IT NEWS

When we first introduced the Royal ransomware gang in our November 2022 review, little did we know they’d rapidly evolve into one of the most potent threats in our ongoing monthly threat intelligence briefings.

In fact, the Malwarebytes Threat Intelligence team has tracked down a staggering 195 ransomware incidents credited to Royal from November 2022 to June 2023.

Known Royal attacks up to May 2023

These figures put Royal in a formidable third place for that time frame, trailing behind ALPHV (with 233 incidents) and the relentless LockBit (at 542 incidents).

In the rest of this post, we’ll be shedding some light on five key facts to know about the Royal ransomware gang.

1. 66% of their initial access is done through phishing

It seems there are three things certain in life: death, taxes, and phishing as a reliable attack vector.

Royal likes to send phishing emails with nasty PDFs attached. They have also been spotted using callback phishing attacks to lure victims into installing remote desktop malware.

Once someone falls for Royal’s phishing scam and ends up with malware on their computer, that malware tries to reach out to its command and control (C2) base. Then it starts downloading malicious tools to aid in lateral movement or exfiltration.

2. They have a massive USA bias

The Malwarebytes Threat Intelligence team found that 64% of Royal’s victims are from the USA.

Known Royal attacks up to May 2023 by country

For comparison, 43% of all known ransomware attacks were on the USA in the same November 2022 to June 2023 time period. For gangs with more than 50 attacks, Royal was only second to Black Basta (67%) for attackers on the USA.

3. Cobalt Strike is one of the many legit tools they repurpose for malicious activities

Royal has been spotted using a host of legitimate tools to carry out their attacks under the radar. Just some of these tools include:

• Cobalt Strike: A legitimate commercial pen test to assess network security and simulate advanced threat actor tactics. Attackers use it for command and control, lateral movement, and exfiltration of sensitive data.
• System Management (NSudo): NSudo allows administrators to run programs with full system rights. Attackers use it to execute malicious programs with elevated privileges.

• PsExec (Microsoft Sysinternals): PsExec lets admins execute remote processes. Attackers use it to execute malware on remote systems.

By mimicking normal behavior, these tools can make it extremely difficult for IT teams and security solutions to detect any signs of malicious activities.

4. We’ve observed them reinfecting victims

Shortly after Royal rose to prominence in late 2022, a new customer joined the Malwarebytes Managed Detection and Response (MDR) service. The customer was previously a casualty of a Royal ransomware attack and thought they had dusted themselves off completely.

But soon after plugging in with us, we spotted some shady activities.

Malwarebytes MDR detecting “Ransomware.Royal” in the client’s network.

It turns out that Royal wasn’t content with having ‘merely’ attacked our customer once—they were still messing around in their system, potentially setting the stage for another damaging attack.

Fortunately, our EDR tech halted the ransomware in its tracks, and our MDR team managed to stop the post-ransomware havoc from spiraling further.

Still, it goes to show that attacks Royal doesn’t simply move on after a successful attack; they stay engaged for future exploitation, if they can help it.

5. The Services, Wholesale, and Technology industries are their top victims

When we look at Royal ransomware’s victimology, no overwhelming pattern stands out like it does for Vice Society.

Known Royal attacks up to May 2023 by industry sector

Their victims per industry more or less match the averages across all ransomware gangs, suggesting they are sheer opportunists without a particular industry focus.

Like any ransomware gang, they leverage any potential vulnerabilities and security gaps across sectors, launching their attacks wherever they find the easiest point of entry. 

Getting the upper-hand against the Royal gang

Royal has made a big name for itself in a short amount of time.

While it looks like Royal will attack anyone they think is an easy target, it’s safe to say that organizations in the USA should be particularly wary of Royal considering their strong focus on that country.

We recommend the organizations across all sectors follow a few best practices to prevent (and recover) from ransomware attacks from every angle. That includes: 

• Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
• Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
• Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
• Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes’ EDR anti-ransomware layer constantly monitors endpoint systems and automatically kills processes associated with ransomware activity, including Royal ransomware. 

Malwarebytes EDR blocking Royal ransomware On-Execution

In our Ransomware Emergency Kit, you’ll find more tips your organization needs to defend against RaaS gangs. 

