It's Data Privacy Week so here are 10 tips from our VP of Consumer Privacy, Oren Arar, about how to stay private online.

**1\. **Set up two-factor authentication****

Do this for as many of your online accounts as you can, especially the major ones like your email and social media accounts. Two-factor authentication (2FA) adds an extra step of protection and makes it much harder for attackers to login as you. We recommend using authenticator apps or physical security keys, but sometimes SMS is the easiest option and that’s fine. In most services you won’t have to enter the 2FA code every time, only when using a new device.

**2\. Use a different password for every account**

If your password is breached on one site, cybercriminals can use that login information to access your other online accounts that use the same passwords. If you use a different password for each account they can’t do this. Make sure your passwords are long (15 characters or more is good) and use a mix of upper and lower case characters, numbers and symbols too.

To make it easy, you can chose a phrase or a line from a song you like (for instance: DancingInTheMoonlight1999!). You can also use a password manager built-in on your browser, or a stand-alone password manager (see below). If you’ve received a notification from Google, Malwarebytes or any other service telling you your password has been exposed make sure to not use it or any variation of it again for any of your accounts. 

**3\. Use a password manager**

Making different and complicated passwords for each and every online account you have is one thing, but **remembering** them all is a lot more difficult. That’s why we use a password manager, and why you should too. It will generate passwords for you and then remember them all. Choose a vendor you trust for it, or simply use Apple or Google.

**4\. Keep software and hardware up to date**

Make sure your computer, phone, browser, apps and other programs are always on the latest version. If someone finds a security bug, the company that makes that software or hardware will release a new version with a patch for the bug. If you’re not on the latest version, you will be vulnerable. We know it can sometime be a hassle to update the version – but it’s not only about the latest features, in many cases it’s about keeping you safe!

**5\. Double check everything**

Got an email or SMS saying your delivery has been delayed that asks you to click on a link? Double check that you are expecting a delivery from where it says it’s coming from. Got a message from a friend on Facebook that seems off? Double check via text or phone that it is really them. Is your CEO suddenly asking you to buy $5000 of gift cards on the company credit card? Double check that it really is the CEO (it probably isn’t). There’s a ton of scams out there and they are getting more and more sophisticated with time, you just have to stay vigilant and aware of it.

Does that restaurant you’re making a reservation with really need to know your actual date of birth? Does that shopping site really need to know your mother’s maiden name as a password reset question? Consider carefully where you share your data and keep in the back of your mind that the service you are using could be breached. If it is breached, what of your information would be taken? If you can use false information, we really encourage you to do that. Pro-tip: create an “avatar online identity” for yourself with a separate email, date of birth and information you remember and use this information for vendors that don’t require your real identity.

**7\. Cover your camera**

When your camera isn’t in use, make sure you cover it with a physical cover. You can get webcam covers that slide open and shut to make it easy for you to use your camera when you like, and they look a lot nicer than a sticking plaster! Hackers have been known to take over webcams and take snapshots – so sometimes a physical cover is our last line of defense!

**8\. Use an identity monitoring solution**

Identity theft is a real challenge today, including stealing your credit and even opening new lines of credit in your name. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after. Malwarebytes Identity Theft Protection can help with this.

**9\. Check what data of yours has already been exposed**

It’s very likely that your personal information has already been involved in a breach, but you might be wondering how much information can be gained about you from all the pieces of data about you that’s online—aka your digital footprint. We created a tool that will show you just that. You enter your most commonly-used email address, we’ll run a scan and then we’ll send you the results. Try the free scan now.

**10\. Use security software**

Finally, make sure you have protected your devices with security software. It doesn’t take long and it’s such a basic step we must all do. Malwarebytes Premium detects or blocks over 95 million pieces of malware a day so we definitely have you covered. We protect Windows, Mac, Chrome, Android, and iOS.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

 10 things to do to improve your online privacy 

US law enforcement will no longer be able to request footage produced by Ring devices, unless it's an emergency.

US law enforcement will no longer be able to request footage through the Neighbors app produced by Ring video doorbells and surveillance cameras.

Until now Ring’s Request for Assistance (RFA) function allowed law enforcement to ask for and obtain user footage, but this function will be retired.

