Malware Bytes Security

Most of the malicious search ads we have seen have originated from Google, but threat actors are also abusing other search engines. Microsoft Bing is probably the second best target due to its close ties to the Windows ecosystem and Edge browser.

In this blog post, we look at a very recent malvertising campaign impersonating the popular VPN software NordVPN. A malicious advertiser is capturing traffic from Bing searches and redirecting users to a decoy site that looks almost identical to the real one.

The threat actors went ever further by trying to digitally sign a malicious installer and hosting it on Dropbox. Victims will have the impression they are getting NordVPN as it is part of the package, but will also inadvertently install a Remote Access Trojan known as SecTopRAT on their computer.

We have reported the malicious Bing ad to Microsoft, and other parts of the distribution infrastructure to their respective provider. We want to reiterate that NordVPN is a legitimate VPN provider and they are being impersonated by threat actors.

Fraudulent Bing ad

When searching for “nord vpn” via the Bing search engine, we identified a malicious ad that impersonates NordVPN. The ad itself looks suspicious because of the URL in the ad snippet. The domain name nordivpn[.]xyz was created one day ago (April 3, 2024). It was probably chosen as it looks quite similar to the official name and can deceive users who aren’t looking too closely.

As we often see, the ad URL is simply used as a redirection mechanism to a fake website that is meant to look identical to the one being impersonated. This is true here as well, where we have a redirect to besthord-vpn[.]com (note again the spelling chosen with the ‘h‘ looking like an ‘n‘) which was created today, only a few hours ago.

The website looks incredibly convincing, and victims will be tricked into downloading the app from there. Unlike the legitimate NordVPN that goes through a sign up process, here you can directly download the installer from Dropbox.

Here’s a summary of the traffic flow from the malicious ad to the download link:

Malware payload

The downloaded file is called NordVPNSetup.exe and is digitally signed, as if it was from its official vendor; however, the signature is not valid.

The file contains both an installer for NordVPN and a malware payload. The installer for NordVPN is meant to give victims the illusion that they are actually installing a real file.

The payload is injected into MSBuild.exe and will connect to the malware author’s command and control server at 45.141.87[.]216 on port 15647.

That network traffic is detected by Emerging Threats as Arechclient2 Backdoor, an alias for SecTopRAT.

Conclusion

Malvertising continues to show how easy it is to surreptitiously install malware under the guise of popular software downloads. Threat actors are able to roll out infrastructure quickly and easily to bypass many content filters.

ThreatDown customers who have DNS Filtering can proactively block online ads by enabling the rule for advertisements. This is a simple, and yet powerful way to prevent malvertising across an entire organization or in specific areas.

The malicious ad and related indictors have been reported as we work with industry partners to take down this campaign.

Indicators of Compromise

Malicious domains

nordivpn[.]xyz
besthord-vpn[.]com

Fake NordVPN installer

e9131d9413f1596b47e86e88dc5b4e4cc70a0a4ec2d39aa8f5a1a5698055adfc

SecTopRAT C2

45.141.87[.]216

On April 2, 2024, Jackson County tweeted that it had identified significant disruptions within its IT systems, “potentially attributable to a ransomware attack”. Jackson County is one of 114 counties in Missouri, with a population of approximately 718,000 people, mostly in Kansas City.

We have identified significant disruptions within our IT systems, potentially attributable to a ransomware attack. Departments impacted so far include Assessment, Records, & Collections. Offices will be closed until further notice.https://t.co/kyRMmwtiTj pic.twitter.com/piOt3khPK8

— Jackson County MO (@JacksonCountyMO) April 2, 2024

The tweet explains that the attack has affected systems dealing with “tax payments and online property, marriage license and inmate searches,” and says that “the Assessment, Collection and Recorder of Deeds offices at all County locations will be closed until further notice.”

The Kansas City Board of Elections and Jackson County Board of Elections are not affected. County officials also confirmed that the compromised systems did not store residents’ financial data.

“In its commitment to protect residents, Jackson County prioritizes the security of sensitive financial information and does not keep any such data on its systems. Instead, these crucial details are securely handled and stored by our trusted partner, Payit.”

On the same date an executive order declared a state of emergency. The state of emergency exists to help officials investigate and take necessary measures without the need for the usual requirements of competitive bidding. And it allows them to make appropriations from the County’s emergency fund, and additional financial adjustments, to address the requirements imposed by the emergency.  

Today, the official Jackson County site says that the Jackson County offices will remain closed through Friday April 5.

Even though it looks like the county had its emergency plans ready and the county associates, especially those within the IT department, played a critical role in mitigating the impact of the attack, the impact of such a ransomware attack is not to be underestimated.

The County is investigating the security breach with the help of law enforcement agencies and cybersecurity experts. So far, there is no information available about the ransomware group that is behind this attack, but we’ll keep you posted.

How to avoid ransomware

• Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
• Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
• Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
• Stop malicious encryption. Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
• Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
• Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

In April’s update for the Android operating system (OS), Google has patched 28 vulnerabilities, one of which is rated critical for Android devices equipped with Qualcomm chips.

You can find your device’s Android version number, security update level, and Google Play system level in your Settings app. You’ll get notifications when updates are available for you, but you can also check for updates.

