IT NEWS

Reddit breached, here’s what you need to know

On Thursday, February 9, 2023, Reddit reported that it had experienced a security incident as a result of an employee being phished.

What happened?

According to Reddit, it “became aware of a sophisticated phishing campaign” late on February 5, 2023, that attempted to steal credentials and two-factor authentication tokens.

One of its employees fell for the phish, and then self-reported, alerting Reddit to what had happened. It says its “security team responded quickly, removing the infiltrator’s access and commencing an internal investigation.”

The employee’s credentials were reportedly used to gain access to “some internal docs, code, as well as some internal dashboards and business systems”, which exposed “limited contact information” for company contacts and employees, and information about advertisers.

According to Reddit, your passwords are safe. As a result, there is no need to alter your login details. It also says there are no signs the breach affected “the parts of our stack that run Reddit and store the majority of our data” or “any of your non-public data.”

Reddit deserves praise for reporting what happened so clearly: plain messaging, no evasion, and a straightforward statement of what users should take into consideration. Ironically, the one piece of advice that Reddit offers its users is to set up two-factor authentication (2FA) to protect their accounts.

The right kind of 2FA, meaning 2FA that relies on hardware keys or FIDO2 devices, could have prevented its own employee from being phished, because such keys only answer the site they were registered to and cannot be relayed through a look-alike login page. Still, any form of 2FA is better than none, so we encourage you to set up 2FA on Reddit. Its app-based 2FA can’t stop a real-time phishing page from relaying your code, but it will stop password reuse, credential stuffing, and brute-force attacks on your password.

How to set up 2FA on Reddit

You’ll need an authenticator app to generate the six-digit code required to log in alongside your password. From the FAQ:

  • Click on your username in the top right of your screen.
  • Select User Settings and click on the Privacy & Security tab. 
  • Under Advanced Security, you’ll see the Use two-factor authentication control. To enable it, click the toggle to on.
  • Next, enter your password and click Confirm. 
  • Follow the step-by-step instructions to set up your authentication and don’t forget to save your backup codes
  • After setup, you may be asked to log out and log back in to your account. Moving forward, you’ll need to enter a 6-digit code from your authenticator app every time you log in to Reddit.

With this in place, your account will be a lot more secure, with or without a breach lurking in the background. Now let’s take a look at the breach notification itself.

An incident notification done well

As anyone in security will tell you, breaches are a matter of “when, not if”, so it matters how companies respond when they are breached. Reddit has handled it well so far.

The very first paragraph of its notification is a “too long, didn’t read” for those in a real hurry. It reads as follows and is very clear about what went on, and what users need to do:

“Based on our investigation so far, Reddit user passwords and accounts are safe, but on Sunday night (pacific time), Reddit systems were hacked as a result of a sophisticated and highly-targeted phishing attack. They gained access to some internal documents, code, and some internal business systems.”

Although the main body of text of the notification is not particularly complicated, this shorter paragraph breaks things down to their bare bones, so absolutely anyone can understand what’s taken place. This doesn’t always happen in breach notification situations!

The Reddit staff also held an “Ask Me Anything” (AMA) in the comments underneath the notification. Yes, Reddit is ideally suited to a Q&A interaction given its posting format, but they could just as easily have turned off replies. Can you remember the last time a breach notification gave users of a service a way to directly interact with staff dealing with the incident?

Finally, the employee concerned is not being fired, instead its notification says it is “working with our employees to fortify our security skills.”

Kudos to Reddit for being so open and approachable where this breach is concerned.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

KillNet hits healthcare sector with DDoS attacks

At the end of January, the Health Sector Cybersecurity Coordination Center (HC3) warned that the KillNet group is actively targeting the US healthcare sector with distributed denial-of-service (DDoS) attacks.

The Cybersecurity and Infrastructure Security Agency (CISA) says it helped dozens of hospitals respond to these DDoS incidents.

DDoS

A distributed denial-of-service attack uses numerous systems to send network requests to one specific target. Often the attackers use compromised computers, “bots”, to send the requests. The result is that the receiving server is overloaded by bogus requests that either crash it or keep it so busy that legitimate users are unable to connect.

This type of attack has been popularized by numerous hacktivist groups and has also been used in state-sponsored campaigns. Why? Because DDoS attacks are easy to pull off and hard to defend against.

KillNet

KillNet is a pro-Russian group that has been notably active since January 2022. Until the Russian invasion of Ukraine, KillNet was known as a DDoS-for-hire group. Now they are better known for the DDoS campaigns launched against countries supporting Ukraine. In previous campaigns the gang has targeted sites belonging to US airlines, the British royal family, Lithuanian government websites, and many others, but now their main focus has shifted to the healthcare sector. This is not the first time, either: the group has targeted the US healthcare industry in the past too.

These attacks are not limited to the US. Recently, the University Medical Center Groningen (UMCG) in the Netherlands saw its website flooded with traffic. That attack was attributed to KillNet by the country’s healthcare computer emergency response team, Z-CERT.

The KillNet group runs a Telegram channel which allows pro-Russian sympathizers to volunteer their participation in cyberattacks against Western interests. This sometimes makes it hard to attribute the attacks to this particular group since the attacks will originate from different sources.

The attacks

KillNet’s DDoS attacks don’t usually cause major damage, but they can cause service outages lasting several hours or even days. For healthcare providers, long outages can result in appointment delays, electronic health records (EHRs) being unavailable, and ambulance diversions.

According to CISA, only half of the KillNet attacks have been able to knock websites offline. CISA says it worked with several tech companies to provide free resources to under-funded organizations that can help them reduce the impact of DDoS attacks. It also plans to continue working with the US Department of Health and Human Services (HHS) to communicate with hospitals about government assistance and third-party services.

Mitigation

Although it can be difficult to mitigate DDoS risks, the Health Sector Cybersecurity Coordination Center (HC3) is encouraging healthcare organizations to enable firewalls to mitigate application-level DDoS attacks and use content delivery networks (CDN).

Scrambling for a solution at the moment you find out that you are the target of a DDoS attack is not the best strategy, especially if your organization depends on Internet-facing servers. So, if you don’t have an “always-on” type of protection, make sure you at least have a plan or protocols in place that you can follow if an attack occurs.

Depending on which consequences would do the most harm to your organization, the chosen solution should offer one or more of the following:

  • Allow users to use the site as normally as possible.
  • Protect your network from breaches during an attack.
  • Offer an alternative system to work from.

The least you should do is make sure you’re aware of the fact that an attack is ongoing. The sooner you know what’s going on, the faster you can react in an appropriate manner. Ideally, you want to detect, identify, and mitigate DDoS attacks before they reach their target. You can do that through two types of defenses:

  • On-premise protection (e.g. identifying, filtering, detection, and network protection).
  • Cloud-based counteraction (e.g. deflection, absorption, rerouting, and scrubbing).
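As an added example (not from HC3 or CISA), here is the minimum awareness check described above in code: a Python script that reads web server access logs in the common combined format, buckets requests into ten-second slots, and raises an alert when a slot’s request rate is at least ten times the expected baseline, noting whether the traffic comes from many source addresses (a botnet) or from one. The log lines are constructed, and the baseline, multiplier and “many sources” threshold are assumptions to be tuned against your own normal traffic.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Combined/Common Log Format as written by Apache httpd and nginx (assumed log source).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line: str):
    """Return (ip, unix_seconds, path, status) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], int(ts.timestamp()), m["path"], int(m["status"])


def detect_floods(lines, window: int = 10, baseline_rps: float = 1.0,
                  factor: float = 10.0, min_sources: int = 20):
    """Bucket requests into `window`-second slots and flag any slot whose request rate is at
    least `factor` times the expected baseline. Each alert also says whether the flood looks
    distributed (many source IPs, i.e. a botnet) and lists the busiest sources for blocking."""
    per_slot = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, t, _path, _status = rec
        per_slot[t - t % window][ip] += 1

    alerts = []
    for slot in sorted(per_slot):
        sources = per_slot[slot]
        rps = sum(sources.values()) / window
        if rps >= baseline_rps * factor:
            alerts.append({
                "slot_start": slot,
                "rps": rps,
                "sources": len(sources),
                "distributed": len(sources) >= min_sources,
                "top_sources": sources.most_common(3),
            })
    return alerts


def format_log_line(ip: str, t: int, path: str = "/") -> str:
    """Write one combined-format line (used only to build the constructed sample)."""
    ts = datetime.fromtimestamp(t, tz=timezone.utc).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'


def build_sample_log():
    """Constructed sample, not real traffic: 20 s of normal load (one request per second
    from a handful of clients) followed by 10 s in which 50 bots each send 12 requests/s."""
    base = 1675900800  # 2023-02-09 00:00:00 UTC
    lines = [format_log_line(f"203.0.113.{s % 5 + 1}", base + s) for s in range(20)]
    for s in range(20, 30):
        for bot in range(50):
            lines.extend(format_log_line(f"198.51.100.{bot + 1}", base + s, "/login")
                         for _ in range(12))
    return lines


if __name__ == "__main__":
    for alert in detect_floods(build_sample_log()):
        kind = "distributed" if alert["distributed"] else "single-source"
        print(f"{kind} flood at {alert['slot_start']}: {alert['rps']:.0f} req/s "
              f"from {alert['sources']} sources, top: {alert['top_sources']}")
```

In practice you would run this over a tail of the live log (or feed the same logic into your SIEM), derive the baseline from a quiet week rather than a constant, and use the “distributed” flag to decide whether blocking a few addresses will help or whether it is time to fail over to the cloud scrubbing provider.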

The best of both worlds is a hybrid solution that detects an attack on-premise early on and escalates to the cloud-based solution when it reaches a volume that the on-premise solution cannot handle. Some DDoS protection solutions use DNS redirection to persistently reroute all traffic through the protectors’ network, which is cloud-based and can be scaled up to match the attack. From there, the normal traffic can be rerouted to the target of the attack or their alternative architecture.

CISA encourages all network defenders and leaders to review these three documents:

Ransomware warning

Several security agencies and providers have warned that DDoS attacks are being used as cover for actual intrusions involving ransomware and data theft. In these attacks, the DDoS acts as a smokescreen, drawing attention from the far greater danger posed by the ransomware.



$800,000 recovered from Business Email Compromise attack

We continue to see the damaging repercussions of business email compromise (BEC) impacting organisations across the US and elsewhere. The Houston Chronicle reports that law enforcement seized $800,000 from a bank account used for pillaging funds from a construction management company.

The attack

BEC attacks revolve around an approach by a criminal who has compromised or spoofed an executive-level or business email account. In this case the attackers did both: they compromised the victim’s network and email to learn who paid the bills, then used a spoofed vendor address to redirect a payment.

As per the civil complaint, phishing attacks and / or malware were allegedly used to break into the business. The scammers then worked their way to the accounts department:

On or before July 13, 2022, Unidentified Conspirators gained access to Victim Company’s computer networks, including their email servers and accounts, through phishing attacks or the use of malware. The perpetrators identified employees of Victim Company responsible for financial obligations and their contacts with other entities. Using this information, Unidentified Conspirators used a spoofed email address, posed as an employee of Vendor, and ordered Victim Company to wire payment to the Prosperity Bank Account controlled by Unidentified Conspirators instead of Vendor’s account on file. Believing it was Vendor’s legitimate bank account, Victim Company wired $876,121.00 to the Prosperity Bank Account.

Once the attackers were inside the network with access to email, the BEC scheme was ready to begin.

This is where the attackers pose as suppliers or senior members of staff and attempt to convince people with access to funds to carry out urgent money transfers. These transfers are traditionally done via wiring the money overseas, although digital transactions of various kinds have increased in popularity in the last couple of years.

As per the Houston Chronicle, workers tied to financial dealings were identified, and then sent bogus emails.

In this case, the attackers posed as another engineering / construction firm and asked to have the funds wired to another bank in the US. The bank notified the victims that they were likely impacted by a fraudulent transfer and the US Secret Service executed a seizure warrant to recover the funds.

At the time of writing, neither the attackers nor the victims have been identified.

Reducing the risk of BEC

There are multiple ways to reduce the risk of BEC attacks. Several tips are listed in the Justice.gov release, many of which we have been advising for some time now. Here they are, along with some of our own:

  • Enable two-factor authentication (2FA) on email accounts. 2FA that uses hardware keys or FIDO2 devices is resistant to phishing, and all forms of 2FA are resistant to password guessing, brute force attacks, and password leaks.
  • Use designated individuals and a second, out-of-band check for wire transfers: confirm any new or changed bank details by phone, using a number already on file rather than one taken from the email.
  • Reduce the footprint of people in finance. Removing vulnerable people from publicly visible business sites such as LinkedIn or the company website can help shield them from attackers.
  • Use Malwarebytes EDR to block the tools scammers use to infiltrate organisations, like phishing sites, malware, and exploits.
  • Verify the authenticity of information included in correspondence and statements.
  • Pay using checks when the information cannot be independently verified.
  • Monitor email account access, and check for unauthorized email rules and forwarding settings.
  • Restrict wire transfers to known and previously verified accounts.
  • Have a clear and detailed Incident Response Plan.
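The “check for unauthorized email rules and forwarding settings” tip is easy to automate. The following Python script is an added example, not from the Justice.gov release: it audits a JSON export of a mailbox’s inbox rules for the three things BEC actors typically set up after getting into an account, namely auto-forwarding to an outside domain, rules that delete or hide finance-related mail so the victim never sees the vendor’s real replies, and throwaway rule names. The export shape follows the Microsoft Graph messageRule resource (an assumption; adjust the field names for another mail platform), the internal-domain and keyword lists are assumptions, and the sample export is constructed.

```python
import json

# Domains that count as "inside" the organisation (assumed for the example).
INTERNAL_DOMAINS = {"example.com"}
# Subject/body keywords attackers use to divert the finance team's mail (assumed list).
FINANCE_KEYWORDS = {"invoice", "wire", "payment", "bank", "remit", "ach", "transfer"}

# Constructed export, not real data. Field names follow the Microsoft Graph messageRule
# resource (assumed); 'moveToFolder' holds a folder name here for readability.
SAMPLE_RULES_JSON = """
[
  {"displayName": "Newsletters", "isEnabled": true,
   "conditions": {"fromAddresses": [{"emailAddress": {"address": "news@vendor.example.net"}}]},
   "actions": {"moveToFolder": "Newsletters", "stopProcessingRules": true}},
  {"displayName": ".", "isEnabled": true,
   "conditions": {"bodyOrSubjectContains": ["invoice", "wire transfer", "payment"]},
   "actions": {"delete": true, "markAsRead": true}},
  {"displayName": "Sync", "isEnabled": true,
   "conditions": {},
   "actions": {"forwardTo": [{"emailAddress": {"address": "ap.backup.mail@gmail.com"}}]}},
  {"displayName": "Cover", "isEnabled": true,
   "conditions": {},
   "actions": {"redirectTo": [{"emailAddress": {"address": "colleague@example.com"}}]}}
]
"""


def rule_findings(rule, internal_domains=INTERNAL_DOMAINS):
    """Return a list of reasons this rule looks like a BEC foothold (empty = nothing odd)."""
    findings = []
    actions = rule.get("actions", {})
    conditions = rule.get("conditions", {})

    # 1. Mail leaving the organisation automatically.
    for action in ("forwardTo", "forwardAsAttachmentTo", "redirectTo"):
        for recipient in actions.get(action, []):
            address = recipient.get("emailAddress", {}).get("address", "").lower()
            domain = address.rpartition("@")[2]
            if domain and domain not in internal_domains:
                findings.append(f"{action} external address {address}")

    # 2. Mail being hidden from the mailbox owner, especially finance-related mail.
    words = " ".join(
        w for key in ("subjectContains", "bodyContains", "bodyOrSubjectContains")
        for w in conditions.get(key, [])
    ).lower()
    finance_hit = any(k in words for k in FINANCE_KEYWORDS)
    hides = actions.get("delete") or actions.get("moveToFolder")
    if hides and finance_hit:
        findings.append("hides finance-related mail (delete/move on keyword match)")
    if actions.get("delete") and not conditions:
        findings.append("deletes all incoming mail")

    # 3. Attackers tend to give rules blank or one-character names.
    if len(rule.get("displayName", "").strip(" .-_")) == 0:
        findings.append("blank or placeholder rule name")
    return findings


def audit_rules(rules_json: str, internal_domains=INTERNAL_DOMAINS):
    """Map rule name -> findings for every enabled rule that has at least one finding."""
    report = {}
    for rule in json.loads(rules_json):
        if not rule.get("isEnabled", True):
            continue
        findings = rule_findings(rule, internal_domains)
        if findings:
            report[rule.get("displayName", "<unnamed>")] = findings
    return report


if __name__ == "__main__":
    for name, reasons in audit_rules(SAMPLE_RULES_JSON).items():
        print(f"rule {name!r}: " + "; ".join(reasons))
```

Run it against every mailbox, not only the finance team’s, since the attacker in the case above first read other people’s mail to find out who handled payments. Alongside the rule audit, also review mailbox-level forwarding settings and any new OAuth app consents, which are two other places the same persistence hides.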

Stay safe out there!



Introducing Malwarebytes Application Block: How to block unauthorized software from executing on Windows endpoints

Malwarebytes is excited to announce Application Block, a new module for Nebula and OneView for MSPs which lets organizations easily block unwanted applications from launching on Windows endpoints.

For as many applications out there that help you keep business running as usual, there are just as many that can spell big trouble for your network security. Threat actors can embed malicious code in seemingly legitimate applications, which end users then innocently execute on their Windows endpoints. (And the bad guys are in).

Or threat actors can find an application on your network with a known vulnerability for which no patch has been developed. (And again, they’re in.)

Application threats also don’t just stop at hoodie-wearing hackers: organizations also just might not want employees using unproductive or unapproved applications and the security risks that follow.

All of this is to say that having the ability to blocklist certain applications from running is a key part of an effective layered defense. We released Application Block for Nebula to make it easy for under-resourced orgs to meet this important security requirement.

Let’s dive in to see how it works!

Features

  • Log and monitor blocked application activity on endpoints.
  • Block device access to specified software applications, though this does not include cloud applications.
  • Block list rules are created and applied to policies across the console or sites.
  • Dashboard and reporting for blocked applications.

For a technical overview of Application Block for Nebula, click here: https://service.malwarebytes.com/hc/en-us/sections/10604417341587-Application-Block

For a technical overview of Application Block for OneView, click here: https://service.malwarebytes.com/hc/en-us/sections/13023671722387-Application-Block

Enable Blocking

When setting or modifying a policy in the Nebula console, go to the Software management tab at the bottom.

There you’ll find the Application block option for Windows. Let’s go ahead and check it and then save this policy.


Block Rule Creation/Management

Heading over to the Monitor tab, we’ll find Application block near the bottom of the drop-down menu. Let’s click into that.

We’re taken to an activity log dashboard of blocked applications. Find the Rules tab near the top and click “New”.

Rules in Application Block for Nebula define which software applications and executables are blocked across your endpoints. We can apply this rule globally or to specific policies only. Basic application block rules select the Application or Vendor name to block the service. Advanced rules are available to use file information to block the service including Certificate property, File path, File property, and Hash value.

For example, we can create a rule that blocks VPN clients and torrent applications from running on a group of endpoints.

Let’s save this rule and head back over to our activity log!


Application Block Activity Log

The Activity Log tab displays blocked applications across all your managed endpoints. Blocked records are retained for approximately 90 days.

Each endpoint’s activity record shows details such as the agent version, the blocked application’s data, and the time it was blocked.

For auditing or external reporting purposes, you can also download the blocked-application activity to your local machine by selecting all, or checking the boxes for the specific rows you want, and clicking Export.


Blocked Applications dashboard widget showing activity over the last 30 days

We can get a full and quick picture of our endpoint data by heading over to the Nebula Dashboard. Here we can add, remove, and rearrange widgets—including one for Application Block—that give us insight into endpoints and detections in our environment.


Plugging the holes in your Windows endpoint security

Application Block is just the latest addition to our ever-expanding collection of security modules for Nebula, which include Vulnerability and Patch Management and DNS Filtering.

From within Nebula—our user-friendly console that you already use for endpoint protection and remediation—you can activate Application Block and immediately start blocking at-risk Windows applications. 

Have a burning question or want to learn more about Application Block? Get a quote.

Ryuk ransomware laundering leads to guilty plea

Ryuk, a mainstay of the ransomware scene for some years until it transformed into Conti (and then split off into other groups after that), is back in the news again… though not in the way you might have imagined.

It’s not a compromise, or a surprise comeback. What we have is a guilty plea, as a Russian citizen is the focus of a ransomware-centric money laundering story.

From shadows to spotlight

Hiding in plain sight does not seem to have gone well for “former crypto-exchange executive” Denis Mihaqlovic Dubnikov. After an arrest back in 2021 and an extradition to the US last year, he’s had some appearances in court (not to mention an assortment of other individuals tangled up in the case) accused of money laundering in relation to Ryuk attacks across the globe.

The Ryuk ransoms, paid in cryptocurrency such as Bitcoin, were split into smaller portions and then forwarded on to multiple cryptocurrency wallets and then placed into exchange accounts for other forms of currency. Eventually, the money would find its way into the hands of other people involved in the various schemes.

All of these cash daisy chains were to help evade detection by law enforcement.

From the indictment release:

The Ryuk actors used anonymous private wallets in their ransom notes, allowing them immediately to conceal the nature, location, source, ownership, and control of the ransom payments. After receiving the ransom payments, the Ryuk actors, defendants, and others involved in the scheme engaged in various financial transactions, including international financial transactions, to conceal the nature, source, location, ownership, and control of the ransom proceeds. They also used proceeds from the ransom payments to facilitate or promote the specified unlawful activities.

The ransom notes made it clear that files would be deleted after two weeks should ransoms not be paid. As you can imagine, this rather blunt threat tended to spur people quickly into paying up—in total around $150m was paid.

Big money prizes

The numbers involved in this case are rather large, to say the least. In a roughly four month span in the middle of 2019, one defendant “laundered more than $2 million in Ryuk ransom proceeds”. Another laundered more than $600 in March of that same year. These figures are typical of the figures listed next to the other as yet unnamed defendants. The biggest of all these weighs in with a tally of more than $35 million in ransom proceeds from around February 2020 to somewhere in July 2021.

It’s astonishing to think that all of this took place over a period of just three years.

Make no mistake, this was a big money operation. While we don’t know the exact details in relation to the other defendants, Bleeping Computer notes that Dubnikov could be facing up to 20 years in prison and a fine of up to $500,000, which doesn’t seem all that big compared to the kind of numbers the group was allegedly throwing around. Either way, we’ll know his fate come April.


How to avoid ransomware

While you likely don’t have to worry about Ryuk lurching onto your systems anytime soon, ransomware itself is a perennial problem and isn’t going away. It targets businesses, individuals, and every industry you can think of. There are bedroom coders, professional gangs, ransomware as a service, and much more.

Whether we’re talking single, double, or even triple threat ransomware, the problem is very real.

What can we do about it?

  • Have an incident response (IR) plan. Organizations should accept the fact that a cyberattack is likely to affect them at some point, whether they’re the direct victim or part of a supply chain. An IR plan can direct your responders on what to do in the event of a cybersecurity attack. This should include restoring from backups, client outreach, and reporting to law enforcement among others.
  • Educate your staff. Awareness goes a long way, and everyone in the company has a responsibility to keep the organization’s network safe. Staff should be taught social engineering tactics and red flags of a system attack, so they can alert the right personnel quickly should an attack occur.
  • Patch as soon as you can. Many threat actors get into networks by exploiting unpatched vulnerabilities. Have a patching plan in place to ensure that your organization’s network is protected against the latest and most exploited weaknesses.
  • Backup your files. Backups have saved a lot of organizations after a ransomware attack—provided they work. When you make a plan, ensure you also have provisions for backup testing.
  • Secure your Remote Desktop Protocol (RDP). RDP remains a fantastic way for attackers to gatecrash a network without you knowing about it. Don’t expose it directly to the internet; put it behind a VPN or gateway, require Network Level Authentication, use strong unique passwords, and enforce an account lockout policy so that login attempts are rate limited. Note that some of these settings may be enabled by default depending on which version of Windows is running.
  • Get an EDR solution. Malwarebytes Endpoint Detection and Response offers built-in ransomware protection, 72-hour ransomware rollback, and zero-day ransomware protection. In fact, we guarantee our Endpoint Detection and Response will stop a ransomware infection on your deployed systems, or we’ll refund your annual subscription fee. Try it here.
  • Learn more. If you want to read more about protecting your business from ransomware, take a look at our Ransomware Emergency Kit.


Stalkerware-type app developers fined by NY Attorney General

Stalkerware is a huge problem when it comes to intrusion into people’s personal lives. “Friends”, strangers, family members, abusive spouses and many more can potentially dabble in this malignant pastime and cause all manner of trouble for their target.

Thanks to the New York Attorney General’s office, some folks will shortly be made aware of a little extra something lurking on their devices, after it landed a developer with a $410,000 fine and a requirement to notify people that their devices are running monitoring software. 

A wealth of personal information

As far as the apps in question go, the release [PDF] explains what they can get up to without the device owner’s knowledge. This is a long extract, but it’s important to get a feel for just how much the device owner gives up privacy without knowing about it:

“Once installed on a Target Device, the Spyware App will copy information from the Target Device and transmit it to Respondents’ servers, where the information is made available for viewing by the purchaser of the Spyware App. Information copied and transmitted by Respondents’ Spyware Apps includes: call logs (including phone number, date, and call duration); text messages (including message content, date, and recipient); camera images and videos (including the image or video itself and date taken); location (including current latitude and longitude of the device); Gmail data (including an excerpt/snippet of the email message content, email subject, sender and recipient email address, and date); WhatsApp messages (including message text, sender, and date); Skype data (including message content, sender, and date); Facebook, Instagram, and Twitter data (including direct message content, date, and sender); and Google Chrome data (including browser history with URL and dates visited). “

Up until October 2021, which brought changes to both iOS and Android, these apps could have their icon hidden by whoever was in control of the app. All data grabbed by the app could be viewed by the controller via a web dashboard. This data was organised in a way which made it easy for the spyware controller to browse at leisure.

Of ads and reviews

On top of all of this, the respondents “misrepresented the legal risks of using the spyware products for covert spying”. In other words: Websites and adverts promoted use of these tools in a positive light, with no clear references to how you could land yourself in legal hot water by using them. It’s all “catching your cheating partner in the act” and “relationship advice”, and not “covert spying on people without their permission could well be illegal in your region”.

Last but not least, there was no indication of affiliation with supposedly independent third-party review websites covering the spying tools in question. If this all sounds like a recipe for disaster for the app developers, you’d be right. The real shame is that some of these tools have been available since “at least” 2011. Better late than never?

All’s well that ends well?

This isn’t a one and done issue. Going forward, devices on which these apps are installed must receive a proper notification:

“In addition, Hinchy’s companies must modify the apps and software so that the owner of the device being monitored is notified and informed of the types of information collected by the app or software and made available for viewing by the user of the product. The agreement further requires Hinchy and his companies to make accurate disclosures regarding endorsements, rooting and jailbreaking requirements, refund policies, and data security.”

With no real way to dodge proper notification, this is a serious blow to software which is heavily reliant on being as invisible as possible. We can only hope that this gives some more app developers pause for thought. 



Encrypted messaging service eavesdropped on by police, users arrested

After eavesdropping on yet another encrypted messaging service for five months, law enforcement agencies decided to shut down the service that was popular among members of organized crime groups.

The service called Exclu claims to use the “most secure encryption protocols”, as well as end-to-end encryption to ensure that only the sender and the person they’re communicating with can read what’s sent, not even Exclu itself.

That these claims were not entirely true can be concluded from 42 arrests on Friday, February 3, 2023 in the Netherlands, Belgium, and Germany. Among those arrested were not only users of the messaging service, but also the owners and operators of Exclu.

Exclu

Exclu was an app marketed as an end-to-end-encrypted messaging service and users paid €500 (roughly $540) for three months’ use. The police estimate there were some 3000 users, most of them involved in criminal activities and many of them part of organized crime groups.

Exclu joins a list of encrypted messaging services—including Ennetcom, Encrochat, and Sky ECC—that eventually saw a lot of their users getting arrested. And let’s not forget the fake An0m service that was set up and run by law enforcement in a sting operation.

You’d almost recommend criminals to save themselves some money and use WhatsApp or Signal, but maybe it’s better this way.

Broken how?

Assuming that the Exclu operators knew what they were doing, how is it possible that law enforcement could listen in on end-to-end encrypted messages?

Options that are available to various levels of law enforcement include, but are not limited to:

  • Eavesdropping on unencrypted or misconfigured communications of a suspect’s contact.
  • Collecting unencrypted metadata to characterize the encrypted data.
  • Detaining the suspect indefinitely until they “voluntarily” decrypt the device.
  • Grabbing unencrypted data at rest.
  • Eavesdropping on other channels where the suspect describes the encrypted data.

I think the most important clue can be found in the statement by the German department of justice (Generalstaatsanwalt). It says the investigation, which was initiated in 2020, came about after finding a “Cyberbunker” in Germany’s Traben-Trarbach, where the messaging service was hosted and operated from. Seizing a server or copying the contents of a server could provide the investigators with enough data at rest, clues about weaknesses in the encryption routine, or even encryption keys to enable eavesdropping on all or some conversations.

In the case of Ennetcom, the Dutch police managed to decrypt a number of messages stored on a server found in Canada, despite a similar claim that messages supposedly were being protected with end-to-end encryption. The Dutch police were contacted in 2020 by German police to assist in the investigation, and have had quite a lot of experience with this kind of operation.

Encryption and law enforcement

Listening in on the conversations of people that you have no evidence against is not allowed in many countries. But in this case, the authorities had very good reason to assume that this was a service provided with the intention to enable organized crime.

The high fees may explain why many of the Exclu clientele operated on the wrong side of the law. Other parties that might have a vested interest in keeping their chat messages secret include government parties, journalists, security professionals, or lawyers. However, there are cheaper alternatives for legitimate secret-keeping that law enforcement does not target.

Thankfully, breaking encryption is not easy, and doing so usually depends on a flaw in the implementation rather than in the algorithm. More often, eavesdropping depends on being able to intercept messages before they are encrypted on the sender’s end or after they are decrypted on the receiver’s end, or on finding one or more keys on a server.


We don’t just report on encryption—we offer you the option to use it.

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

Update now! GoAnywhere MFT zero-day patched

An emergency patch (7.1.2) has been released for an actively exploited zero-day vulnerability in the GoAnywhere MFT administrator console.

GoAnywhere MFT (managed file transfer) is a software solution that allows businesses to manage and exchange files in a secure and compliant way. According to its website, it caters to more than 3,000 organizations, mostly those with more than 10,000 employees and over $1 billion in revenue.

Some of these organizations are part of critical infrastructure, such as local governments, financial companies, healthcare organizations, energy firms, and technology manufacturers. A breach resulting from GoAnywhere exploitation could lead to a serious supply chain attack.

Fortra (formerly HelpSystems), the company behind GoAnywhere MFT and Cobalt Strike, released the patch to close the vulnerability, which allows unauthenticated remote code execution when the administrator console is exposed to the public internet. Florian Hauser (@frycos), IT security consultant at Code White, released a proof-of-concept (PoC) exploit for the vulnerability on Monday.

Brian Krebs of KrebsOnSecurity graciously shared what Fortra said in its advisory, which can only be accessed by creating a free account:

“The attack vector of this exploit requires access to the administrative console of the application, which in most cases is accessible only from within a private company network, through VPN, or by allow-listed IP addresses (when running in cloud environments, such as Azure or AWS).” However, a scan using Shodan, the search engine for internet-connected devices, turned up roughly a thousand exposed GoAnywhere admin panels, the majority of them in Europe and the US.

Shodan results from a search by security researcher Kevin Beaumont, who noted that GoAnywhere admin consoles listen on ports 8000 and 8001. (Source: Kevin Beaumont on Mastodon)

Fortra urges clients to apply emergency patch 7.1.2 as quickly as possible. If for some reason you can't, Fortra says you should follow the mitigation steps it published days earlier, which involve restricting access so that the administrator console can only be reached from trusted sources, or disabling the licensing service altogether. The advisory also shares a technical mitigation configuration.

Furthermore, if clients suspect that attackers have already compromised their systems, they must take the following additional steps after applying the mitigations:

  • Rotate the master encryption key.
  • Reset credentials.
  • Review audit logs and delete suspicious admin or user accounts.
  • Contact Fortra support by going to its portal, emailing technicians at goanywhere.support@helpsystems.com, or calling 402-944-4242.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Ransomware review: February 2023

Malwarebytes Threat Intelligence builds a monthly picture of ransomware activity by monitoring the information published by ransomware gangs on their Dark Web leak sites. This information represents victims who were successfully attacked but opted not to pay a ransom.

LockBit started off the new year just as it ended the last one, topping the charts once again as January’s most prolific ransomware-as-a-service (RaaS). The Hive ransomware group meanwhile found itself shut down by the FBI.

It’s not all old news for LockBit, however: Last month the gang was seen using a new Conti-based encryptor named ‘LockBit Green’. This latest version, the third from the gang after LockBit Red and LockBit Black, shares 89% of its code with Conti v3 ransomware and has already been used to attack at least five victims.

Considering the success of LockBit Black, it is unclear why the gang is offering a new variant. One possible explanation is that it wants to attract affiliates who are more comfortable with Conti-based ransomware, such as ex-Conti members. Expanding marketing operations, so to speak.

A post on the Dark Web by LockBit (translated from the original Russian) suggests the group is supplementing the ransomware (“lockers”) it already sells, rather than replacing it:

I have repeatedly said that I want to collect as many top lockers as possible in one panel, who have well-known and good sources lying around, write – I will buy. I don’t care what the reviewers think and say. It is important for me to expand the arsenal in my wonderful panel. Each advert decides for himself what to work with or combines several lockers in an attack on one company if time permits. Agree, it would be nice if I had some other Petya Ransomware or something else epic in my panel?

Known ransomware attacks by gang in January 2023

Known ransomware attacks by country in January 2023

Known ransomware attacks by industry sector in January 2023

While LockBit was plowing through the new year, however, there was nothing but radio silence from another notorious ransomware player: BlackBasta. Ever since we started tracking it in April 2022, BlackBasta’s high placement among the other ransomware groups has been more or less a foregone conclusion every month. Its absence in January therefore bears mentioning.

Judging a gang's activity from its leak site is complicated by the fact that the site only shows companies that didn’t pay a ransom, so an extremely successful month also looks like an inactive month. A month in which nobody refused to pay would be hugely unusual, though.

Having said that, the Black Basta News Tor site, where it publishes new victims, has been down for several weeks. We saw that it was reactivated on January 22, but the next day it went down again. The backend to the site used to contact the victims seems to be down as well.

The BlackBasta contact site

On the other hand, attacks by Vice Society—the ransomware gang responsible for an infamous attack on the LA Unified School District—have shot up to their highest level in three months. Vice Society is believed to be a Russia-based group whose preferred prey appears to be universities, colleges, and K-12 schools. The Federal Bureau of Investigation (FBI) even released a joint Cybersecurity Advisory (CSA) in September, after observing that Vice Society has disproportionately targeted the education sector.

In January, Vice Society published the data of nine schools on its leak site. It’s perhaps not a coincidence then that attacks on the education sector are the highest they have been in three months.

Last month we introduced a newcomer named Endurance, a solo actor who successfully infiltrated big corporations and breached several US government entities. In January the lone wolf managed to crack the top five biggest ransomware gangs for the month, launching successful attacks on places such as car marketplace Autotrader, where they stole data belonging to 1.4 million users. Another newcomer we introduced last month, Unsafe, which recycles leaks from other ransomware groups, added seven new victims to its rap sheet in January.

Play’s December surge in activity fell by about 76% in January. At the same time, we witnessed the ‘return of the dead’ with AvosLocker, which placed itself back on the map for the first time since October 2022.

Hive seized

Hive ransomware is no stranger to the Threat Intelligence team: It was one of the most widely used RaaS in 2022, and if its 15 attacks in December were any indication, Hive showed no signs of slowing down going into the new year.

Hive’s final chapter came to a close in late January, however, after the United States Department of Justice (DoJ) confirmed it had launched a successful disruption campaign against them.

Known attacks by ransomware gangs, based on data leaked since April 2022

The FBI had reportedly had access to Hive’s infrastructure since July 2022. That access became public on Thursday, when Hive’s Dark Web site began showing a notice that “this hidden site has been seized”.

According to the DoJ, the Hive ransomware group has targeted over 1,500 victims in over 80 countries, including hospitals, school districts, financial firms, and critical infrastructure, attempting to extort hundreds of millions of dollars from victims in the United States and around the world.

We can’t say we’re sad to see them go.

What’s left of the Hive leak site

Nevada Ransomware

Nevada is a relatively new ransomware which emerged on the Dark Web right before the start of 2023, but it wasn’t until late January that it got a serious upgrade.

On December 10, an actor named ‘nebel’ published a post promoting the project on the RAMP underground community, which is known as a space for initial access brokers (IABs) and Russian and Chinese hackers. On January 30, researchers at Resecurity released a report on how the operators behind the project “updated and significantly improved the functionality of the locker for Windows and Linux/ESXi, and distributed new builds for their affiliates”.

Nevada ransomware promotion on RAMP

Ransomware revenue down

According to blockchain data platform Chainalysis, ransomware revenue “plummeted” from $765.6 million in 2021 to at least $456.8 million in 2022. The data is based on an analysis of the cryptocurrency addresses known to be controlled by ransomware attackers.

Total value received by ransomware gangs 2017-2022
Image courtesy of Chainalysis

While the real numbers are likely much higher, the data does give an idea of how ransomware payments are developing. Such figures get revised upward as more attacker-controlled addresses are identified: Last year’s initial estimate for 2021 was $602 million, which looked like a decline, but after correction to $765 million it turned out to be a small gain.

According to our own research and Chainalysis, the declining numbers are likely due to victim organizations increasingly refusing to pay ransomware attackers.

In our Ransomware Emergency Kit, you’ll find tips your organization needs to defend against RaaS gangs. 


ION starts bringing customers back online after LockBit ransomware attack

ION Group, a financial software firm, is reportedly beginning to bring clients back online after being hit by a ransomware attack late last week.

The Russian-linked LockBit ransomware group claimed responsibility for attacking a division of ION Group, which affected 42 clients in Europe and the United States. The incident forced several banks and brokers to process trades manually.

The subsidiary, ION Cleared Derivatives, which offers software for automating the trading cycle and the clearing process for derivatives, released a very short statement regarding the “cybersecurity event” on Tuesday.

The incident is contained to a specific environment, all the affected servers are disconnected, and remediation of services is ongoing. Further updates will be posted when available.

In a statement last week, Todd Conklin, Deputy Assistant Secretary at the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection, said the disruption to Cleared Derivatives’ platform does not pose a “systemic risk to the financial sector”, adding that the incident is isolated to a small number of smaller and mid-size firms. “We remain connected with key financial sector partners, and will advise of any changes to this assessment,” he said.

The ION Group leak site post (Source: Malwarebytes)

On Friday, February 3, the ransomware group claimed the ransom had been paid, with Reuters quoting the attackers as saying the money was paid by a “very rich unknown philanthropist”. Both ION and LockBit declined to reveal further details.

In an interview with The Register, Tom Kellermann, senior VP of cyber strategy at Contrast said that supply chain attacks like this are becoming common in the financial sector. “Shared service providers are being increasingly targeted by cybercrime cartels to manifest island hopping,” he said. “Cyberattacks in the financial sector are no longer merely about conducting a heist but rather to hijack the digital transformation of the victim so as to launch attacks against their customer base.”

Last month, the LockBit ransomware group attacked Royal Mail during the first week and the Housing Authority of the City of Los Angeles (HACLA) just days after.

How to avoid ransomware

There is no doubt that organizations of every kind remain in the crosshairs, and attackers can strike at any time. Thankfully, there are ways organizations can reduce their risk of suffering a ransomware attack.

  • Have an incident response (IR) plan. Organizations should accept that a cyberattack is likely to affect them at some point, whether as the direct victim or as part of a supply chain. An IR plan tells your responders what to do in the event of an attack. This should include restoring from backups, client outreach, and reporting to law enforcement, among other things.
  • Educate your staff. Awareness goes a long way, and everyone in the company has a responsibility to keep the organization’s network safe. Staff should be taught social engineering tactics and red flags of a system attack, so they can alert the right personnel quickly should an attack occur.
  • Patch as soon as you can. Many threat actors get into networks by exploiting unpatched vulnerabilities. Have a patching plan in place to ensure that your organization’s network is protected against the latest and most exploited weaknesses.
  • Back up your files. Backups have saved a lot of organizations after a ransomware attack—provided they work. When you make a plan, ensure you also have provisions for backup testing.
  • Get an EDR solution. Malwarebytes Endpoint Detection and Response offers built-in ransomware protection, 72-hour ransomware rollback, and zero-day ransomware protection. In fact, we guarantee our Endpoint Detection and Response will stop a ransomware infection on your deployed systems, or we’ll refund your annual subscription fee. Try it here.
  • Learn more. If you want to read more about protecting your business from ransomware, take a look at our Ransomware Emergency Kit.

Stay safe!
