International law enforcements agencies have disruped the infrastructure behind the Warzone RAT.

On February 9, 2024, the Justice Department announced that an international operation had seized internet domains that were selling information-stealing malware. Federal authorities in Boston seized www.warzone.ws and three related domains, which sold the Warzone RAT malware.

The Warzone RAT malware, a sophisticated Remote Access Trojan (RAT), enabled cybercriminals to browse victims’ file systems, take screenshots, record keystrokes, steal victims’ usernames and passwords, and watch victims through their web cameras, all without their knowledge or permission.

On February 7, 2024, two suspects were arrested in Malta and Nigeria, accused of selling the malware and supporting cybercriminals who used it for malicious purposes.

The operation was led by the FBI, and supported by Europol and the Joint Cybercrime Action Taskforce (J-CAT).

Anyone who is a victim of a Warzone RAT computer intrusion is urged to report it to the FBI via its Warzone RAT Victim Reporting Form.

**Signs of infection**

There are some know Indicators of Compromise (IOCs) for recent versions of the Warzone RAT (aka AveMaria Stealer):

**SHA 256 hashes:**

0246d4eb99473ba449b98548167d0767b68b075749a8962d0573851f505689b5

19dba570adb979d9063882d8dd6d880d1f37f25e600cc07097646946ebc947a2

7de4fbda4834453be39c6e20697ab0cde46cf417c953a2f1ba3ab63442d49981

94f836d1cd5bfe8a245a0b66076c86506f53b2fae38ed5da7b2f13cfa07b6cac

b66c5ebef83e48811156c3499b79c798c178d5655d6448403cb070061aba4f4d

dd1fa6cb67aa97468e62afeec6bfa9c1cb52f5acf029ab77a0fdd2e34cd50a21

de492c6384df2afd8c36f3f8ca910d93a21a2981b3c3a80e8a858d643122d488

Warzone RAT is usually spread by emails that use social engineering methods to trick the receiver into downloading and triggering the infection.

General signs that a RAT is active on your system may be:

*   A slow computer and seemingly slow internet connection.
*   Unknown processes in Task Manager.
*   Missing or altered files on your system.
*   Unknown entries in the list of installed programs/software.

**Prevention**

To keep RATs off your systems, the most general rules of security apply:

*   Keep your software and internet connected devices updated.
*   Only download apps and other software from trusted sources.
*   Be careful about which sites you visit and which emails you open.
*   Never open unsolicited email attachments.
*   Use an up-to-date anti-malware solution.

Malwarebytes and ThreatDown products will detect the Warzone RAT as:

*   Trojan.MalPack.PNG.Generic
*   Trojan.MalPack.MSIL.Generic
*   Generic.Malware.AI.DDS
*   Malware.AI.2990474738
*   Trojan.MalPack

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 Warzone RAT infrastructure seized 

In January, we recorded a total of 261 ransomware victims.

_This article is based on research by Marcelo Rivero, Malwarebytes’ ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, “known attacks” are those where the victim **did not** pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher._

In January, we recorded a total of 261 ransomware victims, the lowest number of attacks since February 2023. This is normal, as past data reveals that historical January months tend to be one of the least active periods for ransomware gangs. But don’t let the relatively low number of attacks fool you: there was plenty of important ransomware news last month. 

In January, researchers observed fake “security researchers” trying to trick ransomware victims into thinking that they can recover their stolen data. Described as “follow-on extortion” attacks, the goal of these scams is to get the victims to pay Bitcoin for supposed assistance.

The two examples we have of follow-on extortion attacks targeted victims of the Royal and Akira ransomware gangs, but it’s unclear if the fake security researchers are a part of either of those gangs. Our guess? It’s more likely that they are a fringe group simply seizing an opportunity to exploit victims already targeted by these gangs. 

Let’s analyze why, using two scenarios, assuming that the follow-up extortioners really are Royal or Akira.  

In scenario one, Royal or Akira steals data, prompting a ransom payment from the victim for data deletion. Then, Royal or Akira sends a splinter group to the same victim claiming Royal didn’t delete the data, offering deletion services for an additional fee. This scenario is pretty unlikely, as it undermines Royal’s credibility from the victim’s perspective, damaging the gang’s reputation.

