IT NEWS

Some hoaxes on Facebook are years old, but like a cat with nine lives they keep coming back again and again. This is certainly the case with this most recent hoax.

Fact-checking site Snopes is reporting on a hoax that concerns Meta’s use of our photos, messages and other posts on Facebook. Users are told in numerous ways to repost something that contains the phrase:

“I do not authorize META, Facebook or any entity associated with Facebook to use my photos, information, messages or posts, past or future.”

“Hello It’s official. Signed at 8:44 PM. It was even on TV. Mine really turned blue. Don’t forget that tomorrow starts the new Facebook rule (aka… new name, META) where they can use your photos. Don’t forget the deadline is today!!!

I do not authorize META, Facebook or any entity associated with Facebook to use my photos, information, messages or posts, past or future.

With this statement, I notify Facebook that

it is strictly prohibited to disclose, copy, distribute or take any other action against me based on this profile and/or its contents. Violation of privacy may be punishable by law.

Here’s how to do it:

Hold your finger anywhere in this message and “copy” will appear. Click “copy”. Then go to your page, create a new post and place your finger anywhere in the empty field. “Paste” will appear and click Paste.

This will bypass the system….

He who does nothing consents.”

The first round of hoax posts similar to this one surfaced in 2012 (and have resurfaced many times since then). As you can see in this page on the Internet archives, Facebook even issued a statement about it:

“Fact Check

Copyright Meme Spreading on Facebook

There is a rumor circulating that Facebook is making a change related to ownership of users’ information or the content they post to the site. This is false. Anyone who uses Facebook owns and controls the content and information they post, as stated in our terms. They control how that content and information is shared. That is our policy, and it always has been.”

It’s not a Real Thing

With all the—legitimate—concern around keeping personal data private, one can see why people fall for hoaxes like this. However, this copy-paste post does nothing. Facebook doesn’t get to “own” your content and you don’t need to make any declarations about copyright issues since the law already protects you.

Equally, Facebook users cannot retroactively negate any of the privacy or copyright terms they agreed to when they signed up for their accounts, simply by posting a contrary legal notice on to Facebook.

In other words, you agreed to Facebook’s terms of use and when you did, you provided Facebook with a right to use, distribute, and share the things you post, subject to the terms and applicable privacy settings. If that doesn’t sit well with you, it’s worth considering deactivating or deleting your Facebook account.

Sharing posts like this “just in case” continues the hoax and unnecessarily worries people who might see your post. If you’re not sure about whether you should share something, it’s worth googling the post’s text to check if there are any alerts about it.

Check your own digital footprint

If you are worried about how much of your data has been exposed online, you can try our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

February was a particularly busy month for search-based malvertising with the number of incidents we documented almost doubling. We saw similar payloads being dropped but also a few new ones that were particularly good at evading detection.

One malware family we have been tracking on this blog is FakeBat. It is very unique in that the threat actor uses MSI installers packaged with heavily obfuscated PowerShell code. For weeks, the malvertiser helping to distribute this malware was abusing the same URL shortener services which may have made the attack somewhat predictable. We saw them experimenting with new redirectors and in particular leveraging legitimate websites to bypass security checks.

Another interesting aspect is the diversity of the latest campaigns. For a while, we saw the same software brands (Parsec, Freecad) being impersonated over and over again. With this latest wave of FakeBat malvertising, we are seeing many different brands being targeted.

All the incidents described in this blog have been reported to Google.

New redirection chain

During the past several weeks, FakeBat malvertising campaigns used two kinds of ad URLs. As observed in other malvertising campaigns, they were abusing URL/analytics shorteners which are ideal for cloaking. That practice enables a threat actor to use a ‘good’ or ‘bad’ destination URL based on their own defined parameters (time of day, IP address, user-agent, etc.).

The other type of redirect was using subdomains from expired and sitting .com domains reassigned for malicious purposes. This is a common trick to give the illusion of credibility. However, in the most recent malvertising campaigns we see the threat actor abusing legitimate websites that appear to have been compromised.

