The most important and interesting computer security stories from the last week.
The post A week in security (August 1 – 7) appeared first on Malwarebytes Labs.

*   Partner Success Story
*   Marek Drummond
    
    Managing Director at Optimus Systems
    
    "Thanks to the Malwarebytes MSP program, we have this high-quality product in our stack. It’s a great addition, and I have confidence that customers’ systems are protected."
    
*   See full story

A week in security (August 1 – 7)

Categories: Explained
A hack tool called KMSPico is hailed as the go-to tool when it comes to activiating Windows. But is it safe?



(Read more...)




The post KMSpico explained: No, KMS is not "kill Microsoft" appeared first on Malwarebytes Labs.

_Thanks to Pieter Arntz and the Threat Intelligence Team who contributed to the research._

A hack tool is a program that allows users to activate software even without a legitimate, purchased key. Hack tools are often used to root devices in order to (among others) remove barriers that stop users from using apps from other markets. This is why the term “hack tool” is often interchanged with “crack tool” and “rooting program.”

Many seek such tools in the hopes of getting more control over their devices, or out of necessity if the software they want to use requires them. In this post, we’ll focus on one hack tool that has been a trusted tool for activating pirated copies of Microsoft products for free: KMSPico.

**What is KMSPico?**

KMSPico (often stylized as KMSPICO or KMS Pico) uses an unofficial key management services (KMS) server to activate Microsoft products—although several hack tools already do the same. Here are some of Malwarebytes’ detection of such tools:

*   RiskWare.AutoKMS
*   AutoKMS.HackTool.Patcher.DDS
*   RiskWare.KMS
*   HackTool.KMS
*   HackTool.Agent.KMS
*   HackTool.IdleKMS
*   HackTool.AutoKMS
*   HackTool.WinActivator

KMSPico is one of the most (if not _the_ most) popular software activation tools for Windows and Office Suite, with millions of global users and endorsers. Funnily enough, it also seems to have a lot of "official websites."

Searching for “official KMSpico site” on your favorite search engine will yield thousands of results, including pages of posts from various portals warning internet users not to download KMSPico from Website A or Website B as its malware. And they’re right.

Whatever KMSPico “official” website you find in your search results is undoubtedly fake, which leaves people wondering—or probably even believing—that KMSPico is a myth. This tool, however, is far from mythical. It does exist, and the latest version, **10.2.0**, can only be downloaded from a members-only forum posted almost a decade ago.

**How does it work?**

To understand how KMSPico works, we should first understand how a KMS activation works.

KMS is a legitimate way to activate Windows licenses in client computers, especially en masse (volume activation). There is even a Microsoft document on creating a KMS activation host.

A KMS client connects to a KMS server (the activation host), which contains the host key the client uses for activation. Once KMS clients are validated, the Microsoft product on those clients contacts the server every 180 days (6 months) to maintain its validity. However, a KMS set-up is only viable for large organizations with Volume Licensed (VL) Microsoft products.

This is what KMSPico is trying to exploit. Once installed onto user clients, it changes a user’s retail version of their Microsoft to a “Volume Licensed” one by simply changing the key into a generic VL key. KMSPico then changes the default KMS server to an unofficial KMS server set up by the hack tool’s developer. 

Note that if the KMSPico developer decides to kill the server, then whoever their users are would no longer have an activated version of their Microsoft product.

**Why we don’t recommend it**

Hack tools can be qualified as riskware, a category of software that may be risky to install on your computer or device. This is because a legitimate copy of the software may be bundled with adware, or it’s actually malware named after popular software. Such is the case for KMSPico.

On top of that, using KMSPico violates Microsoft’s ToS (terms of service) for its products.

Our 2021 State of Malware report found that hack tools plagued our consumer and enterprise clients for the previous two years. 

Perhaps the most critical data we have of KMS hack tools are that they are ranked as a top threat for consumers (with a 2,118 percent growth) and enterprises (with a 2,251 percent growth). We attributed this to the sudden change in work life due to many moving to a work-from-home (WFH) set up during the COVID-19 pandemic. Many employees—and potentially even employers—resorted to using cracked versions of Microsoft products.

Finally, regarding software updates or patching, it’s also likely that KMSPico blocks any activated Microsoft product from “calling home.” If it does, then that would stop these products from getting updates or patches, and KMSPico users would be left with very vulnerable Microsoft software.

