IT NEWS

Ransomware generates big money for the groups behind it, with new research confirming (some) of the scale of the problem. Chainalysis, a blockchain research firm, looked at data from monitored cryptocurrency wallets, concluding that around $449 million has been taken from victims in the last six months.

As The Record correctly notes, the actual figure will likely be significantly higher because only monitored wallets are included in the study. In terms of what’s going on out there, payments under $1,000 and above $100,000 are both on the up. It’s claimed that ransomware groups could pull in around $900 million in 2023, with the return of “big game hunting” being one of the key factors for the bump.

What is big game hunting? Well, this is the practice of targeting large, financially well-off corporations in order to secure the biggest possible payouts. Even with the increase in attacks on smaller companies, taking on the big entities is where the most enticing payouts are waiting to be had.

As an example of payout sizes, BlackBasta’s 2023 average payment size is $762,634 and its median is $147,106. Cl0p checks in with a $1,730,486 average and a $1,946,335 median. At the other end of the scale the smaller, less sophisticated deployments such as Phobos creep into view with a $1,719 average and a $300 median.

No matter the size of the payment, they are ultimately securing said payments and continuing to make bank. It’s also suspected that as more firms refuse to pay their extortionists, so too are the ransomware authors responding by increasing their ransom demands. The research also notes that additional tactics are being used in cases of non payment to up the ante further. Threats to leak data, sell it online, break other parts of the business, attack related firms, or even harass employees are all tactics ransomware authors can make use of.

It’s not all doom and gloom where cryptocurrency payments are concerned. With the notable exception of ransomware, cryptocurrency crime across 2023 is in “sharp decline”. Cryptocurrency businesses are getting a handle on scams, users new and old are learning about how to protect their investments, and law enforcement pressure on cryptocurrency fraud is likely having an impact.

Back in the realm of ransomware, things aren’t perhaps quite as good with some of the big hitters from our June ransomware review serving up exploits, dubious “charity donation” requests, and an increase in attacks on education.

Elsewhere, we have students being used to apply pressure to impacted organisations and relentless attacks on schools. It would be unwise to think the scale of ransomware’s day to day impact is in any danger of dropping off anytime soon.

How to avoid ransomware

• Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
• Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
• Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
• Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
• Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

A group of seven US senators has sent a letter to the heads of the IRS, the Department of Justice, the Federal Trade Commission and the IRS watchdog, revealing that they have found evidence that reveals “a shocking breach of taxpayer privacy by tax prep companies and by Big Tech firms.”

According to the letter, information about tens of millions of US taxpayers was sent by three tax preparation firms to social media giant Meta. The letter asked the agencies to immediately open an investigation.

The tax firms used Pixel code on their websites to track and improve their media campaigns. Pixel is an integral part of Meta’s tracking infrastructure which collects data about people online. Data which is eventually used for targeted advertising, tailored content recommendations, and to train its algorithms.

The Pixel code is freely available and designed to help both the website owner and Meta. The code gathered information like names and email addresses, but also more detailed information, including data on users’ income, filing status, refund amounts, and dependents’ college scholarship amounts.

Despite what you might expect, it doesn’t matter whether the person using the tax filing service has an account on Facebook or other platforms operated by Meta.

One of the tax preparation firms stated that they used the Meta Pixel to deliver a more personalized experience for their customers.

“We did NOT know and were never notified that personal tax information was being collected by Facebook from the Pixel.”

Meta, on the other hand stated that it feels it has been clear in its policies that advertisers should not send sensitive information about people through its business tools.

“Doing so is against our policies and we educate advertisers on properly setting up Business tools to prevent this from occurring. Our system is designed to filter out potentially sensitive data it is able to detect.”

With both sides agreeing that this should not have happened, we wholeheartedly agree, but it does not explain why it happened anyway.

The problem was flagged earlier by the Markup. We reported about their Pixel Hunt project in January of 2022. The Markup also found Google’s analytics tool on one of the tax preparator’s  websites, but that didn’t send out any names, although it did send some of the financial information to Google.

The three tax preparation firms mentioned in the letter are H&R Block, TaxAct, and TaxSlayer. The information gathered on the websites of these firms has been sent to Meta over the course of at least two years.