In scenario two, Royal or Akira steals data, but the victim hasn’t paid for deletion yet. The Royal or Akira splinter group then offers to recover the data for a fee. This predicament forces the victim to choose who to trust, likely deciding that it might be more logical to rely on Royal since they have more incentive to maintain a semblance of reliability. So, it then just becomes a normal double-extortion case but with an unnecessary extra step.

In the first case, the “initial ransomware gang” has no leverage for a second round of extortion without contradicting their own claims and damaging their reputation. In the second case, the initial ransomware gang just does more work to get the same outcome, namely payment for data deletion. 

Neither option presents a guaranteed connection to the original attackers.

Known ransomware attacks by gang, January 2024

Known ransomware attacks by country, January 2024

Known ransomware attacks by industry sector, January 2024

In other January news, the UK’s National Cybersecurity Centre (NCSC) released a report suggesting that AI will boost ransomware attack volume and severity in the next two years, particularly through lowering the entry barrier for novice hackers. A simple example is an affiliate using generative AI to create more persuasive phishing emails. This could decrease affiliates’ dependence on Initial Access Brokers for accessing networks, leading to more attacks by individuals enticed by the lower initial investment.

In general, however, we should be cautious about these predictions. Incorporating AI into cybercrime—especially for automated discovery of vulnerabilities or efficient high-value data extraction, as NCSC’s report suggests—is extremely complex and costly. For major gangs like LockBit and CL0P, who manage multimillion-dollar operations, adopting these AI advancements might be more feasible, yet it is still far too early to speculate upon.

In our view, RaaS groups will maintain their current operations in the short term. AI may introduce new methods and techniques for cybercriminals, to be sure, but the core principles of ransomware gangs—based on access, leverage, and profit—will likely continue unchanged for the foreseeable future.

In other news, researchers last month witnessed Black Basta affiliates leveraging a new phishing campaign aimed at delivering a relatively new loader named PikaBot. 

PikaBot, an ostensible replacement for the notorious OakBot malware, is an initial access tool that we first wrote about in mid-December—and it looks like it didn’t take ransomware gangs long to start using it. While our original post about PikaBot focused on its distribution via malicious search ads and not phishing emails, ransomware gangs are known to use both attack vectors to gain initial access. 

A typical distribution chain for PikaBot, writes ThreatDown Intelligence researcher Jérôme Segura, usually starts with an email (within an already-hijacked thread) containing a link to an external website. Users are then tricked to download a zip archive containing malicious JavaScript that downloads Pikabot from an external server. 

As this news marks the first time that PikaBot has been publicly connected with any ransomware operations, it’s safe to assume that the malware is actively being used by other gangs as well—or that if it’s not, it will be soon.

**New leak site: MYDATA**

Mydata is a new leak site from Alpha ransomware, a distinct group not to be confused with ALPHV ransomware. The site published the data of 10 victims in January.

MYDATA leak data

**Preventing Ransomware**

Fighting off ransomware gangs like the ones we report on each month requires a layered security strategy. Technology that preemptively keeps gangs out of your systems is great—but it’s not enough. 

Ransomware attackers target the easiest entry points: an example chain might be that they first try phishing emails, then open RDP ports, and if those are secured, they’ll exploit unpatched vulnerabilities. Multi-layered security is about making infiltration progressively harder and detecting those who do get through. 

Technologies like Endpoint Protection (EP) and Vulnerability and Patch Management (VPM) are vital first defenses, reducing breach likelihood. 

The key point, though, is to assume that motivated gangs will eventually breach defenses. Endpoint Detection and Response (EDR) is crucial for finding and removing threats before damage occurs. And if a breach does happen—ransomware rollback tools can undo changes.

****How ThreatDown Addresses Ransomware****

ThreatDown bundles take a comprehensive approach to these challenges. Our integrated solutions combine EP, VPM, and EDR technologies, tailored to your organization’s specific needs. ThreatDown’s select bundles offer:

*   Advanced Web Protection: Blocking phishing websites ransomware gangs use for initial access.
*   RDP Shield: Securing remote access points with Brute Force Protection.
*   Continuous Vulnerability Scanning and Patch Management: Identifying and patching weaknesses before ransomware gangs can exploit them.
*   Sophisticated EDR: Detecting and neutralizing advanced threats such as LockBit within the network.
*   Ransomware Rollback: Reversing the impact of any successful attacks.