Along with other changes, Ring announced on its blog how public safety agencies like fire and police departments can still use the Neighbors app to share helpful safety tips, updates, and community events, but they will no longer be able to use the RFA tool to request and receive video in the app.

Only in emergencies, Ring will share user’s footage without a court order.

The Electronic Frontier Foundation (EFF) considers this a victory in a long fight. But it remains critical about the emergencies loophole, because there is no clear process for a Ring owner or a judge to rule when a situation is an emergency. The fear is that law enforcement will slowly erode what constitutes an emergency and end up requesting footage for less urgent matters.

We should not forget that Ring is a market leader and other companies are looking at its example, which is why it’s important to make sure that security and privacy are key values and not helping law enforcement.

As the EFF stated:

> “Ring has been forced to make some important concessions—but we still believe the company must do more.”

In its blog, Ring brings up a lot of endearing examples of how its Neighbors app has helped families locate lost pets, and even lost family members, and how it has been used to share critical information during disasters and emergencies.

But if there is one thing history has taught us, it’s that eventually computer vision will be used for surveillance purposes against human beings.

For example. the EFF warned on a previous occasion about self-driving cars:

> “The sheer amount of visual and other information collected by a fleet of cars traveling down public streets conjures the threat of the possibility for peoples’ movements to be tracked, aggregated, and retained by companies, law enforcement, or bad actors—including vendor employees. The sheer mass of this information poses a potential threat to civil liberties and privacy for pedestrians, commuters, and any other people that rely on public roads and walkways in cities.”

Combining the information with that of CCTV cameras, Ring doorbells, delivery robots, and what have you, brings us closer to 1984, rather than steering away from it. Being able to combine the gathered information with AI driven tools at some point, makes it only scarier.

**We don’t just report on privacy—we offer you the option to use it.**

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

 Ring curtails law enforcement&#8217;s access to footage 

Chinese speaking users looking for Telegram, or LINE are being targeted with malicious ads. Instead of downloading the legitimate application, they install malware.

An ongoing campaign of malicious ads has been targeting Chinese-speaking users with lures for popular messaging applications such as Telegram or LINE with the intent of dropping malware. Interestingly, software like Telegram is heavily restricted and was previously banned in China.

Many Google services, including Google search, are also either restricted or heavily censored in mainland China. Having said that, many users will try to circumvent those restrictions by using various tools such as VPNs.

The threat actor is abusing Google advertiser accounts to create malicious ads and pointing them to pages where unsuspecting users will download Remote Administration Trojan (RATs) instead. Such programs gives an attacker full control of a victim’s machine and the ability to drop additional malware.

It may not be a coincidence that the malvertising campaigns are primarily focused on restricted or banned applications. While we don’t know the threat actor’s true intentions, data collection and spying may be one of their motives. In this blog post, we share more information about the malicious ads and payloads we have been able to collect.

Visitors to google.cn are redirected to google.com.hk where searches are said to be uncensored. Doing a lookup for ‘telegram’ we see a sponsored search result.

The following description is associated with this ad:

> TeIegram official application – TeIegram Chinese version download docs.google.com https://docs.google.com › 2024 › Official download Latest Telegram Understand your users Androd needs and engage them with relevant personalized solutions in real time. One of the top 5 most downloaded apps in the world with over 700 million active users.

Here is an ad for ‘LINE’

Description:

> LINE is the largest communication platform that provides an end-to-end encrypted experience, allowing cross-platform communication across mobile phones, computers, tablets, etc. Simple, reliable, and free\* private messages and calls can be used around the world.

We identified two advertiser accounts behind those ads, both of them being associated with a user profile in Nigeria:

*   Interactive Communication Team Limited
*   Ringier Media Nigeria Limited

Due to the number of ads for each of these accounts (including many unrelated to these campaigns), we believe they may have been taken over by the threat actors.

**Infrastructure**

This threat actor seems to rely on Google infrastructure in the form of Google Docs or Google sites. This allows them to insert links for the download or even redirect to other sites they control.

**Malware payloads**

We collected a number of payloads from this campaign, all in MSI format. Several of those used a technique known as DLL side-loading, which consists of combining a legitimate application with a malicious DLL that gets loaded automatically.

