Lucene search
Malwarebytes Recent

4662 matches found

Malwarebytes
added 2024/03/01 8:11 p.m. | 26 views

PikaBot malware on the rise: What organizations need to know

A new type of malware is being used by ransomware gangs in their attacks, and its name is PikaBot. A relatively new trojan that emerged in early 2023, PikaBot is the apparent successor to the infamous QakBot (QBot) trojan that was shut down in August 2023. QBot was used by many ransomware gangs in...

7.8 AI score
Exploits: 0
Malwarebytes
added 2024/03/01 5:53 p.m. | 13 views

Malicious meeting invite fix targets Mac users

Cybercriminals are targeting Mac users interested in cryptocurrency opportunities with fake calendar invites. During the attacks the criminals will send a link supposedly to add a meeting to the target’s calendar. In reality the link runs a script to install Mac malware on the target’s machine...

7.6 AI score
Exploits: 0
Malwarebytes
added 2024/03/01 1:41 p.m. | 23 views

Pig butchering scams, how they work and how to avoid them

Pig butchering scams are big business. There are hundreds of millions of dollars involved every year. The numbers are not very precise because some see them as a special kind of romance scam, while others classify them as investment fraud. The victims in Pig Butchering schemes are referred to as...

6.8 AI score
Exploits: 0
Malwarebytes
added 2024/02/29 2:0 p.m. | 22 views

Airbnb scam sends you to a fake Tripadvisor site, takes your money

One of my co-workers who works on Malwarebytes’ web research team just witnessed a real life example of how useful his work is in protecting people against scammers. Stefan decided to visit Amsterdam with his girlfriend, and found a very nice and luxurious apartment in Amsterdam on Airbnb. In the...

7.1 AI score
Exploits: 0
Malwarebytes
added 2024/02/29 11:16 a.m. | 17 views

Facebook bug could have allowed attacker to take over accounts

A vulnerability in Facebook could have allowed an attacker to take over a Facebook account without the victim needing to click on anything at all. The bug was found by a bounty hunter from Nepal called Samip Aryal and has now been fixed by Facebook. In his search for an account takeover...

7.5 AI score
Exploits: 0
Malwarebytes
added 2024/02/28 7:43 p.m. | 22 views

Stopping a targeted attack on a Managed Service Provider (MSP) with ThreatDown MDR

In late January 2024, the ThreatDown Managed Detection and Response (MDR) team found and stopped a three-month long malware campaign against a Managed Service Provider (MSP) based in Europe. In line with our observations of attackers increasingly relying on legitimate software in their attacks, the...

7.6 AI score
Exploits: 0
Malwarebytes
added 2024/02/28 5:11 p.m. | 18 views

ALPHV is singling out healthcare sector, say FBI and CISA

In an updated StopRansomware security advisory, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) have warned the healthcare industry about the danger of the ALPHV ransomware group, also known as...

7.4 AI score
Exploits: 0
Malwarebytes
added 2024/02/28 3:58 p.m. | 39 views

One year later, Rhadamanthys is still dropped via malvertising

It was just a little over a year ago that the Rhadamanthys stealer was first publicly seen distributed via malicious ads. Throughout 2023, we observed a continuation in malvertising chains related to software downloads. Fast forward to 2024 and the same malvertising campaigns are still going on...

6.9 AI score
Exploits: 0
Malwarebytes
added 2024/02/28 11:41 a.m. | 22 views

Change Healthcare outages reportedly caused by ransomware

On Wednesday February 21, 2024, Change Healthcare—a subsidiary of UnitedHealth Group—experienced serious system outages due to a cyberattack. In a Form 8-K filing the company said it: “identified a suspected nation-state associated cyber security threat actor had gained access to some of the Chan...

7.1 AI score
Exploits: 0
Malwarebytes
added 2024/02/27 11:37 a.m. | 17 views

Android banking trojans: How they steal passwords and drain bank accounts

For the most popular operating system in the world—which is Android and it isn’t even a contest—there’s a sneaky cyberthreat that can empty out a person’s bank accounts to fill the illicit coffers of cybercriminals. These are “Android banking trojans,” and, according to our 2024 ThreatDown State ...

