Industry Intel

The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.

Brothers Printers Vulnerable to Major Exploit

Researchers have discovered an exploit in several Brothers printer models that would allow attackers to issue a continuing DDoS attack against the printer, rendering it unusable. By sending a fraudulent HTTP request to the device, the attackers could then use the printer against itself by forcing a cycle of printer errors, followed swiftly by another phony HTTP request. Although this exploit only affects printer models with a web interface, its discovery sheds light on much more basic security flaws, such as not changing the default password or allowing unrestricted remote access.

Password Hackers Have Reached New Heights

As cybercriminals and their tools get more and more advanced, it’s no surprise that the use of traditional passwords may have finally met its end. Password cracking software has gone from taking years to days to hours to complete, so human-created passwords may now leave many institutions less secure than they could be, and have contributed to numerous data breaches in the last few years.

Ride-Hailing Service Leaves Servers Unsecured

In the least week or so, a server belonging to Fasten, a Boston-based ride-hailing service, was found to be publicly accessible for at least 48 hours; the timeframe may have been longer. The server in question contained personal data for both passengers and drivers, along with data about customer devices and the vehicles used. Fortunately for many users, the company worked quickly to secure the server and improve their data security policies.

Pro-ISIS Hacking Group Targets U.S. School Websites

Recently, the primary websites for at least 800 schools across the U.S. were hacked by a Pro-ISIS group to redirect site visitors to an Arabic YouTube propaganda video. The hacked sites were all linked through an academic website building service called SchoolDesk. SchoolDesk claims no personal information was exposed during the breach, though this news is difficult to confirm. This attack isn’t the worst one perpetrated by the hacking group, but it is the most recent, and the hackers have stated each of their victims has had limited security protocols.

IcedID Banking Trojan Spreads to US

Over the last several days, researchers have been tracking a new banking Trojan that has swiftly spread across the US. IcedID employs both redirection attacks and browser injection, which is fairly unusual. Previously, these tactics have only been combined by Dridex, a highly advanced banking Trojan. By using the botnet built by the Emotet Trojan, IcedID can deploy onto previously infected systems, causing even more damage.

The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.

UK-Based Cryptocurrency Hit By Cyberattack

Prior to the official launch of Electroneum, a UK-based cryptocurrency that uses smartphones for its mining process, was targeted by a DDoS attack that shut down both the website and the app for several days. The attack effectively blocked all users from accessing their accounts, as the entire network was forced offline, to ensure the safety of investors’ funds.

Canadian University Held for Ransom

In the past week, officials have been working with affected students to secure their personal information after hackers breached the university’s systems and gained access to student records. The university has since taken its email system offline, as the hackers were spreading the leaked information throughout the email lists. Along with the data circulation, the hackers also demanded the university pay a large ransom of roughly 23,000 USD within 48 hours, though officials are still uncertain when the breach itself occurred.

WaterMiner Cryptocurrency Mod for GTA 5

As more cryptocurrency miners are embedded in software, one Russian hacker has gone a step further by exploiting a mod for the popular game Grand Theft Auto 5. The exploit silently uses a computer’s power to mine digital currency and, with the help of a modified version of the XMRig miner, can hide itself if it suspects monitoring software is active.

Paradise Papers Expose Latest Offshore Dealings

A sizable data dump from offshore law firm Appleby was released and quickly distributed across the globe in the last week. Initial reports reveal that nearly 1.4TB of data was included in the dump, which contained private investment figures belonging to large corporations and prominent political figures. While the perpetrator of the leak has not yet been identified, this event brings to light the unconscionable lack of security that such firms employ, even when dealing with the most sensitive of client data.

Parity Bug Freezes $300 Million in Cryptocurrency

Although the full impact has not yet been quantified, a user bug caused at least 70 Ethereum accounts to completely deactivate, leaving approximately $300 million worth of cryptocurrency completely inaccessible. The bug stems from a recent patch that Parity developers implemented after a previous breach led to the theft of over $30 million in cryptocurrency. At this time, the future of the locked funds is still undecided. Developers are considering a radical change (termed a “hard fork”) to the currency to unlock affected accounts, but this solution isn’t appealing to many investors.

The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.

DoubleLocker Takes Android Ransomware to Next Level

While the concept of ransomware is nothing new, DoubleLocker takes encryption a step further by not only locking down the device’s files, but also locking the device itself. Once installed, DoubleLocker takes control of the Home button functionality, implementing a randomly generated PIN for the device the first time the user taps Home. This makes it extremely difficult to unlock the device without performing a complete factory reset.

