According to a recent poll by the US Chamber of Commerce, 60% of small businesses are concerned about cybersecurity threats, and 58% are concerned about a supply chain breakdown.

Not surprisingly, small businesses in the professional services sector feel significantly more concerned about cybersecurity threats than those in manufacturing or services, but the poll explains that they also feel more prepared to handle them.

“The small businesses most concerned about cybersecurity threats include businesses with 20-500 employees (74%) and businesses in the professional services industry (71%). On the other hand, small businesses that are least likely to say they are prepared for cyber threats include businesses in the manufacturing sector (61%), female-owned businesses (68%), and businesses in average health (64%).”

Services businesses are right to be concerned. The most serious cyberthreat faced by organizations is ransomware, and on any given month, in almost any country, the services sector is the one hardest hit by ransomware.

However, while the services sector suffers more attacks than manufacturing, the difference has been steadily narrowing, so that it is almost insignificant

Small businesses are not sitting on their hands though. 49% say they have trained staff on cybersecurity measures in the past year, 23% think they are “very prepared” to handle cyberthreats, and 50% feel “somewhat prepared.”

It’s no surprise that small businesses are concerned—they have limited resources, and yet they need to be ready to fight off the same sophisticated criminal gangs as the biggest enterprises.

And, as you can read in our 2024 State of Malware report, cybercriminals continue to evolve their tactics. They like to use social engineering, and vulnerabilities in internet-connected devices and services, rather than old-fashioned malware to infiltrate systems and networks. And once they’ve broken in to a company network, they are increasingly turning to legitimate tools instead of malware to carry out their attacks, a tactic known as living-off-the-land (LOTL)

This requires a different approach and security solutions capable of dealing with these threats.

We don’t just report on threats—we block and remove them.

ThreatDown can help small business to be secure. Choose the ThreatDown bundle that’s right for your organization.

Educational institutions may face a range of cyberthreats in 2024, but our 2024 State of Malware in Education report identifies the six most critical ones.

Ransomware, for example, stands out as a key threat for schools and universities. The report covers how last year, we witnessed a 92% increase in ransomware attacks in K-12 schools and a 70% increase in Higher Education. The trend appears set to continue, partly due to specialized ransomware groups like Rhysida (formerly Vice Society) targeting educational sectors.  

Another major threat our 2024 State of Malware in Education covers is the reduction of conventional malware in favor of Living off The Land (LOTL) attacks. LOTL attacks exploit legitimate system tools to remain undetected while conducting harmful activities.

Our report suggests that educational institutions must employ expert staff to manually identify LOTL activities, which traditional malware detection tools miss. For example, we recently wrote how one K-12 district used MDR to uncover malicious PowerShell activity and stop an ongoing infection.

Some other trends and threats educational institutions can expect in the report to cover include:

• Why targeting Macs has become an easy choice for criminals 
• How CL0P is rewriting the ransomware playbook and why Big Game ransomware remains the most serious threat.
• How cybercriminals use ‘malvertising’ to target educational institutions with malicious ads for popular for remote learning such as Zoom. 

As we progress into 2024, the reality is that educational institutions’ success in pairing state of the art security software with skilled security staff will be a deciding factor in their ability to take down the most serious cyberthreats. 

To understand the complete list of threats facing educational institutions in 2024 and how to tackle them, get the full 2024 State of Malware in Education report—tailored to either K-12 or Higher Ed—below.

---

Nobody can deny the influence of AI today. In just a few years, we have observed AI’s capacity to be as transformative as the internet and smartphones, especially for cybersecurity. Indeed, the potential of AI to radically simplify complex security environments is unmistakable, and aligns closely with our mission at ThreatDown to reduce threats, complexity, and costs for our customers.

With continuous advancements in AI and its ever-expanding potential to enhance user experiences, ThreatDown remains dedicated to integrating these technologies into our solutions going forward. Let’s dive into where we are with AI and where we’re headed.

