ThreatDown has earned 37/37 awards over nine consecutive quarters.

ThreatDown Endpoint Protection (EP) achieved the highest possible score (100%) and received certifications for Level 1, Exploit, Online Banking, and Ransomware in the most recent anti-malware efficacy assessment results for the Q3 2023 evaluation performed by MRG Effitas, a world leader in independent IT research.

These results mark the ninth time in a row ThreatDown has received all certification awards, and is now officially the only vendor to win every single certification and award from Q3 2021 through Q3 2023.

MRG Effitas assesses a product’s ability to meet today’s most pressing threats in-the-wild, such as stopping zero-day malware, ransomware, and exploits—and doing so with speedy performance and low false positives.

After unveiling their new phishing assessment in Q2 2023, MRG Effitas in Q3 2023 began awarding a full-on 360° Phishing Certification to vendors who could take down phishing threats.

ThreatDown blocked 100% of phishing attempts in the In-the-Wild (ITW) Phishing Test. In other words, ThreatDown is the only vendor to consistently receive all 4 award logos and block 100% of phishing attempts.

How we were able to do it: The signature and behavior-based detection techniques and proprietary anti-exploit technology of ThreatDown EP allowed it to detect and autoblock more malware than any other competitor on the Q3 test. In addition, the Web protection layer of our EP blocks access to and from known or suspicious Internet addresses, allowing us to ace the phishing tests.

As an integral foundation layer for ThreatDown Bundles, these results prove that ThreatDown provides reliable and comprehensive protection against a wide range of threats.

Let’s dive into where we prevented more than the rest and how we were able to do it.

**100% of phishing attempts blocked **

Given the frequency and risks associated with phishing attacks today, it’s clear that modern endpoint security needs to protect against these attacks.

According to Verizon, attackers used phishing for initial access in 15% of data breaches in 2022. CISA also showed that, within the first 10 minutes of receiving a phishing email, 84% of employees took the bait. After successfully compromising a system through phishing, threat actors can further their attacks by dropping ransomware or stealing sensitive data, leading to costly financial and reputational damages.

**ThreatDown blocked 100% of phishing attempts in the ITW Phishing Test and was only one of two vendors to score 80% or above in the Phishing Simulator Test.**

How we were able to do it: ThreatDown EP, the foundation for ThreatDown Bundles, features a Web protection layer that blocks access to and from known or suspicious Internet addresses.

**100% of ransomware blocked **

Using a blend of signature and signature-less technologies, the anti-ransomware layer of ThreatDown EP constantly monitors endpoint systems and automatically kills processes associated with ransomware activity.

MRG Effitas tested security products against 65 ransomware samples. In addition, they tested four ransomware simulator samples created in-house, ensuring the security product could only rely on its behavior scanning modules. To test for false positives, a device running ThreatDown EP also ran three benign programs designed to mimic ransomware behavior.

ThreatDown blocked 100 percent of ransomware threats in the MRG Effitas assessment and did so with no false positives, allowing the three benign programs to run. For this we earned the 360° Ransomware Certification.

**100% of banking malware blocked **

In 2021, 37% of banking malware attacks targeted corporate users. 

We were one of the few vendors who earned a 360° Online Banking Certification, which means ThreatDown EP stopped 100% of threats designed to steal financial information and money from victim’s accounts. To outperform the others, our unique detection technology again came into play.

ThreatDown EP blocked 100% of the 16 financial malware samples, the Magecart credit card-skimming attack, and Botnets designed to steal credentials.

**100% of zero-day threats blocked **

One of the many strong suits of our detection is that it can detect malware that has never been seen before, also called zero-day malware. Again, we were one of the only vendors to detect and block these pernicious threats, which account for 80% of successful breaches.  

Built on machine learning (ML) and behavioral analysis techniques, our behavior-based detection enabled ThreatDown EP to detect and block 100% of all zero-day threats. For this, as well as blocking all Botnets, we earned the 360° Level 1 Certification.

