The flaws could allow an attacker with privileged access to a guest VM to access the hypervisor on the host.

VMWare has issued secuity fixes for its VMware ESXi, Workstation, Fusion, and Cloud Foundation products. It has even taken the unusual step of issuing updates for versions of the affected software that have reached thier end-of-life, meaning they would normally no longer be supported.

This flaws affect customers who have deployed VMware Workstation, VMware Fusion, and/or VMware ESXi by itself or as part of VMware vSphere or VMware Cloud Foundation.

A virtual machine (VM) is a computer program that emulates a physical computer. A physical “host” computer can run multiple separate “guest” VMs that are isolated from each other, and from the host. The physical resources of the host are allocated to the VMs by a software layer called the hypervisor, which acts an intermediary between the host and the VM (the guest system).

VMWare’s decision to offer fixes for end-of-life software is because the vulnerabilities patched in these updates are escape flaws that allow a computer program to breack of the confines of a VM and affect the host operating system. Specifically, an attacker with privileged access, such as root or administrator, on a guest VM can access the hypervisor on the host.

Besides instructions about how to update the affected products, the advisory lists possible workarounds that would block an attacker from exploiting the vulnerabilities. Since three of the vulnerabilities affect the USB controller, applying the workarounds will effectively block the use of virtual or emulated USB devices. For guest operating systems that do not support using a PS/2 mouse and keyboard, such as macOS, this means they will effectively be unable to use a mouse and keyboard.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs patched in these updates are:

CVE-2024-22252 and CVE-2024-22253 are use-after-free vulnerabilities in the XHCI and UHCI USB controllers of VMware ESXi, Workstation, and Fusion. A malicious actor with local administrative privileges on a virtual machine can exploit the issues to execute code as the virtual machine’s VMX process running on the host. On ESXi, the exploitation of either is contained within the VMX sandbox, but on Workstation and Fusion this may lead to code execution on the machine where Workstation or Fusion is installed.

The VMX process is a process that runs in the kernel of the VM and is responsible for handling input/output (I/O) to devices that are not critical to performance. The VMX is also responsible for communicating with user interfaces, snapshot managers, and remote consoles.

Use-after-free vulnerabilities are the result of the incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can exploit the error to manipulate the program. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

CVE-2024-22254 is an out-of-bounds write vulnerability in VMWare ESXi. A malicious actor with privileges within the VMX process can trigger an out-of-bounds write leading to an escape of the sandbox.

A sandbox environment is another name for an isolated VM in which potentially unsafe software code can execute without affecting network resources or local applications.

An out-of-bounds write can occur when a program writes outside the bounds of an allocated area of memory, potentially leading to a crash or arbitrary code execution. This can happen when the size of the data being written to memory is larger than the size of the allocated memory area, when the data is written to an incorrect location within the memory area, or when the program incorrectly calculates the size or location of the data to be written

CVE-2024-22255 is an information disclosure vulnerability in the UHCI USB controller of VMware ESXi, Workstation, and Fusion. A malicious actor with administrative access to a VM may be able to exploit this issue to leak memory from the VMX process.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

 Patch now! VMWare escape flaws are so serious even end-of-life software gets a fix 

Users of JetBrains TeamCity on-prmises server need to deal with two serious vulnerabilities.

JetBrains issued a warning on March 4, 2024 about two serious vulnerabilities in TeamCity server. The flaws can be used by a remote, unauthenticated attacker with HTTP(S) access to a TeamCity on-premises server to bypass authentication checks and gain administrative control of the TeamCity server.

TeamCity is a build management and continuous integration and deployment server from JetBrains that allows developers to commit code changes into a shared repository several times a day. Each commit is followed by an automated build to ensure that the new changes integrate well into the existing code base and as such can be used to detect problems early.

Compromising a TeamCity server allows an attacker full control over all TeamCity projects, builds, agents and artifacts. Which, depending on the use-case of your projects, could make for a suitable attack vector leading to a supply chain attack.

