Industry Intel

The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.

Ukraine Hit With Nationwide Cyberattack

In the past week, Ukrainian officials have been making announcements regarding a cyberattack that has affected nearly all of the nation’s industries and government sectors. Also affected is Ukraine’s main airport, creating significant delays. While it is still unclear who initiated the attack, officials are saying that the infection was targeted to cause destruction across a variety of the country’s essential systems.

Wind Farms Surprisingly Insecure

As we move get closer to mass-production of wind power, the security of the turbines themselves is coming under scrutiny. Over the past few years, researchers have been performing penetration tests on multiple wind farms across the US, and have discovered that most are only as secure as the tumbler lock on the turbine door. After accessing the interior of the rarely-manned turbine, researchers were able to gain full control of not only that individual turbine, but every other one connected to the network. In light of such tests, the industry will soon have to make significant improvements to the turbines’ physical security of the turbines, as well as the networks they use.

Petya Ransomware Destroys Data, Rather than Ransoming It Back

Following this week’s Petya cyberattacks, researchers have been working tirelessly to understand the exact circumstances involved. While some believed it to be a ransomware attack, it appears the malware author’s intent was purely destructive. Rather than the typical bitcoin ransom demand, the infection virtually destroys the hard drive in question by encrypting the Master File Table and removing any access to the remainder of the encrypted files.

8Tracks Music Social Network Hacked

Over the past few days, a hacker operating on the Dark Web has posted an offer for 18 million 8Tracks user accounts and passwords. A sample of the data was verified, and, although the usernames and passwords are all SHA-1 encrypted, several web tools are readily available to any buyers determined to crack it. 8Tracks has since confirmed the breach and recommended that all users change their login credentials, especially those that have been used for multiple sites.

South Korean Banks Face Large DDoS Ransom Demand

In the last few days, at least 5 major South Korean banks have been threatened with a large-scale DDoS attack unless they pay a ransom of $315,000 in bitcoins. It’s no coincidence that this attack comes just weeks after the successful ransom of a South Korean web hosting service, though it would appear that the attackers never followed through, as the banks’ sites have remained up and running past the Monday deadline.

[Updated June 29, 2017, 10:20 a.m. MDT]

A host of companies across industries have confirmed attacks today by a brutal wave of ransomware, including global law firm DLA Piper, U.S. pharmaceutical giant Merck, and the Danish shipping company Maersk. Although targets originally appeared in Ukraine—shutting down power plants, banking services and supermarkets—this latest cyberattack has quickly spanned critical economic sectors around the globe.

Webroot customers are protected against this variant. This cyberattack was first seen by our threat research team at roughly 10:00 a.m. UTC on June 27, 2017.

What we know

Webroot’s threat researchers have confirmed that this ransomware is a variant of an older attack dubbed Petya, except this time the attack uses EternalBlue to target Windows systems—the same exploit behind the infamous WannaCry attack. While this variant appears to be an upgraded version of Petya, there is no confirmation that this attack is from the same author.

This variant mirrors Petya in that it encrypts the Master File Table (MFT) by overwriting the bootloader code, though unlike previous versions, it encrypts files based on file extension. The system fails to boot as usual and the end user instead sees a screen that appears similar to DOS and demands payment. The shot below depicts the preparation of the EternalBlue triggering packet.

This is the same attack vector that made WannaCry so effective, but we have also observed additional techniques used to infect more machines.

Here we can see that the worm is also utilizing WMI (Windows Management Instrumentation) in a technique to further reach through the network using credentials siphoned from the local machine.

Once the machine is infected, the computer will immediately restart to what looks like a ‘chkdsk,’ but isn’t. Below is an image from Ukrainian Prime Minister Pavlo Rozenko’s Facebook showing the world what the ransomware looks like while it encrypted his computer during this fake chkdsk stage.

