IT NEWS

The intel you need to secure your business—delivered straight to your inbox

From industry tips and best practices to the latest Malwarebytes product releases and how-tos, our Business newsletter is chock-full of the best of our business blog. Subscribe to our Business newsletter today.

Now more than ever, threat actors are trying to attack company networks. In fact, there were 50% more attack attempts per week on corporate networks globally in 2021 than in 2020.

Small-and-medium-sized businesses need to be on the lookout particularly, as cybercriminals are more likely to target them for their perceived (and sometimes actual) lack of cyberdefenses.

This article focuses on helping to prevent cyberattacks purely through technology; though of course, businesses need a combination of technology, people, and strategy to truly become cyber resilient. 

That being said, security experts advise against relying solely on a single technology or technique to protect business endpoints. Effective prevention requires a layered approach capable of addressing not only today’s threats, but preventing tomorrow’s as well. 

In this post, we break down five must-have technologies that help prevent cyberattacks for SMBs.

Your level of prevention is determined by how much risk you accept to take on

There are two extremes to prevent cyberattacks: Overly permissive prevention and absolute prevention—and where you fall on that spectrum depends on the level of risk in your organization.

Let’s start over at one end of the extreme. 

In the medical industry for example, doctors in large hospitals use a virtual machine. The machine they use operates in a virtual environment, and that virtual environment is destroyed and recreated when they log back in in another room. They can’t install anything or change anything. Data is kept separate. 

Moving towards the other end of the extreme, you might find startups or smaller companies with very lax prevention. Something like, “Here’s a laptop. We’ve provided you with the basic software, call us if you have a problem.”

What’s important to note here is that, because the risk level of every organization is different, there’s no “one-size-fits-all” approach to prevent cyberattacks. Your level of prevention will vary drastically depending on industry, company size, and so on.

Having said that, the average small-to-medium-sized business falls somewhere in the middle of these two extremes. At a medium level of risk, you want to find that perfect balance between too strict and too permissive. 

Remember the maxim: The cyberattacks you cannot prevent, you need to mitigate. For mitigation, we assume your business uses (outsources) endpoint detection and response—but you still need the right technology to prevent cyberattacks in the first place. Especially ransomware. 

Read Our Defender’s Guide to Ransomware Resilience!

The question for any IT leader then is: What can I prevent, without slowing down my business?

5 technologies that help prevent cyber attacks for SMBs (ranked in order of importance)

(Note: these aren’t hard-and-fast rankings, just a good rule of thumb. They may look different for your individual business—for example, you might put 2FA first before anything else and that’s totally OK.)

1. Endpoint protection

Before anything else, endpoint protection should be the first thing you set out to pair with your EDR.

Through a combination of web protection, application hardening, and more, EP provides businesses with full attack chain protection against both known and unknown malware, ransomware, and zero-hour threats. Multi-stage attack protection provides the ability to stop an attacker at every step.

Read our “Endpoint Protection Buyers Guide” for details of the core requirements to help you navigate your enterprise endpoint protection solution analysis, which provides a solution questionnaire to help you with your evaluation process.

Read more: What is endpoint protection?

2. Vulnerability assessment AND patch management (tied) 

Hold on a sec, you’re telling me vulnerability assessment and patch management are preventative? Don’t both of these mitigate being compromised, since the vulnerability is already technically present?

Well, sure—but the only surefire way to prevent a vulnerability from being exploited is through patching it. Therefore, the process of finding vulnerabilities (and categorizing them by severity) so that you can then systematically patch them before they can be exploited, are two vital preventative measures.

And no, you don’t want to do either of these things manually if you can help it. A vulnerability assessment platform can automatically find and score vulnerabilities with the Common Vulnerability Scoring System (CVSS), while a patch management platform can help you patch those vulnerabilities automatically.

Read more: Vulnerability response for SMBs: The Malwarebytes approach

3. DNS filtering

The next technology you need to prevent cyberattacks is a DNS filter. But first, a little bit about what DNS (domain name system) is. 

