Chipmaker Production Halts After WannaCry Attack

A recent WannaCry attack at a Taiwanese chip manufacturerhas brought production to a standstill and threatens delays for new Apple products yet to be released. The manufacturer has announced that after two days their systems are clear and production is able to continue, blaming their own negligence for the attack rather than a targeted breach. Fortunately, no business or personal information was compromised and the infection was handled promptly.

Routers Cause Spread of Global Cryptomining Attack

Researchers have been following the increasing spread of a cryptomining attackover the past week that has affected nearly 200,000 MikroTik routers across the globe. The attack appears to stem from a single attacker, who likely targeted the MikroTik devices due to their high-volume of usage within large corporations and even ISPs, giving them the largest possible net for potential cryptomining. Even though MikroTik implemented a patch for this type of vulnerability back in April, there are still thousands of unpatched devices just waiting to become part of a swift growing network of infected mining machines.

Hackers Hit Hong Kong Healthcare

Several computers within the Hong Kong Health Department were recently victimized by a ransomware campaignthat, surprisingly, doesn’t demand a ransom payment. Though the attack has been traced back to mid-July, the identity of the attacker and their motivations are still unknown. Luckily, systems containing personal data were unaffected by the attack, and proper backups of the targeted systems mean that no operations were halted by the encryption.

Patient Records System Infested with Bugs

The widely-used OpenEMR platform, a patient management system, was found to contain numerous bugsthat could have allowed the records for over 100 million patients worldwide to be exposed. Several of the bugs would have allowed anyone with minimal credentials to obtain sensitive data, ranging from the scheduling and billing of medical procedures to administrative access for health organizations. Patches were quickly implemented by OpenEMR after they were informed of the bugs by a third-party security team.

TCM Bank Applications Leaked

Up to 10,000 customers are possibly affected after a year-long breachby a third-party firm allowed their sensitive information to be compromised. The breach affects those customers who applied for a TCM credit card from March 2017 to July 2018, with TCM confirming that at least 25 percent of the total applications in that period were leaked as part of this issue. Within 24 hours of being notified, both TCM and the third-party vendor were working to resolve the leak and to find ways to prevent future security issues.

This week, I’ll be at Black Hat USA 2018 in Las Vegas. If you’ve ever been to Black Hat, then you know all about the flood of information and how hard it can be to take it all in. This year’s presentations will range from the newest trends in browser exploits, bots, and social engineering attacks, to the security status quo and how legal policies shape information security. And it’s anyone’s guess what the hottest topics around the water cooler will look like. To prepare, I reached out to Eric Klonowski, Principal Reverse Engineer at Webroot, to shed some light on his role at Webroot and what he and his peers bring to a major industry event like Black Hat.

Below is our interview, edited for length.

Tyler: Eric, tell us why a role like yours is valuable to security companies.

Eric: If you want to be successful in any industry, you have to have someone who understands the problems, down to the details, that your product is supposed to solve. That’s what I do. I work to understand threats, threat actors, and the malware that’s proliferating to help seal off the vulnerabilities they exploit and prevent attacks. 

How has your role at Webroot evolved over time?

When I first came on board in 2015, my role was about 70 percent research, 30 percent development. Now, it’s more like 10 percent research and 90 percent development. We have to stay on top of the latest and greatest invasive techniques. That means we’re doing a lot of development. We have a staff reverse engineer who takes malware apart to write software that will block it better.

It’s not a regular 9-5. I’m a security nut and this work fascinates me, so it’s always on my mind.

It probably helps in your line of work to be able to think like a hacker, except you’re one of the good guys. What’s it like to live in that duality each day?

First off, “hacker” is our word. You don’t use that word.

Whoa.

I’m kidding. But let’s take a second to talk about “hacking.” Back when I was getting proficient at software development, I hung out in hacker forums that were full of people who would use basically copy and paste someone else’s malware to break into systems. I have no respect for that. It doesn’t take any skill or smarts.

The ethical piece aside, I do have respect for people who develop exploits and sophisticated malware. What they do is very similar to what I do. We’re both trying to solve the same problems creatively, efficiently, and effectively. We’re just coming at it from different sides, and with a different goal in mind. So yes, you could call me a hacker, but I’d say I’m a “white hat.”

It’s always fun to poke around and see what you can do, but you do have to know when to draw the line. Sometimes, researching malware is like being a vigilante; you report what you see and make the compromised locations known.

How quickly does your team have to act when they discover a new threat?

Our pace can vary widely, but when we discover a new threat, we try to crush it quickly. We have to move fast to hand our research and development work to the product team so they can integrate a mitigation strategy into our product. For instance, with the WannaCry ransomware attack last year, my phone was buzzing like crazy before I even got out of bed. Some days are like that.

When other researchers release a report of a new malware variant or zero-day, we crack it open and try to get a better understanding of how it might spread. As an example, if we’re examining ransomware, we want to observe the encryption mechanisms it contains. In a way, we look to see if the author made any mistakes.

What types of tools do you use in reverse engineering?

By name, I typically utilize IDA, which is the industry standard. I also rely pretty heavily on WinDBG. When it comes down to it, those tools make your job easier. But someone in my position can use a pretty wide variety of tools to disassemble software and extrapolate what they are looking for.

You once told me reverse engineering was the “ultimate puzzle.” How did you discover this type of work?

I’ve always liked taking things apart and making them work better, and I started writing code when I was nine or 10. Later, I was hired as an intern for a defense contractor and had to do a lot of security-related research and software development. That’s really where it started, and I chose to stay on full-time for a few years. Until then, I was self-taught and didn’t really understand software on a large scale, but I learned so much about development from the people I was working with. I also worked on a lot of personal projects that propelled me forward on this path.

Where there any “aha moments” for you that made you decide this was the right career?

When I started at Webroot and became familiar with how the product functioned, I was pretty excited to see that we really do a great job here. We offer such a great product; the challenge to continue to make it better each day pretty motivating. And I’m very fortunate to have found a way to get paid to do something that’s always been a hobby I love.

Eric, thanks for the interview! I know we’re grateful you’re on our team at Webroot.

Ticketmaster Snafu Only Tip of the Iceberg

After last month’s Ticketmaster breach, a follow-up investigation found it to be part of a larger payment card compromising campaign affecting more than 800 online retail sites worldwide. The cause of the breach appears to stem from the third-party breaches of several Ticketmaster suppliers, which allowed hackers to integrate their own code within the software to compromise a far larger audience than originally realized.

Adobe Issues Patches for Over 100 Vulnerabilities

This month’s Patch Tuesday for Adobe introduced more than 100 unique fixes for vulnerabilities related to both Acrobat and Reader. Among the patches are fixes for unauthorized read issues that were allowing for the disclosure of sensitive information. Additionally, a patch was released for Flash Player that resolved a flaw allowing for unauthorized remote code execution, which could have had resulted in serious harm to any affected system.

Fitness Tracker App Reveals Locations of Military Personnel

Fitness app Polar Flow has recently come under scrutiny after the identity and locations of thousands of military personnel were easily revealed using the fitness map functionality. By displaying the activity map, users were could be traced to highly secretive locations, such as the White House and several other military bases around the world. The issue was caused by users swapping between public and private sessions closely tied to their individual user ID numbers when tracking fitness activities within the app.

Rahkni Ransomware Now Comes with a Choice

A longtime ransomware variant known as “Rahkni” was recently spotted in the wild with new functionality. The latest update has allowed Rahkni to decide between completely encrypting a system and deploying a crypto-miner. While mainly targeting Russian users, the ransomware is spread through malicious email attachments posing as a legitimate version of Adobe. In addition to its main operations, Rahkni also completes a thorough system scan and checks for virtualization and antivirus software before shutting down any OS-based defenses.

Chinese Hackers Compromise Australian University

After months of fending off cyberattacks, the Australian National University finally fell victim to a major data breach that has since been traced back to China. While the university believes that no student or staff information was stolen, the university serves as the main location for several national defense research organizations. This attack comes shortly after Australia implemented multiple new laws designed to reduce foreign intrusion.

Canadian college breach targets thousands

Last Friday, Algonquin College officials announced that an earlier data breachpotentially affected thousands of current and former students, as well as employees. While it is still unclear exactly what systems were affected, the officials have been working to contact all potential victims and inform them of the situation. What’s more interesting is Algonquin’s CISO’s comment in the article. You’d think that after the university’s first attack in 2014, they would have been better prepared this time around. At the very least, they could address the measures you’ve taken and plan on taking moving forward to prevent breaches.

Tinder implements major security upgrades

Tinder recently introduced fixes for two security vulnerabilitiesrelating to pictures insecurely stored on their servers and the ability to encrypt swipe responses. Those are pretty big vulnerabilities, considering Tinder has more than 50 million active users. The first fix involved Tinder securing their storage servers to keep hackers from accessing them through an unsecured WiFi network. The second fix revolved around making all swipe data the same size, as that was the differentiating factor between “likes” and “dislikes.”

Exactis data leak exposes info on 340 million users

A Florida-based marketing firm is currently under fire after the data for over 340 million customers was found on a publicly accessible server. It has not yet been determined for how long the information was publically accessible. The article title reads “Worse than Equifax.” I’d say. That’s all of America. Fortunately, Exactis was quick to lock down the server once they were alerted to the exposure. It has been confirmed that the data includes everything from names and addresses to types of pets and specific religious affiliations.

Adidas website falls victim to hackers

Adidas’ US website was breached this week, with sensitive data for millions of customers being stolen by unknown hackers. The company has since confirmed that no payment card information was included in the leak, only site usernames and passwords, which Adidas did properly store with strong levels of encryption. The company is still suggesting anyone who has ever made purchases from their website to change their password, regardless of whether it has been used for other sites or not. Take this as an opportunity to update all of your passwords—especially passwords on sites that you use as the same for your Adidas account.

Ticketmaster waits months to reveal data breach

Ticketmaster United Kingdom has finally released a breach statementmonths after Monzo bank, a UK-based mobile bank, informed the tickets sales giant of dozens of fraudulent charges. Even after being informed, the company wasn’t able to properly identify any data breach for over 2 months. I guess the bright side is that Ticketmaster has begun offering identity monitoring services to affected customers.

Weaponized USB Drives Targeting Japan and South Korea

In an effort to target air-gapped internal systems, a new wave of weaponized USB drives has been found throughout Japanese and South Korean organizations. While these attacks are relatively uncommon, that only heightens the threat as most companies are ill-prepared for such an attack and have created their air-gapped network systems in hopes of deterring them. As the systems utilizing this security method are typically extremely sensitive, this type of attack becomes increasingly focused on organizations or industry processes.

Hotel Booking Software Compromised

This week, officials for FastBooking, a Paris-based software companythat sells booking software to hundreds of hotels around the world, announced they had fallen victim to a data breach. The actual breach occurred over a week ago, and it took FastBooking employees nearly a week to discover the malicious software running on their servers. Unfortunately for customers, the data stolen seems to vary from hotel to hotel, as they all store data differently. The breach could affect millions of clients worldwide.

PythonBot Delivers Ads and Cryptominers to Windows Users

Researchers have recently discovered a new adware variant,written exclusively in Python, that not only spams your device with various ads, but also installs a cryptominer on the system for added financial gain. Ads are displayed by PBot using a malicious browser extension that attempts to redirect users to revenue-generating ad sites. In addition to its malicious activities, PBot also contains functionality to constantly receive updates to stay a step ahead of security software trying to remove it.

Flight-tracking Service Suffers Data Breach

Over the last few days, FlightRadar24, one of the largest flight tracking servicesin the world, suffered a data breach that could affect all of its 230,000 users. The breach only contained email addresses and hashed passwords, with the company swiftly pushing out password reset links to all affected customers along with disabling all current passwords. Fortunately, this breach contained no other personally identifying information or payment card data.

Nintendo Switch Hacked After DevMenu Leak

Recently, users of the Nintendo Switch have discovered illicit photos being used as profile pictures within games targeted at younger players. After an internal developer menu for the Switch was leaked, users could upload any small JPG file to an SD card and use the menu to change the avatar picture to anything they choose, including pornographic images. Unfortunately, Nintendo doesn’t currently moderate user profile pictures, but will likely have to make some changes if this behavior continues.

The Cyber News Rundown brings you the latest happenings in cybersecurity news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst and a guy with a passion for all things security. Any questions? Just ask.

92 Million Genealogy Site Accounts Compromised

Earlier this week, genealogy and DNA testing site MyHeritage revealed it had suffered a breach that affects all 92 million of its users, making it the largest reported breach of 2018. The breach itself appears to have occurred in October of last year and affected the systems that store user emails and hashed variants of their passwords. Fortunately, neither DNA results nor payment systems were affected, as they are both stored separately from online account info. Following the breach, MyHeritage has begun implementing two-factor authentication and has strongly suggested that all users update their current passwords.

Apple’s Latest Beta Release Features Enhanced Security Measures

At this year’s Worldwide Developers Conference, Apple unveiled iOS 12 which includes several quality of life improvements for current apps along with new additions. Among the new features, Apple has hinted at one that forces users who are transferring data using a USB device to unlock their Apple device once per hour, to keep the transfer active. This feature is likely part of their continued response to the FBI and several security companies developing methods to bypass local device security to gain unauthorized access to the device.

Australian HR Firm Falls Victim to Data Breach

In the past two weeks, officials at Australian HR firm PageUp have been working to determine the scale of a data breach that occurred in the last week of May. The systems affected contained sensitive user information, minus payment data or written contracts, which are stored elsewhere. The company has since informed all affected customers of the issue and has taken several steps to ensure the malware that caused the breach has been removed.

Facebook Allowed Untrustworthy Chinese Firm to Access User Data

Following Facebook’s ongoing stream of litigation, they are once again under fire for allowing China-based Huawei to gather not only user data but also data from that user’s friend list, often without consent. Huawei and dozens of other developers were given access to Facebook’s API to assist in improving the user experience on various operating systems, though it is impossible to account for any misuse of the data from that point on.

Financial Sector Sees Major Increase in Keyloggers

Researchers analyzed the 100 malware infections that most recently affected the financial sector and found high volumes of keyloggers, as well as Emotet and Ursnif Trojans, which are commonly dropped from malicious Microsoft® Office documents. While it’s not unusual for keylogging software be used to steal sensitive financial info, the sheer quantity of variants indicates that, as these institutions have worked to increase their security, attackers have also been working to improve their own methods.