IT NEWS

Educational institutions may face a range of cyberthreats in 2024, but our 2024 State of Malware in Education report identifies the six most critical ones.

Ransomware, for example, stands out as a key threat for schools and universities. The report covers how last year, we witnessed a 92% increase in ransomware attacks in K-12 schools and a 70% increase in Higher Education. The trend appears set to continue, partly due to specialized ransomware groups like Rhysida (formerly Vice Society) targeting educational sectors.  

Another major threat our 2024 State of Malware in Education covers is the reduction of conventional malware in favor of Living off The Land (LOTL) attacks. LOTL attacks exploit legitimate system tools to remain undetected while conducting harmful activities.

Our report suggests that educational institutions must employ expert staff to manually identify LOTL activities, which traditional malware detection tools miss. For example, we recently wrote how one K-12 district used MDR to uncover malicious PowerShell activity and stop an ongoing infection.

Some other trends and threats educational institutions can expect in the report to cover include:

• Why targeting Macs has become an easy choice for criminals 
• How CL0P is rewriting the ransomware playbook and why Big Game ransomware remains the most serious threat.
• How cybercriminals use ‘malvertising’ to target educational institutions with malicious ads for popular for remote learning such as Zoom. 

As we progress into 2024, the reality is that educational institutions’ success in pairing state of the art security software with skilled security staff will be a deciding factor in their ability to take down the most serious cyberthreats. 

To understand the complete list of threats facing educational institutions in 2024 and how to tackle them, get the full 2024 State of Malware in Education report—tailored to either K-12 or Higher Ed—below.

Researchers at HUMAN’s Satori Threat Intelligence have discovered a disturbing number of VPN apps that turn users’ devices into proxies for cybercriminals without their knowledge, as part of a camapign called PROXYLIB.

Cybercriminals and state actors like to send their traffic through other people’s devices, known as proxies. This allows them to use somebody else’s resources to get their work done, it masks the origin of their attacks so they are less likely to get blocked, and it makes it easy for them to keep operating if one of their proxies is blocked.

An entire underground market of proxy networks exists to service this desire, offering cybercriminals flexible, scalable platfroms from which to launch activities like advertising fraud, password spraying, and credential stuffing attacks.

The researchers at HUMAN found 28 apps on Google Play that turned unsuspecting Android devices into proxies for criminals. 17 of the apps were free VPNs. All of them have now been removed from Google Play.

The operation was dubbed PROXYLIB after a code library shared by all the apps that was responsible for enrolling devices into the ciminal network.

HUMAN also found hundreds of apps in third-party repositories that appeared to use the LumiApps toolkit, a Software Development Kit (SDK) which can be used to load PROXYLIB. They also tied PROXYLIB to another platform that specializes in selling access to proxy nodes, called Asocks.

Protection and removal

Android users are now automatically protected from the PROXYLIB attack by Google Play Protect, which is on by default on Android devices with Google Play Services.

The affected apps can be uninstalled using a mobile device’s uninstall functionality. However, apps like these may be made available under different names in future, which is where apps like Malwarebytes for Android can help.

Recommendations to stay clear of PROXYLIB are:

• Do not install apps from third-party websites.
• Do not install free VPNs.
• Use Malwarebytes for Android.

Victims of novel attacks like PROXYLIB might notice slow traffic, because their bandwidth is in use for other purposes. And at some point their IP address may be blocked by websites and other services.

The researchers included a list of applications they uncovered as part of PROXYLIB. If you installed any of the apps on the list before they were removed from Google Play you will need to uninstall them.

We don’t just report on privacy—we offer you the option to use it.

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

Last week on Malwarebytes Labs:

• MFA bombing taken to the next level
• How to back up your Mac
• How to back up your Windows 10/11 PC to OneDrive
• How to back up your iPhone to a Windows computer
• How to back up your iPhone to a Mac
• How to back up your iPhone to iCloud
• Powering the future of ThreatDown with AI
• Stopping a K-12 cyberattack (SolarMarker) with ThreatDown MDR
• Facebook spied on Snapchat users to get analytics about the competition
• Update Chrome now! Google patches possible drive-by vulnerability
• Disturbing robocaller fined $9.9 million
• Meta to abandon social media tracking tool CrowdTangle
• Patch now: Mozilla patches two critical vulnerabilities in Firefox
• YouTube ordered to reveal the identities of video viewers
• Vans warns customers of data breach
• Securing your home network is long, tiresome, and entirely worth it, with Carey Parker: Lock and Code S05E07
• 3 important lessons from a devastating ransomware attack

Stay safe!