If you don’t want your information to be gathered and shared by trackers, you can use solutions like Malwarebytes Browser Guard, a browser extension that, among others, blocks third-party ad trackers.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

AV-TEST, a leading independent tester of cybersecurity solutions, has just given Malwarebytes two Advanced awards for the ability of our consumer and business products to protect against the latest attack techniques.

Let’s take a deeper dive into the test and the results.

Advanced Threat Protection test breakdown

AV-Test’s bi-monthly Advanced Threat Protection exam scrutinizes Windows 11 security products, testing their ability to counter new attack methods.

In the April 2023 trial, they assessed defenses against the “Inline Execute Assembly” technique used by data stealers and ransomware. The test involved 10 malware samples sent via spearphishing emails. If not caught early, data stealers could siphon off data, and ransomware could start encrypting data, while communicating with a C2 server. 

Points were given for detecting key attack phases, with a perfect score being 35 points.

In the latest results, both Malwarebytes Premium and Malwarebytes Endpoint Protection aced the test, earning the top “Advanced” rating for detecting 10/10 samples and receiving the full 35/35 points.

Check out the full results: https://www.av-test.org/en/news/advanced-threat-protection-against-the-latest-data-stealers-and-ransomware-techniques/

Advanced test: Enterprise results

Malwarebytes Endpoint Protection successfully detected and blocked all ten instances of malware (5 data stealers and 5 ransomware samples) sent via spearphishing emails in the initial two steps—when they first landed on the system and when they attempted to become active—thereby passing all tests in these phases.

Advanced test: Consumer results

Malwarebytes Premium fared no differently, having also successfully detected and blocked all ten instances of malware when they first landed on the system and attempted to become active.

The foundation for superior Endpoint Detection and Response (EDR)

Malwarebytes Endpoint Protection (EP) is not merely a standalone product; it’s the bedrock of our Malwarebytes Endpoint Detection and Response (EDR) solution.

Leveraging the robust detection and prevention capabilities validated by AV-Test, Malwarebytes EDR constantly monitors endpoint systems and automatically kills processes associated with advanced threat activity. Learn more about our endpoint security solutions.

GET A FREE BUSINESS TRIAL

Learn more about what experts and customers are saying about Malwarebytes:

Malwarebytes recognized as endpoint security leader by G2

MITRE ATT&CK® Evaluation results: Malwarebytes’ efficiency, delivered simply, earns high marks

Malwarebytes receives highest rankings in recent third-party tests

Malwarebytes outperforms competition in latest MRG Effitas assessment

An unpatched zero-day vulnerability is currently being abused in the wild, targeting those with an interest in Ukraine. Microsoft reports that CVE-2023-36884 is tied to reports of:

…a series of remote code execution vulnerabilities impacting Windows and Office products. Microsoft is aware of targeted attacks that attempt to exploit these vulnerabilities by using specially-crafted Microsoft Office documents. An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. However, an attacker would have to convince the victim to open the malicious file.

While the CVE is being updated with new information and links to appropriate security information, the Microsoft Security Blog is currently exploring the issue in detail.

This all ties back to a phishing campaign operated by a group being tracked as “Storm-0978” which targets defence and government entities in both Europe and North America. The campaign itself makes use of bait related to the Ukrainian World Congress, a non-profit organisation of “all Ukrainian public organisations in diaspora”.

These infections originate from remote code execution via Word documents exploiting the above Ukraine-themed bait, as well as an “abuse of vulnerabilities contributing to a security feature bypass”. A fake OneDrive loader delivers a backdoor with similarities to RomCom, their primary backdoor tool. It’s unusual to observe websites involved in this kind of attack still be online hours after a reveal, but here are some shots we took of both site and downloads (thanks to Jerome):

Some of the other attacks launched by this group involve distribution of trojanized versions of popular software. Once the backdoor has taken hold, the group “may steal credentials to be used in targeted operations”.

Popular tools used for these installations include trojanized versions of Solarwinds Network Performance Monitor, KeePass, Signal, and Adobe products. Bogus domains imitating the real thing are registered and used as convincing fronts for the infected software.

Microsoft notes that this group also has a hand in ransomware attacks, though it is less targeted in nature and unrelated to any espionage-themed operations. Attacks which have been identified as belonging to Storm-0978 in this realm have impacted finance and telecommunications industries.

