4664 matches found
[updated] Important update! iPhones, Macs, and more vulnerable to zero-day bug
On Monday, Apple released a long list of patched vulnerabilities to its software, including a new zero-day flaw affecting Macs and iPhones. The company revealed it's aware that threat actors may have been actively exploiting this vulnerability, which is tracked as CVE-2022-32917. As it's a...
Update now! Google patches vulnerabilities for Pixel mobile phones
Google's Pixel Update Bulletin for September included two security patches that are Pixel specific. Both underlying vulnerabilities are rated critical and could lead to privilege escalation and device takeover. The vulnerabilities: Publicly disclosed computer security flaws are listed in the Common...
BackupBuddy WordPress plugin vulnerable to exploitation, update now!
Users of WordPress may need to perform an urgent update related to the popular BackupBuddy plugin. BackupBuddy is a plugin which offers backup solutions designed to combat "hacks, malware, user error, deleted files, and running bad commands". Unfortunately, running an older version of BackupBuddy...
Apple puts the password on life support with passkey
The "passwordless future" is something many internet users--and a great majority of the cybersecurity industry--have hoped for. Now Apple is about to make those hopes a reality. With the release of iOS 16 yesterday, and macOS Ventura next month, Apple fans will be able to use passkeys, its passwo...
The MSP playbook on deciphering tech promises and shaping security culture
The in-person cybersecurity conference has returned. More than two years after Covid-19 pushed nearly every in-person event online, cybersecurity has returned to the exhibition hall. In San Francisco earlier this year, thousands of cybersecurity professionals walked the halls of Moscone Center at...
6 patch management best practices for businesses
Patching is a thorn in the side of many businesses today: Everything from keeping up with the volume of patches to prioritizing what needs to be patched first can cause major delays in a business's patching process. Needless to say, businesses are looking to streamline their patch management...
Facebook engineers aren't sure where all user data is kept
If it takes a village to raise a child, apparently it takes Facebook a team to tell you what data the company keeps about you and where they keep it. In the recently unsealed transcript of a hearing led by "Discovery Special Master" Daniel Garrie, an expert appointed by the court, two Facebook...
The North Face hit by credential stuffing attack
The North Face clothing brand, which specialises in outdoor and heavy weather outerwear, has experienced a "large-scale" credential stuffing attack. This has resulted in no fewer than 194,905 accounts being compromised. What is credential stuffing, and how did it affect The North Face customers?...
A week in security (September 5 – 11)
Last week on Malwarebytes Labs: Phishers use verified status as bait for Instagram users; Microsoft will disable Basic authentication for Exchange Online in less than a month; Zero-day puts a dent in Chrome's mojo; Update now! QNAP warns users DeadBolt is exploiting Photo Station vulnerability; Don't...
InterContinental Hotels' booking systems disrupted by cyberattack
In a statement filed at the London Stock Exchange, InterContinental Hotels Group PLC reports that parts of the company's technology systems have been subject to unauthorized activity. The activity significantly disrupted IHG's booking channels and other applications. The InterContinental Hotels...
Ransomware review: August 2022
Malwarebytes Threat Intelligence builds a monthly picture of ransomware activity by monitoring the information published by ransomware gangs on their Dark Web leak sites. This information represents victims who were successfully attacked but opted not to pay a ransom. As expected, LockBit remaine...
Vulnerability response for SMBs: The Malwarebytes approach
The intel you need to secure your business--delivered straight to your inbox From industry tips and best practices to the latest Malwarebytes product releases and how-tos, our Business newsletter is chock-full with the best of our business blog. Subscribe to our Business newsletter today. At...
Your HP Support Assistant needs an update!
HP has issued a new version of its HP Support Assistant tool. Users of HP Support Assistant versions earlier than 9.11 and Fusion versions earlier than 1.38.2601.0 are affected by a high severity vulnerability. According to HP it is possible for an attacker to exploit a dynamic-link library (DLL)...
Evasive Shikitega Linux malware drops Monero cryptominer
Researchers from AT&T Alien Labs Research have discovered a new and stealthy Linux malware they've dubbed Shikitega. Once it's on a machine or device, Shikitega executes a "multistage infection chain" involving small files, a couple of vulnerabilities, and the use of Mettle, a portable Metasploit...
YouTube transparency report shows battle against misinformation
Statistics for YouTube community guidelines enforcement are now available for the period April to June 2022, via Google's Transparency Report. YouTube channels are terminated if they accrue three community guideline strikes in 90 days, have a case of severe abuse (predatory behaviour, for example), ...
How to set up an Android for your kids
Last week, we gave you some tips on how you can set up a new iPhone for your child to use as they start this school year. Today, we'll look at doing the same for Android phones. Setting up an Android isn't very different from setting up an iPhone as both platforms follow a similar logic to making...
Warning issued about Vice Society ransomware targeting the education sector
The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have released a joint Cybersecurity Advisory (CSA) after observing Vice Society threat actors disproportionately targeting the...
Sextortionists used mobile malware to steal nude videos, contact lists from victims
In an international police operation supported by Interpol, law enforcement agencies have uncovered and dismantled an international sextortion ring that managed to extract at least US$ 47,000 from victims. Sextortion is a form of cybercrime in which the victim is blackmailed by threatening to mak...
Instagram receives record fine of $400M for abuse of children's data
Ireland's Data Protection Commissioner (DPC), the lead regulator in Europe for Meta and other tech giants, has slapped Instagram with a fine of €405M--roughly equivalent to $402M--following an investigation on how the company handled children's data. In the investigation that started in 2020, the D...
YouTuber on the run after allegedly swiping $55m from followers
We mostly hear about bogus advertising and offers via compromised accounts on Instagram or Facebook. Strict advertising rules on social media involve making it clear that someone is promoting an ad or offering up a risky venture. However, sometimes things go wrong on other platforms like YouTube...
Don't share the WhatsApp 'Martinelli' phone hacking alert: It's a hoax
Everyone loves a good campfire story prone to exaggeration. However, when told online it's not quite got the same effect. Long ago, sites like Myspace would play host to very certain types of messages. "Don't open this post from Johnny Cyberhack, or your account will be stolen and your C drive will...
Update now! QNAP warns users DeadBolt is exploiting Photo Station vulnerability
QNAP (Quality Network Appliance Provider) has warned users to update Photo Station to the latest available version. The warning comes after QNAP detected that cybercriminals known as DeadBolt have been exploiting a Photo Station vulnerability in order to encrypt QNAP NAS systems that are directly...
Zero-day puts a dent in Chrome's mojo
On Friday, Google announced the release of a new version of its Chrome browser that includes a security fix for a zero-day tracked as CVE-2022-3075. As with previous announcements, technical details about the vulnerability won't be released until a certain number of Chrome users have already...
Microsoft will disable Basic authentication for Exchange Online in less than a month
Microsoft has posted a reminder on the Exchange Team blog that Basic authentication for Exchange Online will be disabled in less than a month, on October 1, 2022. The first announcement of the change stems from September 20, 2019. With so much warning you might expect organizations to be ready, a...
Phishers use verified status as bait for Instagram users
Another Instagram phish is doing the rounds, and will appeal to a wide variety of platform users. Bleeping Computer reports that verified status is once again being dangled as bait. The "importance" of being verified: Being verified gives the impression of status, or importance, on social media...
A week in security (August 29 - September 4)
Last week on Malwarebytes Labs: Twilio data breach turns out to be more elaborate than suspected; Playing Doom on a John Deere tractor with Sick Codes: Lock and Code S03E18; Chromium browsers can write to the system clipboard without your permission; British Airways customers targeted in lost luggag...
Apple releases security update for iPhones and iPads to address vulnerability
Apple has released a security update for iOS 12.5.6 to patch a remotely exploitable WebKit vulnerability that allows attackers to execute arbitrary code on unpatched devices. The WebKit zero-day that is known as CVE-2022-32893 was fixed for iOS 15.6.1, iPadOS 15.6, and macOS Monterey 12.5.1 on...
TikTok vulnerability could have allowed hijackers to take over accounts
Microsoft has released a detailed rundown of an issue, now fixed, which was potentially dangerous for users of TikTok. The problem, flagged as a "high-severity vulnerability" by Microsoft, required several steps chained together in order to function. Attackers making use of it could have...
What is a keylogger?
A blog post published earlier this year posed the question "Is Grammarly a keylogger?" I have personally had people reference that post and ask me to add detection of Grammarly to Malwarebytes. The answer has always been, "no." Whether or not you like what Grammarly does, Grammarly is not a...
Data broker sued for allegedly selling individuals' sensitive location data
The Federal Trade Commission (FTC) has sued data broker Kochava for allegedly selling information that would allow for individuals' whereabouts to be traced to sensitive locations. The information included location data from hundreds of millions of phones, including sensitive locations that could be...
Controversial Kids' Code aims to keep children safe online
California has passed a bill designed to make the internet a safer place for children. The bill, commonly referred to as the "Kids Code", has been passed by the State Senate. If signed by Gov. Gavin Newsom, it will spring into life. What is it, and how is it designed to help children be safe...
Malwarebytes receives highest rankings in recent third-party tests
Malwarebytes Endpoint Protection continues to receive outstanding results in third-party testing. Our recent participation in two highly-regarded industry evaluations, namely MRG-Effitas and Info-Tech's Data Quadrant Report, reflects our belief that continual testing and unbiased validation are...
