Researchers have found a flaw in the Black Basta ransomware encryption algorithm, allowing decryption of some files.

Researchers at SRLabs have made a decryption tool available for Black Basta ransomware, allowing some victims of the group to decrypt files without paying a ransom. The decryptor works for victims whose files were encrypted between November 2022 and December 2023.

The decryptor, called Black Basta Buster, exploits a flaw in the encryption algorithm used in older versions of the Black Basta group’s ransomware. The bug was fixed by the group in mid-December, probably as a result of the discovery, so it won’t work on the most recent attacks.

During the period the decryptor works for, the gang was responsible for 153 known attacks (attacks where the victim did not pay a ransom and appeared on Black Basta’s dark web data leak site).

BlackBasta first appeared in April 2022 and is a regular entry in the top 5 most active ransomware groups in our monthly ransomware reviews. Among others, the ransomware has been used to attack organizations like Canada’s Yellow Pages and German arms producer Rheinmetall.

Known Black Basta attacks, December 2022 – November 2023

The decryptor comes with a few restrictions due to the nature of the flaw it exploits.

On its Github page for Black Basta Buster, SRLabs explains:

> “Files below the size of 5000 bytes cannot be recovered. For files between 5000 bytes and 1GB in size, full recovery is possible. For files larger than 1GB, the first 5000 bytes will be lost but the remainder can be recovered.”

**So, how do you recover your files?**

The decryptor only works on one file at a time and your best chances are on virtual machine disks. According to SRLabs, virtualised disk images “have a high chance of being recovered, because the actual partitions and their filesystems tend to start later. So the ransomware destroyed the MBR or GPT partition table, but tools such as “testdisk” can often recover or re-generate those.”

Files can be recovered if the plaintext of 64 encrypted bytes is known. The easiest way to establish this is to find a sequence of zeroes in the file. It may be possible to decrypt large files that don’t contain large enough chunks of zero-bytes, but you will need an unencrypted version of the target file. In many cases this will defeat the purpose of decryption, but there may be are edge cases where you have a previous version of the target file that meets the requirements, but does not hold the information you want to decrypt.

On the Github pages you will find several python scripts to help you with the recovery of the encrypted files. Interested parties can find instructions on how to use them in the readme file. This is not an easy process and certainly not something we would recommend using for every encrypted file. Each victim will need to weigh up how useful it is to them.

BleepingComputer reports that some digital forensics companies may have been aware of the flaw and have been assisting clients for months in recovering important files, similar to the way the FBI offered decryption keys to Hive victims after penetrating its computer networks. They may have done the same for ALPHV victims, but this is unconfirmed.

Obviously, it’s better to avoid malicious encryption if you can, so here are some pointers.

**How to avoid ransomware**

*   **Block common forms of entry.** Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
*   **Prevent intrusions.** Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
*   **Detect intrusions.** Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption.** Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 Oops! Black Basta ransomware flubs encryption 

This week on the Lock and Code podcast, we speak with Suzanne Bernstein about  DNA privacy and protecting data from hackers.

_This week on the Lock and Code podcast…_

Hackers want to know everything about you: Your credit card number, your ID and passport info, and now, your DNA.

On October 1 2023, on a hacking website called BreachForums, a group of cybercriminals claimed that they had stolen—and would soon sell—individual profiles for users of the genetic testing company 23andMe.

23andMe offers direct-to-consumer genetic testing kits that provide customers with different types of information, including potential indicators of health risks along with reports that detail a person’s heritage, their DNA’s geographical footprint, and, if they opt in, a service to connect with relatives who have also used 23andMe’s DNA testing service.

The data that 23andMe and similar companies collect is often seen as some of the most sensitive, personal information that exists about people today, as it can expose health risks, family connections, and medical diagnoses. This type of data has also been used to exonerate the wrongfully accused and to finally apprehend long-hidden fugitives.

In 2018, deputies from the Sacramento County Sherriff’s department arrested a serial killer known as the Golden State Killer, after investigators took DNA left at decades-old crime scenes and compared it to a then-growing database of genetic information, finding the Golden State Killer’s relatives, and then zeroing in from there.

