IT NEWS

An alarm system company that allows those in need to ask for help at the touch of a button has suffered a cyberattack, causing serious disruption.

Tunstall Netherlands says the attack left the control room struggling to receive distress calls from clients on Sunday November 12, 2023.

Tunstall, among others, provides services and systems to allow smart monitoring in various healthcare settings. One of the services provides sick or disabled persons, and the elderly with an alarm button that can be used in case of an emergency.

Under normal circumstances, the control room would relay the distress call to a caregiver so they can check on and provide help.

The alarm button systems are used in situations where people that require care are not constantly surrounded by caregivers, like care homes that provide independent living, elderly who live at home but need the ability to call for help, and people with a heightened risk of falling.

It’s unknown what the exact nature of the cyberattack is. In case of a ransomware attack, it is unlikely that any group will claim responsibility or demand a ransom. These types of services are usually the type that they want to avoid for fear of repercussions.

Estimates say that tens of thousands of people are unable to reach the control room at the press of a button and will have to call an emergency number instead.

Tunstall says it’s worked hard to remediate the situation. It has engaged a specialized cybersecurity company to investigate the situation. Meanwhile it advised clients to keep their mobile phones handy so they can reach out in case of an emergency. At the moment the first services have been brought back online and the hope is that soon everything will be fully functional again.

Some organizations that use Tunstall’s system say they have provided their clients with the direct number they would need to call when they need help. But obviously pressing a button is a lot easier when you are in distress than having to call a phone number.

How you can call without having to unlock your phone first

Having the number pre-programmed and available at the press of a button makes things a bit easier if you do need to call for help via your phone. If you have or are someone who may need immediate help and you don’t have an alarm button or it doesn’t work, there are methods to make it easier to use your phone to raise help.

iPhones provide an “Emergency” option on the lock screen. Tapping it opens an on-screen keyboard, which allows you to dial a number. The restriction with this option however, is that it is designed primarily to call emergency numbers. Another option is to use the smart assistant by saying ‘Hey Siri’, and then ask it to call one of your contacts or a phone number. 

Some Android phones offer the option to add emergency contacts. Activating Emergency SOS requires you to save at least one emergency contact to your phone. This will need to be done first. Please note that Android phones’ menus may differ from vendor to vendor and version to version.

• Open the Settings app.
• Scroll down and tap Safety & emergency. On some types this menu can be found in the Advanced Settings menu.
• Tap Emergency contacts > Add contact
• Select one or more emergency contacts from your contact list.
• Now you can enable Emergency SOS
• In Safety & emergency, toggle the Use Emergency SOS and set the Use Emergency SOS slider to enabled
• Confirm the setting and select what information you want to share.
• You will need to provide the app with the necessary permissions.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Another important update round for this month’s Patch Tuesday. Microsoft has patched a total of 63 vulnerabilities in its operating systems. Five of these vulnerabilities qualify as zero-days, with three listed as being actively exploited. Microsoft considers a vulnerability to be a zero-day if it is publicly disclosed or actively exploited with no official fix available.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The zero-days patched in these updates are listed as:

CVE-2023-36025: a Windows SmartScreen security feature bypass vulnerability that would allow an attacker to bypass Windows Defender SmartScreen checks and their associated prompts. SmartScreen is a built-in Windows component designed to detect and block known malicious websites and files.

It requires user interaction since the user would have to click on a specially crafted Internet Shortcut (.URL) or a hyperlink pointing to an Internet Shortcut file to be compromised by the attacker. Microsoft listed this vulnerability with the remark “Exploitation Detected.”

CVE-2023-36033: a Windows Desktop Window Manager (DWM) Core Library elevation of privilege (EoP) vulnerability. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. This vulnerability is also listed with the remark “Exploitation Detected.”

CVE-2023-36036: a Windows Cloud Files Mini Filter Driver EoP vulnerability. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. This vulnerability is also listed with the remark “Exploitation Detected.”