Every time a customer types in your web address, their computer makes a request to a DNS server. The DNS server, in turn, tells the computer where to go. If all goes well, then voila, your customer is at your website. 

A DNS filter prevents you from accessing unsafe websites—including those posing a strong malware risk. But which web-based cyberthreats in particular does DNS filtering stop, you ask? There are three big ones:

• Phishing: If you have a DNS filter, as soon as someone in your business clicks a link to a malicious website, they’re prevented from visiting it. 

• DDoS attacks: Being able to continuously monitor DNS activity is a great way to catch the warning signs of a DNS DDoS attack—and with a DNS filter, you can do exactly that.

• Machine-in-the-middle attacks: A good DNS filter uses DNS encryption, which secures the connection between your computer and the DNS resolver. That way, cybercriminals cannot sit between you and feed you spoofed DNS entries.

Read more: 3 ways DNS filtering can save SMBs from cyberattacks

4. Cloud scanning

No matter what cloud storage service you use, you likely store a lot of data: A mid-sized company can easily have over 40TB of data stored in the form of millions of files. 

Needless to say, it can be difficult to monitor and control all the activity in and out of cloud storage repositories, making it easy for malware to hide in the noise as it makes its way to the cloud. That’s where cloud storage scanning comes in.

Most cloud storage apps already have malware-scanning capabilities. However, businesses use multiple different cloud storage repositories, and due to lack of integration options, they are unable to get a centralized view of all of their scan results, across multiple repositories, in a single pane of glass.

To better prevent cyberattacks, look for a cloud scanning service that uses multiple anti-malware engines, using a combination of signatures, heuristics and machine learning to increase detection rates. Also, look for one that provides a comprehensive view to monitor the health of all your enterprise data.

Read more: Cloud-based malware is on the rise. How can you secure your business?

5. 2FA

Two-factor authentication (2FA) is a cost-effective option for SMBs. 2FA adds an extra layer of protection by asking users to provide two forms of identification to prove their validity.

According to Robert Zamani, Regional Vice President, Americas Solutions Engineering at Malwarebytes, 2FA is relatively quick and easy to implement.

“2FA is simple.” says Zamani. “You roll a device quickly, you enroll a device—that’s something they have, which is usually a smartphone—something they know, which is a password—and then you enforce password minimum.”

Read more: Understanding the basics of two-factor authentication

Bonus: Cyber insurance 

OK, it’s not a technology, but hear me out.

Let’s say your business has just suffered a data breach and it’s time to dig deep in your pockets to pay all the resulting expenses. Without cyber insurance, you can expect to pay a dizzying amount of cash.

In 2022 alone, the average cost of a data breach for businesses under 1,000 employees was close to $3 million—and these costs are coming from activities that cyber insurers typically cover, such as detecting and responding to the breach.

So when it comes to preventing having to pay huge out of pocket costs in the event that you’re hit with a cyberattack, cyber insurance is a must. The harsh truth is that if you don’t have cyber insurance and are hit with ransomware with no way to recover files, you will likely go out of business—especially if you’re a small-and-medium-sized business. 

Read more: 4 ways businesses can save money on cyber insurance 

A “Matryoshka approach” to cyber prevention

Let’s recap. 

Relying solely on a single technology or technique to protect your businesses’ endpoints is a fool’s errand. 

At the same time, we have to understand that each business has different needs when it comes to prevention: Your level of risk is the chief decider of what tech you ultimately employ to prevent cyberattacks. Depending on your industry and company size, you could justifiably use all of these technologies and more—or none of them.

However, most SMBs will find themselves in the middle of the risk-prevention spectrum. To that end, the following are strongly recommended: Endpoint protection, VPM, DNS filtering, cloud storage scanning, and 2FA (and cyber insurance!). 

Of course, you can’t prevent 100% of threats. Therefore, you need an EDR solution to detect and respond to what does get through. That is to say, you should pair any preventative technology with an EDR solution, and a good EDR can seamlessly integrate with all of the preventative technologies listed here.

Want to see what effective prevention and response look like in action? See below for a live demonstration of Malwarebytes Endpoint Detection and Response (EDR):

TAKE ME TO a LIVE DEMO OF EDR!

The “passwordless future” is something many internet users—and a great majority of the cybersecurity industry—have hoped for. Now Apple is about to make those hopes a reality.

With the release of iOS 16 yesterday, and macOS Ventura next month, Apple fans will be able to use passkeys, its password replacement, for iPhones, iPads, and Macs. The word “passkey” is not unique to Apple, however. Microsoft and Google are using the term, too.

Apple’s passkey works like a password in that it is built into entry boxes where you put your password. It also acts as a digital key that users create to access their apps or websites.

A video demonstrating passkey’s use in Apple’s WWDC 2022 event shows a prompt on the user’s device before sign-in or during account creation, asking if they would like to “save a passkey” for the account in use. Once users say yes, they are prompted to authenticate the passkey creation using Face ID, Touch ID, or another method. The created passkey is stored in the user’s iCloud Keychain and synced across all Apple devices and Safari web browsers.

Whenever a passkey is created, the device’s system creates a pair of digital keys: public and secret keys. According to Garrett Davidson, an Apple engineer, in the demo video, these keys are created “securely and uniquely” for every account. The public key is stored on Apple’s servers, while the secret key is kept on the device.

When signing in to an account protected by a passkey, the website or app looks for the secret key kept safe on the device to prove that the user is who the user claims they are. And because Apple’s passkey is based on passwordless standards defined by the FIDO Alliance, it’s likely the passkey can be stored anywhere, including some password managers with a provision for the passkey, such as Dashlane.

Those with other devices besides Apple can still take advantage of passkey. However, how things are done is slightly different because passkeys won’t be stored on non-Apple devices. For example, accessing a browser account on a Windows machine would require a user to use a QR code containing a URL to a single-use encryption key and their iPhone. Once scanned, the machine and the device can communicate using end-to-end encryption via Bluetooth and share information.

“That means a QR code sent in an email or generated on a fake website won’t work, because a remote attacker won’t be able to receive the Bluetooth advertisement and complete the local exchange,” Davidson said in the video.

“This has the potential to be far superior to weak passwords and chosen by people who don’t use a password manager or don’t know how to choose a password,” said Thomas Reed, Malwarebytes’ Director for Mac & Mobile. “So even if this isn’t 100% perfect, it’s still going to be better than what most people are doing today.”

Users of WordPress may need to perform an urgent update related to the popular BackupBuddy plugin. BackupBuddy is a plugin which offers backup solutions designed to combat “hacks, malware, user error, deleted files, and running bad commands”. Unfortunately, running an older version of BackupBuddy could leave your site open to potential breaches. According to Security Week, the issue tagged as CVE-2022-31474 is down to an “insecure method of downloading the backups for local storing”. This results in people being able to grab files from the server without having been properly authenticated first.

Traversing a WordPress installation

The vulnerability is listed as a “Directory Traversal Vulnerability”, and affects users running BackupBuddy from version 8.5.8.0 up to 8.7.4.1. The developers make the following observations:

• Using this vulnerability, attackers can view the contents of any file on your server which is readable by the WordPress installation. Sensitive files could be made available to the attackers, which is not something you’d want to happen.
• The vulnerability is being actively exploited in the wild. Sometimes you get lucky and find that something has been patched before anyone can make use of it. This isn’t the case here, sadly.
• The developers have made the security update available to anybody running BackupBuddy, regardless of version. No matter which licence you’re using, you can apply the fix. In theory, there is no need for anyone, anywhere to be running a vulnerable installation with the fix available to install.

Next steps to take for BackupBuddy users

• Backup to version 8.7.5 right away. You should be doing this whether or not you’re concerned by the above security issue. Old versions of products frequently fall victim to additional security issues over time, especially if they’re no longer maintained.
• Reset your database password if you suspect there’s been a compromise of your WordPress installation.
• Change your WordPress salts. These are tools at your disposal used to help keep passwords for your site secure.
• Reset and update anything else not for public consumption in your wp-config.php, for example stored API keys for other services.