Get the emergency kit

Researchers have found that a flaw in Microsoft Azure AD can be used by attackers to take over accounts that rely on pre-established trust.

In a nutshell, Microsoft Azure AD allows you to change the email address associated with an account without verification of whether you are in control of that email address. And in Microsoft Azure AD OAuth applications that email address can be used as a unique identifier.

So, how can this be used in an account take-over?

To understand how this flaw—dubbed nOAuth by the researchers—works we need to take a few steps back and explain how OAuth works.

OAuth (short for Open Authorization) is a standard authorization protocol. It allows us to get access to protected data from an application. Generally, the OAuth protocol provides a way for resource owners to provide a client, or application with secure delegated access to server resources. It specifies a process for resource owners to authorize third-party access to their server resources without providing credentials.

Chances are you have dealt with OAuth many times without being aware what it is and how it works. For example, some sites allow you to log in using your Facebook credentials. The same reasoning that is true for using the same password for every site is true for using your Facebook credentials to login at other sites. We wouldn’t recommend it because if anyone gets hold of the one password that controls them all, you’re in even bigger trouble than you would be if only one site’s password is compromised.

In the example we used above, Facebook is called the identity provider (IdP). Other well-known IdPs are Google, Twitter, Okta, and Microsoft Azure AD. For the “Open” concept in OAuth to work, the authentication is based on pre-established trust with the IdP. In our example, because you are logged into Facebook, the other site or service accepts your identity and allows you access.

Azure AD manages user access to external resources, such as Microsoft 365, the Azure portal, and thousands of other software as a service (SaaS) applications using OAuth apps. The difference is that most IdPs advise against using an email-address as an identifier, but Microsoft Azure AD accepts it.

The attacker that wishes to abuse this flaw needs to set up an Azure AD account as admin. They can do this using an email address which is under their control. When they are all set, they can change the Email attribute to one that belongs to the target. The main flaw here is that this requires no validation whatsoever.

Now, all the attacker has to do is open the site or service they wish to take over and choose the “Login with Microsoft” option. They will automatically get logged into the account associated with the provided email address. Which was the one that belongs to the victim and not to the actual operator.

From that point on they can make the necessary changes to either gain persistence, steal information, or completely take over the account. With any luck the victim will get a “you logged in from a new device” type of notice, but that’s the best case scenario.

There is one caveat for the attacker though. Not all sites and services use the email address as a unique identifier.

The researchers have informed Microsoft and other stakeholders of the issue and steps are being taken to thwart this type of account takeover.

Microsoft already had existing documentation informing developers not to use the “email” claim as a unique identifier in the access token, and after the disclosure it published a dedicated page on Claims Validation with all the information a developer needs to consider when implementing authentication.

The researchers say they tested their proof-of-concept on hundreds of websites and applications and found many of them vulnerable. They shared the PoC with each affected organization and informed them of the vulnerability. While most of the affected apps were quick to respond and fix the issue, the number of tested apps was just a drop in the ocean of the Internet.

So, if you are running a site or service that uses Azure AD as an IdP, please check that you do not accept the Email attribute, because the email claim is both mutable and unverified so it should never be trusted or used as an identifier.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Apple has released security updates for several products to address a set of flaws that it says are being actively exploited.

Updates are available for these products:

The updates may already have reached you in your regular update routines, but it doesn’t hurt to check if your device is at the latest update level. If a Safari update is available for your device, you can get it by updating or upgrading macOS, iOS, or iPadOS.

How to update your iPhone or iPad.

How to update macOS on Mac.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The three actively exploited CVEs are:

CVE-2023-32434: a vulnerability in the Kernel due to an integer overflow. Successful exploitation would enable the attacker to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7. This vulnerability was part of the so-called Operation Triangulation.

CVE-2023-32435: a memory corruption issue in the WebKit component  for iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation). Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.This vulnerability was also part of the so-called Operation Triangulation.

CVE-2023-32439: a type confusion issue in the WebKit component. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

WebKit is the browser engine that powers Safari on Macs as well as all browsers on iOS and iPadOS (browsers on iOS and iPadOS are obliged to use it). It is also the web browser engine used by Mail, App Store, and many other apps on macOS, iOS, and Linux.

