A list of topics we covered in the week of February 5 to February 11 of 2024

February 9, 2024 - Ivanti has found yet another vulnerability in versions of Connect Secure, Policy Secure, and ZTA gateways.

February 9, 2024 - FBI and CISA have produced guidance about Chinese APT group Volt Typhoon and other groups that use Living off the Land (LOTL) techniques.

February 8, 2024 - LastPass has warned about a fake app called LassPass, available in the Apple App Store.

February 8, 2024 - A criminal group called ResumeLooters has stolen the personal information of over two million job seekers from at least 65 different websites.

February 7, 2024 - Your essential guide to toothbrush security.

 A week in security (February 5 &#8211; February 11) 

Ivanti has found yet another vulnerability in versions of Connect Secure, Policy Secure, and ZTA gateways.

In a new blog post, Ivanti says that it has found another vulnerability and urges customers to “immediately take action to ensure you are fully protected”.

This vulnerability only affects a limited number of supported versions–Ivanti Connect Secure (version 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1), Ivanti Policy Secure version 22.5R1.1 and ZTA version 22.6R1.3.

Please read between the lines that there could be unsupported versions which will never see a patch for this vulnerability.

A patch is available now for Ivanti Connect Secure (versions 9.1R14.5, 9.1R17.3, 9.1R18.4, 22.4R2.3, 22.5R1.2, 22.5R2.3 and 22.6R2.2), Ivanti Policy Secure (versions 9.1R17.3, 9.1R18.4 and 22.5R1.2) and ZTA gateways (versions 22.5R1.6, 22.6R1.5 and 22.6R1.7).

Customers can access the patch via the standard download portal (login required). The instructions are somewhat complicated, to say the least. Due to all the different versions that are available, it is imperative to carefully read the instructions.

Customers can read this KB article for detailed instructions on how to apply the mitigation and apply the patch as each version becomes available. Please ensure you are following the KB article to receive updates. If you have questions or require further support, please log a case and/or request a call in the Success Portal.

Important to note:

*   Customers who applied the patch released on January 31 or February 1, and completed a factory reset of their appliance, do not need to factory reset their appliances again.
*   And once customers applied this newly released patch, they do not need to apply the mitigation or the patches released on January 31 and February 1. 

**The vulnerability**

The vulnerability, listed as CVE-2024-22024 with a CVSS score of 8.3 out of 10, allows an attacker to access certain restricted resources without authentication.

An XML external entity injection (XXE) is a web security vulnerability that allows an attacker to interfere with an application’s processing of XML data. It often allows an attacker to view files on the application server filesystem, and/or to interact with any back-end or external systems that the application itself can access.

Ivanti found the XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways.

Since Ivanti claims that the vulnerability came up during internal code reviews, it is unlikely that an exploit already exists, but this type of vulnerability is usually easy to exploit, so chances are, this will not take long.

Although we have seen a pretty convincing claim that they did not find it themselves:

According to Ivanti they are unaware of any evidence of customers being exploited by CVE-2024-22024.

Only a week ago all, FCEB agencies received intructions to disconnect vulnerable Ivanti products before the weekend. This because besides the Ivanti vulnerabilities actively exploited in massive numbers we wrote about on January 11, 2024, alerts went off about two new high severity flaws on January 31, 2024.

All in all, since January 10, five vulnerabilities have been reported in Ivanti products. And at least three of them are subject to active exploitation.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

 Ivanti urges customers to patch yet another critical vulnerability 

2023 saw a 70% increase in ransomware attacks from 2022.

_This article is based on research by Marcelo Rivero, Malwarebytes’ ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, “known attacks” are those where the victim did not pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher._

2023 was an explosive year for ransomware.

While some ransomware trends hardly changed over the last year, such as LockBit’s continued dominance, ransomware criminals also challenged our fundamental assumptions on how ransomware gangs work, such as by exploiting zero-day vulnerabilities. Through thec onsistenciess and evolutions over the last year, one fact remains clear: 2023 broke records **with its total number of 4475 ransomware attacks, a 70% increase from 2022.**

Global ransomware attacks by month, 2022 vs 2023

Global ransomware attacks, 2022 vs 2023

Additionally, LockBit was responsible for a **22% of all ransomware attacks in 2023**, over half as much as the next top five gangs combined. Together, the top 10 ransomware gangs were responsible for **70% of all ransomware attacks**.

