Apple pulls Facebook enterprise certificate

It’s been an astonishing few days for Facebook. They've seen both an app and their enterprise certificate removed and revoked with big consequences. What happened? Apple issue enterprise certificates to organizations with which they can create internal apps. Those apps don’t end up released on th...

Analyzing a new stealer written in Golang

Golang Go is a relatively new programming language, and it is not common to find malware written in it. However, new variants written in Go are slowly emerging, presenting a challenge to malware analysts. Applications written in this language are bulky and look much different under a debugger fro...

Apple’s FaceTime privacy bug allowed possible spying

Social media caught fire yesterday as the news of a new Apple bug spread. It seemed that there was a flaw in FaceTime that allowed you to place a call to someone, but listen in on their microphone if they didn't pick up. Worse, as the news spread, it turned out that there was also a way to captur...

Interview with a malware hunter: Jérôme Segura

In our series "Interview with a malware hunter," our feature role today goes to Jérôme Segura, Malwarebytes’ Head of Threat Intelligence and world-renowned exploit kits researcher. The goal of this series is to introduce our readers to our malware intelligence crew by involving them in these Q&A...

A week in security (January 21 – 27)

Last week on the Malwarebytes Labs blog, we took a look at Modlishka, the latest hurdle in two-factor authentication 2FA, the potential for abuse of push notifications, a malware-phishing combo by the name of CryTekk ransomware, and why we detect PUPs, but enforce the power of users' choice. We...

What does ‘consent to tracking’ really mean?

Thanks to Jerome Boursier for contributions. Post GDPR, many social media platforms will ask end users to consent to some form of tracking as a condition of using the service. It's easy to make assumptions as to what that means, especially when the actual terms of service or data policy for the...

Sly criminals package ransomware with malicious ransom note

Ransomware continues to show signs of evolution. From a simple screen locker to a highly-sophisticated data locker, ransomware has now become a mainstream name, even if historically, it has been around far longer than we want to look back. Although the criminals behind ransomware campaigns are...

A user’s right to choose: Why Malwarebytes detects Potentially Unwanted Programs (PUPs)

Potentially Unwanted Programs PUPs: the name says it all. While the programs themselves might have legitimate uses, their vendors often use inappropriate methods to drive downloads or hide within a program bundle. At Malwarebytes, we feel we have an obligation to help protect our customers from...

2019 State of Malware report: Trojans and cryptominers dominate threat landscape

Each quarter, the Malwarebytes Labs team gathers to share intel, statistics, and analysis of the tactics and techniques made popular by cybercriminals over the previous three months. At the end of the year, we synthesize this data into one all-encompassing report—the State of Malware report—that...

Browser push notifications: a feature asking to be abused

“I’m seeing a lot of ads popping up in the corner of my screen, and the Malwarebytes scan does not show there is anything wrong. It says my computer is clean. So what's happening?” Our support team runs into questions like this regularly, but the volume seems to be increasing lately. In most of...

A week in security (January 14 – 20)

Last week on the Malwarebytes Labs blog, we took a look at how the government shutdown is influencing cybersecurity jobs, Advanced Persistent Threats group APT10, the comeback of Fallout EK, the hosting of malicious sites on legitimate servers, and the Collection 1 data breach. Other cybersecurit...

Has two-factor authentication been defeated? A spotlight on 2FA’s latest challenge

Multiple news reports about the defeat of two-factor authentication 2FA have been making rounds lately. In November 2018, our friends at ESET discovered a purported Android battery utility tool called “Optimization Android” from a third-party app store. This app was designed to steal money from a...

Collection 1 data breach: what you need to know

Yesterday, news broke that the largest data dump in history had been discovered, with more than 770 million people's Personally Identifiable Information PII decrypted, catalogued, and up for grabs on the Internet. The files, which are being dubbed Collection 1, were originally found on cloud...

Hosting malicious sites on legitimate servers: How do threat actors get away with it?

How do threat actors manage to get their sites and files hosted on legitimate providers’ servers? I have asked myself this question many times, and many times thought, “The threat actors pay for it, and for some companies, money is all that matters.” But is it really that simple? I decided to fin...

Improved Fallout EK comes back after short hiatus

Edit 2019-01-24 Fallout EK introduces a new dropper to facilitate the final payload retrieval. This update replaces the plain MZ we saw for a little while. -- After a short hiatus in early January, the Fallout exploit kit is back in business again with some new features for the new year. During i...

The Advanced Persistent Threat files: APT10

We've heard a lot about Advanced Persistent Threats APTs over the past few years. As a refresher, APTs are prolonged, aimed attacks on specific targets with the intention to compromise their systems and gain information from or about that target. While the targets may be anyone or anything—a...

How the government shutdown is influencing cybersecurity jobs

As of this writing, the government shutdown of 2019 is the longest ever in America. The only good news about this situation is that, with each passing day, a new group of people in the country seems to rediscover just how essential government services are, now that they're unavailable. The next...

A week in security (January 7 – 13)

Last week on the Malwarebytes Labs blog, we took a look at the Ryuk ransomware attack causing trouble over the holidays, as well as a ransom threat for an Irish transportation company. We explored the realm of SSN scams, and looked at what happens when an early warning system is attacked. Other...

Government shutdown impacts .gov websites, puts Americans in danger

If you are in the United States, then you likely already know that we are on our 24th day of a government shutdown. While it is considered a "partial" shutdown, there are still plenty of government workers who are furloughed, which impacts the services they run—both online and off. Last week,...

Luas data ransom: the hacker who cried wolf?

In a terrible start to the year for Irish tram firm Luas, their site was compromised a week ago and adorned with a stark ransom warning: Click to enlarge You are hacked. Some time ago I wrote that you have serious security holes. You didn’t reply. The next time someone talks to you, press the rep...

Social Security Number scammers are at it again

The Federal Trade Commission FTC once again sounded the alarm in mid-December about the latest Social Security Number SSN scam that continues to affect thousands of Americans. While most of us were only able to read about this type of scam in the past, the FTC now has an audio recording of an SSN...

Ryuk ransomware attacks businesses over the holidays

While families gathered for food and merriment on Christmas Eve, most businesses slumbered. Nothing was stirring, not even a mouse—or so they thought. For those at Tribune Publishing and Data Resolution, however, a silent attack was slowly spreading through their networks, encrypting data and...

Australia’s Early Warning Network compromised

An early warning network designed to notify subscribers about dangerous weather in Australia has been compromised. The hacker sent many bogus messages via phone, SMS, and email, telling users that the service had been hacked. Early Warning Network, a service used by local governments to send...

A week in security (December 31, 2018 – January 6, 2019)

Last week on Labs, we looked back at 2018 as the year of data breaches, homed in on pre-installed malware on mobile devices, and profiled a malicious duo, Vidar and GandCrab. Other cybersecurity news 2019's first data breach: It took less than 24 hours. An unauthorized third-party downloaded 30,0...

Vidar and GandCrab: stealer and ransomware combo observed in the wild

We have been tracking a prolific malvertising campaign for several weeks and captured a variety of payloads, including several stealers. One that we initially identified as Arkei turned out to be Vidar, a new piece of malware recently analyzed in detail by Fumik0 in his post: Let’s dig into Vidar...

The new landscape of pre-installed mobile malware: malicious code within

Here's a scary thought: Mobile devices may soon come with pre-installed malware on required system apps. While it might sound like a grim foretelling, pre-installed mobile malware is an unfortunate reality of the future. In the past, we’ve seen pre-installed malware with the notorious Adups threa...

2018: The year of the data breach tsunami

It’s tough to remember all of the data breaches that happened in 2018. But when you look at the largest and most impactful ones that were reported throughout the year, it paints a grim picture about the state of data security today. The consequences of major companies leaking sensitive data are...

Using the blockchain to create secure backups

“Oh no! I’ve got a ransomware notice on my workstation. How did this happen?” “Let’s figure that out later. First, apply the backup from a few minutes ago, so we can continue to work.” Now that wasn't so painful, was it? Having a rollback solution or a recent backup could make this ideal post...

Assessing the security of a portable router: a look inside its hardware, part deux

In part two of our blog assessing the security of a portable router, we will acquire the tools and equipment to make a copy of the firmware on our target router so that we can assess the full firmware. Sometimes, the manufacturer has an updated firmware that is available on their website. It coul...

A week in security (December 17 – 23)

Last week on Labs we looked at Fuchsia OS as a possible alternative for Android, explained all the reasons why cybercriminals want to hack your phone, discussed a flaw in Twitter form that may have been abused by nation states, gave you a Christmas tech scams roundup, revealed why many online...

Underminer exploit kit improves in its latest iteration

One of the most interesting exploit kits we track is also a bit of an elusive one, and as such does not receive the same scrutiny as its RIG and Fallout counterparts. Underminer was mentioned in our Fall 2018 round up, and at the time was using CVE-2018-8174 Internet Explorer and CVE-2018-4878...

Smart speakers: Christmas treat or lump of coal?

Christmas is nearly upon us, and thoughts are perhaps turning to various digital presents of a “smart” nature. Home security, hubs, speakers, cameras, and mashups of all of those and more besides. With regards to speakers, the most immediate pieces of your home are theoretically at your beck and...

This online quiz is now confirmed to be a phishing scam

Ah, online quizzes. Many of us know that they can be somewhat dodgy and nonsense, really—but that doesn’t stop us from clicking the “Start quiz” button anyway. Besides, you have time to kill, and there are only three questions to answer, right? The right kind of wrong Phishing attacks don’t alway...

Christmas tech scams roundup

There’s a fair few Christmas tech scams floating around out there as 2018 winds up, and we thought it’d be a good time to warn you about them. It’s the usual mish-mash of phone antics, social media shenanigans, and click bait. Shall we begin? This scam looks divine BOOM reports on a collection of...

Flaw in Twitter form may have been abused by nation states

Twitter announced in a blog post on Monday that they discovered and addressed a security flaw on one of their support forms. The discovery was made on November 15 — more than a month ago — and was promptly fixed the next day. From the Twitter blog on this issue: We have become aware of an issue...

Yes, Chromebooks can and do get infected

As a Mac malware specialist, I've seen more than my share of folks saying "Macs don't get viruses" over the years. I've seen and experienced first-hand that this isn't true—even on iOS, where despite having tight, built-in security, iPhones are still capable of getting infected by rare malware. I...

All the reasons why cybercriminals want to hack your phone

When people think of hacking, most imagine desktop computers, laptops, or perhaps even security cameras. However, in recent years, cybercriminals have expanded their repertoire to include smartphones, too. Here are 10 reasons why they may be looking to hack your phone. 1. To infect it with malwar...

Mobile Menace Monday: Is Fuchsia OS the end of Android?

It’s no secret that every year Google announces a new Android version. This time though, recent Google documents state that the next major Android version will be Android Q and not Android 9.1 Pie. In parallel, Google is also developing an operating system called Fuchsia that’s supposedly going t...

A week in security (December 10 – 16)

Last week on Labs, we took a look at some new Mac malware, a collection of various scraped data dumps, the protection of power grids, and how bad actors are using SMB vulnerabilities. Other cybersecurity news Millions affected by Facebook photo API bug: An issue granted third-party apps more acce...

How threat actors are using SMB vulnerabilities

Some of the most devastating ransomware and Trojan malware variants depend on vulnerabilities in the Windows Server Message Block SMB to propagate through an organization’s network. Windows SMB is a protocol used by PCs for file and printer sharing, as well as for access to remote services. A pat...

Compromising vital infrastructure: the power grid

Where were you when the lights went out? That line became famous after the 1977 blackout in New York City. This power outage was caused by lightning and lasted for up to two days, depending on which part of New York you lived in. While in this case the power grid failure was a freak incident due ...

Data scraping treasure trove found in the wild

We bring word of yet more data exposure, in the form of “nonsensitive” data scraping to the tune of 66m records across 3 large databases. The information was apparently scraped from various sources and left to gather dust, for anyone lucky enough to stumble upon it. What is data scraping? The...

Flurry of new Mac malware drops in December

Last week, we wrote about a new piece of malware called DarthMiner. It turns out there was more to be seen, as not just one but two additional pieces of malware had been spotted. The first was identified by Microsoft's John Lambert and analyzed by Objective-See's Patrick Wardle, and the second wa...

A week in security (December 3 – 9)

Last week on Malwarebytes Labs, we gave readers an FYI on multiple breaches that affected Humble Bundle, Quora, and Dunkin' Donuts, to name a few. This follows the announcement from Marriott about a four-year-long breach that impacted half a billion of its patrons. We also pushed out the report,...

Something else is phishy: How to detect phishing attempts on mobile

In a report published in 2011, IBM revealed that mobile users are three times more likely to fall for phishing scams compared to desktop users. This claim was based on accessed log files found on Web servers used to host websites involved in phishing campaigns. Almost a decade later, we continue ...

Mac malware combines EmPyre backdoor and XMRig miner

Earlier this week, we discovered a new piece of Mac malware that is combining two different open-source tools—the EmPyre backdoor and the XMRig cryptominer—for the purpose of evil. The malware was being distributed through an application named Adobe Zii. Adobe Zii is software that is designed to...

New Flash Player zero-day used against Russian facility

For the past couple of years, Office documents have largely replaced exploit kits as the primary malware delivery vector, giving threat actors the choice between social engineering lures and exploits or a combination of both. While today's malicious spam malspam heavily relies on macros and popul...

Breaches, breaches everywhere, it must be the season

After last weeks shocker from Marriott this week started off with disclosures about breaches at Quora, Dunkin’ Donuts, and 1-800-Flowers. Quora Quora is an online community that focuses on asking and answering questions. It was founded in 2009 by two former Facebook employees. The stolen data may...

New ‘Under the Radar’ report examines modern threats and future technologies

As if you haven't heard it enough from us, the threat landscape is changing. It's always changing, and usually not for the better. The new malware we see being developed and deployed in the wild have features and techniques that allow them to go beyond what they were originally able to do, either...

Humble Bundle alerts customers to subscription reveal bug

You’ll want to check your mailbox if you have a Humble Bundle account, as they’re notifying some customers of a bug used to gather subscriber information. Click to enlarge The mail reads as follows: Hello, Last week, we discovered someone using a bug in our code to access limited non-personal...