Why (almost) everything we told you about passwords was wrong
I have an embarrassing confession to make: I reuse passwords. I am not proud of it, but honestly it's a relief to finally get it off my chest. I am not a heavy re-user, nothing crazy. I use a password manager to handle most of my credentials, but I still reuse the odd password from time to time. It...
[updated]Two new Exchange Server zero-days in the wild
Microsoft has issued some customer guidance as it investigates (yes, more) reported vulnerabilities in Microsoft Exchange Server, affecting the 2013, 2016, and 2019 versions of the software. The company says it "is aware of limited targeted attacks using the two vulnerabilities to get into users...
Local government cybersecurity: 5 best practices
It seems like not a day goes by where we don't hear about a local government cyberattack. Indeed, from 911 call centers to public schools, cyberattacks on local governments are as common as they are devastating. Just how often do threat actors attack local governments? A survey of 14 mainly larger...
Optus data breach "attacker" says sorry, it was a mistake
Since Australian telecoms company Optus disclosed a security breach on September 22, 2022, a lot has been happening. Much of it reads like a movie script. Prologue A hacker acting under the pseudonym "optusdata" claims to have stolen the data of 10 million Optus customers. The information include...
Fast Company hacked to send obscene and racist messages
Yesterday, Apple News announced it had disabled the channel of Fast Company, a US-based business magazine, after surprised Twitter users reported it was tweeting offensive comments. An incredibly offensive alert was sent by Fast Company, which has been hacked. Apple News has disabled their channe...
APT28 attack uses old PowerPoint trick to download malware
Researchers at Cluster25 have published research about exploit code that's triggered when a user moves their mouse over a link in a booby-trapped PowerPoint presentation. The code starts a PowerShell script that downloads and executes a dropper for Graphite malware. Graphite is named after...
FCC moves to block robotexts
"The American people are fed up with scam texts, and we need to use every tool we have to do something about it." This is what Jessica Rosenworcel, Chairwoman of the US Federal Communications Commission (FCC), said after releasing a plan that will require mobile carriers to block "robotext" text...
Spyware disguises itself as Zoom downloads
Zoom video call software continues to be a staple in work environments. Despite a slow, post-lockdown easing back to the "old normal," many businesses still have remote workers, or people working in different geographies. It's no surprise then to see criminals continuing to abuse Zoom's popularit...
Erbium stealer on the hunt for data
There's a new slice of malware-as-a-service doing the rounds, although its actual newness is somewhat contested. The stealer, called Erbium, was first spotted on forums back in July 2022, but it seems nobody is quite sure when it started being deployed and snagging victims. Nevertheless, it is now...
4 times students compromised school cybersecurity
For many students school can be a tough time, and we've all heard stories about bored or frustrated kids compromising school cybersecurity to change grades. Sometimes the students are celebrated, and other times it ends in them being expelled from school, or even prosecuted. Of course, these acts...
Facebook users sue Meta for allegedly building "secret workaround" to Apple privacy safeguards
Last week, two Facebook users filed a class-action complaint against Meta in San Francisco's federal court, alleging the company built a "secret workaround" to Apple's safeguards that protect iPhone users from tracking. Facebook circumvents Apple's privacy rules by opening in-app browsers within...
TikTok faces $28m fine for failing to protect children's privacy
TikTok is no stranger to controversy where data usage is concerned. Back in 2021, the social media dance extravaganza platform agreed to pay $92m to settle dozens of lawsuits alleging harvesting of personal data. There has also been concern with regard to whether or not settings were enough to ke...
Flaw in some ManageEngine apps is being actively exploited, says CISA
CISA (the Cybersecurity and Infrastructure Security Agency) recently added CVE-2022-35405--a remote code execution (RCE) vulnerability affecting Zoho ManageEngine PAM360 versions 5500 and earlier, Password Manager Pro versions 12100 and earlier, and Access Manager Plus versions 4302 and earlier--to it...
Exchange servers abused for spam through malicious OAuth applications
Microsoft has published a security blog about an investigation into an attack in which threat actors used malicious OAuth applications to abuse Exchange servers for their spam campaign. The threat actor behind this attack has been active for many years, and has been running spam campaigns using...
Calling in the ransomware negotiator, with Kurtis Minder: Lock and Code S03E20
Ransomware can send any company into crisis. Immediately following an attack, the notoriously disruptive malware can spread across networks and machines, locking up important files and rendering vital data almost useless for all employees. As we learned in a previous episode of Lock and Code, a...
Windows 11 pulls ahead of Windows 10 in anti-phishing stakes
Some new security additions and changes have been announced for users of Windows, but you'll have to be using Windows 11 to get the most out of them. Windows 10 users may find that this is going to be a case of falling behind the herd ever so slightly. Anti-phishing tools Enhanced phishing...
