IT NEWS

TrickBot takes down server infrastructure after months of inactivity

The king of tricks is dead. Long live the new king. Or will it make a comeback?

While we already assumed TrickBot was dead in the water, the shutdown of the server infrastructure on February 24, 2022, did not go unnoticed. Is this really the end of one of the most active botnets in the last decade?

History

The rise of TrickBot started when it was a banking Trojan designed to steal personal financial data. Initial development started in 2016, with many of its original features inspired by Dyreza which was another banking Trojan.

Fast forward a few years to 2018, and due to its modular build and the capabilities to move laterally in a network TrickBot has become the top-ranked threat for businesses. Back then, the authors of TrickBot were agile and creative, regularly developing and rolling out new features. The separate modules made it easier to develop new capabilities and use the malware for several purposes. For example, in 2019 researchers found a new feature in TrickBot that allows it to tamper with the web sessions of users who were on certain mobile carriers. Other features such as disabling real-time monitoring from Windows Defender were also added at some point.

In 2021, a number of arrests were made that provided some insight into the scale and complexity of the TrickBot group. These arrests also seem to have been some of the starting points that marked the end of the group. Some might have felt insecure, even with all the safety guards they deployed to keep their true identity secret, seeing some of their co-workers getting indicted.

Cooperation

The ransomware scene can be compared to any legitimate business vertical in more than one way. You will see short lived cooperation, fusions, and staff moving from one company to another. Some of the malware peddlers and ransomware gangs have established a relationship that can be described as being in league with each other. Given their nature and the amount of money that goes around in these ransomware groups, they are sometimes referred to as (cyber)crime syndicates.

Over the years we’ve seen several campaigns where Emotet acted as a dropper for the TrickBot trojan. TrickBot then stole the financial information it was after, and downloaded the Ryuk ransomware. This Emotet-TrickBot-Ryuk supply chain was feared worldwide and turned out to be extremely resilient. After Ryuk’s rebranding to Conti this did not change. But Conti has grown over the years and expanded to the point that it can now be considered one of the major players in this ”industry” in its own right.

Its relationship with TrickBot was one of the primary reasons for the rapid rise of Conti. At some point, Conti turned into the sole end-user of TrickBot’s botnet product. By the end of 2021, Conti had essentially acquired TrickBot, with multiple elite developers and managers making the move to join Conti.

The end(?)

There are a few contributing factors that indicate that this may really be the end of TrickBot.

  • The move of developers and managers to Conti, and possibly other gangs.
  • The high detection rate for TrickBot. A less actively developed malware becomes an easy target for detection and remediation routines.
  • The rise of the BazarLoader which used to be a part of Trickbot’s toolkit, but has now been developed into a fully autonomous tool. It seems the likely candidate for Conti to develop further.
  • The voluntary shutdown of the servers and the fact that they hadn’t set up any new servers for months.
  • The lack of new TrickBot email spam campaigns in the year 2022.

Renowned researchers expect this to be the end of TrickBot as we know it.

That doesn’t mean it can’t rise like a Phoenix from the flames with a new label or under different management. Most of the people who have led and developed TrickBot throughout its long run will not simply disappear from the scene, but find new employers, like Conti.

Whether we will notice that TrickBot is gone remains to be seen. Plenty of new infiltration methods are available to the ransomware gangs and their affiliates. And it will probably even take years before we stop seeing TrickBot detections, dormant or not, on some system.

The post TrickBot takes down server infrastructure after months of inactivity appeared first on Malwarebytes Labs.

How Crisis Text Line crossed the line in the public’s mind: Lock and Code S03E05

Last month, Politico reported that Crisis Text Line, a national mental health support nonprofit whose volunteers help people through text-based chats, was sharing those chats with a for-profit company that Crisis Text Line spun-off in an attempt to boost funding for itself. That for-profit venture, called Loris.AI, received “anonymized” conversational data from Crisis Text Line, which Loris.AI would use to hone its product—a customer support tool.

The thinking behind this application of data went a little something like this: Companies all over the world have trouble dealing with difficult customer support conversations. Crisis Text Line had trained an entire volunteer force on having broadly difficult conversations. What if the lessons from those conversations could be gleaned from the data trails they left behind? What if the lessons could be taught to a product, which would in turn help customer support representatives deal with angry customers?

But that setup, once exposed by Politico, infuriated many members of the public. Some thought it was wrong to keep conversational data, period. Some thought it was wrong to allow outside researchers to study the data of texters and the volunteers who support them. And some were primarily upset with the application of this data to bolster a for-profit venture.

Today, to help us understand that anger and to dive into data privacy principles for crisis support services, we’re speaking with Courtney Brown, the former director of a suicide hotline network that was part of the broader National Suicide Prevention Lifeline.