Top 10 ransomware gangs in 2023

Breaking 2023 ransomware attacks by sector reveals that **23% of all attack**s were directed against the Services sector. Together, the top 10 sectors accounted for **80% of all ransomware attacks**.

Top 10 industries attacked 2023

The USA was by far the most attacked country in 2023, **with a whopping 45%** of all ransomware attacks targeting the country.

Top 10 countries attacked 2023

Additionally, we’ve sifted through the backlog of our 2023 ransomware reviews to find the most important stories and trends from the last year. Here are five key takeaways from the ransomware world in 2023.

**1\. LockBit was… LockBit**

LockBit remained the most prolific ransomware gang throughout 2023, responsible for several high-profile attacks (such as against Taiwanese chipmaker TSMC). As well, LockBit also unveiled a new variant, LockBit Green, and showed signs of expanding into macOS territory.  

**2\. Law enforcement worked overtime**

Despite 2023 being the worst ransomware year on record, law enforcement notched notable successes in taking down big-name groups, including the FBI’s shutdown of the Hive ransomware group and the seizure of ALPHV’s infrastructure.

**3\. Gangs seized the day with zero-days**

Ransomware gangs, including Cl0p and ALPHV, aggressively exploited zero-day vulnerabilities (e.g., in GoAnywhere MFT, MOVEit Transfer, and Citrix appliances) to launch attacks on a unprecedented scale.

**4\. Big blows dealt to critical infrastructure**

Critical infrastructure (as defined by CISA) took a beating in 2023, with sectors such as logistics, manufacturing, healthcare, and education accounting for almost **30% of all ransomware attacks** in 2023. Education alone (a subsector of the Government Facilities sector) experienced a 70% surge in attacks in the past year, increasing from 129 incidents in 2022 to 265 in 2023.

**5\. New tactics and rebrandings emerged**

Besides an increased focus on exploiting zero-days, ransomware gangs introduced other new tactics in 2023 such as CL0P’s use of torrents for distributing stolen data and innovative social engineering techniques by groups like Scattered Spider. We also saw notable rebrands (i.e Vice Society to Rhysida) and shifts in focus from encryption to purely data theft and extortion.

**Looking ahead**

2023 was a whirlwind year for ransomware: Attacks spiked by 70%, law enforcement landed key victories, gangs pivoted to exploiting zero-day vulnerabilities, and much more.

Going into 2024 it’s safe to say that the threat of ransomware looms large for all organizations—especially those with shrinking security budgets and overtaxed IT teams, organizations located in the US, critical infrastructure sectors like education.

Fighting off ransomware gangs requires a layered security strategy. Technologies such as Endpoint Protection (EP) and Vulnerability and Patch Management (VPM), for example, are vital first defenses to reduce the attack surface breach likelihood.

The key point, though, is to assume that motivated gangs will eventually breach any defenses. Endpoint Detection and Response (EDR) is crucial for finding and removing threats before damage occurs. And for the ultimate assurance of uptime —choose an EDR solution with ransomware rollback to undo changes and restore files so that productivity continues.

**How ThreatDown Addresses Ransomware**

ThreatDown Bundles take a comprehensive approach to ransomware. Our integrated solutions combine EP, VPM, and EDR technologies, tailored to your organization’s specific needs, including:

*   Advanced Web Protection: Blocking phishing websites ransomware gangs use for initial access. 
*   RDP Shield: Securing remote access points with Brute Force Protection. 
*   Continuous Vulnerability Scanning and Patch Management: Identifying and patching weaknesses before ransomware gangs can exploit them. 
*   Sophisticated EDR: Detecting and neutralizing advanced threats such as LockBit within the network. 
*   Ransomware Rollback: Reversing the impact of any successful attacks. 

ThreatDown EDR detecting LockBit ransomware

ThreatDown automatically quarantining LockBit ransomware

For resource-constrained organizations, select ThreatDown bundles offer Managed Detection and Response (MDR) services, providing expert monitoring and swift threat response to ransomware attacks—without the need for large in-house cybersecurity teams.

**Experience ThreatDown Bundles**

 Ransomware in 2023 recap: 5 key takeaways 

FBI and CISA have produced guidance about Chinese APT group Volt Typhoon and other groups that use Living off the Land (LOTL) techniques.

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), and other authoring agencies have released a joint guidance about common living off the land (LOTL) techniques and common gaps in cyber defense capabilities.

Living Off The Land (LOTL) is a covert cyberattack technique in which criminals carry out malicious activities using legitimate IT administration tools.