EoP type of vulnerabilities are typically used in attack chains. Once the attacker has gained entrance, the vulnerabilities allow them to increase their permission level.

CVE-2023-36413: a Microsoft Office security feature bypass vulnerability. Successful exploitation of this vulnerability would allow an attacker to bypass the Office Protected View and open in editing mode rather than protected mode. Full exploitation requires that the attacker sends the target a malicious file and convince them to open it. This is a publicly disclosed vulnerability but there are no known cases of exploitation.

CVE-2023-36038: a vulnerability in ASP.NET that could lead to core denial of service. This vulnerability could be exploited if http requests to .NET 8 RC 1 running on IIS InProcess hosting model are cancelled. Threads counts would increase and an OutOfMemoryException is possible. A successful exploitation might result in a total loss of availability. So, basically an attacker would send requests and then cancel them until the program runs out of memory and crashes. Microsoft notes that this vulnerability was publicly disclosed, however no in-the-wild exploitation has been observed, which is not likely to happen either if the denial of service is the best achievable goal for an attacker.

An extra warning for organizations running Microsoft Exchange Server: Prioritize several new Exchange patches, including CVE-2023-36439, which is a vulnerability that enables attackers to install malicious software on an Exchange server.

Other vendors

Other organizations have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.

Adobe has released security updates to address vulnerabilities affecting multiple Adobe products:

• APSB23-52: Adobe ColdFusion
• APSB23-53: Adobe RoboHelp Server
• APSB23-54: Adobe Acrobat and Reader
• APSB23-55: Adobe InDesign
• APSB23-56: Adobe Photoshop
• APSB23-57: Adobe Bridge
• APSB23-58: Adobe FrameMaker Publishing Server
• APSB23-60: Adobe InCopy
• APSB23-61: Adobe Animate
• APSB23-62: Adobe Dimension
• APSB23-63: Adobe Media Encoder
• APSB23-64: Adobe Audition
• APSB23-65: Adobe Premiere Pro
• APSB23-66: Adobe After Effects

Android’s November updates were released by Google.

SAP released its November 2023 Patch Day updates.

SysAid released security updates for a zero-day vulnerability that is actively being exploited by a ransomware affiliate.

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

This article is based on research by Marcelo Rivero, Malwarebytes’ ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, “known attacks” are those where the victim did not pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher.

In October, 318 new victims were posted on ransomware leak sites. The top active gangs were LockBit (64), NoEscape (40), and PLAY (36). Major stories for the month included the takedown of several high-profile groups, including alleged Sony Systems attacker RansomedVC, new data shedding light on Cl0p’s education sector bias, and a deep-dive revealing the danger of the group behind September’s infamous casino attacks.

Last month three major ransomware groups—RansomedVC, Ragnar, and Trigona—were shut down, the first two by law enforcement and the third by Ukrainian hacktivists. Let’s dive into RansomedVC, a group which burst onto the scene in August and quickly gained notoriety for allegedly breaching several well-known companies. In late October, the lead hacker behind the group was seen on Telegram trying to sell the operation. Just days later, the account announced that it was “putting an end to” the group after learning that six of its affiliates may have been arrested. The group had posted 42 victims on their leak site at the time of their take down.

While law enforcement is yet to come forward confirming the RansomedVC arrests, the same is not true for RagnarLocker group, which Europol and Eurojust announced they had taken down last month. RagnarLocker started in 2019 and was responsible for numerous high-profile attacks against municipalities and critical infrastructure across the world. At the time of the takedown action, the group had posted a total of 42 victims on their leak site.

Trigona’s demise, on the other hand, was not at the hands of investigators but activists, highlighting the impact that broader geopolitical struggles can have on the ransomware landscape. In mid-October, the Ukrainian Cyber Alliance (UCA) breached the Trigona Confluence server and completely deleted and defaced their sites. Formed around 2016 to defend Ukraine’s cyberspace against Russian interference, the UCA used a public exploit for CVE-2023-22515 to gain access to Trigona infrastructure. Trigona is responsible for at least 30 attacks across various sectors since first emerging in October 2022.

