IT NEWS

In-game cheats are about to have an even harder time of things in triple AAA titles such as Call of Duty. Activision’s “Ricochet” software – a kernel level driver anti-cheat system – has added another twist to the tale of how players are protected via a new system called “Cloaking”.

Making all new punishments fit the crime

Anti-cheat software typically sniffs out people breaking the rules and penalises them. Ricochet adds some perks into the mix for people who aren’t cheating, whenever someone up to no good joins a gaming session.

As an example, if I’m using an aim-bot to assist me in scoring cheap kills and I join your Call of Duty server, I won’t just be instantly kicked out. Two things will happen:

1. Mitigations are deployed to help regular players not lose unfairly to cheaters like me, running round with aim-bots and wall hacks.. The already existing “Damage Shield” disables critical damage applied to non-cheating individuals. This means I can do everything in my power to win, but it almost certainly won’t be enough thanks to the second thing that happens.
2. The new feature called “Cloaking” kicks in, which combined with the Damage Shield will scupper my chances of victory forever. This is because, hilariously, all other players vanish from view. I can’t see their characters, their bullets, or even hear the noises they make. Essentially, I’ll be twirling around in an empty space, firing bullets that do no damage. The best is yet to come. From the FAQ:

“Legitimate players, however, can see cheaters impacted by Cloaking and can dole out in-game punishment. Similar to Damage Shield, Cloaking gives legitimate players a leg up on cheaters.”

That’s nothing to brag about: Shaming cheater out of gaming

Exploiters in games traditionally love bragging rights. Anything to score a cheap win is acceptable, and bragging rights arising from that is one of the reasons people continue to do it.

Many common anti-cheat methods exist which involve loading up tools prior to game launch, seeing if anything is running which shouldn’t be, and then simply preventing a cheater from joining in the first place.

From experience, people just load up another game and try it there instead until they’re allowed in.

This system is a curious remix of more typical anti-cheat tactics. Not only are the developers accepting that cheats will eventually end up in a session somehow, they’re also obtaining valuable game data in real-time as to how the cheats react to this approach.

Can you imagine the embarrassment when other players in the session upload incredibly funny clips of cheaters helplessly spinning into walls and firing guns at lamp posts to YouTube or stream it on Twitch? It’s possible the threat of this alone will deter some people from that level of social shaming. Nobody’s cool factor can survive an encounter like that.

No stopping the ban train

Conscious of controversy surrounding anti-cheat tools, the developers have reassured players several times. The Ricochet system only operates when playing, and it isn’t always running when playing. It also shuts down when the game is closed.

I don’t know for sure how many anti-cheat tools actually do run outside of a game being active. I suspect it’s not many, but it is good to see an organisation being very clear about what additional software needed to run a game does (and does not) do.

With 54,000 new account bans added to the 90,000 in March, the gamble seems to have paid off. We can expect to see more slightly weird and unusual approaches to shutting down cheaters in games. Letting them run free in a gaming hamster maze while both regular players and developers observe at their expense? This is simply too good an opportunity to pass up.

The post Call of Duty cheats can expect embarrassment with new anti-cheat feature appeared first on Malwarebytes Labs.

You’ve likely only seen cybercrime insurance primarily mentioned in relation to attacks on businesses. Most commonly, it’s cited with regard to ransomware attacks in the workplace, or associated data loss. Some folks think the mere presence of insurance simply encourages more attacks, and is hurting more than it’s helping. Now we have another string to the bow to consider. Personal insurance plans are slowly becoming a more visible and talked about topic.

A brave new world, or same-old same-old?

I’m fascinated to see talk of personal cyber insurance, in an area dominated by business.

The plans referenced in the article are for people seeking cyber insurance in India. It provides personal cover in a manner somewhat similar to contents insurance for the items in your home. The major difference is losing your digital items due to online shenanigans, as opposed spilling orange juice on your TV.

Premiums are based on how much you have to lose, and tailoring types of cybercrime to your package needs. If you make a lot of financial transactions online, that’ll bump the cost of the plan up too.