And while the story of the Golden State Killer involves the use of genetic data to _solve_ a crime, what happens when genetic data is _part_ of a crime? What law enforcement agency, if any, gets involved? What rights do consumers have? And how likely is it that consumer complaints will get heard?

For customers of 23andMe, those are particularly relevant questions. After an internal investigation from the genetic testing company, it was revealed that 6.9 million customers were impacted by the October breach.

What do they do?

Today on the Lock and Code podcast with host David Ruiz, we speak with Suzanne Bernstein, a law fellow at Electronic Privacy Information Center (EPIC) to understand the value of genetic data, the risks of its exposure, and the unfortunate reality that consumers face in having to protect themselves while also trusting private corporations to secure their most sensitive data.

“We live our lives online and there’s certain risks that are unavoidable or that are manageable relative to the benefit that a consumer might get from it,” Bernstein said.

> “Ultimately, while it’s not the consumer’s responsibility, an informed consumer can make the best choices about what kind of risks to take online.”

Tune in today to listen to the full conversation.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 DNA data deserves better, with Suzanne Bernstein: Lock and Code S05E01 

A list of topics we covered in the week of December 25 to December 31 of 2023

December 29, 2023 - Ransomware gangs don't always win, and when they don't, it feels pretty great.

December 27, 2023 - We look at the three most common methods that ransomware groups use to avoid being detected.

December 26, 2023 - Cybercriminals now have AI to write their phishing emails, which might well improve their success rates. Here's what to watch out for.

December 25, 2023 - A list of topics we covered in the week of December 18 to December 24 of 2023

December 21, 2023 - Xfinity has notified customers that due to exploitation of the Citrix Bleed vulnerability, attackers were able to access personal data of almost 36 million customers.

 A week in security (December 25 &#8211; December 31) 

Ransomware gangs don't always win, and when they don't, it feels pretty great.

Ransomware gangs care about one thing: Stealing money.

Over time, their craven, cybercriminal efforts have toppled businesses, destabilized hospitals, and ruined lives. Worst of all, they show no sign of slowing down, and their extortion attempts—which no longer focus on ransomware delivery alone—are getting bolder, meaner, and uglier.

As Allan Liska, intelligence analyst at Recorded Future, recently said on the Lock and Code podcast, times have changed.

“There are no protections anymore,” Liska said. “For a while, some ransomware actors \[said\] ‘No, we won’t go after hospitals, or we won’t do this, or we won’t do that.’ Those protections all seem to have flown out the window, and they’ll go after anything and anyone that will make them money. It doesn’t matter how small they are or how big they are.”

Considering all this, it’s pretty damn nice to see ransomware gangs lose.

As the holidays put people closer to family and friends (and ransomware gangs closer to attacking—seriously, watch out for that), Malwarebytes Labs is sharing some of the brighter moments of 2023 in which ransomware gangs didn’t get what they wanted. And while some of these “victories” still include an unfortunate ransomware deployment, they all have the same result for the ransomware gangs involved: A lost payday.

Here are four times ransomware gangs failed in 2023.

**1\. The Royal Mail ransomware attack**

On January 11, the Royal Mail service in the United Kingdom publicly announced that it had suffered a “severe service disruption” due to a cyber incident. Until the incident was cleared, customers were asked to not send packages or letters overseas.

Within days of Royal Mail’s announcement, news outlets began linking the alleged cyber incident to the ransomware gang LockBit, which, oddly, denied the attack.

But underneath the public reporting, a fascinating negotiation between the cybercriminal gang and its victim would play out for weeks.

On January 12, a representative for Royal Mail makes contact with a cybercriminal for LockBit on a chat hosted in the dark web. The Royal Mail rep is direct, says they work in IT, and, curiously, has a deft command of flattery, referring to LockBit’s work as “pen-testing.” More impressively, the Royal Mail rep immediately takes control of the conversation by implementing one of the most effective strategies in ransomware negotiations: Stalling for time.

Despite LockBit’s constant pushes for urgency, the Royal Mail rep grinds the conversation to a halt, at one point raising a thus-unheard-of concern with LockBit’s decryption key: Yes, it may work on a few sample files, but will it work on _really big files_?

“My management have heard that your decryptor might not work on large files,” the Royal Mail rep says, deploying yet another stunning negotiation tactic by trying to invoke a manager to deliver difficult news.

After days of back and forth, the LockBit rep returns to the most important issue—payment. LockBit had asked for an astounding $80 million ransom, and, after enough delay, it is time to talk money.

But again, Royal Mail’s rep turns the tables. Yes, the Royal Mail service could possibly make a payment that large, but there is only one problem, the representative says: We’re not Royal Mail.

Shock. Horror. Utter embarrassment. According to the Royal Mail rep, LockBit had attacked _the wrong Royal Mail_, instead deploying ransomware for a Royal Mail subsidiary, where a more reasonable starting point in ransomware demands should be about $4 million.

At this point, the LockBit rep accepts defeat.

“You are a very clever negotiator,” the LockBit agent says. “I appreciate your experience in stalling and bamboozling.”

We’ll take that as a win.

**2\. MGM bounces back 10 days after ransomware siege**

In Sin City, the house always wins, even when it loses $100 million.

In the late hours of September 11, customers and hotel guests at the Las Vegas resort MGM Grand noticed something was off—literally. On TikTok, a user shared a video showing rows of digital gambling machines with blank, non-functional screens. On the MGM Grand website, online reservations had become inaccessible. And for some unfortunate guests, even their room keys didn’t work.

“Digital keys weren’t working,” said the same TikTok user who shared video of the hotel’s broken digital slot machines. “Had to get physical keys printed.”

MGM Grand had been hit by a ransomware gang named Scattered Spider, a group of cybercriminals that, it would turn out, had already found some luck on the Las Vegas strip.  

On September 14, Caesar’s Entertainment reported in a filing with the US Securities and Exchange Commission that it, too, had suffered a cyber breach, and according to reporting from CNBC, it received a $30 million ransom demand, which it then negotiated down by about 50 percent.

MGM Grand, however, chose a different path. Across 10 hectic days—which included equipping hotel elevators with handheld, two-way radios in case guests encountered any problems—the MGM Grand became operational once more, all without paying a ransom.  

MGM Resorts International later provided a sober estimation of the cost of the recovery effort, expecting a $100 million loss to its third-quarter results, and valid criticism about the hotelier’s security vulnerabilities remain, but in the land of vice and greed, stopping a ransomware gang is a feat that few have accomplished.

**3\. Qakbot shot down**

Duck hunting season came early this year.

In August, an international investigation led by US law enforcement agencies nearly wiped Qakbot from the internet, shutting down a large part of the botnet’s infrastructure, retrieving $8.6 million in cryptocurrency, and removing the botnet’s associated Qakbot malware from hundreds of thousands of infected machines around the world.

When infected with the Qakbot malware, computers would join the Qakbot “botnet,” an army of devices that could be controlled by a cybercriminal gang and pilfered for login credentials. The infected machines would also be susceptible to additional malware, and in the case of Qakbot-infected computers, that additional malware was often the ransomware variant called Black Basta.

Because of this enormous reach, Black Basta consistently appeared in Malwarebytes’ monthly Ransomware Reviews that record the most active ransomware variants across publicly-recorded attacks.

In April, Black Basta was responsible for at least 40 attacks. In September, just one month after Qakbot’s announced takedown, that number dropped to six.

**4\. ALPHV tattles on its victim to little success**

A new wrinkle about modern ransomware attacks is that some of them don’t involve any ransomware at all.

That’s because, years ago, ransomware gangs learned that their malware of choice wasn’t the sole reason that victims paid ransoms. Rather, the ransomware that was deployed was just a digital representation of a highly effective, criminal lever: Extortion.

Since at least 2020, ransomware gangs have implemented a “double-extortion” technique against victims, stealing an organization’s files and threatening to publish them online before also deploying ransomware to encrypt the original copies left behind. More recently, however, ransomware gangs have resorted to just stealing a victim’s data without detonating any ransomware afterwards. The State of Maine, for instance, likely suffered such an attack this year in a data breach that impacted 1.3 million people.

But in November, the ransomware gang ALPHV, also known as BlackCat, tried something different.

