IT NEWS

Last week on Malwarebytes Labs:

• Microsoft Recall delayed after privacy and security concerns
• (Almost) everything you always wanted to know about cybersecurity, but were too afraid to ask, with Tjitske de Vries: Lock and Code S05E13
• 43% of couples experience pressure to share logins and locations, Malwarebytes finds
• Explained: Android overlays and how they are used to trick people
• TikTok facing fresh lawsuit in US over children’s privacy
• Was T-Mobile compromised by a zero-day in Jira?
• US bans Kaspersky, warns: “Immediately stop using that software”
• First million breached Ticketmaster records released for free

Last week on ThreatDown:

• UEFI vulnerability for Intel processors opens the doors for a bootkit
• US gov bans Kaspersky sales and updates, says “switch to an alternative” immediately
• Microsoft 365 users targeted in 2FA-busting phishing campaigns
• Patch now! VMWare releases fix for critical vulnerabilities
• Compromised F5 BIG-IP appliances abused in three-year infiltration
• Why are browser vulnerabilities going unpatched?
• Anything but science fiction: The anatomy of an Akira ransomware attack
• Enhancing ThreatDown Admin App notifications: Multi-method delivery now available
• Black Basta ransomware exploits Windows Error Reporting Service vulnerability

Stay safe!

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

The US government will ban the sale of Kaspersky antivirus products to new customers in the United States starting July 20, with a follow-on deadline to prohibit the cybersecurity company from providing users with software updates after September 29.

The move follows years of allegations that the cybersecurity firm served as a hacking conduit for Russian intelligence agencies—allegations that the company has consistently denied.  

While current US Kaspersky customers will see no immediate impact from the ban, the September 29 software update deadline signals a bigger change. Without available updates, any cybersecurity product becomes less secure over time, and means the company won’t be able to protect customers against the newest threats.

In a briefing call with reporters on Thursday, US Department of Commerce Secretary Gina Raimondo offered consolation and advice to current customers of the antivirus products:

“You have done nothing wrong, and you are not subject to any criminal or civil penalties. However, I would encourage you, in as strong as possible terms, to immediately stop using that software and switch to an alternative in order to protect yourself and your data and your family.”

Kaspersky rebuffed the Biden Administration’s decision in a statement shared on social media Thursday.

“Kaspersky does not engage in activities which threaten US national security and, in fact, has made significant contributions with its reporting and protection from a variety of threat actors that targeted US interested and allies,” the company said. “The company intends to purse all legally available options to preserve its current operations and relationships.”

The ban, first reported by Reuters and released Thursday, includes “AO Kaspersky Lab,” “OOO Kaspersky Group,” and “Kaspersky Labs Limited.”

According to the US Department of Commerce, all three Kaspersky entities are being banned “for their cooperation with Russian military and intelligence authorities in support of the Russian government’s cyber intelligence objectives.”

In October 2017, The New York Times reported that Israeli intelligence officers managed to catch Russian government hackers using Kaspersky to conduct clandestine searches across the globe. That reporting followed a bombshell investigation from The Wall Street Journal that claimed that Russian hackers stole classified NSA materials from a contractor’s personal computer which had Kaspersky software installed on it.

That reported hacking incident allegedly resulted in the US government’s decision that same year to remove Kaspersky antivirus software from US government devices.

In the same Thursday briefing call, Secretary Raimondo cited the threat of Russian influence in the Department’s decision to ban Kaspersky:

“Russia has shown it has the capacity and… the intent to exploit Russian companies like Kaspersky to collect and weaponize the personal information of Americans and that is why we are compelled to take the action that we are taking today.”

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

The cybercriminal acting under the name “Sp1d3r” gave away the first 1 million records that are part of the data set that they claimed to have stolen from Ticketmaster/Live Nation. The files were released without a price, for free.

When Malwarebytes Labs first learned about this data breach, it happened to be the first major event that was shared on the resurrected BreachForums, and someone acting under the handle “ShinyHunters” offered the full details (name, address, email, phone) of 560 million customers for sale.

