In November, ransomware gangs attacked at least 457 victims—the highest monthly count in 2023, after May's record numbers.

_This article is based on research by Marcelo Rivero, Malwarebytes’ ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, “known attacks” are those where the victim **did not** pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher._

In November there were 457 total ransomware victims, making it the most active month for ransomware gangs in 2023 so far besides May. The top stories of the month include ALPHV’s shutdown, an increased focus on the healthcare sector, and high-profile attacks on Toyota, Boeing, and more using a Citrix Bleed vulnerability (CVE-2023-4966).

We’ve written about a few ransomware gangs getting shut down this year, including Hive in January and RansomedVC in October, but ALPHV is the latest—and arguably biggest—name to be crossed off of law enforcements’ hit list in 2023. The fate of the gang was sealed in early December, when their data leak sites suddenly became unavailable. Shortly thereafter, researchers at RedSense confirmed that law enforcement was indeed behind the takedown action.

ALPHV’s shutdown represents a huge blow to the ransomware world—and a big win for defenders. With a total of 573 victims since February 2022, it’s no exaggeration to say that ALPHV was second only to LockBit in being organizations’ biggest ransomware threat. The demise of ALPHV can be examined through a few different lenses. For one, it’s a reminder that no ransomware gang—however prolific or well-resourced—is immune to downfall.

The good news in all this is that today’s _who’s who_ can be tomorrow’s _nobody_. The bad news? That same logic works in reverse as well: Today’s nobody can be tomorrows who’s who.

This is the case we’ve seen with gangs like Medusa or 8BASE. For every head lopped of off the ransomware Hydra, it feels like three more grow in its place. However, none of this is to say that decisive law enforcement action doesn’t deter ransomware gangs to some extent—it does. One can hope that ransomware gangs see a Goliath like ALPHV get felled and think twice about wantonly attacking organizations at the rate we’ve been seeing lately.

In other news, attacks on the healthcare sector last month reached an all-time high at 38 total attacks.

The record follows a steady uptick in attacks on the sector we’ve observed over the past year. According to the findings released by the Department of Health and Human Services last month, there has been a 278% increase in ransomware attacks on health sector over the past four years. “The large breaches reported this year have affected over 88 million individuals, a 60% increase from last year,” the agency also said.

Ransomware attacks on healthcare, 03/22 to 011/23

An attack on Ardent Health Services last month stands as a devastating reification of the trend. The attack, which occurred on Thanksgiving Day, left emergency rooms in multiple hospitals across four US states shut down for five days.

What explains the rise and focus on attacks on the healthcare sector? Well, for one thing, there isn’t a clear bias of one gang disproportionately targeting health care—our data shows LockBit is consistently at the top of the list, as they are likely for most sectors. The explanation, then, likely resides in a combination of facts:

1.  Ransomware attacks are up overall for all sectors
2.  Healthcare is easy to attack (Large number of weak points due to use of legacy systems, third-party vendors, etc).
3.  Healthcare might be more likely to pay (Higher desire to protect sensitive patient data).

Pair this up with a Thanksgiving holiday, and a bigger increase in attacks on health care is somewhat expected.

In other news, ransomware gangs rushed to exploit the Citrix Bleed vulnerability last month, taking advantage of a massive attack surface with over 8,300 vulnerable devices. LockBit led the fray by using the vulnerability to breach the likes of the Industrial and Commercial Bank of China (ICBC), DP World, Allen & Overy, and Boeing. Reported to have been in use as a zero-day since late August, Citrix Bleed provides attackers with the capability to bypass multi-factor authentication (MFA) and hijack legitimate user sessions. It is also said to be very easy to exploit.

Known ransomware attacks by gang, November 2023

Known ransomware attacks by country, November 2023

Known ransomware attacks by industry, November 2023

One of the most interesting developments last month were new reports reinforcing claims that Rhysida may be a rebrand of the infamous Vice Society ransomware gang. Not only does Rhysida share many operational and technical patterns with Vice Society—including using NTDSUtil for backups in ‘temp\_l0gs’ and SystemBC for C2 communications—but the distribution of their monthly attacks lines up as well. Vice Society hasn’t been active since June 2023—the same month we witnessed the rise of Rhysida.

Vice Society vs Rhysidia monthly ransomware attacks. Rhysida seems to pick up right where Vice Society dropped off

That being said, a rebrand isn’t confirmed. Perhaps Rhysida is a splinter group. Whatever the explanation, however, it’s almost certain this pattern is no mere coincidence—especially considering the victimology of the two groups is extremely similar (a focus on education and healthcare sectors).

**New Player: MEOW**

First detected in August 2022, Meow ransomware, linked to the Conti v2 variant, reappeared after vanishing in February 2023. The group published nine victims to its leak site in November.

Operating as MeowCorp or MeowCorp2022, it encrypts files with a “.MEOW” extension and sends ransom notes demanding contact via email or Telegram. Using ChaCha20 and RSA-4096 encryption, Meow is related to other malware strains originating from the leaked Conti variant. Its dark web site shows a limited victim list, including the high-profile entity Sloan Kettering Cancer Center.

**Preventing Ransomware with ThreatDown**

ThreatDown detecting LockBit ransomware

ThreatDown automatically quarantining LockBit ransomware

ThreatDown Bundles combinesthe technologies and services that resource constrained IT teams need into four streamlined, cost-effective bundles that take down threats, take down ransomware gangs:

*   **ThreatDown Core Bundle**: Next-gen AV and threat surface reduction. A simple yet superior solution integrating award-winning endpoint protection technologies.
*   **ThreatDown Advanced Bundle**: Everything included in core plus Managed Threat Hunting and Ransomware Rollback. Tailored for smaller security teams with limited resources.
*   **ThreatDown Elite Bundle**: Everything in Advanced plus 24/7/365 expert monitoring and response by Malwarebytes MDR analysts. Purpose-built for organizations with small (to non-existent) security teams that lack the resources to address all security alerts.
*   **ThreatDown Ultimate Bundle**: Everything in Elite plus protection from whole categories of malicious websites. Perfect for teams looking for a one-and-done shortcut to cybersecurity done right.

**Try ThreatDown bundles today**

 Ransomware review: December 2023 

Microsoft and other vendors have released their rounds of December updates on or before patch Tuesday. Update now!

December’s Patch Tuesday is a relatively quiet one on the Microsoft front. Redmond has patched 34 vulnerabilities with only four rated as critical. One vulnerability, a previously disclosed unpatched vulnerability in AMD central processing units (CPUs), was shifted by AMD to software developers.

The AMD vulnerability sounds like something from back in the eighties:

> “A division by zero error on some AMD processors can potentially return speculative data resulting in loss of confidentiality.”

And AMD’s mitigation advice basically boils down to “so don’t divide by zero,” which as many programmers can tell you, is not as easy as it sounds. Then ensure that no privileged data is used in division operations prior to changing privilege boundaries, AMD adds, which is about as hard as it sounds. We’re not sure how Microsoft solved it, but the company noted that the latest builds of Windows enable the mitigation and provide protection against the vulnerability.

The other vulnerability we wanted to highlight is listed as CVE-2023-35628, a Windows MSHTML platform remote code execution (RCE) vulnerability with a CVSS score of 8.1 out of 10 and in severity listed as “Critical.”

MSHTML is a core component of Windows that is used to render browser-based content. This vulnerability can be used in emails. An attacker could exploit this vulnerability by sending a specially crafted email which triggers automatically when it is retrieved and processed by the Outlook client. This could lead to exploitation even before the email is viewed in the Preview Pane. This could result in the attacker executing remote code on the victim’s machine. In other words, they could install or trigger malware on the target’s machine.

**Other vendors**

Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.

**Adobe** has released security updates to address multiple vulnerabilities in Adobe software.

*   Adobe Prelude
*   Adobe Illustrator
*   Adobe InDesign
*   Adobe Dimension
*   Adobe Experience Manager
*   Adobe Substance3D Stager
*   Adobe Substance3D Sampler
*   Adobe Substance3D After Effects
*   Adobe Substance3D Designer

**Android**: Google released the Android December 2023 security updates with a fix for a critical zero-day.

**Apache** released security updates to address a vulnerability (CVE-2023-50164) in Struts 2. A remote attacker could exploit this vulnerability to take control of an affected system.

**Apple** issued emergency updates including patches for older iOS devices concerning two actively used zero-day vulnerabilities.

**SAP** released its December 2023 Patch Day updates.

**WordPress** released version 6.4.2 that addresses a remote code execution (RCE) vulnerability.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

 Microsoft patches 34 vulnerabilities, including one zero-day 

Threat actors are increasingly placing malicious ads for Zoom within Google searches.

During the past month, we have observed an increase in the number of malicious ads on Google searches for “Zoom”, the popular piece of video conferencing software. Threat actors have been alternating between different keywords for software downloads such as “Advanced IP Scanner” or “WinSCP” normally geared towards IT administrators.

While Zoom is used by millions of people around the world, these campaigns are likely targeting victims who are into cryptocurrencies as well as corporate users, in order to gain access to company networks.

In this blog post, we chose to highlight two cases:

*   Case #1 is about a new loader which we have not seen mentioned publicly before called **_HiroshimaNukes_**. It drops an additional payload designed to steal user data.
*   Case #2 is a campaign dropping FakeBat loader where the threat actor tracked victims via a panel that was new to us, called **_Hunting panel 1.40_**. FakeBat is often used by threat actors as the initial entry point for hands on keyboard operations.

We have reported the malicious ads to Google.

**Advertiser profiles**

The threat actors are using a number of fake identities to create multiple advertiser accounts. We noticed that different ads had different advertiser IDs but the backend infrastructure was the same.

Fake advertiser profiles

They are also using what looks like existing advertising accounts (one of the accounts had over 30K ads) which may have been compromised:

Advertising account possibly hacked to insert malicious Zoom ad

While we don’t know how many people may have fallen for these Zoom malvertising campaigns, we can say that the number of ads and their positioning was prominent enough to generate a substantial amount of traffic.

**Cloaking via new services**

The threat actors are using tracking templates to cloak the redirection mechanism to either the legitimate Zoom website or a site or their choosing. They are abusing a service called AppsFlyer (onelink.me) and HYROS (l.hyros.com) for their redirects. We observed the following links for the Zoom campaigns:

*   aksdquwrqr\[.\]onelink\[.\]me
*   ntcrgfmmc3\[.\]onelink\[.\]me
*   169-zoona32\[.\]onelink\[.\]me
*   zoromonm\[.\]onelink\[.\]me
*   notetrest\[.\]onelink\[.\]me
*   putin-777\[.\]onelink\[.\]me
*   zoomus\[.\]onelink\[.\]me
*   mmozl\[.\]onelink\[.\]me
*   arnold\[.\]onelink\[.\]me
*   desktop-client\[.\]onelink\[.\]me
*   slovo-pacana\[.\]onelink\[.\]me
*   l\[.\]hyros\[.\]com/c8KqPHYKdt

Ad and redirection mechanism

**Case #1: HiroshimaNukes**

HiroshimaNukes is a name given by its author to a piece of malware that was new to us. It uses several techniques to bypass detection from DLL side-loading to very large payloads. Its goal is to drop additional malware, typically a stealer followed by data exfiltration.

HiroshimaNukes loader installation flow

**Distribution**

The threat actor is targeting users via Google ads related to a search for zoom:

Malicious ad for Zoom via Google search

Clicking on the ad redirects to a domain at _zoommaster\[.\]life_ that checks the IP address of the visitor and performs a redirect to _zoom.us_ (legitimate) site or _zoom-us\[.\]tech_ (malicious site) based on certain conditions. Intended targets will see a web page that looks similar to the real Zoom’s website:

Fake Zoom web page with malicious download

Users are tricked into downloading a file called _ZoomInstaller.zip_ which once extracted contains one main executable and several DLL files:

Content of the Zoom download archive

The _\_Zoom.exe_ file is a legitimate binary signed by Zoom Video Communications, Inc:

Main executable is legitimate

**DLL side-loading**

DLL side-loading is a technique used by threat actors to bypass detection. It consists of replacing a legitimate library file (DLL) used by a program (EXE) with a malicious one, using the same name and location.

When the main program is launched, it will automatically load the corresponding DLL without necessarily validating it. In this instance, _\_Zoom.exe_ side-loads _librcrypto-3-zm.dll_:

The malicious DLL that is loaded when the main executable runs

While DLL side-loading is commonly used by malware authors, it is also a unique TTP that we don’t see in all malvertising campaigns. We were able to search for previous similar attacks from the same threat actor. This time, the malicious DLL was side-loaded as if it was the FFmpeg library (_ffmpeg.dll_). As you can see from the screenshot below, the lure varied over time with for example brands such as TradingView, Notion or Obsidian.

Other examples of DLL side-loading

All the malicious DLLs we found were likely compiled by the same threat actor, who was either sloppy or wanted to leave the malware name in plain sight:

D:\\Projects\\General\\HiroshimaNukesDropper\\V2\\Dll\\x64\\Release\\Dll.pdb

This “HiroshimaNukes” dropper will spawn a new executable (_zoom\_crypted.exe_) that also attempts to evade detection due to its size:

Dropped file over 774 MB

The file has been inflated with junk code:

UnpacMe service’s analysis of the binary

Looking at its strings we can see that it is a stealer focusing on cryptocurrency wallets:

0x40284e: Cookies
0x40290a: Network\\Cookies
0x4029c2: DHistoryDDDDDDDsWeb Datassssssss
0x42c43b: TDiscord PTB\\Local Storage\\leveldbTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTC
0x42c51f: wDiscord Canary\\leveldbwwwwwwwwwwwwwwwwwwwwww-
0x42e1fd: Jkey3.dbJJJJJJJ
0x42e67c: Nformhistory.sqlite
0x42e798: Nformhistory.sqlite
0x433d69: WIMAP PasswordWWWWWWWWWWWWW
0x43515c:
0x44241d: oArmoryoooooo6
0x4426f4: 2bytecoin22222222
0x4427ba: ZJaxxClassicZZZZZZZZZZZ
0x4431f2: %Jaxx\\Local Storage\\leveldb%%%%%%%%%%%%%%%%%%%%%%%%%%
0x44347e: jEthereumjjjjjjjj2
0x443544: oEthereum\\keystoreooooooooooooooooo>
0x443621: #Electrum
0x443751: }Electrum\\wallets}}}}}}}}}}}}}}}}
0x443825: Electrum-LTC
0x4438ff: Electrum-LTC\\wallets
0x443a3c: Electrum-BCH
0x443b76: WElectrum-BCH\\walletsWWWWWWWWWWWWWWWWWWWW
0x443c5e: 2Atomic222222&
0x443d64: atomic\\Local Storage\\leveldb
0x443e5a: +Guarda
0x443f66: 9lGuarda\\Local Storage\\leveldb
0x4440ab: tWasabitttttt
0x444194: 7^WalletWasabi\\Client\\Wallets
0x444335: ,Daedalus,,,,,,,,f
0x444441: Daedalus Mainnet\\wallets
0x444523: Ledger Live
0x4445fc: )Ledger Live)))))))))))
0x444d50: /Litecoin////////

**Case #2: FakeBat and Hunting panel**

In this second case we look at a FakeBat loader payload which has an interesting addition to it. The threat actors are tracking victims from their campaigns using a control panel called Hunting panel 1.40 which was new to us.

FakeBat installation flow

**Distribution**

Unsuspecting users doing a Google search for “zoom” are deceived by a Sponsored result that looks authentic from the outside. While the ad display URL is **zoom.us** (which is the official website for Zoom), clicking on the menu beside the ad reveals an advertiser identified as “CHANDLER BONNY M”:

Malicious ad for Zoom via Google search

Web traffic following click on ad

On this landing page, users are tricked into downloading a malicious version of the Zoom installer:

Fake Zoom web page and malicious installer

The download process is initiated via a JavaScript event linking to the _ms-appinstaller_ URL where the MSIX file is hosted:

Source code processing the download of the MSIX installer

**Malware payload**

The malicious installer contains several files but the malicious components reside in the PowerShell scripts. This technique has been used by the threat actor for months already, probably because they get higher infection rates than with a traditional malware binary.

Contents of the MSIX file

The Base64-encoded PowerShell reveals the malware’s command and control server as well as a number of other commands such as reporting telemetry back about the machine and any security software installed, and more importantly a GPG encrypted payload decoded on the fly.

View of the malicious PowerShell script

**Panel and API**

Inspecting web traffic, we noticed that a new WebSocket was created to send data to a remote domain at api\[.\]huntingpanel\[.\]link. Some of this data includes a fileID, a project name and the domain that was used for the landing page.

Connection to WebSocket

This server is hosting a login page to “Hunting panel 1.40”, a control panel we had not heard of before. We surmise this is a way for the threat actor to track their malvertising and payload delivery campaigns. The panel’s background image is from the Firewatch video game.

Hunting panel 1.40 control panel

**Protection**

Malvertising continues to be a privileged malware delivery vector where threat actors are able to bypass ad verification checks, and often times security solutions as well.

We are actively tracking and reporting each new malvertising campaign we come across. As we can’t always control when third parties will take action on malicious ads, our top priority is to ensure our customers remain protected by blocking new malware domains and samples.

Both our consumer and enterprise users are protected agains these threats.

**Acknowledgements**

We would like to thank Sergei Frankoff, malware researcher and a co-founder of Open Analysis, for his help with the HiroshimaNukes dropper.

**Indicators of Compromise**

**Case #1 IOCs**

**_Description_**

**_Indicator_**

Fake Zoom site

zoom-us\[.\]tech

Download URL

zoom-us\[.\]tech/ZoomInstaller.zip

Fake Zoom archive (ZoomInstaller.zip)

fd524641d2be705d76feb0453374c5b2ad9582ced4f00bb3722b735401da2762

Malicious DLL (libcrypto-3-zm.dll)

30fda67726f77706955f6b52b202452e91d5ff132783854eec63e809061a4b5c

Stealer payload

5b917d04d416cafaf13ed51c40b58dc8b4413483ea3f5406b8348038125cad0b

Stealer C2

94.131.110\[.\]127

**Case #2 IOCs**

**_Description_**

**_Indicator_**

Fake Zoom site

z00nn.one-platform-to-connect\[.\]group

Fake Zoom site

info-zoomapp\[.\]com

Fake Zoom site

zoomnewsonly\[.\]site

Fake Zoom site

zoonn\[.\]virtual-meetings\[.\]cn\[.\]com

Fake Zoom site

promoapp-zoom\[.\]com

Download URL

youstorys\[.\]com/fonts/Zoom-x64.msix

Download URL

windows-rars\[.\]shop/bootstrap/Zoom-x64.msix

Download URL

scheta\[.\]site/apps.store/ZoomInstaller.msix

Installer (Zoom-x64.msix)

dcb80bd21bd6900fe87423d3fb0c49d8f140d5cf5d81b662cd74c22fca622893

Installer (Zoom-x64.msix)

44cac5bf0bab56b0840bd1c7b95f9c7f5078ff417705eeaaf5ea5a2167a81dd5

Installer (ZoomInstaller.msix)

462df2e4a633e57de0d5148060543576d7c1165bf90e6aec4183f430d8925a1c

Encrypted payload URL

winkos\[.\]net/ld/zm.tar.gpg

FakeBat C2

2311foreign\[.\]xyz

 Malvertisers zoom in on cryptocurrencies and initial access 

How to choose a free vulnerability scanner? Industry expert Robert Elworthy has the answers.

The cybersecurity market is awash with expensive, high-end solutions for detecting vulnerabilities in third-party applications. However, for smaller security teams, free vulnerability scanners offer a practical alternative.

But of course, free doesn’t always mean better—it’s crucial to thoroughly assess free vulnerability scanners before integrating one into your security protocols.

How to choose a free vulnerability scanner? Industry expert Robert Elworthy, NA Solutions Engineering Manager at ThreatDown, has the answers.

Robert has a wealth of experience from his tenure as IT manager at Langdale Industries, where he managed a network of over 500 endpoints. In this article, we’ll break down his advice on selecting a free vulnerability scanner

Let’s dive into the essentials.