This joint guidance comes alongside a joint Cybersecurity Advisory (CSA) called PRC State-Sponsored Actors Compromise and Maintain Persistent Access to US Critical Infrastructure.

These publications are a reaction to recent warnings about attacks on critical infrastructure by groups allegedly connected to the Chinese (PRC) government.

The FBI recently used a court order to remove malware from hundreds of routers across the US because it believed the attack was the work of an Advanced Persistent Threat (APT) group known as Volt Typhoon. US officials said the botnet was designed to give Chinese attackers persistent access to critical infrastructure. Routing their traffic through these gateways would hide the actual origin of malicious attempts to reach inside utilities and other targets.

In May of 2023, Microsoft uncovered stealthy and targeted malicious activity by Volt Typhoon. The activity focused on post-compromise credential access and network system discovery aimed at critical infrastructure organizations in the United States.

As Jen Easterly, the director of CISA put it in a hearing before the House Select Committee

> “We have seen a deeply concerning evolution of Chinese targeting of US critical infrastructure. We have seen them burrowing deep into critical infrastructure to enable destructive attacks. This is a world where a crisis across the world could well endanger the lives of Americans here.”

And it’s not just the US. The Dutch Military Intelligence Service (MIVD) found a Remote Access Trojan (RAT) on one of their networks which they identified as Chinese malware.

The Living of the Land (LOTL) guide does not exclusively focus on Chinese state actors though. It also includes methods deployed by Russian Federation state-sponsored actors, and will likely apply to Ransomware-as-a-Service (RaaS) gangs that leverage legitimate tools to evade detection too.

So, it’s important to be aware of what your cybersecurity team, internal or managed (MDR) should be looking for when it comes to suspicious use of legitimate tools, unusual network connections, and other signs of malicious activities.

The guidance stipulates that LOTL is particularly effective because:

*   Many organizations lack effective security and network management practices (such as established baselines) that support detection of malicious LOTL activity—this makes it difficult for network defenders to discern legitimate behavior from malicious behavior and conduct behavioral analytics, anomaly detection, and proactive hunting.
*   There is a general lack of conventional indicators of compromise (IOCs) associated with the activity, complicating network defenders’ efforts to identify, track, and categorize malicious behavior.
*   It enables cyber threat actors to avoid investing in developing and deploying custom tools.

So, it provides some best practices for detecting and hardening that are all explained in detail.

*   Implement write once, read many detailed logging to avoid the risk of attackers modifying or erasing logs.
*   Establish and continuously maintain baselines of network, user, administrative, and application activity and least privilege restrictions.
*   Build or acquire automation to continually review all logs to compare current activities against established behavioral baselines and alert on specified anomalies.
*   Reduce alert noise by fine-tuning via priority (urgency and severity) and continuously review detections based on trending activity.
*   Leverage user and entity behavior analytics to identify abnormal and potentially dangerous user and device behavior.
*   Apply and consult vendor-recommended guidance for security hardening.
*   Implement application allowlisting and monitor use of common LOTL binaries (LOLBins).
*   Enhance IT and OT network segmentation and monitoring.
*   Implement authentication and authorization controls for all human-to-software and software-to-software interactions regardless of network location.

Understanding the context of LOTL activities is crucial for accurate detection and response. Many of the tips that Malwarebytes provides for avoiding ransomware will prove to be useful in state sponsored attacks as well, although the latter can be even more targeted in some situations.

*   **Block common forms of entry.** Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
*   **Prevent intrusions.** Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
*   **Detect intrusions.** Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption.** Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Further on, CISA  urges software manufacturers to implement secure by design rules in their software, to reduce the prevalence of weak default configurations and passwords, recognize the need for low or no-cost enhanced logging, and other exploitable issues identified in the guide.

Insecure software allows threat actors to leverage flaws to enable LOTL techniques and the responsibility should not solely be on the end user. By using secure by design principles, software manufacturers can make their product lines secure out of the box without requiring customers to spend additional resources making configuration changes, purchasing security software and logs, monitoring, and making routine updates.

Living off the Land is one of six cyberthreats that resource-constrained IT teams need to be ready to combat in 2024, covered in our 2024 State of Malware report.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 FBI and CISA publish guide to Living off the Land techniques 

LastPass has warned about a fake app called LassPass, available in the Apple App Store.

Password Manager LastPass has warned about a fraudulent app called “LassPass Password Manager” which it found on the Apple App Store.

The app closely mimics the branding and appearance of LastPass, right down to the interface. So, even if the name was a “happy accident” it seems clear that this was a purposeful attempt to trick users installing the fake app.

