Ransomware review: January 2024
This article is based on research by Marcelo Rivero, Malwarebytes ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, "known attacks" are those where the victim did not pay a ransom. This provides the best overall picture of...
Info-stealers can steal cookies for permanent access to your Google account
Hackers have found a way to gain unauthorized access to Google accounts, bypassing any multi-factor authentication (MFA) the user may have set up. To do this they steal authentication cookies and then extend their lifespan. It doesn’t even help if the owner of the account changes their password...
Atomic Stealer rings in the new year with updated version
Last year, we documented malware distribution campaigns both via malvertising and compromised sites delivering Atomic Stealer (AMOS) onto Mac users. This stealer has proven to be quite popular in the criminal underground and its developers have been adding new features to justify its hefty...
Patch now! First patch Tuesday of 2024 is here
Microsoft has issued patches for 48 security vulnerabilities in the first Patch Tuesday of 2024. With a relatively low number of patches—and only two of them critical—this makes it a relatively quiet month, which is certainly not the norm in January. The Common Vulnerabilities and Exposures (CVE)...
SEC X account hacked to hawk crypto-scams
We have seen several high-profile accounts that were taken over on X (formerly Twitter) only to be used for cryptocurrency-related promotional activities, like expressing the approval of exchange-traded funds (ETFs). The latest victim in this line-up is the Securities and Exchange Commission (SEC). The...
ThreatDown earns highest ratings across EDR and MDR categories in G2 Winter 2024 results
The peer-to-peer review source G2 has released its Winter 2024 reports, ranking ThreatDown products on top across several Endpoint Detection and Response (EDR) and Managed Detection and Response (MDR) categories. Based on verified customer reviews, ThreatDown EDR was voted a Leader in the overall and...
Exposing the ransomware lie to “leave hospitals alone”
Ransomware groups are liars, yes, but even when these dangerous cybercriminals would ransack organizations and destroy entire companies, a few select groups espoused a sort of "honor among thieves." According to those few groups, their cybercriminal actions would never include organizations...
AirTags stalking lawsuit alleges Apple’s negligence in protecting victims
Each year, an estimated 13.5 million people in the US are victims of stalking. This is a worrying fact stated in the introduction of a lawsuit against Apple brought by stalking victims who charge that AirTags empowered their abusers. AirTags are marketed as trackers that allow you to easily find...
A week in security (January 1 – January 7)
Last week on Malwarebytes Labs: Police investigate sexual assault on an avatar; How AI hallucinations are making bug hunting harder; Explained: SMTP smuggling; Facebook introduces another way to track you – Link History; 23andMe blames "negligent" breach victims, says it’s their own fault; Microsoft...
Police investigate sexual assault on an avatar
British police are investigating a case involving a virtual sexual assault of a girl's avatar. Even though there was no physical violence involved, the incident will be investigated as it has caused psychological trauma. By definition, an avatar is a virtual representation of a user and is driven b...
How AI hallucinations are making bug hunting harder
Bug bounty programs that pay people for finding bugs are a very useful tool for improving the security of software. But with the availability of artificial intelligence (AI), as seen in the popular large language models (LLMs) like ChatGPT, Bard, and others, it looks like there is a new problem on the...
Explained: SMTP smuggling
SMTP smuggling is a technique that allows an attacker to send an email from pretty much any address they like. The intended goal is email spoofing—sending emails with false sender addresses. Email spoofing allows criminals to make malicious emails more believable. Let’s take a closer look at what...
Facebook introduces another way to track you – Link History
In what seems like yet another attempt to adapt its platform to prepare for new regulations, Facebook has started rolling out a new feature called Link History. Link History allows users to view and re-visit links they have visited with their Facebook browsing activity. Obviously Facebook will te...
23andMe blames “negligent” breach victims, says it’s their own fault
In a surprising move, in a letter to legal representatives of victims of the recent 23andMe data breach, the company has laid the blame at the feet of victims themselves. 23andMe even goes as far as to claim that this wasn’t a data breach at 23andMe at all. The reasoning: “… unauthorized actors...
Microsoft disables ms-appinstaller after malicious use
In what might be conceived as one of Microsoft’s new year resolutions, it has disclosed that it’s turned off the ms-appinstaller protocol handler by default. The change is designed to make installing apps easier, but it also makes installing malware easier. Typically, an app needs to be on a devic...
Investment fraud a serious money maker for criminals
Europol’s spotlight report ‘Online fraud schemes: a web of deceit’ looks into online fraud schemes—a major crime threat in the EU and beyond—and one of the report’s primary themes is investment fraud. But first I want to share some more remarkable conclusions from the report: Charity scams that...
Oops! Black Basta ransomware flubs encryption
Researchers at SRLabs have made a decryption tool available for Black Basta ransomware, allowing some victims of the group to decrypt files without paying a ransom. The decryptor works for victims whose files were encrypted between November 2022 and December 2023. The decryptor, called Black Bast...
