
Mac users, update now! “Powerdir” flaw could allow attackers to spy on you

If you have been forgoing updating your Mac, this article might make you think twice.

The Microsoft 365 Defender Research Team has discovered a vulnerability in macOS, which allows malicious apps to successfully bypass a user’s privacy preferences. This means attackers could access personal data that was once private, as well as install a malicious app—or hijack one that’s already installed—to access the microphone to record conversations or capture screenshots of the user’s screen without them knowing.

Dubbed “Powerdir,” it is the latest in a lengthening line of bypasses of the Transparency, Consent, and Control (TCC) security framework that have hit Apple these past few months. The Microsoft team is said to have reported Powerdir to Apple in mid-July 2021, and Apple patched it 6 months later. It is tracked as CVE-2021-30970.

The Security & Privacy UI of a macOS device, which helps users configure the privacy settings of their apps. The TCC is the underlying technology that makes this happen. (Source: Microsoft)

The TCC is essentially the technology that keeps user data within a device private, so apps without full disk access rights cannot just access data without the user’s consent. It also houses a database of consent history for app requests.

While Apple has set up restrictions and blocking mechanisms against unauthorized code execution, the Microsoft team was able to successfully change a user’s home directory and plant a second TCC database (a specially crafted one, of course). In doing so, they were able to access protected user information.

Screenshot of the first working Powerdir proof-of-concept (PoC) (Source: Microsoft)

A bypass similar to Powerdir was presented by Wojciech Reguła and Csaba Fitzl at Black Hat USA in August 2021, along with over 20 more TCC bypasses. That flaw was tracked as CVE-2020-27937. However, despite Apple patching it, the Microsoft team’s PoC still worked until Apple released macOS Monterey in October 2021.

The Microsoft team then modified their first Powerdir PoC to make it work in the new macOS. Here’s a link to the demo video of how it now works in Monterey. This, too, has been patched by Apple and included as part of CVE-2021-30970.

How to protect yourself from Powerdir

All Mac users have to do is download and apply the fixes. Easy!

Stay safe!

The post Mac users, update now! “Powerdir” flaw could allow attackers to spy on you appeared first on Malwarebytes Labs.

Browsers on iOS, iPadOS and Mac leak your browsing activity and personal identifiers

Researchers at FingerprintJS, a Chicago-based firm that specializes in online fraud prevention, have published details of a software bug in Safari 15’s implementation of the IndexedDB API that lets any website track your internet activity and may even reveal your identity.

They found that in Safari 15 on macOS, and in all browsers on iOS and iPadOS 15, the IndexedDB API violates the same-origin policy, a fundamental security mechanism that restricts how documents or scripts loaded from one origin can interact with resources from other origins.

Safari

Safari is developed by Apple and designed to be the default browser for the operating systems macOS, iOS and iPadOS. As such, it has a market share of around 20%, which makes it the most used browser after Chrome, which has a market share of over 60%.

The researchers found that the current version of WebKit, the browser engine that powers Safari on Macs as well as all browsers on iOS and iPadOS, can be tricked into skipping the same-origin check. To put it simply, the names of all IndexedDB databases are available to any site that you are visiting in the same session. Actual access to the content of each database is restricted however.

IndexedDB

IndexedDB is a browser API for client-side storage designed to hold significant amounts of data. It’s supported in all major browsers and is very commonly used. Normally, information stored in IndexedDB storage can only be accessed by a web page from the same domain that created it. If Google creates it, for example, the information cached there can only be accessed by another Google web page.

Google services store an IndexedDB instance for each of your logged in accounts, with the name of the database corresponding to your Google User ID. This ID can be retrieved using this leak as well.

The leak

The information that can be gathered by exploiting this bug may seem limited at first sight. But it can disclose information about your recent browsing history and even some info about the logged-in Google account. So, it lets arbitrary websites learn what other websites you visit(ed) in different tabs or windows.

Additionally, some websites use unique user-specific identifiers in database names, which means that authenticated users can be uniquely and precisely identified. This includes, for example, your Google profile picture, which can be looked up using an ID attached to certain sites’ IndexedDB caches.

Not only does this imply that untrusted or malicious websites can learn a user’s identity, but it also allows the linking together of multiple separate accounts used by the same user.

