IT NEWS

Old exploit kits still kicking around in 2023

The year is 2023 and there are still some people using Internet Explorer on planet Earth. More shocking, perhaps, is the fact that there are still threat actors maintaining exploit kit infrastructure and dropping new malware.

In this quick blog post, we review two well-known toolkits from the past, namely RIG EK and PurpleFox EK with the latest traffic captures we were able to collect.

RIG EK

The RIG exploit kit continues to be used by a single threat actor that leverages adult traffic schemes. In this latest instance, it dropped the Lumma Stealer.

RIG EK

PurpleFox EK

PurpleFox is more than just an exploit kit; it is a complete framework with rootkit capabilities. The exploit kit is one of the delivery mechanisms for the PurpleFox malware.

PurpleFox EK

Thank you to researchers at First Watch Security for providing information on this attack chain.

Protection

Even after all these years, Malwarebytes continues to protect against these exploit kits targeting vulnerabilities in Internet Explorer, the browser no longer supported by Microsoft.

MBAE

Indicators of Compromise

RIG EK

adsgoandway[.]xyz
45.138.27[.]52

Lumma Stealer payload

07e06e8277980a60e595da9cd9e03a4ecd2e8f8bdbd3cf5c930ab878ac5b0836

Lumma Stealer C2

solopodvip-my[.]xyz

PurpleFox EK

oernatel[.]shop
uabeoee.otvidluioad[.]online
via0[.]com

Payload

f627070c4cbb03556896601870cf575b1c8f47b062fdfef5c3516ff5a07db40c

Several hospitals still counting the cost of widespread ransomware attack

The 16 hospitals struck down by ransomware last week are still dealing with the fallout from the attack. The healthcare facilities, located in Connecticut, Pennsylvania, Rhode Island, and California, had the ransomware attack confirmed by the FBI. Issues started to emerge last Thursday, with patients diverted to other locations and some operations put on hold.

The AP reported that staff were forced to resort to pen and paper and manually running records to different departments. When dealing with potentially critical health issues, every second counts, and this is especially the case where so much critical healthcare equipment is reliant on networks and interconnected digital systems.

A recent Facebook update from Waterbury Hospital, CT reads as follows:

Our computer systems continue to be down throughout the network. We are following downtime procedures including the use of paper records. The outage has affected some of our outpatient services, mostly diagnostic imaging and blood draw and some patient appointments. We have contacted and will continue to contact any affected patients.

The post also states that a diagnostic radiology department is affected.

At the time of the attack, no ransomware group had claimed responsibility for the network breach. Now, according to The Record, several sources told Recorded Future News that the ransomware group behind this widespread attack is Rhysida. It’s standard practice that law enforcement will not comment on a ransomware group directly while an investigation is taking place.

What’s interesting, given the alleged claims from sources, is that the US Department of Health and Human Services published a warning to hospitals last week about this specific group. The document said about Rhysida:

Rhysida is a new ransomware-as-a-service (RaaS) group that has emerged since May 2023. The group drops an eponymous ransomware via phishing attacks and Cobalt Strike to breach targets’ networks and deploy their payloads. The group threatens to publicly distribute the exfiltrated data if the ransom is not paid. Rhysida is still in early stages of development, as indicated by the lack of advanced features and the program name Rhysida-0.1.

The ransomware also leaves PDF notes on the affected folders, instructing the victims to contact the group via their portal and pay in Bitcoin. Its victims are distributed throughout several countries across Western Europe, North and South America, and Australia. They primarily attack education, government, manufacturing, and technology and managed service provider sectors; however, there have been recent attacks against the Healthcare and Public Health (HPH) sector.

The HHS notes that the ransomware is relatively new. When it first made an appearance on our Ransomware Review in July of this year, we said the following:

Rhysida, a new ransomware gang claiming to be a “cybersecurity team,” has been in operation since May 17, 2023, making headlines for their high-profile attack against the Chilean Army.

The gang published a whopping eighteen victims on their leak site in June, making it one of the most prolific newcomers in our monthly reviews to date.

In terms of how Rhysida spreads, the primary methods of infection include phishing attacks, and dropping payloads across compromised systems once Cobalt Strike or other command and control frameworks are in place. Once the ransomware has taken hold, the group uses tried and tested double extortion tactics: a ransom note threatens to distribute stolen data publicly unless the ransom is paid.

The threat isn’t “just” locked computers, or patients unable to be assisted. There’s the very real possibility of said patients having their medical or other personal data thrown online for all to see.

Some ransomware groups won’t touch medical attacks for fear of reprisals. On many occasions where a medical facility or healthcare provider has been attacked, those responsible will apologise and provide free decryption tools. Others will do much the same thing alongside blaming rogue affiliates.

Certain attacks simply draw too much heat and generate waves of negative publicity for the culprits. If your entire gimmick is that you can (just about) be trusted to unlock PCs and return data if you receive a ransom, taking down hospitals will not encourage others to trust you.

In the long term, all this leads to is a probable drop in ill-gotten gains, and you can bet the ransomware authors would prefer that not to be the case.

Hopefully, all of the impacted healthcare operations will be back up and running soon. We’d suggest anyone potentially affected keep in touch with their local hospital and pay attention to the updates page for more information.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Zoom clarifies user consent requirement when training its AI

Changes in the terms of service (TOS) of the Zoom video-conferencing software have caused some turmoil. Since the pandemic, Zoom (Video Conferencing) has become a household name. Zoom came up as the big winner in the video conferencing struggle that enabled us to work from home. Now that things are more or less returning to a new normal, this has also had an impact on their success. But the recent uproar about their TOS could turn out to be a bigger blow.

The strange thing is that the offending bits of the changes took effect in March of 2023. But nobody noticed until August, when people started posting and discussing a portion of Zoom’s TOS. They found that Zoom claimed the right to access, use, collect, create, modify, distribute, process, share, maintain, and store Service Generated Data, including for the purpose of product and service development, marketing, analytics, quality assurance, machine learning or artificial intelligence (AI).

For a better understanding, you will want to know that in May, Zoom announced a collaboration with Anthropic, an artificial intelligence company that conducts research into AI safety and develops tools based on that work. The AI called Claude is intended to be integrated into the Zoom platform.

After all the uproar about it, Zoom changed its Terms of Service to reflect that Zoom will require user consent to use content for training artificial intelligence.

“Notwithstanding the above, Zoom will not use audio, video, or chat Customer Content to train our artificial intelligence models without your consent.”

In a blog post, Zoom explains that they updated the TOS (in section 10.4) to confirm that they will not use audio, video, or chat customer content to train the AI models without your consent, and that the section about training artificial intelligence only concerned certain information about how customers in the aggregate use their product. They claimed to only do this to improve the product—not to spy on users.

The explanation makes a lot of sense, but wouldn’t it have been easier if they’d said that in the first place? From the way the TOS was worded, I would have guessed that that’s what they wanted us to think and not what they actually meant.

Unfortunately, they are not alone. Many software companies have their legal documents and agreements drawn up by professionals who do not care whether their products can be read by ordinary people. As long as the legal content is correct and covers all angles, it’s all good from their point of view.

For that reason, it happens a lot that TOS, EULAs (End User License Agreements), Privacy Policies, and privacy agreements do not get read in full. And even if we do read them, some of them look like they are designed not to be understood even if we take the trouble of reading through all of it.

If you don’t believe me, have a look at the Zoom TOS. If you have no trouble understanding what it says there, you are probably a lawyer specialized in corporate law. Even now that we have summarized it for you, it still looks like a major case of letter soup designed to make your eyes roll.

What most of these pieces of text have in common is:

  • You are supposed to have read them once you use the software, be it by putting a checkmark at the bottom of an endless text, or by simply proceeding to use the software
  • They protect the rights of the issuer
  • They restrict your usage
  • They explain what the issuer can do with your information and content
  • They are written by and for lawyers
  • They often favor length and complexity

But most of the time we view them as something that stands in the way of our goal, which is to play the game, use the software, or start working. This has been a known problem for many years, even so much so that a friendly programmer set out to work on a solution. If you’re interested in what a EULA has to say, but no time or inclination to read through all of it to find the important parts, give Eulalyzer a try. It’s free for personal use.


Google’s “browse privately” is nothing more than a word play, lawyers say

Google will have to appear in court after a judge denied their request for summary judgment in a lawsuit filed by users alleging the company illegally invaded the privacy of millions of people.

Lawsuits against big tech over privacy issues are not much of a surprise these days, unfortunate as that may be. What makes this case stand out is that Google allegedly misled Chrome users by implying that they could browse privately by using the Incognito mode.

The judge in the suit said that Google appears to confuse users by portraying Incognito mode as a distinct offering without clearly articulated privacy terms for the service.

But despite the implied promise of privacy, Google’s cookies, analytics, and tools in apps allegedly continued to track internet browsing activity even after users activated Incognito mode.

Incognito is an option which is often used in troubleshooting browser issues, since it disables extensions and caching, two factors that are often at play when websites are not displayed properly.

This mode is also useful in that it essentially starts up a fresh identity for you to browse the web with, then wipes it all as soon as you close the window. This is nice if you are using a computer that isn’t your own and you want to limit your footprint.

The option to start an incognito window can be found under the hamburger icon (3 vertical dots).

open new options in Chrome

At the time of writing Chrome displays this information when you start an Incognito window.

Incognito splash screen

Note: the “Block third-party cookies” section was not present years ago.

Google’s motion hinges on the idea that plaintiffs consented to Google collecting their data while they were browsing in private mode. The court ruled otherwise, because Google never explicitly told users that it does so.

Whenever a user visits a website that is running Google Analytics, Ad Manager, or some similar Google service, Google’s software directs the user’s browser to send a separate communication to Google. This happens even when users are touring the web in private browsing mode, unbeknownst to website developers or the users themselves.

The lawsuit was filed in 2020, and the plaintiffs are seeking $5,000 in damages per user, which could end up amassing $5 billion.

Let the record show that all major web browsers include a private browsing mode that does not store browsing history, cookies, or temporary files across browsing sessions. Unfortunately, users have misconceptions about what this mode does—misconceptions that are encouraged by the wording these very same browsers use when describing their own features.

A 2018 study based on user surveys among 460 participants showed that participants use private mode to hide browsing activity, prevent the saving of log-in information, and avoid cookies. A very common misconception, held by 56.3% of participants, was that even though a user was logged into a Google account, their search queries would not be saved while in private mode.

One of the conclusions of the study was that of the thirteen browser disclosures about private mode that were tested, only the current and old versions of Chrome’s desktop disclosure led to significantly more correct answers, meaning that other browsers were doing an even worse job. The term “private” is heavily overloaded and the name “private mode” implies unintended meanings. The disclosures fail at the task of correcting misconceptions users derive from the name “private mode.”

It’s important to realize that a browser can be fingerprinted even in private mode and that many online tracking systems use techniques that are much more advanced than the use of cookies.


August Patch Tuesday stops actively exploited attack chain and more

August’s Patch Tuesday is a lot quieter than last month’s, when Microsoft patched a whopping 130 vulnerabilities. That number went down to 87 this month, but it does include two actively exploited vulnerabilities.

Let’s start by looking at those two:

CVE-2023-38180 (CVSS score 7.5 out of 10): a .NET and Visual Studio Denial of Service (DoS) vulnerability. Although there is a Proof of Concept (PoC) available to exploit this vulnerability, Microsoft notes that the code or technique is not functional in all situations and may require substantial modification by a skilled attacker, probably because the attacker would need to be on the same network as the target system.

CVE-2023-36884 (CVSS score 7.5 out of 10): a Windows Search Remote Code Execution (RCE) vulnerability. We discussed it in detail last month when Microsoft offered mitigation advice. The CVSS score and scope of the vulnerability have been changed since then. Microsoft has issued a security advisory about this and recommends installing the Office updates it discusses, as well as installing the Windows updates from August 2023.

Other vulnerabilities that deserve some attention are six vulnerabilities in Microsoft Exchange Server including:

CVE-2023-21709 (CVSS score 9.8 out of 10): a Microsoft Exchange Server Elevation of Privilege (EoP) vulnerability which could allow an attacker to log in as another user. In the FAQ about the vulnerability, Microsoft says that additional steps are needed to protect against it.

In addition to installing the updates, a script must be run. Alternatively, you can accomplish the same by running commands from the command line in a PowerShell window or some other terminal.

Follow these steps:

(Strongly recommended) Install Exchange Server 2016 or 2019 August SU (or later)

Do one of the following:

To apply the solution for the CVE automatically on your servers, run the CVE-2023-21709.ps1 script. You can find the script and the documentation here: https://aka.ms/CVE-2023-21709ScriptDoc.

or

To apply the solution for the CVE manually on each server, run the following command from an elevated PowerShell window:

Clear-WebConfiguration -Filter "/system.webServer/globalModules/add[@name='TokenCacheModule']" -PSPath "IIS:"

To roll back the solution for the CVE manually on each server, run the following:

New-WebGlobalModule -Name "TokenCacheModule" -Image "%windir%\System32\inetsrv\cachtokn.dll"

Although Microsoft recommends installing the security updates as soon as possible, running the script or the commands on a supported version of Exchange Server prior to installing the updates will address this vulnerability.
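An added example (not Microsoft’s CVE-2023-21709.ps1 script) that reports whether the IIS TokenCacheModule removed by the manual step above is still registered on the server, and optionally removes it with the same cmdlet the step uses. It assumes an elevated PowerShell window on an Exchange Server 2016/2019 host with the WebAdministration module available; the -Remove switch is this script’s own.

```powershell
# Added example, not Microsoft's script: check (and optionally apply) the manual
# CVE-2023-21709 mitigation, which removes the IIS TokenCacheModule global module.
# Assumes an elevated PowerShell window on an Exchange 2016/2019 server with IIS.
param(
    [switch]$Remove   # without -Remove the script only reports the current state
)

Import-Module WebAdministration -ErrorAction Stop

$moduleName = 'TokenCacheModule'
$filter     = "/system.webServer/globalModules/add[@name='$moduleName']"

# Get-WebGlobalModule lists the native modules registered in applicationHost.config.
$registered = Get-WebGlobalModule | Where-Object { $_.Name -eq $moduleName }

if (-not $registered) {
    Write-Output "$moduleName is not registered: the CVE-2023-21709 mitigation is in place."
    return
}

Write-Output "$moduleName is still registered (image: $($registered.Image))."

if ($Remove) {
    # Same command as the manual step; -Confirm prompts before the change is written.
    Clear-WebConfiguration -Filter $filter -PSPath 'IIS:' -Confirm
    if (-not (Get-WebGlobalModule | Where-Object { $_.Name -eq $moduleName })) {
        Write-Output "$moduleName removed. Run the August SU as well if not yet installed."
    }
} else {
    Write-Output "Re-run with -Remove to apply the mitigation, or run Microsoft's CVE-2023-21709.ps1."
}
```

Re-running the script after the August SU is a quick way to confirm the module did not come back on a server where the update was applied before the manual step.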

Other vendors

Other vendors have synchronized their periodic updates with Microsoft. Here are a few major ones that you may find in your environment.

Adobe has issued a critical security update for Acrobat and Reader.

Android’s August updates were released by Google.

Cisco released security updates for Cisco Secure Web Appliance and Cisco AnyConnect.

Fortinet has released a security update to address a vulnerability (CVE-2023-29182).

Ivanti has patched a second zero-day vulnerability (CVE-2023-35081).

SAP has released its August 2023 Patch Day updates.

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Ransomware review: August 2023

This article is based on research by Marcelo Rivero, Malwarebytes’ ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, “known attacks” are those where the victim did not pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher.

July saw one of the highest numbers of ransomware attacks in 2023 at 441, second only to a record-breaking 556 attacks in May. At the forefront of these attacks is, once again, Cl0p.

In June, Cl0p shot to the top of the charts due to their use of a zero-day exploit in MOVEit Transfer, and the story in July is no different. Using the same vulnerability, the gang attacked an additional 170 victims in July—the second highest number of attacks by a single gang all year, just two shy of MalasLockers’ record in May.

Amidst all the Cl0p chaos, however, a familiar foe seems to be quietly waning: LockBit.

Known ransomware attacks by gang, July 2023

The LockBit gang is experiencing a steady four-month decline in the number of attacks it has carried out. Since April 2023, we’ve observed an average decrease of 20 attacks a month from the group. LockBit’s 107 attacks in April to 41 in July represents a 62 percent dip in activity.

We’ve seen a similar pattern from LockBit before, and it’s not unusual for ransomware gang activity to ebb and flow. Still, it’s worth mentioning that a suspected LockBit affiliate was arrested last month. At least LockBit’s July numbers, then, could be explained by them simply wanting to lay low for a bit.

When another suspected LockBit affiliate was arrested in November 2022, we also saw a similar historic low in activity from the group.

“Big game hunting” numbers

Research published in July by Chainalysis showed that ransomware gangs raked in around $449 million from victims in the last six months. The driving force behind this huge number? Chainalysis says it is “big game hunting,” the practice of targeting large, financially well-off corporations in order to secure the biggest possible payouts.

Chainalysis also mentions an increase in payouts of less than $1,000, meaning smaller companies are still being targeted by ransomware gangs as well.

At around this same time last year, total payouts were slightly under $300 million—a difference of over $150 million.

One possible reason for this increase, says Chainalysis, could be that because fewer and fewer firms are willing to pay the ransom, ransomware gangs are increasing the size of their ransom demands, the idea being to squeeze the most money possible out of the firms still willing to pay.

Malwarebytes’ own data suggests that the increase in payouts could also be a simple consequence of there being more ransomware attacks in general. From March 2022 to July 2022, Malwarebytes recorded a total of 1,140 ransomware attacks. From March 2023 to July 2023, we recorded a total of 2,130.

Likely, there’s a combination of factors at play here. Our logic goes as follows:

Bigger targets + greedier gangs + more ransomware attacks in general = Historically high payouts.

Known ransomware attacks by country, July 2023

Attacks on the US and UK are at a four-month high. Four-month trends on attacks in Italy, on the other hand, suggest that the country is a new regular in the monthly “Top Five” of most-attacked countries.

Known ransomware attacks by industry sector, July 2023

In an article published in October of last year, we speculated on the future evolution of ransomware and how, with the rise of double-extortion schemes, more and more gangs might pivot away from using encryptors entirely. Interestingly, new research last month by Huntress seems to support this idea—exemplified by the most active ransomware gang today no less.

In their massive zero-day exploitation sprees, Cl0p has apparently not deployed ransomware at all. Instead, the group has focused on simply stealing company data to then later use as leverage against victims.

This move represents a significant departure from the majority of top ransomware gangs, and it forces organizations to rethink the nature of the problem: it’s not about ransomware per se, it’s about an intruder in your network. The really dangerous thing is turning out to be the access, not the ransomware software itself.

Cl0p’s focus on exploiting zero-days for initial access is revolutionary on its own. Pairing this with a pure data-exfiltration approach could signal an even bigger paradigm shift in how ransomware gangs operate into the future.

Speaking of innovations from top gangs, last month ALPHV was observed offering an API for their data leak site.

The new API is a conduit for swift data dissemination, helping other cybercriminals instantly access and distribute the stolen information on the dark web. The overarching goal here—especially considering that ALPHV failed to seek a ransom from recently-breached cosmetics company Estee Lauder—seems to be to pressure victims to pay as stolen data reaches wider audiences.

Time will tell if the move pays off, but if nothing else, it signals cybercriminal desperation amid declining ransomware payments.

New players

CACTUS

CACTUS emerged in March 2023 as a fresh strain of ransomware, zeroing in on large-scale commercial operations. Last month, they published 18 victims on their leak site.

To infiltrate systems, this gang exploits well-known vulnerabilities present in VPNs. Once CACTUS operatives gain access to a network, they enumerate local and network user accounts and reachable endpoints. Following this, they craft new user accounts and deploy their ransomware encryptor. The uniqueness of CACTUS lies in their use of specialized scripts that automate the release and activation of the ransomware through scheduled tasks.


The CACTUS leak site

Cyclops/Knight 

Though the underworld caught wind of Cyclops in May 2023, it’s only recently that evidence of their activities surfaced as new victims’ details appeared on their dark web portal. In addition, they’ve announced a shift in branding to “Knight.” Last month, they published 6 victims on their leak site.

This ransomware is versatile, capable of compromising Windows, Linux, and macOS systems alike. Cyclops stands out with its intricate encryption methodology, which mandates a unique key to decrypt the execution binary. Cyclops also comes equipped with a distinct stealer component designed to extract and transfer sensitive information.

The Cyclops/Knight leak site

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Cloudflare Tunnel increasingly abused by cybercriminals

Cloudflare Tunnel provides you with a secure way to connect your resources to Cloudflare without a publicly routable IP address. Cybercriminals are increasingly using this service to keep their activities from being detected.

Cloudflare Tunnel, also known by its executable name, Cloudflared, reaches out to the Cloudflare Edge Servers by creating an outbound connection over HTTPS (HTTP2/QUIC), where the tunnel’s controller makes services or private networks accessible via Cloudflare console configuration changes. It’s used to allow external sources to directly access important services, including SSH (Secure Shell), RDP (Remote Desktop Protocol), SMB (Server Message Block), and others.

Researchers have found that cybercriminals are shifting from using ngrok to Cloudflare Tunnel, probably because it provides a lot more usability for free. It allows an attacker who has achieved a foothold on a victim machine to establish the tunnel with a single command and then conduct further operations through it.

Once the tunnel is established, Cloudflared obtains the configuration and keeps it in the running process. All the victim will be able to find when the discreet communication channel is discovered is a unique tunnel token which will make them none the wiser. The attacker however is able to easily modify the tunnel configuration on the fly.

Since this tool is a legitimate binary which is supported on every major operating system, and the initial connection is initiated through an outbound HTTPS connection to Cloudflare-owned infrastructure, this method might prove to become even more popular among cybercriminals. It provides them with a tool to establish persistence when they need it, and to then turn it off when they don’t, in order to avoid being found out.

Because of the HTTPS connection and the port the data exchange takes place on (QUIC on port 7844), it is unlikely to be picked up by protection software like firewalls unless specifically instructed to do so.

As if that wasn’t worrying enough, the researchers found that they could abuse Cloudflare’s ‘Private Networks’ feature to access an entire range of internal IP addresses remotely once they established a tunnel to a single client (victim).

Mitigation

The researchers note that on the victim machine, RDP and SMB need to be enabled before attempting to connect. So, if you don’t need those, this is another good reason to disable them.

To detect unauthorized use of Cloudflare Tunnels, the researchers recommend that organizations monitor for specific DNS queries (as shared in the report) and for the use of non-standard ports like 7844.
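An added example, not taken from the report the article cites, of a host-side check for the traits described above on a Windows endpoint: a running cloudflared process, a service that launches it, and connections using port 7844. The function name is this example’s own; the DNS query names are not on this page, so DNS monitoring is left out, and because an attacker can rename the binary, an empty result is not proof of absence.

```powershell
# Added example (not from the cited report): look for signs of a Cloudflare Tunnel
# client on this Windows host. Run from an elevated window so process paths and
# owning processes of network endpoints are visible.
function Get-CloudflaredIndicator {
    $findings = @()

    # 1. Running processes named cloudflared (the executable name of Cloudflare Tunnel).
    foreach ($p in Get-Process -Name 'cloudflared' -ErrorAction SilentlyContinue) {
        $findings += [pscustomobject]@{ Type = 'Process'; Detail = "PID $($p.Id) $($p.Path)" }
    }

    # 2. Services whose binary path references cloudflared (persistence across reboots).
    foreach ($s in Get-CimInstance Win32_Service | Where-Object { $_.PathName -like '*cloudflared*' }) {
        $findings += [pscustomobject]@{ Type = 'Service'; Detail = "$($s.Name): $($s.PathName)" }
    }

    # 3. TCP connections to remote port 7844 (the HTTP2 transport the article mentions).
    foreach ($c in Get-NetTCPConnection -RemotePort 7844 -ErrorAction SilentlyContinue) {
        $owner = (Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        $findings += [pscustomobject]@{
            Type   = 'TcpConnection'
            Detail = "$($c.RemoteAddress):7844 by $owner (PID $($c.OwningProcess))"
        }
    }

    # 4. QUIC rides on UDP 7844; UDP endpoints carry no remote port, so attribute them
    #    by owning process instead of by port.
    foreach ($u in Get-NetUDPEndpoint -ErrorAction SilentlyContinue) {
        $owner = (Get-Process -Id $u.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        if ($owner -eq 'cloudflared') {
            $findings += [pscustomobject]@{
                Type   = 'UdpEndpoint'
                Detail = "local UDP port $($u.LocalPort) held by cloudflared (PID $($u.OwningProcess))"
            }
        }
    }

    return $findings
}

# Usage: print whatever was found, one row per indicator.
Get-CloudflaredIndicator | Format-Table -AutoSize
```

Pair the host check with the network-side monitoring the researchers describe, since a renamed binary will not match the process and service checks above.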

Other, more general recommendations are:

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Facial recognition tech lands innocent woman with bogus carjacking charge

Detroit law enforcement wrongly arrested a 32-year-old woman for a robbery and carjacking she did not commit. She was detained for 11 hours and had her phone taken as evidence before finally being allowed to leave. The reason for the false arrest is down to a facial recognition error, the kind that privacy and civil liberty organisations have been warning about for some time now.

What makes this one particularly galling is that the surveillance footage used in this case did not show a pregnant woman. Meanwhile, Porsche Woodruff was eight months pregnant at the time of the arrest.

How did this all begin? A Detroit police officer made a facial recognition request on a woman returning the carjacking victim’s phone to a gas station. The facial recognition tool flagged Woodruff via a 2015 mug shot on file from a previous unrelated arrest. Despite police being aware that the individual in the footage was not visibly pregnant, the victim was shown a lineup which included the old photo. The robbery victim wrongly identified Woodruff as the culprit.

Shortly after, she was arrested for the alleged crime of carjacking and robbery.

Ars Technica reports that law enforcement used something called DataWorks Plus to match surveillance footage against a criminal mug shot database. DataWorks Plus bills itself as a “facial recognition and case management” technology. It provides “accurate, reliable facial candidates with advanced comparison…tools for investigations”. It also offers up similar services with regard to fingerprints, iris, and tattoo recognition.

Unfortunately for Woodruff, accuracy was on vacation the day her 2015 mug shot was wrongly identified as a match for the robbery in question.

She was charged in court with robbery and carjacking, with all charges dismissed about a month later. She has now filed a lawsuit for wrongful arrest against the city of Detroit which seems quite reasonable given the circumstances.

The New York Times claims that this is the sixth recently reported example of an individual being wrongly accused due to facial recognition technology not working as expected. This is the third such example to have taken place in Detroit, and all six wrongly accused individuals are black. A long-running concern regarding these technologies is that they tend to perform very badly when dealing with women and people with dark skin. The Ars post has multiple links to various reports and studies highlighting some of these consistent flaws.

Indeed, multiple cities in the US have banned the use of facial recognition technology, though this may change in the future due to lobbying and “a surge in crime”.

One would think that “you look like this person even though you’re 8 months pregnant and they’re not” would keep this person out of a cell. Is the trust in the supposed accuracy of this technology so great that Detroit police trusted it over the evidence of their own eyes?

They took Woodruff away at her front door, and even used her older photo despite having access to her current driver’s licence photo which was issued in 2021. It does seem very strange that nobody appears to have intervened at the point the technology side of the workflow was going off the rails. From the complaint, via CNN:

When first confronted with the arrest warrant, Woodruff was “baffled and assuming it was a joke, given her visibly pregnant state,” the suit says. She and her fiancé “urged the officers to check the warrant to confirm the female who committed the robbery and carjacking was pregnant, but the officers refused to do so,” the complaint says.

You can go as far back as 2018 to find Detroit law enforcement getting it wrong with facial recognition technology. There, a man was wrongly flagged as a watch thief. In 2019, another individual was briefly accused of stealing a phone until his attorney was able to prove they’d once again accused the wrong individual.

American Civil Liberties Union (ACLU) Michigan is now taking an interest, and the outcome of the lawsuit remains to be seen. While it’s impossible to predict the outcome, Woodruff would appear to have a fairly strong case. The question is, will this result in any meaningful change to how law enforcement incorporates decision making into their technology workflow? Or will we be seeing yet another of these cases six months down the line?


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Voter data stolen in UK Electoral Commission systems breach

The UK’s Electoral Commission has revealed it suffered a compromise which has the potential to expose aspects of registered voters’ data. While much of this data may already be public, there are some privacy and safety concerns to consider.

First of all, let’s take a look at what’s been affected. The UK has something called an Electoral Roll (or Register). This is a list of all eligible registered voters residing in the UK. This list is divided into three types: the full, public register; the edited version; and the “opt-out” version.

From the Information Commissioner’s Office:

The full register is published once a year and is updated every month. It is used by electoral registration officers and returning officers across the country for purposes related to elections and referendums. Political parties, MPs and public libraries may also have the full register.

Regular folks going about their business can’t access the full version. The edited version of the register works as follows:

The open register, also called the edited register, contains the same information as the full register but is not used for elections or referendums. It is updated and published every month and can be sold to any person, organisation or company for a wide range of purposes. It is used by businesses and charities for checking names and address details; users of the register include direct marketing firms and also online directory firms.

This is one way that people end up on marketing lists, or “find a phone number/person” type websites. It’s the kind of data you’d occasionally find up for grabs on CD-ROMs.

The “opt-out” version of the register omits your details from this list. You used to have to manually opt out every time you updated your details, but these days your selection stays the same unless you specifically decide to alter it.

What has been compromised?

The Electoral Commission has this to say regarding the attack:

The Electoral Commission has been the subject of a complex cyber-attack, it has announced today, highlighting that the UK’s democratic process and its institutions remain a target for hostile actors online.

The incident was identified in October 2022 after suspicious activity was detected on the regulator’s systems. It became clear that hostile actors had first accessed the systems in August 2021. The Commission has since worked with external security experts and the National Cyber Security Centre (NCSC) to investigate and secure its systems.

As part of the attack, hostile actors were able to access reference copies of the electoral registers, held by the Commission for research purposes and to enable permissibility checks on political donations. The registers held at the time of the cyber-attack include the name and address of anyone in the UK who was registered to vote between 2014 and 2022, as well as the names of those registered as overseas voters. The registers did not include the details of those registered anonymously. The Commission’s email system was also accessible during the attack.

How serious is this breach?

A full FAQ is available, but I would draw attention to this comment from the Electoral Commission:

“While the data contained in the electoral registers is limited, and much of it is already in the public domain, we understand the concern that may have been caused by the registers potentially being accessed and apologise to those affected.”

People on the opt-out version of the register may be unsure if this actually means their data is included in that which was available to the attackers. From the FAQ:

Please note, the addresses of those on the open register are already publicly available. The addresses of those who opt out of the open register are not made publicly available, but were accessible during this cyber-attack.

While using the opt-out is by no means a magic solution to the perils of real world unpleasantness, it does help. Many at-risk or vulnerable people use it as a quick and easy way to prevent (for example) abusive ex-partners from tracking them down.

Knowing that their data is included in the pile is likely to be somewhat unsettling.

There is a way to be fully anonymous where voting registration is concerned. However, the process can be complex and off-putting. It requires items like court documents or attestations from authorised individuals to support the application. In other words, you may need to request that police officers come to your home and then explain your situation with evidence to back up your claims.

If the application is granted, you’ll be fully anonymous. The Electoral Commission does point out that anonymised individuals are not impacted by this breach, but this will be scant consolation to those who didn’t receive approval, or did not know the option existed.

For now, no additional details are forthcoming. There’s not much anyone can do with regard to the data exposure at this point. We just have to hope that those responsible aren’t in the mood for throwing everything online. So far, there’s no evidence that anyone has made use of the data in this way specifically. As for anything else, we’ll have to wait and see.

Digital assets continue to be prime target for malvertisers

Cyber-criminals continue to impersonate brands via well-crafted phishing websites. We previously covered attacks on both consumers and businesses via online searches for popular brands leading to scams or malware.

Digital assets such as cryptocurrencies or NFTs are highly coveted by threat actors due to the high gains that can be made, even via a simple phishing attack.

In this blog post, we investigate a malicious ad on Microsoft Bing for LooksRare, an NFT marketplace. Malvertising lends scammers’ phishing pages added credibility, and it also leaves victims irate at both the ads and the top search engines that served them.

Malicious ads for NFT marketplace

Non-fungible tokens (NFTs) are assets that have been tokenized via a blockchain. Whether you are into them or find them laughable, a lot of money is being invested, making them attractive to criminals. In a post on social media, one user claimed to have lost $300K worth of NFTs because they clicked on a Google ad:

Original post

We could not immediately find the same ad on Google, but we did see one on Microsoft Bing that is likely tied to the same campaign:

Bing search for looksrare

The “why you’re seeing this ad?” dialog shows the advertiser as being from China and the ad by a company named Fantacy Click Limited:

Ad details

Microsoft’s Advertiser Identity Verification Program states that when ads don’t pass policy checks, they either stop serving the ads or suspend the advertiser’s account. In this example of brand impersonation, the phishing domain (looksrare-org[.]com) was freshly registered on August 7th 2023. While we can’t expect companies to track every possible brand out there, a simple domain registration check could easily reveal risky advertisers.
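The “simple domain registration check” described above, as an added example rather than anything Microsoft or the post’s authors run: each advertiser landing domain is flagged when it carries the brand name outside the official domain, or was registered shortly before the ad ran. The domains are the post’s IoCs (defanging removed) plus looksrare[.]org; only the August 7th 2023 registration date is from the post, while the other dates, the observation date, the 30-day threshold and the two-label registrable-domain shortcut are assumptions of the example.

```python
from datetime import date

BRAND = "looksrare"
OFFICIAL_DOMAINS = {"looksrare.org"}   # the legitimate domain named in the post
MAX_AGE_DAYS = 30                      # age threshold is an assumption of this example
OBSERVED = date(2023, 8, 8)            # assumed date the ad was seen

# Constructed sample: registration dates would come from WHOIS/RDAP in practice.
# Only looksrare-org.com's date is from the post; the rest are assumptions.
SAMPLE = [
    ("looksrare-org.com", date(2023, 8, 7)),
    ("www-market-looksrare.com", date(2023, 8, 5)),
    ("looksrare-org.info", date(2023, 8, 6)),
    ("looksrare.org", date(2021, 12, 1)),
    ("shop.example.com", date(2015, 3, 3)),
]


def registrable_domain(host: str) -> str:
    """Last two labels; a real check would consult the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def impersonates_brand(host: str, brand: str = BRAND, official=OFFICIAL_DOMAINS) -> bool:
    """Brand name present (ignoring hyphens and dots) in a domain that is not an official one."""
    flat = host.lower().replace("-", "").replace(".", "")
    return brand in flat and registrable_domain(host) not in official


def assess(host: str, created: date, observed: date = OBSERVED) -> list[str]:
    """Return the reasons an advertiser domain looks risky (empty list means nothing found)."""
    reasons = []
    if impersonates_brand(host):
        reasons.append("brand name in a non-official domain")
    age = (observed - created).days
    if age < MAX_AGE_DAYS:
        reasons.append(f"registered {age} day(s) before the ad ran")
    return reasons


def risky_advertisers(sample) -> dict[str, list[str]]:
    """Map each flagged domain to its reasons; domains with no findings are omitted."""
    return {host: r for host, created in sample if (r := assess(host, created))}


if __name__ == "__main__":
    for host, reasons in risky_advertisers(SAMPLE).items():
        print(host, "->", "; ".join(reasons))
```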

Decoy redirect

The threat actor invested minimal effort to deceive crawlers and other automation tools by setting up the usual cloaking page. In this example, you get redirected to an “about us” decoy page:

Decoy traffic

Unfortunately, while it is easy for humans to see that this site is completely fake, machines will find no security issue and validate it:


Redirect and phishing page

Legitimate users and intended victims clicking on the ad will get a different experience. They are redirected to a second website (www-market-looksrare[.]com) that was also registered very recently and that acts as the phishing site:

Web traffic

This site is a close replica of the official looksrare[.]org domain:

Comparing the phishing page with the real site

Draining wallets

The phishing site invites victims to connect their wallet by scanning a QR code:

QR code on phishing site

If you are running the Coinbase extension, you will get a request such as the one below:

Coinbase request

After connecting to the victim’s wallet, the threat actor will run a few queries and eventually prompt the user to sign a message, granting them access to their NFTs. Someone has analyzed the transactions associated with this campaign in a thread here.

Phishing and crypto assets

Many people have expressed concerns about cryptocurrencies and other digital assets due to how many scams there are, but also because of how easy it can be to lose very large sums of money with just a few wrong clicks.

Phishing sites can be very convincing especially if the user visited them via a paid Google or Bing search ad that they expect has already been verified as legitimate.

There are a number of tools that can help to protect your wallets and gain better visibility over incoming transactions. Malwarebytes Browser Guard can block those phishing websites and malicious ads to keep you out of harm’s way.

We have reported this malicious ad to Microsoft via their low quality ad submission & escalation form. An automated response informed us that Microsoft will review and take action on any ads found to be in violation within 3-5 days. Unfortunately, this gives criminals enough time to run their malvertising campaigns uninterrupted and switch accounts by the time they are caught.

Indicators of compromise

looksrare-org[.]info
looksrare-org[.]com
www-market-looksrare[.]com