It’s worth noting that the few examples we found were all Argentinian-based (.ar TLD):

Victims click on the ad which sends a request to those hacked sites. Because the request contains the Google referer, the threat actor is able to serve a conditional redirect to their own malicious site:

The full infection chain can be summarized in the web traffic image seen below:

Several active brand impersonations

There are currently several campaigns running including OneNote, Epic Games, Ginger and even the Braavos smart wallet application. A number of those malicious domains can be found on Russian-based hoster DataLine (78.24.180[.]93).

Each downloaded file is an MSIX installer signed with a valid digital certificate (Consoneai Ltd).

Once extracted, each installer contains more or less the same files with a particular PowerShell script:

When the installer is ran, this PowerShell script will execute and connect to the attacker’s command and control server. Victims of interest will be cataloged for further use. ThreatDown EDR detects the PowerShell execution and creates an alert:

Conclusion

FakeBat continues to be a threat to businesses via malicious ads for popular software downloads. The malware distributors are able to bypass Google’s security checks and redirect victims to deceiving websites.

It is as important to defend against the supporting infrastructure as the malware payloads. However, that is not always easy since legitimate websites may be used to defeat domain blocklists. As always, blocking ads at the source via system policies such as ThreatDown DNS Filter, remains one the most effective ways to stop malvertising attacks in their tracks.

Indicators of Compromise

Hacked sites

cecar[.]com[.]ar
estiloplus[.]tur[.]ar

Decoy sites

obs-software[.]cc
bandi-cam[.]cc
breavas[.]app
open-project[.]org
onenote-download[.]com
epicgames-store[.]org
blcnder[.]org

Download URLs

bezynet[.]com/OBS-Studio-30[.]0[.]2-Full-Installer-x64[.]msix
bezynet[.]com/Bandicam_7[.]21_win64[.]msix
church-notes[.]com/Braavos-Wallet[.]msix
church-notes[.]com/Epic-Games_Setup[.]msix
church-notes[.]com/Onenote_setup[.]msix

File hashes

07b0c5e7d77629d050d256fa270d21a152b6ef8409f08ecc47899253aff78029
0d906e43ddf453fd55c56ccd6132363ef4d66e809d5d8a38edea7622482c1a7a
15ce7b4e6decad4b78fe6727d97692a8f5fd13d808da18cb9d4ce51801498ad8
40c9b735d720eeb83c85aae8afe0cc136dd4a4ce770022a221f85164a5ff14e5
f7fbf33708b385d27469d925ca1b6c93b2c2ef680bc4096657a1f9a30e4b5d18

Command and control servers

ads-pill[.]xyz
ads-pill[.]top
ads-tooth[.]top
ads-analyze[.]top

This article is based on research by Marcelo Rivero, Malwarebytes’ ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, “known attacks” are those where the victim did not pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher.

In February, there were 376 ransomware victims, marking an unusually active month for the historically subdued time period. But February didn’t just bring unprecedented numbers, but unprecedented developments as well: law enforcement shut down LockBit, the largest ransomware gang, while ALPHV, the second-largest, appeared to fake its demise and abscond with its own affiliates’ funds.

Before we dive into the two biggest stories of the month, however, let’s start with a quick overview of other significant ransomware developments, including a new Coveware report revealing a record low of 29% of victims paying ransoms in the last quarter of 2023.

A few years ago, paying ransomware attackers was almost a given—85% of hit organizations in early 2019 felt they had no choice. But fast forward to 2024, and Coveware data suggests that that trend has completely reversed—not only have the number of victims paying dropped but so have the dollar amounts of actual ransom payments. In other words, we’re seeing fewer and smaller ransomware payouts than ever before. 

At first glance, the trend appears counterintuitive: with global ransomware attacks hitting record highs annually, one might expect a proportional increase in the number of victims choosing to pay a ransom. But as it turns out, all the attention on ransomware is effectively shooting attackers in the foot: the more these attacks make headlines, the more businesses understand ransomware as a prime threat, leading to improved security measures that can allow victims to recover from an attack without paying a ransom. Also discouraging payments are increasing doubts about cybercriminals’ reliability and stricter anti-ransom laws.

But all of this begs the question: with fewer payments, will ransomware gangs adapt their strategies to remain a threat, or will the decrease in successful ransoms lead to a decline in attacks as they seek more lucrative avenues? Will ransomware attacks always remain profitable, albeit less so over time? The report raises just about as many questions as it answers. 