ThreatDown EDR detecting LockBit ransomware

ThreatDown automatically quarantining LockBit ransomware

For resource-constrained organizations, select ThreatDown bundles offer Managed Detection and Response (MDR) services, providing expert monitoring and swift threat response to ransomware threats—without the need for large in-house cybersecurity teams.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 Ransomware review: February 2024 

This week on the Lock and Code podcast, we speak with Jason Haddix about how businesses can protect against modern cyberthreats.

_Today on the Lock and Code podcast_…

If your IT and security teams think malware is bad, wait until they learn about everything else.

In 2024, the modern cyberattack is a segmented, prolonged, and professional effort, in which specialists create strictly financial alliances to plant malware on unsuspecting employees, steal corporate credentials, slip into business networks, and, for a period of days if not weeks, simply sit and watch and test and prod, escalating their privileges while refraining from installing any noisy hacking tools that could be flagged by detection-based antivirus scans.

In fact, some attacks have gone so “quiet” that they involve no malware at all. Last year, some ransomware gangs refrained from _deploying ransomware_ in their own attacks, opting to steal sensitive data and then threaten to publish it online if their victims refused to pay up—a method of extracting a ransom that is entirely without ransom_ware_.

Understandably, security teams are outflanked. Defending against sophisticated, multifaceted attacks takes resources, technologies, and human expertise. But not every organization has that at hand.

What, then, are IT-constrained businesses to do?

Today, on the Lock and Code podcast with host David Ruiz, we speak with Jason Haddix, the former Chief Information Security Officer at the videogame developer Ubisoft, about how he and his colleagues from other companies faced off against modern adversaries who, during a prolonged crime spree, plundered employee credentials from the dark web, subverted corporate 2FA protections, and leaned heavily on internal web access to steal sensitive documentation.

Haddix, who launched his own cybersecurity training and consulting firm Arcanum Information Security this year, said he learned so much during his time at Ubisoft that he and his peers in the industry coined a new, humorous term for attacks that abuse internet-connected platforms: “A browser and a dream.”

> “When you first hear that, you’re like, ‘Okay, what could a browser give you inside of an organization?'”

But Haddix made it clear:

“On the internal LAN, you have knowledge bases like SharePoint, Confluence, MediaWiki. You have dev and project management sites like Trello, local Jira, local Redmine. You have source code managers, which are managed via websites—Git, GitHub, GitLab, Bitbucket, Subversion. You have repo management, build servers, dev platforms, configuration, management platforms, operations, front ends. These are all websites.”

Tune in today.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)  
LLM Prompt Injection Game: https://gandalf.lakera.ai/

**Overwhelmed by modern cyberthreats? ThreatDown can help.**

The 2024 ThreatDown State of Malware report is a comprehensive analysis of six pressing cyberthreats this year—including Big Game ransomware, Living Off The Land (LOTL) attacks, and malvertising—with strategies on how IT and security teams can protect against them.

 If only you had to worry about malware, with Jason Haddix: Lock and Code S05E04 

The FCC has ruled that the use of AI generated voices in robocalls is illegal, by considering them as artificial under the Telephone Consumer Protection Act.

The Federal Communications Commission (FCC) has announced that calls made with voices generated with the help of Artificial Intelligence (AI) will be considered “artificial” under the Telephone Consumer Protection Act (TCPA). Effective immediately, that makes robocalls that implement voice cloning technology and target consumers illegal.

Robocalls are automated phone calls, often associated with scams, which can be a nuisance to individuals and businesses alike. Some of these calls use AI generated voices of trusted celebrities to gain the trust of the target, in a technique known as voice cloning.

Robocallers not only sell products or services in an annoying way, they’ve also been known to be part of political misinformation campaigns as well.

The unanimous ruling by the FCC provides state attorneys general across the country with new tools to go after the people behind these nefarious robocalls. Many of these calls would be considered illegal anyway because they are scams or fraudulent, but now the fact that they use AI generated voices alone is enough for them to be considered illegal.

The FCC says it received a letter signed by attorneys general from 26 states asking the agency to act on restricting the use of AI in marketing phone calls.

FCC Chairwoman Jessica Rosenworcel stated:

> “Bad actors are using AI-generated voices in unsolicited robocalls to extort vulnerable family members, imitate celebrities, and misinform voters. We’re putting the fraudsters behind these robocalls on notice.”

