IT NEWS

The Securities and Exchange Commission (SEC) has announced charges against software company SolarWinds Corporation and its chief information security officer (CISO), Timothy G. Brown, for “fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities.”

In 2020, SolarWinds announced it had been hacked and that its compromised software channel was used to push out malicious updates onto 18,000 of its Orion platform customers. The nearly two-years long cyberattack was dubbed SUNBURST.

The complaint by the SEC, filed in the Southern District of New York, alleges that during the cyberattack, and perhaps before and after too, SolarWinds and Brown defrauded investors by overstating SolarWinds’ cybersecurity practices, as well as understating or failing to disclose known risks.

The SEC claims that SolarWinds “misled investors by disclosing only generic and hypothetical risks at a time when the company and Brown knew of specific deficiencies in SolarWinds’ cybersecurity practices as well as the increasingly elevated risks the company faced at the same time.”

A 2018 presentation based on an internal assessment which was shared internally, including with Brown, stated that SolarWinds’ remote access set-up was “not very secure” and that someone exploiting the vulnerability “can basically do whatever without us detecting it until it’s too late.”

In June 2020, while investigating a cyberattack on a SolarWinds customer, Brown wrote that it was “very concerning” that the attacker may have been looking to use SolarWinds’ Orion software in larger attacks because “our backends are not that resilient.”

Instead of dealing with these problems, SolarWinds and Brown “engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information.”

Even the disclosure about the SUNBURST attack was allegedly incomplete. The SEC’s complaint alleges that SolarWinds and Brown violated the antifraud provisions of the Securities Act of 1933 and of the Securities Exchange Act of 1934; SolarWinds violated reporting and internal controls provisions of the Exchange Act; and Brown aided and abetted the company’s violations.

The complaint seeks permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and an officer and director bar against Brown.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

It would be easy to think that Gen Z doesn’t care about privacy. They worry less about ad tracking, do little to stem the flow of their private information online, and, as Malwarebytes recently uncovered, monitor one another’s lives far more than other generations.

But it isn’t that Gen Z, wholesale, doesn’t care about privacy. It’s that they care about privacy in a different way.

Unlike other generations whose privacy fears are deeply entangled with concerns of traditional cybercrimes like identity and credit card theft, Gen Z worries most about the exposure of their private information because of the chance of harassment, bullying, and lost friendships.

In fact, when it comes to many privacy concerns that have a cybersecurity overlap, Gen Z cares less overall. According to our research, compared to 51 percent of non-Gen Z, 62 percent of Gen Z agreed or strongly agreed with the following statement:

“I’m more worried about my private information being exposed online (e.g., embarrassing/compromising photos/videos, mental health, sexuality, etc.) than I am about typical cybersecurity threats (like viruses, malware etc.).”

As privacy advocates (including Malwarebytes) continue to fight for expanded digital rights amongst all users, it is paramount that we understand how to appeal to a younger generation of future recruits. For Generation Z, that data privacy fight is unlikely to deal with data brokers, Bluetooth trackers, or privacy-invasive web browsers. It is also unlikely to lean on the same concept of “privacy” itself.

Instead, the fight for “privacy” may start from the inverse: The right to control what becomes public.

Losing the fight for traditional online privacy

In October, Malwarebytes published new research into the cybersecurity and online privacy habits of 1,000 respondents in the United States and Canada. Titled “Everyone’s afraid of the internet and no one’s sure what to do about it,” the report reveals that too many people spy on their spouses, too few use unique passwords, and too many who are worried about identity theft don’t actually do anything about it (and to those people, we say: We’ve got you covered).

Deeper inside the data, though, is a depressing, new finding: We have likely lost the fight on traditional online privacy. Online ad tracking and location monitoring—which privacy advocates have lobbied against for years—are of little importance to Gen Z.

A third, or 33 percent, of Gen Z agreed or strongly agreed with the statement “I don’t mind being tracked by websites or apps,” compared with 22 percent of non-Gen Z, and 49 percent of Gen Z agreed or strongly agreed that “Being able to track my spouse’s/significant other’s location when they are away is extremely important to me,” compared with 39 percent of non-Gen Z.