The two vulnerabilities are CVE-2024-27198, an authentication bypass vulnerability with a CVSS score of 9.8, and CVE-2024-27199, a path traversal issue with a CVSS score of 7.3. The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-27198 to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. This means that Federal Civilian Executive Branch (FCEB) agencies need to remediate this vulnerability by March 28, 2024 in order to protect their devices against active threats.

These two vulnerabilities allow an attacker to create new administrator accounts on the TeamCity server which have full control over all TeamCity projects, builds, agents and artifacts.

Exploitation code is readily available online and has already been integrated in offensive security tools like the MetaSploit framework.

So, it doesn’t come as a surprise that researchers are now reporting abuse of the vulnerabilities.

Bleeping Computer reports that attackers have already compromised more than 1,440 instances, while a scan for vulnerable instances by Shadowserver showed that the US and Germany are the most affected countries.

> If running JetBrains TeamCity on-prem – make sure to patch for latest CVE-2024-27198 (remote auth bypass) & CVE-2024-27199 vulns NOW!
> 
> We started seeing exploitation activity for CVE-2024-27198 around Mar 4th 22:00 UTC. 16 IPs seen scanning so far.https://t.co/zZ0iU5MD8S
> 
> — Shadowserver (@Shadowserver) March 5, 2024

The vulnerabilities affect all TeamCity on-premises versions through 2023.11.3 and were fixed in version 2023.11.4. Customers of TeamCity Cloud have already had their servers patched, and according to JetBrains they weren’t attacked.

To update your server, download the latest version (2023.11.4) or use the automatic update option within TeamCity. 

JetBrains has also made a security patch plugin available for customers who are unable to upgrade to version 2023.11.4. There are two security patch plugins, one for TeamCity 2018.2 and newer and one for TeamCity 2018.1 and older. See the TeamCity plugin installation instructions for information on installing the plugin.

If your server is publicly accessible over the internet, and you are unable to immediately mitigate the issue you should probably make your server inaccessible until you can.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

 Update now! JetBrains TeamCity vulnerability abused at scale 

Pet retail company PetSmart has emailed customers to alert them to a recent attack that used reused passwords.

Pet retail company PetSmart has emailed customers to alert them to a recent credential stuffing attack.

Credential stuffing relies on the re-use of passwords. Take this example: User of Site A uses the same email and password to login to Site B. Site A gets compromised and those login details are exposed. People with access to the credentials from Site A try them on Site B, often via automation, and gain access to the user’s account.

If the user had different passwords on Site A and Site B, the attacker would have been stopped before they got in to Site B. This is why we are continuously telling people to not reuse their passwords. If all your logins are hard to remember (and they should be), you can use a password manager to help you.

We’d like to like to praise PetSmart for the way in which it handled the attack, setting a good example by warning customers.

Email courtesy of DarkWebInformer on X

> “Dear Pet Parent,
> 
> We want to assure you that there is no indication that petsmart.com or any of our systems have been compromised. Instead, our security tools saw an increase in password guessing attacks on petsmart.com and during this time your account was logged into. While the log in may have been valid, we wanted you to know.
> 
> In an abundance of caution to protect you and your account, we have inactivated your password on petsmart.com. The next time you visit petsmart.com, simply click the “Forgot password” link to rest your password. You can also reset your password by visiting www.petsmart.com/account/.
> 
> Across the internet, fraudsters are constantly trying to obtain user names and passwords and they often try and test the credentials they find on various websites, like ours. To help keep your accounts secure, remember to use strong passwords for each of your important accounts.
> 
> Thank you for your understanding. If you have any questions about this, or any other issue, please feel free to contact us at customercare@petsmart.com or 888-839-9638.
> 
> Sincerely,
> 
> The PetSmart Data Security Team”

While we don’t agree with everything in the email—a strong password would not have made a difference here—it is informative, to the point, and helpful.

**Digital Footprint scan**

If you were one of those customers and the login was not you, that means the attacker knew your email and password. Maybe they found them in the proceeds of a previous data breach.

Malwarebytes has a tool that can help you find out how much of your own data is currently exposed online. Our free Digital Footprint scan scours the internet to find your exposed passwords and much more. Fill in your email address (it’s best to submit the one you most frequently use) and we’ll send you a report.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

 PetSmart warns customers of credential stuffing attack 

The US Treasury Department has sanctioned Predator spyware vendor Intellexa Consortium, and banned the company from doing business in the US.