Interestingly, during her time with her suicide hotline network, Brown consulted with Crisis Text Line on the evaluation of its volunteer training program in their first year.

For Brown, the problems with Crisis Text Line are clear: The use of the data was not proven to help anyone in any way that hadn’t already been discovered in prior suicide research.

“[Crisis Text Line is] acting like there is a social good, that there must be—there must be a social good somewhere in here. But seriously, what is it. Tell me what it is. Maybe I’ll reevaluate it if you can tell me how using this data is different from using all of the other data that’s been collected about suicide prevention.”

Tune in to hear all this and more on this week’s Lock and Code podcast by Malwarebytes Labs.

This video cannot be displayed because your Functional Cookies are currently disabled.

To enable them, please visit our privacy policy and search for the Cookies section. Select “Click Here” to open the Privacy Preference Center and select “Functional Cookies” in the menu. You can switch the tab back to “Active” or disable by moving the tab to “Inactive.” Click “Save Settings.”

You can also find us on Apple PodcastsSpotify, and Google Podcasts, plus whatever preferred podcast platform you use.

The post How Crisis Text Line crossed the line in the public’s mind: Lock and Code S03E05 appeared first on Malwarebytes Labs.

Covid app’s privacy information ruled not clear enough

The UK’s data watchdog has issued a reprimand to both the Scottish government and NHS National Services Scotland about their Covid Status app. The Information Commissioner’s Office (ICO) urged both to act swiftly to address its concerns about the app that, according to the ICO, failed to provide people with clear details about how their personal information was being used.

Covid Status app

The NHS COVID Pass shows the holder’s Covid vaccination details, test results, and recovery information. The holder can use the app to prove their Covid status when travelling abroad or when visiting venues that require proof of a Covid status. The app can be used to display a QR code rather than details of the vaccination or test results, which can then be scanned by someone using a verifier app. They will need to see a green tick that confirms the person’s Covid status in order to allow them the requested access.

The displayed information is inherently personal because it says something about your medical history so it should be treated with the greatest care. However, the ICO said there were only three days between it receiving the full details on how the NHS Scotland Covid Status app would be using people’s information and the rollout of mandatory status checks. This did not provide authorities and users with ample time to review the privacy details.

Sharing information

Originally, there were plans to let the app share the images and passport details of Scottish users with the software company providing the facial recognition technology behind it, but this technology wasn’t necessary for the app to function and served no benefit to the user. The ICO concluded it would have been unlawful in these circumstances to share information with the software company in order to help them improve the facial recognition software.

As a result, the Scottish government and NHS National Services Scotland halted plans to share personal data with the software company. However, the ICO said the app was launched as planned without fully addressing its wider concerns about compliance with data protection law.

The investigation

The ICO followed up with an investigation and has now concluded that both parties failed to initially provide adequate information to users about how personal information would be used. They also didn’t correct this by failing to provide concise privacy information so the average person could realistically understand how the app was using their information. The ICO decided to make its ruling public due to the significant public interest in the issues raised.

The defense

Ministers accepted that the privacy information could have been clearer, but the Scottish government said the NHS Scotland Covid Status app was an important tool in their response to COVID-19, and served as a vital public health role during the pandemic. They went on to stress that at all times people’s data was held securely and used appropriately.

“Together with NHS National Services Scotland, we will continue to work with the ICO to implement the improvements they have asked for, and ensure that lessons are learned for future work.”

Other Covid apps

Given the limited timeframe to come up with an acceptable solution and the sensitive data held, it was almost inevitable there would be flaws in some of the apps that were designed for this purpose. The NHS Scotland Covid app was not alone.

Numerous tracing applications have been developed or proposed, with official government support in some territories and jurisdictions. These tracing apps are designed to notify users if they have been in close contact with a COVID-19 victim. Privacy concerns have been raised, especially about systems that are based on tracking the geographical location of app users.

The Dutch CoronaMelder-app got shut down for days because there were privacy issues with the Google layer of the app that potentially leaked data to standard apps on the Android platform. Later it was criticized again because public health service employees of the GGD would be able to link app data to a specific patient.

The Singapore TraceTogether-app, also a tracing app, was summoned to update its privacy conditions to reflect the fact that location data from the app could be used in criminal investigations.

In France, a researcher found that the contact tracer app collects more data than originally understood. His findings show that all cross-contacts are sent to the central server, contrary to the government guidance which states that only the app users who had been in contact for 15 minutes, closer than one meter away from a person who tested positive for COVID-19 would be stored, meaning that the app processes more data than necessary or specified, and is not compliant with the data minimization principle. The French Government has not denied the comments.

Stay safe, everyone!

The post Covid app’s privacy information ruled not clear enough appeared first on Malwarebytes Labs.

