Several international security agencies are echoing a warning by Ivanti about actively exploited vulnerabilities in its VPN solution.

Software vendor Ivanti has warned customers about two actively exploited vulnerabilities in all supported versions of Ivanti Connect Secure and Ivanti Policy Secure Gateways. Successful exploitation would give an attacker the ability to run arbitrary code on Ivanti’s Virtual Private Network (VPN) system.

The warning is echoed by several international security agencies like CISA and the German BSI. Both are flagging active exploitation of these two chained vulnerabilities. Ivanti Connect Secure is a widely used VPN solution that allows users to connect to their organization’s network.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs mentioned in these reports are:

CVE-2023-46805 (CVSS score 8.2 out of 10): an authentication bypass vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure, which allows a remote attacker to access restricted resources by bypassing control checks.

CVE-2024-21887 (CVSS score 9.1 out of 10): A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.

Ivanti Neurons for Secure Access is not vulnerable to these CVEs. However, the gateways being managed are independently vulnerable to them.

After attackers have used the authentication bypass to authenticate as an administrator they are able to install webshells on the VPN system to gain persistence, allowing them to execute commands on the compromised devices.

Active exploitation has been seen as far back as December 3, 2023. These attackers erased log files and turned logging off on the compromised system. Besides that, they had stolen configuration files, altered existing files, dropped remote files, and established a reverse tunnel allowing them unrestricted access.

One of the dropped files contained a JavaScript that stole the credentials of users that logged in, which could also be used for lateral movement.

**Mitigation**

Patches will be released on a schedule based on versions, with the first coming out in the week of January 22. The last version will come out the week of February 19.

> “We are releasing patches based upon telemetry information available to us from current installed solutions that notify us of the version number they are running. We are releasing patches for the highest number of installs first and then continuing in declining order.”

Until then, customers are under advice to apply a workaround and monitor their network traffic for suspicious activity and analyze the logs on their Connect Secure device.

The workaround requires importing a mitigation.release.20240107.1.xml file which can be obtained via the download portal (login required). The XML file is in the zipped format, so you’ll need to unzip and then import the XML file.

*   Navigate to **Maintenance** > **Import/Export** > **Import XML**
*   Use the **Browse** button to point to the unzipped XML file
*   Click the **Import** Button

Import of this XML into any one node of a Cluster is enough. A FAQ and more detailed instructions can be found in the Ivanti advisory article.

It is important to note that applying the workaround or a patch, when they are made available, is not enough to undo the effects of an attack. If you see signs that your instances have been compromised you should investigate or hire a specialized investigator to find out what the attackers may have obtained and what needs to be done to regain the required safety level.

CISA has added CVE-2023-46805 and CVE-2024-21887 to its Known Exploited Vulnerabilities Catalog, which requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by January 21, 2024 to protect FCEB networks against active threats.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

 Act now! Ivanti vulnerabilities are being actively exploited 

This month in ransomware: ALPHV and LockBit joining forces?

_This article is based on research by Marcelo Rivero, Malwarebytes’ ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, “known attacks” are those where the victim **did not** pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher._

In December, the ransomware scene saw 334 attacks, with the ALPHV shutdown saga continuing to grab the spotlight. In last month’s review, when we wrote about ALPHV’s infrastructure going offline, there was widespread speculation about law enforcement involvement, but no concrete evidence to confirm this. Now, the picture is becoming clearer. 

The previous theories about hardware failures within ALPHV are now overshadowed by the confirmed law enforcement action: recent updates revealed that the FBI played a pivotal role in disrupting ALPHV’s operations. This intervention led to the seizure of their URLs and enabled the recovery of decryption keys for many victims. 

The FBI’s recent operation against ALPHV has been a game-changer, not only disrupting the group’s activities but also denting their reputation in the cybercriminal community. The ripple effects? ALPHV affiliates are showing signs of mistrust, with some resorting to direct victim contact via email, and others shifting alliances to rival groups like LockBit. 

Adding to the intrigue, there’s talk of an emerging “cartel” between LockBit and ALPHV, according to messages on the dark web forums. This potential alliance could mark a new era in ransomware operations, where rivals look to pool resources and expertise in response to increasing law enforcement pressure. 