Twitter fixes bug that left devices logged in after password reset
Twitter says it has fixed a bug that meant users weren't logged out of active sessions on all devices after manually resetting their passwords. Writing on its blog, Twitter said: "We want to let you know that we recently fixed a bug that allowed Twitter accounts to stay logged in from multiple...
Critical WhatsApp vulnerabilities patched: Check you've updated!
WhatsApp has fixed two remote code execution vulnerabilities in its September update, according to its security advisory. These could have allowed an attacker to remotely access a device and execute commands from afar. These versions of WhatsApp are affected by at least one of the vulnerabilities...
A week in security (September 19 – 25)
Last week on Malwarebytes Labs: Hookup site targeted by typo-squatters American Airlines suffers data breach after phishing incident Grand Theft Auto 6 suffers grand theft EDR vs MDR vs XDR - What's the Difference? Scammers send fake 'Energy Bills Support Scheme' texts Tax refund phish logs...
Malwarebytes recognized as endpoint security leader by G2
G2 has released their Fall 2022 reports, ranking Malwarebytes as the leader across a number of endpoint protection categories. Based on factual customer reviews, Malwarebytes has been ranked 1 over top EDR vendors for endpoint malware and antivirus protection, detection and remediation of web-bas...
A first look at the builder for LockBit 3.0 Black
A few months after the LockBit gang released version 3.0 of its ransomware, LockBit 3.0 Black, the builder for it has been leaked by what seems to be a disgruntled developer. LockBit has been by far the most widely used ransomware in 2022 and the appearance of the builder could make things worse...
Medtronic's MiniMed 600 series insulin pumps potentially at risk of compromise, says FDA
The US FDA (Food and Drug Administration) has warned users of Medtronic's MiniMed 600 Series Insulin Pump System--specifically, models for MiniMed 630G and MiniMed 670G--that their medical devices have a cybersecurity issue with its communication protocol. If compromised, attackers could gain...
Welcome to high tech hacking in 2022: Annoying users until they say "yes"
Last week we learned that ride-sharing giant Uber's defences had been unpicked by an attacker with a novel take on social engineering: Fatigue. Fatigue attacks play on the often repetitive nature of certain security procedures and failsafes. Do you hate having to punch in a password on your login...
Update Firefox and Thunderbird now! Mozilla patches several high risk vulnerabilities
Mozilla has released security updates to address vulnerabilities in Firefox, Firefox ESR, and Thunderbird. An attacker could exploit some of these vulnerabilities to take control of an affected system. In Firefox 105 a total of seven vulnerabilities were patched, three of which received the...
Morgan Stanley's years-long "extensive failure" to protect customer data ends in huge fine
On Tuesday, the Securities and Exchange Commission (SEC) charged financial company Morgan Stanley a $35M fine for "the firm's extensive failures, over five years, to protect the personal identifying information, or PII, of approximately 15 million customers." The company agreed to settle the penalty...
2K games helpdesk abused to spread RedLine malware
On September 20, 2022, the official Twitter account for 2K Support tweeted an important message from the Customer Support team. The tweet said an unauthorized party illegally accessed the credentials of one of the vendors of the helpdesk platform. The attacker then used that access to send out...
Vulnerable children's identities used in tax fraud scheme
Fraudster Ariel "Melo" Jimenez has been sentenced to 12 years in prison for leading a "tax fraud and identity theft conspiracy" that resulted in the fraudulent claiming of tax credits, earning him millions of dollars. "Ariel Jimenez was the leader of a long-running fraudulent tax business that...
5 things to teach your kids about social media
With children now back at school, it's time to think about social media, and their use of it. Are they already firing out tweets, chatting in Discord channels, or even just looking to set up a Tik-Tok account? Now is the time to consider giving your kids some security and privacy tips for all thei...
Scammers send fake 'Energy Bills Support Scheme' texts
Watch out for an energy-themed scam being sent out via SMS. The message plays on energy price fears, similar to what we've seen previously. Scam alert. I just received this text. Click through and it looks very official. It's a scam. The £400 energy bill discount is automatic, you don't need to...
Tax refund phish logs keystrokes to swipe personal details
There have been some smart phishing campaigns running over the last few weeks, and this one is particularly sneaky. Bleeping Computer reports that a phishing page is targeting Greek taxpayers with a tax refund scam. The added sting in the tail comes in the form of an embedded keylogger which grabs...
Kiwi Farms breached, user data potentially exposed
The operators of a site known to most observers for being in a recent state of flux have announced a forum breach. Kiwi Farms, which gained a reputation for sophisticated trolling and doxxing, was recently dropped by Cloudflare after a sustained campaign to have the DDoS mitigation and cloud...
[update] American Airlines suffers data breach after phishing incident
Major airline American Airlines has fallen victim to a data breach after a threat actor got access to the email accounts of several employees via a phishing attack. According to a published notice of a security incident, the data breach was discovered in July 2022. How it happened American Airlin...
