IT NEWS

Last week on Malwarebytes Labs:

• 2.6 million DuoLingo users have scraped data released
• Google strengthens its Workplace suite protection
• Meal delivery service PurFoods announces major data breach
• Cisco VPNs without MFA are under attack by ransomware operator
• “An influx of Elons,” a hospital visit, and magic men: Becky Holmes shares more romance scams: Lock and Code S04E18
• FBI confirms Barracuda patch is not effective for exploited ESG appliances
• Social Security Numbers leaked in ransomware attack on Ohio History Connection
• Victim records deleted after spyware vendor compromised
• 3 reasons why your endpoint security is not enough
• How “EDR Extra Strength” simplifies traditional EDR complexity
• Qakbot botnet infrastructure suffers major takedown
• Prompt injection could be the SQL injection of the future, warns NCSC
• A first hand perspective on the recent LinkedIn account takeover campaign

Stay safe!

Malwarebytes EDR and MDR remove all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

By definition, a supply chain is the network of all the individuals, organizations, resources, activities and technology involved in the creation and sale of a product. In only a few rare cases does one organization have full control over every step in the entire process. The links in such a supply chain often work closely together, sometimes so much so that they have access to parts of each other’s systems.

Although it is important to guard every aspect of your supply chain to avoid disruptions, for the scope of this article we will focus on the cybersecurity element of it.

From a security perspective, it’s imperative to choose your partners wisely. An organization’s security posture is its readiness and ability to identify, respond to and recover from security threats and risks. If you are the one paying, you can often make demands about the security posture of the partner, but the other way around is usually much harder. 

We probably all know the compliance audits that are the result of these demands. And it makes sense we do not wish to fall victim to the mistakes made in another organization that we have no control over. It’s usually more than enough to worry about the processes we need to control inside our own organization.

Compliance with security protocols and legal regulations like FedRAMP and SOC2 (System and Organization Controls) may not just be mandatory for your own organization. More often than not it also needs to be enforced outside your organization with all the vendors in your software supply chain. In these cases, demonstrating vendor compliance will keep your internal organization from facing fines and penalties.

But it’s not just the partners that you work with to create the end product. There are also vendors that we use to get the work done, like software, infrastructure, and services. The more organizations are using a particular software package, the more appealing an attack vector that software becomes. As a few reminders, remember Log4Shell,  the MOVEit vulnerability that was exploited by ransomware operator Cl0p, or the SolarWinds attack.

Similar attacks will continue to surface time and again and if there is a lesson to be learned it’s not to rely on the security provided by the supplier, but always keep security in mind when we decide whether and how to use something provided by a third-party.

Having a complete understanding of your vendors’ security practices is an important component of cybersecurity and supply chain risk management. So, in a supply chain your security posture is definitely a selling point and can be used as such. A partner that has their security in order has every right to emphasize that.

Some tips

Regardless of the varying needs based on your organization and your place in the supply chain, here are some tips that are worth considering to avoid being the weakest link:

1. Make an inventory of the data you need to keep safe, along with who has access to what, in order to give you a complete understanding of your needs.
2. Then make an inventory of your software and hardware products and their weaknesses. Based on that inventory, you can decide whether to use network segmentation in order to keep the sensitive data separated from the parts that need internet access.
3. Use the cloud carefully. Organizations of all kinds are increasingly reliant on cloud computing. This is for good reasons, but it does complicate security, given the recent malicious targeting of cloud computing environments. So, it might be a good idea to use the cloud only for variably sized elements and have the fixed parts under your own control.
4. Connect your internal team with your organization’s third-party partners and vendors. Work together to identify major risks and potential damage to your organization, as well as plans for mitigation. Make sure there is an actionable incident response plan with a clear division of roles.
5. Trust is good, regular checks or constant monitoring are better. Strictly limit access to those that really need it, and deploy the rules of least privilege. Monitoring will also turn out to be helpful in case of an attack to help you backtrace the origin.
6. Secure valuable assets with advanced encryption, both in storage as well as during transfer.
7. Consider penetration testing and/or a bug bounty program to check your security measures. A bug bounty allows organizations to continuously test the security of their systems, whereas a penetration test is an assessment of the security level of an asset at a given point in time.
8. Look at best practices. In 2021, NIST (National Institute of Standards and Technology) shared a report on best practices that can help keep you and your business safe by using its framework for cyber supply chain risk management or C-SCRM.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Not long ago I wrote about a recent campaign to hold LinkedIn users’ accounts to ransom. Shortly after I published the article, a co-worker, Peace, reached out to me told me they’d been a target of the campaign.