Known ransomware attacks by gang, December 2023

Known ransomware attacks by country, December 2023

Known ransomware attacks by industry, December 2023

In other news, LockBit’s attack on Capital Health last month was starkly reminiscent of events from a year prior. In December 2022, LockBit audaciously targeted SickKids (a hospital for sick children), impacting the hospital’s internal and corporate systems, phone lines, and website. Back then, LockBit’s unexpected apology for the hospital attack—blamed on a rogue affiliate, and self-forgiven with a free decryptor—was a rare moment of contrition in the otherwise ruthless world of cybercrime. 

Fast forward to December 2023, and the echoes of LockBit’s past actions were resonate.  

Despite their previous promises and operational policies against targeting healthcare institutions, LockBit has claimed the recent attack on Capital Health. And even though the gang claims they did not encrypt the hospital’s files, that didn’t leave the hospital unharmed.  

As we wrote recently:  

“\[The\] hospitals and physicians’ offices experienced IT outages that forced them to resort to emergency protocols designed for system outages. Several surgeries were moved to later dates and outpatient radiology appointments were canceled.” 

Or what ransomware gangs probably call a classic case of “no encryption, no problem” for creating havoc. 

This juxtaposition of LockBit’s 2022 apology with their ongoing aggressive actions in 2023 highlighted the duplicity inherent in the ransomware landscape. LockBit’s activities served as a sobering reminder that despite occasional gestures that seem to indicate restraint or remorse, the fundamental nature of ransomware operations remains unchanged—driven by disruption, data theft, and financial gain at the expense of vulnerable targets, including critical healthcare services. 

More broadly speaking, December saw a continuation of an unnerving trend of healthcare sector attacks we touched upon in last month’s review, with disruptive attacks on Massachusetts-based Anna Jaques Hospital and Liberty Hospital in Missouri. In a sector where timing and information can be a matter of life and death, such disruptions are more than mere inconveniences; they are potentially life-threatening. 

**New ransomware gangs****DragonForce**

DragonForce is a new ransomware gang that published 21 victims to their leak site last month, including a significant attack on the Ohio Lottery on Christmas Eve. In that attack, the group claims to have encrypted devices and stolen sensitive data amounting to over 600GB. including personal information of Ohio Lottery customers and employees.

While details about DragonForce are limited, their Ohio Lottery attack and their sophisticated negotiation methods suggest that DragonForce might be a rebranded version of a previous gang.

DragonForce leak site

**WereWolves**

WereWolves is a new ransomware group that posted 15 victims last month across various countries, including Russia, the USA, and parts of Europe. WereWolves is unusual for targeting Russian entities and employs a variant of LockBit3 ransomware in its attacks. They are known to target a range of sectors, with a particular focus on large-scale businesses. 

WereWolves leak site

**Preventing Ransomware**

Fighting off ransomware gangs requires a layered security strategy. Technology that preemptively keeps gangs out of your systems is great—but it’s not enough.

Ransomware attackers target the easiest entry points: an example chain might be that they first try phishing emails, then open RDP ports, and if those are secured, they’ll exploit unpatched vulnerabilities. Multi-layered security is about making infiltration progressively harder and detecting those who do get through.

Technologies like Endpoint Protection (EP) and Vulnerability and Patch Management (VPM) are vital first defenses, reducing breach likelihood.

The key point, though, is to assume that motivated gangs will eventually breach defenses. Endpoint Detection and Response (EDR) is crucial for finding and removing threats before damage occurs. And if a breach does happen—choose an EDR solution with ransomware rollback to undo changes and restore files.

****How ThreatDown Addresses Ransomware** **

ThreatDown Bundles take a comprehensive approach to ransomware. Our integrated solutions combine EP, VPM, and EDR technologies, tailored to your organization’s specific needs, including:  

*   Advanced Web Protection: Blocking phishing websites ransomware gangs use for initial access. 
*   RDP Shield: Securing remote access points with Brute Force Protection. 
*   Continuous Vulnerability Scanning and Patch Management: Identifying and patching weaknesses before ransomware gangs can exploit them. 
*   Sophisticated EDR: Detecting and neutralizing advanced threats such as LockBit within the network. 
*   Ransomware Rollback: Reversing the impact of any successful attacks. 

ThreatDown EDR detecting LockBit ransomware 

ThreatDown automatically quarantining LockBit ransomware 

For resource-constrained organizations, select ThreatDown bundles offer Managed Detection and Response (MDR) services, providing expert monitoring and swift threat response to ransomware attacks—without the need for large in-house cybersecurity teams. 