Heathrow Security Documents Found on Lost USB Drive

In the last week, officials at Heathrow Airport in London have been working to determine how a USB drive containing a large quantity of security details about the airport was found on an inconspicuous London street. The USB contained information on the airport’s security measures, as well as details on how the Queen is ushered through the facility. Fortunately, the man who found the drive turned it in to the proper authorities after discovering the data it contained.

Firefox Fights Canvas Fingerprinting

The newest Firefox browser version will take a sterner approach to canvas fingerprinting, a nearly silent method of tracking users’ browsing activity. Canvas fingerprinting tracks the browser instead of storing cookies on the system. Although it has legitimate uses, the canvas element allows companies to track users without their consent. Unlike cookies, fingerprints cannot be deleted by the user. While canvas fingerprinting won’t be going away, Firefox is taking a step in the right direction: their new browser version will give users the choice of opting in, rather than being unwitting subjects.

Mobile Facebook Users Targeted By Phishing Scheme

Recently, Facebook users from continental Europe have seen a sizeable increase in phishing campaigns focused on mobile users. The campaigns start with an already-hacked Facebook account that posts fake “YouTube” links. These links direct anyone who clicks to a fake login page that attempts to steal their credentials. The phished credentials are then used to continue propagating the campaign from the compromised user accounts.

ONI Ransomware Favors Japanese Systems

For the last several months, researchers have been tracking the ONI ransomware variant as it works its way through Japan’s corporate sector. Focusing solely on Japanese companies, ONI and MBR-ONI have been spotted encrypting numerous computers and also wiping others clean, likely in an attempt to cover up other hacking operations. Researchers report the attackers may have used the EternalBlue exploit to move through networks more easily, as the computers involved had not yet received the Microsoft update that would have patched that vulnerability.

We’re revealing the top 10 nastiest ransomware attacks from the past year. NotPetya came in on our list as the most destructive ransomware attack of 2017, followed closely by WannaCry and Locky in the number two and three spots, respectively. NotPetya took number one because of its intent to damage a country’s infrastructure. Unlike most ransomware attacks, NotPetya’s code wasn’t designed to extort money from its victims, but to destroy everything in its path.

While NotPetya and WannaCry were first uncovered in 2017, the other ransomware attacks on our top 10 list made their debuts last year. These attacks either continued into 2017 or returned with a vengeance.

This top 10 list underscores the reality of our increasingly connected world—cybercriminals will continue to develop new infections and will capitalize on reliable, successful attack methods.

DESCRIPTION

Starting as a fake Ukrainian tax software update, this ransomware is a variant of an older attack dubbed Petya, except this version uses the same exploit behind WannaCry. Once the software update was applied to devices, hackers used the exploits to spread laterally through networks like a worm. The code used to build NotPetya was not designed to extort money from its victims, but rather to destroy everything it its path. Inception: June 2017; Attack vector: Supply Chain ME.doc and Eternal Blue & Eternal Romance Exploit

DAMAGE REPORT

The ransom originally asked for about $300 in bitcoin, but the system that collected money from victims for decryption keys quickly disintegrated. NotPetya was designed to do as much damage to the Ukrainian infrastructure as possible. Not only did it shut down Ukrainian power plants, banking services, and supermarkets, but NotPetya also infected hundreds of thousands of computers in over 100 countries. Additionally, the ransomware shut down Maersk, the largest shipping container vessel in the world, along with FedEx (causing a reported $300 million in damage). Destruction Zone: 100+ countries

DESCRIPTION

The attackers behind WannaCry used the NSA 0-day Eternal Blue and Double Pulsar exploits first made available earlier this year by a group called the Shadow Brokers. Initially, the malware propagated via spam emails—including fake invoices, job offers, and other traps—which contained a .zip file that initiated the WannaCry infection. Eternal Blue exploits an older flaw in the Server Message Block (SMB) in Microsoft Windows, which can allow remote code execution. This flaw was patched in Microsoft’s March 2017 update cycle, but many organizations had not run the patch or were using unsupported legacy operating systems like XP. Inception: First appeared in March 2017 but spread in May 2017; Attack vector: Eternal Blue Server Message Block (SMB) Exploit Kit