A transactional offering

Some of the exclusions listed are fairly eye-catching. For example, you’ll pay a higher premium the more online transactions you engage in. Despite this, losses incurred through cryptocurrency aren’t included which could be a deal breaker for many people. The Indian Government has floated the idea of banning cryptocurrency on at least one occasion, but eventually moved to a less aggressive regulatory approach at the end of 2021.

While it makes sense that insurers will be cautious around such rapidly changing stances, it’s no real consolation to cryptocurrency fans.

Some cyber threats listed may not have realistic or obtainable legal solutions in some countries, but they will in others. For people not in the latter group, an additional insurance safety blanket might be very useful.

A helping hand against online stalking

There’s some solid defence against people harassing others online in the policy types mentioned. For example, expenses are covered to prosecute people found to be stalking/bullying you online. So far, so good.

This same cover which provides legal fees to prosecute stalkers also provides the insured with costs against invasion of privacy.

So many examples of cyber insurance only ever focus on the technical aspects of online crime, or ransomware backups. It’s nice to see a more human aspect working its way into the mix. In some countries, the rules are fairly stacked against people and aren’t necessarily conducive to tackling online harassment. Knowing there’s a bit of backup to help with this kind of situation may itself make harassers think twice.

From add-on to standalone

Seeing cyber insurance as a standalone package for individuals is rather novel. In the UK at least, most—if not all—cyber offerings I’ve seen are add-on packages to regular insurance policies. For example, one major insurer offers it across all their insurance tiers and it covers the usual issues like ransom, fraud, restoration of systems, defamation and so on. Unlike the India-centric policy above, identity theft is included by default in regular, non-cyber packages.

The standalone offerings I’ve seen usually ask you to contact them to arrange a premium, as opposed to having a default one-size-fits all price. Some include monitoring customer data for breaches, including issuing alerts when necessary. Others seem to fall into more traditional areas of cover, offering to replace or repair damaged devices and recover data.

I’ve seen a few offer 24/7 cyber-helplines, credit reports, and “ransom monies” made available in ransomware cases. Some insurers have grey areas related to working from home, or just flat out refuse to cover it. All this, without the added complexity of business insurance and the question of whether it’s right to pay out to ransomware authors in the first place.

Drawing insurance lines in the sand

It’s a bit of a tumultuous time for insurers in the digital realm as they try to define what, exactly, is or isn’t up for coverage. Real world insurers use act of God policies, not covered by insurance. Cyber insurers are quickly coming up with their own non-coverable issues.

Then there’s the thorny problem of insurance companies themselves being juicy targets for attackers. I’m fairly certain they don’t have to look for decent cyber insurance quotes from competitors themselves. It’s still a very odd thing to think about in an industry still figuring out its role where rogues costing their customers money don’t play by the rules.

The post What’s happening in the world of personal cyber insurance? appeared first on Malwarebytes Labs.

We’ve received several emails over the last couple of days which follow the classic 419 mail scam method. Titled “URGENT BUSINESS PROPOSAL!!!”, the mail reads as follows:

Greetings,

I am Mukhtar M. Hussain. I got your contact information from a reputable business/professional directory. I'm working with HSBC Berhad Malaysia as one of the Senior Vice Presidents. I am writing you this memo, because I have an urgent BUSINESS PROPOSAL for you that will benefit both of us and it’s urgent.

For more details, write me on my personal contact e-mail on: {redacted}

Yours Sincerely,

Mukhtar Malik Hussain.

The mail the scammers want you to reply to is different to the mail it came from. They’re also trying to make the mail look more respectable by using the name of an actual person.

People naturally suspicious of the mail will go looking in search engines, and seeing this is a real person may be enough to convince them to reply. It’s worth noting that this is also a short mail by typical scam standards, but will become incredibly involved should you continue with it.

We were curious to see what the next stage of the scam was, so we replied and then waited to see what would come back. What we received was an even shorter email and a PDF attachment.

Attention,

Find attached the urgent BUSINESS PROPOSAL. I await your correspondence.

Best regard,

Mukhtar Malik Hussain

The PDF we received does not appear to be infected. The scammer is probably just trying their best to keep the meat of the attack away from non-curious individuals.