Try ThreatDown bundles today

 Ransomware review: January 2024 

Several info-stealers have incorporated an exploit that allows them to gain permanent access to your Google account

Hackers have found a way to gain unauthorized access to Google accounts, bypassing any multi-factor authentication (MFA) the user may have set up. To do this they steal authentication cookies and then extend their lifespan. It doesn’t even help if the owner of the account changes their password.

Since the discovery of the exploit, numerous white and black hat security researchers have looked into and discussed the issue. As a result, the exploit is now built into various information stealers.

Cookies are used to track users across websites and remember information about their visit. Authentication cookies are in essence pieces of data that the browser sends to a site to identify the user and check whether they are logged in. Usually these cookies have an expiration date after which the user will be asked to log in.

Persistent cookies enable a continuous access to Google services, even after the user resets their password. This exploit allows the generation of persistent Google cookies by using a Google Application Programming Interface (API) designed for synchronizing accounts across different Google services to bring back to life expired authentication cookies.

A Google account provides access to Google services like Gmail, Google Calendar, and Google Maps, but also Google Ads and YouTube.

In a statement Google responded:

> “We routinely upgrade our defenses against such techniques and to secure users who fall victim to malware. In this instance, Google has taken action to secure any compromised accounts detected.”

However, some info stealers have reportedly already been updated to counter Google’s fraud detection measures.

Sources familiar with this issue have told BleepingComputer that Google believes the API is working as intended and and that no vulnerability is being exploited by the malware, which implies that Google isn’t working on a more permanent fix for this problem.

**Review devices**

To check whether someone has accessed your account, you can view which computers, phones, or other devices that were signed in to your Google Account recently.

1.  Go to your Google Account.
2.  On the left navigation panel, select **Security** .
3.  On the _Your devices_ panel, select **Manage all devices**.
4.  You’ll see devices where you’re currently signed in to your Google Account or have been in the last few weeks. For more details, select a device or a session.
5.  Devices or sessions where you’re signed out will have a “Signed out” indication.
6.  If multiple sessions appear for the same device type, they might all be on one device or multiple devices. Review their details, and if you’re not sure all the sessions are from your devices, sign out on them.

**Remediate**

If you think your account has been compromised, you will have to sign out of all browsers to invalidate the current session tokens and then reset your password. Next you will need to sign back in to generate new tokens. Only this stops the unauthorized access because it invalidates the old tokens.

The steps outlined below are for administrators who manage Google Accounts for a company, school, or other group. As an administrator, you can sign a user out of a managed Google Account, such as Google Workspace or Cloud Identity.

To reset a user’s sign-in cookies:

1.  Sign in to your Google Admin console. Sign in using an _administrator account_, not your current account.
2.  In the Admin console, go to **Menu** > **Directory > Users**.
3.  In the **Users** list, find the user. If you need help, go to Find a user account.
4.  Click the user’s name to open the user’s account page.
5.  Click **Security > Sign-in cookies > Reset**.

What might help stop this abuse is if Google speeds up the announced end of tracking cookies. Obviously, we think it’s best to keep these information stealers off your computer.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Info-stealers can steal cookies for permanent access to your Google account 

Mac users should be aware of an active distribution campaign via malicious ads delivering Atomic Stealer. The latest iteration of the malware is stealthy thanks to added encryption and obfuscation of its code.

Last year, we documented malware distribution campaigns both via malvertising and compromised sites delivering Atomic Stealer (AMOS) onto Mac users. This stealer has proven to be quite popular in the criminal underground and its developers have been adding new features to justify its hefty $3000/month rental fee.

It looks like Atomic Stealer was updated around mid to late December 2023, where its developers introduced payload encryption in an effort to bypass detection rules. Some samples from crack websites made their way to VirusTotal around that time frame, followed by a malvertising campaign we observed in January 2024.

In this blog post, we will review the latest changes with Atomic Stealer and the recent distribution with malicious ads via the Google search engine.

In December, Atomic Stealer ran a promotion via a post on their Telegram channel to offer a special holiday discount to their customers:

> Welcome. From today until December 31, 2023, the price for a subscription to Atomic MacOs Stealer is only $2000 . Happy New Year!