**100% of exploits blocked **

The anti-exploit feature of ThreatDown EP protects organizations from one of the most advanced cyber attacks: zero-day exploits targeting browser and application vulnerabilities.  

But don’t take our word for it: MRG Effitas used 8 different exploitation techniques to try and deliver a malicious payload on a device running ThreatDown EP—but they didn’t get very far. Malwarebytes earned the 360° Exploit Certification for autoblocking 100% of Exploit/Fileless attacks, entirely protecting the system from infection.  

We were one of the few to earn the 360° Exploit Certification all thanks to our proprietary anti-exploit technology, which wraps vulnerable programs in four defensive layers that prevent an exploit from installing its payload, or even executing initial shellcode. 

**Consistency is key **

If there is one shining take away from this accomplishment, it’s that consistency is key.

You don’t want a security solution that passes rigorous tests like MRG Effitas only some of the time. You want a solution that passes them with flying colors all of the time. Clearly, ThreatDown EP, and by extension our ThreatDown Bundles, is that solution.

For organizations that are concerned their current solution may not be up-to-par, the MRG Effitas assessment has demonstrated that ThreatDown—more consistently than anybody else—has what it takes to keep your business safe from today’s most pressing cyberthreats.

 Malwarebytes wins every MRG Effitas award for 2 years in a row 

The NCSC issued a report that warns about the growth and impact of malware, especially ransomware, due to the availability of AI.

The British National Cyber Security Centre (NCSC) says it expects Artificial Intelligence (AI) to heighten the global ransomware threat.

In a report, the NCSC makes the assessment that AI will almost certainly increase the volume and heighten the impact of cyberattacks over the next two years. We’re already seeing that cybercriminals of all trades are using AI in the initial stages of attacks to increase their effectiveness. The NCSC confirmed, saying:

> “All types of cyber threat actor – state and non-state, skilled and less skilled – are already using AI, to varying degrees.”

The NCSC expects the volume and the impact of cyberattacks to grow over the next two years.

The volume is expected to grow because AI lowers the barrier for entry-level cybercriminals to carry out effective access and information gathering operations.

The impact is expected to grow for several reasons:

*   AI already helps cybercriminals to compose more effective phishing emails.
*   AI will help to improve existing tactics, techniques, and procedures (TTPs).
*   Reconnaissance and social engineering are specific fields where AI can be deployed.
*   Stolen data can be analyzed by AI-driven tools and used for even more effective attacks.
*   More advanced threat actors, like state sponsored groups will be on the forefront of more sophisticated methods to utilize AI and others will follow.

Generative AI (GenAI) can already be used to create and entertain a convincing interaction with victims, including the creation of lure documents, without the translation, spelling, and grammatical errors that used to reveal phishing.

The NCSC expects that by 2025, GenAI and large language models (LLMs) will make it difficult for everyone, regardless of their cybersecurity posture, to assess whether an email or password reset request is genuine, or to identify phishing, spoofing, or other social engineering attempts.

Currently only state sponsored groups, professional spyware vendors, and the large criminal operations have access to, and know how to use advanced AI tools to increase the effectivity of their attacks. But that availability will undoubtedly grow.

In how far new moves on the front of a United Nations Cybercrime Treaty will have a short-term effect on the behavior of state-sponsored groups is very hard to predict. I’m inclined to say that international legislation has never stopped any hacktivist before, they were just more careful about revealing their location and their principals.

Professional spyware vendors have deep enough pockets to invest in new tools, training, and development. We can expect them to use AI to find new zero-day vulnerabilities and new exploits for largely unpatched vulnerabilities.

As we at Malwarebytes Labs have tested ourselves, ChatGPT can be used to write ransomware. While this may draw new players to the field, they are not expected to have an immediate impact on the threat level. But the NCSC does expect AI to play a larger role in the near future when it comes to the development of malware and exploits.

Since ransomware is the most profitable form of malware at the moment, and this is expected to stay that way, this threat is likely to see the largest increase in volume. Which means that for the visible part of cybercrime, the landscape is not likely to change dramatically. The numbers may increase and the sophistication of the attacks is likely to grow, but the type of malware is probably the same.