Earlier in the month, ALPHV attacked the company MeridianLink. After a few days, MeridianLink showed no sign of paying the ransom, so ALPHV upped the pressure by reporting MeridianLink to, of all places, the US Securities and Exchange Commission (SEC).

To hear ALPHV tell it, MeridianLink was required to report ALPHV’s attack to the SEC because of newly-announced rules from the federal agency that mandate the reporting of any “material cybersecurity incident” within four days.

“It has come to our attention that MeridianLink, in light of a significant breach compromising customer data and operational information, has failed to file the requisite disclosure under Item 1.05 of Form 8-K within the stipulated four business days, as mandated by the new SEC rules,” ALPHV allegedly wrote in their complaint to the SEC.

MeridianLink, however, was unimpressed. After confirming “a” cybersecurity incident, a spokesperson with the company downplayed its severity.

“Based on our investigation to date, we have identified no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption,” the MeridianLink spokesperson said. Further, the rules cited by ALPHV were not even in effect, yet, so noncompliance would be impossible.

To date, MeridianLink has not reportedly paid the ransom. More importantly, ALPHV may have learned something the rest of the world already knows: Criminal tactics only gain sympathy within criminal enterprises. Next time, complain to your coworkers, not the federal government.  

**How to avoid ransomware**

*   **Block common forms of entry.** Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
*   **Prevent intrusions.** Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
*   **Detect intrusions.** Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption.** Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

 The top 4 ransomware gang failures of 2023 

Online scams abound every day, but these four scams from 2023 were particularly devious.

In 2023, the public primarily confronted two varieties of online scams: the technical and the topical.

Technical scams abuse legitimate aspects of modern internet infrastructure to lead users to illegitimate or compromised sites. A team of hackers can, say, boost their own info-stealing websites through Google search results, providing a veneer of authenticity to their malicious intent. These scams can involve vast criminal segmentation and coordination between malware developers, code writers, and hackers who sometimes also infect legitimate websites with dangerous tools.

Topical scams, on the other hand, are simpler. By leveraging major news events or luring users with too-good-to-be-true deals, cybercriminals trick victims into giving away their vital credit card information through cyberspace.

Both are dangerous, both are effective, and both had their fair share of sneaky examples this year.

With your holiday shopping over (or, we hope it’s over, as it’s a bit late now for gifts), we at Malwarebytes Labs wanted to look back on four of the sneakiest online scams we saw last year.

****Forged in fire, fraud on Facebook****

In November, an insulated tumbler made by the drinkware company Stanley allegedly survived a roaring fire that sadly destroyed a woman’s car. The car owner, Danielle Marie Lettering, posted a video on TikTok that showed a Stanley tumbler—merely singed—inside a wrecked Kia.

“Everybody is so concerned if the Stanley spills but what else,” Lettering said in the video she posted. “It was in a fire yesterday and it still has ice in it.”

Lettering’s TikTok video has more than 90 million views and a wealth of comments about first-time interest in Stanley’s products.

And right on time, just weeks later, Malwarebytes Labs spotted a fraudulent Facebook ad—posing as a legitimate sale from Dick’s Sporting Goods—selling the now-storied Stanley Quencher cup for just $19, a steal compared to Amazon listings near $45.

Users who clicked on the ad were not taken to the legitimate website for Dick’s Sporting Goods, but instead routed to a website where the payment processor was registered in Hong Kong.

Sprung just before Black Friday, this scam had it all—the urgency of an annual mega-shopping event, the name of a recognized and trusted online retailer, and the allure of a once-benign product now launched into viral celebrity.

****WoofLocker sends victims into a redirection labyrinth****

Tech support scams often follow a similar plot: Cybercriminals will place malicious ads online that label a bogus phone number for everyday users who are experiencing common tech problems. When those users look up their tech troubles online, they’ll see results that display the scammers’ phone number, fooling them into calling what they think is a legitimate helpline, only to be led through a series of social engineering tricks to eventually hand over their money.

But the tech support scam held up by “Wooflocker” is different.

Wooflocker does not rely on malicious advertising (also known as malvertising). Wooflocker only ensnares victims who, of their own accord, visit any of several compromised websites.