While the developers did not specifically advertise this feature, it appears that around December 17 Atomic Stealer had changed some of its code to hide certain strings that were previously used for detection and identifying its command and control server.

Sample with strings in clear text (Dec 12), showing for example the IP address for the malware’s C2 server:

Obfuscated sample (Dec 17), using a new encryption routine that hides strings of interest:

Those two samples above also represent the different distribution channels that Atomic Stealer customers are using to distribute the malware. It’s possible customers using software cracks got access to the update Atomic Stealer before those that leverage malicious ads.

In fact, during the holiday break, we noticed a decrease in malvertising activity, in particular for the campaigns running via Google search ads. This was somewhat expected and typically extends into early January. However, on January 8, we identified a malvertising campaign using similar tactics seen previously by threat actors distributing FakeBat. In this instance, there was also a payload destined for Mac users, Atomic Stealer in its updated version.

**Malvertising with FakeBat – Atomic Stealer combo**

The threat actors are luring victims via a Google search ad impersonating Slack, the popular communication tool, and redirecting them to a decoy website where the app can be downloaded for both Windows and Mac:

The threat actors are leveraging tracking templates to filter traffic and route it through a few redirects before loading the landing page:

On that same domain, there is an open directory showing the location of the Windows payload which is an MSI installer (FakeBat), and the Mac one, Atomic Stealer (AMOS):

**Obfuscated Atomic Stealer**

The malicious DMG file contains instructions for users to open the file as well as a dialog window asking them to enter their system password. This will allow Atomic Stealer to collect passwords and other sensitive files that are typically access-restricted.

When comparing the previous Atomic Stealer samples we have, we can see that the application code has changed. Previously, we could see certain strings revealing the nature of the payload (browsers, wallets, etc.) and more importantly the command and control server that receives stolen user data. Now, these strings are no longer visible as the code is well obfuscated:

When we analyzed this sample in a sandbox we saw the data exfiltration taking place and the corresponding C2 server:

**Stealing victim passwords, crypto wallets and cookies**

As detailed in Objective-See’s The Mac Malware of 2023, stealers were the most popular type of malware. It’s not just passwords that are of interest to cyber criminals. Stealing browser cookies can sometimes be even better than having the victim’s password, enabling authentication into accounts via session tokens.

In fact, Atomic Stealer developers were working on a cookie feature they announced on Christmas Eve:

> Hi everyone, the panel has released an update with a new feature – Google Restore, it is located instead of the old page Cookies Convertor. In brief – implemented anti-unlogin Google.

As stealers continue to be a top threat for Mac users, it is important to download software from trusted locations. Malicious ads and decoy sites can be very misleading though and it only takes a single mistake (entering your password) for the malware to collect and exfiltrate your data.

We have reported the malicious ad and infrastructure to the respective parties for mitigation.

To stay safe from this and other similar threats, a combination of web protection and antivirus is best suited. Malwarebytes Browser Guard and Antivirus for macOS can prevent and detect Atomic Stealer.

**Indicators of Compromise**

Malvertising chain

ivchlo\[.\]gotrackier\[.\]com  
red\[.\]seecho\[.\]net

Decoy site

slack\[.\]trialap\[.\]com

FakeBat payload URL

slack\[.\]trialap\[.\]com/app/Slack-x86.msix

FakeBat hash

49f12d913ad19d4608c1596cf24e7b6fff14975418f09e2c1ad37f231943fda3

FakeBat C2

ads-strong\[.\]online

Atomic Stealer payload URL

slack\[.\]trialap\[.\]com/app/Slack-Apps.dmg

Atomic Stealer hash

18bc97e3f68864845c719754d2d667bb03f754f6e87428e33f9c763a8e6a704a

C2

5.42.65\[.\]108

 Atomic Stealer rings in the new year with updated version 

Microsoft's patch Tuesday roundup looks like a relatively quiet one. Unless your organization uses FBX files.

Microsoft has issued patches for 48 security vulnerabilities in the first Patch Tuesday of 2024. With a relatively low number of patches—and only two of them critical—this makes it a relatively quiet month, which is certainly not the norm in January.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVE IDs for the two critical vulnerabilities are:

CVE-2024-20674 is a Windows Kerberos security feature bypass vulnerability with a CVSS score of 9.0 out of 10. An authenticated attacker could exploit this vulnerability by establishing a machine-in-the-middle (MITM) attack or other local network spoofing technique, then sending a malicious Kerberos message to the client victim machine to spoof itself as the Kerberos authentication server.