Looking at disagreement with certain statements also shines light on what Gen Z finds acceptable in their own relationships. When asked how they feel about the statement “I think monitoring apps and tools are an invasion of privacy,” fewer Gen Z respondents disagreed than non-Gen Z—18 percent compared to 24 percent—revealing, perhaps, that fewer members of this younger generation will ever stand up against this type of intimate surveillance.

But for all the spying and ad tracking that Gen Z allows, their approach to obtaining consent before posting about other people is, simply put, extraordinary.

When Gen Z shares photos, videos, or information about literally anyone in their lives, they always seek consent for every type of relationship more often than non-Gen Z. More often, Gen Z always seeks consent when posting about their spouse or significant other (39 percent compared to 32 percent non-Gen Z), their close friends (41 percent compared to 32 percent), their children (39 percent compared to 29 percent), other people’s children (41 percent compared to 35 percent), their parents (38 percent compared to 29 percent), other, older family members (34 percent compared to 29 percent), other, younger family members (36 percent compared to 30 percent), and even people they don’t know or don’t know well (32 percent compared to 26 percent).

Here, we see a kernel of an idea for Gen Z privacy, in that what is shown is what matters.

What Gen Z really cares about

Despite the differences discussed above, Gen Z’s privacy “calculus” is quite similar to that of non-Gen Z. Both groups worry about personal information being used in ways that they haven’t agreed to, which can lead to consequences they’ve personally experienced.

Where non-Gen Z worries about identity theft, credit card fraud, data breaches, and good old-fashioned hacking, Gen Z simply can’t be bothered.

A full 86 percent of non-Gen Z are concerned or very concerned about their financial accounts being hacked, compared to 72 percent of Gen Z who feel the same way. Similarly, 85 percent of non-Gen Z are concerned or very concerned about having personal information or data stolen by hackers or thieves, compared to the 74 percent of Gen Z, and 86 percent of non-Gen Z are concerned or very concerned about identity theft or fraud, compared to 69 percent of Gen Z.

Gen Z’s (relative) ease with these threats is understandable—these aren’t even “threats” to them, they’re facts of life. How do you define a “stolen” Social Security Number after the attack on Equifax? How do you spend time worrying about one company’s data breach when hundreds are hacked every year?

Instead, Gen Z worries about being unable to manage the information released about them online, and the potential fallout that could—and in many cases already has—come from it.

This is first visible in the fact that Gen Z is more concerned or very concerned about having their personal struggles shared online (59 percent compared to 57 percent for non-Gen Z), having their sexual orientation exposed online (45 percent compared to 37 percent), and having embarrassing photos, videos, or information posted about them online (61 percent compared to 55 percent).

From that type of exposure, Gen Z then worries more often about interpersonal consequences than non-Gen Z. More than a third, 34 percent, of Gen Z worry about “what my friends/family would think of me” compared to 26 percent of non-Gen Z, and 29 percent worry about “what would happen to my friendships/relationships” compared to 26 percent of non-Gen Z.

More consequentially, 34 percent of Gen Z worry about being physically harmed, compared to 27 percent of non-Gen Z, while 36 percent worry about being bullied, compared to 22 percent of non-Gen Z.

Now, it may be easy to excuse some of these numbers on youth—bullying is more prevalent for students, even if it extends online—but the same fears carry over into the workplace. Again, almost a third of Gen Z, 33 percent, worry about being fired or having a work opportunity taken away because of exposed private information, compared to 29 percent of non-Gen Z.

Buoying many of these fears is the fact that many members of Gen Z have already directly faced these types of events before. Disproportionately, Gen Z deals with more harassment, abuse, blowback, and upset feelings for the things that they and others share about them online than non-Gen Z.

In the research, Malwarebytes asked respondents “Have any of the following consequences ever happened to you because of something you or someone else did or posted online?” Gen Z revealed that:

• 20 percent have had their confidence hurt because of how they were portrayed (compared to 12 percent of non-Gen Z)
• 23 percent suffered worsened mental health (compared to 12 percent of non-Gen Z)
• 18 percent had someone incorrectly assume something about them or their identity (compared to 12 percent of non-Gen Z)
• 18 percent were stalked or bullied (compared to 9 percent of non-Gen Z)
• 17 percent lost a friend, significant other, or someone important to them (compared to 8 percent of non-Gen Z)

Amidst all the data, these responses spotlight the largest discrepancies—twice as many Gen Zers have been stalked or bullied because of something posted online, and almost twice as many have lost a close friend or partner.