Grand Theft Auto 6 suffers grand theft
For games publisher Take-Two Interactive, damage control is in full effect as word spreads of a Grand Theft Auto-centric network compromise. Developer Rockstar Games has suffered a major leak of upcoming game content, specifically unfinished video footage of Grand Theft Auto 6. The first anyone...
EDR vs MDR vs XDR – What’s the Difference?
Cyberattacks are rapidly evolving, leaving businesses and their IT security teams to handle immense workloads. Keeping up with today's cyberthreats not only involves staying up to date in an ever-changing threat landscape, it also involves managing complex security infrastructure and technologies...
Hookup site targeted by typo-squatters
Ethical hacker and security researcher Kody Kinzie shared with BleepingComputer a list of over 50 domains of which many are spelling variations of the brand name Sniffies. Sniffies identifies itself as a "modern, map-based, meetup app for gay, bi, and curious guys." Kody used an open source tool...
A week in security (September 12 – 18)
Last week on Malwarebytes Labs: The North Face hit by credential stuffing attack Facebook engineers aren't sure where all user data is kept 6 patch management best practices for businesses The MSP playbook on deciphering tech promises and shaping security culture Apple puts the password on life...
3 ways MDR can drive business growth for MSPs
The managed service provider market is growing rapidly. As cyberattacks continue to increase worldwide, more and more small-and-medium-sized businesses (SMBs) are looking to MSPs to take the load off when it comes to securing their business. With more business, of course, comes more competition--an...
Uber hacked
Uber informed the public on Thursday it was responding to a cybersecurity incident after somebody breached its network. From what we have been able to find out so far, the attacker managed to compromise an employee's access to the chat app Slack. The intruder may also have gained access to the...
School app Seesaw compromised to send shock NSFW image
On Wednesday, parents and teachers reported that student learning platform, Seesaw, had been hacked after some users received an infamous explicit photo known as "goatse" on private chats. Schools from districts in Colorado, Illinois, Kansas, Michigan, New York, Oklahoma, South Dakota, and Texas...
Explained: Fuzzing for security
Fuzzing, or fuzz testing, is defined as an automated software testing method that uses a wide range of invalid and unexpected data as input to find flaws in the software undergoing the test. The flaws do not necessarily have to be security vulnerabilities. Fuzzing can also bring other undesirable...
Here are the new security and privacy features of iOS 16
On Monday, September 12, Apple released iOS 16, which included a host of new security and privacy features. Let's look at what these are--and some quality-of-life (QoL) changes. Lockdown Mode As Macrumors calls it, Lockdown Mode is an "extreme" security setting ideal for those who regularly find...
Cyber threat hunting for SMBs: How MDR can help
When you hear the words "cyber threat hunting", you just may picture an elite team of security professionals scouring your systems for malware. Sounds like something only huge businesses or nation states would need to do, right? Not quite. Threat hunting is just as essential for...
Malvertising on Microsoft Edge's News Feed pushes tech support scams
While Google Chrome still dominates as the top browser, Microsoft Edge, which is based on the Chromium source code, is gradually gaining more users. Perhaps more importantly, it is the default browser on the Microsoft Windows platform and as such some segments of its user base are of particular...
5 technologies that help prevent cyberattacks for SMBs
Now more...
The privacy concerns of tying SIM cards to real identities
The registration of SIM cards tied to a verified identity is back in the news, off the back of large-scale phone fraud. In what some may call a knee-jerk response to a problem, there are calls to revive a legal bill and make it law. What's happening, and what are the potential ramifications? Hitti...
Update now! Microsoft patches two zero-days
The Microsoft September 2022 Patch Tuesday includes fixes for two publicly disclosed zero-day vulnerabilities, one of which is known to be actively exploited. Five of the 60+ security vulnerabilities were rated as "Critical", and 57 as important. Two vulnerabilities qualify as zero-days, with one...
WPGateway WordPress plugin vulnerability could allow full site takeover
There have been a few WordPress plugin vulnerabilities in the wild recently, and today we have another one to add to the list. Sometimes when word breaks of a WordPress plugin issue, a fix is already available and all you have to do is perform an update. On other occasions, the attack is live and out...
How to help your child manage their online reputation
Whether your child has been socially active online for a while now or you just handed your young one their first ever smartphone, now is an excellent time to think about managing their online reputation. The concept may sound overwhelming, but doing it is easy. Since you're no doubt talking to yo...
Steam account credentials phished in browser-in-a-browser attack
Steam users are once again under threat from a particularly sneaky tactic used to steal account details. As with so many Steam attacks currently, it accommodates for the possibility of users relying on Steam Guard Mobile Authentication for additional protection. It also makes use of a recent...
[updated] Important update! iPhones, Macs, and more vulnerable to zero-day bug
On Monday, Apple released a long list of patched vulnerabilities to its software, including a new zero-day flaw affecting Macs and iPhones. The company revealed it's aware that threat actors may have been actively exploiting this vulnerability, which is tracked as CVE-2022-32917. As it's a...