His story begins with an SMS text from LinkedIn telling him to reset his password. He found this confusing: It arrived in the middle of the night, and he hadn’t asked for a password reset. Since he doesn’t use the LinkedIn app on his mobile he checked his account on his laptop first thing in the morning. The current sessions (Profile Picture > Settings > Sign in & security > Where you’re signed in) showed an unknown IP address in Texas logged into his account.

Frustration #1: The promised “Sign out of all these sessions” option is nowhere to be found. I double checked in a browser session on Windows and in the app on Android. It’s not there.

Pearce then found out that there was at least one person in his Connections that he did not invite or accept an invitation from. This person also hails from Texas.

Pearce is a security professional so as soon as he was convinced there was someone else with access to his LinkedIn account, he took action.

A reset of the account’s password worked, but failed to remove the unwanted active session.

Pearce had already set up multi-factor authentication (MFA) on his account, but changed this from SMS to an authenticator app. As I stated in my previous blog, “Setting up MFA for LinkedIn with Okta turned out to be painful because LinkedIn does not provide a QR code but a secret key which is so long that it’s hard to get it right the first, or second time.”

But despite his troubles this didn’t remove the unwanted active session either.

Frustration #2: Changing security and sign in settings is a pain, but has no effect on currently logged in users on other devices.

Frustration #3: LinkedIn Support is overwhelmed and takes quite some time before you get actual help.

Pearce opened a support ticket with LinkedIn. As we mentioned before, the campaign appears to have completely overwhelmed LinkedIn Support. The LinkedIn Help account on X (formerly Twitter) has pinned a message to say:

“Hey there! ? We’re experiencing an uptick in questions from our members, causing longer reply times. Rest assured, we’re doing our best to assist you! For account-specific inquiries, please DM us the details and your email address. We appreciate your patience. Thanks! ?”

It took them 3 to 4 days to reply with the following message:

Status: Closed

…

Hi Pearce,

Thanks for contacting us about this. To secure your account, we’ve taken the following actions:

1. We signed you out of your account from every computer or mobile device it has been accessed on. Note: This will now prompt a new login for your account.
2. We sent a password reset link to the primary email address listed on your account.

There are a few scenarios that could explain the possibility of unauthorized access to a LinkedIn account:

• If you’ve recently signed into your account from a public computer or a shared device at your workplace or home, and didn’t completely sign out of your account, the next person to access the site on that device may have unintentionally signed in to your account.
• An email or phone number registered in your account is outdated and access to the email or phone number has been recycled or compromised.
• If the same password is used in multiple websites, this could have been compromised through unaffiliated sites or a phishing attack.
• We’d recommend these best practices for your online privacy:
• Check the email addresses on your account to ensure they are current: https://www.linkedin.com/help/linkedin/answer/60
• Turn on two-step verification as an added layer of security: https://www.linkedin.com/help/linkedin/answer/544
• Find more tips here: https://www.linkedin.com/help/linkedin/answer/267

If you continue to see anything suspicious, please report it to us immediately.

Regards,

LinkedIn Member Safety and Recovery Consultant

Fortunately this worked and Pearce has regained control of his account. But this ordeal could have been much worse than with just a few added new connections. Had the account been taken over, it could have been used for malicious activities, damaging Pearce’s reputation in the process.

Note: LinkedIn has added an option to end individual sessions since this incident, but a few quick tests showed that this doesn’t always work as advertised. We may dive into that at a later point.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

The UK’s National Cyber Security Centre (NCSC) has issued a warning about the risks of integrating large language models (LLMs) like OpenAI’s ChatGPT into other services. One of the major risks is the possibility of prompt injection attacks.

The NCSC points out several dangers associated with integrating a technology that is very much in early stages of development into other services and platforms. Not only could we be investing in a LLM that no longer exists in a few years (anyone remember Betamax?), we could also get more than we bargained for and need to change anyway.

Even if the technology behind LLMs is sound, our understanding of the technology and what it is capable of is still in beta, says the NCSC. We barely have started to understand Machine Learning (ML) and Artificial Intelligence (AI) and we are already working with LLMs. Although fundamentally still ML, LLMs have been trained on increasingly vast amounts of data and are showing signs of more general AI capabilities.

We have already seen that LLMs are susceptible to jailbreaking and can fall for “leading the witness” types of questions. But what if a cybercriminal was able to change the input a user of a LLM based service?