A week in security (February 21 – February 27)

Last week on Malwarebytes Labs:

Stay safe!

The post A week in security (February 21 – February 27) appeared first on Malwarebytes Labs.

Google and Microsoft accused of feeding smaller search engines spam ads

Google and Microsoft appear to have been flooding their smaller search engine rivals with spam ads, to limit the number of higher-value ads that appear on them, according to data viewed by POLITICO.

Ads are considered “spam” if they appear in search results but have little to no relevance to the search terms a user has entered, and may direct users to less reputable sources. Such ads generate little value to search engines overall.

Pushing spammy ads to their smaller partners tilts the scales in favour of the bigger search engines in two ways. Firstly, it limits how much money smaller search engines can make, and gives Google and Microsoft a greater share of the more profitable ads. Secondly, users of alternative search engines like DuckDuckGo may be turned off by the poor ad choices when they search. This could encourage them to use Google and Bing instead, if they think those sites offer better and more reliable ads.

POLITICO reports that the findings come from data compiled by adtech researchers who wish to remain anonymous for fear of damaging their relationship with either Google or Bing.

Smaller search engines rely on the results of Google and Microsoft—so-called “gatekeeper search engines”—as they have the lion’s share of the search market. Google, of course, has by far the biggest share, with 90 percent, and up to 600 billion websites indexed. On the other hand, Bing has a 7 percent share but indexes more or less 150 billion web pages. POLITICO explains that these alternative search engines often have agreements with Google or Microsoft. This means that these two companies also supply the ads that appear on top of search result pages.

Readers may be surprised to discover that the privacy-focussed search engine DuckDuckGo uses Microsoft for its ads. According to DuckDuckGo “…your searches cannot be tied back to you”, however, that protection stops when you click on an ad: “When you leave our site, you are subject to other sites’ policies, including their data collection practices. For ads from Microsoft, you also pass through Microsoft Advertising’s platform.”

In its article, POLITCO compares the ads shown by DuckDuckGo and Bing for the search term “depression”, with DuckDuckGo showing obviously lower-quality ads. Search ads are subject to all kinds of factors so we thought we’d try it ourselves. We saw the same result.

DuckDuckGo ads for "depression"
Microsoft ads for the search “depression” on DuckDuckGo
Bing ads for "depression"
Microsoft ads for the search “depression” on DuckDuckGo

According to Marc-André Rousseau, a lawyer at the German law firm Schalast, the findings are in parallel with the Google Shopping saga as Google, once again, has conducted self-preferencing practices.

A spokesperson from Google told POLITICO that all ads signed up to search engine partners can appear on both Google’s and partner’s search results; however, the company “has certain algorithms in place that put controls on the types of ads shown.”

On the other hand, alternative search engines have reacted differently to the findings. DuckDuckGo said that it’s “constantly working to improve the quality of its results.” Qwant, a search engine that relies on Microsoft’s indexes, has started to study the advertising area in more detail in recent months. Startpage, a privacy search engine like Qwant, admits to using Google Ad Network for its ads but argues that the low-quality ads result from less user tracking. POLITICO, however, dispels this as the same ads appear on new machines that never used Bing or Google when they conducted their experiment.

The post Google and Microsoft accused of feeding smaller search engines spam ads appeared first on Malwarebytes Labs.

CISA warns of cyberespionage by Iranian APT “MuddyWater”

Cybersecurity agencies in the US and UK have issued a joint cybersecurity advisory (CSA) on MuddyWater, a government-sponsored Iranian advanced persistent threat (APT) actor. The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the US Cyber Command Cyber National Mission Force (CNMF), and the National Security Agency (NSA), together with the UK’s National Cyber Security Centre (NCSC), have detailed operations by this APT against a range of governments and private organizations around the world.

MuddyWater, also known as Earth Vetala, MERCURY, Seedworm, Static Kitten, and TEMP.Zargos, has its eyes set on the telecommunications, defense, local government, and oil and natural gas sectors—among others—in Africa, Asia, Europe, and North America.

“MuddyWater is a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS),” the advisory briefs its readers. “This APT group has conducted broad cyber campaigns in support of MOIS objectives since approximately 2018. MuddyWater actors are positioned both to provide stolen data and accesses to the Iranian government and to share these with other malicious cyber actors.”

“MuddyWater actors are known to exploit publicly reported vulnerabilities and use open-source tools and strategies to gain access to sensitive data on victims’ systems and deploy ransomware. These actors also maintain persistence on victim networks via tactics such as side-loading dynamic link libraries (DLLs)—to trick legitimate programs into running malware—and obfuscating PowerShell scripts to hide command and control (C2) functions.”

The full advisory can be read in this CISA web page. It can also be downloaded as a PDF file.

