Industry Intel

Massive Customer Database Left Exposed by Data Management Firm

A security researcher recently found a database containing customer information for nearly half a billion users of Veeam software on an unsecured AWS server. Most of the data was contact information spanning from 2013 to 2017 and was likely used by the Veeam marketing team’s automated customer contact functions. Fortunately, the database was taken offline within a week of the researcher contacting Veeam about the server.

Hacker Group Breaches British Airways

After last week’s reveal of the data breach affecting nearly 380,000 of the airline’s customers, it was discovered that the injection methods used were the work of known hacker group MageCart. By compromising third-party actors, the group can access hundreds of sites and begin passing any customer payment information back to their own systems. Even more toublesome, this particular attack appeared to be tailored for the British Airways systems specifically, but could very likely be readjusted for other applications.

Chinese Hackers Using Digitally Signed Drivers for Attacks

A long-active hacker group likely based in China has expanded their tactics to include a seemingly innocent network filtering driver (NDISProxy) to start their latest malware campaign. The driver itself has a signed digital certificate from a Chinese-based security software company, which was likely unaware their certificate was being misused. By injecting itself silently across the infected network, the fully functioning remote access Trojan can be used to execute malicious tasks with ease.

Scam Calls Causing Mobile Traffic Jam

The number of scam calls recoreded by the call management firm First Orion rose nearly 1000% over the past year, from 3.7% of total calls last year to 29% so far in 2018. The projections for the coming year project that number to rise to half of all mobile calls received in the U.S. Unfortunately, service providers have few options for slowing down the bombardment of phony calls facing their customers.

Latest MongoDB Attacks are Ransoming Empty Databases

While MongoDB attacks are nothing new, Mongo Lock has stepped up the game by identifying unprotected databases, exporting the data to their servers, wiping them clean, and leaving behind a ransom note instructing the victim to reach out via email rather than sending a Bitcoin payment directly to a crypto-wallet. Mongo Lock appears to operate via an automation script, though it has been known to fail, leaving the victim with both the ransom note and their original data.

Banking Trojans Still Appearing in Google Play Store

Multiple security researchers recently discovered a handful of banking trojans that have still managed to make their way into the Google Play app store, despite Google having increased its security to detect such apps. Many of the apps are disguised as astrology/horoscope software, but instead of reading the future, they steal SMS and call logs from the device, install unauthorized apps, and even seek out banking credentials based on other installed applications. Some of these apps had been installed by up to 1,000 individuals, many of whom are likely under the assumption that the app removed itself, after showing a fake error message claiming incompatibility with the device.

Obama-themed Ransomware Forges Dangerous Path

A new ransomware variant bearing the face of the former US president, Barack Obama, has been spotted in the wild performing some unusual encryption tactics. Rather than encrypting personal word documents and pictures, this variant focuses on encrypting executable files across the system, which could lead to the system crashing and other devastating results. It is still unclear if this methodology is the intent, or just an oversight by the ransomware’s authors, but this type of damage is unlikely to pay off if it renders the system nonfunctional.

Thousands of Online Stores Compromised

Due to security loopholes in eCommerce sites that use Magento as a host, nearly 8,000 sites have been confirmed to be hosting card-skimming malware, with up to 60 more being compromised every day. The breaches led to malicious scripts being added to the pages to record and upload any customer inputs in real time, rather than following a more complicated path to obtain the same data after the transaction is complete. Unfortunately, it is difficult to determine whether a site is safe without checking the entire codebase for any unauthorized entries.

Fake Tech Support Ads Now Indistinguishable from Real Counterparts

In the run-up to Google’s release of a verification program for third-party vendors to display ads, the company has been inundated with countless fake tech support advertisements that are nearly impossible to identify over a real vendor’s ads. The creators of these fake ads will go to almost any lengths to avoid detection, including creating entire companies to continue their illicit activities.

Unsecured Sites Leaving .git Repositories Easily Accessible

Nearly 400,000 websites have been found with exposed .git directories that could lead to major information exposure, if improperly accessed. These repositories contain everything from passwords and API keys for the site, to forgotten data stored on the sites. Fortunately for the website owners, the researcher who discovered the breach was not acting maliciously, and quickly began contacting them with information on how he found the leak and what they could do to resolve it.

If you saw a file called eicar.com on your computer, you might think it was malware. But, you would be wrong. Readers, if you haven’t yet met the EICAR test file, allow me to introduce you to it. If you have used the EICAR test file, let’s get a bit cozier with it.