Kerberos is an authentication protocol that is used to verify the identity of a user or host. To make use of this vulnerability the attacker will need to gain access to the restricted network before being able to run an attack. Nevertheless Microsoft thinks exploitation is “more likely,” which means the vulnerability could be exploited as part of an attack chain.

CVE-2024-20700 is a Windows Hyper-V Remote Code Execution (RCE) vulnerability with a CVSS score of 7.5 out of 10. Successful exploitation of this vulnerability might be hard because it requires an attacker to win a race condition and they will need to first gain access to the restricted network before running an attack.

Hyper-V is the Windows hardware virtualization service. It enables users to create and run a software version of a computer, called a virtual machine. Sometimes these virtual machines are attractive targets for cybercriminals. But the advisory is not very clear on the exact circumstances or context that would allow the RCE.

One other vulnerability, classified as important, that might turn out to be of interest, at least for some users, is:

CVE-2024-20677 is a Microsoft Office Remote Code Execution (RCE) vulnerability with a CVSS score of 7.8 out of 10. The security vulnerability exists in FBX that could lead to remote code execution. To mitigate this vulnerability, the ability to insert FBX files has been disabled in Word, Excel, PowerPoint and Outlook for Windows and Mac. Versions of Office that had this feature enabled will no longer have access to it. This includes Office 2019, Office 2021, Office LTSC for Mac 2021, and Microsoft 365.

FBX files are a type of 3D model file created using the Autodesk FBX software. When you try to insert an FBX file into Word, Excel, PowerPoint, and Outlook, you will see the following error: “An error occurred while importing this file.” If you’d like to re-enable this ability, you can find the reasons why you shouldn’t and the method how to do it on this Microsoft Support page.

**Other vendors**

Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.

*   Adobe released a patch addressing six CVEs in Substance 3D Stager.
*   Google published the Android Security Bulletin for January 2024.
*   Fortinet has released a security update to address a vulnerability in FortiOS and FortiProxy software.
*   SAP has released its January 2024 Patch Day updates.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

 Patch now! First patch Tuesday of 2024 is here 

The US Securities and Exchange Commission's X account was compromised to take advantage of an expected Bitcoin ETFs announcement.

We have seen several high-profile accounts that were taken over on X (formerly Twitter) only to be used for cryptocurrency related promotional activities, like expressing the approval of exchange-traded funds (ETFs).

The latest victim in this line-up is the Securities and Exchange Commission (SEC).

> The @SECGov X account was compromised, and an unauthorized post was posted. The SEC has not approved the listing and trading of spot bitcoin exchange-traded products.
> 
> — U.S. Securities and Exchange Commission (@SECGov) January 9, 2024

The unauthorized post (which was removed within 30 minutes) looked like this:

The post says:

> “Today the SEC grants approval to Bitcoin ETFs for listing on registered national security exchanges.
> 
> The approved Bitcoin ETFs will be subject to ongoing surveillance and compliance measures to ensure continued investor protection.”

The hack appears to have been designed to take advantage of anticipation around an imminent annoncement by US regulators about Bitcoin Exchange Traded Funds (ETFs). ETFs are financial products that allow investors to buy commodities like gold or Bitcoin as if they are shares. A spot Bitcoin ETF will buy the cryptocurrency directly, “on the spot”, at its current price, throughout the day. The approval would mark a key milestone for the cryptocurrency market in gaining acceptance to mainstream financial markets.

Even though the false tweet only had a short life-span it caused a $2,000 spike in Bitcoin exchanges rates. Someone knowing this was going to happen could have made a significant profit.

In a statement the SEC said:

> “That unauthorized access has been terminated. The SEC will work with law enforcement and our partners across government to investigate the matter and determine appropriate next steps relating to both the unauthorized access and any related misconduct.”

Based on a preliminary probe, X confirmed that the SEC account had been compromised and it found that it was not due to a breach of the social media platform’s systems.

According to X, an unidentified individual was able to obtain control over a phone number associated with the @SECGov account through a third party. This would suggest the compromise was the result of a SIM swapping attack, where an attacker takes control of a phone number by convincing a mobile carrier to transfer the victim’s phone number to a SIM card they own.