If your Android phone is at patch level 2024-04-05 or later then the issues discussed below have been fixed. The updates have been made available for Android 12, 12L and 13. Android partners are notified of all issues at least a month before publication, however, this doesn’t always mean that the patches are available for devices from all vendors.

For most phones it works like this: Under About phone or About device you can tap on Software updates to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The Qualcomm CVE is listed as CVE-2023-28582. It has a CVSS score of 9.8 out of 20 and is described as a memory corruption in Data Modem while verifying hello-verify message during the Datagram Transport Layer Security (DTLS) handshake.

The cause of the memory corruption lies in a buffer copy without checking the size of the input. Practically, this means that a remote attacker can cause a buffer overflow during the verification of a DTLS handshake, allowing them to execute code on the affected device.

Another vulnerability highlighted by Google is CVE-2024-23704, an elevation of privilege (EoP) vulnerability in the System component that affects Android 13 and Android 14.

This vulnerability could lead to local escalation of privilege with no additional execution privileges needed. Local privilege escalation happens when one user acquires the system rights of another user. This could allow an attacker to access information they shouldn’t have access to, or perform actions at a higher level of permissions.

Pixel users

Google warns Pixel users that there are indications that two high severity vulnerabilities may be under limited, targeted exploitation. These vulnerabilities are:

• CVE-2024-29745: An information disclosure vulnerability in the bootloader component. Bootloaders are one of the first programs to load and ensure that all relevant operating system data is loaded into the main memory when a device is started.
• CVE-2024-29748: An elevation of privilege (EoP) vulnerability in the Pixel firmware. Firmware is device-specific software that provides basic machine instructions that allow the hardware to function and communicate with other software running on the device.

On Pixel devices, a security patch level of 2024-04-05 resolves all these security vulnerabilities.

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Google has announced the introduction of Device Bound Session Credentials (DBSC) to secure Chrome users against cookie theft.

In January we reported how hackers found a way to gain unauthorized access to Google accounts, bypassing multi-factor authentication (MFA), by stealing authentication cookies with info-stealer malware. An authentication cookie is added to a web browser after a user proves who they are by logging in. It tells a website that a user has already logged in, so they aren’t asked for their username and password over and over again. A cybercriminal with an authentication cookie for a website doesn’t need a password, because the website thinks they’ve already logged in. It doesn’t even matter if the owner of the account changes their password.

At the time, Google said it would take action:

“We routinely upgrade our defenses against such techniques and to secure users who fall victim to malware. In this instance, Google has taken action to secure any compromised accounts detected.”

However, some info stealers reportedly updated their methods to counter Google’s fraud detection measures.

The idea that malware could steal authentication cookies and send them to a criminal did not sit well with Google. In its announcement it explains that, “because of the way cookies and operating systems interact, primarily on desktop operating systems, Chrome and other browsers cannot protect them against malware that has the same level of access as the browser itself.”

So it turned to another solution. And if the simplicity of the solution is any indication for its effectiveness, then this should be a good one.

It works by using cryptography to limit the use of an authentication cookie to the device that first created it. When a user visits a website and starts a session, the browser creates two cryptographic keys—one public, one private. The private key is stored on the device in a way that is hard to export, and the public key is given to the website. The website uses the public key to verify that the browser using the authentication cookie has the private key. In order to use a stolen cookie, a thief would also need to steal the private key, so the more robust the “hard to export” bit gets, the safer your cookies will be.

Google stated in its announcement that it thinks this will substantially reduce the success rate of cookie theft malware. This would force attackers to act locally on a device, which makes on-device detection and cleanup more effective, both for anti-malware software as well as for enterprise managed devices.

As such, Device Bound Session Credentials fits in well with Google’s strategy to phase out third-party cookies.

Development of the project is done in the open at Github with the goal of DBSC becoming an open web standard. The goal is to have a fully working trial ready by the end of 2024. Google says that identity providers such as Okta, and browsers such as Microsoft Edge, have expressed interest in DBSC as they want to secure their users against cookie theft.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Telecommunications giant AT&T has finally confirmed that 73 million current and former customers have been caught up in a massive dark web data leak. The leaked data includes names, addresses, mobile phone numbers, dates of birth, and social security numbers.

The data came to light a few weeks ago when it was put up for sale on an online cybercrime forum, but the seller, a hacker calling themselves “MajorNelson”, claimed it had been stolen from AT&T three years prior.

In 2021, a hacker named “Shiny Hunters” put a database apparently containing the personal details of 70 million AT&T customers up for sale, but AT&T denied the leak was its data, and denied it again when the data appeared on the dark web last month. It has since revised its position as it wrestles with the thorny problem of investigating what happened on its computers three years ago.

In its latest statement, the company confirmed that the leak contained “AT&T data-specific fields,” but said it had not yet determined the source of that data.

AT&T has determined that AT&T data-specific fields were contained in a data set released on the dark web approximately two weeks ago. While AT&T has made this determination, it is not yet known whether the data in those fields originated from AT&T or one of its vendors. With respect to the balance of the data set, which includes personal information such as social security numbers, the source of the data is still being assessed.

However, it also said that it believes that the leak affects 7.6 million current customers, and the leaked data is “from 2019 or earlier”.

