
The weirdest security stories of 2022

There’s been a lot of weird and frankly bizarre attacks over the course of 2022, nestled in amongst the usual ransomware outbreaks and data breaches.

Whether we’re talking social media, email, or even malware, there’s been a mind bending tale of tall behaviour in almost every corner. It’s time to forget about nation state attacks and the nagging sensation that every single piece of data ever created has ended up on a TOR site somewhere.

For one brief moment in time, we’re going to wallow in weirdness.

419 scams…in spaaaaaaaaaace

There’s not many individual scams which can put “18 years and counting” on their resume. However, what we have here is something very odd and very special. Way back in 2004, a spam email claimed that assistance was needed for a lost astronaut. Supposedly trapped on a top secret Soviet space station, the astronaut’s cousin implored recipients to help bring the missing astronaut home. Of course, this was tied into a nonsensical scam about recovering lots of lost money should he be brought safely back.

So yes, it’s weird…but it’s just a one off. Right?

Well, no. Turns out this baffling attempt at parting people from their money would come back around every so often. To be more precise, 2010, 2016, and now 2022 with a whole new astronaut to recover. This feels like less of a final frontier and more of a never ending, he’ll be back again in a few years frontier. See you in 2026?

A dance off of destruction

If you’ve ever pondered how certain people give off bad vibes, you’ll be one step closer to understanding how other types of bad vibes stand a chance of destroying your hard drive. If you happened to be one of the few people running a certain type of OEM hard drive on a Windows XP desktop, Janet Jackson was someone to avoid.

How so? Because the video for Rhythm Nation matched a resonant frequency identical to those hard drives. When the two clashed, there would be only one winner and it wasn’t the hard drive.

Amazingly, it was possible to crash a second device in the same room while playing the video on the first. Even Michael wasn’t able to pull something like that off.

Monkeying around with digital artists

Apes! NFTs! Cyberpunk! Wait, what?

In May, artists offering their wares on several platforms were approached by individuals claiming to represent the “Cyberpunk Ape Executives”, because of course they were. The “executives” claimed to have wonderful ape-related NFT projects waiting in the wings. $200 to $350 per day is not an untidy sum for artists, many of whom may not pull in anything close to that from commissions.

Sadly, it was all a large ape-shaped lie. The supposed promo zip for the project contained a number of ape pictures and an infostealer. While there was no direct evidence of account theft from the malware file, numerous accounts caught out by this attack were indeed compromised. Whether those compromises specifically were via some additional form of social engineering, we’ll likely never know.

Invisible ads for thee but not for me

You might think that adverts designed not to be seen sounds like some sort of wonderful utopia. Finally, you can set down your ad blockers and your beacon trackers and presumably wander into the woods a free person.

However, you might miss the ads in the woods, but the people watching you walk around will see ads galore. Amazon decided to trial ad technology which displays ads in Twitch streams, but the ads are only visible to certain people. If you’re the player, you won’t see them. If you’re watching the stream, you will.

Given how hard game developers work to ensure players are often funnelled into locations where they see ads, this all sounds somewhat counterintuitive. You’re not only trying to drag a player to a place where an ad exists, but also draw them towards the nice shiny ad in the first place. If you have a darkly lit area and the one beacon of light is a giant billboard containing an ad, you’re achieving both of your goals in one fell swoop. If there’s no cool looking ad further pulling the player where you want them to go, they might simply not go there.

This may well turn out to be a case of Amazon seeing how well we’ve trained players to follow the trail of digital breadcrumbs. Will they gravitate towards ads while not being able to see them? Or wander off in all the wrong places, much to the frustration of the ad teams? Only time will tell.

Mark Ruffalo deepfake smashes life savings

“Mark Ruffalo deepfake romance scam”. What a sentence. What a world. One of the biggest questions about this whole endeavour is “Why Mark Ruffalo”? He seems nice enough, but why did a scammer sit down and decide to use the Hulk actor specifically as bait for this romance scam? Was deepfake Chris Evans not available?

What we do know is that a well known Manga artist was tricked into handing over large amounts of money at the behest of a deepfake Mark Ruffalo. A video call lasting just half a minute was enough to convince Chikae Ide to part with roughly half a million dollars in return for deepfake Mark Ruffalo’s undying love. While all of the other deepfake scammers in 2018 were making dubious pornography or supposedly figuring out how to cause trouble during elections, this scammer decided to ignore all of that and smash and grab someone’s savings.

A carnival of fake cricket

In what may perhaps be the oddest story of this year, a small village became the stage for a fake cricket gambling operation, complete with live streams of the fake cricket games, a commentator used who sounds like an actual syndicated cricket commentator, and even fake crowd cheers piped in through speakers as the games went on.

The bogus operation hit 47 videos and 49k views on its YouTube channel before law enforcement broke up the operation.

There really is no limit to how far some people will go to turn a quick bit of profit.

We can only hope that 2023 is slightly more sensible, with significantly fewer scams and technical oddities. No more fake movie stars, an end to lost astronauts, and most definitely an End of Line for hard drives vibrating themselves into the digital afterlife.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Epic Games introduces safer accounts for kids

Epic have made some alterations to how accounts for kids work, with multiple features disabled for what are now known as “Cabined Accounts”.

If your children are big fans of Epic games like Fortnite and Rocket League, you may well have worried about their gaming interactions with other players at some point. There are many risks from voice chat, text chat, random downloads from external sources, trading and much more. Scammers will happily target younger gamers, hoping their naivety will leave them vulnerable to bad passwords, password reuse, social engineering tricks, or the promise of free gifts and rewards.

Games consoles have some incredibly granular controls for child safety, and you can almost always guarantee that there’s a setting just right for your needs on PS4/5 or Xbox. Where PCs are concerned, that has not always been the case.

Into the gaming cabin

If someone signs up for an Epic account and they’ve indicated that they’re under 13 years of age—to the cabin they go. The account will remain this way until the child hits 13 or reaches the “age of digital consent” in their region. These are the features you can expect to have turned off with a cabined account:

  • Communicating with other players using voice chat or free text chat
  • Purchasing items with money
  • Downloading games that are not owned by Epic
  • Recommendations based on past activity
  • Email marketing or push notifications
  • Trades in Rocket League
  • Sign in with Epic, including linking accounts to certain external services, such as social media websites or video streaming applications
  • Custom display names
  • SMS-based two-factor authentication (2FA)

As you may have noticed, it’s a combination of external factors (random people sending your child not very nice messages) and Epic’s own internal features and functionality (recommendations of games, email marketing, in game trading).

If your child had some sort of monthly subscription, it’s now cancelled and will remain that way until the parent gives permission. Was their Epic account linked to social media services, but now isn’t? Same deal. Did they enjoy the news / forum / marketplace tab inside the Epic game launcher? You’ll never guess what’s happened there too!

With all of these options and features, parental permission is now key. The child now has to navigate to the “Request Parental Permission” tab inside the Epic account portal. This will enable the child to have an email sent to the parent regarding consent and what steps to take next.

Restrictions, restrictions

You may think these accounts are severely restricted in comparison to regular accounts, and you’d be right. In most cases, someone under the age of 13 probably doesn’t need to be making trades with strangers, or talking to random people in game sessions. If the account is on a monthly subscription of some sort, the person paying is almost certainly the parent or guardian in any case, so this is just making the whole process a little more formal.

As has been noted, children can and will lie about their age when signing up to a product or service. For the moment, all pre-existing accounts have been snatched up and dropped into the cabin.

I am who I say I am

Could other aspects of the sign up process for a new account potentially be abused too? Perhaps, but it seems like it’d be tricky for a youngster to get around the current process. Sure, they could enter a fake email under their own control and pretend to be their own parent. However, look at the process they’d need to bypass:

When entering your age as being lower than 13 at sign up, the Epic site displays the following message:

Enter a parent or guardian email address

Some features are unavailable until your parent or guardian gives you permission to use them. We’ll send them an email to let them know about your account and how to give you permission.

“Well, that won’t stop me from entering a fake parent email address”, a child might think. Sadly for the child, everyone involved in the process has already thought of this and inserted some verification into the mix. Depending on country, the parent or guardian will need to come up with at least one of the below:

  • Credit or Debit Card (available globally)
  • Social Security Number (available only in the US)
  • CPF Number (available only in Brazil)
  • CURP (available only in Mexico)
  • ID Scan (available outside the US and South Korea)
  • Face Scan (available outside the US and South Korea)

If none of the verification methods work, support can be asked for an alternative solution.

A little bit safer in gaming land

The registered adult can enable most of the “cabined” features, and also possesses the ability to revoke or even delete the child’s account outright. While none of this is guaranteed to keep children from potential harm when playing games online, it’s one of the more comprehensive attempts in PC gaming land. While modern generation consoles retain the crown for walled garden customised child safety controls, it’s nice to see PC platforms moving in the same direction.



Apple announces 3 new security features

Apple has announced three new security features focused on protecting user data in the cloud: iMessage Contact Key Verification, Security Keys for Apple ID, and Advanced Data Protection for iCloud.

iMessage Contact Key Verification and Security Keys for Apple ID will be available globally in 2023. Advanced Data Protection for iCloud is available in the US today for members of the Apple Beta Software Program, and will be available to US users by the end of the year. The feature will start rolling out to the rest of the world in early 2023.

3 new features

iMessage Contact Key Verification

Apple’s messaging app, iMessage, already uses end-to-end encryption so that messages can only be read by the sender and recipients. Its new iMessage Contact Key Verification ramps up the protection for “users who face extraordinary digital threats”, such as journalists, human rights activists, and politicians.

Conversations between users who have enabled iMessage Contact Key Verification receive automatic alerts if an exceptionally advanced adversary, such as a state-sponsored attacker, were ever to succeed in breaching cloud servers and inserting their own device to eavesdrop on these encrypted communications.

Security Keys for Apple ID

In what can be considered another step towards a password-less future, Security Keys for Apple ID will give users the choice to use third-party hardware security keys. A hardware security key uses public-key encryption to authenticate a user, and is much harder to defeat than other forms of authentication, such as passwords, or codes sent by SMS or generated by apps.

For users who opt in, Security Keys strengthen Apple’s two-factor authentication by requiring a hardware security key as one of the two factors.

This new Apple ID support for physical authentication keys is another feature long-sought by users and announced months ago in cooperation with Google and Microsoft.

Advanced Data Protection for iCloud

Advanced Data Protection for iCloud is end-to-end encryption for data that is synced between devices via iCloud. Encrypted data is only decrypted on your devices, so it would not be exposed in the event of an iCloud data breach.

It isn’t new, nor is it complete, but it now covers more kinds of data. Until now, iCloud protected 14 different data categories in this way, including passwords in iCloud Keychain, and Health data. For those users that choose to enable Advanced Data Protection, this will rise to 23, including iCloud Backup, Notes, and Photos.

Apple notes that Mail, Contacts, and Calendar are not covered because of interoperability issues with global systems that would arise.

Advanced Data Protection is Apple’s highest level of cloud data security, giving users the choice to protect the vast majority of their most sensitive iCloud data with end-to-end encryption so that it can only be decrypted on their trusted devices.

The most important part of this new protection is iCloud backups, which are basically a copy of everything on your device. So far, these backups weren’t end-to-end encrypted, which meant, for example, that Apple could access the data and share it with other entities, like law enforcement.

EFF reaction

The Electronic Frontier Foundation (EFF), which has been campaigning for this option, seems pleased. It applauds Apple for listening to experts, child advocates, and users who want to protect their most sensitive data. They point out that user data will be protected even if there is a data breach in the cloud, a government demand, or a breach from within Apple (such as a rogue employee).

Malwarebytes’ Director of Core Technology, and authority on everything Apple, Thomas Reed is equally happy with the new features, although he fears that the use of hardware keys as a new option for MFA is not something the average user will ever appreciate. He’s really happy with the Advanced Data Protection feature.

I’ve never been comfortable with putting my iPhone backups in iCloud, for example, but with this change I may start doing so.



Update now! NetGear routers’ default configuration allows remote attacks

NetGear has made a hotfix available for its Nighthawk routers after researchers found a network misconfiguration in the firmware allowed unrestricted communication with the internet facing ports of the device listening through IPv6.

No auto-update

The hotfix is available for the model RAX30, also known as the Nighthawk AX5 5-Stream AX2400 WiFi 6 Router.

The NetGear Nighthawk RAX 30 (image courtesy of NetGear)

To update your router’s firmware, follow the instructions in your router’s user manual, which can be found online.

Important to note is that having the “check for updates” or even the auto-update options enabled is not sufficient to get this hotfix. It needs to be downloaded manually and applied following the instructions.

What other security vulnerabilities were fixed in this hotfix or in the newer 1.0.9.92 hotfix, which also addresses security vulnerabilities, is unknown at this point.

Popular

The researchers found the bug while looking to enter Pwn2Own Toronto. The NetGear Nighthawk RAX30 is a popular model for home users and small businesses, which is one of the reasons why it was selected as a target for the Pwn2Own contest. Contestants set out to find previously unknown vulnerabilities in widely used software and mobile devices.

NetGear frustrated a lot of participants by issuing the 1.0.9.90 hotfix one day before the registration deadline for Pwn2Own. The patch invalidated the submission of this vulnerability and, it seems, some others as well.

The vulnerability

The vulnerability found by the researchers and patched just before the deadline, allowed unrestricted communication with any services listening via IPv6 on the WAN (internet facing) port of the device, including SSH and Telnet operating on ports 22 and 23 respectively.

Telnet is an application protocol used on the internet or local area network to provide a bidirectional interactive text-oriented communication facility using a virtual terminal connection.

Secure Shell (SSH) is a network communication protocol that enables two computers to communicate and share data.

Although the researchers shared no further details about their attack chain that was crippled by the patch, having telnet and SSH available makes it very likely they could have reconfigured the router, stolen data, or at least put it out of service.

Stay safe, everyone!



Rackspace confirms it suffered a ransomware attack

It’s not been a great week for cloud computing service provider Rackspace.

On December 2, customers began experiencing problems connecting and logging into their Exchange environments. Rackspace started investigating and discovered an issue that affected its Hosted Exchange environments. 

Now Rackspace has announced it was actually a ransomware incident that caused the service disruptions.

While the investigation is ongoing, there are no details known about which ransomware is at play or how the threat actor gained initial access. In a press release Rackspace said that the incident was isolated to its Hosted Exchange business. Rackspace has not shown up on any of the known leak sites that ransomware groups use to apply extra pressure on their victims, but this could also be due to the fact that there are ongoing negotiations.

Hosted Exchange

Rackspace’s Hosted Exchange customers are mostly small to medium size businesses that don’t have the need or staff to run a dedicated on-premise Exchange server. The outage still affects all services in its Hosted Exchange environment, including MAPI/RPC, POP, IMAP, SMTP, and ActiveSync, as well as the Outlook Web Access (OWA) interface that provides access to online email management.

Workaround

Rackspace said it will help affected customers implement a temporary forwarding while the disruption is ongoing:

“As a temporary solution while you set up Microsoft 365, it is possible to also implement a forwarding option that will allow mail destined for a Hosted Exchange user to be routed to an external email address. Please log in to your customer account for a ticket with instructions to request this option. Customers should reply to the ticket to request the forwarding rule be put into place for each of their users.”

Impact

In an 8-K SEC filing Rackspace states that it expects a loss of revenue due to the ransomware attack’s impact on its $30 million Hosted Exchange business. An 8-K form is required to report any events concerning a company that could be of importance to the shareholders of that company or the Securities and Exchange Commission (SEC).

The attack vector

One possible attack vector was pointed out by security researcher Kevin Beaumont. It might be due to exploitation of the Microsoft Exchange vulnerabilities tracked as CVE-2022-41040 and CVE-2022-41082, known as ProxyNotShell.

Beaumont found a Rackspace Exchange server cluster—currently offline—was running a build number from August 2022 a few days prior to the incident disclosure. Since the ProxyNotShell vulnerabilities were only fixed in November, it’s possible that threat actors exploited the flaws to breach Rackspace servers.

One important conclusion Beaumont notes in his post is:

“For a managed service provider (MSP) running a shared cluster, such as Hosted Exchange, it means that one compromised account of one customer will compromise the entire hosted cluster.”

This is what may have happened at Rackspace. Don’t let it happen to you.



Apple’s AirTag stalker safeguards are “woefully inadequate,” alleges lawsuit

Two women filed a proposed class-action lawsuit on Monday, December 5, in the United States District Court for the Northern District of California against Apple, the makers of AirTags.

AirTags are small Bluetooth-enabled devices designed to track personal belongings. The suit accuses the company of failing to introduce measures to combat abuse of the technology, as stalkers have used and continue to use AirTags to track people. Both plaintiffs claimed their ex-partners did just that.

Lauren Hughes, one of the plaintiffs, learned she was being tracked in August 2021 after ending a three-month relationship. According to The New York Times, Hughes’s stalker sent her threatening voicemails and made abusive posts on social media. She moved to a hotel after receiving plants from her stalker at her doorstep.

At the hotel, she received an iPhone notification that an unknown AirTag had been traveling with her. Eventually, Hughes found it in the wheel well of her car tire, colored with a Sharpie marker and wrapped in a plastic bag to disguise it. Discovering the AirTag “terrified” her. 

Hughes then found a new home, but months later, her stalker shared a picture of a taco truck in her new neighborhood, captioned with a winky emoji and the text “#airt2.0”, the suit said. This, the suit alleges, showed the stalker’s continued use of the AirTag to track Hughes.

“Ms. Hughes continues to fear for her safety—at minimum, her stalker has evidenced a commitment to continuing to use AirTags to track, harass, and threaten her, and continues to use AirTags to find her location,” the suit said.

The second plaintiff, referred to as Jane Doe in the court papers, alleged that her ex-husband was stalking her when she found an AirTag planted in her child’s backpack. She got rid of it, but it was replaced with another.

“In the wake of a contentious divorce, she found her former spouse harassing her, challenging her about where she went and when, particularly when she was with the couple’s child,” the suit said.

Apple introduced the AirTag in April 2021, with executives and publicists actively portraying the AirTag as a “harmless—indeed ‘stalker-proof’“—product, the suit said. It’s been a controversial product since its release and has raised concerns among privacy advocates and law enforcement that it could be misused to track people. And, true enough, AirTags have been used in stalking incidents, even murder, and theft of luxury cars.

In a blog post in February, Apple said it would add more safeguards to AirTags to curb unwanted tracking. Apple said it has been working with law enforcement to update the device’s safety warnings, such as providing a privacy warning when using AirTags for the first time.

An Apple spokesperson also pointed to the February blog post about the company’s stance on unwanted tracking:

“AirTag was designed to help people locate their personal belongings, not to track people or another person’s property, and we condemn in the strongest possible terms any malicious use of our products. Unwanted tracking has long been a societal problem, and we took this concern seriously in the design of AirTag.”

The suit, however, alleges that Apple’s safeguards were “woefully inadequate, and do little, if anything, to promptly warn individuals if they are being tracked.”

Hughes and Doe are seeking a jury trial with no monetary damages.



5 SaaS security best practices

Just about anywhere you look, organizations are relying on Software-as-a-Service (SaaS) apps like Dropbox and Hubspot to help power their businesses. With more SaaS apps, however, comes increased security risks.

While SaaS is without a doubt the easiest and most accessible way for businesses to reap the benefits of the cloud, these services are delivered online—which can make it easier for data leaks to happen or for threat actors to get hold of sensitive data. In fact, 43 percent of organizations have dealt with one or more security incidents caused by a SaaS misconfiguration.

You might be asking yourself though: Doesn’t my cloud provider take care of security for me? Well, yes and no.

Your cloud provider will protect your cloud infrastructure in some areas, but under the shared responsibility model, your business is responsible for handling things such as identity and access management, endpoint security, data encryption, and so on. 

The good news is that there’s a set of SaaS security best practices to help keep your business from becoming another statistic. 

Whether your business uses Office 365, Salesforce, Google Drive, or another SaaS app, this blog will help guide your journey to SaaS security with five best practices.

1. Manage SaaS sprawl 

You might be surprised to find that our journey into SaaS security begins not with an answer, but with a question: are you suffering from SaaS sprawl? 

SaaS sprawl is a situation where a business is bloated with so many different (and even duplicate) SaaS apps that IT can no longer manage them effectively. 

Most departments now have 40 – 60 SaaS tools each, with 200+ apps at the company level—and for small businesses, only 32 percent of these apps are IT-approved. Not only does SaaS sprawl waste money, but it has security risks as well. 

For one, SaaS sprawl makes it harder for IT and security teams to ensure compliance or identify security risks that expose sensitive data. Admins just don’t have the time (or the visibility) to individually check and update potential issues for each app. 

Another issue is that SaaS sprawl and “shadow IT” (i.e. SaaS apps that have bypassed IT’s typical vetting procedures) are closely related—the more shadow IT, the worse the SaaS sprawl. As if trying to manage a ton of authorized SaaS apps wasn’t enough, IT teams don’t even know about the unauthorized ones—and they definitely can’t fix what they can’t see!

All of this is to say: tackling SaaS sprawl before anything else will make it easier for you to get into the more granular aspects of SaaS security. Some best practices to manage SaaS sprawl include:

  • Discover all apps: Regularly audit all SaaS apps being used across the business, IT-approved or not.

  • Create a vetting process: Have a consistent method to audit app requests for security, compliance, and other details.

  • Educate employees: IT should regularly caution employees about the risks of using unauthorized apps. 

  • Bridge the gap between IT and other departments: Put a process in place that allows team members to freely approach IT with new apps they wish to use.
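The first of those practices, discovering every app in use, is something an identity provider’s sign-in export makes tractable. The following Python is an added example and not code from the original article or from any vendor: it takes a constructed CSV of sign-in events, compares the app names against a constructed list of IT-approved apps, and reports the unapproved (“shadow”) ones with the number of distinct users behind each, so the loudest sprawl gets looked at first.

```python
"""Spot unapproved (shadow) SaaS apps from identity-provider sign-in events.

Added example, not from the original article. The log format, app names
and approved-app inventory below are constructed for illustration.
"""
from collections import defaultdict
import csv
import io

# Constructed: the inventory of IT-approved apps, lower-cased for matching.
APPROVED_APPS = {"office 365", "salesforce", "google drive"}

# Constructed: a few sign-in events in the shape an IdP export might take.
SIGNIN_EVENTS_CSV = """timestamp,user,app,result
2022-12-01T09:02:11Z,alice@example.com,Office 365,success
2022-12-01T09:05:43Z,bob@example.com,Salesforce,success
2022-12-01T10:12:09Z,alice@example.com,TrelloClone,success
2022-12-01T10:40:27Z,carol@example.com,TrelloClone,success
2022-12-02T08:15:00Z,dave@example.com,FileShareX,success
2022-12-02T08:16:30Z,dave@example.com,FileShareX,failure
2022-12-02T11:00:00Z,bob@example.com,Google Drive,success
"""


def parse_events(csv_text):
    """Parse CSV sign-in events into a list of dicts (one per row)."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def find_shadow_apps(events, approved=APPROVED_APPS):
    """Return {app: sorted list of users} for apps missing from the inventory.

    Only successful sign-ins count: a failed attempt does not prove the app
    is actually in use. Matching is case-insensitive so that 'Office 365'
    and 'office 365' are treated as the same app.
    """
    users_by_app = defaultdict(set)
    for event in events:
        if event["result"] != "success":
            continue
        app = event["app"].strip()
        if app.lower() in approved:
            continue
        users_by_app[app].add(event["user"])
    return {app: sorted(users) for app, users in users_by_app.items()}


def shadow_report(csv_text=SIGNIN_EVENTS_CSV):
    """List (app, distinct user count) pairs, most widely used shadow app first."""
    shadow = find_shadow_apps(parse_events(csv_text))
    return sorted(((app, len(users)) for app, users in shadow.items()),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for app, count in shadow_report():
        print(f"{app}: {count} user(s) signed in without IT approval")
```

Run against a real export, the same report becomes the input to the vetting process in the next bullet: each shadow app either gets reviewed and added to the inventory or gets blocked at the identity provider.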

2. Use Single Sign-On (SSO) paired with Multi-Factor Authentication (MFA)

SSO is a nonnegotiable security requirement for any company with more than five employees.

SSO solutions such as Okta, Duo, and Microsoft Azure Active Directory (AD) allow you to access all SaaS applications after entering your credentials just one time. Not only is SSO more convenient for end users, but it gives IT and Security teams the ability to effectively manage user accounts across dozens or hundreds of vendors.

SSO also makes it much easier to enforce Multi-Factor Authentication (MFA), a crucial extra level of SaaS security, across all of your accounts.  

After signing in using SSO, for example, a user is prompted with MFA to confirm the session using “something they have” (i.e. by receiving a push notification or text on their phone).

3. Manage identity and access to SaaS applications

Each user in a cloud environment has their own roles and permissions governing the access they get to certain parts of the cloud, and because SaaS workloads are accessed online, all hackers need are your credentials to get the “keys to the kingdom.”

This is why strong identity and access management (IAM) policies are so essential to cloud security.

Identity and access management is a means of controlling the permissions and access for users of cloud resources. You can think of IAM less as a single piece of software and more of a framework of processes, policies, and technology. Some IAM best practices include:

  • Removing dormant accounts

  • Only giving privileged access to those who truly need it

  • Enforcing strict password policies 

According to Palo Alto Networks, most known cloud data breaches start with misconfigured IAM policies or leaked credentials.

Specifically, researchers found that IAM misconfigurations cause 65 percent of detected cloud data breaches, with the runners up being weak password usage (53 percent) and allowing password reuse (44 percent).
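The IAM practices listed above (removing dormant accounts, limiting privileged access) and the MFA enforcement from the previous section are checks that can be run on a routine basis against an account export from the SSO provider. The Python below is an added example, not code from the article or from any IAM product; the account records, field names and the 90-day dormancy threshold are constructed for illustration. It flags accounts that have never logged in or have not logged in within the threshold, and privileged accounts that lack a second factor.

```python
"""Flag IAM hygiene problems in a SaaS/SSO account inventory.

Added example, not from the original article. Account records, field names
and the dormancy threshold are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

DORMANT_AFTER = timedelta(days=90)  # constructed threshold, tune per policy

# Constructed: what an export from an SSO/IdP admin console might look like.
# last_login is ISO-8601 UTC or None if the account has never signed in.
ACCOUNTS = [
    {"user": "alice@example.com", "last_login": "2022-11-28T08:00:00Z", "privileged": True,  "mfa": True},
    {"user": "bob@example.com",   "last_login": "2022-06-01T12:00:00Z", "privileged": False, "mfa": True},
    {"user": "carol@example.com", "last_login": "2022-11-30T09:30:00Z", "privileged": True,  "mfa": False},
    {"user": "svc-backup",        "last_login": None,                   "privileged": True,  "mfa": False},
    {"user": "dave@example.com",  "last_login": "2022-12-05T07:45:00Z", "privileged": False, "mfa": False},
]


def parse_ts(value):
    """Parse an ISO-8601 'Z' timestamp into a timezone-aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_accounts(accounts, now, dormant_after=DORMANT_AFTER):
    """Return findings keyed by check name, each a list of user names.

    dormant: never logged in, or last login older than dormant_after
    privileged_without_mfa: admin-level account with no second factor
    """
    findings = {"dormant": [], "privileged_without_mfa": []}
    for acct in accounts:
        last = acct["last_login"]
        if last is None or now - parse_ts(last) > dormant_after:
            findings["dormant"].append(acct["user"])
        if acct["privileged"] and not acct["mfa"]:
            findings["privileged_without_mfa"].append(acct["user"])
    return findings


def audit_report(now_iso, accounts=ACCOUNTS):
    """Convenience wrapper: run the audit as of a given ISO-8601 UTC instant."""
    return audit_accounts(accounts, parse_ts(now_iso))


if __name__ == "__main__":
    report = audit_report("2022-12-06T00:00:00Z")
    for check, users in report.items():
        print(f"{check}: {', '.join(users) if users else 'none'}")
```

The never-logged-in service account shows up under both checks, which is the usual shape of the problem: accounts nobody uses are also the ones nobody has enrolled in MFA, and a privileged one is the worst combination of the two.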

4. Use a strong cloud malware scanner

Did you know that malware delivered through cloud storage apps such as Microsoft OneDrive, Google Drive, and Box accounted for 69 percent of cloud malware downloads in 2021?

It can be difficult to monitor and control all the activity in and out of SaaS cloud storage repositories, making it easy for malware to hide in the noise as it makes its way to the cloud. 

That’s where cloud storage scanning comes in.

Cloud storage scanning is exactly what it sounds like: it’s a way to scan for malware in cloud storage apps like Box, Google Drive, and OneDrive. And while most cloud storage apps have malware-scanning capabilities, it’s important to have a second-opinion scanner as well.

Reduce risk from cloud-based malware today

A second-opinion cloud storage scanner is a great second line of defense for cloud storage because it’s very possible that your main scanner will fail to detect a cloud-based malware infection that your second-opinion one catches. 

Look for a third-party cloud storage scanner that aggregates threats across different vendors’ repositories and uses multiple anti-malware engines when scanning files.

5. Define your Security Service Edge (SSE)

In 2021, Gartner introduced the concept of “Security Service Edge” (SSE),  which they defined as an evolving stack of different cloud-based security tools to secure access to the internet, SaaS and specific internal applications. A subset of Secure Access Service Edge (SASE), SSE can help you with SaaS security using tools such as: 

  • Zero Trust Network Access (ZTNA): ZTNA is an IT solution that secures boundaries around SaaS applications. With ZTNA, your business can enforce “least privilege” access to specific apps and ensure no users are given network access, eliminating unauthorized lateral movement.

  • Cloud secure web gateway (SWG): SWGs filter unsafe content from web traffic and hence can help prevent your SaaS apps from being compromised through a phishing attack, for example. Features include URL Filtering, application control, Data Loss Prevention (DLP), and anti-malware detection and blocking.

  • Cloud access security broker (CASB): A CASB sits between you and your SaaS provider, enforcing security policies and practices including authentication, authorization, alerts and encryption. CASBs offer feature sets across four pillars: data security, compliance, threat protection, and visibility.

  • Firewall-as-a-service (FWaaS): FWaaS is a firewall delivered via the cloud, acting as a barrier to prevent unauthorized access to the network. FWaaS inspects all traffic coming into your network (including SaaS app traffic) to detect and address threats.

SaaS security doesn’t have to be scary

No doubt, SaaS is here to stay. At the same time that businesses are reaping enormous benefits from the cloud, however, SaaS security is top-of-mind. With shadow IT, misconfigurations, weak access management, and cloud malware threatening the security of your SaaS environment at all times, it has never been more important to adhere to a few best practices.

But SaaS security doesn’t have to be scary.

The combination of processes, technologies, and outsourcing outlined here can vastly improve the SaaS security posture of SMBs, helping to prevent a much-dreaded data breach.

More resources

Introducing Malwarebytes Cloud Storage Scanning: How to scan for malware in cloud file storage repositories

Cloud data breaches: 4 biggest threats to cloud storage security

Cloud-based malware is on the rise. How can you secure your business?

Case study: Cloud-based environment now vulnerable to cyber-attacks

Update now! Google patches Android vulnerability that allows remote code execution over Bluetooth

In the Android security bulletin of December 5, 2022, you can find an overview of the security vulnerabilities affecting Android devices that are fixed in patch level 2022-12-05 or later.

The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution over Bluetooth with no additional execution privileges needed.

Mitigation

If your Android phone is at patch level 2022-12-05 or later, then the issues discussed below have been fixed. The updates have been made available for Android 10, 11, 12, 12L and 13.

You can find your device’s Android version number, security update level, and Google Play system level in your Settings app. You’ll get notifications when updates are available for you, but you can also check for updates.

For most phones it works like this: Under About phone or About device you can tap on Software updates to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.
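For fleets of devices, or when you want a check that does not depend on a brand's Settings layout, the patch level can also be read over USB debugging. The script below is an added example (not part of the Android bulletin or of this article); it assumes the Android SDK platform-tools (`adb`) are installed and that the phone has USB debugging enabled, and it reads the `ro.build.version.security_patch` system property, which is the value behind the "Android security update" line in Settings. Patch levels are plain YYYY-MM-DD dates, so they can be compared numerically once the dashes are removed.

```shell
#!/bin/sh
# Added example, not part of the Android bulletin or the article: check whether
# an Android device's security patch level is at or past the level that fixes
# the issues discussed here. Assumes the Android SDK platform-tools (adb) are
# installed and that the device has USB debugging enabled.

REQUIRED_LEVEL="2022-12-05"   # patch level that fixes the December 2022 issues

# as_number 2022-12-05 -> 20221205, so two patch levels can be compared with -ge
as_number() {
    printf '%s\n' "$1" | sed 's/-//g'
}

# is_patched DEVICE_LEVEL [REQUIRED_LEVEL]
# Exit status 0 when DEVICE_LEVEL (YYYY-MM-DD, as reported by the device) is on
# or after REQUIRED_LEVEL, 1 when it is older, 2 when it is malformed.
is_patched() {
    device_level=$1
    required=${2:-$REQUIRED_LEVEL}
    case "$device_level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) printf 'unrecognised patch level: %s\n' "$device_level" >&2; return 2 ;;
    esac
    [ "$(as_number "$device_level")" -ge "$(as_number "$required")" ]
}

# Read the patch level from the connected device. The property is the same
# value shown as "Android security update" in the Settings app.
device_patch_level() {
    adb shell getprop ro.build.version.security_patch | tr -d '\r'
}

# Report whether the connected device carries the December 2022 fixes.
check_device() {
    level=$(device_patch_level)
    if is_patched "$level"; then
        printf 'patch level %s: fixes for %s are present\n' "$level" "$REQUIRED_LEVEL"
    else
        printf 'patch level %s: older than %s, install the vendor update\n' "$level" "$REQUIRED_LEVEL"
        return 1
    fi
}

# Only talk to a device when explicitly asked, so the functions above can be
# sourced or tested without adb present:  sh check_patch_level.sh --device
if [ "${1-}" = "--device" ]; then
    check_device
fi
```

Run it as `sh check_patch_level.sh --device` with one phone attached; a non-zero exit means the device is still waiting on its vendor's update, which ties in with the patch gap discussed below. The comparison deliberately uses the date alone rather than the Android version, because the same patch level was shipped for Android 10 through 13.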

Vulnerabilities

The total number of patched issues is 81, and four of them are security issues labelled as critical.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Below are details for the four critical ones.

CVE-2022-20472: a critical remote code execution (RCE) vulnerability in the Framework component.

CVE-2022-20473: another critical RCE vulnerability in the Framework component.

The Android framework consists of a group of Java classes, interfaces, and other precompiled code upon which apps are built.

CVE-2022-20498: a critical information disclosure (ID) vulnerability in the System component.

CVE-2022-20411: a critical RCE vulnerability in the System component. Exploiting this vulnerability could allow an attacker to perform remote code execution over Bluetooth with no additional execution privileges needed.

Google didn’t provide any details about the vulnerabilities in order to protect the Android users that haven’t been able to patch yet.

Patch gap

Depending on the manufacturer of your Android device, the patch may not be available to you yet.

A patch gap exists when software patches have to wait for a second vendor to incorporate them into its own software before they reach an end user.

This has always been a particularly acute problem on Android phones. If there is an update for the Android operating system—software that sits at the core of about 70% of all mobile devices—it can take a very long time to reach end users. This is because many mobile phone vendors sell their devices with their own tweaked versions of Android and any fix has to be tested in that slightly different environment.

We know that Samsung has issued the patch including a fix for CVE-2022-20411 and the other critical vulnerabilities.

Stay safe, everyone!


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Raccoon Stealer admin will be extradited to the US, charged for computer crimes

The US Department of Justice has indicted a Ukrainian national for his involvement in Raccoon Stealer, a noteworthy password-stealing Trojan leased in the underground for criminals to use as part of a malware-as-a-service (MaaS) business model.

According to court documents, Mark Sokolovsky, 26, is currently held in the Netherlands under an extradition request from the US government. Dutch authorities arrested Sokolovsky, known online as “raccoonstealer,” in March 2022. At the same time, the FBI (Federal Bureau of Investigation) partnered with Italian and Dutch law enforcement to dismantle Raccoon Stealer’s digital infrastructure, taking the existing version offline.

In a press release, Deputy Attorney General Lisa O. Monaco said:

“This case highlights the importance of the international cooperation that the Department of Justice and our partners use to dismantle modern cyber threats. As reflected in the number of potential victims and global breadth of this attack, cyber threats do not respect borders, which makes international cooperation all the more critical. I urge anyone who thinks they could be a victim to follow the FBI’s guidance on how to report your potential exposure.”

Sokolovsky is charged with four counts of computer crime: conspiracy to commit computer fraud, conspiracy to commit wire fraud, conspiracy to commit money laundering, and aggravated identity theft.

On September 13, 2022, the Amsterdam District Court ordered Sokolovsky’s extradition to Texas, where many of his victims were located. He is currently appealing the extradition order. If convicted, he faces a maximum of 20 years for wire fraud and money laundering, five years for the computer fraud charges, and a mandatory two-year term for identity theft offenses.

About Raccoon Stealer

Raccoon Stealer was popular on the dark web from 2019 to early 2022 for its simplicity and customization. Its operations temporarily ceased sometime in March 2022 after an operator revealed that a key developer of the Trojan died at the beginning of Russia’s invasion of Ukraine. In June 2022, Raccoon Stealer resumed operations with the release of V2.

Administrators of Raccoon Stealer rent out the malware for $200 per month, paid in cryptocurrency. Cybercriminals use the Trojan to steal data from victim computers. This data includes login credentials, financial and banking information, and personally identifiable information (PII). They trick users into downloading the malware via email phishing campaigns, among other methods.

The FBI identified at least 50 million unique credentials stolen by Raccoon Stealer from victims worldwide. Because of this, the agency has created a dedicated website, raccoon.ic3.gov, where potential victims can check if their data has been stolen. All they need to do is to enter their email address. Note, however, that the website only contains data for US-based victims. 

The FBI also encourages potential victims to fill out a detailed complaint and share the harm the malware caused them at the FBI’s Internet Crime Complaint Center (IC3).


Police warn of fake law enforcement arrest warrant calls

Brownsville Police Department is warning about scammers impersonating law enforcement in order to extract money from potential victims. The scam involves pressure from an immediate threat, several ways to extract yourself from this non-existent claim of wrongdoing, and multiple levels of officialdom to scare you into making a wrong move. 

How the fake warrant call works

Calls from individuals pretending to be energy suppliers offering discounts, or fake parcel delivery firms are all the rage at the moment. However, don’t discount fake law enforcement ploys! The way this scam works is as follows:

  1. You receive a call from someone claiming to be in law enforcement. This individual knows at least some of your personal information, though there’s no indication as to where they obtained it. Depending on your region, they may claim to be city, county, state, or federal law enforcement officers. This specific technique is aimed at residents of the US, though it can of course be tailored to work anywhere.

  2. The victim is informed that there is a warrant out for their immediate arrest. In fact, it’s so immediate that the scammer claims they will visit the victim’s house and place them under arrest there and then. The only way to get out of this entirely fictitious predicament and avoid going to fake jail is to pay a fee or a fine via payment apps such as Zelle or Cash App, or gift cards.

Not this scam’s first rodeo

This isn’t the only time such a scam has been reported by Brownsville Police Department. Back in 2020, they alerted residents of the following scam attempt doing the rounds:

“…a group of scammers impersonating county judges and Brownsville Police Department Officers. These scammers are calling people via telephone telling them they have warrants for their arrests and that they have to pay a fine. The scammers are requesting credit card information and over the phone payment.”

Somewhere along the way, the judges apparently dropped out of the scam, leaving only law enforcement doing the heavy lifting. Perhaps the scammers thought judges making these calls was a little too unbelievable. You may be tempted to assume the same for police, but consider that these calls are entirely based around the pressure point of “Pay this fine, or we’re coming to arrest you immediately”. This is absolutely not something you want to hear down the phone out of the blue, and how many people would stop to question such a thing when put on the spot?

Ways to avoid this bogus warrant fakery

Brownsville PD has the following advice for anyone who may be on the receiving end of one of these calls:

1. Get the caller’s name, phone number, and agency.

2. Tell them you are going to contact the agency with the warrant, not the number they give you.

3. Call the agency that has the warrant, and verify the person by name. Get the agency’s phone number via the internet.

4. If the call was a scam, report it immediately to the proper authorities.

Law enforcement asking directly for payment on pain of immediate arrest is simply not a thing which is going to happen. Nobody wants to receive an unpleasant call like the ones mentioned above, but if you do receive something along these lines: don’t panic. Ask the caller for as much information as possible, and inform them that you’re going to ring a number you’ve verified is the real deal. If the person calling is genuine, there should be no problem with you doing this. If they hesitate, or insist that this is a case of “do it now or else,” you can almost guarantee that this is a fake out.

Stay safe out there!