7.5 AI score
Exploits: 0
Malwarebytes
added 2024/02/27 10:47 a.m. | 13 views

Identity theft is number one threat for consumers, says report

The German Federal Office for Information Security (BSI) has published a report on The State of IT Security in Germany in 2023, and the number one threat for consumers is… identity theft. The thing is, you can protect your devices and your online privacy as much as possible, but what happens when...

7.3 AI score
Exploits: 0
Malwarebytes
added 2024/02/26 4:23 p.m. | 26 views

How to make a fake ID online, with Joseph Cox: Lock and Code S05E05

This week on the Lock and Code podcast… For decades, fake IDs had roughly three purposes: Buying booze before legally allowed, getting into age-restricted clubs, and, we can only assume, completing nation-state spycraft for embedded informants and double agents. In 2024, that’s changed, as the use...

7.2 AI score
Exploits: 0
Malwarebytes
added 2024/02/26 7:39 a.m. | 10 views

A week in security (February 19 – February 25)

Last week on Malwarebytes Labs: Joomla! patches XSS flaws that could lead to remote code execution; Update now! ConnectWise ScreenConnect vulnerability needs your attention; Why ransomware gangs love using RMM tools—and how to stop them; Signal to shield user phone numbers by default; Vibrator virus...

7.1 AI score
Exploits: 0
Malwarebytes
added 2024/02/23 4:11 p.m. | 30 views

Joomla! patches XSS flaws that could lead to remote code execution

On February 20, Joomla! posted details about four vulnerabilities it had fixed in its Content Management System (CMS), and one in the Joomla! Framework that affects the CMS. Joomla! is an open-source CMS that’s been around since 2005, and has been one of the most popular CMS platforms by market sha...

7.2 AI score | 0.48839 EPSS
Exploits: 1
Malwarebytes
added 2024/02/23 1:37 p.m. | 33 views

Update now! ConnectWise ScreenConnect vulnerability needs your attention

ConnectWise is warning self-hosted and on-premise customers that they need to take immediate action to remediate a critical vulnerability in its ScreenConnect remote desktop software. This software is typically used in data-centers and for remote assistance. Together ConnectWise’s partners manage...

7.5 CVSS | 8.8 AI score | 0.99959 EPSS
Exploits: 8
Malwarebytes
added 2024/02/22 4:8 p.m. | 24 views

Why ransomware gangs love using RMM tools—and how to stop them

One of the most alarming trends our ThreatDown Intelligence team has noticed lately is the increased exploitation of legitimate Remote Monitoring and Management (RMM) tools by ransomware gangs in their attacks. RMM software, such as AnyDesk, Atera, and Splashtop, are essential for IT administrators...

8 AI score
Exploits: 0
Malwarebytes
added 2024/02/22 11:11 a.m. | 16 views

Signal to shield user phone numbers by default

Chat app Signal will shield user’s phone numbers by default from now on. And, it will no longer be necessary to exchange phone numbers when people want to connect through the app. In November, we reported that Signal was testing usernames to eliminate the need to share your phone number. Signal h...

7.1 AI score
Exploits: 0
Malwarebytes
added 2024/02/21 12:58 p.m. | 26 views

[updated] Vibrator virus steals your personal information

I know that some of you are expecting a post similar to that about a toothbrush botnet, but this is not a hypothetical case. It actually happened. A Malwarebytes Premium customer started a thread on Reddit saying we had blocked malware from trying to infect their computer after they connected a...

7.3 AI score
Exploits: 0
Malwarebytes
added 2024/02/21 11:21 a.m. | 48 views

A first analysis of the i-Soon data leak

Data from a Chinese cybersecurity vendor that works for the Chinese government has exposed a range of hacking tools and services. Although the source is not entirely clear, it seems that a disgruntled staff member of the group leaked the information on purpose. The vendor, i-Soon aka Anxun is...