In the example above, the DLL is signed with a now revoked certificate from _Sharp Brilliance Communication Technology Co., Ltd._ which was also recently used to sign a PlugX RAT sample. (PlugX is a RAT from China that also performs DLL side-loading).

Not all dropped malware is new, in fact some were previously used in other campaigns and are variants of Gh0st RAT.

**Active threat**

A website and forum (bbs\[.\]kafan\[.\]cn) dedicated to security frequented by Chinese users keeps up with malware from these campaigns that they refer to as FakeAPP.

It also appears that the threat actor privileges quantity over quality by constantly pushing new payloads and infrastructure as command and control.

Online ads are an effective way to reach a certain audience, and of course they can be misused as well. People (such as activists) that live in countries where encrypted communication tools are banned or restricted will attempt to bypass these measures. It appears that a threat actor is luring potential victims with such ads.

The payloads are consistent with threats observed in the South Asia region, and we see similar techniques such as DLL side-loading that is quite popular with many RATs. This type of malware is ideal to gather information about someone and silently dropping additional components if and when necessary.

We have notified Google regarding the malicious ads and have reported the supporting infrastructure to the relevant parties.

Malwarebytes detects the malicious payloads upon execution.

**Indicators of Compromise**

Fake domains

telagsmn\[.\]com  
teleglren\[.\]com  
teleglarm\[.\]com

Redirectors

5443654\[.\]site  
5443654\[.\]world

Payloads

CS-HY-A8-bei.msi
63b89ca863d22a0f88ead1e18576a7504740b2771c1c32d15e2c04141795d79a

w-p-p64.msi
a83b93ec2a5602d102803cd02aecf5ac6e7de998632afe6ed255d6808465468e

mGtgsotp\_zhx64.msi
acf6c75533ef9ed95f76bf10a48d56c75ce5bbb4d4d9262be9631c51f949c084

cgzn-tesup.msi
ec2781ae9af54881ecbbbfc82b34ea4009c0037c54ab4b8bd91f3f32ab1cf52a

tpseu-tcnz.msi
c08be9a01b3465f10299a461bbf3a2054fdff76da67e7d8ab33ad917b516ebdc

C2s

47.75.116\[.\]234:19858
216.83.56\[.\]247:36061
45.195.148\[.\]73:15628

 Malicious ads for restricted messaging applications target Chinese users 

ThreatDown has earned 37/37 awards over nine consecutive quarters.

ThreatDown Endpoint Protection (EP) achieved the highest possible score (100%) and received certifications for Level 1, Exploit, Online Banking, and Ransomware in the most recent anti-malware efficacy assessment results for the Q3 2023 evaluation performed by MRG Effitas, a world leader in independent IT research.

These results mark the ninth time in a row ThreatDown has received all certification awards, and is now officially the only vendor to win every single certification and award from Q3 2021 through Q3 2023.

MRG Effitas assesses a product’s ability to meet today’s most pressing threats in-the-wild, such as stopping zero-day malware, ransomware, and exploits—and doing so with speedy performance and low false positives.

After unveiling their new phishing assessment in Q2 2023, MRG Effitas in Q3 2023 began awarding a full-on 360° Phishing Certification to vendors who could take down phishing threats.

ThreatDown blocked 100% of phishing attempts in the In-the-Wild (ITW) Phishing Test. In other words, ThreatDown is the only vendor to consistently receive all 4 award logos and block 100% of phishing attempts.

How we were able to do it: The signature and behavior-based detection techniques and proprietary anti-exploit technology of ThreatDown EP allowed it to detect and autoblock more malware than any other competitor on the Q3 test. In addition, the Web protection layer of our EP blocks access to and from known or suspicious Internet addresses, allowing us to ace the phishing tests.

As an integral foundation layer for ThreatDown Bundles, these results prove that ThreatDown provides reliable and comprehensive protection against a wide range of threats.

Let’s dive into where we prevented more than the rest and how we were able to do it.

**100% of phishing attempts blocked **

Given the frequency and risks associated with phishing attacks today, it’s clear that modern endpoint security needs to protect against these attacks.