The fake app can be recognized not only by the name, but other misspellings in the screenshots, and the app lists Parvati Patel as the developer and the privacy policy as hosted at bluneel\[.\]com. The developer of the legitimate LastPass app is LogMeIn, Inc. 

While using a genuine password manager provides extra security, entrusting your passwords to an app that is a rip-off does not. Obviously, storing all your passwords in an app that is not trustworthy can get you in all kinds of trouble, including identity theft.

We have not tested if the app sends your passwords to a third-party, but we should assume that it does just that.

In the App Store the impersonator claims to be “Trusted by over 1+ million users and 10,000+ businesses” which clearly can’t be right and was most certainly copied from LastPass.

LastPass states that it is:

> “… actively working to get this application taken down as soon as possible, and will continue to monitor for fraudulent clones of our applications and/or infringements upon our intellectual property“

But at the time of writing the app was still available in the Apple App Store.

Malwarebytes Premium and Malwarebytes Browser Guard block the domain bluneel\[.\]com so users will see a warning about the trustworthiness of the app.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

 Warning from LastPass as fake app found on Apple App Store 

A criminal group called ResumeLooters has stolen the personal information of over two million job seekers from at least 65 different websites.

A cybercriminal group known as ResumeLooters has infiltrated 65 job listing and retail websites, compromising the personal data of over two million job seekers.

The group used SQL injection and cross-site scripting (XSS) attacks—both common techniques— to extract the sensitive information from the websites.

The attacks primarily focused on the Asia-Pacific (APAC) region, targeting sites in Australia, Taiwan, China, Thailand, India, and Vietnam. However, other compromised companies were located in other regions, including Brazil, Italy, Mexico, Russia, Turkey, and the US.

Researchers first detected the activity of the group in November 2023, and tracked the massive malicious campaign targeting employment agencies and retail companies. Due to the criminals’ focus on job search platforms and the theft of resumes, the researchers dubbed the group ResumeLooters.

The stolen data is hard to quantify given the amount of sources, but it may include names, phone numbers, emails, and dates of birth, as well as information about job seekers’ experience, employment history, and other sensitive personal data.

The stolen data were put up for sale on Chinese-speaking Telegram channels. This and other indicators make it very likely that the group is of Chinese origin.

If you want to find out how much of your own data is exposed online, you can try our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a report.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

 2 million job seekers targeted by data thieves 

Your essential guide to toothbrush security.

February 7, 2024 - We look at a scam campaign on Facebook that continues to do the rounds, and how you can recover your compromised account.

February 6, 2024 - The State of Malware 2024 report covers some topics that are of special interest to home users: privacy, passwords, malvertising, banking Trojans, and Mac malware.

February 6, 2024 - Big Game ransomware is just one of six threats resource-constrained IT teams need to pay attention to in 2024.

February 6, 2024 - Safer Internet Day is all about raising awareness about a safer and better internet for all, and especially for children and young people.

February 5, 2024 - Clorox has reported losses of $49 million following a cyberattack in mid-2023.

 How to tell if your toothbrush is being used in a DDoS attack 

We look at a scam campaign on Facebook that continues to do the rounds, and how you can recover your compromised account.

Recently I wrote about a malvertising campaign on Facebook that has been going on for almost a year. Apparently Facebook is struggling to stop this campaign, so now this type of campaign is showing up in other languages than English.

I have seen two different types in German.

**First Facebook scam**

_Translation: Deadly accident on highway causes several fatalities_

Notable about this one is that it was posted as a fundraiser and does not allow comments, which blocks me from posting a warning that this is a scam.

I reached out to the person that owns the account to find out if he knew how his account got compromised. He had no idea, but told me that it seemed like a lot of people were having the same issues. Not only did he see the same type of posts, but he also got a lot of Messenger messages prompting him to click a link.

In the past we’ve seen campaigns on Messenger where clicking such a link would install a Facebook app that required posting permissions. These apps would then spread further from the compromised user account.

The host storage.googleapis.com gives the link a legitimate feel, but that feeling is not justified. Although googleapis.com is a legitimate service provided by Google, it’s being abused by all sorts of cybercriminals for phishing, tech support scams, and in this case fingerprinting. The script on that site looks at your IP address, your type of machine and whether you are using a VPN. Based on the analysis of that information you are forwarded to the type of scam that is likely to be the most profitable.

