IT NEWS

Skater brand Vans emailed customers last week to tell them about a recent “data incident.”

On December 13, 2023, Vans said it detected unauthorized activities on its IT systems, attributed to “external threat actors.” An investigation revealed that the incident involved some personal information of Vans’ customers. The affected information could include:

• Email address
• Full name
• Phone number
• Billing address
• Shipping address

In certain cases, the affected data may also include order history, total order value, and information about the payment method used for the purchases. Vans notes that the payment method does not specify details like account number, just the method described as “credit card”, “Paypal”, or “bank account payment”, with no additional details attached.

The data incident turned out to be a ransomware attack. In a filing with the Securities and Exchanges Commission (SEC), parent company V.F. Corporation stated the hackers disrupted business operations and stole the personal information of approximately 35.5 million individual consumers.

The attack was claimed by the ALPHV/BlackCat ransomware group. This happened during the period that ALPHV was in a spot of trouble themselves by events eventually leading to faking their own death.  It is unclear whether VF Corporation was able to use the decryptor made available after law enforcement seized control of ALPHV’s infrastructure, even though ALPHV reportedly claimed that the company tried to obtain a decryptor from law enforcement.

Vans says there’s no evidence suggesting any actual impact on any individual consumer whose personal data were part of the affected data set, but it does warn about phishing and fraud attempts which could lead to identity theft.

Data breach tips

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check if your data has been breached

Check if your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll send you a report.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

In October 2023, The British Library was attacked by the Rhysida ransomware gang in a devastating cyberattack.

The library, a vast repository of over 170 million items, is still deep in the recovery process, but recently released an eighteen page cyber incident review describing the attack, its impact, the aftermath, and the lessons learned. The report is full of useful information, and well worth a read, even if you’re responsible for security in a much smaller organisation.

The attack and its aftermath is a reminder that big game ransomware remains the preeminent cyberthreat to organisations of all sizes, and the tactics it describes will be familiar to anyone who has read the Big Game Ransomware section of our 2024 State of Malware report.

The ransomware itself was launched on October 28, 2023, but the library believes that the Rhysida group infiltrated its systems at least three days before that. During those three days the group conducted what the library calls “hostile reconnaissance,” and exfiltrated 600GB of data.

The report also describes how the gang “hijacked native utilities” to copy databases. Using tools that are already on a victim’s network (a technique know as Living off the Land) makes it easier for ransomware gangs to avoid detection while they prepare an attack.

However, there are some details about the attack that either add to the body of knowledge, or remind us of things that are easily overlooked, so I’ve picked out some lessons from the report that can probably be usefully applied by any IT team.

1. Complexity helped the attackers

One thing that leaps off the pages of the report is how the library’s complex infrastructure aided the attackers. The report describes the library environment as an “unusually diverse and complex technology estate, including many legacy systems.” Unless you work for a brand new startup, the chances are that you recognise some of your own company network in that description, even if it isn’t as complex as the British Library.

This technical debt prevented the library from complying with security standards, “contributed to the severity of the impact of the attack,” and offered the attackers wider access than they should have had.

Most damaging of all though is the effect that carrying too much complexity has had on the library’s ability to recover:

“Our reliance on legacy infrastructure is the primary contributor to the length of time that the Library will require to recover from the attack. These legacy systems will in many cases need to be migrated to new versions, substantially modified, or even rebuilt from the ground up, either because they are unsupported and therefore cannot be repurchased or restored, or because they simply will not operate on modern servers or with modern security controls.”

It concludes, “there is a clear lesson in ensuring the attack vector is reduced as much as possible by keeping infrastructure and applications current.”

2. Endpoint protection matters

While the issue of complexity crops up again and again in the report, there is another significant finding that’s covered in just a single line—the importance of effective endpoint protection.

As devastating as the attack on the library was, it could have been worse. The attack only succeeded in compromising the organisation’s servers, but its desktops and laptops were spared because they were running a more modern “defensive software” that successfully identified and prevented the attack.

“A different software system successfully identified and prevented the encryption attack from executing on our laptop and desktop estates, but older defensive software on the server estate was unable to resist the attack.”