To sum up the conclusion of the report, NCSC chief executive Lindy Cameron said:

> “The emergent use of AI in cyberattacks is evolutionary not revolutionary, meaning that it enhances existing threats like ransomware but does not transform the risk landscape in the near term.”

**How to avoid ransomware**

*   **Block common forms of entry.** Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
*   **Prevent intrusions.** Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
*   **Detect intrusions.** Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption.** Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 AI likely to boost ransomware, warns government body 

A new vulnerability in Fortra GoAnywhere MFT now has exploit code available that allows an attacker to create a new admin user.

On January 22, 2024, software company Fortra warned customers about a new authentication bypass vulnerability impacting GoAnywhere MFT (Managed File Transfer) that allows an attacker to create a new admin user.

Fortra GoAnywhere MFT is a file transfer solution that organizations use to exchange their data. Some of the organizations that use GoAnywhere MFT are considered vital infrastructure such as local governments, financial companies, healthcare organizations, energy firms, and technology manufacturers.

The flaw impacts Fortra GoAnywhere MFT 6.x from 6.0.1 and Fortra GoAnywhere MFT 7.4.0 and earlier.

Customers should either install the latest update (now at 7.4.1) to fix the vulnerability, or eliminate the vulnerability in non-container deployments by deleting the InitialAccountSetup.xhtml file in the install directory and restarting the services. For container-deployed instances, replace the file with an empty file and restart. For additional information, see this advisory for customers (registration required).

By handing out these specific instructions it was to be expected that exploit code would come sooner rather than later. And, indeed, researchers were quick to analyze the flawed file and come up with an exploit and Proof-of-Concept (PoC) code.

Fortra told BleepingComputer earlier that there have been no reports of attacks exploiting this vulnerability. This might change quickly now that exploit code is readily available. To find out if your instance was compromised you should look for any new additions to the **Admin Users** group in the GoAnywhere administrator portal **Users** -> **Admin Users** section. Any new and unknown administrative users indicate a compromise and the login date will give you an idea about the time of compromise.

You can also look at the logs for the database which are stored at \GoAnywhere\userdata\database\goanywhere\log\*.log. These files contain a transactional history of the database, adding users will create entries in that log.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. This vulnerability is listed as:

CVE-2024-0204: Authentication bypass in Fortra’s GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal.

Basically it’s a path traversal flaw that allow attackers to read, and write to, restricted files by inputting path traversal sequences like ../ or /..;/ into file or directory paths.

If the mention of the name of Fortra GoAnywhere sent shivers down your security sensors, you may have been reminded of the exploitation by the Clop ransomware gang of a vulnerability in the same software last year.

Despite several warnings about last year’s vulnerability, a great many victims were made even after the patch was available.

Let’s hope we are capable of learning from the mistakes we made in the past.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

 Patch now! Fortra GoAnywhere MFT vulnerability exploit available 

2023 was the worst ransomware year on record for Education.

_This article is based on research by Marcelo Rivero, Malwarebytes’ ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, “known attacks” are those where the victim **did not** pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher._

2023 was the worst ransomware year on record for Education: according to original ThreatDown research, the sector witnessed a staggering **70% surge** in attacks in the past year, increasing from 129 incidents in 2022 to 265 in 2023.

The spike is further underscored by the increase in median monthly attacks. In 2022 there was an average of 11 attacks per month, but by 2023, this number leapt to 21—marking an **91% uptick** in monthly attacks.

Although the attacks were carried out by several ransomware gangs, two in particular were responsible for the lion’s share of 2023 attacks (50%)—**LockBit and Rhysida** (a rebrand of Vice Society). The data also shows that, while ransomware attacks against education are a global phenomenon, the **US** (with 80% of known attacks) and the **UK** (with 12%) were hit the most frequently attacked countries between January 2023 and December 2023.

Let’s break down attacks on the education sector by the ransomware gangs involved, the countries of target, and which gangs attacked which countries the most.