The US Treasury Department has sanctioned Predator spyware vendor Intellexa Consortium, and banned the company from doing business in the US.

Predator can turn infected smartphones into surveillance devices. Intellexa is based in Greece but the Treasury Department imposed the sanctions because of the use of the spyware against Americans, including US government officials, journalists, and policy experts.

Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson said:

> “Today’s actions represent a tangible step forward in discouraging the misuse of commercial surveillance tools, which increasingly present a security risk to the United States and our citizens.”

Since its founding in 2019, the Intellexa Consortium has marketed the Predator label as a suite of tools created by a variety of offensive cybercompanies that enable targeted and mass surveillance campaigns.

Predator is capable of infiltrating a range of electronic devices without any user interaction (known as ‘zero-click’). Once installed, Predator deploys its extensive data-stealing and surveillance capabilities, giving the attacker access to a variety of applications and personal information on the compromised device. The spyware is capable of turning on the user’s microphone and camera, downloading their files without their knowledge, tracking their location, and more.

Under the sanctions, Americans and people who do business with the US are forbidden from transacting with Intellexa, its founder and architect Tal Dilian, employee Sara Hamou and four of the companies affiliated with Intellexa.

Sanctions of this magnitude leveraged against commercial spyware vendors for enabling misuse of their tools are unprecedented, but the US has expressed concerns about commercial spyware vendors before.

> “A growing number of foreign governments around the world, moreover, have deployed this technology to facilitate repression and enable human rights abuses, including to intimidate political opponents and curb dissent, limit freedom of expression, and monitor and target activists and journalists.”

In July 2023, the US Commerce Department’s Bureau of Industry and Security (BIS) added Intellexa and Cytrox AD to the Entity List for trafficking in cyber exploits used to gain access to information systems. Cytrox AD is a North Macedonia-based company within the Intellexa Consortium and acts as a developer of the consortium’s Predator spyware.

The Entity List is a trade control list created and maintained by the US government. It identifies foreign individuals, organizations, companies, and government entities that are subject to specific export controls and restrictions due to their involvement in activities that threaten US national security or foreign policy interests.

Earlier this month, a California federal judge ordered spyware maker NSO Group to hand over the code for Pegasus and other spyware products used to spy on WhatsApp users.

While you’ll see Predator and Pegasus usually deployed in small-scale and targeted attacks, putting a stop to the development and deployment of spyware by these commercial entities is good news for everyone.

**How to remove spyware**

Because spyware apps install under a different name and hide themselves from the user, it can be hard to find and remove them. That is where Malwarebytes for Android can help you.

1.  Open Malwarebytes for Android and navigate to the dashboard
2.  Tap **Scan** **now**
3.  It may take a few minutes to scan your device, but it will tell you if it finds spyware or any other nasties.
4.  You can then uninstall the app.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Predator spyware vendor banned in US 

The ALPHV gang's attempt to cover up an exit scam isn't going well.

For the second time in only four months, all is not well on the ALPHV (aka BlackCat) ransomware gang’s dark web site. Gone are the lists of compromised victims. In their place, a veritable garden of law enforcement badges has sprouted beneath the ominous message “THIS WEBSITE HAS BEEN SEIZED.”

The ALPHV ransomware dark web site has a new look

So far, so FBI, but all is not what it seems.

ALPHV is arguably the second most dangerous ransomware group in the world. It sells Ransomware-as-a-Service (RaaS) to criminal affiliates who pay for its ransomware with a share of the ransoms they extract.

When a task force of international law enforcement agencies score a hit on a target this big, they tend to make a bit of a song and dance about it. At a minimum, there are announcements. Last time the FBI disrupted ALPHV with an unscheduled home page redecoration in December, the law enforcement agency was very happy to tell everyone.

When the UK’s National Crime Agency (NCA) took a slice out of the LockBit gang last month it didn’t just tell everyone in a press release, it celebrated with a week-long fiesta of premium-grade trolling _on LockBit’s own website_.