The response here cannot be blamed.

In the same way that people of all ages are forced to give up sensitive information to participate in modern society—divulging Social Security Numbers on mortgage applications or passport numbers on airline websites when flying internationally—Gen Z grew up in an era where posting on social media was the norm.

Further, the judgement that Gen Z faces online often applies a binary thinking to nuanced issues. With just one Instagram post, TikTok video, or tweet, people are separated into in-groups and out-groups. Jobs can be threatened, friendships can be enflamed.

If privacy is to continue, it must offer something to its youngest participants. Today and in the future, we hope Generation Z can consider that privacy isn’t about having something to hide—it’s about choosing what to broadcast.

Tech company F5 has warned customers about a critical authentication bypass vulnerability impacting its BIG-IP product line that could result in unauthenticated remote code execution.

F5 provides services focused on security, reliability, and performance. BIG-IP is a collection of hardware platforms and software solutions that provides a wide range of services, including load balancing, web application firewall, access control, and DDoS protection.

Two security researchers found a critical vulnerability in the configuration utility of several versions of BIG-IP:

• 17.1.0 (Fixed in 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG)
• 16.1.0 – 16.1.4 (Fixed in 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG)
• 15.1.0 – 15.1.10 (Fixed in 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG)
• 14.1.0 – 14.1.5 (Fixed in 14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG)
• 13.1.0 – 13.1.5 (Fixed in 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG)

In a post, F5 said:

“This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands.”

F5 also said customers can also use iHealth to check if they are vulnerable.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. This CVEs is listed as:

CVE-2023-46747 (CVSS score 9.8 out of 10): Undisclosed requests may bypass configuration utility authentication, allowing an attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

BIG-IP defines a self IP address as an IP address on the BIG-IP system that you associate with a virtual local area network (VLAN), to access hosts in that VLAN. A  customer normally assigns self IP addresses to a VLAN when they initially run the Setup utility on a BIG-IP system.

An authentication bypass happens when someone claims to have a given identity, but the software does not prove or insufficiently proves that the claim is correct.

Remote code execution (RCE) is when an attacker accesses a target computing device and makes changes remotely, no matter where the device is located.

In general you can say that if the BIG-IP Traffic Management User Interface is exposed to the internet, then the system in question is impacted. It’s estimated that there are over 6,000 external-facing instances of the application.

The researchers say exploitation of the vulnerability could lead to a total compromise of the F5 system by executing arbitrary commands as root on the target system.

“A seemingly low impact request smuggling bug can become a serious issue when two different services offload authentication responsibilities onto each other.”

Actions

If you are running a vulnerable version, F5 has a list of updates here.

If you can’t install a fixed version for any reason, then F5 advises you can block Configuration utility access through self IP addresses or block Configuration utility access through the management interface.

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Most, if not all malvertising incidents result from a threat actor either injecting code within an existing ad, or intentionally creating one. Today, we look at a different scenario where, as strange as that may sound, malvertising was entirely accidental.

The reason this happened was due to the combination of two separate factors: a compromised website and Google Dynamic Search Ads.

Unbeknownst to the site owner, one of their ads was automatically created to promote a popular program for Python developers, and visible to people doing a Google search for it. Victims who clicked on the ad were taken to a hacked webpage with a link to download the application, which turned out to install over a dozen different pieces of malware instead.

Compromised website promotes software crack

While we identified the compromised ad before the website, we will first describe what happens from the point of view of the site owner to better understand what led to the ad creation in the first place.

This website is for a business that specializes in wedding planning and their portfolio includes testimonials from previous customers sharing their story and experience. Unfortunately, some of those pages have been injected with malware that spams malicious content into them.

In particular, it changes the page’s title and creates an overlay that promotes a serial key for various software programs. For example, the screenshot below shows that overlay advertising a license key for Pycharm, a popular program used by software developers:

Malvertising via Dynamic Search Ad

Dynamic Search Ads (DSA) are a type of Google ads that use the content of a website to automate the creation of ads. While this feature is very handy for advertisers, it also comes with the unlikely but potential for abuse. Indeed, if someone is able to modify the website’s content without the owner’s knowledge, automated ads may be entirely misleading.