In other October news, Resilience, a cyber insurance company, reported that 48% of all MOVEit cyberattack victims in its client base during the first half of 2023 were from the education sector. This suggests a possible targeting preference of the Cl0p campaign towards educational institutions. However, this figure might not fully represent the situation.

For instance, if Resilience has a higher proportion of clients in the education sector, it could bias the data towards that sector. On the other hand, data from Malwarebytes indeed indicates that while the education sector comprises only 3% of all MOVEit hosts, they account for 6% of the victims. However, this trend is likely not due to a deliberate focus by Cl0p, whose attacks were more opportunistic in scope, but rather because educational sectors often have fewer resources to promptly address vulnerabilities like those in MOVEit. Thus, the bias observed is more circumstantial than intentional. At any rate, given that the education sector frequently relies on third-party applications like MOVEit, the impact of Cl0p’s activities serves as a stark reminder for these institutions to adopt robust third-party security best practices.

Microsoft’s deep dive into Scattered Spider last month shed new light on the relatively new, albeit dangerous, ransomware gang who made headlines in September for attacking MGM Resorts and Caesar Entertainment. For small security teams, one of the most important findings about the group is their use of Living Of The Land (LOTL) techniques to avoid detection: Scattered Spider employs everyday tools like PowerShell for reconnaissance and stealthily alters network settings to bypass security measures. They also exploit identity providers and modify security systems, blending their malicious activities with normal network operations.

With the success of groups like Scattered Spider increasingly relying on LOTL attacks, it’s vital for defenders to focus on detecting anomalous activities within legitimate tools and network configurations. Strengthening monitoring and analysis capabilities can help identify and counter the subtle, sophisticated techniques employed by these ransomware gangs.

New(?) player: Hunters International

Hunters International is a new ransomware player suspected to be a rebrand of the Hive ransomware, which was shutdown in January 2023 by law enforcement. Despite Hunters International’s denial, claiming they are a distinct entity that purchased Hive’s source code, the overlap in their malware’s coding and functionality suggests a direct lineage from Hive.

Their activity, though limited, includes a notable attack on a UK school.

How to avoid ransomware

• Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
• Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
• Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
• Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
• Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
• Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

As we head into shopping season, customers aren’t the only ones getting excited. More online shopping means more opportunities for cybercriminals to grab their share using scams and data theft.

One particular threat we’re following closely and expect to increase over the next several weeks is credit card skimming. Online stores are not always as secure as you might think they are, and yet you need to hand over your valuable credit card information in order to buy anything.

When a merchant website is hacked, any purchase made has the potential of being intercepted by bad actors. Often, the malicious code is right underneath the surface and yet completely invisible to shoppers.

One particular skimming campaign we have been following picked up the pace drastically in October after a lull during the summer. With hundreds of stores compromised, you may come across it if you shop online on a regular basis.

The Kritec campaign

We first discovered this credit card skimming operation back in March 2023, as it stood out from the rest due to its large volume. The threat actors were also taking the time to customize their skimmer for each victim site with very convincing templates that were even localized in several languages.

The experience was so smooth and seamless that it made it practically impossible for online shoppers to even realize that their credit card information had just been stolen.

Threat actors ramp up their activity just in time for the holiday season

In April this skimming campaign reached a peak and then slowed down during the summer. However it came back, increasing to its highest volume in October. We measured this activity based on the number of newly registered domain names attributed to this threat actor.

The infrastructure is located on the IT WEB LTD network (ASN200313) registered in the British Virgin Islands.

How to shop safely online

If you are shopping online, and especially via smaller merchants (i.e. not Amazon, Walmart, etc), you absolutely need to be extra careful. Unless you are able to perform a full website audit yourself, you simply can’t be sure that the platform hasn’t been compromised.

Having said that, if the website looks like it hasn’t been maintained in a while (for example it is displaying outdated information, such as ”Copyright 2018′) you probably should stay away from it. Most compromises happen because a website’s content management system (CMS) and its plugins are outdated and vulnerable.

There are tools that can also detect malicious code embedded into websites. Most antivirus products offer some kind of web protection that detects malicious domains and IP addresses. But because threat actors are constantly swapping their infrastructure, it is also a good idea to have some kind of heuristic detection for things like malicious JavaScript snippets.

Malwarebytes Premium offers web protection and is complemented by the Malwarebytes Browser Guard extension for more advanced in-browser detection.

We are also publishing a list of the infrastructure that includes domains we had previously not seen but obtained via retrohunting, so that those can be included in community blocklists ingested by third-party products.

Indicators of Compromise

Kritec domains

Kritec IPs

The US State of Maine says it has suffered a data breach impacting around 1.3 million people. According to the census from July 2022, that’s more or less the the entire population of Maine.

The State of Maine says it was compromised via a known vulnerability in secure transfer service MOVEit Transfer. This vulnerability is known to be used by the Cl0p ransomware gang.

The type of stolen data varies from person to person, likely because the data breach affected multiple agencies in the State. More than 50% of the data exposed in the breach came from Maine’s Department of Health and Human Services, while between 10 and 30% came from the state’s Department of Education. The breach also impacted several other departments.

For what we can gather, the cybercriminals may have obtained names, Social Security numbers (SSN), dates of birth, driver’s licenses, state identification numbers, and taxpayer identification numbers. The stolen data may involve certain types of medical information and health insurance for some individuals.

Progress Software, who make MOVEit Transfer, issued a patch for the exploited vulnerability on May 31, 2023. However, the State of Maine says the cybercriminals gained access and started downloading files between May 28 and 29, 2023, before the patch was available.

Data breach

The State of Maine is encouraging people to contact Maine’s dedicated call center to find out if their data was involved or if they have questions about this incident. The phone number is (877) 618-3659, with representatives available from Monday to Friday, 9 AM to 9 PM ET.

If your Social Security Number or taxpayer identification number is involved, the call center will provide you with a complimentary credit monitoring code which give you two years of credit monitoring and identity theft protection services.

If you suspect your data has been stolen, it’s worth watching out for people posing as the State of Maine. There’s nothing like a data breach to bring out the scammers, and they will be looking to target people affected by the breach. If someone does contact you, make sure to verifying they are who they say they are using another communication channel. Watch out for phishing emails, too.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your and your family’s personal information by using Malwarebytes Identity Theft Protection.

Messaging service Signal is testing support for usernames as a replacement for phone numbers to serve as user identities.

Signal provides encrypted instant messaging and is popular among people that value their privacy. Compared to more popular services like WhatsApp, Signal offers more layers of privacy protection, customization of settings, and enhanced data security. These layers include hiding metadata, not using a user’s data, allowing call relay, and others.

The current Signal setup requires users to sign up with a phone number and this number will be shared if you want to message other users on the app. But not everyone wants to share their phone number when messaging someone and so Signal is doing something about that.

 On its forums, Signal announced the feature is ready for pre-beta-testing.

“After rounds of internal testing, we have hit the point where we think the community that powers these forums can help us test even further before public launch.”

So, for now, the announced feature is currently only available for the app’s testers on Android, iOS, and desktop users. Once it’s finally released, you’ll be able to select your username by going to Settings > Profile and Settings > Privacy > Phone Number section.

From a screenshot posted on X, it looks like you’ll be able to invite new contacts by sending them a link or a QR code.

Screenshot of new options

It’s also likely you still have to have a phone number to create an account. The new feature just allows you to hide your number behind a username. Phone numbers will still be used as a unique identification and as an anti-spam measure.

We don’t know when the new feature will be generally available, but in an earlier interview, president Meredith Whitaker said she expected the feature’s launch in early 2024. However, this seems unlikely as it requires a major overhaul of the app’s architecture.

We don’t just report on privacy—we offer you the option to use it.

