 hashes tested were cracked
  • Close to 300 of the cracked accounts had elevated privileges rather than being "regular" accounts
  • 362 of the cracked accounts belonged to senior employees

Perhaps more worryingly, multi-factor authentication (MFA) is not being used as widely as it could be. This may not be a surprise to regular readers. We’ve often talked about low MFA adoption rates, and this is despite large organisations like Google doing everything possible to drive people toward such setups.

25 out of 29 so-called high value assets were not protected by MFA. According to the audit, these accounts had the potential to “severely impact agency operations”.

4.75 percent of all active user accounts were based on the word “password”, and the department’s complexity requirements meant that variations of “password” combined with “1234” fulfilled the criteria despite being easy to crack.

The report makes several recommendations for better security practices, but Ars Technica notes that at least one of them is perhaps not the best advice. The audit takes the Department of the Interior to task for not sticking to password changes every 60 days. Many practitioners, and NIST's current guidance in SP 800-63B, hold that forced periodic changes just lead to weak password alterations. (If your staff think password1 is a decent password, they'll simply change it to password2 after 60 days.)

Tackling your password problems

If you're worried about your organisation's password routine, there are steps you can take to make it a lot more secure.

  1. Multi-factor authentication (MFA). With MFA, a cracked password is no longer enough on its own to log in, no matter how weak it is. The best form of MFA is a FIDO2 device, such as a hardware key, although almost any form of MFA is better than none.
  2. Strong passwords. Most humans are terrible at coming up with even one strong password, and most of us need about 100 of them. Password managers solve this problem by creating and remembering strong passwords. The key is to ensure that the master password is also strong, and that access to the password manager itself is gated behind MFA as well.
  3. Password requirements. If your complexity requirements sound good on paper but allow passwords like "p@ssw0rd123", you need to revise them. Research suggests that forcing users to make a password that passes a formula doesn't help much. It's better to block common passwords (and their obvious variations) and have users focus on choosing long passwords rather than shorter, more complex ones.
  4. Rate limit login attempts. As long as the login requires an online component of some kind, you can make life very difficult for attackers by allowing only 3 or 4 attempts before locking the account or source out for a period of time. (This does nothing against offline cracking of stolen hashes, which is exactly what the audit simulated, so it complements rather than replaces the other three.)
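To make point 3 concrete, here is an added Python example (not from the audit or from Malwarebytes) that puts the kind of character-class rule the report criticised beside a length-plus-blocklist rule. The blocklist, the leetspeak substitution table and the 12-character minimum are assumptions chosen for illustration; a real deployment would load a large breach-derived list, much like the 1.5 billion words the auditors used against the department.

```python
"""Password screening: a naive complexity rule beside a blocklist-based one.

Added example, not from the DOI audit. The blocklist, normalisation table and
12-character minimum are assumptions for illustration.
"""
import re

# Tiny stand-in for a public password list (constructed). "interior" stands
# in for the organisation's own name, which attackers always add to a list.
COMMON_PASSWORDS = {
    "password", "welcome", "letmein", "qwerty", "admin",
    "changeme", "iloveyou", "summer", "interior",
}

# Leetspeak substitutions that cracking rules apply to a wordlist, and that a
# blocklist check therefore has to undo before comparing.
LEET = str.maketrans("@$013457!", "asoieasti")

MIN_LENGTH = 12  # assumption; the point is length over character-class rules


def naive_complexity_ok(password):
    """The kind of rule the audit criticised: 8+ chars, one of each class.

    'P@s$w0rd1234!' passes; 'correct horse battery staple' fails.
    """
    return bool(
        len(password) >= 8
        and re.search(r"[a-z]", password)
        and re.search(r"[A-Z]", password)
        and re.search(r"\d", password)
        and re.search(r"[^A-Za-z0-9]", password)
    )


def normalize(password):
    """Lower-case, drop trailing digits/punctuation, undo leetspeak.

    'P@s$w0rd1234!' and 'Password1234' both collapse to 'password'. Trailing
    digits are stripped *before* the leet translation so '123' is not turned
    into letters.
    """
    stem = re.sub(r"[\d\W_]+$", "", password.lower())
    stem = stem.translate(LEET)
    return re.sub(r"[\d\W_]+$", "", stem)


def policy_check(password, blocklist=COMMON_PASSWORDS):
    """Return (accepted, reason): a length floor plus a normalised blocklist,
    with no character-class requirements at all."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    stem = normalize(password)
    if stem in blocklist:
        return False, f"variant of the blocked password '{stem}'"
    if len(set(password.lower())) <= 2:
        return False, "too few distinct characters"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("P@s$w0rd1234!", "Interior2023!", "correct horse battery staple"):
        print(f"{candidate!r}: naive={naive_complexity_ok(candidate)} policy={policy_check(candidate)}")
```

The contrast is the whole point: the first candidate satisfies every character-class box and is still one wordlist rule away from "password", while the four-word passphrase fails the naive rule and is the only one of the three a cracking rig would not find.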

Stay safe out there!



5 must-haves for K-12 cybersecurity

Over the years, cyberattacks on K-12 schools and districts have steadily increased, and in 2022 that trend only continued. In the first half of 2022 alone, the education sector saw an average of almost 2,000 attacks every week—a 114% increase compared to two years ago.

The tight budgets of many educational institutions force them to struggle with outdated equipment and limited staff, making them an easy target for cybercriminals. But if their wallets allow for it, there are a few staple cybersecurity safeguards that schools and districts should always consider implementing.

In this post, we’ll look at the 5 must-haves for K-12 cybersecurity.

1. Anti-ransomware EDR

It’s no secret that public schools have been experiencing a scourge of ransomware attacks lately. In total, 89 education sector organizations were impacted by ransomware in 2022—the number of potentially affected schools doubling from 2021 to 1,981.

The most high profile of these attacks occurred during Labor Day weekend, when a ransomware gang breached the Los Angeles Unified School District and stole roughly 500 gigabytes of data.

In addition to meeting ransomware best practices as defined by CISA, schools and districts should carefully consider their options when it comes to selecting an EDR vendor. In particular, an anti-ransomware EDR should have the following features:

  • Multi-vector Endpoint Protection (EP) built in
  • Maintains visibility across endpoints and supports regular patching
  • Uses machine learning (ML) that learns what 'goodware' looks like, rather than only matching known malware
  • Uses standard reference language and forensic analysis
  • Offers thorough containment, eradication, and recovery options
  • Searches for ransomware indicators across all your managed endpoints

For more, check out our six point checklist for an anti-ransomware EDR.

2. Third-party risk management

Data breaches and leaks constituted about 30% of K-12 reported cyber incidents in 2021, according to the K12 Security Information Exchange (K12 SIX). What’s more, 55% of these incidents were directly due to leaks originating from district vendors!

In 2021, schools reported breaches of personal information by Independent Health, PCS Revenue, and the Student Transportation of America, just to name a few.

In other words, the majority of school data breaches aren’t the handiwork of cybercriminals, but rather due to school district vendors and other trusted non-profit and government partners. Despite this, only 51% of those in the education sector say they evaluate the security and privacy practices of third parties before engaging with them.

Schools and districts should make it a point to follow third-party risk management best practices such as:

  • Keeping a comprehensive inventory of all third parties with access to your network.
  • Ranking levels of risk within third parties, looking for red flags such as poorly written policies and procedures, failed security audits, and complaints from customers about privacy and security.
  • Monitoring all third parties with access to your organization’s sensitive and confidential information.

3. Chromebook endpoint protection

As more and more schools adopt a 1:1 device to student ratio, it’s become clear that the Chromebook is the most preferred and widely-used device in K-12 schools. In fact, there are more than 50 million Chromebooks used in schools worldwide.

Chromebooks are so popular in schools for two big reasons: they’re cheap and they have strong built-in security. Three examples of built-in Chromebook security features are:

  • Native executables can’t be run (lower chance of malware infection)
  • Sandboxing is enabled by default (restricts the movement of threats between tabs, apps, and the OS)
  • Verified boot (the OS checks its own integrity at startup and, if it has been tampered with, restores a known-good copy)

But, while safer than devices running Windows or macOS when it comes to viruses and malware, Chromebooks remain vulnerable to other threats, including fake browser extensions, phishing, and dangerous or insecure websites.

A Chromebook endpoint protection solution can give school IT teams much-needed visibility into Chromebook activity, enabling them to prevent accidental access to harmful websites, block ads and malicious extensions, and protect user privacy.

Related infographic: Managing cybersecurity risk and optimizing uptime in K-12 schools.

4. Effective threat hunting

Consider the fact that, when a threat actor breaches a target network, they don’t necessarily act right away. The median number of days between system compromise and detection is 21 days.

By that time, it’s often too late: data has been harvested or ransomware has been deployed. In fact, 23% of intrusions lead to ransomware, 29% to data theft, and 30% to exploit activity, where adversaries use vulnerabilities to initiate further intrusions.

In other words, the earlier you can weed out a threat, the better. That’s why early threat detection, accomplished through threat hunting, is an absolute must-have for any school district.

Threat hunting arrived on the scene as an important security practice with the increased prevalence of unidentifiable or highly-obfuscated threats—those that quietly lurk in the network, siphoning off confidential data and searching for credentials to access the “keys to the kingdom.”

The bad news for K-12: Manually intensive and costly threat-hunting tools usually restrict this practice to larger organizations with an advanced cybersecurity model and a well-staffed security operations center (SOC). To that end, outsourcing threat hunting to seasoned professionals is a compelling option for K-12 schools.

Read the blog for more: Is an outsourced SOC worth it? Looking at the ROI of MDR

5. Automated, complete endpoint remediation

One of the biggest challenges schools and districts face is having the manpower to achieve cyber resilience—the ability to prevent, withstand and recover from cybersecurity incidents.

Without adequate staff or resources, the simple act of accessing an endpoint to perform remediation can be a manual, slow, and tedious effort. And inevitably, the longer the response time, the greater the risk schools and districts face and the greater the opportunity for the threat to do costly damage.

The key to adopting a cyber resilient approach to K-12 cybersecurity? Automation.

Automated tasks take place in less time with greater accuracy and reduce malware dwell time. In fact, 71 percent of security professionals state that automation reduces response time for detection, response, and remediation.

Examples of tasks an incident response product can perform automatically include updating the firewall to block malicious IP addresses as they are detected and immediately disabling networking on (isolating) an infected system, so that a compromise is contained before an analyst has even opened the ticket.
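The firewall-update and host-isolation steps described above are driven by a small decision layer that sits between the EDR’s alert stream and the enforcement points. The following is an added example written for this article, not code from any Malwarebytes product: it reads a constructed batch of EDR-style JSON alerts, decides which remote addresses to block at the perimeter and which hosts to isolate, and renders the block rules as iptables commands. The alert format, the category and severity thresholds, the allowlist, and the host names are all assumptions; the isolation call itself is left to the EDR’s own API because it differs per vendor.

```python
"""Automated remediation planner: EDR alerts in, block/isolate actions out.

Added example for this article, not Malwarebytes product code. Alert format,
thresholds, allowlist and host names are constructed for the demonstration.
"""
from __future__ import annotations

import ipaddress
import json
from dataclasses import dataclass, field

# Constructed sample alert stream (one JSON object per line). The documentation
# ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for real attacker IPs.
SAMPLE_ALERTS = """\
{"host": "lab-pc-07", "severity": "high", "category": "ransomware", "remote_ip": "203.0.113.45"}
{"host": "lab-pc-07", "severity": "high", "category": "c2", "remote_ip": "203.0.113.45"}
{"host": "lib-kiosk-02", "severity": "medium", "category": "c2", "remote_ip": "198.51.100.9"}
{"host": "admin-ws-01", "severity": "low", "category": "pup", "remote_ip": "8.8.8.8"}
{"host": "lab-pc-12", "severity": "high", "category": "lateral_movement", "remote_ip": "10.20.30.40"}
{"host": "staff-pc-03", "severity": "high", "category": "c2", "remote_ip": "8.8.8.8"}
this line is not JSON and must not abort the run
"""

# Alert categories that justify automatic action, and the severities at which
# the source host is pulled off the network (assumed policy, tune per district).
MALICIOUS_CATEGORIES = {"ransomware", "c2", "lateral_movement"}
ISOLATE_SEVERITIES = {"high", "medium"}

# Destinations that must never be blocked at the perimeter (assumed allowlist,
# e.g. DNS resolvers or the EDR's own cloud endpoints).
ALLOWLIST = [ipaddress.ip_network("8.8.8.8/32")]

# Internal ranges are listed explicitly. ipaddress's is_private would also flag
# the RFC 5737 documentation ranges used in the sample above, which is a real
# gotcha when test data doubles as a regression suite.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


@dataclass
class Plan:
    block_ips: set[str] = field(default_factory=set)
    isolate_hosts: set[str] = field(default_factory=set)
    skipped: list[str] = field(default_factory=list)


def _blockable(ip_str: str) -> bool:
    """True only for a valid, external, non-allowlisted address."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    if any(ip in net for net in INTERNAL_NETS):
        return False  # internal peer: isolate the host, never block it at the edge
    return not any(ip in net for net in ALLOWLIST)


def build_plan(alert_lines: str) -> Plan:
    """Turn a batch of alert lines into a deduplicated remediation plan."""
    plan = Plan()
    for n, line in enumerate(alert_lines.splitlines(), 1):
        try:
            a = json.loads(line)
            host, cat, sev, ip = a["host"], a["category"], a["severity"], a["remote_ip"]
        except (json.JSONDecodeError, KeyError, TypeError) as exc:
            plan.skipped.append(f"line {n}: unparseable alert ({type(exc).__name__})")
            continue
        if cat not in MALICIOUS_CATEGORIES:
            plan.skipped.append(f"line {n}: {cat!r} on {host} is not an auto-remediation trigger")
            continue
        if sev in ISOLATE_SEVERITIES:
            plan.isolate_hosts.add(host)
        if _blockable(ip):
            plan.block_ips.add(ip)
        else:
            plan.skipped.append(f"line {n}: not blocking {ip} (internal, allowlisted or invalid)")
    return plan


def render_firewall_commands(plan: Plan) -> list[str]:
    """Perimeter rules for a Linux gateway; order is deterministic for auditing."""
    cmds = []
    for ip in sorted(plan.block_ips, key=ipaddress.ip_address):
        cmds.append(f"iptables -I FORWARD -d {ip} -j DROP")
        cmds.append(f"iptables -I FORWARD -s {ip} -j DROP")
    return cmds


if __name__ == "__main__":
    plan = build_plan(SAMPLE_ALERTS)
    for cmd in render_firewall_commands(plan):
        print(cmd)
    for host in sorted(plan.isolate_hosts):
        print(f"# isolate via EDR API: {host}")
    for reason in plan.skipped:
        print(f"# skipped: {reason}")
```

Two details matter in practice and are easy to get wrong. First, an internal address that shows up in an alert (the 10.20.30.40 lateral-movement target in the sample) must never land in a perimeter block list; the right response is to isolate the source host, which the planner does. Second, an allowlist is what stops a noisy alert from knocking out your DNS resolver or the EDR’s own cloud connection, so the skipped list should be reviewed rather than discarded.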

Read the brief: Why it’s time to start automating endpoint remediation

Next-generation threat prevention and remediation for K-12 schools

As schools and districts continue to get hammered by cyberattacks, following a few K-12 cybersecurity best practices has never been more important.

Malwarebytes has ample experience providing local governments and public schools with effective, intuitive, and inclusive cyberprotection. Check out our government case studies and education pages to learn more.

More resources

How to Create a Successful Cybersecurity Plan

Ransomware Emergency Kit

Cyber threat hunting for SMBs: How MDR can help

Local government cybersecurity: 5 best practices

Update now! Patch Tuesday January 2023 includes one actively exploited vulnerability

The first Microsoft Patch Tuesday of 2023 is an important one to start the year off with. In total, 98 vulnerabilities were patched, including 11 that were labelled critical and one that is being actively exploited in the wild.

This is also the last time we expect to see fixes for Windows 8.1 included, since the support for Windows 8.1 ended January 10, 2023.

ALPC

Let’s start with the vulnerability that is being actively exploited in the wild. Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database, whose goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The actively exploited vulnerability is listed as CVE-2023-21674.

The flaw is an Elevation of Privilege (EoP) vulnerability in the Windows Advanced Local Procedure Call (ALPC) facility. ALPC is an inter-process communication (IPC) mechanism provided by the Windows kernel, used by client processes to talk to server processes, many of which run as SYSTEM. That is what makes it an attractive attack surface for EoP bugs: a flaw in ALPC can let a low-privileged (or sandboxed) client process obtain the permissions of the service it talks to, which are often SYSTEM privileges.

An EoP vulnerability by itself is of limited use to an attacker, who must already be running code on the target system before it can be used. So it is likely that it has been spotted in the wild as one link in an exploit chain, combined with a vulnerability that provides initial code execution, for example in a sandboxed browser or document-rendering process.

The Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its catalog of actively exploited vulnerabilities, urging federal agencies to apply patches by January 31, 2023.

SharePoint Server

Another vulnerability that deserves your immediate attention if you’re a Microsoft SharePoint Server user is listed as CVE-2023-21743, a SharePoint Server security feature bypass vulnerability. In a network-based attack, an unauthenticated attacker could bypass authentication and make an anonymous connection. Microsoft rates it as “Exploitation More Likely”, and exploitation requires no user interaction.

It is very important to note that users have to trigger a SharePoint upgrade action, which is included in this update, to protect their SharePoint farm. The upgrade action can be triggered by running the SharePoint Products Configuration Wizard, the Upgrade-SPFarm PowerShell cmdlet, or the “psconfig.exe -cmd upgrade -inplace b2b” command on each SharePoint server after installing the update.

BitLocker

Another interesting one, albeit only for those that use BitLocker, is CVE-2023-21563, a BitLocker security feature bypass vulnerability. BitLocker is a Windows volume encryption technology that protects your data from unauthorized access by encrypting your drive. Many travellers and remote workers trust BitLocker to keep sensitive data safe from prying eyes in case a laptop is lost or stolen. This flaw allows a successful attacker to bypass the BitLocker Device Encryption feature on the system storage device, which means an attacker with physical access to the target system could exploit it to gain access to the encrypted data. Physical access is required, but that is exactly the lost-or-stolen-laptop scenario BitLocker exists to cover, so it should be patched promptly on mobile devices.

Other updates

Other vendors have synchronized their periodic updates with Microsoft. Here are a few major ones that you may find in your environment.

Adobe released four patches to fix vulnerabilities in Acrobat and Reader, InDesign, InCopy, and Dimension software.

Cisco released security updates for its IP Phone 7800 and 8800 phones.

Fortinet published its monthly advisory covering issues in several of their products.

Google patched 60 vulnerabilities in the first Android update of 2023.

Intel published a oneAPI Toolkit software advisory.

SAP published 12 new and updated patches.

Synology issued an advisory about a vulnerability that allows remote attackers to execute arbitrary commands through a susceptible version of VPN Plus Server.

WhatsApp lawsuit against NSO Group greenlit by Supreme Court

On Monday, the US Supreme Court denied the NSO Group’s petition for a writ of certiorari, a request to the high court to review its case, signaling that Meta’s WhatsApp can go ahead with its case against the Israel-based company behind the Pegasus spyware. The court didn’t explain why it refused to hear NSO’s appeal.

If you recall, WhatsApp filed a lawsuit against NSO in 2019 under the Computer Fraud and Abuse Act for allegedly targeting and installing spyware on roughly 1,400 devices of its global users, including human rights activists, journalists, and government officials.

NSO Group allegedly did this by exploiting a then zero-day vulnerability in WhatsApp. Based on a detailed timeline of the case, NSO argued it is protected by the Foreign Sovereign Immunities Act (FSIA), which shields foreign states and their agencies from being sued in US courts, and is therefore immune to the lawsuit. District court judges in California were unconvinced by that argument.

The company then appealed to the US Court of Appeals, insisting it should be granted immunity, much to the dismay of a number of organizations: Microsoft, Google, Cisco, GitHub, LinkedIn, VMware, and the Internet Association (IA). These companies banded together to file an amicus brief supporting WhatsApp’s case.

Microsoft said:

“We believe the NSO Group’s business model is dangerous and that such immunity would enable it and other PSOAs to continue their dangerous business without legal rules, responsibilities or repercussions. The expansion of sovereign immunity that NSO seeks would further encourage the burgeoning cyber-surveillance industry to develop, sell and use tools to exploit vulnerabilities in violation of US law. Private companies should remain subject to liability when they use their cyber-surveillance tools to break the law, or knowingly permit their use for such purposes, regardless of who their customers are or what they’re trying to achieve.”

Eventually, the Appeals Court rejected NSO’s appeal.

Appeals Court judge Danielle Forrest wrote in a unanimous opinion:

“NSO does not contend that it meets the FSIA’s definition of ‘foreign state,’ and, of course, it cannot. It is not itself a sovereign. NSO is a private corporation that provides products and services to sovereigns — several of them,” 

“Whatever NSO’s government customers do with its technology and services does not render NSO an ‘agency or instrumentality of a foreign state,’ as Congress has defined that term. Thus, NSO is not entitled to the protection of foreign sovereign immunity.”

The NSO Group’s request for the Supreme Court to review its case was its last-ditch effort to be recognized as an agent of a foreign government and therefore entitled to sovereign immunity.

In a statement to Reuters, WhatsApp spokesperson Carl Woog is quoted saying:

“NSO’s spyware has enabled cyberattacks targeting human rights activists, journalists and government officials. We firmly believe that their operations violate US law and they must be held to account for their unlawful operations.”

Meta’s WhatsApp is not the only tech giant suing the NSO Group. Apple also filed a lawsuit against the Israeli firm in November 2021 for violating terms of service by hacking into the devices of Apple users, calling the company “amoral 21st-century mercenaries.”


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

2023 prediction: Security workforce shortage will lead to nationally significant cyberattack

If 2022 was any indication, businesses are about to face an unprecedented volume, frequency, and sophistication of cyberthreats in 2023. Global cyberattacks have increased by 483 percent over the last two years, and at the current rate of growth, damage from such attacks will amount to $10.5 trillion in 2025.

Against that backdrop, and despite increased spending on cybersecurity, the skills gap has widened to a canyon. According to the (ISC)² 2022 Cybersecurity Workforce Study, the global security workforce gap grew by 26 percent, with 3.4 million additional workers needed to effectively secure businesses. It’s this discrepancy that I believe will lead to a nationally significant cyberattack on a major US organization this year.

As an industry, we need to preemptively address these risks, both by immediately hiring and onboarding new cyber talent and introducing new tools and resources to help simplify operations for SMBs and other thinly-stretched teams.

How to find (and keep) diverse security staff—and when to turn to MSPs

Business leaders are doing a lot of hand-wringing these days. Fears of recession, geopolitical instability, and rising tides of cybercrime compete for attention and have already impacted budget decisions for 2023. But with the average cost of a US data breach at $9.44 million—more than twice the global average—many executives are putting their eggs in the cybersecurity basket. A recent Gartner survey of CIOs revealed that two-thirds plan to increase cyber spending this year.

And yet—will that be enough? Cybercriminals don’t retreat in the face of economic trouble. If anything, they up the ante to meet their financial goals, as has been witnessed firsthand with record cyberattack volume since the start of the pandemic. Cybercrime surged to meteoric heights in 2020 and 2021, and 2022 continued the upward trend with an additional 28 percent increase in global attacks. These numbers hardly do the crimes justice, as they don’t include the effect on employee productivity and morale, lost profits and investments, and irrevocable damage to company reputation.

While organizations have made major investments in cybersecurity recently, hiring additional staff members to manage complex systems, processes, and people does not appear to be a priority. In 2022, the security employment gap expanded by 40 percent to 700,000 unfilled positions in the US alone. “The cybersecurity talent shortage is one of the most significant and threatening challenges facing our industry today,” said Barbara Massa, executive vice president at Mandiant, in an article for CNN.

Indeed, an estimated 70 percent of respondents to the (ISC)² 2022 Cybersecurity Workforce Study reported that their organization does not have enough employees devoted to security, with more than half saying staff deficits put their company at “moderate” or “extreme” risk of cyberattack. It’s no leap of logic to assume a significant cyberattack will take place in 2023 due to a mistake made by an overburdened employee or an incident that overwhelms an understaffed team.

Signs of impending crisis have already started to show. According to a 2022 survey by Cobalt, a whopping 90 percent of respondents who have suffered shortages or lost team members are struggling with workload management. Talent gaps can have tangible impacts on an organization’s security posture, including difficulty maintaining standards, lackluster or non-existent training deployment, and undetected vulnerabilities slipping under the radar.

When security professionals are barely keeping their heads above water, important tasks slip through the cracks, leaving infrastructure exposed to the potential for massive compromise. That’s why it’s time to start thinking differently about the security talent shortage and look for creative solutions to the growing problem.

Recruiting security staff: fewer certifications, more diversification

Historically, job listings for cybersecurity positions have placed heavy focus on prior experience, often with a legacy security institution, as well as a laundry list of technical skills and certifications. Many businesses also require familiarity with their preferred software, with dozens of programs littering job descriptions. However, rigid adherence to such qualifications is often to blame for positions remaining unfilled for extended periods.

Instead, organizations should ditch preconceived notions that security professionals must possess a plethora of niche technical skills and consider candidates with so-called “soft skills” of creative problem-solving, communication, collaboration, and critical thinking. If the candidate shows strong potential and a willingness to learn—and is a good cultural fit with other team members and employees—they can be trained to pick up the technical skills they lack.

Another habitual practice in hiring security teams is to look at the same job boards or set of schools for graduates in computer science and information technology year after year. Instead, businesses should expand their search beyond the usual places and methods. A college degree is not always necessary for someone to become a talented cybersecurity professional.

Experts recommend looking in-house at employees not currently on the security team to fill open slots. Perhaps someone in IT, Q/A testing, or customer service has expressed an interest and can be easily trained. Capture the flag, bug bounty, and other security contests are also excellent sources of highly-skilled candidates, as are apprenticeship and internship programs. Finally, SMBs might have surprising luck poaching experienced candidates who are looking to make more of an impact from enterprise businesses, though admittedly this does little to address the overall skills shortage.

In addition to expanding skill and location parameters, it’s crucial for businesses to diversify their cybersecurity teams. With fresh perspectives, a diverse IS department can not only look at a problem from new angles but address multiple issues stemming from multi-dimensional adversaries. Diversifying security teams means adding members with different skill sets and backgrounds, including those traditionally excluded from the industry.

Women are a growing, yet still underrepresented, group in cybersecurity, making up just 25 percent of the global security workforce in 2021. Hiring managers can look to nonprofits, such as WiCyS, CybHER, Inteligencia, and the Diana Initiative to connect them with women looking to enter the field. The SANS Institute also offers the CyberTalent Immersion Academy for Women, where candidates receive world-class training and certification.

Businesses should also conduct outreach to tap into Black, Indigenous, and people of color (BIPOC) and LGBTQ+ communities for potential job prospects. A September 2021 study on diversity and inclusion in cybersecurity found that only 4 percent of US security professionals self-identify as Hispanic and 9 percent as Black.

To court ethnically and culturally diverse applicants, add language to job descriptions that explicitly states interest in groups often left out of hiring pools. Let candidates know the company fosters a welcoming environment for all and encourages professional development of its cybersecurity talent. In addition, look for organizations that match diverse hopefuls to job openings, such as CyberSN, Secure Diversity, and Blacks in Cybersecurity.

Retaining security staff: show them the money

Cybersecurity as an industry suffers from a retention problem. A study from the Kapor Center estimated that high turnover has cost the technology sector more than $16 billion annually. At the heart of such turnover is toxic workplace culture. Nearly 40 percent of employees surveyed said that unfairness or mistreatment played a major role in their decision to leave their company.

It follows, then, that creating fair policies for workload, promotion, and pay—plus treating all employees with dignity and respect—can help businesses hang onto talented security staff. Other strategies include:

  • Having a succession plan in place so employees can envision, and work toward, their career growth within the business.
  • Establishing a mentoring program to allow junior personnel to shadow senior staff and picture what the next stage of their career might look like.
  • Offering security staff opportunities to be involved in the planning stages of projects so they feel their voice is heard.
  • Giving employees ample time off for wellbeing, including mental health and personal days, to avoid burnout.
  • Allowing flexible in-office hours, including a hybrid or remote work schedule to keep competitive offers at bay.

Finally, of critical importance to attract and retain quality employees is offering a competitive salary. Currently, the median salary for cybersecurity professionals in the US is $135,000, according to (ISC)². The study also shows that 27 percent of security workers enter the sector for the high earning potential and strong compensation packages.

Salaries should increase to keep up with both market trends and increasing responsibilities related to the growing sophistication and frequency of cyberattacks. Between 2020 and 2021, some cybersecurity salaries jumped by more than 16 percent to well over six figures, according to a 2021 report from Dice, a tech recruiting platform.

To MSP or not to MSP

Organizations of every size are in the crosshairs of cybercriminals, but SMBs disproportionately feel the weight of cyberattacks. A 2022 Devolutions report found that 60 percent of SMBs have experienced at least one attack in the past year, and 18 percent have endured six or more. However, 44 percent of respondents indicated they do not have a comprehensive, updated incident response plan in place. Alongside choppy economic waters, 2023 could shape up to be a perfect storm for SMBs who haven’t shored up cybersecurity defenses.

SMBs traditionally have fewer resources than enterprises but are at the receiving end of more attacks. Top threats against SMBs include phishing, credential theft, and ransomware, the latter of which can render a small business bankrupt if not properly thwarted. SMBs need robust security protections, but over 40 percent have no internal IT personnel, and most of these businesses are staffed with just one generalist on call.

The growing complexity of securing ever-widening digital threat surfaces while maintaining industry, national, and international security and privacy regulations has driven many SMBs to turn to managed service providers (MSPs) as a lifeline.

MSPs allow small businesses to cost-effectively supplement or stand in for a full-fledged security team to protect against infections and reduce exposure to threats.

Many SMBs, recognizing that MSPs can be critical partners in helping them overcome security challenges, are planning to increase investment in managed IT and security solutions this year. The widespread and growing need for process digitization, cloud migration, post-COVID collaboration, analytics, compliance, and all-around better security are creating strong demand from SMBs for external expertise in cybersecurity.

SMB investment in MSP solutions will not only provide a shield against the onslaught of digital threats in 2023, but help organizations achieve their business goals while improving collaboration and engagement. Whether your organization has budget to hire a diversified security team or requires an MSP to handle complex security needs, ensuring you have skilled professionals to manage and deploy comprehensive protections will keep your business thriving in the new year and many years to come.

For more information on Malwarebytes’ Managed Service Provider Program, check out our dedicated MSP portal.

Cyberattack halts Royal Mail’s overseas post

If you’re looking to send letters or parcels outside of the UK using Royal Mail, you’ll want to hold off for a little while. Royal Mail is suffering from “severe disruption” after an unnamed cyber incident.

While no specifics are currently available, Royal Mail has disclosed enough to let us know that the disruption is very bad indeed.

The statement reads as follows:

“We are temporarily unable to despatch items to overseas destinations. We strongly recommend that you temporarily hold any export mail items while we work to resolve the issue. Items that have already been despatched may be subject to delays. We would like to sincerely apologise to impacted customers for any disruption this incident is causing.

Our import operations continue to perform a full service, with some minor delays. Parcelforce Worldwide export services are still operating to all international destinations though customers should expect delays of one to two days.”

Hunting for clues

The attack is being investigated by third parties, but there’s no word currently with regard to how quickly the services will be back online. Royal Mail has told Bleeping Computer that domestic deliveries are unaffected, so for now people will just have to steer clear of anything overseas bound. This is of course a big problem for people selling items online, or simply sending items to friends and relatives.

Potentially more costly alternative solutions may have to be found until Royal Mail can get its services back up and running.

We will update this blog as more details are released.