Vice Prime Minister of Ukraine, Павло Розенко (Pavlo Rozenko) on Facebook. This is what Petya looks like when it’s encrypting your drive. pic.twitter.com/RgPtfuWK7p

— Mikko Hypponen (@mikko) June 27, 2017

This stage is the ransomware encrypting files on your hard drive. We found that the ransomware doesn’t encrypt the entirety of your files with matching extensions, but instead encrypts up to the first mebibyte of data. This is done presumably to save time during the encryption process, but also ensures that enough of the file is encrypted to be unlikely to restore without paying the ransom.

Once the fake chkdsk is complete (or all the files on the computer are encrypted) the infection will reboot the computer once more to this screen:

There is no way for a victim to retrieve their files other than to email the cybercriminal after paying the bitcoin address listed in the ransom. In fact, the email address listed in the ransom has, as of now, been shut down by the email provider. Essentially, this means victims are unable to get their files back, even after paying the ransom, as the payload author is now prevented from checking this email.

It now seems the attack’s intended effect was not to generate ransom payments at all. In a detailed post on the Microsoft Malware Protection Center blog, the initial route of infection was revealed to be a malicious update to tax accounting software deployed by the Ukrainian company M.E.Doc.

Given the initial attack vector and level of sophistication, the underlying motive appears to be aimed at wreaking the maximum amount of disruption in Ukrainian infrastructure, while merely operating under the guise of ransomware. This suspicion is supported by the absence of a payment portal or functional email address to deliver the ransom payment.

Why it matters

The bottom line is that companies are still failing to adequately secure their IT systems from the EternalBlue vulnerability in the Windows Server Message Block (SMB) server.

Microsoft issued critical security updates to patch this vulnerability on March 14, 2017. To verify that the MS17-010 patch is installed, follow the directions in this Microsoft support article.

If you’d like to learn more about this Petya-based attack, catch the replay of my webinar: Deep Dive into Petya-based & WannaCry Ransomware Attacks.

An interesting tidbit

Our threat researchers have determined that this infection includes a check to see if a file named “perfc” or “perfc.dat” exists in the Windows root directory before executing (a kill switch of sorts). Of course, the best “kill switch” is to perform updates that patch known vulnerabilities such as EternalBlue.

The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.

WannaCry Shuts Down Honda Production Plant

Over the last few days, Honda officials have discovered a recurrence of WannaCry across multiple machines around the globe. This reinfection was enough to force the temporary closure of their Sayama plant in Japan. While Honda did implement several patches to ward off the initial attack in May, their efforts may not have been thorough enough, leading to their current predicament. Fortunately, the plant was able to reopen a day later, after the systems had been fully updated and cleaned.

Web Host Pays Out $1 Million Ransom

A South Korea-based web hosting service was recently hit with a Linux variant of Erebus ransomware, which affected over 150 unique servers for thousands of different business clients. While Linux systems haven’t traditionally been desirable targets for ransomware, attacks like this one are steadily increasing as more Linux exploits are discovered. Faced with the prospect of overwhelming fallout, the owner of the hosting company chose to pay the ransom, after negotiating with the attackers for a smaller sum.

NSA Malware Installing Cryptocurrency Miners

As further effects of the NSA leak continue to surface, one NSA hacking tool in particular is being used again as a backdoor to allow remote file execution on infected machines and install a cryptocurrency miner. In addition to using DOUBLEPULSAR—a backdoor that was also used in WannaCry attacks in May—to infect the machine, the Trojan also does a check for CPU usage to determine if the computer is suitable for mining Monero, a newer cryptocurrency that has been gaining market strength.

Mac® Computers Becoming Focal Point for Attackers

As more high-level employees use Macs for their daily operations, cybercriminals have more reasons to focus on Apple products when looking for valuable data to steal. By using service-based malware campaigns, criminals can now target entire networks of systems, rather than individual computers, giving them greater reward for less effort. Fortunately for Mac users, the same security rules for PC still apply: run the latest security updates, always back up your important files, and use some form of third-party security software to cover the remaining attack vectors.

WannaCry Found on Australian Traffic Cameras

In the past week, officials have discovered at least 55 traffic cameras in Victoria, Australia were compromised with WannaCry ransomware after being connected to an infected USB drive. While the cameras have continued to function normally, traffic officials are still monitoring the system to ensure no incorrect traffic citations are issued due to the camera tampering.

Popular third-party chat platforms like Slack, Discord, and Telegram are just a few of the many new productivity applications that are being hijacked by cybercriminals to create command-and-control (C&C) communications infrastructures for their malware campaigns. As corporate security teams become more aware of traditional malware threats and deploy new security solutions to defend against them, cybercriminals continue to innovate. Now they’ve turned to well-known chat and social media applications as platforms to communicate with their deployed malware.

Hiding in Plain Sight

The appeal of these chat programs for cybercriminals is born from the fact that many of them are free, easy to use, and incorporate application programming interface (API) components that simplify connections between the programs and custom-built applications. It’s this use of APIs that allows hackers to operate undetected on corporate networks. This clever technique enables hackers to entrench their access by camouflaging themselves with normal data flows. Plus, because this malware leverages software platforms and services that are readily available (and free), all hackers need to do in order to stay connected to their growing malware bot farm is set up an account on their chat platform of choice.

Granted, not all software using APIs is susceptible to this type of attack. However, these attacks are a clear demonstration that tools used by project management and software development teams can be compromised in ways that expose their organizations to significant risk. I predict that similar vulnerabilities in productivity services and applications used by corporate technology teams will continue to be exploited—at an even greater rate. In many ways, these attacks mirror what we’ve seen recently targeting core protocols that operate on the Internet.

Know Your Enemy

Luckily, knowing the enemy is half the battle. With this in mind, we can manage these types of threats, and some of the steps I recommend come down to basic cyber hygiene. I highly recommend security professionals deploy an antivirus solution that incorporates anti-malware and firewall services to all endpoints. A solid threat-intelligence service is also vital to educate security staff and business stakeholders on the current threats and threat actors targeting their business.

One final point: it’s a good idea to screen all outbound network traffic in order to verify that it’s going to legitimate destinations. Hopefully, you’ve already deployed these recommended security controls. If you are missing one or more of these elements, it’s time to shore up your cybersecurity efforts to protect yourself and your organization.

The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.

New Mobile Phishing Attacks are Using URL Padding

In an attempt to trick mobile browsing users into accessing malicious sites, attackers have begun adding multiple hyphens to URLs that keep the false address out of the mobile browser’s small address bar. This “URL padding” has even been spotted targeting high-traffic sites such as Facebook and Craigslist, to increase criminals’ chances of stealing user login credentials. We strongly recommend that users enter the desired URL manually, rather than clicking links, while also trying to maintain the same security standards for their mobile devices as for PCs.

Airline Traveler Data Remains Unsecured

While physical security around air travel has greatly increased over the last decade and a half, the data security of the nearly 8 million travelers is still at risk. The trouble stems largely from antiquated airline systems in general, which are currently exempt from the current Payment Card Industry Data Security Standards that are compulsory for all other online-sales industries. For the sake of airline travelers everywhere, we hope these systems will soon receive the updates they so desperately need to keep passenger and employee data safe.

Mazda Cars’ Infotainment Systems are Totally Hackable via USB

Over the past several years, many Mazda owners have been modifying their car’s entertainment systems using USBs that are pre-loaded with a specific code that allows high-level access to the system. While your imagination could run wild with the cybercriminal possibilities, for the time being, the code only operates when the car is running. This minor defense mechanism stops attackers from accessing the car remotely. The initial USB vulnerability has been well documented since the 2014 model year, so it’s somewhat surprising that it hasn’t been exploited further.

London University Hit with Ransomware

Within the last week, officials at University College London have been attempting to discover the origin of an attack that left large portions of their networks encrypted. It’s likely it began with a phishing email which then propagated throughout the university’s shared networks over the next couple of days. Fortunately for students and staff, it appears the encrypted data was securely backed up and will be used to restore the file structures once the infection is fully removed.

Dark Web Service Offers SS7 Access for Cheap

Recently, a service has popped up on the Dark Web that would give several functionalities to anyone interested in tracking or monitoring any smart device. The service offers several different levels of monitoring, ranging from a basic report on a specific device to full tracking and message interception (for a larger fee, of course). While the exact method used to access these networks is still unknown, the manager of the service claims that it is surprisingly easy, even with all of the security and prevention techniques today’s telecom providers use.

The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.

Internet Cameras Showcase Major Security Flaws

Researchers recently discovered as many as 18 different vulnerabilities with Foscam cameras. Among the exploits are several methods of gaining remote access to the cameras, as well as viewing active feeds, and searching through locally stored files. Although the researchers reported these issues months ago, the manufacturer has not yet addressed the issues. Unfortunately for consumers, Foscam makes devices for at least 14 different brands, all of which come with the same security risks.

EternalBlue Exploit Port to Windows 10

The notorious EternalBlue exploit, which was used in the WannaCry attacks, has been ported to Windows 10, which means all current versions of Windows are susceptible to the exploit, if not properly patched. In addition to the port, another exploit module was created, which slims down network traffic and allows the infection to remain undetected by current detection criteria. While researchers are still learning and understanding the full capabilities of EternalBlue, it has also opened the door for less skilled hackers to modify the otherwise well-written exploit for their own purposes.

Car Owner Database Publicly Available

In the last week, researchers found a publicly-facing database containing the customer and vehicle information for nearly 10 million cars in the US. The database, which had been actively available for around four months, has no known owner, though several dealerships named in the database have been contacted with inquiries. Unauthorized access to the information could give criminals more than enough information to have extra keys made for the vehicles, and could even lead to identity theft issues.

Turla Hacking Group Changing Methods of Attack

The cybercriminal group Turla has executed numerous cyberattacks on major corporations and government agencies over the last few years. Now, however, they’ve switched their focus to individual attacks, typically using Firefox browser extensions to create backdoors into personal systems. The attacks are coordinated by placing comments on highly-trafficked Instagram pages and pictures. The browser extension hashes the comment values until the malicious hash is discovered, at which point it contacts a C&C server for instructions. Fortunately for many social media users, the APIs used to create the malicious extension will be phased out in future versions of Firefox.

Edmodo Data Breach Confirmed

Officials at Edmodo, an education technology company that works with K-12 schools and teachers, have been working to discover the source of a breach that affects over 77 million individual accounts. The majority of affected users were children who used various Edmodo programs for school, as well as educators across the country. Although the freshness of the data would indicate that the breach occurred very recently, and Edmodo did attempt to notify its users quickly, not all users received word that their accounts had been breached. Thankfully, the company used strong encryptions to protect passwords, so it’s unlikely that attackers will invest the time and effort necessary to decrypt them to access accounts.

The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.

Hackers Blackmail Surgery Patients

Hackers have begun contacting victims of a March data leak that exposed a database containing photos and other sensitive patient information. The majority of victims are linked to a Lithuanian cosmetic surgery clinic, and have received demands ranging from $40 to a full Bitcoin to prevent their photos from being released. Unfortunately for some of the patients, at least 25,000 photos have already been published, likely in an attempt to incite other ransom victims to pay.

Chipotle Payment Systems Hacked

Over the past few months, officials have been sorting out the severity of the Chipotle data breach that occurred between March and April of this year. As of the most recent statement, restaurants in 48 US states have been affected. The data that has been compromised consists of customer names and credit card information, but the company is working with multiple banks to assist any impacted customers.

Judy Malware Wreaks Havoc on Google Play Store

In the past week, Google has removed over 40 apps from the Play Store that were infected with “Judy” malware. Most of the apps were available in the store for quite some time, meaning the number of affected users could be in the millions. Fortunately, Google has recently released a new service that will continuously scan Android® devices for any malicious activity.

