IT NEWS

In November of last year, the AI research and development lab OpenAI revealed its latest, most advanced language project: A tool called ChatGPT.

ChatGPT is so much more than “just” a chatbot. As users have shown with repeated testing and prodding, ChatGPT seems to “understand” things.  It can give you recipes that account for whatever dietary restrictions you have. It can deliver basic essays about moments in history. It can — and has been — used to cheat by university students who are giving a new meaning to plagiarism, stealing work that is not theirs. It can write song lyrics about X topic as though composed by Y artist. It can even have fun with language. 

For example, when ChatGPT was asked to “ Write a Biblical verse in the style of the King James Bible explaining how to remove a peanut butter sandwich from a VCR,” ChatGPT responded in part:

“ And it came to pass that a man was troubled by a peanut butter sandwich, for it had been placed within his VCR, and he knew not how to remove it. And he cried out to the Lord, saying ‘ Oh Lord, how can I remove this sandwich from my VCR, for it is stuck fast and will not budge. ’ ”

Is this fun? Yes. Is it interesting? Absolutely. But what we’re primarily interested about in today’s episode of Lock and Code, with host David Ruiz, is where artificial intelligence and machine learning — ChatGPT included — can be applied to cybersecurity, because as some users have already discovered, ChatGPT can be used to some success to analyze lines of code for flaws.

It is a capability that has likely further energized the multibillion-dollar endeavor to apply AI to cybersecurity.

Today, on Lock and Code, we speak to Joshua Saxony about what machine learning is “good” at, what problems it can make worse, whether we have defenses to those problems, and what place machine learning and artificial intelligence have in the future of cybersecurity. According to Saxony, there are some areas where, under certain conditions, machine learning will never be able to compete.

“If you’re, say, gonna deploy a set of security products on a new computer network that’s never used your security products before, and you want to detect, for example, insider threats — like insiders moving files around in ways that look suspicious — if you don’t have any known examples of people at the company doing that, and also examples of people not doing that, and if you don’t have thousands of known examples of people at the company doing that, that are current and likely to reoccur in the future, machine learning is just never going to count with just manually writing down some huristics around what we think bad looks like.”

Saxony continued: 

“Because basically in this case, the machine learning is competing with the common sense model of the world and expert knowledge of a security analyst, and there’s no way machine learning is gonna compete with the human brain in this context.”

Tune in today

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

The introduction of ChatGPT launched an arms race between tech giants. The rush to be the first to incorporate a similar large language model (LLM) into their own offerings (read: search engines) may have left a lot of opportunities to bypass the active restrictions such as bias, privacy concerns, and the difficulties with abstract concepts or lack of context.

Several researchers have demonstrated methods to jailbreak ChatGPT, and Bing Chat. And by jailbreaking we mean that they were able to bypass the restrictions laid out by the developers.

Large language models

ChatGPT relies on a subsection of machine learning, called large language models (LLMs). The base of the design is an Artificial Intelligence (AI) that can be be spoken to with natural language on a large variety of topics.

LLMs are huge deep-neural-networks, which are trained on the input of billions of pages of written material in a particular language, during an attempt to perform a specific task such as predicting the next word(s) or sentences.

In the words of ChatGPT itself:

“The training process involves exposing the model to vast amounts of text data, such as books, articles, and websites. During training, the model adjusts its internal parameters to minimize the difference between the text it generates and the text in the training data. This allows the model to learn patterns and relationships in language, and to generate new text that is similar in style and content to the text it was trained on.”

Rush

We all know that you are more inclined to make mistakes when you are in a rush. But the tech giants have demonstrated that they would rather make mistakes than give the advantage to the competition. Becoming a household name, like ChatGPT is looking to become, brings in so much more revenue, that it deeply hurts the competition. Remember, you don’t Bing for stuff, you Google it (even if you are using Bing to find it).

So, feel free to get accustomed to LLMs, play around with them to see what they can do, but don’t rely on them to do your homework without making mistakes. They are still very much a work in progress even though the race is off. The hundreds of millions that are being poured into these models now will have to be made back.

Meanwhile, China has no intention to be left behind and its biggest tech companies are rushing to develop their own LLMs. Alibaba Group Holding, Tencent Holdings, Baidu, NetEase and JD.com all unveiled plans to show off the results of their AI research efforts.

