FBI warns of multiple ransomware attacks on same victim

The Federal Bureau of Investigation (FBI) has released a notification that highlights two trends emerging across the ransomware environment.

The trends the FBI says it’s noticed since July 2023 are:

  • Multiple ransomware attacks on the same victim in close date proximity.
  • New data destruction tactics in ransomware attacks.

With multiple, or dual ransomware attacks, the FBI says cybercriminals deployed two different ransomware variants against victim companies, using the following variants: AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum, and Royal. These variants were deployed in various combinations.

This use of dual ransomware variants resulted in a combination of data encryption, exfiltration, and financial losses from ransom payments. Although some of the same principles apply, these tactics are even worse than experiencing a ransomware reinfection. Second ransomware attacks against an already compromised system could cause significant harm: Besides making it harder to remediate and causing extra delays in getting everything back up and running, it also frustrates and discourages those working on the affected systems.

According to the FBI’s data, the majority of ransomware incidents targeting the same victim take place within a 48-hour timeframe. The FBI report doesn’t say anything about the possible reasons why this is happening, but there are a few we could think of.

  • Rivalry between ransomware gangs
  • Initial Access Brokers selling to multiple ransomware operators
  • Extra pressure on the victim to pay the ransom

The second trend, according to the FBI, is that multiple ransomware groups have increased the use of custom data theft, wiper tools, and malware to pressure victims to negotiate. In some cases, new code was added to known data theft tools to prevent detection. In other cases in 2022, malware containing data wipers remained dormant until a set time, then executed to corrupt data in alternating intervals.

We can safely say that these are indeed tactics that may drive a victim to the negotiation table. Having a ticking time-bomb next to your network that may wipe critical data at a certain time will leave you looking frantically for the trigger and other ways to escape the ordeal.

The FBI wants victims to notify it of an attack. If your organization has experienced a ransomware event, you should provide law enforcement agencies with the most complete reporting possible. A complaint can be filed with the Internet Crime Complaint Center (IC3).

Organizations can also contact their local FBI field office, which will ask for the following information:

  • The date of ransomware attack.
  • How the infection occurred.
  • Ransom amount demanded.
  • Ransom amount paid, if any.
  • The ransomware variant.
  • Information about your company, such as industry, size, etc.
  • Victim impact statement.
  • Losses due to the ransomware attack.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

Food delivery robots give captured video footage to police

In what sounds like a new step towards Skynet, footage from a food delivery robot has been used as part of a criminal investigation.

As 404 Media reports, the food delivery robots that are deployed for Uber Eats in Los Angeles are operated by Serve Robotics, which ultimately wants to deploy up to 2,000 robots. These robots are autonomous, although remotely supervised.

In emails obtained by 404 Media, the news outlet learned that Serve Robotics uploaded robot camera footage in a grand larceny case where two men tried to steal one of its robots. Based on the footage, the suspects were arrested and convicted.

Email from Serve Robotics to LAPD confirming upload of the video (image courtesy of 404 Media)

Serve Robotics mentioned the incident in a blog about how its robots make use of public resources. In this blog it states:

“This [trust] principle also means not using robots for surveillance or other purposes that violate the public’s sense of privacy, and upholding strict data policies that do not undermine privacy.”

The first time I read about the case, I must admit I shrugged as well. It seems reasonable that the company would provide evidence in a case where their own property was involved. However, what’s more worrying is that 404 Media has learned that Serve Robotics wants to work more with the LAPD, who are no doubt excited by the opportunity to have additional eyes moving around the city.

In the same blog, Serve Robotics states:

“And when it comes to engaging law enforcement in rare instances of robot vandalism or attempted theft, our policy is to report to police any violent incidents or serious criminal conduct that may put public safety at risk (e.g., organized crime, use of weapons, etc.).”

Serve Robotics handing over video evidence from a single Uber Eats delivery does not represent a widespread surveillance network. In fact, the company’s policy is to routinely delete video captured by robots during their delivery work except when “compelling safety or security concerns” exist.

The privacy policy of the company that operates the robots, unsurprisingly, focuses on its customers. It doesn’t mention the people that might be filmed by a robot they happen to encounter on the streets.

But one thing history has taught us is that eventually most computer vision will be used for surveillance purposes against human beings. The Electronic Frontier Foundation has already warned about the impending privacy threat brought about by self-driving cars.

“The sheer amount of visual and other information collected by a fleet of cars traveling down public streets conjures the threat of the possibility for peoples’ movements to be tracked, aggregated, and retained by companies, law enforcement, or bad actors—including vendor employees. The sheer mass of this information poses a potential threat to civil liberties and privacy for pedestrians, commuters, and any other people that rely on public roads and walkways in cities.”

The EFF mentions at least nine warrants served to a self-driving car company and calls for strong privacy laws that address both the personal data that the cars process and police access to that data. Combined with the robots and all the static cameras, that makes for a whole lot of eyes watching us in the streets. And as we learned from our most recent episode of Lock and Code, cars are not just spying on people outside of the car.

This growing fleet of moving eyes, combined with the already present static ones, is posing a serious threat to our privacy. Basically, we are—justifiably—pointing a finger at totalitarian regimes that are constantly monitoring their population, while at the same time we are allowing commercial parties with privacy policies that are designed to defend themselves in court, to spy on us and hand over the gathered information to law enforcement.

We are not capable of sending someone back to the past to rectify these developments, so we need to act now if we don’t like what’s on the privacy horizon.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Ransomware reinfections on the rise from improper remediation

Attack. Remediate. Repeat?

Speak to any organization infiltrated by ransomware—the most dangerous malware in the world—and they’ll be blunt: They’d do anything to avoid getting hit twice. But ransomware attacks have been ramping up in 2023 and reinfections are occurring all over the globe, forcing lean IT teams to prepare.

Why are businesses getting hit with ransomware more than once? Those that pay the ransom and trust that cybercriminals will leave them alone afterwards (they don’t) represent a small portion. Most reinfections are an indication that the weaknesses that led to the initial breach still haven’t been addressed. In other words, multiple ransomware attacks are the result of improper remediation. And with fewer resources, smaller budgets, and lower levels of security maturity, remediation mistakes are far more common for smaller IT-constrained organizations than most enterprises.

While a single ransomware incident could cause serious financial and reputational problems, multiple attacks could close a company’s doors for good. Read on to learn how to avoid remediation mistakes, prevent multiple cyberattacks, and keep cyber enemy #1 out of your organization’s systems. And let me know if you’d like to connect about how our solutions can help your organization remain resilient against ransomware and reinfections.

Ransomware woes doubled by reinfection after improper remediation

In November 2022, a small trades contractor in Alberta, Canada, received an alert for an elevated account running unauthorized commands and dumping credentials. One day later, their company’s systems and data were encrypted with ransomware.

After cleaning all remnants of the attack from the network, security experts recommended password resets for all privileged, non-privileged, and service accounts, as well as two-factor authentication (2FA) for VPN and email access. The business followed most of the recommendations for password resets but failed to implement 2FA. By December 2022, they were encrypted with ransomware again. There were just 47 days between the initial and secondary attacks.

The Canadian contractor represents a problem that’s scaled into full-blown crisis for organizations around the world: Ransomware attacks are on an unprecedented upswing, with more gangs and affiliates launching more strikes against more businesses than ever before. A new report from the Malwarebytes Threat Intelligence team determined that between July 2022 and June 2023, US organizations were besieged by 1,460 ransomware attacks—43 percent of all reported ransomware events globally—as much as the next 22 countries combined.

To add insult to injury, the 2023 State of Ransomware Report found that the number of monthly ransomware attacks climbed 75 percent between the first and second halves of the year, with a total of 48 separate ransomware groups assailing US businesses. All in all, nearly three-quarters of all US organizations have been impacted by ransomware this year.

Although companies of all sizes are feeling the heat, small businesses—which often have resource-constrained IT teams—have become the choice target of threat actors. A Devolutions report on IT security for SMBs found 60 percent have experienced at least one cyberattack in the past year, while 18 percent have endured six or more. Meanwhile, 66 percent of SMBs testified to one or more ransomware attacks on their business this year—an increase of 44 percent over just three years.

While it’s easy to see how a ransomware attack can destroy a small business, remember that it isn’t just small businesses under threat. Any corporation that is lacking in IT staff, budget, resources, or time to investigate and prioritize cyberthreats could be at risk: A single ransomware attack can cause massive financial, logistical, and reputational damage—sometimes enough to shutter a business for good. Of the organizations that reported ransomware losses in 2022, more than two-thirds (67 percent) said their costs reached between $1 million and $10 million, while 4 percent estimated a staggering $25–$50 million.

But how and why are some organizations suffering multiple attacks? The answer lies in remediation.

How do ransomware reinfections happen?

Many ransomware attacks aren’t the start of an organization’s problem; they’re the result of a long unresolved network compromise. Threat actors gain initial access by stealing login credentials, deploying malware, or establishing a backdoor—a secret gateway into the network that can be exploited later. This is like leaving a hidden door unlocked for future visits.

Once cybercriminals gain entry, they’ll look to further infiltrate the organization by searching for vulnerabilities, escalating privileges, reconfiguring security controls, stealing additional credentials, and exfiltrating other sensitive data. If they still haven’t been discovered, they’ll launch ransomware, encrypting data and systems so employees can no longer access them. The 2023 Verizon DBIR confirms that ransomware is present in more than 62 percent of all incidents committed by organized crime actors, 59 percent of incidents with financial motivation, and 24 percent of data breaches—i.e., the majority of security incidents.

When ransomware actors attack businesses today, they leave behind artifacts and reconfigurations that many security programs can’t or won’t detect as suspicious. Even after mitigating a ransomware attack, hidden doors may remain unnoticed, enabling threat actors to reactivate dormant artifacts or use access that was previously attained through stolen credentials, backdoors, or reconfigurations. This is the essence of ransomware reinfection: It’s essentially a problem with remediation.

Why are organizations suffering ransomware reinfections?

While the “how” of ransomware reinfection is almost entirely technical, the “why” is quite human.

Businesses with small IT teams that have fewer resources, lower budgets, and fatigued IT staff—or no IT or security staff at all—must often place their faith in an increasing number of complex security products. And while those products can help IT teams clean endpoints and restore systems after cyberattacks, and provide fully automated ransomware recovery processes in minutes, they often require robust, well-rested IT teams behind them.

Only 36 percent of SMBs have added security staff since the beginning of the pandemic and just 8 percent are now working with an external vendor like a managed service provider (MSP). Separately, security fatigue affects 42 percent of businesses overall, and it can impact a wide range of activities from authentication to notification.

These are the human problems of technical solutions. Small IT teams need something different.

Most common remediation fails

Now that you know the how and why of ransomware reinfections, it’s time to learn about the most common remediation mistakes that lead to reinfection. Often, the “mistake” is not a mistake at all, but an oversight or a stealthy artifact that remains undetected. The following sections demonstrate just how difficult remediation can be and why resource-constrained IT teams benefit from partnering with a third-party security firm or MSP for their cybersecurity needs.

Tough to detect or remove malware

After a cyberattack, remnants of malware and related artifacts can be left behind. Some artifacts are detected and quarantined by antivirus software, but the malware is still active on some level. If there’s a run key in the registry, all it takes for the infection to reassert itself is a reboot. Malware can also remain undetected while beaconing to a command and control (C2) server for weeks before finally receiving instructions.

Case in point: After recovering from a ransomware attack in December 2022, an SMB purchased Malwarebytes Managed Detection and Response (MDR) and EDR. Immediately after installing EDR, detections for additional ransomware were identified. Our MDR analyst also spotted files linked to the previous attack, attempted outbound communications to a known malicious C2 server, and remote inbound RDP connection attempts. Despite having completely rebuilt their systems from backup, the ransomware was never fully remediated.

Some malware and related artifacts have tricky persistence mechanisms that make them difficult to detect and remove, such as fileless malware, scripts, or droppers like QBot. Just a few days after the MDR analyst helped the new customer identify and remove additional ransomware, a previously unencountered persistence mechanism was discovered, triggering a threat hunt that revealed even more hidden gems: two compromised domain admin accounts, a domain controller, and an SQL server.

Sometimes legitimate software programs, including IT admin tools, can be leveraged against networks by cybercriminals. This happens most frequently when companies fail to patch in a timely manner. Even a threat scan wouldn’t quarantine the program because the software itself is safe. Exploits such as Log4j take advantage of vulnerabilities in networks and applications to download legitimate remote IT admin tools, which they then use to take control of servers, change access permissions, exfiltrate data, and ultimately hold organizations for ransom.

In some cases, cybercriminals can even compromise one legitimate program for access to another, abusing both for nefarious purpose. One customer had Office 365 compromised and worked with Microsoft to resolve the threat. But unbeknownst to them (and knownst to us), criminals had also reset login access to Malwarebytes Nebula using the compromised email.

Once access to the email was terminated in the initial remediation with Microsoft, the bad guys began using Nebula and audience response systems (ARS) to continue the attack, running commands, disabling protections, and changing policies. In fact, cybercriminal reconfigurations would never show up in security sweeps unless IT staff routinely audit controls and recognize unfamiliar changes.

Failure to act

Responding to and remediating ransomware is about more than identifying hidden malware and artifacts. It’s also about taking the proper precautions in the wake of an incident. The following is a shortlist of inaction that’s most likely to lead to repeated attacks.

Failing to patch: Among companies that suffered one or more ransomware attacks in the last year, 36 percent of those attacks were carried out via exploited vulnerabilities. Most of these could have been avoided if organizations practiced diligent patching. In over half of attacks where an exploited vulnerability was the root cause, either ProxyShell or Log4Shell vulnerabilities were present, despite patches having been available since 2021.

Neglecting to reset credentials: Once systems have been recovered and cleaned, and it’s confirmed the network is secure, SMBs should reset all passwords for privileged, non-privileged, and third-party accounts. Compromised credentials were the root cause of 29 percent of ransomware attacks against businesses this year. Chances are cybercriminals have at least one employee’s password that could be used to infiltrate your company—especially if staff members reuse passwords across business and personal accounts.

Declining to collect and preserve log data: Log data can be crucial to identifying how cybercriminals accessed and compromised your systems in the first place. If critical logs are not retained for a sufficient time, IT teams may not be able to determine key information about the incident, including which assets were affected and whether other threats were present.

Lack of planning: 44 percent of SMBs do not have a comprehensive, updated incident response plan. Without a blueprint for action during arguably the most stressful event an IT team might encounter, blunders are bound to occur. Incident response plans should highlight segregation of duties, key team members, top-level data assets, risk factors, and communications protocols during an attack.

Only fixing symptoms, not root cause: Playing “whack-a-mole” by blocking an IP address, without taking steps to determine the binary and how it got there, leaves threat actors an opportunity to change tactics and retain network access. One SMB customer discovered repeated blocked outbound connections from PowerShell and learned it was a command contacting a website and running a .log file. The customer deleted the .log file thinking it was the solution, but there were scheduled tasks and more still left in the system. Because they didn’t address the whole problem, the outbound blocks started again the next day.

Acting too fast

After determining that company systems are compromised, IT admins might be tempted to take immediate action. Although well intentioned to limit potential damage, some actions have the adverse effect of either modifying data that could help the investigation or tipping threat actors off that you’re aware of the compromise, forcing them to hide their tracks or launch more damaging attacks. To avoid this outcome, organizations should refrain from:

  • Mitigating affected systems before responders can protect and recover data. This can cause loss of volatile data, such as memory and other host-based artifacts, and let the adversary know you’re onto them.
  • Touching or preemptively blocking cybercriminal infrastructure (pinging, nslookup, browsing, etc.). Network infrastructure is fairly inexpensive, so enemies can easily change to new command and control infrastructure, causing the target organization to lose sight of their activity.
  • Resetting credentials too soon. Threat actors likely have multiple credentials or, worse, access to your entire Active Directory. If you reset before confirming all systems are clear, criminals will simply use other credentials, create new credentials, or forge tickets.
  • Communicating over the same network as the incident response is being conducted. This is a surefire way to let the bad guys know exactly what you know. Ensure all communications are held out-of-band during response and remediation.
  • Paying the ransom. This could not only fail in restoring critical data, but it invites cybercriminals to attack again. In fact, a 2022 Cybereason report found 81 percent of ransomware victims that paid the ransom were hit a second time. More than two-thirds of businesses said the second attack came less than a month after the first, with an increased ransom demand to boot. If that situation isn’t desperate enough, consider that 40 percent paid the second ransom and 10 percent shelled out for a third.

Ways to avoid ransomware reinfection

While a numbered list could never replace our remediation experts, there are a few tried-and-true, high-level actions that resource-constrained IT teams can take to help protect against ransomware attacks, whether it’s the first or sixth time getting hit.

  1. Turn on real-time monitoring and logging to stay up-to-date on suspicious activity within your networks and devices. The alerts may be overwhelming, but it’s important to at least be aware of them. If a security incident does take place, retain critical log data for at least one year.
  2. Audit access privileges on a regular basis, especially for anyone with administrator permissions. Remove any unknown admins immediately.
  3. Deploy 2FA or MFA for everyone in the organization, especially remote workers using VPNs, to stop attackers from using stolen passwords or brute forcing their way in. In most cases, cybercriminals are stopped by the second authentication request.
  4. Update all software regularly and as soon as patches are released to plug any vulnerabilities. Turn on automatic updates, if possible.
  5. Do not rely solely on automated software to resolve security incidents and attacks. Ensure any access points, security configurations, and IT admin programs are clear before closing the case.
  6. Back up data: Once you’ve confirmed all systems are clean, back up copies of data from endpoints and preserve them offline in another physical location. According to Sophos’ 2023 ransomware report, 45 percent of businesses that used physical backups were able to fully recover from a ransomware attack in a week vs. one to six months.
  7. Take employees on a cybersecurity journey, showing them how important their role is to the safety of the organization. This can be done through training, shadowing, inviting staff to security meetings, and giving them the tools to help themselves, such as access to awareness resources or AV software for personal devices.
  8. If a particular threat is difficult to remove, bring in cybersecurity experts to look at your network traffic and logs and give a concise report on what’s happening.
  9. If possible, engage with a dedicated security organization or MSP to keep expert eyes on the glass 24/7 and stop cyberattacks before they get off the ground. However, if onboarding a security partner during incident response, they should provide subject matter expertise and technical support, ensure that the threat actors are eradicated from the network, and catch residual issues that could result in follow-up compromise once the incident is closed.


A week in security (September 25 – October 1)

Last week on Malwarebytes Labs:

Stay safe!


Update Chrome now! Google patches another actively exploited vulnerability

Google has updated the Stable Channel for Chrome to 117.0.5938.132 for Windows, Mac and Linux. This update includes ten security fixes. According to Google there is an active exploit for one of the patched vulnerabilities, which means cybercriminals are aware of the vulnerability and are using it.

The easiest way to update Chrome is to allow it to update automatically, which basically uses the same method as outlined below but does not require your attention. But you can end up lagging behind if you never close the browser or if something goes wrong—such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time, given the severity of the vulnerabilities in this batch. My preferred method is to have Chrome open the page chrome://settings/help which you can also find by clicking Settings > About Chrome.

If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete.

screenshot of up-to-date Chrome

After the update, the version should be 117.0.5938.132 for Windows, or later.

Google never gives out a lot of information about vulnerabilities, for obvious reasons. Access to bug details and links may be kept restricted until a majority of users are updated with a fix. However, from the update page we can learn a few things.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The zero-day patched in this update is listed as CVE-2023-5217, which is described as a heap buffer overflow in vp8 encoding in libvpx.

A buffer overflow is a type of software vulnerability that exists when an area of memory within a software application reaches its address boundary and writes into an adjacent memory region. In software exploit code, two common areas that are targeted for overflows are the stack and the heap.

The heap is an area of memory made available for use by the program. The program can request blocks of memory for its use within the heap. In order to allocate a block of some size, the program makes an explicit request by calling the heap allocation operation.
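As an added illustration (not code from Chrome, libvpx, or the original article), the following C program shows the pattern behind a heap buffer overflow: a block requested from the allocator, a write that trusts a caller-supplied length, and the bounds check that makes the same write safe. The `frame_buf_*` names and the 8-byte capacity are constructed for the example.

```c
/* Added example: a minimal heap-allocated output buffer with an unchecked
 * append beside its bounds-checked form. The frame_buf_* names are
 * hypothetical and unrelated to libvpx. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

typedef struct {
    uint8_t *data;     /* heap block obtained from malloc() */
    size_t   capacity; /* size requested from the allocator */
    size_t   used;     /* bytes written so far (always <= capacity) */
} frame_buf_t;

/* Allocate a fixed-capacity buffer on the heap. Returns NULL on failure. */
frame_buf_t *frame_buf_new(size_t capacity) {
    frame_buf_t *b = malloc(sizeof *b);
    if (!b) return NULL;
    b->data = malloc(capacity);
    if (!b->data) { free(b); return NULL; }
    b->capacity = capacity;
    b->used = 0;
    return b;
}

void frame_buf_free(frame_buf_t *b) {
    if (!b) return;
    free(b->data);
    free(b);
}

/* Vulnerable pattern: trusts the caller-supplied length. If `len` exceeds
 * the remaining capacity, memcpy writes past the end of the heap block into
 * whatever the allocator placed next to it. Kept only to show the missing
 * check; never call it with len > capacity - used. */
void frame_buf_append_unchecked(frame_buf_t *b, const uint8_t *src, size_t len) {
    memcpy(b->data + b->used, src, len);
    b->used += len;
}

/* Returns 1 when appending `len` bytes would run past the allocation.
 * The subtraction cannot underflow because used <= capacity. */
int frame_buf_would_overflow(const frame_buf_t *b, size_t len) {
    return len > b->capacity - b->used;
}

/* Hardened form: the write is refused (-1) unless it fits; 0 on success. */
int frame_buf_append_checked(frame_buf_t *b, const uint8_t *src, size_t len) {
    if (frame_buf_would_overflow(b, len)) {
        return -1; /* reject instead of corrupting adjacent heap memory */
    }
    memcpy(b->data + b->used, src, len);
    b->used += len;
    return 0;
}

/* Appends `first` then `second` bytes into a fresh buffer of `cap` bytes via
 * the checked path and returns how many of the two appends were accepted
 * (0, 1 or 2); -1 on allocation failure or lengths beyond the sample input. */
int checked_append_count(size_t cap, size_t first, size_t second) {
    uint8_t src[64];
    memset(src, 0xAB, sizeof src); /* constructed "encoded" payload bytes */
    frame_buf_t *b = frame_buf_new(cap);
    if (!b || first > sizeof src || second > sizeof src) {
        frame_buf_free(b);
        return -1;
    }
    int accepted = 0;
    if (frame_buf_append_checked(b, src, first) == 0) accepted++;
    if (frame_buf_append_checked(b, src, second) == 0) accepted++;
    frame_buf_free(b);
    return accepted;
}

int main(void) {
    /* Constructed input: a 16-byte chunk against an 8-byte heap buffer. */
    uint8_t chunk[16];
    memset(chunk, 0xAB, sizeof chunk);

    frame_buf_t *b = frame_buf_new(8);
    if (!b) return 1;

    frame_buf_append_unchecked(b, chunk, 4); /* in bounds: 4 of 8 used */
    printf("checked append of 4 more -> %s\n",
           frame_buf_append_checked(b, chunk, 4) == 0 ? "ok" : "rejected");
    printf("checked append of 16 more -> %s\n",
           frame_buf_append_checked(b, chunk, sizeof chunk) == 0 ? "ok" : "rejected");
    /* frame_buf_append_unchecked(b, chunk, sizeof chunk) would overflow here. */

    frame_buf_free(b);
    return 0;
}
```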

The open source video codec library libvpx serves as the reference software implementation for the VP8 and VP9 video coding formats. Reportedly, the weakness lies in the VP8 encoding part of the library. The exploitation occurs when a program uses one method to allocate or initialize a resource, but an incompatible method then accesses that resource, potentially providing unsecured access to the browser’s memory.

As we have seen, such attacks can be leveraged in an attack chain to fully compromise a vulnerable device. And given the huge Chrome userbase, this makes the browser an attractive target. Libvpx, as part of the WebM Project, is used in many other applications, so there could be more updates coming your way.


We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Dependabot impersonators cause trouble on GitHub

GitHub is experiencing issues of the “breached account and malicious code” variety. ITPro reports that unnamed individuals have been compromising accounts and using them to install malware capable of password theft. It’s a fairly elaborate scam which even includes imitation of GitHub’s popular Dependabot feature.

To make this scam work, the attackers first obtained access tokens belonging to their targets. Once they had control over the stolen accounts, they changed the alias for those accounts to “Dependabot[bot]” and began making potentially dangerous code commits.

If you’re unfamiliar with the language of GitHub, don’t worry. GitHub is the place where developers can manage their project code. Bug tracking, software feature requests, task management, and wikis for each and every project are available to users.

When a developer is writing their code, they can eventually publish from their local workstation to GitHub’s staging directory. At this point, a “Commit” is made. The Commit is another way of saying “a snapshot”, a version of your project as it exists at a specific moment in time.

In this case, the attackers deploy malicious code into the projects they hijack. They then steal secrets from the compromised project and send them back to base. Additionally, existing JavaScript files already present in the project are tampered with to add malware. Said malware will attempt to steal passwords from form submissions and send them to the command and control server run by the attackers. Stolen tokens gave access to many private repositories, so both public and private projects were impacted.

In terms of how the attackers initially got in, some accounts were found to have been taken over by stolen personal access tokens. As Bleeping Computer notes, these tokens allowed developers to access GitHub without having to make use of two-factor authentication (2FA) steps.

With the tokens stored locally on the developer’s machine, it’s possible that someone hijacking the system could easily grab the tokens required to breach individual GitHub accounts. Whether this was achieved by malware, social engineering or phishing, nobody has the answers at time of writing.

The sneaky part of this escapade is the imitation of the previously mentioned Dependabot. This helpful addition to GitHub assists developers in keeping on top of their project and all associated dependencies tied to it. Dependabot automates dependency updating tasks which helps to keep security issues at bay.

What’s happening here is that the attackers are disguising their bogus updates under the guise of Dependabot. If you’ve been on GitHub for any length of time, seeing Dependabot pop up in relation to an update is commonplace. As a result, seeing the imitation Dependabot on a page is going to fool quite a few people, who will assume all is well.

While the imitation helper isn’t perfect and doesn’t replicate the real thing exactly, those behind this will still reap some rewards. If you’re wanting to be on the lookout for fake Dependabot posts, the most overt signifier of fake activity is the profile avatar. Dependabot has a square profile image and a “bot” tag. Regular accounts have a circular avatar and are also unable to properly replicate the bot tag signifier.
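One way to audit a repository’s recent commits for the impersonation described above, as an added example that is not code from the article or from GitHub: it assumes commit records shaped like those returned by GitHub’s REST commits API (a free-form `commit.author.name` plus a linked `author` account with `login` and `type`), and uses constructed sample records embedded inline.

```python
"""Flag commits that impersonate GitHub's Dependabot.

Added example, not Malwarebytes' or GitHub's code. The free-form commit
author name can be set by whoever makes the commit (the attackers renamed
stolen accounts to "Dependabot[bot]"), but the account GitHub links to the
commit cannot be spoofed: the genuine helper is always login
"dependabot[bot]" with type "Bot".
"""
import json
import re

# Constructed sample records, not real commit data.
SAMPLE_COMMITS = json.loads("""[
 {"sha": "aaa111",
  "commit": {"author": {"name": "dependabot[bot]", "email": "bot@example.invalid"},
             "message": "Bump lodash from 4.17.20 to 4.17.21"},
  "author": {"login": "dependabot[bot]", "type": "Bot"}},
 {"sha": "bbb222",
  "commit": {"author": {"name": "Dependabot[bot]", "email": "dev@example.com"},
             "message": "Update dependencies"},
  "author": {"login": "some-developer", "type": "User"}},
 {"sha": "ccc333",
  "commit": {"author": {"name": "dependabot [bot]", "email": "x@example.invalid"},
             "message": "chore: bump deps"},
  "author": null},
 {"sha": "ddd444",
  "commit": {"author": {"name": "Alice Dev", "email": "alice@example.com"},
             "message": "Fix typo"},
  "author": {"login": "alice", "type": "User"}}
]""")

CLAIMS_DEPENDABOT = re.compile(r"dependabot", re.IGNORECASE)


def is_impersonation(record):
    """True when the author name claims to be Dependabot but the linked
    GitHub account is missing or is not the genuine bot account."""
    claimed_name = record["commit"]["author"]["name"]
    if not CLAIMS_DEPENDABOT.search(claimed_name):
        return False  # not claiming to be Dependabot at all
    account = record.get("author")
    if not account:
        return True  # name says Dependabot, but no linked account
    genuine = account.get("login") == "dependabot[bot]" and account.get("type") == "Bot"
    return not genuine


def find_impersonations(records):
    """Return the SHAs of commits that look like fake Dependabot activity."""
    return [r["sha"] for r in records if is_impersonation(r)]


if __name__ == "__main__":
    print(find_impersonations(SAMPLE_COMMITS))  # ['bbb222', 'ccc333']
```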

Fake commit attacks have been seen before using a variety of techniques, but imitating the bot helper is new. It’s also somewhat ironic to see a GitHub function dedicated to keeping things secure being imitated in a way which severely impacts the safety of platform users. It may be that GitHub makes Dependabot even more distinctive than it already is to help ward off similar attacks in future.

Stay safe out there!



Malicious ad served inside Bing’s AI chatbot

In February 2023, Microsoft disclosed its new AI-assisted search engine, Bing Chat, powered by OpenAI’s GPT-4. Even though Google has been dominating the search industry for years, this event was significant enough to generate not only interest but also plant the seed for a possible change in the balance in the future.

Considering that tech giants make most of their revenue from advertising, it wasn’t surprising to see Microsoft introduce ads into Bing Chat shortly after its release. However, online ads have an inherent risk attached to them. In this blog, we show how users searching for software downloads can be tricked into visiting malicious sites and installing malware directly from a Bing Chat conversation. 

Malvertising via a Bing Chat conversation

Bing Chat is an interactive text and image application that provides a very different experience for online searches. After six months of it being public, Microsoft celebrated user engagement with over one billion chats.

Ads can be inserted into a Bing Chat conversation in various ways. One of those is when a user hovers over a link and an ad is displayed first before the organic result. In the example below, we asked where we could download a program called Advanced IP Scanner used by network administrators. When we place our cursor over the first sentence, a dialog appears showing an ad and the official website for this program right below it:


Users have the choice of visiting either link, although the first one may be more likely to be clicked on because of its position. Even though there is a small ‘Ad’ label next to this link, it would be easy to miss and view the link as a regular search result.

Phishing site serves malware

Upon clicking the first link, users are taken to a website (mynetfoldersip[.]cfd) whose purpose is to filter traffic and separate real victims from bots, sandboxes, or security researchers. It does that by checking your IP address, time zone, and various other system settings such as web rendering that identifies virtual machines.

Real humans are redirected to a fake site (advenced-ip-scanner[.]com) that mimics the official one while others are sent to a decoy page. The next step is for victims to download the supposed installer and run it.


The MSI installer contains three different files but only one is malicious and is a heavily obfuscated script:


Upon execution, the script reaches out to an external IP address (65.21.119[.]59) presumably to announce itself and receive an additional payload.

Search evolves, malicious ads follow

Threat actors continue to leverage search ads to redirect users to malicious sites hosting malware. While Bing Chat is a different search experience, it serves some of the same ads seen via a traditional Bing query.

In this case, the malicious actor hacked into the ad account of a legitimate Australian business and created two malicious ads, one targeting network admins (Advanced IP Scanner) and another targeting lawyers (MyCase law manager):


With convincing landing pages, victims can easily be tricked into downloading malware and be none the wiser.

We recommend users pay particular attention to the websites they visit but also use a number of security tools to get additional protection. Malwarebytes provides security software for both consumers and businesses that includes web protection, ad blocking and malware detection.

This security incident was reported to Microsoft along with a few other related malicious ads.

Indicators of Compromise

Ad URL and cloaker

mynetfoldersip[.]cfd

Fake website

advenced-ip-scanner[.]com

Malicious MSI

ca83b930c2b34a167a39dc04c7917b9f360a95586bce45842868af6b9ad849a2

Script C2

65.21.119[.]59

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Google’s Bard conversations turn up in search results

Google is coming under scrutiny after people discovered transcripts of conversations with its AI chatbot Bard are being indexed in Google search results.

Bard is Google’s answer to ChatGPT, and allows users to have conversations with an AI. Services like these have attracted a lot of attention, because with a bit of tweaking and getting used to they can be really helpful in speeding up tasks. However, many are worried about the security and privacy implications of using services like Bard and ChatGPT.

As an illustration of why people might be worried, after an update to Bard, users found Google Search had begun to index shared Bard conversational links into its search results pages. 

tweet by user that found indexed conversations

“Haha Google started to index share conversation URLs of Bard don’t share any personal info with Bard in conversation, it will get indexed and may be someone will arrive on that conversation from search and see your info Also Bard’s conversation URLs are ranking as snippets for some queries as well” 

As it turns out, this happens only if the user chooses to share the conversational link with someone. That means that if you share your Bard conversation with a co-worker or relative by sending them the link, your conversation can be scraped by Google’s crawler. And when they’re scraped by the crawler then—you’ve guessed it—they show up as search results, spilling information you never meant to make public.

If you are curious and want to have a peek at the sort of conversations that have been scraped, you can type 'site:bard.google.com/share' into the Google Search bar and hit enter. At the time of writing I got 464 results, some of which really don’t look as if they were intended to be public knowledge.

examples of indexed conversations that might have been private

Google says that sharing chats with Search was an accident and is currently working on a fix:

“Bard allows people to share chats, if they choose. We also don’t intend for these shared chats to be indexed by Google Search. We’re working on blocking them from being indexed now.”

For those that actually find damaging content in the search results, you can file a removal request with Google. 



Malwarebytes Admin update: New Detection screens to manage threats!

We released version 1.2 of the Malwarebytes Admin app for iOS and Android last week, adding new Detection features that make it easier to see and manage threats.

Designed as a companion to the Nebula console, Malwarebytes Admin allows administrators to quickly review, investigate, and resolve security issues in just a few taps. The latest version of the app features major new additions such as a Detections Screen, a Detections details screen, and dashboard filters.

With this update, customers get a detailed look at malicious activity in their environment so they can quickly spot and take action on infected endpoints. Let’s take a look at the new additions!

Dashboard View

In the dashboard view, scroll down to see the widget for latest Detections by category. 


Detections Screen

The Detections Screen allows Nebula administrators to see all of the detections in their environment. For each item in the detections list, admins can see:

  • Threat Name
  • Action Taken
  • Category (Malware, PUP, etc.)
  • Endpoint Name


Administrators are also able to filter detections by Endpoint Name, Threat Name, Action Taken, Category, and more. Filtering by date options, such as Today, Yesterday, Last 7 days, and so on, are also available.

Detections Individual Screen

On the Detections Individual Screen, Nebula administrators can view further details for individual detections by tapping on one of them. Endpoint actions are also available on the Detections Individual Screen.


Detections on Individual Endpoint Screen

Admins are able to navigate from the individual endpoint screen to a list of detections for that endpoint. The same filters from the Detections screen apply here.


Try Malwarebytes Admin today

No more having to make a beeline out of the bathtub to resolve critical alerts. Receive instant notifications on your phone and quickly review, investigate, and resolve issues in just a few taps—now with new Detection features to further streamline threat management.

Download the app for iOS or Android today and experience the convenience of having the power of Nebula right in your pocket.

Malwarebytes MDR wins G2 awards for “Best ROI,” “Easiest to Use,” and more

Malwarebytes Managed Detection and Response (MDR) earned a place in 12 of G2’s Fall 2023 reports, winning badges for “Easiest to do Business With,” “Best Est. ROI,” “Easiest to Use,” and “Easiest Admin.”

Purpose-built for resource-constrained teams, Malwarebytes MDR provides IT staff with high-focus alert monitoring and prioritization, with flexible options for remediating threats.

Each quarter, the peer-to-peer review source G2 releases reports highlighting MDR products with the highest customer satisfaction and strongest market presence. Badges are awarded to products that receive the highest overall ratings among certain categories, including the most satisfied customers. 

Let’s take a closer look at what real users said about using Malwarebytes MDR.

Easiest to Use, Easiest Admin


Malwarebytes MDR builds on the award-winning user experience of Malwarebytes Endpoint Detection and Response (EDR), enabling customers to seamlessly communicate with Malwarebytes MDR Analysts for recommendation and guidance.

On the Mid-Market Usability Index for Managed Detection and Response (MDR) in Fall 2023, G2 users rated Malwarebytes MDR several points above the industry average on the “Ease of Use” and “Ease of Admin” sub-scores.

“Malwarebytes MDR is simple to deploy and manage. They increase our security posture, meet cyber security insurance requirements, and make a great partner to augment my small IT team.”

Steve S.

“Malwarebytes MDR enables us to meet the need for 24×7 coverage with professional security experts who work in the industry every day.”

Matthew Verniere, IT Project Manager

Best Est. ROI


Malwarebytes MDR earned a “Best Estimated ROI” badge on the Mid-Market Results Index for Managed Detection and Response (MDR) in Fall 2023. Based on the survey results, customers with Malwarebytes MDR wait half as long as the industry average to go live and see ROI.

“Cyber threats are 24/7, and my team needs to sleep. The MDR team watching our network around-the-clock gives us a chance to sleep without worry. With Malwarebytes MDR backing us up, I also finally got to step away and take a two-week vacation. I’m just glad to know that we have a security team watching over our shoulders and making sure it’s all clear.” 

Dennis Davis, IT Systems Manager

Experience Malwarebytes MDR: Award-winning ROI, user-friendly, and effective threat defense

Malwarebytes MDR provides IT staff with award-winning business protection, offering 24×7 alert monitoring and guidance, active remediation, and threat hunting across endpoints. 

Try Malwarebytes MDR today and join the ranks of those who have already discovered the amazing results, support, and ROI of our exceptional managed service solutions: https://try.malwarebytes.com/mdr-consultation-new/

Get a Malwarebytes MDR quote