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

Last week on Malwarebytes Labs:

• Defeating Little Brother requires a new outlook on privacy: Lock and Code S04E23
• Medical research data Advarra stolen after SIM swap
• Okta breach happened after employee logged into personal Google account
• Introducing ThreatDown: A new chapter for Malwarebytes
• ThreatDown powered by Malwarebytes: A 15 Year Journey
• QNAP warns about critical vulnerabilities in NAS systems
• Using ChatGPT to cheat on assignments? New tool detects AI-generated text with amazing accuracy
• Introducing Security Advisor Site Scores for OneView: Easy assessment of client security for MSPs
• Introducing Advanced Device Control: Shielding businesses from USB threats
• Malvertiser copies PC news site to deliver infostealer
• Update now! SysAid vulnerability is actively being exploited by ransomware affiliate
• Nude “before and after” photos stolen from plastic surgeon, posted online, and sent to victims’ family and friends
• Meta whistleblower says company has long ignored how it sexually endangers children
• Judge rules it’s fine for car makers to intercept your text messages
• YouTube shows ads for ad blocker, financial scams

Stay safe!

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

After performing local experiments for a few months, YouTube recently expanded its effort to block ad blockers. The move was immediately unpopular with some users, and raised some questions in Europe about whether it was breaking privacy laws.

In addition, there are some still some fundamental issues that have some people concerned. In this blog post, we look at a couple of examples that erode our trust in online ads. In fact, it’s not really an argument about free content, it’s about being able to consume content safely, and it seems as though we aren’t quite there yet.

Inconsistent and untrustworthy ads

YouTube has made it quite clear that using an ad blocker goes against its Terms of Service, reminding users that they have a choice between accepting ads or paying for a premium subscription.

Yet, as of November 9 2023, YouTube was still showing an ad for Total Adblock, a browser extension that blocks… ads. It certainly looks confusing and is sending mixed messages.

While there is some irony here, the greater concern is that perhaps YouTube doesn’t have a good handle on its ads and maybe that is why users have resorted to ad blockers in recent years.

It’s not that people want an ad-free experience to purposely hurt content creators. They more likely want a scam-free and malware-free experience but perhaps aren’t in a position to pay for a subscription.

While looking for evidence of scammy ads, it took us less than a minute to come across one of those infamous Quantum AI crypto scams:

The ad used typical click-bait tactics and redirected to a website that was obviously a scam. An unverified advertiser was allowed to serve this ad and expose users to a financial scam where they can lose hundreds or even thousands of dollars.

We have yet to see if YouTube will maintain its stance or take any actions to address those core issues. In the meantime, Malwarebytes continues to protect users from scams and malware, from whichever website they choose to visit. The Malwarebytes Browser Guard extension is the easiest way to block malicious ads and other web threats.

A federal judge has refused to bring back a class action lawsuit that alleged four car manufacturers had violated Washington state’s privacy laws by using vehicles’ on-board infotainment systems to record customers’ text messages and mobile phone call logs.

The judge ruled that the practice doesn’t meet the threshold for an illegal privacy violation under state law. The plaintiffs had appealed a prior judge’s dismissal.

Car manufacturers Honda, Toyota, Volkswagen, and General Motors were facing five related privacy class action suits. One of those cases, against Ford, had been dismissed on appeal previously.

Infotainment systems in the company’s vehicles began downloading and storing a copy of all text messages on smartphones when they were connected to the system. Once messages have been downloaded, the software makes it impossible for vehicle owners to access their communications and call logs but does provide law enforcement with access, the lawsuit said.

The Seattle-based appellate judge ruled that the interception and recording of mobile phone activity did not meet the Washington Privacy Act’s (WPA) standard that a plaintiff must prove that “his or her business, his or her person, or his or her reputation” has been threatened.

In a recent Lock and Code podcast, we heard from Mozilla researchers that the data points that car companies say they can collect on you include social security number, information about your religion, your marital status, genetic information, disability status, immigration status, and race. And they can sell that data to marketers.

