IT NEWS

Introducing quarantine for Cloud Storage Scanning in Nebula

We’re excited to announce quarantine for Malwarebytes Cloud Storage Scanning (CSS), a new feature which allows you to automatically quarantine threats found in your cloud storage repositories.

Malwarebytes Cloud Storage Scanning is an add-on service in Nebula that scans for malware on cloud storage repositories across supported cloud storage providers, using multiple anti-malware engines to monitor and protect the health of all your enterprise data.

By turning on the Enable Quarantine toggle in the Cloud Storage Scan configuration, malicious files are automatically quarantined to the configured folder. You can manage these detections from the Storage Quarantine page. For more information, see Manage Cloud Storage Scanning quarantine in Nebula.

Let’s dive in to learn more about how quarantine for Cloud Storage Scanning works.

Configuring quarantine in a new Cloud Storage Scan

In Nebula, go to “Settings” and click “Cloud Storage Scans”. Here you can see existing scans and the providers being checked. Click “Add a Scan” to create a new scan. For our full article on how to configure Cloud Storage Scans in Nebula, check our previous blog post.


In the Quarantine tab, toggle Enable Quarantine on to automatically move detected malware to a selected user’s storage.


Select a user to transfer all quarantined files to. A quarantine folder will be created in their cloud storage location.


Quarantined files will no longer be accessible to original owners, collaborators, or others with access.

Select the default tombstone message or customize it. A tombstone file is created and replaces the original file when it is quarantined. The tombstone file is designed to provide information or instructions for users.


Manage Cloud Storage Scanning quarantine in Nebula

The Cloud Storage Quarantine page displays quarantined files from your cloud storage providers and allows you to manage them. Review the files detected by Cloud Storage Scans and moved to quarantine here.

If the file is a false positive, select it and go to Actions > Restore. This will place the file back in its original location.


To delete the file from quarantine, go to Actions > Delete. The file is sent to the administrator’s trash in the cloud storage provider.


Reduce risk from cloud-based malware, without slowing down your business.

Malwarebytes Cloud Storage Scanning (CSS) service enables Malwarebytes IR/EP/EDR customers to use our cloud-native Nebula console to detect (and now quarantine) threats across multi-vendor cloud storage repositories, such as Box and OneDrive.

With Malwarebytes CSS, customers gain centralized visibility across cloud storage repositories and the ability to generate reports to confirm the security of their cloud-stored data.

Learn more about CSS: https://www.malwarebytes.com/business/cloud-storage-scanning

Further resources

5 SaaS security best practices

Cloud data breaches: 4 biggest threats to cloud storage security

Benefits of a malware scanner for cloud storage

Cloud-based malware is on the rise. How can you secure your business?

Update now! Two zero-days fixed in 2022’s last patch Tuesday

In numbers, the patch Tuesday of December 2022 is a relatively light one for Windows users. Microsoft patched 48 vulnerabilities with only six considered critical. But numbers are only half the story. Two of the updates are zero-days with one of them known to be actively exploited.

Windows SmartScreen

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).

The vulnerability that is exploited in the wild is listed under CVE-2022-44698 and described as a Windows SmartScreen Security Feature bypass vulnerability. To understand how this works, you need to understand that files can be cryptographically signed in order to confirm who created them, and to confirm that they have not been changed since they were signed. Mark-of-the-Web (MOTW) is the name for the Windows technology that warns users of potential harm when downloading and opening a file from the internet or an email attachment. In other words, it’s a safety precaution in the form of a reminder that the user is about to use a risky file that might harm their computer. The problem is that a malformed signature bypasses all the warnings you should get, so you are bound to assume everything is dandy while it’s not.
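As an added illustration (not code from the article or from Microsoft), the PowerShell below triages files in a downloads folder by combining the two facts the paragraph describes: it reads the Zone.Identifier stream that carries the Mark-of-the-Web and checks the Authenticode signature status, flagging MOTW-tagged files whose signature is present but does not verify cleanly. The folder path and the extension list are assumptions.

```powershell
# Added example, not part of the original article. Lists downloaded files with
# their MOTW zone and Authenticode signature status so that files from the
# Internet zone carrying a signature that does not verify can be reviewed.
param(
    # Assumption: the user's Downloads folder is the place to look.
    [string]$Path = (Join-Path $env:USERPROFILE 'Downloads')
)

function Get-MotwZone {
    # Reads the Zone.Identifier alternate data stream Windows attaches to
    # downloaded files. Returns the ZoneId (3 = Internet, 4 = Restricted)
    # or $null when the file carries no Mark-of-the-Web.
    param([string]$File)
    try {
        $ads = Get-Content -LiteralPath $File -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        return $null
    }
    foreach ($line in $ads) {
        if ($line -match '^ZoneId=(\d+)\s*$') { return [int]$Matches[1] }
    }
    return $null
}

# Assumption: these extensions are the ones worth checking; adjust as needed.
$extensions = @('.exe', '.dll', '.msi', '.ps1', '.js', '.vbs')

Get-ChildItem -LiteralPath $Path -File -Recurse |
    Where-Object { $_.Extension -in $extensions } |
    ForEach-Object {
        $zone = Get-MotwZone -File $_.FullName
        $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
        $status = $sig.Status.ToString()
        [pscustomobject]@{
            File      = $_.FullName
            ZoneId    = $zone
            SigStatus = $status
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            # Review = file came from the Internet/Restricted zone AND carries a
            # signature that is neither Valid nor absent (e.g. HashMismatch,
            # NotTrusted, UnknownError), which is the combination described above.
            Review    = ($null -ne $zone) -and ($zone -ge 3) -and
                        ($status -notin @('Valid', 'NotSigned'))
        }
    } |
    Sort-Object Review -Descending |
    Format-Table -AutoSize
```

The script only surfaces candidates for a human look; a signature that fails to verify is not by itself proof that this vulnerability was used.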

DirectX Graphics Kernel

The other zero-day is labeled as “Exploitation Less Likely” but information about the vulnerability has been made public. The vulnerability is listed as CVE-2022-44710 and described as a DirectX Graphics Kernel Elevation of Privilege (EoP) vulnerability. To successfully exploit it the attacker would need to win a race condition. But if they succeed they could gain SYSTEM privileges.

A race condition, or race hazard, is the behavior of a system where the output depends on the sequence or timing of other uncontrollable events. It becomes a bug when events do not happen in the order the programmer intended. Sometimes these bugs can be exploited when the outcome is predictable and works to the attackers’ advantage.

Windows Secure Socket Tunneling Protocol

Two critical vulnerabilities we want to highlight were found in the Windows Secure Socket Tunneling Protocol (SSTP). CVE-2022-44670 and CVE-2022-44676 are remote code execution (RCE) vulnerabilities. Successful exploitation of these vulnerabilities requires an attacker to win a race condition but when successful could enable an attacker to remotely execute code on a remote access server (RAS).

A RAS is a type of server that provides a suite of services to remotely connected users over a network or the Internet. It operates as a remote gateway or central server that connects remote users with an organization’s internal local area network (LAN).

PowerShell

One more vulnerability we want to highlight because exploitation is more likely is listed as CVE-2022-41076 and described as a PowerShell RCE vulnerability. Successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment and to be authenticated. If these conditions are met, the attacker could escape the PowerShell Remoting Session Configuration and run unapproved commands on the target system. This seems a very likely candidate to be chained or exploited in combination with leaked or stolen login credentials.

Other vendors

As per usual, other vendors also released important updates:

Adobe released updates for Adobe Campaign Classic, Adobe Experience Manager, and Adobe Illustrator.

Apple released several updates. More on that later.

Cisco released updates for Cisco IP Phone 7800 and 8800 phones.

Citrix released updates for Citrix ADC and Citrix Gateway.

Fortinet released an update to patch for an actively exploited FortiOS SSL-VPN vulnerability.

Google released an Android security bulletin we discussed last week.

Mozilla released updates for Thunderbird 102.6, Firefox ESR 102.6, and Firefox 108.

SAP has released its round of December 2022 updates.

VMware has released security updates for multiple products. Users should review the VMware Security Advisories VMSA-2022-0031 and VMSA-2022-0033, and apply the necessary updates.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Silence is golden partner for Truebot and Clop ransomware

A recent rise in the number of Truebot infections has been attributed to a threat actor known as the Silence Group. The Silence Group is an initial access broker (IAB) that frequently changes tools and tactics to stay on top of the game. An IAB’s primary task is to find a weakness or vulnerability, create a foothold in a network, and do some exploratory work to find out how attractive the target is. Once this is done they can sell the access to another threat actor, like a ransomware group. For these tasks Truebot is the tool of choice in the Silence Group.

The Silence Group seems to have a strong relation with the group behind Clop ransomware, often referenced as TA505, which in turn has a large overlap with the FIN11 group.

Truebot

The researchers identified two separate Truebot botnets. One appears to be focused on the US, while the other is predominantly focused on Mexico, Pakistan, and Brazil.

We touched on the second one when we wrote about the recent activities of the Raspberry Robin worm. The use of this worm, in combination with an attack vector leveraging a Netwrix vulnerability, seems to have laid the groundwork for the creation of a botnet of over 1,000 systems that is distributed worldwide.

The other botnet is almost exclusively composed of Windows servers that are directly connected to the internet and expose several Windows services such as SMB, RDP, and WinRM. The attack vector that was used to establish this botnet has not yet been identified, although the researchers are confident that it is different from those used for the other botnet, Raspberry Robin and the Netwrix vulnerability (CVE-2022-31199).

New version

At its core, Truebot is a Trojan.Downloader. As such, it is an ideal malware for IAB groups that want to plant a backdoor on a system and do some basic reconnaissance of the network. For those purposes, this new version of Truebot collects this information: a screenshot, the computer name, the local network name, and active directory trust relations. Active Directory trust relations allow organizations to share users and resources across domains.

What’s also new is that this version is now capable of loading and executing additional modules and shellcodes in memory, making the payloads fileless malware which is less likely to be detected.

Exfiltration

Besides the usual suspects designed to act as a backdoor, Cobalt Strike and Grace, the researchers also found a new data exfiltration tool. Finding Grace as a payload seems to confirm the close ties between the Silence Group and TA505 since Grace was almost exclusively used by TA505.

The exfiltration tool, dubbed Teleport, was used extensively by the attackers to steal information from the network. It seems to be a custom data exfiltration tool built in C++, containing several features that make the process of data exfiltration easier and stealthier. It has some features that are not commonly found in remote copying tools but which make it very useful to an attacker stealthily exfiltrating data.

  • It limits the upload speed, which can make the transmission go undetected by tools that monitor for large data exfiltration and avoids slowing down the network.
  • The communication is encrypted to hide what information is being transmitted.
  • It limits the file size, which can maximize the number of stolen files by avoiding lengthy copies of files that may not be interesting.
  • The ability to delete itself after use, which is ideal to keep it as unknown as possible.

Clop

Ransom.Clop was first seen in February of 2019. Besides encrypting systems, the Clop ransomware also exfiltrates data that will be published on a leak site if the victim refuses to pay the ransom. In February of 2021, the group made headlines by targeting executives’ systems specifically to find sensitive data.

Mitigation

The tools that are used by Silence are versatile, but there are a few logical steps you can take to protect yourself and your organization:

  • Do not insert USB drives of unknown or unreliable origin into your systems. 
  • In Windows, the autorun of USB drives is disabled by default. However, many organizations have widely enabled it through legacy Group Policy changes. If you enabled it, this is a policy worth re-thinking.
  • Install patches as soon as possible, especially for internet facing devices.
  • Run an anti-virus/anti-malware solution that actively monitors and scans your systems.

Malwarebytes blocks the download URLs and detects Truebot as Malware.AI.{id.nr.}. Clop ransomware is detected as Malware.Ransom.Agent.Generic.

Electronic Sales Suppression Tools are cooking the books

When you see point of sale software in the news, it’s usually because the terminal has been compromised and is now stealing payment details used in the device. Insecure stores, whether compromised as part of an inside job or a phishing attack, are a big problem for both buyers and the store itself when the attack comes to light.

This time around, it’s a little bit different. The point of sale software here allegedly emerged during the pandemic and is designed to be an “Electronic Sales Suppression Tool”. It doesn’t steal payment details from shoppers. Rather, it enables the shop owner to potentially get up to a bit of tax dodging. The continued growth of these tools has resulted in the arrest of five individuals which tax authorities allege to be involved in the design and sale of said software.

Taxing times for scammers

The raids in Australia were spearheaded by the Australian Tax Office, alongside simultaneous raids undertaken in the US and UK. So-called Electronic Sales Suppression Tools (ESST) were outlawed in Australia back in 2018. From ATO Deputy Commissioner John Ford:

These dodgy sales suppression tools allow retailers to keep a separate set of books and launder the money in one transaction. They conceal and transfer this income anonymously, sometimes offshore.

How do these tools work?

ESSTs are designed to manipulate sales data in a way which allows the business to reduce the value of transactions. When this happens over a period of time and not all sales are being recorded properly, the business is making money but it is also shirking responsibility for paying its tax correctly.

This became a particular problem during the COVID-19 outbreak, where businesses in the UK were found to be committing specific kinds of pandemic fraud. The UK ran a Coronavirus Job Retention Scheme (CJRS), where employers could receive financial assistance in situations where employees were unable to work or the business had to reduce its capacity.

By using ESSTs, you could potentially show that your sales were down (when they’d actually been tampered with) and then claim against the CJRS scheme.

Targeting the suppliers

By and large, tax agencies and governments are focusing on the sellers, the coders, and the distributors of the tools. Having said that, businesses currently using ESST are being urged to notify the tax office before the tax office catches them in the act where penalties are likely to be more severe. From the ATO statement:

The ATO strongly encouraged businesses using ESST to come forward voluntarily rather than hope they won’t be discovered by ATO investigators.

Businesses that come forward voluntarily may be provided with an opportunity to receive a reduction in penalties. Information about how to do this is on the ATO website.

Businesses that have used ESS tools or software will need to review their past tax returns and activity statements to amend or correct them. They may also wish to discuss next steps with their registered tax professional.

According to The Register, 35 locations have been raided by Australian authorities in connection with ESST activities. Meanwhile Dutch tax agencies are branching out into exploring cryptocurrency and virtual assets. The slow shift away from cash to digital payments and processing in the post-pandemic world has encouraged a new arena of tax evasion and money laundering for both tax authority and scammer. It’ll be interesting to see who gains the upper hand. For now, the advantage seems to be with the tax agencies slowly closing the net on anyone looking to turn a dubious profit.

Man watches as stolen phone travels from UK to China

Have you ever wondered what happens to your phone if it’s stolen while on vacation or a business trip? The answer may surprise you, as it did one Mastodon user who graciously shared a tale of a smartphone gaining some serious air miles. Our intrepid business traveller was in London when their phone was snatched from their hand in the street.

Thankfully, they’d taken the precaution of setting up Apple’s Find My service prior to making their trip.

In practical terms, this meant that the phone could be remotely wiped (via Find My) and essentially turned into a paperweight. This has a twofold advantage: it keeps valuable data out of the thief’s hands, and it makes the phone considerably less useful to a criminal.

You might think a theft such as this stays local, and that’s what it looked like for a while with the phone coming to a halt a few miles away. I would have assumed the phone would be sold locally or scrapped, but in this story our thief had other ideas in mind. What followed was an attempt to revive the phone via phishing, and a very long flight.

When a theft gets phishy

The thief was not just interested in grabbing the device and selling it on in its bricked form. They wanted to reactivate the device too. This was attempted via a text message sent to the phone owner’s emergency contacts. The text reads as follows:

Your iPhone 13 Pro 256GB Sierra Blue has been found. View location: [URL]

Apple Support

The site, which spoofed the Find My website, was phishing for an Apple ID login to kickstart the reviving process. I’m sure the thief wouldn’t have objected to whatever data was locked behind that Apple ID too, but we can presume that getting the phone up and running is the primary concern.

Roughly a month after the phone was stolen, the activation lock for the device started pinging home. This is the feature which prevents random people from unlocking a lost or stolen device.

The victim of this crime was surprised to learn that the stolen device had travelled from the UK to Shenzhen in China. You may wonder if the Find My service was perhaps malfunctioning and the stolen device was still in London somewhere, but as we’re about to see, this is far from the only example of this happening.

Why do stolen phones end up in China?

Stolen phones ending up in China is, perhaps surprisingly, not uncommon. In fact, searching for this kind of thing brings up a wealth of results (try it!) and they all tend to look something like this:

Phones make their way via “networks of black marketers” to their new owners in cities where phones, and modifications, are extremely cheap. In many cases, the final destination for the stolen iPhone is someone who has no idea a theft took place. Occasionally there’s a heartwarming story and meet up, but mostly it’s just a case of “My phone is gone and now I need to do something about it”.

What to do if your iPhone is stolen

There are some great tips gleaned from personal experience via the above tale, most importantly making sure you turn on Find My. This is the way you’ll be able to remotely scrub that device and make it unusable for the thief. The other great tip is to make sure you have a secondary (and fast!) way to access Find My. If you don’t have an additional device with you, then you may struggle to find a way to get online and remedy the situation. Every second counts. It’s worth noting that you can still take steps to protect your data even if you don’t enable Find My.

Apple provides several tips for what you should do in the event of a theft. Here’s some of the more pressing technical related suggestions:

  1. Lock your phone down. Use the previously mentioned Find My service. Do this in advance of any theft! In your Settings app, tap your name, and then select Find My.

  2. Mark your phone as lost. Doing this via the Find My app disables the Apple Pay service, and locks the device with a passcode like so:

  • Open the Find My app and choose the Devices tab or the Items tab.
  • Select your missing device or item.
  • Scroll down to Mark As Lost or Lost Mode and select Activate or Enable.
  • Follow the onscreen steps if you want your contact information to be displayed on your missing device or item, or if you want to enter a custom message asking the finder of your missing device to contact you.
  • Select Activate.

  3. Erase the device remotely. To do this:

  • Open the Find My app and choose the Devices tab.
  • Select the device you want to erase remotely.
  • Scroll down and choose Erase This Device.
  • Select Erase This [device].

What to do if your Android is stolen

This can be a bit trickier, as there are so many different models out there and often network carriers nudge you towards using their own bespoke tracking solutions. Despite this, the basic Android options should always be available. To enable Android’s Find My Device service:

  • Open Settings
  • Tap Security > Find My Device.
  • If you can’t see the Security option, tap Security & location or Google > Security.
  • Ensure Find My Device is enabled.
  • Test the service out on the Find my Device site.
  • From the map, you can select the “Lock and Erase” option. Note that it may not erase the contents of an SD card.

Losing your phone, laptop, or other device to a thief is never a pleasant experience but you’re never totally out of options. The trick is to ensure you put some time into setting these solutions in place long before the possibility of a theft happens. Stay safe out there!

A week in security (December 5 – 11)

Last week on Malwarebytes Labs:

Stay safe!

Indiana sues TikTok, describes it as “Chinese Trojan Horse”

On Wednesday, the State of Indiana filed two lawsuits against TikTok, Inc, the company behind the app of the same name, and its parent company, ByteDance.

The first suit alleges TikTok’s 12+ rating on the Apple App Store and a “T” for “Teen” rating in the Google Play Store and the Microsoft Store are misleading as minors are repeatedly exposed to inappropriate content generated by the app’s algorithm. 

The second suit claims that TikTok violated consumer protection laws by not disclosing that China has access to sensitive user data.

“TikTok is a wolf in sheep’s clothing,” court documents read, echoing what Federal Communications Commission (FCC) Chairman Brendan Carr said about TikTok back in July.

“As long as TikTok is permitted to deceive and mislead Indiana consumers about the risks to their data, those consumers and their privacy are easy prey.”

TikTok declined to comment on the lawsuits; however, its spokesperson, Brooke Oberwetter, was quoted by The New York Times saying, “the safety, privacy, and security of our community is our top priority.” Oberwetter added:

“We build youth well-being into our policies, limit features by age, empower parents with tools and resources, and continue to invest in new ways to enjoy content based on age-appropriateness or family comfort.”

When TikTok CEO Shou Zi Chew attempted to assuage critics by pointing out that US data are hosted on servers managed and controlled by Oracle, an American company, and disputing claims that the Chinese government could access the data, the second suit stated that such statements are “false and misleading.”

“In addition to TikTok’s statements that some China-based employees may access unencrypted US user data, which includes Indiana consumers’ data, TikTok’s privacy policy permits TikTok to share information with ‘ByteDance’ or ‘other affiliate of our corporate group,’” the suit claims. “ByteDance and any affiliates and their employees who are located in China or are Chinese citizens are subject to Chinese law and the oppressive Chinese regime, including but not limited to laws requiring cooperation with national intelligence institutions and cybersecurity regulators.”

Because ByteDance is subject to Chinese law, and TikTok’s privacy policy expressly permits TikTok to share data with ByteDance, TikTok’s statements that Chinese law does not apply to that data are false and misleading.

Banning TikTok is slowly becoming a trend among US states. On Tuesday, outgoing Maryland Governor Larry Hogan issued a directive forbidding state employees from using several pieces of Chinese and Russian equipment and software, citing that these present “an unacceptable level of security risk.” These include TikTok, Huawei products, ZTE, Tencent products, Alibaba products, and Kaspersky.

Iranian hacking group uses compromised email accounts to distribute MSP remote access tool

Researchers have uncovered a new campaign by hacking group MuddyWater, aka Static Kitten, in which a legitimate remote access tool is sent to targets from a compromised email account. The targets in this campaign are reportedly in Armenia, Azerbaijan, Egypt, Iraq, Israel, Jordan, Oman, Qatar, Tajikistan, and the United Arab Emirates.

MuddyWater is suspected of being associated with Iran’s Ministry of Intelligence and Security. The group is tracked by various vendors under other names such as Boggy Serpens, Cobalt Ulster, Earth Vetala, Mercury, Seedworm, Static Kitten, and TEMP.Zagros. The group is believed to have targeted a variety of government and private organizations across various sectors, including telecommunications, local governments, defense, oil, and natural gas.

Over the years, the group has deployed many different tactics, including Log4Shell attacks. Its most common method is to send targeted phishing emails with links to malware hosted on legitimate services like Dropbox and Onehub.

Compromised accounts

The emails are sent from compromised accounts, which is a way to establish a level of trust without requiring a high skill level on the attacker’s side. In a targeted attack, the receiving end knows the company or maybe even the person who allegedly sent the mail. Compromised email accounts can be bought on Dark Web markets for a relatively low fee (price range is $8-$25).

The downloaded files contain an installer for the agent of a remote access tool. Remote access tools, or remote control software, let you remotely control one computer from another. The remote control features of some of these tools give the controller the feeling they are working directly on the remote system, along with a high level of control. For this reason they are often installed by managed service providers (MSPs) to remotely troubleshoot or administer their clients’ systems.

Syncro

In the past, MuddyWater used ScreenConnect, RemoteUtilities, and Atera Agent, but in the current campaign the group has switched to Syncro, an integrated business platform for MSPs. The trial version of Syncro that the threat actor distributed contains the fully featured web interface which allows complete control over a computer with the Syncro agent installed. Those features include terminal with SYSTEM privileges, remote desktop access, full file system access, tasks, and services manager—ideal for an attacker to expand their foothold across the target’s network.

Mitigation

This threat actor uses legitimate services and tools to gain initial access and do reconnaissance of the target network, so they can be hard to detect.

The article by Deep Instinct contains a list of IOCs and TTPs. In general, we can only repeat:

  • Don’t click on links or open unexpected attachments, even if they seem to come from someone you know.
  • While there could be legitimate reasons for the presence of remote access tools, make sure you know who installed them and why. And monitor their actions.

The weirdest security stories of 2022

There’s been a lot of weird and frankly bizarre attacks over the course of 2022, nestled in amongst the usual ransomware outbreaks and data breaches.

Whether we’re talking social media, email, or even malware, there’s been a mind-bending tale of tall behaviour in almost every corner. It’s time to forget about nation state attacks and the nagging sensation that every single piece of data ever created has ended up on a TOR site somewhere.

For one brief moment in time, we’re going to wallow in weirdness.

419 scams…in spaaaaaaaaaace

There aren’t many individual scams which can put “18 years and counting” on their resume. However, what we have here is something very odd and very special. Way back in 2004, a spam email claimed that assistance was needed for a lost astronaut. Supposedly trapped on a top secret Soviet space station, the astronaut’s cousin implored recipients to help bring the missing astronaut home. Of course, this was tied into a nonsensical scam about recovering lots of lost money should he be brought safely back.

So yes, it’s weird…but it’s just a one off. Right?

Well, no. Turns out this baffling attempt at parting people from their money would come back around every so often. To be more precise, 2010, 2016, and now 2022 with a whole new astronaut to recover. This feels like less of a final frontier and more of a never ending, he’ll be back again in a few years frontier. See you in 2026?

A dance off of destruction

If you’ve ever pondered how certain people give off bad vibes, you’ll be one step closer to understanding how other types of bad vibes stand a chance of destroying your hard drive. If you happened to be one of the few people running a certain type of OEM hard drive on a Windows XP desktop, Janet Jackson was someone to avoid.

How so? Because the video for Rhythm Nation matched a resonant frequency identical to those hard drives. When the two clashed, there would be only one winner and it wasn’t the hard drive.

Amazingly, it was possible to crash a second device in the same room while playing the video on the first. Even Michael wasn’t able to pull something like that off.

Monkeying around with digital artists

Apes! NFTs! Cyberpunk! Wait, what?

In May, artists offering their wares on several platforms were approached by individuals claiming to represent the “Cyberpunk Ape Executives”, because of course they were. The “executives” claimed to have wonderful ape-related NFT projects waiting in the wings. $200 to $350 per day is not an untidy sum for artists, many of whom may not pull in anything close to that from commissions.

Sadly, it was all a large ape-shaped lie. The supposed promo zip for the project contained a number of ape pictures and an infostealer. While there was no direct evidence of account theft from the malware file, numerous accounts caught out by this attack were indeed compromised. Whether those compromises specifically were via some additional form of social engineering, we’ll likely never know.

Invisible ads for thee but not for me

You might think that adverts designed not to be seen sounds like some sort of wonderful utopia. Finally, you can set down your ad blockers and your beacon trackers and presumably wander into the woods a free person.

However, you might miss the ads in the woods, but the people watching you walk around will see ads galore. Amazon decided to trial ad technology which displays ads in Twitch streams, but the ads are only visible to certain people. If you’re the player, you won’t see them. If you’re watching the stream, you will.

Given how hard game developers work to ensure players are funnelled into locations where they see ads, this all sounds somewhat counterintuitive. You’re not only trying to drag a player to a place where an ad exists, but also to draw them towards the nice shiny ad in the first place. If you have a dimly lit area and the one beacon of light is a giant billboard containing an ad, you’re achieving both of your goals in one fell swoop. If there’s no cool-looking ad pulling the player further towards where you want them to go, they might simply not go there.

This may well turn out to be a case of Amazon seeing how well we’ve trained players to follow the trail of digital breadcrumbs. Will they gravitate towards ads while not being able to see them? Or wander off in all the wrong places, much to the frustration of the ad teams? Only time will tell.

Mark Ruffalo deepfake smashes life savings

“Mark Ruffalo deepfake romance scam”. What a sentence. What a world. One of the biggest questions about this whole endeavour is “Why Mark Ruffalo”? He seems nice enough, but why did a scammer sit down and decide to use the Hulk actor specifically as bait for this romance scam? Was deepfake Chris Evans not available?

What we do know is that a well-known manga artist was tricked into handing over large amounts of money at the behest of a deepfake Mark Ruffalo. A video call lasting just half a minute was enough to convince Chikae Ide to part with roughly half a million dollars in return for deepfake Mark Ruffalo’s undying love. While all of the other deepfake scammers in 2018 were making dubious pornography or supposedly figuring out how to cause trouble during elections, this scammer decided to ignore all of that and smash and grab someone’s savings.

A carnival of fake cricket

In what may perhaps be the oddest story of this year, a small village became the stage for a fake cricket gambling operation, complete with live streams of the fake cricket games, a commentator who sounded like an actual syndicated cricket commentator, and even fake crowd cheers piped in through speakers as the games went on.

The bogus operation hit 47 videos and 49k views on its YouTube channel before law enforcement broke up the operation.

There really is no limit to how far some people will go to turn a quick bit of profit.

We can only hope that 2023 is slightly more sensible, with significantly fewer scams and technical oddities. No more fake movie stars, an end to lost astronauts, and most definitely an End of Line for hard drives vibrating themselves into the digital afterlife.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Apple announces 3 new security features

Apple has announced three new security features focused on protecting user data in the cloud: iMessage Contact Key Verification, Security Keys for Apple ID, and Advanced Data Protection for iCloud.

iMessage Contact Key Verification and Security Keys for Apple ID will be available globally in 2023. Advanced Data Protection for iCloud is available in the US today for members of the Apple Beta Software Program, and will be available to US users by the end of the year. The feature will start rolling out to the rest of the world in early 2023.

3 new features

iMessage Contact Key Verification

Apple’s messaging app, iMessage, already uses end-to-end encryption so that messages can only be read by the sender and recipients. Its new iMessage Contact Key Verification ramps up the protection for “users who face extraordinary digital threats”, such as journalists, human rights activists, and politicians.

Conversations between users who have enabled iMessage Contact Key Verification receive automatic alerts if an exceptionally advanced adversary, such as a state-sponsored attacker, were ever to succeed in breaching cloud servers and inserting their own device to eavesdrop on these encrypted communications.

Security Keys for Apple ID

In what can be considered another step towards a password-less future, Security Keys for Apple ID will give users the choice to use third-party hardware security keys. A hardware security key uses public-key encryption to authenticate a user, and is much harder to defeat than other forms of authentication, such as passwords, or codes sent by SMS or generated by apps.

For users who opt in, Security Keys strengthen Apple’s two-factor authentication by requiring a hardware security key as one of the two factors.

This new Apple ID support for physical authentication keys is another feature long-sought by users and announced months ago in cooperation with Google and Microsoft.
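To show why the public-key authentication described above resists the reuse that defeats SMS or app codes, here is an added model (not Apple’s protocol or code, and not from the original article): a server that stores only the public half of the key and accepts exactly one signature per fresh challenge. The HardwareKey and AccountServer names and the choice of Ed25519 are assumptions made for this demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// HardwareKey models a security key: the private key never leaves it; it only signs challenges.
type HardwareKey struct{ priv ed25519.PrivateKey }
func NewHardwareKey() (*HardwareKey, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand; only fails if the OS RNG does
	return &HardwareKey{priv: priv}, pub
}

func (k *HardwareKey) Sign(challenge []byte) []byte { return ed25519.Sign(k.priv, challenge) }

// AccountServer stores only the public key from enrolment plus its outstanding challenges.
type AccountServer struct {
	registered ed25519.PublicKey
	pending    map[string]bool // each issued challenge may be answered exactly once
}

// NewChallenge issues a fresh random nonce for one login attempt.
func (s *AccountServer) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err) // a failing OS RNG leaves nothing safe to do
	}
	s.pending[string(c)] = true
	return c
}

// Verify accepts a login only if the challenge is still outstanding and the signature was made by
// the registered key. Unlike an SMS or app code, a captured answer cannot be reused or transplanted.
func (s *AccountServer) Verify(challenge, sig []byte) error {
	fresh := s.pending[string(challenge)]
	delete(s.pending, string(challenge)) // consumed whether or not the signature checks out
	if !fresh || !ed25519.Verify(s.registered, challenge, sig) {
		return fmt.Errorf("rejected: unknown or used challenge, or signature not from registered key")
	}
	return nil
}

func main() {
	key, pub := NewHardwareKey()
	srv := &AccountServer{registered: pub, pending: map[string]bool{}}
	c := srv.NewChallenge()
	fmt.Println("login:", srv.Verify(c, key.Sign(c)), "| replay:", srv.Verify(c, key.Sign(c)))
}
```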

Advanced Data Protection for iCloud

Advanced Data Protection for iCloud is end-to-end encryption for data that is synced between devices via iCloud. Encrypted data is only decrypted on your devices, so it would not be exposed in the event of an iCloud data breach.

It isn’t new, nor is it complete, but it now covers more kinds of data. Until now, iCloud protected 14 different data categories in this way, including passwords in iCloud Keychain, and Health data. For those users who choose to enable Advanced Data Protection, this will rise to 23, including iCloud Backup, Notes, and Photos.

Apple notes that Mail, Contacts, and Calendar are not covered because of the interoperability issues with global systems that would arise.

Advanced Data Protection is Apple’s highest level of cloud data security, giving users the choice to protect the vast majority of their most sensitive iCloud data with end-to-end encryption so that it can only be decrypted on their trusted devices.

The most important part of this new protection is iCloud backups, which are basically a copy of everything on your device. So far, these backups weren’t end-to-end encrypted, which meant, for example, that Apple could access the data and share it with other entities, like law enforcement.
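The difference between the two backup situations described here, as an added model that is not Apple’s design or code and not part of the original article: in both cases the device encrypts before upload and the store holds only ciphertext, but without end-to-end encryption the provider is also handed the key. The CloudStore, Backup and Decrypt names, AES-GCM with a 32-byte key, and the sample backup text are all constructed for this demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// CloudStore models the provider side: the uploaded blob and, when not end-to-end encrypted, the key.
type CloudStore struct {
	blob        []byte // AES-GCM ciphertext with the 12-byte nonce prefixed
	providerKey []byte // nil under Advanced Data Protection: the key exists only on devices
}

func gcmFor(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // key is always 32 bytes here, so NewCipher cannot fail
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Backup encrypts on the device and uploads ciphertext only. endToEnd=false additionally hands
// the provider the key, which is the pre-ADP situation the article describes for iCloud Backup.
func Backup(plaintext []byte, endToEnd bool) (deviceKey []byte, store *CloudStore) {
	buf := make([]byte, 44) // 32-byte key followed by a 12-byte nonce
	if _, err := rand.Read(buf); err != nil {
		panic(err) // a failing OS RNG leaves nothing safe to do
	}
	deviceKey, nonce := buf[:32], buf[32:]
	store = &CloudStore{blob: gcmFor(deviceKey).Seal(nonce, nonce, plaintext, nil)}
	if !endToEnd {
		store.providerKey = deviceKey
	}
	return deviceKey, store
}

// Decrypt with the device key is what the user's own devices do after sync. Decrypt with
// store.providerKey is what the provider, a rogue insider or a breach of its servers can do.
func Decrypt(key []byte, store *CloudStore) ([]byte, error) {
	if key == nil {
		return nil, fmt.Errorf("no key on the provider side: only ciphertext is available")
	}
	return gcmFor(key).Open(nil, store.blob[:12], store.blob[12:], nil)
}

func main() {
	_, store := Backup([]byte("constructed sample backup"), true)
	_, err := Decrypt(store.providerKey, store)
	fmt.Println("provider-side read under ADP:", err)
}
```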

EFF reaction

The Electronic Frontier Foundation (EFF), which has been campaigning for this option, seems pleased. It applauds Apple for listening to experts, child advocates, and users who want to protect their most sensitive data. It points out that user data will be protected even if there is a data breach in the cloud, a government demand, or a breach from within Apple (such as a rogue employee).

Malwarebytes’ Director of Core Technology, and authority on everything Apple, Thomas Reed is equally happy with the new features. Although he fears that hardware keys as a new option for MFA are not something the average user will ever appreciate, he’s really happy with the Advanced Data Protection feature.

I’ve never been comfortable with putting my iPhone backups in iCloud, for example, but with this change I may start doing so.

