We take a look at reports that internal Roblox employee documents have been leaked by an as-yet unknown attacker.
The post Roblox breached: Internal documents posted online by unknown attackers appeared first on Malwarebytes Labs.

A data compromise situation has impacted Roblox Corporation, the developers of the massive smash-hit video game Roblox. An as-yet unknown attacker has breached an employee account, and is in the process of exposing the data they’ve collected.

Nobody knows if they’ve exhausted their newly-plundered treasure trove, or if more leaks will follow.

**Hacks and compromise: from myth to reality**

The Roblox player base is young, and naturally enough worried about risks from cheats and account compromise. As a result, Roblox spends a fair amount of time debunking hacking myths. The most well known of these debunks probably relates to its John Doe and Jane Doe developer managed accounts.

Sadly for Roblox, this time around it appears that the compromise is very real with one key difference. It’s the developers under attack, rather than the players. For the time being, at least, they remain unaffected.

**Internal employee information: leaked**

A Roblox forum post has been playing host to around 4GB of stolen data. This data includes identification documents, spreadsheets related to Roblox creators, and various email addresses. At time of writing, there’s no specifics with regard to the “identification documents”. This could mean driving licence, passport, employee ID scan…we simply don’t know at the moment.

Roblox informed Motherboard that the documents were “illegally obtained as part of an extortion scheme that we refused to cooperate with”.

While there isn’t much information available yet, extortion tactics could suggest a double extortion attempt. The first thing to spring to mind here would be a ransomware attack. If the victim refuses to pay the ransom, the malware authors threaten to leak files. This can be incredibly damaging for all concerned, especially as files are often published even when the ransom is paid.

Of course, the extortion could spring from another source. Motherboard mentions the cache being stolen from an employee. The employee may have been phished. In this scenario, there is no ransomware involvement. Whatever the reason for the attack origin, players will naturally enough be very concerned.

**What can you do to keep your Roblox account safe?**

We don’t know if data has been grabbed outside of what’s already been leaked. There’s no indication from Roblox that user data has been accessed, which may only be known for certain as the investigation into the attack wraps up.

This is how you can help to keep your own account safe from harm in the meantime:

**Watch out for phishing**. Phishing attacks often follow on from breaches, although it may take days, or even weeks for an attempt to land in your mailbox. Be wary of mails asking you to login, or claiming that there has been a problem with your account. We suggest navigating to the official Roblox site directly instead of clicking links sent to your email address.

**Set up two-step verification**. This will help keep your account secure even if you were to hand over your login to a bogus website. Visit your account settings page, and then from the security tab select the type of two-step verification that you’d prefer. Roblox allows for a variety of different authenticator apps for use with your account.

**Logout of public and shared devices**. Roblox is great to play on the go. However, leaving your account logged in at on a public computer could result in item or account theft. Make sure you’ve fully logged out of any device which doesn’t belong to you. Public device compromise is still a very easy way to lose account access, and one which younger gamers could easily forget about as a potential threat.

Roblox breached: Internal documents posted online by unknown attackers

The FTC will keep an eye on companies that mishandle and misuse data to protect reproductive healthcare data in post-Roe America.
The post The FTC will go after companies misusing location, health, and other sensitive data appeared first on Malwarebytes Labs.

After the overturning of _Roe V Wade_, many feared that using, having access to, and sharing reproductive and sexual health data—once done freely—would be outlawed with the practice of abortion in many states. To protect such data from falling into the wrong hands,  Congresswoman Sara Jacobs (D-CA) sponsored the “My Body, My Data Act of 2022” bill.

Four days after the bill entered the House of Representatives and the Senate, US President Joe Biden signed an Executive Order Protecting Access to Reproductive Health Care Services, an order aimed at safeguarding healthcare services and protecting patient privacy and access to accurate information, among others.

Following this, the FTC (Federal Trade Commission) has warned tech companies and data brokers about potentially misusing the health data the US government seeks to protect.

The interconnectedness of devices has made life easier for most of us, but it remains a major nightmare for privacy-conscious consumers and organizations.