**The Threat Landscape**

The top gangs that targeted the education sector between January 2023 and December 2023 include **LockBit (60), Vice Society/Rhysida (44)**, CL0P (22), Medusa (17), and Akira (15). Together, these 5 gangs were responsible for about 81% of all Education ransomware attacks.

When we look at which gangs attack educational institutions most **consistently** (with attacks in at least six different months), however, the data tells a slightly different story. While top gangs such as CL0P and Royal may have targeted a significant amount of educational institutions, they tend to attack a majority of their victims in just one or two months.

Again, LockBit and Vice Society/Rhysida emerge as the most consistently prolific attackers against the Education sector. Notice too that Vice Society hasn’t been active since June 2023—the same month we witnessed the rise of Rhysida.

**Geographic Distribution**

When we break down education sector attacks by country, it becomes clear that the US and the UK have a huge target on their back. The US, however, bore the brunt of the onslaught, with **169** reported attacks.

**K-12 vs Higher Ed**

In 2023, **43%** of all ransomware in education attacks in 2023 targeted Higher Ed and **36% of attacks targeted K-12**.

Some of the most high profile attacks on Higher Ed and K-12 in 2023 include an attack against Western Michigan University, which caused a 13-day service disruption, and against the Minneapolis School District, which resulted in over 300,000 files leaked and a $1 million ransom.

**K-12 trends YoY**

Ransomware attacks on K-12 increased **92% between 2022 and 2023**, with 51 attacks in 2022 and 98 total attacks in 2023.

**Higher Ed trends YoY**

Ransomware attacks on Higher Ed increased **70% between 2022 and 2023**, with 68 attacks in 2022 and 116 total attacks in 2023.

**Looking Ahead**

The reality is that tight budgets of many educational institutions force them to struggle with outdated equipment and limited staff, making education an easy target for ransomware gangs. To recap, our key findings include:

*   2023 witnessed a worrying **70% rise in ransomware attacks** on the education sector, increasing from 129 incidents in 2022 to 265.
*   The median number of monthly attacks **surged by 91%**, indicating a heightened and consistent threat throughout the year.
*   LockBit and Rhysida emerged as the primary attackers, responsible for about **50%** of all attacks.
*   The US and the UK bore the brunt of ransomware in education attacks, with over **90% of all attacks** being against these two countries.
*   Both K-12 and higher education institutions faced significant increases in attacks, with a **92% rise in attacks on K-12 and 70% in higher education**, showing widespread vulnerability across all levels of the educational sector, but especially K-12.

Ready to shield your school against threats like LockBit and Rhysida?

The ThreatDown K-12 Bundle integrates AI-driven endpoint security, constant expert monitoring, comprehensive device management, and advanced mobile defense—all at a price that makes sense.

 2024 State of Ransomware in Education: 92% spike in K-12 attacks 

Your smart devices may reveal information about you or your location to an ex-partner. Here's how to lock them out.

Stalkers can use all kinds of apps, gadgets, devices, and phones to spy on their targets, which are often their ex-partners. Unfortunately, while they no doubt have many positive uses, smart home devices give stalkers an array of tools to keep an eye on their targets.

If you are the partner that stays in the house you shared together, you need to make sure that you lock out your ex-partner. This may seem unnecessarily painful at first, but it’s better to be safe than sorry. Your ex doesn’t need to be a hacker when he still has access.

Consider the apps you have shared from your phone. Some of these apps can be queried for information about where, when, and with which device they were last accessed. If you want to keep those apps, make sure you have full control and nobody else has access.

Any camera in your house surely stores more footage about you and your family than of any burglar and this footage is usually stored in the cloud. That means it can be viewed by anyone who has correct login credentials. And, when most people think of security cameras and baby monitors, they will ignore less obvious smart appliances.

A smart doorbell can give away who comes to visit you and when. The setting of your smart thermostat can reveal whether you are at home, in your bed, or if you went out for a while. Even smart lighting systems may give away information about your location inside the house or whether you’ve gone out. Your ex will know some of your habits and can use that to interpret the information provided by smart appliances.

