Update now! Apple patches two zero-day vulnerabilities that may have been actively exploited
Apple has released security updates for macOS Monterey 12.3.1, iOS 15.4.1, iPadOS 15.4.1, tvOS 15.4.1, and watchOS 8.5.1. The update patches two vulnerabilities about which the advisory states that Apple is aware of a report that this issue may have been actively exploited for both vulnerabilitie...
Hive ransomware impacts California non-profit health organisation
Ransomware authors are once again targeting health services, holding important files to ransom and impacting potentially vital services. On this occasion, the victims are a non-profit organisation assisting people with their healthcare needs in California. When Hive ransomware strikes The victim,...
MITRE ATT&CK® Evaluation results: Malwarebytes’ efficiency, delivered simply, earns high marks
Cybersecurity can be complex work, as security teams need to regularly decipher and prioritize alerts, protect against daily threats, and possibly implement product configuration changes, all while staying abreast of the latest intelligence on new and evolving threats. For organizations that lack...
Phishers make a date with your calendar apps
Calendars are a rich source of bad behaviour for scammers and spammers. They’re one of the most prolific tools the workplace has for collaborative actions and general cross-purpose messaging. They’ve been misused by bad actors for many years now, most commonly spamming unwary potential victims an...
Tech support scam campaign targets Japanese visitors to PornHub
The Malwarebytes Threat Intelligence team has identified a malvertising campaign targeting Japanese users. The campaign they discovered was found to be using a cloaking technique to lure visitors of popular adult site PornHub to a decoy site at the domain mixhd.club. Cloaking Cloaking is a method...
URI spoofing flaw could phish WhatsApp, Signal, Instagram, and iMessage users
Update: We were informed by Sick Codes that, although Signal already has a fix for this URI flaw here, it hasn't been pushed out to market yet. We'll further update this post once there is new development. There's a flaw in the way many of the world's most popular messaging and email platforms—such a...
Ukraine shuts down disinformation bot farm
Given current world events, there’s an incredible amount of misinformation and disinformation around at the moment. Whether we’re talking 5G, the pandemic, vaccines, or invasions, there’s a lot out there. One of the biggest problems where bad information placed online is concerned is bot farms. A...
Update now! Google launches Chrome version 100 and fixes 28 vulnerabilities
Google has launched Chrome version 100 which, among other things, fixes 28 vulnerabilities. Other new security features include Safety Check, Enhanced Safe Browsing, and the ability to control website access to your location and device. Of the 28 vulnerabilities, none have been marked as critical...
“A little gift for you” SMS spam appears to come from your own phone number
If you've received a spam SMS message sent from your own phone number, don't panic. No, you weren't hacked. And you're not the only one who has received such a message, which looks a bit like this: A colleague received this same spam SMS message that has been going around more frequently these past f...
Watch out for LinkedIn fakes who want to get connected
Despite continued warnings of deepfake chaos during major events, things haven’t worked out the way some thought. Those video deepfakes are bad, and they remain bad. Quite simply, nobody is fooled - or at least, nobody able to make a mistaken snap judgement in a way that matters. As much as we ov...
New spear phishing campaign targets Russian dissidents
This blog post was authored by Hossein Jazi. -- Updated to clarify the two different campaigns Cobalt Strike and Rat Several threat actors have taken advantage of the war in Ukraine to launch a number of cyber attacks. The Malwarebytes Threat Intelligence team is actively monitoring these threats...
Attacks on Ukraine communications are a major part of the war
Since the start of the Russian invasion of Ukraine, the war on the battlefield has been accompanied by cyber attacks. Those attacks against critical infrastructure have knocked out banking and defense platforms, mostly by targeting several communication systems. In a timeline set up by NetBlocks,...
Looking over your shoulder: when small mistakes have big consequences
People up to no good get themselves caught in an endless number of ways. This has always been the case in the real world, and continues to be true online. No matter how talented, how daring the schemes, greed and the desire for fame often win out. This has disastrous consequences for those caught...
Satellites are critical infrastructure and need to be cybersecured
In the context of this article we will use the term satellite for a machine that is launched into space and moves around Earth. And there might be a lot more of them than you would expect—this live map tracks a huge number of satellites. Originally most of earth’s satellites were launched for...
Telling stories securely, with Runa Sandvik: Lock and Code S03E07
In 2017, a former NSA contractor named Reality Winner was arrested for allegedly leaking an internal report to the online news outlet The Intercept. To verify the report itself, a journalist for The Intercept sent an image of the report to the NSA, but upon further inspection, it was revealed tha...
Update now! Google releases emergency patch for Chrome zero-day used in the wild
Google has urged its 3 billion+ users to update to Chrome version 99.0.4844.84 for Mac, Windows, and Linux to mitigate a zero-day that is currently being exploited in the wild. This is in response to a bug reported by an anonymous security researcher last week. The flaw, which is tracked as...
Tech support fraud is still very much alive, says latest FBI report
The FBI’s Internet Crime Complaint Center (IC3) has released its annual report. In 2021, IC3 continued to receive a record number of complaints from the American public: 847,376 reported complaints, which was a 7% increase from 2020, with potential losses exceeding $6.9 billion. Among the complaint...
A week in security (March 21 – 27)
Last week on Malwarebytes Labs: Anti-war open-source software developer targets Russians and Belarussians with “protestware” Elden Ring exploit traps players in infinite death loop Update now! Many HP printers affected by three critical security vulnerabilities White House urges US businesses:...
Anti-war open-source software developer targets Russians and Belarussians with “protestware”
Russia is in the midst of its fourth week of attack against Ukraine. People worldwide have been increasingly and passionately showing support for Ukrainians since day one while condemning the atrocities of Russian President Vladimir Putin, the Russian military, and Belarus, its allied country...
Elden Ring exploit traps players in infinite death loop
Back in January, we wrote about how the Dark Souls games had their online components switched off for PC gamers. This is because someone figured out how to execute code remotely on the target’s PC. Given that the multiplayer angle of Souls games is rather important, this was quite a body blow for...
Update now! Many HP printers affected by three critical security vulnerabilities
In two security advisories, HP has alerted users to the existence of security vulnerabilities in several of its printer models. In total, four vulnerabilities were patched, but three of those vulnerabilities are rated critical, and all of them can lead to remote code execution (RCE) when exploited...
White House urges US businesses: Protect against potential Russian cyberattacks
On Monday, the White House told US business leaders to toughen up their cybersecurity defenses against a potential cyberattack from Russia. "The Biden-Harris Administration has warned repeatedly about the potential for Russia to engage in malicious cyber activity against the United States in...
Okta admits 366 customers may have been impacted by LAPSUS$ breach
Through its usual means of communication, its Telegram channel, the LAPSUS$ group has posted screenshots of what appears to be superuser access to the Okta management console. As such, the group claims to have acquired "superuser/admin" access to Okta.com and gained access to Okta's customer data,...
A new rootkit comes to an ATM near you
It's not unusual to hear about malware created to affect automated teller machines (ATMs). Malware can be planted at the ATM's PC or its network, or attackers could launch a Man-in-the-Middle (MiTM) attack. Recently, a new rootkit, which the Mandiant Advanced Practices team have named CAKETAP, was foun...
Facebook users wary of security mail find themselves locked out of accounts
It’s not unusual for sites and services to offer additional forms of protection on top of regular security features. Some of the bigger ones even go the extra mile, protecting from attacks up to a potential nation state level. The most famous example of this recently is likely Google. Its Advance...
Fake Esports voting sites looking to phish Steam users
We’ve seen Esports occasionally become the focus of gaming or Steam scams. One particular tactic of note was to claim joining an official league is an easy process. Links to third-party hosted files would offer up a supposedly cracked ESEA Esports league client. In reality, it was a data stealing...
AvosLocker ransomware uses Microsoft Exchange Server vulnerabilities, says FBI
The FBI has issued an advisory about the AvosLocker ransomware. Notably the FBI has noticed that several victims have reported Microsoft Exchange Server vulnerabilities as the intrusion vector. AvosLocker is a Ransomware as a Service (RaaS) affiliate-based group that has targeted victims across...
Facebook phish claims “Someone tried to log into your account”
Watch out for bogus Facebook phishing messages winging their way to your mailbox. The ruse is quite simple: The mail senders are relying on the recipient’s sense of panic to respond without thinking about it. The mail looks professional enough, and seeks to imitate what would be a fairly typical...
A week in security (March 14 – 20)
Last week on Malwarebytes Labs: Beware of this bogus and phishy “Instagram Support” email Meet Exotic Lily, access broker for ransomware and other malware peddlers Double header: IsaacWiper and CaddyWiper How to protect RDP Online Safety Bill’s provisions for “legal but harmful” content described...
Beware of this bogus (and phishy) “Instagram Support” email
Recently, a fake Instagram email successfully bypassed Google's email filters and made it into hundreds of employee inboxes used by a prominent US life insurance company based in New York. This was revealed in a report by Armorblox, a cybersecurity company specializing in stopping business email...
Meet Exotic Lily, access broker for ransomware and other malware peddlers
The Google Threat Analysis Group (TAG) has shared their observations about a group of cybercriminals called Exotic Lily. This group has specialized itself as an initial access broker, which means they find a vulnerability in an organization's defenses, exploit that vulnerability, and sell the access...
Double header: IsaacWiper and CaddyWiper
As war in Ukraine rages, new destructive malware continues to be discovered. In this short blog post, we will review IsaacWiper and CaddyWiper, two new wipers that do not have much in common based on their source code, but with the same intent of destroying targeted Ukrainian computer systems...
How to protect RDP
You didn’t really think that the ransomware wave was coming to an end, did you? You may be tempted to think so, given the decline in reports about massive ransomware campaigns. Don't be fooled. Over the last five years, one of the primary attack vectors for ransomware attacks has been the Remote...
Online Safety Bill’s provisions for “legal but harmful” content described as “censor’s charter”
The UK's Online Safety Bill, a landmark piece of legislation that aims to regulate the country's online content, has just been introduced into Parliament after undergoing significant revisions. The bill has been in progress for about five years and its main objective is to regulate online...