And while location data (among others) is generated by apps, consumers regularly generate their own sensitive data, too, in the form of apps aiding them in testing their blood sugar, recording their sleep patterns, or capturing their biometric features to access devices. In matters related to personal reproductive health, this could be in the form of apps for tracking periods, monitoring fertility, or managing contraceptive use.

The FTC asserts that a combination of these generated data “creates a new frontier of potential harms to consumers”.

“The misuse of mobile location and health information—including reproductive health data—exposes consumers to significant harm,” said the FTC in a post. “Criminals can use location or health data to facilitate phishing scams or commit identity theft. Stalkers and other criminals can use location or health data to inflict physical and emotional injury.”

> The exposure of health information and medical conditions, especially data related to sexual activity or reproductive health, may subject people to discrimination, stigma, mental anguish, or other serious harms.

The FTC renewed its vow to go after companies that use American digital data unfairly or deceptively.

“The Commission is committed to using the full scope of its legal authorities to protect consumers’ privacy. We will vigorously enforce the law if we uncover illegal conduct that exploits Americans’ location, health, or other sensitive data. The FTC’s past enforcement actions provide a roadmap for firms seeking to comply with the law.”

The regulator will closely scrutinize corporate claims that data is “anonymized”, as research has shown that it can be trivial to de-anonymize such data, even when they’re part of a seemingly homogenous data set. The FTC would also be after companies that gather more than what they ask users to consent for or those that retain data indefinitely.

The FTC will go after companies misusing location, health, and other sensitive data

This week on Lock and Code, we discuss how law enforcement can now use your data, ever since the Supreme Court overturned Roe v. Wade.
The post Roe v. Wade: How the cops can use your data: Lock and Code S03E15 appeared first on Malwarebytes Labs.

On the evening of June 23, in the United States, millions of women went to bed with a Constitutional right to choose to have an abortion, and they went to bed with the many assurances that are tied to that right—to speak about getting an abortion, to organize and provide support to those seeking abortions, to search for abortion services safely online, to digitally track their menstrual cycles, to record their reproductive plans, all without too much concern about who would be interested in that information.

But on June 24, that Constitutional right was removed by the Supreme Court.

Immediately, this legal story has become one of data privacy, as countless individuals ask themselves: What surrounding activity is now allowed?

Should Google be used to find abortion providers out of state? Can people write on Facebook or Instagram that they will pay for people to travel to their own states, where abortion is protected? Should people continue texting friends about their thoughts on abortion? Should they continue to use a period-tracking app? Should they switch to a different app that is now promising to technologically protect their data from legal requests? Should they clamp down on all their data? What should they do?

Today, on the Lock and Code podcast with host David Ruiz, we speak with two experts on this intersection of data privacy and legal turmoiil—Electronic Frontier Foundation staff attorney Saira Hussain and senior staff technologist Cooper Quintin.

As Quintin explains in the podcast, while much of the focus has recently been on the use of period-tracking apps, there are so many other forms of data out there that people should protect: 

> “Period-tracking apps aren’t the only apps that are problematic. The fact is that the majority of apps are harvesting data about you. Location data, data that you put into the apps, personal data. And that data is being fed to data brokers, to people who sell location data, to advertisers, to analytics companies, and we’re building these giant warehouses of data that could eventually be trawled through by law enforcement for dragnet searches.”

By spotlighting how benign data points—including shopping habits and locations—have already been used to reveal pregnancies and miscarriages and to potentially identify abortion-seekers, our guests explain what data could now be of interest to law enforcement, and how people at home can keep their decisions private and secure.

Tune in to hear all this and more on the most recent episode of Lock and Code.

This video cannot be displayed because your _Functional Cookies_ are currently disabled.