An example of a redirect URL shows some of the elements that were fingerprinted.

https://byxzz.altairaquilae[.]top/?pl=Yyo1IAH5aE2Q4g9YuOImuw&click_id=da5d3q51mm737150e7&sub_id=18222478-Edge%20(Chromium)%20for%20Windows-Windows

Malwarebytes has already blocked the windyplentiful.com domain for Malvertising.

_Malwarebytes Premium blocks the domain windyplentiful.com_

**Second Facebook scam**

The second example is easier to identify as a fake. Both the ambulance and the wrecked motorcycle hail from California, so this highly unlikely to have happened on the German autobahn.

_Translation: Accident causes several victims including a child_

Not only is the picture clearly not German, the grammar used in the sentence is another sign as it’s a bad translation.

When I set my VPN to pretend I was located in Germany, the script identified it as an anonymous proxy and stopped there.

Switching back to the Netherlands I got to “enjoy” sites with explicit content, scam sites where celebrities encourage investing in cryptocurrencies, and websites offering browser push notifications.

These browser push notifications are a very annoying type of advertising, often associated with tech support scams, explicit content, gambling, and anything else that pays a handsome referral bonus.

Several attempts on both images led to different domains as well. Other blocks we encountered during our research:

_Malwarebytes Premium blocks 188.114.96.0_

_Malwarebytes Premium blocks the subdomain oyglk.altairaquilae.top_

**How to recover from a Facebook scam**

You can recognize this type of scam because they usually tag several friends of the victim. And although the image looks like a click will start a video, it never has for me. The images were hosted at media.discordapp.net/attachments and although the pages contain a link to Vimeo, the videos there have already been removed or were never even there.

If you find your account has posted a message like this, you should assume that someone else has full control over your Facebook account. Simply changing the password is not always enough.

1.  Check for unknown and unused Facebook apps.
    *   Click your profile picture.
    *   Select **Settings & Privacy**, then click **Settings**.
    *   Click **Apps and Websites**.Go to the app or game you want to remove, then next to the name of the app or game, click **Remove**.
    *   Click **Remove** again to confirm.
2.  Enable two-factor authentication (2FA)
    *   Go to your **Security and Login Settings**.
    *   Scroll down to **Use two-factor authentication** and click **Edit**.
    *   Choose the security method you want to add and follow the on-screen instructions.
3.  Change your password on Facebook if you’re already logged in:
    *   Click your profile picture.
    *   Select **Settings & Privacy**, then click **Settings** (or **Accounts Center** if you’re on your phone).
    *   Click **Security and Login** (or **Password and Security** if you’re on your phone).
    *   Click **Edit** next to **Change password** (or just **Change password** if you’re on your phone).
    *   Enter your current password and new password.
    *   Click **Save Changes**.

If you’re logged in but have forgotten your password or it has been changed to something you don’t know, follow the steps above to change your password, then click **Forgot your password?** and follow the steps to reset it. Keep in mind that you’ll need access to the email associated with your account.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

 Facebook fatal accident scam still rages on 

The State of Malware 2024 report covers some topics that are of special interest to home users: privacy, passwords, malvertising, banking Trojans, and Mac malware.

Released today, the Malwarebytes State of Malware 2024 report takes a deep dive into the latest developments in the world of cybercrime. 

As home users, many of the threats we cover will only affect you second hand, such as disruptions after a company suffers a ransomware attack, or when your private information is sold online after a data breach. Sadly, there’s not a lot you can do to prevent incidents like these yourself, other than stay on top of the news and protect yourself against identity theft. 

But other threats you can do something about. So in this article we’ll focus on what threats affect you directly and how you can protect yourself. 

**Privacy **

In the last year, the UK’s Online Safety Act attempted to challenge the status quo for social media and messaging companies. The act was widely interpreted as a demand that companies scan users’ messages for illegal material, and is a first warning about the directions in which privacy may continue to be threatened in the name of greater good.  

It also acts as a reminder to be careful about what you share, even if you are under the impression that you are using the internet securely. We have seen news of ChatGPT leaking user’s information and law enforcement asking for backdoors in encryption routines. 

**Passwords **

Google and Microsoft made good on their promise to back passkeys, an encryption-based alternative to passwords that can’t be stolen, guessed, cracked, or phished.

We’d like to see more companies embrace new methods of authentication and wave passwords goodbye: Too many breaches have shown us that user education only works for those that were already doing the right things. Keeping track of the hundreds of passwords an average user has, along with the relative complexity of using a password manager have convinced us it’s time for a better alternative. 

