Industry Intel

Girl Scouts and OpenText empower future leaders of tomorrow with cyber resilience

The transition to a digital-first world enables us to connect, work and live in a realm where information is available at our fingertips. The children of today will be working in an environment of tomorrow that is shaped by hyperconnectivity. Operating in this...

World Backup Day reminds us all just how precious our data is

Think of all the important files sitting on your computer right now. If your computer crashed tomorrow, would you be able to retrieve your important files? Would your business suffer as a result? As more and more of our daily activities incorporate digital and online...

3 Reasons We Forget Small & Midsized Businesses are Major Targets for Ransomware

The ransomware attacks that make headlines and steer conversations among cybersecurity professionals usually involve major ransoms, huge corporations and notorious hacking groups. Kia Motors, Accenture, Acer, JBS…these companies were some of the largest to be...

How Ransomware Sneaks In

Ransomware has officially made the mainstream. Dramatic headlines announce the latest attacks and news outlets highlight the staggeringly high ransoms businesses pay to retrieve their stolen data. And it’s no wonder why – ransomware attacks are on the rise and the...

An MSP and SMB guide to disaster preparation, recovery and remediation

Introduction: It’s important for a business to have an exercised business continuity and disaster recovery (BC/DR) plan in place before it is hit with ransomware, so that it can resume operations as quickly as possible. Key steps and solutions should be followed...

Podcast: Cyber resilience in a remote work world

The global pandemic that began to send us packing from our offices in March of last year upended our established way of working overnight. We’re still feeling the effects. Many office workers have yet to return to the office in the volumes they worked in pre-pandemic....

5 Tips to get Better Efficacy out of Your IT Security Stack

If you’re an admin, service provider, security executive, or are otherwise affiliated with the world of IT solutions, then you know that one of the biggest challenges to overcome is efficacy. Especially in terms of cybersecurity, efficacy is something of an amorphous...

How Cryptocurrency and Cybercrime Trends Influence One Another

Typically, when cryptocurrency values change, one would expect to see changes in crypto-related cybercrime. In particular, trends in Bitcoin values tend to be the bellwether you can use to predict how other currencies’ values will shift, and there are usually...

Cyber News Rundown: Facebook Reveals “Clear History” Feature

The Cyber News Rundown brings you the latest happenings in cybersecurity news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst and a guy with a passion for all things security. Any questions? Just ask.

Cyberattack Shuts Down Mexico Central Bank

Within the past week, several payment systems connected to Mexico’s central bank were compromised for an unspecified amount of time. The incident delayed money transfers and transaction processing for the bank’s customers, but officials claim no funds or data were stolen. It is still unclear how the attackers accessed the systems, though the incident has heightened awareness of possible security flaws.

Facebook Implementing History Removal Tool

In the wake of the data mishandling scandal that tarnished Facebook’s privacy standards, the company announced it’s working on a new tool that will allow users to clear browsing history and cookies from within Facebook, along with opting out of allowing Facebook to gather future browsing data. While this tool is still being created, Mark Zuckerberg has said Facebook hopes to give more privacy controls back to the users who trust the site.

Fitbit Adopts Google Healthcare API

Recently, Fitbit announced it will integrate Google’s Cloud Healthcare API into its systems to give healthcare providers better access to important data. Fitbit has been working toward this for some time by steadily improving its data analysis and the feedback it provides to users and their health professionals. The partnership lets Fitbit use an industry-compliant system without building one from the ground up.

Northeast School District Pays Hefty Ransom

Following the April 14 cyberattack that encrypted much of a Massachusetts school district’s computer systems, local police recommended the district pay the $10,000 ransom to restore them. While paying a ransom is normally suggested only as a last resort, it appears the district was not able to restore the systems on its own. In the end, it opted to pay the requested amount in the hope that the criminals would keep their word.

DVRs Being Compromised

A researcher recently released a tool that lets anyone access several brands of DVR and illicitly obtain both device credentials and live video recordings. Using Shodan, the researcher identified nearly 55,000 unique, Internet-accessible DVRs that could be exploited with his tool via a previously disclosed flaw in those devices.

‘Smishing’: An Emerging Trend of Phishing Scams via Text Messages

Text messages are now a common way for people to engage with brands and services, with many now preferring texts over email. But today’s scammers have taken a liking to text messages too, and are now targeting victims with SMS phishing (“smishing”) sent via shortcodes instead of traditional email-based phishing attacks.

What do we mean by shortcodes?

Businesses typically use shortcodes to send and receive text messages with customers. You’ve probably used them before—for instance, you may have received shipping information from FedEx via the shortcode ‘46339’. Other shortcode uses include airline flight confirmations, identity verification, and routine account alerts. Shortcodes are typically four to six digits in the United States, but different countries have different formats and number designations.

The benefits of shortcodes are fairly obvious. Texts can be more immediate and convenient, making it easier for customers to access links and interact with their favorite brands and services. One major drawback, however, is the potential to be scammed by an SMS-based phishing attack, or “smishing” attack. (Not surprisingly, given the cybersecurity field’s fondness for combining words, smishing is a combination of SMS and phishing.)

All the Dangers of Phishing Attacks, Little of the Awareness

The most obvious example of a smishing attack is a text message containing a link to mobile malware. Mistakenly clicking on this type of link can lead to a malicious app being installed on your smartphone. Once installed, mobile malware can be used to log your keystrokes, steal your identity, or hold your valuable files for ransom. Many of the traditional dangers in opening emails and attachments from unknown senders are the same in smishing attacks, but many people are far less familiar with this type of attack and therefore less likely to be on guard against it.

Text messages from shortcodes can contain links to malware and other dangers.

Smishing for Aid Dollars

Another possible risk in shortcodes is that sending a one-word response can trigger a transaction, allowing a charge to appear on your mobile carrier’s bill. When a natural disaster strikes, it is common for charities to use shortcodes to make it incredibly easy to donate money to support relief efforts. For instance, if you text “PREVENT” to the shortcode 90999, you will donate $10 USD to the American Red Cross Disaster Relief Fund.

But this also makes it incredibly easy for a scammer posing as a legitimate organization to tell you to text “MONSOON” to a shortcode number. These types of smishing scams can lead to costly fraudulent charges on your phone bill, not to mention erode aid agencies’ ability to solicit legitimate donations from a wary public.

Another common smishing technique happens during tax-filing season and involves IRS-themed requests for the taxpayer to update personal and financial information. An uptick in these scams after the pandemic prompted the FBI to post public warnings.

Protect yourself from Smishing Attacks

While a trusted mobile security app can help you stay protected from a variety of mobile threats, avoiding smishing attacks demands a healthy dose of cyber awareness. Be skeptical of any text messages you receive from unknown senders and assume messages are risky until you are sure you know the sender or are expecting the message. Context is also very important. If a contact’s phone is lost or stolen, that contact can be impersonated. Make sure the message makes sense coming from that contact.

Related Resources:
Webroot blog: Smishing Explained: What It Is and How to Prevent It

Webroot blog: What’s Behind the Surge in Phishing Sites? Three Theories

Cyber News Rundown: Amazon DNS Service Hijacked

Amazon IPs Rerouted for Several Hours

Early Tuesday morning, attackers used a compromised ISP to announce bogus BGP routes for roughly 1,300 IP addresses belonging to Amazon’s Route 53 DNS service, rerouting DNS traffic for several hours. Amazon quickly released a statement clarifying that neither AWS nor Route 53 itself was breached; the hijack happened upstream, in a third party’s network. With DNS queries under their control, the attackers served a fake MyEtherWallet.com to visitors and netted over $150,000 in cryptocurrency.

Middle East Ride-Hailing App Compromised

In an announcement at the beginning of this week, the ride-hailing app Careem addressed a data breach that occurred in mid-January. The breach could affect nearly 14 million customers, though officials have stated that no payment information was amongst the compromised data, as it is stored off-site. Fortunately, the breach shouldn’t affect anyone who signed up for the app after January 14.

Complaints of Tech Support Scams on the Rise

Over the course of 2017, Microsoft saw a 24% rise in the number of complaints from customers who fell victim to tech support scams. This mirrors the findings of the FBI’s Internet Crime Complaint Center, which saw an 86% increase over the previous year. While the tactics have not varied much, the number of scam calls has gone up significantly, and the scams have branched out to target Mac and Linux users as well.

City of Atlanta Closing in on $3 Million Mark for Ransomware Recovery

It was recently revealed the City of Atlanta has spent close to $3 million to recover from a ransomware attack nearly a month ago. Though the original ransom was set at $51,000, paying it would not guarantee a swift resolution. Even now, Atlanta is still working on returning its systems to full working order. The delay may have been lengthened by the unknown amount of time the hackers had access to its system.

Malicious Crypto-miner Disables System Security

The newly dubbed PyRoMine, a cryptocurrency miner that uses the leaked NSA EternalRomance exploit to propagate, has been spotted in the wild over the past month. The miner disables any security services it encounters as well as Windows Update, and its malicious VBScript configures RDP so that port 3389 stays reachable for the attackers. Even though it hasn’t spread widely, the number of unpatched machines still exposed to malware authors is a goldmine just waiting to be found.

Cyber News Rundown: Russia Bans Telegram

Russia Blocks Millions of IPs to Halt Use of Telegram

Recently, Russia has been putting pressure on Telegram, an end-to-end encrypted messaging service, to release a master key that would allow Russian officials to monitor suspected terrorist communications. After Telegram refused, Russian regulators began blocking millions of IP addresses used to reach the service. Many of the blocked IPs belong to Amazon and Google, which has prompted Telegram users to switch to VPN services to continue using the app.

Facebook Accounts Breached by Stress Relief App

Within the last week, nearly 40,000 Facebook accounts have been compromised after users installed a stress-relief painting program that silently steals browser data. Likely spread through spam emails, the malware runs a fully functional painting program closely imitating the recently deprecated Microsoft Paint, and resumes gathering data every time the host computer restarts.

New Cryptominer Bypasses Open Browser Requirement

A recently discovered cryptominer functions like most previous miners, but its XMRig component has been updated so that it no longer needs an open browser session to start mining. This change is significant: the malware has moved from being browser-reliant to endpoint-based, so it can run on the infected device without user interaction. While it is still not the most prolific cryptominer currently operating, it’s believed to have spread to over 15 million unique endpoints around the world.

Tax Season is Open Season for Cyber Criminals

As the 2018 tax season wraps up, officials are working hard to determine if high volumes of tax returns being sent from individual computers are from tax professionals or criminals. While the IRS does have methods for stopping massive quantities of returns from being issued from a single device, tax professionals regularly file up to hundreds of returns per year. So how do they determine if they are legitimate or not? Now, cybercriminals have also recognized this loophole and have begun targeting pros, rather than individuals, to stay undetected while submitting fraudulent tax returns.

Microsoft Engineer Charged for Ransomware Money Laundering

A Microsoft employee was charged this week with laundering proceeds of the Reveton ransomware, a prominent screen-locker several years ago. The engineer is accused of transferring over $100,000, extorted from victims as ransom for restoring their locked systems, to a partner in the UK.

Cyber News Rundown: Hacktivists Strike YouTube Music Videos

Music-Oriented YouTube Channels Hacked

Within the last week, hackers have defaced multiple YouTube music videos, focusing largely on Vevo channels with high view counts. Most of the videos were quickly taken down after suspicious upload activity was found on several accounts, leaving some videos with the statement “Free Palestine” in the description. Vevo worked quickly to resolve the defacement and is in the process of returning the affected videos to viewable status.

Pen Test Reveals Security Risks for Radar

Researchers have recently been working to determine whether radar is truly secure, as industry professionals have claimed on the grounds that it doesn’t interact with the Internet. Unfortunately, after some effort, these researchers were able to breach the core radar systems on a Navy vessel and modify them enough to set the ship off course without raising alarms. Had the system been maliciously compromised, it could easily have run the ship aground or sent it off on a dangerous interception course. In addition to taking control of the vessel, the researchers were also able to remove all radar detections, leaving the ship effectively blind in the water.

Majority of Android Users Denied Consent to Facebook over Data Collection

In a recent survey, nearly 90% of the 1,300 users surveyed said they had refused consent for Facebook to collect their SMS and call data. Unsurprisingly, Facebook has replied that the collection was opt-in rather than opt-out and that users should have been asked, though many say no choice was ever presented to them. Some users have even reported seeing over two years’ worth of call and SMS data saved in their downloaded Facebook account data.

Facebook Announces Permissions Change

In the wake of the Cambridge Analytica fiasco, Facebook has made multiple changes to its policy on app permissions that collect user data. Any app that hasn’t been accessed within the last 90 days will require the user to go through the Facebook login page and re-consent to any data collection that may take place. These changes will not be immediate, but instead rolled out over a two-week period, giving users time to decide which apps they want to use and letting expired data tokens be deleted.

Department of the Interior Faces Malware Infection

Nearly three years after the data breach within the Office of Personnel Management, the Interior Department is still having issues with properly securing their systems. The latest internal threat stems from a US Geological Survey employee who was found to be watching pornography and saving the videos to an external hard drive, which led to their computer hosting Russian malware. This likely ties back to the department relying on automated security systems, rather than having trained personnel actively monitoring for malicious activity.

Cyber News Rundown: Breaking Panera Bread

Panera Ignores Security Flaw for Months

This week it was revealed that Panera failed to disclose or resolve a data breach affecting nearly 37 million customers for more than eight months. When researchers initially reached out to the company in August of last year, Panera officials believed the e-mail to be spam and ignored it until the researcher followed up about the leak. While a resolution has finally been put forth by Panera, their attempts to downplay the leak to the media and extreme delay in taking action are unacceptable for an organization of that size.

Indian Utility Company Facing Ransom

A regional power utility in India was recently breached and its billing data is now being held hostage for nearly 20 Bitcoins. While officials are still investigating the cause of the attack, the billing systems are already back to normal, as the data had been backed up by several methods. The affected site was one of two that handle electricity billing for many districts throughout the region.

Under Armour Fitness Tracking App Breached

Under Armour announced this past week that its MyFitnessPal app had suffered a data breach potentially affecting nearly 150 million users. The exposed data appears limited to usernames, email addresses, and hashed passwords; customers’ more sensitive information is stored separately under another layer of protection. Under Armour published a full FAQ site along with a public statement less than a week after the initial discovery.

Employee Info Leaking from Live Chat Widgets

Several live chat widgets have been found to expose a considerable number of personal details about the employees conducting the chats. More worrisome, the offending widgets are found on hundreds of the largest websites, though the data leaked varies with each company’s data policies. At least one of the notified widget vendors has acknowledged the issue and will hopefully resolve it quickly.

High-end Retailers Have Payment Data Stolen

At least three separate high-end retailers recently disclosed a payment system breach that could impact millions of recent customers. A few hundred thousand cards have already been put up for sale, with the hacker group known as JokerStash promising to release more than 5 million in total, likely drawn from the stored data of all three retailers.

Cyber News Rundown: Atlanta Ransomware Attack

City of Atlanta Faces Ransomware Roadblock

In the past week, the city of Atlanta has been dealing with the aftermath of a ransomware attack that effectively halted the police department’s Special Operations Section, which monitors non-emergency city functions. In a surprising twist, however, the ransomware author’s contact portal was leaked through several media outlets, prompting the author to remove the portal entirely and leaving the city with no means of paying the ransom. While the city was able to quickly return to normal operations for most employees, the recovery process will likely be ongoing for some time.

Facebook’s Data Collection Larger Than First Thought

Over the past week or so, researchers have been taking a deeper look into the data being collected by Facebook, with or without users’ permission. It was revealed that, due to lax API permissions for the Facebook app on older versions of Android, Facebook was able to gather both call and SMS logs without users opting in. For some, extensive details of calls were meticulously stored for several years, including call duration, recipient, and the date and time of the call. Facebook claims any stored data is deleted if the user revokes permissions, yet users have found call and SMS history in their downloaded data archives even after removing the app, and the collection is enabled by default the first time the app is installed.

UK Anti-Doping Agency Hit By Cyber Attack

Recently, the UK’s anti-doping agency was targeted by an attack attempting to access drug testing and medical records for athletes. A Russian hacking group is believed to be responsible, as the attack comes not long after a doping scandal that affected several Russian athletes. Fortunately, the anti-doping agency has confirmed that no data was compromised in the attack and a simple reboot of their servers was all the remediation necessary.

Facebook Boosting Bounty Hunter Program After Data Handling Debacle

Following the latest scandal over the misuse of user data by third-party apps, Facebook has begun a complete overhaul of its bug bounty program. It is also reworking the app review process to better scrutinize the permissions requested by apps that ask for access to a user’s friends list. Finally, any app on the Facebook platform found to misuse customer data will be permanently blocked from the development platform.

Sanny Malware Receives Multi-Step Delivery System

While Sanny has been well known and documented for several years, a new update has completely changed the malware’s delivery method. By splitting the attack into stages rather than dropping everything at once, Sanny can bypass UAC prompts and check the operating system version at each step. Once the malicious macro in the email attachment runs, it identifies the OS, downloads the additional files needed to evade that OS’s security checks, and executes the final payload.

Twitter is a Hotbed for Crypto Scam Bots

The brazen theft of cryptocurrency has been an ongoing issue for years now, mostly affecting exchanges and users who fail to store their private keys securely. But what about scams purporting to be giving free cryptocurrency away? It seems a little ridiculous, but there is a serious problem with this new incarnation of the classic “Nigerian letter” scam.

How crypto scams work

The scam is very simple. It asks victims to send fairly small amounts of cryptocurrency in return for a larger amount to be sent back later. The scammers often target influential Twitter accounts that likely have followers interested in cryptocurrency. After a popular account tweets—Elon Musk, for example—the scammer immediately replies to that tweet from an account imitating the influencer. So, @eloonmusk is impersonating @elonmusk, and @officialmacafee is impersonating @officialmcafee.

The biggest red flag here is that tweets pretending to be giving away crypto are not from verified accounts. They don’t have the blue checkmark badge next to their account name, which means they are NOT who they say they are. Usually, these imposter tweets will be supported by an entire botnet of fake accounts working in cahoots to increase the perceived legitimacy of the scam tweets. The tactics these bots use include liking and following each other’s posts and making fraudulent replies to these posts saying they received their Ethereum or Bitcoin successfully. They will even host scam websites that show “proof” this scheme is legitimate.

In an attempt to thwart such scammers, leaders in the crypto community have gone as far as to change their Twitter account names to include explicit warnings that they are not giving away cryptocurrency. Ethereum founder Vitalik Buterin is an example of this method, as well as one of the users most commonly targeted by the scam.

Despite the bold disclaimer, scammers refuse to be shaken and continue to adapt their profiles and language to deceive victims.

What can be done to combat crypto scams?

Recently, Twitter attempted to remedy crypto scams by shadow banning the spammer accounts, but several cryptocurrency influencers were caught amid the ban and experienced temporary issues with their accounts.

“People just started DMing me that they couldn’t see my tweets in threads,” Twitter user @cryptomom told CoinDesk. “It would say ‘tweet unavailable.’ Others said they aren’t getting notifications when I tweet. But no word from Twitter. There is some really weird shit going on for crypto Twitter people right now. A rash of permanent bans and suspensions.”

Adding to confusion, Twitter mistakenly verified an account posing as Tron founder Justin Sun.

Crypto scams could prove to be a hurdle for Twitter and its users who’re active in the crypto space. It’s important for people to understand that these scams will NEVER pay you. These fake accounts will do their best to prove their legitimacy, but they are just preying on the greed of victims.

Twitter will need to introduce new methods for combatting this type of spam. Twitter CEO Jack Dorsey recently announced a new verification process is coming that will make it easier for all users to obtain verification, according to the Chicago Tribune. This change will help the numerous crypto organizations and influencers on Twitter establish a verified presence. It is important for users to be protected from predatory scammers, while also protecting the integrity of a platform that has become a major hub for cryptocurrency discussion and information sharing.

What do you think can be done to stop cryptocurrency scams on Twitter? Join me in the Webroot Community or drop me a line in the comments below!

Cyber News Rundown: Zenis Ransomware Deletes Backups

Zenis Ransomware Makes Resolution Problematic for Victims

Researchers recently discovered a new ransomware variant named Zenis that encrypts in the usual way but, in a new twist, also deletes all available backups and event logs, and even disables startup repair. In a further departure from the norm, the ransom note doesn’t mention a specific price. Instead, the author asks victims to send the ransom note and another small file to various email addresses to verify that the author can decrypt them. The author then sends a final price, likely based on the types and quantity of files that need to be decrypted. It’s still unclear how the variant is being distributed, possibly through RDP or spam emails.

Orbitz Suffers Major Data Breach

Travel site Orbitz has admitted to being the latest victim in a continuing trend of data breaches that affect hundreds of thousands of customers. In this case, the data for nearly 800,000 Orbitz customers was compromised, and the breach lasted from January 2016 until December of 2017. While officials are still working to determine the initial access point, they have discovered that the lost data included full payment info, as well as complete personal data for the company’s customers.

Fake Amazon Ad Achieves Top Position in Google Search Results

In the last several days, researchers found that the top search result for Amazon.com was actually fake and was redirecting anyone who clicked it to a fake tech support page that tried to scare the visitor into contacting Windows Support. Fortunately, Google worked quickly to remove the malicious link from its search results, and GoDaddy took down the domain within an hour of being notified.

Facebook Faces Backlash After Misuse of Sensitive Data

Facebook has announced that the personal data for nearly 50 million users had been illicitly obtained by a third-party analytics firm, which carefully maneuvered through Facebook’s Terms of Service to get data on more than just consenting users. While the data collection app was knowingly downloaded by 270,000 users, the app itself collected not only their data, but the personal data of their entire network of friends. Though Facebook removed the app in 2015 and demanded that the data be destroyed, the app’s creator ignored the request and continued using it for profit.

Celebrity Picture Contains Hidden Crypto-miner

Hackers have recently taken to using image files to distribute malware and other malicious content, as they are easy to modify and hard to detect. In the latest case, a picture of Scarlett Johansson carried a payload that executed shell commands on the victim’s machine and mined Monero cryptocurrency. It had already earned about $90,000 worth of Monero by the time of discovery.

TrickBot Banking Trojan Adapts with New Module

Since its inception in late 2016, the TrickBot banking trojan has undergone continual updates and changes in an attempt to stay one step ahead of defenders and internet security providers. While TrickBot has not always been the stealthiest trojan, its authors have consistently adopted new distribution vectors and developed new features for their product. On March 15, 2018, Webroot observed a module (tabDll32 / tabDll64) being downloaded by TrickBot that had not been seen in the wild before this time.

It appears that the TrickBot authors are still attempting to leverage MS17-010 and other lateral movement methods coupled with this module in an attempt to create a new monetization scheme for the group.

You can teach an old bot older tricks

Analyzed samples

  • 0058430e00d2ea329b98cbe208bc1dad – main sample (packed)
    • 0069430e00d2ea329b99cbe209bc1dad – bot 32 bit

Downloaded Modules

  • 711287e1bd88deacda048424128bdfaf – systeminfo32.dll
  • 58615f97d28c0848c140d5e78ffb2add – injectDll32.dll
  • 30fc6b88d781e52f543edbe36f1ad03b – wormDll32.dll
  • 5be0737a49d54345643c8bd0d5b0a79f – shareDll32.dll
  • 88384ba81a89f8000a124189ed69af5c – importDll32.dll
  • 3def0db658d9a0ab5b98bb3c5617afa3 – mailsearcher32.dll
  • 311fdc24ce8dd700f951a628b805b5e5 – tabDll32.dll

Behavioral Analysis

Upon execution, this iteration of TrickBot will install itself into the %APPDATA%\TeamViewer\ directory. If the bot has not been executed from its installation directory, it will restart itself from this directory and continue operation. Once running from its installation directory, TrickBot will write to the usual group_tag and client_id files along with creating a “Modules” folder used to store the encrypted plug and play modules and configuration files for the bot.


Image 1: TrickBot’s plug and play modules used to extend the bot’s functionality

Many of the modules shown above have been previously documented. The systeminfo and injectDll modules have been coupled with the bot since its inception. The mailsearcher module was added in December 2016 and the worm module was discovered in late July 2017. The module of interest here is tabDll32, as this module has been previously undocumented. Internally, the module is named spreader_x86.dll and exports four functions similar to the other TrickBot modules.


Image 2a: Peering inside tabDll.dll


Image 2b: Abnormally large .rdata section

The file has an abnormally large .rdata section, which proves to be quite interesting because it contains two additional files intended to be used by spreader_x86.dll. The spreader module contains an additional executable, SsExecutor_x86.exe, and an additional module, screenLocker_x86.dll. Each module will be described in more detail in its respective section below.
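To turn the observation above into a repeatable check, here is an added Python triage routine (not Webroot’s code and not from the module itself) that walks a PE’s section table and flags any section that carries embedded MZ/PE headers, or an .rdata that makes up most of the file; the image it runs on is constructed inline as a stand-in for the real module.

```python
import struct

def parse_sections(data):
    """Walk the section table; return [(name, raw_offset, raw_size)]."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    out = []
    for i in range(num_sections):
        off = e_lfanew + 24 + opt_size + 40 * i  # table follows PE sig + COFF + optional header
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)  # SizeOfRawData, PointerToRawData
        out.append((name, raw_ptr, raw_size))
    return out

def find_embedded_pe(blob):
    """Offsets of 'MZ' stubs in blob whose e_lfanew lands on a 'PE\\0\\0' signature."""
    hits, pos = [], blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            if blob[pos + lfanew:pos + lfanew + 4] == b"PE\0\0":
                hits.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return hits

def triage(data, rdata_ratio=0.5):
    """Flag an .rdata that dominates the file, or any section carrying embedded PE files."""
    sections = parse_sections(data)
    total = sum(size for _, _, size in sections) or 1
    findings = []
    for name, ptr, size in sections:
        embedded = find_embedded_pe(data[ptr:ptr + size])
        if embedded or (name == ".rdata" and size / total > rdata_ratio):
            findings.append({"section": name, "size": size, "embedded_pe_at": embedded})
    return findings

def build_pe(sections):
    """Constructed test fixture: minimal PE (no optional header) with raw section data."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew: PE signature right after the DOS header
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    ptr, table, body = len(hdr) + 40 * len(sections), b"", b""
    for name, blob in sections:
        table += name.ljust(8, b"\0") + struct.pack("<IIII", len(blob), 0, len(blob), ptr) + b"\0" * 16
        body, ptr = body + blob, ptr + len(blob)
    return bytes(hdr) + table + body

# Constructed sample: a small .text and an .rdata that is mostly two embedded PEs (stand-ins for the exe and DLL).
INNER = build_pe([(b".text", b"\x90" * 32)])
SAMPLE = build_pe([(b".text", b"\xCC" * 64), (b".rdata", b"A" * 16 + INNER + b"B" * 16 + INNER)])
```

Run `triage(SAMPLE)` to see the .rdata section reported with the two embedded PE offsets; a clean image such as `INNER` produces no findings.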

Spreader_x86.dll

When loading the new TrickBot module in IDA, you are presented with the option of loading the debug symbol filename.


Image 3: Debug symbol filename of the downloaded module tabDll.dll

This gives us a preview of how the TrickBot developers structure new modules that are currently under development. When digging deeper into the module, it becomes evident that this module is used to spread laterally through an infected network making use of MS17-010.

Image 4: String references to EternalRomance exploit used for lateral movement

This module appears to make use of lateral movement in an attempt to set up the embedded executable as a service on the exploited system. Additionally, the TrickBot authors appear to be still developing this module, as parts of the module’s reflective DLL injection mechanism are stolen from GitHub.


Image 5: Copied code from ImprovedReflectiveDLLInjection


Image 6: Printf statements from the copied project on GitHub

SsExecutor_x86.exe

The second phase of the new module comes in the form of an executable meant to run post-exploitation. Again, it was very nice of the TrickBot authors to give us a look at the debug symbols file path.


Image 7: Debug symbol filename of the embedded PE file.

When run, this executable iterates over the user profiles in the registry and, for each profile, adds a link to the copied binary in that profile’s startup path. This occurs after lateral movement takes place.

Image 8: Iterate over user profiles and create


Image 9: Execution of the copied binary

ScreenLocker_x86.dll

Similarly to the other TrickBot modules, this module was written in Delphi. This is the first time TrickBot has shown any attempt at “locking” the victim’s machine.


Image 10: Peering inside screenLocker_x86.dll

This module exports two functions, “MyFunction” and a reflective DLL loading function. “MyFunction” appears to be the work in progress:


Image 11: Peering inside “MyFunction”


Image 12: Creation of the Locker Window

If the TrickBot developers are attempting to complete this locking functionality, this generates interesting speculation around the group’s business model. Locking a victim’s computer before you are able to steal their banking credentials alerts the victim that they are infected, thus limiting the potential for credit card or bank theft. However, extorting victims to unlock their computer is a much simpler monetization scheme.

It is notable that this locking functionality is only deployed after lateral movement, meaning that it would be used to primarily target unpatched corporate networks. In a corporate setting (with unpatched machines) it is highly likely that backups would not exist as well. The authors appear to be getting to know their target audience and how to best extract money from them. On a corporate network, where users are unlikely to be regularly visiting targeted banking URLs, exfiltrating banking credentials is a less successful money-making model compared to the locking of potentially hundreds of machines.

The TrickBot authors continue to target various financial institutions across the world, using MS17-010 exploits in an attempt to successfully laterally move throughout a victim’s network. This is being coupled with an unfinished “screenLocker” module in a new possible attempt to extort money from victims. The TrickBot banking trojan remains under continual development and testing in a constant effort by its developers to stay one step ahead of cybersecurity professionals.

Spectre, Meltdown, & the CLIMB Exploit: A Primer on Vulnerabilities, Exploits, & Payloads

In light of the publicity, panic, and lingering despair around Spectre and Meltdown, I thought this might be a good time to clear up the differences between vulnerabilities, exploits, and malware. Neither Spectre nor Meltdown is an exploit or malware. They are vulnerabilities. Vulnerabilities don’t hurt people; exploits and malware do. To understand this distinction, witness the CLIMB exploit:

The CLIMB Exploit

Frequently, when a vulnerability is exploited, the payload is malware. But the payload can be benign, or there may be no payload delivered at all. I once discovered a windows vulnerability, exploited the vulnerability, and was then able to deliver the payload. Here’s how that story goes:

It’s kind of embarrassing to admit, but one evening my wife and I went out to dinner, and upon returning, realized we had a problem. It wasn’t food poisoning. We were locked out of our house. The solution was to find a vulnerability, exploit it, and get into the house. The vulnerability I found was an insecure window on the ground floor.

With care I was able to push the window inward and sideways to open it. From the outside, I was able to bypass the clasp that should have held the window closed. Of course, the window was vulnerable for years, but nothing bad came of it. As long as nobody used (exploited) the vulnerability to gain unauthorized access to my home, there was no harm done. The vulnerability itself was not stealing things from my home. It was just there, inert. It’s not the vulnerability itself that hurts you. It’s the payload. Granted, the vulnerability is the enabler.

The window was vulnerable for years, but nothing bad happened. Nobody attacked me, and while the potential for attack was present, an attack (exploit) is not a vulnerability. The same can be true of vulnerabilities in software. Opening the window is where the exploit comes in.

My actual exploit occurred in two stages. First, there was proof of concept (POC). After multiple attempts, I was able to prove that the vulnerable window could be opened, even when a security device was present. Next, I needed to execute the Covert Lift Intrusion Motivated Breach (CLIMB) exploit. Yeah, that means I climbed into the open window, a neat little exploit with no coding required. I suppose I could have broken the window, but I really didn’t want to brick my own house (another vulnerability?).

Now we come to the payload. In this case, the payload was opening the door for my wife. You see, not all payloads are malicious. If a burglar had used the CLIMB exploit, they could have delivered a much more harmful payload. They could have washed the dishes (they wouldn’t, unless they were Sheldon Cooper), they could have stolen electronic items, or they could have planted incriminating evidence. The roof is the limit.

Not all vulnerabilities are as easy to exploit as others. All of my second-floor windows had the same vulnerability, but exploiting them would have been more difficult. I am sure happy that I found the vulnerability before a criminal did. Because I was forgetful that fateful night, I’m also happy the vulnerability was there when I found it. As I said, I really didn’t want to break my own window. By the way, I “patched” my windows vulnerability by placing a wooden dowel between the window and the wall.

There you have it. Vulnerabilities, exploits, and payloads explained through the lens of the classic CLIMB exploit.

Cyber News Rundown: Hackable Gas Stations

The Cyber News Rundown brings you the latest happenings in cybersecurity news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst and a guy with a passion for all things security. Any questions? Just ask.

Global Gas Station Software Found Unsecured

Researchers have recently discovered a vulnerability that would allow anyone to remotely access thousands of gas stations from around the world. The vulnerability stems from these stations being connected to the Internet, and can give the potential attacker control of gas prices, access to customer payment information, and even control over surveillance cameras. Unfortunately, due to the average age of the pumps in question and the preinstalled software also being outdated, it is unlikely that many of the machines will, or even can, be updated to protect against these vulnerabilities.

NHS Staff Ignoring Security Policies in Favor of Usability

In a recent survey of NHS professionals, it was found that nearly half are using non-approved messaging apps on a regular basis, rather than more secure channels, as they are quicker and easier to use. Even more alarming, a similar number were either completely unaware of their organization’s policies for safely transferring data or had not received any training on the subject. With data security becoming ever more necessary, the organizations that hold our most sensitive data should be held to an even higher standard, as typical consumers have little choice but to trust that they will keep it safe.

Fortnite Mobile Invite Scams Flood Market Prior to Launch

In the days preceding the launch of Fortnite’s Mobile iOS functionality, hundreds of users have taken to posting fake “invites” for sale, throughout various social media sites. While the actual launch is still several days away, these invites have been offered for a variety of prices in hopes of finding someone eager enough to pay to play early.

AMD Chips Contain Critical Vulnerabilities

Over the last week or so, several critical flaws have been found within AMD processor chips that could be harmful if exploited. While it would already require some administrative access to even begin using the vulnerabilities for harm, the exploit does allow unsigned, and possibly malicious, code to be uploaded to AMD’s Secure Processing Platform without performing any security checks. As these vulnerabilities are still being researched, the extent of their severity has yet to be fully decided.

Florida Virtual School Hit by Data Breach

Within the last few weeks, officials have been working to contact students, parents, and staff that may have been affected by a data breach that occurred sometime in the last year. While it is still unclear what sensitive data may have been compromised, identity and credit monitoring services are being provided to anyone who has been in the database over the two-year period when it was illicitly accessed.