The same data set was offered for sale in an almost identical post on another forum by someone using the handle “SpidermanData.” This could be the same person or a member of the ShinyHunters group.

Following this event, Malwarebytes Labs advised readers on how to respond and stay safe. Importantly, even when a breach isn’t a “breach”—in that immediate moment when the details have yet to be confirmed and a breach subject is readying its public statements—the very news of the suspected breach can be used by advantageous cybercriminals as a phishing lure.

Later, Ticketmaster confirmed the data breach.

Bleeping Computer spoke to ShinyHunters who said they already had interested buyers. Now, Sp1d3r, who was seen posting earlier about Advance Auto Parts customer data and Truist Bank data, has released 1 million Ticketmaster related data records for free.

In a post on BreachForums, Sp1d3r said:

“Ticketmaster will not respond to request to buy data from us.

They care not for the privacy of 680 million customers, so give you the first 1 million users free.”

The cybercriminals that are active on those forums will jump at the occasion and undoubtedly try to monetize those records. This likely means that innocent users that are included in the first million released records could receive a heavy volume of spam and phishing emails in the coming days.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your exposure

While matters are still unclear how much information was involved, it’s likely you’ve had other personal information exposed online in previous data breaches. You can check what personal information of yours has been exposed with our Digital Footprint portal. Just enter your email address (it’s best to submit the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

A moderator of the notorious data breach trading platform BreachForums is offering data for sale they claim comes from a data breach at T-Mobile.

The moderator, going by the name of IntelBroker, describes the data as containing source code, SQL files, images, Terraform data, t-mobile.com certifications, and “Siloprograms.” (We’ve not heard of siloprograms, and can’t find a reference to them anywhere, so perhaps it’s a mistranslation or typo.)

To prove they had the data, IntelBroker posted several screenshots showing access with administrative privileges to a Confluence server and T-Mobile’s internal Slack channels for developers.

But according to sources known to BleepingComputer, the data shared by IntelBroker actually consists of older screenshots. These screenshots show T-Mobile’s infrastructure, posted at a known—yet unnamed—third-party vendor’s servers, from where they were stolen.

When we looked at the screenshots IntelBroker attached to their post, we spotted something interesting in one of them.

This screenshot shows a search query for a critical vulnerability in Jira, a project management tool used by teams to plan, track, release and support software. It’s typically a place where you could find the source code of works in progress.

The search returns the result CVE-2024-1597, a SQL injection vulnerability. SQL injection happens when a cybercriminal injects malicious SQL code into a form on a website, such as a login page, instead of the data the form is asking for. The vulnerability affects Confluence Data Center and Server according to Atlassian’s May security bulletin.

For a better understanding, it’s important to note that Jira and Confluence are both products created by Atlassian, where Jira is the project management and issue tracking tool and Confluence is the collaboration and documentation tool. They are often used together.

If IntelBroker has a working exploit for the SQL injection vulnerability, this could also explain their claim that they have the source code of three internal tools used at Apple, including a single sign-on authentication system known as AppleConnect.

This theory is supported by the fact that IntelBroker is also offering a Jira zero-day for sale.

“I’m selling a zero-day RCE for Atlassian’s Jira.

Works for the latest version of the desktop app, as well as Jira with confluence.

No login is required for this, and works with Okta SSO.”

If this is true then this exploit, or its fruits, might be used for data breaches that involve personal data.

Meanwhile, T-Mobile has denied it has suffered a breach, saying it is investigating whether there has been a breach at a third-party provider.

“We have no indication that T-Mobile customer data or source code was included and can confirm that the bad actor’s claim that T-Mobile’s infrastructure was accessed is false.”

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

The Federal Trade Commission (FTC) has announced it’s referred a complaint against TikTok and parent company ByteDance to the Department of Justice.

The investigation originally focused on Musical.ly which was acquired by ByteDance on November 10, 2017, and merged it into TikTok.

