SonicWall GMS and Analytics are vulnerable to an SQL injection bug, tracked as CVE-2022-22280.
The post SonicWall urges customers to patch critical SQL injection bug ASAP appeared first on Malwarebytes Labs.

Cybersecurity hardware company, SonicWall, recently released a public security notice about a critical SQL injection flaw affecting its GMS (Global Management System) and Analytics On-Prem products.

The flaw, which is tracked as CVE-2022-22280, is given a 9.4 critical rating. With the high capability of damage, this vulnerability has low attack complexity, meaning that anyone with little know-how of SQL injection can pull this off. CVE-2022-22280 can be exploited from the network without user interaction nor does it require any authentication.

“SonicWall PSIRT is not aware of active exploitation in the wild. No reports of a proof of concept (PoC) have been made public, and malicious use of this vulnerability has not been reported to SonicWall,” said SonicWall in the security notice.

> SonicWall PSIRT strongly suggests that organizations using the Analytics On-Prem version outlined below should upgrade to the respective patched version immediately.
> 
> ~ SonicWall advisory

Clients using **Analytics 2.5.0.3-2520** or earlier and/or **GMS 9.3.1-SP2-Hotfix1** or earlier are advised to update to their patched versions, **Analytics 2.5.0.3-2520-Hotfix1** and **GMS 9.3.1-SP2-Hotfix-2**, respectively.

While there are no workarounds for this vulnerability in both affected products, SonicWall advises clients to incorporate a Web Application Firewall (WAF) to protect their web applications from common exploits and vulnerabilities, including SQL injections.

An SQL injection (SQLi) is a well-known, old-school injection attack that has been around for more than 15 years. Threat actors normally use this attack to expose the security gaps in websites. An SQL injection can be done via the use of automated tools, such as Havij, or by manually inserting specific SQL codes in forms or text boxes, such as on a website’s search box.

SQLi has remained the number threat to websites for years, according to records from the Open Web Application Security Project (OWASP). This non-profit organization regularly puts out a list of top 10 threats against websites. Although broken access failure dethroned injection threats in 2021, the latter remains in the top 3.

SonicWall urges customers to patch critical SQL injection bug ASAP

Microsoft is taking RDP attacks to task in Windows 11, with default lockdowns for too many incorrect passwords entered.
The post Microsoft clamps down on RDP brute-force attacks in Windows 11 appeared first on Malwarebytes Labs.

It wasn’t so long ago that we were wondering what improvements Windows 11 would make in the security stakes. Well, we haven’t had to wait too long to find out.

Windows 11 build 22528.1000 and up will tackle one of the more common entry points for network intruders. Namely, trying to prevent the brute forcing of Remote Desktop Protocol (RDP) by adding a default RDP lockout policy:

> @windowsinsider Win11 builds now have a DEFAULT account lockout policy to mitigate RDP and other brute force password vectors. This technique is very commonly used in Human Operated Ransomware and other attacks – this control will make brute forcing much harder which is awesome! pic.twitter.com/ZluT1cQQh0
> 
> — David Weston (DWIZZZLE) (@dwizzzleMSFT) July 20, 2022

Being able to access a computer remotely is a proverbial killer app for business. Unfortunately, this comes with several dangers if not configured correctly. Microsoft’s latest changes are designed to address these threats head on.

**RDP: a hot target for network intrusion**

RDP attacks are a prime tool for ransomware operators. Brute forcing a way into vulnerable machines is often the first step to total network compromise and data exfiltration. Microsoft’s own research in this realm is particularly illuminating with regard to giving a flavour of scale:

> _We analyzed several months’ worth of data to mine insights into the types of RDP brute force attacks occurring across Microsoft Defender ATP customers. Out of about 45,000 machines that had both RDP public IP connections and at least 1 network failed sign-in, we discovered that, on average, several hundred machines per day had high probability of undergoing one or more RDP brute force attack attempts. Of the subpopulation of machines with detected brute force attacks, the attacks lasted 2-3 days on average, with about 90% of cases lasting for 1 week or less, and less than 5% lasting for 2 weeks or more._

The research goes on to say:

> _Out of the hundreds of machines with RDP brute force attacks detected in our analysis, we found that about .08% were compromised. Furthermore, across all enterprises analyzed over several months, on average about 1 machine was detected with high probability of being compromised resulting from an RDP brute force attack every 3-4 days._

To summarise: RDP attacks are not uncommon, and it’s important to be able to tell the difference between genuine failed sign-ins and actual brute forcing. In situations where brute forcing is taking place with few to zero security precautions for an organisation’s RDP setup, this can be fatal in giving attackers one foot in the door.