**Does Malwarebytes detect KMSPico?**

Yes. We detect components from the same toolset. So if you have downloaded the KMSPico tool, expect your Malwarebytes product to alert you of files detected as **HackTool.KMSpico**, **CrackTool.KMSPico**, or both.

KMSpico explained: No, KMS is not "kill Microsoft"

Categories: A week in security
The most important and interesting computer security stories from the last week.



(Read more...)




The post A week in security (August 1 - August 7) appeared first on Malwarebytes Labs.

twitter

facebook

linkedin

Youtube

instagram

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Cyberprotection for every one.

FOR PERSONAL

Windows

Mac

iOS

Android

Privacy VPN

SEE ALL

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

FOR BUSINESS

Small Businesses

Mid-size Businesses

Large Enterprise

Endpoint Protection

Endpoint Detection & Response

MY ACCOUNT

Sign In

SOLUTIONS

Free Rootkit Scanner

Free Trojan Scanner

Free Virus Scanner

Free Spyware Scanner

Anti Ransomware Protection

SEE ALL

ADDRESS

3979 Freedom Circle  
12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay  
2nd Floor  
Cork T12 X8N6  
Ireland

LEARN

Malware

Hacking

Phishing

Ransomware

Computer Virus

Antivirus

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

MY ACCOUNT

Sign In

ADDRESS

3979 Freedom Circle, 12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay, 2nd Floor  
Cork T12 X8N6  
Ireland

A week in security (August 1 - August 7)

Cisco has released a security advisory about some serious security vulnerabilities in multiple Cisco small business VPN routers.
The post Patch now! Cisco VPN routers are vulnerable to remote control appeared first on Malwarebytes Labs.

Cisco has released a security advisory about several vulnerabilities in the Cisco Small Business RV series routers, covering the RV160, RV260, RV340, and RV345.

There are no workarounds available that address these vulnerabilities, so you need to patch.

**Vulnerabilities**

The vulnerabilities are dependent on one another—exploitation of one of the vulnerabilities may be required to exploit another vulnerability.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). You will find the ones included in these updates listed below.

**CVE-2022-20842**

CVE-2022-20842 is a vulnerability in the web-based management interface of the Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers. Exploitation of the vulnerability could allow an unauthenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly, resulting in a denial of service (DoS) condition.

This vulnerability is due to insufficient validation of user-supplied input to the web-based management interface. An attacker could exploit this vulnerability by sending crafted HTTP input to an affected device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system or cause the device to reload, resulting in a DoS condition.

**CVE-2022-20827**

CVE-2022-20827 is a vulnerability in the web filter database update feature of Cisco Small Business RV160, RV260, RV340, and RV345 series routers. Exploitation of the vulnerability could allow an unauthenticated, remote attacker to perform a command injection and execute commands on the underlying operating system with root privileges.

This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by submitting crafted input to the web filter database update feature.

**CVE-2022-20841**

CVE-2022-20841 is a vulnerability in the Open Plug and Play (PnP) module of Cisco Small Business RV160, RV260, RV340, and RV345 series routers. Exploitation of the vulnerability could allow an unauthenticated, remote attacker to inject and execute arbitrary commands on the underlying operating system.

This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending malicious input to an affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying Linux operating system. To exploit this vulnerability, an attacker must leverage a machine-in-the-middle position or have an established foothold on a specific network device connected to the affected router.

**Input validation**

After reading the vulnerability descriptions above you may wonder what “input validation” means, since the absence of it seems to be one of the underlying issues.

As you probably suspected, input validation is the name for the checks that are done on data being added to a system. It is necessary to ensure only properly formed data enters the workflow in an information system. When a system does not properly validate its inputs, it gives threat actors a chance to attempt several attacks, depending on the type of system.

The most common type is SQL injection, an attack used against databases. SQL commands are a mixture of actions (code) and things being acted upon (data). The external inputs that feed into SQL commands should only ever be interpreted as data. If they are interpreted as code then an attacker can inject input that changes the behaviour of an application’s SQL commands.

Insufficient input validation could allow an attacker to execute SQL commands that could destroy your database or provide the attacker with data stored in the database.