With every visit to a compromised website, a user is surreptitiously “fingerprinted”—if their IP address, computer environment, and cyber-defenses (or lack thereof) are all preferable to the hackers behind Wooflocker, then those website visitors are redirected to another domain with a URL that is created then and there by Wooflocker’s hacking scripts.

Malwarebytes Labs first spotted Wooflocker in 2020, and even then, we learned that the cybercriminals behind it had likely been building out their web traffic redirection machine since 2017. But in the years since we last checked in, Wooflocker has become more sophisticated. The current iteration of Wooflocker now relies on web hosting services in Bulgaria and Ukraine, which could potentially provide added protection against any takedown efforts.

****The “logout king”** gets pinned**

In March, the reporting outlet ProPublica revealed that, after months of investigation, it had likely tracked down one of the most notorious online scammers—the self-proclaimed “log-out king,” also known as OBN Brandon.

OBN Brandon’s trick is almost always the same. He reports accounts of growing Instagram influencers to the customer service department of Meta, the company formerly known as Facebook, which also owns Instagram. Once he wrongfully enacts a ban on the account, OBN Brandon reaches out to the person behind the account and says he can bring it back—for a price.

As to _how_ OBN Brandon convinces Meta’s customer support to take down an account, there are multiple tactics. According to ProPublica:

“In some cases OBN hacks into accounts to post offensive content. In others, he creates duplicate accounts in his targets’ names, then reports the original accounts as imposters so they’ll be barred for violating Meta’s ban on account impersonation. In addition, OBN has posed as a Meta employee to persuade at least one target to pay him to restore her account.”

Once a simple image-sharing tool, Instagram has now ballooned into a business platform for countless influencers who take promotional offers from larger companies to be featured in posts and Reels—which are short-form videos on the app. Similarly, many small businesses and entrepreneurs use the platform to self-promote and connect users to their products and services.

One OBN victim that ProPublica spoke to claimed that, before his account was targeted, he had been making between $15,000 and $20,000 a month simply from his Instagram account.

“People pay me all the time to post promos for music, crypto,” the individual told ProPublica. “I can make five, 10 grand by accident if I needed to. … The money’s crazy.”

In its investigation, ProPublica identified a 20-year-old Nevada man as a likely operator or affiliate behind OBN Brandon. Once the outlet gave more details to Meta, Meta sent a cease-and-desist order to the man, also banning him from the platform.

****In their villain era****

For years, Taylor Swift fans were starving.

Not since 2018 had the most recent TIME Person of the Year produced a full-fledged world circuit tour. But in 2023, that changed, when Swift began her “Eras” tour, a globe-spanning celebration of her past albums that, on stage, delighted audiences for three-and-a-half hours every night, no matter the weather.

Still in production, Swift’s “Eras” tour has already brought in literal billions for the pop star goddess, according to one Washington Post estimate.

But the tour has also brought in a significant payday for ticket scammers.

In June, just a few months into the start of the “Eras” tour, Attorney General Dana Nessel for the state of Michigan issued a warning to Swift fans in her state.

“Michigan residents who are defrauded by online ticket scammers should not just shake it off,” said Nessel. “We know these scams all too well. If you believe you were taken advantage of, filing a complaint with my office is better than revenge.”

According to Malwarebytes Labs’ own reporting at the time, scams that preyed on the Eras tour were popping up all across the United States:

“Other locations for the tour are trying to get ahead of the scam curve, issuing their own warnings ahead of events where possible. For example, Cincinnati has highlighted tales of woe related to fake ticket sales on Facebook. Detroit flagged fake ticket sales on Instagram. CBC covered multiple fake sale attempts cheating folks in Canada out of significant chunks of money. Elsewhere, teens have lost out on $1,200 thanks to Craigslist scammers.”

With many, many, many more shows scheduled (the latest of which is in December 2024), stay alert.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 4 sneaky scams from 2023 

We look at the three most common methods that ransomware groups use to avoid being detected.

An often heard remark is that when your security solution notices a ransomware attack, it’s already too late. There’s a lot of truth in that, if you consider the encryption process to be the ransomware attack. However, these days encryption is just a part of many ransomware attacks.

Some of the cybercriminals we conveniently call ransomware groups have even completely stopped using the encryption process because it’s too “noisy.” Any AI based solution that is worth the electrons used to create it, will notice the activities on a system associated with encryption and the deletion of backups.