The advisory lastly reminds readers to take mitigating steps to protect themselves from malicious MuddyWater campaigns. Ensure that software is patched, prioritizing applications and operating systems with known, exploitable vulnerabilities. Back it up with an effective antivirus solution, EDR and SIEM. Use multifactor authentication (MFA) wherever you can. Limit access to resources according to the principle of least privilege.

Lastly, ensure that emplyees are trained to be alert for suspicious emails or social media posts—they could be the start of a phishing attack.

The post CISA warns of cyberespionage by Iranian APT “MuddyWater” appeared first on Malwarebytes Labs.

Cyber lures and threats in the context of the war in Ukraine

The conflict between Ukraine and Russia goes a long way back, but it took a dramatic turn after the 2014 Ukrainian revolution. Since then, the war in the Donbas region has resulted in a number of casualties as well as a constant feeling of insecurity among the population.

In recent months, Russia increased its pressure on Ukraine by placing more and more troops along its Eastern border. At the same time, a number of destructive cyber attacks against government websites and other organizations took place.

On February 24, Russia invaded Ukraine and started a full military conflict across that nation. While the kinetic war is by far the most pressing issue, cyber threats against Ukraine and Western countries are increasing as well.

In this blog, we will review some of the threats that have primarily targeted Ukraine but could also spill over globally.

Constant APT attacks

The Russian APT group Gamaredon has been actively targeting Ukraine for a number of years. However in recent months the interest has reached a new level and this was observed in campaigns using a number of lures. We caught one such sample recently that displays a decoy PDF of 40 pages supposedly detailing Russian military training:

Наставление по физической подготовке в Вооруженных Силах Российской Федерации разработано для командиров (начальников) всех степеней, специалистов физической подготовки, содержит указания и требования по вопросам физической подготовки личного состава. 

The Manual on Physical Training in the Armed Forces of the Russian Federation is designed for commanders (chiefs) of all degrees, specialists in physical training, contains instructions and requirements for physical training of personnel.

The malicious archive not only contains a decoy, but also a VNC server that allows the attacker to gain access to the victim’s computer. The command and control server (licensecheckout[.]com) is hosted on 45.139.186[.]190 (Russia).

Destructive malware

In January, a new destructive malware dubbed WhisperGate was unleashed against Ukrainian targets. It was followed in February by HermeticWiper, a piece of malware that is meant to render a machine unusable by corrupting the MBR partition.

Our Threat Intelligence team is currently analyzing this threat and will publish a technical report.

Retaliation threats

The infamous Conti ransomware group announced on February 25 that it will retaliate against any cyber (or physical) attack against Russia.

The Conti Team is officially announcing a full support of Russian government. If anybody will decide to organize a cyberattack or any war activities against Russia, we are going to use our all possible resources to strike back at the critical infrastructures of an enemy.

This was followed by another clarification:

conti

If there ever was any doubt that some of the world’s most damaging ransomware groups were aligned with the Kremlin, this sort of allegiance will put an end to it.

Since several countries have announced severe economic sanctions against Russia, we should expect retaliation via cyber means. Russia will perceive those sanctions as a direct attack against its economy, and they know how to respond in kind, not with sanctions but with cyber intrusions on critical infrastructure.

Uncertain times

Organizations have already faced the global ransomware threat for a number of years, and in many ways the same security recommendations continue to apply. What might be different is the intensity of attacks as well as the sheer determination from the adversary. For this reason, we would recommend following best practices outlined by CISA and your country’s CERT.

More than ever, individuals and organizations should be extremely vigilant to phishing attempts and preemptively hunt for possible threats within their environment. Remember to not only deploy but also properly configure your endpoint detection and response (EDR) solution.

At Malwarebytes, we are tracking those cyber threats and ensuring that our customers continue to be protected. According to AV-Comparatives, Malwarebytes Consumer and Enterprise versions were able to protect the system effectively against multiple variants of the Hermetic Wiper malware.

The post Cyber lures and threats in the context of the war in Ukraine appeared first on Malwarebytes Labs.

Potential cybersecurity impacts of Russia’s invasion of Ukraine

On Thursday night, Russia launched a military invasion of its neighbor and former Soviet Union member Ukraine, drawing a broad rebuke from international leaders, along with significant protest from the Russian public.

The toll of human life from this war is unknown, and, like the many international acts of aggression that have preceded it, future figures and statistics will not, alone, make sense of it. The threats and dangers posed by this conflict will be borne by the combatants and the people of Ukraine, and they are in our thoughts. Our collective priority must be people’s physical safety, but Russia’s assault could also produce a range of cybersecurity-related risks that organizations and people will need to protect themselves against, starting today.

Here are some of the ways in which Russia’s invasion of Ukraine may impact cybersecurity, and what organizations can do to stay safe in a continually evolving crisis.

