IT NEWS

Summary

Introduction

The majority of the malvertising campaigns we have tracked for the past few months have targeted Windows users. That’s not surprising considering that Microsoft holds the largest market share for both desktop and laptop computers.

However, we recently captured a campaign that was pushing both Windows and Mac malware, the latter being an updated version of the new but popular Atomic Stealer (AMOS) for Mac.

AMOS was first advertised in April 2023 as a stealer for Mac OS with a strong focus on crypto assets, capable of harvesting passwords from browsers and Apple’s keychain, as well as featuring a file grabber. The developer has been actively working on the project, releasing a new version at the end of June.

Criminals who buy the toolkit have been distributing it mostly via cracked software downloads but are also impersonating legitimate websites and using ads on search engines such as Google to lure victims in. In this blog post, we will provide details on one campaign targeting TradingView, a popular platform and app to track financial markets.

Distribution

Users looking to download a new program will naturally turn to Google and run a search. Threat actors are buying ads matching well-known brands and tricking victims into visiting their site as if it were the official page.

The ad below for TradingView uses special font characters (tradıņgsvıews[.]com is embedded with unicode characters: tradu0131u0146gsvu0131ews[.]com) perhaps as an attempt to appear like the real domain and evade detection from Google’s ad quality checks:

Google’s Ads Transparency Center page shows this advertiser account belongs to someone from Belarus. This is likely a compromised ad account that is being used by the threat actors.

When the user clicks on the ad they are redirected to a phishing page hosted at trabingviews[.]com:

Phishing page

The decoy site (trabingviews[.]com) looks quite authentic and shows three download buttons: one each for Windows, Mac and Linux. One way to detect a potential phishing site is by checking when it was created, which in this case was only a few days ago.

Both the Windows and Linux buttons point to an MSIX installer hosted on Discord that drops NetSupport RAT:

https://cdn[.]discordapp[.]com/attachments/1062068770551631992/1146489462025629766/TradingView-x64[.]msix

The Mac download is hosted at:

https://app-downloads[.]org/tview.php

Payload

The downloaded file (TradingView.dmg) comes with instructions on how to open it in order to bypass GateKeeper. Unlike regular apps, it does not need to be copied into the Mac’s Apps folder but is simply mounted and executed.

The malware is bundled in an ad-hoc signed app meaning it’s not an Apple certificate, so it cannot be revoked. Once executed, it will keep prompting for the user password in a never ending loop until victims finally relent and type it in.

The attacker’s goal is to simply run their program and steal data from victims and then immediately exfiltrate it back to their own server. The image below shows the kind of data that can be collected:

A critical part of any infostealer operation is the back end server that will receive the stolen data. AMOS developers are advising their customers to use a bulletproof server such as the one below:

Protection

Malvertising continues to be an effective vector to target new victims by abusing the trust they have in their search engines. Malicious ads coupled with professional-looking phishing pages make for a potent combo that can trick just about anyone.

While Mac malware really does exist, it tends to be less detected than its Windows counterpart. The developer or seller for AMOS actually made it a selling point that their toolkit is capable of evading detection.

Before running any new program, make sure to double check its origins. If you clicked on an ad to download a new application, you may want to go back and revisit the official website directly, or at least spend some time verifying that the current website really is the right one, and not a fake.

With stealers such as AMOS, it’s also important to run an antivirus that has real time protection so that it blocks the malware before valuable data gets stolen.

Malwarebytes detects this malware as OSX.AtomStealer.

Indicators of Compromise

Ad domain:

xn--tradgsvews-0ubd3y[.]com

Phishing domain:

trabingviews[.]com

AMOS installer download:

app-downloads[.]org/tview.php

AMOS installer (dmg):

6b0bde56810f7c0295d57c41ffa746544a5370cedbe514e874cf2cd04582f4b0

AMOS malware:

ce3c57e6c025911a916a61a716ff32f2699f3e3a84eb0ebbe892a5d4b8fb9c7a

AMOS C2:

185.106.93[.]154

Malwarebytes EDR and MDR remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Researchers at the University of Wisconsin–Madison have demonstrated that Chrome browser extensions can steal passwords from the text input fields in websites, even if the extension is compliant with Chrome’s latest security and privacy standard, Manifest V3.