They have every reason to celebrate their success, but this takedown—if that’s what it really is—has been greeted with nothing but silence from law enforcement.

In fact, ransomware experts have weighed in with an alternative explanation: ALPHV has recycled the takedown banner provided by law enforcement in December, and staged a fake takedown to cover its tracks while it runs off with its affiliates’ money.

The story starts on February 21, 2024, when an ALPHV affiliate attacked Change Healthcare, one of the largest healthcare technology companies in the USA. The attack has caused enormous disruption and been described by the American Hospital Association (AHA) President and CEO Rick Pollack as “the most significant and consequential incident of its kind against the US health care system in history.”

On March 3, a user on the RAMP dark web forum claimed they were the affiliate behind the Change Healthcare attack. They alleged that two days earlier Change Healthcare had paid ALPHV $22 million—backing up their claim with a link to a Bitcoin wallet that shows a 350 bitcoin transfer on March 1—and that ALPHV then suspended their account.

VX Underground reported that a day later, other ALPHV affiliates were also locked out of their accounts, while ALPHV issued an “ambiguous” message seemingly pointing the finger at the FBI for…something, before putting the source code to its ransomware up for sale for $5 million.

The final act in this entirely unconvincing drama was the appearance of a “THIS WEBSITE HAS BEEN SEIZED” banner on the ALPHV dark web site. Not only was the banner identical to the one used by law enforcement in December, it appeared to have been lazily copied from the compromised site.

The giveaway, spotted by ransomware researcher Fabian Wosar, was the URL of the takedown image, which was being kept in a directory called THIS WEBSITE HAS BEEN SEIZED_files.

“An image URL like this is what Firefox and the Tor Browser create when you use the ‘Save page as’ function to save a copy of a website to disk,” he pointed out.

Of course, it’s not impossible that law enforcement would do this, but it’s a far cry from the no-stone-left-unturned effort of the recent LockBit takedown. Unconvinced, Wosar took to X (formerly Twitter) to say he’d reached out to contacts at Europol and the NCA, and they declined “any sort of involvement”.

It’s the second reminder in under a month, following revelations that the LockBit gang didn’t delete its victims’ stolen data when they were paid a ransom, that you just can’t trust criminals.

**How to avoid ransomware**

*   **Block common forms of entry.** Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
*   **Prevent intrusions.** Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
*   **Detect intrusions.** Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption.** Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 ALPHV ransomware gang fakes own death, fools no one 

Apple has released a security update for iOS and iPadOS to patch two zero-day vulnerabilities which are reported to already have been exploited.

Apple has released a security update for iOS and iPadOS to patch two zero-day vulnerabilities which are reported to already have been exploited. Zero-day vulnerabilities are discovered by attackers before the software company itself – meaning the vendor has ‘zero days’ to fix them.

Both the two vulnerabilities allow an attacker to bypass the memory protections that would normally stop someone from running malicious code. Reportedly, attackers used them with another unpatched vulnerability or malicious app, and the combination could be used to give them complete control over targeted iPhones.

The update is available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later.

A patch for iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation, running iOS 16.7.6 or iPadOS 16.7.6 is available for one of the vulnerabilities.

To check if you’re using the latest software version, go to **Settings** > **General** > **Software Update**. You want to be on iOS 17.4 or iPadOS 17.4, so update now if you’re not. It’s also worth turning on Automatic Updates if you haven’t already. You can do that on the same screen.

**Technical details**

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The zero-day CVEs patched in these updates are:

CVE-2024-23225: a memory corruption issue was addressed with improved validation. A patch is available for this issue in iOS 16.7.6 and iPadOS 16.7.6, iOS 17.4 and iPadOS 17.4. An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple says it’s aware of a report that this issue may have seen active exploitation.

CVE-2024-23296: a memory corruption issue in RTKit was addressed with improved validation. An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple says it’s aware of a report that this issue may have seen active exploitation.

RTKit is Apple’s real-time operating system, running on multiple chips in iPhone, Watch, MacBook, and peripherals like the iPod. A real-time operating system, is software that manages tasks on a single core, which is crucial for real-time applications that require precise timing.