To enable them, please visit our _privacy policy_ and search for the Cookies section. Select _“Click Here”_ to open the Privacy Preference Center and select _“Functional Cookies”_ in the menu. You can switch the tab back to _“Active”_ or disable by moving the tab to _“Inactive.”_ Click _“Save Settings.”_

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

_Show notes and credits:_

Intro Music: “SCP-x5x (Outer Thoughts)” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

Roe v. Wade: How the cops can use your data: Lock and Code S03E15

We take a look at reports of organised review bombing, leading to extortion threats to get the negative ratings removed.
The post Extortionists target restaurants, demand money to take down bad reviews appeared first on Malwarebytes Labs.

Restaurants and other eating establishments are being targeted by extortionists who post fake reviews online and then offer to remove them in exchange for a gift card.

The possibility has always existed to leave poor reviews on Google Maps and elsewhere. However, seeing fraudsters get organised and issue extortion threats alongside the review is a new development.

According to the New York Times, businesses are being “deluged” with the poor reviews. Extortion threats are then mailed to the business owners, apologising for the actions but insisting that $75 Google Play gift cards be purchased in order to have the poor reviews erased.

Card codes are mailed to a ProtonMail account, where the scammers pick up their bounty. The codes are likely sold on at this point to turn a tidy profit. We don’t know if anyone actually sent a card code to the relevant mail address, nor if any reviews were removed by the fraudsters in cases where a payment was made.

The group claims to be based in India, and is currently targeting businesses in San Francisco, New York, and Chicago.

**The bad review bombing technique**

Review bombing is something you’ve probably heard about in relation to gaming. When fans of certain titles become annoyed with changes in a game, or something is released which they object to, some turn to leaving bad reviews.

These reviews tend to be organised by groups, and plaster a product’s page with poor ratings. This has a negative impact on the title, and comes with a variety of side effects. It might even make the product less visible to other shoppers due to the product review score tanking.

Platforms selling games have had to take significant action against these tactics in recent years, developing new ways to spot inauthentic reviews and hiding them away from the public.

**Defending your business from bad review practices**

Google offers several guides for both reviewers and business owners where reviews are concerned.

Firstly, there’s detailed information about adding a review on Maps. While this is useful to know as a business owner, the really important information is on the How to remove reviews guide. Review removal requests are initiated via the Manage Reviews page. Before you submit, you need to check through the Prohibited and Restricted content section and see which category extortion attempts would fall under.

We suspect **Civil Discourse > Harassment**, or **Deceptive Content > Misrepresentation** would be good places to start.

*   We don’t allow users to post content to harass other people or businesses, or encourage others to participate in harassment.

*   Misleading information can impact the quality of information on Google Maps. For this reason, we don’t allow individuals to use Google Maps to mislead or deceive others, or make misrepresentations.

This includes:

*   False or misleading accounts of the description or quality of a good or service. 

No matter which rules you feel that your extortion-laced missives fall under, here’s how to report in both Maps and Search:

**Flag a review in Google Maps**

1.  On your computer, open Google Maps.
2.  Find your Business Profile.
3.  Find the review you’d like to report.
4.  Click **More >** **Flag as inappropriate**.

**Flag a review in Google Search**

1.  On your computer, go to Google.
2.  Find your Business Profile.
3.  Click **Google** **Reviews**.
4.  Find the review you’d like to report.
5.  Click **More >** **Report review**. Select the type of violation you want to report.

Extortionists target restaurants, demand money to take down bad reviews

The most important and interesting computer security stories from the last week.
The post A week in security (July 11 – July 17) appeared first on Malwarebytes Labs.

*   Partner Success Story
*   Marek Drummond
    
    Managing Director at Optimus Systems
    
    "Thanks to the Malwarebytes MSP program, we have this high-quality product in our stack. It’s a great addition, and I have confidence that customers’ systems are protected."
    
*   See full story

A week in security (July 11 – July 17)

We take a look at a major ransomware attack impacting video game giant Bandai Namco, laced with the potential threat of data leakage.
The post Elden Ring maker Bandai Namco hit by ransomware and data leaks appeared first on Malwarebytes Labs.

It’s not been a great couple of months for gaming giant Bandai Namco. The name behind smash hit titles like Elden Ring and Dark Souls has endured a long run of cheats and hacks.