A variety of attacks on several fronts, then. 

Microsoft gives the following advice for organisations concerned with the potential threat of compromise from the most recent attacks:

CVE-2023-36884 specific recommendations

• Customers who use Microsoft Defender for Office 365 are protected from attachments that attempt to exploit CVE-2023-36884.
• In current attack chains, the use of the Block all Office applications from creating child processes attack surface reduction rule prevents the vulnerability from being exploited
• Organizations who cannot take advantage of these protections can set the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to avoid exploitation.  Please note that while these registry settings would mitigate exploitation of this issue, it could affect regular functionality for certain use cases related to these applications.

You could also consider blocking outbound SMB traffic.

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

This article is based on research by Marcelo Rivero, Malwarebytes’ ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, “known attacks” are those where the victim did not pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher.

Following a three-month lull of activity, Cl0p returned with a vengeance in June and beat out LockBit as the month’s most active ransomware gang. The group’s 91 attacks come not long after their extensive GoAnywhere campaign in March, when they hit over 100 organizations using a nasty zero-day.

June also witnessed a staggering increase in attacks from relatively new gangs such as Akira (26) and 8Base (41), enough to propel both of them into the top five—a designation usually reserved for more familiar names like ALPHV, who was conspicuously silent in June. 

Other big stories in June include a suspected LockBit affiliate arrest, the Royal ransomware gang toying with a new encryptor, and a notable increase in attacks on the Manufacturing sector.

Comparing June to the earlier months of the year, we notice several shifts in ransomware activity. There was a massive decrease in the activity from Royal, for example, which normally dominates the monthly rankings—often cracking into the top five—with an average of roughly 30 attacks a month in that period. But last month, they posted just two victims. 

While a sudden dip in attacks isn’t too unusual for top ransomware gangs, it’s worth mentioning that in last month’s review we speculated that Royal might be going through a rebrand. That’s because a new ransomware called BlackSuit had appeared which shared 98 percent of its code with the infamous Royal ransomware.

Considering that both Royal and BlackSuit were active last month, however, a rebrand probably isn’t happening any time soon. Instead, it’s likely that Royal is simply testing a new encryptor—especially considering that BlackSuit was used in just two attacks last month—and that this lull can be explained as more or less of a research period for them.

Other interesting anomalies in June include 47 attacks on the Manufacturing industry (which usually averages around 20 attacks a month) and notable increases in attacks on Switzerland (14) and Brazil (13), both of which are normally attacked only two or three times a month. Part of this can be explained by the fact that 8BASE disproportionately attacked Brazil with 11 attacks last month, while PLAY focused on Switzerland (5).

Known ransomware attacks by country, June 2023

Cl0p’s precipitous rise to the top of the charts this month, on the other hand, can be explained by their exploitation of a zero-day in MOVEit Transfer, a widely used file transfer software.

The vulnerability, which could allow attackers to gain escalated privileges and unauthorized access to an environment, was first disclosed on May 31st in a security bulletin released by Progress. But while it was clear earlier on that attackers were actively exploiting CVE-2023-34362, it was only a few days later that it became clear that Cl0p was behind the attacks. A Cl0p representative confirmed that they had been testing the vulnerability since July 2021 and that they had decided to deploy it over the Memorial Day weekend. What’s more, two other vulnerabilities in MOVEit were found while new victims were still coming forward.

In terms of the fallout, it’s tough to overstate the havoc Cl0p was able to wreck thanks to the zero-day.

The MOVEit data breaches had widespread impacts, affecting everything from the Oregon DMV and Louisiana OMV (Office of Motor Vehicles)—including the leak of nearly 10 million drivers’ licenses—to the University of Rochester and multiple corporations. PBI Research Services also reported a data breach that exposed information for 4.75 million people. The government even offered a reward of up to $10 million for information on Cl0p after several federal agencies in the US fell victim to the gang.

LockBit 

LockBit reportedly squeezed about $91 million out of US organizations with around 1,700 attacks since 2020, according to a June report by CISA. As confirmed by our own research data, CISA also found LockBit took the top spot as the biggest global ransomware threat in 2022.

As for who was hit the hardest, around 16 percent of ransomware incidents affecting State, Local, Tribal, and Tribunal (SLTT) governments were from LockBit, says the MS-ISAC.