The risk of increased stakes

In tandem with the physical strikes against Ukraine, a piece of wiper malware first detected by researchers at Symantec and ESET had already begun targeting organizations in Ukraine. Analyzed by SentinelOne, this wiper malware has been given the name HermeticWiper and it differentiates itself from typical malware in one, important way: Those responsible for it aren’t looking for any payment—they just want to do damage.

(AV-Comparatives quickly tested several known anti-malware and antivirus products against HermeticWiper and its variants and found that Malwarebytes, among others, detected the malware.)

Current analyses of HermeticWiper reveal that the malware is being delivered in highly-targeted attacks in Ukraine, Latvia, and Lithuania. Its operators seem to leverage vulnerabilities in external-facing servers while utilizing compromised account credentials to gain access and spread the malware further.

These tactics are nothing new, and familiar cybersecurity best practices around privileged access hold true. But here, the stakes have changed. Even in the worst-case-scenario of any ransomware attack, there’s at least a promise (which could admittedly be false) of a decryption key that can be purchased for a price. With a wiper malware, there is no such opportunity.

As described by Brian Krebs on his blog:

“Having your organization’s computers and servers locked by ransomware may seem like a day at the park compared to getting hit with ‘wiper’ malware that simply overwrites or corrupts data on infected systems.”

The risk of collateral damage

Russia’s proclivity for cyber warfare is well recorded. In the past, the country has been credibly blamed or proven responsible for several cyberattacks against Ukraine and its surrounding neighbors, including DDoS attacks in Estonia in 2007, Georgia in 2008, and Kyrgyzstan in 2009. Russia is also believed to have been responsible for an email spam campaign against Georgia in 2008, and also for the delivery of the “Snake” malware against Ukraine’s government in 2014. And in 2015 and 2017, when Ukraine’s power grid suffered two separate shutdowns because of the malware variants BlackEnergy and Industroyer/CrashOverride, much of the evidence reportedly pointed back to Russia.

Though these attacks, like the current attacks involving HermeticWiper, were highly targeted, the idea of “tidy” cyber warfare is a farce.

In June 2017, Russia—as concluded by the CIA just months later—unleashed a cyberattack on Ukraine that spilled out into the world. The cyberattack involved a piece of malware reportedly developed by Russia’s military intelligence agency the GRU, called NotPetya. Though it presented itself as a common piece of ransomware, it actually worked more like a wiper, destroying the data of its victims, which included banks, energy firms, and government officials.

But the attack, which was reportedly carried out to harm Ukraine’s financial system, spread out, hitting networks in Denmark, India, and the United States.

It was at the time the most devastating cyberattack in history, costing the shipping company Maersk a reported $300 million, and the pharmaceutical giant Merck a reported $870 million.

Though it’s impossible to predict what type of collateral damage could occur, the US Cybersecurity and Infrastructure Security Agency has released a cybersecurity guide for all organizations in the US to follow during this turbulent time. You can read that guide, called Shields Up, here.

The risk of escalation

As Ukraine defends itself against Russian forces, world leaders are faced with a difficult decision. Should they deliver support to Ukraine in any material way, Russia may then retaliate against them with its own cyber-attacks, and these attacks are unlikely to be borne by world leaders. Instead, the “crossfire” between national cyber-fronts will likely inflict harm on everyday individuals and businesses.

Already, this decision has produced a wrinkle, as world leaders are not just defending themselves against Russia’s cyber-offensive regimes, but also against known ransomware gangs that have quickly sworn allegiance to Russia’s cause.

On February 25, the Conti ransomware group announced that it would retaliate against any known physical or cyberattacks against Russia. As we wrote on Malwarebytes Labs:

“Any doubt that some of the world’s most damaging ransomware groups were aligned with the Kremlin, this sort of allegiance will put an end to it.”

Despite a clarification about an hour later, which attempted to reframe the group’s “full support of Russian government” into “we do not ally with any government”, there can be no doubt about the threat the group poses.

Unfortunately, the risk of escalation seems likely, as countries ramp up economic sanctions against Russia, and as the US is walking a delicate balance about its own cyber initiatives. On February 24, multiple White House officials denied, as NBC News had earlier reported, that the Biden Administration was considering multiple “options” of cyber engagement “on a scale never before contemplated.”

According to White House Press Secretary Jen Psaki, who wrote on Twitter, NBC’s “report on cyber options being presented to @POTUS is off base and does not reflect what is actually being discussed in any shape or form.”

These denials, however, preceded a more recent statement made by President Joe Biden this week, in which he said that “If Russia pursues cyberattacks against our companies, our critical infrastructure, we’re prepared to respond. For months, we’ve been working closely with the private sector to harden our cyber defenses [and] sharpen our response to Russian cyberattacks.”