Hacking concerns led to Remote Code Execution issues, and multiplayer features in Souls titles were disabled for months. In March, in-game cheats in Elden Ring meant players had to turn off multiplayer to avoid new attacks.

We’re now in July and Bandai Namco has experienced its most severe issue yet, confirming it has fallen victim to a severe ransomware attack.

Eurogamer published a Bandai Namco statement, which reads as follows:

> _On 3rd July, 2022, Bandai Namco Holdings Inc. confirmed that it experienced an unauthorised access by third party to the internal systems of several Group companies in Asian regions (excluding Japan)._
> 
> _“After we confirmed the unauthorised access, we have taken measures such as blocking access to the servers to prevent the damage from spreading. In addition, there is a possibility that customer information related to the Toys and Hobby Business in Asian regions (excluding Japan) was included in the servers and PCs, and we are currently identifying the status about existence of leakage, scope of the damage, and investigating the cause._
> 
> _“We will continue to investigate the cause of this incident and will disclose the investigation results as appropriate. We will also work with external organizations to strengthen security throughout the Group and take measures to prevent recurrence._

**Double threat**

While triple threat attacks are becoming increasingly popular, double threat (locking up data and then threatening to make it public if the ransom isn’t paid) are still big business. What we have here is a classic double threat, being run by a group with no qualms about following through on its promises.

> ALPHV ransomware group (alternatively referred to as BlackCat ransomware group) claims to have ransomed Bandai Namco.
> 
> Bandai Namco is an international video game publisher. Bandai Namco video game franchises include Ace Combat, Dark Souls, Dragon Ball\*, Soulcaliber, and more. pic.twitter.com/hxZ6N2kSxl
> 
> — vx-underground (@vxunderground) July 11, 2022

In the tweet above, the screenshot refers to the compromise as “data soon”. The fear is that data is going to be leaked at some point in the near future. There is currently no word how much data has been grabbed, or what the ransomware authors are asking as payment.

Whether the data is related to employees, third parties, or even customers, we simply don’t know. Games publishers and developers are also host to significant amounts of confidential data for unreleased and unannounced games. This is an additional angle to consider. Would attackers value secret game IP over user data? Possibly.

**The bad news carousel**

This lands at a really bad time for Bandai Namco. It’s not so long ago that the Dark Souls multiplayer servers were in the process of being switched back on. This could well throw a large ransomware shaped spanner into the works for those plans.

There has to be concern over the considerable skillet of the BlackCat attackers, considering some of its likely past exploits. BlackCat stands accused of attacks on some of Europe’s largest ports back in February of this year. January saw data published belonging to a luxury fashion brand, and it wasn’t so long ago that it was publishing stolen data related to a luxury spa and resort located in the US.

This is one group which will absolutely carry out its double threat extortion threats. BlackCat is also ramping up its typical ransom amount, currently weighing in at around $2.5m. It remains to be seen how Bandai Namco handles this situation. Unfortunately for the publisher and their customers, the ransomware authors are firmly in the driving seat.

Elden Ring maker Bandai Namco hit by ransomware and data leaks

A hacking group displays its sophisticated skills by causing molten steel to spew from factory foundries. Could a state be backing the group?
The post Predatory Sparrow massively disrupts steel factories while keeping workers safe appeared first on Malwarebytes Labs.

Stuxnet‘s attack on Iran’s uranium enrichment facilities manifested fears of cyberattacks leaking into the real world. What once was theory is now upon us.

Two weeks ago, multiple Iranian steel facilities experienced a cyberattack that might have been pulled off by what many cybersecurity experts in the field believe is “a professional and tightly regulated team of state-sponsored military hackers, who may even be obliged to carry out risk assessments before they launch an operation.”

The group who claimed responsibility for the attack goes by the _nom de hack_ Predatory Sparrow.

Predatory Sparrow’s logo, which it uses on its Telegram and Twitter accounts. (Source: The BBC)

The victim organizations are the Khouzestan Steel Company (KSC), Mobarakeh Steel Company (MSC), and Hormozgan Steel Company (HOSCO).