What led us here

We’ve always been big on democratizing security for all, and we believe AI has the potential to do just that. With this in mind, in late March 2024 we added a powerful AI functionality to our industry-leading Security Advisor. Users can now use simple natural language requests to search for information about their environment, ask for recommendations on how to optimize their security posture, and more.

The deployment of generative AI into our Security Advisor propels us closer to our goal to make security management more accessible, especially for companies with constrained IT resources. Generative AI’s ability to sift through vast datasets to highlight essential issues and suggest actions significantly lowers the barrier to advanced security, eliminating the necessity for deep security know-how among users. But we’re not done yet.

Where we’re going

As we integrate generative AI, we envisage a host of potential advancements that could further revolutionize security management:

• Global AI search: Our team is considering the development of a universal AI search feature, integrated across all products, that can comprehend natural language queries and surface relevant data.
• Evolving summarization techniques: Imagine an AI that can not only summarize threats detected by EDR tools but also provides remediation steps with contextual help to follow along.
• Dynamic security recommendations: We’re exploring the possibility of AI that not only provides recommendations but also adapts them in real-time based on the evolving security context of each user.

Pioneering simplicity in security with AI

AI will likely become a bigger and bigger fixture in security as the years go on, and as it evolves, ThreatDown is deeply committed to simplifying security management through the power of AI.

Nebula users can use Security Advisor and its AI capabilities today. Learn more.

In early 2024, a large K-12 school district partnered with ThreatDown MDR to strengthen its cybersecurity posture. Shortly after onboarding, ThreatDown MDR analysts detected unusual patterns of activity subsequently identified as the work of SolarMarker, a sophisticated backdoor. It became evident that SolarMarker had been present in the district’s system since at least 2021, likely exfiltrating data over several years.

Let’s dive further into the investigation’s findings and the steps taken to mitigate the threat.

SolarMarker infection

Background

The incident began with the detection of an anomalous instance of PowerShell attempting to establish an outbound network connection to a suspicious IP address (188.241.83.61). This connection attempt was thwarted by Malwarebytes Web Protection (MWAC), signaling the first indication of a potential security breach.

Initial challenges

Upon investigation, it was discovered that Endpoint Detection and Response (EDR) settings were disabled in the client’s endpoint policy. This limitation prevented the use of Fast Response Scanning (FRS) to capture and analyze detailed endpoint data, necessitating a manual approach to the investigation utilizing Active Response Scanning (ARS).

Investigation and analysis

The first step involved querying active network connections with netstat, which revealed an instance of PowerShell in operation. To further understand the nature of this PowerShell instance, its command line was examined using Windows Management Instrumentation Command-line (WMIC) with the process ID (PID), which unveiled obfuscated code.

Decoding and understanding SolarMarker

The obfuscated PowerShell code was extracted and refactored for clarity. The analysis revealed the following components of the malware’s operation:

powershell

$decodeKey = '<Base64_encoded_string>'

$encodedFilePath = 'C:\Users\akeith\AppData\Roaming\micROSoft\wbpgVnSBjsytaokm\JqdVQplHfgwxyNmtaPX.gvzPlATqFe'

$decodedPayload = [System.IO.File]::ReadAllBytes($encodedFilePath)

for ($payloadIndex = 0; $payloadIndex -lt $decodedPayload.Count; $payloadIndex++) {

 $decodedPayload[$payloadIndex] = $decodedPayload[$payloadIndex] -bxor $decodeKey[$payloadIndex % $decodeKey.Length]

 if ($payloadIndex -ge $decodeKey.Length) {

 $payloadIndex = $decodeKey.Length

 }

}

[System.Reflection.Assembly]::Load($decodedPayload)

[ab821408b424418fa94bb4d815b4e.ad0682a943e4859ef35309cc0a537]::a1f5abfa214411baa77e25f6ceaa6()

This code reveals the malware’s methodology:

• It utilizes a Base64-encoded string as a decryption key.
• It targets a specific file path for encoded data.
• It reads, decodes, and executes the encrypted payload.