**Microsoft battens down the hatches**

Our own research shows how rate limiting the number of password attempts can hinder attackers enough that they leave empty-handed:

> _In our test, attackers were shut out for five minutes if they entered five incorrect passwords within the space of five minutes. Our attackers were persistent over several days and received, on average, about 150 bans per day._
> 
> _To trigger 150 bans per day, our attackers must have made 750 incorrect guesses and incurred 750 minutes of bans, leaving them 690 minutes of the day in which to guess passwords. 750 guesses in 690 minutes gives us a guessing rate of about one password every 55 seconds, or about 1,500 guesses per day._
> 
> _At that guessing rate, rate limiting reduced the number of daily password attempts from 1500 to 750, halving the effectiveness of the attack and doubling the time a security team would have to react._

What Microsoft is doing is setting the lockout to 10 failed attempts in 10 minutes. Some consideration has been given to the fact that not everyone is going to be running Windows 11, and older versions exist that could do with some lockout love. Ask and you shall receive, because these changes are also being applied to older versions of Windows:

> Yes it’s being backported
> 
> — David Weston (DWIZZZLE) (@dwizzzleMSFT) July 21, 2022

Microsoft recently reversed a decision to undo the blocking of VBA Macros after uproar among Office users. Hopefully the people making security decisions will continue to clamp down on potential weak spots and easy routes to success for network intruders and malware authors. RDP is the opening salvo of choice for many intrusion attempts, and making these lockouts the default can only be a good thing.

Microsoft clamps down on RDP brute-force attacks in Windows 11

We take a look at claims that virtual pet favourite, Neopets, has had its user database breached, and what you can do about it.
The post Lock down your Neopets account: Data breach being investigated appeared first on Malwarebytes Labs.

Bad news for players of long-time virtual pet management title Neopets. Word is spreading of a compromise claimed to have accessed around 69 million user accounts. This compromise, posted to a hacking forum, is said to include both the database and around 460 MB of compressed source code from Neopets.com.

Data claimed to have been taken includes:

*   Usernames
*   Names
*   Email address
*   Date of birth
*   Zip code
*   Date of Birth
*   Gender
*   Country
*   Registration email

Considering the young age of many Neopets players, this would be quite bad from a privacy and safety standpoint, if the breach turns out to be genuine. This wouldn’t be the first time Neopets has experienced a breach situation either. Back in 2014, “tens of millions” of Neopets accounts were said to have been traded on underground forums. The data in question had apparently been compromised prior to the current owners, Jumpstart, acquiring Neopets.

In 2020, there were claims of ways to potentially gain access to user accounts. Neopets also addressed this. Unfortunately, the current owners may now have a whole new incident to deal with.

**Is this a genuine compromise?**

There is currently no explanation of how the individual claiming to have done this managed to achieve their database swipe. BleepingComputer, who first reported this, has not been able to find independent verification of the breach. References to confirmation from the Neopets team on Discord actually came from volunteer moderators.

Nevertheless, there is some official recognition of something having happened behind the scenes. For example, the official Neopets twitter admits it “recently became aware that customer data may have been stolen” and has engaged the services of a forensics firm:

> It appears that email addresses and passwords used to access Neopets accounts may have been affected. We strongly recommend that you change your Neopets password. If you use the same password on other websites, we recommend that you also change those passwords. (2/3)
> 
> — neopets (@Neopets) July 21, 2022

What does this mean in practice? Well, we won’t know for sure until more information is released. One common occurrence in situations such as these is for large, existing data dumps to be passed off as new. When the data is examined, it often turns out to be lots of old stolen data bundled in with new content. Or it can even be old data across the board! Without proper analysis and comparison to old data, it’s wise to wait and see.