James Webb telescope images used to hide malware
A rather unique approach to spread malware using the popularity of the James Webb telescope images has been identified by the Securonix threat research team. The malware is being spread by a phishing campaign that includes a Microsoft Office attachment. Similar to traditional Office macros, the...
How to set up an iPhone for your kids
Thanks to Thomas Reed for his expertise and guidance. This is it. After much hemming and hawing, you've finally given in and bought your child their first smartphone, which you plan to give to them before the school year starts. But before you give it to them, it's worth sitting them down to talk...
Final Fantasy 14 players targeted by QR code phishing
Final Fantasy 14, the smash-hit online role playing game, is under fire from scammers. The attack is a devious way to try and compromise player accounts, making use of free item promises and bogus QR codes. As the game is a constantly changing service, it's almost impossible to keep up with new...
British Airways customers targeted in lost luggage Twitter scam
Getting back into the travel habit? Jumping on a plane soon? Experienced a bit of a luggage disaster and looking for help on social media? Watch out, because a lack of prior research could prove very costly. Word has spread of a bogus Twitter account pretending to be a customer support channel of...
Chromium browsers can write to the system clipboard without your permission
If you are a user of Google Chrome or any other Chromium-based web browser, then websites may push anything they want to the operating system's clipboard without your permission or any user interaction. This means that by simply visiting a website, the data on your clipboard may be overwritten...
Playing Doom on a John Deere tractor with Sick Codes: Lock and Code S03E18
In 1993, the video game developers at id Software released Doom, a first-person shooter that placed a nameless protagonist into the fiery depths of hell, equipped with an arsenal of weapons to mow down imps, demons, lost souls, and the intimidating "Barons of Hell." In 2022, the hacker Sick Codes...
Twilio data breach turns out to be more elaborate than suspected
Earlier this month, messaging service Twilio got compromised by a sophisticated social engineering attack. After deploying phishing attacks against company employees, hackers were able to access user data, but now it seems that the impact of the hack was more elaborate than originally assumed. In...
A week in security (August 22 - August 28)
Last week on Malwarebytes Labs: Cryptojackers growing in numbers and sophistication; CISA wants you to patch these actively exploited vulnerabilities before September 8; Reddit users crowdsourcing explicit images and identities; Criminals socially engineer their way to bank details with fake arrest...
Adware found on Google Play — PDF Reader serving up full screen ads
A PDF reader found on Google Play with over one million downloads is aggressively displaying full screen ads, even when the app is not in use. More specifically, the reader is known as PDF reader - documents viewer, package name com.document.pdf.viewer. As a result, this aggressive behavior lands...
Source code of password manager LastPass stolen by attacker
In a security incident notice from LastPass, the company informed the public that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account. There is no evidence that this incident involved any access to customer dat...
Exploits and TrickBot disrupt manufacturing operations
September 2021 saw a huge spike of exploit detections against the manufacturing industry, with a distributed spread between California, Florida, Ohio, and Missouri. This is combined with heavy detections of unseen malware, identified through our AI engine, spiking in May as well as September 2021...
Introducing Patch Management for OneView
We're thrilled to announce our Patch Management module for OneView, which is paired alongside our Vulnerability Assessment module to help you uncover vulnerabilities, respond to threats, and keep your customers productive and safe. Vulnerability identification and system patching are critical to...
Update now! GitLab issues critical security release for RCE vulnerability
GitLab has released versions 15.3.1, 15.2.3, 15.1.5 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important security fixes, and it's recommended that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the...
Binance chief says a “sophisticated hacking team” turned him into a deepfake hologram
Deepfakes are back, and causing major problems for people involved in financial circles. Scammers have been targeting people in the cryptocurrency community for some time now. There's huge money to be made via the act of ripping folks off. Some of it is phishing, other attacks focus on breaking in...
Twitter security under scrutiny after former executive turns whistleblower
A former Twitter executive has acted as a whistleblower and alleged some serious problems. Provided these accusations are true, the disclosure shows a side of Twitter that poses a threat to its own users' personal information, to company shareholders, to national security, and to democracy...
ChromeOS vulnerability found by Microsoft
Microsoft recently released a report about a ChromeOS remote memory corruption vulnerability. The issue has already been fixed. In fact, it was reported to Google in April. The fix was applied shortly after, and released on June 15. The resulting deep-dive from Microsoft is a fascinating look at...
Reset your password now! Plex suffers data breach
In an email sent to its users, Plex has revealed that a cybercriminal accessed some customer data, including emails and encrypted passwords. From the email that was sent out by the Plex security team: Yesterday, we discovered suspicious activity on one of our databases. We immediately began an...
How to secure a Mac for your kids
If you want to know how to secure your Mac so your kids can use it safely, I can help. In 2018 I decided to give my kids an old Apple laptop to share, and I documented the steps I took to secure it. They were still a few years short of their tenth birthdays, and it was their first computer, so I...