In the first days of ransomware, the cybercriminals sent you an email, hoping you would open an attachment or click a link to infect your system with malware. But malware has only a short time-span during which it can hope to stay undetected. Widespread malware is usually just one update away from detection.

So, to hide their presence, many of these gangs have resorted to a lot more silent operations. Consider this typical attack flow:

1.  Initial access is gained by exploiting vulnerabilities on software or hardware found in the target’s environment.
2.  With valid credentials gained by the vulnerability exploitation, phishing, or password attacks, the criminals get access to an internet exposed service, where they can set up some foothold to provide them with command and control options.
3.  From here they can start lateral movement across the target’s network and find ways to raise their permissions.
4.  The next step is often called data exfiltration, which is nothing more than copying interesting looking files to a location under their control where the criminals can have a good look at them.

As you can see, there was no malware involved in these steps. Every single step can be done by using software that is already present. The lateral movement is often done by deploying built-in tools like PowerShell, PsExec, or Windows Management Instrumentation (WMI).

We call this technique Living-off-the-Land (LOTL). LOTL attacks are performed by mimicking normal behavior, and make it extremely difficult for IT teams and security solutions to detect any signs of malicious activity.

Another way to avoid being detected is using fileless malware. Fileless malware is intended to be memory resident only, ideally leaving no trace after its execution. So, the malicious payload exists only in the computer’s memory, which means nothing is ever written directly to the hard drive. As a rule, if malware authors can’t avoid detection by security vendors, they at least want to delay it for as long as possible. This made fileless malware a step forward in the arms race between malware and security products.

Another, very different method to avoid detection is to disable the resident security software before the actual attack is launched. One way to achieve this, which we have seen this year, is by using signed drivers. The drivers can be deployed only when the attacker has already gained administrative privileges on compromised systems. Drivers are loaded early in the boot process of a system and can therefore interfere with subsequently loaded programs.

The most common type of attacks that uses drivers is the “bring your own vulnerable driver” (BYOVD) approach, in which the attackers use a driver from a legitimate software publisher that has known and exploitable security vulnerabilities. Since the driver is legitimate, it will bypass security checks and allow the attacker to then exploit it once it has been installed on the system.

However, there’s also been abuse of several developer program accounts engaged in submitting malicious drivers to obtain a Microsoft signature. Signatures from a trustworthy software publisher make it more likely the driver will get into Windows without interference from the security software.

Many anti-malware solutions, including Malwarebytes, have anti-tampering protection in place, so finding methods to disable the protection is a big deal for malware authors.

Finding signs of malicious activity that are designed to stay under the radar is a job for specialists, which is why many organizations are looking for Managed Detection & Response (MDR) services.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 How ransomware operators try to stay under the radar 

Cybercriminals now have AI to write their phishing emails, which might well improve their success rates. Here's what to watch out for.

Phishing is the art of sending an email with the aim of getting users to open a malicious file or click on a link to then steal credentials. But most phishers aren’t very good, and the success rate is relatively low: In 2021, the average click rate for a phishing campaign was 17.8%.

However, now cybercriminals have AI to write their emails, which might well improve their phishing success rates. Here’s why.

The old clues for telling if something was a phishing mail were:

1.  It asks you to update/fill in personal information.
2.  The URL on the email and the URL that displays when you hover over the link are different from one another.
3.  The “From” address is an imitation of a legitimate address, especially from a known brand.
4.  The formatting and design are different from what you usually receive from a brand.
5.  The content is badly written and may well include typos.
6.  There is a sense of urgency in the message, encouraging you to quickly perform an action.
7.  The email contains an attachment you weren’t expecting.

While most of these are still valid, there are a few checks you can strike off your list due to the introduction of AI.

When a phisher is using a Large Language Model (LLM) like ChatGPT, a few simple instructions are all it takes to make the email look as if it came from the intended sender. And LLMs do not make grammatical errors or put extra spaces between words (unless you ask them to).

They’re not limited to one language ether. AI can write the same mail in every desired language and make it look as if you are dealing with a native speaker. It’s also easier to create phishing emails tailored to the intended target.