In other news, a suspected LockBit affiliate named Ruslan Magomedovich Astamirov, a 20-year-old from the Chechen Republic, was arrested in Arizona last month. The US Justice Department thinks he’s been deploying LockBit ransomware on victim networks both in the States and overseas, with the investigation having run from August 2020 through March 2023.

Astamirov is now facing charges of wire fraud and of intentionally damaging protected computers, plus he’s accused of making ransom demands through deploying ransomware. The arrest makes him the third LockBit affiliate charged in the US since November.

Newcomers

NoEscape

NoEscape is a new ransomware which been doing the rounds in underground forums since May 2023. Developed in-house using C++, the NoEscape ransomware uses a hybrid approach to encryption, combining ChaCha20 and RSA encryption algorithms for file encryption and key protection.

Last month, NoEscape posted 7 victims on their leak site.

Darkrace

DarkRace is a new ransomware group first discovered by researcher S!Ri. Darkrace specifically targets Windows operating systems and has several similarities to LockBit.

The gang attacked 10 victims last month, the majority of them being from the Information and Communications Technology (ICT) sectors. Geographically, most victims are located in Europe, specifically Italy. 

Rhysida

Rhysida, a new ransomware gang claiming to be a “cybersecurity team,” has been in operation since May 17, 2023, making headlines for their high-profile attack against the Chilean Army. 

The gang published a whopping eighteen victims on their leak site in June, making it one of the most prolific newcomers in our month reviews to-date.

Our recent webinar From Malvertising to Ransomware highlight the clear connection between malvertising—the practice of embedding malicious code within legitimate online advertisements—and the epidemic of ransomware attacks affecting businesses globally.

Presented by Mark Stockley, security evangelist at Malwarebytes, and Jerome Segura, Director of Threat Intelligence at Malwarebytes, the webinar explains how malvertising has evolved into an effective entry point in the cyberattack “kill chain.”

By leveraging the broad reach and precision targeting of digital advertising, threat actors can compromise systems, gather valuable credentials, and ultimately lay the groundwork for debilitating ransomware attacks. Speakers mention the Royal ransomware group as just one example of a threat actor using this tactic.

Toward the end of the webinar, the speakers provide a set of tips for protecting businesses from these attacks, including the importance of tools such as Endpoint Detection and Response (EDR) and Managed Detection and Response (MDR) in combatting them.

If you missed the live session, it’s not too late to get the low-down on the malvertising-ransomware connection. Watch the full webinar here to ensure you’re informed and prepared to tackle these nasty threats!

Watch the webinar 

Like all social media platforms, Facebook constantly has to deal with fake accounts, scams and malware. We have written about scams targeting consumers that redirect to fake Microsoft alert pages, but there are also threats targeting businesses that use Facebook to promote their products and services.

In the past few weeks, there’s been a resurgence in sponsored posts and accounts that impersonate Meta/Facebook’s own Ads Manager. Crooks are promising better advertising via optimization, and increased performance when you use their (malware-laden) software. Meta has tracked and analyzed several threat actors such as DuckTail that have been active for a number of years with a particular interest for Facebook advertising accounts.

Now, we’ve discovered a new attack that uses malicious Chrome extensions to steal Facebook account credentials and is not related to the DuckTail malware. While tracking this campaign, we noticed the threat actors made a mistake when they packaged one of the malware files with their own stolen data.

We have passed the information about this campaign and the threat actors to Meta and thank it for taking prompt action following our reporting.

Key takeaways

• Vietnamese threat actors are actively targeting Facebook business accounts
• Victims are lured via fake Ads Manager software promoted on Facebook
• Malicious Google Chrome extensions are used to steal and extract login information
• Over 800 victims worldwide, 310 in the US
• More than $180K in compromised ad budget

Fake Ads Manager accounts

Ads Manager is the product that enables users to run online ads on Facebook, Instagram and other platforms owned by Meta. An article in TechCrunch from May describes how scammers were buying ads from Meta via verified accounts. They were trying to entice potential victims into downloading software to manage their advertising via a “more professional and secure tool”.

In early June, we identified fraudulent accounts running the same scam using similar lures. It is also worth noting that these accounts often have tens of thousands of followers and any of their posts can quickly become viral. Scammers are primarily targeting business users who may spend ad dollars on the platform.