An integer overflow is a programming error that allows an attacker to manipulate a number the program uses in a way that might be harmful. If the number is used to set the length of a data buffer (an area of memory used to hold data), an integer overflow can lead to a buffer overflow, a vulnerability that allows an attacker to overloaded a buffer with more data than it’s expecting, which creates a route for the attacker to manipulate the program.

Type confusion vulnerabilities are programming flaws that happen when a piece of code doesn’t verify the type of object that is passed to it before using it. So let’s say you have a program that expects a number as input, but instead it receives a string (i.e. a sequence of characters), if the program doesn’t properly check that the input is actually a number and tries to perform arithmetic operations on it as if it were a number, it may produce unexpected results which could be abused by an attacker.

Type confusion can allow an attacker to feed function pointers or data into the wrong piece of code. In some cases, this could allow attackers to execute arbitrary code on a vulnerable device. So, an attacker would have to trick a victim into visiting a malicious website or open such a page in one of the apps that use WebKit to render their pages. In the case of Operation Triangulation these were reportedly delivered via iMessage as zero-click exploits.

We don’t just report on iOS security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your iOS devices by downloading Malwarebytes for iOS today.

UPS Canada is warning customers in Canada of potential data exposure and the risk of phishing. People have started to receive letters like the one below from UPS, which some have assumed were “just” regular phishing alerts. As it turns out, the letter is specifically about the potential exposure of data via a look-up tool.

One example of the letter is below, via a tweet from threat analyst Brett Callow.

So @UPS_Canada sent me a letter about phishing and smishing. Turns out it wasn’t simply intended to be educational. In the 4th paragraph, it became apparent that it was actually a data breach notification. 1/2 pic.twitter.com/lw7PI7HORI

— Brett Callow (@BrettCallow) June 21, 2023

You’ll notice why recipients assumed it was a generic phish warning straight away: There is no reference to any actual incident until halfway down the page. The whole first half is a generic description of what phishing and smishing involve, alongside a link to examples and where genuine UPS texts originate.

I would think many people looking at this would have already tuned out and thrown it into the garbage. In this case, that would be a mistake. Anyone who reads on will (eventually) discover that all is not right in the land of parcel deliveries:

UPS is aware that some package recipients have received fraudulent text messages demanding payment before a package can be delivered. UPS has been working with partners in the delivery chain to try to understand how that fraud was being perpetrated.

The letter goes on to mention that an internal review took place to see if information it received from shippers was somehow contributing to these attempts taking place:

During that review, UPS discovered a method by which a person who searched for a particular package or misused a package look-up tool could obtain more information about the delivery, potentially including a recipient’s phone number.

UPS states that access to this information has now been limited, and people whose information may have been impacted are being notified out of “an abundance of caution”.

In terms of the data potentially accessed:

The information available through the package look up tools included the recipient’s name, shipment address, and potentially phone number and order number. We cannot provide you with the exact time frame that the misuse of our package look-up tools occurred. It may have affected packages for a small group of shippers and some of their customers from February 1, 2022 to April 24, 2023.

This isn’t great, and it’s exactly the kind of data needed to get the phishing ball rolling. Bleeping Computer notes some other messages doing the rounds which may be tied to this campaign, which include delivery fee charges owed, and missing shipments of Lego.

Parcel Delivery scams are a big problem, and target firms like UPS and even the US Postal Service. Being able to grab personal details from actual delivery firms is a major boon for scammers so it’s essential to be on your guard where mysterious parcel texts and emails are concerned.

How to avoid fake parcel scams

• Check your orders. The email isn’t going anywhere, and neither is your order. You have plenty of time to see if you recognise parcel details, and also the delivery network. 
• Avoid attachments. So-called invoices or shipping details enclosed in a ZIP file should be treated with suspicion.
• Watch out for a sense of urgency. Be wary of anything applying pressure to make you perform a task. A missing payment and only 24 hours to make it? A time-sensitive refund? Mysterious shipping charges? These are all designed to hurry you into action.
• If in doubt, make contact with the company directly via official channels.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

MRG Effitas, a world leader in independent IT research, published their anti-malware efficacy assessment results for Q1 2023. Malwarebytes Endpoint Protection (EP) achieved the highest possible score (100%) and received certifications for Level 1, Exploit, Online Banking, and Ransomware.

