
Girl Scouts and OpenText empower future leaders of tomorrow with cyber resilience

The transition to a digital-first world enables us to connect, work and live in a realm where information is available at our fingertips. The children of today will be working in an environment of tomorrow that is shaped by hyperconnectivity. Operating in this...

World Backup Day reminds us all just how precious our data is

Think of all the important files sitting on your computer right now. If your computer crashed tomorrow, would you be able to retrieve your important files? Would your business suffer as a result? As more and more of our daily activities incorporate digital and online...

3 Reasons We Forget Small & Midsized Businesses are Major Targets for Ransomware

The ransomware attacks that make headlines and steer conversations among cybersecurity professionals usually involve major ransoms, huge corporations and notorious hacking groups. Kia Motors, Accenture, Acer, JBS…these companies were some of the largest to be...

How Ransomware Sneaks In

Ransomware has officially made the mainstream. Dramatic headlines announce the latest attacks and news outlets highlight the staggeringly high ransoms businesses pay to retrieve their stolen data. And it’s no wonder why – ransomware attacks are on the rise and the...

An MSP and SMB guide to disaster preparation, recovery and remediation

Introduction: It’s important for a business to be prepared with an exercised business continuity and disaster recovery (BC/DR) plan before it’s hit with ransomware, so that it can resume operations as quickly as possible. Key steps and solutions should be followed...

Podcast: Cyber resilience in a remote work world

The global pandemic that began to send us packing from our offices in March of last year upended our established way of working overnight. We’re still feeling the effects. Many office workers have yet to return to the office in the volumes they worked in pre-pandemic....

5 Tips to get Better Efficacy out of Your IT Security Stack

If you’re an admin, service provider, security executive, or are otherwise affiliated with the world of IT solutions, then you know that one of the biggest challenges to overcome is efficacy. Especially in terms of cybersecurity, efficacy is something of an amorphous...

How Cryptocurrency and Cybercrime Trends Influence One Another

Typically, when cryptocurrency values change, one would expect to see changes in crypto-related cybercrime. In particular, trends in Bitcoin values tend to be the bellwether you can use to predict how other currencies’ values will shift, and there are usually...

Cyber News Rundown: Atlanta Ransomware Attack

The Cyber News Rundown brings you the latest happenings in cybersecurity news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst and a guy with a passion for all things security. Any questions? Just ask.

City of Atlanta Faces Ransomware Roadblock

In the past week, the city of Atlanta has been dealing with the aftermath of a ransomware attack that effectively halted the police department’s Special Operations Section, which monitors non-emergency city functions. In a surprising twist, however, the ransomware author’s contact portal was leaked through several media outlets, prompting the author to remove the portal entirely and leaving the city with no means of paying the ransom. While the city was able to quickly return to normal operations for most employees, the recovery process will likely be ongoing for some time.

Facebook’s Data Collection Larger Than First Thought

Over the past week or so, researchers have been taking a deeper look into the data being collected by Facebook, with or without users’ permission. It was revealed that, due to lax API permissions for the Facebook installation on older versions of Android, Facebook was allowed to gather both call and SMS logs without user opt-ins. For some, extensive details of calls made by users were meticulously stored for up to several years. Details included call duration, recipient, and the date and time of the call. While Facebook claims any stored data is deleted if the user chooses to revoke permissions, users have been able to download their own data after removing the app, as the opt-in feature is the default setting when installing Facebook for the first time.

UK Anti-Doping Agency Hit By Cyber Attack

Recently, the UK’s anti-doping agency was targeted by an attack attempting to access drug testing and medical records for athletes. A Russian hacking group is believed to be responsible, as the attack comes not long after a doping scandal that affected several Russian athletes. Fortunately, the anti-doping agency has confirmed that no data was compromised in the attack and a simple reboot of their servers was all the remediation necessary.

Facebook Boosting Bounty Hunter Program After Data Handling Debacle

Following the latest scandal regarding the misuse of user data by third-party apps, Facebook has begun a complete overhaul of their bug bounty hunter program. In addition, they are reworking the company’s app review system to better determine permissions needed by apps that request access to a user’s friends list. Finally, any apps running on the Facebook platform that have been found to misuse customer data will be permanently blocked from accessing the development platform.

Sanny Malware Receives Multi-Step Delivery System

While Sanny has been well known and documented for several years, a new update has completely changed the delivery method of the malware. By portioning out the steps in the attack, rather than deploying everything in one drop, Sanny is capable of bypassing any UAC prompts and making multiple checks for the operating system version. Once the malicious macro is launched from within the email attachment, it checks for the specific OS and begins downloading additional files to bypass any OS security checks and executes its final payload.

Twitter is a Hotbed for Crypto Scam Bots

The brazen theft of cryptocurrency has been an ongoing issue for years now, mostly affecting exchanges and users who fail to store their private keys securely. But what about scams purporting to be giving free cryptocurrency away? It seems a little ridiculous, but there is a serious problem with this new incarnation of the classic “Nigerian letter” scam.

How crypto scams work

The scam is very simple. It asks victims to send fairly small amounts of cryptocurrency in return for a larger amount to be sent back later. The scammers often target influential Twitter accounts that likely have followers interested in cryptocurrency. After a popular account tweets—Elon Musk, for example—the scammer immediately replies to that tweet from an account imitating the influencer. So, @eloonmusk is impersonating @elonmusk, and @officialmacafee is impersonating @officialmcafee.

The biggest red flag here is that tweets pretending to be giving away crypto are not from verified accounts. They don’t have the blue checkmark badge next to their account name, which means they are NOT who they say they are. Usually, these imposter tweets will be supported by an entire botnet of fake accounts working in cahoots to increase the perceived legitimacy of the scam tweets. The tactics these bots use include liking and following each other’s posts and making fraudulent replies to these posts saying they received their Ethereum or Bitcoin successfully. They will even host scam websites that show “proof” this scheme is legitimate.
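The two signals described above (a handle one character away from a known account, and an unverified account promising a giveaway) can be turned into a simple triage check. This is an added example, not code from the original post; the verified-handle list, the giveaway pattern and the sample replies are all constructed here.

```python
import re

# Constructed list of handles treated as the genuine, verified accounts.
VERIFIED_HANDLES = {"elonmusk", "officialmcafee", "vitalikbuterin"}

# Constructed pattern for the "send a little, get more back" pitch.
GIVEAWAY_RE = re.compile(
    r"\b(giv(e|ing) ?away|send .* (eth|btc|ethereum|bitcoin)|get back)\b", re.I)


def normalize(handle):
    """Lower-case, drop a leading '@', then fold the tricks the post shows:
    doubled letters (eloon -> elon) and the confusable pairs 0/o, 1/l, rn/m.
    Both the suspect and the verified handle go through this, so the
    comparison stays symmetric."""
    h = handle.lower().lstrip("@")
    h = h.replace("0", "o").replace("1", "l").replace("rn", "m")
    return re.sub(r"(.)\1+", r"\1", h)  # collapse any repeated character


def edit_distance(a, b):
    """Levenshtein distance (insert/delete/substitute), iterative two-row form."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def impersonated_account(handle, verified=VERIFIED_HANDLES, max_distance=1):
    """Return the verified handle this one imitates, or None.
    The genuine account is recognised by its raw spelling; anything else that
    lands within max_distance after normalisation is a lookalike."""
    raw = handle.lower().lstrip("@")
    if raw in verified:
        return None
    norm = normalize(raw)
    best = None
    for v in verified:
        d = edit_distance(norm, normalize(v))
        if d <= max_distance and (best is None or d < best[1]):
            best = (v, d)
    return best[0] if best else None


def assess_reply(reply):
    """reply: {'handle': str, 'verified': bool, 'text': str}. Returns reasons to flag it."""
    reasons = []
    target = impersonated_account(reply["handle"])
    if target:
        reasons.append("handle imitates @" + target)
    if not reply.get("verified", False) and GIVEAWAY_RE.search(reply["text"]):
        reasons.append("unverified account promising a giveaway")
    return reasons


def flag_replies(replies):
    """Map each flagged handle to its reasons; clean replies are omitted."""
    return {r["handle"]: assess_reply(r) for r in replies if assess_reply(r)}


# Constructed sample replies under an influencer's tweet.
SAMPLE_REPLIES = [
    {"handle": "@eloonmusk", "verified": False,
     "text": "I'm giving away 5000 ETH! Send 0.5 ETH and get back 5 ETH"},
    {"handle": "@officialmacafee", "verified": False,
     "text": "Send 0.1 BTC to the address below and get back 1 BTC"},
    {"handle": "@elonmusk", "verified": True,
     "text": "Launch went well, thanks everyone"},
    {"handle": "@cryptomom", "verified": False,
     "text": "my tweets show as unavailable in threads today"},
]

if __name__ == "__main__":
    for handle, reasons in flag_replies(SAMPLE_REPLIES).items():
        print(handle, "->", "; ".join(reasons))
```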

In an attempt to thwart such scammers, leaders in the crypto community have gone as far as to change their Twitter account names to include explicit warnings that they are not giving away cryptocurrency. Ethereum founder Vitalik Buterin is an example of this method, as well as one of the users most commonly targeted by the scam.

Despite the bold disclaimer, scammers refuse to be shaken and continue to adapt their profiles and language to deceive victims.

What can be done to combat crypto scams?

Recently, Twitter attempted to remedy crypto scams by shadow banning the spammer accounts, but several cryptocurrency influencers were caught amid the ban and experienced temporary issues with their accounts.

“People just started DMing me that they couldn’t see my tweets in threads,” Twitter user @cryptomom told CoinDesk. “It would say ‘tweet unavailable.’ Others said they aren’t getting notifications when I tweet. But no word from Twitter. There is some really weird shit going on for crypto Twitter people right now. A rash of permanent bans and suspensions.”

Adding to confusion, Twitter mistakenly verified an account posing as Tron founder Justin Sun.

Crypto scams could prove to be a hurdle for Twitter and its users who are active in the crypto space. It’s important for people to understand that these scams will NEVER pay you. These fake accounts will do their best to prove their legitimacy, but they are just preying on the greed of victims.

Twitter will need to introduce new methods for combatting this type of spam. Twitter CEO Jack Dorsey recently announced a new verification process is coming that will make it easier for all users to obtain verification, according to the Chicago Tribune. This change will help the numerous crypto organizations and influencers on Twitter establish a verified presence. It is important for users to be protected from predatory scammers, while also protecting the integrity of a platform that has become a major hub for cryptocurrency discussion and information sharing.

What do you think can be done to stop cryptocurrency scams on Twitter? Join me in the Webroot Community or drop me a line in the comments below!

Cyber News Rundown: Zenis Ransomware Deletes Backups

The Cyber News Rundown brings you the latest happenings in cybersecurity news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst and a guy with a passion for all things security. Any questions? Just ask.

Zenis Ransomware Makes Resolution Problematic for Victims

Researchers recently discovered a new ransomware variant named Zenis that encrypts in the usual way, but, in a new twist, also deletes all available backups and event logs, and even disables startup repair. In a further departure from the norm, the ransom note doesn’t mention a specific price. Instead, the author requests that victims send the ransom note and another small file to various email addresses to verify that the ransomware author can decrypt them. The author then sends a final price, likely based on the types and quantity of files that will need to be encrypted. It’s still unclear how the variant is being distributed—possibly through RDP or spam emails.

Orbitz Suffers Major Data Breach

Travel site Orbitz has admitted to being the latest victim in a continuing trend of data breaches that affect hundreds of thousands of customers. In this case, the data for nearly 800,000 Orbitz customers was compromised, and the breach lasted from January 2016 until December of 2017. While officials are still working to determine the initial access point, they have discovered that the lost data included full payment info, as well as complete personal data for the company’s customers.

Fake Amazon Ad Achieves Top Position in Google Search Results

In the last several days, researchers found that the top search result for Amazon.com was actually fake and was redirecting anyone who clicked it to a fake tech support page that tried to scare the visitor into contacting Windows Support. Fortunately, Google worked quickly to remove the malicious link from its search results, and GoDaddy took down the domain within an hour of being notified.

Facebook Faces Backlash After Misuse of Sensitive Data

Facebook has announced that the personal data for nearly 50 million users had been illicitly obtained by a third-party analytics firm, which carefully maneuvered through Facebook’s Terms of Service to get data on more than just consenting users. While the data collection app was knowingly downloaded by 270,000 users, the app itself collected not only their data, but the personal data of their entire network of friends. Though Facebook removed the app in 2015 and demanded that the data be destroyed, the app’s creator ignored the request and continued using it for profit.

Celebrity Picture Contains Hidden Crypto-miner

Hackers have recently taken to using image files to distribute malware and other malicious content, as they are simple to reconfigure and difficult to detect. In the latest case, a picture of Scarlett Johansson contained functionality that executed shell commands on a user’s machine and mined Monero cryptocurrency. It had already acquired ~$90,000 worth of Monero by the time of discovery.

TrickBot Banking Trojan Adapts with New Module

Since inception in late 2016, the TrickBot banking trojan has continually undergone updates and changes in attempts to stay one step ahead of defenders and internet security providers. While TrickBot has not always been the stealthiest trojan, its authors have remained consistent in the use of new distribution vectors and development of new features for their product. On March 15, 2018, Webroot observed a module (tabDll32 / tabDll64) being downloaded by TrickBot that has not been seen in the wild before this time.

It appears that the TrickBot authors are still attempting to leverage MS17-010 and other lateral movement methods coupled with this module in an attempt to create a new monetization scheme for the group.

You can teach an old bot older tricks

Analyzed samples

  • 0058430e00d2ea329b98cbe208bc1dad – main sample (packed)
    • 0069430e00d2ea329b99cbe209bc1dad – bot 32 bit

Downloaded Modules

  • 711287e1bd88deacda048424128bdfaf – systeminfo32.dll
  • 58615f97d28c0848c140d5e78ffb2add – injectDll32.dll
  • 30fc6b88d781e52f543edbe36f1ad03b – wormDll32.dll
  • 5be0737a49d54345643c8bd0d5b0a79f – shareDll32.dll
  • 88384ba81a89f8000a124189ed69af5c – importDll32.dll
  • 3def0db658d9a0ab5b98bb3c5617afa3 – mailsearcher32.dll
  • 311fdc24ce8dd700f951a628b805b5e5 – tabDll32.dll

Behavioral Analysis

Upon execution, this iteration of TrickBot will install itself into the %APPDATA%\TeamViewer\ directory. If the bot has not been executed from its installation directory, it will restart itself from this directory and continue operation. Once running from its installation directory, TrickBot will write to the usual group_tag and client_id files along with creating a “Modules” folder used to store the encrypted plug and play modules and configuration files for the bot.


Image 1: TrickBot’s plug and play modules used to extend the bot’s functionality

Many of the modules shown above have been previously documented. The systeminfo and injectDll module have been coupled with the bot since its inception. The mailsearcher module was added in December 2016 and the worm module was discovered in late July 2017. The module of interest here is tabDll32 as this module has been previously undocumented. Internally, the module is named spreader_x86.dll and exports four functions similar to the other TrickBot modules.
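The on-disk footprint described above (an executable under %APPDATA%\TeamViewer\, the group_tag and client_id files, a Modules folder holding the known module names) plus the sample hashes listed earlier can be checked against file inventory records. This is an added example, not Webroot's tooling; the event records, hostnames and the benign file hash are constructed, while the MD5s and module names come from the write-up. Because a legitimate TeamViewer install also writes under %APPDATA%\TeamViewer, the strong verdict requires both marker files beside an executable, not the directory alone.

```python
import ntpath

# MD5s of the analyzed samples and modules listed in the write-up.
KNOWN_SAMPLE_MD5 = {
    "0058430e00d2ea329b98cbe208bc1dad", "0069430e00d2ea329b99cbe209bc1dad",
    "711287e1bd88deacda048424128bdfaf", "58615f97d28c0848c140d5e78ffb2add",
    "30fc6b88d781e52f543edbe36f1ad03b", "5be0737a49d54345643c8bd0d5b0a79f",
    "88384ba81a89f8000a124189ed69af5c", "3def0db658d9a0ab5b98bb3c5617afa3",
    "311fdc24ce8dd700f951a628b805b5e5",
}

# Module file names from the write-up, matched on the stem so that an
# entry with or without a .dll extension is recognised.
MODULE_STEMS = {"systeminfo32", "injectdll32", "wormdll32", "sharedll32",
                "importdll32", "mailsearcher32", "tabdll32", "tabdll64"}

# %APPDATA% expands to <profile>\AppData\Roaming on Windows.
INSTALL_DIR_KEY = "\\appdata\\roaming\\teamviewer\\"


def path_in_install_dir(path):
    """Return the path relative to %APPDATA%\\TeamViewer\\ (lower-cased),
    or None when the file lives elsewhere."""
    p = path.replace("/", "\\").lower()
    i = p.find(INSTALL_DIR_KEY)
    return None if i < 0 else p[i + len(INSTALL_DIR_KEY):]


def assess_host(events):
    """events: iterable of {'path': str, 'md5': str (optional)} for one host.
    Returns a list of human-readable findings."""
    markers, modules, hash_hits, exe_files = set(), set(), [], []
    for ev in events:
        path = ev["path"]
        if ev.get("md5", "").lower() in KNOWN_SAMPLE_MD5:
            hash_hits.append(path)
        rel = path_in_install_dir(path)
        if rel is None:
            continue
        name = ntpath.basename(rel)
        stem = ntpath.splitext(name)[0]
        if rel in ("group_tag", "client_id"):
            markers.add(rel)
        elif rel.startswith("modules\\") and stem in MODULE_STEMS:
            modules.add(stem)
        elif name.endswith(".exe"):
            exe_files.append(path)

    findings = []
    if hash_hits:
        findings.append("known TrickBot sample hash on %d file(s)" % len(hash_hits))
    if len(markers) == 2 and exe_files:
        findings.append("group_tag + client_id beside an executable in %APPDATA%\\TeamViewer\\")
    elif markers:
        findings.append("partial install marker(s): %s" % sorted(markers))
    if modules:
        findings.append("known module name(s) in Modules folder: %s" % sorted(modules))
    return findings


def verdict(events):
    """Collapse findings into one of: likely TrickBot / suspicious / clean."""
    findings = assess_host(events)
    strong = any(f.startswith(("known TrickBot", "group_tag +")) for f in findings)
    label = "likely TrickBot" if strong else ("suspicious" if findings else "clean")
    return label, findings


# Constructed inventory records. The .exe hash is the packed main sample's MD5
# from the write-up; the file name and the benign host's hash are made up.
INFECTED_HOST_EVENTS = [
    {"path": r"C:\Users\alice\AppData\Roaming\TeamViewer\svchost_copy.exe",
     "md5": "0058430e00d2ea329b98cbe208bc1dad"},
    {"path": r"C:\Users\alice\AppData\Roaming\TeamViewer\group_tag"},
    {"path": r"C:\Users\alice\AppData\Roaming\TeamViewer\client_id"},
    {"path": r"C:\Users\alice\AppData\Roaming\TeamViewer\Modules\injectDll32"},
    {"path": r"C:\Users\alice\AppData\Roaming\TeamViewer\Modules\tabDll32"},
]
CLEAN_HOST_EVENTS = [
    {"path": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "md5": "ffffffffffffffffffffffffffffffff"},  # constructed, not a real hash
    {"path": r"C:\Users\bob\AppData\Roaming\TeamViewer\TeamViewer15_Logfile.log"},
]

if __name__ == "__main__":
    for label, events in (("alice", INFECTED_HOST_EVENTS), ("bob", CLEAN_HOST_EVENTS)):
        print(label, verdict(events))
```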


Image 2a: Peering inside tabDll.dll


Image 2b: Abnormally large .rdata section

The file has an abnormally large .rdata section, which proves to be quite interesting because it contains two additional files intended to be used by spreader_x86.dll. The spreader module contains an additional executable, SsExecutor_x86.exe, and an additional module, screenLocker_x86.dll. Each module is described in more detail in its respective section below.

Spreader_x86.dll

When loading the new TrickBot module in IDA, you are presented with the option of loading the debug symbol filename.


Image 3: Debug symbol filename of the downloaded module tabDll.dll

This gives us a preview of how the TrickBot developers structure new modules that are currently under development. When digging deeper into the module, it becomes evident that this module is used to spread laterally through an infected network making use of MS17-010.

Image 4: String references to EternalRomance exploit used for lateral movement

This module appears to make use of lateral movement in an attempt to set up the embedded executable as a service on the exploited system. Additionally, the TrickBot authors appear to be still developing this module, as parts of the module’s reflective DLL injection mechanism are copied from GitHub.


Image 5: Copied code from ImprovedReflectiveDLLInjection


Image 6: Printf statements from the copied project on GitHub

SsExecutor_x86.exe

The second phase of the new module comes in the form of an executable meant to run post-exploitation. Again, it was very nice of the TrickBot authors to give us a look at the debug symbols file path.


Image 7: Debug symbol filename of the embedded PE file.

When run, this executable iterates over the user profiles in the registry and, for each profile, adds a link to the copied binary in that profile’s startup path. This occurs after lateral movement takes place.

Image 8: Iterate over user profiles and create


Image 9: Execution of the copied binary

ScreenLocker_x86.dll

Similarly to the other TrickBot modules, this module was written in Delphi. This is the first time TrickBot has shown any attempt at “locking” the victim’s machine.


Image 10: Peering inside screenLocker_x86.dll

This module exports two functions, “MyFunction” and a reflective DLL loading function. “MyFunction” appears to be the work in progress:


Image 11: Peering inside “MyFunction”


Image 12: Creation of the Locker Window

If the TrickBot developers are attempting to complete this locking functionality, this generates interesting speculation around the group’s business model. Locking a victim’s computer before you are able to steal their banking credentials alerts the victim that they are infected, thus limiting the potential for credit card or bank theft. However, extorting victims to unlock their computer is a much simpler monetization scheme.

It is notable that this locking functionality is only deployed after lateral movement, meaning that it would primarily be used to target unpatched corporate networks. In a corporate setting with unpatched machines, it is also likely that backups do not exist. The authors appear to be getting to know their target audience and how to best extract money from them. On a corporate network, where users are unlikely to be regularly visiting targeted banking URLs, exfiltrating banking credentials is a less successful money-making model compared to locking potentially hundreds of machines.

The TrickBot authors continue to target various financial institutions across the world, using MS17-010 exploits in an attempt to successfully laterally move throughout a victim’s network. This is being coupled with an unfinished “screenLocker” module in a new possible attempt to extort money from victims. The TrickBot banking trojan remains under continual development and testing in a constant effort by its developers to stay one step ahead of cybersecurity professionals.

Spectre, Meltdown, & the CLIMB Exploit: A Primer on Vulnerabilities, Exploits, & Payloads

In light of the publicity, panic, and lingering despair around Spectre and Meltdown, I thought this might be a good time to clear up the differences between vulnerabilities, exploits, and malware. Neither Spectre nor Meltdown are exploits or malware. They are vulnerabilities. Vulnerabilities don’t hurt people, exploits and malware do. To understand this distinction, witness the CLIMB exploit:

The CLIMB Exploit

Frequently, when a vulnerability is exploited, the payload is malware. But the payload can be benign, or there may be no payload delivered at all. I once discovered a windows vulnerability, exploited the vulnerability, and was then able to deliver the payload. Here’s how that story goes:

It’s kind of embarrassing to admit, but one evening my wife and I went out to dinner, and upon returning, realized we had a problem. It wasn’t food poisoning. We were locked out of our house. The solution was to find a vulnerability, exploit it, and get into the house. The vulnerability I found was an insecure window on the ground floor.

With care I was able to push the window inward and sideways to open it. From the outside, I was able to bypass the clasp that should have held the window closed. Of course, the window was vulnerable for years, but nothing bad came of it. As long as nobody used (exploited) the vulnerability to gain unauthorized access to my home, there was no harm done. The vulnerability itself was not stealing things from my home. It was just there, inert. It’s not the vulnerability itself that hurts you. It’s the payload. Granted, the vulnerability is the enabler.

The window was vulnerable for years, but nothing bad happened. Nobody attacked me, and while the potential for attack was present, an attack (exploit) is not a vulnerability. The same can be true of vulnerabilities in software. Opening the window is where the exploit comes in.

My actual exploit occurred in two stages. First, there was proof of concept (POC). After multiple attempts, I was able to prove that the vulnerable window could be opened, even when a security device was present. Next, I needed to execute the Covert Lift Intrusion Motivated Breach (CLIMB) exploit. Yeah, that means I climbed into the open window, a neat little exploit with no coding required. I suppose I could have broken the window, but I really didn’t want to brick my own house (another vulnerability?).

Now we come to the payload. In this case, the payload was opening the door for my wife. You see, not all payloads are malicious. If a burglar had used the CLIMB exploit, they could have delivered a much more harmful payload. They could have washed the dishes (they wouldn’t, unless they were Sheldon Cooper), they could have stolen electronic items, or they could have planted incriminating evidence. The roof is the limit.

Not all vulnerabilities are as easy to exploit as others. All of my second-floor windows had the same vulnerability, but exploiting them would have been more difficult. I am sure happy that I found the vulnerability before a criminal did. Because I was forgetful that fateful night, I’m also happy the vulnerability was there when I found it. As I said, I really didn’t want to break my own window. By the way, I “patched” my windows vulnerability by placing a wooden dowel between the window and the wall.

There you have it. Vulnerabilities, exploits, and payloads explained through the lens of the classic CLIMB exploit.

Cyber News Rundown: Hackable Gas Stations

The Cyber News Rundown brings you the latest happenings in cybersecurity news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst and a guy with a passion for all things security. Any questions? Just ask.

Global Gas Station Software Found Unsecured

Researchers have recently discovered a vulnerability that would allow anyone to remotely access thousands of gas stations from around the world. The vulnerability stems from having these stations be connected to the Internet and can give the potential attacker control of gas prices, access to customer payment information, and even control over surveillance cameras. Unfortunately, due to the average age of the pumps in question and the preinstalled software also being outdated, it is unlikely that many of the machines will, or even can, be updated to protect against these vulnerabilities.

NHS Staff Ignoring Security Policies in Favor of Usability

In a recent survey of NHS professionals, it was found that nearly half are using non-approved messaging apps on a regular basis, rather than more secure channels, as they are quicker and easier to use. Even more alarming, a similar number were either completely unaware of their organization’s policies for safely transferring data or had not received any training on the subject. With data security becoming ever more necessary, the organizations that hold our most sensitive data should be held to an even higher standard, as typical consumers have little choice but to trust that they will keep it safe.

Fortnite Mobile Invite Scams Flood Market Prior to Launch

In the days preceding the launch of Fortnite’s Mobile iOS functionality, hundreds of users have taken to posting fake “invites” for sale, throughout various social media sites. While the actual launch is still several days away, these invites have been offered for a variety of prices in hopes of finding someone eager enough to pay to play early.

AMD Chips Contain Critical Vulnerabilities

Over the last week or so, several critical flaws have been found within AMD processor chips that could be harmful, if exploited. While it would already require some administrative access to even begin using the vulnerabilities for harm, the exploit does allow unsigned, and possibly malicious, code to be uploaded to AMD’s Secure Processing Platform without performing any security checks. As these vulnerabilities are still being researched, the extent of their severity has yet to be fully decided.

Florida Virtual School Hit by Data Breach

Within the last few weeks, officials have been working to contact students, parents, and staff that may have been affected by a data breach that occurred sometime in the last year. While it is still unclear on what sensitive data may have been compromised, identity and credit monitoring services are being provided to anyone who has been in the database over the two-year period when it was illicitly accessed.

Cyber News Rundown: MoviePass App Tracks Your Every Move

The Cyber News Rundown brings you the latest happenings in cybersecurity news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst and a guy with a passion for all things security. Any questions? Just ask.

MoviePass Subscription Service Tracks More Than Your Viewing Habits

The CEO of MoviePass recently revealed the full extent of its tracking functionality, which was originally thought to use your location to find a nearby theater. The application can track any user from their home to the theater, and then onward through the rest of their journey, keeping notes on businesses and restaurants the user may visit. While this data is said to only be used to help enhance the user’s evening, it does seem to be a massive breach of privacy given that there is nothing in the terms of service that mentions the full extent of the tracking.

Latest Crypto-Miner Introduces Kill List for Competitive Processes

A new cryptocurrency miner has recently been discovered that seems to have an edge over its competition: the ability to terminate conflicting processes to maintain control over the device’s processing power. While the use of a ‘kill list’ isn’t new to malware in general, this does seem to be the first program that uses it for mining purposes, rather than continuing to propagate.

MacOS Users Getting Browsing Security Update

Within the last week, Google has announced it will begin rolling out a new security feature for MacOS that will give Chrome users additional warnings when attempting to access malicious or compromised websites. While these features have been functional for Windows users for quite some time, Google will begin implementing them for MacOS in April of this year. As Mac malware continues to proliferate, the necessity of these features grows right alongside it.

ComboJack Malware Targets Multiple Cryptocurrencies

Recently, researchers have spotted a new email spam campaign that downloads ComboJack, malware that seeks out several types of cryptocurrency wallet addresses currently stored on the device’s clipboard. By running endless checks on the clipboard for any cryptocurrency wallet address information, ComboJack will immediately replace any found address with one belonging to the attacker, while it continues to check for others.

School Employee W-2 Info Stolen in Phishing Scam

Officials have recently been contacting employees of an Alabama school district after a successful phishing attempt led to tax information being sent to a fake email address supposedly belonging to the superintendent of the district. The phishing scam affected at least 30 employees and has forced them to file their taxes manually, rather than electronically, as some returns had already been illicitly filed by the attacker.

Antimalware Testing is Hard, Disputing a Flawed Test is Even Harder

First thing’s first—I’d like to introduce myself. I’m senior security analyst Randy Abrams, and I’m delighted to be part of the Webroot team and our online community.

Prior to joining the team, I was a research director responsible for analyzing and reporting the test results of antimalware products. I also helped create test methodologies and looked for anomalies in the testing process. Before that, I worked as a director of technical education, where my role was very similar to my mission here at Webroot: to help all users stay more secure on the internet. Everything else I do is the means to meet these ends.

Earlier in my career, I spent 12 years at Microsoft working closely with researchers from major antimalware companies, as well as from several smaller antivirus companies, to ensure we did not release infected software. As a result, I bring a unique perspective to my role here at Webroot. I am a consumer (I use Webroot on my laptop). In the past, I have been an enterprise customer, worked at a test lab, and served on the vendor side of the industry.

Testers are Human. They Do Not Always Get it Right.

One of the most contentious parts of working in the security industry is antimalware testing. I used to joke that the reason antimalware testers are so arrogant is because antimalware researchers created them in their own image. Relationships between the testers and vendors have improved quite a bit in the past few years, but there still is a lot of friction. Scoring poorly on a test not only affects sales, but when the reason for the poor score was due to mistakes in testing, users do not get the quality of information they need to properly compare products.

Unfortunately, antimalware testing is really, really hard to get right. And it is not because of incompetence. You will never hear me say, or even imply, that testers are incompetent. The reason that testing is so hard to get right is because antimalware products have become so complex. There are interdependencies on cloud-based protections, reputation systems, whitelisting and blacklisting, scanning and remediation, and in some cases, like ours, system rollback. Additionally, sample acquisition and selection are problematic.

In the past, I have seen some serious mistakes resulting in products offering high-quality protection appear mediocre or worse. For vendors, a deeper problem arises when trying to dispute the test results. The public tends to think that testers always get it right and that vendors are just whining because they didn’t receive the score they thought their product deserved. No vendor was ever acquitted of a bad test in the court of public opinion.

In coming blogs, I will discuss some of the challenges testers face, and the impact these have on accurately presenting the information needed to make informed choices when selecting security software. As a former research director for a test lab, I dealt with issues, like the selection of samples, that could seriously impact reported results. Sample selection and acquisition is much more difficult than it would seem. When you see vendors score 100 percent, then the sample selection was too small.

When measuring performance, the ratio of file types (.exe, .bmp, .mp3, .docx, etc.), as well as the compression methods used in the file set, make a huge difference in real-world performance results. Even the files selected for false positive testing can affect the perceived quality of a product. Which is more important, detection of a file we see attacking tens of thousands of users, or the file we saw three times six months ago and never again? Given equal protection scores, would you rather have a product with one false positive or one with three false positives? These are a few of the issues that affect the quality of testing and understanding of what was actually tested. Believe it or not, one of the biggest problems with testing is not the results, it is the lack of meaningful analysis.

Have any questions or comments? I look forward to continuing the discussion on the Webroot Community.

Cyber News Rundown: A Wild Thanatos Appears!

The Cyber News Rundown brings you the latest happenings in cybersecurity news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst and a guy with a passion for all things security. Any questions? Just ask.

Thanatos Ransomware Causing Major Damage for Victims

A new ransomware variant has recently appeared and is proving to be more troublesome than most that came before it. By using individual encryption keys for each file, which it does not save, decryption is nearly impossible, even after paying the relatively small ransom of $200. Thanatos is also the first ransomware to accept Bitcoin Cash as a payment method.

Cryptojacking Found on LA Times Site

Researchers have stumbled onto yet another unsecured Amazon Web Services (AWS) server running a cryptominer. This time, the LA Times’ Homicide Report is at fault. Initially, the researchers found that the widely accessible server had public write access turned on, which they reported to the server’s owner. Unfortunately, the researchers weren’t the first to find the server, which is how the Monero miner was placed on a single, moderately trafficked site within the LA Times network.

UK School CCTV Feeds Popping Up on US Websites

Recently, surveillance videos from several UK schools made their way onto a US-based website that hosts unsecured camera footage from around the world. While the footage was mainly from the exterior of the schools, it still causes concern over the safety and privacy of the students the cameras are meant to protect. While the breach can be traced back to the camera manufacturers, who did not implement strong device security, responsibility also falls on the staff who set up the cameras in the first place. This news serves as a reminder to always take cybersecurity precautions and change manufacturer default settings.

Cryptocurrency Miner Packed with Annoying Adware

A new cryptocurrency miner named UpdateChecker has been making the rounds over the last few days. The program is distributed as a fake Flash Player update and comes with the bonus of ads that run at hour-long intervals. The malware itself is downloaded from fake Adobe update websites and will immediately begin optimizing itself for the local machine and checking for updates to its own files. Unfortunately for victims of UpdateChecker, it is rather troublesome to remove, as it will relaunch itself if you kill the process, and can restart the miner anytime you shut it off.

Apple Repair Center Generating Excessive Emergency Calls

Since late last year, emergency dispatchers and police departments in Sacramento County, California have received over 1,600 calls originating from a local Apple repair facility. The calls are likely from one of two devices Apple manufactures that can make emergency calls without a SIM card or service provider. While this isn’t the first case of Apple devices triggering hundreds of emergency calls, the company is working with local law enforcement agencies to find a resolution.

Cyber News Rundown: Linux OS Hacked onto Nintendo Switch

The Cyber News Rundown brings you the latest happenings in cybersecurity news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst and a guy with a passion for all things security. Any questions? Just ask.

Hackers Run Linux OS On Nintendo Switch

When gaming consoles get hacked, it’s usually by someone who wants to play pirated games. Not this time. Recently, a group of hackers found an exploit that allowed them to deploy a full Linux OS onto the Nintendo Switch. The flaw is contained within the specific Tegra X1 chips used by the Switch for core functionality. These are not easily patched and would likely require a recall if the flaw becomes a major problem.

California Employee Data Breach

Employees working in the California Department of Fish and Wildlife were recently notified that their Social Security numbers had been exposed in a data breach from late last year. The breach appears to have stemmed from a former employee downloading the data and removing it from the premises prior to leaving the department. This type of breach is extremely common, as many organizations don’t enforce stricter data policies for current and former employees.

Facebook Bug Spams Users With 2FA System

In the last week or so, several Facebook users have taken to other social media platforms to announce a nearly endless stream of spam being sent to the phone numbers they had used for 2-factor authentication. The spam then began posting the user’s replies to their Facebook wall, even after multiple attempts to stop the messages. While Facebook has since resolved the issue, they have remained vague about when they’ll finally discontinue the program functionality that caused the issue in the first place.


Crypto-miners Found on Tesla Servers

Following the breach of Tesla’s cloud server last year, company engineers have been discovering cryptocurrency miners on several of their internal servers. The initial breach occurred because their Kubernetes console lacked a password, and, once in, the hackers set up a complex mining operation that used multiple techniques to avoid detection.

FedEx Breach Exposes Personal Information

Over the last few days, officials have confirmed that more than 119,000 scanned identification documents belonging to Bongo International, an international sales broker that was bought by FedEx in 2014, were left exposed to the public. The data, which was found in an Amazon S3 bucket, was likely forgotten about amidst the acquisition and was available for an unknown amount of time.
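The LA Times item above and this FedEx item come down to the same misconfiguration: AWS storage whose ACL or bucket policy grants rights to everyone. The following is an added example, not Webroot’s code and not tooling from either incident, that evaluates a bucket ACL and bucket policy, in the shape boto3’s get_bucket_acl() and get_bucket_policy() return them, for public read or write. The documents, bucket name and owner ID are constructed for the example; IAM action wildcards such as s3:Get* are expanded with fnmatch, and statements carrying a Condition are deliberately not counted as public because a condition may narrow them.

```python
"""Audit S3 bucket ACLs and bucket policies for public read or write access.

Added example for this article, not Webroot's code and not tooling from the
LA Times or FedEx incidents. It runs offline over constructed documents shaped
like the JSON that boto3's get_bucket_acl() and get_bucket_policy() return;
the bucket name and owner ID are invented.
"""
import fnmatch

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}  # any AWS account counts as "anyone"

# Concrete actions that amount to reading or modifying bucket contents.
READ_ACTIONS = ("s3:GetObject", "s3:ListBucket")
WRITE_ACTIONS = ("s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _grants(patterns, actions):
    """True if any IAM action pattern ('*', 's3:*', 's3:Get*') covers an action."""
    return any(fnmatch.fnmatchcase(a.lower(), p.lower())
               for p in patterns for a in actions)


def acl_exposure(acl):
    """Permissions the ACL grants to the AllUsers/AuthenticatedUsers groups."""
    exposure = set()
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group" or grantee.get("URI") not in PUBLIC_GROUPS:
            continue
        perm = grant.get("Permission")
        if perm in ("READ", "FULL_CONTROL"):
            exposure.add("read")
        if perm in ("WRITE", "WRITE_ACP", "FULL_CONTROL"):
            exposure.add("write")
    return exposure


def _public_principal(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def policy_exposure(policy):
    """Permissions the bucket policy grants unconditionally to Principal '*'."""
    exposure = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _public_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # A Condition (e.g. aws:SourceIp) may narrow the grant: review by hand, don't call it public.
            continue
        actions = _as_list(stmt.get("Action", []))
        if _grants(actions, READ_ACTIONS):
            exposure.add("read")
        if _grants(actions, WRITE_ACTIONS):
            exposure.add("write")
    return exposure


def audit_bucket(acl, policy=None):
    """Return 'PUBLIC WRITE', 'PUBLIC READ' or 'private' for one bucket."""
    exposure = acl_exposure(acl) | (policy_exposure(policy) if policy else set())
    if "write" in exposure:
        return "PUBLIC WRITE"
    if "read" in exposure:
        return "PUBLIC READ"
    return "private"


# Constructed ACL: the owner plus the AllUsers group granted WRITE, i.e. the
# "public write access turned on" condition that let a miner be dropped.
OWNER = {"Type": "CanonicalUser", "ID": "example-owner-id"}
OPEN_WRITE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"},
    ],
}

# Constructed: a private ACL combined with a bucket policy that lets anyone
# fetch objects, the way a forgotten bucket of scanned IDs ends up readable.
PRIVATE_ACL = {"Owner": {"ID": "example-owner-id"},
               "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-forgotten-uploads/*"}],
}

if __name__ == "__main__":
    print("miner-host bucket:", audit_bucket(OPEN_WRITE_ACL))
    print("forgotten-uploads:", audit_bucket(PRIVATE_ACL, PUBLIC_READ_POLICY))
    print("locked-down:      ", audit_bucket(PRIVATE_ACL))
```

In practice the same two functions run over every bucket returned by a list_buckets() call; the point of separating ACL and policy evaluation is that either one alone is enough to make a bucket public, and a private-looking ACL says nothing about the policy.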

 

Valentine’s Day Sends Mobile, Online Dating Scammers on the Prowl

In a month where matchmaking is in high demand, we took a look at recent trends around online dating sites using Webroot Brightcloud Threat Intelligence Platform. What did we find? Valentine’s Day sends cybercriminals on the prowl, and not for a soulmate.

On average, visits to dating websites increase by 53 percent in the month of February, relative to the three months prior. There is also a 342 percent increase in visits to greeting card domains on Valentine’s Day relative to Christmas Day.

Cybercriminals take advantage of this massive spike in dating interest to take advantage of victims. The heart-breaker: In the week leading up to Valentine’s Day, there is an astounding 220 percent increase in malicious URLs from the week prior. The week following Valentine’s sees a dramatic 50 percent drop in malicious URLs.

We’ve even found WordsOfHeart.com—a dating website that will find your perfect match based on your password! We can’t stress enough how much of a bad idea this is.

WordsOfHeart.com Image

While the website does specify that you should not use the same password as your email or Facebook account, it’s still quite bizarre that your password would be the focal point for matching. At first glance, the site appears to be a clever phishing attempt, but it does indeed match you with other people. During initial sign-up, using a weak password, no matches were found.

When trying again using the obviously weak password of “password”, we found hundreds of matches. Most of these “matches” appeared to be blank profiles that weren’t created for any real romance, but rather by other people testing whether the site was legitimate, and some were just trolling. Regardless of whether the site functions, the entire premise behind it is something everyone should steer clear of.

Users should also exercise caution when dealing with more legitimate and established dating services. It has recently come to light that Tinder is not as secure as presumed. Tinder’s iOS and Android apps do not use basic HTTPS encryption for photos. What this means is that anyone using the same Wi-Fi network that your phone is on can potentially see your Tinder photo traffic.

Tinder Drift Demo Image
Source: CheckMarx, Tinder drift demo on YouTube.

To make matters even creepier, it’s possible for hackers to actually inject photos into your Tinder photo stream, as seen in a YouTube video by security researchers at CheckMarx. Be sure to keep this in mind when connected to public WiFi at coffee shops, libraries, airports, etc. It is worth noting that this lack of encryption is only an issue on the mobile Tinder apps, and using Tinder on your laptop browser would be fully encrypted. A recent survey by Mozilla shows that still only 68% of the internet is HTTPS encrypted, which is basic level protection. We expect that Tinder will be updating their mobile apps to address this soon.

Another stigma with dating websites is the overwhelming presence of bots. This isn’t a new development: the Ashley Madison hack a couple of years back revealed that a large share of the female accounts on the site were bots, and that they drove purchases by roughly 80% of the men, according to Gizmodo. This year, China is cracking down on mobile apps with fake female user accounts that send automated messages to solicit gifts and money from new users, according to the BBC. Over 600 people were arrested for this lucrative “business model,” which generated over $150 million for these apps. With artificial intelligence getting smarter and smarter, we expect scams like this to continue, so watch out for these tactics.

Practice safe online dating

Avoid swiping on dating apps when connected to public, unsecured networks. Make sure you’re using two-factor authentication to help ensure your online data is more secure. As soon as an account’s credentials have been compromised, it’s very common to then use that account to try and scam others since the profile is (up to that point) legitimate and not suspicious. Another option when browsing on public WiFi is to use a VPN (virtual private network).

Overall, use good judgement when it comes to online dating. Be extra vigilant about dating websites you visit, keeping note of the URLs and mobile apps you access.

Cyber News Rundown: Scarab Ransomware Strikes Back

The Cyber News Rundown brings you the latest happenings in cybersecurity news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst and a guy with a passion for all things security. Any questions? Just ask.

New Variant of Scarab Ransomware

With a few interesting changes to the original Scarab ransomware, Scarabey is quickly targeting Russian-speaking users with brute-force attacks on exposed RDP connections, rather than with the spam email campaigns used by its predecessor. Additionally, Scarabey takes the ransom a bit further by deleting 24 files from the encrypted machine for every 24 hours that the ransom remains unpaid.
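RDP brute forcing of the kind Scarabey relies on leaves a clear trail in the Windows Security log: a burst of Event ID 4625 (failed logon) records with logon type 10 (RemoteInteractive) from one source address, often cycling through account names, followed by a 4624 (successful logon) from the same address if a password holds. The detection below is an added example written for this article, not Webroot’s detection logic; it runs over a constructed CSV export of those events (timestamp, EventID, LogonType, TargetUserName, IpAddress), with invented addresses and account names, and flags a source that fails five or more times inside a 60-second window, noting whether it later succeeded.

```python
"""Flag RDP brute-force activity in Windows Security log events.

Added example for this article, not Webroot's detection logic. The sample
rows are constructed; addresses, hosts and account names are invented.
Logon type 10 is RemoteInteractive (RDP); 3 is a plain network logon.
"""
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO

# Constructed export: time, EventID, LogonType, TargetUserName, IpAddress.
# 203.0.113.7 cycles through account names and finally lands "admin";
# 198.51.100.4 is a user who mistyped once; 10.0.0.25 is not RDP at all.
SAMPLE_LOG = """\
2018-02-08T03:00:01,4625,10,Administrator,203.0.113.7
2018-02-08T03:00:04,4625,10,admin,203.0.113.7
2018-02-08T03:00:05,4625,10,jsmith,198.51.100.4
2018-02-08T03:00:07,4625,10,backup,203.0.113.7
2018-02-08T03:00:09,4624,10,jsmith,198.51.100.4
2018-02-08T03:00:10,4625,10,user1,203.0.113.7
2018-02-08T03:00:12,4625,3,svc_sql,10.0.0.25
2018-02-08T03:00:13,4625,10,Administrator,203.0.113.7
2018-02-08T03:00:15,4625,10,admin,203.0.113.7
2018-02-08T03:00:20,4624,10,admin,203.0.113.7
"""

RDP_LOGON_TYPE = 10
FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624


def parse_events(text):
    """Turn the CSV export into dicts with a real datetime for sorting."""
    events = []
    for row in csv.reader(StringIO(text)):
        if not row:
            continue
        ts, event_id, logon_type, account, ip = row
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "account": account,
            "source_ip": ip,
        })
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Return one alert per source IP that exceeds `threshold` RDP failures in `window`.

    Each alert records the accounts tried, the total failures seen from that
    source once it tripped the threshold, and whether a later 4624 from the
    same source means the brute force succeeded.
    """
    recent = defaultdict(deque)   # source_ip -> (time, account) inside the window
    alerts = {}
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue
        ip = e["source_ip"]
        if e["event_id"] == FAILED_LOGON:
            q = recent[ip]
            q.append((e["time"], e["account"]))
            while q and e["time"] - q[0][0] > window:   # slide the window forward
                q.popleft()
            if ip in alerts:
                alerts[ip]["failures"] += 1
                alerts[ip]["accounts"].add(e["account"])
            elif len(q) >= threshold:
                alerts[ip] = {
                    "source_ip": ip,
                    "first_seen": q[0][0],
                    "failures": len(q),
                    "accounts": {acct for _, acct in q},
                    "succeeded": False,
                    "compromised_account": None,
                }
        elif e["event_id"] == SUCCESSFUL_LOGON and ip in alerts:
            # A success after the burst is the signal that matters most.
            alerts[ip]["succeeded"] = True
            alerts[ip]["compromised_account"] = e["account"]
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)):
        print(alert)
```

The threshold and window are the two knobs to tune against your own baseline; the benign user in the sample never trips the rule, and the logon-type filter keeps network (type 3) failures from service accounts out of the count entirely. Tracking a subsequent 4624 is what turns a noisy "someone is scanning RDP" alert into an "act now" one.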

Botnets Used to Spread Cryptocurrency Miners

Following the Shadow Brokers release of NSA exploits last summer, the use of EternalBlue continues with the latest trend of using the exploit to compromise machines and turn them into cryptocurrency miners. By expanding the botnet to cover over 500,000 unique machines, the attackers have successfully brought in more than $3 million since May of 2017. The use of such a large-scale botnet can effectively mine for the more resource-intensive currencies with ease and even disrupt businesses from their normal workflow for days at a time.

Bitcoin Ads Circumvent Facebook Ban

In the past week, Facebook officially implemented a ban on all cryptocurrency-related advertisements on their site. However, the ads have continued to appear for many users with characters in the phrase ‘bitcoin’ simply misspelled. The ban was initially set to block misleading financial services and products that unknowing users might click on due to the apparent legitimacy of the ads.


Mac Software Sites Distributing Crypto Miners

As crypto miners continue to gain popularity among cyber criminals, it was inevitable that they would begin focusing on Macs. MacUpdate, a well-known software download site, was recently found to be bundling miners with commonly used applications. Luckily, some of these bundles are poorly written and often fail to launch the decoy app, which is intended to draw users’ attention away from the malicious activity. To make matters worse, several other download sites were also affected and waited far too long to remove the malicious download links from their servers.

Tech Scammers Exploit Chrome Flaw

Tech scammers have long been the bane of legitimate software companies and their support teams. The latest trick, however, can easily bring an unsuspecting user to a full panic attack by simply rendering a Chrome browser completely unusable. First it displays an error message and then silently forces the browser to save a random file to disk at such a pace that the machine’s CPU maxes out and leaves the computer in a ‘locked’ state in the hopes that the victim will actually contact the phony support number being displayed.