Malware Bytes

How to deactivate or delete your Facebook account

Malware Bytes Security - Fri, 06/11/2021 - 11:51am

People worldwide use Facebook to connect with friends and family, and to engage in pointless debates with strangers over moderately amusing cat videos. But while some feel that the social media platform is an essential part of life, others find the data scandals and privacy issues disconcerting. For those who wish to take a break from Facebook either temporarily or permanently, instructions for deleting or deactivating your account are below.

Deleting your Facebook account

How to delete your Facebook account from a browser

Removing Facebook for good is easier than you think. Follow this link to the page that allows you to end your account permanently. Click Delete Account, enter your password, and your account is gone forever. But before you do, consider downloading a copy of the information you have stored on Facebook, including photos, videos, and more. Here is an official guide from Facebook that can help.

How to delete your Facebook account from the iPhone app
  1. Start the Facebook app on your iPhone.
  2. Tap the three-lined icon (hamburger menu).
  3. Tap Settings & Privacy.
  4. Tap Settings.
  5. Tap Account Ownership and Control.
  6. Tap Deactivation and Deletion.
  7. Tap Delete Account.
  8. Delete your Facebook app for good measure.
How to delete your Facebook account from the Android app
  1. Start the Facebook app on your Android device.
  2. Tap the three-lined icon (hamburger menu).
  3. Tap Settings & Privacy.
  4. Tap Settings.
  5. Tap Account Ownership and Control.
  6. Tap Deactivation and Deletion.
  7. Tap Delete Account.
  8. Delete your Facebook app for good measure.
The cons of deleting your Facebook account

Deleting your Facebook account can certainly feel liberating. You don’t have to worry about managing your privacy or consuming seemingly endless social media content. But rather than a permanent deletion, some people prefer to take a break from Facebook by deactivating their account for the following reasons:

  • You won’t be able to access Facebook again unless you create a new account.
  • It’s impossible to use Messenger without a Facebook account.
  • Some accounts that you entered through Facebook Login may malfunction. You may need to contact those apps and websites or create new accounts.
  • You’ll permanently lose your data unless you download a copy.
  • You’ll lose your app purchases, achievements, and more related to your Facebook login on Oculus.
Can you undelete Facebook if you change your mind?

Facebook says that it needs up to 90 days from the start of the deletion request to remove everything you’ve posted permanently. It may even keep some data in backup storage for legal issues as part of its data policy. It also offers a 30-day grace period after you erase your account. Here is how to cancel your account deletion within 30 days:

  1. Log in to your Facebook account.
  2. Hit Cancel Deletion.
Deactivating your Facebook account

Deactivating your Facebook is a temporary measure. After you deactivate your account, your Facebook page, including your intro, photos, friends, and posts, is hidden. No one can send you friend requests either. However, your messages are still visible to their recipients. Here are some advantages of deactivating your Facebook instead of deleting it:

  • Your photos, videos, and posts are hidden but not permanently deleted.
  • Facebook Messenger is still fully accessible.
  • You can still access accounts through Facebook Login.
  • You can reactivate Facebook whenever you please by logging in.
How to deactivate your Facebook account from a browser

The same link that allows you to erase your account also allows you to deactivate your account. Hit Deactivate Account and then enter your password to lose access to Facebook temporarily. Alternatively, you can use the following steps:

  1. Select Settings & Privacy from the drop-down menu on the top right.
  2. Click Settings.
  3. Click Your Facebook Information.
  4. Click Deactivation and Deletion.
  5. Select Deactivate Account and hit Continue to Account Deactivation.
  6. Enter your password and deactivate your account.
How to deactivate your Facebook account from the iPhone app
  1. Start the Facebook app on your iPhone.
  2. Tap the three-lined icon (hamburger menu).
  3. Tap Settings & Privacy.
  4. Tap Settings.
  5. Tap Account Ownership and Control.
  6. Tap Deactivation and Deletion.
  7. Tap Deactivate account.
How to deactivate your Facebook account from the Android app
  1. Start the Facebook app on your Android device.
  2. Tap the three-lined icon (hamburger menu).
  3. Tap Settings & Privacy.
  4. Tap Settings.
  5. Tap Account Ownership and Control.
  6. Tap Deactivation and Deletion.
  7. Tap Deactivate Account.
Tips for using Facebook safely

We understand that some users don’t want to deactivate or delete Facebook, but still have safety concerns. There are steps you can take to better manage your privacy and security on Facebook. Here are some tips that may help:

  • Set a long, unique password for your Facebook account. You can use a trusted password manager to make the task easier.
  • Avoid oversharing information on Facebook. Threat actors can use it for social engineering.
  • Be careful when accepting friend requests. Limit posts to trusted friends and not the public.
  • Limit the audience of old posts on your Timeline by clicking General > Privacy > Your Activity > Limit Past Posts.
  • Stop Facebook from using your data to show you tailored ads by clicking General > Ads > Ad Settings.
  • Manage third-party apps that have access to your data by clicking General > Apps and Websites.
  • Beware of social media scams and be careful which links you click on Facebook or in Messenger.

The post How to deactivate or delete your Facebook account appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Cloud vs on premise: 3 reasons the Cloud is winning

Malware Bytes Security - Fri, 06/11/2021 - 11:26am

Thanks to the vast rollout of COVID-19 vaccines to millions of people in the US and Europe, some of us are finally seeing some semblance of a return to normalcy. And organizations, which have experienced first-hand the struggle to stay afloat during months of disruption, are expecting to transition back to how things were.

For some, a life back to normal means employees commuting back to workplaces. Empty cubicles will slowly start filling up again. And face-to-face meetings, either a big group in a conference room or a small one in a coffee shop, will be A Thing once again.

But what about those employees who prefer to work from home, or at least to have the option? And what of businesses happy to be liberated from the constraints of physical workspaces? It seems there are many of both.

The normal we knew of may no longer fit the kind of normal organizations have adjusted for. Remote working during the pandemic has made leadership roles in organizations understand that connectivity—making company data and resources available for all employees who need them, no matter where they are, while keeping that data as secure as possible—is what they and every business really need.

The Cloud, in other words.

Cloud adoption

“Cloud” is a term used to describe a vast network of remote servers located around the world, linked together to form a contiguous platform for computing services that can be subdivided and scaled with ease. It has been around for nearly two decades, and the number of organizations adopting a Cloud strategy had been on the uptick since before the pandemic. The lockdowns and (sometimes imposed) mandatory work from home (WFH) measures during the pandemic have only accelerated Cloud adoption further.

Enterprises are the big spenders on Cloud computing. Yet many organizations have yet to embrace the Cloud—particularly those in the SMB sector. According to the Small & Medium Business Trend Report from Salesforce, “digital forward SMBs”—SMBs that have invested in technology, including the cloud, to drive customer interaction and growth—were better equipped to handle the pandemic.

Half and half: While almost half of SMBs in the paper reported digitizing their operations, almost half of them are still behind. (Source: Salesforce)

If you’re still on the fence about whether you should move your data and operations to the Cloud, or you’re locked in the “on-premise versus Cloud” debate on which one is better, we have identified below the three main reasons why organizations, regardless of size, are migrating to the Cloud.

1. Cost efficiency

Setting up servers and making sure that they are physically secure, have uninterrupted power and air conditioning, and are loaded with properly licensed, patched and updated software is no small task. There are high upfront costs, a multitude of things can go wrong, and it is hard to scale. And the lifetime costs aren’t small either: from electricity bills and maintenance, to that dreaded “end of life” for both hardware and software. When it comes to this kind of computing infrastructure, economies of scale matter, and almost no business can compete with the scale of Cloud providers like Google, Microsoft and Amazon.

Suffice to say, many organizations are opting not to worry about servers and server rooms at all, and instead choosing to pay for what they use by using Cloud infrastructure like AWS, or Cloud services, like Office 365.

2. Security and compliance

Cloud service providers, especially the big-name ones like Amazon and Microsoft, boast of having excellent and powerful security in place by default. Cloud service providers have made it a point to make their security as robust as possible, relieving businesses of many of the basics they struggle with, such as backups, single sign-on, encryption, firewall configuration, and consistent security updates—you name it. The Cloud doesn’t mean you can forget about security, but it can make it much easier to do the right thing.

The same robustness can be said about the physical security of their servers. It would be extremely hard for intruders to physically break into servers that house an organization’s precious data. Cloud providers keep data safe from physical destruction by keeping it in multiple places, and keep it safe from theft by investing in layers of physical security, like fences, guards, surveillance cameras, and biometric access systems.

Security in the Cloud also reduces the attack surface for insider threats because employees and contractors cannot go in and out of rooms they’re not supposed to go to.

When it comes to disasters—and by this, we mean natural and local ones—the locations of on-premise servers are expected to withstand whatever nature throws at them, be it floods, earthquakes, tornadoes, or even the occasional lava spill. However, many on-premise operators don’t have the redundancies they need, seeing them as not cost efficient. Redundancy, on the other hand, is built into a Cloud or hybrid configuration.

Lastly, we’d like to mention that many Cloud providers comply with various security, privacy, and data protection regulations. In the US, we have the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), and the Federal Information Security Management Act (FISMA), among others. Other countries have their own standards that Cloud providers comply with as well.

The security advantage of Cloud services was graphically illustrated in March this year, after Microsoft released patches for four zero-days being exploited by a group dubbed Hafnium. The patches were quickly reverse engineered by multiple criminal groups and automated attacks began soon after. The attacks turned unpatched Exchange servers into backdoors that could be used to steal data or launch ransomware inside company networks. IT teams dropped everything to find and patch their vulnerable servers, Microsoft released a flurry of tools to help, and the FBI even took the highly unusual step of remotely cleaning up some of the compromised servers.

What was notable about the incident is that it affected on-premise Exchange servers, but not the Cloud version. The “patch gap”, the often months-long gap between a patch being made available and it being applied—the gap that criminals were so ruthlessly exploiting—simply didn’t exist in the Cloud.

3. Flexibility

The Cloud allows enormous flexibility, whether you’re adapting quickly to good news or bad. Famously, the Cloud allows services to scale up extremely quickly, avoiding many of the technical problems that can come from growing too fast or becoming suddenly popular.

It can also help when businesses are faced with a sudden, unexpected and challenging situation, as many were in April 2020 as COVID spread around the world. Dyer Brown, a Boston-based architectural firm, is an SMB that adopted the Cloud prior to 2020 and was able to shift its entire workforce to remote work successfully. Employees were able to access important files wherever they were, so productivity and collaboration weren’t sacrificed. The flexibility afforded by the Cloud not only made it possible for their 50 employees to work offsite, but also to take care of sick family members, home-school their kids, and focus more on their health.

It has also become apparent that the flexible work schedule that comes with working remotely has become a make-or-break factor for employees deciding whether to stick with their current company or move to a new one. Some even welcome pay cuts in exchange for working from home.

This is something organizational leaders will need to consider seriously.


How a Resident Evil image leaked in a ransomware attack ended up in the middle of $12m copyright claim

Malware Bytes Security - Thu, 06/10/2021 - 1:43pm

Back in November, gaming giant Capcom suffered a ransomware attack. In its press notification, it mentioned the various types of data potentially grabbed by the attackers. Things took an ominous turn when Capcom refused to pay the ransom, and the group behind the attack said that was the wrong move. Capcom had the chance to “save data from leakage”; it did not take it. Sure enough, a whole collection of files was leaked soon after.

The threat of data drops from scorned ransomware groups is now a common extortion tactic. What we couldn’t have predicted here is one of the ramifications of said drop. Time to wind things forward to June 2021 and a date with a lawsuit. The twist? The lawsuit isn’t aimed at the ransomware authors, but at the compromised company.

Of data drops and research collections

I used to work in and around game / movie development a long time ago. We were incredibly low budget, and did very low budget things. An invaluable source of help at the time were resource guides and collections. Essentially: Big books filled with work compiled by visual artists, composers, designers, whoever. If you were lucky, the book came with a CD loaded with material from the book. Even luckier? You could use the contents for your own work for free. If the project was commercial, you’d typically pay a license fee of some kind.

There were also companies which curated content from multiple artists, and made sure all the licensing behind the scenes was watertight. Where this often went wrong was if the disc went walkabout away from the book.

Organisations would end up with discs lying around in desks, with nobody sure of the source / who had paid for licensing. If someone ripped disc contents, you’d then end up with self-burnt CDs lying around the place which appeared to be in-house creations. You have to be incredibly careful where resource materials are concerned.

If you’re wondering how this ties into the ransomware attack, I’m about to fill in the blanks.

The unintended consequence of a data leak

An artist in this case is seeking $12m in damages from Capcom, claiming Capcom used their imagery from a resource book / CD in a number of its video game titles. This has all come about off the back of the data leak from the ransomware hack. At least one of the images from the stolen and leaked files shares the same file name as what appears to be an identical image from the book’s CD-ROM.

The Juracek Vs Capcom document can be seen here, along with multiple examples of images potentially making their way into games. Sadly, it doesn’t go into detail on the most fascinating part…whether or not the artist became aware as a result of the data breach and subsequent leak. Most reports simply say the artist is using the breach as part of their evidence. There’s also the question of how they became aware of the images in the dump in the first place.

If I had to guess, incredibly knowledgeable fans saw the high resolution images, wondered where they came from, and perhaps got in touch with the creator. This isn’t an unusual thing to happen. Back in the mid 90s I tracked down the music composer for a AAA game series on Japanese language message boards, in order to tell them how cool their music is. It’s a lot easier to do things like this these days which may be a blessing or a curse, or perhaps a bit of both.

However you stack it up, it promises to be a fascinating day in court. This story raises some other issues, too.

Turning a negative into a positive

Some ransomware groups have tried to mix it up a bit in the realm of PR. They present themselves as Robin Hood style renegades, robbing the rich to give to the poor…or, more specifically, giving to charities. An interesting tactic, except charities face all sorts of problems if they’re gifted ill-gotten gains. As mentioned elsewhere, there’s every possibility the “we’re being helpful, honest” approach is merely a ruse to keep up the pretence of respectability. Here, though, we run into a bit of a problem.

The artist in question has made what they feel to be a valid complaint, and is having their day in court as a result. Being able to tie specific file names from their CD-ROM to named files in Capcom folders off the back of the hack? That probably strengthens their case quite a bit.

Put simply, these ransomware authors…and anyone else, for that matter…can now point to this story as evidence that they did in fact “help” someone in indirect fashion.

New frontiers in the ransomware world

The fallout from the attack could prompt a new ransomware tactic. It’s not a stretch to think breachers will go looking for copyright / related violations. After all, some ransomware groups have already shown an interest in how they can weaponize the data they’ve stolen, beyond simply leaking it.

With so many ways to tie found materials to the original source online, they may view this as an easy PR win. On top of all the other issues with ransomware, we probably don’t need its authors yelling “Look! We’re helping!” every time a new leak hits. When a creator is potentially $12 million out of pocket, it becomes increasingly tricky to argue against it.

Sure, this is still potentially another way for people who don’t actually care about helping people to act as if they do. But if the end result is the same and someone does benefit, it doesn’t really matter a whole lot. As far as the ransomware authors are concerned, they’ll have a collection of individuals telling everyone how cool they are.

It’s to be hoped we don’t end up fighting a PR war on top of the technical battle already raging across networks everywhere. I’m not sure I agree that “any publicity is good publicity”, but good publicity certainly is. So in case anyone is tempted to offer ransomware operators the benefit of the doubt, let’s not forget they’re the same organised crime gangs that think little of attacking hospitals.


Russia accused of hacking Dutch police during MH17 investigation

Malware Bytes Security - Thu, 06/10/2021 - 10:19am

Journalists at the Dutch newspaper “De Volkskrant” have reported that the country’s intelligence service, AIVD, discovered in 2017 that Russian hackers had broken into Dutch police systems. The De Volkskrant report is based on knowledge from anonymous sources. The reason behind this act of espionage is thought to be the ongoing MH17 investigation.

A little background: on July 17, 2014, Malaysia Airlines Flight 17 (MH17) was shot from the sky over Ukraine on its way from Amsterdam to Kuala Lumpur. The plane was hit by a surface-to-air missile, and as a result, all 298 people on board were killed, the majority of them Dutch.

At that time, there was a revolt of pro-Russian militants against the Ukrainian government which is thought to have been backed by Russia. Russia denied any direct involvement at the time but later admitted to having military intelligence officers in the country. Both the Ukrainian military and the separatists denied responsibility for the MH17 incident.

A large disinformation campaign was launched to obscure who was responsible.

The discovery

The Dutch police only became aware it had been breached after a tip-off from AIVD, and the discovery caused a major panic, according to the newspaper. Whether and which data was stolen is not clear, insiders told the Volkskrant. That is understandable: the police network is a huge one, spread out across the country. Apparently the point of first entry was a server of the Police Academy. After discovery, the decision was made that putting a stop to the intrusion as quickly as possible was more important than figuring out what the intruders were after.

So, at this point it is unclear exactly what information the intruders were after, and even whether they succeeded in finding it. According to the Volkskrant, due to a lack of monitoring and logging, the AIVD and Dutch Police have very little knowledge of what the hackers did inside the police network. “There were a lot of question marks,” the newspaper’s source said. “How long had they been inside? Was this the first time? Had they already siphoned off data? That wasn’t clear.”

Dutch police

The Dutch police took the lead in the investigation of the MH17 incident. The Joint Investigation Team (JIT), a special team set up to investigate the MH17 incident, comprises officials from the Dutch Public Prosecution Service and the Dutch police, along with police and criminal justice authorities from Australia, Belgium, Malaysia and Ukraine. On July 5, 2017 the JIT countries decided that the prosecution of those responsible for downing flight MH17 would be conducted in the Netherlands.

The timing of the attack against the police could be coincidental, but it is notable that the attack took place in that same month.

Information feeds disinformation

One possible motive for the attack is disinformation. The best lies are based on truth after all. Reportedly, the Dutch justice department and the Dutch police were targeted with phishing emails and cars filled with listening equipment were found in the vicinity of the “Landelijk Parket”, which is the part of the justice department that deals with both national and international organized crimes. Knowing which facts were already known could be instrumental in building believable lies without revealing new facts.

We have reported before about the Russian disinformation campaigns regarding this incident. More recently, in November of 2020, Bellingcat, which has been instrumental in retrieving information about the attack on flight MH17, published evidence that Bonanza Media, a self-styled independent investigative platform, is in fact a special disinformation project working in coordination with Russia’s military intelligence. The open-source intelligence outfit asserts that:

While we have not yet established conclusively whether Russia’s military intelligence agency, best known as the GRU, was behind the initial launch and funding of the Bonanza Media project, we have established that shortly after it was launched, senior members of the GRU entered into direct and regular communication with the project leader.

It is no coincidence that one of the main forces behind Bonanza is Dutch as well. Together with former Russia Today journalist Yana Yerlashova, Bonanza was set up by blogger and journalist Max van der Werff.

Eliot Higgins, the founder and executive director of Bellingcat, has called out what he says are Russian lies, and the interplay between the official Russian position and the disinformation propagated by so-called MH17 “Truthers”, in his recent tweets about the ongoing MH17 court hearings.

This video is now being shown in court, showing the Buk traveling south out of Snizhne towards the eventual launch site. The MH17 truthers have repeatedly tried to claim this is fake footage, and Russia has even claimed this was uploaded the day before MH17 was shot down.

— Eliot Higgins (@EliotHiggins) June 10, 2021

Cozy Bear

Top suspect of the attack on the Dutch police is APT29 (Cozy Bear), a well-known hacking group that the White House linked earlier this year to the Russian Foreign Intelligence Service, also known as the SVR. They are also suspected to be behind the SolarWinds attack and other international espionage cases.

Neither the Dutch police nor the AIVD commented on the publication by the Volkskrant, but we do know that the AIVD is closely monitoring a reorganization to improve the security of the Dutch police’s networks.

The international court in The Hague is in the middle of the MH17 trials, and Russia’s interference is unlikely to do its case any good, but of course it will deny any involvement.


How to clear cookies

Malware Bytes Security - Wed, 06/09/2021 - 12:27pm

Until the information age, cookies were only known as a tasty but unhealthy snack that some people enjoyed, and others avoided. HTTP cookies, also known as computer, browser, or Internet cookies, are similarly divisive. Although some people like the more personalized browsing experience created by cookies, others have privacy concerns.

Cookies are small pieces of information that websites can store in your browser. A website can check that information each time you interact with it, and that allows it to tell you apart from everyone else. Without cookies you would never be able to log in to a website or store items in a shopping cart.

However, that ability to tell you apart from everyone else is also what makes cookies extremely useful for cross-site tracking and advertising. Thankfully, privacy-conscious users can disrupt that tracking by blocking or clearing cookies, and both are easy to do. Although there are plenty of tools that can help manage your cookies, you can also clear the decks directly in your browser. Here’s how:

Clearing cookies on a desktop computer

The following instructions will guide you through clearing cookies on the most popular desktop and mobile browsers (as of June 2021).

How to clear cookies in Chrome on Windows
  1. Start Google Chrome.
  2. Click the vertical three-dots icon on the top right-hand corner and then select History—alternatively, press Ctrl+H in Chrome.
  3. Click Clear browsing data.
  4. Select Cookies and other site data.
  5. Select All time in the Time range dropdown menu.
  6. Click Clear data to clear cookies in Google Chrome.
  7. Click Block all cookies in Cookies and other site data to turn off cookies permanently.
How to clear cookies in Firefox on Windows
  1. Start Firefox.
  2. Click the three-lined icon (hamburger menu) on the top right-hand corner and select Options next to the gear icon.
  3. Click Privacy & Security and then Cookies and Site Data.
  4. Select Cookies and Site Data.
  5. Select Cached Web Content.
  6. Hit Clear to clear cookies in Firefox.
  7. You can also click Strict in Privacy & Security to block most cookies, but this may cause websites to malfunction in Firefox.
How to clear cookies in Edge on Windows
  1. Start Microsoft Edge.
  2. Click the horizontal three-dots icon on the top right-hand corner and select Settings next to the gear icon.
  3. Click Privacy, search, and services.
  4. Click Choose what to clear under Clear browsing data.
  5. Select Browsing history, Download history, Cookies and other site data, and Cached images and files.
  6. Hit Clear now to clear cookies in Microsoft Edge.
  7. Click Block third-party cookies in Cookies and site preferences to block third-party cookies permanently.
How to clear cookies in Opera on Windows
  1. Start Opera.
  2. Click Settings on the top left-hand corner.
  3. Click Advanced and then Privacy & Security.
  4. Click Clear browsing data. Alternatively, press Ctrl+Shift+Del to open your Clear browsing data options faster.
  5. Select Cookies and site data.
  6. Hit Clear data to clear cookies in Opera.
  7. Click Cookies and site data under Site Settings to find options to block all third-party cookies permanently.
How to clear cookies in Safari on macOS
  1. Start Safari on your Mac.
  2. Select Preferences and then click on Privacy.
  3. Find Cookies and website data and hit Manage Website Data.
  4. Press Remove All and Done to clear cookies in Safari.
  5. Click Block all cookies under Manage Website Data and tick Prevent cross-site tracking to turn off cookies permanently.
Clearing cookies on a mobile device

How to clear cookies in Chrome for Android
  1. Start the Chrome app.
  2. Click the vertical three-dots icon on the top right-hand corner and then select History.
  3. Click Clear browsing data…
  4. Select All time in the Time range drop-down menu.
  5. Click Clear data to clear cookies in Chrome on an Android device.
How to clear cookies in Firefox for Android
  1. Start the Firefox app.
  2. Click the three-dot icon in the corner and hit Privacy.
  3. Click Delete browsing data.
  4. Select Cookies and click Clear Data.
  5. Alternatively, click Clear private data on exit to clear cookies in Firefox on an Android device.
  6. Click Disabled in Cookies to turn off cookies permanently.
How to clear cookies in Safari for iOS
  1. Click Settings on your iOS device.
  2. Find Safari.
  3. Click Clear History and Website Data to clear your cookies and history in iOS.
  4. Alternatively, click Settings, Safari, Advanced, Website Data, and then hit Remove All Website Data to clear cookies in iOS but keep your history.
  5. Click Block All Cookies in Safari to turn off cookies permanently.
How to clear cookies in Firefox for iOS
  1. Start the Firefox app.
  2. Click the three-lined icon (hamburger menu) on the lower-right corner.
  3. Hit Settings.
  4. Select Data Management.
  5. Click Clear Private Data to clear cookies in Firefox on iOS.
  6. Click Cookies in Data Management to turn off cookies permanently.
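The cookie behaviour described at the top of this article (one identifier that tells you apart from everyone else, reused by a tracker embedded on unrelated sites, and cut off by clearing or blocking cookies) as an added toy model. This is example code written for this page, not code from the article or from any browser; the hosts news.example, shop.example and tracker.example and the cookie names are constructed.

```python
"""Toy model of browser cookie handling (constructed example, not code
from the article). Hosts news.example, shop.example and tracker.example
are made up. It shows how one tracker embedded on two unrelated sites
links a browser's visits through a third-party cookie, how clearing
cookies or blocking third-party cookies breaks that link, and why a
first-party cookie such as a shopping cart still works when third-party
cookies are blocked but is lost when all cookies are cleared."""
import itertools


class CookieJar:
    """Browser-side cookie store keyed by (host that set it, cookie name)."""

    def __init__(self, block_third_party=False):
        self.store = {}
        self.block_third_party = block_third_party

    def _blocked(self, request_host, top_level_host):
        # Simplification: a request to any host other than the page's own
        # host is a third-party request; real browsers compare eTLD+1.
        return self.block_third_party and request_host != top_level_host

    def cookies_for(self, request_host, top_level_host):
        """Cookies the browser would attach to a request."""
        if self._blocked(request_host, top_level_host):
            return {}
        return {name: value for (host, name), value in self.store.items()
                if host == request_host}

    def accept(self, request_host, top_level_host, set_cookie):
        """Store Set-Cookie values unless the third-party block applies."""
        if self._blocked(request_host, top_level_host):
            return
        for name, value in set_cookie.items():
            self.store[(request_host, name)] = value

    def clear(self):
        """Equivalent of 'Clear cookies and site data' in the browser UI."""
        self.store.clear()


class TrackerServer:
    """Analytics host embedded on many sites; tags each browser with a uid."""

    def __init__(self):
        self._ids = itertools.count(1)
        self.log = []  # (site the pixel was loaded from, uid) observations

    def handle(self, cookies, embedding_host):
        uid = cookies.get("uid")
        set_cookie = {}
        if uid is None:  # unknown browser: assign a fresh identifier
            uid = f"u{next(self._ids)}"
            set_cookie["uid"] = uid
        self.log.append((embedding_host, uid))
        return set_cookie


def load_page_with_pixel(jar, tracker, site_host):
    """Load a page on site_host that embeds a tracker.example pixel."""
    cookies = jar.cookies_for("tracker.example", site_host)
    set_cookie = tracker.handle(cookies, site_host)
    jar.accept("tracker.example", site_host, set_cookie)


def tracker_view(block_third_party=False, clear_between=False):
    """uids the tracker records for a visit to news.example, then shop.example.
    Identical uids mean the two visits were linked to one browser."""
    jar = CookieJar(block_third_party)
    tracker = TrackerServer()
    load_page_with_pixel(jar, tracker, "news.example")
    if clear_between:
        jar.clear()
    load_page_with_pixel(jar, tracker, "shop.example")
    return [uid for _, uid in tracker.log]


def shop_cart(cookies, add_item=None):
    """First-party shop.example: the cart lives in the browser's cookie."""
    cart = [item for item in cookies.get("cart", "").split(",") if item]
    if add_item:
        cart.append(add_item)
    return {"cart": ",".join(cart)}, cart


def cart_contents(block_third_party=False):
    """Cart seen by shop.example before and after clearing all cookies."""
    jar = CookieJar(block_third_party)
    set_cookie, _ = shop_cart(jar.cookies_for("shop.example", "shop.example"), "book")
    jar.accept("shop.example", "shop.example", set_cookie)
    _, before = shop_cart(jar.cookies_for("shop.example", "shop.example"))
    jar.clear()
    _, after = shop_cart(jar.cookies_for("shop.example", "shop.example"))
    return before, after


if __name__ == "__main__":
    print("third-party allowed:", tracker_view())                      # ['u1', 'u1']
    print("cleared between    :", tracker_view(clear_between=True))    # ['u1', 'u2']
    print("third-party blocked:", tracker_view(block_third_party=True))  # ['u1', 'u2']
    print("cart before/after  :", cart_contents(block_third_party=True))  # (['book'], [])
```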


Microsoft fixes seven zero-days, including two PuzzleMaker targets, Google fixes serious Android flaw

Malware Bytes Security - Wed, 06/09/2021 - 10:50am

This Patch Tuesday harvest was another big one. The Windows updates alone included fixes for seven zero-day vulnerabilities: two that are being actively exploited in the wild by a group called PuzzleMaker, four others that have also been seen in the wild, plus one zero-day not known to have been actively exploited. Add to that 45 vulnerabilities labelled important, and security updates for Android, Adobe, SAP, and Cisco. You can practically see the IT staff scrambling to figure out what to do first and what needs to be checked before applying the patches.


Security researchers have discovered a new threat actor, dubbed PuzzleMaker, which was found using a chain of Google Chrome and Windows 10 zero-day exploits in highly targeted attacks against multiple companies worldwide. Unfortunately, the researchers were unable to conclusively identify the Chrome vulnerability that was used (but they do have a suspect). The good news is that the two Windows vulnerabilities in the attack chain were fixed in the Windows 10 KB5003637 and KB5003635 cumulative updates. These vulnerabilities are listed as CVE-2021-31955, a Windows kernel information disclosure vulnerability, and CVE-2021-31956, a Windows NTFS elevation of privilege vulnerability.

Other critical issues

The other critical patches made available by Microsoft this June include these actively exploited vulnerabilities:

  • CVE-2021-33739, Microsoft DWM Core Library Elevation of Privilege Vulnerability.
  • CVE-2021-33742, Windows MSHTML Platform Remote Code Execution Vulnerability.
  • CVE-2021-31199, Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability.
  • CVE-2021-31201, another Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability.

Not (yet) actively exploited zero-day vulnerability:

  • CVE-2021-31968 Windows Remote Desktop Services Denial of Service Vulnerability.

Other critical updates:

  • CVE-2021-31963 Microsoft SharePoint Server Remote Code Execution Vulnerability.
  • CVE-2021-31959 Scripting Engine Memory Corruption Vulnerability.
  • CVE-2021-31967 VP9 Video Extensions Remote Code Execution Vulnerability.
  • CVE-2021-31985 Microsoft Defender Remote Code Execution Vulnerability.
  • CVE-2021-33742 Windows MSHTML Platform Remote Code Execution Vulnerability.

The Android Security Bulletin of June 7 mentions a critical security vulnerability in the System component that “could enable a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process”, which is as bad as it sounds. That vulnerability, listed as CVE-2021-0507, could allow an attacker to take control of a targeted Android device unless it’s patched.


Cisco has issued a patch for a vulnerability in the software-based SSL/TLS message handler of Cisco Firepower Threat Defense (FTD) Software that could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition. An attacker could exploit this vulnerability by sending a crafted SSL/TLS message through an affected device. SSL/TLS messages sent to an affected device do not trigger this vulnerability. Cisco informs us that there is no workaround for this issue; patching is the only solution.


In the SAP advisory for Security Patch Day – June 2021 we can find two issues that are labelled as “Hot News”:

  • CVE-2021-27602: SAP Commerce, versions 1808, 1811, 1905, 2005, 2011. The Backoffice application allows certain authorized users to create source rules which are translated to Drools rules when published to certain modules within the application. An attacker with this authorization can inject malicious code in the source rules and perform remote code execution, enabling them to compromise the confidentiality, integrity and availability of the application.
  • CVE-2021-27610 Improper Authentication in SAP NetWeaver ABAP Server and ABAP Platform.

To top things off, Adobe has released a giant Patch Tuesday security update that fixes vulnerabilities in ten applications, including Adobe Acrobat (of course), Reader, and Photoshop. Notably, five vulnerabilities in Adobe Acrobat and Reader were fixed, among them multiple critical ones. Acrobat’s determination to cement its place as the new Flash shows no sign of dimming.

Successful exploitation could lead to arbitrary code execution in the context of the current user on both Windows and macOS. The same is true for two critical vulnerabilities in Photoshop that could lead to arbitrary code execution in the context of the current user.


Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services), which is why we try to link to the MITRE list of CVEs where possible. It allows interested parties to find and compare vulnerabilities.

Happy patching, everyone!

TrickBot indictment reveals the scale and complexity of organized cybercrime

Malware Bytes Security - Tue, 06/08/2021 - 2:07pm

Back in 2016, we saw the emergence of a botnet mainstay called TrickBot. Initially observed by our Labs team spreading via malvertising campaigns, it quickly became a major problem for businesses everywhere. Whether spread by malvertising or email spam, the end result was the same. Data exfiltration and the threat of constant reinfection were the order of the day.

Over time, it evolved. Tampering with web sessions depending on mobile carrier is pretty smart. Other features such as disabling real-time monitoring from Windows Defender were also added. In fact, wherever you look, there’s the possibility of stumbling upon a TrickBot reference when digging into other attacks.

The tricky problem of “sophisticated” attacks

The word “sophisticated” is used a lot in security research. Sometimes, it’s used even if an attack being discussed is a basic phish, or maybe some very generic malware.

However, TrickBot is a pretty formidable opponent. As is often the case, the “sophisticated” part isn’t necessarily just about the files themselves. There’s also the organisation behind the scenes to contend with. We’re talking people, infrastructure, small groups of individuals all working to make some code, and keep it ticking over. To grab the exfiltrated data and make something of it. Wherever you look where TrickBot is concerned, there’s probably another cluster of specialised people up to no good. This isn’t a good thing when tackling malware developments.

“How bad is it, really?”

Have you ever stopped to consider “what, exactly, are we up against” when dealing with malware? This week’s events are a very good, and rather alarming, illustration.

What happened this week, you ask? That would be a potentially major blow to the TrickBot crew. A Latvian woman has been charged for her alleged role in a transnational cybercrime organisation. That organisation, as you’ll have guessed, is all about TrickBot shenanigans. What’s particularly interesting here is how it illuminates just how much work goes into development. It isn’t one person sitting in their bedroom. It’s an actual criminal enterprise, run as a business, with lots of different divisions and moving parts.

There are malware managers in hiring roles, recruiting developers to produce the files. This is done on Russian-language job websites, and made to look as if it’s for “regular” coding jobs.

There are people looking after finances, and testing malware against CAV services. Money mules and spear phishing are thrown into the mix alongside social engineering and international theft of money, personal, and confidential information.

Peeling back the TrickBot onion

This is just skimming the surface of what was happening under the hood. An entire infrastructure was created, with servers, VPNs, and VPS providers combined by the TrickBot crew to create the perfect malware deployment environment. That’s before you get to the crypters, hired to help evade detection from security software. Or how about those responsible for the spamming tools? The folks monitoring bank website flows to figure out how to defeat multi-factor encryption? There’s even someone creating coding tests, to ensure potential malware author hires know what they’re doing in terms of injections.

Make no mistake, the groups infecting millions of computers worldwide and making huge amounts of money aren’t doing it by accident. What cases like United States of America v. Alla Witte show us is that it’s efficient, structured, and very organised indeed.

The basic plan? Infect computers with TrickBot, spread across networks, grab banking details, and then steal funds. Said funds would then be laundered across a variety of bank accounts “controlled by the defendant and others”. Ransomware would also be deployed, for that final splash of cash.

As touched on above, the group hired experts in a variety of cybercrime fields. This was a perfect accompaniment to the modular, ever-evolving TrickBot. This itself was built upon the framework of the older Dyre malware, with all the years of experience and field expertise you’d expect coming along for the ride.

Evading the long arm of the law

Certain elements of the team helped evade detection by making use of multiple tricks to keep out of law enforcement’s reach. Stolen credit cards and fake identities paid for behind-the-scenes tech like servers and domains. Multiple proxies were used for communications purposes. Emails and attachments were encrypted, and chat in a private messaging server was also locked down. Multiple VPN services used around the world were the final anonymous splashes of icing on a very large cake.

Big scams, big numbers

The full arrest warrant document [PDF] is roughly 60 pages long, and contains an incredible amount of information. It breaks everything down by category, explaining how the malware and its injections worked, and how the multi-stage laundering took place, including dates and transaction amounts. The wire transfers listed range from $44,900 to $230,400 across most of 2017 to 2018. There’s even an incredible attempted wire transfer of approximately $691,570,000 between 19 and 20 October 2017.

It’s possible time has now been called on this TrickBot crew. No matter what happens, you can be sure other groups are out there right now doing much the same things. A few of them will be just as big, just as well organised, and firing even bigger plundered sums of cash around banking infrastructure.

Next time you read about a piece of malware in the news, consider the sobering thought that it is the tip of a very long spear. An in-depth process lies under the surface keeping said malware in operation. How bad is it really? What, exactly, are we up against?

The answer is: all of the above, and more.

800 arrests after police dupe crime groups into using backdoored phones

Malware Bytes Security - Tue, 06/08/2021 - 8:52am

An international operation that monitored an encrypted device company under the control of the Federal Bureau of Investigation (FBI) and the Australian Federal Police (AFP) has led to a massive, coordinated sting by law enforcement in several countries.

The setup

Law enforcement agencies around the world have long campaigned for encryption backdoors, so they can see what criminals are saying to each other. Unable to break the encryption of existing messaging apps, the FBI and the AFP came up with an ingenious plan to get criminals to use a device for encrypted communication that they could eavesdrop on.

The FBI created an app called AN0M to fill the void left behind by the dismantling of several encrypted platforms used by criminals. Custom cellphones with the FBI-controlled platform installed were sold on underground markets and grew in popularity. Of course, not all the users interested in these devices were necessarily criminals, but the phones turned out to be very popular among criminals of all kinds, including outlaw motorcycle gangs, Italian organized crime, Asian crime syndicates, and international drug traffickers.

As a result, law enforcement officials have been monitoring what they had to say for nearly three years.

The operation

The name of the operation was different depending on who you ask. The AFP refers to it as Special Operation Ironside, Europol ran an Operational Task Force to support the sting and called it Greenlight, and the FBI (and many others) call it Operation Trojan Shield. Which is very fitting as it pretended to offer the criminals a shield to hide their messages, but that shield was in fact a Trojan horse.

The goal of the new platform was to target global organized crime, drug trafficking, and money laundering organizations, regardless of where they operated, with an encrypted device that had features that would appeal to organized crime networks, such as remote wipe and duress passwords, to persuade criminal networks to pivot to the device.

The service is said to have provided over 12,000 encrypted devices to over 300 criminal syndicates operating in more than 100 countries.

The cooperation

The FBI had the lead in the investigation, aided by the AFP, which provided the systems needed to decrypt the messages. Europol supported the operation by coordinating the international law enforcement community that was involved, by enriching the information picture and bringing the criminal intelligence into ongoing operations to target organized crime and drug trafficking organizations. The following countries participated in the international coalition: Australia, Austria, Canada, Denmark, Estonia, Finland, Germany, Hungary, Lithuania, New Zealand, the Netherlands, Norway, Sweden, the United Kingdom, and the United States.

Is it legal?

Of course it was, you would say, since it was run by law enforcement. But listening in on the conversations of people you have no evidence against is not allowed in many countries. The AFP’s prominent role may be related to Australia’s Telecommunications and Other Legislation Amendment (TOLA), passed in 2018. The TOLA provides Australian law enforcement with the ability to make technical assistance requests (TARs) that oblige companies providing technical services in Australia to help them decrypt messages with technical assistance or new capabilities.

Providing a service after taking down the real enablers

It is ironic in a way that the need for an encrypted device company arose after the EncroChat system had been compromised so that law enforcement could eavesdrop, and the Sky ECC communication service was unlocked. After these events AN0M was welcomed in criminal circles and passed on by word-of-mouth advertising. Australian Federal Police Commissioner Reece Kershaw:

“Essentially, they have handcuffed each other by endorsing and trusting AN0M and openly communicating on it — not knowing we were watching the entire time.”

You had to know a criminal to get hold of one of these customized phones and you could only communicate with someone on the same platform. This probably helped to limit the number of customers to the “target audience” of the agencies that ran the sting operation.

The results

To say that the operation was a success would be an understatement. Law enforcement agencies report that around 800 suspects have been arrested. Searches of more than 700 houses have resulted in the seizure of over eight tons of cocaine, 22 tons of cannabis and cannabis resin, two tons of synthetic drugs, six tons of synthetic drugs precursors, 250 firearms, 55 luxury vehicles and over $48 million in cash and cryptocurrencies.

Why stop now?

Given the operation was so successful, questions have been raised about why its use wasn’t continued. The decision to stop the operation was reportedly made jointly by all the international partners. But Commissioner Kershaw is reported to have hinted at “a legal time frame on this operation”, about which more details might be revealed later on. We’ll keep you posted.

DOJ recovers pipeline ransom, signals more aggressive approach to cybercrime

Malware Bytes Security - Tue, 06/08/2021 - 5:53am

The US Department of Justice announced Monday that it recovered much of the ransomware payment that Colonial Pipeline paid to free itself from the attack that derailed the oil and gas supplier’s operations for several days last month.

The seizure of 63.7 of the initial 75 paid bitcoins represented the first success of the Justice Department’s Ransomware and Digital Extortion Task Force, a team formalized just months ago, according to reporting from The Wall Street Journal. The value of the recovered bitcoins stands at roughly $2.3 million.

Justice Department Seizes $2.3 Million in Cryptocurrency Paid to Ransomware Extortionists: @TheJusticeDept today announced that it has seized 63.7 bitcoins that allegedly represent the proceeds of a May 8 ransom payment to DarkSide cyber actors.

— FBI (@FBI) June 7, 2021

Some commentators have speculated that the discrepancy between what was paid and what was recovered may be accounted for by the fact that Darkside ransomware is sold under the Ransomware-as-a-Service (RaaS) model. The missing money (about 15% of the total) may be the fee the attackers paid the Darkside creators for using their malware.

In statements prepared Monday, US Deputy Attorney General Lisa Monaco characterized the operation as a victory and a representation of the Justice Department’s full powers.

“Following the money remains one of the most basic, yet powerful tools we have,” Monaco said. “Ransom payments are the fuel that propels the digital extortion engine, and today’s announcement demonstrates that the United States will use all available tools to make these attacks more costly and less profitable for criminal enterprises. We will continue to target the entire ransomware ecosystem to disrupt and deter these attacks.”

Monaco added that the Department of Justice’s actions showcased the “value of early notification to law enforcement”—a clear signal that the federal government is now operating in lockstep to curb the threat of ransomware. In mid-May, the White House emphasized the importance of cyberattack notification when President Joe Biden signed an Executive Order that requires such warnings from technology companies that sell their products to the federal government, and weeks later, the Transportation Security Administration (TSA) rolled out a new cybersecurity directive for all US pipeline companies that will require pipelines to notify the government of any cyberattacks.

According to a sworn affidavit in support of a “seizure warrant” that was revealed Monday, Monaco’s statement about “following the money” was surprisingly literal. According to the affidavit, law enforcement tracked Colonial Pipeline’s payment across the public Bitcoin ledger until much of the payment landed in one specific Bitcoin address, which the outlet The Record identified here. After the funds arrived at the Bitcoin address—which law enforcement referred to as the “Subject Address”—they were not touched for days.
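The “following the money” step described above, as an added illustration that is not part of the Malwarebytes post or the DOJ affidavit: a toy forward trace over a simplified UTXO ledger. Every transaction id, address (including the `SUBJECT_ADDR` placeholder), block height and amount below is constructed to mirror the shape of the story, not taken from the real chain.

```python
"""
Constructed "follow the money" trace over a simplified UTXO ledger.

Model: each transaction spends references (prev_txid, vout) and creates
outputs (address, value).  Starting from one output, we walk forward
through every spend until we reach outputs nobody has spent yet, which is
where the funds currently rest.  All data here is made up for illustration.
"""
from collections import deque
from dataclasses import dataclass

SATOSHI = 100_000_000  # 1 BTC = 1e8 satoshi; integers avoid float rounding


@dataclass(frozen=True)
class TxOut:
    address: str
    value: int  # satoshi


@dataclass(frozen=True)
class Tx:
    txid: str
    height: int      # block height the transaction was mined in
    inputs: tuple    # (prev_txid, vout) references being spent
    outputs: tuple   # TxOut objects created


# Placeholder for the address the affidavit calls the "Subject Address".
SUBJECT_ADDR = "bc1q-subject-address-placeholder"

# Constructed ledger: a 75 BTC payment is split by the recipient; 63.7 BTC
# settles at SUBJECT_ADDR and the remaining 11.3 BTC moves elsewhere.
LEDGER = [
    Tx("ransom", 1000, (("victim_funds", 0),),
       (TxOut("attacker_inbox", 75 * SATOSHI),)),
    Tx("split", 1003, (("ransom", 0),),
       (TxOut("affiliate_hop", 637 * SATOSHI // 10),   # 63.7 BTC
        TxOut("operator_fee", 113 * SATOSHI // 10))),  # 11.3 BTC
    Tx("settle", 1010, (("split", 0),),
       (TxOut(SUBJECT_ADDR, 637 * SATOSHI // 10),)),
    Tx("cashout", 1011, (("split", 1),),
       (TxOut("exchange_deposit", 113 * SATOSHI // 10),)),
]


def index_ledger(txs):
    """Build txid -> Tx and (prev_txid, vout) -> spending txid lookups."""
    by_id = {tx.txid: tx for tx in txs}
    spent_by = {ref: tx.txid for tx in txs for ref in tx.inputs}
    return by_id, spent_by


def follow_the_money(txs, start_txid, start_vout=0, tip_height=None):
    """Walk forward from one output through every spend.

    Returns the still-unspent outputs the funds ended up in, largest first,
    as dicts {address, value, landed_at, idle_blocks}.  Every output of a
    spending transaction is treated as tainted (a "poison" heuristic), so
    change outputs and co-mingled inputs can overstate the tainted set.
    """
    by_id, spent_by = index_ledger(txs)
    if tip_height is None:
        tip_height = max(tx.height for tx in txs)
    queue, seen, resting = deque([(start_txid, start_vout)]), set(), []
    while queue:
        ref = queue.popleft()
        if ref in seen:
            continue
        seen.add(ref)
        txid, vout = ref
        tx = by_id[txid]
        if ref in spent_by:
            nxt = by_id[spent_by[ref]]          # the transaction that spent it
            queue.extend((nxt.txid, i) for i in range(len(nxt.outputs)))
        else:
            out = tx.outputs[vout]              # unspent: funds rest here
            resting.append({"address": out.address, "value": out.value,
                            "landed_at": tx.height,
                            "idle_blocks": tip_height - tx.height})
    resting.sort(key=lambda r: -r["value"])
    return resting


def unspent_balance(txs, address):
    """Sum of outputs to `address` that no transaction in `txs` has spent."""
    _, spent_by = index_ledger(txs)
    return sum(out.value for tx in txs for i, out in enumerate(tx.outputs)
               if out.address == address and (tx.txid, i) not in spent_by)


if __name__ == "__main__":
    for hop in follow_the_money(LEDGER, "ransom"):
        print(f"{hop['address']:36} {hop['value'] / SATOSHI:8.2f} BTC "
              f"landed at height {hop['landed_at']}, idle {hop['idle_blocks']} blocks")
```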

Then, a bit of mystery happened.

According to the affidavit, the Justice Department was able to retrieve funds from the Subject Address because the FBI obtained that address’s related “private key.”

Private keys are somewhat like passwords, in that they are not to be shared, but they are also more complex than that. Private keys are randomized strings of letters and numbers that are cryptographically related to the Bitcoin address that they access. Reverse engineering a private key is technically infeasible, which means that somehow, the FBI obtained an example of possibly the most closely guarded secret for any cryptocurrency user today.

Some users keep their private keys on exchanges (websites for trading bitcoins). If the Colonial Pipeline attackers kept their key on a US-based exchange it would be an easy matter for the FBI to seize it. However, security-conscious Bitcoin users tend to keep their keys where they can see and secure them, on computers they own.

How the FBI managed to get the key is unclear, but a week after the Colonial Pipeline attack, Darkside said it lost control of some of its servers. In the same announcement, the threat actors also said they lost some ransom payments.

Whether the US government removed Darkside’s server access is not known, but the FBI’s ability to obtain a Bitcoin address private key still reveals a new attitude in America’s fight against cybercrime—a fierce, antagonistic approach that potentially crosses ethical lines.

In April, the Department of Justice revealed that the FBI had obtained the somewhat extraordinary authority to access servers it did not own or control so that it could remove web shells placed by cybercriminals who exploited zero-day vulnerabilities in on-premises versions of Microsoft Exchange Server software. These web shell removals were performed with no notification to the servers’ owners.

Similarly, in January, after the international law enforcement agency Europol announced that it had taken control of the Emotet botnet, cybersecurity researchers spotted something hidden. The law enforcement agencies responsible for the takedown had already planned to deploy an update to remove Emotet from infected machines, and law enforcement agencies themselves wrote the code for the deployment.

In speaking on our podcast Lock and Code, Malwarebytes Security Evangelist Adam Kujawa said this was a new tactic from government authorities.

“I’ve seen people maybe misuse or abuse or modify how a particular malware Command & Control infrastructure would work, but I’ve never seen law enforcement deploy brand new code, and that’s kind of worrying a lot of folks,” Kujawa said. “A lot of people might consider it illegal.”

Can two VPN “wrongs” make a right? Lock and Code S02E10

Malware Bytes Security - Mon, 06/07/2021 - 10:36am

This week on Lock and Code, we’re presenting you something a little different. We’re telling you a story—with no guest interview included—that involves the use of VPNs.

In 2016, a mid-20s man began an intense, prolonged harassment campaign against his new roommate. He emailed her from spoofed email accounts. He texted her and referenced sensitive information that was only stored in a private, online journal. He created new Instagram accounts, he repeatedly made friend requests through Facebook to her friends and family, he even started making bomb threats. And though he tried to sometimes mask his online activity, two of the VPNs he used while registering a fake account eventually gave his information to the FBI.

This record-keeping practice, known as VPN logging, is frowned upon in the industry. And yet, it helped lead to the capture of a dangerous criminal.

Can two VPN “wrongs” make a right? Find out today on Lock and Code, with host David Ruiz.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

White hat, black hat, grey hat hackers: What’s the difference?

Malware Bytes Security - Mon, 06/07/2021 - 8:22am

When you think of the world of ethical hackers (white hat), malicious hackers (black hat), and hackers that flirt with both sides (grey hat), you may envision people in shiny trench coats and dark glasses, whose computer skills are only matched by their prowess in martial arts.

The truth is that hackers are pretty different from their depiction in The Matrix. For example, most hackers can’t slow time down and jump across tall buildings. At least, not that we know of. In reality, a hacker usually keeps a low profile and concentrates on their work.

What’s a hacker?

The answer to “what’s a hacker?” depends on who you ask. We’d guess that most people who work with computers will tell you the answer is something close to this Wikipedia description: “a computer expert who uses their technical knowledge to achieve a goal or overcome an obstacle, within a computerized system by non-standard means.” Much to the annoyance of many of those people, outside of computing, people often understand “hacker” to mean something different and more negative.

To many, a hacker is someone that employs their expertise to breach a computer, smartphone, tablet, or network, regardless of intent. Although it is often used to refer to illegal activity, even within this narrower definition not all hackers are deemed criminal. They are often classified into three main categories: Ethical hackers have traditionally been known as “white hat”, malicious hackers as “black hat”, and “grey hats” are somewhere in the middle.

Ethical hackers

Ethical hackers look for security flaws and vulnerabilities for the purpose of fixing them. Ethical hackers don’t break laws when hacking. An ethical hacker can be someone who tests their own computer’s network defenses to develop their knowledge of computer software and hardware or a professional hired to test and enhance system security.

Security careers related to ethical hacking are in-demand. Malware analysts are a good example. An in-demand ethical hacker who has worked hard to develop their skillset can have a lucrative career.

Ethical hackers are sometimes referred to as white hat hackers. White hat hacker is an outmoded term for an ethical hacker. It comes from 20th century Western films in which the good guys wore white hats. Modern experts refer to them as ethical hackers.

Malicious hackers

Malicious hackers circumvent security measures and break into computers and networks without permission. Many people wonder what motivates hackers who have bad intentions. While some do it for cyber-adventure, others hack into computers for spying, activism, or financial gain. Malicious hackers might use tools like computer viruses, spyware, ransomware, Trojan horses, and more to further their goals. While there may be financial incentives to hacking, the risks are high too: a malicious hacker can face a long time behind bars and massive fines for their illegal activity.

Just as “white hat” is an older term for ethical hackers, conversely “black hat” is an older term for malicious hackers, also based on the old Western film practice of which hats the “good guys” and “bad guys” wore. Today, malicious hacker is a more apt description.

Grey hat hackers

A grey hat hacker skirts the boundaries between ethical and unethical hacking by breaking laws or using unethical techniques in order to achieve an ethical outcome. Such hackers may use their talents to find security vulnerabilities in a network without permission to simply show off, hone their skills, or highlight a weakness.

Tips on how to become an ethical hacker

You may have what it takes to become a highly rated ethical hacker if you’re patient, clever, have an affinity for computers, have good communication skills, and enjoy solving puzzles.

A degree in computer science or information security and a background in military intelligence can be useful but isn’t necessary. Thanks to the wide availability of information and open source code, and incentives like bug bounties, there are many routes into ethical hacking outside of traditional education. For more advice on how to become an ethical hacker, take a look at our interview with bug bounty hunter Youssef Sammouda.

How do I protect myself from a hacker?

An unethical hacker can use many techniques and tools to breach your computer or device’s network security. Your first line of defense is to make life hard for hackers by ensuring you use strong, unique passwords; keep your systems patched with security updates; install advanced antivirus protection that defends your computer against malicious software; and enable the firewalls on your Internet router and computers. For an extra layer of defense, you can protect your network traffic from snooping and tampering with a VPN.

Lastly, be on guard for phishing and social engineering attacks that try to trick you into doing something that’s bad for you, like downloading malware or giving out sensitive information.

Amazon Sidewalk starts sharing your WiFi tomorrow, thanks

Malware Bytes Security - Mon, 06/07/2021 - 7:11am

Amazon smart device owners only have until June 8 to opt out of a new program that will group their Echo speakers and Ring doorbells into a shared wireless network with their neighbors, a new feature that the shopping giant claims will provide better stability for smart devices during initial setup and through possible Internet connectivity problems.

The program is the latest example of yet another multibillion-dollar company rolling out significant changes without meaningfully notifying users beforehand, making it increasingly difficult for users to choose how their data is used, or how their products function. In March, Google changed how Google Chrome users would be tracked across the web, and in May, WhatsApp threatened to remove basic messaging functions from the apps of users who refused to share some of their data with parent company, Facebook.

With all these company decisions, user choice has diminished.

This week, Amazon announced that many of its smart devices would be incorporated into what it is calling “Amazon Sidewalk,” a shared network of devices within neighborhoods that will, according to the company, “help simplify new device setup, extend the low-bandwidth working range of devices to help find pets or valuables with Tile trackers, and help devices stay online even if they are outside the range of their home WiFi.”

Amazon Sidewalk will create a mesh network between smart devices that are located near one another in a neighborhood. Through the network, if, for instance, a home WiFi network shuts down, the Amazon smart devices connected to that home network will still be able to function, as they will be borrowing internet connectivity from neighboring products. Data transfer between homes will be capped, and the data communicated through Amazon Sidewalk will be encrypted.

Amazon smart device owners will automatically be enrolled into Amazon Sidewalk, but they can opt out before a June 8 deadline. That deadline has irked many cybersecurity and digital rights experts, as Amazon Sidewalk itself was not unveiled until June 1—just one week before a mass rollout.

Jon Callas, director of technology projects at Electronic Frontier Foundation, told the news outlet ThreatPost that he did not even know about Amazon’s white paper on the privacy and security protocols of Sidewalk until a reporter emailed him about it.

“They dropped this on us,” Callas said in speaking to ThreatPost. “They gave us seven days to opt out.”

Other experts have warned about the security and privacy implications of Amazon’s project, as Sidewalk will rely on an untested WiFi protocol to link together selected devices. Whitney Merrill, a privacy and information security attorney with Asana, said on Twitter: “Hello privacy nightmare.” 

June 8, Amazon devices will soon automatically share your Internet with neighbors – hello privacy nightmare.

— Whitney Merrill (@wbm312) May 30, 2021

Further, as reported by Ars Technica, the history of wireless connection technologies is littered with vulnerabilities. Researchers found flaws in the late-90s security algorithm Wired Equivalent Privacy (WEP)—after it had been widely used for years—and the technology that replaced it—WPA—is not without problems.

To its credit, Amazon’s white paper addresses how it plans to keep customers’ data secure and private when it travels through Sidewalk. According to that white paper, Amazon will limit the type and amount of metadata it receives, it will encrypt the contents of delivered packets so that the company cannot see what is inside, and customers themselves will also be prevented from seeing the content of packets sent to and from endpoints that they do not own.

Security and privacy aside, one issue still remains—weakened user choice.

The implementation of Amazon Sidewalk mirrors the more careless behavior showcased by Google earlier this year, when it decided to include millions of Google Chrome users in an experiment into how their web browsing behavior was tracked online. Google, like Amazon, did not individually notify users about the new program—called FLoC—and Google, like Amazon, automatically enrolled users into the program, forcing them to manually opt out.

Amazon’s approach to opt-out is clearer than Google’s, though. The company has developed a specific menu item in its Alexa and Ring apps that clearly denotes a new setting to enable or disable Sidewalk. Google, on the other hand, did not have a specific toggle to disable FLoC, and users were instead forced to turn off all third-party cookies if they wanted to opt out.

Certain aspects of Amazon’s rollout of Sidewalk also resemble decisions made this year by WhatsApp, the end-to-end encrypted messaging app owned by Facebook. Last month, the messaging app told users that if they did not agree to sharing some of their data with Facebook, they would see their apps become useless, unable to receive calls or messages. WhatsApp walked back this decision in late May.

Here, Amazon is implementing no such consequences for opting out—which is good—but it is still making a sweeping decision about how customers’ own products should function. And the company isn’t just changing the way already-purchased Amazon devices work, it’s also reaching beyond those devices to affect relationships that have nothing to do with Amazon, such as who gets to use your internet connection, how much of it they can use, and what you might be charged for that.

Amazon Sidewalk will work with the following devices in the US, according to Amazon:
  • Ring Floodlight Cam (2019)
  • Ring Spotlight Cam Wired (2019)
  • Ring Spotlight Cam Mount (2019)
  • Echo (3rd gen and newer)
  • Echo Dot (3rd gen and newer)
  • Echo Dot for Kids (3rd gen and newer)
  • Echo Dot with Clock (3rd gen and newer)
  • Echo Plus (all generations)
  • Echo Show (2nd gen)
  • Echo Show 5, 8, 10 (all generations)
  • Echo Spot
  • Echo Studio
  • Echo Input
  • Echo Flex

Users who want to opt out can do so in the Alexa and Ring apps. In the Alexa app, go to “Settings,” then “Account Settings,” where the “Amazon Sidewalk” toggle lives. Sidewalk can also be disabled in the “Control Center” of the Ring app or the Ring website.

The post Amazon Sidewalk starts sharing your WiFi tomorrow, thanks appeared first on Malwarebytes Labs.

Categories: Malware Bytes

A week in security (May 31 – June 6)

Malware Bytes Security - Mon, 06/07/2021 - 6:10am

Last week on Malwarebytes Labs, we looked at an interesting trend in facial recognition technology (hint: it’s a slow fade), the latest ransomware attacks on JBS and Steamship Authority, Cobalt Strike, a coronavirus phishing campaign, WhatsApp’s decision to not limit app functionality for non-compliant users after all, and a cyber threat report compiled by the National Crime Agency (NCA) in the UK.

We also analyzed Kimsuky, the APT that continues to attack the South Korean government, and the NSIS crypter along with its evolution.

Lastly, we looked at the cybersecurity challenges SMBs face, and at the US Attorney’s office’s decision to investigate ransomware attacks the same way it investigates terrorist attacks.

Other cybersecurity news
  • A phishing campaign is riding on the recent ransomware attack against Colonial Pipeline. The email, purporting to come from a company’s “Help Desk”, urges recipients to download a “ransomware system update” that would supposedly prevent the company from being attacked by ransomware. (Source: Inky)
  • Organizers of the Tokyo Olympics found themselves on the receiving end of a data breach. (Source: The Japan Times)
  • Fujifilm fell victim to a ransomware attack. (Source: InfoSecurity Magazine)
  • Those returning to the office were welcomed by—drumroll, please—phishing emails! (Source: Avanan)
  • According to researchers, a new ransomware variant called Epsilon Red is said to be hunting for unpatched Microsoft Exchange servers to exploit. (Source: Computing)
  • The UK government faced a backlash and legal challenge over its plan to share health service data with a third-party as part of its digitization effort. (Source: Computing)
  • A threat report from Thales revealed that, although the pandemic has transformed how we do work, cybersecurity is sadly not keeping up. (Source: TechRepublic)
  • Mustang Panda, a Chinese espionage group, is gaining access to official Southeast Asian government websites via a novel Windows backdoor. (Source: The Record)
  • JBS, the world’s largest meat supplier, is back to normal operations after a ransomware attack. (Source: Bleeping Computer)

Stay safe, everyone!

The post A week in security (May 31 – June 6) appeared first on Malwarebytes Labs.


Security pros agree about threats—convincing everyone else is the problem

Malware Bytes Security - Fri, 06/04/2021 - 11:51am

How about that Colonial Pipeline?

As troubling as this event may be, for those of us working in the world of cybersecurity it can be hard to convince others to take dangers like this seriously—regardless of how real and immediate they are.

“Sadly, the upper leadership team does not understand the stakes and why an investment is necessary to protect assets and tomorrow’s productivity,” said one beleaguered security professional we spoke to.

If this sounds like you, you’re not alone. There are plenty who share your pain.

Back in March, Malwarebytes released the SMB Cybersecurity Trust and Confidence Report 2021. For this report, we surveyed 704 cybersecurity professionals from all levels on the corporate ladder, from CISOs on the top rung down to the hardworking sysadmins. Participating small- and medium-sized businesses ranged from 50 to 999 employees. 

What did we find? Security professionals trust their endpoint protection to do its job—with some caveats.

Some 95 percent of respondents say they trust their cybersecurity vendor to provide effective endpoint protection. By that same token, more than 90 percent say their endpoint protection is effective and they’re confident it protects against dangerous threats.

So, what’s the catch?

Decision makers versus decision influencers

To get a better sense of who our survey-takers are and identify any potential difference of opinion, we asked them for their titles. You can see the full breakdown below, but just under half, 48 percent, of our respondents identify as IT directors.

Next, we grouped participants by those who “make the final decision” regarding endpoint protection purchases and those who have ”significant influence,” with 52 percent identifying as decision makers and 48 percent identifying as decision influencers.

Those who answered, “Yes, I’m a decision maker” generally have a somewhat rosier disposition when it comes to the dangers their organizations are facing and their ability to stop those dangers. 

We asked, “Has your endpoint protection product ever failed to detect a threat?” Those who make the final decision are more likely than those who influence decision making to say their endpoint protection provider hadn’t failed (64 percent versus 48 percent).

Coming at the issue from another angle, we also asked, “How frequently does your organization register a cybersecurity threat?” Those who make the final decision are far more likely than those who influence decision making to say their organization registers a threat “once a month” or “very often” (26 percent versus 13 percent).

We then asked “Agree or disagree? I believe it’s not a matter of if but when my organization suffers a successful attack or breach.” Just over half, 56 percent, said they agreed. Those who make the final decision agree to this statement significantly more than those who influence decision making (64 percent versus 49 percent).

So, what is the data telling us? Security professionals are confident in their endpoint protection, but they’re realistic about the threats they’re facing. Yes, there are some variations depending on an individual’s position within the org chart; otherwise, everyone is pretty much in agreement on the increasing sophistication and frequency of attacks.

The security ouroboros

Many of the survey respondents expressed frustration with leadership outside of the security org.

We asked, “What’s the biggest obstacle to security at your organization?”

“Buy-in from the leadership team that it is worth the investment versus other priorities,” said one respondent.

Another said, “Faced with a range of obstacles, from slowing budget growth to dissatisfied boards, business and security leaders are being challenged to change the way they approach cybersecurity and risk.”

No budget? No buy-in? Lack of investment? Sounds about right.

At the risk of reading too deeply into the data, the implication here is that while businesses get bigger, security orgs stay the same in terms of personnel and infrastructure.

The numbers bear this out: 65 percent of respondents from SMBs with 500 to 999 employees identified as CIO, CISO, or IT director.

Where one would expect to see a pyramid shape from the CISO or CIO on down, with more frontline level employees at the bottom than leaders at the top, the reality has gone all pear-shaped. As mentioned earlier, almost half of total survey respondents identified as IT directors.

Compounding the problem, a significant portion of our respondents believe that bigger organizations make for more frequent targets.

We asked “Agree or disagree? Hackers do not target small- and medium-sized organizations and attack only bigger organizations.” 

Some 39 percent of respondents agreed bigger organizations made for more frequent targets. Among survey respondents at organizations with more than 500 employees, a slightly larger 43 percent agree.

However, those who make the final purchasing decision on endpoint protection agree even more—bigger business, bigger target—than those who just influence decision making (48 percent versus 30 percent).

What does it all mean? For starters, security professionals across the board have faith in their endpoint protection, but they’re frustrated at the lack of support from senior leadership outside of the security org. 

When businesses find success and the dollars start rolling in it’s a given that many of those dollars are going to be earmarked for talent acquisition and IT infrastructure. Unfortunately, from a security perspective, growth at one end doesn’t translate to growth at the other end. Security pros just don’t get the additional resources that they’re expecting—that they need—to accommodate growth within the organization as a whole.

Like a snake eating its own tail, growing businesses have more employees and more endpoints to protect, but security budgets and head count seem to remain stagnant. The consequences of this security conundrum are dire. Look no further than the latest headlines.

The post Security pros agree about threats—convincing everyone else is the problem appeared first on Malwarebytes Labs.


Ransomware to be investigated like terrorism

Malware Bytes Security - Fri, 06/04/2021 - 10:01am

The impact of recent ransomware attacks on vital infrastructure in the US has triggered a reaction from the US Attorney’s office. Internal guidance says that all ransomware investigations in the field should be centrally coordinated with a recently created task force in Washington.

According to Reuters, the internal communication states:

“To ensure we can make necessary connections across national and global cases and investigations, and to allow us to develop a comprehensive picture of the national and economic security threats we face, we must enhance and centralize our internal tracking.”

Terrorism model

This model of investigation and cooperation is used in only a few fields that touch upon national security, e.g. terrorism, and according to US officials it shows how ransomware is being prioritized. According to Reuters, investigators will have to share updated case details and active technical information with leaders in Washington, and will in turn receive guidance from Washington on how to proceed. If implemented well, this should produce a much better picture of the ransomware landscape.

In his recent executive order on improving the nation’s cybersecurity, President Biden already pointed out that the US faces persistent and increasingly sophisticated malicious cyber campaigns. Section two of the order is titled Removing Barriers to Sharing Threat Information, and this new cooperation seems to fall under that banner.

Ransomware Task Force

In April we reported about international cooperation in this field in the form of the Ransomware Task Force (RTF), a think tank composed of more than 60 volunteer experts who represent organizations encompassing industries and governments. In its report (PDF) the RTF recommended that ransomware be treated as a threat to national security.

“Ransomware attacks have shut down the operations of critical national resources, including military facilities. In 2019, a ransomware attack shut down the operations of a U.S. Coast Guard facility for 30 hours, and in February 2020, a ransomware attack on a natural-gas pipeline operator halted operations for two days. Attacks on the energy grid, on a nuclear plant, waste treatment facilities, or on any number of critical assets could have devastating consequences, including human casualties.”

This was before the attack on Colonial Pipeline, which prompted President Biden to sign an executive order that broadly directs the Commerce Department to create cybersecurity standards for companies that sell software to the federal government.

Whether the RTF and the proposed task force in Washington will work closely together is unknown, and perhaps unlikely given the international character of the RTF, though sharing information would benefit both.

REvil is not impressed

In an interview published by cybersecurity blogger Sergey R3dhunt, a spokesperson for REvil appears to indicate they are not worried by the new “terrorism approach.“

Translated, the transcript says:

Q: What happened as a result of the cyber attack?

A: As a result, the United States has put us on the agenda of the discussion with Putin. The question is, why there is such confidence that at the moment everyone is in the CIS, and even more so in the Russian Federation. In connection with the recent events with fuel [Colonial Pipeline], the United States are in every possible way avoided, as well as work inside CI.

Further inquiries seemed to indicate that it will only make matters worse, because if they are going to be prosecuted anyway, they may as well open the floodgates. When asked why they attacked JBS, this was the answer:

“Revenge. The parent company is located in Brazil, where the attack was directed. Why the US intervened is not clear. She was avoided by all means.”

History tells us the words of ransomware criminals should be taken with a large grain of salt.

Treated as or investigated like

Some gut reactions suggested that ransomware attacks would now be treated in the same way as terrorist attacks, but this is not entirely true, even though some ransomware attacks have had worse outcomes than terrorist attacks. It is the way in which the US Attorney’s office wants to organize ransomware investigations that is similar to other national security issues, not the severity of the punishments or the way suspects will be apprehended.

Ransomware infrastructure

Ransomware, especially Ransomware-as-a-Service (RaaS), has an organizational structure similar to that of some terrorist organizations. There are the enablers, who provide the software and the infrastructure for the ransomware itself and for receiving payments, and there are the affiliates, who go out and attack victims. These groups do not have to know each other’s true identities and usually communicate through encrypted channels.

A thorough knowledge of the ransomware landscape and successful infiltration of those communication platforms could provide ways to hinder operations. Perhaps the inherent distrust between criminals can be used to launch misinformation campaigns that disrupt the cooperation between enablers and affiliates. And perhaps the fear of being tracked down by a strong, dedicated task force will keep some potential participants away from the scene.

Tracking payments or making it illegal to pay ransom could make another dent in the severity of the threat. According to the report by the RTF, about 27 percent of victims choose to pay a ransom. With this, these victims are fuelling the ransomware industry. Not that they want to, but sometimes they feel it’s the only viable choice. This feeling is often strengthened by the additional threat to publicly disclose exfiltrated data.

All in all, a US centralized task force to investigate ransomware could contribute to the goals that the international RTF has set:

  • Deter ransomware attacks
  • Disrupt the ransomware business model
  • Help organizations prepare
  • Respond to ransomware attacks more effectively

Let’s hope so.

The post Ransomware to be investigated like terrorism appeared first on Malwarebytes Labs.


Cybercrime, fraud, and insider threats increased in 2020 in the UK, report says

Malware Bytes Security - Thu, 06/03/2021 - 1:41pm

Since the initial lockdown, we have seen the rise of certain types of cybercrime, including scam and fraud campaigns that either bank on the global COVID-19 pandemic or take advantage of potential victims who are working from home.

In the UK, the National Crime Agency (NCA) has determined that many types of cybercrime, such as ransomware attacks, digital fraud, and insider threats (with a specific mention of child sexual abuse), have increased because more users in the UK are going online to do work, attend online classes, and (in the first few months of lockdown) alleviate boredom.

The agency also noted the resilience and adaptability of serious and organized crime (oddly labeled “SOC,” despite the same acronym meaning “security operations center” in the cybersecurity field) in its use of technology and well-established tools to avoid detection. For example, budding and professional criminals are using commercially available encryption, Secure Messaging Applications (SMAs), and decentralized messaging apps, which usually come with a crypto wallet, to manage their own data and mask their identities and communications. They also use cryptoassets to buy and sell illegal commodities underground and to launder money. Because of this, the NCA has assessed that disrupting the technology, and the capabilities that enable it, is an efficient way to end criminal schemes.

SOC is categorized as a “significant and established national security threat that endangers the integrity, legitimacy, and sovereignty of the UK and its institutions, both at home and overseas.” It is no surprise to see SOC being conducted over the internet by crime groups, and the NCA has been monitoring it year on year.

Organized crime: Ransomware-as-a-service (RaaS)

The growing threat of ransomware continues to loom over organizations across industries worldwide. In the UK, the estimated direct and indirect cost of ransomware runs to billions of pounds per year. Determining the exact figure has always been a challenge, however, because underreporting and inaccurate cost estimates remained a problem in 2020. Underreporting is primarily caused by a lack of awareness of whom to report an attack to and, in some cases, a general reluctance to report for fear of reputational damage or uncertainty.

The NCA has observed a dramatic increase in demand for Remote Desktop Protocol (RDP) credentials, driven by the increased use of RDP for remote working. Criminals who obtain these credentials can walk straight into corporate networks, and exposed RDP is a well-known entry point for ransomware operators.
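One concrete way to act on this observation is to watch for the pattern those stolen or guessed credentials leave in the logs: a burst of failed RDP logons (Windows Security event 4625 with logon type 10) from one source address, followed by a success (event 4624) from the same address. The Python below is an added example, not part of the NCA report or of this post. It assumes the Security log has been exported to simple comma-separated lines (timestamp, event ID, logon type, account, source IP, NTSTATUS), and the event lines embedded in it are constructed for illustration.

```python
"""Flag RDP brute-force / password-spray bursts in exported Windows Security events.

Added example (not from the NCA report or the original post). Assumes events were
exported as comma-separated lines:
    timestamp,event_id,logon_type,account,source_ip,status
The sample lines below are constructed for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List

EVENT_LOGON_FAILED = "4625"
EVENT_LOGON_SUCCESS = "4624"
RDP_LOGON_TYPE = "10"          # LogonType 10 = RemoteInteractive (RDP / Terminal Services)

# Constructed sample: one spray-then-success burst, one ordinary typo, one non-RDP failure.
SAMPLE_EVENTS = """\
2021-06-01T02:00:01,4625,10,administrator,203.0.113.7,0xC000006D
2021-06-01T02:00:03,4625,10,admin,203.0.113.7,0xC000006D
2021-06-01T02:00:05,4625,10,backup,203.0.113.7,0xC000006D
2021-06-01T02:00:08,4625,10,jsmith,203.0.113.7,0xC000006D
2021-06-01T02:00:11,4625,10,jsmith,203.0.113.7,0xC000006D
2021-06-01T02:00:14,4625,10,jsmith,203.0.113.7,0xC000006D
2021-06-01T02:00:30,4624,10,jsmith,203.0.113.7,0x0
2021-06-01T09:15:00,4625,10,jsmith,198.51.100.4,0xC000006D
2021-06-01T09:15:40,4624,10,jsmith,198.51.100.4,0x0
2021-06-01T09:16:00,4625,3,svc_print,10.0.0.5,0xC000006D
"""


@dataclass
class Event:
    ts: datetime
    event_id: str
    logon_type: str
    account: str
    source_ip: str
    status: str


def parse_events(text: str) -> List[Event]:
    """Parse the exported lines and return them in time order."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, event_id, logon_type, account, source_ip, status = line.split(",")
        events.append(Event(datetime.fromisoformat(ts), event_id, logon_type,
                            account.lower(), source_ip, status))
    events.sort(key=lambda e: e.ts)
    return events


def detect_rdp_bruteforce(events: List[Event], window: timedelta = timedelta(minutes=5),
                          threshold: int = 5) -> List[dict]:
    """Return one alert per source IP whose RDP logon failures inside `window`
    reach `threshold`. Accounts that later log in successfully over RDP from the
    same address are listed as probable compromises."""
    recent: Dict[str, Deque[Event]] = defaultdict(deque)   # source IP -> failures in window
    alerts: Dict[str, dict] = {}
    for ev in events:
        if ev.logon_type != RDP_LOGON_TYPE:
            continue                                        # only RDP matters here
        q = recent[ev.source_ip]
        while q and ev.ts - q[0].ts > window:               # slide the window forward
            q.popleft()
        if ev.event_id == EVENT_LOGON_FAILED:
            q.append(ev)
            if len(q) >= threshold:
                alert = alerts.setdefault(ev.source_ip, {
                    "source_ip": ev.source_ip, "first_seen": q[0].ts.isoformat(),
                    "failures": 0, "accounts_tried": set(), "compromised": []})
                alert["failures"] = max(alert["failures"], len(q))
                alert["accounts_tried"].update(e.account for e in q)
        elif ev.event_id == EVENT_LOGON_SUCCESS and ev.source_ip in alerts:
            alert = alerts[ev.source_ip]
            if ev.account not in alert["compromised"]:
                alert["compromised"].append(ev.account)     # success after a burst
    for alert in alerts.values():
        alert["accounts_tried"] = sorted(alert["accounts_tried"])
        # several distinct accounts from one source = spraying; one account = brute force
        alert["pattern"] = "password_spray" if len(alert["accounts_tried"]) >= 3 else "brute_force"
        alert["severity"] = "high" if alert["compromised"] else "medium"
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The success-after-burst case is the one worth paging on. A single failure followed by a success (the 198.51.100.4 lines) is a user mistyping a password, while a spray across several accounts that ends in a successful logon from the same address is very likely a compromised account whose sessions should be killed and reviewed. The same logic works unchanged against failures with other logon types if the filter on `RDP_LOGON_TYPE` is dropped, but RDP is where the NCA saw the demand.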

Lastly, cybercriminals use current events in their spam and phishing emails—another way to get into corporate networks. They have themed their campaigns around COVID-19 and the end of the financial year for the business.

Organized crime: Online fraud

COVID-19 themes are also common in fraud campaigns. According to Action Fraud, the UK’s go-to reporting center for fraud and cybercrime, between January and December 2020 victims lost an estimated total of 3 billion GBP to fraudsters.

The increased reliance on online services has encouraged fraudsters to target the more vulnerable and less security-savvy UK citizens, giving rise to shopping fraud, auction fraud, and, of course, sophisticated phishing campaigns. Where criminals could not find a way to potential victims, online advertising served as the perfect means for the victims to come to them: fraudsters have been observed using social media and online service platforms to post fraudulent ads.

The NCA cited other fraud campaigns, such as romance scams and misinformation campaigns surrounding Brexit, the UK’s departure from the European Union. 


Organized crime: Insider threats 

In the financial sector, working from home shone a light on the reduced ability to monitor staff, meaning that signs of unusual behaviour and other indicators of employees struggling go unnoticed. This opens the door to an insider threat, a threat that businesses hardly mention, let alone prepare for.

Disgruntled employees and those struggling financially are more likely to be tempted into bribery and corruption when the opportunity presents itself. Such incidents are difficult to trace or pinpoint, as they are usually disguised as genuine payments for goods at inflated market rates. There is also a realistic possibility that such arrangements will only increase as businesses in the UK begin to recover from the impact of the pandemic and Brexit.

Future cybercrimes in the UK and beyond

Whether these online organized crimes will still be noteworthy next year remains to be seen. Note, however, that all of them existed before the pandemic and before Brexit. Once everyone settles into “the new normal,” the likely outcome is mostly a difference in numbers: ransomware, for example, may or may not have higher victim rates a year from now. Or, perhaps, romance scams will dwindle to nothing. Perhaps.

Whatever cybercrime looks like in the future, what remains constant is the continued vigilance of groups like the NCA and of businesses in the public and private sectors in educating and training UK employees about the cybercrimes that affect them and how they should respond. Businesses should know what steps to take to improve their security posture and whom to contact in the event of a cybercrime incident. Lastly, much stress should be placed on reporting, to spread awareness, to help other organizations avoid being victimized, and to let law enforcement keep track of cybercriminals.

The post Cybercrime, fraud, and insider threats increased in 2020 in the UK, report says appeared first on Malwarebytes Labs.


Steamship Authority answers question: Who’s the next ransomware victim?

Malware Bytes Security - Thu, 06/03/2021 - 11:50am

After the attacks on Colonial Pipeline and JBS, many may have been wondering, as we did, what the next ransomware headline was going to be.

Well, here it is—another victim in the vital infrastructure of transport and logistics, although this time the impact may be less brutal.

Steamship Authority, the largest ferry service in Massachusetts, has fallen victim to a ransomware attack. The Steamship Authority informed the public on social media that it was the target of a ransomware attack early Wednesday, June 2, 2021.

Steamship Authority, the company

Steamship Authority is the largest ferry service to the islands of Martha’s Vineyard and Nantucket, carrying passengers, cars, and trucks between mainland Massachusetts and the islands. The ferry services and their safety have not been compromised, but the Steamship Authority’s offices appear to have been severely disrupted. Its website is currently unavailable, which also means that new reservations cannot be made, not even by phone.

The impact

In a tweet, the company informed customers that while they were working through the consequences of the cyberattack, all ferries are operating at this time. They are keeping customers informed by posting the ferry schedules on their social media channels.

Which does not mean that it’s all business as usual. There is limited access to credit card systems at some terminal and parking locations but, to avoid delays, cash is likely the best option for ticketing and parking. Customers are currently unable to book or change vehicle reservations online or by phone. Existing vehicle reservations will be honored at Authority terminals, and rescheduling and cancellation fees will be waived.

The timing of the attack is painful, as it marks the start of the season when tourists begin to visit the region and a peak in traffic is expected.


The Steamship Authority tweeted that it is working internally, as well as with federal, state and local authorities, to determine the extent and origin of the attack. Since this is an ongoing investigation it is unlikely that the authorities will share any information about the type or possible origin of the attack. But we will keep you informed if we should learn more.

A spokesperson for the U.S. Coast Guard stated that the U.S. Coast Guard 1st District is working in conjunction with the Massachusetts Cybersecurity Unit, and that the FBI is currently leading the investigation.


Recovery from a ransomware attack can be a long and expensive process, even if the victim decides to pay the ransom. It can take weeks to months to get the server infrastructure back up and running. If new bookings stay offline for long, the stock of existing bookings will soon dwindle. We can only hope that the Steamship Authority manages to get back into an operational state as soon as possible. Getting stuck on one of the islands is not the worst thing one could imagine, but it’s different if you didn’t plan it.

Stay safe, everyone!

The post Steamship Authority answers question: Who’s the next ransomware victim? appeared first on Malwarebytes Labs.


Coronavirus phishing: “Welcome back to the office…”

Malware Bytes Security - Thu, 06/03/2021 - 9:00am

As offices slowly start to open back up, the theoretically post-pandemic world is changing its threat landscape once again, and coronavirus phishing attempts are adapting with it. With the move to remote work, attackers switched up their tactics. Personal devices and home networks became hot targets. Organizations struggled with securing devices remotely, rolling out VPNs, and forming best practices for potentially sensitive work done outside the office environment.

And hey, don’t forget the trend of using work devices for personal use. The gradual blurring of lines between work and personal use is an understandable one given how 2020 panned out. Even so, it introduces an aspect of risk that many organizations perhaps weren’t dealing with previously.

Office, work from home (WFH), or…both?

Now that a lot of the office space has gone virtual and might not go back to being fully on-site, we’re all left holding our breath. It’s impossible to predict how the post COVID-19 work landscape will fit together. A hybrid approach seems most likely, with time split between office and home. Full office attendance or 100 percent WFH seems unlikely, and perhaps not actually possible for some roles.

With this in mind, attackers will keep looking for the schemes that give the best return on investment against those hybrid workers.

For now, we have an opening salvo of “welcome back to the office, here’s a phish we’d like you to click”.

“The office is re-opening! Please read the newsletter…”

Employees are now indeed being targeted with “back to the office” missives. Found by Cofense, the mail claims to be an [EXTERNAL] email notice from the CIO, welcoming people back to the office as they update their “business operations”.

A simple yet effective tactic. Many organisations will be sending similar messages over the coming weeks and months, so the phish is most effective where a company does not have regular COVID status updates going out by mail. Where regular comms and instructions are dispensed from a known source, it will perhaps stand out; where they are not, a curious employee won’t think “Oh, it’s not our bi-weekly update from our official pandemic information source. This seems peculiar”. They may well go down the “Wow, it’s the boss! We’re back in the office” route instead.

From there, it’s a short step to “I’ve just handed my credentials to this fake Microsoft portal”.

Taking action against the pandemic chancers

There are a few ways to try to defend against this type of attack.

If an organization doesn’t have any sort of plan for COVID updates, it should really consider one. Narrowing down “who sends this” to one specific mailbox or individual potentially makes that mailbox a target, but that is preferable to a fake COVID update being plausible from any number of random employees.

There’s also other ways to get across COVID updates, like group calls or status updates in other weekly/monthly team meetings. Considering how many Zoom calls everyone has had at this point, there shouldn’t be any problem dropping these updates into overall messaging.

A combination of mailed and spoken comms, alongside other systems like Intranet portals containing the latest advice, should go a long way to keeping the Covid scammers out. For now, be on your guard against mails making bold promises regarding office activity. While many of us can’t wait to get back, that’s exactly what these phishers are banking on.
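A mail filter can encode most of the advice above, and the lure described earlier (an [EXTERNAL] mail posing as the CIO, leading to a fake Microsoft login) gives it something concrete to catch. The Python below is an added example, not code from Cofense or from this post. It assumes a corporate domain, a directory entry for the CIO, and a single designated mailbox for office-reopening updates (all placeholder values), and both raw messages in it are constructed: one modelled on the lure described above, one a legitimate update.

```python
"""Triage "return to the office" mail: external origin, executive display-name
impersonation, a sender other than the designated updates mailbox, and a
credential lure pointing off-domain.

Added example, not from the original post. CORP_DOMAIN, EXECUTIVES and
DESIGNATED_SENDER are assumed placeholder values; both messages are constructed.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlsplit

CORP_DOMAIN = "example.com"                         # assumed
DESIGNATED_SENDER = "covid-updates@example.com"     # assumed: the one mailbox for office updates
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # assumed directory entry (name -> real address)

REOPEN_WORDS = re.compile(
    r"\b(re-?open\w*|return(ing)? to (the )?office|back (to|in) the office|business operations)\b", re.I)
CRED_WORDS = re.compile(r"\b(sign in|log ?in|password|credentials|verify your account)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed: modelled on the lure described above (external mail posing as the CIO).
PHISH_SAMPLE = """\
From: "Jane Doe, CIO" <jane.doe@example-cio-mail.com>
To: staff@example.com
Subject: [EXTERNAL] Return to office: updated business operations
Content-Type: text/plain; charset=utf-8

Hello team,

The office is re-opening! Please read the newsletter and sign in with your
Microsoft account to confirm your return date:
https://login.example-cio-mail.com/office365/signin
"""

# Constructed: a legitimate update from the designated mailbox, linking to the intranet.
LEGIT_SAMPLE = """\
From: "Office Updates" <covid-updates@example.com>
To: staff@example.com
Subject: Return to office: phase 1 schedule
Content-Type: text/plain; charset=utf-8

The office re-opens on 21 June for phase 1 teams. The full schedule is on the
intranet: https://intranet.example.com/return-to-office
"""


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _is_corporate(host: str) -> bool:
    return host == CORP_DOMAIN or host.endswith("." + CORP_DOMAIN)


def _body_text(msg: Message) -> str:
    """Concatenate all text/plain parts (works for single-part and multipart mail)."""
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    return "\n".join(p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
                     for p in parts)


def analyse(raw: str) -> dict:
    """Return the sender, the findings that fired, and a verdict (allow / flag / quarantine)."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    subject = msg.get("Subject", "")
    body = _body_text(msg)
    text = subject + "\n" + body
    findings = []

    # 1. Did it come from outside, or has the gateway already tagged it as external?
    external = not _is_corporate(_domain(addr)) or "[external]" in subject.lower()
    if external:
        findings.append("external_origin")

    # 2. Display name borrows an executive's name but the address is not theirs.
    name = re.sub(r"[^a-z ]", " ", display.lower())
    if any(n in name and addr != real for n, real in EXECUTIVES.items()):
        findings.append("exec_impersonation")

    # 3. Office-reopening content from anyone but the designated mailbox.
    if REOPEN_WORDS.search(text) and addr != DESIGNATED_SENDER:
        findings.append("not_designated_sender")

    # 4. Asks for a login and points at a host outside the corporate domain.
    off_domain_links = [u for u in URL_RE.findall(body)
                        if not _is_corporate(urlsplit(u).hostname or "")]
    if CRED_WORDS.search(text) and off_domain_links:
        findings.append("credential_lure")

    if "exec_impersonation" in findings or ("credential_lure" in findings and external):
        verdict = "quarantine"
    elif findings:
        verdict = "flag"
    else:
        verdict = "allow"
    return {"from": addr, "findings": findings, "off_domain_links": off_domain_links, "verdict": verdict}


if __name__ == "__main__":
    for sample in (PHISH_SAMPLE, LEGIT_SAMPLE):
        print(analyse(sample))
```

The designated-sender check is what turns the advice into policy: once all reopening comms come from one mailbox, anything else talking about the office reopening is suspicious by construction, whether or not it carries the [EXTERNAL] tag or a borrowed name. The lure described above kept its [EXTERNAL] tag and still worked, so the tag alone is not a defence; it is one signal among several, and the off-domain login link is the one that costs the victim their credentials.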

The post Coronavirus phishing: “Welcome back to the office…” appeared first on Malwarebytes Labs.


JBS says it is recovering quickly from a ransomware attack

Malware Bytes Security - Wed, 06/02/2021 - 10:58am

This week another major supplier reported it had been hit with ransomware. After the Colonial Pipeline attack last month, this time the victim is the world’s largest meatpacker, JBS. JBS halted cattle slaughter at all its US plants on Tuesday after the attack caused their Australian operations to shut down on Monday. Some plant shifts in Canada were also canceled Monday and Tuesday. The company’s operations in Mexico and the UK were not impacted and are conducting business as normal.


JBS is the second largest meat and poultry processor in the US. JBS controls about 20 percent of the slaughtering capacity for US cattle and hogs. It owns the Swift brand, and most of chicken processor Pilgrim’s Pride Co. Due to the attack, US meatpackers slaughtered 22 percent fewer cattle than a week earlier. There are early fears that ongoing shutdowns of JBS plants could raise meat prices further for American consumers.

The attack

The initial press statement by JBS mentioned an "organized cybersecurity attack" affecting some of the servers supporting its North American and Australian IT systems. Soon after, it became clear that the company was dealing with a ransomware attack, because a ransom demand came in. This was later confirmed by tweets from the Cybersecurity and Infrastructure Security Agency (CISA).

At the moment of writing it is unclear which ransomware family was involved or how the attack took place, although early reporting indicates that the cybercrime group responsible is REvil.


According to JBS, they have made significant progress in resolving the cyberattack that has impacted the company’s operations.

“Our systems are coming back online and we are not sparing any resources to fight this threat. We have cybersecurity plans in place to address these types of issues and we are successfully executing those plans. Given the progress our IT professionals and plant teams have made in the last 24 hours, the vast majority of our beef, pork, poultry and prepared foods plants will be operational tomorrow.”

If that holds, the company had an excellent recovery plan, because recovery from a ransomware attack usually takes weeks and sometimes even months. We have even seen companies go bankrupt over the costs.

International intervention

What is also notable about this incident, as well as the attack on Colonial Pipeline, is the fact that the Biden administration has sent another warning to Russia, which is believed to be the origin of the cyberattacks. White House principal deputy press secretary Karine Jean-Pierre said:

“The White House is engaging directly with the Russian government on this matter and delivering the message that responsible states do not harbor ransomware criminals.”

Biden is scheduled to meet with Russian President Vladimir Putin in Geneva later this month.

Supply chains and critical infrastructure

Attacks on critical infrastructure, especially on supplies we need on a daily basis, are very disruptive, and it is no wonder that governments are likely to get involved. But it makes us wonder why the supply chains for food and oil seem to be a higher priority than other critical services like healthcare, schools, and emergency services, all of which have suffered countless attacks without political intervention. On the other hand, Colonial Pipeline and JBS are suppliers for whom there are no immediate replacements if they shut down for a long time.

Of course, it is also possible that these attacks are done under the guise of ransomware attacks, but are in reality probes to see how vulnerable our infrastructure is, especially when major targets like Colonial Pipeline and JBS are involved.

The need to better secure the nation’s supply chains prompted the Department of Homeland Security last month to issue new security directives to regulate the pipeline industry for the first time. Maybe we can expect something similar for major food suppliers soon.

Ransomware Task Force

JBS reportedly informed the government about the ransomware attack, which is exactly the kind of behavior that the Ransomware Task Force would like to see from ransomware victims. The Ransomware Task Force (RTF) is a think tank composed of more than 60 volunteer experts representing organizations across industry and government. The RTF recently published a comprehensive, strategic plan for tackling the increasing threat and evolution of ransomware.

Stay safe, everyone!

The post JBS says it is recovering quickly from a ransomware attack appeared first on Malwarebytes Labs.

Categories: Malware Bytes

WhatsApp reverses course, will not limit app functionality

Malware Bytes Security - Tue, 06/01/2021 - 3:25pm

WhatsApp, the end-to-end encrypted messaging service that has lost users, its founders, and a large amount of public goodwill, issued a reversal on its recent privacy policy enforcement measures, clarifying that it will no longer punish users who refuse to share some of their data with the company’s owner, Facebook.

Previously, the company said it would restrict some users from accessing chat logs and even turn off the ability for users to receive calls and messages through the app. But in a statement to the news outlet The Next Web last week, WhatsApp said:

“Given recent discussions with various authorities and privacy experts, we want to make clear that we currently have no plans to limit the functionality of how WhatsApp works for those who have not yet accepted the update. Instead, we will continue to remind users from time to time about the update as well as when people choose to use relevant optional features, like communicating with a business that is receiving support from Facebook.”

The reversal comes after a confusing and difficult five months for WhatsApp, which, in January, began notifying users about a new privacy policy that would include additional data sharing with Facebook. Users immediately balked at the policy request, though many conflated old data sharing practices that WhatsApp rolled out in 2016 with the new practices that would go into effect in 2021.

Never included in WhatsApp’s data sharing practices was the content of users’ messages, and it remains that way today. WhatsApp has held firm on the end-to-end encryption enabled by default for all users, and it has never hinted at breaking that encryption to allow its parent company to increase targeted advertising efforts. Instead, WhatsApp’s current privacy policy will allow the company to share certain data with Facebook about business interactions—like when a user contacts a business over WhatsApp.

Still, the confusion led to a reported exodus of users, to which WhatsApp responded by extending the initial deadline for users to agree to its privacy policy to May 15. But for users who chose not to agree to the new privacy policy, the eventual, planned consequences appeared rather extreme.

For users who refused the privacy policy, WhatsApp previously said that “after a period of several weeks,” those users would see a notification to accept the new privacy policy become persistent. Users with the persistent notification would then see limitations.

The company previously said:

“At that time, you’ll encounter limited functionality on WhatsApp until you accept the updates. This will not happen to all users at the same time.

You won’t be able to access your chat list, but you can still answer incoming phone and video calls. If you have notifications enabled, you can tap on them to read or respond to a message or call back a missed phone or video call.

After a few weeks of limited functionality, you won’t be able to receive incoming calls or notifications and WhatsApp will stop sending messages and calls to your phone.”

That language is no longer present on WhatsApp’s FAQ, but when it was first revealed, it presented a stark image to users who had perhaps chosen WhatsApp entirely because of its earlier, pro-privacy slant.

Instead, those users who chose to protect one small aspect of their online privacy were being punished. As we wrote previously:

“A private messaging app that cannot receive messages is useless, and it is ludicrous that the reason it is useless is because the company has chosen to make it that way.

This is an anti-privacy choice. It is also an anti-user choice, as users are being punished for their refusal to share data.”

Thankfully, this scenario has been avoided, but it is still frustrating that it took this level of public outrage for WhatsApp to correct course. Protecting users and protecting their choices should not be this hard.

The post WhatsApp reverses course, will not limit app functionality appeared first on Malwarebytes Labs.

Categories: Malware Bytes