According to Verizon, attackers used phishing for initial access in 15% of data breaches in 2022. CISA also showed that, within the first 10 minutes of receiving a phishing email, 84% of employees took the bait. After successfully compromising a system through phishing, threat actors can further their attacks by dropping ransomware or stealing sensitive data, leading to costly financial and reputational damages.

**ThreatDown blocked 100% of phishing attempts in the ITW Phishing Test and was only one of two vendors to score 80% or above in the Phishing Simulator Test.**

How we were able to do it: ThreatDown EP, the foundation for ThreatDown Bundles, features a Web protection layer that blocks access to and from known or suspicious Internet addresses.

**100% of ransomware blocked **

Using a blend of signature and signature-less technologies, the anti-ransomware layer of ThreatDown EP constantly monitors endpoint systems and automatically kills processes associated with ransomware activity.

MRG Effitas tested security products against 65 ransomware samples. In addition, they tested four ransomware simulator samples created in-house, ensuring the security product could only rely on its behavior scanning modules. To test for false positives, a device running ThreatDown EP also ran three benign programs designed to mimic ransomware behavior.

ThreatDown blocked 100 percent of ransomware threats in the MRG Effitas assessment and did so with no false positives, allowing the three benign programs to run. For this we earned the 360° Ransomware Certification.

**100% of banking malware blocked **

In 2021, 37% of banking malware attacks targeted corporate users. 

We were one of the few vendors who earned a 360° Online Banking Certification, which means ThreatDown EP stopped 100% of threats designed to steal financial information and money from victim’s accounts. To outperform the others, our unique detection technology again came into play.

ThreatDown EP blocked 100% of the 16 financial malware samples, the Magecart credit card-skimming attack, and Botnets designed to steal credentials.

**100% of zero-day threats blocked **

One of the many strong suits of our detection is that it can detect malware that has never been seen before, also called zero-day malware. Again, we were one of the only vendors to detect and block these pernicious threats, which account for 80% of successful breaches.  

Built on machine learning (ML) and behavioral analysis techniques, our behavior-based detection enabled ThreatDown EP to detect and block 100% of all zero-day threats. For this, as well as blocking all Botnets, we earned the 360° Level 1 Certification.

**100% of exploits blocked **

The anti-exploit feature of ThreatDown EP protects organizations from one of the most advanced cyber attacks: zero-day exploits targeting browser and application vulnerabilities.  

But don’t take our word for it: MRG Effitas used 8 different exploitation techniques to try and deliver a malicious payload on a device running ThreatDown EP—but they didn’t get very far. Malwarebytes earned the 360° Exploit Certification for autoblocking 100% of Exploit/Fileless attacks, entirely protecting the system from infection.  

We were one of the few to earn the 360° Exploit Certification all thanks to our proprietary anti-exploit technology, which wraps vulnerable programs in four defensive layers that prevent an exploit from installing its payload, or even executing initial shellcode. 

**Consistency is key **

If there is one shining take away from this accomplishment, it’s that consistency is key.

You don’t want a security solution that passes rigorous tests like MRG Effitas only some of the time. You want a solution that passes them with flying colors all of the time. Clearly, ThreatDown EP, and by extension our ThreatDown Bundles, is that solution.

For organizations that are concerned their current solution may not be up-to-par, the MRG Effitas assessment has demonstrated that ThreatDown—more consistently than anybody else—has what it takes to keep your business safe from today’s most pressing cyberthreats.

 Malwarebytes wins every MRG Effitas award for 2 years in a row 

The NCSC issued a report that warns about the growth and impact of malware, especially ransomware, due to the availability of AI.

The British National Cyber Security Centre (NCSC) says it expects Artificial Intelligence (AI) to heighten the global ransomware threat.

In a report, the NCSC makes the assessment that AI will almost certainly increase the volume and heighten the impact of cyberattacks over the next two years. We’re already seeing that cybercriminals of all trades are using AI in the initial stages of attacks to increase their effectiveness. The NCSC confirmed, saying:

> “All types of cyber threat actor – state and non-state, skilled and less skilled – are already using AI, to varying degrees.”

The NCSC expects the volume and the impact of cyberattacks to grow over the next two years.

