How experts uncovered a years-long SolarMarker attack on a K-12 district

In early 2024, a large K-12 school district partnered with ThreatDown MDR to strengthen its cybersecurity posture. Shortly after onboarding, ThreatDown MDR analysts detected unusual patterns of activity subsequently identified as the work of SolarMarker, a sophisticated backdoor. It became evident that SolarMarker had been present in the district’s system since at least 2021, likely exfiltrating data over several years.

Let’s dive further into the investigation’s findings and the steps taken to mitigate the threat.

**SolarMarker infection****Background**

The incident began with the detection of an anomalous instance of PowerShell attempting to establish an outbound network connection to a suspicious IP address **(188.241.83.61)**. This connection attempt was thwarted by Malwarebytes Web Protection (MWAC), signaling the first indication of a potential security breach.

**Initial challenges**

Upon investigation, it was discovered that Endpoint Detection and Response (EDR) settings were disabled in the client’s endpoint policy. This limitation prevented the use of Fast Response Scanning (FRS) to capture and analyze detailed endpoint data, necessitating a manual approach to the investigation utilizing Active Response Scanning (ARS).

**Investigation and analysis**

The first step involved querying active network connections with **netstat**, which revealed an instance of PowerShell in operation. To further understand the nature of this PowerShell instance, its command line was examined using Windows Management Instrumentation Command-line (WMIC) with the process ID (PID), which unveiled obfuscated code.

**Decoding and understanding SolarMarker**

The obfuscated PowerShell code was extracted and refactored for clarity. The analysis revealed the following components of the malware’s operation:

    powershell
    
    $decodeKey = '<Base64_encoded_string>'
    
    $encodedFilePath = 'C:\Users\akeith\AppData\Roaming\micROSoft\wbpgVnSBjsytaokm\JqdVQplHfgwxyNmtaPX.gvzPlATqFe'
    
    $decodedPayload = [System.IO.File]::ReadAllBytes($encodedFilePath)
    
    for ($payloadIndex = 0; $payloadIndex -lt $decodedPayload.Count; $payloadIndex++) {
    
     $decodedPayload[$payloadIndex] = $decodedPayload[$payloadIndex] -bxor $decodeKey[$payloadIndex % $decodeKey.Length]
    
     if ($payloadIndex -ge $decodeKey.Length) {
    
     $payloadIndex = $decodeKey.Length
    
     }
    
    }
    
    [System.Reflection.Assembly]::Load($decodedPayload)
    
    [ab821408b424418fa94bb4d815b4e.ad0682a943e4859ef35309cc0a537]::a1f5abfa214411baa77e25f6ceaa6()
    

This code reveals the malware’s methodology:

*   It utilizes a Base64-encoded string as a decryption key.
*   It targets a specific file path for encoded data.
*   It reads, decodes, and executes the encrypted payload.

The command line shows signs of the malicious script execution, with parameters indicative of a desire to hide the window (-WindowStyle Hidden), bypass execution policies (-Ep ByPass), and run encoded commands (-ComMand “sa43…). 

Further investigation uncovered randomly named folders within the AppData\\Roaming\\Microsoft directory, each containing encoded payloads. These discoveries suggested a more widespread infection than initially anticipated.

**Response and mitigation**

The response involved several steps to contain and eliminate the threat:

*   Terminating the malicious PowerShell instance.
*   Deleting the identified folders containing encoded payloads.
*   Conducting a thorough search for persistence mechanisms, which fortunately yielded no findings.

A comprehensive threat scan was executed, and the incident was escalated for visibility with the client. Post-reboot checks confirmed the absence of persistence, no spawn of new PowerShell instances, and blocking of suspicious network connections, indicating successful remediation of the infection.

**Conclusion**

As we’ve seen in our 2024 State of Ransomware in Education report, the educational sector continues to be a prime target for attackers. In this case, attackers used SolarMarker, a sophisticated backdoor, to lurk within the school district’s network for years, likely stealing data in the process. Its presence went undetected until the district onboarded with ThreatDown MDR. Despite facing initial obstacles, such as disabled EDR settings, the ThreatDown MDR team successfully identified and neutralized the SolarMarker infection through manual intervention.