Apple included several other vulnerabilities in the update, some of which it listed but it also mentions “Additional CVE entries coming soon.” For protection against attackers reverse engineering updates to find the vulnerabilities, Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Update your iPhones and iPads now: Apple patches security vulnerabilities in iOS and iPadOS 

Researchers have uncovered thousands of "subdomailing" campaigns.

Researchers at Guardio Labs have discovered that a group of spammers is using long-forgotten subdomains from established brands like MSN, eBay, CBS, and Marvel to send out malicious emails. The emails can bypass spam checks and to recipients they look like they come from a legitimate source.

A subdomain is a named sub-division of domain name. For example my.malwarebytes.com and www.malwarebytes.com are both subdomains of the malwarebytes.com domain.

Companies use subdomains for all kinds of purposes, from differentiating marketing campaigns to naming different online systems.

It’s also common practice for companies to create CNAME (Canonical Name) DNS records that alias a subdomain to another domain or subdomain.

For example, the subdomain my.malwarebytes.com is an easy to read alias for a CloudFront server called d1ok04i2z9vvoy.cloudfront.net.

When companies use these techniques and don’t clean up their records after they’re done, criminals can take advantage.

The researchers provide the example of marthastewart.msn.com, which was an alias for the msnmarthastewartsweeps.com domain.

At some point, MSN no longer needed the msnmarthastewartsweeps.com domain and stopped paying for it, but did not remove the CNAME record that alised marthastewart.msn.com to it.

Criminals discovered the link between the two and bought the msnmarthastewartsweeps.com domain.

This is bad, as the researchers explain:

> This means that the subdomain inherits the entire behavior of msnmarthastewartsweeps.com , including it’s SPF policy.

The Sender Policy Framework (SPF) is an anti-spam DNS record that sets out what domains and IP addresses can send email for a particular domain.

By registering the old and forgotten alias msnmarthastewartsweeps.com, the criminals were able to add their own IP addresses to the SPF record, allowing them to send spam from marthastewart.msn.com that passes SPF checks.

Guardio Labs warns that SPF also offers criminals another way to gain control. SPF’s include: syntax can include a list of other domain names that are allowed to send emails on behalf of a domain. If any of the included domains are abandoned, criminals can buy them up and send email on behalf of the parent domain.

Once the researchers knew what they were looking for they identified thousands of instances of so-called “subdomailing”, encompassing both CNAME and SPF-based tactics and going back at least two years.

The sheer number of hijacked subdomains and available IP addresses is big enough for the criminals to cycle through them to minimize detection and depletion of their “assets.”

As an organization it is important to regularly check your domains for signs of compromise and better manage your online assets—starting with removing unused subdomains and DNS records.

Guardio Labs has created a special subdomailing checker website, allowing domain administrators and site owners to quickly check if any trace of abuse has been found. The researchers note that the checker queries a database with the latest domains impacted by CNAME and SPF-based hijacking. So, a positive result does not mean you are safe, just that you haven’t been hijacked yet.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 Check your DNS! Abandoned domains used to bypass spam checks 

American Express has warned affected customers about a breach at a merchant process that leaked account numbers, names, and card expiration dates.

American Express has sent affected customers a warning that “a third party service provider engaged by numerous merchants experienced unauthorized access to its system.”

In a subsequent update, American Express explained that it was not a service provider, but a merchant processor that suffered the breach.

The account information of some card holders may have fallen into the wrong hands. The accessed information includes account numbers, names, and card expiration dates.

Further details about which merchant processor was involved and how, are not available at the time of writing.

American Express said it notified the required regulatory authorities and is alerting impacted customers. The company also told BleepingComputer that if a card member’s credit card is used to make fraudulent purchases, customers won’t be responsible for the charges.

American Express is advising customers to carefully review their account for fraudulent activity. Below are some steps you can take to protect your account.

*   Login to your account at americanexpress.com/MYCA to review your account statements carefully and remain vigilant in doing so, especially over the next 12 to 24 months.
*   If your card is active, sign up to receive instant notifications of potential suspicious activity by enabling Notifications in the American Express Mobile app, or signing up for email or text messaging at americanexpress.com/accountalerts.
*   Make sure American Express has your correct mobile phone number and email address so the company can contact you if needed.
*   If you receive an email relating to American Express that you believe could be fraudulent, immediately forward it to UKemailfraud@americanexpress.com. Do not include your account number in the email.