Exploitability

Note that these leaks do not require any specific user action. A tab or window that runs in the background and continually queries the IndexedDB API for available databases can learn what other websites a user visits in real-time. So, all the criminals have to do is get you to visit a site designed by them. In such a case of actively controlled exploitation, the attacker could tell websites to open any other website in an iframe or popup window in order to trigger an IndexedDB-based leak for that specific site.

Mitigation

Apple has acknowledged the bug and worked on a solution, marking the issue as resolved. This does not mean the fix will take effect immediately, however. Updates take time to roll out, and it could be a while before your devices receive the fix.

If you are worried about this leak, you can use private mode in Safari 15. But this only helps partially because private mode in Safari 15 is also affected by the leak. It only helps because private Safari windows are restricted to a single tab, which reduces the extent of information available via the leak. If you visit multiple different websites within the same tab, all databases these websites interact with are leaked to all subsequently visited websites.

Another way to limit the impact is to block all JavaScript by default and only allow it on sites that are trusted. But this makes web browsing very inconvenient and is likely not a good solution for everyone. Moreover, vulnerabilities like cross-site scripting make it possible to get targeted via trusted sites as well, although the risk is much smaller.

macOS users can switch to another browser but, unfortunately, this is not an option on iOS and iPadOS, as all browsers are affected on these operating systems.

Demo

For those interested, the researchers have created a demo that demonstrates how a website can learn the Google account identity of any visitor. The demo is available at safarileaks.com.

If you open the page and start the demo in an affected browser, you will see how the current browsing context and your identity is leaked right away. Identity data will only be available if you are authenticated to your Google account in the same browsing session.

Stay safe, everyone!


Cybercriminals’ friend VPNLab.net shut down by law enforcement

Europol has announced that law enforcement has seized or disrupted the 15 servers that hosted VPNLab.net’s service, rendering it no longer available.

Led by the Central Criminal Office of the Hannover Police Department in Germany, the coordinated operation took place in Germany itself, the Netherlands, Canada, the Czech Republic, France, Hungary, Latvia, Ukraine, the United States and the United Kingdom.

What was VPNLab.net?

VPNLab.net was a virtual private network provider that mostly advertised its services on the criminal side of the Dark Web, and provided services for various cybercriminals, including ransomware gangs. VPNLab had been around since 2008 and had built its service around the OpenVPN technology, used strong encryption, and provided double VPN, with servers located in many different countries.

According to its own website before it was taken down, VPNLab described itself as a service that provides security on the Internet by encrypting the user’s original traffic.

“Our service is designed for a broad spectrum of clients who care about their personal security. We set a special encrypted channel between your computer and our foreign servers. The channel is installed based on OpenVPN technology and encrypted using 2048 bit key and thanks to sophisticated algorithms all the information is unreadable for your provider. Average users don’t see the necessity of the described procedure and may even find it useless.”

At a cost of $60 per year, and with a multitude of accepted payment methods that included WebMoney, Perfect Money, and a host of cryptocurrencies, nothing would indicate to visitors that they were looking at a predominantly illicitly used service rather than one that simply took privacy seriously.

What is double VPN?

Double VPN is basically what the name suggests. Your online activities are not hidden behind one, but two servers. The basic technology is called VPN server chaining and the idea behind it is pretty simple, but that doesn’t mean the technology is.

  • Your traffic is encrypted on your device and sent to an external VPN server.
  • Upon reaching the server it is encrypted again.
  • The double encrypted data goes to a second server where it is decrypted.
  • And then the information is sent to its destination, secure and private.

Double VPN is not a common feature, because it is very slow. When your traffic runs through two VPN servers located in different countries thousands of miles apart, the slowdown becomes inevitable. Double encryption is also especially resource-demanding.

Keeping your traffic private really has to be worth the time and resources before double VPN makes sense. This narrows down the interested users, but certainly includes many criminals.

DoubleVPN was also the name of a similar service used by cybercrime groups that got taken down in a coordinated effort between global law enforcement agencies, led by the Dutch National Police in June of 2021.

The impact

During this week’s operation, 15 servers were taken offline and the domain name was seized. No arrests were mentioned which probably means that none were made.

According to the Head of Europol’s European Cybercrime Centre, Edvardas Šileris:

“The actions carried out under this investigation make clear that criminals are running out of ways to hide their tracks online. Each investigation we undertake informs the next, and the information gained on potential victims means we may have pre-empted several serious cyberattacks and data breaches.”