The volume is expected to grow because AI lowers the barrier for entry-level cybercriminals to carry out effective access and information gathering operations.

The impact is expected to grow for several reasons:

*   AI already helps cybercriminals to compose more effective phishing emails.
*   AI will help to improve existing tactics, techniques, and procedures (TTPs).
*   Reconnaissance and social engineering are specific fields where AI can be deployed.
*   Stolen data can be analyzed by AI-driven tools and used for even more effective attacks.
*   More advanced threat actors, like state sponsored groups will be on the forefront of more sophisticated methods to utilize AI and others will follow.

Generative AI (GenAI) can already be used to create and entertain a convincing interaction with victims, including the creation of lure documents, without the translation, spelling, and grammatical errors that used to reveal phishing.

The NCSC expects that by 2025, GenAI and large language models (LLMs) will make it difficult for everyone, regardless of their cybersecurity posture, to assess whether an email or password reset request is genuine, or to identify phishing, spoofing, or other social engineering attempts.

Currently only state sponsored groups, professional spyware vendors, and the large criminal operations have access to, and know how to use advanced AI tools to increase the effectivity of their attacks. But that availability will undoubtedly grow.

In how far new moves on the front of a United Nations Cybercrime Treaty will have a short-term effect on the behavior of state-sponsored groups is very hard to predict. I’m inclined to say that international legislation has never stopped any hacktivist before, they were just more careful about revealing their location and their principals.

Professional spyware vendors have deep enough pockets to invest in new tools, training, and development. We can expect them to use AI to find new zero-day vulnerabilities and new exploits for largely unpatched vulnerabilities.

As we at Malwarebytes Labs have tested ourselves, ChatGPT can be used to write ransomware. While this may draw new players to the field, they are not expected to have an immediate impact on the threat level. But the NCSC does expect AI to play a larger role in the near future when it comes to the development of malware and exploits.

Since ransomware is the most profitable form of malware at the moment, and this is expected to stay that way, this threat is likely to see the largest increase in volume. Which means that for the visible part of cybercrime, the landscape is not likely to change dramatically. The numbers may increase and the sophistication of the attacks is likely to grow, but the type of malware is probably the same.

To sum up the conclusion of the report, NCSC chief executive Lindy Cameron said:

> “The emergent use of AI in cyberattacks is evolutionary not revolutionary, meaning that it enhances existing threats like ransomware but does not transform the risk landscape in the near term.”

**How to avoid ransomware**

*   **Block common forms of entry.** Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
*   **Prevent intrusions.** Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
*   **Detect intrusions.** Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption.** Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 AI likely to boost ransomware, warns government body 

A new vulnerability in Fortra GoAnywhere MFT now has exploit code available that allows an attacker to create a new admin user.

On January 22, 2024, software company Fortra warned customers about a new authentication bypass vulnerability impacting GoAnywhere MFT (Managed File Transfer) that allows an attacker to create a new admin user.

Fortra GoAnywhere MFT is a file transfer solution that organizations use to exchange their data. Some of the organizations that use GoAnywhere MFT are considered vital infrastructure such as local governments, financial companies, healthcare organizations, energy firms, and technology manufacturers.

The flaw impacts Fortra GoAnywhere MFT 6.x from 6.0.1 and Fortra GoAnywhere MFT 7.4.0 and earlier.

Customers should either install the latest update (now at 7.4.1) to fix the vulnerability, or eliminate the vulnerability in non-container deployments by deleting the InitialAccountSetup.xhtml file in the install directory and restarting the services. For container-deployed instances, replace the file with an empty file and restart. For additional information, see this advisory for customers (registration required).

By handing out these specific instructions it was to be expected that exploit code would come sooner rather than later. And, indeed, researchers were quick to analyze the flawed file and come up with an exploit and Proof-of-Concept (PoC) code.

Fortra told BleepingComputer earlier that there have been no reports of attacks exploiting this vulnerability. This might change quickly now that exploit code is readily available. To find out if your instance was compromised you should look for any new additions to the **Admin Users** group in the GoAnywhere administrator portal **Users** -> **Admin Users** section. Any new and unknown administrative users indicate a compromise and the login date will give you an idea about the time of compromise.

You can also look at the logs for the database which are stored at \GoAnywhere\userdata\database\goanywhere\log\*.log. These files contain a transactional history of the database, adding users will create entries in that log.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. This vulnerability is listed as:

CVE-2024-0204: Authentication bypass in Fortra’s GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal.

Basically it’s a path traversal flaw that allow attackers to read, and write to, restricted files by inputting path traversal sequences like ../ or /..;/ into file or directory paths.

If the mention of the name of Fortra GoAnywhere sent shivers down your security sensors, you may have been reminded of the exploitation by the Clop ransomware gang of a vulnerability in the same software last year.

Despite several warnings about last year’s vulnerability, a great many victims were made even after the patch was available.

Let’s hope we are capable of learning from the mistakes we made in the past.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

 Patch now! Fortra GoAnywhere MFT vulnerability exploit available 

2023 was the worst ransomware year on record for Education.

_This article is based on research by Marcelo Rivero, Malwarebytes’ ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, “known attacks” are those where the victim **did not** pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher._

2023 was the worst ransomware year on record for Education: according to original ThreatDown research, the sector witnessed a staggering **70% surge** in attacks in the past year, increasing from 129 incidents in 2022 to 265 in 2023.

The spike is further underscored by the increase in median monthly attacks. In 2022 there was an average of 11 attacks per month, but by 2023, this number leapt to 21—marking an **91% uptick** in monthly attacks.

Although the attacks were carried out by several ransomware gangs, two in particular were responsible for the lion’s share of 2023 attacks (50%)—**LockBit and Rhysida** (a rebrand of Vice Society). The data also shows that, while ransomware attacks against education are a global phenomenon, the **US** (with 80% of known attacks) and the **UK** (with 12%) were hit the most frequently attacked countries between January 2023 and December 2023.

Let’s break down attacks on the education sector by the ransomware gangs involved, the countries of target, and which gangs attacked which countries the most.

**The Threat Landscape**

The top gangs that targeted the education sector between January 2023 and December 2023 include **LockBit (60), Vice Society/Rhysida (44)**, CL0P (22), Medusa (17), and Akira (15). Together, these 5 gangs were responsible for about 81% of all Education ransomware attacks.

When we look at which gangs attack educational institutions most **consistently** (with attacks in at least six different months), however, the data tells a slightly different story. While top gangs such as CL0P and Royal may have targeted a significant amount of educational institutions, they tend to attack a majority of their victims in just one or two months.

Again, LockBit and Vice Society/Rhysida emerge as the most consistently prolific attackers against the Education sector. Notice too that Vice Society hasn’t been active since June 2023—the same month we witnessed the rise of Rhysida.

**Geographic Distribution**

When we break down education sector attacks by country, it becomes clear that the US and the UK have a huge target on their back. The US, however, bore the brunt of the onslaught, with **169** reported attacks.

**K-12 vs Higher Ed**

In 2023, **43%** of all ransomware in education attacks in 2023 targeted Higher Ed and **36% of attacks targeted K-12**.

Some of the most high profile attacks on Higher Ed and K-12 in 2023 include an attack against Western Michigan University, which caused a 13-day service disruption, and against the Minneapolis School District, which resulted in over 300,000 files leaked and a $1 million ransom.

**K-12 trends YoY**

Ransomware attacks on K-12 increased **92% between 2022 and 2023**, with 51 attacks in 2022 and 98 total attacks in 2023.

**Higher Ed trends YoY**

Ransomware attacks on Higher Ed increased **70% between 2022 and 2023**, with 68 attacks in 2022 and 116 total attacks in 2023.

**Looking Ahead**

The reality is that tight budgets of many educational institutions force them to struggle with outdated equipment and limited staff, making education an easy target for ransomware gangs. To recap, our key findings include:

*   2023 witnessed a worrying **70% rise in ransomware attacks** on the education sector, increasing from 129 incidents in 2022 to 265.
*   The median number of monthly attacks **surged by 91%**, indicating a heightened and consistent threat throughout the year.
*   LockBit and Rhysida emerged as the primary attackers, responsible for about **50%** of all attacks.
*   The US and the UK bore the brunt of ransomware in education attacks, with over **90% of all attacks** being against these two countries.
*   Both K-12 and higher education institutions faced significant increases in attacks, with a **92% rise in attacks on K-12 and 70% in higher education**, showing widespread vulnerability across all levels of the educational sector, but especially K-12.

Ready to shield your school against threats like LockBit and Rhysida?

The ThreatDown K-12 Bundle integrates AI-driven endpoint security, constant expert monitoring, comprehensive device management, and advanced mobile defense—all at a price that makes sense.

 2024 State of Ransomware in Education: 92% spike in K-12 attacks 

Your smart devices may reveal information about you or your location to an ex-partner. Here's how to lock them out.

Stalkers can use all kinds of apps, gadgets, devices, and phones to spy on their targets, which are often their ex-partners. Unfortunately, while they no doubt have many positive uses, smart home devices give stalkers an array of tools to keep an eye on their targets.

If you are the partner that stays in the house you shared together, you need to make sure that you lock out your ex-partner. This may seem unnecessarily painful at first, but it’s better to be safe than sorry. Your ex doesn’t need to be a hacker when he still has access.

Consider the apps you have shared from your phone. Some of these apps can be queried for information about where, when, and with which device they were last accessed. If you want to keep those apps, make sure you have full control and nobody else has access.

Any camera in your house surely stores more footage about you and your family than of any burglar and this footage is usually stored in the cloud. That means it can be viewed by anyone who has correct login credentials. And, when most people think of security cameras and baby monitors, they will ignore less obvious smart appliances.

A smart doorbell can give away who comes to visit you and when. The setting of your smart thermostat can reveal whether you are at home, in your bed, or if you went out for a while. Even smart lighting systems may give away information about your location inside the house or whether you’ve gone out. Your ex will know some of your habits and can use that to interpret the information provided by smart appliances.

Other smart appliances that may reveal information about you or your whereabouts include your TV, coffee maker, oven, refrigerator, and cleaning robot. Someone could also use these smart appliances to make your life miserable. They may be able to remotely turn up the heat, flash your lights, defrost your refrigerator, set a timer for your oven, and so on.

**How to lock out your ex-partner from your smart home**

There may be more smart appliances in your house than you realize. So, it’s important to make a list and get familiar with their settings, so you can:

*   Change the passwords to previously shared accounts.
*   Make sure that your ex doesn’t have access to the email address any “password reset” mails get sent to.
*   Terminate shared social media accounts.
*   Review access to your Google, iCloud, and email accounts. A malicious stalker with access to such important accounts can ruin your life.
*   Log out devices that are not yours from any app your ex may have had access to.
*   Scan your phone for stalkerware if your ex may have had access to the device.
*   Check your phone for apps that have access to location data and ask yourself whether they actually need them. (see below for instructions).

**How to disable location services**

On **iPhones** you can turn location services off completely at **Settings** > **Privacy & Security** > **Location Services**. Here you can also see, and control, individually which apps and system services have access to Location Services data.

On **Android** devices these settings can be different based on vendor and Android version, but generally speaking one of these methods should work to access Location settings:

Swipe down from the top of the screen and find the Location icon. Touch and hold **Location**

*   or  –

In the **Settings** app > press **Location**

Here you can turn **Location** off or look at the permissions for each individual app.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

 How to lock out your ex-partner from your smart home 

Apple has released new security updates for several products including a patch for a zero-day vulnerability which may have been exploited.

Apple has released new security updates for several products, including a patch for a zero-day vulnerability that could impact iPhones, iPad, Macs, and Apple TVs.

Apple says it’s aware of a report that the bug may have been exploited already. Further details about the nature of the vulnerability were not disclosed to give users enough time to install the updates.

The updates may already have reached you if you automatically update, but it doesn’t hurt to check you’re on the latest version.

If a Safari update is available for your device, you can get it by updating your iPhone or iPad or updating your Mac.