The document says that a bank customer died, and the bank appointed our contact to hand out the inheritance. If it’s not done in time, it goes to the Malaysian government despite them having moved the money to a “secret” account similar to Swiss banking.

Recipients have 21 days to complete the fund transfer. Despite the document hitting about 1,800 words in length, all it asks for is name in full, current address, and telephone number in order to “harmonise my records”. It’s very likely that the scammers will continue to ask for more information, including bank account number, should contact continue.

They close with the usual warning of not telling anyone:

Please observe this instruction religiously, again note I am a family man; I have a wife and children’s I send you this mail not without a measure of fear as to what the consequences, but I know within me that nothing ventured is nothing gained and that success and riches never come easy or on a platter of gold. This is the one truth I have learnt from my private banking clients. Do not betray my confidence. If we can be of one accord, we should plan a meeting soon.

So all I require from you is your consent and solemn confidentiality on this from you as it shall remain our secret forever. Deals like this take place every day in the banking world and the reason you never hear about them is because they never fail.

As good as it sounds, nothing in the mail scheme is true. You run the risk of losing all your money, or becoming a money mule, or both should you proceed.

As you’re reading this on a security site, it’s likely you’ve seen lots of these before and you’re well aware of the scam. But it doesn’t take a minute to talk to the less security-aware people in your life about this and other scams. Warn them, and help keep them safe online.

The only thing to do in this situation is report the message for spam, block the sender, and go about your day.

Stay safe!

The post “URGENT BUSINESS PROPOSAL!!!” 419 scammer wants your help to move someone’s inheritance appeared first on Malwarebytes Labs.

So Elon Musk is buying Twitter, and you can be sure that scammers are making the most of this news.

As Elon Musk spends most of the week in the headlines, so pop up Elon Musk-themed scams—and it looks like they may be ramping up.

We witnessed a flurry of replies from the man himself in response to someone making a comment.

Sadly, it isn’t him but rather an army of bots, all bearing the same current profile picture of the Tesla CEO as his official Twitter account.

All of the URLs in their responses are shortened. No matter which one a user clicks, they all lead to the same website. You may be surprised when you see what it is.

Musk must have taken the leap into longform blogging and is now a Medium author. He’s also off to a flying start with fewer than 5,326 claps on his first post. However, pulling at the page threads reveals more than the creator may have been bargaining for.

The page claims that Musk is doing an “official” ETH (Ethereal) and BTC (Bitcoin) giveaway. This giveaway aims to hand out a significant amount of BTC, ETH, and DOGE (Dogecoin) to winning participants. Appealing—if you’re a big cryptocurrency user.

Everything about the page is intended to convince the visitor that it’s all genuine, down to the numerous comments from “Medium users” saying they received their funds.

We checked all of the profiles in the replies. With one exception—an account seemingly posting spam blogs—all of them lead to the official Medium front page, 404 pages, or suspended profiles.

This isn’t very reassuring. When we checked out the three links for the “giveaways,” it gets worse. Here’s a familiar face:

Tesla 100 000 ETH Giveaway!

To verify your address, just send from 0.5 to 100 ETH to the address below and get from 5 to 1000 ETH back!

Regular readers will recognize this design, as it’s similar to the landing page we covered concerning a fictional space marathon Tesla giveaway.

While this setup throws ETH and DOGE into the mix, it’s notable that the maximum donation suggested through BTC has increased. In contrast, the fake marathon giveaway asked visitors to send between 0.02 to 1 BTC.

Donations via DOGE and ETH coins are no joke either. For the former, it asks for amounts between 2,000 and 100,000 DOGE coins, hoping to get 20,000 to 1,000,000 back. That’s worth $276 to $13,801, with participants wishing to receive between $2,769 and $13,846 (based on rates at time of writing).

For the latter, it asks for between 0.5 to 100 ETH coins with a promised return of 5 to 1,000 ETH. That’s between $1,425 and $285,045 with a significant return of $14,252 to an extraordinary $2,850,458 (based on rates at time of writing).

We don’t know if whoever runs these sites is also responsible for the space marathon, but the giveaway page seems easy to reuse as a template. Scammers on this one appear to be a lot more ambitious than the space marathon people ever were.