Which brings us to prompt injection attacks. Prompt Injection is a vulnerability that is affecting some AI/ML models and, in particular, certain types of language models using prompt-based learning. The first prompt injection vulnerability was reported to OpenAI by Jon Cefalu on May 3, 2022.

Prompt Injection attacks are a result of prompt-based learning, a language model training method. Prompt-based learning is based on training a model for a task where customization for the specific task is performed via the prompt, by providing the examples of the new task we want to achieve.

Prompt Injection is not very different from other injection attacks we are already familiar with, e.g. SQL attacks. The problem is that an LLM inherently cannot distinguish between an instruction and the data provided to help complete the instruction.

An example provided by the NCSC is:

 “Consider a bank that deploys an ‘LLM assistant’ for account holders to ask questions, or give instructions about their finances. An attacker might be able send you a transaction request, with the transaction reference hiding a prompt injection attack on the LLM. When the LLM analyses transactions, the attack could reprogram it into sending your money to the attacker’s account. Early developers of LLM-integrated products have already observed attempted prompt injection attacks.”

The comparison to SQL injection attacks is enough to make us nervous. The first documented SQL injection exploit was in 1998 by cybersecurity researcher Jeff Forristal and, 25 years later, we still see them today. This does not bode well for the future of keeping prompt injection attacks at bay.

Another potential danger the NCSC warned about is data poisoning. Recent research has shown that even with limited access to the training data, data poisoning attacks are feasible against “extremely large models”. Data poisoning occurs when an attacker manipulates the training data or fine-tuning procedures of an LLM to introduce vulnerabilities, backdoors, or biases that could compromise the model’s security, effectiveness, or ethical behavior.

Prompt injection and data poisoning attacks can be extremely difficult to detect and mitigate, so it’s important to design systems with security in mind. When you’re implementing the use of an LLM in your service, one thing you can do is apply a rules-based system on top of the ML model to prevent it from taking damaging actions, even when prompted to do so.

Equally important advice is to keep up with published vulnerabilities and make sure that you can update or patch the implemented functionality as soon as possible without disrupting your own service.

Malwarebytes EDR and MDR remove all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

The Qakbot botnet has suffered a major setback after its infrastructure was heavily disrupted by US and European law enforcement agencies. Operation DuckHunt, as it was codenamed, is possibly the largest US-led financial and technical disruption of a botnet infrastructure.

Not only did the agencies shut down the core of the Qakbot infrastructure, they also cleaned the malware from infected devices. US authorities also seized around 8.6 million dollars-worth of illicit cryptocurrency profits.

Qakbot has been active for over a decade and allowed the botnet operators to steal login credentials from affected devices as well as install additional malware on them. Often that malware included a ransomware variant, with Black Basta the most recent ransomware of choice.

Thanks to that, Black Basta repeatedly made it to the top three most prolific ransomware variants in our monthly ransomware reviews.

The international investigation involved judicial and law enforcement authorities from the US, France, Germany, Latvia, the Netherlands, Romania, and the UK. The examination of the seized infrastructure uncovered that the malware had infected over 700,000 computers worldwide. Law enforcement detected servers infected with Qakbot in almost 30 countries in Europe, South and North America, Asia and Africa, enabling the malware’s activity on a global scale. Of the 700,000 infected devices, around 200,000 were located in the US.

On impounded servers that belonged to the botnet’s infrastructure the authorities found 6.43 million email addresses and passwords that have now been shared with HaveIBeenPwnd (HIBP). HIBP allows you to search across multiple data breaches to see if your email address or phone number has been compromised. But HIBP has also assisted governments, such as the UK, Australia, and Romania (to name a few), in monitoring for breaches in government domains. 57% of the Qakbot related email addresses were already in the database. The Qakbot data has been labeled sensitive, which means you’ll have to verify the email address is under your control to receive the information.

The information was also shared with Spamhaus which will contact email providers and other hosts of affected email addresses to initiate a password reset to further protect the owners of those addresses.

Qakbot is mostly spread through phishing campaigns that include malicious documents as attachments or links to download malicious files. Once Qakbot is installed, the malicious code is injected in the memory location of a legitimate Windows process to avoid detection. At first, it searches the infected machine for email addresses and other useful information. Then it persists in the memory of the device to await further instructions, for example to download additional malware.

So, one characteristic of a botnet is that the bots can be controlled by the operators. Based on that principle, the FBI came up with a method to uninstall the malware from all the connected bots.