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

Simply put, MFA bombing (also known as “push bombing” or “MFA fatigue”) is a brute force attack on your patience. Cybercriminals use MFA bombing to break into accounts that are protected by multi-factor authentication (MFA).

MFA normally requires a user to enter a six-digit code sent by SMS, or generated by an app, or to respond to a push notification, when they enter a username and password. It provides an enormous increase in security and makes life much harder for criminals.

Because it’s so hard to break, criminals have taken to getting users to defeat their own MFA. They do this by using stolen credentials to try logging in, or by trying to reset a user’s password over and over again. In both cases this bombards the user with push notifications asking them to approve the login, or messages asking them to change their password. By doing this, the criminals hope that users will either tap the wrong option or get so fed up they just do whatever the messages are asking them to do, just to make the bombardment stop.

Now, according to this blog by Bran Krebs, these attacks have evolved. If you can withstand the pressure of the constant notifications, the criminals will call you pretending to come to your rescue.

In one example Krebs writes about, criminals flooded a target’s phone with password reset notifications for their Apple ID. Each notification required the user to choose either “Allow” or “Don’t Allow” before they could go back to using their device.

After withstanding the temptation to click “Allow”, and declining “100-plus” notifications, the victim receved a call from a spoofed number pretending to be Apple Support.

The call was designed to get the victim to trigger a password reset, and then to hand over the one-time password reset code sent to their device. Armed with a reset code, the criminals could change the victim’s password and lock them out of their account.

Luckily, in this situation the victim thought the callers seemed untrustworthy, so he asked them to provide some of his personal information, and they got his name wrong.

Another victim of MFA bombing learned that the notifications kept coming even after he bought a new device and created a new Apple iCloud account. This revealed that the attacks must have been targeted at his telephone number, because it was the only constant factor between the two device configurations.

Yet another target was told by Apple that setting up an Apple Recovery Key for his account would stop the notifications once and for all, although both Krebs and the victim dispute this.

Unfortunately, there doesn’t seem to be a lot you can do once an MFA bombing attack starts other than be patient, and be careful not to click Allow. If you get a call, know that Apple Support will never call you out of the blue, so don’t trust the caller, no matter how convenient their timing.

If you lose control of your Apple ID, go to iforgot.apple.com to start the account recovery process.

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

They say the only backup you ever regret is the one you didn’t make. Starting in Windows 10, the operating system (OS) now comes with a built-in tool to back up your files, themes, some settings, many of your installed apps, and your Wi-Fi information.

First, you’ll need to sign in with your Microsoft account

Go to Start  > Settings  > Accounts  > Your info . Select Sign in with a Microsoft account instead. You’ll see this only if you’re using a local account. If you see Sign in with a local account instead, you’re already using your Microsoft account.

To start the backup process select Start  > Windows Backup.

Select Folders to drop down a list, and select which of your user folders you want to back up by toggling them On or Off. The ones you have already backed up will say Backed up next to them.

Next, you can move forward to back up your settings. You can use the drop down for each category and select the items you want to back up by setting them to On or Off.

First choose your apps:

Then your settings:

Then your credentials:

When you’ve decided on what to back up, click Back up and the backup will be made.

From this point on, Windows will synchronize these backups at regular intervals. If it’s been a while since you made your backups or changed your settings, you can check the status by going to Start  > Settings  > Accounts  > Windows backup.

Current status

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Backing up your Mac computer doesn’t need to be intimidating.

By taking advantage of a user-friendly feature released by Apple several years ago, the entire backup process can be handled almost automatically, preserving your most important files, photos, applications, and emails from cyberthreats and mishaps.

Before starting the backup process, you will need an external storage device that can connect to your Mac with a USB or Thunderbolt cable. External storage devices, which are sometimes called external hard drives, are developed and sold by many different companies, including Lacie, SanDisk, and Western Digital.