The BTC address flags up across several spam or warning databases. One particular report is interesting, in which it claimed the address was involved in ransomware and appeared to be from a victim who claims to have recovered their money in “less than 48 hours”.

The report says:

Good work deserves recommendation... i lost over 2.3 BTC on Instagram bitcoin scam.. Right about 2 weeks after my ordeal with them I tried using the recommendation from someone on one of the comment section {redacted}. I was able to get all my money back in less than 48 hours. Contact {redacted} to recover all your stolen bitcoins free of charge.

Visiting the URL in the comment opens a non-HTTPs site claiming it is the Internet Crime Complaint Center (IC3), asking visitors to submit their name, address, phone number, email, transaction date, and “proof of payment”.

If you’ve lost funds to the relevant BTC address, we suggest contacting the official IC3 site or the closest equivalent in your region. As for the many, many Elon Musk-themed Bitcoin giveaways, we advise you to ignore them.

What’s noticeable with these is that the scammers are creative in their ways to get you on board. These aren’t effort-free generic sites, and they’re just off the wall enough to make Elon Musk fans think they’re the real deal.

Stay vigilant, and stay safe!

The post Elon Musk-themed cryptocurrency scam uses fake Medium as the promotion site appeared first on Malwarebytes Labs.

Emotet threat actors resumed their email spam campaign on Monday after stopping it late last week to fix a bug.

The bug—a flaw in how Emotet is installed onto a system after a victim opens a malicious email attachment—forced the actors to prematurely halt their campaign.

Emotet is spammed around in emails claiming to contain invoices, forms, or payment details. The attachment is a password-protected ZIP file with a shortcut link file (has the .LNK extension) inside pretending to be a Word document file.

Normally, once users double-click the file, Emotet is loaded into memory, steals email addresses to use in future campaigns, and drops a payload, usually another malware like ransomware or Cobalt Strike. However, the bug happened immediately after the attachment was clicked.

You see, double-clicking the file sets off a chain. A command looks for a string hidden in the .LNK file containing code written in Visual Basic. This code is then appended to a new VBS file before executing that file. But, the shortcut file a command statically calls to does not match the actual name of the attached shortcut file. For example, the command code calls for “Password2.doc.lnk”, but the attached file itself is named “INVOICE 2022-04-22_1033, USA.doc”. This error breaks the infection chain.

Cryptolaemus (@Cryptolaemus1) has provided a more technical explanation in this Twitter thread:

Emotet’s current use of .LNK files as attachments is a tried-and-tested tactic that can bypass antivirus detection and Mark-of-the-Web (MOTW) “marking.” Mark of the Web is a Windows feature that determines the origin of a file downloaded from the Internet.

Our Threat Intelligence Team has seen APT threat actors use .LNK files in their attack campaigns (the Higaisa APT comes to mind). It’s no surprise that other cybercriminal groups have adopted this. Proponents of Emotet and IcedID were just some of them.

Emotet has been revolutionizing its way of reaching victims during its years of activity. Historically, it was spread via malicious Windows App Installer packages and malformed Word documents. Emotet is a sophisticated and versatile Trojan, which has been used by other criminal groups to drop their own malware, causing multiple system infections. Some of the files it drops are QBot, QakBot, TrickBot, and Mimikatz (a legitimate tool used to steal credentials).

BleepingComputer shared a list of attachment names the new Emotet email spam campaign is using, courtesy of Cofense, a security company specializing in email security:

• ACH form.zip
• ACH payment info.zip
• BANK TRANSFER COPY.zip
• Electronic form.zip
• form.zip
• Form.zip
• Form – Apr 25, 2022.zip
• Payment Status.zip
• PO 04252022.zip
• Transaction.zip

If you have received any emails bearing attachments with the above names, it would be wise to delete them immediately to prevent the risk of accidentally opening the attachment.

Stay safe out there!

The post Emotet fixes bug in code, resumes spam campaign appeared first on Malwarebytes Labs.

Google will soon be giving European countries a “Reject All” button in the Search and YouTube cookie consent banner.

This change, which was revealed by Google’s Product Manager for Privacy, Safety & Security Sammit Adhya in a blog post, has already been rolled out in France and will be cascaded to the rest of the European Economic Area, the UK, and Switzerland. Adhya didn’t provide a date on the cascade.

