A week in security (May 23 – 29)
Last week on Malwarebytes Labs: Update now! Nvidia released fixes for 10 flaws in Windows GPU drivers Chicago students lose data to ransomware attackers Hunting down your data with Whitney Merrill: Lock and Code S03E11 Unknown APT group has targeted Russia repeatedly since Ukraine invasion Zero-d...
Twitter fined $150M after using 2FA phone numbers for marketing
The Federal Trade Commission (FTC) and the Department of Justice (DOJ) have ordered Twitter to pay a $150M penalty for using users' account security data deceptively. The deception violates an FTC order from 2011 that bars Twitter from "misleading consumers about the extent to which it protects the...
Firefox, Thunderbird, receive patches for critical security issues
Mozilla has published updates for two critical security issues in Firefox and Thunderbird, demonstrated during Pwn2Own Vancouver. The vulnerabilities, discovered in the Firefox JavaScript engine (shared by the Firefox-based Tor browser), relate to Firefox 100.0.2, Firefox for Android 100.3.0, and...
ChromeLoader targets Chrome Browser users with malicious ISO files
If you’re on the hunt for cracked software or games, be warned. Rogue ISO archive files are looking to infect your systems with ChromeLoader. If you think campaigns such as this only target Windows users, you’d sadly be very much mistaken. The attack sucks in several operating systems and even us...
Watch out! Tinder and Grindr users targeted by cruel scammers using real abuse photos
A horrible catfishing scam is using real abuse photos in order to lure in unsuspecting victims on sites like Tinder and Grindr. Recently unearthed by Bleeping Computer, it works like this: Boy meets good-looking girl on dating site. The longer they talk, boy notices the conversation turning into ...
If you get an email saying “Item stopped due to unpaid customs fee”, it’s a fake
Our spam traps recently caught a phishing scam that neatly illustrates some of the tactics scammers use routinely to avoid both human intuition and automatic detection. The scam starts with an unsolicited email, of course… The scam email is ostensibly from the Post Office, an instantly...
Eerie GoodWill ransomware forces victims to publish videos of good deeds on social media
Ransomware does what the name implies: holds your files or network to ransom. Pay the authors, typically in cryptocurrency, and you may get your files back. Refuse, and the files could be lost forever or even leaked to the far corners of the net. Sometimes creators of ransomware try different...
Massive increase in XorDDoS Linux malware in last six months
Microsoft says it's recorded a massive increase in XorDDoS activity (254 percent) in the last six months. XorDDoS, a Linux Trojan known for its modularity and stealth, was first discovered in 2014 by the white hat research group MalwareMustDie (MMD). MMD believed the Linux Trojan originated in China...
How the Saitama backdoor uses DNS tunnelling
Thanks to the Malwarebytes Threat Intelligence Team for the information they provided for this article. Understandably, a lot of cybersecurity research and commentary focuses on the act of breaking into computers undetected. But threat actors are often just as concerned with the act of breaking o...
Update now! Multiple vulnerabilities patched in Google Chrome
Google has announced an update for the Chrome browser that includes 32 security fixes. The severity rating for one of the patched vulnerabilities is Critical. The stable channel was promoted to 102.0.5005.61/62/63 for Windows, and 102.0.5005.61 for Mac and Linux. Critical Google rates...
Instagram verification services: What are the dangers?
Instagram, like other social platforms, has a verification system for high profile accounts. A verified badge means Instagram has confirmed that the account is the authentic presence of a public figure, celebrity or brand. Have you ever wanted to get your own account verified? We noticed a large...
General Motors suffers credential stuffing attack
American car manufacturer General Motors (GM) says it experienced a credential stuffing attack last month. During the attack, customer information and reward points were stolen. The subject of the attack was an online platform, run by GM, to help owners of Chevrolet, Buick, GMC, and Cadillac vehicle...
Zero-day vulnerabilities in Chrome and Android exploited by commercial spyware
The Google Threat Analysis Group (TAG) has revealed that of the nine zero-day vulnerabilities affecting Chrome, Android, Apple and Microsoft that it reported in 2021, five were in use by a single commercial surveillance company. Did I hear someone say Pegasus? An educated guess, but wrong in this...
Unknown APT group has targeted Russia repeatedly since Ukraine invasion
An unknown Advanced Persistent Threat (APT) group has targeted Russian government entities with at least four separate spear phishing campaigns since late February 2022. The campaigns, discovered by the Malwarebytes Threat Intelligence team, are designed to implant a Remote Access Trojan (RAT) that...
Hunting down your data with Whitney Merrill: Lock and Code S03E11
Depending on where you live, you can ask a company to hand over all the data it has collected about you and, in a matter of weeks as mandated by law, that company has to fork that information over. Whether the company will abide on time, however, is a different story. In the European Union, the...
Chicago students lose data to ransomware attackers
Chicago Public Schools (CPS) disclosed on Friday that students may have had their data taken in a ransomware incident involving one of its vendors. The ransomware attack happened last December at Battelle for Kids (BfK), based in Columbus, Ohio, which develops services to provide innovation in schools...
