We found a Facebook scam that aims to redirect victims to sites promoting PUPs, adware, or other fraudulent sites.

Facebook scams are a constant nuisance and vary from like-farming to scams that can cost you some serious money. The latest one we found is a bit morbid.

Recently, I’ve seen quite a few posts on my timeline that looked like this:

Without going into details the post says:

> “I can’t believe he’s gone. I’ll miss him so much”

In all the posts I’ve seen, one of my Facebook friends was tagged. When I noticed that happen to two friends that do not know each other, the post did what it was intended to do, trigger my curiosity.

When you follow the posted link, which is a Facebook permalink to a post made by what is probably a compromised account, you’ll see a fake BBC news item about a fatal road accident. The permalink of any post on Facebook is hidden under its time stamp and can be used to share content on or outside of Facebook.

This post features a slightly different text: “I can’t believe this, I’m going to miss him so much”

The BBC news logo in the picture and the BBCNEWS part of the URL are obviously intended to gain your trust, and suggest that it’s safe to play the video.

In reality you will be redirected to the link displayed directly below the movie. We found several variations of that URL. All composed like this “BBCNEWS-{6 characters}.OMH4.XYZ”

Clicking the play button takes you through several redirects, very likely to perform fingerprinting, where sites gather information about your browser, your location, and other sites you’ve visited. The scammers do this to make sure you are redirected to a site that is likely to generate the most profit from people fitting your profile.

During my testing, I was not logged in on Facebook and surfing from a Dutch IP address, I ended up at polo\[.\]thegadgetguru\[.\]club which was unreachable at the time of writing. However, our archives show it’s a known source of pop-ups and has been for at least two years. These pop-ups can lead visitors to potentially unwanted programs, adware, and fraudulent sites.

It’s very likely that changing my IP address to a different location with a VPN and logging in to Facebook will change the outcome of the redirects, but I’m pretty sure none of them will be up to any good.

**How to avoid Facebook scams**

In this case I was able to spot the scam because it made me suspicious that two unrelated friends might be tagged in a similar post. But there are some other pointers to help you spot Facebook scams.

*   Scrutinize URLs closely. Not every scam campaign is sophisticated or difficult to spot. Start with the URL – if it’s obviously not for the website in question then step away.
*   Reach out to friends and family outside of Facebook or Instagram. If you’re not sure if a message is from the person it says it’s from, give them a call or send them a text message to check they really did send it.
*   Be wary of “free” stuff. Sure, free things are nice—but they shouldn’t cost you anything, and that includes your personal details or a small amount of money that you must pay first. If you see a giveaway doing the rounds on Facebook, go to that company’s official webpage to verify it, or give them a call.
*   Update your browser regularly. This keeps new vulnerabilities at bay, and is another layer of protection you can depend on.
*   Change your login credentials if you think your account may be compromised. And if you’ve used the same password on other sites, change them.
*   Install browser protection, like Malwarebytes Browser Guard, which can alert you to scams and other nasties in the browser.
*   If you’ve decided you’ve had it with Facebook you may like this post on how to deactivate or delete your Facebook account.

Report any posts you may find that are suspicious, scammy, illegal, or downright harmful to other Facebook users’ wellbeing. You can find this feature by clicking in the upper right hand corner of the Facebook post in question and picking either “Report post” or “Report photo”.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 “I&#8217;ll miss him so much” Facebook scam uses BBC branding to lure victims 

GitLab has warned about a critical vulnerability that allows an attacker to change passwords without user interaction.

GitLab has issued a warning about a critical vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE). GitLab is an online DevOps platform that allows developers to collaborate on creating software. Organizations have a choice to install GitLab on their own server(s) or under GitLab’s control on GitLab.com.

The vulnerability allows a successful attacker to easily take over users’ accounts without any interaction. To remediate the problem, users of self-managed instances must upgrade to a patched version following the specified upgrade path. Do not skip upgrade stops as this could create instability. GitLab.com is already running the patched version.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. As we can see from the description in the database, the root of the problem is that it’s possible to direct password reset emails to unverified email addresses.

CVE-2023-7028 (CVSS score 10 out of 10): an issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address.

A GitLab account takeover can have serious consequences since the attacker could introduce unsafe code or get access to an organization’s API keys.

The account takeover won’t work if the target has 2FA enabled, since the attacker will not be able to log in if they don’t have control of the second authentication factor.

GitLab supports as a second factor of authentication:

*   Time-based one-time passwords (TOTP). When enabled, GitLab prompts you for a code when you sign in. Codes are generated by your one-time password authenticator (for example, a password manager on one of your devices).
*   WebAuthn devices. You’re prompted to activate your WebAuthn device (usually by pressing a button on it) when you supply your username and password to sign in. This performs secure authentication on your behalf.

Another critical vulnerability is listed as CVE-2023-5356 (CVSS score 9.6 out of 10): incorrect authorization checks in GitLab CE/EE from all versions starting from 8.13 before 16.5.6, all versions starting from 16.6 before 16.6.4, all versions starting from 16.7 before 16.7.2, allows a user to abuse Slack/Mattermost integrations to execute slash commands as another user.

Instructions on how to enable 2FA for GitLab can be found on GitLab docs. Enabling 2FA is recommended, even if you upgrade immediately.

GitLab states it has not detected any abuse of this vulnerability on platforms managed by GitLab, including GitLab.com and GitLab Dedicated instances.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

 GitLab warns zero-click vulnerability could lead to account takeovers 

Fidelity National Financial has suffered a ransomware attack and resulting data breach which involved 1.3 million of its customers' data.

In November 2023, real estate services company Fidelity National Financial (FNF) got its systems knocked offline for a week after a cyberincident.

As is often the case these days, it turns out that the cyberincident was very likely a ransomware attack that included a data breach. Ransomware operators typically steal data from the compromised systems to use as extra leverage against the victim.

The attack on FNF was claimed by ransomware group ALPHV/BlackCat on its leak site. ALPHV is typically in the top five most active ransomware gangs in our monthly ransomware reviews and is one of the most dangerous ransomware groups in the world.

The listing on ALPHV’s leak site has since been removed which might indicate that the ransom was paid. But it could also be another reason: In December 2023, the gang’s infrastructure was taken down by law enforcement. Unfortunately the gang did re-appear soon after.

In a form 8-K, FNF said it had notified applicable state attorneys general and regulators, and approximately 1.3 million potentially impacted consumers. Form 8-K is known as a “current report” and it is the report that companies must file with the SEC to announce major events that shareholders should know about.

The company has not so far specified the type of data that may have been stolen. FNF is providing credit monitoring and identity theft services to affected customers.

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

 Fidelity National Financial acknowledges data breach affecting 1.3 million customers 

A list of topics we covered in the week of January 8 to January 14 of 2024

January 15, 2024 - Fidelity National Financial has suffered a ransomware attack and resulting data breach which involved 1.3 million of its customers' data.

January 12, 2024 - The FCC wants car makers and wireless providers to make it harder for stalkers to use your car against you.

January 12, 2024 - A vulnerability in the popular Joomla! CMS has been added to CISA's known exploited vulnerabilities catalog.

January 11, 2024 - Several international security agencies are echoing a warning by Ivanti about actively exploited vulnerabilities in its VPN solution.

January 11, 2024 - This month in ransomware: ALPHV and LockBit joining forces?

 A week in security (January 8 &#8211; January 14) 

The FCC wants car makers and wireless providers to make it harder for stalkers to use your car against you.

Most new model cars are not just cars anymore. With multiple digital systems, vehicles are increasingly plugged into web applications and digital processes. Some of them are basically smartphones on wheels.

Even if we assume these new features were all created with your convenience in mind, some of them can have some adverse effects on your privacy, and sometimes even your safety.

Addressing the use of connected cars to stalk, intimidate, and harass survivors of domestic violence, the Federal communications Commission (FCC) has issued a press release calling on carmakers and wireless companies to help ensure the independence and safety of domestic violence survivors.

Chairwoman Jessica Rosenworcel of the FCC said:

> “No survivor of domestic violence and abuse should have to choose between giving up their car and allowing themselves to be stalked and harmed by those who can access its data and connectivity.”

We have previously talked about cars spying on you, and the poor privacy policies that allow manufacturers to sell the data they gather for targeted advertising. We have also written about a federal judge that ruled it’s fine for car makers to intercept your text messages. But those are privacy concerns. Valid and serious, but on a different level from running the risk of being harassed by a jealous ex.

For readers focused on the privacy issues of connected cars, we can recommend the Mozilla report It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy. And when you are parting with a car in the US, you may want to look at the Privacy4Cars app that can provide a Vehicle Privacy Report and claims to be able to delete your data. You will need your Vehicle Identification Number (VIN).

The FCC also asked wireless service providers (AT&T, T-Mobile and Verizon) to describe their partnerships with car manufacturers, seeking information on how the wireless providers work with them and what their policies are for handling geolocation data provided by car manufacturers.

The FCC press release includes statistics showing that more than 12 million people each year are the victims of rape, physical violence, and stalking.

**Tips to keep a stalker from tracking your car**

Not all cars offer these options, and the tips may not apply to your situation, but here are some general tips for people that are afraid they are the target of a stalker:

*   Use the navigation app on your phone, rather than the one built into your car.
*   Do not store places you visit regularly in the car’s navigation.
*   Consider using a VPN when you connect to your car’s hotspot.
*   Find out which devices can access the car or its location data by using any “remote access” apps for the car and remove the devices that are not under your control.
*   Familiarize yourself with the car manufacturer’s privacy policy so you know where your data might be sent. To give you an idea, data might end up with advertisers, law enforcement, service providers, the car manufacturer and its dealers, tech giants like Apple, Google, and Amazon, connected service providers, and government agencies.
*   Keep the software updated to make sure your car is equipped with the latest protection against potential intrusions.
*   If the suspected stalker has been near your vehicle, inspect it thoroughly for trackers and other unfamiliar hardware.
*   Try not to travel alone and always park in a well-lit, busy area if you are concerned about your physical safety.
*   If you have a dashcam that uses cloud storage, check who has access to the images. They can be used to track your movements.

**We don’t just report on privacy—we offer you the option to use it.**

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

 FCC wants cars to make life harder for stalkers 

A vulnerability in the popular Joomla! CMS has been added to CISA's known exploited vulnerabilities catalog.

The Cybersecurity and Infrastructure Security Agency (CISA) has added a vulnerability for the Joomla! Content Management System (CMS) to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

This means that Federal Civilian Executive Branch (FCEB) agencies need to remediate this vulnerability by January 29, 2024 in order to protect their devices against active threats.

Joomla! is an open-source CMS that’s been around since 2005, and has been one of the most popular CMS platforms by market share for much of that time. Many companies, from small outfits to large enterprises, use a CMS in some form to manage their websites. There are lots of advantages to using a popular CMS, but if you do you need to keep an eye out for updates.

Take for example the vulnerability that has been added to the CISA catalog: CVE-2023-23752 was reported, and a fix was created in February 2023. But here we are, active exploitation is upon us.

The vulnerability allows a successful attacker to access an application programming interface (API) through which they can obtain Joomla-related configuration information. The attacker has to construct specially crafted requests, which can eventually lead to the disclosure of sensitive information.

The vulnerability is the result of an improper access check that allows unauthorized access to webservice endpoints that exist in Joomla! versions 4.0.0-4.2.7.

If the database is exposed publicly, the attacker can change the Joomla! Super User’s password. After which the attacker can log in to the administrative web interface and modify a Joomla! template to include a web shell, or install a malicious plugin, giving themselves the ability execute code remotely.

But even if the database is not exposed publicly, exploitation can be used to get the Joomla! user database (usernames, emails, assigned group). This could open up options for credential stuffing. Credential stuffing is a special type of password attack that exploits password reuse by using username and password combinations found on one service to log in to other, unrelated services.

Users are advised to upgrade their CMS to version 4.2.8 or later. The latest version (5.0.1 at the moment of writing) and upgrade packages can be downloaded here.

**Secure your CMS**

There are a few obvious and easy-to-remember rules to keep in mind if you want to use a CMS without compromising your security. They are as follows:

*   Choose a CMS that actively looks for and fixes security vulnerabilities.
*   If it has a mailing list for informing users about patches, join it.
*   Enable automatic updates if the CMS supports them.
*   Use the fewest number of plugins you can, and do your due diligence on the ones you use.
*   Keep track of the changes made to your site and its source code.
*   Secure accounts with two-factor authentication (2FA).
*   Give users the minimum access rights they need to do their job.
*   Limit file uploads to exclude code and executable files, and monitor them closely.
*   Use a Web Application Firewall (WAF).

If your CMS is hosted on your own servers, be aware of the dangers that this setup brings and keep it separated from other parts of your network.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

 Joomla! vulnerability is being actively exploited 

Several international security agencies are echoing a warning by Ivanti about actively exploited vulnerabilities in its VPN solution.

Software vendor Ivanti has warned customers about two actively exploited vulnerabilities in all supported versions of Ivanti Connect Secure and Ivanti Policy Secure Gateways. Successful exploitation would give an attacker the ability to run arbitrary code on Ivanti’s Virtual Private Network (VPN) system.

The warning is echoed by several international security agencies like CISA and the German BSI. Both are flagging active exploitation of these two chained vulnerabilities. Ivanti Connect Secure is a widely used VPN solution that allows users to connect to their organization’s network.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs mentioned in these reports are:

CVE-2023-46805 (CVSS score 8.2 out of 10): an authentication bypass vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure, which allows a remote attacker to access restricted resources by bypassing control checks.

CVE-2024-21887 (CVSS score 9.1 out of 10): A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.

Ivanti Neurons for Secure Access is not vulnerable to these CVEs. However, the gateways being managed are independently vulnerable to them.

After attackers have used the authentication bypass to authenticate as an administrator they are able to install webshells on the VPN system to gain persistence, allowing them to execute commands on the compromised devices.

Active exploitation has been seen as far back as December 3, 2023. These attackers erased log files and turned logging off on the compromised system. Besides that, they had stolen configuration files, altered existing files, dropped remote files, and established a reverse tunnel allowing them unrestricted access.

One of the dropped files contained a JavaScript that stole the credentials of users that logged in, which could also be used for lateral movement.

**Mitigation**

Patches will be released on a schedule based on versions, with the first coming out in the week of January 22. The last version will come out the week of February 19.

> “We are releasing patches based upon telemetry information available to us from current installed solutions that notify us of the version number they are running. We are releasing patches for the highest number of installs first and then continuing in declining order.”

Until then, customers are under advice to apply a workaround and monitor their network traffic for suspicious activity and analyze the logs on their Connect Secure device.

The workaround requires importing a mitigation.release.20240107.1.xml file which can be obtained via the download portal (login required). The XML file is in the zipped format, so you’ll need to unzip and then import the XML file.

*   Navigate to **Maintenance** > **Import/Export** > **Import XML**
*   Use the **Browse** button to point to the unzipped XML file
*   Click the **Import** Button

Import of this XML into any one node of a Cluster is enough. A FAQ and more detailed instructions can be found in the Ivanti advisory article.

It is important to note that applying the workaround or a patch, when they are made available, is not enough to undo the effects of an attack. If you see signs that your instances have been compromised you should investigate or hire a specialized investigator to find out what the attackers may have obtained and what needs to be done to regain the required safety level.

CISA has added CVE-2023-46805 and CVE-2024-21887 to its Known Exploited Vulnerabilities Catalog, which requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by January 21, 2024 to protect FCEB networks against active threats.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

 Act now! Ivanti vulnerabilities are being actively exploited 

This month in ransomware: ALPHV and LockBit joining forces?

_This article is based on research by Marcelo Rivero, Malwarebytes’ ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, “known attacks” are those where the victim **did not** pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher._

In December, the ransomware scene saw 334 attacks, with the ALPHV shutdown saga continuing to grab the spotlight. In last month’s review, when we wrote about ALPHV’s infrastructure going offline, there was widespread speculation about law enforcement involvement, but no concrete evidence to confirm this. Now, the picture is becoming clearer. 

The previous theories about hardware failures within ALPHV are now overshadowed by the confirmed law enforcement action: recent updates revealed that the FBI played a pivotal role in disrupting ALPHV’s operations. This intervention led to the seizure of their URLs and enabled the recovery of decryption keys for many victims. 

The FBI’s recent operation against ALPHV has been a game-changer, not only disrupting the group’s activities but also denting their reputation in the cybercriminal community. The ripple effects? ALPHV affiliates are showing signs of mistrust, with some resorting to direct victim contact via email, and others shifting alliances to rival groups like LockBit. 

Adding to the intrigue, there’s talk of an emerging “cartel” between LockBit and ALPHV, according to messages on the dark web forums. This potential alliance could mark a new era in ransomware operations, where rivals look to pool resources and expertise in response to increasing law enforcement pressure. 

Known ransomware attacks by gang, December 2023

Known ransomware attacks by country, December 2023

Known ransomware attacks by industry, December 2023

In other news, LockBit’s attack on Capital Health last month was starkly reminiscent of events from a year prior. In December 2022, LockBit audaciously targeted SickKids (a hospital for sick children), impacting the hospital’s internal and corporate systems, phone lines, and website. Back then, LockBit’s unexpected apology for the hospital attack—blamed on a rogue affiliate, and self-forgiven with a free decryptor—was a rare moment of contrition in the otherwise ruthless world of cybercrime. 

Fast forward to December 2023, and the echoes of LockBit’s past actions were resonate.  

Despite their previous promises and operational policies against targeting healthcare institutions, LockBit has claimed the recent attack on Capital Health. And even though the gang claims they did not encrypt the hospital’s files, that didn’t leave the hospital unharmed.  

As we wrote recently:  

“\[The\] hospitals and physicians’ offices experienced IT outages that forced them to resort to emergency protocols designed for system outages. Several surgeries were moved to later dates and outpatient radiology appointments were canceled.” 

Or what ransomware gangs probably call a classic case of “no encryption, no problem” for creating havoc. 

This juxtaposition of LockBit’s 2022 apology with their ongoing aggressive actions in 2023 highlighted the duplicity inherent in the ransomware landscape. LockBit’s activities served as a sobering reminder that despite occasional gestures that seem to indicate restraint or remorse, the fundamental nature of ransomware operations remains unchanged—driven by disruption, data theft, and financial gain at the expense of vulnerable targets, including critical healthcare services. 

More broadly speaking, December saw a continuation of an unnerving trend of healthcare sector attacks we touched upon in last month’s review, with disruptive attacks on Massachusetts-based Anna Jaques Hospital and Liberty Hospital in Missouri. In a sector where timing and information can be a matter of life and death, such disruptions are more than mere inconveniences; they are potentially life-threatening. 

**New ransomware gangs****DragonForce**

DragonForce is a new ransomware gang that published 21 victims to their leak site last month, including a significant attack on the Ohio Lottery on Christmas Eve. In that attack, the group claims to have encrypted devices and stolen sensitive data amounting to over 600GB. including personal information of Ohio Lottery customers and employees.

While details about DragonForce are limited, their Ohio Lottery attack and their sophisticated negotiation methods suggest that DragonForce might be a rebranded version of a previous gang.

DragonForce leak site

**WereWolves**

WereWolves is a new ransomware group that posted 15 victims last month across various countries, including Russia, the USA, and parts of Europe. WereWolves is unusual for targeting Russian entities and employs a variant of LockBit3 ransomware in its attacks. They are known to target a range of sectors, with a particular focus on large-scale businesses. 

WereWolves leak site

**Preventing Ransomware**

Fighting off ransomware gangs requires a layered security strategy. Technology that preemptively keeps gangs out of your systems is great—but it’s not enough.

Ransomware attackers target the easiest entry points: an example chain might be that they first try phishing emails, then open RDP ports, and if those are secured, they’ll exploit unpatched vulnerabilities. Multi-layered security is about making infiltration progressively harder and detecting those who do get through.

Technologies like Endpoint Protection (EP) and Vulnerability and Patch Management (VPM) are vital first defenses, reducing breach likelihood.

The key point, though, is to assume that motivated gangs will eventually breach defenses. Endpoint Detection and Response (EDR) is crucial for finding and removing threats before damage occurs. And if a breach does happen—choose an EDR solution with ransomware rollback to undo changes and restore files.

****How ThreatDown Addresses Ransomware** **

ThreatDown Bundles take a comprehensive approach to ransomware. Our integrated solutions combine EP, VPM, and EDR technologies, tailored to your organization’s specific needs, including:  

*   Advanced Web Protection: Blocking phishing websites ransomware gangs use for initial access. 
*   RDP Shield: Securing remote access points with Brute Force Protection. 
*   Continuous Vulnerability Scanning and Patch Management: Identifying and patching weaknesses before ransomware gangs can exploit them. 
*   Sophisticated EDR: Detecting and neutralizing advanced threats such as LockBit within the network. 
*   Ransomware Rollback: Reversing the impact of any successful attacks. 

ThreatDown EDR detecting LockBit ransomware 

ThreatDown automatically quarantining LockBit ransomware 

For resource-constrained organizations, select ThreatDown bundles offer Managed Detection and Response (MDR) services, providing expert monitoring and swift threat response to ransomware attacks—without the need for large in-house cybersecurity teams. 

Try ThreatDown bundles today

 Ransomware review: January 2024 

Several info-stealers have incorporated an exploit that allows them to gain permanent access to your Google account

Hackers have found a way to gain unauthorized access to Google accounts, bypassing any multi-factor authentication (MFA) the user may have set up. To do this they steal authentication cookies and then extend their lifespan. It doesn’t even help if the owner of the account changes their password.

Since the discovery of the exploit, numerous white and black hat security researchers have looked into and discussed the issue. As a result, the exploit is now built into various information stealers.

Cookies are used to track users across websites and remember information about their visit. Authentication cookies are in essence pieces of data that the browser sends to a site to identify the user and check whether they are logged in. Usually these cookies have an expiration date after which the user will be asked to log in.

Persistent cookies enable a continuous access to Google services, even after the user resets their password. This exploit allows the generation of persistent Google cookies by using a Google Application Programming Interface (API) designed for synchronizing accounts across different Google services to bring back to life expired authentication cookies.

A Google account provides access to Google services like Gmail, Google Calendar, and Google Maps, but also Google Ads and YouTube.

In a statement Google responded:

> “We routinely upgrade our defenses against such techniques and to secure users who fall victim to malware. In this instance, Google has taken action to secure any compromised accounts detected.”

However, some info stealers have reportedly already been updated to counter Google’s fraud detection measures.

Sources familiar with this issue have told BleepingComputer that Google believes the API is working as intended and and that no vulnerability is being exploited by the malware, which implies that Google isn’t working on a more permanent fix for this problem.

**Review devices**

To check whether someone has accessed your account, you can view which computers, phones, or other devices that were signed in to your Google Account recently.

1.  Go to your Google Account.
2.  On the left navigation panel, select **Security** .
3.  On the _Your devices_ panel, select **Manage all devices**.
4.  You’ll see devices where you’re currently signed in to your Google Account or have been in the last few weeks. For more details, select a device or a session.
5.  Devices or sessions where you’re signed out will have a “Signed out” indication.
6.  If multiple sessions appear for the same device type, they might all be on one device or multiple devices. Review their details, and if you’re not sure all the sessions are from your devices, sign out on them.

**Remediate**

If you think your account has been compromised, you will have to sign out of all browsers to invalidate the current session tokens and then reset your password. Next you will need to sign back in to generate new tokens. Only this stops the unauthorized access because it invalidates the old tokens.

The steps outlined below are for administrators who manage Google Accounts for a company, school, or other group. As an administrator, you can sign a user out of a managed Google Account, such as Google Workspace or Cloud Identity.

To reset a user’s sign-in cookies:

1.  Sign in to your Google Admin console. Sign in using an _administrator account_, not your current account.
2.  In the Admin console, go to **Menu** > **Directory > Users**.
3.  In the **Users** list, find the user. If you need help, go to Find a user account.
4.  Click the user’s name to open the user’s account page.
5.  Click **Security > Sign-in cookies > Reset**.

What might help stop this abuse is if Google speeds up the announced end of tracking cookies. Obviously, we think it’s best to keep these information stealers off your computer.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Info-stealers can steal cookies for permanent access to your Google account 

Mac users should be aware of an active distribution campaign via malicious ads delivering Atomic Stealer. The latest iteration of the malware is stealthy thanks to added encryption and obfuscation of its code.

Last year, we documented malware distribution campaigns both via malvertising and compromised sites delivering Atomic Stealer (AMOS) onto Mac users. This stealer has proven to be quite popular in the criminal underground and its developers have been adding new features to justify its hefty $3000/month rental fee.

It looks like Atomic Stealer was updated around mid to late December 2023, where its developers introduced payload encryption in an effort to bypass detection rules. Some samples from crack websites made their way to VirusTotal around that time frame, followed by a malvertising campaign we observed in January 2024.

In this blog post, we will review the latest changes with Atomic Stealer and the recent distribution with malicious ads via the Google search engine.

In December, Atomic Stealer ran a promotion via a post on their Telegram channel to offer a special holiday discount to their customers:

> Welcome. From today until December 31, 2023, the price for a subscription to Atomic MacOs Stealer is only $2000 . Happy New Year!

While the developers did not specifically advertise this feature, it appears that around December 17 Atomic Stealer had changed some of its code to hide certain strings that were previously used for detection and identifying its command and control server.

Sample with strings in clear text (Dec 12), showing for example the IP address for the malware’s C2 server:

Obfuscated sample (Dec 17), using a new encryption routine that hides strings of interest:

Those two samples above also represent the different distribution channels that Atomic Stealer customers are using to distribute the malware. It’s possible customers using software cracks got access to the update Atomic Stealer before those that leverage malicious ads.

In fact, during the holiday break, we noticed a decrease in malvertising activity, in particular for the campaigns running via Google search ads. This was somewhat expected and typically extends into early January. However, on January 8, we identified a malvertising campaign using similar tactics seen previously by threat actors distributing FakeBat. In this instance, there was also a payload destined for Mac users, Atomic Stealer in its updated version.

**Malvertising with FakeBat – Atomic Stealer combo**

The threat actors are luring victims via a Google search ad impersonating Slack, the popular communication tool, and redirecting them to a decoy website where the app can be downloaded for both Windows and Mac:

The threat actors are leveraging tracking templates to filter traffic and route it through a few redirects before loading the landing page:

On that same domain, there is an open directory showing the location of the Windows payload which is an MSI installer (FakeBat), and the Mac one, Atomic Stealer (AMOS):

**Obfuscated Atomic Stealer**

The malicious DMG file contains instructions for users to open the file as well as a dialog window asking them to enter their system password. This will allow Atomic Stealer to collect passwords and other sensitive files that are typically access-restricted.

When comparing the previous Atomic Stealer samples we have, we can see that the application code has changed. Previously, we could see certain strings revealing the nature of the payload (browsers, wallets, etc.) and more importantly the command and control server that receives stolen user data. Now, these strings are no longer visible as the code is well obfuscated:

When we analyzed this sample in a sandbox we saw the data exfiltration taking place and the corresponding C2 server:

**Stealing victim passwords, crypto wallets and cookies**

As detailed in Objective-See’s The Mac Malware of 2023, stealers were the most popular type of malware. It’s not just passwords that are of interest to cyber criminals. Stealing browser cookies can sometimes be even better than having the victim’s password, enabling authentication into accounts via session tokens.

In fact, Atomic Stealer developers were working on a cookie feature they announced on Christmas Eve:

> Hi everyone, the panel has released an update with a new feature – Google Restore, it is located instead of the old page Cookies Convertor. In brief – implemented anti-unlogin Google.

As stealers continue to be a top threat for Mac users, it is important to download software from trusted locations. Malicious ads and decoy sites can be very misleading though and it only takes a single mistake (entering your password) for the malware to collect and exfiltrate your data.

We have reported the malicious ad and infrastructure to the respective parties for mitigation.

To stay safe from this and other similar threats, a combination of web protection and antivirus is best suited. Malwarebytes Browser Guard and Antivirus for macOS can prevent and detect Atomic Stealer.

**Indicators of Compromise**

Malvertising chain

ivchlo\[.\]gotrackier\[.\]com  
red\[.\]seecho\[.\]net

Decoy site

slack\[.\]trialap\[.\]com

FakeBat payload URL

slack\[.\]trialap\[.\]com/app/Slack-x86.msix

FakeBat hash

49f12d913ad19d4608c1596cf24e7b6fff14975418f09e2c1ad37f231943fda3

FakeBat C2

ads-strong\[.\]online

Atomic Stealer payload URL

slack\[.\]trialap\[.\]com/app/Slack-Apps.dmg

Atomic Stealer hash

18bc97e3f68864845c719754d2d667bb03f754f6e87428e33f9c763a8e6a704a

C2

5.42.65\[.\]108