Based on our preliminary analysis, the data set appears to be from 2019 or earlier, impacting approximately 7.6 million current AT&T account holders and approximately 65.4 million former account holders.

In a separate statement, the company also said it is reaching out to the people affected by the breach.

It has come to our attention that a number of AT&T passcodes have been compromised. We are reaching out to all 7.6M impacted customers and have reset their passcodes. In addition, we will be communicating with current and former account holders with compromised sensitive personal information.

Personal information like names, addresses, phone numbers, passcodes, and social security numbers are prized assets for cybercriminals because they can be used to make scams much more believable.

In particular, this information will make it easier for criminals to pose as AT&T, and all 73 million people affected by this breach will need to be on their guard for scammers using it as a pretext to send personalised, AT&T-branded emails and messages.

Protecting yourself from a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check if your data has been breached

Our Digital Footprint records now include the AT&T data so you can check if your information has been exposed online. Submit your email address (it’s best to submit the one you use most frequently) to our free Digital Footprint scan and we’ll send you a report.

SCAN NOW

First released for Windows last year, the Malwarebytes Trusted Advisor dashboard is also now available on Mac, iOS and Android. 

Our Trusted Advisor dashboard provides an easy-to-understand assessment of your device’s security, with a single comprehensive protection score, and clear, expert-driven advice. 

In our recent report, “Everyone’s afraid of the internet, and no-one’s sure what to do about it,” we found that only half of the people surveyed feel confident they know how to stay safe online and even fewer are taking the right measures. 

So, though the fears are big, they are followed by very little action. We want to make things easy for our customers so they know what they should be doing, and how. 

Computer security can be difficult and time consuming, especially if you consider all the different devices and operating systems. We want to help our customers, whatever they use. 

Getting it right means knowing what software needs to be updated, whether your system settings are configured securely, and running active protection that can uncover hidden threats. 

Getting it wrong means leaving gaps in your defences that malware, criminal hackers, and other online threats can sneak through. 

Trusted Advisor takes away the guesswork by delivering a holistic assessment of your security and privacy in a way that’s easy to understand, making issues simple to correct. It combines the proven capabilities of Malwarebytes with the knowledge of the brightest industry experts to give you an expert assessment that puts you one step ahead of the cybercrooks. 

Protection score

At the heart of Trusted Advisor is a single, easy-to-understand protection score. If you’re rocking a 100% rating then you know you’re crushing it. 

If your score dips below 100%, we’ll explain why, and offer you a checklist of items to improve your security and boost your score. 

Trusted Advisor’s recommendations are practical and jargon-free, so they’re easy to action.

Six steps to security

Trusted Advisor monitors various categories of information around security and privacy to assess your overall Protection Score: 

• Real-time protection monitors your device continuously, stopping and removing threats like malware as they appear. It’s vital for keeping you safe from the most destructive threats and the most common methods of infection, so Trusted Advisor will alert you if you aren’t fully protected. 
• Software updates fix the coding flaws that cybercriminals exploit to steal data or put malware on your system. Staying up to date is one of the most important things you can do for your security, so Trusted Advisor has your back here too. 

• General settings covers settings within Malwarebytes, Operating Systems, or your network preferences. Trusted Advisor checks for settings that may not be configured correctly. For example, on iOS it ensures you have defined a passcode for your device and activated web and call protection. 
• Device scans are routine scans that seek out hidden threats on your system. Trusted Advisor will tell you if you get behind and need to run a scan manually. 
• Online privacy helps you take a proactive stance on your privacy by hiding your IP address and blocking third-party ad trackers, making you’re harder to track on the web. Trusted Advisor monitors this so you only part with the personal information you intend to. 
• Device health guards against slowdowns and other performance problems. Trusted Advisor helps you get the most out of your system so that you aren’t left guessing whether it was malware grinding your device to a halt. 

Even with an excellent score, you can’t guarantee absolute safety, though it places you in the closest proximity to it. By following our recommendations, you’ll be in the best security situation you can be.

Try it today

If you’re an existing Malwarebytes customer you will get Trusted Advisor automatically, but if you’re in a hurry, you can go to Settings > About > Check for updates and get it right now. If you aren’t, you can get Trusted Advisor by just downloading the latest version of Malwarebytes.

Educational institutions may face a range of cyberthreats in 2024, but our 2024 State of Malware in Education report identifies the six most critical ones.

Ransomware, for example, stands out as a key threat for schools and universities. The report covers how last year, we witnessed a 92% increase in ransomware attacks in K-12 schools and a 70% increase in Higher Education. The trend appears set to continue, partly due to specialized ransomware groups like Rhysida (formerly Vice Society) targeting educational sectors.  

Education ransomware attacks, 2022 – 2023

Another major threat our 2024 State of Malware in Education covers is the reduction of conventional malware in favor of Living off The Land (LOTL) attacks. LOTL attacks exploit legitimate system tools to remain undetected while conducting harmful activities.

Our report suggests that educational institutions must employ expert staff to manually identify LOTL activities, which traditional malware detection tools miss. For example, we recently wrote how one K-12 district used MDR to uncover malicious PowerShell activity and stop an ongoing infection.