Circling back to where our investigation started, this is what we first saw when doing a Google search for ‘pycharm’. The ad’s headline is showing “JetBrains PyCharm Professional” while the content snippet has gathered a bunch of keywords related to the wedding business. Obviously, there is a discrepancy here between what the ad’s title promotes (a program for developers) and the ad’s description (wedding planning).

What happened here is Google Ads dynamically generated this ad from the hacked page, which makes the website owner an unintentional intermediary and victim paying for their own malicious ad.

Fake serial leads to malware bonanza

People searching for PyCharm may not take the time to read the ad’s description, but instead will simply click on the headline. From there, they will be redirected to the compromised page showing the overlay with the link to download the serial key. While not everyone will proceed at this point, those who do will have an experience they aren’t likely to forget:

Running this installer will result in a deluge of malware infections the like we have only seen on rare occasions, rendering the computer completely unusable:

Sometimes, an unexperienced criminal may want to monetize as many software loads as possible in order to earn a commission on each. Clearly this is not an elegant attack as the victim will be aware their computer has been loaded with unwanted programs.

Whatever the case may be, downloading cracks or serial keys is akin to walking across a mine field, and you typically only do it once.

Summary

This incident is not your typical malvertising case and in fact, it’s unlikely that whoever hacked that website was even aware of this happening. Compromised sites can be monetized in many different ways and usually threat actors expect traffic to come from organic search results, not ads.

From an ad quality point of view, this would be difficult to detect in the sense that the ad has been paid for by a legitimate business and takes users to the correct destination. There is no malicious redirect to a fake domain that attempts to deceive users like we have seen before.

Google may be able to detect that the website has been compromised because it contains spam injections. If that is the case, Dynamic Search Ads may inadvertently promote malicious content.

We recommend users to practice safe browsing and always be cautious with sponsored content. Downloading cracked software has never been a good idea, but if you do, always make sure it is clean before you run it.

We have informed the wedding planner business that their website is currently compromised and leading to malicious content.

Malwarebytes already detected all the payloads with its anti-malware and heuristic engines:

Indicators of Compromise

Download URL for fake serial:

eplangocview[.]com/wp-download/File.7z

Subsequent malware download URLs:

roberthamilton[.]top/timeSync[.]exe
109[.]107[.]182[.]2/race/bus50[.]exe
171[.]22[.]28[.]226/download/Services[.]exe
experiment[.]pw/setup294[.]exe
medfioytrkdkcodlskeej[.]net/987123[.]exe
171[.]22[.]28[.]226/download/WWW14_64[.]exe
185[.]172[.]128[.]69/newumma[.]exe
194[.]169[.]175[.]233/setup[.]exe
171[.]22[.]28[.]221/files/Ads[.]exe
171[.]22[.]28[.]213/3[.]exe
lakuiksong[.]known[.]co[.]ke/netTimer[.]exe
stim[.]graspalace[.]com/order/tuc19[.]exe
neuralshit[.]net/1298d7c8d865df39937f1b0eb46c0e3f/7725eaa6592c80f8124e769b4e8a07f7[.]exe
pic[.]himanfast[.]com/order/tuc15[.]exe
85[.]217[.]144[.]143/files/My2[.]exe
galandskiyher5[.]com/downloads/toolspub1[.]exe
gobr1on[.]top/build[.]exe
flyawayaero[.]net/baf14778c246e15550645e30ba78ce1c[.]exe
632432[.]space/385118/setup[.]exe
yip[.]su/RNWPd[.]exe
potatogoose[.]com/1298d7c8d865df39937f1b0eb46c0e3f/baf14778c246e15550645e30ba78ce1c[.]exe
185[.]216[.]71[.]26/download/k/KL[.]exe
walkinglate[.]com/watchdog/watchdog[.]exe
walkinglate[.]com/uninstall[.]exe

Last week on Malwarebytes Labs:

• Malvertising via Dynamic Search Ads delivers malware bonanza
• Octo Tempest cybercriminal group is “a growing concern”—Microsoft
• Update now! Apple patches a raft of vulnerabilities
• Patch…later? Safari iLeakage bug not fixed
• Update vCenter Server now! VMWare fixes critical vulnerability
• Cyberattack hits 5 hospitals
• Face search engine PimEyes stops searches of children’s faces
• Announcing NEW Malwarebytes Identity Theft Protection
• Hong Kong residents targeted in malvertising campaigns for WhatsApp, Telegram
• 1Password reports security incident after breach at Okta
• Google Chrome wants to hide your IP address
• MGM attack is too late a wake-up call for businesses, says James Fair: Lock and Code S04E22
• Battling a new DarkGate malware campaign with Malwarebytes MDR

Stay safe!