The risk of misinformation

Already, countless videos have begun circulating online that either make unproven claims or make claims that have specifically been debunked. Earlier today, a video that purports to show a Ukrainian fighter pilot shooting down Russian air forces in the sky was proven to be fake—a product of a simulation game called Digital Combat Simulator.

Though that video was developed as an “homage” to the so-called “Ghost of Kyiv,” social media companies have been combatting a Kremlin-backed disinformation campaign taking place on Twitter, Facebook, YouTube, and TikTok.

According to recent reporting from Politico:

“Russia-backed media reports falsely claiming that the Ukrainian government is conducting genocide of civilians ran unchecked and unchallenged on Twitter and on Facebook. Videos from the Russian government — including speeches from Vladimir Putin — on YouTube received dollars from Western advertisers. Unverified TikTok videos of alleged real-time battles were instead historical footage, including doctored conflict-zone images and sounds.”

Users should digest any viral videos and news with caution, particularly during this conflict, as the primary aggressor has a proven history with information warfare. It is also worth remembering that during wartime even reporting from reputable sources may be based on innaccurate, incomplete or out-of-date information.

The risk of scams

In 2020, as infections of COVID-19 dramatically increased to the point of officially creating a global pandemic, online scammers pounced, sending bogus emails asking for donations to fake charities and registering thousands of COVID-19-related domains to trick unwitting victims into swiping their money or their account credentials.

With Russia’s invasion of Ukraine, the same strategy will likely happen, as online scammers constantly seek the latest crisis to leverage for an attack.

When asked on Twitter for advice on which organizations to donate to in order to help Ukraine, the user @RegGBlinker said that, after she’d read through a list of such organizations, she found many that raised suspicions.

The same Twitter user has already compiled a thread that links to multiple other Twitter users who have personally offered their cybersecurity help to small-to-medium-sized businesses (SMBs) affected by the attacks in Ukraine.

At the same time, several companies and organizations have begun offering their own support. F-Secure, for example, is offering its VPN tool for free to anyone in Ukraine, and The Tor Project has released a support channel for Russian-speaking users who want help in setting up Tor.

The full thread on support can be found here.

For any other donation offers that users think might be a scam, trust the same rules that apply to phishing emails—are there any misspellings, grammar mistakes, unknown senders, or unknown charities involved in the request? Check yourself before handing over any money.

The risk of focusing too heavily on Ukraine

While Ukraine is in crisis, several online threat actors have continued their own assault campaigns.

On February 24, multiple outlets reported that a ransomware gang that the cybersecurity firm Mandiant tracks as “UNC2596” was exploiting vulnerabilities in Microsoft Exchange to deliver its preferred ransomware, colloquially dubbed “Cuba.” On the same day, the US Cybersecurity and Infrastructure Security Agency (CISA) announced that it had spotted “malicious cyber operations by Iranian government-sponsored advanced persistent threat (APT) actors known as MuddyWater.” Those attacks were targeting both government and private-sector organizations in Asia, Africa, Europe, and North America.

An international human crisis is in no way a cause for inaction from online threat actors. Organizations should follow the same guidance they have before in protecting themselves from the most common online threats.

As CISA Director Jen Easterly warned on Twitter:

“Even as we remain laser-focused on Russian malicious cyber activity, we cannot fail to see around the corners.”

The post Potential cybersecurity impacts of Russia’s invasion of Ukraine appeared first on Malwarebytes Labs.

How to update your drivers and when you need to

Many software vendors have a driver updater in their arsenal. But is it really that important to have the latest computer drivers? Where do you get them? And how do you go about updating?

Driver updates fix security and compatibility problems, errors, broken code, and sometimes even add features to the hardware. But we tend to forget about the need for the latest drivers as long as our systems are working fine, which is understandable as the procedure is not always clear and we all know the risk of making things worse.

How do I know if my drivers need updating?

Generally speaking, if your system is working properly and you don’t get prompted about an update, you will hardly ever feel the need to update your drivers. And as long as there are no security issues with the drivers you have, that is fine.

Device drivers are essential pieces of software that help different hardware components work smoothly on your system. These device drivers have often been installed by the system manufacturer. If your system has a hardware issue, it is likely to be a device driver problem. For devices that you connect to your system, for example a USB mouse, the Operating System (OS) can usually automatically check if there are (new) drivers available for those devices. For example, Windows Update can be set to look for updated drivers.

How do I update my drivers in Windows 10?

To quickly update device drivers using Windows Update, use these steps:

  1. Open Settings.
  2. Click on Update & Security
  3. Click on Windows Update
  4. Click the Check for updates button
  5. Click the View optional updates option
  6. Click the Driver updates tab
  7. Select the driver you want to update
  8. Click the Download and install button

Once you complete the steps, the newer driver will be downloaded and installed automatically on your device. Many device drivers will require a reboot to complete the installation.

