A list of topics we covered in the week of November 13 to November 19 of 2023

November 17, 2023 - The ALPHV/BlackCat ransomware group has filed a non compliance complant with the SEC against one of its victims.

November 17, 2023 - Learn how ThreatDown bundles help IT teams save time, money, and stop more threats.

November 16, 2023 - An alarm system company that allows people to call for help at the touch of a button has suffered a cyberattack, causing serious disruption.

November 15, 2023 - In October, we witnessed the takedown of several high-profile groups, including alleged Sony attacker RansomedVC.

November 15, 2023 - Microsoft has patched a total of 63 vulnerabilities this Patch Tuesday. Make sure you update as soon as you can.

 A week in security (November 13 &#8211; November 19) 

The ALPHV/BlackCat ransomware group has filed a non compliance complant with the SEC against one of its victims.

In what seems to be a new twist on the ransomware theme, the notorious ALPHV/BlackCat ransomware group has filed a complaint with the US Securities and Exchange Commission (SEC) about the software company MeridianLink.

ALPHV is one of the most active ransomware-as-a-service (RaaS) operators and regularly appears in our monthly ransomware reviews. MeridianLink supplies “digital lending solutions” to banks, credit unions, fintechs, and other financial institutions.

Since September 5, 2023 the SEC has required public companies to disclose within four days all cybersecurity breaches that could impact their bottom lines. Apparently ALPHV is aware of the new rules and in this screenshot of the SEC complaint form it wrote:

> “We want to bring to your attention a concerning issue regarding MeridianLink’s compliance with the recently adopted cybersecurity incident disclosure rules.
> 
> It has come to our attention that MeridianLink, in light of a significant breach compromising customer data and operational information, has failed to file the requisite disclosure under Item 1.05 of Form 8-K within the stipulated four business days, as mandated by the new SEC rules.”

The referenced item (Form 8-K Item 1.05) states:

> “Registrants must disclose any cybersecurity incident they experience that is determined to be material, and describe the material aspects of its:
> 
> – Nature, scope, and timing; and
> 
> – Impact or reasonably likely impact.
> 
> An Item 1.05 Form 8-K must be filed within four business days of determining an incident was material. A registrant may delay filing as described below, if the United States Attorney General (“Attorney General”) determines immediate disclosure would pose a substantial risk to national security or public safety.
> 
> Registrants must amend a prior Item 1.05 Form 8-K to disclose any information called for in Item 1.05(a) that was not determined or was unavailable at the time of the initial Form 8-K filing. “

As you can see, there are possible exceptions and for all we know, the investigation into the nature and gravity of the data breach is still ongoing. Or far from as material as ALPHV wants us to believe.

In a statement to databreaches.net MeridianLink  said:

> “Safeguarding our customers’ and partners’ information is something we take seriously. MeridianLink recently identified a cybersecurity incident that took place on Nov 10. Upon discovery on the same day, we acted immediately to contain the threat and engaged a team of third-party experts to investigate the incident. Based on our investigation to date, we have identified no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption.
> 
> We have no further details to offer currently, as our investigation is ongoing.”

Apparently the ransomware operators like to pretend that what they are doing is their civic duty. This tile is posted on the landing page of the gang’s leak site.

ALPHV announces that it’s filed a complaint with the SEC

Clicking through, we found the screenshot of the form and a non-explanatory statement why they filled the form out.

> “Despite this requirement, MeridianLink has not fulfilled this obligation regarding the breach it experienced a week ago. We have therefore reported this non-compliance by MeridianLink, who was involved in a material breach impacting customer data and operational information, for failure to file the required disclosure with the Securities and Exchange Commission (SEC). It appears MeridianLink reached out, but we are yet to receive a message on their end. Maybe this was their DFIR, Mandiant, who did so without authorization from their client. Whatever the reason is…..we are giving you 24 hours before we publish the data in its entirety.”

Whatever the reason is behind MeridianLink’s apparent decision not to report the cyber-incident (yet), the action taken by ALPHV certainly is something we haven’t seen before. It may be a warning or an attempt to gain extra leverage. Knowing how hard it can be to determine the scope of a cyberattack in just a few days, we can expect to see this happen more often.

**How to avoid ransomware**

*   **Block common forms of entry.** Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
*   **Prevent intrusions.** Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
*   **Detect intrusions.** Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption.** Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 Ransomware gang files SEC complaint about victim 

Learn how ThreatDown bundles help IT teams save time, money, and stop more threats.

Traditional approaches to endpoint security today have a three-fold complexity problem—with big consequences.

First, complexity in deployment causes long delays in protection, directly impacting ROI and leaving organizations vulnerable to breaches. In fact, almost 10 percent of small security teams cite such complexity as a primary reason for deployment setbacks. (Global Surveyz, 2022)

Second, lack of integrated security tools can lead security teams to overcompensate by buying and operating additional security platforms. This complexity multiplies operational overhead and creates gaps in security.

Dealing with day-to-day complexity with endpoint security is a third challenge. A survey of 200 CISOs by Global Surveyz found that nearly half (45 percent) of small IT teams flag issues like excessive alerts and multiple dashboards as chief product concerns, culminating in alert fatigue and drops in productivity.

To save time, money, and to stop more threats, it’s clear IT teams need an approach to endpoint security that resists complexity—a suite that’s easy to implement, cost-effective, and straightforward to operate.

ThreatDown combines the technologies and services that resource constrained IT teams need into four streamlined, cost-effective bundles that take down threats, take down complexity and take down costs:

*   **ThreatDown Core Bundle**: Next-gen AV and threat surface reduction. A simple yet superior solution integrating award-winning endpoint protection technologies.
*   **ThreatDown Advanced Bundle**: Everything included in core plus Managed Threat Hunting and Ransomware Rollback. Tailored for smaller security teams with limited resources.
*   **ThreatDown Elite Bundle**: Everything in Advanced plus 24/7/365 expert monitoring and response by Malwarebytes MDR analysts. Purpose-built for organizations with small (to non-existent) security teams that lack the resources to address all security alerts.
*   **ThreatDown Ultimate Bundle**: Everything in Elite plus protection from whole categories of malicious websites. Perfect for teams looking for a one-and-done shortcut to cybersecurity done right.

Each bundle comes with **ThreatDown** **Security Advisor****,** which analyzes an organization’s cybersecurity health—such as by assessment of current inventory and which assets are vulnerable—and generates **a score based off what it finds**, illuminating **gaps in defenses** and providing **actionable recommendations** for improvements that can be made in minutes.

_ThreatDown Nebula dashboard view. Security Advisor enables organizations to visualize and improve their organization’s security posture in just a few minutes._

**1\. Seamless Deployment**

With the average deployment timeline for traditional EDRs stretching up to 18 months for small security teams, the need for a swifter solution is clear.

Simply put, smaller teams just can’t afford extensive learning curves, which perhaps is why, from a financial standpoint, they prioritize implementation costs (50 percent) in their endpoint security more than anything else. (Global Surveyz)

ThreatDown EDR, the cornerstone of every ThreatDown bundle excluding Core, takes the complexity out of endpoint security deployment as evidenced by an average time to become fully operational that is two times shorter than the industry average.

Cloud-hosted on the Nebula platform, ThreatDown bundle core technology can deploy within minutes and has won multiple G2 awards for its unique combination of rapid time to go live and time to ROI, all delivered via an agent deployed with a small footprint.

**2\. All-In-One Integration**

Managing too many platforms is challenging. Each additional security tool requires its own set of configurations, updates, and management protocols, ultimately translating to longer response times, inefficient workflows, and an inability to have a unified view of the threat landscape.

According to Global Surveyz, 77 percent of small security teams ranked a ‘one-stop’ product with the ‘most integrated’ features as one of their top considerations when choosing a new security technology. In addition, 80 percent of CISOs recognize vendor consolidation as an avenue for more efficient security.

And, once you consider that over 5 percent of breaches in 2022 came from known vulnerabilities that had yet to be patched—and that the average cost of those breaches was $4.17 million—it goes without saying that Vulnerability and Patch Management needs to be part of any all-in-one security solution today.

By combining Endpoint Protection (EP), EDR, an award-winning Vulnerability and Patch Management solution, and more, ThreatDown Advanced, Elite, and Ultimate bundles give IT teams the ‘one-stop’ product they need to streamline detection and response through a single pane of glass.

_Patch Management in ThreatDown Nebula_.

**3\. Increased Protection**

ThreatDown bundles don’t just simplify the deployment and administration of endpoint security; they simplify the take down of threats as well.

Traditional EDR is inherently exhausting. Without additional context, alerts become just too ambiguous to be actionable, meaning IT teams inevitably end up over-prioritizing less urgent threats while also overlooking severe ones—increasing their risk of a breach.

Starting with ThreatDown Advanced, organizations get access to next-level alert prioritization and threat protection with Managed Threat Hunting (MTH). For customers looking for 24x7x365 cybersecurity protection with proactive alert investigation and threat hunting, ThreatDown Elite and Ultimate offer Managed Detection and Response (MDR) services.

With ThreatDown bundles, organizations no longer need an advanced cybersecurity model and a well-staffed security operations center (SOC) to take down threats. Through a combination of superior EDR technology and human-delivered security, ThreatDown empowers organizations to keep up with the volume of EDR alerts and respond to threats on the fly.

_ThreatDown MDR workflow._

**Try ThreatDown bundles today**

For IT teams plagued by the triad of complex deployment, scattered tooling, and excessive alert noise, ThreatDown bundles emerge as a superior solution that caters to the needs of today’s security teams.

Discover the difference with ThreatDown Bundles and elevate your organization’s defense against cyber threats. Get in touch for a free trial and experience the benefits of a simplified, yet robust, security framework.

Learn more about ThreatDown bundles here.

 3 benefits of ThreatDown bundles 

An alarm system company that allows people to call for help at the touch of a button has suffered a cyberattack, causing serious disruption.

An alarm system company that allows those in need to ask for help at the touch of a button has suffered a cyberattack, causing serious disruption.

Tunstall Netherlands says the attack left the control room struggling to receive distress calls from clients on Sunday November 12, 2023.

Tunstall, among others, provides services and systems to allow smart monitoring in various healthcare settings. One of the services provides sick or disabled persons, and the elderly with an alarm button that can be used in case of an emergency.

Under normal circumstances, the control room would relay the distress call to a caregiver so they can check on and provide help.

The alarm button systems are used in situations where people that require care are not constantly surrounded by caregivers, like care homes that provide independent living, elderly who live at home but need the ability to call for help, and people with a heightened risk of falling.

It’s unknown what the exact nature of the cyberattack is. In case of a ransomware attack, it is unlikely that any group will claim responsibility or demand a ransom. These types of services are usually the type that they want to avoid for fear of repercussions.

Estimates say that tens of thousands of people are unable to reach the control room at the press of a button and will have to call an emergency number instead.

Tunstall says it’s worked hard to remediate the situation. It has engaged a specialized cybersecurity company to investigate the situation. Meanwhile it advised clients to keep their mobile phones handy so they can reach out in case of an emergency. At the moment the first services have been brought back online and the hope is that soon everything will be fully functional again.

Some organizations that use Tunstall’s system say they have provided their clients with the direct number they would need to call when they need help. But obviously pressing a button is a lot easier when you are in distress than having to call a phone number.

**How you can call without having to unlock your phone first**

Having the number pre-programmed and available at the press of a button makes things a bit easier if you do need to call for help via your phone. If you have or are someone who may need immediate help and you don’t have an alarm button or it doesn’t work, there are methods to make it easier to use your phone to raise help.

**iPhones** provide an “Emergency” option on the lock screen. Tapping it opens an on-screen keyboard, which allows you to dial a number. The restriction with this option however, is that it is designed primarily to call emergency numbers. Another option is to use the smart assistant by saying ‘Hey Siri’, and then ask it to call one of your contacts or a phone number. 

Some **Android** phones offer the option to add emergency contacts. Activating Emergency SOS requires you to save at least one emergency contact to your phone. This will need to be done first. Please note that Android phones’ menus may differ from vendor to vendor and version to version.

*   Open the Settings app.
*   Scroll down and tap Safety & emergency. On some types this menu can be found in the Advanced Settings menu.
*   Tap Emergency contacts > Add contact
*   Select one or more emergency contacts from your contact list.
*   Now you can enable Emergency SOS
*   In Safety & emergency, toggle the Use Emergency SOS and set the Use Emergency SOS slider to enabled
*   Confirm the setting and select what information you want to share.
*   You will need to provide the app with the necessary permissions.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Alarm system cyberattack leaves those in need struggling to call for help 

In September, two high-profile casino breaches taught us about the nuances of the RaaS affiliate landscape, the asymmetric dangers of phishing, and of two starkly different approaches to ransomware negotiation.

_This article is based on research by Marcelo Rivero, Malwarebytes’ ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, “known attacks” are those where the victim **did not** pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher._

In October, 318 new victims were posted on ransomware leak sites. The top active gangs were LockBit (64), NoEscape (40), and PLAY (36). Major stories for the month included the takedown of several high-profile groups, including alleged Sony Systems attacker RansomedVC, new data shedding light on Cl0p’s education sector bias, and a deep-dive revealing the danger of the group behind September’s infamous casino attacks.

Last month three major ransomware groups—RansomedVC, Ragnar, and Trigona—were shut down, the first two by law enforcement and the third by Ukrainian hacktivists. Let’s dive into RansomedVC, a group which burst onto the scene in August and quickly gained notoriety for allegedly breaching several well-known companies. In late October, the lead hacker behind the group was seen on Telegram trying to sell the operation. Just days later, the account announced that it was “putting an end to” the group after learning that six of its affiliates may have been arrested. The group had posted 42 victims on their leak site at the time of their take down.

While law enforcement is yet to come forward confirming the RansomedVC arrests, the same is not true for RagnarLocker group, which Europol and Eurojust announced they had taken down last month. RagnarLocker started in 2019 and was responsible for numerous high-profile attacks against municipalities and critical infrastructure across the world. At the time of the takedown action, the group had posted a total of 42 victims on their leak site.

Trigona’s demise, on the other hand, was not at the hands of investigators but activists, highlighting the impact that broader geopolitical struggles can have on the ransomware landscape. In mid-October, the Ukrainian Cyber Alliance (UCA) breached the Trigona Confluence server and completely deleted and defaced their sites. Formed around 2016 to defend Ukraine’s cyberspace against Russian interference, the UCA used a public exploit for CVE-2023-22515 to gain access to Trigona infrastructure. Trigona is responsible for at least 30 attacks across various sectors since first emerging in October 2022.

Known ransomware attacks by ransomware group, October 2023

Known ransomware attacks by country, October 2023

Known ransomware attacks by industry sector, October 2023

In other October news, Resilience, a cyber insurance company, reported that 48% of all MOVEit cyberattack victims in its client base during the first half of 2023 were from the education sector. This suggests a possible targeting preference of the Cl0p campaign towards educational institutions. However, this figure might not fully represent the situation.

For instance, if Resilience has a higher proportion of clients in the education sector, it could bias the data towards that sector. On the other hand, data from Malwarebytes indeed indicates that while the education sector comprises only 3% of all MOVEit hosts, they account for 6% of the victims. However, this trend is likely not due to a deliberate focus by Cl0p, whose attacks were more opportunistic in scope, but rather because educational sectors often have fewer resources to promptly address vulnerabilities like those in MOVEit. Thus, the bias observed is more circumstantial than intentional. At any rate, given that the education sector frequently relies on third-party applications like MOVEit, the impact of Cl0p’s activities serves as a stark reminder for these institutions to adopt robust third-party security best practices.

Microsoft’s deep dive into Scattered Spider last month shed new light on the relatively new, albeit dangerous, ransomware gang who made headlines in September for attacking MGM Resorts and Caesar Entertainment. For small security teams, one of the most important findings about the group is their use of Living Of The Land (LOTL) techniques to avoid detection: Scattered Spider employs everyday tools like PowerShell for reconnaissance and stealthily alters network settings to bypass security measures. They also exploit identity providers and modify security systems, blending their malicious activities with normal network operations.

With the success of groups like Scattered Spider increasingly relying on LOTL attacks, it’s vital for defenders to focus on detecting anomalous activities within legitimate tools and network configurations. Strengthening monitoring and analysis capabilities can help identify and counter the subtle, sophisticated techniques employed by these ransomware gangs.

**New(?) player: Hunters International**

Hunters International is a new ransomware player suspected to be a rebrand of the Hive ransomware, which was shutdown in January 2023 by law enforcement. Despite Hunters International’s denial, claiming they are a distinct entity that purchased Hive’s source code, the overlap in their malware’s coding and functionality suggests a direct lineage from Hive.

Their activity, though limited, includes a notable attack on a UK school.

**How to avoid ransomware**

*   **Block common forms of entry.** Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
*   **Prevent intrusions.** Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
*   **Detect intrusions.** Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption.** Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 Ransomware review: November 2023 

Microsoft has patched a total of 63 vulnerabilities this Patch Tuesday. Make sure you update as soon as you can.

Another important update round for this month’s Patch Tuesday. Microsoft has patched a total of 63 vulnerabilities in its operating systems. Five of these vulnerabilities qualify as zero-days, with three listed as being actively exploited. Microsoft considers a vulnerability to be a zero-day if it is publicly disclosed or actively exploited with no official fix available.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The zero-days patched in these updates are listed as:

CVE-2023-36025: a Windows SmartScreen security feature bypass vulnerability that would allow an attacker to bypass Windows Defender SmartScreen checks and their associated prompts. SmartScreen is a built-in Windows component designed to detect and block known malicious websites and files.

It requires user interaction since the user would have to click on a specially crafted Internet Shortcut (.URL) or a hyperlink pointing to an Internet Shortcut file to be compromised by the attacker. Microsoft listed this vulnerability with the remark “Exploitation Detected.”

CVE-2023-36033: a Windows Desktop Window Manager (DWM) Core Library elevation of privilege (EoP) vulnerability. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. This vulnerability is also listed with the remark “Exploitation Detected.”

CVE-2023-36036: a Windows Cloud Files Mini Filter Driver EoP vulnerability. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. This vulnerability is also listed with the remark “Exploitation Detected.”

EoP type of vulnerabilities are typically used in attack chains. Once the attacker has gained entrance, the vulnerabilities allow them to increase their permission level.

CVE-2023-36413: a Microsoft Office security feature bypass vulnerability. Successful exploitation of this vulnerability would allow an attacker to bypass the Office Protected View and open in editing mode rather than protected mode. Full exploitation requires that the attacker sends the target a malicious file and convince them to open it. This is a publicly disclosed vulnerability but there are no known cases of exploitation.

CVE-2023-36038: a vulnerability in ASP.NET that could lead to core denial of service. This vulnerability could be exploited if http requests to .NET 8 RC 1 running on IIS InProcess hosting model are cancelled. Threads counts would increase and an OutOfMemoryException is possible. A successful exploitation might result in a total loss of availability. So, basically an attacker would send requests and then cancel them until the program runs out of memory and crashes. Microsoft notes that this vulnerability was publicly disclosed, however no in-the-wild exploitation has been observed, which is not likely to happen either if the denial of service is the best achievable goal for an attacker.

An extra warning for organizations running Microsoft Exchange Server: Prioritize several new Exchange patches, including CVE-2023-36439, which is a vulnerability that enables attackers to install malicious software on an Exchange server.

**Other vendors**

Other organizations have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.

**Adobe** has released security updates to address vulnerabilities affecting multiple Adobe products:

*   APSB23-52: Adobe ColdFusion
*   APSB23-53: Adobe RoboHelp Server
*   APSB23-54: Adobe Acrobat and Reader
*   APSB23-55: Adobe InDesign
*   APSB23-56: Adobe Photoshop
*   APSB23-57: Adobe Bridge
*   APSB23-58: Adobe FrameMaker Publishing Server
*   APSB23-60: Adobe InCopy
*   APSB23-61: Adobe Animate
*   APSB23-62: Adobe Dimension
*   APSB23-63: Adobe Media Encoder
*   APSB23-64: Adobe Audition
*   APSB23-65: Adobe Premiere Pro
*   APSB23-66: Adobe After Effects

**Android**’s November updates were released by Google.

**SAP** released its November 2023 Patch Day updates.

**SysAid** released security updates for a zero-day vulnerability that is actively being exploited by a ransomware affiliate.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

 Update now! Microsoft patches 3 actively exploited zero-days 

We've seen a particular card skimming campaign really pick up pace lately. With hundreds of stores compromised, you may come across it if you shop online this holiday season.

As we head into shopping season, customers aren’t the only ones getting excited. More online shopping means more opportunities for cybercriminals to grab their share using scams and data theft.

One particular threat we’re following closely and expect to increase over the next several weeks is credit card skimming. Online stores are not always as secure as you might think they are, and yet you need to hand over your valuable credit card information in order to buy anything.

When a merchant website is hacked, any purchase made has the potential of being intercepted by bad actors. Often, the malicious code is right underneath the surface and yet completely invisible to shoppers.

One particular skimming campaign we have been following picked up the pace drastically in October after a lull during the summer. With hundreds of stores compromised, you may come across it if you shop online on a regular basis.

**The Kritec campaign**

We first discovered this credit card skimming operation back in March 2023, as it stood out from the rest due to its large volume. The threat actors were also taking the time to customize their skimmer for each victim site with very convincing templates that were even localized in several languages.

The experience was so smooth and seamless that it made it practically impossible for online shoppers to even realize that their credit card information had just been stolen.

**Threat actors ramp up their activity just in time for the holiday season**

In April this skimming campaign reached a peak and then slowed down during the summer. However it came back, increasing to its highest volume in October. We measured this activity based on the number of newly registered domain names attributed to this threat actor.

The infrastructure is located on the IT WEB LTD network (ASN200313) registered in the British Virgin Islands.

**How to shop safely online**

If you are shopping online, and especially via smaller merchants (i.e. not Amazon, Walmart, etc), you absolutely need to be extra careful. Unless you are able to perform a full website audit yourself, you simply can’t be sure that the platform hasn’t been compromised.

Having said that, if the website looks like it hasn’t been maintained in a while (for example it is displaying outdated information, such as ”Copyright 2018′) you probably should stay away from it. Most compromises happen because a website’s content management system (CMS) and its plugins are outdated and vulnerable.

There are tools that can also detect malicious code embedded into websites. Most antivirus products offer some kind of web protection that detects malicious domains and IP addresses. But because threat actors are constantly swapping their infrastructure, it is also a good idea to have some kind of heuristic detection for things like malicious JavaScript snippets.

Malwarebytes Premium offers web protection and is complemented by the Malwarebytes Browser Guard extension for more advanced in-browser detection.

We are also publishing a list of the infrastructure that includes domains we had previously not seen but obtained via retrohunting, so that those can be included in community blocklists ingested by third-party products.

**Indicators of Compromise**

**Kritec domains**

oumymob\[.\]shop  
nujtec\[.\]shop  
lavutele\[.\]yachts  
tochdigital\[.\]pics  
gemdigit\[.\]pics  
vuroselec\[.\]quest  
bereelec\[.\]quest  
psyhomob\[.\]sbs  
antohub\[.\]shop  
kritec\[.\]pics  
daichetmob\[.\]sbs  
smestech\[.\]shop  
interytec\[.\]shop  
ribtech\[.\]shop  
podobadigit\[.\]quest  
yaknatec\[.\]pics  
stacstocuh\[.\]quest  
keistodigit\[.\]pics  
shumtech\[.\]shop  
metsimob\[.\]yachts  
hovarelec\[.\]shop  
vdoxdigit\[.\]pics  
vushtech\[.\]sbs  
tekeiteh\[.\]quest  
tastmob\[.\]yachts  
krasoticmob\[.\]space  
pyatiticdigt\[.\]shop  
frikctictempo\[.\]fun  
secreelec\[.\]shop  
yelyotech\[.\]pics  
statemob\[.\]yachts  
sviisdigit\[.\]quest  
garnimob\[.\]sbs  
povomob\[.\]shop  
dvojnatech\[.\]sbs  
petlelec\[.\]quest  
helotec\[.\]pics  
xiloditg\[.\]yachts  
paunit\[.\]pics  
rithdigit\[.\]cyou  
dayspiselec\[.\]quest  
uznatec\[.\]shop  
nespomob\[.\]sbs  
nebiltech\[.\]shop  
bufelec\[.\]yachts  
ledeehub\[.\]shop  
greentechify\[.\]digital  
ecosustain\[.\]digital  
innovate360\[.\]digital  
wellbeingtech\[.\]digital  
inspireworks\[.\]digital  
avtomob\[.\]sbs  
otkridigit\[.\]quest  
balacdigit\[.\]pics  
schetdigit\[.\]pics  
bantec\[.\]pics  
jantech\[.\]quest  
shotsmob\[.\]sbs  
podbotec\[.\]sbs  
shokomob\[.\]sbs  
resuelec\[.\]yachts  
xorotelec\[.\]quest  
rozkatech\[.\]yachts  
nasnamob\[.\]quest  
ensdigit\[.\]quest  
genlytec\[.\]us  
onitzech\[.\]sbs  
odintech\[.\]sbs  
rebomob\[.\]quest  
flattec\[.\]sbs  
noanotech\[.\]sbs  
fadyit\[.\]pics  
lielecef\[.\]cyou  
inlinedigital\[.\]pics  
fantodelt\[.\]sbs  
volosmob\[.\]pics  
zahidelt\[.\]sbs  
dychtech\[.\]shop  
samopotele\[.\]yachts  
stimob\[.\]pics  
jestmob\[.\]pics  
weitmob\[.\]shop  
poidelt\[.\]sbs  
perstech\[.\]shop  
telehub\[.\]shop  
projectmob\[.\]sbs  
imhoelec\[.\]yachts  
plactech\[.\]quest  
sakwohub\[.\]shop  
volonmob\[.\]sbs  
lehelec\[.\]yachts  
tochelec\[.\]quest  
prijetech\[.\]shop  
supermob\[.\]network  
eluntec\[.\]info  
chutech\[.\]works  
stonworks\[.\]vip  
hapermob\[.\]shop  
seletech\[.\]markets  
calcdigit\[.\]pics  
shellmob\[.\]fun  
valetec\[.\]pw  
votedigit\[.\]shop  
encit\[.\]yachts  
defimob\[.\]bar  
goponl\[.\]online  
yukmob\[.\]store  
tuchtoch\[.\]shop

sasaiso\[.\]cfd  
aifanul\[.\]yachts  
soplelec\[.\]pics  
wudutec\[.\]shop  
vonderdigit\[.\]quest  
mutelec\[.\]quest  
gemstec\[.\]yachts  
genertech\[.\]pw  
genstech\[.\]shop  
effecttec\[.\]shop  
bespitech\[.\]sbs  
otpusmob\[.\]shop  
yedelec\[.\]sbs  
chokdigit\[.\]pics  
poptec\[.\]sbs  
aurelec\[.\]shop  
stramdigital\[.\]yachts  
sotkelec\[.\]yachts  
funkomob\[.\]sbs  
beatmob\[.\]pics  
osobtech\[.\]yachts  
kruktech\[.\]shop  
volosmob\[.\]sbs  
provtec\[.\]shop  
dvanatech\[.\]yachts  
druzit\[.\]quest  
yololive\[.\]sbs  
bachitech\[.\]pics  
kamitac\[.\]shop  
karadigit\[.\]quest  
gachit\[.\]yachts  
yalomob\[.\]pics  
druzit\[.\]quest  
mopedigit\[.\]shop  
macsetech\[.\]online  
strajit\[.\]yachts  
istoretc\[.\]shop  
trepmob\[.\]sbs  
animtech\[.\]quest  
chekeelec\[.\]quest  
kinotec\[.\]pics  
zamlmob\[.\]pics  
leritgo\[.\]sbs  
autotec\[.\]shop  
helinit\[.\]yachts  
shpitech\[.\]quest  
seletmob\[.\]online  
hhfnsfsga\[.\]sbs  
dvanatech\[.\]yachts  
lemodigit\[.\]online  
ttewe\[.\]quest  
efromob\[.\]site  
selentech\[.\]click  
centridig\[.\]store  
timetok\[.\]online  
musatech\[.\]quest  
digitstel\[.\]site  
sintec\[.\]store  
eleconuch\[.\]click  
deletouch\[.\]shop  
topostock\[.\]shop  
dujetech\[.\]yachts  
fletmob\[.\]sbs  
semebit\[.\]online  
kontec\[.\]quest  
moldmob\[.\]site  
lemtok\[.\]store  
domelec\[.\]shop  
hemidigit\[.\]click  
teletoch\[.\]pics  
temtoch\[.\]site  
intescon\[.\]store  
genimmob\[.\]online  
teledomn\[.\]quest  
stemtec\[.\]click  
gemofab\[.\]store  
tenastoc\[.\]click  
kiligob\[.\]site  
pelstec\[.\]online  
vetitec\[.\]quest  
denlog\[.\]shop  
lemnidig\[.\]shop  
fasfad\[.\]site  
lishetoc\[.\]shop  
ruepliz\[.\]click  
stiornec\[.\]store  
daisnetech\[.\]site  
yavipustec\[.\]online  
bednedigit\[.\]quest  
sipletoc\[.\]site  
olinmasot\[.\]click  
verecey\[.\]quest  
oleketec\[.\]store  
etibuz\[.\]shop  
comepetec\[.\]click  
stiildig\[.\]store  
hemogom\[.\]online  
dzelonline\[.\]shop  
tuctec\[.\]site  
obogtec\[.\]quest  
moboed\[.\]icu  
shonowor\[.\]site  
idopos\[.\]shop  
mylase\[.\]click  
henove\[.\]store  
frodetraho\[.\]click  
tromtustec\[.\]quest  
bulkmob\[.\]store

tisimy\[.\]quest  
depeyo\[.\]online  
livepolitical\[.\]sbs  
shareeffectiv\[.\]yachts  
basewhit\[.\]quest  
deliverclos\[.\]online  
changeyellow\[.\]cfd  
writefederal\[.\]click  
dowonderful\[.\]store  
deliverclos\[.\]sbs  
stopfurther\[.\]sbs  
usespecial\[.\]quest  
startculturl\[.\]site  
followmilitry\[.\]cfd  
intesres\[.\]quest  
androton\[.\]online  
begistic\[.\]site  
heptombo\[.\]store  
felestech\[.\]click  
gelimog\[.\]online  
hasekytop\[.\]click  
dekrenof\[.\]quest  
gerelec\[.\]site  
beresor\[.\]store  
lenosmac\[.\]shop  
hustiontec\[.\]store  
teletouch\[.\]click  
pilozol\[.\]quest  
belmrs\[.\]click  
jetomob\[.\]shop  
gelenhan\[.\]online  
lokotec\[.\]quest  
plasmob\[.\]pics  
shumocom\[.\]site  
biposou\[.\]online  
golyter\[.\]shop  
cuvanil\[.\]quest  
trevago\[.\]site  
domog\[.\]shop  
sgolen\[.\]store  
vjevec\[.\]quest  
spilotich\[.\]online  
babtek\[.\]click  
vozvrec\[.\]store  
irlatok\[.\]shop  
vkiten\[.\]click  
golyadik\[.\]site  
oklasdon\[.\]online  
mihayam\[.\]shop  
cutele\[.\]shop  
hoohotic\[.\]click  
pubupu\[.\]quest  
genodigit\[.\]store  
djutech\[.\]online  
voouvdigit\[.\]site  
zizitok\[.\]shop  
ulyatec\[.\]quest  
tuchtok\[.\]site  
justlice\[.\]store  
enisemol\[.\]click  
tululudoc\[.\]online  
nogtech\[.\]site  
mageants\[.\]sbs  
deshvoc\[.\]store  
shumtech\[.\]shop  
metsimob\[.\]yachts  
bolotoc\[.\]store  
nepochtec\[.\]shop  
bibstele\[.\]online  
nechuvelec\[.\]click  
gastdigit\[.\]quest  
arastek\[.\]online  
galeglob\[.\]quest  
boroshtic\[.\]click  
prodovjtec\[.\]shop  
denetok\[.\]site  
kalomob\[.\]store  
avordic\[.\]site  
chasoc\[.\]quest  
jujoc\[.\]online  
helostop\[.\]shop  
zlakovos\[.\]click  
obomob\[.\]site  
miskotec\[.\]store  
shakorot\[.\]site  
nemojmob\[.\]online  
najitel\[.\]quest  
ragutech\[.\]shop  
pershtec\[.\]click  
nadoelec\[.\]space  
odnydigit\[.\]quest  
yamatel\[.\]store  
jezesec\[.\]quest  
samknut\[.\]click  
imperel\[.\]site  
pricetool\[.\]store  
donashhack\[.\]online  
chelotec\[.\]quest  
stelor\[.\]shop  
udamos\[.\]online  
kurkumin\[.\]click  
vedldeno\[.\]store  
oifilon\[.\]site  
igusfil\[.\]shop  
cosmafit\[.\]click  
tanuatech\[.\]quest  
ifilone\[.\]site  
sourite\[.\]online  
becasotec\[.\]site

**Kritec IPs**

195\[.\]242\[.\]110\[.\]102  
195\[.\]242\[.\]110\[.\]103  
195\[.\]242\[.\]110\[.\]112  
195\[.\]242\[.\]110\[.\]130  
195\[.\]242\[.\]110\[.\]131  
195\[.\]242\[.\]110\[.\]134  
195\[.\]242\[.\]110\[.\]135  
195\[.\]242\[.\]110\[.\]136  
195\[.\]242\[.\]110\[.\]137  
195\[.\]242\[.\]110\[.\]139  
195\[.\]242\[.\]110\[.\]143  
195\[.\]242\[.\]110\[.\]158  
195\[.\]242\[.\]110\[.\]162  
195\[.\]242\[.\]110\[.\]166  
195\[.\]242\[.\]110\[.\]168  
195\[.\]242\[.\]110\[.\]171  
195\[.\]242\[.\]110\[.\]172  
195\[.\]242\[.\]110\[.\]174  
195\[.\]242\[.\]110\[.\]179  
195\[.\]242\[.\]110\[.\]181  
195\[.\]242\[.\]110\[.\]182  
195\[.\]242\[.\]110\[.\]185  
195\[.\]242\[.\]110\[.\]186  
195\[.\]242\[.\]110\[.\]187  
195\[.\]242\[.\]110\[.\]188  
195\[.\]242\[.\]110\[.\]189  
195\[.\]242\[.\]110\[.\]190  
195\[.\]242\[.\]110\[.\]191  
195\[.\]242\[.\]110\[.\]196  
195\[.\]242\[.\]110\[.\]197  
195\[.\]242\[.\]110\[.\]205  
195\[.\]242\[.\]110\[.\]206  
195\[.\]242\[.\]110\[.\]231  
195\[.\]242\[.\]110\[.\]232  
195\[.\]242\[.\]110\[.\]235  
195\[.\]242\[.\]110\[.\]237  
195\[.\]242\[.\]110\[.\]24  
195\[.\]242\[.\]110\[.\]242  
195\[.\]242\[.\]110\[.\]25  
195\[.\]242\[.\]110\[.\]250  
195\[.\]242\[.\]110\[.\]251  
195\[.\]242\[.\]110\[.\]28  
195\[.\]242\[.\]110\[.\]3  
195\[.\]242\[.\]110\[.\]30  
195\[.\]242\[.\]110\[.\]32  
195\[.\]242\[.\]110\[.\]33  
195\[.\]242\[.\]110\[.\]34  
195\[.\]242\[.\]110\[.\]37  
195\[.\]242\[.\]110\[.\]40  
195\[.\]242\[.\]110\[.\]41  
195\[.\]242\[.\]110\[.\]46  
195\[.\]242\[.\]110\[.\]58  
195\[.\]242\[.\]110\[.\]59

195\[.\]242\[.\]110\[.\]60  
195\[.\]242\[.\]110\[.\]72  
195\[.\]242\[.\]110\[.\]73  
195\[.\]242\[.\]110\[.\]77  
195\[.\]242\[.\]110\[.\]79  
195\[.\]242\[.\]110\[.\]80  
195\[.\]242\[.\]110\[.\]83  
195\[.\]242\[.\]110\[.\]84  
195\[.\]242\[.\]110\[.\]87  
195\[.\]242\[.\]110\[.\]95  
195\[.\]242\[.\]110\[.\]99  
195\[.\]242\[.\]111\[.\]102  
195\[.\]242\[.\]111\[.\]11  
195\[.\]242\[.\]111\[.\]117  
195\[.\]242\[.\]111\[.\]12  
195\[.\]242\[.\]111\[.\]120  
195\[.\]242\[.\]111\[.\]147  
195\[.\]242\[.\]111\[.\]148  
195\[.\]242\[.\]111\[.\]152  
195\[.\]242\[.\]111\[.\]214  
195\[.\]242\[.\]111\[.\]215  
195\[.\]242\[.\]111\[.\]217  
195\[.\]242\[.\]111\[.\]224  
195\[.\]242\[.\]111\[.\]25  
195\[.\]242\[.\]111\[.\]29  
195\[.\]242\[.\]111\[.\]36  
195\[.\]242\[.\]111\[.\]37  
195\[.\]242\[.\]111\[.\]38  
195\[.\]242\[.\]111\[.\]40  
195\[.\]242\[.\]111\[.\]42  
195\[.\]242\[.\]111\[.\]44  
195\[.\]242\[.\]111\[.\]49  
195\[.\]242\[.\]111\[.\]50  
195\[.\]242\[.\]111\[.\]53  
195\[.\]242\[.\]111\[.\]56  
195\[.\]242\[.\]111\[.\]57  
195\[.\]242\[.\]111\[.\]58  
195\[.\]242\[.\]111\[.\]59  
195\[.\]242\[.\]111\[.\]6  
195\[.\]242\[.\]111\[.\]7  
195\[.\]242\[.\]111\[.\]76  
195\[.\]242\[.\]111\[.\]77  
195\[.\]242\[.\]111\[.\]84  
195\[.\]242\[.\]111\[.\]85  
195\[.\]242\[.\]111\[.\]86  
195\[.\]242\[.\]111\[.\]87  
195\[.\]242\[.\]111\[.\]94  
195\[.\]242\[.\]111\[.\]95  
195\[.\]242\[.\]111\[.\]96  
45\[.\]88\[.\]3\[.\]114  
45\[.\]88\[.\]3\[.\]12  
45\[.\]88\[.\]3\[.\]122  

45\[.\]88\[.\]3\[.\]123  
45\[.\]88\[.\]3\[.\]134  
45\[.\]88\[.\]3\[.\]138  
45\[.\]88\[.\]3\[.\]139  
45\[.\]88\[.\]3\[.\]141  
45\[.\]88\[.\]3\[.\]142  
45\[.\]88\[.\]3\[.\]144  
45\[.\]88\[.\]3\[.\]145  
45\[.\]88\[.\]3\[.\]146  
45\[.\]88\[.\]3\[.\]148  
45\[.\]88\[.\]3\[.\]149  
45\[.\]88\[.\]3\[.\]154  
45\[.\]88\[.\]3\[.\]167  
45\[.\]88\[.\]3\[.\]170  
45\[.\]88\[.\]3\[.\]201  
45\[.\]88\[.\]3\[.\]21  
45\[.\]88\[.\]3\[.\]213  
45\[.\]88\[.\]3\[.\]218  
45\[.\]88\[.\]3\[.\]219  
45\[.\]88\[.\]3\[.\]225  
45\[.\]88\[.\]3\[.\]227  
45\[.\]88\[.\]3\[.\]23  
45\[.\]88\[.\]3\[.\]235  
45\[.\]88\[.\]3\[.\]237  
45\[.\]88\[.\]3\[.\]238  
45\[.\]88\[.\]3\[.\]239  
45\[.\]88\[.\]3\[.\]240  
45\[.\]88\[.\]3\[.\]244  
45\[.\]88\[.\]3\[.\]245  
45\[.\]88\[.\]3\[.\]248  
45\[.\]88\[.\]3\[.\]25  
45\[.\]88\[.\]3\[.\]251  
45\[.\]88\[.\]3\[.\]253  
45\[.\]88\[.\]3\[.\]34  
45\[.\]88\[.\]3\[.\]35  
45\[.\]88\[.\]3\[.\]40  
45\[.\]88\[.\]3\[.\]49  
45\[.\]88\[.\]3\[.\]52  
45\[.\]88\[.\]3\[.\]60  
45\[.\]88\[.\]3\[.\]61  
45\[.\]88\[.\]3\[.\]63  
45\[.\]88\[.\]3\[.\]70  
45\[.\]88\[.\]3\[.\]78  
45\[.\]88\[.\]3\[.\]79  
45\[.\]88\[.\]3\[.\]81  
45\[.\]88\[.\]3\[.\]82  
45\[.\]88\[.\]3\[.\]83  
45\[.\]88\[.\]3\[.\]85  
45\[.\]88\[.\]3\[.\]95  
45\[.\]88\[.\]3\[.\]98

 Credit card skimming on the rise for the holiday shopping season 

The US State of Maine says it has suffered a data breach impacting around 1.3 million people—more or less the the entire population of Maine.

The US State of Maine says it has suffered a data breach impacting around 1.3 million people. According to the census from July 2022, that’s more or less the the entire population of Maine.

The State of Maine says it was compromised via a known vulnerability in secure transfer service MOVEit Transfer. This vulnerability is known to be used by the Cl0p ransomware gang.

The type of stolen data varies from person to person, likely because the data breach affected multiple agencies in the State. More than 50% of the data exposed in the breach came from Maine’s Department of Health and Human Services, while between 10 and 30% came from the state’s Department of Education. The breach also impacted several other departments.

For what we can gather, the cybercriminals may have obtained names, Social Security numbers (SSN), dates of birth, driver’s licenses, state identification numbers, and taxpayer identification numbers. The stolen data may involve certain types of medical information and health insurance for some individuals.

Progress Software, who make MOVEit Transfer, issued a patch for the exploited vulnerability on May 31, 2023. However, the State of Maine says the cybercriminals gained access and started downloading files between May 28 and 29, 2023, before the patch was available.

****Data breach****

The State of Maine is encouraging people to contact Maine’s dedicated call center to find out if their data was involved or if they have questions about this incident. The phone number is (877) 618-3659, with representatives available from Monday to Friday, 9 AM to 9 PM ET.

If your Social Security Number or taxpayer identification number is involved, the call center will provide you with a complimentary credit monitoring code which give you two years of credit monitoring and identity theft protection services.

If you suspect your data has been stolen, it’s worth watching out for people posing as the State of Maine. There’s nothing like a data breach to bring out the scammers, and they will be looking to target people affected by the breach. If someone does contact you, make sure to verifying they are who they say they are using another communication channel. Watch out for phishing emails, too.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your and your family’s personal information by using Malwarebytes Identity Theft Protection.

 State of Maine data breach impacts 1.3 million people 

A list of topics we covered in the week of November 06 to November 12 of 2023

November 9, 2023 - A judge has refused to bring back a class action lawsuit against four car manufacturers because the privacy violation did not meet the WPA standard.

November 9, 2023 - The FBI is investigating a data breach where cybercriminals were able to steal patients’ records from a Las Vegas plastic surgeon's office and then publish them online.

November 9, 2023 - A SysAid vulnerability is actively being exploited by a ransomware affiliate.

November 8, 2023 - Users looking to download a popular PC utility may be tricked in this campaign where a threat actor has registered a website that copies content from a PC and Windows news portal.

November 8, 2023 - Scientists have developed a ChatGPT detector with unprecedented accuracy. Even though it has a limited scope, this could be a big step forward.

 A week in security (November 06 &#8211; November 12) 

The Signal messaging service is testing support for usernames as a replacement for phone numbers to serve as user identities

Messaging service Signal is testing support for usernames as a replacement for phone numbers to serve as user identities.

Signal provides encrypted instant messaging and is popular among people that value their privacy. Compared to more popular services like WhatsApp, Signal offers more layers of privacy protection, customization of settings, and enhanced data security. These layers include hiding metadata, not using a user’s data, allowing call relay, and others.

The current Signal setup requires users to sign up with a phone number and this number will be shared if you want to message other users on the app. But not everyone wants to share their phone number when messaging someone and so Signal is doing something about that.

 On its forums, Signal announced the feature is ready for pre-beta-testing.

> “After rounds of internal testing, we have hit the point where we think the community that powers these forums can help us test even further before public launch.”

So, for now, the announced feature is currently only available for the app’s testers on Android, iOS, and desktop users. Once it’s finally released, you’ll be able to select your username by going to Settings > Profile and Settings > Privacy > Phone Number section.

From a screenshot posted on X, it looks like you’ll be able to invite new contacts by sending them a link or a QR code.

_Screenshot of new options_

It’s also likely you still have to have a phone number to create an account. The new feature just allows you to hide your number behind a username. Phone numbers will still be used as a unique identification and as an anti-spam measure.

We don’t know when the new feature will be generally available, but in an earlier interview, president Meredith Whitaker said she expected the feature’s launch in early 2024. However, this seems unlikely as it requires a major overhaul of the app’s architecture.

**We don’t just report on privacy—we offer you the option to use it.**

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

Source

Malwarebytes