The clear implication is that if the system that was running on the desktops and laptops had also been running on the servers then the attack would have been thwarted.

As important as monitoring technologies like SIEM, EDR and MDR have become, it remains as true today as it ever has that every endpoint and server, whether they’re Windows, Macs, or Linux machines, needs a next-gen antivirus engine that can detect and stop known threats and block suspicious behaviour, such as malicious encryption.

3. Ransomware is 24/7

The report also mentions another potential opportunity to stop the attack. It describes how “at 01:15 on 26 October 2023, the Library’s IT Security Manager was alerted to possible malicious activity on the Library network.” The IT manager took action, monitored the situation and the escalated the incident the following morning. A subsequent detailed analysis of activity logs, “did not identify any obviously malicious activity.”

Investigations performed after the attack “identified evidence of an external presence on the Library network at 23:29 on Wednesday 25 October 2023,” and that “an unusually high volume of data traffic (440GB) had left the Library’s estate at 1.30am on 28 October.” This suggests that there were further opportunities to detect the attackers’ “hostile reconnaissance.”

We highlight this to demonstrate an important point about how ransomware gangs operate, not to second guess the IT team at the library. It seems that everyone concerned treated the incident very seriously and took appropriate action, and they have our sympathy.

What we want to draw your attention to is that all three incidents happened in the dead of night.

Groups like Rhysida make significant efforts to cover their tracks, and are likely to work at times when their targets are least well staffed. However, even as stealthy as they are, their out-of-hours activities still create opportunities for skilled security staff to detect them. The problem for defenders is that their skilled security staff need to be working at the same time as the attackers.

For many organisations, the only practical way to achieve that is through a Managed Service Provider or a service like Managed Detection and Response (MDR).

How to avoid ransomware

• Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
• Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
• Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
• Stop malicious encryption. Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
• Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
• Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

This week on the Lock and Code podcast…

Few words apply as broadly to the public—yet mean as little—as “home network security.”

For many, a “home network” is an amorphous thing. It exists somewhere between a router, a modem, an outlet, and whatever cable it is that plugs into the wall. But the idea of a “home network” doesn’t need to intimidate, and securing that home network could be simpler than many folks realize.

For starters, a home network can be simply understood as a router—which is the device that provides access to the internet in a home—and the other devices that connect to that router. That includes obvious devices like phones, laptops, and tablets, and it includes “Internet of Things” devices, like a Ring doorbell, a Nest thermostat, and any Amazon Echo device that come pre-packaged with the company’s voice assistant, Alexa. There are also myriad “smart” devices to consider: smartwatches, smart speakers, smart light bulbs, don’t forget the smart fridges.

If it sounds like we’re describing a home network as nothing more than a “list,” that’s because a home network is pretty much just a list. But where securing that list becomes complicated is in all the updates, hardware issues, settings changes, and even scandals that relate to every single device on that list.

Routers, for instance, provide their own security, but over many years, they can lose the support of their manufacturers. IoT devices, depending on the brand, can be made from cheap parts with little concern for user security or privacy. And some devices have scandals plaguing their past—smart doorbells have been hacked and fitness trackers have revealed running routes to the public online.

This shouldn’t be cause for fear. Instead, it should help prove why home network security is so important.

Today, on the Lock and Code podcast with host David Ruiz, we’re speaking with cybersecurity and privacy advocate Carey Parker about securing your home network.

Author of the book Firewalls Don’t Stop Dragons and host to the podcast of the same name, Parker chronicled the typical home network security journey last year and distilled the long process into four simple categories: Scan, simplify, assess, remediate.

In joining the Lock and Code podcast yet again, Parker explains how everyone can begin their home network security path—where to start, what to prioritize, and the risks of putting this work off, while also emphasizing the importance of every home’s router:

Your router is kind of the threshold that protects all the devices inside your house. But, like a vampire, once you invite the vampire across the threshold, all the things inside the house are now up for grabs.