Our prediction? Ransomware gangs aren’t backing down any time soon; in fact, they’ll likely continue getting more inventive in pressuring companies to pay up. Our coverage on “big game ransomware” showed ransomware gangs aren’t just hiking up demands when companies resist paying, they’re also turning to more aggressive tactics. “Threats to leak data, sell it online, break other parts of the business, attack related firms, or even harass employees are all tactics gangs can make use of” to force reluctant businesses to pay, writes former Malwarebytes Labs author Christopher Boyd.

In other words, despite fewer companies paying up, we foresee ransomware attackers compensating with higher ransom demands and more sophisticated, aggressive negotiation tactics.

In other February news, new reports highlighted ALPHV’s surge of targeted attacks against the healthcare sector. Coincidentally, a day after these reports were published, there was news of ALPHV’s severe attack on Change Healthcare, one of the largest healthcare technology companies in the US.

The report indicated that since mid-December 2023, out of nearly 70 leaked victims, the healthcare sector has been ALPHV’s most frequent target. This seems to be a response to the ALPHV Blackcat administrator’s encouragement for its affiliates to target hospitals following actions against the group and its infrastructure in early December 2023.

The Roman historian Tacitus once said, “Crime, once exposed, has no refuge but in audacity.” Well, the exposure of ALPHV’s crimes has seemingly emboldened them further, pushing them to undertake even more brazen acts of revenge against the very institutions aiming to curb their criminal activities. At the end of the day, ALPHV’s actions are unsurprisingly petty, pointless, and endanger human lives, but they at the very least they hint at the group’s last desperate gasps for relevance.

On the vulnerability front, ransomware gangs like Black Basta, Bl00dy, and LockBit were seen exploiting vulnerabilities in ConnectWise ScreenConnect last month that exposed servers to control by attackers. It appears that almost every other month, our ransomware reviews uncover a new vulnerability being exploited with great success—whether it was MOVEit in the summer of 2023 or Citrix Bleed at the end of 2023. The vulnerabilities in ScreenConnect are once again part of this broader trend we’ve noticed of ransomware gangs finding ever-new points of entry—perhaps even more quickly and extensively than in previous years.

LockBit down, ALPHV out

February 2024 is likely to be remembered for years as the month when two of the most dangerous ransomware gangs in the world suffered some serious turbulence.

LockBit has been the preeminent ransomware menace since the demise of Conti in spring 2022, but for the first time there are serious reasons to doubt its status and longevity. On February 19, the ransomware gang’s dark web site announced “This site is now under the control of The National Crime Agency of the UK, working in close cooperation with the FBI and the international law enforcement task force, ‘Operation Cronos’.”

What followed was something quite unique in the annals of ransomware takedowns. Alongside the usual dry press releases, the law enforcement agencies responsible used the site it had acquired to showcase the details of what it had done.

It was an act of exquisite trolling that looked designed to damage the LockBit brand by humiliating it in the eyes of its peers and affiliates.

There was substance to the disruption too—some arrests, “a vast amount of intelligence” gathered, infrastructure seized, cryptocurrency accounts frozen, decryption keys captured, and the revelation that LockBit administrator LockBitSupp “has engaged with law enforcement.”

LockBit quickly established a new site and insisted everything was fine in exactly the way that people do when things aren’t fine, by releasing a stream of concious 3,000-word essay that explained precisely how fine things were, thanks. It remains to be seen if LockBit’s rebound will last. When ransomware gangs start to feel the hot breath of law enforcement on their neck a rebrand normally follows.

LockBit’s main rival, ALPHV, used February to demonstrate an alternative ending. It decided to leave the ransomware world behind by ripping off its own customers (which are really just affiliates in crime) in a sloppily executed exit scam. ALPHV had suffered its own brush with law enforcement in December and, like LockBit, appeared to have recovered.

Perhaps it was spooked by its brush with the feds, or perhaps the $22 million ransom an affiliate extracted from its devastating attack on Change Healthcare was just too hard to resist. Whatever the reason, ALPHV cut and ran, taking the cash and leaving its criminal affiliates high and dry. A half-hearted attempt to pin the blame for its disappearance on the FBI fooled no one.