With this control they can intercept messages, two-factor authentication (2FA) codes, and eventually reset passwords of the account the number has control over. Although apparently the SEC did not have 2FA enabled for its X account!

**Secure your X account**

Although any form of 2FA is better than none, all forms of 2FA are not equally secure. SMS-based 2FA is vulnerable to SIM swapping and if you can avoid it, we suggest you do. X offers other options like an authentication app and a security key.

To change your 2FA factor in X click on **More**

Select **Settings and Support** > **Settings and Privacy** > **Security and Account access**

Click **Security** > **Two-factor authentication** and put a checkmark in your preferred option.

You will be prompted to enter your X password and click Confirm. From there, follow the instructions in the prompts. Since not many people have security keys, I’ll continue with the Authentication app instructions.

*   Click **Get started**
*   Open your preferred authentication app and add the X account to the app. Usually this is as simple as scanning the QR code.
*   You’ll be prompted to enter the authentication code shown by the app.

You’re all set. Store the displayed backup code in a safe place in case you need it.

You’ll receive a confirmation mail at the address associated with the account.

And if you see tweets from an account about cryptocurrencies, NFTs, ETFs or other financial news that you would not expect from that account, keep a ten foot pole between you and what they are linking to.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

 SEC X account hacked to hawk crypto-scams 

Dive more into how ThreatDown performed in G2 Winter 2024.

The peer-to-peer review source G2 has released its Winter 2024 reports, ranking ThreatDown products on top across several Endpoint Detection and Response (EDR) and Managed Detection and Response (MDR) categories. 

Based on verified customer reviews, ThreatDown EDR was voted a Leader in the overall and mid-market grid reports for EDR, winning awards for Most Implementable, Fastest Implementation, Easiest Admin, Best Usability, and more. ThreatDown MDR also won awards for Ease of Use, Highest User Adoption, and more. 

Let’s dive more into how ThreatDown performed in G2 Winter 2024 and look at quotes from IT professionals using ThreatDown solutions daily.  

**EDR that brings down complexity **

Endpoint Detection and Response (EDR) systems are grappling with significant complexities. Deployment challenges delay ROI and increase vulnerability to breaches. A lack of integrated tools in EDR necessitates additional platforms, creating operational and security gaps. Additionally, everyday management burdens, like alert overload, strain small IT teams and reduce productivity. 

Feedback from real users said ThreatDown EDR is the most user-friendly EDR solution available in the Mid-market Usability Index, with a Usability Score that surpasses the average across all other vendors. 

ThreatDown EDR deploys within minutes, featuring a lightweight endpoint agent, robust integrations, and an intuitive cloud-native management console. 

Dashboard view of ThreatDown Nebula console, featuring Security Advisor. 

> “The Nebula console is one of the most user-friendly interfaces we’ve come across. We can’t recommend it enough.” 
> 
> Justin N.  

> “Malwarebytes makes it simple to deploy. Additionally, the user interface has minimal impact on the end-user, so \[it’s\] win-win. Support are happy to help when you do hit the occasional bump and the portal is easy to use and very responsive.” 
> 
> John K. 

**Fastest to Implement EDR **

Malwarebytes EDR proudly holds the #1 spot on the mid-market Implementation Index. Our industry-leading ‘ease of setup’ and ‘implemention time’ won us the Most Implementable and Fastest Implementation awards for this category. 

With the average deployment timeline for traditional EDRs stretching up to 18 months for small security teams, a swifter solution means faster protection and resource savings. 

Smaller teams can’t afford extensive learning curves, which is why they prioritize implementation costs (50 percent) in their endpoint security more than anything else. (Global Surveyz)  

ThreatDown EDR, the cornerstone of most ThreatDown Bundles, takes the complexity out of EDR deployment with an average time to become fully operational that is two times shorter than the industry average. 

You can distribute the ThreatDown Endpoint Agent to endpoints either manually to each user or automatically via network-wide remote deployment tools. 

> “If you are purchasing Malwarebytes, then you have made the correct choice. You will quickly see how easy it is to implement, and how great their support is.” 
> 
> Mauro B. 

> “Very easy to install and deploy, setup, and configure – for instance – a 5 machine setup would take roughly ~10 mins from start to finish.” 
> 
> Verified User 

> “Easy to use and implement, along with great support and support tools at your disposal, along with courses to help you become more familiar with the inner workings.” 
> 
> Doug C. 