These results mark the seventh time in a row we have received all certification awards and we are now officially the only vendor to win every single certification & award in 2022 and so far into 2023.

MRG Effitas assesses a product’s ability to meet today’s most pressing threats, including stopping zero-day malware, ransomware, exploits, and more—and doing so with speedy performance and low false positives.

The signature and behavior-based detection techniques and proprietary anti-exploit technology of Malwarebytes EP allowed it to detect and block more malware than any other competitor on the Q1 test. As an integral foundation layer for our EDR and MDR solutions, these results prove that Malwarebytes EP provides reliable and comprehensive protection against a wide range of threats. 

For the full results and to see how we stack up against competitors, our “Endpoint Security Evaluation Guide” eBook—based on MRG Effitas’ independent lab assessment—is an essential tool for any organization looking to make an informed decision about endpoint security. Download below!

GET THE ENDPOINT SECURITY EVALUATION GUIDE

Let’s dive into where we prevented more than the rest and how we were able to do it.

100% of ransomware blocked

Using a blend of signature and signature-less technologies, the anti-ransomware layer of Malwarebytes EP constantly monitors endpoint systems and automatically kills processes associated with ransomware activity.

MRG Effitas tested security products for 30 ransomware samples. In addition, they tested four ransomware simulator samples created in-house, ensuring the security product could only rely on its behavior scanning modules. To test for false positives, a device running Malwarebytes EP also ran three benign programs designed to mimic ransomware behavior.

Malwarebytes blocked 100 percent of ransomware threats in the MRG Effitas assessment and did so with no false positives, allowing the three benign programs to run. For this we earned the 360° Ransomware Certification.

Nebula view of detected ransomware activity 

100% of banking malware blocked

In 2021, 37% of banking malware attacks targeted corporate users.

We were one of the few vendors who earned a 360° Online Banking Certification, which means Malwarebytes EP stopped 100% of threats designed to steal financial information and money from victim’s accounts. To outperform the others, our unique detection technology again came into play.

Malwarebytes EP autoblocked 100% of the 25 financial malware samples, the Magecart credit card-skimming attack, and Botnets designed to steal credentials. 

100% of zero-day threats blocked

One of the many strong suits of our detection is that it can detect malware that has never been seen before, also called zero-day malware. Again, we were one of the only vendors to detect and block these pernicious threats, which account for 80% of successful breaches.

Built on machine learning (ML) and behavioral analysis techniques, our behavior-based detection enabled Malwarebytes EP to detect and autoblock 100% of all zero-day threats. For this, as well as blocking all Botnets, we earned the 360° Level 1 Certification.

100% of exploits blocked

The anti-exploit feature of Malwarebytes EP protects organizations from one of the most advanced cyber attacks: zero-day exploits targeting browser and application vulnerabilities. But don’t take our word for it: MRG Effitas used 8 different exploitation techniques to try and deliver a malicious payload on a device running Malwarebytes EP—but they didn’t get very far.

Malwarebytes earned the 360° Exploit Certification for autoblocked 100% of Exploit/Fileless attacks, entirely protecting the system from infection.

We were one of the few to earn the 360° Exploit Certification all thanks to our proprietary anti-exploit technology, which wraps vulnerable programs in four defensive layers that prevent an exploit from installing its payload, or even executing initial shellcode.

Our four layers of exploit protection

Anti-exploit settings in Nebula

Consistency is key

If there is one shining take away from this accomplishment, it’s that consistency is key.

You don’t want a security solution that passes rigorous tests like MRG Effitas only some of the time. You want a solution that passes them with flying colors all of the time. Clearly, Malwarebytes EP, and by extension our EDR and MDR, is that solution.

For organizations that are concerned their current solution may not be up-to-par, the MRG Effitas assessment has demonstrated—more constantly than anybody else—that Malwarebytes for Business has what it takes to keep your business safe from today’s most pressing cyberthreats.

Download THE ebook for full results

On June 13, 2023 the Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive (BOD) 23-02. BOD 23-02 is titled Mitigating the Risk from Internet-Exposed Management Interfaces, and requires federal civilian agencies to remove specific networked management interfaces from the public-facing internet, or implement Zero Trust Architecture capabilities that enforce access control to the interface within 14 days of discovery.

Harsh as that may sound, there is a lot to be said for the strategy of shielding management interfaces from public internet access, or if that’s not an option, to apply every possible access control to make sure that only authorized people have access to the management part of the application.

As we have experienced a few times, applying timely patches is absolutely no guarantee you’ll be safe. Take for example the recent MOVEit vulnerability that was used against hundreds of victims before anyone even became aware of the fact that the vulnerability existed.

And new vulnerabilities are disclosed at a worrying rate. To demonstrate that point, here’s a quick roundup of the ones I looked at just yesterday.

• Researchers discovered two dangerous vulnerabilities with Azure Bastion and Azure Container Registry that could allow attackers to achieve cross-site scripting (XSS), injecting malicious scripts into trusted websites. Exploitation of the vulnerabilities could have potentially allowed hackers to gain access to a target’s session within the compromised Azure service.
• Zyxel warned its NAS (Network Attached Storage) devices users to update their firmware to fix a critical severity command injection vulnerability. The newly discovered vulnerability, CVE-2023-27992, is a pre-authentication command injection problem that could allow an unauthenticated attacker to execute operating system commands by sending specially crafted HTTP requests.
• VMWare published a security advisory about multiple vulnerabilities in Aria Operations for Networks. Of these vulnerabilities, CVE-2023-20887 was confirmed to be exploited in the wild. Successful exploitation would allow a malicious actor with network access to VMware Aria Operations for Networks to perform a command injection attack resulting in remote code execution.
• We reported about ASUS fixing nine security flaws in several router models. Among them were two critical vulnerabilities that could lead to memory corruption, and one vulnerability that could allow a remote unauthenticated attacker to achieve arbitrary code execution.

These are applications and services that we find in many organizations’ networks. Finding the vulnerable instances and applying the patches could be more than a day’s work in some cases.

But, a workaround that would have worked for many of the above is disablingor minimizing the internet facing access.

This supports the warning from CISA director Jen Easterly, who said:

“Too often, threat actors are able to use network devices to gain unrestricted access to organizational networks, in turn leading to full-scale compromise. Requiring appropriate controls and mitigations outlined in this Directive is an important step in reducing risk to the federal civilian enterprise. While this Directive only applies to federal civilian agencies, as the threat extends to every sector, we urge all organizations to adopt this guidance. When it comes to reducing cyber risk and ensuring resilience, we all have a role to play.”

Recommendations

In a nutshell, the recommendations from CISA to minimize your attack surface are:

• Remove management interfaces from the internet by making them only accessible from an internal enterprise network. CISA recommends network segmentation to create an isolated management network.
• Deploy capabilities that enforce access control to the interface through a policy enforcement point separate from the interface itself. In other words, don’t rely on the access control of the instance itself, once it’s vulnerable it could be easy to circumvent.

For more information, we encourage you to read the directive. While the primary audience for this document is FCEB agencies, other organizations may find the content useful.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

You’ve done it, you’ve got married. The big day is over, and while you’re relaxing on honeymoon you definitely don’t want to get distracted by security problems. So, we rounded up some quick tips to keep you safe.

• Refrain from posting on social media about your honeymoon. This is good practice before you leave as well. You don’t want people knowing that your home will be empty, so it’s better to wait to show off your honeymoon happiness until you get back home.
• Feel free to use a VPN. Hotel and airport Wi-Fi is safer now than years ago, thanks to HTTPS everywhere. But if you still can’t shake the feeling of being “exposed,” use a VPN you trust. 
• Turn on Find My device. Both iOS and Android offer ways for you to track your device. So turn this on before you go, and if you lose your device you can remotely wipe it, or even leave a message on the screen for whoever finds it.
• Use strong passwords and encryption. If you don’t use a strong password on all devices, now is the time to change that. Better still, invest in a Password Manager. And make sure that all data stored on your devices is encrypted and backed up before you go.
• Turn off Bluetooth connectivity. As a rule of thumb, turn it off it if you don’t use it. If you can’t do that, disable it when it’s not in use. Keeping it enabled could allow someone to discover what other devices you have connected to before, pretend to be one of those devices, and gain access to your device.
• Leave your device in the hotel’s safe. When you’re not using a device, keep it in the safe. What you don’t bring along, you can’t lose or drop in the ocean.

Happy honeymoon!