Discover how ThreatDown MDR can safeguard your K-12 institution.

 Stopping a K-12 cyberattack (SolarMarker) with ThreatDown MDR 

Facebook is accused of using potentially criminal methods to spy on Snapchat users to gain a commercial advantage over its competition.

Social media giant Facebook snooped on Snapchat users’ network traffic, engaged in anticompetitive behavior and exploited user data through deceptive practices. That’s according to a court document filed March 23, 2024.

The document mentions Facebook’s so-called In-App Action Panel (IAAP) program, which existed between June 2016 and approximately May 2019. The IAAP program, used an adversary-in-the-middle method called to intercept and decrypt Snapchat’s—and later YouTube’s and Amazon’s—SSL-protected analytics traffic to provide information for Facebook’s competitive decision making. Secure Sockets Layer (SSL) is a standard security technology for establishing an encrypted link between a server and a client.

On June 9, 2016, Facebook CEO Mark Zuckerberg complained about the lack of analytics about competitor Snapchat.

> “Whenever someone asks a question about Snapchat, the answer is usually that because their traffic is encrypted we have no analytics about them. . . .
> 
> Given how quickly they’re growing, it seems important to figure out a new way to get reliable analytics about them. Perhaps we need to do panels or write custom software. You should figure out how to do this.”

So, as part of the IAAP program, the company started Project Ghostbusters by using Onavo. Onavo was a VPN-like research tool that Facebook acquired in 2013. In 2019, Facebook shut down Onavo after a TechCrunch investigation revealed that Facebook had been secretly paying teenagers to use Onavo so the company could access all of their web activity.

The Project Ghostbusters technique relied on technology known as a server-side SSL bump performed on Facebook’s Onavo servers. SSL bumping, also known as SSL interception, involves intercepting and decrypting SSL/TLS traffic, inspecting it for malicious content or policy violations, and then re-encrypting and forwarding it to the intended destination.

To gain access to the data about their competitor, Facebook incentivized users to install “kits” on both Android and iOS devices that impersonated official servers and decrypted traffic that Facebook had no right to access.

These kits allowed Facebook to intercept traffic for specific sub-domains, allowing them to read what would otherwise be encrypted traffic and to measure in-app usage of their competitor’s apps. The users were clueless about what the kits did exactly, but it allowed the operators to view and analyze the traffic before it got encrypted.

According to the court documents, advertisers suing Meta claim that Facebook later expanded the program to Amazon and YouTube. This practice is likely in violation of wiretapping laws and “potentially criminal.” Facebook’s secret program likely violated the Wiretap Act, because it prohibits intentionally intercepting electronic communications with no applicable exception and the use of such intercepted communications.

We’ll keep you updated on how this develops.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Facebook spied on Snapchat users to get analytics about the competition 

Google has released an update for Chrome to fix seven security vulnerabilities.

Google has released an update to Chrome which includes seven security fixes. Version 123.0.6312.86/.87 of Chrome for Windows and Mac and 123.0.6312.86 for Linux will roll out over the coming days/weeks.

The easiest way to update Chrome is to allow it to update automatically, which basically uses the same method as outlined below but does not require your attention. But you can end up lagging behind if you never close the browser or if something goes wrong—such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time, given the severity of the vulnerability in this patch. My preferred method is to have Chrome open the page chrome://settings/help which you can also find by clicking **Settings > About Chrome**.

If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete, and for you to be safe from those vulnerabilities.

_After the update, the version should be 123.0.6312.86, or later_

**Technical details**

Google never gives out a lot of information about vulnerabilities, for obvious reasons. Access to bug details and links may be kept restricted until a majority of users are updated with a fix.

There is one critical vulnerability that looks like it might be of interest to cybercriminals.

CVE-2024-2883: Use after free (UAF) vulnerability in Angle in Google Chrome prior to 123.0.6312.86 could allow a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Angle is a browser component that deals with WebGL (short for Web Graphics Library) content. WebGL is a JavaScript API for rendering interactive 2D and 3D graphics within any compatible web browser without the use of plug-ins.