To prove it, they created a proof of concept browser extension that could steal passwords and put it through the Chrome Web Store review process.

Browser extentions are small applications like ad blockers and password managers that extend the capabilities of browsers. In order to do what they do they enjoy a high degree of access to both the web browser and the pages the browser displays. This creates a significant challenge for vendors like Google.

On the one hand, the more access browser extensions enjoy, the more they can do and the more useful and featureful they can be. On the other hand, extensions are made by third-parties who may or may not be trustworthy, and the more access they have, the more harm they can do if they are malicious.

Google’s best, most recent stab at enforcing a sensible balancing act between those two things is the Manifest V3 standard, which has also been adopted by Microsoft Edge and Mozilla Firefox.

Manifest V3 tightens up security in a number of ways, most notably by stopping extensions from downloading code from remote websites. This stops them from changing their functionality after they’ve been installed, which makes it easier for Google to understand what an extension does during the Chrome Web Store review process.

Although Manifest V3 makes life tougher for malicious extensions that want to steal passwords and other sensitive information, the researchers have demonstrated it’s still possible to get a password-stealing extension through the review process.

The attack is feasible because the interaction between the extensions and the web pages has not changed. The extensions can still access entire contents of the web pages, including text input fields where users may enter sensitive information such as passwords, Social Security Numbers (SSN), and Credit Card information.

The attack’s success hinges on the fact that extensions have full and unfettered access to the Document Object Model (DOM) of every web page you visit. The DOM is a representation of a web page in computer memory that can be accessed and changed, allowing the page to be modified on-the-fly.

…when an extension is loaded onto a website, it is integrated into the DOM tree, obtaining unrestricted access to all DOM elements via the DOM APIs. This exposes a critical security issue – the lack of a security boundary between the extension and the rest of the DOM tree.

Full access to a page’s DOM gives extensions tremendous power, which includes reading or modifying text input fields, like the ones you type your passwords into. The success of the researchers’ technique depends on the way the page is designed, but the paper claims that most of the top 10,000 websites are vulnerable, including the likes of google.com, facebook.com, gmail.com, cloudflare.com, and amazon.com, among others.

To prove the technique was viable in the real world the researchers created a browser extension disguised as a “GPT-based assistant offering ChatGPT-like functions on websites”. This allowed the extension to plausibly ask for permission to run on all websites. (It was withdrawn as soon as it passed the review process.)

Having established that it was possible for a malicious extension using these techniques to pass the review process, the researchers analysed the extensions already on the web store and found that 12.5% of them had the necessary permissions to exploit the password input field vulnerabilities, and identified 190 extensions that directly access password fields.

The researchers offer two potential fixes: A “bolt on” remedy for vulnerable sites and a “built in” remedy for browsers. The bolt on is a JavaScript library that can be added to websites to prevent unwanted access to password fields. To be successful it would need to be widely adopted and, frankly, history suggests it probably wouldn’t be. The built in remedy suggests changing Chrome to alert users whenever any JavaScript function accesses any password fields. This would be no small undertaking, but seems more likely to succeed if Google can be persuaded to adopt it.

Malwarebytes EDR and MDR remove all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Last week on Malwarebytes Labs:

• 2.6 million DuoLingo users have scraped data released
• Google strengthens its Workplace suite protection
• Meal delivery service PurFoods announces major data breach
• Cisco VPNs without MFA are under attack by ransomware operator
• “An influx of Elons,” a hospital visit, and magic men: Becky Holmes shares more romance scams: Lock and Code S04E18
• FBI confirms Barracuda patch is not effective for exploited ESG appliances
• Social Security Numbers leaked in ransomware attack on Ohio History Connection
• Victim records deleted after spyware vendor compromised
• 3 reasons why your endpoint security is not enough
• How “EDR Extra Strength” simplifies traditional EDR complexity
• Qakbot botnet infrastructure suffers major takedown
• Prompt injection could be the SQL injection of the future, warns NCSC
• A first hand perspective on the recent LinkedIn account takeover campaign

Stay safe!