Carey Parker

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

Last week on Malwarebytes Labs:

• New Go loader pushes Rhadamanthys stealer
• Canada revisits decision to ban Flipper Zero
• Patch Ivanti Standalone Sentry and Ivanti Neurons for ITSM now
• 19 million plaintext passwords exposed by incorrectly configured Firebase instances
• Apex Legends Global Series plagued by hackers
• Tax scammer goes after small business owners and self-employed people
• The ‘AT&T breach’—what you need to know
• Upcoming webinar: How a leading architecture firm approaches cybersecurity
• Social media influencers targeted by identity thieves
• Store manager admits SIM swapping his customers

Stay safe!

Malware loaders (also known as droppers or downloaders) are a popular commodity in the criminal underground. Their primary function is to successfully compromise a machine and deploy one or multiple additional payloads.

A good loader avoids detection and identifies victims as legitimate (i.e. not sandboxes) before pushing other malware. This part is quite critical as the value of a loader is directly tied to the satisfaction of its “customers”.

In this blog post, we describe a malvertising campaign with a loader that was new to us. The program is written in the Go language and uses an interesting technique to deploy its follow-up payload, the Rhadamanthys stealer.

Malicious ad targets system administrators

PuTTY is a very popular SSH and Telnet client for Windows that has been used by IT admins for years. The threat actor bought an ad that claims to be the PuTTY homepage and appeared at the top of the Google search results page, right before the official website.

In this example, the ad looks suspicious simply because the ad snippet shows a domain name (arnaudpairoto[.]com) that is completely unrelated. This is not always the case, and we continue to see many malicious ads that exactly match the impersonated brand.

Fake PuTTY site

The ad URL points to the attacker controlled domain where they can easily defeat security checks by showing a “legitimate” page to visitors that are not real victims. For example, a crawler, sandbox or scanner, will see this half finished blog:

Real victims coming from the US will be redirected to a fake site instead that looks and feels exactly like putty.org. One of the big differences though is the download link.

The malicious payload is downloaded via a 2 step redirection chain which is something we don’t always see.

puttyconnect[.]info/1.php
HTTP/1.1 302 Found
Location: astrosphere[.]world/onserver3.php

astrosphere[.]world/onserver3.php
HTTP/1.1 200 OK
Server: nginx/1.24.0
Content-Type: application/octet-stream
Content-Length: 13198274
Connection: keep-alive
Content-Description: File Transfer
Content-Disposition: attachment; filename="PuTTy.exe"

We believe the astrosphere[.]world server is performing some checks for proxies while also logging the victim’s IP address. This IP address will later be checked before downloading the secondary payload.

That PuTTy.exe is malware, a dropper written in the Go language (version 1.21.0).

Its author may have given it the name “Dropper 1.3“:

Follow-up payload

Upon executing the dropper, there is an IP check for the victim’s public IP address. This is likely done to only continue with users that have gone through the malicious ad and downloaded the malware from the fake site.

zodiacrealm[.]info/api.php?action=check_ip&ip=[IP Address]

If a match is found, the dropper proceeds to retrieve a follow-up payload from another server (192.121.16[.]228:22) as seen in the image below:

To get this data, we see it uses the SSHv2 (Secure Shell 2.0) protocol implemented via OpenSSH on a Ubuntu server. We can only think of using this protocol to make the malware download more covert.

That payload is Rhadamanthys which is executed by the parent process PuTTy.exe:

Malvertising / loader combo

We have seen different types of loaders via malvertising campaigns, including FakeBat which we profiled recently. Given how closely the loader is tied to the malvertising infrastructure it is quite likely that the same threat actor is controlling both. The service they offer to other criminals is one of malware delivery where they take care of the entire deployment process, from ad to loader to final payload.

We reported this campaign to Google. Malwarebytes and ThreatDown users are protected as we detect the fake PuTTY installer as Trojan.Script.GO.

ThreatDown users that have DNS Filtering can enable ad blocking in their console to prevent attacks that originate from malicious ads.