Some other trends and threats educational institutions can expect in the report to cover include:

• Why targeting Macs has become an easy choice for criminals 
• How CL0P is rewriting the ransomware playbook and why Big Game ransomware remains the most serious threat.
• How cybercriminals use ‘malvertising’ to target educational institutions with malicious ads for popular for remote learning such as Zoom. 

As we progress into 2024, the reality is that educational institutions’ success in pairing state of the art security software with skilled security staff will be a deciding factor in their ability to take down the most serious cyberthreats. 

To understand the complete list of threats facing educational institutions in 2024 and how to tackle them, get the full 2024 State of Malware in Education report—tailored to either K-12 or Higher Ed—below.

Get the 2024 State of Malware report (K-12 version) Get the 2024 State of Malware report (Higher Education version)

Researchers at HUMAN’s Satori Threat Intelligence have discovered a disturbing number of VPN apps that turn users’ devices into proxies for cybercriminals without their knowledge, as part of a camapign called PROXYLIB.

Cybercriminals and state actors like to send their traffic through other people’s devices, known as proxies. This allows them to use somebody else’s resources to get their work done, it masks the origin of their attacks so they are less likely to get blocked, and it makes it easy for them to keep operating if one of their proxies is blocked.

An entire underground market of proxy networks exists to service this desire, offering cybercriminals flexible, scalable platfroms from which to launch activities like advertising fraud, password spraying, and credential stuffing attacks.

The researchers at HUMAN found 28 apps on Google Play that turned unsuspecting Android devices into proxies for criminals. 17 of the apps were free VPNs. All of them have now been removed from Google Play.

The operation was dubbed PROXYLIB after a code library shared by all the apps that was responsible for enrolling devices into the ciminal network.

HUMAN also found hundreds of apps in third-party repositories that appeared to use the LumiApps toolkit, a Software Development Kit (SDK) which can be used to load PROXYLIB. They also tied PROXYLIB to another platform that specializes in selling access to proxy nodes, called Asocks.

Protection and removal

Android users are now automatically protected from the PROXYLIB attack by Google Play Protect, which is on by default on Android devices with Google Play Services.

The affected apps can be uninstalled using a mobile device’s uninstall functionality. However, apps like these may be made available under different names in future, which is where apps like Malwarebytes for Android can help.

Recommendations to stay clear of PROXYLIB are:

• Do not install apps from third-party websites.
• Do not install free VPNs.
• Use Malwarebytes for Android.

Victims of novel attacks like PROXYLIB might notice slow traffic, because their bandwidth is in use for other purposes. And at some point their IP address may be blocked by websites and other services.

The researchers included a list of applications they uncovered as part of PROXYLIB. If you installed any of the apps on the list before they were removed from Google Play you will need to uninstall them.

We don’t just report on privacy—we offer you the option to use it.

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

Last week on Malwarebytes Labs:

• MFA bombing taken to the next level
• How to back up your Mac
• How to back up your Windows 10/11 PC to OneDrive
• How to back up your iPhone to a Windows computer
• How to back up your iPhone to a Mac
• How to back up your iPhone to iCloud
• Powering the future of ThreatDown with AI
• Stopping a K-12 cyberattack (SolarMarker) with ThreatDown MDR
• Facebook spied on Snapchat users to get analytics about the competition
• Update Chrome now! Google patches possible drive-by vulnerability
• Disturbing robocaller fined $9.9 million
• Meta to abandon social media tracking tool CrowdTangle
• Patch now: Mozilla patches two critical vulnerabilities in Firefox
• YouTube ordered to reveal the identities of video viewers
• Vans warns customers of data breach
• Securing your home network is long, tiresome, and entirely worth it, with Carey Parker: Lock and Code S05E07
• 3 important lessons from a devastating ransomware attack

Stay safe!

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Simply put, MFA bombing (also known as “push bombing” or “MFA fatigue”) is a brute force attack on your patience. Cybercriminals use MFA bombing to break into accounts that are protected by multi-factor authentication (MFA).

MFA normally requires a user to enter a six-digit code sent by SMS, or generated by an app, or to respond to a push notification, when they enter a username and password. It provides an enormous increase in security and makes life much harder for criminals.

Because it’s so hard to break, criminals have taken to getting users to defeat their own MFA. They do this by using stolen credentials to try logging in, or by trying to reset a user’s password over and over again. In both cases this bombards the user with push notifications asking them to approve the login, or messages asking them to change their password. By doing this, the criminals hope that users will either tap the wrong option or get so fed up they just do whatever the messages are asking them to do, just to make the bombardment stop.

Now, according to this blog by Bran Krebs, these attacks have evolved. If you can withstand the pressure of the constant notifications, the criminals will call you pretending to come to your rescue.

In one example Krebs writes about, criminals flooded a target’s phone with password reset notifications for their Apple ID. Each notification required the user to choose either “Allow” or “Don’t Allow” before they could go back to using their device.

After withstanding the temptation to click “Allow”, and declining “100-plus” notifications, the victim receved a call from a spoofed number pretending to be Apple Support.

The call was designed to get the victim to trigger a password reset, and then to hand over the one-time password reset code sent to their device. Armed with a reset code, the criminals could change the victim’s password and lock them out of their account.

Luckily, in this situation the victim thought the callers seemed untrustworthy, so he asked them to provide some of his personal information, and they got his name wrong.