This is alarming. Given the increasing number of sensors being placed in cars every year, this is becoming an increasingly grave problem.

In the same podcast, we also explored the booming revenue stream that car manufacturers are tapping into by not only collecting people’s data, but also packaging it together for targeted advertising.

According to the Mozilla research, popular global brands including BMW, Ford, Toyota, Tesla, Kia, and Subaru:

“Can collect deeply personal data such as sexual activity, immigration status, race, facial expressions, weight, health and genetic information, and where you drive. Researchers found data is being gathered by sensors, microphones, cameras, and the phones and devices drivers connect to their cars, as well as by car apps, company websites, dealerships, and vehicle telematics.”

In fact, the seasoned Mozilla team said “cars are the worst product category we have ever reviewed for privacy” after finding that all 25 car brands they researched earned the “Privacy Not Included” warning label.

Since that doesn’t give us much of a choice to go for a brand that respects our privacy, I suggest we turn of our phones before we start the car. It’s both safer and better for your privacy.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your and your family’s personal information by using Malwarebytes Identity Theft Protection.

Users of SysAid on-premises should take action to deal with a vulnerability. SysAid is a widely used IT service management solution that allows IT teams to manage tasks.

Microsoft discovered an ongoing exploitation of a zero-day vulnerability in the SysAid IT support software in limited attacks by Lace Tempest. Lace Tempest is an initial access broker (IAB) usually associated with the Cl0p ransomware.

Once SysAid were notified by Microsoft on November 2, 2023, they started an investigation which confirmed that it was indeed a zero-day vulnerability. By definition, a zero-day vulnerability is any software vulnerability exploitable by hackers that doesn’t have a patch yet.

The investigation identified a previously unknown path traversal vulnerability leading to code execution within the SysAid on-prem software. Path traversal vulnerabilities allow attackers to read, and possibly write to, restricted files by inputting path traversal sequences like ../ into file or directory paths.

The attackers used the vulnerability to upload a web shell and other payloads into the web root of the SysAid Tomcat web service. Tomcat is an open-source web server and servlet developed by the Apache Software Foundation. A web shell is a malicious script used by an attacker with the intent to escalate and maintain persistent access on an already compromised web application.

The web shell provided the attacker with unauthorized access and control over the affected system. The attackers then used two PowerShell scripts to expand their hold. One to launch the Gracewire malware loader and the other to erase other evidence of the intrusion.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVE assigned to this vulnerability is:

CVE-2023-47246: a path traversal vulnerability that affects all SysAid On-Premises installations running versions before 23.3.36. SysAid Cloud customers are not affected by this vulnerability.

If you are a SysAid customer using a SysAid On-Prem server, you are under advise you to ensure that your SysAid systems are updated to version 23.3.36 or later, which includes the patches for the identified vulnerability.

Organizations using SysAid should apply the patch as soon as possible and look for any signs of exploitation prior to patching (see Indicators of Compromise below). The Lace Tempest group exploited the vulnerability in the SysAid software to deliver a malware loader for the Gracewire malware. Once this foothold is established, it’s usually followed by human-operated activity, including lateral movement, data theft, and ransomware deployment.

You should also review any credentials or other information that would have been available to someone with full access to your SysAid server and check any relevant activity logs for suspicious behavior.

IOCs

File:

b5acf14cdac40be590318dee95425d0746e85b1b7b1cbd14da66f21f2522bf4d     Malicious loader

IPs:

81.19.138.52     GraceWire Loader C2

45.182.189.100 GraceWire Loader C2

179.60.150.34  Cobalt Strike C2

45.155.37.105  Meshagent remote admin tool C2

Malwarebytes blocks the Cobalt Strike C2 179.60.150.34

File Paths:

C:Program FilesSysAidServertomcatwebappsusersfilesuser.exe

C:Program FilesSysAidServertomcatwebappsusersfiles.war  

C:Program FilesSysAidServertomcatwebappsleave  

How to avoid ransomware

• Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
• Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
• Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
• Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
• Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
• Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.