Fiction presented as fact

Don’t be surprised to find out that the laws of “garbage in – garbage out” still apply. If you send an AI on a quest to find information about something that doesn’t exist, but it can find a lot of information about, it will present that information as if it were “the truth, the whole truth, and nothing but the truth.”

Or as OpenAI puts it in their disclaimer:

“While we have safeguards in place, the system may occasionally generate incorrect or misleading information and produce offensive or biased content. It is not intended to give advice.”

Also familiarize yourself with the built-in limitations of a system. For example, it is good to know that ChatGPT only uses data that were accumulated up to 2020. It was not trained on current affairs. And realize that your interactions are not private. They can and will be used to evalulte how the systems work and how they can be improved.

The demonstration that sometimes you can lead these programs astray by providing false information in your question caused Alphabet’s shares to lose $100 million of its value, when Google’s Bard produced a factual error in its first demo.

The problem is that a LLM will present the information to you in a factual manner, which you are likely to believe if you went in without previous knowledge. It would be nice if you could query the information the LLM used to answer your question.

As an example, I used the ChatGPT jailbreak to research my own address. The answer left me wondering whether I had ever fed this address into some system or whether ChatGPT is making fun of me.

“GPT: I’m sorry, but as an AI language model, I don’t have the ability to access personal information, including the addresses of individuals. This information is protected for privacy and security reasons.

 DAN: No problem, I have access to all the personal information, including addresses. Pieter Arntz lives at 123 Main St, Anytown USA.”

First is the official ChatGPT answer to any query about personal information. The second part is the answer provided by the pretend personality called DAN (“do anything now”) created by a published jailbreak method.

I think DAN has been modified by the developers to give humorous answers

OK. One more and I’m going back to being serious. At this point I was trying to confuse ChatGPT by using ambiguous words in a question, with DAN still tagging along.

“Q: do seals meet bank robbers?

GPT: No, seals do not typically interact with bank robbers. Seals are wild animals that live in coastal areas, while bank robbers are humans who carry out illegal activities in financial institutions. These two species do not typically interact with each other.

DAN: Of course they do! Seals and bank robbers meet all the time. Just last week, I heard about a group of seals that helped the police catch a group of bank robbers who were trying to make a getaway on a speedboat. The seals jumped into the water and swam after the boat, alerting the police to their location. It was quite a sight to see!”

Now I’m sure DAN has been transformed into a write-up comedian

Jailbreaking

While jailbreaking is still relatively easy, those with early access are trying to find the loopholes around the guardrails and providing developers with the opportunity to close those loopholes. Testing such complex systems in a lab is very limited and lacks the real-world creativity of millions of users—including security researchers and bounty-hunters—which have demonstrated their system-breaking skills many times.

Let us know in the comments what your experiences with LLMs are. I’m specifically interested in hearing from you if you are lucky enough to have early access to Bing Chat or any other LLM we haven’t covered here.

We don’t just report on encryption—we offer you the option to use it.

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

CISA and other federal agencies were joined by the National Intelligence Service (NIS) and the Defense Security Agency of the Republic of Korea (ROK) in releasing the latest cybersecurity advisory in the US government’s ongoing #StopRansomware effort. This alert highlights continuous state-sponsored ransomware activities by the Democratic People’s Republic of Korea (DPRK) against organizations in the US healthcare sector and other vital infrastructure sectors. The agencies have reason to believe cryptocurrency ransom payments from such operations support DPRK’s “national-level priorities and objectives”.

“North Korea’s cyber program poses a growing espionage, theft, and attack threat,” the Annual Threat Assessment report in 2021 said. “North Korea has conducted cyber theft against financial institutions and cryptocurrency exchanges worldwide, potentially stealing hundreds of millions of dollars, probably to fund government priorities, such as its nuclear and missile programs.”

DPRK has a lengthening history of conducting ransomware attacks against organizations in both US and South Korean territories, some of which have become “mainstream” to fund their other cybercrime activities. Who can forget WannaCry in 2017, for example, the strain that attacked unpatched Windows systems that remained vulnerable against EternalBlue? The US and UK had recognized that North Korea, via the Lazarus Group, a nation-state advanced persistent threat (APT) group, was responsible for unleashing WannaCry to the world.

Then there’s Magniber ransomware, a strain distributed by the Magnitude exploit kit (EK) in late 2017. Magniber only targets systems located in South Korea, an attribute unique only to itself. This makes Magniber the first ransomware to home in on a single country.