In order to compromise those accounts, they first need to redirect potential victims onto external websites. We’ve seen several different domains that are essentially phishing pages using the Meta logo and branding. The lure is the Facebook Ads Manager program that is pushed via a download link. We’ve seen various cloud providers abused to host these password-protected RAR archives ranging from Google to Trello, as seen below.

Malicious Chrome extension

Once extracted from the archive, the file is an MSI installer package that installs several components under C:Program Files (x86)Ads ManagerAds Manager. We can see a batch script (perhaps named after Google Bard), and two folders. One of them is for a custom Chrome extension while the System folder contains a standalone WebDriver file.

The batch script is launched after the MSI installer completes and essentially spawns a new browser window launched with the custom extension from that previous installation path, pointing the victim to the Facebook login page.

taskkill /F /IM chrome.exe
taskkill /F /IM chromedriver.exe
timeout /t 1 >nul
start chrome.exe --load-extension="%~dp0/nmmhkkegccagdldgiimedpiccmgmiedagg4" "https://www.facebook.com/business/tools/ads-manager"

That custom extension is cleverly disguised as Google Translate and is considered ‘Unpacked’ because it was loaded from the local computer, rather than the Chrome Web Store. A quick look at its source code reveals immediate hex obfuscation in an attempt to hide what it is actually doing.

After reverse engineering this extension, it became quite clear that it had nothing to do with Google Translate. In fact, the code is entirely focused on Facebook and grabbing important pieces of information that could allow an attacker to log into accounts. We can see that the threat actors are interested in Facebook cookies which they request via the cookies.getAll method.

We also notice an interesting way to exfiltrate that data by using Google Analytics. This technique was previously documented by HUMAN as a way to bypass CSP.

Accidental leak

In total, we identified over 20 different malicious Facebook Ad Manager archives that installed Chrome extensions or instead went with traditional malware executables. While there are variations between samples, the attackers’ main goal appears to be the same, namely to collect Facebook business accounts.

While investigating a new phishing site, we saw an archive for download that looked quite different from the others. Ironically, it seems like the threat actors made a mistake and instead of putting the payload, they leaked their own stolen data, or rather the data they stole from victims.

The site we came across pretends to be Meta Ads Manager and boasts the same claims of increasing ad performance that we’ve seen before. There is a button to download a file called Meta Ads Manager.rar which is hosted on Google Drive.

However, this archive does not contain the expected MSI installer, but instead several text files that were last modified on June 15:

While the file names are self-explanatory, we can see that they contain information about authentication (checkpoint, cookie, token). There is also information about the threat actor who shared this file (file owner) via Google Drive and their Gmail email address (this information has been passed to Meta for further action).

The first row of the file called List_ADS_Tach.txt contains column headers with some names in Vietnamese, confirming the nationality of the individuals behind these attacks. In total, there are 828 rows, which translates into just as many Facebook accounts that were breached.

As expected, the threat actors are particularly interested in their victims’ advertising accounts. We can see different metrics related to ad budget (column titles were translated from Vietnamese and may be slightly inaccurate) as well as currencies:

Prized accounts will be those that have a large remaining balance for ad spend. While we do not know if this threat actor is directly associated with DuckTail, they have the same motives of financial profit from hacked Facebook business accounts.

Finally, by converting the data into a map, we can see that victims are not confined to a particular geolocation, in fact they are distributed worldwide.

The threat actors realized their mistake a few days later and trashed the file from their Google Drive account. They also updated the download link on the phishing site, with a new file hosted via MediaFire (fortunately for users, the file was detected as malware and the download is blocked).

A low cost, high yield threat

Business users may be tempted to optimize their ad campaigns on Facebook by clicking on certain posts and downloading programs that claim to increase their earnings. This is, however, a very dangerous practice even if (or especially if) the instructions claim that the software is secure and free of malware. Remember that there is no silver bullet and anything that sounds too good to be true may very well be a scam in disguise.

Fraudsters have a lot of time of their hands and spend years studying and understanding how to abuse social media and cloud platforms, where it is a constant arm’s race to keep bad actors out. Based on reports highlighted in TechCrunch’s recent article, the threat actors may also reinvest some of the stolen ad budgets to place out malicious ads to ensnare more victims and perpetuating this cycle.