Some say Predatory Sparrow’s name is a play on “Charming Kitten”, the name of the notorious Iranian APT (advanced persistent threat) group. Although Predatory Sparrow has its own social media accounts, these are not searchable under the English _nom_ but under its Persian equivalent, Gonjeshke Darande.

The attackers caused the foundry to spew hot molten steel and fire onto the factory floor, but not until workers had already cleared the area, unbeknownst of what was about to happen. The timing of the group’s attack is deliberate.

A video captured during one of these attacks was shared on its social platforms as proof. It already has 200,000 views.

“Today, 27/06/2022, we, ‘Gonjeshke Darande’, carried out cyberattacks against Iran’s steel industry which affiliated \[sic\] with the IRGC and the Basij,” a caption within the video reads. “These companies are subject to international sanctions and continue their operations despite the restrictions.”

> These cyberattacks, being carried out carefully so to protect innocent individuals, are in response to the aggression of the Islamic Republic.

The public office of the Iranian National Cyberspace Center confirmed the attacks, blaming the incidents on “foreign enemies.” The outcome triggered a temporary shutdown of facilities. The public office also claimed, “Security systems quickly took action to contain and repel the effects.”

According to sources close to the two organizations affected by the attack, the only reason severe damage wasn’t done to the production line was that they were switched off at night due to power supply restrictions. The attack “is understood” to have occurred between midnight and 6AM, Tehran time. Systems affected by the attack are the production and security systems.

At this point, no one knows whether Predatory Sparrow is a state-sponsored group. Is it just merely a group of hacktivists out to punish corporations they see are crossing the line?

“If this does turn out to be a state sponsored cyber-attack causing physical – or in the war studies jargon ‘kinetic’ damage – this could be hugely significant,” Emily Taylor, editor of the Cyber Policy Journal, told the BBC.

Ersin Cahmutoglu, a cybersecurity researcher from ADEO Cyber Security Services, also has a theory. “If this cyberattack is state-sponsored then of course Israel is the prime suspect. Iran and Israel are in a cyber-war, and officially both states acknowledge this.”

“Both states mutually organise cyberattacks through their intelligence services and everything has escalated since 2020 when retaliation came from Israel after Iran launched a failed cyberattack on Israeli water infrastructure systems and attempted to interfere with the chlorine level.”

UK-based Iranian activist and independent cyberespionage investigator Nariman Gharib also shared his thoughts: “If Israel is behind these attacks, I think they are showing that they can do real damage rather than just disrupting a service. It shows how things can quickly escalate.”

Last week, Predatory Sparrow leaked “top secret documents and tens of thousands of emails”, along with “trading practices” from the steel makers it attacked.

Predatory Sparrow massively disrupts steel factories while keeping workers safe

A researcher found eight malware-laden apps in the Play Store which have been downloaded over 3 million times.
The post New variant of Android SpyJoker malware removed from Play Store after 3 million+ installs appeared first on Malwarebytes Labs.

Security researcher Maxime Ingrao has found a new variant of Android/Trojan.Spy.Joker which he’s dubbed Autolycos. Malware in this family secretly subscribes users to premium services. The researcher noted that the eight applications that contained this malware had racked up a total of over 3 million downloads.

**Toll fraud malware**

Toll fraud malware is a subcategory of billing fraud in which malicious applications subscribe users to premium services without their knowledge or consent. At the moment, toll fraud malware—also known as fleeceware—is one of the most prevalent types of Android malware. And not only does the number of infections keep going up, so does the sophistication of the malware.

**Joker**

Android/Trojan.Spy.Joker was the first major family that specialized in this field. It was first found in the Play Store in 2017. Joker is capable of clicking on online ads, and asks for SMS permissions during installation so it can access One Time Passwords (OTPs) to secretly approve payments. The user will never know that they have been subscribed to some service online until they check their bank statements or phone invoice.