Update now! Nvidia released fixes for 10 flaws in Windows GPU drivers
Multiple NVIDIA graphics card models have been found to have flaws in their GPU drivers, with six medium- and four high-severity ratings. Last Monday, the company released a software security update for the NVIDIA GPU Display Driver to address the vulnerabilities. If exploited, they could lead to denia...
A week in security (May 16 – 22)
Last week on Malwarebytes Labs: Fake reCAPTCHA forms dupe users via compromised WordPress sites How COVID-19 fuelled a surge in malware Why MRG-Effitas matters to SMBs “Look what I found here” phish targets Facebook users AirTag stalking: What is it, and how can I avoid it? Long lost @ symbol get...
Why you should act like your CEO’s password is “qwerty”
A poor password at the highest levels of an organisation can cost a company millions in losses. Recent findings show that half of IT leaders store passwords in shared documents. On top of that, it seems that folks at executive level are not picking good passwords either. Researchers from NordPass...
How iPhones can run malware even when they’re off
Most people think that turning off their iPhone - or letting the battery die - means that the phone is, well, off. The thing is, this isn't quite true. In reality, most of the phone's functionality has ended, but there are components that mindlessly continue a zombie-like existence, for the most pa...
Cardiologist moonlighted as successful ransomware developer
The US has charged a 55-year-old French-Venezuelan cardiologist from Venezuela with "attempted computer intrusions and conspiracy to commit computer intrusions". This was revealed in an unsealed complaint in a federal court in Brooklyn, New York. Moises Luis Zagala Gonzales worked as a ransomware...
VMWare vulnerabilities are actively being exploited, CISA warns
The Cybersecurity & Infrastructure Security Agency has issued an Emergency Directive (ED 22-03) and released a Cybersecurity Advisory (CSA) about ongoing and expected exploitation of multiple vulnerabilities in several VMware products. Chaining unpatched VMware vulnerabilities The title of the...
10 ways attackers gain access to networks
A joint multi-national cybersecurity advisory has revealed the top ten attack vectors most exploited by cybercriminals in order to gain access to organisation networks, as well as the techniques they use to gain access. The advisory cites five techniques used to gain leverage: 1. Public facing...
Sysrv botnet is out to mine Monero on your Windows and Linux servers
In a Twitter thread, the Microsoft Security Intelligence team have revealed new information about the latest versions of the Sysrv botnet. The variant they focused on uses a range of known exploits for vulnerabilities in web apps and databases to install cryptocurrency miners on both Windows and...
Car owners warned of another theft-enabling relay attack
Tesla owners are no strangers to seeing reports of cars being tampered with outside of their control. Back in 2021, a zero-click exploit aided a drone in taking over the car's entertainment system. In 2016, we had a brakes and doors issue. 2020 saw people rewriting key-fob firmware via Bluetooth...
Update now! Apple patches zero-day vulnerability affecting Macs, Apple Watch, and Apple TV
Apple has released security updates for a zero-day vulnerability that affects multiple products, including Mac, Apple Watch, and Apple TV. The flaw is an out-of-bounds write issue—tracked as CVE-2022-22675—in AppleAVD, a decoder that handles specific media files. An out-of-bounds write or read fl...
Gmail-linked Facebook accounts vulnerable to attack using a chain of bugs—now fixed
A security researcher has disclosed how he chained together multiple bugs in order to take over Facebook accounts that were linked to a Gmail account. Youssef Sammouda states it was possible to target all Facebook users but that it was more complicated to develop an exploit, and using Gmail was...
Long lost @ symbol gets new life obscuring malicious URLs
Threat actors have rediscovered an old and little-used feature of web URLs, the innocuous @ symbol we usually see in email addresses, and started using it to obscure links to their malicious websites. Researchers from Perception Point noticed it being used in a cyberattack against multiple...
AirTag stalking: What is it, and how can I avoid it?
More voices are being raised against the use of everyday technology repurposed to attack and stalk people. Most recently, it's reported that Ohio has proposed a new bill in relation to electronic tagging devices. The bill, aimed at making short work of a loophole allowing people with no stalking o...
“Look what I found here” phish targets Facebook users
Facebook-themed messages are a frequent source of bogus links from both spam and compromised accounts. Whether you receive the messages via SMS, the Messenger app, or just inside regular web chat, it pays to be careful. A wide variety of attacks use bogus messages as their launchpad, and the risk...
Why MRG-Effitas matters to SMBs
When selecting the right cybersecurity vendor to protect their operations, small- and medium-sized businesses (SMBs) can lean on several third-party research organizations that analyze which cybersecurity products can best prevent, detect, and clean up various types of cyberattacks today. But these...
How COVID-19 fuelled a surge in malware
2021 saw a massive surge in detections of malware, adware, and Potentially Unwanted Programs (PUPs). It didn't matter what the computers were used for or what operating system they ran—across business and home computers, on Windows and on Mac, detections went up, enormously. Detections of malware on...
Fake reCAPTCHA forms dupe users via compromised WordPress sites
Researchers at Sucuri investigated a number of WordPress websites complaining about unwanted redirects and found websites that use fake CAPTCHA forms to get the visitor to accept web push notifications. These websites are a new wave of a campaign that leverages many compromised WordPress sites...