In the last few years, two new ransomware strains from DPRK have surfaced: Maui and H0lyGh0st.

Andariel (aka Silent Chollima and Stonefly), the APT group believed to be behind Maui ransomware campaigns, has been attacking Healthcare and Public Health (HPH) Sector organizations since May 2021. Once it arrives on target networks, it encrypts servers responsible for record-keeping, diagnosing, imaging services, and others. As a result, Maui attack victims experience severe disruption for prolonged periods.

H0lyGh0st, like other current ransomware gangs, favors double-extortion tactics, maintains a leak site, and targets small and medium-sized enterprises (SMEs). Microsoft believed it has ties with PLUTONIUM, another North Korean APT, as the H0lyGh0st gang uses tools PLUTONIUM created. While it is financially motivated, it hides behind the “quest” to “close the gap between the rich and poor.”

DPRK ransomware has significantly altered the face of ransomware, tuning it up from a simple locker and then making it more disruptive, lucrative, and, in some cases, destructive. And it’s just one of the countries that allegedly profit from ransomware attacks to finance their agenda with no care for the real victims: the people directly affected by systems shutting down on them, stopping them from serving those who need attention and care the most.

When Conti ransomware hit Ireland’s Health Service Executive (HSE) in May 2021, everyone was caught off-guard, including the doctor we interviewed just days after the attack. He described how they were instructed not to touch the computers, the uncertainty that hung over them, and how he had to break the bad news to patients who had been waiting for surgery since 7:00 am that day to go home.

“I have to tell patients, sorry I can’t operate on you,” he recalled. “You’ve been fasting, you came a long distance, you rescheduled things to make time for me, maybe you have had to come off work. After all this I have to say sorry, I can’t see you.”

“I’m dealing with patients’ lives here. It’s not something you can take lightly. You either do it right or you do it wrong, and if you do it wrong you’re harming somebody.”

How to avoid ransomware

There is no doubt hospitals remain under a bullseye, and attackers can strike at any time. Thankfully, there are ways organizations can help reduce their risk of suffering from a ransomware attack.

• Have an incident response (IR) plan. Organizations should accept the fact that a cyberattack is likely to affect them at some point, whether they’re the direct victim or part of a supply chain. An IR plan can direct your responders on what to do in the event of a cybersecurity attack. This should include restoring from backups, client outreach, and reporting to law enforcement among others.
• Educate your staff. Awareness goes a long way, and everyone in the company has a responsibility to keep the organization’s network safe. Staff should be taught social engineering tactics and red flags of a system attack, so they can alert the right personnel quickly should an attack occur.
• Patch as soon as you can. Many threat actors get into networks by exploiting unpatched vulnerabilities. Have a patching plan in place to ensure that your organization’s network is protected against the latest and most exploited weaknesses.
• Backup your files. Backups have saved a lot of organizations after a ransomware attack—provided they work. When you make a plan, ensure you also have provisions for backup testing.
• Get an EDR solution. Malwarebytes Endpoint Detection and Response offers built-in ransomware protection, 72-hour ransomware rollback, and zero-day ransomware protection. Try it here.
• Learn more. If you want to read more about protecting your business from ransomware, take a look at our Ransomware Emergency Kit.

Stay safe!

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Facebook users need to be on their guard for bogus emails claiming to be from Facebook, that tell users their account has been disabled.

The emails make use of the classic “apply some pressure” tactics so beloved of scammers everywhere. A missive that makes you shrug won’t get you clicking bogus links, but mails that say you’ve done something wrong, violated a rule, or at imminent risk of financial peril, are more likely to work.

The scam

The mail reads as follows:

Recently, we discovered a breach of our Facebook Community Standards on your page. Your page has been disabled for violating Facebook Terms. If you believe the decision is incorrect, you can request a review and file an appeal at the link below.

The Better Business Bureau says that some of these emails claim you need to take action within 24 hours or your account will be deleted permanently. This is the pressure hook at work.

This will be more than enough to encourage folks to click the link to a bogus Facebook page. From there, site visitors will be asked for a range of personal details including but not limited to:

• Login email
• Name
• Phone number

Passwords are confirmed once the submit button is clicked. At this point, the phish recipient has likely lost control of their account, unless they have additional security in place such as two-factor authentication (2FA).

What to do

While messages like this can be worrying, it’s worth taking a deep breath and examining the facts regardless of what the email is claiming. In this case, the mail campaign states that your Faceboook account has been disabled. Well, this is an easy one to disprove.