Malwarebytes EDR and MDR remove all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

By definition, a supply chain is the network of all the individuals, organizations, resources, activities and technology involved in the creation and sale of a product. In only a few rare cases does one organization have full control over every step in the entire process. The links in such a supply chain often work closely together, sometimes so much so that they have access to parts of each other’s systems.

Although it is important to guard every aspect of your supply chain to avoid disruptions, for the scope of this article we will focus on the cybersecurity element of it.

From a security perspective, it’s imperative to choose your partners wisely. An organization’s security posture is its readiness and ability to identify, respond to and recover from security threats and risks. If you are the one paying, you can often make demands about the security posture of the partner, but the other way around is usually much harder. 

We probably all know the compliance audits that are the result of these demands. And it makes sense we do not wish to fall victim to the mistakes made in another organization that we have no control over. It’s usually more than enough to worry about the processes we need to control inside our own organization.

Compliance with security protocols and legal regulations like FedRAMP and SOC2 (System and Organization Controls) may not just be mandatory for your own organization. More often than not it also needs to be enforced outside your organization with all the vendors in your software supply chain. In these cases, demonstrating vendor compliance will keep your internal organization from facing fines and penalties.

But it’s not just the partners that you work with to create the end product. There are also vendors that we use to get the work done, like software, infrastructure, and services. The more organizations are using a particular software package, the more appealing an attack vector that software becomes. As a few reminders, remember Log4Shell,  the MOVEit vulnerability that was exploited by ransomware operator Cl0p, or the SolarWinds attack.

Similar attacks will continue to surface time and again and if there is a lesson to be learned it’s not to rely on the security provided by the supplier, but always keep security in mind when we decide whether and how to use something provided by a third-party.

Having a complete understanding of your vendors’ security practices is an important component of cybersecurity and supply chain risk management. So, in a supply chain your security posture is definitely a selling point and can be used as such. A partner that has their security in order has every right to emphasize that.

Some tips

Regardless of the varying needs based on your organization and your place in the supply chain, here are some tips that are worth considering to avoid being the weakest link:

1. Make an inventory of the data you need to keep safe, along with who has access to what, in order to give you a complete understanding of your needs.
2. Then make an inventory of your software and hardware products and their weaknesses. Based on that inventory, you can decide whether to use network segmentation in order to keep the sensitive data separated from the parts that need internet access.
3. Use the cloud carefully. Organizations of all kinds are increasingly reliant on cloud computing. This is for good reasons, but it does complicate security, given the recent malicious targeting of cloud computing environments. So, it might be a good idea to use the cloud only for variably sized elements and have the fixed parts under your own control.
4. Connect your internal team with your organization’s third-party partners and vendors. Work together to identify major risks and potential damage to your organization, as well as plans for mitigation. Make sure there is an actionable incident response plan with a clear division of roles.
5. Trust is good, regular checks or constant monitoring are better. Strictly limit access to those that really need it, and deploy the rules of least privilege. Monitoring will also turn out to be helpful in case of an attack to help you backtrace the origin.
6. Secure valuable assets with advanced encryption, both in storage as well as during transfer.
7. Consider penetration testing and/or a bug bounty program to check your security measures. A bug bounty allows organizations to continuously test the security of their systems, whereas a penetration test is an assessment of the security level of an asset at a given point in time.
8. Look at best practices. In 2021, NIST (National Institute of Standards and Technology) shared a report on best practices that can help keep you and your business safe by using its framework for cyber supply chain risk management or C-SCRM.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Not long ago I wrote about a recent campaign to hold LinkedIn users’ accounts to ransom. Shortly after I published the article, a co-worker, Peace, reached out to me told me they’d been a target of the campaign.

His story begins with an SMS text from LinkedIn telling him to reset his password. He found this confusing: It arrived in the middle of the night, and he hadn’t asked for a password reset. Since he doesn’t use the LinkedIn app on his mobile he checked his account on his laptop first thing in the morning. The current sessions (Profile Picture > Settings > Sign in & security > Where you’re signed in) showed an unknown IP address in Texas logged into his account.

Frustration #1: The promised “Sign out of all these sessions” option is nowhere to be found. I double checked in a browser session on Windows and in the app on Android. It’s not there.

Pearce then found out that there was at least one person in his Connections that he did not invite or accept an invitation from. This person also hails from Texas.