DAMAGE REPORT

WannaCry was the very first ransomware to take the whole world by storm, infecting several hundred thousand people in a single day. Some reports say the damage could be up to $4 billion. Luckilym a security researcher in England managed to discover a kill switch domain, which was all anyone needed to disable it. Further analysis shows that the kill switch domain has received over 10 million different connections since it was made available, suggesting WannaCry could have been even more destructive. Destruction Zone: 150+ countries

DESCRIPTION

The most popular ransomware of 2016 is still alive and well in 2017. New variants of Locky—Diablo and Lukitus—surfaced this past August using the same the initial phishing email attack vector. The emails contain a zipped attachment with malicious JavaScript that downloads the Locky payload. Most of the emails pose as fake invoices from companies such as Amazon Marketplace and Herbalife. More recently, the ransomware has been spotted using an email distribution campaign with Game of Thrones references in its scripting variables. Inception: February 2016; Attack vector: Spam Email

DAMAGE REPORT

Crowned the king of spam emails, Locky can reach millions of users per day in campaigns. One of the first organizations hit was the Hollywood Presbyterian Medical Center in Los Angeles. The hospital paid the ransom demand of 40 bitcoins (approximately $17,000 at the time) to regain access to their systems. That’s a huge payday for a single attack. Other individual reports reveal the requested amount is typically around 0.5 to 1 bitcoin ($400 to $800). Destruction Zone: United States, United Kingdom, Ireland, Australia, New Zealand, Canada, China, Russia, Japan, Italy, Spain, France, Mexico, south Africa, Sweden, Costa Rica, Puerto Rico, Bulgaria, Serbia, Switzerland, Barbados, Turkey, India, Philippines, Malaysia, Saudi Arabia, Brazil, and more

DESCRIPTION

This attack is the ultimate form of Remote Desktop Protocol (RDP) compromise. RDP is one of the most common ways to deploy ransomware because cybercriminals can compromise administrator accounts and systems that control entire organizations. As CrySis encrypts a computer, it also removes all of the automatic backups, so users can’t use them to restore files. Inception: First detected in February 2016; took a few months to spread; Attack vector: Remote Desktop Protocol (RDP)

DAMAGE REPORT

Initially CrySis demanded between $455-$1,022 in bitcoin. On three separate occasions, verified decryption keys have been release for CrySis, most recently in May 2017. Destruction Zone: United States, Canada, France, Australia, Vietnam, Mexico, Italy, Russia, Portugal, Spain, Serbia, Puerto Rico, South Africa, India, China, Russia, Turkey, New Zealand, Philippines, Malaysia, Saudi Arabia, Brazil, and more

DESCRIPTION

Arriving via fake shipping invoice emails, Nemucod, once opened, downloads malware and encryption components stored on compromised websites. Nemucod would have been crowned most malicious spam email if Locky hadn’t reignited in August. Inception: Historically, the hackers behind Nemucod teamed up with Teslacrypt, which was huge in 2015 and 2016; in 2017, they made their own ransomware variant; Attack vector: Spam Email

DAMAGE REPORT

Those infected with Nemucod receive a ransom note demanding $300 in bitcoin in exchange for the safe return of their files. Destruction Zone: United States, United Kingdom, Ireland, France, Spain, Germany, Greece, Portugal, Poland, Belgium, Netherlands, Norway, Sweden, Japan, India, China, Russia, Turkey, Serbia, Mexico, Australia, New Zealand, Philippines, Malaysia, Saudi Arabia, Brazil, and more

DESCRIPTION

Like Locky, new variants of Jaff ransomware continue to be distributed. Jaff leverages phishing emails and bears characteristics associated with other successful malware. While Jaff may not have garnered the level of attention WannaCry received, the techniques used in its distribution put it in an exclusive club; one whose recent membership includes both Dridex and Locky. Inception: May 2017; Attack vector: Spam Email

DAMAGE REPORT

Initial bitcoin ransom payments asked for 2 bitcoins ($3,700). Destruction Zone: United States, United Kingdom, Australia, Canada, Ireland, France, Spain, Greece, Germany, Portugal, Poland, Belgium, Netherlands, Norway, Sweden, Japan, India, China, Russia, Mexico, New Zealand, and more

DESCRIPTION

To distribute this ransomware, cybercriminals hack legitimate websites to add JavaScript code. Visitors to the sites receive a pop-up prompt to update their Chrome browsers, if they want to continue viewing the page. Downloading the "Chrome Font Pack" infects the users’ system. This attack is named after the Russian word for "spore." Inception: January 2017; Attack vector: Bogus Front Pack Update in a Browser Message