Other smart appliances that may reveal information about you or your whereabouts include your TV, coffee maker, oven, refrigerator, and cleaning robot. Someone could also use these smart appliances to make your life miserable. They may be able to remotely turn up the heat, flash your lights, defrost your refrigerator, set a timer for your oven, and so on.

**How to lock out your ex-partner from your smart home**

There may be more smart appliances in your house than you realize. So, it’s important to make a list and get familiar with their settings, so you can:

*   Change the passwords to previously shared accounts.
*   Make sure that your ex doesn’t have access to the email address any “password reset” mails get sent to.
*   Terminate shared social media accounts.
*   Review access to your Google, iCloud, and email accounts. A malicious stalker with access to such important accounts can ruin your life.
*   Log out devices that are not yours from any app your ex may have had access to.
*   Scan your phone for stalkerware if your ex may have had access to the device.
*   Check your phone for apps that have access to location data and ask yourself whether they actually need them. (see below for instructions).

**How to disable location services**

On **iPhones** you can turn location services off completely at **Settings** > **Privacy & Security** > **Location Services**. Here you can also see, and control, individually which apps and system services have access to Location Services data.

On **Android** devices these settings can be different based on vendor and Android version, but generally speaking one of these methods should work to access Location settings:

Swipe down from the top of the screen and find the Location icon. Touch and hold **Location**

*   or  –

In the **Settings** app > press **Location**

Here you can turn **Location** off or look at the permissions for each individual app.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

 How to lock out your ex-partner from your smart home 

Apple has released new security updates for several products including a patch for a zero-day vulnerability which may have been exploited.

Apple has released new security updates for several products, including a patch for a zero-day vulnerability that could impact iPhones, iPad, Macs, and Apple TVs.

Apple says it’s aware of a report that the bug may have been exploited already. Further details about the nature of the vulnerability were not disclosed to give users enough time to install the updates.

The updates may already have reached you if you automatically update, but it doesn’t hurt to check you’re on the latest version.

If a Safari update is available for your device, you can get it by updating your iPhone or iPad or updating your Mac.

Updates are available for:

Safari 17.3

macOS Monterey and macOS Ventura

iOS 17.3 and iPadOS 17.3

iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

iOS 16.7.5 and iPadOS 16.7.5

iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation

iOS 15.8.1 and iPadOS 15.8.1

iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

macOS Sonoma 14.3

macOS Sonoma

macOS Ventura 13.6.4

macOS Ventura

macOS Monterey 12.7.3

macOS Monterey

watchOS 10.3

Apple Watch Series 4 and later

tvOS 17.3

Apple TV HD and Apple TV 4K (all models)

**Technical details**

The zero-day vulnerability is listed as CVE-2024-23222: a type confusion issue in WebKit that was addressed with improved checks. This issue is fixed in tvOS 17.3, iOS 17.3 and iPadOS 17.3, macOS Sonoma 14.3, iOS 16.7.5 and iPadOS 16.7.5, Safari 17.3, macOS Ventura 13.6.4, macOS Monterey 12.7.3. Processing maliciously crafted web content may lead to arbitrary code execution.

Type confusion can occur in interpreted languages such as JavaScript and PHP, which use dynamic typing. In dynamic typing, the type of a variable is determined and updated at runtime, as opposed to being set at compile-time in a statically typed language. A type confusion vulnerability means an attacker has the opportunity to change the type of a given variable in order to trigger unintended behavior.

Several other vulnerabilities in WebKit, which is the browser engine that powers Safari and other apps, were patched as well.

**CISA**

The Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. This means Federal Civilian Executive Branch (FCEB) agencies need to remediate this vulnerability by February 13, 2024 in order to protect their devices against active threats.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Update now! Apple releases patch for zero-day vulnerability 

Security researchers have discovered billions of exposed records online, calling it the "mother of all breaches". Check what data of yours has been exposed online with our free tool.