From the Adhya’s post:

“In the past year, regulators who interpret European laws requiring these banners, including data protection authorities in France, Germany, Ireland, Italy, Spain and the UK, have updated their guidance for compliance. We’re committed to meeting the standards of that updated guidance and have been working with a number of these authorities.”

With directions from France’s Commission Nationale de l’Informatique et des Libertés (CNIL), Google finished a redesign of its cookie banner and changed the infrastructure behind how it handles cookies.

CNIL slapped Google with a $170M (€150M) fine for the confusing language in its cookie consent banners earlier this year. CNIL also found the asymmetry of letting users accept all tracking cookies with one click but allowing them to painstakingly untick individual options to reject them all as “unlawful.” Because the average user typically doesn’t want to bother doing this, they are left with no choice but to click “Accept all”—a win for Google’s business.

France has a strong case for declaring Google’s cookie consent behavior. In a 2019 study conducted by academics at Ruhr University Bochum (Germany) and the University of Michigan (USA), researchers found that European consumers think that most cookie consent notices are meaningless or manipulative.

Adhya implied that this could be the first step for Google to change the way cookies work on its sites. He said he knew the implications of these changes and how they impact other sites and content creators who conduct business online.

“We believe this update responds to updated regulatory guidance and is aligned with our broader goal of helping build a more sustainable future for the web. We believe it is possible both to protect people’s privacy online and to give companies and developers tools to build thriving digital businesses.”

The post “Reject All” cookie consent button is coming to European Google Search and YouTube appeared first on Malwarebytes Labs.

The GHT Coeur Grand Est has become a victim of a cyberattack on the hospital centers of Vitry-le-François and Saint-Dizier. The hospital’s administration has warned [French] that data have been exfiltrated and might be used for phishing in the future.

As a consequence, the GHT Cœur Grand Est has cut all incoming and outgoing internet connections from its franchises in order to protect and secure information systems and data.

GHT Coeur Grand Est

The GHT (Groupements Hospitaliers de Territoire) Coeur Grand Est is a group of nine hospitals in the Northeast of France (around Bar-le-Duc). Together they employ some 6,000 healthcare professionals and serve around 300,000 inhabitants of the region. Most of the hospitals within the GHT network operate their own IT infrastructure, but they do share certain resources. The stolen data come from the hospital centers of Vitry-le-François (Marne) and Saint-Dizier (Haute-Marne).

The attack

On April 19, staff discovered a network breach in the systems of the GHT. During that breach, the attackers managed to copy essential administrative data. As a result, the GHT decided to cut all incoming and outgoing internet connections until the situation was resolved.

The applications and software used internally on a daily basis were not affected by the attack and remain operational, but certain services like making online appointments aren’t possible at the moment. The computerized patient file system is fully functional.

The hospitals said the IT team is working to assess and identify the damage and, as quickly as possible, re-establish secure links with the outside world. The information flows that come from outside, mainly lab results, are handled in old-fashioned paper format or, as was done years ago, by fax.

Vigilance

The GHT has warned customers to be vigilant, saying there is no guarantee that the exfiltrated files will not be shared and used by malicious people.

GHT customers should stay on the lookout for targeted phishing attempts and scams that may look more trustworthy because the scammers have information you wouldn’t expect them to have.

• Pay attention to the sender of messages, even if they appear to be an official sender.
• Be careful with attachments. Don’t open them until you verified the origin.
• Never respond to a request for confidential information, in particular banking information.
• Pay attention to the content and wording of the message received. Phishing attempts often introduce some kind of urgency by scaring the receiver or putting time pressure behind the response.
• Be wary of phone calls or texts from unknown numbers.

Stolen data for sale

While the hospital center’s announcement doesn’t contain any attribution clues, Bleeping Computer spotted a new entry on Industrial Spy’s website, a new marketplace for stolen data.

Industrial Spy is a dark web platform that promotes itself as a marketplace for buying corporate data that contain sensitive information like schematics, financial reports, trade secrets, and client databases.

