
Malvertising: A stealthy precursor to infostealers and ransomware attacks

This article is based on research by Jérôme Segura, Senior Director of Threat Intelligence at Malwarebytes, who oversees data collection from spam feeds and telemetry to identify the most relevant threats.

Malvertising, the practice of using online ads to spread malware, can have dire consequences—and the problem only seems to be growing.

New research from the Malwarebytes Threat Intelligence team shows over 800 malvertising-related attacks in 2023 so far alone, an average of almost 5 attacks per day. But even these are only the ones reported by security researchers—in reality the number is much higher.

Our research indicates that malvertising ads often deliver infostealer malware such as IcedID, Aurora Stealer, and BATLOADER among others. These programs steal credentials from users’ browsers or computers, sowing the seeds for a future ransomware attack.

Malvertising attack count throughout 2023

Ransomware gangs often buy stolen credentials from other cyber criminals involved in the dirty work of initial access brokering. In the case of malvertising, the chain of events looks something like this:

  1. Malvertising campaigns infect users with infostealers.
  2. Infostealers harvest user credentials.
  3. Stolen credentials are sold in underground forums.
  4. Ransomware actors buy these credentials to infiltrate networks.

Alternatively, some ransomware gangs have been observed using malvertising themselves to launch an attack on a victim machine directly.

The Royal ransomware group, for example, used malvertising to disguise BATLOADER as legitimate installers for applications like TeamViewer. BATLOADER then drops a Cobalt Strike Beacon as a precursor to the ransomware execution. 

For organizations looking to nip the malvertising-ransomware connection in the bud, however, perhaps the biggest challenge is how hard malvertising can be to spot. Threat actors often impersonate the official brand name and website in the ad snippet, making attacks extremely deceptive for the average user.

Can you spot the typo in this malvertising attempt?

Even experts at Google have struggled to identify malicious redirects from an ad, underscoring the fact that malvertising is a nuanced, technical problem that requires advanced tools to spot.

In other words, your defense strategy against malvertising shouldn’t hinge entirely on your team recognizing brand impersonation. Instead, focus on equipping your team with advanced security tools to do the heavy lifting.

Some of the main tools you can use to prevent malvertising include:

  • Vulnerability and patch management software: Malvertising often exploits known vulnerabilities in systems, applications, or browsers. These tools can help ensure that web browsers (including plug-ins) are up-to-date with the latest security patches.
  • Web protection applications: Since malvertising campaigns often rely on connecting to malicious servers to download additional malware or steal information, blocking these connections can stop the attack in its tracks.
  • Ad blockers: These can filter out potential malvertising threats and prevent hazardous content from loading. Malwarebytes Browser Guard provides additional protection to standard ad-blocking features by covering a larger area of the attack chain all the way to domains controlled by attackers.

Download the Malwarebytes Threat Intelligence Threat Brief today for comprehensive insights on malvertising and its role in stealing credentials.


9 basic security tips for seniors

Before we get into the tips: a caveat. We know many seniors who are digitally more up to date than people 20 years younger, but for those who aren’t, this guide is for you.

If you’re offended by the word seniors in the title, feel free to replace it with “computer illiterate people.” And keep in mind that this piece was written by a 60-year-old who happens to be the “computer guy” among his family and friends.

With the world’s increasing digitalization, even those who are not big fans of computers are compelled to use them for various urgent reasons. Seniors in a digital world can be overwhelmed by all the new technology. And just when you think you’ve caught up, something new has been invented.

In security terms, it can feel like there’s a lot to do in order to keep your data and devices secure. Multiple passwords, reading through EULAs, website cookie notifications, and more. All of this can contribute to a serious case of security fatigue.

Many of today’s most dangerous threats are delivered through social engineering, i.e., by tricking users into giving up their data, or downloading malware from an infected email attachment. Therefore, knowing more about what not to click on and what not to download can keep a good portion of threats out the door.

So, with that in mind, here are 9 basic security tips for seniors:

  1. Do not click on links asking to fill out your personal information. Banks and other financial institutions will not send emails with links, especially if those links are asking you to update your personal information. If a website promises you something in return for filling out your personal data, they are likely phishing. In return for your data, you will probably get lots more annoying emails, possibly an infection, and no gift.
  2. Don’t fall for too-good-to-be-true schemes. If you get offered a service, product, or game for free, and it’s unclear how the producers of the service or item are making money, don’t take it. Chances are, you will pay in other ways, such as sitting through overly-obnoxious ads, paying for in-game or in-product purchases, or being bombarded with marketing emails or otherwise awful user experiences.
  3. Don’t believe pop-ups and phone calls saying your computer is infected. Unsolicited phone calls and websites that do this are known as tech support scams. The only programs that can tell if you have an infection are security platforms that either come built into your device or antimalware software that you’ve personally purchased or downloaded. Think about it: Microsoft does not monitor billions of computers just to call you as soon as it notices a virus on yours.
  4. Don’t download programs that call themselves system optimizers. We consider these types of software, including driver updaters and registry cleaners, potentially unwanted programs. Why? They do nothing helpful—instead, they often take over browser home pages, redirect to strange landing pages, add unnecessary toolbars, and even serve up a bunch of popup ads. While not technically dangerous themselves, they’re unneeded and could let other nasties in through the door.
  5. Disable web push notifications. These are almost never useful to the user, they can be easily spoofed, and they are regularly used for social engineering and obtrusive advertising purposes.
  6. Keep your browser up-to-date. Major browsers such as Firefox, Safari, and Chrome all have their own strengths and weaknesses, so it’s a matter of personal preference which one you use. However, browsers regularly have vulnerabilities and any updates should be applied as soon as possible. Remember: You must restart your browser in order for updates to take effect.
  7. Look for HTTPS and the padlock sign. Just because there is a padlock next to the address bar doesn’t mean the site is safe, but it does mean all the traffic between your computer and the website is encrypted. That means that if someone tried to snoop on what you were sending the website, they’d get nowhere because the data would be scrambled.
  8. Use multi-factor authentication wherever you can. You can set this up on most sites, and it usually involves entering a code from either an app or a text message after you’ve entered your password. Bonus points for healthcare or banking organizations with logins that use passkeys, a hardware key, or behavioral biometrics.
  9. Use a password manager. They help you create and remember safe passwords and they won’t automatically put your passwords into fake sites, which helps you tell if something is a phishing site. This step might require some time and help from someone more technical, but it makes things much safer in the long run.

We don’t just write about threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

A week in security (June 19 – 25)

Last week on Malwarebytes Labs:

Stay safe!


Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.


5 facts to know about the Royal ransomware gang

When we first introduced the Royal ransomware gang in our November 2022 review, little did we know they’d rapidly evolve into one of the most potent threats in our ongoing monthly threat intelligence briefings.

In fact, the Malwarebytes Threat Intelligence team has tracked down a staggering 195 ransomware incidents credited to Royal from November 2022 to June 2023.


Known Royal attacks up to May 2023

These figures put Royal in a formidable third place for that time frame, trailing behind ALPHV (with 233 incidents) and the relentless LockBit (at 542 incidents).

In the rest of this post, we’ll be shedding some light on five key facts to know about the Royal ransomware gang.

1. 66% of their initial access is done through phishing

It seems there are three things certain in life: death, taxes, and phishing as a reliable attack vector.

Royal likes to send phishing emails with nasty PDFs attached. They have also been spotted using callback phishing attacks to lure victims into installing remote desktop malware.

Once someone falls for Royal’s phishing scam and ends up with malware on their computer, that malware tries to reach out to its command and control (C2) base. Then it starts downloading malicious tools to aid in lateral movement or exfiltration.

2. They have a massive USA bias

The Malwarebytes Threat Intelligence team found that 64% of Royal’s victims are from the USA.


Known Royal attacks up to May 2023 by country

For comparison, 43% of all known ransomware attacks were on the USA in the same November 2022 to June 2023 time period. Among gangs with more than 50 attacks, Royal was second only to Black Basta (67%) for the share of attacks on the USA.

3. Cobalt Strike is one of the many legit tools they repurpose for malicious activities

Royal has been spotted using a host of legitimate tools to carry out their attacks under the radar. Just some of these tools include:

  • Cobalt Strike: A legitimate commercial penetration testing tool used to assess network security and simulate advanced threat actor tactics. Attackers use it for command and control, lateral movement, and exfiltration of sensitive data.
  • System Management (NSudo): NSudo allows administrators to run programs with full system rights. Attackers use it to execute malicious programs with elevated privileges.
  • PsExec (Microsoft Sysinternals): PsExec lets admins execute remote processes. Attackers use it to execute malware on remote systems.

By mimicking normal behavior, these tools can make it extremely difficult for IT teams and security solutions to detect any signs of malicious activities.

4. We’ve observed them reinfecting victims

Shortly after Royal rose to prominence in late 2022, a new customer joined the Malwarebytes Managed Detection and Response (MDR) service. The customer was previously a casualty of a Royal ransomware attack and thought they had dusted themselves off completely.

But soon after plugging in with us, we spotted some shady activities.


Malwarebytes MDR detecting “Ransomware.Royal” in the client’s network.

It turns out that Royal wasn’t content with having ‘merely’ attacked our customer once—they were still messing around in their system, potentially setting the stage for another damaging attack.

Fortunately, our EDR tech halted the ransomware in its tracks, and our MDR team managed to stop the post-ransomware havoc from spiraling further.

Still, it goes to show that Royal doesn’t simply move on after a successful attack; they stay engaged for future exploitation, if they can help it.

5. The Services, Wholesale, and Technology industries are their top victims

When we look at Royal ransomware’s victimology, no overwhelming pattern stands out like it does for Vice Society.


Known Royal attacks up to May 2023 by industry sector

Their victims per industry more or less match the averages across all ransomware gangs, suggesting they are sheer opportunists without a particular industry focus.

Like any ransomware gang, they leverage any potential vulnerabilities and security gaps across sectors, launching their attacks wherever they find the easiest point of entry. 

Getting the upper hand against the Royal gang

Royal has made a big name for itself in a short amount of time.

While it looks like Royal will attack anyone they think is an easy target, it’s safe to say that organizations in the USA should be particularly wary of Royal considering their strong focus on that country.

We recommend that organizations across all sectors follow a few best practices to prevent (and recover from) ransomware attacks from every angle. That includes:

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes’ EDR anti-ransomware layer constantly monitors endpoint systems and automatically kills processes associated with ransomware activity, including Royal ransomware. 


Malwarebytes EDR blocking Royal ransomware On-Execution

In our Ransomware Emergency Kit, you’ll find more tips your organization needs to defend against RaaS gangs. 


Microsoft Azure AD flaw can lead to account takeover

Researchers have found that a flaw in Microsoft Azure AD can be used by attackers to take over accounts that rely on pre-established trust.

In a nutshell, Microsoft Azure AD allows you to change the email address associated with an account without verification of whether you are in control of that email address. And in Microsoft Azure AD OAuth applications that email address can be used as a unique identifier.

So, how can this be used in an account take-over?

To understand how this flaw—dubbed nOAuth by the researchers—works we need to take a few steps back and explain how OAuth works.

OAuth (short for Open Authorization) is a standard authorization protocol. It allows us to get access to protected data from an application. Generally, the OAuth protocol provides a way for resource owners to provide a client, or application with secure delegated access to server resources. It specifies a process for resource owners to authorize third-party access to their server resources without providing credentials.

Chances are you have dealt with OAuth many times without being aware of what it is and how it works. For example, some sites allow you to log in using your Facebook credentials. The same reasoning that applies to using the same password for every site applies to using your Facebook credentials to log in to other sites. We wouldn’t recommend it, because if anyone gets hold of the one password that controls them all, you’re in even bigger trouble than you would be if only one site’s password were compromised.

In the example we used above, Facebook is called the identity provider (IdP). Other well-known IdPs are Google, Twitter, Okta, and Microsoft Azure AD. For the “Open” concept in OAuth to work, the authentication is based on pre-established trust with the IdP. In our example, because you are logged into Facebook, the other site or service accepts your identity and allows you access.

Azure AD manages user access to external resources, such as Microsoft 365, the Azure portal, and thousands of other software as a service (SaaS) applications using OAuth apps. The difference is that most IdPs advise against using an email address as an identifier, but Microsoft Azure AD accepts it.

The attacker that wishes to abuse this flaw needs to set up an Azure AD account as admin. They can do this using an email address which is under their control. When they are all set, they can change the Email attribute to one that belongs to the target. The main flaw here is that this requires no validation whatsoever.

Now, all the attacker has to do is open the site or service they wish to take over and choose the “Login with Microsoft” option. They will automatically get logged into the account associated with the provided email address, which is the one that belongs to the victim and not to the actual operator.

From that point on they can make the necessary changes to either gain persistence, steal information, or completely take over the account. With any luck the victim will get a “you logged in from a new device” type of notice, but that’s the best case scenario.

There is one caveat for the attacker though. Not all sites and services use the email address as a unique identifier.

The researchers have informed Microsoft and other stakeholders of the issue and steps are being taken to thwart this type of account takeover.

Microsoft already had existing documentation informing developers not to use the “email” claim as a unique identifier in the access token, and after the disclosure it published a dedicated page on Claims Validation with all the information a developer needs to consider when implementing authentication.

The researchers say they tested their proof-of-concept on hundreds of websites and applications and found many of them vulnerable. They shared the PoC with each affected organization and informed them of the vulnerability. While most of the affected apps were quick to respond and fix the issue, the number of tested apps was just a drop in the ocean of the Internet.

So, if you are running a site or service that uses Azure AD as an IdP, please check that you do not accept the Email attribute, because the email claim is both mutable and unverified so it should never be trusted or used as an identifier.
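The check described above, as an added example that is not code from the article, the researchers or Microsoft: an app-side account lookup for a “Login with Microsoft” flow, showing the vulnerable email-keyed lookup beside a hardened one keyed on the tenant and object IDs the IdP issues. It assumes the OAuth/OIDC library has already verified the token’s signature, issuer, audience and expiry; the user store, IDs and addresses are all constructed.

```python
"""Account lookup for an app offering "Login with Microsoft": vulnerable vs hardened.

Added example for this article; not code from Malwarebytes, the researchers
or Microsoft. Assumes the OAuth/OIDC library has already verified the token's
signature, issuer, audience and expiry, so only the decoded claims are
handled here. The user store, tenant/object IDs and emails are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class User:
    local_id: int
    email: str
    idp_key: str  # "<tid>:<oid>" recorded when the account was first linked


# Constructed user store: the victim linked their account from tenant 1111...
# with object id aaaa...
USERS: List[User] = [
    User(1, "victim@example.com",
         "11111111-1111-1111-1111-111111111111:aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"),
]

# Constructed decoded claims for the legitimate victim login.
VICTIM_CLAIMS: Dict[str, str] = {
    "tid": "11111111-1111-1111-1111-111111111111",
    "oid": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
    "email": "victim@example.com",
}

# Constructed decoded claims from a different tenant whose admin set the
# unverified Email attribute to the victim's address, as the article describes.
ATTACKER_CLAIMS: Dict[str, str] = {
    "tid": "22222222-2222-2222-2222-222222222222",
    "oid": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb",
    "email": "victim@example.com",
}


def vulnerable_lookup(claims: Dict[str, str]) -> Optional[User]:
    """Matches on the mutable, unverified email claim: the nOAuth mistake."""
    email = claims.get("email", "").lower()
    for user in USERS:
        if user.email.lower() == email:
            return user
    return None


def stable_key(claims: Dict[str, str]) -> str:
    """Build the identifier from tenant id + object id, which the IdP issues
    and the token holder cannot choose; reject tokens that lack either."""
    tid = claims.get("tid")
    oid = claims.get("oid")
    if not tid or not oid:
        raise ValueError("token lacks tid/oid claims; refusing to identify account")
    return f"{tid}:{oid}"


def hardened_lookup(claims: Dict[str, str]) -> Optional[User]:
    """Matches only on the stable key; the email claim plays no part."""
    key = stable_key(claims)
    for user in USERS:
        if user.idp_key == key:
            return user
    return None


def resolve_account(claims: Dict[str, str]) -> User:
    """Hardened login flow: an unknown stable key becomes a new local account
    rather than being merged into an existing one by email, so a foreign
    tenant can never land inside the victim's account."""
    user = hardened_lookup(claims)
    if user is not None:
        return user
    new_user = User(len(USERS) + 1, claims.get("email", ""), stable_key(claims))
    USERS.append(new_user)
    return new_user


if __name__ == "__main__":
    print("vulnerable:", vulnerable_lookup(ATTACKER_CLAIMS))  # victim's account
    print("hardened:  ", hardened_lookup(ATTACKER_CLAIMS))    # None
    print("resolved:  ", resolve_account(ATTACKER_CLAIMS))    # separate account
```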


Update now! Apple fixes three actively exploited vulnerabilities

Apple has released security updates for several products to address a set of flaws that it says are being actively exploited.

Updates are available for these products:

  • Safari 16.5.1: macOS Big Sur and macOS Monterey
  • iOS 16.5.1 and iPadOS 16.5.1: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
  • iOS 15.7.7 and iPadOS 15.7.7: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)
  • macOS Ventura 13.4.1
  • macOS Monterey 12.6.7
  • macOS Big Sur 11.7.8
  • watchOS 9.5.2: Apple Watch Series 4 and later
  • watchOS 8.8.1: Apple Watch Series 3, Series 4, Series 5, Series 6, Series 7, and SE

The updates may already have reached you in your regular update routines, but it doesn’t hurt to check if your device is at the latest update level. If a Safari update is available for your device, you can get it by updating or upgrading macOS, iOS, or iPadOS.

How to update your iPhone or iPad.

How to update macOS on Mac.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The three actively exploited CVEs are:

CVE-2023-32434: a vulnerability in the Kernel due to an integer overflow. Successful exploitation would enable the attacker to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7. This vulnerability was part of the so-called Operation Triangulation.

CVE-2023-32435: a memory corruption issue in the WebKit component, fixed for iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation). Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7. This vulnerability was also part of the so-called Operation Triangulation.

CVE-2023-32439: a type confusion issue in the WebKit component. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

WebKit is the browser engine that powers Safari on Macs as well as all browsers on iOS and iPadOS (browsers on iOS and iPadOS are obliged to use it). It is also the web browser engine used by Mail, App Store, and many other apps on macOS, iOS, and Linux.

An integer overflow is a programming error that allows an attacker to manipulate a number the program uses in a way that might be harmful. If the number is used to set the length of a data buffer (an area of memory used to hold data), an integer overflow can lead to a buffer overflow, a vulnerability that allows an attacker to overload a buffer with more data than it’s expecting, which creates a route for the attacker to manipulate the program.

Type confusion vulnerabilities are programming flaws that occur when a piece of code doesn’t verify the type of an object passed to it before using it. Say a program expects a number as input but instead receives a string (a sequence of characters). If the program doesn’t check that the input is actually a number and performs arithmetic on it as if it were one, it may produce unexpected results that an attacker could abuse.

Type confusion can allow an attacker to feed function pointers or data into the wrong piece of code. In some cases, this could allow attackers to execute arbitrary code on a vulnerable device. To exploit these WebKit flaws, an attacker would have to trick a victim into visiting a malicious website or into opening such a page in one of the apps that use WebKit to render their pages. In the case of Operation Triangulation, these were reportedly delivered via iMessage as zero-click exploits.


We don’t just report on iOS security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your iOS devices by downloading Malwarebytes for iOS today.

UPS warns customers of phishing attempts after data accessed

UPS Canada is warning customers in Canada of potential data exposure and the risk of phishing. People have started to receive letters like the one below from UPS, which some have assumed were “just” regular phishing alerts. As it turns out, the letter is specifically about the potential exposure of data via a look-up tool.

One example of the letter is below, via a tweet from threat analyst Brett Callow.

You’ll notice why recipients assumed it was a generic phish warning straight away: There is no reference to any actual incident until halfway down the page. The whole first half is a generic description of what phishing and smishing involve, alongside a link to examples and where genuine UPS texts originate.

I would think many people looking at this would have already tuned out and thrown it into the garbage. In this case, that would be a mistake. Anyone who reads on will (eventually) discover that all is not right in the land of parcel deliveries:

UPS is aware that some package recipients have received fraudulent text messages demanding payment before a package can be delivered. UPS has been working with partners in the delivery chain to try to understand how that fraud was being perpetrated.

The letter goes on to mention that an internal review took place to see if information it received from shippers was somehow contributing to these attempts taking place:

During that review, UPS discovered a method by which a person who searched for a particular package or misused a package look-up tool could obtain more information about the delivery, potentially including a recipient’s phone number.

UPS states that access to this information has now been limited, and people whose information may have been impacted are being notified out of “an abundance of caution”.

In terms of the data potentially accessed:

The information available through the package look up tools included the recipient’s name, shipment address, and potentially phone number and order number. We cannot provide you with the exact time frame that the misuse of our package look-up tools occurred. It may have affected packages for a small group of shippers and some of their customers from February 1, 2022 to April 24, 2023.

This isn’t great, and it’s exactly the kind of data needed to get the phishing ball rolling. Bleeping Computer notes some other messages doing the rounds which may be tied to this campaign, which include delivery fee charges owed, and missing shipments of Lego.

Parcel delivery scams are a big problem, and target firms like UPS and even the US Postal Service. Being able to grab personal details from actual delivery firms is a major boon for scammers, so it’s essential to be on your guard where mysterious parcel texts and emails are concerned.

How to avoid fake parcel scams

  • Check your orders. The email isn’t going anywhere, and neither is your order. You have plenty of time to see if you recognise parcel details, and also the delivery network. 
  • Avoid attachments. So-called invoices or shipping details enclosed in a ZIP file should be treated with suspicion.
  • Watch out for a sense of urgency. Be wary of anything applying pressure to make you perform a task. A missing payment and only 24 hours to make it? A time-sensitive refund? Mysterious shipping charges? These are all designed to hurry you into action.
  • If in doubt, make contact with the company directly via official channels.


Malwarebytes only vendor to win every MRG Effitas award in 2022 & 2023

MRG Effitas, a world leader in independent IT research, published their anti-malware efficacy assessment results for Q1 2023. Malwarebytes Endpoint Protection (EP) achieved the highest possible score (100%) and received certifications for Level 1, Exploit, Online Banking, and Ransomware.

These results mark the seventh time in a row we have received all certification awards and we are now officially the only vendor to win every single certification & award in 2022 and so far into 2023.

MRG Effitas assesses a product’s ability to meet today’s most pressing threats, including stopping zero-day malware, ransomware, exploits, and more—and doing so with speedy performance and low false positives.

The signature and behavior-based detection techniques and proprietary anti-exploit technology of Malwarebytes EP allowed it to detect and block more malware than any other competitor on the Q1 test. As an integral foundation layer for our EDR and MDR solutions, these results prove that Malwarebytes EP provides reliable and comprehensive protection against a wide range of threats. 

For the full results and to see how we stack up against competitors, our “Endpoint Security Evaluation Guide” eBook—based on MRG Effitas’ independent lab assessment—is an essential tool for any organization looking to make an informed decision about endpoint security. Download below!


Let’s dive into where we prevented more than the rest and how we were able to do it.

100% of ransomware blocked

Using a blend of signature and signature-less technologies, the anti-ransomware layer of Malwarebytes EP constantly monitors endpoint systems and automatically kills processes associated with ransomware activity.

MRG Effitas tested security products for 30 ransomware samples. In addition, they tested four ransomware simulator samples created in-house, ensuring the security product could only rely on its behavior scanning modules. To test for false positives, a device running Malwarebytes EP also ran three benign programs designed to mimic ransomware behavior.

Malwarebytes blocked 100 percent of ransomware threats in the MRG Effitas assessment and did so with no false positives, allowing the three benign programs to run. For this we earned the 360° Ransomware Certification.


Nebula view of detected ransomware activity 

100% of banking malware blocked

In 2021, 37% of banking malware attacks targeted corporate users.

We were one of the few vendors who earned a 360° Online Banking Certification, which means Malwarebytes EP stopped 100% of threats designed to steal financial information and money from victims’ accounts. To outperform the others, our unique detection technology again came into play.

Malwarebytes EP autoblocked 100% of the 25 financial malware samples, the Magecart credit card-skimming attack, and Botnets designed to steal credentials. 

100% of zero-day threats blocked

One of the many strong suits of our detection is that it can detect malware that has never been seen before, also called zero-day malware. Again, we were one of the only vendors to detect and block these pernicious threats, which account for 80% of successful breaches.

Built on machine learning (ML) and behavioral analysis techniques, our behavior-based detection enabled Malwarebytes EP to detect and autoblock 100% of all zero-day threats. For this, as well as blocking all Botnets, we earned the 360° Level 1 Certification.

100% of exploits blocked

The anti-exploit feature of Malwarebytes EP protects organizations from one of the most advanced cyber attacks: zero-day exploits targeting browser and application vulnerabilities. But don’t take our word for it: MRG Effitas used 8 different exploitation techniques to try and deliver a malicious payload on a device running Malwarebytes EP—but they didn’t get very far.

Malwarebytes earned the 360° Exploit Certification for autoblocking 100% of Exploit/Fileless attacks, entirely protecting the system from infection.

We were one of the few to earn the 360° Exploit Certification all thanks to our proprietary anti-exploit technology, which wraps vulnerable programs in four defensive layers that prevent an exploit from installing its payload, or even executing initial shellcode.

Our four layers of exploit protection


Anti-exploit settings in Nebula

Consistency is key

If there is one shining take away from this accomplishment, it’s that consistency is key.

You don’t want a security solution that passes rigorous tests like MRG Effitas only some of the time. You want a solution that passes them with flying colors all of the time. Clearly, Malwarebytes EP, and by extension our EDR and MDR, is that solution.


For organizations that are concerned their current solution may not be up to par, the MRG Effitas assessment has demonstrated—more consistently than anybody else—that Malwarebytes for Business has what it takes to keep your business safe from today’s most pressing cyberthreats.

Download the ebook for full results


6 tips for a cybersecure honeymoon

You’ve done it, you’ve got married. The big day is over, and while you’re relaxing on honeymoon you definitely don’t want to get distracted by security problems. So, we rounded up some quick tips to keep you safe.

  • Refrain from posting on social media about your honeymoon. This is good practice before you leave as well. You don’t want people knowing that your home will be empty, so it’s better to wait to show off your honeymoon happiness until you get back home.
  • Feel free to use a VPN. Hotel and airport Wi-Fi is safer now than years ago, thanks to HTTPS everywhere. But if you still can’t shake the feeling of being “exposed,” use a VPN you trust.
  • Turn on Find My Device. Both iOS and Android offer ways for you to track your device. So turn this on before you go, and if you lose your device you can remotely wipe it, or even leave a message on the screen for whoever finds it.
  • Use strong passwords and encryption. If you don’t use a strong password on all devices, now is the time to change that. Better still, invest in a password manager. And make sure that all data stored on your devices is encrypted and backed up before you go.
  • Turn off Bluetooth connectivity. As a rule of thumb, turn it off if you don’t use it. If you can’t do that, disable it when it’s not in use. Keeping it enabled could allow someone to discover what other devices you have connected to before, pretend to be one of those devices, and gain access to your device.
  • Leave your device in the hotel’s safe. When you’re not using a device, keep it in the safe. What you don’t bring along, you can’t lose or drop in the ocean.

Happy honeymoon!

Reducing your attack surface is more effective than playing patch-a-mole

On June 13, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive (BOD) 23-02. BOD 23-02 is titled Mitigating the Risk from Internet-Exposed Management Interfaces, and requires federal civilian agencies to remove specific networked management interfaces from the public-facing internet, or to implement Zero Trust Architecture capabilities that enforce access control to the interface, within 14 days of discovery.

Harsh as that may sound, there is a lot to be said for the strategy of shielding management interfaces from public internet access, or if that’s not an option, to apply every possible access control to make sure that only authorized people have access to the management part of the application.

As we have experienced a few times, applying timely patches is absolutely no guarantee you’ll be safe. Take for example the recent MOVEit vulnerability that was used against hundreds of victims before anyone even became aware of the fact that the vulnerability existed.

And new vulnerabilities are disclosed at a worrying rate. To demonstrate that point, here’s a quick roundup of the ones I looked at just yesterday.

  • Researchers discovered two dangerous vulnerabilities in Azure Bastion and Azure Container Registry that could allow attackers to achieve cross-site scripting (XSS), injecting malicious scripts into trusted websites. Exploitation of the vulnerabilities could have potentially allowed hackers to gain access to a target’s session within the compromised Azure service.
  • Zyxel warned users of its NAS (Network Attached Storage) devices to update their firmware to fix a critical severity command injection vulnerability. The newly discovered vulnerability, CVE-2023-27992, is a pre-authentication command injection problem that could allow an unauthenticated attacker to execute operating system commands by sending specially crafted HTTP requests.
  • VMware published a security advisory about multiple vulnerabilities in Aria Operations for Networks. Of these vulnerabilities, CVE-2023-20887 was confirmed to be exploited in the wild. Successful exploitation would allow a malicious actor with network access to VMware Aria Operations for Networks to perform a command injection attack resulting in remote code execution.
  • We reported about ASUS fixing nine security flaws in several router models. Among them were two critical vulnerabilities that could lead to memory corruption, and one vulnerability that could allow a remote unauthenticated attacker to achieve arbitrary code execution.

These are applications and services that we find in many organizations’ networks. Finding the vulnerable instances and applying the patches could be more than a day’s work in some cases.

But a workaround that would have worked for many of the above is disabling or minimizing internet-facing access.

This supports the warning from CISA director Jen Easterly, who said:

“Too often, threat actors are able to use network devices to gain unrestricted access to organizational networks, in turn leading to full-scale compromise. Requiring appropriate controls and mitigations outlined in this Directive is an important step in reducing risk to the federal civilian enterprise. While this Directive only applies to federal civilian agencies, as the threat extends to every sector, we urge all organizations to adopt this guidance. When it comes to reducing cyber risk and ensuring resilience, we all have a role to play.”

Recommendations

In a nutshell, the recommendations from CISA to minimize your attack surface are:

  • Remove management interfaces from the internet by making them only accessible from an internal enterprise network. CISA recommends network segmentation to create an isolated management network.
  • Deploy capabilities that enforce access control to the interface through a policy enforcement point separate from the interface itself. In other words, don’t rely on the access control of the instance itself; once the instance is vulnerable, that control could be easy to circumvent.

For more information, we encourage you to read the directive. While the primary audience for this document is FCEB agencies, other organizations may find the content useful.
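As an added example (not CISA’s or Malwarebytes’ tooling), the small Python audit below applies the two BOD 23-02 tests from the recommendations above to a constructed asset inventory and computes the 14-day remediation deadline for anything that fails both; the asset names, addresses and the `separate_pep` field are assumptions made for the example.

```python
# Audit management interfaces against the two BOD 23-02 tests (added example):
# acceptable if not reachable from the public internet, or if access is enforced
# by a policy enforcement point (PEP) separate from the interface; else fix in 14 days.
import ipaddress
from dataclasses import dataclass
from datetime import date, timedelta

REMEDIATION_WINDOW = timedelta(days=14)

# Address space treated as internal: RFC 1918, loopback, link-local, IPv6 ULA/link-local.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]


@dataclass
class ManagementInterface:
    asset: str
    address: str        # address the management interface is reachable at
    port: int
    separate_pep: bool  # access enforced by a PEP distinct from the device itself
    discovered: date


def internet_exposed(address: str) -> bool:
    """True unless the address falls in one of the internal ranges above."""
    ip = ipaddress.ip_address(address)
    return not any(ip in net for net in INTERNAL_NETWORKS)


def assess(iface: ManagementInterface) -> dict:
    """Apply the directive's two tests; compute the 14-day deadline when both fail."""
    exposed = internet_exposed(iface.address)
    compliant = (not exposed) or iface.separate_pep
    return {
        "asset": iface.asset,
        "exposed": exposed,
        "compliant": compliant,
        "fix_by": None if compliant else iface.discovered + REMEDIATION_WINDOW,
        "action": "none" if compliant else
                  "segment onto an isolated management network, or front with a separate PEP",
    }


# Constructed sample inventory: asset names and (documentation-range) addresses are made up.
SAMPLE_INVENTORY = [
    ManagementInterface("edge-router-1", "203.0.113.10", 443, False, date(2023, 6, 14)),
    ManagementInterface("nas-01", "10.20.0.5", 443, False, date(2023, 6, 14)),
    ManagementInterface("vcenter-mgmt", "198.51.100.7", 443, True, date(2023, 6, 14)),
]


def audit(inventory=SAMPLE_INVENTORY) -> list:
    return [assess(i) for i in inventory]
```

Only the first asset fails: it is reachable from a public address and has no separate PEP, so it is flagged with a deadline 14 days after discovery.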


Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.
