60,000 Androids have stalkerware-type app Spyhide installed

Stalkerware-type app Spyhide is coded so badly that its possible to gain access to the back-end databases and retrieve data about everyone that has the app on their device. And it's not a small number. Hacktivist maia arson crimew told TechCrunch she'd found 60,000 compromised Android devices,...

Ransomware groups claim responsibility for double-attack on Yamaha

Music giant Yamahas Canadian division has experienced a compromise on two different fronts, both related to ransomware. In an attack which has worrying echoes of the recent Estee Lauder attack, multiple attackers have claimed to breach the organisation. Yamaha Canada Music had the following to sa...

Update now! Apple fixes several serious vulnerabilities

Apple has released security updates for several products to address several serious vulnerabilities including some actively exploited zero-days. Updates are available for these products: Safari 16.6 | macOS Big Sur and macOS Monterey ---|--- iOS 16.6 and iPadOS 16.6 | iPhone 8 and later, iPad Pro...

How to set up computer security for your parents

Last Sunday July 23, 2023 was National Parents Day. And maybe you are wondering how you can repay your parents for turning you into the person you are today. And we have an idea that shouldn't cost you much more than some of your time. Help them to shore up their cybersecurity, if they need it. I...

Tampa General Hospital half thwarts ransomware attack, but still loses patient data

The Tampa General Hospital TGH has promised to reach out to individuals whose information has been stolen by a ransomware group. In a cybersecurity notice, TGH said it noticed unusual activity on its computer systems on May 31, 2023. "Fortunately, TGHs monitoring systems and experienced technolog...

A week in security (July 17 - 23)

Last week on Malwarebytes Labs: CISA: You've got two weeks to patch Citrix NetScaler vulnerability CVE-2023-3519 Estee Lauder targeted by Cl0p and BlackCat ransomware groups Google fixes "Bad.Build" Cloud Build flaw, researchers say it's not enough Accidental VirusTotal upload is a valuable...

Estée Lauder targeted by Cl0p and BlackCat ransomware groups

Estee Lauder is currently at the heart of a compromise storm, revealing a major security issue via a Security Exchange Commission SEC filing on Tuesday. Although no detailed explanation of what has taken place is given, there is confirmation that an attack allowed access to some systems and...

CISA: You've got two weeks to patch Citrix NetScaler vulnerability CVE-2023-3519

The Cybersecurity and Infrastructure Security Agency CISA has added a critical unauthenticated remote code execution RCE vulnerability in Citrix NetScaler ADC and Citrix NetScaler Gateway to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. This means that...

Google fixes "Bad.Build" Cloud Build flaw, researchers say it's not enough

Researchers at Orca Security have found a design flaw in the Google Cloud Build service. Attackers would have been able to gain Privilege Escalation resulting in unauthorized access to code repositories in Googles Artifact Registry. The researchers dubbed the vulnerability Bad.Build and say it...

Accidental VirusTotal upload is a valuable reminder to double check what you share

A document accidentally uploaded to Googles VirusTotal service has resulted in the potential exposure of defence and intelligence agency names and email addresses. The service, used to scan files for signs of potential malicious activity, is used by security professionals and folks just intereste...

Amazon in-van delivery driver footage makes its way online

Footage from technology used to monitor Amazon delivery drivers is leaking onto the internet. AI-enabled equipment which keeps an eye on the drivers speed, location, and other activities is part of the growing trend of workplace surveillance. In theory where drivers are concerned it could flag a...

Docker Hub images found to expose secrets and private keys

Numerous Docker images shared on Docker Hub are exposing sensitive data, according to a study conducted by researchers at the German university RWTH Aachen. Needless to say, this poses a significant security risk. In traditional software development, programmers code an application in one computi...

Plane sailing for ticket scammers: How to keep your flight plans safe

You may be getting ready to jump on a plane and head off for a few days or weeks of rest and relaxation. So the last thing you need before flying is a technology related horror show. Sadly, scammers are aware of families getting ready to hit the skies, and have tailored their threats accordingly...

Microsoft validation error allowed state actor to access user email of government agencies and others

Microsoft is getting criticized for the way in which it handled a serious security incident that allowed a suspected Chinese espionage group to access user email from approximately 25 organizations, including government agencies and related consumer accounts in the public cloud. The attacks were...

FakeSG enters the 'FakeUpdates' arena to deliver NetSupport RAT

Over 5 years ago, we began tracking a new campaign that we called FakeUpdates also known as SocGholish that used compromised websites to trick users into running a fake browser update. Instead, victims would end up infecting their computers with the NetSupport RAT, allowing threat actors to gain...

Act now! In-the-wild Zimbra vulnerability needs a workaround

Security experts are warning Zimbra users that a vulnerability for which there is no patch is being actively exploited in the wild. In a security update about the vulnerability, the company offered a temporary workaround which users can apply while waiting for a patch to be created. Zimbra is an...

