
Medical research data stolen from Advarra after SIM swap

Clinical research company Advarra has reportedly been compromised after a SIM swap on one of its executives.

SIM swapping, also known as SIM jacking, is the act of illegally taking over a target’s cell phone number. This can be done in a number of ways, but one of the most common methods involves tricking the target’s phone carrier into porting the phone number to a new SIM which is under the control of the attacker.

In the case of Advarra, the ALPHV ransomware group reportedly managed to transfer the executive’s cellphone number to a SIM under its control, which gave it access to company resources and let it copy information that the group is now threatening to sell.

Advarra entry on the ALPHV leak site


However, Advarra isn’t willing to play ball, saying it doesn’t “pay digital terrorists”.

Advarra said it’s business as usual:

“An Advarra colleague was the victim of a compromise of their phone number. The intruder used this to access some of the employee’s accounts, including LinkedIn, as well as their work account.

We have taken containment actions to prevent further access and are investigating with third-party cyber experts. We also notified federal law enforcement. At this time we believe the matter is contained. We further believe that the intruder never had access to our clients’ or partners’ systems and it is safe to connect to Advarra’s systems. Importantly, we have no evidence that the Advarra systems and products that clients use to interface with us were compromised or accessed. At this time, our business operations have not been disrupted as a result of this activity and we continue to operate as normal. In addition, we continue to take steps to enhance the overall security of our systems in line with industry best practices.

Our investigation remains ongoing, and we will provide additional updates as appropriate.”

Octo Tempest

We recently wrote about the growing concern around criminal gang Octo Tempest. In 2022, Octo Tempest began selling SIM swaps to other criminals and performing account takeovers of high-net-worth individuals in order to steal their cryptocurrency. Since then the group has expanded its range of activities to include targeting organizations providing cable telecommunications, email, and tech services, and partnering with the ALPHV ransomware group.

So it’s quite possible that Octo Tempest used its SIM swapping expertise to compromise the executive’s account and then used that access to steal the information that is now being used to extort Advarra.

Even if the incident didn’t go down exactly as we think, there are a few takeaways:

  • Social engineering has proven time and again to be the most reliable tool for cybercriminals. It can hurt even companies with enterprise-grade security.
  • The security of your private accounts matters to the company you work for. A breach of one of your accounts can provide an entrance to your employer.
  • SIM swapping is one of the reasons why some forms of MFA are better than others. Spoiler alert: text messages and call-based verification are not the best options.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.


Malwarebytes Managed Detection and Response (MDR) simply and effectively closes your security resources gap, reduces your risk of unknown threats, and increases your security efficiency exponentially. Malwarebytes MDR staffs highly experienced Tier 2 and Tier 3 analysts who are hands-on with customer endpoints, ensuring critical threats are quickly identified and a thorough response is rapidly deployed.

Want to learn more about MDR? Get a free trial below.

A week in security (October 30 – November 5)

Last week on Malwarebytes Labs:

Stay safe!



Apache ActiveMQ vulnerability used in ransomware attacks

On 27 October, the Apache Software Foundation (ASF) announced a very serious vulnerability in Apache ActiveMQ that can be used to achieve remote code execution (RCE). The Cybersecurity and Infrastructure Security Agency (CISA) has since added this vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. This means that Federal Civilian Executive Branch (FCEB) agencies must remediate this vulnerability by November 11, 2023 to protect their devices against active threats.

The catalog is a list of vulnerabilities criminals are actively using, so everyone else should act swiftly to patch or mitigate the problem. In this case the criminals are, or at least include, the HelloKitty ransomware group, also known as FiveHands ransomware. The group was first seen in November 2020 and typically uses the double extortion method of both stealing and encrypting data.

The ASF describes the vulnerability as follows:

The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.

Apache ActiveMQ is a popular open source, multi-protocol, Java-based message broker, a category of software known as middleware. Message brokers like this are often found in enterprise systems, where they provide reliable communication between different applications and system components. OpenWire is a protocol designed for message-oriented middleware and is the native wire format of ActiveMQ.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVE in Apache ActiveMQ is listed as:

CVE-2023-46604 (CVSS 3 score 10 out of 10): OpenWire commands received from the network are unmarshalled, so by manipulating the serialized class types in the OpenWire protocol an attacker can cause the broker to instantiate any class on the classpath. (The classpath is the parameter of the Java Virtual Machine or the Java compiler that specifies where user-defined classes and packages are loaded from.) The root cause is deserialization of untrusted data; the fix improves the validation the OpenWire marshaller performs before it instantiates a class.

To successfully exploit this vulnerability, three things are required:

  • Network access
  • A manipulated OpenWire “command” (used to instantiate an arbitrary class on the classpath with a String parameter)
  • A class on the classpath which can execute arbitrary code simply by instantiating it with a String parameter.
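The three ingredients above, as an added example that is not ActiveMQ’s own code: a small Python analogue of the vulnerable unmarshalling step beside a hardened version. `GadgetContext` is a constructed stand-in for a class on the classpath whose constructor takes one string and acts on it; the hardened function checks the type of the resolved class before constructing it, which is the kind of validation the upstream fix adds to the OpenWire marshaller. Nothing here speaks OpenWire; it shows only why letting the peer name a class (plus one string argument) is enough for code execution.

```python
# Added example, not ActiveMQ code: a Python analogue of the OpenWire
# Throwable-unmarshalling bug (CVE-2023-46604) and its fix shape.
import importlib

# Records what the stand-in gadget was asked to do, instead of doing it.
GADGET_LOG = []


class GadgetContext:
    """Constructed stand-in for a classpath class whose constructor takes a
    single string and acts on it (ingredient three above). Here it only logs
    the string; a real gadget would fetch and act on it."""

    def __init__(self, location: str):
        GADGET_LOG.append(location)


def resolve_class(class_name: str):
    """Look up a class by the name that arrived on the wire. A dotted name is
    imported; a bare name is looked up in this module, our toy 'classpath'."""
    module_name, _, attr = class_name.rpartition(".")
    if module_name:
        return getattr(importlib.import_module(module_name), attr)
    return globals()[attr]


def create_throwable_vulnerable(class_name: str, message: str):
    """Vulnerable shape: the peer names the class and supplies its one string
    argument, and the broker instantiates whatever it resolves to."""
    cls = resolve_class(class_name)
    return cls(message)


def create_throwable_fixed(class_name: str, message: str):
    """Hardened shape: resolve the class, then refuse to construct anything
    that is not actually an exception type."""
    cls = resolve_class(class_name)
    if not (isinstance(cls, type) and issubclass(cls, BaseException)):
        raise ValueError(f"refusing to instantiate non-Throwable class {class_name!r}")
    return cls(message)


def is_rejected_by_fix(class_name: str, message: str = "") -> bool:
    """True if the hardened path refuses the wire-supplied class name."""
    try:
        create_throwable_fixed(class_name, message)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed "wire" values: an attacker-chosen class name and the one
    # string argument the gadget's constructor receives.
    wire_class, wire_arg = "GadgetContext", "http://attacker.invalid/poc.xml"
    create_throwable_vulnerable(wire_class, wire_arg)
    print("vulnerable path instantiated the gadget with:", GADGET_LOG)
    print("fixed path rejects the gadget:", is_rejected_by_fix(wire_class, wire_arg))
    print("fixed path still builds real exceptions:",
          repr(create_throwable_fixed("builtins.RuntimeError", "broker error")))
```

The point of the hardened version is that the check happens on the resolved type, before the constructor runs; validating the class name as a string (for example, rejecting names that merely look suspicious) would still leave every single-string-constructor class on the classpath reachable.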

A security update to patch the vulnerability was available on October 25, 2023, but as of October 30, there were still 3,329 internet-exposed servers using a version vulnerable to exploitation. Users are recommended to upgrade Apache ActiveMQ to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue. Users of both “Classic” and “Artemis” are recommended to upgrade.

Indicators of compromise (IOCs) are listed in this FBI report.


Should you allow your browser to remember your passwords?

At Malwarebytes we’ve been telling people for years not to reuse passwords, and that a password manager is a secure way of remembering all the passwords you need for your online accounts.

But we also know that a password manager can be overwhelming, especially when you’re just getting started. Once you’ve stored your tens or even hundreds of passwords, a password manager is relatively convenient to use and keep updated. But you have to get to that stage first and not everyone is at the same level of computer literacy.

So, you may have wondered if there’s another way. No doubt, you’ll have seen the pop ups in your browser asking if you’d like it to save your password for next time. In fact, many browsers refer to that as their password manager.

It’s very convenient, since your browser is usually the application that needs the password, but is it a good idea?

As usual, there are pros and cons.

Encryption. With a browser password manager, anyone with access to your browser can view your saved passwords in clear text, although on Windows the browser can be set to ask for your OS credentials (the same ones you use at startup) before revealing them.

The “Show password” option

To see the passwords in an actual password manager, an attacker would need to know the password for the password manager or the recovery phrase, which are usually a lot harder to find out than the Windows authentication (if set).

A word of warning here, some password managers have the option to keep you logged in for hours or even days. If there is any chance that anyone may acquire physical access, such settings defeat the added security of a password manager, since the attacker could open the password manager and look at your passwords in more or less the same way as they could in your browser.

Lookalike phishing sites. Both a standalone password manager and the one in your browser will protect you here. They will not fill out your password if the domain doesn’t match the one you saved the password for, which could indicate a phishing site. This can be very useful and this is where it beats writing down the password on a piece of paper or storing it in a text file. I should add that the domains that are worth setting up a fake site for are usually the ones that we would advise you add multi-factor-authentication (MFA) to.
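Origin matching of the kind described above, as an added example in Python rather than any browser’s own code. The rule used here (scheme, host and port must all match the saved entry exactly, with hosts compared after IDNA encoding so homograph domains cannot pass) is an assumption for this example; browsers differ in the details. All URLs are constructed.

```python
# Added example, not any browser's code: an exact-origin rule of the kind a
# password manager applies before offering a saved credential to a page.
from typing import Optional, Tuple
from urllib.parse import urlsplit

Origin = Tuple[str, str, int]  # (scheme, host, port)


def normalise_origin(url: str) -> Optional[Origin]:
    """Reduce a URL to (scheme, host, port), or None if it is not http(s).
    The host is IDNA-encoded first, so a homograph label such as 'lоgin' with
    a Cyrillic 'о' becomes an xn-- label and can no longer look like 'login'."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    host = parts.hostname.rstrip(".").encode("idna").decode("ascii").lower()
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, host, port)


def should_autofill(saved_url: str, page_url: str) -> bool:
    """Offer the credential only when the page origin equals the saved origin.
    A lookalike domain, an attacker domain that merely starts with the real
    name, and a plain-http downgrade all fail this test."""
    saved, page = normalise_origin(saved_url), normalise_origin(page_url)
    return saved is not None and saved == page


if __name__ == "__main__":
    # Constructed URLs for the demo; login.example.com is the saved site.
    saved = "https://login.example.com/session"
    for page in (
        "https://login.example.com/?next=/account",    # same origin: fill
        "https://login.example.com.evil.test/session",  # real name as a prefix
        "https://login.examp1e.com/session",            # digit-for-letter swap
        "http://login.example.com/session",             # http downgrade
        "https://l\u043egin.example.com/session",       # Cyrillic о homograph
    ):
        print(f"{'FILL ' if should_autofill(saved, page) else 'block'}  {page}")
```

This is also why a credential saved for the real site is never offered on a phishing page: the manager compares origins, not how the page looks, and the comparison is done on the encoded host rather than on what the address bar displays.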

Syncing. If you’ve stored your passwords in the browser and have chosen to synchronize your browser between devices, your passwords will port over as well. This is obviously very convenient, but it’s also a potential danger if someone gets access to one of your devices. A true password manager doesn’t rely on syncing between the same browser on different devices. Once you have the password manager installed on a device, you have it handy to use in any browser or other apps.

Offline. Many password managers cache your passwords locally, so you still have access when your connection is broken. Browser-stored passwords are also kept locally, but only that browser can use them; a standalone password manager’s offline cache is available to any browser or app on the device.

Business devices. It’s hard for the IT department to keep track of which user has which passwords saved in their browser. Password managers for businesses give them a better insight and make it easier to revoke passwords when needed.

Password stealers. There are types of malware that are capable of harvesting passwords from your device. They know exactly where browsers store their passwords and the encryption key, so they can steal the credentials and send them to the attacker. Password managers are separate from the browser, so they’re not at risk in the same way.

Data breaches. Several password managers will warn you if they find that your credentials are involved in a data breach, so you can change them. Browser storage doesn’t do this.

Complex passwords. Humans are bad at creating and remembering complex passwords. A password manager and some browsers can help you create a password that meets the required complexity and store it so you don’t have to remember it.

Side channel attacks. As we saw with a recent bug in Safari, attackers can use the autofill feature in a browser to harvest login credentials for a site. This only works if you have autofill enabled, so to make things a bit safer you can tell your browser to wait for your OK before it fills out the data. Here’s how…

How to disable autofill

  • Brave: Settings > Autofill and passwords > Password Manager > Settings. Toggle off “Sign in automatically”
  • Chrome: Settings > Autofill and passwords > Google Password Manager > Settings. Toggle off “Sign in automatically.”
  • Edge: Settings > Profiles > Passwords > Settings. There you can toggle off autofill for passwords and for Personal data separately.
  • Firefox: Settings > Privacy & Security. Scroll down to Logins and Passwords and uncheck “Autofill logins and passwords.”
  • Opera: Settings > Advanced Settings > Autofill > Password Manager > Settings. Toggle off “Auto Sign-in.”
  • Safari: Safari (in the menu bar) > Settings > Autofill. Uncheck “Usernames and passwords” and “Credit cards”.

So should you allow your browser to remember your passwords?

Your browser password manager gives you “ease of use” but that costs you some of your security. Of course, password managers aren’t foolproof either, so it’s important to decide for yourself where you store your passwords.

If you’re confident the website is safe and anyone that can access it under your account will not learn anything new, feel free to store the password in your browser, but disable autofill so you are the one that is in control.

Use MFA where possible. It enormously reduces the risk should someone get hold of your password. And refrain from using the browser password manager to store your credit card details or other sensitive personally identifiable information (e.g. medical information).


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

YouTube launches “global effort” to block ad blockers

The ongoing struggle between YouTube and ad blockers is turning users into the victims.

YouTube has gone all out in its fight against the use of add-ons, extensions and programs that prevent it from serving ads to viewers around the world. It started out as just a small experiment, but it looks like the company has opened the floodgates for most users now.

A spokesperson for YouTube told Engadget:

“We’ve launched a global effort to urge viewers with ad blockers enabled to allow ads on YouTube or try YouTube Premium for an ad free experience. Ads support a diverse ecosystem of creators globally and allow billions to access their favorite content on YouTube.”

On a support page, YouTube says that if you use ad blockers, you’ll be asked to allow ads on YouTube or sign up for YouTube Premium. If you continue to use ad blockers, YouTube may block you from watching videos at all.

Now, users are flocking to places like Reddit to complain about YouTube’s hardened stance against ad blockers.

Privacy expert Alexander Hanff has filed a complaint with the Irish DPC (Data Protection Commission) about YouTube’s ad block blocking. Hanff says that YouTube needs permission to detect ad blockers because by doing so it’s looking at something that is on the visitor’s system. In his complaint, Hanff demands that YouTube stop its anti-ad blocking policy, saying some experts call it “illegal”.

The DPC is the Irish supervisory authority for the General Data Protection Regulation (GDPR), so any outcome of this complaint might only cause changes for EU residents. We have reported about plans to introduce ad free services by Meta, TikTok, and YouTube as a way to circumvent EU rules that require platforms to get users’ consent in order to show them targeted ads.

Watch out for fakes

With all this going on, users should be extra careful about downloading new ad blockers that claim to circumvent YouTube’s blocking. Oftentimes we’ll see miscreants trying to rip off users by launching non-functional products and promoting potentially unwanted programs (PUPs).

There are many examples of fake ad blocker extensions in the Chrome Web Store that we would advise against installing.

Browser Guard

As you may know, Malwarebytes Browser Guard has a built-in ad blocker. If you still need to access an important site but you’re being asked to disable your ad blocker, you can do this by clicking on the blue M logo in your browser taskbar and set the Ad/Trackers to be disabled for that site.

Browser Guard blocks two entities on www.youtube.com



Atlassian: “Take immediate action” to patch your Confluence Data Center and Server instances

Atlassian has released an advisory about a critical severity authentication vulnerability in Confluence Data Center and Server.

All versions of Confluence Data Center and Server are affected. Atlassian Cloud sites are not impacted, so if your Confluence site is accessed via an atlassian.net domain, it is not vulnerable.

Fixed versions of Confluence Data Center and Server are:

  • 7.19.16 or later
  • 8.3.4 or later
  • 8.4.4 or later
  • 8.5.3 or later
  • 8.6.1 or later

Atlassian strongly advises applying the patch, even on instances that are not exposed to the public internet.

Customers who are unable to immediately patch their Confluence Data Center and Server instances should back them up. Instances accessible over the public internet, including those with user authentication, should be restricted from external network access until they have been patched.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVE patched in these updates is listed as:

CVE-2023-22518 (CVSS score 9.1 out of 10): a critical severity authentication vulnerability was discovered in the Confluence Server and Data Center. There is no impact to confidentiality as an attacker cannot exfiltrate any instance data.

Atlassian has said it is unaware of any exploits. Beyond describing the flaw as an authentication vulnerability that an unauthenticated attacker could use to cause significant data loss, Atlassian has released no technical details.

Atlassian CISO Bala Sathaimurthy stated:

“Confluence Data Center and Server customers are vulnerable to significant data loss if exploited by an unauthenticated attacker. There are no reports of active exploitation at this time; however, customers must take immediate action to protect their instances.”

Patching vulnerable Confluence servers is important, as cybercriminals have shown before that they make for an attractive target.


We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

SolarWinds and its CISO accused of misleading investors before major cyberattack

The Securities and Exchange Commission (SEC) has announced charges against software company SolarWinds Corporation and its chief information security officer (CISO), Timothy G. Brown, for “fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities.”

In 2020, SolarWinds announced it had been hacked and that its compromised software update channel had been used to push malicious updates to around 18,000 of its Orion platform customers. The nearly two-year-long attack was dubbed SUNBURST.

The complaint by the SEC, filed in the Southern District of New York, alleges that during the cyberattack, and perhaps before and after too, SolarWinds and Brown defrauded investors by overstating SolarWinds’ cybersecurity practices, as well as understating or failing to disclose known risks.

The SEC claims that SolarWinds “misled investors by disclosing only generic and hypothetical risks at a time when the company and Brown knew of specific deficiencies in SolarWinds’ cybersecurity practices as well as the increasingly elevated risks the company faced at the same time.”

A 2018 presentation based on an internal assessment which was shared internally, including with Brown, stated that SolarWinds’ remote access set-up was “not very secure” and that someone exploiting the vulnerability “can basically do whatever without us detecting it until it’s too late.”

In June 2020, while investigating a cyberattack on a SolarWinds customer, Brown wrote that it was “very concerning” that the attacker may have been looking to use SolarWinds’ Orion software in larger attacks because “our backends are not that resilient.”

Instead of dealing with these problems, SolarWinds and Brown “engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information.”

Even the disclosure about the SUNBURST attack was allegedly incomplete. The SEC’s complaint alleges that SolarWinds and Brown violated the antifraud provisions of the Securities Act of 1933 and of the Securities Exchange Act of 1934; SolarWinds violated reporting and internal controls provisions of the Exchange Act; and Brown aided and abetted the company’s violations.

The complaint seeks permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and an officer and director bar against Brown.


Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

What Gen Z really cares about when it comes to privacy

It would be easy to think that Gen Z doesn’t care about privacy. They worry less about ad tracking, do little to stem the flow of their private information online, and, as Malwarebytes recently uncovered, monitor one another’s lives far more than other generations.

But it isn’t that Gen Z, wholesale, doesn’t care about privacy. It’s that they care about privacy in a different way.

Unlike other generations whose privacy fears are deeply entangled with concerns of traditional cybercrimes like identity and credit card theft, Gen Z worries most about the exposure of their private information because of the chance of harassment, bullying, and lost friendships.

In fact, when it comes to many privacy concerns that have a cybersecurity overlap, Gen Z cares less overall. According to our research, compared to 51 percent of non-Gen Z, 62 percent of Gen Z agreed or strongly agreed with the following statement:

“I’m more worried about my private information being exposed online (e.g., embarrassing/compromising photos/videos, mental health, sexuality, etc.) than I am about typical cybersecurity threats (like viruses, malware etc.).”

As privacy advocates (including Malwarebytes) continue to fight for expanded digital rights amongst all users, it is paramount that we understand how to appeal to a younger generation of future recruits. For Generation Z, that data privacy fight is unlikely to deal with data brokers, Bluetooth trackers, or privacy-invasive web browsers. It is also unlikely to lean on the same concept of “privacy” itself.

Instead, the fight for “privacy” may start from the inverse: The right to control what becomes public.

Losing the fight for traditional online privacy

In October, Malwarebytes published new research into the cybersecurity and online privacy habits of 1,000 respondents in the United States and Canada. Titled “Everyone’s afraid of the internet and no one’s sure what to do about it,” the report reveals that too many people spy on their spouses, too few use unique passwords, and too many who are worried about identity theft don’t actually do anything about it (and to those people, we say: We’ve got you covered).

Deeper inside the data, though, is a depressing, new finding: We have likely lost the fight on traditional online privacy. Online ad tracking and location monitoring—which privacy advocates have lobbied against for years—are of little importance to Gen Z.

A third, or 33 percent, of Gen Z agreed or strongly agreed with the statement “I don’t mind being tracked by websites or apps,” compared with 22 percent of non-Gen Z, and 49 percent of Gen Z agreed or strongly agreed that “Being able to track my spouse’s/significant other’s location when they are away is extremely important to me,” compared with 39 percent of non-Gen Z.

Looking at disagreement with certain statements also shines light on what Gen Z finds acceptable in their own relationships. When asked how they feel about the statement “I think monitoring apps and tools are an invasion of privacy,” fewer Gen Z respondents disagreed than non-Gen Z—18 percent compared to 24 percent—revealing, perhaps, that fewer members of this younger generation will ever stand up against this type of intimate surveillance.

But for all the spying and ad tracking that Gen Z allows, their approach to obtaining consent before posting about other people is, simply put, extraordinary.

When Gen Z shares photos, videos, or information about literally anyone in their lives, they always seek consent for every type of relationship more often than non-Gen Z. More often, Gen Z always seeks consent when posting about their spouse or significant other (39 percent compared to 32 percent non-Gen Z), their close friends (41 percent compared to 32 percent), their children (39 percent compared to 29 percent), other people’s children (41 percent compared to 35 percent), their parents (38 percent compared to 29 percent), other, older family members (34 percent compared to 29 percent), other, younger family members (36 percent compared to 30 percent), and even people they don’t know or don’t know well (32 percent compared to 26 percent).

Here, we see a kernel of an idea for Gen Z privacy, in that what is shown is what matters.

What Gen Z really cares about

Despite the differences discussed above, Gen Z’s privacy “calculus” is quite similar to that of non-Gen Z. Both groups worry about personal information being used in ways that they haven’t agreed to, which can lead to consequences they’ve personally experienced.

Where non-Gen Z worries about identity theft, credit card fraud, data breaches, and good old-fashioned hacking, Gen Z simply can’t be bothered.

A full 86 percent of non-Gen Z are concerned or very concerned about their financial accounts being hacked, compared to 72 percent of Gen Z who feel the same way. Similarly, 85 percent of non-Gen Z are concerned or very concerned about having personal information or data stolen by hackers or thieves, compared to the 74 percent of Gen Z, and 86 percent of non-Gen Z are concerned or very concerned about identity theft or fraud, compared to 69 percent of Gen Z.

Gen Z’s (relative) ease with these threats is understandable—these aren’t even “threats” to them, they’re facts of life. How do you define a “stolen” Social Security Number after the attack on Equifax? How do you spend time worrying about one company’s data breach when hundreds are hacked every year?

Instead, Gen Z worries about being unable to manage the information released about them online, and the potential fallout that could—and in many cases already has—come from it.

This is first visible in the fact that Gen Z is more concerned or very concerned about having their personal struggles shared online (59 percent compared to 57 percent for non-Gen Z), having their sexual orientation exposed online (45 percent compared to 37 percent), and having embarrassing photos, videos, or information posted about them online (61 percent compared to 55 percent).

From that type of exposure, Gen Z then worries more often about interpersonal consequences than non-Gen Z. More than a third, 34 percent, of Gen Z worry about “what my friends/family would think of me” compared to 26 percent of non-Gen Z, and 29 percent worry about “what would happen to my friendships/relationships” compared to 26 percent of non-Gen Z.

More consequentially, 34 percent of Gen Z worry about being physically harmed, compared to 27 percent of non-Gen Z, while 36 percent worry about being bullied, compared to 22 percent of non-Gen Z.

Now, it may be easy to excuse some of these numbers on youth—bullying is more prevalent for students, even if it extends online—but the same fears carry over into the workplace. Again, almost a third of Gen Z, 33 percent, worry about being fired or having a work opportunity taken away because of exposed private information, compared to 29 percent of non-Gen Z.

Buoying many of these fears is the fact that many members of Gen Z have already directly faced these types of events before. Disproportionately, Gen Z deals with more harassment, abuse, blowback, and upset feelings for the things that they and others share about them online than non-Gen Z.

In the research, Malwarebytes asked respondents “Have any of the following consequences ever happened to you because of something you or someone else did or posted online?” Gen Z revealed that:

  • 20 percent have had their confidence hurt because of how they were portrayed (compared to 12 percent of non-Gen Z)
  • 23 percent suffered worsened mental health (compared to 12 percent of non-Gen Z)
  • 18 percent had someone incorrectly assume something about them or their identity (compared to 12 percent of non-Gen Z)
  • 18 percent were stalked or bullied (compared to 9 percent of non-Gen Z)
  • 17 percent lost a friend, significant other, or someone important to them (compared to 8 percent of non-Gen Z)

Amidst all the data, these responses spotlight the largest discrepancies—twice as many Gen Zers have been stalked or bullied because of something posted online, and almost twice as many have lost a close friend or partner.

The response here cannot be blamed.

In the same way that people of all ages are forced to give up sensitive information to participate in modern society—divulging Social Security Numbers on mortgage applications or passport numbers on airline websites when flying internationally—Gen Z grew up in an era where posting on social media was the norm.

Further, the judgement that Gen Z faces online often applies a binary thinking to nuanced issues. With just one Instagram post, TikTok video, or tweet, people are separated into in-groups and out-groups. Jobs can be threatened, friendships can be enflamed.

If privacy is to continue, it must offer something to its youngest participants. Today and in the future, we hope Generation Z can consider that privacy isn’t about having something to hide—it’s about choosing what to broadcast.

Patch now! BIG-IP Configuration utility is vulnerable to an authentication bypass

Tech company F5 has warned customers about a critical authentication bypass vulnerability impacting its BIG-IP product line that could result in unauthenticated remote code execution.

F5 provides services focused on security, reliability, and performance. BIG-IP is a collection of hardware platforms and software solutions that provides a wide range of services, including load balancing, web application firewall, access control, and DDoS protection.

Two security researchers found a critical vulnerability in the configuration utility of several versions of BIG-IP:

  • 17.1.0 (Fixed in 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG)
  • 16.1.0 – 16.1.4 (Fixed in 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG)
  • 15.1.0 – 15.1.10 (Fixed in 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG)
  • 14.1.0 – 14.1.5 (Fixed in 14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG)
  • 13.1.0 – 13.1.5 (Fixed in 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG)

In a post, F5 said:

“This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands.”

F5 also said customers can use iHealth to check whether they are vulnerable.
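For administrators who want an offline check before reaching for iHealth, the following is an added example (not F5's iHealth or any F5 tool) that compares a BIG-IP version string against the affected and fixed releases listed above; the sample version strings at the bottom are constructed.

```python
# Added example (not F5's iHealth or any F5 tool): an offline check of a
# BIG-IP version string against the affected and fixed releases listed above
# for CVE-2023-46747. Sample version strings are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Branch:
    first: tuple  # first affected release in the branch, as on the page
    last: tuple   # last affected release in the branch
    fixed: str    # fixed release plus the engineering hotfix F5 names

# Affected ranges and fixes exactly as listed on this page.
AFFECTED = [
    Branch((17, 1, 0), (17, 1, 0), "17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG"),
    Branch((16, 1, 0), (16, 1, 4), "16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG"),
    Branch((15, 1, 0), (15, 1, 10), "15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG"),
    Branch((14, 1, 0), (14, 1, 5), "14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG"),
    Branch((13, 1, 0), (13, 1, 5), "13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG"),
]

def parse_version(text):
    """'16.1.3.1' -> (16, 1, 3, 1); rejects anything that is not dotted integers."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) < 3:
        raise ValueError(f"unexpected BIG-IP version: {text!r}")
    return parts

def assess(version_text):
    """Return (status, advice); status is 'vulnerable', 'fixed' or 'unlisted'.

    The page's ranges name three components (16.1.0 - 16.1.4), so the range
    test uses the first three numbers; the fixed release has four, so that
    comparison uses the full tuple. A base version at or above the fixed
    release still needs the ENG hotfix applied to count as fixed."""
    v = parse_version(version_text)
    for b in AFFECTED:
        if v[:2] != b.first[:2]:          # different major.minor branch
            continue
        fixed_release = b.fixed.split(" ")[0]
        if v >= parse_version(fixed_release):
            return "fixed", f"at or above {fixed_release}; confirm the ENG hotfix is installed"
        if b.first <= v[:3] <= b.last:
            return "vulnerable", f"upgrade to {b.fixed}"
    return "unlisted", "branch not in this advisory (End of Technical Support versions were not evaluated)"

if __name__ == "__main__":
    for sample in ("16.1.3", "16.1.4.1", "17.1.0", "15.1.10.2", "12.1.5"):  # constructed
        print(sample, *assess(sample))
```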

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. This CVE is listed as:

CVE-2023-46747 (CVSS score 9.8 out of 10): Undisclosed requests may bypass configuration utility authentication, allowing an attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

BIG-IP defines a self IP address as an IP address on the BIG-IP system that you associate with a virtual local area network (VLAN), to access hosts in that VLAN. A customer normally assigns self IP addresses to a VLAN when they initially run the Setup utility on a BIG-IP system.

An authentication bypass happens when someone claims to have a given identity, but the software does not prove or insufficiently proves that the claim is correct.

Remote code execution (RCE) is when an attacker can run commands or code of their choosing on a target computing device over a network, no matter where the device is located.

As a rule, if the BIG-IP Traffic Management User Interface is exposed to the internet, the system in question is affected. It’s estimated that there are over 6,000 external-facing instances of the application.

The researchers say exploitation of the vulnerability could lead to a total compromise of the F5 system by executing arbitrary commands as root on the target system.

“A seemingly low impact request smuggling bug can become a serious issue when two different services offload authentication responsibilities onto each other.”

Actions

If you are running a vulnerable version, F5 has a list of updates here.

If you can’t install a fixed version for any reason, then F5 advises you can block Configuration utility access through self IP addresses or block Configuration utility access through the management interface.

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Malvertising via Dynamic Search Ads delivers malware bonanza

Most, if not all, malvertising incidents result from a threat actor either injecting code into an existing ad or intentionally creating one. Today, we look at a different scenario where, as strange as that may sound, the malvertising was entirely accidental.

The reason this happened was due to the combination of two separate factors: a compromised website and Google Dynamic Search Ads.

Unbeknownst to the site owner, one of their ads was automatically created to promote a popular program for Python developers, and visible to people doing a Google search for it. Victims who clicked on the ad were taken to a hacked webpage with a link to download the application, which turned out to install over a dozen different pieces of malware instead.

Compromised website promotes software crack

While we identified the compromised ad before the website, we will first describe what happens from the point of view of the site owner to better understand what led to the ad creation in the first place.

This website is for a business that specializes in wedding planning and their portfolio includes testimonials from previous customers sharing their story and experience. Unfortunately, some of those pages have been injected with malware that spams malicious content into them.

In particular, it changes the page’s title and creates an overlay that promotes a serial key for various software programs. For example, the screenshot below shows that overlay advertising a license key for PyCharm, a popular program used by software developers:

image 54
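A site owner can catch this kind of injection before an ad is built from it by comparing each page against a known-good baseline. The following is an added example, not Malwarebytes or the site owner's tooling: it flags a page whose <title> no longer matches the expected one and whose text carries "serial key" wording alongside off-site download links; the sample page, baseline title and keyword list are constructed assumptions.

```python
# Added example (not Malwarebytes or the site owner's code): flag the spam
# injection described above by checking a page's <title> against the owner's
# baseline and looking for "serial key" overlays that link off-site.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed keyword list; extend to whatever the injected overlays advertise.
BAIT = re.compile(r"\b(serial key|license key|crack|keygen|activation code)\b", re.I)

class PageScan(HTMLParser):
    def __init__(self):
        super().__init__()
        self.title, self._in_title, self.text, self.links = "", False, [], []

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a" and dict(attrs).get("href"):
            self.links.append(dict(attrs)["href"])

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data
        self.text.append(data)

def scan_page(html, expected_title, own_host):
    """Return findings for one page; an empty list means nothing suspicious."""
    p = PageScan()
    p.feed(html)
    findings = []
    if p.title.strip() != expected_title:
        findings.append(f"title changed: {p.title.strip()!r}")
    bait = sorted({w.lower() for w in BAIT.findall(" ".join(p.text))})
    if bait:
        findings.append(f"bait wording present: {bait}")
    # Off-site links only count when paired with bait wording; a testimonial
    # page linking to a vendor or venue is not an injection.
    offsite = [u for u in p.links if urlparse(u).netloc not in ("", own_host)]
    if bait and offsite:
        findings.append(f"off-site download links: {offsite}")
    return findings

# Constructed sample mirroring the injection: title rewritten to a PyCharm
# license pitch, an overlay with a download link, original content left intact.
SAMPLE = """<html><head><title>JetBrains PyCharm Professional License Key</title></head><body>
<div id="overlay">Get your PyCharm serial key here: <a href="https://downloads.example.invalid/File.7z">Download</a></div>
<h1>Our happy couples</h1><p>Emma and Tom shared their story.</p></body></html>"""
```

Run `scan_page(SAMPLE, "Emma & Tom | Wedding Planning Testimonials", "wedding.example")` to see all three findings fire on the constructed page.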

Malvertising via Dynamic Search Ad

Dynamic Search Ads (DSA) are a type of Google ad that uses the content of a website to automate the creation of ads. While this feature is very handy for advertisers, it also carries an unlikely but real potential for abuse. Indeed, if someone is able to modify the website’s content without the owner’s knowledge, automated ads may be entirely misleading.

image 55

Circling back to where our investigation started, this is what we first saw when doing a Google search for ‘pycharm’. The ad’s headline shows “JetBrains PyCharm Professional” while the content snippet has gathered a bunch of keywords related to the wedding business. Obviously, there is a discrepancy here between what the ad’s title promotes (a program for developers) and the ad’s description (wedding planning).

image 56

What happened here is Google Ads dynamically generated this ad from the hacked page, which makes the website owner an unintentional intermediary and victim paying for their own malicious ad.

Fake serial leads to malware bonanza

People searching for PyCharm may not take the time to read the ad’s description, but instead will simply click on the headline. From there, they will be redirected to the compromised page showing the overlay with the link to download the serial key. While not everyone will proceed at this point, those who do will have an experience they aren’t likely to forget:

image 57

Running this installer results in a deluge of malware infections, the likes of which we have only seen on rare occasions, rendering the computer completely unusable:

image 58

Sometimes, an inexperienced criminal may want to monetize as many software loads as possible in order to earn a commission on each. Clearly this is not an elegant attack, as the victim will be aware their computer has been loaded with unwanted programs.

Whatever the case may be, downloading cracks or serial keys is akin to walking across a minefield, and you typically only do it once.

Summary

This incident is not your typical malvertising case and in fact, it’s unlikely that whoever hacked that website was even aware of this happening. Compromised sites can be monetized in many different ways and usually threat actors expect traffic to come from organic search results, not ads.

From an ad quality point of view, this would be difficult to detect in the sense that the ad has been paid for by a legitimate business and takes users to the correct destination. There is no malicious redirect to a fake domain that attempts to deceive users like we have seen before.

Google may be able to detect that the website has been compromised because it contains spam injections. If that is the case, Dynamic Search Ads may inadvertently promote malicious content.

We recommend that users practice safe browsing and always be cautious with sponsored content. Downloading cracked software has never been a good idea, but if you do, always make sure it is clean before you run it.

We have informed the wedding planner business that their website is currently compromised and leading to malicious content.

Malwarebytes already detected all the payloads with its anti-malware and heuristic engines:

image 59

Indicators of Compromise

Download URL for fake serial:

eplangocview[.]com/wp-download/File.7z

Subsequent malware download URLs:
