A list of topics we covered in the week of December 4 to December 10 of 2023

December 11, 2023 - Malwarebytes is offering customers its ThreatDown Vulnerability Assessment solution without extra costs to help reduce attack surfaces and improve their security posture

December 8, 2023 - Meta's Project Llama aims to help developers filter out specific items that might cause their AI model to produce inappropriate content.

December 5, 2023 - Accounting software provider Tivalti is investigating ALPHV/BlackCat claims it was breached. In a typical supply-chain attack ALPHV is threatening some of their customers like Roblox and Twitch

December 4, 2023 - 23andMe has released new details about the credential stuffing attack that took place in October.

December 4, 2023 - US senators issued subpoenas for the CEOs of five social media giants to testify over their "failure to protect children online".

 A week in security (December 4 &#8211; December 10) 

Meta's Project Llama aims to help developers filter out specific items that might cause their AI model to produce inappropriate content.

Meta has announced Purple Llama, a project that aims to “bring together tools and evaluations to help the community build responsibly with open generative AI models.”

Generative Artificial Intelligence (AI) models have been around for years and their main function, compared to older AI models is that they can process more types of input. Take for example the older models that were used to determine whether a file was malware or not. The input is limited to files and the output usually comes in the form of a percentage. (e.g. The chance that this file is malicious is 90%. ).

Generative AI models are capable of sorting through more types of information. Take for example Large Language Models (LLMs) that can process text, images, videos, songs, diagrams, webinars, computer code, and other similar types of input.

Generative AI models are the closest to human creativity we can get at this point in time. As such, generative AI has brought about a new wave of innovations. It enables us to have a conversation with models like ChatGPT, create images based on instructions, and summarize large amounts of text(s). It can even write papers to the point where scientists have a hard time telling them apart from human work.

According to Meta’s statement:

> “Collaboration on safety will build trust in the developers driving this new wave of innovation, and requires additional research and contributions on responsible AI.”

For this reason, Meta is collaborating in project Purple Llama with other AI application developers like Microsoft and cloud platforms like AWS and Google Cloud, and chip designers like Intel, AMD, and Nvidia.

LLMs can generate code, that fails to follow security best practices or introduce exploitable vulnerabilities. Given that GitHub recently proudly touted that 46% of code is produced with the help of their CoPilot AI, this is far from just a theoretical risk.

So, it makes sense that the first step in project Purple Llama focuses on tools to test cyber security issues in software-generating models. This package allows developers to run benchmark tests to check how likely it is for an AI model to generate insecure code or assist users in carrying out cyberattacks.

The package is introduced under the name CyberSecEval, a comprehensive benchmark developed to help bolster the cybersecurity of LLMs employed as coding assistants. Initial tests showed that on average, LLMs suggested vulnerable code 30% of the time.

To check and filter all the inputs and outputs of a LLM, Meta released Llama Guard. Llama Guard is a freely available model that provides developers with a pretrained model to help defend against generating potentially risky outputs. The model has been trained on a mix of publicly available datasets to help find common types of potentially risky, or violating content. This will allow developers to filter out specific items that might cause a model to produce inappropriate content.

The announcement has come at the same time as the Cybersecurity & Infrastructure Security Agency (CISA) has published a guide setting out The case for memory safe roadmaps. In its guidance, CISA attempts to provide manufacturers with steps they can take towards creating and publishing memory safe roadmaps as part of the international Secure by Design campaign.

Memory safety vulnerabilities are a class of well-known and common coding errors that cybercriminals exploit quite often. Coding errors that could increase in numbers unless we take steps toward using memory safe programming languages and use the methods to check the code generated by LLMs.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Meta&#8217;s Purple Llama wants to test safety risks in AI models 

Government agencies have been asking Apple and Google for metadata related to push notifications, but the companies aren't allowed to tell users about it.

Many people don’t realize that the instant alert push notifications you get on your phone are routed through Google or Apple’s servers, depending on which device you use. So if you have an iPhone or iPad, any push notifications can be seen by Apple, and if you use an Android, they can be seen by Google.

But, it seems, it’s not just Apple and Google who can view them.

In a letter to Attorney General Merrick B. Garland, Senator Ron Wyden urged the Department of Justice (DOJ) to “permit Apple and Google to inform their customers and the general public about demands for smartphone app notification records.”

And, since Apple and Google serve as intermediaries in the delivery of these push notifications this puts them in “a unique position to facilitate government surveillance of how users are using particular apps, “ wrote Senator Wyden.

The type of information varies from app to app, but in certain cases, it might also contain unencrypted content, which could range from backend directives for the app to the actual text displayed to a user in a notification.

In the letter, Senator Wyden asked the DOJ to repeal or modify any policies that hinder public discussions of push notification spying.

> “Apple and Google should be permitted to be transparent about the legal demands they receive, particularly from foreign governments, just as the companies regularly notify users about other types of government demands for data.”

The reason for this request stems from the fact that Apple and Google told the senator’s staff that information about this practice is restricted from public release by the government.

Apple said in a statement that it welcomed Wyden’s letter as it gave the opening it needed to share more details with the public about how governments monitored push notifications.

A source familiar with the matter confirmed to Reuters that both foreign and US government agencies have been asking Apple and Google for metadata related to push notifications to, for example, help tie anonymous users of messaging apps to specific Apple or Google accounts.

This is possible because the data these two companies receive includes metadata, detailing which app received a notification and when, as well as the phone and associated Apple or Google account to which that notification was intended to be delivered. So, if you’re using a messaging app which you’d like not to be tied to your device or online accounts, you probably shouldn’t allow those apps to show you notifications and instead check manually whether there are new messages.

**Disabling notifications**

After writing the above I went over the list of apps that had permissions to send me notifications and limited this to a few that I feel I need and won’t do too much harm. If you want to do the same, here is what you can do.

On Android devices open your **Settings** app and click on **Notifications**. In the dropdown menu, tap **All apps**. Here you can turn the app’s notifications on or off. There could be slight variations due to Android version and phone vendors.

On iPhones and iPads open the **Settings** app and click on **Notifications**. You’ll see a list of apps that are allowed to show push notifications. To disable them, you need to click on the individual app in that list and disable notifications (turn the slider from green to grey).

No doubt there is more to come on this story. We’ll keep you updated.

**We don’t just report on privacy—we offer you the option to use it.**

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

 US government is snooping on people via phone push notifications, says senator 

Android phones are vulnerable to attacks that allow a remote execution of malicious code and it requires no user interaction.

Android phones are vulnerable to attacks that could allow someone to takeover a device remotely without the device owner needing to do anything.

Updates for these vulnerabilities and more are included in Google’s Android security bulletin for December. In total, there are patches for 94 vulnerabilities, including five rated as “Critical.”

The most severe of these flaws is a vulnerability in the System component that could lead to remote code execution (RCE) without any additional execution privileges required. User interaction is not needed for exploitation.

This vulnerability, referenced as CVE-2023-40088, affects a function that is used for Bluetooth communication, so the “remote” part is limited to “close range” since the average Bluetooth range is about 30 feet (10 meters). Successful manipulation with a specially crafted input leads to a use after free vulnerability. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

Another critical vulnerability (CVE-2023-40077) that looks problematic is an Elevation of Privilege (EoP) vulnerability in the Android Framework. Successful exploitation could lead to a race condition. A race condition, or race hazard, is the behavior of a system where the output depends on the sequence or timing of other uncontrollable events. It becomes a bug when events do not happen in the order the programmer intended. In this case it could provide a successful attacker with permissions to perform actions they shouldn’t be able to.

Security patch levels of 2023-12-05 or later address all of these issues. To learn how to check a device’s security patch level, see how to check and update your Android version. The updates have been made available for Android 11, 12, 12L, 13, and 14. Android partners are notified of all issues at least a month before publication, however, this doesn’t always mean that the patches are available for devices from all vendors. Android vendors such as Samsung and OnePlus have pledged to release security updates once a month. Google usually ships out security updates to Pixel phones within two weeks or sooner.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

 Android phones can be taken over remotely &#8211; update when you can 

A quick IT guide for conducting a vulnerability assessment.

Google Chrome, Adobe Acrobat Reader, TeamViewer, you name it—there’s no shortage of third-party apps that IT teams need to constantly check for vulnerabilities. But to get a better picture of the problem, let’s bust out some napkin math.  

The average company uses about 200 applications overall. Assuming at least 75% of these have a vulnerability at any given time, small security teams are tasked with finding and prioritizing over 150 vulnerabilities on a rolling basis.  

If you’re not using a comprehensive tool like ThreatDown Vulnerability Assessment (free for all ThreatDown users), it’s going to take a solid combo of resourcefulness and patience to do that much vulnerability assessment on your own. 

With that in mind, we’ve compiled this list of the five things IT teams need to do in order to find vulnerabilities in their environment.

****Vulnerability Assessment: A Step-by-Step Guide******1\. Cataloging Applications**

The crucial first step involves cataloging every application within the IT environment. This foundational task, akin to a thorough inventory check, is essential for identifying potential security issues.

**2\. Software Version Analysis**

It’s not just about identifying the applications but also understanding their versions. 

Why? Because you’re not just looking for vulnerabilities in one version of 7-Zip; to see if you’re truly affected, you’ll need to match your list of applications against vulnerabilities across different versions, such as 3.5 or 3.7.4. Not to mention that if your organization’s workforce doesn’t require regular updates of important software, then you might find countless versions of the same app dating back to the longest-term employees.  

**3\. Correlating with CVE Databases**

Matching the cataloged applications and their versions against entries in Common Vulnerabilities and Exposures (CVE) databases is the next critical step. This process helps in pinpointing specific vulnerabilities applicable to the software in use.

Here’s the play-by-play: 

1.  Go to https://cve.mitre.org/cve/search\_cve\_list.html  
2.  Type in the application you want vulnerability info on in the search bar. 
3.  Pinpoint whether the vulnerability impacts the specific version of the software that’s present throughout your network. 
4.  Rinse and repeat. 

**4\. Prioritizing Threats**

This type of repetitive, sometimes monotonous work isn’t just about identifying a CVE—it’s also about determining its severity. After identifying potential vulnerabilities, the next challenge is to prioritize them by CVSS and by asking questions that should inform you and your team about the best response. This includes questions like: 

*   Is the vulnerability being actively exploited in the wild?  
*   Is the CVE impacting critical tools or areas? 
*   How important is the affected asset in maintaining operational continuity? 

**5\. Routine Vulnerability Assessment**

Remember, this is not a one-time task. You don’t just run vulnerability assessment once a year, or even once a month; you should be doing this on a daily basis. Why? Because every day counts. New CVEs are constantly popping into existence left and right, and if you’re not on top of them, you could be the target of an attack.

For teams seeking a more streamlined approach, the ThreatDown Vulnerability Assessment tool offers a solution. 

**Single, Lightweight Agent**

To simplify security and reduce costs, Vulnerability Assessment deploys easily in minutes without a reboot, using the same agent and cloud-based console that powers all ThreatDown endpoint security technologies.

**Quick Vulnerability Scans**

Identifies vulnerabilities in modern and legacy applications in less than a minute.

**Accurate severity ratings**

Utilizes the Common Vulnerability Scoring System (CVSS) and Cybersecurity and Infrastructure Security Agency (CISA) recommendations to evaluate and rank vulnerabilities for proper prioritization.

**Security Advisor Integration**

Our Security Advisor tool to analyzes an organization’s cybersecurity health—such as by assessment of current inventory and which assets are vulnerable—and generates a score based off what it finds. To improve the endpoint security health score, Security Advisor delivers recommendations to address discovered vulnerabilities: patching, updates, or policy changes.

**Vulnerability Assessment Doesn’t Have To Be Hard**

While manually identifying vulnerabilities in third-party applications is a demanding task, following these structured steps can make the process more manageable. However, for ThreatDown customers, the ThreatDown Vulnerability Assessment tool is a valuable alternative.

The ThreatDown Vulnerability Assessment tool simplifies the process with features like a lightweight agent, quick vulnerability scans, accurate severity ratings based on CVSS and CISA guidelines, and integration with Security Advisor for tailored recommendations.

Try ThreatDown Vulnerability Assessment today.

Interested in adding Patch Management capabilities as well? Check out our Advanced, Ultimate, and Elite Bundles.

 How IT teams can conduct a vulnerability assessment for third-party applications 

Microsoft announced it will offer a similar extended security updates program for Windows 10 as it did for Windows 7

The day that Windows 10 machines will get their last security updates is set for October 14, 2025. So if you want to stay secure, you’d have to upgrade to a newer version. Either to Windows 11, which is not all that different, but more demanding when it comes to system requirements. Or to the rumored Windows 12 which might be out by then.

Despite the fact that Windows 11 has been around for a while, market share would have it that Windows 10 is still far more popular. Windows 11 shows a slight increase in usage, but not a very significant one.

Which is strange, since apart from the surprising Copilot introduction, Windows 10 hasn’t seen any major changes. But some people don’t like changes that much. Once they are used to something they want to keep it that way.

So, it makes sense that, similar to the extended security updates program Microsoft offered Windows 7 users years ago, it will now introduce a similar extension program for Windows 10.

The extended security update (ESU) program for Windows 10 is mentioned almost as a footnote in the options users have when end of support (EOS) for Windows 10 comes to light. The suggestions Microsoft offers first are:

*   Upgrade eligible PCs to Windows 11.
*   Purchase new Windows 11 machines.
*   Migrate to the cloud and subscribe to Windows 365.

But how much will the ESU program cost you? Microsoft says that pricing will be provided at a later date. But if the costs for Windows 7 were any indication, the first year came at $70 and doubled each consecutive year, so the third (and last) year was priced at $280. And that was just for security updates. ESUs do not include new features, customer-requested non-security updates, or design change requests.

What will be different this time is that home users will also be able to buy the ESU subscriptions.

Jason Leznek, Principal Product Manager for Windows Servicing and Delivery said:

> “Stay tuned for more ESU program updates as we approach availability, including an ESU program for individual consumers.”

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 Windows 10 gets its own extended security updates program 

CISA has published an advisory about a vulnerability in Adobe Coldfusion used in two attacks against federal agencies.

The Cybersecurity and Infrastructure Security Agency (CISA) put out a Cybersecurity Advisory (CSA) to alert government agencies about cybercriminals using a vulnerability in Adobe Coldfusion to gain initial access to servers.

Adobe ColdFusion is a platform for building and deploying web and mobile applications. It can often be found on internet-facing servers.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The exploited vulnerability is listed as CVE-2023-26360, which affects Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier). The vulnerability is an Improper Access Control vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction.

A patch for this vulnerability has been available since March 14, 2023. As we reported at the time, Adobe stated it was aware  that CVE-2023-26360 had been exploited in the wild in very limited attacks.

The due date for patching the vulnerability set by CISA was April 5, 2023. The problem is that the vulnerability also affects ColdFusion 2016 and ColdFusion 11 installations, which have reached end-of-life (EOL) and are no longer supported with security patches.

According to the CSA, CISA now has confirmation that the vulnerability has been used in attacks on two Federal Civilian Executive Branch (FCEB). An analysis of network logs has reportedly confirmed the compromise of at least two public-facing servers within agencies’ environments between June and July 2023. Both servers were running outdated versions of the software that were vulnerable due to several unpatched flaws.

The investigation learned that it was a reconnaissance attack, and there was no evidence of data theft or lateral movement in the network. After initial access, the criminals started process enumeration to obtain currently running processes on the web server and performed a network connectivity check, likely to confirm their connection was successful.

In the CSA, CISA shares several indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) used in the two attacks. It is not clear whether they were done by the same threat actor.

**Mitigation**

CISA recommends organizations:

*   Upgrade all versions affected by this vulnerability.
*   Prioritize remediation of vulnerabilities on internet-facing systems.
*   Prioritize secure-by-default configurations, such as eliminating default passwords and implementing single sign-on (SSO) technology via modern open standards.
*   Employ proper network segmentation, to separate internet-facing servers from systems that are crucial or contain sensitive information.
*   Deploy application-aware network defenses to block improperly formed traffic and restrict content.

And a lot of other security measures that are less threat-specific.

From our end we’d like to add:

*   **Block common forms of entry.** Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
*   **Prevent intrusions.** Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
*   **Detect intrusions.** Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption.** Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

 Adobe Coldfusion vulnerability used in attacks on government servers 

Accounting software provider Tivalti is investigating ALPHV/BlackCat claims it was breached. In a typical supply-chain attack ALPHV  is threatening some of their customers like Roblox and Twitch

Accounting software provider Tipalti says it is investigating a claim by ransomware group ALPHV that they have gained access to Tipalti’s systems.

Tipalti makes software for accounting and payment automation and has some big names among its customers. In what seems to be a typical supply chain attack, ALPHV aka BlackCat are now threatening some Tipalti customers, including Roblox and Twitch:

> “We are systematically reaching out to affected clients of Tipalti, the first batch (consisting of organizations with the most data exfiltrated), have been sent communications requesting initial contact.”

Organizations who share these file lists, samples or notes with Tipalti run the risk of having their data leaked immediately.

The ransomware group claim to have had access since September 8, 2023. Since then, they say they have stolen 265 GB of data, including data for Twitch and Roblox, who they say they will extort separately.

_Screenshot of the ALPHV leak site_

A Roblox spokesperson told BleepingComputer that the company is working with Tipalti to investigate the claims, but is currently unaware of any impact on its systems. The spokesperson stated they haven’t been contacted by anyone about the security incident, to which ALPHV responded on their leak site:

> “Re: statement by Roblox to BleepingComputer. Just because you haven’t been contacted yet, does not mean you are not affected.”

ALPHV is one of the most active ransomware-as-a-service (RaaS) operators and regularly appears in our monthly ransomware reviews as one of the top 5 most active groups. Recently they made headlines when one of their affiliates, known as Scattered Spider attacked MGM. They also last week filed a SEC complaint about one of their victims for failing to disclose a breach.

**How to avoid ransomware**

*   **Block common forms of entry.** Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
*   **Prevent intrusions.** Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
*   **Detect intrusions.** Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption.** Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 Roblox and Twitch provider Tipalti breached by ransomware 

23andMe has released new details about the credential stuffing attack that took place in October.

In October we reported that the data of as many as seven million 23andMe customers were for sale on criminal forums following a password attack against the genomics company.

Now, a filing with the US Securities and Exchange Commission (SEC) has provided some more insight into the data theft. The filed amendment supplements the original Form 8-K submitted by 23andMe.

The amendment says that an investigation showed that the attacker was able to directly access the accounts of roughly 0.1% of 23andMe’s users, which is about 14,000 of its 14 million customers. The attacker accessed the accounts using credential stuffing which is where someone tries existing username and password combinations to see if they can log in to a service. These combinations are usually stolen from another breach and then put up for sale on the dark web. Because people often reuse passwords across accounts, cybercriminals buy those combinations and then use them to login on other services and platforms.

With the breached accounts at their disposal, the attacker used 23andMe’s opt-in DNA Relatives (DNAR) feature—which matches users with their genetic relatives—to access information about millions of other users. According to a spokesperson the DNAR profiles of roughly 5.5 million customers could be accessed in this way, plus the Family Tree profile information of 1.4 million additional DNA Relative participants.

The 5.5 million DNAR Profiles contained sensitive details including self-reported information like display names and locations, as well as shared DNA percentages for DNA Relatives matches, family names, predicted relationships, and ancestry reports.

For a subset of these accounts, the stolen data might contain health-related information based upon the user’s genetics.

The 1.4 million Family Tree profiles contain display names and relationship labels, plus other information that a user may have added, including birth year and location.

23andMe is in the process of notifying users impacted by the incident. The company said it believes that the attacker activity is contained, and that it is working to have the publicly-posted information taken down.

When the breach was first announced, 23andMe urged its users to ensure they have strong passwords, to avoid reusing passwords from other sites, and to enable multi-factor authentication (MFA).

Our Mark Stockley noted at the time:

> “Respectfully, we would like to see 23andMe reach a different conclusion. Telling users to choose strong passwords and not to reuse them is great advice that just isn’t working. It’s good in theory but fails in practice. In a world where users have tens or even hundreds of logins to manage, password reuse and weak passwords that are easy to remember are inevitable.”

And it looks as if they listened to us. On the 23andMe blog the updated article about the breach now says:

> “We have taken steps to further protect customer data, including requiring all existing customers to reset their password and requiring two-step verification for all new and existing customers. The company will continue to invest in protecting our systems and data.”

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your and your family’s personal information by using Malwarebytes Identity Theft Protection.

 23andMe says, er, actually some genetic and health data might have been accessed in recent breach 

This week on the Lock and Code podcast, we speak with Allan Liska about why a ransomware group tattled on its own victim, and what to expect next year.

_This week on the Lock and Code podcast…_

Like the grade-school dweeb who reminds their teacher to assign tonight’s homework, or the power-tripping homeowner who threatens every neighbor with an HOA citation, the ransomware group ALPHV can now add itself to a shameful roster of pathetic, little tattle-tales.

In November, the ransomware gang ALPHV, which also goes by the name Black Cat, notified the US Securities and Exchange Commission about the Costa Mesa-based software company MeridianLink, alleging that the company had failed to notify the government about a data breach. Under newly announced rules by the US Securities and Exchange Commission (SEC), public companies will be expected to notify the government agency about “material cybersecurity incidents” within four days of determining whether such an incident could have impacted the company’s stock prices or any investment decisions from the public.

According to ALPHV, MeridianLink had violated that rule. But how did ALPHV know about this alleged breach?

Simple. They claimed to have done it.

“It has come to our attention that MeridianLink, in light of a significant breach compromising customer data and operational information, has failed to file the requisite disclosure under Item 1.05 of Form 8-K within the stipulated four business days, as mandated by the new SEC rules,” wrote ALPHV in a complaint that the group claimed to have filed with the US government.

The victim, MeridianLink, refuted the claims. According to a MeridianLink spokesperson, while the company confirmed a cybersecurity incident, it denied the severity of the incident.

“Based on our investigation to date, we have identified no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption,” a MeridianLink spokesperson said at the time. “If we determine that any consumer personal information was involved in this incident, we will provide notifications as required by law.”

This week on the Lock and Code podcast with host David Ruiz, we speak to Recorded Future intelligence analyst Allan Liska about what ALPHV could hope to accomplish with its SEC complaint, whether similar threats have been made in the past under other regulatory regime, and what organizations everywhere should know about ransomware attacks going into the new year. One big takeaway, Liska said, is that attacks are getting bigger, bolder, and brasher.

“There are no protections anymore,” Liska said. “For a while, some ransomware actors were like, ‘No, we won’t go after hospitals, or we won’t do this, or we won’t do that.’ Those protections all seem to have flown out the window, and they’ll go after anything and anyone that will make them money. It doesn’t matter how small they are or how big they are.”

Liska continued:

> “We’ve seen ransomware actors go after food banks. You’re not going to get a ransom from a food bank. Don’t do that.”

Tune in today to listen to the full conversation.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Source

Malwarebytes