The main thing to note for now is that Neopets has acknowledged something has happened, and is looking into it. In the meantime: what can you do as a Neopets user, or as someone with a child in the house who plays it?

**Tips to keep your Neopets account safe**

1.  **Change your password**, as Neopets suggests. Don’t use something you’ve used previously on the Neopets site, or on any other site. This may be time to start looking at a password manager, for added safety. No need to use easily guessed passwords if you can store complex logins inside a management tool instead!
2.  **Don’t tell anybody your password**, whether they’re other Neopets users, or people on random forums or Discord servers. You won’t receive any free gifts or special in-game items for doing so; you’re just risking losing your account.
3.  **Be wary of Neomails phishing attacks**, sent your way via the Neopet site’s private message system. The only official communication you’ll receive via Neomail would be from “theneopetsteam”, in the form of warnings.
4.  **Watch out for email phishing attempts** via the mail you have registered to the site. If this data is truly out there, phishers will almost certainly try their luck. Gaming accounts of any kind are always juicy targets for scammers.

At this point, we’d typically suggest also making use of two-factor authentication to keep your login more secure. Unfortunately, Neopets doesn’t currently offer a way to do this. As a result, it’s even more important that you try and keep your Neopets logins safe with a strong password.

Lock down your Neopets account: Data breach being investigated

MenuDrive, Harbortouch, and InTouchPOS fell victim to a long Magecart infection that started in January and only ended days ago.
The post Malware spent months hoovering up credit card details from 300 US restaurants appeared first on Malwarebytes Labs.

Criminal hackers have been able to steal at least 50,000 credit cards from 300 restaurants in the US, after launching two Magecart campaigns that target the MenuDrive, Harbortouch, and InTouchPOS online payment platforms:

Magecart is a web-skimmer—malware that is injected onto a vulnerable website so it can steal credit card information as it’s entered into the site’s checkout. Because it does not interupt card payments, it just quietly siphons off users’ card details, it can be very difficult for both its victims and their users to spot.

Recorded Future’s Insikt Group recently identified two Magecart campaigns targeting the aforementioned online payment platforms. Stolen details were offered for sale in various underground marketplaces on the dark web.

“Online ordering platforms are a very attractive target since they deal with many vendors downstream, which also means a high number of customers are going to be entering payment data that could be skimmed,” said Jerome Segura, Senior Director of Malwarebytes’ Threat Intelligence Team, and an expert in web skimmers.

Although MenuDrive, Harbortouch, and InTouchPOS are not as popular as Uber Eats, Hungrrr, or DoorDash, many small, local restaurants across the US outsource their online ordering process to them as it’s cost-effective.

The Insikt Group discovered the first Magecart campaign on January 18 this year, affecting 80 restaurants via MenuDrive and 74 restaurants via Harbortouch. On both platforms, the skimmer was injected into the restaurant’s web pages, including the subdomain on the online payment service’s platform.

Skimmers deployed two scripts to MenuDrive, one built for stealing payment card details, the other made for stealing user details like the card holder’s name, email address, and phone number. On Harbortouch, however, only a single script is used to steal all personally identifiable information (PII) and card details.

The skimmer code use on MenuDrive with the exfiltration URL highlighted in orange.

The campaign against InTouchPOS started earlier than the other two—around November last year—but most skimmer injections didn’t happen until January 2022.

Instead of stealing data as it was entered into the site, the InTouchPOS skimmers overlaid the site with a fake payment form for users who are ready to checkout.

“Attackers routinely probe networks using automated tools or a more manual approach, especially if the target is deemed highly valuable,” Segura said. “Compromising a third-party site breaks the chain of trust already established between a provider and a merchant but on a scale of ‘one to many’.”

Malware spent months hoovering up credit card details from 300 US restaurants

Researchers at Intezer have published an analysis of a modular and versatile malware targeting Linux systems called Lightning Framework
The post Lightning Framework, modular Linux malware appeared first on Malwarebytes Labs.

Researchers at Intezer have published a technical analysis of Lightning Framework, a previously undocumented and undetected Linux threat. Lightning is a modular framework that is very versatile and something we don’t see very often in the Linux space.

The old argument that Linux systems (or Macs for that matter) don’t get malware has never been true. Linux servers often play a key role in corporate networks, and are also very popular in cloud-based systems, making them attractive targets for criminals.

**The Lightening Framework**

The Lightning Framework has a modular structure, consisting of a downloader (Lightning.Downloader) and a core module (Lightning.Core), with a number of plugins.

Image courtesy of Intezer

A modular architecture can make adding new capabilities or improvements easier, since an update to a plugin should not affect the core or any other plugins. It is also potentially useful to malware authors because if detection is based on one of the plugins then replacing the plugin that triggered the detection may allow the malware to go under the radar for a bit longer.

While some of the modules are known tools, it is rare to see such a complex and versatile framework target Linux systems.

**How Lightening hides**

The main function of the downloader module is to fetch the other components and execute the core module. The framework makes heavy use of typo-squatting and masquerading in order to remain undetected. Intezer reports that the downloader module is located in the working directory /usr/lib64/seahorses/ so anyone performing a quick inspection might think the directory belongs to the password and key manager software seahorse.

One of the tasks of the core module is to set up persistence. It does this by creating a script that gets executed upon system boot. The boot execution is achieved by first creating a file located at /etc/rc.d/init.d/elastisearch, an obvious attempt to typosquat elasticsearch.

The malware uses a timestomping technique to change the timestamp of the script so that it matches the timestamp of one of a few core Linux files. So that, without closer inspection an investigator might think it was created when the system was initially set up.

The framework also uses a rootkit to hide its Process ID (PID) and any related network ports. The rootkit can scrub any reference to files running in the framework.

**Communication**

Network communication in the core and downloader modules is performed over TCP sockets. The C2 server is stored in an encoded configuration file that is unique for every single creation.

The Linux.Plugin.Lightning.Sshd plugin is an OpenSSH daemon that includes hardcoded private and host keys, allowing the attacker to SSH into the machine with their own SSH key, creating a secondary backdoor.

For a deeper analysis of the malware and its plugins, and a list of IOCs, check out the full write up by Intezer.

Lightning Framework, modular Linux malware

Google has issued an update for the Chrome browser that includes 11 security fixes, including 5 with a high severity
The post Update Google Chrome now! New version includes 11 important security patches appeared first on Malwarebytes Labs.

The latest Google Chrome update includes 11 security fixes, some of which could be exploited by an attacker to take control of an affected system. Google Chrome’s Stable channel has been updated to 103.0.5060.134 for Windows, Mac, and Linux, and the new version will roll out over the coming days/weeks.

**Vulnerabilities**

Of the 11 security fixes five are use-after-free issues, including four that are marked with a severity of “high.” Use after free (UAF) vulnerabilities occur because of the incorrect use of dynamic memory during a program’s operation. If after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The four high-severity use-after-free vulnerabilities resolved with the latest Chrome update are tracked as follows:

**CVE-2022-2477** is a use-after-free vulnerability in Guest View that could allow arbitrary code execution following interaction by the victim.

**CVE-2022-2478** is a use-after-free vulnerability in Chrome’s PDF handling code. Not many details are available but the attacker needs the victim to engage in some kind of user interaction to exploit this vulnerability.

**CVE-2022-2479** is caused by insufficient validation of untrusted input in File. No further details were given but successful exploitation requires user interaction by the victim.

**CVE-2022-2480** is a use-after-free vulnerability in Chrome’s Service Worker API. (Service workers are specialized JavaScript assets that act as proxies between web browsers and web servers.)

**CVE-2022-2481** is a use-after-free vulnerability in Views. The Chrome user interface is constructed of a tree of components called Views. These Views are responsible for rendering, layout, and event handling.

**How to protect yourself**

If you’re a Chrome user on Windows, Mac, or Linux, you should update as soon as possible. Android users will also find an update waiting.

The easiest way to update Chrome is to allow it to update automatically, which basically uses the same method as outlined below but does not require your attention. But you can end up lagging behind if you never close the browser or if something goes wrong—such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time, given the severity of the vulnerabilities in this batch. My preferred method is to have Chrome open the page chrome://settings/help which you can also find by clicking **Settings > About Chrome**.