**Beware of scammers**

Scammers are always on the lookout for data breaches as it presents an opportunity for phishing. There are a few tips to keep in mind.

*   American Express will never ask for sensitive account details by email or phone.
*   Do not install software when asked out of the blue, especially if it reaches you as an email attachment.
*   Scammers will always invoke a feeling of urgency. Don’t let scammers rush you into making wrong decisions.
*   Keep your anti-malware software and security patches up-to-date to prevent fraudsters accessing your details via your computer.
*   If you’re an Android user, be wary of screen overlays on your devices that could capture entered information while you think you are in the actual app. Screen overlays are hard to recognize but on Android you can check **Settings** > **Apps & notifications** \> **Special access** > **Draw over other apps**. (Note that the path may be slightly different depending on your Android version and the phone vendor.) Once there you can review all apps that have the option to “draw over” other apps and see whether or not they have the permission to do so.

**Data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

**Digital Footprint scan**

If you want to find out how much of your own data is currently exposed online, you can try our free Digital Footprint scan. Fill in your email address (it’s best to submit the one you most frequently use) and we’ll send you a report.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

 American Express warns customers about third party data breach 

Last year, 11% of all detections on Macs were caused by malware. The illuminating figure gives a view into the world of Mac cyberthreats.

We’re going to let you in on a little cybersecurity secret… There’s malware on Mac computers. There pretty much always has been.

As revealed in our 2024 ThreatDown State of Malware report, a full 11% of all detections recorded by Malwarebytes on Mac computers in 2023 were for different variants of malware—the catch-all term that cybersecurity researchers use to refer to ransomware, trojans, info stealers, worms, viruses, and more.

That 11% figure may not sound imposing but remember that many people today still believe that Apple devices, including Mac computers, are invulnerable to cyberinfections because of some sort of vague “Apple magic.”

In reality, “Apple magic” is more a byproduct of old advertising (this 2006 commercial from the “I’m a Mac, and I’m a PC” series did irreparable harm) and faulty conclusions concerning cybersecurity’s biggest breaches and attacks: People mistakenly believe that because _most_ attacks target Windows computers and servers, _no_ attacks target Macs.

The truth is far more nuanced, as the visible, overwhelming focus of cyberattacks on Windows machines is a consequence of Microsoft’s long-standing success in business computing.

For decades, every multinational corporation, every local travel agency, every dentist, every hospital, every school, government, and city hall practically ran on Windows. This mass adoption was good for Microsoft and its revenue, but it also drew and maintained the interests of cybercriminals, who would develop malware that could impact the highest number of victims. This is why the biggest attacks, even today, predominantly target Windows-based malware and the sometimes-unpatched vulnerabilities found in Windows software and applications.  

Essentially, as Windows is the biggest target, cybercriminals zero in their efforts respectively.

But new information last year revealed that could all be changing.

****Mac malware tactics shifted in 2023****

Apple’s desktop and laptop operating system, macOS, represents a 31% share of US desktop operating systems, and roughly 25% of all businesses reportedly utilize Mac devices somewhere in their networks.

Already, the cybercriminals have taken note.

In April 2023, the most successful and dangerous ransomware in the world—LockBit—was found to have a variant developed for Mac. Used in at least 1,018 known attacks last year, LockBit ransomware, and the operators behind it, destroyed countless businesses, ruined many organizations, and, according to the US Department of Justice, brought in more than $120 million before being disrupted by a coordinated law enforcement effort in February of this year.

While the LockBit variant for Mac was not operational upon discovery, the LockBit ransomware gang said at the time that it was “actively being developed.” Fortunately, LockBit suffered enormous blows this year, and the ransomware gang is probably less concerned with Mac malware development and more concerned with “avoiding prison.”