Security researchers have discovered billions of exposed records online, calling it the “mother of all breaches”.

However, the dataset doesn’t seem to be from one single data breach, but more a compilation of multiple breaches. These sets are often created by data enrichment companies. Data enrichment is the process of combining first party data from internal sources with disparate data from other internal systems or third party data from external sources. Enriched data is a valuable asset for any organization because it becomes more useful and insightful.

The researchers stated:

> “While the team identified over 26 billion records, duplicates are also highly likely. However, the leaked data contains far more information than just credentials – most of the exposed data is sensitive and, therefore, valuable for malicious actors.”

In other news about leaked personal data, a cybercriminal going by the name of “emo” claims they have 15 million unique records of project management tool Trello accounts for sale.

Trello is used by many organizations, so it understandably raised some concerns.

Atlassian, the company that runs Trello, however denies there has been a breach. It seems as if someone has used a large collection of email addresses and tested it against Trello.

This brings us to the question: when do you call a giant leak of personal information a breach, and when don’t you?

A definition of a breach that makes sense to me is this one:

> “A breach is an incident where data is inadvertently exposed in a vulnerable system, usually due to insufficient access controls or security weaknesses in the software.”

So you might say that exposing of billions of records was a breach because it is unlikely the instance was left open on purpose. After all, that amount of data can be sold for a pretty penny.

And Atlassian can safely say it was not breached, since the criminals used an existing feature. Maybe in larger numbers than intended, but why admit you shouldn’t have allowed it?

Some people will say that a data breach can only be the result of a hack and everything else is a leak. If you look at it that way, neither one of the datasets came from a breach. One set was stumbled upon and the other was created by using a legitimate API.

But to those affected the end result is pretty much the same whether your data was leaked in a breach, accumulated by scraping, or gathered by a data enrichment company. Your information is out there in the open for every cybercriminal to use at their perusal.

If you want to find out if your data is exposed online, you can try our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a report.

You might be surprised. Remember though that it’s not embarrassing to you if your email address was found in a breach, but it is good to know if it was and where a password may have been included.

If the passwords it throws up at you look familiar, it would be a good idea to change the password where you’ve used it, enable 2FA, and check if it’s been re-used for other accounts.

Scammers are very good at using information found in breaches in social engineering attacks. Even the fact that your data may have been leaked in a breach is something scammers will readily use to launch a phishing attack and see what more they can find out from you.

Last year, over **2,000** companies and government entities reported data breaches impacting over **400** million personal accounts. Set up Identity Monitoring to get alerts whenever your data is exposed in a new breach.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

 &#8220;The mother of all breaches&#8221;: 26 billion records found online 

Microsoft has acknowledged a cyberattack by Russians state sponsored group Cozy Bear who, it says, was looking how much information Microsoft holds about Cozy Bear.

In a spy-vs-spy type of scenario, Microsoft has acknowledged that a group called Midnight Blizzard (also known as APT29 or Cozy Bear), gained access to a Microsoft legacy non-production test tenant account.

According to Microsoft, the group managed to access the account in November after subjecting it to a password spray attack, a type of brute force attack where the attacker tries a large amount of logins until they succeed. The group used this foothold to access some of Microsoft’s corporate email accounts and steal some emails and attached documents.

Cozy Bear, who is generally linked to the Russian Foreign Intelligence Service, also known as the SVR, appears to have been curious to find out what information Microsoft had gathered about it. Cozy Bear is generally believed to be behind the SolarWinds attack and attacks on several US institutions, including the State Department, the White House, and the DNC. On all these occasions, the Dutch alerted the US intelligence services.

Microsoft’s investigation about the attack showed that the group was not after customer data or corporate information, but instead something closer to home:

> “The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself.”

To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems, but the investigation is still ongoing. Microsoft has promised to provide additional details as appropriate.

Generally speaking, the larger an organization is, the larger the attack surface, but with companies like Microsoft people expect a tighter security. It is, after all, a security software vendor as well. So, the fact that Cozy Bear was able to stay undetected for months comes as a surprise to many.

