IT NEWS

Cloudflare Tunnel increasingly abused by cybercriminals

Cloudflare Tunnel provides you with a secure way to connect your resources to Cloudflare without a publicly routable IP address. Cybercriminals are increasingly using this service to keep their activities from being detected.

Cloudflare Tunnel, also known by its executable name, Cloudflared, reaches out to the Cloudflare edge servers by creating an outbound connection over HTTPS (HTTP/2 or QUIC), where the tunnel’s controller makes services or private networks accessible via Cloudflare console configuration changes. It’s used to allow external sources to directly access important services, including SSH (Secure Shell), RDP (Remote Desktop Protocol), SMB (Server Message Block), and others.

Researchers have found that cybercriminals are shifting from using ngrok to Cloudflare Tunnel, probably because it provides a lot more usability for free. It allows an attacker who has already achieved a foothold on a victim machine to establish the tunnel with a single command and then conduct further operations through it.

Once the tunnel is established, Cloudflared obtains the configuration and keeps it in the running process. All the victim will be able to find when the discreet communication channel is discovered is a unique tunnel token, which will leave them none the wiser. The attacker, however, is able to easily modify the tunnel configuration on the fly.

Since this tool is a legitimate binary which is supported on every major operating system, and the initial connection is initiated through an outbound HTTPS connection to Cloudflare-owned infrastructure, this method might prove to become even more popular among cybercriminals. It provides them with a tool to establish persistence when they need it, and to then turn it off when they don’t, in order to avoid being found out.

Because of the HTTPS connection and the port the data exchange takes place on (QUIC on port 7844), it is unlikely to be picked up by protection software like firewalls unless specifically instructed to do so.

As if that wasn’t worrying enough, the researchers found that they could abuse Cloudflare’s ‘Private Networks’ feature to access an entire range of internal IP addresses remotely once they established a tunnel to a single client (victim).

Mitigation

The researchers note that on the victim machine, RDP and SMB need to be enabled before attempting to connect. So, if you don’t need those, this is another good reason to disable them.

To detect unauthorized use of Cloudflare Tunnels, the researchers recommend that organizations monitor for specific DNS queries (as shared in the report) and for the use of non-standard ports like 7844.
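The two detection signals above, combined into a small log-scanning script. This is an added example, not code from the article or the researchers' report; the log formats and the tunnel hostname patterns (based on cloudflared's public edge names, not the report's list) are assumptions, and the sample lines are constructed.

```python
"""Detection sketch for unauthorized Cloudflare Tunnel (cloudflared) use.

Added example, not code from the original article or from the researchers'
report. It scans constructed DNS and firewall log lines for the two signals
the article names: DNS queries for tunnel-related hostnames and outbound
traffic on the non-standard port 7844. The hostname patterns are an
assumption based on cloudflared's public edge names, not the report's list.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

TUNNEL_PORT = 7844  # port cloudflared uses (QUIC/HTTP2) to reach Cloudflare's edge

# Assumed hostname patterns for tunnel control traffic; adjust to your report.
TUNNEL_DNS_PATTERNS = [
    re.compile(r"(^|\.)argotunnel\.com$"),
    re.compile(r"(^|\.)cftunnel\.com$"),
]

# Constructed key=value log formats used by the sample below.
DNS_RE = re.compile(r"\bdns client=(?P<client>\S+) query=(?P<qname>\S+)")
FW_RE = re.compile(
    r"\bfw action=(?P<action>\S+) proto=(?P<proto>\S+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


@dataclass
class Alert:
    host: str    # internal host the signal came from
    kind: str    # "tunnel-dns" or "tunnel-port"
    detail: str
    raw: str


def inspect_line(line: str):
    """Return an Alert if the line carries a tunnel signal, else None."""
    m = DNS_RE.search(line)
    if m:
        qname = m.group("qname").rstrip(".").lower()
        if any(p.search(qname) for p in TUNNEL_DNS_PATTERNS):
            return Alert(m.group("client"), "tunnel-dns", f"resolved {qname}", line)
        return None
    m = FW_RE.search(line)
    if m and int(m.group("dport")) == TUNNEL_PORT:
        detail = f"{m.group('proto')} to {m.group('dst')}:{TUNNEL_PORT} ({m.group('action')})"
        return Alert(m.group("src"), "tunnel-port", detail, line)
    return None


def scan(lines):
    """All alerts, in log order."""
    return [a for a in (inspect_line(line) for line in lines) if a is not None]


def triage(lines):
    """Map each internal host to the set of signal kinds seen for it.

    A host showing both the DNS and the port signal is the strongest
    candidate for a live tunnel; a single signal still deserves a look
    (a denied 7844 connection may be a tunnel that failed to come up).
    """
    seen = defaultdict(set)
    for alert in scan(lines):
        seen[alert.host].add(alert.kind)
    return dict(seen)


# Constructed sample (TEST-NET addresses, not real Cloudflare edge IPs).
SAMPLE_LOGS = [
    "2023-08-08T10:01:02Z dns client=10.0.0.5 query=region1.v2.argotunnel.com type=A",
    "2023-08-08T10:01:02Z dns client=10.0.0.7 query=www.example.com type=A",
    "2023-08-08T10:01:03Z fw action=allow proto=udp src=10.0.0.5 dst=203.0.113.10 dport=7844",
    "2023-08-08T10:01:04Z fw action=allow proto=tcp src=10.0.0.7 dst=203.0.113.20 dport=443",
    "2023-08-08T10:02:10Z fw action=deny proto=tcp src=10.0.0.9 dst=203.0.113.30 dport=7844",
]

if __name__ == "__main__":
    for host, kinds in sorted(triage(SAMPLE_LOGS).items()):
        level = "HIGH" if len(kinds) == 2 else "MEDIUM"
        print(f"{level:6} {host}: {', '.join(sorted(kinds))}")
```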

Other, more general recommendations are:

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes EDR and MDR remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Facial recognition tech lands innocent woman with bogus carjacking charge

Detroit law enforcement wrongly arrested a 32-year-old woman for a robbery and carjacking she did not commit. She was detained for 11 hours and had her phone taken as evidence before finally being allowed to leave. The reason for the false arrest is down to a facial recognition error, the kind that privacy and civil liberty organisations have been warning about for some time now.

What makes this one particularly galling is that the surveillance footage used in this case did not show a pregnant woman. Meanwhile, Porsche Woodruff was eight months pregnant at the time of the arrest.

How did this all begin? A Detroit police officer made a facial recognition request on a woman returning the carjacking victim’s phone to a gas station. The facial recognition tool flagged Woodruff via a 2015 mug shot on file from a previous, unrelated arrest. Despite being aware that the individual in the footage was not visibly pregnant, police showed the victim a lineup which included the old photo. The robbery victim wrongly identified Woodruff as the culprit.

Shortly after, she was arrested for the alleged crime of carjacking and robbery.

Ars Technica reports that law enforcement used something called DataWorks Plus to match surveillance footage against a criminal mug shot database. DataWorks Plus bills itself as a “facial recognition and case management” technology. It provides “accurate, reliable facial candidates with advanced comparison…tools for investigations”. It also offers up similar services with regard to fingerprints, iris, and tattoo recognition.

Unfortunately for Woodruff, accuracy was on vacation the day her 2015 mug shot was wrongly identified as a match for the robbery in question.

She was charged in court with robbery and carjacking, with all charges dismissed about a month later. She has now filed a lawsuit for wrongful arrest against the city of Detroit, which seems quite reasonable given the circumstances.

The New York Times claims that this is the sixth recently reported example of an individual being wrongly accused due to facial recognition technology not working as expected. This is the third such example to have taken place in Detroit, and all six wrongly accused individuals are black. A long-running concern regarding these technologies is that they tend to perform very badly when dealing with women and people with dark skin. The Ars post has multiple links to various reports and studies highlighting some of these consistent flaws.

Indeed, multiple cities in the US have banned the use of facial recognition technology, though this may be something which may change in the future due to lobbying and “a surge in crime”.

One would think that “you look like this person even though you’re eight months pregnant and they’re not” would keep this person out of a cell. Is the trust in the supposed accuracy of this technology so great that Detroit police trusted it over the evidence of their own eyes?

They took Woodruff away at her front door, and even used her older photo despite having access to her current driver’s licence photo which was issued in 2021. It does seem very strange that nobody appears to have intervened at the point the technology side of the workflow was going off the rails. From the complaint, via CNN:

When first confronted with the arrest warrant, Woodruff was “baffled and assuming it was a joke, given her visibly pregnant state,” the suit says. She and her fiancé “urged the officers to check the warrant to confirm the female who committed the robbery and carjacking was pregnant, but the officers refused to do so,” the complaint says.

You can go as far back as 2018 to find Detroit law enforcement getting it wrong with facial recognition technology. There, a man was wrongly flagged as a watch thief. In 2019, another individual was briefly accused of stealing a phone until his attorney was able to prove they’d once again accused the wrong individual.

American Civil Liberties Union (ACLU) Michigan is now taking an interest, and the outcome of the lawsuit remains to be seen. While it’s impossible to predict the outcome, Woodruff would appear to have a fairly strong case. The question is, will this result in any meaningful change to how law enforcement incorporates decision making into their technology workflow? Or will we be seeing yet another of these cases six months down the line?


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Voter data stolen in UK Electoral Commission systems breach

The UK’s Electoral Commission has revealed it suffered a compromise which has the potential to expose aspects of registered voters’ data. While much of this data may already be public, there are some privacy and safety concerns to consider.

First of all, let’s take a look at what’s been affected. The UK has something called an Electoral Roll (or Register). This is a list of all eligible registered voters residing in the UK. This list is divided into three types: the full, public register; the edited version; and the “opt-out” version.

From the Information Commissioner’s Office:

The full register is published once a year and is updated every month. It is used by electoral registration officers and returning officers across the country for purposes related to elections and referendums. Political parties, MPs and public libraries may also have the full register.

Regular folks going about their business can’t access the full version. The edited version of the register works as follows:

The open register, also called the edited register, contains the same information as the full register but is not used for elections or referendums. It is updated and published every month and can be sold to any person, organisation or company for a wide range of purposes. It is used by businesses and charities for checking names and address details; users of the register include direct marketing firms and also online directory firms.

This is one way that people end up on marketing lists, or “find a phone number/person” type websites. It’s the kind of data you’d occasionally find up for grabs on CD-ROMs.

The “opt-out” version of the register omits your details from this list. You used to have to manually opt out every time you updated your details, but these days your selection stays the same unless you specifically decide to alter it.

What has been compromised?

The Electoral Commission has this to say regarding the attack:

The Electoral Commission has been the subject of a complex cyber-attack, it has announced today, highlighting that the UK’s democratic process and its institutions remain a target for hostile actors online.

The incident was identified in October 2022 after suspicious activity was detected on the regulator’s systems. It became clear that hostile actors had first accessed the systems in August 2021. The Commission has since worked with external security experts and the National Cyber Security Centre (NCSC) to investigate and secure its systems.

As part of the attack, hostile actors were able to access reference copies of the electoral registers, held by the Commission for research purposes and to enable permissibility checks on political donations. The registers held at the time of the cyber-attack include the name and address of anyone in the UK who was registered to vote between 2014 and 2022, as well as the names of those registered as overseas voters. The registers did not include the details of those registered anonymously. The Commission’s email system was also accessible during the attack.

How serious is this breach?

A full FAQ is available, but I would draw attention to this comment from the Electoral Commission:

“While the data contained in the electoral registers is limited, and much of it is already in the public domain, we understand the concern that may have been caused by the registers potentially being accessed and apologise to those affected.”

People on the opt-out version of the register may be unsure if this actually means their data is included in that which was available to the attackers. From the FAQ:

Please note, the addresses of those on the open register are already publicly available. The addresses of those who opt out of the open register are not made publicly available, but were accessible during this cyber-attack.

While using the opt-out is by no means a magic solution to the perils of real world unpleasantness, it does help. Many at-risk or vulnerable people use it as a quick and easy way to prevent (for example) abusive ex-partners from tracking them down.

Knowing that their data is included in the pile is likely to be somewhat unsettling.

There is a way to be fully anonymous where voting registration is concerned. However, the process can be complex and off-putting. It requires items like court documents or attestations from authorised individuals to support the application. In other words, you may need to request that police officers come to your home and then explain your situation with evidence to back up your claims.

If the application is granted, you’ll be fully anonymous. The Electoral Commission does point out that anonymised individuals are not impacted by this breach, but this will be scant consolation to those who didn’t receive approval, or did not know the option existed.

For now, no additional details are forthcoming. There’s not much anyone can do with regard to the data exposure at this point. We just have to hope that those responsible aren’t in the mood for throwing everything online. So far, there’s no evidence that anyone has made use of the data in this way specifically. As for anything else, we’ll have to wait and see.



Digital assets continue to be prime target for malvertisers

Cyber-criminals continue to impersonate brands via well-crafted phishing websites. We previously covered attacks on both consumers and businesses via online searches for popular brands leading to scams or malware.

Digital assets such as cryptocurrencies or NFTs are highly coveted by threat actors due to the high gains that can be made, even via a simple phishing attack.

In this blog post, we investigate a malicious ad on Microsoft Bing for LooksRare, an NFT marketplace. Malvertising is helping scammers to phish users with added credibility but also leaves victims irate about ads and top search engines.

Malicious ads for NFT marketplace

Non-fungible tokens (NFTs) are assets that have been tokenized via a blockchain. Whether you are into them or find them laughable, a lot of money is being invested, making them attractive to criminals. In a post on social media, one user claimed to have lost $300K worth of NFTs because they clicked on a Google ad:

Original post

We could not immediately find the same ad on Google, but we did see one on Microsoft Bing that is likely tied to the same campaign:

Bing search for looksrare

The “why you’re seeing this ad?” dialog shows the advertiser as being from China and the ad by a company named Fantacy Click Limited:

Ad details

Microsoft’s Advertiser Identity Verification Program states that when ads don’t pass policy checks, Microsoft either stops serving the ads or suspends the advertiser’s account. In this example of brand impersonation, the phishing domain (looksrare-org[.]com) was freshly registered on August 7th 2023. While we can’t expect companies to track every possible brand out there, a simple domain registration check could easily reveal risky advertisers.
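What such a registration check could look like, as an added example that is not the article's or Microsoft's own code: it refangs the defanged domain, reduces it to the registrable domain, flags registrations younger than a threshold, and flags lookalikes of a watched brand. Registration dates are passed in as sample values (the August 7th date is from the article; the others are constructed) standing in for a WHOIS/RDAP lookup this offline example does not perform.

```python
"""Registration-age and brand-lookalike check for advertiser landing domains.

Added example, not the article's or Microsoft's own code. It implements the
"simple domain registration check" the article suggests: refang a defanged
domain, reduce it to its registrable domain, flag registrations younger than
a threshold, and flag lookalikes of a watched brand. Registration dates are
passed in as constructed sample values standing in for a WHOIS/RDAP lookup,
which this offline example does not perform.
"""
from datetime import date

# Brand token -> legitimate registrable domain (from the article).
KNOWN_BRANDS = {"looksrare": "looksrare.org"}

# Assumed minimal multi-label suffix table; production code should use the
# Public Suffix List instead.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}


def refang(domain: str) -> str:
    """Turn an IoC-style domain such as looksrare-org[.]com back into a hostname."""
    return domain.replace("[.]", ".").strip().strip(".").lower()


def registrable_domain(host: str) -> str:
    """Return the part a registrant actually bought (eTLD+1)."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brand_lookalike(host: str):
    """Return the impersonated legitimate domain, or None.

    Any registrable domain that embeds a brand token but is not the brand's
    own registrable domain counts (e.g. looksrare-org.com, www-market-looksrare.com).
    """
    reg = registrable_domain(host)
    for token, legit in KNOWN_BRANDS.items():
        if token in reg and reg != legit:
            return legit
    return None


def assess(domain: str, registered_on: date, today: date, max_age_days: int = 30) -> dict:
    """Combine the two checks into a verdict an ad-review pipeline could act on."""
    host = refang(domain)
    reasons = []
    age_days = (today - registered_on).days
    if age_days < max_age_days:
        reasons.append(f"registered {age_days} day(s) ago")
    legit = brand_lookalike(host)
    if legit:
        reasons.append(f"lookalike of {legit}")
    return {
        "domain": host,
        "registrable": registrable_domain(host),
        "age_days": age_days,
        "risky": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    review_date = date(2023, 8, 9)  # constructed review date
    # First registration date is the one the article gives; the others are constructed.
    candidates = [
        ("looksrare-org[.]com", date(2023, 8, 7)),
        ("www-market-looksrare[.]com", date(2023, 8, 5)),
        ("looksrare[.]org", date(2021, 1, 15)),
    ]
    for dom, reg_date in candidates:
        verdict = assess(dom, reg_date, review_date)
        flag = "RISKY" if verdict["risky"] else "ok   "
        print(f"{flag} {verdict['domain']:28} {'; '.join(verdict['reasons'])}")
```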

Decoy redirect

The threat actor invested minimal effort to deceive crawlers and other automation tools by setting up the usual cloaking page. In this example, you get redirected to an “about us” decoy page:

Decoy traffic

Unfortunately, while it is easy for humans to see that this site is completely fake, machines will find no security issue and validate it:


Redirect and phishing page

Legitimate users and intended victims clicking on the ad will get a different experience. They are redirected to a second website (www-market-lookshare[.]com) that was also registered very recently and that acts as the phishing site:

Web traffic

This site is a close replica of the official looksrare[.]org domain:

Comparing the phishing page with the real site

Draining wallets

The phishing site invites victims to connect their wallet by scanning a QR code:

QR code on phishing site

If you are running the Coinbase extension, you will get a request such as the one below:

Coinbase request

After connecting to the victim’s wallet, the threat actor will run a few queries and eventually prompt the user to sign a message, granting them access to their NFTs. Someone has analyzed the transactions associated with this campaign in a thread here.

Phishing and crypto assets

Many people have expressed concerns about cryptocurrencies and other digital assets due to how many scams there are, but also because of how easy it can be to lose very large sums of money with just a few wrong clicks.

Phishing sites can be very convincing especially if the user visited them via a paid Google or Bing search ad that they expect has already been verified as legitimate.

There are a number of tools that can help to protect your wallets and gain better visibility over incoming transactions. Malwarebytes Browser Guard can block those phishing websites and malicious ads to keep you out of harm’s way.

We have reported this malicious ad to Microsoft via their low quality ad submission & escalation form. An automated response informed us that Microsoft will review and take action on any ads found to be in violation within 3-5 days. Unfortunately, this gives criminals enough time to run their malvertising campaigns uninterrupted and switch accounts by the time they are caught.

Indicators of compromise

looksrare-org[.]info
looksrare-org[.]com
www-market-looksrare[.]com

Server breach could be fatal blow for LetMeSpy

A mobile app designed to let people spy on others will shortly be going out of business after a server breach and mass deletion incident. The app, LetMeSpy, sits silently and invisibly on a phone and collects call logs, location data, and even text messages.

This kind of program is commonly referred to as stalkerware. As the name suggests, people aren’t doing anything good with this kind of software. You’ll most commonly see it on Android devices, put there by someone with temporary physical access. Depending on the program, it may access phone records, texts, photos, camera, microphone, GPS…you name it, it can possibly do it.

The device owner will have no idea that this is going on, because these programs come with no app icon and stay hidden.

A domestic abuser or someone up to no good generally installs the app on the phone without the victim’s consent or knowledge. Once done, it can be used to keep track of the person for as long as it remains on the device.

In this case, LetMeSpy first made notification of the breach in June, with the following message:

On June 21, 2023, a security incident occurred involving obtaining unauthorized access to the data of website users.

As a result of the attack, the criminals gained access to email addresses, telephone numbers and the content of messages collected on accounts. For 100% clarity: Everything collected from mobile devices where the owner wouldn’t have been aware LetMeSpy was present in the first place.

Given that someone with this app on their phone could potentially be in a perilous position to begin with, it’s even worse that such an individual would have their data stolen in this way. Polish site Niebezpiecznik, which first reported the breach, said that the database dumped online contained:

  • 26,000+ email addresses of the tool’s “operators” along with hashes of their passwords.
  • 16,000+ text messages, including passwords and codes for various services.
  • Telephone numbers of people who had contacted the tracked phones.
  • Telephone numbers of the people whom the tracked phone owner had called (along with the names associated with them in the contacts list).
  • A database dump in SQL format, containing more data, including locations.

A terrible situation, needlessly caused by an app most folks wouldn’t want on their devices.

Well, it seems the breach was a step too far for LetMeSpy too. So much data was deleted that new users are now blocked from creating an account. A permanent shutdown will take place in August. TechCrunch notes that the app is no longer available for download, and currently installed versions seem to be completely dead, as per a network traffic analysis.

A nonprofit transparency collective called DDoSecrets told TechCrunch that the app had been used to steal data from more than 13,000 compromised devices “until recently”. This is quite a bit lower than the 236k devices the LetMeSpy website claimed to be residing on.

We recently covered the LetMeSpy hack on our Lock and Code podcast, asking (among other things) if there’s ever a situation where a hack like this could be considered “good”.

How to prevent spyware and stalkerware-type apps

  • Set a screen lock on your phone and don’t let anyone else access it.
  • Keep your phone up-to-date. Make sure you’re always on the latest version of your phone’s software.
  • Use an antivirus on your phone. Malwarebytes for Android shows you exactly what information you’re sharing with each app on Android, so you can keep an eye on your privacy. Malwarebytes detects the LetMeSpy app as Android/Monitor.LetMeSpy.

Coalition Against Stalkerware

Malwarebytes is a founding member of the Coalition Against Stalkerware. We continue to share intelligence with the Coalition Against Stalkerware to improve industry-wide detections while also guiding the domestic abuse support networks within the coalition through thorny, technical questions of detection, removal, and prevention.


We don’t just report on Android security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your Android devices by downloading Malwarebytes for Android today.

TikTok facing fines for violating children’s privacy

The European Data Protection Board is expected to fine TikTok for violating the privacy of young children within the next four weeks.

The European Data Protection Board said a binding decision has been reached over TikTok’s processing of children’s data, after the ByteDance-owned app submitted legal objections to an earlier ruling in Ireland, the home of the company’s European headquarters. The size of the fine is not yet known but will surely be in the millions of Euros.

This proceeding started in 2021, when the Dutch DPA imposed a fine of €750,000 ($820,000) on TikTok. The main reason was that the information provided during the installation and usage of the app was in English and thus not readily understandable, especially for children. Not offering their privacy statement in Dutch was an infringement of privacy legislation by itself, because users have a right to be given a clear idea of what happens with their personal data.

The results of the Dutch investigation were handed to the Irish Data Protection Commission. Initially TikTok did not have its head office in Europe but in the course of the Dutch investigation, TikTok established operations in Ireland. If a company does not have its headquarters in Europe, any EU member state can engage in oversight with regard to its activities. In the case of companies that do have their headquarters in Europe, this responsibility would fall mainly to the country where the headquarters are located.

The subsequent investigation by the Irish Data Protection Commission into TikTok’s level of compliance with the General Data Protection Regulation (GDPR), and how it handles the data of children between the ages of 13 and 17, brought to light problems regarding TikTok’s processing of children’s personal data and its age verification measures for children under 13.

In April of 2023, TikTok was ordered to pay a fine of £12.7M ($15.6M) for failing to protect 1.4 million UK children under the age of 13 from accessing its platform in 2020. The Information Commissioner’s Office (ICO), the UK’s data protection watchdog, imposed the fine after finding the company used children’s data without parental consent. According to the ICO, many children were able to access the site despite TikTok setting 13 as the minimum age to create an account. This exposed them to vulnerabilities and inappropriate content. According to the ICO, the company may have used the data for tracking and profiling purposes. It may have also presented children with content deemed potentially harmful or inappropriate.

To improve compliance with new European Union regulations on content, TikTok announced a number of new features for European users:

  • Making it easier for EU users to report illegal content
  • Allowing them to turn off personalized recommendations for videos
  • Removing targeted advertising for users aged 13 to 17

The company stated:

“We will continue to not only meet our regulatory obligations, but also strive to set new standards through innovative solutions.”

In the US TikTok has received a lot of criticism in the last few years as well. Among other things it’s been called an “unacceptable security risk” by the commissioner of the FCC and was accused of gathering data on people who don’t even use the app by a US consumer non-profit.

In April we explained what was going on and whether you had reasons to be worried from an organizational standpoint. The risks of allowing TikTok on corporate or hybrid devices very much depend on your threat model. While it is understandable that governments, the military, or defense contractors are among the first to ban TikTok from these devices, many other organizations are facing a lot of threats that are a much greater concern.


Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

FCC comes down hard on robocallers with record $300m fine

Robocallers are in the news after the FCC issued a $300 million forfeiture to a persistent offender and shut down their operation.

A robocall network makes use of automated software diallers to spam out large numbers of cold calls to unsuspecting recipients. These calls promise much but give very little. Anyone taking the bait stands a good chance of losing control of their personal data or suffering from all manner of dubious payments leaving their bank account.

Cold calling has been associated with scam tactics for decades, and the growing number of ways to combat these techniques (like Do Not Call lists) are routinely ignored by the robocallers. This has, inevitably, brought us to our eye-wateringly large $300m fine aimed squarely at one of the most persistent robocalling operations yet seen.

From the official statement(s) regarding the record penalty:

The Federal Communications Commission today issued a record-breaking $299,997,000 fine for auto warranty scam robocalls made by the largest illegal robocall operation the agency has ever investigated. An international network of companies violated federal statutes and the Commission’s regulations when they executed a scheme to make more than five billion robocalls to more than 500 million phone numbers during a three-month span in 2021, including violating federal spoofing laws by using more than one million different caller ID numbers in an attempt to disguise the true origin of the robocalls and trick victims into answering the phone.

The enterprise violated a multitude of robocall prohibitions by making pre-recorded voice calls to mobile phones without prior express consent, placing telemarketing calls without written consent, dialing numbers included on the National Do Not Call Registry, failing to identify the caller at the start of the message, and failing to provide a call-back number that allowed consumers to opt out of future calls. The calls also violated spoofing laws by using misleading caller ID to disguise the enterprise’s role and prompt consumers to answer.

Insurance, claims, and compensation are all robocall topics you should avoid when the phone inevitably rings. This kind of call will never quite go to plan for anyone other than the individuals operating the robocalling software.

In this case, the bait being used was the claim of auto warranties in return for the collection of personal data from call recipients.

TechCrunch notes that the robocalls “exhibited the standard robocall characteristics” of failing to identify the caller, spoofing area codes, and ignoring various consent laws like the Do Not Call list.

No fewer than an astonishing five billion calls were made by the companies responsible for this operation. Members of the FCC themselves received some of these calls, which on reflection seems like a very poor decision made by the robocalling technology.

The FCC explains the sheer scale of the operation, alongside some of the tactics used to shut it down permanently:

Since at least 2018, this enterprise operated a complex scheme designed to facilitate the sale of vehicle service contracts under the false and misleading claim of selling auto warranties. Two of the central players of the operation, Roy M. Cox and Aaron Michael Jones, were under lifetime bans against making telemarketing calls following lawsuits by the Federal Trade Commission and State of Texas.  The multi-national enterprise did business as Sumco Panama, Virtual Telecom, Davis Telecom, Geist Telecom, Fugle Telecom, Tech Direct, Mobi Telecom, and Posting Express.

Last year, to stop this then-ongoing telemarketing campaign in its tracks, the FCC directed all U.S.-based voice service providers to cease carrying traffic associated with certain members of the enterprise.  As a result, these illegal auto warranty robocalls dropped by 99%. That enforcement action was taken in coordination with the Ohio Attorney General’s Office, which brought a lawsuit under the Telephone Consumer Protection Act against several entities and individuals associated with the enterprise. The Commission also proposed a fine and offered the parties a chance to respond, which they did not do, resulting in today’s unprecedented fine. Should the parties not pay the fine promptly, this matter will be referred to the U.S. Department of Justice for collection.

Sadly it remains to be seen whether the eye-watering fine will be enforced and those responsible made to pay up. Robocalling is so popular that even with such massive fines being thrown around, people making use of it will not simply abandon ship. We’ll be stuck with all manner of robocalling technology for some time to come.

Back to the FCC:

What happens next?  Under the law we will refer this Forfeiture Order to the Department of Justice to collect payment.  I hope, however, that Congress will consider giving the FCC authority to go to court and collect these fines ourselves. In the meantime, we will keep using the tools we have to hold those behind fraudulent calling schemes accountable. In fact, just this week the Enforcement Bureau identified another source of illegal robocalls and we have put all phone companies on notice they can block these calls.  We know the scam artists behind these calls are relentless—but we are coming for them and won’t stop until we get this junk off the line.  

Sounds good! In the meantime though, you’ll have to take some action of your own to help ward off the threat posed by robocallers. Entities such as the FCC can and will go into battle on your behalf, but we can speed things along by doing our part too.

What you can do to stem the tide of robocalling

  • Report the call to the FCC, Federal Trade Commission (FTC), and your attorney general. Doing so will help the collective efforts of regulators and phone companies in blocking these numbers.
  • Do not give out your number online or post it publicly in your social media profiles. They will likely be collected by scammers.
  • Some apps can help analyse the calls you receive and respond or reroute the call effectively. Your mobile provider may already include this technology in their network, so it’s worth asking before opening up your iOS or Android store. Additionally, the FCC passed a rule that gives phone companies the power to proactively block numbers that do not or cannot make outgoing calls.
  • Go old-school by turning off your landline’s ringer and then feeding the call to an answering machine with a caller ID. You can always return the call if you have determined that the caller is using a legitimate number or has actually left a message worth returning.
  • If you happen to pick up a call from a robocaller, hang up immediately and don’t say anything down the line because it’s almost certainly being recorded.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

A week in security (July 31 – August 6)

Last week on Malwarebytes Labs:

Stay safe!


Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.


New Security Advisor amps up security in minutes

Malwarebytes Security Advisor, a transformation of the Nebula customer experience, enables organizations to visualize and improve their security posture in just a few clicks.

“If you’re not fully configured, you aren’t fully protected,” says Jonny Rivera, Director, Customer Experience Strategy. Rivera has worked with Malwarebytes customers to optimize their deployments and saw that there were big gaps in understanding their overall cybersecurity posture, including what assets they had and how policies were configured.

Security Advisor Dashboard

Security Advisor analyzes an organization’s cybersecurity health—such as by assessment of current inventory and which assets are vulnerable—and generates a score based off what it finds, illuminating gaps in defenses and providing actionable recommendations for improvements that can be made in minutes.

In this post, we’ll demonstrate how Security Advisor works and how it’s improving organizations’ security postures.

Read the full features here: https://service.malwarebytes.com/hc/en-us/articles/18242146189587-Understanding-the-Security-Advisor-in-Nebula

Why Security Advisor?

In a world where a whopping 70% of IT security personnel cite increasing workload and lack of visibility into IT infrastructure as top barriers to success, it’s easy to see why simplicity is the key to optimizing security while reducing employee burnout.

But there’s a problem.

Without a real-time snapshot of device usage or quick summaries of outdated applications, for example, IT teams are left scrambling to pick up the pieces of the information most important to them—ultimately increasing the mean time to resolution (MTTR) from days to possibly months.

Enter Malwarebytes Security Advisor.

A Leap Beyond Traditional Reporting

Security Advisor overview page

Security Advisor understands the specific tasks IT & security teams must perform, and flags which are crucial before a security issue arises.

With Security Advisor, organizations now have a real-time view into four key areas:

1. The CURRENT STATE of their security posture. Security Advisor provides a comprehensive snapshot of the existing security measures, revealing vulnerabilities and strengths such as properly configured policies or endpoint deployment.

2. The steps to IMPROVE the organization’s current security posture. Once the current state is understood, Security Advisor outlines actionable steps that organizations can take to enhance security measures, mitigate risk and safeguard assets.

Security Advisor policy optimization 

3. How to MAINTAIN the improved security posture. Since security doesn’t end with the implementation of improvements, Security Advisor guides customers on how to maintain the elevated security status over time, ensuring sustained protection.

4. How to REPORT the organization’s current posture. Crucial for transparency and accountability, Security Advisor equips users with the tools to effectively communicate the company’s security status.

By guiding and facilitating immediate actions, Security Advisor speeds a holistic approach to security management.

Key Features

Inventory Check

Security Advisor offers a complete inventory of physical and digital assets, identifies which devices and services are in use and by whom, and presents this information in a user-friendly dashboard.

Current State Analysis

Assesses the vulnerabilities associated with your assets. It checks for out-of-date devices, scans for threats, evaluates data security, and identifies any employees who may pose a greater security risk.

Security Advisor issues by severity

Access Control

Security Advisor enables simple and intuitive configuration of permissions and keeps track of changes over time, providing clear visibility of user permissions.

Maintenance and Reporting

Security Advisor’s maintenance and reporting capabilities provide real-time status updates and prompt alerts on any emerging issues, while also supporting compliance reporting for various regulations.

Adaptive Recommendations

As your business changes and grows, Security Advisor offers suggestions for additional security solutions that can further enhance the organization’s security portfolio.

Benchmarking

Security Advisor leverages anonymized data from all Malwarebytes customers to provide benchmark comparisons with other organizations with a similar security mix.

“Whether it’s checking to see if EDR policies are properly configured or making sure scheduled scans are running regularly, we’re providing the recommended actions organizations need to quickly improve security and get back to running their business,” said Jonny Rivera.

Try Security Advisor Today

Ready to improve your organization’s security posture? Nebula users can start using Security Advisor today, free-of-charge.

Not a Nebula user? Get a free demo.

2022’s most routinely exploited vulnerabilities—history repeats

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), and international partners have released a joint Cybersecurity Advisory (CSA) called the 2022 Top Routinely Exploited Vulnerabilities.

We went over the list and it felt like a bad trip down memory lane. If you adhere to the expression “those who ignore history are doomed to repeat it”, then you may consider the list a valuable resource that you can derive lessons from. Unfortunately, as George Bernard Shaw said:

“We learn from history that we learn nothing from history.”

But since that’s a self-contradicting expression, let’s assume there are lessons to be learned.

Last year’s top vulnerabilities

First let me show you the bad memories. The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. We will use the CVE codes to uniquely identify the covered vulnerabilities.

  • CVE-2021-40539 is a REST API authentication bypass vulnerability in ManageEngine’s single sign-on (SSO) solution which results in remote code execution (RCE). When word of this vulnerability came out it was already clear that it was being exploited in the wild. Noteworthy is that this vulnerability also made it into the top 5 routinely exploited vulnerabilities of 2021.
  • CVE-2021-44228, aka Log4Shell, is a vulnerability in Apache’s Log4j library, an open-source logging framework incorporated into thousands of other products. Malicious cyber actors began exploiting the vulnerability after it was publicly disclosed in December 2021, and continued to show high interest throughout the first half of 2022.
  • CVE-2018-13379 is a vulnerability affecting Fortinet SSL VPNs, which was also routinely exploited in 2020 and 2021.
  • ProxyShell is a combination of three vulnerabilities in Microsoft Exchange Server (CVE-2021-34473, CVE-2021-31207, and CVE-2021-34523) that can be chained together to allow a remote attacker to break in, take control, and then do bad things on an unpatched server. ProxyShell also made it into the top 5 routinely exploited vulnerabilities of 2021.
  • CVE-2021-26084 is a vulnerability affecting Atlassian Confluence Server and Data Center which could enable an unauthenticated cyber actor to execute arbitrary code on vulnerable systems. This vulnerability quickly became one of the most routinely exploited vulnerabilities after a proof-of-concept (PoC) was released within a week of its disclosure. Attempted mass exploitation of this vulnerability was observed in September 2021 and also made it into the top 5 routinely exploited vulnerabilities of 2021.

Looking at the above, it looks like Shaw was at least partly right. We are not learning from history. It also indicates that we should be able to predict some of the vulnerabilities that will show up in next year’s list. Let’s take a stab at that. So we’re looking for easy-to-overlook and/or hard-to-patch vulnerabilities in the 2022 list that we haven’t already covered above.

This year’s top vulnerabilities?

These are the ones that I think will make it to the top 10 next year, maybe together with the ones that have already been around for years.

  • CVE-2022-22954 and CVE-2022-22960 are two vulnerabilities that can be chained to allow remote code execution (RCE), privilege escalation, and authentication bypass in VMware Workspace ONE Access, Identity Manager, and other VMware products. Exploitation of these VMware vulnerabilities began in early 2022 and attempts continued throughout the remainder of the year.
  • CVE-2022-26134 is a critical RCE vulnerability that affects Atlassian Confluence and Data Center. The vulnerability, which was likely initially exploited as a zero-day before public disclosure in June 2022, is related to an older Confluence vulnerability (see CVE-2021-26084 above), which cyber actors also exploited in 2022.
  • CVE-2022-1388 is a vulnerability in the F5 BIG IP platform that allows attackers to bypass authentication on internet-exposed iControl interfaces, potentially executing arbitrary commands, creating or deleting files, or disabling services.
  • CVE-2022-30190, aka Follina, is a Microsoft Windows Support Diagnostic Tool RCE vulnerability. An attacker can send you a malicious Office document that will compromise your machine with malware when you open it.

So I was hoping we could strike a deal. I’ll check next year how well this prediction does, and you all patch these vulnerabilities real quick, so I can write about some new ones next year.
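The practical use of both CVE lists above (last year’s and this year’s predictions) is patch prioritization: whatever your vulnerability scanner reports, the CVEs that CISA and partners say are routinely exploited should go to the front of the queue. The script below is an added example, not code from the advisory or from Malwarebytes. It embeds the CVE IDs named in this post, normalizes and validates identifiers pulled from a scanner export (the scanner CSV, hostnames and the `CVE-2099-00001` entry are constructed placeholders, not real systems or a real CVE), and groups findings per host with routinely exploited CVEs tagged for immediate patching.

```python
"""Prioritize vulnerability-scanner findings against routinely exploited CVEs.

Added example; the CVE IDs in ROUTINELY_EXPLOITED are the ones named in the
post above. SAMPLE_EXPORT is constructed sample data, not a real scan.
"""
import csv
import io
import re
from collections import defaultdict

# Canonical CVE identifier syntax: CVE-<4-digit year>-<4 or more digits>.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# CVEs from the 2021 and 2022 "routinely exploited" lists discussed in the post.
ROUTINELY_EXPLOITED = {
    "CVE-2021-40539": "ManageEngine SSO REST API auth bypass (RCE)",
    "CVE-2021-44228": "Apache Log4j (Log4Shell)",
    "CVE-2018-13379": "Fortinet SSL VPN",
    "CVE-2021-34473": "Microsoft Exchange Server (ProxyShell)",
    "CVE-2021-31207": "Microsoft Exchange Server (ProxyShell)",
    "CVE-2021-34523": "Microsoft Exchange Server (ProxyShell)",
    "CVE-2021-26084": "Atlassian Confluence Server and Data Center",
    "CVE-2022-22954": "VMware Workspace ONE Access / Identity Manager",
    "CVE-2022-22960": "VMware Workspace ONE Access / Identity Manager",
    "CVE-2022-26134": "Atlassian Confluence and Data Center",
    "CVE-2022-1388": "F5 BIG-IP iControl auth bypass",
    "CVE-2022-30190": "Windows Support Diagnostic Tool (Follina)",
}

# Constructed scanner export: hostnames are made up, CVE-2099-00001 is a
# placeholder (not a real CVE), and the last row is deliberately malformed.
SAMPLE_EXPORT = """\
host,software,cve
web-01,Apache Log4j,CVE-2021-44228
vpn-01,Fortinet SSL VPN,CVE-2018-13379
mail-01,Microsoft Exchange Server,CVE-2021-34473
mail-01,Microsoft Exchange Server,CVE-2021-31207
wiki-01,Atlassian Confluence,cve-2022-26134
wiki-01,Atlassian Confluence,CVE-2021-26084
app-01,Internal App,CVE-2099-00001
app-01,Internal App,not-a-cve
"""


def normalize_cve(raw):
    """Return the canonical upper-case CVE ID, or None if the string is not one."""
    cve = raw.strip().upper()
    return cve if CVE_RE.match(cve) else None


def parse_scan_export(text):
    """Parse a host,software,cve CSV; rows whose CVE field is invalid are dropped."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        cve = normalize_cve(row["cve"])
        if cve is None:
            continue  # scanner noise or a typo; never silently treat as a CVE
        findings.append((row["host"].strip(), row["software"].strip(), cve))
    return findings


def prioritize(findings, exploited=ROUTINELY_EXPLOITED):
    """Group findings per host; CVEs on the exploited list are tagged 'patch-now'."""
    plan = defaultdict(list)
    for host, software, cve in findings:
        priority = "patch-now" if cve in exploited else "schedule"
        plan[host].append({"cve": cve, "software": software, "priority": priority})
    for items in plan.values():
        # 'patch-now' first, then by CVE ID so output is stable across runs.
        items.sort(key=lambda i: (i["priority"] != "patch-now", i["cve"]))
    return dict(plan)


def patch_now_hosts(plan):
    """Sorted hosts that carry at least one routinely exploited CVE."""
    return sorted(h for h, items in plan.items()
                  if any(i["priority"] == "patch-now" for i in items))


if __name__ == "__main__":
    plan = prioritize(parse_scan_export(SAMPLE_EXPORT))
    for host in patch_now_hosts(plan):
        for item in plan[host]:
            if item["priority"] == "patch-now":
                print(f"{host}: {item['cve']} - {ROUTINELY_EXPLOITED[item['cve']]}")
```

Feeding a real scanner export in the same three-column shape is enough to get a per-host "patch now" list; the identifier check matters because scanner and ticket exports routinely carry lower-cased or truncated CVE IDs that would otherwise never match the advisory list.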


We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.