The FTC started a compliance review of Musical.ly following a 2019 settlement with the company for violations of the Children’s Online Privacy Protection Act (COPPA). In the settlement, Musical.ly received a fine of $5.7m for collecting personal information from children without parental consent.

One of the main concerns was that Musical.ly did not ask the user’s age and later failed to go back and request age information for people who already had accounts.

COPPA requires sites and services like Musical.ly and TikTok – among other things – to get parental consent before collecting personal information from children under 13.

Musical.ly also failed to deal with complaints properly. The FTC found that—in just a two-week period in September 2016—the company received over 300 complaints from parents asking Musical.ly to delete their child’s account. However, under COPPA it’s not enough just to delete existing accounts, companies have to remove the kids’ videos and profiles from the company’s servers; Musical.ly failed to do this.

In 2022, TikTok itself faced a $28m fine for failing to protect children’s privacy after an investigation of a possible breach of the UK’s data protection laws.

In the US, TikTok agreed to pay $92 million in 2021 to settle dozens of lawsuits alleging that it harvested personal data from users, including information using facial recognition technology, without consent, and shared the data with third parties.

The FTC states that during the investigation it uncovered reasons to believe that “defendants are violating or are about to violate the law and that a proceeding is in the public interest.”

The FTC also said it usually doesn’t publicize the referral of complaints but feels it is in the public interest to do so now.

TikTok has been in the crosshairs of privacy and security professionals and politicians for years.

In June 2022,  the FCC (Federal Communications Commission), called on the CEOs of Apple and Google to remove TikTok from their app stores considering it an unacceptable national security risk because of its Chinese ownership.

In 2023, General Paul Nakasone, Director of the National Security Agency (NSA) referred to TikTok as a loaded gun in the hands of America’s TikTok-addicted youth.

Recently, we reported about the take-over of some high-profile TikTok accounts just by opening a Direct Message.

And the clock is ticking when it comes to TikTok’s presence in the US, after the US Senate has approved a bill that would effectively ban TikTok from the US unless Chinese owner ByteDance gives up its share of the still immensely popular app.

Somehow we don’t think we’ve heard the last of this.

Check your digital footprint

Malwarebytes has a new free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

Sometimes you’ll see the term “overlays” used in articles about malware and you might wonder what they are. In this post we will try to explain what overlays—particularly on Android devices—are, and how cybercriminals deploy them.

Most of the time, overlays are used to make people think they are visiting a legitimate website or using a trusted app while in reality they are not.

Simply put, the Android overlay is a feature used by an app to appear on top of another app. The legitimate use of overlays is to offer functionality to the app’s user without them having to leave the app itself, for example for messages or alerts, such as Android bubbles on Messenger.

The possible malicious use of overlays, then, is not hard to guess. Overlays can be used to draw a full window on top of a legitimate app and, as such, intercept all the interactions the user has with the app. But they can also be superimposed over certain critical areas of an app like the text in a message box.

Some examples of malicious uses of overlays:

• Requesting permissions under false pretenses, malicious apps can hide their requests by covering the legitimate app’s permissions text.
• Clickjacking, where a user is tricked into clicking on actionable content thinking they are interacting with a legitimate app.
• Intercepting information like login credentials and even some multi-factor authentication (MFA) tokens, by making the user think they are entering them on a legitimate app or website.

Whether the overlays are transparent or whether they mimic the legitimate app does not influence the way they work. As long as they blend with the original application’s interface, they are incredibly hard to spot.

Most of the time, a malicious overlay’s goal is to intercept certain user data which enables cybercriminals to steal money or cryptocurrencies. This is why many banking apps have protection in place. In modern Android versions, developers can successfully block any non-system Android overlay to protect against overlay attacks.

Protection against overlays

As we said, screen overlay attacks are most common on Android devices, and they are a significant threat, so we will explain how you can check which apps have the permission to use overlays and how you can disable it.