UAF is a type of vulnerability that is the result of the incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. In this case, when the vulnerability is exploited, it can lead to heap corruption.

Heap corruption occurs when a program modifies the contents of a memory location outside of the memory allocated to the program. The outcome can be relatively benign and cause a memory leak, or it may be fatal and cause a memory fault, usually in the program that causes the corruption.

Chromium vulnerabilities are considered critical if they “allow an attacker to read or write arbitrary resources (including but not limited to the file system, registry, network, etc.) on the underlying platform, with the user’s full privileges.”

So, to sum this up, in this case an attacker could create a specially crafted HTML page–which can be put online as a website–that exploits the vulnerability, potentially leading to a compromised system.

My suggestion: don’t wait for the update, get it now.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

 Update Chrome now! Google patches possible drive-by vulnerability 

A robocaller that spoofed a local phone number and presented his targets with inflammatory and disturbing content has received a hefty fine.

A federal court in Montana has fined a man $9.9 million after he was found responsible for causing thousands of unlawful and malicious spoofed robocalls.

Sometimes there is good news. Well, for almost everybody except for the robocaller who was found guilty of unlawful robocalls to people in states including Florida, Georgia, Idaho, Iowa and Virginia in 2018. The court also imposed an injunction prohibiting any future violations of the Truth in Caller ID Act and Telephone Consumer Protection Act.

Scott Rhodes spoofed his telephone number, so it appeared to his targets that he was calling from a local phone number. If they picked up, they were presented with recorded messages. Those messages included highly inflammatory and disturbing content, often directed at certain communities, that intended to offend or harm the recipients.

Those messages typically addressed tragic and controversial events that took place in the region. Many consumers who received the calls found the calls so disturbing, they submitted complaints to FCC and other law enforcement regarding unwanted and harassing robocalls.

The FCC traced the unlawful spoofed robocalls to Scott Rhodes, a resident of Idaho and Montana, and in January 2021, the FCC imposed a $9,918,000 forfeiture penalty against Rhodes. In September 2021, the Justice Department sued Rhodes in the District of Montana to recover that penalty and obtain an injunction.

In October 2023, the United States moved for summary judgment, and the court subsequently entered an injunction and the full $9,918,000 forfeiture penalty against Rhodes, after concluding based on a de novo review of the evidence that Rhodes committed the violations found by FCC. When a court hears a case as “de novo,” it is deciding the issues without reference to any legal conclusion or assumption made by the previous court to hear the case.

Principal Deputy Assistant Attorney General Brian Boynton, head of the Justice Department’s Civil Division commented:

> “The department is committed to protecting consumers from deceptive robocalls. We are very pleased by the court’s judgment, and we will continue working with the FCC and other agency partners to vigorously enforce the telemarketing laws that prohibit these practices.”

Earlier this year we reported that the FCC efforts seem to be paying off, by showing an encouraging decline in robocalls.

Last year, another robocaller made headlines after the FCC issued a $300 million forfeiture to a persistent offender and shut down their operation.

**What to do if you answer a robocall**

When you receive a call from someone outside your contact list only to hear a recorded message playing back at you, that’s a robocall.

1.  Hang up as soon as you realize that it is an automated robocall.
2.  Do not engage with the call at all.
3.  Don’t follow any instructions.
4.  Avoid giving away any personal information.
5.  Report the robocall.
    *   If you’ve lost money to a phone scam or have information about the company or scammer who called you, tell the FTC at ReportFraud.ftc.gov.
    *   If you didn’t lose money and just want to report a call, use the streamlined reporting form at DoNotCall.gov
    *   If you believe you received an illegal call or text, report it to the Federal Communications Commission (FCC).

It is important to not engage in any conversation or respond to any prompts to minimize the risk of fraud. Even the smallest snippets of your voice being recorded, can be used in scams against you or your loved ones.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Disturbing robocaller fined $9.9 million 

Meta will retire social media tracking tool CrowdTangle in August 2024, which is awkward timing given the amount of important elections this year.