A week in security (May 9 – 15)
Last week on Malwarebytes Labs: How to spot the signs of a virtual kidnap scam Virtual credit cards coming to Chrome: What you need to know Clearview AI banned from selling facial recognition data in the US Cyberattacks on SATCOM networks attributed to Russian threat actors F5 BIG-IP vulnerabilit...
Custom PowerShell RAT targets Germans seeking information about the Ukraine crisis
This blog post was authored by Hossein Jazi and Jérôme Segura. Populations around the world—and in Europe in particular—are following the crisis in Ukraine very closely, and with events unfolding on a daily basis, people are hungry for information. Although all countries have reasons to be...
How to spot the signs of a virtual kidnap scam
Threats and bluster play a key role in most online attacks: Ransomware has its ransom note; trolls threaten to ramp up the pressure; tech support scammers insist your PC needs urgent assistance. Some take it a step further, leaning in with a more direct approach, ranging from death threats to...
Virtual credit cards coming to Chrome: What you need to know
When you're buying things online, reducing the exposure of payment details during transactions is one way to help reduce the risk of data theft. If you can hide this payment data and switch it out for something else entirely, even better. Google is proposing to do just that for customers in the US...
Clearview AI banned from selling facial recognition data in the US
Clearview AI, a facial recognition software and surveillance company, is permanently banned from selling its faceprint database within the United States. The company also cannot sell its database to state and law enforcement entities in Illinois for five years. This is a historic win for the...
Cyberattacks on SATCOM networks attributed to Russian threat actors
The Cybersecurity & Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have updated their joint cybersecurity advisory, Strengthening Cybersecurity of SATCOM Network Providers and Customers, originally released March 17, 2022, with US government attribution to Russian...
F5 BIG-IP vulnerability is now being used to disable servers
As we reported a few days ago, an F5 BIG-IP vulnerability listed as CVE-2022-1388 is actively being exploited. But now researchers have noticed that attackers aren't just taking control of the vulnerable servers but also making them unusable by destroying the device's file system. F5 BIG-IP The...
College closes down after ransomware attack
Lincoln College, one of the few rural schools in Illinois, said that it will permanently close on Friday, May 13, after 157 years, partly due to the impacts of the COVID-19 pandemic and partly due to a long recovery after a ransomware attack in December 2021. The institution notified the Illinois...
Update now! Microsoft releases patches, including one for actively exploited zero-day
Microsoft has released patches for 74 security problems, including fixes for seven "critical" vulnerabilities, and an actively exploited zero-day vulnerability that affects all supported versions of Windows. First, we'll look at the actively exploited zero-day. Then we'll discuss two zero-days that...
Canon printer owners: Be careful of bogus driver download sites
Think of all the really common, very mundane things you search for of a tech nature. Drivers. Scanners. Printers. A broken photocopier. USB sticks not recognised. Activating a streaming service which refuses to play ball. Some of the above have many issues already with bogus search engine results...
APT34 targets Jordan Government using new Saitama backdoor
On April 26th, we identified a suspicious email that targeted a government official from Jordan's foreign ministry. The email contained a malicious Excel document that drops a new backdoor named Saitama. Following our investigation, we were able to attribute this attack to the known Iranian actor...
Client side scanning may cost more than it delivers
On May 11, 2022, the EU will publicize a proposal for a law on mandatory chat control. The European Commission wants all providers of email, chat and messaging services to search for suspicious messages in a fully automated way and forward them to the police in the fight against child pornography...
“Chemical attack” email warnings deliver Jester Stealer malware
Jester Stealer, a malicious file capable of large amounts of data theft, is on the prowl again. The Ukrainian Computer Emergency Response Team (CERT-UA) has warned of a large distribution campaign abusing a "chemical attack" theme. Receiving an email like this in the invasion-affected regions of...
Costa Rica continues defence against sustained Conti ransomware attacks
It's not been plain sailing recently for Conti ransomware, the Ransomware as a Service (RaaS) group with several major attacks under its belt. In August last year, a pen tester leaked valuable manuals and documents related to the operation. These leaks continued as the Conti gang expressed support f...
Update now! F5 BIG-IP vulnerability being actively exploited
The Australian Cyber Security Centre (ACSC) has announced it is aware of the existence of Proof of Concept (PoC) code exploiting an F5 Security Advisory addressing multiple vulnerabilities in its BIG-IP product range. The vulnerability, listed as CVE-2022-1388, allows attackers to bypass authentication ...
Recovering from romance scams with Cindy Liebes: Lock and Code S03E10
Earlier this year, many members of the public were introduced to the facets of a long-ignored crime in cyberspace: The romance scam. A flashy documentary called The Tinder Swindler had premiered on Netflix, and in it, filmmakers documented the efforts of one man to manipulate several women into...
How to remove Google from your life
Swearing off a company used to be easier. Rude customer service, an unfortunate bout of food poisoning, even standing up for workers’ rights against the alleged involvement of a private company to order a country’s military to brutally quash a strike—almost every facet of an individual boycott...