Preventing Ransomware

Fighting off ransomware gangs like the ones we report on each month requires a layered security strategy. Technology that preemptively keeps gangs out of your systems is great—but it’s not enough. 

Ransomware attackers target the easiest entry points: an example chain might be that they first try phishing emails, then open RDP ports, and if those are secured, they’ll exploit unpatched vulnerabilities. Multi-layered security is about making infiltration progressively harder and detecting those who do get through. 

Technologies like Endpoint Protection (EP) and Vulnerability and Patch Management (VPM) are vital first defenses, reducing breach likelihood. 

The key point, though, is to assume that motivated gangs will eventually breach defenses. Endpoint Detection and Response (EDR) is crucial for finding and removing threats before damage occurs. And if a breach does happen—ransomware rollback tools can undo changes.

How ThreatDown Addresses Ransomware

ThreatDown bundles take a comprehensive approach to these challenges. Our integrated solutions combine EP, VPM, and EDR technologies, tailored to your organization’s specific needs. ThreatDown’s select bundles offer:

• Advanced Web Protection: Blocking phishing websites ransomware gangs use for initial access.
• RDP Shield: Securing remote access points with Brute Force Protection.
• Continuous Vulnerability Scanning and Patch Management: Identifying and patching weaknesses before ransomware gangs can exploit them.
• Sophisticated EDR: Detecting and neutralizing advanced threats such as LockBit within the network.
• Ransomware Rollback: Reversing the impact of any successful attacks.

ThreatDown EDR detecting LockBit ransomware

ThreatDown automatically quarantining LockBit ransomware

For resource-constrained organizations, select ThreatDown bundles offer Managed Detection and Response (MDR) services, providing expert monitoring and swift threat response to ransomware threats—without the need for large in-house cybersecurity teams.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

This week on the Lock and Code podcast…

A disappointing meal at a restaurant. An ugly breakup between two partners. A popular TV show that kills off a beloved, main character.

In a perfect world, these are irritations and moments of vulnerability. But online today, these same events can sometimes be the catalyst for hate. That disappointing meal can produce a frighteningly invasive Yelp review that exposes a restaurant owner’s home address for all to see. That ugly breakup can lead to an abusive ex posting a video of revenge porn. And even a movie or videogame can enrage some individuals into such a fury that they begin sending death threats to the actors and cast mates involved.

Online hate and harassment campaigns are well-known and widely studied. Sadly, they’re also becoming more frequent.

In 2023, the Anti-Defamation League revealed that 52% of American adults reported being harassed online at least some time in their life—the highest rate ever recorded by the organization and a dramatic climb from the 40% who responded similarly just one year earlier. When asking teens about recent harm, 51% said they’d suffered from online harassment in strictly the 12 months prior to taking the survey itself—a radical 15% increase from what teens said the year prior.

The proposed solutions, so far, have been difficult to implement.

Social media platforms often deflect blame—and are frequently shielded from legal liability—and many efforts to moderate and remove hateful content have either been slow or entirely absent in the past. Popular accounts with millions of followers will, without explicitly inciting violence, sometimes draw undue attention to everyday people. And the increasing need to have an online presence for teens—even classwork is done online now—makes it near impossible to simply “log off.”

Today, on the Lock and Code podcast with host David Ruiz, we speak with Tall Poppy CEO and co-founder Leigh Honeywell, about the evolution of online hate, personal defense strategies that mirror many of the best practices in cybersecurity, and the modern risks of accidentally becoming viral in a world with little privacy.

“It’s not just that your content can go viral, it’s that when your content goes viral, five people might be motivated enough to call in a fake bomb threat at your house.”

Leigh Honeywell, CEO and co-founder of Tall Poppy

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

Information newly made available under California law has shed light on data broker practices, including exactly what categories of information they trade in.

Any business that meets the definition of data broker must register with the California Privacy Protection Agency (CPPA) annually. The CPPA defines data brokers as businesses that consumers don’t directly interact with, but that buy and sell information about consumers from and to other businesses.

Where there’s money to be made you’ll find companies and individuals that will go to any length to get a piece of the action. At the moment there are around 480 data brokers registered with the CPPA. However, that might be just the tip of the iceberg, because there are a host of smaller players active that try to keep a low profile. There are 70 fewer data brokers listed than last year, but it is questionable whether they went out of business or just couldn’t be bothered with all the regulations tied to being a listed data broker.