**Detection**

Google uses the name Bread for the Joker malware family. In January, 2020, Google Play Protect detected and removed 1,700 unique Bread apps from the Play Store. By using as little code as possible and thoroughly hiding it, Joker generates a very discreet footprint which makes it hard to detect. But SMS and toll fraud generally require some basic functionality like disabling WiFi which needs one of a handful of APIs. Since Joker expects security researchers to look for those APIs, it uses a wide variety of techniques to mask the usage of them.

**Slow response**

The small footprint and masked usage of APIs must make it hard to find malicious apps among the multitude of apps that can be found in the Google Play Store. But that doesn’t explain why it took Google over a year to remove the eight apps reported by Maxime Ingrao. He reported the apps in June, 2021, and the last two were removed on July 13, 2022. It’s possible they would still be available if the researcher hadn’t gone public because he said he got tired of waiting.

**Autolycos**

As mentioned earlier, the malware is still undergoing development. What is new about this type is that it no longer requires a WebView. WebViews are exactly what the name indicates—a small view to a piece of Web content. A WebView can be a tiny part of the app screen, a whole page, or anything in between. Not requiring a WebView greatly reduces the chances that the user of an affected device notices something fishy is going on. Autolycos avoids WebView by executing URLs on a remote browser and then including the result in HTTP requests.

**Malicious apps**

BleepingComputer posted the list of malicious apps found by Maxime Ingrao, which users may still have installed:

*   Vlog Star Video Editor (com.vlog.star.video.editor) – 1 million downloads
*   Creative 3D Launcher (app.launcher.creative3d) – 1 million downloads
*   Wow Beauty Camera (com.wowbeauty.camera) – 100,000 downloads
*   Gif Emoji Keyboard (com.gif.emoji.keyboard) – 100,000 downloads
*   Freeglow Camera 1.0.0 (com.glow.camera.open) – 5,000 downloads
*   Coco Camera v1.1 (com.toomore.cool.camera) –  1,000 downloads
*   Funny Camera by KellyTech –  500,000 downloads
*   Razer Keyboard & Theme by rxcheldiolola – 50,000 downloads

Pradeo researchers have also identified four new malicious applications that embed the Joker malware:

*   Smart SMS Messages 50.000+ installs
*   Blood Pressure Monitor 10.000+ installs
*   Voice Languages Translator 10.000+ installs
*   Quick Test SMS 10.000+ installs

**How to avoid toll fraud malware**

Users that have any of the listed apps installed are advised to remove them as soon as possible. To avoid getting infected and duped by toll fraud malware there are a few countermeasures you can take:

*   Keep Play Protect active.
*   Pay attention to apps asking for permissions, in this case especially SMS permissions.
*   Minimize the number of apps you install, however useful they may seem. The Autolycos operators created numerous advertising campaigns on social media.
*   Do not rely on user reviews alone, since the malware authors use bots to maintain a good user rating.

Also, always keep an eye on your background internet data, battery consumption, phone invoices, and bank statements, just in case. The sooner you stop it, the smaller the damages.

New variant of Android SpyJoker malware removed from Play Store after 3 million+ installs

China is gathering more intel about Russia after strengthening their diplomatic ties in the face of Western sanctions.
The post China’s Tonto Team increases espionage activities against Russia appeared first on Malwarebytes Labs.

According to analyses of several cybersecurity firms and CERT (Computer Emergency Response Team) Ukraine (CERT-UA), the state-sponsored threat actor group Tonto Team, which has been linked to China-backed cyber operations, is ramping up its spying campaign against Russian government agencies. 

The campaign, which involves an email, a Word document file in RTF (Rich Text File) format, and a backdoor payload, starts off with socially engineering recipients to convince them to open a malformed attachment, triggering the execution of an MS Office exploit, particularly in the Equation Editor.

According to SentinelOne, the RTF file masquerades as a government advisory or security warning to agencies and infrastructure providers of potential attacks.

This is the malicious RFT document attached to an email sent over by the Tonto Team to targets, shared by one of our threat intelligence researchers on Twitter.  
(Source: Hossein Jazi | Malwarebytes)

The fake advisory is written in Russian. Below is the Google-translated text in English:

(Source: Hossein Jazi | Malwarebytes)

    Dear colleagues!
    
