IT NEWS

Update now! ASUS fixes nine security flaws

ASUS has released firmware updates for several router models fixing two critical and several other security issues.

The new firmware with accumulated security updates is available for the models GT6, GT-AXE16000, GT-AX11000 PRO, GT-AXE11000, GT-AX6000, GT-AX11000, GS-AX5400, GS-AX3000, XT9, XT8, XT8 V2, RT-AX86U PRO, RT-AX86U, RT-AX86S, RT-AX82U, RT-AX58U, RT-AX3000, TUF-AX6000, and TUF-AX5400.

You will find the latest firmware available for download from the ASUS support page or the appropriate product page. ASUS has also provided a link to new firmware for selected routers at the end of their security advisory.

When in doubt you can find the model number on the sticker which can usually be found on the back side of the router.

[Screenshot of a sticker on an ASUS router] Example: the model RT-AX86U, which is on the list.

General instructions on how to update router firmware can be found here.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The new firmware incorporates the following security fixes: CVE-2023-28702, CVE-2023-28703, CVE-2023-31195, CVE-2022-46871, CVE-2022-38105, CVE-2022-35401, CVE-2018-1160, CVE-2022-38393, and CVE-2022-26376.

The critical CVEs patched in these updates are:

CVE-2022-26376: A memory corruption vulnerability exists in the httpd unescape functionality of Asuswrt prior to 3.0.0.4.386_48706 and Asuswrt-Merlin New Gen prior to 386.7. A specially-crafted HTTP request can lead to memory corruption. An attacker can send a network request to trigger this vulnerability.

Asuswrt-Merlin New Gen is an open source firmware alternative for Asus routers. The unescape function in this firmware assumes that at least two characters always follow a %. If that is not the case, one of the instructions in the function causes an out-of-bounds read. Out-of-bounds reads can lead to crashes or other unexpected vulnerabilities, and may allow an attacker to read sensitive information that they should not have access to.
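To make the bug class concrete, here is an added example (written for this article, not Asuswrt's or Asuswrt-Merlin's own code) of a percent-decoder that explicitly checks that the two characters after a % actually exist inside the input before reading them; a truncated or malformed escape is copied through literally instead of being read past the end of the buffer. The function name `safe_unescape` and the sample inputs are constructed for illustration.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Value of a hex digit, or -1 if c is not one. */
static int hex_value(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/*
 * Percent-decode `in` (in_len bytes, need not be NUL-terminated) into `out`
 * (capacity out_len, always NUL-terminated on success).
 * Returns the number of bytes written, excluding the NUL, or -1 if `out`
 * is too small.
 *
 * The flaw described for CVE-2022-26376 is an unescape routine that assumes
 * two characters always follow a '%'. The check `i + 2 < in_len` below is the
 * bound that such a routine lacks: without it, "%4" or a trailing "%" at the
 * end of a request makes the decoder read beyond the input buffer.
 * (Illustrative code, not the vendor's implementation.)
 */
int safe_unescape(const char *in, size_t in_len, char *out, size_t out_len)
{
    if (out_len == 0)
        return -1;

    size_t o = 0;
    for (size_t i = 0; i < in_len; i++) {
        int c = (unsigned char)in[i];

        if (c == '%') {
            /* Both in[i+1] and in[i+2] must lie inside the input. */
            if (i + 2 < in_len) {
                int hi = hex_value((unsigned char)in[i + 1]);
                int lo = hex_value((unsigned char)in[i + 2]);
                if (hi >= 0 && lo >= 0) {
                    c = (hi << 4) | lo;   /* valid escape: decode it */
                    i += 2;               /* and consume the two hex digits */
                }
                /* else: "%zz"-style junk, emit the '%' literally */
            }
            /* else: truncated escape at end of input, emit '%' literally */
        }

        if (o + 1 >= out_len)             /* leave room for the NUL */
            return -1;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return (int)o;
}

int main(void)
{
    /* Constructed inputs: a normal escape, then two truncated ones of the
       kind a bounds-unaware decoder would read past. */
    const char *samples[] = { "path%2Fto%20file", "trailing%4", "lone%" };
    char buf[64];

    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        int n = safe_unescape(samples[k], strlen(samples[k]), buf, sizeof buf);
        printf("%-18s -> %d bytes: \"%s\"\n", samples[k], n, buf);
    }
    return 0;
}
```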

CVE-2018-1160: Netatalk before 3.1.12 is vulnerable to an out of bounds write in dsi_opensess.c. This is due to lack of bounds checking on attacker controlled data. A remote unauthenticated attacker can leverage this vulnerability to achieve arbitrary code execution.

Netatalk is a free, open-source implementation of the Apple Filing Protocol (AFP). It allows Unix-like operating systems to serve as file servers for Macintosh computers running macOS or Classic Mac OS.

This is a five-year-old vulnerability for which several exploits are publicly available.

Since many users, especially home users, will shy away from applying firmware updates, it is important to heed the advice offered by ASUS, which says:

“Please note, if you choose not to install this new firmware version, we strongly recommend disabling services accessible from the WAN side to avoid potential unwanted intrusions. These services include remote access from WAN, port forwarding, DDNS, VPN server, DMZ, port trigger.”

General instructions on how to disable WAN access can be found here under point 7.


We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Why businesses need a disinformation defense plan, with Lisa Kaplan: Lock and Code S04E13

When you think about the word “cyberthreat,” what first comes to mind? Is it ransomware? Is it spyware? Maybe it’s any collection of the infamous viruses, worms, Trojans, and botnets that have crippled countless companies throughout modern history. 

In the future, though, what many businesses might first think of is something new: Disinformation. 

Back in 2021, in speaking about threats to businesses, the former director of the US Cybersecurity and Infrastructure Security Agency, Chris Krebs, told news outlet Axios: “You’ve either been the target of a disinformation attack or you are about to be.”

That same year, the consulting and professional services firm Price Waterhouse Coopers released a report on disinformation attacks against companies and organizations, and it found that these types of attacks were far more common than most of the public realized. From the report: 

“In one notable instance of disinformation, a forged US Department of Defense memo stated that a semiconductor giant’s planned acquisition of another tech company had prompted national security concerns, causing the stocks of both companies to fall. In other incidents, widely publicized unfounded attacks on a businessman caused him to lose a bidding war, a false news story reported that a bottled water company’s products had been contaminated, and a foreign state’s TV network falsely linked 5G to adverse health effects in America, giving the adversary’s companies more time to develop their own 5G network to compete with US businesses.”

Disinformation is here, and as much of it happens online—through coordinated social media posts and fast-made websites—it can truly be considered a “cyberthreat.” 

But what does that mean for businesses? 

Today, on the Lock and Code podcast with host David Ruiz, we speak with Lisa Kaplan, founder and CEO of Alethea, about how organizations can prepare for a disinformation attack, and what they should be thinking about in the intersection between disinformation, malware, and cybersecurity. Kaplan said:

“When you think about disinformation in its purest form, what we’re really talking about is people telling lies and hiding who they are in order to achieve objectives and doing so in a deliberate and malicious life. I think that this is more insidious than malware. I think it’s more pervasive than traditional cyber attacks, but I don’t think that you can separate disinformation from cybersecurity.”

Tune in today. 

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

Black Cat ransomware group wants $4.5m from Reddit or will leak stolen files

The ramifications of a Reddit breach which occurred back in February are now being felt, with the attackers threatening to leak the stolen data. The February attack, billed as a “sophisticated phishing campaign” by Reddit, involved an attempt to swipe credentials and two-factor authentication tokens.

One employee was tricked into handing over details, and then reported what had happened to Reddit. Its security team locked things down and began investigating.

The employee’s credentials were reportedly used to gain access to “some internal docs, code, as well as some internal dashboards and business systems”, which exposed “limited contact information” for company contacts and employees, and information about advertisers.

Reddit advised users that their passwords were safe, and so there was no need to alter login details. There were also “no signs” that the breach impacted “the parts of our stack that run Reddit and store the majority of our data, or any of your non-public data”. At the time, Reddit received praise for the clarity of the messaging. “This happened, that didn’t, your login is fine” is somewhat unusual in these situations and messaging is often confusing or even simply absent for far too long.

It seems we’re finally about to find out how on the money Reddit’s assessment of the situation was. Bleeping Computer reports that the Black Cat ransomware group is claiming responsibility for the attack. Worse, it’s threatening to drop roughly 80GB of data online after supposed attempts to claim a ransom of $4.5m were ignored.

Here’s what Black Cat—also known as ALPHV—has to say about this one:

…I am very happy to know that the public will be able to read all about the statistics they track about their users and all the interesting confidential data we took. Did you know they also silently censor users?

Bold claims indeed, but nobody will know for sure how much of this is true or simply bluster until and unless the files are leaked. Interestingly, Black Cat is also demanding that Reddit reverse its controversial API pricing changes.

Bleeping Computer notes that nothing was encrypted in this attack; it appears that this was “just” about grabbing as much data as possible and using it to extort money from the victim. A double threat ransomware attack without the ransomware, if you will. Even so, this still presents a major headache for Reddit even without having to worry about encrypted devices.

At this point, nobody knows what exactly may leak when the data drop comes (if it ever does). There is no suggestion from the Black Cat group that passwords were grabbed, so that’s one plus point for Reddit users. As for the rest of it, this seems like a mess for the Reddit CEO and team to deal with.

Black Cat is definitely one of the more prominent ransomware players in recent times, with a string of high-impact and notable attacks. Lehigh Valley Health Network in Pennsylvania was hit hard in February of this year, with an understandable furore over photos of breast cancer patients. Elsewhere, the group’s dedicated leak site continues to play to its strengths, as the current Reddit story shows. As you can see from our June Ransomware review, Black Cat is always close to the top of the pile where infections are concerned. Time may be running out for Reddit as far as the above breach goes, but with a little bit of pre-planning your organisation doesn’t have to meet the same fate.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Baby monitor safety: What you need to know

Do you have an impending new arrival in your family of the small and very noisy variety? If so, you’re probably going to invest in a baby monitor for peace of mind both at night and during the day. But do you know what kind of monitor you’re going to buy? Will it be audio only, or have images? Will it be Wi-Fi, or the non-Wi-Fi kind? Did you know there’s a non-Wi-Fi kind?

As it happens, you don’t have to buy an internet connected device for one of the most private areas of your home. There are plenty of cheap Internet of Things (IoT) baby monitors out there with default passwords baked in, insecurely stored data, and an alarming number of compromise stories in the news. If you wish, you can bypass this problem almost completely and go for a device entirely lacking in internet functionality.

The trade-off in this situation is that the device you buy won’t have as many features as a Wi-Fi product, such as the ability to check in on your baby on an app on your phone if you’ve got a babysitter for the evening. However, if all you really care about is monitoring your baby when you’re not in the same room as them, then you can probably go for something more basic.

Non-internet connected baby monitors come with a standalone screen. These screens connect back to the camera in your child’s room. Instead of Wi-Fi, they use other technologies called Digital Enhanced Cordless Telecommunications (DECT) and Frequency Hopping Spread Spectrum (FHSS).

FHSS is one alternative to smart home networks and IoT devices. It rapidly switches frequency when in operation, which leaves a very low chance of someone successfully compromising the device. This isn’t to say a non-Wi-Fi camera is unhackable, but given the short transmission range of these devices, someone would have to be very close to your home to begin poking around. Much the same can be said of baby monitors that use DECT.

An internet-connected baby monitor is more out of your control. Even if you lock things down at your end with secure passwords it could go wrong if the company you use reveals that footage of your child was stored on an open server somewhere.

In fact, the data doesn’t need to be accidentally stored on an open server at all. Sometimes, the people responsible for keeping your information safe have other ideas in mind. Amazon’s Ring was recently fined by the FTC after it was discovered that every employee had previously had access to Ring videos, with some abusing that power to look through users’ personal videos. The FTC also highlighted a lack of proper security precautions related to warding off attacks, such as credential stuffing.

If you sign up to a home IoT system managed by one organisation, this is what you might be facing from the very entities you’re entrusting with the most personal details of your living space. It’s probably low risk, but it’s a risk all the same. With this in mind, if you want to go down the Wi-Fi route, here are some tips for securing your baby monitor.

Tips for keeping your baby monitor safe

  1. Change your password: Some cheap devices may ship with passwords that cannot be changed, ever. If this is the case, those passwords are almost certainly available online for anyone to see. Avoid those at all costs and get one where you can change the password. Then change the password as soon as you set up your monitor.
  2. Make your password strong: A weak password could let someone into your baby monitor and allow them to view videos, or even speak over the monitor.
  3. Use multi-factor authentication (MFA): Pick a baby monitor that allows you to use multi-factor (or 2-factor) authentication. This means that even if someone manages to guess your password, they won’t be able to get into your account.
  4. Keep your videos stored locally: There are perhaps specific reasons why you may want recordings from your child’s room stored somewhere. If so, go for a product which allows local saving. It’s simply not worth the risk of footage making its way into the cloud, and other people’s hands.
  5. Turn it off: If you don’t need a camera enabled in your baby’s room, then consider powering it down when not needed. The window of opportunity for breaking into a device is made even smaller if nobody can access it, so when your baby is elsewhere just flip that switch.

As with all digital toys, really have a think about what you need in a device. If you don’t need to see your baby over an app when you’re away from home, then maybe there’s no need for an internet enabled monitor. The more connected you make your home, the more potential security risks you introduce.


We don’t just write about threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

A week in security (June 12 – 18)

Phishing scam takes $950k from DoorDash drivers

A particularly nasty slice of phishing, scamming, and social engineering is responsible for DoorDash drivers losing a group total of around $950k.

DoorDash drivers are contractors who pick up food deliveries from stores and restaurants and deliver the products to the customer. A 21 year old man named David Smith, from Connecticut, allegedly figured out a way to extract large quantities of cash from drivers with a scam stretching back to 2020. Incredibly, this means it all began when he was 18. There’s picking up a new hobby, and then there’s this.

The theft would begin by placing a bogus DoorDash order, receiving the driver details, and then contacting said driver by text and/or phone claiming to be DoorDash support. From here, the driver would be convinced to hand over banking details or log in to a fake portal. The end result would be a loss of funds, and potentially not being able to do their job.

Considering that this took place during the pandemic, targeting drivers may have had a significant impact on vulnerable people whose only way to get food was via services like DoorDash. As with so many scams of this nature, the impact ripples out from the initial victim and never quite stops where you expect it to.

A typical example of how the scam would play out is highlighted in the Stamford Advocate. One driver on her way to a supermarket received a text which advised her not to complete her current order. A call followed, with the individual claiming to be from DoorDash support. He claimed a scam was being perpetrated by drivers, and he needed to make sure that she wasn’t involved.

He sent her a link to verify her identity, and then said she wouldn’t be able to access her earnings/account for roughly four days. Thankfully a reference to a fictitious DoorDash promo tipped her off that something wasn’t right, and she altered her login credentials just in time. Others were not so lucky, with one driver named in the Stamford article losing close to $5,000. A third lost somewhere in the region of $2,000 after being tricked by three scams in a row.

1,750 transactions in total ensured a steady stream of ill-gotten gains for the individual allegedly at the heart of the scheme. Variations on this scam included calls from “DoorDash security” which eventually resulted in banking details being handed over. In some cases, victims may never be identified due to the way some of the reports of theft have been stored in DoorDash’s systems.

It seems the only reason law enforcement has a name for this case at all is by sheer chance, after stumbling upon $700,000+ inside lockboxes while investigating an unrelated incident. At this point in time, it’s not clear that all of the 700 drivers will get their lost funds back.

The Stamford Advocate notes that Smith faces charges of “first-degree larceny, third-degree identity theft, two counts of second-degree forgery, trafficking in personal identifying information and first-degree computer crime”.

The court appearance is scheduled for July 6.

DoorDash mentions that drivers are trained to look out for scams and attacks, but this one managed to sneak in under the radar. While most people wouldn’t dream of targeting gig economy workers during a pandemic, unfortunately some people aren’t most people. All it took here was one individual with a game plan to cheat 700 folks out of close to a million dollars.

How to avoid phishing

  • Block known bad websites. Malwarebytes DNS filtering blocks malicious websites used for phishing attacks, as well as websites used to spread or control malware.
  • Don’t take things at face value. Phishing attacks often seem to come from brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Take action. If you receive a phishing attempt at work, report it to your IT or security team. If you fall for a phish, make your data useless: if you entered a password, change it; if you entered credit card details, change the card.
  • Use a password manager. Password managers can create, remember, and fill in passwords for you. They protect you against phishing because they won’t enter your credentials into a fake site.
  • Use a FIDO 2FA device. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.


US dangles $10 million reward for information about Cl0p ransomware gang

The US Department of State’s national security rewards program, Rewards for Justice (RFJ), is offering a reward of up to $10 million for information linking the Cl0p ransomware gang, or any other malicious cyber actors targeting US critical infrastructure, to a foreign government.
This is not really new. RFJ’s statutory authorities offer rewards for information in four broad categories, and one of them is:

Malicious Cyber Activity: For information that identifies or locates any individual who, while acting at the direction or under the control of a foreign government, aids or abets a violation of the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030. This includes foreign election interference.

But the Tweet explicitly mentioning Cl0p is new. The gang is thought to be behind a recent ransomware spree that compromised a large number of organizations by exploiting a zero-day flaw in Progress’ MOVEit Transfer software.

With as many as 2,500 targets exposed on the Internet, the number of potential victims could be in the hundreds. Some have already been confirmed, either by the firms themselves or by being named on the Cl0p leak site.

Campaigns like Cl0p’s abuse of the MOVEit vulnerability, or high profile attacks like the one on Colonial Pipeline in 2021, can trigger an extra focus on the specific ransomware group responsible. Perhaps aware of this, Cl0p took to its website to preemptively promise that it was not going to use data stolen from government organizations and would delete it instead.

It seems that was not enough to avoid getting in the cross-hairs of the US federal government, as we predicted just hours before. The tweet appeared shortly after our own Cybersecurity Evangelist, Mark Stockley, expressed his doubts that Cl0p’s plan would help them avoid unwanted attention from law enforcement.

“Cl0p’s approach supposes that the US government would react more strongly to sensitive data being leaked than it would to multiple simultaneous breaches by the same criminal organisation. This ignores the fact that by using zero-days to attack hundreds of targets simultaneously, including parts of the federal government, Cl0p has already made itself ransomware’s squeakiest wheel.”

And don’t think that all these ransomware operators sit safely out of reach, behind what used to be an iron curtain. The recent arrest of Ruslan Magomedovich Astamirov, a ransomware actor associated with LockBit, in Arizona, shows that the cybercriminals think they can hide anywhere if they are careful enough.

US Attorney Philip R. Sellinger for the District of New Jersey said:

“Astamirov is the third defendant charged by this office in the LockBit global ransomware campaign, and the second defendant to be apprehended. The LockBit conspirators and any other ransomware perpetrators cannot hide behind imagined online anonymity. We will continue to work tirelessly with all our law enforcement partners to identify ransomware perpetrators and bring them to justice.”

Also, some criminals can’t help themselves and need to show off how rich they are or how clever they think they are. The best example may be Mark Sokolovsky. This Ukrainian national and alleged cybercriminal loved posting selfies with fistfuls of cash. When the Russian invasion of Ukraine caused him to flee the country, his girlfriend posted pictures of the couple’s journey on her Instagram account. Sokolovsky was arrested in the Netherlands and is awaiting extradition to the US, accused of being a key player in the cybercrime operation behind Raccoon Stealer.

So, if you’re in the market for a $10 million reward, happy hunting. And for anyone eligible, I’m throwing in a free copy of Malwarebytes Premium. You’ll need it.



MOVEit discloses THIRD critical vulnerability

In chess, the threefold repetition rule states that a player may claim a draw if the same position occurs three times during the game. Whether this means that customers of the popular file transfer utility MOVEit Transfer can ask for their money back remains to be seen, but we do hope it signals the end of the game.

Let’s do a small recap first, because it’s easy to lose track here. The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. We will use these CVE numbers where available.

Timeline:

This latest vulnerability could lead to escalated privileges and potential unauthorized access to the environment.

Please note that it is very important to follow the instructions outlined in the latest advisory regarding the order in which the patches need to be applied and based on how many patches have already been applied.

The best advice provided by Progress is probably to disable all HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443, to safeguard the environment while a patch is being prepared to address the vulnerabilities, and in case even more of them come to the surface.

Meanwhile the Cybersecurity and Infrastructure Security Agency (CISA) says it’s providing support to several federal agencies that have experienced intrusions affecting their MOVEit applications. Among the probably hundreds of victims are payroll provider Zellis, which serves British Airways and the BBC, oil giant Shell, several financial services organizations, insurance companies, and many others. Reportedly, two US Department of Energy (DOE) entities were also compromised.

Victims have been identified in the UK, US, Germany, Austria, Switzerland, Luxembourg, France, and the Netherlands. Organizations in the US make for most of the victims, but no ransom demands have been made of federal agencies according to a CISA spokesperson.

Cl0p re-emphasized that it was not going to use data stolen from government organizations with a message on its dark web site:

“We got a lot of emails about government data, we don’t have it. We have completely deleted this information. We are only interested in business, everything related to the government has been deleted.”

We shouldn’t mistake this for altruism. It could be that they are simply afraid of the consequences, and that they are fully aware that governmental organizations are not allowed to pay the ransom anyway, so there is no profit to be made there.

Our own Cybersecurity Evangelist, Mark Stockley, has his doubts about Cl0p’s methods:

“Cl0p’s approach supposes that the US government would react more strongly to sensitive data being leaked than it would to multiple simultaneous breaches by the same criminal organisation. This ignores the fact that by using zero-days to attack hundreds of targets simultaneously, including parts of the federal government, Cl0p has already made itself ransomware’s squeakiest wheel.”

Stay tuned for future developments.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.


Fake security researchers push malware files on GitHub

Researchers from VulnCheck have observed a campaign using real security researchers as bait for malware. The campaign goes to some lengths to appear genuine, using fake profiles, downloads, websites, and bogus GitHub profiles, to paint a convincing picture of security professionals offering up exploit code for popular programs.

The campaign included a network of fictitious Twitter accounts posing as employees of a firm called “High Sierra Cyber Security”. The Record notes that several photographs of real security researchers working at well known firms were misused in the campaign.

The tale begins in May of this year, with the discovery of a malicious GitHub repository claiming to be for a zero-day attack for the Signal messaging app. This bogus offering was taken down, but the group behind the page were determined to stick around.

New downloads were offered, but this time in the guise of the previously mentioned security entities. Every High Sierra Cyber Security account claiming to offer exploits for well known products was actually offering up malicious repositories harbouring malware. The supposedly exploitable products included Chrome, Discord, and Exchange. All popular programs, and guaranteed to grab the attention of anyone interested in the security space.

The people behind this leaned heavily into social media to make it all look real, promoting their “finds” on networks such as Twitter. This was a risky gambit for the creators of this malware scam. While it added legitimacy to the overall gameplan, it ran the risk of someone realising that one of the security researchers actually worked somewhere else. This is indeed exactly what happened, and more researchers were identified from the stolen images as the days went by.

The GitHub pages also leaned into social aspects, making use of popular tags like “discordapp”, “cve”, and “rce-exploits” to draw more potential victims in to look at the rogue pages. They must have known that using tags like that would guarantee actual security researchers taking a look and saying “Wait a minute…”

While the GitHub pages are all now offline, the fake Twitter accounts are still live. VulnCheck notes that if you’ve interacted with any of the GitHub pages and Twitter accounts listed on its advisory, you may have been compromised if you downloaded and executed the files.

The GitHub accounts and repositories discovered by VulnCheck are as follows:

GitHub Accounts

  • github.com/AKuzmanHSCS
  • github.com/RShahHSCS
  • github.com/BAdithyaHSCS
  • github.com/DLandonHSCS
  • github.com/MHadzicHSCS
  • github.com/GSandersonHSCS
  • github.com/SSankkarHSCS

Malicious Repositories

  • github.com/AKuzmanHSCS/Microsoft-Exchange-RCE
  • github.com/MHadzicHSCS/Chrome-0-day
  • github.com/GSandersonHSCS/discord-0-day-fix
  • github.com/BAdithyaHSCS/Exchange-0-Day
  • github.com/RShahHSCS/Discord-0-Day-Exploit
  • github.com/DLandonHSCS/Discord-RCE
  • github.com/SSankkarHSCS/Chromium-0-Day

If any of the above look familiar, or if you recognise any of the usernames from their matching Twitter accounts, it may well be time to run some security scans on your PC. It's not unusual for security researchers themselves to be targeted by scams and attacks. If nothing else, it's a major win for malware authors and other people up to no good: the bigger the target's name, the better.
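One practical way to answer "does any of the above look familiar?" is to check the remotes of the git clones on your machines against the account list above. The Python script below is an added example, not code from the article or from VulnCheck's advisory: it sweeps a directory tree for .git/config files and reports any remote that points at one of the listed GitHub accounts. The account names are the ones printed above; the clones it creates for the demonstration are constructed (only a .git/config is written, nothing is fetched), and the temporary directory it uses is an assumption.

```python
"""Sweep local git clones for remotes pointing at the GitHub accounts that
VulnCheck attributed to the fake "High Sierra Cyber Security" researchers.

Added example, not code from the article or from VulnCheck. The account
names come from the list above; the clones built by build_demo_tree() are
constructed for this demonstration and are not real checkouts.
"""
import os
import re
import tempfile
from pathlib import Path

# GitHub accounts named in VulnCheck's advisory (listed in the article above).
MALICIOUS_ACCOUNTS = {
    "AKuzmanHSCS", "RShahHSCS", "BAdithyaHSCS", "DLandonHSCS",
    "MHadzicHSCS", "GSandersonHSCS", "SSankkarHSCS",
}

# Accepts the three remote spellings git produces for GitHub:
#   https://github.com/owner/repo(.git), git@github.com:owner/repo.git,
#   ssh://git@github.com/owner/repo.git
_GITHUB_URL = re.compile(
    r"^(?:https?://|ssh://)?(?:[\w.-]+@)?github\.com[:/]"
    r"([^/\s]+)/([^/\s]+?)(?:\.git)?/?$",
    re.IGNORECASE,
)


def github_owner(url):
    """Return (owner, repo) for a GitHub remote URL, or None for any other URL."""
    m = _GITHUB_URL.match(url.strip())
    return (m.group(1), m.group(2)) if m else None


def remote_urls(config_text):
    """Yield (remote_name, url) from the text of a .git/config file.

    Minimal parser: only [remote "..."] sections and their url keys are read;
    everything else in the file is ignored.
    """
    section = None
    for raw in config_text.splitlines():
        line = raw.strip()
        header = re.match(r'^\[remote\s+"([^"]+)"\]$', line)
        if header:
            section = header.group(1)
            continue
        if line.startswith("["):       # any other section ends the remote block
            section = None
            continue
        if section is not None:
            kv = re.match(r"^url\s*=\s*(.+)$", line)
            if kv:
                yield section, kv.group(1).strip()


def sweep(root):
    """Walk root for git clones; return [(clone_dir, remote_name, url)] hits."""
    wanted = {a.lower() for a in MALICIOUS_ACCOUNTS}   # GitHub names are case-insensitive
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        if ".git" not in dirnames:
            continue
        dirnames.remove(".git")                        # no need to descend into objects/
        config = Path(dirpath) / ".git" / "config"
        if not config.is_file():
            continue
        for remote, url in remote_urls(config.read_text(errors="replace")):
            parsed = github_owner(url)
            if parsed and parsed[0].lower() in wanted:
                hits.append((dirpath, remote, url))
    return hits


def build_demo_tree(root):
    """Write three constructed clones under root: two pointing at accounts from
    the list, one benign. Only .git/config is created, nothing is fetched."""
    clones = {
        "chrome-poc": "https://github.com/MHadzicHSCS/Chrome-0-day.git",
        "exchange-poc": "git@github.com:AKuzmanHSCS/Microsoft-Exchange-RCE.git",
        "cpython": "https://github.com/python/cpython.git",
    }
    for name, url in clones.items():
        git_dir = Path(root) / name / ".git"
        git_dir.mkdir(parents=True)
        (git_dir / "config").write_text(
            "[core]\n\trepositoryformatversion = 0\n"
            f'[remote "origin"]\n\turl = {url}\n'
            "\tfetch = +refs/heads/*:refs/remotes/origin/*\n"
        )


def demo():
    """Build the constructed tree in a temp dir (assumed writable) and sweep it."""
    root = tempfile.mkdtemp(prefix="hscs-sweep-")
    build_demo_tree(root)
    return sweep(root)


if __name__ == "__main__":
    # Real use: sweep(os.path.expanduser("~/src")) or wherever you keep clones.
    for clone_dir, remote, url in demo():
        print(f"SUSPECT {clone_dir}: remote '{remote}' -> {url}")
```

A hit tells you a clone is present, not whether anything in it was run, and the sweep has an obvious blind spot: a repository downloaded as a ZIP from GitHub leaves no .git/config behind, and a clone that was later deleted leaves nothing to find. Treat a match as a reason to scan the machine and review what was executed, not as the whole answer.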

However, it's not quite as common to see security researchers themselves used as a way to infect others online. This is a valuable reminder to always check code you download before executing it. If in doubt, ask someone more familiar with whatever it is you're trying to do. As a general rule, "download this cool exploit for popular program X" tends not to work out well for the person or organisation downloading it.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

LockBit ransomware advisory from CISA provides interesting insights

The US Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing and Analysis Center (MS-ISAC), and the cybersecurity authorities of Australia, Canada, the United Kingdom, Germany, France, and New Zealand (CERT NZ and NCSC-NZ) have published a joint Cybersecurity Advisory about LockBit.

To help organizations understand and defend against this global threat and its large number of unconnected LockBit affiliates, the advisory titled Understanding Ransomware Threat Actors: LockBit includes:

  • A list of approximately 30 freeware and open-source tools used by LockBit actors
  • Over 40 of their TTPs mapped to MITRE ATT&CK
  • Observed common vulnerabilities and exposures (CVEs) used for exploitation
  • An evolution of LockBit RaaS (Ransomware as a Service) along with worldwide trends and statistics
  • Resources and services available from authoring agencies and recommended mitigations to help protect against the worldwide LockBit activity

The advisory points out that in 2022, LockBit was the most active global ransomware group and RaaS provider in terms of the number of victims claimed on its data leak site.

This confirms Malwarebytes' findings that LockBit is the most active Ransomware-as-a-Service operator. In our monthly Ransomware Reviews, LockBit often ranks top for victim count, although Cl0p is a close rival. Cl0p has switched to a different modus operandi, where the gang acquires a vulnerability in a popular business tool, develops an exploitation method, and then uses it against every vulnerable instance it can find. Because of this, Cl0p's attacks come in waves, while LockBit's are more constant.

One of the advantages of being a RaaS operator is the diversity of attack vectors that the initial access brokers (IABs) bring to the table. Some specialize in malspam, while others use known vulnerabilities against organizations that are behind on patches, or try to brute force Internet-facing systems like VPNs, RDP, or SSH. So when one affiliate has a bad month, another is likely to compensate.
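Of those vectors, brute force against an exposed SSH service is the simplest to spot in logs, which makes it a good place to start on the "detect intrusions" side. The Python below is an added example, not code from the article or from the CISA advisory: a sliding-window detector that runs over sshd lines in the classic syslog auth.log format and reports any source address that racks up too many failed passwords in a short window. The log lines are constructed, the year supplied to the year-less syslog timestamps is assumed, and the default threshold of 10 failures within 60 seconds is an illustrative choice rather than a published figure.

```python
"""Flag SSH password brute force from sshd auth.log lines.

Added example, not from the article or the CISA advisory. SAMPLE_LOG is
constructed; the default threshold (10 failures from one source inside a
60-second window) is an illustrative choice, not a published figure.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Classic syslog-style sshd line, e.g.
# "Jun 16 10:02:11 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2"
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_ts(ts, year=2023):
    """Syslog timestamps carry no year; the year is assumed (constructed data)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(lines, threshold=10, window_s=60):
    """Sliding-window detector: a source that produces at least `threshold`
    failed logins within any `window_s` seconds is reported.

    Returns {ip: {"first": datetime, "last": datetime, "failures": int,
                  "users": [usernames tried]}}.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures in the current window
    users = defaultdict(set)      # ip -> usernames attempted
    alerts = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue              # accepted logins and unrelated lines are ignored
        ip, t = m["ip"], parse_ts(m["ts"])
        window = recent[ip]
        window.append(t)
        users[ip].add(m["user"])
        while (t - window[0]).total_seconds() > window_s:
            window.popleft()      # drop failures that fell out of the window
        if len(window) >= threshold:
            alert = alerts.setdefault(ip, {"first": window[0]})
            alert["last"] = t
            alert["failures"] = max(alert.get("failures", 0), len(window))
            alert["users"] = sorted(users[ip])
    return alerts


def _failed(ts, user, ip, invalid=False):
    """Build one constructed sshd failure line."""
    tag = "invalid user " if invalid else ""
    return f"{ts} bastion sshd[2201]: Failed password for {tag}{user} from {ip} port 51122 ssh2"


# Constructed sample: one accepted key login, a user mistyping a password three
# times over seven minutes, and one source trying twelve passwords in 22 seconds.
SAMPLE_LOG = [
    "Jun 16 10:01:58 bastion sshd[2190]: Accepted publickey for deploy from 192.0.2.10 port 40022 ssh2",
    _failed("Jun 16 10:02:11", "alice", "198.51.100.20"),
    _failed("Jun 16 10:05:40", "alice", "198.51.100.20"),
    _failed("Jun 16 10:09:02", "alice", "198.51.100.20"),
] + [
    _failed(f"Jun 16 10:12:{sec:02d}", user, "203.0.113.7", invalid=(user != "root"))
    for sec, user in zip(range(10, 34, 2),
                         ["root", "admin", "test", "user", "oracle", "ubuntu"] * 2)
]


if __name__ == "__main__":
    for ip, a in detect_bruteforce(SAMPLE_LOG).items():
        span = (a["last"] - a["first"]).total_seconds()
        print(f"ALERT {ip}: {a['failures']} failures in {span:.0f}s, users tried: {', '.join(a['users'])}")
```

The same structure carries over to RDP (Windows Security event 4625) or VPN concentrator logs once the line parser is swapped. The part worth tuning against your own baseline is the window and threshold: a slow, distributed brute force that keeps each source below the per-address threshold is exactly what this check misses, and the mistyping user in the sample shows why a threshold too low generates noise.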

This variety also creates a problem for defenders. The advisory states:

“Due to the large number of unconnected affiliates in the operation, LockBit ransomware attacks vary significantly in observed tactics, techniques, and procedures (TTPs). This variance in observed ransomware TTPs presents a notable challenge for organizations working to maintain network security and protect against a ransomware threat.”

A disadvantage of the RaaS model for its operators is the mutual trust it requires. Among anonymous criminals that must be an exceptional challenge, and it is very likely the reason why other RaaS operators such as DarkSide and Avaddon shut down.

The geographical distribution of the IABs also accounts for some remarkable differences between countries. Some of the participating countries provided their own statistics for LockBit's share of ransomware attacks. Australia noted that in the last year the gang accounted for 18% of total reported ransomware incidents, while in Canada (22%) and New Zealand (23%) LockBit was responsible for more than one in every five attacks in 2022.

France said 11% of the attacks it has seen since 2020 involved LockBit. In the US, the main target of almost every commercial ransomware group, LockBit was responsible for 16% of attacks on public entities, which include municipal and county governments, public higher education and K-12 schools, as well as vital services like law enforcement agencies.

The advisory also provides long lists of the legitimate tools, vulnerabilities, tactics, and techniques deployed by LockBit affiliates. As noted above, because of the number (over 100) and diversity of those affiliates, these lists are long and subject to change.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.