On 14 March, Meta announced it would abandon CrowdTangle, saying the tool will no longer be available after August 14, 2024. While most people have never heard of CrowdTangle, among journalists the tool is considered essential. Its popularity largely depends on the ability to monitor social media activity around important elections.

This makes the timing of the change a bit awkward to say the least. Not just in the US, but in many countries around the world there are major elections in 2024.

Data analysis tool CrowdTangle was created to show publishers which posts on Facebook pages were getting the most engagement. However, researchers and journalists later discovered that monitoring which stories spread most quickly, also provides the means to find the source of disinformation and watch how it spreads.

Meta bought CrowdTangle eight years ago, and the tool helped journalists and researchers learn more about the content on Meta’s platforms, including Facebook and Instagram. It was the first major tool that let the public analyze trends on the social media platforms in real time.

But it also produced negative consequences for Meta. If content performed well, Meta received accusations of promoting that content in its algorithm. In 2021, CrowdTangle underwent some changes and the team that ran it, including founder and CEO Brandon Silverman, was dismantled.

Arguably, the only thing keeping CrowdTangle alive at that point was Article 40 of the European Union’s Digital Services Act, which requires very large platforms and search engines to share publicly available data with researchers and nonprofit groups.

So, in November of 2023, Meta introduced the Meta Content Library as a replacement for CrowdTangle to “help us meet new regulatory requirements, data-sharing and transparency compliance obligations.”

In an interview, Meta’s president of global affairs Nick Clegg said that the Meta Content Library is a better tool for researchers than CrowdTangle in almost every way. For starters, it includes data about reach, which he said offers a better picture of what content on the platform is most popular.

Researchers who have used both CrowdTangle and the Content Library are torn, they say that both tools have their strengths and weaknesses. However, the audience for the Content Library is much more limited: aside from certain fact checkers, journalists won’t have direct access.

In an open letter, Mozilla has called on Meta to keep CrowdTangle functioning until January 2025. At the time of writing, 156 universities, researchers, disinformation trackers, privacy watchers, and other social media followers have signed the request.

They fear that the absence of CrowdTangle will undermine the monitoring of election disinformation in a year that approximately half the world’s population will vote.

**We don’t just report on threats – we help protect your social media**

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Cyrus, powered by Malwarebytes.

 Meta to abandon social media tracking tool CrowdTangle 

Mozilla released an update of Firefox to fix two critical security vulnerabilities that together allowed an attacker to escape the sandbox.

Mozilla released version 124.0.1 of the Firefox browser to Release channel users (the default channel that most non-developers run) on March 22, 2024. The new version fixes two critical security vulnerabilities. One of the vulnerabilities affects Firefox on desktop only, and doesn’t affect mobile versions of Firefox.

Windows users that have automatic updates enabled should have the new version available as soon or shortly after they open the browser.

_Version number should read 124.0.1 or higher_

Other users can update their browser by following these instructions:

*   Click the menu button (3 horizontal stripes) at the right side of the Firefox toolbar, go to **Help**, and select **About Firefox**. The About Mozilla Firefox window will open.
*   Firefox will check for updates automatically. If an update is available, it will be downloaded.
*   You will be prompted when the download is complete, then click **Restart to update Firefox.**

To change the way in which Firefox installs updates, you can:

*   Click the menu button (3 horizontal stripes) and select **Settings**.
*   In the **General** panel, go to the **Firefox Updates** section.
*   Here you can adjust the settings to your liking.

**The vulnerabilities**

The vulnerabilities were found during the Pwn2Own Vancouver 2024 hacking competition. The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs patched in this update are:

CVE-2024-29943: an attacker was able to perform an out-of-bounds read or write on a JavaScript object by fooling range-based bounds check elimination. This vulnerability affects Firefox < 124.0.1.

An out-of-bounds read or write can occur when a program has access outside the bounds of an allocated area of memory, potentially leading to a crash or arbitrary code execution or disclosure of information. This can happen when the size of the data is larger than the size of the allocated memory area, when the data is written to an incorrect location within the memory area, or when the program incorrectly calculates the size or location of the data.