**Mitigation**

There are no workarounds that address these vulnerabilities but Cisco has released free software updates for them. Cisco states it is not aware of any public announcements or malicious use of the vulnerabilities. So, now is your chance to install those updates before that changes.

A list of releases in which these vulnerabilities have been fixed is available in the Cisco Security Advisory.

Stay safe, everyone!

Patch now! Cisco VPN routers are vulnerable to remote control

We take a look at a wave of scams involving people's fears of increasing energy prices, and how to avoid being caught out.
The post Phishy calls and emails play on energy cost increase fears appeared first on Malwarebytes Labs.

Gas and electricity price concerns are rife at the moment, with spiralling costs and bigger increases waiting down the line. Sadly this makes the subject valuable material for fraudsters, playing into people’s fears with a dash of social engineering to make them worse off than they were previously.

Warnings abound of several energy / cost of living-themed scams doing the rounds. Shall we take a look?

**Identifiers of an attack**

These attacks target individuals living in countries where oil or electricity prices are a concern. If you have an imminent set of price increases on the horizon, you may be a target. Phone calls, emails, whatever it takes to extract some cash. The UK is a particularly hot flashpoint for these fraud attempts at the moment.

The senders will typically claim to be from an organisation with authority. Maybe an energy watchdog, or a consumer rights group, or maybe an energy company.

Refunds, rebates, and discounts generally are the order of the day. There’s a number of schemes along these lines at the moment due to be rolled out, and you can expect fraudsters to ride on their coat tails.

**Energy refund scam types****Fake rebates**

This scam involves cold calling and a spin on the (genuine) rebate plan put together by the British Government. Fraudsters inform potential victims that they need to hand over bank details in order to qualify. Normally we’d say “this is not true”. However: There are some cases where people do hand over payment information. Local councils in the UK have reached out to many people pre-emptively to arrange rebate payments. Where the scammers have an angle is that lots of other residents have _not_ been contacted.

In _those_ cases, the onus is on the individual to reach out and apply. They can choose to have the rebate applied to their next local council bill, or have the money paid directly into their bank account. To do this, they need to hand over payment details. The caveat is that the person applying does this themselves, on their local council website. Nobody should be cold-calling _asking_ for payment information.

**Ofgem impersonators**

Fraudsters are claiming to represent Ofgem, Britain’s independent energy regulator. They claim to be able to help you get a better energy deal and then ask for your payment details. These attacks come via text and email, and have been around for at least a month or so. Some of these also tap into the rebate scam, claiming to offer a “secure application” which is really just a phishing website.

**Fake energy company refunds**

This is a fairly common scam, just like fake tax refunds during tax season. They are definitely more relevant during the current energy crisis though. In this case, we’re talking fake refunds and a double-threat attack technique. The victim is lured in with emails offering a refund. Once the information is taken by the phishing website, the scammer calls the victim claiming to be working on behalf of their bank. The scammer goes on to highlight several types of fraud to be wary of, all the while trying to extract around $1,200 during the call.

**How to avoid these threats**

*   Any email or phone call asking for payment information is not going to be legitimate. You should also never be asked for login details for your online banking or other accounts from a cold-caller.
*   If you receive an unexpected call about energy prices or rebates, Insist on calling “them” back on their official number, taken from an official website, directly. If the caller objects to this, that’s an immediate red flag. A genuine caller would have no possible reason to object to this.
*   Bogus fake energy company websites are very popular and easy to set up. Visit the official website listed in official correspondence only, and pay close attention to URLs sent to you by text or email.

Stay safe out there!

Phishy calls and emails play on energy cost increase fears

Categories: Exploits and vulnerabilities
Categories: News
Tags: Cisco

Tags: VPN routers

Tags: CVE-2022-20842

Tags: CVE-2022-20827

Tags: CVE-2022-20841

Tags: input validation

Cisco has released a security advisory about some serious security vulnerabilities in multiple Cisco small business VPN routers.



(Read more...)




The post Patch now! Cisco VPN routers are vulnerable to remote control appeared first on Malwarebytes Labs.

Cisco has released a security advisory about several vulnerabilities in the Cisco Small Business RV series routers, covering the RV160, RV260, RV340, and RV345.

There are no workarounds available that address these vulnerabilities, so you need to patch.

**Vulnerabilities**

The vulnerabilities are dependent on one another—exploitation of one of the vulnerabilities may be required to exploit another vulnerability.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). You will find the ones included in these updates listed below.

**CVE-2022-20842**

CVE-2022-20842 is a vulnerability in the web-based management interface of the Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers. Exploitation of the vulnerability could allow an unauthenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly, resulting in a denial of service (DoS) condition.

This vulnerability is due to insufficient validation of user-supplied input to the web-based management interface. An attacker could exploit this vulnerability by sending crafted HTTP input to an affected device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system or cause the device to reload, resulting in a DoS condition.

**CVE-2022-20827**

CVE-2022-20827 is a vulnerability in the web filter database update feature of Cisco Small Business RV160, RV260, RV340, and RV345 series routers. Exploitation of the vulnerability could allow an unauthenticated, remote attacker to perform a command injection and execute commands on the underlying operating system with root privileges.

This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by submitting crafted input to the web filter database update feature.

**CVE-2022-20841**

CVE-2022-20841 is a vulnerability in the Open Plug and Play (PnP) module of Cisco Small Business RV160, RV260, RV340, and RV345 series routers. Exploitation of the vulnerability could allow an unauthenticated, remote attacker to inject and execute arbitrary commands on the underlying operating system.

This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending malicious input to an affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying Linux operating system. To exploit this vulnerability, an attacker must leverage a machine-in-the-middle position or have an established foothold on a specific network device connected to the affected router.

**Input validation**

After reading the vulnerability descriptions above you may wonder what "input validation" means, since the absence of it seems to be one of the underlying issues.

As you probably suspected, input validation is the name for the checks that are done on data being added to a system. It is necessary to ensure only properly formed data enters the workflow in an information system. When a system does not properly validate its inputs, it gives threat actors a chance to attempt several attacks, depending on the type of system.

The most common type is SQL injection, an attack used against databases. SQL commands are a mixture of actions (code) and things being acted upon (data). The external inputs that feed into SQL commands should only ever be interpreted as data. If they are interpreted as code then an attacker can inject input that changes the behaviour of an application's SQL commands.

Insufficient input validation could allow an attacker to execute SQL commands that could destroy your database or provide the attacker with data stored in the database.

**Mitigation**

There are no workarounds that address these vulnerabilities but Cisco has released free software updates for them. Cisco states it is not aware of any public announcements or malicious use of the vulnerabilities. So, now is your chance to install those updates before that changes.

A list of releases in which these vulnerabilities have been fixed is available in the Cisco Security Advisory.

Stay safe, everyone!

Categories: News
Categories: Scams
Tags: scam

Tags: phish

Tags: email

Tags: social engineering

Tags: gas

Tags: electricity

Tags: energy company

Tags: rebate

Tags: discount

Tags: switch

We take a look at a wave of scams involving people's fears of increasing energy prices, and how to avoid being caught out.



(Read more...)




The post Phishy calls and emails play on energy cost increase fears appeared first on Malwarebytes Labs.

Gas and electricity price concerns are rife at the moment, with spiralling costs and bigger increases waiting down the line. Sadly this makes the subject valuable material for fraudsters, playing into people's fears with a dash of social engineering to make them worse off than they were previously.

Warnings abound of several energy / cost of living-themed scams doing the rounds. Shall we take a look?

**Identifiers of an attack**

These attacks target individuals living in countries where oil or electricity prices are a concern. If you have an imminent set of price increases on the horizon, you may be a target. Phone calls, emails, whatever it takes to extract some cash. The UK is a particularly hot flashpoint for these fraud attempts at the moment.

The senders will typically claim to be from an organisation with authority. Maybe an energy watchdog, or a consumer rights group, or maybe an energy company.

Refunds, rebates, and discounts generally are the order of the day. There's a number of schemes along these lines at the moment due to be rolled out, and you can expect fraudsters to ride on their coat tails.

**Energy refund scam types****Fake rebates**

This scam involves cold calling and a spin on the (genuine) rebate plan put together by the British Government. Fraudsters inform potential victims that they need to hand over bank details in order to qualify. Normally we'd say "this is not true". However: There are some cases where people do hand over payment information. Local councils in the UK have reached out to many people pre-emptively to arrange rebate payments. Where the scammers have an angle is that lots of other residents have _not_ been contacted.

In _those_ cases, the onus is on the individual to reach out and apply. They can choose to have the rebate applied to their next local council bill, or have the money paid directly into their bank account. To do this, they need to hand over payment details. The caveat is that the person applying does this themselves, on their local council website. Nobody should be cold-calling _asking_ for payment information.

**Ofgem impersonators**

Fraudsters are claiming to represent Ofgem, Britain's independent energy regulator. They claim to be able to help you get a better energy deal and then ask for your payment details. These attacks come via text and email, and have been around for at least a month or so. Some of these also tap into the rebate scam, claiming to offer a "secure application" which is really just a phishing website.

**Fake energy company refunds**

This is a fairly common scam, just like fake tax refunds during tax season. They are definitely more relevant during the current energy crisis though. In this case, we're talking fake refunds and a double-threat attack technique. The victim is lured in with emails offering a refund. Once the information is taken by the phishing website, the scammer calls the victim claiming to be working on behalf of their bank. The scammer goes on to highlight several types of fraud to be wary of, all the while trying to extract around $1,200 during the call.

**How to avoid these threats**

*   Any email or phone call asking for payment information is not going to be legitimate. You should also never be asked for login details for your online banking or other accounts from a cold-caller.
*   If you receive an unexpected call about energy prices or rebates, Insist on calling "them" back on their official number, taken from an official website, directly. If the caller objects to this, that's an immediate red flag. A genuine caller would have no possible reason to object to this.
*   Bogus fake energy company websites are very popular and easy to set up. Visit the official website listed in official correspondence only, and pay close attention to URLs sent to you by text or email.

Stay safe out there!

Categories: News
We take a look at reports that EAS alerts could be issued by people without the correct authorisation.



(Read more...)




The post DHS says to update your Emergency Alert Systems immediately appeared first on Malwarebytes Labs.

Posted: August 5, 2022 by

The Department of Homeland Security has issued an advisory after vulnerabilities were found in its Emergency Alert Systems (EAS).

EAS technology is designed to fire out warning messages during times of national emergency. It can be used to warn of coastal flooding, earthquakes, child abduction, evacuations, and more, via multiple channels, including TV, SMS, and radio. If people are able to tamper with these systems, they can send false alerts. This is incredibly serious and could cause widespread panic, disruption, even injury or loss of life.

The advisory reads as follows:

> We recently became aware of certain vulnerabilities in EAS encoder/decoder devices that, if not updated to most recent software versions, could allow an actor to issue EAS alerts over the host infrastructure (TV, radio, cable network).
> 
> This exploit was successfully demonstrated by Ken Pyle, a security researcher at CYBIR.com, and may be presented as a proof of concept at the upcoming DEFCON 2022 conference in Las Vegas, August 11-14.
> 
> In short, the vulnerability is public knowledge and will be demonstrated to a large audience in the coming weeks.

The advice for anyone maintaining an EAS:

*   Ensure devices and supporting systems have the most recent software versions and security patches.
    
*   Protect devices with a firewall.
    
*   Monitor EAS devices and supporting systems and review audit logs regularly for unauthorized access.
    

Sadly, this kind of thing isn’t remotely new. Multiple high-profile alert-related compromises and accidents have happened in recent years. If you thought this would all be sorted out by now, you’d be mistaken.

**Tipping points that didn’t tip**

In 2020, an individual using the handle Virtrux claimed there were "thousands of open access methods to both the US and Canadian Emergency Alert Systems". Port scanning systems frequently used for emergency alerts revealed keywords that were potentially used for the alerts. From there, the attacker was able to grab service/default passwords via a splash of social engineering.

In November, 2020, virtrux tweeted images which appeared to show they had access to a system that allowed them to generate an EAS message.

> What would you send to everyone in the United States? @thugcrowd pic.twitter.com/jkQwfmPem6
> 
> — virtrux (j3ws3r) (@virtrux) November 23, 2020

Consider the chaos generated back in 2018 when an alert in Hawaii regarding an incoming missile was sent in error. Think of the sheer bedlam someone with full access to custom messages could generate with a few clicks of a keyboard.

Now wind forward to the present day and realise that we still have a long way to go.

**Accidents, incidents, and shenanigans**

Just last month, Spanish police arrested individuals suspected of tampering with a system used to monitor gamma radiation levels. In 2019, Australia’s early warning system for dangerous weather was compromised. On a related note, signs used to warn of bad weather or crashes on highways are notoriously easy to hijack. Even the humble traffic light doesn’t escape from the gravitational pull of unauthorised access.

As long as default settings and a lack of patching exists, it is hard to see these problems going away. The big question is what do authorities have in place as a backup if their emergency notifications go horribly wrong?

**RELATED ARTICLES**

DHS says to update your Emergency Alert Systems immediately

Smishing attacks, or phishing attempts via SMS, are on the rise, and Americans are fighting off billions of spam messages each month.
The post FCC warns of steep rise in phishing over SMS appeared first on Malwarebytes Labs.

After the FCC (Federal Communications Commission) made a huge splash weeks ago when it told Google and Apple to pull TikTok from their respective app stores, the federal agency is now warning Americans of an increased wave of SMS phishing attacks.

SMS phishing, otherwise known as smishing or robotexts (FCC’s own terminology), is a form of phishing that attempts to trick people into handing over their personally identifiable information (PII) and/or money using SMS instead of email, which standard phishing usually starts. The FCC has noted that scammers use various lures to trick someone into replying, giving out their information, or clicking a link.

“Like robocallers, a robotexter may use fear and anxiety to get you to interact,” the FCC consumer alert reads. “Texts may include false-but-believable claims about unpaid bills, package delivery snafus, bank account problems or law enforcement action against you. They may provide confusing information—as if they were texting someone else—, incomplete information, or utilize other techniques to spur your curiosity and engagement.”

What motivates criminals to engage in smishing tactics is to get money and personal information or to simply confirm that the number they’re messaging is active, so they can target it in future scam campaigns.

According to the FCC, it tracks consumer complaints instead of text volume. The agency noted a steady climb of unwanted SMS messages, from approximately 5,700 in 2019 to 8,500 by June 30, 2022.

A separate study confirmed this, too, but revealed more sobering numbers. RoboKiller, an app that screens scammy calls and messages, found that Americans were sent a mind-blowing 12 billion spam texts in July 2022.

“That’s nearly **_44 spam texts_** for every person in the country!” And the numbers were no different in June and May 2022.

RoboKiller also pointed out in the report that spam texts have outpaced spam calls for two consecutive years. And one of the notable reasons for this is the FCC mandating the STIR (Secure Telephone Identity Revisited) and SHAKEN (Signature-based Handling of Asserted information using toKENs) framework, which was designed to curb spam calls. It’s effective, which is why scammers switched to spam texts.

The FCC posted bite-sized, back-to-back tweets on signs of scam text messages and how Americans can avoid getting scammed.

> How to protect yourself from #scam robotexts:  
> ▪️ Do not respond  
> ▪️ Do not click on any links  
> ▪️ Do not provide any info  
> ▪️ File an FCC complaint  
> ▪️ Forward unwanted texts to SPAM (7726)  
> ▪️ Delete all suspicious texts
> 
> — The FCC (@FCC) July 28, 2022

When you receive a spam text, do not engage with the sender.

Ignore them, but file a complaint to the FCC.

Finally, if you think you were the victim of an SMS text scam, the FCC recommends you report the incident to your local law enforcement agency and notify your bank and mobile carrier.

Stay safe!

FCC warns of steep rise in phishing over SMS

BlackBasta lined up behind LockBit as the second most prevalent ransomware in July, a number of new gangs appeared, and an old one reappeared
The post Ransomware review: July 2022 appeared first on Malwarebytes Labs.

Malwarebytes Threat Intelligence builds a monthly picture of ransomware activity by monitoring the information published by ransomware gangs on their Dark Web leak sites. This information represents victims who were successfully attacked but opted not to pay a ransom.

In July, LockBit maintained the place it has occupied all year as the most active ransomware variant. Notably, BlackBasta, a relatively new ransomware variant that first appeared in April, took the place occupied by Conti for much of the year as the second most active variant. BlackBasta has been strongly linked to the gang behind Conti and may be the closest thing it has to a successor.

Two other gangs linked to Conti, Hive and KaraKurt, were also very active during July, ensuring that the gang behind “the costliest strain of ransomware ever documented” by the FBI continues to cast a long shadow, despite the retirement of the Conti “brand”.

The international picture followed a familiar pattern, with the USA suffering the largest number of attacks by far, distantly followed by a collection of the largest European economies. Services remained the sector most afflicted, suffering almost a quarter of all attacks.