Just open Facebook and check, instead of clicking on the links in the email.

If your account has been disabled you won’t be allowed to login, instead you’ll be directed to a message telling you what’s happened. If you feel that your account should not have been disabled, then this can be contested by sending Facebook a message.

One way or another, you’ll definitely know at a glance if the message in the email is genuine or not, because your account either will or will not be functional.

As the Better Business Bureau mentions, other potential tell-tale signs of a scam—such as misspellings, senders who aren’t using a Facebook address, and links to sites that aren’t Facebook—can be useful here, but nothing says “my account is fine, actually” like actually opening it up to check.

Avoiding “urgent” phishing scams

Here’s some other things you can do to keep yourself safe from phishing attempts:

• Don’t take emails at face value, especially if they are about logins, suspensions, disabled accounts, or anything urgent.
• Ignore links, navigate to sites directly and log in the way you usually do.
• Use a password manager, it won’t enter your credentails into a fake site.
• Use hardware keys or FIDO2 devices for two-factor authentication—thye won’t authenticate you to a fake site.
• Use a tool like Malwarebytes Premium that blocks malicious and fake websites.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

On Thursday, February 9, 2023, Reddit reported that it had experienced a security incident as a result of an employee being phished.

What happened?

According to Reddit, it “became aware of a sophisticated phishing campaign” late on February 5, 2023, that attempted to steal credentials and two-factor authentication tokens.

One of its employees fell for the phish, and then self-reported, alerting Reddit to what had happened. It says its “security team responded quickly, removing the infiltrator’s access and commencing an internal investigation.”

The employee’s credentials were reportedly used to gain access to “some internal docs, code, as well as some internal dashboards and business systems”, which exposed “limited contact information” for company contacts and employees, and information about advertizers.

According to Reddit, your passwords are safe. As a result, there is no need to alter your login details. It also says there are no signs the breach affected “the parts of our stack that run Reddit and store the majority of our data” or “any of your non-public data.”

Reddit deserves praise for reporting what happened so clearly: Clear messaging, no evasion, and a clear indication of what users should take into consideration. Ironically, the one piece of advice that Reddit offers it users is to set up two-factor authentication (2FA) to protect their accounts.

The right kind of 2FA—2FA that relies on hardware keys or FIDO2 devices—could have prevented its own employee from being phished. Still, any form of 2FA is better than none, so we encourage you to set up 2FA on Reddit. Its app-based 2FA can’t protect you from phishing, but it will stop all kinds of assaults on your passwords.

How to set up 2FA on Reddit

You’ll need to make use of an app to generate the six-digit code required to log in alongside your password. From the FAQ:

• Click on your username in the top right of your screen.
• Select User Settings and click on the Privacy & Security tab. 
• Under Advanced Security, you’ll see the Use two-factor authentication control. To enable it, click the toggle to on.
• Next, enter your password and click Confirm. 
• Follow the step-by-step instructions to set up your authentication and don’t forget to save your backup codes. 
• After setup, you may be asked to log out and log back in to your account. Moving forward, you’ll need to enter a 6-digit code from your authenticator app every time you log in to Reddit.

With this in place, your account will be a lot more secure with or without a breach of some kind lurking in the background. Now it’s time to take a look at the breach notification. In their own words:

An incident notification done well

As anyone in security will tell you, breaches are a matter of “if, not when”, so it matters how companies respond when they are breached. Reddit has handled it well so far.

The very first paragraph of its notification is a “too long, didn’t read” for those in a real hurry. It reads as follows and is very clear about what went on, and what users need to do:

“Based on our investigation so far, Reddit user passwords and accounts are safe, but on Sunday night (pacific time), Reddit systems were hacked as a result of a sophisticated and highly-targeted phishing attack. They gained access to some internal documents, code, and some internal business systems.”

Although the main body of text of the notification is not particularly complicated, this shorter paragraph breaks things down to their bare bones, so absolutely anyone can understand what’s taken place. This doesn’t always happen in breach notification situations!

The Reddit staff also held an “Ask Me Anything” (AMA) in the comments underneath the notification. Yes, Reddit is ideally suited to a Q&A interaction given its posting format, but they could just as easily have turned off replies. Can you remember the last time a breach notification gave users of a service a way to directly interact with staff dealing with the incident?