Deepfake Zelenskyy video surfaces on compromised websites
It’s been a long time coming. The worry over deepfake technology being used during times of major upheaval has been alluded to frequently over the last couple of years. The buildup to the US election was peppered by “any moment now…” style warnings of dramatic and plausible deepfake deployment. I...
Gh0stCringe RAT makes database servers squeal for protection
Researchers have found that the Gh0stCringe RAT is infecting Microsoft SQL and MySQL, and seems to focus on servers with weak protection. The Gh0stCringe RAT communicates with a command and control (C&C) server to receive instructions and is capable of exfiltrating information. SQL SQL is short for...
Clouding the issue: what cloud threats lie in wait in 2022?
As more services move ever cloud-wards, so too do thoughts by attackers as to how best exploit them. With all that juicy data sitting on someone else’s servers, it’s essential that they run a tight ship. You’re offloading some of your responsibility onto a third party, and sometimes things can go...
FBI catches up with one of its Most Wanted, arrests head of advance-fee crime network
Some don't mind putting extra effort into making their crime appear as legitimate as possible by perpetuating more lies as long as they are guaranteed money in the end. Osondu Victor Igwilo is one such Nigerian scammer. The "catchers" 52-year-old Igwilo has been on the Federal Bureau of...
“Threatening and coercive” cold-callers who targeted the elderly hit with big fines
Every so often, fines hit the news as a result of phone/communication spam. Much of it targets older members of society. Sometimes folks say these calls are “just” irritants and nothing to particularly worry about. But it can be really serious, resulting in big chunks of people’s savings being...
CafePress faces $500,000 fine for data breach cover up
The US Federal Trade Commission (FTC) has announced that it took action against online customized merchandise platform CafePress over allegations that it failed to secure consumers’ sensitive personal data and covered up a major breach. CafePress is a popular online custom T-shirt and merchandise...
Valorant cheats on YouTube are actually information-stealing malware
Valorant, the popular free-to-play team based shooter, is attracting the attention of scammers. It’s reported that a malware distribution campaign is leveraging YouTube to push infection files. The campaign distributes a file known for password theft, and hunts for those passwords in browsers,...
Fake Royal Mail chatbot offers up…a new iPhone?
Royal Mail scams are always popular techniques for people up to no good. We’ve covered them several times over the last year or so. A quick reminder: Your parcel is waiting for delivery This is the go-to tactic for fake Royal Mail phishing attacks. You receive a text claiming there’s a parcel in...
Escobar is the new Android banking Trojan we’ve met before
Aberebot, a known Android banking Trojan, has changed its name and returned loaded with new features. First spotted by @MalwareHunterTeam in early March, this mobile variant was renamed "Escobar"—a homage to the Colombian drug baron—and disguised itself as a McAfee app. It went by the package nam...
DDoS barrage against Israel described as the “largest ever” cyberattack it's faced
Several government websites in Israel—those using the .gov.il domain—were inaccessible after a distributed denial of service (DDoS) attack hit Israel's telecommunication provider, Cellcom. NetBlocks, a network disruption watchdog, initially detected "a significant disruption" aimed at the provider,...
Update now! Apple fixes several serious vulnerabilities in iOS and macOS
Apple has released patches for macOS Monterey 12.3, iOS 15.4 and iPadOS 15.4. In these security updates, released on March 14, 2022, Apple tackles 39 vulnerabilities, several of which could allow an attacker to execute arbitrary code on an affected device. One of the vulnerabilities can be...
Stolen Nvidia certificates used to sign malware—here’s what to do
As we wrote on March 3, 2022, Nvidia was recently attacked by the LAPSUS$ ransomware group. The ensuing data leak included two of NVIDIA’s code signing certificates. Those certificates are now being used to sign malware. Leaked signing certificates from major vendors like Nvidia come with huge...
De-Googling Carey Parker’s (and your) life: Lock and Code S03E06
Three years ago, a journalist for Gizmodo named Kashmir Hill wanted to understand what life was like without "Big Tech." Far from a "digital detox" retreat—the kind of which were popular with exceedingly plugged-in, very online types of mid-20s and early-30s folks—Hill's experiment with technology...
CISA list of 95 new known exploited vulnerabilities raises questions
On Friday March 3, the Cybersecurity and Infrastructure Security Agency (CISA) added a whopping number of 95 new known exploited vulnerabilities to its Known Exploited Vulnerabilities Catalog. This catalog provides Federal Civilian Executive Branch (FCEB) agencies with a list of vulnerabilities that...
A week in security (March 7 – March 13)
Last week on Malwarebytes Labs: The struggle to reduce bug-fixing time is real Update now! Mozilla patches two actively exploited vulnerabilities Google takes on Docs notification spammers When fake dating profiles try the military approach Azure AutoWarp brings automation headaches RagnarLocker...
Blunting RDP brute-force attacks with rate limiting
Thanks to the Malwarebytes Threat Intelligence Team for the information they provided for this article. Not long ago, guessing a Windows Remote Desktop Protocol (RDP) password successfully was widely regarded as ransomware operators' number one choice for breaching a target. It attracted a lot of...