IT NEWS

Cybercriminals want your cloud services accounts, CISA warns

On January 13 the Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about several recent successful cyberattacks on various organizations’ cloud services.

What methods did the attackers use?

In the initial phase, the victims were targeted by phishing emails trying to capture the credentials of a cloud service account. Once the attackers had stolen a set of valid credentials, they logged into the compromised account and used it to send phishing emails to other accounts within the organization. Those phishing emails used links to what appeared to be existing files on the organization’s file hosting service.

In some cases, threat actors modified victims’ email rules. On one user’s account an existing rule was set up to forward mail to their personal account. The threat actors updated the rule to forward all email to their own accounts. In other cases, the attackers created new rules that forwarded mails containing certain keywords to their own accounts.

As an alternative to the phishing attempts, attackers also used brute force attacks on some accounts.

Perhaps most eye-catching of all though, in some cases multi-factor authentication (MFA) logins were defeated by re-using browser cookies. These attacks are called “pass-the-cookie” attacks and rely on the fact that web applications use cookies to authenticate logged-in users.

Once a user has passed an MFA procedure, a cookie is created and stored in a user’s browser. Browsers use the cookie to authenticate each subsequent request, to spare visitors from having to log in over and over again in the same session. If an attacker can capture an authentication cookie from a logged-in user they can bypass the login process completely, including MFA checks.

Who is behind these attacks on cloud services?

Even though the attacks that CISA noticed had some overlap in the tactics they used, it is unlikely that they were all done by the same group. While some were clear attempts at a business email compromise (BEC) attack, there could be other groups active that are after different targets.

Countermeasures

Educate users on cybersecurity in general and point out the extra risks that are involved in working from home (WFH). For these specific attacks, extra training to recognize phishing certainly wouldn’t hurt.

Use a VPN to access an organization’s resources, such as its file hosting service. The temptation to leave these resources openly accessible for remote employees is understandable, but dangerous.

Review email forwarding rules, or at least notify the original recipient of a message when a forwarding rule has been applied to it. If there are rules against forwarding mail outside of the environment (and maybe there should be), it should not be too hard to block such forwards.
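As an added example that is not part of the original post or the CISA report, the script below audits a mailbox-rule export for forwards that leave the organization, which covers both patterns described above: an existing "copy to my personal mailbox" rule repointed to forward everything, and new rules that forward only messages matching chosen keywords. The pipe-separated export format, the domain example.org and every address in the sample are constructed for illustration and do not correspond to any vendor's schema or to the incidents in the report.

```python
"""Audit mailbox forwarding rules for forwards that leave the organization.

Added example; not code from CISA or Malwarebytes. It reads a simple
pipe-separated rule export (a constructed format, not any vendor's schema):
    mailbox | rule name | forward-to address | keyword filters
and reports every rule whose target is outside the organization's domains.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed: the organization's own mail domains. Anything else is external.
INTERNAL_DOMAINS = {"example.org"}


@dataclass
class ForwardingRule:
    mailbox: str
    name: str
    target: str                                          # address the rule forwards to
    keywords: List[str] = field(default_factory=list)    # empty = forward all mail


def mail_domain(address: str) -> str:
    """Domain part of an address, lower-cased so comparisons are case-insensitive."""
    return address.rsplit("@", 1)[-1].strip().lower()


def is_external(address: str) -> bool:
    return mail_domain(address) not in INTERNAL_DOMAINS


def parse_rule_line(line: str) -> ForwardingRule:
    mailbox, name, target, keywords = [part.strip() for part in line.split("|")]
    return ForwardingRule(mailbox, name, target,
                          [k.strip() for k in keywords.split(",") if k.strip()])


def audit_rules(lines) -> List[Dict[str, str]]:
    """Return one finding per rule that forwards outside INTERNAL_DOMAINS."""
    findings = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        rule = parse_rule_line(line)
        if not is_external(rule.target):
            continue  # internal forwards are normal mailbox housekeeping
        if rule.keywords:
            # Keyword-filtered external forwards are the BEC pattern: only mail
            # about invoices, payments and the like leaves, which keeps the rule quiet.
            reason = "external forward filtered on keywords: " + ", ".join(rule.keywords)
        else:
            reason = "external forward of ALL mail"
        findings.append({"mailbox": rule.mailbox, "rule": rule.name,
                         "target": rule.target, "reason": reason})
    return findings


# Constructed sample export. The second rule mirrors the case in the CISA
# report: a personal-mailbox forward that now sends everything out.
SAMPLE_EXPORT = """\
# mailbox | rule name | forward-to | keywords
alice@example.org | Copy to archive | archive@example.org |
alice@example.org | Personal copy   | alice.home@mailbox.example |
bob@example.org   | Finance         | drop@mailbox.example | invoice, payment, wire
carol@example.org | Legal hold      | legal@example.org | contract
"""

if __name__ == "__main__":
    for f in audit_rules(SAMPLE_EXPORT.splitlines()):
        print(f"{f['mailbox']}: rule '{f['rule']}' -> {f['target']} ({f['reason']})")
```

Run against the sample, the two internal forwards are ignored and the two external ones are reported with a reason, so the keyword-filtered rule, the quieter of the two, is not lost among ordinary "copy to my archive" rules.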

Use MFA to access all sensitive resources. (It’s important to note that although the CISA report mentions a successful attack where MFA was bypassed, it also mentions unsuccessful attacks that were defeated by MFA.)

Ensure resources are only accessible to people authorized to use them, and enable logging so you can review who has used their access.

Set the lifespan of authentication cookies to a sensible time. Find a balance between keeping sessions short enough that a stale cookie is of little use to an attacker and long enough that legitimate users are not annoyed by repeated logins.

Verify that all cloud-based virtual machine instances with a public IP do not have open Remote Desktop Protocol (RDP) ports. Place any system with an open RDP port behind a firewall and require users to use a VPN to access it through the firewall.

IOCs

The CISA report also links to a downloadable copy of the IOCs for those who are interested.

The post Cybercriminals want your cloud services accounts, CISA warns appeared first on Malwarebytes Labs.

Microsoft issues 83 patches, one for actively exploited vulnerability

Every second Tuesday of the month it’s ‘Patch Tuesday’. On Patch Tuesday Microsoft habitually issues a lot of patches for bugs and vulnerabilities in its software.

It’s always important to patch, but the update that was released on January 12 is one to pay attention to. That’s because it contains a patch for a vulnerability in Windows Defender that is already being exploited in the wild.

The vulnerability in Windows Defender

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) list—a dictionary that provides definitions for publicly disclosed cybersecurity vulnerabilities and exposures. The goal of CVE is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).

The vulnerability in Windows Defender was registered as CVE-2021-1647—a Remote Code Execution (RCE) vulnerability—and was found in the Malware Protection Engine component (mpengine.dll). According to Microsoft:

“While this issue is labeled as an elevation of privilege, it can also be exploited to disclose information. The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory.”

I don’t see an update for this vulnerability

If you are missing this fix in your list, it’s possible that this bug has already been patched by Microsoft on end-user systems, as the company continuously updates Defender outside of the normal monthly patch cycle. But you may want to check whether you are using a patched version.

What version of Windows Defender am I using?

The first patched version is 1.1.17700.4. If you want to make sure that you have a patched version of Windows Defender, here is how you can check this on a Windows 10 computer:

  • From the Windows Start Menu, search for Windows Security and click on the result that has the App text and the “white on blue” shield.
  • When Windows Security opens, click on the gear box icon with the Settings text at the bottom left of the Window.
  • When the Settings screen opens, click on the About link.
  • The Windows Security About page will now be open and will show the Antimalware Client Version (Microsoft Defender version), the Engine version (Scanning Engine), the Antivirus version (Virus definitions), and the Antispyware version (Spyware definitions).
  • The engine version is the one that matters here. It needs to be at 1.1.17700.4 or newer.
Finding the Windows Defender version
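The About-page check above can also be scripted. The example below is added here and is not Malwarebytes' or Microsoft's code: it parses the four version lines as they appear on the About page (the sample text and its version numbers are constructed) and compares the engine version numerically against 1.1.17700.4, because comparing version strings as text gets the answer wrong.

```python
"""Check whether a Microsoft Defender engine version is at or past the first
patched build (1.1.17700.4) named in the post. Added example, not from
Malwarebytes or Microsoft. The About-page text below is constructed to mirror
the four lines the Windows Security app shows."""
import re

FIRST_PATCHED_ENGINE = "1.1.17700.4"  # from the post

# Constructed sample of the Windows Security > About page, copied as text.
ABOUT_PAGE_TEXT = """\
Antimalware Client Version: 4.18.2011.6
Engine version: 1.1.17700.4
Antivirus version: 1.329.1260.0
Antispyware version: 1.329.1260.0
"""

VERSION_LINE = re.compile(
    r"^(Antimalware Client Version|Engine version|Antivirus version|Antispyware version)"
    r":?\s*([0-9]+(?:\.[0-9]+)+)\s*$",
    re.MULTILINE,
)


def parse_version(text):
    """Turn '1.1.17700.4' into (1, 1, 17700, 4) so comparisons are numeric.
    Comparing the raw strings is wrong: '1.1.9000.1' > '1.1.17700.4' as text."""
    return tuple(int(part) for part in text.strip().split("."))


def extract_versions(about_text):
    """Map each About-page label to its version string."""
    return {m.group(1): m.group(2) for m in VERSION_LINE.finditer(about_text)}


def engine_is_patched(engine_version, minimum=FIRST_PATCHED_ENGINE):
    return parse_version(engine_version) >= parse_version(minimum)


def check_about_page(about_text):
    """Return a verdict for an About page pasted as text."""
    versions = extract_versions(about_text)
    engine = versions.get("Engine version")
    if engine is None:
        return {"engine": None, "patched": False, "reason": "engine version not found"}
    ok = engine_is_patched(engine)
    reason = "ok" if ok else f"engine {engine} is older than {FIRST_PATCHED_ENGINE}"
    return {"engine": engine, "patched": ok, "reason": reason}


if __name__ == "__main__":
    print(check_about_page(ABOUT_PAGE_TEXT))
```

Only the engine version is compared, because that is the component the post identifies; the client and signature versions are parsed alongside it so the same function can be reused for other Defender advisories.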

The rest of the Microsoft updates

The total package contained over 80 patches. Ten of them were classified as critical, which means that they could possibly be used in the future by cybercriminals to attack unpatched systems. And even the ones that are not rated as critical could put you at risk at some point. It’s always important to apply all the patches as soon as you possibly can, especially when it concerns your operating system. So, please do go install these patches as soon as possible.

Stay safe, everyone!

The post Microsoft issues 83 patches, one for actively exploited vulnerability appeared first on Malwarebytes Labs.

Ubiquiti breach, and other IoT security problems

Networking equipment manufacturer Ubiquiti sent out an email to warn users about a possible data breach. The email stated there had been unauthorized access to its IT systems that are hosted with a third-party cloud provider.

Ubiquiti Networks sells networking devices and IoT devices. It did not specify which products were affected but pointed at UI.com, which is its customer web portal. The servers in this domain store user profile information for account.ui.com, the web portal that Ubiquiti makes available to customers who bought one of its products. From there, users can manage devices from a remote location and access a help and support portal.

According to Ubiquiti, the intruder accessed servers that stored data on UI.com users, such as names, email addresses, and salted and hashed passwords, although the company says there’s no evidence of the attacker accessing the specific databases that contained user information.

Ubiquiti advised users to change their password and enable 2FA for their Ubiquiti account. The manufacturer also warned customers who stored their physical address and phone number in their account that these may also have been accessed.

What happened exactly?

Unfortunately, there is very little other information about this breach. How many Ubiquiti users are impacted and how the data breach occurred is unknown at this time.

Ubiquiti’s breach notification email (image courtesy of a Ubiquiti customer)

Ubiquiti’s advice

The advice provided by Ubiquiti as shown in a copy of the email is sensible:

  • Change the password.
  • Enable 2FA.
  • Don’t forget to change passwords on sites where you have used the same credentials.

Other IoT shenanigans

In other IoT news this week, a security flaw in a chastity belt for men made it possible for hackers to remotely lock all the devices in use simultaneously. The internet-linked sheath has no manual override, so owners might have been faced with the fear of having to use a grinder or bolt cutter to free themselves from its metal clamp. Luckily a workaround was provided by the Chinese developer.

Also, a group of Dutch safety experts has demonstrated that a traffic light system for bikes, connected to a smartphone app, can be hacked, potentially causing an accident. The smart system, part of which is still in the testing phase, has currently only been installed by ten local councils, but future plans include regulating traffic at some 1,200 crossroads via the internet to improve traffic flow.

IoT insecurity

These are all examples of IoT insecurity that reached us this week alone, and clearly there is still a lot of work to be done to improve IoT security in general.

The examples show that there are a lot of angles that attackers can look at when they want to breach devices or interfere with their operations. The Ubiquiti attack was carried out through the online customer portal. The chastity belts were operated by compromising the server that provided remote control. The Dutch white hats were able to send false information to the traffic lights by reverse engineering and altering the signal sent by the app.

Advice for IoT users

Firstly, users should ask themselves if they need the device they are buying to be an IoT device. Is the remote functionality a mere “gadget” or is it something you expect to use regularly?

Secondly, look at the manufacturer’s track record when it comes to data privacy and the nature of the data you are providing them with. If it looks dodgy, it may well be.

Stay safe, everyone!

The post Ubiquiti breach, and other IoT security problems appeared first on Malwarebytes Labs.

A week in security (January 4 – January 10)

Last week on Malwarebytes Labs, we released survey results about VPN usage and found that 36 percent of our respondents use it. We also talked about Adobe Flash Player reaching its end of life—meaning, Adobe won’t be supporting the updating and patching of its Flash Player software; covered the ransomware attack against Funke Media Group, one of Germany’s largest publishers; and reported on a new Bitcoin sextortion scam making the rounds since the eve of 2021. Lastly, we profiled the latest campaign of APT37, a North Korean threat actor, wherein they used a self-decoding VBA Office file to inject RokRat, a cloud-based RAT, into Notepad.

Other cybersecurity news:

Stay safe, everyone!

The post A week in security (January 4 – January 10) appeared first on Malwarebytes Labs.

Funke Media Group suffers nationwide ransomware attack in Germany

On December 22, Germany’s third largest publisher fell victim to a cyberattack that affected systems in offices all around the country. The Funke Media Group publishes dozens of newspapers, like Berliner Morgenpost, Hamburger Abendblatt, and Bergedorfer Zeitung, as well as magazines, several local radio stations, and online news portals. It reaches over 3 million readers on a daily basis.

The impact of the ransomware attack

The attack hindered work at the newspaper editorial offices and halted some of its major printing houses. As a result, subscribers received only emergency issues of a few pages. Because of this impact on the printed editions of the newspapers, the publishing house has decided to temporarily remove the paywall that is normally active on its news site, so everyone has full access to all of its articles. Unlike the newspapers, publication of the magazines that belong to the Funke Media Group is not expected to be delayed.

The press release by Funke states that several of its main systems in offices around Germany had been encrypted. This would indicate a ransomware attack. In a later press release, Funke stated that over 6000 laptops and thousands of other systems (endpoints and servers) were affected, and that its IT staff worked with the help of cybersecurity professionals throughout the holidays to get as many systems as possible up and running again. The attack is under investigation by police.

Getting the damage undone

The IT specialists have organized wipe and rebuild lines in the style of a digital car wash. These are functional in three of the publisher’s main locations where all the laptops are checked, cleaned, re-installed, and then returned to users. On January 4, some 1200 endpoints had undergone this procedure.

As we’ve pointed out many times before, the damage that’s done by ransomware is far greater than the amount of the ransom. It takes huge efforts to get a large-scale operation up and running again, especially in this case where the victim is a widespread and highly computerized organization like a major publisher.

Leaked data

A lot of the major current ransomware families threaten to publish breached data in order to put more pressure on the victim to pay the ransom. With over three million subscribers, and maybe even some interesting information unearthed by journalists, the obtained information could be very costly.

Since it’s unknown which type of ransomware was used in this attack, it is not yet possible to tell whether any data were exfiltrated during the attack, and whether any such data will be published if the Funke Media Group refuses to pay the ransom. Of course, we will keep you posted about any developments.

Stay safe, everyone!

The post Funke Media Group suffers nationwide ransomware attack in Germany appeared first on Malwarebytes Labs.

“I have full control of your device”: Sextortion scam rears its ugly head in time for 2021

Malwarebytes recently received a report about a fresh spate of Bitcoin sextortion scam campaigns doing the rounds.

Bitcoin sextortion scams tend to email you to say they’ve videoed you on your webcam performing sexual acts in private, and ask you to pay them an amount in Bitcoin to keep the video (which doesn’t exist) private. This type of blackmail has become quite popular since the middle of 2018.

Sextortion scammers frequently use spoofed or made up email addresses to contact their targets. Previous campaigns have targeted those with compromised account passwords scraped from third-party breaches, minors, and other vulnerable groups. In this case, our experts believe that these emails have been targeting .org email addresses, and senior leadership almost exclusively.

2021 sextortion scam

From: {spoofed sender name}

Subject: I have full control of your device

Message body:

Hi

Did you notice that I sent you an email from your address? Yes, that means I have full control of your device. I am aware you watch adults [sic] content with underage teens frequently. My spyware recorded a video of you masturbating. I also got access to your address book. I am happy to share these interesting videos with your address list and social media contacts. To prevent this from happening, you need to send me 1000 (USD) in bitcoins.

Bitcoin wallet part 1: 1C1FfgyNsJGJZfuR2ePXxTraa

Bitcoin wallet part 2: CqE6WLWSM

Combine part 1 and part 2 with no space between them to get the full bitcoin wallet.

Quick tip! You can procure bitcoins from Paxful. Use Google to find it. Once I receive the compensation (Yes, consider it a compensation), I will immediately delete the videos, and you will never hear from me again. You have three days to send the amount. I will receive a notification once this email is opened, and the countdown will begin.

What we may perceive as a dime-a-dozen, cookie-cutter blackmail email may be something new to someone, especially those who aren’t aware of such a charade. Make no mistake: email scams that contain little to no real threat towards recipients have worked repeatedly like a charm.

This is why it’s important to keep up with what’s happening in cybersecurity, how online threats affect aspects of our lives, and how we can better protect ourselves, our data, and the people around us from those who scare, threaten, and bluff their way into our wallets. Treat all emails like this with a healthy amount of skepticism and you should be able to really see the email as it truly is: a fake.

Malwarebytes has extensively written about Bitcoin sextortion scams through the years. And what we advised then is still relevant to these new sextortion scams.

Change your passwords—or, better yet, consider using a password manager to help you create and store more complicated passwords for you.

Always use multi-factor authentication (MFA) to add an extra step of security. Most companies with an online presence have this, so make full use of it.

Do not pay the scammer.

If you received a sextortion email at work, let your IT department know. If you’re in the United States, feel free to report this to the FBI’s IC3.

Our Director of Mac and Mobile, Thomas Reed, had drafted a post aimed at Mac users who have received such scammy emails but need guidance on what these are and what they need to do.

Stay safe, as always, and remain vigilant.


Bitcoin addresses related to this scam (as of this writing):

  • 1Nd3JST1daeyzmPovkRoemjysA6JfXjVRg
  • 17qBCU7Y5yrS9eimxvydRYw3XNF9meuSCY
  • 1C1FfgyNsJGJZfuR2ePXxTraaCqE6WLWSM

The post “I have full control of your device”: Sextortion scam rears its ugly head in time for 2021 appeared first on Malwarebytes Labs.

Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat

This post was authored by Hossein Jazi

On December 7, 2020, we identified a malicious document uploaded to VirusTotal that purported to be a meeting request, likely used to target the government of South Korea. The meeting date mentioned in the document was 23 Jan 2020, which aligns with the document compilation time of 27 Jan 2020, indicating that this attack took place almost a year ago.

The file contains an embedded macro that uses a VBA self-decoding technique to decode itself within the memory space of Microsoft Office without writing to disk. It then injects a variant of RokRat into Notepad.

Based on the injected payload, we believe that this sample is associated with APT37. This North Korean group is also known as ScarCruft, Reaper and Group123 and has been active since at least 2012, primarily targeting victims in South Korea.

In the past, this APT has relied on Hangul Office documents (hwp files) to target victims, as it’s software that’s commonly used in South Korea. However, in this blog we describe an interesting alternative method, delivered via self-decoding VBA Office files. To the best of our knowledge, this is a first for this APT group.

Document analysis

The actor used the VBA self-decoding concept, first introduced in 2016, in its macro: a malicious macro is encoded within another macro, which decodes and executes it dynamically.

Figure 1: Malicious document

We can consider this technique an unpacker stub, which is executed upon opening the document. This unpacker stub unpacks the malicious macro and writes it into the memory of Microsoft Office without being written to disk. This can easily bypass several security mechanisms.

Figure 2: Self-decoding technique

Figure 3 shows the macro used by this document. This macro starts by calling the “ljojijbjs” function, and based on the results will take different paths for execution.

Figure 3: Encoded macro

Microsoft disables dynamic macro execution by default, so when an attacker needs to execute a macro dynamically, which is the case here, the threat actor has to bypass the VB object model (VBOM) protection by modifying its registry value.

To decide whether the VBOM needs to be bypassed, the macro checks whether the VBOM can be accessed. The “ljojijbjs” function is used for this purpose and tests read access to VBProject.VBComponent. If this triggers an exception, the VBOM needs to be bypassed (If clause). If there is no exception, the VBOM is already accessible and the macro can extract its embedded macro dynamically (Else clause).

Figure 4: Check VB object model accessibility

“fngjksnhokdnfd” is called with one parameter to bypass VBOM. This function sets the VBOM registry key to one.

Figure 5: Modifying VBOM registry key

After bypassing the VBOM, it calls another function which creates a mutex on the victim’s machine via the CreateMutexA API and names it “mutexname”. This could be used by the actor to make sure it infects a victim only once, but in this document we didn’t observe any evidence of the mutex being checked.

Figure 6: Mutex creation

Finally, in order to perform the self-decoding process, it needs to open itself: it creates a new Application object and loads the current document into it in invisible mode.

Figure 7: Self open

If the VBOM is already bypassed, the function Init is called and generates the malicious macro content in obfuscated form.

Figure 8: Obfuscated macro

In the next step, this obfuscated macro is passed to “eviwbejfkaksd” to be de-obfuscated and then executed into memory.

Figure 9: De-obfuscator

To de-obfuscate the macro, two string arrays have been defined:

  • StringOriginal which contains an array of characters before de-obfuscation
  • StringEncoded which contains an array of characters after de-obfuscation

A loop has been defined to de-obfuscate the macro. For each iteration it takes a character from the obfuscated macro and looks for its index in StringEncoded. When it finds the index, it takes the character at the same index in StringOriginal and appends it to the new macro. As an example, the encoded string “gm* bf” will be decoded to “Option”.

Figure 10: De-obfuscation loop
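The de-obfuscation loop can be reproduced in a few lines of Python, which is handy when retrohunting for further samples that use the same scheme. The decoder below is an added example, not the macro’s own VBA: its two alphabets are constructed, not recovered from the sample, and are chosen only so that “gm* bf” decodes to “Option” as in the example above. It also rejects an alphabet with repeated characters, since the index lookup the macro relies on would then be ambiguous.

```python
"""Decoder for the index-substitution scheme used by the APT37 macro: each
character of the obfuscated macro is looked up in StringEncoded and replaced
by the character at the same index in StringOriginal.

Added example; not the macro's VBA. The alphabets are constructed."""

# Constructed alphabets (same length, each character unique within its string).
# They are NOT the real StringOriginal/StringEncoded from the sample.
STRING_ORIGINAL = 'OptionExlcSubMa() ="&.'
STRING_ENCODED = 'gm* bfqYz#H7!Rk<>^4+@~'


def build_table(encoded=STRING_ENCODED, original=STRING_ORIGINAL):
    """Build the encoded -> original character map the loop in Figure 10 walks."""
    if len(encoded) != len(original):
        raise ValueError("alphabets must have the same length")
    if len(set(encoded)) != len(encoded) or len(set(original)) != len(original):
        raise ValueError("alphabets must not repeat characters: index lookup would be ambiguous")
    return {e: o for e, o in zip(encoded, original)}


DECODE_TABLE = build_table()
ENCODE_TABLE = {o: e for e, o in DECODE_TABLE.items()}


def decode(obfuscated, table=DECODE_TABLE):
    """Replace each character by its StringOriginal counterpart.
    Assumption: characters outside the alphabet pass through unchanged."""
    return "".join(table.get(ch, ch) for ch in obfuscated)


def encode(plain, table=ENCODE_TABLE):
    """Inverse of decode(); useful to confirm a recovered alphabet round-trips."""
    return "".join(table.get(ch, ch) for ch in plain)


if __name__ == "__main__":
    print(decode("gm* bf"))             # Option
    print(decode("gm* bf^qYmz # *"))    # Option Explicit
```

A dictionary replaces the linear index search the VBA loop performs, which matters when a de-obfuscated macro runs to tens of kilobytes; the behaviour is otherwise the same.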

Following this process gives us the final macro that will be executed in the memory space of Microsoft Office. In order to execute this decoded macro, it creates a module and writes into it before calling its main function to execute the macro.

The main function defines a shellcode in hex format, and a target process which is Notepad.exe. Then, based on the OS version, it creates a Notepad.exe process and allocates memory within its address space using VirtualAlloc. It then writes the shellcode into the allocated memory using WriteProcessMemory. At the end it calls CreateRemoteThread to execute the shellcode within the address space of Notepad.exe.
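The VBOM bypass (Figure 5) and the injection into Notepad.exe both leave traces that endpoint telemetry can catch. The script below is an added example, not Malwarebytes’ detection content and not a Sysmon configuration: it runs two rules over constructed Sysmon-style events, one for an Office process setting the AccessVBOM registry value (the documented name of the Office setting the post refers to as the VBOM registry key) and one for an Office process creating a remote thread in another process. The JSON event lines, file paths and SID are constructed; the field names follow Sysmon’s Event ID 13 (registry value set) and Event ID 8 (CreateRemoteThread).

```python
"""Triage Sysmon-style events for two host-side traces of the macro chain:
an Office process flipping AccessVBOM to 1, and an Office process creating a
remote thread in notepad.exe. Added example; events below are constructed."""
import json
from typing import Dict, Iterable, List

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
EVENT_REGISTRY_VALUE_SET = 13      # Sysmon Event ID 13: RegistryEvent (value set)
EVENT_CREATE_REMOTE_THREAD = 8     # Sysmon Event ID 8: CreateRemoteThread


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def registry_dword(details: str) -> int:
    """Sysmon renders DWORD values as 'DWORD (0x00000001)'; return the integer."""
    start, end = details.find("(") + 1, details.find(")")
    return int(details[start:end], 16) if start and end > start else -1


def triage(event_lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one hit per event that matches either rule, in input order."""
    hits = []
    for line in event_lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        eid = ev.get("EventID")
        if eid == EVENT_REGISTRY_VALUE_SET:
            # Rule 1: an Office process enabling programmatic access to the VBA project.
            if (image_name(ev["Image"]) in OFFICE_IMAGES
                    and ev["TargetObject"].lower().endswith("\\security\\accessvbom")
                    and registry_dword(ev["Details"]) == 1):
                hits.append({"rule": "office-accessvbom-enabled",
                             "process": image_name(ev["Image"]),
                             "detail": ev["TargetObject"]})
        elif eid == EVENT_CREATE_REMOTE_THREAD:
            # Rule 2: an Office process starting a thread in any other process.
            if image_name(ev["SourceImage"]) in OFFICE_IMAGES:
                hits.append({"rule": "office-remote-thread",
                             "process": image_name(ev["SourceImage"]),
                             "detail": "thread created in " + image_name(ev["TargetImage"])})
    return hits


# Constructed events. The regedit and csrss lines are benign noise: an admin
# changing a different Office security value, and csrss, which legitimately
# creates threads in console processes.
SAMPLE_EVENTS = r"""
{"EventID": 13, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Office\\16.0\\Word\\Security\\AccessVBOM", "Details": "DWORD (0x00000001)"}
{"EventID": 13, "Image": "C:\\Windows\\regedit.exe", "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Office\\16.0\\Word\\Security\\VBAWarnings", "Details": "DWORD (0x00000002)"}
{"EventID": 13, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Office\\16.0\\Word\\Security\\AccessVBOM", "Details": "DWORD (0x00000000)"}
{"EventID": 8, "SourceImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "TargetImage": "C:\\Windows\\System32\\notepad.exe", "StartAddress": "0x000001F2A3B40000"}
{"EventID": 8, "SourceImage": "C:\\Windows\\System32\\csrss.exe", "TargetImage": "C:\\Windows\\System32\\notepad.exe", "StartAddress": "0x00007FFB12345678"}
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS.splitlines()):
        print(hit)
```

Rule 1 checks the value actually written, so a macro that resets AccessVBOM to 0 afterwards produces only the first hit; rule 2 deliberately does not restrict the target to notepad.exe, because the post notes the same payload was injected into cmd.exe in earlier campaigns.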

Figure 11: De-obfuscated macro

Shellcode analysis (RokRat):

The shellcode injected into Notepad.exe downloads an encrypted payload from http://bit[.]ly/2Np1enh which is redirected to a Google drive link.

Figure 12: Download URL

The downloaded payload is a variant of a cloud-based RAT known as RokRat, which has been used by this group since 2017. This sample’s compilation date is 29 Oct 2019. This RAT is known to steal data from a victim’s machine and send it to cloud services (pCloud, Dropbox, Box, Yandex).

Figure 13: Encoded cloud services

Similar to its previous variants, it uses several anti-analysis techniques to make sure it is not running in an analysis environment. Here are some of the checks:

  • Checking the DLLs related to iDefense SysAnalyzer, Microsoft Debugging DLL and Sandboxies
  • Calling IsDebuggerPresent and GetTickCount to identify a debugger
  • Checking VMWare related file

Figure 14: Anti-analysis techniques

This RAT has the following capabilities:

  • Capture screenshots
  • Gather system info (username, computer name, BIOS)
  • Data exfiltration to cloud services
  • Stealing credentials
  • File and directory management

Figure 15: Capture screenshots
Figure 16: Gather BIOS data
Figure 17: Data exfiltration

For more detailed analysis of this RAT you can refer to the reports from NCC Group and Cisco Talos.

Conclusion

The primary initial infection vector used by APT37 is spear phishing, in which the actor sends an email to a target that is weaponized with a malicious document. The case we analyzed is one of the few where they did not use Hwp files (Hangul Office) as their phishing documents and instead used Microsoft Office documents weaponized with a self-decoding macro. That technique is a clever choice that can bypass several static detection mechanisms and hide the main intent of a malicious document.

The final payload used by this threat actor is a known custom RAT (RokRat) that the group has used in previous campaigns. In the past, RokRat has been injected into cmd.exe, whereas here they chose Notepad.exe.


Indicators of Compromise

Maldoc:
3c59ad7c4426e8396369f084c35a2bd3f0caa3ba1d1a91794153507210a77c90

RokRat:
676AE680967410E0F245DF0B6163005D8799C84E2F8F87BAD6B5E30295554E08
A42844FC9CB7F80CA49726B3589700FA47BDACF787202D0461C753E7C73CFD2A
2A253C2AA1DB3F809C86F410E4BD21F680B7235D951567F24D614D8E4D041576
C7CCD2AEE0BDDAF0E6C8F68EDBA14064E4A9948981231491A87A277E0047C0CB

The post Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat appeared first on Malwarebytes Labs.

Adobe Flash Player reaches end-of-life

“What now? My farm is no longer working. Can you have a look, honey?”

Like millions of other people my wife likes to play online browser games. You know, the ones that don’t require a fast connection because your virtual life is not in constant danger, and an occasional harvest is enough to make progress in the game.

So, when her browser refused to open her virtual farm, and there were many, many other users like her, this caused some turmoil in the community. Especially when some of the developers acted as if it came as a surprise and took their time to decide what to do next.

Some developers took their games to another platform

Facebook and some other social platforms used to host a ton of these games and what most had in common is that they were using Adobe Flash Player for their animations. Flash let web designers and animators deliver animated content that could be downloaded relatively quickly.

But as of last month, the major browsers have stopped supporting Adobe Flash Player, after Adobe itself ended support on 31 December 2020. Adobe had in fact announced years ago that it would stop updating and distributing Flash Player.

What caused this end of life?

Adobe Flash Player has seen more than its fair share of exploits and vulnerabilities. Arguably, it’s because the software was so popular that it made for an attractive target, but since it was based on a 1996 release it may have become impossible to keep on patching it. Developers are changing to HTML5, and other options, to produce new content.

Advice for Flash users

Home users should uninstall Adobe Flash Player as it will no longer receive any security updates. The general feeling among security professionals is that it will not take long before unpatched vulnerabilities will be exploited in the wild. In some cases, simply having Adobe Flash Player installed is all it takes to compromise your system. So, if there are no legitimate use-cases left, don’t run the risk of having it installed. Adobe has instructions for removing Flash on Windows and Mac computers on its website.

It could be a different scenario for business users, as some companies may still be using Adobe Flash Player for internal use. As it stands, it will become increasingly difficult to maintain this situation since Adobe will prevent Flash Player from displaying content from 12 January 2021.

If your site is reliant on the plugin for developing or playing content, it’s high time to consider a revamp of your website content. Adobe has some options for its customers who were taken by surprise.

Expected cybercrime abuse

We’ve seen fake Flash Player updates for years, which are in reality bundlers that sometimes include the actual latest version of Flash but might just as easily include older versions or no version of Flash at all. We suspect these will continue to show up. They might even become more popular as people have no way of finding legitimate versions and updates.

Fake Flash Player update notice

You may also see malicious campaigns promoting alternatives for playing Flash content, which could in reality install any kind of malware or potentially unwanted program.

And there may be some exploit kits that will take it upon themselves to incorporate all the latest vulnerabilities in their setup to victimize those that still have Adobe Flash Player installed.

End-of-life

End-of-life (EOL) is an expression commonly used by software vendors to indicate that a product or version of a product has reached the end of its usefulness in the eyes of the vendor. Many companies, including Microsoft, announce the EOL dates for their products far in advance. Adobe announced this EOL in 2017, so most developers should have been aware. Many will be sad to see it go and some will be glad to show it the door. Our advice will be the same as always.

Stay safe, everyone!

The post Adobe Flash Player reaches end-of-life appeared first on Malwarebytes Labs.

VPN usage is increasing, says December 2020 survey

I won’t reveal my mom’s exact age, but she’s in her late 60s. Other than her phone, my mom doesn’t own or use a computer—but she knows what Zoom is. Not since “Kleenex” has a brand become so pervasive that people use the brand name as a generic term for the product. For my mom, any kind of video call is now a “Zoom.” A FaceTime call, for example, is Zoom. I’ve stopped trying to correct her.

As the world returns to work and school from the unhappiest holiday season of our lifetimes, the majority of us continue to do so remotely. Whether you’re using Zoom, Google Hangouts, or Microsoft Teams, technologies like these will continue to play a central role in the way we get things done for the foreseeable future. As we spend more and more time online, it stands to reason that we will all be exposed to a greater number of online threats (and we are, by the way).

So, what about VPNs?

Here’s why VPNs matter more than ever. A VPN, shorthand for a virtual private network, is a handy tool that allows users to send and receive data as if they were on the same network, for example, someone working from home or taking classes from home as so many of us are at the moment.

For the latest Malwarebytes Labs reader survey we asked “Do you use a VPN?” 2,330 responded and an impressive 36 percent said they now use a VPN. For perspective, ten years ago, only 1.5 percent of Americans used VPNs.

Chart: Malwarebytes December 2020 VPN survey results

Of those who do not use a VPN, 58 percent said they at least knew what one was. That’s a long way from being the next Zoom, but VPN awareness is starting to change thanks to COVID.

Google Trends shows that searches for “VPN” and “virtual private networks” hit an all time high in March of 2020, just as stay-at-home orders were issued for the majority of the world.

Chart: Google Trends interest in “VPN” searches

With interest in VPNs rising, what’s preventing some people from actually using one?

Survey says…

Taking a deeper dive into the survey results, most of the people who said they didn’t use a VPN cited cost as the main reason for not using one:

“Peace of mind is important; but, on a limited income, it is difficult to pay out additional funds—especially during this pandemic.”

Some said they didn’t think they needed a VPN, while others still said they didn’t like how VPNs they had tried in the past slowed down their Internet speeds. This may be a legacy thing, as newer technology—like the WireGuard VPN protocol used by Malwarebytes Privacy—tends to deliver speeds faster than traditional VPNs.

Of those who used a VPN, half said they used it all the time. The top five activities for using a VPN were: making purchases online, online banking, sending email or chatting, protecting personal information from hackers, and stopping businesses or advertisers from tracking online activity.

When asked why they used a VPN, the majority of users liked the additional layer of security:

“I value my security and privacy. Having a VPN is essential for doing anything online.”

One respondent provided a useful analogy, likening VPNs to the fence around your house:

“Good fences make for good neighbors.”

As we head into 2021, will my mom casually drop “VPN” into a sentence before year’s end? That remains to be seen, but the results of our latest Malwarebytes Labs reader survey suggest VPNs might get their moment in the sun very soon.

The post VPN usage is increasing, says December 2020 survey appeared first on Malwarebytes Labs.

A week in security (December 28 – January 3)

First off we would like to wish all our readers a happy and secure 2021!

Last week on Malwarebytes Labs we presented an overview of developments in the SearchDimension hijackers, we looked at the most enticing cyberattacks of 2020, and we also looked back at the strangest cybersecurity events of 2020.

Other cybersecurity news:

  • Google patched a bug in its feedback tool that could be exploited by an attacker to potentially steal screenshots of sensitive Google Docs documents. (Source: The Hacker News)
  • Section 230: The social media law that is clogging up stimulus talks. (Source: CNet)
  • Apple has lost its copyright battle against iOS virtualization startup Corellium. (Source: TechSpot)
  • Microsoft confirmed that the suspected Russian hackers behind the SolarWinds security breach also viewed some of the company’s source code. (Source: CNN)
  • Over 100,000 Zyxel firewalls, VPN gateways, and access point controllers contain a hardcoded admin-level backdoor account that can grant attackers root access to connected devices. (Source: ZDNet)
  • A data breach broker is selling allegedly stolen user records for 26 companies on a hacker forum. (Source: BleepingComputer)
  • Hackers have livestreamed police raids on innocent households after hijacking their victims’ smart home devices and making a hoax call to the authorities. (Source: BBC News)
  • The US Department of Homeland Security (DHS) has published a guide to the risks that businesses run if they use tech created in China. (Source: The Register)

Stay safe, everyone!

The post A week in security (December 28 – January 3) appeared first on Malwarebytes Labs.