The actions are not directed at VPN services as such, but where a service provider supports illegal activity and refuses to respond to lawful requests from law enforcement authorities, international law enforcement agencies will cooperate to shut down the global network and dismantle brands that are clearly servicing criminals.

The bulletproof nature of the service made VPNLab.net a popular choice for cybercriminals, who could use its services to carry on committing their crimes without fear of being detected by authorities. Law enforcement took interest in the provider after multiple investigations uncovered criminals using the VPNLab.net service to facilitate illicit activities such as malware distribution.

Other cases showed the service’s use in the setting up of infrastructure and communications behind ransomware campaigns, as well as the actual deployment of ransomware. It was even advertised as such a service on the Dark Web.

All in all, it is another dent in the infrastructure provided to cybercriminals, which may have prevented or postponed a few crimes.


Infamous dark net carding site UniCC to close

UniCC, the largest site on the dark web that sells credit card and debit card information, will close up shop for good, taking its affiliate site, LuxSocks, with it, too. According to Elliptic, a company that offers risk solutions for cryptoassets, the unknown UniCC administrators have made an estimated $358M USD in cryptocurrency for selling stolen credit card details.

A little bit about UniCC

UniCC opened shop in 2013, and specialized in credit card fraud and the sale of card details to criminals, collectively called carding. As you may already know, once online criminals get hold of your card details, they can use these to conduct unauthorized transactions. Such details can also be resold for cash, used in identity theft or the making of a synthetic identity, or used to further cash out cryptocurrencies gained from other online crimes.

The underground market accepts cryptocurrency payments of Bitcoin, Litecoin, Ether, and Dash.

And so, after nearly a decade of being active, administrators have announced their “retirement” on a carding forum. The announcement is in both Russian and English.

The UniCC post to a forum in English. (Source: Elliptic)

“Our team retires,” the announcement reads. After expressing their appreciation to clients, partners, and colleagues, they then proceed to shoot down potential gossip on why they suddenly decided to close shop: “…we are not young and our health do [sic] not allow to work like this any longer.” They then ended their piece with a warning, which is the final nail to the coffin: “We ask you to be smart and not follow any fakes tied to our comeback and other things.”

UniCC has filled the void left in the underground carding market after Joker’s Stash, deemed one of the founders of the carding industry in the dark web, voluntarily pulled the plug in February 2021. It’s believed that the administrator behind Joker’s Stash came away a “Bitcoin billionaire”.

Sunsetting and mixed feelings

UniCC and Joker’s Stash aren’t the only carding markets that have voluntarily exited this illicit industry.

“Right now it seems to be happening more,” said Professor David Décary-Hétu, a criminologist at the University of Montreal, in a BBC interview, “Markets gracefully exit and say, ‘We’ve made enough money, and before we get caught, we’re just going to retire and go into the sunset.’”

Eight months after Joker’s Stash went kaput, White House Market (WHM), a darknet marketplace, shut down. Then in November 2021, Cannazon, the largest marketplace for buying marijuana-based products, shut after a DDoS attack. Then to round off the year, ToRReZ Market, a site selling illegal products, closed in December 2021.

According to research conducted by the BBC, Europol, and European Monitoring Centre for Drugs and Drug Addiction (EMCDDA), there are at least five known reasons why markets in the dark web close.

Voluntary retirement, or “sunsetting”, is second to “exit scam”, which is where the market admins pull the rug from under their clients and partners and run away with the money. That’s exactly what happened recently with Arbix Finance.


While this wave of sunsetting may sound like great news to a lot of us, law enforcement have mixed feelings about it.

Alex Hudson, the Head of Darknet Intelligence at the National Crime Agency (NCA), is quoted by the BBC as saying: “I always celebrate anybody who perhaps realises that they’re in an occupation, which is criminalised and decided not to enhance that further. If there is a regret, it’s that we do need to hold them accountable for it and they need to understand that they will still be held accountable.”


Nintendo warns of imitation websites and suspicious hardware

Brave indeed is the soul who decides to take on Nintendo with scam-filled behaviour online. The console legends have a long history of cracking down on fraud, as well as on gaming pastimes some would consider to be harmless.