DNA data deserves better, with Suzanne Bernstein: Lock and Code S05E01
This week on the Lock and Code podcast… Hackers want to know everything about you: Your credit card number, your ID and passport info, and now, your DNA. On October 1, 2023, on a hacking website called BreachForums, a group of cybercriminals claimed that they had stolen—and would soon...
A week in security (December 25 – December 31)
Last week on Malwarebytes Labs: How to recognize AI-generated phishing mails; How ransomware operators try to stay under the radar; 4 sneaky scams from 2023; The top 4 ransomware gang failures of 2023; Have a safe 2024! Our business solutions remove all remnants of ransomware and prevent you from...
The top 4 ransomware gang failures of 2023
Ransomware gangs care about one thing: Stealing money. Over time, their craven, cybercriminal efforts have toppled businesses, destabilized hospitals, and ruined lives. Worst of all, they show no sign of slowing down, and their extortion attempts—which no longer focus on ransomware delivery...
4 sneaky scams from 2023
In 2023, the public primarily confronted two varieties of online scams: the technical and the topical. Technical scams abuse legitimate aspects of modern internet infrastructure to lead users to illegitimate or compromised sites. A team of hackers can, say, boost their own info-stealing websites...
How ransomware operators try to stay under the radar
An often heard remark is that when your security solution notices a ransomware attack, it’s already too late. There’s a lot of truth in that, if you consider the encryption process to be the ransomware attack. However, these days encryption is just a part of many ransomware attacks. Some of the...
How to recognize AI-generated phishing mails
Phishing is the art of sending an email with the aim of getting users to open a malicious file or click on a link to then steal credentials. But most phishers aren’t very good, and the success rate is relatively low: In 2021, the average click rate for a phishing campaign was 17.8%. However, now...
A week in security (December 18 – December 24)
Last week on Malwarebytes Labs: Comcast’s Xfinity breached by Citrix Bleed; 36 million customers’ data accessed; How does ThreatDown Vulnerability Assessment and Patch Management work?; How Outlook notification sounds can lead to zero-click exploits; Update Chrome now! Emergency update patches...
Comcast’s Xfinity breached by Citrix Bleed; 36 million customers’ data accessed
In a notice for its customers, Xfinity acknowledges it recently fell victim to a data security incident. Xfinity is Comcast’s brand for TV, internet, and home phone services, sometimes referred to as Comcast Cable Communications. During the data breach the attackers were able to access 35.8 millio...
How does ThreatDown Vulnerability Assessment and Patch Management work?
Maintaining updated systems and applications is a challenge for any IT team—especially considering the sheer volume of vulnerabilities organizations must find and prioritize on a rolling basis. ThreatDown Vulnerability Assessment (VA), now included for free in every ThreatDown bundle, simplifies th...
How Outlook notification sounds can lead to zero-click exploits
An Akamai researcher has found two vulnerabilities in Windows that can be combined to achieve a full, zero-click remote code execution (RCE) in Outlook. Both vulnerabilities were responsibly disclosed to Microsoft and addressed in the August 2023 and October 2023 Patch Tuesdays, so the researcher...
Update Chrome now! Emergency update patches zero-day
Google has released an emergency security update for Chrome that brings the browser’s Stable channel to version 120.0.6099.129 for Mac, Linux and to 120.0.6099.129/130 for Windows. This update includes one security fix for a vulnerability that was subject to an existing exploit. The easiest way to...
US pharmacy Rite Aid banned from operating facial recognition systems
Pharmacy chain Rite Aid has been denied the right to run facial recognition systems in its stores for five years, by a Federal Trade Commission (FTC) ruling. The regulator found so many flaws in the retailer’s surveillance program that it concluded Rite Aid had failed to implement reasonable...
Webinar recap: Ransomware gangs and Living Off The Land attacks (LOTL)
Discover the intersection of Ransomware-as-a-Service (RaaS) gangs and Living Off The Land (LOTL) attacks in our latest webinar, now available on-demand, led by cybersecurity experts Ian Thomas, Mark Stockley, and Bill Cozens. The webinar revealed how RaaS gangs use LOTL tactics, leveraging legitimate...
FBI issues advisory over Play ransomware
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) have released a joint Cybersecurity Advisory (CSA) about Play ransomware. According to the FBI, Play made around 300 victims...
New MetaStealer malvertising campaigns
MetaStealer is a popular piece of malware that came out in 2022, leveraging the previous code base of RedLine. Stealers have become a very hot commodity in the criminal space, so much so that there is competition between various groups. Threat actors have primarily used malspam as an infection vector...
Mr. Cooper leaks personal data of 14 million loan and mortgage customers
A major mortgage and loan company based in Dallas, working under the name Mr. Cooper Group Inc., has released more information on a recent breach. In a data breach notification, the company didn’t say what type of cyberattack caused the compromise of customer data, calling it a rather non-descripti...