    In addition, we remind you that recently there have been more cases of attempts to steal logins / passwords for access of employees of the Minsitry to official mail and the Service Portal.
    
    Attackers on behalf of representatives of the Department of the Ministry of Foreign Affairs, government and other organizations send letters to e-mail addresses, in which they convince you to familiarize yourself with various documents and information.
    
    Under no circumstances do not enter your service login / password in such cases.
    
    Please note that the documents must be attached to the letter and opened from the body of the letter.
    
    Compliance with these rules will allow you to maintain the confidentiality of not only your data, but also the data of other employees of the Ministry.

The Tonto Team used Royal Road (sometimes called “8.t”) to create the malicious RTF file. First analyzed by nao\_sec, Royal Road is a document builder that gives threat actors the ability to embed malicious code within RTF files, aiding actors in compromising target systems.

The exploit is triggered upon opening the file, and the malware payload, Bisonal, is dropped. Bisonal, a tool many Chinese threat actors use, is a RAT (remote access Trojan). Apart from Chinese APTs (Advanced Persistent Threats), no other threat actor has used Bisonal.

The Tonto Team, an APT group that has been around almost as long as Bisonal, has many aliases: Karma Panda, Bronze Huntley, CactusPete, and Earth Akhlut. The group is known for targeting Asian nations (South Korea, Taiwan, and Japan) and Russia. So, this isn’t the first time China has been in the case of the former Soviet state. Rather, this is about a notable increase in targeting activity against Russia.

“What we’re seeing here is a potential Chinese government increase in intelligence collection requirements from inside Russia,” SentinelOne Senior Threat Researcher Tom Hegel told Dark Reading in an interview. “Perhaps an increased prioritization or expansion of resources assigned to such tasking.”

China is prioritizing its espionage campaign against Russia due to the ongoing Russian invasion of Ukraine. And while Chinese officials see themselves with Russia as “comprehensive strategic partners of coordination”, their diplomatic relations have strengthened through the years, mainly to suppress the expansion of Western alliances.

What China is doing is “simply China looking out for itself in uncertain times,” Hegel is also quoted saying. “Like any well-resourced nation, they seek to support their own agenda through cyber, and the state of affairs in Russia may be adjusting just what they prioritize.”

Chinese hacking groups have been using Royal Road and Bisonal for years, which says a lot. Its longevity points to the shared use of resources among these groups, making attribution very difficult. The repeated use of these tools through the years also suggests that campaigns against targeted nations have been successful, which gives us an idea of the state of security of these countries.

“The fact that these toolkits evolve and continue to operate really speaks to how well they’re resourced, and the state of the defense side,” Hegel told CyberScoop in a separate interview. “Nothing can really stop them from continuing to use this. It’s still successful in many cases, as we see here. You look at the exploits they’re using in these documents, they’re years old exploits. They’re popping people that are out of date by quite a few years.”

China’s Tonto Team increases espionage activities against Russia

In this post, we break down three endpoint security for Mac best practices to help you prevent phishing attacks, DDoS attacks, and much more.
The post Endpoint security for Mac: 3 best practices appeared first on Malwarebytes Labs.

If you’re one of the 50% of small and medium-sized businesses (SMBs) that use Mac devices today, chances are your IT and security teams have a ton of Mac endpoints to monitor. 

Securing that many endpoints can get really complex, really fast, especially when you consider that the common wisdom that Macs don’t get malware simply isn’t true: in fact, the number of malware detections on Mac jumped 200% year-on-year in 2021. 

And it’s not just malware you have to worry about with your Mac endpoints. 

Phishing attacks, vulnerability exploits, DDoS attacks, and much more threaten your company’s Macs at any time — and if any of them are successful, it could cost your business millions in lost productivity and information theft. 

Needless to say, these are a lot of different threats to deal with when it comes to Mac endpoint security. But Thomas Reed, Director of Mac & Mobile at Malwarebytes, is here to remind us of a few simple things we can do to make our Mac endpoints more secure. 