Related: **How to find vulnerabilities in your IT environment**

**1\. Assessing your environment’s scale**

Limits on the number of scannable endpoints are common with free vulnerability scanners. While a small business with a few devices might find them sufficient, larger enterprises with hundreds of endpoints could exceed these limits.

Elworthy, reflecting on his Langdale experience, highlights the importance of a tool capable of handling large-scale environments efficiently, a critical aspect for organizations with extensive networks:

“Free tools often struggle with large networks,” Elworthy said. “It’s important to choose a tool that can handle large-scale environments without compromising efficiency, especially for organizations with extensive networks, where the ability to scale effectively is crucial.”

**2\. Understanding scanning requirements**

Different scanners have varied requirements. Some scanners need agents installed on each endpoint for in-depth insights, while others conduct less intrusive remote scans.

Elworthy emphasizes the need for scanners that minimize the complexity of agent installations, especially in large and diverse IT landscapes:

“Often, when you opt for a free tool, you might need to run the software on-premises or integrate it into your network. This becomes particularly challenging with remote work and constantly shifting targets,” Elworthy said. “How do you deploy an agent to gather the necessary information? It’s not always straightforward with free tools.”

**3\. Evaluating reporting capabilities**

The effectiveness of a vulnerability scanner is largely measured by its reporting capabilities, but free vulnerability scanners might provide basic reports that overlook critical remediation details.

“You must consider how you can utilize the data once it’s acquired. Some tools may display the data, but offer limited reporting or feedback capabilities, which can be a significant limitation,” Elworthy said.

**4\. Checking ongoing support**

Cyber threats evolve rapidly, and so must your scanner. Tools like OWASP ZAP are updated frequently but require users to stay on top of these updates manually, which could add to your team’s workload.

“Without ongoing support, free tools risk becoming outdated as new vulnerabilities are discovered,” Elworthy said. “To make sure your organization isn’t unaware of emerging threats, you should confirm a free vulnerability scanner has a process for frequently updating its vulnerability database.”

**5\. Integration capabilities**

Integration with other security tools is crucial. Elworthy stressed the importance of tools that aid in both vulnerability identification and remediation:

“It’s important to have a scanner that not only detects vulnerabilities but also offers guidance on remediation.” Elworthy said. “Many free tools don’t automatically patch vulnerabilities found during scans since remediation is a separate process. Integrating with patch management is critical to easily fix any vulnerabilities found.”

The labor involved in configuring, updating, and mastering free vulnerability scanners represents a substantial investment. Elworthy points out the hidden labor costs in using “free” tools, which can affect team efficiency:

“The time and labor required to maintain scans and update tools can be significant,” Elworthy said, reflecting on his time at Langdale. “There are often-overlooked costs associated with ‘free’ vulnerability scanners. They may not require direct financial investment, but the manpower and time needed for their effective operation can be substantial.”

**Alternative: ThreatDown Vulnerability Assessment solution**

For teams seeking a streamlined approach, the ThreatDown Vulnerability Assessment solution, free for all ThreatDown customers, offers:

**Single, Lightweight Agent**

To simplify security and reduce costs, Vulnerability Assessment deploys easily in minutes without a reboot, using the same agent and cloud-based console that powers all ThreatDown endpoint security technologies.

**Quick Vulnerability Scans**

Identifies vulnerabilities in modern and legacy applications in less than a minute.

**Accurate severity ratings**

Utilizes the Common Vulnerability Scoring System (CVSS) and Cybersecurity and Infrastructure Security Agency (CISA) recommendations to evaluate and rank vulnerabilities for proper prioritization.

**Security Advisor Integration**

Our Security Advisor tool to analyzes an organization’s cybersecurity health—such as by assessment of current inventory and which assets are vulnerable—and generates a score based off what it finds. To improve the endpoint security health score, Security Advisor delivers recommendations to address discovered vulnerabilities: patching, updates, or policy changes.

**Beyond the no-cost appeal**

Opting for a free vulnerability scanner is about more than avoiding expenses. It’s about striking the right balance between cost, functionality, and available resources.

The ThreatDown Vulnerability Assessment solution simplifies the process with features like a lightweight agent, quick vulnerability scans, accurate severity ratings based on CVSS and CISA guidelines, and integration with Security Advisor for tailored recommendations and ThreatDown Patch Management for automated remediation.

**Try ThreatDown Vulnerability Assessment today.**

Interested in adding Patch Management capabilities as well? Check out ThreatDown Advanced, Ultimate, and Elite bundles.

Related: 3 benefits of ThreatDown bundles

 How to choose a free vulnerability scanner: Insights from an industry veteran 

Apple has issued emergency updates that include patches for older iOS devices concerning two actively used zero-days that were patched for iOS 17 last week

Apple has issued emergency updates that include patches for older iOS devices concerning the two actively used zero-day vulnerabilities that were patched last week in newer devices.

Updates are available for:

Safari 17.2

macOS Monterey and macOS Ventura

iOS 17.2 and iPadOS 17.2

iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

iOS 16.7.3 and iPadOS 16.7.3

iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

macOS Sonoma 14.2

macOS Sonoma

macOS Ventura 13.6.3

macOS Ventura

macOS Monterey 12.7.2

macOS Monterey

tvOS 17.2

Apple TV HD and Apple TV 4K (all models)

watchOS 10.2

Apple Watch Series 4 and later

The updates may already have reached you if you automatically update, but it doesn’t hurt to check if your device is at the latest update level.

If a Safari update is available for your device, you can get it by updating your iPhone or iPad or updating your Mac.

Owners of devices running iOS 16.7 and iPad iOS 16.7 are especially encouraged to update as soon as possible, since the fixed issues may have been exploited against versions of iOS before iOS 16.7.1.

Apple doesn’t disclose, discuss, or confirm details about security issues until an investigation has occurred and patches or releases are available. But both vulnerabilities were credited to Clément Lecigne of Google’s Threat Analysis Group (TAG). 

Recently we saw an update for the Chrome browser which included a patch for an actively exploited zero-day vulnerability. That vulnerability was reported by TAG’s Benoît Sevens and the formerly mentioned Clément Lecigne. These Google TAG researchers are renowned for finding and disclosing zero-day vulnerabilities used in state-sponsored spyware attacks.

**We don’t just report on Android and iOS security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your Android devices by downloading Malwarebytes for Android today. And keep threats off your iOS devices by downloading Malwarebytes for iOS today.

 Update now! Apple issues patches for older iPhones and other devices 

Ransomware operator ALPHV/Blackcat reportedly stole 2.5 million records from non-profit healthcare system Norton Healthcare

Healthcare company Norton says a May breach led to the theft of data of around 2.5 million of its patients, as well as employees and their dependents.

Norton has more than 40 clinics and hospitals in and around Louisville, Kentucky. In a filing with Maine’s attorney general on Friday, Norton said that on May 9, 2023, it discovered an “external system breach.” While the attackers were in the system, Norton says, the sensitive data of the patients, and employees and their dependents was accessed.

In a security incident notice as well as the letter that was sent to potential victims, Norton said the attackers accessed certain network storage devices, but did not access Norton Healthcare’s medical record system or Norton MyChart, its electronic medical record system.

The leaked information included names, dates of birth, Social Security numbers, health and insurance information, and medical identification numbers. Some people also had their financial account numbers, driver licenses or other government ID numbers, and digital signatures also taken.

While Norton never called the incident a ransomware attack, according to databreaches.net the attack was claimed by ALPHV/BlackCat. We could not confirm this, since at the time of writing, the ALPHV leak site is recovering from an outage due to problems with their hosting provider.

Norton says it told law enforcement about the attack and confirmed it did not pay any ransom payment. ALPHV claims to have extracted 4.7 TB worth of data and posted dozens of files as proof to get negotiations underway.

ALPHV is one of the most active ransomware-as-a-service (RaaS) operators and regularly appears in our monthly ransomware reviews as one of the top five most active groups. Recently they made headlines when one of their affiliates, known as Scattered Spider attacked MGM. They also filed a SEC complaint about one of their victims for failing to disclose a breach.

Our podcast host David Ruiz talked to ransomware expert Allan Liska about the why of the SEC complaint.

**Data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

 Healthcare giant Norton breach leads to theft of millions of patient records 

Researchers have found a way to guess passwords from keyboard sounds recorded by a smartphone with 95% accuracy.

As if password authentication’s coffin needed any more nails, researchers in the UK have discovered yet another way to hammer one in. The technique, developed at Durham University, the University of Surrey, and Royal Holloway University of London, builds on previous work to produce a more accurate way to guess your password by listening to the sound of you typing it on your keyboard.

The slight differences in the sounds each key makes is an unintentional leak of information, known as a “side channel”. Computers typically have lots of side channels, such as noises, heat, and changes in electromagnetic emissions, which can be hoovered up and analysed by adversaries to learn more about what’s happening on the computer.

Side channel research can get a little far-fetched and impractical at times but it serves a useful purpose in improving our knowledge about what’s possible. However, this research is firmly rooted in the possible, starting with the decision to monitor sound, rather than something more exotic.

> The ubiquity of keyboard acoustic emanations makes them not only a readily available attack vector, but also prompts victims to underestimate (and therefore not try to hide) their output. For example, when typing a password, people will regularly hide their screen but will do little to obfuscate their keyboard’s sound.

The researchers also used real-world attack scenarios, such as snooping on a laptop keyboard using the microphone on a smartphone in the same room, and by capturing the sound on a Zoom call.

As it is in so much cybersecurity research, Artificial Intelligence is centre stage. The new password-busting technique uses Deep Learning (a form of AI that mimics the learning process of the human brain) to determine which of a keyboard’s 36 keys are being pressed. The algorithm was taught using 25 presses on each key of an Apple laptop using different fingers and different pressures. The sounds from the key presses were processed extensively before being turned into images, and then fed into a deep learning algorithm used for image classification.

Did it work? Yes, even over Zoom.

> The method presented in this paper achieved a top-1 classification accuracy of 95% on phone-recorded laptop keystrokes, representing improved results for classifiers not utilising language models and the second best accuracy seen across all surveyed literature. When implemented on the Zoom-recorded data, the method resulted in 93% accuracy, an improved result for classifiers using such applications as attack vectors.

Research like this always begs the question, should you be worried about this? Most people have far more basic password problems to concern themselves with before fixing their noisy keyboards. However, all targets of cybercrime are not created equal, and there are nation state agencies willing to spend millions to compromise specific people. It is not difficult to imagine an intelligence agency using a technique like this, and it isn’t too far fetched for industrial espionage either.

As the reseachers point out, a deep learning engine trained on one laptop could probably guess passwords on other laptops of the same model, meaning “a successful attack on a single laptop could prove viable on a large number of devices.” A hint that techniques like this could even be commodified one day.

If you are concerned about this it’s worth noting that entering a password with a password manager makes almost no sound. However, if you think you’re genuinely at risk from techniques like this you should be looking beyond passwords at things like passkeys anyway.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 The sound of you typing on your keyboard could reveal your password 

A message about extra delivery addresses getting added to Amazon accounts has gone wild on social media. Luckily, it's nothing to worry about.

Amazon customers have been seeing a message on social media that has caused some alarm.

Most of the posts look like one of these (depending on the social media platform):

> “PSA!! Amazon got hacked. For USA based people, check your Amazon account. Hackers added HUB lockers as your default delivery addresses. Remove it! I had 2 added to mine.”

Hub lockers are local secure places for people to pick up their Amazon order rather than risk them being left on a doorstep, so the concern was that someone could buy something on your account and then send it to the Hub locker to be picked up.

Here’s another similar post, this time saying the lockers were actually fake:

> “PSA: check your saved addresses on Amazon. Amazon got hacked and a lot of people (including me) have random “Amazon lockers” saved in their addresses – which are not actual lockers. If you do use Amazon lockers, be sure to verify that the locker you’re sending it to is an actual locker.
> 
> Double check your order history and make sure there aren’t any orders you don’t recognize. And check your bank accounts to make sure your credit card on file is also not being used for unauthorized purchases. “

It’s not surprising that those messages would raise the alarm amongst Amazon’s customers, but thankfully the security alert is nothing to worry about.

The additional addresses are genuine Hub locations or other pick-up locations and they weren’t put there by hackers. Amazon added them in error.

As an Amazon spokesperson told Snopes:

> This isn’t a data security matter and our systems are secure. Amazon pickup locations were added to a small number of customer accounts in error, and we are working to fix the issue. We apologize for any inconvenience this may have caused, and customers with questions about their account are welcome to contact customer service.

Things like this are tricky – on the one hand we are always pleased for people to share security issues and alert others to potential problems. However in this case it appears as though people were forwarding the message without first checking if it was, in fact, a real issue.

And nowadays with social media and instant messaging, rumours like these can spread fast. All it takes is some panic, little research, and a lot of contacts.

If you see a message like this, always do a bit of research before forwarding it on. Sites like Snopes allow you to search for keywords and you’ll find a lot of hoaxes including this one.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 &#8220;Amazon got hacked&#8221; messages are a false alarm 

Malwarebytes is offering customers its ThreatDown Vulnerability Assessment solution without extra costs to help reduce attack surfaces and improve their security posture

Every day, nearly 70 brand-new vulnerabilities are discovered in software products around the world. That’s almost 25,550 new problems each year, of which roughly 4,250 (or every one-in-six) will be classified as “critical.”

But with little guidance beyond “critical” classifications—and with the potential for non-critical vulnerabilities to still be exploited for devastating malware attacks—resource-constrained IT organizations need help. How can IT teams prioritize amongst potentially thousands of vulnerabilities if they don’t know which to fix first?

Malwarebytes analyzed the vulnerabilities identified by its ThreatDown Vulnerability Assessment module, now included at no additional cost in all ThreaDown bundles, to reveal the most common “critical” and “important” unpatched vulnerabilities on known endpoints.

The vulnerabilities compiled show up across four major software products:

*   Adobe Flash Player
*   Adobe Acrobat Reader
*   VideoLan VLC Media Player
*   Zoom

****The most prevalent vulnerabilities:****

In the 100 most prevalent unpatched vulnerabilities, the majority **(93 out of the 100) are found in software by Adobe, Zoom, and Mozilla.** \[MOU3\] 

No vulnerability listed as critical made it into the top 100 most prevalent vulnerabilities. But one critical vulnerability was close: CVE-2020-9633 in Adobe Flash Player. The vulnerable version of Flash is still in use because Adobe silently introduced a time bomb in later Flash Player versions that would prevent Flash Player from working and playing any Flash content after January 12, 2021. So organizations that have certain Flash content they need to play often to go back to that vulnerable version.

Relatedly, the most prevalent vulnerabilities labeled “Critical” come from a more diverse group of software vendors, with four distinct top contributors:

*   30 % UltraVNC (Server and Viewer)
*   20 % Python (versions 3.6 to 3.10)
*   18% Microsoft (Edge and Visual Studio)
*   14 % Adobe (Flash Player, Acrobat, and Reader)

Read on to see details of the top 5 unpatched critical vulnerabilities and the top 5 unpatched important vulnerabilities, as uncovered by ThreatDown, powered by Malwarebytes.