Whether you create fan-made games, offer up plundered ROMs for use in emulators, or even just want to rent out some titles: Nintendo has almost certainly made the news.

This is before we even get to the Switch hacker improbably named Bowser who had to pay Nintendo $4.5 million as a result of said hacking.

It’s dangerous to hack alone

In a nutshell: perilous is the path of Nintendo fandom, and activities Nintendo may strongly disagree with. The company has always come down particularly hard on scams and hardware fakeouts, because it simply does not want people tampering with physical devices. The crown jewels are the online services and digital products, and Nintendo doesn’t want bogus consoles or cartridges mixing and matching with the real thing.

Last year, a big Nintendo story was the breach of around 300,000 Nintendo accounts. Suspected reasons for the spill included phishing and/or credential stuffing, with a fair bit of probable password reuse thrown in for good measure. There’s also the famous 2017 breach where files dating back to the 80s were accessed via the use of VPNs.

At this point, we can safely say two things. One: Nintendo absolutely does not want to entertain phishers, or bogus Nintendo websites. That path leads to bad experiences for Nintendo customers. Two: Nintendo absolutely does not want to entertain unofficial hardware, or suspicious device sales. This is another path filled with knock-off devices or tampered game cartridges.

The end result is that combining fake sites (which may or may not be phishing) with unofficial hardware sales will draw Nintendo’s attention extremely quickly.

Nintendo impersonations, phantom products?

For that reason, Nintendo has published a warning in relation to a fake site. A rough translation follows:

We have confirmed the existence of a fake site that impersonates the Nintendo homepage. These fake sites have nothing to do with us.

The fake site uses our logo illegally, making it look as if it is operated by us, and you can purchase our products such as Nintendo Switch at a significantly discounted price. If you purchase a product on a fake site, you may be scammed by fraudulent acquisition of personal information. Please be careful not to mistake it for our website, and do not purchase products from fake websites.

Nintendo usually holds on to lots of additional data where hacks or scams are concerned, likely because they are spending a lot of time investigating behind the scenes. This is how you eventually end up with people in front of judges.

Sadly, this sometimes makes it a bit tricky to figure out the who, what, when, where, and of course, why of any given situation. As Nintendo hasn’t released any information with regards to the fake site, it’s tricky to add much beyond what’s already been said.

Sounding out the scam

This definitely sounds like bogus device sales…if those devices even exist. It may well just be a fake store selling absolutely nothing at all, but that captures victims’ payment details. It’s possible the site in question also asks visitors to log in with their Nintendo accounts too. We simply don’t know.

The announcement on social media and the press release appear to (currently) be aimed at Japanese consumers only, so impact from this site may be more limited than usual. The release also points people to nintendo(dot)co(dot)jp as the official site, and doesn’t mention other regional variations.

For some semblance of completeness, there’s also Nintendo(dot)co(dot)uk, Nintendo-europe(dot)com, and Nintendo(dot)com for the US. I imagine there’s almost certainly more, but those tend to be the main first ports of call. If you haven’t set up two factor authentication on your Nintendo account then now is the perfect time to do it. The Princess may well be in another castle, but we don’t have to say the same thing about your login details.


Why we don’t patch, with Jess Dodson: Lock and Code S03E02

In 2017, the largest ransomware attack ever recorded hit the world, infecting more than 230,000 computers across more than 150 countries in just 24 hours. And it could have been solved with a patch that was released nearly two months prior.

This was the WannaCry ransomware attack, and its final, economic impact—in ransoms paid but also in downtime and recovery efforts—has been estimated at about $4 billion. All of it could have been avoided if every organization running a vulnerable version of Windows 7 had patched that vulnerability, as Microsoft recommended. But that obviously didn’t happen.

Why is that?

In today’s episode of Lock and Code with host David Ruiz, we speak with cybersecurity professional Jess Dodson about why patching is so hard to get right for so many organizations, and what we could all do to better improve our patching duties.

According to Dodson, the problem of patching isn’t just a problem of resources—time, staffing, funding—but also of mindset. For some organizations, refusing to patch almost brings with it a bizarre sense of pride, Dodson said.

“I was having a chat to a fellow security professional who was doing some work for an organization where they were boasting about servers being up for 1,000 days. That’s not something to be proud of. I don’t get the whole idea of being proud of your uptime. That just means you haven’t done any updates on that thing for three years.”