7 AI score
Exploits: 0
Malwarebytes
added 2024/02/20 7:53 p.m. | 17 views

ThreatDown EDR update: Streamlined Suspicious Activity investigation

Navigating the complex world of alerts just got easier, thanks to our latest enhancements to the ThreatDown Endpoint Detection and Response (EDR) platform. The detailed technical information in EDR alerts—replete with complicated diagrams and references to advanced cybersecurity tactics—can overwhe...

7 AI score
Exploits: 0
Malwarebytes
added 2024/02/20 7:3 p.m. | 18 views

Law enforcement trolls LockBit, reveals massive takedown

In an act of exquisite trolling, the UK’s National Crime Agency (NCA) has announced further details about its disruption of the LockBit ransomware group by using the group’s own dark web website. The LockBit dark web site has a new look. Since the demise of Conti in 2022, LockBit has been unchallenged...

7.3 AI score
Exploits: 0
Malwarebytes
added 2024/02/20 1:27 p.m. | 19 views

Wyze cameras show the wrong feeds to customers. Again.

Last September, we wrote an article about how Wyze home cameras temporarily showed other people’s security feeds. As far as home cameras go, we said this is absolutely up there at the top of the “things you don’t want to happen” list. Turning your customers into Peeping Tom against their will and...

7.4 AI score
Exploits: 0
Malwarebytes
added 2024/02/20 11:7 a.m. | 18 views

Malvertising: This cyberthreat isn’t on the dark web, it’s on Google

On the internet, people need to worry about more than just opening suspicious email attachments or entering their sensitive information into harmful websites—they also need to worry about their Google searches. That’s because last year, as revealed in our 2024 ThreatDown State of Malware report,...

7.1 AI score
Exploits: 0
Malwarebytes
added 2024/02/20 10:43 a.m. | 15 views

Raccoon Infostealer operator extradited to the United States

A Ukrainian national, Mark Sokolovsky, has been indicted for crimes related to fraud, money laundering and aggravated identity theft and extradited to the United States from the Netherlands, the US Attorney’s Office of the Western District of Texas has announced. In March 2022, around the same ti...

7 AI score
Exploits: 0
Malwarebytes
added 2024/02/20 12:7 a.m. | 16 views

LockBit, the world’s worst ransomware, is down

For the last two years the absolute worst, most prolific, most globally significant "big game" ransomware gang has been LockBit. This evening its position as ransomware’s biggest beast is suddenly in doubt, following some non-consensual website redecoration at the hands of the UK’s National Crime...

7.2 AI score
Exploits: 0
Malwarebytes
added 2024/02/19 3:54 p.m. | 21 views

Why keeping track of user accounts is important

CISA (the Cybersecurity & Infrastructure Security Agency) has issued a cybersecurity advisory after the discovery of documents containing host and user information of a state government organization’s network environment—including metadata—on a dark web brokerage site. An attacker managed to...

7.4 AI score
Exploits: 0
Malwarebytes
added 2024/02/19 7:46 a.m. | 20 views

A week in security (February 12 – February 18)

Last week on Malwarebytes Labs: GoldPickaxe Trojan steals your face!; Microsoft Exchange vulnerability actively exploited; Massive utility scam campaign spreads via online ads; Facebook Marketplace users’ stolen data offered for sale; How ransomware changed in 2023; Malwarebytes crushes malware all th...

7.4 AI score
Exploits: 0
Malwarebytes
added 2024/02/16 5:25 p.m. | 21 views

GoldPickaxe Trojan steals your face!

Well, the GoldPickaxe Trojan does not literally steal your face, but it does steal an image of your face in order to be able to identify as you. Researchers have found a family of Trojans, attributed to a financially motivated Chinese group, which come in versions for iOS and Android...

6.7 AI score
Exploits: 0
Malwarebytes
added 2024/02/16 1:37 p.m. | 56 views

Microsoft Exchange vulnerability actively exploited

As it turns out, there was another actively exploited vulnerability included in Microsoft’s patch Tuesday updates for February. When Microsoft said in its update guide for CVE-2024-21410 that the vulnerability was likely to be exploited by attackers, they weren’t kidding. Soon after they changed...

