Global ransomware attacks at an all-time high, shows latest 2023 State of Ransomware report

Ransomware attacks have shown no signs of slowing down in 2023.

A new report from the Malwarebytes Threat Intelligence team shows 1,900 total ransomware attacks within just four countries—the US, Germany, France, and the UK—in one year.

The findings, compiled together in the 2023 State of Ransomware Report, show alarming trends in the global ransomware surge from July 2022 to June 2023. For example, the report shows that the US shouldered a hefty 43 percent of all global attacks and that ransomware attacks in France nearly doubled in the last five months.

To say ransomware gangs have been unkind to the US in the past year is an understatement.

Malwarebytes found that a total of 48 separate ransomware groups attacked the US in the observed period. To boot, there was a 75 percent increase in the average number of monthly attacks in the US between the first and second half of the last 12 months.

The UK, on the other hand, emerged as the second-largest ransomware target, enduring close to 200 ransomware attacks.

Malwarebytes tracked 32 separate ransomware groups attacking the UK, seven of which recorded more than ten known attacks. In addition, more ransomware gangs are attacking targets multiple times a month: the number of groups carrying out more than one known attack per month in the UK has climbed steadily for a year, from just one in July 2022 to eight in June 2023.

Neither France nor Germany has been spared by the growing menace of ransomware, either.

Germany retained its place as the fourth most attacked country in the world, and the most attacked country outside of the Anglosphere. France, meanwhile, experienced a disproportionately high rate of attacks on its government sector (9 percent of attacks).

Perhaps the biggest takeaway from the report, however, is that the ascension of the CL0P group—which has effectively harnessed zero-day vulnerabilities to amplify its attacks—could signal a change in the game.

A New Threat on the Horizon: CL0P

For a year and a half, LockBit, which claims to have 100 affiliates, has been the most dominant form of “Ransomware-as-a-Service” (RaaS) in the US, averaging about 24 attacks per month.

However, twice this year, in March and June, LockBit’s considerable rate of attacks was vastly exceeded by CL0P, which was otherwise dormant.

The drive behind the sudden change? CL0P used separate zero-days in GoAnywhere MFT and MOVEit Transfer to gain an edge. This gave them the ability to launch an unprecedented number of attacks within a short time frame and across a massive scale.

The use of zero-day vulnerabilities by ransomware groups like CL0P may trigger a significant shift in ransomware strategies, mirroring the adoption of the “double extortion” tactic in 2019.

If more groups start adopting CL0P’s zero-day exploitation techniques, the ransomware landscape could tilt from service-oriented attacks to a more aggressive, vulnerability-focused model—a move that could skyrocket the number of victims.

Want to learn more?

Read our 2023 State of Ransomware Report

Hey, are you REALLY ready to go on vacation? (No, you aren’t)

Are you ready for a challenge? A real challenge? Do you laugh in the face of shark cages, scoff at the Marathon des Sables, and waft a dismissive finger in the direction of the Everest ascent? Are you ready to conquer the impossible?

If so, then you might be ready for the ultimate challenge—taking a vacation while working in IT or computer security. Our handy flow chart will help you decide if you’re ready (TL;DR, you aren’t, but you already knew that).



Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

How to protect your child’s identity

As we have mentioned before, identity theft is a serious problem, especially when it affects children. Identity thieves love preying on minors, simply because it usually takes longer before the theft is noticed.

A person’s identity represents a certain value. If it is stolen and abused, it can cause a lot of harm.

Stolen identities (even children's) can be abused to:

  • Apply for credit cards
  • Obtain loans
  • Seek benefits
  • Open bank accounts

In many cases, the consequences are only financial, and there is a good chance you will be compensated if you can show the theft was not a consequence of negligence on your part. If your identity is used for criminal activities, it could be a lot worse. Suppose a criminal uses the bank account opened in your name as a money mule account. A money mule is someone who is used to accept money from scammers, keep it in their account for a period of time, and then forward it on to a second account. Intentional money muling is a form of money laundering, and those found guilty can face imprisonment of up to 14 years.

The additional problem for children is that they typically don’t receive the bank statements, credit card bills, and other communications that would alert adults about suspicious financial activity. This is why child identity theft can go on for years before it is discovered.

And when it is discovered, it's often in a very annoying way, for example when the child's first student loan application is denied.

You should never share a child’s Social Security Number (SSN) with anyone who doesn’t have a very good reason for having it. Even those that mean well can have their data stolen at some point. Sometimes we read advice stating that you can limit the consequences by only providing the last four digits of the SSN, but you should be aware that even the “last four” can be useful to identity thieves.

When your child gets their first phone, explain to them that caller IDs can be spoofed. If they receive a call from someone claiming to be from a bank or another trusted institution, have them answer that the caller needs to speak to one of the parents, and then hang up.

Also, when your children get their own email address, tell them not to give it to just anyone, and have them ask permission before registering for an online contest or a service. Many spammers and phishers watch such groups and mailing lists to harvest new email addresses.

If a site or service is covered by the Children’s Online Privacy Protection Act (COPPA), it has to get your consent before collecting personal information from your child if they are under the age of 13, and it has to honor your choices about how that information is used. This is a reason why you should tell your kids never to lie about their ages when they’re signing up for new accounts. The age requirements are there to protect them from online harm.

Be aware that you are a role model. Don’t spy on your children, but openly follow their social media accounts. It’s a win-win that keeps you in the loop and it makes them a bit more conscious of what they post.

Still, even if you have been careful, an identity can be stolen. More often than not, identities are stolen in data breaches. In most data breaches, cybercriminals want to steal names, email addresses, usernames, passwords, and credit card numbers. But most cybercriminals will steal any data that can be sold, used to breach other accounts, used to steal your identity, or used to make fraudulent purchases.

Countermeasures

You have every right to become anxious when your child starts receiving credit offers in the mail, or if you see unexpected activity on their email, phone or bank accounts. It may mean that their personal information has been compromised.

If you become aware of anything suspicious you can request a security freeze for your child at each of the three national credit bureaus (Experian, TransUnion and Equifax). When you request a security freeze, the bureau creates a credit report for your child and then locks it down, so that any lender who attempts to process an application that uses your child’s credentials will be denied access to their credit history. This prevents any loans or credit cards from being issued in the child’s name. When the child becomes an adult you’ll have to lift the freeze by contacting each credit bureau individually.

For more tips on how to protect your identity, or if you believe you are the victim of an identity crime, contact the Identity Theft Resource Center. You can speak to an advisor toll-free by phone (888.400.5530) or via live chat on its website, idtheftcenter.org.



Minecraft fans beware: Players and servers at risk from BleedingPipe vulnerability

Minecraft players interested in modding are potentially at risk of compromise. A Remote Code Execution (RCE) vulnerability in certain Minecraft mods allows for malicious commands on both servers and clients. The vulnerability, named BleedingPipe, allows attackers to take over a targeted server.

Minecraft modding is immensely popular, with a potentially huge number of servers in the wild doing their own thing. There’s a custom game type or world state for everybody.

The problem is that so many of them have been set up in a way which allows for this vulnerability to take hold. As Bleeping Computer notes, the compromised servers are only the first link in the chain. With the server taken over, attackers can then turn their attention to the players inhabiting those servers.

They exploit the issues residing in the mods used by the people playing, which permits them to make malicious installations on their PCs. Given that Minecraft has around 140 million monthly active players, this isn’t great news. While a lot of them are playing on console and so not susceptible to Windows malware, a huge modding base exists in PC land.

From the Minecraft security (MMPA) article highlighting details of the attack:

BleedingPipe is an exploit being used in the wild allowing FULL remote code execution on clients and servers running popular Minecraft mods on 1.7.10/1.12.2 Forge (other versions could also be affected), alongside some other mods.

This is a vulnerability in mods using unsafe deserialization code, not in Forge itself.

The article goes on to list some of the affected mods, and it’s worth noting that this list is by no means exhaustive:

  • EnderCore (dependency of EnderIO). The GT New Horizons fork has been fixed, and the original has been as well, but EnderIO's minimum versions have not yet been updated.
  • LogisticsPipes. This has once again been fixed in the GT New Horizons version as of July 25, 2023, and the original is fixed since version 0.10.0.71. MC 1.12 versions are not affected. If you have played on a server with a vulnerable version, assume you are infected.
  • The 1.7-1.12 versions of BDLib. Once again, the GTNH fork has this fixed, but the developer of the original currently does not plan to fix it. Assume you are infected if you have played on a server and are not on the GTNH fork.
  • Smart Moving 1.12
  • Brazier
  • DankNull
  • Gadomancy

The article also says a similar issue was first reported back in 2022. After being addressed, the problem resurfaced in various forms, impacting several mods along the way. The individuals behind the attack have "scanned all Minecraft servers on the IPv4 address space to mass-exploit vulnerable servers". At the time of writing, nobody knows the payload content being sent to potentially vulnerable servers.

Server admins are advised to check for suspicious files, along with updating or removing vulnerable mods. For players, the news isn’t particularly reassuring:

As a player if you don’t play on servers, you are not affected.

Essentially, either don't play, or run various scans after a Minecraft session and hope for the best. There is also the option of installing a mod called PipeBlocker on Forge servers and clients, which protects against the BleedingPipe vulnerability.
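The root cause named above is mods that rebuild whatever objects a peer sends them ("unsafe deserialization"), and the defensive fix is to decide, before any object is constructed, which classes a stream is allowed to name. The following is an added example, not code from the MMPA article, the affected mods or PipeBlocker (whose internals the article does not describe): it shows that allowlist pattern in Python, with pickle standing in for Java's ObjectInputStream and a constructed ChunkUpdate message standing in for a mod's benign packet.

```python
# Added example, not code from the MMPA article, the affected mods or PipeBlocker.
# Python analogue of the defence against unsafe deserialization: pickle stands in for
# Java serialization (assumption; the page shows no code), and the mitigation is an
# allowlist of the classes a stream may reconstruct. Everything else is refused before
# any constructor, __reduce__ or __setstate__ of an unexpected class can run.
import io
import pickle
from collections import OrderedDict
from dataclasses import dataclass, field


@dataclass
class ChunkUpdate:
    """Constructed stand-in for a benign message a mod might exchange between client and server."""
    x: int
    z: int
    blocks: list = field(default_factory=list)


# The only (module, class) pairs a network stream is allowed to name.
ALLOWED_CLASSES = {(ChunkUpdate.__module__, ChunkUpdate.__qualname__)}


class DisallowedClass(Exception):
    """Raised when a stream names a class that is not on the allowlist."""


class AllowlistUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        # find_class is consulted for every class reference in the stream, so refusing
        # here stops the unexpected object from ever being built.
        if (module, name) not in ALLOWED_CLASSES:
            raise DisallowedClass(f"refused to load {module}.{name}")
        return super().find_class(module, name)


def serialize(message) -> bytes:
    """Encode a message the way a peer would put it on the wire."""
    return pickle.dumps(message, protocol=pickle.HIGHEST_PROTOCOL)


def unsafe_loads(data: bytes):
    """What a vulnerable mod does: rebuild whatever the peer sent, no questions asked."""
    return pickle.loads(data)


def safe_loads(data: bytes):
    """The hardened form: only allowlisted classes may be rebuilt."""
    return AllowlistUnpickler(io.BytesIO(data)).load()


def is_accepted(data: bytes) -> bool:
    """True if the hardened reader accepts the stream, False if it refused a class."""
    try:
        safe_loads(data)
        return True
    except DisallowedClass:
        return False


def sample_unexpected_stream() -> bytes:
    """Constructed stream naming a harmless class (OrderedDict) that is not on the allowlist.
    It stands in for any stream that names a class the mod never expected to receive."""
    return serialize(OrderedDict(a=1))


if __name__ == "__main__":
    good = serialize(ChunkUpdate(1, 2, [0, 1, 2]))
    print("allowlisted message:", safe_loads(good))
    print("unexpected class rebuilt by unsafe_loads:", type(unsafe_loads(sample_unexpected_stream())).__name__)
    print("unexpected class accepted by safe_loads:", is_accepted(sample_unexpected_stream()))
```

The design point is where the check sits: the allowlist is enforced inside the reader, at the moment a class name is resolved, rather than by inspecting the object after it has been built, because by then any side effects of reconstruction have already happened. Java offers the same hook through ObjectInputFilter, which is the kind of mechanism a filtering mod would use.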

Abusing game servers is an occasionally used technique to infect as many people as possible. Something similar happened this past week when Call of Duty servers were taken offline due to a similar approach. The smash hit DayZ game was famously attacked back in 2014 in much the same fashion.

Connecting to other devices or servers is always a potential risk, and where modding is thrown into the mix you can never be 100% sure that everything is as it should be. Stay safe, Minecraft fans!


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Ivanti patches second zero-day vulnerability being used in attacks

Ivanti has issued a patch to address a second critical zero-day vulnerability that is under active attack. The vulnerability is said to be used in combination with the first vulnerability we discussed some days ago.

The Cybersecurity and Infrastructure Security Agency (CISA) has added the new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation since at least April of 2023. This means all Federal Civilian Executive Branch (FCEB) agencies must remediate this vulnerability by August 21, 2023 to protect their networks against active threats.

Thousands of large organizations, including governments and those providing critical infrastructure, use Ivanti Endpoint Manager Mobile (EPMM). CISA and the Norwegian National Cyber Security Centre (NCSC-NO) have released a joint Cybersecurity Advisory (CSA) about the threat actors that are exploiting the Ivanti EPMM vulnerabilities.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVE patched in the latest updates is CVE-2023-35081, a remote arbitrary file write vulnerability in Ivanti EPMM (formerly known as MobileIron Core) with a CVSS score of 7.2 out of 10.

Further on, Ivanti explains that CVE-2023-35081 enables an authenticated administrator to perform arbitrary file writes to the EPMM server. Chained with CVE-2023-35078 to bypass administrator authentication and access-control list (ACL) restrictions, it allows an attacker to create, modify, or delete files on a victim's system remotely.

Successful exploitation can be used to write malicious files to the appliance, ultimately allowing a malicious actor to execute operating system (OS) commands on the appliance as the Tomcat user.

Apache Tomcat is a popular open source web server and servlet container for Java code. By adding files to a running Apache Tomcat instance, an external actor is able to run malicious Java bytecode on the affected servers.

EPMM users are advised to upgrade supported versions of EPMM with the patch releases (11.8.1.2, 11.9.1.2, and 11.10.0.3) from the System Manager portal. Ivanti is urging users of unsupported versions to upgrade to the latest version of EPMM to ensure they have the latest security and stability fixes. More information about upgrading can be found in the 11.x release notes.


We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Public companies must now disclose breaches within 4 days

Public organisations in the US impacted by a cyberattack will now have to disclose it within four days, with some caveats attached. On Wednesday, new rules were approved by the US Securities and Exchange Commission (SEC). These rules mean that publicly traded companies will need to reveal the details of an attack in cases where it had a "material impact" on their finances.

From the SEC press release:

The Securities and Exchange Commission today adopted rules requiring registrants to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance.

“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” said SEC Chair Gary Gensler. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”

Disclosures of a breach can be held off in cases where the US Attorney General decides that such an action would pose a risk to national security or public safety. Otherwise, the new rules regarding the four-day time limit will apply:

The new rules will require registrants to disclose on the new Item 1.05 of Form 8-K any cybersecurity incident they determine to be material and to describe the material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant. An Item 1.05 Form 8-K will generally be due four business days after a registrant determines that a cybersecurity incident is material.

That’s not all. Registrants will also have to describe their processes for “assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents”.

Both management and the board of directors will also have to explain their oversight of potential risks and threats, all required in the organisation’s annual report.

This all sounds like a good idea. However, some believe it may help the people doing the attacking more than it hinders them. SEC commissioner Hester Peirce, who voted against the new rules, is not impressed, as per her comments in Security Week.

She believes the new rules could end up providing attackers with a kind of road map of potential targets: new filings will continually give them updates on how the company is coping with their attack. They could then plan new strategies, or other groups watching the chaos unfold could swoop in to cause more problems for the victim.

While this seems unlikely, it’s probably worth thinking about how the updates are worded just to be on the safe side. As Security Week notes, these concerns are included in the SEC’s document, but ultimately the SEC considered their inclusion to be justified.

For the world of business, the ball is now in your court. You have four days to pass it back.



Supply chain attacks disrupt emergency services communications

A supply chain attack rendered two ambulance trusts incapable of accessing electronic patient records in the UK. The two services, which operate in a region of 12 million people, were not targeted directly. Instead, the attack was aimed at a third-party technology provider used by both the South Central Ambulance Service (SCAS) and the South Western Ambulance Service (SWASFT).

According to reports, the systems were attacked sometime on the evening of July 18, impacting “customer systems within its hosted datacentre environment”.

The targeted organisation, Ortivus, has the following to say in a statement regarding the attack:

The electronic patient records are currently unavailable and are until further notice handled using manual systems. No patients have been directly affected. No other systems have been attacked and no customers outside of those in the hosted datacenter have been affected.

Ortivus are currently working in close collaboration with the affected customers to restore the systems and recover data. The affected customers are the ones using MobiMed ePR, electronic patient record systems in a hosted environment.

The organization behind the cyber-attack is not known at this stage and the incident has been reported to the authorities as a crime.

The targeted platform is called MobiMed. This is a “modular platform that connects and enable(s) real-time information sharing throughout the prehospital care chain”. It is claimed to be used by “over 12,000 paramedics in over 2,700 emergency vehicles”.

To lose access to patient record data under these conditions is clearly far from ideal. The Register reports that healthcare workers are having to resort to pen and paper, alongside staff being warned of the potential for phishing attacks.

While there is a backup system able to take MobiMed’s place “within 24 hours” of an attack, integration with other systems is not 100%. Until a full analysis of the attack has taken place, the backup system will remain in place.

Regular readers of the blog will know of the chaos that accompanies attacks on healthcare providers. If crucial systems are compromised, people’s lives are put at risk. It’s something of a hot-button issue for ransomware authors, to the extent that some of them will apologise and offer up free decryption tools. They have calculated that it is simply not worth the press heat and possibility of angering law enforcement. Much better to blame an affiliate (whether an affiliate is responsible or not) and try to salvage some good PR from the situation.

Supply chain attacks are another large wrinkle on top of the original problem. Whether or not the attacker knows their target is used for medical work, it impacts organisations along the supply chain either way. Everything from healthcare to fuel suppliers is at risk when supply chain attacks come to town.

Securing your supply chain

Here’s how you can protect your organization from risks your suppliers might pose:

  1. Know who your vendors are. Knowing this allows you to look for risks and vulnerabilities in the chain that threat actors might exploit.
  2. Use EDR or MDR. Invest in an effective endpoint detection and response (EDR) system, or managed detection and response (MDR) if you don't have the expert staff to monitor EDR 24/7.
  3. Segment your network. This limits attackers' ability to move laterally, either stopping them or forcing them into actions your monitoring is more likely to pick up.
  4. Develop an incident response (IR) plan. If you don’t know what framework to build on, check out this incident handling guide from the National Institute of Standards and Technology. Include transparent and timely communication between your stakeholders and customers when something happens, so your business can provide steps to mitigate the problem if needed.
  5. Have a plan for patching. Patching in an organisation of any size is difficult: You need a systematic way to understand what hardware you have, what software it’s running, what patches that software needs, how important they are, and what the risks of deploying them are.
  6. Create and test offline backups. Speaking of backups, never assume they work, test them.
  7. Apply the principle of least privilege. Give suppliers the access they actually need and nothing more.
  8. Make multi-factor authentication (MFA) a norm. Supply chain attackers have been known to use stolen credentials to compromise systems. They know business systems trust credentials, regardless of who uses them.
  9. Train your employees. Gaps in security hygiene practices can open up opportunities for attackers. It’s important to keep employees and partners aware of the possible risks and red flags associated with supply chain attacks.


Meta subsidiaries must pay $14m over misleading data collection disclosure

Meta has run into yet another bout of court-related issues: two subsidiaries have been ordered to pay $14 million over undisclosed data collection. The Australian case, which has rumbled on for the best part of two and a half years, has focused on claims related to a now discontinued Virtual Private Network (VPN).

The subsidiary Onavo, acquired in 2013 by Facebook, was supposed to be keeping the VPN a separate brand from the main flagship company. Among various privacy-based claims were "peace of mind when you browse" and "keep you and your data safe online". It was certainly popular, with more than 270,000 downloads in Australia.

One of the app’s major selling points was that users were told their data would not be used for any purposes other than “the provision of Onavo Protect’s products”.

However, the app, functional from 2016 to 2017, was found to be sending data to Facebook. This included user location, how often and when other apps were used, and unrelated websites visited, for advertising purposes. Here's a rundown of some of the things the app was tracking, from the original research in 2018:

  • When a mobile is turned on and off
  • Daily Wi-Fi data usage (even when the app is off)
  • Daily cellular data usage (even when the app is off)
  • Amount of time the VPN connection is used

This was not what app users had signed up for, and so things quickly turned legal as a result. From the judgement:

Facebook Israel and Onavo admit that they offered, advertised and promoted Onavo Protect and made the app available to download by users in Australia via the App Store (for iOS users) and the Play Store (for Android users) during the Available Period.

Meta and Facebook Israel’s internal documents state that Onavo Protect was “a business intelligence tool” for Meta, which provided Meta with “a sample of users who we are able to know nearly everything they are doing on their mobile device” (which was in the form of anonymised, aggregated data). Meta then used anonymised and aggregated data derived from sets of the Onavo Protect Data (in the form of statistical information) for a range of purposes, including in relation to its advertising and marketing activities, improving its products and services and developing commercial strategies.

Disclosures related to how consumer data would be used for purposes other than providing Onavo Protect were listed in the Terms of Service and Privacy Policy, in the form of website links promoting the product. Additionally, users were taken to a page containing said documents when using Onavo Protect for the first time after installation. However, the disclosures in question were not “sufficiently prominent or proximate to the listings”.

Back to the judgement, where there is every sense that those responsible have dodged a potentially much larger fine:

Facebook Israel and Onavo admit that, given the above facts, the Listings that contained the Statements were likely to mislead or deceive (within the meaning of s 18 of the ACL), and liable to mislead the public (within the meaning of s 33 of the ACL), in the absence of sufficient disclosures to Australian consumers (which they admit were not made in those Listings) of the fact that Australian users’ data would be used for purposes other than providing Onavo Protect.

Where the theoretical maximum penalty is in the billions or trillions of dollars, the overall maximum penalty will not be a meaningful factor in the court’s assessment. In these circumstances, the appropriate range is best assessed by reference to factors other than where the conduct falls in the range of seriousness of offending in relation to the maximum penalty.

Last year, Instagram received a record fine of $400m for the abuse of children’s data. Elsewhere, Meta was fined $277m for a data breach which impacted around 500 million users. Some believe that social networks simply consider fines like these to be the cost of doing business. A few million dollars here or there doesn’t necessarily convince those responsible to do anything about it.

Even so, the fines keep coming. It remains to be seen if the long-term impact will eventually amount to anything meaningful.



A week in security (July 24 – July 30)

Zimbra issues awaited patch for actively exploited vulnerability

Two weeks ago, we urged readers to apply a workaround for an actively exploited vulnerability in Zimbra Collaboration Suite (ZCS) email servers. Zimbra has released ZCS 10.0.2 that fixes two security issues, including the known bug that could lead to exposure of internal JSP and XML files.

Zimbra is an open source webmail application used for messaging and collaboration. The vulnerability, which could impact the confidentiality and integrity of users’ data, exists in Zimbra Collaboration Suite Version 8.8.15.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs patched in these updates are:

  • CVE-2023-38750: Zimbra Collaboration Suite (ZCS) contains a cross-site scripting (XSS) vulnerability impacting the confidentiality and integrity of data.

CISA added the vulnerability to its Known Exploited Vulnerabilities Catalog which means that all Federal Civilian Executive Branch (FCEB) agencies must remediate this vulnerability by August 17, 2023.

Reportedly, Maddie Stone from the Google Threat Analysis Group (TAG)—which first reported the vulnerability—confirmed that this issue was used by an Advanced Persistent Threat (APT) group in targeted attacks.

An XSS vulnerability allows attackers to inject malicious code into otherwise benign websites. In this case, the injected code could expose internal JSP and XML files.

A JSP file is a Java document used to dynamically generate a webpage using Jakarta Server Pages (JSP) functions. It is similar to an .ASP or .PHP file, except it contains Java code instead of ActiveX or PHP. Web servers parse JSP files and use them to generate HTML, which is sent to a user’s web browser.

Extensible Markup Language (XML) is the underlying technology in thousands of applications, ranging from common productivity tools like word processing to book publishing software and even complex application configuration systems.

  • CVE-2023-0464: A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. The OpenSSL package has been upgraded.

OpenSSL is a software library that lets applications secure their communications over computer networks against eavesdropping and identify the party at the other end.

Users that are not ready to install the new version are advised to apply the workaround as recommended by Zimbra.

The Zimbra workaround suggests you apply the following fix manually on all of your mailbox nodes:

  1. Take a backup of the file /opt/zimbra/jetty/webapps/zimbra/m/momoveto
  2. Then open the active file for editing and go to line 40
  3. Change
    <input name="st" type="hidden" value="${param.st}"/>
    to
    <input name="st" type="hidden" value="${fn:escapeXml(param.st)}"/>

Zimbra notes that a service restart is not required so you can apply the manual workaround without any downtime.
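The one-line change above is the whole fix: the value of the st request parameter is written straight into an HTML attribute, so a value containing a quote or an angle bracket can end the attribute and start new markup, and fn:escapeXml neutralises exactly those characters. As an added example (not Zimbra's code), the Python below reproduces what the workaround changes, using a reimplementation of the five replacements of JSTL fn:escapeXml (an assumption taken from the JSTL specification), and adds a small check that scans a JSP template for ${param.x} expressions not wrapped in fn:escapeXml, which an admin could run over their own copy of momoveto on each mailbox node. The template used here is a constructed three-line stand-in, not the real file.

```python
# Added example, not Zimbra's own code: what the momoveto workaround changes and how to
# check that it is present. escape_xml reimplements the five replacements of JSTL
# fn:escapeXml (assumption based on the JSTL specification); SAMPLE_TEMPLATE is constructed.
import re


def escape_xml(value: str) -> str:
    """Mimic JSTL fn:escapeXml: neutralise the characters that end an attribute or start a tag."""
    return (value.replace("&", "&amp;")
                 .replace("<", "&lt;")
                 .replace(">", "&gt;")
                 .replace('"', "&#034;")
                 .replace("'", "&#039;"))


def render_hidden_input(st: str, escaped: bool) -> str:
    """Render the hidden <input> the way the original (escaped=False) or patched
    (escaped=True) template line would for a given value of the 'st' parameter."""
    value = escape_xml(st) if escaped else st
    return f'<input name="st" type="hidden" value="{value}"/>'


def attribute_breaks_out(markup: str) -> bool:
    """True when the rendered line holds more than the one <input> tag, i.e. the parameter
    value terminated the attribute and started markup of its own."""
    return markup.count("<") > 1


# A raw ${param.x}; the patched form starts with ${fn: and therefore does not match.
UNESCAPED_PARAM = re.compile(r"\$\{\s*param\.(\w+)\s*\}")


def find_unescaped_params(template: str):
    """Return (line_number, parameter_name) for each raw ${param.x} in a JSP template."""
    return [(n, name)
            for n, line in enumerate(template.splitlines(), 1)
            for name in UNESCAPED_PARAM.findall(line)]


def apply_workaround(template: str, name: str) -> str:
    """Wrap every raw ${param.<name>} in fn:escapeXml, as the Zimbra advisory does for 'st'."""
    pattern = re.compile(r"\$\{\s*param\." + re.escape(name) + r"\s*\}")
    return pattern.sub(lambda _: "${fn:escapeXml(param." + name + ")}", template)


# Constructed stand-in for the momoveto template (the real file is much longer).
SAMPLE_TEMPLATE = "\n".join([
    "<%-- constructed sample, not the real momoveto file --%>",
    '<input name="st" type="hidden" value="${param.st}"/>',
    '<input name="mailbox" type="hidden" value="${fn:escapeXml(param.mailbox)}"/>',
])


if __name__ == "__main__":
    probe = 'a"b<c'  # constructed value containing a quote and an angle bracket
    for escaped in (False, True):
        line = render_hidden_input(probe, escaped)
        print(f"escaped={escaped}: {line}  breaks out: {attribute_breaks_out(line)}")
    print("unescaped before fix:", find_unescaped_params(SAMPLE_TEMPLATE))
    print("unescaped after fix:", find_unescaped_params(apply_workaround(SAMPLE_TEMPLATE, "st")))
```

The scan is deliberately narrow: it only flags the ${param.x} form, so it will not catch a parameter copied into a scripting variable first. It is a quick confirmation that the documented line has been changed on every mailbox node, not a substitute for installing ZCS 10.0.2.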