CVE-2024-29944: An attacker was able to inject an event handler into a privileged object that would allow arbitrary JavaScript execution in the parent process. Note: This vulnerability affects Desktop Firefox only, it does not affect mobile versions of Firefox. This vulnerability affects Firefox < 124.0.1 and Firefox ESR < 115.9.1.

Firefox ESR (Extended Support Release) is offered for organizations, including schools, universities, businesses, and others who need extended support for mass deployments.

An event handler is a program function that is executed by the application or operating system when an event is executed on the application.

Programming languages are built on the concept of classes and objects to organize programs into simple, reusable pieces of code. A privileged object is a function or piece of code with elevated permissions.

Together, the two vulnerabilities allowed the researcher to achieve a sandbox escape of Firefox. The sandbox is employed to protect against malicious content entering the system through the browser.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

 Patch now: Mozilla patches two critical vulnerabilities in Firefox 

Federal authorities have asked Google to reveal the identities of people that watched certain videos in at least two investigations.

Federal US authorities have asked Google for the names, addresses, telephone numbers, and user activity of accounts that watched certain YouTube videos, according to unsealed court documents Forbes has seen.

Of those users that weren’t logged in when they watched those videos between January 1 and 8, 2023, the authorities asked for the IP addresses.

The starting point of one of the investigations is an entity that uses the handle “elonmuskwhm” and is suspected of money laundering by selling Bitcoin for cash. As part of the investigation, agents sent the suspect links to tutorials on YouTube about mapping via drones and augmented reality software.Then they asked YouTube to send them data about the people that watched that video.

But those video tutorials were not private and had been watched over 30,000 times by the time the agents asked YouTube’s parent company Google for information about the viewers.

In another case, related to a bomb threat, the authorities asked for information about the viewers of eight selected live streams. One of those live streams has over 130,000 subscribers.

The police received a threat from an unknown male that there was an explosive placed in a trash can in a public area. When the police went to investigate the matter, they found out their actions were broadcasted through a YouTube live stream camera. Apparently similar events had taken place before, so for good reason law enforcement is after the evildoers.

But asking for data of that many viewers, many of which we can assume to be innocent bystanders, goes against what privacy experts believe to be reasonable. This type of digital dragnets go against the fourth amendment: freedom from unreasonable searches.

Albert Fox-Cahn, executive director at the Surveillance Technology Oversight Project (STOP) said:

> “No one should fear a knock at the door from police simply because of what the YouTube algorithm serves up. I’m horrified that the courts are allowing this.”

According to the documents Forbes has seen, the court granted the order but asked Google not to make it public. We don’t currently know if Google complied with the request for information.

Google spokesperson Matt Bryant told Forbes:

> “We examine each demand for legal validity, consistent with developing case law, and we routinely push back against over broad or otherwise inappropriate demands for user data, including objecting to some demands entirely.”

STOP condemned the US Department of Justice for securing a bulk warrant to track every YouTube user who watched the completely legal videos about mapping software for drones.

John Davisson, senior counsel at the Electronic Privacy Information Center, told Forbes:

> “What we watch online can reveal deeply sensitive information about us—our politics, our passions, our religious beliefs, and much more. It’s fair to expect that law enforcement won’t have access to that information without probable cause. This order turns that assumption on its head.”

Warrants like these turn innocent people into suspects for no other reason than watching a perfectly legal video. The YouTube warrants are similar to geofence warrants, where court issues a search warrant to allow law enforcement to search a database to find all active mobile devices within a particular area.

These warrants turn the fear that certain online searches or your viewing history is going to put you on some kind of list, into reality. It also encourages users to use a VPN for even the most harmless activities and discourages YouTube visitors from logging in.

**We don’t just report on privacy—we offer you the option to use it.**

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

 YouTube ordered to reveal the identities of video viewers 

Vans warns its customers about phishing and other fraud attacks in the aftermath of a ransomware attack in December

Skater brand Vans emailed customers last week to tell them about a recent “data incident.”

On December 13, 2023, Vans said it detected unauthorized activities on its IT systems, attributed to “external threat actors.” An investigation revealed that the incident involved some personal information of Vans’ customers. The affected information could include:

*   Email address
*   Full name
*   Phone number
*   Billing address
*   Shipping address

In certain cases, the affected data may also include order history, total order value, and information about the payment method used for the purchases. Vans notes that the payment method does not specify details like account number, just the method described as “credit card”, “Paypal”, or “bank account payment”, with no additional details attached.