Do Windows 10 and 11 install drivers automatically?

In Windows 10 and 11 you can choose whether to let Windows automatically download the driver software or do it yourself. Automatic updating is the default and the easiest method, whereby Windows will habitually check for driver updates and install them. So, unless you are using some niche devices, the built-in Windows Update service on your PC generally keeps most of your drivers up to date in the background.

Manually installing drivers on macOS

Many drivers on mac OS systems are installed simply by updating your Mac, but third-party devices often require an additional driver installation.

  1. Download the correct driver from the manufacturers site.
  2. Double click on the driver and extract it.
  3. Open the folder and run the .pkg install file.
  4. In some cases, a warning message will pop up. For a properly signed and notarized installer, this message will be shown only when the Allow apps downloaded from setting in System Preferences > Security & Privacy > General is set to App Store only. To solve this problem, please go to System Preferences, and Security & Privacy, then click Open anyway to identify the driver.
  5. After the driver is identified, it will be installed automatically. During the process, an authentication window will pop up to ask for username and password, which is the administration account of your Mac
  6. Then click Install Software to continue the process
  7. Next click Continue Installation and Restart if prompted to finish the installation process
  8. A driver on macOS is often implemented as either a kernel extension or a system extension, and either of those will require an extra step where you go to System Preferences > Security & Privacy > General, unlock the pane by clicking the lock in the lower left corner and entering your password, and click the Allow button

On recent versions of macOS, when the installer is not properly signed and notarized, the user won’t be able to open it at all. There are workarounds to be found, but we would advise you to shy away from them.

Device drivers on Linux

In Linux, when a device is connected to the system, a device file is created in the /dev directory. The hardware devices are treated like ordinary files, which makes it easier for the software to interact with the device drivers. Most of the available hardware drivers will already be on your computer, included along with the kernel, graphics server, and print server.

However, some manufacturers provide their own, closed-source, proprietary drivers. How you install proprietary drivers largely depends on your Linux distribution. On a few distributions installing drivers is relatively easy. On Ubuntu and Ubuntu-based distributions, there’s an Additional Drivers tool. Open the dash, search for Additional Drivers, and launch it. It will detect which proprietary drivers you can install for your hardware and allow you to install them. Linux Mint has a Driver Manager tool that works similarly.

Don’t get led astray

A number of download sites that will offer files pretending to be the drivers you need are hosting malware. They try to trick users into installing this malware on their system. Other sites combine the drivers you need in a bundle which, besides the driver, also install adware or a potentially unwanted program on your system.

And, unfortunately, a lot of the advertised driver updater software feels the need to exaggerate the scan results in order to get users to buy the software. Needless to say that paying for such software is a waste of your money. As is the case with a lot of potentially unwanted programs, they offer functionality that is already built into Windows.

The post How to update your drivers and when you need to appeared first on Malwarebytes Labs.

Yik Yak “cyberbullying”: What can be done?

In August 2021, Yik Yak, the once-popular anonymous social media platform on Android and iOS, made a comeback after shutting its doors in 2017. Six months after its return, it’s started to gain attention once more, as a result of cyberbullying—the main reason why it declined years ago.

However, this new Yik Yak has a new commitment: the new owners say they will make it “a fun place free of bullying, threats, and all sort of negativity.”

Background: Yik Yak’s success and downfall

Yik Yak was the brainchild of two Furman University graduates who decided to put their careers on hold—one was supposed to go to medical school; the other was already in finance—to give starting a business of their own a shot.

Aimed at college students, it didn’t take long for the Yik Yak app to take off after it began spreading from one campus to another and then on to high schools. What made it so popular among students was its anonymity and hyper-local context (Messages posted on Yik Yak can be viewed by people using the app within a five mile radius). Within a year of its official release in November 2013, Yik Yak secured $75M USD from investors. In 2017, it was valued at $400M USD.

But as quickly as popularity came, the social media platform also promptly nosedived. Many attributed its demise to the growing number of cyberbullying, harassment, and threat incidents within the app fueled by the very features the platform thrived on. Such incidents brought about a lot of complaints from parents and school administrators, which led to schools eventually banning the app from being accessed using school networks. Not only that, Yik Yak cut off its high-school users—its second largest group of users—from using the app while on campus.

In 2015, Yik Yak was caught automatically downvoting posts containing names of competing brands like Fade, Sneek, and Unseen, a tactic that Techcrunch noted was entirely against its mission of providing “organic, unfiltered feed of news.”

Amid all the challenges and a painful decline of 76% in its userbase, Yik Yak made changes to save its business. In January 2016, Yik Yak introduced a web version, but probably the most notable change happened in August 2016 when the company did away with anonymity entirely while keeping the hyperlocality of the app. However, the changes weren’t enough and by the end of 2016, the company had laid off 60 percent of its team. Then, in May 2017, the inevitable happened: Yik Yak founders said their goodbyes, and servers were shut down a month later.