Meet the entirely legal, iPhone-crashing device, the Flipper Zero: Lock and Code S04E25
This week on the Lock and Code podcast… It talks, it squawks, it even blocks! The stocking-stuffer on every hobby hacker’s wish list this year is the Flipper Zero. “Talk” across low-frequency radio to surreptitiously change TV channels, emulate garage door openers, or even pop open your friend’s...
MongoDB warns customers about data breach after cyberattack
Database provider MongoDB has posted a security notice about a security incident in which attackers obtained unauthorized access to some of its corporate systems. The targeted system contained customer names, phone numbers, and email addresses among other customer account metadata, including syst...
A week in security (December 11 – December 17)
Last week on Malwarebytes Labs: PikaBot distributed via malicious search ads; Chrome starts the countdown to the end of tracking cookies; Apple to introduce new feature that makes life harder for iPhone thieves; Recently-patched Apache Struts vulnerability used in worldwide attacks; ALPHV ransomware...
PikaBot distributed via malicious search ads
During this past year, we have seen an increase in the use of malicious ads (malvertising), and specifically those via search engines, to drop malware targeting businesses. In fact, browser-based attacks overall have been a lot more common if we include social engineering campaigns. Criminals have...
Chrome starts the countdown to the end of tracking cookies
Google has announced that it will start rolling out its Chrome web browser’s new Tracking Protection feature from January of 2024. Tracking Protection is part of Google’s Privacy Sandbox initiative to phase out third-party cookies. The Tracking Protection feature aims to disable third-party cookies...
Apple to introduce new feature that makes life harder for iPhone thieves
Reportedly, Apple has plans to make it harder for iPhone thieves to steal your personal information even if they have your device’s passcode. A new feature called Stolen Device Protection is included in the beta version of iOS 17.3. The feature limits access to your private information in case...
Recently-patched Apache Struts vulnerability used in worldwide attacks
Attackers are exploiting a critical vulnerability in Apache Struts 2 that was patched recently. Struts is a very popular open source platform to develop applications and websites. On December 7, 2023, Apache announced versions 6.3.0.2 and 2.5.33 of Struts were now available to address a potential...
ALPHV ransomware gang returns, sorta
The ALPHV ransomware gang, arguably the second most dangerous "big game" ransomware operator, appears to be back in business after its infrastructure went down for five days. But all does not appear to be going well for the group. ALPHV’s dark web leak site may be back but it is only showing a single...
Apple now requires a judge’s order to hand over your push notification data
Last week, we reported on how US government agencies have been asking Apple and Google for metadata related to push notifications, but the companies aren’t allowed to tell users about it happening. The content of the notifications is diverse. It ranges from a weather app warning you about rain to ...
Ransomware review: December 2023
This article is based on research by Marcelo Rivero, Malwarebytes ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, "known attacks" are those where the victim did not pay a ransom. This provides the best overall picture of...
Microsoft patches 34 vulnerabilities, including one zero-day
December’s Patch Tuesday is a relatively quiet one on the Microsoft front. Redmond has patched 34 vulnerabilities with only four rated as critical. One vulnerability, a previously disclosed unpatched vulnerability in AMD central processing units (CPUs), was shifted by AMD to software developers. Th...
Malvertisers zoom in on cryptocurrencies and initial access
During the past month, we have observed an increase in the number of malicious ads on Google searches for "Zoom", the popular piece of video conferencing software. Threat actors have been alternating between different keywords for software downloads such as "Advanced IP Scanner" or "WinSCP"...
How to choose a free vulnerability scanner: Insights from an industry veteran
The cybersecurity market is awash with expensive, high-end solutions for detecting vulnerabilities in third-party applications. However, for smaller security teams, free vulnerability scanners offer a practical alternative. But of course, free doesn’t always mean better—it’s crucial to thoroughly...
Update now! Apple issues patches for older iPhones and other devices
Apple has issued emergency updates that include patches for older iOS devices concerning the two actively used zero-day vulnerabilities that were patched last week in newer devices. Updates are available for: Safari 17.2 (macOS Monterey and macOS Ventura); iOS 17.2 and iPadOS 17.2 (...
Healthcare giant Norton breach leads to theft of millions of patient records
Healthcare company Norton says a May breach led to the theft of data of around 2.5 million of its patients, as well as employees and their dependents. Norton has more than 40 clinics and hospitals in and around Louisville, Kentucky. In a filing with Maine’s attorney general on Friday, Norton said...
The sound of you typing on your keyboard could reveal your password
As if password authentication’s coffin needed any more nails, researchers in the UK have discovered yet another way to hammer one in. The technique, developed at Durham University, the University of Surrey, and Royal Holloway University of London, builds on previous work to produce a more accurate...