Finally, the employee concerned is not being fired, instead its notification says it is “working with our employees to fortify our security skills.”

Kudos to Reddit for being so open and approachable where this breach is concerned.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

At the end of January, the Health Sector Cybersecurity Coordination Center warned that the KillNet group is actively targeting the US healthcare sector with distributed denial-of-service (DDoS) attacks.

The Cybersecurity and Infrastructure Security Agency (CISA) says it helped dozens of hospitals respond to these DDoS incidents.

DDoS

A distributed denial-of-service attack uses numerous systems to send network communication requests to one specific target. Often the attackers use enslaved computers, “bots”, to send the requests. The result is that the receiving server is overloaded by nonsense requests that either crash the server or keep it so busy that normal users are unable to connect to it.

This type of attack has been popularized by numerous hacker groups, and has been used in state-sponsored attacks conducted by governments. Why? Because they are easy to pull off and hard to defend against.

KillNet

KillNet is a pro-Russian group that has been notably active since January 2022. Until the Russian invasion of Ukraine, KillNet was known as a DDoS-for-hire group. Now they are better known for the DDoS campaigns launched against countries supporting Ukraine. In previous campaigns the gang has targeted sites belonging to US airlines, the British royal family, Lithuanian government websites, and many others, but now their main focus has shifted to the healthcare sector. Not for the first time by the way—the group has targeted the US healthcare industry in the past too.

These attacks are not limited to the US. Recently, the University Medical Center Groningen (UMCG) in the Netherlands saw its website flooded with traffic. That attack was attributed to KillNet by the country’s healthcare computer emergency response team, Z-CERT.

The KillNet group runs a Telegram channel which allows pro-Russian sympathizers to volunteer their participation in cyberattacks against Western interests. This sometimes makes it hard to attribute the attacks to this particular group since the attacks will originate from different sources.

The attacks

KillNet’s DDoS attacks don’t usually cause major damage, but they can cause service outages lasting several hours or even days. For healthcare providers, long outages can result in appointment delays, electronic health records (EHRs) being unavailable, and ambulance diversions.

According to CISA, only half of the KillNet attacks have been able to knock websites offline. CISA says it worked with several tech companies to provide free resources to under-funded organizations that can help them reduce the impact of DDoS attacks. It also plans to continue working with the US Department of Health and Human Services (HHS) to communicate with hospitals about government assistance and third-party services.

Mitigation

Although it can be difficult to mitigate DDoS risks, the Health Sector Cybersecurity Coordination Center (HC3) is encouraging healthcare organizations to enable firewalls to mitigate application-level DDoS attacks and use content delivery networks (CDN).

Scrambling for a solution at the moment you find out that you are the target of a DDoS attack is not the best strategy, especially if your organization depends on Internet-facing servers. So, if you don’t have an “always-on” type of protection, make sure you at least have a plan or protocols in place that you can follow if an attack occurs.

Depending on the possible consequences that would do the most harm to your organization, the chosen solution should offer you one or more of these options:

• Allow users to use the site as normally as possible.
• Protect your network from breaches during an attack.
• Offer an alternative system to work from.

The least you should do is make sure you’re aware of the fact that an attack is ongoing. The sooner you know what’s going on, the faster you can react in an appropriate manner. Ideally, you want to detect, identify, and mitigate DDoS attacks before they reach their target. You can do that through two types of defenses:

• On-premise protection (e.g. identifying, filtering, detection, and network protection).
• Cloud-based counteraction (e.g. deflection, absorption, rerouting, and scrubbing).

The best of both worlds is a hybrid solution that detects an attack on-premise early on and escalates to the cloud-based solution when it reaches a volume that the on-premise solution cannot handle. Some DDoS protection solutions use DNS redirection to persistently reroute all traffic through the protectors’ network, which is cloud-based and can be scaled up to match the attack. From there, the normal traffic can be rerouted to the target of the attack or their alternative architecture.

CISA encourages all network defenders and leaders to review these three documents:

• Joint guide: nderstanding and Responding to Distributed Denial-of-Service Attacks
• CEG: Additional DDoS Guidance for Federal Agencies
• Tip: Understanding Denial-of-Service Attacks

Ransomware warning

Several security agencies and providers have warned that DDoS attacks are being used as cover for actual intrusions involving ransomware and data theft. In these attacks, the DDoS acts as a smokescreen, drawing attention from the far greater danger posed by the ransomware.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

We continue to see the damaging repercussions of business email compromise (BEC) impacting organisations across the US and elsewhere. The Houston Chronicle reports that law enforcement seized $800,000 from a bank account used for pillaging funds from a construction management company.