Known ransomware attacks by group, July 2022

Known ransomware attacks by country, July 2022

Known ransomware attacks by industry sector, July 2022

**LockBit**

We wrote extensively about LockBit, and the appearance of LockBit 3.0, in last month’s ransomware review. Part of the gang’s success seems to have come from simply avoiding the attention-seeking pitfalls of other gangs. We wrote “…while some ransomware gangs seem to want to tell the world what they think, and how great they are, LockBit seems to care more about what its users think.”

Perhaps we spoke to soon. In July LockBit responded to an interview request by Red Hot Cyber in which it trotted out it’s version of the careworn old nonsense that criminal hackers help security, saying “we are ordinary pentesters and make this world safer”. Thanks to the gang’s threats and ruthless exploitation “companies can learn a security lesson and close vulnerabilities”, apparently. Whatever helps you sleep at night, we suppose.

The interview did contain some useful information too though, revealing that between 10%-50% of LockBit victims pay the ransom. The numbers we report each month are victims who appear on leak sites because they have _not_ paid the ransom, so this tidbit helps us understand the true scale of the ransomware problem.

The interviewee also confirmed the suspected relationship between LockBit 3.0 (also known as LockBit Black) and DarkSide/BlackMatter ransomware, revealing that the LockBit gang paid for DarkSide source code and based the latest version of its ransomware on it. If DarkSide sounds familiar, you may recall that it was the ransomware used in the infamous Colonial Pipeline attack. The DarkSide gang disappeared shortly after the attack “due to the pressure from the US”, only to reemerge as BlackMatter in July, before disappearing again in October 2021, again due to pressure from “authorities”.

**BlackBasta**

BlackBasta was the second most prolific ransomware variant behind LockBit in July, and it has occupied either the second or third place in our list ever since May, having only emerged the month before.

It burst into existence in April with 11 known victims. Being able to hit so many victims in its first month led some to speculate that it must be the work of an established gang that had a network of experienced affiliates in place, ready to work. It has since been linked to the gang behind the recently retired Conti ransomware, with which it enjoys an eye-catching overlap.

Known Conti and BlackBasta attacks in the last six months

As we reported in May and June, Conti hatched a scheme to fake its own death this year, after its support for Russia’s invasion of Ukraine caused ransom payments to dry up. Members of the gang were alleged dispersed to other “brands” owned by the Conti gang, as well as other gangs it had a relationship with.

Apparent beneficiaries included operators of three of the five most prevalent ransomware variants in July: BlackBasta, Hive, and the resurgent KaraKurt.

**REvil returns**

July was also notable for the reappearance of REvil, aka Sodinokibi, perhaps the most notorious name in ransomware. A single victim appeared on the gang’s Tor leak site in July, the first since April.

A new victim appeared on the REvil leak site for the first time in months

While many other groups were far more active, the group’s reputation ensures that any sign of life demands to be taken seriously.

REvil is responsible for two of the most significant ransomware attacks in history: The 2021 attack on JBS, the world’s largest meat processing company, and an enormous, cascading supply-chain attack against Kaseya VSA and its customers a month later. The attack on Kaseya was ultimately resolved when the company announced that it had acquired the decryption key needed to free the victims, without paying REvil its $70 million ransom demand. The source of the key was later revealed to have been the FBI, which had successfully infiltrated the group’s infrastructure.

Since then REvil has led a stop-start existence. Under pressure from US law enforcement, the gang went dark in July 2021. It reappeared a few months later before being forced offline when its infrastructure was hijacked by a multi-country law enforcement operation in October.

In January, in a highly unusual move, eight of its members were arrested in Russia by the FSB. However, even that wasn’t enough to keep the gang down for long. It’s infrastructure sparked back into life in April before going dark again, only for it to reappear in July.

**New gangs appear**

Last month also saw a glut of new ransomware gangs appear. The newcomers in our list are BianLian, Yanluowang, 0mega, Cheers, and RedAlert. With 11 known victims, the debut of BianLian is comparable in size to the appearance of BlackBasta in April, so we will be watching it closely in August.

The leak site of the new BianLian ransomware showed 11 victims in July

Yanluowang leak site

0mega leak site

Cheers leak site

RedAlert leak site

Source

Malwarebytes