In this post, we break down three of Reed’s best practices for endpoint security for Mac. 

**1\. Update frequently**

As in the Windows world, one of your top priorities needs to be keeping your Macs up to date — and by now we should all understand why. Just consider the fact that 60% of companies say breaches could have been avoided if they had patched known vulnerabilities. 

Tracking and patching vulnerabilities on macOS, however, is a little more difficult to do than on Windows. 

While Microsoft regularly advertises its security updates with its Patch Tuesdays,  Apple slips in patches on an ad-hoc basis — meaning MacOS admins need to put in a little more legwork to keep their devices up-to-date.

To ensure that you know about the latest updates for your Mac endpoints, there are two things you should do.

1.  **Sign up for Apple’s public security notifications and announcements mailing list**. You’ll get an email anytime Apple releases a patch for macOS.
2.  **Regularly check Apple’s list of security updates and patches.** It provides patch names, patch information, affected devices, and release dates.

Additionally, if you’re like most businesses and find that having no common view of assets is causing you major delays in patching, you should consider a vulnerability management solution that gives you instant visibility into potential vulnerabilities across your macOS environment.

**2\. Use a DNS filter to stop web-based attacks**

Since Macs have a much smaller amount of “traditional” malware attacking them compared to Windows, you might think your endpoints are in the clear of cyberattacks. 

Not so. 

Instead of file-based malware, a lot of Mac users get attacked with adware and PUPs that are typically delivered through a number of web-based scams. These threats can throw advertisements up on your screen and slow your computer down, among other things.

OK, that sounds annoying. But surely a few advertisements aren’t too big a threat to your Mac endpoint security, right? Not quite, says Thomas Reed.

“Some of the adware out there is more sophisticated than most of the malware that we see for Mac,” Reed says. “It can do all kinds of stuff, like sending all your network traffic through a proxy or changing system settings to be less secure.”

Reed also mentions that a lot of adware and PUPs are part of the payload of scam sites that direct you to some kind of installer that you download — and so having some sort of web-based protection is vital. That’s where DNS filtering comes in.

“The source of all of these kinds of attacks is through the web, and DNS filtering can help with that by blocking some of those sites,” Reed says.

DNS filtering blocks connections to malicious web servers attempting to deliver malware payloads, so any business interested in Mac endpoint security should have it. Learn more about the ways DNS filtering can save your business from cyberattacks.

**3\. Don’t rely on Mac AV – use EDR **

Since 2009, Apple has included a built-in antivirus (AV) technology called XProtect on all Macs — and while it’s fairly good, there are a lot of threats that it doesn’t detect (that a third-party would).

“You can’t rely on the built-in antivirus that’s in Mac OS to do the job,” Reed says. “You really need to have something else on top of that.”

Even so, let’s be overly generous and say XProtect and your third-party AV detects and removes every Mac malware threat. Throw in the fact that traditional AVs can’t prevent sophisticated threats such as file-based malware, and you just may be left wondering what you can do to best protect your Macs from damaging endpoint attacks.

Endpoint detection and response (EDR) is the answer. 

EDR gives you a real-time “birds-eye view” of all of your Mac endpoints, so whenever something happens outside the norm, you isolate an endpoint, quarantine the threat, or remediate. This stands in stark contrast to more reactive signature-based solutions (like AVs) that allow malware to execute before working.

A key feature of EDR is its threat hunting capabilities. Read our Threat Hunting Made Easy eBook to learn how to save hours every month on threat investigation and response.

**Prevent your Mac endpoints from online threats **

With everything from security vulnerabilities to malware threatening your company’s Macs at all times, Mac endpoint security is high-up on the list of priorities for macOS admins. In this post, we explained how macOS admins can stay on top of their patching game and why having a DNS filter and EDR are so essential for protecting Mac endpoints from a variety of threats.

Want to learn more about what simple and effective Mac endpoint protection looks like in action? Watch the demonstration of Malwarebytes Endpoint Detection and Response (EDR)!