Once the FBI got hold of the administrators’ computers, they were able to map out the botnet’s Command & Control (C2) structure and use this information to roll out a special removal tool. The FBI managed to lock out the Qakbot administrators of their own command and control infrastructure by changing the encryption keys used to communicate with the servers.

“To disrupt the botnet, the FBI was able to redirect Qakbot botnet traffic to and through servers controlled by the FBI, which in turn instructed infected computers in the United States and elsewhere to download a file created by law enforcement that would uninstall the Qakbot malware.”

Additional information and resources, including for victims, can be found on the following website, which will be updated as additional information and resources become available: www.justice.gov/usao-cdca/divisions/national-security-division/qakbot-resources.

How to avoid ransomware

• Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
• Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
• Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
• Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
• Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
• Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes EDR and MDR remove all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Despite widespread deployment of endpoint protection solutions, cyberattacks continue to make headlines, affecting organizations of all sizes and sectors. Recent statistics reveal that 70% of companies were impacted by ransomware last year (State of Malware Report 2023, Malwarebytes), and 83% experienced more than one data breach.

Given the existence of so many successful attacks in the past year, the question remains: How can organizations best protect themselves in a rapidly evolving threat landscape?

On September 7th, join Alan Radomsky, Vice President of Solutions Engineering at Malwarebytes, and Kenneth Tom, Director of Global Product Marketing at Malwarebytes, for an insightful webinar on how can organizations level up their security to better avoid cyber attacks.

Key topics to be discussed include:

• Identifying weaknesses in your current endpoint security setup
• Exploring new innovations to bridge security gaps
• Strategies for achieving security goals within budget constraints

Expert Speakers

Alan Radomsky

Alan Radomsky has 23 years of experience in the cybersecurity industry, serving various sectors including Finance, Retail, Manufacturing, Education, Healthcare, and Government. A 5-year Malwarebytes veteran, he possesses in-depth technical expertise to help organizations navigate the complex threat landscape.

Kenneth Tom

Kenneth Tom leads product marketing efforts for Endpoint Detection and Response at Malwarebytes. He brings over 20 years of product management and product marketing experience across numerous cybersecurity technologies, working with industry-leading companies.

Event Details

• Title: Top 3 Reasons Why Your Endpoint Security Is Not Enough
• Date: September 7th
• Time: 10:00 am PT / 1:00 pm ET
• Duration: 1 hour

Don’t miss this opportunity to gain valuable insights into improving your organization’s security posture. Register today!

Traditional Endpoint Detection and Response (EDR) today has a three-fold complexity problem—with big consequences.

First, complexity in EDR deployment causes long delays, directly impacting ROI and leaving organizations vulnerable to breaches. In fact, almost 10 percent of small security teams cite such complexity as a primary reason for deployment setbacks. (Global Surveyz 2022)

Second, lack of integrated security tools within an EDR can lead security teams to overcompensate by buying and operating additional security platforms. This complexity multiplies operational overhead and creates gaps in security.

Dealing with day-to-day EDR complexity is a third challenge. A survey of 200 CISOs by Global Surveyz found that nearly half (45 percent) of small IT teams flag issues like excessive alerts and multiple dashboards as chief product concerns, culminating in alert fatigue and drops in productivity. 

To save time, money, and to stop more threats, IT teams need an EDR that resists complexity—one that’s easy to implement and straightforward to operate.

What is EDR Extra Strength?

The solution is EDR Extra Strength.

EDR Extra Strength combines the award-winning threat detection of Malwarebytes EDR, with Alert Prioritization and Guided Remediation, and Vulnerability & Patch Management. EDR Extra Strength offers a singular, cost-effective strategy for organizations looking for in-depth security.

Instead of navigating through multiple platforms, each with their own separate cost and learning curve, organizations can now harness the unified strength of all-in-one protection with EDR Extra Strength—boosting visibility and protection at a cost that makes sense.

Deployment

With the average deployment timeline for traditional EDRs stretching up to 18 months for small security teams, the need for a swifter solution is clear.

Simply put, smaller teams just can’t afford extensive learning curves, which perhaps is why, from a financial standpoint, they prioritize implementation costs (50 percent) in their endpoint security more than anything else. (Global Surveyz) 

Malwarebytes EDR, the cornerstone of EDR Extra Strength, takes the complexity out of EDR deployment as evidenced by an average time to become fully operational that is two times shorter than the industry average.