From now on, those who wish to send robocalls must obtain prior express consent from the called party before making a call that utilizes artificial or prerecorded voice simulated or generated through AI technology.

Violations of the TCPA are subject to stiff civil penalties. Abusers can anticipate fines of up to $1,500 per incident without a cap on damages.

On January 30, 2024, the FCC said its previous actions against international robocalls appear to have reduced apparently illegal robocall traffic across multiple networks. If this new announcement leads to an even bigger reduction, you won’t hear us complaining.

**What to do if you answer a robocall**

When you receive a call from someone outside your contact list only to hear a recorded message playing back at you, that’s a robocall.

1.  Hang up as soon as you realize that it is an automated robocall.
2.  Do not engage with the call at all.
3.  Don’t follow any instructions.
4.  Avoid giving away any personal information.
5.  Report the robocall.
    *   If you’ve lost money to a phone scam or have information about the company or scammer who called you, tell the FTC at ReportFraud.ftc.gov.
    *   If you didn’t lose money and just want to report a call, use the streamlined reporting form at DoNotCall.gov
    *   If you believe you received an illegal call or text, report it to the Federal Communications Commission (FCC).

It is important to not engage in any conversation or respond to any prompts to minimize the risk of fraud. Even the smallest snippets of your recorded voice could allow for voice-cloning and used in scams against you or your loved ones.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your iOS devices by downloading Malwarebytes for iOS today.

 AI-generated voices in robocalls are illegal, rules FCC 

A list of topics we covered in the week of February 5 to February 11 of 2024

February 9, 2024 - Ivanti has found yet another vulnerability in versions of Connect Secure, Policy Secure, and ZTA gateways.

February 9, 2024 - FBI and CISA have produced guidance about Chinese APT group Volt Typhoon and other groups that use Living off the Land (LOTL) techniques.

February 8, 2024 - LastPass has warned about a fake app called LassPass, available in the Apple App Store.

February 8, 2024 - A criminal group called ResumeLooters has stolen the personal information of over two million job seekers from at least 65 different websites.

February 7, 2024 - Your essential guide to toothbrush security.

 A week in security (February 5 &#8211; February 11) 

Ivanti has found yet another vulnerability in versions of Connect Secure, Policy Secure, and ZTA gateways.

In a new blog post, Ivanti says that it has found another vulnerability and urges customers to “immediately take action to ensure you are fully protected”.

This vulnerability only affects a limited number of supported versions–Ivanti Connect Secure (version 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1), Ivanti Policy Secure version 22.5R1.1 and ZTA version 22.6R1.3.

Please read between the lines that there could be unsupported versions which will never see a patch for this vulnerability.

A patch is available now for Ivanti Connect Secure (versions 9.1R14.5, 9.1R17.3, 9.1R18.4, 22.4R2.3, 22.5R1.2, 22.5R2.3 and 22.6R2.2), Ivanti Policy Secure (versions 9.1R17.3, 9.1R18.4 and 22.5R1.2) and ZTA gateways (versions 22.5R1.6, 22.6R1.5 and 22.6R1.7).

Customers can access the patch via the standard download portal (login required). The instructions are somewhat complicated, to say the least. Due to all the different versions that are available, it is imperative to carefully read the instructions.

Customers can read this KB article for detailed instructions on how to apply the mitigation and apply the patch as each version becomes available. Please ensure you are following the KB article to receive updates. If you have questions or require further support, please log a case and/or request a call in the Success Portal.

Important to note:

*   Customers who applied the patch released on January 31 or February 1, and completed a factory reset of their appliance, do not need to factory reset their appliances again.
*   And once customers applied this newly released patch, they do not need to apply the mitigation or the patches released on January 31 and February 1. 

**The vulnerability**

The vulnerability, listed as CVE-2024-22024 with a CVSS score of 8.3 out of 10, allows an attacker to access certain restricted resources without authentication.

An XML external entity injection (XXE) is a web security vulnerability that allows an attacker to interfere with an application’s processing of XML data. It often allows an attacker to view files on the application server filesystem, and/or to interact with any back-end or external systems that the application itself can access.

Ivanti found the XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways.

Since Ivanti claims that the vulnerability came up during internal code reviews, it is unlikely that an exploit already exists, but this type of vulnerability is usually easy to exploit, so chances are, this will not take long.

