IT News

Explore the MakoLogics IT News for valuable insights and thought leadership on industry best practices in managed IT services and enterprise security updates.

National Cybersecurity Strategy Document: What you need to know

The US Government has been working on the National Cybersecurity Strategy Document 2023 for some time now, and it’s finally been released. The strategy document, which replaces the last such piece of work from 2018, attempts to indicate the general direction of the US approach to cybercrime and security for the next few years.

While you don’t necessarily need to take immediate action on the points raised, there’s a lot of talk about liability for poor security practices for larger organisations, better ratings for IoT devices, and a greatly improved hiring strategy for unfilled security vacancies. If these are areas of concern for you, we highlight the important parts below.

As per the WSJ, the five primary areas for action are:

  • Defending critical infrastructure
  • Disrupting and dismantling criminal gangs
  • Shaping market forces
  • Investing in a resilient future
  • Forging international partnerships

One large part of this new strategy is that organisations potentially most well equipped to fend off attacks must step up and do more:

The most capable and best positioned actors in cyberspace must be better stewards of the digital ecosystem…we must ask more [across both the public and private sectors] of the most capable and best positioned actors to make our digital ecosystem more secure and resilient. In a free and interconnected society, protecting data and ensuring the reliability of critical systems must be the responsibility of the owners and operators of the systems that hold our data and make our society function, as well as of the technology providers that build and service these systems.

With this in mind, then, let’s highlight some of the standouts from relevant sections.

Defending critical infrastructure

Expanding the use of minimum cybersecurity requirements in critical sectors

If you work in a critical sector of industry, you can expect to see new requirements heading your way in the near future. “Existing authorities” will set new requirements for cybersecurity, and where gaps exist in statutory authorities to create minimum standards, the Administration will work with Congress to close them. Regulations will be performance based and make use of existing security frameworks—no reinventing the wheel here. A focus on driving better practices in the cloud industry is also evident.

Update Federal response plans

You can expect better processes should you need to contact Federal authorities after a cyber incident, with the aim of creating a “unified, coordinated, whole of government response” with organisations able to quickly and easily find out who to contact, and when. The National Cyber Incident Response Plan (NCIRP) will be updated through this work, and the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) will require specific entities in critical infrastructure sectors to report incidents to CISA “within hours”.

Disruption of criminal gangs

Engaging the private sector in disruption activities

The Government wants to combine the “unique insights and capabilities” of the private sector with the ability to take decisive action by Federal agencies. There’s a strong desire here to have private sector partners organise through non-profit organisations serving as hubs for operational collaboration with the Federal government.

Virtual collaboration platforms will be used for these activities and information sharing processes, with the Government looking after the necessary security requirements and records management activities. In other words: if your organisation casts a wide security net, gathers data on attempted attacks, blocks and catches interesting files, wards off ransomware, and spots dubious network traffic, then there’s something approaching an Avengers initiative waiting in the wings.

Shape market forces

Promoting privacy and the security of personal data

Making large organisations accountable for failing to be responsible stewards of data is a key thread running throughout the strategy document. This is because the costs are often passed on to everyday people, with the biggest impact being felt on vulnerable populations.

Internet of Things devices can expect to fall under “IoT security labelling programs”, which will allow consumers to compare security protections offered by devices. The idea here is to create a market incentive for better security across the IoT space, but this is reliant upon people understanding that these labels exist, and what they mean in practice.

Shifting liability for software products and services to promote secure development practices

If you know someone who works for an organisation playing fast and loose with data, security practices, and compliance, they should be warned: there’s a liability storm coming. The Administration is going to be working with Congress and the private sector to develop legislation establishing liability for software products and services, along with a “safe harbour” for those securely developing and maintaining products and services.

Investing in a resilient future

Develop a national strategy to strengthen our cyber workforce

The hundreds of thousands of vacancies in cybersecurity positions nationwide are a sore point for this Administration. If you’re short on security workers yourself, then the proposed development of a National Cyber Workforce and Education Strategy may be what you’ve been looking for. Critical infrastructure is once again a key talking point, and it aims to improve hiring among underrepresented groups of candidates. This plan aims to make use of several already existing schemes, and also take inspiration from successful hiring practices in other nations.

What’s the response so far?

There is some criticism for the plans, mainly on the basis that plans come and go but rarely manage to keep pace with the actual speed of changing technological threats. As Bloomberg Law points out, the plan itself has no regulatory teeth and it’s now mainly up to various agencies to take the ball and run with it in terms of making new changes.

New strategies for tackling cybercrime and protecting critical infrastructure are always welcome, but it remains to be seen how much practical impact the Biden Administration’s 2023 National Cybersecurity Strategy will have over the next few years.


Have a burning question or want to learn more about our cyberprotection? Get a free business trial below.

GET STARTED

Intel CPU vulnerabilities fixed. But should you update?

Microsoft has released out of band updates for information disclosure vulnerabilities in Intel CPUs. The normal gut reaction would be to install out of band updates as soon as possible. Microsoft wouldn’t be releasing the updates ahead of the regular cycle without good reason, would it?

Well, maybe there are good reasons, but the number of users that would have to worry about these vulnerabilities is relatively small. And there are known performance issues related to applying the updates or disabling the Intel Hyper-Threading Technology. So please read on before you rush to update your system(s).

The vulnerabilities

Microsoft issued a security advisory about these vulnerabilities on June 14, 2022. Intel’s advisory about the same four vulnerabilities came out the same day, which raises the question: why did it take so long to release the updates? We can only speculate that a lot of time was spent on figuring out how to address these vulnerabilities most effectively.

The vulnerabilities are a class of memory-mapped I/O (MMIO) vulnerabilities. In shared resource environments (for example in some cloud services configurations), these vulnerabilities could allow one virtual machine to improperly access information from another. Under normal circumstances, an attacker would need prior access to the system or an ability to run a specially crafted application on the target system to leverage these vulnerabilities.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The MMIO CVEs are listed as:

The underlying cause of these vulnerabilities is that Virtual Machines (VMs) share a portion of the physical processor (CPU). MMIO uses the processor’s physical-memory address space to access I/O devices that respond like memory components. Due to incomplete cleanup in specific special-register read and write operations, or in shared buffers, an authenticated user with local access could potentially obtain information they should not be able to see.

Intel maintains a long list of affected processors, which shows the impact of transient execution attacks and selected security issues on currently supported Intel® products, including the recommended mitigation where a product is affected.

Should you update?

As with many threats, the risk you are running very much depends on your threat model. If you are not running virtual machines in shared environments, I wouldn’t worry about these updates. If you are, then the ball is largely in the court of the cloud service provider, since it’s their physical machines that may or may not have the affected CPUs.

If any action needs to be taken, I would consider it their duty to let you know what needs to be done on your end.

Mitigation for these vulnerabilities includes a combination of microcode updates and software changes, depending on the platform and usage model. Microcode updates should be issued by the original equipment manufacturer (OEM). For more information, see INTEL-SA-00615.

Microcode is the name for the internal code that implements support for the processor’s instruction set.

The Windows updates are being released as manual updates in the Microsoft Update Catalog:

Another option is to disable Intel Hyper-Threading, although we need to note that Hyper-Threading improves overall performance for applications that benefit from a higher processor core count. So disabling it may have a negative impact, depending on how the system is used.

According to VMWare, ensuring that no virtual machine has a PCI passthrough (VMDirectPath I/O pass-through) device configured is a viable workaround that will prevent any exploitation. VMDirectPath I/O allows a guest operating system on a virtual machine to directly access physical PCI and PCIe devices connected to a host.
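As an added, defender-side check that is not from the article, Microsoft, Intel or VMware: the script below reads what a Linux kernel reports about this vulnerability class and about SMT (Hyper-Threading), and maps that onto the choices the article describes (OEM microcode, OS updates, or disabling Hyper-Threading). It assumes a kernel that exposes the mmio_stale_data entry under /sys/devices/system/cpu/vulnerabilities; the status strings it matches are the kernel’s own wording, and on a host without that entry it reports "unknown".

```shell
#!/bin/sh
# Added example (not from the original article): summarise the Linux kernel's
# own report on the MMIO stale data vulnerability class and on SMT state,
# the two knobs the article discusses. Assumes a kernel that exposes
# /sys/devices/system/cpu/vulnerabilities/mmio_stale_data (5.19+ and backports).

MMIO_FILE=/sys/devices/system/cpu/vulnerabilities/mmio_stale_data
SMT_FILE=/sys/devices/system/cpu/smt/control

# Map the kernel's free-text status line to one short token. Example lines:
#   "Not affected"
#   "Mitigation: Clear CPU buffers; SMT vulnerable"
#   "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable"
#   "Vulnerable"
#   "Unknown: No mitigations"
classify_mmio() {
    case "$1" in
        "Not affected"*)
            echo "not-affected" ;;
        *"no microcode"*)
            # software mitigation is in place but the CPU microcode is missing
            echo "needs-microcode" ;;
        "Mitigation: "*"SMT vulnerable"*)
            # buffers are cleared, but a sibling hyper-thread can still leak
            echo "mitigated-smt-vulnerable" ;;
        "Mitigation: "*)
            echo "mitigated" ;;
        "Vulnerable"*)
            echo "vulnerable" ;;
        *)
            echo "unknown" ;;
    esac
}

# Turn the classification plus the SMT control state ("on", "off", "forceoff",
# "notsupported", ...) into the advice the article gives.
advise() {
    mmio="$1"
    smt="$2"
    case "$mmio" in
        not-affected)
            echo "no action: CPU not affected" ;;
        mitigated)
            echo "no action: mitigated" ;;
        needs-microcode)
            echo "install OEM microcode update, then re-check" ;;
        mitigated-smt-vulnerable)
            if [ "$smt" = "on" ]; then
                echo "shared-tenant host: consider disabling SMT (performance cost)"
            else
                echo "no action: SMT already $smt"
            fi ;;
        vulnerable)
            echo "apply OS/microcode updates; mitigation not active" ;;
        *)
            echo "kernel cannot tell; check vendor guidance" ;;
    esac
}

# Read the live values when present; otherwise fall through to "unknown".
report_live() {
    if [ -r "$MMIO_FILE" ]; then
        mmio_status=$(cat "$MMIO_FILE")
    else
        mmio_status="Unknown: sysfs entry not present"
    fi
    if [ -r "$SMT_FILE" ]; then
        smt_state=$(cat "$SMT_FILE")
    else
        smt_state="notsupported"
    fi
    cls=$(classify_mmio "$mmio_status")
    echo "mmio_stale_data: $mmio_status"
    echo "smt control:     $smt_state"
    echo "assessment:      $cls -> $(advise "$cls" "$smt_state")"
}

report_live
```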

Sometimes Microsoft really fails in providing a clear explanation about who needs to install an update, or even about how to do it. We get that it’s complicated when there are other vendors and OEMs involved, but referring users to highly technical third-party sites isn’t very helpful.

We do hope we have at least made clear that most of you do not have to worry about these.


We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

A week in security (February 27 – March 5)

Last week on Malwarebytes Labs:

Stay safe!



YouTube under fire for allegedly gathering children’s data

The UK’s children’s code, introduced three years ago by the Information Commissioner’s Office (ICO), is all about ensuring that companies make children’s privacy a primary consideration when creating sites and services, games, and toys. The code, also known as the Age Appropriate Design Code (AADC), may now be stepping into the digital privacy ring. Duncan McCann, who works for child advocacy group 5Rights, has lodged a complaint with the ICO about YouTube.

The Children’s code applies to UK-based companies and also companies outside the UK involved in processing the personal data of UK children. In short, if an app or website is likely to be accessed by children, then there’s a good chance the code applies.

The complaint focuses on how YouTube collects children’s data and alleges that it is being handled poorly. If the allegations are true, we could see the ICO ordering Google to stop collecting the data, and Google could be in line for a large fine.

McCann claims that YouTube has broken the law by collecting “the location, viewing habits and preferences” of anything up to five million children. He wants YouTube to change how the platform is designed, and to delete the data which it has gathered. The Guardian also mentions that another part of the complaint asks the ICO to consider ordering YouTube to rollback or delete any machine learning systems trained on this data.

That’s quite the request, and McCann says that the ICO has three months to let him know whether or not it will take on the investigation.

Children under 13 are, in theory, banned from using YouTube, and are supposed to use YouTube Kids instead, which is stricter about data collection. For example, there are no personalised ads on YouTube Kids, and no sensitive video categories. This is not the case on the main site. You may have seen for yourself how easy it is for videos on YouTube that are about one thing to autoplay their way into content which is about something quite different, including content that is not suitable for those under 13.

Child data is a prominent topic for Google. Back in 2019, YouTube was fined $170m due to the collection of children’s data without their parents’ consent.

Setting up YouTube Kids

If your children are making use of YouTube Kids, it’s a good idea to check out some of the security and privacy settings available to you. Assuming you are signed in, you can:

  • Block channels. If there’s some YouTube Kids approved content which you’re still not happy with, this is the way to go.
  • Enable specific content. If you want control over every aspect of viewing behaviour, you can force YouTube Kids to display only content which you’ve personally approved for viewing.
  • Turn off the search feature. Although in theory nothing bad should come up via search in YouTube Kids, you can still turn this off if needed. Do this by changing the “Allow Searching” option to “Off” in Settings.
  • Disable Autoplay. Again, this feature shouldn’t result in content you wouldn’t want randomly popping up. Even so, the option is there should you desire it. Change this setting by clicking your profile picture, selecting “Settings”, then “Parental Settings”. Select the child’s account, and then change “Disable autoplay” to “On”.
  • Review watch history. You can pull up a list of watched videos through the “Watch it Again” option at the top of the home screen on a tablet, or by navigating to the option on a desktop or laptop by selecting the child’s profile picture to view the relevant videos.


LockBit ransomware demands $2 million for Pierce Transit data

The Pierce County Public Transportation Benefit Area Corporation (Pierce Transit) has fallen victim to a cyberattack using LockBit ransomware. Pierce Transit is a public transit operator in Washington state.

The attack began on February 14, 2023, and required Pierce Transit to implement temporary workarounds, to maintain the service of the transit system which transports around 18,000 people every day.

Based on the number of known attacks, LockBit has been the most widely used ransomware-as-a-service (RaaS) for some time now. It accounted for almost a third of all known RaaS attacks last year, peaking at almost half of all known ransomware attacks in September 2022. The largest ransom demand it made in 2022 was a staggering $50 million. And it hasn’t tempered its ambitions in 2023—last month it tried to get $80 million out of the UK’s Royal Mail, but was politely shown the door by its negotiator.

On February 28, the LockBit ransomware group published details of the attack on Pierce Transit, along with a public demand for just shy of $2 million in return for the stolen data. Publishing data like this is normally a sign that negotiations have broken down or that the victim does not intend to pay. The ransomware group claims to have stolen contracts, client information, non-disclosure agreements, correspondence, and more, all of which are now on sale.

The eye-watering ransom demand is just one of the costs of an attack like this. Even if a ransomware victim pays for a decryption key, it takes time to restore systems and the total damages are almost always a multiple of the ransom.

According to The Record, the incident has been reported to law enforcement agencies, and forensic experts were brought in to investigate the nature and scope of the event. If it turns out that LockBit managed to steal and leak client information, the company intends to let them know. A spokeswoman stated:

“We are dedicated to informing our community, as appropriate, as our inquiry progresses.”

The majority of its operations have now been fully restored and Pierce Transit says it plans to implement new cybersecurity monitoring tools and security measures.

Public transportation is an essential service and any long-term disruption of its internal networks could have a devastating effect on the people who rely on it to get to school, their work, or medical appointments.

Thankfully, Pierce Transit managed to keep operations going, but undoubtedly there will be financial losses resulting from system failure and damage restoration in the short- and long-term.

Ransomware-as-a-service is the most lucrative and dangerous form of cybercrime. Individual attacks can bring entire organizations to a halt and raise multi-million-dollar ransoms. You can learn more about LockBit and the danger it poses to your organization in our 2023 State of Malware report.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Write an incident response plan. The period after a ransomware attack can be chaotic. Make a plan that outlines how you’ll isolate an outbreak, communicate with stakeholders, and restore your systems.


Ransomware led to multiple DISH Network outages

Satellite broadcast organisation DISH experienced a major system issue over the past week which affected multiple services. Websites and channels were unavailable, logins were non-functional, and some folks couldn’t even pay their bills as a result of the downtime.

There was a suspicion that something may have gone wrong behind the scenes. This suspicion has turned out to be correct, as DISH has reported to the US Securities and Exchange Commission that a ransomware attack is responsible.

A timeline of ransomware

DISH filed an 8-K form, used to inform shareholders of major events, to explain the situation. The timeline is as follows:

February 23: DISH announces on an earnings call that a network outage affected internal servers and IT telephony. Having already determined that the outage was due to a “cybersecurity incident”, law enforcement was informed and security experts were brought in to assess the situation.

February 27: DISH becomes aware that data was extracted from IT systems as a result of the ransomware attack. At this point, it’s not certain if personal information is included in the extracted data.

The filing continues:

The forensic investigation and assessment of the impact of this incident is ongoing. DISH, Sling and our wireless and data networks remain operational; however the Corporation’s internal communications, customer call centres and internet sites have been affected. The Corporation is actively engaged in restoring the affected systems and is making steady progress.

At this point, DISH still can’t confirm whether or not personal data has been compromised. A statement given to The Record states that customers will be contacted if this turns out to be the case.

Downtime and confusion

To give some idea of the scale of the outage, the services impacted according to Silicon include the following:

  • Dish.com
  • The Dish Anywhere app
  • Boost Mobile
  • “Other websites and networks” operated and owned by DISH Network.
  • The DISH call centre.

This is in addition to people not being able to pay bills or log in. It’s not uncommon for a business to be rendered inoperable in the aftermath of a ransomware attack. However, it is somewhat unusual to see so many services fall over simultaneously. Perhaps the scale of the attack is something to behold, or maybe the attackers just got lucky. Either way, we won’t know for certain until the investigation is concluded and findings are published.

Bleeping Computer has been told by sources that the Black Basta ransomware operation is allegedly behind the attack, “first breaching Boost Mobile and then the Dish corporate network”. It’s worth stressing that Bleeping Computer goes on to say that this information has not been independently verified, and DISH has not responded to multiple emails requesting more information. It’s possible we may be waiting some time for additional details to be made public.

Meanwhile, TechCrunch has been informed that employees have no information about the incident and have not been told when they can return to work. This is not a great situation for anyone involved, and really speaks to the scale of impact that a ransomware outbreak can have.

How bad is the current state of play?

Customers are without various services, and the Dish website is still sporting a “Thank you for your patience” message along with the link to a statement which includes the following message:

The security of our customers’ data is important to us, and if we learn that information was compromised, we’ll take the appropriate steps and let any impacted customers know.

As a result of this incident, many of our customers are having trouble reaching our service desks, accessing their accounts, and making payments. We’re making progress on the customer service front every day, including ramping up our call capacity, but it will take a little time before things are fully restored. DISH TV continues to operate and is up and running.

If you’re a DISH customer, you may have to wait a bit longer until things are something like approaching normal service.



Internet Explorer users still targeted by RIG exploit kit

Despite a very slim browser market share, Internet Explorer (IE) is still being exploited by exploit kits like the RIG exploit kit (EK).

One major advantage for the malware distributors behind the exploit kit is that the outdated browser has reached end-of-life (EOL), which means it no longer receives security updates and patches against known threats.

According to Malwarebytes’ Senior Director of Threat Intelligence Jérôme Segura:

“RIG EK is probably one of the last exploit kits targeting Internet Explorer still around. We have observed RIG EK activity via the same malvertising campaigns for the past several years.”

An exploit kit is a toolkit designed to facilitate the exploitation of client-side vulnerabilities most commonly found in browsers and their plugins in order to deliver malware. The primary infection method with an exploit kit is a drive-by download attack, when cybercriminals lure potential victims to a site where their browser can be fingerprinted and vulnerabilities can be unleashed to infect the system. Ideally for the exploit kit handler, such attacks occur silently within seconds and they do not require any user interaction.

A recent report by Prodaft details a wealth of information related to the victim statistics, operation, command and control (C&C) server, and technical aspects of RIG EK.

RIG EK has been around since 2014 and, despite many takedown efforts, has always managed to make a comeback. Without many changes to the inner workings of the exploit kit itself, we’ve seen many changes in the malware distributed. It all depends on which cybercriminals pay the RIG EK administrator to install their malware on victim machines. RIG EK has also introduced some newer vulnerabilities while Internet Explorer’s market share has continued to drop.

Prodaft researchers describe how they noticed RIG EK dropping multiple types of malware, including stealers, Remote Access Trojans (RATs), cryptocurrency miners, and banking malware. The exploits of RIG EK are delivered to unsuspecting victims in two ways: either via malvertising, where users are redirected to online advertising pages rigged to execute the RIG exploits in their browser; or when the victim visits sites that were compromised and had the exploit kit’s JavaScript injected.

As Jérôme mentions, at Malwarebytes we’ve seen RIG EK delivered via the same malvertising campaigns for the past several years.

[Figure: November 2020 Fiddler analysis of malvertising leading to the RIG Exploit Kit]

We connected some RIG EK activity with the cybercriminal behind the “MakeMoney gate” (a name coined by security researcher @nao_sec) based on the domain makemoneywithus[.]work (188.225.75.54) with the earliest instance of this threat group seen in December 2019 via the gate gettime[.]xyz (185.220.35.26).

We still see some hits every week, but nothing to make this exploit kit a real threat anymore. We should note that the threat actor behind the MakeMoney gate tried the social engineering route in 2022, using a fake browser update campaign which was not all that different from the one we saw with SocGholish.
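The two defensive takeaways from the explanation of how the kit works and from the gate domains named above can be turned into a log sweep. The following is an added example, not code from the article, Malwarebytes or Prodaft: it reads web-proxy log lines in a constructed format, flags clients still browsing with end-of-life Internet Explorer (the browser RIG EK targets), and flags contact with the two gate domains quoted in the text (refanged here so they can be matched). The log format and sample lines are constructed for this example.

```python
"""Added example, not part of the original article: a defender-side sweep of
web-proxy logs for hosts still browsing with end-of-life Internet Explorer and
for traffic to the RIG EK gate domains the article names. The log format and
the sample lines below are constructed for this example."""
import re
from collections import defaultdict

# Constructed proxy log format:
#   <timestamp> <client_ip> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# IE <= 10 sends "MSIE x.y"; IE 11 dropped that token and is recognised by the
# Trident engine token together with "rv:11.0". IE 11 in compatibility view
# sends an older MSIE token and is reported as that older version.
IE_RE = re.compile(r'MSIE (?P<msie>\d+)\.\d|Trident/\d+\.\d.*\brv:(?P<rv>11)\.0')

# Gate domains quoted (defanged) in the article; refanged here so they can be
# compared against the host part of a requested URL.
KNOWN_GATES = {"makemoneywithus.work", "gettime.xyz"}


def ie_version(user_agent):
    """Return the Internet Explorer major version in a UA string, else None."""
    m = IE_RE.search(user_agent)
    if m is None:
        return None
    return int(m.group("msie") or m.group("rv"))


def host_of(url):
    """Lower-cased host part of an absolute URL ('' if it has none)."""
    m = re.match(r'^[a-z][a-z0-9+.-]*://([^/:?#]+)', url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def scan(lines):
    """Sweep log lines and return (ie_clients, gate_contacts).

    ie_clients:    {client_ip: set of IE major versions seen from that client}
    gate_contacts: [(client_ip, gate_host, ie_version_or_None), ...]
    Malformed lines are skipped rather than aborting the sweep.
    """
    ie_clients = defaultdict(set)
    gate_contacts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m is None:
            continue
        version = ie_version(m.group("ua"))
        if version is not None:
            ie_clients[m.group("client")].add(version)
        host = host_of(m.group("url"))
        if host in KNOWN_GATES:
            gate_contacts.append((m.group("client"), host, version))
    return dict(ie_clients), gate_contacts


# Constructed sample: an IE 11 client that reaches a gate, an IE 8 client,
# a modern browser that still touches a gate, and one junk line.
SAMPLE_LOG = [
    '2023-02-28T10:01:02Z 10.0.0.5 GET http://example-news.test/index.html 200 '
    '"Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"',
    '2023-02-28T10:01:05Z 10.0.0.5 GET http://makemoneywithus.work/ 302 '
    '"Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"',
    '2023-02-28T10:02:11Z 10.0.0.7 GET http://example-shop.test/cart 200 '
    '"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"',
    '2023-02-28T10:03:40Z 10.0.0.9 GET https://gettime.xyz/ 200 '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 '
    '(KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36"',
    'not a log line',
]


if __name__ == "__main__":
    ie_clients, gate_contacts = scan(SAMPLE_LOG)
    for client, versions in sorted(ie_clients.items()):
        print(f"EOL browser: {client} uses IE {sorted(versions)}")
    for client, host, version in gate_contacts:
        print(f"gate contact: {client} -> {host} (IE version: {version})")
```

A non-IE client reaching a gate is still worth a look: the redirect chain may have started in an ad slot, and the same host may also run an older browser.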

[Figure: February 2023 analysis of a very recently recorded malvertising campaign]

Mitigation

The main advice to stay out of the claws of exploit kits is clear. Use a fully updated and patched browser. And always be careful before you click on links.

A warning from Jérôme Segura:

“We can expect RIG EK to stick around to the very end until there is no one left behind to infect. The individual(s) behind the malvertising campaigns have been persistent and still count on victims daring enough to visit shady websites with an outdated computer.”



LastPass was undone by an attack on a remote employee

Last August, LastPass suffered a well publicised breach: developer systems were compromised and source code was stolen. This resulted in a second breach in November, which was revealed by LastPass in December. The company has now revealed that the individual(s) responsible for the attack also compromised a remote employee’s computer in order to capture credentials used in the second attack.

The credentials allowed the attacker to steal data from Amazon AWS cloud storage servers used by LastPass for a little over two months.

The remote developer’s PC was reportedly compromised via a remote code execution vulnerability in a third-party media player, which was exploited to deploy a keylogger. After this, the attacker was able to wait until the employee entered their master password and authenticated themselves with multi-factor authentication.

The attacker was able to access the DevOps engineer’s LastPass corporate vault. From the LastPass support page:

The threat actor then exported the native corporate vault entries and content of shared folders, which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups.

The compromised developer was one of only four people with access to the decryption keys needed to access cloud storage services. This is very much the definition of a targeted attack.

According to LastPass, once the attacker was inside the DevOps Engineer’s LastPass corporate vault, they were able to export all manner of potentially useful information.

The support page mentions that as part of the post-attack work being done, the DevOps engineer is being assisted with “hardening the security of their home network and personal resources”.

It’s somewhat remarkable to think that a big chunk of the above LastPass chaos is down to someone running a media player on a system used for work. Or, put another way, LastPass allowing an employee to use a computer with a vulnerable media player for work. We don’t know if it was a work machine, or a home machine, but the two look very alike these days, with home devices used to access the office, and work devices used for non-work activities.

There is a grey area here, then, in terms of whether using a personal device for work should have been subject to “acceptable / unacceptable” software installation decisions by IT. Considering the severity of this particular attack, there’s probably a good case for it.

What to do if you’re a LastPass user

At the moment, there is nothing you need to do if you have already followed the advice during the December breach reveal. However, if you are only now finding out about the various LastPass breaches:

  • Change your master password and then begin changing the logins inside your vault as soon as possible, starting with the most important.
  • Start using multi-factor authentication (MFA) to make your account immune to similar compromises in future. LastPass supports several kinds of MFA.

How to work from home securely

  • Use devices supplied or approved by your employer. This ensures your machine meets your security team’s requirements.
  • Use a VPN to connect to the office network. A corporate VPN protects traffic from prying eyes as it travels over the Internet.
  • Change your router password. Don’t rely on the default password your router shipped with—these often end up in long lists online.
  • Keep software up to date. If your employer is unable to update your software automatically, you’ll have to do it. Don’t ignore those popups telling you that an update is available.
  • Use effective endpoint protection. Malwarebytes Endpoint Protection detects malware like keyloggers, and is designed to be easy to deploy and administer on remote machines.

For more information about working from home securely, read our security tips for working from home.


Have a burning question or want to learn more about our cyberprotection? Get a free business trial below.

GET STARTED

Crushing the two biggest threats to mobile endpoint security in 2023

Don’t let their small size fool you: mobile devices can have a big impact on your security posture. It’s easy to see why, considering that almost half of organizations said they suffered a mobile-related compromise in 2022.

Malware and phishing are two particular mobile threats that you need to defend against in 2023. Just check out the following stats from last year:

  • 18 percent of clicked phishing emails in 2022 came from a mobile device. (Verizon Mobile Security Index 2022)
  • 46 percent of organizations that had suffered a mobile-related security breach in 2022 said that app threats were a contributing factor. (Verizon Mobile Security Index 2022)
  • 9 percent of organizations suffered a mobile malware attack in 2022. (Check Point 2023 Cyber Security Report)

In addition, according to Malwarebytes research, 45 percent of schools reported that at least one cybersecurity incident last year started with Chromebooks or other mobile devices.

In this post, we’ll talk about the threat that phishing and malware pose to mobile endpoint security and how to crush them.

Mobile devices have a huge target on their backs

Mobile devices are a key part of today’s modern business: 56 percent of employees rely on four to eight enterprise applications on their mobile device.

But wherever sensitive data exists, threat actors are out there trying to get their hands on it.

The explosion of bring-your-own-device (BYOD) policies during and after the pandemic created a large, new attack surface. Employees love mobile devices for their convenient access to corporate data systems; attackers love them for the same reason.


Malware on Android

First things first, malware is a much bigger threat to Android devices than it is to iOS devices, as iOS malware is extremely rare.

Malware on Android devices comes in many forms, including adware, ransomware, trojan-banker (aka ‘bankers’), and trojan-dropper (aka ‘droppers’). Droppers, considered the “most Trojan of Trojans,” disguise themselves as innocent apps in order to steal personal and financial data. Droppers can install copies of themselves, and because they can drop software that downloads other malware, they can be used to establish a permanent gateway into a smartphone, and from there into a business.

In our 2022 State of Malware Report, Malwarebytes found that droppers accounted for 14 percent of detections on Android. Other malware is more widespread, but droppers pose the greatest danger to organizations.

Examples of recent Android malware (image not reproduced)

Phishing on iOS and Android

Phishing has always worked wonders for attackers, and if it ain’t broke, don’t fix it—including on mobile devices. In fact, Zimperium found the number of phishing sites that target mobile devices specifically has seen 50 percent growth from 2019-2021.

Phishing attacks on Android and iOS range from email to banking, SMS (smishing), and even attempting to trick users into handing over legitimate two-factor authentication codes.

Targeted phishing campaigns on enterprise mobile devices are common, with threat actors often impersonating companies such as Apple, PayPal, and Amazon.

Mobile Device Management (MDM) ain’t the solution

A common misconception that we hear when we talk about mobile endpoint security is that MDM is the solution to all of our mobile malware and phishing woes.

It’s not.

Mobile device management services control how devices are configured and how corporate data is accessed on them, but they are not designed to detect or block threats such as malware and phishing on iOS and Android devices.

Organizations should look beyond MDM platforms and toward mobile security products that use a variety of techniques, including behavioral analysis, to crush mobile threats. Some features of a robust mobile threat defense product include:

  • 24/7 real-time protection against emerging threats
  • Advanced antivirus, anti-malware and anti-spyware capabilities
  • Malicious app protection
  • App privacy audit
  • Safe web browsing
  • Ad and ad-tracker blocking
  • Filtering of suspicious or fraudulent texts
  • Spam call blocking

Malwarebytes makes mobile device security easy

With Malwarebytes Mobile Security for Business, you can put a damper on mobile attacks on your organization in just a few clicks.

In Nebula, our cloud-hosted security platform made for small to large businesses (OneView for MSPs), all you have to do to get started is activate the endpoint agent for your mobile devices.

From there, you set how your mobile endpoints behave by adding a new policy and selecting Web protection and Ad block for iOS and Behavior protection for ChromeOS and Android.

Once you save this policy, you’re set!

Admins gain immediate visibility into mobile device activity, enabling IT teams to easily identify and report malicious threats, potentially unwanted programs (PUPs), and potentially unwanted modifications (PUMs).

The Malwarebytes Mobile Security app on iOS (left) and Android (right) (image not reproduced)

The statistics don’t lie—phishing and malware pose a big threat to mobile endpoint security in 2023. But with a mobile threat defense solution like Malwarebytes Mobile Security, you can crush threats like these and more. Get a free trial and/or quote below!

Get a quote or free trial of Malwarebytes Mobile Security

AI voice cracks telephone banking voice recognition

Voice ID is slowly rolling out across various banks worldwide as a way to perform user authentication over the phone. However, questions remain about just how secure it is. Now that we have freely available artificial intelligence (AI) happily replicating people’s voices, could it be a security risk?

Some recent research suggests that it could.

Vice reporter Joseph Cox put it to the test, with surprising results. All it took was five minutes of recorded speech and a site that can learn to synthesise the voice in the recording.

At first the banking website refused to verify Cox’s synthesized voice as genuine. But with a few tweaks, it soon allowed Cox into his account.

From here, he had access to account information, recent transactions, transfers, and balances. You’ll note from the video below that an additional piece of information is required here in the form of date of birth.

Thankfully, you can’t just use the voice on its own and log straight in to this bank. However, while dates of birth are often used as a form of authentication, they are not secret. If an attacker is determined enough to find or create five minutes of your voice recordings, they are unlikely to be deterred by the (probably much easier) task of finding out your birth date.

The bank used for the test claims that criminals would rather use other, more common methods of attack than AI voice recordings, and that deploying voice ID has led to “a significant dip in fraud with phone banking”. This may well be true, but that dip presumably occurred before the wide availability of consumer AI tools like ChatGPT and the voice-cloning services used in this test.

The stunt is a useful reminder that unlike passwords, which are either right or wrong, all forms of biometric authentication are analogue. Voice, fingerprint, face, and iris recognition all rely on a judgement of similarity, which creates opportunities for enterprising criminals who can produce realistic facsimiles. It’s why your iPhone fingerprint recognition is backed up by a passcode, and why the bank in the test also included a birth date in its authentication process.
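To make that analogue point concrete, here is an added example written for this page (not the bank’s or Malwarebytes’ own code). It puts an exact password check next to a threshold-based voiceprint check and then combines the voiceprint with a date of birth the way the bank in the test appears to. The voiceprint vectors, the thresholds and the date-of-birth values are constructed for the example; a real speaker-verification system derives a much larger embedding from audio and tunes its threshold on real call data.

```python
import hashlib
import hmac
import math
import secrets

# --- Factor 1: a password is an exact match. Right or wrong, nothing in between. ---

def make_password_record(password: str) -> dict:
    """Store a salted PBKDF2-HMAC-SHA256 digest rather than the password itself."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return {"salt": salt, "digest": digest}

def verify_password(record: dict, candidate: str) -> bool:
    """Either the candidate reproduces the stored digest exactly or it does not."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], 200_000)
    return hmac.compare_digest(digest, record["digest"])  # constant-time compare

# --- Factor 2: a voiceprint is a similarity judgement against a threshold. ---
# Constructed 3-element stand-ins for speaker embeddings, so the arithmetic is visible.

ENROLLED_VOICEPRINT = [0.8, 0.6, 0.0]   # captured when the customer enrolled
GENUINE_CALL        = [0.8, 0.6, 0.05]  # same speaker on a slightly noisy line
RAW_CLONE           = [0.6, 0.8, 0.0]   # first synthesis attempt
TWEAKED_CLONE       = [0.7, 0.7, 0.0]   # "a few tweaks" later
STRANGER            = [0.0, 0.0, 1.0]   # unrelated voice

def cosine_similarity(a, b) -> float:
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(y * y for y in b))
    return dot / (norm_a * norm_b)

def verify_voice(enrolled, sample, threshold: float) -> tuple:
    """Accept when the sample is 'similar enough'. Returns (accepted, score)."""
    score = cosine_similarity(enrolled, sample)
    return score >= threshold, score

def threshold_outcomes(threshold: float) -> dict:
    """Who is accepted at a given threshold: loosen it and clones pass,
    tighten it and the genuine customer starts being rejected."""
    samples = {
        "genuine": GENUINE_CALL,
        "raw_clone": RAW_CLONE,
        "tweaked_clone": TWEAKED_CLONE,
        "stranger": STRANGER,
    }
    return {name: verify_voice(ENROLLED_VOICEPRINT, s, threshold)[0]
            for name, s in samples.items()}

# --- Voice plus date of birth, as the bank in the article appears to do it. ---

def phone_banking_login(sample, dob_claim: str, dob_on_file: str, threshold: float) -> bool:
    """Both checks must pass; but the date of birth is knowledge, not a secret."""
    voice_ok, _ = verify_voice(ENROLLED_VOICEPRINT, sample, threshold)
    dob_ok = hmac.compare_digest(dob_claim.encode(), dob_on_file.encode())
    return voice_ok and dob_ok

if __name__ == "__main__":
    record = make_password_record("correct horse battery staple")
    print("password exact:", verify_password(record, "correct horse battery staple"))
    print("password near-miss:", verify_password(record, "Correct horse battery staple"))
    for t in (0.98, 0.995, 0.999):
        print(f"threshold {t}:", threshold_outcomes(t))
    # Constructed date of birth; the attacker found it as easily as the article suggests.
    print("clone + known DOB:", phone_banking_login(TWEAKED_CLONE, "1985-03-14", "1985-03-14", 0.98))
```

At a threshold of 0.98 the tweaked clone is accepted alongside the genuine caller; raising it to 0.995 rejects the clone, and raising it again to 0.999 rejects the genuine caller too. That false-accept versus false-reject trade-off is something every biometric operator has to set, and it has no counterpart in the password check, where a one-character difference simply fails. The date-of-birth condition does add a second gate, but with roughly 36,500 plausible values it is worth about 15 bits even if the attacker had to guess it, and as the article notes they usually do not.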

What’s next for voice AI?

The AI genie is most definitely out of the bottle, with AIs being used for all manner of good things, like additional voice lines in video game mods, and all sorts of bad things too.

If you’re deploying voice recognition as part of your business, it would be a wise move to pay close attention to the rapidly improving area of voice synthesis. Don’t let the words “My voice is my password” come back to haunt you in the worst way imaginable.