All in all, the amount of work needed to create an effective phishing email has been reduced dramatically, and the number of phishing emails has gone up accordingly. In the last year, there’s been a 1,265% increase in malicious phishing emails, and a 967% rise in credential phishing in particular.

Because of AI, it’s become much harder to recognize phishing emails, which makes things almost impossible for filtering software. According to email security provider Egress 71% of email attacks created through Ai go undetected.

**So how do you recognize AI phishing emails?**

Here are some ideas:

Number 4 above—The formatting and design are different from what you usually receive from a brand—is helpful. Compare the email with any previous communications you have from the supposed sender. If there are inconsistencies in the tone, style, or vocabulary, this could indicate that the message is a phishing attempt.

Number 5—The content is badly written and may well include typos—AI phishing emails may still use generic greetings, such as “Dear user” or “Dear customer,” instead of addressing the recipient by name. Also, look for generic or mismatched signatures that do not align with the sender’s typical signature.

Number 7—The email contains an attachment you weren’t expecting—If you know the person who sent the email but don’t trust the content, contact the sender through an alternate communication method to verify whether they actually sent it.

For organizations it is important to have a clear reporting procedure and actively follow up on reported suspected phishing emails. If your employees never hear back about a reported phishing email, they are less likely to report the next one. A pat on the shoulder for catching one goes a long way. A lot further than the more common shame-and-blame punishments for clicking a malicious link.

Repetitive phishing training that neither aligns to how users engage with email, nor provides appropriate tools for responding to ambiguous emails are a waste of time, money, and the patience of the employee.

And most of all, make sure that your own communications, internal and external, don’t look like phishing attempts.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 How to recognize AI-generated phishing mails 

A list of topics we covered in the week of December 18 to December 24 of 2023

December 21, 2023 - Xfinity has notified customers that due to exploitation of the Citrix Bleed vulnerability, attackers were able to access personal data of almost 36 million customers.

December 21, 2023 - A researcher found two Microsoft vulnerabilities which could be combined to achieve zero-click remote code execution.

December 21, 2023 - Google has issued an emergency update for Chrome that fixes an actively exploited zero-day vulnerability in the WebRTC component.

December 21, 2023 - Pharmacy chain Rite Aid has been denied the right to run facial recognition systems in its stores for five years, by the FTC.

December 21, 2023 - Learn how RaaS gangs use LOTL tactics in their attacks on organizations.

 A week in security (December 18 &#8211; December 24) 

Xfinity has notified customers that due to exploitation of the Citrix Bleed vulnerability, attackers were able to access personal data of almost 36 million customers.

In a notice for its customers, Xfinity acknowledges it recently fell victim to a data security incident. Xfinity is Comcast’s brand for TV, internet, and home phone services, sometimes referred to as Comcast Cable Communications.

During the data breach the attackers were able to access 35.8 million customers’ usernames and hashed passwords. For some customers, other personal information may have been exposed, such as names, contact information, the last four digits of social security numbers, dates of birth, and secret questions combined with answers.

On October 25, 2023, Xfinity discovered suspicious activity and subsequently determined that between October 16 and 19 unauthorized access to its internal systems occured.

Xfinity says it notified federal law enforcement and started an investigation, which revealed the attackers had used the Citrix Bleed vulnerability. Affiliates of at least two ransomware groups, LockBit and Medusa, have been observed exploiting Citrix Bleed as part of attacks against organizations. Whether one of those affiliates was behind this attack is not known.

On October 10, 2023, Citrix released security updates to address Citrix Bleed, but many organizations struggle to patch in a timely manner. Although you would expect a large company like Comcast to have some type of vulnerability and patch management deployed.

The company is notifying customers through a variety of channels, including through the Xfinity website, email, and news media.

Xfinity has required customers to reset their passwords to protect affected accounts. In addition, Xfinity strongly recommends that customers enable two-factor or multi-factor authentication to secure their Xfinity account.

It is not advisable to use the same password for multiple accounts, but if you did, Xfinity recommends that you change the passwords for any accounts that share your Xfinity password.

Customers with questions can contact Xfinity’s dedicated call center at 888-799-2560 toll-free 24 hours a day, seven days a week. More information is available on the Xfinity website.