Although we have seen a pretty convincing claim that they did not find it themselves:

According to Ivanti they are unaware of any evidence of customers being exploited by CVE-2024-22024.

Only a week ago all, FCEB agencies received intructions to disconnect vulnerable Ivanti products before the weekend. This because besides the Ivanti vulnerabilities actively exploited in massive numbers we wrote about on January 11, 2024, alerts went off about two new high severity flaws on January 31, 2024.

All in all, since January 10, five vulnerabilities have been reported in Ivanti products. And at least three of them are subject to active exploitation.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

 Ivanti urges customers to patch yet another critical vulnerability 

2023 saw a 70% increase in ransomware attacks from 2022.

_This article is based on research by Marcelo Rivero, Malwarebytes’ ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, “known attacks” are those where the victim did not pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher._

2023 was an explosive year for ransomware.

While some ransomware trends hardly changed over the last year, such as LockBit’s continued dominance, ransomware criminals also challenged our fundamental assumptions on how ransomware gangs work, such as by exploiting zero-day vulnerabilities. Through thec onsistenciess and evolutions over the last year, one fact remains clear: 2023 broke records **with its total number of 4475 ransomware attacks, a 70% increase from 2022.**

Global ransomware attacks by month, 2022 vs 2023

Global ransomware attacks, 2022 vs 2023

Additionally, LockBit was responsible for a **22% of all ransomware attacks in 2023**, over half as much as the next top five gangs combined. Together, the top 10 ransomware gangs were responsible for **70% of all ransomware attacks**.

Top 10 ransomware gangs in 2023

Breaking 2023 ransomware attacks by sector reveals that **23% of all attack**s were directed against the Services sector. Together, the top 10 sectors accounted for **80% of all ransomware attacks**.

Top 10 industries attacked 2023

The USA was by far the most attacked country in 2023, **with a whopping 45%** of all ransomware attacks targeting the country.

Top 10 countries attacked 2023

Additionally, we’ve sifted through the backlog of our 2023 ransomware reviews to find the most important stories and trends from the last year. Here are five key takeaways from the ransomware world in 2023.

**1\. LockBit was… LockBit**

LockBit remained the most prolific ransomware gang throughout 2023, responsible for several high-profile attacks (such as against Taiwanese chipmaker TSMC). As well, LockBit also unveiled a new variant, LockBit Green, and showed signs of expanding into macOS territory.  

**2\. Law enforcement worked overtime**

Despite 2023 being the worst ransomware year on record, law enforcement notched notable successes in taking down big-name groups, including the FBI’s shutdown of the Hive ransomware group and the seizure of ALPHV’s infrastructure.

**3\. Gangs seized the day with zero-days**

Ransomware gangs, including Cl0p and ALPHV, aggressively exploited zero-day vulnerabilities (e.g., in GoAnywhere MFT, MOVEit Transfer, and Citrix appliances) to launch attacks on a unprecedented scale.

**4\. Big blows dealt to critical infrastructure**

Critical infrastructure (as defined by CISA) took a beating in 2023, with sectors such as logistics, manufacturing, healthcare, and education accounting for almost **30% of all ransomware attacks** in 2023. Education alone (a subsector of the Government Facilities sector) experienced a 70% surge in attacks in the past year, increasing from 129 incidents in 2022 to 265 in 2023.

**5\. New tactics and rebrandings emerged**

Besides an increased focus on exploiting zero-days, ransomware gangs introduced other new tactics in 2023 such as CL0P’s use of torrents for distributing stolen data and innovative social engineering techniques by groups like Scattered Spider. We also saw notable rebrands (i.e Vice Society to Rhysida) and shifts in focus from encryption to purely data theft and extortion.

**Looking ahead**

2023 was a whirlwind year for ransomware: Attacks spiked by 70%, law enforcement landed key victories, gangs pivoted to exploiting zero-day vulnerabilities, and much more.

Going into 2024 it’s safe to say that the threat of ransomware looms large for all organizations—especially those with shrinking security budgets and overtaxed IT teams, organizations located in the US, critical infrastructure sectors like education.

Fighting off ransomware gangs requires a layered security strategy. Technologies such as Endpoint Protection (EP) and Vulnerability and Patch Management (VPM), for example, are vital first defenses to reduce the attack surface breach likelihood.

