Hewlett Packard Enterprise revealed in a filing that it was breached by Russian group Cozy Bear, similar to Microsoft.

Hewlett Packard Enterprise (HPE) has disclosed that the state-sponsored actor known as Cozy Bear (aka Midnight Blizzard), gained unauthorized access to HPE’s cloud-based email environment.

This news comes only days after Microsoft broke very similar news that it got hacked by this same state sponsored group. Cozy Bear, who is generally linked to the Russian Foreign Intelligence Service, also known as the SVR, seems to be extremely curious to find out the intelligence information several tech giants gathered about it.

HPE stated in a form K-8 filing with the U.S. Securities and Exchange Commission (SEC) that:

> “Based on our investigation, we now believe that the threat actor accessed and exfiltrated data beginning in May 2023 from a small percentage of HPE mailboxes belonging to individuals in our cybersecurity, go-to-market, business segments, and other functions.”

So far, the ongoing investigation showed that HPE’s cloud email environment was compromised in May of 2023, at which point Cozy Bear stole a limited number of SharePoint files.

In a statement to CRN last Wednesday, HPE said the impacted cloud email system was a Microsoft Office 365 environment, and said that the attacker leveraged a compromised account to access the email environment.

The accessed data was limited to information contained in the users’ mailboxes. As the investigation stands now, the company says the incident has not had a material impact on its operations, and is reasonably unlikely to materially impact the company’s financial condition or results of operations.

It is unsure if the Microsoft and HPE incidents are linked. Even though the news came out days apart, the actual incidents were months apart: HPE in May and Microsoft in November. However, in both incidents there is a notable focus on security staff and so it appears that Cozy Bear is trying to find out what information US tech giants have about it.

Without further details though, it’s all speculation. The question is if we will ever hear these details.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 Hewlett Packard Enterprise also searched by Cozy Bear 

A list of topics we covered in the week of January 22 to January 28 of 2024

January 25, 2024 - Chinese speaking users looking for Telegram, or LINE are being targeted with malicious ads. Instead of downloading the legitimate application, they install malware.

January 25, 2024 - ThreatDown has earned 37/37 awards over nine consecutive quarters.

January 24, 2024 - 2023 was the worst ransomware year on record for Education.

January 24, 2024 - Your smart devices may reveal information about you or your location to an ex-partner. Here's how to lock them out.

January 24, 2024 - Apple has released new security updates for several products including a patch for a zero-day vulnerability which may have been exploited.

 A week in security (January 22 &#8211; January 28) 

It's Data Privacy Week so here are 10 tips from our VP of Consumer Privacy, Oren Arar, about how to stay private online.

**1\. **Set up two-factor authentication****

Do this for as many of your online accounts as you can, especially the major ones like your email and social media accounts. Two-factor authentication (2FA) adds an extra step of protection and makes it much harder for attackers to login as you. We recommend using authenticator apps or physical security keys, but sometimes SMS is the easiest option and that’s fine. In most services you won’t have to enter the 2FA code every time, only when using a new device.

**2\. Use a different password for every account**

If your password is breached on one site, cybercriminals can use that login information to access your other online accounts that use the same passwords. If you use a different password for each account they can’t do this. Make sure your passwords are long (15 characters or more is good) and use a mix of upper and lower case characters, numbers and symbols too.

To make it easy, you can chose a phrase or a line from a song you like (for instance: DancingInTheMoonlight1999!). You can also use a password manager built-in on your browser, or a stand-alone password manager (see below). If you’ve received a notification from Google, Malwarebytes or any other service telling you your password has been exposed make sure to not use it or any variation of it again for any of your accounts. 

**3\. Use a password manager**

Making different and complicated passwords for each and every online account you have is one thing, but **remembering** them all is a lot more difficult. That’s why we use a password manager, and why you should too. It will generate passwords for you and then remember them all. Choose a vendor you trust for it, or simply use Apple or Google.

**4\. Keep software and hardware up to date**

Make sure your computer, phone, browser, apps and other programs are always on the latest version. If someone finds a security bug, the company that makes that software or hardware will release a new version with a patch for the bug. If you’re not on the latest version, you will be vulnerable. We know it can sometime be a hassle to update the version – but it’s not only about the latest features, in many cases it’s about keeping you safe!

**5\. Double check everything**

Got an email or SMS saying your delivery has been delayed that asks you to click on a link? Double check that you are expecting a delivery from where it says it’s coming from. Got a message from a friend on Facebook that seems off? Double check via text or phone that it is really them. Is your CEO suddenly asking you to buy $5000 of gift cards on the company credit card? Double check that it really is the CEO (it probably isn’t). There’s a ton of scams out there and they are getting more and more sophisticated with time, you just have to stay vigilant and aware of it.

Does that restaurant you’re making a reservation with really need to know your actual date of birth? Does that shopping site really need to know your mother’s maiden name as a password reset question? Consider carefully where you share your data and keep in the back of your mind that the service you are using could be breached. If it is breached, what of your information would be taken? If you can use false information, we really encourage you to do that. Pro-tip: create an “avatar online identity” for yourself with a separate email, date of birth and information you remember and use this information for vendors that don’t require your real identity.

**7\. Cover your camera**

When your camera isn’t in use, make sure you cover it with a physical cover. You can get webcam covers that slide open and shut to make it easy for you to use your camera when you like, and they look a lot nicer than a sticking plaster! Hackers have been known to take over webcams and take snapshots – so sometimes a physical cover is our last line of defense!

**8\. Use an identity monitoring solution**

Identity theft is a real challenge today, including stealing your credit and even opening new lines of credit in your name. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after. Malwarebytes Identity Theft Protection can help with this.

**9\. Check what data of yours has already been exposed**

It’s very likely that your personal information has already been involved in a breach, but you might be wondering how much information can be gained about you from all the pieces of data about you that’s online—aka your digital footprint. We created a tool that will show you just that. You enter your most commonly-used email address, we’ll run a scan and then we’ll send you the results. Try the free scan now.

**10\. Use security software**

Finally, make sure you have protected your devices with security software. It doesn’t take long and it’s such a basic step we must all do. Malwarebytes Premium detects or blocks over 95 million pieces of malware a day so we definitely have you covered. We protect Windows, Mac, Chrome, Android, and iOS.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

 10 things to do to improve your online privacy 

US law enforcement will no longer be able to request footage produced by Ring devices, unless it's an emergency.

US law enforcement will no longer be able to request footage through the Neighbors app produced by Ring video doorbells and surveillance cameras.

Until now Ring’s Request for Assistance (RFA) function allowed law enforcement to ask for and obtain user footage, but this function will be retired.

Along with other changes, Ring announced on its blog how public safety agencies like fire and police departments can still use the Neighbors app to share helpful safety tips, updates, and community events, but they will no longer be able to use the RFA tool to request and receive video in the app.

Only in emergencies, Ring will share user’s footage without a court order.

The Electronic Frontier Foundation (EFF) considers this a victory in a long fight. But it remains critical about the emergencies loophole, because there is no clear process for a Ring owner or a judge to rule when a situation is an emergency. The fear is that law enforcement will slowly erode what constitutes an emergency and end up requesting footage for less urgent matters.

We should not forget that Ring is a market leader and other companies are looking at its example, which is why it’s important to make sure that security and privacy are key values and not helping law enforcement.

As the EFF stated:

> “Ring has been forced to make some important concessions—but we still believe the company must do more.”

In its blog, Ring brings up a lot of endearing examples of how its Neighbors app has helped families locate lost pets, and even lost family members, and how it has been used to share critical information during disasters and emergencies.

But if there is one thing history has taught us, it’s that eventually computer vision will be used for surveillance purposes against human beings.

For example. the EFF warned on a previous occasion about self-driving cars:

> “The sheer amount of visual and other information collected by a fleet of cars traveling down public streets conjures the threat of the possibility for peoples’ movements to be tracked, aggregated, and retained by companies, law enforcement, or bad actors—including vendor employees. The sheer mass of this information poses a potential threat to civil liberties and privacy for pedestrians, commuters, and any other people that rely on public roads and walkways in cities.”

Combining the information with that of CCTV cameras, Ring doorbells, delivery robots, and what have you, brings us closer to 1984, rather than steering away from it. Being able to combine the gathered information with AI driven tools at some point, makes it only scarier.

**We don’t just report on privacy—we offer you the option to use it.**

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

 Ring curtails law enforcement&#8217;s access to footage 

Chinese speaking users looking for Telegram, or LINE are being targeted with malicious ads. Instead of downloading the legitimate application, they install malware.

An ongoing campaign of malicious ads has been targeting Chinese-speaking users with lures for popular messaging applications such as Telegram or LINE with the intent of dropping malware. Interestingly, software like Telegram is heavily restricted and was previously banned in China.

Many Google services, including Google search, are also either restricted or heavily censored in mainland China. Having said that, many users will try to circumvent those restrictions by using various tools such as VPNs.

The threat actor is abusing Google advertiser accounts to create malicious ads and pointing them to pages where unsuspecting users will download Remote Administration Trojan (RATs) instead. Such programs gives an attacker full control of a victim’s machine and the ability to drop additional malware.

It may not be a coincidence that the malvertising campaigns are primarily focused on restricted or banned applications. While we don’t know the threat actor’s true intentions, data collection and spying may be one of their motives. In this blog post, we share more information about the malicious ads and payloads we have been able to collect.

Visitors to google.cn are redirected to google.com.hk where searches are said to be uncensored. Doing a lookup for ‘telegram’ we see a sponsored search result.

The following description is associated with this ad:

> TeIegram official application – TeIegram Chinese version download docs.google.com https://docs.google.com › 2024 › Official download Latest Telegram Understand your users Androd needs and engage them with relevant personalized solutions in real time. One of the top 5 most downloaded apps in the world with over 700 million active users.

Here is an ad for ‘LINE’

Description:

> LINE is the largest communication platform that provides an end-to-end encrypted experience, allowing cross-platform communication across mobile phones, computers, tablets, etc. Simple, reliable, and free\* private messages and calls can be used around the world.

We identified two advertiser accounts behind those ads, both of them being associated with a user profile in Nigeria:

*   Interactive Communication Team Limited
*   Ringier Media Nigeria Limited

Due to the number of ads for each of these accounts (including many unrelated to these campaigns), we believe they may have been taken over by the threat actors.

**Infrastructure**

This threat actor seems to rely on Google infrastructure in the form of Google Docs or Google sites. This allows them to insert links for the download or even redirect to other sites they control.

**Malware payloads**

We collected a number of payloads from this campaign, all in MSI format. Several of those used a technique known as DLL side-loading, which consists of combining a legitimate application with a malicious DLL that gets loaded automatically.

In the example above, the DLL is signed with a now revoked certificate from _Sharp Brilliance Communication Technology Co., Ltd._ which was also recently used to sign a PlugX RAT sample. (PlugX is a RAT from China that also performs DLL side-loading).

Not all dropped malware is new, in fact some were previously used in other campaigns and are variants of Gh0st RAT.

**Active threat**

A website and forum (bbs\[.\]kafan\[.\]cn) dedicated to security frequented by Chinese users keeps up with malware from these campaigns that they refer to as FakeAPP.

It also appears that the threat actor privileges quantity over quality by constantly pushing new payloads and infrastructure as command and control.

Online ads are an effective way to reach a certain audience, and of course they can be misused as well. People (such as activists) that live in countries where encrypted communication tools are banned or restricted will attempt to bypass these measures. It appears that a threat actor is luring potential victims with such ads.

The payloads are consistent with threats observed in the South Asia region, and we see similar techniques such as DLL side-loading that is quite popular with many RATs. This type of malware is ideal to gather information about someone and silently dropping additional components if and when necessary.

We have notified Google regarding the malicious ads and have reported the supporting infrastructure to the relevant parties.

Malwarebytes detects the malicious payloads upon execution.

**Indicators of Compromise**

Fake domains

telagsmn\[.\]com  
teleglren\[.\]com  
teleglarm\[.\]com

Redirectors

5443654\[.\]site  
5443654\[.\]world

Payloads

CS-HY-A8-bei.msi
63b89ca863d22a0f88ead1e18576a7504740b2771c1c32d15e2c04141795d79a

w-p-p64.msi
a83b93ec2a5602d102803cd02aecf5ac6e7de998632afe6ed255d6808465468e

mGtgsotp\_zhx64.msi
acf6c75533ef9ed95f76bf10a48d56c75ce5bbb4d4d9262be9631c51f949c084

cgzn-tesup.msi
ec2781ae9af54881ecbbbfc82b34ea4009c0037c54ab4b8bd91f3f32ab1cf52a

tpseu-tcnz.msi
c08be9a01b3465f10299a461bbf3a2054fdff76da67e7d8ab33ad917b516ebdc

C2s

47.75.116\[.\]234:19858
216.83.56\[.\]247:36061
45.195.148\[.\]73:15628

 Malicious ads for restricted messaging applications target Chinese users 

ThreatDown has earned 37/37 awards over nine consecutive quarters.

ThreatDown Endpoint Protection (EP) achieved the highest possible score (100%) and received certifications for Level 1, Exploit, Online Banking, and Ransomware in the most recent anti-malware efficacy assessment results for the Q3 2023 evaluation performed by MRG Effitas, a world leader in independent IT research.

These results mark the ninth time in a row ThreatDown has received all certification awards, and is now officially the only vendor to win every single certification and award from Q3 2021 through Q3 2023.

MRG Effitas assesses a product’s ability to meet today’s most pressing threats in-the-wild, such as stopping zero-day malware, ransomware, and exploits—and doing so with speedy performance and low false positives.

After unveiling their new phishing assessment in Q2 2023, MRG Effitas in Q3 2023 began awarding a full-on 360° Phishing Certification to vendors who could take down phishing threats.

ThreatDown blocked 100% of phishing attempts in the In-the-Wild (ITW) Phishing Test. In other words, ThreatDown is the only vendor to consistently receive all 4 award logos and block 100% of phishing attempts.

How we were able to do it: The signature and behavior-based detection techniques and proprietary anti-exploit technology of ThreatDown EP allowed it to detect and autoblock more malware than any other competitor on the Q3 test. In addition, the Web protection layer of our EP blocks access to and from known or suspicious Internet addresses, allowing us to ace the phishing tests.

As an integral foundation layer for ThreatDown Bundles, these results prove that ThreatDown provides reliable and comprehensive protection against a wide range of threats.

Let’s dive into where we prevented more than the rest and how we were able to do it.

**100% of phishing attempts blocked **

Given the frequency and risks associated with phishing attacks today, it’s clear that modern endpoint security needs to protect against these attacks.

According to Verizon, attackers used phishing for initial access in 15% of data breaches in 2022. CISA also showed that, within the first 10 minutes of receiving a phishing email, 84% of employees took the bait. After successfully compromising a system through phishing, threat actors can further their attacks by dropping ransomware or stealing sensitive data, leading to costly financial and reputational damages.

**ThreatDown blocked 100% of phishing attempts in the ITW Phishing Test and was only one of two vendors to score 80% or above in the Phishing Simulator Test.**

How we were able to do it: ThreatDown EP, the foundation for ThreatDown Bundles, features a Web protection layer that blocks access to and from known or suspicious Internet addresses.

**100% of ransomware blocked **

Using a blend of signature and signature-less technologies, the anti-ransomware layer of ThreatDown EP constantly monitors endpoint systems and automatically kills processes associated with ransomware activity.

MRG Effitas tested security products against 65 ransomware samples. In addition, they tested four ransomware simulator samples created in-house, ensuring the security product could only rely on its behavior scanning modules. To test for false positives, a device running ThreatDown EP also ran three benign programs designed to mimic ransomware behavior.

ThreatDown blocked 100 percent of ransomware threats in the MRG Effitas assessment and did so with no false positives, allowing the three benign programs to run. For this we earned the 360° Ransomware Certification.

**100% of banking malware blocked **

In 2021, 37% of banking malware attacks targeted corporate users. 

We were one of the few vendors who earned a 360° Online Banking Certification, which means ThreatDown EP stopped 100% of threats designed to steal financial information and money from victim’s accounts. To outperform the others, our unique detection technology again came into play.

ThreatDown EP blocked 100% of the 16 financial malware samples, the Magecart credit card-skimming attack, and Botnets designed to steal credentials.

**100% of zero-day threats blocked **

One of the many strong suits of our detection is that it can detect malware that has never been seen before, also called zero-day malware. Again, we were one of the only vendors to detect and block these pernicious threats, which account for 80% of successful breaches.  

Built on machine learning (ML) and behavioral analysis techniques, our behavior-based detection enabled ThreatDown EP to detect and block 100% of all zero-day threats. For this, as well as blocking all Botnets, we earned the 360° Level 1 Certification.

**100% of exploits blocked **

The anti-exploit feature of ThreatDown EP protects organizations from one of the most advanced cyber attacks: zero-day exploits targeting browser and application vulnerabilities.  

But don’t take our word for it: MRG Effitas used 8 different exploitation techniques to try and deliver a malicious payload on a device running ThreatDown EP—but they didn’t get very far. Malwarebytes earned the 360° Exploit Certification for autoblocking 100% of Exploit/Fileless attacks, entirely protecting the system from infection.  

We were one of the few to earn the 360° Exploit Certification all thanks to our proprietary anti-exploit technology, which wraps vulnerable programs in four defensive layers that prevent an exploit from installing its payload, or even executing initial shellcode. 

**Consistency is key **

If there is one shining take away from this accomplishment, it’s that consistency is key.

You don’t want a security solution that passes rigorous tests like MRG Effitas only some of the time. You want a solution that passes them with flying colors all of the time. Clearly, ThreatDown EP, and by extension our ThreatDown Bundles, is that solution.

For organizations that are concerned their current solution may not be up-to-par, the MRG Effitas assessment has demonstrated that ThreatDown—more consistently than anybody else—has what it takes to keep your business safe from today’s most pressing cyberthreats.

 Malwarebytes wins every MRG Effitas award for 2 years in a row 

The NCSC issued a report that warns about the growth and impact of malware, especially ransomware, due to the availability of AI.

The British National Cyber Security Centre (NCSC) says it expects Artificial Intelligence (AI) to heighten the global ransomware threat.

In a report, the NCSC makes the assessment that AI will almost certainly increase the volume and heighten the impact of cyberattacks over the next two years. We’re already seeing that cybercriminals of all trades are using AI in the initial stages of attacks to increase their effectiveness. The NCSC confirmed, saying:

> “All types of cyber threat actor – state and non-state, skilled and less skilled – are already using AI, to varying degrees.”

The NCSC expects the volume and the impact of cyberattacks to grow over the next two years.

The volume is expected to grow because AI lowers the barrier for entry-level cybercriminals to carry out effective access and information gathering operations.

The impact is expected to grow for several reasons:

*   AI already helps cybercriminals to compose more effective phishing emails.
*   AI will help to improve existing tactics, techniques, and procedures (TTPs).
*   Reconnaissance and social engineering are specific fields where AI can be deployed.
*   Stolen data can be analyzed by AI-driven tools and used for even more effective attacks.
*   More advanced threat actors, like state sponsored groups will be on the forefront of more sophisticated methods to utilize AI and others will follow.

Generative AI (GenAI) can already be used to create and entertain a convincing interaction with victims, including the creation of lure documents, without the translation, spelling, and grammatical errors that used to reveal phishing.

The NCSC expects that by 2025, GenAI and large language models (LLMs) will make it difficult for everyone, regardless of their cybersecurity posture, to assess whether an email or password reset request is genuine, or to identify phishing, spoofing, or other social engineering attempts.

Currently only state sponsored groups, professional spyware vendors, and the large criminal operations have access to, and know how to use advanced AI tools to increase the effectivity of their attacks. But that availability will undoubtedly grow.

In how far new moves on the front of a United Nations Cybercrime Treaty will have a short-term effect on the behavior of state-sponsored groups is very hard to predict. I’m inclined to say that international legislation has never stopped any hacktivist before, they were just more careful about revealing their location and their principals.

Professional spyware vendors have deep enough pockets to invest in new tools, training, and development. We can expect them to use AI to find new zero-day vulnerabilities and new exploits for largely unpatched vulnerabilities.

As we at Malwarebytes Labs have tested ourselves, ChatGPT can be used to write ransomware. While this may draw new players to the field, they are not expected to have an immediate impact on the threat level. But the NCSC does expect AI to play a larger role in the near future when it comes to the development of malware and exploits.

Since ransomware is the most profitable form of malware at the moment, and this is expected to stay that way, this threat is likely to see the largest increase in volume. Which means that for the visible part of cybercrime, the landscape is not likely to change dramatically. The numbers may increase and the sophistication of the attacks is likely to grow, but the type of malware is probably the same.

To sum up the conclusion of the report, NCSC chief executive Lindy Cameron said:

> “The emergent use of AI in cyberattacks is evolutionary not revolutionary, meaning that it enhances existing threats like ransomware but does not transform the risk landscape in the near term.”

**How to avoid ransomware**

*   **Block common forms of entry.** Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
*   **Prevent intrusions.** Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
*   **Detect intrusions.** Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption.** Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 AI likely to boost ransomware, warns government body 

A new vulnerability in Fortra GoAnywhere MFT now has exploit code available that allows an attacker to create a new admin user.

On January 22, 2024, software company Fortra warned customers about a new authentication bypass vulnerability impacting GoAnywhere MFT (Managed File Transfer) that allows an attacker to create a new admin user.

Fortra GoAnywhere MFT is a file transfer solution that organizations use to exchange their data. Some of the organizations that use GoAnywhere MFT are considered vital infrastructure such as local governments, financial companies, healthcare organizations, energy firms, and technology manufacturers.

The flaw impacts Fortra GoAnywhere MFT 6.x from 6.0.1 and Fortra GoAnywhere MFT 7.4.0 and earlier.

Customers should either install the latest update (now at 7.4.1) to fix the vulnerability, or eliminate the vulnerability in non-container deployments by deleting the InitialAccountSetup.xhtml file in the install directory and restarting the services. For container-deployed instances, replace the file with an empty file and restart. For additional information, see this advisory for customers (registration required).

By handing out these specific instructions it was to be expected that exploit code would come sooner rather than later. And, indeed, researchers were quick to analyze the flawed file and come up with an exploit and Proof-of-Concept (PoC) code.

Fortra told BleepingComputer earlier that there have been no reports of attacks exploiting this vulnerability. This might change quickly now that exploit code is readily available. To find out if your instance was compromised you should look for any new additions to the **Admin Users** group in the GoAnywhere administrator portal **Users** -> **Admin Users** section. Any new and unknown administrative users indicate a compromise and the login date will give you an idea about the time of compromise.

You can also look at the logs for the database which are stored at \GoAnywhere\userdata\database\goanywhere\log\*.log. These files contain a transactional history of the database, adding users will create entries in that log.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. This vulnerability is listed as:

CVE-2024-0204: Authentication bypass in Fortra’s GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal.

Basically it’s a path traversal flaw that allow attackers to read, and write to, restricted files by inputting path traversal sequences like ../ or /..;/ into file or directory paths.

If the mention of the name of Fortra GoAnywhere sent shivers down your security sensors, you may have been reminded of the exploitation by the Clop ransomware gang of a vulnerability in the same software last year.

Despite several warnings about last year’s vulnerability, a great many victims were made even after the patch was available.

Let’s hope we are capable of learning from the mistakes we made in the past.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

 Patch now! Fortra GoAnywhere MFT vulnerability exploit available 

2023 was the worst ransomware year on record for Education.

_This article is based on research by Marcelo Rivero, Malwarebytes’ ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, “known attacks” are those where the victim **did not** pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher._

2023 was the worst ransomware year on record for Education: according to original ThreatDown research, the sector witnessed a staggering **70% surge** in attacks in the past year, increasing from 129 incidents in 2022 to 265 in 2023.

The spike is further underscored by the increase in median monthly attacks. In 2022 there was an average of 11 attacks per month, but by 2023, this number leapt to 21—marking an **91% uptick** in monthly attacks.

Although the attacks were carried out by several ransomware gangs, two in particular were responsible for the lion’s share of 2023 attacks (50%)—**LockBit and Rhysida** (a rebrand of Vice Society). The data also shows that, while ransomware attacks against education are a global phenomenon, the **US** (with 80% of known attacks) and the **UK** (with 12%) were hit the most frequently attacked countries between January 2023 and December 2023.

Let’s break down attacks on the education sector by the ransomware gangs involved, the countries of target, and which gangs attacked which countries the most.

**The Threat Landscape**

The top gangs that targeted the education sector between January 2023 and December 2023 include **LockBit (60), Vice Society/Rhysida (44)**, CL0P (22), Medusa (17), and Akira (15). Together, these 5 gangs were responsible for about 81% of all Education ransomware attacks.

When we look at which gangs attack educational institutions most **consistently** (with attacks in at least six different months), however, the data tells a slightly different story. While top gangs such as CL0P and Royal may have targeted a significant amount of educational institutions, they tend to attack a majority of their victims in just one or two months.

Again, LockBit and Vice Society/Rhysida emerge as the most consistently prolific attackers against the Education sector. Notice too that Vice Society hasn’t been active since June 2023—the same month we witnessed the rise of Rhysida.

**Geographic Distribution**

When we break down education sector attacks by country, it becomes clear that the US and the UK have a huge target on their back. The US, however, bore the brunt of the onslaught, with **169** reported attacks.

**K-12 vs Higher Ed**

In 2023, **43%** of all ransomware in education attacks in 2023 targeted Higher Ed and **36% of attacks targeted K-12**.

Some of the most high profile attacks on Higher Ed and K-12 in 2023 include an attack against Western Michigan University, which caused a 13-day service disruption, and against the Minneapolis School District, which resulted in over 300,000 files leaked and a $1 million ransom.

**K-12 trends YoY**

Ransomware attacks on K-12 increased **92% between 2022 and 2023**, with 51 attacks in 2022 and 98 total attacks in 2023.

**Higher Ed trends YoY**

Ransomware attacks on Higher Ed increased **70% between 2022 and 2023**, with 68 attacks in 2022 and 116 total attacks in 2023.

**Looking Ahead**

The reality is that tight budgets of many educational institutions force them to struggle with outdated equipment and limited staff, making education an easy target for ransomware gangs. To recap, our key findings include:

*   2023 witnessed a worrying **70% rise in ransomware attacks** on the education sector, increasing from 129 incidents in 2022 to 265.
*   The median number of monthly attacks **surged by 91%**, indicating a heightened and consistent threat throughout the year.
*   LockBit and Rhysida emerged as the primary attackers, responsible for about **50%** of all attacks.
*   The US and the UK bore the brunt of ransomware in education attacks, with over **90% of all attacks** being against these two countries.
*   Both K-12 and higher education institutions faced significant increases in attacks, with a **92% rise in attacks on K-12 and 70% in higher education**, showing widespread vulnerability across all levels of the educational sector, but especially K-12.

Ready to shield your school against threats like LockBit and Rhysida?

The ThreatDown K-12 Bundle integrates AI-driven endpoint security, constant expert monitoring, comprehensive device management, and advanced mobile defense—all at a price that makes sense.

 2024 State of Ransomware in Education: 92% spike in K-12 attacks 

Your smart devices may reveal information about you or your location to an ex-partner. Here's how to lock them out.

Stalkers can use all kinds of apps, gadgets, devices, and phones to spy on their targets, which are often their ex-partners. Unfortunately, while they no doubt have many positive uses, smart home devices give stalkers an array of tools to keep an eye on their targets.

If you are the partner that stays in the house you shared together, you need to make sure that you lock out your ex-partner. This may seem unnecessarily painful at first, but it’s better to be safe than sorry. Your ex doesn’t need to be a hacker when he still has access.

Consider the apps you have shared from your phone. Some of these apps can be queried for information about where, when, and with which device they were last accessed. If you want to keep those apps, make sure you have full control and nobody else has access.

Any camera in your house surely stores more footage about you and your family than of any burglar and this footage is usually stored in the cloud. That means it can be viewed by anyone who has correct login credentials. And, when most people think of security cameras and baby monitors, they will ignore less obvious smart appliances.

A smart doorbell can give away who comes to visit you and when. The setting of your smart thermostat can reveal whether you are at home, in your bed, or if you went out for a while. Even smart lighting systems may give away information about your location inside the house or whether you’ve gone out. Your ex will know some of your habits and can use that to interpret the information provided by smart appliances.

Other smart appliances that may reveal information about you or your whereabouts include your TV, coffee maker, oven, refrigerator, and cleaning robot. Someone could also use these smart appliances to make your life miserable. They may be able to remotely turn up the heat, flash your lights, defrost your refrigerator, set a timer for your oven, and so on.

**How to lock out your ex-partner from your smart home**

There may be more smart appliances in your house than you realize. So, it’s important to make a list and get familiar with their settings, so you can:

*   Change the passwords to previously shared accounts.
*   Make sure that your ex doesn’t have access to the email address any “password reset” mails get sent to.
*   Terminate shared social media accounts.
*   Review access to your Google, iCloud, and email accounts. A malicious stalker with access to such important accounts can ruin your life.
*   Log out devices that are not yours from any app your ex may have had access to.
*   Scan your phone for stalkerware if your ex may have had access to the device.
*   Check your phone for apps that have access to location data and ask yourself whether they actually need them. (see below for instructions).

**How to disable location services**

On **iPhones** you can turn location services off completely at **Settings** > **Privacy & Security** > **Location Services**. Here you can also see, and control, individually which apps and system services have access to Location Services data.

On **Android** devices these settings can be different based on vendor and Android version, but generally speaking one of these methods should work to access Location settings:

Swipe down from the top of the screen and find the Location icon. Touch and hold **Location**

*   or  –

In the **Settings** app > press **Location**

Here you can turn **Location** off or look at the permissions for each individual app.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

Source

Malwarebytes