Pearce is a security professional so as soon as he was convinced there was someone else with access to his LinkedIn account, he took action.

A reset of the account’s password worked, but failed to remove the unwanted active session.

Pearce had already set up multi-factor authentication (MFA) on his account, but changed this from SMS to an authenticator app. As I stated in my previous blog, “Setting up MFA for LinkedIn with Okta turned out to be painful because LinkedIn does not provide a QR code but a secret key which is so long that it’s hard to get it right the first, or second time.”

But despite his troubles this didn’t remove the unwanted active session either.

Frustration #2: Changing security and sign in settings is a pain, but has no effect on currently logged in users on other devices.

Frustration #3: LinkedIn Support is overwhelmed and takes quite some time before you get actual help.

Pearce opened a support ticket with LinkedIn. As we mentioned before, the campaign appears to have completely overwhelmed LinkedIn Support. The LinkedIn Help account on X (formerly Twitter) has pinned a message to say:

“Hey there! 👋 We’re experiencing an uptick in questions from our members, causing longer reply times. Rest assured, we’re doing our best to assist you! For account-specific inquiries, please DM us the details and your email address. We appreciate your patience. Thanks! 🙌”

It took them 3 to 4 days to reply with the following message:

Status: Closed

…

Hi Pearce,

Thanks for contacting us about this. To secure your account, we’ve taken the following actions:

1. We signed you out of your account from every computer or mobile device it has been accessed on. Note: This will now prompt a new login for your account.
2. We sent a password reset link to the primary email address listed on your account.

There are a few scenarios that could explain the possibility of unauthorized access to a LinkedIn account:

• If you’ve recently signed into your account from a public computer or a shared device at your workplace or home, and didn’t completely sign out of your account, the next person to access the site on that device may have unintentionally signed in to your account.
• An email or phone number registered in your account is outdated and access to the email or phone number has been recycled or compromised.
• If the same password is used in multiple websites, this could have been compromised through unaffiliated sites or a phishing attack.
• We’d recommend these best practices for your online privacy:
• Check the email addresses on your account to ensure they are current: https://www.linkedin.com/help/linkedin/answer/60
• Turn on two-step verification as an added layer of security: https://www.linkedin.com/help/linkedin/answer/544
• Find more tips here: https://www.linkedin.com/help/linkedin/answer/267

If you continue to see anything suspicious, please report it to us immediately.

Regards,

LinkedIn Member Safety and Recovery Consultant

Fortunately this worked and Pearce has regained control of his account. But this ordeal could have been much worse than with just a few added new connections. Had the account been taken over, it could have been used for malicious activities, damaging Pearce’s reputation in the process.

Note: LinkedIn has added an option to end individual sessions since this incident, but a few quick tests showed that this doesn’t always work as advertised. We may dive into that at a later point.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

The UK’s National Cyber Security Centre (NCSC) has issued a warning about the risks of integrating large language models (LLMs) like OpenAI’s ChatGPT into other services. One of the major risks is the possibility of prompt injection attacks.

The NCSC points out several dangers associated with integrating a technology that is very much in early stages of development into other services and platforms. Not only could we be investing in a LLM that no longer exists in a few years (anyone remember Betamax?), we could also get more than we bargained for and need to change anyway.

Even if the technology behind LLMs is sound, our understanding of the technology and what it is capable of is still in beta, says the NCSC. We barely have started to understand Machine Learning (ML) and Artificial Intelligence (AI) and we are already working with LLMs. Although fundamentally still ML, LLMs have been trained on increasingly vast amounts of data and are showing signs of more general AI capabilities.

We have already seen that LLMs are susceptible to jailbreaking and can fall for “leading the witness” types of questions. But what if a cybercriminal was able to change the input a user of a LLM based service?

Which brings us to prompt injection attacks. Prompt Injection is a vulnerability that is affecting some AI/ML models and, in particular, certain types of language models using prompt-based learning. The first prompt injection vulnerability was reported to OpenAI by Jon Cefalu on May 3, 2022.

Prompt Injection attacks are a result of prompt-based learning, a language model training method. Prompt-based learning is based on training a model for a task where customization for the specific task is performed via the prompt, by providing the examples of the new task we want to achieve.