The key point, though, is to assume that motivated gangs will eventually breach any defenses. Endpoint Detection and Response (EDR) is crucial for finding and removing threats before damage occurs. And for the ultimate assurance of uptime —choose an EDR solution with ransomware rollback to undo changes and restore files so that productivity continues.

**How ThreatDown Addresses Ransomware**

ThreatDown Bundles take a comprehensive approach to ransomware. Our integrated solutions combine EP, VPM, and EDR technologies, tailored to your organization’s specific needs, including:

*   Advanced Web Protection: Blocking phishing websites ransomware gangs use for initial access. 
*   RDP Shield: Securing remote access points with Brute Force Protection. 
*   Continuous Vulnerability Scanning and Patch Management: Identifying and patching weaknesses before ransomware gangs can exploit them. 
*   Sophisticated EDR: Detecting and neutralizing advanced threats such as LockBit within the network. 
*   Ransomware Rollback: Reversing the impact of any successful attacks. 

ThreatDown EDR detecting LockBit ransomware

ThreatDown automatically quarantining LockBit ransomware

For resource-constrained organizations, select ThreatDown bundles offer Managed Detection and Response (MDR) services, providing expert monitoring and swift threat response to ransomware attacks—without the need for large in-house cybersecurity teams.

**Experience ThreatDown Bundles**

 Ransomware in 2023 recap: 5 key takeaways 

FBI and CISA have produced guidance about Chinese APT group Volt Typhoon and other groups that use Living off the Land (LOTL) techniques.

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), and other authoring agencies have released a joint guidance about common living off the land (LOTL) techniques and common gaps in cyber defense capabilities.

Living Off The Land (LOTL) is a covert cyberattack technique in which criminals carry out malicious activities using legitimate IT administration tools.

This joint guidance comes alongside a joint Cybersecurity Advisory (CSA) called PRC State-Sponsored Actors Compromise and Maintain Persistent Access to US Critical Infrastructure.

These publications are a reaction to recent warnings about attacks on critical infrastructure by groups allegedly connected to the Chinese (PRC) government.

The FBI recently used a court order to remove malware from hundreds of routers across the US because it believed the attack was the work of an Advanced Persistent Threat (APT) group known as Volt Typhoon. US officials said the botnet was designed to give Chinese attackers persistent access to critical infrastructure. Routing their traffic through these gateways would hide the actual origin of malicious attempts to reach inside utilities and other targets.

In May of 2023, Microsoft uncovered stealthy and targeted malicious activity by Volt Typhoon. The activity focused on post-compromise credential access and network system discovery aimed at critical infrastructure organizations in the United States.

As Jen Easterly, the director of CISA put it in a hearing before the House Select Committee

> “We have seen a deeply concerning evolution of Chinese targeting of US critical infrastructure. We have seen them burrowing deep into critical infrastructure to enable destructive attacks. This is a world where a crisis across the world could well endanger the lives of Americans here.”

And it’s not just the US. The Dutch Military Intelligence Service (MIVD) found a Remote Access Trojan (RAT) on one of their networks which they identified as Chinese malware.

The Living of the Land (LOTL) guide does not exclusively focus on Chinese state actors though. It also includes methods deployed by Russian Federation state-sponsored actors, and will likely apply to Ransomware-as-a-Service (RaaS) gangs that leverage legitimate tools to evade detection too.

So, it’s important to be aware of what your cybersecurity team, internal or managed (MDR) should be looking for when it comes to suspicious use of legitimate tools, unusual network connections, and other signs of malicious activities.

The guidance stipulates that LOTL is particularly effective because:

*   Many organizations lack effective security and network management practices (such as established baselines) that support detection of malicious LOTL activity—this makes it difficult for network defenders to discern legitimate behavior from malicious behavior and conduct behavioral analytics, anomaly detection, and proactive hunting.
*   There is a general lack of conventional indicators of compromise (IOCs) associated with the activity, complicating network defenders’ efforts to identify, track, and categorize malicious behavior.
*   It enables cyber threat actors to avoid investing in developing and deploying custom tools.

So, it provides some best practices for detecting and hardening that are all explained in detail.