Tap Settings > Apps > Options (three stacked dots) > Special access > Appear on top. Here you can see a list of apps with the permission to “Appear on top” and you can disable the ones you don’t recognize or don’t need to have this permission.

Using an anti-malware solution for your Android device will be effective against known malicious apps. You can uninstall these apps using the mobile device’s uninstall functionality, but the tricky part lies in identifying the offending behavior and app. That is where Malwarebytes for Android can help—by identifying these apps and removing them.

It also helps to use authentication methods which are harder to phish. MFA is vital to enable, and will protect you from many types of attacks, so please continue to use it. However, authentication-in-the-middle attacks only work with certain types of MFA, and passkeys for example won’t allow the cybercriminals to login to your account in this way.

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

All isn’t fair in love and romance today, as 43% of people in a committed relationship said they have felt pressured by their own partners to share logins, passcodes, and/or locations. A worrying 7% admitted that this type of pressure has included the threat of breaking up or the threat of physical or emotional harm.

These are latest findings from original research conducted by Malwarebytes to explore how romantic couples navigate shared digital access to one another’s devices, accounts, and location information.

In short, digital sharing is the norm in modern relationships, but it doesn’t come without its fears.

While everybody shares some type of device, account, or location access with their significant other (100% of respondents), and plenty grant their significant other access to at least one personal account (85%), a sizeable portion longs for something different—31% said they worry about “how easy it is for my partner to track what I’m doing and where I am all times because of how much we share,” and 40% worry that “telling my partner I don’t want to share logins, PINs, and/or locations would upset them.”

By surveying 500 people in committed relationships in the United States, Malwarebytes has captured a unique portrait of what it means to date, marry, and be in love in 2024—a part of life that is now inseparable from smart devices, apps, and the internet at large.

The complete findings can be found in the latest report, “What’s mine is yours: How couples share an all-access pass to their digital lives.” You can read the full report below.

Here are some of the key findings:

• Partners share their personal login information for an average of 12 different types of accounts.
• 48% of partners share the login information of their personal email accounts.
• 30% of partners regret sharing location tracking.
• 18% of partners regret sharing account access. The number is significantly higher for men (30%).
• 29% of partners said an ex-partner used their accounts to track their location, impersonate them, access their financial accounts, and other harms.
• Around one in three Gen Z and Millennial partners report an ex has used their accounts to stalk them.

But the data doesn’t only point to causes for concern. It also highlights an opportunity for learning. As Malwarebytes reveals in this latest research, people are looking for guidance, with seven in 10 people admitting they want help navigating digital co-habitation.

According to one Gen Z survey respondent:

“I feel like it might take some effort (to digitally disentangle) because we are more seriously involved. We have many other kinds of digital ties that we would have to undo in order to break free from one another.”

That is why, today, Malwarebytes is also launching its online resource hub: Modern Love in the Digital Age. At this new guidance portal, readers can learn about whether they should share their locations with their partners, why car location tracking presents a new problem for some couples, and how they can protect themselves from online harassment. Access the hub below.

Microsoft has announced it will postpone the broadly available preview of the heavily discussed Recall feature for Copilot+ PCs. Copilot+ PCs are personal computers that come equipped with several artificial intelligence (AI) features.

The Recall feature tracks anything from web browsing to voice chats. The idea is that Recall can assist users to reconstruct past activity by taking regular screenshots of a user’s activity and storing them locally. The user would then be able to search the database for anything they’ve seen on their PC.

However, Recall received heavy criticism by security researchers and privacy advocates since it was announced last month. The ensuing discussion saw a lot of contradictory statements. For example, Microsoft claimed that Recall would be disabled by default, while the original documentation said otherwise.

Researchers demonstrated how easy it was to extract and search through Recall snapshots on a compromised system. While some may remark that the compromised system is the problem in that equation—and they are not wrong—Recall would potentially provide an attacker with a lot of information that normally would not be accessible. Basically, it would be a goldmine that spyware and information stealers could easily access and search.