Cloud-hosted on the Nebula platform, EDR Extra Strength core technology can deploy within minutes and has won multiple G2 awards for its unique combination of rapid time to go live and time to ROI, all delivered via an agent deployed with a small footprint.

Integration

Managing too many platforms is challenging. Each additional security tool requires its own set of configurations, updates, and management protocols, ultimately translating to longer response times, inefficient workflows, and an inability to have a unified view of the threat landscape.

According to Global Surveyz, 77 percent of small security teams ranked a ‘one-stop’ product with the ‘most integrated’ features as one of their top considerations when choosing a new security technology. In addition, 80 percent of CISOs recognize vendor consolidation as an avenue for more efficient security. 

And, once you consider that over 5 percent of breaches in 2022 came from known vulnerabilities that had yet to be patched—and that the average cost of those breaches was $4.17 million—it goes without saying that Vulnerability and Patch Management needs to be part of any all-in-one security solution today.

By combining Endpoint Protection (EP), EDR, and an award-winning Vulnerability and Patch Management solution, EDR Extra Strength gives IT teams the ‘one-stop’ product they need to streamline detection and response through a single pane of glass.

Day-to-Day Operation

It’s not hard to see why Gartner ranks ease-of-use as the top buying priority in the endpoint protection platform. Daily struggles related to navigation, excessive alerts, and an inability to view the full picture of a digital environment are often symptoms of a complicated-to-use EDR.

The core technology of EDR Extra Strength has won awards for end-user focused attributes (Ease of Use, Meets Requirements, Quality of Support), and administration-specific attributes (Ease of Admin, Ease of Setup, Ease of Doing Business With). 

In addition, EDR Extra Strength provides meaningful contextualization for analyst actions with its Alert Prioritization and Guided Remediation feature, helping to reduce alert fatigue and time-to respond associated with complex EDR. Learn more about Alert Prioritization and Guided Remediation here.

Try EDR Extra Strength today

The complexity challenges in EDR deployment, integration, and day-to-day use have big consequences for organizations, ultimately leading to wasted time and money.

EDR Extra Strength addresses this three-fold EDR complexity by combining multiple effective and easy-to-use products under one hood, harnessing the power of award-winning EDR, Vulnerability and Patch Management, and Alert Prioritization and Guided Remediation to boost security without added complexity.

Learn more about EDR Extra Strength here.

The Ohio History Connection (OHC) has posted a breach notification in which it discloses that a ransomware attack successfully encrypted internal data servers. During the attack, the cybercriminals may have had access to names, addresses, and Social Security Numbers (SSNs) of current and former OHC employees (from 2009 to 2023). Additionally, they may have gained access to W-9 reports and other records revealing the names and personal SSNs of vendors who contracted to provide services to OHC. They also may have gained access to images of checks provided to OHC by some members and donors beginning in 2020.

OHC is a statewide history nonprofit chartered in 1885 that manages more than 50 sites and museums across the state. As the State Archives for the state, OHC preserves the historical records of Ohio’s legislative, executive, and judicial branches.

The ransomware attack took place in early July of 2023, after which OHC notified the FBI and retained forensic IT consulting firms to help it determine the extent of the data breach and to assist in reconstructing its systems and restoring its data.

In total, the information of 7,600 individuals was potentially exposed. Notification letters were mailed on August 23, 2023 to all individuals who were impacted by this data breach.

While OHC hasn’t said which ransomware group was behind the attack, we have information that it was LockBit, although I was unable to locate the OHC data on LockBit’s leak site at the time of writing (it was there earlier this month).

screenshot taken early August 2023

OHC said that it made an offer to the cybercriminals to prevent the release of the data, but the offer was rejected on August 7, 2023. OHC hasn’t disclosed how the attackers got in.

Those impacted may sign up for free credit monitoring for one year and take advantage of their rights to the free fraud alert services offered by the three major credit bureaus. At the time of writing, there is no evidence that there has been any use or attempted use of the information exposed in this incident.

What to do if you’ve been caught in a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.

How to avoid ransomware

• Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
• Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
• Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
• Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
• Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
• Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes EDR and MDR remove all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

The Cisco Product Security Incident Response Team (PSIRT) has posted a blog about Akira ransomware targeting VPNs without Multi-Factor Authentication (MFA).

The Cisco team states that it is aware of reports of the Akira ransomware group going specifically after Cisco VPNs that are not configured for MFA. And they have observed instances where cybercriminals appear to be targeting organizations that do not configure MFA for their VPN users.