Malwarebytes Managed Detection and Response (MDR) simply and effectively closes your security resources gap, reduces your risk of unknown threats, and increases your security efficiency exponentially. Malwarebytes MDR staffs highly experienced Tier 2 and Tier 3 analysts who are hands-on with customer endpoints, ensuring critical threats are quickly identified and a thorough response is rapidly deployed.

Want to learn more about MDR? Get a free trial below.

We’re rolling out two new features to enhance usability in OneView, our multi-tenant platform for Managed Service Providers: Report 2.0 and the Global Site Filter. Here’s what you need to know:

Report 2.0: Improved Reporting in OneView

Report 2.0 offers a more streamlined approach to reporting within OneView:

• Scheduled Reporting: Admins can schedule individual reports directly from the OneView Reports page.
• Integrated Scheduling from Nebula: .CSV reports that could be scheduled from Nebula can now be scheduled directly through OneView.
• Unified Interface: Report page has an interface similar to Nebula, providing consistency across platforms.

Scheduling individual reports directly from the Reports page.

New Report (Dropdown Sites)

New Report (Dropdown report type)

New Report (Dropdown Delivery schedule)

Global Site Filter: Streamlined User Experience

The Global Site Filter aims to simplify operations between OneView and the Nebula console. Previously, users needed to toggle between OneView and Nebula to access and modify certain details, which was time-consuming and often cumbersome, especially when dealing with multiple sites.

With the Global Site Filter, we’ve bridged this gap, allowing users to perform tasks in OneView without needing to switch over to the Nebula console.

This is when the page (or tab) you are on is filtered

This is when the page you are on won’t be filtered due to Global data

The message you receive if you click Launch site from the Sites page.

Both updates are part of our commitment to improving the OneView experience by addressing user feedback and simplifying processes. We hope these changes make your interactions with OneView more efficient.

Stay safe out there!

Apple has released security updates for its phones, iPads, Macs, watches and TVs.

Updates are available for these products:

• iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later get iOS 17.1 or iPadOS 17.1.
• iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later get iOS 16.7.2 or iPadOS 16.7.2.
• iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation) get iOS 15.8 or iPadOS 15.8.
• Macs get one of macOS Sonoma 14.1, macOS Ventura 13.6.1, macOS Monterey 12.7.1, and Safari 17.1.
• Apple TV HD and Apple TV 4K (all models) get tvOS 17.1.
• Apple Watch Series 4 and later get watchOS 10.1.

The important vulnerabilities that have been addressed in this raft of updates are:

CVE-2023-40423, a critical vulnerability in IOTextEncryptionFamily that could allow an app to execute arbitrary code with kernel privileges. Arbitrary code execution means an attacker could run any commands or code of their choice on a target machine or in a target process. Kernel privileges means the attacker would have the highest level of access to all machine resources.

CVE-2023-40413, a vulnerability in Find My that could allow another to read sensitive location information.

CVE-2023-40416, a vulnerability in ImageIO which means processing an image could result in disclosure of process memory.

CVE-2023-42847, a vulnerability in Passkeys could allow an attacker to access passkeys without authentication. A passkey is a way to sign in to an app or website account, without needing to create and remember a password.

CVE-2023-42841, a vulnerability in Pro Res could allow an app to execute arbitrary code with kernel privileges.

CVE-2023-41982, CVE-2023-41997, and CVE-2023-41988 are a set of vulnerabilities in Siri that would allow an attacker with physical access to use Siri to access sensitive user data.

CVE-2023-40447 and CVE-2023-42852 are vulnerabilities in WebKit that could be used for arbitrary code execution. Visiting a specially crafted website could cause WebKit to perform operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

CVE-2023-32434 is a vulnerability that could allow an app to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.

CVE-2023-41989 could allow an attacker to execute arbitrary code as root from the Lock Screen due to a vulnerability in Emoji. The issue was addressed by restricting options offered on a locked device. Root is the superuser account in many opeating systems. It is a user account for administrative purposes, and typically has the highest access rights on the system.