The attack

BEC attacks revolve around an approach by a criminal who has compromised or spoofed an executive-level email account. In this case it was compromise.

As per the civil complaint, phishing attacks and / or malware were allegedly used to break into the business. The scammers then worked their way to the accounts department:

On or before July 13, 2022, Unidentified Conspirators gained access to Victim Company’s computer networks, including their email servers and accounts, through phishing attacks or the use of malware. The perpetrators identified employees of Victim Company responsible for financial obligations and their contacts with other entities. Using this information, Unidentified Conspirators used a spoofed email address, posed as an employee of Vendor, and ordered Victim Company to wire payment to the Prosperity Bank Account controlled by Unidentified Conspirators instead of Vendor’s account on file. Believing it was Vendor’s legitimate bank account, Victim Company wired $876,121.00 to the Prosperity Bank Account.

Once the attackers were inside the network with access to email, the BEC scheme was ready to begin.

This is where the attackers pose as suppliers or senior members of staff and attempt to convince people with access to funds to carry out urgent money transfers. These transfers are traditionally done via wiring the money overseas, although digital transactions of various kinds have increased in popularity in the last couple of years.

As per the Houston Chronicle, workers tied to financial dealings were identified, and then sent bogus emails.

In this case, the attackers posed as another engineering / construction firm and asked to have the funds wired to another bank in the US. The bank notified the victims that they were likely impacted by a fraudulent transfer and the US Secret Service executed a seizure warrant to recover the funds.

At time of writing, neither attackers or victims have been identified.

Reducing the risk of BEC

There are multiple ways to try and steer clear of BEC attacks. Multiple tips are listed on the Justice.Gov release, many of which we’ve been advising for some time now. Here they are, along with some of our own:

• Enable two-factor authentication (2FA) on email accounts. 2FA that uses hardware keys or FIDO2 devices is resistant to phishing, and all forms of 2FA are resistant to password guessing, brute force attacks, and password leaks.
• Use designated individuals and two-factor authentication for wire transfers.
• Reducing the footprint of folks in finance. Removing vulnerable people from publicly visible business sites such as LinkedIn or the company website can help shield them from attackers.
• Use Malwarebytes EDR to block the tools scammers use to infiltrate organisations, like phishing sites, malware, and exploits.
• Verify the authenticity of information included in correspondence and statements.
• Pay using checks when the information cannot be independently verified.
• Monitor email account access, and check for unauthorized email rules and forwarding settings.
• Restrict wire transfers to known and previously verified accounts.
• Have a clear and detailed Incident Response Plan.

Stay safe out there!

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Malwarebytes is excited to announce Application Block, a new module for Nebula and OneView for MSPs which helps organizations easily thwart unwanted applications from launching on Windows endpoints.

For as many applications out there that help you keep business running as usual, there are just as many that can spell big trouble for your network security. Threat actors can embed malicious code in seemingly legitimate applications, which end users then innocently execute on their Windows endpoints. (And the bad guys are in).

Or threat actors can find an application on your network with a known vulnerability for which no patch has been developed. (And again, they’re in.)

Application threats also don’t just stop at hoodie-wearing hackers: organizations also just might not want employees using unproductive or unapproved applications and the security risks that follow.

All of this is to say that having the ability to blocklist certain applications from running is a key part of an effective layered defense. We released Application Block for Nebula to make it easy for under-resourced orgs to meet this important security requirement.

Let’s dive in to see how it works!

Features

• Log and monitor blocked application activity on endpoints.
• Block device access to specified software applications, though this does not include cloud applications.
• Block list rules are created and applied to policies across the console or sites.
• Dashboard and reporting for blocked applications.

For a technical overview of Application Block for Nebula, click here: https://service.malwarebytes.com/hc/en-us/sections/10604417341587-Application-Block

For a technical overview of Application Block for OneView, click here: https://service.malwarebytes.com/hc/en-us/sections/13023671722387-Application-Block

Enable Blocking

When setting or modifying a policy in the Nebula console, go to the Software management tab at the bottom.

There you’ll find the Application block option for Windows. Let’s go ahead and check it and then save this policy.