Reactions to the Yak being back

Then, after nearly five years, Yik Yak made an unexpected comeback, with a $6.25M USD seed funding to boot.

In the comeback announcement, “Team Yik Yak” introduced themselves as the new owners, saying that they purchased back the rights to redevelop Yik Yak after it was sold to Square, Inc (now called Block, Inc).

“We’re bringing Yik Yak back because we believe the global community deserves a place to be authentic, a place to be equal, and a place to connect with people nearby. We’re committed to making Yik Yak a fun place free of bullying, threats, and all sort of negativity.”

Yik Yak appears to be staying true to the mission of the original platform, which is to make Yik Yak a place for people within five miles of each other to connect, free from labels and risk. The company re-affirmed its stance against bullying and hate speech, saying it has a “one strike and you’re out” rule if someone violates the Community Guardrails or Terms of Service.

But with anonymity still in place on the platform, people are still concerned.

“It is time to have that conversation with kids about online behavior and etiquette. Again,” wrote Director of Technology Josh Sumption for the Southwest West Central (SWWC) Service Cooperative, a Minnesota-based educational service agency, in an article entitled, “Yik Yak, Yuk.”

Sumption points out that, unlike its previous version, the current Yik Yak doesn’t have geofencing enabled, so anyone with a phone in school can use it, may they be college students or not. On top of that, he also revealed that Yik Yak’s downvote feature is being used to eliminate the positive statements school administrators and student champions post to overpower negative conversation in their area.

Some of those who were around when Yik Yak made it big have some public Twitter thoughts to share about its comeback, too:

Anonymity isn’t bad

Not everyone is against the anonymity that Yik Yak has to offer. In fact, some argue that being anonymous might encourage people to step in when they see something horrible happening.

“Bullying will unfortunately always happen online and offline, however, being able to remain anonymous helps motivate people to aide victims of harassment,” wrote Rey Junco, Harvard alum and currently a senior researcher at the Center for Information and Research on Civic Learning and Engagement (CIRCLE) at Tufts University, in a Wired article in 2015. “Unfortunately, it is very difficult for bystanders to remain anonymous in offline spaces; thereby making it less likely bystanders will intervene when they see someone being bullied.”

Junco also argued that an anonymous space gives students the ability to “take creative risks” and develop their identities. “For instance, a student who is exploring a gay identity often feels more comfortable exploring the coming out process anonymously in online spaces because of an increased feeling of safety.”

People have been abusing anonymity before the dawn of social media, and ending it is not the solution (Techdirt highlighted three reasons why in a post last year). Many, many studies have also shown that anonymity alone isn’t the reason for people behaving badly online. There are many cases on Twitter, for example, where users post harassing replies under their real names with real photos of their faces.

Going about with Yik Yak and anonymous apps

“Instead of being afraid of Yik Yak, campus professionals should embrace it as not only a way for young people to explore creativity and develop their identities, but also as a way for professionals to learn more about the campus environment through students’ eyes,” Junco advised in the same article. Great advice, if you ask me. It is wise for parents and carers to take heed as well.

Things may have been different seven years ago, but it stands to reason that the upsides of anonymity remain the same. That being said, everyone in the community and not just parents and school administrators could shape the conversation exchanged within their five mile radius.

There will always be negativity in online spaces we frequent, no doubt, but there are several ways it can be combatted. As we’ve already seen, talking to our kids about Yik Yak and anonymous apps, in general, is essential. Parents, carers, and school administrators can start by saying that one is never truly anonymous on Yik Yak. Posts are tied to accounts linked to phone numbers. And numbers can be traced, especially by law enforcement. That alone should make a student think twice about posting threats of bodily harm online. Take the case of a Louisiana State University (LSU) student who was arrested for terrorizing by falsely warning of a campus shooting, even though he used someone else’s phone to post on Yik Yak.

Regularly posting positive posts, offering genuine help to those who need it, showing support to someone who decided to be vulnerable and share their testimonies, and starting conversations with interesting topics could also shift the conversation away from the negative. Foster empathy within your herd and promote bystander intervention should they encounter incidents of cyberbullying, hate, or other nasty yaks aimed at one person or a group.

And if some Yik Yak users are actively downvoting such tone-changing posts, then report it.

Yik Yak could have been better then. Now it’s back, if you’re a Yik Yak user and stand behind what its for, the opportunity to make this platform the way it was designed to be is here now. Own it, Yak responsibly, and together with your herd, shape it into a space that benefits everyone.

The post Yik Yak “cyberbullying”: What can be done? appeared first on Malwarebytes Labs.