Prompt Injection is not very different from other injection attacks we are already familiar with, e.g. SQL attacks. The problem is that an LLM inherently cannot distinguish between an instruction and the data provided to help complete the instruction.

An example provided by the NCSC is:

 “Consider a bank that deploys an ‘LLM assistant’ for account holders to ask questions, or give instructions about their finances. An attacker might be able send you a transaction request, with the transaction reference hiding a prompt injection attack on the LLM. When the LLM analyses transactions, the attack could reprogram it into sending your money to the attacker’s account. Early developers of LLM-integrated products have already observed attempted prompt injection attacks.”

The comparison to SQL injection attacks is enough to make us nervous. The first documented SQL injection exploit was in 1998 by cybersecurity researcher Jeff Forristal and, 25 years later, we still see them today. This does not bode well for the future of keeping prompt injection attacks at bay.

Another potential danger the NCSC warned about is data poisoning. Recent research has shown that even with limited access to the training data, data poisoning attacks are feasible against “extremely large models”. Data poisoning occurs when an attacker manipulates the training data or fine-tuning procedures of an LLM to introduce vulnerabilities, backdoors, or biases that could compromise the model’s security, effectiveness, or ethical behavior.

Prompt injection and data poisoning attacks can be extremely difficult to detect and mitigate, so it’s important to design systems with security in mind. When you’re implementing the use of an LLM in your service, one thing you can do is apply a rules-based system on top of the ML model to prevent it from taking damaging actions, even when prompted to do so.

Equally important advice is to keep up with published vulnerabilities and make sure that you can update or patch the implemented functionality as soon as possible without disrupting your own service.

Malwarebytes EDR and MDR remove all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

The Qakbot botnet has suffered a major setback after its infrastructure was heavily disrupted by US and European law enforcement agencies. Operation DuckHunt, as it was codenamed, is possibly the largest US-led financial and technical disruption of a botnet infrastructure.

Not only did the agencies shut down the core of the Qakbot infrastructure, they also cleaned the malware from infected devices. US authorities also seized around 8.6 million dollars-worth of illicit cryptocurrency profits.

Qakbot has been active for over a decade and allowed the botnet operators to steal login credentials from affected devices as well as install additional malware on them. Often that malware included a ransomware variant, with Black Basta the most recent ransomware of choice.

Thanks to that, Black Basta repeatedly made it to the top three most prolific ransomware variants in our monthly ransomware reviews.

The international investigation involved judicial and law enforcement authorities from the US, France, Germany, Latvia, the Netherlands, Romania, and the UK. The examination of the seized infrastructure uncovered that the malware had infected over 700,000 computers worldwide. Law enforcement detected servers infected with Qakbot in almost 30 countries in Europe, South and North America, Asia and Africa, enabling the malware’s activity on a global scale. Of the 700,000 infected devices, around 200,000 were located in the US.

On impounded servers that belonged to the botnet’s infrastructure the authorities found 6.43 million email addresses and passwords that have now been shared with HaveIBeenPwnd (HIBP). HIBP allows you to search across multiple data breaches to see if your email address or phone number has been compromised. But HIBP has also assisted governments, such as the UK, Australia, and Romania (to name a few), in monitoring for breaches in government domains. 57% of the Qakbot related email addresses were already in the database. The Qakbot data has been labeled sensitive, which means you’ll have to verify the email address is under your control to receive the information.

The information was also shared with Spamhaus which will contact email providers and other hosts of affected email addresses to initiate a password reset to further protect the owners of those addresses.

Qakbot is mostly spread through phishing campaigns that include malicious documents as attachments or links to download malicious files. Once Qakbot is installed, the malicious code is injected in the memory location of a legitimate Windows process to avoid detection. At first, it searches the infected machine for email addresses and other useful information. Then it persists in the memory of the device to await further instructions, for example to download additional malware.

So, one characteristic of a botnet is that the bots can be controlled by the operators. Based on that principle, the FBI came up with a method to uninstall the malware from all the connected bots.