7.5 CVSS | 7.6 AI score | 0.12661 EPSS
Exploits: 0
Malwarebytes
added 2024/02/15 4:39 p.m. | 27 views

Massive utility scam campaign spreads via online ads

For many households, energy costs represent a significant part of their overall budget. And when customers want to discuss their bills or look for ways to save money, scammers are just a phone call away. Enter the utility scam, where crooks pretend to be your utility company so they can threaten...

7 AI score
Exploits: 0
Malwarebytes
added 2024/02/15 11:55 a.m. | 20 views

Facebook Marketplace users’ stolen data offered for sale

Personal data belonging to Facebook Marketplace users has been published online, according to BleepingComputer. A cybercriminal was allegedly able to steal a partial database after hacking the systems of a Meta contractor. The leak consists of around 200,000 records that contain names, phone...

6.9 AI score
Exploits: 0
Malwarebytes
added 2024/02/14 2:47 p.m. | 17 views

How ransomware changed in 2023

In 2023, the CL0P ransomware gang broke the scalability barrier and shook the security world with a series of short, automated campaigns, hitting hundreds of unsuspecting targets simultaneously with attacks based on zero-day exploits. The gang’s novel approach challenged a bottleneck that makes it...

7.2 AI score
Exploits: 0
Malwarebytes
added 2024/02/14 1:40 p.m. | 13 views

Malwarebytes crushes malware all the time

About a month ago, The PC Security Channel (TPSC) ran a test to check out the detection capabilities of Malwarebytes. They tested Malwarebytes by executing a repository of 2015 “malicious” files to see how many Malwarebytes would detect. This YouTube video shows how a script executes the files and...

7.3 AI score
Exploits: 0
Malwarebytes
added 2024/02/14 1:17 p.m. | 49 views

Update now! Microsoft fixes two zero-days on February Patch Tuesday

Microsoft has issued patches for 73 security vulnerabilities in its February 2024 Patch Tuesday. Among these vulnerabilities are two zero-days that are reportedly being used in the wild. The two zero-day vulnerabilities have already been added to the Cybersecurity & Infrastructure Security Agency...

7.5 CVSS | 8.5 AI score | 0.95443 EPSS
Exploits: 24
Malwarebytes
added 2024/02/13 4:51 p.m. | 27 views

TheTruthSpy stalkerware, still insecure, still leaking data

In 2022, we published an article about how photographs of children taken by a stalkerware-type app were found exposed on the internet because of poor cybersecurity practices by the app vendor. The stalkerware-type app involved, TheTruthSpy, has shown once again that the way in which it handles...

5 CVSS | 7.5 AI score | 0.0247 EPSS
Exploits: 0
Malwarebytes
added 2024/02/13 4:38 p.m. | 14 views

Remote Monitoring & Management software used in phishing attacks

Remote Monitoring & Management (RMM) software, including popular tools like AnyDesk, Atera, and Splashtop, are invaluable for IT administrators today, streamlining tasks and ensuring network integrity from afar. However, these same tools have caught the eye of cybercriminals, who exploit them to...

7.7 AI score
Exploits: 0
Malwarebytes
added 2024/02/13 2:28 p.m. | 25 views

Patch now! Roundcube mail servers are being actively exploited

The Cybersecurity & Infrastructure Security Agency (CISA) has added a vulnerability in Roundcube Webmail to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. This means that Federal Civilian Executive Branch (FCEB) agencies need to remediate this vulnerability by...

5.8 CVSS | 5.8 AI score | 0.56895 EPSS
Exploits: 2
Malwarebytes
added 2024/02/13 11:49 a.m. | 21 views

Warzone RAT infrastructure seized

On February 9, 2024, the Justice Department announced that an international operation had seized internet domains that were selling information-stealing malware. Federal authorities in Boston seized www.warzone.ws and three related domains, which sold the Warzone RAT malware. The Warzone RAT...