One of the reports the team may be aware of was tweeted weeks ago by security researcher and incident responder Aura:

“I’m just gonna go ahead and say it. If you have:
Cisco VPN
No MFA for it
You may get a surprise knock from #Akira #Ransomware soon.”

Cisco VPN solutions are widely used to provide secure, encrypted data transmission between users and corporate networks, often used by remote employees. Gaining access could allow attackers to extract credentials through LSASS (Local Security Authority Subsystem Service) dumps to facilitate further movement within the network and elevate privileges if needed.

What the researchers haven’t been able to determine is how the ransomware operators gained access to Cisco VPN’s account login credentials in the first place, also hindered by the fact that Cisco ASA (Adaptive Security Appliance) doesn’t feature a logging function for successful logins. Only login attempts with invalid username/password combinations can be found in the logs if logging is configured in the affected Cisco’s ASAs.

It is possible that the criminals acquired valid credentials by purchasing them on the dark web, that they are using a zero-day exploit, or that they are using brute-force or credential stuffing attacks. Credential stuffing is a popular tactic of attempting to access online accounts using username-password combinations acquired from already-breached data dumps. In a brute force attack, attackers typically try a lot of common passwords, or a few common passwords across many usernames which is called password spraying. Password spraying focuses on trying a few passwords across many accounts, often to avoid account lockouts and detection.

Cisco says it has seen evidence of brute force and password spraying attempts. Other researchers say they have found evidence of Akira using Cisco VPN gateways in leaked data posted on the group’s extortion page and seem to be leaning towards the vulnerability scenario.

Whichever way was used to gain access, it has become even more apparent that adding MFA is an important factor in fighting off these attacks.

How to avoid ransomware

• Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
• Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
• Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
• Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
• Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
• Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes EDR and MDR remove all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Becky Holmes is a big deal online. 

Hugh Jackman has invited her to dinner. Prince William has told her she has “such a beautiful name.” Once, Ricky Gervais simply needed her photos (“I want you to take a snap of yourself and then send it to me on here…Send it to me on here!” he messaged on Twitter), and even Tom Cruise slipped into her DMs (though he was a tad boring, twice asking about her health and more often showing a core misunderstanding of grammar). 

Becky has played it cool, mostly, but there’s no denying the “One That Got Away”—Official Keanu Reeves. 

After repeatedly speaking to Becky online, convincing her to download the Cash app, and even promising to send her $20,000 (which Becky said she could use for a new tea towel), Official Keanu Reeves had a change of heart earlier this year: “I hate you,” he said. “We are not in any damn relationship.” 

Official Keanu Reeves, of course, is not Keanu Reeves. And hughjackman373—as he labeled himself on Twitter—is not really Hugh Jackman. Neither is “Prince William,” or “Ricky Gervais,” or “Tom Cruise.” All of these “celebrities” online are fake, and that isn’t commentary on celebrity culture. It’s simply a fact, because all of the personas online who have reached out to Becky Holmes are romance scammers. 

Romance scams are serious crimes that follow similar plots. 

Online, an attractive stranger or celebrity—coupled with an appealing profile picture—will send a message to a complete stranger, often on Twitter, Instagram, Facebook, or LinkedIn. They will flood the stranger with affectionate messages and promises of a perfect life together, sometimes building trust and emotional connection for weeks or even months. As time continues, they will also try to remove the conversation away from the social media platform where it started, instead moving it to WhatsApp, Telegram, Messages, or simple text. 

Here, the scam has already started. Away from the major social media and networking platforms, the scammers persistent messages cannot be flagged for abuse or harassment, and the scammer is free to press on. Once an emotional connection is built, the scammer will suddenly be in trouble, and the best way out, is money—the victim’s money.

These crimes target vulnerable people, like recently divorced individuals, widows, and the elderly. But when these same scammers reach out to Becky Holmes, Becky Holmes turns the tables.

Becky once tricked a scammer into thinking she was visiting him in the far-off Antarctic. She has led one to believe that she had accidentally murdered someone and she needed help hiding the body. She has given fake, lewd addresses, wasted their time, and even shut them down when she can by coordinating with local law enforcement.

And today on the Lock and Code podcast with host David Ruiz, Becky Holmes returns to talk about romance scammer “education” and the potential involvement in pyramid schemes, a disappointing lack of government response to protect victims, and the threat of Twitter removing its block function, along with some of the most recent romance scams that Becky has encountered online.

“There’s suddenly been this kind of influx of Elons. Absolutely tons of those have come about… I think I get probably at least one, maybe two a day.”

Tune in today.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use. 

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)