The command line shows signs of the malicious script execution, with parameters indicative of a desire to hide the window (-WindowStyle Hidden), bypass execution policies (-Ep ByPass), and run encoded commands (-ComMand “sa43…). 

Further investigation uncovered randomly named folders within the AppData\Roaming\Microsoft directory, each containing encoded payloads. These discoveries suggested a more widespread infection than initially anticipated.

Response and mitigation

The response involved several steps to contain and eliminate the threat:

• Terminating the malicious PowerShell instance.
• Deleting the identified folders containing encoded payloads.
• Conducting a thorough search for persistence mechanisms, which fortunately yielded no findings.

A comprehensive threat scan was executed, and the incident was escalated for visibility with the client. Post-reboot checks confirmed the absence of persistence, no spawn of new PowerShell instances, and blocking of suspicious network connections, indicating successful remediation of the infection.

Conclusion

As we’ve seen in our 2024 State of Ransomware in Education report, the educational sector continues to be a prime target for attackers. In this case, attackers used SolarMarker, a sophisticated backdoor, to lurk within the school district’s network for years, likely stealing data in the process. Its presence went undetected until the district onboarded with ThreatDown MDR. Despite facing initial obstacles, such as disabled EDR settings, the ThreatDown MDR team successfully identified and neutralized the SolarMarker infection through manual intervention.

Discover how ThreatDown MDR can safeguard your K-12 institution.

How does a company navigate over 80 years of technical debt? Which tools do a security team of 5 rely on everyday? What threats are considered most dangerous?

On March 28, 2024, Malwarebytes CEO, Marcin Kleczynski, and Payette Associates Director of Information Technology, Dan Gallivan, will answer these questions and more in our live Byte into Security webinar.

Event details

Date: March 28, 2024
Time: 10 AM PST / 1 PM EST
Registration: Open Now

In this webinar, you’ll discover…

• How Payette Industries ensures the security of remote teams while handling extensive data repositories.
• The impact of moving workloads to the cloud and simplifying systems on enhancing security measures.
• Why adopting Managed Detection and Response (MDR) services is crucial for providing round-the-clock monitoring and augmenting the capabilities of internal teams.

Why attend?

This Byte into Security webinar is a must for anyone eager to see how top-tier cybersecurity tactics are applied in real-world scenarios. Whether you’re involved in IT or simply keen on learning about state-of-the-art security practices, Marcin and Dan’s discussion will equip you with valuable insights.

Register now to secure your spot!

Our webinar on the 2024 State of Malware report is now available on-demand. Featuring cybersecurity experts Mark Stockley and Jérôme Segura, this webinar unpacks 2024’s most critical cyberthreats, including big game ransomware, malvertising, and emerging challenges to mobile and Mac security.

Key highlights:

• Expert insights: Stockley and Segura explain how the cybercrime landscape has shifted significantly in the past year, outlining the six most critical cyberthreats to watch out for in 2024.
• Practical defense strategies: Learn about how layered defense systems, including EDR, MDR, and web protection, can protect your data, devices and your business from emerging cyber threats.
• Why it’s essential: The webinar equips IT and security teams with a new threat prevention playbook that they can leverage today to prepare for 2024 cyberthreats of all types–not just malware.

Don’t let evolving threats catch your organization off guard—watch the webinar and arm yourself with the latest insight.

ThreatDown has once again earned a perfect score in AVLabs’ January 2024 real-world malware detection tests, marking the eleventh consecutive quarter in achieving this feat. 

Let’s delve into the details of the test and how ThreatDown outperformed competitors in exhaustive testing. 

The AVLab Assessment 

AVLabs evaluation process is extensive and comprehensive, putting cybersecurity products through a rigorous series of real-world scenarios. The tests involve: 

1. Malware Collection: AVLab amasses a broad spectrum of malware samples from various sources, such as public feeds and custom honeypots. This ensures the test includes the most current and diverse set of threats. 
2. System Log Analysis: The collected malware samples undergo thorough scrutiny to confirm their malicious characteristics and their ability to successfully infect a Windows 10 system. 
3. Real-life Cyber Attack Simulations: All products are tested under the same conditions. AVLab recreates cyberattack scenarios akin to what’s seen in the real world, using techniques that actual attackers employ. 

Products that block all malware samples and achieve a maximum score of 100% protection are awarded an “Excellent” award badge. 

The Results 

ThreatDown consistently excels in the tests, and January 2024 was no different. ThreatDown Endpoint Protection earned “Excellent” badges for detecting and blocking 100% of malware. 

The standout performance is due to our superior detection approach that combines rules-based techniques with behavioral and AI-based methods to stop threats at every stage of an attack. Our proactive approach, which involves identifying threats even before they execute, played a crucial role in obtaining a perfect AVLab score.  

The Competition 

Other vendors struggled to match ThreatDowns results. Five vendors—Cegis Cyber, F-Secure Total, Microsoft Defender, Panda Dome Advanced, and Webroot Antivirus—all missed samples in the January 2024 test. 

The foundation for superior Endpoint Detection and Response (EDR) 

ThreatDown Endpoint Protection (EP) is not merely a standalone product; it’s the bedrock of our ThreatDown Bundles, which combines the technologies and services that resource constrained IT teams need to take down threats, complexity, and cost. 

Leveraging the robust detection and prevention capabilities validated by AVLab’s tests, ThreatDown Bundles deliver a simple yet superior solution integrating award-winning endpoint protection technologies. Learn more about ThreatDown Bundles here.

For a deeper dive into our performance, view the full AVLab report here. 

ThreatDown is happy to announce that our Vulnerability Assessment and Patch Management (VPM) tool is now available for Mac endpoints. 

There are hundreds of third-party apps that Mac endpoint use on a daily basis—and with that large number of apps comes a dizzying amount of software updates to apply on a rolling basis. 

With VPM for Mac, Nebula and OneView users can now easily find missing updates and install them to take care of the large volume of software updates in third-party applications on Mac endpoints. Some key features include: 

• Single, lightweight agent: Updates install in minutes, using the same agent and cloud-based console that powers all ThreatDown endpoint security technologies. 
• Quick scans: Identifies software updates dates in modern and legacy applications in less than a minute. 
• Install software updates easily: Create a schedule to install third-party software updates regularly. 

Let’s dive into how to set up software updates for Mac endpoints with ThreatDown VPM.

Configuring VPM for Mac 

To configure VPM for Mac in Nebula/OneView: 

1. Go to Configure > Policies 

2. Create a new policy or select an existing policy. 

3. Click the Software management tab. 

4. Check mark Allow scanning for known vulnerabilities in installed software Mac endpoints.  

5. Click Save.  

In order to be able to apply software updates, users need to enable the policy setting Allow updating software inventory and applying Windows OS patches for endpoints for Mac.  

Viewing outdated software 

To view and update software: 

6. Go to Monitor > Software Inventory page. 

7. Filter Update available as Yes.

8. Click Actions.

9. Select Update Software.

10. Click Update.

You can also view outdated software by endpoint by: 

11. Click Manage > Endpoints  

12. Select specific endpoint(s) under the Software tab.  

13. Click Update Software.  

14. Click Update.

Updating outdated software 

To update outdated software, you can go directly to the Patch Management page as well: 

15. Manage > Patch Management 

16. Under Software Updates tab, select specific version(s) .

17. Click Actions. 

18. Select Update Software.

19. Click Update.

Try VPM for Mac today

3rd party software updates for Mac endpoints is available on both Nebula and OneView for our Patch Management users or users on an Advanced bundles and above.

Not a user but looking to learn more on how to protect your Mac endpoints? Reach out for a quote today.