7.6 AI score
Exploits: 0
Malwarebytes
added 2024/02/12 7:10 p.m. | 18 views

Ransomware review: February 2024

This article is based on research by Marcelo Rivero, Malwarebytes ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, "known attacks" are those where the victim did not pay a ransom. This provides the best overall picture of...

7.1 AI score
Exploits: 0
Malwarebytes
added 2024/02/12 5:6 p.m. | 12 views

If only you had to worry about malware, with Jason Haddix: Lock and Code S05E04

Today on the Lock and Code podcast… If your IT and security teams think malware is bad, wait until they learn about everything else. In 2024, the modern cyberattack is a segmented, prolonged, and professional effort, in which specialists create strictly financial alliances to plant malware on...

7.6 AI score
Exploits: 0
Malwarebytes
added 2024/02/12 2:33 p.m. | 22 views

AI-generated voices in robocalls are illegal, rules FCC

The Federal Communications Commission (FCC) has announced that calls made with voices generated with the help of Artificial Intelligence (AI) will be considered “artificial” under the Telephone Consumer Protection Act (TCPA). Effective immediately, that makes robocalls that implement voice cloning...

7.2 AI score
Exploits: 0
Malwarebytes
added 2024/02/12 9:20 a.m. | 14 views

A week in security (February 5 – February 11)

Last week on Malwarebytes Labs: Ivanti urges customers to patch yet another critical vulnerability; Ransomware in 2023 recap: 5 key takeaways; FBI and CISA publish guide to Living off the Land techniques; Warning from LastPass as fake app found on Apple App Store; 2 million job seekers targeted by da...

7 AI score
Exploits: 0
Malwarebytes
added 2024/02/09 6:13 p.m. | 52 views

Ivanti urges customers to patch yet another critical vulnerability

In a new blog post, Ivanti says that it has found another vulnerability and urges customers to “immediately take action to ensure you are fully protected”. This vulnerability only affects a limited number of supported versions–Ivanti Connect Secure version 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 a...

7.5 CVSS | 7.6 AI score | 0.99999 EPSS
Exploits: 26
Malwarebytes
added 2024/02/09 3:52 p.m. | 24 views

Ransomware in 2023 recap: 5 key takeaways

This article is based on research by Marcelo Rivero, Malwarebytes’ ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, “known attacks” are those where the victim did not pay a ransom. This provides the best overall picture of...

7.3 AI score
Exploits: 0
Malwarebytes
added 2024/02/09 1:55 p.m. | 33 views

FBI and CISA publish guide to Living off the Land techniques

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), and other authoring agencies have released a joint guidance about common living off the land (LOTL) techniques and common gaps in cyber defense capabilities. Living Off The...

7.8 AI score
Exploits: 0
Malwarebytes
added 2024/02/08 2:8 p.m. | 18 views

Warning from LastPass as fake app found on Apple App Store

Password Manager LastPass has warned about a fraudulent app called “LassPass Password Manager” which it found on the Apple App Store. The app closely mimics the branding and appearance of LastPass, right down to the interface. So, even if the name was a “happy accident” it seems clear that this w...

6.7 AI score
Exploits: 0
Malwarebytes
added 2024/02/08 1:42 p.m. | 21 views

2 million job seekers targeted by data thieves

A cybercriminal group known as ResumeLooters has infiltrated 65 job listing and retail websites, compromising the personal data of over two million job seekers. The group used SQL injection and cross-site scripting (XSS) attacks—both common techniques—to extract the sensitive information from the...

7 AI score
Exploits: 0
Malwarebytes
added 2024/02/07 4:43 p.m. | 18 views

How to tell if your toothbrush is being used in a DDoS attack

It’s not...

7.3 AI score
Exploits: 0
Malwarebytes
added 2024/02/07 11:12 a.m. | 21 views

Facebook fatal accident scam still rages on

Recently I wrote about a malvertising campaign on Facebook that has been going on for almost a year. Apparently Facebook is struggling to stop this campaign, so now this type of campaign is showing up in other languages than English. I have seen two different types in German. First Facebook scam...

7.3 AI score
Exploits: 0
Total number of security vulnerabilities: 4662