Once the FBI got hold of the administrators’ computers, they were able to map out the botnet’s Command & Control (C2) structure and use this information to roll out a special removal tool. The FBI managed to lock out the Qakbot administrators of their own command and control infrastructure by changing the encryption keys used to communicate with the servers.

“To disrupt the botnet, the FBI was able to redirect Qakbot botnet traffic to and through servers controlled by the FBI, which in turn instructed infected computers in the United States and elsewhere to download a file created by law enforcement that would uninstall the Qakbot malware.”

Additional information and resources, including for victims, can be found on the following website, which will be updated as additional information and resources become available: www.justice.gov/usao-cdca/divisions/national-security-division/qakbot-resources.

How to avoid ransomware

• Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
• Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
• Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
• Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
• Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
• Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes EDR and MDR remove all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Despite widespread deployment of endpoint protection solutions, cyberattacks continue to make headlines, affecting organizations of all sizes and sectors. Recent statistics reveal that 70% of companies were impacted by ransomware last year (State of Malware Report 2023, Malwarebytes), and 83% experienced more than one data breach.

Given the existence of so many successful attacks in the past year, the question remains: How can organizations best protect themselves in a rapidly evolving threat landscape?

On September 7th, join Alan Radomsky, Vice President of Solutions Engineering at Malwarebytes, and Kenneth Tom, Director of Global Product Marketing at Malwarebytes, for an insightful webinar on how can organizations level up their security to better avoid cyber attacks.

Key topics to be discussed include:

• Identifying weaknesses in your current endpoint security setup
• Exploring new innovations to bridge security gaps
• Strategies for achieving security goals within budget constraints

Expert Speakers

Alan Radomsky

Alan Radomsky has 23 years of experience in the cybersecurity industry, serving various sectors including Finance, Retail, Manufacturing, Education, Healthcare, and Government. A 5-year Malwarebytes veteran, he possesses in-depth technical expertise to help organizations navigate the complex threat landscape.

Kenneth Tom

Kenneth Tom leads product marketing efforts for Endpoint Detection and Response at Malwarebytes. He brings over 20 years of product management and product marketing experience across numerous cybersecurity technologies, working with industry-leading companies.

Event Details

• Title: Top 3 Reasons Why Your Endpoint Security Is Not Enough
• Date: September 7th
• Time: 10:00 am PT / 1:00 pm ET
• Duration: 1 hour

Don’t miss this opportunity to gain valuable insights into improving your organization’s security posture. Register today!

Traditional Endpoint Detection and Response (EDR) today has a three-fold complexity problem—with big consequences.

First, complexity in EDR deployment causes long delays, directly impacting ROI and leaving organizations vulnerable to breaches. In fact, almost 10 percent of small security teams cite such complexity as a primary reason for deployment setbacks. (Global Surveyz 2022)

Second, lack of integrated security tools within an EDR can lead security teams to overcompensate by buying and operating additional security platforms. This complexity multiplies operational overhead and creates gaps in security.

Dealing with day-to-day EDR complexity is a third challenge. A survey of 200 CISOs by Global Surveyz found that nearly half (45 percent) of small IT teams flag issues like excessive alerts and multiple dashboards as chief product concerns, culminating in alert fatigue and drops in productivity. 

To save time, money, and to stop more threats, IT teams need an EDR that resists complexity—one that’s easy to implement and straightforward to operate.

What is EDR Extra Strength?

The solution is EDR Extra Strength.

EDR Extra Strength combines the award-winning threat detection of Malwarebytes EDR, with Alert Prioritization and Guided Remediation, and Vulnerability & Patch Management. EDR Extra Strength offers a singular, cost-effective strategy for organizations looking for in-depth security.

Instead of navigating through multiple platforms, each with their own separate cost and learning curve, organizations can now harness the unified strength of all-in-one protection with EDR Extra Strength—boosting visibility and protection at a cost that makes sense.

Deployment

With the average deployment timeline for traditional EDRs stretching up to 18 months for small security teams, the need for a swifter solution is clear.

Simply put, smaller teams just can’t afford extensive learning curves, which perhaps is why, from a financial standpoint, they prioritize implementation costs (50 percent) in their endpoint security more than anything else. (Global Surveyz) 

Malwarebytes EDR, the cornerstone of EDR Extra Strength, takes the complexity out of EDR deployment as evidenced by an average time to become fully operational that is two times shorter than the industry average.

