Update now! Firefox and Adobe updates are more critical than Microsoft’s
The most critical updates for this “Patch Tuesday” come from Firefox and Adobe. While Microsoft addresses 70 vulnerabilities in its February 2022 Patch Tuesday release, none of them are ranked as critical. Firefox and Adobe, however, have fixed a few issues that could be qualified as critical...
A week in security (November 5 – 11)
Last week on Malwarebytes Labs, we looked at browser lockers that fly under the radar with complete obfuscation, transport and logistics in our series about compromising vital infrastructure, Google logins now requiring JavaScript, how to create a sticky cybersecurity training program, and an...
Week in Security (August 7 – August 13)
Last week, we explained how security certificates work and how malware authors have used them to block security software from being downloaded and executed. We also showed how the Magnitude exploit kit is spreading a Cerber ransomware variant that uses binary padding in an attempt to get skipped,...
All this EternalPetya stuff makes me WannaCry
Another week goes by and yet again we have another ransomware outbreak, initially dropped by a malicious software update and eventually spreading within internal networks using several methods, including EternalBlue, the leaked exploit from the ShadowBrokers group. Security researchers can’t see...
[Updated, again] Apache fixes zero-day vulnerability in HTTP Server
The Apache HTTP Server 2.4.49 is vulnerable to a flaw that allows attackers to use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied", these requests can succeed. This issue is known to be...
What’s new in TrickBot? Deobfuscating elements
Trojan.TrickBot has been present in the threat landscape for quite a while. We wrote about its first version in October 2016. From the beginning, it was a well-organized modular malware, written by developers with mature skills. It is often called a banker, however its modular structure allows t...
Thief pulls off colossal, $600m crypto-robbery …and gives the money back
The largest crypto-robbery in history is rapidly turning into the most bizarre as well. Let's start at the beginning… In an apparent scream for mercy, 21 hours ago the Poly Network Team reached out via Twitter to “hackers” that had managed to transfer roughly $600 million in digital tokens out of...
Safe Connections Act could help domestic abuse survivors take control of their digital lives
A bill introduced in the US Senate could help domestic abuse and sex trafficking survivors—including those tracked by stalkerware-type applications—regain digital independence through swift, shared phone plan termination and the extension of mobile phone plan subsidies. Titled the Safe Connection...
Parental monitoring apps: How do they differ from stalkerware?
In late June, Malwarebytes revived its long-running campaign against a vicious type of malware in use today. This malware peers into text messages. It pinpoints victims’ movements across locations. It reveals browsing and search history. Often hidden from users, it removes their expectation of,...
Will pay-for-privacy be the new normal?
Privacy is a human right, and online privacy should be no exception. Yet, as the US considers new laws to protect individuals’ online data, at least two proposals—one statewide law that can still be amended and one federal draft bill that has yet to be introduced—include an unwelcome bargain:...
A week in security (March 1 – 7)
Last week on Malwarebytes Labs, our podcast featured Eva Galperin who talked to us about defending online anonymity and speech. We wrote about how Ryuk ransomware has developed a worm-like capability, how Exchange servers are attacked by Hafnium zero-days, 21 million free VPN users’ data was...
15,000 webcams vulnerable to attack: how to protect against webcam hacking
Webcams may have been around for a long time, but that doesn’t mean we know what we’re doing with them. Webcam hacking has been around for equally as long, yet new research from Wizcase indicates that more than 15,000 private, web-connected cameras are exposed and readily accessible to the genera...
Should you delete yourself from social media?
You're feeling like you've had enough. All the recent news—from Facebook's Cambridge Analytica snafu to various abuses of Twitter vulnerabilities—has you wondering: Should I delete myself from social media? Social networking does have its positive aspects. You can stay in touch with distant or no...
[updated] Two new Exchange Server zero-days in the wild
Microsoft has issued some customer guidance as it investigates, yes, more reported vulnerabilities in Microsoft Exchange Server, affecting the 2013, 2016, and 2019 versions of the software. The company says it "is aware of limited targeted attacks using the two vulnerabilities to get into users...
Mac malware combines EmPyre backdoor and XMRig miner
Earlier this week, we discovered a new piece of Mac malware that is combining two different open-source tools—the EmPyre backdoor and the XMRig cryptominer—for the purpose of evil. The malware was being distributed through an application named Adobe Zii. Adobe Zii is software that is designed to...
“Who visits your Twitter profile” spam app brings week of chaos
Twitter spam has been around forever, and rogue apps asking for installs in return for a cool feature (to be more accurate, spamming your contacts) are a constant thorn in our Twittery sides. Over the weekend, we observed a new Twitter app doing the rounds and causing a lot of congestion on people's...
Inside the Kronos malware – part 1
Recently, a researcher nicknamed MalwareTech, famous for stopping the WannaCry ransomware, got arrested for his alleged contribution to creating the Kronos banking malware. We still don't have a clear picture of whether the allegations are true or not, but let's have a look at Kronos itself...
April’s Patch Tuesday update includes fixes for two zero-day vulnerabilities
It’s that time of the month again. Time to check what needs to be updated and prioritize where necessary. The Microsoft updates include at least two zero-day vulnerabilities that deserve your attention. Microsoft has released security updates and non-security updates for client and serv...
What is the WireGuard VPN protocol?
In layman’s terms, a VPN uses encryption to create a private online connection between a device and a VPN server. With a good VPN service, you can shield your data from curious eyes. A VPN protocol is the set of rules that shapes how your data travels between your computer, mobile phone, tablet, ...
Smart speakers: Christmas treat or lump of coal?
Christmas is nearly upon us, and thoughts are perhaps turning to various digital presents of a “smart” nature. Home security, hubs, speakers, cameras, and mashups of all of those and more besides. With regards to speakers, the most immediate pieces of your home are theoretically at your beck and...
Associated Press, ESPN, CBS among top sites serving fake virus alerts
ScamClub is a threat actor who's been involved in malvertising activities since 2018. Chances are you probably ran into one of their online scams on your mobile device. Confiant, the firm that has tracked ScamClub for years, released a comprehensive report in September while also disrupting their...
Why Log4Text is not another Log4Shell
The Apache Software Foundation has acknowledged a vulnerability in Apache Commons Text, a library focused on algorithms for string manipulation. The vulnerability has been assigned CVE-2022-42889, but security researchers have dubbed it Log4Text. The name provides an immediate association with...
Don't share the WhatsApp 'Martinelli' phone hacking alert: It's a hoax
Everyone loves a good campfire story prone to exaggeration. However, when told online it's not quite got the same effect. Long ago, sites like Myspace would play host to very certain types of messages. "Don't open this post from Johnny Cyberhack, or your account will be stolen and your C drive will...
Update now! Microsoft patches three zero-day vulnerabilities on Patch Tuesday
The updates for Microsoft's March 2022 Patch Tuesday should fix 92 vulnerabilities, including three zero-day vulnerabilities. Of the 92 vulnerabilities, 21 are for Microsoft Edge and originate from the Chromium Project. Of the 71 others, three are classified as Critical because they allow remote...
SonicWall warns users to patch critical vulnerability “as soon as possible”
SonicWall has issued a security notice about its SMA 100 series of appliances. The vulnerability could potentially allow a remote unauthenticated attacker the ability to delete arbitrary files from an SMA 100 series appliance and gain administrator access to the device. SonicWall is a...
Massive DDoS attack washes over GitHub
There have been some huge DDoS (distributed denial of service) attacks over the years, but we've been…lucky?…enough to witness the latest raising of the stakes in the last couple of days. GitHub, an incredibly important code resource for major organisations around the world, fell victim to a colossal...
Compromising vital infrastructure: problems in education security continue
The educational system and many of its elements are targets for cybercriminals on a regular basis. While education is a fundamental human right recognized by the United Nations, the financial means of many schools and other entities in the global educational system are often limited. These limite...
GreenFlash Sundown exploit kit expands via large malvertising campaign
Exploit kit activity has been relatively quiet for some time, with the occasional malvertising campaign reminding us that drive-by downloads are still a threat. However, during the past few days we noticed a spike in our telemetry for what appeared to be a new exploit kit. Upon closer inspection ...
4 lessons to be learned from the DOE’s DDoS attack
Analysts, researchers, industry professionals, and pundits alike have all posited the dangers of the next-generation “smart grid,” particularly when it comes to cybersecurity. They warn that without the right measures in place, unscrupulous parties could essentially wreak havoc on the bulk of...
New Golang brute forcer discovered amid rise in e-commerce attacks
E-commerce websites continue to be targeted by online criminals looking to steal personal and payment information directly from unaware shoppers. Recently, attacks have been conducted via skimmer, which is a piece of code that is either directly injected into a hacked site or referenced externall...
Sextortion Bitcoin scam makes unwelcome return
Heads up: a particularly nasty sextortion Bitcoin scam from at least the middle of 2018 is making the rounds once again. The scam involves making use of old breach dumps, then emailing someone from the list and reminding them of their old password. When something lands in your mailbox with “Hey,...
Fake Flipper Zero websites look to cause a big splash
Security researchers are advised to be on the lookout for scammers targeting their interest in the latest hard-to-obtain security testing tools. Flipper Zero, a slick-looking portable multi-tool which frequently makes its way into the news, is one of the hottest pieces of kit around for security...
Samba patches critical vulnerability that allows remote code execution as root
Samba developers have patched a vulnerability that allows remote attackers to execute arbitrary code as root on affected Samba installations that use the VFS module vfs_fruit. Samba is a free software re-implementation of the SMB networking protocol that provides file and print services for variou...
Trojans, ransomware dominate 2018–2019 education threat landscape
Heading into the new school year, we know educational institutions have a lot to worry about. Teacher assignments. Syllabus development. Gathering supplies. Readying classrooms. But one issue should be worrying school administrators and boards of education more than most: securing their networks...
A week in security (June 17 – 23)
Last week on the Malwarebytes Labs blog, we took a look at the growing pains of smart cities, took a deep dive into AI, jammed along to Radiohead, and looked at the lessons learned from Chernobyl in relation to critical infrastructure. We also explored a new Steam phish attack, and pulled apart a...
A week in security (August 28 – September 3)
Last week, we looked at what actions Kronos can perform in the final installment of a 2-part post. We also dived into Locky, again, a ransomware that just made a comeback, and found that its latest variant as of this writing has anti-sandboxing capabilities. This means that once Locky has...
The fake Elon Musk Bitcoin giveaway marathon will NOT make you rich
Today we look at a fakeout which begins with Elon Musk, and ends with a trip to Mars or, if you're really lucky, the Sun. One of the most annoying “features” of Twitter is being added to lists without permission. It's a theoretically useful way to keep track of certain topics. It’s often also used...
Revisiting the NSIS-based crypter
This blog post was authored by hasherezade. NSIS (Nullsoft Scriptable Install System) is a framework dedicated to creating software installers. It allows bundling various elements of an application together, i.e. the main executable, used DLLs, configs, along with a script that controls where are th...
Zoom zero-day discovery makes calls safer, hackers $200,000 richer
Two Dutch white-hat security specialists entered the annual computer hacking contest Pwn2Own, managed to find a Remote Code Execution (RCE) flaw in Zoom and are $200,000 USD better off than they were before. Pwn2Own is a high-profile event organized by the Zero Day Initiative that challenge...
New social engineering toolkit draws inspiration from previous web campaigns
Some of the most common web threats we track have a social engineering component. Perhaps the more popular ones are those encountered via malvertising, or hacked websites that push fraudulent updates. We recently identified a website compromise with a scheme we had not seen before; it's part of a...
MegaCortex continues trend of targeted ransomware attacks
MegaCortex is a relatively new ransomware family that continues the 2019 trend of threat actors developing ransomware specifically for targeted attacks on enterprises. While GandCrab apparently shut its doors, several other bespoke, artisanal ransomware families have taken its place, including...
Is it game over for VR advergaming?
We’ve been warning about advergaming—the combination of virtual reality (VR) and ads—for years on the Labs Blog. I’ve given a few talks on the subject too, and how ad networks will slowly work their way into enclosed spaces formerly reserved for your head. They still might, but thanks to a recent...
Crack hunting: not all it’s cracked up to be
People sometimes ask us in the forums if a keygen or software crack is safe to use. Sometimes, these programs do what they say on the tin. Other times, they’re not what they say they are. In this post, I’ll describe what happened when I went crack hunting, and why it is often unsafe to carry out...
4 steps for improving employee trust while securing them
Earlier this month we held our quarterly Cybercrime Tactics and Techniques Q2 2017 webinar. This event gave thousands of security practitioners and leaders a chance to learn about the latest analysis of threats Malwarebytes Labs has seen around the globe. In case you missed it, you can watch an...
A deep dive into Phobos ransomware
Phobos ransomware appeared at the beginning of 2019. It has been noted that this new strain of ransomware is strongly based on the previously known family: Dharma a.k.a. CrySis, and probably distributed by the same group as Dharma. While attribution is by no means conclusive, you can read more...
New LNK attack tied to Higaisa APT discovered
This post was authored by Hossein Jazi and Jérôme Segura. On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent...
Business in the front, party in the back: backdoors in elastic servers expose private data
It seems like every day we read another article about a data breach or leak of cloud storage exposing millions of users' data. The unfortunate truth is that the majority of these leaks require no actual "hacking" on the part of the attacker. Most of the time, this highly confidential data is just...
Apple iOS 13 will better protect user privacy, but more could be done
Last week, Apple introduced several new privacy features to its latest mobile operating system, iOS 13. The Internet, predictably, expressed doubt, questioning Apple’s oversized influence, its exclusive pricing model that puts privacy out of reach for anyone who can’t drop hundreds of dollars on ...
New critical vulnerability discovered in open-source office suites
A great number of attack techniques these days are using Microsoft Office documents to distribute malware. In recent years, there has been serious development on document exploit kit builders, not to mention the myriad of tricks that red-teamers have come up with to bypass security solutions. In...
Vulnerabilities in GPS tracker could have “life-threatening” implications
Researchers at BitSight have discovered six vulnerabilities in the MiCODUS MV720 GPS tracker, a popular vehicle tracking device. The vulnerabilities are severe enough for the Cybersecurity & Infrastructure Security Agency (CISA) to publish a Security Advisory titled ICSA-22-200-01: MiCODUS MV720 GP...