The risks of not updating your site and plugins

WordPress is an immensely popular target for people fully invested in site compromise. Hijacked sites can be used for SEO poisoning, redirecting to malicious sites, spam, malware installation, phishing, and more.

If you’re running BackupBuddy, go and check your current version and update right away. Once that’s done, it would be wise to ensure everything else on your WordPress installation is fully up to date too. Let’s not make it easy for those up to no good: It won’t help your business, or the people who make use of your site.

Google’s Pixel Update Bulletin for September included two security patches that are Pixel specific.

Both underlying vulnerabilities are rated critical and could lead to privilege escalation and device takeover.

The vulnerabilities

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These are the CVEs that are Pixel specific:

CVE-2022-20231: a critical Elevation of Privileges vulnerability in Trusty. This buffer overflow vulnerability allows a local application to escalate privileges on the system.

Trusty is a secure Operating System (OS) that provides a Trusted Execution Environment (TEE) for Android. The Trusty OS runs on the same processor as the Android OS, but Trusty is isolated from the rest of the system by both hardware and software. Trusty and Android run parallel to each other. Trusty has access to the full power of a device’s main processor and memory but is completely isolated. Trusty’s isolation is designed to protect it from malicious apps installed by the user and potential vulnerabilities that may be discovered in Android.

CVE-2022-20364: a critical Elevation of Privileges vulnerability in Kernel. The Android kernel is based on an upstream Linux Long Term Supported (LTS) kernel. At Google, LTS kernels are combined with Android-specific patches to form what are known as Android Common Kernels (ACKs). This buffer overflow vulnerability exists due to a boundary error within the kernel component. A local application can trigger memory corruption and execute arbitrary code with elevated privileges.

Buffer overflow

A buffer overflow occurs when a program or process attempts to write more data to a fixed-length block of memory, or buffer, than the buffer is allocated to hold. Buffers contain a defined amount of data. Any extra data could overwrite assigned data values in memory addresses adjacent to the destination buffer.

Elevation of privileges

Privilege escalation is the act of exploiting a bug, design flaw, or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions.

Mitigation

All supported Google devices will receive an update to the 2022-09-05 patch level. The update also includes patches for the 46 bugs that Google addressed in Android this month. We encourage all Pixel users to accept these updates to their devices.

To learn how to check a device’s security patch level, read the instructions on the Google device update schedule.

Stay safe, everyone!

On Monday, Apple released a long list of patched vulnerabilities to its software, including a new zero-day flaw affecting Macs and iPhones. The company revealed it’s aware that threat actors may have been actively exploiting this vulnerability, which is tracked as CVE-2022-32917.

As it’s a zero-day, nothing much is said about CVE-2022-32917, only that it may allow malformed applications to execute potentially malicious code with kernel privileges. Apple says it’s patched this flaw with improved bounds checks. Below is a list of products this bug affects:

• Macs running macOS Monterey 12.6 and macOS Big Sur 11.7
• iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

CVE-2022-32917 is the eighth zero-day flaw that Apple has addressed since the beginning of 2022. The first seven are as follows:

• CVE-2022-32894, a flaw in the iOS Kernel, was patched in August
• CVE-2022-32893, a flaw in WebKit, was patched in August
• CVE-2022-22674, an Intel Graphics Driver bug, was patched in March
• CVE-2022-22675, a bug in AppleACD, was patched in March
• CVE-2022-22620, a WebKit bug affecting iPhones, Macs, and iPads, was patched in February
• CVE-2022-22587, a privileged code execution flaw, was patched in January
• CVE-2022-22594, a web browser activity tracking flaw, was patched in January

As this latest vulnerability is already being exploited, it’s really important that you update your devices as soon as you can. Stay safe!

Steam users are once again under threat from a particularly sneaky tactic used to steal account details. As with so many Steam attacks currently, it accommodates for the possibility of users relying on Steam Guard Mobile Authentication for additional protection. It also makes use of a recent “browser within a browser” technique to harvest Steam credentials.