If you ran this file through VirusTotal, 61 out of 62 antimalware scanners currently would detect the EICAR test file as if it were malicious. That’s because the EICAR file is actually a tool that was designed to help users verify their antimalware scanner is functioning properly. The EICAR test file is a harmless piece of code that most vendors have agreed to flag as if it was malicious. Essentially, it’s a false positive—by design—for your benefit. Some scanners detect it, some do not; neither outcome indicates that any scanner is better or worse than another.

If you have heard of EICAR, you may have seen it referred to as a “test virus,” but that’s inaccurate. Think of it more like the test button on a smoke detector in your home. The test button doesn’t simulate fire or smoke; it simply lets you know that the smoke detector is functional. The test button certainly doesn’t tell you anything about the quality of the smoke detector. Similarly, the EICAR test file does not simulate malware, it just causes a scanner to demonstrate how it would handle a threat it detected (assuming the vendor has chosen to recognize the file as malicious, that is.)

Using the EICAR Test File

Now that you know more about EICAR, let’s talk about why, how, and when you might want to use it.

1. Curiosity. The first time I used the test file, it was purely out of curiosity. What if I zipped the file up or changed its extension from .com to .xyz, and so on. Because the file itself is harmless, I could simulate any number of scenarios without risk to my computer or my data.
2. Smoke test. The intended purpose of the test file was always to verify that your scanner was properly installed and that the scan engine was functional. Any time you install a new antimalware product, you can give it a quick test with the EICAR file to make sure it is functioning as designed (if the vendor support the file, that is.)
3. Forensics. Malware writers often try to disable a scanner as soon as their malicious code gains a foothold on a given computer. If you periodically test your scanner and, one day, it fails to detect the test file, that could indicate of an infection. Keep in mind, it could also indicate that another layer of security blocked the file before it got to your scanner. The test itself is not conclusive and should only be considered as part of a bigger picture.
4. Behavioral information. Between 1997 and 2004, I worked at Microsoft, ensuring none of their software releases were infected. I used 11 different virus scanners on each of my test machines (don’t try this at home). The testing was not about the quality of the scanners, but rather how they’d react in different situations to help me make decisions and gain greater knowledge. For example, antivirus scanners have default configurations that I needed to test and potentially modify. Back then, not all scanners scanned all extension types by default. A directory with EICAR test files that each had different extensions would allow me to determine if my scanner’s default configuration for file types needed to be adjusted. Once I made modifications, I had to test those as well. There were a variety of tests I could run involving filenames with punctuation or foreign language characters, too. Basically, I could test virus handling without needing am actual virus.

Note: At the Virus Bulletin conference in 1999 I presented the paper, “Giving the EICAR Test File Some Teeth.” If you’re interested in the breadth of test scenarios I explored, you can read the paper on the Virus Bulletin website.

Where to Find EICAR

You’d think the easiest way to get your hands on this file would be to download it straight from www.eicar.org, except that your antimalware scanner might block the download. To get around that, you’d likely have to temporarily disable your web protection—WHICH I DO NOT RECOMMEND. Instead, I’ll show you how to create the file yourself.

Here are the step by step instructions.

1. Open Notepad.
2. Copy the following string and paste it into Notepad:
   X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
3. Save the file and cross your fingers that your scanner doesn’t detect it on close.

Note: You could create the file in Microsoft® Word, but you’d have to save it as plain text. The test file must begin with the test string, and Word includes additional information in .doc and .docx files.

The file eicar.com, will run on older operating systems, but not on a 64-bit OS. When you run it on a compatible OS, the file will display this text.

You can change the display message to anything you like. In the following example, I’ve replaced the word EICAR with my name.

However, if you change it as I did above, it will no longer be a valid test file and should not be detected by your antimalware program.

At the 1999 Virus Bulletin conference, I asked researchers for EICAR-like test files to test script and macro detection. Although we still don’t have that, the Anti-Malware Testing Standards Organization (AMTSO) provides a set of security feature checks at www.amtso.org/security-features-check. Just be sure to remember that the security feature checks, like the EICAR test file, don’t indicate the quality of the product, but they can be used to ensure that certain features are functioning.

Questions? Comments? Let’s talk on the Webroot community forum.

Texas Voters’ Data Leaked

A security researcher just discovered a publicly-available file containing sensitive voting information for nearly 99% of all registered voters in the state of Texas. The file was compiled by a data firm that was trying to gauge political opinion for the 2016 elections, as well as more localized campaigns. With all the attention the presidential campaigns brought to election security, mistakes like this one could lead to more serious outcomes if companies who handle such information don’t take the necessary precautions.

Chinese Hotel Breach Exposes 130 Million Guests’ Data

Huazhu Hotels Group has come under fire after several of their customer databases were uploaded to GitHub by their own development team. The databases were found for sale on the Dark Web and contained over 240 million unique records, with information ranging from names and addresses to card numbers and travel itineraries, a portion of which has been verified by a local security firm. The data appears to come from nearly all the hotel group’s brands, and is not localized to a specific region or name.

Instagram Unveils Support for Third-Party 2FA

Nearly a year after Instagram announced their addition of SMS-based 2FA, the company has stated that they now allow support for third-party 2FA applications. In doing so, they give users the option to either set up an SMS verification path or receive a code through another app when attempting to log in to their account. This announcement comes just weeks after a string of high-profile accounts were hacked, leaving users with no options to regain access to the hijacked pages.

Bank of Spain Hit by DDoS Attack

Over the weekend, the Central Bank of Spain fell victim to a DDoS attack that continued through Tuesday afternoon, leaving users with spotty access to the bank’s website. Fortunately, the bank itself remained fully operational through the attack, as they are a central bank rather than commercial. Additionally, all communications with other Central Banks around Europe were unaffected, with no signs of other malicious activity.

HTTPS Now Standard on over Half of Top Sites

With the push to enforce full encryption on the internet, over half of the top million sites are now using HTTPS, with millions of domains switching over every day. This is likely due to Google’s efforts in the last couple months to warn Chrome users who attempt to access an unsecured site, in hopes of encouraging users to take their own security more seriously.

Instagram Hack Baffles Users

Hundreds of Instagram users have found themselves locked out of their accounts over the past week, with all methods of retrieving them having been removed as well. The episode began with many users noticing their accounts had been logged out and contact information changed, including email addresses with a .ru domain. Even though some users have been able to follow Instagram’s prescribed process to regain control of their accounts, many others hit roadblocks, frustration, and days of failed attempts.

Adobe Suite Receives Multiple Patches

Following Patch Tuesday, Adobe users found themselves on the receiving end of 11 total patches for Flash Player, Acrobat, and several other key programs. Most of the patches were related to remote code execution caused by improperly escalated access privileges. The company said it remains confident none of the flaws addressed were exploited before they were patched.

Millions Vanish in Indian Bank Hack

One of India’s largest banks announced that its systems had been hacked this week, with at least $14 million remaining unaccounted for. The largest chunk of funds were stolen with a cyberattack on the bank’s ATM servers that allowed hackers to simultaneously withdraw funds from ATMS in 28 different countries before transferring another couple of million dollars to a company based in Hong Kong. While officials are working closely with law enforcement to determine the attacker’s identities, it is very unlikely that they investigation will turn up anything of worth, judging by investigations of similar hacks in the past.

Finnish DDoS Attack Shuts Down Government Sites

On Sunday a handful of Finnish government sites became unavailable after a DDoS attack prevented users from logging into Suomi.fi, which handles identity verification for ministry-related sites. While some ministry sites don’t require the Suomi site for verification, this attack has prompted an increase in security measures used for sites that providing critical functions. Fortunately, the attack subsided after several hours and all affected sites were returned to normal by Sunday evening.

Fortnite Cheats Lead to Nothing but Infections

With Fortnite more popular than ever amongst the younger generation, a new wave of malicious “cheats” have been making their way around the internet hoping to entice young gamers with hopes of gaining advantages. Many of the available cheat tools offer free in-game currency, movement improvements, and even third-party downloaders for the game itself, all of which result in a malicious payload being installed on the computer while the user remains oblivious.

Chipmaker Production Halts After WannaCry Attack

A recent WannaCry attack at a Taiwanese chip manufacturerhas brought production to a standstill and threatens delays for new Apple products yet to be released. The manufacturer has announced that after two days their systems are clear and production is able to continue, blaming their own negligence for the attack rather than a targeted breach. Fortunately, no business or personal information was compromised and the infection was handled promptly.

Routers Cause Spread of Global Cryptomining Attack

Researchers have been following the increasing spread of a cryptomining attackover the past week that has affected nearly 200,000 MikroTik routers across the globe. The attack appears to stem from a single attacker, who likely targeted the MikroTik devices due to their high-volume of usage within large corporations and even ISPs, giving them the largest possible net for potential cryptomining. Even though MikroTik implemented a patch for this type of vulnerability back in April, there are still thousands of unpatched devices just waiting to become part of a swift growing network of infected mining machines.

Hackers Hit Hong Kong Healthcare

Several computers within the Hong Kong Health Department were recently victimized by a ransomware campaignthat, surprisingly, doesn’t demand a ransom payment. Though the attack has been traced back to mid-July, the identity of the attacker and their motivations are still unknown. Luckily, systems containing personal data were unaffected by the attack, and proper backups of the targeted systems mean that no operations were halted by the encryption.