CVE-2023-38403 is a vulnerability in iperf3 before 3.14 that could allow peers to cause an integer overflow and heap corruption via a crafted length field. iPerf3 is a tool for active measurements of the maximum achievable bandwidth on IP networks. An integer overflow is a programming error that allows an attacker to manipulate a number the program uses in a way that might be harmful. If the number is used to set the length of a data buffer (an area of memory used to hold data), an integer overflow can lead to a buffer overflow, a vulnerability that allows an attacker to overloaded a buffer with more data than it’s expecting, which creates a route for the attacker to manipulate the program. Heap corruption occurs when a program modifies the contents of a memory location outside of the memory allocated to the program. The outcome can be relatively benign and cause a memory leak, or it may be fatal and cause a memory fault, usually in the program that causes the corruption.

CVE-2023-42856 could be used to trigger unexpected app termination or arbitrary code execution due to a vulnerability in Model I/O. Model I/O provides the ability to access and manage 3D models.

CVE-2023-40404 could allow an app to execute arbitrary code with kernel privileges due to a vulnerability in Networking.

CVE-2023-41977 is a vulnerability in Safari that could allow a malicious website to reveal browsing history.

Notably absent from the bugs that have been fixed is iLeakage, a sophisticated side-channel attack in the Spectre family.

The updates above may already have reached you, but it doesn’t hurt to check if your device is at the latest update level. If a Safari update is available for your device, you can get it by updating or upgrading your iPhone or iPad or your Mac.

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Octo Tempest is believed to be a group of native English speaking cybercriminals that uses social engineering campaigns to compromise organizations all over the world.

Initially the group made a name for itself by SIM swapping. SIM swapping, also known as SIM jacking, is the act of illegally taking over a target’s cell phone number. This can be done in a number of ways, but the most common ones involve social engineering attacks on the victim’s carrier.

In a security blog about Octo Tempest Microsoft states:

“Octo Tempest monetized their intrusions in 2022 by selling SIM swaps to other criminals and performing account takeovers of high-net-worth individuals to steal their cryptocurrency.”

Since then the group has expanded its range of activities to include targeting organizations providing cable telecommunications, email, and tech services, and partnering with the ALPHV/BlackCat ransomware group.

In our monthly ransomware reviews you will typically see ALPHV as the world’s third most used ransomware-as-a-service (RaaS).

ALPHV is a typical RaaS group where several criminal organizations work together to extort victims for data theft and/or encryption of important files. ALPHV provides the ransomware, the infrastructure for negotiating ransoms, and a dark web site where stolen data is leaked. The service is used by criminal gangs called affiliates who actually carry out attacks.

As an ALPHV affiliate, Octo Tempest focused its deployments primarily on VMWare ESXi servers and other complex hybrid environments.

Microsoft reports that in doing so, Octo Tempest progressively broadened the number of industries it targeted for extortion, including natural resources, gaming, hospitality, consumer products, retail, managed service providers, manufacturing, law, technology, and financial services. 

Having Octo Tempest as an affiliate brings specialized knowledge to ALPHV, such as SMS phishing, SIM swapping, and advanced social engineering techniques. The group includes members with extensive technical knowledge and multiple hand-on-keyboard operators.

Its social engineering attacks target accounts that have sufficient administrator rights to build out an impactful attack. For example, to keep their tracks hidden, Octo Tempest will target the accounts of security personnel, which allows them to disable security products and features.

The group uses all kinds of social engineering attacks and, as a last resort, they do not shy away from threatening targets with physical violence if they fail to comply.

A unique technique used by Octo Tempest is to use the data movement platform Azure Data Factory, and automated pipelines, to extract data to external servers, aiming to blend in with typical big data operations.

Similar to that the group uses many Living off the land (LOTL) techniques that make it hard to spot its activities. One of Microsoft’s recommendations is to keep close tabs on administrative changes in your environment.

How to avoid ransomware

• Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
• Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
• Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
• Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
• Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
• Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes Managed Detection and Response (MDR) simply and effectively closes your security resources gap, reduces your risk of unknown threats, and increases your security efficiency exponentially. Malwarebytes MDR staffs highly experienced Tier 2 and Tier 3 analysts who are hands-on with customer endpoints, ensuring critical threats are quickly identified and a thorough response is rapidly deployed.