The attack leans into a common threat tactic where Steam is concerned, which is E-sports and other tournament related events. This is a tactic that has been around for years, and it usually takes one of two forms.

1. Steam users are asked via Steam Chat or forum posts to “vote” for someone’s favourite team on a competition website. These requests often come from compromised accounts themselves. The bogus site phishes the victim at what claims to be the voting stage. These sites may also ask users to turn off their Steam Guard protection before submitting their username and password.

2. Scammers ask Steam users to join a team or league, and direct them to malware or phishing pages.

It’s the second of these possibilities that is used as this particular scam’s launch pad.

A browser in a browser

In this case, people are asked if they can play. If not, they’re asked if they can at least vote for the scammer’s non-existent team. In this case, it’s a Roblox team in the “Metanola Cup”.

The fake site emulates what appears to be a site dedicated to organising and promoting various E-sport competitions and teams. This is where the sneaky part comes into play. This particular scam makes use of a “browser in a browser” attack first mentioned on Bleeping Computer in March of this year. The fake browser window sitting inside the real thing can make it very difficult to realise you’re looking at a phishing attempt.

In this case, most potential victims would assume the popup inside the main browser window, which appears to display the genuine Steam URL and “Valve Corp. [US]” next to the green padlock, is the real thing. It even detects your language from the browser preferences and then selects one of 27 different types.

Finally, the site asks for the user’s Steam Guard authentication code. This is the 2FA code displayed on the Steam mobile app when logging into your account. Without the code, you can’t login. The scammers will harvest these codes and either have the details entered automatically, or do it manually. If they choose to do this manually and they’re not around when victims are handing over details, their window for success is going to be quite short.

Avoiding Steam-focused attacks

As mentioned in the Bleeping Computer article, this is not an easy tactic to spot in the wild. Blocking JavaScript is one way to do it, but you risk compromising the functionality of many websites if you go down this path. The best defence is to studiously ignore any and all messages sent your way from strangers in relation to the below, and this includes topics unrelated to E-sports:

• Joining an E-sports league

• Joining or helping out an E-sports team

• Voting for a team or individual

• The promise of cheap items or trades/discounts

• Free games, bonus promotional offers and items

• The “I accidentally reported you” scam

Stay safe out there!

The in-person cybersecurity conference has returned.

More than two years after Covid-19 pushed nearly every in-person event online, cybersecurity has returned to the exhibition hall. In San Francisco earlier this year, thousands of cybersecurity professionals walked the halls of Moscone Center at RSA 2022. In Las Vegas just last month, even more hackers, security experts, and tech enthusiasts flooded the Mandalay Bay hotel, attending the conferences Black Hat and DEFCON. 

And at nearly all of these conferences—and many more to come—cybersecurity vendors are setting up shop to show off their latest, greatest, you-won’t-believe-we’ve-made-this product. 

The dizzying array of product names, features, and promises can overwhelm even the most veteran security professional, but for one specific group of attendee, sorting the value from the verve is all part of the job description. 

We’re talking today about managed service providers, or MSPs. 

MSPs are the tech support and cybersecurity backbone for so many small businesses. Dentists, mom-and-pop restaurants, bakeries, small markets, local newspapers, clothing stores, bed and breakfasts off the side of the road—all of these businesses need tech support because nearly everything they do, from processing credit card fees to storing patient information to managing room reservations, all of that, has a technical component to it today.

These businesses, unlike major corporations, rarely have the budget to hire a full-time staff member to provide tech support, so, instead, they rely on a managed service provider to be that support when needed. And so much of tech support today isn’t just setting up new employee devices or solving a website issue. Instead, it’s increasingly about providing cybersecurity. 

What that means, then, is that wading through the an onslaught of marketing speak at the latest cybersecurity conference is actually the responsibility of some MSPs. They have to decipher what tech tools will work not just for their own employees, but for the dozens if not hundreds of clients they support. 

Today, on the Lock and Code podcast with host David Ruiz, we speak with two experts at Malwarebytes about how MSPs can go about staying up to date on the latest technology while also vetting the vendors behind it. As our guests Eddie Phillips, strategic account manager, and Nadia Karatsoreos, senior MSP growth strategist, explain, the work of an MSP isn’t just to select the right tools, but to review whether the makers behind those tools are the right partners both for the MSP and its clients. 

As Karatsoreos said:

“You need to do your research… Do they have the right background to match what you’re offering? Do they have training for you? Do they have integrations? … Do they have a partner program? Because, as we know with MSPs, they don’t just want a product that just gets installed… They need that support of the partner program. Do they allow you to have a trial or a demo to make sure that it works in your environments? Are they constantly updating? And what does their security system look like? Are they protected?”

She continued:

“These are all things behind the technology that an MSP really needs to consider when considering those vendors.”

Tune in today to listen to Karatsoreos and Phillips discuss the many responsibilities of being an MSP today. 

If it takes a village to raise a child, apparently it takes Facebook a team to tell you what data the company keeps about you and where they keep it.

In the recently unsealed transcript of a hearing led by “Discovery Special Master” Daniel Garrie, an expert appointed by the court, two Facebook engineers were grilled regarding what user data the company keeps about its users and where they are. To everyone’s frustration, their response was, essentially, “We don’t know.”

The hearing is part of an ongoing lawsuit concerning the Facebook-Cambridge Analytica scandal.

Garrie has attempted to get Facebook to reveal where personal data is stored in its 55 subsystems, but two veteran Facebook engineers—Eugene Zarashaw and Steven Elia—who were present at the hearing, couldn’t give satisfying answers.

“I don’t believe there’s a single person that exists who could answer that question,” Zarashaw said, according to the transcript. “It would take a significant team effort to even be able to answer that question.”

The Intercept, which first reported this story, has noted Garrie’s seeming disbelief over simple questions left unanswered. However, the engineers’ inability to give solid answers as to where Facebook user data is kept doesn’t surprise Dina El-Kassaby, a spokesperson from Meta. In a statement, she said, “Our systems are sophisticated and it shouldn’t be a surprise that no single company engineer can answer every question about where each piece of user information is stored.”

“We’ve built one of the most comprehensive privacy programs to oversee data use across our operations and to carefully manage and protect people’s data. We have made—and continue making—significant investments to meet our privacy commitments and obligations, including extensive data controls.”

The engineers not knowing where user data is kept also lends credence to an internal document leaked in April 2022, claiming Facebook can’t tell where all the data it gathers comes from or is stored.

This internal document was written in 2021 by Facebook privacy engineers on the Ad and Business Product team, the group tasked to build and maintain the social network’s ads system.

“We do not have an adequate level of control and explainability over how our systems use data, and thus we can’t confidently make controlled policy changes or external commitments such as ‘we will not use X data for Y purpose.’ And, yet, this is exactly what regulators expect us to do, increasing our risk of mistakes and misrepresentation,” the document read.

Vulnerability Assessment:

Patch Management: 

More resources:

What is patch management?

What is vulnerability assessment?

Podcast: Why software has so many vulnerabilities

Last week on Malwarebytes Labs:

• Phishers use verified status as bait for Instagram users
• Microsoft will disable Basic authentication for Exchange Online in less than a month
• Zero-day puts a dent in Chrome’s mojo
• Update now! QNAP warns users DeadBolt is exploiting Photo Station vulnerability
• Don’t share the WhatsApp ‘Martinelli’ phone hacking alert: It’s a hoax
• YouTuber on the run after allegedly swiping $55m from followers
• Instagram receives record fine of $400M for abuse of children’s data
• InterContinental Hotels’ booking systems disrupted by cyberattack
• Warning issued about Vice Society ransomware targeting the education sector
• Sextortionists used mobile malware to steal nude videos, contact lists from victims
• How to set up an Android for your kids
• YouTube transparency report shows battle against misinformation
• Evasive Shikitega Linux malware drops Monero cryptominer
• Your HP Support Assistant needs an update!
• Vulnerability response for SMBs: The Malwarebytes approach
• Ransomware review: August 2022

Stay safe!