DAMAGE REPORT

Unique to Spora are different purchases that can be made depending on the particular needs of the victim. Via the well-crafted ransom payment site, victims can restore their first two files (free!); restore additional files ($30); decrypt their files ($79); buy immunity from future Spora infections ($50) and remove all Spora-related files after paying the ransom ($20). Note: the prices reflected are from Spora’s inception. Destruction Zone: United States, United Kingdom, Canada, France, Italy, Poland, Mexico, Serbia, Turkey, Singapore, Japan, South Africa, Botswana, Netherlands, Niger, Bangladesh, Philippines, Malaysia, Saudi Arabia, Brazil, Portugal, Germany, Ireland, Spain, Hungary, Belarus, Vietnam, Belgium, and more

DESCRIPTION

Cerber has effectively utilized multiple attack vectors via RDP and spam emails. However, Cerber also distributes ransomware-as-a-service (RaaS). Through this “service,” cybercriminals package up ransomware and then give other criminals the tools to distribute as they see fit. The author of Cerber takes a 30% cut of the profits. Inception: March 2016; has been making several reappearances since its debut, most recently this October; Attack vector: Remote Desktop Protocol (RDP), Spam Email, RaaS

DAMAGE REPORT

One of the latest incarnations of Cerber will steal cryptocurrency and passwords from victims, providing an additional means of profit on top of the bitcoin ransom demands (between $300 and $600). Destruction Zone: United States, United Kingdom, Ireland, Canada, Singapore, South Africa, France, Italy, Japan, Chile, India, Australia, China, Germany, Malaysia, Greece, Sweden, Botswana, Turkey, Hungary, Spain, Norway, Serbia, and more

DESCRIPTION

CryptoMix is often distributed through RDP but also through exploit kits such as malvertising, in which victims click an infected ad to a hacked shopping site that attacks their device’s system. CryptoMix can also hide on flash drives, so if a user inserts a flash drive from an infected system into another, the infection spreads. Inception: March 2016; Attack vector: Remote Desktop Protocol (RDP) and Exploit Kit

DAMAGE REPORT

This ransomware is one of the few that doesn’t use payment portal on the dark web. Instead, users must wait for the cybercriminals to email them instructions, usually demanding a hefty Bitcoin ransom (5 bitcoin, or approximately $3,000). Destruction Zone: United States, United Kingdom, Ireland, New Zealand, Australia, Canada, Italy, Singapore, Turkey, Serbia, Greece, South Africa, India, Mexico, Chile, Ukraine, China, Germany, Malaysia, Japan, Sweden, Botswana, Spain, Hungary, Portugal, Norway, Iran, Russia, Israel, and more

DESCRIPTION

Jigsaw ransomware, named for the iconic character from the Saw film franchise, distributes via spam email and deletes a victim’s files every hour and each time the infection process starts until the ransom is paid. Inception: April 2016; Attack vector: Spam Email

DAMAGE REPORT

Every hour, Jigsaw Ransomware deletes victims’ files until the pay the ransom (prices ranging from $20-$200). After the initial infection, when the ransomware is restarted after process termination or a reboot, Jigsaw will delete a thousand files from the victim's computer. Destruction Zone: United States, United Kingdom, Ireland, Italy, Canada, Australia, New Zealand, Singapore, Serbia, Japan, Turkey, South Africa, Niger, France, Greece, Mexico, India Chile Bangladesh, Philippines, Malaysia, Saudi Arabia, Brazil, Botswana, Poland, Netherlands, Russia, Ukraine, and more

 

To view our Top 10 Nastiest Ransomware infographic, click here.

Not sure how to protect yourself online? Read our safety tips.

The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.

Fake Crypto Exchange Apps Found on Google Play Store

After being available on the Google Play store for nearly a month, several phishing apps that were spoofing cryptocurrency exchanges have been removed. Unfortunately, they had been installed up to 5000 unique times by unwitting users. While this isn’t the first time we’ve seen phony crypto exchange apps in an app store, they are becoming more regular, and increasingly difficult to identify.

Reaper Botnet on Track to Be Largest in History

A new botnet called Reaper has been spotted controlling nearly two million unique IoT devices, and is continuing to grow. The infection spreads relatively quietly, like a worm, and uses known vulnerabilities within internet-connected devices to increase its reach. The botnet has yet to be used for any known DDoS attacks, and it appears to be more concerned with growth than high-profile attacks.