Indicators of Compromise

Decoy ad domain

arnaudpairoto[.]com

Fake site

puttyconnect[.]info

PuTTY

astrosphere[.]world
0caa772186814dbf84856293f102c7538980bcd31b70c1836be236e9fa05c48d

IP check

zodiacrealm[.]info

Rhadamanthys

192.121.16[.]228:22
bea1d58d168b267c27b1028b47bd6ad19e249630abb7c03cfffede8568749203

In February 2024 the Canadian government announced plans to ban the sale of the Flipper Zero, mainly because of its reported use to steal cars.

The Flipper Zero is a portable device that can be used in penetration testing with a focus on wireless devices and access control systems.

If that doesn’t help you understand what it can do, a few examples from the news might help.

Flipper Zero made headlines in October because versions running third-party firmware could be used to crash iPhones running iOS 17 (since resolved in iOS 17.2).

Later, reporters found information that car thieves could use the Flipper Zero to intercept, record, and sometimes mimic the signal of a vehicle’s key fob, and if the car was in a garage, the signal of the garage door opener too.

Importantly, this only works on older car models that use fixed numeric codes for their fobs. Not on cars that use rolling codes, which change the numeric code transmitted from a key fob with each use. As a result, car thieves continued to ignore the Flipper Zero in favour of key fob signal boosters and keyless repeaters which are a lot more powerful.

Oddly enough, the car thieving option was mentioned as the main reason for putting a ban on the Flipper Zero in Canada. Although Canada’s Minister of Innovation, Science, and Industry, François-Philippe Champagne said:

“We are banning the importation, sale and use of consumer hacking devices, like flippers, used to commit these crimes.”

Very recently, a group of security researchers presented a series of vulnerabilities in the widely used Dormakaba Saflok electronic RFID locks. This vulnerability impacts over 3 million doors on over 13,000 properties in 131 countries, mostly in hotels.

Reportedly, an attacker only needs to read one keycard from the property to perform the attack against any of its doors. This keycard can be from their own room, or even an expired keycard taken from the express checkout collection box.

Any device capable of reading and writing or emulating MIFARE Classic cards is suitable for this attack. MIFARE is a contactless card technology introduced in 1994. It’s primarly used for transport passes, but its technological capabilities quickly made it one of the most popular smart cards for storing data and providing access control.

One device that can be used for this attack is the Flipper Zero, but an attacker could just as easily use a Proxmark 3 or any NFC capable Android phone.

After an appeal by the security community, Canada now looks like it’s going to move forward with measures to restrict the use of devices like Flipper Zero to legitimate actors only. The specifics will be revealed after deliberation with Canadian companies, online retailers, and the automotive industry.

Conclusions

None of the technology housed within the Flipper Zero is very new, all it does is combine multiple functions into one handheld device. We have never seen any officially confirmed cases of theft using a Flipper Zero. If you want to ban something that helps against car theft, look at keyless repeaters, on the market for a host of car brands and which have no other purpose.

For all the vulnerabilities we described, updates came out that fixed the issues and made the world a safer place, although the patches haven’t been applied everywhere—it’s a lot of work to update all the locks in a hotel, and it’s not feasible to update the fob systems of older cars. Nevertheless, the research by pen testers has led to security improvements, so why would we want to take away their tools?

If we have peaked your interest to buy a Flipper Zero, we urge you to be careful. Due to limited availability there are scammers active that will take your money and send nothing in return.

You can learn more about Flipper Zero by listening to our Lock and Code podcast below. In December 2023, host David Ruiz had a long conversation in with Cooper Quintin, senior public interest technologist with the Electronic Frontier Foundation—and Flipper Zero owner—about what the Flipper Zero can do, what it can’t do, and whether governments should get involved in the regulation of the device.

Ivanti has issued patches for two vulnerabilities. One was discovered in the Ivanti Standalone Sentry, which impacts all supported versions 9.17.0, 9.18.0, and 9.19.0. Older versions are also at risk. The other vulnerability impacts all supported versions of Ivanti Neurons for ITSM—2023.3, 2023.2 and 2023.1, as well as unsupported versions which will need an upgrade before patching.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs patched in these updates are:

CVE-2023-41724 (CVSS score 9.6 out of 10), which allows an unauthenticated threat actor to execute arbitrary commands on the underlying operating system of the appliance within the same physical or logical network.