Apparently, the attack scared Microsoft itself as well: It says that it feels the need to speed up its cyberprotection advancement project, the Secure Future Initiative, given how well-funded and resourced the attackers are.

> “We will act immediately to apply our current security standards to Microsoft-owned legacy systems and internal business processes, even when these changes might cause disruption to existing business processes.”

This attack can generally be seen as a warning to every other organization that has information which might be of interest to foreign governments.

The more an organization has grown, the larger the chance that legacy accounts exist and may even be neglected. Compare the organization to an office building: The more doors and windows (pun intended) exist, the larger the chance that one is left open. And if there are offices that are no longer in use, the chance of an opening grows exponentially.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 Microsoft got hacked by state sponsored group it was investigating 

Russian state-sponsored actor Coldriver uses spear phishing attacks to install the Spica backdoor on victim systems.

Researchers at Google’s Threat Analysis Group (TAG) have published their findings about a group they have dubbed Coldriver. The main targets of the Coldriver group are high-profile individuals in non-governmental organizations (NGOs), former intelligence and military officials, and NATO governments. These targets are approached in spear phishing attacks.

The group uses social engineering techniques to persuade their targets to open documents or download malware. Their activities are aligned with those of the Russian government, so it’s pretty safe to say that Coldriver is a state-sponsored group.

In December 2023, the US charged two Russians believed to be members of this group, for their role in a campaign that hacked government accounts.

Microsoft, who tracks the group as Star Blizzard, says the group targets individuals and organizations involved in international affairs, defense, and logistics support to Ukraine, as well as academia, information security companies, and other entities aligning with Russian state interests.

Typically, the group creates an impersonation account that pretends to be an expert in a field the target might be interested in or that is somehow affiliated with the target. Once a relationship has been established, the target will receive a phishing link or a document containing such a link.

To gain trust, Coldriver uses social media and professional marketing systems to build a profile of its target. With that information the group sets up email contacts, social media and other networking accounts that align with the target’s interests and appear legitimate.

Coldriver uses webmail addresses from different providers, including Outlook, Gmail, Yahoo and Proton Mail in the initial approach, impersonating known contacts of the target or well-known names in the target’s field of interest or sector. The group is also known to register malicious domains that mimic legitimate organizations.

Recently, TAG has noticed that the group uses “lure documents” to install a backdoor on the target’s system. These lure documents, which are harmless PDF files, are sent to the target, but when they open them the content appears to be encrypted.

When the target queries about the encryption, Coldriver sends the target a link to a decryption utility, typically hosted on a cloud storage site. This so-called decryption utility shows the target a normal PDF file, so that it appears as if the original was decrypted, but at the same time it installs a backdoor.

This backdoor is custom malware, likely developed by or for Coldriver, called Spica. Spica is written in the Rust programming language and supports, among others, these commands:

*   Execute arbitrary shell commands
*   Steal cookies from Chrome, Firefox, Opera, and Edge
*   Upload and download files
*   Analyze the filesystem by listing the content
*   Enumerate documents and copy them to an archive

The backdoor establishes persistence through an obfuscated PowerShell command that creates a scheduled task named CalendarChecker.

TAG suspects but has been unable to verify that there are multiple variants of Spica: one to match each lure document sent to targets.

**YARA rule**

YARA is a tool that can identify files that meet certain conditions. It is mainly in use by security researchers to classify malware.