Jess Dodson

Tune in to hear all this and more on this week’s Lock and Code podcast by Malwarebytes Labs.


You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.


REvil ransomware gang busted by Russian Federal Security Service

Eight members of the REvil ransomware group have been arrested in Russia and will face criminal charges.

Russia’s intelligence bureau, the FSB, announced on Friday that it had conducted an operation together with the Interior Ministry in Moscow, St. Petersburg, and the regions of Moscow, Leningrad and Lipetsk to detain the gang members.

In total, the FSB raided 25 homes of 14 members of the group and seized more than 426 million rubles ($5.6 million), including $600,000 in cryptocurrency and €500,000, as well as computer equipment, the crypto wallets that were used to perpetrate crimes, and 20 luxury cars that were purchased with illicitly obtained money.

Eight of the suspects have been indicted. They are suspected of committing a crime stipulated under Part 2 of Article 187 of Russia’s Criminal Code (‘Illegal Circulation of Payments’).

US input

The FSB began the investigation after receiving information from US agencies about a criminal group and its involvement in attacks on foreign high-tech companies, by implanting malware, encrypting data and extorting money for its decryption. Based on the information provided, the FSB managed to identify all members of the REvil gang, document their illegal activities, and establish their participation in “illegal circulation of means of payment.”

The question of whether the arrests are a direct result of the pressure the Biden administration has been applying on Russian President Vladimir Putin to move against ransomware groups operating in Russia will probably never receive an official Russian answer. The United States government hasn’t indicated how it planned to respond to attacks emanating from Russia, but in July 2021 Biden hinted at digital retaliation if Russian cooperation was not forthcoming.

A Kremlin statement back then said Putin told Biden that Russia had not received any requests from the relevant US departments in the last month, and said that Russia was ready to jointly stop crime.

Now it looks like that might have happened, and hopefully not for the last time. There are many other ransomware groups believed to be based in the CIS.

REvil

We have talked about REvil here many times. Among other articles, you can find a threat spotlight from 2019, and a detailed report about REvil’s supply chain attack against Kaseya. That one even made it into the three most significant cyberattacks of 2021.

According to the FSB, as a result of the joint actions of the FSB and the Ministry of Internal Affairs of Russia, the REvil gang now ceases to exist after their information infrastructure used for criminal purposes was neutralized.

A lot of writing and speculation has been done about REvil’s origin, whether the gang would come back after a part of their infrastructure was shut down, or when affiliates were arrested. So, if you ask us whether this will be the end of REvil, it’s hard to give a definitive answer.

But whether the gang reopens operations under the same name, or whether it spawns a new organization under new management, the result will be the same. The infection methods, the extortion tactics, and the merciless attacks will undoubtedly continue.

Stay safe, everyone!


A week in security (January 10 – 16)

Last week on Malwarebytes Labs:

Stay safe!


Some Android users can disable 2G now and why that is a good thing

The Electronic Frontier Foundation (EFF) has happily informed people that Google has quietly pushed a new feature to its Android operating system allowing users to optionally disable 2G at the modem level in their phones.

This is beneficial because 2G uses weak encryption between the tower and device that can be cracked in real time by an attacker to intercept calls or text messages.

What is 2G?

Knowing that some countries are already preparing for 6G, you will understand that 2G, which is short for second generation, is an outdated communication standard. Another name for the 2G network that you may be familiar with is GSM (global system for mobile communications). 2G was set up in 1991 and in 2017 some providers started closing down their 2G networks. However, some carriers think that closing down 2G is not the best idea and continue their operations.

Why should I not use 2G?

You should avoid using 2G since it doesn’t use strong encryption and, over the years, many vulnerabilities have been found.

The encryption between the tower and the device is so weak that it can be cracked in real time by an attacker to intercept calls or text messages. In fact, the attacker can do this passively without ever transmitting a single packet.

Another major problem is that there is no authentication of the tower to the phone, which means that anyone can impersonate a real 2G tower, and a device using the 2G protocol will happily use it without questioning.

Cell-site simulators

Cell-site simulators, also known as Stingrays or IMSI catchers, are devices that pretend to be legitimate cell-phone towers, tricking devices within a certain range into connecting to the simulator rather than a tower.