Another victim of MFA bombing learned that the notifications kept coming even after he bought a new device and created a new Apple iCloud account. This revealed that the attacks must have been targeted at his telephone number, because it was the only constant factor between the two device configurations.

Yet another target was told by Apple that setting up an Apple Recovery Key for his account would stop the notifications once and for all, although both Krebs and the victim dispute this.

Unfortunately, there doesn’t seem to be a lot you can do once an MFA bombing attack starts other than be patient, and be careful not to click Allow. If you get a call, know that Apple Support will never call you out of the blue, so don’t trust the caller, no matter how convenient their timing.

If you lose control of your Apple ID, go to iforgot.apple.com to start the account recovery process.

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Backing up your Mac computer doesn’t need to be intimidating.

By taking advantage of a user-friendly feature released by Apple several years ago, the entire backup process can be handled almost automatically, preserving your most important files, photos, applications, and emails from cyberthreats and mishaps.

Before starting the backup process, you will need an external storage device that can connect to your Mac with a USB or Thunderbolt cable. External storage devices, which are sometimes called external hard drives, are developed and sold by many different companies, including Lacie, SanDisk, and Western Digital.

If you do not have an external storage device, you must first get one. You should also follow Apple’s recommendation that your external storage device be twice as large as the hard drive of your Mac computer.

To find the hard drive size of your current Mac, open the System Settings app on your computer. On the left-hand rail, click General and then, in the window open to the right, click Storage.

Several statistics and options will be shown.

At the top of the Storage section, the hard drive space is shown. Here, it is 494.38 GB, or 500 GB roughly.

The Mac shown here has 500 GB of internal storage. If we were to back this Mac up, we would need to use an external storage device of 1 TB (terabyte).

Once you have your external storage device, you can begin the actual backup processs.

The simplest way to back up your Mac is with the built-in feature “Time Machine.”

First, connect your external storage device to your Mac.

Then, you need to set up that storage device as your “backup disk.” This means that, from this point forward, your external storage device will have one primary use, and that is as a backup device that syncs with Time Machine. Apple recommends that you do not use your external storage device that you are using with Time Machine for anything other than Time Machine backups.

To set up your storage device as your backup disk, follow these instructions:

Go to System Settings.  

Click on General in the left sidebar.

From here, click on Time Machine in the main window displayed to the right.

From the Time Machine menu, click Add Backup Disk or click the “Add” button (+).

From here, select your external storage device and then click Set Up Disk.

At this point in the process, you may receive two options from Time Machine:

1. If your device has other files on it, you will be asked if you want to erase the device so that it can be used solely as a backup with Time Machine. You can erase the files immediately and then continue the backup process through Time Machine. If you do not want to erase the files, you need to get a separate external storage device that will be used exclusively as a backup with Time Machine.
2. If your external storage device already has backups from a prior computer, you will be asked whether you can to keep those backups and roll them into new backups made with Time Machine. This is up to you.

From here, the backup process is nearly done.

To make a backup, simply click on Back Up Now from the Time Machine menu.

Your first backup could take a long time to complete, but know that you can continue using your computer like normal while the process happens in the background.

From here on, whenever you attach your external storage device to your Mac, Time Machine will automatically ask to make a backup of the changes to your Mac. You can also change the frequency of your backups in your Time Machine Settings.

They say the only backup you ever regret is the one you didn’t make. Starting in Windows 10, the operating system (OS) now comes with a built-in tool to back up your files, themes, some settings, many of your installed apps, and your Wi-Fi information.

First, you’ll need to sign in with your Microsoft account

Go to Start  > Settings  > Accounts  > Your info . Select Sign in with a Microsoft account instead. You’ll see this only if you’re using a local account. If you see Sign in with a local account instead, you’re already using your Microsoft account.

To start the backup process select Start  > Windows Backup.

Select Folders to drop down a list, and select which of your user folders you want to back up by toggling them On or Off. The ones you have already backed up will say Backed up next to them.

Next, you can move forward to back up your settings. You can use the drop down for each category and select the items you want to back up by setting them to On or Off.

First choose your apps:

Then your settings:

Then your credentials:

When you’ve decided on what to back up, click Back up and the backup will be made.

From this point on, Windows will synchronize these backups at regular intervals. If it’s been a while since you made your backups or changed your settings, you can check the status by going to Start  > Settings  > Accounts  > Windows backup.

Current status

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

They say the only backup you ever regret is the one you didn’t make. iPhone backups can be used to easily move your apps and data to a new phone, to recover things you’ve lost, or to fix things that have failed.

We’ve published posts on how to back up your iPhone to iCloud, and how to backup an iPhone to a Mac. Another method is to backup using the iTunes app on a Windows system.

Choose whichever backup method works best for you, and will continue to work.

First, connect your iPhone to the Windows system with a cable.

You are likely to see a prompt on your iPhone asking whether it can trust this computer.

To proceed, tap Trust and entering your passcode.

Then open the iTunes app on your Windows device.

In iTunes click the Device symbol in the upper left corner (next to the Music drop down box).

Note: It may take a while before the device icon appears

In the Settings of the iTunes app select Summary.

You’ll see some device data about your iPhone, and below that a Backups menu.

Here you can select either iCloud or This Computer.