This vulnerability was reported to Ivanti by the NATO Cyber Security Centre. Ivanti says it’s not aware of any customers being exploited by this vulnerability at the time of disclosure. The attack option is limited because an attacker without a valid Transport Layer Security (TLS) client certificate enrolled through Ivanti Endpoint Manager Mobile (EPMM) cannot directly exploit this issue on the internet.

Ivanti says its customers can access the patch (9.17.1, 9.18.1 and 9.19.1) via the standard download portal.

CVE-2023-46808 (CVSS score 9.9 out of 10) which allows an authenticated remote user to perform file writes to ITSM server. Successful exploitation can be used to write files to sensitive directories which may allow attackers to execute commands in the context of a web application’s user.

The patch has been applied to all Ivanti Neurons for ITSM Cloud landscapes. On-premise customers are advised to act immediately to ensure they are fully protected. Ivanti says it is not aware of any customers being exploited by this vulnerability prior to public disclosure.

The patch is available on the Ivanti Neurons for ITSM downloads page for each respective 2023.X version. This will require upgrading to 2023.X to apply the patch.

The vulnerabilities have a 2023 CVE because of a reservation made towards the end of 2023, when they were first found and reported. It is Ivanti’s policy that when a CVE is not under active exploitation to disclose the vulnerability when a fix is available, so that customers have the tools they need to protect their environment.

Get patching!

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

Three researchers scanned the internet for vulnerable Firebase instances, looking for personally identifiable information (PII).

Firebase is a platform for hosting databases, cloud computing, and app development. It’s owned by Google and was set up to help developers build and ship apps.

What the researchers discovered was scary. They found 916 websites from organizations that set their Firebase instances up incorrectly, some with no security rules enabled at all.

One of the researchers told BleepingComputer that most of the sites also had write enabled (meaning anyone can change it) which is bad, and one of them was a bank.

During a sweep of the internet that took two weeks, the researchers scanned over five million domains connected to Google’s Firebase platform.

The total amount of exposed data is huge:

• Names: 84,221,169
• Emails: 106,266,766
• Phone Numbers: 33,559,863
• Passwords: 20,185,831
• Billing Info (Bank details, invoices, etc): 27,487,924

And as if that isn’t bad enough, 19,867,627 of those passwords were stored in plaintext. Which is a shame given that Firebase has a built-in end-to-end identity solution called Firebase Authentication that is specifically designed for secure sign-in processes and does not expose user passwords in the records.

So, an administrator of a Firebase database would have to go out of their way and create an extra database field in order to store the passwords in plaintext.

The researchers have warned all the affected companies, sending 842 emails in total. Only 1% of the site owners replied, but about a quarter of them did fix the misconfiguration.

In this case we can consider it a blessing that these researchers managed to get a lot of those instances correctly configured. On the other hand it’s frightening that the rest lives on in a state of insecurity.

Check your digital footprint

If you want to find out how much of your data has been exposed online, you can try our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

While most tax payers don’t particularly look forward to tax season, for some scammers it’s like the opening of their hunting season. So it’s no surprise that our researchers have found yet another tax-related scam.

In this most recent scam, we’ve not seen the lure the scammer uses, but it is likely to be an email telling the target to quickly go to this site to apply for your IRS EIN/Federal tax ID number.

EIN is short for Employer Identification Number. The IRS uses this number to identify taxpayers who are required to file various business tax returns. EINs are used by employers, sole proprietors, corporations, partnerships, non-profit associations, trusts, estates of decendents, government agencies, certain individuals, and other business entities.

Given the flow of the scam it’s very likely that the targets are self-employed and/or small business (SMB) owners. It’s possible that the phisher has obtained or bought a collection of email addresses from a data broker that fit a certain profile (for example, self-employed US residents).

To start this operation, the scammer doesn’t need a lot of information about their targets. A valid email address for a self-employed US resident could cost just a few cents on an underground forum on the dark web. However, the scammer might not even need to venture that far, as Senior Director of Technology and Engineering and Consumer Privacy at Malwarebytes, Shahak Shalev told us:

“I don’t think one would have to go to the dark web to get information like this as there are regular companies selling this information. They would probably qualify it as “lead generation”. According to our sources, pricing for one million self-employed US citizens usually goes for $1USD per contact, but for such a large amount it would probably be $0.1 per contact.”