*   Implement write once, read many detailed logging to avoid the risk of attackers modifying or erasing logs.
*   Establish and continuously maintain baselines of network, user, administrative, and application activity and least privilege restrictions.
*   Build or acquire automation to continually review all logs to compare current activities against established behavioral baselines and alert on specified anomalies.
*   Reduce alert noise by fine-tuning via priority (urgency and severity) and continuously review detections based on trending activity.
*   Leverage user and entity behavior analytics to identify abnormal and potentially dangerous user and device behavior.
*   Apply and consult vendor-recommended guidance for security hardening.
*   Implement application allowlisting and monitor use of common LOTL binaries (LOLBins).
*   Enhance IT and OT network segmentation and monitoring.
*   Implement authentication and authorization controls for all human-to-software and software-to-software interactions regardless of network location.

Understanding the context of LOTL activities is crucial for accurate detection and response. Many of the tips that Malwarebytes provides for avoiding ransomware will prove to be useful in state sponsored attacks as well, although the latter can be even more targeted in some situations.

*   **Block common forms of entry.** Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
*   **Prevent intrusions.** Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
*   **Detect intrusions.** Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption.** Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Further on, CISA  urges software manufacturers to implement secure by design rules in their software, to reduce the prevalence of weak default configurations and passwords, recognize the need for low or no-cost enhanced logging, and other exploitable issues identified in the guide.

Insecure software allows threat actors to leverage flaws to enable LOTL techniques and the responsibility should not solely be on the end user. By using secure by design principles, software manufacturers can make their product lines secure out of the box without requiring customers to spend additional resources making configuration changes, purchasing security software and logs, monitoring, and making routine updates.

Living off the Land is one of six cyberthreats that resource-constrained IT teams need to be ready to combat in 2024, covered in our 2024 State of Malware report.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 FBI and CISA publish guide to Living off the Land techniques 

LastPass has warned about a fake app called LassPass, available in the Apple App Store.

Password Manager LastPass has warned about a fraudulent app called “LassPass Password Manager” which it found on the Apple App Store.

The app closely mimics the branding and appearance of LastPass, right down to the interface. So, even if the name was a “happy accident” it seems clear that this was a purposeful attempt to trick users installing the fake app.

The fake app can be recognized not only by the name, but other misspellings in the screenshots, and the app lists Parvati Patel as the developer and the privacy policy as hosted at bluneel\[.\]com. The developer of the legitimate LastPass app is LogMeIn, Inc. 

While using a genuine password manager provides extra security, entrusting your passwords to an app that is a rip-off does not. Obviously, storing all your passwords in an app that is not trustworthy can get you in all kinds of trouble, including identity theft.

We have not tested if the app sends your passwords to a third-party, but we should assume that it does just that.

In the App Store the impersonator claims to be “Trusted by over 1+ million users and 10,000+ businesses” which clearly can’t be right and was most certainly copied from LastPass.

LastPass states that it is:

> “… actively working to get this application taken down as soon as possible, and will continue to monitor for fraudulent clones of our applications and/or infringements upon our intellectual property“

But at the time of writing the app was still available in the Apple App Store.

Malwarebytes Premium and Malwarebytes Browser Guard block the domain bluneel\[.\]com so users will see a warning about the trustworthiness of the app.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

 Warning from LastPass as fake app found on Apple App Store 

A criminal group called ResumeLooters has stolen the personal information of over two million job seekers from at least 65 different websites.

A cybercriminal group known as ResumeLooters has infiltrated 65 job listing and retail websites, compromising the personal data of over two million job seekers.

The group used SQL injection and cross-site scripting (XSS) attacks—both common techniques— to extract the sensitive information from the websites.

The attacks primarily focused on the Asia-Pacific (APAC) region, targeting sites in Australia, Taiwan, China, Thailand, India, and Vietnam. However, other compromised companies were located in other regions, including Brazil, Italy, Mexico, Russia, Turkey, and the US.

Researchers first detected the activity of the group in November 2023, and tracked the massive malicious campaign targeting employment agencies and retail companies. Due to the criminals’ focus on job search platforms and the theft of resumes, the researchers dubbed the group ResumeLooters.

The stolen data is hard to quantify given the amount of sources, but it may include names, phone numbers, emails, and dates of birth, as well as information about job seekers’ experience, employment history, and other sensitive personal data.

The stolen data were put up for sale on Chinese-speaking Telegram channels. This and other indicators make it very likely that the group is of Chinese origin.

If you want to find out how much of your own data is exposed online, you can try our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a report.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

Source

Malwarebytes