DNA testing has long been a hot-button issue for security and privacy. Concerns about everything from law enforcement and data retention to job offers and insurance have all been examined at great length. With millions of people signing up to use these services, it was only a matter of time before something went wrong.

Well, the inevitable legal clash is now here and comes courtesy of the Federal Trade Commission which has made a complaint in relation to an alleged failure to protect client privacy. From the FTC release:

The Federal Trade Commission charged that the genetic testing firm 1Health.io left sensitive genetic and health data unsecured, deceived consumers about their ability to get their data deleted, and changed its privacy policy retroactively without adequately notifying and obtaining consent from consumers whose data the company had already collected.

According to the FTC, close to 2,400 reports about consumers and “raw genetic data” of at least 227 people was at risk. This is because despite claims of rock solid security, sensitive data was being stored in publicly accessible Amazon Web Service buckets. According to the complaint, the data in the storage buckets was not encrypted, no monitoring was taking place with regard to who was accessing it, and there were no access restrictions in place either.

In fact, the company was warned “at least” three times across a two year period about the insecure buckets. When a security researcher contacted the company in 2019 regarding the buckets, the issue was finally investigated and the customers whose data was potentially exposed were notified.

Elsewhere, promises related to destroying retained DNA samples with a consumer’s name or other identifying information were not kept. 1Health—previously known as Vitagene—claimed on its website that DNA was not stored, and that consumers could delete their personal information at any time. When this request occurred, the company said, the data would be scrubbed from the company’s servers and all DNA saliva samples would be similarly destroyed once they had been analyzed.

However, from 2016 the company “did not implement a policy to ensure that the lab that analysed the DNA samples had a policy in place to destroy them”, alleges the FTC. In 2020, the company’s privacy policy was changed to retroactively expand the kinds of third parties that it could potentially share consumer’s data with.

Some examples given are supermarket chains and nutrition/supplement manufacturers. There was no need to notify consumers who had previously shared personal data with the company, nor was there a need to obtain their consent to share it, according to the complaint.

In terms of what happens next, the DNA firm must pay $75,000 which the FTC will use for consumer refunds. Additionally, under the proposed order, the company:

• Will be prohibited from sharing health data with third parties—including information provided by consumers before and after its 2020 privacy policy change—without obtaining consumers’ affirmative express consent;
• Must ensure any company that purchases all or parts of 1Health’s business agrees by contract to adhere to provisions of the order;
• Must notify the FTC about incidents of unauthorised disclosure of consumers’ personal health data; and
• Must implement a comprehensive information security program addressing the security failures outlined in the complaint.

All of this is in addition to the DNA deletion requirement.

The consent agreement package will be made live soon, at which point the public can comment for 30 days prior to the decision on whether the proposed consent order is made final.

This may be the case which makes people think twice about handing over valuable DNA data to organisations claiming to use top of the line security measures alongside consumer friendly privacy policies. If major alterations can be applied retroactively, you may be at risk. The FTC has this to say:

“Companies that try to change the rules of the game by re-writing their privacy policy are on notice. The FTC Act prohibits companies from unilaterally applying material privacy policy changes to previously collected data.”

Depending on both your location and that of the company you had your data too, the FTC may not be able to do something about it should something go wrong at a later date.

We don’t just write about threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

The University of Manchester has fallen victim to a ransomware gang, who are currently applying an interesting twist to their attack. Blackmail and pressure are two ways to extract funds from potential victims. We see this in sextortion cases, as well as in social engineering. Here, the fraudsters are directly mailing affected students in an effort to exert more pressure on the University of Manchester to pay up.

The incident, first discovered on June 6th, involved the likely theft of data by an unauthorised party. Bleeping Computer says it was informed by sources that the attack was ransomware.

The University has not confirmed if ransomware was used specifically, or if the attackers were only interested in stealing data. At time of writing, its cyber incident update page still makes no mention of it:

During the week commencing 6 June, we found out that the University is the victim of a cyber incident. It has been confirmed that some of our systems have been accessed by an unauthorised party and data has likely been copied.

Our in-house experts and external support are working around-the-clock to resolve this incident, and to understand what data has been accessed.