The information the phishers are after is quite extensive and includes a person’s social security number (SSN).

A compromised social security number poses a major problem. A SSN stays with you for a lifetime, and is closely tied to your banking and credit history. Adding a person’s SSN to the scammers’ data could create far more opportunities for identity theft and fraud.

And if that wasn’t serious enough, the scammers here have the audacity to charge you for the tax ID number, even though applying for an Employer Identification Number (EIN) is a free service offered by the Internal Revenue Service (IRS).

We also found the scammer made a mistake when setting up their fake website. By looking at the privacy policy of the scammer’s site it became apparent that they forgot a small edit when they copied the privacy policy from someone else, but neglected to edit the original domain in one place.

If you’ve received a mail or other invitation including a link to the domain irs-ein-gov.us, please let us know in the comments. We would love to have a copy so we can complete this attack profile.

How to avoid falling for a tax scam

Before acting on an email’s request, stop and think about the following:

• Remember: The IRS doesn’t ask taxpayers for personal or financial information over email, text messages, or social media channels. This includes requests for PINs, passwords or similar access information for credit cards, banks, or other financial accounts.
• Do not interact with the sender, click any links, or open any attachments.
• Send the full email headers or forward the email as-is to phishing@irs.gov. Do not forward screenshots or scanned images of emails because this removes valuable information.
• Delete the email.

If you are unsure if a certain communication is from the IRS, you can go to IRS.gov and search for the letter, notice, or form number. If it is legitimate, you’ll find instructions on how to respond. If there’s a form to fill in the verify that it is identical to the same form on IRS.gov by searching forms and instructions.

Malwarebytes Premium customers are protected against this particular scam if they have Web Protection enabled.

IOCs

Domains

ustaxnumber[.]org

ustaxnumber[.]com

irs-ein-gov[.]us

Check your digital footprint

If you want to find out how much of your data has been exposed online, you can try our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

The North American finals of online shooter game Apex Legends has been postponed after games were disrupted by hacking incidents.

Apex Legends, published by EA, is currently in an important stage of its Global Series, the regional finals mode. This is a big deal for the top players since there is a $5 million prize pool, with a few of the top teams in each region set to battle it out in the finals.

But on Monday, the Apex Legends official X account tweeted that it had postponed the contest after deciding the “competitive integrity” of the series had been compromised.

According to PCGamer, there were at least two major incidents:

“First, Noyan “Genburten” Ozkose of DarkZero suddenly found himself able to see other players through walls, then Phillip “ImperialHal” Dosen of TSM was given an aimbot.”

An aimbot is a program or patch that allows the player to cheat by having the character’s weapon aimed automatically. Using cheats like those would lead to immediate disqualification and total loss of respect if done on purpose.

The volunteers of the Anti-Cheat Police Department warned players against playing any games protected by Easy Anti-Cheat (EAC) or any EA titles for a while, because they suspected a Remote Code Execution (RCE) exploit was being used against the players.

However, recent developments point less toward an RCE being the cause and more to an actual infection on the players’ computers…

Malwarebytes to the rescue

In a livestream, affected gamer ImperialHal spoke to cybersecurity expert “PirateSoftware,” who has been investigating the attacks.

ImperialHal uses Malwarebytes to scan his machine which flags an inbound connection from an IP address linked to a server known for malicious activities.

It appears that the attacker had direct access to ImperialHal’s computer, likely via a Trojan. PirateSoftware concluded:

“I don’t see evidence of Apex having RCEs. It does not mean that it’s impossible but I still don’t see evidence, while I do see evidence of him having direct access to your machine.”

Protect yourself

We recommend that all gamers scan their computers with reliable security software. Malwarebytes Premium for Windows’ Brute Force Protection feature blocked the connection from being made to ImperialHal’s computer, so make sure you enable that feature.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.