IT NEWS

DNA testing has long been a hot-button issue for security and privacy. Concerns about everything from law enforcement and data retention to job offers and insurance have all been examined at great length. With millions of people signing up to use these services, it was only a matter of time before something went wrong.

Well, the inevitable legal clash is now here and comes courtesy of the Federal Trade Commission which has made a complaint in relation to an alleged failure to protect client privacy. From the FTC release:

The Federal Trade Commission charged that the genetic testing firm 1Health.io left sensitive genetic and health data unsecured, deceived consumers about their ability to get their data deleted, and changed its privacy policy retroactively without adequately notifying and obtaining consent from consumers whose data the company had already collected.

According to the FTC, close to 2,400 reports about consumers and “raw genetic data” of at least 227 people was at risk. This is because despite claims of rock solid security, sensitive data was being stored in publicly accessible Amazon Web Service buckets. According to the complaint, the data in the storage buckets was not encrypted, no monitoring was taking place with regard to who was accessing it, and there were no access restrictions in place either.

In fact, the company was warned “at least” three times across a two year period about the insecure buckets. When a security researcher contacted the company in 2019 regarding the buckets, the issue was finally investigated and the customers whose data was potentially exposed were notified.

Elsewhere, promises related to destroying retained DNA samples with a consumer’s name or other identifying information were not kept. 1Health—previously known as Vitagene—claimed on its website that DNA was not stored, and that consumers could delete their personal information at any time. When this request occurred, the company said, the data would be scrubbed from the company’s servers and all DNA saliva samples would be similarly destroyed once they had been analyzed.

However, from 2016 the company “did not implement a policy to ensure that the lab that analysed the DNA samples had a policy in place to destroy them”, alleges the FTC. In 2020, the company’s privacy policy was changed to retroactively expand the kinds of third parties that it could potentially share consumer’s data with.

Some examples given are supermarket chains and nutrition/supplement manufacturers. There was no need to notify consumers who had previously shared personal data with the company, nor was there a need to obtain their consent to share it, according to the complaint.

In terms of what happens next, the DNA firm must pay $75,000 which the FTC will use for consumer refunds. Additionally, under the proposed order, the company:

• Will be prohibited from sharing health data with third parties—including information provided by consumers before and after its 2020 privacy policy change—without obtaining consumers’ affirmative express consent;
• Must ensure any company that purchases all or parts of 1Health’s business agrees by contract to adhere to provisions of the order;
• Must notify the FTC about incidents of unauthorised disclosure of consumers’ personal health data; and
• Must implement a comprehensive information security program addressing the security failures outlined in the complaint.

All of this is in addition to the DNA deletion requirement.

The consent agreement package will be made live soon, at which point the public can comment for 30 days prior to the decision on whether the proposed consent order is made final.

This may be the case which makes people think twice about handing over valuable DNA data to organisations claiming to use top of the line security measures alongside consumer friendly privacy policies. If major alterations can be applied retroactively, you may be at risk. The FTC has this to say:

“Companies that try to change the rules of the game by re-writing their privacy policy are on notice. The FTC Act prohibits companies from unilaterally applying material privacy policy changes to previously collected data.”

Depending on both your location and that of the company you had your data too, the FTC may not be able to do something about it should something go wrong at a later date.

We don’t just write about threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

The University of Manchester has fallen victim to a ransomware gang, who are currently applying an interesting twist to their attack. Blackmail and pressure are two ways to extract funds from potential victims. We see this in sextortion cases, as well as in social engineering. Here, the fraudsters are directly mailing affected students in an effort to exert more pressure on the University of Manchester to pay up.

The incident, first discovered on June 6th, involved the likely theft of data by an unauthorised party. Bleeping Computer says it was informed by sources that the attack was ransomware.

The University has not confirmed if ransomware was used specifically, or if the attackers were only interested in stealing data. At time of writing, its cyber incident update page still makes no mention of it:

During the week commencing 6 June, we found out that the University is the victim of a cyber incident. It has been confirmed that some of our systems have been accessed by an unauthorised party and data has likely been copied.

Our in-house experts and external support are working around-the-clock to resolve this incident, and to understand what data has been accessed.

While there are several sets of detailed instruction and information available to students in need of guidance, the threat of data leakage has been hanging over the incident since day one. Sadly, we seem to be at that point now and the University is not playing ball with the attacker’s demands.

As a result, emails like the below are being sent to students:

We have stolen 7TB of data, including confidential personal information from students and staff, research data, medical data, police reports, drug test results, databases, HR documents, finance documents, and more. The administration is fully aware of the situation had had been in discussion with us for over a week. They, however, value money about the privacy and security of their students and employees. They do not care about you or that ALL of your personal  information and research work will soon be sold/or made public!

The mail then goes on to list several professors, as well as stating that this is the last warning people from the University will receive.

The aim here is to cause a mass panic of angry students demanding that the University pays up. It’s certainly a bold strategy. It’s also very likely to fail. However, ransom success is probably not the aim of the game here. This feels much more like a scorched earth approach.

You won’t pay up? Fine. We’ll cause some chaos on your campus instead.

I have to say, I don’t think this approach will work either despite the (understandably) aggrieved tweets from some students.

Ngl I think @OfficialUoM staff and @ManchesterSU students should strike until the hacking incident has been dealt with.

No way am I going to work when I get emails from the hackers stating today is their last warning before they leak all personal and professional data.

Byeee✌?

— Ele ? (@Ele_Clayton) June 20, 2023

As Bleeping Computer notes, no group has claimed responsibility for this attack yet. If the threats are genuine, you should expect to see the data dump uploaded to a site with a countdown timer at some point. Then we’ll know for sure who is behind it.

How to avoid ransomware

• Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
• Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
• Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
• Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
• Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

ASUS has released firmware updates for several router models fixing two critical and several other security issues.

The new firmware with accumulated security updates is available for the models GT6, GT-AXE16000, GT-AX11000 PRO, GT-AXE11000, GT-AX6000, GT-AX11000, GS-AX5400, GS-AX3000, XT9, XT8, XT8 V2, RT-AX86U PRO, RT-AX86U, RT-AX86S, RT-AX82U, RT-AX58U, RT-AX3000, TUF-AX6000, and TUF-AX5400.

You will find the latest firmware available for download from the ASUS support page or the appropriate product page. ASUS has also provided a link to new firmware for selected routers at the end of their security advisory.

When in doubt you can find the model number on the sticker which can usually be found on the back side of the router.

Example: the model RT-AX86U which is on the list

General instructions on how to update router firmware can be found here

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The new firmware incorporates the following security fixes:  CVE-2023-28702, CVE-2023-28703, CVE-2023-31195, CVE-2022-46871, CVE-2022-38105, CVE-2022-35401, CVE-2018-1160, CVE-2022-38393, and CVE-2022-26376.

The critical CVEs patched in these updates are:

CVE-2022-26376: A memory corruption vulnerability exists in the httpd unescape functionality of Asuswrt prior to 3.0.0.4.386_48706 and Asuswrt-Merlin New Gen prior to 386.7.. A specially-crafted HTTP request can lead to memory corruption. An attacker can send a network request to trigger this vulnerability.

The Asuswrt-Merlin New Gen is an open source firmware alternative for Asus routers. The unescaped function in this firmware assumes that after a % there are always at least two characters. If this is not the case, one of the instructions in the function cause an out-of-bounds read. Out of bounds reads can lead to crashes or other unexpected vulnerabilities, and may allow an attacker to read sensitive information that they should not have access to.

CVE-2018-1160: Netatalk before 3.1.12 is vulnerable to an out of bounds write in dsi_opensess.c. This is due to lack of bounds checking on attacker controlled data. A remote unauthenticated attacker can leverage this vulnerability to achieve arbitrary code execution.

Netatalk is a free, open-source implementation of the Apple Filing Protocol (AFP). It allows Unix-like operating systems to serve as file servers for Macintosh computers running macOS or Classic Mac OS.

This is a 5 year old vulnerability for which several exploits are publicly available.

Since many, especially home users will shy away of applying firmware, it is important to heed the advice offered by ASUS that says:

“Please note, if you choose not to install this new firmware version, we strongly recommend disabling services accessible from the WAN side to avoid potential unwanted intrusions. These services include remote access from WAN, port forwarding, DDNS, VPN server, DMZ, port trigger.”

General instructions on how to disable the WAN access can be found here under point 7.

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

When you think about the word “cyberthreat,” what first comes to mind? Is it ransomware? Is it spyware? Maybe it’s any collection of the infamous viruses, worms, Trojans, and botnets that have crippled countless companies throughout modern history. 

In the future, though, what many businesses might first think of is something new: Disinformation. 

Back in 2021, in speaking about threats to businesses, the former director of the US Cybersecurity and Infrastructure Security Agency, Chris Krebs, told news outlet Axios: “You’ve either been the target of a disinformation attack or you are about to be.”

That same year, the consulting and professional services firm Price Waterhouse Coopers released a report on disinformation attacks against companies and organizations, and it found that these types of attacks were far more common than most of the public realized. From the report: 

“In one notable instance of disinformation, a forged US Department of Defense memo stated that a semiconductor giant’s planned acquisition of another tech company had prompted national security concerns, causing the stocks of both companies to fall. In other incidents, widely publicized unfounded attacks on a businessman caused him to lose a bidding war, a false news story reported that a bottled water company’s products had been contaminated, and a foreign state’s TV network falsely linked 5G to adverse health effects in America, giving the adversary’s companies more time to develop their own 5G network to compete with US businesses.”

Disinformation is here, and as much of it happens online—through coordinated social media posts and fast-made websites—it can truly be considered a “cyberthreat.” 

But what does that mean for businesses? 

Today, on the Lock and Code podcast with host David Ruiz, we speak with Lisa Kaplan, founder and CEO of Alethea, about how organizations can prepare for a disinformation attack, and what they should be thinking about in the intersection between disinformation, malware, and cybersecurity. Kaplan said:

“When you think about disinformation in its purest form, what we’re really talking about is people telling lies and hiding who they are in order to achieve objectives and doing so in a deliberate and malicious life. I think that this is more insidious than malware. I think it’s more pervasive than traditional cyber attacks, but I don’t think that you can separate disinformation from cybersecurity.”

Tune in today. 

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use. 

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

The ramifications of a Reddit breach which occurred back in February are now being felt, with the attackers threatening to leak the stolen data. The February attack, billed as a “sophisticated phishing campaign” by Reddit, involved an attempt to swipe credentials and two-factor authentication tokens.

One employee was tricked into handing over details, and then reported what had happened to Reddit. Its security team locked things down and began investigating.

The employee’s credentials were reportedly used to gain access to “some internal docs, code, as well as some internal dashboards and business systems”, which exposed “limited contact information” for company contacts and employees, and information about advertisers.

Reddit advised users that their passwords were safe, and so there was no need to alter login details. There were also “no signs” that the breach impacted “the parts of our stack that run Reddit and store the majority of our data, or any of your non-public data”. At the time, Reddit received praise for the clarity of the messaging. “This happened, that didn’t, your login is fine” is somewhat unusual in these situations and messaging is often confusing or even simply absent for far too long.

It seems we’re finally about to find out how on the money Reddit’s assessment of the situation was. Bleeping Computer reports that the Black Cat ransomware group is claiming responsibility for the attack. Worse, its threatening to drop roughly 80GB of data online after supposed attempts to claim a ransom of $4.5m were ignored.

Here’s what Black Cat—also known as ALPHV—has to say about this one:

…I am very happy to know that the public will be able to read all about the statistics they track about their users and all the interesting confidential data we took. Did you know they also silently censor users?

Bold claims indeed, but nobody will know for sure how much of the claims is true or simply bluster until and unless the files are leaked. Interestingly, Black Cat is also demanding that Reddit alters its controversial API pricing changes.

Bleeping Computer notes that nothing was encrypted in this attack; it appears that this was “just” about grabbing as much data as possible and using it to extort money from the victim. A double threat ransomware attack without the ransomware, if you will. Even so, this still presents a major headache for Reddit even without having to worry about encrypted devices.

At this point, nobody knows what exactly may leak when the data drop comes (if it ever does). There is no suggestion from the Black Cat group that passwords were grabbed, so that’s one plus point for Reddit users. As for the rest of it, this seems like a mess for the Reddit CEO and team to deal with.

Black Cat is definitely one of the more prominent ransomware players in recent times, with a string of high-impact and notable attacks. Lehigh Valley Health network in Pennsylvania was hit hard in February of this year, with an understandable furore over photos of breast cancer patients. Elsewhere, the dedicated leak site continues to play to its strengths as we can see with the current Reddit story. As you can see from our June Ransomware review, Black Cat is always close to the top of the pile where infections are concerned. Time may be running out for Reddit as far as the above breach goes, but with a little bit of pre-planning your organisation doesn’t have to meet the same fate.

How to avoid ransomware

• Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
• Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
• Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
• Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
• Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Do you have an impending new arrival in your family of the small and very noisy variety? If so, you’re probably going to invest in a baby monitor for peace of mind both at night and during the day. But do you know what kind of monitor you’re going to buy? Will it be audio only, or have images? Will it be Wi-Fi, or the non Wi-Fi kind? Did you know there’s a non Wi-Fi kind?

As it happens, you don’t have to buy an internet connected device for one of the most private areas of your home. There’s plenty of cheap Internet of Things (IoT) baby monitors out there with default passwords baked in, insecurely stored data, and an alarming amount of compromise stories in the news. If you wish, you can bypass this problem almost completely and go for a device entirely lacking in internet functionality.

The trade-off in this situation is that the device you buy won’t have as many features as a Wi-Fi product, such as the ability to check in on your baby on an app on your phone if you’ve got a babysitter for the evening. However, if all you really care about is monitoring your baby when you’re not in the same room as them, then you can probably go for something more basic.

Non-internet connected baby monitors come with a standalone screen. These screens connect back to the camera in your child’s room. Instead of Wi-Fi, they use other technologies called Digital Enhanced Cordless Telecommunications (DECT) and Frequency Hopping Spread Spectrum (FHSS).

FHSS is one alternative to smart home networks and IoT devices. It rapidly switches frequency when in operation, which can mean a very low chance of someone trying to compromise the device. This isn’t to say a non Wi-Fi camera is unhackable, but given the short range of transmission for these devices, someone would have to be very close to your home to begin poking around. Much the same can be said with baby monitors that use DECT. 

An internet-connected baby monitor is more out of your control. Even if you lock things down at your end with secure passwords it could go wrong if the company you use reveals that footage of your child was stored on an open server somewhere.

In fact, the data doesn’t need to be accidentally stored on an open server at all. Sometimes, the people responsible for keeping your information safe have other ideas in mind. Amazon’s Ring was recently fined by the FTC after it was discovered that every employee had previously had access Ring videos, with some abusing that power to look through users’ personal videos. The FTC also highlighted lack of proper security precautions related to warding off attacks, such as credential stuffing.

If you sign up to a home IoT system managed by one organisation, this is what you might be facing from the very entities you’re entrusting with the most personal details of your living space. It’s probably low risk, but it’s a risk all the same. With this in mind, if you want to go down the Wi-Fi route, here are some tips for securing your baby monitor.

Tips for keeping your baby monitor safe

1. Change your password: Some cheap devices may ship with passwords that cannot be changed, ever. If this is the case, those passwords are almost certainly available online for anyone to see. Avoid those at all costs and get one where you can change the password. Then change the password as soon as you set up your monitor.
2. Make your password strong: A weak password could let someone into your baby monitor and allow them to view videos, or even speak over the monitor.
3. Use multi-factor authentication (MFA): Pick a baby monitor that allows you to use multi-factor (or 2-factor) authentication. This means that even if someone manages to guess your password, they won’t be able to get into your account.
4. Keep your videos stored locally: There are perhaps specific reasons why you may want recordings from your child’s room stored somewhere. If so, go for a product which allows local saving. It’s simply not worth the risk of footage making its way into the cloud, and other people’s hands.
5. Turn it off: If you don’t need a camera enabled in your baby’s room, then consider powering it down when not needed. The window of opportunity for breaking into a device is made even smaller if nobody can access it, so when your baby is elsewhere just flip that switch.

As with all digital toys, really have a think about what you need in a device. If you don’t need to see your baby over an app when you’re away from home, then maybe there’s no need for an internet enabled monitor. The more connected you make your home, the more potential security risks you introduce.

We don’t just write about threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Last week on Malwarebytes Labs:

• MOVEit discloses THIRD critical vulnerability
• Fake security researchers push malware files on GitHub
• LockBit ransomware advisory from CISA provides interesting insights
• Microsoft fixes six critical vulnerabilities in June Patch Tuesday
• Update Chrome now! Google fixes critical vulnerability in Autofill payments
• Ticket scammers target Taylor Swift tour
• Edge browser feature sends images you view back to Microsoft
• Strava heatmap loophole may reveal users’ home addresses
• More MOVEit vulnerabilities found while the first one still resonates
• Public and free WiFi: Can I safely use it?

Stay safe!

A particularly nasty slice of phishing, scamming, and social engineering is responsible for DoorDash drivers losing a group total of around $950k.

DoorDash drivers are contractors who pick up food deliveries from stores and restaurants and deliver the products to the customer. A 21 year old man named David Smith, from Connecticut, allegedly figured out a way to extract large quantities of cash from drivers with a scam stretching back to 2020. Incredibly, this means it all began when he was 18. There’s picking up a new hobby, and then there’s this.

The theft would begin by placing a bogus DoorDash order, receiving the driver details, and then contacting said driver by text and / or phone claiming to be DoorDash support. From here, the driver would be convinced to hand over banking details or log in to a fake portal. The end result would be a loss of funds, and potentially not being able to do their job.

Considering that this took place during the pandemic, targeting drivers may have had a significant impact on vulnerable people whose only way to get food was via services like DoorDash. As with so many scams of this nature, the impact ripples out from the initial victim and never quite stops where you expect it to.

A typical example of how the scam would play out is highlighted in the Stamford Advocate. One driver on her way to a supermarket received a text which advised her not to complete her current order. A call followed, with the individual claiming to be from DoorDash support. He claimed a scam was being perpetuated by drivers, and he needed to make sure that she wasn’t involved.

He sent her a link to verify her identity, and then said she wouldn’t be able to access her earnings / account for roughly four days. Thankfully a reference to a fictitious DoorDash promo tipped her off that something wasn’t right, and she altered her login credentials just in time. Others were not so lucky, with one driver named in the Stamford article losing close to $5,000. A third lost somewhere in the region of $2,000 after being tricked by three scams in a row.

1,750 transactions in total ensured a steady stream of ill-gotten gains for the individual allegedly at the heart of the scheme. Variations on this scam included calls from “DoorDash security” which eventually resulted in banking details being handed over. In some cases, victims may never be identified due to the way some of the reports of theft have been stored in DoorDash’s systems.

It seems the only reason law enforcement has a name for this case at all is by sheer chance, after stumbling upon $700,000+ inside lockboxes while investigating an unrelated incident. At this point in time, it’s not clear that all of the 700 drivers will get their lost funds back.

The Stamford Advocate notes that Smith faces charges of “first-degree larceny, third-degree identity theft, two counts of second-degree forgery, trafficking in personal identifying information and first-degree computer crime”.

The court appearance is scheduled for July 6.

DoorDash mentions that drivers are trained to look out for scams and attacks, but this one managed to sneak in under the radar. While most people wouldn’t dream of targeting gig economy workers during a pandemic, unfortunately some people aren’t most people. All it took here was one individual with a game plan to cheat 700 folks out of close to a million dollars.

How to avoid phishing

• Block known bad websites. Malwarebytes DNS filtering blocks malicious websites used for phishing attacks, as well as websites used to spread or control malware.
• Don’t take things at face value. Phishing attacks often seem to come from brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Take action. If you receive a phishing attempt act work, report it to your IT or security team. If you fall for a phish, make your data useless: If you entered a password, change it, if you entered credit card details, change the card.
• Use a password manager. Password managers can create, remember, and fill in passwords for you. They protect you against phishing because they won’t enter your credentials into a fake site.
• use a FIDO 2FA device. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

The US Department of State’s national security rewards program, Rewards for Justice (RFJ), is offering a reward of up to $10 million for information linking the Cl0p ransomware gang, or any other malicious cyber actors targeting US critical infrastructure, to a foreign government.

Advisory from @CISAgov, @FBI: https://t.co/jenKUZRZwt

Do you have info linking CL0P Ransomware Gang or any other malicious cyber actors targeting U.S. critical infrastructure to a foreign government?

Send us a tip. You could be eligible for a reward.#StopRansomware pic.twitter.com/fAAeBXgcWA

— Rewards for Justice (@RFJ_USA) June 16, 2023

This is not really new. RFJ’s statutory authorities offers rewards for information in four broad categories and one of them is:

Malicious Cyber Activity For information that identifies or locates any individual who, while acting at the direction or under the control of a foreign government, aids or abets a violation of the Computer Fraud and Abuse Act  (“CFAA”), 18 U.S.C. § 1030. This includes foreign election interference.

But the Tweet explicitly mentioning Cl0p is new. The gang is thought to be behind a recent ransomware spree that compromised a large number of organizations by exploiting a zero-day flaw in Progress’ MOVEit Transfer software.

With as many as 2,500 targets exposed on the Internet, the number of potential victims could be in the hundreds. Some of them have already confirmed, either by the firms themselves or by  being mentioned on the Cl0p leak site.

Campaigns like Cl0p’s abuse of the MOVEit vulnerability, or high profile attacks like the one on Colonial Pipeline in 2021, can trigger an extra focus on the specific ransomware group responsible. Perhaps aware of this, Cl0p took to its website to preemptively promise that it was not going to use data stolen from government organizations and would delete it instead.

It seems that was not enough to avoid getting in the cross-hairs of the US federal government, as we predicted just hours before. The tweet appeared shortly after our own Cybersecurity Evangelist, Mark Stockley, expressed his doubts that Cl0p’s plan would help them avoid unwanted attention from law enforcement.

“Cl0p’s approach supposes that the US government would react more strongly to sensitive data being leaked than it would to multiple simultaneous breaches by the same criminal organisation. This ignores the fact that by using zero-days to attack hundreds of targets simultaneously, including parts of the federal government, Cl0p has already made itself ransomware’s squeakiest wheel.”

And don’t think that all these ransomware operators sit safely out of reach, behind what used to be an iron curtain. The recent arrest of Ruslan Magomedovich Astamirov, a ransomware actor associated with LockBit, in Arizona, shows that the cybercriminals think they can hide anywhere if they are careful enough.

US Attorney Philip R. Sellinger for the District of New Jersey said:

“Astamirov is the third defendant charged by this office in the LockBit global ransomware campaign, and the second defendant to be apprehended. The LockBit conspirators and any other ransomware perpetrators cannot hide behind imagined online anonymity. We will continue to work tirelessly with all our law enforcement partners to identify ransomware perpetrators and bring them to justice.”