While there are several sets of detailed instruction and information available to students in need of guidance, the threat of data leakage has been hanging over the incident since day one. Sadly, we seem to be at that point now and the University is not playing ball with the attacker’s demands.

As a result, emails like the below are being sent to students:

We have stolen 7TB of data, including confidential personal information from students and staff, research data, medical data, police reports, drug test results, databases, HR documents, finance documents, and more. The administration is fully aware of the situation had had been in discussion with us for over a week. They, however, value money about the privacy and security of their students and employees. They do not care about you or that ALL of your personal  information and research work will soon be sold/or made public!

The mail then goes on to list several professors, as well as stating that this is the last warning people from the University will receive.

The aim here is to cause a mass panic of angry students demanding that the University pays up. It’s certainly a bold strategy. It’s also very likely to fail. However, ransom success is probably not the aim of the game here. This feels much more like a scorched earth approach.

You won’t pay up? Fine. We’ll cause some chaos on your campus instead.

I have to say, I don’t think this approach will work either despite the (understandably) aggrieved tweets from some students.

Ngl I think @OfficialUoM staff and @ManchesterSU students should strike until the hacking incident has been dealt with.

No way am I going to work when I get emails from the hackers stating today is their last warning before they leak all personal and professional data.

Byeee✌?

— Ele ? (@Ele_Clayton) June 20, 2023

As Bleeping Computer notes, no group has claimed responsibility for this attack yet. If the threats are genuine, you should expect to see the data dump uploaded to a site with a countdown timer at some point. Then we’ll know for sure who is behind it.

How to avoid ransomware

• Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
• Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
• Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
• Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
• Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

ASUS has released firmware updates for several router models fixing two critical and several other security issues.

The new firmware with accumulated security updates is available for the models GT6, GT-AXE16000, GT-AX11000 PRO, GT-AXE11000, GT-AX6000, GT-AX11000, GS-AX5400, GS-AX3000, XT9, XT8, XT8 V2, RT-AX86U PRO, RT-AX86U, RT-AX86S, RT-AX82U, RT-AX58U, RT-AX3000, TUF-AX6000, and TUF-AX5400.

You will find the latest firmware available for download from the ASUS support page or the appropriate product page. ASUS has also provided a link to new firmware for selected routers at the end of their security advisory.

When in doubt you can find the model number on the sticker which can usually be found on the back side of the router.

Example: the model RT-AX86U which is on the list

General instructions on how to update router firmware can be found here

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The new firmware incorporates the following security fixes:  CVE-2023-28702, CVE-2023-28703, CVE-2023-31195, CVE-2022-46871, CVE-2022-38105, CVE-2022-35401, CVE-2018-1160, CVE-2022-38393, and CVE-2022-26376.

The critical CVEs patched in these updates are:

CVE-2022-26376: A memory corruption vulnerability exists in the httpd unescape functionality of Asuswrt prior to 3.0.0.4.386_48706 and Asuswrt-Merlin New Gen prior to 386.7.. A specially-crafted HTTP request can lead to memory corruption. An attacker can send a network request to trigger this vulnerability.

The Asuswrt-Merlin New Gen is an open source firmware alternative for Asus routers. The unescaped function in this firmware assumes that after a % there are always at least two characters. If this is not the case, one of the instructions in the function cause an out-of-bounds read. Out of bounds reads can lead to crashes or other unexpected vulnerabilities, and may allow an attacker to read sensitive information that they should not have access to.

CVE-2018-1160: Netatalk before 3.1.12 is vulnerable to an out of bounds write in dsi_opensess.c. This is due to lack of bounds checking on attacker controlled data. A remote unauthenticated attacker can leverage this vulnerability to achieve arbitrary code execution.

Netatalk is a free, open-source implementation of the Apple Filing Protocol (AFP). It allows Unix-like operating systems to serve as file servers for Macintosh computers running macOS or Classic Mac OS.

This is a 5 year old vulnerability for which several exploits are publicly available.

Since many, especially home users will shy away of applying firmware, it is important to heed the advice offered by ASUS that says:

“Please note, if you choose not to install this new firmware version, we strongly recommend disabling services accessible from the WAN side to avoid potential unwanted intrusions. These services include remote access from WAN, port forwarding, DDNS, VPN server, DMZ, port trigger.”

General instructions on how to disable the WAN access can be found here under point 7.

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.