In this case, however, Industrial Spy isn’t offering anything that could draw the attention of a competitor. Instead, the data set exposes patient data among other administrative documents. The threat actors claim that the stolen personal data of patients includes social security numbers, passport scans, banking information, email addresses, and phone numbers.

Stay safe, everyone!

The post Hospitals taken offline after cyberattack appeared first on Malwarebytes Labs.

Bad ads are at it again. Rogue Google ads caused no end of misery for cryptocurrency enthusiasts, costing them roughly $4.31 million between the 12th and the 21st of April. This is an astonishing slice of cryptocurrency cash to lose for the sake of clicking on something in a search engine.

The bogus links were at the top of results for Terra blockchain projects. Searches for projects like Astroport or Anchor resulted in the below search results:

The design of the phish page is quite similar to many that we’ve seen. They’re quite basic, and include little beyond a set of “connect your wallet” buttons. However, as you can see in the below tweet, they’re after people’s seed phrase:

We’ve talked about seed/recovery phishing several times. Seed phrases are your keys to the kingdom, and giving them to a phisher could have serious consequences. It’s no wonder these phishers made off with so much money.

The problem with bad ads

Rogue adverts have been around pretty much for as long as paid adverts have existed. They’ve been the stomping ground of exploit kits, ransomware, fake tech support scams, and much more for years.

One of the main ways to hurt yourself in a search engine used to be SEO poisoning. That didn’t involve ads, but rather involved the search results themselves being bad. If a site got compromised and the content altered, innocent looking results could end up whisking you away to spam or malware. Alongside SEO poisoning, which search engines really tried to clamp down on, bogus ads started making major inroads.

Big numbers, big rewards

Ad fraud costs billions each year. Any network could potentially allow a bad actor onboard, and that’s before you consider that there are rogue ad networks who simply don’t care what’s being pushed to end-users. Slow, cumbersome static ads were replaced by real time bidding, and techniques to push bad content became ever more inventive.

On top of that, you have the usual tricks like fingerprinting and browser search string agents to ensure your bad content reaches specific people. For example, only allowing certain mobile users to land on your mobile-centric scam page. Or how about stopping users at a gateway to see if they run exploitable types of software before letting them progress to the exploit page?

The SEO poisoning tactics all look a bit antiquated next to the “paid-for ad might lose you a fortune” merry-go-round.

Blink and you’ll miss it?

The big problem with paid ads in search engines is one of assumed legitimacy. The fact that they usually appear at the top of the page originally led to complaints that they were being mixed up with “proper” results. This brought about many changes to make it clearer that paid ads were just that.

Sadly, people still struggle with figuring out paid ads vs organic. Close to 60% in one survey didn’t know the difference. This is despite changes from search engine providers for both desktop and mobile platforms.

Does the word “Ad” next to the result in Google really leap out enough to be noticeable? Or when “Ad” appears in Yahoo! or the additional “Ads related to…” under the main ads? How about Bing’s very tiny “Ad” next to the results?

I vaguely recall a search engine placing paid results in a prominent box a few years back, but I suppose I could just be mixing it up with a screenshot of someone highlighting a rogue advert instead.

Avoiding bad ads

There’s multiple ways to avoid bad ads, but some of them come at a cost to either yourself or the sites serving the ads. It’s one of those very personal choices for which there’s no single fit. I’m not going to suggest you do any of these; I’m merely going to give you examples of what people do and leave the decision in your hands.

1. Some folks have simply had enough of adverts. They’ll install ad-blockers, hit the “disallow all” button, and that’s that. However, one drawback is that sites you like may not work. You’ve definitely seen a “please unblock our ads to continue” message at this point. Some sites take a hard line on this, and it’s a case of unblock or go elsewhere. Others will allow you to choose whether to view the site with the ads still blocked, or add them to your “safe site” list. Sometimes this goodwill gesture is enough to have the visitor unblock the ads. If it doesn’t and someone becomes a repeat visitor anyway (with ads still blocked), then the site loses ad revenue.
2. Others may go down the script blocker route. This may allow ads, but will potentially contribute to preventing forms of redirect and/or malicious script loading. Script blocking tools are a lot better than they used to be, with more customisation available than ever before. In the bad old days, it was mostly a case of “enable this and break hundreds of websites”. The trade-off here is that you may end up enabling something that renders the site usable, but also allows for bad things to happen.
3. Security tools. This is one of the more hands-on ways to shut bad things down. Browser extensions, security tools with real-time protection, regular security scans, and keeping your system (and programs) up to date will all help keep exploits, phishing pages, and malware far away, even with all adverts enabled. Nothing is guaranteed, of course, and that’s why several layers of defence tailored to your specific requirements will do significant heavy lifting on your behalf.