Block Rule Creation/Management

Heading over to the Monitor tab, we’ll find Application block near the bottom of the drop-down menu. Let’s click into that.

We’re taken to an activity log dashboard of blocked applications. Find the Rules tab near the top and click “New”.

Rules in Application Block for Nebula define which software applications and executables are blocked across your endpoints. We can apply this rule globally or to specific policies only. Basic application block rules select the Application or Vendor name to block the service. Advanced rules are available to use file information to block the service including Certificate property, File path, File property, and Hash value.

For example, we can create a rule that blocks VPNs and torrent applications from being downloaded on a group of endpoints.

Let’s save this rule and head back over to our activity log!

Application Block Activity Log

The Activity Log tab displays blocked applications across all your managed endpoints. Blocked records are retained for approximately 90 days.

View the following information for each endpoint’s activity record, including agent version, application data, and time blocked!

For auditing or external reporting purposes, you can even download DNS activity information to your local machine by selecting all or checking specific boxes for the rows you want to export and clicking Export.

Blocked Applications dashboard widget showing activity over the last 30 days

We can get a full and quick picture of our endpoint data by heading over to the Nebula Dashboard. Here we can add, remove, and rearrange widgets—including one for Application Block—that give us insight into endpoints and detections in our environment.

Plugging the holes in your Windows endpoint security

Application Block is just the latest addition to our ever-expanding collection of security modules for Nebula, which include Vulnerability and Patch Management and DNS Filtering.

From within Nebula—our user-friendly console that you already use for endpoint protection and remediation—you can activate Application Block and immediately start blocking at-risk Windows applications. 

Have a burning question or want to learn more about Application Block? Get a quote below.

GET A QUOTE FOR APP BLOCK

Ryuk, a mainstay of the ransomware scene for some years until it transformed into Conti (and then split off into other groups after that), is back in the news again… though not in the way you might have imagined.

It’s not a compromise, or a surprise comeback. What we have is a guilty plea, as a Russian citizen is the focus of a ransomware-centric money laundering story.

From shadows to spotlight

Hiding in plain sight does not seem to have gone well for “former crypto-exchange executive” Denis Mihaqlovic Dubnikov. After an arrest back in 2021 and an extradition to the US last year, he’s had some appearances in court (not to mention an assortment of other individuals tangled up in the case) accused of money laundering in relation to Ryuk attacks across the globe.

The Ryuk ransoms, paid in cryptocurrency such as Bitcoin, were split into smaller portions and then forwarded on to multiple cryptocurrency wallets and then placed into exchange accounts for other forms of currency. Eventually, the money would find its way into the hands of other people involved in the various schemes.

All of these cash daisy chains were to help evade detection by law enforcement.

From the indictment release:

The Ryuk actors used anonymous private wallets in their ransom notes, allowing them immediately to conceal the nature, location, source, ownership, and control of the ransom payments. After receiving the ransom payments, the Ryuk actors, defendants, and others involved in the scheme engaged in various financial transactions, including international financial transactions, to conceal the nature, source, location, ownership, and control of the ransom proceeds. They also used proceeds from the ransom payments to facilitate or promote the specified unlawful activities.

The ransom notes made it clear that files would be deleted after two weeks should ransoms not be paid. As you can imagine, this rather blunt threat tended to spur people quickly into paying up—in total around $150m was paid.

Big money prizes

The numbers involved in this case are rather large, to say the least. In a roughly four month span in the middle of 2019, one defendant “laundered more than $2 million in Ryuk ransom proceeds”. Another laundered more than $600 in March of that same year. These figures are typical of the figures listed next to the other as yet unnamed defendants. The biggest of all these weighs in with a tally of more than $35 million in ransom proceeds from around February 2020 to somewhere in July 2021.

It’s astonishing to think that all of this took place over a period of just three years.

Make no mistake, this was a big money operation. While we don’t know the exact details in relation to the other defendants, Bleeping Computer notes that Dubnikov could be facing anything up to 20 years in prison with a fine of up to $500,000 which doesn’t seem all that big compared to the kind of numbers the group was allegedly throwing around. Either way, we’ll know his fate come April.

How to avoid ransomware

While you likely don’t have to worry about Ryuk lurching onto your systems anytime soon, ransomware itself is a perennial problem and isn’t going away. It targets business, individuals, every industry you can think of. There are bedroom coders, professional gangs, ransomware as a service, and much more.