Want to learn more about MDR? Get a free trial below.

TRY NOW

Apple has released updates for its phones, Macs, iPads, watches, and TV streaming devices, fixing a bunch of security problems. But amid all that activity, one fix is notably absent—there is nothing to address the vulnerability dubbed iLeakage.

iLeakage is a side-channel attack that can force the Safari browser to divulge secrets like passwords and Gmail messages.

A side-channel attack looks at the indirect effects of a computer program, or computer hardware, which can reveal things about what’s happening under the hood. It’s like a thief looking at your house and concluding from the fact that there are no lights on and the car isn’t in the driveway that you aren’t home. The lights and the empty driveway are side channels.

In the case of iLeakage, the side channel is speculative execution, a performance enhancement feature found in modern CPUs. iLeakage is just the latest in a whole family of speculative execution bugs, known as Spectre, dating back to 2017.

Virtually every modern CPU uses some kind of performance optimization where it attempts to predict what a program will do next. Once a prediction is made, the CPU will execute instructions ahead of time, so that the answer is there immediately should you need it. If the CPU realizes its prediction was wrong it has to revert all the changes it made, but sometimes speculative execution leaves traces in the CPU’s microarchitectural state, and especially the cache.

A group of cybersecurity researchers used these traces to show how an attacker can make Safari reveal sensitive information. The attacks use a malicious web page that exploits iLeakage. The page can be used to open Instagram, Gmail, YouTube, or any other website in a new tab. Behind the scenes, the same Safari computer process renders both the malicious page and the target web page, allowing the malicious page to pull information from the target, such as auto-filled passwords, using iLeakage.

Although there are no fixes for iLeakage yet, there are mitigations. Unfortunately, all of them come with significant caveats. According to the researchers, the super-secure Lock Down mode that’s available on Apple’s Macs, phones, and tablets will disable iLeakage, but Lock Down mode can impact performance and, as Apple points out, “When Lockdown Mode is enabled, your device won’t function like it typically does.”

You can also stop iLeakage by disabling JavaScript execution in your browser, but this will likely impact the behavior of every website you visit, making many of them unusable.

There is another mitigation that specifically targets iLeakage, but it’s macOS only and it’s not enabled by default. On top of that, the mitigation is considered unstable, and it requires users to open a computer terminal window, which will be beyond many users’ comfort zones. If you really want to go there, you can read the instructions on the iLeakage site, under “How can I defend against iLeakage.” We suggest that unless you’re a high value target you probably don’t need to bother, and if you are a high value target you should enable Lock Down mode anyway.

There is no evidence that iLeakage has been abused in the wild, and figuring out how the researchers did it will be a significant undertaking for cybercriminals.

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Canadian health service provider TransForm has published an update about the cyberattack at its member hospitals.

TransForm is a not-for-profit, shared service organization founded by the five hospitals in Erie St. Clair to manage their hospital IT, supply chain, and accounts payable needs.

The five affected hospitals, Bluewater Health, Chatham Kent Health Alliance, Erie Shores HealthCare, Hôtel-Dieu Grace Healthcare, and Windsor Regional Hospital, have had to reschedule appointments with their patients due to the attack.

On October 23, 2023, Transform released news that its member hospitals and Windsor-Essex Hospice were experiencing a systems outage, including email. In an update later that day it said that the incident is impacting the hospitals’ provision of care in various ways.

“For those patients who have care scheduled in the next few days, the hospitals will contact you directly, if possible, to reschedule or provide alternate arrangements.”

Even though TransForm does not provide any more details about the nature of the attack, it’s highly likely that this is a supply chain attack since all member hospitals are experiencing problems.

In a media release, the affected hospitals asked patients to reduce the impact by only visiting the hospitals if they need emergency care.

Because there is no clarity about the nature of the attack, it’s hard to say what other consequences it may have on the hospitals and their patients.

“We are investigating the cause and scope of incident, including whether any patient information was affected. Our investigation is ongoing and we will provide further updates, as appropriate.“

All parties have declined to comment until more information becomes available.

The risks of compromised supply chains keeps growing, and as long as organizations continue to rely on them without fully understanding the implications the risks are here to stay. It is essential for businesses and their suppliers to work together to harden their defenses, to minimize the risk of having their supply chain compromised.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.