To create a local backup select This Computer and click on Back Up Now to create a new backup of your iPhone on your Windows System.

To encrypt your backups, select Encrypt local backup, type a password, then click Set Password.

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

They say the only backup you ever regret is the one you didn’t make. iPhone backups can be used to easily move your apps and data to a new phone, to recover things you’ve lost, or to fix things that have failed.

One of the most cost effective ways to backup your iPhone is to save backups to your Mac. Backups are made automatically whenever you connect your iPhone to your Mac with a lead. Be aware though that backups can take up a lot of space on your Mac, and that if your Mac is lost, stolen, or inoperable, then you won’t be able to access your iPhone backups. If you need daily backups or backups that can always be accessed from anywhere, you may prefer to backup your iPhone to iCloud.

This guide tells you how to enable backups to your Mac, and how to check that everything is working as you expect.

First, connect your iPhone or iPad to a Mac using a cable.

Open the Finder app and select your iPhone from the list of Locations.

Click General.

Under Backups, choose Back up all of the data on your iPhone to this Mac.

To encrypt your backup data and protect it with a password, select Encrypt local backup. You will be prompted for a password.

Click Back Up Now.

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

They say the only backup you ever regret is the one you didn’t make. iPhone backups can be used to easily move your apps and data to a new phone, to recover things you’ve lost, or to fix things that have failed.

The most convenient way to backup your iPhone is to have it backup to iCloud. Backups are made every day, automatically, provided your phone is connected to power and locked. Be aware though that backups take take up a lot of your iCloud storage, and your phones’ data plan if you choose to backup when you aren’t connected to Wi-Fi. If those are likely to be problems for you, you might prefer to backup your iPhone to your Mac.

This guide tells you how to enable backups to iCloud, and how to check that everything is working as you expect.

Open the Settings app.

Then tap where you see your name and Apple ID, iCloud+, Media & Purchases.

Next, tap iCloud.

Scroll down and tap iCloud Backup.

Toggle Back Up This iPhone to on.

This may reveal a Back Up Over Cellular Data or Back Up Over Mobile Data toggle. This creates backups when you aren’t connected to Wi-Fi. Because backups can use a lot of data, toggling this on may cause you to exceed your data plan.

Once you have made a backup, you can access it from this screen under ALL DEVICE BACKUPS.

You can return to the previous screen by tapping the < iCloud link at the top. This screen shows you how much storage space your backups are using. To see a little more detail, tap Manage Account Storage.

Scroll down the list of apps until you see Backups to see how much storage your backups are using.

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Nobody can deny the influence of AI today. In just a few years, we have observed AI’s capacity to be as transformative as the internet and smartphones, especially for cybersecurity. Indeed, the potential of AI to radically simplify complex security environments is unmistakable, and aligns closely with our mission at ThreatDown to reduce threats, complexity, and costs for our customers.

With continuous advancements in AI and its ever-expanding potential to enhance user experiences, ThreatDown remains dedicated to integrating these technologies into our solutions going forward. Let’s dive into where we are with AI and where we’re headed.

What led us here

We’ve always been big on democratizing security for all, and we believe AI has the potential to do just that. With this in mind, in late March 2024 we added a powerful AI functionality to our industry-leading Security Advisor. Users can now use simple natural language requests to search for information about their environment, ask for recommendations on how to optimize their security posture, and more.

Users will now see an “Ask AI” search bar on the Endpoints, Detections and Vulnerabilities pages

The deployment of generative AI into our Security Advisor propels us closer to our goal to make security management more accessible, especially for companies with constrained IT resources. Generative AI’s ability to sift through vast datasets to highlight essential issues and suggest actions significantly lowers the barrier to advanced security, eliminating the necessity for deep security know-how among users. But we’re not done yet.

Where we’re going

As we integrate generative AI, we envisage a host of potential advancements that could further revolutionize security management:

• Global AI search: Our team is considering the development of a universal AI search feature, integrated across all products, that can comprehend natural language queries and surface relevant data.
• Evolving summarization techniques: Imagine an AI that can not only summarize threats detected by EDR tools but also provides remediation steps with contextual help to follow along.
• Dynamic security recommendations: We’re exploring the possibility of AI that not only provides recommendations but also adapts them in real-time based on the evolving security context of each user.

Pioneering simplicity in security with AI

AI will likely become a bigger and bigger fixture in security as the years go on, and as it evolves, ThreatDown is deeply committed to simplifying security management through the power of AI.

Nebula users can use Security Advisor and its AI capabilities today. Learn more.

In early 2024, a large K-12 school district partnered with ThreatDown MDR to strengthen its cybersecurity posture. Shortly after onboarding, ThreatDown MDR analysts detected unusual patterns of activity subsequently identified as the work of SolarMarker, a sophisticated backdoor. It became evident that SolarMarker had been present in the district’s system since at least 2021, likely exfiltrating data over several years.

Let’s dive further into the investigation’s findings and the steps taken to mitigate the threat.

SolarMarker infection Background

The incident began with the detection of an anomalous instance of PowerShell attempting to establish an outbound network connection to a suspicious IP address (188.241.83.61). This connection attempt was thwarted by Malwarebytes Web Protection (MWAC), signaling the first indication of a potential security breach.