Also, some criminals can’t help themselves and need to show off how rich they are or how clever they think they are. The best example may be Mark Sokolovsky. This Ukrainian national and alleged cybercriminal loved posting selfies with fistfuls of cash. When the Russian invasion of Ukraine caused him to flee the country, his girlfriend posted pictures of the couple’s journey on her Instagram account. Sokolovsky was arrested in the Netherlands and is awaiting extradition to the US, accused of being a key player in the cybercrime operation behind Raccoon Stealer.

So, if you’re in the market for a $10 million reward, happy hunting. And for anyone eligible, I’m throwing in a free copy of Malwarebytes Premium. You’ll need it.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

In chess, the threefold repetition rule states that a player may claim a draw if the same position occurs three times during the game. Whether this means that customers of the popular file transfer utility MOVEit Transfer can ask for their money back remains to be seen, but we do hope it signals the end of the game.

Let’s do a small recap first, because it’s easy to lose track here. The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. We will use these CVE numbers where available.

Timeline:

• On May 31, 2023 Progress released a security bulletin about CVE-2023-34362, a vulnerability in MOVEIt Transfer that was being actively exploited. At the time we had a few details about how it was being exploited, but not by who.
• Over the next few days it became clear that the Cl0p ransomware group had been testing the vulnerability since July 2021 and decided to deploy it over the Memorial Day weekend. The first victims became known.
• A second vulnerability was found while new victims were still coming forward. After the first vulnerability was discovered, MOVEit’s owner Progress Software partnered with third-party cybersecurity experts to conduct further detailed code reviews of the software and found CVE-2023-35036. Progress posted a new bulletin about it on June 9, 2023.
• On June 15, 2023, Progress published information about a third critical vulnerability which got listed as CVE-2023-35708 on June 16.

This latest vulnerability could lead to escalated privileges and potential unauthorized access to the environment.

Please note that it is very important to follow the instructions outlined in the latest advisory regarding the order in which the patches need to be applied and based on how many patches have already been applied.

The best advice provided by Progress is probably to disable all HTTP and HTTPs traffic to MOVEit Transfer on ports 80 and 443 to safeguard the environments while a patch is being prepared to address the vulnerabilities and in case even more of them come to the surface.

Meanwhile the Cybersecurity and Infrastructure Security Agency (CISA)  says it’s providing support to several federal agencies that have experienced intrusions affecting their MOVEit applications. Among the probably hundreds of victims are Payroll provider Zellis who serves British Airways and the BBC, oil giant Shell, several financial services organizations, insurance companies, and many others. Reportedly, two US Department of Energy (DOE) entities were also compromised.

Victims have been identified in the UK, US, Germany, Austria, Switzerland, Luxembourg, France, and the Netherlands. Organizations in the US make for most of the victims, but no ransom demands have been made of federal agencies according to a CISA spokesperson.

Cl0p re-emphasized that it was not going to use data stolen from government organizations with a message on its dark web site:

“We got a lot of emails about government data, we don’t have it. We have completely deleted this information. We are only interested in business, everything related to the government has been deleted.”

We shouldn’t mistake this for altruism. It could be they are simply afraid of the consequences and because they are fully aware that governmental organizations are not allowed to pay the ransom anyway, so there is no profit to be made there.

Our own Cybersecurity Evangelist, Mark Stockley, has his doubts about Cl0p’s methods:

“Cl0p’s approach supposes that the US government would react more strongly to sensitive data being leaked than it would to multiple simultaneous breaches by the same criminal organisation. This ignores the fact that by using zero-days to attack hundreds of targets simultaneously, including parts of the federal government, Cl0p has already made itself ransomware’s squeakiest wheel.”

Stay tuned for future developments.

How to avoid ransomware

• Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
• Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
• Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
• Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
• Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
• Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW