This week on Lock and Code, we discuss how law enforcement can now use your data, ever since the Supreme Court overturned Roe v. Wade.
The post Roe v. Wade: How the cops can use your data: Lock and Code S03E15 appeared first on Malwarebytes Labs.

On the evening of June 23, in the United States, millions of women went to bed with a Constitutional right to choose to have an abortion, and they went to bed with the many assurances that are tied to that right—to speak about getting an abortion, to organize and provide support to those seeking abortions, to search for abortion services safely online, to digitally track their menstrual cycles, to record their reproductive plans, all without too much concern about who would be interested in that information.

But on June 24, that Constitutional right was removed by the Supreme Court.

Immediately, this legal story has become one of data privacy, as countless individuals ask themselves: What surrounding activity is now allowed?

Should Google be used to find abortion providers out of state? Can people write on Facebook or Instagram that they will pay for people to travel to their own states, where abortion is protected? Should people continue texting friends about their thoughts on abortion? Should they continue to use a period-tracking app? Should they switch to a different app that is now promising to technologically protect their data from legal requests? Should they clamp down on all their data? What should they do?

Today, on the Lock and Code podcast with host David Ruiz, we speak with two experts on this intersection of data privacy and legal turmoiil—Electronic Frontier Foundation staff attorney Saira Hussain and senior staff technologist Cooper Quintin.

As Quintin explains in the podcast, while much of the focus has recently been on the use of period-tracking apps, there are so many other forms of data out there that people should protect: 

> “Period-tracking apps aren’t the only apps that are problematic. The fact is that the majority of apps are harvesting data about you. Location data, data that you put into the apps, personal data. And that data is being fed to data brokers, to people who sell location data, to advertisers, to analytics companies, and we’re building these giant warehouses of data that could eventually be trawled through by law enforcement for dragnet searches.”

By spotlighting how benign data points—including shopping habits and locations—have already been used to reveal pregnancies and miscarriages and to potentially identify abortion-seekers, our guests explain what data could now be of interest to law enforcement, and how people at home can keep their decisions private and secure.

Tune in to hear all this and more on the most recent episode of Lock and Code.

This video cannot be displayed because your _Functional Cookies_ are currently disabled.

To enable them, please visit our _privacy policy_ and search for the Cookies section. Select _“Click Here”_ to open the Privacy Preference Center and select _“Functional Cookies”_ in the menu. You can switch the tab back to _“Active”_ or disable by moving the tab to _“Inactive.”_ Click _“Save Settings.”_

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

_Show notes and credits:_

Intro Music: “SCP-x5x (Outer Thoughts)” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

Roe v. Wade: How the cops can use your data: Lock and Code S03E15

We take a look at reports of organised review bombing, leading to extortion threats to get the negative ratings removed.
The post Extortionists target restaurants, demand money to take down bad reviews appeared first on Malwarebytes Labs.

Restaurants and other eating establishments are being targeted by extortionists who post fake reviews online and then offer to remove them in exchange for a gift card.

The possibility has always existed to leave poor reviews on Google Maps and elsewhere. However, seeing fraudsters get organised and issue extortion threats alongside the review is a new development.

According to the New York Times, businesses are being “deluged” with the poor reviews. Extortion threats are then mailed to the business owners, apologising for the actions but insisting that $75 Google Play gift cards be purchased in order to have the poor reviews erased.

Card codes are mailed to a ProtonMail account, where the scammers pick up their bounty. The codes are likely sold on at this point to turn a tidy profit. We don’t know if anyone actually sent a card code to the relevant mail address, nor if any reviews were removed by the fraudsters in cases where a payment was made.

The group claims to be based in India, and is currently targeting businesses in San Francisco, New York, and Chicago.

**The bad review bombing technique**

Review bombing is something you’ve probably heard about in relation to gaming. When fans of certain titles become annoyed with changes in a game, or something is released which they object to, some turn to leaving bad reviews.

These reviews tend to be organised by groups, and plaster a product’s page with poor ratings. This has a negative impact on the title, and comes with a variety of side effects. It might even make the product less visible to other shoppers due to the product review score tanking.

Platforms selling games have had to take significant action against these tactics in recent years, developing new ways to spot inauthentic reviews and hiding them away from the public.

**Defending your business from bad review practices**

Google offers several guides for both reviewers and business owners where reviews are concerned.

Firstly, there’s detailed information about adding a review on Maps. While this is useful to know as a business owner, the really important information is on the How to remove reviews guide. Review removal requests are initiated via the Manage Reviews page. Before you submit, you need to check through the Prohibited and Restricted content section and see which category extortion attempts would fall under.

We suspect **Civil Discourse > Harassment**, or **Deceptive Content > Misrepresentation** would be good places to start.

*   We don’t allow users to post content to harass other people or businesses, or encourage others to participate in harassment.

*   Misleading information can impact the quality of information on Google Maps. For this reason, we don’t allow individuals to use Google Maps to mislead or deceive others, or make misrepresentations.

This includes:

*   False or misleading accounts of the description or quality of a good or service. 

No matter which rules you feel that your extortion-laced missives fall under, here’s how to report in both Maps and Search:

**Flag a review in Google Maps**

1.  On your computer, open Google Maps.
2.  Find your Business Profile.
3.  Find the review you’d like to report.
4.  Click **More >** **Flag as inappropriate**.

**Flag a review in Google Search**

1.  On your computer, go to Google.
2.  Find your Business Profile.
3.  Click **Google** **Reviews**.
4.  Find the review you’d like to report.
5.  Click **More >** **Report review**. Select the type of violation you want to report.

Extortionists target restaurants, demand money to take down bad reviews

The most important and interesting computer security stories from the last week.
The post A week in security (July 11 – July 17) appeared first on Malwarebytes Labs.

*   Partner Success Story
*   Marek Drummond
    
    Managing Director at Optimus Systems
    
    "Thanks to the Malwarebytes MSP program, we have this high-quality product in our stack. It’s a great addition, and I have confidence that customers’ systems are protected."
    
*   See full story

A week in security (July 11 – July 17)

We take a look at a major ransomware attack impacting video game giant Bandai Namco, laced with the potential threat of data leakage.
The post Elden Ring maker Bandai Namco hit by ransomware and data leaks appeared first on Malwarebytes Labs.

It’s not been a great couple of months for gaming giant Bandai Namco. The name behind smash hit titles like Elden Ring and Dark Souls has endured a long run of cheats and hacks.

Hacking concerns led to Remote Code Execution issues, and multiplayer features in Souls titles were disabled for months. In March, in-game cheats in Elden Ring meant players had to turn off multiplayer to avoid new attacks.

We’re now in July and Bandai Namco has experienced its most severe issue yet, confirming it has fallen victim to a severe ransomware attack.

Eurogamer published a Bandai Namco statement, which reads as follows:

> _On 3rd July, 2022, Bandai Namco Holdings Inc. confirmed that it experienced an unauthorised access by third party to the internal systems of several Group companies in Asian regions (excluding Japan)._
> 
> _“After we confirmed the unauthorised access, we have taken measures such as blocking access to the servers to prevent the damage from spreading. In addition, there is a possibility that customer information related to the Toys and Hobby Business in Asian regions (excluding Japan) was included in the servers and PCs, and we are currently identifying the status about existence of leakage, scope of the damage, and investigating the cause._
> 
> _“We will continue to investigate the cause of this incident and will disclose the investigation results as appropriate. We will also work with external organizations to strengthen security throughout the Group and take measures to prevent recurrence._

**Double threat**

While triple threat attacks are becoming increasingly popular, double threat (locking up data and then threatening to make it public if the ransom isn’t paid) are still big business. What we have here is a classic double threat, being run by a group with no qualms about following through on its promises.

> ALPHV ransomware group (alternatively referred to as BlackCat ransomware group) claims to have ransomed Bandai Namco.
> 
> Bandai Namco is an international video game publisher. Bandai Namco video game franchises include Ace Combat, Dark Souls, Dragon Ball\*, Soulcaliber, and more. pic.twitter.com/hxZ6N2kSxl
> 
> — vx-underground (@vxunderground) July 11, 2022

In the tweet above, the screenshot refers to the compromise as “data soon”. The fear is that data is going to be leaked at some point in the near future. There is currently no word how much data has been grabbed, or what the ransomware authors are asking as payment.

Whether the data is related to employees, third parties, or even customers, we simply don’t know. Games publishers and developers are also host to significant amounts of confidential data for unreleased and unannounced games. This is an additional angle to consider. Would attackers value secret game IP over user data? Possibly.

**The bad news carousel**

This lands at a really bad time for Bandai Namco. It’s not so long ago that the Dark Souls multiplayer servers were in the process of being switched back on. This could well throw a large ransomware shaped spanner into the works for those plans.

There has to be concern over the considerable skillet of the BlackCat attackers, considering some of its likely past exploits. BlackCat stands accused of attacks on some of Europe’s largest ports back in February of this year. January saw data published belonging to a luxury fashion brand, and it wasn’t so long ago that it was publishing stolen data related to a luxury spa and resort located in the US.

This is one group which will absolutely carry out its double threat extortion threats. BlackCat is also ramping up its typical ransom amount, currently weighing in at around $2.5m. It remains to be seen how Bandai Namco handles this situation. Unfortunately for the publisher and their customers, the ransomware authors are firmly in the driving seat.

Elden Ring maker Bandai Namco hit by ransomware and data leaks

A hacking group displays its sophisticated skills by causing molten steel to spew from factory foundries. Could a state be backing the group?
The post Predatory Sparrow massively disrupts steel factories while keeping workers safe appeared first on Malwarebytes Labs.

Stuxnet‘s attack on Iran’s uranium enrichment facilities manifested fears of cyberattacks leaking into the real world. What once was theory is now upon us.

Two weeks ago, multiple Iranian steel facilities experienced a cyberattack that might have been pulled off by what many cybersecurity experts in the field believe is “a professional and tightly regulated team of state-sponsored military hackers, who may even be obliged to carry out risk assessments before they launch an operation.”

The group who claimed responsibility for the attack goes by the _nom de hack_ Predatory Sparrow.

Predatory Sparrow’s logo, which it uses on its Telegram and Twitter accounts. (Source: The BBC)

The victim organizations are the Khouzestan Steel Company (KSC), Mobarakeh Steel Company (MSC), and Hormozgan Steel Company (HOSCO).

Some say Predatory Sparrow’s name is a play on “Charming Kitten”, the name of the notorious Iranian APT (advanced persistent threat) group. Although Predatory Sparrow has its own social media accounts, these are not searchable under the English _nom_ but under its Persian equivalent, Gonjeshke Darande.

The attackers caused the foundry to spew hot molten steel and fire onto the factory floor, but not until workers had already cleared the area, unbeknownst of what was about to happen. The timing of the group’s attack is deliberate.

A video captured during one of these attacks was shared on its social platforms as proof. It already has 200,000 views.

“Today, 27/06/2022, we, ‘Gonjeshke Darande’, carried out cyberattacks against Iran’s steel industry which affiliated \[sic\] with the IRGC and the Basij,” a caption within the video reads. “These companies are subject to international sanctions and continue their operations despite the restrictions.”

> These cyberattacks, being carried out carefully so to protect innocent individuals, are in response to the aggression of the Islamic Republic.

The public office of the Iranian National Cyberspace Center confirmed the attacks, blaming the incidents on “foreign enemies.” The outcome triggered a temporary shutdown of facilities. The public office also claimed, “Security systems quickly took action to contain and repel the effects.”

According to sources close to the two organizations affected by the attack, the only reason severe damage wasn’t done to the production line was that they were switched off at night due to power supply restrictions. The attack “is understood” to have occurred between midnight and 6AM, Tehran time. Systems affected by the attack are the production and security systems.

At this point, no one knows whether Predatory Sparrow is a state-sponsored group. Is it just merely a group of hacktivists out to punish corporations they see are crossing the line?

“If this does turn out to be a state sponsored cyber-attack causing physical – or in the war studies jargon ‘kinetic’ damage – this could be hugely significant,” Emily Taylor, editor of the Cyber Policy Journal, told the BBC.

Ersin Cahmutoglu, a cybersecurity researcher from ADEO Cyber Security Services, also has a theory. “If this cyberattack is state-sponsored then of course Israel is the prime suspect. Iran and Israel are in a cyber-war, and officially both states acknowledge this.”

“Both states mutually organise cyberattacks through their intelligence services and everything has escalated since 2020 when retaliation came from Israel after Iran launched a failed cyberattack on Israeli water infrastructure systems and attempted to interfere with the chlorine level.”

UK-based Iranian activist and independent cyberespionage investigator Nariman Gharib also shared his thoughts: “If Israel is behind these attacks, I think they are showing that they can do real damage rather than just disrupting a service. It shows how things can quickly escalate.”

Last week, Predatory Sparrow leaked “top secret documents and tens of thousands of emails”, along with “trading practices” from the steel makers it attacked.

Predatory Sparrow massively disrupts steel factories while keeping workers safe

A researcher found eight malware-laden apps in the Play Store which have been downloaded over 3 million times.
The post New variant of Android SpyJoker malware removed from Play Store after 3 million+ installs appeared first on Malwarebytes Labs.

Security researcher Maxime Ingrao has found a new variant of Android/Trojan.Spy.Joker which he’s dubbed Autolycos. Malware in this family secretly subscribes users to premium services. The researcher noted that the eight applications that contained this malware had racked up a total of over 3 million downloads.

**Toll fraud malware**

Toll fraud malware is a subcategory of billing fraud in which malicious applications subscribe users to premium services without their knowledge or consent. At the moment, toll fraud malware—also known as fleeceware—is one of the most prevalent types of Android malware. And not only does the number of infections keep going up, so does the sophistication of the malware.

**Joker**

Android/Trojan.Spy.Joker was the first major family that specialized in this field. It was first found in the Play Store in 2017. Joker is capable of clicking on online ads, and asks for SMS permissions during installation so it can access One Time Passwords (OTPs) to secretly approve payments. The user will never know that they have been subscribed to some service online until they check their bank statements or phone invoice.

**Detection**

Google uses the name Bread for the Joker malware family. In January, 2020, Google Play Protect detected and removed 1,700 unique Bread apps from the Play Store. By using as little code as possible and thoroughly hiding it, Joker generates a very discreet footprint which makes it hard to detect. But SMS and toll fraud generally require some basic functionality like disabling WiFi which needs one of a handful of APIs. Since Joker expects security researchers to look for those APIs, it uses a wide variety of techniques to mask the usage of them.

**Slow response**

The small footprint and masked usage of APIs must make it hard to find malicious apps among the multitude of apps that can be found in the Google Play Store. But that doesn’t explain why it took Google over a year to remove the eight apps reported by Maxime Ingrao. He reported the apps in June, 2021, and the last two were removed on July 13, 2022. It’s possible they would still be available if the researcher hadn’t gone public because he said he got tired of waiting.

**Autolycos**

As mentioned earlier, the malware is still undergoing development. What is new about this type is that it no longer requires a WebView. WebViews are exactly what the name indicates—a small view to a piece of Web content. A WebView can be a tiny part of the app screen, a whole page, or anything in between. Not requiring a WebView greatly reduces the chances that the user of an affected device notices something fishy is going on. Autolycos avoids WebView by executing URLs on a remote browser and then including the result in HTTP requests.

**Malicious apps**

BleepingComputer posted the list of malicious apps found by Maxime Ingrao, which users may still have installed:

*   Vlog Star Video Editor (com.vlog.star.video.editor) – 1 million downloads
*   Creative 3D Launcher (app.launcher.creative3d) – 1 million downloads
*   Wow Beauty Camera (com.wowbeauty.camera) – 100,000 downloads
*   Gif Emoji Keyboard (com.gif.emoji.keyboard) – 100,000 downloads
*   Freeglow Camera 1.0.0 (com.glow.camera.open) – 5,000 downloads
*   Coco Camera v1.1 (com.toomore.cool.camera) –  1,000 downloads
*   Funny Camera by KellyTech –  500,000 downloads
*   Razer Keyboard & Theme by rxcheldiolola – 50,000 downloads

Pradeo researchers have also identified four new malicious applications that embed the Joker malware:

*   Smart SMS Messages 50.000+ installs
*   Blood Pressure Monitor 10.000+ installs
*   Voice Languages Translator 10.000+ installs
*   Quick Test SMS 10.000+ installs

**How to avoid toll fraud malware**

Users that have any of the listed apps installed are advised to remove them as soon as possible. To avoid getting infected and duped by toll fraud malware there are a few countermeasures you can take:

*   Keep Play Protect active.
*   Pay attention to apps asking for permissions, in this case especially SMS permissions.
*   Minimize the number of apps you install, however useful they may seem. The Autolycos operators created numerous advertising campaigns on social media.
*   Do not rely on user reviews alone, since the malware authors use bots to maintain a good user rating.

Also, always keep an eye on your background internet data, battery consumption, phone invoices, and bank statements, just in case. The sooner you stop it, the smaller the damages.

New variant of Android SpyJoker malware removed from Play Store after 3 million+ installs

China is gathering more intel about Russia after strengthening their diplomatic ties in the face of Western sanctions.
The post China’s Tonto Team increases espionage activities against Russia appeared first on Malwarebytes Labs.

According to analyses of several cybersecurity firms and CERT (Computer Emergency Response Team) Ukraine (CERT-UA), the state-sponsored threat actor group Tonto Team, which has been linked to China-backed cyber operations, is ramping up its spying campaign against Russian government agencies. 

The campaign, which involves an email, a Word document file in RTF (Rich Text File) format, and a backdoor payload, starts off with socially engineering recipients to convince them to open a malformed attachment, triggering the execution of an MS Office exploit, particularly in the Equation Editor.

According to SentinelOne, the RTF file masquerades as a government advisory or security warning to agencies and infrastructure providers of potential attacks.

This is the malicious RFT document attached to an email sent over by the Tonto Team to targets, shared by one of our threat intelligence researchers on Twitter.  
(Source: Hossein Jazi | Malwarebytes)

The fake advisory is written in Russian. Below is the Google-translated text in English:

(Source: Hossein Jazi | Malwarebytes)

    Dear colleagues!
    
    In addition, we remind you that recently there have been more cases of attempts to steal logins / passwords for access of employees of the Minsitry to official mail and the Service Portal.
    
    Attackers on behalf of representatives of the Department of the Ministry of Foreign Affairs, government and other organizations send letters to e-mail addresses, in which they convince you to familiarize yourself with various documents and information.
    
    Under no circumstances do not enter your service login / password in such cases.
    
    Please note that the documents must be attached to the letter and opened from the body of the letter.
    
    Compliance with these rules will allow you to maintain the confidentiality of not only your data, but also the data of other employees of the Ministry.

The Tonto Team used Royal Road (sometimes called “8.t”) to create the malicious RTF file. First analyzed by nao\_sec, Royal Road is a document builder that gives threat actors the ability to embed malicious code within RTF files, aiding actors in compromising target systems.

The exploit is triggered upon opening the file, and the malware payload, Bisonal, is dropped. Bisonal, a tool many Chinese threat actors use, is a RAT (remote access Trojan). Apart from Chinese APTs (Advanced Persistent Threats), no other threat actor has used Bisonal.

The Tonto Team, an APT group that has been around almost as long as Bisonal, has many aliases: Karma Panda, Bronze Huntley, CactusPete, and Earth Akhlut. The group is known for targeting Asian nations (South Korea, Taiwan, and Japan) and Russia. So, this isn’t the first time China has been in the case of the former Soviet state. Rather, this is about a notable increase in targeting activity against Russia.

“What we’re seeing here is a potential Chinese government increase in intelligence collection requirements from inside Russia,” SentinelOne Senior Threat Researcher Tom Hegel told Dark Reading in an interview. “Perhaps an increased prioritization or expansion of resources assigned to such tasking.”

China is prioritizing its espionage campaign against Russia due to the ongoing Russian invasion of Ukraine. And while Chinese officials see themselves with Russia as “comprehensive strategic partners of coordination”, their diplomatic relations have strengthened through the years, mainly to suppress the expansion of Western alliances.

What China is doing is “simply China looking out for itself in uncertain times,” Hegel is also quoted saying. “Like any well-resourced nation, they seek to support their own agenda through cyber, and the state of affairs in Russia may be adjusting just what they prioritize.”

Chinese hacking groups have been using Royal Road and Bisonal for years, which says a lot. Its longevity points to the shared use of resources among these groups, making attribution very difficult. The repeated use of these tools through the years also suggests that campaigns against targeted nations have been successful, which gives us an idea of the state of security of these countries.

“The fact that these toolkits evolve and continue to operate really speaks to how well they’re resourced, and the state of the defense side,” Hegel told CyberScoop in a separate interview. “Nothing can really stop them from continuing to use this. It’s still successful in many cases, as we see here. You look at the exploits they’re using in these documents, they’re years old exploits. They’re popping people that are out of date by quite a few years.”

China’s Tonto Team increases espionage activities against Russia

In this post, we break down three endpoint security for Mac best practices to help you prevent phishing attacks, DDoS attacks, and much more.
The post Endpoint security for Mac: 3 best practices appeared first on Malwarebytes Labs.

If you’re one of the 50% of small and medium-sized businesses (SMBs) that use Mac devices today, chances are your IT and security teams have a ton of Mac endpoints to monitor. 

Securing that many endpoints can get really complex, really fast, especially when you consider that the common wisdom that Macs don’t get malware simply isn’t true: in fact, the number of malware detections on Mac jumped 200% year-on-year in 2021. 

And it’s not just malware you have to worry about with your Mac endpoints. 

Phishing attacks, vulnerability exploits, DDoS attacks, and much more threaten your company’s Macs at any time — and if any of them are successful, it could cost your business millions in lost productivity and information theft. 

Needless to say, these are a lot of different threats to deal with when it comes to Mac endpoint security. But Thomas Reed, Director of Mac & Mobile at Malwarebytes, is here to remind us of a few simple things we can do to make our Mac endpoints more secure. 

In this post, we break down three of Reed’s best practices for endpoint security for Mac. 

**1\. Update frequently**

As in the Windows world, one of your top priorities needs to be keeping your Macs up to date — and by now we should all understand why. Just consider the fact that 60% of companies say breaches could have been avoided if they had patched known vulnerabilities. 

Tracking and patching vulnerabilities on macOS, however, is a little more difficult to do than on Windows. 

While Microsoft regularly advertises its security updates with its Patch Tuesdays,  Apple slips in patches on an ad-hoc basis — meaning MacOS admins need to put in a little more legwork to keep their devices up-to-date.

To ensure that you know about the latest updates for your Mac endpoints, there are two things you should do.

1.  **Sign up for Apple’s public security notifications and announcements mailing list**. You’ll get an email anytime Apple releases a patch for macOS.
2.  **Regularly check Apple’s list of security updates and patches.** It provides patch names, patch information, affected devices, and release dates.

Additionally, if you’re like most businesses and find that having no common view of assets is causing you major delays in patching, you should consider a vulnerability management solution that gives you instant visibility into potential vulnerabilities across your macOS environment.

**2\. Use a DNS filter to stop web-based attacks**

Since Macs have a much smaller amount of “traditional” malware attacking them compared to Windows, you might think your endpoints are in the clear of cyberattacks. 

Not so. 

Instead of file-based malware, a lot of Mac users get attacked with adware and PUPs that are typically delivered through a number of web-based scams. These threats can throw advertisements up on your screen and slow your computer down, among other things.

OK, that sounds annoying. But surely a few advertisements aren’t too big a threat to your Mac endpoint security, right? Not quite, says Thomas Reed.

“Some of the adware out there is more sophisticated than most of the malware that we see for Mac,” Reed says. “It can do all kinds of stuff, like sending all your network traffic through a proxy or changing system settings to be less secure.”

Reed also mentions that a lot of adware and PUPs are part of the payload of scam sites that direct you to some kind of installer that you download — and so having some sort of web-based protection is vital. That’s where DNS filtering comes in.

“The source of all of these kinds of attacks is through the web, and DNS filtering can help with that by blocking some of those sites,” Reed says.

DNS filtering blocks connections to malicious web servers attempting to deliver malware payloads, so any business interested in Mac endpoint security should have it. Learn more about the ways DNS filtering can save your business from cyberattacks.

**3\. Don’t rely on Mac AV – use EDR **

Since 2009, Apple has included a built-in antivirus (AV) technology called XProtect on all Macs — and while it’s fairly good, there are a lot of threats that it doesn’t detect (that a third-party would).

“You can’t rely on the built-in antivirus that’s in Mac OS to do the job,” Reed says. “You really need to have something else on top of that.”

Even so, let’s be overly generous and say XProtect and your third-party AV detects and removes every Mac malware threat. Throw in the fact that traditional AVs can’t prevent sophisticated threats such as file-based malware, and you just may be left wondering what you can do to best protect your Macs from damaging endpoint attacks.

Endpoint detection and response (EDR) is the answer. 

EDR gives you a real-time “birds-eye view” of all of your Mac endpoints, so whenever something happens outside the norm, you isolate an endpoint, quarantine the threat, or remediate. This stands in stark contrast to more reactive signature-based solutions (like AVs) that allow malware to execute before working.

A key feature of EDR is its threat hunting capabilities. Read our Threat Hunting Made Easy eBook to learn how to save hours every month on threat investigation and response.

**Prevent your Mac endpoints from online threats **

With everything from security vulnerabilities to malware threatening your company’s Macs at all times, Mac endpoint security is high-up on the list of priorities for macOS admins. In this post, we explained how macOS admins can stay on top of their patching game and why having a DNS filter and EDR are so essential for protecting Mac endpoints from a variety of threats.

Want to learn more about what simple and effective Mac endpoint protection looks like in action? Watch the demonstration of Malwarebytes Endpoint Detection and Response (EDR)!

Endpoint security for Mac: 3 best practices

Cleo Communications took advantage of the FCC's EBB program to scam those already struggling with money when the pandemic struck.
The post Low-income consumers preyed on by fake ISP during pandemic, FCC says appeared first on Malwarebytes Labs.

The FCC (Federal Communications Commission) has proposed a fine of $220,210 against Kyle Traxler of Ohio for allegedly establishing the bogus internet provider, Cleo Communications, to scam low-income consumers. The victims believed they were receiving government-approved discounts on internet services and devices during pandemic lockdowns in the US.

In a document posted to its site, the FCC says Traxler “willfully and repeatedly” committed multiple federal wire fraud violations for three months, from May 24, 2021, to August 11, 2021. During this time, Traxler, who was CEO of Cleo Communications, sought to be authorized by the FCC as an ISP provider under the Emergency Broadband Benefit (EBB) program, which the FCC opened to provide subsidized broadband—$50 monthly discounts—to those who had low or lost income when the pandemic hit.

Per the notice, Cleo Communications sold EBB-discounted devices via its website, accepting payments via PayPal, Venmo, credit cards, and interstate wire transfers. However, these products never arrived. When consumers asked for a refund for products or services that never materialized, the company refused, citing its “Terms of Service” as the basis for refusal. Cleo’s terms stated:

    Cleo Communications operates a PREPAID Service. All services are sold as in (sic) and without warranty. Under NO circumstances does Cleo Communications represent any warranty nor provide a refund of any kind for services that are offered [...] Cleo Communications does NOT nor will ever imply or agree upon a refund, credits nor any other refunds of service and monies to be returned to you.
    
    All refunds and credits are up to Cleo at its sole discretion and therefore, charge backs to us via any customer bank is breach of contract at any time and is subject to further legal action up to but not limited to small claims court actions for breach of contract in the amount of what is disputed, any and all legal fees, court fees, attorney fees, filing fees, interest at 9.9%, and a contract breach fee in the amount of $300.00.

In some cases, Cleo threatened to sue them for “terms of service breach”, admin cost for preparing the invoice, and an interest rate.

From the document:

> “Cleo apparently existed for the sole purpose of taking financial advantage of customers under the disguise of being a legitimate EBB Program provider. Cleo Communications has had no business activity outside of the EBB Program and no other business purpose.
> 
> After receiving authorization to participate in the EBB Program and advertising that participation on its website, Cleo apparently never enrolled consumers in the EBB Program or delivered the discounted broadband services or devices for which Cleo received payment from consumers who believed Cleo’s online website representations.”

Complaints received by the FCC eventually triggered the investigation into Cleo Communications and Traxler. The agency interviewed eight of Cleo’s victims from various states, and all shared a very similar story. Cleo never resorted to other schemes that could have defrauded the EBB program directly. Instead, Traxler chose to just scam consumers.

> “Cleo’s schemes to defraud consumers under the pretense of participating in the EBB Program caused severe harm not only in monetary terms to the low-income consumers it preyed upon, but also to the trust and goodwill this or any program needs to achieve its purposes effectively.”

The EBB program was eventually discontinued and replaced by the Affordable Connectivity Program, which offered $30 monthly discounts.

Low-income consumers preyed on by fake ISP during pandemic, FCC says

2022 is shaping up to be another banner year for ransomware, which continued to dominate the threat landscape in Q2. 
The post Ransomware rolled through business defenses in Q2 2022 appeared first on Malwarebytes Labs.

Ransomware has given security professionals a headache for the better part of a decade. Fast forward to 2022, and the headache has become a migraine—not just for IT teams but business owners, employees, and customers as well. Over the last three months, ransomware gangs have increased the pressure by multiplying in number and unleashing targeted attacks on vulnerable industries, with disruptions to business operations, million-dollar ransom demands, data exfiltration, and extortion.

The supply chain, already stretched to a breaking point, suffered additional misfortunes across multiple industries, from agriculture and manufacturing to technology and utilities. Governments, nonprofits, and schools—some forced to close their doors—didn’t escape unscathed. And the carnage was not confined to US borders, though it was by far the most affected country. Germany, the UK, and Italy also registered high ransomware tallies.

To understand how we got here, let’s first take a closer look at recent statistics on the top ransomware variants, countries and industries attacked. Next, we’ll evaluate noteworthy attacks month-by-month before discussing whether it’s worth paying the ransom in today’s climate. In addition, we’ll examine current trends to deduce what businesses might expect from ransomware authors in the months to come. Finally, we’ll review mitigation tactics that businesses of all sizes can adopt to keep ransomware at bay.

****Top ransomware variants****

LockBit was the most widely-distributed ransomware in March, April, and May 2022, and its total of 263 spring attacks was more than double the number of Conti, the variant in second place. However, the Conti gang suffered severe setbacks in the wake of its public declaration of support for Russia and subsequent data leaks of its source code, and the group quietly dismantled operations while keeping up appearances. Three groups alleged to be linked to Conti’s disbandment—Black Basta, ALPHV, and Hive—eventually overtook Conti in ransomware distribution by the end of May.

Here’s how the top variants ranked by total number of spring incidents:

1.  LockBit: 263
2.  Conti: 127
3.  Black Cat/ALPHV: 68
4.  Hive: 40
5.  Black Basta: 33\*

\*Black Basta launched in April, so its tally is one month less than the others.

****Top countries****

The United States was by far the most attacked country this spring, with 290 reported ransomware events. Its cyberattack count far surpassed the next two highest countries (Germany and the UK) combined, with the former reporting 48 ransomware incidents and the latter 41.

Here are the top five countries impacted by ransomware this spring:

1.  United States: 290
2.  Germany: 48
3.  UK: 41
4.  Italy: 38
5.  Canada: 31

****Top industries****

Perhaps it might be easier to create a list of industries that weren’t impacted by ransomware in Q2. Services—a catch-all term encompassing service-providing sectors such as transportation, travel, finance, health, education, information, government, and a myriad of other industries—was targeted the most by cybercriminals. However, in a clear bid for the supply chain jugular, threat actors also zeroed in on manufacturing, technology, utilities (including oil), and agriculture.

In fact, the FBI warned the food and agriculture sector (specifically farmers’ co-ops) this April about potential ransomware attacks during critical planting and harvesting seasons that could result in operational disruptions to the supply chain, which could then lead to food shortages. The previous month, HP Hood Dairy suffered a ransomware attack, which was likely behind its Lactaid brand going missing from shelves in early April.

Here’s how the top five industries ranked by number of ransomware attacks this spring:

1.  Services: 171
2.  Manufacturing: 76
3.  Technology: 65
4.  Utilities: 61
5.  Retail: 50

****Noteworthy March attacks****

March was a chaotic month featuring headline-grabbing attacks on tech giants Microsoft and Samsung, as well as automotive titan Toyota, which was forced to halt production across its Japanese plants after a key supplier was compromised. Lapsus$, the criminal enterprise behind Samsung’s infiltration, leaked 190 GB of data and source code reportedly from the Galaxy smart phone, as well as confidential information from Qualcomm.

The most active ransomware variant was LockBit, which registered 97 attacks in March alone, including a hit on tire company Bridgestone Americas that caused the organization to disconnect many of its Latin and North American manufacturing and retreading facilities from the corporate network.

Hive ransomware, a RaaS launched in June 2021, was also busy in March. The group attacked Romania’s petroleum provider, demanding a multi-million dollar ransom and forcing the company to shut down its websites and Fill&Go services at gas stations. Hive also compromised a California healthcare nonprofit later in the month.

****Noteworthy April attacks****

April stood out as the month when three new dangerous RaaS variants, thought to be Conti-affiliated were introduced: Onyx, Mindware, and Black Basta. Conti still had some bite left, however, with 43 reported attacks that month. Among them were industrial giant Parker Hannifin and American automotive tools manufacturer Snap-on, as well as Panasonic’s Canadian operations, from which Conti claimed to have stolen 2.8 GB of data.

Newcomer Black Basta, who carried out 11 attacks in April, made headlines when it compromised German wind turbine company Deutsche Windtechnik and the American Dental Association, which was forced to take affected systems offline. The organization suffered disruptions to online services, telephones, email, and webchat, as well as personal data leaked on its members.

Onyx ransomware, meanwhile, launched with only six attacks in April, but they were deadly. The malware doesn’t just lock up systems and data—it destroys any file larger than 2 MB. Mindware also made a splashy April debut with double extortion threats and 13 attacks, including a Minnesota-based mental health provider from which it pilfered sensitive patient information.

The award for most data stolen in April goes to the Stormous criminal gang, who bragged about an assault resulting in 161 GBs exfiltrated from Coca-Cola without the company knowing. Reports say the Russian-linked threat actors later put it up for sale for 16 million Bitcoin or $640,000.

To add insult to injury, REvil (aka Sodonokibi) appeared to return in April with new payloads and a fresh leak blog featuring a mixture of recent and old victims. The threat actors have been linked to numerous high-profile ransomware incidents, including arguably the biggest ransomware attack of all time—a supply-chain hit on Kaseya in July 2021 believed to have affected over 1,000 businesses.

****Noteworthy May attacks****

In May, government and education were some of the hardest hit verticals, while attacks on Indian airline SpiceJet and farming equipment maker AGCO made the most headlines globally. Black Basta was reportedly behind the AGCO infiltration, which disrupted production of harvesters, tractors, and other business operations. The Austrian state of Carinthia also made the news when the BlackCat gang disrupted their systems and demanded a ransom of $5 million.

Despite strong evidence of a slow-down in activity—just 12 reported incidents in May—Conti made a showy display with a massive, sustained attack against Costa Rica that resulted in its new president declaring a state of emergency on May 8. On the same day, an inflammatory message appeared on the group’s leak site alongside 672 GB of stolen data. In response, the US Department of State offered a $10 million reward for information leading to individuals holding key leadership positions within Conti.

In other May government attacks, the town of Quincy, Massachusetts, had its information service systems compromised. They paid $500,000 for a decryption key and an additional $150,000 for security consultants to assist with the investigation. A ransomware attack in New Jersey’s Somerset County disrupted services and forced employees to shut down computers and create temporary Gmail accounts to ensure the public could still email key departments. The attack marked the 22nd US state or local government to be hit by ransomware in 2022, according to analysts at Recorded Future.

In education, several colleges and K–12 districts were crippled by ransomware. Kellogg Community College in Michigan was forced to cancel classes and close campuses due to a ransomware attack. On May 13, Lincoln College in Illinois permanently closed its doors after 157 years due to the combined effects of the pandemic and a major ransomware incident—a first in ransomware history.

Not to be outdone, LockBit set a steady pace in May with 73 attacks. Thought to have strong ties with Russia, the cybercriminals compromised the Bulgarian Refugee Agency and threatened to release sensitive files. Nearly 230,000 Ukrainian refugees have entered Bulgaria since the start of the war. LockBit was also behind May strikes against electronics manufacturer Foxcomm, the Rio de Janeiro finance department, and one of the largest library services in Germany.

****New ransomware trends****

In recent months, cybercriminals have upped the ransomware ante with further developments in functionality, sophistication, and distribution techniques. As a combined result of the increase in big game hunting (BGH) and remote/hybrid work, threat actors have been encountering ever more complex security infrastructures and a wider variety of devices and platforms.

To penetrate and encrypt as many systems as possible, some threat groups have started writing ransomware code using cross-platform programming languages like Python, Rust, or Golang. This allows the malware to run on different combinations of operating systems and architectures. Both BlackCat and Conti affiliates have been observed distributing versions of their variants for Linux as well as Windows. Developing in a cross-platform language also makes analyzing the malware more difficult for security researchers.

In attack methods, ransomware authors—while still favoring good old-fashioned social engineering—have started backing away from phishing emails and leaning toward exploiting server, software, and operating system vulnerabilities instead. In fact, unpatched vulnerabilities are now the primary vector for ransomware attacks, according to a report by IT software company Ivanti.

Last year, Ivanti identified 65 new vulnerabilities known to have been exploited in ransomware attacks—a number representing nearly one quarter of all vulnerabilities used to drop the threat in the history of its existence. There were 39 percent more vulnerabilities used for ransomware attacks in 2021 than in the previous year, and 2022 is shaping up to be even more tumultuous. From January to May 2022, 22 new vulnerabilities associated with ransomware were found, and all but one are considered critical or high-risk.

What do these trends mean for the year ahead? Cross-platform ransomware has the potential to infect even more systems, some (like Linux) that lack robust anti-ransomware protections. Coding ransomware in this way could eventually take down all endpoints, including IoT and personal devices, in a single blow, rendering recovery operations incredibly difficult—if not outright impossible. Automatic data backups to offsite and/or segmented servers will be key in keeping businesses operational in case of breach.

Meanwhile, ransomware operators are moving to swiftly weaponize vulnerabilities. The average time to exploit is now within eight days of the vulnerability being published by a vendor. That means organizations will need to prioritize patching vulnerabilities associated with ransomware, as well as according to criticality and against their own risk appetites.

****To pay or not to pay****

As ransomware attacks have evolved in sophistication and impact, so too have their ransom demands. Ransoms were 36 percent higher in 2021 than in 2020 at an average of $6.1 million. Yet by spring of 2022, many ransomware authors had whittled away at any sense of trust businesses might have had that by paying the ransom, they’ll receive what’s promised.

In 2020, gangs such as Conti, REvil, and Maze published stolen data even if the ransom was paid. Others took the ransom and never returned the files. By 2021, only 8 percent of those who paid the ransom actually got their files back. At that point, 83 percent of successful attacks featured double or triple extortion schemes. According to a Proofpoint study, 60 percent of participants who opted to negotiate with their attackers ended up having to pay ransom more than once.

By spring 2022, ransomware gangs showed no sense of responsibility toward their victims. RaaS operations, which now dominate the ransomware landscape, tend to be short-lived (therefore reputation isn’t important), and renegade affiliates often fail to follow their operator’s directions. When ransom demands bust the budget, data is not returned or is leaked regardless, and paying up puts a target on your back, it’s probably best to pocket the millions and get to work on mitigations.

****Ransomware mitigations****

To stave off potential future attacks—especially in an era of political and economical instability—the following actions are recommended:

*   Implement regular backups of all data to be stored as air-gapped, password-protected copies offline. Make sure these copies are not accessible for modification or deletion from any system where the original data lives.
*   Administer network segmentation so that all machines on your network are not accessible from every other machine.
*   Install updates/patches to operating systems, software and firmware as soon as they are released.
*   Install and regularly update endpoint security software on all devices—including those used in work-from-home capacities—and enable real-time detection.
*   Audit user accounts with administrative privileges and configure access controls with the least privilege in mind. Implement multifactor authentication (MFA) for additional credential security.
*   Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor for any unusual activity.

For ransomware reviews by the Malwarebytes Threat Intel team, check out the following:

*   March ransomware review
*   April ransomware review
*   May ransomware review
*   June ransomware review

Be ready and resilient in advance of ransomware attacks. Learn more.

_Malwarebytes’ CEO Marcin Kleczynski started the Byte into Security newsletter to provide readers with candid takeaways—and practical solutions—for the most pressing security topics of the day._ _Subscribe to get the CEO perspective sent straight to your inbox_!