Microsoft Office Vulnerability Leaves Users Defenseless

As more and more attention is focused on infections from malicious email attachments, an exploit has been found in a decades-old data exchange system used in all Microsoft Office programs that could allow similar attacks to remain unnoticed. The exploit is based on the data exchange protocols used to send data between Office apps and could be used to trigger malware without user interaction. Unfortunately, Microsoft is unlikely to perform any major patches to resolve the issue, since they could break the data protocols needed by each app.

Customer Info Breach at Major Cosmetics Company

Recently, a security firm found two publicly accessible databases containing sensitive information for nearly 2 million Tarte Cosmetics customers. The data consisted mostly of payment and other sensitive information for any online customers from the last decade, and may have also fallen victim to a ransomware attack during the period that it was unsecured. Fortunately, Tarte was quick to take both databases offline after being informed of the indiscretion.

Bad Rabbit Ransomware Invades Media Outlets

Over the past week, multiple media outlets from Eastern Europe to Japan have been experiencing a ransomware attack, dubbed Bad Rabbit by researchers. The variant shares some of its code with Petya, the ransomware that caused widespread damage earlier this year. Bad Rabbit seems to propagate through fake Flash updates and uses Mimikatz to obtain credentials from infected devices.

The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.

Swedish Trains Schedule Gets Derailed by Cyber Attack

In the last week, several computer systems belonging to the Sweden Transportation Administration were subjected to multiple DDoS attacks that forced the agency to halt some trains and delay others. While they were able to bring the services back online within a few hours, the delays affected transportation schedules for the remainder of the days. Unfortunately, the effects of the attacks were still noticeable within the transportation systems for several days, as the schedules all needed readjustment to accommodate their customers.

Adobe Flash Affected by Zero-Day Exploit

Researchers this week discovered a zero-day exploit within Adobe Flash Player that was used to install FinSpy, a malicious software used to steal user information. The software was hidden in an infected Word document, which the user received via email. FinSpy surveillance software is sold worldwide, but is often used maliciously to gain financial or political power through information gathering and extortion. Fortunately for Adobe Flash users, the latest update patches the exploit and is readily available from Adobe’s site.

Adult Themes Infest Roblox Computer Game

The open-source nature of games like Roblox can enable users to make custom additions to the game and make their experience their own. However, some users choose to take advantage of the system and abuse it. Unfortunately, many of the game’s younger user-base has recently been subjected to Nazi propaganda and other adult content. The vendors of such mods are usually banned from the servers, only to return a short while later.

IoT Takes Major Hit with Krack Attacks

Recently, a vulnerability was found within the WiFi encryption currently in use by hundreds of millions of IoT devices around the world. Fortunately, the vulnerability has been patched by dozens of vendors for quite some time now. However, there are still some devices that won’t likely receive an update in the near future: security cameras, routers, and other household wirelessly connected “things”.

Oracle Updates Large Number of Critical Patches

In their latest update, Oracle pushed out more than 250 different patches for bugs across hundreds of products. Some of the most critical patches involve SQL injection vulnerabilities in their E-Business Suite, which could be used maliciously to steal or alter sensitive financial data. Another area that received multiple patches was the Java Platform, which had 20 unique exploits that were available remotely without any user authentication.

The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.

Rigzone Founder Caught Stealing Data

Over the last few months, officials have been piecing together the case against Rigzone founder, David Kent. After selling the Rigzone domain several years ago, Kent used several backdoors he’d implemented to access account information for over 700,000 customers, which he then attempted to sell back to Rigzone. By setting up several dummy accounts, Rigzone staff determined the specific IP address Kent used and apprehend him.

Criminals Hack Eastern Europe Bank for Millions

In the last year, banks in several Eastern European countries have seen a drastic rise in fraudulent charges at ATMs that have allowed hackers to make off with nearly $40 million dollars. Attackers start by manipulating the banks overdraft protection and setting up proxies to allow accomplices in other countries withdraw massive quantities of money from separate accounts. In addition to spoofing the overdraft system, the attackers also installed remote access software on bank computers to enable further intrusion to the institution’s systems.

Multiple Accenture Servers Left Exposed Online

A security researcher recently discovered four servers belonging to Accenture that were left publicly accessible on the internet for an undisclosed length of time. These servers contained data on thousands of Accenture’s clients, though the company’s statement on the issue assured customers that all data was from a retired system that contained no current data. Fortunately, server logs show that the researcher was the only unauthorized user to access them, which should help Accenture’s IT staff sleep a little better.