If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete.

Chrome is up to date

After the update the version should be **103.0.5060.134** or later.

Stay safe, everyone!

Update Google Chrome now! New version includes 11 important security patches

The most important and interesting computer security stories from the last week.
The post A week in security (July 18 – July 24) appeared first on Malwarebytes Labs.

Posted: July 25, 2022 by

**RELATED ARTICLES**

July 21, 2022 - Governance, risk, and compliance (GRC) are top-of-mind for many cybersecurity decision-makers. Learn why GRC is important - and how it make it easier.

June 11, 2021 - Many US organizations are migrating from in-house, on-premises solutions to the Cloud. We look at what's driving the Cloud's ascendency.

November 6, 2020 - The financial industry has come to rely on RegTech. It helps financials comply with regulations and tightens up data safety and security. But what is it exactly?

February 24, 2020 - What many don’t realize is that SMBs need the same level of protection from threats that are usually only afforded to enterprises. Managed service providers (MSPs) are the key to getting the protection and service they need while staying on budget.

February 25, 2019 - Almost 10 years ago, privacy advocate Max Schrems and the European Union began separate efforts to change the way the world thinks about online privacy. Thanks to them, we now have GDPR.

**ABOUT THE AUTHOR**

A week in security (July 18 – July 24)

A 3-year old TikTok influencer has got parents talking about how to keep images of their kids away from online creeps.
The post The Wren Eleanor story: Why you should keep your kids off social media appeared first on Malwarebytes Labs.

TikTok moms have started a movement: Calling out potential creeps who follow child influencer accounts on the platform. The latest account in the spotlight is @wren.eleanor, a TikTok account with a massive 17.3 million followers. It’s an impressive number and one that got the attention of armchair sleuths.

@hashtagfacts, another account, posted a video about what other people on TikTok have observed about this account’s followers. They’ve noted the number of times specific clips of 3-year-old Wren have been saved. Perhaps, more surprisingly, they’ve taken note of the pre-filled texts that appear in TikTok’s search box when one starts searching for “wren”.

And that’s just the tip of the iceberg. Many also found a lot of “disgusting comments left by men” in certain videos about Wren.

“My daughter is 12 and a half,” @hashtagfacts said in her video post, “The issue with all of these saves and the follows are that people are watching your children. And doing disgusting things.”

**“Protect your children.”**

Regardless of your intentions when you post pictures and videos of your children publicly, realize and accept the fact that the Internet, with all its awesomeness, also harbors creeps who follow social media accounts featuring kids for disturbing reasons. It’s safe to assume they’re everywhere: Facebook, Instagram, YouTube, TikTok, Omegle, and others.

The simplest way to protect your children from the harms you know, and especially the harms you don’t, is to keep them off social media entirely. Let them decide how they want to use it when they are old enough to understand and navigate the risks they face. That means no social media accounts for them, and no posting images of them on your own accounts.

If that simply isn’t an option for you, for whatever reason, there are ways that you can still safely share photos and videos of your kids on social media while keeping them far away from the hawking eyes of online child predators. In reality, there are many things we can’t control when it comes to protecting our children. However, as one TikTok commenter correctly pointed out, we _can_ control what we post online about our kids.

So, parents and carers, let’s take control.

**Take your social media accounts private**

If you need to act quickly but don’t have the time now to weed through all the media to pick which ones to delete and keep, consider protecting your tweets or making your Instagram account private.

Doing this also gives you time to think about what to consider before deciding on where you stand with the sharing of your child’s photos and videos. Because at the end of the day, you, the responsible parents and carers, get to decide, not people on the internet.

**Limit access to the child’s photos and videos**

Even though your entire account is public, some social media platforms allow you to pick and choose who among your contacts can see specific things you share. Better yet, share to a Private group on Facebook and Instagram comprising only of close family members and friends you’ve known and trusted for long enough you consider them as family.

The smaller the circle of trust, the better.

**Yes, share via secure messengers and private albums**

Social media platforms aren’t the only places where you can safely share pictures and videos of your kids. Secure messengers like iMessage, WhatsApp, or Signal can also do this for you, so make good use of them.

If your family and friends all have Apple devices, or if you use Google Photos, you can also set up a private, shared photo album where you can share media of all family members safely.

**Prepare your kids for a life with social media**

Posting media of your kids on social media is one thing. Creating social media accounts for them, whether they meet a social network’s minimum age requirement or not, is quite another. Because for children, especially girls aged 11 to 13, who are targeted by online predators more than other groups, just being online is already a huge risk.

Don’t assume they know enough to look after themselves. Make sure they do. We suggest you adopt **T.A.L.K.**, a series of comprehensive and actionable steps parents and carers can take to help guide kids through a safe online experience as they grow up.

T.A.L.K. stands for:

*   **Talk to your child** about online sexual abuse. Start the conversation—and listen to their concerns.
*   **Agree on ground rules** about the way you use technology as a family.
*   **Learn about the platforms and apps** your child loves**.** Take an interest in their online life.
*   **Know how to use tools**, apps and settings that can help to keep your child safe online.

Age shouldn’t be the only indicator for when you can allow your kids to start exploring the wider Internet more. Maturity of mind should be considered, too.

We also believe that part of keeping kids secure online is developing their self-esteem. So no matter what negativity the online world throws at them, they will rise above it. An insecure child will easily succumb to criticisms, want to be famous, or feel the need to get approval and acceptance from everyone.

Putting them in front of the camera for millions of people to watch and look at won’t build up the self-esteem your child needs.

The Wren Eleanor story: Why you should keep your kids off social media

Governance, risk, and compliance (GRC) are top-of-mind for many cybersecurity decision-makers. Learn why GRC is important - and how it make it easier.
The post The winding road to compliance appeared first on Malwarebytes Labs.

“Here are the keys. Buy milk and bread. Drive safely.”

These are important instructions for a new driver tasked with running an errand. But unless the driver knows where they are going, a bit of guidance on how to get to the store can only help. Without it, the driver may complete the errand successfully, or at least make a good effort; but they might not complete the errand or be inefficient in the attempt.

For IT and security teams, aiming for compliance feels eerily similar to running errands without  
direction.

Like the driver, these users want to accomplish the task at hand (in this case, regulatory  
compliance) but are often stymied by the ambiguity or lack of direction on how to do so. Often,  
compliance standards define the ultimate objectives, but give organizations the flexibility to determine  
for themselves the path they take to get there.

Consequently, some users experience the equivalent of making three left turns when they didn’t know they could have just made a right.

**Navigating by the stars**

Freedom to define your own path has some benefits, of course. So, how do you reach the goal  
efficiently to optimally protect your organization against breaches?

If you’re working through this question, you’re not alone. In fact, data from earlier this year suggests more cybersecurity decision-makers are focused on ensuring governance and compliance standards are met (56%), topping the list of priority projects during the first quarter of 2022.

It’s no secret that complying with leading standards in your industry protects your business in several  
ways – some more obvious than others.

Immediately, there is the imperative protection for corporate data, personally identifiable information (PII), intellectual property, etc., and mandatory compliance with these protections to operate in certain industries or countries. Then there are the expanded values gained from compliance, such as assurances you can provide to executives and Boards about the organization’s cybersecurity posture, or your improved stance for cyber insurance.

Overriding all of these benefits is the primary reason compliance programs exist: to increase organizations’ level of prevention against an attack (akin to the “drive safely” instruction to a new driver).

**Help along the journey**

With the freedom to choose how you meet compliance requirements, a navigator who is easy to travel  
with and able to help guide you efficiently can be the best kind of travel companion. You need a solution  
partner who can help you check off some of those distance-markers along the compliance highway.

Malwarebytes EDR includes essential threat prevention capabilities to keep nefarious actors from  
entering your environment.

These are complimented by threat detection and remediation tools to help you identify threats that get past the gate, so your IT or security team can respond effectively and efficiently. The platform aligns nicely with NIST and ENISA attack response frameworks, which include guidelines for best practices that help you achieve compliance.

Compliance may not be the pinnacle of your journey, either; perhaps your organization’s focus is  
reinforcing specific attack surfaces. In cases like these, the value of an expandable, cloud-based platform becomes apparent.

Malwarebytes EDR is built to run in our Nebula cloud platform, which empowers you to easily add  
modules that fortify specific vectors. For example, adding our Vulnerability Assessment and Patch  
Management (VPM) modules to your Malwarebytes EDR deployment helps protect against software exploits.

Connecting our DNS Filtering module yields greater control over internet browsing and content  
access, providing end users a safer, more secure web experience. In addition to their inherent enhanced  
protection value, these modules help businesses with specific HIPAA, PCI and GDPR compliance criteria,  
and public sector entities meet additional requirements of CJIS compliance, for example.

The path to compliance is easier with an informed companion. Malwarebytes EDR helps you navigate  
the compliance highways and byways, like a travel companion with experience in and expert knowledge  
of the routes to optimal protection. Our platform is easy to learn and use and can effectively help you  
reach your compliance destination (and beyond). Get started with an EDR demo or trial today.

The winding road to compliance

Malwarebytes Endpoint Detection and Response can fight—and defeat—advanced ransomware that other security solutions miss. In this post, we’ll walk through what it looks like to deal with a ransomware attack using Malwarebytes EDR. 
The post Demo: Your data has been encrypted! Stopping ransomware attacks with Malwarebytes EDR appeared first on Malwarebytes Labs.

It’s no secret that ransomware is one of the most pressing cyber threats of our day. What worse, ransomware gangs have increased their attacks on a range of vulnerable industries, with disruptions to business operations, million-dollar ransom demands, data exfiltration, and extortion. 

With Malwarebytes Endpoint Detection and Response, however, you can fight—and defeat—advanced ransomware that other security solutions miss. 

In this post, we’ll walk through what it looks like to deal with a ransomware attack using Malwarebytes EDR.

*   Part 1: Your data has been encrypted!
*   Part 2: Pinpointing the ransomware
*   Part 3: Isolating the endpoint infected with ransomware
*   Part 4: Remediating the ransomware
*   Accelerate and simplify your ransomware defense with Malwarebytes EDR

**Part 1: Your data has been encrypted!**

Prior to this demo, we ran a ransomware sample on the virtual machine (VM) that we’ll be demonstrating from. Below, you’ll see that the VM is currently in an infected state.

As you can see, our files have in fact been encrypted by the ransomware across multiple directories with the “.**encrypt**” extension.

Let’s start a ping to Google’s DNS server. The reason that we’re going to do this is to help demonstrate some of the functionality that Malwarebytes has later. 

Just keep in mind that right now we can effectively communicate out to the internet. But we’ll come back to that later.

**Part 2: Pinpointing the ransomware**

Now, let’s switch to our Nebula console. Below, you’ll see the dashboard for Malwarebytes Nebula, our cloud-hosted security operations platform that allows you to manage control of any malware or ransomware incident. 

Click into the **Suspicious Activity** section of the console.

Right at the top, we can see that activity, a process that ran today at 9:31am.

Let’s click on this executable and start diving into how an IT admin or security analyst could use Malwarebytes to help respond to a ransomware situation, as well as effectively contain it.

Up at the top here, we have categorization of rules to help a maybe newer or less savvy security expert understand what’s going on with this process.

At the bottom, we have a detailed process timeline as well.

Let’s expand here by clicking **Show rules**. 

What we see here is the actual categorization of behaviors that Malwarebytes witnessed in this process. Each of these little bubbles has been color coded to help you understand the severity of this issue. 

We follow a pretty simple mechanism: Red is high severity, orange is medium severity, yellow is low severity. All of these behaviors are things that Malwarebytes actually witnessed this process doing on our endpoint. 

As you can see, there’s a lot of questionable behavior here. Things like disabling Windows Firewall, turning off the control panel, turning off the desktop activity; lots of things that would be concerning to a security expert.

Now, for someone who is not as familiar with some of these behaviors, or maybe there’s a technique that you’re not aware of, you can hover over them for more details. 

So for example, if we hover over the disable Windows Firewall behavior that we saw, on the left, you’ll see that we’ve been partnering with the MITRE foundation and using its attack framework to give you context and a common set of terms that you can use to identify and understand these tactics.

On the right, we see the command line context for this process in our organization.