**MDR with the Highest User Adoption **

ThreatDown MDR placed on multiple reports for G2 Winter 2023 reports, winning awards for “Ease of Use,” “Highest User Adoption,” “Easiest to do Business With,” “Easiest Admin,” and “Easiest to Use.” 

ThreatDown MDR provides powerful and affordable threat detection and remediation services with rapid set-up and 24×7 monitoring and investigations. Our top-tier MDR analysts protect your organization from cyberthreats through accelerated threat detection and response to incidents—allowing you to focus on growing your business. 

> “Malwarebytes MDR is simple to deploy and manage. They increase our security posture, meet cyber security insurance requirements, and make a great partner to augment my small IT team.” 
> 
> Steve S.  

> “We wanted to extend our SOC team with MDR services, and that has always been our vision with Malwarebytes since we look at the company as a partner, rather than a vendor. Malwarebytes MDR enables us to meet the need for 24 x7 coverage with professional security experts who work in the industry every day.” 
> 
> Matthew Verniere, Richards Building Supply 

> “Cyber threats are 24/7, and my team needs to sleep. The MDR team watching our network around-the-clock gives us a chance to sleep without worry. With Malwarebytes MDR backing us up, I also finally got to step away and take a two-week vacation. I’m just glad to know that we have a security team watching over our shoulder and making sure it’s all clear.” 
> 
> Dennis Davis, IT Systems Manager, Drummond 

**Experience ThreatDown bundles: Award-winning ROI, user-friendly, and effective threat defense  **

ThreatDown provides IT staff with award-winning business solutions, offering unmatched threat protection, a lightning-fast return on investment, and smooth, speedy implementation.  

Try ThreatDown Bundles today and join the ranks of those who have already discovered amazing results, best-in-class support, strong ROI—and more—of top-rated cybersecurity solutions.  

**Get a custom quote**

 ThreatDown earns highest ratings across EDR and MDR categories in G2 Winter 2024 results  

Ransomware gangs are getting more ruthless to increase the pressure on their victims. Now, even swatting cancer patients seems to be on the table.

Ransomware groups are liars, yes, but even when these dangerous cybercriminals would ransack organizations and destroy entire companies, a few select groups espoused a sort of “honor among thieves.” According to those few groups, their cybercriminal actions would never include organizations actively involved in healthcare, such as hospitals.

But, as can be expected from ransomware groups, these were nothing but lies. The million-dollar criminal operations, awash with cash, are still vulnerable to greed.

LockBit has claimed the recent attack on Capital Health. And even though LockBit claims they did not encrypt the hospitals files, the hospitals and physicians’ offices experienced IT outages that forced them to resort to emergency protocols designed for system outages. Several surgeries were moved to later dates and outpatient radiology appointments were canceled.

Unfortunately, we have seen these type of disruptions in healthcare before. And despite promises, we expect to see them again.

But in an even more brutal turn of events, a ransomware group is crossing another line, and resorted to threatening physical violence against patients. As fewer organizations are willing to pay the ransom, it seems the ransomware operators have lost all human decency (admittedly, it’s hard to believe they ever had any).

Again, we have seen ransomware groups turn on people who had their data stolen before. It’s an extra type of leverage to get the target organization to pay the ransom. Integris Health for example, an organization which operates a network of 15 hospitals and 43 clinics, reported that some of their patients received emails threatening to sell their information on the dark web.

But in the case of Seattle’s Fred Hutchinson Cancer Center, the criminals have taken it even a few steps further and threatened to “swat” hospital patients.

Swatting is where someone makes a hoax emergency call to law enforcement in order to get armed police (in reference to US “Special Weapons And Tactics” teams) to target a particular address. Over time, swatting has evolved from a dangerous type of prank to a cybercrime that can be ordered as a service.

Swatting is dangerous because of the potential consequences. Not only does it take emergency services away from their actual tasks, but there have been swatting incidents that had fatal consequences.

Once the Fred Hutchinson Cancer Center became aware of the cybercriminals’ swatting threats, they immediately notified the FBI and Seattle police. Let’s hope this reduces the potential dangers involved in swatting.

