IT NEWS

Digital assets continue to be prime target for malvertisers

Cyber-criminals continue to impersonate brands via well-crafted phishing websites. We previously covered attacks on both consumers and businesses via online searches for popular brands leading to scams or malware.

Digital assets such as cryptocurrencies or NFTs are highly coveted by threat actors due to the high gains that can be made, even via a simple phishing attack.

In this blog post, we investigate a malicious ad on Microsoft Bing for LooksRare, an NFT marketplace. Malvertising lends scammers added credibility when phishing users, but it also leaves victims irate at the ads and at the top search engines that serve them.

Malicious ads for NFT marketplace

Non-fungible tokens (NFTs) are assets that have been tokenized via a blockchain. Whether you are into them or find them laughable, a lot of money is being invested, making them attractive to criminals. In a post on social media, one user claimed to have lost $300K worth of NFTs because they clicked on a Google ad:

Original post

We could not immediately find the same ad on Google, but we did see one on Microsoft Bing that is likely tied to the same campaign:

Bing search for looksrare

The “why you’re seeing this ad?” dialog shows the advertiser as being from China and the ad by a company named Fantacy Click Limited:

Ad details

Microsoft’s Advertiser Identity Verification Program states that when ads don’t pass policy checks, Microsoft either stops serving the ads or suspends the advertiser’s account. In this example of brand impersonation, the phishing domain (looksrare-org[.]com) was freshly registered on August 7, 2023. While we can’t expect companies to track every possible brand out there, a simple domain registration check could easily reveal risky advertisers.
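The registration check suggested above, written out as an added example (not code from the post or from any ad platform). It refangs the indicator domains listed in the post, flags any domain that carries the brand token without being the official looksrare[.]org, and combines that with the domain's age; the 30-day threshold, the observation date and the unrelated "example-shop" domain are assumptions.

```python
"""Flag lookalike and freshly registered advertiser domains (added example).

The LooksRare brand, its real domain (looksrare.org) and the indicator domains
come from the post; the 30-day threshold and the observation date are assumed.
"""
from dataclasses import dataclass
from datetime import date
import re

PROTECTED_BRANDS = {"looksrare": "looksrare.org"}  # brand token -> legitimate registrable domain
FRESH_DAYS = 30                                    # assumed: younger than this is "freshly registered"


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as looksrare-org[.]com back into a hostname."""
    return indicator.strip().lower().replace("[.]", ".")


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels); fine for the .com/.org/.info names used here."""
    return ".".join(host.split(".")[-2:])


@dataclass
class AdvertiserDomain:
    indicator: str      # as written in an IoC list, defanged or not
    registered: date    # WHOIS creation date, supplied by the caller
    observed: date      # date the ad was seen


def assess(ad: AdvertiserDomain) -> dict:
    host = refang(ad.indicator)
    reg = registrable_domain(host)
    age_days = (ad.observed - ad.registered).days
    # Collapse separators so "looks-rare" and "looksrare-org" both expose the brand token.
    squashed = "".join(re.split(r"[^a-z0-9]+", host))
    reasons: list[str] = []
    lookalike_of = None
    for brand, legit in PROTECTED_BRANDS.items():
        if reg == legit:
            return {"host": host, "risk": "none", "age_days": age_days,
                    "reasons": [f"official {brand} domain"]}
        if brand in squashed:
            lookalike_of = legit
            reasons.append(f"uses brand '{brand}' but registrable domain is {reg}, not {legit}")
    if age_days < FRESH_DAYS:
        reasons.append(f"registered only {age_days} day(s) before the ad was observed")
    if lookalike_of and age_days < FRESH_DAYS:
        risk = "high"      # brand impersonation on a brand-new domain: the case in the post
    elif reasons:
        risk = "medium"    # one signal only: worth a human look before the ad is served
    else:
        risk = "low"
    return {"host": host, "risk": risk, "age_days": age_days, "reasons": reasons}


# Constructed sample: the registration date for looksrare-org[.]com is the one the
# post gives (7 Aug 2023); the other dates and example-shop[.]com are assumptions.
SAMPLE = [
    AdvertiserDomain("looksrare-org[.]com", date(2023, 8, 7), date(2023, 8, 8)),
    AdvertiserDomain("www-market-looksrare[.]com", date(2023, 8, 5), date(2023, 8, 8)),
    AdvertiserDomain("looksrare[.]org", date(2021, 12, 1), date(2023, 8, 8)),
    AdvertiserDomain("example-shop[.]com", date(2023, 8, 1), date(2023, 8, 8)),
]


def run_sample() -> dict[str, str]:
    """Return host -> risk label for the sample so the result can be checked programmatically."""
    return {r["host"]: r["risk"] for r in (assess(a) for a in SAMPLE)}


if __name__ == "__main__":
    for ad in SAMPLE:
        result = assess(ad)
        print(f"{result['host']:<28} {result['risk']:<6} {'; '.join(result['reasons'])}")
```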

Decoy redirect

The threat actor invested minimal effort to deceive crawlers and other automation tools by setting up the usual cloaking page. In this example, you get redirected to an “about us” decoy page:

Decoy traffic

Unfortunately, while it is easy for humans to see that this site is completely fake, machines will find no security issue and validate it:


Redirect and phishing page

Legitimate users and intended victims clicking on the ad will get a different experience. They are redirected to a second website (www-market-lookshare[.]com) that was also registered very recently and that acts as the phishing site:

Web traffic

This site is a close replica of the official looksrare[.]org domain:

Comparing the phishing page with the real site

Draining wallets

The phishing site invites victims to connect their wallet by scanning a QR code:

QR code on phishing site

If you are running the Coinbase extension, you will get a request such as the one below:

Coinbase request

After connecting to the victim’s wallet, the threat actor will run a few queries and eventually prompt the user to sign a message, granting them access to their NFTs. Someone has analyzed the transactions associated with this campaign in a thread here.

Phishing and crypto assets

Many people have expressed concerns about cryptocurrencies and other digital assets due to how many scams there are, but also because of how easy it can be to lose very large sums of money with just a few wrong clicks.

Phishing sites can be very convincing, especially if the user reached them via a paid Google or Bing search ad that they expect has already been verified as legitimate.

There are a number of tools that can help to protect your wallets and gain better visibility over incoming transactions. Malwarebytes Browser Guard can block those phishing websites and malicious ads to keep you out of harm’s way.

We have reported this malicious ad to Microsoft via their low quality ad submission & escalation form. An automated response informed us that Microsoft will review and take action on any ads found to be in violation within 3-5 days. Unfortunately, this gives criminals enough time to run their malvertising campaigns uninterrupted and switch accounts by the time they are caught.

Indicators of compromise

looksrare-org[.]info
looksrare-org[.]com
www-market-looksrare[.]com

TikTok facing fines for violating children’s privacy

The European Data Protection Board is expected to fine TikTok for violating the privacy of young children within the next four weeks.

The European Data Protection Board said a binding decision has been reached over TikTok’s processing of children’s data, after the ByteDance-owned app submitted legal objections to an earlier ruling in Ireland, the home of the company’s European headquarters. The size of the fine is not yet known but will surely be in the millions of Euros.

This proceeding started in 2021, when the Dutch DPA imposed a fine of € 750,000 ($820,000) on TikTok. The main reason was that the information provided during the installation and usage of the app was in English and thus not readily understandable, especially for children. Not offering their privacy statement in Dutch was an infringement of privacy legislation by itself, because users have a right to be given a clear idea of what happens with their personal data.

The results of the Dutch investigation were handed to the Irish Data Protection Commission. Initially TikTok did not have its head office in Europe but in the course of the Dutch investigation, TikTok established operations in Ireland. If a company does not have its headquarters in Europe, any EU member state can engage in oversight with regard to its activities. In the case of companies that do have their headquarters in Europe, this responsibility would fall mainly to the country where the headquarters are located.

The subsequent investigation by the data protection commissioner in Ireland into TikTok’s level of compliance with the General Data Protection Regulation (GDPR), and how it handles the data of children between the ages of 13 and 17, brought to light problems regarding TikTok’s processing of children’s personal data and its age verification measures for children under 13.

In April of 2023, TikTok was ordered to pay a fine of £12.7M ($15.6M) for failing to protect 1.4 million UK children under the age of 13 from accessing its platform in 2020. The Information Commissioner’s Office (ICO), the UK’s data protection watchdog, imposed the fine after finding the company used children’s data without parental consent. According to the ICO, many children were able to access the site despite TikTok setting 13 as the minimum age to create an account. This exposed them to vulnerabilities and inappropriate content. According to the ICO, the company may have used the data for tracking and profiling purposes. It may have also presented children with content deemed potentially harmful or inappropriate.

To improve compliance with new European Union regulations on content, TikTok announced a number of new features for European users:

  • Making it easier for EU users to report illegal content
  • Allowing them to turn off personalized recommendations for videos
  • Removing targeted advertising for users aged 13 to 17

The company stated:

 “We will continue to not only meet our regulatory obligations, but also strive to set new standards through innovative solutions.”

In the US, TikTok has received a lot of criticism in the last few years as well. Among other things, it’s been called an “unacceptable security risk” by a commissioner of the FCC and was accused by a US consumer non-profit of gathering data on people who don’t even use the app.

In April we explained what was going on and whether you had reasons to be worried from an organizational standpoint. The risks of allowing TikTok on corporate or hybrid devices very much depend on your threat model. While it is understandable that governments, the military, or defense contractors are among the first to ban TikTok from these devices, many other organizations are facing a lot of threats that are a much greater concern.


Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

A week in security (July 31 – August 6)

Last week on Malwarebytes Labs:

Stay safe!



New Security Advisor amps up security in minutes

Malwarebytes Security Advisor, a transformation of the Nebula customer experience, enables organizations to visualize and improve their organization’s security posture in just a few clicks.

“If you’re not fully configured, you aren’t fully protected,” says Jonny Rivera, Director, Customer Experience Strategy. Rivera has worked with Malwarebytes customers to optimize their deployments and saw that there were big gaps in understanding their overall cybersecurity posture, including what assets they had and how policies were configured.


Security Advisor Dashboard

Security Advisor analyzes an organization’s cybersecurity health—such as by assessment of current inventory and which assets are vulnerable—and generates a score based off what it finds, illuminating gaps in defenses and providing actionable recommendations for improvements that can be made in minutes.

In this post, we’ll demonstrate how Security Advisor works and how it’s improving organizations’ security postures.

Read the full features here: https://service.malwarebytes.com/hc/en-us/articles/18242146189587-Understanding-the-Security-Advisor-in-Nebula

Why Security Advisor?

In a world where a whopping 70% of IT security personnel cite increasing workload and lack of visibility into IT infrastructure as top barriers to success, it’s easy to see why simplicity is the key to optimizing security while reducing employee burnout.

But there’s a problem.

Without a real-time snapshot of device usage or quick summaries of outdated applications, for example, IT teams are left scrambling to pick up the pieces of the information most important to them—ultimately increasing the mean time to resolution (MTTR) from days to possibly months.

Enter Malwarebytes Security Advisor.

A Leap Beyond Traditional Reporting


Security Advisor overview page

Security Advisor understands the specific tasks IT & security teams must perform, and flags which are crucial before a security issue arises.

With Security Advisor, organizations now have a real-time view into four key areas:

1. The CURRENT STATE of their security posture. Security Advisor provides a comprehensive snapshot of the existing security measures, revealing vulnerabilities and strengths such as properly configured policies or endpoint deployment.

2. The steps to IMPROVE the organization’s current security posture. Once the current state is understood, Security Advisor outlines actionable steps that organizations can take to enhance security measures, mitigate risk and safeguard assets.

Security Advisor policy optimization

3. How to MAINTAIN the improved security posture. Since security doesn’t end with the implementation of improvements, Security Advisor guides customers on how to maintain the elevated security status over time, ensuring sustained protection.

4. How to REPORT the organization’s current posture. Crucial for transparency and accountability, Security Advisor equips users with the tools to effectively communicate the company’s security status.

By guiding and facilitating immediate actions, Security Advisor speeds a holistic approach to security management.

Key Features

Inventory Check

Security Advisor offers a complete inventory of physical and digital assets, identifies which devices and services are in use and by whom, and presents this information in a user-friendly dashboard.

Current State Analysis

Assesses the vulnerabilities associated with your assets. It checks for out-of-date devices, scans for threats, evaluates data security, and identifies any employees who may pose a greater security risk.

Security Advisor issues by severity

Access Control

Security Advisor enables simple and intuitive configuration of permissions and keeps track of changes over time, providing clear visibility of user permissions.

Maintenance and Reporting

Security Advisor’s maintenance and reporting capabilities provide real-time status updates and prompt alerts on any emerging issues, while also supporting compliance reporting for various regulations.

Adaptive Recommendations

As your business changes and grows, Security Advisor offers suggestions for additional security solutions that can further enhance the organization’s security portfolio.

Benchmarking

Security Advisor leverages anonymized data from all Malwarebytes customers to provide benchmark comparisons with other organizations with a similar security mix.

“Whether it’s checking to see if EDR policies are properly configured or making sure scheduled scans are running regularly, we’re providing the recommended actions organizations need to quickly improve security and get back to running their business,” said Jonny Rivera.

Try Security Advisor Today

Ready to improve your organization’s security posture? Nebula users can start using Security Advisor today, free-of-charge.

Not a Nebula user? Get a free demo.

2022’s most routinely exploited vulnerabilities—history repeats

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), and international partners have released a joint Cybersecurity Advisory (CSA) called the 2022 Top Routinely Exploited Vulnerabilities.

We went over the list and it felt like a bad trip down memory lane. If you adhere to the expression “those who ignore history are doomed to repeat it”, then you may consider the list a valuable resource from which lessons can be derived. Unfortunately, as George Bernard Shaw said:

“We learn from history that we learn nothing from history.”

But since that’s a self-contradicting expression, let’s assume there are lessons to be learned.

Last year’s top vulnerabilities

First let me show you the bad memories. The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. We will use the CVE codes to uniquely identify the covered vulnerabilities.

  • CVE-2021-40539 is a REST API authentication bypass vulnerability in ManageEngine’s single sign-on (SSO) solution which results in remote code execution (RCE). When word of this vulnerability came out it was already clear that it was being exploited in the wild. Noteworthy is that this vulnerability also made it into the top 5 routinely exploited vulnerabilities of 2021.
  • CVE-2021-44228, aka Log4Shell, is a vulnerability in Apache’s Log4j library, an open-source logging framework incorporated into thousands of other products. Malicious cyber actors began exploiting the vulnerability after it was publicly disclosed in December 2021, and continued to show high interest throughout the first half of 2022.
  • CVE-2018-13379 is a vulnerability affecting Fortinet SSL VPNs, which was also routinely exploited in 2020 and 2021.
  • ProxyShell is a combination of three vulnerabilities in Microsoft Exchange Server (CVE-2021-34473, CVE-2021-31207, and CVE-2021-34523) that can be chained together to allow a remote attacker to break in, take control, and then do bad things on an unpatched server. ProxyShell also made it into the top 5 routinely exploited vulnerabilities of 2021.
  • CVE-2021-26084 is a vulnerability affecting Atlassian Confluence Server and Data Center which could enable an unauthenticated cyber actor to execute arbitrary code on vulnerable systems. This vulnerability quickly became one of the most routinely exploited vulnerabilities after a proof-of-concept (PoC) was released within a week of its disclosure. Attempted mass exploitation of this vulnerability was observed in September 2021 and also made it into the top 5 routinely exploited vulnerabilities of 2021.

Looking at the above, it looks like Shaw was at least partly right. We are not learning from history. It also indicates that we should be able to predict some of the vulnerabilities that will show up in next year’s list. Let’s take a stab at that. So we’re looking for easy-to-overlook and/or hard-to-patch vulnerabilities in the 2022 list that we haven’t already covered above.

This year’s top vulnerabilities?

These are the ones that I think will make it to the top 10 next year, maybe together with the ones that have already been around for years.

  • CVE-2022-22954 and CVE-2022-22960 are two vulnerabilities that can be chained to allow remote code execution (RCE), privilege escalation, and authentication bypass in VMware Workspace ONE Access, Identity Manager, and other VMware products. Exploitation of these VMware vulnerabilities began in early 2022 and attempts continued throughout the remainder of the year.
  • CVE-2022-26134 is a critical RCE vulnerability that affects Atlassian Confluence and Data Center. The vulnerability, which was likely initially exploited as a zero-day before public disclosure in June 2022, is related to an older Confluence vulnerability (see CVE-2021-26084 above), which cyber actors also exploited in 2022.
  • CVE-2022-1388 is a vulnerability in the F5 BIG-IP platform that allows attackers to bypass authentication on internet-exposed iControl interfaces, potentially executing arbitrary commands, creating or deleting files, or disabling services.
  • CVE-2022-30190, aka Follina, is a Microsoft Windows Support Diagnostic Tool RCE vulnerability. An attacker can send you a malicious Office document that will compromise your machine with malware when you open it.

So I was hoping we could strike a deal. I’ll check next year how well this prediction does, and you all patch these vulnerabilities real quick, so I can write about some new ones next year.


We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

FCC comes down hard on robocallers with record $300m fine

Robocallers are in the news after the FCC issued a $300 million forfeiture to a persistent offender and shut down their operation.

A robocall network makes use of automated software diallers to spam out large numbers of cold calls to unsuspecting recipients. These calls promise much but give very little. Anyone taking the bait stands a good chance of losing control of their personal data or suffering from all manner of dubious payments leaving their bank account.

Cold calling has been associated with scam tactics for decades, and the growing number of ways to combat these techniques (like Do Not Call lists) are routinely ignored by the robocallers. This has, inevitably, brought us to our eye-wateringly large $300m fine aimed squarely at one of the most persistent robocalling operations yet seen.

From the official statement(s) regarding the record penalty:

The Federal Communications Commission today issued a record-breaking $299,997,000 fine for auto warranty scam robocalls made by the largest illegal robocall operation the agency has ever investigated. An international network of companies violated federal statutes and the Commission’s regulations when they executed a scheme to make more than five billion robocalls to more than 500 million phone numbers during a three-month span in 2021, including violating federal spoofing laws by using more than one million different caller ID numbers in an attempt to disguise the true origin of the robocalls and trick victims into answering the phone.

The enterprise violated a multitude of robocall prohibitions by making pre-recorded voice calls to mobile phones without prior express consent, placing telemarketing calls without written consent, dialing numbers included on the National Do Not Call Registry, failing to identify the caller at the start of the message, and failing to provide a call-back number that allowed consumers to opt out of future calls. The calls also violated spoofing laws by using misleading caller ID to disguise the enterprise’s role and prompt consumers to answer.

Insurance, claims, and compensation are all robocall topics you should avoid when the phone inevitably rings. This kind of call will never quite go to plan for anyone other than the individuals operating the robocalling software.

In this case, the bait being used was the claim of auto warranties in return for the collection of personal data from call recipients.

TechCrunch notes that the robocalls “exhibited the standard robocall characteristics” of failing to identify the caller, spoofing area codes, and ignoring various consent laws like the Do Not Call list.

No fewer than an astonishing five billion calls were made by the companies responsible for this operation. Members of the FCC themselves received some of these calls, which on reflection seems like a very poor decision made by the robocalling technology.

The FCC explains the sheer scale of the operation, alongside some of the tactics used to shut it down permanently:

Since at least 2018, this enterprise operated a complex scheme designed to facilitate the sale of vehicle service contracts under the false and misleading claim of selling auto warranties. Two of the central players of the operation, Roy M. Cox and Aaron Michael Jones, were under lifetime bans against making telemarketing calls following lawsuits by the Federal Trade Commission and State of Texas.  The multi-national enterprise did business as Sumco Panama, Virtual Telecom, Davis Telecom, Geist Telecom, Fugle Telecom, Tech Direct, Mobi Telecom, and Posting Express.

Last year, to stop this then-ongoing telemarketing campaign in its tracks, the FCC directed all U.S.-based voice service providers to cease carrying traffic associated with certain members of the enterprise.  As a result, these illegal auto warranty robocalls dropped by 99%. That enforcement action was taken in coordination with the Ohio Attorney General’s Office, which brought a lawsuit under the Telephone Consumer Protection Act against several entities and individuals associated with the enterprise. The Commission also proposed a fine and offered the parties a chance to respond, which they did not do, resulting in today’s unprecedented fine. Should the parties not pay the fine promptly, this matter will be referred to the U.S. Department of Justice for collection.

Sadly it remains to be seen whether the eye-watering fine will be enforced and those responsible made to pay up. Robocalling is so popular that even with such massive fines being thrown around, people making use of it will not simply abandon ship. We’ll be stuck with all manner of robocalling technology for some time to come.

Back to the FCC:

What happens next?  Under the law we will refer this Forfeiture Order to the Department of Justice to collect payment.  I hope, however, that Congress will consider giving the FCC authority to go to court and collect these fines ourselves. In the meantime, we will keep using the tools we have to hold those behind fraudulent calling schemes accountable. In fact, just this week the Enforcement Bureau identified another source of illegal robocalls and we have put all phone companies on notice they can block these calls.  We know the scam artists behind these calls are relentless—but we are coming for them and won’t stop until we get this junk off the line.  

Sounds good! In the meantime though, you’ll have to take some action of your own to help ward off the threat posed by robocallers. Entities such as the FCC can and will go into battle on your behalf, but we can speed things along by doing our part too.

What you can do to stem the tide of robocalling

  • Report the call to the FCC, Federal Trade Commission (FTC), and your attorney general. Doing so will help the collective efforts of regulators and phone companies in blocking these numbers.
  • Do not give out your number online or post it publicly in your social media profiles. They will likely be collected by scammers.
  • Some apps can help analyse the calls you receive and respond or reroute the call effectively. Your mobile provider may already include this technology in their network, so it’s worth asking before opening up your iOS or Android store. Additionally, the FCC passed a rule that gives phone companies the power to proactively block numbers that do not or cannot make outgoing calls.
  • Go old-school by turning off your landline’s ringer and then feeding the call to an answering machine with a caller ID. You can always return the call if you have determined that the caller is using a legitimate number or has actually left a message worth returning.
  • If you happen to pick up a call from a robocaller, hang up immediately and don’t say anything down the line because it’s almost certainly being recorded.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Microsoft Teams used in phishing campaign to bypass multi-factor authentication

Attackers believed to have ties to Russia’s Foreign Intelligence Service (SVR) are using Microsoft Teams chats as credential theft phishing lures. Microsoft Threat Intelligence has posted details about the perceived attacks targeted at fewer than 40 unique global organizations. The targeted organizations are mostly found among government, non-government organizations (NGOs), IT services, technology, discrete manufacturing, and media sectors.

According to Microsoft, the attackers are part of the same group that was behind the attacks against SolarWinds, the Sunburst backdoor, TEARDROP malware, GoldMax malware, and other related components. Malwarebytes tracks that group as APT29/Cozy Bear, a group well known for finding and deploying novel tactics, techniques, and procedures (TTPs).

In the phishing attacks the group leverages previously compromised Microsoft 365 instances, mostly owned by small businesses, to create new domains that look like technical support accounts. From these instances the group reaches out through Teams messages and persuades targets to approve multi-factor authentication (MFA) prompts initiated by the attacker.

The compromised instances are renamed and used to set up a new onmicrosoft.com subdomain. Onmicrosoft.com domains are legitimate Microsoft domains which are automatically used by Microsoft 365 for fallback purposes in case a custom domain is not created.

The attackers often use security terms or product-specific names in these subdomain names to give credibility to the technical support themed messages which are sent out as a lure.

Example of a compromised onmicrosoft.com account initiating a chat (image courtesy of Microsoft)

The attackers target users who have passwordless authentication configured on their account, or accounts for which they have previously obtained credentials. In both cases, the user is asked to enter a code displayed during the authentication flow into the prompt shown by the Microsoft Authenticator app on their mobile device.

Once the target has done this, the attacker can use the gained access to further compromise the account. Typically, this involves information theft from the now compromised Microsoft 365 tenant. In some cases, the actor attempts to add a device to the organization as a managed device via Microsoft Entra ID (formerly Azure Active Directory), likely an attempt to circumvent conditional access policies configured to restrict access to specific resources to managed devices only.

Microsoft says it has successfully blocked the Russian threat group from utilizing the compromised instances in other attacks and is now actively working to address and limit the impact of the campaign.
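As an added example (not Microsoft's or Malwarebytes' code), the following triage function turns the lure characteristics described above into a score for an external Teams message: a sender tenant that is a bare *.onmicrosoft.com fallback domain, security or support words in the tenant label, and message text that asks the recipient to approve a sign-in or type an Authenticator code. The term lists, the partner allowlist, the scoring thresholds and every sample message are assumptions constructed for illustration.

```python
"""Score external Teams chats for the tech-support MFA lure (added example).

Heuristics follow the post; term lists, allowlist, thresholds and all sample
senders/messages are constructed assumptions, not real indicators.
"""
import re
from dataclasses import dataclass, field

# Words the post says attackers put in the fallback tenant name to look like support (assumed list).
LURE_SUBDOMAIN_TERMS = ("security", "support", "helpdesk", "identity", "protection", "msft", "microsoft")
# Phrases that ask the recipient to act on an authentication prompt (assumed list).
MFA_PHRASES = (r"\bapprove\b", r"\bauthenticator\b", r"\benter (?:the|this) code\b",
               r"\bmfa\b", r"\bsign-?in request\b")
# External tenants the organisation genuinely collaborates with (assumed).
TRUSTED_TENANTS = {"contoso-partner.onmicrosoft.com"}


@dataclass
class TeamsMessage:
    sender: str           # UPN of the sender
    text: str
    external: bool = True # message came from outside the organisation's tenant


@dataclass
class Verdict:
    sender_tenant: str
    score: int = 0
    reasons: list[str] = field(default_factory=list)

    @property
    def label(self) -> str:
        if self.score >= 3:
            return "block-and-report"
        return "review" if self.score >= 2 else "allow"


def sender_tenant(upn: str) -> str:
    """Domain part of the UPN, lower-cased."""
    return upn.rsplit("@", 1)[-1].lower()


def triage(msg: TeamsMessage) -> Verdict:
    tenant = sender_tenant(msg.sender)
    v = Verdict(sender_tenant=tenant)
    if not msg.external or tenant in TRUSTED_TENANTS:
        return v
    # A bare onmicrosoft.com name is the fallback Microsoft 365 assigns when no custom
    # domain exists; a vendor's real support desk would normally write from its own domain.
    if tenant.endswith(".onmicrosoft.com"):
        v.score += 1
        v.reasons.append("sender uses fallback *.onmicrosoft.com tenant")
        label = tenant[: -len(".onmicrosoft.com")]
        hits = [t for t in LURE_SUBDOMAIN_TERMS if t in label]
        if hits:
            v.score += 1
            v.reasons.append(f"tenant label '{label}' contains lure term(s) {hits}")
    # Ground rule from the post: an authentication request the user did not start is
    # treated as malicious, so a chat asking for MFA approval weighs the most.
    text = msg.text.lower()
    if any(re.search(p, text) for p in MFA_PHRASES):
        v.score += 2
        v.reasons.append("message asks recipient to approve a sign-in or enter an Authenticator code")
    return v


# Constructed sample messages; none of these senders is a real indicator.
SAMPLE = [
    TeamsMessage("helpdesk@msftsecurityteam.onmicrosoft.com",
                 "Hi, this is Microsoft Support. Please approve the sign-in request and "
                 "enter the code shown in your Authenticator app."),
    TeamsMessage("dana@contoso-partner.onmicrosoft.com", "Can you approve the budget today?"),
    TeamsMessage("it@fabrikam-support.onmicrosoft.com", "Sending over the contract draft now."),
    TeamsMessage("sec@vendor-example.com", "Please approve the MFA prompt to verify your account."),
    TeamsMessage("colleague@corp-example.com", "Lunch at 12?", external=False),
]


def run_sample() -> dict[str, str]:
    """Map each sample sender to its label so the outcome can be checked programmatically."""
    return {m.sender: triage(m).label for m in SAMPLE}


if __name__ == "__main__":
    for m in SAMPLE:
        v = triage(m)
        print(f"{v.label:<17} {m.sender:<45} {'; '.join(v.reasons)}")
```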

How to avoid tech support scammers

In the blog Microsoft provides a very important ground rule to remember: Authentication requests not initiated by the user should be treated as malicious.

As a security provider with a good reputation, we do get a lot of impersonators. Maybe we should be flattered, but frankly we are annoyed. So here are a few tell-tale signs that you are dealing with an impersonator:

  • The company gives you any name at all other than Malwarebytes. Malwarebytes does not outsource support. We have our own Support team. There are no third parties “authorized” to provide support. Nobody is “licensed” to use our name, logo, or any other intellectual property.
  • The company can’t or won’t take your credit card the first time you ask. Reputable organizations don’t do this. Period. Malwarebytes has a credit card processor that takes payments for all transactions. Credit card processors do things like vet clients for risk, fraud, and abuse. So any company having trouble doing business with one probably fits into one of those three categories. Credit cards also have reasonably robust consumer fraud protection, so if you’re being steered away from using one, that is also a red flag that the company is about to do something they probably shouldn’t.
  • The company makes outbound support calls. Malwarebytes, and Microsoft, do not do this. Tech support companies that make outbound unsolicited calls tend to do so because they bought your personal information from a data broker who classified you as a vulnerable target. How would they know you have a problem with your computer? How would they even know you own a computer? Generally speaking, if someone calls you out of the blue claiming your computer has a problem, hang up.


The end looms for Meta’s behavioural advertising in Europe

The EU is going toe to toe with Meta once more, with the social network giant conceding defeat yet again. After having taken Meta to task for various privacy violations and data breaches, Meta is now having to provide European users with a way to opt out of behavioural advertising. The threat of fines totalling $100,000 a day probably helped things along a little bit.

This has been a long time coming. In fact, it’s taken no fewer than five years of “extensive litigation” to reach this landmark moment. Two complaints from the European Center for Digital Rights (noyb) back in 2018 set the wheels in motion. Additional interest from the European Data Protection Board and decisions made by the Court of Justice of the European Union (CJEU) heaped additional pressure on the now relenting Meta.

From Meta’s most recent post on this subject:

Today, we are announcing our intention to change the legal basis that we use to process certain data for behavioural advertising for people in the EU, EEA and Switzerland from ‘Legitimate Interests’ to ‘Consent’. This change is to address a number of evolving and emerging regulatory requirements in the region, notably how our lead data protection regulator in the EU, the Irish Data Protection Commission (DPC), is now interpreting GDPR in light of recent legal rulings, as well as anticipating the entry into force of the Digital Markets Act (DMA). 

As The Record explains, behavioural advertising typically involves the display of adverts customised by someone’s browsing habits and / or app usage. A picture is built up over time of said user, and it essentially follows them around the web. Web browsers have been pushing back against some of this behaviour for some time now, with some of them isolating third party cookies or looking to sunset them completely.

In this case, Meta may be looking to get ahead of the game somewhat in the face of what The Record calls “an inevitable near-term regulatory reality”, and so look proactive while getting its own preferred time frame for changes in order.

There are no solid dates set yet for when these changes may come into force. October has been referenced as a possibility, but (as with the delays to cookie sunsetting) there may well be similar delays here. From the Meta blog:

We will share further information over the months ahead, because it will take time for us to continue to constructively engage with regulators to ensure that any proposed solution addresses regulatory obligations in the EU, including GDPR and the upcoming DMA.

Whenever these changes come into force, many Meta users will not see the benefit. If you’re located outside of the EU, the European Economic Area (EEA), or Switzerland, then unfortunately you’re out of luck on the behavioural advertising avoidance front.

This may well create additional pressure regardless, given the many privacy and safety organisations located in the US who will no doubt be watching these developments closely to see what can be replicated.

Meta has had a very rough time of things where the EU is concerned. Back in July 2022, regulators were threatening to ban Facebook in relation to data transfers to the US. In September of the same year, Instagram was counting the cost of a $400m fine related to the handling of children’s data. November? That would be the $277m fine issued by the Irish Data Protection Commission because of a Facebook data breach. March was all about Facebook having “illegally processed” user data. July of this year saw Meta subsidiaries ordered to pay $14m over misleading data collection disclosure.

Wherever you look, no matter which part of the business we’re talking about, there’s often a fine and an EU regulator thrown into the mix. It’s a very large and costly legal war of attrition, and the message is loud and clear. The EU will keep doing this for as long as it takes for Meta to get its house in order.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

FAQ: How does Malwarebytes ransomware rollback work?

As the old cybersecurity saying goes: “It’s not if, but when.”

Everyone and their grandma has repeated this foreboding maxim about the nature of ransomware attacks, but sadly, that doesn’t make it any less true. Time and again we’re reminded that ransomware can slip past even the best defenses.

Prevention alone, it seems, can only take us so far—so when ransomware hits, organizations need a way to emerge safely from the fallout, data intact.

Enter Malwarebytes Ransomware Rollback, which rescues your data from encryption by effectively “turning back the clock” of a ransomware attack. Dr. Strange style.

But how does it work, exactly? And what are some of the advanced settings that are available?

Let’s dive into the finer details in this post.

How It Works

The bedrock of Ransomware Rollback is a kernel mode driver that monitors file system changes and makes a copy of each file before it is modified. This includes self-protection against attacks on the backups themselves.

Malwarebytes Endpoint Detection and Response (EDR) first spends a 14-day period learning which applications on the system can be trusted. During this time, it logs the various applications that typically interact with files. After this period, the EDR establishes a list of trusted, or “whitelisted,” applications.

Advanced settings include additional features for Ransomware Rollback. Learn more here.

For performance optimization, an application that is on the whitelist is ignored.

Before any application other than a whitelisted one can change a file, Malwarebytes EDR saves a backup copy of the file it is trying to modify. Whether a process is malicious cannot be known at the time of modification, so every file is backed up.

If the application is later found to be ransomware that encrypts the file, making it unreadable and demanding a ransom for its decryption, the EDR system can use the backup copy it saved to restore the file to its previous state. This is what is meant by “rollback.”

When all’s said and done, the system effectively nullifies the ransomware attack by ensuring a recent clean, unencrypted copy of the file is always available.

FAQ

Does ransomware rollback use Volume Shadow Copy Service?

No, ransomware rollback does not use Volume Shadow Copy Service. Instead, it uses proprietary, patent-pending technology with protected folders, because malware often targets the Volume Shadow Copy Service.

How does the service know which files to restore, is it a snapshot?

Backups are continuous, covering any files modified, and are not a snapshot.

The process making the change is recorded for each file. Subsequently, when a rollback is performed, it is precise because only files modified by the specific process are restored.

Where is the rollback cache stored in the system?

The rollback cache is stored in a hidden Windows system folder. Typically, you can find it under: C:\ProgramData\Malwarebytes Endpoint Agent\Plugins\EDRPlugin\Backup.

Does ransomware rollback always use some amount of disk space? Why is that?

Yes, ransomware rollback always uses some disk space due to its buffer and cleanup operations. This means there will always be some small disk space used by the feature.

For every file modified, e.g., documents, pictures, etc., space for a copy is required. If there is no activity, then after a few days there would be zero space used. However, if ransomware encrypted 10 GB of files, then there would be 10 GB of backup/before copies.

How much space does the rollback cache take up on a typical laptop or desktop?

On a typical laptop using common applications like Microsoft Office, the endpoint usually uses less than 200 MB of space for a 72-hour rollback window and a maximum individual file size of 20 MB – 100 MB.

If a computer is under attack and 10 GB of files were encrypted, how much space would we use for the ‘before’ encryption file backup?

If a computer is under attack and 10 GB of files were encrypted, we would use approximately 10 GB of space for the ‘before’ copies of those files. The system backs up the files in their original state before encryption, so the space used is equal to the size of the original files.

How far back can I rollback if my files are encrypted by ransomware?

By default, ransomware rollback stores the last 48 hours of file changes, and this is configurable up to 72 hours. You can alter these parameters in the Endpoint Protection Advanced policy.

What types of files does ransomware rollback back up? Are there any limitations or exclusions?

Ransomware rollback preemptively backs up all file types including pictures, documents, JSON/XML configurations, EXEs, unless they are explicitly excluded, globally excluded, or exceed the maximum file size.

What happens to my files in case of a ransomware attack if my disk is full?

If the hard drive is full and file encryption starts without enough disk space for a backup copy of the files, the data will be lost. Therefore, it’s crucial for users to monitor for low disk space.

Does Malwarebytes clean up files that have been backed up by Endpoint Detection and Response (EDR) after 72 hours?

Yes, our system is designed to be self-cleaning. Files that are backed up by EDR are regularly cleaned up once they are older than the configured period.
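The mechanism described in “How It Works” and in the FAQ answers above (a “before” copy saved whenever a non-whitelisted process modifies a file, the copy tagged with the process that made the change, a retention window, a maximum file size, and a rollback that restores only the files one process touched) can be modelled in a few dozen lines. The following is an added example, not Malwarebytes code: the real product does this in a kernel driver on NTFS, whereas this simulation keeps an in-memory “file system”, uses a simulated clock, and assumes constructed process names such as `unknown-encryptor.exe` and a scaled-down 64-byte file-size limit so the scenario is readable. It also models the two failure modes the FAQ calls out, a file above the size limit and a full cache, by recording the path as unprotected.

```python
"""Scaled-down simulation of pre-modification backup with per-process rollback.
Added example; names, defaults and the in-memory file system are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class BackupEntry:
    """A 'before' copy of one file, saved the moment a process tried to modify it."""
    path: str
    process: str      # name of the process that made the change (constructed)
    timestamp: float  # seconds on a simulated clock
    content: bytes    # file content prior to the modification


class RollbackCache:
    """Simulated file system plus backup cache. Defaults mirror the FAQ's figures."""

    def __init__(self, whitelist: Set[str], retention_seconds: float = 48 * 3600,
                 max_file_size: int = 20 * 1024 * 1024, capacity: Optional[int] = None):
        self.whitelist = set(whitelist)       # trusted apps (the 14-day learning phase is assumed done)
        self.retention = retention_seconds    # rollback window, default 48 h
        self.max_file_size = max_file_size    # larger files are not backed up
        self.capacity = capacity              # None = unlimited; an int models a full disk
        self.entries: List[BackupEntry] = []  # kept in chronological order
        self.files: Dict[str, bytes] = {}     # simulated file system contents
        self.unprotected: List[str] = []      # paths changed without a usable 'before' copy

    def used_bytes(self) -> int:
        return sum(len(e.content) for e in self.entries)

    def write(self, process: str, path: str, new_content: bytes, now: float) -> bool:
        """A process writes a file. Returns True if a 'before' copy was saved first."""
        old = self.files.get(path)
        saved = False
        # Newly created files have no prior state; whitelisted apps are ignored for speed.
        if old is not None and process not in self.whitelist:
            too_big = len(old) > self.max_file_size
            no_room = self.capacity is not None and self.used_bytes() + len(old) > self.capacity
            if too_big or no_room:
                self.unprotected.append(path)  # the FAQ's failure modes: size limit, full disk
            else:
                self.entries.append(BackupEntry(path, process, now, old))
                saved = True
        self.files[path] = new_content
        return saved

    def cleanup(self, now: float) -> int:
        """Drop copies older than the retention window; returns how many were removed."""
        keep = [e for e in self.entries if now - e.timestamp <= self.retention]
        removed = len(self.entries) - len(keep)
        self.entries = keep
        return removed

    def rollback(self, process: str, now: float) -> List[str]:
        """Restore each file the given process modified inside the window to the state
        it had before that process first touched it. Returns the restored paths."""
        self.cleanup(now)
        first_copy: Dict[str, bytes] = {}
        for e in self.entries:  # chronological, so the earliest copy per path wins
            if e.process == process and e.path not in first_copy:
                first_copy[e.path] = e.content
        for path, content in first_copy.items():
            self.files[path] = content
        self.entries = [e for e in self.entries if e.process != process]
        return sorted(first_copy)


def demo() -> dict:
    """Constructed scenario: a trusted editor, an untrusted process overwriting files, a rollback."""
    hour = 3600.0
    cache = RollbackCache(whitelist={"winword.exe"}, max_file_size=64)
    cache.write("winword.exe", "report.docx", b"Q3 report draft", now=0 * hour)   # creation: nothing to copy
    cache.write("winword.exe", "report.docx", b"Q3 report final", now=1 * hour)   # whitelisted: not copied
    cache.write("explorer.exe", "notes.txt", b"meeting notes", now=1 * hour)
    cache.write("explorer.exe", "big.bin", b"x" * 100, now=1 * hour)              # over the 64-byte limit
    enc = "unknown-encryptor.exe"  # constructed name for an untrusted process
    for path in ("report.docx", "notes.txt", "big.bin"):
        cache.write(enc, path, b"ENCRYPTED:" + path.encode(), now=30 * hour)
    cache.write(enc, "report.docx", b"ENCRYPTED:again", now=31 * hour)             # second pass on one file
    restored = cache.rollback(enc, now=33 * hour)
    return {"restored": restored, "files": dict(cache.files),
            "unprotected": sorted(set(cache.unprotected)), "cache_bytes": cache.used_bytes()}


def retention_demo() -> dict:
    """A copy older than the window is pruned, so a later rollback cannot use it."""
    cache = RollbackCache(whitelist=set(), retention_seconds=48 * 3600)
    cache.write("setup.exe", "config.json", b'{"v": 1}', now=0)
    cache.write("setup.exe", "config.json", b'{"v": 2}', now=10)   # saves the v1 copy
    removed = cache.cleanup(now=49 * 3600)
    restored = cache.rollback("setup.exe", now=49 * 3600)
    return {"removed": removed, "restored": restored, "content": cache.files["config.json"]}


if __name__ == "__main__":
    print(demo())
    print(retention_demo())
```

In `demo()`, `report.docx` and `notes.txt` come back to their pre-encryption content and the cache is empty afterwards, while `big.bin` stays encrypted because its original exceeded the size limit, which is exactly the exclusion the FAQ describes. Two things the model makes visible that the prose only implies: the earliest copy per path must win when a process rewrites the same file more than once, and a file whose first pre-image could not be saved is not recoverable no matter how many later copies exist.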

Try Ransomware Rollback Today

To recap, Malwarebytes Ransomware Rollback is a last-resort recovery tool within Malwarebytes EDR, designed for swift recovery after other defense layers have been compromised.

While useful, Ransomware Rollback doesn’t replace classic backups or EDR’s other proactive measures like Suspicious Activity Monitoring. It’s a rarely needed but vital last-resort option.

Read our Ransomware protection with Malwarebytes EDR: Your FAQs, answered! article for more on how Malwarebytes EDR stops ransomware attacks.

For a more technical deep-dive into Ransomware Rollback, check out https://service.malwarebytes.com/hc/en-us/articles/4413802760851-Configure-Ransomware-Rollback-in-Nebula 

Get a free EDR demo today

Film companies lose battle to unmask Reddit users

An interesting case marking the limits of what data big business can expect to dig up has concluded its day (or to be more accurate, many days) in court. Ars Technica reports that film companies have lost their battle to make social site Reddit identify anonymous users discussing piracy. No fewer than 20 popular movie producers felt they needed this information in order to show that ISP Grande is liable for its subscribers’ copyright infringement.

Reddit was urging a US court to maintain the anonymity of six Reddit users who’d mentioned piracy all the way back in 2011 and 2018. Reddit argued that the First Amendment “protected their right to anonymous speech” in one of several similar cases which the movie industry had previously lost. From the relevant court filing:

Plaintiffs’ Motion seeks to unmask six anonymous Reddit users that Plaintiffs assume to have committed copyright infringement using Grande, an Internet service provider (ISP). If these Reddit users did engage in copyright infringement on Grande’s networks, then Plaintiffs hope to learn whether the users were drawn to Grande for the ease of infringement. Weeks ago, this Court denied a nearly identical motion by these same Plaintiffs… But rather than returning with better facts capable of meeting the applicable First Amendment standard, Plaintiffs here offer worse facts–expressly acknowledging that they have no need to identify these Reddit users at all.

As it happens, we’re now right back in our own movie industry Groundhog Day: Another case, another loss. The Reddit users here are stepping stones in a battle against an ISP called Grande. The movie producers are trying to prove liability for user piracy because the ISP “allegedly ignores piracy on its network”.

The justification for needing to know the identities of said reddit users comes from comments like the below:

In a 2018 Reddit thread titled “Texas ISP [Grande] slams music biz for trying to turn it into a ‘copyright cop,’” one user says, “I have Grande and torrent a lot. Always thought it was pretty cool of them to not snitch.” A user said, “[l]ike everyone else I miss Grande and I’m stuck with Spectrum or AT&T in my area. I use Spectrum. Those [expletive deleted] have turned my connection off completely on one occasion and would not turn it back on until I agreed to stop pirating media.”

According to Ars Technica, the most recent Reddit users were in the firing line for having their identities revealed for similar posts made in 2011. One individual posted that “I have Grande. No issues with torrent or bandwidth caps”. This was seemingly enough to gain the attention of the movie producers.

You’ll note that the post does not mention piracy, nor does it specify what the user was doing. There are plenty of instances where torrenting something (downloading files using the BitTorrent peer-to-peer protocol) is absolutely legal and above board. You may be downloading a large piece of software or a game broken up into chunks, for example.

Despite this, the film industry had another go anyway.

US Magistrate Judge Laurel Beeler observed that although users of Reddit and other sites do have their details turned over when appropriate, it would not be in this particular situation. 

The film companies claimed that user comments demonstrated Grande’s lack of policy implementation with regard to terminating the account(s) of offenders. They also went on to claim that they’d obtained 118 of Grande’s “top pirating IP addresses” in May but had little success communicating with said alleged pirates.

The Judge had this to say:

As with the last subpoena, the plaintiffs have not shown that the identifying information is directly or materially relevant or unavailable from another source. This is a high standard. The plaintiffs already have 118 subscribers’ identifying information: they primarily resist serving those subscribers with subpoenas as burdensome and inconsistent with their August expert-disclosure deadline. They are the top pirating IP addresses, and they are from a more recent time period: it is not obvious why subpoenaing even a subset of those addresses would not yield information at least equivalent to, if not better than, information from the six Reddit subscribers. The information may be relevant, but it also is attenuated: it is at best weak evidence about Grande’s insufficient policy regarding repeat infringers or its appeal to pirating subscribers.

Essentially: Dredging around the internet for the slightest available slice of data from a decade or more ago, in relation to specific data you have now which still isn’t really helping, is likely not going to help you very much either.

There’s no real way to know the specifics of what people in 2011 were talking about, or what they downloaded. The ISP may not even carry records for that far back. Maybe the Reddit accounts are abandoned, or perhaps some of the users have died. All in all, it seems like an incredible amount of work to put in for what would almost certainly be zero useful result.

This case is a valuable reminder that every single thing you post online, no matter how innocent (or otherwise) could end up rattling around a court of law many years down the line.