Spy vs. spy: Exploring the LetMeSpy hack, with maia arson crimew

The language of a data breach, no matter what company gets hit, is largely the same. There's the stolen data--be it email addresses, credit card numbers, or even medical records. There are the users--unsuspecting, everyday people who, through no fault of their own, mistakenly put their trust into...

A week in security (July 10 - 16)

Last week on Malwarebytes Labs: Tax preparation firms shared sensitive information with Meta Ransomware making big money through "big game hunting" Malwarebytes stops 100% of Advanced Threats in latest AV-Test assessment From Malvertising to Ransomware: A ThreatDown webinar recap Ransomware revie...

Tax preparation firms shared sensitive information with Meta

A group of seven US senators has sent a letter to the heads of the IRS, the Department of Justice, the Federal Trade Commission and the IRS watchdog, revealing that they have found evidence that reveals "a shocking breach of taxpayer privacy by tax prep companies and by Big Tech firms." According...

Ransomware making big money through "big game hunting"

Ransomware generates big money for the groups behind it, with new research confirming some of the scale of the problem. Chainalysis, a blockchain research firm, looked at data from monitored cryptocurrency wallets, concluding that around $449 million has been taken from victims in the last six...

Malwarebytes stops 100% of Advanced Threats in latest AV-Test assessment

AV-TEST, a leading independent tester of cybersecurity solutions, has just given Malwarebytes two Advanced awards for the ability of our consumer and business products to protect against the latest attack techniques. Lets take a deeper dive into the test and the results. Advanced Threat Protectio...

From Malvertising to Ransomware: A ThreatDown webinar recap

Our recent webinar From Malvertising to Ransomware highlight the clear connection between malvertising--the practice of embedding malicious code within legitimate online advertisements--and the epidemic of ransomware attacks affecting businesses globally. Presented by Mark Stockley, security...

Ransomware review: July 2023

This article is based on research by Marcelo Rivero, Malwarebytes' ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, "known attacks" are those where the victim did not pay a ransom. This provides the best overall picture of...

Zero-day deploys remote code execution vulnerability via Word documents

An unpatched zero-day vulnerability is currently being abused in the wild, targeting those with an interest in Ukraine. Microsoft reports that CVE-2023-36884 is tied to reports of: …a series of remote code execution vulnerabilities impacting Windows and Office products. Microsoft is aware of...

How to secure your business before going on vacation

For many, the summer months should be a time of peace: Maybe taking some vacation, maybe strolling across warm, soft sands as sapphire waves lap up against your feet, maybe even spending time with family that you like. But for determined cybercriminals, these periods of near-universal rest and...

Update now! Microsoft patches a whopping 130 vulnerabilities

Its that time of the month again. For the July 2023 Patch Tuesday, Microsoft has issued security updates for 130 vulnerabilities. Nine of the vulnerabilities are rated as critical and four of them are known to be actively exploited. The Cybersecurity & Infrastructure Security Agency CISA has...

Proposed Massachusetts law to ban sale of your mobile location data

Cellular location phone data may be banned from sale in the state of Massachusetts, under a proposed law set to ruffle some data broker feathers. The selling of location data has long been a point of contention for privacy experts. As with so much bulk user data, claims of anonymity from the...

Criminals target businesses with malicious extension for Meta's Ads Manager and accidentally leak stolen accounts

Like all social media platforms, Facebook constantly has to deal with fake accounts, scams and malware. We have written about scams targeting consumers that redirect to fake Microsoft alert pages, but there are also threats targeting businesses that use Facebook to promote their products and...

[Updated] Apple issues Rapid Security Response for zero-day vulnerability

Apple has issued an update for a vulnerability which it says may have been actively exploited. In the security content for Safari 16.5.2 we can learn that the vulnerability was found in the WebKit component which is Apples web rendering engine. In other words, WebKit is the browser engine that...

"TootRoot" Mastodon vulnerabilities fixed: Admins, patch now!

One of Twitters big rivals, Mastodon, recently finished fixing four issues which in the worst case allowed for the creation of files on the instances server. Mastodon, whose main selling point is lots of separate communities living on different servers yet still able to communicate, was notified ...

Threatening rogue finance apps removed from the Apple Store

Multiple apps have been removed from the App Store in India after a large helping of unethical behaviour was aimed at their users. TechCrunch reports that "Pocket Kash, White Kash, Golden Kash, and OK Rupee" among others were taken down after getting close to the top 20 finance app listing spots...

MOVEit Transfer fixes three new vulnerabilities

The Cybersecurity and Infrastructure Security Agency CISA has warned about three new vulnerabilities in Progress Software's MOVEit software. A cybercriminal could exploit some of these vulnerabilities to obtain sensitive information. In the advisory, CISA encouraged users to review Progress MOVEi...

Malwarebytes Browser Guard introduces three new features

Malwarebytes Browser Guard is our free browser extension for Chrome, Edge, Firefox, and Safari that blocks unwanted and unsafe content, giving users a safer and faster browsing experience. It's the worlds first browser extension to do this while also identifying and stopping tech support scams. A...