If you did happen to download one of those malicious Facebook Ad Manager installers, Malwarebytes has your back. We were already picking up several components from these campaigns and have added additional protection for optimal detection coverage. Victims will also want to revoke access to unknown users from their Business Manager account profile that the fraudsters may have added, as well as review their transactions history.

We would like to thank Meta for being receptive to our report and helping to keep users safe.

Indicators of Compromise

Decoy site

fbadmanage[.]info

RAR archives (password 888 or 999)

e73f53ea5dca6d45362fef233c65b99e5b394e97f4f2fe39b374e49c6a273e60
2082e4a8cd0495aabb0f72a41224f134214d0959e208facbfe960c8c74166cda
3638702c83364fc625c0f91388e9b06d94c3486ac0357038f66667d05f9c52e6
547955e97c945ad7283e1637ec0f5e2dbf13c7fb4885a854fb0744542579c6ff
587698e967d05a649428d3a4e45fd64fcea18affd5b021f15d01b8a39a244f8a
6719e6ba89b0a59d325f4531432195afe65154c1d63b9c3bab8ad8925f2f911d
72ba4254e94b7308de92652d1aaf29084fae55d01e0643df1050a638a3bd9dc8
76731d0ed28a552c6f673b6c3e1b08c0499d4b44050df6838439055e01990406
81d9bc3eabe578d606787ab191dd0ff7e8f58a06e35813591e17855daef8505b
8564962190135783b2f21c64cc05fdb226a89a7cbd309ca353fcc31a2a669f0e
8a6a2d439e537b5985b7492f0dded6ae3e1e80133c073d09849712c08927ca55
99057370f8c0312bb5b4a7ed0bd3753b60488e71576af210edd7f813514acb55
a29131934b589eb325a76c7d638ac3a0a55c5f185189c71cdf79d8d662129fb7
b146d19f7ea988f36449463931758935a54b58e1052dd3a5d20060b2e991b1da
c3704b2250e0e8663c86ad5a63e1051004d6967827ef90aab553ddfce682ca5a
c9f0da6aa38d4c3d38dc734d7937cdac47c272cca3e2df030242854a9661d314
d43d288368bad68e600dae08db5e4846adcaeb4a7d1902ab76417fca3f4c0cf7
e94b66b1a3f27dc282a451d3820b3d3d8380be9b9ebab04eedcf4bb0020908e8
f128cbfddf3d5c2f5742d3d5d5dae1a041023eba543ee2ddf4d8afdbd42f29b3
f1b14728d9f42def90e6eec8c32b2ef5eef43e73383eefa70bf70d8be953c3e5
f9ccac29307547adbf779338d6f22bde128feea847012f6392d7ef69cab30878

Analyzed MSI file

fd637520a9ca34f7b4b21164581a4ec498bf106ba168b5cb9fcd54b5c2caafd0

Malwarebytes EDR and MDR remove all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Cellular location phone data may be banned from sale in the state of Massachusetts, under a proposed law set to ruffle some data broker feathers.

The selling of location data has long been a point of contention for privacy experts. As with so much bulk user data, claims of anonymity from the sellers are never far behind. The reality is often quite different, with individuals or more general patterns routinely revealed in ways nobody thought possible. People were singled out from 500k AOL search records, and interesting findings were made from comparing a Netflix dataset to IMDB ratings back in 2006/07.

With location services, it’s even more important that anonymity is done correctly. Indeed, some would claim that attempts to anonymise data can never be 100% successful. Meanwhile location data can illustrate precise movements, patterns, a daily routine, or information regarding specific activities and pastimes—all of which can be used for nefarious purposes in the wrong hands.

Even when precautions have been taken, user data can still slip through the net in unusual ways. Not so long ago, researchers found it was possible to look at aggregate data from Strava and track the beginning and end positions of user routes via heat maps and social features.

It’s important, then, to try and get it right the first time with mobile data. Sadly, the odds are stacked against this when dedicated firms exist to tie IDs to names and addresses. With brokers selling the data behind the scenes, this proposed law aims to tackle the problem by simply taking the data off the table.