If you do not have an external storage device, you must first get one. You should also follow Apple’s recommendation that your external storage device be twice as large as the hard drive of your Mac computer.

To find the hard drive size of your current Mac, open the System Settings app on your computer. On the left-hand rail, click General and then, in the window open to the right, click Storage.

Several statistics and options will be shown.

At the top of the Storage section, the hard drive space is shown. Here, it is 494.38 GB, or 500 GB roughly.

The Mac shown here has 500 GB of internal storage. If we were to back this Mac up, we would need to use an external storage device of 1 TB (terabyte).

Once you have your external storage device, you can begin the actual backup processs.

The simplest way to back up your Mac is with the built-in feature “Time Machine.”

First, connect your external storage device to your Mac.

Then, you need to set up that storage device as your “backup disk.” This means that, from this point forward, your external storage device will have one primary use, and that is as a backup device that syncs with Time Machine. Apple recommends that you do not use your external storage device that you are using with Time Machine for anything other than Time Machine backups.

To set up your storage device as your backup disk, follow these instructions:

Go to System Settings.  

Click on General in the left sidebar.

From here, click on Time Machine in the main window displayed to the right.

From the Time Machine menu, click Add Backup Disk or click the “Add” button (+).

From here, select your external storage device and then click Set Up Disk.

At this point in the process, you may receive two options from Time Machine:

1. If your device has other files on it, you will be asked if you want to erase the device so that it can be used solely as a backup with Time Machine. You can erase the files immediately and then continue the backup process through Time Machine. If you do not want to erase the files, you need to get a separate external storage device that will be used exclusively as a backup with Time Machine.
2. If your external storage device already has backups from a prior computer, you will be asked whether you can to keep those backups and roll them into new backups made with Time Machine. This is up to you.

From here, the backup process is nearly done.

To make a backup, simply click on Back Up Now from the Time Machine menu.

Your first backup could take a long time to complete, but know that you can continue using your computer like normal while the process happens in the background.

From here on, whenever you attach your external storage device to your Mac, Time Machine will automatically ask to make a backup of the changes to your Mac. You can also change the frequency of your backups in your Time Machine Settings.

They say the only backup you ever regret is the one you didn’t make. iPhone backups can be used to easily move your apps and data to a new phone, to recover things you’ve lost, or to fix things that have failed.

We’ve published posts on how to back up your iPhone to iCloud, and how to backup an iPhone to a Mac. Another method is to backup using the iTunes app on a Windows system.

Choose whichever backup method works best for you, and will continue to work.

First, connect your iPhone to the Windows system with a cable.

You are likely to see a prompt on your iPhone asking whether it can trust this computer.

To proceed, tap Trust and entering your passcode.

Then open the iTunes app on your Windows device.

In iTunes click the Device symbol in the upper left corner (next to the Music drop down box).

Note: It may take a while before the device icon appears

In the Settings of the iTunes app select Summary.

You’ll see some device data about your iPhone, and below that a Backups menu.

Here you can select either iCloud or This Computer.

To create a local backup select This Computer and click on Back Up Now to create a new backup of your iPhone on your Windows System.

To encrypt your backups, select Encrypt local backup, type a password, then click Set Password.

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

They say the only backup you ever regret is the one you didn’t make. iPhone backups can be used to easily move your apps and data to a new phone, to recover things you’ve lost, or to fix things that have failed.

One of the most cost effective ways to backup your iPhone is to save backups to your Mac. Backups are made automatically whenever you connect your iPhone to your Mac with a lead. Be aware though that backups can take up a lot of space on your Mac, and that if your Mac is lost, stolen, or inoperable, then you won’t be able to access your iPhone backups. If you need daily backups or backups that can always be accessed from anywhere, you may prefer to backup your iPhone to iCloud.

This guide tells you how to enable backups to your Mac, and how to check that everything is working as you expect.

First, connect your iPhone or iPad to a Mac using a cable.

Open the Finder app and select your iPhone from the list of Locations.

Click General.

Under Backups, choose Back up all of the data on your iPhone to this Mac.

To encrypt your backup data and protect it with a password, select Encrypt local backup. You will be prompted for a password.

Click Back Up Now.

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Nobody can deny the influence of AI today. In just a few years, we have observed AI’s capacity to be as transformative as the internet and smartphones, especially for cybersecurity. Indeed, the potential of AI to radically simplify complex security environments is unmistakable, and aligns closely with our mission at ThreatDown to reduce threats, complexity, and costs for our customers.

With continuous advancements in AI and its ever-expanding potential to enhance user experiences, ThreatDown remains dedicated to integrating these technologies into our solutions going forward. Let’s dive into where we are with AI and where we’re headed.

What led us here

We’ve always been big on democratizing security for all, and we believe AI has the potential to do just that. With this in mind, in late March 2024 we added a powerful AI functionality to our industry-leading Security Advisor. Users can now use simple natural language requests to search for information about their environment, ask for recommendations on how to optimize their security posture, and more.

The deployment of generative AI into our Security Advisor propels us closer to our goal to make security management more accessible, especially for companies with constrained IT resources. Generative AI’s ability to sift through vast datasets to highlight essential issues and suggest actions significantly lowers the barrier to advanced security, eliminating the necessity for deep security know-how among users. But we’re not done yet.

Where we’re going

As we integrate generative AI, we envisage a host of potential advancements that could further revolutionize security management:

• Global AI search: Our team is considering the development of a universal AI search feature, integrated across all products, that can comprehend natural language queries and surface relevant data.
• Evolving summarization techniques: Imagine an AI that can not only summarize threats detected by EDR tools but also provides remediation steps with contextual help to follow along.
• Dynamic security recommendations: We’re exploring the possibility of AI that not only provides recommendations but also adapts them in real-time based on the evolving security context of each user.

Pioneering simplicity in security with AI

AI will likely become a bigger and bigger fixture in security as the years go on, and as it evolves, ThreatDown is deeply committed to simplifying security management through the power of AI.

Nebula users can use Security Advisor and its AI capabilities today. Learn more.

Social media giant Facebook snooped on Snapchat users’ network traffic, engaged in anticompetitive behavior and exploited user data through deceptive practices. That’s according to a court document filed March 23, 2024.

The document mentions Facebook’s so-called In-App Action Panel (IAAP) program, which existed between June 2016 and approximately May 2019. The IAAP program, used an adversary-in-the-middle method called to intercept and decrypt Snapchat’s—and later YouTube’s and Amazon’s—SSL-protected analytics traffic to provide information for Facebook’s competitive decision making. Secure Sockets Layer (SSL) is a standard security technology for establishing an encrypted link between a server and a client.

On June 9, 2016, Facebook CEO Mark Zuckerberg complained about the lack of analytics about competitor Snapchat.

“Whenever someone asks a question about Snapchat, the answer is usually that because their traffic is encrypted we have no analytics about them. . . .

Given how quickly they’re growing, it seems important to figure out a new way to get reliable analytics about them. Perhaps we need to do panels or write custom software. You should figure out how to do this.”

So, as part of the IAAP program, the company started Project Ghostbusters by using Onavo. Onavo was a VPN-like research tool that Facebook acquired in 2013. In 2019, Facebook shut down Onavo after a TechCrunch investigation revealed that Facebook had been secretly paying teenagers to use Onavo so the company could access all of their web activity.

The Project Ghostbusters technique relied on technology known as a server-side SSL bump performed on Facebook’s Onavo servers. SSL bumping, also known as SSL interception, involves intercepting and decrypting SSL/TLS traffic, inspecting it for malicious content or policy violations, and then re-encrypting and forwarding it to the intended destination.

To gain access to the data about their competitor, Facebook incentivized users to install “kits” on both Android and iOS devices that impersonated official servers and decrypted traffic that Facebook had no right to access.

These kits allowed Facebook to intercept traffic for specific sub-domains, allowing them to read what would otherwise be encrypted traffic and to measure in-app usage of their competitor’s apps. The users were clueless about what the kits did exactly, but it allowed the operators to view and analyze the traffic before it got encrypted.

According to the court documents, advertisers suing Meta claim that Facebook later expanded the program to Amazon and YouTube. This practice is likely in violation of wiretapping laws and “potentially criminal.” Facebook’s secret program likely violated the Wiretap Act, because it prohibits intentionally intercepting electronic communications with no applicable exception and the use of such intercepted communications.

We’ll keep you updated on how this develops.

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.