We can see the exact time that it ran and the file hashes, so if we needed to do further investigation, we have those available. And most importantly, we’ve highlighted below the command line actually used to execute this technique on our machine. 

So again, in the context of disabling the firewall, this might be something we do in testing or as part of our troubleshooting process.

We can use this context to help understand if this is something that we have done intentionally – or if it’s possibly something that an attacker is doing to compromise our environment.

Let’s navigate now down to the bottom half, where we can see the actual specific details of this process.

Clicking into any of these nodes, we get a lot of rich context information about what this process did. 

As a security analyst or an IT admin, the first question you typically ask when an incident occurs is: What happened? Do we know if it’s malicious? What is the actual extent of the potential damages? And so on.

So here, we can navigate through to see everything that’s happened on this machine. 

For example, if we click on **File Write**, we can see every artifact or file left behind by this process.

Similarly, we can click on **Reg values** to see what registry changes were made on that system. 

**Part 3: Isolating the endpoint infected with ransomware**

Now, as we’re continuing our investigation, we’re looking at this and deciding it looks pretty suspicious – it’s probably unwanted or a potentially damaging activity. So as a safeguard, we’re going to use the first response mechanism in Malwarebytes, which is our isolation capability.

From the **Actions** menu, let’s choose to isolate this machine with **Isolate Endpoint**.

We have three layers of isolation that we can provide: **network isolation**, **process isolation**, and **desktop** **isolation**. 

The network and process isolations are intended to give us the ability to quarantine that machine and prevent it from doing anything that is not authorized by Malwarebytes. 

What this means is, we can still use our Malwarebytes console to trigger scans to perform other tasks and to review data, but the machine otherwise can’t communicate or run anything else. 

For this demonstration, we’re just going to use network isolation so that we can simulate preventing this machine from spreading an infection laterally in the environment.

Notice as we send that isolation command, the ping to Google immediately begins to fail – showing that that machine can no longer communicate to the internet. 

Now that we’ve isolated this device, let’s continue our investigation further. 

Below, we see a process here with a large amount of file activity, namely file renames. 

Let’s click into this. This is where Malwarebytes witnessed the ransomware attack actually occurring—so we see those files changing to not their normal versions, but to the .**encrypted** versions of the same file. 

What makes Malwarebytes unique in our EDR capabilities is when we see behavior like this (something that could compromise your files due to encryption or deletion or other types of malicious activity) we’ve actually created backups of all of the files that were targeted by this process stored locally on this machine. 

Now that we’ve identified that this is unwanted and malicious behavior, what we’re going to do is initiate a rollback action. 

Effectively, we’re telling Malwarebytes that we did not want this activity: this is something that happened on our machine that we never authorized and that we did not want. So when we go to **Actions**, and then **Remediate**, this will send a customized script to this endpoint and it will look at all of the behavior we witnessed in this process graph here.

This will create a customized remediation plan for this machine, where it will iterate backwards through the behavior, resolving any potential issues that might have arisen. 

One of the things that it’s going to do in this process is look for those backup versions of the files we created and restore those to the end user.

We can see on the right that our virtual machine received the command and it needs to restart to finish the process. Let’s restart it now so that we can see it carry out the backup!

After the machine reboots, we can open these folders and actually see that all of our files have been returned to their original version. 

**Accelerate and simplify your ransomware defense with Malwarebytes EDR**

In this post, we seamlessly looked at the activity that ransomware exhibited, found a recovery plan for it, then implemented that plan. 

In short, this is not a tool where you’re going to have to devise a customer mediation plan, where you’re going to have to iterate through hundreds of IOCs or complex readouts with an EDR solution to build a manual recovery solution – you simply need to tell Malwarebytes to resolve the issue. 

When it comes to ransomware mitigation, we’ll take the wheel from you – freeing up a lot of time in your day as an admin or an analyst. Read about how a leading automotive manufacturer and distributor used Malwarebytes EDR to simplify their ransomware remediation.

Looking for more demos of Malwarebytes EDR? Watch the webinar!

_Read our eBook on_ _ransomware best practices to detect and block ransomware attacks before they happen_.

Source

Malwarebytes