The Location Shield Act would do the following in Massachusetts:

It shall be unlawful for a covered entity or service provider that lawfully collects and processes location information to:—

(1)collect more precise location information than necessary to carry out the permissible purpose;

(2)retain location information longer than necessary to carry out the permissible purpose;

(3)sell, rent, trade, or lease location information to third parties; or

(4)derive or infer from location information any data that is not necessary to carry out a permissible purpose.

(5)disclose, cause to disclose, or assist with or facilitate the disclosure of an individual’s location information to third parties, unless such disclosure is (i) necessary to carry out the permissible purpose for which the information was collected, or (ii) requested by the individual to whom the location data pertains.

As the American Civil Liberties Union Massachusetts (ACLU) notes, the buying and selling of this data is unregulated and can impact on all manner of privacy and safety issues. Domestic abusers can track ex-partners. Foreign governments can use data for intelligence and tracking purposes. Employers can track and discriminate against employees. A variety of health and abortion access situations could lead to prosecution or harassment.

Owning a mobile device should not lead to this data being potentially made available to anyone with a credit card. There is strong voter support in Massachusetts for a law which would prevent this selling of personal location data, and the bill seems likely to pass.

The big question is whether or not it will inspire other states to follow suit and draft their own versions of a privacy issue sorely in need of rebalancing. 

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

It’s that time of the month again. For the July 2023 Patch Tuesday, Microsoft has issued security updates for 130 vulnerabilities. Nine of the vulnerabilities are rated as critical and four of them are known to be actively exploited.

The Cybersecurity & Infrastructure Security Agency (CISA) has already added these four vulnerabilities to the catalog of known to be exploited vulnerabilities.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The actively exploited vulnerabilities are listed as:

CVE-2023-32049 (CVSS score 8.8 out of 10): a Windows SmartScreen Security Feature Bypass vulnerability. The user would have to click on a specially crafted URL to be compromised by the attacker in which case the attacker would be able to bypass the Open File – Security Warning prompt.

CVE-2023-35311 (CVSS score 8.8 out of 10): a Microsoft Outlook Security Feature Bypass vulnerability. The user would have to click on a specially crafted URL to be compromised by the attacker in which case the attacker would be able to bypass the Microsoft Outlook Security Notice prompt. The Preview Pane is an attack vector, but additional user interaction is required.

CVE-2023-32046 (CVSS score 7.8 out of 10): a Windows MSHTML Platform Elevation of Privilege (EoP) vulnerability. Exploitation of the vulnerability requires that a user open a specially crafted file. An attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file in which case the attacker would gain the rights of the user that is running the affected application.

CVE-2023-36874 (CVSS score 7.8.out of 10): a Windows Error Reporting Service Elevation of Privilege vulnerability. An attacker who successfully exploited this vulnerability could gain administrator privileges but the attacker must have local access to the targeted machine and the user must be able to create folders and performance traces on the machine, with restricted privileges that normal users have by default.

The CVE below is under investigation and we will tell you more about it in a separate blogpost.

CVE-2023-36884 (CVSS score 8.3 out of 10): an Office and Windows HTML Remote Code Execution (RCE) vulnerability. An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. However, an attacker would have to convince the victim to open the malicious file.

Additionally, Microsoft issued an advisory titled Guidance on Microsoft Signed Drivers Being Used Maliciously. The advisory warns about drivers certified by Microsoft’s Windows Hardware Developer Program (MWHDP) which were being used maliciously in post-exploitation activity. In these attacks, the attacker gained administrative privileges on compromised systems before using the drivers. As a result of a Microsoft investigation, the partners’ seller accounts were suspended and detections for all the reported malicious drivers were added. Whether this really solves the problem of digitally signed malicious drivers is doubtful since there are publicly available tools to sign drivers.

Other vendors

Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.

Adobe has released security updates to address vulnerabilities affecting ColdFusion and InDesign. 

Apple has issued an RSR update for a vulnerability which it says may have been actively exploited.

Cisco has released security updates for several products.

Fortinet has released a security update to address a critical vulnerability (CVE-2023-33308) affecting FortiOS and FortiProxy.

Last week, Google patched three actively exploited Android zero-days.

MOVEit has fixed 3 new vulnerabilities in the Transfer software.

Mozilla has released a security update to address a vulnerability in Firefox and Firefox ESR.

SAP has released its July 2023 Patch Day updates.