The law requires registered data brokers to disclose in which of the following categories they actively trade information in:

• Minors (24)
• Precise Geolocation (79)
• Reproductive healthcare data (25)

Four of these data brokers are active in all three of these categories: LexisNexis Risk Solutions, Harmon Research Group, Experian Marketing Solutions, and BDO USA, P.C., Global Corporate Intelligence group.

What is particularly disturbing is the traffic in the data of minors. Children require special privacy protection since they’re more vulnerable and less aware of the potential risks associated with data processing.

When it comes to children’s data, the CCPA requires businesses to obtain opt-in consent to sell the data of a person under the age of 16. Children between the ages of 13 and 16 can provide their own consent, but for children under the age of 13, businesses must obtain verifiable parental consent before collecting or selling their data.

Data brokers were under no obligation to disclose information about selling data belonging to minors until the Delete Act was signed into law on October 10, 2023. The Delete Act is a Californian privacy law which provides consumers with the right to request the deletion of their personal information held by various data brokers subject to the law through a single request.

The next step forward would be if more states followed California’s example. So far only four states—California, Vermont, Oregon, and Texas—have enacted data broker registration laws.

The Children’s Online Privacy Protection Act (COPPA), which regulates children’s privacy, does not currently prevent companies from selling data about children. An update for the bill (COPPA 2.0), that would enhance the protection of minors, is held up in Congress.

In Texas, data brokers are governed by Chapter 509 of the Business and Commerce Code and this includes the specification that each data broker has a “duty to protect personal data held by that data broker.” This is important because, as we have seen, breaches at these data brokers can be combined with others and result in a veritable treasure trove of personal data in the hands of cybercriminals.

Check your digital footprint

If you want to find out how much of your data has been exposed online, you can try our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

Last week on Malwarebytes Labs:

• Patch now! VMWare escape flaws are so serious even end-of-life software gets a fix
• Update now! JetBrains TeamCity vulnerability abused at scale
• PetSmart warns customers of credential stuffing attack
• Predator spyware vendor banned in US
• ALPHV ransomware gang fakes own death, fools no one
• Update your iPhones and iPads now: Apple patches security vulnerabilities in iOS and iPadOS
• Check your DNS! Abandoned domains used to bypass spam checks
• American Express warns customers about third party data breach
• No “Apple magic” as 11% of macOS detections last year came from malware
• Pegasus spyware creator ordered to reveal code used to spy on WhatsApp users

Stay safe!

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

VMWare has issued secuity fixes for its VMware ESXi, Workstation, Fusion, and Cloud Foundation products. It has even taken the unusual step of issuing updates for versions of the affected software that have reached thier end-of-life, meaning they would normally no longer be supported.

This flaws affect customers who have deployed VMware Workstation, VMware Fusion, and/or VMware ESXi by itself or as part of VMware vSphere or VMware Cloud Foundation.

A virtual machine (VM) is a computer program that emulates a physical computer. A physical “host” computer can run multiple separate “guest” VMs that are isolated from each other, and from the host. The physical resources of the host are allocated to the VMs by a software layer called the hypervisor, which acts an intermediary between the host and the VM (the guest system).

VMWare’s decision to offer fixes for end-of-life software is because the vulnerabilities patched in these updates are escape flaws that allow a computer program to breack of the confines of a VM and affect the host operating system. Specifically, an attacker with privileged access, such as root or administrator, on a guest VM can access the hypervisor on the host.

Besides instructions about how to update the affected products, the advisory lists possible workarounds that would block an attacker from exploiting the vulnerabilities. Since three of the vulnerabilities affect the USB controller, applying the workarounds will effectively block the use of virtual or emulated USB devices. For guest operating systems that do not support using a PS/2 mouse and keyboard, such as macOS, this means they will effectively be unable to use a mouse and keyboard.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs patched in these updates are:

CVE-2024-22252 and CVE-2024-22253 are use-after-free vulnerabilities in the XHCI and UHCI USB controllers of VMware ESXi, Workstation, and Fusion. A malicious actor with local administrative privileges on a virtual machine can exploit the issues to execute code as the virtual machine’s VMX process running on the host. On ESXi, the exploitation of either is contained within the VMX sandbox, but on Workstation and Fusion this may lead to code execution on the machine where Workstation or Fusion is installed.