Patient Records System Infested with Bugs

The widely-used OpenEMR platform, a patient management system, was found to contain numerous bugsthat could have allowed the records for over 100 million patients worldwide to be exposed. Several of the bugs would have allowed anyone with minimal credentials to obtain sensitive data, ranging from the scheduling and billing of medical procedures to administrative access for health organizations. Patches were quickly implemented by OpenEMR after they were informed of the bugs by a third-party security team.

TCM Bank Applications Leaked

Up to 10,000 customers are possibly affected after a year-long breachby a third-party firm allowed their sensitive information to be compromised. The breach affects those customers who applied for a TCM credit card from March 2017 to July 2018, with TCM confirming that at least 25 percent of the total applications in that period were leaked as part of this issue. Within 24 hours of being notified, both TCM and the third-party vendor were working to resolve the leak and to find ways to prevent future security issues.

This week, I’ll be at Black Hat USA 2018 in Las Vegas. If you’ve ever been to Black Hat, then you know all about the flood of information and how hard it can be to take it all in. This year’s presentations will range from the newest trends in browser exploits, bots, and social engineering attacks, to the security status quo and how legal policies shape information security. And it’s anyone’s guess what the hottest topics around the water cooler will look like. To prepare, I reached out to Eric Klonowski, Principal Reverse Engineer at Webroot, to shed some light on his role at Webroot and what he and his peers bring to a major industry event like Black Hat.

Below is our interview, edited for length.

Tyler: Eric, tell us why a role like yours is valuable to security companies.

Eric: If you want to be successful in any industry, you have to have someone who understands the problems, down to the details, that your product is supposed to solve. That’s what I do. I work to understand threats, threat actors, and the malware that’s proliferating to help seal off the vulnerabilities they exploit and prevent attacks. 

How has your role at Webroot evolved over time?

When I first came on board in 2015, my role was about 70 percent research, 30 percent development. Now, it’s more like 10 percent research and 90 percent development. We have to stay on top of the latest and greatest invasive techniques. That means we’re doing a lot of development. We have a staff reverse engineer who takes malware apart to write software that will block it better.

It’s not a regular 9-5. I’m a security nut and this work fascinates me, so it’s always on my mind.

It probably helps in your line of work to be able to think like a hacker, except you’re one of the good guys. What’s it like to live in that duality each day?

First off, “hacker” is our word. You don’t use that word.

Whoa.

I’m kidding. But let’s take a second to talk about “hacking.” Back when I was getting proficient at software development, I hung out in hacker forums that were full of people who would use basically copy and paste someone else’s malware to break into systems. I have no respect for that. It doesn’t take any skill or smarts.

The ethical piece aside, I do have respect for people who develop exploits and sophisticated malware. What they do is very similar to what I do. We’re both trying to solve the same problems creatively, efficiently, and effectively. We’re just coming at it from different sides, and with a different goal in mind. So yes, you could call me a hacker, but I’d say I’m a “white hat.”

It’s always fun to poke around and see what you can do, but you do have to know when to draw the line. Sometimes, researching malware is like being a vigilante; you report what you see and make the compromised locations known.

How quickly does your team have to act when they discover a new threat?

Our pace can vary widely, but when we discover a new threat, we try to crush it quickly. We have to move fast to hand our research and development work to the product team so they can integrate a mitigation strategy into our product. For instance, with the WannaCry ransomware attack last year, my phone was buzzing like crazy before I even got out of bed. Some days are like that.

When other researchers release a report of a new malware variant or zero-day, we crack it open and try to get a better understanding of how it might spread. As an example, if we’re examining ransomware, we want to observe the encryption mechanisms it contains. In a way, we look to see if the author made any mistakes.

What types of tools do you use in reverse engineering?

By name, I typically utilize IDA, which is the industry standard. I also rely pretty heavily on WinDBG. When it comes down to it, those tools make your job easier. But someone in my position can use a pretty wide variety of tools to disassemble software and extrapolate what they are looking for.

You once told me reverse engineering was the “ultimate puzzle.” How did you discover this type of work?

I’ve always liked taking things apart and making them work better, and I started writing code when I was nine or 10. Later, I was hired as an intern for a defense contractor and had to do a lot of security-related research and software development. That’s really where it started, and I chose to stay on full-time for a few years. Until then, I was self-taught and didn’t really understand software on a large scale, but I learned so much about development from the people I was working with. I also worked on a lot of personal projects that propelled me forward on this path.

Where there any “aha moments” for you that made you decide this was the right career?

When I started at Webroot and became familiar with how the product functioned, I was pretty excited to see that we really do a great job here. We offer such a great product; the challenge to continue to make it better each day pretty motivating. And I’m very fortunate to have found a way to get paid to do something that’s always been a hobby I love.

Eric, thanks for the interview! I know we’re grateful you’re on our team at Webroot.