The data incident turned out to be a ransomware attack. In a filing with the Securities and Exchanges Commission (SEC), parent company V.F. Corporation stated the hackers disrupted business operations and stole the personal information of approximately 35.5 million individual consumers.

The attack was claimed by the ALPHV/BlackCat ransomware group. This happened during the period that ALPHV was in a spot of trouble themselves by events eventually leading to faking their own death.  It is unclear whether VF Corporation was able to use the decryptor made available after law enforcement seized control of ALPHV’s infrastructure, even though ALPHV reportedly claimed that the company tried to obtain a decryptor from law enforcement.

Vans says there’s no evidence suggesting any actual impact on any individual consumer whose personal data were part of the affected data set, but it does warn about phishing and fraud attempts which could lead to identity theft.

**Data breach tips**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

**Check if your data has been breached**

Check if your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll send you a report.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Vans warns customers of data breach 

This week on the Lock and Code podcast, we speak with Carey Parker about the importance and the process of securing your home network.

_This week on the Lock and Code podcast…_

Few words apply as broadly to the public—yet mean as little—as “home network security.”

For many, a “home network” is an amorphous thing. It exists somewhere between a router, a modem, an outlet, and whatever cable it is that plugs into the wall. But the idea of a “home network” doesn’t need to intimidate, and securing that home network could be simpler than many folks realize.

For starters, a home network can be simply understood as a router—which is the device that provides access to the internet in a home—and the other devices that connect _to_ that router. That includes obvious devices like phones, laptops, and tablets, and it includes “Internet of Things” devices, like a Ring doorbell, a Nest thermostat, and any Amazon Echo device that come pre-packaged with the company’s voice assistant, Alexa. There are also myriad “smart” devices to consider: smartwatches, smart speakers, smart light bulbs, don’t forget the smart fridges.

If it sounds like we’re describing a home network as nothing more than a “list,” that’s because a home network is pretty much just a list. But where securing that list becomes complicated is in all the updates, hardware issues, settings changes, and even scandals that relate to every single device on that list.

Routers, for instance, provide their own security, but over many years, they can lose the support of their manufacturers. IoT devices, depending on the brand, can be made from cheap parts with little concern for user security or privacy. And some devices have scandals plaguing their past—smart doorbells have been hacked and fitness trackers have revealed running routes to the public online.

This shouldn’t be cause for fear. Instead, it should help prove why home network security is so important.

Today, on the Lock and Code podcast with host David Ruiz, we’re speaking with cybersecurity and privacy advocate Carey Parker about securing your home network.

Author of the book Firewalls Don’t Stop Dragons and host to the podcast of the same name, Parker chronicled the typical home network security journey last year and distilled the long process into four simple categories: Scan, simplify, assess, remediate.

In joining the Lock and Code podcast yet again, Parker explains how everyone can begin their home network security path—where to start, what to prioritize, and the risks of putting this work off, while also emphasizing the importance of every home’s router:

> Your router is kind of the threshold that protects all the devices inside your house. But, like a vampire, once you invite the vampire across the threshold, all the things inside the house are now up for grabs.
> 
> Carey Parker

Tune in today to listen to the full conversation.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

 Securing your home network is long, tiresome, and entirely worth it, with Carey Parker: Lock and Code S05E07 

Three things you could learn from the cyber incident review produced by the British Library following its October ransomware attack.

In October 2023, The British Library was attacked by the Rhysida ransomware gang in a devastating cyberattack.

The library, a vast repository of over 170 million items, is still deep in the recovery process, but recently released an eighteen page cyber incident review describing the attack, its impact, the aftermath, and the lessons learned. The report is full of useful information, and well worth a read, even if you’re responsible for security in a much smaller organisation.

The attack and its aftermath is a reminder that big game ransomware remains the preeminent cyberthreat to organisations of all sizes, and the tactics it describes will be familiar to anyone who has read the Big Game Ransomware section of our 2024 State of Malware report.