**Data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

**How to avoid ransomware**

*   **Block common forms of entry.** Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
*   **Prevent intrusions.** Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
*   **Detect intrusions.** Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption.** Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 Exposing the ransomware lie to “leave hospitals alone” 

Apple may be found negligent in an Airtags stalking lawsuit, but it has made improvements that may help potential victims

Each year, an estimated 13.5 million people in the US are victim to stalking. This is a worrying fact stated in the introduction of a lawsuit against Apple brought by stalking victims who charge that AirTags empowered their abusers.

AirTags are marketed as trackers that allow you to easily find lost belongings like keys and luggage. If you lose an object, you can find the AirTag in the Find My app on another Apple device. The tracker transmits its location via Ultra Wideband technology which is more accurate than Bluetooth when it comes to determining exact location. Since the tracker shares its location with the Apple devices of others, you can also find your AirTag over large distances.

AirTags are relatively cheap ($29), small (1.29”/3.19 cm) and can run for about a year before they need the battery replaced. This makes them an ideal tool for stalkers—they just need to attach one to something that they expect you to keep with you.

An important part of a negligence claim is whether the manufacture could have foreseen the issue—in this case, the stalking issue. This shouldn’t be a problem since lots of people were screaming from the rooftops that Apple was basically putting out a product for stalkers.

From the suit:

> “Prior to and upon the AirTag’s release, advocates and technologists urged the company to rethink the product and to consider its inevitable use in stalking. In response, Apple heedlessly forged ahead, dismissing concerns and pointing to mitigation featured that it claimed rendered the devices ‘stalker proof.'”

One plaintiffs’ lawyer argued that Apple did not make it possible, at the time the victim was stalked, for people being followed to locate an unwanted AirTag.

When the judge asked what Apple could have done better, the lawyer acknowledged that Apple has since made many fixes, but victims should have been alerted they were being subjected to unwanted tracking more quickly.

**How do the improvements Apple made help victims?**

Since AirTags were introduced, Apple has made some changes that can help potential stalking victims.

The most important one is that someone is now able to find out if an AirTag that they don’t own is moving with them over time.

On iPhones and iPads this is enabled by default, but it doesn’t hurt to check, especially if somoene may have had access to your device.

To make sure these options are enabled:

*   Go **to Settings** **\> Privacy & Security** > **Location Services**: Location Services should be on
*   Under **Location Services** > **System Services** > **Find My iPhone/iPad**: Significant Locations should be on.
*   Under **Settings** you also need to make sure you’re not in **Airplane Mode** and **Bluetooth** is on.
*   Open the **Find My** app, open the **Me** tab, and make sure **Tracking Notifications** are turned on.

If an unknown AirTag is following you, you’ll see an alert like this:

In the Find My app, you’ll be able to see how long the AirTag has been with you and you can use the Play Sound option to have the tracker emit a noise, which can help you find it.

For Android owners, Google has created a similar anti-stalking feature. Please note that the path to find the appropriate settings may vary with vendors and Android versions, but this should give you a good idea:

*   Select **Settings** \> **Safety and emergency** \> **Unknown tracker alerts**. Here you can allow alerts and do a manual scan for nearby trackers.

An unknown tracker alert is sent when someone else’s tracker device is separated from them and detected to be traveling with you and out of Bluetooth range from the owner. You can trigger any found AirTag to make a sound and you’ll be able to see how long it’s been with you on a map.

There are plans to broaden the scope of the tracker alerts besides AirTags. Companies including Samsung, Tile, Chipolo, Eufy, and Pebblebee have expressed interest in supporting this technology.

We’ll keep an eye on the lawsuit and let you know how it progresses.

 AirTags stalking lawsuit alleges Apple&#8217;s negligence in protecting victims 

A list of topics we covered in the week of January 1 to January 7 of 2024

January 7, 2024 - UK Police are investigating a sexual assault on the avatar of a girl aged under 16 that caused psychological trauma.

January 7, 2024 - People using LLMs for bug bounty hunts are wasting developers' time argues the lead developer of cURL. And he's probably right.

January 7, 2024 - Researchers have found flaws in the way SMTP servers handle messages, allowing them to send spoofed emails to and from targets.

January 4, 2024 - Facebook has announced it will roll out a new option called Link History to mobile users around the world. What does that mean?

January 4, 2024 - 23andMe has responded in a letter to legal representatives of data breach victims that they were to blame themselves for re-using passwords