Initial challenges

Upon investigation, it was discovered that Endpoint Detection and Response (EDR) settings were disabled in the client’s endpoint policy. This limitation prevented the use of Fast Response Scanning (FRS) to capture and analyze detailed endpoint data, necessitating a manual approach to the investigation utilizing Active Response Scanning (ARS).

Investigation and analysis

The first step involved querying active network connections with netstat, which revealed an instance of PowerShell in operation. To further understand the nature of this PowerShell instance, its command line was examined using Windows Management Instrumentation Command-line (WMIC) with the process ID (PID), which unveiled obfuscated code.

Decoding and understanding SolarMarker

The obfuscated PowerShell code was extracted and refactored for clarity. The analysis revealed the following components of the malware’s operation:

powershell $decodeKey = '<Base64_encoded_string>' $encodedFilePath = 'C:\Users\akeith\AppData\Roaming\micROSoft\wbpgVnSBjsytaokm\JqdVQplHfgwxyNmtaPX.gvzPlATqFe' $decodedPayload = [System.IO.File]::ReadAllBytes($encodedFilePath) for ($payloadIndex = 0; $payloadIndex -lt $decodedPayload.Count; $payloadIndex++) {  $decodedPayload[$payloadIndex] = $decodedPayload[$payloadIndex] -bxor $decodeKey[$payloadIndex % $decodeKey.Length]  if ($payloadIndex -ge $decodeKey.Length) {  $payloadIndex = $decodeKey.Length  } } [System.Reflection.Assembly]::Load($decodedPayload) [ab821408b424418fa94bb4d815b4e.ad0682a943e4859ef35309cc0a537]::a1f5abfa214411baa77e25f6ceaa6()

This code reveals the malware’s methodology:

• It utilizes a Base64-encoded string as a decryption key.
• It targets a specific file path for encoded data.
• It reads, decodes, and executes the encrypted payload.

The command line shows signs of the malicious script execution, with parameters indicative of a desire to hide the window (-WindowStyle Hidden), bypass execution policies (-Ep ByPass), and run encoded commands (-ComMand “sa43…). 

Further investigation uncovered randomly named folders within the AppData\Roaming\Microsoft directory, each containing encoded payloads. These discoveries suggested a more widespread infection than initially anticipated.

Response and mitigation

The response involved several steps to contain and eliminate the threat:

• Terminating the malicious PowerShell instance.
• Deleting the identified folders containing encoded payloads.
• Conducting a thorough search for persistence mechanisms, which fortunately yielded no findings.

A comprehensive threat scan was executed, and the incident was escalated for visibility with the client. Post-reboot checks confirmed the absence of persistence, no spawn of new PowerShell instances, and blocking of suspicious network connections, indicating successful remediation of the infection.

Conclusion

As we’ve seen in our 2024 State of Ransomware in Education report, the educational sector continues to be a prime target for attackers. In this case, attackers used SolarMarker, a sophisticated backdoor, to lurk within the school district’s network for years, likely stealing data in the process. Its presence went undetected until the district onboarded with ThreatDown MDR. Despite facing initial obstacles, such as disabled EDR settings, the ThreatDown MDR team successfully identified and neutralized the SolarMarker infection through manual intervention.

Discover how ThreatDown MDR can safeguard your K-12 institution.

Social media giant Facebook snooped on Snapchat users’ network traffic, engaged in anticompetitive behavior and exploited user data through deceptive practices. That’s according to a court document filed March 23, 2024.

The document mentions Facebook’s so-called In-App Action Panel (IAAP) program, which existed between June 2016 and approximately May 2019. The IAAP program, used an adversary-in-the-middle method called to intercept and decrypt Snapchat’s—and later YouTube’s and Amazon’s—SSL-protected analytics traffic to provide information for Facebook’s competitive decision making. Secure Sockets Layer (SSL) is a standard security technology for establishing an encrypted link between a server and a client.

On June 9, 2016, Facebook CEO Mark Zuckerberg complained about the lack of analytics about competitor Snapchat.

“Whenever someone asks a question about Snapchat, the answer is usually that because their traffic is encrypted we have no analytics about them. . . .

Given how quickly they’re growing, it seems important to figure out a new way to get reliable analytics about them. Perhaps we need to do panels or write custom software. You should figure out how to do this.”

So, as part of the IAAP program, the company started Project Ghostbusters by using Onavo. Onavo was a VPN-like research tool that Facebook acquired in 2013. In 2019, Facebook shut down Onavo after a TechCrunch investigation revealed that Facebook had been secretly paying teenagers to use Onavo so the company could access all of their web activity.

The Project Ghostbusters technique relied on technology known as a server-side SSL bump performed on Facebook’s Onavo servers. SSL bumping, also known as SSL interception, involves intercepting and decrypting SSL/TLS traffic, inspecting it for malicious content or policy violations, and then re-encrypting and forwarding it to the intended destination.

To gain access to the data about their competitor, Facebook incentivized users to install “kits” on both Android and iOS devices that impersonated official servers and decrypted traffic that Facebook had no right to access.

These kits allowed Facebook to intercept traffic for specific sub-domains, allowing them to read what would otherwise be encrypted traffic and to measure in-app usage of their competitor’s apps. The users were clueless about what the kits did exactly, but it allowed the operators to view and analyze the traffic before it got encrypted.