Latest Apple OS Gives Actual Password instead of Password Hint

A bug within Apple’s latest macOS, High Sierra, could allow a local attacker to request a password hint but receive the actual password. This bug occurred due to an issue with Apple’s file management system, which would have asked users to input a password hint in case they forgot their credentials. Unfortunately, the bug caused the hint request to display the legitimate password instead. Luckily for High Sierra users, Apple was quick to release a patch that fixed the issue.

Healthcare Service Records Found Online

Kromtech researchers discovered an unsecured Amazon S3 bucket belonging to a US healthcare services company that contained information on at least 150,000 patients. Although the company secured the server as soon as they were notified of this security oversight, it’s unclear how long the bucket was freely accessible.

The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.

Yahoo Breach Expands to All 3 Billion Users

In a recent statement, Yahoo announced that its 2013 breach, which took nearly 4 years to investigate, has impacted all 3 billion of their site’s unique users. Along with this recent update, the company is still reeling from a separate 2014 breach, which holds the dubious title of 2^nd largest data breach to date. This update to the total affected users isn’t surprising, given that the original breach left questions as to why some accounts were compromised, while others remained untouched and showed no signs of malicious activity.

Facebook Under Fire After Russia-Based Ads Overwhelm Users

Recently, Facebook founder Mark Zuckerberg issued an apology for the site’s lack of action in stopping Russian advertisements and fake news articles, which have been circulating heavily since the 2016 election season. His statement goes on to promise that additional safeguards will be implemented to ensure Facebook can continue to be a safe platform for users to voice their opinions.

Hackers Prove You Can Game the Gamers

In the past week, R6DB, an online stat tracking service for the popular game Rainbow Six Siege was shut down after several servers were wiped completely due to a cyber-attack. The attackers accessed the database remotely, as it was left unsecured during a recent data migration that hadn’t yet concluded. Unfortunately for many players, their information is completely gone, while company officials are still working to restore what information they can.

Apple’s About-Face

Face ID, the iPhone X’s highly-touted biometric device locking system, has been found to be less than secure in several scenarios. Some of the vulnerabilities relate to young users whose facial features may change as they age, and siblings with similar facial features being able to spoof the security measure. Fortunately, Face ID isn’t the only security precaution on the new device, as it will still require a passcode to be set.

NFL Player Data Found on Unsecure Server

Recently, researchers discovered that an unsecured database belonging to the NFL Players Association contained records on over 1,100 individual players and agents. The compromised data included everything from players’ personal info to team contracts and payee information. Even more worrisome, a ransom note with a bitcoin address was found among the data, though it appears the data itself wasn’t leaked to Dark Web sellers. Fortunately, the database was secured shortly after researchers notified the NFLPA, though no response was received from the association regarding the incident.

The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.

Showtime Site Found Using Cryptocurrency Miner

Following the discovery last week that ThePirateBay has been using a Monero miner to experiment with revenue alternatives for the site, researchers have found that both Showtime.com and ShowtimeAnytime.com have embedded code for similar cryptocurrency mining. The code itself runs only while the user is on the site, and ceases once they navigate away. The main concern, however, was the high CPU usage users experienced. The script in question was removed after several days of testing, but Showtime has yet to comment on their implementation of the crypto-miner or its intended outcome.

Massive Stash of Credit Card Info Linked to Sonic Breach

In the past few days, researchers have found a trove of credit card data that could be tied to a recent breach at Sonic, the popular drive-in restaurant. The data is organized by the location of each card, and currently contains nearly 5 million unique card numbers and related info. While Sonic has not yet determined the cause of the breach, they have been working with their credit processing company to identify the compromised store locations and implement credit monitoring for affected customers.

Big Four Accounting Firm Breached

Deloitte, one of the world’s largest accounting firms, suffered a cyberattack that exposed sensitive emails to criminals. Researchers believe hackers gained access to the email system via an administrative account without 2-factor authentication. The attack appears to have only affected a limited number of the firm’s clients, though actual figures are still unknown. Unfortunately, Deloitte’s security is severely lacking overall. With any luck, this breach will be the impetus they need to step up their protection practices.