Separately, in September 2023, Malwarebytes discovered a cybercriminal campaign that tricked Mac users into accidentally installing a type of malware that can steal passwords, browser data, cookies, files, and cryptocurrency. The malware, called Atomic Stealer (or AMOS for short) was delivered through “malvertising,” a malware delivery tactic that abuses Google ads to send everyday users to malicious websites that—though they may appear legitimate—fool people into downloading malware.

In this campaign, when users searched on Google for the financial marketing trading app “TradingView,” they were sometimes shown a malicious search result that appeared entirely authentic: a website with TradingView branding was visible, and download buttons for Windows, Mac, and Linux were clearly listed.

But users who clicked the Mac download button instead received AMOS.

This malvertising site mimics TradingView to fool users into downloading malware for different operating systems.

Just months later, AMOS again wriggled its way onto Mac computers, this time through a new delivery chain that has more typically targeted Windows users.

In November, Malwarebytes found AMOS being distributed through a malware delivery chain known as “ClearFake.” The ClearFake campaign tricks users into believing they’re downloading an approved web browser update. That has frequently meant a lot of malicious prompts mimicking Google Chrome’s branding and update language, but the more recent campaign imitated the default browser on Mac devices—Safari.

A template is used that mimics the official Apple websites and webpages to convince users into downloading a Safari “update” that instead contains malware.

As Malwarebytes Labs wrote at the time:

> “This may very well be the first time we see one of the main social engineering campaigns, previously reserved for Windows, branch out not only in terms of geolocation but also operating system.”

****Replace “magic” with Malwarebytes****

Cyberthreats on Mac aren’t non-existent, they’re just different. But different threats still need effective protection, which is where Malwarebytes Premium can help.

Malwarebytes Premium detects and blocks the most common infostealers that target Macs—including AMOS—along with annoying browser hijackers and adware threats such as Genieo, Vsearch, Crossrider, and more. Stay protected, proactively, with Malwarebytes Premium for Mac.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 No “Apple magic” as 11% of macOS detections last year came from malware 

Meta has won a court case against spyware vendor NSO Group to reveal the Pegasus spyware code that allows spying on WhatsApp users.

A California federal judge has ordered spyware maker NSO Group to hand over the code for Pegasus and other spyware products that were used to spy on WhatsApp users.

Meta-owned WhatsApp has been fighting NSO in court since 2019, after Pegasus was allegedly used against 1,400 WhatsApp users over the period of two weeks. During this time, NSO Group gained access to the users’ sensitive data, including encrypted messages.

NSO Group justifies the use of Pegasus by saying it’s a beneficial tool for investigating and preventing terrorist attacks and maintaining the safety of the public. However, the company also says it recognizes that some customers might abuse the abilities of the software for other purposes.

Earlier in the court case, NSO Group argued it should be recognized as a foreign government agent and, therefore, be entitled to immunity under US law limiting lawsuits against foreign countries. NSO Group is closely regulated by the Israeli ministry of defense, which reviews and has to approve the sale of all licenses to foreign governments or entities. This is likely also the reason why NSO Group claimed to be excused of all its discovery obligations in the case, due to various US and Israeli restrictions.

NSO Group argued it should only be required to hand over information about Pegasus’ installation layer, but this was denied by the court. The judge ordered NSO Group to provide the plaintiffs with the knowledge needed to understand how the relevant spyware performs the functions of accessing and extracting data.

WhatsApp said that the decision is a major victory in its mission to defend its users against cyberattacks. This may be true if a better understanding of how the spyware works leads to improvements that can thwart future abuse.

However, this is no reason to assume that this will bring an end to NSO Group’s capabilities or willingness to spy on WhatsApp users. NSO Group doesn’t have to disclose the identity of its clients and it only has to produce information concerning the full functionality of the relevant spyware, specifically for a period of one year before the alleged attack to one year after the alleged attacks, which means from April 29, 2018 to May 10, 2020. Things have developed since then.

The US sanctioned NSO Group in 2021 for developing and supplying cyber weapons to foreign governments that used these tools to maliciously target government officials, journalists, business people, activists, academics, and embassy workers.

After that period we saw many zero-day vulnerabilities brought to light in browsers and other online applications very likely used by the NSO to compromise mobile devices.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Source

Malwarebytes