The VMX process is a process that runs in the kernel of the VM and is responsible for handling input/output (I/O) to devices that are not critical to performance. The VMX is also responsible for communicating with user interfaces, snapshot managers, and remote consoles.

Use-after-free vulnerabilities are the result of the incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can exploit the error to manipulate the program. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

CVE-2024-22254 is an out-of-bounds write vulnerability in VMWare ESXi. A malicious actor with privileges within the VMX process can trigger an out-of-bounds write leading to an escape of the sandbox.

A sandbox environment is another name for an isolated VM in which potentially unsafe software code can execute without affecting network resources or local applications.

An out-of-bounds write can occur when a program writes outside the bounds of an allocated area of memory, potentially leading to a crash or arbitrary code execution. This can happen when the size of the data being written to memory is larger than the size of the allocated memory area, when the data is written to an incorrect location within the memory area, or when the program incorrectly calculates the size or location of the data to be written

CVE-2024-22255 is an information disclosure vulnerability in the UHCI USB controller of VMware ESXi, Workstation, and Fusion. A malicious actor with administrative access to a VM may be able to exploit this issue to leak memory from the VMX process.

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

JetBrains issued a warning on March 4, 2024 about two serious vulnerabilities in TeamCity server. The flaws can be used by a remote, unauthenticated attacker with HTTP(S) access to a TeamCity on-premises server to bypass authentication checks and gain administrative control of the TeamCity server.

TeamCity is a build management and continuous integration and deployment server from JetBrains that allows developers to commit code changes into a shared repository several times a day. Each commit is followed by an automated build to ensure that the new changes integrate well into the existing code base and as such can be used to detect problems early.

Compromising a TeamCity server allows an attacker full control over all TeamCity projects, builds, agents and artifacts. Which, depending on the use-case of your projects, could make for a suitable attack vector leading to a supply chain attack.

The two vulnerabilities are CVE-2024-27198, an authentication bypass vulnerability with a CVSS score of 9.8, and CVE-2024-27199, a path traversal issue with a CVSS score of 7.3. The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-27198 to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. This means that Federal Civilian Executive Branch (FCEB) agencies need to remediate this vulnerability by March 28, 2024 in order to protect their devices against active threats.

These two vulnerabilities allow an attacker to create new administrator accounts on the TeamCity server which have full control over all TeamCity projects, builds, agents and artifacts.

Exploitation code is readily available online and has already been integrated in offensive security tools like the MetaSploit framework.

So, it doesn’t come as a surprise that researchers are now reporting abuse of the vulnerabilities.

Bleeping Computer reports that attackers have already compromised more than 1,440 instances, while a scan for vulnerable instances by Shadowserver showed that the US and Germany are the most affected countries.

The vulnerabilities affect all TeamCity on-premises versions through 2023.11.3 and were fixed in version 2023.11.4. Customers of TeamCity Cloud have already had their servers patched, and according to JetBrains they weren’t attacked.

To update your server, download the latest version (2023.11.4) or use the automatic update option within TeamCity. 

JetBrains has also made a security patch plugin available for customers who are unable to upgrade to version 2023.11.4. There are two security patch plugins, one for TeamCity 2018.2 and newer and one for TeamCity 2018.1 and older. See the TeamCity plugin installation instructions for information on installing the plugin.

If your server is publicly accessible over the internet, and you are unable to immediately mitigate the issue you should probably make your server inaccessible until you can.

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

Pet retail company PetSmart has emailed customers to alert them to a recent credential stuffing attack.

Credential stuffing relies on the re-use of passwords. Take this example: User of Site A uses the same email and password to login to Site B. Site A gets compromised and those login details are exposed. People with access to the credentials from Site A try them on Site B, often via automation, and gain access to the user’s account.

If the user had different passwords on Site A and Site B, the attacker would have been stopped before they got in to Site B. This is why we are continuously telling people to not reuse their passwords. If all your logins are hard to remember (and they should be), you can use a password manager to help you.