The ransomware itself was launched on October 28, 2023, but the library believes that the Rhysida group infiltrated its systems at least three days before that. During those three days the group conducted what the library calls “hostile reconnaissance,” and exfiltrated 600GB of data.

The report also describes how the gang “hijacked native utilities” to copy databases. Using tools that are already on a victim’s network (a technique know as Living off the Land) makes it easier for ransomware gangs to avoid detection while they prepare an attack.

However, there are some details about the attack that either add to the body of knowledge, or remind us of things that are easily overlooked, so I’ve picked out some lessons from the report that can probably be usefully applied by any IT team.

**1\. Complexity helped the attackers**

One thing that leaps off the pages of the report is how the library’s complex infrastructure aided the attackers. The report describes the library environment as an “unusually diverse and complex technology estate, including many legacy systems.” Unless you work for a brand new startup, the chances are that you recognise some of your own company network in that description, even if it isn’t as complex as the British Library.

This technical debt prevented the library from complying with security standards, “contributed to the severity of the impact of the attack,” and offered the attackers wider access than they should have had.

Most damaging of all though is the effect that carrying too much complexity has had on the library’s ability to recover:

> “Our reliance on legacy infrastructure is the primary contributor to the length of time that the Library will require to recover from the attack. These legacy systems will in many cases need to be migrated to new versions, substantially modified, or even rebuilt from the ground up, either because they are unsupported and therefore cannot be repurchased or restored, or because they simply will not operate on modern servers or with modern security controls.”

It concludes, “there is a clear lesson in ensuring the attack vector is reduced as much as possible by keeping infrastructure and applications current.”

**2\. Endpoint protection matters**

While the issue of complexity crops up again and again in the report, there is another significant finding that’s covered in just a single line—the importance of effective endpoint protection.

As devastating as the attack on the library was, it could have been worse. The attack only succeeded in compromising the organisation’s servers, but its desktops and laptops were spared because they were running a more modern “defensive software” that successfully identified and prevented the attack.

> “A different software system successfully identified and prevented the encryption attack from executing on our laptop and desktop estates, but older defensive software on the server estate was unable to resist the attack.”

The clear implication is that if the system that was running on the desktops and laptops had also been running on the servers then the attack would have been thwarted.

As important as monitoring technologies like SIEM, EDR and MDR have become, it remains as true today as it ever has that every endpoint and server, whether they’re Windows, Macs, or Linux machines, needs a next-gen antivirus engine that can detect and stop known threats and block suspicious behaviour, such as malicious encryption.

**3\. Ransomware is 24/7**

The report also mentions another potential opportunity to stop the attack. It describes how “at 01:15 on 26 October 2023, the Library’s IT Security Manager was alerted to possible malicious activity on the Library network.” The IT manager took action, monitored the situation and the escalated the incident the following morning. A subsequent detailed analysis of activity logs, “did not identify any obviously malicious activity.”

Investigations performed after the attack “identified evidence of an external presence on the Library network at 23:29 on Wednesday 25 October 2023,” and that “an unusually high volume of data traffic (440GB) had left the Library’s estate at 1.30am on 28 October.” This suggests that there were further opportunities to detect the attackers’ “hostile reconnaissance.”

We highlight this to demonstrate an important point about how ransomware gangs operate, not to second guess the IT team at the library. It seems that everyone concerned treated the incident very seriously and took appropriate action, and they have our sympathy.

What we want to draw your attention to is that all three incidents happened in the dead of night.

Groups like Rhysida make significant efforts to cover their tracks, and are likely to work at times when their targets are least well staffed. However, even as stealthy as they are, their out-of-hours activities still create opportunities for skilled security staff to detect them. The problem for defenders is that their skilled security staff need to be working at the same time as the attackers.

For many organisations, the only practical way to achieve that is through a Managed Service Provider or a service like Managed Detection and Response (MDR).

**How to avoid ransomware**

*   **Block common forms of entry.** Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
*   **Prevent intrusions.** Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
*   **Detect intrusions.** Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption.** Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Source

Malwarebytes