In Microsoft’s own words:

“Recall does not perform content moderation. It will not hide information such as passwords or financial account numbers. That data may be in snapshots that are stored on your device, especially when sites do not follow standard internet protocols like cloaking password entry.”

Microsoft didn’t see the problem, with its vice chair and president, Brad Smith even using Recall as an example to demonstrate how Microsoft is secure during the Committee Hearing: A Cascade of Security Failures: Assessing Microsoft Corporation’s Cybersecurity Shortfalls and the Implications for Homeland Security.

But now things have changed, and Recall will now only be available for participants in the Windows Insider Program (WIP) in the coming weeks, instead of being rolled out to all Copilot+ PC users on June 18 as originally planned.

Another security measure taken only as an afterthought was that users will now have to log into Windows Hello in order to activate Recall and to view your screenshot timeline.

In its blog, Microsoft indicates it will act on the feedback it expects to receive from WIP users.

“This decision is rooted in our commitment to providing a trusted, secure and robust experience for all customers and to seek additional feedback prior to making the feature available to all Copilot+ PC users.”

Our hope is that the WIP community will convince Microsoft to abandon the whole Recall idea. If not, we will make sure to let you know how you can disable it or use it more securely if you wish to do so.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

This week on the Lock and Code podcast…

Ready to know what Malwarebytes knows?
Ask us your questions and get some answers.
What is a passphrase and what makes it—what’s the word?
Strong?

Every day, countless readers, listeners, posters, and users ask us questions about some of the most commonly cited topics and terminology in cybersecurity. What are passkeys? Is it safer to use a website or an app? How can I stay safe from a ransomware attack? What is the dark web? And why can’t cybercriminals simply be caught and stopped?

For some cybersecurity experts, these questions may sound too “basic”—easily researched online and not worth the time or patience to answer. But those experts would be wrong.

In cybersecurity, so much of the work involves helping people take personal actions to stay safe online. That means it’s on cybersecurity companies and practitioners to provide clarity when the public is asking for it.  it’s on us to provide clarity. Without this type of guidance, people are less secure, scammers are more successful, and clumsy, fixable mistakes are rarely addressed.

This is why, this summer, Malwarebytes is working harder on meeting people where they are. For weeks, we’ve been collecting questions from our users about WiFi security, data privacy, app settings, device passcodes, and identity protection.

All of these questions—no matter their level of understanding—are appreciated, as they help the team at Malwarebytes understand where to improve its communication. In cybersecurity, it is critical to create an environment where, for every single person seeking help, it’s safe to ask. It’s safe to ask what’s on their mind, safe to ask what confuses them, and safe to ask what they might even find embarrassing.

Today, on the Lock and Code podcast with host David Ruiz, we speak with Malwarebytes Product Marketing Manager Tjitske de Vries about the modern rules around passwords, the difficulties of stopping criminals on the dark web, and why online scams hurt people far beyond their financial repercussions.

“We had [an] 83-year-old man who was afraid to talk to his wife for three days because he had received… a sextortion scam… This is how they get people, and it’s horrible.”

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

Last week on Malwarebytes Labs:

• Truist bank confirms data breach
• Update now! Google Pixel vulnerability is under active exploitation
• Adobe clarifies Terms of Service change, says it doesn’t train AI on customer content
• 23andMe data breach under joint investigation in two countries
• When things go wrong: A digital sharing warning for couples
• Google’s Chrome changes make life harder for ad blockers

Last week on ThreatDown:

• 20,000 Fortinet VPN appliances compromised, investigation reveals
• Patch now! Critical RCE vulnerability in Microsoft Message Queuing
• Snowflake “breach” looks like 165 individual incidents
• Update now! June’s Patch Tuesday—one zero-day, but it’s a doozy
• 5 early signs of a ransomware attack (based on real examples)
• Teams of AI agents can exploit zero-day vulnerabilities
• SmartApeSG walkthrough
• Ransomware review: June 2024, a year-high 470 attacks recorded

Stay safe!

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.