Updates are available for:

Safari 17.3

macOS Monterey and macOS Ventura

iOS 17.3 and iPadOS 17.3

iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

iOS 16.7.5 and iPadOS 16.7.5

iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation

iOS 15.8.1 and iPadOS 15.8.1

iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

macOS Sonoma 14.3

macOS Sonoma

macOS Ventura 13.6.4

macOS Ventura

macOS Monterey 12.7.3

macOS Monterey

watchOS 10.3

Apple Watch Series 4 and later

tvOS 17.3

Apple TV HD and Apple TV 4K (all models)

**Technical details**

The zero-day vulnerability is listed as CVE-2024-23222: a type confusion issue in WebKit that was addressed with improved checks. This issue is fixed in tvOS 17.3, iOS 17.3 and iPadOS 17.3, macOS Sonoma 14.3, iOS 16.7.5 and iPadOS 16.7.5, Safari 17.3, macOS Ventura 13.6.4, macOS Monterey 12.7.3. Processing maliciously crafted web content may lead to arbitrary code execution.

Type confusion can occur in interpreted languages such as JavaScript and PHP, which use dynamic typing. In dynamic typing, the type of a variable is determined and updated at runtime, as opposed to being set at compile-time in a statically typed language. A type confusion vulnerability means an attacker has the opportunity to change the type of a given variable in order to trigger unintended behavior.

Several other vulnerabilities in WebKit, which is the browser engine that powers Safari and other apps, were patched as well.

**CISA**

The Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. This means Federal Civilian Executive Branch (FCEB) agencies need to remediate this vulnerability by February 13, 2024 in order to protect their devices against active threats.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Update now! Apple releases patch for zero-day vulnerability 

Security researchers have discovered billions of exposed records online, calling it the "mother of all breaches". Check what data of yours has been exposed online with our free tool.

Security researchers have discovered billions of exposed records online, calling it the “mother of all breaches”.

However, the dataset doesn’t seem to be from one single data breach, but more a compilation of multiple breaches. These sets are often created by data enrichment companies. Data enrichment is the process of combining first party data from internal sources with disparate data from other internal systems or third party data from external sources. Enriched data is a valuable asset for any organization because it becomes more useful and insightful.

The researchers stated:

> “While the team identified over 26 billion records, duplicates are also highly likely. However, the leaked data contains far more information than just credentials – most of the exposed data is sensitive and, therefore, valuable for malicious actors.”

In other news about leaked personal data, a cybercriminal going by the name of “emo” claims they have 15 million unique records of project management tool Trello accounts for sale.

Trello is used by many organizations, so it understandably raised some concerns.

Atlassian, the company that runs Trello, however denies there has been a breach. It seems as if someone has used a large collection of email addresses and tested it against Trello.

This brings us to the question: when do you call a giant leak of personal information a breach, and when don’t you?

A definition of a breach that makes sense to me is this one:

> “A breach is an incident where data is inadvertently exposed in a vulnerable system, usually due to insufficient access controls or security weaknesses in the software.”

So you might say that exposing of billions of records was a breach because it is unlikely the instance was left open on purpose. After all, that amount of data can be sold for a pretty penny.

And Atlassian can safely say it was not breached, since the criminals used an existing feature. Maybe in larger numbers than intended, but why admit you shouldn’t have allowed it?

Some people will say that a data breach can only be the result of a hack and everything else is a leak. If you look at it that way, neither one of the datasets came from a breach. One set was stumbled upon and the other was created by using a legitimate API.

But to those affected the end result is pretty much the same whether your data was leaked in a breach, accumulated by scraping, or gathered by a data enrichment company. Your information is out there in the open for every cybercriminal to use at their perusal.

If you want to find out if your data is exposed online, you can try our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a report.

You might be surprised. Remember though that it’s not embarrassing to you if your email address was found in a breach, but it is good to know if it was and where a password may have been included.

If the passwords it throws up at you look familiar, it would be a good idea to change the password where you’ve used it, enable 2FA, and check if it’s been re-used for other accounts.

Scammers are very good at using information found in breaches in social engineering attacks. Even the fact that your data may have been leaked in a breach is something scammers will readily use to launch a phishing attack and see what more they can find out from you.

Last year, over **2,000** companies and government entities reported data breaches impacting over **400** million personal accounts. Set up Identity Monitoring to get alerts whenever your data is exposed in a new breach.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

Source

Malwarebytes