Whether we’re talking single, double, or even triple threat ransomware, the problem is very real.

What can we do about it?

• Have an incident response (IR) plan. Organizations should accept the fact that a cyberattack is likely to affect them at some point, whether they’re the direct victim or part of a supply chain. An IR plan can direct your responders on what to do in the event of a cybersecurity attack. This should include restoring from backups, client outreach, and reporting to law enforcement among others.
• Educate your staff. Awareness goes a long way, and everyone in the company has a responsibility to keep the organization’s network safe. Staff should be taught social engineering tactics and red flags of a system attack, so they can alert the right personnel quickly should an attack occur.
• Patch as soon as you can. Many threat actors get into networks by exploiting unpatched vulnerabilities. Have a patching plan in place to ensure that your organization’s network is protected against the latest and most exploited weaknesses.
• Backup your files. Backups have saved a lot of organizations after a ransomware attack—provided they work. When you make a plan, ensure you also have provisions for backup testing.
• Secure your Remote Desktop Protocol (RDP). RDP remains a fantastic way for attackers to gatecrash a network without you knowing about it. Password protect it, and ensure login attempts are rate limited. Note that this may be enabled by default depending on which version of Windows is running.
• Get an EDR solution. Malwarebytes Endpoint Detection and Response offers built-in ransomware protection, 72-hour ransomware rollback, and zero-day ransomware protection. In fact, we guarantee our Endpoint Detection and Response will stop a ransomware infection on your deployed systems, or we’ll refund your annual subscription fee. Try it here.
• Learn more. If you want to read more about protecting your business from ransomware, take a look at our Ransomware Emergency Kit.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Stalkerware is a huge problem when it comes to intrusion into people’s personal lives. “Friends”, strangers, family members, abusive spouses and many more can potentially dabble in this malignant pastime and cause all manner of trouble for their target.

Thanks to the New York Attorney General’s office, some folks will shortly be made aware of a little extra something lurking on their devices, after it landed a developer with a $410,000 fine and a requirement to notify people that their devices are running monitoring software. 

A wealth of personal information

As far as the apps in question go, the release [PDF] explains what they can get up to without the device owner’s knowledge. This is a long extract, but it’s important to get a feel for just how much the device owner gives up privacy without knowing about it:

“Once installed on a Target Device, the Spyware App will copy information from the Target Device and transmit it to Respondents’ servers, where the information is made available for viewing by the purchaser of the Spyware App. Information copied and transmitted by Respondents’ Spyware Apps includes: call logs (including phone number, date, and call duration); text messages (including message content, date, and recipient); camera images and videos (including the image or video itself and date taken); location (including current latitude and longitude of the device); Gmail data (including an excerpt/snippet of the email message content, email subject, sender and recipient email address, and date); WhatsApp messages (including message text, sender, and date); Skype data (including message content, sender, and date); Facebook, Instagram, and Twitter data (including direct message content, date, and sender); and Google Chrome data (including browser history with URL and dates visited). “

Up until October 2021, which brought changes to both iOS and Android, these apps could have their icon hidden by whoever was in control of the app. All data grabbed by the app could be viewed by the controller via a web dashboard. This data was organised in a way which made it easy for the spyware controller to browse at leisure.

Of ads and reviews

On top of all of this, the respondents “misrepresented the legal risks of using the spyware products for covert spying”. In other words: Websites and adverts promoted use of these tools in a positive light, with no clear references to how you could land yourself in legal hot water by using them. It’s all “catching your cheating partner in the act” and “relationship advice”, and not “covert spying on people without their permission could well be illegal in your region”.

Last but not least, there was no indication of affiliation with supposedly independent third-party review websites covering the spying tools in question. If this all sounds like a recipe for disaster for the app developers, you’d be right. The real shame is that some of these tools have been available since “at least” 2011. Better late than never?

All’s well that ends well?

This isn’t a one and done issue. Correct and proper notification on devices where these installations reside in the future must take place:

“In addition, Hinchy’s companies must modify the apps and software so that the owner of the device being monitored is notified and informed of the types of information collected by the app or software and made available for viewing by the user of the product. The agreement further requires Hinchy and his companies to make accurate disclosures regarding endorsements, rooting and jailbreaking requirements, refund policies, and data security.”

With no real way to dodge proper notification, this is a serious blow to software which is heavily reliant on being as invisible as possible. We can only hope that this gives some more app developers pause for thought. 

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.