Rogue ad attacks are sadly a fact of internet life, and targeting cryptocurrency enthusiasts means potentially massive payouts in comparison to some other forms of phishing. With no way to get your stolen coins back in most cases, it’s not something you can afford to ignore. Start shoring up those defences now, and have a long think about the level of advert exposure you’re comfortable with.

The post Rogue ads phishing for cryptocurrency: Are you secure? appeared first on Malwarebytes Labs.

Last week on Malwarebytes Labs:

• Why you shouldn’t automate your VirusTotal uploads
• North Korean Lazarus APT group targets blockchain tech companies
• Watch out for Ukraine donation scammers in Twitter replies
• Beware tragic “my daughter died…” Facebook posts offering free PS5s
• US warns of APT groups that can “gain full system access” to some industrial control systems
• Oracle releases massive Critical Patch Update containing 520 security patches
• The fake Elon Musk Bitcoin giveaway marathon will NOT make you rich
• It’s legal to scrape public data—US appeals court
• Beware of fake Twitter philanthropists offering to put $750 into your Cash App account
• Pegasus spyware found on UK government office phone

Stay safe!

The post A week in security (April 18 – 24) appeared first on Malwarebytes Labs.

Running a small- to medium-sized business (SMB) requires expertise in everything, from marketing and sales to management and hiring, but in the ever-expanding list of executive responsibilities, one particular item demands attention: Cybersecurity.

Cyberattacks can—and have—shuttered entire businesses. Cyberattacks can ruin reputations. Cyberattacks can lock up your workforce, grind revenue to a halt, send clients and customers looking for alternatives, and cost millions of dollars in recovery.

Running an SMB today, then, requires effective cybersecurity. But cybersecurity vendors don’t make it easy. Every few months another vendor promises the best, fastest, and most effective protection, appending new, three-letter acronyms to features that may not appropriately serve your business, or may require a level of time and resources that your business can’t afford.

For SMBs, one particular third-party evaluation can help clear up some of the clutter. The MITRE ATT&CK Evaluation, run by cybersecurity researchers at MITRE Engenuity, analyzes the performance of dozens of cybersecurity vendors against known, real-world attacks, testing their capabilities not against theoretical damage, but actual harm.

According to the researchers at MITRE:

“While organizations know that robust security solutions are imperative, determining what’s best is no easy feat. There is often a disconnect between security solution providers and their users, particularly related to how these solutions address real-world threats.

Our mission is to bridge this gap by enabling users to better understand and defend against known adversary behaviors through a transparent evaluation process and publicly available results – leading to a safer world for all.”

Though the MITRE ATT&CK results are not quick to comprehend—after all, MITRE does not rank or select any “winners” or “losers” in its testing—they are important to understand. MITRE results can reveal which vendors can best prevent incoming cyberattacks, which can provide high visibility into current problems, and which can detail the most information about those problems.

Crucially, MITRE results can detail which cybersecurity vendor will offer your business the most effective “out-of-the-box” experience, protecting your business from cyberattacks while requiring less daily input from you and your team.

Here’s what the MITRE researchers evaluate in their testing and why it matters to your SMB.

Protection

“Protection” is a term that describes whether a cybersecurity product can prevent an attack before it even reaches your computers or systems. Protection is the first line of defense for any business and its significance cannot be overstated. Preventing an attack is always preferrable to responding quickly to an attack after it has happened.

The MITRE ATT&CK Evaluation does not require its participants to be tested on their protection capabilities. In the most recent testing by MITRE, 22 out of 30 vendors entered the protection test. Just 10, including Malwarebytes, scored 100 percent on protection.