TAG has created a YARA rule that cab help find the Spica backdoor.

rule SPICA\_\_Strings {  
meta:

author = “Google TAG”  
description = “Rust backdoor using websockets for c2 and embedded decoy PDF”  
hash = “37c52481711631a5c73a6341bd8bea302ad57f02199db7624b580058547fb5a9”  
strings:  
$s1 = “os\_win.c:%d: (%lu) %s(%s) – %s”  
$s2 = “winWrite1”  
$s3 = “winWrite2”  
$s4 = “DNS resolution panicked”  
$s5 = “struct Dox”  
$s6 = “struct Telegram”  
$s8 = “struct Download”  
$s9 = “spica”  
$s10 = “Failed to open the subkey after setting the value.”  
$s11 = “Card Holder: Bull Gayts”  
$s12 = “Card Number: 7/ 3310 0195 4865”  
$s13 = “CVV: 592”  
$s14 = “Card Expired: 03/28”

$a0 = “agent\\\\src\\\\archive.rs”  
$a1 = “agent\\\\src\\\\main.rs”  
$a2 = “agent\\\\src\\\\utils.rs”  
$a3 = “agent\\\\src\\\\command\\\\dox.rs”  
$a4 = “agent\\\\src\\\\command\\\\shell.rs”  
$a5 = “agent\\\\src\\\\command\\\\telegram.rs”  
$a6 = “agent\\\\src\\\\command\\\\mod.rs”  
$a7 = “agent\\\\src\\\\command\\\\mod.rs”  
$a8 = “agent\\\\src\\\\command\\\\cookie\\\\mod.rs”  
$a9 = “agent\\\\src\\\\command\\\\cookie\\\\browser\\\\mod.rs”  
$a10 = “agent\\\\src\\\\command\\\\cookie\\\\browser\\\\browser\_name.rs”  
condition:  
7 of ($s\*) or 5 of ($a\*)  
}

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 Coldriver threat group targets high-ranking officials to obtain credentials 

A list of topics we covered in the week of January 15 to January 21 of 2024

Skip to content

*   Contact Us
    *   Personal Support
    *   Business Support
    *   Talk to Sales
    *   Contact Press
    *   Partner Programs
    *   Submit Vulnerability
*   Company
    *   About Malwarebytes
    *   Careers
    *   News & Press
*   Sign In
    *   **MyAccount sign in:** manage your personal or Teams subscription >
    *   **Cloud Console sign in:** manage your cloud business products >
    *   **Partner Portal sign in:** management for Resellers and MSPs >

*   Personal
*   Business
    
    < Business
    
    BUNDLES
    
    *   Core
    *   Prevent and remediate threats and identify vulnerabilities
    *   Advanced
    *   Utilize threat guidance and patch management plus everything in **Core**
    *   Elite
    *   Deploy Managed Detection and Response plus everything in **Advanced**
    *   Ultimate
    *   Protect against categories of malicious websites plus everything in **Elite**
    
    TECHNOLOGY HIGHLIGHTS
    
    *   Managed Detection & Response (MDR)
    *   Deploy fully-managed threat monitoring, investigation, and remediation
    *   Endpoint Detection & Response (EDR)
    *   Prevent more attacks with security that catches what others miss
    *   Security Advisor
    *   Visualize and optimize your security posture in just minutes
    *   For Education
    *   Secure your students and institution against cyberattacks
    
    Learn more about Security Advisor (available in every bundle) and see the full list of our products and services.
    
    Full technology list >
    
*   Pricing
    
    < Pricing
    
    Protect your personal devices and data
    
    Protect your team’s devices and data
    
    Explore our award-winning endpoint security products, from EP to EDR to MDR
    
*   Partners
*   Resources
    
    *   Reviews
    *   Analyst Reports
    *   Case Studies
    
*   Support
    
    Featured Content
    
    *   Activate Malwarebytes Privacy on Windows device.
    

**RELATED ARTICLES**

January 22, 2024 - Russian state-sponsored actor Coldriver uses spear phishing attacks to install the Spica backdoor on victim systems.

January 20, 2024 - A nonprofit study claims that Google is failing to delete location history that reveals users' physical trips to abortion clinics.

January 19, 2024 - Google wants you to know you can still be tracked when you're incognito.

January 19, 2024 - CISA has added two Citrix NetScaler vulnerabilities to its vulnerability catalog, with a very short deadline to patch.

January 18, 2024 - Google has issued a security update for the Chrome browser that includes a patch for one zero-day vulnerability.

Source

Malwarebytes