Irish National Teachers’ Organisation Hacked

A recent Irish National Teachers’ Organisation breach may affect up to 30,000 current and retired teachers across the Republic of Ireland and Northern Ireland. While the breach doesn’t appear to have been data-oriented, the compromised systems contained massive quantities of teacher information. Fortunately, both payroll data and user passwords were not exposed, as they are stored in an alternate location. With enforcement of the EU’s General Data Protection Regulation (GDPR) on the horizon, breaches like these will likely become very costly for victim companies.

Vehicle Tracking Data Available Online

In the last two weeks, researchers found an unsettling number of account records belonging vehicle tracking service SVR Tracking had been left completely unsecured online. The data includes account credentials and vehicle identification information for roughly 500,000 unique accounts. While it’s unclear how long the data was publicly available, SVR secured the server within several hours of being notified of the discovery.

As a CISO, I think the cybersecurity community is beginning to realize that the threats we face as security professionals are consistently evolving, and, more importantly, that we must evolve just as quickly to combat them. Recent data collected by the Webroot® Threat Intelligence Platform on the acceleration of phishing attacks and the maturation of new, related criminal methodologies demonstrates that, to respond effectively, we must develop and leverage solutions that don’t just keep up with today’s threats, but predict their next moves.

Most CISOs, myself included, want solutions that can respond in real time and assist us in making critical decisions to not only protect our businesses, but reduce risk overall. A lot of the new solutions that might interest us can be integrated into a platform and allow us to consume different types of threat intelligence and data feeds so we can automate responses to attacks in real time.

3 Steps to Mitigate Phishing Risks

Phishing is the number one cause of breaches. Webroot BrightCloud® Web Reputation is one of the solutions I look to as a critical asset for any security team because it provides the knowledge, within milliseconds of selecting a URL, whether a site is malicious. This efficiency and accuracy allows security teams to be proactive in protecting their organizations—to prevent compromises, not react to them after the fact. In addition to leveraging this type of real-time intelligence technology, I recommend several steps to reduce the phishing risk to any organization and its employees.

Social Media Security Awareness

Social media is increasingly used by cybercriminals to research their targets. As such, CISOs should add social media security awareness training to their corporate security awareness curriculum. Personnel should be trained on the risks and given insight into how the data they publish in their profiles could be used to target them, their families, and the organizations they represent. In my experience, the majority of people on social media don’t take even the most basic security precautions, such as only connecting with people whom they know, or not allowing their profiles to be searched or viewed publicly.

Executive Exposure Prevention

Additionally, I recommend directing threat intelligence toward executive staff and assistants. An organization can provide a list of executive staff, board members, executive assistants, and other company VIPs to a threat intelligence service. The service can then scan the dark web and watch for anything related to the client organization and the list of provided personnel. This gives the organization’s security team advanced notice of possible phishing attacks against specific employees, and allows them to warn employees to mitigate risk, change passwords, and even shut down compromised accounts.

Real-Time Anti-Phishing

Given that the number of new unique phishing sites averages over one million per month, and that the lifespans of many such sites can be measured in mere hours, it’s clear we need new techniques to stop modern attacks. With this in mind, I recommend CISOs employ real-time threat intelligence feeds with data specific to their industry, and that the data be contextual, meaning it should apply to the technology, applications, and security controls the CISO has deployed.

I also recommend engaging real-time URL filtering, since phishing emails typically drop a ransomware payload, which can significantly impact an organization’s business operations. Since phishing websites are active for an average of 4-8 hours, and given the new methods cybercriminals use to hide malicious sites in plain view, I believe it’s critical to be proactive and use real-time URL filtering. The methods of bygone years, in which we deployed domain block lists and IP address block lists, have been outpaced by the innovative phishing techniques cybercriminals use today. As threats have adapted, we too need to adapt.

The Bottom Line

The latest quarterly threat report focuses on phishing specifically, and is an informative read for all of my fellow CISOs, and a primer to help support and maintain the security of your own organizations. As CISOs, it’s time to level the online playing field to proactively detect and respond to threats in real time. The first step is by arming ourselves with the right threat intelligence to make more timely and better-informed cybersecurity decisions.

The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.

German Voting Software Raises Concerns

With German elections only a couple weeks away, researchers have been working to determine how secure the voting systems really are. Per a recent study, the software being used contains multiple vulnerabilities that could lead to devastating results if the election is compromised. Meanwhile, the software creator maintains there is nothing wrong with the system and any tampering would only lead to confusion, rather than truly affecting the vote’s outcome.

Upgraded Android OS Slows Tide of Overlay Attacks

While overlay attacks are nothing new to Android™ users, the Toast window is a surprisingly fresh take on this technique. Google has already patched the issue being exploited, but many users unintentionally fell victim and gave permissions to a malicious app using the Toast window overlay on a legitimate page to spoof the users input. This type of attack can range from simply installing an annoying piece of malware on the device, all the way up to locking the device down and demanding a ransom.

Apple Implements Even More Security for iOS 11

In recent years, the security surrounding smartphones and other portable devices has been under scrutiny by both users and law enforcement. In its latest iOS® version, Apple is introducing new features that will make unauthorized access to their devices even more challenging. The first is only a minor change, which request the device’s password/code when connecting it to a new computer (like those used by law enforcement for forensic analysis.) This change puts the power back in the device owner’s hands, as they aren’t required to divulge that type of information, nor would a potential thief be likely to know or guess the locking combination. The second feature allows the device to be put into SOS mode, which also requires a passcode to unlock, rather than using the TouchID, which can be falsified.

Equifax Hack Could Be Largest Ever

As you’ve probably heard, Equifax was recently compromised, leaving over 143 million Americans’ social security numbers and other highly sensitive information vulnerable and likely for sale. The original point of access would seem to be their main Argentinian employee portal page, which, through simple HTML viewing, can show both the username and password for nearly 14,000 customers who had filed a complaint, along with their social security number equivalent, all stored in plain text.

WordPress Plugin Removed Again for Malicious Activity

After 4 unprecedented takedowns, WordPress has finally removed the Display Widgets plugin from its repository after being implicated in malicious activity yet again. The plugin was sold several years ago and has since been installed on over 200,000 PCs, though it is hard to tell how many users have upgraded to more secure plugin versions. Even more worrisome is that backdoors became part of the plugin’s payload, and could be actively running on any of the 200,000 known devices.

The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.

Consumer Credit Reporting Agency Equifax Suffers Cyberattack Affecting 143 Million Customers

Equifax announced hackers gained access to sensitive company data that potentially compromised information for 143 million American consumers, including Social Security numbers, driver’s license information, and credit card details. This is the third major cybersecurity incident for the agency since 2015. Most concerning, Equifax knew of the breach on June 29 but waited until September 7 to disclose the information.

Instagram Hack Exposes Millions of Accounts

A group of hackers recently gained access to a large number of Instagram accounts for high-profile celebrities and other victims. The attackers were able to use an exploit in the Insta app to retrieve the email addresses and phone numbers for millions of account holders. They then used this information to take control of more valuable accounts and posted the credentials for sale on the dark web. While Instagram was quick to fix the bug, it is still unclear just how many accounts were compromised.

Customer Databases Belonging to Time Warner Cable Publicly Exposed

In the last week, officials have been working to trace the cause of a data breach that could affect nearly 4 million Time Warner Cable customers. The breach appears to have stemmed from two databases, managed by Broadsoft Inc. (a partner of TWC), that were left fully accessible to the public. The data in question spans millions of transactions and communications with customers who have used the MyTWC mobile app in the last 7 years.

PrincessLocker Ransomware Uses Exploit Kit to Spread

While PrincessLocker may not be the newest or most dangerous ransomware variant currently making the rounds, it propagates through an unusual method: exploit kits. Along with a less expensive ransom demand, PrincessLocker has been spotted as the payload for a fully automated exploit kit known as RIG, which uses drive-by attacks to exploit system vulnerabilities.

Energy Grid Hackers Play Waiting Game

As cyberattacks focus more and more on infrastructure, rather than financial gain, they leave the future of many cities and countries uncertain. Many modern hackers have managed to work their way into countries’ infrastructures by easily bypassing the poor security used by numerous largescale energy facilities around the world. They’ve left backdoors into systems that could cause major disruption to the surrounding geographical areas, and, unfortunately, many of these very systems have never been updated appropriately. Meanwhile, attackers have nothing but time on their side to determine how and when it would benefit them to exploit these vulnerabilities.

Poker Site DDoSed, Then Ransomed

Late last week, America’s Cardroom and Winning Poker Network fell victim to the latest in a long string of DDoS attacks that have plagued such sites for years. This latest attack, however, brought with it a ransom demand to stop the attacks. The sites claim to have mitigated the DDoS attacks, though that comes after nearly 2 days of cancelling poker tournaments due to the insufficient bandwidth for their players.