IT NEWS

Twilio breached after social engineering attack on employees

Cloud-based communication platform provider Twilio has announced a breach via a social engineering attack on employees.

On August 4, 2022, Twilio says it became aware of unauthorized access to information related to a limited number of Twilio customer accounts, through a social engineering attack designed to steal employee credentials.

Text messages

A number of current and former employees received text messages that appeared to come from Twilio’s IT department. The messages said either that the recipient’s password had expired or that their schedule had changed, and that they needed to log in. To increase their credibility, the URLs contained words including “Twilio,” “Okta,” and “SSO” (short for single sign-on), to trick users into clicking a link that led to a fake login site. There the attacker could intercept the login credentials and use them to access the compromised accounts.

The attackers must have put in some effort to link Twilio employees to their phone numbers. It seems likely they used data from one or more earlier breaches and searched it for Twilio employee names with phone numbers. It is tempting to assume it was one of the LinkedIn data breaches from 2021, because employer data would be needed, but unfortunately there are many other breach datasets that could be combined to the same end.

It certainly adds a layer of credibility to the attack, since most people don’t give their telephone number to just anyone, but their employer would have it.
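The lookalike-URL trick described above (brand words such as “Twilio”, “Okta” and “SSO” stuffed into a hostname or path on a domain the company does not own) is simple enough to check for automatically, for example in a mail/SMS gateway or a reporting bot. The following is an added example and is not code from Twilio or from the original article; the allowlisted domains, the keyword lists and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample messages modelled on the lures described above
# (not the actual texts Twilio staff received).
SAMPLES = [
    "IT: your password has expired, reset it at https://twilio-sso.example-login.net/okta",
    "Your schedule has changed, review it at https://sso.twilio.com/schedule",
    "Reminder: team lunch at noon",
]

# Assumption: the domains your genuine SSO/IT systems actually use.
ALLOWED_DOMAINS = {"twilio.com", "okta.com"}
# Brand words an attacker puts into a hostname or path to look legitimate.
BRAND_KEYWORDS = ("twilio", "okta", "sso")
# Pretexts typical of credential phishing.
URGENCY_CUES = ("password", "expired", "schedule", "log in", "login", "verify")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host):
    """Last two labels of a hostname.

    Deliberately naive: a production check should consult the Public Suffix
    List so that names such as example.co.uk are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def assess_url(url):
    """Return the reasons a URL looks like a credential-phishing lure ([] if none)."""
    reasons = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    domain = registrable_domain(host)
    if domain in ALLOWED_DOMAINS:
        return reasons                      # genuinely ours, whatever the path says
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("raw IP address as host")
    haystack = (host + parts.path).lower()
    hits = [word for word in BRAND_KEYWORDS if word in haystack]
    if hits:
        reasons.append(f"brand keywords {hits} on unapproved domain {domain}")
    return reasons


def assess_sms(text):
    """Return [(url, reasons)] for every URL in the message that looks like a lure."""
    findings = []
    lowered = text.lower()
    urgency = [cue for cue in URGENCY_CUES if cue in lowered]
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;)")            # drop trailing sentence punctuation
        reasons = assess_url(url)
        if reasons and urgency:
            reasons.append(f"urgency cues {urgency}")
        if reasons:
            findings.append((url, reasons))
    return findings


if __name__ == "__main__":
    for message in SAMPLES:
        print(repr(message))
        findings = assess_sms(message)
        if not findings:
            print("    no suspicious URL")
        for url, reasons in findings:
            print("   ", url, "->", "; ".join(reasons))
```

The first sample is flagged because all three brand words appear on a domain that is not on the allowlist and the text carries a password-expiry pretext; the second is left alone because its registrable domain is genuinely the company’s, which is the distinction users are asked to make by eye.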

Take down

Once Twilio confirmed the incident, its security team revoked access to the compromised employee accounts to mitigate the attack and a forensics firm was engaged to aid the ongoing investigation.

The text messages originated from US carrier networks, and Twilio says it worked with these carriers to shut down the numbers, and worked with the hosting providers serving the malicious URLs to shut those accounts down. It’s possible, however, that the attackers will continue to rotate through carriers and hosting providers to resume their attacks.

Twilio customers

Twilio has notified the affected customers. If you were not contacted by Twilio, then it means there is no evidence that your account was impacted by this attack.

Protection

By providing employees with mobile devices or allowing them to use personal smartphones for work, organizations have increased the possible number of targets for phishing campaigns.

Since employees’ phones are usually outside the scope of an organization’s security software, protection against this sort of attack is not easy.

The massive use of smartphones, tablets and mobile applications in our daily lives, for personal and professional purposes, has turned them into essential tools that we trust maybe a tad too much.

And it’s not just text messages you need to worry about. Social media, messaging apps, and even dating apps have created many other channels to deliver an attack.

Providing your employees with software that blocks malicious text messages and URLs is mostly effective against long-running campaigns whose numbers and domains have already been catalogued, so it’s likely that a short-lived one like this would have made it through.

The most effective strategy is education. Users need to learn to treat text messages with the same amount of suspicion as unexpected emails, especially if the text message contains a link.

Stay safe, everyone!

5 cybersecurity tips for students going back to school

The new school season is just around the corner. And while you are getting ready to go back to school, now is a good opportunity to check you are doing all you can to stay as safe as possible online.

Make sure you are doing these five things:

1. Use multi-factor authentication (MFA)

MFA has become a necessary security measure in a world where passwords still rule. It’s added security for your school-related accounts—and actually any online accounts you have, including social media.

MFA is an additional layer of security, after you enter your username and password. This could be a code generated by an app, a push notification you need to accept, a physical key you plug into your computer, or similar.

Use it wherever it is offered to you. Yes, it makes logging in take slightly longer, but it really does make your accounts safer.

2. Use strong passwords

By “strong”, we mean the best possible password string you can come up with. If, for example, your school IT administrator sets a maximum password length of 10 and allows a mix of letters and numbers, then make your password 10 characters long with as much complexity as the policy allows.

And while we’re on the subject of passwords, remember to use a unique password for each of your online accounts. If you use the same email and password combination for every account, then if one gets breached you have to assume they have all been breached.

Of course, it’s impossible to remember a strong password for every account you have. This is where password managers come in. They can generate passwords for you, and will remember them all too. Just make sure you use a super strong password for your password manager itself, and protect it with MFA.

Lastly, never share passwords with anyone.

3. Be wary of links and attachments

When it comes to phishing and malware campaigns, danger doesn’t just lurk in emails. It’s on social media, SMS, chat platforms, gaming platforms, and other online watering holes, too.

Remember: if someone sends you an unsolicited link or attachment, you’re right to be suspicious. Treat it as suspect, and if the sender is someone you know, verify with them first, preferably over a different channel from the one the link or attachment arrived on.

4. Share with caution

Students can do this in (at least) three ways:

  1. Limit what you share. Don’t give away personal details on social media, including those which tie you to your school.
  2. Be smart about what information you allow apps to access. Does that calendar app really need access to your location?
  3. For high school and college students, think twice before sharing private photos with someone. Consider that they may be shared with others, and how you might feel if that happened.

5. Lock down your files

The school does its part to secure your most important data, but you have a part to play, too.

You can start by locking down the devices you bring to school, such as your smartphone and laptop. Make sure there’s at least a password or code that stops anyone from casually picking up your device and opening it.

If you use the cloud to store files, learn how to secure that properly—the cloud-of-your-choice will have a guide on that. Remember, the cloud can only be as secure as you, the user, makes it.

It’s easy when you know how

Thankfully, securing data doesn’t get much more complicated for regular users than the five tips listed above. Remain vigilant and remind yourself that cybersecurity and privacy are shared goals and responsibilities: do your part in the same way that your school’s IT team is doing theirs.

Stay safe, and have a pleasant, risk-free school year ahead!

A week in security (August 1 – August 7)

Last week on Malwarebytes Labs:

Stay safe!

KMSpico explained: No, KMS is not “kill Microsoft”

Thanks to Pieter Arntz and the Threat Intelligence Team who contributed to the research.

A hack tool is a program that lets users activate software without a legitimate, purchased key. Hack tools are also often used to root devices in order to, among other things, remove barriers that stop users from installing apps from other markets. This is why the term “hack tool” is often used interchangeably with “crack tool” and “rooting program.”

Many seek such tools in the hope of getting more control over their devices, or out of necessity if the software they want to use requires them. In this post, we’ll focus on one hack tool that has long been relied on to activate pirated copies of Microsoft products for free: KMSPico.

What is KMSPico?

KMSPico (often stylized as KMSPICO or KMS Pico) uses an unofficial Key Management Service (KMS) server to activate Microsoft products, something several other hack tools also do. Here are some of Malwarebytes’ detection names for such tools:

  • RiskWare.AutoKMS
  • AutoKMS.HackTool.Patcher.DDS
  • RiskWare.KMS
  • HackTool.KMS
  • HackTool.Agent.KMS
  • HackTool.IdleKMS
  • HackTool.AutoKMS
  • HackTool.WinActivator

KMSPico is one of the most (if not the most) popular software activation tools for Windows and Office Suite, with millions of global users and endorsers. Funnily enough, it also seems to have a lot of “official websites.”

Searching for “official KMSpico site” on your favorite search engine yields thousands of results, including pages of posts from various portals warning internet users not to download KMSPico from Website A or Website B because it is malware. And they’re right.

Whatever KMSPico “official” website you find in your search results is undoubtedly fake, which leaves people wondering, or probably even believing, that KMSPico is a myth. This tool, however, is far from mythical. It does exist, and the latest version, 10.2.0, can only be downloaded from a members-only forum thread posted almost a decade ago.

How does it work?

To understand how KMSPico works, we should first understand how a KMS activation works.

KMS is a legitimate way to activate Windows and Office licenses on client computers, especially en masse (volume activation). Microsoft even documents how to set up a KMS activation host.

A KMS client connects to a KMS server (the activation host), which holds the KMS host key; the client itself is installed with a generic volume license key (GVLK) that only counts as activated while a KMS host vouches for it. Once a client has been activated, the activation is valid for 180 days (6 months), and by default the Microsoft product contacts the host every seven days to renew it, so a client that can keep reaching its host stays activated indefinitely. A KMS set-up is only viable for organizations with Volume Licensed (VL) Microsoft products, and a host will not activate anything until a minimum number of clients have asked it to.

This is what KMSPico exploits. Once installed on a user’s machine, it turns a retail installation of a Microsoft product into a “Volume Licensed” one simply by replacing the product key with the generic VL key (GVLK). KMSPico then points the client at an unofficial KMS server set up by the hack tool’s developer rather than by Microsoft or an organization, and that server accepts the activation request.

Note that if the KMSPico developer decides to kill that server, its users would no longer have an activated version of their Microsoft product once the 180-day activation window runs out.
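Because a KMS-activated product always knows which activation host it answers to, an administrator can spot this kind of set-up by reading the client’s KMS settings rather than hunting for the tool itself. The script below is an added example, not code from the article or from Microsoft: it parses the output of slmgr /dlv and flags a GVLK-activated product whose KMS host is the local machine or is not on an approved list. The approved host names are placeholders, the field names it keys on are taken from typical slmgr output, and the sample output is constructed for the example.

```python
import ipaddress
import os
import re
import subprocess
import sys

# Assumption: your organisation's genuine KMS activation hosts (placeholders).
APPROVED_KMS_HOSTS = {"kms01.corp.example", "kms02.corp.example"}

# Constructed sample in the shape of "cscript slmgr.vbs /dlv" output. The field
# names follow what slmgr prints; the values were written for this example.
SAMPLE_DLV = """\
Name: Windows(R), Professional edition
Description: Windows(R) Operating System, VOLUME_KMSCLIENT channel
Product Key Channel: Volume:GVLK
Partial Product Key: 3V66T
License Status: Licensed
Volume activation expiration: 250920 minute(s) (174 day(s))

Key Management Service client information
    Client Machine ID (CMID): 8d1c3f0e-0000-4000-8000-000000000000
    Registered KMS machine name: 127.0.0.2:1688
    KMS machine IP address: 127.0.0.2
    Activation interval: 120 minutes
    Renewal interval: 10080 minutes
"""


def parse_slmgr(text):
    """Turn 'Field: value' lines into a dict (first occurrence of a field wins)."""
    info = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            info.setdefault(key.strip(), value.strip())
    return info


def kms_host(info):
    """Host the client is pointed at: the registered name, else the DNS-discovered one."""
    raw = info.get("Registered KMS machine name") or info.get("KMS machine name from DNS") or ""
    host = raw.rsplit(":", 1)[0] if re.search(r":\d+$", raw) else raw   # strip :port
    return host.strip().lower()


def is_local(host):
    """True for loopback/unspecified addresses and 'localhost'."""
    try:
        addr = ipaddress.ip_address(host)
        return addr.is_loopback or addr.is_unspecified
    except ValueError:
        return host == "localhost"


def assess(info, approved=APPROVED_KMS_HOSTS):
    """Findings for a GVLK product that reports Licensed via a host we do not trust."""
    findings = []
    channel = info.get("Product Key Channel", "")
    licensed = info.get("License Status", "").lower().startswith("licensed")
    host = kms_host(info)
    if channel.startswith("Volume:GVLK") and licensed:
        if not host:
            findings.append("GVLK product reports Licensed but no KMS host is registered or discovered")
        elif is_local(host):
            findings.append(f"KMS host {host} is this machine: activation is served by something running locally")
        elif host not in approved:
            findings.append(f"KMS host {host} is not an approved activation host")
    return findings


def current_machine():
    """On Windows read the live slmgr output; elsewhere fall back to the sample."""
    if sys.platform == "win32":
        slmgr = os.path.join(os.environ["SystemRoot"], "System32", "slmgr.vbs")
        out = subprocess.run(["cscript", "//nologo", slmgr, "/dlv"],
                             capture_output=True, text=True, check=True).stdout
    else:
        out = SAMPLE_DLV
    return parse_slmgr(out)


if __name__ == "__main__":
    for finding in assess(current_machine()) or ["no unexpected KMS configuration"]:
        print(finding)
```

A host on 127.0.0.0/8 means the “KMS server” is a process on the same box, which is what an activation emulator looks like from the client side; a host outside your approved list is the case the article describes, where activation depends on infrastructure someone else controls. Run it across a fleet and compare the hosts it reports against your real activation hosts.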

Why we don’t recommend it

Hack tools can be classified as riskware, a category of software that may be risky to install on your computer or device. This is because a legitimate copy of the tool may be bundled with adware, or what claims to be the tool is actually malware named after popular software. Such is the case for KMSPico.

On top of that, using KMSPico violates Microsoft’s ToS (terms of service) for its products.

Our 2021 State of Malware report found that hack tools plagued our consumer and enterprise customers for the previous two years.

Perhaps the most critical data we have on KMS hack tools is that they ranked as a top threat for both consumers (with 2,118 percent growth) and enterprises (with 2,251 percent growth). We attribute this to the sudden change in work life caused by the move to working from home (WFH) during the COVID-19 pandemic: many employees, and potentially even employers, resorted to using cracked versions of Microsoft products.

Finally, regarding software updates and patching: it’s also likely that KMSPico blocks activated Microsoft products from “calling home.” If it does, that would stop those products from getting updates or patches, leaving KMSPico users with very vulnerable Microsoft software.

Does Malwarebytes detect KMSPico?

Yes. We detect components from the same toolset. So if you have downloaded the KMSPico tool, expect your Malwarebytes product to alert you to files detected as HackTool.KMSpico, CrackTool.KMSPico, or both.

Patch now! Cisco VPN routers are vulnerable to remote control

Cisco has released a security advisory about several vulnerabilities in the Cisco Small Business RV series routers, covering the RV160, RV260, RV340, and RV345.

There are no workarounds available that address these vulnerabilities, so you need to patch.

Vulnerabilities

The vulnerabilities are dependent on one another—exploitation of one of the vulnerabilities may be required to exploit another vulnerability.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). You will find the ones included in these updates listed below.

CVE-2022-20842

CVE-2022-20842 is a vulnerability in the web-based management interface of the Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers. Exploitation of the vulnerability could allow an unauthenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly, resulting in a denial of service (DoS) condition.

This vulnerability is due to insufficient validation of user-supplied input to the web-based management interface. An attacker could exploit this vulnerability by sending crafted HTTP input to an affected device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system or cause the device to reload, resulting in a DoS condition.

CVE-2022-20827

CVE-2022-20827 is a vulnerability in the web filter database update feature of Cisco Small Business RV160, RV260, RV340, and RV345 series routers. Exploitation of the vulnerability could allow an unauthenticated, remote attacker to perform a command injection and execute commands on the underlying operating system with root privileges.

This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by submitting crafted input to the web filter database update feature.

CVE-2022-20841

CVE-2022-20841 is a vulnerability in the Open Plug and Play (PnP) module of Cisco Small Business RV160, RV260, RV340, and RV345 series routers. Exploitation of the vulnerability could allow an unauthenticated, remote attacker to inject and execute arbitrary commands on the underlying operating system.

This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending malicious input to an affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying Linux operating system. To exploit this vulnerability, an attacker must leverage a machine-in-the-middle position or have an established foothold on a specific network device connected to the affected router.

Input validation

After reading the vulnerability descriptions above you may wonder what “input validation” means, since its absence is the underlying issue in all three.

As you probably suspected, input validation is the name for the checks done on data entering a system. It ensures that only properly formed data enters the workflow of an information system. When a system does not properly validate its inputs, it gives threat actors a chance to attempt several kinds of attack, depending on the type of system; in the Cisco cases above, crafted input reaches an operating system shell, which is command injection.

Perhaps the best-known type is SQL injection, an attack used against databases. SQL commands are a mixture of actions (code) and the things being acted upon (data). External inputs that feed into SQL commands should only ever be interpreted as data. If they are interpreted as code, an attacker can inject input that changes the behaviour of the application’s SQL commands. The command injection flaws above are the same mistake with a different interpreter: input that should have stayed data reached an operating system shell as part of a command.

Insufficient input validation could allow an attacker to execute SQL commands that destroy your database or hand the attacker the data stored in it.
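To make the two bug classes on this page concrete, here is an added example (not Cisco’s code and not from the original article) that shows a command-injection-prone handler, modelled loosely on a “download a web filter database from this URL” feature, beside a hardened version that validates against an allowlist and never goes through a shell, followed by the SQL injection case the text describes, run against a small in-memory SQLite table. The handler, the URL allowlist pattern and the table rows are assumptions constructed for the example.

```python
import re
import sqlite3

# ---- Command injection: the bug class behind the router flaws above ---------

def build_update_command_vulnerable(url):
    """Splices raw input into a shell command line (shown for contrast only)."""
    # Run with shell=True, "https://x/db; id" executes a second command
    # after the download, with whatever privileges the handler has.
    return "wget -O /tmp/webfilter.db " + url

# Allowlist: https only, a DNS-style host, optional port, a conservative path.
URL_ALLOWED = re.compile(r"https://[A-Za-z0-9.-]+(:\d{1,5})?(/[A-Za-z0-9._~/-]*)?")

def build_update_command_hardened(url):
    """Validate against the allowlist, then return an argv list.

    An argv list is passed to the program directly, so shell metacharacters
    in the URL cannot change what gets executed even if validation is loosened.
    """
    if not URL_ALLOWED.fullmatch(url):
        raise ValueError(f"rejected input: {url!r}")
    return ["wget", "-O", "/tmp/webfilter.db", url]

def is_rejected(url):
    try:
        build_update_command_hardened(url)
        return False
    except ValueError:
        return True

# ---- SQL injection: the example used in the text above ----------------------

def make_db():
    """In-memory database with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, api_key TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "key-alice"), ("bob", "key-bob")])
    return conn

def lookup_vulnerable(conn, username):
    """Input becomes part of the SQL text, so a quote in it is parsed as code."""
    query = "SELECT api_key FROM users WHERE username = '" + username + "'"
    return sorted(row[0] for row in conn.execute(query))

def lookup_hardened(conn, username):
    """Parameter binding: the driver passes the value as data, never as SQL."""
    query = "SELECT api_key FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(query, (username,)))

PAYLOAD = "x' OR '1'='1"   # becomes: WHERE username = 'x' OR '1'='1'

def demo():
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, PAYLOAD),  # every key leaks
        "hardened": lookup_hardened(conn, PAYLOAD),      # no such user
        "legit": lookup_hardened(conn, "alice"),
    }

if __name__ == "__main__":
    for url in ("https://updates.example.net/webfilter.db",
                "https://updates.example.net/webfilter.db; id"):
        verdict = "rejected" if is_rejected(url) else build_update_command_hardened(url)
        print(f"{url!r}: {verdict}")
    for name, keys in demo().items():
        print(f"{name}: {keys}")
```

The two halves make the same point: validation decides what is allowed in, and the API choice (argv instead of a shell string, bound parameters instead of string concatenation) decides whether the input can ever be interpreted as code if validation is wrong.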

Mitigation

There are no workarounds that address these vulnerabilities but Cisco has released free software updates for them. Cisco states it is not aware of any public announcements or malicious use of the vulnerabilities. So, now is your chance to install those updates before that changes.

A list of releases in which these vulnerabilities have been fixed is available in the Cisco Security Advisory.

Stay safe, everyone!

The post Patch now! Cisco VPN routers are vulnerable to remote control appeared first on Malwarebytes Labs.

Phishy calls and emails play on energy cost increase fears

Gas and electricity price concerns are rife at the moment, with spiralling costs and bigger increases waiting down the line. Sadly this makes the subject valuable material for fraudsters, who play on people’s fears with a dash of social engineering to leave them worse off than they were before.

Warnings abound of several energy / cost of living-themed scams doing the rounds. Shall we take a look?

Identifiers of an attack

These attacks target individuals living in countries where oil or electricity prices are a concern. If you have an imminent set of price increases on the horizon, you may be a target. Phone calls, emails, whatever it takes to extract some cash. The UK is a particularly hot flashpoint for these fraud attempts at the moment.

The senders will typically claim to be from an organisation with authority. Maybe an energy watchdog, or a consumer rights group, or maybe an energy company.

Refunds, rebates, and discounts are generally the order of the day. There are a number of genuine schemes along these lines due to be rolled out at the moment, and you can expect fraudsters to ride on their coat-tails.

Energy refund scam types

Fake rebates

This scam involves cold calling and a spin on the (genuine) rebate plan put together by the British Government. Fraudsters inform potential victims that they need to hand over bank details in order to qualify. Normally we’d say “this is not true.” However, there are some cases where people do hand over payment information: local councils in the UK have contacted many people pre-emptively to arrange rebate payments, but lots of other residents have not been contacted, and that is where the scammers find their angle.

In those cases, the onus is on the individual to reach out and apply. They can choose to have the rebate applied to their next local council bill, or have the money paid directly into their bank account. To do this, they need to provide payment details. The crucial difference is that the person applying does this themselves, on their local council’s website. Nobody should be cold-calling asking for payment information.

Ofgem impersonators

Fraudsters are claiming to represent Ofgem, Britain’s independent energy regulator. They claim to be able to help you get a better energy deal and then ask for your payment details. These attacks come via text and email, and have been around for at least a month or so. Some of these also tap into the rebate scam, claiming to offer a “secure application” which is really just a phishing website.

Fake energy company refunds

This is a fairly common scam, much like fake tax refunds during tax season, but it is more relevant than ever during the current energy crisis. In this case we’re talking fake refunds and a double-threat technique. The victim is lured in with emails offering a refund. Once the phishing website has captured their details, the scammer calls the victim claiming to work on behalf of their bank. The scammer goes on to highlight several types of fraud to be wary of, all the while trying to extract around $1,200 during the call.

How to avoid these threats

  • Any email or phone call asking for payment information is not going to be legitimate. A cold-caller should also never ask you for login details for your online banking or other accounts.
  • If you receive an unexpected call about energy prices or rebates, insist on calling “them” back directly on their official number, taken from an official website. If the caller objects, that’s an immediate red flag: a genuine caller would have no reason to object.
  • Bogus energy company websites are very popular and easy to set up. Visit only the official website listed in official correspondence, and pay close attention to URLs sent to you by text or email.

Stay safe out there!

FCC warns of steep rise in phishing over SMS

Weeks after FCC (Federal Communications Commission) Commissioner Brendan Carr made a huge splash by urging Google and Apple to pull TikTok from their respective app stores, the federal agency is now warning Americans of an increased wave of SMS phishing attacks.

SMS phishing, otherwise known as smishing or robotexts (the FCC’s own term), is a form of phishing that tries to trick people into handing over their personally identifiable information (PII) and/or money using SMS rather than the email that standard phishing usually starts with. The FCC notes that scammers use various lures to get someone to reply, give out their information, or click a link.

“Like robocallers, a robotexter may use fear and anxiety to get you to interact,” the FCC consumer alert reads. “Texts may include false-but-believable claims about unpaid bills, package delivery snafus, bank account problems or law enforcement action against you. They may provide confusing information—as if they were texting someone else—, incomplete information, or utilize other techniques to spur your curiosity and engagement.”

What motivates criminals to use smishing is money and personal information, or simply confirming that the number they’re messaging is active so it can be targeted in future scam campaigns.

The FCC tracks consumer complaints rather than text volume, and it has noted a steady climb in complaints about unwanted text messages: from approximately 5,700 in 2019 to 8,500 in the first half of 2022 alone (through June 30).

A separate study confirmed this, too, but with more sobering numbers. RoboKiller, an app that screens scam calls and messages, found that Americans were sent a staggering 12 billion spam texts in July 2022.

“That’s nearly 44 spam texts for every person in the country!” The numbers for May and June 2022 were no different.

RoboKiller also pointed out in the report that spam texts have outpaced spam calls for two consecutive years. One notable reason is the FCC’s mandate of the STIR/SHAKEN framework (Secure Telephone Identity Revisited / Signature-based Handling of Asserted information using toKENs), which was designed to curb spoofed spam calls. It has been effective, which is why scammers switched to spam texts.

The FCC posted bite-sized, back-to-back tweets on signs of scam text messages and how Americans can avoid getting scammed.

When you receive a spam text, do not engage with the sender.

Ignore them, but file a complaint with the FCC.

Finally, if you think you were the victim of an SMS text scam, the FCC recommends you report the incident to your local law enforcement agency and notify your bank and mobile carrier.

Stay safe!

Ransomware review: July 2022

Malwarebytes Threat Intelligence builds a monthly picture of ransomware activity by monitoring the information published by ransomware gangs on their Dark Web leak sites. This information represents victims who were successfully attacked but opted not to pay a ransom.

In July, LockBit maintained the place it has occupied all year as the most active ransomware variant. Notably, BlackBasta, a relatively new ransomware variant that first appeared in April, took the place occupied by Conti for much of the year as the second most active variant. BlackBasta has been strongly linked to the gang behind Conti and may be the closest thing it has to a successor.

Two other gangs linked to Conti, Hive and KaraKurt, were also very active during July, ensuring that the gang behind “the costliest strain of ransomware ever documented” by the FBI continues to cast a long shadow, despite the retirement of the Conti “brand”.

The international picture followed a familiar pattern, with the USA suffering the largest number of attacks by far, distantly followed by a collection of the largest European economies. Services remained the sector most afflicted, suffering almost a quarter of all attacks.

Known ransomware attacks by group, July 2022
Known ransomware attacks by country, July 2022
Known ransomware attacks by industry sector, July 2022

LockBit

We wrote extensively about LockBit, and the appearance of LockBit 3.0, in last month’s ransomware review. Part of the gang’s success seems to have come from simply avoiding the attention-seeking pitfalls of other gangs. We wrote “…while some ransomware gangs seem to want to tell the world what they think, and how great they are, LockBit seems to care more about what its users think.”

Perhaps we spoke too soon. In July LockBit responded to an interview request from Red Hot Cyber in which it trotted out its version of the careworn old nonsense that criminal hackers help security, saying “we are ordinary pentesters and make this world safer”. Thanks to the gang’s threats and ruthless exploitation “companies can learn a security lesson and close vulnerabilities”, apparently. Whatever helps you sleep at night, we suppose.

The interview did contain some useful information too, though, revealing that between 10% and 50% of LockBit victims pay the ransom. The numbers we report each month are victims who appear on leak sites because they have not paid, so this tidbit helps us understand the true scale of the ransomware problem.

The interviewee also confirmed the suspected relationship between LockBit 3.0 (also known as LockBit Black) and DarkSide/BlackMatter ransomware, revealing that the LockBit gang paid for DarkSide source code and based the latest version of its ransomware on it. If DarkSide sounds familiar, you may recall that it was the ransomware used in the infamous Colonial Pipeline attack. The DarkSide gang disappeared shortly after the attack “due to the pressure from the US”, only to reemerge as BlackMatter in July, before disappearing again in October 2021, again due to pressure from “authorities”.

BlackBasta

BlackBasta was the second most prolific ransomware variant behind LockBit in July, and it has occupied either the second or third place in our list ever since May, having only emerged the month before.

It burst into existence in April with 11 known victims. Being able to hit so many victims in its first month led some to speculate that it must be the work of an established gang that had a network of experienced affiliates in place, ready to work. It has since been linked to the gang behind the recently retired Conti ransomware, with which it enjoys an eye-catching overlap.

Known Conti and BlackBasta attacks in the last six months

As we reported in May and June, Conti hatched a scheme to fake its own death this year, after its support for Russia’s invasion of Ukraine caused ransom payments to dry up. Members of the gang were allegedly dispersed to other “brands” owned by the Conti gang, as well as to other gangs it had a relationship with.

Apparent beneficiaries included operators of three of the five most prevalent ransomware variants in July: BlackBasta, Hive, and the resurgent KaraKurt.

REvil returns

July was also notable for the reappearance of REvil, aka Sodinokibi, perhaps the most notorious name in ransomware. A single victim appeared on the gang’s Tor leak site in July, the first since April.

A new victim appeared on the REvil leak site for the first time in months

While many other groups were far more active, the group’s reputation ensures that any sign of life demands to be taken seriously.

REvil is responsible for two of the most significant ransomware attacks in history: The 2021 attack on JBS, the world’s largest meat processing company, and an enormous, cascading supply-chain attack against Kaseya VSA and its customers a month later. The attack on Kaseya was ultimately resolved when the company announced that it had acquired the decryption key needed to free the victims, without paying REvil its $70 million ransom demand. The source of the key was later revealed to have been the FBI, which had successfully infiltrated the group’s infrastructure.

Since then REvil has led a stop-start existence. Under pressure from US law enforcement, the gang went dark in July 2021. It reappeared a few months later before being forced offline when its infrastructure was hijacked by a multi-country law enforcement operation in October.

In January, in a highly unusual move, eight of its members were arrested in Russia by the FSB. However, even that wasn’t enough to keep the gang down for long. Its infrastructure sparked back into life in April before going dark again, only to reappear in July.

New gangs appear

Last month also saw a glut of new ransomware gangs appear. The newcomers in our list are BianLian, Yanluowang, 0mega, Cheers, and RedAlert. With 11 known victims, the debut of BianLian is comparable in size to the appearance of BlackBasta in April, so we will be watching it closely in August.

The leak site of the new BianLian ransomware showed 11 victims in July
Yanluowang leak site
0mega leak site
Cheers leak site
RedAlert leak site

Ransomware protection with Malwarebytes EDR: Your FAQs, answered!

We get a few questions about ransomware protection and how our Endpoint Detection and Response software can protect you from ransomware. In this post, our security experts answer some of your most frequently asked questions about ransomware and how our EDR can help—let’s get started.

Q: When considering an EDR solution, what anti-ransomware features should I be looking for?

Adam Kujawa, security evangelist and director of Malwarebytes Labs:

“First, it should quickly identify and isolate systems that are infected with ransomware. Second, it should detect ransomware-like behavior and automatically kill and remove the threat from the system. Third, it should provide options for file recovery (in case something does get encrypted). Fourth, it should have features that are valuable for detecting and thwarting malware in general, such as exploit prevention, behavioral detection of never-before-seen malware, malicious website blocking, and brute force protection.”

Robert Zamani, Regional Vice President, Americas Solutions Engineering at Malwarebytes:

“Ransomware stems from the exploitation of trust. We know that in society and computer systems, trust is essential and foundational for communication productivity and growth. What’s needed is encapsulated in a principle called trust-but-verify! In the context of EDR, trust-but-verify means the algorithmic “detection” part of EDR must employ heuristics to look for anomalous encryption that deviates from known-good encryption. This is the trust-but-verified part of a modern EDR tool. To make the EDR tool a solution, it must offer four essential functionalities:

  1. Contain threats, allowing time to investigate and document.
  2. Easy, non-vendor-specific language describing detected suspicious activity.
  3. Precision instrumentation for eradicating malware, potentially unwanted programs, and potentially unwanted changes.
  4. Instrumentation to search for indicators across the rest of your managed endpoints for early signs.”

Q: Other than the percentage of malware detected (efficacy), what other factors should I consider when acquiring an anti-ransomware solution?

Robert Zamani, Regional Vice President, Americas Solutions Engineering at Malwarebytes:

“Other than efficacy, you need to look also at integration—the EDR must become part of your system. It should not be a standalone solution; it should be usable and not complex. Have a “single pane of glass”—with Malwarebytes cloud-based Nebula platform, for example, you have access to an intuitive UI which helps you gain visibility into all activity across your entire organization. If I could summarize it into a single sentence, you don’t want just a next-gen solution; you need a solution that any IT professional will understand without specialized cyber-forensic knowledge.”

Q: How is detecting ransomware different from other malware?

Adam Kujawa, security evangelist and director of Malwarebytes Labs:

“Up until around 2013, most malware infections were problems that could easily be solved ‘after the fact’. For example, a bank-credential-stealing bot can infect a system, steal your credentials and commit fraud. Well, the bank can clear out those fraud charges, you can change your credentials and you can clean the system; suddenly the whole attack can be treated as an inconvenience rather than a significant disruption, almost like it didn’t happen. Ransomware, on the other hand, immediately encrypts files and sometimes locks down vital system settings used for recovery, as well as deleting locally stored backups, and it’s often used against multiple endpoints at the same time. So, recovery after the fact is nearly impossible without being prepared, or paying the ransom. This kind of threat requires a lot more planning, redundancy and threat monitoring than any other type of malware out there. Imagine regular malware infections as seasonal allergies, while ransomware is like being hit with pepper spray in the face.”

Q: How does Malwarebytes EDR protect against ransomware attacks?

Robert DeStefano, Senior Global Product Marketing Manager at Malwarebytes:

“First, Malwarebytes’ EDR anti-ransomware layer constantly monitors endpoint systems and automatically kills processes associated with ransomware activity. It features a dedicated real-time detection engine that does not use signatures, and doesn’t require updates. Second, our solution uses multiple combined modes of endpoint isolation, so if an endpoint is attacked, it can easily halt malware from spreading and causing harm—minimizing disruption to IT and users during attacks. Third—we give you up to 72 hours of ransomware rollback. We make use of local cache on each endpoint, storing all relevant changes to the device for up to 72 hours. If you’re infected, Malwarebytes simply backs out device changes and restores files that were encrypted, deleted, or modified. You don’t have to lose all that time reimaging an endpoint. And perhaps most importantly, all of this is offered through the ‘single pane of glass’ that Zamani mentioned earlier—meaning you can easily manage endpoints to prevent threats from entering, detect infections that find their way into your environment, and remediate with one click, keeping your servers and workstations secure against ransomware while keeping your end users productive.”
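The two ideas in the answers above, a behavioural heuristic that flags anomalous encryption and a local cache of pre-change content that allows rollback, as an added toy implementation. This is not Malwarebytes’ code and makes no claim about how its engine works; the entropy thresholds, the in-memory cache and the `run_demo` scenario (random bytes standing in for encrypted output) are assumptions.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_THRESHOLD = 7.0  # bits/byte; ciphertext sits near 8.0, English prose near 4-5
ENTROPY_JUMP = 2.0       # rise over the file's previous content needed to count as suspicious
BURST_THRESHOLD = 3      # suspicious overwrites before the burst is treated as ransomware-like

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    probs = [c / len(data) for c in Counter(data).values()]
    return -sum(p * math.log2(p) for p in probs)

class RansomwareMonitor:
    """Sits in front of file writes: caches originals, scores each overwrite, rolls back on a burst."""
    def __init__(self):
        self.cache = {}    # path -> bytes before the first overwrite (the rollback store)
        self.flagged = []  # paths whose overwrite looked like encryption

    def observe_write(self, path: Path, new_bytes: bytes) -> bool:
        """Cache the original, apply the write, return True once the burst threshold is reached."""
        old = path.read_bytes() if path.exists() else b""
        self.cache.setdefault(path, old)
        new_h = shannon_entropy(new_bytes)
        if new_h >= ENTROPY_THRESHOLD and new_h - shannon_entropy(old) >= ENTROPY_JUMP:
            self.flagged.append(str(path))
        path.write_bytes(new_bytes)
        return len(self.flagged) >= BURST_THRESHOLD

    def rollback(self) -> int:
        """Restore every cached file to its pre-overwrite content; returns the count restored."""
        for path, original in self.cache.items():
            path.write_bytes(original)
        return len(self.cache)

def run_demo() -> dict:
    """Constructed scenario: three text files overwritten with random bytes, then rolled back."""
    root = Path(tempfile.mkdtemp())
    files = [root / f"doc{i}.txt" for i in range(3)]
    for f in files:
        f.write_text("quarterly report draft, plain text " * 20)
    monitor = RansomwareMonitor()
    # os.urandom stands in for ciphertext: same statistical profile, no actual encryption
    tripped = [monitor.observe_write(f, os.urandom(2048)) for f in files]
    restored = monitor.rollback() if tripped[-1] else 0
    intact = all(f.read_text().startswith("quarterly") for f in files)
    return {"tripped": tripped, "restored": restored, "intact": intact}
```

A real product would also have to handle legitimate high-entropy writes (archives, media, already-encrypted files), which is what the "known-good" baseline in the answers above is for.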

Q: How often and at what intervals are files backed up? How much space does it take?

David Pier, Senior Sales Engineer at Malwarebytes:

“Our file backup is not triggered on a time basis—it’s really driven by our activity monitoring feature. The backups are only going to be created in an instance where Malwarebytes has detected suspicious behavior. And for the second question, data storage space isn’t an issue, as our proprietary dynamic exclusion technology learns ‘good’ behavior of applications and minimizes storage utilization. Additionally, administrators can configure their policies to dynamically manage disk space requirements, based on the remaining available disk space.”

Q: Can you identify when the first infection took place and if the same threat process has been installed across the environment or on other devices, such as malicious scheduled tasks?

David Pier, Senior Sales Engineer at Malwarebytes:

“Yes! You can do this with the Flight Recorder feature of our EDR, which allows you to search event data captured from all of your managed endpoints to investigate and identify indicators of compromise. You can search data like files, registry, processes, and networking activity up to the past 7 days to threat hunt or analyze when a compromise occurred in your environment. You can search through file properties, such as the file hash or the file name, or you could leverage something like searching actual command line arguments that were used by the attacker to try and locate the original infection points.”

Q: How many full time employees are needed to deploy and manage your EDR?

David Pier, Senior Sales Engineer at Malwarebytes:

“That is something we hear very frequently at Malwarebytes; customers are coming from other EDR solutions or other security solutions, and a large concern is your team may only be two to three, maybe five people at most. An EDR solution that you might be interested in may require you to have full-time staff to manage or configure it. Malwarebytes EDR is not that kind of solution. This is something that we’ve successfully deployed with teams as small as two people managing this. You do not need additional headcount, you don’t need a dedicated SOC to make this program work. That being said, this solution works very well at scale. We have customers with thousands of endpoints running this solution and effectively using it as an EDR, so really, it’s a tool built for customers of any size.”

Q: Would we need a physical server or can this be operated from a cloud-based system?

David Pier, Senior Sales Engineer at Malwarebytes:

“There’s no requirement for any physical architecture,” says Pier. “You could use it entirely cloud-based if you have cloud-based servers or cloud-based VMs. Really the only requirement we have is making sure that your endpoints can reach the Malwarebytes cloud infrastructure, which is all done through HTTPS traffic. So typically, it’s not something you need to customize unless you have a very restrictive network.”

Read about how companies used Malwarebytes EDR to fend off ransomware

To help you understand the ransomware threat and how Malwarebytes EDR can help, we’ve curated a collection of customer case studies that illustrate the common patterns of ransomware protection and recovery across a variety of industry sectors and business sizes. Check out a few of them below!

City of Vidalia gains a ransomware and vulnerability-free zone

Mike Carney Toyota tackles the rising ransomware threat

Alden Central Schools gains peace-of-mind protection against ransomware threats

The post Ransomware protection with Malwarebytes EDR: Your FAQs, answered! appeared first on Malwarebytes Labs.

For months, JusTalk messages were accessible to everyone on the Internet

JusTalk, a popular mobile video calling and messaging app with 20 million global users, exposed a massive database of supposedly private messages to the public Internet for months. According to security researcher Anurag Sen, who discovered the open database, the messages were stored unencrypted, and the database itself was not locked behind a password.

“Rest assured your calls and messages are secured,” the JusTalk website reads, “Only you and the person you communicate with can see, read, or listen to them: even the JusTalk team won’t access your data!”

[Image: The JusTalk website assures users their messages are secured]

But, as we know, “won’t access” is not the same as “can’t access”. And when anybody has the ability to see somebody else’s private data, it opens the door for both malice and mistakes.

The open database is a logging database the company, Ningbo Jus Internet Technology, uses to keep track of app bugs and errors. It also houses hundreds of gigabytes of data and is hosted on a Huawei cloud server in China. Sen said anyone can access the data using a web browser if they have the right IP address.

Data collected from Shodan, a search engine for exposed devices and databases, shows that the database was exposed from early January at the latest, and that the company continued to use it throughout that time.

Because the database is, essentially, a smorgasbord of all the data the company collects—chat logs, video logs, granular location data, data of child users of its JusTalk Kids app, records from its JusTalk second phone number service—it is hard to put a number on the victims of this breach. However, it is prudent to assume everyone using Ningbo Jus’s products is affected.

The server was collecting and storing more than 10 million individual logs each day, including millions of messages sent over the app, including the phone numbers of the sender, the recipient and the message itself. The database also logged all placed calls, which included the caller’s and recipient’s phone numbers in each record.

~ Zack Whittaker, TechCrunch

Shortly after TechCrunch published a story on JusTalk not really having end-to-end encryption, the open database was no longer accessible.

As Shodan is used by security researchers and online criminals alike, TechCrunch found evidence that someone had already accessed the database—perhaps even created copies of the data there. The outlet found an undated ransom note left by a data extortionist in the database for the company to find.

Because the database has all collected data stored in one place, it’s doubtful that the company even noticed this ransom note. Ningbo Jus may not even know that it’s already being extorted.

The blockchain address associated with the ransom note has not yet received any funds.

The post For months, JusTalk messages were accessible to everyone on the Internet appeared first on Malwarebytes Labs.