IT NEWS

4 over-hyped security vulnerabilities of 2022

A critical vulnerability can send countless organizations into chaos, as security teams read up on the vulnerability, try to figure out whether it applies to their systems, download any potential patches, and deploy those fixes to affected machines. But a lot can go wrong when a vulnerability is discovered, disclosed, and addressed—an inflated severity rating, a premature disclosure, even a mixup in names.

In these instances, when the security community is readying itself for a major sea change, what it instead gets is a ripple. Here are some of the last year’s biggest miscommunications and errors in security vulnerabilities. 

1. “Wormable”

There are some qualifications for vulnerabilities that send shivers up the spine of the security community as a whole. The term “wormable” is used when an infected system can itself become an active source that infects other systems, so the growth of an infection is potentially exponential. You’ll often see the phrase “WannaCry-like proportions” used as a warning about how bad it could get.

Which brings us to our first example: CVE-2022-34718, a Windows TCP/IP Remote Code Execution (RCE) vulnerability with a CVSS rating of 9.8. The vulnerability could have allowed an unauthenticated attacker to execute code with elevated privileges on affected systems without user interaction, which makes it “wormable.” In the end, it turned out to be not so bad: it only affected systems with IPv6 and IPsec enabled, and it was patched before an in-depth analysis of the vulnerability was publicly disclosed.

2. Essential building blocks

Something we’ve learned the hard way is that there are very popular libraries, maintained by volunteers, that many other applications rely on. A library is a set of resources that can be shared among processes. Often these resources are specific functions aimed at a certain goal, which can be called upon when needed so they do not have to be included in the code of the software itself. A prime example of such a library that caused quite some havoc was Log4j.

So, when OpenSSL announced a fix for a critical issue in OpenSSL, everybody remembered that the last time OpenSSL fixed a critical vulnerability, that vulnerability was known as Heartbleed. The Heartbleed vulnerability was discovered and patched in 2014, but vulnerable systems kept popping up for years.

However, when the patch came out for the more recent OpenSSL issue, it turned out the bug had been downgraded in severity. That was good news all around: a patch for the two vulnerabilities is available, the announced vulnerability wasn’t as severe as we expected, and there is no known exploit for the vulnerabilities doing the rounds.

3. Zero-day

The different interpretations for the term zero-day tend to be confusing as well.

The most accepted definition is:

“A zero-day is a flaw in software, hardware or firmware that is unknown to the party or parties responsible for patching or otherwise fixing the flaw.”

But you will almost as often see something called a zero-day because the patch is not available yet, even though the party or parties responsible for patching or otherwise fixing the flaw are aware of the vulnerability. For example, Microsoft uses this definition:

“A zero-day vulnerability is a flaw in software for which no official patch or security update has been released. A software vendor may or may not be aware of the vulnerability, and no public information about this risk is available.”

The difference is significant. Almost any complex platform or piece of software contains vulnerabilities. Someone has to find such a vulnerability before it becomes a risk, and whether it then becomes a threat depends on the researcher who finds the flaw. If the researcher follows the rules of responsible disclosure, the vendor will be made aware of the existence of the flaw before anyone else, and the vendor will have a chance to find and publish a fix for the bug before any malicious actors find out about it.

So, for a vulnerability to be alarming, I would argue it has to be used in the wild or a public Proof-of-Concept has to be available before the patch has been released.

As an example of where this went wrong, a set of critical RCE vulnerabilities in WhatsApp got designated as a zero-day by several outlets, including some that should know better. As it turned out, the vulnerabilities listed as CVE-2022-36934 and CVE-2022-27492 were found by the WhatsApp internal security team and silently fixed, so they never posed any actual risk to any user. Yes, the consequences would have been disastrous if threat actors had found the vulnerabilities before the WhatsApp team did, but there never were any indications that these vulnerabilities had been exploited.

4. Spring4Shell

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database, each under its own number. CVE numbers are very helpful because they are unique and used in many reliable sources, so they make it easy to find a lot of information about a particular vulnerability. But they are hard to remember (for me at least). Coming up with fancy names and logos for vulnerabilities, such as Log4Shell, Heartbleed, and Meltdown/Spectre, helps us to tell them apart.

But when security experts themselves start to confuse different vulnerabilities in the same framework and researchers disclose details about an unpatched vulnerability because they think the information is out anyway, serious problems can arise.

In March, two RCE vulnerabilities were being discussed on the internet. Most of the people talking about them believed they were talking about “Spring4Shell” (CVE-2022-22965), but in reality they were discussing CVE-2022-22963. To add to the stress, a Chinese researcher prematurely spilled details about the vulnerability before the developer of the vulnerable Spring Framework could come up with a patch. This may have been due to the confusion about the two vulnerabilities.

In the end, Spring4Shell fizzled, working only for certain configurations and not for an out-of-the-box install.

Public service or not?

So, are we doing the public a service by writing about vulnerabilities? We feel we are, because it is good to raise awareness about the existence of vulnerabilities. But, to be effective, we need to meet certain criteria.

  • First of all, it needs to be made clear who is affected, who needs to do something about it, and what you can do to protect yourself.
  • While it is not always easy to assess the threat level, since we often don’t have the exact details of a vulnerability, it is desirable not to exaggerate the impact.
  • Make it very clear whether or not a threat is being used in the wild, if you have that information.

In a recent assessment, security researcher Amélie Koran said on Mastodon that the economic costs of Heartbleed were mostly due to vulnerability assessment and patching and not necessarily lost or stolen data. Not that it wouldn’t have backfired if the patch hadn’t been deployed, but it is something to keep in mind. A panic situation can do more harm than the actual threat.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Chasing cryptocurrency through cyberspace, with Brian Carter: Lock and Code S03E26

On June 7, 2021, the US Department of Justice announced a breakthrough: Less than one month after the oil and gas pipeline company Colonial Pipeline had paid its ransomware attackers roughly $4.4 million in bitcoin in exchange for a decryption key that would help the company get its systems back up and running, the government had in turn found where many of those bitcoins had gone, clawing back a remarkable $2.3 million from the cybercriminals.

In cybercrime, this isn’t supposed to happen—or at least it wasn’t, until recently. 

Cryptocurrency is vital to modern cybercrime. Every recent story you hear about a major ransomware attack involves the implicit demand from attackers to their victims for a payment made in cryptocurrency—and, almost always, the preferred cryptocurrency is bitcoin. In 2019, the ransomware negotiation and recovery company Coveware revealed that a full 98 percent of ransomware payments were made using bitcoin.

Why is that? Well, partly because, for years, bitcoin received an inflated reputation for being truly “anonymous,” as payments to specific “bitcoin addresses” could not, seemingly, be attached to specific persons behind those addresses. But cryptocurrency has matured. Major cryptocurrency exchanges do not want their platforms to be used to exchange stolen funds into local currencies for criminals, so they, in turn, work with law enforcement agencies that have, independently, gained a great deal of experience in understanding cybercrime. The advancement of technology that actually tracks cryptocurrency payments online has also improved the rate and quality of investigations.

All of these developments don’t necessarily mean that cybercriminals’ identities can be easily revealed. But as Brian Carter, senior cybercrimes specialist for Chainalysis, explains on today’s episode, it has become easier for investigators to know who is receiving payments, where they’re moving it to, and even how their criminal organizations are set up.

“We will plot a graph, like a link graph, that shows [a victim’s] payment to the address provided by ransomware criminals, and then that payment will split among the members of the crew, and then those payments will end up going eventually to a place where it’ll be cashed out for something that they can use on their local economy.”

Tune in to today’s Lock and Code podcast, with host David Ruiz, to learn about the world of cryptocurrency forensics, what investigators are looking for in reams of data, how they find it, and why it’s so hard. 

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

Update now! Apple patches active exploit vulnerability for iPhones

Apple has released new security content for iOS 16.1.2 and Safari 16.2. Normally we would say that Apple pushed out updates, but in this mysterious case the advisory is about an iPhone software update Apple released two weeks ago, which, as it turns out, fixed a zero-day security vulnerability that was being actively exploited.

Mitigation

The updates should all have reached you in your regular update routines, but it doesn’t hurt to check if your device is at the latest update level.

How to update your iPhone or iPad.

How to update macOS on Mac.

If you fear your Mac has been infected, try out Malwarebytes for Mac. Or Malwarebytes for iOS for your Apple devices.

Since the vulnerability we’ll discuss below is already being exploited, it’s important that you update your devices as soon as you can.

CVE-2022-42856

Apple revealed that it is aware that threat actors are actively exploiting the vulnerability listed as CVE-2022-42856. The bug was found in WebKit, which is Apple’s web rendering engine. In other words, WebKit is the browser engine that powers Safari and other apps. So, it’s no surprise that you will find the same CVE number in the Safari security advisory, along with a list of others.

Apple says the impact of the vulnerability is that processing maliciously crafted web content may lead to arbitrary code execution. The underlying issue was what is called a “type confusion” issue, which was addressed with improved state handling.

Type confusion vulnerabilities are programming flaws that happen when a piece of code doesn’t verify the type of object that is passed to it before using it. Type confusion can allow an attacker to feed function pointers or data into the wrong piece of code. In some cases, this can lead to code execution.
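To make the class of flaw concrete, here is an added illustration in C (constructed for this article, not Apple’s or WebKit’s code): a tiny tagged “value” type of the kind a script engine might use, with an accessor that skips the tag check beside one that verifies it. The unchecked accessor, handed a string value, reads the pointer bits as an integer, which is exactly the “using an object without verifying its type” pattern described above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a dynamically typed value whose tag says which
 * union member is live. Real engines use richer layouts; the principle
 * is the same. */
typedef enum { KIND_INT = 1, KIND_STR = 2 } kind_t;

typedef struct {
    kind_t kind;
    union {
        int64_t     i;   /* live when kind == KIND_INT */
        const char *s;   /* live when kind == KIND_STR */
    } u;
} value_t;

value_t make_int(int64_t i) {
    value_t v; memset(&v, 0, sizeof v);
    v.kind = KIND_INT; v.u.i = i;
    return v;
}

value_t make_str(const char *s) {
    value_t v; memset(&v, 0, sizeof v);
    v.kind = KIND_STR; v.u.s = s;
    return v;
}

/* Vulnerable pattern: the caller "knows" this is an int, so the tag is
 * never consulted. Given a string value it returns the pointer bits as
 * if they were a number. That is a type confusion. */
int64_t as_int_unchecked(const value_t *v) {
    return v->u.i;
}

/* Hardened form: refuse to operate unless the tag matches.
 * Returns 0 on success, -1 if the value is not an int. */
int as_int_checked(const value_t *v, int64_t *out) {
    if (v == NULL || v->kind != KIND_INT) return -1;
    *out = v->u.i;
    return 0;
}

/* Returns 1 when the unchecked accessor misinterprets a string value
 * (yields its pointer bits) while the checked accessor rejects it. */
int confusion_demonstrated(void) {
    value_t s = make_str("hello");
    int64_t got = as_int_unchecked(&s);          /* pointer bits, not a number */
    int64_t checked = 0;
    int rc = as_int_checked(&s, &checked);       /* -1: tag mismatch */
    return rc == -1 && got == (int64_t)(uintptr_t)s.u.s;
}

int main(void) {
    value_t n = make_int(42);
    int64_t out = 0;
    printf("checked int: rc=%d value=%lld\n", as_int_checked(&n, &out), (long long)out);
    printf("type confusion demonstrated: %d\n", confusion_demonstrated());
    return 0;
}
```

The defensive takeaway is the shape of `as_int_checked`: every accessor validates the tag before touching the union, so a value of the wrong type is rejected instead of being reinterpreted.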

Another clue was given when Apple revealed that security researchers at Google’s Threat Analysis Group, which investigates nation state-backed spyware, hacking, and cyberattacks, discovered and reported the WebKit bug. That might give you an idea about who was using the exploit in the wild.

Version confusion

What remains a mystery is why Apple specifically stated that this issue may have been actively exploited against versions of iOS released before iOS 15.1.

We asked our resident Apple expert Thomas Reed why iOS 16 users got an update and iOS 15 users didn’t.

He pointed out the fact that Apple recently documented that security fixes may only apply to the latest system, and may not be back-ported to older systems. This has always been the case, but it wasn’t documented, leaving users guessing about what was going on.

“Still, Apple has been known to back-port fixes when they’re aware of active attacks on an older system, so I doubt it’s just a matter of falling back on a disclaimer. That suggests to me that there’s some difficulty involved. I don’t know exactly what changed in WebKit between iOS 15 and 16, but there were definitely a lot of Safari-related changes in iOS 16, so it’s entirely possible there’s some kind of architectural change standing in the way of back-porting.”


Worldwide law enforcement action takes down major DDoS booter services

Criminals making use of booter services which execute Distributed Denial of Service (DDoS) attacks to take down websites will have to try a little bit harder today: A major international operation has taken no fewer than 48 of the most popular booter services offline.

The operation, known as “Power Off,” included law enforcement agencies from the UK, the US, the Netherlands, Germany, and Poland.

Sites down, operators arrested

The sites that were taken down by law enforcement have been replaced with seizure notices which read as follows:

This website has been seized

The FBI has seized this website for operating as a DDoS-for-hire service. This action has been taken in conjunction with Operation Power Off, a coordinated international law enforcement effort to dismantle criminal DDoS-for-hire services worldwide. DDoS attacks are illegal.

Law enforcement agencies have seized databases and other information relating to these services. Anyone operating or utilizing a DDoS service is subject to investigation, prosecution, and other law enforcement action.

As a result of the operation, seven individuals have been arrested in the UK and US with “further actions planned” against users of the services.

The National Crime Agency (NCA) reports that one of those arrested is just 18 years of age. “Around a quarter” of referrals to the NCA involve the use of booter services.

Why are booters so popular?

Booter services typically have a low technical barrier to entry. Back in the days of the Xbox 360, especially around 2009, custom-made booter services became very popular with gamers. If you wanted to ensure victory in an online session, you could pay a small fee and dedicated services would kick the other players out of the game, or you could download and run the tools yourself.

This is one way in which DDoS made the leap from “people who have a decent idea of what they’re doing in order to take a website down” to “pay me $10 and push this button to win.” As it turns out, pushing that button to win is a lot less intensive than figuring out how to make people run your executable or set up a working phishing page.

The people running these booter services know this, and that’s why they’re so popular. Need a website kicked offline? A gamer you just can’t stand? A service playing host to people you just can’t stand? Off to the booter markets you go. More often than not, people don’t realize how much trouble they can get into by using these tools. This is especially true in situations where young children or teenagers are looking to these services.

The long arm of the law

As the various agencies involved in this operation point out, they will be going after users of these services as well as those who operated them. They’re very clear that if you’ve used the now offline booters, you can expect to be paid a visit down the line.

Previous rounds of Operation Power Off have explicitly targeted the users of DDoS tools, with police visits to the home and device confiscation thrown into the mix for good measure.

If you’re tempted to use a DDoS tool of any kind, keep this in mind. “I only used it once because I was curious” is probably not going to save you from the law’s reach. As the NCA explains, a DDoS attack is a crime under the UK’s Computer Misuse Act 1990. If you’re on the fringes of illegality where this is concerned, check out their Cyber Choices page as soon as possible for a solid explanation of the consequences of these actions, and how you can use your technical skills in a positive manner.


Virtual kidnapping scam strikes again. Spot the signs

Warnings abound of a major new piece of fraud doing the rounds which uses your relative’s voice as part of a blackmail scam. What happens is the victim receives a call from said relative’s number, and they’re cut off by blackmailers who have them held hostage. The only way to get them back safely is to pay a sizable sum of money, usually within a time limit. Refusal to pay up could clearly end very badly for the person being held to ransom.

There’s just one problem with this: It’s all fake.

When virtual kidnappers attack

The tale is retold by a TikTok user who fell for the scam tactic, who says:

“New scam alert. I usually don’t fall for scams but they got me.”

The victim recounts how she heard the voice of her mother “fading away.” This is supposed to sound like someone being dragged away from the phone. At this point, a stranger jumps on the call demanding money “or else.” The scammer may be working alone, or have someone else doing things like yelling in the background at the non-existent kidnap victim. It’s all designed to convince the victim to hand over a large amount of cash in as short a time as possible.

In terms of demands, the pretend abductors demanded $1,000 in US dollars via Venmo or CashApp. The recipient of this call could only afford to send $100, at which point the callers ended the call. What followed was an understandably panicked call to the victim’s mother, who was safe the whole time.

Scams go around, come around

This is clearly an unpleasant story, but let’s take a deep breath before we perhaps become a little too alarmed by references to newness and (most importantly) claims of using your relative’s voice.

First, this is not a new tactic. Not at all. These are usually referred to as virtual kidnapping scams, and they’ve been around for some years now. Here’s an FBI release regarding the targeting of doctors back in 2014.

In fact, we covered a virtual kidnapping threat around the same time which threw a few more scam tactics into the mix. In those attacks, a fraudster would pretend to be from a phone network and call the person intended to be the fake kidnap victim. The fake phone network engineer would tell this person to turn the phone off for a few hours. This gave the fraudster time to call the other family member they intended to extort, with no risk of that relative checking whether the supposed kidnapee was in fact kidnapped or sitting at home.

When fraudsters get vocal

As for “using your relative’s voice”, well, no. Don’t panic. People may be inclined to start worrying about deepfaked voices winging their way across the airwaves. In these cases, the victim is almost certainly listening to generic voice recordings which very quickly fade out. The relatives don’t stay on the line, or make conversation, or say anything beyond muffled screams after the call begins because they’re not there.

The scammer is very unlikely to have anything sounding identical to your supposedly kidnapped relative. It’s the adrenaline shot of the call and sheer panic making people think that their relative is pleading down the phone line. This, combined with the spoofed phone number, is enough to make it all seem real while it’s taking place.

How to spot the signs of a virtual kidnapping scam

There’s a strong social engineering component to these attacks. Scammers trawl websites, social media, and more, to obtain names of families and individual family members. They do much the same thing for phone numbers, which is how you end up with a call which looks like it’s from your relative and from their phone number. With this in mind, we have some tips and suggestions for you:

  • Revisit your online presence, and lock down or delete as appropriate in relation to locations, names, and phone numbers.
  • Avoid posting travel dates and locations, which can add some fake legitimacy into a scammer’s phone call.
  • Family members should have a password which allows you to confirm someone actually is in some kind of serious danger.
  • It used to be that these scams were almost exclusively steered towards wire transfers. As you can see from the above story, those payment requests are now moving into the realm of being fully digital.

There are other tips online sourced from law enforcement, mostly in relation to asking to speak to your supposedly kidnapped relative, trying to contact them by other means while the scammers are on the line, and slowing the situation down to allow you to try and contact the kidnapee in the first place.

Yes, this is an awful scam. However, it’s definitely not new, people only think their relative is being heard down the line, and there are many strategies and safeguards in place to get one step ahead of the virtual kidnap scammers.

Stay safe out there!

InfraGard infiltrated by cybercriminal

InfraGard, a partnership between the FBI and members of the private sector that was established to protect critical infrastructure in the US, has been infiltrated by a cybercriminal. As a result, its database of contact information is now for sale on an English-language cybercrime forum.

InfraGard

InfraGard is a partnership between the Federal Bureau of Investigation (FBI) and members of the private sector that was created to help protect US critical infrastructure. In its collaboration efforts, InfraGard connects those responsible for critical infrastructure to the FBI. The FBI provides education, information sharing, networking, and workshops on emerging technologies and threats. InfraGard’s membership includes business executives, entrepreneurs, lawyers, security personnel, military and government officials, IT professionals, academia, and state and local law enforcement.

Breached

A threat actor posted samples as proof that they have obtained access to the more than 80,000-member database of InfraGard. According to KrebsOnSecurity, the threat actor is a member of the Breached forums using the handle USDoD. Pompompurin, the administrator of the cybercrime forum Breached, is providing an escrow service for the seller. An escrow service acts as a mediator between two parties making a financial transaction and is meant to ensure no one loses their funds due to a scam. The escrow receives the funds from the buyer and holds that payment until the buyer has received the purchase in good order.

False account

When asked, the threat actor revealed that they gained access by registering a false account. The user USDoD told KrebsOnSecurity that they applied with the name and real phone number belonging to a CEO of a major US financial corporation, but with an email address that was under the threat actor’s control. The application was approved, apparently without any verification step that would have made the CEO aware of it.

Once they had access, the InfraGard user data was easily available via an Application Programming Interface (API) that is built into several key components of the website.

The FBI commented that they were aware of a false account but declined to provide any further comments.

“This is an ongoing situation, and we are not able to provide any additional information at this time.”

The data

The stolen data are not earth-shattering. The stolen database has the names, affiliations, and contact information for more than 80,000 InfraGard users, but only 47,000 of the stolen records include unique emails. Probably due to the security awareness of the members, the data contained neither Social Security numbers nor dates of birth. Although fields existed in the database for that information, many users had left them blank.

What’s maybe more worrying is that the threat actor has direct access to the other InfraGard members and can use this “trustworthy” platform to engage on other phishing expeditions. USDoD said they were hoping the imposter account would last long enough for them to finish sending direct messages as the CEO to other executives using the InfraGard messaging portal.

This story looks like it might be continued. We will keep you posted here of any new developments.

Is Apple about to embrace third-party app stores?

On Tuesday, Bloomberg reported that Apple is preparing to allow access to third-party app stores on all iPhone and iPad devices owned by EU users, in anticipation of a new EU competition law coming into force in mid-2024. If the reporting is correct, then in future users in the EU will no longer be confined to the “walled garden” of the App Store and will be free to download apps from stores owned by companies other than Apple. If it happens, the move will bring both increased freedom and increased security risks.

The Digital Markets Act

The Digital Markets Act (DMA), also referred to as Regulation (EU) 2022/1925, was introduced by the European Commission, the executive arm of the EU, in December 2020 and was recently signed into law, in September 2022. It aims to “ban certain practices used by large platforms acting as ‘gatekeepers’ and enable the Commission to carry out market investigations and sanction non-compliant behaviour”. 

It targets the most prominent “Big Tech” companies operating within the EU. The Commission has yet to provide a list of gatekeepers, but Apple is expected to be one of them.

A gatekeeper is defined by the DMA as a platform operating on one or more of the world’s digital core services, which includes advertising, search, and social networking, in at least three EU countries and satisfies the following criteria:

  • Has an annual turnover of 7.5B EUR ($8.2B) or a market capitalization of 75B EUR ($82B)
  • Provides certain services, such as browsers, messengers, and social media, that have 45M EU users per month minimum and 10,000 annual business users

Non-compliant gatekeepers could be subjected to fines of at least 10 percent of their previous year’s annual worldwide turnover (20 percent for repeat offenders). Systemic violations could lead to a ban on acquiring other companies for a particular time.

“The agreement ushers in a new era of tech regulation worldwide. The Digital Markets Act puts an end to the ever-increasing dominance of Big Tech companies,” said Andreas Schwab, rapporteur for the European Parliament’s Internal Market and Consumer Protection Committee. “From now on, they must show that they also allow for fair competition on the internet. The new rules will help enforce that basic principle. Europe is thus ensuring more competition, more innovation and more choice for users.”

“As the European Parliament, we have made sure that the DMA will deliver tangible results immediately: consumers will get the choice to use the core services of Big Tech companies such as browsers, search engines or messaging, and all that without losing control over their data.”

New laws, new risks

Indeed, the DMA could usher in new business opportunities for small businesses and app developers, and give European users access to more apps and different pricing models. But with change comes challenges. Apple’s move to open the platform for other app stores threatens its services business and could introduce security risks.

Apple told Reuters that “allowing sideloading, bypassing its App Store, exposes users to security and privacy dangers”. On the other hand, some regulators and Apple critics say these are overblown.

Thomas Reed, Malwarebytes Director for Mac and Mobile, disagrees, and thinks Apple may take extra steps to beef up security around apps from third-party stores.

“There’s a lot of potential for this to undermine Apple’s security, so I’d expect there to be a lot of effort put into securing it. It’s possible third-party app stores, and apps downloaded from them, will have to run in some kind of sandbox that limits what they’re able to do.”

Alternatively, says Reed, Apple might let users embrace a less secure environment.

“It’s also possible Apple will create a less-secure mode, somewhat like Android’s developer mode, that users have to turn on explicitly. Although I don’t think this is likely, and it seems more out-of-character for Apple, as it would open up the device to more abuse.”

He sees problems with potentially unwanted programs (PUPs) either way though.

“Regardless of how they do it, I expect to see a big problem with PUPs in those third-party stores. Apple already has a problem policing its store, and they have way more resources to throw at it than any third-party would. I also see the potential for bogus third-party stores, not just app scams.

“We’ll be entering a whole new world where users will be able to download from numerous untrustworthy sources. I predict security issues will abound as a result.”


Is an outsourced SOC worth it? Looking at the ROI of MDR

In the turbulent world of cybersecurity, one thing is for certain: Threats are evolving in ways that make them harder for organizations to predict—and stop.

For businesses with scarce security staff resources and disconnected, complex toolsets, keeping up with today’s cyberthreats is even harder. That’s why an outsourced Security Operations Center (SOC) is a great option for resource-constrained organizations.

A SOC, or team of professionals who monitor and respond to threats for your business, is a staple of Managed Detection and Response (MDR) services. MDR is an outsourced service which provides organizations with 24×7 attack prevention, detection, and remediation, as well as targeted and risk-based threat hunting.

If you’re an organization wanting to reap the benefits of a 24/7 SOC, then MDR might just be the best bang for your buck. But hold up.

How much can you really save leveraging an outsourced SOC versus building your own in-house? How much ROI can MDR provide over the long-term? And are there any downsides to consider?

In this post, we’ll answer each of these questions and more.

In-house SOC vs outsourced SOC costs

In-house SOC costs

Spoiler alert: building an in-house SOC costs a heck of a lot more than partnering with an MDR provider. There’s quite a long (and expensive) checklist of things you’ll need to have, including:

  • Hire a minimum of five full-time employees to provide 24/7 coverage.
  • Identify effective avenues to find, hire, and replenish high-caliber security talent.
  • Develop an employee loyalty and retention program.

If we really get down to the nitty-gritty, there’s a slew of other costs and logistical hurdles you’ll have to take on:

  • Purchase, implement, and maintain the hardware and software for your SOC.
  • Project manage the facility operations and day-to-day functions.
  • Provide ongoing security training, certifications, and red team exercises to expand staff expertise.
  • Purchase and manage third-party security intelligence feeds.
  • Engage periodic outside consultation to assess the caliber of your detection and response services, and invest in appropriate items to make any recommended improvements.

Some estimates place the capital costs to establish a SOC at close to $1.3 million USD—and annual recurring costs running up almost $1.5 million USD. Not exactly dirt-cheap, to say the least.

Outsourced SOC costs

Outsourced SOCs, such as those provided by MDR services, are much more cost-efficient than building out your own.

Pricing for MDR is typically calculated based on the number of assets in your environment, somewhere in the ballpark of $8-12 USD per device/log source.

Some vendors will look at additional factors for pricing, including the number of ingress/egress points and the daily SIEM ingestion rate. Cost will also be influenced by any customer-specific pricing (including any discounts) and the breadth of services contracted (more features cost more, for example).

Assuming the average number of endpoints (servers, employee computers, mobile devices) for a small to mid-sized company is 750, you’re looking at dishing out a cool 6K to 9K a month for MDR.

All in all, the cost of MDR comes out at around 100K annually—quite a difference from the 7 figures we talked about with in-house!

Long-term ROI of MDR

Sure, when it comes to reaping the benefits of a 24×7 SOC, MDR is cheaper than building out your own—but that’s only one part of the picture. We should also look at the ROI of MDR and break down any savings we can expect over the long-term.

The two most obvious examples of the ROI of MDR are:

  1. It removes the full-time employee staffing costs of hiring five analysts to run a 24/7 SOC, and
  2. It alleviates the capital expenditures of purchasing a SIEM or other security tools.

But that’s not all. There are several other aspects of cost avoidance with MDR, including:

  • Reduced risk of data breach: With a team of seasoned professionals monitoring your network 24×7, you’re less likely to get hit with a data breach. In 2022 the average cost of a data breach was $4.35 million.
  • Savings attributed to reduction in security incidents: Infected (and therefore inoperable) devices greatly impact worker productivity. MDR can reduce worker downtime and reduce the IT resources needed for remediation.
  • Savings on cyber insurance: Cyber insurers want 24/7 detection and response in an environment. MDR satisfies this requirement for businesses, saving you potentially tens of thousands of dollars in premiums and other costs annually.

All this being said, there is one big factor to consider before jumping into MDR, and it has to do with control.

MDR providers will have access to sensitive network and endpoint data in order to monitor your infrastructure for threats. And although many MDR vendors have ways to secure/obfuscate that data, some organizations may still be wary of having their data handled by an outside organization.

When it comes to great security and high ROI, MDR is tough to beat

MDR is a cost-efficient way to reap the benefits of a 24/7 SOC for organizations that lack the budget to set one up themselves.

With MDR, organizations have access to a round-the-clock team of experts to threat hunt, stay on top of the latest adversary tools, techniques, and procedures (TTPs), and quickly remediate threats as necessary, among other things.

Get a deep dive into the Malwarebytes MDR service

Want to learn more about MDR, but not sure where to start? We’ve got you covered. Here is a list of resources we think you’ll find helpful:

Uber data stolen via third-party vendor

Uber is facing a new cybersecurity incident after threat actors stole some of its data from Teqtivity, a third-party vendor that provides asset management and tracking services.

“We are aware of customer data that was compromised due to unauthorized access to our systems by a malicious third party,” said Teqtivity in a statement. “The third party was able to gain access to our AWS backup server that housed Teqtivity code and data files related to Teqtivity customers.”

The investigation is ongoing, but Teqtivity would like you to know that it doesn’t collect or retain personal information, banking information or government identification numbers. As you’d expect, it says it has already notified affected clients and is taking steps to ensure a similar incident can’t happen again.

“We sincerely apologize for any inconvenience this may cause and very much regret this situation has occurred. Your confidence in our ability to safeguard your company data and your peace of mind are very important to us,” the company said.

Attack dates against Teqtivity and Uber have yet to be established; however, a threat actor named “UberLeaks” began leaking the stolen data on BreachForums, a site infamous for posting data breaches, around early Saturday morning, according to BleepingComputer.

UberLeaks claimed the data came from Uber and Uber Eats. However, the leaks are said to have included archives containing source code associated with mobile device management (MDM) platforms for Uber, Uber Eats, and Teqtivity. The leaks also had employee email addresses, corporate reports, data destruction reports, IT asset management reports, Windows domain login names and email addresses, and other corporate information.

UberLeaks created separate topics for the MDMs for the brands above, with each referencing a member of Lapsus$, the hacking group involved in the Uber breach in September.

Uber told BleepingComputer that it did not believe the files were related to the September security incident. “Based on our initial review of the information available, the code is not owned by Uber; however, we are continuing to look into this matter.”

The leaked data may not contain customer information, but security researchers who analyzed it said there’s enough to create targeted phishing attacks against Uber employees who may be tricked into giving away their credentials.

Uber has had its share of data breaches and controversies. In September, a purported teen hacker breached its network, compromised an employee’s access, and gained access to its internal Slack chat app. Six years before that, the personal data of 7 million drivers was exposed, including 600,000 driver’s license numbers. In July of this year, Uber confessed to a cover-up of the 2016 data breach with the help of its former chief security officer (CSO), Joe Sullivan. Sullivan was charged with obstruction of justice.


Play ransomware attacks city of Antwerp

The city of Antwerp’s digital systems have come to a grinding halt. The Flemish government under which Antwerp resides has confirmed that this is the result of a ransomware attack.

The consequences for the city’s inhabitants are drastic, as hundreds of city employees revert to working on paper instead of on their computers. This is creating complications for everything from the obvious to the not-so-obvious. 

For example: There are problems with payments to people that depend on city benefits (which are not expected to be resolved before the end of the year); libraries and recycling centers are closed; there is no way to obtain new IDs; and students with special needs are unable to use their laptops.

The Play ransomware group is claiming credit on its dark web leak site.

The Play leak site claims the attack on the city of Antwerp

Play is a relatively new ransomware group and first attracted media attention a few months ago, when it attacked Argentina’s Judiciary of Córdoba. Play can be recognized by the .play extension it adds to encrypted files and by a very simple ReadMe.txt ransom note, dropped only at the root of the C: drive, that contains just the word ‘PLAY’ and a contact email address.
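As an added example (not part of the original article), the two indicators described above turned into a simple triage check a responder could run against a suspect drive: count files carrying the .play extension and test whether a ReadMe.txt at the root holds the word ‘PLAY’ plus an email address. The sample directory tree and the contact address in it are constructed for the demo and are not real Play artifacts.

```python
import os
import re
import tempfile

# Indicators described in the article: encrypted files get a ".play" extension,
# and a ReadMe.txt note at the drive root holds "PLAY" plus a contact email.
ENCRYPTED_EXT = ".play"
NOTE_NAME = "ReadMe.txt"
NOTE_WORD = "PLAY"
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def note_matches(text: str) -> bool:
    """True if the note body looks like the Play note: the word PLAY and an email."""
    return NOTE_WORD in text and EMAIL_RE.search(text) is not None


def scan_for_play_indicators(root: str) -> dict:
    """Walk `root` (standing in for the C: drive root) and report both indicators."""
    encrypted = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(os.path.join(dirpath, name))
    note_found = False
    note_path = os.path.join(root, NOTE_NAME)  # the note is only dropped at the root
    if os.path.isfile(note_path):
        with open(note_path, encoding="utf-8", errors="replace") as fh:
            note_found = note_matches(fh.read())
    return {
        "encrypted_count": len(encrypted),
        "encrypted_files": sorted(encrypted),
        "note_found": note_found,
        "both_indicators": note_found and len(encrypted) > 0,
    }


def build_sample_tree(base: str) -> str:
    """Constructed fixture: a fake drive root with two encrypted files, one untouched
    file, and a note using a placeholder email (not a real Play contact)."""
    user_dir = os.path.join(base, "Users", "alice")
    os.makedirs(user_dir, exist_ok=True)
    for name in ("report.docx.play", "budget.xlsx.play", "notes.txt"):
        with open(os.path.join(user_dir, name), "w") as fh:
            fh.write("x")
    with open(os.path.join(base, NOTE_NAME), "w") as fh:
        fh.write("PLAY\ncontact@example.invalid\n")
    return base


def demo_scan() -> dict:
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_for_play_indicators(build_sample_tree(tmp))


if __name__ == "__main__":
    print(demo_scan())
```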

According to the leak site, 557 GB of information was stolen, including personal information, passports, other IDs, and financial documents.

ITdaily claims the attackers gained initial access through Digitalis, the digital partner of the city of Antwerp. From there they were able to encrypt essential files, which rendered databases and applications unreachable.

The large amount of stolen data suggests that the threat actor must have had access over a longer period of time.

The city has been given until December 19, 2022 to pay the ransom or the threat actor will start publishing the stolen data.

Government warning

In a newsletter to Belgian government employees, staff were cautioned to be alert and careful. This was prompted by recent attacks on the systems of the Zwijndrecht police by Ragnar Locker, and an attack on the municipality of Diest which has not been claimed by a specific ransomware group yet.

The Belgian government’s warning is specifically about actionable items for the staff:

  • Be alert about phishing attempts.
  • Use secure and unique passwords.
  • Identity verification during contact. Make sure the person you are communicating with is who they claim to be.
  • Use updated devices, only permitted software, and limit administrator privileges to where they are strictly necessary.

We concur. For organizations we would like to add:

  • Always use active anti-virus/anti-malware protection.
  • Limit Internet access to critical devices and systems where possible.
  • Ask the same prudence of your service providers.
  • Maintain offsite, offline backups and test that you can restore from them.