While no cybersecurity product can stop every single cyberthreat in existence—it just isn’t possible as cybercriminals constantly advance their tactics—a good cybersecurity product will still rank highly on MITRE’s protection analysis.

Visibility and alert quality

Cyberattacks do not happen in seconds. Instead, cybercriminals can plan their attacks for days or even weeks, brute-forcing their way into an insecure Remote Desktop Protocol port or simply tricking an employee into opening a malicious email attachment which then allows them to gain remote control of a machine, where they will then spread laterally through a network, deploying dangerous hacking tools along the way, until they launch a massive attack that can derail any business.

Any decent cybersecurity product should be able to flag any malicious or suspicious behavior happening on a network and deliver related warnings to the end-user. This capability to see potential attacks as they’re happening and then signal those attacks to users is called “Visibility,” and MITRE tests this in its own evaluations. The Visibility score reflects the number of dangerous steps that a cybersecurity solution caught and sent warnings about during a simulated attack.

Visibility is just one half of a cybersecurity response, though. The other half is “Alert quality.”

As we explained in our previous article describing the most recent MITRE ATT&CK Evaluation results:

“Not every alert is equal. Some provide far more detailed information that can be acted upon by security teams, while other alerts only notify a security team of a problem. In the MITRE ATT&CK evaluation results, alerts are given three tiers of specificity, from least to most specific—General, Tactic, and Technique.

Techniques are the types of alerts that empower security teams to solve problems faster. Going beyond a basic description of what happened, a Technique alert will explain the surrounding context. That can include what threat actors are trying to accomplish with a malicious script.”

Cybersecurity products that achieved both high Visibility and Alert Quality in the most recent MITRE testing can equip SMBs with the support they need: A product that will not only tell you when something is wrong, but also what, specifically, is happening, and what the outcome could be.

Malwarebytes detected  83 out of 90 steps involved in the MITRE ATT&CK Evaluation—a rate of 92 percent—and of those 83 alerts, 82 were Technique alerts.

“Out-of-the-box” experience

The reality that many SMBs face is that they do not have the time or the budget for an in-house security team or even a single devoted security hire. But that shouldn’t mean that these same SMBs are left vulnerable to cyberattacks. What they need most is a cybersecurity product that works seemingly “out of the box,” which could approach a level of “set it and forget it” ease.

The MITRE ATT&CK Evaluation does not incorporate any of this rhetoric in its testing, but there is a way to interpret MITRE results that takes into account just how engaged a business must be to achieve solid cybersecurity.

Here, we have to explain “configuration changes.” Configuration changes are settings that a cybersecurity vendor can change while MITRE is actually analyzing that vendor’s product. These configuration changes reflect the real-world use of cybersecurity products by some enterprise companies—changes in what a product notifies its end-users about that may help catch emerging threats as they evolve every few weeks.

But, as we wrote before, such configuration changes are not universally applied by businesses everywhere, and in fact, these changes could lead to adverse results:

“Importantly, these customers may actually lose some value if they try to implement the same types of configuration changes that MITRE Engenuity allows, as these changes will likely produce a greater quantity of alerts, leaving these customers to spend more time deciphering the importance of these alerts and how to respond. This adversely affects the visibility and alert quality components as customers spend time sifting through a potentially significant number of additional, low-quality alerts in order to determine priority actions. A productivity loss no organization—big or small—is willing to accept.”

Configuration changes can be a powerful tool specifically for the businesses that have the resources to implement them responsibly and nimbly. But for the countless number of businesses that would not realistically take advantage of these settings, any cybersecurity product worth its cost should provide efficient and effective cybersecurity with zero configuration changes made during the MITRE ATT&CK Evaluation.

Malwarebytes is one of the few cybersecurity vendors that achieved its results with zero configuration changes. For a full breakdown on how Malwarebytes ranks with this frame of analysis, read our full blog here.

Understanding MITRE for your SMB

The MITRE ATT&CK Evaluation can be overwhelming to understand at first glance, but interpreting the results is worth the effort. By looking at what products can offer your business effective cybersecurity while respecting your limited resources, you can better protect your business for the future.

The post Why MITRE matters to SMBs appeared first on Malwarebytes Labs.