**Data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

**Data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

 Comcast’s Xfinity breached by Citrix Bleed; 36 million customer’s data accessed 

Dive into the inner workings of ThreatDown Vulnerability Assessment and Patch Management

Maintaining updated systems and applications is a challenge for any IT team—especially considering the sheer volume of vulnerabilities organizations must find and prioritize on a rolling basis.

ThreatDown Vulnerability Assessment (VA), now included for free in every ThreatDown bundle, simplifies the vulnerability-finding process by automatically identifying gaps in your environment and prioritizing the results.

Based on the scans shared by the VA, ThreatDown Patch Management (PM), patches both the operating system and third-party applications installed on endpoints. But how exactly do both solutions work together?

In this article, we’ll dive into the inner workings of ThreatDown Vulnerability Assessment and how it integrates with Patch Management to seamlessly plug the holes in your cyber defenses.

**1\. Getting a lightweight start**

Our journey with how Threat Down Vulnerability Assessment and Patch Management works begins as all great cybersecurity journeys begin: A clunky, on-prem server directly wired up to all your endpoints.

Just kidding. This isn’t the 1970s anymore. Thankfully.

The cornerstone of all ThreatDown security solutions—not just Vulnerability Assessment, but Endpoint Detection and Response (EDR) in general—is a lightweight endpoint agent (EA). The EA is a software tool which collects and sends endpoint security data to a central system for analysis and threat response

You can distribute the ThreatDown EA to endpoints either manually to each user or automatically via network-wide remote deployment tools.

**2\. Vulnerability Assessment scans endpoints**

When you download the ThreatDown Endpoint Agent on your devices, it can then scan for installed third-party software and find out if there are any known vulnerabilities in them.

To enable a Vulnerability Assessment policy in Nebula, check out this simple step-by-step guide. There are two ways to scan for vulnerabilities: on-demand or scheduled.

**3\. VA finds vulnerabilities across third-party applications**

The ThreatDown EA sends the results of the vulnerability scan to Nebula, our cloud-hosted security platform. Vulnerability data is stored and displayed for up to 90 days across all endpoints.

All vulnerabilities found are automatically assigned a severity rating based on the Common Vulnerability Scoring System (CVSS) standard. As well, vulnerabilities are tagged as “CISA recommended” if they are found in the Cybersecurity and Infrastructure Security Agency (CISA) managed catalog of known exploited vulnerabilities.

In Nebula, you have a few options for how you want to view found vulnerabilities:

**Vulnerabilities page**

On the left navigation menu, go to Monitor > Vulnerabilities to view vulnerabilities across your environment.

**Endpoint page**

On the Endpoints page, add a new column for a quick glance of the severity of CVEs for each endpoint. Hover over the diagram for a breakdown of vulnerabilities by severity.

**Vulnerabilities tab**

Navigate to the Vulnerabilities tab from Manage > Endpoints to view the vulnerabilities of a specific endpoint.

Finding vulnerabilities, of course, is just one half of the battle.

After our free Vulnerability Assessment tool does its discovery work, our Patch Management module automatically imports the scan data and uses it to determine which patches and application updates need to be deployed.

With Patch Management, you can apply two different types of patches: operating system patches and software patches. To view and install both OS and software patches across your environment, navigate to Monitor > Patch Management on the left navigation menu.

**5\. Patch Management automatically updates OS and third-party applications to the latest versions**

To apply patches en masse, check the boxes for the systems or applications on endpoints you wish to update and click Actions > Update Software.

Bam, you’re done.

To help automate the patching process, you can create a schedule to install third-party software updates regularly. This schedule installs all system and third-party software updates found when the schedule is run.

**Streamlining Vulnerability Response with ThreatDown**

Managing vulnerabilities and patches yourself can be a pain. But, as we’ve broken down in this article, ThreatDown takes care of vulnerability management all from one console.

Learn more about our free Vulnerability Assessment solution here.

Interested in adding Patch Management capabilities as well? Check out ThreatDown Advanced, Elite, and Ultimate bundles.

Related:

How to choose a free vulnerability scanner: Insights from an industry veteran

How IT teams can conduct a vulnerability assessment for third-party applications

Source

Malwarebytes