IT NEWS

Gas, a positive social network for teens (no, really)

A new social network is currently in the news, billed as a positive space for teens to enjoy themselves. I’m all for positive spaces online, but what is it, and will teens really be happier there than (say) Instagram, or even just hanging out in WhatsApp groups?

Pump the gas

Launched in August of this year, Gas is an iPhone app aimed at teens. When you sign up, you use location services to allow the app to figure out which schools are nearby. During sign-up you add friends, and according to this review, it requests access to your contacts.

Once all of this is done, it allows users to share polls (with four options for each, based on what I’ve seen so far) and these happy, friendly polls let you “see who secretly likes you”, or feel a dopamine rush as you find out you’re most likely to do a really cool thing at band practice.

That seems to pretty much be it. The Gas app team refer to it as “The only wholesome place left on the internet” on their TikTok profile. In fact, with the app being so heavily region restricted, it’s one of the first times I’ve had to figure out what something actually does by trawling through TikToks.

How restricted? We’re not talking about countries. We’re talking about individual states in the US, with Michigan being the initial launchpad, with several more added since.

A little too exclusive

This is the very definition of a super exclusive Internet club, but often to the app’s detriment if you’re trying to find out what it does and does not do. For example, I had to find out about location tracking and messaging policies through a TikTok video.

For reference, the TikTok clip states that messaging is not allowed; all that you can do is “answer polls about friends”. It also says that Gas “only uses your rough location to join a school and never saves it”. Even so, it’s not unreasonable to think that even if rough locations are never saved, having a user associated with a physical object (the school) means an association to location as far as the users are concerned, even if the app has no interest in such things. Generally speaking, school buildings don’t move around very much!

On the flip side, this is something very unlikely to cause an issue given how limited the app is in terms of functionality. There isn’t much scope for social engineering when there’s no messaging allowed and only polls to click on.

A neutered net?

There don’t appear to have been any major complaints in relation to the app so far, and as far as we can tell, users’ experiences have been consistent with the developers’ claims. Even so, there are still a lot of unknowns here. Are you able to create custom polls, or is everything done via pre-selected polls which you can lightly customise? We don’t know, and poll creation isn’t touched on in the news.

Is there a possibility of Fear of Missing Out (FOMO) if children aren’t selected in polls? Perhaps, but as the developers mention, children who haven’t been picked “recently” will find themselves automatically dropped into other polls more frequently to give them a chance. How online can we consider these teens to be if all of their possible routes for interaction with other people are clicking one of four options in a poll? And how online will they feel, if their peers are using Instagram, Snapchat, WhatsApp, and TikTok?

Perhaps they’ll grow bored of Gas, or use it alongside their usual haunts. There isn’t enough data available yet, so we’re just going to have to see where it goes. Cyberbullying is an awful thing to have happen to your child, and the increasingly long list of things you need to do in these situations is always a cause for concern.

If the app is doing what it claims and kids are getting a positive buzz from interactions from a fairly closed circle, who am I to argue?

Third-party application patching: Everything you need to know for your business

Patch management that is consistent and efficient has never been more critical in keeping your security infrastructure up to date and secure. Although today’s endpoint management solutions include patch management functionalities, third-party patching is an area that shouldn’t be forgotten.

In this post, we will cover the importance of third-party application patching and the challenges it can address for your organization.

What is a third-party application?

A third-party application is a type of software designed by an independent vendor other than the original manufacturer of the device. Common examples of third-party applications include Google Chrome, Adobe Acrobat Reader, and TeamViewer.

What is third-party patching and why is it important?

Third-party patching involves applying patch updates to third-party applications that have been installed on your business endpoints, which includes desktops, laptops, servers, and other devices. Third-party patch management patches vulnerabilities that, if exploited, can jeopardize the security and functionality of software. Vulnerabilities expose your company’s attack surfaces to malicious actors looking for opportunities to access your network.

So, why is patching third-party applications important to your business?

Patching software vulnerabilities is a key driver for preventing future cyberattacks on your organization. The vulnerabilities found in your business’s third-party apps open the floodgates for hackers.

These malicious adversaries spread through your systems using techniques such as privilege escalation and lateral movement, seeking out sensitive information and valuable data. Patching third-party vulnerabilities reduces the likelihood of an attack while also fixing bugs that affect software functionality. Another reason your organization should consider third-party patching is that it can help your business satisfy compliance regulations.

The risks to your business when neglecting to patch third-party applications

In 2021, 93% of companies experienced a cybersecurity breach of some kind due to third-party vendors or supply chain weakness. With the average cost of a data breach in the US at an astounding $9.4 million, the repercussions of a cyber incident caused by unpatched vulnerabilities are severe. An attack of such magnitude disrupts daily workflows and productivity, and in some cases causes reputational harm. Neglecting to patch third-party apps is a risk your company can’t afford.

When security teams choose not to consistently patch endpoints, your risk of exposure to potential cyberattacks increases. In 2021 for instance, Log4Shell, a software vulnerability in Apache Log4j 2, took the world by storm. For more information on Log4Shell, read the Malwarebytes blog post – What SMBs can do to protect against Log4Shell attacks.

What can businesses learn from vulnerabilities like Log4Shell? The third-party application patch management process is essential. Although third-party app vendors don’t strictly adhere to a patch release schedule, they normally release a patch when a vulnerability is discovered. Read our article on Security vulnerabilities: 5 times businesses (and governments) got hacked for more information on how hackers exploited vulnerabilities like Log4Shell to attack organizations.

It’s challenging for organizations to keep up with all the software updates and available patches for third-party apps. More companies rely on third-party applications for their day-to-day business operations. Adhering to patch management best practices can help alleviate your security team’s load and enhance your organization’s cyber prevention.

What is automated third-party patching?

Automated patch management allows businesses to automatically scan endpoint devices for patches that are needed and automate the distribution of patches. In some situations, automated patching allows businesses to flexibly schedule patching deployments so that the third-party patching process doesn’t interrupt daily workflows. This automation eliminates the grunt work of manual patching where system admins would otherwise spend hours applying software patches themselves.

What are the drawbacks of automated patch management software?

Automated patch management can help minimize manual workloads and improve your company’s security posture. But it should be noted that automating the patch management process comes with increased operational risk depending on the situation.

Depending on the type of security infrastructure your organization has, implementing automated patch management software on a system that relies heavily on manual infrastructure deployment and management may not be the best option. Security architecture that’s legacy-application heavy is not ideal for automated patch management. This is especially the case for integral applications, where a minute of downtime causes dramatic organizational losses.

A common misconception is that automated third-party patching means your systems are more secure. While automatic patching helps your company maintain strong security posture, it is not a cure-all for security and is limited to its pre-programmed policies used to scan and identify missing patches. As more companies adopt cloud-native security infrastructure, the easier it will be to automate third-party patching.

Third-party patch management vs vulnerability management – Let’s compare the two processes

Third-party software patch management centers on identifying, grouping, and prioritizing missing patches in third-party applications. Patch management vendors created their solutions to deploy patches, but not all patches resolve security flaws. For this reason, patch management products alone can’t effectively secure your organization.

Vulnerability management addresses your security risks by identifying security vulnerabilities in your systems. These vulnerabilities cover a range of security issues, and in some cases deploying a patch is not the solution. Other vulnerabilities may instead call for security training for staff, changes to firewall policies, or changes to your network.

Third-party Patch Management and Compliance

Timely and consistent third-party patching reinforces your cybersecurity prevention.

Third-party applications need to be continually updated to decrease your risk of infection. Leaving third-party apps unpatched or out of date can hinder your organization from achieving patch compliance requirements. Cybersecurity regulatory compliance such as PCI (Payment Card Industry Security Standards Council), GDPR (General Data Protection Regulation), and HIPAA (Health Insurance Portability and Accountability Act), all set standards for patch deployment and security patching protocols.

Interested in learning more about cyberattack prevention with vulnerability assessment and patch management tools? Visit our Vulnerability and Patch Management Modules.

Venus ransomware targets remote desktop services

It’s time for another tale of remote desktop disaster, as a newish form of ransomware carves out a name for itself. Bleeping Computer reports that individuals behind Venus ransomware are breaking into “publicly exposed Remote Desktop services”, with the intention of encrypting any and all Windows devices. Since at least August 2022, Venus has been causing chaos and has become rather visible lately.

Venus brings bad remote tidings

It seems these attacks very much follow the typical Remote Services/Remote Desktop Protocol (RDP) gameplan. Break into the network via insecure access, stop processes and services according to the whims of the ransomware authors, and then encrypt the desired files. Confused people on the network will now find their filenames end with the .venus extension, and additional file markers with no currently obvious purpose placed inside the encrypted files.

The incredibly overt ransom note, which is somewhat difficult to read given it sports white text on a bright orange background, reads as follows:

“We downloaded and encrypted your data. Only we can decrypt your data. IMPORTANT! If you, your programmers or your friends would try to help you to decrypt the files it can cause data loss even after you pay. In this case we will not be able to help you. Do not play with files. Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam.”

You know, as opposed to being the victim of this scam instead.

A risk whether at home or in the office

Bleeping Computer notes one victim on their forum made several posts about being struck by this particular slice of ransomware. This individual found their home network under attack, external drives compromised, and a PC elsewhere in the house being used as a server receiving similar treatment.

In this case, the issue was RDP left running as a way to access a computer remotely. The victim notes that RDP was password protected, but it seems the password may not have been enough. This—and the timeless classic of having backup devices available but not getting round to doing the actual backing up—proved to be a dreadful combination blow.

Tips for avoiding the RDP to ransomware pipeline

RDP specifically continues to be a sore point for networks whether at home or in the office. Even with password protection, it may not be enough, as we’ve just seen to devastating effect for one unlucky individual.

If you’re running Windows 11, you’ll be pleased to know that Microsoft is taking action to help shore up the ways attackers can use RDP to break in. This has been achieved by limiting the number of times you can attempt to log in, as per our article from back in July. If you’re interested in locking down your RDP in other ways, we have a long list of tactics for you to try out. The full list of tricks and tips from March can be seen here. Some of the key actions you should consider taking right now include:

  • Use multifactor authentication for your RDP access. Attackers may crack your password, but without that second form of authentication to hand they’re going to find it a lot harder to get in.
  • Rate limiting may now be somewhat redundant if you’re using Windows 11 considering recent security changes, but if not, this will slow down the speed that attackers can keep trying to guess your login.
  • Place your RDP behind a VPN, but make sure you focus on keeping the VPN login secure as this is now your new point of access. This can be done by using multifactor authentication for login, and ensuring any email address tied to your account is similarly protected. If you’re able to use rate limiting alongside your VPN login too, then so much the better.

Stay safe out there!

New PHP-based Ducktail infostealer is now after crypto wallets

A phishing campaign known to specifically target employees with access to their company’s Facebook Business and Ads accounts has significantly widened its net and begun using a first-of-its-kind information-stealing malware to go after crypto wallets.

The Ducktail (Woo-ooh!) campaign was first made public three months ago in July, but it’s thought to have been active since 2018. The cybercriminal behind the campaign is thought to be from Vietnam.

Ducktail 101

Social engineering attacks and malware form the core of Ducktail’s modus operandi. In previous campaigns, it used a .NET Core malware that specifically steals Facebook Business and Ads accounts and saved browser credentials. All stolen data was then exfiltrated to its command & control (C2) server, a private Telegram channel.

In this latest campaign, the cybercriminals replaced the .NET Core malware with malware written in PHP. Not only does Ducktail continue to steal Facebook credentials and browser data, it now also steals cryptocurrency wallets. The stolen data is stored on a command & control (C2) website in JSON (JavaScript Object Notation) format, a plain-text format that is easy to read.

Note that Ducktail also broadened its target to include all Facebook users.

The attacker lures their target into downloading and installing a malicious installer (usually compressed in a ZIP file) by making them believe it’s a video game, subtitle, adult video, or cracked MS application file (among others). This ZIP is hosted on popular file-sharing platforms.

Once the file is opened, the malware shows a fake “Checking Application Compatibility” pop-up to distract users while it installs in the background. The malware then executes two processes: the first establishes persistence on the affected system, scheduling the malicious script to run daily; the second carries out the data stealing tasks.

Zscaler researchers broke down the kinds of data this PHP malware steals:

  • Browser information (machine ID, browser version, user profiles). In particular, this malicious script is after sensitive data stored in Chrome browsers.
  • Information stored in browser cookies
  • Crypto account information from the wallet.dat file
  • Data from various Facebook pages, such as the Graph API, Ads Manager, and Business, including but not limited to:
    • Accounts and their status
    • Ads payment cycle
    • Currency details
    • Funding source
    • Payment method
    • PayPal payment method (email address tied to PayPal accounts)
    • Verification status

Data stored on the C2 website is retrieved and used to conduct further information theft within the affected system. Additional stolen information is fed back to the C2 server.

Stay safe from the Ducktail infostealer

As Ducktail uses clever social engineering tactics as the precursor to infection and information theft, it is more important than ever for Facebook users, especially those responsible for their business’s Facebook accounts, to be wary of this information stealer’s risks. Prevention is key.

  • Never download files not relevant to your work, especially if you’re using company-provided computers and mobile devices.
  • Be wary of downloading files from popular file-sharing sites. Malware is usually shared there, too.
  • If something seems too good to be true, it probably is. You’d be better off avoiding it.

If you suspect you’ve been infected by Ducktail malware and you’re a Facebook Business administrator, check if any new users have been added to Business Manager > Settings > People. Revoke access to any unknown users with admin access.

Lastly, it is essential to have security software you can count on installed on your computer to protect against risky files that may still end up on the computer, regardless of one’s vigilance. Remember that some malware campaigns don’t need human intervention to infect systems. You have to watch out for those, too.

Stay safe!

Microsoft breach reveals some customer data

Microsoft customers find themselves in the middle of a data breach situation. The Microsoft Security Response Center blog reports that researchers reported a misconfigured Microsoft endpoint on September 24. This misconfiguration resulted in the possibility of “unauthenticated access to some business transaction data corresponding to interactions between Microsoft and prospective customers”.

Misconfigured servers are a major cause of unintentional data loss and unauthorised access. While the issue was apparently “quickly secured”, there are still questions as to what exactly happened and what the potential fallout could be.

Assessing the impact

The first and most important point: Microsoft sees no evidence of customer systems or accounts having been compromised, and affected customers have been “directly notified”.

As per Microsoft:

“The issue was caused by an unintentional misconfiguration on an endpoint that is not in use across the Microsoft ecosystem and was not the result of a security vulnerability. We are working to improve our processes to further prevent this type of misconfiguration and performing additional due diligence to investigate and ensure the security of all Microsoft endpoints.”

Of course, this isn’t the whole story and some data was unintentionally exposed. What is it, and how bad might things be as a result? Let’s hear from Microsoft again:

“The business transaction data included names, email addresses, email content, company name, and phone numbers, and may have included attached files relating to business between a customer and Microsoft or an authorised Microsoft partner.”

The numbers game

What kind of scale are we talking about here? Bleeping Computer notes that the researchers who first discovered this claim to have linked this data to “more than 65,000 entities from 111 countries”. This data supposedly ranges from 2017 to August 2022. However, Microsoft disagrees with the assessment of what’s taken place. From its writeup:

“…after reviewing their blog post, we first want to note that SOCRadar has greatly exaggerated the scope of this issue. Our in-depth investigation and analysis of the data set shows duplicate information, with multiple references to the same emails, projects, and users.”

Microsoft goes on to advise how to operate a searchable database of compromised data without risking further issues by locking down who, exactly, can access it. This is an ongoing situation, and some of those impacted are finding that obtaining specifics is proving to be difficult. For now, the best we can do is wait and see what other developments this one has in store for us.

Suspected LAPSUS$ group member arrested in Brazil

The Brazilian Federal Police have arrested a suspect after an investigation into last year’s breach of the Brazilian Ministry of Health. Responsibility for the breach was claimed by the LAPSUS$ group, when users found a message stating that system data had been copied and deleted and was in the hands of the group.

LAPSUS$ is a relative newcomer to the cybercrime scene that first appeared in the summer of 2021. It has made a name for itself by leaking sensitive information from some big targets. At the time it was thought that the group hailed from South America, based on its earliest targets and the near-native use of Spanish and Portuguese.

LAPSUS$ is also believed to be responsible for invading the systems of Empresa Brasileira de Correios e Telégrafos and Localiza Rent a Car, as well as several others in South America, the United States and Europe, including Sociedade Independente de Comunicação, a private television channel in Portugal, the Impresa group, Electronic Arts, Globant, Nvidia, Okta, Uber, and many others.

Members

In March 2022, the City of London Police said they had arrested seven teenagers in relation to LAPSUS$. Two of the seven suspects were charged with hacking offenses and one was re-arrested later after an attack on Rockstar Games.

The group is likely to be widespread. It has been growing due to its big successes and even bigger claims. The group has an international reach, especially since it is very active on Telegram and the Dark Web. Based on linguistic analysis, the group is believed to also have Russian, Turkish, and German native speakers among its admins.

Methods

LAPSUS$ is mainly an information stealing operation that uses every possible method it can: paying insiders, SIM-jacking, exploiting vulnerabilities in software like Confluence, JIRA, and GitLab, buying or searching for leaked credentials, and using AD Explorer, a publicly available tool to enumerate all users and groups in a network.

Most of the time the breached organization is extorted to pay a ransom to prevent the group from leaking the exfiltrated information, but in a few cases the group simply sold or published the stolen information without contacting the victim organization. In the case of the Nvidia breach, LAPSUS$ claimed it was mainly after the removal of the Lite Hash Rate (LHR) limitations in all GeForce 30 series firmware—apparently all to help out gamers and the mining community.

Organized crime

The availability of fast internet has brought cybercriminals from all over the world together and allows them to cooperate internationally. Using end-to-end encrypted communications and the Dark Web allows them to do business below the radar of law enforcement agencies.

Koen Hermans, Dutch national public prosecutor for cybercrime said at the ONE-conference:

“At least 80% of cyberattacks are now caused by organized crime groups and data, tools and expertise are widely shared. Cybercriminal knowledge and skills are shared and offered for sale online, via messaging services, the dark web and other platforms. There is a revenue model behind it, in which cybercrime – according to experts – has already overtaken the international drug trade in terms of profitability.”

This requires law enforcement agencies to cooperate internationally, which seems to be easier for some. The FBI and Europol have been able to achieve some successes by deploying cybertechniques against criminals, but their success rate seems to be lower when the criminal activities are conducted digitally and require virtually no physical activities. It is easier to track a shipment of weapons or drugs than to monitor the trade in stolen information.

The result is a growing demand for specialized experts, for which the police force will need a good deal of extra funds and staff.

DeadBolt ransomware gang tricked into giving victims free decryption keys

Dutch police and other law enforcement agencies have managed to trick the DeadBolt ransomware operators into releasing 150 decryption keys for free. 

The method of obtaining decryption keys was found by a Dutch incident response company called Responders.NU, which shared the method with the police. The basis for the trick is that it was possible to cancel an unconfirmed Bitcoin transaction after the decryption key was released but before the payment went through.

Because of the large amount of Bitcoin transactions taking place at one time, it can take a while for payment to actually go through. That gave police enough time to block the transactions from going through before the payment actually took place. By then they’d already received the decryption key and could pass it on to the victims. They managed to repeat the process around 150 times before the ransomware gang pulled the plug on their system that gave out the decryption keys.

Deadbolt

DeadBolt is a ransomware that specializes in encrypting online network attached storage (NAS) devices. Owners of QNAP (Quality Network Appliance Provider) devices have recently been the target of this ransomware operator. QNAP and DeadBolt have history. In January 2022, news broke that a ransomware group was targeting QNAP Network Attached Storage (NAS) devices. As a countermeasure, QNAP pushed out an automatic, forced, update with firmware containing the latest security updates to protect against the attackers’ DeadBolt ransomware, which annoyed part of its userbase.

More recently, QNAP detected that cybercriminals known as DeadBolt were exploiting a Photo Station vulnerability in order to encrypt QNAP NAS systems that were directly connected to the internet. This DeadBolt campaign also targeted Asustor users. According to the police there are around 20,000 affected devices worldwide. Each of them received instructions to pay 0.05 Bitcoin (around $1000 at the time of writing) to get a decryption key for their files.

Decryption keys

The police wanted to emphasize that it is always important to file a complaint about cybercrime, even though the chances of apprehending the cybercriminals may seem slim. So they started by helping victims, from 13 countries, who had filed a complaint with their local police.

Most of the victims who they helped should have received instructions on how to access their personal decryption key by now.

If you have not been notified by the police but you still want to check if you are one of the lucky ones, you can follow the instructions on the site deadbolt.responders.nu and find out if your decryption key is available.

Mitigation

It is important to file a complaint if you are a victim of a cybercrime. Not only does it give law enforcement agencies a better understanding of what’s going on and how widespread a campaign is, it also provides them with information that may help them apprehend the criminals or recover your data or money.

To avoid falling victim to the DeadBolt ransomware, the obvious advice is to not connect your NAS directly to the internet, but we understand that that ruins the whole purpose of a NAS for some users.

Make sure that the firmware of your device and all the software running on it is up to date. These criminals will not only find new vulnerabilities, but also use old ones that have not yet been patched.

To enhance the security of your NAS, QNAP recommends users use the myQNAPcloud Link feature provided by QNAP, or enable the VPN service. Or you can use another VPN of your choice.

Why Log4Text is not another Log4Shell

The Apache Software Foundation has acknowledged a vulnerability in Apache Commons Text, a library focused on algorithms for string manipulation.

The vulnerability has been assigned CVE-2022-42889, but security researchers have dubbed it Log4Text. The name provides an immediate association with Log4Shell, which had quite the impact and ranked #1 in the CISA top 5 most routinely exploited vulnerabilities of 2021.

Apache Commons Text is a library that focuses on algorithms for string manipulation, which means it is used for various text operations, such as escaping, calculating string differences, and substituting placeholders in the text with values looked up through interpolators.

The problem lies in those interpolators. You can compare them to environment variables: when called, an interpolator returns the value of the named variable, and to do so some of them have to execute commands.

Vulnerability

The full description of the vulnerability is:

“Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is ${prefix:name}, where “prefix” is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are:

– “script” – execute expressions using the JVM script execution engine (javax.script)
– “dns” – resolve dns records
– “url” – load values from urls, including from remote servers

Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used.”

Quickly summarized, this means an attacker with a successful exploit could extract information from the memory, set up internet connections, and execute arbitrary commands.

Similarities

Log4Shell and Log4Text are both vulnerabilities in widely used Apache libraries and they do have some things in common, so it’s understandable that people are worried.

Both of the vulnerabilities rely on un-sanitized input, which means that the input provided by users is not checked, cleaned, and filtered before it reaches the application.

The possible implications of a successful exploit are very similar to those of Log4Shell. Both of the vulnerabilities are found in a widely used Apache library and both depend on variable substitution, which looks for patterns like ${something} and replaces them with other pieces of information.

The difference

The big difference lies in the use-case for the two Apache libraries. Apache Commons Text is specifically designed for this kind of text manipulation while Log4j was built for logging only. This also has implications for where the libraries are used. IT and security folk want to log as much as they can, so Log4j shows up in more online applications than we would ever expect Apache Commons Text to.

It also means that the interpolators are used in a library where they are expected, and they’ll usually be there on purpose. It also limits the options available to an attacker. Where Log4Shell was very easy to exploit, Log4Text requires a lot more effort and advanced knowledge of the target to be successfully exploited.

Mitigation

Users should upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.

Make sure that user input gets sanitized before it reaches your application, service, or server. This will also help to prevent abuse as a result of vulnerabilities that haven’t been found or published yet.
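As an added example (not code from this article or from the Apache project), here is how the two mitigation steps above look in Java: a StringSubstitutor built from an explicit allowlist of lookups, so that the script, dns and url interpolators are never registered whatever version is on the classpath, plus a check that rejects untrusted text addressing any prefix outside that allowlist. The class name SafeInterpolation and the helpers restrictedSubstitutor and usesOnlyAllowedPrefixes are assumed; the Commons Text classes and factory methods are the library’s own.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class SafeInterpolation {
    // Hypothetical helper: build a substitutor from an explicit allowlist of lookups.
    // "script", "dns" and "url" are never registered, so those prefixes cannot be
    // resolved whatever version of the library is on the classpath.
    static StringSubstitutor restrictedSubstitutor(Map<String, String> appValues) {
        Map<String, StringLookup> lookups = new HashMap<>();
        // Values the application itself owns, supplied as a plain map.
        lookups.put("app", StringLookupFactory.INSTANCE.mapStringLookup(appValues));
        // Only the built-in lookups this application actually needs.
        lookups.put("sys", StringLookupFactory.INSTANCE.systemPropertyStringLookup());
        // addDefaultLookups = false: do not pull in the version's default set,
        // which in 1.5 through 1.9 includes script, dns and url.
        StringLookup interpolator =
                StringLookupFactory.INSTANCE.interpolatorStringLookup(lookups, null, false);
        return new StringSubstitutor(interpolator);
    }

    // Hypothetical input check: reject untrusted text that addresses any lookup prefix
    // outside the allowlist, so the attempt can be logged rather than silently ignored.
    // The allowlist above is the real control; this is defence in depth.
    static boolean usesOnlyAllowedPrefixes(String input, Set<String> allowed) {
        Matcher m = Pattern.compile("\\$\\{\\s*([A-Za-z]+)\\s*:").matcher(input);
        while (m.find()) {
            if (!allowed.contains(m.group(1).toLowerCase())) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        Map<String, String> appValues = new HashMap<>();
        appValues.put("greeting", "hello"); // constructed sample value
        StringSubstitutor sub = restrictedSubstitutor(appValues);
        // Both prefixes are allowlisted, so this template is resolved normally.
        System.out.println(sub.replace("${app:greeting} from Java ${sys:java.version}"));
        // Constructed untrusted input using a prefix that is not on the allowlist: the check
        // rejects it, and even if it reached the substitutor the unknown prefix is left
        // unresolved by StringSubstitutor's default behaviour instead of being executed.
        String untrusted = "${script:javascript:1+1}";
        System.out.println(usesOnlyAllowedPrefixes(untrusted, Set.of("app", "sys")));
        System.out.println(sub.replace(untrusted));
    }
}
```

Upgrading to 1.10.0 still matters: the allowlist protects the code paths you control, but other dependencies may build their own interpolator with the defaults.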

Ransomware attack freezes newspaper printing system

Several German newspapers were left unable to release printed versions of their papers after a ransomware attack affected their printing systems.

Speaking to BleepingComputer, Uwe Ralf Heer, editor-in-chief of Heilbronn Stimme, said the attack hit the entire Stimme Mediengruppe media group, of which Heilbronn Stimme is a member. Other affected companies under the group are Echo, Pressedruck, and RegioMail.

Heer said a “well-known cybercriminal group” carried out the attack last Friday, October 14, leaving systems encrypted. Despite leaving ransom notes, the attackers are yet to make any specific ransom demands.

Just four days after the attack, Heilbronn Stimme was able to begin delivering printed newspapers again. The newspaper had released Monday’s issue in e-paper form, temporarily lifting the paywall on its website.

Editors were told to work from home using their personal computers following the ransomware attack. New email addresses were also provided for them.

Slowly returning to normal

The media company’s IT team, who worked with external cybersecurity experts, jump-started production again on Monday evening. An official police investigation has begun. However, the media group has made clear it won’t be providing information regarding the status of the investigation and “possible letter of confession and ransom demands”.

“Thanks to a sophisticated data backup strategy, we were able to restore the production-critical systems with great effort and thanks to the great know-how of the IT team,” said Andreas Reischle, head of IT of Heilbronn Stimme.

Tobias Sobkowiak, Heilbronn Stimme’s head of press printing, is pleased papers are in production again. “We are glad that we were able to produce a newspaper again so quickly under these conditions. This was mainly possible due to the great teamwork in production and the good and long-term cooperation with our service providers. Hand in hand, we managed what didn’t seem possible at the end of last week,” he said.

Regio Mail, Echo, and other newspapers the media company distributes, such as Süddeutsche Zeitung and Stuttgarter Zeitung, also resumed printing and distribution.

Although full recovery from the attack will take some time, Cornelia Neuberger, head of the regional delivery service for the media group, was proud of what they’ve already achieved.

“The clerks in personnel dispatch at Stimme Logistik, the delivering freight forwarders, the employees in product distribution and the area managers on site are in constant communication. The current situation brings us even closer together. We would like to thank everyone involved for their active support,” she said.

Man scammed IRL for a phone he sold online

If you’re looking to sell an item which you’ve advertised online, be on your guard. Even when everything looks to be working as it should, things can go wrong very quickly as one unfortunate IT graduate recently discovered. You would think that there’s no way the in-person sale of an expensive device, with money exchanging digitally on your own doorstep, could possibly go wrong. And yet…

Fake apps, real items

Chris Gray of Howdon possesses an IT degree, and considers himself to be tech-savvy. Sometimes having a preconceived idea of what a scam may look like can contribute to being caught off-guard by something completely out of left field. In this case, the scam involved the sale of an expensive mobile device which had been listed online.

The buyer appeared at Gray’s home and agreed to pay by bank transfer using a mobile app in front of Gray. Gray says the app appeared to display the agreed sum being sent to his bank account. When the money still hadn’t arrived after 20 minutes, Gray did a quick Google and, seeing it could take “up to 2 hours” for the transaction to show up, sent the buyer on his way. The buyer left with the phone, and Gray was left with nothing. No money ever turned up in his bank account.

There was no reversing of the funds, no claim backs. So what happened?

Gray believes the scammer was using a fake mobile app designed to look like it was processing a bank transfer. No matter which details were punched in, it would have looked as though a transaction was taking place. In reality, it seems it was all just a very clever front to part someone from their mobile device. This tale ends with Gray being blocked on social media by the phone thief, their only other point of contact.

The continued problem of fake payment apps

This isn’t the first time this has happened, and law enforcement is definitely taking an interest in these fake app payment scams.

Just last month, West Yorkshire police warned about this exact type of fraud. Following a similar pattern to the above, targets are usually selling items on social media when the criminals make their move. From the release:

“When a meeting takes place to hand over the item being sold, the victim puts their bank details into a fake app on the criminal’s phone. It then produces a screen which makes it appear that the money has been successfully transferred.

But when the victim then checks their account, they find that the funds haven’t actually transferred. 

The criminal then pretends to call his bank saying that it takes up to two hours for the funds to show. But the money is never received by the victim.”

There’s that two-hour window warning again! We don’t know if these dubious purchase attempts are from the same person, different groups of people, or some sort of group dedicated to going up and down the UK making bogus purchases. One thing is for certain: this makes the prospect of social media selling a bit riskier than it already is.

How to avoid selling to a scammer

People will often sell items away from sites such as eBay for various reasons, but when doing so they’re at the mercy of people who may not have the best intentions. Here are some of the ways you can keep yourself safe from harm, courtesy of West Yorkshire Police:

  • Accept that selling away from more traditional online marketplaces means you won’t have any backup protection in place as a buyer or a seller. No third party will come to your assistance if you’re making deals on Twitter.

  • If you agree to make a payment transfer via a buyer’s “app”, feel free to ask them in advance of them coming to your home about the app’s name and other details. If it’s something you’re unfamiliar with, Google it. Check if you need an account on the supposed app to be able to receive money in the first place.

  • Don’t feel pressured to accept a payment. Rush tactics are very common in scams, whether online or off. This scam grants the criminal a little more leeway under the guise of “payments taking up to 2 hours”.

  • Contact your bank once a payment has supposedly been made prior to handing over any goods, and see if there is indeed a payment pending.

  • Use an app of your choosing to receive money. It may not be prudent to have the supposed buyer make the call where this is concerned. If you’re using recognised payment services, you’ll likely have some measure of additional protection if things go wrong down the line.

  • Don’t hand anything over until the money is in your bank account or payment app.

Stay safe out there!