****The top 5 unpatched CRITICAL vulnerabilities:****

**Adobe Flash Player**

CVE-2020-9633: Adobe Flash Player Desktop Runtime 32.0.0.371 and earlier, Adobe Flash Player for Google Chrome 32.0.0.371 and earlier, and Adobe Flash Player for Microsoft Edge and Internet Explorer 32.0.0.330 and earlier have a use after free vulnerability. Successful exploitation could lead to arbitrary code execution. Adobe has released security updates for Adobe Flash Player for Windows, macOS, Linux and Chrome OS.

**Zoom:**

CVE-2022-22785: The Zoom Client for Meetings (for Android, iOS, Linux, MacOS, and Windows) before version 5.10.0 failed to properly constrain client session cookies to Zoom domains. This issue could be used in a more sophisticated attack to send an unsuspecting users Zoom-scoped session cookies to a non-Zoom domain. This could potentially allow for spoofing of a Zoom user.

CVE-2022-22786: The Zoom Client for Meetings for Windows before version 5.10.0 and Zoom Rooms for Conference Room for Windows before version 5.10.0, fails to properly check the installation version during the update process. This issue could be used in a more sophisticated attack to trick a user into downgrading their Zoom client to a less secure version.

**Adobe Acrobat Reader**

CVE-2016-1038: Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC Classic before 15.006.30172, and Acrobat and Acrobat Reader DC Continuous before 15.016.20039 on Windows and OS X allow attackers to bypass JavaScript API execution restrictions via unspecified vectors. Installing a more recent version eliminates this vulnerability.

CVE-2016-1044: Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC Classic before 15.006.30172, and Acrobat and Acrobat Reader DC Continuous before 15.016.20039 on Windows and OS X allow attackers to bypass JavaScript API execution restrictions via unspecified vectors. Installing a more recent version eliminates this vulnerability.

****The top 5 unpatched IMPORTANT vulnerabilities:****

**Zoom:**

CVE-2023-39211: Improper privilege management in Zoom Desktop Client for Windows and Zoom Rooms for Windows may allow an authenticated user to enable an information disclosure via local access. Upgrading to 5.15.5 or later eliminates this vulnerability.

CVE-2023-34116: Improper input validation in the Zoom Desktop Client for Windows may allow an unauthorized user to enable an escalation of privilege via network access. Upgrading to version 5.15.0 or later eliminates this vulnerability.

CVE-2023-39213: Improper neutralization of special elements in Zoom Desktop Client for Windows and Zoom VDI Client may allow an unauthenticated user to enable an escalation of privilege via network access. Upgrading to version 5.15.2 or later eliminates this vulnerability.

**Adobe:**

CVE-2023-29320: Adobe Acrobat Reader versions 23.003.20244 (and earlier) and 20.005.30467 (and earlier) are affected by an Violation of Secure Design Principles vulnerability that could result in arbitrary code execution in the context of the current user by bypassing the API blacklisting feature. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Updating to the latest version eliminates the vulnerability.

**VLC media player**

CVE-2020-26664: A vulnerability in VideoLAN VLC media player 3.0.11 allows attackers to trigger a heap-based buffer overflow via a specially crafted file. A buffer overflow is a type of software vulnerability that exists when an area of memory within a software application reaches its address boundary and writes into an adjacent memory region. In software exploit code, two common areas that are targeted for overflows are the stack and the heap. A buffer overflow may result in arbitrary code execution. Installing the 3.0.20 release of VLC eliminates the vulnerability.

**You Can’t Fix What You Can’t See**

While only on very rare occasions do vulnerabilities make mainstream news headlines, but when they do, the impact can be enormous. The exploitation of the MOVEit vulnerability by Cl0p ransomware operators impacted over 60 million individual victims (between May and September of 2023. And remember that not every “critical” vulnerability is synonymous with an exploited vulnerability. With an additional 1,000 entries added to CISA’s known, exploited vulnerabilities catalog in just the past two years, few organizations have the IT staff to keep track of everything.

Many organizations only have limited visibility into which vulnerabilities might impact them, and nearly every organization relies on the Common Vulnerabilities and Exposures (CVE) database, which lists publicly disclosed computer security flaws. But this isn’t a perfect resource.

In 2023, CVE-2023-4863 was discovered, originally described as a heap buffer overflow in WebP  within Google Chrome. The average person, upon learning about this vulnerability, may have thought that the problem was limited to Chrome, or maybe even realize that other Chromium based browsers could be affected. Yet the reality was quite different. It turned out that the bug was deeply rooted in the libwebp library, which is not only used by Chrome but by virtually every application that handles WebP images. So anyone that patched their Chrome browser might think they thwarted that vulnerability, when in reality they might still be vulnerable, just in different software.

This type of library oversight happens quite often. Most people, including thoroughly trained and experienced IT staff, have no idea about all the building blocks that were used to create the environment and software that they use.

This is where dedicated software to alert staff about existing vulnerabilities in their environment integrated with patch management capabilities can help save the day.

**Free Vulnerability Assessment**

Today Malwarebytes announced its offering customers its ThreatDown Vulnerability Assessment solution without extra costs to help reduce attack surfaces and improve their security posture. The full featured comprehensive vulnerability scanning is now included in every ThreatDown Bundle at no additional cost via its integrated console.

Learn more about how ThreatDown bundles can help you to improve your security by quickly finding and fixing vulnerabilities here.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.