Warning issued over increased activity of TrueBot malware

In a joint advisory, the Cybersecurity and Infrastructure Security Agency CISA, the Federal Bureau of Investigation FBI, the Multi-State Information Sharing and Analysis Center MS-ISAC, and the Canadian Centre for Cyber Security CCCS have warned about newly identified TrueBot malware variants use...

A week in security (July 3 - 9)

Last week on Malwarebytes Labs: How kids pay the price for ransomware attacks on education Solar monitoring systems exposed: Secure your devices Warning issued over vulnerability in cardiac device monitoring software Update Android now! Google patches three actively exploited zero-days Malicious ...

How kids pay the price for ransomware attacks on education

Modern ransomware attacks are as much about stealing data and threatening to leak it as they are about encrypting data. Which means that when a school or hospital is attacked, it's often students' and patients' data that's leaked if the ransom demand isn't met. We have to wonder how greedy any...

Solar monitoring systems exposed: Secure your devices

Researchers who go looking for devices exposed to the Internet report "tens of thousands" of solar photovoltaic PV monitoring and diagnostic systems can be found on the web. The systems are used for everything from system optimization to performance monitoring and troubleshooting. No fewer than...

Warning issued over vulnerability in cardiac device monitoring software

The Cybersecurity and Infrastructure Security Agency CISA has issued a warning about a vulnerability that could result in remote code execution or a denial-of-service DoS condition impacting a healthcare delivery organizations Paceart Optima system. Paceart Optima is a software application that...

Update Android now! Google patches three actively exploited zero-days

In Julys update for the Android operating system OS, Google has patched 43 vulnerabilities, three of which are actively exploited zero-day vulnerabilities. The security bulletin notes that there are indications that these three vulnerabilities may be under limited, targeted exploitation. If your...

Malicious ad for USPS fishes for banking credentials

We often think of malvertising as being malicious ads that push malware or scams, and quite rightly so these are probably the most common payloads. However, malvertising is also a great vehicle for phishing attacks which we usually see more often via spam emails. Threat actors continue to abuse a...

Google plans to scrape everything you post online to train its AI

Additions to Googles Privacy Policy are making some observers worry that all of your content is about to be fed into Google's AI tools. Alterations to the T&Cs now explicitly state that your "publicly available information" will be used to train in-house Google AI models alongside other products...

Self-driving cars are a privacy issue, says security expert

Self-driving cars peel off an extra layer from our privacy, says security expert Bruce Schneier. Theoretically, if you know the location of all the closed-circuit television CCTV cameras in a neighborhood, you might be able to move around without one of them ever catching a glimpse of your face...

Fake reviewers face big fines

The FTC is cracking down on fake reviews. Under the new proposed rules, organisations involved in the buying, selling, and manipulation of reviews could be very much out of pocket. Every time a consumer sees a fake review, it will carry a fine of "up to $50,000" per viewing. From the FTC release:...

Elderly targeted in car accident scam, kingpin arrested

The head of a criminal network responsible for defrauding hundreds of elderly people has been arrested, Europol has announced. After a joint operation in Germany, Poland, and the UK, Europol says the suspect was arrested in London from where he ran a network of fraudsters targeting mainly German...

Of sharks, surveillance, and spied-on emails: This is Section 702, with Matthew Guariglia

In the United States, when the police want to conduct a search on a suspected criminal, they must first obtain a search warrant. It is one of the foundational rights given to US persons under the Constitution, and a concept that has helped create the very idea of a right to privacy at home and...

A week in security (June 26 - July 2)

Last week on Malwarebytes Labs: A proxyjacking campaign is looking for vulnerable SSH servers New technique can defeat voice authentication "after only six tries" "Free" Evil Dead Rise movie scam lurks in Amazon listings Spyware app LetMeSpy hacked, tracked user data posted online Online safety...

Brave browser will prevent websites from port scanning visitors

If you use Brave browser, then youre shortly going to find you have a new string added to your security bow. Websites performing port scanning will now be automatically blocked beginning with version 1.54 of the browsing tool. Port scanning, I hear you cry? Yes indeed. You may well not have even...

A proxyjacking campaign is looking for vulnerable SSH servers

A researcher at Akamai has posted a blog about a worrying new trend--proxyjacking--where criminals sell your bandwidth to a third-party proxy service. To understand how proxyjacking works, well need to explain a few things. There are several legitimate services that pay users to share their surpl...

New technique can defeat voice authentication "after only six tries"

Voice authentication is back in the news with another tale of how easy it might be to compromise. University of Waterloo scientists have discovered a technique which they claim can bypass voice authentication with "up to a 99% success rate after only six tries". In fact this method is apparently ...

"Free" Evil Dead Rise movie scam lurks in Amazon listings

Scammers are using a novel technique with Amazon listings to trick fans of Evil Dead into downloads they may not want, and expensive rolling payments they have no interest in. Evil Dead Rise, the breakout horror film of 2023, started with big cinema numbers and has moved on to a victory lap in...