Phishing Study Reveals Interesting Results

A recent study conducted by Ironscales monitored 500,000 unique mailboxes from 100 different companies. The study revealed that, over the course of nearly 8,500 attacks on the boxes, many focused on only a small percentage. Additionally, nearly 80% of phishing attacks were able to bypass the email filter and remain undetected, while those with more brand-oriented themes were caught almost immediately. It also pointed out that, while less than half of these attacks lasted longer than 24 hours, the ones that made it past 30 days were capable of sustaining themselves for up to a year or more.

Game Hackers Mod Nintendo Game Cartridges

While the practice of hacking games is nothing new, several hackers in the community have found a way to create a full Hex editor within Super Mario World, using nothing more than standard controller inputs. By jailbreaking the cartridge to store user-written data in the small game save files, they have been able to mod the game, giving players a wide variety of special perks, and even changing the color schemes of game levels.

The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.

Samsung’s Latest Iris Scanners are Easily Fooled

Recently, ethical hackers have been able to bypass Samsung’s latest attempt at iris recognition with minimal effort. Would you believe the tech is fooled by simply scanning a high-res picture of the right pair of eyes? While the vendor who supplies Samsung with the recognition software assures users that their security is infallible, the opposite seems to be true. The group that discovered the hack was also responsible for finding the workaround for Apple’s Touch ID locking system.

University Twitter Account Hacked, Tweets Racist Remarks

Unfortunately, Salem State University in Massachusetts has joined the ranks of notable organizations, institutions, and individuals who have fallen victim to social media hacks. In the past week, officials at Salem State having been dealing with the aftermath of a hack that caused their Twitter account to post highly offensive, racist messages. For the time being, the account has been suspended, the tweets in question have been deleted, and the university has issued public apologies through all regional means.

Tech Support Scammers Using WannaCry to Leverage Payment

While tech support scams aren’t new, it seems that scammers are now shifting their tactics to use cyberattacks that have made the news as an extortion tool. After launching an annoying popup that informs victims of their (fake) WannaCry infection, the scammers prompt users to call the (fake) support number for assistance. They then demand an outrageous payment just to run the free Microsoft Malicious Software Removal tool.

Yahoobleed Vulnerability Leaks User Data

Security researchers have been warning Yahoo! about its numerous security vulnerabilities around user data for years, and have gotten only silence in response. The flaw comes from ImageMagick, an image processing system used by Yahoo, which didn’t receive a crucial patch that was released in early 2015. This flaw allowed criminals to send an email containing a malicious image file which, once opened, would enable the end user access to Yahoo! server information. Rather than patching the bug that cybercriminals could exploit, Yahoo! simply discontinued using ImageMagick.

Bank Biometrics Bypassed by Twin Brother

Recently, a reporter for the BBC discovered that his HSBC bank credentials could be falsified by his non-identical twin brother using the voice-recognition password system. The system allowed the reporter’s brother no fewer than 8 attempts to correctly match the voice patterns necessary to access the account, though it only offered him limited viewing access. HSBC has stated that they will decrease the number of failed attempts allowed, and will work to add more layers of security.

The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.

WannaCry Ransomware Tackles Globe

In the past week, organizations in over 150 different countries have been dealing with the WannaCry ransomware that spread like wildfire across at least 150,000 individual endpoint devices. By propagating like a worm, the infection was able to spread quickly, exploiting a largely unpatched vulnerability in several Windows operating systems. While a patch for un-updated systems has been publicly available since March, many organizations have struggled to roll it out to their endpoints, or can’t do so without rendering their proprietary software unusable.

Restaurant Listing Service Zamato Hacked

Researchers have discovered a Dark Web vendor with a listing for 17 million Zamato user accounts, along with samples of the data to prove its legitimacy. In response to the hack, Zamato has issued a forced password reset for all affected users, and strongly recommends a password change for the remaining users as added precaution. Fortunately, no credit card information was compromised, as it is stored in an alternate location.

Pirates Pirate “Pirates”

As the official release of the new Pirates of the Caribbean movie looms ever closer, hackers have threatened to leak five minutes of a stolen, unreleased film, followed by 20-minute chunks if Disney doesn’t pay their Bitcoin ransom demand. (It’s unclear if the stolen movie is truly the new PotC, but that’s the rumor.) Piracy is hardly new in the film industry, and a case much like this one happened last month with Netflix and episodes from the upcoming season of Orange Is the New Black. From the sound of it, most production companies agree that a few leaks to dodgy download sites so close to release aren’t significant enough to consider paying up.

Dangerous Flaw Found in the Google Chrome Browser

A recently discovered flaw in Google Chrome has allowed researchers to download a malicious shell command file to a user’s computer, which then executes when the user opens the folder where the file was saved. Upon execution, the file retrieves the user’s login credentials for accessing other network drives or local files. Fortunately, Google is aware of the issue and is working to resolve the vulnerability.

Bell Canada User Data Leaked

In their public statement earlier this week, Bell Canada revealed that a large number of users’ email addresses had been compromised, along with several thousand names and phone numbers. The breach is currently under investigation, and all affected users have been notified to be on the lookout for resulting email phishing scams.

As the second wave of WannaCry spreads across the globe, the latest estimate from the leading European police agency Europol suggests the malware has hit over 200,000 victims over 150 countries.  You can catch up on some of the latest news here.

New kill switch detected ! https://t.co/sMyyGWbgnF #WannaCry – Just pushed for an order ! pic.twitter.com/cV6i8DpaF4

— Matthieu Suiche (@msuiche) May 14, 2017

Although a second kill switch has been identified and registered today, there is no certainty that this second kill switch will address all malware variants. Europol continues to recommend that one of the best defenses is to take advantage of the patches released by Microsoft.

Webroot currently has strong protection in place for WannaCry, and has already reviewed and fortified its protection and detection routines to protect its users against future variants that may appear.

As Webroot sees every new executable file introduced on systems where Webroot SecureAnywhere is installed, we get rapid insight into all types of new malware.  This allows us to quickly create and/or improve upon our best-in-class detection mechanisms for zero day threats.

Ransomware attacks continue to spread around the world this weekend, after the initial damage inflicted on healthcare organizations in Europe on Friday.

The criminals responsible for exploiting the Eternal Blue flaw haven’t yet been identified, but up to 100 countries have hit with WannaCry ransomware, with Russia, Ukraine and Taiwan among the top targets.

The ransomware first appeared in March, and is using the NSA 0-day Eternal Blue and Double Pulsar exploits first made available earlier this year by a group called the Shadow Brokers.  The initial spread of the malware was through email, including fake invoices, job offers and other lures with a .zip file that initiates the WannaCry infection.  The worm-like Eternal Blue can exploit a flaw in the Server Message Block (SMB) in Microsoft Windows, which can allow remote code execution.  This flaw was patched in Microsoft’s March 2017 update cycle, but many organizations had not run the patch or were using unsupported legacy technology like XP.

What’s New

Today, Microsoft has released emergency security patches to defend against the malware for unsupported versions of Windows, including XP and Server 2003.

Overnight and today, it has become clear that a  kill switch was included in the code.  When it detects a specific web domain exists—created earlier today—it halts the spread of malware.  You can learn more at The Register.

As a Webroot customer, are you protected?  YES.

Webroot SecureAnywhere  does currently protect you from WannaCry ransomware.

In simple terms, although this ransomware is currently causing havoc across the globe, the ransomware itself is similar to what we have seen before.  It’s the advanced delivery mechanism that has unfortunately caught many organizations off guard.

In addition to deploying Webroot SecureAnywhere as part of a strong endpoint protection strategy, it is essential you continue to keep your systems up-to-date on the latest software versions, and invest in user education on the dangers of phishing, ransomware, social engineering and other common attack vectors.

If you have any questions about your Webroot deployment, reach out to our Support Team now.

And, if you are not a Webroot customer, we encourage you to trial Webroot SecureAnywhere now.