Cell-site simulators operate by conducting a general search of all cell phones within range, in violation of basic constitutional protections. Law enforcement use cell-site simulators to pinpoint the location of phones with greater accuracy than phone companies. Cell-site simulators can also log the IMSI numbers (International Mobile Subscriber Identifiers, which identify a mobile subscriber by their SIM card) of all of the mobile devices within a given area. Some cell-site simulators may have advanced features allowing law enforcement to intercept communications or even alter the content of communications.

3G, 4G, and 5G deployments fix the worst vulnerabilities in 2G that allow for cell-site simulators to eavesdrop on SMS text messages and phone calls. It’s not that they don’t have vulnerabilities, it’s just that they are a big step forward.

Who can disable 2G?

For now, only the newest Android models will have the option to disable 2G. These users can disable 2G right now by going to Settings > Network & Internet > SIMs > Allow 2G and turning that setting off. On older Android phones, these steps may or may not work. Unfortunately due to limitations of old hardware, Google was only able to implement this feature on newer phones.

2G disabled (Image courtesy of EFF)

The EFF urged Apple to support this feature as well, and has started a Twitter campaign to nudge Apple along. The EFF also strongly encouraged Google, Apple, and Samsung to invest more resources into radio security so they can better protect smartphone owners.

Completely abandoning 2G is not an option yet, since many people still rely on it as their main mobile technology, especially in rural areas. That’s why brand-new, top-of-the-line phones on the market today still support 2G technology. But they should at least offer those users who do not depend on it the option to disable 2G. The first step has been made, so let’s keep things moving.

Stay safe, everyone!


Ransomware cyberattack forces New Mexico jail to lock down

Five days after the new year, the Metropolitan Detention Center (MDC) in Bernalillo County, New Mexico suddenly went on lockdown. The reason? A ransomware cyberattack had knocked the jail’s internet connection offline, rendering most of its data systems, security cameras, and automatic doors unusable. Prisoners were confined in their cells while MDC technicians struggled to get everything back up and running again.

This attack forced the facility to suspend all prison visits, including from family members and lawyers, which the facility claimed was for the safety of everyone involved. And according to a public defender who represents some of the inmates, the facility’s response to the attack also threatened the prisoners’ constitutional rights.

No, the Metropolitan Detention Center was not targeted

According to a 7-page emergency notice, the entire Bernalillo County was attacked by unknown ransomware threat actors on Wednesday, the 5th of January, between midnight and 5:30AM local time. While the MDC itself wasn’t the target, the after-effects of the attack spread within the facility just the same. County Internet systems were said to be compromised, with staff having limited access to email. This greatly affects MDC staff, because the facility’s structure and location prevent them from using cellular data, which is usually a good alternative if the county experiences an internet outage.

On top of this, several databases within MDC have been confirmed to be corrupted by the attack. Two important systems, namely the facility’s Incident Tracking System (ITS), a system where incident reports are created and stored, and the Offender Management System (OMS), a system housing prisoner account data, were rendered inaccessible and were suspected to be corrupted.

“One of the most concerning impacts of the cyber attack is that MDC is unable to access facility cameras,” per the notice, “As of this evening, January 5th, there was no access to cameras within the facility.”

The only known reprieve at that time had been the immediate restoration of the automatic doors in the afternoon. Staff would no longer have to manually lock and unlock facility doors using keys.

A breach in the system could result in unforeseen problems

This ransomware cyberattack has pushed Bernalillo County into potentially violating a settlement agreement [PDF] from a two-decade old lawsuit, which is why it filed an emergency notice to the federal court. This agreement requires county jails to improve conditions within the facility and address complaints like overcrowding. This also includes providing inmates with regular access to telephones and other communications devices (e.g. tablets). But because the attack affected their internet connection—rendering inmates unable to use such devices—and because jail staff decided to keep inmates confined to their cells, the county has found itself unable to fulfill conditions in the settlement.

The county has already reached out to federal law enforcement to assist in addressing the ransomware attack. For now, Bernalillo County is taking steps to mitigate the effects of the attack.

We’ve entered 2022 with many of us only hoping that we’d see fewer ransomware attacks. But as we already know, what we hope for doesn’t always equate to reality. Ransomware has been a top threat for years now. Unless organizations take a serious stance on cybersecurity, there is no way we can (at least) slow these attacks down.