Cloud-hosted on the Nebula platform, EDR Extra Strength core technology can deploy within minutes and has won multiple G2 awards for its unique combination of rapid time to go live and time to ROI, all delivered via an agent deployed with a small footprint.

Integration

Managing too many platforms is challenging. Each additional security tool requires its own set of configurations, updates, and management protocols, ultimately translating to longer response times, inefficient workflows, and an inability to have a unified view of the threat landscape.

According to Global Surveyz, 77 percent of small security teams ranked a ‘one-stop’ product with the ‘most integrated’ features as one of their top considerations when choosing a new security technology. In addition, 80 percent of CISOs recognize vendor consolidation as an avenue for more efficient security. 

And, once you consider that over 5 percent of breaches in 2022 came from known vulnerabilities that had yet to be patched—and that the average cost of those breaches was $4.17 million—it goes without saying that Vulnerability and Patch Management needs to be part of any all-in-one security solution today.

By combining Endpoint Protection (EP), EDR, and an award-winning Vulnerability and Patch Management solution, EDR Extra Strength gives IT teams the ‘one-stop’ product they need to streamline detection and response through a single pane of glass.

Day-to-Day Operation

It’s not hard to see why Gartner ranks ease-of-use as the top buying priority in the endpoint protection platform. Daily struggles related to navigation, excessive alerts, and an inability to view the full picture of a digital environment are often symptoms of a complicated-to-use EDR.

The core technology of EDR Extra Strength has won awards for end-user focused attributes (Ease of Use, Meets Requirements, Quality of Support), and administration-specific attributes (Ease of Admin, Ease of Setup, Ease of Doing Business With). 

In addition, EDR Extra Strength provides meaningful contextualization for analyst actions with its Alert Prioritization and Guided Remediation feature, helping to reduce alert fatigue and time-to respond associated with complex EDR. Learn more about Alert Prioritization and Guided Remediation here.

Try EDR Extra Strength today

The complexity challenges in EDR deployment, integration, and day-to-day use have big consequences for organizations, ultimately leading to wasted time and money.

EDR Extra Strength addresses this three-fold EDR complexity by combining multiple effective and easy-to-use products under one hood, harnessing the power of award-winning EDR, Vulnerability and Patch Management, and Alert Prioritization and Guided Remediation to boost security without added complexity.

Learn more about EDR Extra Strength here.

The Ohio History Connection (OHC) has posted a breach notification in which it discloses that a ransomware attack successfully encrypted internal data servers. During the attack, the cybercriminals may have had access to names, addresses, and Social Security Numbers (SSNs) of current and former OHC employees (from 2009 to 2023). Additionally, they may have gained access to W-9 reports and other records revealing the names and personal SSNs of vendors who contracted to provide services to OHC. They also may have gained access to images of checks provided to OHC by some members and donors beginning in 2020.

OHC is a statewide history nonprofit chartered in 1885 that manages more than 50 sites and museums across the state. As the State Archives for the state, OHC preserves the historical records of Ohio’s legislative, executive, and judicial branches.

The ransomware attack took place in early July of 2023, after which OHC notified the FBI and retained forensic IT consulting firms to help it determine the extent of the data breach and to assist in reconstructing its systems and restoring its data.

In total, the information of 7,600 individuals was potentially exposed. Notification letters were mailed on August 23, 2023 to all individuals who were impacted by this data breach.

While OHC hasn’t said which ransomware group was behind the attack, we have information that it was LockBit, although I was unable to locate the OHC data on LockBit’s leak site at the time of writing (it was there earlier this month).

screenshot taken early August 2023

OHC said that it made an offer to the cybercriminals to prevent the release of the data, but the offer was rejected on August 7, 2023. OHC hasn’t disclosed how the attackers got in.

Those impacted may sign up for free credit monitoring for one year and take advantage of their rights to the free fraud alert services offered by the three major credit bureaus. At the time of writing, there is no evidence that there has been any use or attempted use of the information exposed in this incident.

What to do if you’ve been caught in a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.

How to avoid ransomware

• Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
• Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
• Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
• Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
• Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
• Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes EDR and MDR remove all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW