An easy-to-understand guide on how to back up your Windows PC to OneDrive.

They say the only backup you ever regret is the one you didn’t make. Starting in Windows 10, the operating system (OS) now comes with a built-in tool to back up your files, themes, some settings, many of your installed apps, and your Wi-Fi information.

First, you’ll need to sign in with your Microsoft account

Go to **Start**  > **Settings**  > **Accounts**  > **Your info** . Select **Sign in with a Microsoft account instead**. You’ll see this only if you’re using a local account. If you see **Sign in with a local account instead**, you’re already using your Microsoft account.

To start the backup process select **Start**  **\> Windows Backup**.

Select **Folders** to drop down a list, and select which of your user folders you want to back up by toggling them **On** or **Off**. The ones you have already backed up will say **Backed up** next to them.

**Next**, you can move forward to back up your settings. You can use the drop down for each category and select the items you want to back up by setting them to **On** or **Off**.

First choose your apps:

Then your settings:

Then your credentials:

When you’ve decided on what to back up, click **Back up** and the backup will be made.

From this point on, Windows will synchronize these backups at regular intervals. If it’s been a while since you made your backups or changed your settings, you can check the status by going to **Start  > Settings  > Accounts  > Windows backup**.

_Current status_

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 How to back up your Windows 10/11 PC to OneDrive 

An easy-to-understand guide on how to back up your iPhone to a Windows computer

They say the only backup you ever regret is the one you didn’t make. iPhone backups can be used to easily move your apps and data to a new phone, to recover things you’ve lost, or to fix things that have failed.

We’ve published posts on how to back up your iPhone to iCloud, and how to backup an iPhone to a Mac. Another method is to backup using the iTunes app on a Windows system.

Choose whichever backup method works best for you, and will continue to work.

First, connect your iPhone to the Windows system with a cable.

You are likely to see a prompt on your iPhone asking whether it can trust this computer.

To proceed, tap **Trust** and entering your passcode.

Then open the iTunes app on your Windows device.

In iTunes click the **Device** symbol in the upper left corner (next to the Music drop down box).

_Note: It may take a while before the device icon appears_

In the **Settings** of the iTunes app select **Summary**.

You’ll see some device data about your iPhone, and below that a **Backups** menu.

Here you can select either **iCloud** or **This Computer**.

To create a local backup select **This Computer** and click on **Back Up Now** to create a new backup of your iPhone on your Windows System.

To encrypt your backups, select **Encrypt local backup**, type a password, then click **Set Password**.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 How to back up your iPhone to a Windows computer 

An easy-to-understand guide on how to backup your iPhone or iPad to your Mac.

They say the only backup you ever regret is the one you didn’t make. iPhone backups can be used to easily move your apps and data to a new phone, to recover things you’ve lost, or to fix things that have failed.

One of the most cost effective ways to backup your iPhone is to save backups to your Mac. Backups are made automatically whenever you connect your iPhone to your Mac with a lead. Be aware though that backups can take up a lot of space on your Mac, and that if your Mac is lost, stolen, or inoperable, then you won’t be able to access your iPhone backups. If you need daily backups or backups that can always be accessed from anywhere, you may prefer to backup your iPhone to iCloud.

This guide tells you how to enable backups to your Mac, and how to check that everything is working as you expect.

First, connect your iPhone or iPad to a Mac using a cable.

Open the **Finder** app and select your iPhone from the list of **Locations**.

Click **Genera**l.

Under **Backups**, choose **Back up all of the data on your iPhone to this Mac**.

To encrypt your backup data and protect it with a password, select **Encrypt local backup**. You will be prompted for a password.

Click **Back Up Now.**

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 How to back up your iPhone to a Mac 

An easy-to-understand guide on how to backup your iPhone or iPad to iCloud automatically.

They say the only backup you ever regret is the one you didn’t make. iPhone backups can be used to easily move your apps and data to a new phone, to recover things you’ve lost, or to fix things that have failed.

The most convenient way to backup your iPhone is to have it backup to iCloud. Backups are made every day, automatically, provided your phone is connected to power and locked. Be aware though that backups take take up a lot of your iCloud storage, and your phones’ data plan if you choose to backup when you aren’t connected to Wi-Fi. If those are likely to be problems for you, you might prefer to backup your iPhone to your Mac.

This guide tells you how to enable backups to iCloud, and how to check that everything is working as you expect.

Open the **Settings** app.

Then tap where you see your name and **Apple ID, iCloud+, Media & Purchases**.

Next, tap **iCloud**.

Scroll down and tap **iCloud Backup**.

Toggle **Back Up This iPhone** to on.

This may reveal a **Back Up Over Cellular Data** or **Back Up Over Mobile Data** toggle. This creates backups when you aren’t connected to Wi-Fi. Because backups can use a lot of data, toggling this on may cause you to exceed your data plan.

Once you have made a backup, you can access it from this screen under **ALL DEVICE BACKUPS**.

You can return to the previous screen by tapping the **< iCloud** link at the top. This screen shows you how much storage space your backups are using. To see a little more detail, tap **Manage Account Storage**.

Scroll down the list of apps until you see **Backups** to see how much storage your backups are using.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 How to back up your iPhone to iCloud 

Dive into where we are with AI and where we’re headed.

Nobody can deny the influence of AI today. In just a few years, we have observed AI’s capacity to be as transformative as the internet and smartphones, especially for cybersecurity. Indeed, the potential of AI to radically simplify complex security environments is unmistakable, and aligns closely with our mission at ThreatDown to reduce threats, complexity, and costs for our customers.

With continuous advancements in AI and its ever-expanding potential to enhance user experiences, ThreatDown remains dedicated to integrating these technologies into our solutions going forward. Let’s dive into where we are with AI and where we’re headed.

**What led us here**

We’ve always been big on democratizing security for all, and we believe AI has the potential to do just that. With this in mind, in late March 2024 we added a powerful AI functionality to our industry-leading Security Advisor. Users can now use simple natural language requests to search for information about their environment, ask for recommendations on how to optimize their security posture, and more.

Users will now see an “Ask AI” search bar on the Endpoints, Detections and Vulnerabilities pages

The deployment of generative AI into our Security Advisor propels us closer to our goal to make security management more accessible, especially for companies with constrained IT resources. Generative AI’s ability to sift through vast datasets to highlight essential issues and suggest actions significantly lowers the barrier to advanced security, eliminating the necessity for deep security know-how among users. But we’re not done yet.

**Where we’re going**

As we integrate generative AI, we envisage a host of potential advancements that could further revolutionize security management:

*   **Global AI search**: Our team is considering the development of a universal AI search feature, integrated across all products, that can comprehend natural language queries and surface relevant data.
*   **Evolving summarization techniques**: Imagine an AI that can not only summarize threats detected by EDR tools but also provides remediation steps with contextual help to follow along.
*   **Dynamic security recommendations**: We’re exploring the possibility of AI that not only provides recommendations but also adapts them in real-time based on the evolving security context of each user.

**Pioneering simplicity in security with AI**

AI will likely become a bigger and bigger fixture in security as the years go on, and as it evolves, ThreatDown is deeply committed to simplifying security management through the power of AI.

Nebula users can use Security Advisor and its AI capabilities today. Learn more.

 Powering the future of ThreatDown with AI 

How experts uncovered a years-long SolarMarker attack on a K-12 district

In early 2024, a large K-12 school district partnered with ThreatDown MDR to strengthen its cybersecurity posture. Shortly after onboarding, ThreatDown MDR analysts detected unusual patterns of activity subsequently identified as the work of SolarMarker, a sophisticated backdoor. It became evident that SolarMarker had been present in the district’s system since at least 2021, likely exfiltrating data over several years.

Let’s dive further into the investigation’s findings and the steps taken to mitigate the threat.

**SolarMarker infection****Background**

The incident began with the detection of an anomalous instance of PowerShell attempting to establish an outbound network connection to a suspicious IP address **(188.241.83.61)**. This connection attempt was thwarted by Malwarebytes Web Protection (MWAC), signaling the first indication of a potential security breach.

**Initial challenges**

Upon investigation, it was discovered that Endpoint Detection and Response (EDR) settings were disabled in the client’s endpoint policy. This limitation prevented the use of Fast Response Scanning (FRS) to capture and analyze detailed endpoint data, necessitating a manual approach to the investigation utilizing Active Response Scanning (ARS).

**Investigation and analysis**

The first step involved querying active network connections with **netstat**, which revealed an instance of PowerShell in operation. To further understand the nature of this PowerShell instance, its command line was examined using Windows Management Instrumentation Command-line (WMIC) with the process ID (PID), which unveiled obfuscated code.

**Decoding and understanding SolarMarker**

The obfuscated PowerShell code was extracted and refactored for clarity. The analysis revealed the following components of the malware’s operation:

    powershell
    
    $decodeKey = '<Base64_encoded_string>'
    
    $encodedFilePath = 'C:\Users\akeith\AppData\Roaming\micROSoft\wbpgVnSBjsytaokm\JqdVQplHfgwxyNmtaPX.gvzPlATqFe'
    
    $decodedPayload = [System.IO.File]::ReadAllBytes($encodedFilePath)
    
    for ($payloadIndex = 0; $payloadIndex -lt $decodedPayload.Count; $payloadIndex++) {
    
     $decodedPayload[$payloadIndex] = $decodedPayload[$payloadIndex] -bxor $decodeKey[$payloadIndex % $decodeKey.Length]
    
     if ($payloadIndex -ge $decodeKey.Length) {
    
     $payloadIndex = $decodeKey.Length
    
     }
    
    }
    
    [System.Reflection.Assembly]::Load($decodedPayload)
    
    [ab821408b424418fa94bb4d815b4e.ad0682a943e4859ef35309cc0a537]::a1f5abfa214411baa77e25f6ceaa6()
    

This code reveals the malware’s methodology:

*   It utilizes a Base64-encoded string as a decryption key.
*   It targets a specific file path for encoded data.
*   It reads, decodes, and executes the encrypted payload.

The command line shows signs of the malicious script execution, with parameters indicative of a desire to hide the window (-WindowStyle Hidden), bypass execution policies (-Ep ByPass), and run encoded commands (-ComMand “sa43…). 

Further investigation uncovered randomly named folders within the AppData\\Roaming\\Microsoft directory, each containing encoded payloads. These discoveries suggested a more widespread infection than initially anticipated.

**Response and mitigation**

The response involved several steps to contain and eliminate the threat:

*   Terminating the malicious PowerShell instance.
*   Deleting the identified folders containing encoded payloads.
*   Conducting a thorough search for persistence mechanisms, which fortunately yielded no findings.

A comprehensive threat scan was executed, and the incident was escalated for visibility with the client. Post-reboot checks confirmed the absence of persistence, no spawn of new PowerShell instances, and blocking of suspicious network connections, indicating successful remediation of the infection.

**Conclusion**

As we’ve seen in our 2024 State of Ransomware in Education report, the educational sector continues to be a prime target for attackers. In this case, attackers used SolarMarker, a sophisticated backdoor, to lurk within the school district’s network for years, likely stealing data in the process. Its presence went undetected until the district onboarded with ThreatDown MDR. Despite facing initial obstacles, such as disabled EDR settings, the ThreatDown MDR team successfully identified and neutralized the SolarMarker infection through manual intervention.

Discover how ThreatDown MDR can safeguard your K-12 institution.

 Stopping a K-12 cyberattack (SolarMarker) with ThreatDown MDR 

Facebook is accused of using potentially criminal methods to spy on Snapchat users to gain a commercial advantage over its competition.

Social media giant Facebook snooped on Snapchat users’ network traffic, engaged in anticompetitive behavior and exploited user data through deceptive practices. That’s according to a court document filed March 23, 2024.

The document mentions Facebook’s so-called In-App Action Panel (IAAP) program, which existed between June 2016 and approximately May 2019. The IAAP program, used an adversary-in-the-middle method called to intercept and decrypt Snapchat’s—and later YouTube’s and Amazon’s—SSL-protected analytics traffic to provide information for Facebook’s competitive decision making. Secure Sockets Layer (SSL) is a standard security technology for establishing an encrypted link between a server and a client.

On June 9, 2016, Facebook CEO Mark Zuckerberg complained about the lack of analytics about competitor Snapchat.

> “Whenever someone asks a question about Snapchat, the answer is usually that because their traffic is encrypted we have no analytics about them. . . .
> 
> Given how quickly they’re growing, it seems important to figure out a new way to get reliable analytics about them. Perhaps we need to do panels or write custom software. You should figure out how to do this.”

So, as part of the IAAP program, the company started Project Ghostbusters by using Onavo. Onavo was a VPN-like research tool that Facebook acquired in 2013. In 2019, Facebook shut down Onavo after a TechCrunch investigation revealed that Facebook had been secretly paying teenagers to use Onavo so the company could access all of their web activity.

The Project Ghostbusters technique relied on technology known as a server-side SSL bump performed on Facebook’s Onavo servers. SSL bumping, also known as SSL interception, involves intercepting and decrypting SSL/TLS traffic, inspecting it for malicious content or policy violations, and then re-encrypting and forwarding it to the intended destination.

To gain access to the data about their competitor, Facebook incentivized users to install “kits” on both Android and iOS devices that impersonated official servers and decrypted traffic that Facebook had no right to access.

These kits allowed Facebook to intercept traffic for specific sub-domains, allowing them to read what would otherwise be encrypted traffic and to measure in-app usage of their competitor’s apps. The users were clueless about what the kits did exactly, but it allowed the operators to view and analyze the traffic before it got encrypted.

According to the court documents, advertisers suing Meta claim that Facebook later expanded the program to Amazon and YouTube. This practice is likely in violation of wiretapping laws and “potentially criminal.” Facebook’s secret program likely violated the Wiretap Act, because it prohibits intentionally intercepting electronic communications with no applicable exception and the use of such intercepted communications.

We’ll keep you updated on how this develops.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Facebook spied on Snapchat users to get analytics about the competition 

Google has released an update for Chrome to fix seven security vulnerabilities.

Google has released an update to Chrome which includes seven security fixes. Version 123.0.6312.86/.87 of Chrome for Windows and Mac and 123.0.6312.86 for Linux will roll out over the coming days/weeks.

The easiest way to update Chrome is to allow it to update automatically, which basically uses the same method as outlined below but does not require your attention. But you can end up lagging behind if you never close the browser or if something goes wrong—such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time, given the severity of the vulnerability in this patch. My preferred method is to have Chrome open the page chrome://settings/help which you can also find by clicking **Settings > About Chrome**.

If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete, and for you to be safe from those vulnerabilities.

_After the update, the version should be 123.0.6312.86, or later_

**Technical details**

Google never gives out a lot of information about vulnerabilities, for obvious reasons. Access to bug details and links may be kept restricted until a majority of users are updated with a fix.

There is one critical vulnerability that looks like it might be of interest to cybercriminals.

CVE-2024-2883: Use after free (UAF) vulnerability in Angle in Google Chrome prior to 123.0.6312.86 could allow a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Angle is a browser component that deals with WebGL (short for Web Graphics Library) content. WebGL is a JavaScript API for rendering interactive 2D and 3D graphics within any compatible web browser without the use of plug-ins.

UAF is a type of vulnerability that is the result of the incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. In this case, when the vulnerability is exploited, it can lead to heap corruption.

Heap corruption occurs when a program modifies the contents of a memory location outside of the memory allocated to the program. The outcome can be relatively benign and cause a memory leak, or it may be fatal and cause a memory fault, usually in the program that causes the corruption.

Chromium vulnerabilities are considered critical if they “allow an attacker to read or write arbitrary resources (including but not limited to the file system, registry, network, etc.) on the underlying platform, with the user’s full privileges.”

So, to sum this up, in this case an attacker could create a specially crafted HTML page–which can be put online as a website–that exploits the vulnerability, potentially leading to a compromised system.

My suggestion: don’t wait for the update, get it now.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

 Update Chrome now! Google patches possible drive-by vulnerability 

A robocaller that spoofed a local phone number and presented his targets with inflammatory and disturbing content has received a hefty fine.

A federal court in Montana has fined a man $9.9 million after he was found responsible for causing thousands of unlawful and malicious spoofed robocalls.

Sometimes there is good news. Well, for almost everybody except for the robocaller who was found guilty of unlawful robocalls to people in states including Florida, Georgia, Idaho, Iowa and Virginia in 2018. The court also imposed an injunction prohibiting any future violations of the Truth in Caller ID Act and Telephone Consumer Protection Act.

Scott Rhodes spoofed his telephone number, so it appeared to his targets that he was calling from a local phone number. If they picked up, they were presented with recorded messages. Those messages included highly inflammatory and disturbing content, often directed at certain communities, that intended to offend or harm the recipients.

Those messages typically addressed tragic and controversial events that took place in the region. Many consumers who received the calls found the calls so disturbing, they submitted complaints to FCC and other law enforcement regarding unwanted and harassing robocalls.

The FCC traced the unlawful spoofed robocalls to Scott Rhodes, a resident of Idaho and Montana, and in January 2021, the FCC imposed a $9,918,000 forfeiture penalty against Rhodes. In September 2021, the Justice Department sued Rhodes in the District of Montana to recover that penalty and obtain an injunction.

In October 2023, the United States moved for summary judgment, and the court subsequently entered an injunction and the full $9,918,000 forfeiture penalty against Rhodes, after concluding based on a de novo review of the evidence that Rhodes committed the violations found by FCC. When a court hears a case as “de novo,” it is deciding the issues without reference to any legal conclusion or assumption made by the previous court to hear the case.

Principal Deputy Assistant Attorney General Brian Boynton, head of the Justice Department’s Civil Division commented:

> “The department is committed to protecting consumers from deceptive robocalls. We are very pleased by the court’s judgment, and we will continue working with the FCC and other agency partners to vigorously enforce the telemarketing laws that prohibit these practices.”

Earlier this year we reported that the FCC efforts seem to be paying off, by showing an encouraging decline in robocalls.

Last year, another robocaller made headlines after the FCC issued a $300 million forfeiture to a persistent offender and shut down their operation.

**What to do if you answer a robocall**

When you receive a call from someone outside your contact list only to hear a recorded message playing back at you, that’s a robocall.

1.  Hang up as soon as you realize that it is an automated robocall.
2.  Do not engage with the call at all.
3.  Don’t follow any instructions.
4.  Avoid giving away any personal information.
5.  Report the robocall.
    *   If you’ve lost money to a phone scam or have information about the company or scammer who called you, tell the FTC at ReportFraud.ftc.gov.
    *   If you didn’t lose money and just want to report a call, use the streamlined reporting form at DoNotCall.gov
    *   If you believe you received an illegal call or text, report it to the Federal Communications Commission (FCC).

It is important to not engage in any conversation or respond to any prompts to minimize the risk of fraud. Even the smallest snippets of your voice being recorded, can be used in scams against you or your loved ones.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Disturbing robocaller fined $9.9 million 

Meta will retire social media tracking tool CrowdTangle in August 2024, which is awkward timing given the amount of important elections this year.

On 14 March, Meta announced it would abandon CrowdTangle, saying the tool will no longer be available after August 14, 2024. While most people have never heard of CrowdTangle, among journalists the tool is considered essential. Its popularity largely depends on the ability to monitor social media activity around important elections.

This makes the timing of the change a bit awkward to say the least. Not just in the US, but in many countries around the world there are major elections in 2024.

Data analysis tool CrowdTangle was created to show publishers which posts on Facebook pages were getting the most engagement. However, researchers and journalists later discovered that monitoring which stories spread most quickly, also provides the means to find the source of disinformation and watch how it spreads.

Meta bought CrowdTangle eight years ago, and the tool helped journalists and researchers learn more about the content on Meta’s platforms, including Facebook and Instagram. It was the first major tool that let the public analyze trends on the social media platforms in real time.

But it also produced negative consequences for Meta. If content performed well, Meta received accusations of promoting that content in its algorithm. In 2021, CrowdTangle underwent some changes and the team that ran it, including founder and CEO Brandon Silverman, was dismantled.

Arguably, the only thing keeping CrowdTangle alive at that point was Article 40 of the European Union’s Digital Services Act, which requires very large platforms and search engines to share publicly available data with researchers and nonprofit groups.

So, in November of 2023, Meta introduced the Meta Content Library as a replacement for CrowdTangle to “help us meet new regulatory requirements, data-sharing and transparency compliance obligations.”

In an interview, Meta’s president of global affairs Nick Clegg said that the Meta Content Library is a better tool for researchers than CrowdTangle in almost every way. For starters, it includes data about reach, which he said offers a better picture of what content on the platform is most popular.

Researchers who have used both CrowdTangle and the Content Library are torn, they say that both tools have their strengths and weaknesses. However, the audience for the Content Library is much more limited: aside from certain fact checkers, journalists won’t have direct access.

In an open letter, Mozilla has called on Meta to keep CrowdTangle functioning until January 2025. At the time of writing, 156 universities, researchers, disinformation trackers, privacy watchers, and other social media followers have signed the request.

They fear that the absence of CrowdTangle will undermine the monitoring of election disinformation in a year that approximately half the world’s population will vote.

**We don’t just report on threats – we help protect your social media**

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Cyrus, powered by Malwarebytes.

Source

Malwarebytes