According to the court documents, advertisers suing Meta claim that Facebook later expanded the program to Amazon and YouTube. This practice is likely in violation of wiretapping laws and “potentially criminal.” Facebook’s secret program likely violated the Wiretap Act, because it prohibits intentionally intercepting electronic communications with no applicable exception and the use of such intercepted communications.

We’ll keep you updated on how this develops.

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Google has released an update to Chrome which includes seven security fixes. Version 123.0.6312.86/.87 of Chrome for Windows and Mac and 123.0.6312.86 for Linux will roll out over the coming days/weeks.

The easiest way to update Chrome is to allow it to update automatically, which basically uses the same method as outlined below but does not require your attention. But you can end up lagging behind if you never close the browser or if something goes wrong—such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time, given the severity of the vulnerability in this patch. My preferred method is to have Chrome open the page chrome://settings/help which you can also find by clicking Settings > About Chrome.

If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete, and for you to be safe from those vulnerabilities.

After the update, the version should be 123.0.6312.86, or later

Technical details

Google never gives out a lot of information about vulnerabilities, for obvious reasons. Access to bug details and links may be kept restricted until a majority of users are updated with a fix.

There is one critical vulnerability that looks like it might be of interest to cybercriminals.

CVE-2024-2883: Use after free (UAF) vulnerability in Angle in Google Chrome prior to 123.0.6312.86 could allow a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Angle is a browser component that deals with WebGL (short for Web Graphics Library) content. WebGL is a JavaScript API for rendering interactive 2D and 3D graphics within any compatible web browser without the use of plug-ins.

UAF is a type of vulnerability that is the result of the incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. In this case, when the vulnerability is exploited, it can lead to heap corruption.

Heap corruption occurs when a program modifies the contents of a memory location outside of the memory allocated to the program. The outcome can be relatively benign and cause a memory leak, or it may be fatal and cause a memory fault, usually in the program that causes the corruption.

Chromium vulnerabilities are considered critical if they “allow an attacker to read or write arbitrary resources (including but not limited to the file system, registry, network, etc.) on the underlying platform, with the user’s full privileges.”

So, to sum this up, in this case an attacker could create a specially crafted HTML page–which can be put online as a website–that exploits the vulnerability, potentially leading to a compromised system.

My suggestion: don’t wait for the update, get it now.

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

A federal court in Montana has fined a man $9.9 million after he was found responsible for causing thousands of unlawful and malicious spoofed robocalls.

Sometimes there is good news. Well, for almost everybody except for the robocaller who was found guilty of unlawful robocalls to people in states including Florida, Georgia, Idaho, Iowa and Virginia in 2018. The court also imposed an injunction prohibiting any future violations of the Truth in Caller ID Act and Telephone Consumer Protection Act.

Scott Rhodes spoofed his telephone number, so it appeared to his targets that he was calling from a local phone number. If they picked up, they were presented with recorded messages. Those messages included highly inflammatory and disturbing content, often directed at certain communities, that intended to offend or harm the recipients.

Those messages typically addressed tragic and controversial events that took place in the region. Many consumers who received the calls found the calls so disturbing, they submitted complaints to FCC and other law enforcement regarding unwanted and harassing robocalls.

The FCC traced the unlawful spoofed robocalls to Scott Rhodes, a resident of Idaho and Montana, and in January 2021, the FCC imposed a $9,918,000 forfeiture penalty against Rhodes. In September 2021, the Justice Department sued Rhodes in the District of Montana to recover that penalty and obtain an injunction.

In October 2023, the United States moved for summary judgment, and the court subsequently entered an injunction and the full $9,918,000 forfeiture penalty against Rhodes, after concluding based on a de novo review of the evidence that Rhodes committed the violations found by FCC. When a court hears a case as “de novo,” it is deciding the issues without reference to any legal conclusion or assumption made by the previous court to hear the case.

Principal Deputy Assistant Attorney General Brian Boynton, head of the Justice Department’s Civil Division commented:

“The department is committed to protecting consumers from deceptive robocalls. We are very pleased by the court’s judgment, and we will continue working with the FCC and other agency partners to vigorously enforce the telemarketing laws that prohibit these practices.”

Earlier this year we reported that the FCC efforts seem to be paying off, by showing an encouraging decline in robocalls.

Last year, another robocaller made headlines after the FCC issued a $300 million forfeiture to a persistent offender and shut down their operation.

What to do if you answer a robocall

When you receive a call from someone outside your contact list only to hear a recorded message playing back at you, that’s a robocall.

1. Hang up as soon as you realize that it is an automated robocall.
2. Do not engage with the call at all.
3. Don’t follow any instructions.
4. Avoid giving away any personal information.
5. Report the robocall.
   • If you’ve lost money to a phone scam or have information about the company or scammer who called you, tell the FTC at ReportFraud.ftc.gov.
   • If you didn’t lose money and just want to report a call, use the streamlined reporting form at DoNotCall.gov
   • If you believe you received an illegal call or text, report it to the Federal Communications Commission (FCC).

It is important to not engage in any conversation or respond to any prompts to minimize the risk of fraud. Even the smallest snippets of your voice being recorded, can be used in scams against you or your loved ones.

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.