**Malvertising **

If the last year has taught us something, it’s that scammers and malware peddlers can afford to buy sponsored search results and outbid the brand owner so that their links come out on top. Cybercriminals create Google Search ads mimicking popular brands, which lead to highly realistic, replica web pages where users are scammed or tricked into downloading malware. 

Despite efforts on the side of search providers like Google, the cybercriminals remained one step ahead, able to consistently bypass ad verification checks all year. The type of malware that’s used varies with each campaign but infostealers (which gather information from your computer, such as usernames and passwords) were the most common type. 

**Banking Trojans **

Banking trojans are one of the most serious threats facing Android devices. Banking trojans come disguised as regular apps like QR code scanners, fitness trackers, or even copies of popular apps like Instagram. 

The malicious app asks the user for permissions that allow it to monitor what happens in other apps and will then create overlay screens for legitimate apps. This allows them to capture login credentials and even multi-factor authentication (MFA) tokens.

**Mac malware **

The days of “my Mac is safe” and “Macs don’t get malware” are definitely over. There are many signs that criminals are taking note of the platform’s increasing popularity by enabling attacks to target both Windows and Mac users at the same time. 

Contrary to outdated beliefs, malware for Macs has always existed, it was just considered less serious since most Mac malware was adware or potentially unwanted programs (PUPs). This is changing. For example, in September, 2023, Malwarebytes discovered a cybercriminal campaign spreading Atomic Stealer (AMOS) malware to Mac users through malicious ads. AMOS malware can steal passwords from browsers and Apple’s Keychain, as well as grab files.

**Malwarebytes  **

Malwarebytes has solutions to safeguard individuals’ data and identities. We can protect your Android and iOS devices, Macs, Chromebooks, and Windows systems. We also have software to protect your identity, safeguard your online privacy, and block unwanted ads and trackers.

 State of Malware 2024: What consumers need to know 

Big Game ransomware is just one of six threats resource-constrained IT teams need to pay attention to in 2024.

Today, Malwarebytes released its 2024 State of Malware report, detailing six cyberthreats that resource-constrained IT teams should pay attention to in 2024. Top of the list is “Big Game” ransomware, the most serious cyberthreat to businesses all around the world.

Big game attacks extort vast ransoms from organizations by holding their data hostage—either with encryption, the threat of damaging data leaks, or both. The report reveals that, awash with money, the number of known Big Game attacks surged by 68% in 2023, thanks to Ransomware-as-a-Service groups like LockBit and ALPHV.

Known ransomware attacks July 2022 – December 2023

Big Game ransomware is just one part of a thriving and highly organized cybercrime business—a multi-billion-dollar mirror to the legitimate economy it feeds off. Its ecosystem supports entire supply chains, dotted about with specialized organizations like access brokers and malicious software vendors. It has brand names, PR stunts, HR departments, incentive schemes, and “employees of the month.”

And like broader, law-abiding “Business” at large, cybercrime has settled on a collection of tools that work. Its activity is built around evergreen techniques like phishing, software exploits, and password guessing, along with mature malicious technologies like info stealers, trojans, and ransomware.

For years, the latest iterations of these ideas have only offered marginal improvements on their predecessors. As a result, innovation in cybercrime has increasingly shifted towards tactics—advancements that focus more on how attacks can succeed and less on what malware can do. The 2024 State of Malware report also details how ransomware gangs use Living of the Land (LotL) techniques to hide in plain sight, and how one gang, CL0P, turned to automated zero-day attacks to break ransomware’s scalability barrier.

The report also explains how cybercriminals turned to a tactic called “malvertising” in 2023, using search ads and disposable websites that mimic legitimate brands to distribute malware as an alternative to malicious emails and document macros.

And as Macs continued to buck the trend in declining PC sales, some criminals began to add Mac malware, like Atomic Stealer, to their Windows distribution channels.

As we enter 2024, malware is as dangerous as ever, but when it is used, it is just one link in an attack chain of multiple different threats. IT and security teams now face active adversaries, zero-day exploits, compromised accounts, social engineering, and a range of other threats that don’t meet the traditional definition of malware. Against this backdrop, security budgets are shrinking while resource-constrained IT and security teams firefight ever more complex environments.

When it comes to security, “more of the same” will not work in 2024, so this year’s report also outlines what effective cyberdefense in the year ahead will require.

To learn more about the most serious threats facing IT teams in 2024, and how to combat them, download the 2024 State of Malware report.

Source

Malwarebytes