VMware released VMware SD-WAN updates to fix a vulnerability.

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

For many, the summer months should be a time of peace: Maybe taking some vacation, maybe strolling across warm, soft sands as sapphire waves lap up against your feet, maybe even spending time with family (that you like).

But for determined cybercriminals, these periods of near-universal rest and relaxation are actually moments of attack.

In particular, ransomware gangs have shown a nasty habit of starting their attacks at the least convenient times: When computers are idle, when employees who might notice a problem are out of the office, and when the IT or security staff who might deal with it are shorthanded. 

Cybercriminals like to attack at night and at weekends, and they love holidays and special events. On the July 4 weekend in 2021, the REvil ransomware gang was likely hosting its own celebrations after pulling off an enormous supply-chain attack on Kaseya, one of the biggest IT solutions providers in the US for managed service providers (MSPs). Threat actors used a Kaseya VSA auto-update to push ransomware into more than 1,000 businesses.

But it isn’t just holiday weekends that cybercriminals leverage for attacks. They can also likely predict when IT professionals go on vacation—the summer.  

Why out-of-office attacks work

Ransomware works by encrypting huge numbers of files on as many of an organization’s computers as possible. Performing this kind of strong encryption is resource intensive and can take a long time, so even if an organization doesn’t spot the malware used in an attack, its tools might notice that something is amiss. 

“You never think you’re gonna be hit by ransomware,” said Ski Kacoroski, a system administrator with the Northshore School District in Washington state, speaking on Malwarebytes’ Lock & Code podcast. On the podcast, Kacoroski spoke about Northshore’s nighttime attack: 

“It was an early Saturday morning. I got a text from my manager saying ‘something is up’…after a short while I realized that [a] server had been hit by ransomware. It took us several more hours before we realized exactly how much had been hit.”

Kacaroski added “We had some high CPU utilizations alert the night before when they started their attack, but most of us were already asleep by midnight.”

Be prepared 

When REvil first attacked Kaseya in 2021, Malwarebytes Labs relied on the expertise of Adam Kujawa, a cybersecurity evangelist, to understand what steps organizations should take to minimize the chance that a holiday weekend could be ruined by a cyberattack. That advice is still good today—including for any IT or security employee going on vacation—so we’re offering it again for readers. 

Do these before leaving for vacation 

• Run a deep scan on all endpoints, servers, and interconnected systems to ensure there are no threats lurking on those systems, waiting to attack! 
• Once you know those systems are clean, force a password change a week or two out from the holiday or vacation time so any guessed or stolen credentials are rendered useless. 
• Employ stricter access requirements for sensitive data, such as multi-factor authentication (MFA), Manager Authorization, and requiring a local network connection. Although this will make it a more difficult for employees (for a short amount of time), this will also make it significantly more difficult for attackers to traverse networks and gain access to unauthorized data. Once the holiday or vacation time ends, you can revert these policies since you’ll have more eyes to watch out for threats. 
• Provide guidance to employees on not posting about vacations and/or holiday plans on social media. 
• Provide free—or free for a limited time—security software to employees to use on personal systems 
• Ensure all remotely accessible connections (e.g., VPNs, RDP connections) are secured with MFA. 

Schedule these during vacation 

• Ensure all non-essential systems and endpoints are shut down at the end of the day. 
• Reduce risk by disabling or shutting down systems and/or processes which might be exploitable, if they aren’t needed. 
• Ensure there is always someone watching the network during the holiday or planned vacation, and make sure they are equipped to handle a sudden attack situation. We suggest creating a cyberattack reaction and recovery plan that includes call sheets, procedures on communicating with law enforcement and collecting evidence, and what systems can be isolated or shut down without seriously affecting the operations of the organization.

“The only mistake in life is a lesson not learned”

When we asked Kacaroski why he came forward to tell his ransomware story when many others are reluctant to, he told us: “The only mistake in life is a lesson not learned.”

A lesson we can all learn here is that cybercriminals are not reluctant to ruin somebody’s vacation plans. So don’t wait for an attack to happen to your organization before you decide you need to be ready. Prepare now, and enjoy uninterrupted peace of mind during your vacation.

Ready to learn more about staying safe before heading out on vacation? Read more at our “Stay on Vacation” hub:

Stay on vacation