We’d like to like to praise PetSmart for the way in which it handled the attack, setting a good example by warning customers.

“Dear Pet Parent,

We want to assure you that there is no indication that petsmart.com or any of our systems have been compromised. Instead, our security tools saw an increase in password guessing attacks on petsmart.com and during this time your account was logged into. While the log in may have been valid, we wanted you to know.

In an abundance of caution to protect you and your account, we have inactivated your password on petsmart.com. The next time you visit petsmart.com, simply click the “Forgot password” link to rest your password. You can also reset your password by visiting www.petsmart.com/account/.

Across the internet, fraudsters are constantly trying to obtain user names and passwords and they often try and test the credentials they find on various websites, like ours. To help keep your accounts secure, remember to use strong passwords for each of your important accounts.

Thank you for your understanding. If you have any questions about this, or any other issue, please feel free to contact us at customercare@petsmart.com or 888-839-9638.

Sincerely,

The PetSmart Data Security Team”

While we don’t agree with everything in the email—a strong password would not have made a difference here—it is informative, to the point, and helpful.

Digital Footprint scan

If you were one of those customers and the login was not you, that means the attacker knew your email and password. Maybe they found them in the proceeds of a previous data breach.

Malwarebytes has a tool that can help you find out how much of your own data is currently exposed online. Our free Digital Footprint scan scours the internet to find your exposed passwords and much more. Fill in your email address (it’s best to submit the one you most frequently use) and we’ll send you a report.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

The US Treasury Department has sanctioned Predator spyware vendor Intellexa Consortium, and banned the company from doing business in the US.

Predator can turn infected smartphones into surveillance devices. Intellexa is based in Greece but the Treasury Department imposed the sanctions because of the use of the spyware against Americans, including US government officials, journalists, and policy experts.

Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson said:

“Today’s actions represent a tangible step forward in discouraging the misuse of commercial surveillance tools, which increasingly present a security risk to the United States and our citizens.”

Since its founding in 2019, the Intellexa Consortium has marketed the Predator label as a suite of tools created by a variety of offensive cybercompanies that enable targeted and mass surveillance campaigns.

Predator is capable of infiltrating a range of electronic devices without any user interaction (known as ‘zero-click’). Once installed, Predator deploys its extensive data-stealing and surveillance capabilities, giving the attacker access to a variety of applications and personal information on the compromised device. The spyware is capable of turning on the user’s microphone and camera, downloading their files without their knowledge, tracking their location, and more.

Under the sanctions, Americans and people who do business with the US are forbidden from transacting with Intellexa, its founder and architect Tal Dilian, employee Sara Hamou and four of the companies affiliated with Intellexa.

Sanctions of this magnitude leveraged against commercial spyware vendors for enabling misuse of their tools are unprecedented, but the US has expressed concerns about commercial spyware vendors before.

“A growing number of foreign governments around the world, moreover, have deployed this technology to facilitate repression and enable human rights abuses, including to intimidate political opponents and curb dissent, limit freedom of expression, and monitor and target activists and journalists.”

In July 2023, the US Commerce Department’s Bureau of Industry and Security (BIS) added Intellexa and Cytrox AD to the Entity List for trafficking in cyber exploits used to gain access to information systems. Cytrox AD is a North Macedonia-based company within the Intellexa Consortium and acts as a developer of the consortium’s Predator spyware.

The Entity List is a trade control list created and maintained by the US government. It identifies foreign individuals, organizations, companies, and government entities that are subject to specific export controls and restrictions due to their involvement in activities that threaten US national security or foreign policy interests.

Earlier this month, a California federal judge ordered spyware maker NSO Group to hand over the code for Pegasus and other spyware products used to spy on WhatsApp users.

While you’ll see Predator and Pegasus usually deployed in small-scale and targeted attacks, putting a stop to the development and deployment of spyware by these commercial entities is good news for everyone.

How to remove spyware

Because spyware apps install under a different name and hide themselves from the user, it can be hard to find and remove them. That is where Malwarebytes for Android can help you.

1. Open Malwarebytes for Android and navigate to the dashboard
2. Tap Scan now
3. It may take a few minutes to scan your device, but it will tell you if it finds spyware or any other nasties.
4. You can then uninstall the app.

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.